Cleaning up an eval(base64_decode()) hack

26 Sep 2013

Over the years I’ve had a few people ask me to help fix hacked sites. The most common hack I’ve seen is an eval(base64_decode(…)) insertion: a single line of code that can evaluate to any number of malicious results. The line is generally inserted into every file of a site. Cleaning out every theme file, plugin file, and core file on a site by hand can be extremely tedious; luckily, the power of SSH can save us hours of needless labour.

Connect to your site via SSH, and navigate to the root directory of the affected area. Paste this line into the terminal/command prompt to find all instances of the malicious line and replace it with a blank string.

find . \( -name "*.php" \) -exec grep -Hn "[[:space:]]*eval(base64_decode([^)]*));" {} \; -exec sed -i 's/[[:space:]]*eval(base64_decode([^)]*));//g' {} \;

Your terminal will look crazy for a couple of minutes as hundreds of lines of gibberish fly by, but don’t freak out. When it finally comes to a standstill, you can run the command again to verify that the malicious code is all gone.
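
A more cautious variant of the command above, as an added example that is not part of the original post: it previews the matches, keeps a copy of each file before editing it, and can be tried on a constructed sample site first. It assumes GNU find, grep and sed; the function names and the `.infected` backup suffix are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes GNU find, grep and sed.
# [^)]* stops at the first ')' so code after the injection on the same line
# survives; a greedy .* there would run on to the last '));' on that line.
PATTERN='[[:space:]]*eval(base64_decode([^)]*));'

# Dry run: print "file:count" for every PHP file under $1 that matches.
# Changes nothing on disk.
scan_injected() {
  find "$1" -type f -name '*.php' -exec grep -c -H -- "$PATTERN" {} + |
    awk -F: '$NF > 0'
}

# Strip the statement in place, keeping the original as <file>.infected
# (suffix chosen for this example). Prints the number of files changed.
clean_injected() {
  find "$1" -type f -name '*.php' -exec grep -q -- "$PATTERN" {} \; \
    -exec sed -i.infected "s/$PATTERN//g" {} \; -print | wc -l
}

# Constructed sample site: one clean file and two infected ones.
# The base64 string decodes to the harmless statement: echo 1;
make_sample_site() {
  site_dir=$(mktemp -d)
  mkdir -p "$site_dir/theme"
  printf '<?php\necho "hello";\n' > "$site_dir/index.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw==")); echo esc_html(get_title()); ?>\n' \
    > "$site_dir/theme/header.php"
  printf '<?php\n\teval(base64_decode("ZWNobyAxOw=="));\nfunction demo() { return 1; }\n' \
    > "$site_dir/theme/functions.php"
  echo "$site_dir"
}
```

Run `scan_injected .` from the site root first, then `clean_injected .`, then scan again to confirm nothing is left. The `.infected` copies still contain the injected line, so move them out of the web root once you have checked the result.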
