Hi to everyone... my name is Niko and i'm a italian boy... I'm writing to ask you a pleasure ... I have read many threads about this problem but they all seem a bit different from my problem ... I downloaded this wordpress premium theme, I do some changes and I create a skydive site... Among the files of this theme there is the footer.php that contains several links that if i delete them and reloading the file via FTP, return the famous message "This theme is released free for use under creative commons license ..." These links may not be masked by encrypted code but there are visible and clear. I also noticed that in header.php are 2 strings of encrypted code: Code: <?php eval(base64_decode('ZnVuY3Rpb24gdGhlbWVfZm9vdGVyX3QoKSB7IGlmICghKGZ1bmN0aW9uX2V4aXN0cygiY2hlY2tfdGhlbWVfZm9vdGVyIikgJiYgZnVuY3Rpb25fZXhpc3RzKCJjaGVja190aGVtZV9oZWFkZXIiKSkpIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBkaWU7IH0gfSB0aGVtZV9mb290ZXJfdCgpOw==')); ?> and this Code: <?php echo get_theme_option("head") . "\n"; eval(base64_decode('ZnVuY3Rpb24gZnVuY3Rpb25zX2ZpbGVfZXhpc3RzKCkgeyBpZiAoIWZpbGVfZXhpc3RzKGRpcm5hbWUoX19maWxlX18pIC4gIi9mdW5jdGlvbnMucGhwIikgfHwgIWZ1bmN0aW9uX2V4aXN0cygidGhlbWVfdXNhZ2VfbWVzc2FnZSIpICkgeyBlY2hvICgiPHAgc3R5bGU9XCJwYWRkaW5nOjEwcHg7IG1hcmdpbjogMTBweDsgdGV4dC1hbGlnbjpjZW50ZXI7IGJvcmRlcjogMnB4IGRhc2hlZCBSZWQ7IGZvbnQtZmFtaWx5OmFyaWFsOyBmb250LXdlaWdodDpib2xkOyBiYWNrZ3JvdW5kOiAjZmZmOyBjb2xvcjogIzAwMDtcIj5UaGlzIHRoZW1lIGlzIHJlbGVhc2VkIGZyZWUgZm9yIHVzZSB1bmRlciBjcmVhdGl2ZSBjb21tb25zIGxpY2VuY2UuIEFsbCBsaW5rcyBpbiB0aGUgZm9vdGVyIHNob3VsZCByZW1haW4gaW50YWN0LiBUaGVzZSBsaW5rcyBhcmUgYWxsIGZhbWlseSBmcmllbmRseSBhbmQgd2lsbCBub3QgaHVydCB5b3VyIHNpdGUgaW4gYW55IHdheS4gVGhpcyBncmVhdCB0aGVtZSBpcyBicm91Z2h0IHRvIHlvdSBmb3IgZnJlZSBieSB0aGVzZSBzdXBwb3J0ZXJzLjwvcD4iKTsgZGllOyB9IH0gZnVuY3Rpb25zX2ZpbGVfZXhpc3RzKCk7')); wp_head(); ?> At the same time in the file functions.php I have this 4 string: Code: eval(base64_decode('aWYgKCFlbXB0eSgkX1JFUVVFU1RbInRoZW1lX2xpY2Vuc2UiXSkpIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBleGl0KCk7IH0gZnVuY3Rpb24gdGhlbWVfdXNhZ2VfbWVzc2FnZSgpIHsgaWYgKGVtcHR5KCRfUkVRVUVTVFsidGhlbWVfbGljZW5zZSJdKSkgeyAkdGhlbWVfbGljZW5zZV9mYWxzZSA9IGdldF9ibG9naW5mbygidXJsIikgLiAiL2luZGV4LnBocD90aGVtZV9saWNlbnNlPXRydWUiOyBlY2hvICI8bWV0YSBodHRwLWVxdWl2PVwicmVmcmVzaFwiIGNvbnRlbnQ9XCIwO3VybD0kdGhlbWVfbGljZW5zZV9mYWxzZVwiPiI7IGV4aXQoKTsgfSBlbHNlIHsgZWNobyAoIjxwIHN0eWxlPVwicGFkZGluZzoxMHB4OyBtYXJnaW46IDEwcHg7IHRleHQtYWxpZ246Y2VudGVyOyBib3JkZXI6IDJweCBkYXNoZWQgUmVkOyBmb250LWZhbWlseTphcmlhbDsgZm9udC13ZWlnaHQ6Ym9sZDsgYmFja2dyb3VuZDogI2ZmZjsgY29sb3I6ICMwMDA7XCI+VGhpcyB0aGVtZSBpcyByZWxlYXNlZCBmcmVlIGZvciB1c2UgdW5kZXIgY3JlYXRpdmUgY29tbW9ucyBsaWNlbmNlLiBBbGwgbGlua3MgaW4gdGhlIGZvb3RlciBzaG91bGQgcmVtYWluIGludGFjdC4gVGhlc2UgbGlua3MgYXJlIGFsbCBmYW1pbHkgZnJpZW5kbHkgYW5kIHdpbGwgbm90IGh1cnQgeW91ciBzaXRlIGluIGFueSB3YXkuIFRoaXMgZ3JlYXQgdGhlbWUgaXMgYnJvdWdodCB0byB5b3UgZm9yIGZyZWUgYnkgdGhlc2Ugc3VwcG9ydGVycy48L3A+Iik7IH0gfQ==')); Code: