“This is for the most common encoded method I’ve seen. This is the method that starts with $o=”blah blah.[...]
1. Make a copy of the php file. Call it temp.php. Open it in a text editor.
2. Use search replace to find the semi-colons and replace them with semi-colons followed by a carriage return. In TextPad, I enable regular expressions and replace ; with ;\n . Easy.
3. You’ll get three lines of code. The second one starts with ‘eval’. Change that to ‘echo’ instead.
4. Run the php file in php. On the command line, this looks like “php temp.php”. You can also do it in a website/browser if you like.
5. You’ll get a big long line of code with a lot of $lllll stuff in it. Copy all that and paste it back into the original file. You’re going to REPLACE the entire “echo” line with it. But only that line, you still need to have the $o=”blah” line at the top of the file.
6. Do the semi-colon replace thing again to get a lot of lines instead of one long one.
7. Right at the end, there’s a line that looks like eval($lllllllll); or similar, all by itself. Change that eval to an echo.
8. Run it again. Voila, you should have your unencrypted code now. Copy and paste it where you want it.”
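The same peeling can be done statically, without running the suspect file at all. The following is an added example, not part of the quoted instructions or of any tool mentioned on this page: it replaces each eval(decoder('literal')) statement with its decoded text and repeats until none is left, keeping the rest of the file (such as the $o= line) in place. It assumes each layer's argument is a string literal wrapped in base64_decode, str_rot13, gzinflate or gzuncompress; the function names, SAMPLE and the example.com link are constructed for illustration, and an eval($lllllllll); layer built from variables is left untouched for manual review.

```python
import base64, codecs, re, zlib

# PHP wrappers commonly nested inside eval(); each maps bytes -> bytes.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
    "gzuncompress": zlib.decompress,
}

# Matches: eval( f1( f2( 'literal' ) ) );
LAYER = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])([^'\"]*)\2[\s)]*;")

def decode_layer(match):
    """Apply the wrapper functions innermost-first to the string literal."""
    data = match.group(3).encode("latin-1")
    for name in reversed(re.findall(r"\w+", match.group(1))):
        if name not in DECODERS:
            raise ValueError("unsupported wrapper: " + name)
        data = DECODERS[name](data)
    return data.decode("utf-8", "replace")

def unwrap(src, max_layers=20):
    """Replace eval(...) layers with their decoded text; nothing is executed."""
    layers = 0
    while layers < max_layers:
        m = LAYER.search(src)
        if m is None:  # no literal-argument eval left
            break
        src = src[:m.start()] + decode_layer(m) + src[m.end():]
        layers += 1
    return src, layers

def layer(php, rot13=False):
    """Build one constructed obfuscation layer (sample data only)."""
    b64 = base64.b64encode(php.encode()).decode()
    if rot13:
        return "eval(base64_decode(str_rot13('%s')));" % codecs.encode(b64, "rot13")
    return "eval(base64_decode('%s'));" % b64

# Constructed sample: a footer backlink hidden under two layers.
FOOTER = 'echo "<a href=\\"http://example.com/\\">Theme by Example</a>";'
SAMPLE = '<?php $o="blah"; ' + layer(layer(FOOTER, rot13=True)) + ' ?>'

if __name__ == "__main__":
    code, count = unwrap(SAMPLE)
    print(count, "layer(s) removed")
    print(code)
```

If unwrap stops with an eval still present, that remaining layer depends on variables or an unsupported wrapper and needs the manual steps above.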
Also, here are some decrypters for you:




12 Comments until now
Wow thanks. Pretty scary stuff base64 and websites (non-wordpress.org) free WP themes, avoid them it seems. Cheers
Thanks, I’m using this online decryptor http://www.base64online.com
Have any idea what this is all about?:
Thanks for sharing! Some of these base64 footers also use ROT13 code, which can be decoded with EditPad text-editor (free and pro versions)
Wow, I was going well until the last step. I’ve got the text separated into lines but after changing the last “eval” to an “echo” I just got this rendered in my browser:
?>
The code I’m using is this: http://pastebin.com/q921vjSa
Can you please take a look? Would be very helpful.
Thanks anyway for sharing this info
Finally I found out what my eval code is in my footer! It was just a backlink by the theme creator. Thank you
When you find more than one eval statement in the code, consider doing this logic (by Otto):
1. Replace the first eval with an echo. Add a “return” immediately after that eval statement.
2. Run the code, capture the output using output buffering.
3. Replace that echo (and the return) with the new output, since it will be from that one echo only.
4. Start over with your new code.
Can anyone help me to understand why I am getting this in my WordPress theme and what I should do?
I don’t understand which part of the code I have to paste to the tool.
Thanks!
// base64 encoded red image that says ‘no hotlinkers’
// nothing to worry about!
$imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
It appears that your theme-author doesn’t want you to remove their base64 code that, according to him, just makes the red image that says “no hotlinkers” …
I would suggest abandoning this theme. If that isn’t an issue to you, feel free to use it and continue to pursue it but, most would simply rather stay away from such things. You never know when or where vulnerabilities may be added in custom signatures like that.
it good man
Luckily I managed to find a free wordpress theme that wasn’t infected with base64 code.
I do have the plugin Theme Authenticity Checker (TAC) installed should it get infected later on.
I did happen to research this topic before I found my theme so I knew which free themes to avoid.
Are these base64 codes legal? I understand that themes can be free, but does that allow the developer to install ‘naughty code’ like base64?
Deon. ‘base64’ code isn’t necessarily ‘naughty’ code. It has legitimate uses. But it is very often used by hackers and is also used to hide details the theme-developers don’t want you to see.
It is often used to force you to have their credentials kept on the theme, to keep you from being able to easily edit the theme, etc. Since WordPress is free, any theme that is also free, ought to come free, with no strings attached, and should not have shady content on it.