How to check your site for base64 links

by yukon Banned
14 replies
  • SEO
  • |
[How to check your site for base64 links]

This is a quick way to check your site for hidden base64 links, which are used by link spammers. There's multiple ways to check a live site for hidden links, this technique is one of the faster ways to check a Wordpress theme.

This assumes your not technically challenged. If you need individual help checking your own files, hire someone to help you, tell them to read the instructions below.



Step #1

Get a copy of your Wordpress theme onto your offline desktop, you can use something like Filezilla (free FTP).



Step #2

We need a way to search the entire Wordpress theme (including any theme sub-folders), we'll use Notepad++ (free text editor).



Step #3

With the Wordpress theme on your desktop, open Notepad++, go to Search --> Find, you'll get a popup window search box.

Click the Find in Files tab on the search box popup window.

Here's my settings inside the Notepad++ search box:




What this does is scan the entire WP theme including any sub-folders, then list each instance of the keyword base that is found inside the theme template files & displays the line-number where the keyword was found. This takes only a few seconds to scan the entire Wordpress theme.

You can also use this for searching for the keyword http, to verify all the regular links are legit links inside the Wordpress theme.

This will work for any type of CMS (Joomla, Drupal, Wordpress, etc...), even bulk plain HTML files/folders. If you can get your files on your offline desktop, you scan for hidden links.






How do I know what hidden links look like?

The base64 links usually only show up in the Google Cache (text version), not in the live web page HTML, not in the full Google Cache.

Here's a screenshot of what base64 links can do to a web page (major link spam):







What should I do If my theme has hidden base64 links?

The first thing I would do is switch your theme back to the default theme that was included with your Wordpress install.

Next, delete the infected base64 theme from your live site.

Do not try & make edits to a live sites Wordpress theme that has base64 links, sometimes the base64 link code will make calls to multiple theme files so If the code on one template page is removed, the entire site will get locked up (trust me on this, I've had it happen), the only way back into the site is Cpanel, or If you know what your doing, FTP.




Is a Wordpress theme the only place base64 links might be hidden?

No, base64 links can also be hidden inside Wordpress plugins. Do the same search for the keyword base on all the plugin files (everything).

A Wordpress plugin can add links anyplace on your live web page, the base64 links do not have to be in (example) a header.php file to show up in the live web pages header.




How do I view the Google Cache (text version)?

You can view your Google Cache (text version) by adding cache: to the front of any URL, If a Google Cache exist, then you should see a link in the top/right side of the cache page (Text-only version).

Here's an example of the Warrior Forums Google cache (text version):
If for some reason you don't see a link to the text version of the Google cache, then add this to the end of the URL of the full Google cache URL:
&strip=1
The &strip=1 part of the URL is what triggers the text version of a Google cache.




How can I prevent base64 from ever getting on my new website?

The easiest way to prevent base64 links from ever getting on your live website to begin with is, simply download all Wordpress themes & Wordpress plugins to your offline desktop, then use the Notepad++ search function (above) to verify no base64 links exist inside of any files that will be installed on your live webpage.



Why do people add these base64 links to free Wordpress themes/plugins?

They're link spammers, that's what link spammers do, they find the easiest way to add links to any webpage. Wordpress powers approx. +14% of the worlds blogs, If even a small amount of that percentage is hit with base64 link spam, that's a huge amount of links. Remember, these base64 links are typically site-wide spam links, most Wordpress blogs have hundreds/thousands of pages per domain (massive amount of spam links).

Google is catching on to which sites have been hit with base64 links, this Google page mentions base64.




Can I search my live site/blog for base64 links?

You can manually search your live site/blog template files via your CMS Admin. panel, but it's very time consuming since there's so many files that need to be searched. If you miss one instance of the base64 link code, you could either still have the spam links on your site/blog, or worse, lock up your entire site (mentioned above). IMO, it's easier/faster to automate the base64 search while running Notepad++.




Is every instance of the keyword base a problem?

You might find that every instance of the keyword base isn't a problem, this is a generic search string instead of searching for example: base_64, base64, etc...

Use your own judgement for deciding which template code is actually base64 code. Here's what part of the base64 code might look like (random numbers/letters):
dGhpcyBpcyB3aGF0IGJhc2VfNjQgY29kZSBsb29rcyBsaWtl
Since all themes are different & all themes have different theme authors, it's possible that some parts of a theme template page could be legitimately encrypted, example for verifying the user has a payed license code to actually use the theme.

My advice is, If you're running anything free, do a base64 search on the entire theme/plugin files/folders to be on the safe side.





Related Google links:
#base64 #check #links #site #yukon
  • Profile picture of the author intergen
    Hey Yukon great info! I got hit with a Base64 exploit and did a lot of what you are talking about here. I still had hidden files I could not find and spent days looking for them.

    Since I had a Wordpress install I found a plug-in called "exploit scanner" ran it and found the hidden Base64 exploit files.

    They got removed and my problem went away.
    {{ DiscussionBoard.errors[7870614].message }}
  • Profile picture of the author Lyanna
    My site was hacked so my hosting did a backup. Just checked and it seems clean of the base64, thanks for the help.
    {{ DiscussionBoard.errors[7871992].message }}
  • Profile picture of the author jovykhan
    Now that's the easy way to do it. Before I searched it via WP editor and checked every file one by one.

