Ever wonder how a site like Wordpress or Magento get hacked? It's usually done via a eval/base64_decode hack.
In php, here is how this works:
echo 'Hello World!';
Run this and you get:
If you take this and run it through
base64_encode() you get a hash.
Then, we run
base64_decode() and we get the command back. We can use the eval() command in conjunction with this:
I've seen strings that decode into scripts that build zip files and executables…all used as payloads in spam based attacks.
The good thing is that you can find this type of hack in your code fairly easily.
grep -Rn “base64_decode *(” /var/www grep -Rn “eval *(” /var/www