LP-MSH-Scanner/malware4.pl

#!/usr/bin/perl

use strict;
use warnings;
use CGI;

BEGIN {
    $SIG{__DIE__} = sub {
        my $msg = shift;
        print "status: 500\n";
        print "content-type: text/html\n\n";
        $msg =~ s/\n/\0/g;
        print "error: $msg\n";
        CORE::die $msg;
    }
}

$| = 1;
our $q = CGI->new;
print "Content-type: text/html\n\n";

my @regexen = (
    qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
	qr/<\?php\s+eval\(gzuncompress\(\".+?\"\)\)/is,
	qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
	qr/<\?php\s+chmod\(get\_root\_path\(\)\,\s+0755\)\;.+?function\s+get\_root\_path\(\).+?die\(\$reason\)\;\s+\}/is,
    qr/<html>\s+<title>1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval\(base64\_decode\(.+?<\/Script>/is,
    qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+\)\.\(\[a\-z\-\@\]\+\)\.\(\[a\-z\]\+\)\/.+?\$2\(\$3\(urldecode\(\'\$1\'\)\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is,
    qr/<\?php\s+if\s+\(isset\(\$\_REQUEST\[\"q\"\]\)\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if\(isset\(\$\_POST\[\"key\"\]\)\s+\&\&\s+isset\(\$\_POST\[\"chk\"\]\)\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval\(gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]\)\)\)\;\s+\?>/is,
    qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\s+\}/is,
    qr/<\?php\s+eval\(gzuncompress\(.+?\"\)\)\;/is,
    qr/<\?php.+?class\s+JApplication.+?new\s+JApplication\(array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'\)\)\;/is,
    qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval\(base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\?>/is,
    qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?\)\)\;\s+\}/is,
    qr/<\?php\s+\$dom\s+\=\s+array\(.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom\)\-1\)\]\.\'\/file\.php\'\;.+?header\(\'Location\:\s+\'\.\$url\)\;\s+\}\s+exit\;\s+\?>/is,
    qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"id\"\]\)\)\s+header\(.+?\.\$\_GET\[\"id\"\]\)\;\s+\?>/is,
    qr/<\?php\s+eval\(base64\_decode\(.+?\)\)\;/is,
    qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?functions+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{return\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\;.+?\}\(\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?\)\}\;\s+\}/is,
    qr/<\?php\s+eval\(base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is,
    qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?\)\;\s+\?>/is,
    qr/\*\/\s+eval\(base64\_decode\(\"aWY.+?\=\"\)\)\;\s+\/\*/is,
    qr/\*\/include\s+\/\*/is,
    qr/\*\/\".+?\.co.+?php\"\;\/\*/is,
    qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents\(\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]\)\)\)\;\}\s+unlink\(\$scr\.\"\.php\"\)\;\s+\?>/is,
    qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?exit\(\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"\)\}\)\;\s+\}/is,
	qr/eval\(base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is,
    qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\(\)\;([A-z0-9]{250,})/is,
    qr/<\?\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})\(\'\#\#e\'\,.+?\'\'\)\;/is,
    qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?\Z/is,
    qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function\(\).+?getCookie\(\"ytm\_hit1\"\)\&\&\(setCookie\(\"ytm\_hit1\"\,1\,1\)\,1\=\=getCookie\(\"ytm\_hit1\"\).+?\/script>\'\)\)\)\;<\/script>/is,
	qr/<\?php\s+if\(isset\(\$\_POST\[chr\(100\).+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is,
    qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(97\)\.chr\(117\)\.\"t\"\.chr\(104\)\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr\(115\)\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is,
    qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return.+?round\(.+?\)\;\}/is,
    qr/<IfModule\s+mod\_rewrite\.c>\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*\(google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is,
    qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\)\s+\{\s+\header\(\s+\'Content\-Type\:\s+image\/jpeg\'\s+\)\;\s+readfile\(\'http\:\/\/.+?\.jpg\'\)\;\s+\exit\(\)\;\s+\}\s+header\(\'Location\:\s+http\:\/\/.+?\'\)\;\s+exit\(\)\;/is,
