#1 Registered User (Devshed Newbie, 0 - 499 posts; joined Oct 2012; 3 posts; rep power 0)

    Need help removing Wordpress/Server base64_decode

    So... day 4 of attempting to completely remove an eval(base64_decode); that's been inserted into my PHP files across my wordpress sites. It seems that it's deeper than I initially thought, as it's affected numerous separate WP installations on my server. Here's what I've done so far, maybe someone can help me further.

    I've done a grep -r for just about anything related to the iframe that's produced, and I've found things like:
    Code:
    /wp-app.php: explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
    /wp-app.php: explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
    /wp-includes/class-IXR.php: $value = base64_decode( trim( $this->_currentTagContents ) );
    /wp-includes/class-simplepie.php: $data = base64_decode($data);
    /wp-content/plugins/mystat/mystat.php: function v3g3($s){return base64_decode($GLOBALS['myStat_on']);};
    Are these related? Should they be removed?

    I've removed this bit numerous times from various theme files, but it keeps coming back:
    Code:
    eval(gzinflate(base64_decode("bZFNT8...eA5+=="))); ?>
    slipfive/www/theswitchny/wp-content/themes/dj-wild/index.php:<?php eval(gzinflate(base64_decode('ADgGx/...EAAP//')));?>
    No, I'm not looking for a Google'd link, believe me, I've done enough of that... unless it's something I've missed, I'm looking for some real help from someone who's dealt with this... it seems to be happening a lot lately, so someone has to have removed it completely. It's possible I may have to just let go and re-install, but maybe there's a way, anyone?
    Last edited by requinix; October 3rd, 2012 at 02:19 PM. Reason: trimmed out malicious code
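As an added example for this thread (it is not the poster's grep and not WordPress code), here is a small Python scanner that does what the `grep -r` above does but separates the two kinds of hit the grep lumps together: a decoder chain fed straight into `eval()` on a long string literal, which is the injected code shown in the post, and an ordinary `base64_decode()` call that WordPress core itself uses (wp-app.php decoding the HTTP Basic auth header, class-IXR.php, class-simplepie.php), which only needs to be checked against a clean copy of the same file. The sample tree it scans is constructed inline; the base64 literal in it is a dummy that does not inflate to anything and merely has the shape the scanner looks for.

```python
"""Scan a tree of PHP files for eval(gzinflate(base64_decode('...'))) injections.

Added example for this thread; not the poster's grep and not WordPress code.
Verdicts:
  MALICIOUS  eval() applied to one or more decoder calls on a long literal
  REVIEW     any other base64_decode() call; compare against clean source
  CLEAN      nothing of interest on the line
"""
import os
import re
import tempfile
from typing import List, Tuple

# eval( <one or more decoder calls>( 'long base64-looking literal'
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*(?:(?:gzinflate|base64_decode)\s*\(\s*)+"
    r"['\"][A-Za-z0-9+/=]{20,}['\"]",
    re.IGNORECASE,
)
# Any base64_decode() call at all: lower severity, review against clean source.
ANY_B64 = re.compile(r"base64_decode\s*\(", re.IGNORECASE)


def classify_line(line: str) -> str:
    """Return MALICIOUS, REVIEW or CLEAN for one line of PHP."""
    if EVAL_CHAIN.search(line):
        return "MALICIOUS"
    if ANY_B64.search(line):
        return "REVIEW"
    return "CLEAN"


def scan_tree(root: str) -> List[Tuple[str, int, str, str]]:
    """Walk root; return (relative path, line no, verdict, snippet) for each non-clean line."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    verdict = classify_line(line)
                    if verdict != "CLEAN":
                        hits.append((rel, lineno, verdict, line.strip()[:80]))
    return hits


def build_sample_tree() -> str:
    """Write a constructed sample tree (not real WordPress files) into a temp dir.

    The base64 literal below is a constructed dummy; it does not inflate to
    anything and only has the shape the scanner looks for.
    """
    root = tempfile.mkdtemp(prefix="wpscan_")
    samples = {
        # legitimate core use: decoding the HTTP Basic auth header
        "wp-app.php": "<?php\n$u = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));\n",
        # injected obfuscated code prepended to a theme file
        "wp-content/themes/demo/index.php": (
            "<?php eval(gzinflate(base64_decode('QUJDREVGR0hJS0xNTk9QUVJTVFVWV1hZWjAxMjM0NTY3ODk='))); ?>\n"
            "<?php get_header(); ?>\n"
        ),
        # plugin that decodes a value from $GLOBALS: not proven bad, but worth a look
        "wp-content/plugins/mystat/mystat.php": "<?php function v3g3($s){return base64_decode($GLOBALS['myStat_on']);};\n",
        "wp-includes/clean.php": "<?php echo 'hello'; ?>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, lineno, verdict, snippet in scan_tree(build_sample_tree()):
        print(f"{verdict:9} {rel}:{lineno}: {snippet}")
```

Run against a real site by calling `scan_tree("/path/to/docroot")`; every MALICIOUS line is one to remove, and every REVIEW line should be diffed against the same file in a fresh download of that WordPress release before deciding.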
#2 Sarcky (Devshed Supreme Being, 6500+ posts; joined Oct 2006; Pennsylvania, USA; 10,908 posts; rep power 6352)
    Your site has been seriously compromised. Shut it down. Remove all instances of this bad code (or re-export from source control). Upgrade PHP, your webserver, and any other services that listen on ports.

    If this is a shared host, move to a new one.

    There aren't really any "tips" for recovering from a server hack. Shut it down, clean it out, and come back.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
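As an added example of the "re-export from source control" advice above (not code from the poster, from Sarcky or from WordPress), the following Python compares a deployed tree against a clean export of the same WordPress version by hashing every file in both and listing what was modified, added or removed on the server. Files that legitimately differ (wp-config.php, uploads) will appear in the lists too; the point is that the result is short enough to review by hand instead of grepping for one string. The two sample trees are constructed inline and the injected line is a placeholder, not a real payload.

```python
"""Compare a deployed WordPress tree against a clean export of the same version.

Added example for this thread; not the poster's code and not WordPress code.
hash_tree() maps relative paths to SHA-256 digests; compare_trees() reports
modified, added and missing files judged from the clean tree.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def hash_tree(root: str) -> Dict[str, str]:
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(clean_root: str, deployed_root: str) -> Dict[str, List[str]]:
    """Return sorted lists of modified, added and missing paths relative to the clean tree."""
    clean = hash_tree(clean_root)
    deployed = hash_tree(deployed_root)
    return {
        "modified": sorted(p for p in clean if p in deployed and clean[p] != deployed[p]),
        "added": sorted(p for p in deployed if p not in clean),
        "missing": sorted(p for p in clean if p not in deployed),
    }


def _write(root: str, files: Dict[str, str]) -> None:
    """Write {relative path: content} under root, creating directories as needed."""
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def build_sample_trees() -> Tuple[str, str]:
    """Constructed sample (not real WordPress content): a clean export and a deployed
    copy with one injected theme file, one dropped-in plugin and one deleted file."""
    clean = {
        "wp-app.php": "<?php // core file\n",
        "wp-includes/class-IXR.php": "<?php // core file\n",
        "wp-content/themes/demo/index.php": "<?php get_header(); ?>\n",
        "readme.html": "<html>readme</html>\n",
    }
    deployed = dict(clean)
    del deployed["readme.html"]
    # constructed placeholder standing in for the injected line, not a real payload
    deployed["wp-content/themes/demo/index.php"] = (
        "<?php eval(gzinflate(base64_decode('CONSTRUCTED_PLACEHOLDER'))); ?>\n"
        + clean["wp-content/themes/demo/index.php"]
    )
    deployed["wp-content/plugins/mystat/mystat.php"] = "<?php // unknown plugin\n"
    clean_root = tempfile.mkdtemp(prefix="wp_clean_")
    deployed_root = tempfile.mkdtemp(prefix="wp_deployed_")
    _write(clean_root, clean)
    _write(deployed_root, deployed)
    return clean_root, deployed_root


if __name__ == "__main__":
    report = compare_trees(*build_sample_trees())
    for kind, paths in report.items():
        print(kind, paths)
```

On a real host the clean tree is a fresh download of the exact same WordPress, theme and plugin versions; anything in "modified" or "added" that you did not put there yourself is what to replace, and the comparison is worth repeating after the rebuild to confirm the files stay clean.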
#3 Registered User (Devshed Newbie, 0 - 499 posts; joined Oct 2012; 3 posts; rep power 0)
    It just seems to me that removing all of the bad scripts and files that are sitting in there, then disabling base64_decode in my php.ini should work...maybe it's just easier to wipe everything, I guess. =(
#4 Sarcky (Devshed Supreme Being, 6500+ posts; joined Oct 2006; Pennsylvania, USA; 10,908 posts; rep power 6352)
    There's nothing special about base64; disabling it is like leaving all your windows unlocked, and then locking the ones that burglars use. They'll just use another one.
#5 Registered User (Devshed Newbie, 0 - 499 posts; joined Oct 2012; 3 posts; rep power 0)
    Originally Posted by ManiacDan
    There's nothing special about base64; disabling it is like leaving all your windows unlocked, and then locking the ones that burglars use. They'll just use another one.
    Thanks for the analogy... upsetting but helpful. =(
