base64_decode in Wordfence files
-
Hello,
Wonder if someone can speak to this:
wp-content/plugins/wordfence/js/admin.liveTraffic.js:374
Used by malicious scripts to decode previously obscured data/programs
var paramKey = WFAD.base64_decode(data.paramKey);wp-content/plugins/wordfence/js/admin.liveTraffic.js:375
Used by malicious scripts to decode previously obscured data/programs
var paramValue = WFAD.base64_decode(data.paramValue);wp-content/plugins/wordfence/js/jquery.dataTables.min.js:113
Often used to execute malicious code
‘”‘)):eval(“(“+d+”)”)}catch(e){return}d=0;for(f=a.aoStateLwp-content/plugins/wordfence/js/jquery.dataTables.min.js:115
Often used to execute malicious code
f(a[j].indexOf(d)!=-1){var m=a[j].split(“=”);try{h=eval(“(“+decodeURIComponent(m[1])+”)”)}catch(u){contwp-content/plugins/wordfence/js/jquery-ui-timepicker-addon.js:180
Often used to execute malicious code
inlineSettings[attrName] = eval(attrValue);wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/request.php:112
Used by malicious scripts to decode previously obscured data/programs
list($authUser, $authPass) = explode(‘:’, base64_decode($matches[1]), 2);wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php:644
Used by malicious scripts to decode previously obscured data/programs
$json[$index] = base64_decode($json[$index]);wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php:209
Used by malicious scripts to decode previously obscured data/programs
// $this->updateRuleSet(base64_decode($this->getRequest()->body(‘ping’)));wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php:438
Used by malicious scripts to decode previously obscured data/programs
$encoded = base64_decode($encoded);wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php:1434
Used by malicious scripts to decode previously obscured data/programs
$waf->verifySignedRequest(base64_decode($jsonData[‘data’][‘signature’]), $jsonData[‘datwp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php:1436
Used by malicious scripts to decode previously obscured data/programs
$waf->updateRuleSet(base64_decode($jsonData[‘data’][‘rules’]),wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php:1447
Used by malicious scripts to decode previously obscured data/programs
$waf->updateRuleSet(base64_decode($jsonData[‘data’][‘rules’]),wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php:1471
Used by malicious scripts to decode previously obscured data/programs
$waf->verifySignedRequest(base64_decode($jsonData[‘data’][‘signature’]), $jsonData[‘datwp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php:1473
Used by malicious scripts to decode previously obscured data/programs
waf->setMalwareSignatures(wfWAFUtils::json_decode(base64_decode($jsonData[‘data’][‘signatures’])),wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php:1484
Used by malicious scripts to decode previously obscured data/programs
waf->setMalwareSignatures(wfWAFUtils::json_decode(base64_decode($jsonData[‘data’][‘signatures’])),wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/rules.php:1439
Used by malicious scripts to decode previously obscured data/programs
return base64_decode($value);wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/json.php:22
Often used to execute malicious code
* Javascript, and can be directly eval()’ed with no further parsingwp-content/plugins/wordfence/waf/wfWAFIPBlocksController.php:273
Used by malicious scripts to decode previously obscured data/programs
if (base64_decode($b[‘IP’]) != $ipNum) {wp-content/plugins/wordfence/views/waf/debug.php:18
Used by malicious scripts to decode previously obscured data/programs
$requestString = base64_decode($hitData->fullRequest);wp-content/plugins/wordfence/lib/wfLog.php:1697
Used by malicious scripts to decode previously obscured data/programs
$actionData[$key] = base64_decode($actionData[$key]);wp-content/plugins/wordfence/lib/wfActivityReport.php:518
Used by malicious scripts to decode previously obscured data/programs
$paramKey = base64_decode($actionData[‘paramKey’]);wp-content/plugins/wordfence/lib/wfActivityReport.php:519
Used by malicious scripts to decode previously obscured data/programs
$paramValue = base64_decode($actionData[‘paramValue’]);wp-content/plugins/wordfence/lib/menu_waf.php:389
Used by malicious scripts to decode previously obscured data/programs
class=”whitelist-display”>${WFAD.htmlEscape(WFAD.base64_decode(whitelistedURLParam.path))}</span>wp-content/plugins/wordfence/lib/menu_waf.php:391
Used by malicious scripts to decode previously obscured data/programs value=”${WFAD.htmlEscape(WFAD.base64_decode(whitelistedURLParam.path))}”>wp-content/plugins/wordfence/lib/menu_waf.php:395
Used by malicious scripts to decode previously obscured data/programs
class=”whitelist-display”>${WFAD.htmlEscape(WFAD.base64_decode(whitelistedURLParam.paramKey))}</span>wp-content/plugins/wordfence/lib/menu_waf.php:397
Used by malicious scripts to decode previously obscured data/programs
type=”text” value=”${WFAD.htmlEscape(WFAD.base64_decode(whitelistedURLParam.paramKey))}”>wp-content/plugins/wordfence/lib/wordfenceClass.php:6061
Used by malicious scripts to decode previously obscured data/programs
$waf->whitelistRuleForParam(base64_decode($_POST[‘path’]), base64_decode($_POST[‘paramKey’]),wp-content/plugins/wordfence/lib/wordfenceClass.php:6288
Used by malicious scripts to decode previously obscured data/programs
$paramKey = base64_decode($actionData[‘paramKey’]);wp-content/plugins/wordfence/lib/wordfenceClass.php:6289
Used by malicious scripts to decode previously obscured data/programs
$paramValue = base64_decode($actionData[‘paramValue’]);wp-content/plugins/wordfence/lib/wordfenceScanner.php:357
Often used to execute malicious code
c_html($badStringFound) . “‘ (without quotes). The eval() function along with an encoding function likeThank you,
~ Angela
-
Hi wfalaa,
Sorry for the delay in reply. Thank you for your response.
Yes, I was using the Exploit Scanner plugin.
Thank you for the clarification. I have, unfortunately, experienced several repeated hacks on this website despite Wordfence being installed. My wflogs folder filled up with malicious looking files as well. See here: https://www.dropbox.com/sh/pzx65e7sclxof7z/AAC12UEx54FRNBj__mAMbaW5a?dl=0
So that is one reason for asking my question… basically were hackers able to exploit “base64_decode” and “eval” functions in Wordfence.
And thank you for the tip on Pastebin!
~ Angela
- The topic ‘base64_decode in Wordfence files’ is closed to new replies.