    qr/function\s+l\_\_1\(\$.+?function\s+l\_\_3\(\$\_2\)\{if\(\$GLOBALS\[\Z/is,
    qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\).+?\)\;\s+exit\(\)\;/is,
    qr/<\?php\s+define\(\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"\)\;\s+define\(\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"\)\;.+?else\s+if\(strcasecmp\(\$h\,\s+\$key\)\s+\=\=\s+0\)\s+unset\(\$headers\[\$h\]\)\;\s+\}\s+\}/is,
    qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]\)\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\(\)\;\Z/is,
	qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+\(preg\_match\(\'\/facebook\/si\'\,\$ua\)\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is, 
    qr/<\?php\s+session\_start\(\)\;.+?\.php\_uname\(\)\..+?<\/form>/is,
	qr/\'\;if\(\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is,
	qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\).+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is,
    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\(\)\;/is,
    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+\(\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"\)\)\s+or\s+\(strstr\(([A-z0-9]{1,20})\}\[.+?\)rtolower\(\$\_SERVER\[.+?\)\s+\&\&\s+\(\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?\)\)\s+or\s+\(strstr\(\$.+?\(0\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_.+?\)\{return\s+chr\(ord\(\$n\)\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
    qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower\(.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
    qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'\)\;/is,
    qr/function\s+l\_\_1\(\$\_\Z/is,
    qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\)\s+\&\&\s+\(md5\(\$\_POST\[\'name\'\]\).+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is,
    qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,
    qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is,
    qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is,
    qr/<\?PHP\s+if\(isset\(\$\_REQUEST\[\"cmd\"\]\)\)\{eval\(stripslashes\(\$\_REQUEST\[\"cmd\"\]\)\)\;die\(\)\;\}\s+\?>/is,
    qr/<\?php\s+\$auth_pass.+?\$color.+?\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
    qr/<\?php.+?\$auth_pass.+?\$color.+?\$default_action\s+\=\s+\'FilesMan\'\;.+?\)\;\?>/is,
    qr/<\?php\s+\$\{.+?\,NULL\)\;\@ini\_set\(\"log\_.+?\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$\{.+?\=>\@phpversion\(\)\,.+?\]\)\;\}exit\(\)\;\}/is,
    qr/<\?php\s+\$\{.+?\)\{if\(is\_uploaded\_file\(.+?\)\;\s+\?>/is,
    qr/<\?php\s+eval\(.+?x3B\"\)\;\s+\?>/is,
    qr/<\?php\s+\/\*\*\s+WordPress.+?eval\(gz.+?\$x([A-z0-9]{1,10})\s+\,\"([0-9]{1,5})\"\)\;/is,
    qr/<\?php\s+\$noc\s+=\s+\".+?\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\].+?\$noc\[([0-9]{1,3})\]\.\$([A-z0-9]{1,10})\;\@\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\?>/is,
    qr/<\?php\s+\/\/function\s+M404\s+\(\)\{.+?\$strings\s+\=\s+explode\(\'\|\'\,\s+base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(\$value\)\)\)\)\)\)\)\)\)\;.+?echo\s+\'\#\#\#\#\#\'\.\s+\$result\s+\.\s+\'\*\*\*\*\*\'\;\s+exit\;/is,
	qr/<\?php\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\/\/status.+?echo\s+\"File\s+does\s+not\s+exist\"\;\s+\}\s+\?>/is,
    qr/<\?php\s+\$p\s+\=\s+\$\_REQUEST\[\"m\"\]\;\s+eval\(base64\_decode\(\$p\)\)\;\s+\?>/is,
    qr/\/\*edition\:1\.6\*\/.+?\;eval\(gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;/is,
    qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;/is,
    qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;eval\(\$([A-z0-9]{1,20})\)\;/is,
    qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]\(\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]\)\[\_0xaae8\[2\]\]\(\)\[\_0xaae8\[1\]\]\(\_0xaae8\[0\]\)\)/is,
    qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\=\=\'\)\)\)\;/is,
    qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,
	qr/A<\?php\s+\$license\s+\=\s+str\_rot13\(\'n\'\.\'f\'\.\'f\'\.\'r\'\.\'e\'\.\'g\'\)\;\s+\$license\(\$\_POST\[\'info\'\]\)\;\s+\?>/is,
    
