Sucuri Labs

Do you still look for base64_decode?

A common keyword that people use to find hidden injections on web sites is base64_decode. Youoften see injections that look like eval ( base64_decode or eval ( gzinflate ( base64_decode beingused by the attackers.

So most web security tools have some signatures to look for it (specially on WordPress).

Well, the attackers do know about it as well and we are starting to see some interesting variations for it. Forexample, instead of injecting base64_decode, they are injecting as a variable:

$g___g_='base'.(32*2).'_de'.'code';

And instead of calling out base64_decode directly, they are using base + 32*2 + decode. A simple trick that allows them to bypass many security filters.

Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags

Labs Note

Sucuri_encrypted: Magento Malware

Denis Sinegubko
October 17, 2019

In an effort to make malicious code appear to be credible, hackers commonly piggyback on the names of reputable, well-known companies and services. Typical examples…

Read the Post

Fake Cloudflare Injection

Fioravante Souza
August 8, 2018

Seeing malicious campaigns using domain names that resemble big market players is not news anymore. This time I\’ll talk about the new redirects of cloudflare.pw.****…

Read the Post

Phishing & Malspam with Leaf PHPMailer

Luke Leal
January 26, 2021

It’s common knowledge that attackers often use email as a delivery mechanism for their malicious activity — which can range from enticing victims to click…

Read the Post

.user.ini SPAM SEO Redirect

John Castro
February 17, 2017

Since PHP 5.3.0, PHP includes support for configuration INI files on a per-directory basis that has the same effect (depending on the case) that the…

Read the Post

Defunct Malware Can Cause Problems Too

Harshad Mane
April 18, 2019

Recently our incident response analyst Harshad Mane worked on a site that redirected users to a third-party malicious site whenever they logged into the WordPress…

Read the Post

Sucuri Labs

Backdoor abusing of PHP tricks

Fernando Barbosa
October 24, 2016

During an incident response process, we found a very interesting malicious code abusing some PHP tricks. Attackers placed the malware at the end of a…

Read the Post

Sucuri Labs

Hidden iframe Injected into WordPress core file

Krasimir Konov
December 6, 2016

Injecting malware into core files of CMS installations is one of the techniques attackers use. From the user’s perspective, it is easier to detect and…

Read the Post

How Some OTP Systems Can Be Used to Prank Spam

Luke Leal
July 25, 2018

I recently came across an interesting index.php file and its corresponding directory on a compromised website. I loaded it in a testing environment and immediately…

Read the Post

When Online Shopping leads to Malware download

Ahmad Azizan Idris
August 28, 2017

Recently, during an incident response process, we worked on an interesting Magento website. This site was reported to having a strange redirection when users visited…

Read the Post

Sucuri Labs

Unwanted Sex Toys Advertisement

Eugene Wozniak
November 8, 2016

Recently, during an incident response process, we have found an advertisement floating banner on specific pages of an html-based website. Despite what people think, these…

Read the Post

Related Tags

Related Categories

You May Also Like