I adore WordPress themes! And I like to download and test the themes (free ones) frequently. A few days back I came across a plugin, TAC (Theme Authenticity Checker), which checks for malicious code in the WordPress themes present in the /wp-content/themes folder.
When I ran TAC today, I found that a couple of the themes I downloaded yesterday (name withheld) had an encoded string in the footer section. TAC flagged them as potential threats, since malicious code could have been injected and encoded. The code looked something like this:
echo(base64_decode("PGRpdiBjbGFzcz0iZm9vdGVy
Ij4NCiAgPGRpdiBjbGFzcz0iZm9vdGVyX3R4dCI+IA0KICAgIDxw
PiBEZXNpZ25lZCBieTogPGEgaHJlZj0iaHR0cDovL3d3dy
50YWxrcmV2aWV3cy5jb20vdG9wLXNp
dGVzIj5Ub3AgV2Vic2l0ZSBSZXZpZXdzPC9hPiA8L3A+
DQoNCiAgICA8cD4NCiAgICAgIDxhIGhy
g0KDQo="))
I started looking for a tool that could decode this encoded string for me, and I found this page, which can encode as well as decode! There is a radio button at the bottom where you need to select the decode option. The decoded output is displayed on the same screen within a few seconds!
Just replace the encoded code with the decoded one and the theme will continue to work like a charm!
Link: Base-64-encoder-decoder
Mirror: Base-64 decoder
Also try this: OpinionatedGeek decoder tool
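An offline alternative to the web decoders, added here as an example and not part of the original post: it unwraps base64_decode("...") calls statically, never executing the PHP, and goes beyond the echo case above to the nested eval and gzinflate wrappers raised in the comments below. The names unwrap, decode_call and make_sample are illustrative, and the sample footer is constructed.

```python
import base64
import binascii
import re
import zlib

MAX_OUT = 1 << 20  # cap on inflated size per layer, so a bomb cannot exhaust memory

# base64_decode('...') or base64_decode("..."), optionally wrapped in gzinflate(...)
CALL = re.compile(
    r"(?P<gz>gzinflate\s*\(\s*)?base64_decode\s*\(\s*"
    r"(?P<q>['\"])(?P<b64>[A-Za-z0-9+/=\s]+)(?P=q)\s*\)")

def decode_call(match):
    """Statically decode one matched call; return text, or None if undecodable."""
    b64 = re.sub(r"\s+", "", match.group("b64"))
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        if match.group("gz"):
            # PHP's gzinflate() reads raw DEFLATE, hence wbits=-15
            raw = zlib.decompressobj(-15).decompress(raw, MAX_OUT)
    except (binascii.Error, zlib.error):
        return None
    return raw.decode("utf-8", errors="replace")

def unwrap(php_source, max_depth=10):
    """Return [(depth, decoded_text), ...], outermost layer first. Nothing is executed."""
    layers, queue = [], [(php_source, 0)]
    while queue:
        text, depth = queue.pop(0)
        if depth >= max_depth:
            continue
        for m in CALL.finditer(text):
            decoded = decode_call(m)
            if decoded is not None:
                layers.append((depth + 1, decoded))
                queue.append((decoded, depth + 1))
    return layers

def make_sample():
    """Constructed sample (not from the post): a footer wrapped in two layers."""
    html = '<div class="footer">Designed by: <a href="http://example.com/">Example</a></div>'
    layer = 'echo(base64_decode("%s"));' % base64.b64encode(html.encode()).decode()
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(layer.encode()) + comp.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(deflated).decode()

if __name__ == "__main__":
    for depth, text in unwrap(make_sample()):
        print("layer %d: %s" % (depth, text))
```

Read every decoded layer before pasting anything back into footer.php; layers that rebuild function names from variables or loops will not match this pattern and need manual review.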
November 29th, 2008 at 10:22 pm
if the author wants to be sure though he can use what is called code obfuscation and at that point you are in a deadlock…. also base64 encodings are used in mails
nice quick tip!
November 29th, 2008 at 10:40 pm
If code is obfuscated, I won’t even care to test the theme unless it’s released by a trusted source. And yeah, I do know about base64 encodings; it is there in Java as well!
November 30th, 2008 at 12:51 am
I’m just learning PHP and this looks like a pretty nifty tip! Will definitely keep this in mind. Great work, mate!
December 1st, 2008 at 3:28 am
yah it’s just another way of encoding your strings… as for the obfuscation you are right… i wouldn’t use it at all. when people try to hide and become “closed source” i get a bit mad
December 3rd, 2008 at 11:11 pm
That page didn’t work for me, but nice try. I’ll keep looking for some decoder…
December 4th, 2008 at 5:41 am
@onelag
It does work, I am 100% sure that it will work if you give the input properly. I hope you are not looking to decode eval().
December 15th, 2008 at 11:42 am
Hello
I tried the script on the page.
It doesn’t work with the code of my footer.
I get a result yet coded such: eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0; …..
December 15th, 2008 at 12:04 pm
Hi Jean,
I have focused on echo(base64_decode()) and not eval(base64_decode()). Hence that link is not working for your case. Try out this link and let me know if it was able to decode.
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx
You might have to decode recursively in case the coder has encoded the string recursively.
December 15th, 2008 at 12:26 pm
Thank you for your help. But this time it says “Sorry, it just was not possible to decode that string.”
Here is the code in a txt file
footer
it would be nice if you could throw a glance
December 15th, 2008 at 2:14 pm
As expected, it has multi-level encoding. First of all, I want to clarify that I am no expert in PHP! In the txt file you have shared, the code has 2 parts. The first part is a variable definition ($o) and the other part has the eval method. I was able to decode the eval method using the link I provided above. It returned me a series of code having for loops and more encoded data. So, it’s recursively encoded code by some smart fellow. If I was you, I wouldn’t be daring to use that theme with such a footer.
December 15th, 2008 at 3:43 pm
Thank you for having looked at the code. The footer coded it becomes a very bad way. Especially we don’t know if it hides a malicious script.
February 22nd, 2009 at 2:27 pm
On gzipped content like:
eval(gzinflate(base64_decode('glztGlnskJVlg0')));
- I have successfully used this on-line decrypter: http://www.tareeinternet.com/scripts/decrypt.php
Thanks for this article
MY solution (no decoding):
—————————-
1/ Install the theme on localhosted apache + php + wp
2/ Point browser there (http://localhost/wordpress/)
3/ View page source
4/ copy footer code from viewed source
5/ erase footer.php, create new file with same name
6/ paste footer code from clipboard into this newly created file footer.php
7/ save footer.php code and test the theme
8/ you may need to debug it little bit (someone is putting tricks like
?>footer html code
<?
to protect theme from this kind of manipulation and such techniques).
→ This solution is absolutely legal, ’cause you are not modifying footer.php, you aren’t reverse engineering, but you’re building your own footer.php file
February 22nd, 2009 at 5:42 pm
@mijk,
Thanks for your comments. But how many people do you think will be capable enough to install WP locally? That is why I suggested decoding approach. You are absolutely right in terming it “legal”, Even I have mentioned the same above.
February 22nd, 2009 at 9:26 pm
@Raju:
I think there is lot of all-in-one apache+mysql+php solutions (EasyPHP @ http://www.easyphp.org/, WAMP @ http://www.wampserver.com/en/ etc.) which are easy to install (standard installshield installation) and setup (fully featured clickable control panel with links to phpmyadmin, for setting up modules like gd etc., selecting php (4/5) or mysql version (for debugging purpose) - so for clarity I think that almost anyone could be capable to install WP locally
I was just sharing another approach to this issue (mainly ’cause of legality of this kind of approach).
Thank you very much for quick response and thanks once again for cool article.
February 22nd, 2009 at 9:44 pm
@mijk,
I must thank you for sharing so much info with your 2 comments.
You are absolutely right. I personally use WAMP and XAMPP, but what I meant was non-geeks will not dare to try most of the times. But yeah, it’s very easy.
March 5th, 2009 at 10:17 am
@mijk,
Thanks for your solution, that is a bright idea.
yup, building your own.
March 5th, 2009 at 11:18 am
@ mijk
I am sorry, where is the true to debug in php ?
or
?>
……………..
<?
I will try both of them, because I found
in my wp theme.
I will learn php on next semester on my campus, once again thanks to Raju and mijk.
March 5th, 2009 at 11:29 am
I am sorry, where is the true to debug in php ?
“”
(without quote)
or
?>
……………..
<?
I will try both of them, because I found
“” (without quote)
in my wp theme.
I will learn php on next semester on my campus, once again thanks to Raju and mijk.
===========
Sorry Raju, I just look like a spammer.
I repost my comment because the previous one is incomplete, you can delete it.
March 5th, 2009 at 10:40 pm
@bachtiar,
Sorry dude, I cannot understand what the issue is. Please explain in detail
April 26th, 2009 at 12:01 pm
Fantastic!
July 4th, 2009 at 3:56 am