diff --git a/sc.php b/sc.php
new file mode 100644
index 0000000..6fa9fcc
--- /dev/null
+++ b/sc.php
@@ -0,0 +1,2478 @@
+<?php
+/* Made by Malin Cenusa
+ June 2016 - v3.9.6
+ TODO:
+ - clear error logs
+ - add chown
+ - add suspicious plugins - done for WP
+ - add resource hogs - done for WP
+ - code cleanup
+
+*/
+
+$version = "v3.9.6";
+$released = "June/16";
+$author = "Malin Cenusa";
+$mail = "malin.cenusa@lunarpages.com";
+$ip = "141.105.110.133";
+$error = "Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 54 bytes)";
+
+?>
+
+<html>
+<head>
+<title>..:: Global Account Maintenance Tool ::.. <?php print_r($version); ?> released <?php print_r($released); ?> - by <?php print_r($author); ?> [ <?php print_r($mail); ?> ]</title>
+    <link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Poiret One|Play" media="screen">
+ <style type="text/css">
+     h3 {
+    font-family: 'Poiret One', Helvetica, Arial, serif;
+}
+
+     p {
+         font-family: 'Play', Helvetica, Arial, serif;
+         font-size: 13px;
+}
+ 
+     a {
+         font-family: 'Play', Helvetica, Arial, serif;
+         font-size: 13px;
+}
+body{
+	padding:20px;
+    background-color: #D8D8D8;
+}
+.icon-warning-sign{
+	padding-right:10px;
+}
+</style>
+</head>
+    
+<body>
+<div id="menu">
+<h3>..:: Global Account Maintenance Tool ::.. <?php print_r($version); ?> released <?php print_r($released); ?> - by <?php print_r($author); ?> [ <?php print_r($mail); ?> ]</h3>
+<div align="right" ><a href="?run=remove" style="color: #000000; background-color:#00ff00; font-size: 18px;">REMOVE SCRIPT</a></div><br /><hr>
+    
+<table style="border-spacing:0; width:100%; ">
+<tr>
+<td width="25%">
+    <span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: MALWARE AUDIT ::..</span><br />
+    <ul>
+    <li><a href="?run=infection" style="color: #ff0000;">Known PHPShell Scan</a></li>
+    <li><a href="?run=scanme" style="color: #ff0000;">Known Malware Scan</a></li>
+    <li><a href="?run=less" style="color: #ff0000;">Less used patterns</a></li>
+    <li><a href="?run=checkexif" style="color: #ff0000;">Scan JPEG EXIF Data</b></a></li>
+    <li><a href="?run=iframe" style="color: #ff0000;">malicious IFRAME scan</a></li>
+    <li><a href="?run=checklarge" style="color: #ff0000;">Check Files With Large Lines</b></a></li>
+    <li><a href="?run=newscan" style="color: #ff0000;">Database String Scanner</a></li>
+    <li><a href="?run=cryptophp" style="color: #ff0000;">CryptoPHP Scanner</a></li>
+    <li><a href="?run=findbot" style="color: #ff0000;">Run Findbot.PL</a></li>
+    <li><a href="?run=custom" style="color: #ff0000;">Custom string scanner</b></a></li>
+</ul>
+    </td>
+
+<td width="25%">
+    <span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: INSTALLED SCRIPTS ::..</span><br />
+    <ul>
+    <li><a href="?run=version" style="color: #ff0000;">Most used scripts (batch #1)</a></li>
+    <li><a href="?run=cms" style="color: #ff0000;">Other scripts (batch #2)</a></li>
+    <li><a href="?run=blog" style="color: #ff0000;">Other blogs & portals</a></li>
+    <li><a href="?run=commerce" style="color: #ff0000;">Other ecommerce & forums</a></li>
+    <li><a href="?run=rarely" style="color: #ff0000;">Rarely used</a></li>
+    <li><a href="?run=insecplug" style="color: #ff0000;">Insecure WP plugins</a></li>
+    <li><a href="?run=vulntheme" style="color: #ff0000;">Vulnerable WP themes</a></li>
+</ul>
+        </td>
+
+<td width="25%">
+    <span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: CLEANER ::..</span><br />
+    <ul>
+    <li><a href="?run=cleanPL" style="color: #ff0000;">Clean.PL</b></a></li>
+    <li><a href="?run=cleanPHP" style="color: #ff0000;">Clean.PHP</a></li>
+    <li><a href="?run=cleanerrorlogs" style="color: #ff0000;">Clear Error Logs</a></li>
+    <li><a href="?run=cleanexif" style="color: #ff0000;">Clean EXIF</a></li>
+    <li><a href="?run=cleangravity" style="color: #ff0000;">Clean Gravity Forms Exploit</a></li>
+    <li><a href="?run=removezero" style="color: #ff0000;">Remove Empty Files</a></li>
+    <li><a href="?run=removezero" style="color: #ff0000;">Remove Error Logs</a></li>
+    <li><a href="?run=cleanupl" style="color: #ff0000;">Remove PHP files from uploads dir (WP)</a></li>
+
+</ul>
+</td>
+
+<td width="25%">
+    <span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: MySQL ::..</span><br />
+    <ul>
+    <li><a href="?run=prefix" style="color: #ff0000;">Change Table Prefix</a></li>
+    <li><a href="?run=pwds" style="color: #ff0000;">Check password security</a></li>
+    <li><a href="?run=mysqlpwd" style="color: #ff0000;">Change MySQL user password</a></li>
+    <li><a href="?run=changeengine" style="color: #ff0000;">Change MySQL database engine</a></li>
+    <li><a href="?run=repl" style="color: #ff0000;">Replace Strings (MySQL password)</a></li>
+    <li><a href="?run=optim" style="color: #ff0000;">MySQL DB Optimization</a></li>
+</ul>
+</td>
+</tr>
+</table><br />
+
+<table style="border-spacing:0; width:100%; ">
+<tr>
+<td width="25%">
+    <span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: FIND STUFF::..</span><br />
+    <ul>
+    <li><a href="?run=tmpcheck" style="color: #ff0000;">Find suspicious files in /tmp</a></li>
+    <li><a href="?run=symcheck" style="color: #ff0000;">Check for broken symlinks</a></li>
+    <li><a href="?run=findbackups" style="color: #ff0000;">Find backups</a></li>
+    <li><a href="?run=findsql" style="color: #ff0000;">Find SQL dumps</a></li>
+    <li><a href="?run=findlarge" style="color: #ff0000;">Find large files (unrelated content)</a></li>
+    <li><a href="?run=lastfiles" style="color: #ff0000;">Find last 500 modified files</a></li>
+    <li><a href="?run=findsymlinks" style="color: #ff0000;">Find Symlinks</a></li>
+    <li><a href="?run=findchmod" style="color: #ff0000;">Find Files & Dirs With Chmod 0000</a></li>
+    <li><a href="?run=getsize" style="color: #ff0000;">Get Size of a directory</a></li>
+</ul>
+    </td>
+
+<td width="25%">
+    <span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: SOP/MISC. ::..</span><br />
+    <ul>
+    <li><a href="?run=addsec" style="color: #ff0000;">Secure .htaccess and php.ini</a></li>
+    <li><a href="?run=fixperms" style="color: #ff0000;">Fix File and Folder Permissions</a></li>
+    <li><a href="?run=securetemps" style="color: #ff0000;">Secure Temporary/Images</a></li>
+    <li><a href="?run=transfer" style="color: #ff0000;">Site Transfer</a></li>
+    <li><a href="?run=zencart" style="color: #ff0000;">ZenCart Concantenated</a></li>
+    <li><a href="?run=mysqlpwd" style="color: #ff0000;">Empty</a></li>
+    <li><a href="?run=mysqlpwd" style="color: #ff0000;">Empty</a></li>
+</ul>
+</td>
+    
+<td>
+    <span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: USAGE Investigation ::..</span><br />
+    <ul>
+            <li><a href="?run=reshog" style="color: #ff0000;">WP Resource Hogs</a></li>
+            <li><a href="?run=reshog" style="color: #ff0000;">Database Size</a></li>
+            <li><a href="?run=reshog" style="color: #ff0000;">Running Processes</a></li>
+            <li><a href="?run=processlist" style="color: #ff0000;">Check The ProcessList</a></li>
+</ul>
+</td>
+</tr>
+</ul>
+</table>
+<hr>
+<div align="center">
+    
+<?php
+
+/* setting the PHP environment variables */
+ini_set('memory_limit', '512M');
+ini_set('max_execution_time', '0'); // supress problems with timeouts
+ini_set('set_time_limit', '0'); // supress problems with timeouts
+ini_set('display_errors', '0'); // show/hide errors
+ini_set("max_input_time", '50000');
+ini_set('default_socket_timeout', '50000');
+
+/* let's define the paths first */
+$GLOBALS["userdir"] = system('whoami');
+$GLOBALS["public_html"] = '/home/'.$GLOBALS["userdir"].'/public_html';
+$GLOBALS["doc_root"] = '/home/'.$GLOBALS["userdir"].'/';
+$GLOBALS["findcmd"] = 'find '.$GLOBALS["public_html"].'/';
+
+$GLOBALS["red"] = "<span style='color: #FF0000';>";
+$GLOBALS["br"] = "<br />";
+$GLOBALS["span"] = "</span>";
+    
+/* let's get the server and account specs */
+echo "Server: ";
+system('hostname');
+echo " | user: ";
+system('whoami');
+echo " | location: ";
+system('pwd');
+if( ini_get('safe_mode') ){
+   echo "<font color=\"#ff0000;\"><br />PHP is running in safe mode - functionality is limited</font>";
+}else{
+   echo "<font color=\"#ff0000;\"><br />PHP is not running in safe mode - script has full functionality<br /></font>";
+}
+/* checking the server wide load */
+echo "<h3><b><center><font color='#FF0000'>Check the server load below first and make sure that you do not execute any of the functions if server has high load!!!</font></b></h3>";
+system ("w | grep load");
+
+?>
+<hr>
+</div>
+<span style="font-size: 15px; line-height:90%">
+<?php
+
+    function cleanupl(){
+        system("find ../*/wp-content/uploads/ -type f -name '*.php' -print -exec rm -rf {} \;"); /* clear PHP files from wp-content/uploads */
+        system('find ../ -type f -name "*.php.suspected" -print -exec rm -rf {} \;'); /* clear files renamed as *.suspected by the server AV */
+        system($GLOBALS["findcmd"].' -type f -size 0 -print -exec rm -rf {} \;'); /* clear files with 0 bytes size */
+        
+    }
+    
+ /*   function removezero(){
+        system("find ./ -type f -empty -print -exec rm -f {} \;");
+    } */
+function vulntheme(){
+
+}
+
+/* cleaning the backdoor files of the Gravity Forms Exploit */
+function cleangravity(){
+system($GLOBALS["findcmd"].' -type f -name "*_input__test*" -print -exec rm -rf {} \;');
+system($GLOBALS["findcmd"].' -type f -name "*_input_*.php*" -print -exec rm -rf {} \;');
+system($GLOBALS["findcmd"].' -type f -name "*_input_*.txt*" -print -exec rm -rf {} \;');
+}
+
+/* use a modified version of Spamhaus's findbot.pl to identify left over backdoors */
+function findbot(){
+$output = shell_exec('./findbot.pl -c ./');
+echo "<pre>$output</pre>";
+}
+
+/* secure the temporary directories against execution of malicious files */
+function securetemps(){
+    $htdata = '
+<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
+Order Deny,Allow
+Deny from all
+</FilesMatch>
+';
+        system("for i in `find ../ -type d -path '*/wp-content/uploads' -print;`; do echo -e '".$htdata."' >> \$i/.htaccess; done");
+        system("for i in `find ../ -type d -path '*/tmp' -print;`; do echo -e '".$htdata."' >> \$i/.htaccess; done");
+/* Joomla /images may cause a ton of false positive patches so we'll research this further */
+// system("for i in `find ./ -type d -path '*/images' -print;`; do echo -e '".$htdata."' >> \$i/.htaccess; done"); 
+echo "all patched\n";
+
+}
+/* Vulnerability check
+$output = shell_exec('find ./ -type f -name "*.php" -print -exec grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" --color {} \;');
+echo "<pre>$output</pre>"; */
+
+/* let's scan and clean cryptoPHP */
+function cryptophp(){
+    echo "Scanning for cryptoPHP in social.png files\n";
+           system("find ../ -type f -iname \"social*.png\" -exec grep -E -o 'php.{0,80}' {} \; -print");
+    
+    echo "\nScanning for cryptoPHP in all PNG files\n";
+           system("find ../ -type f -iname '*.png' -print0 | xargs -0 file | grep \"PHP script\"");
+}
+
+/* Execute The Malware Scanner */
+function scanme(){
+require_once("./scan.php");
+}
+
+/* Execute The PHP Cleaner */
+function cleanPHP(){
+require_once("./clean.php");
+}
+
+/* Execute the Perl Cleaners */
+function cleanPL(){
+system("./malware.pl");
+}
+
+/* Site Transfer Script */
+function transfer(){
+system("./transfer.pl");
+
+}
+/* EXIF scanner */
+function checkexif(){
+ini_set('exif.encode_unicode', 'UTF-8');
+define('IMAGEPATH', $GLOBALS["public_html"]);
+
+$directory = new RecursiveDirectoryIterator(IMAGEPATH);
+$iterator = new RecursiveIteratorIterator($directory);
+$matches = new RegexIterator($iterator, '/^.+\.(jpg|jpeg|png|tiff)$/i', RecursiveRegexIterator::GET_MATCH);
+foreach($matches as $key => $match):
+    $exif = exif_read_data($match[0], 0, 'EXIF');
+    echo '<pre>', print_r($exif, true), '</pre>';
+endforeach;
+}
+
+/* Insecure Plugins */
+function insecplug(){
+  $plugins_list = array(
+    "complete-gallery-manager",
+    "wp-phpmyadmin",
+    "1-flash-gallery",
+    "category-list-portfolio-page",
+    "disclosure-policy-plugin",
+    "dp-thumbnail",
+    "ip-logger",
+    "is-human",
+    "jquery-slider-for-featured-content",
+    "kish-guest-posting",
+    "lisl-last-image-slider",
+    "really-easy-slider",
+    "rent-a-car",
+    "vk-gallery",
+    "wordpress-news-ticker-plugin",
+    "wp-marketplace",
+    "adminer",
+    "file-commander",
+    "portable-phpmyadmin",
+    "portable-phpmyadmin",
+    "toolspack",
+    "ToolsPack",
+    "revslider",
+    "research-plugin*"
+  );
+
+  foreach ($plugins_list as $plugin){
+
+    system($GLOBALS["findcmd"].' -type d -name '.$plugin.' -print');
+
+  }
+
+}
+
+/* Resource Hog Plugins */
+function reshog(){
+  $plugin_list = array(
+    "broken-link-checker",
+    "myreviewplugin",
+    "linkman",
+    "fuzzy-seo-booster",
+    "wp-postviews",
+    "wordfence",
+    "tweet-blender",
+    "dynamic-related-posts",
+    "yet-another-related-posts-plugin",
+    "similar-posts",
+    "contextual-related-posts",
+    "yet-another-featured-posts-plugin",
+    "wponlinebackup",
+    "wpengine-snapshot",
+    "wpengine-migrate",
+    "wp-symposium-alerts",
+    "wp-slimstat",
+    "wp-missed-schedule",
+    "wordpress-gzip-compression",
+    "wp-cache",
+    "wp-database-optimizer",
+    "wp-db-backup",
+    "wp-dbmanager",
+    "wp-engine-snapshot",
+    "wp-file-cache",
+    "wp-mailinglist",
+    "async-google-analytics",
+    "backup-scheduler",
+    "backupwordpress",
+    "backwpup",
+    "duplicator",
+    "ewww-image-optimizer",
+    "ezpz-one-click-backup",
+    "google-xml-sitemaps-with-multisite-support",
+    "jr-referrer",
+    "missed-schedule",
+    "no-revisions",
+    "ozh-who-sees-ads",
+    "quick-cache",
+    "seo-alrp",
+    "si-captcha-for-wordpress",
+    "similar-posts",
+    "spyderspanker",
+    "spyderspanker_pro",
+    "super-post",
+    "superslider",
+    "text-passwords",
+    "the-codetree-backup",
+    );
+
+    foreach ($plugin_list as $plugins){
+
+      system($GLOBALS["findcmd"].' -type d -name '.$plugins.' -print');
+
+    }
+
+}
+
+/* EXIF cleaner */
+function cleanexif(){
+ini_set('exif.encode_unicode', 'UTF-8');
+define('IMAGEPATH', $GLOBALS["public_html"]);
+
+$directory = new RecursiveDirectoryIterator(IMAGEPATH);
+$iterator = new RecursiveIteratorIterator($directory);
+$matches = new RegexIterator($iterator, '/^.+\.(jpg|jpeg)$/i', RecursiveRegexIterator::GET_MATCH);
+
+foreach($matches as $key => $image):
+echo '<pre>', print_r($image, true),'</pre>';
+    try
+    {
+        $img = new Imagick($image[0]);
+        $img->stripImage();
+        $img->writeImage($image[0]);
+        $img->clear();
+        $img->destroy();
+
+        echo "Removed EXIF data from $image. \n";
+
+    } catch(Exception $e) {
+        echo 'Exception caught: ',  $e->getMessage(), PHP_EOL;
+    }
+endforeach;
+}
+
+/* Get MySQL process list for a given user */
+
+function processlist(){
+echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
+echo '<b>MySQL Host:</b></td><td><input name="host" id="host" type="text" size="30"><br />';
+echo '<b>MySQL Username:</b></td><td><input name="usern" id="usern" type="text" size="30"><br />';
+echo '<b>MySQL Password:</b></td><td><input name="passwd" id="passwd" type="text" size="30"><br />';
+echo '<input name="submit" type="submit" value="Go"><br /><br />';
+    if(($_POST['submit']) == "Go") {
+    $mhost = ($_POST["host"]);;
+    $mpass = ($_POST["passwd"]);
+    $musr = ($_POST["usern"]);
+}
+mysql_connect($mhost, $musr, $mpass);
+
+$q = mysql_query("SHOW FULL PROCESSLIST");
+
+echo "<span style='background-color:#00ff00; '>..:: MySQL-Processes ::..</span>\n";
+echo "<table width='*' border='1' cellspacing='1' cellpadding='3'>\n";
+
+while($l = mysql_fetch_row($q) ) {
+
+    echo "<tr>\n";
+    foreach($l as $val) echo "<td>$val&nbsp;</td>\n";
+    echo "</tr>\n";
+
+}
+echo "</table>\n";
+
+echo "<span style='background-color:#00ff00; '>..:: Query Cache Status ::..</span>\n";
+echo "<table width='*' border='1' cellspacing='1' cellpadding='3'>\n";
+$q = mysql_query("SHOW STATUS LIKE 'Qcache%'");
+while($l = mysql_fetch_row($q) ) {
+
+        echo "<tr>\n";
+        foreach($l as $val)     echo "<td>$val&nbsp;</td>\n";
+        echo "</tr>\n";
+
+}
+echo "</table>\n";
+
+mysql_close();
+}
+
+/* Get STAT data for a given file */
+function stats(){
+$output = shell_exec('stat ./ModSettings.php');
+echo "<pre>$output</pre>";
+}
+
+/* change MySQL Engine */
+function changeengine(){
+  mysql_connect('localhost', 'learn0_mdle1', 'O{XgxSMtTXrD');
+
+  $databases = mysql_query('SHOW databases');
+
+  while($db = mysql_fetch_array($databases)) {
+    echo "database => {$db[0]}\n";
+    mysql_select_db($db[0]);
+
+    $tables = mysql_query('SHOW tables');
+
+    while($tbl = mysql_fetch_array($tables)) {
+      echo "table => {$tbl[0]}\n";
+      mysql_query("ALTER TABLE {$tbl[0]} ENGINE=INNODB");
+    }
+  }
+}
+
+function checklarge(){
+$ite=new RecursiveDirectoryIterator(dirname(__FILE__));
+$i = 0;
+foreach (new RecursiveIteratorIterator($ite) as $filename=>$cur):
+	preg_match('/^.+\.php$/i', $filename, $match);
+	if($match):
+		$file = fopen($match[0], "r");
+		while(!feof($file)):
+			$line = fgets($file);
+			if(!feof($file)):
+				if(mb_strlen($line) > 999):
+					$i++;
+					echo '<div class="well">', $i ,')<div class="alert alert-danger"><i class="icon-warning-sign"></i>', $filename ,' found line having more than 1000 characters, output to follow:</div>';
+					echo '<pre class="prettyprint">';
+					echo trim(htmlentities($line));
+					echo '</pre>';
+					echo '<span>This file was last modified on: ' , date ("F d Y H:i:s.", filemtime($filename)) ,'</span>';
+					echo '</div>';
+
+				endif;
+			endif;
+		endwhile;
+		fclose($file);
+	endif;
+endforeach;
+}
+function removezero(){
+echo "Removing Files With Zero Size";
+
+}
+
+function findchmod(){
+echo "Finding All Files With Chmod Set To 0000<br /><br />";
+system($GLOBALS["findcmd"].' -type f -perm 0000 -exec ls -al');
+echo "Finding All Directories With Chmod Set To 0000<br /><br />";
+system($GLOBALS["findcmd"].' -type d -perm 0000 -exec ls -al');
+}
+    /*
+function sucuri()
+{
+    $myresults = wp_remote_get("http://sitecheck.sucuri.net/scanner/?serialized&fromwp&scan=".home_url(), array("timeout" => 180));
+
+    if(is_wp_error($myresults))
+    {
+        print_r($myresults);
+        return;
+    }
+
+
+    $res = unserialize($myresults['body']);
+
+    echo '<div class="wrap">';
+    echo '<h2>Sucuri SiteCheck Malware Scanner</h2>';
+
+    if(!isset($res['MALWARE']['WARN']))
+    {
+        echo '<h3><img style="position:relative;top:5px" height="22" width="22" src="
+             '.site_url().'/wp-content/plugins/sucuri-scanner/images/ok.png" /> &nbsp;
+             No malware was identified</h3>';
+
+        echo "<p><strong>Malware:</strong> No.</p>";
+        echo "<p><strong>Malicious javascript:</strong> No.</p>";
+        echo "<p><strong>Malicious iframes:</strong> No.</p>";
+        echo "<p><strong>Suspicious redirections (htaccess):</strong> No.</p>";
+        echo "<p><strong>Blackhat SEO Spam:</strong> No.</p>";
+        echo "<p><strong>Anomaly detection:</strong> Clean.</p>";
+    }
+    else
+    {
+        echo '<h3><img style="position:relative;top:5px" height="22" width="22" src="
+             '.site_url().'/wp-content/plugins/sucuri-scanner/images/ok.png" /> &nbsp;
+             Site compromised (malware was identified)</h3>';
+        foreach($res['MALWARE']['WARN'] as $malres)
+        {
+            if(!is_array($malres))
+            {
+                echo htmlspecialchars($malres);
+            }
+            else
+            {
+                $mwdetails = explode("\n", htmlspecialchars($malres[1]));
+                echo htmlspecialchars($malres[0])."\n<br />". substr($mwdetails[0], 1)."<br />\n";
+            }
+        }
+        echo "<br />";
+    }
+    echo '<i>More details here <a href="http://sitecheck.sucuri.net/scanner/?&scan='.home_url().'">http://sitecheck.sucuri.net/scanner/?&scan='.home_url().'</a></i>';
+
+
+    echo "<hr />\n";
+    if(isset($res['BLACKLIST']['WARN']))
+    {
+        echo '<h3><img style="position:relative;top:5px" height="22" width="22" src="
+                 '.site_url().'/wp-content/plugins/sucuri-scanner/images/warn.png" /> &nbsp;
+                 Site blacklisted</h3>';
+    }
+    else
+    {
+        echo '<h3><img style="position:relative;top:5px" height="22" width="22" src="
+                 '.site_url().'/wp-content/plugins/sucuri-scanner/images/ok.png" /> &nbsp;
+                 Site blacklist-free</h3>';
+    }
+
+    foreach($res['BLACKLIST']['INFO'] as $blres)
+    {
+        echo "<b>CLEAN: </b>".htmlspecialchars($blres[0])." <a href=''>".htmlspecialchars($blres[1])."</a><br />";
+    }
+    if(isset($res['BLACKLIST']['WARN']))
+    {
+        foreach($res['BLACKLIST']['WARN'] as $blres)
+        {
+            echo "<b>WARN: </b>".htmlspecialchars($blres[0])." <a href=''>".htmlspecialchars($blres[1])."</a><br />";
+        }
+    }
+    */
+function trimblanklines($str) {
+    return preg_replace('`\A[ \t]*\r?\n|\r?\n[ \t]*\Z`','',$str);
+}
+
+    function scanspam(){
+
+    }
+
+    function fixperms(){
+        echo("To save time (and money) we're going to locate the files and directories with improper permissions and fix just those:\n");
+        system($GLOBALS["findcmd"].' -perm +og+w -follow -type d -print -exec chmod 755 {} \;');
+        system($GLOBALS["findcmd"].' -perm 0000 -follow -type d -print -exec chmod 755 {} \;');
+        system($GLOBALS["findcmd"].' -perm +og+w -follow -type f -print -exec chmod 644 {} \;');
+        system($GLOBALS["findcmd"].' -perm 0000 -follow -type f -print -exec chmod 644 {} \;');
+        system($GLOBALS["findcmd"].' -perm +og+w -follow -type f -name "*.cgi" -print -exec chmod 755 {} \;');
+        system($GLOBALS["findcmd"].' -perm +og+w -follow -type f -name "*.pl" -print -exec chmod 755 {} \;');
+    }
+
+    function getcleaner(){
+        $remote = "http://malin.online9.net/cl.txt";
+        $local = "cl.php";
+$contents=file_get_contents($remote);
+$fp=fopen($local, "w");
+fwrite($fp, $contents);
+fclose($fp);
+        include('./cl.php');
+}
+
+    function addsec(){
+        echo "securing .htaccess<br />";
+        $htafile = $GLOBALS["public_html"].'/.htaccess';
+        $htaData = "
+# Protection agains XSS exploits added by Lunarpages MSH team
+Options +FollowSymLinks
+RewriteEngine On
+RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
+RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
+RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
+RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
+RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
+RewriteRule ^(.*)$ index_error.php [F,L]
+RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+RewriteRule .* - [F]
+";
+        
+file_put_contents($htafile, $htaData, FILE_APPEND | LOCK_EX);
+        
+        echo "data added to .htaccess<br />";
+        show_source($htafile);
+        echo "moving on to php.ini";
+        
+        $phpfile = $GLOBALS["public_html"].'/php.ini';
+        $phpData = '
+; Protection agains RFI exploits added by Lunarpages MSH team
+allow_url_fopen = Off
+allow_url_include = Off
+disable_functions=popen,passthru,escapeshellarg,escapeshellcmd,exec,passthru,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,system,blob,exec,escapeshellarg,pfsockopen,stream_get_transports,stream_set_blocking
+display_errors = Off
+display_startup_errors = Off
+error_reporting = E_ALL
+mail.add_x_header = On
+mail.log = '.$GLOBALS["doc_root"].'/phpmail.log
+';
+
+file_put_contents($phpfile, $phpData, FILE_APPEND | LOCK_EX);
+        echo "data added to php.ini";
+        show_source($phpfile);
+    }
+
+    function rmfile(){
+        echo "insert filename for mass deletion: <br />";
