[wp-hackers] OT: Decoding injected scripts

Beau Lebens beau at dentedreality.com.au
Thu Aug 6 02:00:10 UTC 2009

The ones I've seen have usually just been base64 encoded (sometimes a
few times).

Usually all it takes is a quick base64_decode() in PHP to see what's in there.

On Wed, Aug 5, 2009 at 6:55 PM, John Blackbourn<johnbillion+wp at gmail.com> wrote:
> In the last few days two of my clients' sites have been hacked or
> somehow otherwise compromised and both have resulted in encoded
> scripts being injected into pages on the sites.
> Both the attacks were different. One has resulted in some encoded
> Javascript wrapped in an eval() statement injected into HTML pages.
> The other resulted in some very strange PHP being injected into a PHP
> file which looks like it might be partially base encoded.
> Does anyone have tips on how I might go about decoding these scripts
> to see what they were attempting to do?
> John.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list