I adore WordPress themes! And I like to download and test the themes (free ones) frequently. A few days back I came across a plugin, TAC (Theme Authenticity Checker), which checks for malicious code in the WordPress themes present in the /wp-content/themes folder.
When I ran TAC today, I found that a couple of the themes I downloaded yesterday (name withheld) had an encoded string in the footer section. TAC flagged them as potential threats, since malicious code could have been injected and encoded. The code looked something like this:
echo(base64_decode("PGRpdiBjbGFzcz0iZm9vdGVy
Ij4NCiAgPGRpdiBjbGFzcz0iZm9vdGVyX3R4dCI+IA0KICAgIDxw
PiBEZXNpZ25lZCBieTogPGEgaHJlZj0iaHR0cDovL3d3dy
50YWxrcmV2aWV3cy5jb20vdG9wLXNp
dGVzIj5Ub3AgV2Vic2l0ZSBSZXZpZXdzPC9hPiA8L3A+
DQoNCiAgICA8cD4NCiAgICAgIDxhIGhy
g0KDQo="))
I started looking for a tool that could decode this encoded string for me, and I found this page, which can encode as well as decode! There is a radio button at the bottom where you need to select the decode option. The decoded output will be displayed on the same screen within a few seconds!
Just replace the encoded code with the decoded one and the theme will continue to work like a charm!
Link: Base-64-encoder-decoder
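
The same decoding can be done locally, without pasting theme code into a web page and without running the PHP. The following is an added example, not code from the original post or from TAC: a Python sketch that pulls every base64_decode literal out of a theme file, decodes it, and keeps following nested layers (it goes beyond the single echo case above to cover eval wrappers and repeated encoding). The function names and SAMPLE_FOOTER are constructed for illustration.

```python
import base64
import binascii
import re

# Straight quotes plus the curly quotes blog software substitutes for them.
QUOTE = "[\"'\u201c\u201d]"
CALL_RE = re.compile(
    r"\b(?:(?P<wrapper>eval|echo|print)\s*\(?\s*)?base64_decode\s*\(\s*"
    + QUOTE + r"(?P<b64>[A-Za-z0-9+/=\s]+)" + QUOTE,
    re.IGNORECASE,
)

def decode_literal(b64_text):
    """Decode one string literal; return None if it is not valid base64."""
    compact = "".join(b64_text.split())      # literals are often line-wrapped
    compact += "=" * (-len(compact) % 4)     # tolerate stripped padding
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def unwrap(php_source, max_depth=5, depth=1):
    """Return [(depth, wrapper, decoded_text)] for each base64_decode literal,
    following nested layers. The PHP is only read as text, never executed."""
    findings = []
    if depth > max_depth:
        return findings
    for match in CALL_RE.finditer(php_source):
        decoded = decode_literal(match.group("b64"))
        if decoded is None:
            continue
        wrapper = (match.group("wrapper") or "").lower()
        findings.append((depth, wrapper, decoded))
        findings.extend(unwrap(decoded, max_depth, depth + 1))
    return findings

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample: harmless footer HTML wrapped in two layers.
INNER_HTML = '<div class="footer"><a href="http://example.test/">Example</a></div>'
SAMPLE_FOOTER = '<?php eval(base64_decode("%s")); ?>' % _b64(
    'echo(base64_decode("%s"));' % _b64(INNER_HTML))

if __name__ == "__main__":
    for depth, wrapper, text in unwrap(SAMPLE_FOOTER):
        note = "  <- would execute code; review by hand" if wrapper == "eval" else ""
        print(f"layer {depth} [{wrapper or 'bare'}]{note}\n{text}\n")
```

A layer whose wrapper is eval deserves a manual read of the decoded text before the theme is used, since that text is code rather than markup.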

November 29th, 2008 at 10:22 pm
if the author wants to be sure though he can use what is called code obfuscation and at that point you are in a deadlock…. also base64 encodings are used in mails
nice quick tip!
November 29th, 2008 at 10:40 pm
If code is obfuscated, I won’t even care to test the theme unless it’s released by a trusted source. And yeah I do know about base64 encodings, it is there in java as well!
November 30th, 2008 at 12:51 am
I'm just learning PHP and this looks like a pretty nifty tip! Will definitely keep this in mind. Great work, mate!
December 1st, 2008 at 3:28 am
yah it’s just another way of encoding your strings… as for the obfuscation you are right… i wouldn’t use it at all. when people try to hide and become “closed source” i get a bit mad
December 3rd, 2008 at 11:11 pm
That page didn’t work for me, but nice try. I’ll keep looking for some decoder…
December 4th, 2008 at 5:41 am
@onelag
It does work, I am 100% sure that it will work if you give the input properly. I hope you are not looking to decode eval().
December 15th, 2008 at 11:42 am
Hello
I tried the script on the page.
It doesn’t work with the code of my footer.
I get a result that is still encoded, such as: eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0; …..
December 15th, 2008 at 12:04 pm
Hi Jean,
I have focused on echo(base64_decode()) and not eval(base64_decode()). Hence that link is not working for your case. Try out this link and let me know if it was able to decode.
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx
You might have to decode recursively in case the coder has encoded the string recursively.
December 15th, 2008 at 12:26 pm
Thank you for your help. But this time it says “Sorry, it just was not possible to decode that string.”
Here is the code in a txt file
footer
it would be nice if you could throw a glance
December 15th, 2008 at 2:14 pm
As expected, it has multi-level encoding. First of all I want to clarify that I am no expert in PHP! In the txt file you have shared, the code has 2 parts. The first part is a variable definition ($o) and the other part has the eval method. I was able to decode the eval method using the link I provided above. It returned a series of code having for loops and more encoded data. So, it’s recursively encoded code by some smart fellow. If I was you, I wouldn’t dare to use that theme with such a footer.
December 15th, 2008 at 3:43 pm
Thank you for having looked at the code. The footer coded it becomes a very bad way. Especially we don’t know if it hides a malicious script.
January 3rd, 2009 at 10:14 pm