Last Post i was talking about how to clean up a hacked web server, hopeful your server is clean now and you can get back to what you do best. But what was the hacker trying to do? What does that long string mean? I will tell you how to decode the string the safe way, and understand how it was constructed.
The Example that I am going to use is from a real hacked website, the code that I will display is only partial but the construct will be complete. Any identifiable URLs will be changed to prevent identification and your safety.
Lets start by identifying the code, this is what i had found at the very beginning of the page.
<? /**/eval(base64_decode(aWYoZnVuY3Rpb25<–>KTt9fX0=)); ?>
lets start with /**/, it looks innocent but its a way to hide the code, what the code usually used for is large blocks of comments instead of using // on each line you would start it with /* and end with */ but what i noticed is that in bluefish and notepad++ when these are highlighted the whole line appears to be a comment, my guess is that other code scanners will look like one long comment on that line and skip it. But this is just my conclusion and testing, very clever way to use comments.
almost forgot the first thing to notice is the use of short tags(<?) that they use, on my personal server I have short tags disabled, I had learned that it should be disabled for security purposes, I don’t know if this holds true today. but the reason they use it is it helps hide it as a comment adding php to it (<?php),makes it show up as php code not a comment, now its starting to unravel………
eval — Evaluate a string as PHP code
very simple right, they need something to run there code, eval does this trick, you can even add html to the string. just another peice of the pie.
base64_decode – it decodes base64 code, now what is base64? It was originally for email to send binary data in emails, and other uses like binary data in urls and other variables but newest use is hiding php code in a long string, the string was 2692 characters long. So what did that string have in it.
Continue reading → Post ID 357