Support » Plugins and Hacks » PHP eval(base64_decode(……..)) what does this mean and what to do?

  • Resolved Leo

    (@wp_new_user)


    Hi there,

    Yesterday I suddenly discovered that one of my websites doesn’t load. I tried to open the WP Dashboard, but no success either. All I can do is view my WP files from FTP account and also MySQL Database.

    I have found eval(base64_decode(……..)) in almost every PHP file I opened. I read some articles but each one has a different problem and they were able to log in to their dashboards.

    I would like to know what this is and what’s the reason?
    Should I remove all the content of the folder and reinstall WordPress again?

    Thanks in advance!

Viewing 5 replies - 1 through 5 (of 5 total)
  • andrewmills

    (@andrewmills)

    It sounds like your WordPress site has been compromised. This WordPress Codex item is a good place to start.

    andrewmills

    (@andrewmills)

    As for what this is, and what’s the reason . . . sometimes people will encrypt their code in base64 to make it more difficult to spot as malicious code, or to keep people from readily seeing what the code actually does.

    If you really want to decrypt the code and analyze what the code would do, you can find several base64 decoders online. Here’s one, for example.

    Leo

    (@wp_new_user)

    Hi Andrew.

    I have read it all, cleaned all the files from the encrypted code and made a copy. Now I am going to install a new copy of WordPress.

    Also I have decrypted the code.

    Thanks!

    andrewmills

    (@andrewmills)

    Sounds good. When you are ready to make things more difficult for people who want to compromise your website in the future, you may want to study this: http://codex.wordpress.org/Hardening_WordPress.

    Leo

    (@wp_new_user)

    Yeah, sure.
    I read it, and also I found a good article on Hardening PHP.

    Thank you!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘PHP eval(base64_decode(……..)) what does this mean and what to do?’ is closed to new replies.