2018-05-14 13:46:09 +02:00
#!/usr/bin/perl
use strict ;
use warnings ;
use CGI ;
BEGIN {
$ SIG { __DIE__ } = sub {
my $ msg = shift ;
print "status: 500\n" ;
print "content-type: text/html\n\n" ;
$ msg =~ s/\n/\0/g ;
print "error: $msg\n" ;
CORE:: die $ msg ;
}
}
$| = 1 ;
our $ q = CGI - > new ;
print "Content-type: text/html\n\n" ;
my @ regexen = (
qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/ is ,
qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/ \ /.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is ,
qr/<?php if \(isset\(\$_GET\[\"CONFIG\"\]\)\) if \(.+?md5\(\$_GET\[\"CONFIG\"\]\)\)\{.+?if\(is_uploaded_file\/ \ * ; \ * \ /\(\$_FILES\[.+?\]\)\)\{move_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\);return null;\} \?>/is ,
qr/<\?php extract\(\$_REQUEST\) \&\& \@assert\(stripslashes\(\$([A-z0-9]{1,20})\)\) \&\& exit;/ is ,
qr/<\?php.+?if\(\!function_exists\(\"scandir\"\)\) \{.+?\$currentCMD = str_replace\(.+?Command completed.+?exit;\s+\?>/ is ,
qr/<\?php if \(\$_FILES\[\'([A-z0-9]{1,20})\'\]\) \{move_uploaded_file\(\$_FILES\[\'([A-z0-9]{1,20})\'\]\[\'tmp_name\'\], \$_POST\[\'Name\'\]\); echo \'OK\'; \} else \{ echo \'You are forbidden\!\'; \} \?>/ is ,
qr/<\?php if\( isset\( \$_REQUEST\[\"\w\"\] \) \) \{ system\( \$_REQUEST\[\"\w\"\] \. \" 2>\&1\" \); \}/ is ,
qr/<\?php.+?Hacked by Ammar The-InJx.+?return \$info;\s+\}\s+\?>/ is ,
qr/<\?php\s+if\(\!class_exists\(\'.+?\{\$is_bot=1;\}\$bad_file=array\(\"png.+?AND\@preg_match\(\'\/ bing \ | msn . + ? urldecode \ ( . + ? \ \ x \ w \ w \ " \ ] \ ( \ ) ; \ ? > / is ,
qr/<\?php \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\); \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"q\", \"\", \"qbaqsqeq6q4q_qdqecoqde\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"\", \$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"([A-z0-9]{1,20})\", \"\", \$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\); \$([A-z0-9]{1,20})\(\); \?>/ is ,
2018-05-16 19:02:54 +02:00
qr/<\?php\s+\/ \ * ( [ A - z0 - 9 ] { 1 , 20 } ) \ * \ /\s+if\(md5\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\s+\=\=\=\s+\"([A-z0-9]{32})\"\)\s+\{\s+eval\(base64_decode\(\$\_POST\[\"([A-z0-9_]{1,20})\"\]\)\)\;\s+\}\s+\/\*([A-z0-9]{1,20})\*\/\s+\?>/is ,
2018-05-17 06:35:03 +02:00
qr/<\?php.+?if \(stristr\(php_sapi_name\(\).+?404\);\} exit\(\); \?>/ is ,
qr/<\?php\s+if \(!isset\(\$sRetry\)\).+?\$stCurlLink = base64_decode\(.+?curl_close\(\$stCurlHandle\);.+?\?>/ is ,
qr/eval\(\"\?\>\" \. base64_decode\(.+?\)\); \?>/ is ,
qr/<\?php.+?\$alphabet =.+?exit\(\);.+?\$([A-z0-9]{1,20}) =.+?\"\"\.chr\(.+?\)\.\"\"\.chr\(.+?\)\.\"\\x.+?\]\.\$([A-z0-9]{1,20})\[\d\d\], \$([A-z0-9]{1,20}) ,\"([A-z0-9]{1,20})\"\);/ is ,
2018-05-17 11:11:35 +02:00
qr/<\? echo\(base64_decode\(.+?\)\); \?>/ is ,
2018-05-17 19:18:39 +02:00
qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/ \ . \ * \ /e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is ,
qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/ is ,
qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/ is ,
2018-05-17 19:48:03 +02:00
qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/ script > \ " ; . + ? \ ? > \ s + <\/body> \ s + <\/html> / is ,
qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/ is ,
2018-05-17 20:07:13 +02:00
qr/<html>.+?<body>\s+<script type=\"text\/ javascript \ " > . + ? function ( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ ) \ s + \ { \ s + setTimeout \ ( ( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ ) , ( [ 0 - 9 ] { 1 , 5 } ) \ ) ; \ s + \ } \ s + function ( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ ) \ s + \ { \ s + ( [ A - z0 - 9 ] { 1 , 20 } ) = ( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ ) ; \ s + ( [ A - z0 - 9 ] { 1 , 20 } ) = \ [ ( [ 0 - 9 ] { 1 , 5 } ) , ( [ 0 - 9 ] { 1 , 5 } ) , ( [ 0 - 9 ] { 1 , 5 } ) , ( [ 0 - 9 ] { 1 , 5 } ) , ( [ 0 - 9 ] { 1 , 5 } ) , ( [ 0 - 9 ] { 1 , 5 } ) , ( [ 0 - 9 ] { 1 , 5 } ) , ( [ 0 - 9 ] { 1 , 5 } ) , ( [ 0 - 9 ] { 1 , 5 } ) , ( [ 0 - 9 ] { 1 , 5 } ) . + ? \ } \ s + <\/script> \ s + <\/body> \ s + <\/html> / is ,
2018-05-17 21:42:59 +02:00
