Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php /* Sucuri integrity monitor * Integrity checking and server side scanning. * ..

Decoded Output download

<?php /* Sucuri integrity monitor .
 * Connects back home.
 * Copyright (C) 2010-2013 Sucuri, LLC
 * Do not distribute or share.
*/
$SUCURIPWD = "535e26eb0f3324e8056fe6954976b04c62eb977f2cc51";
if (isset($_GET['test'])) {
    echo "OK: Sucuri: Found
";
    exit(0);
}
/* Valid argument. */
if (!isset($_GET['run'])) {
    exit(0);
}
/* Must have an IP address. */
if (!isset($_SERVER['REMOTE_ADDR'])) {
    exit(0);
}
$origremoteip = $_SERVER['REMOTE_ADDR'];
/* If coming from cloudflare: */
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}
/* More gateway requests. */
else if (isset($_SERVER['HTTP_X_ORIG_CLIENT_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_ORIG_CLIENT_IP'];
}
/* Proxy requests. */
else if (isset($_SERVER['HTTP_TRUE_CLIENT_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_TRUE_CLIENT_IP'];
}
/* Proxy requests. */
else if (isset($_SERVER['HTTP_X_REAL_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
}
/* More gateway requests. */
else if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
$myiplist = array('97.74.127.171', '69.164.203.172', '173.230.128.135', '66.228.34.49', '66.228.40.185', '50.116.3.171', '50.116.36.92', '198.58.96.212', '50.116.63.221', '192.155.92.112', '192.81.128.31', '198.58.106.244', '2600:3c00::f03c:91ff:feae:e104', '2600:3c02::f03c:91ff:fedf:58c6', '2600:3c02::f03c:91ff:fedf:5835', '2600:3c03::f03c:91ff:fedf:6a7a', 'fe80::fcfd:adff:fee6:8087', '2600:3c03::f03c:91ff:fe70:36ce', '2600:3c02::f03c:91ff:fe70:f12d', '2600:3c01::f03c:91ff:fe70:52bb', '50.116.36.93', "192.155.95.139", "2600:3c02::f03c:91ff:fe69:4b66", "2600:3c00::f03c:91ff:fe70:5213", "2600:3c03::f03c:91ff:fedb:b9ce", "23.239.9.227",);
$ipmatches = 0;
foreach ($myiplist as $myip) {
    if (strpos($_SERVER['REMOTE_ADDR'], $myip) !== FALSE) {
        $ipmatches = 1;
        break;
    }
    if (strpos($origremoteip, $myip) !== FALSE) {
        $ipmatches = 1;
        break;
    }
}
if ($ipmatches == 0) {
    echo "ERROR: Invalid IP Address
";
    exit(0);
}
/* Valid key. */
if (!isset($_POST['sscred'])) {
    echo "ERROR: Invalid argument
";
    exit(0);
}
/* Connect back to get what to run. */
if (!function_exists('curl_exec') || isset($_GET['nocurl'])) {
    $postdata = http_build_query(array('p' => $SUCURIPWD, 'q' => $_POST['sscred'],));
    $opts = array('http' => array('method' => 'POST', 'header' => 'Content-type: application/x-www-form-urlencoded', 'content' => $postdata));
    $context = stream_context_create($opts);
    $my_sucuri_encoding = file_get_contents("https://$MYMONITOR.sucuri.net/imonitor", false, $context);
    if (strncmp($my_sucuri_encoding, "WORKED:", 7) == 0) {
    } else {
        echo "ERROR: Unable to complete (missing curl support and file_get failed). Please contact [email protected] for guidance.
";
        exit(1);
    }
} else {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://$MYMONITOR.sucuri.net/imonitor");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "p=$SUCURIPWD&q=" . $_POST['sscred']);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $my_sucuri_encoding = curl_exec($ch);
    curl_close($ch);
    if (strncmp($my_sucuri_encoding, "WORKED:", 7) == 0) {
    } else {
        if ($my_sucuri_encoding == NULL || strlen($my_sucuri_encoding) < 3) {
            $my_sucuri_encoding = "x2351";
        }
        echo "ERROR: Unable to connect back to Sucuri (error: $my_sucuri_encoding). Please contact [email protected] for guidance.
";
        exit(1);
    }
}
$my_sucuri_encoding = base64_decode(substr($my_sucuri_encoding, 7));
eval($my_sucuri_encoding);

Did this file decode correctly?

Original Code

<?php
/* Sucuri integrity monitor
 * Integrity checking and server side scanning.
 *
 * Copyright (C) 2010, 2011, 2012 Sucuri, LLC
 * http://sucuri.net
 * Do not distribute or share.
 */

$MYMONITOR = "monitor10";
$my_sucuri_encoding = "



LyogU3VjdXJpIGludGVncml0eSBtb25pdG9yIC4gCiAqIENvbm5lY3RzIGJhY2sgaG9tZS4KICog
Q29weXJpZ2h0IChDKSAyMDEwLTIwMTMgU3VjdXJpLCBMTEMKICogRG8gbm90IGRpc3RyaWJ1dGUg
b3Igc2hhcmUuCiAqLwoKCiRTVUNVUklQV0QgPSAiNTM1ZTI2ZWIwZjMzMjRlODA1NmZlNjk1NDk3
NmIwNGM2MmViOTc3ZjJjYzUxIjsKCgppZihpc3NldCgkX0dFVFsndGVzdCddKSkKewogICAgZWNo
byAiT0s6IFN1Y3VyaTogRm91bmRcbiI7CiAgICBleGl0KDApOwp9CgoKCi8qIFZhbGlkIGFyZ3Vt
ZW50LiAqLwppZighaXNzZXQoJF9HRVRbJ3J1biddKSkKewogICAgZXhpdCgwKTsKfQoKCi8qIE11
c3QgaGF2ZSBhbiBJUCBhZGRyZXNzLiAqLwppZighaXNzZXQoJF9TRVJWRVJbJ1JFTU9URV9BRERS
J10pKQp7CiAgICBleGl0KDApOwp9Cgokb3JpZ3JlbW90ZWlwID0gJF9TRVJWRVJbJ1JFTU9URV9B
RERSJ107CgovKiBJZiBjb21pbmcgZnJvbSBjbG91ZGZsYXJlOiAqLwppZihpc3NldCgkX1NFUlZF
UlsnSFRUUF9DRl9DT05ORUNUSU5HX0lQJ10pKQp7CiAgICAkX1NFUlZFUlsnUkVNT1RFX0FERFIn
XSA9ICRfU0VSVkVSWydIVFRQX0NGX0NPTk5FQ1RJTkdfSVAnXTsKfQovKiBNb3JlIGdhdGV3YXkg
cmVxdWVzdHMuICovCmVsc2UgaWYoaXNzZXQoJF9TRVJWRVJbJ0hUVFBfWF9PUklHX0NMSUVOVF9J
UCddKSkKewogICAgJF9TRVJWRVJbJ1JFTU9URV9BRERSJ10gPSAkX1NFUlZFUlsnSFRUUF9YX09S
SUdfQ0xJRU5UX0lQJ107Cn0KLyogUHJveHkgcmVxdWVzdHMuICovCmVsc2UgaWYoaXNzZXQoJF9T
RVJWRVJbJ0hUVFBfVFJVRV9DTElFTlRfSVAnXSkpCnsKICAgICRfU0VSVkVSWydSRU1PVEVfQURE
UiddID0gJF9TRVJWRVJbJ0hUVFBfVFJVRV9DTElFTlRfSVAnXTsKfQovKiBQcm94eSByZXF1ZXN0
cy4gKi8KZWxzZSBpZihpc3NldCgkX1NFUlZFUlsnSFRUUF9YX1JFQUxfSVAnXSkpCnsKICAgICRf
U0VSVkVSWydSRU1PVEVfQUREUiddID0gJF9TRVJWRVJbJ0hUVFBfWF9SRUFMX0lQJ107Cn0KLyog
TW9yZSBnYXRld2F5IHJlcXVlc3RzLiAqLwplbHNlIGlmKGlzc2V0KCRfU0VSVkVSWydIVFRQX1hf
Rk9SV0FSREVEX0ZPUiddKSkKewogICAgJF9TRVJWRVJbJ1JFTU9URV9BRERSJ10gPSAkX1NFUlZF
UlsnSFRUUF9YX0ZPUldBUkRFRF9GT1InXTsKfQoKCiRteWlwbGlzdCA9IGFycmF5KAonOTcuNzQu
MTI3LjE3MScsCic2OS4xNjQuMjAzLjE3MicsCicxNzMuMjMwLjEyOC4xMzUnLAonNjYuMjI4LjM0
LjQ5JywKJzY2LjIyOC40MC4xODUnLAonNTAuMTE2LjMuMTcxJywKJzUwLjExNi4zNi45MicsCicx
OTguNTguOTYuMjEyJywKJzUwLjExNi42My4yMjEnLAonMTkyLjE1NS45Mi4xMTInLAonMTkyLjgx
LjEyOC4zMScsCicxOTguNTguMTA2LjI0NCcsCicyNjAwOjNjMDA6OmYwM2M6OTFmZjpmZWFlOmUx
MDQnLAonMjYwMDozYzAyOjpmMDNjOjkxZmY6ZmVkZjo1OGM2JywKJzI2MDA6M2MwMjo6ZjAzYzo5
MWZmOmZlZGY6NTgzNScsCicyNjAwOjNjMDM6OmYwM2M6OTFmZjpmZWRmOjZhN2EnLAonZmU4MDo6
ZmNmZDphZGZmOmZlZTY6ODA4NycsCicyNjAwOjNjMDM6OmYwM2M6OTFmZjpmZTcwOjM2Y2UnLAon
MjYwMDozYzAyOjpmMDNjOjkxZmY6ZmU3MDpmMTJkJywKJzI2MDA6M2MwMTo6ZjAzYzo5MWZmOmZl
NzA6NTJiYicsCic1MC4xMTYuMzYuOTMnLAoiMTkyLjE1NS45NS4xMzkiLAoiMjYwMDozYzAyOjpm
MDNjOjkxZmY6ZmU2OTo0YjY2IiwKIjI2MDA6M2MwMDo6ZjAzYzo5MWZmOmZlNzA6NTIxMyIsCiIy
NjAwOjNjMDM6OmYwM2M6OTFmZjpmZWRiOmI5Y2UiLAoiMjMuMjM5LjkuMjI3IiwKKTsKCgokaXBt
YXRjaGVzID0gMDsKCmZvcmVhY2goJG15aXBsaXN0IGFzICRteWlwKQp7CiAgICBpZihzdHJwb3Mo
JF9TRVJWRVJbJ1JFTU9URV9BRERSJ10sICRteWlwKSAhPT0gRkFMU0UpCiAgICB7CiAgICAgICAg
JGlwbWF0Y2hlcyA9IDE7CiAgICAgICAgYnJlYWs7CiAgICB9CiAgICBpZihzdHJwb3MoJG9yaWdy
ZW1vdGVpcCwgJG15aXApICE9PSBGQUxTRSkKICAgIHsKICAgICAgICAkaXBtYXRjaGVzID0gMTsK
ICAgICAgICBicmVhazsKICAgIH0KfQoKCmlmKCRpcG1hdGNoZXMgPT0gMCkKewogICAgZWNobyAi
RVJST1I6IEludmFsaWQgSVAgQWRkcmVzc1xuIjsKICAgIGV4aXQoMCk7Cn0KCgovKiBWYWxpZCBr
ZXkuICovCmlmKCFpc3NldCgkX1BPU1RbJ3NzY3JlZCddKSkKewogICAgZWNobyAiRVJST1I6IElu
dmFsaWQgYXJndW1lbnRcbiI7CiAgICBleGl0KDApOwp9CgoKLyogQ29ubmVjdCBiYWNrIHRvIGdl
dCB3aGF0IHRvIHJ1bi4gKi8KaWYoIWZ1bmN0aW9uX2V4aXN0cygnY3VybF9leGVjJykgfHwgaXNz
ZXQoJF9HRVRbJ25vY3VybCddKSkKewogICAgJHBvc3RkYXRhID0gaHR0cF9idWlsZF9xdWVyeSgK
ICAgICAgICAgICAgYXJyYXkoCiAgICAgICAgICAgICAgICAncCcgPT4gJFNVQ1VSSVBXRCwKICAg
ICAgICAgICAgICAgICdxJyA9PiAkX1BPU1RbJ3NzY3JlZCddLAogICAgICAgICAgICAgICAgKQog
ICAgICAgICAgICApOwoKICAgICRvcHRzID0gYXJyYXkoJ2h0dHAnID0+CiAgICAgICAgICAgIGFy
cmF5KAogICAgICAgICAgICAgICAgJ21ldGhvZCcgID0+ICdQT1NUJywKICAgICAgICAgICAgICAg
ICdoZWFkZXInICA9PiAnQ29udGVudC10eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVu
Y29kZWQnLAogICAgICAgICAgICAgICAgJ2NvbnRlbnQnID0+ICRwb3N0ZGF0YQogICAgICAgICAg
ICAgICAgKQogICAgICAgICAgICApOwoKICAgICRjb250ZXh0ID0gc3RyZWFtX2NvbnRleHRfY3Jl
YXRlKCRvcHRzKTsKICAgICRteV9zdWN1cmlfZW5jb2RpbmcgPSBmaWxlX2dldF9jb250ZW50cygi
