Feb 20

Hello once again,

I had recently been asked to take a look at a server that was being reported as passing a virus to unsuspecting visitors. I did the usual scan (using clamscan) and came up with a couple of files that contained PHP shells. I removed those files and started digging deeper. What I found was that two of the accounts on the server had all of their .php files infected with a base64_decode call right on the first line. What this does is encode the injected code so that a person reading the file cannot see what it does. The web server decodes and runs it on every request, so when the page is served to a visitor, they get a little more than they bargained for! The following information will only replace the first line of these infected files.
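To make the clean-up described above repeatable, here is an added example (my own code, not part of the original post or any tool it mentions) that walks a document root, flags every .php file whose first line carries a base64_decode call, and strips that first line while keeping a .bak copy. The sample tree it builds, the placeholder payload strings and the regular expression are all constructed for the example; adjust the pattern to whatever the infected first line on your server actually looks like.

```python
import os
import re
import tempfile

# Constructed pattern for the infection shape described in the post: a PHP open tag
# and a base64_decode( call on the same (first) line. Tune it to the real sample.
INJECT_RE = re.compile(r"<\?php.*\bbase64_decode\s*\(", re.IGNORECASE)


def first_line_infected(path):
    """Return True if the first line of the file matches INJECT_RE."""
    with open(path, "rb") as fh:
        first = fh.readline()
    return bool(INJECT_RE.search(first.decode("utf-8", errors="replace")))


def scan_tree(root):
    """Return the sorted, root-relative paths of .php files with an infected first line."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            if first_line_infected(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def strip_first_line(path, backup=True):
    """Remove line 1 of the file (after saving a .bak copy); return the new line count."""
    with open(path, "rb") as fh:
        lines = fh.readlines()
    if backup:
        with open(path + ".bak", "wb") as fh:
            fh.writelines(lines)
    with open(path, "wb") as fh:
        fh.writelines(lines[1:])
    return len(lines) - 1


def clean_tree(root):
    """Strip the first line of every flagged file under root; return what was cleaned."""
    cleaned = []
    for rel in scan_tree(root):
        strip_first_line(os.path.join(root, rel))
        cleaned.append(rel)
    return cleaned


def build_sample_tree():
    """Create a throwaway directory with constructed sample files (not real malware)."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    samples = {
        # infected: injected first line, then the site's own code
        "index.php": b"<?php eval(base64_decode('PLACEHOLDER_PAYLOAD')); ?>\n<?php\necho 'hello';\n",
        # clean: nothing on line 1 but the open tag
        "clean.php": b"<?php\necho 'fine';\n",
        "sub/config.php": b"<?php eval(base64_decode(\"PLACEHOLDER\"));?>\n<?php\n$db = 'x';\n",
        # same text but not a .php file, so it is out of scope for this scan
        "sub/notes.txt": b"<?php eval(base64_decode('x'));\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("flagged before cleaning:", scan_tree(demo_root))
    print("cleaned:", clean_tree(demo_root))
    print("flagged after cleaning:", scan_tree(demo_root))
```

Run scan_tree on the real document root first and review the list before calling clean_tree; stripping line 1 only helps when the whole injection sits on that line, so re-run the scan afterwards and diff a few files against their .bak copies to confirm nothing legitimate was cut.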

