WordPress & Eval(base64_decode

A good friend of mine sent me an email today asking me if a free theme he was looking into had a virus or some sort of spam code in it. The code he was referring to was a couple strings of code that started out with..

eval(base64_decode('

the code went on to show what seem to be a random string of letters, numbers and symbols. I explained to him that this was the theme creators way of hidding code, so the wordpress owner could not own it.

The easiest way to read the code is to copy all the random (stuff) between the single quotes and paste it into this page Base64 decoder and hit the decode from base64. This will enable you to read the code and make sure that the theme doesn’t have any evil code.

If I’ve downloaded a free theme, I always leave the theme’s author and weblink at the bottom of my blog, but I don’t think that the authors should put more or less spam messages at the bottom of the blog. Someone new to themes usually won’t know enough to delete all the code, the authors have even added code that if the footer was changed, the theme wouldn’t work correctly.

How To Delete the Eval(base64_decode lines

Most the code has been hidden in the footer.php but I’ve also found it in the header.php looking for the other code in other files, so our safest bet is to search through all the files for the code. While you could look through each file and all the directories and sub-directories, there’s an easier way.

Download the free application: Notepad++ and install it. Notepad++ is handy for alot of things but one of the best parts of it is you can search for a tern within an entire directory. Open Notepad++ and from the top menu choose “Search” and “Find in Files”. In the find waht field type eval(base and in the directory field click the … button to choose the directory you’ve unzipped the theme. Make sure the “In all sub-folders” check is checked and hit find all. At the bottom of the screen a list will show all the lines when the search term has showed up and which file they’re in. By clicking on the line number, the top of the page will open that file and to that spot in the code. Delete every line that starts with the eval(base64_decode (including the ; after it) and if it’s in the middle of a line, delete from the space in front of it to the space after the ; following it. Save this file as {filename}2.php. I then go back to the directory and rename the orginal as {filename}-old.php and rename the new file to what the original was named, this allows us a backup. Now upload and test your theme, all should work. Remember if you’ve downloaded this theme for free, leave the author and hir or her link, but kill the spam links in your footer.php.

Technorati Tags: , , , , , ,

     

One Comment to “WordPress & Eval(base64_decode”

  1. myblogtrainer 19 July 2011 at 11:25 pm #

    Is there also a tool where I can search and replace over all files on a server?


Leave a Reply