Skip to main content

How to prevent base 64 encode attack

If you look in the source code of your PHP files and see that there is a call to eval and base 64 decode that you didn't put there, then your site has been hacked. When this happens, usually there are no records of anyone FTPing or SSHing to your site, leaving you scratching your head as to how in the world this hacker got that code into your site.

How did it get there?

I'm not entirely sure of the vulnerability that lets this hack in, but I do know that after being repeatedly hit with it for several weeks, I managed to stop it entirely after I updated my PHP configuration to forbid the fopen and file_get_contents functions from opening off-site URLs.

This seems to suggest that there was code somewhere on my site that was allowing a malicious user's script to execute on my server, which was able to then write the eval base 64 decode function calls into all of my PHP files. Since I have seen this happen to Wordpress users, it looks like Wordpress has the vulnerability in it somewhere.

How do I stop it?

First, add the following lines to your php.ini file. Check with your hosting provider to find out if and how you can edit your php.ini file.

allow_url_fopen = off
allow_url_include = off
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

Once you've done this, REMOVE ALL INSTANCES OF THE MALICIOUS CODE FROM YOUR SITE. This attack tends to add the bad code to every PHP file on your site, so you might want to run a script to remove all occurrences of it. The bad code can still work even if you add those lines to your php.ini file, so it is imperative that you get rid of all of it as soon as possible.

If you use fopen or file_get_contents on your site, they might stop working after you make this change. If your web host has the CURL module installed with PHP, then you can use that to load off-site URLs.

The above changes will disable the functions that make PHP the most vulnerable. However, if your site depends on any of them, you will have to either find a different way to do it, or to enable the functions that you need.

Above all, NEVER use a variable in a call to a function like fopen or file get contents. Look for any places in your code where a malicious user could inject malicious code. Read more about how to prevent cross-site scripting (XSS) attacks.

What does it do?

The eval base 64 decode code is actually a PHP or JavaScript function call, encoded in base 64. The eval function runs the decoded text. In this way, the hacker can run any PHP function that he or she wants to. Usually, this is used to put malware onto your site. Whenever you see Google warn you that a site has malware on it, it might be because an otherwise good site has been hit with this hack.

Get help with games!
Pokémon Sun and Moon Zero Escape: Zero Time Dilemma Yo-Kai Watch Animal Crossing: Happy Home Designer Fire Emblem Fates Story of Seasons Pokémon Omega Ruby and Alpha Sapphire Disco Zoo The Legend of Zelda: A Link Between Worlds Pokémon X and Y Animal Crossing: New Leaf Nimble Quest Zero Escape: Virtue's Last Reward Pokémon Black 2 and White 2 Pocket Planes The Legend of Zelda: Skyward Sword Professor Layton's London Life Tiny Tower Pokédex 3D Guide Portal 2 Find Mii 3DS Walkthrough Nintendogs + Cats Guide Super Scribblenauts Walkthrough Pokémon Black and White Walkthrough Pocket Frogs Guide Zero Escape Nine Hours, Nine Persons, Nine Doors Walkthrough The Legend of Zelda: Spirit Tracks Walkthrough Animal Crossing: Wild World Guide Pokémon HeartGold and SoulSilver Walkthrough Dragon Quest IX The Sims 3 Guide Final Fantasy Tactics A2: Grimoire of the Rift Portal Walkthrough Contact for Nintendo DS Walkthrough White Chamber Walkthrough The Legend of Zelda: The Minish Cap Walkthrough Blue Chamber Walkthrough Crimson Room Walkthrough Viridian Room Walkthrough EVE Online Guide Final Fantasy Tactics Advance Walkthrough The Legend of Zelda: The Wind Waker Walkthrough Pokémon Ruby, Sapphire, Emerald Metroid Fusion Walkthrough The Legend of Zelda: Oracle of Seasons The Legend of Zelda: Oracle of Ages The Legend of Zelda: Majora's Mask The Legend of Zelda: Ocarina of Time Walkthrough Dink Smallwood Pokémon Tales of Phantasia Walkthrough Terranigma Chrono Trigger EarthBound Walkthrough QR Code Tutorial Final Fantasy 3/6 Walkthrough Illusion of Gaia Secret of Mana Walkthrough The Legend of Zelda: Link's Awakening DX Soul Blazer Walkthrough The Legend of Zelda: A Link to the Past Walkthrough Battle of Olympus Maniac Mansion (NES) Castlevania II: Simon's Quest Zelda II: The Adventure of Link Walkthrough Picross Tutorial The Legend of Zelda Sudoku Chess