Remote Script Injection caught by BitNinja
Nikoletta Szabo

Let’s look at real-life evidence from the BitNinja logs of how we detect and block script injection. Hackers always think they can fool the software, but their malicious scripts and packages are constantly dropped by Ninja Security. Being a machine-learning system, BitNinja collects the attack information and shares it with the other protected servers, so they are shielded from the same attack.

What does this code mean?

This time, the hacker wrote a neat piece of code encoded with base64, but even a glance at this suspicious string shows that something is wrong in the background.

The whole string is written in PHP. There are signs that it was encoded with base64, for example “b64d”, an abbreviation the hacker chose to mask the obvious presence of base64. In PHP, “eval” runs the code between the quotes, which grants the attacker full control over the server.

If we decode the strings, this is what we get:

This means that the intruder must have hidden a malicious script or infection on the server earlier and is now checking whether it is still there. If the hidden backdoor on the still-vulnerable server is found, the attacker can easily enlist the victimized server in a zombie botnet or launch further attacks through it, while masking the real origin of the attempts.
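The pattern described above, an eval() call fed by a base64 decoder hidden behind an alias such as $b64d, can be picked out of PHP source or request bodies with a small scanner. The following is an added example and not BitNinja’s own detection code; the PHP sample it scans is constructed here, and the hidden payload is a file-existence probe of the kind the post describes.

```python
import base64
import re
from typing import Dict, List

# Matches aliasing of the decoder, e.g.  $b64d = 'base64_decode';
ALIAS_RE = re.compile(r"\$(\w+)\s*=\s*['\"]base64_decode['\"]\s*;")
# Matches eval(<decoder>('<base64 blob>')) where <decoder> is either the
# real function name or a $variable that holds it.
EVAL_RE = re.compile(
    r"eval\s*\(\s*(?:\$(?P<var>\w+)|(?P<fn>base64_decode))\s*\(\s*"
    r"['\"](?P<blob>[A-Za-z0-9+/=]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)


def find_eval_base64(php_source: str) -> List[Dict[str, str]]:
    """Return the decoded payload of every eval(base64_decode(...)) call,
    resolving $aliases such as the 'b64d' trick described in the post."""
    aliases = set(ALIAS_RE.findall(php_source))
    findings = []
    for m in EVAL_RE.finditer(php_source):
        if m.group("var") and m.group("var") not in aliases:
            continue  # variable is not known to hold base64_decode
        decoder = m.group("fn") or "$" + m.group("var")
        try:
            raw = base64.b64decode(m.group("blob"), validate=True)
        except ValueError:
            continue  # not valid base64, so not this obfuscation pattern
        payload = raw.decode("utf-8", errors="replace")
        findings.append({"decoder": decoder, "payload": payload})
    return findings


# Constructed sample (not taken from the BitNinja logs): the decoder is
# aliased as $b64d and the blob hides a probe for a previously dropped file.
HIDDEN_PAYLOAD = "echo file_exists('/tmp/.probe.php');"
SAMPLE_PHP = (
    "<?php $b64d = 'base64_decode'; eval($b64d('"
    + base64.b64encode(HIDDEN_PAYLOAD.encode()).decode()
    + "'));"
)

if __name__ == "__main__":
    for f in find_eval_base64(SAMPLE_PHP):
        print(f"eval via {f['decoder']}: {f['payload']}")
```

The scanner only follows the direct-assignment alias shown in the post; string concatenation or variable-variable tricks would need additional rules.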

This server is safe from intrusions like this and many others; what about yours? Write us an email and we will help you equip your treasured server with the weapons it needs to continue the daily battle against malicious requests and attacks.