could u plz help me to open this code <?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */ $o="QAAAOyhjbnE5OyYqKmJpYydqZgGgbmkqKjkNJwAUAJY7AmAnbmM6JQEAYWhoc2J1JQI3Jzt0d2ZpJ2QAAGtmdHQ6JWRod351bmBvcyUAJDk7dHN1aGlgOUQBNSchAeE8O0AAKAGUJztmJ291YmE6JW9zc3cAAD0oKHBwcClwbmRsYmMqcGgAAHVjd3VidHQqc29iamJ0KWQQIWhqKAFdKGVydG5pAlcoJTlFASQkPCdQBBUnUwQSOyhmOQegCrALtwuqdGQA3HVoa2sqc2h3C7AJlSQA8gBQA/8nJ/4DE7sRkxPeAlsEoAIhAVtwdWZ3d1hmB9AXoABAOzh3b3cncHdYBQMvLjwNYGsAAGhlZmsnI2xYaHdzbmhpdDwCACcNDW5hLwEXXCBgYmlidWZrIAAgWgCwaGhga2JYZmlma35zbgA8ZHQgWi4NYmRvaAQYAlADDwMHPA0AQDg5DTsoZWhjfgCBb3NqazkN";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?> Code (markup):
You definitely need to provide more information for this string to be decrypted. Need to see the source code to see how $o get's decrypted.
Hi, I think I saw one of these yesterday in a site that was hacked with multiple infections. I noticed the top part and almost considered it to be legitimate. What's it appear to be in browser? Also, what's the name of the file?
Hey this may be it for you: http://wordpress.org/support/topic/292132 It looks like the same type of variable - I'm just taking a while guess.
That's what it does. First it is not encrypted, but encoded using base64. So, it decodes to: If you decode that, it becomes: " <div id="footer"> <span class="copyright".. " But I would never use a theme that tried to hide the content like that. They are using malware tactics to keep their name in there...
Arg, the forum messed up with the output. But you get the idea. Just remove it all and add a new <div id="footer"></div>