Posts about gzinflate written by gr00ve_hack3r. Skip to navigation. Cyberoam Hack: As many accounts as you like The Worst of Unsanitization: php eval(). Did Someone hack my site? Did Someone hack my site? ( Eval Base64 Decode ).

$ pwd /home/username/wwww/ $ head wp-config. Boa Kpop Selection Chrome there. php. $ That eval(base64_decode('ZXJy.

Line is a classic sign of a compromised site. Attackers obfuscate malicious code by hiding it with the PHP function. Then they use the function to decode (i.e. Finally, the PHP function is used to 'run' (or EVALuate) the malicious code. They place the malicious line at the top of as many PHP files as they can.

What Does the Malicious Code Do? If you're curious what the obfuscated code looks like, you can copy and paste the whole line into a new PHP file and then replace eval(base64_decode(.)); with echo base64_decode(.). That will print out the PHP code that the attacker is trying to run. Hacks like these usually involve redirecting sites somewhere else on the Internet so that the attacker makes money. If someone earns $0.01 per redirection to an ad somewhere on the web, imagine how much they could make if they infected a popular site. Temporarily Blocking Access to the Site While we're fixing the problem, we don't want the attacker to have any access to the site. To block all access to the website, you can add the following to the top of the.htaccess in the root folder of the website (if an.htaccess file doesn't already exist, you'll want to create it).

To allow access from just your IP address, replace '!!Your IP Address Here!!' Your IP Address Here!! Now we're ready to start cleaning things up. Automating the Cleanup Process When one file has been compromised, there's a good chance that many more files have been compromised. The attacker wants to ensure that as many files have been infected as possible so as to maximize the chances that his code will be run.

With this being a WordPress site, the easiest solution is to simply replace all the existing files with a clean copy of the WordPress files. However, you don't want to replace the wp-content/ directory because that contains your themes, plugins, and any media that you may have uploaded. Since we want to keep the contents of the wp-content/ directory, we'll first need to clean it out. The first step is to search the directory for any files that may contain the malicious code. $ pwd /home/username/wwww/ $ cd wp-content/ $ find. -type f xargs grep 'ZXJyb3JfcmVwb3J0aW5nKDApOwokcWF6cGxtPWhlYWRl'./themes/default/single.php.