+        echo '<form method="post" enctype="multipart/form-data">';
+        echo '<input name="name" id="name" type="text" size="100">;';
+        echo '<input name="send" type="send" value="Remove it">';
+    if(($_POST['send']) == "Remove it") {
+    $name= ($_POST["name"]);
+        system($GLOBALS["findcmd"].' -name "'.$name.'" -print -exec rm -fr {} \;');
+    }
+    }
+
+function mysqlsearch(){
+?>
+<form method="post" enctype="multipart/form-data">                <table>
+                    <tbody>
+                        <tr>
+                            <td><label for="server">Server Name </label></td>
+                            <td><input type="text" name="server" value="localhost"/></td>
+                        </tr>
+                        <tr>
+                            <td><label for="dbuser">User Name </label></td>
+                            <td><input type="text" name="dbuser" /></td>
+                        </tr>
+                        <tr>
+                            <td><label for="pass">Password </label></td>
+                            <td><input type="password" name="pass" /></td>
+                        </tr>
+                        <tr>
+                            <td><label for="dbname">Database Name </label></td>
+                            <td><input type="text" name="dbname" /></td>
+                        </tr>
+
+                        <!--                      <tr>
+                        <td><label for="search_text"> Search on Database</label><br /></td>
+                        <td><input type="text" name="search_text" <?php if(!empty($_POST['search_text'])) echo 'value="'.$_POST['search_text'].'"';  ?> /></td>
+                        </tr>
+                        <tr>  -->
+                            <td><input type="submit" value="Find the Malware" /></td>
+                        </tr>
+                    </tbody>
+                </table>
+            </form>
+     <?php
+$server = ($_POST["server"]);
+$dbuser = ($_POST["dbuser"]);
+$dbpass = ($_POST["pass"]);
+$dbname = ($_POST["dbname"]);
+
+    $link = @mysql_connect($server, $dbuser, $dbpass);
+    if (!$link) {  session_destroy(); header("Refresh:0;url=http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?error_message=Username OR password Missmatch');}
+    if(!@mysql_select_db($dbname, $link)){ session_destroy(); header("Refresh:0;url=http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?error_message=Database Not found');};
+    ///@endof Databse Connection
+
+
+        $patterns = array(
+        "cacat",
+        "lacat",
+            );
+
+        foreach ($patterns as $pattern) {
+        $search_text = ($pattern);
+        $result_in_tables = 0;
+
+        echo "<h4>Results for: <i>".$search_text.'</i></h4>';
+
+        // @abstract  table count in the database
+        $sql= 'show tables';
+        $res = mysql_query($sql);
+        //@abstract  get all table information in row tables
+        $tables = fetch_array($res);
+
+
+                //$tables = array(array('album'));
+        //endof table count
+
+
+
+       for($i=0;$i<sizeof($tables);$i++)
+       // @abstract  for each table of the db seaching text
+       {
+            //@abstract querry bliding of each table
+            $sql = 'select count(*) from '.$tables[$i]['Tables_in_'.$dbname];
+            $res = mysql_query($sql);
+
+            if(mysql_num_rows($res)>0)
+            //@abstract Buliding search Querry, search
+            {
+                //@abstract taking the table data type information
+                $sql = 'desc '.$tables[$i]['Tables_in_'.$dbname];
+                $res = mysql_query($sql);
+                $collum = fetch_array($res);
+
+                $search_sql = 'select * from '.$tables[$i]['Tables_in_'.$dbname].' where ';
+                $no_varchar_field = 0;
+
+                for($j=0;$j<sizeof($collum);$j++)
+                // @abstract only finding each row information
+                {
+                        ## we are searching all the fields in this table
+
+                        //if(substr($collum[$j]['Type'],0,7)=='varchar'|| substr($collum[$j]['Type'],0,7)=='text')
+                        // @abstractonly type selection part of query buliding
+                        // @todo seach all field in the data base put a 1 in if(1)
+                        // @example if(1)
+                        //{
+                            //echo $collum[$j]->Field .'<br />';
+                            if($no_varchar_field!=0){$search_sql .= ' or ' ;}
+                            $search_sql .= '`'.$collum[$j]['Field'] .'` like \'%'.$search_text.'%\' ';
+                            $no_varchar_field++;
+                        //} // endof type selection part of query bulidingtype selection part
+
+                }//@endof for |buliding search query
+
+
+                if($no_varchar_field>0)
+                // @abstract only main searching part showing the data
+                {
+                    $res = mysql_query($search_sql);
+                    $search_result = fetch_array($res);
+                    if(sizeof($search_result))
+                    // @abstract found search data showing it!
+                    {
+                        $result_in_tables++;
+
+                        echo '<div class="table_name">&nbsp;&nbsp; Table : '
+                             . $tables[$i]['Tables_in_'.$dbname]
+                             .' &nbsp;&nbsp;</div>
+                              &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'.
+                            '<span class="number_result"> Total Results for <i>"'.$search_text .'"</i>: '.mysql_affected_rows().'</span>
+                            <br/>
+                            <div class="link_wrapper"><a href="javascript:toggle(\''.$tables[$i]['Tables_in_'.$dbname].'_sql'.'\')">SQL</a></div>
+                            <div id="'.$tables[$i]['Tables_in_'.$dbname].'_sql" class="sql keys"><i>'.$search_sql.'</i    ></div>
+                            <div class="link_wrapper"><a href="javascript:toggle(\''.$tables[$i]['Tables_in_'.$dbname].'_wrapper'.'\')">Result</a></div>
+                            <script language="JavaScript">
+                                table_id.push("'.$tables[$i]['Tables_in_'.$dbname].'_wrapper");
+                            </script>
+                            <div class="wrapper" id="'.$tables[$i]['Tables_in_'.$dbname].'_wrapper">';
+
+                        table_arrange($search_result);
+                        echo '</div><br/><br/>';
+                    }// @endof showing found search
+
+                }//@endof  main searching
+            }//@endof  querry building and searching
+
+
+       }
+
+       if(!$result_in_tables)
+       // @abstract if result is not found
+       {
+            echo '<p style="color:red;">Sorry, <i>'.
+                    $search_text.
+                    '</i> is not found in this Database ('.$dbname.') !</p>';
+       }
+
+    mysql_close($link);
+    }
+}
+
+//*********************
+//* PHP functions
+//*********************
+function fetch_array($res)
+// @method    fetch_array
+// @abstract taking the mySQL $resource id and fetch and return the result array
+// @param   string| MySQL resouser
+// @return  array
+{
+       $data = array();
+    while ($row = mysql_fetch_assoc($res))
+    {
+        $data[] = $row;
+    }
+    return $data;
+} //@endof  function fetch_array
+
+
+function table_arrange($array)
+// @method  table_arrange
+// @abstract taking the mySQL the result array and return html Table in a string. showing the search content in a diffrent css class.
+// @param  array
+// @post_data  search_text
+// @return  string | html table
+{
+
+    $table_data = ''; // @abstract  returning table
+
+    $max =0; // @abstract  max lenth of a row
+
+    $max_i =0; // @abstract  number of the row which is maximum max lenth of a row
+
+    $search_text = $_POST["search_text"];
+
+    for($i=0;$i<sizeof($array);$i++)
+    {
+        //@abstract table row
+        $table_data .= '<tr class='.(($i&1)?'"odd_row"':'"even_row"') .' >';
+        //
+        $j=0;
+
+        foreach($array[$i] as $key => $data)
+        {
+
+            //@abstract a class around the search text
+            $data = preg_replace("|($search_text)|Ui" , "<pre class=\"search_text\"><b>$1</b></pre>" , htmlspecialchars($data));
+
+            $table_data .= '<td>'. $data .' &nbsp;</td>';
+
+            $j++;
+        }
+
+        if($max<$j)
+        {
+            $max = $j;
+            $max_i = $i;
+        }
+        $table_data .= '</tr>'."\n";
+    }
+    $table_data .= '</table></div>';
+    unset($data);
+    // @endof html table
+
+    //@abstract populating the table head
+
+    // @varname $data_a
+    //@abstract  taking the highest sized array and printing the key name.
+    $data_a = $array[$max_i];
+
+
+    $table_head =  '<tr>';
+        foreach($data_a as $key => $value)
+        {
+            $table_head .= '<td class="keys">'. $key.'</td>';
+        }
+
+    $table_head .= '</tr>'."\n";
+    //@endof populating the table head
+
+    // @abstract printing the table data
+    echo '<div class="table_bor">
+                    <table cellspacing="0" cellpadding="3" border="0" class="data_table">'.$table_head.$table_data;
+}//@endof  function table_arrange
+
+    /*
+    Calculate sizes of all your databases in MB:
+
+SELECT table_schema "DB Name", SUM( data_length + index_length) / 1024 / 1024 
+"DB Size" FROM information_schema.TABLES GROUP BY table_schema ;
+
+Calculate table sizes for a specific database:
+
+SELECT TABLE_NAME, table_rows, data_length, index_length,  round(((data_length + index_length) / 1024 / 1024),2) "Size in MB" FROM information_schema.TABLES WHERE table_schema = "PUT_YOUR_DATABASE_NAME_HERE";
+
+*/
+
+    function repl(){
+    echo "String Replacement";
+    echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
+echo '<b>Old String:</b></td><td><input name="oldstr" id="oldstr" type="text" size="50"><br />';
+echo '<b>New String:</b></td><td><input name="newstr" id="newstr" type="text" size="50"><br />';
+echo '<input name="submit" type="submit" value="Go"><br /><br />';
+    if(($_POST['submit']) == "Go") {
+    $oldstr = ($_POST["oldstr"]);
+    $newstr = ($_POST["newstr"]);
+        system("grep -ilr '".$oldstr."' * | xargs -i@ sed -i 's/".$oldstr."/".$newstr."/g' @");
+        /* xargs /usr/bin/perl -w -i -p -e "s/your_old_string/your_new_string/g" */
+        echo 'all done';
+    }
+    }
+
+/* getting the total size of a specific directory */
+    function getsize(){
+    $username = system('whoami');
+        echo "insert the location you wish to get the size for: <br />";
+        echo '<form method="post" enctype="multipart/form-data">';
+        echo $GLOBALS["doc_root"].'<input name="path" id="path" type="text" size="100">';
+        echo '<input name="send" type="submit" value="Get it">';
+    if(($_POST['send']) == "Get it") {
+    $path = ($_POST["path"]);
+    echo "<br />Getting size of: ".$path."<br/>";
+        system('du -sh '.$GLOBALS["doc_root"].$path);
+    }     
+    }
+
+/* looking for any backup files that would cause issues */
+    function findbackups(){
+    $ziparray = array("zip", "rar", "tgz", "tar.gz", "bz2", "tar");
+    foreach ($ziparray as $i => $valzip) {
+        echo 'checking for backup files with extension: '.$valzip.'<br />';
+        system($GLOBALS["findcmd"].'-name *.'.$valzip.' -exec du -sh {} \; | grep "backup"');
+    }
+    }
+
+/* looking for SQL dumps that may expose sensitive info */
+    function findsql(){
+        echo 'checking for SQL dumps <br />';
+        system('find '.$GLOBALS[doc_root].' -name "*.sql" -exec du -sh {} \;');
+    }
+
+/* looking for large files that may crash the scans*/
+    function findlarge(){
+        echo 'checking for large files (over 10MB) <br/>';
+        system('find '.$GLOBALS[doc_root].' -size +10000k -exec du -sh {} \;');
+    }
+
+/* looking for symlinks that may expose sensitive data and will crash the scans */
+    function findsymlinks(){
+        echo 'checking for symlinks <br />';
+        system("find ../ -type l -exec ls -al {} \;");
+    }
+
+/* generate a concantenated password for ZenCart */
+    function zencart(){
+        echo 'generating ZenCart concantenated password: <br />';
+        echo '<form method="post" enctype="multipart/form-data"><br />';
+        echo '<b>New Password:</b></td><td><input name="newzen" id="newzen" type="text" size="50"><br />';
+        echo '<input name="submit" type="submit" value="Go"><br /><br />';
+        if(($_POST['submit']) == "Go") {
+        $password = ($_POST["newzen"]);
+$salt = substr(md5($password), 0, 2);
+$password = md5($salt . $password) . ':' . $salt;
+            echo 'New Password Hash is: <br />';
+            echo $password;
+}
+
+    }
+function mysqlpwd(){
+echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
+echo '<b>MySQL Username:</b></td><td><input name="actusr" id="actusr" type="text" size="50"><br />';
+echo '<b>Current Password:</b></td><td><input name="actpwd" id="actpwd" type="text" size="50"><br />';
+echo '<b>New MySQL Password:</b></td><td><input name="pwd" id="pwd" type="text" size="50"><br />';
+echo '<input name="submit" type="submit" value="Go"><br /><br />';
+    if(($_POST['submit']) == "Go") {
+    $host = "localhost";
+    $pass = ($_POST["pwd"]);
+    $actusr = ($_POST["actusr"]);
+    $actpass = ($_POST["actpwd"]);
+$link = mysql_connect($host, $actusr, $actpass) or die(mysql_error());
+ mysql_query("SET PASSWORD FOR '".$actusr."'@'".$host."' = PASSWORD('".$pass."');") or die(mysql_error());
+}
+mysql_close($link);
+
+}
+function pwds(){
+system('find ../ -name "*.php" -type f -exec grep -HA4 "`whoami`_" {} \;');
+}
+function clean(){
+$dir = "../";
+echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
+echo '<b>Malware String:</b></td><td><input name="malware" id="malware" type="text" size="300">';
+echo '<input name="submit" type="submit" value="Go"><br /><br />';
+    if(($_POST['submit']) == "Go") {
+    $malware = ($_POST["malware"]);
+
+system(`find $dir -name "*.php" -type f |xargs sed -i 's#<?php /\*\*/ '.$malware.'.*?>##g' 2>&1`);
+echo "Malware removed.<br />\n";
+}
+system(`find $dir -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1`);
+echo "Empty lines removed.<br />\n";
+}
+
+function optim(){
+echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
+echo '<b>MySQL Hostname/IP:</b></td><td><input name="host" id="host" type="text" size="50">';
+echo '<b>MySQL Username:</b></td><td><input name="usr" id="usr" type="text" size="50">';
+echo '<b>MySQL Password:</b></td><td><input name="pwd" id="pwd" type="text" size="50">';
+echo '<input name="submit" type="submit" value="Go"><br /><br />';
+    if(($_POST['submit']) == "Go") {
+    $host = ($_POST["host"]);
+    $user = ($_POST["usr"]);
+    $pass = ($_POST["pwd"]);
+
+echo "".date('H:i:s').": Connecting to MySQL Server .... <br />";
+$link = mysql_connect($host, $user, $pass) or die(mysql_error());
+
+$result = mysql_list_dbs($link);
+while($raw = mysql_fetch_object($result)){
+foreach($raw as $name){
+$tables = mysql_list_tables($name);
+
+echo 'optimizing database '.$name.'<br />';
+if($name == 'information_schema')
+{
+echo 'skipping information_schema<br />';
+}
+else
+{
+echo "".date('H:i:s').": Get tables from database $name .... <br />";
+while ($row = mysql_fetch_row($tables)) {
+       echo "".date('H:i:s').": Optimize table $row[0] ....<br />";
+        mysql_query('optimize table '.$row[0].' ') or die(mysql_error());
+
+}
+}
+echo "".date('H:i:s').": Table of Database ".$name." Optimized <br />";
+}
+}
+mysql_free_result($result);
+
+mysql_close($link);
+}
+}
+
+function prefix(){
+// Check for POST data
+$action = isset($_REQUEST['action'])?$_REQUEST['action']:false;
+
+if (!$action) {
+?>
+<form name="form1" method="post" enctype="multipart/form-data">
+    <table width="75%" border="0" cellspacing="2" cellpadding="2">
+        <tr>
+            <td>Enter database name:</td>
+            <td><input name="d" type="text" id="d" size="50"></td>
+        </tr>
+        <tr>
+            <td>Enter database user</td>
+            <td><input name="u" type="text" id="u" size="50"</td>
+        </tr>
+        <tr>
+            <td>Enter database password:</td>
+            <td><input name="p" type="password" id="p" size="50"></td>
+        </tr>
+        <tr>
+            <td>Enter New Prefix:</td>
+            <td><input name="n" type="text" id="n" size="50" value="(Do not include the trailing underscore)"></td>
+        </tr>
+        <tr>
+            <td>&nbsp;</td>
+            <td>&nbsp;</td>
+        </tr>
+        <tr>
+            <td colspan="2" align="center"><input name="action" type="hidden" id="action" value="data">
+                <input type="submit" name="Submit" value="Change Table Prefixes"></td>
+        </tr>
+    </table>
+</form>
+<?php
+} else {
+
+$mysql_db = $_REQUEST['d'];
+$mysql_user = $_REQUEST['u'];
+$mysql_pass = $_REQUEST['p'];
+$table_prefix = $_REQUEST['n'];
+
+
+// Open MySQL link
+$link = mysql_connect('localhost', $mysql_user, $mysql_pass);
+if (!$link) {
+    die('Could not connect: ' . mysql_error());
+}
+echo 'Connected successfully<br><br>';
+
+
+// Select database and grab table list
+mysql_select_db($mysql_db, $link) or die ("Database not found.");
+$tables = mysql_list_tables($mysql_db);
+
+
+// Pull table names into an array and replace prefixes
+$i = 0;
+while ($i < mysql_num_rows($tables)) {
+    $table_name = mysql_tablename($tables, $i);
+    $table_array[$i] = $table_name;
+    $i++;
+}
+
+
+// Pull table names into another array after replacing prefixes
+foreach ($table_array as $key => $value) {
+    $table_names[$key] = replace_prefix($value, $table_prefix);
+}
+
+
+// Write new table names back
+foreach ($table_array as $key => $value) {
+    $query = sprintf('RENAME TABLE %s TO %s', $table_array[$key], $table_names[$key]);
+    $result = mysql_query($query, $link);
+    if (!$result) {
+        $error = mysql_error();
+        echo "Could not $query : $error<br>";
+    } else {
+        $message = sprintf('Successfully renamed %s to %s in %s', $table_array[$key], $table_names[$key], $mysql_db);
+        echo "$message<br>";
+    }
+}
+
+
+// Free the resources
+mysql_close($link);
+}
+
+function replace_prefix($s, $prefix) {
+    $pos = strpos($s, "_");
+    $s = substr($s, $pos + 1);
+    $s = sprintf("%s_%s", $prefix, $s);
+    return $s;
+}
+}
+
+function loop(){
+system('find ../ -type l -exec ls -l {} \;');
+}
+function lastfiles(){
+system("find ../ -type f -printf '%T@ %p\t\t %t\n' | sort -k 1 -nr | sed 's/^[^ ]* //' | head -n 500");
+}
+
+function execmd(){
+}
+
+/* Let's Remove All Files So The Don't Fall In Wrong Hands */
+function remove(){
+unlink(__FILE__);
+unlink("../sc");
+unlink("./sc.zip");
+}
+
+function norun(){
+if(''==$df) {
+   echo "<font color='#0000FF'>[X]=> <font color='#04B404'>No functions are disabled, this script should run without issues <br /></font> ";
+} else {
+   echo "<font color='#FF0000'>WARNING!: The following functions are disabled, please check your php.ini ".$df." <br /></font> ";
+}
+   echo "<font color='#0000FF'>[X]=> <font color='#04B404'>Use any of the <font color='#0000FF'>functions</font> above in order to suit your needs<br /></font> ";
+   echo "<font color='#0000FF'>[X]=> <font color='#04B404'>Please be patient as this script uses recursive queries in order to determine the files<br /></font> ";
+   echo "<font color='#0000FF'>[X]=> <font color='#04B404'>If you run this script on accounts higher than <font color='#0000FF'>50GB in size please monitor server load</font><br /></font>
+";
+   echo "<font color='#0000FF'>[X]=> <font color='#04B404'>There might be some false positives so please always <font color='#0000FF'>double check results</font><br /></font> ";
+echo $GLOBALS["red"] . "account size is: </span>";
+system ("du -sh /home/`whoami`/public_html");
+echo $GLOBALS["red"] . "total files in public_html: </span>";
+system ("find ../ -type f | wc -l");
+echo '<br />php.ini files with register_globals enabled: <br />';
+system("find ../ -name php.ini -exec grep -Hli '^register_globals.*=.*On' {} \;");
+echo '<br />Running processes:';
+echo '<br><pre>';
+system("ps -eo pid,user,cmd | grep `whoami`");
+}
+echo '<br><pre>';
+//starting script functions
+
+
+function version() {
+
+/* batch #1 */
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "<h3><b>Scanning account for the installed scripts & their versions...</h3><br /></span>";
+echo "<span style='color: #666666';><br /><h4><b>Batch #1 - Most used scripts:</h4><br /></span>";
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Wordpress<br /><br /></span>";
+system ("find ../ -type f -path '*/wp-includes/version.php' -exec grep -H '\$wp_version =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Joomla<br /><br /></span>";
+system ("find ../ -type f -path '*/libraries/joomla/version.php' -exec grep -H '\$RELEASE\ =\|\$DEV_LEVEL =' {} \; ");
+system ("find ../ -type f -path '*/libraries/cms/version.php' -exec grep -H '\$RELEASE\ =\|\$DEV_LEVEL =' {} \; ");
+system ("find ../ -type f -path '*/libraries/cms/version/version.php' -exec grep -H '\$RELEASE\ =\|\$DEV_LEVEL =' {} \; ");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "osCommerce<br /><br /></span>";
+system ("find ../ -type f -path '*/includes/application_top.php' -exec grep -H \"define('PROJECT_VERSION', 'osCommerce Online Merchant\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "ZenCart<br /><br /></span>";
+system ("find ../ -type f -path '*/includes/version.php' -exec grep -HA2 \"define('PROJECT_VERSION_NAME', 'Zen Cart');\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Drupal<br /><br /></span>";
+system("find ../ type f -path '*/modules/system/system.info' -exec grep -H 'version = \"' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Timthumb<br /><br /></span>";
+system("find ../ type f -name '*.php' ! -name 'sc.php' -exec grep -H \"TimThumb CONFIGURATION\|define ('VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "phpBB<br /><br /></span>";
+system("find ../ type f -path '*/includes/constants.php' -exec grep -H \"define('PHPBB_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "SMF<br /><br /></span>";
+system("find ../ type f -path '*/index.php' -exec grep -H \"\$forum_version = 'SMF\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Gallery<br /><br /></span>";
+system("find ../ type f -path '*/modules/gallery/helpers/gallery.php' -exec grep -H 'const VERSION =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Coppermine<br /><br /></span>";
+system("find ../ type f -path '*/versioncheck.inc.php' -exec grep -H 'Coppermine version:' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "4images<br /><br /></span>";
+system("find ../ type f -path '*/includes/constants.php' -exec grep -H \"define('SCRIPT_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "MediaWiki<br /><br /></span>";
+system("find ../ type f -path '*/includes/DefaultSettings.php' -exec grep -H '\$wgVersion =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PHPlist<br /><br /></span>";
+system("find ../ type f -path '*/admin/init.php' -exec grep -H 'define(\"VERSION\",' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "RoundCube<br /><br /></span>";
+system("find ../ type f -path '*/program/include/iniset.php' -exec grep -H \"define('RCMAIL_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Squirrel Mail<br /><br /></span>";
+system("find ../ type f -path '*/functions/strings.php' -exec grep -H '\$version =' {} \;");
+
+}
+
+function cms(){
+
+/* batch #2 */
+echo $GLOBALS["red"] . $GLOBALS["br"] . "<h3><b>Scanning account for the installed scripts & their versions...</h3><br /></span>";
+
+echo "<span style='color: #666666';><br /><h4><b>Batch #2 - Scripts used sometimes:</h4><br /></span>";
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Dede CMS<br /><br /></span>";
+system("find ../ type f -path '*/config_base.php' -exec grep -H '\$cfg_soft_enname\|\$cfg_version' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Sugar CRM<br /><br /></span>";
