Fix for malware, infected files, malicious codes
I recently got some problems with some WordPress themes and cracked “nulled” scripts. So here is my problem:
I am using a Linux server (CentOS), which is very good for websites and fast and optimized for my needs. But recently I was doing some tests on some themes, designs, functionality and plugins. While I was doing that I ran into some problems, or how to say, minor things that people do to damage your project.
While I was doing my tests on those themes and plugins, and before I uploaded them to my server, I put them on VirusTotal. It was saying that 5 of 60 antiviruses found an issue / malicious code / malware... So after that I opened up the folder and ran them through "maldet", which is an antivirus coded for Linux machines/servers.
Maldet found issues in several files – around 250 infected files and around 1000 lines of code infected. But hackers are smart, and they encode their code in base64.
This is code execution obfuscated by a base64 encoding scheme; the only reason it would be present is to hide malicious code. Generally, if you find any suspicious base64-encoded strings, you should decode them and see what they contain.
An eval(base64_decode(...)) call is a PHP construct found in hacked code, which hackers use to gain control over your website. Adding eval(base64_decode(...)) code to PHP files helps hackers illegitimately enter your website and use your site for malicious purposes.
Now, this seems extremely dangerous. This code is not hard to remove manually from all of the PHP files, but what if all of the WordPress websites get infected by the malicious code again? We need to understand the root cause of the malicious code injection.
After investigating, we found the reasons behind the hacking of WordPress websites using eval base64 decode, listed below:
- Running an outdated version of WordPress.
- The type of hosting you use (shared, dedicated, virtual).
- A vulnerable admin account being exploited.
- Compromise of your FTP/SSH/web console/etc. account with your provider.
- If you ever send your password via an unencrypted protocol (like FTP), stop doing that.
- Loopholes in the written code.
- Installing outdated themes which use old PHP scripts.
- Old and vulnerable versions of themes. [Use a WordPress vulnerability scanner to find security vulnerabilities]
- Is all software up to date, for example the Apache HTTP Server?
What does the malicious “eval base64 decode” code do?
If your PHP files have been injected with an eval base64 decode code line, users coming from different browsers and search engines like Chrome, Firefox, Yahoo, Bing etc. will be automatically redirected to a malicious website. This is what an “eval(base64_decode(“someObscureCharacterString”));” can do.
In simple words, eval base64 decode is a PHP function call that decodes a base64-encoded string and runs the decoded result as PHP code. This lets the hacker run any PHP function and inject malware into your website.
What eval code looks like
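To do what the post recommends (decode suspicious base64 strings and read them rather than trusting them), here is an added example scanner that is not part of the original post and not maldet's code. It walks PHP files, matches eval(base64_decode('...')) together with the gzinflate/gzuncompress/str_rot13 wrappers that are often layered around it, decodes the payload without ever executing it, and flags decoded content containing things like header() redirects (the behaviour described above), request superglobals, or a further eval/base64_decode layer. The file name footer.php, the URL example.invalid, and both sample payloads are constructed for the demonstration.

```python
"""Find eval(base64_decode(...)) in PHP files and decode the payload for inspection.

Added example (not from the original post, not maldet's code). The decoded
payload is only decoded and displayed, never executed. File names and the
sample payloads below are constructed.
"""
import base64
import codecs
import re
import zlib
from pathlib import Path

# eval( [wrapper( ...] base64_decode( '<base64 text>' ...
EVAL_RE = re.compile(
    r"eval\s*\(\s*"
    r"((?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*)"   # optional wrapper chain
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)
WRAPPER_RE = re.compile(r"gzinflate|gzuncompress|str_rot13", re.IGNORECASE)

# Once the payload is readable, these deserve a human look.
SUSPICIOUS = ("eval(", "base64_decode(", "header(", "$_post", "$_get", "$_request",
              "system(", "shell_exec(", "passthru(", "curl_", "file_put_contents(")


def decode_payload(encoded: str, wrappers: list) -> str:
    """Undo base64, then each PHP wrapper from the innermost outwards."""
    data = base64.b64decode(re.sub(r"\s+", "", encoded))
    # In source the wrappers read outermost-first, so apply them in reverse.
    for name in reversed(wrappers):
        name = name.lower()
        if name == "gzinflate":        # PHP gzinflate() = raw DEFLATE
            data = zlib.decompress(data, -zlib.MAX_WBITS)
        elif name == "gzuncompress":   # PHP gzuncompress() = zlib stream
            data = zlib.decompress(data)
        elif name == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    return data.decode("utf-8", errors="replace")


def scan_text(source: str, origin: str = "<string>") -> list:
    """Return one finding per eval(base64_decode(...)) occurrence in the source."""
    findings = []
    for m in EVAL_RE.finditer(source):
        wrappers = WRAPPER_RE.findall(m.group(1))
        line_no = source.count("\n", 0, m.start()) + 1
        try:
            decoded = decode_payload(m.group(2), wrappers)
        except (ValueError, zlib.error) as exc:
            decoded = f"<undecodable: {exc}>"
        lowered = decoded.lower()
        findings.append({
            "file": origin,
            "line": line_no,
            "wrappers": [w.lower() for w in wrappers],
            "decoded": decoded,
            "flags": [kw for kw in SUSPICIOUS if kw in lowered],
            # A decoded payload that itself contains eval(base64_decode( is a second layer.
            "nested": "eval(" in lowered and "base64_decode(" in lowered,
        })
    return findings


def scan_tree(root: str) -> list:
    """Scan every .php file under root (e.g. a wp-content/themes directory)."""
    results = []
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        results.extend(scan_text(text, str(path)))
    return results


# Constructed sample: a theme footer with one plain and one gzinflate-wrapped payload.
PAYLOAD_PLAIN = 'echo "constructed benign payload";'
PAYLOAD_REDIRECT = 'header("Location: http://example.invalid/");'


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _b64_deflate(s: str) -> str:
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw DEFLATE, what gzinflate() expects
    return base64.b64encode(c.compress(s.encode()) + c.flush()).decode()


SAMPLE_FOOTER_PHP = (
    "<?php\n"
    "get_footer();\n"
    f"eval(base64_decode('{_b64(PAYLOAD_PLAIN)}'));\n"
    f"eval(gzinflate(base64_decode('{_b64_deflate(PAYLOAD_REDIRECT)}')));\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FOOTER_PHP, "footer.php"):
        print(f"{f['file']}:{f['line']} wrappers={f['wrappers']} flags={f['flags']} nested={f['nested']}")
        print("   decoded:", f["decoded"])
```

Run it against a real tree with scan_tree("/path/to/wp-content") and review every finding by hand; a legitimate plugin occasionally stores data in base64, so the decoded text, not the mere presence of base64_decode, is what decides whether a file is infected.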