Hi experts, my web pages are getting code automatically added with eval(base64_decode followed by a long string. I asked this question in the PHP section too, and the experts there suggested that I should not save the password in my FTP, should change all the passwords, and put my backup live. But none of this is working, because that unknown code is getting added every day to my web pages. I want to know whether my website is being hacked or my code is affected by malware, so that I first know where the problem is. Please suggest the best way to avoid this problem. Thanks
nehrav, see the links in my signature for the various possibilities. It can be a security weakness in your website, or on your personal PC, or it can be that your whole server, not just your website, is hacked.
One thing I notice is that my website is not showing this message in Google search results: "This site may harm your computer". So does it mean that my website is not infected with a virus and the problem is due to code injection?
    eval(base64_decode('ZWNobyAiSGFsbG8gd29ybGQhIjs='));
This will print "Hallo world!"
    eval(base64_decode('aW5jbHVkZSAkcmVtOw=='));
Gives the attacker the possibility to backdoor your site and use your site to hack/edit other sites on the same host, send spam or use any script of their own on your site. And this is not a virus for Google. Your eval(base64_decode can be anything.
It's more than likely something the theme developer added for tracking. If it's not throwing up a 'This site may harm your computer', that means that after Google has combed your site, no additional processes or services became apparent on the PC used to comb. Hope this helps.
Please see my post here on DPF on how to secure your Wordpress installations: http://forums.digitalpoint.com/showthread.php?t=1563995
Is this the start of some of the code you're seeing: <?php eval(base64_decode('aWYo If so, you may also have a file in any or all images folders that is named gifimg.php. I've also seen the same file with various other common names, but often it's in the images folder. If you Google gifimg.php you can find my blog post which talks more about this. This allows the hackers to send command strings to your site and infect it whenever they want to. It's often also inserted as the first line in many .php files, which activates whenever someone accesses that webpage. The original assessment was correct. More than likely your website was hacked by stealing the FTP credentials from a PC with FTP access to your website. First, change all FTP passwords. Second, scan all PCs with FTP access to your site for viruses. Sometimes I've seen where these viruses/trojans know how to evade detection from the currently installed anti-virus program. You may have to install a different anti-virus program to find and remove it. Many have had good success with AVG, Avast or Avira. Use one of those with Malwarebytes and you should be able to find and remove the virus. Then, if you're using an FTP program that stores the login credentials in plain text, get a different FTP program. Check www.unmaskparasites.com for a list of programs that fit the above description. Read their blog. You have to be sure you find every file with that string in it; otherwise the hackers will just keep on re-infecting your site. It might be that the reason Google hasn't flagged your site yet is that the code is there but the hackers haven't used it yet. I've seen sites that had that code inserted back in April and it wasn't used by the hackers until recently. If you're using a PC, check out grepWin. It's awesome at searching and replacing strings like what you've found. Post back here if you have more questions.
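Added example (not part of any post in this thread): a read-only Python scan for the two signs described above, an eval(base64_decode('...')) line injected into a page and a .php file sitting in an images folder. Each payload is decoded for review and never executed; the extension list, the folder names and the sample site built in a temporary directory are assumptions constructed for the illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) with either quote style and optional whitespace
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)", re.I)
SCRIPT_EXT = {".php", ".phtml", ".html", ".htm", ".js"}   # assumed list of page types
UPLOAD_DIRS = {"images", "img", "uploads"}   # assumed names of static-content folders


def decode_payload(b64):
    """Decode the string statically; the result is only displayed, never run."""
    try:
        return base64.b64decode(b64).decode("utf-8", "replace")
    except ValueError:   # binascii.Error (bad padding) is a ValueError
        return "<not valid base64>"


def scan(webroot):
    """Return sorted (relative path, reason, decoded payload) findings."""
    root, findings = Path(webroot), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXT:
            continue
        rel = path.relative_to(root)
        in_upload = UPLOAD_DIRS & {part.lower() for part in rel.parts[:-1]}
        if in_upload and path.suffix.lower().startswith(".ph"):
            findings.append((rel.as_posix(), "php-in-upload-dir", ""))
        for m in INJECT_RE.finditer(path.read_bytes()):
            text = decode_payload(m.group(2))[:200]
            findings.append((rel.as_posix(), "eval-base64", text))
    return sorted(findings)


def build_sample(root):
    """Constructed sample site: a clean page, an injected page, a stray script."""
    root = Path(root)
    (root / "images").mkdir()
    (root / "about.php").write_text("<?php echo 'clean'; ?>\n")
    (root / "index.php").write_text(
        "<?php eval(base64_decode('ZWNobyAiSGFsbG8gd29ybGQhIjs=')); ?>\n<html>\n")
    (root / "images" / "gifimg.php").write_text("<?php /* placeholder */ ?>\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan(build_sample(tmp)):
            print(finding)
```

Run it against a downloaded copy of the site rather than the live server, and compare the findings with a known-clean backup before deleting anything.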
Yes, this eval code gets added at the very beginning of my webpages and yes, it generates gifimg.php also in my images folder. And I tried changing passwords, all (FTP, CP ...), but all a waste, that too every week. And only my webmaster PC is connected with FTP and that is virus free and I scanned that 2 times in the past two days with AVG. And yes, I will change my FTP now, using FileZilla. And I am not aware of grepWin.... And thanks for your valuable suggestions.
This is another base 64 decoder: http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx
There is some Windows spyware around that does it; it takes FTP passes, sends them to Russia where bots log in and add code to all html/php pages. Don't use Windows, never have this kind of thing.
Hi! This happened to me! And I'm fed up with it! I searched my computer with many malware programs and Avast etc. but nothing was found! So I think I'll reinstall my Windows and/or use Ubuntu Linux. That was a good idea of Kwaku. Thanks for the advice
Hi, I suffered a lot with this problem in the past 1-2 months but at last I managed to get rid of this problem. In my case, the problem was that my own system was infected with a Trojan which uploaded the trojan every time I uploaded the website and backups. At last, the problem was sorted out after upgrading my AV and then reuploading the backup. You can delete the files from your server and then reupload the backup from some other system after deleting those strings, and then your website should work properly. And if not, then you will come to know that your system is not infected, it's the server that is creating the problem. Thanks
This junk has come to your site due to a compromised FTP password. If you are using FileZilla, don't save the password. Btw, who is your hosting provider?