When a PHP application is hacked and serving content that you cannot seem to find, chances are the content is encoded in base64 and is being decoded and displayed somewhere. Hackers will obfuscate this code to make it hard to find. One way to find it is to disable the base64_decode function in your php.ini file:
Code:
disable_functions = "base64_decode"
Restart Apache and watch your error log to see where error messages pop up; this may show you where the code is executing. Knowing where it executes is a great leap toward finding HOW it is executing.
If none of your applications use base64_decode, then feel free to leave it disabled in php.ini. It will save you a lot of headaches in the future anyway.
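One way to do the "watch your error log" step once the function is disabled, as an added example that is not part of the original post: it pulls the calling file and line out of the log, including calls made from inside eval(). The log lines are constructed samples, the `locate` helper is a hypothetical name, and the two message formats assumed are the PHP 7 "disabled for security reasons" warning and the PHP 8 "undefined function" error.

```python
import re
from collections import Counter

# PHP < 8 logs a warning for a disabled function; PHP 8+ treats it as
# undefined and logs a fatal error with "file:line" instead of "on line N".
PHP7 = re.compile(r"base64_decode\(\) has been disabled for security reasons "
                  r"in (?P<loc>.+?) on line (?P<line>\d+)")
PHP8 = re.compile(r"Call to undefined function base64_decode\(\) "
                  r"in (?P<loc>.+?):(?P<line>\d+)")
# Code run through eval() is reported as "<file>(<line>) : eval()'d code".
# No end anchor, so nested evals resolve to the outermost file on disk.
EVAL = re.compile(r"(?P<file>.+?)\((?P<line>\d+)\) : eval\(\)'d code")

def locate(log_lines):
    """Return [((file, line), count), ...] for every blocked base64_decode call."""
    hits = Counter()
    for text in log_lines:
        m = PHP7.search(text) or PHP8.search(text)
        if not m:
            continue
        path, line = m["loc"], int(m["line"])
        ev = EVAL.match(path)
        if ev:  # report the real file and the line of the eval() call
            path, line = ev["file"], int(ev["line"])
        hits[(path, line)] += 1
    return hits.most_common()

# Constructed sample log lines (paths, PIDs and client addresses are made up).
SAMPLE_LOG = [
    "[Tue Mar 05 10:12:01 2024] [php7:warn] [pid 811] [client 203.0.113.5:51234] PHP Warning:  base64_decode() has been disabled for security reasons in /var/www/html/includes/footer.php on line 42",
    "[Tue Mar 05 10:12:03 2024] [php7:warn] [pid 811] [client 203.0.113.9:40112] PHP Warning:  base64_decode() has been disabled for security reasons in /var/www/html/includes/footer.php on line 42",
    "[Tue Mar 05 10:12:04 2024] [php7:warn] [pid 812] [client 203.0.113.5:51240] PHP Warning:  base64_decode() has been disabled for security reasons in /var/www/html/images/thumb.php(3) : eval()'d code on line 1",
    "[Tue Mar 05 10:12:09 2024] [php:error] [pid 813] [client 203.0.113.7:51300] PHP Fatal error:  Uncaught Error: Call to undefined function base64_decode() in /var/www/html/lib/mail.php:17",
    "[Tue Mar 05 10:12:10 2024] [core:notice] [pid 800] AH00094: Command line: '/usr/sbin/apache2'",
]

if __name__ == "__main__":
    for (path, line), count in locate(SAMPLE_LOG):
        print(f"{count:3d}  {path}:{line}")
```

Each reported file still needs to be read by hand: a hit only shows where base64_decode was called, and legitimate code that uses the function will appear in the same list.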