eval(base64_decode('ZnVuY3Rpb24gY2hlY2tfdGhlbWVfZm9vdGVyKCkgeyAkdXJpID0gc3RydG9sb3dlcigkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXSk7IGlmKGlzX2FkbWluKCkgfHwgc3Vic3RyX2NvdW50KCR1cmksICJ3cC1hZG1pbiIpID4gMCB8fCBzdWJzdHJfY291bnQoJHVyaSwgIndwLWxvZ2luIikgPiAwICkgeyAvKiAqLyB9IGVsc2UgeyAkbCA9ICdEZXNpZ25lZCBieTogPGEgaHJlZj0iaHR0cDovL21tb2h1dC5jb20vIj5NTU8gR2FtZXM8L2E+IHwgVGhhbmtzIHRvIDxhIGhyZWY9Imh0dHA6Ly9tbW9odXQuY29tL2dhbWVsaXN0Ij5NTU9SUEcgTGlzdDwvYT4sIDxhIGhyZWY9Imh0dHA6Ly93d3cuaG9zdHYuY29tLyI+VlBTIEhvc3Rpbmc8L2E+IGFuZCA8YSBocmVmPSJodHRwOi8vd3d3LmNpcnRleGhvc3RpbmcuY29tL3NoYXJlZC5zaHRtbCI+U2hhcmVkIEhvc3Rpbmc8L2E+JzsgJGYgPSBkaXJuYW1lKF9fZmlsZV9fKSAuICIvZm9vdGVyLnBocCI7ICRmZCA9IGZvcGVuKCRmLCAiciIpOyAkYyA9IGZyZWFkKCRmZCwgZmlsZXNpemUoJGYpKTsgZmNsb3NlKCRmZCk7IGlmIChzdHJwb3MoJGMsICRsKSA9PSAwKSB7IHRoZW1lX3VzYWdlX21lc3NhZ2UoKTsgZGllOyB9IH0gfSBjaGVja190aGVtZV9mb290ZXIoKTs=')); Code: eval(base64_decode('Y2hlY2tfdGhlbWVfaGVhZGVyKCk7')); and this Code: <?php } mytheme_admin_init(); eval(base64_decode('ZnVuY3Rpb24gY2hlY2tfdGhlbWVfaGVhZGVyKCkgeyBpZiAoIShmdW5jdGlvbl9leGlzdHMoImZ1bmN0aW9uc19maWxlX2V4aXN0cyIpICYmIGZ1bmN0aW9uX2V4aXN0cygidGhlbWVfZm9vdGVyX3QiKSkpIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBkaWU7IH0gfQ==')); add_action('admin_menu', 'mytheme_add_admin'); Now, what can i do for decrypt these codes???? I tried to follow some tutorial, also from this forum... but i don't resolve the problem, because in one way or in other I always have some other errors... Is there any good soul that can give me a hand please ?? I apologize for my bad English and for some mistakes that I have committed. Thanks a lot Niko
Hi mazgalici... thanks for the quick reply... I had already read that guide, but one thing is not clear for me ... in my footer, there isn't any encrypted code, but only visible links ... Instead the guide that u have linked shows how to decrypt the encrypted code ... I've got the encrypted code, but only in 'header.php and functions.php what can I do, in this case, to find the code that i replace it... and most importantly, how to do so then changing the links in the footer, my site keeps working ?? thanks
