1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Suspicious encrypted code in theme..

Discussion in 'PHP & Perl' started by Darius Arsalan, Jun 29, 2012.

  1. Darius Arsalan

    Darius Arsalan Junior Member

    Joined:
    Nov 24, 2010
    Messages:
    137
    Likes Received:
    204
    Location:
    Longitude 102.5333
    Hi BHW,

    I download these theme from somewhere:

    Code:
    http://www.warriorforum.com/warrior-special-offers-forum/616266-hot-offer-amazing-easyzon-estore-wp-theme-will-skyrockets-your-amazon-profit-mobile-ready.html
    Download here:

    Code:
    http://www.mediafire.com/?iu8sgchca4mbm7s
    I check it and found something suspicious on pilihan.php file..

    PHP:
    <?php //0046b
    if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');if(function_exists('dl')){@dl($__ln);}if(function_exists('_il_exec')){return _il_exec();}$__ln='/ioncube/'.$__ln;$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}if(function_exists('dl')){@dl($__ln);}}else{die('The file '.__FILE__." is corrupted.\n");}if(function_exists('_il_exec')){return _il_exec();}echo('Site error: the file <b>'.__FILE__.'</b> requires the ionCube PHP Loader '.basename($__ln).' to be installed by the website operator. If you are the website operator please use the <a href="http://www.ioncube.com/lw/">ionCube Loader Wizard</a> to assist with installation.');exit(199);

