Base64 code – is it always a concern?

Lins
(@lins)

13 years, 3 months ago

Hi there!

Is base64 code always a concern when found in files?

I’m asking because the plugin Exploit Scanner found it in several plugin files & in the wp-includes-class-wp-atom-server.php file.

Plugins include
Google Analytics for WordPress
WP SuperCache
Wp-Meetup

My thinking is that I should re-install fresh copies of the plugins & a fresh WP-includes folder. Or do I only need the one file wp-atom-server.php?

Or is it sometimes a false positive, and sometimes supposed to be there?

Same with the “eval” code — this also shows up in several of the plugins. Is that necessarily bad & the plugins should be re-installed?

Would be very grateful for someone more experienced to confirm or call me out… Want to clean it up, just don’t want to break this site.

Thank you!

Viewing 5 replies - 1 through 5 (of 5 total)

WPyogi
(@wpyogi)

13 years, 3 months ago

You actually need to go through all of these:

http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked
http://ww.wp.xz.cn/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Which plugins and where did they come from?

Thread Starter Lins
(@lins)

13 years, 3 months ago

The plugins include
Plugins include
Google Analytics for WordPress
WP SuperCache
Wp-Meetup
and the client installed SmartS3 Video Plugin which isn’t from ww.wp.xz.cn.

The article on backdoors concerns me, as I’m not a programmer. If I reinstall a fresh copy of wordpress 3.5.1 and a fresh install of all the plugins, how do I test further?

Thanks for your help.

WPyogi
(@wpyogi)

13 years, 3 months ago

I’m really not at all an expert on that kind of thing. You should probably check with your hosting company because site hacks can be via a server hack. Check on your theme too – is it from a reputable source?

If you need expert help, Securi is supposed to be very good.

Thread Starter Lins
(@lins)

13 years, 3 months ago

Thanks WPyogi.

In the Ottopress article it says
“Base64_decode (and the similar uudecode) are the main way to find malicious code used today. There’s almost never a good reason to use them. Note the “almost” there, many plugins (notably the venerable Google Sitemap Generator) use base64_decode in legitimate ways. So it’s not exactly a smoking gun, but it is highly questionable for some randomly named file lying around to have that inside it.”

I was wondering if it could be legit, but there is a lot of the Base64 code showing up across several different files. Then, the free Securi scan as well as several other free online scans show this website as being “clean,” so somehow they’re either missing the code or I am over-reacting.

Anyways… better safe than sorry I suppose. Thanks for your assistance.

WPyogi
(@wpyogi)

13 years, 3 months ago

Yeah, it’s hard to know for sure. But as Otto’s article also says, the bad guys do a good job at hiding malicious code. I’d opt for the safe than sorry approach too :). But maybe do some looking into Google Analytics — see if you find anything relevant.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Base64 code – is it always a concern?’ is closed to new replies.

Base64 code – is it always a concern?

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics