vb.org Archive - View Single Post

kerrghann · #22 07-30-2016, 04:47 PM

I use this piece of PHP code to find base64 and other uglies that might have been injected or placed on my server.

Note: This will not look through your hooks, this looks through all the PHP files on your server.

It'll most likely bring up a large list, so I recommend skimming through the list and finding anything that mentions base64_decode()

Then open up that file and find the base64 string in it and decode it yourself with an online decoder or using the php base64_decode($string)

Place this in your forum root and then navigate to it ( http://www.yourforumhere.com/base64-check.php
best of luck:

base64-check.php

PHP Code:


			
<html><head><title>Find String</title></head><body>
<?php
find_files('.');
function find_files($seed)
{
if(! is_dir($seed)) return false;
$files = array();
$dirs = array($seed);
while(NULL !== ($dir = array_pop($dirs)))
{
if($dh = opendir($dir))
{
while( false !== ($file = readdir($dh)))
{
if($file == '.' || $file == '..') continue;
$path = $dir . '/' . $file;
if(is_dir($path)) { $dirs[] = $path; }
else { if(preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) { check_files($path); }}
}
closedir($dh);
}}} function check_files($this_file)
{
$str_to_find[]='base64_decode';
$str_to_find[]='edoced_46esab';
$str_to_find[]='preg_replace';
$str_to_find[]='HTTP_REFERER';
$str_to_find[]='HTTP_USER_AGENT';
$str_to_find[]='assert('; $str_to_find[]='create_function('; $str_to_find[]='$_REQUEST['; if(!($content = file_get_contents($this_file)))
{ echo("<p>Could not check $this_file You should check the contents manually!</p>\n"); }
else
{
while(list(,$value)=each($str_to_find))
{
if (stripos($content, $value) !== false)
{
echo("<p>$this_file -> contains $value</p>\n");
}
}
}
unset($content);
}?>
</body></html>

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01874 seconds Memory Usage 1,797KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD_SHOWPOST (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_php (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_box (1)post_thanks_box_bit (1)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit (1)post_thanks_postbit_info (1)postbit (1)postbit_onlinestatus (1)postbit_wrapper (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit reputationlevel showthread	Included Files: ./showpost.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showpost_start bbcode_fetch_tags bbcode_create postbit_factory showpost_post postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start showpost_complete
Messages:

Благодарность от:
MarkFL