    ?>
    4+oV57vT2rZGyO+VkPsUUomzMoySCh43SkrbfQciX2V+zqmroYQirmb//lehm8wSyCXDIWVXHNkK
    UOzsZLX0yCf58vqPiOw6nQGOHjZZCGQDzL6NdmnVOlf1H61eUWb2pApL5cp8dSuA83kby/i54lQX
    nJVzRT21d+0a3Q/GvG/1/MsE/sZqcjTSMrIkMhyHS4s7CwZxvDPhTHn11+I+lYJxUiF8tdLkb/bG
    uc/o+1p62+xt0loawXr+geJEQWVqGETW0M3CK/gWqXvfg7XzcsV2gkSfXJut0ieZyuE7dnSk0xEr
    P73mk5gSpksA7AYzyy8QG0sAAvbrBPPDB6HGiHJGO4JvMq9ZVnkb/WO4PAMMH13V9afBDvQZaReI
    X1qsDnMaLTXuetFpiZ55MgjTP1VUc94ZNpGZuTT0STDbMVxN09DJek1SgI1qh9LXrYWI/0YwGDbB
    RdeW9Ot1DOZifQruj15mDkrqFUsjKCAicJapMN2mNZWbWv8ZPak5cgckIxPnJFK/NOgSnIwN5+ll
    60GIun0KJSp2ruLcDgEy313FrwU2kidBkyg5LOga41pN1MTd+JRllbf2wiZ5E9F4CKs9drpkrII8
    wVuvXKIJ5uCF7WiwrCvc87Q35kD+PMBZuttSMsqpHCttvmXl+nBujUYhvXphC9h69dTV0gko0JrO
    SCoh4704lh8NAK7e/NmnFcJo3ueIy3cQ/+WVrcNgR+ddR9n4acUQUzd8cT/4mqEfQeCJ0fZqTDCO
    3gYGAS26iLypij1trwvC0I5XJXAb4N1avAgZlaA0loQOxfpvhvZS40lBPj6WD93jumeJuB28/eAB
    W0yYjZxqIOX2FPHCFdHYTdbYkWlblihJ7+Fzr/cIPRNaKxXQdjg9X231Ch9hSFOV/XDeUZc4Cwm6
    tXFKn5GsoaBKkK0vml4r/lKeMLnF8GQ2bcaR1irLVfJSSgxgrFVM8eJwSw/oKdYP4cOvL7uZ6Fzh
    qx1Tjfgf6tCUcTu9RU2sTyWffQLIqdtqaoFcJrpccq3cmX48pedh1s4Ndnm+TWV/ETbHwJV2Aw4s
    O6GTBmuEO2eau209HhFoW24Q0XPLq/gVRQGi8LZWFpRszcdMw5Ex0K+/CtbwTlpZMZfWTtf4ldPN
    7f9PskF5BGUt7iQqANj9nnHaKG+/GWbiLsXsrZ33LLIt57OfhxSRdLCRVlNjFGa/cy6zrjlufRrt
    qwXsiAZL5gX3KJ7Ho5cKqnyKGbdz0X0zsU8kHWycWyY6/AEokEX+pPRI6jEsjMckCmEU76TwypI8
    Q1F/YrzL5km0mD8Spxekg+fecxawE0jzvVvp3Dw8nXaQXT31JPVXp9FUDox/2d7u5pGsosQyyONJ
    nrTeYEHk++laziXYPdufjVUWRHc7DhmiGBTQTtM3vArEboKvmzylXHK7/VJoLjNijiJIeV13oDDD
    aECj5aiNUggUKaKF7M4t4nvG+uK2Fk7auILvzB1ds86kfExx4KSAEI1a2KYaBxMV9q0zn20nkc1l
    BSteerkYkMmT/VbvRBhd1AizATmiUIfUg7sHDxzoUwCA8NTl4Ez58Abk55xgPRXfcKWFPtJvCnKN
    bCt4Cn61ghja5VR9E0+gZoFThHvVvmsxXCV8OnES8UBjfuVPXJ9BLJv2bTlX23fdJ2L5FxfMp7ea
    gTusxrV/eo2b8yLl/zWNME6sdqJSJ/rUsMjLkeG4DHQWVoN4R1YIunMzJCn7wynyHyAATcY83VNa
    3HR3mzEuRwK3vUp7jsoQ2uijpRDLw7+dUOZ0GPqnv29MLD183fiDEZHwn2G13+DwmJf0O2R/CqlQ
    oJWI/j9BlW8X3eW1rHCbg4GGbM/JdDohGv1d77l0iadzd2JVrWZ635qTDorlSxGsSeKBI8umDaMu
    zxv2HDz7l3fRD8Uz4g1EBCBM+XkV18uMeQJ62u7BWWv+6uIi+YeXddOSevjct6Q1wRMsFTJpxubq
    O5BEqMbR3KnCtc2V/bZ02aRREmfBPXoirMJPXMwvj2T3Rn/eIPijjhZvMK0h43lmP/GehcpDAbmZ
