Fatal error: Cannot redeclare _765258526()

Read saynototheoffice’s post above, and use the script at https://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html to find errors (The bug files are all in index.phps, in your root directory, wp-content, themes, plugin folders. Then there are 3 in wp-admin, wp-admin/user/, and wp-admin/network/ – it’s all pretty consistent).

Important: I don’t know if this is related to this same malware issue or an another hack but check your source code as well. When I did so I found an invisible link on all of my infected WordPress sites to businessactionforafrica.org/?kids

Though I can’t for the life of me figure out what’s causing the link or where it’s located yet.

yes i know that are indexes.php that are hacked only, stupid hack..

wordpress blogs hacked same here and removed all the codes and delete the theme for fresh installation.

So am I right to assume that if the hack got me then all my sites would be infected not just 1 or 2? I checked 3 of 24 sites on my hostgator vps. Should I check each one w/ the bug check php suggested here :
https://redleg-redleg.blogspot.com/2011/11/malicious-software-hosted-on-nlai.html#more

I dont want to check each if not needed. Thanks

We all know we have something in common, WordPress. We also know in this thread that we have a common infection.

It is important, very important also mention what? web hosting company we are using.

Some, very few in this thread have mentioned it, but if we do it all in each post, we might discover another aspect we have in common.

Currently I have 4 Blogs in a shared hosting account, in Hostgator.

Twenty Eleven Child Theme, and Plugin not installed. Linux Xfce Desktop, and sftp connection. So far I have none of the symptoms.

Although this seems commercial, I’m interested to know if I’m using a secure web hosting.

I read that “givesuccess” is using hostgator vps. So would this be? viruses on a PC, or a plugin.

The more information on our setup, we add to this thread, the sooner we reach our weak point.

people, the vulnerability is in the timthumb.php script.
check this:
https://www.dataprotectioncenter.com/security/wordpress-sites-hacked-with-superpuperdomain-dot-com-attacking-timthumb-php/
https://www.dataprotectioncenter.com/security/vulnerability-in-timthumb-wordpress-plugins-the-effects/
in pt_BR, my lang, have this post about it:
https://www.noxion.com.br/blog/vulnerabilidade-no-timthumb-expoe-sites-a-malware/

and his another, in pt_BR:
https://www.bdibbs.com.br/2011/falha-de-seguranca-no-timthumb

Please see: https://digwp.com/2011/11/clean-up-cannot-redeclare-hack/

Cheers,
Emil

@adrian2
the main reason I went to HGator was bc they made some adjustments to fight the timthumb thing. I read this in the forums back when the tt thing was flying around. I have not had the tt probs or this new one either. Maybe I am just lucky and I really should not brag too much…. I might get in future.
What info might help to find the common thing with all the infected sites?
Host, themnes, plugins…ect?
So we can list them in our replies.

givesuccess, commenting on your first question, in my case I have verified (from browser) that none of my blog shows the error message.

Then run a search on cPanel, on the top right has a search filter. In this filter I searched some file names that “saynototheoffice”, put in his post.

And finally in the database search by “eval(gzun” according to a comment made on the website (link) that “Emil” has added this morning. (I read that post yesterday).

Also I’m paranoid, I check each Blog Log at least every other day. I guess when you have lots of blog, a search on some of them is enough.

I know adding this information adds time and effort that may not have. But every time something like this happens, we should find our weak point faster.

And the only way is by sharing this information. If we find that weak point, as users can send a strong message, and also data that can be used in evaluation for;
www.remarpro.com
plugin
browser
Web Hosting
and ourselves, to avoid service or use something that is obviously harmful, according to these data.

—– This is a proposal on information to be submitted

Infected
– positive|negative

WordPress
– Version

Hosting
– if, shared
– if, vps
– if, ds

Theme
– in use (name)
– additional (number)

Plugins
– this
– this
– this

Desktop
– linux|win|mac|.*

FTP
– if, sftp|ftp (name)

Browser (to login)
– name
– last version yes|no

—– This is my own information

Infected
– negative

WordPress
– Version 3.2.1

Hosting
– shared Hostgator

Theme
– in use Twenty Eleven Child Theme
– additional 1

Plugins
– none

Desktop
– Linux Xfce Desktop

FTP
– sftp gFTP

Browser (to login)
– FireFox
– last version (yes)

I did look at my sides in browser and did not see the error/hack. Some said it is on shared hosting but I have vps w/ many of my own sites. It can be considered “shared” hosting. So has anyone had this prob on a vps w/ many sites or is it mainly truly shared hosting. (not vps)?

This is results of the checking php code suggested:

./wp-app.php -> contains base64_decode
./d-64test.php -> contains base64_decode
./wp-includes/class-simplepie.php -> contains base64_decode
./wp-includes/class-IXR.php -> contains base64_decode
./wp-content/plugins/sabre/sabre_captcha.php -> contains base64_decode
Could not check ./wp-content/plugins/sabre/index.php
Could not check ./wp-content/plugins/all-in-one-seo-pack/aioseop_options.php
./wp-content/themes/arras/library/timthumb.php -> contains base64_decode

When i look tru them they seem to b ok. the only one worries me is the timthumb one but it is up to date so it is ok i guess.

If infected will the 64* code be at the very bottom only, (of the *.index.*) or can it show in middle of infected files?

My info:

Hosting
– vps Hostgator

Theme
– arras
– 2022
– 2010
– default

Plugins
– aioseo
– sabre
– context. related post
– digg digg
– Easy Privacy Policy
– gtranslate
– wp stats (non jetpack)
– wp page navi
– check last login
– akistmet
– Easy Privacy Policy
– Google XML Sitemaps
– CW Image Optimizer

Desktop
– win7

FTP
– ProFTPD 1.3.4a Server

Browser (to login)
– FireFox
– last version (yes)

Most of my sites on my vps use same themes & plugins.

sucuri scan says that my website is also infected by MW:JS:DEPACK

There is encrypted code in my main ./index.php file, when I remove that the site becomes clear, however after sometime the infection again comes back
I am on shared hosting and there are multiple sites in my account and all are infected, One site was using timthumb.php which I have updated to latest version now but that does not seem to have made any difference

what to do ?