I adore WordPress themes! And I like to download and test the themes (free ones) frequently. A few days back I came across a plugin, TAC (Theme Authenticity Checker), which checks for any malicious code in the WordPress themes present in the /wp-content/themes folder.

When I ran TAC today, I found that a couple of the themes I downloaded yesterday (name withheld) had an encoded string in the footer section. TAC flagged them as potential threats, since some malicious code could have been injected and encoded. The code looked something like this:

echo(base64_decode("PGRpdiBjbGFzcz0iZm9vdGVy
Ij4NCiAgPGRpdiBjbGFzcz0iZm9vdGVyX3R4dCI+IA0KICAgIDxw
PiBEZXNpZ25lZCBieTogPGEgaHJlZj0iaHR0cDovL3d3dy
50YWxrcmV2aWV3cy5jb20vdG9wLXNp
dGVzIj5Ub3AgV2Vic2l0ZSBSZXZpZXdzPC9hPiA8L3A+
DQoNCiAgICA8cD4NCiAgICAgIDxhIGhy
g0KDQo="));

I started looking for a tool which could decode this encoded string for me, and I found this page, which can encode as well as decode! There is a radio button at the bottom where you need to select the decode option. The decoded output will be displayed on the same screen within a few seconds!

Just replace the encoded code with the decoded one and the theme will continue to work like a charm!

Link: Base-64-encoder-decoder

Mirror: Base-64 decoder

Also try this: OpinionatedGeek decoder tool
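
An offline alternative to the web decoders linked above, as an added example that is not part of the original post: a Python script that peels `base64_decode(...)` layers from a theme file without executing any PHP and lists the links in the final layer. It goes beyond the single-layer case shown above to nested and `gzinflate(base64_decode(...))` layers; the sample footer, the `example.invalid` URL and all function names are constructed for illustration.

```python
import base64
import re
import zlib

# PHP wrappers seen on this page: base64_decode("...") and
# gzinflate(base64_decode('...')). Curly quotes from blog rendering are accepted.
WRAPPER = re.compile(r"""(?P<gz>gzinflate\s*\(\s*)?base64_decode\s*\(\s*["'“]"""
                     r"""(?P<b64>[A-Za-z0-9+/=\s]+)["'”]\s*\)""")
SUSPICIOUS = re.compile(r"\b(eval|gzinflate|base64_decode|str_rot13)\b")
URL = re.compile(r"""https?://[^\s"'<>]+""")

def decode_once(match):
    """Decode one wrapper to text; nothing is handed to a PHP interpreter."""
    raw = base64.b64decode(re.sub(r"\s+", "", match.group("b64")))
    if match.group("gz"):
        raw = zlib.decompress(raw, -15)  # PHP gzinflate() is raw DEFLATE
    return raw.decode("utf-8", errors="replace")

def peel(source, max_layers=10):
    """Return the decoded text of each nesting level, outermost first."""
    layers, text = [], source
    for _ in range(max_layers):
        match = WRAPPER.search(text)
        if match is None:
            break
        try:
            text = decode_once(match)
        except (ValueError, zlib.error):  # truncated or damaged blob
            break
        layers.append(text)
    return layers

def report(source):
    """Summarise nesting depth, outbound links and leftover obfuscation names."""
    layers = peel(source)
    final = layers[-1] if layers else source
    return {"layers": len(layers),
            "urls": sorted(set(URL.findall(final))),
            "still_obfuscated": bool(SUSPICIOUS.search(final))}

# Constructed sample: an HTML footer in base64, wrapped again in gzinflate+base64.
_HTML = '<div class="footer"><a href="http://example.invalid/x">Sponsor</a></div>'
_INNER = 'echo(base64_decode("%s"));' % base64.b64encode(_HTML.encode()).decode()
_Z = zlib.compressobj(wbits=-15)
SAMPLE = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(
    _Z.compress(_INNER.encode()) + _Z.flush()).decode()

if __name__ == "__main__":
    print(report(SAMPLE))
```

A result with `still_obfuscated` set to `True` means the last layer the script could decode still names `eval` or a decoding function, so it is not yet plain HTML.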


Raju is the owner and editor-in-chief of TechPP. A proud geek and an Internet freak, who is also a social networking enthusiast. You can follow him on Twitter @rajupp


  1. if the author wants to be sure though he can use what is called code obfuscation and at that point you are in a deadlock…. also base64 encodings are used in mails ;) nice quick tip!


  2. If code is obfuscated, I won’t even care to test the theme unless it’s released by a trusted source. And yeah I do know about base64 encodings, it is there in java as well!

  3. I'm just learning PHP and this looks like a pretty nifty tip! Will definitely keep this in mind. Great work, mate!


  4. yah it’s just another way of encoding your strings… as for the obfuscation you are right… i wouldn’t use it at all. when people try to hide and become “closed source” i get a bit mad :D


  5. That page didn’t work for me, but nice try. I’ll keep looking for some decoder…


  6. @onelag
    It does work, I am 100% sure that it will work if you give the input properly. I hope you are not looking to decode eval().

  7. Hello
    I tried the script on the page.
    It doesn’t work with the code of my footer.

    I get a result that is still coded, such as: eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0; …..

    :(

  8. Thank you for your help. But this time it says “Sorry, it just was not possible to decode that string.”

    Here is the code in a txt file
    footer

    it would be nice if you could throw a glance :)

    • As expected, it has multi-level encoding. First of all I want to clarify that I am no expert in PHP! In the txt file you have shared, the code has 2 parts. The first part is a variable definition ($o) and the other part has the eval method. I was able to decode the eval method using the link I provided above. It returned me a series of code having for loops and more encoded data. So, it’s recursively encoded code by some smart fellow. If I was you, I wouldn’t be daring to use that theme with such a footer :)

  9. Thank you for having looked at the code. The footer coded it becomes a very bad way. Especially we don’t know if it hides a malicious script.

  10. On gzipped content like: eval(gzinflate(base64_decode('glztGlnskJVlg0'))); – I have successfully used this on-line decrypter:
    http://www.tareeinternet.com/scripts/decrypt.php

    Thanks for this article ;)

    MY solution (no decoding):
    —————————-
    1/ Install the theme on localhosted apache + php + wp
    2/ Point browser there (http://localhost/wordpress/)
    3/ View page source
    4/ copy footer code from viewed source
    5/ erase footer.php, create new file with same name
    6/ paste footer code from clipboard into this newly created file footer.php
    7/ save footer.php code and test the theme
    8/ you may need to debug it little bit (someone is putting tricks like

    ?>

    footer html code

    <?

    to protect theme from this kind of manipulation and such techniques).

    → This solution is absolutely legal, ’cause you are not modifying footer.php, you aren’t reverse engineering, but you’re building your own footer.php file ;)

    • @mijk,
      Thanks for your comments. But how many people do you think will be capable enough to install WP locally? That is why I suggested the decoding approach. You are absolutely right in terming it “legal”; even I have mentioned the same above.

  11. @Raju:
    I think there are a lot of all-in-one apache+mysql+php solutions (EasyPHP @ http://www.easyphp.org/, WAMP @ http://www.wampserver.com/en/ etc.) which are easy to install (standard installshield installation) and set up (fully featured clickable control panel with links to phpmyadmin, for setting up modules like gd etc., selecting php (4/5) or mysql version (for debugging purpose)), so for clarity I think that almost anyone could be capable of installing WP locally ;)

    I was just sharing another approach to this issue (mainly ’cause of legality of this kind of approach).

    Thank you very much for quick response and thanks once again for cool article.

    • @mijk,
      You are absolutely right. I personally use WAMP and XAMPP, but what I meant was non-geeks will not dare to try most of the time. But yeah, it's very easy :) I must thank you for sharing so much info with your 2 comments.

  12. @mijk,
    Thanks for your solution, that is a bright idea.

    yup, building your own.

  13. @ mijk

    I am sorry, where is the true to debug in php ?

    or

    ?>
    ……………..
    <?

    I will try both of them, because I found

    in my wp theme.
    I will learn php on next semester on my campus, once again thanks to Raju and mijk.

  14. I am sorry, where is the true to debug in php ?

    “”
    (without quote)
    or

    ?>
    ……………..
    <?

    I will try both of them, because I found
    “” (without quote)
    in my wp theme.
    I will learn php on next semester on my campus, once again thanks to Raju and mijk.

    ===========
    Sorry Raju, I just look like a spammer.
    I repost my comment because the previous one is incomplete, you can delete it.

    • @bachtiar,
      Sorry dude, I cannot understand what the issue is. Please explain in detail

  15. The Media Annexes

    Fantastic!

  16. Thank You! Awesome Tip!
    btw: yes, the links work. u just gotta know what you are doing..

  17. Thank you for this tip. I agree with the others above that if you have something to hide then it's not worth it. I found a great theme that fits perfectly for my company and I was able to successfully decode the footer, replace the numbers in the decoding text with letters, i.e. d4v = div (they had this done to trick the code to force the template not to work)

    Thank you again (the link you provided was bookmarked) :)

  18. Sergio

    thanks it works like charm, greetz.

  19. Hey,

    I’m having a problem with my theme as well. My index.php is encoded with crap and I can’t seem to decode it. The index.php is vital to my editing – so obviously I need it decoded. Any ideas?

  20. I want to decode my footer.php code into html one but How?

  21. wow, it worked !!!
    many thankx

  22. Nice share, the trick is to download the theme from the original author/designer’s website. Most of theme directories are loading the themes with malicious links using this encode, which a non-technical person won’t be able to identify.

  23. Can u decode this code

  24. pls help me some one………….

  25. There is an online tool which can help you to remove unwanted links from ur footer. http://www.theecommercesolution.com/decrypt.php

  26. Thanks for the tip, it helped me a lot!

  27. joker

    Look, I tried to decode my footer with your recommended site, but it did not work and I got back my own code. How can I solve my problem? Plz answer.

  28. plz decode this code

  29. nuwan

    Hey… hello, unfortunately I can't do this with my code… Can you help me…??? Please reply.. plz plz I’m waiting 4 u.

    thanks

    • Please go through different links posted in the article as well as other comments on the post

    • what happened sir i didnt get any reply from u..
      plz help me

Copyright 2010 Technically Personal! 