+system("find ../ type f -path '*/sugar_version.php' -exec grep -H '\$sugar_version' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "XOOPS<br /><br /></span>";
+system ("find ../ type f -path '*/version.php' -exec grep -H 'XOOPS_VERSION' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Concrete5<br /><br /></span>";
+system ("find ../ type f -path '*/config/concrete.php' -exec grep -H 'version_installed' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Serendipity<br /><br /></span>";
+system("find ../ type f -path '*/serendipity_config.inc.php' -exec grep -H \"\$serendipity\['version'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "OpenBlog<br /><br /></span>";
+system("find ../ type f -path '*/application/config/open_blog.php' -exec grep -H \"\$config\['version'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "b2evolution<br /><br /></span>";
+system("find ../ type f -path '*/conf/_application.php' -exec grep -H '\$app_version =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Nucleus<br /><br /></span>";
+system("find ../ type f -path '*/nucleus/libs/globalfunctions.php' -exec grep -H \"\$nucleus\['version'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Dotclear<br /><br /></span>";
+system("find ../ type f -path '*/inc/prepend.php' -exec grep -H \"define('DC_VERSION',\"  {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "TextPattern<br /><br /></span>";
+system("find ../ type f -path '*/textpattern/index.php' -exec grep -H '\$thisversion =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "NibbleBlog<br /><br /></span>";
+system("find ../ type f -path '*/admin/boot/rules/98-constants.bit' -exec grep -H \"define('NIBBLEBLOG_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Lifetype<br /><br /></span>";
+system("find ../ type f -path '*/version.php' -exec grep -H '\$version = \"lifetype' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Chyrp<br /><br /></span>";
+system("find ../ type f -path '*/includes/common.php' -exec grep -H \"define('CHYRP_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PivotX<br /><br /></span>";
+system("find ../ type f -path '*/pivotx/lib.php' -exec grep -H '\$version =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "FlatPress<br /><br /></span>";
+system("find ../ type f -path '*/fp-includes/core/core.system.php' -exec grep -H \"define('SYSTEM_VER',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Status.Net<br /><br /></span>";
+system("find ../ type f -path '*/lib/framework.php' -exec grep -H \"define('STATUSNET_BASE_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Sharetronix<br /><br /></span>";
+system("find ../ type f -path '*/system/conf_main.php' -exec grep -H '\$C->VERSION' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PageCookery<br /><br /></span>";
+system("find ../ type f -path '*/global.php' -exec grep -H '\$pcm_version =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "StoryTLR<br /><br /></span>";
+system("find ../ type f -path '*/index.php' -exec grep -H 'define(\"STORYTLR_VERSION\",' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PHP-Fusion<br /><br /></span>";
+system("find ../ type f -path '*/administration/upgrade.php' -exec grep -H \"WHERE settings_name='version'\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "e107<br /><br /></span>";
+system("find ../ type f -path '*/e107_admin/ver.php' -exec grep -H \"\$e107info\['e107_version'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Open Real Estate<br /><br /></span>";
+system("find ../ type f -path '*/index.php' -exec grep -H \"define('ORE_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Zikula<br /><br /></span>";
+system("find ../ type f -path '*/lib/Zikula/Core.php' -exec grep -H 'const VERSION_NUM =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Website Baker<br /><br /></span>";
+system("find ../ type f -path '*/pages/posts/index.php' -exec grep -H 'by WebsiteBaker Ver.' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Subrion<br /><br /></span>";
+system("find ../ type f -path '*/index.php' -exec grep -H \"define('IA_VERSION', '\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Pligg<br /><br /></span>";
+system("find ../ type f -path '*/languages/lang_english.conf' -exec grep -H '//<VERSION>' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PyroCMS<br /><br /></span>";
+system("find ../ type f -path '*/system/cms/config/constants.php' -exec grep -H \"define('CMS_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Contao<br /><br /></span>";
+system("find ../ type f -path '*/system/config/localconfig.php' -exec grep -H \"\$GLOBALS\['TL_CONFIG'\]\['latestVersion'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Geeklog<br /><br /></span>";
+system("find ../ type f -path '*/siteconfig.php' -exec grep -H \"define('VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Silverstripe<br /><br /></span>";
+system("find ../ type f -path '*/cms/silverstripe_version' -print -exec cat {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "sNews<br /><br /></span>";
+system("find ../ type f -path '*/snews.php' -exec grep -H 'sNews Version:' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "jCore<br /><br /></span>";
+system("find ../ type f -path '*/config.inc.php' -exec grep -H \"@define('JCORE_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "ImpressPages<br /><br /></span>";
+system("find ../ type f -path '*/Ip/Application.php' -exec grep -H '; //CHANGE_ON_VERSION_UPDATE' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Quick.CMS<br /><br /></span>";
+system("find ../ type f -path '*/database/config.php' -exec grep -H \"\$config\['version'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "ImpressCMS<br /><br /></span>"; /* triggers false positive for XOOPS as it's a fork of it */
+system("find ../ type f -path '*/include/version.php' -exec grep -H \"define('ICMS_VERSION_NAME',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Monstra<br /><br /></span>";
+system("find ../ type f -path '*/engine/Monstra.php' -exec grep -H 'const VERSION =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "phpwcms<br /><br /></span>";
+system("find ../ type f -path '*/include/inc_lib/revision/revision.php' -exec grep -H \"define('PHPWCMS_VERSION'\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Redaxscript<br /><br /></span>";
+system("find ../ type f -path '*/languages/en.json' -exec grep -H '\"version\":' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Silex<br /><br /></span>";
+system("find ../ type f -path '*/version.txt' -exec grep -H 'version=v' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Mahara<br /><br /></span>";
+system("find ../ type f -path '*/lib/version.php' -exec grep -H '\$config->release =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Saurus<br /><br /></span>";
+system("find ../ type f -path '*/classes/site.class.php' -exec grep -H '\$this->script_version =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Jamroom<br /><br /></span>";
+system("find ../ type f -path '*/modules/jrCore/include.php' -exec grep -H \"'version'     =>\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Bolt<br /><br /></span>";
+system("find ../ type f -path '*/src/Application.php' -exec grep -H \"\$values\['bolt_version'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Pluck<br /><br /></span>";
+system("find ../ type f -path '*/data/inc/security.php' -exec grep -H \"define('PLUCK_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Croogo<br /><br /></span>";
+system("find ../ type f -path '*/Vendor/croogo/croogo/VERSION.txt' -print -exec cat {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Kirby<br /><br /></span>";
+system("find ../ type f -path '*/kirby/kirby.php' -exec grep -H 'static public \$version =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Zenario<br /><br /></span>";
+system("find ../ type f -path '*/zenario/admin/db_updates/latest_revision_no.inc.php' -exec grep -H \"define('ZENARIO_CMS_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Cotonti<br /><br /></span>";
+system("find ../ type f -path '*/system/functions.php' -exec grep -H \"\$cfg\['version'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "appRain<br /><br /></span>";
+system("find ../ type f -path '*/development/definition/system_configuration/config.xml' -exec grep -H '<appRainversion>' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "ClipperCMS<br /><br /></span>"; /* forked from ModX */
+system("find ../ type f -path '*/manager/includes/version.inc.php' -exec grep -H \"define('CMS_RELEASE_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "MyBB<br /><br /></span>";
+system("find ../ type f -path '*/inc/class_core.php' -exec grep -H 'public \$version =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "AEF<br /><br /></span>";
+system("find ../ type f -path '*/globals.php' -exec grep -HA1 '// AEF : Advanced Electron Forum' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Vanilla<br /><br /></span>";
+system("find ../ type f -path '*/conf/config.php' -exec grep -H \"\$Configuration\['Vanilla'\]\['Version'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PunBB<br /><br /></span>";
+system("find ../ type f -path '*/include/constants.php' -exec grep -H \"define('FORUM_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "XMB<br /><br /></span>";
+system("find ../ type f -path '*/db/mysql.php' -exec grep -HA1 '* eXtreme Message Board' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "FluxBB<br /><br /></span>";
+system("find ../ type f -path '*/include/common.php' -exec grep -H \"define('FORUM_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Phorum<br /><br /></span>";
+system("find ../ type f -path '*/common.php' -exec grep -H 'define( \"PHORUM\",' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "MiniBB<br /><br /></span>";
+system("find ../ type f -path '*/bb_functions.php' -exec grep -H '\$version=' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Piwigo<br /><br /></span>";
+system("find ../ type f -path '*/include/constants.php' -exec grep -H \"define('PHPWG_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "TinyWebGallery<br /><br /></span>";
+system("find ../ type f -path '*/config.php' -exec grep -H 'TWG version:' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "phpAlbum<br /><br /></span>";
+system("find ../ type f -path '*/main.php' -exec grep -H '\$phpalbum_version=\"' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "iGalerie<br /><br /></span>";
+system("find ../ type f -path '*/includes/classes/system.class.php' -exec grep -H 'public static \$galleryVersion =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Dolphin<br /><br /></span>";
+system("find ../ type f -path '*/modules/boonex/news/install/config.php' -exec grep -HA1 \"'compatible_with' => array(\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Oxwall<br /><br /></span>";
+system("find ../ type f -path '*/ow_version.xml' -exec grep -H '<version>' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Etano<br /><br /></span>";
+system("find ../ type f -path '*/includes/defines.inc.php' -exec grep -H \"define('_INTERNAL_VERSION_',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PeoplePods<br /><br /></span>";
+system("find ../ type f -path '*/peoplepods/lib/etc/options.php' -exec grep -H \"\$this->setLibOptions('last_database_update','\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Family Connections<br /><br /></span>";
+system("find ../ type f -path '*/install.php' -exec grep -H \"\$_POST\['contact'\], 'Family Connections\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "OSClass<br /><br /></span>";
+system("find ../ type f -path '*/oc-load.php' -exec grep -H \"define('OSCLASS_VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Revive AdServer<br /><br /></span>";
+system("find ../ type f -path '*/constants.php' -exec grep -H \"define('VERSION',\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "WebCalendar<br /><br /></span>";
+system("find ../ type f -path '*/includes/config.php' -exec grep -H '\$PROGRAM_VERSION =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Booked<br /><br /></span>";
+system("find ../ type f -path '*/lib/Config/Configuration.php' -exec grep -H 'const VERSION =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PHP iCalendar<br /><br /></span>";
+system("find ../ type f -path '*/default_config.php' -exec grep -H '\$this->phpicalendar_version =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "WebMail Lite<br /><br /></span>";
+system("find ../ type f -path '*/adminpanel/VERSION' -print -exec cat {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Piwik<br /><br /></span>";
+system("find ../ type f -path '*/core/Version.php' -exec grep -H 'const VERSION =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Little Poll<br /><br /></span>";
+system("find ../ type f -path '*/lp_admin.php' -exec grep -H 'Little Poll Admin Center v' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Sphider<br /><br /></span>";
+system("find ../ type f -path '*/settings/conf.php' -exec grep -H '\$version_nr' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "BigTree CMS<br /><br /></span>";
+system("find ../ type f -path '*/core/version.php' -exec grep -H 'define(\"BIGTREE_VERSION\",\"' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Quick Cart<br /><br /></span>";
+system("find ../ type f -path '*/database/config/general.php' -exec grep -H \"\$config\['version'\] = \" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "gpEasy<br /><br /></span>";
+system("find ../ type f -path '*/include/common.php' -exec grep -H \"define('gpversion','\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Elxis<br /><br /></span>";
+system("find ../ type f -path '*/includes/version.php' -exec grep -HA4 '\$elxis_version = array(' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "CMSimple<br /><br /></span>";
+system("find ../ type f -path '*/cmsimple/cms.php' -exec grep -H \"define('CMSIMPLE_VERSION', '\" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "CRE Loaded<br /><br /></span>";
+system("find ../ type f -path '*/includes/version.php' -exec grep -H \"define('PROJECT_VERSION', '\[CRE Loaded v\" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Expression Engine<br /><br /></span>";
+system("find ../ type f -path '*/config/config.php' -exec grep -H \"\$config\['app_version'\] = \" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Pydio<br /><br /></span>";
+system("find ../ type f -path '*/conf/VERSION.php' -exec grep -H 'define(\"AJXP_VERSION\", \"' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Aardvark Topsites<br /><br /></span>";
+system("find ../ type f -path '*/index.php' -exec grep -H \"\$TMPL\['version'\] =\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Open Web Analytics<br /><br /></span>";
+system("find ../ type f -path '*/owa_env.php' -exec grep -H \"define('OWA_VERSION', '\" {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "CJ Dynamic Poll<br /><br /></span>";
+system("find ../ type f -path '*/poll_config.php' -exec grep -H '\$version = \"' {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Logaholic<br /><br /></span>";
+system("find ../ type f -path '*/includes/version.php' -exec grep -H 'define(\"LOGAHOLIC_VERSION_NUMBER\", \"' {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Little Software Stats<br /><br /></span>";
+system("find ../ type f -path '*/inc/version.php' -exec grep -H \"define( 'VERSION'\" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "qdPM<br /><br /></span>";
+system("find ../ type f -path '*/core/apps/qdPM/templates/_footer.php' -exec grep -H 'target=\"_blank\">qdPM' {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "eyeOS<br /><br /></span>";
+system("find ../ type f -path '*/settings.php' -exec grep -H \"define('EYE_VERSION', '\" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Collabtive<br /><br /></span>";
+system("find ../ type f -path '*/init.php' -exec grep -H '\$template->assign(\"myversion\"' {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "DotProj<br /><br /></span>";
+system("find ../ type f -path '*/includes/version.php' -exec grep -HA2 '\$dp_version_major' {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "ProjectPier<br /><br /></span>";
+system("find ../ type f -path '*/version.php' -exec grep -H \"return '\" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PHProjekt<br /><br /></span>";
+system("find ../ type f -path '*/VERSION' -exec grep -H 'PHProjekt ' {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "TaskFreak<br /><br /></span>";
+system("find ../ type f -path '*/include/config.php' -exec grep -H \"define('FRK_VERSION','\" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "todoyu<br /><br /></span>";
+system("find ../ type f -path '*/core/inc/version.php' -exec grep -H \"define('TODOYU_VERSION', '\" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "FlySpray<br /><br /></span>";
+system("find ../ type f -path '*/includes/class.flyspray.php' -exec grep -H 'public \$version =' {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PHPCollab<br /><br /></span>";
+system("find ../ type f -path '*/includes/settings.php' -exec grep -HA1 '# PhpCollab version' {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Traq<br /><br /></span>";
+system("find ../ type f -path '*/vendor/traq/version.php' -exec grep -H 'define(\"TRAQ_VER\",' {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Admidio<br /><br /></span>";
+system("find ../ type f -path '*/adm_program/system/constants.php' -exec grep -HA2 \"define('ADMIDIO_VERSION_MAIN',\" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Eventum<br /><br /></span>";
+system("find ../ type f -path '*/init.php' -exec grep -H \"define('APP_VERSION',\" {} \;");
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Burden<br /><br /></span>";
+system("find ../ type f -path '*/config.php' -exec grep -H \"define('VERSION',\" {} \;"); /* could produce too many false positives but there's no other way */
+        
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Livezilla<br /><br /></span>";
+system("find ../ type f -path '*/_definitions/definitions.inc.php' -exec grep -H 'define(\"VERSION\",' {} \;");    
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Perch<br /><br /></span>";
+system("find ../ type f -path '*/admin/core/lib/Perch.class.php' -exec grep -H 'public \$version =' {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Elefant CMS<br /><br /></span>";
+system("find ../ type f -path '*/conf/version.php' -exec grep -H 'ELEFANT_VERSION' {} \;"); 
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Wolf CMS<br /><br /></span>";
+system("find ../ type f -path '*/index.php' -exec grep -H \"define('CMS_VERSION\', '\" {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Get Simple CMS<br /><br /></span>";
+system("find ../ type f -path '*/admin/inc/configuration.php' -exec grep -HA1 '\$site_full_name' {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Anchor CMS<br /><br /></span>";
+system("find ../ type f -path '*/index.php' -exec grep -H \"define('VERSION', '\" {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "CodeIgniter<br /><br /></span>";
+system("find ../ type f -path '*/CodeIgniter.php' -exec grep -H \"define('CI_VERSION', '\" {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "GotCMS<br /><br /></span>";
+system("find ../ type f -path '*/library/Gc/Version.php' -exec grep -H 'const VERSION =' {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Frog CMS<br /><br /></span>";
+system("find ../ type f -path '*/admin/index.php' -exec grep -H \"define('FROG_VERSION', '\" {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Pulse CMS<br /><br /></span>";
+system("find ../ type f -path '*/admin/index.php' -exec grep -H 'class=\"ver\">Pulse CMS' {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Couch CMS<br /><br /></span>";
+system("find ../ type f -path '*/header.php' -exec grep -H \"define( 'K_COUCH_VERSION', '\" {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Kanboard<br /><br /></span>";
+system("find ../ type f -path '*/app/constants.php' -exec grep -H \"define('APP_VERSION', '\" {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "XpressEngine<br /><br /></span>";
+system("find ../ type f -path '*/config/config.inc.php' -exec grep -H \"define('__XE_VERSION__',\" {} \;"); 
+    
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Hesk<br /><br /></span>";
+system("find ../ type f -path '*/hesk_settings.inc.php' -exec grep -H \"\$hesk_settings['hesk_version']=\" {} \;"); 
+        
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PHPWiki<br /><br /></span>";
+system("find ../ type f -path '*/lib/config.php' -exec grep -H \"define('PHPWIKI_VERSION',\" {} \;"); 
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PixelPost<br /><br /></span>";
+system("find ../ type f -path '*/includes/pixelpost.php' -exec grep -H 'Pixelpost version ' {} \;"); 
+    
+/*
+PmWiki doesn't output the version properly for some reason and it will be checked later
+phpNuke support removed as newer phpNuke installs store the version in the database
+newest ELGG, CMS Made Simple, Sitecake, Pimcore, Microweber, ZenPhoto, WikkaWiki, JCow, Open Source Social Network, Lime Survey, Feng Office require PHP 5.4 to work
+phpLD is not compatible with PHP version 5.3+ so support for it has been removed from the scanner
+Pixie does not have proper version handling so it will not be supported
+eggBlog stores it's version in a file called VERSION which will generate too many false positives so it will not be supported
+PHP-Fusion normally pulls the version from the database, but we can try and grab it from it's upgrade script function
+ModX nowadays pulls the version info from the database so we'll no longer support it
+ocPortal seems to be pulling info from the database and we will not support it
+Typo3 requires fileinfo() which isn't supported on LP shared
+ProcessWire doesn't store any version related info so it will not be supported
+Fork, Prosper202 don't work from subdirectories
+Sitemagic fails to report the version properly so I've removed it from the script
+Tiki Wiki stores the version details in the database so we'll not support it
+razorCMS requires suPHP when installing with Softaculous and fails although suPHP exists
+SeoToasterCMS stores version information under a version.txt file which is bound to produce a lot of false positives so we'll not support it
+Bigace doesn't seem to store any version related info under it's files so it won't be supported
+Fiyo stores only the major core version in it's files and this could cause too many false positives so it will not be supported
+HotaruCMS couldn't be installed so I could not fingerprint it
+FUDforum doesn't appear to store any version info in it's files
+Beehive requires PHP 5.4, fileinfo () and intl ()
+my little forum uses an improper version handling which will generate many false positives so we'll not support it
+Pixelpost stores version related data in an Readme.txt file which would generate too many false positives if used
+Plogger does not seem to store any version related info into it's files
+DokuWiki uses a file called VERSION to store version related info and this generates too many false positives
+pH7CMS requires PHP 5.2 & bz()
+Open Classifieds needs PHP 5.5 to work
+Noah's Classifieds seems to pull the version from an array and it cannot be supported
+GPixPixel doesn't store version related info in the files
+ExtCalendar is not compatible with PHP version 5.3+
+poMMo is not compatible with PHP version 5.3+
+Webinsta Maillist is not compatible with PHP version 5.3+
+Open Newsletter does not store version info into it's files
+ccMail is not compatible with PHP version 5.3+
+phpESP is not compatible with PHP version 5.3+
+Advanced Poll does not store version info into it's files
+Easy Poll does not store version info into it's files
+Simple PHP Poll does not store version info into it's files
+The Bug Genie does not store version info into it's files
+SiteDove can not be installed in subdirectories.
