
Scanning For Base64 and Eval Using Bash

Created On: 14 September 2022
Written by: Ben

Having dealt with many hacked websites over the years, we know that hackers love to use base64-encoded files and the eval function to take control of websites and exploit them to the best of their ability.

Scanning For Base64

If you are dealing with a hacked website, you can scan for files containing base64 with the following command:

find /path/to/scan/ -type f -exec grep "base64" '{}' \; -print &> /path/to/output/base64-detections.txt

Replace /path/to/scan/ with the directory you wish to scan and /path/to/output/base64-detections.txt with the location where you want the output written.

Once this has finished, the easiest way to list the full paths of the files that were returned is:

grep /path/to/scan/ /path/to/output/base64-detections.txt

Each file returned should be checked to make sure it is authentic. Anything that has been maliciously tampered with should be replaced with the original. If you are dealing with WordPress core files, for example, you could compare the md5sum of your file against the original in the WordPress GitHub repository.

Scanning For Eval

To scan for files containing eval, use the following command:

find /path/to/scan/ -type f -exec grep "eval" '{}' \; -print &> /path/to/output/eval-detections.txt

Replace /path/to/scan/ with the directory you wish to scan and /path/to/output/eval-detections.txt with the location where you want the output written.

Once this has finished, the easiest way to list the full paths of the files that were returned is:

grep /path/to/scan/ /path/to/output/eval-detections.txt

Again, each file returned should be checked to make sure it is authentic. Developers should avoid using eval, so this is something to bear in mind. Many web servers have eval disabled by default to prevent some of the issues it causes.

Anything that has been maliciously tampered with should be replaced with the original. If you are dealing with WordPress core files, for example, you could compare the md5sum of your file against the original in the WordPress GitHub repository.
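The two scans above and the md5sum comparison, put together as an added example that is not part of the original article. It uses grep -rl to list matching files directly instead of find -exec, runs over a constructed sample web root (the file names and contents are made up here, and the "tampered" file only decodes a harmless constant), and treats a local originals/ directory as a stand-in for the pristine copy from the upstream repository.

```shell
#!/bin/sh
# Added example, not from the original article: scan a web root for the two
# indicators the article describes (base64 and eval), list each matching file
# once, and compare a suspect file against a known-good copy with md5sum.

# scan_dir DIR PATTERN: print each file under DIR containing PATTERN, once.
# -r recurses, -l prints only file names, -I skips binaries, -F is a fixed string.
scan_dir() {
    grep -rlIF -- "$2" "$1" 2>/dev/null | sort
}

# count_matches DIR PATTERN: number of files under DIR containing PATTERN.
count_matches() {
    scan_dir "$1" "$2" | wc -l | tr -d ' '
}

# verify_against_original FILE ORIGINAL: succeed only if the md5sums match.
# ORIGINAL stands in for the pristine copy (e.g. from the upstream repository).
verify_against_original() {
    [ "$(md5sum < "$1" | cut -d' ' -f1)" = "$(md5sum < "$2" | cut -d' ' -f1)" ]
}

# make_sample_root: build a constructed sample web root in a temp dir and print
# its path. Contents are made up for this example; the "tampered" file only
# decodes a harmless constant ("Hello").
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/uploads" "$root/originals"
    # Legitimate file with no indicators, plus its pristine reference copy.
    printf '<?php\nfunction wp_clean_input($x) { return trim($x); }\n' > "$root/wp-includes/clean.php"
    cp "$root/wp-includes/clean.php" "$root/originals/clean.php"
    # Legitimate use of base64 (mail attachment encoding): a hit that review should clear.
    printf '<?php\nfunction encode_attachment($d) { return chunk_split(base64_encode($d)); }\n' \
        > "$root/wp-includes/mail.php"
    # Tampered copy: the clean file with an eval/base64 line appended.
    cp "$root/wp-includes/clean.php" "$root/uploads/clean-tampered.php"
    printf "eval(base64_decode('SGVsbG8='));\n" >> "$root/uploads/clean-tampered.php"
    printf '%s\n' "$root"
}

# Demo run over the constructed tree; every hit still needs manual review.
demo_root=$(make_sample_root)
echo "Files mentioning base64:"; scan_dir "$demo_root" base64
echo "Files mentioning eval:";   scan_dir "$demo_root" eval
if verify_against_original "$demo_root/uploads/clean-tampered.php" "$demo_root/originals/clean.php"; then
    echo "clean-tampered.php matches the original"
else
    echo "clean-tampered.php differs from the original: replace it"
fi
rm -rf "$demo_root"
```

The base64 scan returns both the legitimate mail.php and the tampered file, which is why the article insists every returned file is checked by hand rather than deleted on sight.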

Important Notes

Locating malicious files and replacing them is not enough to prevent a website from being hacked again. It is important that you find and patch the point of entry so the website is not targeted again. Websites should be penetration tested frequently, and you should fix any issues in your code where exploitation is possible. This guide is just a few simple tips for cleaning up a hacked website.

ICTU LTD is a company registered England and Wales (Company No. 09344913) 15 Queen Square, Leeds, West Yorkshire, England, LS2 8AJ
Copyright © 2024 ICTU LTD, All Rights Reserved.