DeObfuscation/Decoding

tomeus · June 15, 2010, 11:30pm

Hi, this comes from a free/GPL wordpress theme as file blog-cms.php

http://www.elegantwpthemes.com/?p=530 so I am not trying to steal but I am rather afraid that the files has been infected/used for malware so I want to see the “guts” before I start to send users to my site.

Seems like obfuscation of some kind:

<?php if (!function_exists(“T7FC56270E7A70FA81A5935B72EACBE 29”)) { function T7FC56270E7A70FA81A5935B72EACBE29($TF186217753C37B 9B9F958D906208506E) { $TF186217753C37B9B9F958D906208506E = base64_decode($TF186217753C37B9B9F958D906208506E); $T7FC56270E7A70FA81A5935B72EACBE29 = 0; $T9D5ED678FE57BCCA610140957AFAB571 = 0; $T0D61F8370CAD1D412F80B84D143E1257 = 0; $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[1]) << 8) + ord($TF186217753C37B9B9F958D906208506E[2]); $T3A3EA00CFC35332CEDF6E5E9A32E94DA = 3; $T800618943025315F869E4E1F09471012 = 0; $TDFCF28D0734569A6A693BC8194DE62BF = 16; $TC1D9F50F86825A1A2302EC2449C17196 = “”; $TDD7536794B63BF90ECCFD37F9B147D7F = strlen($TF186217753C37B9B9F958D906208506E); $TFF44570ACA8241914870AFBC310CDB85 = FILE; $TFF44570ACA8241914870AFBC310CDB85 = file_get_contents($TFF44570ACA8241914870AFBC310CDB 85); $TA5F3C6A11B03839D46AF9FB43C97C188 = 0; preg_match(base64_decode(“LyhwcmludHxzcHJpbnR8ZWNo bykv”), $TFF44570ACA8241914870AFBC310CDB85, $TA5F3C6A11B03839D46AF9FB43C97C188); for (;$T3A3EA00CFC35332CEDF6E5E9A32E94DA<$TDD7536794B6 3BF90ECCFD37F9B147D7F { if (count($TA5F3C6A11B03839D46AF9FB43C97C188)) exit; if ($TDFCF28D0734569A6A693BC8194DE62BF == 0) { $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8); $TF623E75AF30E62BBD73D6DF5B50BB7B5 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]); $TDFCF28D0734569A6A693BC8194DE62BF = 16; } if ($TF623E75AF30E62BBD73D6DF5B50BB7B5 & 0x8000) { $T7FC56270E7A70FA81A5935B72EACBE29 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 4); $T7FC56270E7A70FA81A5935B72EACBE29 += (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]) >> 4); if ($T7FC56270E7A70FA81A5935B72EACBE29) { $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) & 0x0F) + 3; for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $T0D61F8370CAD1D412F80B84D143E1257++) $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1 D412F80B84D143E1257] = $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012-$T7FC56270E7A70FA81A5935B72EACBE29+$T0D61F8370CAD1 D412F80B84D143E1257]; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571; } else { $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8); $T9D5ED678FE57BCCA610140957AFAB571 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) + 16; for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1 