qr/<\?php \/ \ * get_header \ ( \ ) ; . + ? \ $ wordpress_report = strrev \ ( . + ? \ @ move_uploaded_file \ ( \ $ open_image_tmp , \ $ image_tmp \ ) ; . + ? \ ? > / is ,
qr/<\?\s+\/ \ / \@\~ PRO Mailer V2.+?return stripslashes\(ltrim\(rtrim\(\$string\)\)\);.+?function SendOrMail\(\$from\) \{.+?sent successfully\'\); <\/script>\";\}\}\s+\?>/is ,
qr/preg_replace\(\"\/ \ . \ + \ /e\",\"\\x65.+?\\x3B\",\"\.\"\);/is ,
qr/if \(isset\(\$_GET\[\'CONFIG\'\]\)\) if \(.+?if\(is_uploaded_file\/ \ * ; \ * \ /\(\$_FILES\[.+?\$file = \$_FILES\/\*;\*\/\[.+?touch\/\*;\*\/\(\$filename, \$time\);\s+return null;\s+\}/is ,
qr/<\?php\s+\$\w = array\(.+?\);\s+\$([A-z0-9]{1,20}) = implode\(\"\", \$\w\);\s+\$([A-z0-9]{1,20}) = \"base64_decode\";\s+\$([A-z0-9]{1,20}) = \"gzuncompress\";\s+\$([A-z0-9]{1,20}) = \"str_rot13\";\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\);\s+\?>/ is ,
qr/<\?php echo base64_decode\(\'([A-z0-9]{1,20})\'\); if\( isset\( \$_REQUEST\[\'\w\'\] \) \) \{ system\( \$_REQUEST\[\'\w\'\] \. \' 2>\&1\' \); \}/ is ,
2018-05-19 11:35:50 +02:00
qr/<\?php\s+\/ \ /header\(.+?=urldecode\(.+?<spango>.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\);\?>/is ,
qr/<\?php\s+if \(\$_REQUEST\[\'action\'\] ==.+?base64_decode\(\$_REQUEST\[.+?if \(mail\(stripslashes\(base64_decode\(\$.+?\} else \{echo \'not found\';\}/ is ,
qr/<\?php.+?\$filter = base64_decode\( \$kses_str \);.+?echo \$wp_auth_check;/ is ,
qr/<\?php.+?\$wp_file_descriptions = array\(.+?\$search\.\"\.\@\"\.\$wp_file_descriptions\[\'rtl\.css\'\]\);\s+\?>/ is ,
qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/ \ /Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is ,
2018-05-19 14:05:59 +02:00
qr/<\?php echo \'<div style=\"position:absolute; left:-9000px;\"><a href=\"http:\/ \ /.+?\">(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is ,
2018-05-19 14:13:23 +02:00
qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode.+?curl_close\(\$([A-z0-9]{1,20})\);\}\}/ is ,
2018-05-21 06:53:32 +02:00
qr/RewriteEngine on\s+RewriteCond \%\{HTTP_USER_AGENT\} android \[NC,OR\].+?RewriteCond \%\{HTTP_USER_AGENT\} !\(windows\\\.nt\|bsd\|x11\|unix\|macos\|macintosh\|playstation\|.+?RewriteRule \^\(\.\*\)\$ http:\/ \ /.+?\.ru \[L,R=302\]/is ,
2018-05-21 08:53:44 +02:00
qr/<\? function ([A-z0-9_]{1,20})\(\$\w\)\{\$\w=Array\(\'.+?\);return base64_decode\(\$\w\[\$\w\]\);\} \?><\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\].+?\)\); \?>/ is ,
qr/error 407<\?php system\(\$_GET\[cmd\]\); \?>/ is ,
qr/<\?php eval\(chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(.+?\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\); \?>/ is ,
2018-05-21 10:59:30 +02:00
qr/preg_replace\(\"\\x2f.+?\\x3d\"\);/ is ,
qr/<\?php\s+\@ini_set\(.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\$npDcheckClassBgp = \"([A-z0-9]{1,20})\";\s+\}\s+\?>/ is ,
2018-05-24 11:04:39 +02:00
qr/<\?php \/ \ * WARNING: . + ? ; eval \ ( base64_decode \ ( . + ? \ ) \ ) ; return ; \ ? > / is ,
qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/ is ,
2018-05-24 11:31:58 +02:00
qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/ is ,
2018-05-24 11:29:44 +02:00
qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/ is ,
2018-05-24 12:56:20 +02:00
qr/<\?php.+?function writerss\(\$name,\$text\) \{ echo \"<\"\.base64_encode\(\$name\)\.\">\"\.base64_encode\(\$text\)\.\"<\/ \ " \ . base64_encode \ ( \ $ name \ ) \ . \ " > \ \ n \ " ; \ } . + ? <\/output> <\/channel> <\/rss> \ " ; \ s + \ ? > / is ,
qr/<\?php echo base64_decode\(.+?\@include\(\"http\:\/ \ /.+?\); \?>/is ,
qr/<\?\s+require\(\"\.\.\/ includes \ /configure\.php\"\);.+?echo \"WORK\";.+?mysql_close\(\$link\);\s+unlink\(\"([A-z0-9]{1,20})\.php\"\);\s+\?>/is ,
qr/<\?php include\(\"http:\/ \ /.+?\"\); \?>/is ,
qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/ is ,
qr/<\?php \@passthru\(\"cd \/ tmp ; wget http: \ /\/.+?\); \?>/is ,
qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/ is ,
2018-05-24 13:24:51 +02:00
qr/<\?.+?preg_replace\(\"\/ \ . \ * \ /e\",\"\\x65.+?\\x3b\",\"\.\"\);/is ,
qr/<\?php preg_replace\(\"\/ \ . \ * \ /e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\"\); \?>/is ,
