Fixing eval(base64_decode in WordPress
Today’s “to do” list was obliterated by the need to fight malware on 8 of my websites running WordPress (all on a shared hosting account). A plugin introduced a “base64 code” into every single .php file of the WordPress system, which redirected referring links to a malicious site. (I won’t even type in the link, to ensure it doesn’t get any more links from me.) Essentially, my websites worked great, with all content accounted for. However, if someone attempted to visit my site from AOL, Yahoo, Google, Google+, Facebook, MySpace and more, they would be sent to the other site.
This obviously is a HUGE problem and I have learned a lot from this experience.
My purpose in writing is to offer a solution to others with the problem. All it requires is Notepad++ & an ftp client.
Requirements:
- Basic knowledge of WordPress and php
- Notepad++
- FTP client
Instructions:
- Download all files to your computer from where your WordPress System is installed. This can be either your root (“public_html”) or in a sub folder (“public_html/blog”).
- wp-admin
- wp-includes
- wp-content
- all other misc. files
- Open up “index.php” – immediately you should see a code like this:
The code that is creating all your problems is
eval(base64_decode(
));
That long string of code can be decoded using this website where you will find out what the code is actually doing.
- The next step is to remove that code from every .php file in your site, which, if you had to do it manually, would be disastrous. However, thanks to Notepad++ and the “Find in Files” tool, this is actually quite a bit easier.
- Highlight the code to be removed “eval(base64_decode( ));”
- Click “Search > Find in Files” or Keyboard shortcut: Ctrl + Shift + F
- The Find What field should now be filled out with your highlighted code.
- Leave the Replace With field empty. (We are replacing the code with nothing, i.e. deleting it.)
- Leave the Filters drop down empty. (It will auto populate as *.* when you perform search)
- In the Directory box, navigate to wherever you downloaded your site to.
Your Find in Files prompt should look similar to this:
- Now press Replace in Files. You will get a pop-up that says “Press enter to cancel”. DO NOT CLOSE OR PRESS OK on this prompt.
- When the program completes the replacement you will get a new pop-up that says something along the lines of, “Replaced 1287 occurrences.”
At this point your site is officially cleaned of spam base64 code. Upload the new site files and voila! Good as new.
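The Find in Files pass above, as an added Python script that is not from the post or from Notepad++: it walks a downloaded copy of the site, reports each eval(base64_decode(...)) hit with its decoded payload so you can read what it does (decoded, never executed), and with fix=True strips the statement after writing a .bak copy of each affected file. The regular expression and the constructed sample file are assumptions; real injections vary in quoting and layout, so review the hits before fixing.

```python
import base64
import re
from pathlib import Path

# One-line eval(base64_decode("...")); statement as the post describes it.
# Assumption: the argument is a single quoted base64 literal; real injections vary.
INJECT_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)\s*;?""")

def decode_payload(b64):
    """Decode the base64 argument so it can be read; it is never executed."""
    try:
        return base64.b64decode("".join(b64.split()), validate=True).decode("utf-8", "replace")
    except ValueError:
        return "<not valid base64>"

def scan_text(text):
    """Return every injected statement in one file's text, with line number and decoded payload."""
    hits = []
    for m in INJECT_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append({"line": line_no, "payload": decode_payload(m.group(2))})
    return hits

def clean_text(text):
    """Delete the injected statements (the post's empty Replace With field); returns (text, count)."""
    return INJECT_RE.subn("", text)

def scan_tree(root, fix=False):
    """Walk a downloaded site copy; report hits per .php file and, with fix=True, strip them after a .bak copy."""
    report = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = scan_text(text)
        if not hits:
            continue
        report[str(path)] = len(hits)
        for h in hits:
            print(f"{path}:{h['line']}: payload starts {h['payload'][:60]!r}")
        if fix:
            path.with_name(path.name + ".bak").write_bytes(path.read_bytes())
            path.write_text(clean_text(text)[0], encoding="utf-8")
    return report

# Constructed sample: an index.php with the injection prepended, as the post describes.
SAMPLE_PAYLOAD = base64.b64encode(b"/* constructed sample payload */").decode()
SAMPLE_PHP = (f'<?php eval(base64_decode("{SAMPLE_PAYLOAD}")); ?>\n'
              '<?php\n/* normal WordPress index.php follows */\n'
              'require("./wp-blog-header.php");\n')
```

Run scan_tree("path/to/downloaded/site") first without fix to see every hit and its decoded payload, then again with fix=True once you are satisfied the matches are only the injected code.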
Be sure to only use trusted plug-ins; block spam comments & users and above all backup your site often.
Want to Learn More?
- See J.T. Pratt for his post about similar attacks.
- DesignPX also wrote an article about this attack.
- As well as Sucuri for their malware site checker.


This walk-through might be the greatest thing I have ever found in the history of the Internet. I had the eval(base64_decode thing hit one of my sites (due to my own laziness, I must admit) and your solution fixed it in about 10 minutes when it would have otherwise probably cost my months of time and hundreds of dollars. Good one.
Thank you SO much – I really needed the search-in-files function in Notepad++. Superb guide.
Just in case anyone is interested, I created a script that would scan all your php, js and .htaccess files and would remove several types of malware inserted codes.
check out my script at my website http://ombing.info/2012/10/20/php-malware-scanner/