    r3uboP0cc0CKZtrk2j+lR40fHYcImLUEg6wGWg89kLRg+UL+wV+T5jqd9inKXkfheALQaWnW3g3U
    KNOTeitc/4Mb6wmfz+A+HKkeSDRZpyynQ4uv3EqmQzROferW33/4YNRKWrcjYaP6OOFX8Bu/44dJ
    AdukG3HF5XgnZnJzspMLKJSEg/tS4iT2uh9d1dcsSp/3LnvMd8trPnd6SAWO1RJNvJVxBqIFr1/h
    ZfSFGtXh+Yo0GjHbSqEj717ezuU6Tl1e8fPCe4G3AKI0FvK5mPR25b9PPA8b+7rlZcwiRORwDeXH
    DnlmVPLYL1XiYrbSjqCU/q9G5uUfzgOvl8UnI63y73ra9c63xEfYKnwk6PVMmvGagPuXjxYN95yQ
    4UQdk/ErD3zCEChDr2r/s1m6569QzbcI/qvxH8i9dxagkjht1OQIoDqhkqrbKpPeGjiC9S0nW4dO
    zwp/hQzBUiulB1IP4Ta19xwlKKJQqT/Vm/gojaz/tZ7Cn9INoq+7xPwdIO121D4wNhF5V2DUPzXM
    UBOptT5X2uIl0MTCP4bKnPXBlF7RSJg/yIoXB9Nux283hBunuR+JgifgeuGNKy9d8YTXIa4+i/Yc
    G/P4YHkyOeoGDzsGvHvA4qrTSVm/4w8g//nJ/9UakOyn66ef3TAU7k9ePch/JjSLDYBEo/NwtelP
    BvqwHRRDFRnHKFwH7LZiWOrDRl75jdMolPlpE1HtVtcWJqjgG0CvKO2JJJkVd9MvRdnwVODcMtM2
    KM7Z9R9v12WDA7glZZTZgDyLRtgmhlnWvIothUVgqdzcdtC4znNe397xJa0h0IYb+Z5OLDeQnUDu
    NfIOccINh5NBHQ6B5lio8lMHD2ztiqFf1RjEwX96sp5N+vw0AHzIlIPuAZG2gZ8aLYMnTEbUu5RM
    qpfOPTAPU3aN2uo8U1qAFkxYt553YyAuMDkmKqSetSME/gENn8TpTKZPEkFYh1N/cxBF3lOQ6onA
    /AhGVP9zUiE9DUB7mjNrTHlRslEmc/YVAhwdVKh/5CcK4SfR4iGZNqwg/VwL6L48HqpLlCpniI6H
    aaHPtlH/al9oDXGoZZTCO30BL8W7XQ7+UktSLwm8kze4gkiCQP0cVrTbFYqP1e+8ZtvrKOlgzDKx
    JCm51QYxexqJnlnl0U63ENWZ9K0xs1R+k/Bt5Kk+bC7sfcA4jtY0GsBUeBV2wp5hZ/ujVvAgB3wj
    5HA/vNl7y882QuDsIPWONnn5eRw79dZoLAlGcOD2o/j2ofNIt6ii0qT16+waQl5mATzLNuM9NwR9
    sekEWigD8yvYORtrr468BOdpwrJF+EvBBVITtvuI4c46p8TCeZSZ4l+8AQ8STyCQ5798Me8n/oaH
    /ivUK6ZJGjVA4czQnmUlGNfvAhCJbd6dCuE262VvNWPqzzZh7R98rZHoeOWo7s6/5p0L2zku4jNa
    3zhoMrtj2B+e7UNkWypfhIu4MUyXh/FM9J27m5nurpsr7STjMozwfCCd7e3EQ+ZdW07xYXzbHUaN
    0d2/q0DM/+WA81BICblWJOJMlm7W2OaxfZtUWtd6Ra0jVAqkCopn2F6xyUc8fj5D6sXl9QfXy7Zg
    8/+h19J2V8ItOqxLaLb0/9c+TS2d+M/Th3HeGx542JMeli97mFmeprmaXqbHGcclemoh1BsAayEH
    wTj44xPwSRpkNUQuiQCkU7m+uEfwFksHSJfYw6JmgNJztcJCkRo/N0KEr8o99eysqWosLNZ/dhEs
    g5zQ9W3K8RmHDq3t8ErRVDPR0hLQN7nWmiivo9hceVThC4hV3Z7Gb9R1hJCAABTMYzTA0oKcFhLR
    hmWYpT62NpL4cZMQT1LWj0v2B9YC9wtbWIov/slBuqgKUg3AyDqtTKWUu3cohlYrVEHMHdWiW4b8
    1HAo6eMh0kHvAY2qY+scsd3l+z3CYYbWIdlq+ou8vHsgU9+s4s2yo6qFei2d3ssCvYi9u3cvbSnb