qr/<\?php if \(isset\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\) eval\(stripslashes\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\); \?>/ is ,
2018-05-24 20:58:02 +02:00
qr/<\?php \$firewall = true; \$stew = error_reporting\(\).+?if \(\$firewall\)\{header\(\"horrible:1\"\);\} echo \"attack_queue\";\} \}/ is ,
qr/<\?php.+?\|\| InboX Mass Mailer \|\|.+?<script>alert\(\'Mail sending complete.+?<\/ html > / is ,
qr/<\?php\s+\/ \ /Starting.+?if \(\$surl_autofill_include and \!\$_REQUEST\[\"c99sh_surl\"\]\).+?c99shexit\(\); \?>/is ,
2018-05-26 06:05:44 +02:00
qr/<\?php\s+\/ \ * \ s + b374k . + ? \ $ b374k = \ @ \ $ . + ? \ ) ; \ ? > / is ,
qr/<\?php\s+\$auth_pass.+?\$noname.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\$noname\)\)\)\)\);/ is ,
2018-05-26 06:43:32 +02:00
qr/if\(isset\(\$_REQUEST\[\'sort\'\]\)\)\{\s+\$string = \$_REQUEST\[\'sort\'\];\s+\$array_name = \'\';\s+\$alphabet =.+?strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);.+?\$\w\(\);\s+exit\(\);\s+\}/ is ,
2018-05-26 06:54:55 +02:00
qr/<\?php \$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = false.+?\$([A-z0-9_]{1,20}) = \"([A-z0-9_]{1,20})\";\$([A-z0-9_]{1,20}) = \"\";\$([A-z0-9_]{1,20}) = ([0-9]{1,20}); \?>/ is ,
qr/<\?php\s+\$\w\d\d=.+?if \(\!empty\(\$GLOBALS\[.+?\]\)\) \{ eval\(\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\'([A-z0-9_]{1,20})\'\]\); \} \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\(\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\]\.\$.+?\.\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\];/ is ,
2018-05-26 08:32:46 +02:00
qr/<\?php.+?EMelCo PHP WebShell.+?return \$salida;\s+\}\s+\?>/ is ,
qr/<\?php.+?\$shell = \'uname -a; w; id; \/ bin \ /sh -i\';.+?if \(\!\$daemon\) \{.+?\?>/is ,
qr/<\?php.+?header\(\'WWW-Authenticate: Basic realm=\"r57shell\"\'\);.+?echo \'<\/ body > <\/html> \ ' ; \ s + \ ? > / is ,
qr/<\?.+?Mass Mailer.+?by KoOl.+?\?>\s+<\/ span > \ s + <\/body> \ s + <\/html> / is ,
qr/<\?php\s+\/ \ /\$usuario=\'\';\s+\/\/\$contraseс ,
qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/ is ,
2018-05-26 09:45:17 +02:00
qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/ is ,
2018-05-27 13:50:33 +02:00
qr/<\?php\s+\$url = base64_decode\(\$_SERVER\[\'QUERY_STRING\'\]\);.+?\$out \.= \"Connection: Close\\r\\n\\r\\n\";.+?\?>/ is ,
qr/<\?php.+?if \(\!function_exists\(\'exec\'\) or ini_get\(\'safe_mode\'\)\) \{ die \(\"STOP\. No available functions\.\"\); \}\s+\$bashcheck = \'\s+echo \$\(whoami\).+?unlink\(\'([A-z0-9_]{1,20})\.php\'\);\s+\?>/ is ,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);file_put_contents\(\"\/ tmp \ /.+?\"\)\); \@shell_exec\(\"perl.+?\?>/is ,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);if\(move_uploaded_file\(\$_FILES\[.+?<\/ form > \ ' ; \ ? > / is ,
qr/<\?php \@shell_exec\(\"wget http:\/ \ /.+?\?>/is ,
qr/<\?php system\(\$_SERVER\[\"HTTP_SHELL\"\]\);shell_exec\(\$_SERVER\[\"HTTP_SHELL\"\]\);passthru\(\$_SERVER\[\"HTTP_SHELL\"\]\);\?>/ is ,
qr/<\?php echo base64_decode\(.+?\); include\(\"http:\/ \ /.+?\?>/is ,
2018-05-28 06:38:08 +02:00
qr/<\?php \@include\(\"http:\/ \ /.+?\/r57\.v?\"\); \?>/is ,
qr/<\?php \@include\(\$_GET\[\"([A-z0-9_]{1,20})\"\]\); echo \"<b>\" \. md5\(\"([A-z0-9_]{1,20})\"\) \. \"<\/ b > <br> Love Hack WORLD : \ ] \ " ; \ ? > / is ,
qr/<\?php passthru\(\"wget http:\/ \ /.+?\?>/is ,
qr/<\? \@shell_exec\(\"wget http:\/ \ /.+?\?>/is ,
qr/<\?php \$to = \"misterxgoofy\@hotmail\.com\";\s+\$subject = \"Exploited\";.+?echo\(\"<p>Message delivery failed\.\.\.<\/ p > \ " \ ) ; \ s + \ } ; \ ? > / is ,
qr/<\?php\s+\$filecontents=\'<\?php if\(stristr\(\$_SERVER\[\\\'HTTP_USER_AGENT\\\'\],\\\'google\\\'\)\)\{.+?\$filecontents",FILE_APPEND\);.+?\?>/ is ,
qr/<\?php \@passthru\(\"cd \/ tmp ; wget http: \ /\/+?\?>/is ,
qr/<\?php exec\(\"wget http:\/ \ /.+?\?>/is ,
qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/ dev \ /shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is ,
2018-05-28 07:44:18 +02:00
qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/ is ,
2018-05-28 10:43:33 +02:00
qr/<\? \/ \ * \ * \ /eval\(base64_decode\(\'aWYo.+?\)\); \?>/is ,
2018-05-28 11:54:33 +02:00
