2018-03-30 10:04:44 +02:00
#!/usr/bin/perl
use strict ;
use warnings ;
use CGI ;
BEGIN {
$ SIG { __DIE__ } = sub {
my $ msg = shift ;
print "status: 500\n" ;
print "content-type: text/html\n\n" ;
$ msg =~ s/\n/\0/g ;
print "error: $msg\n" ;
CORE:: die $ msg ;
}
}
$| = 1 ;
our $ q = CGI - > new ;
print "Content-type: text/html\n\n" ;
my @ regexen = (
2018-05-03 13:57:14 +02:00
qr/<\?php\s+\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?exit\(\)\;\s+\}\Z/ is ,
2018-05-03 07:06:34 +02:00
qr/<\?php\s+\/ \ /header\(\'Content\-Type\:text\/html\;.+?\=array\(.+?\=urldecode\(.+?\)\;exit\(\)\;\}\'\)\;\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\)\;\?>/is ,
2018-04-28 13:31:23 +02:00
qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/ is ,
2018-04-28 19:49:38 +02:00
qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/ is ,
2018-03-30 10:04:44 +02:00
qr/<\?php\s+\/ \ * \ s + Plugin \ s + Name \ : \ s + antisp . + ? add \ _filter \ ( \ ' all \ _plugins \ ' \ , \ s + \ ' ANTISP \ _hide \ ' \ ) \ ; / is ,
2018-04-12 06:07:21 +02:00
qr/<\?php.+?\;\$\{\"G.+?\;global\$mysqli\;global\$dbHost\;global\$dbUser\;\$.+?\;else\s+return\;break\;\}\}\s+\?>/ is ,
2018-03-30 10:04:44 +02:00
qr/<script>\s+var\s+\_0xa7af\=\[.+?\]\;eval\(function\(\_0xaddfx1\,\_0xaddfx2\,\_0xaddfx3\,\_0xaddfx4\,\_0xaddfx5\,\_0xaddfx6\)\{.+?\]\)\,0\,\{\}\)\)\s+<\/ script > / is ,
qr/<\?php\s+\/ \ * \ s + Plugin \ s + Name \ : \ s + spamdetectvr . + ? add \ _filter \ ( \ ' all \ _plugins \ ' \ , \ s + \ ' SPAMDETECTVR \ _hide \ ' \ ) \ ; . + ? \ /\/\s+\}\s+\/\/\}\)\;/is ,
qr/<script\s+type\=\"text\/ javascript \ " > \ s + eval \ ( function \ ( p \ , a \ , c \ , k \ , e \ , d \ ) \ { e \= function \ ( c \ ) \ { return \ s + c \ . toString \ ( . + ? \ . replace \ ( new \ s + RegExp \ ( . + ? script \ | insertBefore \ ' \ . split \ ( \ ' \ | \ ' \ ) \ , 0 \ , \ { \ } \ ) \ ) \ s + <\/script> / is ,
qr/\/ \ /([A-z0-9]{32})\s+create\_function\(\'\'\,\s+gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\/([A-z0-9]{32})/is ,
qr/<\?php\s+\$\{.+?\;protected\$instance\;protected\$request\;protected\$calls\=array\(\)\;protected\$response\=array\(\)\;protected\$hasCalls\=false\;private\$isBatchCall\=false\;protected\$hiddenMethods\=array\(\'execute\'\,\'\_\_construct\'\).+?\}\s+\?>/ is ,
qr/<\?php\s+\$\{.+?\]\;\@mail\(.+?\]\}\)\;\$\_SESSION\[.+?\]\}\=curl\_init\(\)\;curl\_setopt\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;curl\_setopt\(\$\{\$\{.+?\]\}\}\;\}\}\s+\?>/ is ,
qr/<\?php\s+\/ \ * \ s + Plugin \ s + Name \ : \ s + Pisher . + ? trojan \ .25 hack . + ? \ ; \ } \ ) \ ; \ } \ ) \ ; \ s + \ ? > / is ,
qr/\s+<\?php\s+echo\(base64\_decode\(.+?\)\)\;eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;echo\s+\"\\x\d\d\\n\"\;\s+\?>/ is ,
qr/<\?php\s+echo\s+\"<div\s+align\=\\\"center\\\">.+?if\(isset\(\$\_POST\[\"submit\"\]\)\)\{if\(\$\_FILES\[\"file\"\]\[\"error\"\]>0\)\{echo.+?Go\s+here\s+\:\s+\"\.\$path\.\"<br>\"\;\}\}\s+\?>/ is ,
qr/<\?php\s+session\_start\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+?>.+?IndoXploit.+?serverinfo\(\)\;\s+action\(\)\;\s+\?>\s+<\/ body > \ s + <\/html> / is ,
qr/<\?.+?Aldwiry\s+Hack3r.+?\$usrp\s+\=\s+\"jo\/ usr \ . pl \ " \ ; . + ? Error \ s + CHMOD \ s + \ ! \ " \ ; \ s + \ } \ s + \ ? > / is ,
qr/<\/ br > \ " \ ; \ s + session \ _start \ ( \ ) \ ; . + ? Moshkela \ s + Hacker <\/title> . + ? \ } \ /\/\s+end\s+if\s+\}\s+\?>/is ,
qr/<\?php\s+\$GLOBALS\[\'DB\_NAME\'\]\s+\=\s+array\(.+?if\(\!function\_exists\(\'bas\'\.\'e\'\.\'64\_\'\.\'en\'\.\'code\'\)\)\{.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\)\;\?>/ is ,
qr/<\?php\s+\/ \ * \ * \ s + \ * \ s + SAPE \ . ru . + ? class \ s + SAPE \ _globals \ s + \ { . + ? \ $ this \ - > \ _data \ [ \ $ this \ - > \ _request \ _mode \ ] \ s + \= \ s + \ $ data \ ; \ s + \ } \ s + \ } / is ,
qr/<\?php\s+if\s+\(\!defined\(\'\_SAPE\_USER\'\)\)\{\s+define\(\'\_SAPE\_USER\'\,.+?echo\s+\$sape\->return\_links\(\)\;\s+\?>/ is ,
qr/<\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\s+\?>/ is ,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?dns\_get\_record\(\$domain\,\s+DNS\_TXT\)\;.+?else\s+header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$\w\,\s+TRUE\,\s+302\)\;\s+\}/ is ,
qr/<\?php\s+\@date\_default\_timezone\_set\(.+?GetPageContent\(.+?EXPLOITOK.+?return\s+\(SASL\_CONTINUE\)\;\s+\}\s+\}/ is ,
qr/<\?php\s+function\s+cURLRequest\(\$url.+?function\s+Display404Page\(\)\s+\{.+?Display404Page\(\)\;\s+\}\s+exit\;\s+\}/ is ,
qr/<\?php\s+\$o0o\=\_\_FILE\_\_\;\$oOo\=\'.+?\'\;eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\?>/ is ,
qr/<\?php\s+\$o0O0\s+=.+?\$oO0\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$oO0o\=\@\$oO0\(.+?\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(.+?\,\$o0O0\)\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;.+?\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/ is ,
qr/<\?php\s+\$\w\_\_\_\w\=\'base\'\.\(128\/ 2 \ ) \ . \ ' \ _de \ ' \ . \ ' code \ ' \ ; \ $ \ w \ _ \ _ \ _ \ w \= \ $ \ w \ _ \ _ \ _ \ w \ ( str \ _replace \ ( \ " \ \ n \ " \ , \ \ ' \ ' \ , . + ? <input\s+type\=\"submit\"value\=\"\>\;\"\/> <\/form> / is ,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?Mister\s+Spy<\/ title > . + ? Upload \ s + File . + ? \ ? > \ s + bypass . + ? contact \ @ elmoujehidin \ . net / is ,
qr/<\?php\s+\@\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/ is ,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\;\}\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\s+\$([A-z0-9]{1,20})\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\"([A-z0-9]{1,20})\"\]\)\;\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{20,})\=.+?eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{20,})\)\)\)\)\;\s+\?>/ is ,
qr/<\!DOCTYPE.+?libraries\/ joomla \ /document\/json\/a\.txt\s+was\s+not\s+found.+?<\/html>/is ,
qr/<\?php\s+session\_start\(\)\;.+?\$auth\_pass.+?IndoXploit.+?IndoXploit<\/ font > <\/a> <\/center> \ " \ ; \ s + \ } \ s + \ ? > \ s + <\/html> / is ,
qr/<\?php.+?FOPO.+?\$([A-z0-9]{1,20})\=.+?\@eval\(\$([A-z0-9]{1,20})\(\s+\"([A-z0-9]{50,}).+?\"\)\)\;\s+\?>/ is ,
qr/<SCRIPT\s+SRC\=http\:\/ \ /w0rms\.com\/sayac\.js><\/SCRIPT>\s+<\?php.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is ,
qr/<\?php\s+if\s+\(isset\s+\(\$\_GET\[\'.+?\'\]\)\).+?\$default\_use\_ajax\s+\=\s+true\;.+?preg\_replace\(\"\/ \ . \ * \ /e\"\,\".+?\"\,\"\.\"\)\;\s+\}\s+else\s+\{\s+echo\s+\"<div\s+style\=display\:none>.+?<\/div>\"\;\s+\}\s+\?>/is ,
qr/<\?php\s+WSOCheckUA\(\)\;.+?\$disable\_functions\s+\=\s+\@ini\_get\(.+?if\(\s+\!empty\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+function\_exists\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\)\s+\{\s+call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\}/ is ,
qr/<\?php.+?Bypass\s+\.\/ Config \ s + \ . \ /User\s+\.\/Domain.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is ,
qr/<\?php\s+function\s+wsoHeader\(\)\s+\{.+?\$drives\s+\=\s+\"\"\;.+?<div\s+style\=\"margin\:5\">\'\;\s+\}/ is ,
qr/<\?php\s+function\s+getBot\(\$url\)\s+.+?echo\s+\"<b>Namesis<br>.+?exit\(\)\;\s+\}\s+\?>/ is ,
qr/<\?php\s+\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?eval\(base64\_decode\(.+?\)\)\;\?>/ is ,
qr/<\?php\s+error\_reporting\(0\)\;.+?File\s+Manager<\/ title > . + ? \ $ pathen \ s + \= \ s + base64 \ _encode \ ( \ $ path \ ) \ ; . + ? return \ s + \ $ info \ ; \ s + \ } \ s + \ ? > / is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\_\w\s+\=\s+\'\'\.chr\(([0-9]{1,5})\)\.\'\'\.chr\(([0-9]{1,5})\)\.\'([A-z0-9]{1,20})\'\.chr\(([0-9]{1,5})\)\.\'de\'\s+\;\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\_\w\(\'\'\,array\(.+?\)\)\;\$([A-z0-9]{1,20})\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;.+?array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\).+?eval.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/ is ,
qr/<\?php.+?\'\'\.chr\(.+?\'\.chr\(.+?\(\'\'\,array\(.+?\)\.\'e64\_deco\'\.chr\(.+?\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/ is ,
qr/<\?php\s+header\(\'Content\-Type\:text\/ . + ? define \ ( \ ' SHELL \ _PASSWORD \ ' \ , . + ? API \ _VERSION \ , \ s + 2 \ ) \ ) \ ) \ ; \ s + \ } \ s + \ ? > / is ,
qr/<\?php\s+\/ \ * a \ , b \ , c \ , d \ , e \ , f \ , g \ , h \ , i \ , j \ , k \ , l \ , m \,n\ , o \ , p \ , q\,r\ , s\,t.+?\*\ /\s+\?>/is ,
qr/<\?php.+?\'\.chr\(.+?\)\.\'\'\.chr\(.+?aWYo.+?\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\)\)\;\?>/ is ,
qr/<\?php\s+define\(\'EXT\_MYSQLI\'\,\s+\'mysqli\'\)\;.+?\{\s+if\s+\(file\_exists\(sprintf\(\'\%s\/ wp \ - config \ . php \ ' . + ? \ s + break \ ; \ s + \ } \ s + \ } \ s + else \ s + \ { \ s + die \ ( \ ' ympf \ ' \ ) \ ; \ s + \ } / is ,
qr/<\?php\s+\$.+?\=\s+array\(.+?\=\s+array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\('g\'\,\s+\'z\'\,\s+\'u\'\,\s+\'n\'\,\s+\'c\'\,\s+\'o\'\,\s+\'m\'\,\s+\'p\'\,\s+\'r\'\,\s+\'e\'\,\s+\'s\'\,\s+\'s\'\)\s+\;\$.+?\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\)\.\'\'\.chr\(.+?\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval.+?\)\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+assert\_options\(ASSERT\_WARNING\,0\)\;.+?function\s+hex2ascii\(\$.+?\'e\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'.+?\.\'\'\.\'\'\.\'\'\.\'v\'\.\'a\'\.\'l\'\.\'\(\$.+?assert\(\$\w\)\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$([A-z0-9]{1,20})\s+\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval.+?\)\)\)\)\;\s+\?>/ is ,
2018-03-30 10:34:23 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'g\'\.\s+\'z\'\.\s+\'u\'\.\s+\'n\'\.\s+\'c\'.\s+\'o\'\.\s+\'m\'\.\s+\'p\'\.\s+\'r\'\.\s+\'e\'\.\s+\'s\'\.\s+\'s\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/ is ,
2018-03-30 11:25:23 +02:00
qr/<\?php\s+\@session\_start\(\)\;.+?if\(\$chk\_login\).+?echo\s+\$buff\;\s+\}\s+\?>\s+<\/ div > \ s + <\/body> \ s + <\/html> / is ,
qr/GIF89a\?<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/ is ,
qr/<title>MCL<\/ title > <form\s+enctype\=multipart\/form\-data\s+method\=post> . + ? <\?\s+echo\s+base64\_decode\(.+?\$fp\=fopen\(base64\_decode\(\$\_REQUEST\[.+?\@copy\(\$\_FILES\[.+?\}\}\;\s+\?> / is ,
