Category Archives: Programming

Configuring Application Pools for Websites and Applications using Internet Information Services (IIS7) Manager

First, in Windows, click Start, then Administrative Tools, then Internet Information Services (IIS) Manager. Then select your server name (the second item in the left column, under Start Page).

At this point you should probably create a new application pool separate from the default application pool. Right-click on Application Pools, and select Add Application Pool...

Enter a friendly name for this new Application Pool. Select the version of the .NET Framework that may be required to run the site / application, or select No Managed Code if no .NET Framework is required (for example, if your website only serves PHP pages). Leave Managed pipeline mode as Integrated, check the checkbox to Start Application Pool Immediately, and click the OK button.

Right-click on the name of the new Application Pool that you just created, and select Advanced Settings.

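Click on “ApplicationPoolIdentity” (the value across from the Identity field) and then select Network Service from the pop-up box / list that appears. Click OK twice to confirm this change. Note that Network Service is a built-in account shared by everything that runs under it, whereas ApplicationPoolIdentity gives each pool its own virtual account, so any file permissions granted to Network Service apply to every pool using that identity.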

You can apply the new Application Pool to a new or existing website, or to a new “Application” that you create by converting a major sub-directory path of a website. To establish an Application and apply the new Application Pool to it, just right-click a sub-directory of a website and select “Convert to Application” from the drop-down menu.

Click the Select button to change from the DefaultAppPool and select the new AppPool you just created. Note that the physical path to this sub-directory is already set. Then click both OK buttons to apply and exit these property boxes.

Let me know via comment if this works for you, and if you have anything that I should add to or change in this Article. Thank you.

De-obfuscate a backdoor PHP script

See this post:

Versatile Programmer’s Diary

The string '\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e' is the hex-encoded form of “create_function”, a PHP function that creates a function dynamically from a string. Encoding the name this way keeps it from showing up in a plain-text search of the file. This is a backdoor. What can it do, for example?

  • It can upload arbitrary files
  • It can execute MySQL queries
  • It can run shell commands

Others have detected the following as a Trojan function.

‘function letmein() {die’

Script to find base64_decode in your WordPress files

Has your WordPress website been infected by unwanted base64_decode? One indication is that when web surfers find your website by searching in Google, the link from Google to your website is blocked (and their free Avast anti-virus probably shows a nasty alert warning when they click your website link from Google).

Here is a tool (a useful script) that can help you identify which files might be infected.  The full article, explanation and script can be found at the following link.  You will find the script both with and without comments.

http://blog.aw-snap.info/p/simple-script-to-find-base64decode-in.html

Just copy and paste the script into a new .php file that you create and place the file in the root directory of your WordPress website. Install and use an app like Notepad++ to edit and save the new file.

If you only wish to check for occurrences of the string 'base64_decode', then you can insert a leading double forward slash (//) at the beginning of each “$str_to_find[]” line of the script in order to “comment out” and disable checking for anything else. For example:

$str_to_find[]='base64_decode';
//     $str_to_find[]='edoced_46esab';
//     Comment: Previous line is base64_decode reversed
//     $str_to_find[]='preg_replace';
//     $str_to_find[]='HTTP_REFERER';
//     $str_to_find[]='HTTP_USER_AGENT';

If you wish to better limit your search to identify the string ‘eval (base64_decode’ then you should modify the first variable in the list to instead be this:

$str_to_find[]='eval (base64_decode';

If you don’t understand much of this at all, then please hire your friendly neighborhood IT geek and let him or her fix it for you.  Good luck.
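
The two posts above describe a function name hidden behind \x hex escapes and a search of site files for a list of strings. As an added example (not the linked script and not the author's code), this Python scanner decodes \xNN escapes before searching, and generalises the 'eval (base64_decode' term to match with or without the space. The function names and the sample input are assumptions made for illustration.

```python
import os
import re

# Search terms: the page's $str_to_find entries plus create_function.
# PHP function names are case-insensitive, hence re.I.
NEEDLES = {
    "base64_decode": re.compile(r"base64_decode", re.I),
    "edoced_46esab": re.compile(r"edoced_46esab", re.I),
    "create_function": re.compile(r"create_function", re.I),
    # Matches with or without the space that the literal string requires.
    "eval(base64_decode": re.compile(r"eval\s*\(\s*base64_decode", re.I),
}
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")

def decode_hex_escapes(text):
    """Expand PHP-style \\xNN escapes so a hidden name becomes searchable."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def scan_source(source):
    """Return (line_no, needle, 'plain' or 'escaped') for every match."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        decoded = decode_hex_escapes(line)
        for label, pattern in NEEDLES.items():
            if pattern.search(line):
                hits.append((line_no, label, "plain"))
            elif pattern.search(decoded):
                hits.append((line_no, label, "escaped"))
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for files with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    results[path] = hits
    return results

# Constructed sample input (not taken from a real site).
SAMPLE = r'''<?php
$f = "\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";
eval(base64_decode($data));
eval (base64_decode($data));
$g = strrev("edoced_46esab");
'''
print(scan_source(SAMPLE))
```

Run scan_tree() over a downloaded copy of the site rather than the live web root. A hit is a lead for manual review, not proof of infection, because legitimate code also calls base64_decode.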