Nick Clark
Feb 22, 2014
clean wordpress, eval code hack, malware

Eval Code Hack on WordPress Bail Bond Websites

Yours truly spent almost all of last weekend helping a compadre clean over 200 of his clients’ sites which were infected with this nasty script. The eval code hack cleanup cost me 20 straight hours of fun and excitement. You never know what you get yourself into when a friend asks you for a little help.


Eval Code Hack: What it is, what it does, what it be

I’m not going to go geek on you and explain the science behind it. Just the cold hard facts about an eval code hack and what you will be looking for.

The eval(base64_decode(...)) script is deployed onto all .php files within each installation of WordPress. So joy… 20 hours and 65k files later, Archer’s WordPress sites are clean as a whistle. It appears I am going to have to take you into a bit of geeky detail on what this is, what it does, how to get rid of it and, hopefully, how to protect yourself in the future.

It all started when “Archer” (not his real name) hit me up on Skype asking if I’d seen this code before… I had. Every once in a while I get a call from frantic site owners that their hosting companies have shut them down due to eval code hack malware. I’d like to mention this does not happen to my clients. We set rules…

Oddly enough, most shared hosting companies will send the site owner a notice that they are being shut down to protect the 50k other websites on the shared server and that when the site is clean they’ll be brought back online.

Sorry, the oddly enough point was that the site owner is usually locked out of FTP so they have no way to clean anything. First things first, call and let them know you are willing to clean the problem but in order to do so you’ll need FTP access. smh…

How did this happen?

Typically this malware occurs when outdated plugins or scripts within themes are left lounging about. This is why it’s important to have a quality backup and of course to keep your plugins and themes up to date.

What I noticed on Archer’s server is that one of the themes his client was using had an old copy of “Uploadify” on it in the admin section. In the /uploadify/ directory I noticed files which didn’t belong. Simply deleting this folder helped. For now… still testing.

Another way scambags get into your site is through an outdated timthumb hack. This is an old method but still works if you or your web guy are using one of those “freebie” themes you found on the interwebs.

You’ll want to update (or remove depending) any instance of timthumb.php or thumb.php. I know that Woothemes uses thumb.php so check with them for an updated copy. Then again, they probably have the update waiting for you.

What the Eval Code Hack Does

Typically these hacks will redirect your site somewhere else. They are normally placed by hackers who make money off of your unsecured website. They have often signed up to a CPA site or another type of site that pays them for their traffic.

How To Clean the Eval Code Hack For WordPress CMS

I have to caution you, this is the labor-intensive method and may take upwards of an hour. But once done you’ll have an extremely clean and updated site.

You’ll be deleting files, folders and then reinstalling them. Much like watching paint dry or grass grow, this is going to be a tad tedious and yet boring. Two worlds collide.

If you aren’t comfortable doing this, please call or email us or another webadmin professional. BailHound can clean your site for you and let you know upfront what it will cost. We may need access to the backend of your site (FTP) to have a good look. Please also let us know if you have a backup of your theme. This is important.

One thing you may notice is that the file dates may not have changed on some infected files, so don’t expect that only the files which have a new date are infected.

We’ve had to break up this post into two parts. This first part explains the eval code hack and the second part is the cleaning process. If we didn’t this post would be ginormous and you may get lost in the context.

So, if you’re done reading all about the eval code hack and want to start cleaning, click this link to go to part two.

DISCLAIMER: I don’t consider myself to be a security expert, but on the following page are the steps I took to clean up customer (and Archer’s) sites.


How to Decode the Eval Code Hack:

You may be wondering what that long malware string of code even means? If you’re dying to find out there is a free website service to decode eval strings. You simply copy and paste the code you find and the system returns the string in logical English.

Link to PHP decoder: http://ddecode.com/phpdecoder/
Somewhere around the bottom will be the web address where the site is spamming to. I do not suggest going to that link. Ever.
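An offline alternative to pasting the string into a website, and a way to find infected files by content rather than by file date as cautioned earlier. This is an added example, not code from the original post: it goes beyond the post by also unwrapping the common gzinflate layer, and the sample site, file names and redirect address are constructed for illustration. It only decodes the payload and never runs it.

```python
import base64, os, re, tempfile, zlib
from pathlib import Path

# eval(base64_decode('...')), optionally wrapped as eval(gzinflate(base64_decode('...')))
EVAL_RE = re.compile(
    rb"eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE)
URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")

def decode_layers(source: bytes, max_depth: int = 10) -> bytes:
    """Peel nested eval layers by decoding only; nothing is executed."""
    for _ in range(max_depth):
        m = EVAL_RE.search(source)
        if not m:
            break
        try:
            data = base64.b64decode(m.group(2))
            if m.group(1):  # PHP gzinflate() is raw DEFLATE, hence wbits=-15
                data = zlib.decompress(data, -15)
        except (ValueError, zlib.error):
            break  # corrupt or unknown encoding: keep the last good layer
        source = data
    return source

def scan_tree(root) -> dict:
    """Map each infected .php file (relative path) to URLs in its decoded payload."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        raw = path.read_bytes()  # judge by content, never by modification date
        if EVAL_RE.search(raw):
            urls = URL_RE.findall(decode_layers(raw))
            findings[path.relative_to(root).as_posix()] = [u.decode() for u in urls]
    return findings

def build_sample(root) -> None:
    """Constructed test site: one clean file, one infected file with an old date."""
    inner = b'header("Location: http://redirect.example.invalid/go");'
    layer = b"eval(base64_decode('" + base64.b64encode(inner) + b"'));"
    # zlib.compress adds a 2-byte header and 4-byte trailer; strip them for raw DEFLATE
    packed = base64.b64encode(zlib.compress(layer)[2:-4])
    theme = Path(root, "wp-content", "themes", "demo")
    theme.mkdir(parents=True)
    (theme / "index.php").write_bytes(b"<?php get_header(); ?>\n")
    bad = theme / "footer.php"
    bad.write_bytes(b"<?php eval(gzinflate(base64_decode('" + packed + b"'))); ?>\n")
    os.utime(bad, (1325376000, 1325376000))  # 2012-01-01: looks untouched

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site)
        print(scan_tree(site))
```

Point scan_tree at a downloaded copy of the site rather than the live server; an empty URL list for a flagged file means the payload uses an encoding this sketch does not unwrap, not that the file is clean.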

Like anything else in life, if you don’t know how to do something, or understand how it’s done, hire a professional. Example: I would never bail myself out of jail. I would use a professional bondsman.

Nick Clark

Writer, coder, search engine marketer (und SEO), designer and lover of all things made with strong coffee and care.
