WordPress and other CMS-powered sites are often targets for hackers who mass-inject code into PHP and/or HTML files.

What to look for

The cases I came across so far showed a hack just before the closing body tag in the form of a short script pointing to an external source. Also, in some cases I found a PHP file in the uploads folder (in WP the uploads folder should not contain any PHP files).

Once the script has executed, a long string starting something like this:

<?php /**/ //eval(base64_decode("aWYoZ...

is placed in PHP and/or htm/html files. This injected, base64-encoded eval code will hit all PHP files.

How to get rid of the hack without destroying your site

To start with: change your passwords (FTP and Admin). Make sure your site software (WP and plugins) is up to date.

Check your footer.php (theme folder) and delete the script added by the hack, if present (or simply replace the file with your backed-up footer.php).

Check your uploads folder for PHP files and delete them. Check your plugins folder for unusual PHP files and delete them where appropriate.
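
As an added example (not part of the original post and not the scripts by Sergi Rodrigues Rius), the following read-only Python scan reports the signs listed under "What to look for" in a downloaded copy of the site: PHP files under an uploads folder, the eval(base64_decode( marker, and a script loaded from an external address directly before the closing body tag. The function names, the regular expressions and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Marker described above: eval(base64_decode("...")) placed in PHP/HTML files.
INJECTION = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
# A <script src="http(s)://..."> sitting directly before </body> (assumed pattern).
TAIL_SCRIPT = re.compile(
    rb"<script[^>]+src\s*=\s*[\"']?(?:https?:)?//[^>]*>\s*</script>\s*</body>", re.I)
SCANNED = {".php", ".htm", ".html"}

def scan(root):
    """Return sorted (relative_path, reason) findings; files are only read."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED:
            continue
        rel = path.relative_to(root)
        if path.suffix.lower() == ".php" and "uploads" in rel.parts[:-1]:
            findings.append((rel.as_posix(), "php-in-uploads"))
        data = path.read_bytes()
        if INJECTION.search(data):
            findings.append((rel.as_posix(), "eval-base64"))
        if TAIL_SCRIPT.search(data):
            findings.append((rel.as_posix(), "external-script-before-body-close"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree (not real site data) for demonstration."""
    root = Path(root)
    files = {
        "index.php": b'<?php /**/ eval(base64_decode("QUJD")); ?>\n<?php echo 1;',
        "wp-content/themes/t/footer.php":
            b'<p>footer</p>\n<script src="http://example.invalid/x.js"></script></body>',
        "wp-content/uploads/2010/img.php": b"<?php echo 'x';",
        "wp-content/uploads/2010/photo.html": b"<html><body>ok</body></html>",
        "about.html": b'<html><body><script src="/js/site.js"></script></body></html>',
    }
    for name, body in files.items():
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan(build_sample(tmp)):
            print(f"{reason:36} {rel}")
```

The external-script finding is a heuristic: a legitimate script placed by the theme right before the closing body tag will also be reported, so review each hit before deleting anything.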

If you are not familiar with Ruby, PuTTY and Shell access, then there is a relatively simple solution available: running a PHP script from your root. The script will back up the hacked files, replace the hack with another string and save the repaired file.

A second script can be used to delete the backed-up hacks once we are sure that all works fine.

These scripts have been developed by Sergi Rodrigues Rius and published on his Spanish website. They work on the most common PHP CMS.

Download from HERE.

Upload the search_and_replace.php into the root folder of your site and run it by opening the page in your browser.

Once you are sure all is working fine, run the second script (this can be done after a few days or weeks).