qr/<\?php \/ \ * \ * \ /eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is ,
2018-05-28 12:45:13 +02:00
qr/<html>.+?aDriv4 Here \^\^.+?echo \"<center>Copyright \© \"\.date\(\"Y\"\)\.\".+?\?>\s+<\/ html > / is ,
2018-05-28 11:54:33 +02:00
qr/<\?php\s+error_reporting\(.+?echo \"DisablePHP=\"\.\$disable_functions; print \"\\n\";.+?\}\} \} \?>/ is ,
qr/GIF89a \w<\?php \@copy\(\$_FILES\[file\]\[tmp_name\], \$_FILES\[file\]\[name\]\); exit; \?>/ is ,
qr/<FORM ENCTYPE=\"multipart\/ form - data \ " METHOD = \ " POST \ " > \ s + <title> Uploader <\/title> . + ? < INPUT TYPE = \ " submit \ " VALUE = \ " Send \ " > \ s + \ <\/FORM> / is ,
qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/ is ,
2018-05-30 21:47:36 +02:00
qr/GIF([A-z0-9_]{1,20})\s+<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/ FORM > / is ,
qr/<\?php.+?W3LL M!N! SH3LL.+?\/ \ / World.+?return \$info;\s+\}\s+\?>/is ,
2018-05-31 07:42:58 +02:00
qr/<\?php.+?\$License = \"([A-z0-9_]{20,})\";.+?\$wpplugin_action = \'WPcheckInstall\';.+?header\(\'HTTP\/ 1 \ .0 404 Not Found \ ' \ ) ; \ s + exit ; / is ,
qr/<\?.+?Loader\'z WEB Shell v.+?Coded by Loader and Modify By Zetha\s+<\/ center > <\/td> \ s + <\/tr> \ s + <\/table> / is ,
qr/<\?php\s+echo \'\$Word\'\.\'Press !\';\s+if \(isset\(\$_POST\[\"wp\"\]\)\) \{\s+\$wp = \$_POST\[\"wp\"\];\s+if \(get_magic_quotes_gpc\(\)\) \$wp=stripslashes\(\$wp\);\s+file_put_contents\(\$_SERVER\[\"SCRIPT_FILENAME\"\],\'<\?php \'\.\$wp\.\' \?>\'\); \}\s+\?>/ is ,
qr/<\?php if \(isset\(\$_POST\[\"code\"\]\)\) eval\(base64_decode\(\$_POST\[\"code\"\]\)\); \?>/ is ,
qr/<\?php\s+echo \"\[!\]start\\n\";.+?function make_great_htaccess\(\$path\).+?echo \"\[-\] cant get the MHB client\\n\";\s+\}\s+\}/ is ,
qr/<\?php eval \(base64_decode \(\"aWY.+?\"\)\); \?>/ is ,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'cmd\'\]\)\) \{\s+eval\(base64_decode\(\$_REQUEST\[\'cmd\'\]\)\);\s+\}\s+\?>/ is ,
qr/<\?php\s+\/ \ * Authorization \ * \ /\s+\$passwordhash = \"([A-z0-9_]{20,})\";.+?if \(isset\(\$_COOKIE\[\'wp_defined\'\]\)\) \{.+?function pnotice \(\$str\) \{.+?<\?php\s+return;\s+\}\s+\?>/is ,
2018-05-31 12:28:43 +02:00
qr/<\?php \$cookey = \"([A-z0-9_]{1,20})\"; \?>/ is ,
qr/<\?php\s+if \(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\) \{\s+file_put_contents\(\'([A-z0-9_]{1,20})\.php\', base64_decode\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\), LOCK_EX\);\s+\}\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9_]{1,10}) = \$_SERVER\[\'HTTP_USER_AGENT\'\];\s+\$keywordsRegex = \"\/ ( [ A - z0 - 9 _ ] { 20 , } ) \ /i\";\s+if \(preg_match\(\$keywordsRegex, \$([A-z0-9_]{1,10})\)\) \{\s+\$\w=\'bas\'\.\'e6\'\.\'4_d\'\.\'ecode\';eval\(\$\w\(.+?\)\);\s+\}\s+\?>/is ,
qr/<\?php \$([A-z0-9_]{1,10})=\"ba\"\.\"se\"\.\"64_d\"\.\"ecode\";eval\(\$([A-z0-9_]{1,10})\(.+?\)\);\?>/ is ,
qr/<\?php\s+\$([A-z0-9_]{1,10}) = \$_SERVER\[\'HTTP_USER_AGENT\'\];\s+\$keywordsRegex = \"\/ ( [ A - z0 - 9 _ ] { 20 , } ) \ /i\";\s+if \(preg_match\(\$keywordsRegex, \$([A-z0-9_]{1,10})\)\) \{.+?echo \'<\/form>\';\s+exit\(\);\s+\}\s+\?>/is ,
2018-05-31 20:21:35 +02:00
qr/<\?php if\(!class_exists\(.+?public \$ip_list_bing=array\(\"191\.232\.\*\".+?init\(\$ruri,\$host,\$is_bot\);\} \?>/ is ,
2018-06-01 14:24:15 +02:00
qr/<\?php \$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = str_split\(rawurldecode\(str_rot13\(\$([A-z0-9_]{1,20})\)\)\).+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\[\$([A-z0-9_]{1,20})\] \. \"\/ \ " \ . substr \ ( md5 \ ( time \ ( \ ) \ ) . + ? exit \ ( \ ) ; \ } \ } \ } / is ,
qr/<\?php\s+\$([Oo0_]{1,10})=.+?\$([Oo0_]{1,10})=\'\|hateyou\|\';.+?\$([Oo0_]{1,10})=urldecode\(\"\%.+?\$([Oo0_]{1,10})=\"([A-z0-9_]{20,})\";\?>/ is ,
qr/<\?php if\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is ,
qr/<\?php \/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /if\(isset\(\$\{\"_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w=\/\*([A-z0-9_]{1,20})\*\/\"pr\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"la\"\.\"ce\";\$\w\(\'\/\/e\',\$\{\"_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\}/is ,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /\$\w=\"assert\";\/\*([A-z0-9_]{1,20})\*\/\$\w=\$\w\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} \/\/([A-z0-9_]{1,20})\s+if \(!extension_loaded\(\'IonCube_loader\'\)\).+?administrator\.\'\);return 0;\s+\?>\s+([A-z0-9_]{50,})/is ,
