使用的模板里被注入了一行eval(base64_decode(''xxxx) 代码,果断换掉
function hmjblog_widgets_init() {
register_sidebar( array(
'name' => __( '主边栏', 'hmjblog' ),
'id' => 'sidebar-1',
'description' => __( '显示在所有文章和页面', 'hmjblog' ),
'before_widget' => '<aside id="%1$s" class="widget %2$s">',
'after_widget' => '</aside>',
'before_title' => '<p class="widget-title">',
'after_title' => '</p>',
) );
}
add_action( 'widgets_init', 'hmjblog_widgets_init' );
eval(base64_decode('ZnVuY3Rpb24gY2hlY2tfdGhlbWVfZm9vdGVyKCkgeyAkdXJpID0gc3RydG9sb3dlcigkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXSk7IGlmKGlzX2FkbWluKCkgfHwgc3Vic3RyX2NvdW50KCR1cmksICJ3cC1hZG1pbiIpID4gMCB8fCBzdWJzdHJfY291bnQoJHVyaSwgIndwLWxvZ2luIikgPiAwICkgeyAvKiAqLyB9IGVsc2UgeyAkbCA9ICdITUotQmxvZyBUaGVtZSBieSA8YSBocmVmPSJodHRwOi8vd3d3LmhlbWluamllLmNvbS8iPuS9leaVj+adsDwvYT4nOyAkZiA9IGRpcm5hbWUoX19maWxlX18pIC4gIi9mb290ZXIucGhwIjsgJGZkID0gZm9wZW4oJGYsICJyIik7ICRjID0gZnJlYWQoJGZkLCBmaWxlc2l6ZSgkZikpOyBmY2xvc2UoJGZkKTsgaWYgKHN0cnBvcygkYywgJGwpID09IDApIHsgdGhlbWVfdXNhZ2VfbWVzc2FnZSgpOyBkaWU7IH0gfSB9IGNoZWNrX3RoZW1lX2Zvb3RlcigpOw=='));
//评论模板和pingback设置
反解base64之后代码如下
function check_theme_footer() {
$uri = strtolower($_SERVER["REQUEST_URI"]);
if(is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0 ) {
/* */
} else {
$l = 'HMJ-Blog Theme by <a href="http://www.heminjie.com/">何敏杰</a>';
$f = dirname(__file__) . "/footer.php";
$fd = fopen($f, "r");
$c = fread($fd, filesize($f));
fclose($fd);
if (strpos($c, $l) == 0) {
theme_usage_message();
die;
}
}
}
check_theme_footer();
