Skip to main content

How to quickly fix a base64-infected website

Base64 attacks are becoming more and more common these days. They involve exploiting a PHP vulnerability on a website and injecting malicious, base64-obfuscated code. The main targets
of such attacks are poorly coded plugins that feature security holes.
The encoded code is decoded when the infected .php file is loaded and the actual attack is carried out. A popular attack is to forward a website to another page, which grants the attacker an affiliate
bonus.
Here is an example of what a base64 hack looks like in a .php file:
eval(base64_decode
("dGhpcyBpcyBhIHRlc3Q=")); – this code will output "this is a test" when decoded.
A regular base64 code snippet will be significantly longer.
On our web hosting platform, there are several ways to deal with such hacks:

Restore a backup
With our cloud hosting accounts, we offer multiple daily backups, so anyone can easily revert to a previous version of a website with just a click. And we keep backups for up to 30 days.

Here is how to choose the correct backup:
– Log into the Hepsia Control Panel and navigate to the File Manager section;
– Head to the folder pertaining to the hacked website;
– Sort the files by modified date;
This way, anyone can see when the files were last updated. When there
are multiple .php files that were updated 10 days ago, simply load an earlier backup with clean versions of those files.
If there are problems restoring a backup, our support team reps will be happy to assist.

Clean the files manually
To clean the files by hand, simply
download them to a computer and clean them using a text editor. The Windows/OSXcompatibleSublimeText or the
Windows-compatible Notepad++, both of which are available for free, will do a great job.

Once the files are downloaded, load them in the text editor and search for any base64 code. To see if there is any base64 code on the website, use the following search term:
eval(base64_decode.
Once you discover an instance, copy the actual code snippet and search again.
Simply replace the code with an empty space to get rid of it. If there are still any other base64 instances, repeat the procedure until non are left.

Regular expressions can also be used to target base64 code on the website. Again, simply replace the regex matches with an empty space to clear them from the pages.

Here is a sample regex search term: /eval\(base64_decode\((.*)\)\);/i

Keep in mind that this type of search with target all base64 instances. This means that if any plugin or element of the site is
using base64 encoding as well, it will also be removed.

Clean the files over SSH
When using terminal access, all infected files can be cleaned with just a few commands over SSH. If SSH access is not enabled for the account, it can be done with a request in the Upgrades section
of the Hepsia Control Panel.

The first thing that needs to be done is to get a sample of the infected base64 code.

Use this as a reference for cleaning all infected files.
See which files are infected by using the following command:
$ find . -type f | xargs grep
"dGhpcyBpcyBhIHRlc3Q="

This command will search for all files in the current folder that contain the following string:
"dGhpcyBpcyBhIHRlc3Q=".
Here is how the output of that command will look like:
./themes/default/single.php:<?php
eval(base64_decode
("dGhpcyBpcyBhIHRlc3Q=));
./themes/default/search.php:<?php
eval(base64_decode
("dGhpcyBpcyBhIHRlc3Q="));


This will list all the infected files in the current folder and its subfolders. Once the list is ready, it's time to eliminate the code.

We'll use the sed program and our
function will look like this:
find . -name "*.php" -print | xargs
sed -i 's@eval(base64_decode
("dGhpcyBpcyBhIHRlc3Q="));@@g'
Use the search function one more time to make sure that all the files are now clean.
If the search returns no results, the
website has been cleaned.

Preventing base64 attacks
As we've noted, a base64 hack will target a vulnerability in the code. So the best course of action is to always keep apps and plugins updated to the latest versions
available. A good rule of thumb is to only download plugins that are actually needed. If a plugin is not used anymore – remove it from the application.

Also, when downloading new plugins, always keep track of the number of downloads and the update dates. If the last update is more than one year old, the plugin in question may be susceptible to
an attack.

---------
At josidelhosting.com we take care of not just you but your site, cause you having a happy clients is you being happy with us. At discount code for all services; OJAJ
Josidel Hosting

Comments

Post a Comment

Popular posts from this blog

Google Authenticator, a formidable layer of protection to your account.

​Google Authenticator is a free security app that can protect your accounts against password theft. It's easy to set up and can be used in a process called two-factor authentication (2FA) offered on popular social media services like Gmail, Facebook, Twitter, Instagram, etc.  The app ( iOS / Android ) generates a random code used to verify your identity when you're logging into various services. The code can technically be sent to your phone via text message every time— but the Google Authenticator app provides an extra level of security.  SMS-based 2FA has a  known security flaw , and any devoted hacker can attempt to  socially engineer  an attack against your phone company. The Google Authenticator app eliminates the possibility of an SMS-based attack  using algorithms  to generate the codes on your phone. Here's how to set it up: 1. Download Google Authenticator from either the Apple App Store or the Android Google Play store. It's free. 2. Nex...
Post a Comment
Read more

Floyd Mayweather Baby Mama Sues for $20 Mil ... He's a Despicable Liar

Floyd Mayweather could lose tens of millions of dollars from his big payday if his baby mama gets her way ... because she's just filed a lawsuit claiming he ruined her with lies to save his own ass. Josie Harris, who has 3 kids with Floyd, claims he lied through his teeth in an interview with Katie Couric just 2 weeks before the big fight ... when he claimed Josie was in a drug-fueled rage and he had to "restrain" her during their infamous 2010 domestic violence incident. Point of fact ... Floyd was convicted of domestic violence and spent two months in jail. Josie recounts her terror in the lawsuit, explaining how she and Floyd had broken up ... but he flew into a jealous rage that night, broke into her home and viciously attacked her while she was sleeping on her couch ... and her kids saw part of the beating. Harris says she is now labeled a drug addict thanks to Mayweather's lies -- and was embarrassed and humiliated on a global scale.   Her lawyer, Dan Friedl...
Post a Comment
Read more

Google, harder to search for results from other countries

For a long time, there was an easy way to conduct a Google search in a country other than the one you’re in. If you wanted to get results specific to Japan, for instance, you would visit www.google.co.jp; to get Australian results you would visit www.google.com.au — but this trick no longer works. Google has announced that it will now always serve up results that are relevant to the country that you’re in, regardless of the country code top level domain names (ccTLD) you use. The reason given is a little bizarre. The search giant says that the change has been introduced because of the way people are using the search engine these days. It says: “around one in five searches on Google is related to location, so providing locally relevant search results is an essential part of serving you the most accurate information.” The argument seems counterintuitive, however. Anyone who has changed the ccTLD has done so consciously, and for a reason — for Google to override this decision is strange...
Post a Comment
Read more