Find all files modified within 30 days and then parsed that for base64 decodes (used to encrypt/hide coding)

If your site is hacked, check for edited files. Find all files modified within the last 30 days, then search them for base64_decode() calls (used to hide or obfuscate injected code).

Find the code itself

# cd /home/domain/public_html
# find . -type f -ctime -30 -iname "*.php" -exec grep "base64_decode" {} \;

Results

# find . -type f -ctime -30 -iname "*.php" -exec grep "base64_decode" {} \;
        $buf .= base64_decode($util->GetRandom($bytes, 0));
                                $data = base64_decode($data);
                        $data = base64_decode( $data );
                        $data = base64_decode($data);
                $value = base64_decode($this->_currentTagContents);
                $challenge = base64_decode(substr($this->last_reply, 4));
                $decoded = base64_decode( $value['encoded_serialized_instance'], true );
                                        $flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));
                                        $data = base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']);
    $decoded_sig = base64_decode($signature);
        $uncompressed =$this->_uncompress(base64_decode(strtr($compressed, '-_', '+/')));
                        return base64_decode($value);
                        return base64_decode($value);
                $this->_accountKey = base64_decode($accountKey);
                $this->_accountKey = base64_decode($value);
                                        base64_decode((string)$xmlMessages[$i]->MessageText)
            return base64_decode($sessionRecord->serializedData);
        $incomingSignature = base64_decode($message->get('Signature'));
            if (base64_decode($token,true)){
                $decoded_token = base64_decode($token,true);
            $raw_data = base64_decode($data);
    return base64_decode($b64);
                $challenge = base64_decode($challenge);
                $challenge = base64_decode(substr($this->last_reply, 4));
    return base64_decode($b64);
eval(base64_decode('TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz'.
                $expected_raw_md5 = base64_decode( $expected_md5 );

As we can see, the listing includes an excerpt of the base64 blob (the eval(base64_decode('TWFu... line). Now let's find the file. To locate the base64 code, copy a short piece of the base64 string and run:

# find . -type f -ctime -30 -iname "*.php" -exec grep -l "TWFuIGlzIGR" {} \;
./basecode.php

where the string passed to grep is a short fragment of the base64 blob.

The first command finds the suspicious code itself. The second finds the file that contains it.
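The two steps above wrapped into reusable shell functions, as an added example that is not part of the original post; the function names and the constructed sample tree are assumptions, and the search is narrowed to eval(base64_decode(...)), which is a much stronger signal than base64_decode() alone (the results listing shows how often legitimate libraries use it).

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers that wrap the
# find/grep steps above, plus a constructed sample tree to run them on.

# Step 1: PHP files changed in the last N days that eval() a base64 blob.
# Note: -ctime selects on inode change time, not mtime, so it still catches
# a file whose modification time was reset with touch.
scan_recent_php() {
    root="$1"
    days="${2:-30}"
    find "$root" -type f -ctime "-$days" -iname '*.php' \
        -exec grep -lE 'eval[[:space:]]*\([[:space:]]*base64_decode' {} +
}

# Step 2: given a fragment of the blob, find the file(s) containing it.
# -F treats the fragment literally, so base64 characters are not parsed
# as a regular expression.
locate_blob() {
    root="$1"
    fragment="$2"
    find "$root" -type f -iname '*.php' -exec grep -lF "$fragment" {} +
}

# Constructed sample tree (hypothetical files): one benign decode as seen in
# real libraries, and one eval'd blob. The blob is the harmless text fragment
# the post's own listing shows, not a real payload.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib"
    printf '%s\n' '<?php $decoded_sig = base64_decode($signature);' \
        > "$dir/lib/sig.php"
    printf '%s\n' '<?php eval(base64_decode("TWFuIGlzIGRpc3Rpbmd1aXNoZWQs"));' \
        > "$dir/basecode.php"
    printf '%s\n' "$dir"
}

# Usage (the post's two steps, run against the sample tree):
#   d=$(make_sample_tree); scan_recent_php "$d"; locate_blob "$d" TWFuIGlzIGR
```

Both functions print only file paths, so their output can be fed straight into a review or hashing step rather than read by eye.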
