Victor CIobanu

Back-end Developer

Front-end Developer

Programmer

Internet of Things

Victor CIobanu

Back-end Developer

Front-end Developer

Programmer

Internet of Things

Blog Post

How to remove “Cannot redeclare _765258526”

November 15, 2011 diy

If you read this your site has been marked as unsafe by google, and if you do a site check on Sucuri ( sitecheck.sucuri.net/scanner/ ) this is the error that you get :

Site error detected.
Details: http://sucuri.net/malware/php-error-fatal-error
Fatal error: Cannot redeclare _765258526() (previously declared in /path/domain-name.tld/wp-content/themes/Theme-name/footer.php(18) : eval()’d code:1) in /path/domain-name.tld/index.php(18) : eval()’d code on line 1

The malware code (from clients end perspective – view source) is in your footer this time (last 2 lines), however the files affected by the virus are Index.php (wordpress -index.php and the theme’s index.php)

This is how the malware code looks like , it consists of 4 parts:

php eval(gzuncompress(base64_decode(‘eF5Tcffxd3L0CY5WjzcyNDG2NDc3MLGMV4+1dSwqSqzU

This is what the malware code translates to (after being decoded):

$GLOBALS[‘_2143977049_’]=Array();
function _765258526($i){$a=Array();return base64_decode($a[$i]);}
$GLOBALS[‘_226432454_’]=Array();
and another part i was unable to decode.

I have no idea what that does (any help would be much appreciated), however it is interpreted as a threat by most antivirus programs : ” object is infected by Trojan-Downloader.JS.Iframe.cow ”

So, Here is how to remove the malware code, where to look for it and how to prevent this from happening again, all in baby steps :

1. Log in to your wordpress ( /wp-admin) and go to Appearance => Editor and select index.php (Main Index Template) ;
2. In index.php look for ” gzuncompress ” (easy to spot since the code is compressed, and delete the whole thing from <(questionmark) php till the very end (questionmark)> and hit update/save your file ;
3. Connect to your wordpress site using FTP (filezila or any other client u like) and navigate to the root of your wordpress install, order files by modified and notice that index.php has been changed during the past 2-3 days (14 nov 2011 in my case);
4. Download index.php , open it and repeat step 2 (remove the code) save the file and replace the old one, or if you have a clean index.php from a recent backup, just replace the infected one with the new one.
5. CHMOD (change permissions using your ftp client) to index.php to 444 (read only), navigate to your theme folder ( /wp-content/themes/your-theme) and do the same with that index.php file (chmod 444- read only)

Or to avoid removing all the code by hand just replace (overwrite) the wordpress install files, then manually clean the theme’s index.php

You are done ! (however, keep in mind that every index.php on your server is infected! so when you change your theme, your site will be infected again – even the index.php files in the /wp-content or /wp-conent/themes/ are infected )

Please like and share this post (that’s all i ask since you don’t see any annoying ads or any other means of buying a Ferrari 599 at the expense of your nerves :P )

9 Comments
  • admin 5:17 am November 15, 2011

    Please feel free to ask any questions !

  • Eugen 9:59 pm November 16, 2011

    Chiar functioneaza :) Aveam pe hosting 3 platforme WP si acum sunt mai curate ca niciodata! Mii de multumiri dlui Victor!

    • Victor Ciobanu 8:39 am December 19, 2011

      Glad i could help :)

  • bangfruit 2:32 am November 17, 2011

    I run a wordpress multi-site network and have 72 affected sites (argh!)

    This had just happpend Nov 10,2011

    I am wondering how this can happen. I only use premium themes (press75, elegant themes) and ones from the wordpress.com

    Thank you for the insight.

  • Daniel15 11:21 am November 19, 2011

    Here’s my analysis of the code – http://dan.cx/blog/2011/11/pulling-apart-wordpress-hack . Hope it’s useful for someone :)

    • Victor Ciobanu 8:44 am December 19, 2011

      You rock ! :) however, on that site 91.196.216.64 there was another iframe that targeted a certain site (on november 5 it was facebook). So the main purpose of the attack was flooding a certain site at a certain moment.

  • MX 8:56 pm December 1, 2011

    Here’s the thing — there’s something on the server that allows the malware to keep propagating on any non 444’d index.php files…how do we stop the root cause? I haven’t found any traces in any of my WP site DBs … and can’t find it in ANY files on the server anymore. In fact, when I replace the hacked index.php files with clean files from a clean WP package…it takes approx. 25 minutes for the index.php files to be re-infected with the eval code — my eval code is different though. I can share it with you if you e-mail me. Cheers!

    • Victor Ciobanu 8:48 am December 19, 2011

      You might have wunderbar_emporium rootkit exploit, somewhere in your site. my guess would be wp_includes. check every folder there using FTP, look for anything suspicious. (files that are not commonly found in a typical wp install)

  • marshall baker 12:15 am December 4, 2011

    thanks so much! this really helped quite a bit.

Comments are closed.