This code was found at my world press theme Function.php I have want to check this is a hacking code ..Please someone help me to to encode this eval(base64_decode('aWYgKCFlbXB0eSgkX1JFUVVFU1RbInRoZW1lX2NyZWRpdCJdKSkgew0KDQoJdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBleGl0KCk7DQoNCgl9DQoNCglmdW5jdGlvbiB0aGVtZV91c2FnZV9tZXNzYWdlKCkgew0KDQoJaWYgKGVtcHR5KCRfUkVRVUVTVFsidGhlbWVfY3JlZGl0Il0pKSB7DQoNCgkkdGhlbWVfY3JlZGl0X2ZhbHNlID0gZ2V0X2Jsb2dpbmZvKCJ1cmwiKSAuICIvaW5kZXgucGhwP3RoZW1lX2NyZWRpdD1mYWxzZSI7DQoNCgllY2hvICI8bWV0YSBodHRwLWVxdWl2PVwicmVmcmVzaFwiIGNvbnRlbnQ9XCIwO3VybD0kdGhlbWVfY3JlZGl0X2ZhbHNlXCI+IjsgZXhpdCgpOw0KDQoJfSBlbHNlIHsNCg0KICAgICRya191cmwgPSBnZXRfYmxvZ2luZm8oJ3RlbXBsYXRlX2RpcmVjdG9yeScpOw0KCSRob21lcGFnZSA9IGdldF9ibG9naW5mbygnaG9tZScpOw0KDQoJZWNobyAoIjxkaXYgc3R5bGU9XCJ3aWR0aDo4MDBweDsgbWFyZ2luOmF1dG87IHBhZGRpbmc6MTVweDsgdGV4dC1hbGlnbjpjZW50ZXI7IGJhY2tncm91bmQtY29sb3I6I0ZGRkZGRjsgYm9yZGVyOjVweCBzb2xpZCAjRkYwMDAwOyBjb2xvcjojMDAwMDAwXCI+Iik7DQogICAgZWNobyAoIjxkaXY+PGltZyBzcmM9XCIkcmtfdXJsL2ltYWdlcy9lcnJvci5qcGdcIiBhbHQ9XCJFcnJvclwiIC8+PC9kaXY+Iik7DQogICAgZWNobyAoIjxkaXYgc3R5bGU9XCJmb250LXNpemU6MzZweDtcIj48Yj5PcHBzLi5Zb3UgSGF2ZSBNb2RpZmllZCBUaGUgRm9vdGVyIExpbmtzLi48L2I+PC9kaXY+Iik7DQogICAgZWNobyAoIjxkaXYgc3R5bGU9XCJmb250LXNpemU6MTVweDtcIj48Yj5UaGlzIFRoZW1lIElzIFJlbGVhc2VkIEZyZWUgRm9yIFVzZSBVbmRlciBDcmVhdGl2ZSBDb21tb25zIExpY2VuY2UuIEFsbCBMaW5rcyBJbiBUaGUgRm9vdGVyIE11c3QgUmVtYWluIEludGFjdCBBUyBJUy4gVGhlc2UgTGlua3MgQXJlIEFsbCBGYW1pbHkgRnJpZW5kbHkgQW5kIFdpbGwgTm90IEh1cnQgWW91ciBTaXRlIEluIEFueSBXYXkuIFBsZWFzZSBBcHByZWNpYXRlIFRoZXNlIFN1cHBvcnRlcnMgRWZmb3J0IEluIFByb3ZpZGluZyBZb3UgVGhpcyBHcmVhdCBUaGVtZSBGb3IgRnJlZS48L2I+PC9kaXY+Iik7DQogICAgZWNobyAoIjxkaXYgc3R5bGU9XCJmb250LXNpemU6MTZweDsgcGFkZGluZy10b3A6MjBweDtcIj48Yj5QbGVhc2UgRm9sbG93IFRoZXNlIFN0ZXBzIFRvIFJlc3RvcmUgVGhlIEZvb3RlcjogPG9sPjxsaT5QbGVhc2Ugb3BlbiB0aGUgZGVmYXVsdCBmb2xkZXIsIHlvdSdsbCBmaW5kIGZvb3Rlci5waHAgaW5zaWRlPC9saT48bGk+Q29weSAmYW1wOyBwYXN0ZSBpdCB0byBvdmVyd3JpdGUgdGhlIGN1cnJlbnQgZm9vdGVyLnBocCB5b3UndmUgbW9kaWZpZWQuPC9saT48bGk+RmluYWxseSwgcmVmcmVzaCB5b3VyIHBhZ2UgPGEgaHJlZj1cIiRob21lcGFnZVwiPkhFUkU8L2E+IHRvIGdvIGJhY2sgdG8geW91ciBob21lcGFnZS48L2xpPjwvb2w+PC9iPjwvZGl2PjwvZGl2PiIpOw0KDQoJfQ0KDQp9DQoNCmZ1bmN0aW9uIGNoZWNrX3RoZW1lX2Zvb3RlcigpIHsNCg0KCSRsID0gJzxhIGhyZWY9Imh0dHA6Ly93d3cubWFncHJlc3MuY29tIiB0aXRsZT0iV29yZFByZXNzIFRoZW1lIiB0YXJnZXQ9Il9ibGFuayI+V29yZFByZXNzIFRoZW1lPC9hPiBCeSBNYWdQcmVzczxiciAvPlRoYW5rcyBUbyA8YSBocmVmPSJodHRwOi8vbW1vaHV0LmNvbSIgdGl0bGU9IkZyZWUgTU1PIiB0YXJnZXQ9Il9ibGFuayI+RnJlZSBNTU88L2E+IHwgPGEgaHJlZj0iaHR0cDovL3d