If your site is hacked, the check for edited files. Find all files modified within 30 days and then parsed that for base64 decodes (used to encrypt\/hide coding)<\/p>\n
Find the coding itself<\/p>\n
\n# cd \/home\/domain\/public_html\n# find . -type f -ctime -30 -iname "*.php" -exec grep "base64_decode" {} \\;\n<\/pre>\nResults<\/p>\n
\n# find . -type f -ctime -30 -iname "*.php" -exec grep "base64_decode" {} \\;\n $buf .= base64_decode($util->GetRandom($bytes, 0));\n $data = base64_decode($data);\n $data = base64_decode( $data );\n $data = base64_decode($data);\n $value = base64_decode($this->_currentTagContents);\n $challenge = base64_decode(substr($this->last_reply, 4));\n $decoded = base64_decode( $value['encoded_serialized_instance'], true );\n $flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));\n $data = base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']);\n $decoded_sig = base64_decode($signature);\n $uncompressed =$this->_uncompress(base64_decode(strtr($compressed, '-_', '+\/')));\n return base64_decode($value);\n return base64_decode($value);\n $this->_accountKey = base64_decode($accountKey);\n $this->_accountKey = base64_decode($value);\n base64_decode((string)$xmlMessages[$i]->MessageText)\n return base64_decode($sessionRecord->serializedData);\n $incomingSignature = base64_decode($message->get('Signature'));\n if (base64_decode($token,true)){\n $decoded_token = base64_decode($token,true);\n $raw_data = base64_decode($data);\n return base64_decode($b64);\n $challenge = base64_decode($challenge);\n $challenge = base64_decode(substr($this->last_reply, 4));\n return base64_decode($b64);\neval(base64_decode('TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz'.\n $expected_raw_md5 = base64_decode( $expected_md5 );\n<\/pre>\nAs we can see – here is a excerpt from the base64 code. Now, lets find the file. To find the base64 coding, copy a bit of the base64 and run;<\/p>\n
\n\n# find . -type f -ctime -30 -iname "*.php" -exec grep -l "TWFuIGlzIGR" {} \\;\n.\/basecode.php\n\n\n<\/pre>\nWhere that gibberish in the grep is a small tidbit of the base64 coding
\nThe first one finds the coding itself. The second finds the file containing the coding.<\/p>\n","protected":false},"excerpt":{"rendered":"
If your site is hacked, the check for edited files. Find all files modified within 30 days and then parsed that for base64 decodes (used to encrypt\/hide coding) Find the coding itself # cd \/home\/domain\/public_html # find . -type f -ctime -30 -iname "*.php" -exec grep "base64_decode" {} \\; Results # find . -type f … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-3225","post","type-post","status-publish","format-standard","hentry","category-administration"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/3225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=3225"}],"version-history":[{"count":0,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/3225\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=3225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=3225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=3225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}