to decode create a php file and "echo(evalcode)": PHP: <?phpecho(eval(base64_decode('ZnVuY3Rpb24gY2hlY2tfdGhlbWVfaGVhZGVyKCkgeyBpZiAoIShmdW5jdGlvbl9leGlzdHMoImZ1bmN0aW9uc19maWxlX2V4aXN0cyIpICYmIGZ1bmN0aW9uX2V4aXN0cygidGhlbWVfZm9vdGVyX3QiKSkpIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBkaWU7IH0gfQ==')));?>
PHP: <?php eval(base64_decode('ZnVuY3Rpb24gdGhlbWVfZm9vdGVyX3QoKSB7IGlmICghKGZ1bmN0aW9uX2V4aXN0cygiY2hlY2tfdGhlbWVfZm9vdGVyIikgJiYgZnVuY3Rpb25fZXhpc3RzKCJjaGVja190aGVtZV9oZWFkZXIiKSkpIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBkaWU7IH0gfSB0aGVtZV9mb290ZXJfdCgpOw==')); ?> PHP: <?php echo get_theme_option("head") . "\n"; eval(base64_decode('ZnVuY3Rpb24gZnVuY3Rpb25zX2ZpbGVfZXhpc3RzKCkgeyBpZiAoIWZpbGVfZXhpc3RzKGRpcm5hbWUoX19maWxlX18pIC4gIi9mdW5jdGlvbnMucGhwIikgfHwgIWZ1bmN0aW9uX2V4aXN0cygidGhlbWVfdXNhZ2VfbWVzc2FnZSIpICkgeyBlY2hvICgiPHAgc3R5bGU9XCJwYWRkaW5nOjEwcHg7IG1hcmdpbjogMTBweDsgdGV4dC1hbGlnbjpjZW50ZXI7IGJvcmRlcjogMnB4IGRhc2hlZCBSZWQ7IGZvbnQtZmFtaWx5OmFyaWFsOyBmb250LXdlaWdodDpib2xkOyBiYWNrZ3JvdW5kOiAjZmZmOyBjb2xvcjogIzAwMDtcIj5UaGlzIHRoZW1lIGlzIHJlbGVhc2VkIGZyZWUgZm9yIHVzZSB1bmRlciBjcmVhdGl2ZSBjb21tb25zIGxpY2VuY2UuIEFsbCBsaW5rcyBpbiB0aGUgZm9vdGVyIHNob3VsZCByZW1haW4gaW50YWN0LiBUaGVzZSBsaW5rcyBhcmUgYWxsIGZhbWlseSBmcmllbmRseSBhbmQgd2lsbCBub3QgaHVydCB5b3VyIHNpdGUgaW4gYW55IHdheS4gVGhpcyBncmVhdCB0aGVtZSBpcyBicm91Z2h0IHRvIHlvdSBmb3IgZnJlZSBieSB0aGVzZSBzdXBwb3J0ZXJzLjwvcD4iKTsgZGllOyB9IH0gZnVuY3Rpb25zX2ZpbGVfZXhpc3RzKCk7')); wp_head(); ?> PHP: eval(base64_decode('aWYgKCFlbXB0eSgkX1JFUVVFU1RbInRoZW1lX2xpY2Vuc2UiXSkpIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBleGl0KCk7IH0gZnVuY3Rpb24gdGhlbWVfdXNhZ2VfbWVzc2FnZSgpIHsgaWYgKGVtcHR5KCRfUkVRVUVTVFsidGhlbWVfbGljZW5zZSJdKSkgeyAkdGhlbWVfbGljZW5zZV9mYWxzZSA9IGdldF9ibG9naW5mbygidXJsIikgLiAiL2luZGV4LnBocD90aGVtZV9saWNlbnNlPXRydWUiOyBlY2hvICI8bWV0YSBodHRwLWVxdWl2PVwicmVmcmVzaFwiIGNvbnRlbnQ9XCIwO3VybD0kdGhlbWVfbGljZW5zZV9mYWxzZVwiPiI7IGV4aXQoKTsgfSBlbHNlIHsgZWNobyAoIjxwIHN0eWxlPVwicGFkZGluZzoxMHB4OyBtYXJnaW46IDEwcHg7IHRleHQtYWxpZ246Y2VudGVyOyBib3JkZXI6IDJweCBkYXNoZWQgUmVkOyBmb250LWZhbWlseTphcmlhbDsgZm9udC13ZWlnaHQ6Ym9sZDsgYmFja2dyb3VuZDogI2ZmZjsgY29sb3I6ICMwMDA7XCI+VGhpcyB0aGVtZSBpcyByZWxlYXNlZCBmcmVlIGZvciB1c2UgdW5kZXIgY3JlYXRpdmUgY29tbW9ucyBsaWNlbmNlLiBBbGwgbGlua3MgaW4gdGhlIGZvb3RlciBzaG91bGQgcmVtYWluIGludGFjdC4gVGhlc2UgbGlua3MgYXJlIGFsbCBmYW1pbHkgZnJpZW5kbHkgYW5kIHdpbGwgbm90IGh1cnQgeW91ciBzaXRlIGluIGFueSB3YXkuIFRoaXMgZ3JlYXQgdGhlbWUgaXMgYnJvdWdodCB0byB5b3UgZm9yIGZyZWUgYnkgdGhlc2Ugc3VwcG9ydGVycy48L3A+Iik7IH0gfQ==')); PHP: