Eval base64 Hack Solutions

eval base64 on WordPress or other Sites

WordPress and other CMS powered sites are often targets for hackers who mass-inject some code into php and or html files.

What to look for

The cases I came across so far showed a hack just before the closing body tag in form of a short script pointing to an external source. Also, in some cases I found some php file in the uploads folder (in WP the uploads folder should not contain any php files).

Once the script executed, a long string starting something like this:


<?php /**/ //eval(base64_decode("aWYoZ...

is placed on php and/or htm/html files. This eval base64 encoded and injected PHP code will hit all php archives.

WordPress Theme Yorgo

How to get rid of the hack without destroying your site

To start with: change your passwords (FTP and Admin). Make sure your site script WP and Plugins are updated.

Check your footer.php (theme folder) and delete eventually the script added by the hack (or just load your backed up footer.php and replace the file).

Check your uploads folder for php files and delete them. Check your plugins folder for unusual php files and as the case may be delete them.

If you are not familiar with Ruby, PuTTY and Shell access, then there is a relatively simple solution available by running a php script from your root. The script will back-up the hacked files, replace the hack with another string and save the repaired file.

A second script can be used to delete the backed-up hacks once we are sure that all works fine.

These scripts have been developed by Sergi Rodrigues Rius and published on his spanish website. They work on the most common php CMS.

Download from HERE.

Upload the search_and_replace.php into the root folder of your site and run it by opening the page in your browser.

Once you are sure all is working fine, run the second script (this can be done after a few days or weeks).

  2 comments for “Eval base64 Hack Solutions

  1. May 15, 2015 at 6:20 pm

    You know I’m not sure if it’s me or perhaps your web page but it’s launching seriously slowly
    for me personally, it took me just like a minute in order to load
    on the other hand facebook operates absolutely for me.
    However thanks for submitting fabulous article. I believe
    this has been seriously useful to user who
    visit here. This one is actually brilliant what you actually
    have done and wish to see a lot more content from
    your site. I ‘ve got you saved to my bookmarks to look at blog you post.

  2. April 27, 2012 at 12:59 am

    Wish I had had this information when my site was hacked by this virus. Great to know there is a solution available.

Leave a Reply

Your email address will not be published. Required fields are marked *