Replacing/deleting encrypted code on my site
-
Hi
I’m new to php and wordpress.
I was trying edit the footer of my site to delete some links that were placed there when I first received the Template and upon doing so got a messege on my site saying “This theme is released free for use under creative commons licence. All links in the footer should remain intact. These links are all family friendly and will not hurt your site in any way. This great theme is brought to you for free by these supporters.”
After doing a bit of research I found that this may be linked to some encrypted/malicious code located in my functions.php
After searching I found 4 sectiong of encrypted codeand tried to remove them. The problem is that when I attempt to remove them my site stops unctioning all together.
Is there a way to safetly remove or replace these sections and have my site functionign again?
The 4 sections are;
eval(base64_decode('aWYgKCFlbXB0eSgkX1JFUVVFU1RbInRoZW1lX2xpY2Vuc2UiXSkpIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBleGl0KCk7IH0gZnVuY3Rpb24gdGhlbWVfdXNhZ2VfbWVzc2FnZSgpIHsgaWYgKGVtcHR5KCRfUkVRVUVTVFsidGhlbWVfbGljZW5zZSJdKSkgeyAkdGhlbWVfbGljZW5zZV9mYWxzZSA9IGdldF9ibG9naW5mbygidXJsIikgLiAiL2luZGV4LnBocD90aGVtZV9saWNlbnNlPXRydWUiOyBlY2hvICI8bWV0YSBodHRwLWVxdWl2PVwicmVmcmVzaFwiIGNvbnRlbnQ9XCIwO3VybD0kdGhlbWVfbGljZW5zZV9mYWxzZVwiPiI7IGV4aXQoKTsgfSBlbHNlIHsgZWNobyAoIjxwIHN0eWxlPVwicGFkZGluZzoxMHB4OyBtYXJnaW46IDEwcHg7IHRleHQtYWxpZ246Y2VudGVyOyBib3JkZXI6IDJweCBkYXNoZWQgUmVkOyBmb250LWZhbWlseTphcmlhbDsgZm9udC13ZWlnaHQ6Ym9sZDsgYmFja2dyb3VuZDogI2ZmZjsgY29sb3I6ICMwMDA7XCI+VGhpcyB0aGVtZSBpcyByZWxlYXNlZCBmcmVlIGZvciB1c2UgdW5kZXIgY3JlYXRpdmUgY29tbW9ucyBsaWNlbmNlLiBBbGwgbGlua3MgaW4gdGhlIGZvb3RlciBzaG91bGQgcmVtYWluIGludGFjdC4gVGhlc2UgbGlua3MgYXJlIGFsbCBmYW1pbHkgZnJpZW5kbHkgYW5kIHdpbGwgbm90IGh1cnQgeW91ciBzaXRlIGluIGFueSB3YXkuIFRoaXMgZ3JlYXQgdGhlbWUgaXMgYnJvdWdodCB0byB5b3UgZm9yIGZyZWUgYnkgdGhlc2Ugc3VwcG9ydGVycy48L3A+Iik7IH0gfQ=='));
eval(base64_decode('ZnVuY3Rpb24gY2hlY2tfdGhlbWVfZm9vdGVyKCkgeyAkdXJpID0gc3RydG9sb3dlcigkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXSk7IGlmKGlzX2FkbWluKCkgfHwgc3Vic3RyX2NvdW50KCR1cmksICJ3cC1hZG1pbiIpID4gMCB8fCBzdWJzdHJfY291bnQoJHVyaSwgIndwLWxvZ2luIikgPiAwICkgeyAvKiAqLyB9IGVsc2UgeyAkbCA9ICdEZXNpZ25lZCBieTogPGEgaHJlZj0iaHR0cDovL2dhbWVmcmllbmRzLmNvbSI+dmlkZW8gZ2FtZTwvYT4gfCBUaGFua3MgdG8gPGEgaHJlZj0iaHR0cDovL3d3dy5rcmF3aWtldHQuZGUvIj5LcmF3aWtldHQgRXRpa2V0dGVuPC9hPiwgPGEgaHJlZj0iaHR0cDovL3Nlby1zZXJ2aWNlcy51cyI+c2VvIHNlcnZpY2U8L2E+IGFuZCA8YSBocmVmPSJodHRwOi8vaW50ZXJuZXRtYXJrZXRpbmcxLnVzIj5pbnRlcm5ldCBtYXJrZXRpbmc8L2E+JzsgJGYgPSBkaXJuYW1lKF9fZmlsZV9fKSAuICIvZm9vdGVyLnBocCI7ICRmZCA9IGZvcGVuKCRmLCAiciIpOyAkYyA9IGZyZWFkKCRmZCwgZmlsZXNpemUoJGYpKTsgJGxwID0gcHJlZ19xdW90ZSgkbCwgIi8iKTsgZmNsb3NlKCRmZCk7IGlmICggc3RycG9zKCRjLCAkbCkgPT0gMCB8fCBwcmVnX21hdGNoKCIvPFwhLS0oLioiIC4gJGxwIC4gIi4qKS0tPi9zaSIsICRjKSB8fCBwcmVnX21hdGNoKCIvPFw/cGhwKFteXD9dK1tePl0rIiAuICRscCAuICIuKilcPz4vc2kiLCAkYykgKSB7IHRoZW1lX3VzYWdlX21lc3NhZ2UoKTsgZGllOyB9IH0gfSBjaGVja190aGVtZV9mb290ZXIoKTs='));
if(!function_exists('get_sidebars')) { function get_sidebars($args='') { eval(base64_decode('Y2hlY2tfdGhlbWVfaGVhZGVyKCk7')); get_sidebar($args); } }
mytheme_admin_init(); eval(base64_decode('ZnVuY3Rpb24gY2hlY2tfdGhlbWVfaGVhZGVyKCkgeyBpZiAoIShmdW5jdGlvbl9leGlzdHMoImZ1bmN0aW9uc19maWxlX2V4aXN0cyIpICYmIGZ1bmN0aW9uX2V4aXN0cygidGhlbWVfZm9vdGVyX3QiKSkpIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBkaWU7IH0gfQ==')); add_action('admin_menu', 'mytheme_add_admin');
-
The technical statement is that legally you aren’t supposed to as the theme author is trying to use CCL for a license.
There is a whole world of discussion CCL vs. GPL and what themes should be released as. Below is a good article on the subject.
http://www.bestwpthemez.com/wordpress/difference-between-gpl-and-ccl-themes-2958/
My first statement is that perhaps finding a more flexible theme would make life easier, otherwise, pulling code is the only way to move ahead. The key is finding where these things are being checked for. Not going to be easy if the creator planned for this.
Sorry I should have ellaborated, I actually already decoded it myself but wanted to know if there was anyway to delete those sections or replace them with something safe instead.
If the decoded version is needed I can post that aswell.
@drax88: Post in the thread I linked. Look at the source code in the browser and your decoded eval stuff and try and parse the php for what stays and what can be deleted. Good luck.
- The topic ‘Replacing/deleting encrypted code on my site’ is closed to new replies.