php decode hacked my sites. Is it Virus

[spidersense101]

I Found a problem on my site and when i compare the files on the server with my local files i found that every page (*.js or *.php) has this line on it
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC
or a javascript line

so i knew that my site has been hacked..
so
1 - i want to know how to prevent anyone to hack my site?
i made on every textfield or textarea on posting or getting it the htmlspecialcharacter($_POST['name'])

is this true? and can it help me?
2- how did anyone hack my site??
3- how i can know what does this code mean???
thanks in advance and have a nice day

Please help me. i am in trouble..If this is not the right place to post.

Than i request to DP Admin that please move my post to right Forum.

Thanks

[mastermunj]

its not hacked.. its been infected by malicious script..

if you have backup copy of your files, then immediately delete these files and after putting files back from backup, change its permission to 755 or 766 after consulting a linux expert.

[spidersense101]

I have also try to do with 744 but not secure ....... please give me more suggestion on that.

Thanks

[mastermunj]

no no.. do not just change it to 744... first replace affected files with clean files from backup.

it might also be possible due to shared hosting, may be your domain was not affected but since other domain which is co-hosted on same server as yours got affected and that affected your files too.

stay calm and follow all security steps one by one with guidance from your host and it all will be fine soon.

[VouchersGG]

what the link site you has been hacked ?
i think i can help you

[dsignresponder]

Read this article and try to follow the steps. It helped me to decode some malicious script on a host :
http://danilo.ariadoss.com/decoding-...-base64-decode

Hope that might help...

[Gray Fox]

Can you paste the full "eval'd" code here? It shouldn't be too hard to decode and investigate it.

[jestep]

If you found an eval( code in your php, your site/server is hacked. The only way to insert this on a page is via command line or ftp, or a very unprotected script that allows user input to be processed.

Look at the modified date of the affected pages, and look through your logs to try and figure out how the compromise happened.

[Stephie]

I had the same thing happen to my sites. I hate hackers !

[rainborick]

When you find your site has been hacked, you need to do two things: (1) remove the hacked files, and (2) close the hole in your security that allowed the hacker to gain access to your site.

First, run your regular anti-virus scan on your own computer. Then run an anti-malware or anti-virus program that you don't use regularly in order to get a "second opinion". Once you've done that and repaired any problems, you should change the passwords on all of the FTP accounts for your site. Next, delete all of the files on the site and then restore them from known clean copies on your computer. Then be sure to update all blog, forum, gallery, or other scripts that are running on your site to get the latest version because hackers most often gain access through known vulnerabilities in these scripts. Finally, download the resulting files for your site back down to your computer so that you have the current copies available to restore again. This process should clean your site and give you good protection against further problems.

[MattyAsia]

I met this virus just a few weeks ago, it seemed to have come in through some gallery software.
If it's the same, it will have added itself to the start of ever PHP file on your site.
What you need to do is decode the message, and then find the file that started it, and first delete that file, check the software that the file was in the folder of for updates and update asap, then it's a matter of cleaning each and every php file. Though without the root file, they mostly do nothing, though that depends on the virus to be honest.

If you post the full text, I can maybe help more.