blacklisted by Google

We woke up this morning to many reports and people asking why the site is being blacklisted.We did not get a chance to analyze it while it was compromised, but it seems that one of their javascript files ( was modified to inject a malicious iframefrom

That’s the supposed bad code:

It seems the PHP team fixed it already and requested Google to clear it. If anyone has more info, we would love to hear it.

bookmark_borderDo you still look for base64_decode?

A common keyword that people use to find hidden injections on web sites is base64_decode. Youoften see injections that look like eval ( base64_decode or eval ( gzinflate ( base64_decode beingused by the attackers.

So most web security tools have some signatures to look for it (specially on WordPress).

Well, the attackers do know about it as well and we are starting to see some interesting variations for it. Forexample, instead of injecting base64_decode, they are injecting as a variable:


And instead of calling out base64_decode directly, they are using base + 32*2 + decode. A simple trick that allowsthen to bypass many security filters.