D412F80B84D143E1257++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]); $T3A3EA00CFC35332CEDF6E5E9A32E94DA++; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571; } } else $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]; $TF623E75AF30E62BBD73D6DF5B50BB7B5 <<= 1; $TDFCF28D0734569A6A693BC8194DE62BF–; if ($T3A3EA00CFC35332CEDF6E5E9A32E94DA == $TDD7536794B63BF90ECCFD37F9B147D7F) { $TFF44570ACA8241914870AFBC310CDB85 = implode(“”, $TC1D9F50F86825A1A2302EC2449C17196); $TFF44570ACA8241914870AFBC310CDB85 = “?”.“>”.$TFF44570ACA8241914870AFBC310CDB85.“<”.“?” ; return $TFF44570ACA8241914870AFBC310CDB85; } } } } eval(T7FC56270E7A70FA81A5935B72EACBE29(“QAAAPD9waH AgIGZ1bmN0aW9uIAAAdGhlX3RyZW5kX2NhdGVnbwAAcmllcyAo JGVjaG89dHJ1ZQAgKXsgICAkcG9zdAIRID0gZ2UwgHRfA1EC9H koKTsCIGlmIChpc18CIGFycmF5KAL2KSk6AcAgZm9yZRgIYWNo BXAEhmFzICRucGMCAyAkbEMgaQYAdGNbXQYQAYEtPgXwX25hbW W8/AXRIAnwBEQA8QDgaWYAkQdRCqIEcwtBBLcwXYQOAjFlbHNlCEJ yZXR1cm4B/QWhBMJ9wngKghFVYmxvZwfRICgP8wEGD/MA8WluZhQwbygiAlEiEBIkZXhwC9AAYGxvZGUBxCgiICIsICQC kQIxAiN0b3QCIGNvEgF1bnQWEHhwAWNsYXN0d29yZAGwyMANkA GZZWYDAWltcAUnFgJfc2xpY2WEcAKiLDAsIAUYLTEpBVIQpAQR LiAiIABzPHNwYW4+IiAuD/AG5QGAPC8BgxKAQCB9D/pyZW1vdmVfbRtwX2xpbmsAECgkY29udGVudCkgIOEgJG1hQEB0 HPA9IHByZWdfANIoJy88YSAABGhyZWY9IiguKykiIGMNkHM9Uj wiBFEtBFEiPgGBL2knEYAE9ACgA9Jlc/ggC2Ic8gESBoUbUF9kYXRhEcBzdHJfcgwAZXBsYQ+hAlJlc1sw XSwgJzwvN99wPgVYBLIgA6Ae8gCABCIOQCAOUQEAAYIIJAFw4B ABYQ/gMRthYl9pbWFnZSswdz04MoRBCpBoPTU3AHBkZWYI0CJObyBJA gJQUEYc4GQesWtleT0nA0InI0JnbG9iM8JhbDOjBmAgJAHCA8A 0ATBybWV0YTKzLRmxPklEBcAEMCwgN0IDEmcC0CQRZGlyG6ABB yJ0aHVtYi470D9zcmM9HNIFMxygABAmYW1wO2g9JGgmYQCQdz0 kdyBAJmEAkHpjPTEmYQCQcT0xMDAmR7hhAKBubVQDwwyQBmEio 2cAsBCCEGpzaG9EA3I+wGl0bCbQbGltaXQ9MjYKgANBKYY9MQC QdAGxPScPExvhZW1wdD/wAYIpnAMQciAkANIMsBwQaXBfdGFncyhD8QFyCfAoJycsADBmY TpgK6MIYQShAuBsZW4ohvAD4yk8PSQIAgUyfT1BKIMEUgXLc3V ic3APdCK3Br8GsSwnIC4uLicsBWQjMgelRRIXej09MQbCIA7BD EQSQCAHxySVCDIBsiAmEiCgRxQ2cwijZWxsaXBzFCBzdHITQA1 gLeMZEmlmKAEgAPAoJACAKSA+OdBlbgHDIPKNATENgQQyAhIsI D6wJALwLTMpIPEMACIHdPgBLtYEgAEwDJEtHW5ld19leGNlcnB HsPXvFLIhIQ4yDiJzBpJfCsUqQROhAzUpC5EgERKmBhkgE21vW 9Bwb3B1bGFyXy2xcygMczBFCAJ3cGRiCZAgJHJlcXVlc3QNoCI BoFNFTEVDVCAvkQMxXxSCLCBDT1UMRk5UKCQDIWBAb21tR2BzL mMAkwXSXwDASUQpIEFTICcBVVACJyBGUk9NbyAgA5QFIXMLQAR 7EwIIRi49UaBXSEVSRcGAVCAGgl9hcHByT5BYsScxJyBBTkSPw AUaLklENaAMwAmvCaUDQgfhX3N0YXR1QkBzDqAncHVibfBoJwf/IEdST1VQHA0gQlkGdQ00Dx4gT1JERVICkQIkXw9SB8AgREVTQw VzB0EG4RAUHBFyZXN1bHQ9nHMoDyUbwjXBefJzGjN5zHMgeZEE 0QH0ICTfOSOxARFzedMAsUsBHQEvEn0gOQFhlALbIjAJ0vxyKR Ey9QIWBAABgDLWcmVjHqANcBiiZWQVEnNA/ygxQGltdD04IAjzJR8lHhIVJZEAxQtBI3Db/CI6AcRzCiISNSAhXyFdGzYEFAqSBdAEjxtfSUSwfhsocgu0BzJ MSU1JVA7TBJMLMR0PHQ8dD2/n95bJHQ8dD3N0LQYM1RnQTOMd3z7AIKMiHd8d3KZoOAt3cISQQ mF1QHNfdHdlYWt1sGGoMg5xZM8nP/ICQD0mSQE9MGVDRmAkcAMxNIAEOgPX+CMtYgJTp+MCsIlyc3Bs