Defeating the Base64 Decode virus in WordPress

Hello, ever noticed some weird keywords in your Google Webmaster Tools? That is how I first noticed a problem on one site, which I have been cleaning of the BASE64_DECODE problem in recent days.

If you open your website, view the source (Ctrl+U) and scroll to the footer, you may notice a lot of junk there with padding of -5000px (this keeps the viagra and cialis links off the visible part of the main page: they are hidden, but they exist).

So how do we fight it? In my experience, you should start with the database. If you don't clean your database, it is useless to clean the injected code in your PHP files, since it will appear over and over again.

1. Database cleanup
Open your wp-config.php and find the username (MySQL database username) and password (MySQL database password), as well as the URL for your phpMyAdmin (MySQL hostname). Log in, click your database and go to the SQL tab. Enter this:
SELECT * FROM wp_options WHERE (
    option_id LIKE '%base64_decode%' OR blog_id LIKE '%base64_decode%'
    OR option_name LIKE '%base64_decode%' OR option_value LIKE '%base64_decode%'
    OR autoload LIKE '%base64_decode%'
    OR option_id LIKE '%edoced_46esab%' OR blog_id LIKE '%edoced_46esab%'
    OR option_name LIKE '%edoced_46esab%' OR option_value LIKE '%edoced_46esab%'
    OR autoload LIKE '%edoced_46esab%'
    OR option_name LIKE 'wp_check_hash' OR option_name LIKE 'class_generic_support'
    OR option_name LIKE 'widget_generic_support' OR option_name LIKE 'ftp_credentials'
    OR option_name LIKE 'fwp' OR option_name LIKE 'rss_%'
) ORDER BY option_id;

Your wp_options table may have a different name; if so, use your table's name instead.
The query lists all entries in wp_options that are not relevant to this table and should be deleted.

2. Plugins and themes
Plugins and themes are also vulnerable if they are outdated or, even worse, no longer supported. Update all your plugins (and delete the unnecessary ones) and all your themes, and DO delete the ones you are not using. It is a must! When I was fighting the virus I spent lots of time cleaning the database and the garbage from PHP files, but the problem was in the func.php file in the default WordPress theme, which was outdated and obviously had a hole. Quite stupid to waste so much time when the solution is so simple, isn't it?

3. Cleaning .php files
Only after parts 1 and 2 are done should you start cleaning the code. Otherwise you will lose time, patience and maybe even your blog. I suggest downloading your site completely to your HDD. If you have Windows, turn on content indexing for .php files. Once that is done, search the directory you downloaded for base64_decode and all the garbage that comes with it, and clean it out of your .php files.
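
The search from step 3 as an added example (not the author's own code): a Python script that walks the downloaded copy of the site and reports every line of a PHP file containing base64_decode or the reversed edoced_46esab string from the query in step 1. The extension list and the function names are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# Markers taken from the page's SQL query: the function name and its
# reversed spelling, which hides the call from a plain-text search.
MARKERS = re.compile(rb"base64_decode|edoced_46esab", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumption: extensions worth checking


def scan_file(path):
    """Return [(line_number, marker, excerpt)] for one file."""
    hits = []
    with open(path, "rb") as fh:  # bytes: injected code is often not valid UTF-8
        for lineno, line in enumerate(fh, 1):
            for m in MARKERS.finditer(line):
                # Injected payloads tend to sit on one very long line,
                # so keep only a short window around the match.
                window = line[max(0, m.start() - 20): m.end() + 40]
                hits.append((lineno,
                             m.group().decode("ascii").lower(),
                             window.decode("latin-1").strip()))
    return hits


def scan_tree(root):
    """Map relative path -> hits for every PHP file under root."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, hits in scan_tree(target).items():
        for lineno, marker, excerpt in hits:
            print(f"{name}:{lineno}: {marker}: {excerpt}")
```

A hit is a line to review, not proof of infection: WordPress core and many plugins call base64_decode legitimately, so compare flagged core files against a fresh copy of the same WordPress version.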

4. Move to another hosting
It may look painful, but if you are really frustrated with the pharma hack, you should consider moving to a new host.

2 Comments


  1. Hi,

    Excellent information and really handy for people that have had the PharmaHack. Just thought it worth mentioning that now in 2014 this is so much more prevalent and the hacks are so much more targeted. So if your site is vulnerable, moving to a different host (as in your step 4) will not ensure your security and stop your site being hacked. Hacker bots now target sites for factors that are independent of the host they are on. So for example, sites that have not updated their WordPress to the latest version and do not have all their plugins updated. These days it is so key to keep your site fully updated (daily or weekly checks on your site version can save you a lot of pain in the future).

    Best Regards,
    James
    Helping Keep The Internet Clean
    http://www.onehoursitefix.com
