I recently had to clean up some websites where some of the WordPress files were changed. I was able to clean the files by using a few scripts. The first one looks through all the files looking for base64 PHP code: base64-check.sh
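# Log file named for today's date
timestamp=$(date +%Y%m%d)
log="/logs/base64-check-$timestamp.txt"
touch "$log"
echo "Checking for base64 code in www/" >> "$log"
# Recursively log every line under www/ that mentions base64_decode
grep -r "base64_decode" www | grep www >> "$log"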
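The check above logs every use of base64_decode, including code that only decodes data, so the log still has to be sorted by hand. The following is an added example, not part of the original post, that separates files passing the decoded data straight to eval from files that merely decode; the function names, the regex and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the regex and
# the sample files are assumptions made for illustration.

# eval( fed directly by base64_decode(, tolerating whitespace and the @ operator.
EVAL_B64='eval[[:space:]]*\([[:space:]]*@?[[:space:]]*base64_decode[[:space:]]*\('

# triage_base64 DIR: one line per .php file under DIR that mentions base64_decode.
#   SUSPECT <path>  eval(base64_decode(...)) is present
#   REVIEW  <path>  base64_decode is used some other way; inspect by hand
triage_base64() {
    # find -exec ... {} + hands over file names intact, spaces included.
    find "$1" -type f -name '*.php' -exec sh -c '
        pattern=$1; shift
        for f in "$@"; do
            # -i because PHP function names are case-insensitive
            if grep -Eiq "$pattern" "$f"; then
                printf "SUSPECT %s\n" "$f"
            elif grep -iq "base64_decode" "$f"; then
                printf "REVIEW  %s\n" "$f"
            fi
        done' sh "$EVAL_B64" {} + | sort -r
}

# make_sample_tree DIR: constructed files standing in for a WordPress tree.
make_sample_tree() {
    mkdir -p "$1/wp-includes" "$1/wp-content/themes/my theme"
    # Decodes data but never evaluates it.
    printf '%s\n' '<?php $raw = base64_decode($_POST["blob"]);' \
        > "$1/wp-includes/decode.php"
    # Injected-style first line; the payload decodes to the comment "// sample".
    printf '%s\n' '<?php EVAL ( @base64_decode("Ly8gc2FtcGxl")); ?>' \
        '<?php get_header();' > "$1/wp-content/themes/my theme/index.php"
    # Clean file that must not be reported.
    printf '%s\n' '<?php echo "hello";' > "$1/wp-content/index.php"
}

# Demo on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir/www"
triage_base64 "$demo_dir/www"
rm -rf "$demo_dir"
```

SUSPECT lines sort first, so the files most likely to carry an injected header are at the top of the output.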
Next I looked at that log and found the base64 code that was bad and put it in the next script and ran that on multiple WordPress sites: b64-clean-org.sh
find . -name "*.php" -print | xargs sed -i 's@eval(base64_decode("
Lastly I reset the file permissions on the WordPress file structure using this script: wp-perm.sh
WP_OWNER=www # <-- wordpress owner
WP_GROUP=www # <-- wordpress group
WP_ROOT=. # <-- wordpress root directory
WS_GROUP=www # <-- webserver group

# reset to safe defaults
find ${WP_ROOT} -exec chown ${WP_OWNER}:${WP_GROUP} {} \;
find ${WP_ROOT} -type d -exec chmod 755 {} \;
find ${WP_ROOT} -type f -exec chmod 644 {} \;

# allow wordpress to manage wp-config.php (but prevent world access)
chgrp ${WS_GROUP} ${WP_ROOT}/wp-config.php
chmod 660 ${WP_ROOT}/wp-config.php

# allow wordpress to manage .htaccess
touch ${WP_ROOT}/.htaccess
chgrp ${WS_GROUP} ${WP_ROOT}/.htaccess
chmod 664 ${WP_ROOT}/.htaccess

# allow wordpress to manage wp-content
find ${WP_ROOT}/wp-content -exec chgrp ${WS_GROUP} {} \;
find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \;
find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \;
I found the info to fix this from these websites:
http://raamdev.com/2013/cleaning-evalbase64_decode-from-a-hacked-wordpress-website-via-ssh/
A good friend of mine, Martin Obando (http://www.obandocomputing.com/), had a similar problem, so we got together to make a YouTube video using Google Hangouts On Air to talk about how we fixed it. Here is the video: