pjholden

Looks like this issue is to do with the version of cURL on the host server:

http://web.archiveorange.com/archive/v/XZYvy9JytAk5SqOwgSUB

I’ve had the same error messages and think I’ve come to the same conclusion as epiyoo

First thing I did was checked one of my theme files – and I found the

/**/eval(base64_decode(

I stripped out the characters from that, and decoded them which revealed the following php code:
if(function_exists(‘ob_start’)&&!isset($GLOBALS[‘sh_no’])){$GLOBALS[‘sh_no’]=1;if(file_exists(‘/home/directory/www/libs/templates/skel/views/elements/email/html/copper.php’))

I dug into the file copper.php (which was never placed there by me) and found it was further obfusticated code. Which I deleted and replaced with “echo ‘Hello World!'” doing that revealed just how often that copper.php file was called.

I upgraded my wordpress install, but “Hello World!” still appeared so I went digging into my template files/plugins where I discovered, again, that “/**/eval(base64_decode(” was the first line of many of those. I deleted and reinstalled the templates that seemed to to be calling it (and double checked them afterwards). Then I went through my plugins – one at a time – not all of them seem to be calling the code, but lots did. So I simply deleted the line from them.

Once done, I deleted the copper.php file. I think it’s clean now. But blimey, that was a nightmare… And I’m pretty sure it’s been on my site for some time (despite upgrading everytime there’s an upgrade available – I think it got in via a backdoor on an earlier build of WP and has just clung on, malignantly in the plugins and themes, which is why further upgrades haven’t shifted them).

-pj