Support » Fixing WordPress » Can someone decode this for me?

  • <?php eval(base64_decode(‘Pz4gCTwvZGl2Pg0KCTwhLS0gbWFpbiBFTkQgLS0+DQoNCgk8P3BocCBnZXRfc2lkZWJhcigpOyA/Pg0KCTxkaXYgY2xhc3M9ImZpeGVkIj48L2Rpdj4NCjwvZGl2Pg0KPCEtLSBjb250ZW50IEVORCAtLT4NCg0KPCEtLSBmb290ZXIgU1RBUlQgLS0+DQo8ZGl2IGlkPSJmb290ZXIiPg0KCTxhIGlkPSJnb3RvcCIgaHJlZj0iIyIgb25jbGljaz0iTUdKUy5nb1RvcCgpO3JldHVybiBmYWxzZTsiPjw/cGhwIF9lKCdUb3AnLCAnaW5vdmUnKTsgPz48L2E+DQoJPGEgaWQ9InBvd2VyZWQiIGhyZWY9Imh0dHA6Ly93b3JkcHJlc3Mub3JnLyI+V29yZFByZXNzPC9hPg0KCTxkaXYgaWQ9ImNvcHlyaWdodCI+DQoJCTw/cGhwDQoJCQlnbG9iYWwgJHdwZGI7DQoJCQkkcG9zdF9kYXRldGltZXMgPSAkd3BkYi0+Z2V0X3Jlc3VsdHMoIlNFTEVDVCBZRUFSKG1pbihwb3N0X2RhdGVfZ210KSkgQVMgZmlyc3R5ZWFyLCBZRUFSKG1heChwb3N0X2RhdGVfZ210KSkgQVMgbGFzdHllYXIgRlJPTSAkd3BkYi0+cG9zdHMgV0hFUkUgcG9zdF9kYXRlX2dtdCA+IDE5NzAiKTsNCgkJCWlmICgkcG9zdF9kYXRldGltZXMpIHsNCgkJCQkkZmlyc3Rwb3N0X3llYXIgPSAkcG9zdF9kYXRldGltZXNbMF0tPmZpcnN0eWVhcjsNCgkJCQkkbGFzdHBvc3RfeWVhciA9ICRwb3N0X2RhdGV0aW1lc1swXS0+bGFzdHllYXI7DQoNCgkJCQkkY29weXJpZ2h0ID0gX18oJ0NvcHlyaWdodCAmY29weTsgJywgJ2lub3ZlJykgLiAkZmlyc3Rwb3N0X3llYXI7DQoJCQkJaWYoJGZpcnN0cG9zdF95ZWFyICE9ICRsYXN0cG9zdF95ZWFyKSB7DQoJCQkJCSRjb3B5cmlnaHQgLj0gJy0nLiAkbGFzdHBvc3RfeWVhcjsNCgkJCQl9DQoJCQkJJGNvcHlyaWdodCAuPSAnICc7DQoNCgkJCQllY2hvICRjb3B5cmlnaHQ7DQoJCQkJYmxvZ2luZm8oJ25hbWUnKTsNCgkJCX0NCgkJPz4NCgk8L2Rpdj4NCgk8ZGl2IGlkPSJ0aGVtZWluZm8iPg0KCQk8P3BocCBpZihpc19ob21lKCkpIDogPz48YSBocmVmPSJodHRwOi8vY2hlYXBkcnVnczI0LmNvbS8iIHRpdGxlPSJkaXNjb3VudCBkcnVncyI+ZGlzY291bnQgZHJ1Z3M8L2E+PD9waHAgZW5kaWY7ID8+IAk8L2Rpdj4NCjwvZGl2Pg0KPCEtLSBmb290ZXIgRU5EIC0tPg0KDQo8L2Rpdj4NCjwhLS0gY29udGFpbmVyIEVORCAtLT4NCjwvZGl2Pg0KPCEtLSB3cmFwIEVORCAtLT4NCg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQoNCjwvYm9keT4NCjwvaHRtbD4NCg0KDQogPD8=’));?>

Viewing 3 replies - 1 through 3 (of 3 total)
  • It is base64 encoded (only once– very uncreative) PHP source. Its basically footer.php source code but hides a link to cheapdrugs24 dot com. Chop off this part– <?php eval(base64_decode(' from the front and this part– '));?> from the end and drop the middle in the base64 box here if you want to see the full source.

    Your footer appears to be a corrupted version of the original iNove theme footer. You should probably download a new copy from the Themes Directory, because I don’t believe that the original version of theme contains any base 64 nonsense. It appears that the “themeinfo” div in your version has been modified by someone to place spam link(s) in the footer.

    </div>
    	<!-- main END --> 
    
    		<div class="fixed"></div>
    </div>
    <!-- content END --> 
    
    <!-- footer START -->
    <div id="footer">
    	<a id="gotop" href="#" onclick="MGJS.goTop();return false;"></a>
    	<a id="powered" href="http://wordpress.org/">WordPress</a>
    	<div id="copyright">
    		get_results("SELECT YEAR(min(post_date_gmt)) AS firstyear, YEAR(max(post_date_gmt)) AS lastyear FROM $wpdb->posts WHERE post_date_gmt > 1970");
    			if ($post_datetimes) {
    				$firstpost_year = $post_datetimes[0]->firstyear;
    				$lastpost_year = $post_datetimes[0]->lastyear;
    
    				$copyright = __('Copyright &copy; ', 'inove') . $firstpost_year;
    				if($firstpost_year != $lastpost_year) {
    					$copyright .= '-'. $lastpost_year;
    				}
    				$copyright .= ' ';
    
    				echo $copyright;
    				bloginfo('name');
    			}
    		?>
    	</div>
    	<div id="themeinfo">
    		<a href="http://cheapdrugs24.com/" title="discount drugs">discount drugs</a> 	</div>
    </div>
    <!-- footer END --> 
    
    </div>
    <!-- container END -->
    </div>
    <!-- wrap END --> 
    
    </body>
    </html>
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Can someone decode this for me?’ is closed to new replies.