);
my @base64_decodes = (


);

my @file_list;
my %possible_list;

my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir);

print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
    print "$file<br />\n";
}
print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (keys(%possible_list)) {
    print "$key => $possible_list{$key}<br />\n";
}

sub dir {
    my ($start_dir) = @_;

    unless (opendir(DIR, $start_dir)) {
        print "Skipping directory $start_dir: $! <br />";
        return;
    }

    opendir(DIR, $start_dir) || die "$start_dir: $!";
    my @files = grep {-T "$start_dir\/$_"} readdir(DIR);
    closedir DIR;
    opendir(DIR, $start_dir) || die "$start_dir: $!";
    my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);
    closedir DIR;

foreach my $file (sort @files) {
        next if $file eq 'error_log';
        next if $file eq 'tcpdf.php';
        next if $file eq 'charmap.php';
        next if $file eq 'main-modules.php';
        next if $file eq 'wp-super-cache.php';
        next if $file eq 'user-edit.php';
        print "Scanning $start_dir/$file... ";

        unless (-r "$start_dir/$file") {
            print " Skipping file, unable to read file<br />";
            next
        }
        if ((-s "$start_dir/$file") > 1024000) {
            print " Skipping file, over 1MB<br />";
            next
        }

        my $fh;
        unless (open ($fh, '<', "$start_dir/$file")) {
            print " Unable to read file, $!<br />";
            next
        }

        my $contents = do { local $/; <$fh> };
        close $fh;

my ($infected, $cleaned, $possible, $known, $sig);
        foreach my $pattern (@regexen) {
            my $t;
            if ($contents =~ /$pattern/) {
                my ($d, $t) = ($1, $2);
                    $infected = 1;
                    ($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);
                    push (@file_list, "$start_dir/$file");
            }

            $t = undef;
        }


        print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");
    }


    foreach my $folder (sort @folders) {
        if ($folder !~ /^\.\.?$/) {
            dir("$start_dir/$folder");
        }
    }
}

sub clean_file {
    my ($file, $contents, $pattern) = @_;
    my $cleaned;

    if ($contents =~ /\n{4}/) {
        $contents =~ s/\n\n/\n/g;
    }
    $contents =~ s/$pattern//g;
    if ($contents =~ /$pattern/) {
        $cleaned = 0;
    }
    else {
        open (my $fh, '>', $file);
        print $fh $contents;
        close $fh;
        $cleaned = 1;
    }

    return ($contents, $cleaned);
}

1;
Add 'malware4.pl' 2017-01-02 09:13:21 +01:00			`#!/usr/bin/perl`

			`use strict;`
			`use warnings;`
			`use CGI;`

			`BEGIN {`
			`$SIG{__DIE__} = sub {`
			`my $msg = shift;`
			`print "status: 500\n";`
			`print "content-type: text/html\n\n";`
			`$msg =~ s/\n/\0/g;`
			`print "error: $msg\n";`
			`CORE::die $msg;`
			`}`
			`}`

