Fatal error: Cannot redeclare _765258526()

  • Hi folks,

    just yesterday noticed the following notice at the bottom on one of my subdomain websites:
    “Fatal error: Cannot redeclare _765258526() (previously declared in /home/aimaeaco/public_html/leda/wp-content/themes/Leda/footer.php(76) : eval()’d code:1) in /home/aimaeaco/public_html/leda/index.php(18) : eval()’d code on line 1”

    after this I’ve checked all my websites (domain & sub-domains) and each and every contains the same notice, only the directories differ.

    sub-domain where I noticed: http://leda.aimaea.com (running WP 3.2.1 and no events calendar of any sort).

    though I haven’t noticed any change in the websites’ functionality, it is pretty annoying to have “Fatal error” text at the very bottom of each website.

    I would appreciate Your help.

    many, many thanks in advance.

    Levee

Viewing 15 replies - 16 through 30 (of 54 total)
  • victorciobanu
    Member

    @victorciobanu

    This attack is related to the MW:JS:DEPACK one.
    Your Linux server is infected; I would recommend changing all the passwords you can (SQL, root, FTP).

    I had the MW:JS:DEPACK on November 5th and have written an article about it here: How to Remove MW:JS:DEPACK.

    On 14 Nov my server (all index.php files) was infected by this malware.
    I’ve written a tutorial here: How to remove Cannot redeclare _765258526; however, I realize now that the issue is with the server and not the WordPress install.

    To avoid removing all the code by hand, just replace (overwrite) the WordPress install files, then manually clean the theme’s index.php.

    CHMOD’ing the theme index.php to 444 helps, otherwise the code will be inserted again.

    I’m starting to think that these are Anonymous’s (the hacker group) DDoSes at work (they are using our sites’ visitors), since both exploits (MW:JS:DEPACK and redeclare _765258526) open an invisible iframe on our site, an iframe that loads a certain page at a certain moment (with MW:JS:DEPACK it was Facebook).

    victorciobanu
    Member

    @victorciobanu

    *edit – this exploit however does not work, since WordPress uses 2 index.php files: the one the WordPress install has (root) and the theme’s (wp-content/themes) index.php; and the code declares `function _765258526($i){$a=Array();return base64_decode($a[$i]);}` twice, since it’s inserted in both files, causing it to malfunction.

    So far I have decoded `$GLOBALS['_2143977049_']=Array();
    function _765258526($i){$a=Array();return base64_decode($a[$i]);}
    $GLOBALS['_226432454_']=Array();` there is another part I cannot decode yet.

    Decoding the whole thing would help us find out what the malware script was doing and put a stop to these kinds of recent hacks.

    keesiemeijer
    Moderator

    @keesiemeijer

    I’ve been trying to decode the code given by iramaura: http://pastebin.com/i73NKHiU

    The results of that decoding are: http://pastebin.com/xAeB81uL

    It seems it wants to get code included from: 91.196.216.64/btt.php
    I also think it fails to do this. Not sure though.

    victorciobanu
    Member

    @victorciobanu

    @keesiemeijer you rock! btt.php is the key!

    Logged on to my server and looked for the file; I only found that file on infected WordPress installations. btt.php looks to be related to the Technorati import module and it was used to put some files on the server in /wp-admin/import.

    While looking for the file I noticed something strange in one of my installs in wp-admin/import/wunderbar_emporium!!! Inside this folder there are some files that were not supposed to be there. They were most likely put there by the hacker!

    This is mind-blowing stuff! I will investigate this further and post the results!

    wunderbar_emporium is the name of the Linux exploit responsible for all this hassle! Contact your host providers (I run my own server) and notify them about this (check to see if the files are there first).
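Added example (not code from the thread or from WordPress): the posts above recommend overwriting the core files and report an unexpected folder under wp-admin/import, so this Python sketch compares a live install against a pristine copy of the same WordPress version and lists core files that differ and files the clean copy does not ship. The function names, the skip list and the demo trees are assumptions constructed for illustration; themes and plugins under wp-content are skipped and still need the manual cleaning described in the thread.

```python
import hashlib
import os
import tempfile


def digests(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    out = {}
    for folder, _dirs, files in os.walk(root):
        for path in (os.path.join(folder, name) for name in files):
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_to_clean(site_root, clean_root, skip=("wp-content", "wp-config.php")):
    """Return (modified, unexpected) core files relative to a pristine copy."""
    site, clean = digests(site_root), digests(clean_root)
    modified, unexpected = [], []
    for rel, digest in sorted(site.items()):
        if rel.split(os.sep)[0] in skip:
            continue  # themes, plugins, uploads and local config are site-specific
        if rel not in clean:
            unexpected.append(rel)   # e.g. a folder dropped under wp-admin/import
        elif clean[rel] != digest:
            modified.append(rel)     # e.g. an index.php with injected code
    return modified, unexpected


def build_demo(base):
    files = {  # constructed trees: a pristine copy and an altered live site
        "clean/index.php": "<?php require 'wp-blog-header.php';",
        "clean/wp-admin/import/blogger.php": "<?php // importer",
        "site/index.php": "<?php /* injected */ require 'wp-blog-header.php';",
        "site/wp-admin/import/blogger.php": "<?php // importer",
        "site/wp-admin/import/wunderbar_emporium/placeholder.txt": "constructed",
        "site/wp-content/themes/Leda/footer.php": "<?php // theme file",
    }
    for rel, body in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(base, "site"), os.path.join(base, "clean")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_to_clean(*build_demo(tmp)))
```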

    I have 2 sites affected, with malicious PHP code in the index and footer.php files of the theme used. I removed the code from both and changed the passwords of the WP user and FTP. Is that sufficient, or must I do other things?
    My sites are hosted on Dreamhost too.

    saynototheoffice
    Member

    @saynototheoffice

    @marujobhz In summary:

    – Delete all the themes and plugins you aren’t using
    – Clean code from all footer.php and index.php. You have to look carefully as the hackers hide them with white space.
    – Run the script I linked to above to detect any other malicious code and delete it
    – Change the database password. You have to do that in Dreamhost control panel and unfortunately the new password you set for the ‘user’ will affect all the databases you are using that user to access – if you see what I mean. Then you have to change the WP configuration file with the new DB password – for all sites on your account. Also, if you have any other non WP sites, you will have to change the configuration of them too.

    I’m not an expert, but this worked for me. Good luck. J

    Hi, I’m doing it. One question: are all files listed with “contains base64_decode” infected? In my search, the script itself is listed too: ./find-string.php -> contains base64_decode

    So I ran the find-string script and changed the passwords, and now I have this result.
    Is it normal, or do I have to delete some part of the code? I don’t see the strange code/script in these files…
    ./find-string.php -> contains base64_decode
    ./site/wp-app.php -> contains base64_decode
    ./site/wp-content/themes/themename/scripts/timthumb.php -> contains base64_decode
    ./site/wp-content/plugins/shortcodes-ultimate/lib/timthumb.php -> contains base64_decode
    ./site/wp-content/plugins/gravityforms/form_display.php -> contains base64_decode
    ./site/wp-includes/class-IXR.php -> contains base64_decode
    ./site/wp-includes/class-simplepie.php -> contains base64_decode
    Could not check ./site/wp-includes/js/jquery.js
    thanks!

    saynototheoffice
    Member

    @saynototheoffice

    Not all the files that come up positive necessarily have malicious code. You can normally tell if the code looks dodgy – you have to use your judgment. I think the ones you have listed are OK. I had those too.
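Added example (not code from the thread, and not the find-string.php script the posters ran): a Python triage pass that separates files which merely call base64_decode, like the timthumb.php and class-IXR.php hits listed above, from files showing the traits this thread describes (numeric-named functions and $GLOBALS keys, eval of decoded data, code pushed out of view by whitespace). The regexes, the 100-character whitespace threshold and the sample strings are assumptions constructed for illustration.

```python
import os
import re

# Heuristics based on what the thread describes; the exact regexes are
# assumptions of this example and need tuning on a real site.
SIGNS = {
    "numeric-named function": re.compile(r"function\s+_\d{6,}\s*\("),
    "numeric $GLOBALS key": re.compile(r"\$GLOBALS\[\s*['\"]_\d{6,}_['\"]\s*\]"),
    "eval of decoded data": re.compile(
        r"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.I),
    "code hidden behind whitespace": re.compile(r"[ \t]{100,}<\?php"),
}
B64 = re.compile(r"base64_decode\s*\(", re.I)


def classify(source):
    """Return (verdict, reasons) for one PHP source string."""
    reasons = [name for name, rx in SIGNS.items() if rx.search(source)]
    if reasons:
        return "suspicious", reasons
    if B64.search(source):
        # Plain base64_decode is common in legitimate code (e.g. timthumb.php).
        return "review", ["base64_decode only"]
    return "clean", []


def scan_tree(root):
    """Classify every .php file under root; return {relative path: verdict}."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[os.path.relpath(path, root)] = classify(fh.read())[0]
    return results


# Constructed samples (not the real payload from the thread).
INFECTED_FOOTER = ("</body></html>" + " " * 300 +
                   "<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>")
DECODED_STUB = ("$GLOBALS['_2143977049_']=Array();\n"
                "function _765258526($i){$a=Array();return base64_decode($a[$i]);}")
LEGIT_DECODE = "<?php $image = base64_decode($encoded_image); ?>"

if __name__ == "__main__":
    for src in (INFECTED_FOOTER, DECODED_STUB, LEGIT_DECODE):
        print(classify(src))
```

A "review" verdict still calls for the manual judgment described in the post above; only "suspicious" files match the shape of the injected code.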

    OK, I think now it’s OK. How can I ask Google to remove the malicious-site alert? Is it possible? I installed the plugin ‘Secure WordPress’, which uses ‘Website Defender’ to scan the website, and it shows me these alerts:
    Malware
    SpamHaus – DNS1 – ns1.dreamhost.com.
    Is it possible that Dreamhost has the virus/malware inside the web server/host?
    Thanks.
    Keep in touch to verify and propose solutions.
    Best regards!

    saynototheoffice
    Member

    @saynototheoffice

    You have to request a review from within Webmaster tools. Can’t answer the other questions, sorry.

    hi again,

    the script from Red Leg blog is a fine little tool, though it lists “healthy” files as well (but it really doesn’t matter).

    how old is this kind of malware attack? have such attacks happened in the past and how often do such malicious attacks happen?

    which WP plugins may strengthen websites’ security, i.e. which ones from the link I attached earlier would You recommend?

    many thanks for all Your efforts.

    cheers!

    keesiemeijer
    Moderator

    @keesiemeijer

    This dumb hack hit me too. Second time I’ve been hacked in two months. My friend who uses Dreamhost got hit by it as well. It’s unfortunate as my friends are talking about switching to Drupal because of WordPress being targeted so much and broken into so easily these days.

    Any fix for this?

    Second time my indexs.php has been changed, all the passwords have been changed last time…

  • The topic ‘Fatal error: Cannot redeclare _765258526()’ is closed to new replies.