• Are WordPress Programmers providing base64_decode functions that could allow a hacker to execute malicious code processed from within an unmonitored Blog comment?

    My WordPress site was hacked last December and I cleaned it up yesterday.
    Google provided me with a nem.php script that scans my host directories looking for:
    base64_decode, edoced_64esab, and nemonn

    I found several obviously malicious scripts and removed or refreshed them from a new install.

    However, I was surprised to discover base64_decode in the freshly installed update.
    The functions appear capable of performing the wretched base64_decode masking of coder intentions.
    Will it be OK if we DELETED these scripts?
    /wordpress/wp-includes/SimplePie/Sanitize.php /base64_decode/ 244 (Line#)
    ./wordpress/wp-includes/class-feed.php /base64_decode/ 117
    ./wordpress/wp-includes/class-IXR.php /base64_decode/ 303
    ./wordpress/wp-content/plugins/jetpack/jetpack.php /base64_decode/ 3191

    Let me know if you’d like to see the nem.php discovery script.

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    I don’t have jetpack so I couldn’t say about that, but the rest are legitimate implementations of WP core. Do not delete them, you will break the installation. base64_decode() is definitely a favorite way for hackers to utilize their hidden code, so it is a handy way to find malicious code. However, it remains a legitimate PHP function with legitimate uses.

    If a hacker has enough access to utilize these functions, they could just as easily inject their own base64_decode() implementation. The existence of the function alone is not necessarily a weak point that hackers can leverage, nor is it a sure sign of malicious code.

    Thread Starter

    (@realizebelieveitus)

    Thanks – I am most concerned that rogue unmonitored comments could pass embedded base64 values that would be decoded to perform unauthorized Hack activities like reading wp_config passwords.
    I’ve seen some pretty questionable base64 appearing comments in the past. Obviously someone trying to manipulate something.
    I am NOT a PHP programmer, so I’ll defer to your judgement and the other experts interested in commenting. Thanks Again
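
Added example, not part of the original thread and not WordPress or nem.php code: a Python triage pass over the scanner terms named above that separates a plain base64_decode() call, like the hits in the listed core files, from decoded data handed directly to a code-executing construct or a hit on the reversed function name. The sink list, the verdict labels and the sample PHP lines are constructed assumptions.

```python
import re

# Search terms taken from the scanner described in the thread.
TERMS = ("base64_decode", "edoced_64esab", "nemonn")

# Assumption: the pattern worth escalating is decoded data passed straight
# into eval()/assert(), optionally through wrappers such as gzinflate().
EXEC_SINK = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(", re.I
)

def triage(php_source):
    """Return (line_no, verdict, matched_terms) for each line with a hit."""
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        low = line.lower()
        hits = [t for t in TERMS if t in low]
        if not hits:
            continue
        # A hit on anything other than the plain function name (the reversed
        # spelling, for example) is treated as suspicious by assumption.
        if EXEC_SINK.search(line) or hits != ["base64_decode"]:
            verdict = "suspicious"
        else:
            verdict = "plain-call"  # still compare the file to a clean copy
        findings.append((no, verdict, hits))
    return findings

# Constructed sample input, not taken from any real file.
SAMPLE = """<?php
$data = base64_decode($encoded_attachment);
eval(gzinflate(base64_decode($blob)));
$f = strrev("edoced_64esab"); $f($blob);
echo "hello";
"""

if __name__ == "__main__":
    # Limitation: works line by line, so a sink and the decode call split
    # across two lines are reported only as a plain call.
    for finding in triage(SAMPLE):
        print(finding)
```

A "plain-call" verdict only means the line does not match the escalation pattern; the file should still be checked against a fresh copy of the same WordPress or plugin version.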

  • The topic ‘WordPress providing base64_decode functions that facilitate hacking?’ is closed to new replies.