			`$\| = 1;`
			`our $q = CGI->new;`
			`print "Content-type: text/html\n\n";`

			`my @regexen = (`
			qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
Update 'malware4.pl' 2017-04-28 21:13:45 +02:00			`qr/<\?php\s+eval\(gzuncompress\(\".+?\"\)\)/is,`
			`qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,`
Update 'malware4.pl' 2017-01-02 09:27:31 +01:00			`qr/<\?php\s+chmod\(get\_root\_path\(\)\,\s+0755\)\;.+?function\s+get\_root\_path\(\).+?die\(\$reason\)\;\s+\}/is,`
			`qr/<html>\s+<title>1962Cracker\s+\\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\\|<\/title>.+?<\?php\s+eval\(base64\_decode\(.+?<\/Script>/is,`
			`qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+\)\.\(\[a\-z\-\@\]\+\)\.\(\[a\-z\]\+\)\/.+?\$2\(\$3\(urldecode\(\'\$1\'\)\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is,`
			`qr/<\?php\s+if\s+\(isset\(\$\_REQUEST\[\"q\"\]\)\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if\(isset\(\$\_POST\[\"key\"\]\)\s+\&\&\s+isset\(\$\_POST\[\"chk\"\]\)\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval\(gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]\)\)\)\;\s+\?>/is,`
			`qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\i\\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\s+\}/is,`
			`qr/<\?php\s+eval\(gzuncompress\(.+?\"\)\)\;/is,`
			`qr/<\?php.+?class\s+JApplication.+?new\s+JApplication\(array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'\)\)\;/is,`
Update 'malware4.pl' 2017-01-06 13:21:08 +01:00			`qr/<\?php\s+\/\\s+\@package\s+WordPress\s+\\/\s+eval\(base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\?>/is,`
Update 'malware4.pl' 2017-05-03 07:39:55 +02:00			`qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?\)\)\;\s+\}/is,`
Update 'malware4.pl' 2017-01-13 21:22:54 +01:00			`qr/<\?php\s+\$dom\s+\=\s+array\(.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom\)\-1\)\]\.\'\/file\.php\'\;.+?header\(\'Location\:\s+\'\.\$url\)\;\s+\}\s+exit\;\s+\?>/is,`
			`qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"id\"\]\)\)\s+header\(.+?\.\$\_GET\[\"id\"\]\)\;\s+\?>/is,`
Update 'malware4.pl' 2017-03-03 21:04:46 +01:00			`qr/<\?php\s+eval\(base64\_decode\(.+?\)\)\;/is,`
Update 'malware4.pl' 2017-01-14 14:21:48 +01:00			`qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?functions+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{return\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\;.+?\}\(\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?\)\}\;\s+\}/is,`
			`qr/<\?php\s+eval\(base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is,`
			`qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?\)\;\s+\?>/is,`
Update 'malware4.pl' 2017-01-15 13:14:54 +01:00			`qr/\\/\s+eval\(base64\_decode\(\"aWY.+?\=\"\)\)\;\s+\/\/is,`
			`qr/\\/include\s+\/\/is,`
			`qr/\\/\".+?\.co.+?php\"\;\/\/is,`
Update 'malware4.pl' 2017-01-15 13:22:45 +01:00			`qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents\(\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]\)\)\)\;\}\s+unlink\(\$scr\.\"\.php\"\)\;\s+\?>/is,`
Update 'malware4.pl' 2017-01-18 21:23:45 +01:00			`qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?exit\(\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"\)\}\)\;\s+\}/is,`
Update 'malware4.pl' 2017-01-19 21:30:18 +01:00			`qr/eval\(base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is,`
			`qr/<\?php\s+\/\\s+ionCube24\s+encoder\s+\\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\(\)\;([A-z0-9]{250,})/is,`
Update 'malware4.pl' 2017-01-20 10:43:33 +01:00			`qr/<\?\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,`
