Website Technology Issues Forum
Removing malicious lines of base 64 code
Malware in files, what to do, how to remove?
skibum

Msg#: 4209468 posted 5:58 pm on Sep 30, 2010 (gmt 0)

So in a hosting account with a few WordPress installations, there are several files that have been injected with malicious code. The web host says I will need to remove the malicious lines of base64 code and secure the account against future attacks. There is a list of probably at least 200 files. Many are in wp-admin, wp-includes, wp-content/themes and a few others I created while trying to learn PHP/MySQL and understand all this stuff better.

Any suggestions on what to do or how to remedy this? This all might as well be written in Chinese, as I have no idea what to do. I looked at a few of the files I created and nothing jumps out at me as being out of place, so I can't see any "malicious lines of base64 code".

lammert

Msg#: 4209468 posted 2:57 am on Oct 1, 2010 (gmt 0)

These lines shouldn't be too difficult to recognize. They all start with something like

eval(base64_decode('some string...

The more sophisticated versions add compression on top of the encoding:

eval(stripslashes(gzinflate(base64_decode('some string ...

I had them a few months ago in a WordPress installation of a non-profit organization I host for. The lines were there right from the beginning, even before the site went live, and I therefore don't think they were injected but were part of a free theme they found somewhere. I didn't analyze it fully, but it seemed that part of the functionality of the theme was coming from an external server, and that server delivered the malicious payload. The download code for that remote server was base64 encoded to make it difficult for the average website builder to identify.

Rather than cleaning up the mess, I just disabled the use of WordPress, removed all files and pushed the user in the direction of another CMS.

phranque

Msg#: 4209468 posted 7:24 am on Oct 5, 2010 (gmt 0)

you have to figure out where the vulnerability is to ultimately solve the problem.
for example, it could be that someone obtained your login credentials, that another account on the shared server provided a back door, that you installed a theme containing some "bad stuff", or that WP or a plugin has a vulnerability.

here are a few WebmasterWorld posts that may provide some clues.

Website HACKED - help!:
http://www.webmasterworld.com/webmaster/4042154.htm

I have a site hijacking my wordpress - can you help?:
http://www.webmasterworld.com/content_management/3830507.htm

30 day ban for cloaked outgoing links due to PHP hack:
http://www.webmasterworld.com/google/3823009.htm

skibum

Msg#: 4209468 posted 7:44 am on Oct 5, 2010 (gmt 0)

Thanks! I was looking at the files noted by the host as having base64 code in them and could not find any strange code in a handful that were supposedly infected. I doubt I'll ever be able to figure out where the backdoor is if changing login credentials doesn't work, but those threads add a few more things to run through to try to clean things up.

phranque

Msg#: 4209468 posted 9:32 am on Oct 5, 2010 (gmt 0)

as was mentioned in one thread, the payload could be dynamically included from an external server.
also note that the database may contain the encoded javascript, and the php script is assembling that content on the fly.
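The two call chains lammert lists above, as an added detection example that is not code from any poster in this thread: a Python scanner (function names are my own) that walks a WordPress tree, flags eval() wrapped around base64_decode() with or without the gzinflate()/stripslashes() layer, and decodes the embedded string without ever executing it so the payload can be reviewed. The sample lines at the bottom are constructed with a harmless payload.

```python
import base64
import os
import re
import zlib

# Chains from the thread: eval(base64_decode('..')) and
# eval(stripslashes(gzinflate(base64_decode('..')))); whitespace/quotes vary.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:stripslashes\s*\(\s*)?(?:gzinflate\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)

def decode_payload(blob, inflate=False):
    """Decode (never execute) the captured string so it can be reviewed."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
        if inflate:  # PHP gzinflate() reads raw DEFLATE, hence negative wbits
            raw = zlib.decompress(raw, -zlib.MAX_WBITS)
        return raw.decode("utf-8", errors="replace")
    except (ValueError, zlib.error):
        return None

def scan_source(source):
    """Return (offset, uses_gzinflate, decoded_preview) per suspicious eval()."""
    hits = []
    for m in OBFUSCATION_RE.finditer(source):
        inflate = "gzinflate" in m.group(0).lower()
        hits.append((m.start(), inflate, decode_payload(m.group(1), inflate)))
    return hits

def scan_tree(root, exts=(".php",)):
    """Walk a WordPress install and map each flagged file to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    findings[path] = hits
    return findings

# Constructed samples with a harmless payload, not real injected code.
_B64 = base64.b64encode(b"echo 'test';").decode()
_GZ = base64.b64encode(zlib.compress(b"echo 'test';")[2:-4]).decode()  # raw DEFLATE
SAMPLE_PLAIN = "<?php eval(base64_decode('" + _B64 + "')); ?>"
SAMPLE_GZ = '<?php eval(stripslashes(gzinflate(base64_decode("' + _GZ + '")))); ?>'
```

It only inspects files on disk; a payload fetched from a remote server or assembled from database rows, as phranque notes, leaves nothing for this pattern to match and needs the outbound traffic or the database content checked instead.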
