Malicious code : eval(base64_decode(
To answer the direct question: yes, your site has been hacked.
The eval(base64_decode(....)) is intended to disguise the nature of the code being executed, but it can't disguise the fact that there is code in your PHP files that does not belong there.
As for what the hacked code does, I'm unable to answer that, as you haven't provided all of it.
I also can't answer any question as to how they might have got in, but the likelihood is that somewhere in your system (or in your web hosting company's system) there is a software package which has a known security flaw.
In most cases, this flaw will have been fixed by the providers of that software, but the version on the hacked site won't have been updated with the latest fixes, thus giving the hackers an opportunity to get in.
There are other methods to break into a site, but this is by far the most likely.
I can't tell you which software was used to hack your site; there are too many variables involved, and I don't know enough about it. I can advise you to make sure that all the software you are responsible for is secure and running the latest versions, and to check with your hosting company to make sure they're fully up-to-date as well.
You haven't mentioned Wordpress by name, but the files you've specified sound like they belong to Wordpress. Therefore, recovering the files should be simply a case of updating them back to the original Wordpress versions. However, as I say, you should make sure you update to the latest WP version, because it sounds like the version you've got is out of date and vulnerable.
The actual data in your pages may have been compromised, but from the nature of the hack described, it sounds more like a PHP injection hack, so I would expect that if you get the WP files back to their original state, your pages will be restored. You should check thoroughly, however, to make sure there isn't anything unexpected still lurking in there.
[EDIT]
Now we have the full code, it's easy to see what it's doing: copy the code into a small PHP program, and replace eval with print, so you can see what is being run, rather than actually running it. The answer is that it checks that the user isn't a googlebot or similar, and if not, it redirects the page to a malicious URL.
PHP base64_decode eval found in all .php files for site. WHY?
He just thought that this may protect the code from being stolen, but that's wrong, of course.
How to decode suspicious PHP file
If I understood your question correctly, I believe you want to know what the code will return. It translates to:
<form method="post" action=""><input type="text"name="WP_g_"value=""/><input type="submit"value=">"/></form>
injection attack (I thought I was protected!) <?php /**/eval(base64_decode( everywhere
As a matter of fact, SQL injection is not the only type of attack your server may suffer.
And this one doesn't look like SQL injection.
Most of the time it's just a trojan horse on your PC, stealing the FTP password.
To see the actual code, replace eval with echo. But I doubt it has anything interesting.
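Added example, not part of the original answers: the "replace eval with print/echo" advice given in the answers above can also be applied statically, so the suspicious PHP is never run at all. This Python sketch finds `eval(base64_decode('...'))` in a file's text and decodes it layer by layer; the names `decode_layers`, `wrap`, `INNER` and `SAMPLE` are illustrative, and the sample input is constructed.

```python
import base64
import re

# eval(base64_decode('...')) with either quote style and optional whitespace.
LAYER = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)

def decode_layers(php_source, max_depth=10):
    """Return each decoded payload, outermost first, without executing any of it."""
    found = []
    queue = [(php_source, 0)]
    while queue:
        text, depth = queue.pop(0)
        if depth >= max_depth:  # bound the work on deeply nested input
            continue
        for match in LAYER.finditer(text):
            blob = re.sub(r"\s+", "", match.group(2))
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:  # not valid base64: leave it for manual review
                continue
            payload = raw.decode("utf-8", errors="replace")
            found.append(payload)
            queue.append((payload, depth + 1))  # payloads are often wrapped again
    return found

def wrap(php_code):
    """Build one eval(base64_decode(...)) layer around php_code (sample data only)."""
    return "eval(base64_decode('%s'));" % base64.b64encode(php_code.encode()).decode()

# Constructed sample: a harmless statement wrapped twice and prepended to a template.
INNER = "echo 'constructed sample payload';"
SAMPLE = "<?php /**/" + wrap(wrap(INNER)) + " ?>\n<?php get_header(); ?>\n"

if __name__ == "__main__":
    for number, layer in enumerate(decode_layers(SAMPLE), start=1):
        print("layer %d: %s" % (number, layer))
```

Run it against copies of the affected files rather than the live site; anything it cannot decode is skipped and still needs manual review.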
Malicious PHP file found on my webserver, need help cleaning and preventing this from happening again
eval() is a very dangerous little language construct in that it can execute practically any piece of PHP code passed to it as a string, so it certainly could be that script sending the mail, although sending out spam is actually fairly non-destructive as far as what eval() could do.
If your page had the permissions to delete every file in your web root, eval() would also be able to do it too, just by someone sending the right command to the script via POST.
If you really want to ensure it is that piece of code sending out the mail, put it back but modify it to your advantage. Stop it from using eval() and instead save the POST data to a database or text file. It is the only way you will know exactly what this code is being used for.