eval(base64_decode [SOLVED]
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sun Dec 09, 2007 9:54 pm
eval(base64_decode [SOLVED]
Hello all! In many pages of my web appear a strange code "<? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFyd..............." and they have links to other pages externals and mine dont open totally. This is a example: http://xxxxxxxxxx where you can see my problem. I have read a lot about this theme in internet, but nobody coment a solution. Please, I delete all eva(base64.... that I see in my pages, but I dont fix all. Can I must delete something more? Sorry my poor english, and thanks in advance for your help. I think so many people have this problem. Please, what can I do? Greetings from Spain.
Last edited by elindalo on Fri Dec 19, 2008 2:26 pm, edited 1 time in total.
-
- Joomla! Ace
- Posts: 1070
- Joined: Mon Aug 22, 2005 7:53 pm
- Location: Ilkley, West Yorkshire, UK
- Contact:
Re: eval(base64_decode
Check the configuration.php, index.php and templates/index.php files for the hacked code. Delete the code and resave. See if that fixes it. You will also need to make sure your files are set to no higher than 644 via CHMOD permissions.
My sites: http://dragonrider.co.uk, http://wharfedalefestival.co.uk and several others
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sun Dec 09, 2007 9:54 pm
Re: eval(base64_decode [SOLVED]
SOLVED
First, thank you very much, dragonrider, for your answer. I have followed that steps and I have deleted all code EVA(Base... that appear in these pages.
The problem, go on. Some pages have the error. I to grin and bear it. Third parts and permissions with "a little" flippancy for me. I am the only culpable.
SOLUTION:
Hallelujah!! at last! I see too much code EVA(Base... in FCKEDITOR folder I discover the problem there. I delete completly that folder.
Next, set, by first time in my joomla-life, all folders and files to 755 and 644. Now, if I need change a permission, I make it and return to security permission when finish the operation.
Lesson for me, all permissions are sacred now.
I hope this help to others members of this nice community. Greetings!
First, thank you very much, dragonrider, for your answer. I have followed that steps and I have deleted all code EVA(Base... that appear in these pages.
The problem, go on. Some pages have the error. I to grin and bear it. Third parts and permissions with "a little" flippancy for me. I am the only culpable.
SOLUTION:
Hallelujah!! at last! I see too much code EVA(Base... in FCKEDITOR folder I discover the problem there. I delete completly that folder.
Next, set, by first time in my joomla-life, all folders and files to 755 and 644. Now, if I need change a permission, I make it and return to security permission when finish the operation.
Lesson for me, all permissions are sacred now.
I hope this help to others members of this nice community. Greetings!
-
- Joomla! Enthusiast
- Posts: 248
- Joined: Tue Nov 14, 2006 3:29 am
- Contact:
Re: eval(base64_decode [SOLVED]
Just has this happen to me today. I have cleaned my website, but in case someone else needs to know, see below.
Change your FTP password first.
Download entire site.
Delete all files on site (make another backup first!)
Find/Replace all bad code by checking file modified dates and finding all bad code, this is usually different every few days.
This was the lines inserted into various files.
Also it created some files.
gifimg.php
changes.php
Change your FTP password first.
Download entire site.
Delete all files on site (make another backup first!)
Find/Replace all bad code by checking file modified dates and finding all bad code, this is usually different every few days.
This was the lines inserted into various files.
Code: Select all
<?php eval(base64_decode('')); ?>
<?php eval(base64_decode('')); ?>
<script src=http://deleted/celebs/rumble.php ></script>
document.write('<script src=http://deleted.co.uk/images/deleted.php ><\/script>');
document.write('<script src=http://deleted/celebs/rumble.php ><\/script>');
document.write('<script src=http://deleted/celebs/rumble.php ><\/script>');
gifimg.php
changes.php
Last edited by mandville on Tue Jun 08, 2010 9:11 am, edited 1 time in total.
Reason: do not post infected code, links to infected code,
Reason: do not post infected code, links to infected code,
- toner728
- Joomla! Intern
- Posts: 57
- Joined: Wed Aug 27, 2008 1:55 pm
- Location: New York City
- Contact:
Re: eval(base64_decode [SOLVED]
Ok so.. I had this issue with several of my sites and i have fixed it very easily. First of all it happened because the permissions of my folders were writable. Shame on the original webmaster. This is how i fixed it.
