Sucuri Labs

Do you still look for base64_decode?

A common keyword that people use to find hidden injections on web sites is base64_decode. Youoften see injections that look like eval ( base64_decode or eval ( gzinflate ( base64_decode beingused by the attackers.

So most web security tools have some signatures to look for it (specially on WordPress).

Well, the attackers do know about it as well and we are starting to see some interesting variations for it. Forexample, instead of injecting base64_decode, they are injecting as a variable:

$g___g_='base'.(32*2).'_de'.'code';

And instead of calling out base64_decode directly, they are using base + 32*2 + decode. A simple trick that allows them to bypass many security filters.

Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags

Labs Note

Backdooring sites using exotic php functions

John Castro
February 16, 2017

Throughout the last few months, we published multiple articles about simple but powerful backdoors and how attackers get creative. Virtually in all cases, the code…

Read the Post

Hiding a Hacktool Using a .jpg Extension

Gabriel Barbosa
June 17, 2019

Hackers will do anything to hide their intentions behind the files they upload to compromised websites. This time, we’ve found a hacktool hidden inside a…

Read the Post

Sucuri Labs

Magento Login and Credentials Stealer

Krasimir Konov
December 13, 2016

Lately we’ve been dealing with an increase in attacks against ecommerce platforms. Attackers usually choose this type of solution (like Magento & others) because of…

Read the Post

Tricky malvertising injections

Abdelli Nassereddine
May 10, 2017

When a website is compromised, one of the most interesting and challenging tasks we perform is identifying all malware to prevent attackers from regaining access…

Read the Post

Hackers Are Just as Vulnerable as You

Luke Leal
June 15, 2018

I came across some interesting defacement pages recently and noticed a peculiar JavaScript injection included within each source code of the defaced websites. As shown…

Read the Post

Sucuri Labs

Out-of-Site Drupal Malware

Cesar Anjos
July 13, 2016

We recently wrote about a Drupal black-hat SEO hack that among other things redirected users coming from Google to botscache[.]com site. It hijacked the bootstrapping…

Read the Post

Sucuri Labs

Secondtds.mooo[.]com .htaccess redirects

Krasimir Konov
September 2, 2015

We are finding many sites infected with malicious redirects inside the .htaccess file, to secondtds.mooo[.]com/go.php?sid=3. That domain is a TDS (traffic controller) which redirects visitors…

Read the Post

Google Analytics Swiper Disguised as Legitimate Traffic

Denis Sinegubko
July 23, 2019

At first glance, this short script looks like benign Google Analytics code: <script type=”text/javascript”> (function() { var ga = document.createElement(‘script’); ga.type = ‘text/javascript’; ga.async =…

Read the Post

Evasive Maneuvers in Data Stealing Gateways

Cesar Anjos
November 17, 2020

We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, such as different malware…

Read the Post

B374k Web Shell Packer

Luke Leal
May 13, 2020

PHP web shells are a type of backdoor which, when left on compromised websites, allow attackers to maintain unauthorized access after initial compromise. To further…

Read the Post

Related Tags

Related Categories

You May Also Like