You Are Here: Home » Articles » How-To » Security » Software » Tech » Web » Web Design » Wordpress

4 ways to find out if your WordPress installation has been affected by eval / base64_decode

By Debjit on September 6th, 2009 

wordpress logoMany websites including Lorelle and Techcrunch are reporting a new kind of attack on WordPress that affects almost all WordPress installations running WordPress software below version 2.6. All those running WordPress version 2.8 are not  affected.  Users having blogs on have not been affected, although. In this article we will tell four ways which you can use to find out if you have been affected.

Search for keywords in your website

You should look for the presence of four keywords: eval, base64_decode, base64, eval(base64_decode in your website. If any one of these is present then you have been affected. You can search for the keywords using google. Say if you want to search for the keyword "eval" on your site, then you need to send the following query in Google: eval If Google says no results found then you are safe. You can similarly run a check for all the keywords on your website.

Check your categories permalink structure

According to lorrele if you find strange additions to your permalinks, such as$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. then you are affected.

Run a Anti-Virus scan on your WordPress template files

You can also use the Antivirus for WordPress to run a Scan on the individual files in your templates / themes. If a suspicious code snippet is found then you will be reported accordingly.

Check your Authors & Users page in the admin area

You should check for bogus users in your Authors & Users list inside the WordPress Admin area. The Authors & Users page can be located at: <path-to-wordpress>/wp-admin/users.php. If you see a user called Administrator (2) or a username you do not know then you are possibly affected.

Update: We list 2 more ways in which you can detect the hack on your blog as suggested by our readers.

Search the  User Settings page source code

Again navigate to the Authors & Users page which can be located at: <path-to-wordpress>/wp-admin/users.php. Now view the source for this page on your browser. In the source listing search for the keyword: user_superuser. If you find it, then you are possibly affected.

Shell - Directory Search from command line

If your web host provides you direct shell access to your hosting account then log in to your account via SSH and run the following command on the terminal in your web hosting account's home folder:

grep -lr eval > list.txt

This command basically searches for the keyword: eval in all your files and lists the file names in another file called list.txt. You can similarly run checks for the other three keywords as mentioned above.

Quick Remedy

First and foremost you must upgrade to the latest version of WordPress if you are running it on your website. You can find out the version of wordpress running on your website by going to: <your domain>/<path-to-wp>/readme.html. In case you want to upgrade you can point your browser to <path-to-wp>/wp-admin/upgrade.php. Lorelle has listed various ways that can help you to rescue your blog in case you are affected.


4 ways to find out if your WordPress installation has been affected by eval / base64_decode was originally published on on September 5, 2009 - 7:27 pm (Indian Standard Time)