[PHP] base64_decode

2012-10-02 Thread John Taylor-Johnston
Without anyone infecting their machines, can someone tell me what this 
is? I found a phishing site on my DreamHost server. DreamHost has been 
very helpful.

We found a file containing this code.
What is it? What does it contain?

<?php
eval(base64_decode('Pz4gPC9kaXY+DQo8ZGl2IGlkPSJmb290ZXIiPjxhIGhyZWY9Imh0dHA6Ly93ZWItaG9zdGluZy1jbGljay5jb20vIiB0aXRsZT0iV2ViIGhvc3RpbmciPldlYiBob3N0aW5nPC9hPg0KPCEtLSAyNyBxdWVyaWVzLiAwLjU2MSBzZWNvbmRzLiAtLT4NCjwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+IDw/'));?>


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] base64_decode

2012-10-02 Thread Rodrigo Silva dos Santos


Hello John.

This code generates the following HTML:

?> </div>
<div id="footer"><a href="http://web-hosting-click.com/" title="Web hosting">Web hosting</a>
<!-- 27 queries. 0.561 seconds. -->
</div>
<?php wp_footer(); ?>
</body>
</html> <?

It appears that it is nothing dangerous, only unauthorized advertising.










Re: [PHP] base64_decode

2012-10-02 Thread Sebastian Krebs

On 02.10.2012 19:27, John Taylor-Johnston wrote:

> Without anyone infecting their machines, can someone tell me what this
> is? I found a phishing site on my DreamHost server. DreamHost has been
> very helpful.
> We found a file containing this code.
> What is it? What does it contain?
>
> <?php
> eval(base64_decode('Pz4gPC9kaXY+DQo8ZGl2IGlkPSJmb290ZXIiPjxhIGhyZWY9Imh0dHA6Ly93ZWItaG9zdGluZy1jbGljay5jb20vIiB0aXRsZT0iV2ViIGhvc3RpbmciPldlYiBob3N0aW5nPC9hPg0KPCEtLSAyNyBxdWVyaWVzLiAwLjU2MSBzZWNvbmRzLiAtLT4NCjwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+IDw/'));?>




http://codepad.org/Kyka99fE
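
An added example, not part of the original thread: the file quoted above can be identified without executing it by pulling out the base64_decode() argument and decoding it as plain data. The function names and report fields are choices made for this illustration; the sample is the blob posted in this thread, wrapped across lines the way a mail client would wrap it.

```python
import base64
import re

# eval(base64_decode('...')) with either quote style; \s lets the blob span wrapped lines.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
URL = re.compile(rb"""https?://[^\s"'<>]+""")
DECODERS = re.compile(rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")


def decode_payloads(php_source):
    """Decode every eval(base64_decode('...')) argument as data; nothing is executed."""
    payloads = []
    for match in EVAL_B64.finditer(php_source):
        blob = re.sub(r"\s+", "", match.group(2))  # undo line wrapping
        payloads.append(base64.b64decode(blob, validate=True))
    return payloads


def triage(payload):
    """Summarise what the decoded bytes would do if PHP eval'd them."""
    return {
        "urls": [u.decode("ascii", "replace") for u in URL.findall(payload)],
        # eval() starts in PHP mode; a leading '?>' leaves it, so the rest is raw HTML.
        "leaves_php_mode": payload.lstrip().startswith(b"?>"),
        # Further decoder calls mean another layer to unwrap before judging it.
        "nested": bool(DECODERS.search(payload)),
    }


# The blob posted in this thread, line-wrapped as a mail client would wrap it.
SAMPLE = """<?php
eval(base64_decode('Pz4gPC9kaXY+DQo8ZGl2IGlkPSJmb290ZXIiPjxhIGhyZWY9I
mh0dHA6Ly93ZWItaG9zdGluZy1jbGljay5jb20vIiB0aXRsZT0iV2ViIGhvc3RpbmciPl
dlYiBob3N0aW5nPC9hPg0KPCEtLSAyNyBxdWVyaWVzLiAwLjU2MSBzZWNvbmRzLiAtLT4
NCjwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+IDw/
'));?>"""

if __name__ == "__main__":
    for data in decode_payloads(SAMPLE):
        print(triage(data))
        print(data.decode("utf-8", "replace"))
```

A payload reported with "nested" set needs the same treatment applied again to its decoded text before any conclusion is drawn about it.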




[PHP] Re: {ATTENTION} Re: [PHP] base64_decode

2012-10-02 Thread John Taylor-Johnston

Interesting.
Thanks.
It was a footer.php in a webpress theme.
I was wondering if it was a portal someone was using to get onto my server.
I changed FTP passwords and began using SFTP, but phishing code is
still leaking onto my sites. My WordPress copies are up to date and
DreamHost has no real answers as to how someone is uploading and
expanding *.tar.gz files.


Thanks,
john







--
John Taylor-Johnston

Département de Langues modernes
Cégep de Sherbrooke, Sherbrooke, Québec
http://cegepsherbrooke.qc.ca/~languesmodernes/
http://cegepsherbrooke.qc.ca/~languesmodernes/wiki/



RES: [PHP] Re: {ATTENTION} Re: [PHP] base64_decode

2012-10-02 Thread Samuel Lopes Grigolato
Another way to decode and inspect such data is to use utilities like:
http://www.motobit.com/util/base64-decoder-encoder.asp 

By the way, I have never seen this kind of sloppy, irritating malicious
obfuscation before =).

Does your server allow execution of the eval function? I consider this a
security breach especially if your Apache user is not correctly sandboxed.
I wonder if there is a way to disable execution of this method on shared
servers. AFAIK there is a way, I just can't remember how to do it.

Cheers.




Re: RES: [PHP] Re: {ATTENTION} Re: [PHP] base64_decode

2012-10-02 Thread Ashley Sheridan
On Tue, 2012-10-02 at 15:04 -0300, Samuel Lopes Grigolato wrote:

> Another way to decode and inspect such data is to use utilities like:
> http://www.motobit.com/util/base64-decoder-encoder.asp
>
> By the way, I have never seen this kind of sloppy, irritating malicious
> obfuscation before =).
>
> Does your server allow execution of the eval function? I consider this a
> security breach especially if your Apache user is not correctly sandboxed.
> I wonder if there is a way to disable execution of this method on shared
> servers. AFAIK there is a way, I just can't remember how to do it.
>
> Cheers.
 
 
 
 


I'd say the first step is to remove or disable any unnecessary plugins
and make sure all the necessary ones are as up-to-date as they can be. I
recall reading an article recently about the most popular thumbnail
generation plugin for WordPress (I'm not a WordPress user, don't recall
the plugin name) that had a security flaw that would allow unauthorised
access to your server.

Look at server logs. See if there is any useful information in them that
would tell you what pages were requested just prior to the .tar.gz
archives being uploaded.

Change login details for both FTP and WordPress itself for all users if
you can, and maybe check for any added users who shouldn't be there.

If you have a backup of the code files try and restore it. If you don't,
compare a fresh WordPress install with the plugins you're using to what
you have on the live site to see if there are any other dodgy files on
the server that ought not to be.

Hope that helps some!

-- 
Thanks,
Ash
http://www.ashleysheridan.co.uk
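
An added example, not part of Ashley's post: one way to do the log review suggested above, listing the requests logged in the minutes before an uploaded archive's modification time. It assumes the Apache combined log format; the log lines, addresses, plugin path and timestamp are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: host ident user [time] "METHOD path proto" status ...
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_METHODS = ("POST", "PUT")  # requests able to deliver a file to the server


def requests_before(log_lines, upload_time, window_minutes=10):
    """Requests logged in the window before upload_time, write-capable ones first."""
    start = upload_time - timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts <= upload_time:
            hits.append({"time": ts, "ip": m["ip"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    hits.sort(key=lambda h: (
        not (h["method"] in WRITE_METHODS and h["status"] < 400), h["time"]))
    return hits


# Constructed sample: documentation-range addresses and a hypothetical plugin path.
SAMPLE_LOG = [
    '198.51.100.9 - - [02/Oct/2012:13:20:00 +0000] "GET / HTTP/1.1" 200 9120 "-" "ExampleAgent"',
    '203.0.113.7 - - [02/Oct/2012:13:58:41 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "ExampleAgent"',
    '203.0.113.7 - - [02/Oct/2012:14:01:12 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 51 "-" "ExampleAgent"',
    '198.51.100.9 - - [02/Oct/2012:14:01:30 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "ExampleAgent"',
    'not a log line',
]
# In practice: datetime.fromtimestamp(os.path.getmtime(archive), tz=timezone.utc)
UPLOAD_TIME = datetime(2012, 10, 2, 14, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in requests_before(SAMPLE_LOG, UPLOAD_TIME):
        print(hit["time"].isoformat(), hit["ip"], hit["method"], hit["path"], hit["status"])
```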




[PHP] base64_decode an image, works on blank page, not on page where text is..

2004-08-09 Thread Josh Acecool M
If I try to base64_decode an image which was encoded with base64_encode on a
blank page, it works, if I try on a page with stuff already on it, it just
shows me the source code to the image...

Example: Run this code as a blank page, no spaces before or after the ?
then run it again with a space or a character..

Any ideas how to fix it?
Thanks.


<?php
if (!function_exists("ac_call_base64_image")) {
    function ac_call_base64_image ($Image) {
        //require ("./ACWB/ACWB_Base64_Images.php");
        //$Image = $ACWB_B64I[$Image];
        return base64_decode($Image);
    }
}
// RedX Image...
$ACWB_B64I['ACWB'] =
"R0lGODlhHAAeAKIAAP8AAP///8DAwICAgP///wAAACH5BAEAAAUALAAcAB4AAAO
COLrc7mGUSau9NuL  Np+5g9YXhSHbmuaXF81zsEMx0HQgELFmybeO6S89HA2Z2lSHxl
jsKaQDALDozipAUZZRabV6fNW43yAtvi15KDCoNcK1q7ERJhHv
krSWanNSPnWV+dgUxAoaHiIZpdxcEjo+QkHwqK3iUX5eVmZqbk  50efqFECQA7";
echo ac_call_base64_image ($ACWB_B64I['ACWB']);
?>


PS: phpBB2 somehow got it to work, not sure how though :-/




Re: [PHP] base64_decode an image, works on blank page, not on page where text is..

2004-08-09 Thread Justin Patrin
On Mon, 9 Aug 2004 14:23:22 -0700, Josh Acecool M
[EMAIL PROTECTED] wrote:
> If I try to base64_decode an image which was encoded with base64_encode on a
> blank page, it works, if I try on a page with stuff already on it, it just
> shows me the source code to the image...
>
> Example: Run this code as a blank page, no spaces before or after the ?
> then run it again with a space or a character..
>
> Any ideas how to fix it?
> Thanks.
>
> <?php
> if (!function_exists("ac_call_base64_image")) {
>     function ac_call_base64_image ($Image) {
>         //require ("./ACWB/ACWB_Base64_Images.php");
>         //$Image = $ACWB_B64I[$Image];
>         return base64_decode($Image);
>     }
> }
> // RedX Image...
> $ACWB_B64I['ACWB'] =
> "R0lGODlhHAAeAKIAAP8AAP///8DAwICAgP///wAAACH5BAEAAAUALAAcAB4AAAO
> COLrc7mGUSau9NuL  Np+5g9YXhSHbmuaXF81zsEMx0HQgELFmybeO6S89HA2Z2lSHxl
> jsKaQDALDozipAUZZRabV6fNW43yAtvi15KDCoNcK1q7ERJhHv
> krSWanNSPnWV+dgUxAoaHiIZpdxcEjo+QkHwqK3iUX5eVmZqbk  50efqFECQA7";
> echo ac_call_base64_image ($ACWB_B64I['ACWB']);
> ?>
>
> PS: phpBB2 somehow got it to work, not sure how though :-/

You can't display an image inline. At least, not quite like that. You
*can* use a special img tag with Mozilla to display inline, but this
isn't very well supported. Use an img tag to link to another script
and have that script base64_decode the image and display it (with the
correct headers).


-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--




[PHP] base64_decode()

2002-11-26 Thread Cenk Uysal
Hi,

I want to save a base64 encoded string after I decode it. I saw that the
base64_decode function returns a string. So how do I save it as a binary
file? I plan to save it to a PostgreSQL database field.

Thanks...







[PHP] base64_decode problem.

2001-08-31 Thread Johan Vikerskog (ECS)

Hi all.

I have this variable $cn
which sometimes is in base64 format and sometimes it isn't.
This is what the script looks like. It will get bigger, but this is one of the problems I
have to get through first.

If you wonder why I don't use the built-in LDAP function in PHP, I can just tell you
that I want to. The compilation doesn't work and I have talked to several OpenLDAP
persons. So ignore that for now.
The problem below is that LDAP's $cn is sometimes in base64 format, and if it is I need
to decode it.
I have no problem decoding it; my problem is that I need to make it somehow know if
it is in that format or not.
Thankful for any help.

//Johan

<?php
$ldap="/export/scratch/apps3/ldap/bin/ldapsearch";
// Quote the search filter so the value of $user cannot inject shell syntax.
$filter = escapeshellarg("uid=$user");
$string=`$ldap -L $filter uid cn department telephoneNumber| awk '{print $0}'`;

$line = explode("\n",$string);
$var = array("cn:", "department:","uid:", "telephoneNumber:");

foreach ($var as $varx) {
    foreach ($line as $str) {
        // ereg() was removed in PHP 7; a plain substring test does the same job here.
        if (strpos($str, $varx) !== false) {
            $newvarx = str_replace (":","",$varx);
            $tomte[$newvarx] = str_replace($varx,"",$str);
        } //if
    } //foreach
} //foreach


$cn=$tomte['cn'];
$uid=$tomte['uid'];
$dep=$tomte['department'];
$phone=$tomte['telephoneNumber'];

?>
</HTML>

To contact the list administrators, e-mail: [EMAIL PROTECTED]