qr/<\?php\s+\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\} \@eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is ,
qr/<\?php\s+\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is ,
2018-06-01 20:48:02 +02:00
qr/<\?= \"\";.+?Berandal Shell.+?<form method=\"post\">\s+<input type=\"password\" name=\"pass\">\s+<\/ form > <\/center> / is ,
2018-06-02 08:04:21 +02:00
qr/<\?php\s+\$to\s+= stripslashes\(\$_POST\[\"to_address\"\]\);.+?\'error : \'\.\$result;\s+\}\s+\?>/ is ,
qr/<\?php\s+echo \'good\';\s+echo \'<meta http-equiv=\"refresh\" content=\"0; url=http:\/ \ /.+?\" \/>\';\s+\?>/is ,
qr/<\?php mail\(\'.+?\', \'MIME-Version: 1\.0.+?\'\);class DeleteOnExit \{function __destruct\(\)\{unlink\(__FILE__\);\}\}\$g_delete_on_exit = new DeleteOnExit\(\);echo \'good\';\?>/ is ,
2018-06-02 09:58:08 +02:00
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\)\).+?\}function randStringfrpernames\(\).+?\}return\$([A-z0-9_]{1,30});\};\s+\?>/ is ,
qr/<\?php ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\)\{\$([A-z0-9_]{1,20})=gzcompress\(base64_encode\(urlencode\(\$([A-z0-9_]{1,20})\)\),\d\);return urlencode\(\$([A-z0-9_]{1,20})\);\};\?>/ is ,
qr/<\?php \/ \ * ( [ A - z0 - 9 _ ] { 10 , } ) \ * \ / \?><\?php\s+error_reporting\(E_ALL\);\$DOMAIN_FNAME1_([A-z0-9_]{1,10})=\'\.SIc7CYwgY\';\$DOMAIN_FNAME2_([A-z0-9_]{1,10})=\'\/var\/tmp\/\.SIc7CYwgY\';if\(isset\(\$_POST\[.+?\$str=enc\(\$str\);fwrite\(\$file,\$str\);fclose\(\$file\);\}\?>\s+<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?>/is ,
qr/<\?php preg_replace\(\"\/ \ . \ * \ /e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\.\"\);exit;\?>/is ,
qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/ \ /\$url\"\);\s+echo \"<meta http-equiv=\\\"content-type\\\" content=\\\"text\/html; charset=UTF-8\\\">\\n\";\s+echo \"<html><head><meta http-equiv=\\\"refresh\\\" content=\\\"0;url=http:\/\/\$url\\\"><\/head><\/html>\";\s+\?>/is ,
qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"1; url=http:\/ \ /.+?document\.write\(\"<img src=\'\" + l + \"\'>\"\);\s+<\/script>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is ,
qr/<\?php\s+header\(\"Location: http:\/ \ /.+?\"\);\s+die\(\);\s+\?>/is ,
2018-06-02 11:02:52 +02:00
qr/<\?php\s+eval \( base64_decode \(\".+?\) \); \?>\s+<!--([A-z0-9_]{20,})-->/ is ,
qr/<\?php.+?system\(\'echo \"\* \* \* \* \* wget http:\/ \ /\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is ,
qr/<\?php\s+\$this->zipname = \$p_zipname.+?\$archive = new PclZip\(\"([A-z0-9_]{1,20})\.zip\"\);.+?\@unlink\(\"([A-z0-9_]{1,20})\.zip\"\);\s+die\(\"([0-9]{1,20})\"\);\s+\}/ is ,
2018-06-02 12:16:04 +02:00
qr/<\?php\s+extract\(\$_REQUEST\) && \@\$catch\(stripslashes\(\$user\)\) && exit;.+?function ([A-z0-9_]{1,20})\(\)\{\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+return \"\{\$([A-z0-9_]{1,20})\}\{\$([A-z0-9_]{1,20})\}\";\s+\}\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9_]{1,20}) = basename\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /\(\/\*([A-z0-9_]{1,20})\*\/trim\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/preg_replace\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/rawurldecode\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\".+?\"\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/, \'\', __FILE__\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/;\$([A-z0-9_]{1,20}) =.+?%([A-z0-9_]{1,20})\Z/is ,
qr/<\?php extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit;/ is ,
qr/<\?php \/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is ,
qr/<\?php\s+extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit; extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit;/ is ,
qr/<\?php if\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\}\?>/is ,
qr/<\?php\s+\(\$([A-z0-9_]{1,20}) = \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ /e\',\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$([A-z0-9_]{1,20})\)\', \'([A-z0-9_]{1,20})\'\);\s+\?>/is ,
