Yours truly spent almost all of last weekend helping a compadre clean over 200 of his clients' sites, which were infected with this nasty script. Eval code hack cleanup cost me 20 straight hours of fun and excitement. You never know what you get yourself into when a friend asks you for a little help.
Eval Code Hack: What it is, what it does, what it be
I’m not going to go geek on you and explain the science behind it. Just the cold hard facts about an eval code hack and what you will be looking for.
The eval(base64_decode("...")) script is injected into every .php file within each WordPress installation. So joy… 20 hours and 65k files later, Archer's WordPress sites are clean as a whistle. It appears I am going to have to take you into a bit of geeky detail on what this is, what it does, how to get rid of it and, hopefully, how to protect yourself in the future.
It all started when “Archer” (not his real name) hit me up on Skype asking if I’d seen this code before… I had. Every once in a while I get a call from frantic site owners that their hosting companies have shut them down due to eval code hack malware. I’d like to mention this does not happen to my clients. We set rules…
Most shared hosting companies will send the site owner a notice that the site is being shut down to protect the 50k other websites on the shared server, and that it will be brought back online once it is clean.
Oddly enough, the site owner is usually locked out of FTP at the same time, so they have no way to clean anything. First things first: call the host, let them know you are willing to clean the problem, and explain that in order to do so you'll need FTP access restored. smh…
How did this happen?
Typically this malware gets in through outdated plugins or scripts bundled with themes that have been left lounging about. That is why it's important to have a quality backup and, of course, to keep your plugins and themes up to date.
From what I noticed on Archer's server, one of the themes his client was using had an old copy of “Uploadify” in its admin section. In the /uploadify/ directory I noticed files which didn't belong. Simply deleting this folder helped. For now… still testing.
Another way scumbags get into your site is through an outdated copy of TimThumb, the image-resizing script that many themes bundle. Older versions could be tricked into fetching a “remote image” that was really PHP and writing it into the script's cache directory under the web root, where the attacker could then request and run it. This is an old method but still works if you or your web guy are using one of those “freebie” themes you found on the interwebs.
You'll want to update (or remove, depending) any instance of timthumb.php or thumb.php. Woothemes uses thumb.php, so check with them for an updated copy. Then again, they probably have the update waiting for you.
What the Eval Code Hack Does
Typically these hacks redirect your visitors somewhere else. They are placed by hackers who make money off of your insecure website: they have often signed up with a CPA (cost-per-action) network or a similar affiliate program that pays them for the traffic your site sends.
How To Clean the Eval Code Hack For WordPress CMS
I have to caution you: this is the labor-intensive method and may take upwards of an hour per site. But once done you'll have an extremely clean and updated site.
You’ll be deleting files, folders and then reinstalling them. Much like watching paint dry or grass grow, this is going to be a tad tedious and yet boring. Two worlds collide.
If you aren’t comfortable doing this, please call or email us or another webadmin professional. BailHound can clean your site for you and let you know upfront what it will cost. We may need access to the backend of your site (FTP) to have a good look. Please also let us know if you have a backup of your theme. This is important.
One thing you may notice is that the file dates may not have changed on infected files. The injector can preserve or reset a file's modification time, so don't expect that only the files with a new date are infected; search the content of every .php file for the injected code rather than sorting by date.
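As an added example (not code from the original post), here is a Python script that does what the note above implies: it searches the content of every .php file under a directory for the injected eval wrapper and its common variants, and ignores modification dates entirely (the mtime is only printed for reference). The directory path and the sample file contents are assumptions for illustration.

```python
import os
import re
import time

# Signatures of the injected wrapper and its common variants. Whitespace-tolerant,
# so "eval ( base64_decode(" is caught as well as "eval(base64_decode(".
SIGNATURES = [
    ("eval(base64_decode(", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("eval(gzinflate(", re.compile(r"eval\s*\(\s*gzinflate\s*\(", re.I)),
    ("eval(gzuncompress(", re.compile(r"eval\s*\(\s*gzuncompress\s*\(", re.I)),
    ("eval(str_rot13(", re.compile(r"eval\s*\(\s*str_rot13\s*\(", re.I)),
]


def find_markers(php_source):
    """Return (line_number, label, snippet) for every suspicious call in the source."""
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for label, pattern in SIGNATURES:
            m = pattern.search(line)
            if m:
                snippet = line[m.start():m.start() + 60].strip()
                hits.append((line_no, label, snippet))
    return hits


def scan_tree(root):
    """Walk every .php file under root and report hits; mtime is shown but never filtered on."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            # errors="replace": injected blobs are sometimes not valid UTF-8.
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_markers(fh.read())
            if hits:
                mtime = time.strftime("%Y-%m-%d %H:%M", time.localtime(os.path.getmtime(path)))
                results.append({"path": path, "mtime": mtime, "hits": hits})
    return results


# Constructed samples (not real files from the post): a clean file and an infected
# one whose wrapper is padded with spaces so a naive grep for "eval(base64_decode(" misses it.
CLEAN_SAMPLE = '<?php\n// Silence is golden.\n'
INFECTED_SAMPLE = ('<?php eval ( base64_decode( "ZWNobyAxOw==" ) ); ?>\n'
                   '<?php\nget_header();\n')

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."   # assumed: the site's document root
    for entry in scan_tree(root):
        for line_no, label, snippet in entry["hits"]:
            print(f'{entry["path"]}:{line_no} [{entry["mtime"]}] {label} -> {snippet}')
```

Run it as python scan.py /path/to/public_html over the whole document root, not just wp-content; the post's point is that every .php file in the install gets hit, including WordPress core files.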
We’ve had to break up this post into two parts. This first part explains the eval code hack and the second part is the cleaning process. If we didn’t this post would be ginormous and you may get lost in the context.
So, if you’re done reading all about the eval code hack and want to start cleaning, click this link to go to part two.
DISCLAIMER: I don’t consider myself to be a security expert, but on the following page are the steps I took to clean up customer (and Archer’s) sites.
CLEAN CODE EVAL HACK
How to Decode the Eval Code Hack:
You may be wondering what that long malware string of code even means. If you're dying to find out, there is a free website service to decode eval strings. You simply copy and paste the code you find and the system returns the string as readable PHP. Whatever you do, don't run the string through PHP's own eval to see what it does; decode it, never execute it.
Link to PHP decoder: http://ddecode.com/phpdecoder/
Somewhere near the bottom will be the web address the site is redirecting to. I do not suggest going to that link. Ever.
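As an added example (not the author's tool and not affiliated with the decoder site above), the following Python script does the same decoding offline: it peels nested base64_decode / gzinflate / gzuncompress / str_rot13 layers off an eval() wrapper without ever executing the payload, then pulls out any URLs so you can see where the redirect goes. The nested sample payload is constructed inside the script and points at the reserved example.invalid domain; it is an assumption for illustration, not real malware from the post.

```python
import base64
import codecs
import re
import zlib

# eval(<chain of decoder calls>('<quoted payload>'));  e.g. eval(gzinflate(base64_decode("...")));
WRAPPER = re.compile(
    r"""eval\s*\(\s*((?:(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*)+)"""
    r"""(['"])(.*?)\2\s*\)+\s*;?""",
    re.S | re.I,
)


def _php_base64_decode(data):
    # PHP's non-strict base64_decode() skips characters outside the alphabet.
    return base64.b64decode(re.sub(rb"[^A-Za-z0-9+/=]", b"", data))


DECODERS = {
    "base64_decode": _php_base64_decode,
    "gzinflate": lambda d: zlib.decompress(d, -15),   # raw DEFLATE, like PHP gzinflate()
    "gzuncompress": lambda d: zlib.decompress(d),     # zlib-wrapped, like PHP gzuncompress()
    "str_rot13": lambda d: codecs.encode(d.decode("latin-1"), "rot13").encode("latin-1"),
}


def peel(php_source, max_layers=20):
    """Unwrap nested eval(...) layers statically and return the innermost PHP as text."""
    text = php_source
    for _ in range(max_layers):
        m = WRAPPER.search(text)
        if not m:
            return text
        # The call chain reads outer-to-inner; the payload must be decoded inner-to-outer.
        chain = [f.lower() for f in re.findall(r"[A-Za-z0-9_]+", m.group(1))]
        data = m.group(3).encode("latin-1")
        for func in reversed(chain):
            data = DECODERS[func](data)
        text = data.decode("latin-1", errors="replace")
    raise ValueError("more than %d nested layers; giving up" % max_layers)


def extract_urls(text):
    """Return every http(s) URL in the decoded PHP; these are the redirect targets."""
    return re.findall(r"https?://[^\s'\"<>)]+", text)


# Constructed sample (assumption, not real malware): two layers, nested the way droppers do it.
INNER_PHP = '<?php header("Location: http://example.invalid/go"); exit; ?>'


def build_sample():
    deflater = zlib.compressobj(wbits=-15)            # raw DEFLATE, like PHP gzdeflate()
    raw = deflater.compress(INNER_PHP.encode()) + deflater.flush()
    layer1 = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode()
    layer2 = 'eval(base64_decode("%s"));' % base64.b64encode(layer1.encode()).decode()
    return "<?php " + layer2 + " ?>"


if __name__ == "__main__":
    decoded = peel(build_sample())
    print(decoded)
    print("redirect targets:", extract_urls(decoded))
```

To use it on a real find, paste the infected line into a file and call peel() on its contents; the URLs extract_urls() returns are the addresses the post warns you not to visit. Because nothing is ever passed to eval, the payload cannot run on your machine during analysis.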
Like anything else in life, if you don't know how to do something, or understand how it's done, hire a professional. Example: I would never bail myself out of jail. I would use a professional bondsman.