Anyone else suffered from the eval(base64_decode virus?

Jump to Last Post 1-7 of 7 discussions (10 posts)
  1. TerryGl profile image59
    TerryGlposted 8 years ago

    Well after the last two weeks I now consider myself an expert in installing Wordpress blogs on self hosting and a virus deletion technician extraordinaire. I am now accomplished at securing a Wordpress blog.

    The reason why, I am hosted at Go-Daddy and that whole site has been infected by a malaware bug. This is a php script that infects every site on the Go-Daddy host. Reports are now coming in that other hosting accounts are being infected.

    There is a report that Fort Knox lost their site from this very same attack.

    If you have any sort of hosting, go to your site, look at the page source and if you see at the bottom a script calling "http://holasionweb dot com/oo dot php" - then be prepared to lose everything.

    I had twelve sites infected and rebuilt each one by hand. Lost a lot of money in adsense and affiliate sales.

    I despise hackers who do this type of thing. Anyone else having the same problem, just contact me for a very easy and quick fix. Its free, so don't think I am riding on the hackers coat tails to make a few bucks.

    Edit: To save on receiving so many emails I actually put up a hubpage detailing the fix. No links in the hubpage or anything self promoting. Just hope I can help someone else the anguish I went through.

  2. earnestshub profile image87
    earnestshubposted 8 years ago

    Terry I am sorry to hear that. I have a few over there I will go check on.
    Bummer you had to rebuild them all, a spiteful selfish act.

  3. profile image48
    serypetaposted 8 years ago

    I have had this virus attack me 4 maybe 5 times now and hits every php website I have on godaddy.  I am not sure if its hitting my html websites as I believe it might put in a different code, something to do with before the body and a document_write script but cant work that one out.

    I now back up at the end of every day with a complete website clean script and as I check the website every time I make a change which is every day and as soon as it hits I then upload the new website straight away.

    Each time it infects it puts a new script at the bottom of the page so its not always an oo.php string, it changes each time, so make sure its cleaned out properly.

    You say you have a way of cleaning it out.  I am looking at doing something with my SSH files at godaddy on info I found in a previous thread but until I can get rid of it for good I am being really cautious as I lost 3 days on the first attack.


    1. TerryGl profile image59
      TerryGlposted 8 years agoin reply to this

      Hi Serena, I wrote this hub which is repeating Securi's advice and is a fix. … code-Virus

      Save the script in the Hub as wordpress-fix.php and load it to your index. Then add wordpress-fix.php as an extension to your domain name.

      I did this on all of my sites and bookmarked each site under a folder I called malaware. I now just go to the folder and click "open All in tabs' and let it run. I do this everytime I sit at the computer.

      Just got infected about one hour ago again, I ran the script and it is all now clean.

      This script will not need the ssh approval from G-Dy.

  4. TerryGl profile image59
    TerryGlposted 8 years ago

    Reports are now coming in that other web hosting sites are now being infected.

    If you have any hosting at all, you must check your sites as once Google finds the threat they will tag your site a threat site.

    Just open your url's to your sites and you will soon see if your infected or not.

    Lean Mit college and university have just been hit, so no one is safe.

    The fix in my hubpage will work to remove this latest attack.

  5. Misha profile image69
    Mishaposted 8 years ago

    Terry, if you google it, you don't see much except for this thread. Somehow it makes me thinking the virus is not THAT bad, and did not affect a whole lot of users. smile

  6. Misha profile image69
    Mishaposted 8 years ago … amp;tab=wn

    If you really want to go there... Zero news on this stuff and godaddy... I don't believe you Terry. Nice self promotinal trick though...

    1. TerryGl profile image59
      TerryGlposted 8 years agoin reply to this


      For anyone else here is a free virus fix that Wordpress org recommend. … emover.jsp

  7. TerryGl profile image59
    TerryGlposted 8 years ago

    Just checked one of my sites today after putting up a new hubpage.

    It was infected again. The time is 11.00am Monday, 14 June 2010 Australian time.

    If you have a Go-Daddy hosted wordpress blog, you had better check it.

    It seems this virus has returned after a few weeks.


This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

Show Details
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)