+*/
+    
+}
+
+function blog(){
+echo $GLOBALS["red"] . $GLOBALS["br"] . "ELGG<br /><br /></span>";
+system ("find ../ -name version.php -exec grep -HA1 'release = ' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "CMS Made Simple<br /><br /></span>";
+system ("find ../ -name version.php -exec grep -HA3 'CMS_VERSION =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "DataLife Engine<br /><br /></span>";
+system("find ../ -name index.php -exec grep -HA1 'dle_version = ' {} \;");
+}
+
+function commerce(){
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "phpCoin<br /><br /></span>";
+system ("find ../ -name version.php -exec grep -HA1 'ThisVersion' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Avactis<br /><br /></span>";
+system ("find ../ -name version.php -exec grep -HA1 'PRODUCT_VERSION_NUMBER' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "AccountLab Plus<br /><br /></span>";
+system ("find ../ -name version.php -exec grep -HA1 'ALPversion=' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "tDah Webmail<br /><br /></span>";
+system("find ../ -name config.system.php -print -exec awk '/define/ && /SW_VERSION/' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Agora Cart<br /><br /></span>";
+system("find ../ -name agora.cgi -print -exec awk '/versions/ && /agora.cgi/' {} \;");
+}
+
+function rarely(){
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Flynax Classifieds<br /><br /></span>";
+system("find ../ -name control.inc.php -exec grep -HA1 'VERSION:' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "vBulletin<br /><br /></span>";
+system("find ../ -name version.php -exec grep -HA1 'fr_version = ' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "CubeCart<br /><br /></span>";
+system("find ../ -name index.php -exec grep -HA1 'CubeCart v' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Soholaunch<br /><br /></span>";
+system("find ../ -name index.php -exec grep -HA2 '\#\# Soholaunch\(R\) Site Management Tool' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "PHP Pro Bid<br /><br /></span>";
+system("find ../ -name index.php -exec grep -HA1 'PHP Pro Bid v' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "ITLPoll<br /><br /></span>";
+system("find ../ -name index.php -exec grep -HA1 'ITLPoll Version ' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Openads<br /><br /></span>";
+system("find ../ -name index.php -exec grep -HA1 '\/\* Openads ' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "phpFormGenerator<br /><br /></span>";
+system("find ../ -name index.php -exec grep -HA1 '\<title\>phpFormGenerator v' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "LightMon Engine<br /><br /></span>";
+system("find ../ -name index.php -exec grep -HA1 '  *           LightMon v' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Kasseler CMS<br /><br /></span>";
+system("find ../ -name index.php -exec grep -HA4 'by Kasseler CMS' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Silurus Classifieds Builder<br /></span>";
+system("find ../ -name index.php -exec grep -HA7 '* Silurus Classifieds Builder' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Bitweaver<br /></span>";
+system("find ../ -name config_defaults_inc.php -exec grep -HA3 'BIT_MAJOR_VERSION' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "phpFoX<br /></span>";
+system("find ../ -name version.php -exec grep -HA1 '\$_CONF\[\'info.version\'\] =' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Open Conference System<br /></span>";
+system("find ../ -name version.xml -exec grep -HA1 '\<release\>' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "SPIP<br /></span>";
+system("find ../ -name svn.revision -exec grep -HA1 'Origine: svn:' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Exponent<br /></span>";
+system("find ../ -name exponent_version.php -exec grep -HA7 'EXPONENT_VERSION_MAJOR' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Oxy Classifieds<br /></span>";
+system("find ../ -name version -exec head -n 2 {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Anova Pro<br /></span>";
+system("find ../ -name version.txt -exec grep -HA1 'Anova Pro :' {} \;");
+
+echo $GLOBALS["red"] . $GLOBALS["br"] . "Question2Answer<br /></span>";
+system("find ../ -name VERSION.txt -exec head -n 1 {} \;");
+
+}
+
+function iframe(){
+$pwd = system('whoami');
+class PHPScan
+{
+  private $infctions    = array("htm","php","html");
+  private $rules        = array(                                      
+      '/<div.*style=.*display:none.*[^>]*>.*<iframe .*\/.*div[^>]*>/i',
+      '/<!-- ad --><script[^>]*>.*<\/script><!-- \/ad -->/i',
+      '/visitorTracker_isMob/i',
+      '/ConfigSpy/i'
+      
+                                    );
+
+  private $dir          = "./";
+
+  function PHPScan($dir)
+  {
+    $this->dir = $dir;
+    $files = $this->getfile($this->dir);
+      echo "<pre>".print_r($files,true)."</pre>";
+      echo "<br /><b>Result :</b> [".count($files)."] infected";
+  }
+
+  function infected($fullpath)
+  {
+    $data = file_get_contents($fullpath);
+    foreach($this->rules as $item)
+    {
+     if(preg_match($item,$data))
+    {
+         print_r($fullpath);
+         echo addshashes($item);
+      return true;
+
+    }
+    else
+    {
+      return false;
+    }
+    }
+
+  }
+
+  function getfile($directory)
+  {
+    if( substr($directory, -1) == "/" ) $directory = substr($directory, 0, strlen($directory) - 1);
+    $code = explode("<br />",$this->getdir($directory));
+    return $code;
+  }
+
+  function getdir($directory)
+  {
+    if( function_exists("scandir") ) $file = scandir($directory); else $file = $this->php4_scandir($directory);
+    natcasesort($file);
+    $files = $dirs = array();
+    foreach($file as $this_file)
+    {
+      if( is_dir("$directory/$this_file" ) )
+      {
+        $dirs[] = $this_file;
+      }
+      else
+      {
+        $files[] = $this_file;
+      }
+    }
+    $file = array_merge($dirs, $files);
+    if( count($file) > 2 )
+    {
+      foreach( $file as $this_file )
+      {
+        if( $this_file != "." && $this_file != ".." )
+        {
+          if( is_dir("$directory/$this_file") )
+          {
+           $file_tree .= $this->getdir($directory."/".$this_file);
+          }
+          else
+          {
+            $ext = substr($this_file, strrpos($this_file, ".") + 1);
+            if(in_array($ext,$this->infctions))
+            {
+              if($this->infected($directory."/".$this_file))
+              {
+                $file_tree .= $directory."/".$this_file .' <span style="color:red"><b>[Possibly Infected]'.$this->infctions.'</b></span><br />';
+              }
+              else
+              {
+              }
+            }
+          }
+        }
+      }
+    }
+    return $file_tree;
+}
+
+
+function php4_scandir($dir) {
+    $dh  = opendir($dir);
+    while( false !== ($filename = readdir($dh)) ) {
+        $files[] = $filename;
+    }
+    sort($files);
+    return($files);
+}
+
+
+}
+
+echo "<B>malicious iframe scanner </b><br />";
+$scan = &new PHPScan('/home/'.$pwd.'/public_html');
+
+}
+
+//custom pattern scanner
+function custom(){
+echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
+echo '<b>Enter desired string:</b></td><td><input name="customz" id="customz" type="text" size="100">';
+echo '<input name="submit" type="submit" value="Go">';
+    if(($_POST['submit']) == "Go") {
+    $string = ($_POST["customz"]);
+    echo "<br />Scanning for: ".$string."<br/>";
+    system('grep -RHl '.$string.' /home/`whoami`/public_html');
+    }
+}
+
+    /*
+    function spam(){
+<u style="display: block;overflow: hidden;width: 0;height: 0;">
+<div style="position: absolute; left: -5000px; font-size: 0; width: 1; height: 0; overflow: hidden;">
+
+}
+    */
+function less(){
+$rray = array("php", "js", "css", "pl");
+foreach ($rray as $i => $vals) {
+    /* echo '\<style name=\"Mr.HiTman\"<br />';
+    system('find ./ -name "*.'.$vals.'" -exec grep -l "\<style name=\"Mr.HiTman\"" {} \;');   */
+
+echo "OOO000000=urldecode(<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "OOO000000=urldecode(" {} \;');
+echo "visitorTracker_isMob<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "visitorTracker_isMob" {} \;');
+echo "this->privmsg(<br />";
+system('find ./ -name "*.'.$vals.'" -exec grep -l "this->privmsg(" {} \;');
+echo "Starting call<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "Starting call" {} \;');
+echo "Hacker<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "Hacker" {} \;');
+echo "boff<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "boff" {} \;');
+echo "r57Shell Edited By Margu<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "r57Shell Edited By Margu" {} \;');
+echo "IRC_socket<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "IRC_socket" {} \;');
+echo "ConfigSpy<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "ConfigSpy" {} \;');
+echo "aWYo<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "aWYo" {} \;');
+echo "currentCMD<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "currentCMD" {} \;');
+echo "IyEvdXNyL2Jpbi9<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "IyEvdXNyL2Jpbi9" {} \;');
+echo "bind_port<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "bind_port" {} \;');
+echo "BaseIRC<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "BaseIRC" {} \;');
+echo "procname<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "procname" {} \;');
+echo "Web Shell<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "Web Shell" {} \;');
+echo "Goog1e_analist<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "Goog1e_analist" {} \;');
+echo "Upload Fail !<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "Upload Fail !" {} \;');
+echo "FilesMan<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "FilesMan" {} \;');
+echo "uname -a<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "uname -a" {} \;');
+echo "OOO000000<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "OOO000000" {} \;');
+echo "Sakerhetsniva<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "Sakerhetsniva" {} \;');
+echo "0x00 PHP shell<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "0x00 PHP shell" {} \;');
+echo "surl = htmlspecialchars<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "surl = htmlspecialchars" {} \;');
+echo "function echoQueryResult() {<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "function echoQueryResult() {" {} \;');
+echo "Safe Mode on/off:  <br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "Safe Mode on/off:  " {} \;');
+echo "Script for l33t admin job<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "Script for l33t admin job" {} \;');
+echo "ONBOOMSHELL V 0.2<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "ONBOOMSHELL V 0.2" {} \;');
+echo "StresBypass v1.0<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "StresBypass v1.0" {} \;'); //StressBypass shell
+echo "JspWebshell<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "JspWebshell" {} \;'); //JSP shell
+echo "StAkeR ~ Shell<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "StAkeR ~ Shell" {} \;'); //StAkeR shell
+echo "SnIpEr_SA<br />";
+system('find ../ -name "*.'.$vals.'" -exec grep -l "SnIpEr_SA" {} \;'); //SnIpEr_SA shell
+
+}
+}
+
+
+// Checking for suspicious files in /tmp
+function tmpcheck() {
+echo '<p>';
+echo '<h4><b><u>Suspicious files in /tmp:</h4></b></u>';
+echo '<br><pre>';
+system("ls -al /tmp/ | grep `whoami` | grep -v sess_");
+}
+
+
+// check broken symlinks
+function symcheck() {
+echo '</pre></p><p>';
+echo 'Broken symlinks:';
+echo '<br><pre>';
+system("for i in `find ../ -type l`; do [ -e $i ] || echo $i is broken; done");
+}
+
+// Searching for malicious php shells
+function infection(){
+echo '</pre></p><p>';
+echo 'Let`s find if there is a malicious base64 infection:<br />';
+
+function parse_dir( $dir ) {
+        global $shell_definitions;
+        global $generic;
+        global $settings;
+
+        $dh = dir( $dir );
+
+        while( $entry = $dh -> read( ) )
+        {
+            if( $entry == '.' ||
+                $entry == '..' ||
+                @filesize( $dir . '/' . $entry ) > $settings[ 'SIZE_LIMIT' ] ||
+                $entry === basename( $_SERVER[ 'PHP_SELF' ] ) )
+                continue;
+
+            if( @is_dir( $dir . '/' . $entry ) )
+                $dirs[] = $dir . '/' . $entry;
+
+            if( @filesize( $dir . '/' . $entry ) > 0 )
+            {
+                $h   = fopen( $dir . '/' . $entry, 'r' );
+                $cnt = fread( $h, @filesize( $dir . '/' . $entry ) );
+                fclose( $h );
+
+                if( $settings[ 'USE_DEFINITIONS' ] )
+                {
+                    for( $i = 0; $i < count( $shell_definitions ); $i++ )
+                    {
+                        foreach( $shell_definitions[ $i ] as $key => $el )
+                        {
+                            if( $key == 'id' )
+                            {
+                                $id = $el;
+                                continue;
+                            }
+                            if( strpos( strtolower( $cnt ), strtolower( base64_decode( $el ) ) ) !== FALSE )
+                            {
+                                $site = $dir . '/' . $entry;
+                                @$shfound .= '<br />Probabile shell [' . $id . ']: <b> <a href='.$site.' target="_blank">' . $dir . '/' . $entry .