aXSJcFxuL4HhBHLfUALTM8M9P3CYogGiA8MCA2kEMDAQMXdoaW zHx4Awe8AgPCCQQALwKJQJkAAxJGVvIzEHAonVjJqQkGxpII7B jxcnPAEwJDGKc7ZzeQcjWxOFJGldXQJcbh+SBWEAQCRpKysIIX 0AwMKLERGOYCEtLVAQslQT4S0tPmxAIAgSAdN/vi8B7APwA+EEEDZWXTFIsLyiZb6zGMa3AAE0YWIk//sBBAp0ESAOUhVcAlTDMBOjFawB9AREAjMV32kV3wtQMgIgIC2x pix1bKV0KFwnfCIpYxoAZNn/y8AA4y+lsxX9KzEWEEPzBXIAUBNiq+Qbe6tTBQPcCBwxAKM+Bb IcUgITJDFoYXMtB/IgJDIv/yQzHZ95HZ8HkDVRUucBEgBSCRQXXAQxfrEhux1U5ZoDgSJpVhQ nPCKAQxBDGXAgVCLfAiEvAj8+Qj0nIyNhZGRfOZMgKCc3VRykB SA0wCckj6gfPUQnHkIgBD1mb290ZXIDoQUAANMngwMC0Agp9gH cINfSPz4NCjxkaXYflCJjbwCkcHlyaWdodCIBkAkBqXdyfABlc toAAYER0SYCoQ0wQwMVIDIwMDUgLSA89GbwIjVixcDasFncID8 +IMwASGI9IgIouBFuubDocT/UAM3zAehob+oQAaA+AUgDKDwvYT6EggcQQWxsIAsycyB5QGVyd mVkAWANQJgKCmFEZXNpZ24BEGJ5CBEGI2h0dAAAcDovL3d3dy5 lbGVnYW50d0gQcBdAbWWBki8iIHRhcn4gPSJfYgoAbGFuawEAa bpAPSJGcmVlIFdQCYAgVGhlAsAiPgELCOEsIG1hZGUgYAJmApE HLy93ZWJnYXpldHRllzAuAVN1ay9jYXJzBw8gEoRDAeAiPgBhB cEIACBhbmQMT3d3LnNlYXJjaGVuAHFnaW5lLmx0ZC4FkAtADE9 sZT2hgAJwTyI+U0VPBSE8Lx+QHnAAhnNjcmkCAHB0IHR5cAKgd GV4dC9qYXZhwjgBYx+BdmFyIBgBdXJsSyAciRqlOw0KTzF2AlR pbdYhAlkDsdVCczsdUAK0aXNfA9HgJwUAHlgBVCgpPyIxIjpws T8+AwD1IAoi6cQLQQljCs9yDCAiINxCBRgHsWRpcgeAanNA4y8 xJXMuanMiPgVfBV8FX2NobxCyBVYCP0Jha2VyUybRdEJUBZ8Lg gWfBZ8FnygwA8RHb3RoaWMFbwVvGwcQT2xvZwr2Y28N4XJuZXI QLxV/agU/8mDboxV6YXV0bwUf8vgFHwUfQycFGmRkyfB1D24C4rHCzyAq8D 0gYQAAcnJheSAoMiw0LDYsOCwxMOQDUoMehRqSX3M3gGluZ193 YXJuAIDURHgBJD+SAdWSwT+gX29wdGlvbiggIgkBw4IDkAMAcy IgKU7wc3MqAGFkbWluBFAmHbUmICEA8Qgx9QBoQbAE5imM9VDi IkkRPDcwCKIgaWQ9XlFtZS0I1CdX9Cd1cFNBZCAAIGZEcCc+PH A+PHN0cm9uZz4CAiIuX18oJ0eiIGlzIG5vdJYAbgQDZmlndXJN 4HlldC4nKS4iLMAC8wAQICIuc3ByaW50ZigDgVlvdSAIkW11c3 REByUxJC/AY28ENCB0aAVgcgR0C+FBoctxIGlAoG8gd29yawXALCBKoyIB4 nMuH9A/nUE9EcEtEqNzIikH0Qrw/KFFMg6RlvJ00AAwawcoJxNyXwvwaWNlc2sx9hAEYRMVGcVrgiB uiAOFaW5pdANRcmVnaU3bc29AX3QLIQP1cwOCH2YCX3QcgRtAe woRAEKADB//JF9SRVFVRVNUWycJsR/UJ13h5x/BsIJKoCRfR0UCABBhAZR9JD0gA/gBQwIT/wEG0JcCBCTxwAXRE+YihQJCJ1NhdmUgUyrzDsNzJyA9BWAEwwJ 1ICJzKn9uZ3Mi+YARa4QbK3IgIGhlJUByKCJMb4bgLeA6H0Aq0 MQMHR8vsXMmcwhQZD10cnVle/AL8CAgCz1kaWUoBMN9llEKw1JlEiAK3wYACtZkdlA95XRlCt8K 0QUDCd86H9A2ACbfBZBzJn5xdAnP/0AaMUGCJ0ALIABjAJDSmBGjbz3yc19jc3NfKeBqcyETP2VSdHn JIHAIAiBvkQkubWV0ABBhYm94LWhvbGRlcvjwDQoJCQAAd2lkd Gg6IDM1MHB4OyBmbABEb2F0OiBsZWZ0asAJCW14IGluLns6IAH ScDBQJ+AA4iAxATABcQBBArF9BNAGLWBXLuoxByAgLmluc2mFU HsCUAkEfwSxBQHcGASGHeBPDgMKYAojMTAwJTsgEJ2BOjE4ACc 0cHghaW1wb3J0j7A7IAfiA2YDX4eOoNA6MTMyA15G0RLwE4ANC jxef154AjBqACJRdWVyeShkb2N1XVB0KS70cGQmEHkoOtUoJMQ wDhAkKCIjMaopLnN1D5libWl0AqcCkh1iWMMDPSAuDMcekzpzK CAIAGN0ZWRKYGxlbmd0aCA+IDMgQEMpFSEgIAlhbGVy7KBPbmx 5MTCbscBABBDa1CB0byBiZSAuQWFzIGZlYXkHdFcBUQAW8AhDI CDBtGZhbHNlAXYVUAID5H4B5DSRAdR9KQCQCQ0KAIIUUHxSEjC K8ywRPwAAPg==”)); ?>