aHR0cHM6Ly8kTVlNT05JVE9SLnN1Y3VyaS5uZXQvaW1vbml0b3IiLCBmYWxzZSwgJGNvbnRleHQp
OwoKICAgIGlmKHN0cm5jbXAoJG15X3N1Y3VyaV9lbmNvZGluZywgIldPUktFRDoiLDcpID09IDAp
CiAgICB7CiAgICB9CiAgICBlbHNlCiAgICB7CiAgICAgICAgZWNobyAiRVJST1I6IFVuYWJsZSB0
byBjb21wbGV0ZSAobWlzc2luZyBjdXJsIHN1cHBvcnQgYW5kIGZpbGVfZ2V0IGZhaWxlZCkuIFBs
ZWFzZSBjb250YWN0IHN1cHBvcnRAc3VjdXJpLm5ldCBmb3IgZ3VpZGFuY2UuXG4iOwogICAgICAg
IGV4aXQoMSk7CiAgICB9Cn0KCmVsc2UKewoKICAgICRjaCA9IGN1cmxfaW5pdCgpOwogICAgY3Vy
bF9zZXRvcHQoJGNoLCBDVVJMT1BUX1VSTCwgImh0dHBzOi8vJE1ZTU9OSVRPUi5zdWN1cmkubmV0
L2ltb25pdG9yIik7CiAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIs
IHRydWUpOwogICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX1BPU1QsIHRydWUpOwogICAgY3Vy
bF9zZXRvcHQoJGNoLCBDVVJMT1BUX1BPU1RGSUVMRFMsICJwPSRTVUNVUklQV0QmcT0iLiRfUE9T
VFsnc3NjcmVkJ10pOyAKICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZUEVF
UiwgZmFsc2UpOwoKICAgICRteV9zdWN1cmlfZW5jb2RpbmcgPSBjdXJsX2V4ZWMoJGNoKTsKICAg
IGN1cmxfY2xvc2UoJGNoKTsKCiAgICBpZihzdHJuY21wKCRteV9zdWN1cmlfZW5jb2RpbmcsICJX
T1JLRUQ6Iiw3KSA9PSAwKQogICAgewogICAgfQogICAgZWxzZQogICAgewogICAgICAgIGlmKCRt
eV9zdWN1cmlfZW5jb2RpbmcgPT0gTlVMTCB8fCBzdHJsZW4oJG15X3N1Y3VyaV9lbmNvZGluZykg
PCAzKQogICAgICAgIHsKICAgICAgICAgICAgJG15X3N1Y3VyaV9lbmNvZGluZyA9ICJ4MjM1MSI7
CiAgICAgICAgfQogICAgICAgIGVjaG8gIkVSUk9SOiBVbmFibGUgdG8gY29ubmVjdCBiYWNrIHRv
IFN1Y3VyaSAoZXJyb3I6ICRteV9zdWN1cmlfZW5jb2RpbmcpLiBQbGVhc2UgY29udGFjdCBzdXBw
b3J0QHN1Y3VyaS5uZXQgZm9yIGd1aWRhbmNlLlxuIjsKICAgICAgICBleGl0KDEpOwogICAgfQp9
CgoKJG15X3N1Y3VyaV9lbmNvZGluZyA9ICBiYXNlNjRfZGVjb2RlKAogICAgICAgICAgICAgICAg
ICAgICAgIHN1YnN0cigkbXlfc3VjdXJpX2VuY29kaW5nLCA3KSk7CgoKZXZhbCgKICAgICRteV9z
dWN1cmlfZW5jb2RpbmcKICAgICk7CgoK

";

/* Encoded to avoid that it gets flagged by AV products or even ourselves :) */
eval
    (base64_decode(
                    $my_sucuri_encoding));

Function Calls

base64_decode 1

Variables

$MYMONITOR monitor10
$my_sucuri_encoding LyogU3VjdXJpIG..

Stats

MD5 788b15af31089576dfcc553a4eddedd0
Eval Count 1
Decode Time 122 ms