A classic example is a normal readable string that gets encoded:
$normal = "A normal string that is readable";
$encode = base64_encode($normal);
echo $encode; //QSBub3JtYWwgc3RyaW5nIHRoYXQgaXMgcmVhZGFibGU=
Then to decode the now encoded string:
$our_string = "QSBub3JtYWwgc3RyaW5nIHRoYXQgaXMgcmVhZGFibGU=";
echo base64_decode($our_string); //A normal string that is readable
In a directory of PHP exploit scripts, base64_decode was found in 31 of the files. Wphackedhelp sums it up by saying base64_decode mostly exists in WordPress code when it is being used to hide malicious code.
As the example above shows, you simply have no idea what the encoded string is; it could be a sentence or, worse, actual PHP code.
A soft example is this string:
$our_string = 'DQokZGF0YSA9ICIkaXAgJHVzZXJuYW1lICRwYXNzd29yZCAkZGIiOw0KJGYgPSBmb3BlbigibG9nLnR4dCIsICJhIik7DQpmd3JpdGUoJGYsJGRhdGEuIlxyXHJcbiIpOw0KZmNsb3NlKCRmKTs=';
Looking at it, you have no idea what it is, says or does.
echo base64_decode($our_string);
//eval(base64_decode($our_string)); //runs the decoded code
//Decoded output
$data = "$ip $username $password $db";
$f = fopen("log.txt", "a");
fwrite($f,$data."\r\r\n");
fclose($f);
//Formatted
$data = "$ip $username $password $db";
$f = fopen("log.txt", "a");
fwrite($f, $data . "\r\r\n");
fclose($f);
This will write those variables (if they are set) into a text file called log.txt. Of course it would be better to turn off errors and add in many more common variables and see what gets written. That is just a small achievement with base64_decode and eval().
Creating a PHP file and then accessing it is common, as is the use of $_GET to have better “customization” over certain values being involved in the hack.
It can be an eye opener to see how easy it is, and how much freedom one can have, when running an encoded script on your server. All the more reason to never use nulled scripts, themes and plugins.
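To see what strings like the two above contain without ever running them, here is an added example (not from the original post): a Python sketch that pulls base64-looking literals out of PHP source, decodes them as text only, and flags decoded text that contains PHP calls. The 24-character minimum, the hint list and the names `scan` and `SAMPLE` are assumptions made for illustration.

```python
import base64
import binascii
import re

# Quoted literals made only of base64 characters, 24+ long (threshold is an assumption).
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{24,}={0,2})\1""")
# Calls and superglobals suggesting the decoded text is PHP code (illustrative, not exhaustive).
CODE_HINTS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|fopen|fwrite|"
    r"file_put_contents|base64_decode)\s*\(|\$_(GET|POST|REQUEST|COOKIE)\b"
)

def decode_literals(php_source):
    """Yield the decoded text of each base64-looking literal. Nothing is executed."""
    for match in B64_LITERAL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(2), validate=True)
            yield raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or binary data rather than text

def scan(php_source):
    """Return one finding per decodable literal, marked suspicious if it looks like code."""
    findings = []
    for text in decode_literals(php_source):
        hints = sorted({m.group(1) or "$_" + m.group(2)
                        for m in CODE_HINTS.finditer(text)})
        findings.append({"decoded": text, "hints": hints, "suspicious": bool(hints)})
    return findings

# Constructed sample: a PHP file holding the two encoded strings shown in this post.
SAMPLE = r'''<?php
$a = "QSBub3JtYWwgc3RyaW5nIHRoYXQgaXMgcmVhZGFibGU=";
$our_string = 'DQokZGF0YSA9ICIkaXAgJHVzZXJuYW1lICRwYXNzd29yZCAkZGIiOw0KJGYgPSBmb3BlbigibG9nLnR4dCIsICJhIik7DQpmd3JpdGUoJGYsJGRhdGEuIlxyXHJcbiIpOw0KZmNsb3NlKCRmKTs=';
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        label = "SUSPICIOUS" if finding["suspicious"] else "plain text"
        print(label, finding["hints"], repr(finding["decoded"][:60]))
```

A literal that decodes to plain text is still reported, so each one can be reviewed by eye; layered or split encodings would need the decode step repeated on the output.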