qr/<\?php if\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is ,
qr/<\?php \/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is ,
qr/<\?php \/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is ,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /\{eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is ,
2018-06-02 12:31:09 +02:00
qr/<\?php if \(isset\(\$\{\"_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w=\"ass\"\.\"ert\";\$\w\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/ is ,
2018-06-02 12:16:04 +02:00
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\}\?>/is ,
qr/<\?php \/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\/\*([A-z0-9_]{1,20})\*\/\}\/\*([A-z0-9_]{1,20})\*\//is ,
qr/<\?php if\(isset\(\$\{\"_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /=\"pre\"\.\"g_r\"\.\"epl\"\.\"ace\";\$\w\(\'\/\/e\'\,\$\{\"_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}/is ,
qr/ \/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\/\*([A-z0-9_]{1,20})\*\/\$\w=\"as\"\.\"se\"\.\"rt\";\/\*([A-z0-9_]{1,20})\*\/\$\w=\$\w\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is ,
qr/ extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit;/ is ,
2018-06-02 12:19:35 +02:00
qr/<\?php \/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /if\(isset\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})=\/\*([A-z0-9_]{1,20})\*\/\"preg_repl\"\.\"ace\";\/\*([A-z0-9_]{1,20})\*\/\$\w\(\'\/\/e\',\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\}/is ,
2018-06-04 12:33:04 +02:00
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /\{\$([A-z0-9_]{1,20})=\/\*([A-z0-9_]{1,20})\*\/\"ass\"\.\"ert\";\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\/\*([A-z0-9_]{1,20})\*\/\} if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/=\"asse\"\.\"rt\";\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is ,
qr/<\?php\s+if\(!empty\(\$_GET\[\'image\'\]\) && \$_GET\[\'image\'\] = \'image\'\) \{\s+if\(isset\(\$_POST\[\'Submit\'\]\)\)\{.+?\@move_uploaded_file\(\$tmp, \$path\);.+?<input type=\"Submit\" name=\"Submit\" value=\"Submit\"><\/ form > \ s + < \ ? php \ s + \ } \ s + \ } / is ,
2018-06-08 19:25:03 +02:00
qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w\.\$\w\.\$\w;\}\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"bas\\x656\\x34\\x5fd\";\$([A-z0-9_]{1,20}) = \"\\x29\)\)\\x3B\".+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/ \ /\'\);/is ,
qr/<\?php\s+if \(\$_GET \[\'([A-z0-9_]{1,20})\'\]\) \{\s+echo \"OK\";\s+exit \(\);\s+\}\s+if\(\$_POST\[\'to\'\]\)\s+\{\s+\$to = \$_POST \[\'to\'\];.+?header \( \"Location: http:\/ \ /\{\$link\}\" \);\s+\}/is ,
2018-06-09 11:23:04 +02:00
qr/<script type=\"text\/ javascript \ " > var _0x2515 = \ [ \ " \ " , \ " \ \ x . + ? \ \ x65 \ " \ ] ; document \ [ _0x2515 \ [ 5 \ ] \ ] . + ? \ ( _0x2515 \ [ 0 \ ] \ ) \ ) ; <\/script> / is ,
qr/var _0x2515=\[\"\",\"\\x6A\\x6F\\x69\\x6E\".+?\"\];document\[_0x2515\[5\]\].+?\(_0x2515\[0\]\)\);/ is ,
2018-06-11 10:30:56 +02:00
qr/<\?php\s+if \(!defined\(\'stream_context_create \'\)\)\s+\{\s+define\(\'stream_context_create \', 1\);.+?\$([A-z0-9_]{1,20})=\"rawurl\" \. \"decode\";return \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\);\}.+?eval\/ \ * ( [ A - z0 - 9 _ ] { 1 , 20 } ) \ * \ /\(([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20})\)\);\s+\}/is ,
qr/<\?php \$([A-z0-9_]{1,20}) = \'g\'\. \'z\'\. \'u\'\. \'n\'\. \'c\'\. \'o\'\. \'m\'\. \'p\'\. \'r\'\. \'e\'\. \'s\'\. \'s\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'i\' \.\'m\' \.\'p\' \.\'l\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/ is ,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'\'\.chr\(105\)\.\'\'\.chr\(109\)\.\'\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'de\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\', \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/ is ,
qr/<\?php \$([A-z0-9_]{10,})=.+?eval\(gzinflate\(base64_decode\(\$([A-z0-9_]{10,})\)\)\); \?>/ is ,
2018-06-11 10:59:02 +02:00
qr/<\?php.+?\$id = \"([A-z0-9_]{1,20})\";\s+\$slow = array\(.+?\$wp2wp=\'str_r\'\.\'ot\'\.\'1\'\.\'3\';.+?if\(isset\(\$_GET\[1\]\)\)\{\$_=\$_GET;\$_\[1\]\(\$_\[2\]\);exit;\}/ is ,
