

// Per-site values used further down in the request to support.sucuri.net:
// $SUCURIPWD is sent as the POST field "p", $URL as the "u" query parameter.
// NOTE(review): presumably a site-specific shared secret and a site identifier -- confirm.
// Both are hard-coded in a script that reads $_GET, i.e. one meant to be reachable over
// the web, so any copy of this file discloses the secret; rotate it if a copy has leaked.
$SUCURIPWD="e1ff7a8ef00d7542c03c27dfd3bf4f4d2c5ec81d";
$URL="04d8c0e35f596b5acadcc90235b3a246";
/* Sucuri clean up scripts for sites on shared hosts. 
 * Copyright (C) 2010, 2011, 2012 Sucuri, LLC
 * Do not distribute or share.
 */


// Prints a notice when the xdebug extension is loaded and no `robot` parameter is given.
// NOTE(review): the message says "exiting" but no exit/die follows in this listing, so
// execution continues. The listing comes from a decoder, which may have dropped the
// statement -- confirm against the original file.
if (extension_loaded('xdebug') && !isset($_GET['robot'])) { echo 'debug detected - exiting...';  }

// Open a <pre> block for the plain-text status messages unless one of the *-login
// parameters is present.
// NOTE(review): this check runs before the command-line arguments are copied into $_GET
// below, while the matching check before the closing </pre> at the end of the script runs
// after it; on a command-line run the two can disagree.
if(!isset($_GET['wp-login']) && !isset($_GET['joomla-login']) && !isset($_GET['vbulletin-login']))
{
    echo "<pre>";
}



// No REMOTE_ADDR but a SHELL entry in $_SERVER is treated as a command-line run:
// arguments of the form key=value are joined with '&' and parsed into $_GET, so the rest
// of the script reads them exactly like query-string parameters.
if(!isset($_SERVER['REMOTE_ADDR']) && isset($_SERVER['SHELL']))
{
    parse_str(implode('&', array_slice($argv, 1)), $_GET);
}


// $donew is appended to the request URL further down; passing `oldscript` drops the
// "&donew" suffix.
$donew = "&donew";
if(isset($_GET['oldscript']))
{
    $donew = "";
}

// Unless `srun` is given, delete a fixed list of helper files and this script itself.
// The names are relative, so they resolve against the current working directory; '@'
// hides the warning for files that do not exist.
// NOTE(review): nothing stops the script after the self-delete in this listing, so the
// download and eval() below still run in the same request -- confirm whether the original
// file ends execution here.
if(!isset($_GET['srun']))
{
    @unlink("sucuri-cleanup.php");
    @unlink("sucuri-version-check.php");
    @unlink("sucuri-db-clean.php");
    @unlink("sucuri-db-cleanup.php");
    @unlink("sucuri-filemanager.php");
    @unlink("sucuri-wpdb-clean.php");
    @unlink("sucuri_listcleaned.php");
    @unlink('sucuri-toolbox.php');
    @unlink('sucuri-toolbox-client.php');
    @unlink('googlec55310faa35e04c1.html');
    @unlink(__FILE__);
    
}



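// Fetch the cleanup code from support.sucuri.net and run it.
//
// The request posts the site secret ($SUCURIPWD) and the response is expected to be the
// 7-byte marker "WORKED:" followed by base64-encoded PHP source that is passed to eval().
// Whoever can answer this request therefore gets code execution in this site's PHP
// context, so the server certificate must be verified on both transports and nothing may
// be evaluated unless the marker is present.
$sucuri_sig_url = "https://support.sucuri.net/sig.php?u=$URL$donew";
$sucuri_login_mode = isset($_GET['wp-login']) || isset($_GET['joomla-login']) || isset($_GET['vbulletin-login']);
$sucuri_response_ok = false;

if(!function_exists('curl_exec') || isset($_GET['nocurl']))
{
    // Fallback transport: PHP's https stream wrapper.
    $postdata = "p=$SUCURIPWD";
    $opts = array(
        'http' => array(
            'method'  => 'POST',
            'header'  => 'Content-type: application/x-www-form-urlencoded',
            'content' => $postdata
        ),
        // Stated explicitly so that verification does not depend on the PHP version's
        // defaults or on a php.ini override.
        'ssl' => array(
            'verify_peer'      => true,
            'verify_peer_name' => true
        )
    );

    $context = stream_context_create($opts);
    $my_sucuri_encoding = file_get_contents($sucuri_sig_url, false, $context);

    // file_get_contents() returns false on failure; only a string can carry the marker.
    $sucuri_response_ok = is_string($my_sucuri_encoding)
        && strncmp($my_sucuri_encoding, "WORKED:", 7) === 0;

    if($sucuri_response_ok)
    {
        if(!$sucuri_login_mode)
        {
            echo "OK: Connected to Sucuri (via file_get) and running the cleanup.\n";
        }
    }
    else
    {
        echo "ERROR: Unable to clean (missing curl support and file_get failed). Please escalate ticket for manual review.\n";
    }
}
else
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $sucuri_sig_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "p=$SUCURIPWD");
    // Peer and host-name verification stay on: with verification disabled, anyone on the
    // network path could read the posted secret and substitute the code that is evaluated
    // below. If the host's CA bundle is outdated, fix the bundle instead of turning this off.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    $my_sucuri_encoding = curl_exec($ch);
    curl_close($ch);

    // curl_exec() returns false on transport or TLS failure.
    $sucuri_response_ok = is_string($my_sucuri_encoding)
        && strncmp($my_sucuri_encoding, "WORKED:", 7) === 0;

    if($sucuri_response_ok)
    {
        if(!$sucuri_login_mode)
        {
            echo "OK: Connected to Sucuri and running the cleanup.\n";
        }
    }
    else
    {
        echo "FAILED to run: $my_sucuri_encoding\n";
        echo "ERROR: Unable to clean. Please try to upload the scripts again.\n";
    }
}


if($sucuri_response_ok)
{
    // Strip the "WORKED:" marker and decode the remaining base64 text.
    $my_sucuri_encoding = base64_decode(substr($my_sucuri_encoding, 7));

    // SECURITY: eval() of code received over the network. TLS verification above
    // authenticates the server only; the payload carries no signature of its own in this
    // script. NOTE(review): checking a detached signature against a pinned public key
    // before this call would remove the reliance on transport security alone.
    // The code runs in this scope and can see every variable defined above.
    eval($my_sucuri_encoding);
}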


// Close the <pre> block around the status output, unless the request carries one of the
// *-login parameters (same condition that guards the opening tag at the top of the script).
if (!(isset($_GET['wp-login']) || isset($_GET['joomla-login']) || isset($_GET['vbulletin-login']))) {
    echo "</pre>";
}


