Hacked by base64_eval

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Mar 03, 2015 6:33 pm

Hacked by base64_eval

Post by markutovich » Tue Mar 03, 2015 6:40 pm

Hi, my website was hacked by an injection of PHP code.
I have searched and i was hacked with base64_eval
I have already deleted all the new php files that has been created and also I deleted some code that have been inserted in my php files
Now, i search " base64_decode" in all my site and there are still some files (mostly in my components files) with code like this

$text = base64_decode($text);
return base64_decode(AKEEBA_SERVERKEY);

I really dont know if these code is malicious or not, because i have compared a clean site with the infected one, and seem that this code is also in the clean site
So i dont know if i have to deleted all the base64_decode code or not
Thanks in advance

Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4026
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Hacked by base64_eval

Post by itoctopus » Tue Mar 03, 2015 6:50 pm

These are not dangerous. What's dangerous is when you see base64_decode next to a very long list of meaningless characters (which are technically an encoded malicious command).

It is important to scan your website at least every week for base64 functions - these are very dangerous and subtle.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

User avatar
Joomla! Master
Joomla! Master
Posts: 14953
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Hacked by base64_eval

Post by mandville » Wed Mar 04, 2015 3:18 pm

follow the sticky post, and security checklist 7
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}



Return to “Security in Joomla! 2.5”