Base64 in my Wordpress theme slider

Discussion in 'Black Hat SEO' started by imlol, Oct 7, 2013.

  1. imlol

    imlol Regular Member

    I noticed something in WP in the edit post section for an image. So something is up. Searched for base64 in the theme file and found 7. How hard is this going to be to fix? I figure I might as well just delete everything on the website and start over. That should take about 40 minutes and removing all this will probably take over an hour and then I'll never know for sure. I guess the theme isn't legit?

    Any info or advice on this is appreciated.

    [​IMG]
    [​IMG]
     
  2. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Premium Member

  3. imlol

    imlol Regular Member

    Thanks, looks like what I saw is common according to http://ronangelo.com/base64-on-my-wordpress-theme/

    TAC also said it's fine.

    I'm very careful about the themes that I use but I have a feeling either this one is not legit, I have a plugin that's not legit, or possibly someone else that's using the same server (shared host) has something wrong.
     
  4. ficfroc

    ficfroc Regular Member

    It is sometimes something very commonly used by theme developers; you can always use a free base64 decrypter and see what the encrypted code is aiming for.
     
    • Thanks Thanks x 1
  5. Diplomat

    Diplomat Jr. VIP Jr. VIP Premium Member

    It's a base64 encoded raw image file. It's totally normal. Google uses the same technique for some of its sites. :)
     
    • Thanks Thanks x 1
  6. TZ2011

    TZ2011 Senior Member

    src=data/image.png, perfectly normal, like stated already. If in doubt in future, there are like 50 or more sites for decoding/encoding/beautifying base64, buterun decoders, eval gzinflate base64, javascript etc.
     
    • Thanks Thanks x 1
  7. HeRBaR

    HeRBaR Supreme Member

    There is nothing to worry about, these are called image sprites and they always look like that to make your site load faster...

    Read more about them here:
    http://tjrus.com/blog/base64-vs-css-sprites-battle-for-performance

    Cheers
     
    • Thanks Thanks x 3
  8. Jesam

    Jesam Newbie

    Beware that there are many WordPress themes with base64 encoding which include malicious code, in this case in nulled themes.
     
  9. Diplomat

    Diplomat Jr. VIP Jr. VIP Premium Member

    Most of those themes that contain base64 with malicious code have an "eval" function. The eval function allows you to activate PHP code that's in text format. For example:
    Code:
    <?php
    
    $phpcode = 'echo "hello World";';
    eval($phpcode);
    
    ?>
    
    The output would be "hello World"
     
    • Thanks Thanks x 1
  10. Emp1!

    Emp1! Junior Member

    Hi,

    As OP PMed me with a concern about one template which I uploaded on BHW, I want to stress:

    You have to be extra cautious when you download a template here.
    It is very easy to add encoded code with eval, to call a distant JS file or even to fopen distant files. Since I am not advanced in PHP, I imagine that there are a lot more ways to take unsuspected control of your website if you agree to install a template with malicious code.
    Since it is not cost efficient for you to check each line of the template (rather buy it yourself), you have to take a risk. I recommend you do it on a website you do not care about. Sure, you can easily monitor which server is called by your browser, but you have to be a more advanced webmaster if you want to carefully monitor which distant servers your website accesses by itself.

    Now, since it is about Avad* template, I want to say to BHW members: I downloaded it from TF, VT scanned it, uploaded it to mediafire and made the post myself.

    If someone can access it from a legitimate source (i.e. theme*orest), can you download it, extract the template package from the master package, check the MD5 (e.g. http://onlinemd5.com/) and post it here? That will be proof that I did not edit it :)

    Have a good day :)


    Edit: TAC seems to be a very good plugin to know :)
     
    • Thanks Thanks x 1
    Last edited: Oct 7, 2013
  11. duimstra

    duimstra Regular Member

    The screenshot in question is an encoded image. Perfectly normal and not malicious.

    If a base_64 code would be found directly in PHP code - that is something else and it's usually some malware that allows attackers to load:
    - spam sending software
    - phishing sites
    - seo spam
    on your hosting account.
     
    • Thanks Thanks x 1
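
Added example, not part of the thread: a small Python check for the distinction drawn in the posts above, telling base64 image data URIs in theme CSS apart from base64 that PHP decodes and passes to eval. The function names (`scan`, `scan_theme`) and the sample files are constructed for illustration; the PHP payload is the "hello World" snippet from post 9.

```python
import base64
import re

# Inline image in CSS/HTML: data:image/<type>;base64,<payload>
DATA_URI = re.compile(r"data:image/([\w.+-]+);base64,([A-Za-z0-9+/=]+)")
# PHP base64_decode() on a string literal, plus any wrapping eval/gzinflate calls
PHP_DECODE = re.compile(
    r"((?:(?:eval|gzinflate|gzuncompress|str_rot13)\s*\(\s*)*)"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I)
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "jpeg": b"\xff\xd8\xff"}

def decode(payload):
    """Decode strictly; return None when the text is not valid base64."""
    try:
        return base64.b64decode(payload, validate=True)
    except ValueError:
        return None

def scan(name, text):
    """Return (file, verdict, detail) tuples for every base64 use in one file."""
    found = []
    for kind, payload in DATA_URI.findall(text):
        raw = decode(payload)
        magic = IMAGE_MAGIC.get(kind.lower().replace("jpg", "jpeg"))
        # "image" only if the bytes start with the declared format's magic number
        ok = raw is not None and magic is not None and raw.startswith(magic)
        found.append((name, "image" if ok else "review", f"data:image/{kind}"))
    for wrappers, payload in PHP_DECODE.findall(text):
        verdict = "executes" if "eval" in wrappers.lower() else "decodes"
        # The decoded bytes are only shown for review, never run
        found.append((name, verdict, repr(decode(payload))[:80]))
    return found

def scan_theme(files):
    return [f for name, text in files.items() for f in scan(name, text)]

# Constructed sample files (not from any real theme); payloads are built here
PNG = base64.b64encode(IMAGE_MAGIC["png"] + b"constructed pixel data").decode()
PHP = base64.b64encode(b'echo "hello World";').decode()
SAMPLES = {
    "style.css": f".slider {{ background: url(data:image/png;base64,{PNG}); }}",
    "functions.php": f"<?php eval(base64_decode('{PHP}')); ?>",
    "fake.css": f".x {{ background: url(data:image/png;base64,{PHP}); }}",
}

if __name__ == "__main__":
    for finding in scan_theme(SAMPLES):
        print(*finding, sep="  ")
```

A data URI whose type has no entry in `IMAGE_MAGIC` (SVG, for instance) comes back as "review" rather than "image", so it gets looked at by hand.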
  12. gullsinn

    gullsinn Jr. VIP Jr. VIP Premium Member

    Remove that theme and flash your web hosting account.
     
  13. Emp1!

    Emp1! Junior Member

    Hmm, as I said:
    But if you want to:
    It is up to you :)
     
  14. jennym

    jennym Junior Member

    I always test a theme locally using wamp with a couple plug-ins before I use it for my real sites (plus I like to customize it also). The first two are necessary, and I just like to use the second two. You never know what someone has done when they've made their theme, or cracked it.

    Code:
    TAC
    http://wordpress.org/extend/plugins/tac/
    
    Exploit Scanner
    http://ocaoimh.ie/exploit-scanner
    http://wordpress.org/plugins/exploit-scanner/
    
    Theme Check
    http://wordpress.org/plugins/theme-check/
    
    Timthumb Vulnerability Scanner
    http://wordpress.org/plugins/timthumb-vulnerability-scanner/
    HTH

    Jenny
     
    • Thanks Thanks x 1
  15. imlol

    imlol Regular Member

    I've been using this theme for a while with no issues but then I saw this. My traffic isn't converting well so I figured something must be up.

    To be clear the theme I'm using is not the theme Emp1! shared. If you're using his you should be fine.

    I downloaded his theme yesterday to compare it to the one I have, then asked him through pm for some info.
     
    • Thanks Thanks x 1
    Last edited: Oct 8, 2013
  16. Emp1!

    Emp1! Junior Member

    AH ok sorry, I did not understand :D

    I will try to improve my English understanding in the future :D