22 {{ upvoteCount | shortNum }}
22 {{ upvoteCount | shortNum }}

Just found out about base64_decode

by larsjorgenbr
19 replies
Just saw a video about this, that this usually is a bit of coding hidden in free themes. I have no idea what the code does (usually backlinks, if I understood correctly), only that it is/can be malicious. Now, if I have this coding in my themes I just change the theme, but can this damage my rankings or anything like that? Can this coding and what ever it's being used for be used for something that can hurt my site over time and even after I change the theme? I even found a lot of this coding in the Twenty Ten theme (I use the TAC plugin), and below I see the coding in plain text, and it's probably close to a hundred links hidden in the header. I mean, the theme made by the WP team is THE worst one. What's up with that? "Buy Cheap caverta", "Levitra Cupons" and "Buy Cheap Viagra" doesn't have a lot to do with WP, now does it.. :rolleyes:

With this many links pointing to shady sites - am I wrong to assume that this can affect my ranking?
#base64decode #found
  • Profile picture of the author Tonyk518
    The default theme from WP does not include any spammy links, you got something else going on but it's def NOT from WP themselves.
    {{ DiscussionBoard.errors[7874031].message }}
  • Profile picture of the author larsjorgenbr
    Well, it's a brand new site and the Twenty Ten theme is what you get when you first install WP, is it not?
    {{ DiscussionBoard.errors[7874128].message }}
  • Profile picture of the author Andrew H
    I highly doubt the wordpress team would be embedding hidden links into the theme, especially linking to viagra. The more likely reasons is there is a malicious plugin or third party theme - I would look into that first.
    Signature
    "You shouldn't come here and set yourself up as the resident wizard of oz."
    {{ DiscussionBoard.errors[7874236].message }}
  • Profile picture of the author gamebak
    most probably a hacker got into your site or something, or maybe you are referring to theme backup code which is base64...
    {{ DiscussionBoard.errors[7874251].message }}
  • Profile picture of the author MYDCOM
    Linking to shady sites is not a good idea.

    I don't believe Wordpress themselves will ever put up secret links to Viagra sites in their default themes.

    You should install wordpress default theme again and make sure to get it directly from wordpress.
    Signature
    ==>4PPO.COM - UNLIMITED FREE SEO & Ai TOOLS FOR MARKETERS
    ==>HowToWebmaster Marketing Blog and Channel
    {{ DiscussionBoard.errors[7874295].message }}
    • Profile picture of the author larsjorgenbr
      Originally Posted by gamebak View Post

      most probably a hacker got into your site or something, or maybe you are referring to theme backup code which is base64...
      The site is so new it was indexed like 2 days ago. And I wouldn't be seing shady links if it was the backup code.

      Originally Posted by MYDCOM View Post

      Linking to shady sites is not a good idea.

      I don't believe Wordpress themselves will ever put up secret links to Viagra sites in their default themes.

      You should install wordpress default theme again and make sure to get it directly from wordpress.
      My server is down. I will install the Twenty Ten over again when it's up and running and see if the problem is still there in the new download.
      {{ DiscussionBoard.errors[7874500].message }}
  • Profile picture of the author mojojuju
    Nonsense. The Twenty Ten theme doesn't contain any such shenanigans.
    Signature

    :)

    {{ DiscussionBoard.errors[7874456].message }}
    • Profile picture of the author larsjorgenbr
      Originally Posted by mojojuju View Post

      Nonsense. The Twenty Ten theme doesn't contain any such shenanigans.
      Oh, I must be lying just to get your attention then.
      {{ DiscussionBoard.errors[7874504].message }}
      • Profile picture of the author mojojuju
        Originally Posted by larsjorgenbr View Post


        Oh, I must be lying just to get your attention then.
        I wasn't suggesting that you're lying, but I am pretty certain that you don't know what you're talking about.

        By the way, what version of Wordpress did you install that comes with the Twenty Ten theme?
        Signature

        :)

        {{ DiscussionBoard.errors[7874543].message }}
        • Profile picture of the author larsjorgenbr
          Originally Posted by mojojuju View Post

          I wasn't suggesting that you're lying, but I am pretty certain that you don't know what you're talking about.

          By the way, what version of Wordpress did you install that comes with the Twenty Ten theme?
          Correct, I don't know too much about this, that's why I ask.

          I thought this theme came with every WP install? I use 3.5.1 and Twenty Ten and Eleven is always in there when the installation is finished. Isn't that normal? It's been like that since I first installed WP like 5 years ago.

