WordPress.org

Forums

eval and base64_decode found! Is my website hacked? (8 posts)

  1. Shekhar
    Member
    Posted 2 years ago #

    Exploit scanner plugin shows eval and base64_decode codes after 3.4.2 installation which I removed later on:

    Please Check

    I just wanted to know if it is a possible security issue!

    Thanks!!

  2. Krishna
    Volunteer Moderator
    Posted 2 years ago #

  3. poddys
    Member
    Posted 2 years ago #

    It definitely sounds like you were hacked.
    Manually editing the infected php scripts several times on my site resulted in them being re-infected within 30 minutes.
    I recommend taking full database backups, as well as taking screen shots and making lists of your plugins etc.
    Try exporting the posts/pages etc as well - you might need multiple forms of backup to restore.
    Be sure to disable all users as well, except Admin, so nobody else can log in.
    When you have saved everything, take your site(s) offline, clean up the database (there are posts on how to do this - sorry I don't have them handy), and try a fresh install from scratch.
    Change your passwords too!!!
    Good Luck.

  4. Shekhar
    Member
    Posted 2 years ago #

    @poddys what I found is, those codes are in the default installation files of WordPress 3.4.2.

    Just download WordPress and check in those files, you will find eval and base64_decode codes..

  5. Krishna
    Volunteer Moderator
    Posted 2 years ago #

    Just download WordPress and check in those files, you will find eval and base64_decode codes..

    @Shekhar,

    Did you confirm that the codes are harmful? Sorry, I have not gone through version 3.4.2 and hence cannot give you any opinion on it.

    BTW, can you tell us the file/ folder where you found the codes which you found as harmful?

  6. Shekhar
    Member
    Posted 2 years ago #

    @Krishna it is already been proved that eval and base64_decode are in use to hack WordPress. May be you don't know that...

    Besides, Check the files and folders on the screenshot link on my first post.

    &

    If you like, install Exploit scanner plugin to confirm.

    Thnx

  7. cooeeman
    Member
    Posted 2 years ago #

    had similar issue after updating WordPress 3 days ago have found all index.php files infected with base64_decode, even the two themes supplied with WP where affected. Have had to delete each index.php file in the wordpress core plus all themes. Sites hosted on mediatemple, Also noticed each infected site had a file in the root with list of IP address. file name: 9fec9686a688eb028f2ca1506bc4b9ac

    Would welcome any ideas what this exploit is and how best to deal with it.
    So far have replaced all instances of index.php plus deleting the above file from the root dir.

Topic Closed

This topic has been closed to new replies.

About this Topic