Recently my shared hosting account was compromised and many of my sites were serving up blank pages.
This had happened with a vBulletin site I ran and I found the cause to be the eval(base64_decode()) hack or code injection or whatever you want to call it. I cleaned it up and got things running, but yesterday more sites were attacked. I found it can also hit WordPress sites, but it also hit several static sites (sites that use PHP for pages but do not use SQL databases).
As I work to fix all this I have some questions:
1. If they have admin access to my vBulletin or WordPress sites can they access other sites on my account? My cPanel password is different from all admin passwords. I guess I'm asking if using an admin login of a vBulletin or WordPress site can give them access to the directory structure of the server.
2. They didn't get all of my sites (or that is to say all PHP files on my account). They didn't even compromise all of the PHP files in a given site. Does that indicate a general server intrusion not specific to my account? My host insists there are no problems but I don't know that I trust them.
3. I do not have shell access so I'm relegated to downloading files, editing them, and re-uploading them in cases where the files cannot be simply replaced (core WordPress files can be replaced but certain customizations cannot). Is there a good text editor that will let me open dozens of PHP files at a time, search for the chunk of code (it's the same in every instance) and delete it? I tried Notepad++ but it has limits on the number of characters in the find & replace feature.
Any other general insight or experience with this type of hack is appreciated.
Concerning the eval(base64_decode()), it's done to encrypt a piece of code on a file that you uploaded to your vBulletin website.
For the 2nd question: if the WordPress directory and vBulletin are on the same shared hosting (I mean if their folders are in public_html) and the hacker has root access, he can get into both websites.
To avoid all that, check your database and back it up, delete all the files and install fresh files. Always check the themes / templates / modules and extensions you install on your website...
He doesn't need to know your cPanel password or your shell access. Using a bug like eval() in WP allows the hacker to execute commands or upload shell files that give him local access to your website, and if your server security is low, he can access other websites too.
It's a shame you don't have shell access, it would be extremely easy to find malicious content. Firstly, understand that base64 is not encryption (that was pointed out earlier) and eval is not a bug. That being said, base64 is used to encode data for various purposes and is not a bad thing. There are several uses for it... it's even built into core WordPress files. The issue is the nasty injections or simply malicious files that contain it to try and hide webshells, mass mailers, malicious code, drive-by downloads, etc.
As for obtaining the directory structure, the information can be accessed depending on the vulnerabilities of the software and the level of compromise. The attacker's access to the other directories in your account is also contingent on the level of compromise.
At this time, without shell access, you need to ask your hosting provider to run a scan on your server for malicious files. This will however not detect everything, but it will grab a majority of the issues you are experiencing. As for the others, look for dates of recently edited or added files. Chances are they are all likely close to each other as far as timestamps are concerned. Start with the files you know are bad and match them with the rest from there. It's tedious work but is unfortunately the way it has to be.
There are other things that can be done depending on your level of experience with dealing with such issues. Sorry if this was not answered in the numbered order you printed out, it's just my input on your problem.
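Added example, not part of any post in this thread: one way to do the search-and-remove from question 3 on a downloaded copy of the site, assuming Python 3 on the local machine. It lists flagged files oldest first so the timestamp clustering mentioned above is visible, and it deletes only exact copies of the known-bad snippet, because base64_decode also appears in legitimate code. The function names and the sample files are constructed for illustration.

```python
import base64, os, re, tempfile

# eval(base64_decode('...')) with optional whitespace and either quote style.
INJECTION = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"][A-Za-z0-9+/=\s]*['\"]\s*\)\s*\)\s*;?")

def scan(root):
    """Return (path, mtime, hits) for each .php file under root, oldest first."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = len(INJECTION.findall(fh.read()))
            if hits:
                found.append((path, os.path.getmtime(path), hits))
    return sorted(found, key=lambda item: item[1])

def strip_known(path, snippet):
    """Delete exact copies of a known-bad snippet, keeping the original as .bak."""
    with open(path, "rb") as fh:
        data = fh.read()
    count = data.count(snippet)
    if count:
        with open(path + ".bak", "wb") as fh:
            fh.write(data)
        with open(path, "wb") as fh:
            fh.write(data.replace(snippet, b""))
    return count

def demo():
    """Build a constructed two-file site copy, scan it, clean it, rescan."""
    blob = base64.b64encode(b"/* constructed placeholder, not real malware */")
    bad = b"eval(base64_decode('" + blob + b"'));"
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php " + bad + b" ?>\n<?php echo 'home'; ?>\n")
    with open(os.path.join(root, "about.php"), "wb") as fh:
        fh.write(b"<?php echo 'about'; ?>\n")
    before = scan(root)
    removed = sum(strip_known(path, bad) for path, _mtime, _hits in before)
    return len(before), removed, len(scan(root))

if __name__ == "__main__":
    print(demo())
```

Run scan() before strip_known(), since rewriting a file resets its modification time; on a real copy, pass the snippet exactly as it appears in one infected file.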