Wordpress Obfuscated Code. Need to Remove It.

**rome9t9** · 14 December, 2010, 13:05 PM

Ok guys I downloaded this awesome theme from skinpress and they have obfuscated code in their header.php and functions.php.

NOT in the footer.php. The footer has sponsored links.

I don't mind the sponsored links but I want the code on my site clean.

The code is in rot13 which I decoded. The obfuscated code in header.php calls the obfuscated code in functions.php to ensures that the footer link are intact.

I think it notifies the theme owner/sponsor if any site removes the footer link. I want these codes to begone from my site.

But when I remove them, they break the entire theme. How can I remove them??

Obfuscated codes:

Header.php

PHP Code:


<?php eval(str_rot13('shapgvba purpx_s_sbbgre(){vs(!(shapgvba_rkvfgf("purpx_sbbgre")&&shapgvba_rkvfgf("purpx_urnqre"))){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}purpx_s_sbbgre();'));eval(str_rot13('shapgvba purpx_shapgvbaf(){vs(!svyr_rkvfgf(qveanzr(__SVYR__)."/shapgvbaf.cuc")){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}purpx_shapgvbaf();')); ?>

Functions.php

PHP Code:


eval(str_rot13('shapgvba purpx_sbbgre(){$y=\'<o><n uers="uggc://jjj.fxvacerff.pbz/">Serr Jbeqcerff Gurzrf</n></o> Qrfvtarq ol <o><n uers="uggc://jjj.npgvirgenvy.pbz/">Rznvy Znexrgvat</n></o> naq <o><n uers="uggc://jjj.npnqrzvpnqivfbewbof.pbz/">Nqivfbe Wbof</n></o>\';$s=qveanzr(__SVYR__).\'/sbbgre.cuc\';$sq=sbcra($s,\'e\');$p=sernq($sq,svyrfvmr($s));spybfr($sq);vs(fgecbf($p,$y)==0){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}purpx_sbbgre();')); eval(str_rot13('shapgvba purpx_urnqre(){vs(!(shapgvba_rkvfgf("purpx_shapgvbaf")&&shapgvba_rkvfgf("purpx_s_sbbgre"))){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}'));

Decoded:

Header.php

PHP Code:


<?php eval(str_rot13('function check_f_footer(){if(!(function_exists("check_footer")&&function_exists("check_header"))){echo(\'This theme is released under creative commons licence, all links in the footer should remain intact\');
die;
}}check_f_footer();
'));
riny(fge_ebg13('function check_functions(){if(!file_exists(dirname(__FILE__)."/functions.php")){echo(\'This theme is released under creative commons licence, all links in the footer should remain intact\');
die;
}}check_functions();
'));
?>

Functions.php

PHP Code:


<?php eval(str_rot13('function check_footer(){$l=\'<b><a href="http://www.skinpress.com/">Free Wordpress Themes</a></b> Designed by <b><a href="http://www.activetrail.com/">Email Marketing</a></b> and <b><a href="http://www.academicadvisorjobs.com/">Advisor Jobs</a></b>\';
$f=dirname(__FILE__).\'/footer.php\';
$fd=fopen($f,\'r\');
$c=fread($fd,filesize($f));
fclose($fd);
if(strpos($c,$l)==0){echo(\'This theme is released under creative commons licence, all links in the footer should remain intact\');
die;
}}check_footer();
')); 
riny(fge_ebg13('function check_header(){if(!(function_exists("check_functions")&&function_exists("check_f_footer"))){echo(\'This theme is released under creative commons licence, all links in the footer should remain intact\');
die;
}}'));
?>

In case they cannot be removed, are they safe?? Skinpress.com is a trustworthy site btw.

**iowadawg** · 14 December, 2010, 17:18 PM

There is no reason to have such code in header and body, etc.
Usually means that either links are added to your wordpress unknowingly, or there will be visitors going to sites unknown to you from your wordpress.

Trustworthy site or not, I would not use any theme that has stuff like this.

**bhartzer** · 14 December, 2010, 17:43 PM

Trustworthy site or not, I would not use any theme that has stuff like this.

I totally agree, no reason to have code in there like that.

**TopDogger** · 14 December, 2010, 19:16 PM

There are lots of good reasons to remove obfuscated code--or refuse to use themes with encoded sections.

Read this article and check out the links to the supporting articles.

