# scanning for base64_decode references

Published 2010-05-25 at https://www.void.gr/kargig/blog/2010/05/25/scanning-for-base64_decode-references/
Categories: internet, linux, privacy. Tags: base64_decode, crapware, hack, joomla, linux, malware, php.

A friend's site was recently hit by the [massive infections/hacks](http://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html) on [Dreamhost](http://www.dreamhost.com/)'s servers, so I decided to scan some servers that I administer for base64_decode references.

The simple command I used to find suspect files was:

```shell
# find . -name \*.php -exec grep -l "eval(base64_decode" {} \;
```

The results fell into just two categories: malware and stupidity. Not a single base64_decode reference did anything useful in any possible way.

The best malware I found was a slightly modified version of the c99 php shell on a hacked joomla installation (the site has been hacked multiple times, but the client insists on just re-installing the same joomla installation over and over and always wonders how the hell they find him and hack him...oh well). c99 is impressive though...excellent work. I won't post the c99 shell here...google it, you can even find infected sites running it and you can "play" with them if you like...

And now comes the good part, stupidity.
My favorite php code containing a base64_decode reference that I found:

```php
// the chunks are concatenated into one base64 string and then eval'd
$hash  = 'aW5jbHVkZSgnLi4vLi';
$hash .= '4vaW5jX2NvbmYvY29u';
$hash .= 'Zi5pbmMucGhwJyk7aW';
$hash .= '5jbHVkZSgnLi4vLi4v';
$hash .= 'aW5jX2xpYi9kZWZhdW';
$hash .= 'x0LmluYy5waHAnKTtl';
$hash .= 'Y2hvICRwaHB3Y21zWy';
$hash .= 'd2ZXJzaW9uJ107';
eval(base64_decode($hash));
```

Let's see what this little diamond does:

```text
% base64 -d
aW5jbHVkZSgnLi4vLi4vaW5jX2NvbmYvY29uZi5pbmMucGhwJyk7aW5jbHVkZSgnLi4vLi4vaW5jX2xpYi9kZWZhdWx0LmluYy5waHAnKTtlY2hvICRwaHB3Y21zWyd2ZXJzaW9uJ107
include('../../inc_conf/conf.inc.php');include('../../inc_lib/default.inc.php');echo $phpwcms['version'];
```

So this guy used a series of strings which, concatenated, form a base64-encoded string, in order to prevent someone from changing the version tag of his software. That's not software, that's crapware. Hiding the code where the version string appears? That's how you protect your software? COME OOOOON....