Well, my day ended yesterday with a shock, and the whole day today was spent getting back to normalcy. Yes, SEO-Mind.com was hacked. I am not sure how it was hacked, but a whole bunch of code was injected at the top of each and every file on my server. That would be 6000+!!! Yes, the number is right!
When I opened any PHP file, I had code starting like below at the top of the source code:
This in turn loaded an iframe, which would get added to the footer of every page and download malware to visitors' local computers. On decoding the Base64, I found that it had another encrypted code using eval(unescape in it. This created an iframe as follows:
document.write(‘‘);
Now, the problem was, “How do I remove this from the 6000-odd pages on the server?” Not just WordPress, the Joomla site residing on the same server location was also infected. This means the malware code was injected into every PHP file on the server. It had not left a single PHP file uninfected.
After breaking my head on different things, finally, here is what I did:
1. Took backup of the database
2. Backup of the wp-content/upload folder
3. Downloaded the plugins folder and themes into Dreamweaver and removed the malicious code using find and replace. This was around 1500 files. I had to do this because I had customized most of the plugins and themes, and I hate doing that again to the dozen plugins and themes that reside on my WordPress. In fact, I have forgotten what I did, as it was years earlier.
4. Install a fresh pack of WordPress
5. Link the database to it [Please be aware that some WordPress users have mentioned even their database being hacked. Thank God, it did not happen to me!]
6. Drop the upload folder back in place; as it's only images, it's not prone to hacks or malicious code
7. Drop the cleaned plugins and themes folders to their respective locations
8. Hurray! It started working fine without the code. I am yet to clean up the other sites, but WordPress is working great and faster too!!
The next immediate step I took was to increase my WordPress Security.
Though a hack can happen through various channels, the majority of hacks can be avoided through easy precautions. I am writing an article on how a hack like this can be avoided by following some simple procedures. I will post about this soon. Anyone who had a bad day or a week due to this hack can comment on how you solved it!! I should be getting a peaceful sleep tonight!!
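The find-and-replace pass from step 3 can be scripted. The following is an added example, not the script used for this cleanup: it strips an injected header from every .php file in a downloaded copy and flags files that still eval decoded data for manual review. The header pattern (a leading `<?php eval(base64_decode("...")); ?>` block) is an assumption, since the exact injected string is not preserved on this page, and `SAMPLE` is constructed.

```python
import re
import sys
from pathlib import Path

# Assumed header shape (the exact injected string is not preserved on the page):
# a PHP block at the very start of the file that only evals a Base64 string.
# The newline after "?>" is removed too, so no stray output precedes the
# original code once the header is gone.
INJECTED_HEADER = re.compile(
    rb"\A\s*<\?php\s*(?:/\*.*?\*/\s*)?eval\s*\(\s*base64_decode\s*\(\s*"
    rb"(['\"])[A-Za-z0-9+/=\s]+\1\s*\)\s*\)\s*;?\s*\?>\r?\n?",
    re.DOTALL,
)
# Any other eval of decoded data is left in place and flagged for manual review.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(?:base64_decode|unescape)", re.I)

# Constructed sample: harmless payload ("echo 1;") in front of a normal file.
SAMPLE = b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n<?php\necho "hello";\n'


def clean_bytes(data):
    """Return (cleaned_data, header_removed, still_suspicious)."""
    cleaned, n = INJECTED_HEADER.subn(b"", data, count=1)
    return cleaned, bool(n), bool(SUSPICIOUS.search(cleaned))


def clean_tree(root, write=False):
    """Scan *.php under root (a downloaded copy). Dry run unless write=True.

    Returns {path: "cleaned" | "review"}; "review" means suspicious code
    remains after stripping and the file needs a manual look.
    """
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        cleaned, removed, suspicious = clean_bytes(data)
        if removed and write:
            path.write_bytes(cleaned)
        if suspicious:
            report[str(path)] = "review"
        elif removed:
            report[str(path)] = "cleaned"
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    for name, status in clean_tree(sys.argv[1], "--write" in sys.argv).items():
        print(status, name)
```

Run it without `--write` first and read the report; any file listed as `review` was not fully cleaned by the header match.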
Had this SAME exact problem… Followed these steps and now the site won’t work… gives me this message:
Content Encoding Error
The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.
* Please contact the website owners to inform them of this problem.
Try Again
Any suggestions? =/ This is my friend's site and I feel like I just ruined it now… They were better off with the trojan…