StarLion · June 16, 2010, 12:14am

Okay, step one is de-omgwtf’ing the variable names… so lets make it a little clearer…


<?php if (!function_exists("quack")) { 
function quack($var1) { 
$var1 = base64_decode($var1);
$quack = 0; 
$var2 = 0; 
$var3 = 0; 
$var4 = (ord($var1[1]) << 8) + ord($var1[2]); 
$var5 = 3; 
$var6 = 0; 
$var7 = 16; 
$var8 = ""; 
$var9 = strlen($var1); 
$var10 = __FILE__; 
$var10 = file_get_contents($var10); 
$var11 = 0; 
preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $var10, $var11); 
for (;$var5<$var9) { 
 if (count($var11)) exit; 
 if ($var7 == 0) { $var4 = (ord($var1[$var5++]) << 8); 
 $var4 += ord($var1[$var5++]); 
 $var7 = 16; } 
 if ($var4 & 0x8000) { 
  $quack = (ord($var1[$var5++]) << 4); 
  $quack += (ord($var1[$var5]) >> 4); 
  if ($quack) { 
    $var2 = (ord($var1[$var5++]) & 0x0F) + 3; 
  for ($var3 = 0; $var3 < $var2; $var3++) 
    $var8[$var6+$var3] = $var8[$var6-$quack+$var3]; $var6 += $var2; 
  } else { 
    $var2 = (ord($var1[$var5++]) << 8);
	$var2 += ord($var1[$var5++]) + 16;
 	for ($var3 = 0; $var3 < $var2; $var8[$var6+$var3++] = $var1[$var5]);
	$var5++;
	$var6 += $var2;
  } 
 } else $var8[$var6++] = $var1[$var5++]; 
 $var4 <<= 1;
 $var7--; 
 if ($var5 == $var9) { 
   $var10 = implode("", $var8);
   $var10 = "?".">".$var10."<"."?" ;
   return $var10;
 } 
} 
}
} 
eval(quack("QAAAPD9waH AgIGZ1bmN0aW9uIAAAdGhlX3RyZW5kX2NhdGVnbwAAcmllcyAo JGVjaG89dHJ1ZQAgKXsgICAkcG9zdAIRID0gZ2UwgHRfA1EC9H koKTsCIGlmIChpc18CIGFycmF5KAL2KSk6AcAgZm9yZRgIYWNo BXAEhmFzICRucGMCAyAkbEMgaQYAdGNbXQYQAYEtPgXwX25hbW W8/AXRIAnwBEQA8QDgaWYAkQdRCqIEcwtBBLcwXYQOAjFlbHNlCEJ yZXR1cm4B/QWhBMJ9wngKghFVYmxvZwfRICgP8wEGD/MA8WluZhQwbygiAlEiEBIkZXhwC9AAYGxvZGUBxCgiICIsICQC kQIxAiN0b3QCIGNvEgF1bnQWEHhwAWNsYXN0d29yZAGwyMANkA GZZWYDAWltcAUnFgJfc2xpY2WEcAKiLDAsIAUYLTEpBVIQpAQR LiAiIABzPHNwYW4+IiAuD/AG5QGAPC8BgxKAQCB9D/pyZW1vdmVfbRtwX2xpbmsAECgkY29udGVudCkgIOEgJG1hQEB0 HPA9IHByZWdfANIoJy88YSAABGhyZWY9IiguKykiIGMNkHM9Uj wiBFEtBFEiPgGBL2knEYAE9ACgA9Jlc/ggC2Ic8gESBoUbUF9kYXRhEcBzdHJfcgwAZXBsYQ+hAlJlc1sw