At my company, we have a problem with most eCommerce software like osCommerce and OpenCart and some content management sites like WordPress or Joomla!.
This is the code we find in, pretty much, every footer.php, header.php and index.php file in some of the sites my company is running on a 3rd-party hosting company.
Giving it a thought… isn’t it possible to have a regex for detecting this particular piece of code? It’s exactly the same pattern found on some pages, without variation, so I think a pattern-matching algorithm or a search-and-replace method would be the best candidate to help us (apart from a good security audit, which we’re actually running with one of Spain’s top auditing companies).
Can you give me a hint on what method we could use for such a detection and removal pattern?
2 Answers
I wouldn’t use an automated process on something so critical. I would want a human to check each file specifically as part of the removal.
Just search for that base64 string?
aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==
It decodes to:
hxxp://browserglobalstat.com/statD/stat.php
(don’t go there!!) so it’s probably always the same string.
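A report-only scan along the lines of both answers, added here as an example and not code from either poster: it flags PHP files containing the exact base64 string, and goes one step further by decoding other quoted base64 literals and flagging any that point at the same host. The function names, the 16-character literal threshold and the sample files are assumptions made for the illustration; nothing is modified, so each hit can still be checked by a person before removal.

```python
import base64
import re
import tempfile
from pathlib import Path

# Indicator quoted in the answer above; the host is derived by decoding it.
MARKER_B64 = "aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA=="
MARKER_HOST = base64.b64decode(MARKER_B64).decode().split("/")[2]
# Assumption: variants, if any, appear as quoted base64 literals of 16+ chars.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")

def decodes_to_host(literal):
    try:
        return MARKER_HOST.encode() in base64.b64decode(literal, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return False

def scan_text(text):
    """Return (line_number, reason) findings for one file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if MARKER_B64 in line:
            findings.append((no, "exact marker"))
        elif any(decodes_to_host(lit) for lit in B64_LITERAL.findall(line)):
            findings.append((no, "base64 literal decoding to marker host"))
    return findings

def scan_tree(root):
    """Scan every *.php file under root. Report only, never modify."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Constructed sample tree (not the real injected code): two hits, one clean."""
    variant = base64.b64encode(f"hxxp://{MARKER_HOST}/other.php".encode()).decode()
    samples = {
        "footer.php": f"<?php\n$x = '{MARKER_B64}';\n",
        "inc/header.php": f'<?php\n// constructed variant\n$x = "{variant}";\n',
        "index.php": "<?php echo 'hello'; ?>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            target = Path(root, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(root)
```

Pointing `scan_tree` at a copy of the web root gives a per-file list of line numbers to review by hand.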