I think my site has been hacked! I found these lines of code on all my php files and I didn't put them there. Problem is I don't know enough php to understand what this batch of code does. Could anyone please help? How bad is it?
We seem to be seeing more of this as I've noticed more similar posts of this nature. People are encoding malicious PHP code as base64 and calling base64_decode so it is turned into readable/executable code.
Some people run into this and see that all of their PHP files have had this included. If it is true in your case you should delete all the files containing it and re-upload the valid .php files. Check for .php files with a weird name that you didn't upload yourself. It can be any number of directories away from the one where your changed files are.
If you find one you will need to delete it, as it will keep adding the base64 code to files which you've "cleaned". Even if you find it and delete it, check your entire database to make sure that the malicious file didn't add code to your database that will also check that the malicious code is in your php files and add it again if you've removed it.
If your server allows you to do it view your logs to see when files were uploaded to your site. Look especially hard for where the malicious file was added. It can help you pinpoint anything else that may have been done and where within your directory structure it was done.
You should change your hosting account username/password, FTP account(s) username/password as well as those for any affected databases.
This type of attack seems to be quite common in WordPress installations but you don't have to be using WordPress for it to happen.
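The file check described in the answer above can be automated. This is an added example, not part of the original posts: a small Python scanner that flags PHP files where `base64_decode` is fed straight into an executing construct, newest first so the modification times can be compared with the server logs. The extension list, the 200-character threshold and the sample file names are assumptions.

```python
import os
import re
import tempfile
import time

# Decoder call directly inside an executing construct, e.g. eval(base64_decode("..."))
EXEC_DECODE = re.compile(
    rb"\b(?:eval|assert|create_function)\s*\(\s*(?:@\s*)?"
    rb"(?:(?:gzinflate|gzuncompress|str_rot13|strrev)\s*\(\s*)*base64_decode\s*\(",
    re.IGNORECASE)
# Long base64-looking string literal (threshold is an assumption; tune per site)
LONG_B64 = re.compile(rb"[\"'][A-Za-z0-9+/=]{200,}[\"']")

def scan_file(path):
    """Return the list of reasons this file looks injected (empty if none)."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if EXEC_DECODE.search(data):
        reasons.append("eval-of-base64_decode")
    if LONG_B64.search(data):
        reasons.append("long-base64-literal")
    return reasons

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk root; return [(path, mtime, reasons)] for flagged files, newest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                reasons = scan_file(path)
                if reasons:
                    hits.append((path, os.path.getmtime(path), reasons))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def demo():
    """Constructed sample tree: one clean file, one oddly named file with an injected line."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    os.makedirs(os.path.join(root, "img", "cache"))
    with open(os.path.join(root, "img", "cache", "x7.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('" + "QUJD" * 60 + "')); ?>\n")
    return root, scan_tree(root)

if __name__ == "__main__":
    for path, mtime, reasons in demo()[1]:
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path, reasons)
```

A hit is a reason to open the file, not proof of compromise, since some legitimate code decodes base64 data. Run `scan_tree()` against a copy of the web root rather than the live site.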
You're very welcome. I don't know if the script(s) you're running were written by you or if you're using another party's code. If someone else coded it I would inform them of the vulnerability so that they can address the issue and patch it.
Whether you coded it or someone else did I would set MAXLENGTH for all text inputs and textareas to the most that you'd want to allow. Also set the same max length to the column that stores the data from that input field.
One reason base64 is used in these attacks is that if they are using a form to initiate the attack, it will pass most filtering/sanitization functions because the encoded code would pass most if not all sanitization checks.
Here's a site which offers some details on options you can turn off in your php.ini file IF your server host allows it. They turn off many server features which these base64 attacks use which wouldn't normally be used by you yourself. http://www.thonky.com/how-to/prevent-base-64-decode-hack/
You can reactivate something in the future if you should need it for your own purposes but again most of them are basically unnecessary and unfortunately open vulnerabilities.
You can also search online for other info regarding base64 attacks using PHP but this may be sufficient. If you're satisfied please mark this thread as solved. Or leave it open if you seek more info.