NYCPHP Meetup

NYPHP.org

[nycphp-talk] I've been hit with an eval(base64_decode("....")) injection attack

Daniel Convissor danielc at analysisandsolutions.com
Sun Mar 25 16:07:55 EDT 2012


Hi David:

> My Dreamhost shared hosting account just had its *.php injected with some
> garbage.

Sorry.  Alas, injecting code into legitimate sites is the #1 source
these days of infecting end user computers.  So securing our rinky-dink
personal websites has become quite important.

I recently picked WordPress for a site and then looked for security
plugins for it.  That eventually led me to write my own plugin, which
somehow wound up taking about six weeks of intense work.  I've passed it
around for testing and code review.  I'd love to hear the thoughts of
the people here on it from a code level and user interface level.

http://wordpress.org/extend/plugins/login-security-solution/


>        egrep -lr '<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>'  *| xargs

I'd have just grep'ed for "eval", since that should never be in any code
I want to use.  Your regex would miss code that doesn't have double
quotes, doesn't use base64_decode, has spacing in it, etc.

Oh, and lock down your file permissions.  The web server shouldn't be
allowed to write to any files or directories.

Thanks,

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
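Dan's two suggestions above (grep for "eval" itself rather than one exact injection shape, and check what the web server can write to) worked into a small scan script. This is an added example, not code from the thread; it assumes GNU grep's --include option and find's symbolic -perm syntax, and takes the directory to scan as its first argument.

```shell
#!/bin/sh
# Added example, not from the original thread. Scans a site tree for eval()
# calls and for world-writable files, the two checks Dan recommends.

# The narrow pattern quoted in the thread, kept only for comparison: it
# requires double quotes, base64_decode, and no whitespace anywhere.
NARROW='<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>'

# Any call to eval(): arbitrary whitespace before the parenthesis, and a
# non-identifier character (or line start) before "eval" so that names like
# retrieval( or $evaluate do not count. Quoting style and decoder function
# (base64_decode, gzinflate, str_rot13, ...) are irrelevant to this match.
BROAD='(^|[^[:alnum:]_])eval[[:space:]]*\('

# Print the PHP-ish files under $1 whose content matches ERE $2, sorted.
grep_php_files() {
    grep -rIlE --include='*.php' --include='*.phtml' --include='*.inc' \
        -e "$2" "$1" 2>/dev/null | sort
}

find_eval_calls()       { grep_php_files "$1" "$BROAD"; }
find_narrow_injection() { grep_php_files "$1" "$NARROW"; }

# For each file found, show the first matching line so a reviewer can tell
# a legitimate eval() (rare, but some frameworks use it) from a decoder
# chain stuffed into the top of every file.
show_eval_context() {
    find_eval_calls "$1" | while IFS= read -r f; do
        printf '%s: %s\n' "$f" "$(grep -m1 -E "$BROAD" "$f")"
    done
}

# Files or directories under $1 that anyone, the web server included, may
# write to. Where PHP runs as a distinct user (www-data, apache), also
# check ownership, e.g.: find "$1" -user www-data
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -o+w | sort
}
```

On a shared host where PHP runs as your own account user, mode bits cannot separate the web server from you, so the permission check only helps where the server has its own user.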
