Fixing “eval(base64” in WordPress

Today’s “to do” list was obliterated by the need to fight malware on 8 of my websites running WordPress (all on a shared hosting account). A plugin introduced a “base64 code” onto every single .php file of the WordPress system which redirected referring links to a malicious site. (I won’t even type in the link, to ensure it doesn’t get any more links from me.) Essentially, my websites worked great, all content accounted for. However, if someone attempted to visit my site from aol, yahoo, google, google+, facebook, myspace and more, then they would be sent to the other site.

This obviously is a HUGE problem and I have learned a lot from this experience.

My purpose in writing is to offer a solution to others with the problem. All it requires is Notepad++ & an ftp client.

REQUIREMENTS

INSTRUCTIONS:

  • Download all files to your computer from where your WordPress System is installed. This can be either your root (“public_html”) or in a sub folder (“public_html/blog”).
    • wp-admin
    • wp-includes
    • wp-content
    • all other misc. files
  • Open up “index.php” – immediately you should see a code like this:

[Image: base 64 code example]

The code that is creating all of your problems is:

eval(base64_decode(

));

That long string of code can be decoded using this website where you will find out what the code is actually doing.

  • Next step is to remove that code from every .php file in your site, which would be disastrous if you had to do it manually. However, thanks to Notepad++ and the “Find in Files” tool, this is actually quite a bit easier.
  • Highlight the code to be removed “eval(base64_decode( ));”
  • Click “Search > Find in Files” or Keyboard shortcut: Ctrl + Shift + F
  • The Find What field should now be filled out with your highlighted code.
  • Leave the Replace With field empty. (Because we are deleting the code to nothing)
  • Leave the Filters drop down empty. (It will auto populate as *.* when you perform the search)
  • In the Directory box, navigate to wherever you downloaded your site to.

Your Find in Files prompt should look similar to this:

[Image: base 64 code example]

  • Now press Replace in Files. You will have a pop up that says “Press enter to cancel” DO NOT CLOSE OR PRESS OK on this prompt.
  • When the program completes the replacement you will get a new pop up that says something along the lines of, “Replaced 1287 occurrences.”

At this point your site is officially cleaned of spam base64 code. Upload the new site files and voila! Good as new.
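
To inspect and verify the downloaded copy without relying on an online decoder, here is an added example (not part of the original post) that finds every eval(base64_decode(...)) call in the .php files, decodes the payload for reading only, strips the calls, and re-scans. The function names and the sample files in demo() are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode('...')); with optional whitespace and either quote style.
INJECTED = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)\s*;?"
)


def scan_tree(root):
    """Return {path: [decoded payload, ...]} for every .php file with a hit."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = INJECTED.findall(path.read_bytes())
        if found:
            # Decode for reading only; the payload is never executed.
            hits[str(path)] = [
                base64.b64decode(b"".join(blob.split())).decode("utf-8", "replace")
                for _quote, blob in found
            ]
    return hits


def strip_tree(root):
    """Remove every matched call in place; return the number of replacements."""
    total = 0
    for path in Path(root).rglob("*.php"):
        cleaned, count = INJECTED.subn(b"", path.read_bytes())
        if count:
            path.write_bytes(cleaned)
            total += count
    return total


def demo():
    """Constructed sample tree: one injected file and one clean file."""
    payload = base64.b64encode(b"/* constructed placeholder payload */").decode()
    with tempfile.TemporaryDirectory() as root:
        bad = Path(root, "index.php")
        bad.write_text("<?php eval(base64_decode('%s')); ?>\n<?php echo 'hi'; ?>\n" % payload)
        Path(root, "wp-content").mkdir()
        Path(root, "wp-content", "clean.php").write_text("<?php echo 'ok'; ?>\n")
        before = scan_tree(root)
        replaced = strip_tree(root)
        return before, replaced, scan_tree(root), bad.read_text()
```

Call scan_tree() on the folder you downloaded before cleaning to read what the payload does, and again after cleaning; an empty result shows only that this one pattern is gone from the files scanned.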

Be sure to only use trusted plug-ins, block spam comments & users, and above all back up your site often.

WANT TO LEARN MORE?

  • See J.T. Pratt for his post about similar attacks.
  • DesignPX also wrote an article about this attack.
  • As well as Sucuri for their malware site checker.