Clean Eval Base64 Decode from WordPress Bail Bond Sites
I have to caution you, this is the labor-intensive method to clean eval base64 decode, and it may take upwards of an hour or two. But once done you’ll have an extremely clean and updated bail bonds website. There are scripts out there to automatically clean eval base64 decode, but cleaning by hand will (a) teach you what’s going on and (b) ensure all eval hack code has been removed.
I say all eval hack code because some hackers may place additional redirects on different files. So while you may be searching to replace one string, there may be several strings that are written into the same file. So you look at the header of the file and see the eval hack removed but deeper down into the file there may be another occurrence using a different string.
As well, you may also need to invest in a script to remove whitespace that is left behind by the script meant to clean eval base64 decode.
For those hearty souls who have some free time, here are the instructions to clean eval base64 decode from their WordPress websites.
How To Clean Eval Base64 Decode from WordPress
- Grab a snack, a drink and hunker down; it may be a while. I suggest that you start by disabling your website so that no one is either infected or cast off by that code while it is still spread throughout your site.
So to begin, the easiest way to do this would be to delete the index.php file in the root of your WordPress installation. This will stop anyone from accessing the site if you don’t replace the file with something that says “Under Construction” or “Maintenance Mode”.
You can of course edit the .htaccess file by adding a line of code, but I’m trying to keep this easy.
When you delete that index file you’ll see the Forbidden Server Message when visiting the site as pictured.
If you would like a simple “Maintenance Mode” so that people won’t think the site has come crashing down, you can download my version here. It’s a simple index.html file you simply upload to the root of your WordPress installation. Nothing fancy but it does the trick in telling loyal viewers and bail bond aficionados you’ll be back online soon:
- Delete the folders “WP-ADMIN” AND “WP-INCLUDES”. These are the two primary folders for your WordPress installation and can easily be re-installed via your cPanel. More on that in a minute.
- Open your wp-content folder. You will see an index.php file. This file should be a max size of roughly up to 60 characters. If you’ve been whacked, you’ll see that this file is now a whopping 1.2k. Delete it. You’ll also see this index file in the plugins and themes folder. Delete those as well. You’ll get a new one soon. Promise.
- Go to your plugins folder. Write down the names of your plugins. Your plugins folder is located at: wp-content/plugins/. Once you have the plugin names written down (and you shouldn’t have too many plugins), back out of that folder and delete it. You’ll be re-installing new versions from the authors.
- Look in your wp-content/uploads/ folder. Only images should reside here. There should be no .php, .zip, .html files listed in this folder. If there are, make a backup of them and then delete them, unless you know exactly what those files are and you need them. I would suggest looking at them via an editor to determine if the eval code was placed within them, especially the .php file.
- Now it’s time to clean your theme. If you have never edited the theme and have a backup you will be fine. But, if you’ve edited files on the theme, or your coder has edited files, you’ll need to clean this by hand if you have no backup. This sucks. You will now visit every single file in your theme. Starting from the very beginning you’ll want to get deep into all the folders, opening each file and checking for that eval code hack. This will probably take about an hour depending on the size of your theme.
You simply spot the code, delete it and save. Realize though that some files have multiple instances of the call for other functions (<?php) and that the code will be placed directly after that call.
Some files may call up to 30 times, so it may take some time to clean each and every file. We can’t stress enough the importance of a good backup of your theme. And this is one of those reasons you need one.
If you don’t have a backup copy of your theme, ask your designer for a copy. Keep it on a thumbdrive, in a safe or under your mattress.
The two most important folders on any WordPress CMS installation are the theme folder itself and the uploads folder (where your images are stored). Everything else can be replaced by re-installation.
- Rename your “WP-CONTENT” folder to something like “WP-CONTENTOLD”. When you re-install your WordPress application it will create a new folder with included plugins and themes. Again, more on this process in just a bit. Stick with me here…
- Rename your “WP-CONFIG.PHP” file to something like: wp-configOLD.bail. This is the file which connects your WP installation to your database. Edit the wp-config.php file. More than likely it is infected and will need to be cleaned. To clean, simply delete the bastard code starting from <?php to just before the first “define” string. Your wp-config file should now look like this from the start:
<?php
define('DB_NAME', …etc etc.
***NOTE: We delete all the labeling that WordPress includes in this file. Yours is probably not edited so you may see:
<?php
/**
* The base configuration of the WordPress. blah blah blah (not really blah blah blah – just a lot of entries after WordPress.)
- Delete all the other additional files in the root which begin with WP and one titled “xmlrpc.php”.
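The manual checks in the steps above (oversized index.php stubs, stray files in uploads, repeated eval code in theme files) can be run read-only against a downloaded copy of wp-content before you delete anything. This is an added example, not part of the original post; the function names and the sample tree are made up for illustration.

```python
import re
import tempfile
from pathlib import Path

# Only the literal pattern this post is about; other obfuscations need a real scanner.
INJECT_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
STUB_PATHS = {"index.php", "plugins/index.php", "themes/index.php"}
STUB_MAX_BYTES = 60                         # the post's rough size for a clean stub
UPLOAD_BAD_EXT = {".php", ".zip", ".html"}  # types the post says never belong in uploads


def scan_wp_content(wp_content):
    """Read-only scan; returns a list of (relative_path, reason) findings."""
    findings = []
    for path in sorted(p for p in Path(wp_content).rglob("*") if p.is_file()):
        rel = path.relative_to(wp_content).as_posix()
        suffix = path.suffix.lower()
        if rel.startswith("uploads/") and suffix in UPLOAD_BAD_EXT:
            findings.append((rel, "unexpected file type in uploads"))
        if suffix != ".php":
            continue
        data = path.read_bytes()
        if rel in STUB_PATHS and len(data) > STUB_MAX_BYTES:
            findings.append((rel, f"index.php stub is {len(data)} bytes"))
        # Report every occurrence: one file can carry several, one per <?php tag.
        lines = [data.count(b"\n", 0, m.start()) + 1 for m in INJECT_RE.finditer(data)]
        if lines:
            findings.append((rel, f"{len(lines)} eval/base64_decode call(s) at line(s) {lines}"))
    return findings


def demo():
    """Scan a small constructed tree (sample data, not from a real site)."""
    inject = b'eval(base64_decode("Y29uc3RydWN0ZWQ="));'  # decodes to the word "constructed"
    files = {
        "index.php": b"<?php\n// Silence is golden.\n",
        "plugins/index.php": b"<?php " + inject + b" ?><?php\n// Silence is golden.\n",
        "themes/demo/header.php": b"<?php " + inject + b" ?>\n<html>\n<?php " + inject + b" ?>\n",
        "uploads/2013/logo.png": b"\x89PNG",
        "uploads/2013/cache.php": b"<?php echo 1;\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_wp_content(tmp)
```

Point scan_wp_content at your own copy of the folder. A clean result only means this one pattern is absent, so the Wordfence and host scans later in the post still apply.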
Putting Your Bail Bond Site All Back Together
Once you have made sure to clean eval base64 decode from all files, it’s time to reload WordPress and put the site back online.
- Log in to your cPanel (or vDeck) and look for the Scriptaculous section or section where the WordPress loader is.
- Choose to install WordPress and pick the domain where you want the install to happen.
*** Be sure you choose the correct domain (if you have multiple domains on your host), and that you leave the directory location blank. Often these auto-install WordPress scripts will insert /wordpress/ or /blog/ directory and you’ll have to wipe that install and reload… again.
Allow the install to create a database and username. It won’t matter as we will not be using that install. We are going to use your original.
- Once installed go to your FTP program. We’re going to delete some things.
- Back in your FTP window, delete the new wp-config.php, and rename the wp-configOLD.php to wp-config.php. Basically we are telling the system to use our config file to connect to the server.
- Now, delete the new WP-CONTENT folder.
- Rename your old WP-CONTENTOLD to WP-CONTENT.
- Your site will now be live, sort of. Go ahead and login to your site using yourdomain.com/wp-login.php (substitute “yourdomain.com” for your actual domain name). You may notice that you have to update your database based on how old your original WordPress installation was. You’ll now be running on the newest WP platform. So go ahead and update database.
- Once logged in you may need to activate your theme. Go to the tab “Appearance”, click on “Themes” and select your theme to activate. You will probably see two additional themes that come free from WordPress. We’ll delete those in a bit. I say to delete those as they are a point of failure for your system. Deleting unused plugins and themes will save you the hassle of trying to keep everything tidy and secure.
At this point your site is functional albeit you still need to install the new version of your plugins.
- Click on “Plugins” and the “Add New” tab. Here is where you’ll download the newest versions of the plugins you need for your site. Simply look at the list of plugins you wrote down and in the search bar type in the name of the plugin and click “Search Plugins”. When you see your plugin simply install it. DO NOT activate the plugin just yet.
- A plugin I would suggest installing is “Wordfence Security” (by Mark Maunder) – this is a first line of defense for your website. This is the free version but you can upgrade for more security features which is a good suggestion. I have this plugin (paid) on all sites I maintain.
- Once you have all of your plugins loaded, I want you to activate ONLY the Wordfence plugin. You will see a notice to sign up to receive security alerts. I suggest you do it. You’ll receive alerts you need especially when someone is attempting to alter your files or log in as you. So enter your email and click “Get Alerted”.
- You’ll notice that Wordfence has loaded a management utility on the far left of the dashboard. Click on Wordfence to open the utilities and open “Options”.
- SCAN! Now click “Scan” and start a Wordfence scan of your site. If it comes back all clean then start bringing in your plugins from the list you created.
Once complete I would suggest that you contact your hosting provider and ask them to scan your site. Best of luck with your work and if you need assistance BailHound can be hired to do the cleaning process for you to clean eval base64 decode from all your sites.
Simply call or email to get in touch with us. We also do emergency cleaning 24 hours per day. If it’s 2am and you need us, just call and our answering service will get us online.
We’ll contact you and get started straight away on the cleaning process and clean eval base64 decode and other forms of eval malware on your website. Prices start at $90.
*** More information on malware can be found here: http://en.wikipedia.org/wiki/Malware