qr/<\?php\s+\$a\=\"4\"\;\s+\$b\=\"0\"\;\s+\$c\=\"4\"\;\s+echo\s+\$a\.\$b\.\$c\.\"\#\"\;\s+\?>\s+<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\s+\$\w\_File\=fopen\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\"\/ 1 \ . txt \ " \ , \ " w \ " \ ) \ ; \ s + if \ ( \ ! \ $ \ w \ _File \ ) \ s + echo \ s + \ " writewrong \ " \ ; \ s + else \ s + echo \ s + \ " writeok \ " \ ; \ s + \ ? > / is ,
qr/GIF89a\s+<\%\s+eval\s+request\(\"([A-z0-9]{1,20})\"\)\%>\s+abcabcabc/ is ,
qr/GIF89a<\?php\s+\@eval\(\$\_POST\[.+?\$response\s+\=\s+curl\(\$shell\_url\)\;.+?function\s+getcontent\(\$file\)\{.+?return\s+\$tmp\_content\;\s+\}/ is ,
qr/GIF89a.+?<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/ is ,
qr/GIF89a<\?PHP\s+fputs\(fopen\(\'([A-z0-9]{1,20})\.php\'\,\'w\'\)\,\'<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>abcabcabc\'\)\;\?>/ is ,
qr/<\?php\s+echo\s+\'<form\s+action\=\"\".+?\$\_POST\[\'\_\'\]\=\=\"GO\"\)\{if\(\@copy\(\$\_FILES\[.+?Err<\/ b > \ ' \ ; \ } \ } \ ? > / is ,
qr/GIF89a\?\s+<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/ is ,
qr/\%PDF\-\d\.\d.+?<\?php\s+\@include.+?<title>\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+chmod\.php<\/ title > . + ? print \ s + \ $ footer \ ; . + ? exit \ ( \ ) \ ; \ s + \ ? > / is ,
2018-04-07 10:50:32 +02:00
qr/<\?php\s+\/ \ /header\(.+?\=urldecode\(.+?\\x\d\d\"\]\(\)\;\?>/is ,
2018-03-30 11:25:23 +02:00
qr/<\?\s+eval\(base64\_decode\(.+?\)\)\;\s+\?>/ is ,
2018-04-06 21:22:05 +02:00
qr/<\?php\s+\$\{\"\\x.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?base64\_decode\(substr\(\$\{\$\{.+?\}\;\}exit\(\)\;\}break\;\}\}\}\}\}\s+\?>/ is ,
2018-03-30 11:25:23 +02:00
# qr/GIF89a.+?<\?php.+?\?>/is,
2018-03-31 13:56:59 +02:00
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\$.+?\=\s+\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'\;\$.+?\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/ is ,
2018-04-01 11:26:10 +02:00
qr/<\?php\s+\$s\_pass\s+\=.+?\$s\_func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$b374k\=\@\$s\_func\(\'\$x\,\$y\'\,\'ev\'\.\'al\'\.\'\(\"\\\$\s\_pass\=\\\"\$y\\\"\;\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$x\)\)\)\;\'\)\;\@\$b374k\(.+?\$s\_pass\)\;\?>/ is ,
qr/\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode\(.+?file\_put\_contents\(\"tivuser\.zip\"\,\$data\)\;.+?die\(\"([0-9]{1,20})\"\)\;\s+\}/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=.+?array\(.+?\$([A-z0-9]{1,20})\s+=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/ is ,
2018-04-02 08:42:46 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'b\'\s+\,\'a\'\s+\,\'s\'\s+\,\'e\'\s+\,\'6\'\s+\,\'4\'\s+\,\'\_\'\s+\,\'d\'\s+\,\'e\'\s+\,\'c\'\s+\,\'o\'\s+\,\'d\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/ is ,
2018-04-02 10:48:23 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\=\s+array\(.+?\'esab\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\.\'\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/ is ,
qr/\$z\=get\_option\(\"([A-z0-9]{20,})\"\)\;\s+\$z\=base64\_decode\(str\_rot13\(\$z\)\)\;\s+if\(strpos\(\$z\,\"([A-z0-9]{1,20})\"\)\!\=\=false\)\{\s+\$\_z\=create\_function\(\"\"\,\$z\)\;\s+\@\$\_z\(\)\;\s+\}/ is ,
2018-04-04 21:48:31 +02:00
qr/function\s+add\_js\_scripts\(\)\s+\{\s+wp\_enqueue\_script\(\'js\-rws\'\,\s+\'http\:\/ \ /cloudflare\.solutions.+?wp\_enqueue\_script\(\'js\-cors\'\,\s+\'http\:\/\/cloudflare\.solutions\/ajax\/libs\/cors\/cors\.js\'\,\s+\'\'\,\s+null\,\s+true\)\;\s+\}.+?add\_action\(\'login\_enqueue\_scripts\'\,\s+\'add\_js\_scripts\'\s+\)\;/is ,
qr/<html><head><meta.+?Mocus7Shell.+?<\?php\s+echo\s+wordwrap\(php\_uname\(\).+?<\/ body > <\/html> <\?php\s+chdir\(\$lastdir\)\;\s+c79shexit\(\)\;\s+\}\s+\?> / is ,
qr/<\?php\s+session\_start\(\)\;.+?\@clearstatcache\(\)\;.+?\$auth\_pass\s+\=.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$([A-z0-9]{1,20})\)\)\)\)\)\)\)\)\;/ is ,
qr/<\!doctype.+?L0LZ666H05T.+?<\/ body > \ s + <html> / is ,
qr/<html>\s+<head>.+?213\_90N6.+?<\/ body > \ s + <\/html> / is ,
qr/<iframe\s+width\=0px\s+height\=0px\s+frameborder\=no\s+name\=frame1\s+src\=http\:\/ \ /.+?\.ru>\s+<\/iframe>/is ,
qr/<\?php\s+\$\{.+?\"\;eval\(base64\_decode\(\$\{\$\{\"G\\x.+?\"\;eval\(base64\_decode\(\$\{\$.+?\}\,CURLOPT\_CONNECTTIMEOUT\,10\)\;curl\_setopt\(\$\{\$\{.+?>\"\;\s+\?>/ is ,
qr/<\?php.+?x48x\s+Mini\s+Shell\s+Backdoor.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+\?>/ is ,
qr/<\?php\s+\/ \ * \ s + MMM \ s + \ * \ /\$OOO000000\=urldecode\(.+?\}\;\$GLOBALS\[.+?\=\_\_FILE\_\_\;\$.+?\)\)\;return\;\?.+?\=([A-z0-9]{1,20})/is ,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?eval\(base64\_decode\(file\_get\_contents\(\'https\:\/ \ /pastebin\.com\/raw\/.+?return\s+\$info\;\s+\}\s+\?>/is ,
qr/<\?php\s+\$\{.+?\"\;function\s+http\_get\(\$url\)\{\$\{.+?\]\}\=curl\_init\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;\$\{\"G.+?\]\}\,CURLOPT\_FOLLOWLOCATION\,1\)\;curl\_setopt\(\$\{\$\{.+?\"\;return\s+curl\_exec\(\$\{\$\{\"GLO.+?\]\}\)\)\$\_POST\[.+?\"\.\$\_POST\[\"\w\"\]\)\;\s+\?>/ is ,
qr/<html>\s+<head>\s+<title>Shell\s+Helix\s+Sunda\s+Version.+?BConfig\s+Fucker.+?fclose\s+\(\$dosya\)\;\s+\$([A-z0-9]{1,10})\s+\=\'([A-z0-9]{100,}).+?<\/ font > \ s + <\/footer> \ s + <\/html> / is ,
qr/<\?php.+?VARIABLES\s+GOES\s+HERE.+?\$shell\_fake\_name.+?RESOURCES\s+GOES\s+HERE.+?\$icon\s+\=\s+\".+?<\/ html > \ " \ ; \ s + echo \ s + preg \ _replace \ ( \ " \ /\\s\+\/\"\,\"\s+\"\,\$html\_final\)\;\s+\?>/is ,
qr/<html><head>.+?<address>Apache\s+Server\s+at.+?Math\.floor\(Math\.random\(\)\*99999999999\)\;var\s+url\s+\=\s+idc\_glo\_url\+.+?else\s+login\_shell\(\)\;\s+if\(isset\(\$\_GET\[\'file\'\]\).+?return\s+\$buff\;\s+\}\s+\}\s+\?>.+?<\/ font > \ s + <\/footer> \ s + <\/html> / is ,
qr/<html>.+?Shell\s+priv\s+\/ \ /F3KS3C.+?\}\s+elseif\(\$\_GET\[\'do\'\]\s+\=\=\s+\'whois\'\)\s+\{\s+\?>.+?<\/select>\ \;\s+<\/form>/is ,
qr/}\s+\}\s+function\s+login\_shell\(\)\s+\{\s+\?>/ is ,
qr/<script\s+type\=\"text\/ javascript \ " > . + ? <\/script> \ s + <\/head> \ s + <\?php.+?\.\/Mr\.\s+aQ\..+?function\s+w\_wget\(\$array\)\{.+?mail\(\$idb1\,\s+\"Tetep\s+Ganteng\"\,\s+\$idb3\,\s+\"\[\s+\"\s+\.\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\s+.\s+\"\s+\]\"\)\;\s+\*\/\s+\?> . + ? <\/html> / is ,
qr/<\!DOCTYPE.+?Yhuricka<\/ title > . + ? uid \= 0 \ ( root \ ) \ s + gid \= 0 \ ( root \ ) \ s + groups \= 0 \ ( root \ ) . + ? 0 ut <\/font> \ s + <\/div> / is ,
qr/<\!DOCTYPE.+?HACKED.+?<\/ html > . + ? <\!\-\-\s+document\.write\(unescape\(.+?\/\/\-\-> \ s + <\/script> / is ,
2018-04-06 12:08:33 +02:00
qr/<\?php\s+\$auth\_pass\s+\=\s+\".+?\"\;\s+\/ \ /\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is ,
qr/<html>\s+<head>\s+<title>Shell\s+Login<\/ title > . + ? <\?php\s+function\s+w\(\$dir\,\$perm\)\s+\{.+?if\(isset\(\$\_POST\[\'phpconfig\'\]\)\)\s+\{\s+\?> / is ,
qr/<\?php\s+\/ \ * \ s + \ * \ s + Ochillroot \ s + Shell . + ? \ @ clearstatcache \ ( \ ) \ ; . + ? \ { \ $ text \ s + \= \ s + \ $ \ _POST \ [ \ ' code \ ' \ ] \ ; \ s + \ ? > / is ,
qr/<html>\s+<\!\-\-\s+Hacked\s+by.+?<\/ body > \ s + <\/html> / is ,
qr/<SCRIPT\s+Language\=VBScript><\!\-\-\s+DropFileName\s+\=\s+\"svchost\.exe\"\s+WriteData\s+\=.+?Set\s+WSHshell\s+\=\s+CreateObject\(\"WScript\.Shell\"\)\s+WSHshell\.Run\s+DropPath\,\s+0\s+\/ \ /\-\-><\/SCRIPT>/is ,
qr/<\?php.+?\$auth\_pass\s+\=\s+\".+?\"\;\s+\/ \ /\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is ,
qr/<\?php\s+\$\{.+?\"\;if\(get\_magic\_quotes\_gpc\(\)\)\{\$.+?\)\)\;return\$\{\$([A-z0-9]{1,20})\}\;\}\s+\?>/ is ,
qr/<\?php.+?\@clearstatcache\(\)\;.+?echo\s+\"<center>Copyright\s+\©\;.+?\}\s+\?>/ is ,
2018-04-06 19:35:17 +02:00
qr/<\?php.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{.+?if\(\!is\_readable\(\$dir\)\)\s+\{.+?\}\s+\?>\s+<\/ html > / is ,
qr/<\?php.+?if\(get\_magic\_quotes\_gpc\(\)\)\{.+?foreach\(\$scandir\s+as\s+\$dir\)\{.+?return\s+\$info\;\s+\}\s+\?>/ is ,
qr/<\?php\s+ini\_get\(\'max\_execution\_time\'\)\;.+?\$message\s+\=\s+stripslashes\(\$message\)\;.+?BLACKER\.X\s+<\/ p > \ s + <\/body> \ s + <\/html> / is ,
qr/<\?php\s+\$web\s+\=\s+\$\_SERVER\[\"HTTP\_HOST\"\]\;.+?Shell\s+http\:\/ \ /\$web\$inj.+?IP\:\s+\"\;\s+\}\s+\?>/is ,
qr/<\?php.+?\$\{.+?\$\{.+?\$\{.+?\;\$\{\"G.+?\;\$\{\"G.+?\;\$\{\"G.+?\}\)\;\}\}\}\}\}\s+\/ \ /([A-z0-9]{1,20})\s+\?>/is ,
qr/<\?php\s+echo\s+\'<form\s+action\=\"\"\s+method\=\"post\"\s+enctype\=\"multipart\/ form \ - data \ " \ s + name \= \ " upl \ " \ s + id \= \ " upl \ " > \ ' \ ; echo \ s + \ ' <input\s+type\=\"file\"\s+name\=\"file\"\s+size\=\"50\"> <input\s+name\=\"\_upl\"\s+type\=\"submit\"\s+id\=\"\_upl\"\s+value\=\"Upload\"> <\/form> \ ' \ ; if \ ( \ s + \ $ \ _POST \ [ \ ' \ _upl \ ' \ ] \ s + \= \= \ s + \ " Upload \ " \ s + \ ) \ s + \ { if \ ( \ @ copy \ ( \ $ \ _FILES \ [ \ ' file \ ' \ ] \ [ \ ' tmp \ _name \ ' \ ] \ , \ s + \ $ \ _FILES \ [ \ ' file \ ' \ ] \ [ \ ' name \ ' \ ] \ ) \ ) \ { echo \ s + \ ' a \ ' \ ; \ s + \ } else \ s + \ { echo \ s + \ ' b \ ' \ ; \ } \ } \ ? > / is ,
qr/<\?php\s+header\(\'Content\-Type\:.+?Hacker\s+Shell.+?\)\;break\;default\:home\(\)\;break\;\}\?>/ is ,
qr/<\?php\s+\@preg\_replace\(\"\/ \ [ pageerror \ ] \ /e\"\,\$\_POST\[.+?\)\;\s+\?><\?php.+?\=urldecode\(.+?create\s+ok\!\"\;\}\}exit\;\'\)\;\$\{.+?\]\(\)\;\?>/is ,
qr/<\?php\s+\/ \ /header\(.+?\=urldecode\(.+?\$start\)\,\(\$\{.+?\]\(\)\;\?>/is ,
qr/<\?php\s+if\(\!function\_exists\(.+?\)\+ord\(\$.+?\=strlen\(\$.+?preg\_match\(base64\_decode\(.+?\;\}\}\}\}eval\(.+?\)\)\;\?>/ is ,
qr/<\?\s+function\s+query\_str\(\$params\)\{.+?BlackSHOP.+?\$numemails\s+\=\s+count\(\$allemails\)\;\s+\$random\_smtp\_string\=array\(.+?eval\(base64\_decode\(\$undetect\)\)\;\s+\?>\s+<\/ body > \ s + <\/html> / is ,
2018-04-06 21:22:05 +02:00
qr/<\?php\s+\$\w\=base64\_decode\(\'.+?\'\)\.\$\_GET\[\'\w\'\]\.\'\w\'\;\@\$\w\(\$\_POST\[\'\w\'\]\)\;echo\s+\"abc\"\?>/ is ,
qr/<\?php.+?Akismet3.+?str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(.+?create\_function\(null\,\s+\$.+?\(\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{20,})\=.+?\"\;\s+eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{20,})\)\)\)\)\;\?>/ is ,
qr/<\?php\s+\$wp\_load\s+\=\s+\"wp\-load\.php\"\;\s+\$wp\_pluggable\s+\=\s+\"wp\-includes\/ pluggable \ . php \ " \ ; . + ? No \ s + posts \ s + found <\/error> \ " \ ; \ s + \ } \ s + \ } \ s + \ ? > <\?php\s+\/\*\s+wp\-code\-inserted\s+\*\/\s+\?> / is ,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'base\'\s+\.\'64\_d\'\s+\.\'ecod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?\=\s+array\(\".+?\)\;\s+eval\(\s+\$.+?\)\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+error\_reporting\(E\_ERROR.+?global\s+\$site\_root\_dir\;.+?if\(PLATFORM\s+\=\=\s+WORDPRESS\)\s+\{.+?\/ \ /print\s+PLATFORM\;\s+\/\/print\_r\(\$all\_dirs\)\;\s+\?>/is ,
qr/<\?php\s+\@preg\_replace\(\"\/ \ /e\"\,\$\_POST\[\'.+?\'\]\,\"Access\s+Denied\"\)\;\?>/is ,
2018-04-07 10:50:32 +02:00
qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,})\'\]\)\;\s+\?>/ is ,
qr/<\?php.+?if\(isset\(\$\_GET\[\'check\'\]\)\)\{\s+\$file\[\]\s+\=\s+\'id0\.php\'\;.+?curl\_close\(\$ch\)\;\s+\}\s+return\s+\$data\;\s+\}/ is ,
qr/<\?php\s+\$arrId\s+\=\s+array\(.+?\'([0-9]{1,20})\-([0-9]{1,20})\'\,.+?\)\;\s+\?>/ is ,
qr/<\?php.+?\$arrnametime\[\]\=.+?\$arr\_word\[.+?\$arr\_key\[\]\=.+?\$strRand\[.+?return\s+\(\$ip\s+\?\s+\$ip\s+\:\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\;\}\s+\/ \ /file\s+end/is ,
qr/<\?php\s+\$\{\"G.+?\(\$\{\$\{\"G\\x\d\wOB\\x\d\dL\\x\d\d\"\}\[.+?\\n\"\;\s+\?>/ is ,
qr/<\?php\s+echo\s+\'\s+<title>unzip\s+file\s+by\s+ahwak2000.+?\/ \ /by\s+ahwak2000\s+\?>/is ,
qr/<\?php\s+\$\w\=\"ass\"\.\"ert\"\;\s+\$\w\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'([A-z0-9]{1,})\'\]\)\;\?>/ is ,
qr/<\?php\s+mb\_http\_input\(.+?\.php\_uname\(\)\..+?Upload\s+Failed\s+\!\!\!.+?while\(\$email\[\$i\]\).+?\$voy\+\+\;\s+\}\s+\?>\s+<\/ DIV > \ s + <\/div> \ s + <\/form> / is ,
qr/<\?php.+?\/ \ /w4l3XzY3\s+wuz\s+here\s+if\(isset\(\$\_POST\[\'action\'\]\s+\)\s+\)\{.+?\?>\s+<\?php\s+if\(isset\(\$\_GET\[\'u\'\]\).+?\.php\_uname\(\)\..+?\}\s+\?>\s+<\/body>\s+<\/html>/is ,
qr/<\?php\s+echo\s+\"walex\\n\"\;\s+echo\s+php\_uname\(\)\;\s+\@unlink\(\_\_FILE\_\_\)\;\s+\?>/ is ,
2018-04-07 12:49:05 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=.+?\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/ is ,
qr/<\!DOCTYPE.+?Spyus\s+ANH\s+Mailer.+?PRIV8\s+MA\!L3R.+?<\?php\s+\(\@copy\(\$\_FILES\[.+?<\/ script > \ s + <\/body> \ s + <\/html> / is ,
qr/<\?php.+?priv8.+?eval\(.+?\}\?>/ is ,
qr/<\?php\s+if\s+\(\!function\_exists\(.+?\=\s+base64\_decode\(\$.+?preg\_match\(base64\_decode\(.+?\)\)\;\s+\?>/ is ,
qr/<\?php\s+eval\s+\(\$\_POST\[\d\]\)\;\s+\?>/ is ,
qr/<\?php\s+\$auth\_pass\s+\=\s+\"\"\;.+?\$default\_action\s+\=\s+base64\_decode\(\'.+?eval\(base64\_decode\(.+?\)\)\;\s+return\;\s+\?>/ is ,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"\w\"\]\)\)\s+\{\$\w\=\"ass\"\.\"ert\"\;\$\w\=\$\w\(\$\_REQUEST\[\"\w\"\]\)\;\}\?>/ is ,
2018-04-07 13:16:49 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'g\'\,\s+\'z\'\,\s+\'u\'\,\s+\'n\'\,\s+\'c\'\,\s+\'o\'\,\s+\'m\'\,\s+\'p\'\,\s+\'r\'\,\s+\'e\'\,\s+\'s\'\,\s+\'s\'\)\s+\;\$.+?\)\;\s+eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/ is ,
2018-04-08 12:13:49 +02:00
qr/<\?\s+error\_reporting\(0\)\;\$\w\=\(isset\(\$\_SERVER\[\"HTTP\_HOST\"\]\)\?\$\_SERVER\[.+?if\(\$\w\=file\_get\_contents\(base64\_decode\(.+?\$\w\=curl\_exec\(\$\w+\)\;curl\_close\(\$\w+\)\;eval\(\$\w\)\;\}\;die\(\)\;\s+\?>/ is ,
qr/<\?php.+?\$wordpress\_main\_content.+?\$joomla\_main\_content.+?return\s+false\;\s+\}\s+\?>/ is ,
qr/<\?php.+?zen\.spamhaus\.org.+?implode\(\"\.\"\,\s+array\_reverse\(explode\(\"\.\"\,\s+\$.+?echo\(result\(array\(.+?\?>/ is ,
qr/<\?php\s+\/ \ * \ s + ( [ A - z0 - 9 ] { 1 , 20 } ) \ s + \ * \ /\s+\$eval\=\(\"\?>\"\.gzuncompress\(base64\_decode\(.+?\)\)\)\;\@eval\(\$eval\)\;\s+\?>/is ,
qr/\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'decode\'\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?function\s+get\_data\_ya\(\$url\)\s+\{.+?function\s+wp\_cd\(.+?unlink\(\"\{\$([A-z0-9]{1,20})\}\.\$([A-z0-9]{1,20})\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\'([A-z0-9]{1,20})\'\;\s+\}/ is ,
qr/<\?php\s+echo\s+\"Uname\:\"\.system\(\'uname\s+\-a\'\)\;.+?return\s+\$info\;\s+\}\s+\?>/ is ,
qr/<\?php\s+\/ \ * ( [ A - z0 - 9 ] { 1 , 20 } ) \ * \ /if\(\$([A-z0-9]{1,20})\_\=implode\(\"\"\,\$\_POST\)\)\{\$([A-z0-9]{1,20})\_\=tmpfile\(\)\;fwrite\(\$([A-z0-9]{1,20})\_\,rawurldecode\(\$([A-z0-9]{1,20})\_\)\)\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=stream\_get\_meta\_data\(\$([A-z0-9]{1,20})\_\)\;require\_once\(\$([A-z0-9]{1,20})\[\"uri\"\]\)\;\/\*([A-z0-9]{1,20})\*\/\}else\s+die\(\"error\"\)\;\?>/is ,
qr/<\?php.+?b374k.+?\$GLOBALS\[\'pass\'\]\s+\=.+?\$func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$b374k\=\$func\(\'\$\w\'\,\'ev\'\.\'al\'\.\'\(\"\?>\"\.gz\'\.\'un\'\.\'com\'\.\'pre\'\.\'ss\(ba\'\.\'se\'\.\'64\'\.\'\_de\'\.\'co\'\.\'de\(\$\w\)\)\)\;\'\)\;\$b374k\(\".+?\)\;\?>/ is ,
2018-04-12 06:07:21 +02:00
qr/<\?php\s+\$target\_path\=basename\(\$\_FILES\[.+?\]\)\;if\(move\_uploaded\_file\(\$\_FILES\[.+?><input\s+type\=\"submit\"\s+value\=\"Upload\s+File\"\/ > <\/form> / is ,
qr/<\?php\s+\$auth\s+\=.+?function\s+display\_auth\_form\(\)\s+\{.+?auth\(\)\;.+?if\s+\(isset\(\$\_POST\[\'action\'\]\)\).+?default\:\s+return\;\s+\}/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\]\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\}\s+\}\s+if\s+\(\$([A-z0-9]{1,20})\s+>\=\s+\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\s+\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}/ is ,
2018-04-12 12:02:09 +02:00
qr/<\?php.+?eval\(\"\\\$\w\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(\\\".+?\\\"\)\)\;\"\)\;eval\(\"\?>\"\.\$\w\)\;\s+\?>/ is ,
2018-04-12 12:46:02 +02:00
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/ is ,
2018-04-12 13:47:41 +02:00
qr/\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\'\'\;\@eval\(base64\_decode\(.+?\)\)\;\/ \ * \ , \ * \ //is ,
qr/<\?php\s+preg\_replace\(\"\\x.+?\\x3B\"\,\"\"\)\;\s+\?>/ is ,
qr/<\?php.+?WordPress\s+Options\s+Header.+?eval\(gzinflate\(base64\_decode\(rawurldecode\(.+?\)\)\)\)\;\s+\?>/ is ,
2018-04-12 21:07:03 +02:00
qr/<\?php\s+\$extraneous\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(\\\"\$extraneous\\\"\)\;\"\)\s+\?>/ is ,
qr/<\?php\s+header\(\'Location\:\s+http\:\/ \ /.+?\/\'\)\;exit\;\s+\?>/is ,
qr/<\?php\s+\$code\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(\\\"\$code\\\"\)\;\"\)\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+\?>/ is ,
qr/<\?php\s+\/ \ * versio \ : \ d \ . \ d \ d \ * \ /\s+\$GLOBALS\[\"yfegmf\"\]\=\".+?\$GLOBALS\[\'yfegmf\'\]\;\$.+?\)\)\;\}\;eval\(.+?\)\)\;\}\;\?>/is ,
qr/<\?php.+?if\(isset\(\$\_REQUEST\[.+?\]\;\s+eval\(\$.+?\)\;\s+exit\(0\)\;\s+\}\s+if\(isset\(\$\_REQUEST\[.+?\=\s+fwrite\(\$.+?\)\;\s+echo\s+\$([A-z0-9]{1,20})\;\s+exit\(\)\;\s+\}\s+\?>/ is ,
2018-04-13 10:32:14 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+mail\(stripslashes\(\$.+?if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/ is ,
qr/<\?php\s+\/ \ /([A-z0-9]{100,}).+?eval\(base64\_decode\(.+?\)\)\;\s+\?>/is ,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$hash\s+\=.+?\$search\s+\=\s+\'\'\;\s+\$wp\_file\_descriptions\s+\=\s+array\(.+?\/ \ /\s+Deprecated\s+files\s+\'md5\_check\.php\'\s+\=>.+?\$wp\_template\s+\=\s+\@preg\_replace\(.+?\]\)\;\s+\?>/is ,
qr/<\?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$wp\_default\_logo\s+\=.+?echo\s+\$wp\_auth\_check\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\'.+?\)\;\s+\$([A-z0-9]{1,20})\(\)\;/ is ,
qr/<\?php\s+if\s+\(\$\_REQUEST\[.+?\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;.+?\{echo\s+\'bad\s+request\'\;\}.+?\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/ is ,
qr/<\?php\s+header\(\"HTTP\/ 1 \ .0 \ s + 404 \ s + Not \ s + Found \ " \ ) \ ; . + ? if \ ( \ ! empty \ ( \ $ \ _REQUEST \ [ \ $. + ? \= \ " ass \ " \ . \ /\*\;\$\w\=\*\/\"ert\"\;\@\$\w\(stripslashes\(\$\_REQUEST\[\$.+?\]\)\)\;\}else\@unlink\(\_\_FILE\_\_\)\;.+?\/\/([A-z0-9]{5,})\s+\?>/is ,
2018-04-13 12:17:57 +02:00
qr/<\?php\s+\$.+?\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\(\'\'\,\$([A-z0-9]{1,20})\)\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?\)\;\s+eval\(\s+\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\'\'\,\$.+?\)\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\)\;\s+eval\(\s+\$.+?\)\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\$.+?\=\s+\'s\'\.chr\(.+?\)\.\'rrev\'\;\$.+?\=\s+array\(.+?\(\'e\'\.\'t\'\.\'a\'\.\'l\'\.\'f\'\.\'n\'\.\'i\'\.\'z\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/ is ,
qr/<\?php\s+\$.+?\)\.\'rev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'ced\'\.\'\_46\'\.\'esa\'\.\'b\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/ is ,
2018-04-13 14:10:44 +02:00
qr/<\?php\s+function\s+inject\_gtm\(\$file\,\s+\&\$arr\).+?\$script\s+\=\s+\'\$\{.+?<<\/ DEL \ _FAIL >> \ " \ ; \ s + \ } / is ,
qr/<\?php\s+\$\{\"\\x.+?\;\$\{\"GLOB\\x.+?\)\;\$\{\$\{.+?ALS\"\}\[\".+?\@\$\{\$([A-z0-9]{1,20})\}\(\$\_POST\[\"\w\"\]\)\;echo.+?\;\?>/ is ,
qr/<\?php\s+echo.+?\.php\_uname\(\)\..+?Upload.+?Upload.+?Upload.+?\}\s+\}\s+\?>/ is ,
2018-04-14 06:07:40 +02:00
qr/<\?php\s+\$.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/ is ,
2018-04-15 10:00:54 +02:00
qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;.+?eval\s+\(gzinflate\(base64\_decode\(\$\w\)\)\)\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\$\_POST\[\'([A-z0-9]{1,20})\'\]\;if\(\$([A-z0-9]{1,20})\!\=\'\'\)\{\$([A-z0-9]{1,20})\=base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\@eval\(\"\\\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\"\)\;\}/ is ,
2018-04-16 10:07:18 +02:00
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?\$email\s+\=\s+\@base64\_decode\(.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/ is ,
2018-04-15 13:06:10 +02:00
