Website attacks are becoming more and more common these days, and base64 attacks are among the most frequent. They exploit a PHP vulnerability within a website to inject malicious, base64-encoded code. The usual targets of such attacks are out-of-date, poorly coded, or nulled plugins. With that said, if you’ve found that your website suddenly redirects to a new page, or displays something you definitely didn’t put on it, this should help you figure out and fix what’s going on.
The encoded code is decoded when the infected .php file is loaded, and that is when the actual attack is carried out. A popular payload forwards the website to another page, which usually earns the attacker an affiliate bonus or increased page views. Here is an example of what a base64 hack looks like in a .php file:
eval(base64_decode("dGhpcyBpcyBhIHRlc3Q="));
The base64 string above decodes to “this is a test”; a real injected snippet will be significantly longer. So on to the real question: how do you fix your website if it has been infected by a base64 hack? You have a few options here.
Restore a Backup
Assuming you’ve followed the age-old rule of keeping your own website backups, you can simply restore an older version of the affected files. To determine which files to replace, use the built-in file manager included with most hosting control panels these days (such as cPanel and Hepsia) and sort by the most recently modified files. Some FTP programs, like FileZilla, will show you this as well.
Furthermore, most hosting providers keep some sort of backup as well. You can always put in a support request with your hosting company and ask them to restore a website backup.
Clean the Files Manually
To clean the files by hand, download them to a computer and clean them using a text editor. Sublime Text, Adobe Brackets or Notepad++, all of which are available for free, will do a great job here.
Once the files are downloaded, load them in the text editor and search for any base64 code. To see whether there is any base64 code on the website, use the following search term:
eval(base64_decode
Once you discover an instance, copy the actual code snippet and search for it again. Replace the code with an empty string to get rid of it. If there are still other base64 instances, repeat the procedure until none are left.
Regular expressions can also be used to target base64 code on the website. Again, replace the regex matches with an empty string to clear them from the pages. Here is a sample regex search term (the non-greedy .*? keeps one match from running on into a second call on the same line):
/eval\(base64_decode\((.*?)\)\);/i
Keep in mind that this search will match every eval(base64_decode(...)) call on the site, not only the injected ones. If a plugin or element of the site legitimately uses that construct, it will be removed as well, so review each match before deleting it.
Clean the Files via SSH
When using terminal access, all infected files can be cleaned with just a few commands over SSH, assuming SSH access is enabled by your hosting provider. The first thing you’ll need is a sample of the injected base64 string. Use this sample as a reference for finding and cleaning all other infected files.
To see which files are infected, use the following command:
$ find . -type f | xargs grep "dGhpcyBpcyBhIHRlc3Q="
This command searches every file in the current folder and its sub-folders for the string “dGhpcyBpcyBhIHRlc3Q=” and prints each infected file together with the matching line. Here is what the output of that command looks like:
./themes/default/single.php:
Once the list is ready, it’s time to eliminate the code. We’ll use the sed program for this; the command looks like this:
find . -name "*.php" -print | xargs sed -i 's@eval(base64_decode("dGhpcyBpcyBhIHRlc3Q="));@@g'
Use the search command one more time to make sure that all the files are now clean. If the search returns no results, the website has been cleaned.
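As an added example (not code from the original post), here is a Python script that does in one place what the regex search above and the grep/sed procedure in this section do by hand: it locates each eval(base64_decode()) call, decodes the payload so you can review what was injected before deleting it, strips the calls without touching legitimate base64_decode() uses, and keeps a .bak copy of every file it changes. The sample PHP content is constructed for the demonstration.

```python
import base64
import binascii
import re
from pathlib import Path

# Matches eval(base64_decode("...")); with either quote style. The payload class
# stops at the quote, so two calls on one line are not swallowed together by .*
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)

# Constructed sample of an infected theme file (not from any real site).
SAMPLE_PHP = """<?php
eval(base64_decode("dGhpcyBpcyBhIHRlc3Q="));
get_header();
$legit = base64_decode("aGVsbG8=");  // legitimate use, must survive cleaning
?>"""

def decode_payload(b64: str) -> str:
    """Decode a payload so it can be reviewed; flag strings that are not base64."""
    try:
        raw = base64.b64decode("".join(b64.split()), validate=True)
        return raw.decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<not valid base64>"

def find_injections(php_source: str) -> list:
    """Return (line_number, decoded_payload) for each eval(base64_decode()) call."""
    hits = []
    for m in INJECTION_RE.finditer(php_source):
        line = php_source.count("\n", 0, m.start()) + 1
        hits.append((line, decode_payload(m.group(2))))
    return hits

def strip_injections(php_source: str) -> tuple:
    """Remove the injected calls; return (cleaned_source, removed_count)."""
    return INJECTION_RE.subn("", php_source)

def clean_tree(root: str) -> dict:
    """Clean every .php file under root in place, keeping a .bak copy; {path: count}."""
    report = {}
    for path in Path(root).rglob("*.php"):
        original = path.read_text(errors="replace")
        cleaned, count = strip_injections(original)
        if count:
            path.with_name(path.name + ".bak").write_text(original)
            path.write_text(cleaned)
            report[str(path)] = count
    return report
```

Run find_injections() over a suspect file first and read the decoded payloads; only then run clean_tree() on the site root, and re-run the grep from above afterwards to confirm nothing was missed.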
Preventing base64 Attacks
As noted above, a base64 hack targets a vulnerability in the code, so the best course of action is to always keep apps and plugins updated to the latest versions available. A good rule of thumb is to only install plugins that are actually needed. If a plugin is no longer used, remove it from the application.
Also, when downloading new plugins, always check the number of downloads and the update dates. If the last update is more than one year old, the plugin in question may be susceptible to attack.
I think most internet users are well aware of the threats that come with using the internet, but we might actually forget about the possibility of threats against our website when doing something as simple as installing plugins. Sure, it could just be a redirect to another annoying website (not that that isn’t bad), but obviously it can also be a lot more serious. I certainly am aware, but I can also be quite cavalier when it comes to the actual threat of an attack on my work. This is some great information about exactly how the attacks can occur, what they can do, as well as some wonderful fixes and prevention tips. Thanks for the great post 🙂