Is base64_decode legit ?

yettie

I had a parse error syntax error the other day because my site was hacked but since i have managed to clean it up a bit and i have done a scan and found these files that came up in the scan as dangerous.

return rsa_decrypt(base64_decode($message)
return rsa_decrypt(base64_decode($message), $private_key, $modulus, $keylength);
$enc_text = base64_decode($enc_text);

I know base64_decode in the past has been related to some malware code or been some bad code before over the last few days i noticed it and it had a lot of crap after it like the follow code.
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0N

I guess my question is, is base64_decode legit code or is that always a sign of a hacked site and does it always have something to do with malware etc???

If so im worried because some of this code was found in plugins that i installed after the retoring of my site back to normal and so that would mean the code has spread to other fresh plugins after i fixed it the other day.

Any ideas anyone?

Weedpacket

(Note: I've moved your post into a new thread, as it wasn't really anything to do with where it was originally.)

Obviously, if you wrote the code you should know what it does, so I'll assume that what you have is something someone else wrote for you.

What you should keep is a reference copy of what they wrote for you that has never gone on the server: it's basic backup practice. Then, any code that appears on the server that isn't in your backup is to be treated with suspicion.

If it is in the reference copy (or if you don't have a reference copy) then the person who should know why it's there is the developer; they should be able to give you an answer. If it's a mystery to them then that's very suspicious indeed. If they're coy about it, or you can't bring yourself to trust their responses, then you need to find yourself another developer.

Whether it is malware or not depends on what it does. If it's your site and it's supposed to be there then you know who put it there and you can ask them. There are legitimate reasons to obfuscate a section of code like this. I'm not saying they have to be good reasons, just legitimate ones - there's almost never a good reason to be using [man]eval[/man].

However, this doesn't say anything about eval. It says rsa_decrypt(). What it looks like to me is that $message is binary data (after having been encrypted using RSA) that has then be base64-encoded for transport (to avoid the possibility that whatever protocols the encrypted message is passing through would misinterpret it as containing protocol instructions). Which is what base64 was invented for. Assuming all the while that rsa_decrypt does what it says on the tin.

You can deobfuscate it (and feel free to search the forums for all the threads by people wanting to do something with "eval base64_decode" to find out how) to find out what it does. But it might be quicker to just ask whoever is supposed to be responsible for it.

Replicants are like any other machine: they're either a benefit or a hazard. If they're a benefit it's not my problem.