How to remove base64 encrypted code from your website

March 29, 2012

WordPress or other PHP CMS based website hacked?


It happens to the best of us, and sometimes it has nothing to do with the level of security you have tried to impose on your website, such as coming up with crazy long passwords that no person or machine would guess. Sometimes it is beyond your control. I host several sites on Dreamhost, and their servers were hacked. The hackers were able to gain access to the database server. On January 20th Dreamhost admitted there had been a breach, but they weren't divulging specifics. Link to the TechCrunch story: DreamHost Hacked, Password Changes Made Mandatory.

So what happens if you have been the victim of such a hack? Well, if you're like me, you had sites that were redirecting to other websites when visitors requested your page or URL. Not cool. Totally sucks, right? Ok, so you've been hacked... now what? Depending on what kind of hack you have, it could be a simple resolution or a complete pain in the ass to resolve. This post is focused on what I have done to fix hacks that redirect visitors because of injected "base64 encrypted" code. Strictly speaking base64 is encoding, not encryption: anyone can decode it, which is exactly why the attacker has to wrap it in eval(base64_decode(...)) to make PHP run it. To resolve it we need to take a look at the files in your website.

This how-to is going to make a couple of assumptions:

1) You have a shell connection to your server

2) Your website is running on a Linux web server

3) You have some familiarity with using an SSH or shell connection from a terminal, PuTTY, etc.

Ok, so what are we looking for? Once logged into your site, open index.php or any ".php" file and see whether it contains something like this: a single, very long line beginning with <?php eval(base64_decode(" followed by a wall of letters, digits, + and / characters, ending in ")); ?>. It usually sits at the very top of the file, sometimes spliced onto the same line as your own opening <?php tag.

[screenshot: a PHP file whose first line is eval(base64_decode("...")) followed by hundreds of characters of base64 text]

Looks pretty nasty, right? Well, that's because it is. So let's get to it. The first thing I recommend is: BACK YOUR SH*T UP. Ok, now that we have that clear, let's move forward. Linux has some pretty amazing tools in its tool set to do some pretty powerful stuff. We are going to use the "find" and "sed" commands. find walks a directory tree and hands every file matching your criteria (here: regular files whose name ends in .php) to another command; sed reads each of those files line by line and applies an edit to every line that matches a pattern (here: delete it, with -i meaning "edit the file in place"). Combined, they give you a powerful "find & replace" across an entire site. Once you have successfully backed your data up, drop to a shell on your server, cd into the directory where your website lives, and run this command:

find . -name "*.php" -type f -exec sed -i '/eval(base64_decode(/d' {} \;


That should do it, but check three things before you call it done. First, the "d" command deletes every whole line that contains eval(base64_decode(, so if the injected code was pasted onto the same line as your legitimate opening <?php tag, that tag is gone too; diff each changed file against your backup and restore any such line by hand. Second, the pattern only matches that exact string, so grep your files again for other eval( loaders (for example ones wrapped in gzinflate or str_rot13) and review whatever it finds. Third, removing the payload does not close the door it came through: change your passwords (Dreamhost made this mandatory after the breach) and re-check the files a few days later to make sure the code hasn't come back. Also note that sed -i with no suffix is GNU sed syntax; on BSD/Mac sed you need -i '' instead. Then enjoy, drink beer... profit. Put questions down in the comments.
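Here is an added example, not from the original post, of a less destructive version of the same find-and-sed cleanup. It strips only the injected eval(base64_decode(...)); statement (and its <?php ... ?> wrapper when there is one) instead of deleting the whole line, keeps a .bak copy of every file it touches, and reports files that still contain an eval() loader it does not know how to fix. The webroot layout, file names and the short base64 string are constructed fixtures, and naive_clean is the post's one-liner kept alongside so the two behaviours can be compared on the same files. It assumes a sed that accepts -E and -i.bak and a grep that accepts --include (both GNU and BSD do).

```shell
#!/bin/sh
# Added example (not the original post's script): a safer version of the
# find + sed cleanup that removes only the injected statement, keeps a
# backup of each edited file, and flags what it could not handle.
set -eu

MARKER='eval(base64_decode('

# List PHP files that contain the marker, without modifying anything.
find_injected() {            # usage: find_injected WEBROOT
    grep -rlF --include='*.php' "$MARKER" "$1" 2>/dev/null || true
}

# Strip the injected statement in place, keeping FILE.bak.
# Pass 1 removes a whole "<?php eval(base64_decode(...)); ?>" wrapper.
# Pass 2 removes a bare "eval(base64_decode(...));" that was spliced into
# existing PHP code, leaving the code around it intact.
clean_file() {               # usage: clean_file FILE
    sed -E -i.bak \
        -e 's/<\?php[[:space:]]*eval\(base64_decode\([^)]*\)\);[[:space:]]*\?>//g' \
        -e 's/eval\(base64_decode\([^)]*\)\);//g' \
        "$1"
}

# Files that still contain an eval() loader of any common flavour; these
# are printed for manual review rather than edited automatically.
leftover_suspects() {        # usage: leftover_suspects WEBROOT
    grep -rlE --include='*.php' \
        'eval\((gzinflate|gzuncompress|str_rot13|base64_decode)\(' "$1" 2>/dev/null || true
}

# The post's one-liner, for comparison: "d" drops the WHOLE matching line,
# so any legitimate code sharing that line (often the opening <?php tag)
# disappears together with the payload.
naive_clean() {              # usage: naive_clean WEBROOT
    find "$1" -name '*.php' -type f -exec sed -i.bak '/eval(base64_decode(/d' {} \;
}

# Constructed fixture: a tiny fake webroot with the shapes of injection
# the post describes. "ZWNobyAnaGknOw==" is just base64 for  echo 'hi';
make_fixture() {             # usage: make_fixture DIR
    mkdir -p "$1/wp-content"
    # payload spliced onto the same line as the real opening tag
    printf '%s\n' \
        "<?php eval(base64_decode(\"ZWNobyAnaGknOw==\")); ?><?php define('WP_USE_THEMES', true);" \
        "require('./wp-blog-header.php');" > "$1/index.php"
    # payload on its own line above the real code
    printf '%s\n' "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>" "" \
        "<?php get_header(); ?>" > "$1/wp-content/footer.php"
    # untouched file, must come through unchanged
    printf '%s\n' "<?php echo 'clean'; ?>" > "$1/wp-content/clean.php"
    # a loader the simple pattern does not cover; should be flagged, not edited
    printf '%s\n' "<?php eval(gzinflate(base64_decode('eJwDAAAAAAE='))); ?>" \
        > "$1/wp-content/nested.php"
}

# Run the careful cleanup over WEBROOT. Prints what it found and what is
# left to review; the last line printed is the count of leftover files.
cleanup_webroot() {          # usage: cleanup_webroot WEBROOT
    root=$1
    echo "== files containing $MARKER:"
    find_injected "$root"
    find_injected "$root" | while read -r f; do clean_file "$f"; done
    echo "== still suspicious, review by hand:"
    leftover_suspects "$root"
    leftover_suspects "$root" | wc -l | tr -d ' '
}

# Demo on the constructed fixture:  sh clean.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_fixture "$demo"
    cleanup_webroot "$demo"
    echo "== index.php after cleanup:"
    cat "$demo/index.php"
fi
```

On the fixture, the careful version leaves index.php starting with its real <?php define(...) line and footer.php with an empty line where the wrapper stood, while naive_clean throws away the whole first line of index.php and leaves a file with no opening tag at all. nested.php is never edited; it shows up in the "review by hand" list because the pattern does not cover nested decoders. Either way, cleaning the files is only the cleanup half of the job; the credentials and the hole that let the attacker write to them still need fixing.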


josh


I'm Josh, a principal founder @ Run Level Media , a web dev and internet strategy consulting firm in Atlanta, GA. I enjoy anything web, mobile, tech, gaming, golf and craft beers. I look forward to connecting with you.
