How to Get Rid of Eval-Base64_Decode Like PHP Virus Files

Malicious code: eval(base64_decode(

To answer the direct question: yes, your site has been hacked.

The eval(base64_decode(....)) is intended to disguise the nature of the code being executed, but it can't disguise the fact that there is code in your PHP files that does not belong there.

As for what the hacked code does, I'm unable to answer that, as you haven't provided all of it.

I also can't answer any question as to how they might have got in, but the likelihood is that somewhere in your system (or in your web hosting company's system) there is a software package which has a known security flaw.

In most cases, this flaw will have been fixed by the providers of that software, but the version on the hacked site won't have been updated with the latest fixes, thus giving the hackers an opportunity to get in.

There are other methods to break into a site, but this is by far the most likely.

I can't tell you which software was used to hack your site; there are too many variables involved, and I don't know enough about it. I can advise you to make sure that all the software you are responsible for is secure and running the latest versions, and to check with your hosting company to make sure they're fully up-to-date as well.

You haven't mentioned WordPress by name, but the files you've specified sound like they belong to WordPress. Therefore, recovering the files should be simply a case of updating them back to the original WordPress versions. However, as I say, you should make sure you update to the latest WP version, because it sounds like the version you've got is out of date and vulnerable.

The actual data in your pages may have been compromised, but from the nature of the hack described, it sounds more like a PHP injection hack, so I would expect that if you get the WP files back to their original state, your pages will be restored. You should check thoroughly, however, to make sure there isn't anything unexpected still lurking in there.

[EDIT]
Now we have the full code, it's easy to see what it's doing: copy the code into a small PHP program and replace eval with print, so you can see what is being run rather than actually running it. The answer is that it checks that the user isn't a Googlebot or similar, and if not, it redirects the page to a malicious URL.

PHP base64_decode eval found in all .php files for site. WHY?

He just thought that this may protect the code from being stolen, but that's wrong, of course.

How to decode suspicious PHP file

If I understood your question correctly, I believe you want to know what the code will return. It translates to:

<form method="post" action=""><input type="text" name="WP_g_" value=""/><input type="submit" value=">"/></form>

injection attack (I thought I was protected!) <?php /**/eval(base64_decode( everywhere

As a matter of fact, SQL injection is not the only type of attack your server may suffer.

And this one doesn't look like SQL injection.

Most of the time it's just a trojan horse on your PC, stealing FTP passwords.

To see the actual code, replace eval with echo. But I doubt it has anything interesting.
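The method given in the first answer (replace eval with print) and repeated here (replace eval with echo) works, but it still means feeding the infected file to a PHP interpreter. The script below is an added example, not code from any of the answers in this thread: it pulls the base64 payload out of eval(base64_decode('...')) with base64_decode() alone, peels nested layers (the decoded code very often contains another eval(base64_decode())), flags the behaviours discussed above (bot check, redirect, request-driven eval, mail), and can list every .php file under a directory that carries the pattern. The regexes, the indicator list, the file name and the constructed two-layer sample are assumptions for illustration; the sample is not real malware.

```php
<?php
// decode_eval_b64.php -- added example, not code from the answers above.
// Reads the payload hidden behind eval(base64_decode('...')) WITHOUT executing it.
// The regexes, indicator list and constructed sample below are assumptions for illustration.

/** Every base64 string passed to eval(base64_decode(...)) in $src, spacing/quote variants included. */
function extract_eval_b64_payloads(string $src): array
{
    $re = '/eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=\s]+)[\'"]\s*\)\s*\)/i';
    preg_match_all($re, $src, $m);
    return $m[1];
}

/** Decode layer by layer: the decoded code frequently contains another eval(base64_decode()). */
function unwrap_layers(string $src, int $maxDepth = 10): array
{
    $layers = [];
    for ($depth = 0; $depth < $maxDepth; $depth++) {
        $payloads = extract_eval_b64_payloads($src);
        if ($payloads === []) {
            break;                                   // plain code reached, nothing left to peel
        }
        $decoded = base64_decode(preg_replace('/\s+/', '', $payloads[0]), true); // strict mode
        if ($decoded === false) {
            $layers[] = '[layer ' . ($depth + 1) . ': not valid base64]';
            break;
        }
        $layers[] = $decoded;
        $src = $decoded;
    }
    return $layers;
}

/** Heuristic flags for the behaviours discussed in this thread; they guide reading, not a verdict. */
function summarize_indicators(string $code): array
{
    $checks = [
        'user-agent / bot check'   => '/HTTP_USER_AGENT|googlebot|bingbot|yandex/i',
        'redirect to external URL' => '/header\s*\(\s*[\'"]Location:|https?:\/\//i',
        'executes request input'   => '/eval\s*\(.*\$_(POST|REQUEST|GET|COOKIE)/is',
        'sends mail'               => '/\bmail\s*\(/i',
    ];
    $hits = [];
    foreach ($checks as $label => $re) {
        if (preg_match($re, $code)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/** Every *.php file under $dir containing eval(base64_decode( -- the "found in all .php files" case. */
function find_infected_files(string $dir): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) === 'php'
            && extract_eval_b64_payloads((string) file_get_contents($file->getPathname())) !== []) {
            $found[] = $file->getPathname();
        }
    }
    return $found;
}

// Constructed sample (not real malware): a bot check plus redirect, wrapped in two base64 layers.
$inner  = "if (!preg_match('/googlebot/i', \$_SERVER['HTTP_USER_AGENT'])) { header('Location: http://example.invalid/'); exit; }";
$middle = "eval(base64_decode('" . base64_encode($inner) . "'));";
$sample = "<?php /**/eval(base64_decode('" . base64_encode($middle) . "')); ?>";

if (PHP_SAPI === 'cli') {
    $target = $argv[1] ?? null;
    if ($target !== null && is_dir($target)) {        // directory given: just list infected files
        foreach (find_infected_files($target) as $path) {
            echo $path, "\n";
        }
        exit;
    }
    $src = $target !== null ? (string) file_get_contents($target) : $sample;
    foreach (unwrap_layers($src) as $i => $layer) {
        echo "=== layer ", $i + 1, " ===\n", $layer, "\n";
        echo "indicators: ", implode(', ', summarize_indicators($layer)) ?: 'none', "\n\n";
    }
}
```

Run it as php decode_eval_b64.php infected.php to print each decoded layer with its indicators, or php decode_eval_b64.php /path/to/site to list the .php files that carry the pattern; with no argument it works on the built-in constructed sample. Strict base64_decode() is used so that a payload that has been mangled (or is not base64 at all) is reported instead of silently decoding to garbage, and nothing from the infected file is ever passed to eval().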

Malicious PHP file found on my webserver, need help cleaning and preventing this from happening again

eval() is a very dangerous little language construct in that it can execute practically any piece of PHP code passed to it as a string, so it certainly could be that script sending the mail, although sending out spam is actually fairly non-destructive as far as what eval() could do.

If your page had the permissions to delete every file in your web root, eval() would be able to do that too, just by someone sending the right command to the script via POST.

If you really want to ensure it is that piece of code sending out the mail, put it back but modify it to your advantage. Stop it from using eval() and instead save the POST data to a database or text file. It is the only way you will know exactly what this code is being used for.