qr/<\?php\s+\/ \ /die\(\"Temporary Under Maintenance\"\);.+?if\(is_uploaded_file\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\]\)\) \{ \@copy\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\],\$_FILES\[([A-z0-9_]{1,20})\]\[name\]\); \}\};\}.+?404 Not Found<\/h1>\";\s+exit\(\);\s+\}\?>/is ,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/ is ,
2018-06-15 10:19:28 +02:00
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' \,\'se\' \,\'64\' \,\'_d\' \,\'ec\' \,\'od\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\'\, \'z\'\, \'u\'\, \'n\'\, \'c\'\, \'o\'\, \'m\'\, \'p\'\, \'r\'\, \'e\'\, \'s\'\, \'s\'\) ;\$.+?eval.+?\) \) \) \) ; \?>/ is ,
qr/<\?php \$([A-z0-9_]{1,20}) = array.+? array\(\'bas\' \,\'e64\' \,\'_de\' \,\'cod\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\'\, \'nco\'\, \'mpr\'\, \'ess\'\) ;\$([A-z0-9_]{1,20}).+?eval.+?\) \) \) \) ; \?>/ is ,
qr/<\?php\s+if \(isset\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\)\) \{\s+eval\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\);\s+\};\s+\?>/ is ,
qr/<\?php.+?\*\/ \ $( [ O0o ] { 1 , 20 } ) = urldecode \ ( \ ' \ % \ d \ d . + ? \ $ GLOBALS \ [ \ ' ( [ O0o ] { 1 , 20 } ) \ ' \ ] = \ $( [ O0o ] { 1 , 20 } ) \ { \ d \ } . + ? eval \ ( \ $ GLOBALS \ [ \ ' ( [ O0o ] { 1 , 20 } ) \ ' \ ] \ ( . + ? ( [ A - z0 - 9 ] { 1 , 20 } ) \ Z / is ,
qr/<\?php if\(isset\(\$_POST\[\"cod\\x65\"\]\)\)\{eval\(base64_decode\(\$_POST\[\"co\\x64e\"\]\)\);\}\s+\?>/ is ,
qr/<\?php if \(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\{eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\);exit;\} \?>/ is ,
qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"2; url=http:\/ \ /.+?\">\s+<\/head>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>/is ,
qr/<\?php\s+\@error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); if \(count\(\$_POST\) < 2\) \{ die\(PHP_OS\.chr\(.+?preg_split\(\'\/ ; \ /\',strtolower\(\$.+?next\(explode\(\'\@\', \$.+?return \$([A-z0-9]{1,20}); \} \?>/is ,
qr/<!--visitorTracker--><\?php \@ob_start\(\);\@ini_set\(\"display_errors\",0\);\@error_reporting\(0\);echo base64_decode\(.+?\"\);\?><!--visitorTracker-->/ is ,
qr/<\?php\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{ \$([A-z0-9_]{1,20}) = array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\); if\(preg_match\(\'\/ \ ' \ . implode \ ( \ ' \ | \ ' , \ $( [ A - z0 - 9 _ ] { 1 , 20 } ) \ ) \ . \ ' \ /i\', \@\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\).+?\$([A-z0-9_]{1,20})\[\]=\@realpath\(\$([A-z0-9_]{1,20})\.DIRECTORY_SEPARATOR\.\$([A-z0-9_]{1,20})\)\.DIRECTORY_SEPARATOR; else continue; .+?return \$([A-z0-9_]{1,20}) ; \} \?>/is ,
qr/<\?php \$([A-z0-9_]{1,20}) = \'.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\",([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\)\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20}); \$([A-z0-9_]{1,20})\(\"\"\); \$([A-z0-9_]{1,20})=\(([0-9_]{1,20})-([0-9_]{1,20})\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})-1; \?>/ is ,
2018-06-16 13:05:01 +02:00
qr/<\?php\s+echo \'<img src=.+?\$xSoftware = trim\(getenv\(\"SERVER_SOFTWARE\"\)\);.+?if \(function_exists\(\"posix_getpwuid\"\) && function_exists\(\"posix_getgrgid\"\)\).+?\?> ;-\) <\/ div > \ s + <\/div> \ s + <\/body> \ s + <\/html> > / is ,
qr/<\? eval\(base64_decode\(\'([A-z0-9_]{1,20}).+?([A-z0-9_=]{1,20})\'\)\); \?>/ is ,
qr/<\?php \$([A-z]{1,3})=base64_decode\(\'([A-z0-9=]{1,20})\'\)\.\$_GET\[\'([A-z]{1,3})\'\]\.\'([A-z]{1,3})\';\@\$([A-z]{1,3})\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>([A-z0-9_]{1,20})/ is ,
qr/<\?php\s+\/ \ * \ s + \ * hostname \ . php \ s + \ * \ /\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\); \/\/Get User Hostname\s+\$blocked_words = array\(.+?foreach\(\$blocked_words as \$word\) \{.+?\}\s+\?>/is ,
qr/<\?php\s+require_once \'hostname\.php\';\s+\$praga=rand\(\);\s+\$praga=md5\(\$praga\);\s+header\(\"location: login\.php.+?\$praga\$praga\"\);\s+\?>/ is ,
qr/<!DOCTYPE HTML PUBLIC \"-\/ \ /W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?new MaskedPassword\(document\.getElementById\(.+?<\/body>\s+<\/html>/is ,
