Eval64 Hack Attack Solution
Is your site down because of the Eval64 hack attack? Here’s the solution.
A mass hack occurred on the Internet on May 10, 2010. At first it was assumed that only WordPress sites were involved, but it soon became apparent that other sites were also affected, including Joomla sites and any that used PHP. It is now commonly referred to as the Eval64 hack.
Affected hosting companies so far include Go Daddy, Bluehost, Media temple, Dreamhost and Network Solutions. Other hosts may soon follow.
If your site was attacked, it is imperative that you:
- Take your site down immediately. If you’re using Joomla you can turn it off temporarily through your general configuration. Other CMS and blog platforms have ways to do that as well. It’s important that you keep people from landing on your site because they can get infected with a virus. Additionally, if Google’s robot lands on it and detects the virus, your site will be banned and you’ll have to take steps to get reindexed.
- Normally we’d say back up your site before you do number 3, but since your site has been hacked and the code is infected, it does no good to back it up at this point. Hopefully, you have a backup already. If not, use this as a reminder to do so on a regular basis from here on out after you clear your code. If you have a backup, restore it. Godaddy and other hosts generally back up for you and provide access to what they call “History” files in the admin they provide you. Check with them if you don’t know how to do that. If you have a clean backup, skip down to “Turn your site back on” below.
- Clear out the malicious code. This particular hack placed code at the top of every php file in your site. You can remove that code manually or run a shell script to remove that for you. Securi. net has posted the fix below. If you don’t want to do this yourself, give us a call. We’d be glad to help. Call 831.419.9854.
- After your site is clean, BACK IT UP!
- Turn your site back on. This is somewhat risky because the hacker may still have access to the server and may compromise your site again. Monitor it regularly to see that that doesn’t happen. Also, call your webhost to see if they have secured the server. We also recommend signing up for Securi.net’s monitoring service. They will monitor every few minutes and notify you of hack attacks so that you can attack back immediately.
- For the long term, make sure your software, including extensions, plug-ins and components are all up to date. There are no guarantees, but that will help. Kat & Mouse provides a SECURITY SERVICE PLAN that does just that for you. For a low monthly fee, you can sit back and relax.
Here’s the fix:
Via SSH:
If you have SSH access to your server, run the following commands on your web root:
$ find ./ -name “*.php” -type f |
xargs sed -i ’s###g’ 2>&1
$ find ./ -name “*.php” -type f |
xargs sed -i ‘/./,$!d’ 2>&1
Via web:
If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to hack-fix.php.
After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/hack-fix.php
This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
Once you are done, go back to your site and remove this file.