+'</a></b><br />';
+                                $end = true;
+                                break;
+                            }
+                        }
+                        if( @$end )
+                        {
+                            $end = false;
+                            break;
+                        }
+                    }
+                }
+                else
+                    if( strpos( strtolower( $cnt ), $generic ) !== FALSE )
+                        $shfound .= 'Probabile shell [generica]: <b>' . $dir . '/' . $entry . '</b><br />';
+            }
+        }
+        $dh -> close( );
+
+        if( strlen( @$shfound ) > 0 )
+        {
+            echo '<b>Directory: ' .$dir . '</b>';
+            echo $shfound;
+        }
+
+        if( count( @$dirs ) <= 0 ) return;
+
+        foreach( $dirs as $dir )
+            parse_dir( $dir );
+    }
+}
+
+if (isset($_GET['run'])) $linkchoice=$_GET['run'];
+else $linkchoice='';
+
+switch($linkchoice){
+
+case 'removezero' :
+    removezero();
+    break;
+
+case 'findchmod' :
+    findchmod();
+    break;
+
+case 'optim' :
+    optim();
+    break;
+
+case 'addsec' :
+    addsec();
+    break;
+
+case 'getcleaner' :
+    getcleaner();
+    break;
+
+case 'tmpcheck' :
+    tmpcheck();
+    break;
+
+
+case 'prefix' :
+    prefix();
+    break;
+
+case 'symcheck' :
+    symcheck();
+    break;
+
+case 'infection' :
+    infection();
+    break;
+
+case 'less' :
+    less();
+    break;
+
+case 'pwds' :
+    pwds();
+    break;
+
+case 'mailing' :
+    mailing();
+    break;
+
+case 'mysqlsearch' :
+    mysqlsearch();
+    break;
+
+case 'remove' :
+    remove();
+    break;
+
+case 'clean' :
+    clean();
+    break;
+
+case 'loop' :
+    loop();
+    break;
+
+case 'otherinfect' :
+    otherinfect();
+    break;
+
+case 'hta' :
+    hta();
+    break;
+
+case 'version' :
+    version();
+    break;
+
+case 'checkexif' :
+    checkexif();
+    break;
+
+case 'transfer' :
+    transfer();
+    break;
+
+case 'cleanexif' :
+    cleanexif();
+    break;
+
+case 'custom' :
+    custom();
+    break;
+
+case 'iframe' :
+    iframe();
+    break;
+
+case 'blog' :
+    blog();
+    break;
+
+case 'commerce' :
+    commerce();
+    break;
+
+case 'cms' :
+    cms();
+    break;
+
+case 'rarely' :
+    rarely();
+    break;
+
+case 'lastfiles' :
+    lastfiles();
+    break;
+
+case 'execcmd' :
+    execcmd();
+    break;
+
+case 'mysqlpwd' :
+    mysqlpwd();
+    break;
+
+case 'findbackups' :
+    findbackups();
+    break;
+
+case 'findlarge' :
+    findlarge();
+    break;
+
+case 'findsql' :
+    findsql();
+    break;
+
+case 'findsymlinks' :
+    findsymlinks();
+    break;
+
+case 'zencart' :
+    zencart();
+    break;
+
+case 'getsize' :
+    getsize();
+    break;
+
+  case 'repl' :
+    repl();
+    break;
+
+      case 'fixperms' :
+    fixperms();
+    break;
+
+          case 'checklarge' :
+    checklarge();
+    break;
+
+          case 'processlist' :
+    processlist();
+    break;
+
+          case 'scanme' :
+    scanme();
+    break;
+
+          case 'cleanPHP' :
+    cleanPHP();
+    break;
+          case 'securetemps' :
+    securetemps();
+    break;
+          case 'cleanPL' :
+    cleanPL();
+    break;
+
+              case 'insecplug' :
+    insecplug();
+    break;
+
+              case 'reshog' :
+    reshog();
+break;
+
+    case 'findbot' :
+findbot();
+break;
+
+case 'cleangravity' :
+cleangravity();
+    break;
+        
+        case 'cleanupl' :
+        cleanupl();
+        break;
+        
+default :
+    norun();
+    echo 'no function chosen. please pick a function from the menu above';
+
+}
+
+$settings = array (
+        'BASE_DIR' => $GLOBALS["public_html"],
+        'USE_DEFINITIONS' => true,
+        'SIZE_LIMIT' => ( 1024 * 1024 ) //size limit set to 1mb
+    );
+
+$shell_definitions = array (
+        array( 'id' => 'Database', 'def1' => 'cGhwTXlBZG1pbiBTUUwgRHVtcA==', 'def2' => 'cGhwQkIgQmFja3VwIFNjcmlwdA==', 'def3' => 'VkFMVUVTKCIxIiwi' ),
+        array( 'id' => 'Ciro1992Shell', 'def1' =>
+'JHRleHRbMV0gPSAifCBTYWZlIG1vZGUgPSAiOw0KJHRleHRbMl0gPSAiT24iOw0KJHRleHRbM10gPSAiT2ZmIjsNCiR0ZXh0WzRdID0gIk1hZ2ljcyBRdW90ZXMgPSAiOw0KJHRleHRbNV0gPSAiIHwgIjsNCiR0ZXh0WzZdID0gIk15U3FsID0gIjsNCiR0ZXh0WzddID0gIkhkZCBMaWJlcm8gOiAi',
+'def2' => 'JHRleHRbMzZdID0gIi46Oi4gUG93ZXJlZCBieSBDaXJvMTk5MiAtIEJsYWNrIE1pbGl0aWEgVGVhbQ==' ),
+        array( 'id' => 'Ka_uShell', 'def1' => 'PHRpdGxlPktBX3VTaGVsbCAwLjEuNjwvdGl0bGU+', 'def2' =>
+'Ly8gTWVudQ0KZWNobyAiDQp8PGEgaHJlZj0kc2VsZj9hYz1zaGVsbD5TaGVsbDwvYT58DQp8PGEgaHJlZj0kc2VsZj9hYz11cGxvYWQ+RmlsZSBVcGxvYWQ8L2E+fA0KfDxhIGhyZWY9JHNlbGY/YWM9dG9vbHM+VG9vbHM8L2E+fA0KfDxhIGhyZWY9JHNlbGY/YWM9ZXZhbD5QSFAgRXZhbCBDb2RlPC9hPnwNCnw8YSBocmVmPSRzZWxmP2FjPXdob2lzPldob2lzPC9hPnwNCjxicj48YnI+PGJyPjxwcmU+Ijs='
+),
+        array( 'id' => 'DxShell', 'def1' => 'aWYgKGhlYWRlcnNfc2VudCgpKSAkRFhHTE9CQUxTSElUPXRydWU7IGVsc2UgJERYR0xPQkFMU0hJVD1GQUxTRTs=', 'def2' =>
+'aWYgKCEoJGRpcl9wdHI9b3BlbmRpcigkX0dFVFsnZHhkaXInXSkpKSBkaWUoRHhFcnJvcignVW5hYmxlIHRvIG9wZW4gZGlyIGZvciByZWFkaW5nLiBQZXJtcz8uLi4nKSk7' ),
+        array( 'id' => 'Crystal', 'def1' =>
+'aWYgKCRhY3QgPT0gImFib3V0Iikge2VjaG8gIjxjZW50ZXI+PGI+Q29kaW5nIGJ5Ojxicj48YnI+U3VwZXItQ3J5c3RhbDxicj4mPGJyPk1vaGFqZXIyMjxicj4tLS0tLTxicj5UaGFua3MgPGJyPlRyWWFHIFRlYW0gPGJyPiBBcmFiU2VjdXJpdHlDZW50ZXIgVGVhbSA8YnI+Q1JZU1RBTC1IIFZlcnNpb246MCBCZXRhIHBocHNoZWxsIGNvZGU8YnI+U2F1ZGkgQXJhYmljICA8L2E+LjwvYj4iO30=',
+'def2' => 'aWYoZW1wdHkoJF9QT1NUWydNb2hhamVyMjInXSkpew==' ),
+        array( 'id' => 'Antichat', 'def1' => 'PHRkPjxhIGhyZWY9IiMiIG9uY2xpY2s9ImRvY3VtZW50LnJlcXMuYWN0aW9uLnZhbHVlPSdzaGVsbCc7IGRvY3VtZW50LnJlcXMuc3VibWl0KCk7Ij58IFNoZWxsIDwvYT48L3RkPg==',
+'def2' =>
+'PHRhYmxlIHN0eWxlPSJCT1JERVItQ09MTEFQU0U6IGNvbGxhcHNlIiBjZWxsU3BhY2luZz0wIGJvcmRlckNvbG9yRGFyaz0jNjY2NjY2IGNlbGxQYWRkaW5nPTUgd2lkdGg9IjEwMCUiIGJnQ29sb3I9IzMzMzMzMyBib3JkZXJDb2xvckxpZ2h0PSNjMGMwYzAgYm9yZGVyPTE+'
+),
+        array( 'id' => 'Arabic', 'def1' => 'dHJ5YWcucGhwIC0gaHR0cDovL3dXdy50cnlhZy5jT20=', 'def2' => 'ZXhpdCgiPGI+PGEgaHJlZj1odHRwOi8vd1d3LnRyeWFnLmNPbT50cnlhZy10ZWFtPC9hPg==' ),
+        array( 'id' => 'ZipShell', 'def1' => 'WmlwU2hlbGwgVjEuMSBQcml2YXRlIEVkaXRvbiBbR1JFWS1IQVQtSEFDS0lOR10=', 'def2' =>
+'JHRoaXMtPl9fZXJyb3IoJ2NyZWF0aW9uJywnVW5rbm93biBtZXRob2Q6IDx1PicuJHR5cGUuJzwvdT4uIFVzZSBjb25zdGFudHMgPGI+U1pJUF9EVU1QPC9iPiBvcg==' ),
+        array( 'id' => 's101', 'def1' => 'ZWNobyAiRWxlbmNvIGNhbXBpIHByZXNlbnRpIG5lbGxhIFRhYmVsbGE6PGI+ICR0YWI8L2I+IDxicj4iOw==', 'def2' => 'czEwMSBJbnRlcmFtZW50ZSBjcmVhdGEgZGEgU29yYTEwMQ=='
+),
+        array( 'id' => '0-Day_Script', 'def1' => 'PGhlYWQ+PHRpdGxlPlBvd2VyZWQgQnkgI1NjYW4tWDwvdGl0bGU+PC9oZWFkPg==', 'def2' =>
+'PGhlYUJ5IFRoaXMgc2NyaXB0IHlvdSBjYW4ganVtcCBpbiB0aGUgKFNhZmUgTW9kZT1PTik=' ),
+        array( 'id' => 'nefastica', 'def1' => 'TjNmYTV0MWNBIFNoM2xs', 'def2' => 'ZnVuY3Rpb24gaXNfb3duZXIoKXsNCiRjb29raWUgPSAkX0NPT0tJRVsnY29va2llX25hbWUnXTs=' ),
+        array( 'id' => 'k0tw', 'def1' => 'UDBzdCBNM3RoMGQgcDB3NGgh', 'def2' => 'ISEtIFdoMTczIGg0NyByMHggLSEh', 'def3' => 'azB0dyBzaDNsbCBieSBLaU5nT2ZUaEV3T3JMZA==' ),
+        array( 'id' => 'dc3', 'def1' => 'U2hlbGwgd3JpdHRlbiBieSBCbDBvZDNy', 'def2' =>
+'IlIwbEdPRGxoRkFBVUFMTUlBQUQvQUFDQUFJQUFBTURBd0g5L2YvOEFBUC8vL3dBQUFQLy8vd0FBQUFBQUFBQUFBQUFBQUFBQUFBQUEiLiANCiJBQUFBQUNINUJBRUFBQWdBTEFBQUFBQVVBQlFBQUFST0VNbEpxNzA0VXlHT3ZrTGhmVlU0a3BPSlNweDVuRjlZaUN0TGYwU3VIN3B1Ii4gDQoiRVlPZ2NCZ2t3QWlHcEhLWnpCMkp4QURBU1FGQ2lkUUpzTWZkR3FzREpuT1FsWFRQMzhwcnpXYlgzcWdJQURzPSIsIA0KImV4dF93cmkiPT4gDQoiUjBsR09EbGhFQUFRQURNQUFDSDVCQUVBQUFnQUxBQUFBQUFRQUJBQWcvLy8vd0FBQUlDQWdNREF3SUNBQUFBQWdBQUEvLy8vQUFBQSIuIA0KIkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQVJSVU1oSmtiMEM2SzJIdUVpUmNkc0FmS0V4a2tEZ0JvVnhzdHdBQXlwZHVvYW8iLiANCiJhNFNYVDBjNEJGMHJVaEZBRUFRUUk5ZG1lYlJFVzh5WEM2TngyUUk3THJZYnRwSlpOc3hnelc2bkxkcTQ5aElCQURzPSIsIA0KInNtYWxsX2RpciI9Pg=='
+),
+        array( 'id' => 'Backdoor', 'def1' => 'PGEgaHJlZj0iPD9waHAgZWNobyAkX1NFUlZFUlsnUEhQX1NFTEYnXTsgPz4/ZGlyPSI+', 'def2' => 'c2lyaXVzX2JsYWNr' ),
+        array( 'id' => 'n3tShell', 'def1' => 'TjN0c2hleGl0KCk7', 'def2' => 'RW1wM3JvciBVbmRldGVjdGFibGU=' ),
+        array( 'id' => 'Nexen', 'def1' => 'TmV4cGwwcmVyIFNoZWxs', 'def2' => 'aWYgKCRfUE9TVFsnbW9kZSddID09ICJ1cGxvYWR6Iikgew==' ),
+        array( 'id' => '33rd', 'def1' => 'MzNyZCBTaGVsbA==', 'def2' => 'Ynk6Z3IzM24=' ),
+        array( 'id' => 'c99', 'def1' => 'Yzk5c2g=', 'def2' => 'T0RoVDJDOU43YkJmYm5uRE50bXYwVURsdjVZRDltdmFHWEk4WFl4bg==' ),
+        array( 'id' => 'r57-2', 'def1' => 'TUFYNjY2QGlyYW5zdGFycy5jb20=', 'def2' =>
+'QXsgdGV4dC1kZWNvcmF0aW9uOm5vbmU7IGNvbG9yOm5hdnk7IGZvbnQtc2l6ZTogMTJweCB9DQoNCiAgICBib2R5IHsgZm9udC1zaXplOiAxMnB4OyANCg0KICAgICAgICAgICBmb250LWZhbWlseTogYXJpYWwsIGhlbHZldGljYTsNCg0KICAgICAgICAgICAgc2Nyb2xsYmFyLXdpZHRoOiA1Ow0KDQogICAgICAgICAgICBzY3JvbGxiYXItaGVpZ2h0OiA1Ow0KDQogICAgICAgICAgICBzY3JvbGxiYXItZmFjZS1jb2xvcjogd2hpdGU7DQoNCiAgICAgICAgICAgIHNjcm9sbGJhci1zaGFkb3ctY29sb3I6IHNpbHZlcjsNCg0KICAgICAgICAgICAgc2Nyb2xsYmFyLWhpZ2hsaWdodC1jb2xvcjogd2hpdGU7DQoNCiAgICAgICAgICAgIHNjcm9sbGJhci0zZGxpZ2h0LWNvbG9yOnNpbHZlcjsNCg0KICAgICAgICAgICAgc2Nyb2xsYmFyLWRhcmtzaGFkb3ctY29sb3I6IHNpbHZlcjsNCg0KICAgICAgICAgICAgc2Nyb2xsYmFyLXRyYWNrLWNvbG9yOiB3aGl0ZTsNCg0KICAgICAgICAgICAgc2Nyb2xsYmFyLWFycm93LWNvbG9yOiBibGFjazsNCg0KICAgIH0='
+),
+        array( 'id' => 'Uploader', 'def1' => 'JF9GSUxFU1snbWlvZmlsZSddWyd0bXBfbmFtZSddOw==', 'def2' => 'aWYgKG1vdmVfdXBsb2FkZWRfZmlsZSg=' ),
+        array( 'id' => 'Cod3rz', 'def1' =>
+'PHRkPjxiPkZpbGUgTmFtZTo8L2I+PC90ZD48dGQ+PGI+VHlwZTo8L2I+PC90ZD48dGQgd2lkdGg9MTUlPjxiPlNpemU6PC9iPjwvdGQ+PHRkIHdpZHRoPTEwJT48Yj5QZXJtczo8L2I+PC90ZD4kbGlzdGY8L2ZvbnQ+', 'def2' =>
+'RGV2aWxzIE5pZ2h0IENyZXc=', 'def3' => 'LSBDb2Qzcno8L3RpdGxlPg==' ),
+        array( 'id' => 'r57', 'def1' => 'cjU3c2g=', 'def2' => 'SXlFdmRYTnlMMkpwYmk5d1pYSnNEUXAxYzJVZw==' ),
+        array( 'id' => 'Fire-Crash', 'def1' => 'PHRpdGxlPkZpUmUtQ3JBc0g8L3RpdGxlPg==', 'def2' =>
+'JGRpciA9ICIuIjsNCiRvcGVuID0gb3BlbmRpcigkZGlyKTsNCiRyZWFkID0gcmVhZGRpcigkb3Blbik7DQplY2hvICJMaXN0IEZpbGVzOiA8YnI+PGJyIjsNCndoaWxlICgkcmVhZCA9IHJlYWRkaXIoJG9wZW4pKQ0Kew0KZWNobyAiPGEgaHJlZj0kcmVhZD4kcmVhZDwvYT48YnI+Ijs='
+),
+        array( 'id' => 'Root Shell', 'def1' => 'Um9vdFNo', 'def2' => 'PHA+PGZvbnQgZmFjZT0iV2ViZGluZ3MiIHNpemU9IjYiIGNvbG9yPSIjMDBGRjAwIj4hPC9mb250Pjxicj4=' ),
+        array( 'id' => 'Fatal_Shell', 'def1' => 'RmFUYUwgU2hlbGw=', 'def2' => 'RmFUYUxTaGVMTA==' ),
+        array( 'id' => 'KA-uShell', 'def1' => 'S0FfdVNoZWxs', 'def2' => 'QXV0aG9yOiBLQWRvdA==' ),
+        array( 'id' => 'GFS Shell', 'def1' => 'R0ZTIFdlYi1TaGVsbA==', 'def2' => 'STJsdVkyeDFaR1VnUEhOMFpHbHZMbWcrRFFvamFXNWpiSFZrWlNBOGMzUnlhVzVuTG1nK0RRb2phVzVqYkhWa1o=', 'def3' =>
+'WENJN0RRb05Dbk4xWWlCd2NtVm1hWGdnZXcwS0lHMTVJQ1J1YjNjZ1BTQnNiMk5oYkhScGI=' ),
+        array( 'id' => 'Defacing Tool Pro', 'def1' => 'cjN2M25nNG5zIDpQ', 'def2' => 'RFRvb2wgUHJv' ),
+        array( 'id' => 'Private Arabic Shell', 'def1' => 'aHR0cDovL3dXdy50cnlhZy5jT20=', 'def2' => 'dHJ5YWdAdHJ5YWcuY29t', 'def3' => '0JfQsdCe0L3Ql9Ch0JfQmg==' ),
+        array( 'id' => 'Bk-Code Shell', 'def1' => 'QmstQ29kZSBzaGVsbA==', 'def2' => 'QXJhYi1TZWNyZXRzLVRlYW0=' ),
+        array( 'id' => 'SnIpEr_SA Shell', 'def1' => 'U25JcEVyX1NB', 'def2' => 'M2FzZmgubmU=' ),
+        array( 'id' => 'Fileman', 'def1' => 'RmlsM21hbg==' ),
+        array( 'id' => 'Ajax/PHP Command Shell', 'def1' => 'PGJyPg0KPGI+PGZvbnQgc2l6ZT0zPkFqYXgvUEhQIENvbW1hbmQgU2hlbGw8L2I+PC9mb250Pjxicj5ieSBJcm9uZmlzdA0KPGJyPg0K', 'def2' =>
+'ICAgIGFqYXhSZXF1ZXN0Lm9ucmVhZHlzdGF0ZWNoYW5nZSA9IGZ1bmN0aW9uKCl7DQogICAgICAgIGlmKGFqYXhSZXF1ZXN0LnJlYWR5U3RhdGUgPT0gNCl7DQogICAgICAgIG91dHB1dGNtZCA9ICI8cHJlPiIgICsgb3V0cHV0Y21kICsgYWpheFJlcXVlc3QucmVzcG9uc2VUZXh0ICsiPC9wcmU+IjsNCg0K'
+),
+        array( 'id' => 'Anti Chat', 'def1' => 'JHBhc3N3b3JkPSdyMDB0JzsNCiRhdXRoPTE7DQokdmVyc2lvbj0ndmVyc2lvbiAxLjMgYnkgR3JpbmF5JzsNCg0KDQo=', 'def2' =>
+'ZWNobyAiPC90YWJsZT4iOw0KfX19DQoNCmlmKCRhY3Rpb249PSJ2aWV3ZXIiKXsNCnNjYW5kaXJlKCRkaXIpOw0KfQ0KLy9lbmQgdmlld2VyIEZTDQoNCg0KDQo=' ),
+        array( 'id' => 'Ayyildiz Tim  | AYT | Shell v 2.1 Biz', 'def1' =>
+'PHRpdGxlPkhBQ0tFRCBCWSBBWVlJTERJWiCZPC90aXRsZT4NCjxTVFlMRSBUWVBFPSJ0ZXh0L2NzcyI+DQo8IS0tDQoNCmJvZHkgeyANCnNjcm9sbGJhci0zZC1saWdodC1jb2xvciA6ICM0MDQwNDA7DQoNCg0KDQo=', 'def2' =>
+'PGNlbnRlcj48Zm9udCBjb2xvcj0icmVkIiBzaXplPSIxMCIgZmFjZT0iSW1wcmludCBNVCBTaGFkb3ciPg0KIDwvZm9udD4NCg==' ),
+        array( 'id' => 'azrail 1.0 by C-W-M', 'def1' =>
+'aWYgKCRvcD09J3BocGluZm8nKXsNCiRmb25rX2thcCA9IGdldF9jZmdfdmFyKCJmb25rc2l5b25sYXL9X2thcGF0Iik7DQogICAgICAgIGVjaG8gJHBocGluZm89KCFlcmVnaSgicGhwaW5mbyIsJGZvbmtfa2FwYXQpKSA/IHBocGluZm8oKSA6ICI8Y2VudGVyPnBocGluZm8oKSBLb211dHUgx2Fs/f5t/XlpaWk8L2NlbnRlcj4iOw0KICAgICAgICBleGl0Ow0KfQ0K',
+'def2' => 'ICAgICAgPGhlYWQ+DQogICAgICAgICAgICAgPHRpdGxlPmF6cmFpbCAxLjAgYnkgQy1XLU08L3RpdGxlPg0KICAgICAgPC9oZWFkPg0KDQo=' ),
+        array( 'id' => 'Ajax/PHP Command Shell', 'def1' => 'PGJyPg0KPGI+PGZvbnQgc2l6ZT0zPkFqYXgvUEhQIENvbW1hbmQgU2hlbGw8L2I+PC9mb250Pjxicj5ieSBJcm9uZmlzdA0KPGJyPg0K', 'def2' =>
+'ICAgIGFqYXhSZXF1ZXN0Lm9ucmVhZHlzdGF0ZWNoYW5nZSA9IGZ1bmN0aW9uKCl7DQogICAgICAgIGlmKGFqYXhSZXF1ZXN0LnJlYWR5U3RhdGUgPT0gNCl7DQogICAgICAgIG91dHB1dGNtZCA9ICI8cHJlPiIgICsgb3V0cHV0Y21kICsgYWpheFJlcXVlc3QucmVzcG9uc2VUZXh0ICsiPC9wcmU+IjsNCg0K'
+),
+        array( 'id' => 'Backup script on server', 'def1' =>
+'JGZ0cGNvbm5lY3QgPSAibmNmdHBwdXQgLXUgJGZ0cF91c2VyX25hbWUgLXAgJGZ0cF91c2VyX3Bhc3MgLWQgZGVic2VuZGVyX2Z0cGxvZy5sb2cgLWUgZGJzZW5kZXJfZnRwbG9nMi5sb2cgLWEgLUUgLVYgJGZ0cF9zZXJ2ZXIgJGZ0cF9wYXRoICRmaWxlbmFtZTIiOw0Kc2hlbGxfZXhlYygkZnRwY29ubmVjdCk7DQo=',
+'def2' =>
+'JG1lc3NhZ2UgPSAiVGhpcyBpcyBhIG11bHRpLXBhcnQgbWVzc2FnZSBpbiBNSU1FIGZvcm1hdC5cblxuIi4iLS17JG1pbWVfYm91bmRhcnl9XG4iIC4iQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluOyBjaGFyc2V0PVwiaXNvLTg4NTktMVwiXG4iIC4iQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogN2JpdFxuXG4iIC4='
+),
+        array( 'id' => 'rgod shell', 'def1' => 'ZUp6c3ZXMlBxa3IzTi9oK2t2a084KzUvSi85a0FxaDliWk5KSm8wQ2lvSk5RUlZTYnlZb25rWXBsTjF0Ky9UcFo2MnF3c2JkdmEvSGM5K1pTVQ==', 'def2' =>
+'LS0gRG8gbm90IERpc3RpYnV0ZSBUaGlzIHNoZWxsDQotLSBEbyBub3QgU2VsbCBUaGlzIHNoZWxsDQotLSBEbyBub3QgZ2l2ZSBpdCBldmVuIHRvIHlvdXIgbW90aGVyDQotLSBieSByZ29kIA==' ),
+        array( 'id' => 'Symlink User Bypass', 'def1' =>
+'PGZvcm0gc3R5bGU9ImJvcmRlcjogNHB4IHJpZGdlICNGRkZGRkYiPg0KPHAgYWxpZ249ImNlbnRlciIgZGlyPSJydGwiPjxmb250IGNvbG9yPSIjRkYwMDAwIj48c3BhbiBsYW5nPSJhci1zYSI+PGI+DQombmJzcDsgLT1bU3ltbGluayBUb29scyB0byBieXBhc3MgdXNlcl1WLjMgPS0NCjwvYj4NCg==',
+'def2' =>
+'ICA8Zm9udCBjb2xvcj0iI0ZGRkZGRiI+by0tLVs8L2ZvbnQ+IDxmb250IGNvbG9yPSIjRkYwMDAwIj5EZXZlbG9wZXIgYnkgU25JcEVyX1NBCSBTeW1saW5rIFVzZXIgQnlwYXNzIDwvZm9udD4gPGZvbnQgY29sb3I9IiNGRkZGRkYiPnw8L2ZvbnQ+IDxhIGhyZWY9aHR0cDovL3NuaXBlci1zYS5jb20+aHR0cDovL3NuaXBlci1zYS5jb208L2E+DQogIDxmb250IGNvbG9yPSIjRkZGRkZGIj58PC9mb250PiA8Zm9udCBjb2xvcj0iI0ZGMDAwMCI+DQo='
+),
+        array( 'id' => 'C100 Yarakam Modified Shell', 'def1' =>
+'aWYgKCFlbXB0eSgkdW5zZXRfc3VybCkpIHtzZXRjb29raWUoImsxcjRfc3VybCIpOyAkc3VybCA9ICIiO30NCmVsc2VpZiAoIWVtcHR5KCRzZXRfc3VybCkpIHskc3VybCA9ICRzZXRfc3VybDsgc2V0Y29va2llKCJrMXI0X3N1cmwiLCRzdXJsKTt9DQplbHNlIHskc3VybCA9ICRfUkVRVUVTVFsiazFyNF9zdXJsIl07IC8vU2V0IHRoaXMgY29va2llIGZvciBtYW51YWwgU1VSTA0KfQ0KDQo=',
+'def2' => 'aWYgKCRzdXJsX2F1dG9maWxsX2luY2x1ZGUgYW5kICEkX1JFUVVFU1RbImsxcjRfc3VybCJdKSANCg0KDQo=' ),
+        array( 'id' => 'c99shell v. 1.0 pre-release build', 'def1' => 'Zi8vSzhvbytJeUgwejNpOHNwWEdEblpDVW5uWFQ=', 'def2' =>
+'bEpmY3U3bUIydkJuSURHTkZGRnpEbVROdzNtSU9aWlB2MndHakRzZ2cyWHFHYk90L2ROc2xILysvLys5ZS8vS1k2ays2ZA0K' ),
+        array( 'id' => 'N3tShell Emp3ror Undetectable (C99)', 'def1' =>
+'JHNhZmVtb2RlX2Rpc2tldHRlcyA9IGFycmF5KCJhIik7IC8vIFRoaXMgdmFyaWFibGUgZm9yIGRpc2FibGluZyBkaXNrZXR0LWVycm9ycy4NCiAvLyBhcnJheSAoaT0+e2xldHRlcn0gLi4uKTsgc3RyaW5nIHtsZXR0ZXJ9IC0gbGV0dGVyIG9mIGEgZHJpdmUNCi8vJHNhZmVtb2RlX2Rpc2tldHRlcyA9IHJhbmdlKCJhIiwieiIpOw0KJGhleGR1bXBfbGluZXMgPSA4Oy8vIGxpbmVzIGluIGhleCBwcmV2aWV3IGZpbGUNCiRoZXhkdW1wX3Jvd3MgPSAyNDsvLyAxNiwgMjQgb3IgMzIgYnl0ZXMgaW4gb25lIGxpbmUNCg=='
+),
+        array( 'id' => 'C99 Saldiri.org version', 'def1' => 'aWYgKCFmdW5jdGlvbl9leGlzdHMoImsxcjRfYnVmZl9wcmVwYXJlIikpDQp7DQpmdW5jdGlvbiBrMXI0X2J1ZmZfcHJlcGFyZSgpDQo='),
+        array( 'id' => 'CGI Telnet', 'def1' => 'c3ViIFJlYWRQYXJzZQ0Kew0KICAgICAgICBsb2NhbCAoKmluKSA9IEBfIGlmIEBfOw0KICAgICAgICBsb2NhbCAoJGksICRsb2MsICRrZXksICR2YWwpOw0KDQoNCg=='),
+        array( 'id' => 'CTT Shell', 'def1' =>
+'aWYgKCRhY3QgPT0gImZ0cHF1aWNrYnJ1dGUiKQ0Kew0KIGVjaG8gIjxiPkZ0cCBRdWljayBicnV0ZTo8L2I+PGJyPiI7DQogaWYgKCR3aW4pIHtlY2hvICJUaGlzIGZ1bmN0aW9ucyBub3Qgd29yayBpbiBXaW5kb3dzITxicj48YnI+Ijt9DQogZWxzZQ0KIHsNCiAgZnVuY3Rpb24gY3RmdHBicnV0ZWNoZWNrKCRob3N0LCRwb3J0LCR0aW1lb3V0LCRsb2dpbiwkcGFzcywkc2gsJGZxYl9vbmx5d2l0aHNoKQ0KICB7DQppZiAoJGZxYl9vbmx5d2l0aHNoKQ0KDQo='),
+        array( 'id' => 'Cyber Shell', 'def1' =>
+'PGNlbnRlcj4uOkN5YmVyIFNoZWxsICh2IDEuMCk6Ljxicj5Db3B5cmlnaHQgqSA8YSBocmVmPSJodHRwOi8vd3d3LmN5YmVybG9yZHMubmV0IiB0YXJnZXQ9Il9ibGFuayI+Q3liZXIgTG9yZHMgQ29tbXVuaXR5PC9hPiwgMjAwMi0yMDA2PC9jZW50ZXI+'),
+        array( 'id' => 'Dive Shell', 'def1' => 'LypFbXBlcm9yIEhhY2tpbmcgVEVBTSAqLw0KICBzZXNzaW9uX3N0YXJ0KCk7DQo='),
+        array( 'id' => 'DTool Pro Shell', 'def1' =>
+'aWYoaXNzZXQoJGNoZGlyKSkgQGNoZGlyKCRjaGRpcik7DQpmdW5jdGlvbiBzYWZlbW9kZSgkd2hhdCl7ZWNobyAiVGhpcyBzZXJ2ZXIgaXMgaW4gc2FmZW1vZGUuIFRyeSB0byB1c2UgRFRvb2wgaW4gU2FmZW1vZGUuIjt9DQo='),
+        array( 'id' => 'Erne Safe Mode Bypass Shell', 'def1' =>
+'PHRyPjx0ZD48Y2VudGVyPjxmb250IHNpemU9IjQiIGNvbG9yPSIjRkZGRkZGIj48c3BhbiBzdHlsZT0iYmFja2dyb3VuZC1jb2xvcjogIzAwMDAwMCI+RXJOZSBTYWZlIE1vZGUgQnlwYXNzIEZvciBCaXlvU2VjdXJpdHkuTmV0PC9zcGFuPg0K'),
+        array( 'id' => 'GFS Shell', 'def1' => 'R0ZTIFdlYi1TaGVsbA0KKi8NCmVycm9yX3JlcG9ydGluZygwKTsNCmlmKCRfUE9TVFsnYl9kb3duJ10pew0K'),
+        array( 'id' => 'GNY Shell', 'def1' =>
+'Ly93NGNrMW5nIFNoZWxsDQppZiAoIWZ1bmN0aW9uX2V4aXN0cygnbXlzaGVsbGV4ZWMnKSkNCnsNCmlmKGlzX2NhbGxhYmxlKCdwb3BlbicpKXsNCmZ1bmN0aW9uIG15c2hlbGxleGVjKCRjb21tYW5kKSB7DQoNCg=='),
+        array( 'id' => 'H4NTU Shell', 'def1' =>
+'PD9waHANCmVjaG8gIjxwPjxmb250IHNpemU9MiBmYWNlPVZlcmRhbmE+PGI+VGhpcyBJcyBUaGUgU2VydmVyIEluZm9ybWF0aW9uPC9iPjwvZm9udD48L3A+IjsNCj8+DQoNCg0KDQo='),
+        array( 'id' => 'Heykir Shell', 'def1' =>
+'ICRjb2Rlcj0iVGhlX0JlS2lSICAmICBUaVQgICYgUnVzbGFuICI7DQogJHN0cmluZyA9ICFlbXB0eSgkX1BPU1RbJ3N0cmluZyddKSA/ICRfUE9TVFsnc3RyaW5nJ10gOiAwOw0KICRzd2l0Y2ggPSAhZW1wdHkoJF9QT1NUWydzd2l0Y2gnXSkgPyAkX1BPU1RbJ3N3aXRjaCddIDogMDsNCg=='),
+        array( 'id' => 'iMHaP FTP Shell', 'def1' =>
+'PEJPRFk+PElNRyBzdHlsZT0iV0lEVEg6IDMwNnB4OyBIRUlHSFQ6IDc2cHgiIGhlaWdodD0xMDAgDQpzcmM9Imh0dHA6Ly93d3cubmV0dGVraWFkcmVzLmNvbS9pbWhhYmlybGlnaS5qcGciIHdpZHRoPTI4Mj48L0JPRFk+DQo8YnI+PENlbnRlcj5TVSBBTiA8QSBocmVmPSJodHRwOi8vd3d3LmltaGFiaXJsaWdpLmNvbSI+aU1IYUJpUkxpR2k8L0E+IEhVRFVUTEFSSU5EQSBCVUxVTk1BS1RBU0lOSVouISE8L0NlbnRlcj4NCg0K'),
+        array( 'id' => 'Iron Shell', 'def1' =>
+'cHJpbnQgIjxmb3JtIGFjdGlvbj1cIiIuJG1lLiI/cD1ldmFsXCIgbWV0aG9kPVBPU1Q+DQoNCgkJCQk8dGV4dGFyZWEgY29scz02MCByb3dzPTEwIG5hbWU9XCJldmFsXCI+IjsNCg0KCQkJCWlmKGlzc2V0KCRfUE9TVFsnZXZhbCddKSkNCg0KDQo='),
+        array( 'id' => 'JSP Shell', 'def1' =>
+'PC90YWJsZT4NCjxwIGFsaWduPSJjZW50ZXIiPlBvd2VyIEJ5IL74ttTB47bIW0IuQy5UXSBRUTo0ODEyNDAxMjwvcD4NCjxwIGFsaWduPSJjZW50ZXIiPiZuYnNwOzwvcD4NCjwlfS8vaWYgZWRpdA0KDQoNCg=='),
+        array( 'id' => 'Kacak Shell', 'def1' =>
+'PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9d2luZG93cy0xMjU0Ij4NCjx0aXRsZT5LYWNhayBGU08gMS4wIHwgVGVycm9yaXN0IENyZXcgLSBTaGVsbGNpLmJpejwvdGl0bGU+DQoNCg0K'),
+        array( 'id' => 'KADot Shell', 'def1' =>
+'PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9d2luZG93cy0xMjU0Ij4NCjx0aXRsZT5LYWNhayBGU08gMS4wIHwgVGVycm9yaXN0IENyZXcgLSBTaGVsbGNpLmJpejwvdGl0bGU+DQoNCg0K'),
+        array( 'id' => 'Lama Shell', 'def1' => 'PGh0bWw+DQogIDxoZWFkPg0KICAgIDx0aXRsZT5sYW1hJ3MnaGVsbCB2LiAzLjA8L3RpdGxlPg0K'),
+        array( 'id' => 'Liz0zim Shell', 'def1' =>
+'ZWNobyAiPGI+PGZvbnQgY29sb3I9Ymx1ZT5MaXowemlNIFByaXZhdGUgU2FmZSBNb2RlIENvbW1hbmQgRXhlY3VyaXRvbiBCeXBhc3MgRXhwbG9pdDwvZm9udD48L2I+PGJyPiI7DQo='),
+        array( 'id' => 'Load Shell', 'def1' => 'PHRpdGxlPkxvYWRlcid6IFdFQiBzaGVsbDwvdGl0bGU+DQo='),
+        array( 'id' => 'Moroccan Spamers Shell', 'def1' =>
+'PHRkIHdpZHRoPSIzMTciIGJvcmRlcmNvbG9yPSIjQ0NDQ0NDIiBiZ2NvbG9yPSIjRjBGMEYwIiBiYWNrZ3JvdW5kPSIvc2ltcGFydHMvaW1hZ2VzL2NlbGxwaWMxLmdpZiIgaGVpZ2h0PSIyMiI+PGZvbnQgc2l6ZT0iLTEiIGZhY2U9IlZlcmRhbmEsIEFyaWFsLCBIZWx2ZXRpY2EsIHNhbnMtc2VyaWYiPiA='),
+        array( 'id' => 'MyShell Shell', 'def1' => 'PHRpdGxlPiRNeVNoZWxsVmVyc2lvbiAtIEFjY2VzcyBEZW5pZWQ8L3RpdGxlPg0KICAgICAgICAgPC9oZWFkPg0K'),
+        array( 'id' => 'MySQL Interface Shell', 'def1' =>
+'KiBNeXNxbCBpbnRlcmZhY2UgdjEuMA0KKiAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQoqIERlc2NyaXB0aW9uIDoNCiogRHVuZ2AgZGUgbG9naW4gdmFvYCBDU0RMIGN1YSB2aWN0aW0ga2hpIGRhIGJpZXQgdXNlciB2YWAgcGFzcyBjdWEgbXlzcWwgdGhvbmcgcXVhIGZpbGUgY29uZmlnDQo='),
+        array( 'id' => 'Sora 101 shell', 'def1' =>
+'fWVsc2VpZigkX0dFVFsiYXp6Il09PSJ2ZWRpIil7DQogICAgZWNobyBodG1sc3BlY2lhbGNoYXJzKGZpbGVfZ2V0X2NvbnRlbnRzKCRfR0VUWyJmaWxlIl0pKTsNCn1lbHNlaWYoJF9HRVRbImF6eiJdPT0iaW5jIil7DQogICAgaW5jbHVkZSgkX0dFVFsiZmlsZSJdKTsNCn0='),
+        array( 'id' => 'N Shell', 'def1' => 'PHRpdGxlPiBuU2hlbGwgdjEuMDwvdGl0bGU+DQo='),
+        array( 'id' => 'NCC Shell', 'def1' => 'PGgxPi46TkNDOi4gU2hlbGwgdjEuMC4wPC9oMT4NCg=='),
+        array( 'id' => 'Network File Manager PHP Shell', 'def1' => 'JHRpdGxlPSJOZXR3b3JrRmlsZU1hbmFnZXJQSFAgZm9yIGNoYW5uZWwgI2hhY2sucnUiOw0K'),
+        array( 'id' => 'Nix Remote Shell', 'def1' =>
+'JHRpdGxlPSJOZXR3b3JrRmlsZU1hbmFnZXJQSFAgZm9yIGNoYW5uZWwgI2hhY2sucnUiOw0KDQokdmVyPSIxLjcucHJpdmF0ZSAoW2ZpbmFsX2VuZ2xpc2hfcmVsZWFzZV0pIjsNCg=='),
+        array( 'id' => 'NST Shell', 'def1' => 'IyMjIyMjdmVyIyMjIw0KJHZlcj0gInYyLjEiOw0KIyMjIyMjIyMjIyMjIw0K'),
+        array( 'id' => 'PH Vayv Shell', 'def1' => 'ICAgIDxicj4NCiAgICBQSFZheXYgMS4wPC9zcGFuPjwvZm9udD48L3RkPg0K'),
+        array( 'id' => 'PHANTASMA Shell', 'def1' =>
+'PERJViBTVFlMRT0iZm9udC1mYW1pbHk6IHZlcmRhbmE7IGZvbnQtc2l6ZTogMjVweDsgZm9udC13ZWlnaHQ6IGJvbGQ7IGNvbG9yOiAjRjNiNzAwOyI+UEhBTlRBU01BLSBOZVcgQ21EIDspIDwvRElWPg0KDQo='),
+        array( 'id' => 'PHP Backdoor Shell', 'def1' => 'Ly8gYSBzaW1wbGUgcGhwIGJhY2tkb29yIHwgY29kZWQgYnkgejBtYmllIFszMC4wOC4wM10gfCBodHRwOi8vZnJlZW5ldC5hbS9+em9tYmllIFxcDQo='),
+        array( 'id' => 'PHP Bypass Shell', 'def1' => 'KgkJCQkJCQlTaGVMTCBBcmNoaXZlDQoqICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQaHAgQnlwYXNzIC0gd3d3LnNoZWxsY2kuYml6DQoNCg=='),
+        array( 'id' => 'PHP Include With Shell', 'def1' => 'IyB3ZSBkZWNpZGUgaWYgd2Ugd2FudCBzeXNsb2dnaW5nDQpjbG9zZWxvZygpOw0KDQo='),
