How to Remove Suspicious Code From WordPress Sites

What is suspicious code?


Suspicious code is code that matches general malware practices but may not fit into a specific category of malicious intent. Suspicious code may contain nothing inherently malicious; however, it matches patterns of either function usage or obfuscation (code made intentionally obscure or ambiguous) that are often malicious. Suspicious code should be examined more carefully to determine whether there are valid reasons for using the methods within it.




Determining if your site is infected


If your site has suspicious code within it, it does not necessarily mean that your site is infected. You’ll need to analyze the code on your site to determine if it has been placed with malicious intent or if it is functional code that is integral to your site’s operation.




Finding and Removing Suspicious Code


Removing suspicious code usually requires a deep understanding of coding methods and functions, and a judgement of whether the suspicious use of functions or obfuscation is warranted or valid. Suspicious code can be found in a site’s core, theme, or plugin files, and it can also be found within database content.




Here are some samples of suspicious code that we’ve found on sites. Remember, this does not necessarily mean that the code is malicious.




Samples of non-malicious suspicious code


Most non-malicious suspicious code uses some obfuscation technique built around the base64_decode() function.




Obfuscated theme options. Many premium themes come with obfuscated options embedded within the theme. The theme options are hidden with


Obfuscated variable names. ["\x64\x63\x66j\x68t\x68"] is actually a variable in a premium plugin that decodes to ["dcfjhth"]. It is not malicious.




Samples of malicious suspicious code


This code contains an array that rewrites variable names into unintelligible strings to hide the functionality of the script. A quick read of the code would not reveal that this is a malicious mailer script; that only becomes clear with a more in-depth review.



function v78ZFAX($vJOJJ7T, $vRJ8WGX) {
    // Swap each character through the lookup array, then base64-decode the result.
    $vM74216 = '';
    for ($i = 0; $i < strlen($vJOJJ7T); $i++) {
        $vM74216 .= isset($vRJ8WGX[$vJOJJ7T[$i]]) ? $vRJ8WGX[$vJOJJ7T[$i]] : $vJOJJ7T[$i];
    }
    return base64_decode($vM74216);
}

Suspicious code is often obfuscated using base64_decode functionality.


eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHRydW09aGVh

You might even see the base64_decode function reversed.


str_rev(edoced_46esab('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHRydW09aGVh

Often, suspicious code attempts to hide itself from detection by turning off any error reporting.



error_reporting(0);
or
error_reporting(E_ERROR | E_WARNING | E_PARSE);
or
ini_set('display_errors', "0");
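As an added example that is not code from the original article, the following Python script flags the constructs discussed above in PHP source (eval, base64_decode, strrev and reversed function names, error reporting turned off) and decodes hex-escaped string literals so a reviewer can see the plain identifier, as with the "dcfjhth" variable above. The rule names, the scan_source and scan_tree helpers, and the sample PHP it is run on are all constructed for this illustration; a hit is a prompt to look closer, not a verdict, for exactly the reasons the article gives.

```python
"""Flag the suspicious constructs this article describes in PHP source.

A hit is a reason to look closer, not proof of compromise: premium themes
and plugins legitimately use base64_decode() and hex-escaped identifiers.
"""
from __future__ import annotations

import re
from pathlib import Path

# Names whose reversed spelling appears when code hides a decoder behind strrev().
REVERSED_NAMES = [name[::-1] for name in ("base64_decode", "gzinflate", "str_rot13")]

# Each rule is applied to every source line; several rules may hit the same line.
RULES = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "strrev": re.compile(r"\bstrrev\s*\("),
    "reversed_function_name": re.compile("|".join(map(re.escape, REVERSED_NAMES))),
    "error_reporting_off": re.compile(
        r"\berror_reporting\s*\(\s*(?:0|E_ERROR\s*\|\s*E_WARNING\s*\|\s*E_PARSE)\s*\)"),
    "display_errors_off": re.compile(
        r"\bini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*['\"]?0['\"]?\s*\)"),
}

# A double-quoted PHP string literal, allowing escaped characters inside it.
DQ_STRING = re.compile(r'"((?:\\.|[^"\\])*)"')
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
MIN_HEX_ESCAPES = 3  # a literal with fewer escapes is rarely worth a look


def decode_hex_escapes(literal: str) -> str:
    r"""Replace \xHH escapes with the characters they encode: \x64\x63\x66j\x68t\x68 becomes dcfjhth."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def scan_source(source: str) -> list[dict]:
    """Return one finding per (line, rule) hit: {"line": n, "rule": name, "detail": text}."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append({"line": line_no, "rule": rule, "detail": line.strip()})
        # Hex-escaped literals get decoded so the reviewer can judge the real name.
        for match in DQ_STRING.finditer(line):
            body = match.group(1)
            if len(HEX_ESCAPE.findall(body)) >= MIN_HEX_ESCAPES:
                findings.append({
                    "line": line_no,
                    "rule": "hex_escaped_string",
                    "detail": f'"{body}" decodes to "{decode_hex_escapes(body)}"',
                })
    return findings


def scan_tree(root: str) -> dict[str, list[dict]]:
    """Scan every .php file below root; returns {relative path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed sample with the shapes of code discussed in the article (not a real infection).
SAMPLE_PHP = r'''<?php
// constructed sample
error_reporting(0);
ini_set('display_errors', "0");
$name = ["\x64\x63\x66j\x68t\x68"];
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw=="));
$f = strrev('edoced_46esab');
echo "hello";
'''

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_PHP):
        print(f"line {hit['line']:>3}  {hit['rule']:<24} {hit['detail']}")
```

Run scan_tree() against wp-content/plugins or wp-content/themes and read each hit in context; a premium theme that decodes its own option blob will light up base64_decode on every scan, which is why the decoded hex strings and the file's other hits matter more than any single match.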



Comparing files with core


A good method of analyzing suspicious code is comparing plugin or theme files on your site with the originals from the developer.
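As an added example that is not part of the original article, this Python script does the comparison described above: it hashes every file under the copy of a plugin on the site and under a pristine copy of the same version downloaded from the developer, then lists files that differ, files the site has that the package does not, and files the package has that the site lacks. The hash_tree, compare_trees and build_demo helpers and the tiny three-file sample plugin are constructed for this illustration.

```python
"""Compare a plugin or theme directory on the site with a pristine copy of the same version."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict[str, str]:
    """SHA-256 of every regular file below root, keyed by its path relative to root."""
    root_path = Path(root)
    digests = {}
    for path in root_path.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root_path).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(site_root: str, pristine_root: str) -> dict[str, list[str]]:
    """Classify every path as modified, added (only on the site) or missing (only in the package)."""
    site, pristine = hash_tree(site_root), hash_tree(pristine_root)
    return {
        "modified": sorted(p for p in site if p in pristine and site[p] != pristine[p]),
        "added": sorted(p for p in site if p not in pristine),
        "missing": sorted(p for p in pristine if p not in site),
    }


def build_demo() -> tuple[str, str]:
    """Constructed sample: a three-file plugin as shipped, and the copy found on a site."""
    base = Path(tempfile.mkdtemp(prefix="wp-compare-"))
    files = {
        "pristine/my-plugin/my-plugin.php": "<?php\n// Plugin Name: My Plugin\n",
        "pristine/my-plugin/includes/loader.php": "<?php\nrequire __DIR__ . '/helpers.php';\n",
        "pristine/my-plugin/includes/helpers.php": "<?php\nfunction mp_helper() {}\n",
        "site/my-plugin/my-plugin.php": "<?php\n// Plugin Name: My Plugin\n",
        # the same file, with a line the developer never shipped
        "site/my-plugin/includes/loader.php": "<?php\nerror_reporting(0);\nrequire __DIR__ . '/helpers.php';\n",
        # a file that is not in the developer's package at all
        "site/my-plugin/includes/cache-tmp.php": "<?php\n// not part of the package\n",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return str(base / "site"), str(base / "pristine")


def demo_report() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample."""
    return compare_trees(*build_demo())


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        for rel in paths:
            print(f"{kind:<9} {rel}")
```

Compare against a fresh download of exactly the version that is installed, not against a backup, since a backup taken after the compromise carries the same changes. Files reported as added deserve the closest look, because a developer package does not acquire new PHP files on its own; for modified files, a plain diff of the two copies shows what was inserted. For WordPress core itself, WP-CLI's wp core verify-checksums performs the same check against the checksums published by wordpress.org.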




If the code is within your database, you can look at the code around the suspicious code to determine if it is valid or not.




If, after reading this guide, you are unsure whether the suspicious code is valid or malicious, get help by contacting us on chat or by email at support@consignweb.com.




