LP-MSH-Scanner/malware3.pl

#!/usr/bin/perl
use strict;
use warnings;
use CGI;
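BEGIN {
    # Install the fatal-error hook inside BEGIN so that it is already active
    # while the remainder of this file is still being compiled.
    $SIG{__DIE__} = sub {
        my $msg = shift;

        # Perl invokes __DIE__ hooks for exceptions raised inside eval too.
        # $^S is true while an eval is executing: the caller means to catch
        # the error, so hand it on untouched (exception objects included)
        # and do not write a 500 response for something that is not fatal.
        CORE::die $msg if $^S;

        print "status: 500\n";
        print "content-type: text/html\n\n";

        # Keep the report on one line: every newline becomes a NUL byte.
        $msg =~ s/\n/\0/g;

        # The body is declared as text/html, so markup characters in the
        # message are turned into entities before it is echoed; the text of
        # a die message is not under this handler's control.
        my %entity_for = (
            '&' => '&amp;',
            '<' => '&lt;',
            '>' => '&gt;',
            '"' => '&quot;',
            "'" => '&#39;',
        );
        ( my $shown = $msg ) =~ s/([&<>"'])/$entity_for{$1}/g;

        # NOTE(review): the full die text (which normally carries file paths
        # and line numbers) is still sent to the client. Consider logging it
        # to STDERR and returning a generic message instead.
        print "error: $shown\n";

        # Re-raise with the single-line form of the message, as before.
        CORE::die $msg;
    };
}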
# Turn on autoflush for the currently selected output handle, so each print
# below is written out immediately instead of waiting in a buffer.
$| = 1;
# CGI request object. Declared with `our`, so it is a package variable rather
# than a file-scoped lexical.
our $q = CGI->new;
# The response header is emitted unconditionally, before any work is done.
# NOTE(review): once this has been sent, the "status: 500" / "content-type"
# lines printed by the __DIE__ handler installed above arrive as body text,
# not as headers, so a run-time failure cannot change the HTTP status.
# Confirm whether output should be held back until the outcome is known.
print "Content-type: text/html\n\n";
my @regexen = (
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
qr/<script.+?G91825.+?<\/script>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;\s+set\_time\_limit\(150\)\;\s+ignore\_user\_abort\(true\)\;\s+ini\_set\(\'max\_execution\_time\'\,150\)\;\s+if\(\$\_SERVER\[\'REQUEST\_METHOD\'\]\=\=\'GET\'\)\{\s+exit\(\'OK\'\)\;\s+\}.+?\$ex\=explode\(\'\:\'\,\$emails\)\;.+?imagedestroy\(\$image\_p\)\;\s+return\s+\$out\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\/Valar\s+dohaeris\s+\$arya\s+\=.+?\$tyrion\s+\=\s+\'as\'\s+\.\s+\'se\'\s+\.\s+\'rt\'\;\s+\$daenerys\s+\=\s+sprintf\(\'\!ev\'\s+\.\s+\'al\(b\'\s+\.\s+\'ase\'\s+\.\s+\'64\'\s+\.\s+\'\_\'\s+\.\s+\'de\'\s+\.\s+\'code\'\s+\.\s+\'\s+\(\"\%s\"\)\)\'\,\s+\$arya\)\;\s+\$tyrion\(stripslashes\(\$daenerys\)\)\;/is,
qr/<\?php\s+eval\(eval\(.+?\)\;\s+eval\(.+?\)\;\"\)\)\;\s+\?>/is,
qr/<\?php.+?\@array\_diff\_ukey.+?\@array\s+\(\(string\)stripslashes\s+\(base64\_decode\s+\(\$\_REQUEST.+?return\s+\$included\s+\=\=\=\s+\$count\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail\(stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\)\;\s+if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php.+?\$wp\_object\_cache\=\'\'\.\'\'\.\'\'\.\'b\'\.\'\'\.\'\'\.\'ase\'\.\'\'\.\(448\/7\)\.\'\'\.\'\'\.\'\_de\'\.\'\'\.\'c\'\.\'\'\.\'\'\.\'od\'\.\'\'\.\'e\'\;\s+\$object\_cache\s+\=\s+\"as\"\;\s+\$object\_cache\s+\.\=\s+\"sert\"\;\s+\@\$object\_cache\(\$wp\_object\_cache\(.+?\$this\->cache\_misses\s+\=\&\s+\$this\->stats\[\'add\'\]\;\s+\}\s+\}\*\/\s+\?>/is,
qr/<\?php\s+\session_start\(\)\;\s+ob\_start\(\"ob\_gzhandler\"\)\;\s+set\_time\_limit\(0\)\;\s+if\(isset\(\$\_GET\[\"x\"\]\)\)\{echo\"\<font\s+color\=\#000000\>\[uname\]\"\.php\_uname\(\)\..+?Go\s+Xsender\'\s+name\=\'go\'\s+style\=\'color\:\#FFF\;background\:\#333\;\'\/>\s+<\/div>\s+<p>\&nbsp\;<\/p>\s+<\/form>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\/\s+Preventing\s+a\s+directory\s+listing\s+if\(\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\"\/\"\s+\.\s+implode\(\"\|\"\,\s+\$userAgents\)\s+\.\s+\"\/i\"\,\s+\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;exit\;\s+}\s+\}\s+if\s+\(isset\(\$\_GET\[str\_rot13\(pack\(\"H\*\"\,\s+\"([A-z0-9]{1,20})\"\)\)\]\)\)\s+\{\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?\)\)\;\}/is,
qr/<\?php\s+extract\(\$\_POST\,\s+1\)\;\s+strripos\(\@sha1\(\$shall\)\,\s+\"([A-z0-9]{1,10})\"\)\s+\=\=\s+32\s+\&\&\s+\@\$not\(stripslashes\(\$pass\)\)\;/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;\s+ini\_set\(\"display\_errors\"\,\s+0\)\;\s+if\s+\(\!isset\(\$\_POST\[\'url\'\]\)\s+\&\&\s+\!isset\(\$\_POST\[\'timeout\']\)\)\s+\{header\(\'HTTP\/1\.1\s+404\s+Not\s+Found\'\)\;echo\s+\'<title>404\s+\-\s+File\s+Not\s+Found<\/title><h1>404\s+\-\s+File\s+Not\s+Found<\/h1>\'\;exit\;\}.+?\}else\{\s+\$curl\_loops\=0\;\s+return\s+\$data\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$mf\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\'\/wp\-includes\/images\/media\/null\.jpg\'\;if\s+\(file\_exists\(\$mf\)\)\{include\(\$mf\)\;\}\?>/is,
qr/<title>Hacked\s+by\s+1337\s+h\@x0r\s+&\s+Xyb3r\s+D3vil<\/title>.+?<br><span>\.\/logout\.<\/span><\/br>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=.+?\)\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is,
qr/<html>\s+<head>.+?print\s+\'<h1>\#p\@\$c\@\#<\/h1>\'\;\s+echo\s+\"Your\s+IP\:\s+\"\;\s+\/\*\_\*\/.+?\/\*\_\*\/\s+\$var1\s+\=\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\s+touch\(\s+\$var1\s+\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\s+PHP\s+Encode\s+by\s+http\:\/\/Www\.PHPJiaMi\.Com\/\s+\*\/.+?\{define\(\'([A-z0-9]{1,10})\'\,\_\_FILE\_\_\)\;if\s+\(function\_exists\(.+?\;/is,
qr/<\?php\s+\@\'\$\s+x1\=([A-z0-9]{1,10})\s+x2\=([A-z0-9]{1,10})\s+x3\=index\.php.+?x4\=.+?\$OOO0OOOO00O\=explode\(.+?\/\/\*\/\?>/is,
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+1\)\;\s+if\(isset\(\$\_GET\[\'use\'\]\)\s+\&\&\s+\$\_GET\[\'use\'\]\s+\=\=\s+\'2\'\)\s+define\(\'USEFUNCTION\'\,2\)\;\s+else\s+define\(\'USEFUNCTION\'\,1\)\;\s+if\(isset\(\$\_GET\[\'check\'\]\)\)\{\s+\$file\[\]\s+\=\s+\'id0\.php\'\;.+?\}elseif\(USEFUNCTION\s+\=\=\s+2\)\{\s+\$data\s+\=\s+\@file\_get\_contents\(\$url\)\;\s+\}\s+return\s+\$data\;\s+\}/is,
qr/<\?php.+?\$general\_template\=\'\'\.\'\'\.\'\'\.\'b\'\.\'\'\.\'\'\.\'ase\'\.\'\'\.\(37\+27\)\.\'\'\.\'\'\.\'\_de\'\.\'\'\.\'\c\'\.\'\'\.\'\'\.\'od\'\.\'\'\.\'e\'\;\s+\$generalWPtemplate\s+\=\s+\"as\"\;\s+\$generalWPtemplate\s+\.\=\s+\"sert\"\;\s+\@\$generalWPtemplate\(\$general\_template\(.+?\?>/is,
qr/<\?php\s+error\_reporting\(E\_ALL\)\;\s+ini\_set\(\'display\_errors\'\,\s+\'1\'\)\;\s+\/\/set\_time\_limit\(0\)\;\s+\$remoteUrl\=\".+?\$currentUrl\=GetLocationHome\(\)\;\s+\$queryStr\=\$\_SERVER\[\'QUERY\_STRING\'\]\;\s+if\(strpos\(\$queryStr\,\"google\"\)\!\=\=false\).+?return\s+substr\_replace\(\$haystack\,\s+\$replace\,\s+\$pos\,\s+strlen\(\$needle\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\(\$zad\=\s+\$\_POST\[\'ice\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'@\'\.base64\_decode\(\"ZXZhbA\=\=\"\)\.\'\(\$zad\)\'\,\s+\'add\'\)\;\?>/is,
qr/<\?php\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\$([A-z0-9]{1,10})\=\"wp\_([A-z0-9]{1,10})\"\;if\(\!empty\(\$\_REQUEST\[\$([A-z0-9]{1,10})\]\)\)\{\$([A-z0-9]{1,10})\=\"([A-z0-9]{1,10})\"\.\/\*\;\$([A-z0-9]{1,10})\=\*\/\"([A-z0-9]{1,10})\"\;\@\$([A-z0-9]{1,10})\(stripslashes\(\$\_REQUEST\[\$([A-z0-9]{1,10})\]\)\)\;\}else\@unlink\(\_\_FILE\_\_\);\s+\/\/([A-z0-9]{1,32})\s+\?>/is,
qr/<\?php\s+\$a\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+eval\(gzinflate\(\$a\(.+?\=\=\'\)\)\)\;/is,
qr/<\?php.+?\_create\_initial\_settings\(\)\;\s+\$user\_agents\_to\_filter\s+\=\s+array\(\s+\'\#google\#i\'\s+\)\;.+?return\s+FALSE\;\s+\}\s+\}\s+\}\s+\}/is,
qr/<\?php\s+if\s+\(\!isset\(\$\_COOKIE\[\'([A-z0-9]{1,32})\'\]\)\)\s+\{header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;exit\;\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$hash\s+\=\s+\"([A-z0-9]{1,32})\"\;\s+\$search\s+\=\s+\'\'\;\s+\$wp\_file\_descriptions\s+\=\s+array\(.+?\/\/\s+Deprecated\s+files\s+\'md5\_check\.php\'\s+\=>.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+\)\.\(\[a\-z\-\@\]\+\)\.\(\[a\-z\]\+\)\/.+?\$2\(\$3\(urldecode\(\'\$1\'\)\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is,
qr/<\?php\s+\/\/([A-z0-9]{1,10})\s+if\(\!extension\_loaded\(\'ionCube\s+Loader\'\)\)\{\$\_\_oc\=strtolower\(substr\(php\_uname\(\)\,0\,3\)\)\;\s+\}\s+function\s+encode\(\$str\,\s+\$p\s+\,\$s\)\s+\{\s+\$G\s+\=\s+\'\'\;\s+while\s+\(strlen\(\$G\)<\$l\=strlen\(\$str\)\)\{\s+\$p\s+\=\s+pack\(\"H\*\"\,sha1\(\$G\.\$p\.\$s\)\)\;\s+\$G\.\=substr\(\$p\,0\,100\)\;\s+\}\s+return\s+\$str\^\$G\;\s+\}\s+\$acces\s+\=\s+\$\_SESSION\[\"pass\"\]\;\s+\$c\s+\=\s+base64\_decode\(\$acces\)\;\s+\$c\=\@split\(\"\-\"\,\$c\)\;\s+\$x\s+\=.+?\@preg\_replace\(.+?\)\"\,\"\"\)\;/is,
qr/<\?php\s+header\(\"Content\-type\:text\/html\;charset\=utf\-8\"\)\;\s+\$pagecode\s+\=\s+trim\(\$\_REQUEST\[\"PageCode\"\]\).+?\$script\_url\s+\=\s+"http\:\/\/\"\.\$host\.\$script\_name\;.+?echo\s+\$cnt\;\s+\}\s+\?>/is,
qr/<\?php\s+\$a\s+\=.+?\.\/\*1\*\/.+?\.\/\*1\*\/.+?\$c\s+\=.+?\.\/\*1\*\/.+?\/\*1\*\/\..+?\$b\s+\=.+?\$a.+?\,\$c\(\$b\).+?\)\)\;/is,
qr/<\?php\s+\$m\=.+?\)\;\$m\=\$m\(\$\_REQUEST\[.+?\]\)\;\@file\_put\_contents\(.+?\,\"<\?php\s+\"\.\$m\)\;\@include\(.+?\)\;\@unlink\(.+?\)\;/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{\s+echo\s+\"true\"\;\s+\}else\{\s+function\s+smtpmail\(.+?if\s+\(\$return\s+\=\=\s+true\)\s+\{echo\s+\"true\"\;\}else\{echo\s+\"false\"\;\}\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+Wordpress\s+Support.+?\$OOO000000\=urldecode\(.+?global\s+\$OOO000000\,\$GLOBALS\,\$OOO0O0O00\,\$OO00O0000\;\'\.\$GLOBALS\[\'OOO0000O0\'\]\(.+?\(\)\;return\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,10})\'\]\)\)\)\;.+?if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,10})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,10})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(\s+\'\#Ask.+?if\(\s+FALSE\s+\!\=\=\s+strpos\(\s+gethostbyaddr\(\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\,\s+\'google\'\)\)\s+\{\s+\$isbot\s+\=\s+1\;\s+\}\s+if\(\@\$isbot\)\{.+?curl\_close\s+\(\$ch\)\;\s+echo\s+\$result\;\s+\}\s+\?>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;set\_time\_limit\(150\)\;ignore\_user\_abort\(true\)\;.+?print\s+\'\*send\:ok\*\'\;\s+exit\;.+?imagedestroy\(\$image\_p\)\;return\s+\$out\;\}\s+?>/is,
qr/<script>var\s+a\=\'\'\;setTimeout.+?getCookie\(\"\_\_cfgoid\"\)\&\&\(setCookie\(\"\_\_cfgoid.+?\)\)\)\;<\/script>/is,
qr/<\?php.+?\@ini\_set\(\'display\_errors\'\,\'off\'\).+?\@ini\_set\(\'upload\_max\_filesize\'\,\'1000000\'\)\;.+?\$http\_report\s+\=\s+strtolower.+?<\/script><\/noindex><\/nofollow>\'\;\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;ini\_set\(\"display\_errors\"\,\s+0\)\;include\_once\(sys\_get\_temp\_dir\(\)\.\"\/SESS\_([A-z0-9]{1,32})\"\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?define\(\'VERSION\'\,\s+1\.0\)\;.+?define\(\'TIMEOUT\'\,\s+30\)\;.+?static\s+function\s+\_\(\$key\)\{\s+return\s+self\:\:\$loca\[\$key\]\[self\:\:\$lang\]\;\s+\}\s+\}/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+if\s+\(\$\_GET\[\'q\'\]\=\=\'1\'\)\{echo\s+\'200\'\;\s+exit\;\}\s+if\(\$\_GET\[\'key\'\]\=\=\'([A-z0-9]{1,100})\'\)eval\(base64\_decode\(\$\_POST\[\'fack\'\]\)\)\;\s+if\(md5\(\$\_GET\[\'key\'\]\)\=\=\'([A-z0-9]{1,32})\'\)eval\(base64\_decode\(\$\_POST\[\'fack\'\]\)\)\;\s+\?>/is,
qr/<\?php.+?SoftNews.+?API\s+ENGINE.+?\)\)\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=.+?\@\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\)\)\)\;\?>/is,
qr/<IfModule\s+mod\_rewrite\.c>\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+\[OR\]\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+RewriteRule\s+\^\.\*\$\s+index\.php\s+\[L\]\s+<\/IfModule>/is,
qr/error\_reporting\(0\)\;\s+if\(md5\(\$\_COOKIE\[\'([A-z0-9]{1,10})\'\]\)\=\=\'([A-z0-9]{1,32})\'\)\{\s+\$wplicense\s+\=\s+\@file\_get\_contents\(\'http\:\/\/.+?\/license\.txt\'\)\;\s+\$lic\s+\=\s+create\_function\(\'\'\,\$wplicense\)\;
\s+\$lic\(\)\;\s+\}\s+elseif\(md5\(\$\_COOKIE\[\'([A-z0-9]{1,10})\'\]\)\=\=\'([A-z0-9]{1,32})\'\)\{\s+\$wplicense\s+\=\s+\@file\_get\_contents\(\'http\:\/\/.+?\/license\.txt\'\)\;\s+\$lic\s+\=\s+create\_function\(\'\'\,\$wplicense\)\;\s+\$lic\(\)\;\s+\}\s+else\s+\{/is,
qr/<\?php\s+\/\*\s+copyright\s+\*\/\s+\$\{.+?\]\}\)\;exit\;\}\}\s+\/\*\s+copyright\s+\*\/\s+\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,50})\(\$([A-z0-9]{1,30})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,30})\)\{return\s+str\_replace\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,10})\)\;\}\s+function\s+([A-z0-9]{1,30})\(\$([A-z0-9]{1,20})\,.+?\)\{return\s+str\_replace\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20})\s+\=.+?\=\=\'\)\;\?>/is,
qr/<\?php\s+\$bm\_\_\_\_\_s\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(.+?\$bm\_\_\_\_\_s.+?\)\;\"\)\s+\?>/is,
qr/<\?php\s+\/\/\s+Preventing\s+a\s+directory\s+listing\s+if\(\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,.+?if\s+\(isset\(\$\_GET\[str\_rot13\(pack\(.+?\)\)\]\)\)\s+\{\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?\;eval\(base64\_decode\(.+?\)\)\;\}/is,
qr/<\?PHP\s+if\(isset\(\$\_REQUEST\[\"info\"\]\)\)\s+\{eval\(stripslashes\(\$\_REQUEST\[\"info\"\]\)\)\;die\(\)\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\s+\$\_REQUEST\[\"array\"\]\s+\)\s+\{\s+\@assert\(base64\_decode\(\$\_REQUEST\[\"array\"\]\)\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\(\)\;\s+\}\s+\$auth\_pass.+?\?><\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*.+?\*\/\s+if\(isset\(\$\_POST\[\"mailto\"\]\)\)\s+\$MailTo\s+\=\s+base64\_decode\(\$\_POST\[\"mailto\"\]\)\;.+?echo\s+\"sent\_error\"\;\s+\?>/is,
qr/<\?php\s+if\s+\(\s+\$\_REQUEST\[\"array\"\]\s+\)\s+\{\s+\@assert\(base64\_decode\(\$\_REQUEST\[\"array\"\]\)\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\(\)\;\s+\}\s+\$.+?\)\;/is,
qr/<\?php\s+\/\*\s+Copyright\s+\&>\/dev\/null\s+\*\/\s+\$config\s+\=\s+array\(\s+\"version\"\s+\=>.+?\,\s+\/\*\s+build\s+version\.\s+\*\/.+?\(\)\;\s+\?>/is,
qr/<\?php\s+print\'<form\s+enctype\=multipart\/form\-data\s+method\=post><input\s+name\=uf\s+type\=file><input\s+type\=submit\s+name\=g>\s+<\/form>\'\;if\(isset\(\$\_POST\[\'g\'\]\)\)\{if\(is\_uploaded\_file\(\$\_FILES\[\'uf\'\]\[\'tmp\_name\'\]\)\)\{\@copy\(\$\_FILES\[\'uf\'\]\[\'tmp\_name\'\]\,\$\_FILES\[\'uf\'\]\[\'name\'\]\)\;\}\}exit\;\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10})\=gzinflate\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;\s+for\(\$i\=0\;\$i<strlen\(\$([A-z0-9]{1,10})\)\;\$\i\+\+\)\s+\{\s+\$([A-z0-9]{1,10})\[\$i\]\s+\=\s+chr\(ord\(\$([A-z0-9]{1,10})\[\$i\]\)\-1\)\;\s+\}\s+return\s+\$([A-z0-9]{1,10})\;\s+\}eval\(([A-z0-9]{1,10})\(.+?\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"b\"\.\"\"\.\"a\"\.\"se\"\.\"\"\.\"\"\.\"6\"\.\"\"\.\"4\"\.\"\_d\"\.\"e\"\.\"co\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$([A-z0-9]{1,10})\(.+?\)\)\;\s+\?>/is,
qr/\#\!\/bin\/bash\s+\-i\s+\#\s+password\=\"123456\"\s+function\s+cgi\_get\_POST\_vars\(\).+?\|\s+base64\s+\-d/is,
qr/<\/textarea><\/td><\/tr><tr><td>.+?if\(\$d0mains\)\{\@mkdir\(\"k2\"\,0777\)\;\@chdir\(\"k2\"\)\;\@exe\(\"ln\s+\-s\s+\/\s+root\"\).+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$info\)\)\)\)\)\)\;\s+\?><\/div><\/body><\/html>/is,
qr/<html>\s+<head>.+?echo\s+\"D00D\:\s+\"\;\s+echo\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\;.+?\$var1\s+\=\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\s+touch\(\s+\$var1\s+\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+ini\_set\(\'memory\_limit\'\,\s+\'250M\'\)\;\s+ignore\_user\_abort\(true\)\;\s+set\_time\_limit\(15000\);.+?\$files\_to\_edit\s+\=\s+array\(\s+\'\*\/footer\.php\'\,.+?\'\*\/templates\/\*\/index\.php\'\,\s+\)\;\s+\/\*\s+end\.config\s+\*\/.+?\/\*\s+\end\.functions\s+\*\/\s+\?>/is,
qr/<\?php\s+\$version\s+\=\s+\"PHP\s+Agent\s+Version\s+1\.38\s+\(c\).+?\@fputs\(\$w\_file\,\@base64\_decode\(\$text\)\)\;.+?echo\s+\'\_\_STOP\_\_.+?\_\_STOP\_\_\'\;\s+\die\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\*\/\s+\/\/\s+Do\s+not\s+allow\s+direct\s+access\s+\$https\_in\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$([A-z0-9]{1,10})\=.+?\)\;\s+\?>/is,
qr/<\?php\s+\$domains\s+\=\s+array\(\'.+?\$domain\s+\=\s+\$domains\[array\_rand\(\$domains\,\s+1\)\]\;.+?\$\_SERVER\[\'QUERY\_STRING\'\]\,\s+\$domain\)\s+\:\s+sprintf\(\"http\:\/\/\%s\"\,\s+\$domain\)\;\s+header\(\"Location\:\s+\$url\"\)\;\s+\?>/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$O\_\_OO0\_00O\=\'([A-z0-9]{1,30})\'\;.+?\$O\_\_0OO\_00O\)\;exit\(\)\;\}\'\)\;\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\$\_COOKIE\;\s+\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\;\s+if\(\$([A-z0-9]{1,10})\)\{\s+\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\)\;\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\)\;\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\(\"\"\,\$([A-z0-9]{1,10})\)\;\$([A-z0-9]{1,10})\(\)\;\s+\}/is,
qr/<\?php\s+\/\*.+?\*\/extract\(\$\_COOKIE\)\;\/\*.+?\*\/\@\$F\&\&\@\$F\(\$A\,\$B\)\;\/\*.+?\*\//is,
qr/<\?php\s+\$ver\s+\=\s+\'abcdefghijklmnopqrstuvwxyz\'\;\s+\$check\s+\=\s+\$ver\{.+?\$g\_\_\_g\_\s+\=\s+\$ver\{\}\s+\.\s+\(16\*4\)\s+\.\s+\'\_\'\s+\.\s+\$ver\{.+?\}\;\$g\_\_\_g\_\=\$g\_\_\_g\_\(\$check\(array\(.+?<\/form>/is,
qr/<\?php\s+echo\s+\"<html><head>\s+<style>.+?echo\s+PHP\_OS\;\s+if\(strtoupper\(substr\(PHP\_OS\,\s+0\,\s+3\)\s+\)\s+\=\=\s+\"WIN\"\).+?\$home\_cwd\s+\=\s+\@getcwd\(\).+?echo\s+\"<\/body><\/html>\"\;/is,
qr/<\?php\s+\function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$i\+\+\)\{\$q\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$.+?eval\(([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\?>/is,
qr/<\?php\s+\error\_reporting\(0\)\;\s+ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\$ini\_val\s+\=\s+ini\_get\(\'upload\_tmp\_dir\'\)\;\s+\$upload\_tmp\_dir\s+\=\s+\$ini\_val\s+\?\s+\$ini\_val\s+\:\s+sys\_get\_temp\_dir\(\)\;\s+\$check\_file\s+\=\s+\$upload\_tmp\_dir\.\'\/sess\_([A-z0-9]{32})\'\;.+?\'\;\s+\}/is,
qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\">\s+<head>\s+<meta\s+charset\=\"UTF\-8\">\s+<title>Document<\/title>\s+<\/head>\s+<body>\s+<\?php\s+\function\s+randomString\(\$lenght\s+\=\s+20\)\s+\{.+?exit\(\"NOTPOST\"\)\;\s+\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\s+Sandy\s+2013\s+\-\s+Best\s+Email\s+Marketing\s+Tool\s+\*\/.+?flush\(\)\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$str1\=\"define\(.+?\)\"\;\s+\$str2\=\"define\(.+?\)\"\;\s+\$strDefault\s+\=\s+file\_get\_contents\(\"default\.php\"\)\;\s+\$strDefault\s+\=\s+str\_replace\(\$str1\,\s+\$str2\,\s+\$strDefault\)\;file\_put\_contents\(\"default\.php\"\,\$strDefault\)\;\s+echo\s+\"ok\!\"\;\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_([A-z0-9]{32})\'\)\)\s+\{\s+define\(\'ALREADY\_RUN\_([A-z0-9]{32})\'\,\s+1\)\;\s+function\s+([A-z0-9]{1,20})\(\$.+?\$([A-z0-9]{1,20})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20})\s+\=.+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}/is,
qr/<\?php\s+eval\(\$\_POST\[1\]\)\;\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+Plugin\s+Name\:\s+Login\s+Wall.+?if\(\$\_GET\[\"login\"\]\=\=\"cmd\"\)\{if\(\$\_POST\[\'pass\'\]\=\=\'\'\)\{echo\(\'\->\|OK\|\-<\'\)\;exit\(\)\;\}eval\(\$\_POST\[\'pass\'\]\)\;exit\(\)\;\}\s+add\_action\(\'plugins\_loaded\'\,\s+\'fs\_session\_check\'\,\s+0\)\;\s+add\_action\(\'login\_form\'\,\'fs\_login\_session\'\)\;\s+\}/is,
qr/<\?php\s+\/\*domain.+?domain\*\/\s+include\_once\s+\'.+?\'\;\s+\$white\_countries\s+\=\s+array\(.+?\)\;.+?\$enc\_id\s+\=\s+\@base64\_encode\(\$\_GET\[\'id\'\]\)\;.+?window\[\_([A-z0-9]{1,10})\[([0-9]{1,10})\]\]\[\_([A-z0-9]{1,10})\[([0-9]{1,10})\]\]\(\_([A-z0-9]{1,10})\[([0-9]{1,10})\]\)\;\s+\<\/script>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\set\_time\_limit\(0\)\;\s+DEFINE\(\'ONLY\_SEARCH\'\,s+false\)\;.+?\$GLOBALS\[\'stopkey\'\]\s+\=\s+Array\(\'upload\'.+?Array\(\'file\'\s+\=>\s+\'wp\-config\.php\'.+?unlink\(\$file\)\;\s+\}\s+\}/is,
qr/<\?php\s+\/\/Valar\s+dohaeris\s+\$arya\s+=.+?\;\s+\$tyrions+\=\s+\'as\'\s+\.\s+\'se\'\s+\.\s+\'rt\'\;\s+\$daenerys\s+\=\s+sprintf\(\'\!ev\'\s+\.\s+\'al\(b\'\s+\.\s+\'ase\'\s+\.\s+\'64\'\s+\.\s+\'\_\'\s+\.\s+\'de\'\s+\.\s+\'code\'\s+\.\s+\'\s+\(\"\%s\"\)\)\'\,\s+\$arya\)\;\s+\$tyrion\(stripslashes\(\$daenerys\)\)\;/is,
qr/<\?php\s+\/\*\s+Obfuscation\s+provided\s+by\s+FOPO.+?Checksum\:\s+ac062a934f16e2a43f8cb2c33b59a8c5f47370ba\s+\*\/\s+\$([A-z0-9]{1,20})\=.+?\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$t([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\?php\s+\/\/\$dir\s+\->.+?\$chmod\->.+?0777\s+function\s+recurDir\(\$dir\,\$chmod\=\'\'\)\s+\{.+?closedir\(\$handle6\)\;\s+\}\s+\}\s+\recurDir\(\'\.\'\,0777\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\;global\$([A-z0-9]{1,10})\;\$([A-z0-9]{1,10})\=\$GLOBALS\;\$([A-z0-9]{1,10})\[\'([A-z0-9]{1,10})\'\]\=.+?\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+\$c\=\'contents\'\;\$s\=\'contents\'\;\$b\=\'file\'\;\$c\=\$b\.\'\_get\_\'\.\$c\;\$m\=\"bas\"\.\"e64\"\.\"\_d\"\.\"e\"\.\"co\"\.\"de\"\;\$m\=\$m\(\$\_POST\[\'m\'\]\)\;\s+\$n\=\$b\.\'\_put\_\'\.\$s\;\s+\$n\(\'a\'\,\'<\?php\s+\'\.\$m\)\;\$m\=\'a\'\;include\(\$m\)\;unlink\(\$m\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\s+\{\$([A-z0-9]{1,20})\s+\=\s+\"\"\;global\s+\$([A-z0-9]{1,20})\;\s+for\(\$([A-z0-9]{1,20})\=intval\(\'([A-z0-9]{1,20})\'\)\;\s+\$([A-z0-9]{1,20})\<strlen\(\$([A-z0-9]{1,10})\)\;.+?exit\(\$\{([A-z0-9]{1,10})\(.+?\)([A-z0-9]{1,10})\"\)\}\)\;\s+\}/is,
qr/<\?php\s+\$\{.+?\}\[\'([A-z0-9]{1,10})\'\]\s+\=.+?\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\.\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\.\$GLOBALS\[.+?elseif\s+\(\$([A-z0-9]{1,10})\[\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\]\s+\=\=\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\)\s+\{\s+eval\(\$([A-z0-9]{1,10})\[\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\]\)\;\s+\}\s+exit\(\)\;\s+\}/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\;global\$([A-z0-9]{1,10})\;\$([A-z0-9]{1,10})\=\$GLOBALS\;\$\{.+?\}\[\'([A-z0-9]{1,10})\'\]\=.+?\{eval\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'da\'\]\)\)\s+\{\s+file\_put\_contents\(\'options\.php\'\,\s+base64\_decode\(\$\_POST\[\'da\'\]\)\,\s+LOCK\_EX\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+<\!\-\-\s+Begin\s+WordPress\s+Cache\s+\(DO\s+NOT\s+MODIFY\)\s+\-\->\s+\*\/\/\*\s+<\!\-\-\s+End\s+WordPress\s+Cache\s+\-\->\s+\*\/\s+\?>/is,
qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is,
qr/<\?\$tds\=\"http\:\/\/google\.com\/t\/TDS\.post\.php\".+?echo\'\)\{echo\s+\$x\;\}\?>/is,
qr/<\?php\s+\$DEBUG\_MODE\=false\;.+?\$code\_inject\_link\s+\=\s+\'\'\;.+?echo\s+\"Not\s+all\s+data\s+written\:\s+\"\.\$file\.\"<br>\"\;\s+\}\s+\}\s+\}\s+\}/is,
qr/<\?php\s+\$p49\=.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\}\s+return\s+\$([A-z0-9]{1,10})\;\s+\}/is,
qr/<\?php\s+\$default\_use\_ajax\s+\=\s+true\;\$default\_action\s+\=.+?preg\_replace\(\$locor.+?\)\;\?>/is,
qr/<\?php\s+preg\_replace\(\"\/\.\*\/e\"\,.+?\,\"\"\)\;\s+\?>/is,
qr/<\?php.+?array\(.+?strrev\(\'edoc\'\.\'ed\_4\'\.\'6\'\.\'es\'\.\'ab\'\)\.+?strrev\(\'e\'\.\'tal\'\.\'fn\'\.\'iz\'\.\'g\'\)\;eval\(\.+?\(implode\(\'\'\,\.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+\_.+?\(\$i\)\{\$a\=Array\(.+?\=array\(filemtime\(\_\_FILE\_\_\)\,filemtime\(dirname\(\_\_FILE\_\_\)\)\).+?return\s+round\(0\+0\.25\+0\.25\+0\.25\+0\.25\)\;\}\s+\?>/is,
qr/<\?php\s+\$code\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(.+?\"\$code.+?\"\)\;\"\)\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'output\_buffering\'\,0\)\;\s+\@ini\_set\(\'display\_errors\'\,0\)\;\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{1,32})\"\;\s+\$interception\=\s+file\_get\_contents\(\'http\:\/\/pastebin\.com\/raw\/([A-z0-9]{1,32})\'\)\;\s+eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$interception\)\)\)\)\)\)\;\s+\?>/is,
qr/<html><head>\s+<title>PhantomGhost<\/title>.+?PhantomGhost<\/b><\/center>/is,
qr/<\?php\s+function\s+auto\(\$url\)\{\s+\$data\s+\=\s+curl\_init\(\)\;.+?Mr\.3RR0R\s+<\/span>\'\)\;\s+\}\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\'rVqJctp.+?Dw\=\=\'\)\)\);/is,
qr/<\?\s+\$auth\_pass\s+\=\s+\".+?\"\;.+?\)\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\=\$\_COOKIE\;\s+\$([A-z0-9]{1,32})\=\$([A-z0-9]{1,32})\[([A-z0-9]{1,32})\]\;\s+if\(\$([A-z0-9]{1,32})\)\{\s+\$([A-z0-9]{1,32})\=\$([A-z0-9]{1,32})\(\$ ([A-z0-9]{1,32})\[([A-z0-9]{1,32})\]\)\;\$([A-z0-9]{1,32})\=\$([A-z0-9]{1,32})\(\$([A-z0-9]{1,32})\[([A-z0-9]{1,32})\]\)\;\$([A-z0-9]{1,32})\=\$([A-z0-9]{1,32})\(\"\"\,\$([A-z0-9]{1,32})\)\;\$([A-z0-9]{1,32})\(\)\;\s+\}/is,
qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,32})\'\]\)\;\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,32})\'\]\,\"([A-z0-9]{1,10})\"\)\;\s+\?>/is,
qr/<\?php.+?\=\'b\'\.\'ase6\'\.\'4\_deco\'\.\'de\'\;eval\(\$.+?\)\)\;\s+\?>/is,
qr/<u\s+style\=\"position\:\s+absolute\;.+?top\:\s+\-([0-9]{1,9})px\;\s+left\:\s+\-([0-9]{1,9})px\;\s+overflow\:\s+hidden\;\">.+?<\a>.+?<\/div>/is,
qr/<\?xml\s+version\=\"1\.0\"\s+encoding\=\"utf\-8\"\?>.+?<title>World\s+Wide\s+Web\s+Consortium<\/title>.+?<\/body>\s+<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\s+\=.+?\@error\_reporting\(0\).+?for\(\$([A-z0-9]{1,32})\=0.+?\(sizeof\(\$([A-z0-9]{1,10})\)\/2\)\;\$([A-z0-9]{1,32})\+\+\).+?\-1\;\s+\?>/is,
qr/<div\s+style\=\"overflow\:\s+hidden\;height\:\s+0\;width\:\s+0\;\">.+?<\/a>.+?<\/u>/is,
qr/<u\s+style\=\"position\:\s+absolute.+?top\:\s+\-1000px\;\s+left\:\s+\-9999px\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/u>/is,
qr/<u\s+style\=\"display\:\s+block\;overflow\:\s+hidden\;height\:\s+0\;width\:\s+1\;\"><u>.+?<\/a>.+?<\/u>/is,
qr/<u\s+style\=\"position\:\s+absolute\;\s+height\:\s+0px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-9999px\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/u>/is,
qr/<div\s+style\=\"position\:\s+absolute.+?top\:\s+\-([0-9]{1,9})px\;\s+left\:\s+\-([0-9]{1,9})px\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/div>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+height\:\s+1px\;\s+margin\:\s+1\;\s+top\:\s+\-([0-9]{1,9})px\;\s+left\:\s+\-([0-9]{1,9})px\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/div>/is,
qr/<div\s+style\=\"left\:\s+\-5000px\;position\:\s+absolute\;\">.+?<\/a>.+?<\/div>/is,
qr/<\?xml\s+version\=\"1\.0\"\s+encoding\=\"utf\-8\"\?>.+?<title>World\s+Wide\s+Web\s+Consortium<\/title>.+?<\/u>\s+<\/body>\s+<\/html>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+1\.0\;\s+height\:\s+1\.0\;\s+width\:\s+1\.0\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/div>/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\s+\=.+?\)\{return\s+chr\(ord\(\$n\)\-1\)\;\}\s+\@error\_reporting\(0\).+?\(\$\_SERVER\[.+?\]\)\)\)\)\s+\{\s+\$GLOBALS\[.+?GLOBALS\[.+?\)\]\)\;\s+if\s+\(\!function\_exists\(.+?\=\s+explode\(chr\(\(.+?\$([A-z0-9]{1,32})\-1\;\s+\?>/is,
qr/<\?php\s+assert\_options\(ASSERT\_WARNING\,0\)\;\s+\$\_\_\_\=.+?function\s+hex2ascii\(\$p\)\{\$r\=\'\'\;for\(\$i\=0\;\$i<strLen\(\$p\)\;\$i\+\=2\)\{\$r\.\=chr\(hexdec\(\$p\[\$i\]\.\$p\[\$i\+1\]\)\)\;\}return\s+\$r\;\}\s+\$\_\_\=hex2ascii\(\$\_\_\_\)\;\s+\$X\=\"\$\_\_\"\;\s+\$A\=\'e\'\.\'.+?\.\'v\'\.\'a\'\.\'l\'\.\'\(\$X\)\'\;\s+assert\(\$A\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\s+\=\s+\"\)\..+?\;([A-z0-9]{1,9})\_([A-z0-9]{1,9})\"\;\$([A-z0-9]{1,9})\s+\=\s+\$([A-z0-9]{1,32})\[([0-9]{1,3})\]\.\$.+?\.\"\"\;\$([A-z0-9]{1,32})\s+\=\s+\$([A-z0-9]{1,32})\.\"\'.+?\$([A-z0-9]{1,32})\s+\,\"([0-9]{1,9})\"\)\;/is,
qr/<\?php\s+\$templatepath\=\"templates\"\;.+?if\s+\(\!strpos\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\,\s+\"Googlebot\"\)\=\=\=false.+?function\s+generateCharSequence\(\$length\).+?return\s+\$sequence\;\s+\}\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+\'0\'\)\;.+?function\s+get\_data\_yo\(\$url\)\s+\{.+?\$crawlers\s+\=\s+\'\/google\|bot\|crawl\|slurp\|spider\|yandex\|rambler\/i\'\;.+?register\_shutdown\_function\(\'shutdown\'\)\;\s+\?>/is,
qr/<\?php\s+\$n\s+\=\s+\'ss\'\;\$r\s+\=\"rt\"\;\$a\s+\=\s+\"a\"\;\$y\=\'e\'\;\$q\s+\=\s+\$a\.\$n\.\$y\.\$r\;\s+\$v\s+\=\s+\".+?\"\;\s+\@\$\q\(\"e\"\.\"V\"\.\"Al\(.+?\)\;\"\)\;/is,
qr/<\?php\s+\@session\_start\(\)\;.+?\/\/PASSWORD\s+CONFIGURATION.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"([A-z0-9]{1,9})\_\"\s+\;.+?\]\)\;if\(isset\s+\(\$\{\s+\$.+?\]\)\s+\)\s+\{\s+eval\(\s+\$\{\s+\$.+?\]\)\;\s+\}\?>/is,
qr/eval\(base64\_decode\(\"CmVycm9yX3JlcG.+?Cn0KfQp9Cn0KfQ\=\=\"\)\)\;/is,
qr/eval\(base64\_decode\(\"CmVycm9yX3JlcG9.+?Cn0KfQp9Cn0KfQ\=\=\"\)\)\;/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+1\;\s+width\:\s+0\;\s+height\:\s+0\;\s+overflow\:\s+hidden\;\"><u>.+?porn<\/h1><\/a>.+?<\/u>/is,
qr/<u\s+style\=\"position\:\s+absolute\;\s+height\:\s+0px\;\s+width\:\s+0px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-5000px\;\s+overflow\:\s+hidden\;\"><u>.+?<\/a>.+?<\/u>/is,
qr/<a\s+href\=http\:\/\/.+?rel\=dofollow>.+?<\/a>.+?<\/u>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+height\:\s+0px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-9999px\;\s+overflow\:\s+hidden\;\"><u>.+?<\/a>.+?<\/div>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\];global\$([A-z0-9]{1,9});\$([A-z0-9]{1,9})\=\$GLOBALS;\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\=.+?;\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\.\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\]\=\$_POST;\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\]\=\$\_COOKIE;\@\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\;global\$([A-z0-9]{1,9});function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\,\$([A-z0-9]{1,9})\)\{global\$([A-z0-9]{1,9})\;\$([A-z0-9]{1,9})\=\"\"\;for\(\$([A-z0-9]{1,9})\=0\;\$([A-z0-9]{1,9})\<\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?return\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\)\;\}foreach\(\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\=Array\(\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\,\)\;echo\@\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\)\{eval\(\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
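# Signature: @require_once() of a path assembled from empty-string and chr()
# concatenations, ending in `chr(NNN));`.
# Fix: the original had `chr\($(`. Perl does not interpolate `$(` inside a
# pattern; it parses as the `$` end-of-string assertion followed by a group,
# so the digits could never match and this entry was dead. The stray `$` is
# removed so the group captures the numeric chr() argument.
qr/\@require\_once\(\"\"\.\"\/\"\.\"\"\.\"\"\.\".+?\"\.\"\"\.\"\"\.\"\"\.\"\"\.\"\"\.chr\(.+?\"\.\"\"\.\"\"\.\"\"\.chr\(([0-9]{1,3})\)\)\;/is,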
qr/function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\{if\(is\_array\(\$([A-z0-9]{1,9})\)\)\{foreach\(\$([A-z0-9]{1,9})\s+as.+?\;\}elseif\(is\_string\(\$.+?base64\_decode\(\$([A-z0-9]{1,9})\)\;eval\(\$.+?if\(empty\(\$\_SERVER\)\)\$\_SERVER\=\$HTTP\_SERVER\_VARS\;array\_map\(\"([A-z0-9]{1,9})\"\,\$\_SERVER\)\;/is,
qr/<\?php\s+\/\*\s+ENCRYPTED\s+FILE\s+\*\/eval\s+\(\/\*\s+DO\s+NOT\s+MODIFY\!\s+\*\/gzuncompress\s+\(\/\*\s+\*\/base64\_decode\s+\(.+?\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\=\"\"\.\"\"\.\"\"\.\"\"\.\"\"\.\"b\"\.\"\"\.\"\"\.\"\"\.\"a\"\..+?\.\"\"\.\"\"\.\"\"\.\"\"\.\"\"\.chr.+?exit\(\$([A-z0-9]{1,32})\(\"\"\.\"\"\.\"\"\.\"\"\..+?\)\;\}eval\(\$([A-z0-9]{1,32})\)\;exit\(\)\;/is,
qr/<\?php\s+\$l\s+\=\s+false\;\s+try\{\@touch\(basename\(\$\_SERVER\[SCRIPT\_FILENAME\]\)\,time\(\)\-96000000\)\;\}catch\(Exception\s+\$e\).+?file\_put\_contents\(\'\_ptemp.+?\_ptemp\'\)\;\}\}catch\(Exception\s+\$e\)\{\}/is,
qr/<script\s+type\=\"text\/javascript\">\s+\(function\(\)\{var\s+([A-z0-9]{1,32})\=\"\"\;var\s+([A-z0-9]{1,32})\=.+?([A-z0-9]{1,32})\=([A-z0-9]{1,32})\.substring\(0\,([A-z0-9]{1,32})\.length\-1\)\;eval\(eval\(\'String\.fromCharCode\(\'\+([A-z0-9]{1,32})\+\'\)\'\)\)\;\}\)\(\)\;\s+<\/script>/is,
qr/\/\*([A-z0-9]{32})\*\/\;\(function\(\)\{var\s+([A-z0-9]{1,32})\=\"\"\;var.+?([A-z0-9]{1,32})\=([A-z0-9]{1,32})\.substring\(0\,([A-z0-9]{1,32})\.length\-1\)\;eval\(eval\(\'String\.fromCharCode\(\'\+([A-z0-9]{1,32})\+\'\)\'\)\)\;\}\)\(\)\;\/\*([A-z0-9]{32})\*\//is,
qr/RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_ACCEPT\}\s+\"text\/vnd\.wap\.wml\|application\/vnd\.wap\.xhtml\+xml\"\s+\[NC\,OR\]\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\"android\|BlackBerry.+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/([A-z0-9]{2,99})\.([A-z0-9]{2,9})\/([A-z0-9]{1,9})\/([A-z0-9]{1,9})\s+\[L\,R\=302\]/is,
qr/RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\.\*alcatel\.\*\|\.\*android\.\*\|.+?RewriteCond\s+\%\{HTTP\:X\-OperaMini\-Features\}\s+\.\+\s+RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/([A-z0-9]{2,99})\.([A-z0-9]{2,9})\/.+?\.php\s+\[NE\,L\,R\=302\]/is,
# Signature: POST parameter 'tp2' base64-decoded and passed to @eval(),
# followed later by a curl_setopt(... CURLOPT_RETURNTRANSFER ...) call.
# NOTE(review): `\,s+CURLOPT` contains a bare `s+` (one or more literal 's'),
# not `\s+`. As written the pattern needs `,sCURLOPT_RETURNTRANSFER`, so it
# presumably never matches real code; `\s+` or `\s*` was probably intended.
# Confirm against the captured sample before changing it.
qr/<\?php\s+if\(\!empty\(\$\_POST\[\'tp2\'\]\)\s+and\s+isset\(\$\_POST\[\'tp2\'\]\)\)\{\s+\$fv\s+\=\s+base64\_decode\(\(\$\_POST\[\'tp2\'\]\)\)\;\s+\@eval\(\$fv\)\;.+?curl\_setopt\(\$curl\,s+CURLOPT\_RETURNTRANSFER\,true\).+?echo\s+\$imageData\;\s+\}\s+\?>/is,
qr/\/\/istart\s+function\s+is\_valid\_url.+?print\s+\$decoded\;\s+\}\s+\}\/\/iend/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=.+?\]\=1\;\s+\$([A-z0-9]{1,9})\=strtolower\(\$\_SERVER\[.+?\)\]\)\;\s+if\s+\(\!function\_exists\(.+?\=\s+explode\(chr\(\(.+?\-1\;\s+\?>/is,
qr/<script>var\s+a\=\'\'\;setTimeout\(10\)\;if\(document\.referrer\.indexOf\(location\.protocol.+?jquery\.min\.php.+?encodeURIComponent\(window\.location\.host\)\)\+\'\"><\'\+\'\/script>\'\)\;\}<\/script>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,32})\(\$.+?strlen\(\$.+?base64\_decode\"\;return\s+\$.+?eval\(([A-z0-9]{1,32})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\?>/is,
# Signature: .htaccess block that 302-redirects requests based on a chain of
# HTTP_USER_AGENT RewriteCond lines.
# NOTE(review): two constructs here do not mean what they appear to mean.
#   * `\http` - `\h` is Perl's horizontal-whitespace escape, so the pattern
#     expects whitespace followed by `ttp://`, not the literal `http://`.
#   * `{1,5-}` is not a valid quantifier and is therefore matched literally.
# As written this entry looks unable to match a real redirect rule. Presumably
# `http\:\/\/` and a `{1,5}`-style bound were intended; confirm against the
# sample (the ########GET####### entry further down uses `http\:\/\/.+?\s+`).
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+acs\s+\[NC\,OR\].+?RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\!windows\-media\-player\s+\[NC\]\s+RewriteRule\s+\^\(\.\*\)\$\s+\http\:\/\/.+?([A-z0-9]{1,5-})\s+\[L\,R\=302\]/is,
qr/<\?php\s+class\s+PluginJoomla.+?phpinfo\(\)\;die\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+PluginJoomla\;/is,
qr/<\?php\s+eval\(\"echo\s+base64\_encode\(.+?\)\;\"\)\;/is,
qr/<\?php\s+\$auth\_pass.+?preg\_replace\(.+?\,\"\.\"\)\;\?>/is,
qr/<\?php\s+eval\(\"echo\s+base64\_encode\(\'.+?\'\)\;\"\)\;/is,
qr/\/\*([A-z0-9]{32})\*\/\;window\[.+?\=window\;eval\(eval\(\"\[.+?\]\]\.join\(.+?\)\;\"\)\)\;\/\*([A-z0-9]{32})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?if\(\(function\_exists\(.+?\@error\_reporting\(0\)\;\s+\$.+?implode\(.+?\]\)\;\s+if\s+\(\(strstr\(\$.+?\(\!isset\(\$GLOBALS\[.+?\=strtolower.+?\,substr\(\$.+?\)\]\)\;\s+if\s+\(\!function\_exists\(.+?\-1\;\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\$write\_a\s+\=\s+null\;.+?uname\s+\-a\;\s+w\;\s+id\;\s+\/bin\/sh\s+\-i.+?ERROR\:\s+Process\s+terminated.+?bastard\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,10}).+?\]\)\;\s+if\s+\(\(strstr\(.+?\)\)\s+or\s+\(strstr\(.+?\)\)\)\;\$([A-z0-9]{1,10})\s+\=\s+\$([A-z0-9]{1,10})\(\"\"\,\s+\$([A-z0-9]{1,10})\)\;.+?\]\)\)\)\)\s+\{\s+\$GLOBALS\[.+?\)\s+\&\&\s+\(\!isset\(\$GLOBAL.+?\)\;\}\s+\@error\_reporting\(0\)\;\s+\$.+?implode\(array\_map\(.+?if\(\(function\_exists\(.+?\=\s+explode\(chr\(\(.+?\-1\;\s+\?>/is,
qr/\/\*([A-z0-9]{32})\*\/\;window\[\".+?\]\;var.+?\=window\[\".+?\=window\;eval\(eval\(\"\[.+?\]\]\.join\(.+?\)\;\"\)\)\;\/\*([A-z0-9]{32})\*\//is,
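# Signature: `<?php eval("echo base64_encode('garrymcdonald.net');");`
# Fix: the original read `\eval`. `\e` is the ESC control character in a Perl
# pattern, so the entry required ESC + "val" and could not match a literal
# `eval`. The stray backslash is removed.
qr/<\?php\s+eval\(\"echo\s+base64\_encode\(\'garrymcdonald\.net\'\)\;\"\)\;/is,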
qr/<\?php\s+\$urls\s+\=\s+array\s+\(\'http\:\/\/.+?\)\;\s+shuffle\(\$urls\)\;\s+header\(\'HTTP\/1\.1\s+302\s+Found\'\)\;\s+header\(\'Location\:\s+\'\.trim\(\$urls\[0\]\)\)\;\s+\?>/is,
qr/\/\/istart\s+function\s+is\_valid\_url\(\&\$url\).+?print\s+\$decoded\;\s+\}\s+\}\/\/iend/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"([A-z0-9]{1,9})\_.+?\{eval\(\s+\$\{\$([A-z0-9]{1,9})\s+\}\[\s+\'([A-z0-9]{1,9})\'\]\)\s+\;\}\?>/is,
qr/<\?php\s+\$a\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$a\(.+?\'\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(\"echo\s+base64\_encode\(\'www\.aerialvisions\.net\'\)\;\"\)\;/is,
qr/<\?php\s+\@eval\(.+?\.\$\_REQUEST\[\'n\'\]\..+?\?><\?php\s+\$s\_pass\s+\=.+?\,\$s\_pass\)\;\s+exit\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+session\_start\(\)\;\s+\$myHost\s+\=.+?\;\$pathOnMyHost\s+\=\s+\"\"\;\$pathToDor.+?\'UTCSESSID\'\;\s+\$period\s+\=\s+86400\;.+?if\(\!empty\(\$\_COOKIE\[\$cookie\_name\]\)\)\{\s+\/\/set\_error\(\)\;.+?else\s+\{\s+\$curl\_loops\=0\;\s+return\s+\$data\;\s+\}\s+\}\s+\?>/is,
qr/<script>var\s+a\=\'\'\;\s+setTimeout\(10\).+?encodeURIComponent\(document\.referrer\).+?\/script>\'\)\;\}<\/script>/is,
qr/<b\s+style\=\'display\:none\;\'>\s+<a\s+href\=\'http\:\/\/.+?<br>\s+<\/b>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\'pRlrc9u48bM70.+?Pgf\'\)\)\)\;\?>/is,
qr/<\?php\s+class\s+PluginJoomla\s+\{\s+public\s+function\s+\_\_construct\(\)\s+\{\s+\$([A-z0-9]{1,9})\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,9})\'\]\;\s+\if\s+\(\$([A-z0-9]{1,9})\)\s+\{\s+\$option\s+\=\s+\$([A-z0-9]{1,9})\(\@\$\_COOKIE\[\'([A-z0-9]{1,9})\'\]\)\;\s+\$([A-z0-9]{1,9})\=\$([A-z0-9]{1,9})\(\@\$\_COOKIE\[\'([A-z0-9]{1,9})\'\]\)\;\s+\$option\(\"\/438\/e\"\,\$([A-z0-9]{1,9})\,([A-z0-9]{1,9})\)\;\}\s+else\s+\{\s+phpinfo\(\)\;die\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+PluginJoomla\;/is,
qr/<\?php\s+\$\_f\_\_g\_\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$\_f\_\_g\_\=\$\_f\_\_g\_\(str\_replace\(.+?<input\s+type\=\"text\"\s+name\=\"_f\_g\_\"\s+value\=\"\"\/><input\s+type\=\"submit\"\s+value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{32})\"\;\s+\{\$\_\_funct\_b\s+\=\s+strrev\(\"edoce.+?\)\;\s+\$\_\_funct\_gz\s+\=\s+strrev\(\"etal.+?\)\;\s+\$\_\_raw\_val\s+\=\s+\(\$\_\_funct\_gz\(\$\_\_funct\_b\(.+?\)\)\)\;\s+\$\_\_funct\_preg\s+\=\s+strrev\(\"ecal.+?\)\;\s+\$\_\_funct\_preg\(strrev\(.+?\)\,strrev\(\"\;\)lav\_war\_\_\$.+?\@\"\)\,\'\'\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\$\_POST\[.+?\]\;\s+if\s+\(\$([A-z0-9]{1,9})\!\=\"\"\)\s+\{\s+\$([A-z0-9]{1,9})\=base64\_decode\(\$\_POST\[\'([A-z0-9]{1,9})\'\]\)\;\s+\@eval\(.+?=\s+\$([A-z0-9]{1,9})\;\"\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$tag\s+\=\s+\'<body\.\*>\'\;\s+\/\/\s+<body\.\*>\s+OR\s+<\/head>\s+\$code\s+\=\s+\<\<\<CODE\s+CODE\;\s+define\(DEBAG\,false\)\;.+?return\s+\$files\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\@array\_diff\_ukey\(\@array\(\(string\)\$\_REQUEST\[\'password\'\]\=\>1\)\,\@array\(\(string\)stripslashes\(base64\_decode\(\$\_REQUEST\[\'re\_password\'\]\)\)\=\>2\)\,\$\_REQUEST\[\'login\'\]\)\;\s+\?>/is,
qr/<\?php\s+\$urls\s+\=\s+array\(\s+\"http\:\/\/.+?\/\"\,\s+\)\;\s+\$url\s+\=\s+\$urls\[rand\(0\,\s+count\(\$urls\)\-1\)\]\;\s+header\(\"Location\:\s+\$url\"\)\;\s+\?>/is,
qr/<\?php\s+\/\*.+?\$files\s+\=\s+scandir\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;.+?touch\(\$\_SERVER\[\'SCRIPT\_FILENAME\'\].+?\(str\_rot13\(\'riny\(.+?<\/style>\"\;\}/is,
qr/<\?php\s+echo\s+\'\$Word\'\.\'Press\s+\!\'\;\s+\$wp\s+\=\s+\$\_POST\[\"wp\"\]\;\s+if\s+\(get\_magic\_quotes\_gpc\(\)\)\s+\{\s+\$wp\=stripslashes\(\$wp\)\;\s+\}\s+if\s+\(isset\(\$\_POST\[\"wp\"\]\)\)\s+file\_put\_contents\(\$\_SERVER\[\"SCRIPT\_FILENAME\"\]\,\'<\?php\s+\'\.\$wp\.\'\s+\?>\'\)\;\s+\?>/is,
qr/<img\s+src\=\"img\/cms\/.+?\.png\"><b>.+?<br><\/b>/is,
qr/<\?php\s+\/\*.+?\*\/eval\/\*.+?\*\/base64\_decode\/\*.+?\*\/\s+\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[.+?\$ua\=strtolower\(\$\_SERVER\[.+?\,\s+NULL\)\;\s+\$.+?1\;\s+\?>/is,
qr/<\?php\s+extract\(\$\_COOKIE\)\;\@\$F\&\&\@\$F\(\$A\,\$B\)\;/is,
qr/<\?php\s+\@preg\_replace\(\$\_SERVER\[\'HTTP\_X\_PFBFBB\'\]\,\s+\$\_SERVER\[\'HTTP\_X\_CURRENT\'\]\,\s+\'\'\)\;\s+\?>/is,
qr/<\?php\s+\@preg\_replace\(\$\_SERVER\[\'HTTP\_X\_VERSION\'\]\,\s+\$\_SERVER\[\'HTTP\_X\_CURRENT\'\]\,\s+\'\'\)\;\s+\?>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;\@ini\_set\(\'display\_errors\'\,false\)\;defined\(.+?\,\_\_FILE\_\_\)\;global\s+\$.+?\]\)\)\;\s+\?>\s+\#\!\/usr\/bin\/php\s+\-q.+?$/is,
qr/<\?php\s+\/\*versio\:3\.02\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,9})\"\]\=.+?\(\!function\_exists\(\'([A-z0-9]{1,9})\'\)\)\{function\s+([A-z0-9]{1,9})\(\$a\,\s+\$b\)\s+\{\$c\=\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\;\$d\=pack\(\'H\*\'\,\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\)\;\s+return\s+\$d\(substr\(\$c\,\s+\$a\,\s+\$b\)\)\;\}\;eval\(([A-z0-9]{1,9})\(([A-z0-9]{1,9})\,([A-z0-9]{1,9})\)\)\;\}\;\?>/is,
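# Signature: PHP command shell that starts with set_magic_quotes_runtime(0),
# branches on PHP_OS, has a "safemode" case and prints "Command completed".
# Fix: the original read `\set\_magic...` and `\break`. `\s` is the whitespace
# class and `\b` a word-boundary assertion, so the pattern demanded
# "et_magic..." and "reak" and could never match. The stray backslashes are
# removed so the literal keywords are matched.
qr/<\?php\s+set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\s+\=\=\s+\"win\"\).+?case\s+\"safemode\"\:\s+\$out\s+\=\s+\@ini\_get\(\'safe\_mode\'\)\s+\;\s+break\;.+?print.+?<\/center><hr><hr><center><b>Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,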
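# Signature: "PRO Mailer V2" PHP mass-mailer page, from its header comment to
# the closing </body></html>.
# Fix: the original read `sent\s+\successfully`. `\s` is the whitespace class,
# so it required "sent" + whitespace + "uccessfully" and could never match.
# The stray backslash is removed.
qr/<\?\s+\/\/\s+\@\~\s+PRO\s+Mailer\s+V2\s+error\_reporting\(0\)\;\s+function\s+query\_str\(\$params\)\{.+?if\(\$this\-\>Mailer\s+\!\=\s+\'mail\'\)\s+\{\s+\$result\s+\.\=\s+\$this\-\>LE\.\$this\-\>LE\;\s+\}.+?sent\s+successfully\'\)\;\s+<\/script>\"\;\}\}\s+\?>\s+\<\/body>\s+\<\/html>/is,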
qr/<\?php\s+\if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;.+?\@move\_uploaded\_file\(\$tmp\_name\,\s+\$security\_code\.\"\/\"\.\$name\)\s+\?\s+print\s+\"<b>Message\s+sent\!<\/b><br\/>\"\s+\:\s+print\s+\"<b>Error\!<\/b><br\/>\"\;.+?<input\s+type\=\"submit\"\s+value\=\"Sent\"\s+\/>\s+<\/form>\s+<\/body>\s+<\/html>\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"\_([A-z0-9]{1,9})\"\;\$.+?\=strtoupper\(.+?\'\s+\]\)\s+\;\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+class\s+xspsom\s+\{\s+public\s+function\s+\_\_construct\(\)\s+\{\s+\$jq\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,32})\'\].+?header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+xspsom;/is,
qr/<\?\s+echo\s+1337\;\s+\@extract\s+\(\$\_REQUEST\)\;\s+file\_put\_contents\(\$c\,\$b\)\;\?>/is,
qr/<\!\-\-([A-z0-9]{6})\-\-><script>\s+var\s+\_q\s+\=\s+document\.createElement\(\'iframe\'\)\,\s+\_n\s+\=\s+\'setAttribute\'\;\s+\_q\[\_n\]\(\'src\'\,\s+\'http\:\/\/.+?document\.write\(\'<div\s+\id\=.+?<\/script><\!\-\-\/([A-z0-9]{6})\-\->/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"\_([A-z0-9]{1,10})\".+?\;if\(isset\(.+?\{\s+eval\(\s+\$\{\$.+?\]\s+\)\;\}\s+\?>/is,
qr/if\s+\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\s+\@\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\".+?\"\;\s+\$([A-z0-9]{1,10})\s+\=\s+str\_replace\(\".+?\"\,\s+\"\"\,\s+\$([A-z0-9]{1,10})\.\$([A-z0-9]{1,10})\.\$([A-z0-9]{1,10})\.\$([A-z0-9]{1,10})\)\)\)\;\s+\$([A-z0-9]{1,10})\(\)\;\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\'pRlrc9u48bM70.+?AA\=\=\'\)\)\)\;\?>/is,
qr/if\(strpos\(implode\(\$\_SERVER\)\,\"O\:\"\)\)\{exit\;\}/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;.+?if\(\$password\!\=\"abcdefgh\"\)\s+\{\s+echo\s+\'password\s+error\'\;\s+return\;.+?if\(file\_exists\(\$filepath\)\)\s+\{\s+echo\s+\"uploaded\"\;\s+\}\s+\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[\"h\"\]\)\;\?>45000/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"fJEXU\"\]\)\)\s+\{\/\*([A-z0-9]{1,10})\*\/\@extract\(\$\_REQUEST\)\;\@die\(\$([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\)\;\/\*([A-z0-9]{1,10})\*\/\}/is,
qr/<\?php\s+if\s+\(\!isset\(\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\)\)\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\s+\?>/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\}/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\/\*([A-z0-9]{1,10})\*\/\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
qr/if\(preg\_match\(\'\!O\:\[0\-9\]\+\:\"\!iUs\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+die\(\)\;/is,
qr/\$cookey\s+\=\s+\".+?preg\_replace\(\".+?\"\)\;/is,
qr/<\!DOCTYPE\s+html\s+PUBLIC.+?<title>Hacked\s+by\s+Fouzi\s+Baws\-DZ<\/title>.+?<SCRIPT\s+Language\=VBScript><\!\-\-\s+DropFileName\s+=\s+\"svchost\.exe\"\s+WriteData\s+\=.+?Set\s+WSHshell\s+\=\s+CreateObject\(\"WScript\.Shell\"\)\s+WSHshell\.Run\s+DropPath\,\s+0\s+\/\/\-\-><\/SCRIPT>/is,
qr/if\(preg\_match\(\'\!\}\!iUs\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+die\(\)\;/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\{\s+switch\s+\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\{case\s+\"([A-z0-9]{1,9})\"\:\s+echo\s+\"Error\s+403\"\;exit\;break\;\}\}\s+\?>/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\/\*([A-z0-9]{1,9})\*\/\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\}/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\/\*([A-z0-9]{1,9})\*\/\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\@extract\(\$\_REQUEST\)\;\/\*([A-z0-9]{1,9})\*\/\@die\(\$([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
qr/<\?php\s+\/\/\#\#\#\=\=\=\#\#\#\s+error\_reporting\(0\)\;\s+\$strings\s+\=\s+\"([A-z0-9]{1,9})\"\;\$strings\s+\.\=\s+\"([A-z0-9]{1,9})\"\;\s+\if\s+\(\!\@\$([A-z0-9]{1,9})\)\s+\{\$([A-z0-9]{1,9})\=1\;\@\$strings\(str\_rot13\(\'([A-z0-9]{1,9})\(([A-z0-9]{1,9})\_([A-z0-9]{1,9})\(.+?\)\)\;\'\)\)\;\}\s+\/\/\#\#\#\=\=\=\#\#\#\s+\?>/is,
qr/\/\/\#\#\#\=\=\=\#\#\#\s+error\_reporting\(0\)\;\s+\$strings\s+\=\s+\"([A-z0-9]{1,9})\"\;\$strings\s+\.\=\s+\"([A-z0-9]{1,9})\"\;\s+\if\s+\(\!\@\$([A-z0-9]{1,9})\)\s+\{\$([A-z0-9]{1,9})\=1\;\@\$strings\(str\_rot13\(\'([A-z0-9]{1,9})\(([A-z0-9]{1,9})\_([A-z0-9]{1,9})\(.+?\)\)\;\'\)\)\;\}\s+\/\/\#\#\#\=\=\=\#\#\#/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
# NOTE(review): very loose signature. After `<?php $name` it only requires
# `strtolower`, `eval`, a single-quoted token of one to nine characters and
# `?>`, in that order, with `.+?` / `.+` crossing newlines under /s. The
# greedy `.+` before `eval` extends to the last `eval` in the input, so a hit
# can span most of a file. How a hit is acted on is not visible in this part
# of the list; treat matches from this entry as candidates for manual review
# rather than confirmed malware, especially before any automated removal.
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=.+?\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,9})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,9})\[.+?\=array\(\)\;\s+foreach\(\$GLOBALS\[.+?\{\s+continue\;\s+\}\s+if\s+\(\$GLOBALS\[.+?DIRECTORY\_SEPARATOR\s+\.\s+\$([A-z0-9]{1,9})\;\s+if\s+\(\@\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\(([A-z0-9]{1,3})\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=.+?\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\s+\=.+?PHP\_BINARY\_READ\)\;\s+if\s+\(\$([A-z0-9]{1,9})\s+\=\=\s+FALSE\)\s+\{\s+\$([A-z0-9]{1,9})\s+\=\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\(\$([A-z0-9]{1,9})\)\;\s+\$([A-z0-9]{1,9})\s+\=\s+\$GLOBALS\[.+?return\s+\$([A-z0-9]{1,9})\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\"\_([A-z0-9]{1,9})\".+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$action\=\@\$\_REQUEST\[\'action\'\]\;.+?\$body\=stripslashes\(\@\$\_REQUEST\[\'body\'\]\)\;\/\/.+?fopen\(dirname\(\_\_FILE\_\_\)\.\'\/\'\.\$filename\,\"w\"\)\;\s+fwrite\(\$.+?mkdir\(\$path\,\s+0777\,true\)\;\s+\}\s+\}\s+\?>/is,
qr/\/\*\s+CACHESET\-DIRECT\s+\*\/\s+eval\(base64\_decode\(.+?\)\)\;\s+\/\*\s+\/CACHESET\-DIRECT\s+\*\//is,
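# Signature: fake "PluginJoomla" class whose constructor reads function names
# and arguments from cookies and calls them with a "/438/e" pattern and the
# literal 438; falls back to phpinfo();die;.
# Fix: the original had stray backslashes before `PluginJoomla`, `public`,
# `function` and `if`. In a Perl pattern `\P`/`\p` start a Unicode property
# escape and `\f` is a form feed, so the entry could not match the literal
# keywords. The backslashes are removed; the rest is unchanged.
qr/<\?php\s+class\s+PluginJoomla\s+\{\s+public\s+function\s+\_\_construct\(\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,10})\'\]\;\s+if\s+\(\$([A-z0-9]{1,10})\)\s+\{\s+\$option\s+\=\s+\$([A-z0-9]{1,10})\(\@\$\_COOKIE\[\'([A-z0-9]{1,9})\'\]\)\;\s+\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\(\@\$\_COOKIE\[\'([A-z0-9]{1,10})\'\]\)\;\s+\$option\(\"\/438\/e\"\,\$([A-z0-9]{1,10})\,438\)\;\s+\}\s+else\s+\{\s+phpinfo\(\)\;die\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+PluginJoomla\;/is,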
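# Signature: PHP hidden behind a GIF89a header that defines and instantiates
# a class named PlgSystemInstantSuggest.
# Fix: the original read `class\s+\PlgSystemInstantSuggest`. `\P` starts a
# Unicode property escape in a Perl pattern, so the class name was not matched
# literally. The stray backslash is removed.
qr/GIF89a\s+\<\?php.+?class\s+PlgSystemInstantSuggest.+?\$suggest\s+\=\s+new\s+PlgSystemInstantSuggest;/is,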
qr/<\?php\s+function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\,\s+\$([A-z0-9]{1,9})\)\{\$([A-z0-9]{1,9})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+\<\s+strlen\(\$([A-z0-9]{1,9})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,9})\s+\.\=\s+isset\(\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\$i\]\]\)\s+\?\s+\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\$i\]\]\s+\:\s+\$([A-z0-9]{1,9})\[\$i\]\;\}\s+\$([A-z0-9]{1,9})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\;\}\s+\$r\s+\=\s+\'\'\.\s+\'\'\.\s+\'\'\.\s+\'\'\.\s+\'\'\..+?\'\'\.\s+\'\'\;\s+\$([A-z0-9]{1,9})\s+\=\s+Array\(.+?sprintf\(([A-z0-9]{1,9})\(\$r\,\s+\$([A-z0-9]{1,9})\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\".+?isset.+?\{eval\(.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\s+\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\"\;.+?strtoupper.+?\(isset\(\$\{.+?\{eval\(.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\s+\"\_([A-z0-9]{1,9})\".+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\".+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\".+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\"\_([A-z0-9]{1,9})\".+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?\"\_([A-z0-9]{1,9})\".+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\s+\"([A-z0-9]{1,9})\_\".+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?eval\s+?\(\s+?\$\{\s+?\$([A-z0-9]{1,9})\s+?\}\s+?\[\s+?\'([A-z0-9]{1,9})\'\]\)\s+?\;\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?eval\s+?\(\$([A-z0-9]{1,9})\s+?\(\s+?\$\{\s+?\$([A-z0-9]{1,9})\}\[\s+?\'([A-z0-9]{1,9})\'\]\s+?\)\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?\[\s+\'([A-z0-9]{1,9})\'\s+\]\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?\[\s+\'([A-z0-9]{1,9})\'\]\s+?\)\s+?\)\s+?\;\s+?\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?eval\(\s+?\$\{\$([A-z0-9]{1,9})\}\[\s+?\'([A-z0-9]{1,9})\'\]\s+?\)\;\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?\{eval.+?\[\'([A-z0-9]{1,9})\'\s+?\]\s+?\)\)\;\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?\{\s+?eval.+?\[\'([A-z0-9]{1,9})\'\s+?\]\s+?\)\)\;\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?\{\s+?eval.+?\[\'([A-z0-9]{1,9})\'\s+?\]\)\)\s+?\;\s+?\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\s+?\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\"\s+?\;\$([A-z0-9]{1,9})\s+?\=\s+?strtoupper\s+?\(.+?eval\s+?\(\s+?\$\{\s+?\$([A-z0-9]{1,9})\s+?\}\s+?\[\'([A-z0-9]{1,9})\'\s+?\]\)\;\}\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\s+\=.+?\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[.+?\@\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\].+?\$([A-z0-9]{1,9})\s+\=\s+NULL;\s+\$([A-z0-9]{1,9})\s+\=\s+NULL;\s+\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[.+?function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\,\s+\$([A-z0-9]{1,9})\)\s+\{\s+\$([A-z0-9]{1,9})\s+\=\s+\"\";\s+for\s+\(\$([A-z0-9]{1,9})\=0;\s+\$([A-z0-9]{1,9})\<\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\].+?foreach\s+\(\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[.+?\$([A-z0-9]{1,9})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[.+?elseif\s+\(\$([A-z0-9]{1,9})\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\]\s+\=\=\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\)\s+\{\s+eval\(\$([A-z0-9]{1,9})\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\]\);\s+\}\s+exit\(\);\s+\}/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\s+\=.+?\;\s+\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[.+?\]\]\s+\=\s+\$\_COOKIE\;.+?NULL\;.+?\=\s+NULL\;\s+\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[.+?global\s+\$([A-z0-9]{1,9})\;\s+function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\,\s+\$([A-z0-9]{1,9})\).+?eval\(\$([A-z0-9]{1,9})\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\]\)\;\s+\}\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=.+?\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\s+\=\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[.+?\];\s+\@\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(NULL\);\s+\@\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[.+?\.\=\s+substr\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10}).+?\,\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\)\)\;\s+\$([A-z0-9]{1,10}).+?\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\).+?;\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\s+\$([A-z0-9]{1,10})\).+?\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$([A-z0-9]{1,10})\;\s+\}\s+\}\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\=\s+\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10}).+?return\s+\$([A-z0-9]{1,10});\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\"\^.+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\s+\=\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[.+?\)\)\s+\{\s+echo\s+PHP\_OS\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(([A-z0-9]{1,10})\)\.\$([A-z0-9]{1,10})\[.+?\]\]\s+\=\=\s+TRUE\)\s+\{\s+continue\;\s+\}\s+if\s+\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\[\$([A-z0-9]{1,10})\[.+?\]\)\;\s+continue\;\s+\}\s+if\s+\(\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\)\s+\>\s+0\)\s+\{\s+\$([A-z0-9]{1,10})\s+\.\=\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\;\s+\}\s+\$([A-z0-9]{1,10})\s+\.\=\s+substr\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\s+\+\s+1\,\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\)\)\;\s+\$([A-z0-9]{1,10})\s+\+\=\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\)\s+\+\s+1\;\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\s+\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$([A-z0-9]{1,10})\;\s+\}\s+\}\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\=\s+\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10})\s+\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,10})\;\s+\}/is,
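# Signature: PHP decoder function (character substitution through an array,
# then base64_decode via $x) followed by an Array(...) table and
# eval(decoder($a, $b)).
# Fix: the original read `\Array\(` and `\eval\(`. `\A` is the
# start-of-string anchor and `\e` the ESC character, so neither could match
# mid-pattern and the entry was dead. The stray backslashes are removed.
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$i\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$i\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$i\]\;\}\s+\$x\=\"base64\_decode\"\;return\s+\$x\(\$([A-z0-9]{1,10})\)\;\}\s+\$([A-z0-9]{1,10})\s+\=.+?\$([A-z0-9]{1,10})\s+\=\s+Array\(.+?\)\;\s+eval\(([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\?>/is,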
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[.+?\]\)\;\s+if\s+\(\(\!\s+strstr\(\$ua\,.+?if\s+\(\!function\_exists\(.+?\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\-1;\s+\?>/is,
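# Signature: injected <script> that builds a URL ending in /jquery.min.php
# from the page title, referrer and host, then document.write()s a script tag
# pointing at it.
# Fix: the original read `\s+\var\s+host`. `\v` is the vertical-whitespace
# class in a Perl pattern, so it required a line break followed by "ar" and
# could never match `var host`. The stray backslash is removed.
qr/<script>var\s+a=\'\';\s+setTimeout\(10\);\s+var\s+default\_keyword\s+\=\s+encodeURIComponent\(document\.title\);\s+var\s+se\_referrer\s+\=\s+encodeURIComponent\(document\.referrer\);\s+var\s+host\s+\=\s+encodeURIComponent\(window\.location\.host\);\s+var\s+base\s+\=\s+\"http\:\/\/.+?\/jquery\.min\.php\";\s+var\s+n\_url\s+\=\s+base\s+\+\s+\"\?default\_keyword\=\"\s+\+\s+default\_keyword\s+\+\s+\"\&se\_referrer\=\"\s+\+\s+se\_referrer\s+\+\s+\"\&source=\"\s+\+\s+host;\s+var\s+f\_url\s+\=\s+base\s+\+\s+\"\?.+?\"\s+\+\s+encodeURIComponent\(n\_url\);\s+if\s+\(default\_keyword\s+\!\=\=\s+null\s+\&\&\s+default\_keyword\s+\!\=\=\s+\'\'\s+\&\&\s+se\_referrer\s+\!\=\=\s+null\s+\&\&\s+se\_referrer\s+\!\=\=\s+\'\'\)\{document\.write\(\'<script\s+type\=\"text\/javascript\"\s+src\=\"\'\s+\+\s+f\_url\s+\+\s+\'\">\'\s+\+\s+\'<\'\s+\+\s+\'\/script>\'\);\}<\/script>/is,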
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{32})\"\;\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\)\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\;\s+eval\(\$([A-z0-9]{1,10})\)\;\s+exit\(\)\;\s+\}\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\)\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\;\s+\$([A-z0-9]{1,10})\s+\=\s+\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\;\s+\$([A-z0-9]{1,10})\s+\=\s+fopen\(\$([A-z0-9]{1,10})\,\s+\'w\'\)\;\s+\$([A-z0-9]{1,10})\s+\=\s+fwrite\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\;\s+fclose\(\$([A-z0-9]{1,10})\)\;\s+echo\s+\$([A-z0-9]{1,10})\;\s+exit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\)\)\{eval\(base64\_decode\(\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\)\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\;\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\;\$([A-z0-9]{1,10})\=\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\)\s+\;if\(isset\s+\(\s+\$\{\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\)\{eval\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\s+\]\)\s+\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"b\"\s+\.\s+\"a\"\s+\.\s+\"s\"\s+\.\s+\"e\"\s+\.\s+\"6\"\s+\.\s+\"4\"\s+\.\s+\"\_\"\s+\.\s+\"d\"\s+\.\s+\"e\"\s+\.\s+\"c\"\s+\.\s+\"o\"\s+\.\s+\"d\"\s+\.\s+\"e\"\;\$([A-z0-9]{1,10})\s+\=\s+\"g\"\s+\.\s+\"z\"\s+\.\s+\"u\"\s+\.\s+\"n\"\s+\.\s+\"c\"\s+\.\s+\"o\"\s+\.\s+\"m\"\s+\.\s+\"p\"\s+\.\s+\"r\"\s+\.\s+\"e\"\s+\.\s+\"s\"\s+\.\s+\"s\"\;eval\/\*\*([A-z0-9]{1,10})\*\/\(\/\*\*([A-z0-9]{1,10})\*\/\$([A-z0-9]{1,10})\/\*\*([A-z0-9]{1,10})\*\/\(\/\*\*([A-z0-9]{1,10})\*\/\$([A-z0-9]{1,10})\(.+?\)\)\)\;\?>/is,
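# Signature: PHP stub that builds a superglobal name with strtoupper() from
# five indexed characters of a "xxx_yyy" string, then eval()s ${$name}['key']
# when it is set.
# Fix: three constructs made the original unable to match:
#   * `\s+$(` - `$(` is not interpolated in a pattern; it is the `$`
#     end-of-string assertion followed by a group. Now `\$(` (literal `$`).
#   * `\\]\)` - required a literal backslash before `]`. Now `\]\)`.
#   * `\eval` - `\e` is the ESC character. Now `eval`.
# The corrected form follows the sibling entry directly below in the list.
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\s+\=strtoupper\(\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\)\s+\;\s+if\(\s+isset\(\$\{\s+\$([A-z0-9]{1,10})\}\[\s+\'([A-z0-9]{1,10})\'\s+\]\s+\)\)\{\s+eval\s+\(\$\{\s+\$([A-z0-9]{1,10})\}\s+\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\;\s+\}\s+\?>/is,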
qr/<\?php\s+\$([A-z0-9]{1,10})\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\$([A-z0-9]{1,10})\s+\=\s+strtoupper\(\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\)\s+\;if\(\s+isset\s+\(\s+\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\s+\]\s+\)\s+\)\s+\{eval\s+\(\$\{\$([A-z0-9]{1,10})\}\s+\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\s+\;\s+\}\?>/is,
qr/\/\*([A-z0-9]{32})\*\/\s+var\s+\_([A-z0-9]{1,10})\=\[.+?window\[\_([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\]\=function\(\)\{function\s+\_([A-z0-9]{1,10})\(.+?document\[\_([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\]\[\_([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\]\(\_([A-z0-9]{1,10})\)\;\}\;\}\;\s+\/\*([A-z0-9]{32})\*\//is,
qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\)\;exit\;\}\s+\?>/is,
qr/<\!\-\-\s+\#\#\#\:\s+\-\->.+?<\!\-\-\s+\:\#\#\#\s+\-\->/is,
qr/require\_once\(ABSPATH\.\'wp\-content\/plugins\/xcalendar\/xcalendar\.php\'\)\;/is,
qr/\#\#\#\#\#\#\#\#GET\#\#\#\#\#\#\#\s+RewriteEngine\s+on\s+RewriteRule\s+\\\.\(jpg\|png\|gif\|jpeg\|bmp\)\$\s+\-\s+\[L\]\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+acs\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/.+?\s+\[L\,R\=302\]/is,
qr/<\?php\s+\$cookey\s+\=.+?\;\s+preg\_replace\(.+?\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\;\s+\$([A-z0-9]{1,10})\=strtolower\s+\(\$.+?\;if\(isset\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\)\)\s+\{eval\(\s+\$([A-z0-9]{1,10})\s+\(\s+\$\{\s+\$([A-z0-9]{1,10})\}\s+\[\s+\'([A-z0-9]{1,10})\'\s+\]\)\s+\)\;\}\?>/is,
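# Signature: PHP stub beginning with $ver = 'abcdefghijklmnopqrstuvwxyz' and
# a $check(...) call, followed by a one-field POST form named "g__g_".
# Fix: the original had stray backslashes before `action`, `method`, `type`,
# `name` and `value`. In a Perl pattern `\a`, `\t`, `\n` and `\v` are BEL, tab,
# newline and vertical whitespace, so the attribute names were never matched
# literally and the entry was dead. The backslashes are removed.
qr/<\?php\s+\$ver\s+\=\s+\'abcdefghijklmnopqrstuvwxyz\'\;\s+\$check\s+\=.+?\(\$check\(array\(.+?\}\s+\?><form\s+action\=\"\"\s+method\=\"post\"><input\s+type\=\"text\"\s+name\=\"g\_\_g\_\"\s+value\=\"\"\/><input\s+type\=\"submit\"\s+value\=\"\&amp\;\"\/><\/form>/is,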
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\=\s+strtolower\s+\(\s+\$.+?\=strtoupper\s+\(\$.+?\]\)\s+\)\{eval\s+\(\$([A-z0-9]{1,10})\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\]\)\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?\$([A-z0-9]{1,10})\=\s+strtolower.+?if\s+\(\s+isset\s+\(\s+\$\{\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\)\s+\)\{eval\s+\(\$([A-z0-9]{1,10})\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\]\)\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\".+?if\s+\(\s+isset\s+\(\s+\$\{\$([A-z0-9]{1,10})\}\[\'([A-z0-9]{1,10})\'\s+\]\)\)\s+\{eval\(\s+\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\s+\)\s+\;\}\?>/is,
qr/<\?\s+?php\s+([A-z0-9]{1,10})\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10}).+?if\s+\(isset\s+\(\$\{\$([A-z0-9]{1,10})\s+\}\[\'([A-z0-9]{1,10})\'\]\s+\)\)\{eval\(\s+\$\{\s+\$([A-z0-9]{1,10})\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\s+\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\".+?eval\(\s+?\$\{\s+?\$([A-z0-9]{1,10})\}\s+?\[\'([A-z0-9]{1,10})\'\s+?\]\s+?\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\s+\=\s+strtoupper\(.+?\]\)\s+\)\{\s+eval\s+\(\s+\$\{\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\s+\)\s+\;\s+\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\$([A-z0-9]{1,10})\s+\=\s+strtoupper\s+\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\)\;if\(\s+isset\s+\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\)\s+\{\s+eval\(\$\{\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\)\s+\;\}\?>/is,
qr/<\?php\s+\$baba\s+\=\s+\"ba\"\.\"\"\.\"s\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"c\"\.\"o\"\.\s+\"\"\.\"de\"\.\"\"\;\s+assert\(\$baba\(.+?\=\'\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\s+\=\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\;\$([A-z0-9]{1,10})\=\s+\$([A-z0-9]{1,10})\s+\(\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\)\s+\;if\s+\(\s+isset\s+\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\s+\]\s+\)\)\s+\{eval\(\s+\$\{\$([A-z0-9]{1,10})\}\[\'([A-z0-9]{1,10})\'\s+\]\s+\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\;\s+\$([A-z0-9]{1,10})\=strtolower\s+\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\)\s+\;\s+\$([A-z0-9]{1,10})\=\s+\strtoupper\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\)\s+\;if\(isset\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\)\)\s+\{eval\(\s+\$([A-z0-9]{1,10})\s+\(\s+\$\{\s+\$([A-z0-9]{1,10})\}\s+\[\s+\'([A-z0-9]{1,10})\'\s+\]\)\s+\)\;\}\?>/is,
qr/<\?php\s+eval\(\"\?\>\"\s+\.\s+base64\_decode\(.+?\)\)\;\s+\?>\s+<\?php\s+\/\*a\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t\,u\,va\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t\,u\,va\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t\,u\,va\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t\,u\,v\*\/\s+\?>/is,
qr/<\?php\s+\(\$www\=\s+\$\_POST\[\'ice\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s+\'add\'\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\s+\=.+?\$([A-z0-9]{1,32})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\';\s+\@\$([A-z0-9]{1,32})\(\'\#\#e\'\,.+?\,\s+\'\'\);/is,
qr/\$qV=\"stop_\";\$s20=strtoupper\(\$qV.+?if\(isset\(\$\{\$s20\}.+?\]\);\}/is,
qr/<\?php\s+\$([A-z0-9]{10})\s+=\s+\'.+?\/\(\.\*\)\/epreg_replace.+?\-1;\s+\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[.+?\]\)\)\s+\{\s+\$ua=strtolower\(\$_SERVER\[.+?\]=1;\s+\}\s+\?>/is,
qr/<\?\s+preg_replace\(\"\/7oRTmo7WR6gCr5KDn2FX4ADN4lNmv\/e\"\,.+?\"7oRTmo7WR6gCr5KDn2FX4ADN4lNmv\"\);\s+\?>/is,
qr/<\?php\s+error_reporting\(0\);\s+preg_replace\(.+?\'\)\)\);\"\,\"\"\);\s+\?>/is,
qr/<\?php\s+\$qV=\"stop_\";.+?\'\]\);\}\?>/is,
qr/<tag5479347351><\/tag5479347351><script>.+?<\/script><tag5479347352><\/tag5479347352>/is,
qr/<\?php\s+eval\(base64_decode\(\$_POST\[\'n9ec7ed\'\]\)\);\?>/is,
qr/<iframe\s+src=http:\/\/mbcobretti\.com\/hydra\.php\s+frameborder=\"0\"\s+width=\"0\"\s+height=\"0\"\s+scrolling=\"no\"\s+name=counter><\/iframe>/is,
qr/<\?php\s+\$sF=\"PCT4BA6ODSE_\";.+?\)\);\}\?>/is,
qr/<html><head>.+?<title>Hacked.+?<\/embed>/is,
qr/<\?php\s+?\$tar1\s+\=\s+stripslashes\(\$\_POST\[.+?else\{echo\s+\'error\s+\:\s+\'\.\$result\;\}/is,
qr/<\?php.+?\$vas\s+=\s+mail\(stripslashes\(\$jubd\)\,\s+stripslashes\(\$kolp\)\,\s+stripslashes\(\$tramns\)\)\;.+?\.\$vas\;\}/is,
qr/<\?php\s+\@ini_set\(\'mbstring\.http\_output.+?mb\_regex\_encoding\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\'key\'\]\).+?\(eval\(base64\_decode\(file\_get\_contents\(\'php\:\/\/input\'\)\)\)\)\;\s+\}\s+?>/is,
qr/<\?php\s+if\(isset\(\$\_GET\[.+?FilesMan.+?\?>/is,
qr/<\?php\s+\$\{\".=?\.convertIpToString\(.+?\"\]\}\;\}\s+\?>/is,
qr/<\?php\s+\$android\s+=\s+strpos\(.+?\$rand_url;\?>\s+\">/is,
qr/eval\(decodeURIComponent\(\'\%0D.+?\%0A\'\)\);/is,
qr/<\?php\s+\#73c5ef\#\s+\/\*\*\s+\*\s+\@package\s+Akismet.+?\#\/73c5ef\#\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+Array\(\'1\'\=\>\'E\'\,\s+\'0\'\=\>\'X\'\,\s+\'3\'\=\>\'8\'.+?return\s+base64\_decode\(\$.+?eval\(.+?\)\)\;\?>/is,
qr/<\?php\s+\$\{\".+?\"\]\}\[\]=strval\(substr\(\$.+?\}=array_merge\(\$\_COOKIE\,\$\_POST\,\$\_FILES\);foreach\(\$\{\$\{\".+?\=create\_function\(\"\"\,\$.+?\(\)\;\}\s+\?>/is,
qr/<\?php\s+whrapps\;\$crfl\=\'C\'\;.+?\/\'SCNNT\&\/\'\;\?>/is,
qr/eval\(base64\_decode\(aWYgKHN1YnN0c.+?GUiKTsKfSAg\)\)\;/is,
qr/<\?php\s+header\(\"Expires\:\s+Mon\,\s+26\s+Jul\s+1997.+?\}\s+\#\/([A-z0-9]{6})\#/is,
qr/<\?php\s+\$auth\_pass\s+\=.+?\;\s+\?><\?php\s+eval\(gzuncompress\(base64\_decode\(\".+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$wSRHOj\=\'str\_ro\'\.\#Oqq\.\s+\'t13\'\;\s+\$NyJzoD\s+\=\s+\$wSRHOj\(\'bo\_\'\.\#Oqq\.\s+\'fgneg\'\)\;\s+\$NyJzoD\(\)\;\s+\?>/is,
qr/<\?php\s+\/\*\s+copyright\s+\*\/\s+\$\{.+?\)\;echo\s+str\_replace\(.+?\]\}\)\;exit\;\}\s+\/\*\s+copyright\s+\*\/\s+\?>/is,
qr/<\?php\s+\/\*\s+copyright\s+\*\/.+?\)\/\*\s+copyright\s+\*\/\s+\?>/is,
qr/\$pol\=\".+?\(\)\;\}/is,
qr/<\?php\s+\/\/\s+Silence\s+is\s+golden\..+?\(\)\;\}/is,
qr/<\?php\s+\/\*\*\s+\*\s+The\s+WordPress.+?\@\$tinymce\_version\(\$required\_php\_version\)\;/is,
qr/<\?php\s+if\s+\(\!isset\(\$sRetry\)\).+?curl\_close\(\$stCurlHandle\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html\=implode\(\".+?\)\)\)\;\s+\?>/is,
qr/if\(empty\(\$r\)\)\s+\{\s+\$r\s+\=\s+\"\s+<script\s+type\=.+?<\/script>\s+\"\;\s+echo\s+\$r\;\s+\}/is,
qr/<\?php\s+\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\#\#\#\s+\?>/is,
qr/<\?php\s+\/\*\s+Help\s+\\*\/.+?\=base64\_decode\(\$.+?\"\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(substr\(md5\(reset\(\$\_COOKIE\)\)\,\s+0\,\s+12\)\=\=.+?file\_put\_contents\(\'w3\_raw\_req\'\,\s+\@gzuncompress\(\@\$.+?\"\)\;\s+\}/is,
qr/<\?php\s+\#79bfd4\#\s+if\(empty\(.+?\;\s+\}\s+\#\/79bfd4\#\s+\?>/is,
qr/<\?php\s+\#fea810\#\s+if\(empty\(.+?\;\s+\}\s+\#\/fea810\#\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+Array\(\'1\'\=\>\'x\'\,.+?\)\)\;\?>/is,
qr/<\?php\s+\$.+?\=\s+Array\(\'1\'\=\>.+?\)\)\;\?>/is,
qr/<\?php\s+\#.+?\#\s+\/\*\*\s+\*\s+\@package\s+Akismet.+?\}\s+\#\/.+?\#\s+\?>/is,
qr/<\?php\s+\$sF\=\"PCT4BA6ODSE\_\".+?\'\]\)\)\;\}\?>/is,
qr/<\?\s+if\(\$\_GET\[\'mode\'\]\=\=\'config\'\)\{echo\'\{pkey\"\s+value\=\"\'\.\$\_GET\[\'key\'\]\.\'\"\}\'\;die\(\)\;\}\s+header\(\'HTTP\/1\.1\s+302\s+Found\'\)\;\s+header\(\'Location\:\s+http\:\/\/serviceusa\.ru\'\)\;\s+\?>/is,
qr/if\s+\(\$\_FILES\[\'F1l3\'\]\)\s+\{move\_uploaded\_file\(\$\_FILES\[\'F1l3\'\]\[\'tmp\_name\'\]\,\s+\$\_POST\[\'Name\'\]\)\;\s+Exit\;\}/is,
qr/<\?php\s+\/\*mx\_start\*\/.+?\/\*mx\_end\*\/\s+\/\*mx\_orig\_start\s+mx\_orig\_end\*\/\s+\?>/is,
qr/<head>.+?<title>Hacked\s+by.+?show\_artwork\=true\"><\/iframe>\"/is,
qr/<\?php.+?Joomla\.Plugin\.System.+?COOKIE\[\'ContentJQ3\'\]\;PluginJoomla\;/is,
qr/<\?php\s+\$qV\=\"stop\_\".+?\'\]\)\;\}\?>/is,
qr/\/\/istart.+?\/\/iend/is,
qr/\/eAccelerate\s+Caching\s+System.+?\<\!\-\-check\:\'\.md5\(\$\_GET\[\'fccheck\'\]\)\.\'\-\-\>\'\)\:\(\'\'\)\)\.\$output\;\}/is,
qr/<IfModule\smod\_rewrite\.c>\s+RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*\(google\|ask\|yahoo.+?phpinfo\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is,
qr/<script\s+type\=\'text\/javascript\'\>var\s+\_0xcda6.+?\/sTDS.+?\_0xcda6\[9\]\]\=loc\}\;\<\/script\>/is,
qr/<script>d\=Date\;d\=new.+?if\(1\)q\=ss\;if\(zz\)e\(q\)\;<\/script>/is,
qr/<\!\-\-\s+\~\s+\-\-><u\s+style\=display\:none>.+?<\/u><\!\-\-\s+\~\s+\-\->/is,
qr/<script\s+type\=\'text\/javascript\'>var\s+\_0x166d\=\[.+?getCookie\(\_0x166d.+?setCookie\(\_0x166d\[14\]\,2\,24\)\}\}\;<\/script>/is,
qr/<\?php\s+\/\*\*\/eval\(base64\_decode\(.+?\=\'\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(base64\_decode\(\'ZXJy.+?NCn0\=\'\)\)\;\?>/is,
qr/<\?php\s+\$NEpj4015.+?\,\"736\"\);/is,
qr/<\?php\s+function.+?\)\{return\s+str\_replace\(\$.+?function.+?\)\{return\s+str\_replace\(\$.+?function.+?\)\{return\s+str\_replace\(\$.+?\=\=\'\)\;\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$buffer\s+\=\'.+?\$buffer\.\=.+?eval\(\$\_b\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$s\_pass\s+\=.+?\$s\_func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\".+?\;\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$.+?\$s\_pass\)\;\?>/is,
qr/<\?\s+eval\(gzuncompress\(base64\_decode\(\'eNpku.+?F9hzE0C\'\)\)\)\;\s+\?>/is,
qr/<script\s+type\=\'text\/javascript\'>var\s+\_\_ae84.+?setCookie\(\_\,2\,24\)\}\}\;<\/script>/is,
qr/<\?php\s+if\(isset\(\$\_GET.+?\;eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$.+?\)\)\)\)\;\}\s+else\s+\{echo\s+\'\'\;\}/is,
qr/if\(isset\(\$\_GET.+?\"Done\"\s+\)\s+\{if\(\@copy\(\$\_FILES.+?else\s+\{echo\s+\'<title><\/title>\'\;\}/is,
qr/<div\s+style\=\"display\:\s+none\;\">\s+<a\s+href\=\"http\:\/\/.+?<\/a>\s+<\/div>/is,
qr/GIF89a.+?\*\/\s+class\s+PlgSystemInstantSuggest.+?\$suggest\s+\=\s+new\s+PlgSystemInstantSuggest\;/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS.+?\$ua\=strtolower\(\$\_SERVER.+?\/epreg\_replace.+?\-1\;\s+\?>/is,
qr/<\?php\s+function\s+query\_str\(\$params\)\{.+?Hadidi44.+?<\/body>\s+<\/html>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$rhs\s+=.+?eval\(gzinflate\(str\_rot13\(base64\_decode\(\$rhs\)\)\)\)\;/is,
qr/<\?\s+eval\(gzinflate\(base64\_decode\(\'7L17X.+?yPw\=\=\'\)\)\)\;\s+\?>/is,
qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(\'7X1se9pV8vDfv2ye.+?wCYQC75yOWHoJm4sbn99v8D\'\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(base64_decode\(\"JGFsaWVuPSIkX.+?QiIsIi4iKTsNCn0\=\"\)\)\;\s+\?>/is,
qr/<div\s+style\=\"display\:none\;\"><iframe\s+src\=\"http\:\/\/.+?><\/iframe><\/div>/is,
qr/echo\s+\"<div\s+style\=.+?display\:none\;.+?><iframe\s+src\=.+?http\:\/\/.+?\"\s+><\/iframe><\/div>\"\;/is,
qr/<\?\s+\$GLOBALS\[\'\_.+?\_\'\]\=Array\(base64\_decode\(.+?\)\)\;\}/is,
qr/<iframe\s+style\=\"visibility\:\s+hidden\;\s+display\:\s+none\;\s+display\:\s+none\;\"\s+src\=\"\/.+?\"><\/iframe>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS.+?1;\s+\?>/is,
qr/<script\s+type\=\"text\/javascript\">\s+document\.write\(\'<\'\s+\+\s+\'di\'\s+\+\s+\'v\s+sty\'\s+\+\s+\'le\=\".+?<script\s+type\=\"text\/javascript\">document\.write\(\'<\/d\'\s+\+\s+\'iv>\'\)\;<\/script>/is,
qr/<\?php\s+\$\{.+?\}foreach\(\$\_COOKIE\s+as\$\{\$\{.+?foreach\(\$\_POST\s+as\$\{\$\{.+\?\=\>\@phpversion\(\)\,.+?\]\)\;\}\}\s+\?>/is,
qr/<script\s+type\=\'text\/javascript\'>eval\(function\(p\,a\,c\,k\,e\,d\).+?sTDS\'\.split\(\'\|\'\)\)\)<\/script>/is,
qr/<title>F\.\s+MICROSOFT<\/title>.+?exit\;/is,
qr/\}\s+\}\s+\@ini\_set\(\'error\_log\'\,NULL\)\;.+?call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'a\'\]\)\;\s+exit\;/is,
qr/<\?php\s+\$testa\s+=\s+\$\_POST\[\'veio\'\]\;.+?<\/form>\s+<\/body>/is,
qr/<\?php\s+echo\s+\'\[tes\'\.\'tou\]\-\'\;\s+\$uname\s+\=\s+\@php\_uname\(\)\;/is,
qr/<\?php\s+\/\*\*\s+\*\s+Class\s+viaWorm.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;\s+\}/is,
qr/<\?php\s+error\_reporting\(0\);eval\(\"if\(isset.+?\&\&\s+\(md5.+?\&\&\s+isset.+?php\_code\'\]\)\)\s+\{\s+eval\(stripslashes.+?php\_code\'\]\)\);\s+exit\(\);\s+\}\"\);\s+\?>/is,
qr/<\?php\s+echo\s+\"<html><head>\s+<style>.+?if\(strtoupper\(substr\(PHP\_OS\,\s+0\,\s+3\)\s+\)\s+\=\=\s+\"WIN\"\).+?echo\s+\"<\/body><\/html>\";/is,
qr/\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\=\#\#\#/is,
qr/<\?php\s+\?>/is,
qr/\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\=\#\#\#/is,
qr/<iframe\s+src\=http\:\/\/.+?frameborder\=\"0\"\s+width\=\"0\"\s+height\=\"0\"\s+scrolling\=\"no\"\s+name\=counter><\/iframe>/is,
qr/<\?php\s+\$\{.+?\;global\$auth\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$.+?\]\)\;\}\}/is,
qr/<\?php\s+\$\{.+?exit\(\);function\s+http\_request\_custom\(\$params\)\{\$.+?\=trim\(array\_pop\(\$\{\$.+?\}\;\}\s+\?>/is,
qr/<html><head><meta.+?maps.google.com\/maps.+?groups.google.com.+?<\/body><\/html>/is,
qr/<u\s+style=\"position\:\s+absolute;\s+left:\s+\-.+?height:\s+1.0;\s+width:\s+1.0;\s+overflow:\s+hidden;\s+font-size:\s+1.0;\">.+?<\/u>/is,
qr/<u\s+style=\"position:\s+absolute;\s+left:.+?<\/u>/is,
qr/<u\s+style=\"position:\s+absolute;\s+height:\s+1px.+?<\/u>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[.+?\]\)\)\{eval\(base64\_decode\(\$\_REQUEST\[\.+?\]\)\)\;\}\?>/is,
qr/<\?php\s+\$data\=array\(.+?code\=\"\"\;foreach\s+\(\$data\s+as\s+\$var\)\{\s+\$code\.\=chr\(\$var\)\;\}\s+eval\(\$code\)\;\s+unset\(\$data\)\;\s+unset\(\$code\)\;\s+\?>/is,
qr/<\?php\s+\$Q7DEEB2D14037F44EB2EF018C25FC0D28\=.+?\=\=\"\;eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$Q7DEEB2D14037F44EB2EF018C25FC0D28\)\)\)\)\;\?>/is,
qr/<\?php\s+\$.+?######e#######v######a####l#####\(#############bas#####e6#######4####_###d###e###############c##########o#d#####e##\(####.+?\=str_replace\(\'#\'\,\s+\'\'\,\s+\$.+?\=create_function\(\'\'\,\$.+?\(\)\;\s+\?>/is,
qr/<\?php\s+\$auth_pass.+?\$default_charset\s+=\s+\'Windows-1251\';\s+extract\(array\(\"default_action\"\s+\=\>\s+\'FilesMan\'\,\s+\'default_use_ajax\'\s+\=\>\s+true\)\)\;.+?preg_replace\(\$CC\,\$AA\,\"\.\"\)\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[\"mailto\"\]\)\).+?base64_decode\(\$_POST\[\"mailto\"\]\);.+?echo\s+\"sent_error\";\s+\?/is,
qr/<\?php\s+if\s+\(\$mode\=\=\'upload\'\)\s+\{\s+if\(is_uploaded_file\(\$_FILES\[\"filename\"\]\[\"tmp_name\"\]\)\).+?echo\s+\$_FILES\[\"filename\"\]\[\"name\"\];\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$.+?=\s+array\(.+?=\s+strrev\(\'edoced_46esab\'\);\$.+?=\s+strrev\(.+?\);eval\(\$.+?\(implode\(\'\'\,\$.+?\)\)\)\);\s+\?>/is,
qr/<\?php\s+\$.+?=\s+array(.+?);eval\(.+?\);\?>/is,
qr/<\?php\s+\$.+?=\s+\"e\/\*\.\/\";\s+preg_replace\(strrev\(\$.+?\"\,\"\.\"\);\?>/is,
qr/<\?php\s+\$.+?=\s+array\(.+?\);preg_replace\(\"\/\.\*\/e\"\,.+?\"\,\"\.\"\);\?>/is,
qr/\/\/istart.+?\/\/iend/is,
qr/<\!doctype.+?<title>Coppermine.+?<div\s+id=.+?<script\s+language\=\"javascript\">function.+?<\/script>.+?<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\*\s+\*\s+WordPress\s+GD\s+Image\s+Editor.+?\$GD_get_img\s+=\s+\"p\"\.\s+\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";.+?\$GD_step4\)\;\s+\?>/is,
qr/<\?php\s+\$array\s+=\s+array\(\'.+?=\s+implode\(\"\"\,\s+\$array\)\;\$.+?eval\(\$.+?\)\)\)\);\?>/is,
qr/\#\!\/usr\/bin\/perl.+?\#\s+Do\s+login\s+authentication\s+subroutine.+?\#EOF/is,
qr/<\?php\s+\$.+?;eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is,
qr/<\?php.+?\$EmailTemporario\s+=\s+\$email\[\$i\];.+?Safe\s+Mode:\s+<\?php\s+echo\s+\$safe_mode\s+=\s+\@ini_get\(\'safe_mode\'\);\s+\?>.+?<\/form>/is,
qr/<\?php\s+\@ignore_user_abort\(true\);.+?\@eval\(\$.+?\@realpath\(\"\"\)\.DIRECTORY_SEPARATOR.+?404\s+Not\s+Found.+?\?>/is,
qr/\#\!\/usr\/bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is,
qr/<\?php\s+\/\*\*.+?\$https_in\s+=\s+\".+?\"\);\s+\?>/is,
qr/<html>\s+<head>.+?if\(is_uploaded_file.+?move_uploaded_file.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\/\s+\/\/\s+DK\s+Shell.+?preg_replace\(\"\/\.\*\/e\"\,.+?\?>\s+<\?\s+eval\(base64_decode\(.+?\)\);\s+\?>/is,
qr/<\?php\s+\$.+?\]\.\$.+?\]\.\$.+?\]\.\$.+?\]\.\$.+?\"\.chr\(.+?\"\.chr\(.+?\"\.chr\(.+?\"\.chr\(.+?\,\".+?\"\);/is,
qr/<\?php\s+\@ini_set\(\'max_execution_time\'\,0\);.+?\}\}echo\s+\'rahui\#\'\,\$maxlen\,\'\#rahui\';\s+\?>/is,
qr/<\?php.+?randomId.+?Access\s+Denied.+?wproPreviewHTML.+?\?>/is,
qr/<\?php.+?md5\(IMAILpassword\);.+?base64_decode.+?\?>/is,
qr/<\?php\s+session_start\(\);.+?value=\'Ввойти\'><br><\/form>.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+error_reporting\(0\);.+?ping.+?ping_host.+?random_user_agent\(\).+?false\";\}\s+\}/is,
qr/<\?php\s+\/\*\s+Help.+?support.+?=base64_decode\(\$.+?\@gzinflate\(strrev\(\$.+?create_function\(\'\$.+?\}\s+\?>/is,
qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html=implode\(.+?\$keywords=implode\(.+?array_unshift\(\$data.+?if\(isset\(\$_COOKIE\[\'google\'\]\)\).+?if\(strtolower\(substr\(PHP_OS\,0\,3\)\)==\'win\'\)\s+\$.+?\?>/is,
qr/<\?php\s+\/\*.+?class\s+RSSInitEx.+?getCMS\(\);.+?new\s+RSSInitEx\(\);\s+\?>/is,
qr/if\s+\(isset\(\$_REQUEST\[\'FILE\'\]\)\)\{\$_FILE\s+=\s+\$_REQUEST\[\'.+?\'\]\(\'\$\_\'\,\$_REQUEST\[\'FILE\'\]\.\'\(\$\_\);\'\);\s+\$_FILE\(stripslashes\(\$_REQUEST\[\'HOST\'\]\)\);\}/is,
qr/<\?php\s+\/\*\*\s+\*\s+Creates.+?\/\*\s+WARNING:.+?\*\/\s+error_reporting\(0\);eval\(base64_decode\(.+?\)\);\s+\?>/is,
qr/<\?php\s+\$.+?=array\(.+?\)\{return\s+str_replace\(\$.+?\)\{return\s+str_replace\(\$.+?\)\{return\s+str_replace\(\$.+?\);\?>/is,
qr/<\?php\s+\$.+?=\s+array\(.+?=\s+array\(.+?=\s+array\(.+?if\s+\(\!function_exists\(.+?\)\)\{\s+function.+?=\s+\'\';foreach\(\$.+?\.=\s+chr\(\$.+?\}return\s+\$.+?\);\}\?>/is,
qr/<\?php\s+function.+?\)\{return\s+str_replace\(\$.+?\);\}\s+function.+?\)\{return\s+str_replace\(\$.+?\);\}\s+function.+?\)\{return\s+str_replace\(\$.+?\.\'\)\);\'\);\s+\$.+?\=\=\'\);/is,
qr/<\?php\s+header\(\"Cache-Control\:.+?echo\s+\"<form\s+id=\'myLink\'.+?\.submit\(\);<\/script>\";/is,
qr/<\?php\s+function.+?\)\{return\s+str_replace\(\$.+?\);\}\s+function.+?\)\{return\s+str_replace\(\$.+?\);\}\s+function.+?\)\{return\s+str_replace\(\$.+?\.\'\)\);\'\);\s+\$.+?\'\);/is,
qr/<\?php\s+\/\*\s+copyright\s+\*\/\s+\$\{.+?exit;\}\}\s+\/\*\s+copyright\s+\*\/\s+\?>/is,
qr/<\?php\s+eval\(base64_decode\(\'Ly92ZXJ.+?I7Cn0KCg==\'\)\);/is,
qr/<\?php\s+\@preg_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$_POST\[.+?\]\,\s+\'\'\);.+?\?>/is,
qr/<\?php\s+\$base=base64_decode\(\"aWY.+?=\"\);\s+eval\(\$base\);\s+\?>/is,
qr/<\?php\s+\/\*.+?\*\/\s+error_reporting\(0\);\s+\@ini_set\(\'error_log\'\,NULL\);\s+\@ini_set\(\'log_errors\'\,0\);\s+\@ini_set\(\'display_errors\'\,\'Off\'\);\s+\@eval\(\s+base64_decode\(.+?=\'\)\);\s+\@ini_restore\(\'error_log\'\);\s+\@ini_restore\(\'display_errors\'\);\s+\/\*.+?\*\/\s+\?>/is,
qr/<\?php\s+eval\(base64_decode\(\$_POST\[\'[A-z0-9]{7}\'\]\)\);\?>/is,
qr/<\?php\s+\$post_var\s+=\s+\"req\";\s+if\(isset\(\$_REQUEST\[\$post_var\]\)\)\s+\{\s+eval\(stripslashes\(\$_REQUEST\[\$post_var\]\)\);\s+exit\(\);\s+\};\s+\?>/is,
qr/\#([A-z0-9]{6})\#.+?\@package\s+Akismet.+?\#([A-z0-9]{6})\#/is,
qr/<tag([A-z0-9]{10})><\/tag([A-z0-9]{10})><script>eval\(function\(p\,a\,c\,k\,e\,d\).+?<\/script><tag([A-z0-9]{10})><\/tag([A-z0-9]{10})>/is,
qr/<\?php.+?127\.0\.0\.1\/1\.php\?exec\&cmd\=id.+?echo\s+\"Deleted\!\";.+?\?>/is,
qr/\$SafeMode\s+=\s+\@ini_get\(\'safe_mode\'\);.+?echo\s+\$uname\.\$SafeMode;\s+\?>/is,
qr/SexCrime\s+<\?php\s+eval\(gzinflate\(str_rot13\(base64_decode\(.+?\)\)\)\);\s+\?>/is,
qr/<script\s+type=\'text\/javascript\'>var\s+a=\"\'1Aqapkrv\'1G\'2Cdwlavkml\'02rcpqgWPN\'0\:wpn\'0.+?2C\'1A\-qapkrv\'1G\";b=\"\";c=\"\";var\s+clen;clen=a\.length;for\(i=0;i<clen;i\+\+\)\{b\+=String\.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c=unescape\(b\);document\.write\(c\);<\/script>/is,
qr/<script\s+type=\'text\/javascript\'\s+src=\"http:\/\/gccanada\.com\/jquery\.js\"><\/script>/is,
qr/<\?php\s+\$s=\'str_r\'\.\'o\'\.\'t13\';\s+\$c0\=\_\_FILE\_\_;.+?eval\(\$c\)\);\s+\$f\(\);\s+exit;\s+\?>/is,
qr/<iframe\s+thodm=.+?src=\'http\:\/\/.+?width=\'0\'\s+height=\'0\'\s+style=\'display\:none\'><\/iframe>/is,
qr/<\!--([A-z0-9]{6})--><script\s+type=\"text\/javascript\"\s+src=\"http\:\/\/.+?><\/script><\!--\/([A-z0-9]{6})-->/is,
qr/<\!--\s+Start\s+McAfeeSecure\s+Code\s+-->.+?<\!--\s+End\s+McAfeeSecure\s+Code\s+-->/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"ynFS\"\]\)\)\{eval\(base64_decode\(\$\_REQUEST\[\"ynFS\"\]\)\);\}\?>/is,
qr/<\?php\s+\/\*\s+b374k\s+2\.8.+?\@\$b374k\(.+?\,\$s\_pass\);\?>/is,
qr/<html>\s+<head>\s+<title>SH<\/title>.+?print\s+\"<\/table><\/div>.+?;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$moon\=.+?\$moon\=base64_decode\(\$moon\);\s+if\(\$moon\)\{\s+eval\(\$moon\);\s+\}\s+\?>/is,
qr/<\?php\s+\@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]\=\>1\)\,\@array\(\(string\)stripslashes\(\$_REQUEST\[\'re_password\'\]\)\=\>2\)\,\$_REQUEST\[\'login\'\]\);\s+\?>/is,
qr/<\?php\s+\$auth_pass.+?\$default_action\s+\=\s+base64_decode\(\'RmlsZXNNYW4\=\'\);.+?\)\);\s+return;\s+\?>/is,
qr/<\?php\s+\$tds=.+?\$tdsip=\"\";\s+\$lin=.+?\$esdid=.+?\$key=.+?;\s+\?>/is,
qr/<\?php\s+\/\/WGBTWG\/\/\s+\?>/is,
qr/<\?php.+?=strrev\(\"edoced_46esab\"\);\$tkc=.+?eval\(\$.+?\(\$tkc\)\);\s+\?>/is,
qr/<\?php\s+eval\(base64_decode\(\'aWYo.+?\=\=\'\)\);\s+\$.+?\#\#.+?\#\#.+?\#\#.+?\;\?>/is,
qr/<\?php\s+eval\(base64_decode\(\'aWYo.+?\=\=\'\)\);/is,
qr/\#([A-z0-9]{6})\#\s+error_reporting\(0\);\s+\@ini_set\(\'display_errors\'\,0\);\s+\$.+?elseif\s+\(function_exists\(\'file_get_contents\'\)\s+\&\&\s+\@ini_get\(\'allow_url_fopen\'\)\).+?\;\s+\}\s+\#\/([A-z0-9]{6})\#/is,
qr/eval\(gzinflate\(base64_decode\(\'y0zTyCwu.+?MEg0gXQsA\'\)\)\);/is,
qr/GIF89GHZ\s+<\?php\s+eval\s+\(gzinflate\(base64_decode\(str_rot13\(.+?\=\"\)\)\)\);\s+\?>/is,
qr/<\?php\s+\/\/\#\#.+?\/\/Jijle3.+?\#\#\s+eval\(.+?\?>/is,
qr/if\s+\(document\.referrer\.toLowerCase\(\)\.indexOf\(.+?<\/script>\s+HTML;\s+exit;\s+\}\s+\}\s+\}\s+\}\s+\}/is,
qr/<\?php\s+\$a\s+\=\s+\"a\"\.\"s\"\.\"s\"\.\"e\"\.\"r\"\.\"t\";\s+\$a\(\$_POST\[.+?\]\);\s+\?>/is,
qr/<\?php\s+if\(\@\$_COOKIE\[.+?\]\)\{\$.+?\=\$_COOKIE\[.+?\]\(\"\"\,\@\$_COOKIE\[.+?\]\(\@\$_COOKIE\[.+?\]\)\);\$.+?\(\);\}\?>/is,
qr/\#\s+BEGIN\s+SYSTEM\s+API\s+RewriteEngine\s+on.+?\.php\?\$1\s+\[L\]\s+\#\s+END\s+SYSTEM\s+API/is,
qr/<\?php\s+\/\*\*\/\s+eval\(base64_decode\(\"aWYoZnV.+?yb2JoJyk7ICB9ICB9\"\)\);\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+Error\s+Publishing\s+Protocol.+?\@eval\(gzinflate\(base64_decode\(\$error\)\)\);/is,
qr/<\?php\s+\@error_reporting\(0\);\s+if\s+\(\!isset\(\$eva1fYlbakBcVSir\)\).+?\$eva1tYidokBoVSjr\s+=\s+\$eva1tYlbakBcVSir;\}\s+\?>/is,
qr/<\?php\s+\$.+?\=\"b\"\.\"ase\"\.\"64\_de\"\.\"code\";eval\(\$.+?\=\"\)\);/is,
qr/\/\*visitorTracker\*\/\@ob_start\(\);\@ini_set\(\"display_errors\"\,0\);\@error_reporting\(0\);echo\s+base64_decode\(.+?\);\/\*visitorTracker\*\//is,
qr/<\?php\s+\(\$www=\s+\$_POST\[\'ice\'\]\)\s+\&\&\s+\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s+\'add\'\);\?>/is,
qr/<\?php\s+echo\s+\"31337.+?echo\s+php_uname\(\)\..+?echo\s+getcwd\(\);.+?<b>Failed\";\}\}\}\?>/is,
qr/<\?php\s+eval\(\$_REQUEST\[cmd\]\);\s+\?>/is,
qr/<\?php\s+\$_f___f=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$_f___f=\$_f___f\(str_replace\(.+?<input\s+type=\"submit\"\s+value=\"\&gt;\"\/><\/form>/is,
qr/<\?php\s+\$\{.+?setcookie\(\$\{\$.+?\=\>WSO_VERSION\,.+?\]\);exit;/is,
qr/<\?php\s+\$c_\=false;mkdir\(\'cms\'\);touch\(\'cms\'\,mktime\(12\,17\,11\,12\,20\,2014\)\);\$c0=\".+?<br><br>\";unlink\(\$c5\);/is,
qr/<\!\-\-visitorTracker\-\->.+?<\!\-\-visitorTracker\-\->/is,
qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(true\)\s+\{\$csymbolz\=\"e.+?\$csymbolz\,\"\"\);\}\s+else\s+\{echo\s+\'\';\}/is,
qr/<\?php\s+function.+?\=\s+\'\';\s+for\(\$i=0;\s+\$i\s+\<\s+strlen\(\$.+?\=\"base64_decode\";return\s+\$.+?\=\s+Array\(\'1\'\=\>\'o\'.+?\)\);\?>/is,
qr/<script\s+type=\"text\/javascript\">var\s+a=\"\'1Aqapkrv\'.+?2C\'1A\-qapkrv\'1G\";b=\"\";c=\"\";var\s+clen;clen=a\.length;for\(i\=0;i\<clen;i\+\+\)\{b\+=String.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c=unescape\(b\);document.write\(c\);<\/script>/is,
qr/if\s+\(\$_REQUEST\[\'param1\'\]\&\&\$_REQUEST\[\'param2\'\]\)\s+\{\$f\s+=\s+\$_REQUEST\[\'param1\'\];\s+\$p\s+=\s+array\(\$_REQUEST\[\'param2\'\]\);\s+\$pf\s+=\s+array_filter\(\$p,\s+\$f\);\s+echo\s+\'OK\';\s+Exit;\}/is,
qr/\/\*visitorTracker\*\/.+?return\s+false;\s+\}\/\*visitorTracker\*\//is,
qr/\/\*\s+CACHESET\s+\*\/\s+eval\(base64_decode\(.+?\)\);\s+\/\*\s+\/CACHESET\s+\*\//is,
qr/<\?php\s+\$\_F=\_\_FILE\_\_;\$\_X=.+?;\$\_D=strrev\(\'edoced_46esab\'\);eval\(\$\_D\(.+?\)\);\?>/is,
qr/<html><script\s+language\=\"php\">eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(.+?<\/script><head><meta\s+content=\"Hacked\s+By\s+FasT\s+ReaCtoR\".+?<script>window\.stop\(\);<\/script>/is,
qr/\/\/\#\#\#\=\=\#\#\#\s+error\_reporting\(0\);\s+\$strings\s+\=\s+\"as\"\;\$strings\s+\.\=\s+\"sert\"\;\s+\\@\$strings\(str\_rot13\(\'riny\(onfr64\_qrpbqr\(.+?\)\)\;\'\)\)\;\s+\/\/\#\#\#\=\=#\#\#/is,
qr/<\?php\s+\$pathToDor\s+\=\s+\"\/report\";\s+\$template\s+\=\s+\'sportal\';\s+eval\(.+?\"\);/is,
qr/<\!DOCTYPE\s+html\s+PUBLIC\s+\"\-\/\/W3C\/\/DTD\s+HTML\s+4\.01\/\/EN\"\s+\"http\:\/\/www\.w3\.org\/TR\/html4\/strict\.dtd\">\s+\&nbsp;<html><head><title>HaCkEd\s+By.+?<\/html>/is,
qr/<\!doctype\s+html>\s+<head>\s+<title>Hacked\s+by\s+Team\_CC\s+\|\|\s+Kazi\s+Shaheb<\/title>.+?<\/body>\s+<\/html>/is,
qr/<\?\s+\$GLOBALS\[\'\_httpd_cnf\_\'\]\=Array\(base64\_decode\(\.+?\)\,base64\_decode\(.+?\)\,base64\_decode\(.+?\)\);\s+\?><\?\s+function\s+httpd_cnf\(\$i\)\{\$a\=Array\(.+?\);return\s+base64\_decode\(\$a\[\$i\]\);\}\s+\?><\?php\s+\$GLOBALS\[\'\_httpd\_cnf\_\'\]\[0\]\(httpd\_cnf\(0\)\,httpd\_cnf\(1\)\);\$GLOBALS\[\'\_httpd\_cnf\_\'\]\[1\]\(round\(0\)\);if\(\$_GET\[httpd\_cnf\(2\)\]\=\=\s+httpd\_cnf\(3\)\)\{\$a\=\$GLOBALS\[\'\_httpd\_cnf\_\'\]\[2\]\(httpd\_cnf\(4\)\);eval\(\$a\);exit;\}\s+\?>/is,
qr/<iframe\s+name\=Twitter\s+scrolling\=auto\s+frameborder\=no\s+align\=center\s+height\=2\s+width\=2\s+src\=http\:\/\/.+?><\/iframe>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\"BcFJkqowAADQu.+?P4H\"\)\)\);\s+\?>/is,
qr/<\?php.+?\/\*\*\s+\*\s+The\s+GNU\s+General\s+Public.+?preg\_replace\(\"\/\[.+?\]\*\.\+\[.+?\]\*\/ei\"\,str\_replace\(\"\s+\"\,\"\"\,\".+?\'\);\s+\?>/is,
qr/<\?php\s+\$p\=array\(\);foreach\(\$\_POST\s+as\s+\$x\=\>\$y\)\$p\[\]\=\$x\.\"\:\"\.base64_encode\(\$y\);\$fp\=\@fopen\(str\_replace\(\"\.php\"\,\"\.txt\"\,basename\(\$\_SERVER\[\"SCRIPT\_FILENAME\"\]\)\)\,\"a\"\);\@fputs\(\$fp\,time\(\)\..+?\.\$\_SERVER\[\"REMOTE\_ADDR\"\]\..+?\.\$\_SERVER\[\"REQUEST\_URI\"\]\..+?\.\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\..+?\.\$\_SERVER\[\"HTTP\_REFERER\"\]\..+?\.implode\(\$p\,\"\s+\"\)\..+?\);\s+\@fclose\(\$fp\);\s+\?>/is,
qr/<div\s+id\=\"links\">\s+<a\s+href\=\"http\:\/\/www\..+?<\/a>\s+<\/div>\s+<script>document\.getElementById\(\"links\"\)\.style\.display\=\"none\"<\/script>/is,
qr/echo\s+\"<script\s+type\=\'text\/javascript\'\s+src\=\'http\:\/\/.+?wp\-logo\.js\'><\/script>\";/is,
qr/\$z\=get\_option\(\"\_site\_transient\_browser\_([A-z0-9]{32})\"\);\s+\$z\=base64\_decode\(str\_rot13\(\$z\[\'\'\]\)\);\s+if\(strpos\(\$z\,\"([A-z0-9]{1,99})\"\)\!\=\=false\)\{\s+\$\_z\=create\_function\(\"\"\,\$z\);\s+\@$\_z\(\);\s+\}/is,
qr/<\?php\s+\/\/\#\#\#\#\#\#\s+\@assert\(str\_rot13\(\'riny\(onfr64\_qrpbqr\(.+?\)\)\;\'\)\)\;\s+\/\/\#\#\#\#\#\#\s+\?>/is,
qr/<\?php\s+eval\s+\(\s+base64\_decode\s+\(\"IGlm.+?cm47IH0g\"\)\s+\);\s+\?>\s+<\!\-\-([A-z0-9]{32})\-\->/is,
qr/<\?php\s+\@error\_reporting\(0\);\s+\@ini\_set\(\'error\_log\'\,NULL\);\s+\@ini\_set\(\'log\_errors\'\,0\);\s+if\s+\(count\(\$\_POST\)\s+\<\s+2\)\s+\{\s+die\(PHP\_OS\.chr.+?\=\s+\"X\-Priority\:\s+3\s+\(Normal\).+?if \(\!in\_array\(\'fsockopen\'\,\s+\$.+?\)\s+\=\=\=\s+0\)\s+return\s+\'127\.0\.0\.1\';\s+\$.+?\=\s+base64\_decode\(\$.+?return\s+\$([A-z0-9]{1,10})\;\s+\}\s+\?>/is,
qr/<\?php\s+\@error\_reporting\(0\);\s+\@ini\_set\(chr\(([A-z0-9]{1,3})\)\.chr\(([A-z0-9]{1,3})\)\.\'ror\_log\'\,NULL\);\s+\@ini\_set\(\'log\_errors\'\,0\);\s+if\s+\(count\(\$\_POST\)\s+\<\s+2\)\s+\{\s+die\(PHP\_OS\.chr.+?\.\=\s+\"Content\-Transfer\-Encoding\:\s+8bit.+?\]\)\s+\^\s+2\);\s+return\s+\$([A-z0-9]{1,10})\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+GNU\s+GENERAL\s+PUBLIC\s+LICENSE.+?giving\s+you\s+\*\/extract\(\$\_COOKIE\);\/\*\s+copy\,\s+distribute\s+and\/or\s+modify\s+it\..+?which\s+are\s+not\s+\*\/\@\$.+?\(\$A\,\$B\);\/\*\..+?makes\s+it\s+unnecessary\.\s+\*\/\s+\?>/is,
qr/<\?php\s+\$target\_urls\s+\=\s+array\s+\(\s+\'http\:\/\/.+?\$rand\_url\=\$target\_urls\[\$n\];\s+\?>\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"2;\s+url\=<\?php\s+echo\s+\$rand\_url;\?>\s+\">/is,
qr/<\?php\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+([A-z0-9]{1,10})\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\,\s+\"StackRambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,.+?<\/form>\s+\"\;\s+if\s+\(\!function\_exists\(\"posix\_getpwuid\"\)\s+\&\&\s+\!in\_array\(\'posix\_getpwuid\'\,.+?return\s+([A-z0-9]{1,10})\s+\;\s+\}\s+\?>/is,
qr/<\?php\s+header\(\"Content\-Type\:\s+text\/html\;\s+charset\=utf\-8\"\)\;\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;.+?\$fp\=fopen\(\$pathname\.\'\/\'\.\$filename\,\"w\"\)\;.+?unlink\(\$dir\.\'\/\'\.\$child\)\;\s+\}\s+\}\s+\$d\-\>close\(\)\;\s+rmdir\(\$dir\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$func\=\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$func\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\"\'.+?\,\"\.\"\,5\-4\);\s+\?>/is,
qr/<\?php\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$color\s+\=\s+\"\#df5\"\;\s+\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+preg\_replace\(\"\/\.\*\/e\"\,\".+?\"\,\"\.\"\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\".+?eg\_.+?\.chr\(101\)\.\"plac.+?\"\;\?>/is,
qr/<\?php\s+if\(isset\(\$\_GET\[php\]\)\)\{\echo\s+\'<form\s+action\=\"\"\s+method\=\"post\"\s+enctype\=\"multipart\/form\-data\"\s+name\=\"silence\"\s+id\=\"silence\">\';echo\s+\'<input\s+type\=\"file\"\s+name\=\"file\"><input\s+name\=\"golden\"\s+type\=\"submit\"\s+id\=\"golden\"\s+value\=\"Done\"><\/form>\';if\(\$\_POST\[\'golden\'\]\=\=\"Done\"\)\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\]\,\$\_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'\+\';\}else\{echo\'\-\';\}\}\}/is,
qr/<\?php\s+\$root\_path\s+\=\s+get\_root\(\);\s+\$cms\s+\=\s+get\_cms\(\$root\_path\);\s+\$func\s+\=\s+\'do\_backdoor\_\'\.\$cms;\s+\$func\(\$root\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+echo\s+\$\_SERVER\[\'HTTP\_HOST\'\]\.\';;;\';\s+\$domains\s+\=\s+get_domains\(\$root\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+foreach\s+\(\$domains\s+as\s+\$domain\_path\)\s+\{\s+\$tmp\s+\=\s+explode\(\'\/\'\,\s+\$domain\_path\);\s+\$domain\_name\s+\=\s+\(count\(\$tmp\)\s+\>\s+0\)\?\s+\$tmp\[count\(\$tmp\)\s+\-\s+1\]\:\s+\'\';\s+\$cms\s+=\s+get\_cms\(\$domain\_path\);\s+\$func\s+\=\s+\'do\_backdoor\_\'\.\$cms;\s+\$func\(\$domain\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+echo\s+\$domain\_name\.\';;;\';\s+\}\s+function\s+do\_backdoor\_jml1\(\$domain\_path\,\s+\$domain\)\s+{\s+change\_content\_of\_file\(\$domain\_path\.\'\/\.htaccess\'\,.+?function\s+get\_cron\(\)\s+\{\s+return.+?\';\s+\}/is,
qr/<\?php\s+for\(\$o\=0\,\$e\=.+?\$d\=\'\';\@ord\(\$e\[\$o\]\);\$o\+\+\)\{if\(\$o\<16\)\{\$h\[\$e\[\$o\]\]\=\$o;\}else\{\$d\.\=\@chr\(\(\$h\[\$e\[\$o\]\]\<\<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\);\s+\?>/is,
);
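# Empty in this listing; kept so the declaration still exists for any code
# that refers to it.
my @base64_decodes = ();

my @file_list;        # paths in which dir() matched a signature from @regexen
my %possible_list;    # path => note for suspicious files; printed in the summary

# NOTE(review): no access check is visible in this part of the script. Anyone
# who can request this CGI URL starts a scan that rewrites files under the
# site root, so restrict it at the web server (IP allow-list or HTTP auth)
# and remove it once the clean-up is finished.

# Derive the site root from the script's own location: strip the cgi-bin and
# lp-msh-scanner path components, then cut off the script's file name.
my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));

dir($start_dir);

# Paths and notes originate from the scanned tree, which may be under an
# attacker's control, so they are HTML-escaped before being echoed into the
# report page.
my %summary_entity_for = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);
my $escape_summary = sub {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/([&<>"'])/$summary_entity_for{$1}/g;
    return $text;
};

print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
    print $escape_summary->($file) . "<br />\n";
}

print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (sort keys(%possible_list)) {
    print $escape_summary->($key) . ' => '
        . $escape_summary->($possible_list{$key}) . "<br />\n";
}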
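# Recursively scan $start_dir. Every readable text file of at most ~1 MB is
# matched against each signature in @regexen; each match is handed to
# clean_file(), which strips it from the file on disk.
#
# Parameters:
#   $start_dir - directory to scan, without a trailing slash.
# Side effects: prints one HTML progress line per file, appends each infected
#   path to @file_list (once per file), and rewrites infected files through
#   clean_file().
sub dir {
    my ($start_dir) = @_;

    # File and directory names come from a tree that may be compromised, so
    # they are attacker-controlled: escape them before echoing them as HTML.
    my %entity_for = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    my $escape_html = sub {
        my ($text) = @_;
        $text =~ s/([&<>"'])/$entity_for{$1}/g;
        return $text;
    };

    # Read the directory once through a lexical handle; a bareword handle is
    # a package global and would be shared with every recursive call.
    my $dh;
    unless (opendir($dh, $start_dir)) {
        print 'Skipping directory ' . $escape_html->($start_dir) . ': '
            . $escape_html->("$!") . ' <br />';
        return;
    }
    my @entries = readdir($dh);
    closedir $dh;

    my @files   = grep { -T "$start_dir/$_" } @entries;
    my @folders = grep { -d "$start_dir/$_" } @entries;

    # Names and extensions that are never scanned. The extensions are matched
    # as suffixes; comparing the name with a literal such as '*.xls' would
    # only match a file actually called "*.xls".
    # NOTE(review): skipped files are neither scanned nor cleaned, so this
    # list trades detection coverage for speed and for not rewriting data
    # files; review it against what the site can actually execute.
    my %skip_name   = map { $_ => 1 } qw(error_log tcpdf.php);
    my $skip_ext_re = qr/\.(?:xls|doc|pdf|sql|docx|eml|csv|zip|tar\.gz|jpa|rar|tar|gz|mov|avi|mp3|mp4|webm|flv|fla|swf|ini|txt|po|mo)\z/;

    FILE:
    foreach my $file (sort @files) {
        next FILE if $skip_name{$file};
        next FILE if $file =~ $skip_ext_re;

        my $path = "$start_dir/$file";
        print 'Scanning ' . $escape_html->($path) . '... ';

        unless (-r $path) {
            print " Skipping file, unable to read file<br />";
            next FILE;
        }
        my $size = (-s $path) || 0;
        if ($size > 1024000) {
            print " Skipping file, over 1MB<br />";
            next FILE;
        }

        my $fh;
        unless (open($fh, '<', $path)) {
            print ' Unable to read file, ' . $escape_html->("$!") . '<br />';
            next FILE;
        }
        my $contents = do { local $/; <$fh> };
        close $fh;
        $contents = '' unless defined $contents;

        # A file counts as cleaned only if every matching signature was
        # removed and written back; one failure marks the whole file failed.
        my $infected = 0;
        my $cleaned  = 1;
        foreach my $pattern (@regexen) {
            next unless $contents =~ /$pattern/;
            $infected = 1;
            my $removed;
            ($contents, $removed) = clean_file($path, $contents, $pattern);
            $cleaned = 0 unless $removed;
        }

        if (!$infected) {
            print "Not infected<br />\n";
            next FILE;
        }

        # Record the path once, however many signatures matched.
        push @file_list, $path;
        print $cleaned
            ? "<font color='green'>Infected, Cleaned<br /></font>\n"
            : "Infected, Cleaning failed<br />\n";
    }

    foreach my $folder (sort @folders) {
        next if $folder eq '.' || $folder eq '..';

        my $subdir = "$start_dir/$folder";

        # -d follows symbolic links; descending into one can loop back into
        # the tree or lead the cleaner to rewrite files outside the site
        # root, so linked directories are reported and left alone.
        if (-l $subdir) {
            print 'Skipping symlinked directory ' . $escape_html->($subdir)
                . "<br />\n";
            next;
        }
        dir($subdir);
    }
    return;
}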
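# Remove every occurrence of $pattern from $contents and, when none remain,
# write the result back over $file.
#
# Parameters:
#   $file     - path of the file the text was read from.
#   $contents - the file's text as currently held in memory.
#   $pattern  - compiled signature regex (qr//) to strip.
# Returns: ($contents, $cleaned) - the modified text, and 1 if the file on
#   disk was rewritten successfully, 0 if the pattern still matches or the
#   file could not be written.
sub clean_file {
    my ($file, $contents, $pattern) = @_;

    # When the text holds a run of four newlines, collapse every pair of
    # newlines to one before stripping the signature.
    if ($contents =~ /\n{4}/) {
        $contents =~ s/\n\n/\n/g;
    }
    $contents =~ s/$pattern//g;

    # Deleting a match can join the surrounding text into a new match; in
    # that case the file is left untouched and reported as not cleaned.
    return ($contents, 0) if $contents =~ /$pattern/;

    # NOTE(review): the original is overwritten in place with no backup copy.
    # A false-positive match is therefore irreversible and the injected code
    # is lost as evidence; snapshot the tree (outside the web root) before
    # running the cleaner.
    my $fh;
    unless (open($fh, '>', $file)) {
        warn "clean_file: cannot open $file for writing: $!\n";
        return ($contents, 0);
    }
    my $written = print {$fh} $contents;
    my $closed  = close $fh;    # buffered write errors surface at close
    unless ($written && $closed) {
        warn "clean_file: write to $file failed: $!\n";
        return ($contents, 0);
    }
    return ($contents, 1);
}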
1;