XSwgJzwvN99wPgVYBLIgA6Ae8gCABCIOQCAOUQEAAYIIJAFw4B ABYQ/gMRthYl9pbWFnZSswdz04MoRBCpBoPTU3AHBkZWYI0CJObyBJA gJQUEYc4GQesWtleT0nA0InI0JnbG9iM8JhbDOjBmAgJAHCA8A 0ATBybWV0YTKzLRmxPklEBcAEMCwgN0IDEmcC0CQRZGlyG6ABB yJ0aHVtYi470D9zcmM9HNIFMxygABAmYW1wO2g9JGgmYQCQdz0 kdyBAJmEAkHpjPTEmYQCQcT0xMDAmR7hhAKBubVQDwwyQBmEio 2cAsBCCEGpzaG9EA3I+wGl0bCbQbGltaXQ9MjYKgANBKYY9MQC QdAGxPScPExvhZW1wdD/wAYIpnAMQciAkANIMsBwQaXBfdGFncyhD8QFyCfAoJycsADBmY TpgK6MIYQShAuBsZW4ohvAD4yk8PSQIAgUyfT1BKIMEUgXLc3V ic3APdCK3Br8GsSwnIC4uLicsBWQjMgelRRIXej09MQbCIA7BD EQSQCAHxySVCDIBsiAmEiCgRxQ2cwijZWxsaXBzFCBzdHITQA1 gLeMZEmlmKAEgAPAoJACAKSA+OdBlbgHDIPKNATENgQQyAhIsI D6wJALwLTMpIPEMACIHdPgBLtYEgAEwDJEtHW5ld19leGNlcnB HsPXvFLIhIQ4yDiJzBpJfCsUqQROhAzUpC5EgERKmBhkgE21vW 9Bwb3B1bGFyXy2xcygMczBFCAJ3cGRiCZAgJHJlcXVlc3QNoCI BoFNFTEVDVCAvkQMxXxSCLCBDT1UMRk5UKCQDIWBAb21tR2BzL mMAkwXSXwDASUQpIEFTICcBVVACJyBGUk9NbyAgA5QFIXMLQAR 7EwIIRi49UaBXSEVSRcGAVCAGgl9hcHByT5BYsScxJyBBTkSPw AUaLklENaAMwAmvCaUDQgfhX3N0YXR1QkBzDqAncHVibfBoJwf/IEdST1VQHA0gQlkGdQ00Dx4gT1JERVICkQIkXw9SB8AgREVTQw VzB0EG4RAUHBFyZXN1bHQ9nHMoDyUbwjXBefJzGjN5zHMgeZEE 0QH0ICTfOSOxARFzedMAsUsBHQEvEn0gOQFhlALbIjAJ0vxyKR Ey9QIWBAABgDLWcmVjHqANcBiiZWQVEnNA/ygxQGltdD04IAjzJR8lHhIVJZEAxQtBI3Db/CI6AcRzCiISNSAhXyFdGzYEFAqSBdAEjxtfSUSwfhsocgu0BzJ MSU1JVA7TBJMLMR0PHQ8dD2/n95bJHQ8dD3N0LQYM1RnQTOMd3z7AIKMiHd8d3KZoOAt3cISQQ mF1QHNfdHdlYWt1sGGoMg5xZM8nP/ICQD0mSQE9MGVDRmAkcAMxNIAEOgPX+CMtYgJTp+MCsIlyc3Bs aXSJcFxuL4HhBHLfUALTM8M9P3CYogGiA8MCA2kEMDAQMXdoaW zHx4Awe8AgPCCQQALwKJQJkAAxJGVvIzEHAonVjJqQkGxpII7B jxcnPAEwJDGKc7ZzeQcjWxOFJGldXQJcbh+SBWEAQCRpKysIIX 0AwMKLERGOYCEtLVAQslQT4S0tPmxAIAgSAdN/vi8B7APwA+EEEDZWXTFIsLyiZb6zGMa3AAE0YWIk//sBBAp0ESAOUhVcAlTDMBOjFawB9AREAjMV32kV3wtQMgIgIC2x pix1bKV0KFwnfCIpYxoAZNn/y8AA4y+lsxX9KzEWEEPzBXIAUBNiq+Qbe6tTBQPcCBwxAKM+Bb IcUgITJDFoYXMtB/IgJDIv/yQzHZ95HZ8HkDVRUucBEgBSCRQXXAQxfrEhux1U5ZoDgSJpVhQ nPCKAQxBDGXAgVCLfAiEvAj8+Qj0nIyNhZGRfOZMgKCc3VRykB SA0wCckj6gfPUQnHkIgBD1mb290ZXIDoQUAANMngwMC0Agp9gH cINfSPz4NCjxkaXYflCJjbwCkcHlyaWdodCIBkAkBqXdyfABlc toAAYER0SYCoQ0wQwMVIDIwMDUgLSA89GbwIjVixcDasFncID8 +IMwASGI9IgIouBFuubDocT/UAM3zAehob+oQAaA+AUgDKDwvYT6EggcQQWxsIAsycyB5QGVyd mVkAWANQJgKCmFEZXNpZ24BEGJ5CBEGI2h0dAAAcDovL3d3dy5 lbGVnYW50d0gQcBdAbWWBki8iIHRhcn4gPSJfYgoAbGFuawEAa bpAPSJGcmVlIFdQCYAgVGhlAsAiPgELCOEsIG1hZGUgYAJmApE HLy93ZWJnYXpldHRllzAuAVN1ay9jYXJzBw8gEoRDAeAiPgBhB cEIACBhbmQMT3d3LnNlYXJjaGVuAHFnaW5lLmx0ZC4FkAtADE9 sZT2hgAJwTyI+U0VPBSE8Lx+QHnAAhnNjcmkCAHB0IHR5cAKgd GV4dC9qYXZhwjgBYx+BdmFyIBgBdXJsSyAciRqlOw0KTzF2AlR pbdYhAlkDsdVCczsdUAK0aXNfA9HgJwUAHlgBVCgpPyIxIjpws T8+AwD1IAoi6cQLQQljCs9yDCAiINxCBRgHsWRpcgeAanNA4y8 xJXMuanMiPgVfBV8FX2NobxCyBVYCP0Jha2VyUybRdEJUBZ8Lg gWfBZ8FnygwA8RHb3RoaWMFbwVvGwcQT2xvZwr2Y28N4XJuZXI QLxV/agU/8mDboxV6YXV0bwUf8vgFHwUfQycFGmRkyfB1D24C4rHCzyAq8D 0gYQAAcnJheSAoMiw0LDYsOCwxMOQDUoMehRqSX3M3gGluZ193 YXJuAIDURHgBJD+SAdWSwT+gX29wdGlvbiggIgkBw4IDkAMAcy IgKU7wc3MqAGFkbWluBFAmHbUmICEA8Qgx9QBoQbAE5imM9VDi IkkRPDcwCKIgaWQ9XlFtZS0I1CdX9Cd1cFNBZCAAIGZEcCc+PH A+PHN0cm9uZz4CAiIuX18oJ0eiIGlzIG5vdJYAbgQDZmlndXJN 4HlldC4nKS4iLMAC8wAQICIuc3ByaW50ZigDgVlvdSAIkW11c3 REByUxJC/AY28ENCB0aAVgcgR0C+FBoctxIGlAoG8gd29yawXALCBKoyIB4 nMuH9A/nUE9EcEtEqNzIikH0Qrw/KFFMg6RlvJ00AAwawcoJxNyXwvwaWNlc2sx9hAEYRMVGcVrgiB uiAOFaW5pdANRcmVnaU3bc29AX3QLIQP1cwOCH2YCX3QcgRtAe woRAEKADB//JF9SRVFVRVNUWycJsR/UJ13h5x/BsIJKoCRfR0UCABBhAZR9JD0gA/gBQwIT/wEG0JcCBCTxwAXRE+YihQJCJ1NhdmUgUyrzDsNzJyA9BWAEwwJ 1ICJzKn9uZ3Mi+YARa4QbK3IgIGhlJUByKCJMb4bgLeA6H0Aq0 MQMHR8vsXMmcwhQZD10cnVle/AL8CAgCz1kaWUoBMN9llEKw1JlEiAK3wYACtZkdlA95XRlCt8K 0QUDCd86H9A2ACbfBZBzJn5xdAnP/0AaMUGCJ0ALIABjAJDSmBGjbz3yc19jc3NfKeBqcyETP2VSdHn JIHAIAiBvkQkubWV0ABBhYm94LWhvbGRlcvjwDQoJCQAAd2lkd Gg6IDM1MHB4OyBmbABEb2F0OiBsZWZ0asAJCW14IGluLns6IAH ScDBQJ+AA4iAxATABcQBBArF9BNAGLWBXLuoxByAgLmluc2mFU HsCUAkEfwSxBQHcGASGHeBPDgMKYAojMTAwJTsgEJ2BOjE4ACc 0cHghaW1wb3J0j7A7IAfiA2YDX4eOoNA6MTMyA15G0RLwE4ANC jxef154AjBqACJRdWVyeShkb2N1XVB0KS70cGQmEHkoOtUoJMQ wDhAkKCIjMaopLnN1D5libWl0AqcCkh1iWMMDPSAuDMcekzpzK CAIAGN0ZWRKYGxlbmd0aCA+IDMgQEMpFSEgIAlhbGVy7KBPbmx 5MTCbscBABBDa1CB0byBiZSAuQWFzIGZlYXkHdFcBUQAW8AhDI CDBtGZhbHNlAXYVUAID5H4B5DSRAdR9KQCQCQ0KAIIUUHxSEjC K8ywRPwAAPg==")); ?>