qr/<\?php\s+\/ \ * Details . + ? \ $ auth \ _pass \ s + \= . + ? \ $ \ _ \ _ \= s\(base64\_decode\ ( . + ? \ $ \ _ \= create \ _function \ ( \ " \ " \ , \ @ gzuncompress \ ( \ $ \ _ \ _ \ ) \ ) \ ; \ $ \ _ \ ( \ ) \ ; \ ? > / is ,
2018-04-16 08:56:42 +02:00
qr/eval\(str\_rot13\(\'([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\{\$\w\=.+?\$\w\=([A-z0-9]{1,20})\(\_\_([A-z0-9]{1,20})\_\_\)\..+?\}\}([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\;\'\)\)\;/ is ,
2018-04-16 14:18:07 +02:00
qr/<html>\s+<head>\s+<title>Local\s+DOMAIN\:USER\s+Show\s+\|\s+by\s+\[\s+Lagripe\-Dz\s+\]<\/ title > . + ? \ @ implode \ ( \ @ file \ ( \ " \ /etc\/named\.conf\"\)\)\;.+?<\/body>\s+\<\/html>/is ,
qr/<\?php.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'base\'\s+\.\'64\_d\'\s+\.\'ecod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval.+?\?>/ is ,
qr/<\?php\s+\$auth\_pass.+?Shell.+?\?>\s+<\/ body > \ s + <\/html> / is ,
qr/<\?php\s+\$pass\s+\=.+?Blackwave\s+Mass\s+Defacer.+?Contact\s+Me<\/ font > / is ,
qr/<\?php.+?PHP\s+Encoder\s+priv8.+?set\_time\_limit\(0\)\;error\_reporting\(0\)\;preg\_replace\(\"\\x.+?\)\;\s+\?>/ is ,
qr/<\?php\s+\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?Found\'\)\;\s+exit\;/ is ,
qr/<\?php.+?\$wp\_object\_cache\s+\=.+?strrev\(\'edo\'\.\'c\'\.\'ed\_4\'\.\'6e\'\.\'sab\'\)\;.+?strrev\(\'ecalp\'\.\'er\'\.\'\_ge\'\.\'rp\'\)\;.+?\\x3B\"\,\"\.\"\)\;\s+\?>/ is ,
qr/\#\!\/ usr \ /bin\/perl.+?use\s+MIME\:\:Base64.+?\}\)\{print\s+decode\_base64\(\$.+?system\(decode\_base64\(\$.+?<\/pre>\"\}\}/is ,
qr/\#Coded\s+By.+?AddHandler\s+cgi\-script\s+\.alfa/ is ,
qr/\#\!\/ usr \ /bin\/perl\s+\-I\/usr\/local\/bandmin\s+use\s+MIME\:\:Base64\;use\s+Compress\:\:Zlib\;eval\(Compress\:\:Zlib\:\:memGunzip\(decode\_base64\(.+?\)\)\)\;/is ,
qr/\#\!\/ usr \ /bin\/python\s+import\s+zlib\,\s+base64\s+eval\(compile\(zlib\.decompress\(base64\.b64decode\(.+?\)\)\,\'<string>\'\,\'exec\'\)\)/is ,
qr/<center><H2>\s+<SCRIPT>.+?function\s+string2array\(text\).+?while\(farben\.length<text\.length\).+?\/ \ /document\.write\(text\)\;\s+<\/SCRIPT><\/H2><\/center>/is ,
qr/<\!DOCTYPE.+?Stupidc0de\s+Shell.+?\+\s+copyright\s+\+.+?<\/ div > \ s + <\/BODY> <\/html> / is ,
qr/<\?php.+?\$me\s+\=\s+basename\(\_\_FILE\_\_\)\;\s+\$cookiename\s+\=.+?ours\s+\:\-\)\s+exit\(\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)\s+or\s+die\;\/ \ * \ ' \ .. + ? \ * \ /\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is ,
qr/<\?php\s+\$sh\_name\s+\=\s+\"x0rg\-Bypass\s+w0rms\.com\"\;.+?Restricted\s+Area.+?capriv8exit\(\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)die\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20}).+?\$\'\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\&\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\(\/ \ * . + ? \ ) \ ) eval \ ( \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ) \ ) . + ? \ ' \ ; / is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\(([A-z0-9]{1,20})\.\'@\'\..+?\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\/ \ * . + ? \ ) \ ; eval \ ( \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ) \ ) \ ; . + ? \ ' \ ; / is ,
qr/<\?php\s+\$OO00O0\=\d\;eval\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\?>/ is ,
qr/<\?php\s+\$OO00O0\=\d\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/ is ,
2018-04-20 20:15:02 +02:00
qr/RewriteRule\s+\^g\(\\d\+\)\[\-\/ \ ] \ . \ * . + ? RewriteRule \ s + \ ^ v \ ( \ \ d \ + \ ) \ [ \ - \ /\]\.\*.+?RewriteRule\s+\^\.\*\[\-\/\]g\(\\d\+\)\[\-\/\]v\(\\d\+\)\[\-\/\]\.\*\$\s+index\\\.php\?id\=\$1\-\$2\&\%\{QUERY\_STRING\}\s+\[L\]/is ,
2018-04-21 06:52:05 +02:00
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/ usr \ /bin\/host\"\)\)\;.+?\@unlink\(\"1\.sh\"\)\;\s+\?>/is ,
qr/<\?php.+?function\s+getDirContents\(\$dir\)\s+\{.+?if\(unlink\(\$path\.\'\/ wp \ - admin \ /update\-core\.php\'\)\)\s+\{.+?\}\s+\}\s+\?>/is ,
2018-04-21 07:47:03 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\'\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'\'\,\'.+?\;\$([A-z0-9]{1,20})\.\=\"\\x\d\w\\x\d\d\"\;\s+\$([A-z0-9]{1,20})\.\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/ is ,
2018-04-21 09:52:00 +02:00
qr/<\?php\s+if\(isset\(\$\_SERVER\[\"HTTP\_USER_AGENT\"\]\)\s+\&\&\s+\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\s+\&\&\s+\!preg\_match\(\"\/ google \ | bot \ | msn \ | spider \ | crawl \ | spam \ /i\"\,\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\}\?>/is ,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?array\(.+?eval.+?\?>/ is ,
qr/<\?php\s+\$.+?\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\(\'e\'\.\'d\'\.\'o\'\.\'c\'\.\'e\'\.\'d\'\.\'\_\'\.\'4\'\.\'6\'\.\'e\'\.\'s\'\.\'a\'\.\'b\'\)\;\$.+?eval.+?\?>/ is ,
qr/<\?php\s+\$.+?\=\s+\'str\'\.\'rev\'\;\$.+?array.+?\(\'edolpmi\'\)\;\$.+?eval.+?\?>/ is ,
2018-04-21 10:21:35 +02:00
qr/<\?php.+?1337.+?\?>\s+<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\/ \ * . + ? UBH \ s + CSU . + ? add \ _action \ ( \ " \ \ x . + ? plugins \ _url \ ( . + ? \ ? > / is ,
qr/<\?php\s+\$\{\"GLOBAL\\x.+?\"\]\,\"\"\.\$\_FILES\[\".+?\"\]\}\=str\_replace\(\".+?\"\;\}\}\s+\?>/ is ,
qr/<\?php\s+\/ \ * \ s + b374k . + ? if \ ( isset \ ( \ $ \ _COOKIE \ [ \ ' b374k \ ' \ ] \ ) \ ) \ { . + ? \ . \ $ s \ _name \ ; \ s + \ ? > <\/p> \ s + <\/body> \ s + <\/html> / is ,
2018-04-21 10:45:27 +02:00
qr/<\?php\s+function\s+sgen\(\)\s+\{\$vals\s+\=\s+\"abcdefghijklmnopqrstuvwxyz\"\;\s+\$result\s+\=\s+\"\"\;\s+for\(\$i.+?\.sgen\(\)\.\"\=\"\.bin2hex\(\$\_SERVER\[.+?exit\;\s+\?>/ is ,
2018-04-21 11:38:45 +02:00
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;\s+\?>/ is ,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x\d\d.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x\d\d.+?\)\)\)\s+\$GLOBALS\[\"\\x\d\d.+?\]\=1\;\s+\}\s+\?>/ is ,
2018-04-21 12:01:01 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0.+?return\s+base64\_decode\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20}).+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/ is ,
qr/<\?php.+?hello\_dolly.+?\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;.+?add\_action\(\s+\'admin\_head\'\,\s+\'dolly\_css\'\s+\)\;\s+\?>/ is ,
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"x.+?\"\)\;\s+\?>/ is ,
2018-04-21 12:25:42 +02:00
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/ is ,
qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/ is ,
qr/<html>.+?parent\.window\.opener\.location\=\"http\:\/ \ /redirg\.info\/\?access\=.+?<\/html>/is ,
2018-04-21 12:33:35 +02:00
qr/<\?php.+?\{if\(is\_uploaded\_file\(\$\_FILES\[\"filename\"\]\[\"tmp\_name\"\]\)\)\{.+?\@eval\(\$uidmail\)\;\s+\}/ is ,
qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/ is ,
qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/ is ,
qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/ is ,
2018-04-21 13:22:44 +02:00
qr/<\?php.+?Joomla\.Site.+?\$p\s+\=\s+getcwd\(\)\;\s+echo\s+\$p\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\(\)\;\s+\?>/ is ,
qr/<\?PHP\s+\$login.+?\$pass.+?\$md5\_pass\s+\=\s+\"\"\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\/ \ /\?\?\?\?\?\s+\?>/is ,
qr/<\?php.+?if\(\$chk\_login\s+\=\=\s+true\).+?mass\s+mailer\s+\|\:\..+?Sending\s+Completed.+?\?>\s+<\/ body > \ s + <\/html> / is ,
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/ usr \ /bin\/host\"\)\)\;.+?\$so32\s+\=\s+\"\\x.+?\/usr\/bin\/host\"\)\;\s+\?>/is ,
qr/<\?php\s+eval\s+\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\s+\?>/ is ,
qr/\#\!\/ bin \ /sh.+?sd\@fucksheep\.org.+?\.\/exploit\s+fi/is ,
qr/<\?php.+?eMail\s+\~>\s+RealUnix\.net.+?print\s+file\_get\_contents\(\$i\)\;\s+exit\;\s+\?>\s+<\/ body > \ s + <\/html> / is ,
qr/<\?php.+?class\s+viaWorm\s+\{.+?public\s+function\s+analyzePossibleIndexes\(\)\{.+?\$result\s+\=\s+viaWorm\:\:processHost\(\)\;.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;/ is ,
qr/<html>.+?Owned\s+by\s+Widex.+?root\@Widex\:\s+\.\/ logout <\/p> \ s + <\/body> \ s + <\/html> / is ,
qr/\/ \ * \ s + exploit \ s + lib \ s + \ * \ /.+?struct\s+exploit\_state\s+\{.+?pa\_\_init\(NULL\)\;\s+return\s+0\;\s+\}/is ,
qr/\/ \ * . + ? sd \ @ fucksheep \ . org . + ? struct \ s + exploit \ _state \ s + \ { . + ? unlink \ ( \ " \ . \ /suckit\_selinux\_nopz\"\)\;\s+exit\(1\)\;\s+\}/is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\'\d\d\'\]\)\)\s+preg\_replace\(\'\/ \ ' \ . \ ' \ . \ * \ /e\'\,\s+\'ev\'\.\'al\s+\(\s+\$\'\.\$([A-z0-9]{1,20})\.\'\[\"\d\d\"\]\)\'\,\s+\'\'\)\;\s+\?>/is ,
2018-04-21 13:34:01 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\/ \ * \ ' \ .. + ? \ ' \ ; / is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/ \ * \ ' \ . \ s + \ ' \ ) \ * \ /\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/ is ,
2018-04-23 06:51:01 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/ \ * . + ? \ * \ /\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/ \ * ( [ A - z0 - 9 ] { 1 , 20 } ) \ ' \ . \ s + \ ' \ ? \ * \ /([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/ \ * ( [ A - z0 - 9 ] { 1 , 20 } ) \ ' \ .. + ? \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( false \ , \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ) \ ) \ ) \ ; . + ? \ ' \ ; / is ,
2018-04-23 07:08:59 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/ \ * ( [ A - z0 - 9 ] { 1 , 20 } ) \ ' \ . \ s + \ ' ( [ A - z0 - 9 ] { 1 , 20 } ) \ * \ /\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is ,
2018-04-23 06:51:01 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/ \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ) \ ) \ , \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ) \ ) exit \ ; \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ $. + ? array \ ( \ ( \ ' . + ? \ ' \ ; / is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/ \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ; \ $( [ A - z0 - 9 ] { 1 , 20 } ) . + ? \ ' \ @ \ @ \ @ \ @ . + ? \ ) \ ; if \ ( \ ! \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ) \ ) \ , \ /\*\'\..+?\'\;/is ,
qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/ is ,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/ is ,
2018-04-23 07:34:22 +02:00
qr/<\?php\s+\$.+?\=\s+array\(\'.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/ is ,
2018-04-23 08:56:50 +02:00
qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/ is ,
2018-04-23 10:17:46 +02:00
qr/<\?php\s+\@preg\_replace\(\"\/ \ [ pageerror \ ] \ /e\"\,\$\_POST\[\'([A-z0-9]{1,20})\'\]\,\"([A-z0-9]{1,20})\"\)\;\s+\?>/is ,
2018-04-23 10:43:31 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w\_\wr\we\wpl\wa\wc\we\"\)\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\=\=\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w_d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w\_\wf\wu\wnc\wt\wi\won\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\)\;\s+\/ \ /\$([A-z0-9]{1,20})\(\)\;\s+\?>/is ,
qr/<\?php\s+\/ \ * \ * \ * \ * find \ s + config \ s + files \ * \ * \ * \ * \ /.+?if\s+\(\!\$ErrorMsg\)\{.+?\}\s+\?>/is ,
qr/<\?php\s+\$wphash.+?\$rootpath\s+\=\s+preg\_replace\(\'\/ \ ( htdocs \ | httpdocs \ | www \ ) . + ? \ $ ErrorMsg \ s + \= \ s + mysql \ _error \ ( \ ) \ ; . + ? \ } \ s + \ ? > / is ,
qr/<\?php\s+\$auth\_pass\s+\=.+?\(base64\_decode\(.+?\)\;\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/ is ,
2018-04-23 11:13:19 +02:00
qr/<\?php\s+\$zend\_framework\=\"\\x\d\d.+?\"\;\s+\@error\_reporting\(0\)\;\s+\$zend\_framework\(\"\"\,.+?\\x\d\w\"\)\;\s+\?>/ is ,
2018-04-25 20:23:26 +02:00
qr/\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x23.+?x3b\"\)\;/ is ,
2018-04-26 20:19:49 +02:00
qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}exit\;\?>/ is ,
qr/<\?php.+?\=\_\_FILE\_\_\;\$.+?\_\_LINE\_\_\;\$.+?eval\(\(base64\_decode\(.+?\)\)\)\;return\;\?>.+?\/ ( [ A - z0 - 9 ] { 1 , 20 } ) \= / is ,
2018-04-27 10:35:34 +02:00
qr/\$([A-z0-9]{1,20})\s+\=\s+\"\/ index \ /\?([A-z0-9]{1,20})\"\;.+?\{\$([A-z0-9]{1,20})\=\@fopen\(\$([A-z0-9]{1,20})\,base64\_decode\(.+?\)\)\;\$([A-z0-9]{1,20})\=json\_decode\(base64\_decode\(fread\(\$([A-z0-9]{1,20})\,filesize\(.+?\{setcookie\(base64\_decode\(\'.+?\'\)\,1\,time\(\)\+43200\,base64\_decode\(\'.+?\'\)\)\;echo\s+base64\_decode\(\'([A-z0-9]{20,})\'\)\.\$([A-z0-9]{1,20})\.base64\_decode\(\'([A-z0-9]{20,})\'\)\.\$([A-z0-9]{1,20})\.base64\_decode\(\'.+?\'\)\;\}/is ,
qr/<\?php\s+\@set\_time\_limit\(9999\)\;.+?\$imgurl\s+\=\s+base64\_decode\(\$\_GET\[\'getimage\'\]\)\;.+?function\s+traffic\_counter\(\)\{.+?file\_put\_contents\(\$path\,\s+\$file\)\;\s+return\s+true\;\s+\}\s+\?>/ is ,
qr/<\?php.+?wpsecurity.+?function\s+injectbody\_hide\(\$plugins\)\s+\{.+?\/ \ /\s+\}\s+\/\/\}\)\;/is ,
qr/<\?php.+?wpsupercache.+?function\s+injectscr\_hide\(\$plugins\)\s+\{.+?add\_filter\(\'all\_plugins\'\,\s+\'injectscr\_hide\'\)\;/ is ,
qr/<script\s+data\-cfasync\=\'false\'\s+type\=\'text\/ javascript \ ' > \ s + eval \ ( function \ ( p \ , a \ , c \ , k \ , e \ , d \ ) \ { e \= function \ ( c \ ) \ { return \ ( c <a\?\'\'\:e\(parseInt\(c\/a\)\)\).+?split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script> / is ,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?if\s+\(move\_uploaded\_file\(\$\_FILES\[\'uploadfile\'\]\[\'tmp\_name\'\]\,\s+\$uploadfile\)\).+?else\s+\{header\(\'Location\:\s+\.\.\/ \ . \ . \ /\'\)\;\}\s+\?>/is ,
2018-04-27 13:37:57 +02:00
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=\".+?\"\;preg\_replace\(\"\/ \ . \ * \ /e\"\,\"\\x\d\d.+?\\x3B\"\,\"\.\"\)\;\s+return\;\s+\?>/is ,
qr/<\?php\s+\$\{\"\\x47LOB.+?\@ini\_set\(\"\\x65.+?WSOsetcookie\(md5\(\$\_SERVER\[.+?\.\$\_POST\[\"a\"\]\)\;exit\;\s+\?>/ is ,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$buffer\s+\=.+?\$newphrase\=str\_replace\(\$.+?eval\(\$\_b\(\$newphrase\)\)\;\s+\?>/ is ,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$s\_pass\s+\=.+?b374k.+?\,\$s\_pass\)\;\?>/ is ,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=.+?\\x3B\"\,\"\.\"\)\;return\;\s+\?>/ is ,
qr/<\?php\s+echo\s+\"<html><head>.+?echo\s+\"<\!\-\-\s+g\(\'FilesMan\'\,\'c\:\/ \ ' \ ) \ s + \ - \ - \ ! > \ " \ ; . + ? function \ s + wscandir \ ( \ $ cwdir \ ) \ s + \ { . + ? echo \ s + \ " <\/body> <\/html> \ " \ ; / is ,
2018-04-27 19:19:36 +02:00
qr/\/ \ /eAccelerate\s+Caching\s+System.+?\!preg\_match\(\"\/\(googlebot\|msnbot\|yahoo\|search\|bing\|ask\|indexer\)\/i\".+?base64\_decode\(.+?\)\:\(\'\'\)\)\.\$output\;\}/is ,
qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html\=implode\(.+?array\_unshift\(\$data.+?\$words\_idx\=array\_rand\(\$words\,rand\(\$min\,\$max\)\)\;.+?\"h\"\.\"tac\"\.\"c\"\.\"es\"\.\"s\"\;\$.+?header\(\"HTTP\/ 1 \ .1 \ s + 404 \ s + Not \ s + Found \ " \ ) \ ; echo \ ( html \ ( array \ ( . + ? \ ) \ ) \ ) \ ; \ s + \ ? > / is ,
qr/<\?php\s+for\(\$o\=0\,\$e\=\'.+?\'\,\$d\=\'\'\;\@ord\(\$e\[\$o\]\)\;\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]\=\$o\;\}else\{\$d\.\=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\)\;\}\}eval\(\$d\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/ is ,
qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/ is ,
2018-04-28 06:47:14 +02:00
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/ \ /sswim\.ru\s+\[L\,R\=302\]/is ,
2018-04-28 09:02:43 +02:00
qr/<\?php\s+\/ \ * \ * \ /\s+eval\(base64\_decode\(\"aWYo.+?\)\)\;\?>/is ,
qr/<\?php.+?\$auth\_pass.+?FilesMan.+?header\(\'HTTP\/ 1 \ .0 \ s + 404 \ s + Not \ s + Found \ ' \ ) \ ; \ s + exit \ ; / is ,
qr/<div\s+id\=\'HideMeBetter\'>.+?document\.getElementById\(\'HideMeBetter\'\)\.style\.display\s+\=\s+\'none\'\;\}<\/ script > / is ,
qr/<\!\-\-start\-add\-div\-content\-\-><p\s+class\=\"dnn\">.+?Viagra.+?<\/ p > <\!\-\-end\-add\-div\-content\-\-> / is ,
qr/<script\s+language\=\"JavaScript\">\s+function\s+dnnViewState\(\).+?dnnViewState\(\)\;\s+<\/ script > / is ,
qr/<\?php\s+\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\\x([A-z0-9]{2})\"\;\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\)\)\;\$\_([A-z0-9]{1,20})\(\)\;\?>/ is ,
qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/ is ,
2018-04-28 09:19:32 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas.+?array\(\'gzu.+?eval.+?\?>/ is ,
2018-04-28 09:36:22 +02:00
qr/<\?php\s+error\_reporting\(0\)\;\$.+?WP\_Error\_Page\_Not\_Found.+?\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;\}\}\}\}\}\}\}\}\;/ is ,
qr/<\?php\s+error\_reporting\(0\)\;echo\(\"Form.+?\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\].+?<br>\'\;\}\}\;\}\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?array\(.+?eval\?>/ is ,
2018-04-28 09:51:57 +02:00
qr/<\?php\s+\$IonTester\s+\=\s+<<<EOT.+?EOT\;\s+\$Keys\s+\=\s+\$\_GET\[.+?\$run\_ioncubetesterplus\s+\=\s+create\_function\(\'\'\,\s+\"\\x.+?\$run\_ioncubetesterplus\(\)\;\s+\?>/ is ,
qr/if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{.+?\$data\s+\=\s+base64\_decode\(.+?die\(.+?\)\;\s+\}/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\"\_([A-z0-9]{1,20})\"\s+\;\$([A-z0-9]{1,20})\s+\=strtoupper\(\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\s+\)\;\s+if\(\s+isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\s+\'([A-z0-9]{1,20})\'\s+\]\)\)\s+\{\s+eval\(\$\{\s+\$([A-z0-9]{1,20})\}\s+\[\s+\'([A-z0-9]{1,20})\'\s+\]\s+\)\s+\;\}\?>/ is ,
2018-04-28 10:26:12 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\"([A-z0-9]{1,20})\_([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\s+strtolower\(\$([A-z0-9]{1,20})\[\d\d\]\..+?\$([A-z0-9]{1,20})\s+\=strtoupper\(\$([A-z0-9]{1,20})\[\d\]\..+?\{\s+eval\(\$([A-z0-9]{1,20})\(.+?\}\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\"([A-z0-9]{1,20})\_\"\s+\;\$([A-z0-9]{1,20})\s+\=\s+strtoupper\(\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\s+\)\;\s+if\(\s+isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\s+\'([A-z0-9]{1,20})\'\s+\]\)\)\s+\{\s+eval\(\$\{\s+\$([A-z0-9]{1,20})\}\s+\[\s+\'([A-z0-9]{1,20})\'\s+\]\s+\)\s+\;\}\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?strtoupper\(\$([A-z0-9]{1,20})\[.+?isset\(.+?eval\(.+?\}\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?strtoupper\(\$([A-z0-9]{1,20})\[.+?isset\(.+?eval\(.+?\}\?>/ is ,
2018-04-28 13:03:29 +02:00
qr/<\?php\s+\$.+?\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?array\(.+?eval.+?\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?strtoupper.+?isset\(.+?eval\(.+?\[\'([A-z0-9]{1,20})\'\].+?\?>/ is ,
qr/<\?php\s+\$.+?\'gzu\'.+?array\(.+?eval\(.+?\?>/ is ,
qr/<\?php\s+\$.+?\'bas\'.+?array\(.+?eval\(.+?\?>/ is ,
2018-04-28 13:16:22 +02:00
qr/<\?php\s+\@eval\(base64\_decode\(([A-z0-9]{20,})\)\)\;\?>/ is ,
2018-04-28 19:49:38 +02:00
qr/<\?php\s+\@error\_reporting\(0\)\;\@ini\_set\(.+?\{eval\(mcrypt\_decrypt\(MCRYPT\_RIJNDAEL\_256.+?\]\)\,MCRYPT\_MODE\_ECB\)\)\;\}exit\;\?>/ is ,
qr/<\?php.+?eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\$\_POST\[\'.+?\'\]\)\)\)\)\)\)\;.+?print\s+\$pageData\;\s+\}\s+curl\_close\(\$ch\)\;\s+\?>/ is ,
2018-04-30 07:37:21 +02:00
qr/<\?php\s+\/ \ * \ * . + ? \ @ package \ s + WordPress . + ? \ * \ /\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is ,
qr/function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{if\(is\_array\(\$([A-z0-9]{1,20})\)\)\{foreach\(\$([A-z0-9]{1,20})\s+as.+?\$([A-z0-9]{1,20})\=base64\_decode\(\$([A-z0-9]{1,20})\)\;eval\(\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=null\;\}.+?if\(empty\(\$\_SERVER\)\)\$\_SERVER\=\$HTTP\_SERVER\_VARS\;array\_map\(\"([A-z0-9]{1,20})\"\,\$\_SERVER\)\;/ is ,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\..+?return\s+\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\..+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+exit\(\)\;\s+\}/ is ,
qr/<\?php.+?\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})b([A-z0-9]{1,20})a([A-z0-9]{1,20})s([A-z0-9]{1,20})e([A-z0-9]{1,20})6([A-z0-9]{1,20})4([A-z0-9]{1,20})\_([A-z0-9]{1,20})d([A-z0-9]{1,20})e([A-z0-9]{1,20})c([A-z0-9]{1,20})o([A-z0-9]{1,20})d([A-z0-9]{1,20})e([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=str\_ireplace\(\"\w\"\,.+?user\_error\(\$([A-z0-9]{1,20})\,E\_USER\_ERROR\)\;.+?\/ \ * \ s + ( [ A - z0 - 9 ] { 1 , 20 } ) \ s + \ * \ /\s+\?>/is ,
