Another way to decode and inspect such data is to use utilities like: http://www.motobit.com/util/base64-decoder-encoder.asp By the way, never saw before this kind of sloppy irritating malicious "obfuscation" =). Does your server allow execution of the "eval" function? I consider this a security breach especially if your apache user is not correctly "sandboxed". I wonder if there is a way to disable execution of this method on shared servers. AFAIK there is a way, I just can't remember how to do it. Cheers. -----Mensagem original----- De: John Taylor-Johnston [mailto:John.Taylor-Johnston@xxxxxxxxxxxxxxxxxxxxx] Enviada em: terça-feira, 2 de outubro de 2012 14:46 Para: Rodrigo Silva dos Santos Cc: PHP-General Assunto: Re: {ATTENTION} Re: [PHP] base64_decode Interesting. Thanks. It was a footer.php in a webpress theme. I was wondering if it was a portal someone was using to get onto my server. I changted ftp passwords and begun using sftp, but phishing code is still leaking onto my sites. My wordpress copies are up to date and DreamHost has no real answers as to how someone is uploading and expanding *.tar.gz files. Thanks, john Rodrigo Silva dos Santos wrote: > > > Hello John. > > This code generates the following html: > > > ?> </div> > <div id="footer"><a href=*MailScanner has detected a possible fraud > attempt from "web-hosting-click.com" claiming to be* > "http://web-hosting-click.com/"; title="Web hosting">Web hosting</a> > <!-- 27 queries. 0.561 seconds. --> > </div> > <?php wp_footer(); ?> > </body> > </html> <? > > Appears that is nothing dangerous, only "unauthorized advertising". > > > > > Em 02-10-2012 14:27, John Taylor-Johnston escreveu: >> Without anyone infecting their machines, can someone tell me what >> this is? I found a phishing site on my DreamHost server. DreamHost >> has been very helpful. >> We found a file containing this code. >> What is it? What does it contain? >> >> <?php >> eval(base64_decode('Pz4gPC9kaXY+DQo8ZGl2IGlkPSJmb290ZXIiPjxhIGhyZWY9I >> mh0dHA6Ly93ZWItaG9zdGluZy1jbGljay5jb20vIiB0aXRsZT0iV2ViIGhvc3RpbmciPl >> dlYiBob3N0aW5nPC9hPg0KPCEtLSAyNyBxdWVyaWVzLiAwLjU2MSBzZWNvbmRzLiAtLT4 >> NCjwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+IDw/ >> '));?> >> > -- John Taylor-Johnston Département de Langues modernes Cégep de Sherbrooke, Sherbrooke, Québec http://cegepsherbrooke.qc.ca/~languesmodernes/ http://cegepsherbrooke.qc.ca/~languesmodernes/wiki/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