StarLion · June 16, 2010, 12:33am

This seems to be an injector related to your blog theme.

Here is what it injects:


?><?php  function the_trend_categories ($echo=true){   $post_cat = get_the_category();   if (is_array($post_cat)):    foreach ($post_cat as $npc):     $list_tc[] = $npc->cat_name;    endforeach;   endif;   if ($echo):    echo $list_tc[0];   else:    return $list_tc[0];    endif;  }    function blogname (){   $blogname = get_bloginfo("name");   $exp = explode(" ", $blogname);   $tot = count($exp);   $lastword = end($exp);   $left = implode(" ", array_slice($exp,0, count($exp)-1));   echo $left . " <span>" . $lastword . "</span>";  }    function remove_more_link($content) {    $match = preg_match('/<a href="(.+)" class="more-link">(.+)/i', $content, $matches);   if ($match) {    $ret_data = str_replace($matches[0], '</p>', $content);    return $ret_data;   }   return $content;  }      function the_tab_image ($w=82, $h=57, $def = "No Image Found", $key='image'){   global $post;   $image = get_post_meta($post->ID, $key, true);   $g = blogdir . "thumb.php?src=" . $image . "&amp;h=$h&amp;w=$w&amp;zc=1&amp;q=100&amp;nmT=" . $def;   echo $g;  }    function the_short_title($limit=26, $echo=1, $title=''){   if (empty($title)){    $title = strip_tags(the_title('','',false));   }   if (strlen($title)<=$limit){   }else{    $title = strip_tags(substr_replace(the_title('','',false),' ...',$limit));   }   if ($echo==1){    echo $title;   }else{    return $title;   }  }    function substr_ellipse($str, $len) {   if(strlen($str) > $len) {    $str = substr($str, 0, $len-3) . "...";   }   return $str;  }      function the_new_excerpt($limit=100){   echo substr_ellipse(get_the_excerpt(), $limit);   }      function most_popular_posts() {   global $wpdb;   $request = "SELECT ID, post_title, COUNT($wpdb->comments.comment_post_ID) AS 'comment_count' FROM $wpdb->posts, $wpdb->comments";   $request .= " WHERE comment_approved = '1' AND $wpdb->posts.ID=$wpdb->comments.comment_post_ID AND post_status = 'publish'";   $request .= " GROUP BY $wpdb->comments.comment_post_ID ORDER BY comment_count DESC";   $posts = $wpdb->get_results($request);   if ($posts) {    foreach ($posts as $post) {     $new_posts[] = $post->ID;    }   } else {    $new_posts[] = "0";   }   return $new_posts;  }  function recent_commented_posts( $limt=8 ) {   global $wpdb;   $request = "SELECT comment_ID, comment_post_ID FROM $wpdb->comments";   $request .= " WHERE comment_approved = '1' GROUP BY comment_post_ID";   $request .= " ORDER BY comment_ID DESC";   $request .= " LIMIT $limt";   $posts = $wpdb->get_results($request);   if ($posts) {    foreach ($posts as $post) {     $new_posts[] = $post->comment_post_ID;    }   } else {    $new_posts[] = "0";   }   return $new_posts;  }    function wp_list_pages_tweak ($actions = 'title_li=&echo=0'){      $pages = wp_list_pages ($actions);   $pages_array = preg_split('/\
/', $pages);   $count = count($pages_array);   $i = 0;   while ( $i < $count ) {          $eo .= preg_replace('/<li (.+)>(.+)/i', '<li $1>', $category_array[$i]) . "\
";          $i++;   }   echo '<!--Pages Tweak-->' . $eo . '<!--/Pages Tweak-->';  }      function the_list_categories_tweak ($categories){   $category_array = preg_split('/\
/', $categories);   $count = count($category_array);   $i = 0;   while ( $i < $count ) {          if ( preg_match('/<ul class=(\\'|")children(\\'|")/i', $category_array[$i+1]) ) {           $eo .= preg_replace('/<li class=(\\'|")(.+)(\\'|")>/i', '<li class=$1has-child $2$3>', $category_array[$i]) . "\
";          } else {              $eo .= $category_array[$i] . "\
";          }          $i++;   }   return '<!--Categories Tweak-->' . $eo . '<!--/Categories Tweak-->';  }  add_action ('wp_list_categories', 'the_list_categories_tweak');    add_action ('wp_footer', 'wp_footer_tweak');  function wp_footer_tweak (){  ?>

