Malicious code?
-
My website has been hacked recently, so I went through all the advised steps. While checking my files for malicious code (eval(base64_decode)) I found this file called jquery.easing-1.3.pack.js containing the following code:
[Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]
I wonder if this is malicious or not? Could someone help me?
-
Generally speaking eval(base64_decode... is malicious and EVIL especially if you didn’t put it there yourself.
Thank you for your response. Yes I know the base64_decode code is always malicious, but this code block doesn’t contain base64_decode, but only the eval command with lots of random characters.
Sorry for posting this explicitly in code blocks, here is the paste bin:
Thank you in advance
That code you posted is indeed malicious code and it either came with your theme or your site has been hacked.
Ok thank you, yes it came as part of my theme, and it's also in the source theme files. Could you maybe explain to me why this is malicious? (so I can tell that to the theme developer)
I doubt that the theme developer will care. They do this to get traffic to their site.
Here’s a good article that explains why you shouldn’t download free themes other than on the WordPress repo.
http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
It's not a free theme, it's a premium WordPress theme bought at a respected website. So I'm pretty sure the developer will care.
it's a premium WordPress theme bought at a respected website
Which web site?
The theme is bought at themeforest.net, developers are themeprovince.
Then you need to seek support from the theme’s vendors.
Ok, I just wanted a second opinion on this. I just contacted the developers.
I just got a response back, he says it's used by millions and def not malicious. I did some more research on the file, and it seems to be used a lot. Could you explain to me why you think it's malicious? Because now I don't know who to believe…
My personal belief is that obfuscating code in a WordPress Theme template file is inherently malicious, and I would never use a Theme that has such code.
Because now I don't know who to believe
Believe what you can validate.
When you see eval(base64_decode that obfuscation is a deliberate attempt to hide from the user what they are actually doing. At a minimum it’s disingenuous and that sort of behavior would get that theme removed from the WordPress theme repo in a cool minute. At the other end of that, it’s malicious.
If you want to use that theme that’s up to you. But don’t take anyone’s word for it; if it’s alright then they should provide you with the clear version of that code.
Edit: Shorter version is Chip’s right and you should avoid that theme like an infection.
Ok, I'm quite new to this obfuscated code, this code is in a plugin used by the theme (fancybox), I think it could be used to protect the code from being copied? I now simply removed these files from my server, because I don't use this plugin. Would that be sufficient?
And it's not using the eval(base64_decode, but eval(function( . I'm just being extra careful because my site has been hacked over and over lately, and I wasn't able to find out why. Today I did a full reupload after completely wiping the files from the server, so if it happens again it means there is either a backdoor somewhere, a leak in the software or a problem at my host.
Not using this theme would mean I have to set up a completely new website, which would currently take too much time for me.
I think it could be used to protect the code from being copied
That, in itself, is contrary to the principles of GPL which specifically allows for the re-use of any and all code. There is no need for any developer to encrypt their code, so when one does, you have to ask why…
Would that be sufficient?
Deleting that plugin may be sufficient but it really depends if there is any other encrypted code in the theme.
my site has been hacked over and over lately
I’d suggest working through these resources:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
The topic ‘Malicious code?’ is closed to new replies.
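A triage sketch for the check discussed in this thread, added here as an example and not code from any poster, the theme vendor or WordPress: it flags the two eval forms the thread names and then compares each flagged file against a reference hash, in line with the "believe what you can validate" advice. The p,a,c,k,e,d packer signature, the file contents, the paths other than jquery.easing-1.3.pack.js and the reference-hash table are constructed assumptions.

```python
import hashlib
import re

# The two eval forms named in the thread.
PATTERNS = {
    "php-eval-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "js-eval-function": re.compile(r"eval\s*\(\s*function\s*\("),
}
# Assumption: argument list emitted by the common p,a,c,k,e,d JavaScript packer.
PACKER_ARGS = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)")

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def triage(files, known_good):
    """Return {path: [findings]} for files that need a human to look at them.

    files: path -> contents; known_good: path -> sha256 of a copy you obtained
    yourself from the upstream project (hypothetical table, built by the admin).
    """
    report = {}
    for path, body in files.items():
        findings = [name for name, rx in PATTERNS.items() if rx.search(body)]
        if not findings:
            continue
        if "js-eval-function" in findings and PACKER_ARGS.search(body):
            findings.append("packer-signature")
        expected = known_good.get(path)
        if expected is None:
            findings.append("no-reference-copy")      # cannot validate: review by hand
        elif expected == sha256(body):
            findings.append("matches-reference")      # byte-identical to upstream
        else:
            findings.append("differs-from-reference")  # modified after release
        report[path] = findings
    return report

# Constructed sample inputs (the code from the thread was moderated out).
SAMPLE_FILES = {
    "js/jquery.easing-1.3.pack.js":
        "eval(function(p,a,c,k,e,d){return p}('0 1',2,2,'a|b'.split('|'),0,{}))",
    "functions.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    "style.css": "body { margin: 0; }",
}
KNOWN_GOOD = {"js/jquery.easing-1.3.pack.js":
              sha256(SAMPLE_FILES["js/jquery.easing-1.3.pack.js"])}

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_FILES, KNOWN_GOOD).items():
        print(path, findings)
```

A "matches-reference" result only says the file is identical to the copy you hashed, so the reference must come from a source you trust independently of the theme package.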