    Thanks yukon!
    Signature
    LocalFinder.net Australia's Leading Online Business Directory
    Australian Local Citation Service
    {{ DiscussionBoard.errors[7872069].message }}
  • Profile picture of the author kpmedia
    Just note that not all base64 is malicious code.
    And I'd use grepWin, not the built-in Windows search function.
    {{ DiscussionBoard.errors[7872155].message }}
  • Profile picture of the author xMizzlex
    Thank you for this awesome info, Yukon.

    I'm using the shortcodes-ultimate plugin and I found this:

    / base64 encoded red image that says 'no hotlinkers'
    Line 221: $imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YU Z\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP 6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");

    Could that cause any harm?
    {{ DiscussionBoard.errors[7885225].message }}
    • Profile picture of the author Cosmit
      Originally Posted by xMizzlex View Post

      Thank you for this awesome info, Yukon.

      I'm using the shortcodes-ultimate plugin and I found this:

      / base64 encoded red image that says 'no hotlinkers'
      Line 221: = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YU ZnOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpnebnDULB3RP6 JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");

      Could that cause any harm?
      It's most likely just binary data for an image. You can always decode it here.
      {{ DiscussionBoard.errors[7885996].message }}
  • Profile picture of the author legoog8
    Hey,

    Is this just for WordPress or what about blogger blogs too?
    Signature
    {{ DiscussionBoard.errors[7886083].message }}
    • Profile picture of the author yukon
      Banned
      Originally Posted by legoog8 View Post

      Hey,

      Is this just for WordPress or what about blogger blogs too?
      Blogger runs a single page template, you can open your blog template in your blogspot Admin, then do a page search for the keyword base directly from your browser.
      Signature
      Hi
      {{ DiscussionBoard.errors[7886107].message }}
  • Profile picture of the author legoog8
    I see thanks!
    Signature
    {{ DiscussionBoard.errors[7886114].message }}
  • Profile picture of the author tritrain
    I found that someone hijacked my Analytics. While at the same time (possibly the same person) was hitting my site via proxies, trying to gain access. I created traps and such to catch them in the act and immediately ban the IPs.

    Maybe this is one of their intentions, to add spam links too? I suspect they may have been trying to do base injections.


    Oh, by the way Digital Pointe has a tool to decrypt base64, so you can make sense of the code.

    More importantly, try https://sitecheck.sucuri.net/
    You can scan your website for free.

    Also, there are a couple WP addons that check for such things, as well as protect your site. Wordfence is a good security addon.
    Signature
    Domains for sale - see seopositions.net
    {{ DiscussionBoard.errors[10044642].message }}
    • Profile picture of the author yukon
      Banned
      Originally Posted by tritrain View Post

      I found that someone hijacked my Analytics. While at the same time (possibly the same person) was hitting my site via proxies, trying to gain access. I created traps and such to catch them in the act and immediately ban the IPs.

      Maybe this is one of their intentions, to add spam links too? I suspect they may have been trying to do base injections.


      Oh, by the way Digital Pointe has a tool to decrypt base64, so you can make sense of the code.

      More importantly, try https://sitecheck.sucuri.net/
      You can scan your website for free.

      Also, there are a couple WP addons that check for such things, as well as protect your site. Wordfence is a good security addon.
      The problem with base64 on Wordpress is webmasters need to get in the habit of checking for problems offline (see OP) before uploading to their host/server.

      Preventive maintenance is easier than waiting for Google or traffic to find the problem first.
      Signature
      Hi
      {{ DiscussionBoard.errors[10113668].message }}
  • Profile picture of the author jazbo
    This is great advice. I'm off to try it!
    Signature
    CONTENT WRITER. Reliable, UK-Based, 6 Years Experience - ANY NICHE
    Click Here For Writing Samples & Online Ordering
    {{ DiscussionBoard.errors[10114849].message }}
  • Profile picture of the author Nabaleka
    I just read an article on free themes and plugins being a source of malicious attacks yesterday and now I have seen this. Thanks
    {{ DiscussionBoard.errors[10114888].message }}
    • Profile picture of the author yukon
      Banned
      Originally Posted by Nabaleka View Post

      I just read an article on free themes and plugins being a source of malicious attacks yesterday and now I have seen this. Thanks
      Don't get paranoid over something being free. Just because somethings free doesn't mean the person who origionally created the theme/plugin ever had malicious intent.

      Here's what happens most times...

      Someone with good intent creates a free theme/plugin.

      Along comes a link spammer downloading free themes that other people created. The link spammer adds base64 spam links & starts uploading to the net because they know the original theme already has traffic wanting to download the theme/plugin.

      So..., now there's multiple versions of a single theme/plugin spread all over the net. The issue is, a webmaster needs to search the theme/plugin files & determine If the theme is legit or a theme/plugin that has been hacked with base64.

      Obviously a link spammer can create themes/plugins from scratch but it's doubtful that happens much because link spammers have a lazy mindset, they're not in the business of creating content. Their business is blasting as many links as possible.

      Do your part by verifying a theme/plugin is legit before uploading to a host & you'll be fine.
      Signature
      Hi
      {{ DiscussionBoard.errors[10115074].message }}

Trending Topics