Recognizing a Base64 + gzinflate Malware File in an Evolution CMS Site
How to recognize a likely malware file in an Evolution CMS project when it hides behind encoded PHP payloads.
A random PHP file inside assets is bad enough. A PHP file that wraps its logic in base64, gzinflate, and opaque hashes is a serious compromise signal.
The reported file matched a familiar malware pattern: encoded payloads designed to hide their real behavior from casual inspection. That is not a “strange utility script”. It is the kind of artifact that should trigger a full incident response mindset.
The right response is broader than deleting one file. You need to inspect neighboring files, review writable directories, rotate credentials, check for modified core files, and identify how the attacker got in. Otherwise the backdoor often returns.
For Evolution CMS maintainers, this kind of pattern is worth documenting because many hacked sites show the same obfuscation signatures.
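One way to triage a site tree for the signature described above, as an added example that is not part of the original post or of Evolution CMS: a Python scanner that flags PHP files combining base64_decode, gzinflate, an executing call, and a long encoded literal. The function list, the 200-character threshold, the file names and the sample tree are assumptions constructed for illustration; the sample blob is an inert placeholder.

```python
import re
import tempfile
from pathlib import Path

# Decoder/executor calls that obfuscated PHP tends to chain (assumed list).
CALLS = re.compile(r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# A long quoted run of base64-alphabet characters suggests an embedded payload.
BLOB = re.compile(r"""["'][A-Za-z0-9+/=]{200,}["']""")
PHP_EXT = {".php", ".phtml", ".php5", ".inc"}
EXEC = {"eval", "assert"}

def score_file(path):
    """Return the list of obfuscation indicators found in one file."""
    text = Path(path).read_text(errors="replace")
    funcs = {m.group(1).lower() for m in CALLS.finditer(text)}
    reasons = []
    if {"base64_decode", "gzinflate"} <= funcs:
        reasons.append("base64_decode+gzinflate")
    if funcs & EXEC and funcs - EXEC:
        reasons.append("executes decoded data")
    if BLOB.search(text):
        reasons.append("long base64 literal")
    return reasons

def scan(root, min_hits=2):
    """Map relative path -> indicators for PHP files with at least min_hits."""
    root = Path(root)
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_EXT:
            reasons = score_file(p)
            if len(reasons) >= min_hits:
                hits[p.relative_to(root).as_posix()] = reasons
    return hits

def build_sample_tree(root):
    """Constructed sample: one inert obfuscated stub, one benign decoder use."""
    assets = Path(root) / "assets" / "images"
    assets.mkdir(parents=True)
    # Placeholder blob ("A" * 240), not a real payload.
    (assets / "cache.php").write_text("<?php eval(gzinflate(base64_decode('" + "A" * 240 + "'))); ?>")
    (assets / "upload.php").write_text("<?php $img = base64_decode($_POST['img']); ?>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reasons in scan(tmp).items():
            print(path, "->", ", ".join(reasons))
```

A hit is a lead for the wider review described above, not a verdict: a single base64_decode call is common in legitimate code, which is why the scanner requires at least two indicators before reporting a file.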