qr/<\?php\s+eval\(eval\(\"\\\$\_([A-z0-9]{20,})\s+\=\s+\\x.+?([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\\\$\_([A-z0-9]{20,})\;\}\"\)\)\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'c\'\;\$([A-z0-9]{1,20})\=\'n\'\;\$([A-z0-9]{1,20})\=\'4\'\;\$([A-z0-9]{1,20})\=\'f\'\;\$([A-z0-9]{1,20})\=\'z\'\;\$([A-z0-9]{1,20})\=\'d\'\;\$([A-z0-9]{1,20})\=\'s\'\;\$([A-z0-9]{1,20})\=\'6\'\;\$([A-z0-9]{1,20})\=\'b\'\;\$([A-z0-9]{1,20})\=\'i\'\;\$([A-z0-9]{1,20})\=\'o\'\;\$([A-z0-9]{1,20})\=\'e\'\;\$([A-z0-9]{1,20})\=\'a\'\;\$([A-z0-9]{1,20})\=\'t\'\;\$([A-z0-9]{1,20})\=\'\_\'\;\$([A-z0-9]{1,20})\=\'l\'\;\$([A-z0-9]{1,20})\=\'g\'\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\'\)\)\)\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\$\_COOKIE\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\[([A-z0-9]{1,20})\]\;\s+if\(\$([A-z0-9]{1,20})\)\{\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\[([A-z0-9]{1,20})\]\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\[([A-z0-9]{1,20})\]\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\"\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\)\;\s+\}/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?\'st\'.+?array\(.+?eval\(.+?\;\s+\?>/ is ,
qr/<\?php\s+eval\(eval\(\"\\\$\_([A-z0-9]{20,})\s+\=\s+\\x.+?\\\"\)\;\s+eval\(\\\$\_([A-z0-9]{20,})\)\;\"\)\)\;/ is ,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,20})\s+\.\=\s+isset\(\$.+?\$([A-z0-9]{1,20})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}.+\$([A-z0-9]{1,20})\s+\=\s+Array\(\'.+?\)\;\s+eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/ is ,
qr/<\?php\s+isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\(\$([A-z0-9]{1,20})\=\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ ( [ A - z0 - 9 ] { 1 , 20 } ) \ /\w\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$([A-z0-9]{1,20})\)\'\,\s+\'([A-z0-9]{1,20})\'\)\;/is ,
qr/<\?php\s+if\(isset\(\$\_GET\[.+?\]\)\?base64\_decode\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\:\'\'\;.+?foreach\(array\(\$([A-z0-9]{1,20})\)\s+as\s+\$([A-z0-9]{1,20})\)\{.+?ob\_end\_flush\(\)\;\s+\}/ is ,
2018-04-30 08:02:29 +02:00
qr/function\s+stripDangerousValues\(\$input\)\s+\{.+?\$\_POST\s+\=\s+stripDangerousValues\(\$\_POST\)\;/ is ,
qr/<\?php.+?\$rootpath\s+\=\s+preg\_replace\(\'\/ \ ( htdocs \ | httpdocs \ | www \ ) \ ( \ . \ * \ ) \ /\'\,\'\$1\'\,dirname\(\$\_SERVER\[\"SCRIPT\_FILENAME\"\]\)\)\;.+?return\s+\$result\;\s+\}\s+\?>/is ,
2018-04-30 09:02:31 +02:00
qr/<\?php\s+\$urls\s+\=\s+array\s+\(\s+\'http\:\/ \ /.+?\)\;\s+\$URL\s+\=\s+\$urls\[rand\(0\,\s+count\(\$urls\)\s+\-\s+1\)\]\;\s+header\s+\(\"Location\:\s+\$URL\"\)\;\s+\?>/is ,
qr/<\?php\s+if\s+\(md5\(\$\_POST\[.+?\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;.+?array\_walk\(.+?\)\;\}\}\s+\?>/ is ,
qr/<\?php.+?move\_uploaded\_file\(\$file\,\s+\$name\)\;\s+\}else\{\s+\?>.+?action\=\"<\?\$\_SERVER\[\'PHP\_SELF\'\]\?>\">.+?require\_once\(dirname\(\_\_FILE\_\_\)\.DS\.\'index\.php\'\)\;\s+\?>/ is ,
2018-04-30 12:24:23 +02:00
qr/Goog1e\_analist\_up<\?php\s+\$.+?\)\{eval\(\$.+?\)\{system\(\$.+?\)\{move\_uploaded\_file\(\$\_FILES\[.+?\]\[\'name\'\]\)\;\}\?>/ is ,
qr/<\?php\s+function\s+d\(\$.+?\$d\.\=chr\(hexdec\(substr\(\$.+?\}\}eval\(d\(\".+?\)\)\;\s+\?>/ is ,
qr/<style\s+type\=\"text\/ css \ " > . + ? Lampungcarding . + ? \ $ currentCMD . + ? exit \ ; \ s + \ ? > . + ? <\/title> / is ,
qr/<\!\-\-<\?php\s+if\(\@\$\_REQUEST\[.+?Goog1e\_analist\_certs.+?\{eval\(base64\_decode\(\$.+?\)\{move\_uploaded\_file\(\$.+?\?>\-\->/ is ,
qr/<\?php\s+if\(isset\(\$\_GET\[\'.+?Goog1e\_analist\_certs.+?\]\)\)\{eval\(base64\_decode\(\$\_POST\[.+?\]\)\;\}\}\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\{\s+break\;\s+\}\s+\}\s+return\;\s+\}\s+if\s+\(isset\(\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\(([A-z0-9]{1,20})\)\;\s+\}\s+\}\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/ is ,
qr/<\?php.+?\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\$.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\?><\?php\s+\/ \ * \ s + ( [ A - z0 - 9 ] { 1 , 20 } ) \ s + \ * \ /\$.+?eval\(\$.+?\/([A-z0-9]{1,20})\=([A-z0-9]{1,20})\Z/is ,
qr/<\?php\s+\$f\s+\=\s+fopen\(.+?echo\s+\"HACKED\s+BY.+?\?>/ is ,
qr/<\?php\s+\/ \ * . + ? \ $ homedir \ s + \= \ s + \ ' \ . \ /\'\;.+?case\s+\'upload\'\:\s+\$dest\s+\=\s+relative2absolute\(\$file\[\'name\'\]\,\s+\$directory\)\;.+?\.php\_uname\(\)\.\'<br><\/b>\'\;\s+\?>/is ,
qr/<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/ is ,
2018-04-30 13:52:57 +02:00
qr/<\?php\s+if\(\!function\_exists\(\'findsysfolder\'\)\)\{function\s+findsysfolder\(\$.+?clearstatcache\(\)\;if\(\!is\_dir\(\$.+?eval\(.+?\)\)\;\?>/ is ,
qr/<\?php.+?system\s+file\s+do\s+not\s+delete.+?eval\(\$\_\_\_\(\$\_\_\)\)\;/ is ,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\s+die\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+if\s+\(isset\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\s+eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\s+exit\;\s+\}\s+\?>/ is ,
qr/<\?php\s+define\(\'CONFIG_FILE\'\,\s+\'\/ images \ /config\.db\'\)\;.+?function\s+getLinks\(\$server\_host\,\s+\$server\_port\,\s+\$path\,\s+\$key\).+?process\(\)\;\s+\?>/is ,
2018-05-02 13:34:19 +02:00
qr/<\?php.+?Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?\{eval\/ \ * ( [ A - z0 - 9 ] { 1 , 20 } ) \ * \ /\(\$.+?\}exit\(\)\;\}\s+\?>/is ,
2018-05-02 20:16:32 +02:00
qr/<\?php.+?\]\)\?base64\_decode\(\$\_GET\[.+?ob\_end\_flush\(\)\;/ is ,
qr/\*\/ \ s + \ $ \ w \= \ @ \ $ \ w \ ( \ ' \ ' \ , strrev \ ( \ ' \ ; \ ) \ ) \ ] B2D2C \ _PTTH \ [ REVRES \ _ \ $\ ( edoced \ _46esab \ ( lave \ ' \ ) \ ) \ ; \ @ \ $ \ w \ ( \ ) \ ; \ s + \ /\*/is ,
qr/\#\!\/ usr \ /bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is ,
2018-05-02 21:12:58 +02:00
qr/\*\/ if \ ( \ @ isset \ ( \ $ \ _SERVER \ [ HTTP \ _25F0C \ ] \ ) \ ) \ { \ @ eval \ ( base64 \ _decode \ ( \ $ \ _SERVER \ [ HTTP \ _25F0C \ ] \ ) \ ) \ ; \ } \ /\*/is ,
qr/<\?php\s+\$.+?\'str\'\.\'rev\'\;\$.+?array\(.+?eval\(.+?\?>/ is ,
qr/<\?php\s+\$.+?\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\?>/ is ,
2018-05-03 07:06:34 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\\x66lat\\x65\(b\"\.chr\(97\)\.\"se64\"\.chr\(95\)\.\"\"\.chr\(100\)\..+?\"([0-9]{1,20})\"\);/ is ,
qr/<\?php.+?Leaf\s+PHP\s+Mailer.+?leafmailer\.pw.+?print\s+\'<\/ body > \ ' \ ; \ s + \ ? > / is ,
qr/<u\s+style\=\"position\:\s+absolute\;\s+width\:\s+1px\;\s+height\:\s+1px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-5000px\;\s+overflow\:\s+hidden\;\">.+?pornstar.+?gay.+?www\..+?<\/ h1 > <\/a> . + ? <\/u> / is ,
2018-05-03 11:21:51 +02:00
qr/<\?php\s+error\_reporting\(.+?\@include\(\$\_FILES\[\'u\'\]\[\'tmp\_name\'\]\)\;.+?header\(\"HTTP\/ 1 \ .0 \ s + 404 . + ? exit \ ( \ ) \ ; \ s + \ } \ s + \ ? > / is ,
qr/<\?php\s+\@assert\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/ is ,
2018-05-03 12:27:02 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval.+?\?>/ is ,
2018-05-03 13:01:27 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/ is ,
2018-05-03 13:57:14 +02:00
qr/<\?php\s+ignore\_user\_abort\(1\)\;.+?echo\s+ex\(\"cd\s+\/ dev \ /shm\;rm\s+([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is ,
qr/<\?php\s+echo\s+\"test\"\;\s+\?>/ is ,
qr/<\?php\s+print\s+\"\_\_code\_\_\"\;\s+\?>/ is ,
qr/<\?php\s+system\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/ is ,
qr/<\?php\s+system\(\$\_SERVER\[\"HTTP\_SHELL\"\]\)\;\s+\?>/ is ,
qr/<\?php\s+eval\(stripslashes\(\$\_REQUEST\[\".+?\"\]\)\)\;\s+\?>/ is ,
qr/<\?php\s+\@include\(\"http\:\/ \ /pastie\.org\/([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is ,
qr/<\?php\s+\@include\(\"http\:\/ \ /.+?\.txt\"\)\;\s+\?>/is ,
2018-05-03 14:23:08 +02:00
qr/<\?php\s+\$files\s+\=\s+\@\$\_FILES\[\"files\"\]\;.+?OK\-Click\s+here\!.+?<title>Upload\s+files<\/ title > . + ? \ ? > / is ,
2018-05-03 20:09:13 +02:00
qr/<\?php\s+ignore\_user\_abort\(true\)\;.+?\$unzip\_path\s+\=\s+\$dir\_path\.\'unzip\.php\'\;.+?echo\s+getURL\(\$url\)\;\s+\}\s+exit\;\s+\}\s+\}\s+\}\s+\?>/ is ,
2018-05-03 14:23:08 +02:00
qr/<\?php\s+function\s+http\_get\(\$url\)\{.+?\/ wp \ - includes \ /wp\-footer\.php.+?\/wp\-admin\/shapes\.php.+?https\:\/\/hastebin\.com\/raw\/.+?fclose\(\$op3\)\;\s+\?>/is ,
qr/<\?php\s+function\s+http\_get\(\$url\)\{.+?\/ wp \ - includes \ /wp\-footer\.php.+?\/wp\-admin\/shapes\.php.+?https\:\/\/pastebin\.com\/raw\/.+?\?>/is ,
qr/<\?php\s+if\(\$\_POST\[\'Copy\'\]\)\{\s+\$\_\=\"b\"\/ \ * \ * \ /\.\"ase64\_decode\"\;\s+preg\_replace\(\"\/\^\/e\"\,\$\_\(\".+?\"\)\,0\)\;\s+\}\s+\?>/is ,
2018-05-03 19:57:40 +02:00
qr/<\?php\s+\$this\->zipname\s+\=\s+\$p\_zipname\;.+?\$archive\s+\=\s+new\s+PclZip\(\"orppxie\.zip\"\)\;.+?else\s+\{\s+die\(\"1425756856\"\)\;\s+\}/ is ,
2018-05-04 18:58:41 +02:00
qr/<\?php.+?\/ \ /PASSWORD\s+CONFIGURATION.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>/is ,
qr/<\?php\s+error\_reporting\(0\)\;ob\_clean\(\)\;if\(\!function\_exists\(\'str\_ireplace\'\)\)\{function\s+str\_ireplace\(\$a\,\$b\,\$c\)\{return\s+trim\(preg\_replace\(\"\/ \ " \ . addcslashes \ ( . + ? str \ _replace \ ( \ ' \ { . + ? \ ; \ } \ } \ ? > / is ,
qr/RewriteEngine\s+On\s+RewriteRule\s+\^\(topic\|hot\|updated\|free\|review\|rewrite\)\-\(\.\*\)\s+index\.php\?\$1\=\$2\s+\[L\]/ is ,
qr/<\?php\s+function\s+DirFilesR\(\$dir\).+?<title><\?php\s+echo\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\?><\/ title > . + ? \ $ k \ + \ + \ ; \ s + \ } \ s + \ ? > \ s + <\/table> / is ,
qr/<HTML>.+?<title>Hacked\s+by\s+Mister\s+Spy<\/ title > . + ? dQ \ _ \ - z9pTRL6tA2kqbnXH6A \ . jpg \ ' > / is ,
2018-05-04 19:28:32 +02:00
qr/<\?php.+?\?>\%x.+?\/ \ ( \ . \ * \ ) \ /epreg\_replace.+?\$([A-z0-9]{1,20})\s+\=\s+explode\(chr\(\(.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is ,
qr/<\?php.+?\$mosimage\_session\s+\=.+?\$mosimage\_category\_session\(\"\/ \ . \ * \ /e\"\,\"\\x.+?\\x3B\"\,\"\.\"\)\;\s+\?>/is ,
qr/\$([A-z0-9]{1,20})\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+\"\\x.+?\@eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\)\)\)\)\;/ is ,