Update 'malware4.pl' 2017-01-20 21:22:55 +01:00			`qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})\(\'\#\#e\'\,.+?\'\'\)\;/is,`
Update 'malware4.pl' 2017-01-21 11:26:58 +01:00			`qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?\Z/is,`
Update 'malware4.pl' 2017-01-26 07:13:48 +01:00			`qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function\(\).+?getCookie\(\"ytm\_hit1\"\)\&\&\(setCookie\(\"ytm\_hit1\"\,1\,1\)\,1\=\=getCookie\(\"ytm\_hit1\"\).+?\/script>\'\)\)\)\;<\/script>/is,`
Update 'malware4.pl' 2017-01-26 14:52:44 +01:00			`qr/<\?php\s+if\(isset\(\$\_POST\[chr\(100\).+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is,`
			`qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(97\)\.chr\(117\)\.\"t\"\.chr\(104\)\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr\(115\)\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is,`
Update 'malware4.pl' 2017-01-29 13:15:05 +01:00			`qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return.+?round\(.+?\)\;\}/is,`
Update 'malware4.pl' 2017-03-03 21:04:46 +01:00			`qr/<IfModule\s+mod\_rewrite\.c>\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*\(google\\|ask\\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is,`
			`qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\)\s+\{\s+\header\(\s+\'Content\-Type\:\s+image\/jpeg\'\s+\)\;\s+readfile\(\'http\:\/\/.+?\.jpg\'\)\;\s+\exit\(\)\;\s+\}\s+header\(\'Location\:\s+http\:\/\/.+?\'\)\;\s+exit\(\)\;/is,`
Update 'malware4.pl' 2017-01-29 13:41:18 +01:00			`qr/function\s+l\_\_1\(\$.+?function\s+l\_\_3\(\$\_2\)\{if\(\$GLOBALS\[\Z/is,`
Update 'malware4.pl' 2017-03-03 21:04:46 +01:00			`qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\).+?\)\;\s+exit\(\)\;/is,`
			`qr/<\?php\s+define\(\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"\)\;\s+define\(\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"\)\;.+?else\s+if\(strcasecmp\(\$h\,\s+\$key\)\s+\=\=\s+0\)\s+unset\(\$headers\[\$h\]\)\;\s+\}\s+\}/is,`
Update 'malware4.pl' 2017-01-29 13:41:18 +01:00			`qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]\)\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\(\)\;\Z/is,`
Update 'malware4.pl' 2017-02-10 21:06:58 +01:00			`qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+\(preg\_match\(\'\/facebook\/si\'\,\$ua\)\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is,`
			`qr/<\?php\s+session\_start\(\)\;.+?\.php\_uname\(\)\..+?<\/form>/is,`
Update 'malware4.pl' 2017-02-10 21:12:16 +01:00			`qr/\'\;if\(\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is,`
Update 'malware4.pl' 2017-02-12 11:04:38 +01:00			`qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\).+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is,`
Update 'malware4.pl' 2017-02-12 11:15:32 +01:00			`qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\(\)\;/is,`
Update 'malware4.pl' 2017-02-19 09:18:46 +01:00			`qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+\(\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"\)\)\s+or\s+\(strstr\(([A-z0-9]{1,20})\}\[.+?\)rtolower\(\$\_SERVER\[.+?\)\s+\&\&\s+\(\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?\)\)\s+or\s+\(strstr\(\$.+?\(0\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_.+?\)\{return\s+chr\(ord\(\$n\)\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,`
Update 'malware4.pl' 2017-02-19 10:47:43 +01:00			`qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower\(.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,`
