yukon

How to check your site for base64 links


This is a quick way to check your site for hidden base64 links, which are used by link spammers. There are multiple ways to check a live site for hidden links; this technique is one of the faster ways to check a Wordpress theme.
 
This assumes you're not technically challenged. If you need individual help checking your own files, hire someone to help you and tell them to read the instructions below.
 
Step #1
 
Get a copy of your Wordpress theme onto your offline desktop, you can use something like Filezilla (free FTP).
 
 
 
 
Step #2
 
We need a way to search the entire Wordpress theme (including any theme sub-folders), we'll use Notepad++ (free text editor).
 
 
 
 
Step #3
 
With the Wordpress theme on your desktop, open Notepad++, go to Search --> Find, you'll get a popup window search box.
 
Click the Find in Files tab on the search box popup window.
 
Here's my settings inside the Notepad++ search box:
 

2h5432d.png

 
 
 
What this does is scan the entire WP theme including any sub-folders, then list each instance of the keyword base that is found inside the theme template files & displays the line-number where the keyword was found. This takes only a few seconds to scan the entire Wordpress theme.
 
You can also use this for searching for the keyword http, to verify all the regular links are legit links inside the Wordpress theme.
 
This will work for any type of CMS (Joomla, Drupal, Wordpress, etc...), even bulk plain HTML files/folders. If you can get your files on your offline desktop, you can scan for hidden links.
 
 
 
 
How do I know what hidden links look like?
 
The base64 links usually only show up in the Google Cache (text version), not in the live web page HTML, not in the full Google Cache.
 
Here's a screenshot of what base64 links can do to a web page (major link spam):
 
 

2dmbng3.png

 
 
 
What should I do If my theme has hidden base64 links?
 
The first thing I would do is switch your theme back to the default theme that was included with your Wordpress install.
 
Next, delete the infected base64 theme from your live site.
 
Do not try & make edits to a live site's Wordpress theme that has base64 links. Sometimes the base64 link code will make calls to multiple theme files, so if the code on one template page is removed, the entire site will get locked up (trust me on this, I've had it happen). The only way back into the site is Cpanel, or if you know what you're doing, FTP.
 
 
 
 
Is a Wordpress theme the only place base64 links might be hidden?
 
No, base64 links can also be hidden inside Wordpress plugins. Do the same search for the keyword base on all the plugin files (everything).
 
A Wordpress plugin can add links anyplace on your live web page, the base64 links do not have to be in (example) a header.php file to show up in the live web pages header.
 
 
 
 
How do I view the Google Cache (text version)?
 
You can view your Google Cache (text version) by adding cache: to the front of any URL. If a Google Cache exists, then you should see a link in the top/right side of the cache page (Text-only version).
 
Here's an example of the Spartan Marketing Academy forum Google cache (text version):
 
 
If for some reason you don't see a link to the text version of the Google cache, then add this to the end of the URL of the full Google cache URL:

&strip=1

 
The &strip=1 part of the URL is what triggers the text version of a Google cache.
 
 
 
 
How can I prevent base64 from ever getting on my new website?
 
The easiest way to prevent base64 links from ever getting on your live website to begin with is, simply download all Wordpress themes & Wordpress plugins to your offline desktop, then use the Notepad++ search function (above) to verify no base64 links exist inside of any files that will be installed on your live webpage.
 
 
 
 
Why do people add these base64 links to free Wordpress themes/plugins?
 
They're link spammers, that's what link spammers do, they find the easiest way to add links to any webpage. Wordpress powers approx. +14% of the world's blogs. If even a small amount of that percentage is hit with base64 link spam, that's a huge amount of links. Remember, these base64 links are typically site-wide spam links, and most Wordpress blogs have hundreds/thousands of pages per domain (massive amount of spam links).
 
Google is catching on to which sites have been hit with base64 links, this Google page mentions base64.
 
 
 
 
Can I search my live site/blog for base64 links?
 
You can manually search your live site/blog template files via your CMS Admin. panel, but it's very time consuming since there's so many files that need to be searched. If you miss one instance of the base64 link code, you could either still have the spam links on your site/blog, or worse, lock up your entire site (mentioned above). IMO, it's easier/faster to automate the base64 search while running Notepad++.
 
 
 
 
Is every instance of the keyword base a problem?
 
You might find that every instance of the keyword base isn't a problem, this is a generic search string instead of searching for example: base_64, base64, etc...
 
Use your own judgement for deciding which template code is actually base64 code. Here's what part of the base64 code might look like (random numbers/letters):

dGhpcyBpcyB3aGF0IGJhc2VfNjQgY29kZSBsb29rcyBsaWtl

 
Since all themes are different & all themes have different theme authors, it's possible that some parts of a theme template page could be legitimately encrypted, for example for verifying the user has a paid license code to actually use the theme.
 
My advice is, If you're running anything free, do a base64 search on the entire theme/plugin files/folders to be on the safe side.
 
 
 
 
Related Google links:
 

 

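An added example, not part of the original post: a scripted version of the Find in Files search described above, which also decodes quoted base64 strings and reports the ones that turn out to be links. The sample theme, its file names and the spam.example URL are constructed for the demo, and the 24-character minimum is an assumption.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Calls named in the thread: eval() and base64_decode() (Google's note spells it base_64).
SUSPECT_CALL = re.compile(r"\b(eval|base_?64_decode)\s*\(", re.I)
# Quoted runs of base64 alphabet long enough to hold a link (24+ chars is an assumption).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")
LINK_HINT = re.compile(r"https?://|<a\s|href=", re.I)
SCAN_EXT = {".php", ".js", ".css", ".html", ".htm", ".inc"}


def decode_literal(text):
    """Return the decoded text if `text` is base64 for readable text, else None."""
    try:
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or binary data such as an embedded image or font
    readable = sum(ch.isprintable() or ch.isspace() for ch in decoded)
    return decoded if decoded and readable / len(decoded) > 0.9 else None


def scan_tree(root):
    """Walk `root` with sub-folders; return (relative_path, line_no, reason, detail) tuples."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            for m in SUSPECT_CALL.finditer(line):
                findings.append((rel, no, "call", m.group(1).lower()))
            for m in B64_LITERAL.finditer(line):
                decoded = decode_literal(m.group(1))
                if decoded and LINK_HINT.search(decoded):
                    findings.append((rel, no, "decoded-link", decoded))
    return findings


def build_sample_theme(root):
    """Write a constructed theme: a harmless stylesheet and a footer hiding an encoded link."""
    hidden = '<a href="http://spam.example/pills">cheap pills</a>'  # constructed payload
    blob = base64.b64encode(hidden.encode()).decode()
    root = Path(root)
    (root / "inc").mkdir(parents=True)
    # A data: URI contains the word "base64" but is only an inline image.
    (root / "style.css").write_text("body{background:url(data:image/png;base64,iVBORw0KGgo=)}\n")
    (root / "inc" / "footer.php").write_text(
        "<?php\n// footer\n$c = '" + blob + "';\necho base64_decode($c);\n?>\n")


def demo():
    """Scan the constructed theme in a temporary folder and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "theme"
        theme.mkdir()
        build_sample_theme(theme)
        return scan_tree(theme)


if __name__ == "__main__":
    for rel, no, reason, detail in demo():
        print(f"{rel}:{no}: {reason}: {detail}")
```

To check a real download, call scan_tree() on the folder holding the unzipped theme or plugin; every finding still needs a manual look at the reported line.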


so, i ftp the wordpress theme to my laptop, find and delete all the base64 stuff, then ftp the theme back and im all done? seems easy enough


If you run WordPress you've got no excuse to not install Wordfence that scans your site automatically in the background. It'll very likely find these, and report back to you. iThemes Security is another great security plugin.

 

so, i ftp the wordpress theme to my laptop, find and delete all the base64 stuff, then ftp the theme back and im all done? seems easy enough

 

That should take care of the mechanism that fetches the spam links to your site.

 

However, just cleaning a theme isn't enough. You should reinstall WordPress, preferably reinstall all the plugins, and go through all the directories in wp-content for any PHP scripts. It really helps if you know what doesn't belong in your WordPress directories. Of course having a nice and clean backup helps, because you can restore the site to a clean state.

 

After you've done all this you might still have the original security hole to deal with unless the updates helped to close it.


If you run WordPress you've got no excuse to not install Wordfence that scans your site automatically in the background. It'll very likely find these, and report back to you. iThemes Security is another great security plugin.

 

The problem with that is it's like going to a hospital after someone shoots their own foot.

 

These types of base64 pharma/porn links are willingly being installed & activated by unwitting webmasters.

 

These are not hacks in the sense that a malicious person cracked a WP admin password, or host password.


I found base64 when searching All in One Seo Pack Plugin & Wordpress Backup, like this:

 

base64-ss.jpg

 

base64.jpg

 

Is that dangerous or not? :)

 

 

Well, they're both Wordpress plugins.

 

 

Hard to say what the base64 is actually doing from the screenshot, the 1st one looks image styling related (.css file URL) & the 2nd one looks text related (maybe a font).

 

I'm not sure why they would need to use base64 for either plugin.


Looks like I found a base64 site on my money site unfortunately. Is the only way to pull this off with infected themes / plugins, or could this be the result of things such as SQL injections?

 

Anyways, I wonder if Google gives any credit for these links since they do not show up on the live version of the site.

base64.png


Looks like I found a base64 site on my money site unfortunately. Is the only way to pull this off with infected themes / plugins, or could this be the result of things such as SQL injections?

 

Anyways, I wonder if Google gives any credit for these links since they do not show up on the live version of the site.

base64.png

 

Check the same webpage/URL running this web/dev browser plugin with the settings below.

 

  • Disable all javascript
  • Disable all images
  • Disable all styles

 

Next turn off all plugins & switch the theme back to the default Wordpress theme, then check the problem page/URL again with the web/dev plugin to see If the spam text/link is removed.


Something else to keep in mind, sometimes a spammy theme or plugin will use base64 that rotates text/links, so it's possible what you see on a Google cache might be different than the spam text/links on a live webpage. 


The problem with that is it's like going to a hospital after someone shoots their own foot.

 

These types of base64 pharma/porn links are willingly being installed & activated by unwitting webmasters.

 

These are not hacks in the sense that a malicious person cracked a WP admin password, or host password.

 

Sort of. However, if you patch the hole fast enough you don't end up bleeding dry. Or in this case, you don't get those nasty warnings to the search results from Google.

 

You're right that sometimes webmasters are installing the links themselves. However, it's quite often a hack of some sort. There's sites that haven't been touched by the webmaster that get the exact same pharma and porn links.

 

One small note: often the spam code is trying to hide the links from admins. If you're logged in you may not see anything wrong.


 

The problem with that is it's like going to a hospital after someone shoots their own foot.

 

These types of base64 pharma/porn links are willingly being installed & activated by unwitting webmasters.

 

These are not hacks in the sense that a malicious person cracked a WP admin password, or host password.

 

Sort of. However, if you patch the hole fast enough you don't end up bleeding dry. Or in this case, you don't get those nasty warnings to the search results from Google.

 

You're right that sometimes webmasters are installing the links themselves. However, it's quite often a hack of some sort. There's sites that haven't been touched by the webmaster that get the exact same pharma and porn links.

 

One small note: often the spam code is trying to hide the links from admins. If you're logged in you may not see anything wrong.

 

 

The majority of spam links on WP sites are literally installed by webmasters on their own sites because it's the easy route. The multi domain footprints are easy enough to follow.


 

The majority of spam links on WP sites are literally installed by webmasters on their own sites because it's the easy route. The multi domain footprints are easy enough to follow.

 

Do you have a source for this? I don't mean to be a smartass, but I don't see that many cases where I could confidently claim this. Of course this might be because of my line of work: mostly business websites, and admins who would not install anything even if you threatened them.

 

Ultimately the webmasters or site owners are responsible for their site, and if you're dealing with the typical blog or small business sites they've installed some of the plugins. In a recent clean up case I first threw out plugins that I didn't know to have some kind of base to work from.


 

 

The majority of spam links on WP sites are literally installed by webmasters on their own sites because it's the easy route. The multi domain footprints are easy enough to follow.

 

Do you have a source for this? I don't mean to be a smartass, but I don't see that many cases where I could confidently claim this. Of course this might be because of my line of work: mostly business websites, and admins who would not install anything even if you threatened them.

 

Ultimately the webmasters or site owners are responsible for their site, and if you're dealing with the typical blog or small business sites they've installed some of the plugins. In a recent clean up case I first threw out plugins that I didn't know to have some kind of base to work from.

 

 

 

 

 

 

 

 

Sure, Google warns about base64 on their own site (same link I posted in OP), not that Google is by any means needed to verify.

 

Obfuscated spammy text, links, or meta refreshes (which can be harder to detect). Try searching the page code for words like base_64. For example, text like eval(base_64_decode("aisiYSlbYlaws...")) might be used for cloaking.

 

 

I've dealt with enough of this type of spam to know it's commonplace on the web. This type of spam footprint is easy to spot on the text version of a webpage (see OP Google cache screenshot). 

 

Usually a SQL injection spawns new internal pages which doesn't typically happen on base64 spam.

 

I don't know who your clients are but you might be surprised how people will install themes/plugins without ever checking the source code for hidden links. I'm not suggesting you do this but unless your clients are technically savvy I bet if you suggested they install a WP theme or plugin with base64 hidden spam links, they would install the spam links without thinking twice. My point is people usually don't care about security until after there's a problem.


Usually a SQL injection spawns new internal pages which doesn't typically happen on base64 spam.

 

I don't know who your clients are but you might be surprised how people will install themes/plugins without ever checking the source code for hidden links. I'm not suggesting you do this but unless your clients are technically savvy I bet if you suggested they install a WP theme or plugin with base64 hidden spam links, they would install the spam links without thinking twice. My point is people usually don't care about security until after there's a problem.

 

That's true. Base64 and other forms of spam hacks often don't even touch the database (although you still should verify to be sure, and change all passwords).

 

There's the crowd that really likes to play with the themes and plugins. My typical scenario is a non-savvy person from a small business who's only interested in having a webpage. They don't want to touch anything on it, and often contract me to install the basic updates. On the other hand, I had to repeatedly discuss why plugins can't be tested on a production website with a lady from one of the biggest corporations I've worked for. In the usual case I'm managing the site, and in the case of the nutty plugin lady she ultimately had to obey their corporate IT.

 

So I guess my scenario is pretty different from your typical WP site.


I registered an account because of this thread.

Can you tell me what effect a base64 link can have on my website? I viewed my website's source code and found "base64". There is only one result.

I don't know what plugin or what thing contains this base64 link. What happens to my website if I remove this base64 link, or don't remove it?


I registered an account because of this thread.

Can you tell me what effect a base64 link can have on my website? I viewed my website's source code and found "base64". There is only one result.

I don't know what plugin or what thing contains this base64 link. What happens to my website if I remove this base64 link, or don't remove it?

 

 

 

 

I can't tell you what will happen without seeing the code. I can tell you that it's very much possible removing base64 code on a live website can lock a webmaster out of their admin pages.

 

First thing to do is check the text version of your webpages, If there's spam links you'll see them.

 

If you find spam links on your text versions of your webpages and it's a free theme or plugin, turn them all off and check each file one by one like the OP tutorial shows.

 

If it's a paid theme you'll most likely be ok just leaving the base64 code alone, most sellers don't sabotage their own products (themes, plugins). Assuming it's a paid theme/plugin downloaded from the original author and not a black hat site/forum.


If you find spam links on your text versions of your webpages and it's a free theme or plugin, turn them all off and check each file one by one like the OP tutorial shows.

 

If it's a paid theme you'll most likely be ok just leaving the base64 code alone, most sellers don't sabotage their own products (themes, plugins). Assuming it's a paid theme/plugin downloaded from the original author and not a black hat site/forum.

I use a paid theme but the plugins are free versions. All plugins I install are from the Wordpress store, not via a 3rd party. Can I be comfortable about it? All plugins in the WP store are carefully checked, right?


Well, I'm bookmarking this thread. I "get" how to hunt these down, but this is really depressing. I remember when the only thing you had to do to keep crap like this off your site was to put in an MS antiparse metatag. I also remember having to have a site rebuilt after a Mysql injection. Now this?

 

So I have to go back and check my new WP theme to make sure it's a clean copy, and then what?  Do I have to check every plugin before I try to use it?  


Well, I'm bookmarking this thread. I "get" how to hunt these down, but this is really depressing. I remember when the only thing you had to do to keep crap like this off your site was to put in an MS antiparse metatag. I also remember having to have a site rebuilt after a Mysql injection. Now this?

 

So I have to go back and check my new WP theme to make sure it's a clean copy, and then what?  Do I have to check every plugin before I try to use it?  

 

 

Yes, check everything, theme and all plugins. It only takes one entry point to drop spam links on a site.

 

If you download all the plugins and theme to your offline PC then it doesn't take very long to scan all the files following the OP tutorial. Shouldn't take more than a few minutes total. Once you know the files are safe, zip them back up and upload to your Wordpress Admin.


Yes, check everything, theme and all plugins. It only takes one entry point to drop spam links on a site.

 

If you download all the plugins and theme to your offline PC then it doesn't take very long to scan all the files following the OP tutorial. Shouldn't take more than a few minutes total. Once you know the files are safe, zip them back up and upload to your Wordpress Admin.

Thank you.  

 

From what I am understanding here, though - I'm not to remove base links because it might lock me out of my admin? Does this mean if I find one on my theme or a plugin that I can't use it or do I just need to get it from a different site. I only download from wordpress.org.


The problem with that is it's like going to a hospital after someone shoots their own foot.

These types of base64 pharma/porn links are willingly being installed & activated by unwitting webmasters.

These are not hacks in the sense that a malicious person cracked a WP admin password, or host password.

If the first thing you installed on your brand new site was a plugin such as Wordfence and had it running it should alert or protect you from then on for something such as these base64 links popping up after?


If the first thing you installed on your brand new site was a plugin such as Wordfence and had it running it should alert or protect you from then on for something such as these base64 links popping up after?

 

 

I don't use Wordfence but from what I've read on their plugin page it's trying to prevent hacks, other folks from entering the site. The problem is a WP Admin has rights to install a plugin/theme which isn't a hack but can include bogus links or base_64 code/links.

 

Personally I'd manually check everything offline before installing on a host. It only takes a few minutes and you don't have to guess If a security plugin is working.


Really well elaborated thread with lots of information but I use Maldet software on my server to find all bad links.

 

It marks base64 as malicious code and informs me. It's so simple ;)