    EsZffxrk3v517eJGBUCKZfhHtLdghKz2cajewgJzFfEYiZKM5y0/N/vtLyZks2aI1l4nRsG1mj89
    tij7VF+bVvY26xTBSZGkBdZVxjAVTVNh96zodGvFaL7gJa3Zm5Nr8NhQG2NRziscxRxYFt0nk9fZ
    FWoSHcTh/5pbUHoOADgvy6vXTrvukAopdv7Gq/noM73oa9kEpVrBK2pEpG5C1FRseo3Mx0L6agzQ
    4wL7XB++h0sUJIfcWQqHYcKL2cCrmQ1lMtc7ejuhqFKAcSPVxgXr34JbQp+WUQlKGVWOsh0gv4zU
    jbluP37uIEU70ROmgr0LIElzU0zUEMblYLRiqD1o+me+5EVVtQtJwoqk3AW9h1IKB9Yw4+I9g8gO
    RcdtJxuZWV7vRLHSLLnCadHS9TWieLlVfd15kmBaX5qJ/x0eZGlNhG1TuymYVHQJx8FuTpAV7uP1
    9cli7oyk+Y9B+u+bIVcyczAOCOh7NXRNGF8jTeAha2D5xG7Toz3LOnaROWbOAKPRjrZEsdgs1lMt
    ByeMq98xaQgrTmT6OSx+FXoM3oXO9+v680ZaSCa0Sm4pRWleG/RJjYUdz1NPu2lHSRcxRZb10KMA
    igtc809uvujUwYaWMQGvWQJ6MLmvJ1hKGLaRU5MKYZwcby3LAmKJZbilJkBhPJZCcpLm+q+ynim0
    WnRaoJFToq4tRbKLXMMptl6UT0Y/sw+QqGkOouh8lpGTONapydS4+NwTQ4pB+wid/ipTxHwNcdtN
    hBkRTsl/dtPWGBiP3ZvvNrudG3/OHopRVOKt0DfDcKMGZnM+wvl9QNVk7RFDn5DcrczqbeGlE6rP
    kfqg2aVkyWzru5slswYded1UoRqmn3dVZtI55pXTl8TSau39jm0NHoSSKoKhM0zx+haUCdVhQrDK
    s5kuctIZDtU7/l3a0rqi8aLXgLP65++sxTWtnoRO6Skpxf55xLrdWf9hB/L2blkqmhYtVP2bcMPj
    bHdihwT0dlU90LhGFcJ7B0thDTc1LQ8tp5O36ziaMJ24jV/4i/Uj4ubCTM2W6D4lURwKu3xMUKAT
    67zmfu5itcuTVaRG15ijJVVdE4E7U7aec0y1x2m+MS52JeLiCrjLW6YMEw0JJxqT/e61iK54RaJj
    T2GhNb80RKMjJNrouY3PvZ8LiEmrhwifWYhMZgKOstsGOeeqtrmpDn/CMaPJXr2DQsB2UG/s9AyD
    8phKOz9sPZ1WoxIjLVzR6yE7ILYG4Cy9c7QVuvg9OJdZ96I3IWnBsTYCvnI5fvjLOK/zzFdnZW82
    UKo+G1Wra+qIJ69UdxDf8KLGimgDpo4KFqkE8C3FTJEcvsXcRjB/ak05MAwqG0s0q6W18X9PhIjP
    Lo1uq6j0coD+wC2on+5Qg/V74+QEX210RY6DXnY6uiAPXh8uPnXiWFsdaERhJ2dPfeZxk0D9Hrdz
    RdMkU4R1TheW/xm6CkP0bJRqXkoMs6TbMoG48/L8wQ7FFm7RnsYz3LnFrlWleQq74ZjATqIJZqs+
    JfqbTEPlBUYxZRBv/wBQRwZcQM1rMGPONGonnoRdGm/fN8oKCqDXSPQDQ1GzBVA8P8exQ2LNgzJW
    HRZEnPqOHYxhDlx/+tzEi4es676L66AB7M394mRuOGvSIaJwK285wVF2A/frmiMp4M3U09c6qVAE
    a+MVM6kjQ8rSy6SIEpkkdZDFXxL+3zRSaZd8oytoDKePOhSFvOgkXgSSCqee2M0tRWkaYzjvJ4q2
    LaWbXb/iFhgpkDIp+4cJCZ3/S2Om5OY5FogKpE37iWggYjDXHptTnBH3+Sq/2DKE78xaQzFxVmAj
    /dzOnuGMR+8usFWDlg1VkILEln8pzHzJjP3ssgnBhslaOfCz2khHkFoIpv90BGLNkgE4UQqltehM
    hXu+Xni0X08Xr67dvJr2ehDJjgaDYd3sPOCaZSLnAXcKH9or1gbyjHPZknIpa6Ndos/en9zKoQ67
    ONCNTF2GiXHMrV7AGvYIoczY7XfSkrmVgaDmos1dYx6YqkkXeugmP6oFMPKlTcSU3Ab6q9JHZ/Ll