Update 'malware4.pl' 2017-02-23 12:33:39 +01:00			`qr/<\?php\s+\/\([A-z0-9]{1,10})\\/\s+\@include\s+\".+?\/\([A-z0-9]{1,10})\\/\s+echo\s+file\_get\_contents\(\'.+?\'\)\;/is,`
Update 'malware4.pl' 2017-03-03 20:52:15 +01:00			`qr/function\s+l\_\_1\(\$\_\Z/is,`
Update 'malware4.pl' 2017-03-03 21:04:46 +01:00			`qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\)\s+\&\&\s+\(md5\(\$\_POST\[\'name\'\]\).+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is,`
			`qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,`
Update 'malware4.pl' 2017-03-04 13:45:26 +01:00			`qr/<\?php\s+\/\\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\\/\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\\/\s+\?>/is,`
Update 'malware4.pl' 2017-03-05 12:26:52 +01:00			`qr/\/\([A-z0-9]{1,10})\\/\s+\@include\s+\".+?\"\;\s+\/\([A-z0-9]{1,10})\\//is,`
Update 'malware4.pl' 2017-03-09 13:06:44 +01:00			`qr/<\?PHP\s+if\(isset\(\$\_REQUEST\[\"cmd\"\]\)\)\{eval\(stripslashes\(\$\_REQUEST\[\"cmd\"\]\)\)\;die\(\)\;\}\s+\?>/is,`
			qr/<\?php\s+\$auth_pass.+?\$color.+?\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
Update 'malware4.pl' 2017-03-10 11:35:16 +01:00			`qr/<\?php.+?\$auth_pass.+?\$color.+?\$default_action\s+\=\s+\'FilesMan\'\;.+?\)\;\?>/is,`
Update 'malware4.pl' 2017-03-10 11:12:03 +01:00			`qr/<\?php\s+\$\{.+?\,NULL\)\;\@ini\_set\(\"log\_.+?\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$\{.+?\=>\@phpversion\(\)\,.+?\]\)\;\}exit\(\)\;\}/is,`
Update 'malware4.pl' 2017-03-10 11:34:25 +01:00			`qr/<\?php\s+\$\{.+?\)\{if\(is\_uploaded\_file\(.+?\)\;\s+\?>/is,`
Update 'malware4.pl' 2017-03-20 10:01:13 +01:00			`qr/<\?php\s+eval\(.+?x3B\"\)\;\s+\?>/is,`
			`qr/<\?php\s+\/\\\s+WordPress.+?eval\(gz.+?\$x([A-z0-9]{1,10})\s+\,\"([0-9]{1,5})\"\)\;/is,`
Update 'malware4.pl' 2017-03-25 19:54:52 +01:00			`qr/<\?php\s+\$noc\s+=\s+\".+?\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\].+?\$noc\[([0-9]{1,3})\]\.\$([A-z0-9]{1,10})\;\@\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\?>/is,`
Update 'malware4.pl' 2017-03-27 10:02:19 +02:00			`qr/<\?php\s+\/\/function\s+M404\s+\(\)\{.+?\$strings\s+\=\s+explode\(\'\\|\'\,\s+base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(\$value\)\)\)\)\)\)\)\)\)\;.+?echo\s+\'\#\#\#\#\#\'\.\s+\$result\s+\.\s+\'\\\\\*\'\;\s+exit\;/is,`
Update 'malware4.pl' 2017-03-27 19:16:20 +02:00			`qr/<\?php\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\/\/status.+?echo\s+\"File\s+does\s+not\s+exist\"\;\s+\}\s+\?>/is,`
			`qr/<\?php\s+\$p\s+\=\s+\$\_REQUEST\[\"m\"\]\;\s+eval\(base64\_decode\(\$p\)\)\;\s+\?>/is,`
Update 'malware4.pl' 2017-03-27 19:46:40 +02:00			`qr/\/\edition\:1\.6\\/.+?\;eval\(gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;/is,`
Update 'malware4.pl' 2017-04-07 14:46:55 +02:00			`qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;/is,`
Update 'malware4.pl' 2017-04-07 20:52:40 +02:00			`qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;eval\(\$([A-z0-9]{1,20})\)\;/is,`
Update 'malware4.pl' 2017-04-22 11:34:38 +02:00			`qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]\(\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]\)\[\_0xaae8\[2\]\]\(\)\[\_0xaae8\[1\]\]\(\_0xaae8\[0\]\)\)/is,`
Update 'malware4.pl' 2017-04-28 21:03:50 +02:00			`qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\=\=\'\)\)\)\;/is,`
Update 'malware4.pl' 2017-04-28 20:21:52 +02:00			`qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,`
Update 'malware4.pl' 2017-05-01 09:01:02 +02:00			`qr/A<\?php\s+\$license\s+\=\s+str\_rot13\(\'n\'\.\'f\'\.\'f\'\.\'r\'\.\'e\'\.\'g\'\)\;\s+\$license\(\$\_POST\[\'info\'\]\)\;\s+\?>/is,`