eval(base64_decode('ZnVuY3Rpb24gY2hlY2tfdGhlbWVfZm9vdGVyKCkgeyAkdXJpID0gc3RydG9sb3dlcigkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXSk7IGlmKGlzX2FkbWluKCkgfHwgc3Vic3RyX2NvdW50KCR1cmksICJ3cC1hZG1pbiIpID4gMCB8fCBzdWJzdHJfY291bnQoJHVyaSwgIndwLWxvZ2luIikgPiAwICkgeyAvKiAqLyB9IGVsc2UgeyAkbCA9ICdEZXNpZ25lZCBieTogPGEgaHJlZj0iaHR0cDovL21tb2h1dC5jb20vIj5NTU8gR2FtZXM8L2E+IHwgVGhhbmtzIHRvIDxhIGhyZWY9Imh0dHA6Ly9tbW9odXQuY29tL2dhbWVsaXN0Ij5NTU9SUEcgTGlzdDwvYT4sIDxhIGhyZWY9Imh0dHA6Ly93d3cuaG9zdHYuY29tLyI+VlBTIEhvc3Rpbmc8L2E+IGFuZCA8YSBocmVmPSJodHRwOi8vd3d3LmNpcnRleGhvc3RpbmcuY29tL3NoYXJlZC5zaHRtbCI+U2hhcmVkIEhvc3Rpbmc8L2E+JzsgJGYgPSBkaXJuYW1lKF9fZmlsZV9fKSAuICIvZm9vdGVyLnBocCI7ICRmZCA9IGZvcGVuKCRmLCAiciIpOyAkYyA9IGZyZWFkKCRmZCwgZmlsZXNpemUoJGYpKTsgZmNsb3NlKCRmZCk7IGlmIChzdHJwb3MoJGMsICRsKSA9PSAwKSB7IHRoZW1lX3VzYWdlX21lc3NhZ2UoKTsgZGllOyB9IH0gfSBjaGVja190aGVtZV9mb290ZXIoKTs=')); PHP: eval(base64_decode('Y2hlY2tfdGhlbWVfaGVhZGVyKCk7')); PHP: <?php}mytheme_admin_init();eval(base64_decode('ZnVuY3Rpb24gY2hlY2tfdGhlbWVfaGVhZGVyKCkgeyBpZiAoIShmdW5jdGlvbl9leGlzdHMoImZ1bmN0aW9uc19maWxlX2V4aXN0cyIpICYmIGZ1bmN0aW9uX2V4aXN0cygidGhlbWVfZm9vdGVyX3QiKSkpIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBkaWU7IH0gfQ=='));add_action('admin_menu', 'mytheme_add_admin');
wickedguy thanks a lot... you're fantastic now if i understand well, must i replace this codes ???? right???
ok guys i have replaced the codes and it works all the same... now I think that to delete the link in the footer I need to correct something in functions.php... maybe in this Code: function check_theme_footer() { $uri = strtolower($_SERVER["REQUEST_URI"]); if(is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0 ) { /* */ } else { $l = 'Designed by: <a href=... ...Shared Hosting</a>'; $f = dirname(__file__) . "/footer.php"; $fd = fopen($f, "r"); $c = fread($fd, filesize($f)); fclose($fd); if (strpos($c, $l) == 0) { theme_usage_message(); die; } } } check_theme_footer(); but there is any method to erase this code and change the links directly from footer??? sorry for all this questions but i'm a newbie Niko
REPLACE THIS PHP: function check_theme_footer() { $uri = strtolower($_SERVER["REQUEST_URI"]); if(is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0 ) { /* */ } else { $l = 'Designed by: <a href="http://mmohut.com/">MMO Games</a> | Thanks to <a href="http://mmohut.com/gamelist">MMORPG List</a>, <a href="http://www.hostv.com/">VPS Hosting</a> and <a href="http://www.cirtexhosting.com/shared.shtml">Shared Hosting</a>'; $f = dirname(__file__) . "/footer.php"; $fd = fopen($f, "r"); $c = fread($fd, filesize($f)); fclose($fd); if (strpos($c, $l) == 0) { theme_usage_message(); die; } } } check_theme_footer(); WITH THIS PHP: function check_theme_footer() { } check_theme_footer();