3dy5ob3N0di5jb20iIHRpdGxlPSJWUFMgSG9zdGluZyIgdGFyZ2V0PSJfYmxhbmsiPlZQUyBIb3N0aW5nPC9hPiB8IDxhIGhyZWY9Imh0dHA6Ly93d3cuY2lydGV4aG9zdGluZy5jb20vc2hhcmVkLnNodG1sIiB0aXRsZT0iU2hhcmVkIEhvc3RpbmciIHRhcmdldD0iX2JsYW5rIj5TaGFyZWQgSG9zdGluZzwvYT4nOw0KDQoJJGYgPSBkaXJuYW1lKF9fZmlsZV9fKSAuICIvZm9vdGVyLnBocCI7DQoNCgkkZmQgPSBmb3BlbigkZiwgInIiKTsNCg0KCSRjID0gZnJlYWQoJGZkLCBmaWxlc2l6ZSgkZikpOw0KDQoJZmNsb3NlKCRmZCk7IGlmIChzdHJwb3MoJGMsICRsKSA9PSAwKSB7DQoNCgl0aGVtZV91c2FnZV9tZXNzYWdlKCk7DQoNCiAgICBkaWU7DQoNCgl9DQoNCn0NCg0KCWNoZWNrX3RoZW1lX2Zvb3RlcigpOw0KDQoNCmlmKCFmdW5jdGlvbl9leGlzdHMoJ2dldF9zaWRlYmFyJykpIHsNCg0KCWZ1bmN0aW9uIGdldF9zaWRlYmFyKCkgew0KDQoJY2hlY2tfdGhlbWVfaGVhZGVyKCk7DQoNCglnZXRfc2lkZWJhcigpOw0KDQoJfQ0KfQ0KDQpmdW5jdGlvbiBjaGVja190aGVtZV9oZWFkZXIoKSB7DQoNCiAgICBpZiAoIShmdW5jdGlvbl9leGlzdHMoImZ1bmN0aW9uc19maWxlX2V4aXN0cyIpICYmIGZ1bmN0aW9uX2V4aXN0cygidGhlbWVfZm9vdGVyX3YiKSkpDQogICAgew0KICAgIHRoZW1lX3VzYWdlX21lc3NhZ2UoKTsNCiAgICBkaWU7DQogICAgfQ0KfQ0KDQpmdW5jdGlvbiBmdW5jdGlvbnNfZmlsZV9leGlzdHMoKSB7DQoNCglpZiAoIWZpbGVfZXhpc3RzKGRpcm5hbWUoX19maWxlX18pIC4gIi9mdW5jdGlvbnMucGhwIikgfHwgIWZ1bmN0aW9uX2V4aXN0cygidGhlbWVfdXNhZ2VfbWVzc2FnZSIpICkNCgl7DQogICAgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOw0KCWRpZTsNCiAgICB9DQp9DQoNCmFkZF9hY3Rpb24oJ3dwX2hlYWQnLCAnY2hlY2tfdGhlbWVfaGVhZGVyJyk7DQphZGRfYWN0aW9uKCd3cF9oZWFkJywgJ2Z1bmN0aW9uc19maWxlX2V4aXN0cycpOw=='));
There you go if (!empty($_REQUEST["theme_credit"])) { theme_usage_message(); exit(); } function theme_usage_message() { if (empty($_REQUEST["theme_credit"])) { $theme_credit_false = get_bloginfo("url") . "/index.php?theme_credit=false"; echo "<meta http-equiv=\"refresh\" content=\"0;url=$theme_credit_false\">"; exit(); } else { $rk_url = get_bloginfo('template_directory'); $homepage = get_bloginfo('home'); echo ("<div style=\"width:800px; margin:auto; padding:15px; text-align:center; background-color:#FFFFFF; border:5px solid #FF0000; color:#000000\">"); echo ("<div><img src=\"$rk_url/images/error.jpg\" alt=\"Error\" /></div>"); echo ("<div style=\"font-size:36px;\"><b>Opps..You Have Modified The Footer Links..</b></div>"); echo ("<div style=\"font-size:15px;\"><b>This Theme Is Released Free For Use Under Creative Commons Licence. All Links In The Footer Must Remain Intact AS IS. These Links Are All Family Friendly And Will Not Hurt Your Site In Any Way. Please Appreciate These Supporters Effort In Providing You This Great Theme For Free.