Update 'malware4.pl' 2017-01-18 21:23:45 +01:00			`);`
Add 'malware4.pl' 2017-01-02 09:13:21 +01:00			`my @base64_decodes = (`


			`);`

			`my @file_list;`
			`my %possible_list;`

			`my $start_dir = $ENV{'SCRIPT_FILENAME'} \|\| '../';`
			`$start_dir =~ s/\/cgi-bin//;`
			`$start_dir =~ s/\/lp-msh-scanner//;`
			`$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));`
			`dir ($start_dir);`

			`print "<br />\n<br />\n";`
			`print 'Infected Files (' . scalar(@file_list) . "):<br />\n";`
			`foreach my $file (@file_list) {`
			`print "$file<br />\n";`
			`}`
			`print "<br />\n<br />\n";`
			`print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";`
			`foreach my $key (keys(%possible_list)) {`
			`print "$key => $possible_list{$key}<br />\n";`
			`}`

			`sub dir {`
			`my ($start_dir) = @_;`

			`unless (opendir(DIR, $start_dir)) {`
			`print "Skipping directory $start_dir: $! <br />";`
			`return;`
			`}`

			`opendir(DIR, $start_dir) \|\| die "$start_dir: $!";`
			`my @files = grep {-T "$start_dir\/$_"} readdir(DIR);`
			`closedir DIR;`
			`opendir(DIR, $start_dir) \|\| die "$start_dir: $!";`
			`my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);`
			`closedir DIR;`

			`foreach my $file (sort @files) {`
			`next if $file eq 'error_log';`
			`next if $file eq 'tcpdf.php';`
Update 'malware4.pl' 2017-03-29 08:14:44 +02:00			`next if $file eq 'charmap.php';`
			`next if $file eq 'main-modules.php';`
			`next if $file eq 'wp-super-cache.php';`
			`next if $file eq 'user-edit.php';`
Add 'malware4.pl' 2017-01-02 09:13:21 +01:00			`print "Scanning $start_dir/$file... ";`

			`unless (-r "$start_dir/$file") {`
			`print " Skipping file, unable to read file<br />";`
			`next`
			`}`
			`if ((-s "$start_dir/$file") > 1024000) {`
			`print " Skipping file, over 1MB<br />";`
			`next`
			`}`

			`my $fh;`
			`unless (open ($fh, '<', "$start_dir/$file")) {`
			`print " Unable to read file, $!<br />";`
			`next`
			`}`

			`my $contents = do { local $/; <$fh> };`
			`close $fh;`

			`my ($infected, $cleaned, $possible, $known, $sig);`
			`foreach my $pattern (@regexen) {`
			`my $t;`
			`if ($contents =~ /$pattern/) {`
			`my ($d, $t) = ($1, $2);`
			`$infected = 1;`
			`($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);`
			`push (@file_list, "$start_dir/$file");`
			`}`

			`$t = undef;`
			`}`


			`print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");`
			`}`


			`foreach my $folder (sort @folders) {`
			`if ($folder !~ /^\.\.?$/) {`
			`dir("$start_dir/$folder");`
			`}`
			`}`
			`}`

			`sub clean_file {`
			`my ($file, $contents, $pattern) = @_;`
			`my $cleaned;`

			`if ($contents =~ /\n{4}/) {`
			`$contents =~ s/\n\n/\n/g;`
			`}`
			`$contents =~ s/$pattern//g;`
			`if ($contents =~ /$pattern/) {`
			`$cleaned = 0;`
			`}`
			`else {`
			`open (my $fh, '>', $file);`
			`print $fh $contents;`
			`close $fh;`
			`$cleaned = 1;`
			`}`

			`return ($contents, $cleaned);`
			`}`

			`1;`