jump to last post 1-7 of 7 discussions (10 posts)

Anyone else suffered from the eval(base64_decode virus?

  1. TerryGl profile image61
    TerryGlposted 6 years ago

    Well after the last two weeks I now consider myself an expert in installing Wordpress blogs on self hosting and a virus deletion technician extraordinaire. I am now accomplished at securing a Wordpress blog.

    The reason why, I am hosted at Go-Daddy and that whole site has been infected by a malaware bug. This is a php script that infects every site on the Go-Daddy host. Reports are now coming in that other hosting accounts are being infected.

    There is a report that Fort Knox lost their site from this very same attack.

    If you have any sort of hosting, go to your site, look at the page source and if you see at the bottom a script calling "http://holasionweb dot com/oo dot php" - then be prepared to lose everything.

    I had twelve sites infected and rebuilt each one by hand. Lost a lot of money in adsense and affiliate sales.

    I despise hackers who do this type of thing. Anyone else having the same problem, just contact me for a very easy and quick fix. Its free, so don't think I am riding on the hackers coat tails to make a few bucks.

    Edit: To save on receiving so many emails I actually put up a hubpage detailing the fix. No links in the hubpage or anything self promoting. Just hope I can help someone else the anguish I went through.

  2. earnestshub profile image87
    earnestshubposted 6 years ago

    Terry I am sorry to hear that. I have a few over there I will go check on.
    Bummer you had to rebuild them all, a spiteful selfish act.

  3. 61
    serypetaposted 6 years ago

    I have had this virus attack me 4 maybe 5 times now and hits every php website I have on godaddy.  I am not sure if its hitting my html websites as I believe it might put in a different code, something to do with before the body and a document_write script but cant work that one out.

    I now back up at the end of every day with a complete website clean script and as I check the website every time I make a change which is every day and as soon as it hits I then upload the new website straight away.

    Each time it infects it puts a new script at the bottom of the page so its not always an oo.php string, it changes each time, so make sure its cleaned out properly.

    You say you have a way of cleaning it out.  I am looking at doing something with my SSH files at godaddy on info I found in a previous thread but until I can get rid of it for good I am being really cautious as I lost 3 days on the first attack.


    1. TerryGl profile image61
      TerryGlposted 6 years ago in reply to this

      Hi Serena, I wrote this hub which is repeating Securi's advice and is a fix.

      http://hubpages.com/hub/How-To-Remove-T … code-Virus

      Save the script in the Hub as wordpress-fix.php and load it to your index. Then add wordpress-fix.php as an extension to your domain name.

      I did this on all of my sites and bookmarked each site under a folder I called malaware. I now just go to the folder and click "open All in tabs' and let it run. I do this everytime I sit at the computer.

      Just got infected about one hour ago again, I ran the script and it is all now clean.

      This script will not need the ssh approval from G-Dy.

  4. TerryGl profile image61
    TerryGlposted 6 years ago

    Reports are now coming in that other web hosting sites are now being infected.

    If you have any hosting at all, you must check your sites as once Google finds the threat they will tag your site a threat site.

    Just open your url's to your sites and you will soon see if your infected or not.

    Lean Mit college and university have just been hit, so no one is safe.

    The fix in my hubpage will work to remove this latest attack.

  5. Misha profile image76
    Mishaposted 6 years ago

    Terry, if you google it, you don't see much except for this thread. Somehow it makes me thinking the virus is not THAT bad, and did not affect a whole lot of users. smile

  6. Misha profile image76
    Mishaposted 6 years ago

    http://www.google.com.au/search?hl=en&a … amp;tab=wn

    If you really want to go there... Zero news on this stuff and godaddy... I don't believe you Terry. Nice self promotinal trick though...

    1. TerryGl profile image61
      TerryGlposted 6 years ago in reply to this



      For anyone else here is a free virus fix that Wordpress org recommend.

      http://www.deepjava.com/Trinetra_Ninopl … emover.jsp

  7. TerryGl profile image61
    TerryGlposted 6 years ago

    Just checked one of my sites today after putting up a new hubpage.

    It was infected again. The time is 11.00am Monday, 14 June 2010 Australian time.

    If you have a Go-Daddy hosted wordpress blog, you had better check it.

    It seems this virus has returned after a few weeks.