One of my clients was hacked with the so-called Cannot redeclare hack. It seems closely related to the nefarious TimThumb hack, so if you've been hit by either of these hacks, you should check for the other. Apparently these hacks affect shared servers, so if you host multiple WordPress sites, chances are high that they're all infected.
Checking for the "Cannot redeclare" hack
The good news is that the hack is easy to diagnose. Just open any page from your site and look for the following PHP error message:
Fatal error: Cannot redeclare _765258526() (previously declared in /path/to/www/wp-content/themes/THEME/footer.php(12) : eval()'d code:1) in /path/to/www/index.php(18) : eval()'d code on line 1
PHP errors like this are usually located at the bottom of the web page, but may appear elsewhere or even not all in some cases (i.e., proper configuration). To be certain, scan your server's PHP error logs for the "Cannot redeclare" error string. If you find anything that matches, it's time to fix your site..
About the "Cannot redeclare" hack
If your site's been hit with "Cannot redeclare", you're in for a wild clean-up party because it infects every
footer.php file for every WordPress site on the server.
For example, my client hosted 11 sites on the same shared account, so multiply that by the number of index and footer files used by WordPress (core files and themes) and you get over 200 hacked files to clean up. Needless to say the client's sites have been moved to a more secure location.
Fortunately finding the hacked index files is relatively painless, just search all files on your server for the following phrase:
Here is a screenshot showing search results for this phrase:
As seen here, the hacked files should be easy to recognize because they:
- include the
- include long strings of encoded gibberish
- consist of
If your search turns up anything that similar but not quite what we're talking about here, it may or may not be legit. The main thing that we're looking for are the long strings of encoded nonsense. Also, remember to check all sites that you may have on the same server. Once you've isolated the infected files, it's time to clean 'em up..
Removing the "Cannot redeclare" hack
Looking at any of the hacked files, you'll find this hideous looking piece of code garbage:
Disgusting stuff, and if you don't see it at first, that doesn't mean it's not there. The scumbags who deal in this filth are clever enough to indent the code so it appears off-screen (via horizontal scrollbar). It's a clever trick, but most text editors have a limit to the number of characters that appear on each line, so the super-long string of encoded gibberish wraps and becomes easy to spot:
Notice it there in the last line.. it's like that for all teh files. And again, if you don't see anything then look for it off-screen. Once you find it, delete it. Then repeat for all index and footer files on your server. Once you've done that the "Cannot redeclare" hack should be gone, but you should take steps to prevent future attacks..
Securing your WordPress site
For public websites, there is no such thing as perfect security. There are many ways to improve security, however, including finding a more secure host for your sites. In general, private or some sort of virtual private hosting is better than shared hosting (for many reasons), but it's also more expensive. Hosting is one of those things where you get what you pay for.. so if you have the means, upgrading to a better, more secure host is the first thing I would consider.
Beyond switching hosts, there are a number of known effective measures you can take to improve the security of your site. There are many excellent resources available to help with site security (both for WordPress and in general), including an entire Lynda.com video/screencast series that focuses in-depth on devloping secure WordPress sites. Even more recently is Smashing Magazine's article on securing your WordPress website. And if you want to hear it direct from the horse's mouth, check out the good 'ol fashioned WP Codex for info on hardening WordPress.
There's currently not a lot of info on the "Cannot redeclare" hack, but this WP Forum thread provides some additional clues. If you have any information regarding this hack, or how it relates to the TimThumb hack, please leave a comment to share the information with others in the WP community. Thanks.