Sadly, it's necessary for me to leave these reminders here:
If you get eval(base64 hacked on wordpress/dreamhost
I have a shared host on Dreamhost that just got hacked to shit. A fairly standard hack, and nothing particularly inspired, but nevertheless some clients from years ago weren’t too happy. If this happens to anyone else, here’s the fix (for now)…
Dyslexic Mayans Want to Sell You Cialis
My shared host account got hacked-TFU last Monday. After looking a little closer it became clear that there had been more than one break in. Apparently my account also got hacked last November, three times in December (twice by the same hacker!) and once in January too, so for the past few months my server has had a back door like Dennis the Menace’s hanging pajama flap.
Simple cleanup solution for the latest WordPress hack
If your site got hacked on the last mass infection of WordPress sites out there, we have a simple solution to clean it up.
Via SSH:
If you have SSH access to your server, run the following commands on your web root:
$ find ./ -name "*.php" -type f | xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1
$ find ./ -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1
And, oh yes—don’t forget the spaces-in-filename clusterfrak:
Unix/Linux — find & xargs — Spaces in filenames
Spaces in filenames can be a problem when using find | xargs combination.
To solve this, use:
find . -print0 | xargs -0
This tells find and xargs to use the ASCII NUL character instead of space to end (separate) the filenames.
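The two reminders above combined, as an added example that is not from either quoted post: the same sed cleanup, fed through NUL-separated find/xargs so paths with spaces survive, and limited to files that actually contain the injected marker. The function names are hypothetical, and GNU find, grep, xargs and sed are assumed.

```shell
#!/bin/sh
# Added example, not from the quoted posts; function names are hypothetical.
# Assumes GNU find, grep, xargs and sed (-print0, -Z, -0, -r, -i).

# Fixed-string form of the start of the injected line, as targeted by the
# sed pattern in the cleanup command above.
MARKER='<?php /**/ eval(base64_decode("aWY'

# Print every PHP file under $1 that contains the marker, for review
# before anything is modified. NUL separators keep "my file.php" intact.
list_infected() {
    find "$1" -name '*.php' -type f -print0 \
        | xargs -0 -r grep -lF -- "$MARKER"
}

# Remove the injected block, then drop the blank lines it leaves at the
# top of the file. Only files that contain the marker are rewritten.
clean_infected() {
    find "$1" -name '*.php' -type f -print0 \
        | xargs -0 -r grep -lZF -- "$MARKER" \
        | xargs -0 -r sed -i \
            -e 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' \
            -e '/./,$!d'
}

# Usage: script DIR        -> list infected files
#        script DIR clean  -> clean them in place
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = clean ]; then
        clean_infected "$1"
    else
        list_infected "$1"
    fi
fi
```

sed -i rewrites files in place, so run list_infected first and keep a copy of the web root outside the served directory before cleaning.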