So, I simply uploaded an old website to a domain I activated, and it had a very simple free PHP Blog script as part of it with a Footer that had “obfuscated” Copyright info in it more than likely to keep the author’s info from being removed which btw is a COMMON thing with scripts, especially free ones which people using free hosting would tend to use more, so this makes things difficult in more ways than one.
However, the moment I uploaded the site, my ENTIRE account was suspended, i.e. ALL of my websites went down, rather than simply the offending website. Now, I kinda can understand this since there’s just one FTP, and all sites are under that account.
So, I’m wondering to prevent all my websites going down if there’s ever an innocent issue in the future, since many scripts will have even a little obfuscated text for copyright purposes or code protection purposes, and a person can’t necessarily go through every line of code hunting for obfuscation (especially when I don’t think it all starts with Base64 thus easy to search for), can we use the “Up to 3 accounts” option to provide us with at least some “redundancy” so at least not “all” of our websites go down if there’s an issue with one? Or, do account suspensions suspend the ENTIRE “Main Account”, thus all websites will go down even if you’ve put some under different accounts?
I asked this question to support when I was getting my account unsuspended, but they ignored the question, and then for some reason, we can’t access Tickets anymore I’m guessing if it’s been closed or something (which is weird), the entire Ticket System just “disappears”.
Suspensions are done at the account level, not the website level. There are various reasons why an account might be suspended. For some it might make sense to target only a specific website, but for others it’s necessary to lock down the entire account.
In your case, it was a malware infection in the files of a single website, in which case it would make sense to only take down the single website.
But if someone overloads the server, we can quite reliably trace that back to an account but not always to a specific website. Or if someone is actually trying to do bad stuff, we want to lock down access to the contents of the website, but we can only block control panel, FTP and database access for the entire account.
While it’s hypothetically possible to make the suspension more granular, we don’t have the systems in place to do this.
Clearly you get your scripts from different sources than I do. Because the places where I get free software, they don’t put obfuscated code in their downloads.
The base64/eval code obfuscation trick isn’t necessarily harmful, but it does tell you that whoever wrote that code wants to hide what the code does. In the best possible circumstances, it’s just a bit of DRM to enforce a copyright notice. Although more serious developers would use a proper code protection solution like IonCube for this, not rely on cheap obfuscation tricks.
In the cases I’ve seen, obfuscated code frequently also included harmful ads, virus code, or a call home to the code author’s server from where it would send data about your website and/or receive remote code to execute in your website. There are a lot of bad things you can do with untrusted code, and these obfuscated code blocks are almost always bad news.
WordPress and other popular CMS don’t contain obfuscated code blocks. Neither do popular plugins from the official stores or other reputable sources. Most obfuscated code blocks I’ve seen are from pirated software and other stuff from sketchy websites, or they were added afterwards by a hacker or virus.
If I personally saw such code, I might decode it, verify it, strip it for the useful bits and put those back as regular code. Or maybe drop the software entirely and use safe software from a trusted source. I would definitely not leave the obfuscated code in there and just hope that it’s safe. Because it generally isn’t.
Most suspensions only target a specific account. But if we suspect that something really bad is going on, we may also attempt to suspend your other accounts pending further review.
If your account was reactivated, you can still view your tickets through the Deactivation History menu. If your account was suspended very recently, you may still be able to reply to the tickets too.
Interesting info. Ya, a lot of free scripts out there especially, they may obfuscate their copyright info to help prevent it from being removed. Although, this particular one was pretty LARGE, so I wonder if there is something actually bad in it?
You seem to know how to crack this code.
If I sent it to you would you be able to do it? I’m curious if there is bad stuff in it etc.
I’ve tried to deobfuscate before and now, and for some reason all the “decoders” out there don’t deobfuscate the code. Don’t know if I’m doing something wrong or what, i.e. like not selecting the right part of the code etc., but however way I’ve tried I haven’t gotten it to work, so I’m curious if you could explain it or show me a place that does. I clearly need to do more research to be doing it right or something.
Ya, for some reason it was just a Footer PHP in one site, and they suspended my entire account, and it seems to have been automatically by whatever security bot you have, cause it happened immediately after upload. So, given what you’ve said, I’m assuming that your Security system “won’t” ban my other accounts/websites if anything retarded occurs in one account (like something like this, totally innocent thing)?
Ah, I see… Crossed my mind I should click on that link, but I didn’t yet. LOL
BTW, did you see my last comment in relation to Comment Forms? What did you think?
I don’t really do de-obfuscation as a service, but I can share my method.
The basics of the obfuscation trick are that there is a code block like eval(base64_decode("asdfasdfasdf")); somewhere in the file. The eval(...) function takes PHP code text and executes it. The base64_decode(...) function takes any data which is encoded with the base64 algorithm and turns it back into the raw data.
So what you can do is take the base64 encoded text between the quotes and decode it without executing it. You can do that with PHP, another programming language or a web based tool. The output should be readable PHP code.
That said, this is only the simple case. I’ve seen many tricks to make it harder to decode, like having multiple rounds of eval and base64_decode, splitting the base64 payload into multiple variables and doing other transformations on the text. This is probably why the online decoder wasn’t able to make sense of it.
But it’s all possible to read, understand and repeat by hand by carefully checking the code. Just make sure you never actually run the eval function.
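The decode-without-executing method described in the post above, as an added example that is not part of the original thread: a Python script that treats the PHP file purely as text, peels repeated eval(base64_decode(...)) rounds, and joins payloads split into concatenated string literals. The names `peel` and `build_sample` and the sample footer are constructed for illustration; payloads split across variables or passed through other transforms are not handled and still need reading by hand.

```python
import base64
import binascii
import re

# Matches eval(base64_decode("...")) with single or double quotes. The payload
# may be split into several literals joined by PHP's "." concatenation operator.
WRAPPER = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*
        ((?:["'][A-Za-z0-9+/=\s]*["']\s*\.?\s*)+)
        \)\s*\)""",
    re.IGNORECASE | re.VERBOSE,
)
LITERAL = re.compile(r"""["']([A-Za-z0-9+/=\s]*)["']""")


def peel(source, max_rounds=10):
    """Return every decoded layer as text. The PHP is never executed."""
    layers = []
    current = source
    for _ in range(max_rounds):
        match = WRAPPER.search(current)
        if match is None:
            break  # no further wrapper: the last layer is the readable code
        payload = "".join(LITERAL.findall(match.group(1)))
        payload = re.sub(r"\s+", "", payload)
        try:
            raw = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            break  # not valid base64: stop and inspect this layer by hand
        current = raw.decode("utf-8", errors="replace")
        layers.append(current)
    return layers


def build_sample():
    """Constructed two-round footer; the outer payload is split into two literals."""
    inner = 'echo "Powered by ExampleBlog";'
    middle = 'eval(base64_decode("%s"));' % base64.b64encode(inner.encode()).decode()
    b64 = base64.b64encode(middle.encode()).decode()
    return '<?php eval(base64_decode("%s" . "%s")); ?>' % (b64[:20], b64[20:])


if __name__ == "__main__":
    for depth, layer in enumerate(peel(build_sample()), start=1):
        print("--- layer %d ---" % depth)
        print(layer)
```

Read the final layer before deciding whether to keep the script, looking in particular for network calls, further eval use, or file writes.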