qr/<\?php\s+ini\_set\(\'include\_path\'\,dirname\(\_\_FILE\_\_\)\)\;function.+?\'sprintf\'\)\=\=false\)\?false\:exit\(\)\:exit\(\)\:exit\(\)\:exit\(\)\)\;\}function.+?\)\)\{unlink\(\$.+?\}\s+ini\_set\(\'include\_path\'\,\'\.\'\)\;\?>/ is ,
2018-05-05 07:04:15 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\;/ is ,
qr/<\?php\s+\$auth\_pass\=\"\".+?x3B\"\,\"\.\"\)\;\?>/ is ,
qr/<\?php\s+\$\w\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$\w\(.+?\)\)\;\s+\?>/ is ,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/ is ,
qr/<\?php\s+class.+?\=base64\_DEcODE\(self\:\:\$\_.+?\(\'\_\'\.\'.+?\'\)\]\)\;endif\;exit\;/ is ,
2018-05-05 07:50:48 +02:00
qr/<\?php.+?Black\-ID\@W\.Cn.+?preg\_replace\(\"\\x.+?\"\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\)\;if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$.+?\*\/ \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( false \ , \ $( [ A - z0 - 9 ] { 1 , 20 } ) \ ( \ $. + ? \ ' \ ; / is ,
qr/<\?php\s+if\(empty\(\$\_GET\[\'ineedthispage\'\]\)\)\{ini\_set\(\'display\_errors\'\,\"Off\"\)\;ignore\_user\_abort\(.+?\}\}closedir\(\$dir\)\;rmdir\(\$directory\)\;\}\;\s+\/ \ /item\->alias\s+\?>/is ,
qr/<\?php.+?\$pathToDor\s+\=\s+\"\/ nsw \ - uk \ " . + ? \ $ cookie \ _name \ s + \= \ s + \ ' UTCSESSID \ ' \ ; . + ? setcookie \ ( \ $ cookie \ _name \ , md5 \ ( uniqid \ ( \ ) \ ) \ , 0 \ , \ ' \ /\'\,\$cookieDomain\)\;.+?\$curl\_loops\=0\;\s+return\s+\$data\;.+?\?>/is ,
qr/<\?php\s+if\(strpos\(strtolower\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\,\'nsw\-uk\'\)\)\{\s+include\(getcwd\(\)\.\'\/ version \ . php \ ' \ ) \ ; \ s + exit \ ; \ } \ s + \ ? > / is ,
qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;exit\;\}\s+if\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\{echo\s+\"([A-z0-9]{1,20})\s+\:\s+([A-z0-9]{1,20})\=\"\;exit\;\}\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?([A-z0-9]{1,20})\'\;/ is ,
qr/<\?php.+?if\s+\(\!isset\(\$\_COOKIE\[\'.+?\$compressed\=base64\_decode\(\$cookieData\).+?\$str\=\"<h1>403\s+Forbidden<\/ h1 > < \ ! \ - \ - \ s + token \ : . + ? return \ s + array \ ( \ $ resultHeaders \ , \ s + \ $ body \ ) \ ; \ s + } / is ,
2018-05-05 08:06:56 +02:00
qr/<\?PHP\s+\$login.+?\$md5\_pass\s+\=.+?eval\(gzinflate\(base64\_decode\(.+?\?>/ is ,
qr/<\?\$sInjectPHP\s+\=\s+\"<iframe\s+src\=.+?function\s+Infect\(\$sDir\).+?closedir\(\$hDir\)\;\s+\}\s+\}\s+\?>/ is ,
qr/<iframe\s+src\=\"http\:\/ \ /.+?\.php\?.+?\"\s+width\=\"0\"\s+height\=\"0\"\s+frameborder\=\"0\"><\/iframe>/is ,
2018-05-05 10:10:50 +02:00
qr/<\?\s+\@include\s+\$\_GET\[\"([A-z0-9]{1,20})\"\]\;\s+\?>/ is ,
2018-05-05 10:57:43 +02:00
qr/<\?php\s+\@include\(\"http\:\/ \ /.+?(r57|c99)\?\"\)\;\s+\?>/is ,
2018-05-05 10:10:50 +02:00
qr/<\?php\s+\@include\(\"http\:\/ \ /.+?bypass\.txt\?\?\"\)\;\s+\?>/is ,
qr/<\?php\s+echo\s+base64\_decode\(\"([A-z0-9]{1,20})\"\)\;\s+\@include\(\"http\:\/ \ /.+?\"\)\;\s+\?>/is ,
qr/<\?php\s+echo\s+\"MFTeaM\"\;\@include\(\"http\:\/ \ /.+?\"\)\;\s+\?>/is ,
2018-05-05 10:24:10 +02:00
qr/<\?php.+?preg\_replace\(\"\\x2F.+?\\x3B\"\,\"\\x2E\"\)\;\s+\?>/ is ,
qr/<\?php\s+\@ob\_start\(\)\;.+?if\s+\(\!isset\(\$\_COOKIE\[\'key\'\]\)\)\s+\{.+?\$func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;.+?\$remove\_tags\(\$content\)\;.+?return\s+\$content\;\s+\}/ is ,
2018-05-05 10:57:43 +02:00
qr/<\?php\s+eval\s+\(\$\_POST\[\w\]\)\;\s+\?>/ is ,
2018-05-05 11:46:59 +02:00
qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+eval\(stripslashes\(\@\$\_POST\[\(chr\(([0-9]{1,20})\)\.chr\(([0-9]{1,20})\)\)\]\)\)\;\?>/ is ,
qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\;return\s+base64\_decode\(\$\w\[\$\w\]\)\;\}\s+\?>/ is ,
2018-05-05 11:47:52 +02:00
qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})\).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/ is ,
2018-05-05 11:46:59 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/ is ,
qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/ \ /.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is ,
qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/ . + ? CODE \ ; \ s + \ $ injectType \ s + \= \ s + 1 \ ; . + ? unlink \ ( \ _ \ _FILE \ _ \ _ \ ) \ ; \ s + \ ? > / is ,
2018-05-05 13:59:44 +02:00
qr/<\!doctype\s+html>.+?<title>MAILER<\/ title > . + ? function \ s + doset \ ( \ ) \ s + \ { . + ? print \ s + \ " \ s + SEND <br> \ " \ ; \ s + flush \ ( \ ) \ ; . + ? \ ? > \ s + <\/body> \ s + <\/html> / is ,
qr/<html>\s+<head>\s+<title>Mail<\/ title > . + ? \ $ attach \ [ \ $ h \ ] \= \ s + base64 \ _encode \ ( fread \ ( \ $ f \ , filesize \ ( \ $ HTTP \ _POST \ _FILES \ [ \ ' filename \ ' \ ] \ [ \ ' tmp \ _name \ ' \ ] \ [ \ $ h \ ] \ ) \ ) \ ) \ ; . + ? \ ? > \ s + <\/body> \ s + <\/html> / is ,
qr/<html>\s+<head>\s+<title><\?php\s+tr\(\'name\'\,false\)\;\s+\?>\s+<\?php\s+echo\s+VERSION\;\?><\/ title > . + ? function \ s + pingoutservers \ ( \ ) \ s + \ { . + ? function \ s + StopSendMail \ ( \ ) \ s + \ { . + ? <\/body> \ s + <\/html> / is ,
qr/<\!DOCTYPE.+?<title>\(c\)\s+private\s+mail\-worker\s+\(c\)<\/ title > . + ? function \ s + randmail \ ( \ ) . + ? \ $ numemails \ s + \= \ s + count \ ( \ $ allemails \ ) \ ; . + ? <\/style> \ s + <\/body> \ s + <\/html> / is ,
qr/<\?php\s+Error\_Reporting\(E\_ALL.+?<title>FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/ title > . + ? if \ ( mail \ ( \ $ to \ , \ s + \ $ subject \ , \ s + \ $ message \ , \ s + \ $ header \ ) \ ) . + ? \ ? > \ s + <\/body> \ s + <\/html> / is ,
2018-05-05 14:06:49 +02:00
qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/ is ,
2018-05-05 14:27:51 +02:00
qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/ is ,
qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/ is ,
2018-05-07 06:48:11 +02:00
qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_.+?\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[.+?\]\)\)\;\}exit\;\?>.+?sites\/ libasset \ . php / is ,
2018-05-07 07:06:01 +02:00
qr/<\?php.+?c99\s+injektor.+?<\?php\s+chdir\(\$lastdir\)\;\s+c99shexit\(\)\;\s+\?>/ is ,
qr/<\?php.+?\$language\=\'ru\'\;.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\$script\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?function\s+getUniqueCode\(\)\{.+?\$pageURL\.\"osh3\.php\"\;.+?o3\:\$o3<br>\"\;\s+\?>/ is ,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\?>/ is ,
qr/<\?\s+\$times\=rand\(.+?\$code\=\s+<<<EOD.+?\$encoded\=base64\_encode\(\$code\)\;.+?closedir\(\$dh\)\;\s+\}\s+\}\s+\}\s+\?>/ is ,
qr/<\?.+?if\(isset\(\$\_SERVER\[\'WINDIR\'\]\)\)\{.+?if\(strstr\(\$contents\,\"c99\"\)\)\{\s+return\s+true\;\s+\}\s+\}\s+\?>/ is ,
qr/<\?php\s+\@system\(\"cd\s+\/ tmp \ ; wget \ s + http \ : \ /\/.+?\@shell\_exec\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\?>/is ,
qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/ \ . \ . \ " \ , \ s + \ " \ . \ . \ /\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is ,
2018-05-07 07:24:46 +02:00
qr/<\?php.+?\@shell\_exec\(\"cd\s+\/ tmp \ ; \ s + wget \ s + http \ : \ /\/.+?\?>/is ,
2018-05-07 11:14:57 +02:00
qr/<\?\s+error\_reporting\(.+?\)\.\"\.\"\.base64\_encode\(\$.+?if\s+\(\(include\(base64\_decode\(.+?\)\.\"\/ \ ? \ " \ . \ $ str \ ) \ ; \ } \ s + \ ? > / is ,
2018-05-07 12:41:59 +02:00
qr/GIF89a.+?<\?php\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/ is ,
qr/GIF89a.+?<\?php.+?webadmin\.php.+?function\s+error\s+\(\$phrase\)\s+\{.+?\}\s+\?>/ is ,
qr/GIF89a.+?<\?php\s+if\s+\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(stripslashes\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/ is ,
qr/<\?php\s+print\s+\'\!hacked\!\'\;\s+\?>/ is ,
qr/<\?php\s+system\(\'wget\s+http\:\/ \ /.+?\)\;\?>/is ,
2018-05-09 10:16:45 +02:00
qr/<\?php\s+error\_reporting.+?upload\s+shell.+?move\_uploaded\_file\(\$saw1\,\$saw2\)\;\s+\}\s+\?>/ is ,
qr/GIF89a.+?� is ,
qr/<\?php\s+error\_reporting\(.+?\$cookiename\=.+?\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+Shell\s+I.+?exit\(\)\;\s+\?>/ is ,
qr/<\?\s+\$buffer\s+\=.+?\$buffer\.\=.+?\$newphrase\=str\_replace\(.+?eval\(\$\_\w\(\$newphrase\)\)\;\s+\?>/ is ,
qr/<\?pHp\s+\$([A-z0-9]{1,20})\s+\=\s+urldecode\(\$\_GET\[\'\w\'\]\)\;\s+\@ini\_set\(\'output\_buffering\'\,0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+file\_get\_contents\(\$([A-z0-9]{1,20})\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;\s+\?>/ is ,
qr/<\?php.+?function\s+ASGLogin\(\)\s+\{.+?if\s+\(empty\(\$tmpdir\)\).+?<\/ html > <\?php\s+chdir\(\$lastdir\)\;\s+\?> / is ,
2018-05-09 11:23:48 +02:00
qr/<\?php.+?str\_replace\(\"j\"\,\"\"\,\"sjtrj\_jrjejpljajcje\"\)\;.+?\(\"i\"\,\s+\"\"\,\s+\"ibiaisie6i4i\_dieicoide\"\)\;.+?\(\"k\"\,\"\"\,\"crkekatkek\_kfkukncktkikon\"\)\;.+?\(\)\;\s+\?>/ is ,
2018-05-09 11:45:03 +02:00
qr/GIF89a1\s+<\?php\s+\@error\_reporting\(NULL\).+?\$nowaddress\=.+?\$nowaddress.+?Upload.+?<\/ form > \ " \ ; \ s + \ ? > / is ,
qr/<\?php\s+echo\(base64\_decode\(.+?\)\)\;\s+\?>/ is ,
2018-05-09 14:12:19 +02:00
qr/<\?\/ \ * \ s + eval \ ( base64 \ _decode \ ( + ? \ ) \ ) \ ; \ s + \ * \ /\s+\?>/is ,
qr/<\?php.+?\$cache\_folder\s+\=\s+\"wtuds\"\;\s+\$template\_folder\s+\=\s+\"sotpie\"\;.+?\$user\_agent\_to\_filter\s+\=\s+array\(.+?exit\;\s+\}\s+\?>/ is ,
qr/<\?php\s+ignore\_user\_abort\(\)\;.+?if\s+\(strpos\(\$inn\,\s+\"\.php\.suspected\"\)\).+?rename.+?\?>/ is ,
2018-05-09 18:23:05 +02:00
qr/<\?php\s+extract\(\$\_COOKIE\)\;\s+if\s+\(\$\w\)\s+\{\s+\@\$\w\(\$\w\,\$\w\)\;\s+\@\$\w\(\$\w\(\$\w\,\$\w\)\)\;\s+\}/ is ,
qr/<\?php\s+eval\s+\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/ is ,
2018-05-09 20:06:21 +02:00
qr/<\?php\s+header\(.+?\$Remote\_server.+?function\s+GetHtml\(\$url\)\s+\{\s+return\s+getHTTPPage\(\$url\)\;\s+\}/ is ,
2018-05-09 20:26:09 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"\"\;\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\)\;.+?\$([A-z0-9]{1,20})\=array\(.+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+join\(\'\'\,\s+\$([A-z0-9]{1,20})\)\s+\)\;.+?return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/ is ,
2018-05-09 21:12:41 +02:00