I dont know what kind of web editor you guys use.. I use Dreamweaver.
So.. I pulled down the entire site to a folder. Dreamweaver has a ctrl-F function which lets you do a search on a file "or the entire site" do an entire site search for that base64 code and leave the replace field with nothing.. Blank!! It will search and remove the code from the entire site. Then just do a sync to put newer files back to the server and u will be good.. I did this with 8 different sites and they are all clean
I dont know what kind of web editor you guys use.. I use Dreamweaver.
So.. I pulled down the entire site to a folder. Dreamweaver has a ctrl-F function which lets you do a search on a file "or the entire site" do an entire site search for that base64 code and leave the replace field with nothing.. Blank!! It will search and remove the code from the entire site. Then just do a sync to put newer files back to the server and u will be good.. I did this with 8 different sites and they are all clean
- Tonie
- Joomla! Master
- Posts: 16553
- Joined: Thu Aug 18, 2005 7:13 am
Re: eval(base64_decode [SOLVED]
Good that it's solved for you in this way. However, the cause of the hack hasn't been taken away by doing this.
- toner728
- Joomla! Intern
- Posts: 57
- Joined: Wed Aug 27, 2008 1:55 pm
- Location: New York City
- Contact:
Re: eval(base64_decode [SOLVED]
Obviously the permissions have to be set as well as passwords changed.
Did I really have to mention that?
Did I really have to mention that?
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: eval(base64_decode [SOLVED]
might be best to run and post the fpa after runing security checklist 7toner728 wrote:Obviously the permissions have to be set as well as passwords changed.
Did I really have to mention that?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Tonie
- Joomla! Master
- Posts: 16553
- Joined: Thu Aug 18, 2005 7:13 am
Re: eval(base64_decode [SOLVED]
If I understood you correctly, you did the following:
- you removed the nastly code by search/replace
- then set permissions/changes passwords
This takes care of the hack showing to the public. Now the question is, how did the hacker enter your site in the first place? Through Joomla, webserver, one of the extensions, etc. This is not done just by the permissions on the server.
- you removed the nastly code by search/replace
- then set permissions/changes passwords
This takes care of the hack showing to the public. Now the question is, how did the hacker enter your site in the first place? Through Joomla, webserver, one of the extensions, etc. This is not done just by the permissions on the server.
- pictureperfectne
- Joomla! Intern
- Posts: 54
- Joined: Sat Dec 02, 2006 3:41 am
- Location: Stafford Springs CT
- Contact:
Re: eval(base64_decode [SOLVED]
I'm probably late to the game but my host told me yesterday that only my joomla site out of all their hundreds of clients got hacked. Every php file in every folder was infected with eval(base 64_decode in it.) that's hundreds of files. I got a clean joomla zip file, uploaded and overlaid all of the joomla core files and then went through to clean up the rest.
The only way to access the root folder to do this kind of damage is through the server access like ftp. Does anyone have an htaccess file that uses ip addresses instead of password and user, because it somehow broke through the server using an http request. and was changing the permissions a good fix?
Thanks
The only way to access the root folder to do this kind of damage is through the server access like ftp. Does anyone have an htaccess file that uses ip addresses instead of password and user, because it somehow broke through the server using an http request. and was changing the permissions a good fix?
Thanks
- toner728
- Joomla! Intern
- Posts: 57
- Joined: Wed Aug 27, 2008 1:55 pm
- Location: New York City
- Contact:
Re: eval(base64_decode [SOLVED]
@pictureperfectne.. I would do a search in the DB because when it happened to us, our clients database had the code in it as well.
- pictureperfectne
- Joomla! Intern
- Posts: 54
- Joined: Sat Dec 02, 2006 3:41 am
- Location: Stafford Springs CT
- Contact:
Re: eval(base64_decode [SOLVED]
Thanks for the heads up. I'l do a sql dump and a keyword search. I really think that I need to protect the folders better with htaccess