Server Eval Hijacked

Over the past few months more and more servers have been hijacked by eval viruses. Some of these viruses have been coming in through timthumb and your server's .htaccess files. Like others, I have been trying to figure out the best ways to delete these viruses. Some people may have seen them in their WordPress theme folder or in any of their PHP files. These are really tricky viruses, or backdoors. I have encountered 2 of these backdoors and have successfully found ways to clean all of my files. It was really hard and time consuming, so this post shares the ways I have fixed these backdoor eval PHP codes.

The First Eval Code @error_reporting(0);

This code was not as hard to remove as the other two. But if you don't know what you are doing you could really mess up your website/server. The code for this virus looks like this:

The code for this backdoor is quite long and kind of confusing. To fix it, there is a script that will search your entire server and delete any instances of the code. You can find the script below:

Should Be Cleaned

After you run the script you should be cleaned but still not protected. There are two main reasons this backdoor gets into your server: one, an old version of timthumb.php, and two, your .htaccess file needs to be more secure. As for timthumb.php, all you have to do is replace this file with the newest version. You can get that here. If your server is like mine and has a ton of files and you are not sure where all of your timthumb.php files are, you can use the script below to find every place on your server that has a timthumb.php.

This will search your server and output the locations where timthumb.php was found.

Backdoor Number 2 – eval(base64_decode(“DQplc

This backdoor is kind of the same as the first one but much harder to remove. The virus looks like this:

This backdoor will show up on every PHP page right after your opening <?php. Now, unlike the first virus, you are unable to search for this one and delete the entire line involved, because it adds its code onto your existing line: for example, this backdoor would add the code right before get_header. If you use the first code to remove it, it will delete the get_header too, so your template files will not work at all after that. There is no easy way to fix this backdoor without removing your files from your server.

How To Fix

To fix this backdoor you will have to download your entire root directory and search all the files for instances of the code. The way I did this was to download Notepad++. Once you install it you can search all the files at once and replace the code with blank space. Be careful when doing this. After you are done you just have to upload and replace your files on your server.
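The scripts the post refers to (the search-and-delete script for the first backdoor, the timthumb.php finder, and the careful removal of the second backdoor) are not reproduced on the page. As an added example, not the author's script, the following Python program does all three jobs in one pass over a directory tree: it deletes whole lines carrying the first backdoor (recognised by the $eva1fYlbakB variable name that James's comment below greps for), it strips only the eval(base64_decode("...")); call that the second backdoor glues in right after <?php, leaving the template's own get_header() and everything after it in place, and it lists every timthumb.php together with the version from its define('VERSION', ...) line. The directory layout, the sample files and the base64 payload (which only shares the DQplc prefix quoted in the heading) are constructed for the demo. Originals are copied to .bak before being rewritten, and a dry run reports without writing anything.

```python
# Added demo (not the post's script): strip the two eval backdoors described in
# the post and list timthumb.php copies. Signatures, paths and sample files are
# assumptions made for this example.
import os, re, shutil, tempfile

# Backdoor 1: the injected line carries the variable name James's comment greps
# for; the post says deleting that whole line is safe.
BACKDOOR1_MARKER = "if (!isset($eva1fYlbakB"
# Backdoor 2: eval(base64_decode("...")); glued in right after <?php. Only the
# call is removed; group 1 keeps the opening tag and what follows survives.
BACKDOOR2_RE = re.compile(
    r'(<\?php\s*)eval\(\s*base64_decode\(\s*["\'][A-Za-z0-9+/=]+["\']\s*\)\s*\);\s*')
# TimThumb states its version near the top as define('VERSION', '...').
TIMTHUMB_VERSION_RE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([^']+)'")


def clean_source(src):
    """Return (cleaned_text, findings) for the contents of one PHP file."""
    findings, kept = [], []
    for line in src.splitlines(keepends=True):
        if BACKDOOR1_MARKER in line:
            findings.append("backdoor1: removed injected line")
        else:
            kept.append(line)
    text, n = BACKDOOR2_RE.subn(r"\1", "".join(kept))
    if n:
        findings.append("backdoor2: stripped %d eval(base64_decode()) call(s)" % n)
    return text, findings


def php_files(root):
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                yield os.path.join(dirpath, name)


def clean_tree(root, dry_run=True):
    """Scan every .php file under root; unless dry_run, back each infected file
    up to <file>.bak and rewrite it. Returns {path: findings}."""
    report = {}
    for path in php_files(root):
        with open(path, encoding="utf-8", errors="surrogateescape") as fh:
            cleaned, findings = clean_source(fh.read())
        if not findings:
            continue
        report[path] = findings
        if not dry_run:
            shutil.copy2(path, path + ".bak")
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(cleaned)
    return report


def find_timthumb(root):
    """List (path, version or None) for every timthumb.php under root."""
    found = []
    for path in php_files(root):
        if os.path.basename(path).lower() == "timthumb.php":
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                m = TIMTHUMB_VERSION_RE.search(fh.read())
            found.append((path, m.group(1) if m else None))
    return found


# Constructed sample theme: one file per backdoor plus an old TimThumb. The
# base64 payload only shares the "DQplc" prefix quoted in the post.
SAMPLE_FILES = {
    "index.php": '<?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7")); '
                 'get_header(); ?>\n<h1>Hello</h1>\n',
    "footer.php": "<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) "
                  "{ /* payload */ } ?>\n<?php wp_footer(); ?>\n",
    "timthumb.php": "<?php\ndefine ('VERSION', '2.8.14');\n",
}


def run_demo():
    """Write the sample theme to a temp dir, dry-run, clean, re-scan, report."""
    with tempfile.TemporaryDirectory(prefix="evalclean-") as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        os.makedirs(theme)
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(theme, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        dry = clean_tree(root, dry_run=True)           # report only
        clean_tree(root, dry_run=False)                # real clean, .bak copies
        second_pass = clean_tree(root, dry_run=True)   # must find nothing now
        with open(os.path.join(theme, "index.php"), encoding="utf-8") as fh:
            index_after = fh.read()
        return {
            "infected": sorted(os.path.basename(p) for p in dry),
            "second_pass": len(second_pass),
            "index_after": index_after,
            "backup_exists": os.path.exists(os.path.join(theme, "footer.php.bak")),
            "timthumb_versions": [v for _p, v in find_timthumb(root)],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

Run it once with dry_run=True against a copy of the site and read the report before letting it write; the second dry-run pass after cleaning is the check that nothing matching either signature is left behind, and the .bak copies are what you diff if a template stops rendering.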

Hopeful, Helpful Words

First, make sure that the backdoor you have is the one you are trying to fix. After fixing it, make sure to research how to improve your server security. And last but not least, please use these scripts at your own risk.

About Shane

Hi I am Shane the main author of this blog. I am a self taught web developer. I have been working in this industry since 2008. I work a lot with WordPress, Magento, SEO & SEM, and custom built websites. I love all sports and I will try anything at least twice.


  • Reeme

    Hello,
    I am a newbie, and just googled my way to your blog.
    My website also got hijacked by 'Backdoor Number 1'. As I am poor at PHP, can you help by putting the fix code in an easy file, so that we can just run it to fix the problem? Much appreciated if it can be done.

  • James

    My contribution

    // Find all instances of the malicious code
    // by doing a recursive grep for its marker string
    $path = "/var/www/webmaster/www/enseignement/"; // path to store the grep output if it is too large
    $pathwebroot = "/var/www/webmaster/www";

    shell_exec('grep -R "eva1fYlbakBcVSir" -l ' . $pathwebroot . '* > ' . $path . '/grep.out');

    // grep -l prints one infected file path per line
    $cnt = file_get_contents($path . "/grep.out");
    $arrReplace = array_filter(array_map('trim', explode("\n", $cnt)));
    echo 'found ' . sizeof($arrReplace) . "\n";
    sleep(5);

    $x = 0;
    foreach ($arrReplace as $file)
    {
        echo $file . " sanitized \n";

        // read the infected file
        $infected = file_get_contents($file);

        // cleaning up: keep only what comes before the injected block
        //$cleared = str_replace('<?php ..', '//:start:', $infected);
        $cleared = explode('<?php @error_reporting(0); if (!isset($eva1fYlbakB', $infected);
        $cleared = $cleared[0];

        // saving cleared data
        file_put_contents($file, $cleared);
        $x++;
    }
    die($x . ' were fixed.');