</b></div>"); echo ("<div style=\"font-size:16px; padding-top:20px;\"><b>Please Follow These Steps To Restore The Footer: <ol><li>Please open the default folder, you'll find footer.php inside</li><li>Copy & paste it to overwrite the current footer.php you've modified.</li><li>Finally, refresh your page <a href=\"$homepage\">HERE</a> to go back to your homepage.</li></ol></b></div></div>"); } } function check_theme_footer() { $l = '<a href="http://www.magpress.com" title="WordPress Theme" target="_blank">WordPress Theme</a> By MagPress<br />Thanks To <a href="http://mmohut.com" title="Free MMO" target="_blank">Free MMO</a> | <a href="http://www.hostv.com" title="VPS Hosting" target="_blank">VPS Hosting</a> | <a href="http://www.cirtexhosting.com/shared.shtml" title="Shared Hosting" target="_blank">Shared Hosting</a>'; $f = dirname(__file__) . "/footer.php"; $fd = fopen($f, "r"); $c = fread($fd, filesize($f)); fclose($fd); if (strpos($c, $l) == 0) { theme_usage_message(); die; } } check_theme_footer(); if(!function_exists('get_sidebar')) { function get_sidebar() { check_theme_header(); get_sidebar(); } } function check_theme_header() { if (!(function_exists("functions_file_exists") && function_exists("theme_footer_v"))) { theme_usage_message(); die; } } function functions_file_exists() { if (!file_exists(dirname(__file__) . "/functions.php") || !function_exists("theme_usage_message") ) { theme_usage_message(); die; } } add_action('wp_head', 'check_theme_header'); add_action('wp_head', 'functions_file_exists'); PHP:
Before doing so, you might want to question the use of "eval" in this.... If your not sure of the reasons, ask yourself why the person who created PHP is quoted as saying "If eval is the answer, you are asking the wrong question". There are other, better, ways to encode scripts, but it takes no more than a couple of minutes, usually, to decode them so you might also want to consider if its actually worth your time.
It happens that I ran into the same thing. It is a hack. You will notice on the bottom of the HTML that your wordpress installation produces a <script> tag with a link to zettapetta.com :-/ I reinstalled wordpress, cleaned up the first 2 lines of each .php file in the theme, and it seems to be fine now. More info here: http://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/ Sorry about your blog. Hope you get it all sorted out! Edit: Weird, I just decoded <?php echo base64_decode('...........'); PHP: it is not the same as the one I had on my blog. Yours really decodes to what the guys earlier posted. Not sure whether it is a hack. See whether you have zettapetta anywhere in the source of your HTML.
