  1. #1
    SitePoint Member

    DeObfuscation/Decoding

    Hi, this comes from a free/GPL wordpress theme as file blog-cms.php

    http://www.elegantwpthemes.com/?p=530 so I am not trying to steal, but I am rather afraid that the file has been infected or is being used for malware, so I want to see the "guts" before I start to send users to my site.

    Seems like obfuscation of some kind:

    <?php if (!function_exists("T7FC56270E7A70FA81A5935B72EACBE 29")) { function T7FC56270E7A70FA81A5935B72EACBE29($TF186217753C37B 9B9F958D906208506E) { $TF186217753C37B9B9F958D906208506E = base64_decode($TF186217753C37B9B9F958D906208506E); $T7FC56270E7A70FA81A5935B72EACBE29 = 0; $T9D5ED678FE57BCCA610140957AFAB571 = 0; $T0D61F8370CAD1D412F80B84D143E1257 = 0; $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[1]) << 8) + ord($TF186217753C37B9B9F958D906208506E[2]); $T3A3EA00CFC35332CEDF6E5E9A32E94DA = 3; $T800618943025315F869E4E1F09471012 = 0; $TDFCF28D0734569A6A693BC8194DE62BF = 16; $TC1D9F50F86825A1A2302EC2449C17196 = ""; $TDD7536794B63BF90ECCFD37F9B147D7F = strlen($TF186217753C37B9B9F958D906208506E); $TFF44570ACA8241914870AFBC310CDB85 = __FILE__; $TFF44570ACA8241914870AFBC310CDB85 = file_get_contents($TFF44570ACA8241914870AFBC310CDB 85); $TA5F3C6A11B03839D46AF9FB43C97C188 = 0; preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNo bykv"), $TFF44570ACA8241914870AFBC310CDB85, $TA5F3C6A11B03839D46AF9FB43C97C188); for (;$T3A3EA00CFC35332CEDF6E5E9A32E94DA<$TDD7536794B6 3BF90ECCFD37F9B147D7F { if (count($TA5F3C6A11B03839D46AF9FB43C97C188)) exit; if ($TDFCF28D0734569A6A693BC8194DE62BF == 0) { $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8); $TF623E75AF30E62BBD73D6DF5B50BB7B5 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]); $TDFCF28D0734569A6A693BC8194DE62BF = 16; } if ($TF623E75AF30E62BBD73D6DF5B50BB7B5 & 0x8000) { $T7FC56270E7A70FA81A5935B72EACBE29 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 4); $T7FC56270E7A70FA81A5935B72EACBE29 += (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]) >> 4); if ($T7FC56270E7A70FA81A5935B72EACBE29) { $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) & 0x0F) + 3; for 
($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $T0D61F8370CAD1D412F80B84D143E1257++) $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1 D412F80B84D143E1257] = $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012-$T7FC56270E7A70FA81A5935B72EACBE29+$T0D61F8370CAD1 D412F80B84D143E1257]; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571; } else { $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8); $T9D5ED678FE57BCCA610140957AFAB571 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) + 16; for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1 D412F80B84D143E1257++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]); $T3A3EA00CFC35332CEDF6E5E9A32E94DA++; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571; } } else $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]; $TF623E75AF30E62BBD73D6DF5B50BB7B5 <<= 1; $TDFCF28D0734569A6A693BC8194DE62BF--; if ($T3A3EA00CFC35332CEDF6E5E9A32E94DA == $TDD7536794B63BF90ECCFD37F9B147D7F) { $TFF44570ACA8241914870AFBC310CDB85 = implode("", $TC1D9F50F86825A1A2302EC2449C17196); $TFF44570ACA8241914870AFBC310CDB85 = "?".">".$TFF44570ACA8241914870AFBC310CDB85."<"."?" 
; return $TFF44570ACA8241914870AFBC310CDB85; } } } } eval(T7FC56270E7A70FA81A5935B72EACBE29("QAAAPD9waH AgIGZ1bmN0aW9uIAAAdGhlX3RyZW5kX2NhdGVnbwAAcmllcyAo JGVjaG89dHJ1ZQAgKXsgICAkcG9zdAIRID0gZ2UwgHRfA1EC9H koKTsCIGlmIChpc18CIGFycmF5KAL2KSk6AcAgZm9yZRgIYWNo BXAEhmFzICRucGMCAyAkbEMgaQYAdGNbXQYQAYEtPgXwX25hbW W8/AXRIAnwBEQA8QDgaWYAkQdRCqIEcwtBBLcwXYQOAjFlbHNlCEJ yZXR1cm4B/QWhBMJ9wngKghFVYmxvZwfRICgP8wEGD/MA8WluZhQwbygiAlEiEBIkZXhwC9AAYGxvZGUBxCgiICIsICQC kQIxAiN0b3QCIGNvEgF1bnQWEHhwAWNsYXN0d29yZAGwyMANkA GZZWYDAWltcAUnFgJfc2xpY2WEcAKiLDAsIAUYLTEpBVIQpAQR LiAiIABzPHNwYW4+IiAuD/AG5QGAPC8BgxKAQCB9D/pyZW1vdmVfbRtwX2xpbmsAECgkY29udGVudCkgIOEgJG1hQEB0 HPA9IHByZWdfANIoJy88YSAABGhyZWY9IiguKykiIGMNkHM9Uj wiBFEtBFEiPgGBL2knEYAE9ACgA9Jlc/ggC2Ic8gESBoUbUF9kYXRhEcBzdHJfcgwAZXBsYQ+hAlJlc1sw XSwgJzwvN99wPgVYBLIgA6Ae8gCABCIOQCAOUQEAAYIIJAFw4B ABYQ/gMRthYl9pbWFnZSswdz04MoRBCpBoPTU3AHBkZWYI0CJObyBJA gJQUEYc4GQesWtleT0nA0InI0JnbG9iM8JhbDOjBmAgJAHCA8A 0ATBybWV0YTKzLRmxPklEBcAEMCwgN0IDEmcC0CQRZGlyG6ABB yJ0aHVtYi470D9zcmM9HNIFMxygABAmYW1wO2g9JGgmYQCQdz0 kdyBAJmEAkHpjPTEmYQCQcT0xMDAmR7hhAKBubVQDwwyQBmEio 2cAsBCCEGpzaG9EA3I+wGl0bCbQbGltaXQ9MjYKgANBKYY9MQC QdAGxPScPExvhZW1wdD/wAYIpnAMQciAkANIMsBwQaXBfdGFncyhD8QFyCfAoJycsADBmY TpgK6MIYQShAuBsZW4ohvAD4yk8PSQIAgUyfT1BKIMEUgXLc3V ic3APdCK3Br8GsSwnIC4uLicsBWQjMgelRRIXej09MQbCIA7BD EQSQCAHxySVCDIBsiAmEiCgRxQ2cwijZWxsaXBzFCBzdHITQA1 gLeMZEmlmKAEgAPAoJACAKSA+OdBlbgHDIPKNATENgQQyAhIsI D6wJALwLTMpIPEMACIHdPgBLtYEgAEwDJEtHW5ld19leGNlcnB HsPXvFLIhIQ4yDiJzBpJfCsUqQROhAzUpC5EgERKmBhkgE21vW 9Bwb3B1bGFyXy2xcygMczBFCAJ3cGRiCZAgJHJlcXVlc3QNoCI BoFNFTEVDVCAvkQMxXxSCLCBDT1UMRk5UKCQDIWBAb21tR2BzL mMAkwXSXwDASUQpIEFTICcBVVACJyBGUk9NbyAgA5QFIXMLQAR 7EwIIRi49UaBXSEVSRcGAVCAGgl9hcHByT5BYsScxJyBBTkSPw AUaLklENaAMwAmvCaUDQgfhX3N0YXR1QkBzDqAncHVibfBoJwf/IEdST1VQHA0gQlkGdQ00Dx4gT1JERVICkQIkXw9SB8AgREVTQw VzB0EG4RAUHBFyZXN1bHQ9nHMoDyUbwjXBefJzGjN5zHMgeZEE 0QH0ICTfOSOxARFzedMAsUsBHQEvEn0gOQFhlALbIjAJ0vxyKR 
Ey9QIWBAABgDLWcmVjHqANcBiiZWQVEnNA/ygxQGltdD04IAjzJR8lHhIVJZEAxQtBI3Db/CI6AcRzCiISNSAhXyFdGzYEFAqSBdAEjxtfSUSwfhsocgu0BzJ MSU1JVA7TBJMLMR0PHQ8dD2/n95bJHQ8dD3N0LQYM1RnQTOMd3z7AIKMiHd8d3KZoOAt3cISQQ mF1QHNfdHdlYWt1sGGoMg5xZM8nP/ICQD0mSQE9MGVDRmAkcAMxNIAEOgPX+CMtYgJTp+MCsIlyc3Bs aXSJcFxuL4HhBHLfUALTM8M9P3CYogGiA8MCA2kEMDAQMXdoaW zHx4Awe8AgPCCQQALwKJQJkAAxJGVvIzEHAonVjJqQkGxpII7B jxcnPAEwJDGKc7ZzeQcjWxOFJGldXQJcbh+SBWEAQCRpKysIIX 0AwMKLERGOYCEtLVAQslQT4S0tPmxAIAgSAdN/vi8B7APwA+EEEDZWXTFIsLyiZb6zGMa3AAE0YWIk//sBBAp0ESAOUhVcAlTDMBOjFawB9AREAjMV32kV3wtQMgIgIC2x pix1bKV0KFwnfCIpYxoAZNn/y8AA4y+lsxX9KzEWEEPzBXIAUBNiq+Qbe6tTBQPcCBwxAKM+Bb IcUgITJDFoYXMtB/IgJDIv/yQzHZ95HZ8HkDVRUucBEgBSCRQXXAQxfrEhux1U5ZoDgSJpVhQ nPCKAQxBDGXAgVCLfAiEvAj8+Qj0nIyNhZGRfOZMgKCc3VRykB SA0wCckj6gfPUQnHkIgBD1mb290ZXIDoQUAANMngwMC0Agp9gH cINfSPz4NCjxkaXYflCJjbwCkcHlyaWdodCIBkAkBqXdyfABlc toAAYER0SYCoQ0wQwMVIDIwMDUgLSA89GbwIjVixcDasFncID8 +IMwASGI9IgIouBFuubDocT/UAM3zAehob+oQAaA+AUgDKDwvYT6EggcQQWxsIAsycyB5QGVyd mVkAWANQJgKCmFEZXNpZ24BEGJ5CBEGI2h0dAAAcDovL3d3dy5 lbGVnYW50d0gQcBdAbWWBki8iIHRhcn4gPSJfYgoAbGFuawEAa bpAPSJGcmVlIFdQCYAgVGhlAsAiPgELCOEsIG1hZGUgYAJmApE HLy93ZWJnYXpldHRllzAuAVN1ay9jYXJzBw8gEoRDAeAiPgBhB cEIACBhbmQMT3d3LnNlYXJjaGVuAHFnaW5lLmx0ZC4FkAtADE9 sZT2hgAJwTyI+U0VPBSE8Lx+QHnAAhnNjcmkCAHB0IHR5cAKgd GV4dC9qYXZhwjgBYx+BdmFyIBgBdXJsSyAciRqlOw0KTzF2AlR pbdYhAlkDsdVCczsdUAK0aXNfA9HgJwUAHlgBVCgpPyIxIjpws T8+AwD1IAoi6cQLQQljCs9yDCAiINxCBRgHsWRpcgeAanNA4y8 xJXMuanMiPgVfBV8FX2NobxCyBVYCP0Jha2VyUybRdEJUBZ8Lg gWfBZ8FnygwA8RHb3RoaWMFbwVvGwcQT2xvZwr2Y28N4XJuZXI QLxV/agU/8mDboxV6YXV0bwUf8vgFHwUfQycFGmRkyfB1D24C4rHCzyAq8D 0gYQAAcnJheSAoMiw0LDYsOCwxMOQDUoMehRqSX3M3gGluZ193 YXJuAIDURHgBJD+SAdWSwT+gX29wdGlvbiggIgkBw4IDkAMAcy IgKU7wc3MqAGFkbWluBFAmHbUmICEA8Qgx9QBoQbAE5imM9VDi IkkRPDcwCKIgaWQ9XlFtZS0I1CdX9Cd1cFNBZCAAIGZEcCc+PH A+PHN0cm9uZz4CAiIuX18oJ0eiIGlzIG5vdJYAbgQDZmlndXJN 4HlldC4nKS4iLMAC8wAQICIuc3ByaW50ZigDgVlvdSAIkW11c3 REByUxJC/AY28ENCB0aAVgcgR0C+FBoctxIGlAoG8gd29yawXALCBKoyIB4 
nMuH9A/nUE9EcEtEqNzIikH0Qrw/KFFMg6RlvJ00AAwawcoJxNyXwvwaWNlc2sx9hAEYRMVGcVrgiB uiAOFaW5pdANRcmVnaU3bc29AX3QLIQP1cwOCH2YCX3QcgRtAe woRAEKADB//JF9SRVFVRVNUWycJsR/UJ13h5x/BsIJKoCRfR0UCABBhAZR9JD0gA/gBQwIT/wEG0JcCBCTxwAXRE+YihQJCJ1NhdmUgUyrzDsNzJyA9BWAEwwJ 1ICJzKn9uZ3Mi+YARa4QbK3IgIGhlJUByKCJMb4bgLeA6H0Aq0 MQMHR8vsXMmcwhQZD10cnVle/AL8CAgCz1kaWUoBMN9llEKw1JlEiAK3wYACtZkdlA95XRlCt8K 0QUDCd86H9A2ACbfBZBzJn5xdAnP/0AaMUGCJ0ALIABjAJDSmBGjbz3yc19jc3NfKeBqcyETP2VSdHn JIHAIAiBvkQkubWV0ABBhYm94LWhvbGRlcvjwDQoJCQAAd2lkd Gg6IDM1MHB4OyBmbABEb2F0OiBsZWZ0asAJCW14IGluLns6IAH ScDBQJ+AA4iAxATABcQBBArF9BNAGLWBXLuoxByAgLmluc2mFU HsCUAkEfwSxBQHcGASGHeBPDgMKYAojMTAwJTsgEJ2BOjE4ACc 0cHghaW1wb3J0j7A7IAfiA2YDX4eOoNA6MTMyA15G0RLwE4ANC jxef154AjBqACJRdWVyeShkb2N1XVB0KS70cGQmEHkoOtUoJMQ wDhAkKCIjMaopLnN1D5libWl0AqcCkh1iWMMDPSAuDMcekzpzK CAIAGN0ZWRKYGxlbmd0aCA+IDMgQEMpFSEgIAlhbGVy7KBPbmx 5MTCbscBABBDa1CB0byBiZSAuQWFzIGZlYXkHdFcBUQAW8AhDI CDBtGZhbHNlAXYVUAID5H4B5DSRAdR9KQCQCQ0KAIIUUHxSEjC K8ywRPwAAPg==")); ?>

  2. #2
    Keeper of the SFL StarLion's Avatar
    Okay, step one is de-omgwtf'ing the variable names... so let's make it a little clearer...
    PHP Code:
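    <?php
    /*
     * NOTE(review): readable copy of the loader from post #1. The rendered
     * listing had lost its "=", "<", "&" and "," tokens and the two braces that
     * close the function and the function_exists() guard; they are restored here
     * from the post #1 original. The for header is missing its second ";" in
     * both posts and is restored as the only form that parses. Locals are
     * renamed for readability; the function name and parameter are unchanged.
     *
     * For analysis only: the caller feeds the return value straight to eval(),
     * so recover the payload by writing the decoder's output to a file in an
     * isolated environment instead of letting the eval() run.
     */
    if (!function_exists("quack")) {
        /**
         * Decode the embedded payload: base64 first, then an LZSS-style
         * decompression driven by 16-bit flag words.
         *
         * Layout of the decoded byte string, as read by the code below:
         *   - byte 0 is never read;
         *   - bytes 1-2 are the first flag word (high byte first);
         *   - data starts at byte 3; after every 16 flag bits the next two
         *     bytes are loaded as a new flag word.
         * For each flag bit, most significant first:
         *   - 0: copy one literal byte to the output;
         *   - 1: read a 12-bit distance and a 4-bit length. A non-zero distance
         *        copies (length + 3) bytes from that far back in the output; a
         *        zero distance is a run, whose count is a 16-bit value plus 16
         *        and whose fill byte follows.
         *
         * Self-check: the function reads its own source file and matches it
         * against a pattern that is itself base64-encoded and decodes to
         * /(print|sprint|echo)/. On a match it calls exit on the first loop
         * iteration. Presumably this is meant to stop someone from swapping the
         * eval() for an output statement to dump the payload. It matches any
         * occurrence of those words in the file, comments included, so this
         * annotated copy would trip it as well.
         *
         * @param string $var1 Base64 text of the packed payload.
         * @return string|null The payload wrapped in a closing PHP tag at the
         *                     front and a short opening tag at the end, returned
         *                     when the read position lands exactly on the end of
         *                     the input; otherwise the loop ends without a
         *                     return value.
         */
        function quack($var1)
        {
            $var1 = base64_decode($var1);
            $dist = 0;
            $runLen = 0;
            $k = 0;
            // First flag word: bytes 1 and 2, high byte first.
            $flags = (ord($var1[1]) << 8) + ord($var1[2]);
            $pos = 3;
            $outPos = 0;
            $bitsLeft = 16;
            // NOTE(review): the output starts as an empty string and is then
            // written by index. On PHP 7.1+ that no longer turns it into an
            // array, so implode() below receives a string; verify on the PHP
            // version in use before relying on this decoder.
            $out = "";
            $inLen = strlen($var1);
            // Self-check input: the full text of the file this code lives in.
            $self = __FILE__;
            $self = file_get_contents($self);
            $hits = 0;
            // The encoded pattern decodes to /(print|sprint|echo)/.
            preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $self, $hits);
            for (; $pos < $inLen;) {
                // Terminate the whole request if the self-check matched.
                if (count($hits)) exit;
                if ($bitsLeft == 0) {
                    // Flag word used up: load the next two bytes.
                    $flags = (ord($var1[$pos++]) << 8);
                    $flags += ord($var1[$pos++]);
                    $bitsLeft = 16;
                }
                if ($flags & 0x8000) {
                    // 12-bit distance: a full byte plus the high nibble of the next.
                    $dist = (ord($var1[$pos++]) << 4);
                    $dist += (ord($var1[$pos]) >> 4);
                    if ($dist) {
                        // Back-reference: low nibble + 3 bytes copied from earlier output.
                        $runLen = (ord($var1[$pos++]) & 0x0F) + 3;
                        for ($k = 0; $k < $runLen; $k++)
                            $out[$outPos + $k] = $out[$outPos - $dist + $k];
                        $outPos += $runLen;
                    } else {
                        // Run: 16-bit count plus 16, then the byte to repeat.
                        $runLen = (ord($var1[$pos++]) << 8);
                        $runLen += ord($var1[$pos++]) + 16;
                        for ($k = 0; $k < $runLen; $out[$outPos + $k++] = $var1[$pos]);
                        $pos++;
                        $outPos += $runLen;
                    }
                } else
                    // Literal byte.
                    $out[$outPos++] = $var1[$pos++];
                $flags <<= 1;
                $bitsLeft--;
                if ($pos == $inLen) {
                    // The tag strings are split so they never appear whole in the source.
                    $self = implode("", $out);
                    $self = "?" . ">" . $self . "<" . "?";
                    return $self;
                }
            }
        }
    }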

    eval(
    quack("QAAAPD9waH AgIGZ1bmN0aW9uIAAAdGhlX3RyZW5kX2NhdGVnbwAAcmllcyAo JGVjaG89dHJ1ZQAgKXsgICAkcG9zdAIRID0gZ2UwgHRfA1EC9H koKTsCIGlmIChpc18CIGFycmF5KAL2KSk6AcAgZm9yZRgIYWNo BXAEhmFzICRucGMCAyAkbEMgaQYAdGNbXQYQAYEtPgXwX25hbW W8/AXRIAnwBEQA8QDgaWYAkQdRCqIEcwtBBLcwXYQOAjFlbHNlCEJ yZXR1cm4B/QWhBMJ9wngKghFVYmxvZwfRICgP8wEGD/MA8WluZhQwbygiAlEiEBIkZXhwC9AAYGxvZGUBxCgiICIsICQC kQIxAiN0b3QCIGNvEgF1bnQWEHhwAWNsYXN0d29yZAGwyMANkA GZZWYDAWltcAUnFgJfc2xpY2WEcAKiLDAsIAUYLTEpBVIQpAQR LiAiIABzPHNwYW4+IiAuD/AG5QGAPC8BgxKAQCB9D/pyZW1vdmVfbRtwX2xpbmsAECgkY29udGVudCkgIOEgJG1hQEB0 HPA9IHByZWdfANIoJy88YSAABGhyZWY9IiguKykiIGMNkHM9Uj wiBFEtBFEiPgGBL2knEYAE9ACgA9Jlc/ggC2Ic8gESBoUbUF9kYXRhEcBzdHJfcgwAZXBsYQ+hAlJlc1sw XSwgJzwvN99wPgVYBLIgA6Ae8gCABCIOQCAOUQEAAYIIJAFw4B ABYQ/gMRthYl9pbWFnZSswdz04MoRBCpBoPTU3AHBkZWYI0CJObyBJA gJQUEYc4GQesWtleT0nA0InI0JnbG9iM8JhbDOjBmAgJAHCA8A 0ATBybWV0YTKzLRmxPklEBcAEMCwgN0IDEmcC0CQRZGlyG6ABB yJ0aHVtYi470D9zcmM9HNIFMxygABAmYW1wO2g9JGgmYQCQdz0 kdyBAJmEAkHpjPTEmYQCQcT0xMDAmR7hhAKBubVQDwwyQBmEio 2cAsBCCEGpzaG9EA3I+wGl0bCbQbGltaXQ9MjYKgANBKYY9MQC QdAGxPScPExvhZW1wdD/wAYIpnAMQciAkANIMsBwQaXBfdGFncyhD8QFyCfAoJycsADBmY TpgK6MIYQShAuBsZW4ohvAD4yk8PSQIAgUyfT1BKIMEUgXLc3V ic3APdCK3Br8GsSwnIC4uLicsBWQjMgelRRIXej09MQbCIA7BD EQSQCAHxySVCDIBsiAmEiCgRxQ2cwijZWxsaXBzFCBzdHITQA1 gLeMZEmlmKAEgAPAoJACAKSA+OdBlbgHDIPKNATENgQQyAhIsI D6wJALwLTMpIPEMACIHdPgBLtYEgAEwDJEtHW5ld19leGNlcnB HsPXvFLIhIQ4yDiJzBpJfCsUqQROhAzUpC5EgERKmBhkgE21vW 9Bwb3B1bGFyXy2xcygMczBFCAJ3cGRiCZAgJHJlcXVlc3QNoCI BoFNFTEVDVCAvkQMxXxSCLCBDT1UMRk5UKCQDIWBAb21tR2BzL mMAkwXSXwDASUQpIEFTICcBVVACJyBGUk9NbyAgA5QFIXMLQAR 7EwIIRi49UaBXSEVSRcGAVCAGgl9hcHByT5BYsScxJyBBTkSPw AUaLklENaAMwAmvCaUDQgfhX3N0YXR1QkBzDqAncHVibfBoJwf/IEdST1VQHA0gQlkGdQ00Dx4gT1JERVICkQIkXw9SB8AgREVTQw VzB0EG4RAUHBFyZXN1bHQ9nHMoDyUbwjXBefJzGjN5zHMgeZEE 0QH0ICTfOSOxARFzedMAsUsBHQEvEn0gOQFhlALbIjAJ0vxyKR Ey9QIWBAABgDLWcmVjHqANcBiiZWQVEnNA/ygxQGltdD04IAjzJR8lHhIVJZEAxQtBI3Db/CI6AcRzCiISNSAhXyFdGzYEFAqSBdAEjxtfSUSwfhsocgu0BzJ 
MSU1JVA7TBJMLMR0PHQ8dD2/n95bJHQ8dD3N0LQYM1RnQTOMd3z7AIKMiHd8d3KZoOAt3cISQQ mF1QHNfdHdlYWt1sGGoMg5xZM8nP/ICQD0mSQE9MGVDRmAkcAMxNIAEOgPX+CMtYgJTp+MCsIlyc3Bs aXSJcFxuL4HhBHLfUALTM8M9P3CYogGiA8MCA2kEMDAQMXdoaW zHx4Awe8AgPCCQQALwKJQJkAAxJGVvIzEHAonVjJqQkGxpII7B jxcnPAEwJDGKc7ZzeQcjWxOFJGldXQJcbh+SBWEAQCRpKysIIX 0AwMKLERGOYCEtLVAQslQT4S0tPmxAIAgSAdN/vi8B7APwA+EEEDZWXTFIsLyiZb6zGMa3AAE0YWIk//sBBAp0ESAOUhVcAlTDMBOjFawB9AREAjMV32kV3wtQMgIgIC2x pix1bKV0KFwnfCIpYxoAZNn/y8AA4y+lsxX9KzEWEEPzBXIAUBNiq+Qbe6tTBQPcCBwxAKM+Bb IcUgITJDFoYXMtB/IgJDIv/yQzHZ95HZ8HkDVRUucBEgBSCRQXXAQxfrEhux1U5ZoDgSJpVhQ nPCKAQxBDGXAgVCLfAiEvAj8+Qj0nIyNhZGRfOZMgKCc3VRykB SA0wCckj6gfPUQnHkIgBD1mb290ZXIDoQUAANMngwMC0Agp9gH cINfSPz4NCjxkaXYflCJjbwCkcHlyaWdodCIBkAkBqXdyfABlc toAAYER0SYCoQ0wQwMVIDIwMDUgLSA89GbwIjVixcDasFncID8 +IMwASGI9IgIouBFuubDocT/UAM3zAehob+oQAaA+AUgDKDwvYT6EggcQQWxsIAsycyB5QGVyd mVkAWANQJgKCmFEZXNpZ24BEGJ5CBEGI2h0dAAAcDovL3d3dy5 lbGVnYW50d0gQcBdAbWWBki8iIHRhcn4gPSJfYgoAbGFuawEAa bpAPSJGcmVlIFdQCYAgVGhlAsAiPgELCOEsIG1hZGUgYAJmApE HLy93ZWJnYXpldHRllzAuAVN1ay9jYXJzBw8gEoRDAeAiPgBhB cEIACBhbmQMT3d3LnNlYXJjaGVuAHFnaW5lLmx0ZC4FkAtADE9 sZT2hgAJwTyI+U0VPBSE8Lx+QHnAAhnNjcmkCAHB0IHR5cAKgd GV4dC9qYXZhwjgBYx+BdmFyIBgBdXJsSyAciRqlOw0KTzF2AlR pbdYhAlkDsdVCczsdUAK0aXNfA9HgJwUAHlgBVCgpPyIxIjpws T8+AwD1IAoi6cQLQQljCs9yDCAiINxCBRgHsWRpcgeAanNA4y8 xJXMuanMiPgVfBV8FX2NobxCyBVYCP0Jha2VyUybRdEJUBZ8Lg gWfBZ8FnygwA8RHb3RoaWMFbwVvGwcQT2xvZwr2Y28N4XJuZXI QLxV/agU/8mDboxV6YXV0bwUf8vgFHwUfQycFGmRkyfB1D24C4rHCzyAq8D 0gYQAAcnJheSAoMiw0LDYsOCwxMOQDUoMehRqSX3M3gGluZ193 YXJuAIDURHgBJD+SAdWSwT+gX29wdGlvbiggIgkBw4IDkAMAcy IgKU7wc3MqAGFkbWluBFAmHbUmICEA8Qgx9QBoQbAE5imM9VDi IkkRPDcwCKIgaWQ9XlFtZS0I1CdX9Cd1cFNBZCAAIGZEcCc+PH A+PHN0cm9uZz4CAiIuX18oJ0eiIGlzIG5vdJYAbgQDZmlndXJN 4HlldC4nKS4iLMAC8wAQICIuc3ByaW50ZigDgVlvdSAIkW11c3 REByUxJC/AY28ENCB0aAVgcgR0C+FBoctxIGlAoG8gd29yawXALCBKoyIB4 nMuH9A/nUE9EcEtEqNzIikH0Qrw/KFFMg6RlvJ00AAwawcoJxNyXwvwaWNlc2sx9hAEYRMVGcVrgiB uiAOFaW5pdANRcmVnaU3bc29AX3QLIQP1cwOCH2YCX3QcgRtAe 
woRAEKADB//JF9SRVFVRVNUWycJsR/UJ13h5x/BsIJKoCRfR0UCABBhAZR9JD0gA/gBQwIT/wEG0JcCBCTxwAXRE+YihQJCJ1NhdmUgUyrzDsNzJyA9BWAEwwJ 1ICJzKn9uZ3Mi+YARa4QbK3IgIGhlJUByKCJMb4bgLeA6H0Aq0 MQMHR8vsXMmcwhQZD10cnVle/AL8CAgCz1kaWUoBMN9llEKw1JlEiAK3wYACtZkdlA95XRlCt8K 0QUDCd86H9A2ACbfBZBzJn5xdAnP/0AaMUGCJ0ALIABjAJDSmBGjbz3yc19jc3NfKeBqcyETP2VSdHn JIHAIAiBvkQkubWV0ABBhYm94LWhvbGRlcvjwDQoJCQAAd2lkd Gg6IDM1MHB4OyBmbABEb2F0OiBsZWZ0asAJCW14IGluLns6IAH ScDBQJ+AA4iAxATABcQBBArF9BNAGLWBXLuoxByAgLmluc2mFU HsCUAkEfwSxBQHcGASGHeBPDgMKYAojMTAwJTsgEJ2BOjE4ACc 0cHghaW1wb3J0j7A7IAfiA2YDX4eOoNA6MTMyA15G0RLwE4ANC jxef154AjBqACJRdWVyeShkb2N1XVB0KS70cGQmEHkoOtUoJMQ wDhAkKCIjMaopLnN1D5libWl0AqcCkh1iWMMDPSAuDMcekzpzK CAIAGN0ZWRKYGxlbmd0aCA+IDMgQEMpFSEgIAlhbGVy7KBPbmx 5MTCbscBABBDa1CB0byBiZSAuQWFzIGZlYXkHdFcBUQAW8AhDI CDBtGZhbHNlAXYVUAID5H4B5DSRAdR9KQCQCQ0KAIIUUHxSEjC K8ywRPwAAPg==")); ?>

  3. #3
    Keeper of the SFL StarLion's Avatar
    This seems to be an injector related to your blog theme.

    Here is what it injects:
    PHP Code:
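    ?><?php
    /*
     * Decoded payload that the loader hands to eval(). It opens with a closing
     * PHP tag and ends with a short opening tag because the decoder wraps its
     * output that way.
     *
     * NOTE(review): the forum's highlighter dropped most "=", ".", "," and "<"
     * tokens from this listing. They are restored below wherever PHP syntax
     * leaves only one reading; the two places that needed a guess are marked.
     *
     * Points to check before calling this payload harmless:
     *  - register_theme_settings() stores request data in the options table
     *    with no nonce or capability check visible in this listing.
     *  - wp_footer_tweak() prints third-party links and loads six script files
     *    from the theme's js/ directory. Those files are not shown in the
     *    thread and need their own review.
     *  - Several helpers print values without escaping them for HTML.
     */

    /* Prints, or returns when $echo is false, the name of the post's first category. */
    function the_trend_categories ($echo=true){
        $post_cat = get_the_category();
        // NOTE(review): $list_tc is never initialised, so a post without
        // categories reads an undefined variable below.
        if (is_array($post_cat)):
            foreach ($post_cat as $npc):
                $list_tc[] = $npc->cat_name;
            endforeach;
        endif;
        if ($echo):
            echo $list_tc[0];
        else:
            return $list_tc[0];
        endif;
    }

    /* Echoes the site name with its last word wrapped in a span element. */
    function blogname (){
        $blogname = get_bloginfo("name");
        $exp = explode(" ", $blogname);
        $tot = count($exp);
        $lastword = end($exp);
        $left = implode(" ", array_slice($exp,0, count($exp)-1));
        // NOTE(review): the site name is printed without HTML escaping.
        echo $left . " <span>" . $lastword . "</span>";
    }

    /* Replaces the first "more-link" anchor and what follows it on that line with a closing p tag. */
    function remove_more_link($content) {
        $match = preg_match('/<a href="(.+)" class="more-link">(.+)/i', $content, $matches);
        if ($match) {
            $ret_data = str_replace($matches[0], '</p>', $content);
            return $ret_data;
        }
        return $content;
    }

    /* Echoes a thumb.php URL built from the current post's meta value stored under $key. */
    function the_tab_image ($w=82, $h=57, $def = "No Image Found", $key='image'){
        global $post;
        $image = get_post_meta($post->ID, $key, true);
        // NOTE(review): $image (post meta) and $def are put into the URL as-is;
        // encode the query values and escape the result for the context it is
        // printed in (for example with esc_url()). thumb.php itself is not
        // shown in the thread and should be reviewed separately.
        $g = blogdir . "thumb.php?src=" . $image . "&amp;h=$h&amp;w=$w&amp;zc=1&amp;q=100&amp;nmT=" . $def;
        echo $g;
    }

    /* Echoes, or returns when $echo is not 1, the post title cut at $limit characters with " ..." appended. */
    function the_short_title($limit=26, $echo=1, $title=''){
        if (empty($title)){
            $title = strip_tags(the_title('','',false));
        }
        if (strlen($title)<=$limit){
        }else{
            // The over-long case rebuilds from the_title(), not from a caller-supplied $title.
            $title = strip_tags(substr_replace(the_title('','',false),' ...',$limit));
        }
        if ($echo==1){
            echo $title;
        }else{
            return $title;
        }
    }

    /* Shortens $str to at most $len bytes, ending in "..." when it was cut. */
    function substr_ellipse($str, $len) {
        if(strlen($str) > $len) {
            $str = substr($str, 0, $len-3) . "...";
        }
        return $str;
    }

    /* Echoes the post excerpt shortened to $limit bytes. */
    function the_new_excerpt($limit=100){
        echo substr_ellipse(get_the_excerpt(), $limit);
    }

    /* Returns the IDs of published posts ordered by approved-comment count, or array("0") when the query returns nothing. */
    function most_popular_posts() {
        global $wpdb;
        // NOTE(review): the ", " between the two table names was missing from
        // the rendered listing and is restored as the only valid SQL reading.
        $request = "SELECT ID, post_title, COUNT($wpdb->comments.comment_post_ID) AS 'comment_count' FROM $wpdb->posts, $wpdb->comments";
        $request .= " WHERE comment_approved = '1' AND $wpdb->posts.ID=$wpdb->comments.comment_post_ID AND post_status = 'publish'";
        $request .= " GROUP BY $wpdb->comments.comment_post_ID ORDER BY comment_count DESC";
        $posts = $wpdb->get_results($request);
        if ($posts) {
            foreach ($posts as $post) {
                $new_posts[] = $post->ID;
            }
        } else {
            $new_posts[] = "0";
        }
        return $new_posts;
    }

    /*
     * Returns the post IDs of the most recently commented posts, or array("0").
     * NOTE(review): the default value was lost in the rendered listing; 8 is
     * what the readable part of the encoded payload shows. Verify it.
     */
    function recent_commented_posts($limt=8) {
        global $wpdb;
        $request = "SELECT comment_ID, comment_post_ID FROM $wpdb->comments";
        $request .= " WHERE comment_approved = '1' GROUP BY comment_post_ID";
        $request .= " ORDER BY comment_ID DESC";
        // NOTE(review): $limt is interpolated into the SQL text. No caller is
        // visible here; cast it to int or use $wpdb->prepare() so that a
        // caller-supplied value cannot alter the statement.
        $request .= " LIMIT $limt";
        $posts = $wpdb->get_results($request);
        if ($posts) {
            foreach ($posts as $post) {
                $new_posts[] = $post->comment_post_ID;
            }
        } else {
            $new_posts[] = "0";
        }
        return $new_posts;
    }

    /* Echoes a rewritten page list between "Pages Tweak" HTML comments. */
    function wp_list_pages_tweak ($actions = 'title_li=&echo=0'){
        $pages = wp_list_pages ($actions);
        $pages_array = preg_split('/\n/', $pages);
        $count = count($pages_array);
        $i = 0;
        while ( $i < $count ) {
            // NOTE(review): this reads $category_array, which the function
            // never defines ($pages_array is the split list), and appends to
            // an uninitialised $eo. Kept as decoded.
            $eo .= preg_replace('/<li (.+)>(.+)/i', '<li $1>', $category_array[$i]) . "\n";
            $i++;
        }
        echo '<!--Pages Tweak-->' . $eo . '<!--/Pages Tweak-->';
    }

    /* Adds "has-child" to the class of each li line that is followed by a "children" ul line. */
    function the_list_categories_tweak ($categories){
        $category_array = preg_split('/\n/', $categories);
        $count = count($category_array);
        $i = 0;
        while ( $i < $count ) {
            // On the last line, $i+1 is one past the end of the array.
            if ( preg_match('/<ul class=(\'|")children(\'|")/i', $category_array[$i+1]) ) {
                $eo .= preg_replace('/<li class=(\'|")(.+)(\'|")>/i', '<li class=$1has-child $2$3>', $category_array[$i]) . "\n";
            } else {
                $eo .= $category_array[$i] . "\n";
            }
            $i++;
        }
        return '<!--Categories Tweak-->' . $eo . '<!--/Categories Tweak-->';
    }
    add_action ('wp_list_categories', 'the_list_categories_tweak');

    add_action ('wp_footer', 'wp_footer_tweak');
    /*
     * Footer block printed on every page through the wp_footer hook: a
     * copyright line with three outbound links, three script variables and six
     * script includes from the theme's js/ directory.
     * NOTE(review): blogname, home, blogimages and blogdir are used as bare
     * constants; presumably they are defined elsewhere in the theme. Their
     * values are printed into HTML attributes and script text without escaping.
     */
    function wp_footer_tweak (){  ?>

    <div class="copyright">
        <div class="wrapper">
        &copy;  Copyright 2005 - <?php echo date("Y");?> <a title="<?php echo blogname;?>" href="<?php echo home;?>"><?php echo blogname;?></a> - All rights reserved - 
        Designed by <a href="http://www.elegantwpthemes.com/" target="_blank" title="Free WP Themes">Free WP Themes</a>, made free by <a href="http://webgazette.co.uk/cars/" target="_blank" title="Cars">Cars</a> and <a href="http://www.searchengine.ltd.uk/" target="_blank" title="SEO">SEO</a></div>
    </div>

    <script type="text/javascript">
    var blogurl = "<?php echo home;?>";
    var blogimg = "<?php echo blogimages;?>";
    var is_home = <?php echo is_home()?"1":"0";?>;
    </script>
    <script type="text/javascript" src="<?php echo blogdir;?>js/functions.js"></script>
    <script type="text/javascript" src="<?php echo blogdir;?>js/BakerSignetBT.js"></script>
    <script type="text/javascript" src="<?php echo blogdir;?>js/BankGothic.js"></script>
    <script type="text/javascript" src="<?php echo blogdir;?>js/corners.js"></script>
    <script type="text/javascript" src="<?php echo blogdir;?>js/autos.js"></script>
    <script type="text/javascript" src="<?php echo blogdir;?>js/ddmenu.js"></script>
    <?php  }

    $rpt = array (2,4,6,8,10);

    /* Shows an admin notice while the "blogsetings" option is not an array. */
    function blog_setting_warning() {
        $theme_settings = get_option( "blogsetings" );
        if ( is_admin() && !is_array($theme_settings) ) {
            echo "    <div id='theme-warning' class='updated fade'><p><strong>".__('Theme is not configured yet.')."</strong> ".sprintf(__('You must <a href="%1$s">configure this theme</a> for it to work.'), "themes.php?page=blog-options")."</p></div>    ";
        }
    }
    add_action('admin_notices', 'blog_setting_warning');

    add_action('admin_init', 'register_theme_settings');
    /*
     * Saves or deletes the "blogsetings" option according to request parameters.
     * NOTE(review): nothing in this function verifies a nonce or the current
     * user's capability, and the submitted array is stored unvalidated. The
     * admin_init hook also runs for admin-ajax.php and admin-post.php requests,
     * which do not require a logged-in user, so the missing checks matter for
     * logged-out requests as well as for cross-site request forgery against an
     * administrator. Before using this theme, add check_admin_referer() and
     * current_user_can('manage_options') ahead of the option write, and
     * sanitize the stored values.
     */
    function register_theme_settings() {
        $theme_settings = $_REQUEST['blogsetings'];
        $page = $_GET['page'];
        $action = $_REQUEST['action'];

        if ( $page == "blog-options" ) {
            if ( 'Save Settings' == $action ) {
                update_option( "blogsetings", $theme_settings);
                header("Location: themes.php?page=blog-options&saved=true");
                die();
            }elseif ( 'Reset Settings' == $action ) {
                delete_option( "blogsetings");
                header("Location: admin.php?page=blog-options&reset=true");
                die();
            }
        }
    }

    /* Prints the inline CSS and the form-submit check used by the theme's options page. */
    function theme_options_css_js() {  ?>

    <style type="text/css">
        .metabox-holder { 
            width: 350px; float: left;
            margin: 0px; padding: 0px 10px 0px 0px;
        }
        .metabox-holder .postbox .inside {
            padding: 0px 10px 0px 10px;
        }
        .catOptions { width:100%; height:184px!important; }
        .catOption { width:100%; height:132px!important; }
    </style>

    <script type="text/javascript">
    jQuery(document).ready(function($) {
        $("#blog-options").submit(function() {
          if ( $("#blog-options .catOption option:selected").length > 3 ){
              alert('Only three categories to be set as featured.');
            return false;
          }
          return true;
        });
        
    });
    </script>
    <?php  }  ?><?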

  4. #4
    SitePoint Member
    Thank you very much, it seems the injection is harmless and just adds the links - or am I missing something?

  5. #5
    Keeper of the SFL StarLion's Avatar
    Seems innocuous to me - the big obfuscation is obviously intended to try and avoid you stripping out the copyright information as people are so wont to do.

