My fix for the eval(base64_decode, $_87b7 hack, rr.nu, lilypophilypop.com worm


#1

Hi everyone -

I’ve been dealing with this issue for the past week and so blogged about it. Would’ve been good to have had others to discuss with while finding a fix!

You can see how I solved it at domesticenthusiast.blogspot.com. It is pretty thorough.

Hope that helps some!
Simon


#2

http://discussion.dreamhost.com/thread-134262.html


#3

This tool automates the removal of the base64_decode stuff from your php. You’ll still need to check your databases…

http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html


#4

As the other thread has noted, you’ll still need to do more than that. You can wipe out some of the manifestations of the problem by stripping out base64 crap, but you’ve still got the original exploit to plug, other files (shells) which have probably been placed in your account through the exploit which give your adversary a large amount of control over your account, possible changes to your database, possible authenticated cookies, possible new user privileged accounts in your apps, etc.

If you don’t spend the time to find the root cause and fix it, then it will keep coming back. The process can be seen in this thread.
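
Before stripping anything, a read-only inventory of which files carry the injected `eval(base64_decode(...))` call helps scope the cleanup discussed above. The following is an added example, not part of the original thread or of the tool linked in #3; the extension list and the sample files are assumptions constructed for the demonstration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# eval( [wrapper( ...] base64_decode( 'literal' ), tolerant of case and whitespace
PATTERN = re.compile(
    rb"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1",
    re.IGNORECASE,
)

def scan_file(path):
    """Return [(line_number, decoded_preview), ...] for each hit in one file."""
    data = Path(path).read_bytes()
    hits = []
    for m in PATTERN.finditer(data):
        line_no = data.count(b"\n", 0, m.start()) + 1
        try:
            decoded = base64.b64decode(m.group(2))
        except (binascii.Error, ValueError):
            decoded = b"<undecodable>"
        # Decoded bytes are shown for triage only and never executed; if a
        # wrapper such as gzinflate was used they will still look compressed.
        hits.append((line_no, decoded[:80].decode("latin-1")))
    return hits

def scan_tree(root, exts=(".php", ".inc", ".phtml")):
    """Walk root read-only and map each flagged file to its hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_file(path)
            if hits:
                report[str(path)] = hits
    return report

def demo():
    """Constructed sample tree: one injected file, one legitimate base64 use."""
    root = Path(tempfile.mkdtemp())
    payload = base64.b64encode(b"echo 'constructed-marker';").decode()
    (root / "index.php").write_text(
        "<?php eval(base64_decode('%s')); ?>\n<?php echo 'site'; ?>\n" % payload)
    (root / "clean.php").write_text("<?php echo base64_decode('aGk='); ?>\n")
    return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

A clean report from this scan only covers this one pattern in files; the database, extra shell files and rogue accounts mentioned in #4 still need their own review.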


#5

ENABLE ENHANCED SECURITY for your users and domains.

My sites without enhanced security enabled were hacked (WordPress and Drupal). I should have known better. It’s a dead simple step to help secure your sites.