Malware Found in WordPress Theme – Protect Yourself Now � Lorelle on WordPress

**rome9t9** · 15 December, 2010, 07:44 AM

I finally managed to remove the code..but found another good theme that doesnt obfuscated codes in functions.php, only in the footer.php which I removed.

There aren't many great looking themes in the wordpress.org theme index, so I have to look elsewhere for some great themes.

Thanks TopDogger for the link. Installed the Theme-Check plugin for my site.

**Andy101** · 15 December, 2010, 09:06 AM

They seemed to have done this to ensure that their attribution links remained intact but it had the effect of the entire theme being deleted!

**jackcr** · 6 July, 2011, 02:39 AM

I understand the reason to put some code in some themes, but I don't like see waht I don't understand.

So, I have a "encripted" code in the footer.php in one theme I have and has no problems if you dont change the links of the author (that's ok) but the footer is a mess and don't like it.
Maybe somebody can help me with this new (to me) encription mode.

Lets see, I leave the content of the footer.php here and maybe somebody knows how decript this mess. Thanks for any help

Code:

*/$OOO000000=urldecode('fg6sbehpra4co_tnd');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x36c;eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NGY4KTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdFbnRlcnlvdXdraFJIWUtOV09VVEFhQmJDY0RkRmZHZ0lpSmpMbE1tUHBRcVNzVnZYeFp6MDEyMzQ1Njc4OSsvPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?>~Dkr9NHenNHenNHe1zfukgFMaXdoyjcUImb19oUAxyb18mRtwmwJ4LT09NHr8XTzEXRJwmwJXLT09NHeEXHr8XhtONT08XHeEXHr8Pkr8XTzEXT08XHtILTzEXHr8XTzEXRtONTzEXTzEXHeEpRtfydmOlFmlvfbfqDykwBAsKa09aaryiWMkeC0OLOMcuc0lpUMpHdr1sAunOFaYzamcCGyp6HerZHzW1YjF4KUSvNUFSk0ytW0OyOLfwUApRTr1KT1nOAlYAaacbBylDCBkjcoaMc2ipDMsSdB5vFuyZF3O1fmf4GbPXHTwzYeA2YzI5hZ8mhULpK2cjdo9zcUILTzEXHr8XTzEXhTslfMyShtONTzEXTzEXTzEpKX==tjslC2ivwtFYtjXvcol2NjXiRU0IR2YvdmOldmWIRU0+eWPYtjXvcol2NjXiRU0IR2YvdmOiDB5lFJEsRT4YtI0hNoOpfJnpce0JCM90fo9swj4YtI0hNoOpfJnjdoyzFz0JDB5VcbwJNI0heWPkkzspcJEPwtyMfB5jfolvdl9lGolzfuHPk2O5dMysDBYgF2lLcBkiFJFpwux8wBO5dMysDBYgF2lLcBkiFJIJOM9vfoaZwJLIhUE6woaVcolMK2ajDo8IkX0htW0hNt9LDbC+eWPYtjXvcol2NjXiRU0IR2kvfuOvdUEsRT4YtI0heWPYtjxLDbCIDBW9wMcvd3OlFJw+eWPYtjxLDbCIC2xiF3H9wMlVdMaZwj4YtI0heWPYtILYtJF7koYvFuLINUnmcbOgd3n0DB9Vhtf3d3kLFuklF3YJdolVc19MdoaMftFpK2ajDo8IkX0hNuE+kzslC2ivwtOjd3n5K2ajDo8IkzXvCT48R3E+eWP8Fe5rcbYpc25lctnJGUE8CUnPFMaMNUkPfuOXKJ8vf3f3RMyjfol2cbflCMOpFJ5jd20Jwuklde0Jco9Md2xSd3FJNLyjfol2cUnbcBwIOolZcBY0d3k5Nt9iNjXvFe4YtI0heWPYtjXvcol2NI0hNt9LDbC+NtrsRUEvcM9vfoaZwt0sNI0hNt9LDbC+NtrsRUEvC29VfoypdMaZFZEsRT4YtI0heWPYtjxzC3kpFuWIfulXcT0Jfoa4ft9QCbciF2YZDbn0wj4IW3aMd24VdM93htL7weXvF2YZDbn0NI0heWPmK3fXb2cvd3OlFJIpK2ajDo8IkX0hNt9Jd2O5NI0heWPYtI0hNt9Pfo1SNJF7tjS=alVnRPIq