+        array( 'id' => 'PHP Inj Shell', 'def1' => 'PHRpdGxlPnx8IC46Ok5ld3MgUmVtb3RlIFBIUCBTaGVsbCBJbmplY3Rpb246Oi4gfHwgICA8L3RpdGxlPg0K'),
+        array( 'id' => 'PHP Jackal Shell', 'def1' =>
+'Y2FzZSAnY3InOmNyYWNrZVIoKTticmVhazsNCmNhc2UgJ2RpYyc6ZGljbWFrZVIoKTticmVhazsNCmNhc2UgJ3Rvb2xzJzp0b29sUygpO2JyZWFrOw0KY2FzZSAnaGV4JzpoZXh2aWVXKCk7YnJlYWs7DQoNCg=='),
+        array( 'id' => 'PHP Remote View Shell', 'def1' => 'ICogIFdlbGNvbWUgdG8gcGhwUmVtb3RlVmlldyAoUmVtVmlldykgDQoNCg=='),
+        array( 'id' => 'R57 ORIGINAL Shell', 'def1' => 'LyogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSNTcgc2hlbGwNCg0K'),
+        array( 'id' => 'R57 IFX Modified Shell', 'def1' =>
+'LyogIHI1N3NoZWxsLnBocCAtID8/Pz8/PyA/PyA/Pz8gPz8/Pz8/Pz8/Pz8gPz8/ID8/Pz8/Pz8/PyA/Pz8/ID8/Pz8/Pz8gID8/ID8/Pz8/Pz8gPz8/Pz8gPz8/Pz8/Pw0K'),
+        array( 'id' => 'R57 Kartal Modified Shell', 'def1' => 'LyogICAgICAgICAgICAgICAgICAgIGthcnRhbF81NjdAaG90bWFpbC5jb21bS2FSVGFMXQ0KDQo='),
+        array( 'id' => 'R57 Mohajer22 Shell', 'def1' => 'LyogIChjKW9kZWQgYnkgMWR0LncwbGYNCg0KDQo='),
+        array( 'id' => 'R57 New Year Edition Shell', 'def1' => 'LyogID8/Pz8/PzogMS4yNCAoTmV3IFllYXIgRWRpdGlvbikNCg0KDQo='),
+        array( 'id' => 'Remview Shell', 'def1' => 'ICogICMgU2hlbGxjaS5CaXoNCiAqICBXZWxjb21lIHRvIHBocFJlbW90ZVZpZXcgKFJlbVZpZXcpIA0K'),
+        array( 'id' => 'S72 Shell', 'def1' => 'PHRpdGxlPnM3MiBTaGVsbCB2MS4wIENvZGluZiBieSBDckB6eV9LaW5nPC90aXRsZT4NCg=='),
+        array( 'id' => 'Safe Mode Bypass PHP 4.4.2 & 5.1.2 Shell', 'def1' =>
+'TW9kZSBTaGVsbCB2MS4wPC9mb250Pjwvc3Bhbj48L2E+PC9mb250Pjxmb250IGZhY2U9IldlYmRpbmdzIiBzaXplPSI2IiBjb2xvcj0iI0ZGMDAwMCI+ITwvZm9udD48L2I+PC9wPg0KDQo='),
+        array( 'id' => 'SIM Attacker Shell', 'def1' => 'Jm5ic3A7SXJhbmlhbiBIYWNrZXJzIDogV1dXLlNJTU9SR0gtRVYuQ09NIDxicj4NCiZuYnNwO1Byb2dyYW1lciA6IEhvc3NlaW4gQXNnYXJ5IDxicj4NCg=='),
+        array( 'id' => 'SnIpEr SA Shell', 'def1' =>
+'LyogIFNuSXBFcl9TQS5waHAgLSA/Pz8/Pz8gPz8gPz8/ID8/Pz8/Pz8/Pz8/ID8/PyA/Pz8/Pz8/Pz8gPz8/Pz8/Pz8/ID8/Pz8/Pz8gPz8gPz8/Pz8/PyA/Pz8/PyA/Pz8/Pz8/DQo='),
+        array( 'id' => 'Stres Bypass Shell', 'def1' => 'LyogICAgICAgICAgICAgICAgICAgICAgICAgIFN0cmVzQnlwYXNzIHYxLjANCg=='),
+        array( 'id' => 'Dark-Shell', 'def1' => 'ZWNobyAiPGNlbnRlcj48aDE+RGFyayBTaGVsbDwvaDE+PC9jZW50ZXI+PHA+PGhyPjxwPlxuIjsNCg=='),
+        array( 'id' => '0x00 PHP shell', 'def1' => 'ICAgICAgICA8dGl0bGU+fiAweDAwIFBIUCBzaGVsbCB2LjB4MjwvdGl0bGU+DQo='),
+        array( 'id' => 'okno_Shell', 'def1' => 'ZWNobyAnPGJyPlBIUCBzeXN0ZW0oKSBjb25zb2xlIGJ5IG9rbm8gLSBtYWluQHBhd2Vsem9yemFuLmV1IDxicj4nOw0K'),
+        array( 'id' => 'CShell', 'def1' => 'ICogQ1NoZWxsDQoNCg=='),
+        array( 'id' => 'Bl0od3r Priv8 Shell', 'def1' => 'U2hlbGwgd3JpdHRlbiBieSBCbDBvZDNyDQoNCg0K'),
+        array( 'id' => 'Root Access Shell', 'def1' =>
+'PHRyPjx0ZCBjbGFzcz1jb250ZW50Yj48Y2VudGVyPjxhIGhyZWY9Imh0dHA6Ly9mb3J1bS5yb290LWFjY2Vzcy5ydSI+PGZvbnQgc2l6ZT0yIGNvbG9yPSNlN2U3ZWI+Um9vdC1BY2Nlc3MgU2hlbGwgdjEuMDwvZm9udD48L2E+PC9jZW50ZXI+DQoNCg0K'),
+        array( 'id' => 'G00nShell', 'def1' => 'IyBbZzAwbl1GaVNoIHByZXNlbnRzOiAjDQojIGcwMG5zaGVsbCB2MS4zIGZpbmFsICMNCg0KDQo='),
+        array( 'id' => 'CShell', 'def1' => 'ICogQ1NoZWxsDQoNCg=='),
+        array( 'id' => 'lostDC shell', 'def1' => 'ICogbG9zdERDIHNoZWxsDQoNCg0K'),
+        array( 'id' => '_GsC_ shell', 'def1' => 'R3NDIFNoZUxMIHYwLjguMCBDcmVhdGVkIEJ5IF9Hc0NfIEFrYSBTazFwcDNyDQoNCg0K'),
+        array( 'id' => 'OnBoomShell', 'def1' => 'LyoNCk9OQk9PTVNIRUxMIFYgMC4yDQpieSBjb2JyYTkwbmoNCg=='),
+        array( 'id' => 'StAkeR ~ Shell', 'def1' => 'PHRpdGxlPlN0QWtlUiB+IFNoZWxsPC90aXRsZT4NCjxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+DQo='),
+        array( 'id' => 'Iron Shell', 'def1' =>
+'JGZvb3RlciA9ICc8dHI+PHRkPjxocj48Y2VudGVyPiZjb3B5OyA8YSBocmVmPSJodHRwOi8vd3d3Lmlyb253YXJlei5pbmZvIj5Jcm9uPC9hPiAmIDxhIGhyZWY9Imh0dHA6Ly93d3cucm9vdHNoZWxsLXRlYW0uaW5mbyI+Um9vdFNoZWxsIFNlY3VyaXR5IEdyb3VwPC9hPjwvY2VudGVyPjwvdGQ+PC90YWJsZT48L2JvZHk+PC9oZWFkPjwvaHRtbD4nOw=='),
+        array( 'id' => '..:: HiddenShell ::..', 'def1' => 'ICAgIDx0aXRsZT5IaWRkZW5TaGVsbDwvdGl0bGU+DQo='),
+        array( 'id' => 'N3fa5t1cA Sh3ll', 'def1' => 'PGh0bWw+PHRpdGxlPk4zZmE1dDFjQSBTaDNsbDwvdGl0bGU+DQoNCg=='),
+        array( 'id' => '! ~ Cod3rZ Shell ~ !', 'def1' => 'IyBDb2QzclogU2hlbGwgNS4xDQojIGMwZGVkIGJ5IENvZDNyWg0KDQoNCg=='),
+        array( 'id' => 's101', 'def1' => 'PHRpdGxlPnMxMDEgdjAuMi41PC90aXRsZT4NCg0K'),
+        array( 'id' => 'Nexpl0rer Shell', 'def1' => 'MzEzMzcgU2hlbGwgYnkgTmV4ZW4gLSBQaFAgYzBkYWgNCg0K'),
+        array( 'id' => 'DC3 Shell (Priv8)', 'def1' => 'ICAgICAgICAgIGRDMyBTZWN1cml0eSBDcmV3DQo='),
+        array( 'id' => 'H4ntu Shell', 'def1' =>
+'ZWNobyAiPHRpdGxlPmg0bnR1IHNoZWxsIFtwb3dlcmVkIGJ5IHRzb2ldPC90aXRsZT5cbjxwPjxmb250IHNpemU9MiBmYWNlPVZlcmRhbmE+PGI+VGhpcyBJcyBUaGUgU2VydmVyIEluZm9ybWF0aW9uPC9iPjwvZm9udD48L3A+IjsNCg=='),
+        array( 'id' => 'Macker s Private PHPShell', 'def1' => 'KiAgICAgICAgICAgICAgICAgICAgICAgICAgIFBIUFNIRUxMLlBIUCAgICAgICAgICAgICAqDQoNCg=='),
+        array( 'id' => '~ Andr3a92 ~ Sh3ll ~', 'def1' =>
+'ZWNobyAiPHRyPjx0ZCBiZ2NvbG9yPVwiI0NDQ0NDQ1wiPjxjZW50ZXI+PGltZyBzcmM9XCIiLiRzaGVsbC4iP2ltZz1maWxlXCIgYm9yZGVyPVwiMFwiPjwvY2VudGVyPjwvdGQ+PHRkIGJnY29sb3I9XCIjQ0NDQ0NDXCI+PGEgaHJlZj1cIiIuJGZpbGV6LiJcIiB0YXJnZXQ9XCJfQkxBTktcIj4iLiRmaWxlX25hbWUuIjwvYT48L3RkPg0K'),
+        array( 'id' => 'JsBack - Shell Backdoor', 'def1' => 'ICAgICAgICAgICAgICAgSnNCYWNrIC0gSmF2YXNjcmlwdCBCYWNrZG9vcg0K'),
+        array( 'id' => 'shell qualsiasi', 'def1' => 'c2hlbGwNCg==', 'def2' => 'U2hlbGwNCg==', 'def3' => 'U2gzbGwNCg==')
+    );
+
+$generic = 'Shell';
+parse_dir( $settings[ 'BASE_DIR' ] );
+echo "</pre><br />";
+?>
+<br>
+</div></span>
+</pre></p></body></html>
diff --git a/scan.php b/scan.php
new file mode 100644
index 0000000..f7de764
--- /dev/null
+++ b/scan.php
@@ -0,0 +1,3598 @@
+<?php
+/*
+[+] Malware Scanner version 2.1
+[+] Patterns updated on July 18 2015 - next update in September 2015
+[+] by Malin Cenusa
+*/
+
+/* let's make sure nobody uses this further */
+
+
+/* script variables */
+$version = '2.1';
+$self = basename(__FILE__);
+
+$eroot = '../';
+$print_infected = true;
+$print_suspected = true;
+$print_all = false;
+$recurse = 200;
+
+print "<pre>";
+print "Malware Scanner v{$version} by Malin Cenusa (malin@cenusa.me)\n\n";
+print "Directory depth set to {$recurse}\n\n";
+
+$fl = new e_file();
+$tree = $fl->get_files($eroot, '\.php|\.sc|.bb|\.gif|\.js|\.htm|\.html|\.htaccess', 'standard', $recurse);
+
+$counter_infected = 0;
+$counter_cleaned = 0;
+$counter_suspected = 0;
+$counter_error = 0;
+$counter_warning = 0;
+
+// just in case
+set_time_limit(0);
+error_reporting(E_ALL);
+
+foreach ($tree as $finfo)
+{
+    // exclude self
+    if(strpos($finfo['fname'], $self) !== FALSE && realpath(__FILE__) == realpath($finfo['path'].$finfo['fname']))
+    {
+        continue;
+    }
+
+    if($print_all) print "{$finfo['path']}{$finfo['fname']}....CHECKING";
+    $tmp = file_get_contents($finfo['path'].$finfo['fname']);
+    preg_match('/[^.\s]*([a-z])$/i', $finfo['fname'], $match);
+
+    if(preg_match('/[^.\s]*([a-z])$/i', $finfo['fname'], $match))
+    {
+        $ext = $match[0];
+        unset($match);
+    }
+
+    ///<\?(php)?/i - short tag detection problem
+    if('gif' == $ext && preg_match('/<\?php/i', $tmp))
+    {
+        $counter_infected++;
+        //$counter_error++;
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "\n";
+        {
+            print "...INFECTED (PHP open tag inside GIF image)\n";
+            //     print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will not be auto-deleted, you have to delete it manually if you think it's a threat!\n\n");
+        }
+
+    }
+    elseif('jpg' == $ext && preg_match('/<\?php/i', $tmp))
+    {
+        $counter_infected++;
+        //$counter_error++;
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "\n";
+        {
+            print "...INFECTED (PHP open tag inside JPG image)\n";
+
+            //     print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will not be auto-deleted, you have to delete it manually if you think it's a threat!\n\n");
+        }
+
+    }
+    elseif('jpeg' == $ext && preg_match('/<\?php/i', $tmp))
+    {
+        $counter_infected++;
+        //$counter_error++;
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "\n";
+        {
+            print "...INFECTED (PHP open tag inside JPEG image)\n";
+            //     print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will not be auto-deleted, you have to delete it manually if you think it's a threat!\n\n");
+        }
+
+    }
+    // known infection - can be auto-cleaned
+    elseif(preg_match('#^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n#i', $tmp, $matches))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "...INFECTED";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+
+        //        $counter_error++;
+        //print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will NOT BE CLEANED! Please use the shell version of this script.\n\n");
+        continue;
+    }
+
+    // just a guess - eval(base64_decode(... pattern match
+    elseif(preg_match('#eval(\s*)\((.*)base64_decode(\s*)\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval/base64_decode found)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    // Found inside the compromised e107 full release (class2.php)
+    elseif(preg_match('/\$_COOKIE\[[\'|"]access-admin[\'|"]\]/i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all)
+        {
+            print "...INFECTED (access-admin COOKIE reference)\n";
+        }
+        //        print("\nERROR: {$finfo['path']}{$finfo['fname']} can't be auto-cleaned!\n\n");
+        $counter_infected++;
+        //        $counter_error++;
+        continue;
+    }
+
+/* new patterns */
+    elseif(preg_match('#this.form.upload_file.disabled=false#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (this.form.upload_file.disabled=false)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#function(\s*)jspw3\(d\,m\,f\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (function jspw3 (d ,m ,f))</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#a(\s*)simple(\s*)Web-based(\s*)file(\s*)manager#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (a simple Web-based file manager)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#php\_uname(\s*)\(preg_replace(\s*)\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (php_uname(preg_replace()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#function(\s*)rewrioutclbkxxx1\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (function rewrioutclbkxxx1()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#eval\(\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (eval((base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#preg_replace\(strrev\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (preg_replace(strrev()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#s=base64_decode\(str_replace\(chr\(32\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (s=base64_decode(str_replace(chr(32))</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#_GET\[base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (_GET[base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#@error_reporting\(0\)#i', $tmp))
+    {
+        if($print_suspected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_suspected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (error_reporting)</font>";
+        $counter_suspected++;
+        if($print_suspected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#eval\(base64_decode\(<(.*)POST(.*)>php#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (eval(base64_decode(<.*POST.*>php)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#==========================+(\s*)Credit.Mutuel.ReZult(\s*)+==================#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (==========================+ Credit.Mutuel.ReZult +==================)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#X-Mailer:(\s*)The(\s*)Bat\!(\s*)\(v#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (X-Mailer: The Bat! (v)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#WordPress(\s*)Inserter(\s*)Links#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (WordPress Inserter Links)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#The(\s*)Sword(\s*)Config(\s*)Fuck(\s*)Script#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (The Sword Config Fuck Script)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#@kr(\s*)=(\s*)<d0mains>;#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (@kr = <d0mains>;)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#copyto(\s*)=(\s*)explode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (copyto = explode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#d.=sprintf\(\(substr\(urlencode\(print_r\(array\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (d.=sprintf((substr(urlencode(print_r(array()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#eval\(gzinflate\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (eval(gzinflate(base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#eval\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (eval(gzinflate(str_rot13(base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Home(\s*)\|(\s*)Personal#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Bank of America | Home | Personal)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Online(\s*)Banking(\s*)\|(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Bank of America | Online Banking | Sign In to Online Banking)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Thank(\s*)you#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Bank of America | Thank you)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Wells(\s*)Fargo(\s*)Home(\s*)Page#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Wells Fargo Home Page)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Chase(\s*)Online(\s*)-(\s*)Logon#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Chase Online - Logon)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Send(\s*)Money,(\s*)Pay(\s*)Online(\s*)or(\s*)Set(\s*)Up(\s*)a(\s*)Merchant(\s*)Account(\s*)with(\s*)PayPal#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Send Money, Pay Online or Set Up a Merchant Account with PayPal)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Login(\s*)-(\s*)PayPal#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Login - PayPal)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Sign(\s*)Up(\s*)for(\s*)PayPal(\s*)-(\s*)It\'s(\s*)Free(\s*)and(\s*)Easy(\s*)to(\s*)Get(\s*)Started#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Sign Up for PayPal - It's Free and Easy to Get Started)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#My(\s*)Account(\s*)-(\s*)Telstra#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (My Account - Telstra)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#RBC(\s*)Royal(\s*)Bank(\s*)-(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (RBC Royal Bank - Sign In to Online Banking)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#RBC(\s*)Financial(\s*)Group(\s*)-(\s*)Online(\s*)Banking#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (RBC Financial Group - Online Banking)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Online(\s*)Banking(\s*)Security(\s*)and(\s*)Privacy(\s*)Guide(\s*)-(\s*)RBC(\s*)Royal(\s*)Bank#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING(Online Banking Security and Privacy Guide - RBC Royal Bank)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#~(\s*)Santander(\s*)Online(\s*)Banking(\s*)~#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (~ Santander Online Banking ~)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Santander(\s*)e-Banking(\s*)?(\s*)Logon(\s*)page#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Santander e-Banking ? Logon page)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Santander(\s*)Online(\s*)Banking#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Santander Online Banking)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#eBucks(\s*)>(\s*)Home#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (eBucks > Home)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Chase(\s*)Personal(\s*)Banking(\s*)Investments(\s*)Credit(\s*)Cards(\s*)Home(\s*)Auto(\s*)Commercial(\s*)Small(\s*)Business(\s*)Insurance#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Chase Personal Banking Investments Credit Cards Home Auto Commercial Small Business Insurance)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Yahoo!(\s*)Mail:(\s*)The(\s*)best(\s*)web-based(\s*)email!#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Yahoo! Mail: The best web-based email!)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Remax(\s*)ReZulT(\s*)By#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (Remax ReZulT By)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#ErrorDocument(\s*)404(\s*)http#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (ErrorDocument 404 http)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#ErrorDocument(\s*)500(\s*)http#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (ErrorDocument 500 http)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#ErrorDocument(\s*)403(\s*)http#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (ErrorDocument 403 http)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#%u0c0c%u0c0c#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (%u0c0c%u0c0c)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#String.fromCharCode(32)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (String.fromCharCode\(32\))</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#HTTP_REFERER(.*)msn(.*)live#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (HTTP_REFERER msn live)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#SnIpEr_SA#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (SnIpEr_SA)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#php_value(\s*)auto_append_file#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (php_value auto_append_file)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#AddType(\s*)application(\s*).jpg#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (AddType application .jpg)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#AddHandler(\s*)php5-script(\s*).jpg#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (AddHandler php5-script .jpg)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#HTTP_USER_AGENT(.*)google(.*)yahoo#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (HTTP_USER_AGENT google yahoo)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#HTTP_REFERER(.*)\*search.yahoo\*#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (HTTP_REFERER *search.yahoo*)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#Card(.*)number:#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Card number:)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+/*    elseif(preg_match('#Mass(.*)Mailer#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (Mass Mailer)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    } */