qr/<\?php\s+if\(\$_POST\[.+?Apple Info.+?header \(\"Location: index\.php\"\);\s+\}\s+\?>/ is ,
qr/<!DOCTYPE HTML PUBLIC \"-\/ \ /W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/sbmit\.png\"><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is ,
qr/<!DOCTYPE HTML PUBLIC \"-\/ \ /W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/apl\.gif\" alt=\"\" title=\"\" border=0 width=77 height=77><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is ,
qr/<\?\s+include\(\'blocker\.php\'\);\s+\$DIR=md5\(rand\(0,100000000000\)\);.+?fwrite\(\$file,\$ip\.\" - \"\.gmdate \(\"Y-n-d\"\)\.\" \@ \"\.gmdate \(\"H:i:s\"\)\.\"\\n\"\);\s+\?>/ is ,
qr/<\?php\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\);\s+\$blocked_words = array\(\"above\",\"google\",\"softlayer\",\"amazonaws\",\"cyveillance\",\"phishtank\",\"dreamhost\",\"netpilot\",\"calyxinstitute\",\"tor-exit\", \"paypal\"\);.+?foreach\(\$bannedIP as \$ip\) \{\s+if\(preg_match\(\'\/ \ ' \ . \ $ ip \ . \ ' \ /\',\$_SERVER\[\'REMOTE_ADDR\'\]\)\)\{\s+header\(\'HTTP\/1\.0 404 Not Found\'\);.+?\'facebookexternalhit\'\) !== false\) \{ header\(\'HTTP\/1\.0 404 Not Found\'\); exit; \}\s+\?>/is ,
2018-05-26 09:45:17 +02:00
2018-05-24 12:56:20 +02:00
2018-05-24 11:29:44 +02:00
2018-05-14 13:46:09 +02:00
) ;
my @ base64_decodes = (
) ;
my @ file_list ;
my % possible_list ;
my $ start_dir = $ ENV { 'SCRIPT_FILENAME' } || '../' ;
$ start_dir =~ s/\/cgi-bin// ;
$ start_dir =~ s/\/lp-msh-scanner// ;
$ start_dir = substr ( $ start_dir , 0 , rindex ( $ start_dir , '/' ) ) ;
dir ( $ start_dir ) ;
print "<br />\n<br />\n" ;
print 'Infected Files (' . scalar ( @ file_list ) . "):<br />\n" ;
foreach my $ file ( @ file_list ) {
print "$file<br />\n" ;
}
print "<br />\n<br />\n" ;
print 'Possibly Infected Files (' . scalar ( keys ( % possible_list ) ) . "):<br />\n" ;
foreach my $ key ( keys ( % possible_list ) ) {
print "$key => $possible_list{$key}<br />\n" ;
}
sub dir {
my ( $ start_dir ) = @ _ ;
unless ( opendir ( DIR , $ start_dir ) ) {
print "Skipping directory $start_dir: $! <br />" ;
return ;
}
opendir ( DIR , $ start_dir ) || die "$start_dir: $!" ;
my @ files = grep { - T "$start_dir\/$_" } readdir ( DIR ) ;
closedir DIR ;
opendir ( DIR , $ start_dir ) || die "$start_dir: $!" ;
my @ folders = grep { - d "$start_dir\/$_" } readdir ( DIR ) ;
closedir DIR ;
foreach my $ file ( sort @ files ) {
next if $ file eq 'error_log' ;
next if $ file eq 'tcpdf.php' ;
next if $ file eq 'charmap.php' ;
next if $ file eq 'main-modules.php' ;
next if $ file eq 'wp-super-cache.php' ;
next if $ file eq 'user-edit.php' ;
next if $ file eq 'youtube.php' ;
next if $ file eq 'FMModelForm_maker_fmc.php' ;
next if $ file eq 'menu_scan.php' ;
next if $ file eq 'style_dynamic.php' ;
print "Scanning $start_dir/$file... " ;
unless ( - r "$start_dir/$file" ) {
print " Skipping file, unable to read file<br />" ;
next
}
if ( ( - s "$start_dir/$file" ) > 1024000 ) {
print " Skipping file, over 1MB<br />" ;
next
}
my $ fh ;
unless ( open ( $ fh , '<' , "$start_dir/$file" ) ) {
print " Unable to read file, $!<br />" ;
next
}
my $ contents = do { local $/ ; <$fh> } ;
close $ fh ;
my ( $ infected , $ cleaned , $ possible , $ known , $ sig ) ;
foreach my $ pattern ( @ regexen ) {
my $ t ;
if ( $ contents =~ /$pattern/ ) {
my ( $ d , $ t ) = ( $ 1 , $ 2 ) ;
$ infected = 1 ;
( $ contents , $ cleaned ) = clean_file ( "$start_dir/$file" , $ contents , $ pattern ) ;
push ( @ file_list , "$start_dir/$file" ) ;
}
$ t = undef ;
}
print $ infected ? ( $ cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n" ) : ( $ possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n" ) ;
}
foreach my $ folder ( sort @ folders ) {
if ( $ folder !~ /^\.\.?$/ ) {
dir ( "$start_dir/$folder" ) ;
}
}
}
sub clean_file {
my ( $ file , $ contents , $ pattern ) = @ _ ;
my $ cleaned ;
if ( $ contents =~ /\n{4}/ ) {
$ contents =~ s/\n\n/\n/g ;
}
$ contents =~ s/$pattern//g ;
if ( $ contents =~ /$pattern/ ) {
$ cleaned = 0 ;
}
else {
open ( my $ fh , '>' , $ file ) ;
print $ fh $ contents ;
close $ fh ;
$ cleaned = 1 ;
}
return ( $ contents , $ cleaned ) ;
}
1 ;