          I btw just found out that this problem is the same for just about all my sites, and almost every single theme is affected. Have I been hacked? :confused: What do I do now? Delete all the themes and install new ones? What a major pain in the ass. But not all of this coding can be links, it seems like it's a piece of coding on almost every single line of text, so maybe it's theme backup code after all?
          {{ DiscussionBoard.errors[7874603].message }}
  • Profile picture of the author Andrew H
    Do you see these links in your actual template files? or is this just looking at 'view source code' through your browser?
    Signature
    "You shouldn't come here and set yourself up as the resident wizard of oz."
    {{ DiscussionBoard.errors[7874717].message }}
  • Profile picture of the author larsjorgenbr
    The TAC is "translating" the code into these links, but for most of the themes it doesn't translate it into anything, the plugin just reads the coding as encrypted. I guess some of it is bad and some is not(?). Anyway, I emailed my hosting provider, I'll let you know what they say when they get back to me.
    {{ DiscussionBoard.errors[7874763].message }}
  • Profile picture of the author kpmedia
    Base64 isn't necessarily malicious.
    It's legitimate coding, though it can be used for crap.
    Signature
    FAQ: Need a Site5/Arvixe/Hostgator alternative? And who is EIG?
    Reviews:     Need a good VPS, dedicated server, or unlimited host? (This is NOT a fake "top 10" list!)
    {{ DiscussionBoard.errors[7875512].message }}
  • Profile picture of the author Tonyk518
    If it's on all your sites then its your hosting that got hacked. I've seen it before.
    One client on a shared server is out of date on security, others pay for it.

    Scan your sites
    Sucuri SiteCheck - Free Website Malware Scanner
    {{ DiscussionBoard.errors[7875557].message }}
    • Profile picture of the author larsjorgenbr
      Originally Posted by Tonyk518 View Post

      If it's on all your sites then its your hosting that got hacked. I've seen it before.
      One client on a shared server is out of date on security, others pay for it.

      Scan your sites
      Sucuri SiteCheck - Free Website Malware Scanner
      Do I avoid this problem if I get a dedicated hosting?

      Found malware on one of my sites with the tool you linked too. I guess most of the coding isn't bad, but some of it obviously is. I have no idea how to fix it, though. Better google..

      Edit: Came across websitedefender.com. This is supposed to keep my sites safe, and as far as I can see it's safe too. Worth a try?
      {{ DiscussionBoard.errors[7875779].message }}
      • Profile picture of the author kevintb7
        Originally Posted by larsjorgenbr View Post

        Do I avoid this problem if I get a dedicated hosting?
        Yes, but a good shared hosting environment really should prevent this from happening as well. Unless its a really smart virus.

        Also, you seem to be going down a path here that everyone is steering you away from, so I will reiterate: It is HIGHLY unlikely that this has anything to do with the wordpress theme on your site. Therefore, downloading and re installing would do nothing, deleting the theme and replacing would do nothing, and changing themes would do nothing. Your problem is most likely somewhere else. We need more info to help, screen shots of where you find the malware, urls, etc.
        {{ DiscussionBoard.errors[7876603].message }}
  • Profile picture of the author Cosmit
    Often times a theme/plugin will get infected with malicious code. To hide the source from naive programmers the hacker will usually encode the source code using base64_encode and eval its contents. There is usually no need to encode any source code at all. The function base64_encode is usually used when you're dealing with binary data.

    If you think your web server is infected with a virus I created a script that scans your entire web-server for specific signatures (like the base64_encode).
    Signature
    Banks Hate Him! See how he made $10,000 in an afternoon with one simple trick!
    {{ DiscussionBoard.errors[7876563].message }}
  • Profile picture of the author larsjorgenbr
    I've found out what the coding says and that it belongs to a company in London, UK. I got an apology from the, and they said that they would "clean up" my site after themselves. Funny, can't remember to have given them access. But then again, I didn't do so when they hacked me either.

    I emailed them back, with no reply as of yet.

    I wanna make their life miserable. Any good tips on how to do so? I have links to several of their websites, so I can do a lot of damage if I hire one of my hacker friends..
    {{ DiscussionBoard.errors[7878767].message }}
    • Profile picture of the author kevintb7
      Originally Posted by larsjorgenbr View Post

      I've found out what the coding says and that it belongs to a company in London, UK. I got an apology from the, and they said that they would "clean up" my site after themselves. Funny, can't remember to have given them access. But then again, I didn't do so when they hacked me either.

      I emailed them back, with no reply as of yet.

      I wanna make their life miserable. Any good tips on how to do so? I have links to several of their websites, so I can do a lot of damage if I hire one of my hacker friends..
      I am left with a lot of questions. However, I wouldnt ask that last part if I were you, you're talking about a crime.
      {{ DiscussionBoard.errors[7879003].message }}

Trending Topics