Title: Malicious code?
Last modified: August 20, 2016

---

# Malicious code?

 *  [Bas](https://wordpress.org/support/users/bask/)
 * (@bask)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/)
 * My website has been hacked recently, so I went through all the advised steps. While
   checking my files for malicious code (eval(base64_decode ) ) I found this file
   called jquery.easing-1.3.pack.js containing the following code:
 * _[Code moderated. Please do not post hack code blocks in the forums. Please use
   the [pastebin](http://wordpress.pastebin.com/)]_
 * I wonder if this is malicious or not? Could someone help me?

Viewing 15 replies - 1 through 15 (of 23 total)

1 [2](https://wordpress.org/support/topic/malicious-code-1/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/malicious-code-1/page/2/?output_format=md)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630473)
 * Generally speaking `eval(base64_decode...` is malicious and EVIL especially _if
   you didn’t put it there yourself_.
 *  Thread Starter [Bas](https://wordpress.org/support/users/bask/)
 * (@bask)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630478)
 * Thank you for your response. Yes I know the base64_decode code is always malicious,
   but this code block doesn’t contain base64_decode, but only the eval command 
   with lots of random characters.
 * Sorry for posting this explicitly in code blocks, here is the paste bin:
 * [http://pastebin.com/tsSv79kH](http://pastebin.com/tsSv79kH)
 * Thank you in advance
 *  [Christine Rondeau](https://wordpress.org/support/users/crondeau/)
 * (@crondeau)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630503)
 * That code you posted is indeed malicious code and it either came with your theme
   or your site has been hacked.
 *  Thread Starter [Bas](https://wordpress.org/support/users/bask/)
 * (@bask)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630510)
 * Ok thank you, yes it came as part of my theme, and it’s also in the source theme
   files. Could you maybe explain to me why this is malicious? (so I can tell that 
   to the theme developer)
 *  [Christine Rondeau](https://wordpress.org/support/users/crondeau/)
 * (@crondeau)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630511)
 * I doubt that the theme developer will care. They do this to get traffic to their
   site.
 * Here’s a good article that explains why you shouldn’t download free themes other
   than on the WordPress repo.
 * [http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/](http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/)
 *  Thread Starter [Bas](https://wordpress.org/support/users/bask/)
 * (@bask)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630516)
 * It’s not a free theme, it’s a premium WordPress theme bought at a respected website.
   So I’m pretty sure the developer will care.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630520)
 * > it’s a premium WordPress theme bought at a respected website
 * Which web site?
 *  Thread Starter [Bas](https://wordpress.org/support/users/bask/)
 * (@bask)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630522)
 * The theme is bought at themeforest.net, developers are themeprovince.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630524)
 * Then you need to seek support from the theme’s vendors.
 *  Thread Starter [Bas](https://wordpress.org/support/users/bask/)
 * (@bask)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630562)
 * Ok, I just wanted a second opinion on this. I just contacted the developers.
 *  Thread Starter [Bas](https://wordpress.org/support/users/bask/)
 * (@bask)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630571)
 * I just got a response back, he says it’s used by millions and def not malicious.
   I did some more research on the file, and it seems to be used a lot. Could you
   explain to me why you think it’s malicious? Because now I don’t know who to believe…
 *  [Chip Bennett](https://wordpress.org/support/users/chipbennett/)
 * (@chipbennett)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630577)
 * My _personal belief_ is that obfuscating code in a WordPress Theme template file
   is inherently malicious, and I would never use a Theme that has such code.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630578)
 * > Because now I don’t know who to believe
 * Believe what you can _validate_.
 * When you see `eval(base64_decode` that obfuscation is a deliberate attempt to
   hide from the user what they are actually doing. At a minimum it’s disingenuous
   and that sort of behavior would get that theme removed from the WordPress theme
   repo in a cool minute.
 * At the other end of that, it’s malicious.
 * If you want to use that theme that’s up to you. But don’t take anyone’s word 
   for it; if it’s alright then they should provide you with the clear version
   of that code.
 * **Edit**: Shorter version is Chip’s right and you should avoid that theme like
   an infection.
 *  Thread Starter [Bas](https://wordpress.org/support/users/bask/)
 * (@bask)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630579)
 * Ok, I’m quite new to this obfuscated code, this code is in a plugin used by the
   theme (fancybox), I think it could be used to protect the code from being copied?
   I now simply removed these files from my server, because I don’t use this plugin.
   Would that be sufficient?
 * And it’s not using the eval(base64_decode, but eval(function( . I’m just being 
   extra careful because my site has been hacked over and over lately, and I wasn’t
   able to find out why. Today I did a full reupload after completely wiping the
   files from the server, so if it happens again it means there is either a backdoor
   somewhere, a leak in the software or a problem at my host.
 * Not using this theme would mean I have to set up a completely new website, which
   would currently take too much time for me.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years ago](https://wordpress.org/support/topic/malicious-code-1/#post-2630586)
 * > I think it could be used to protect the code from being copied
 * That, in itself, is contrary to the principles of GPL which specifically allows
   for the re-use of any and all code. There is no need for any developer to encrypt
   their code, so when one does, you have to ask why…
 * > Would that be sufficient?
 * Deleting that plugin may be sufficient but it really depends if there is any 
   other encrypted code in the theme.
 * > my site has been hacked over and over lately
 * I’d suggest working through these resources:
    [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
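
One way to check whether any other file in a theme carries the two markers discussed in this thread, `eval(base64_decode` and `eval(function(`, so that each hit can be opened and read. This is an added example, not code from any poster; the function names, the extension list and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

MARKERS = {  # markers named in the thread; whitespace between tokens is tolerated
    "eval(base64_decode": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "eval(function(": re.compile(r"eval\s*\(\s*function\s*\("),
}
EXTENSIONS = (".php", ".js", ".inc", ".phtml")  # assumption: files worth reading

def scan_text(text):
    """Return (line_number, marker, excerpt) per hit; excerpt capped at 60 chars."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for label, pattern in MARKERS.items():
            match = pattern.search(line)
            if match:
                hits.append((number, label, line[match.start():match.start() + 60]))
    return hits

def scan_tree(root):
    """Walk root and return {relative_path: hits} for files with hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = scan_text(handle.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Scan a constructed theme folder (sample files are made up, harmless)."""
    samples = {
        "functions.php": "<?php\n// constructed\neval( base64_decode('ZWNobyAxOw==') );\n",
        "js/sample.pack.js": "eval(function(s){return s}('1'))\n",
        "js/clean.js": "function evaluate(x) { return x; }\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as handle:
                handle.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree()` at an unpacked copy of the theme; a hit marks a file to read in full, and a file with no hit has only been cleared of these two patterns.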


The topic ‘Malicious code?’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 23 replies
 * 7 participants
 * Last reply from: [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * Last activity: [14 years ago](https://wordpress.org/support/topic/malicious-code-1/page/2/#post-2630608)
 * Status: not resolved