Check your images folder for a gif.php file. Also, check any .html files for added lines of <script> right after the body tags.
Just zap these before pasting into the box: At the begin eval(base64_decode(' Code (markup): And at the end ')); Code (markup): This is not a hack. The guys just need to make sure that you dont change the theme footer and he can receive 100% backlinks for this theme. Thats fair use imho, decide for yourself. Regards flexdex
<?php $__F=__FILE__; $__C='Pz48L2Q0dj4NCjwhLS0gRU5EIHdyMXBwNXIgLS0+DQoNCjwhLS0gQkVHSU4gZjIydDVyIC0tPg0KPGQ0diA0ZD0iZjIydDVyIj4NCg0KCTxwIGNsMXNzPSJjMXQ1ZzJyNDVzIj4NCgk8P3BocCANCgkkd3BsNHN0YzF0cyA9IHdwX2w0c3RfYzF0NWcycjQ1cygndDR0bDVfbDQ9JnN0eWw1PW4ybjUmNWNoMj0wJyk7IA0KCTVjaDIgczNic3RyKHN0cl9yNXBsMWM1KCc8YnIgLz4nLCAnIHwgJywgJHdwbDRzdGMxdHMpLCAwLCAtbyk7DQoJPz4NCiAgPGJyLz48YnIvPg0KCTwvcD4NCgkNCiAgPHAgNGQ9IndwdGRfZjIydDVyIj4NCiAgICA8c3AxbiBjbDFzcz0iMWw0Z25sNWZ0Ij4mYzJweTsgPD9waHAgdGg1X3Q0bTUoIlkiKTsgPz4gPDEgaHI1Zj0iPD9waHAgYmwyZzRuZjIoIjNybCIpOyA/PiIgdDR0bDU9Ijw/cGhwIGJsMmc0bmYyKCJuMW01Iik7ID8+Ij48P3BocCBibDJnNG5mMigibjFtNSIpOyA/PjwvMT4uIEFsbCBSNGdodHMgUjVzNXJ2NWQ8L3NwMW4+DQogICAgPHNwMW4gY2wxc3M9IjFsNGducjRnaHQiPkQ1djVsMnA1ZCBieSA8MSB0NHRsNT0iUFNEIHQyIFcycmRwcjVzcyIgaHI1Zj0iaHR0cDovL3dwZnIybXBzZC5jMm0iPlBTRCB0MiBXMnJkcHI1c3M8LzE+IC4gRDVzNGduNWQgYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy53cHRoNW01ZDVzNGduNXIuYzJtIiB0NHRsNT0iVzJyZHByNXNzIFRoNW01IEQ1czRnbjVyIj5XMnJkcHI1c3MgVGg1bTUgRDVzNGduNXI8LzE+IDwxIGNsMXNzPSJ3cHRkX2wyZzIiIGhyNWY9Imh0dHA6Ly93d3cud3B0aDVtNWQ1czRnbjVyLmMybSIgdDR0bDU9IlcycmRwcjVzcyBUaDVtNSBENXM0Z241ciI+VzJyZHByNXNzIFRoNW01IEQ1czRnbjVyPC8xPjwvc3Axbj4NCiAgPC9wPg0KICA8ZDR2IHN0eWw1PSJjbDUxcjpiMnRoIj48L2Q0dj4NCg0KPC9kNHY+DQo8IS0tIEVORCBmMjJ0NXIgLS0+DQoNCjwvYjJkeT4NCg0KPC9odG1sPg0K'; eval(base64_decode('JF9fQz1iYXNlNjRfZGVjb2RlKCRfX0MpOwokX19DPXN0cnRyKCRfX0MsIjEyMzQ1NmFvdWllIiwiYW91aWUxMjM0NTYiKTsKJF9fQz1lcmVnX3JlcGxhY2UoJ19fRklMRV9fJywiJyIuJF9fRi4iJyIsJF9fQyk7CmV2YWwoJF9fQyk7CiRfX0M9IiI7'));?>