SUHOSIN and eval(base64_decode

Portal Home > Knowledgebase > Articles Database > SUHOSIN and eval(base64_decode

Posted by 50dh, 04-12-2012, 07:20 PM
Hello , Some websites in my server has been hacked using eval(base64_decode Actually i want to disable it , so i install and configure SUHOSIN . I disable base64_decode in php.ini suhosin.executor.eval.blacklist=base64_decode .... but the problem it seems not enough , because eval(base64_decode is still working . here is an example : any help please how to fix it ?!
Posted by 50dh, 04-12-2012, 07:24 PM
the example here show that eval(base64_decode is still working n my server ... www dot vipmaroc dot com/test dot php
Posted by Server Management, 04-12-2012, 07:27 PM
You will need to use Mod_Security with some decent rules in place. Also posting a domain along with information like this could lead to you having more problems, Please get the domain removed
Posted by AMSWebHost, 04-12-2012, 09:32 PM
lol - exactly what I was thinking. OP report the post to the mods and get the link removed.
Posted by foobic, 04-12-2012, 09:49 PM
Mod_security is a nice extra but whatever ruleset you use there are always ways around it, and the stricter you try to get the more false positives it generates. IDK about suhosin but have you tried just adding base64_decode (and eval) to disable_functions in php.ini?
Posted by enigma-1, 04-13-2012, 04:22 AM
I would prefer to locate the vulnerable script and fix the root of the problem. Disabling various php functions or adding various wrappers only masks the issue.
Posted by 50dh, 04-13-2012, 05:32 AM
Many thanks for your reply ... BUT For mod_security it is already activated , and it does not help to disable PHP functions , but only to stop some sql injections , scanning ports , flooding ... EVAL cannot be disabled in php.ini by disable_functions directive because it is not a function ( like if you tell me disable FOREACH .. ) base64_decode : cannot be disabled alone , else it will broke a lot of CMS scripts , joomla , wordpress ... What i want it to disable the conbinaison eval(base64_decode , the only way to do it it using SUHOSIN , whith directive : suhosin.executor.eval.blacklist Normaly how this supposing to work is to disable any use of EVAL(function) where "function" is in suhosin.executor.eval.blacklist . so i add : base64_decode to suhosin.executor.eval.blacklist ( with others) , but the problem is that eval(base64_decode) still working. so im wondering it someone this test this with SUHOSIN? I hope i was clear enough this time . and im sorry for my poor english
Posted by 50dh, 04-13-2012, 05:48 AM
Not easy , because i host hundred of websites , and some are using old versions of WP and Joomla which contain a lot of vulnerabilities , even if you make all the security of the world in the server , this WP and Joomla websites can be bypassed by injecting some PHP malicious code, what im trying to do is to disable the work of this injected malicious PHP by deactivating eval(base64_decode) , because a lot of them work with this function . But the big question how to deactivate EVAL(base64_decode) and keep working EVAL and BASE64_DECODE if used separately ?
Posted by mellow-h, 04-13-2012, 06:19 AM
That is the best way to patch it.
Posted by SAHostKing, 04-18-2012, 04:38 PM
Maybe as mentioned before try decent mod_Security rules or tryt he following: http://www.atomicorp.com/products.html not sure how good they are against these but I'm sure it can warn you when it's used?
Posted by lifewithcause, 04-19-2012, 01:51 PM
I was also recently hacked. Initially I also thought I am victim of Base64 but it was more than that. Took us 8 full days to recover and rebuild our defences. Please PM me if you like us to help.

Add to Favourites Print this Article