    Dp04xRN9+ZPQnDQjB4VY+O6gUZ4bbWQJpNUrt2qRYRkTxtmXytYUKyL/xMCxQfGstXRewQ8u690o
    N3X/QfELH8xknfEIG/yjgTQfuZJusLOrzrnazBJqZSFXYjUleZL28SN8IFq8sEFXtt3H7HilWASN
    1XpiXA7+T8AbxtV3z2+uWA9INVfhGUNNstR6HiC/TAfVTkOnb/uDYB3xdcziE3kmTp8PLuGP9Inf
    lrEv5QWDZlH2PFxkSo2ekR+o+SCTOIssUEeHayjesFe35TyLYfyHZaQKP52aEV6XnegRjChp7G6q
    AQZJe6wiEhU/RsDSVWlPnuV2jg1z7/462tr+zckpuCLoJdexAeMNEWKC4+/9jswCC6piwhroGVKN
    0+unsyYoR58YfMAvBe+YAFj+WspmtQ2GOU6cuv+XzVJD3Ib4KCDC9wGiaup5shTlauOXSqLF7exQ
    BDdJZ75jHkhVmrQw7EP2x05F/dybO49m9OhCMqwNc7mcXhZnqRo3SRw5drt/7qojd2dX8hPOrF0k
    pn2d5E1u6zgcs3L9V92v75s5VjVaXRa/QLE6dUr4dXM23JAbWfFBNmoCcP3VVzC86rPnnyF6NHhf
    cMNmQKFLT4UjKWp8qw1wL2xHO8pQ9Lf1pjp8x1vrmuWP2+2Tbghxa/QgT4mRmtj3mBMaPL1a7RxU
    14Z1fd0DZHpfkM/H8WVntytdHwGzS8GjYlHSVMwOz2vhuQjH/hD4hEWwcBti3wvJp9KtVxvZFvU5
    PdKGyWyjBn2fD5IvgR+IMrbaIsGKRS9OX3J4GKVzu+2Vj14hVlGAqvE42tFgWVZZYZEWxPTrxSyM
    vTqttNHTkScZh1eVtlK4cj+hMKiHmcIxFlNNIsiSrsvU8htTG1BWGbPc8Xcc6UsNzxljcC36gxJb
    nfyVmu/7lbUZAoTCYzs7iRIOQTawlA15L5LQOGSSC2ElJvftMcKIrggmGB72ZF16/9a1afGNp2hS
    CrGnJQlNi3MIsmfAMf58vI8k2/lRfCeHlhA+zV3pOTpuN7s/ttiE/4ogygGdojbfen2rkPchodJV
    6kTWz7x+D6mmxQqh3Wlhc5VjPPyMnHwimlbv+fh2nWbowa53PPJA+x3LH4zsS+SbSUMM8/+x3mZs
    FdmNWNT5dHfzGy8jBGpXrCKCT9anjAKxu5Qc24fQMv8BC008diygtPjWU1bjUSnJ7brTRlS9g8MK
    8H2y/cL8V0jHp+TrJCJyWtkzc8m5XAb/7EJQCxgmb8EwtfM4yOkWBivt1WzOCphRE8Aw5IpBKNhy
    mQxpmoFxIYmE83qKIX0Eh6ltIK0E+Z6uXV3FltsW4pGLiVP+x/vtXhQlHLitTnO67UJM9IeYRkIp
    +gZ0H55Esh+QuDSSqWZLJ/HANOEo0YGVppg5TbdggZN6WxSmq2ghlQOo2UFDo8F9Rhv3+aTZ1uwC
    mJhodl77rVYTGGrc7HGD61amiO1mzYb6BwSQzvZEm3WanBh+EEgtetBDdi2wEOZU9NyxOMsUw/cV
    k4Qf59xQgSbM69jTGG6IXjr44vY/b9X5IzKJB68xDb3GDGtMJzs4ZGUxwy39TlsUhpF921Fb318H
    b1o2s81nHX4XfsptPiXfJXh1/VU4yQkOSQYIGL0nSDBr5fdswtBHUp+KB2/tf98kSqsT6KvejTYb
    a+wDdOxmKoVwwiWrGmWEnx77cParyW3/sN/y3pvP45z3dozZBDRWXNX7hAjICBgmPnnQNeAdURTC
    grO+9Uf7DR1qFiD+O/uIpfwKxLEXuA31gaA9mOWsyvIWKBUslpbx1/dB7fRY7HPJ6kyq1xIhQD9o
    qrHP2b7vf2l/q6UjnKrvFIRBjvWqKuYRu8d+qmSYTBQ8w3+qbqIV35odlXHXefqA6tm0C+KxcrX5
    uL3VtUJprCmUQAJr4NBbPdqIvOXd/FdzrM8zcCtuKDEiSrMXS54MuG==
    Can someone decode it because I worry it has amazon affiliate cookies on it..