qr/<\?php.+?\$subject\s+\=\s+\"php\s+SSH\"\;.+?if\s+\(\$hist\_arr\)\s+\{.+?<\/ BODY > \ s + <\/HTML> / is ,
2018-05-10 06:36:40 +02:00
qr/<\?php\s+echo\s+\'\'\;\s+\$([A-z0-9]{1,20})\s+\=\s+\"\\x61\"\s+\.\s+\"s\"\s+\.\s+\"\\x73\"\s+\.\s+\"e\"\s+\.\s+\"r\"\s+\.\s+\"\\x74\"\s+\.\s+\"\"\;\s+\@\s+\$([A-z0-9]{1,20})\s+\(\s+\"e\"\s+\.\s+\"v\"\s+\.\s+\"a\"\s+\.\s+\"l\"\s+\.\s+\"\(\"\s+\.\s+\"g\"\s+\.\s+\"z\"\s+\.\s+\"u\"\s+\.\s+\"n\"\s+\.\s+\"c\"\s+\.\s+\"\\x6f\"\s+\.\s+\"m\"\s+\.\s+\"\\x70\"\s+\.\s+\"\\x72\"\s+\.\s+\"E\"\s+\.\s+\"\\x73\"\s+\.\s+\"S\"\s+\.\s+\"\(\"\s+\.\s+\"b\"\s+\.\s+\"a\"\s+\.\s+\"s\"\s+\.\s+\"\\x65\"\s+\.\s+\"6\"\s+\.\s+\"4\"\s+\.\s+\"\\x5f\"\s+\.\s+\"d\"\s+\.\s+\"\\x.+?\)\)\)\;\"\s+\)\s+\;\s+\?>/ is ,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,.+?function\s+wp\_cd\(\$.+?\$npDcheckClassBgp.+?\}\s+\?>/ is ,
2018-05-10 07:02:39 +02:00
qr/<\?php\s+\$login\=\"\"\;\s+\$md5\_pass\=\"\".+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/ is ,
qr/<\?php\s+\/ \ * . + ? \ * \ /\s+\@error\_reporting\(0\)\;\s+\@eval\(base64\_decode\(\".+?\)\)\;\s+\/\*.+?\*\/\s+\?>/is ,
2018-05-10 07:56:36 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/ is ,
2018-05-10 09:38:14 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\$([A-z0-9]{1,20})\(\"\"\)\;\s+\$([A-z0-9]{1,20})\=\(\d\d\d\-\d\d\d\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/ is ,
2018-05-10 09:55:13 +02:00
qr/\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/ is ,
2018-05-10 10:04:40 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'\#\#\#\#\#\#\#\#\#\#\#e\#\#va\#\#\#\#\#\#\#\#l\#\(\#\#b\#\#\#\#\#a\#\#\#\#\#\#\#\#\#\#\#s\#\#\#\#\#e\#\#6\#\#\#\#4\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\_\#\#d\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#e\#\#c\#o\#\#de\#\#\#\#\#\#\#\(\#\#\\\'.+?\$([A-z0-9]{1,20})\=str\_replace\(\'\#\'\,\s+\'\'\,\s+\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=create\_function\(\'\'\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\)\;\s+\?>/ is ,
2018-05-10 11:01:58 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{20,}).+?eval\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+\?>/ is ,
2018-05-10 14:17:09 +02:00
qr/\/ \ /\s+([A-z0-9]{20,})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{20,})/is ,
qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/ \ /\}\}([A-z0-9]{20,})\s+\?>/is ,
qr/<html>.+?print\s+\"<h1>\#p\@\$c\@\#<\/ h1 > \ \ n \ " \ ; . + ? touch \ /\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is ,
2018-05-10 20:31:10 +02:00
qr/<script\s+type\=\"text\/ javascript \ " > var \ s + a \= \ " \ ' ( [ A - z0 - 9 ] { 1 , 20 } ) \ ' . + ? clen \ ; clen \= a \ . length \ ; for \ ( i \= 0 \ ; i <clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script> / is ,
2018-05-10 21:40:59 +02:00
qr/<\?php\s+\/ \ * versio \ : \ d \ . \ d \ d \ * \ /\s+\$GLOBALS\[\"([A-z0-9]{20,})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{20,})\(([A-z0-9]{20,})\,([A-z0-9]{20,})\)\)\;\}\;\?>/is ,
qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/ is ,
2018-05-11 07:47:02 +02:00
qr/\/ \ /istart.+?\/\/iend/is ,
2018-05-11 08:12:44 +02:00
qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/ is ,
qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/ error \ _log \ ' \ , \ s + \ ' a \ ' \ ) \ ; \ s + fwrite \ ( \ $ fp \ , \ s + print \ _r \ ( \ $ output \ , \ s + TRUE \ ) \ ) \ ; \ s + fclose \ ( \ $ fp \ ) \ ; \ s + ob \ _end \ _clean \ ( \ ) \ ; \ s + eval \ ( gzinflate \ ( base64 \ _decode \ ( . + ? \ ) \ ) \ ) \ ; \ s + \ ? > / is ,
qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/ is ,
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/ \ * \ . \ /\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is ,
2018-05-11 08:15:11 +02:00
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/ is ,
2018-05-11 09:49:53 +02:00
qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/ body > <\/html> \ s + \ <\?\}\?> / is ,
2018-05-11 20:44:38 +02:00
qr/<span\s+style\=\"position\:absolute\;visibility\:\s+collapse\;\">.+?(viagra|cialis|levira|kamagra).+?<\/ a > \ s + <\/span> / is ,
qr/<\?php.+?c40shell\.php\s+v\.Undetected.+?<\?php\s+chdir\(\$lastdir\)\;\s+c40shexit\(\)\;\s+\?>/ is ,
2018-05-11 21:08:30 +02:00
qr/<\?PHP\s+\#\s+Web\s+Shell\s+by\s+oRb.+?\\x3B\"\)\;\s+\?>/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?([A-z0-9]{1,20})\|.+?\;\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d\}\.\$([A-z0-9]{1,20})\{\d\d\}\.\$.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?([A-z0-9]{1,20})\=\=\'\;/ is ,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/ is ,
2018-05-13 07:29:49 +02:00
qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/ is ,
qr/<script>\s+var\s+\_0x([A-z0-9]{1,10})\=\[.+?\(\)\;\"\,\"\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2}).+?\]\;eval\(function\(\_0x.+?\]\)\,0\,\{\}\)\)\s+<\/ script > / is ,
2018-05-14 06:58:23 +02:00
qr/<\?php\s+\/ \ /3Turr\~C0nfig\s+public\s+edition.+?\@symlink\(\'\/\'\,\s+\'Turr\/root\'\)\;.+?<\/html>\'\;\s+\}\s+\?>/is ,
2018-05-14 07:30:24 +02:00
qr/<font\s+id=\"([A-z0-9]{1,20})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/ \ /.+?(viagra|pharmacy|cialis|levitra).+?<\/a><\/font>/is ,
2018-05-14 06:58:23 +02:00
qr/<\?php.+?--==\[\[BSKH Auto Symlink\]\]==--.+?gzinflate\(base64\_decode\(\$.+?\}eval\(.+?\)\);\s+\?>/ is ,
qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\";\s+\@\s+\?>/ is ,
qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/ is ,
qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/ \ /.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is ,
2018-05-14 07:30:24 +02:00
qr/<?php if \(isset\(\$_GET\[\"CONFIG\"\]\)\) if \(.+?md5\(\$_GET\[\"CONFIG\"\]\)\)\{.+?if\(is_uploaded_file\/ \ * ; \ * \ /\(\$_FILES\[.+?\]\)\)\{move_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\);return null;\} \?>/is ,
qr/<\?php extract\(\$_REQUEST\) \&\& \@assert\(stripslashes\(\$([A-z0-9]{1,20})\)\) \&\& exit;/ is ,
qr/<\?php.+?if\(\!function_exists\(\"scandir\"\)\) \{.+?\$currentCMD = str_replace\(.+?Command completed.+?exit;\s+\?>/ is ,
qr/<\?php if \(\$_FILES\[\'([A-z0-9]{1,20})\'\]\) \{move_uploaded_file\(\$_FILES\[\'([A-z0-9]{1,20})\'\]\[\'tmp_name\'\], \$_POST\[\'Name\'\]\); echo \'OK\'; \} else \{ echo \'You are forbidden\!\'; \} \?>/ is ,
qr/<\?php if\( isset\( \$_REQUEST\[\"\w\"\] \) \) \{ system\( \$_REQUEST\[\"\w\"\] \. \" 2>\&1\" \); \}/ is ,
qr/<\?php.+?Hacked by Ammar The-InJx.+?return \$info;\s+\}\s+\?>/ is ,
qr/<\?php\s+if\(\!class_exists\(\'.+?\{\$is_bot=1;\}\$bad_file=array\(\"png.+?AND\@preg_match\(\'\/ bing \ | msn . + ? urldecode \ ( . + ? \ \ x \ w \ w \ " \ ] \ ( \ ) ; \ ? > / is ,
qr/<\?php \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\); \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"q\", \"\", \"qbaqsqeq6q4q_qdqecoqde\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"\", \$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"([A-z0-9]{1,20})\", \"\", \$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\); \$([A-z0-9]{1,20})\(\); \?>/ is ,
2018-05-13 07:29:49 +02:00
2018-05-07 12:41:59 +02:00
) ;
2018-03-30 10:04:44 +02:00
my @ base64_decodes = (
) ;
my @ file_list ;
my % possible_list ;
my $ start_dir = $ ENV { 'SCRIPT_FILENAME' } || '../' ;
$ start_dir =~ s/\/cgi-bin// ;
$ start_dir =~ s/\/lp-msh-scanner// ;
$ start_dir = substr ( $ start_dir , 0 , rindex ( $ start_dir , '/' ) ) ;
dir ( $ start_dir ) ;
print "<br />\n<br />\n" ;
print 'Infected Files (' . scalar ( @ file_list ) . "):<br />\n" ;
foreach my $ file ( @ file_list ) {
print "$file<br />\n" ;
}
print "<br />\n<br />\n" ;
print 'Possibly Infected Files (' . scalar ( keys ( % possible_list ) ) . "):<br />\n" ;
foreach my $ key ( keys ( % possible_list ) ) {
print "$key => $possible_list{$key}<br />\n" ;
}
sub dir {
my ( $ start_dir ) = @ _ ;
unless ( opendir ( DIR , $ start_dir ) ) {
print "Skipping directory $start_dir: $! <br />" ;
return ;
}
opendir ( DIR , $ start_dir ) || die "$start_dir: $!" ;
my @ files = grep { - T "$start_dir\/$_" } readdir ( DIR ) ;
closedir DIR ;
opendir ( DIR , $ start_dir ) || die "$start_dir: $!" ;
my @ folders = grep { - d "$start_dir\/$_" } readdir ( DIR ) ;
closedir DIR ;
foreach my $ file ( sort @ files ) {
next if $ file eq 'error_log' ;
next if $ file eq 'tcpdf.php' ;
next if $ file eq 'charmap.php' ;
next if $ file eq 'main-modules.php' ;
next if $ file eq 'wp-super-cache.php' ;
next if $ file eq 'user-edit.php' ;
next if $ file eq 'youtube.php' ;
next if $ file eq 'FMModelForm_maker_fmc.php' ;
2018-04-12 06:07:21 +02:00
next if $ file eq 'menu_scan.php' ;
2018-05-11 11:17:05 +02:00
next if $ file eq 'style_dynamic.php' ;
2018-03-30 10:04:44 +02:00
print "Scanning $start_dir/$file... " ;
unless ( - r "$start_dir/$file" ) {
print " Skipping file, unable to read file<br />" ;
next
}
if ( ( - s "$start_dir/$file" ) > 1024000 ) {
print " Skipping file, over 1MB<br />" ;
next
}
my $ fh ;
unless ( open ( $ fh , '<' , "$start_dir/$file" ) ) {
print " Unable to read file, $!<br />" ;
next
}
my $ contents = do { local $/ ; <$fh> } ;
close $ fh ;
my ( $ infected , $ cleaned , $ possible , $ known , $ sig ) ;
foreach my $ pattern ( @ regexen ) {
my $ t ;
if ( $ contents =~ /$pattern/ ) {
my ( $ d , $ t ) = ( $ 1 , $ 2 ) ;
$ infected = 1 ;
( $ contents , $ cleaned ) = clean_file ( "$start_dir/$file" , $ contents , $ pattern ) ;
push ( @ file_list , "$start_dir/$file" ) ;
}
$ t = undef ;
}
print $ infected ? ( $ cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n" ) : ( $ possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n" ) ;
}
foreach my $ folder ( sort @ folders ) {
if ( $ folder !~ /^\.\.?$/ ) {
dir ( "$start_dir/$folder" ) ;
}
}
}
sub clean_file {
my ( $ file , $ contents , $ pattern ) = @ _ ;
my $ cleaned ;
if ( $ contents =~ /\n{4}/ ) {
$ contents =~ s/\n\n/\n/g ;
}
$ contents =~ s/$pattern//g ;
if ( $ contents =~ /$pattern/ ) {
$ cleaned = 0 ;
}
else {
open ( my $ fh , '>' , $ file ) ;
print $ fh $ contents ;
close $ fh ;
$ cleaned = 1 ;
}
return ( $ contents , $ cleaned ) ;
}
1 ;
