"base64_decode" and "eval(" in S2member??

Posted: December 3rd, 2011, 6:12 pm
by tourdecartes
Hello,

I wanted to ask my question on this forum as well (because I also sent it to my host provider).

I ran the "Exploit Scanner" plugin on my site and I could find weird pieces of code in my S2member plugin code: "base64_decode" and "eval(". I checked around and apparently, it is a sign that I have been hacked. However, nothing seems wrong at all with my website (no paid subscriptions for a few weeks though).

I can see "eval(" code on the PayPal strings and others.
eval('foreach(array_keys(get_defined_vars())as$

I don't know much about hacking or anything, so I would really appreciate any help regarding this.

I also checked my "last logged in IP" box in my cPanel and found this IP address: 180.194.195.197 (leading to Burma). It is weird since I live in the Philippines and no one should have access to my cPanel except IPs from the Philippines. Would you know if there is anything to worry about?

Now, since I am using my website to process payments, I really want to make sure that everything is secure. Could you please advise me on what to do regarding this matter?

Best regards,

Emmanuel

Re: "base64_decode" and "eval(" in S2member??

Posted: December 3rd, 2011, 6:42 pm
by Raam Dev
Hi Emmanuel,

eval() and base64_decode() are normal PHP functions that have several different uses. s2Member uses the eval() function, so a security scan that finds that function in s2Member code is not an indication that your site has been cracked.

A common use of the eval() function by attackers is to obfuscate (i.e., hide) code that an attacker wants to run. For example, if you saw something like this, eval("87ed32f3036c649a2980ab72"), at the top of one of your PHP scripts, then you should be suspicious.

Due to the way Internet traffic routing works, it's possible that your Internet connection goes through Burma servers, so even that's not an indication of unauthorized access to your control panel.

I suggest you visit http://whatismyip.com/ and find out what your IP address is; compare that with the IP address you see in your control panel.

If you're still worried, I suggest that you change your Control Panel and FTP passwords to something strong (see these guidelines).
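An added example, not part of the original thread and not s2Member's code: a small triage pass in Python that separates the two cases described in the reply above, a readable eval() that only needs a look versus an eval() wrapped around a decoder call or an opaque encoded literal. The function names, the decoder list, the 20-character threshold and the sample PHP lines are assumptions made for illustration.

```python
import re

# Decoder functions commonly wrapped inside eval() to hide a payload (assumed list).
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13")
# A quoted literal of 20+ base64/hex characters with no spaces or PHP syntax.
BLOB = re.compile(r"""["']([A-Za-z0-9+/=]{20,})["']""")
EVAL = re.compile(r"\beval\s*\(", re.IGNORECASE)


def classify(line):
    """Return None, 'review' or 'suspicious' for one line of PHP."""
    m = EVAL.search(line)
    if not m:
        return None           # base64_decode() without eval() is not flagged
    arg = line[m.end():]
    if any(d + "(" in arg.replace(" ", "").lower() for d in DECODERS):
        return "suspicious"   # eval(decoder(...)): the payload is hidden from the reader
    if BLOB.search(arg):
        return "suspicious"   # eval over an opaque encoded literal
    return "review"           # readable eval: inspect it, not a compromise sign by itself


def triage(php_source):
    """Return [(line_number, verdict, text)] for every eval( in the source."""
    out = []
    for n, line in enumerate(php_source.splitlines(), 1):
        verdict = classify(line)
        if verdict:
            out.append((n, verdict, line.strip()))
    return out


# Constructed sample, not taken from s2Member or any real site; the last
# line reuses the literal quoted in the reply above.
SAMPLE = '''<?php
$data = base64_decode($_POST["blob"]);
eval('return strtoupper($name);');
eval(base64_decode("ZWNobyAiY29uc3RydWN0ZWQgc2FtcGxlIjs="));
eval("87ed32f3036c649a2980ab72");
'''

if __name__ == "__main__":
    for n, verdict, text in triage(SAMPLE):
        print(f"line {n}: {verdict:10} {text}")
```

Lines marked "review" are the kind a plain string-match scanner reports for any plugin that uses eval(); comparing those files against a fresh copy of the plugin settles whether they were modified.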

Re: "base64_decode" and "eval(" in S2member??

Posted: December 3rd, 2011, 10:19 pm
by tourdecartes
Hello Raam Dev,

Thanks very much for taking time to answer me! My IP address is different than the other one from Burma, so I changed my passwords just in case.

Thanks again :)

Emmanuel