    Or anyone know where to encode these kind of code?
     
  2. 2k9bomb

    2k9bomb Registered Member

    Joined:
    Sep 21, 2011
    Messages:
    78
    Likes Received:
    22
    Just remove the encrypted code. 99% of the time, encrypted code in WP themes/plugins is malicious.
     
  3. Darius Arsalan

    Darius Arsalan Junior Member

    Joined:
    Nov 24, 2010
    Messages:
    137
    Likes Received:
    204
    Location:
    Longitude 102.5333
    If I just remove it, it will never effect my theme function?
     
  4. cool0403

    cool0403 BANNED BANNED

    Joined:
    Dec 29, 2008
    Messages:
    565
    Likes Received:
    718
    why don't you pay those people with ionCube decoders to do it, i saw a few russian guys that had a service for decoding that.But you should be proud, not many people check their themes lol you would be surprised how many people will just fucking upload their themes without even looking at the php code, trust me the majority of webmasters are dumb I can tell you how easy is to just spread a theme and get backdoor access to hundreds of wordpress sites from dumb webmasters.
     
  5. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    Could also be a licensing scheme and it 's encrypted for protection. But of course, when you get encrypted code, you never know what 's really in it.
     
  6. Darius Arsalan

    Darius Arsalan Junior Member

    Joined:
    Nov 24, 2010
    Messages:
    137
    Likes Received:
    204
    Location:
    Longitude 102.5333
    As I download this theme for free, so surely I will try to find the free method first.

    Just remove the suspicious code and got error.
    Recover it and everything is ok.
    Suspicious about people put the code to get free commission from my site.
     
  7. powforlife

    powforlife Junior Member

    Joined:
    Dec 12, 2009
    Messages:
    144
    Likes Received:
    74
    Occupation:
    Directing Traffic
    Location:
    A to the Z


    I highly recommend you look into sucuri for wordpress malware issues, if that code is in the header.php you have bigger fish to fry, most likely a backdoor in your uploads folder that was put there thru the timthumb.php hack.
     
    • Thanks Thanks x 1