One of the sites it redirects to is: http://e.pepato.org/e/adsr.php?t=0
It infects each individual .php file and does not re-infect after the initial infection. I have created new sites and cleaned infected .php files and it has disappeared completely. It injects this code into .php (and .html) files about 115 lines below the end line. It ONLY infects index.php/html files in the root directory of the website. If you name your file: index2.php – it will not be infected. The “modified date” time stamps DO change with the infection. There was a spread of 1 minute for hundreds of .php files. If you need a quick way to search all index.php/html files on a server, download notepad++ and use the “search in directory” feature for certain strings of text. Alternatively, once you find the time stamp of infection, search for files modified at that time.
Looks like a newer one, I’ve heard reports of similar activity as far back as mid January.