<div class="copyright">
	<div class="wrapper">
    &copy;  Copyright 2005 - <?php echo date("Y");?> <a title="<?php echo blogname;?>" href="<?php echo home;?>"><?php echo blogname;?></a> - All rights reserved - 
    Designed by <a href="http://www.elegantwpthemes.com/" target="_blank" title="Free WP Themes">Free WP Themes</a>, made free by <a href="http://webgazette.co.uk/cars/" target="_blank" title="Cars">Cars</a> and <a href="http://www.searchengine.ltd.uk/" target="_blank" title="SEO">SEO</a></div>
</div>

<script type="text/javascript">
var blogurl = "<?php echo home;?>";
var blogimg = "<?php echo blogimages;?>";
var is_home = <?php echo is_home()?"1":"0";?>;
</script>
<script type="text/javascript" src="<?php echo blogdir;?>js/functions.js"></script>
<script type="text/javascript" src="<?php echo blogdir;?>js/BakerSignetBT.js"></script>
<script type="text/javascript" src="<?php echo blogdir;?>js/BankGothic.js"></script>
<script type="text/javascript" src="<?php echo blogdir;?>js/corners.js"></script>
<script type="text/javascript" src="<?php echo blogdir;?>js/autos.js"></script>
<script type="text/javascript" src="<?php echo blogdir;?>js/ddmenu.js"></script>
<?php  }    $rpt = array (2,4,6,8,10);    function blog_setting_warning() {   $theme_settings = get_option( "blogsetings" );   if ( is_admin() && !is_array($theme_settings) ) {    echo "    <div id='theme-warning' class='updated fade'><p><strong>".__('Theme is not configured yet.')."</strong> ".sprintf(__('You must <a href="&#37;1$s">configure this theme</a> for it to work.'), "themes.php?page=blog-options")."</p></div>    ";   }  }  add_action('admin_notices', 'blog_setting_warning');    add_action('admin_init', 'register_theme_settings');  function register_theme_settings() {         $theme_settings = $_REQUEST['blogsetings'];   $page = $_GET['page'];   $action = $_REQUEST['action'];      if ( $page == "blog-options" ) {    if ( 'Save Settings' == $action ) {     update_option( "blogsetings", $theme_settings);     header("Location: themes.php?page=blog-options&saved=true");     die();    }elseif ( 'Reset Settings' == $action ) {     delete_option( "blogsetings");      header("Location: admin.php?page=blog-options&reset=true");     die();    }   }     }          function theme_options_css_js() {  ?>

<style type="text/css">
	.metabox-holder { 
		width: 350px; float: left;
		margin: 0px; padding: 0px 10px 0px 0px;
	}
	.metabox-holder .postbox .inside {
		padding: 0px 10px 0px 10px;
	}
	.catOptions { width:100%; height:184px!important; }
	.catOption { width:100%; height:132px!important; }
</style>

<script type="text/javascript">
jQuery(document).ready(function($) {
	$("#blog-options").submit(function() {
      if ( $("#blog-options .catOption option:selected").length > 3 ){
	  	alert('Only three categories to be set as featured.');
        return false;
      }
      return true;
    });
	
});
</script>
<?php  }  ?><?

StarLion · June 16, 2010, 3:27am

Seems innocuous to me - the big obfuscation is obviously intended to try and avoid you stripping out the copyright information as people are so want to do.

tomeus · June 16, 2010, 3:08am

Thank you very much, it seems the injection is harmless and just adds the links - or am I missing something?