Not all PHP scripts are created equal. Just like there are counterfeit watches on the market, there are also counterfeit premium themes, plugins, and scripts that can be downloaded from the web. These are called nulled PHP scripts. Urban Dictionary defines the term nulled as a program that has been modified so that it does not call home to report that you did not purchase the software. This allows people to redistribute paid software for their own gain at deep discounts, sometimes even for free, without paying the original authors.
Scanning For Nulled PHP Scripts
Like it or not, nulled scripts happen. There are entire marketplaces that look completely legit, dedicated to selling the latest versions of stolen software for 50% or more off. Some even have their own software update clients, ensuring you’re on the latest version as if you had paid full price.
Unfortunately, not all illegal software is simply a stolen copy. A majority of “nulled scripts” you find online include remote backdoors, click hijacking, and advertisements. It’s important for webmasters and server administrators to know exactly what they’re hosting. A popular way the distributors hide malicious code in nulled PHP scripts is with something called base64. This scrambles and encrypts the plain text, making it more difficult to detect — but not impossible!
There are several powerful commands within PHP scripting that typically raise red flags with security professionals. One of them is having a large, unexplained encrypted chunk of data in the middle of your script or plugin. Luckily, this data can be decoded with even trivial online tools; just search for a base64 decoder.
To help keep a lid on this problem of end-users uploading shady code (usually to save a buck or two), I created a Bash script called PHP Nulled Scanner that checks for several red-flag PHP commands that are generally found in stolen PHP software. You can check it out on my GitHub.
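To show the kind of check such a scanner performs, here is a small added example (my own illustration, not the PHP Nulled Scanner’s code): it walks a tree of .php files and reports lines that call red-flag functions such as eval() or base64_decode(), and lines that carry a long run of base64-alphabet characters, which is the “large, unexplained chunk of data” described above. The function names, the 100-character blob threshold and the sample files are assumptions chosen for the demo.

```shell
#!/usr/bin/env bash
# Added example: a minimal nulled-script scanner (not the project's own code).
# Flags PHP lines that use decode/execute functions or embed a long base64 blob.

# Red-flag PHP functions that commonly appear in injected backdoors.
RED_FLAGS='eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|assert\(|create_function\('
# A run of 100+ base64-alphabet characters is rarely hand-written code (threshold is an assumption).
BLOB='[A-Za-z0-9+/=]{100,}'

# scan_file FILE: prints "FILE:LINE:reason" per hit; exit 0 if anything was flagged, 1 if clean.
scan_file() {
  local f="$1" hits=0 line n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    if printf '%s' "$line" | grep -Eq "$RED_FLAGS"; then
      printf '%s:%d:red-flag function\n' "$f" "$n"; hits=$((hits + 1))
    fi
    if printf '%s' "$line" | grep -Eq "$BLOB"; then
      printf '%s:%d:long base64-looking blob\n' "$f" "$n"; hits=$((hits + 1))
    fi
  done < "$f"
  [ "$hits" -gt 0 ]
}

# count_hits FILE: number of flagged lines, printed to stdout.
count_hits() { scan_file "$1" | wc -l | tr -d ' '; }

# scan_tree DIR: scan every .php file under DIR (file names containing newlines are not handled).
scan_tree() {
  find "$1" -type f -name '*.php' | while IFS= read -r f; do
    scan_file "$f" || true
  done
}

# make_samples DIR: writes a clean file and a constructed shady file (not a real payload) for a demo run.
make_samples() {
  printf '<?php\necho "hello";\n' > "$1/clean.php"
  blob=$(printf '%0120d' 0 | tr 0 A)   # 120 x 'A' stands in for an encoded payload
  printf '<?php\n$x="%s";\neval(base64_decode($x));\n' "$blob" > "$1/shady.php"
}

if [ $# -gt 0 ]; then scan_tree "$1"; fi   # usage: ./scan.sh /var/www
```

Run it against a document root and review every hit by hand: legitimate plugins do call base64_decode() for things like image data, so the output is a triage list, not a verdict.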
Let’s take a look at one of these backdoors:
This PHP code was discovered after a hacker breached a web server and injected this garbled code into every index.php file. As you can see, it’s not easy to read because it has been encrypted with base64. When we run base64_decode on it, we can see below what it is really doing.
It appears that this code is written for Blackhat SEO purposes. You can see the referral link at the bottom of the decoded output, as well as user agent blockers for search engines. These types of infections are common in nulled scripts. To avoid having to deal with this, I recommend seeking out the original software author and buying a legitimate copy. It is important to educate your users on the risks of getting discounted or free PHP scripts, as they can easily lead to issues for every site hosted on the same server.
Ready to scan your website for PHP backdoors? Check out my PHP Nulled Scanner on GitHub.