+    elseif(preg_match('#<\?php\s*eval\(\"\?>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (base64 encoded shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#\;if\(aa\.indexOf\(aaa\)\=\=\=0\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED JS MALWARE(;if(aa.indexOf(aaa)===0))</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#function\s*re\(s\,n\,r\,b\,e\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED JS MALWARE (function re(s,n,r,b,e))</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#var\s*foobar\s*\=\s*unescape\;#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (var foobar = unescape;)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#auth\_pass\s*\=\s*\"(.*)\"\;\s*eval\(\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (encrypted filesman)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*\@copy\(\W\_FILES\[file\]\[tmp\_name\]\,\s*\W\_FILES\[file\]\[name\]\)\;\s*exit\;\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED DEFACE SCRIPT (filecopy)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*\/\/(.*)\_\=\s*\/\/system\s*file\s*do\s*not\s*delete\'\'\;\s*\/\/system\s*file\s*do\s*not\s*delete\s*\W\_\_\s*\=\s*\"(.*)\"\;\W\_\_\_\s*\=\s*\"(.*)\"\;eval\(\W\_\_\_\(\W\_\_\)\)\;#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#preg\_replace\(\"\/\.\+\/esi\"\,\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<script\s*language\=\"JavaScript\"\s*type\=\"text\/javascript\"><\!\-\-\s*var(.*)\;eval\(unescape\(\"(.*)\;document\.write\(u\)\;u\=\"\"\;\/\/\-\->\s*<\/script>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED JS MALWARE(eval/unescape)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*session\_start\(\)\;\s*\Wme\=\W\_SERVER\[\'PHP\_SELF\'\]\;\s*\WNameF\=\W\_REQUEST\[\'NameF\'\]\;\s*\Wnowaddress\=\'<input\s*type\=hidden\s*name\=address\s*value\=\"\'\.getcwd\(\)\.\'\">\'\;\s*\Wpass\_up\=#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT(malicious)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*\@set\_time\_limit\(0\)\;\s*\@error\_reporting\(NULL\)\;\s*\@ini\_set\(\'display\_errors\'\,0\)\;\s*\@ignore\_user\_abort\(TRUE\)\;\s*if\(md5\(md5\(\W\_REQUEST\[\'(.*)\'\]\)\)\=\=\'#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT(malicious)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?PHP\s*defined\(\'\_OLD\_JEXEC\_\'\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED base64 injection script</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*if\(isset\(\W\_REQUEST\[\"(.*)\"\]\)\)\s*\{\s*eval\(base64\_decode\(\W\_REQUEST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}\s*else\s*\{\s*die\(\"404\s*Not\s*Found\"\)\;\s*\}\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED base64 injection script</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#function\_exists\(\'date\_default\_timezone\'\)\s*\?\s*date\_default\_timezone\_set\(\'America\/Los\_Angeles\'\)\s*\:\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\;#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALICIOUS SCRIPT</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?PHP\s*define\(\'REAL\_SERVER\_ROOT\'\,\s*\'SERVER\'\)\;\s*\/\/DIR(.*)define\(\'SYSTEM\_SKEL\_DIR\'\,\s*\'skel\'\)\s*\?\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\:(.*)define\(\'WORKGROUPS\_META\_SETTINGS\_FILENAME\'\,\s*\'settings.xml\'\)\;\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALICIOUS SCRIPT</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED base64 injection script</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*echo\s*\'<b>Sw\s*Bilgi<br><br>\'\.php\_uname\(\)\.\'<br><\/b>\'\;(.*)else\s*\{\s*echo\s*\'<b>Basarisiz<\/b><br><br>\'\;\s*\}\s*\}\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#GIF89\;<br><br>\s*<Hmei7>\s*<\?php\s*if\s*\(\s*isset\(\W\\[\'versi\'\]\)\s*\)\'s*\{\s*vers\(\)\;#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (GIF infection)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*if\(\!empty\(\W\_FILES\[\'message\'\]\[\'name\'\]\)\s*AND\s*\(md5\(\W\_POST\[\'nick\'\]\)\s*\=\=#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (POST backdoor)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*\Wis\_bot\s*\=\s*FALSE\s*;\s*\Wuser\_agent\_to\_filter\s*\=\s*array\(\s*\'\#fileuploads\#\'\)\s*\;#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#auth_pass(.*)eval\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*\/\*\s*Plugin\s*Name\:\s*GSM#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALICIOUS PLUGIN</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\?php\s*\W(.*)array\(\"(.*)\"\)\;eval\(\"(.*)x3B\"\)\;\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#base=base64_encode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (base=base64_encode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#.rand\(100000000,9999999999\).#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (.rand(100000000,9999999999).)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#__++\)\)\].=#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (__++))].=)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Fredrik N. Almroth - h.ackack.net#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Fredrik N. Almroth - h.ackack.net)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#The Sword Config Fuck Script#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (The Sword Config Fuck Script)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#4297f44b13955235245b2497399d7a93#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (4297f44b13955235245b2497399d7a93)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<\!-- provided by.\/katAK -->#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (<!-- provided by./katAK -->)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#user_agent_to_filter#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (user_agent_to_filter)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#\@unserialize\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (@unserialize(base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#file_put_contents\(__FILE__,base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (file_put_contents(__FILE__,base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#echo eval\(urldecode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (echo eval(urldecode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#echo @eval\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (echo @eval(base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#xml_str = base64_decode#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (xml_str = base64_decode)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#X-Mailer: Microsoft Office Outlook#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (X-Mailer: Microsoft Office Outlook)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#mode=show>Commands Run#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (mode=show>Commands Run)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#_SAPE_USER#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (_SAPE_USER)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#.gzuncompress\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (.gzuncompress(base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#\);preg_replace\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED ();preg_replace()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#\),base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (),base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#eVAl\( base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eVAl( base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED ((gzinflate(str_rot13(base64_decode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#body=stripslashes\(urldecode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (body=stripslashes(urldecode()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#REQUEST = array_merge\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (REQUEST = array_merge()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#;eval\(\(\(strlen\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (;eval(((strlen()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#viagra#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (viagra)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#levitra#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (levitra)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#male enhancement#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (male enhancement)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#propceia#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (propceia)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#xViewState\(\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (xViewState)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Fonksiyonlar#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Fonksiyonlar)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<vuln> <dork>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (<vuln> <dork>)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+     elseif(preg_match('#Sh3llBoT#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Sh3llBoT)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Upload Your Fav Shell#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Upload Your Fav Shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Is cURL installed\? \(nst\) which curl#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Is cURL installed\? \(nst\) which curl)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Magic Include Shell ver#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Magic Include Shell ver)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#irc.securitychat.org#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (irc.securitychat.org)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#function printLogin\(\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (function printLogin\(\))</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#function GetMama\(\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (function GetMama\(\))</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#runcommand#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (AJAX runcommand)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#my @nickname = #i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (my @nickname = )</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#dosyaPath = mid\(mpat,InStrRev\(mpat#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (ASP Shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#coded by z0mbie#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (coded by z0mbie)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Php Bypass - www.shellci.biz#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Php Bypass - www.shellci.biz)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#fistik=PHVayv;#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (fistik=PHVayv;)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Dark Shell#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Dark Shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#CTT SHELL#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CTT SHELL)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#\/etc\/passwd#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (/etc/passwd)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<tr><td>Chiave<\/td><td>Valore<\/td><\/tr>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cShell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#fonk_kap = get_cfg_var#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (fonk_kap = get_cfg_var)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#PHPSHELL_VERSION#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (PHPSHELL_VERSION)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Root-Access Shell#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Root-Access Shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#s101 Interamente creata da Sora101#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (s101 Interamente creata da Sora101)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#SimAttacker - Vrsion#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (SimAttacker - Vrsion)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#Shell Dizini:#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Shell Dizini:)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#\/etc\/syslog.conf#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/etc\/syslog.conf)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#die\(PHP_OS.chr\(49\).chr\(48\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED die\(PHP_OS.chr\(49\).chr\(48\)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#stCurlLink = base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (stCurlLink = base64_decode\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#cookey =#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cookey =)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#cxyyt = array\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cxyyt = array\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#.str_pad\(strtoupper\(dechex\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (.str_pad\(strtoupper\(dechex\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#veb65c0b0 = array_keys\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (veb65c0b0 = array_keys\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#=Array\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (=Array(base64_decode\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#edoced_46esab#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (edoced_46esab)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\*\/base64_decode\/\*#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\*\/base64_decode\/\*)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(stripslashes\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval\(stripslashes\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(\@gzinflate\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval\(\@gzinflate\(base64_decode\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eva1fYlbakBcVSir#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eva1fYlbakBcVSir)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#preg_replace\(\"\/\.\*\/e\"\,\"\\x65#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (preg_replace\(\"\/\.\*\/e\"\,\"\\x65)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#cg2bW3yV4NSpnvKX2cFAvjczD7#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cg2bW3yV4NSpnvKX2cFAvjczD7)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#Macro Hack#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Macro Hack)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#XERATUTA#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (XERATUTA)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#unserialize\(string_cpt\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unserialize\(string_cpt\(base64_decode\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#data.dat.gz#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (data.dat.gz)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#Scam Redirector#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Scam Redirector)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\/images\/config.db#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/images\/config.db)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\/temp\/links.db#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/temp\/links.db)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#LS0tLS0tLS0tLS0tLS0t#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (LS0tLS0tLS0tLS0tLS0t)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#BlackMail#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (BlackMail)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\{ hauguen priv\@ spammer \}#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\{ hauguen priv\@ spammer \})</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#echo \'Shell Ok \';#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (echo \'Shell Ok \';)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#Da Slake PHP MAILER#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Da Slake PHP MAILER)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#: :   M A I L E R   : :   \$ d o m a i n   -   I n s i d e T e a m   v#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (: :   M A I L E R   : :   \$ d o m a i n   -   I n s i d e T e a m   v)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\/etc\/valiases/#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/etc\/valiases/)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#numemails#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (numemails)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#PHP Mailer#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (PHP Mailer)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\/etc\/named.conf#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/etc\/named.conf)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#set_index .= base64_encode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (set_index .= base64_encode\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval\(gzinflate\(base64_decode\(strrev\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#system file do not delete#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (system file do not delete)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#nslookup -type=MX#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (nslookup -type=MX)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\$copyto = explode\(\'wp-content\'\,#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (copyto = explode\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#default_action =(.*)default_charset =(.*)preg_replace\((/*)\,str_replace\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED FilesMan Shell</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\<\?php for\(\$o=0,\$e=#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\<\?php for\(\$o=0,\$e=)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\$felp = explode\(\$kaka#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\$felp = explode\(\$kaka)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#getdata = base64_decode\(\$datacheck\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (getdata = base64_decode\(\$datacheck\);)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#array_map\(strrev\(\"ed\".\"oced_\".\"46esab\"\),array\(str_replace\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#if \(md5\(md5\(\$\_REQUEST\[\'hhh\'\]\)\) ==#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#Upload GAGAL#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Upload GAGAL)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#Config Grabber#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Config Grabber)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#@symlink\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (@symlink\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#OOO000000=urldecode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (OOO000000=urldecode\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval \(gzinflate\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval \(gzinflate\(base64_decode\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#return rawurlencode\(rawurlencode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (return rawurlencode\(rawurlencode\()</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#=array_map\(\"ba\".\"se6\".\"4\".\"_decode\",array\(\'\',str_replace\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#d.=sprintf\(\(substr\(urlencode\(print_r\(array\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzinflate\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzinflate\(base64_decode\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzuncompress\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzuncompress\(str_rot13\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzuncompress\(base64_decode\(str_rot13\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(str_rot13\(gzinflate\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(str_rot13\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(strrev\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#echo\(gzinflate\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#^<\?php\s*\\\$md5\s*=\s*[\"|\']\w+[\"|\'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*\?>\s*#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#libworker.so#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (libworker.so)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#by.\/katAK#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (by.\/katAK)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (crawler filter)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+    elseif(preg_match('#<span>Make dir:<\/span>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#\}eval\(x0r\("#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#function x0r\(\$h3ll0s\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+    elseif(preg_match('#<\?php\s*preg_replace\(\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+     elseif(preg_match('#\$security_code = \(empty\(\$_POST\[\'security_code\'\]\)\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#\.ucwords\(str_replace\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#\)\);array_multisort\(array_map\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#\.rawurlencode\(strtolower\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#<\?php\s*eval \( base64_decode \(\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#eval\(stripslashes\(\$_POST\[codee\]\)\);"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#eval\(pet\(\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#<\?php \$g___g_=\'base\'.\(32*2\).\'_de\'.\'code\';\$g___g_=\$g___g_\(str_replace\(\"\n\", \'\', \'#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#eval\((.*)\(base64_decode\((.*)1234567890\)\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#\$opt\(\"\/292\/e\",\$au,292\); die\(\);\}\}\}#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#\$MailTo = base64_decode\(\$_POST\[\"mailto\"\]\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#email_polucha#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#if\(isset\(\$_REQUEST\[\'(.*)eval\((.*)\); exit\(\); \} if\(isset\(\$_REQUEST\[\'(.*)exit\(\); \}\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#.::\[ Phproxy \]::.#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#teksasli=unescape\(teks\);document.write\(teksasli\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#eval\(base64_decode\(\$jembot\)\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#eval\(base64_decode\(\$_REQUEST\[\'p64\'\]\)\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#die\(\"Restricted accoss\"\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+/*        elseif(preg_match('#F(.*)i(.*)l(.*)e(.*)s(.*)m(.*)a(.*)n#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }      */
