1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Base64_decode - Hack?

Discussion in 'Security' started by WebDev Solutions, May 7, 2012.

  1. #1
    Hi,

    A quick Google search was inconclusive but seemed to point towards a possible automated hack attempt. Earlier today we received the php code below in the form of a support ticket which someone/something created in our system.

    Should we be concerned? Can somebody please shed a little light? Thanks...

    WebDev
     
    WebDev Solutions, May 7, 2012 IP
  2. HostingLynx

    HostingLynx Active Member

    Messages:
    106
    Likes Received:
    1
    Best Answers:
    1
    Trophy Points:
    83
    Articles:
    10
    #2
    That decodes to
    Then the base_64 text in teh base64_decode function in the decoded text is
    So I would suggest checking the file "templates_c/mxm.php" to make sure there was not a PHP backdoor implanted
     
    HostingLynx, May 8, 2012 IP
  3. WebDev Solutions

    WebDev Solutions Well-Known Member

    Messages:
    1,644
    Likes Received:
    80
    Best Answers:
    2
    Trophy Points:
    170
    #3
    Hi,

    Thanks for your response.

    I've looked in templates_c/mxm.php and I cannot even find that file, however?

    WebDev
     
    WebDev Solutions, May 8, 2012 IP
  4. kulik

    kulik Member

    Messages:
    162
    Likes Received:
    18
    Best Answers:
    1
    Trophy Points:
    45
    #4
    kulik, May 21, 2012 IP
    WebDev Solutions likes this.
  5. WebDev Solutions

    WebDev Solutions Well-Known Member

    Messages:
    1,644
    Likes Received:
    80
    Best Answers:
    2
    Trophy Points:
    170
    #5
    Was this likely to be an attack aimed specifically at our site, or is it an automated attack which targets random sites for exploits?

    WebDev
     
    WebDev Solutions, May 22, 2012 IP
  6. kulik

    kulik Member

    Messages:
    162
    Likes Received:
    18
    Best Answers:
    1
    Trophy Points:
    45
    #6
    These type of "attacks" are generally just "hackers" who look to get their name on as many sites as possible, mainly just an index page hack with their name on it for bragging rights (Google his handle Abu 6aLaL and you can see his YouTube video of sites he "hacked").

    They generally find exploits on certain site s0ft-w4r3 (didn't post in my last response, word filter I guess), and Google what sites are using that along with version, why I asked.

    The echo 'Abu 6aLaL / '; is probably a test to see if the exploit is there, if so the file upload code then would kick in and he could upload a shell to root the server possibly. Then he'd probably go on to change your index page to his lame "I h4x dis site lololol". And if he successfully roots the server he then could change every site on that server too.

    I'm may be wrong about the code but that's my first glance assumption.

    So to quickly answer you, no you weren't directly targeted most likely, just probably because they saw a posted exploit for certain s0ft-w4r3 you use and they found your site in Google.
     
    kulik, May 24, 2012 IP