Joomla WordPress eval base64_encode hack fixes

How did I encounter the eval base64_encode hack?

I first learned of this hack after my hosting provider contacted me to say that one of my WordPress/Joomla websites was generating a lot of spam traffic. If you run your own host you might discover it by monitoring the e-mail traffic generated by your server, or by noticing that the load on the server has increased unnaturally.

The issue spread quite quickly and soon many other websites were hacked. I also got a lot of inquiries from friends having the same problem.

How does it happen?

Sites are hacked when an attacker sends a piece of code in a request and the server executes it on receipt. This is usually made possible by untrusted plugins or by flaws in the CMS software itself.

The attack usually sneaks a line of malicious code into some of the CMS's original files, usually at the beginning of the file, though it can also be in the middle. Typically the attackers replace a line starting with <?php with a line that contains many blank spaces (so the payload is pushed out of view) followed by something that usually looks like this:

eval(base64_encode('Zwnkjlhfk....'))

In addition, some new files may be created.

To clean your installation you need to remove all of those infected lines and delete the newly created malicious files.

How to clean it?

A very nice article on how to clean a WordPress installation from such an attack using SSH can be found here: Cleaning wordpress from eval hack

It is also useful to know that the encoded string is not always the same as the one demonstrated by Raam Dev. To make sure you find every hacked file, search your installation for occurrences of eval( or base64_decode( and examine the findings carefully: look for unusual, long, unreadable and suspicious strings, search for those strings across the installation, and clean every occurrence.

From the command line you can search for those files with the following commands:

grep -r 'base64_' ./public_html/ > base64_files.log
grep -r 'eval(' ./public_html/ | grep -v '\.js' > eval_files.log

The second command searches for “eval(” occurrences ignoring js files, where the meaning of the
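The following script, added here as an example and not part of the original post, combines the two searches above into one check and narrows them to the signatures described earlier: an eval( or base64_decode( call that is given a long base64-looking argument, and a <?php tag followed by a long run of blank spaces that hides code off-screen. JavaScript files are skipped as in the second grep; the directory path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): report lines that carry the
# eval/base64 hack signatures in a site tree. Legitimate short calls such as
# base64_decode($input) are not reported because they lack the long encoded
# argument; only lines with a 40+ character base64-looking run are flagged.

# Print "file:line:text" for every suspicious line under the directory in $1.
scan_eval_hack() {
    grep -rnIE --exclude='*.js' \
        -e '(eval|base64_decode)[[:space:]]*\(.*[A-Za-z0-9+/=]{40,}' \
        -e '<\?php[[:space:]]{20,}[^[:space:]]' \
        "$1" || true        # grep exits 1 when nothing matches; that is fine
}

# Number of suspicious lines: a quick triage figure for a whole installation.
count_eval_hits() {
    scan_eval_hack "$1" | wc -l | tr -d ' '
}

# Usage: sh scan_eval_hack.sh ./public_html > eval_files.log
if [ -n "$1" ]; then
    scan_eval_hack "$1"
fi
```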

No SSH access, how to clean it then?

Make an archive of your installation from your hosting control panel and download it. Then run the searches described above in your own environment.

How to prevent it?

The first step is to protect your .htaccess by following the instructions described here: htaccess security

The second step could be adding these lines at the beginning of your index.php.

# ######
# START OF ANTI-HACK config
# #####

# List of patterns to search for in the request data (matched case-insensitively).
# 'ZWNobyA' is the base64 prefix of "echo ", a common start of injected payloads.
$drop_patterns = array( 'array_values', 'com_contenthistory', 'ZWNobyA', 'Mysql' );
$post_vars = "";

# Add the POST data as a string, if any
if (!empty($_POST)) {
    $post_vars .= json_encode($_POST);
}
# Add the GET data as a string, if any
if (!empty($_GET)) {
    $post_vars .= json_encode($_GET);
}

# Check the aggregated string against the list of bad strings.
# preg_quote() escapes regex metacharacters and the "/" delimiter, so any
# pattern added to the list later is matched literally.
if ($post_vars != "") {
    $quoted = array();
    foreach ($drop_patterns as $pattern) {
        $quoted[] = preg_quote($pattern, '/');
    }
    if (preg_match("/" . implode("|", $quoted) . "/i", $post_vars)) {
        header("HTTP/1.0 404 Not Found");
        die("Get OUT!!!");
    }
}

# ###
# END OF ANTI-HACK config
# ###

These lines simply drop any request that contains suspicious words such as mysql, eval, array_values and so on. Note that you can add further patterns to the drop patterns array.

If you still have problems, you might want to log the captured $_POST and $_GET requests to find out which patterns the attackers are using and add those to the drop_patterns array.
