How to resolve Eval Base64 Malicious Code’s Problem?

Home  /  Website Development  /  How to resolve Eval Base64 Malicious Code’s Problem?

On May 13, 2014, Posted by , In Website Development

This is SynramTechnolab Blog and in this blog, you will learn what is Eval base code, how much dangerous it is for website and most important thing how to remove it. If you read the complete, I can make you sure that, you will get rid of this malicious code.


Eval code 64 is a malicious code that is infused by hackers in the site’s code line. This dangerous code is highly infectious and can result in site crash, Google search problems and also infects entire system with malware. An apparent indication of a compromised site is when you see it loading with blank white pages. After SSH’ing into the server you can come up with wp-config.php file. And the thing that come next is eval(base64_decode(“ZXJy….line which confirms that your site has been  compromised. In such cases attackers fuse the malicious code with PHP base64_encode () function. Then they use the base64_decode() function to decode (i.e. un-hide) it. Finally, the PHP eval () function is used to ‘run’ (or EVALuate) the malicious code. They place the malicious line at the top of as many PHP files as they can.

To peek into the fused code copy and paste the whole line into a new PHP file and then replace eval(base64_decode(….)); with echo base64_decode(…);. That will print out the PHP code that the attacker is trying to run.

Danger posed by hackers.

As we have understood that this code is highly dangerous and if not taken preventive measures in time then apart from the website it can spread and infect entire system with malware.

Most often hacker’s intention is to redirect the site to some other domain in order to make money. Suppose if a hacker earns as miniscule amount as $0.01 for redirection to an ad somewhere on the Gigantic World of web then they could earn unimaginable amount of illegitimate money by infecting any popular site.

While dealing with such problem or performing the cleaning process you can temporarily block access to the site by adding the deny, allow command to the top of .htaccess in the root folder of the website. Then allow deny command must deny access from all and allow only from your IP address (if .htaccess file doesn’t already exist, you’ll want to create it).


Once it is done you initiated the cleaning process and not let the attacker any chance to infect other files.

Synram Technolab team would like to share the simple Solution to the problem is here. If you see the malicious Eval base code in your website in any file then finding that list of infected files is rather too long editing each file will be too time consuming but thankfully there is an easier way of doing it by running a link specially designed to identify files and remove such malicious code. We have the file which you can run on your browser and that file will work in a way that not only it will remove malicious/infected files but also will show you what were the infected files, there you do not need to search the directory for any files that may contain the malicious code.

After running that link on your browser you can find all .php files in current directory and subdirectories and search for the malicious line and replace it with nothing, doing so you can easily eliminate the malicious code from each line.  You must repeat the process to check any discrepancy.

Here is the sample code:

(you just need to ask for the code either by mailing us or by commenting on this blog, we will give you the code on your email free of cost).

As we all know that ‘prevention is always better than cure’. Believing in this wisdom here are some pointers for you to prevent your website and system from this malicious code.

  • 1. Install security plug-ins. You can opt for plugins like better WP security, Bullet proof security.
  • 2. Rewrite the prefix of database
  • 3. Change the username of wp admin
  • 4. To see the decoded version of eval base code. Check out the decoded code and see what it meant for. Here is the website
  • 5. when your website get infected with this code, just close down the website immediately till you fix it by putting underconstruction tag so that Google can not blacklist it. If blacklisted by Google then it tags the website with a warning page , then you will need to take the following steps:


What you’ll do:

  1. Confirm you’ve completed the requisite steps:
    • – Verified ownership of your site in Webmaster Tools
    • – Cleaned your site of the hacker’s vandalism
    • – Corrected the vulnerability
    • – Brought your clean site back online
  2. Double-check that your pages are available and clean

To be safe, use either Wget or cURL to safely view pages on your site, such as your homepage and a URL modified by the hacker that should now be clean. If these URLs return content free of the hacker’s damage (and you’re confident that same applies to the rest of the pages on your site), it’s time to request a review.

3. Here is the last steps to follow:

a. Click the link for the site which will take you to the Dashboard for the site

b. Click Diagnostics, and then click Malware.
c. Click the link “Request a Review” and submit the requested information.

or if the link is not there try

a. Click the link [ More Details ] from the red malware warning bar
b. Click the link “Request a Review” and submit the requested information.

Leave a Reply

Your email address will not be published.