+        elseif(preg_match('#<\?php\s*eval\(gzinflate\(str_rot13\(base64_decode\(\'#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#phpRemoteView#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#if \(isset\(\$_POST\[\'_\'\]\) \&\& \(sha1\(base64_decode\(\$_POST\[\'_\'\]\)\^\$str\) ==#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#x47FzcyA9ICI#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#mkdir\(\'Indishell\',0777\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#Superfast Zone-H submitter#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#if\(stripos\((.*)=base64_decode\((.*)=create_function\(\"\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#Done ==> \$userfile_name#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#preg_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#WEB(.*)Shell#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#index.php replaced successufuly\!#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#sloboz#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#\$URI = str_replace\(\"sync.php\", \$filename, \$URI\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#<\? eval\(gzuncompress\(base64_decode\(\'#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#WPcheckInstall#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#echo \"Already writed\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#if \(move_uploaded_file \(\$_FILES\[\"update\"\]\[\"tmp_name\"\], __FILE__\)\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#FilesMan#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#<\?php(.*)= array\(\'(.*)= array\(\'(.*)= array\(\'(.*)\";if \(\!function_exists\(\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#\{eval\(base64_decode\(\$_POST\[\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#\$uid = strtoupper\(md5\(uniqid\(time\(\)\)\)\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#Created By Spaghy#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#= strrev\(\'ed\'.\'oc\'.\'ed_4\'.\'6e\'.\'sab\'\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#= strrev\(\'eca\'.\'lper\'.\'_ge\'.\'rp\'\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#<\?php\s*if \(\!function_exists\(\"(.*)\"\)\)\s*\{\s*function(.*)= base64_decode\((.*)= strlen\((.*)= file_get_contents\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#Mestre eCoLoGy#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#PHP eMailer#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#= \"p\".\"r\".\"e\".\"g\".\"_\".\"r\".\"e\".\"p\".\"l\".\"a\".\"c\".\"e\";#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#The Devil made me do it :\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#echo \"Can\'t upload file:#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#<\?\/\/BREACK\/\/\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#Bypass SuHosin#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+        elseif(preg_match('#\$_FILE\(stripslashes\(\$_REQUEST\[\'HOST\'\]\)\);\}#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#atualizar_flash_player_ver#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#Made By mr.hosam#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<script>document.getElementById\(\'a22\'+\'222\'\).style.display=\'no\'+\'ne\'<\/script><\!-- InstanceEnd -->#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#\$auth_pass = \"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?php\s*\/\*(.*)*\/\s*eval \( base64_decode \(\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#\/usr\/bin\/host#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?php preg_replace\(\"\/.\*\/e\",\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#\]\}=__FUNCTION__;return\@is_object\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#eval\(\"\?>\".gzuncompress\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#\$headers = \"Alibaba:#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?php \@array_diff_ukey\(\@array\(\(string\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#\$auth = \$filter\(\@\$_COOKIE\[\'p1\'\]\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?php\s*if \(isset\(\$_REQUEST\[\'p1\'\]\)\) \{\s*eval\(stripslashes\(\$_REQUEST\[\'p1\'\]\)\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?php function(.*)=gzinflate\(base64_decode\((.*)\)\); for\(\$i=0;\$i<strlen\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#\'\]=Array\(base64_decode\(\'#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?php \(\$_=\@\$_GET\[2\]\).\@\$_\(\$_POST\[1\]\)\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#return stripslashes\(ltrim\(rtrim\(\$string\)\)\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#4297f44b13955235245b2497399d7a93#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?php \$a=\'bas\'.\'e6\'.\'4_d\'.\'ecode\';eval\(\$a\(\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#l = \"http:\/\/(.*)\" + r + \"&r=\" + document.referrer;\s*document.write\(\"<img src=\'\" + l + \"\'>\"\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+              elseif(preg_match('#<title>(.*)PORN(.*)</title>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                elseif(preg_match('#Login your email address below to view the document#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Google Docs Phishing)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#symlink\(\'\/home#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#local-root-exploit#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (local root)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+              elseif(preg_match('#my \$fakeproc\s*= \"\/usr\/sbin\/httpd\";#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#Server Scanner#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?\$x\d\d=\"(.*)\"; \$GLOBALS\[\'#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?php(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'(.*)\',\'\',(.*)\);(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#function\s*xViewState\(\)#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (function xViewState())</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\!\-\-start\-add\-div\-content\-\->#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (<!--start-add-div-content-->)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+              elseif(preg_match('#<\?php\s*if\(\W_GET\[\"(.*)\"\]==\"(.*)value=\"ok\"><\/form><\?php\s*\}\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#function\s*research_plugin\(\)(.*)eval\(base64_decode\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious WP plugin)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+              elseif(preg_match('#<chr\(ord\(\Wn\)\-1\);\}\s*\@error_reporting#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+              elseif(preg_match('#Exploit\s*failed#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (local root exploit)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                 elseif(preg_match('#for\s*i\s*in\s*\"uname\s*-a\"\s*\"mount\"\s*\"df\s*-h\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (server info grabber)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+              elseif(preg_match('#<\?php\s*\Wdomain\s*=\s*"(.*)header\(\"Location:\s*\Wurl\"\);\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious redirect)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+            elseif(preg_match('#move_uploaded_file\(\W_FILES\[\"file\"\]\[\"tmp_name\"\],\Wz\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                 elseif(preg_match('#str_replace\(\"w\",\"\",\"wstrw_wrewpwlwawcwe\"\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+            elseif(preg_match('#echo\s*\'\[vuln\]\';#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (exploit)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                elseif(preg_match('#echo"<font\s*color=\#FFFFFF>\[uname\]\".php_uname\(\).#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (server info grabber)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#if\(\Wresult\)\s*\{\s*echo\s*\'good\';\s*\}\s*else\s*\{\s*\'error\s*:\s*\'.\Wresult;\s*\}#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious mailer)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+               elseif(preg_match('#<\?php\s*\Wandroid\s*=\s*strpos\(\W_SERVER\[\'HTTP_USER_AGENT\'\],\"Android\"\);\s*\Wandroid_urls\s*=\s*array\s*\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious redirect)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                elseif(preg_match('#last\s*root\s*\(nst\)\s*last\s*root#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                 elseif(preg_match('#online\s*encode\s*by\s*cha88.cn\!#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#<title>SERVER\s*INFO<\/title>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#ZnZGZnZGZnZGZn#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#else\{\s*echo\s*\"sorry\s*file\s*didn\'t\s*chmoded\";\s*\}#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#\"\];exit\(\);\}error_404\(\);function\s*is_good_ip\(#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#\@system\(\"killall\s*-9\s*\".basename\(\"\/usr\/bin\/host\"\)\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#<\?php\s*\/\/\#\#\#==\#\#\#(.*)\/\/\#\#\#==\#\#\#\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                      elseif(preg_match('#<\?php\s*\$r76=\"F\[<PAlDf\|\]\}#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                        elseif(preg_match('#<\?php\s*include\(\'(.*)\.png\'\);\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CryptoPHP)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                      elseif(preg_match('#<\?php\s*include\(\'(.*)\.jpg\'\);\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CryptoPHP)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#<\?php\s*include\(\'(.*)\.gif\'\);\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CryptoPHP)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                      elseif(preg_match('#\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (GLOBALS backdoor)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#\$qV=\"stop_\"#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (qV stop backdoor)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#\$GD_get_img\s*=\s*\"p\"\.\s*\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Wordpress malicious plugin)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                        elseif(preg_match('#<\?php\s*\$array\s*=\s*array\(\'(.*)=\s*implode\(\"\"\,\s*\$array\)\;\$(.*)eval\(\$(.*)\)\)\)\);\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                      elseif(preg_match('#\#\!\/usr\/bin\/perl(.*)\#\s*Do\s*login\s*authentication\s*subroutine(.*)\#EOF#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Proxy opener)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                        elseif(preg_match('#<\?php\s*\$(.*);eval\(base64_decode\(gzuncompress\(base64_decode\(\$(.*)\)\)\)\);\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                     elseif(preg_match('#<\?php(.*)\$EmailTemporario\s*=\s*\$email\[\$i\];(.*)Safe\s*Mode:\s*<\?php\s*echo\s*\$safe_mode\s*=\s*\@ini_get\(\'safe_mode\'\);\s*\?>(.*)<\/form>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (info mailer)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#<\?php\s*\@ignore_user_abort\(true\);(.*)\@eval\(\$(.*)\@realpath\(\"\"\)\.DIRECTORY_SEPARATOR(.*)404\s*Not\s*Found(.*)\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown backdoor)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#\#\!\/usr\/bin\/perl\s*\-w\s*\'\'\=\~\(\'\(\?\{\'\.\(\'(.*)\'\)\.\'\$\/\}\)\'\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CGI shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                      elseif(preg_match('#<\?php\s*\/\*\*(.*)\$https_in\s*=\s*\"(.*)\"\);\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown backdoor)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#<html>\s*<head>(.*)if\(is_uploaded_file(.*)move_uploaded_file(.*)\?>\s*<\/body>\s*<\/html>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell uploader)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                    elseif(preg_match('#DK\s*Shell\s*\-#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (DK Shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                         elseif(preg_match('#<\?php\s*\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\,\"(.*)\"\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                    elseif(preg_match('#<\?php\s*\@ini_set\(\'max_execution_time\'\,0\);(.*)\}\}echo\s*\'rahui\#\'\,\$maxlen\,\'\#rahui\';\s*\?>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                         elseif(preg_match('#randomId(.*)Access\s*Denied(.*)wproPreviewHTML#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#md5\(IMAILpassword\)(.*)base64_decode#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                      elseif(preg_match('#value=\'Ввойти\'><br><\/form><br>вы\s*не\s*авторизованы\s*<\/center>#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                      elseif(preg_match('#ping(.*)ping_host(.*)browser_strings#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (proxy)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                       elseif(preg_match('#Help(.*)support(.*)=base64_decode\(\$create_function\(\'\$#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown backdoor)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+                      elseif(preg_match('#if\(isset\(\$_COOKIE\[\'google\'\]\)\)(.*)if\(strtolower\(substr\(PHP_OS\,0\,3\)\)==\'win\'\)\s*\$#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam script)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+
+                       elseif(preg_match('#class\s*RSSInitEx(.*)getCMS\(\)(.*)new\s*RSSInitEx\(\);#i', $tmp))
+    {
+        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
+        $counter_infected++;
+        if($print_infected || $print_all) print "\n";
+        continue;
+    }
+/* added July 2015 */
+elseif(preg_match('#\$this\-\>headers\s*\.=\s*\"Errors\-To\:\s*\{\$this\-\>from\}#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious mailer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#PRIV8#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#for\s*i\s*in\s*\"uname\s*\-a\"#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#Exploit\s*failed#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (local root)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#Suicide\(\'Windows\s*\-\s*Suicide\'\)\;\}#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Suicide shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#=\s*str\_replace\(\"w\"\,\"\"\,\"wstrw\_wrewpwlwawcwe\"\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious string replace)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\(\"x\"\,\s*\"\"\,\s*\"xbxasxex6x4x_xdexcoxde\"\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscated base64 strings)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\(\"s\"\,\"\"\,\"scsrsesatses_fsusnscstsisosn\"\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscated function create)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$i=strrev\(\"uoy yb dekcah\"\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (reversed string deface)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<font\s*color=\#FFFFFF>\[uname\]\"\.php_uname\(\)\.\"#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$result\s*=\s*mail\(stripslashes\(\$to\)\,\s*stripslashes\(\$subject\)\,\s*stripslashes\(\$message\)\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious mailer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$android\s*=\s*strpos\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\,\"Android\"\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (mobile redirect)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#last\s*\(all\s*users\)\s*\(nst\)\s*last\s*all#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#online\s*encode\s*by\s*cha88\.cn\!#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious encoder)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<title>Solutions\s*en\s*ligne\s*\-\s*AccèsD<\/title>#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (phishing)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<title>SERVER\s*INFO<\/title>#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$OUT=alfa\(\$OUT\);eval\(\$OOO0000O0\(\$OUT\)\);return;#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicous script)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$sys\s*=\s*strrev\(base64_decode\(\"bWV0U3lT\"\)\);\/\/system#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\}=\@unserialize\(base64_decode\(\$_POST\[\"#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\@system\(\"killall\s*\-9\s*\"\.basename\(\"\/usr\/bin\/host\"\)\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (WP bruteforcer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\@system\(\"\(crontab\s*\-l\|grep\s*\-v\s*crontab;echo;echo\s*\'\*\s*\*\s*\*\s*\*\s*\*\s*\"\.\$SCP\.\"\/1\.sh\'\)\|crontab\"\,\s*\$ret\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cron injection)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#function\s*GetWPFooterFNs\(\)#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (WP backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$tmp\s*=\s*\@fread\s*\(\$a\,\s*sprintf\s*\(\"\%u\"\,\s*\@filesize\s*\(\$a\)\)\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\(\"e\"\.\"va\"\.\"l\(\'#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (base64 obfuscation)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#title=\"Remote\s*Shell\">#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\/\/Obfuscation\s*provided\s*by\s*FOPO\s*-\s*Free\s*Online\s*PHP\s*Obfuscator\s*v1\.2\:#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscated - maybe malicious)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<\?php\s*\@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]\=\>1\)#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$file=\@\$_COOKIE\[\'Jlma3\'\];#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cookie backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$fc64=strip_tags\(str_replace\(\"\s*\"\,\"\"\,trim\(\$_GET\[\'fc\'\]\)\)\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<li><a\s*href=http\:\/\/(.*)<\/a><\/li>\s*<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam links)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#echo\s*base64_encode\(\'error\s*\:\s*\'\.\$result\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$i59\[#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$x74\[#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#if\s*\(get_magic_quotes_gpc\(\)\)\s*\{\s*\$wp=stripslashes\(\$wp\);\s*\}#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#my\s*\@dangercalls=qw\(#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious Perl)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<\?php\s*extract\(\$_COOKIE\);\s*\@\$F\&\&\@\$F\(\$A\,\$B\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cookie stealer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#copy\(\$_FILES\[\"upfile\"\]\[\"tmp_name\"\]\,\s*\$_FILES\[\"upfile\"\]\[\"name\"\]\)#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$back_connect=\"#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#add_action\(\'after_setup_theme\'\,\s*\'research_plugin\'\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (WP backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#document\.getElementById\(\'HideMeBetter\'\)#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam JS)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<\?php\s*\/\*\s*copyright\s*\*\/(.*)\/\*\s*copyright\s*\*\/ ?>#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#elseif\(strstr\(\$_0\,_203519383#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<div\s*style=\"position\:absolute;\s*left\:\-(.*)px;\s*top\:\-(.*)px;\"><a\s*href=\"http\:\/\/#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam links)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<\?php\s*eval\(\"\?>\"\.base64_decode\(\"#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$workdir\s*=\s*preg_replace\(\"\/\^www\W\.\/\"\,\s*\"\"\,\s*\$_SERVER\[\"HTTP_HOST\"\]\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam redirect)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<\?php\s*echo\s*eval\(base64_decode\(str_replace\(\'\*\'\,\'a\'\,str_replace\(\'\%\'\,\'B\'\,str_replace\(\'\~\'\,\'F\'\,str_replace\(\'\_\'\,\'z\'\,str_replace\(\'\$\'\,\'x\'\,str_replace\(\'\@\'\,\'d\'\,str_replace\(\'\^\'\,\'3\'\,str_rot13\(#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscator)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<\?php\s*if\(\@\$_COOKIE\[\'ft\'\]\)\{\$xww=\$_COOKIE\[\'ft\'\]\(\"\"\,\@\$_COOKIE\[\'st\'\]\(\@\$_COOKIE\[\'nk\'\]\)\);\$xww\(\);\}\?>#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#function\s*Decode\(\)\{var#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (JS malware)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<\?php\s*function\s*hex2str\(\$hex\)\s*\{\s*return\s*pack\(\'H\*\'\,\s*\$hex\);\s*\}\s*if\(\$_GET\[\'xhelp\'\]\)\s*\{\s*echo\s*\"<pre>\";\s*eval\(\$_GET\[\'xhelp\'\]\);\s*\}\s*if\(\$_GET\[\'hex\'\]\)\s*\{\s*\$payload=hex2str\(\$_GET\[\'hex\'\]\);\s*echo\s*\"<pre>\";\s*system\(\$payload\);\s*\}\s*\?>#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$z=get_option\(\"_site_transient_browser_(.*)\)\"\);\s*\$z=base64_decode\(str_rot13\(\$z\)\);\s*if\(strpos\(\$z\,\"C20F58DE\"\)\!\=\=false\)\{\s*\$_z=create_function\(\"\"\,\$z\);\s*\@\$_z\(\);\s*\}#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#Copyright7_20_127\(\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#eval\(\"\W\$x=gzin\"\.\"flate\(base\"\.\"64_de\"\.\"code\(\W\"#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$userAgents\s*=\s*array\(\"Google\"\,\s*\"Slurp\"\,\s*\"MSNBot\"\,\s*\"ia_archiver\"\,\s*\"Yandex\"\,\s*\"Rambler\"\)#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#for\(\$i=0;\s*\$i\s*<\s*strlen\(\$x\);\s*\$i\+\+\)\{\$(.*)=\"base64_decode\";return\s*\$#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#Upload Complete\!#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (insecure uploader)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\$query\s*=\s*base64_decode\(str_replace\(\'\s*\'\,\s*\'\+\'\,\s*\$_POST\[\'query\'\]\)\);#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (web proxy)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<\?php\s*\$wp__wp=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$wp__wp=\$wp__wp\(str_replace\("#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\#Coded\s*By\s*Pejvaknuse\s*Socket;#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (DDoSer)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#<\?php\s*\(\$www=\s*\$_POST\[\'yt\'\]\)\s*\&\&\s*\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s*\'add\'\);\?>#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+elseif(preg_match('#\.\"<html><head><title>404\s*Not\s*Found<\/title><\/head><body>#i', $tmp))
+{
+if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
+if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (hide behind 404 error)</font>";
+$counter_infected++;
+if($print_infected || $print_all) print "\n";
+continue;
+}
+
+    elseif($print_all) print "...OK\n";
+    unset($tmp);
+}
+echo "\n";
+print "Files checked: ".count($tree)."\n";
+print "Files suspected: ".$counter_suspected."\n";
+print "Files infected: ".$counter_infected."\n";
+    //print "Files cleaned: ".$counter_cleaned."\n";
+    //print "Clean errors: ".$counter_error."\n";
+    //print "Clean warnings: ".$counter_warning."\n\n";
+if($counter_suspected) print "NOTE: SUSPECTED DOESN'T MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK. \n\n";
+print "</pre>";
+unlink(__FILE__);
+exit;
+
+class e_file
+{
+    function get_files($path, $fmask = '', $omit='standard', $recurse_level = 0, $current_level = 0)
+    {
+        $ret = array();
+        if($recurse_level != 0 && $current_level > $recurse_level)
+        {
+            return $ret;
+        }
+        if(substr($path,-1) == '/')
+        {
+            $path = substr($path, 0, -1);
+        }
+
+        if(!$handle = opendir($path))
+        {
+            return $ret;
+        }
+        if($omit == 'standard')
+        {
+            $rejectArray = array('^\.$','^\.\.$','^\/$','^CVS$','thumbs\.db','.*\._$','null\.txt');
+        }
+        else
+        {
+            if(is_array($omit))
+            {
+                $rejectArray = $omit;
+            }
+            else
+            {
+                $rejectArray = array($omit);
+            }
+        }
+        while (false !== ($file = readdir($handle)))
+        {
+            if(is_dir($path.'/'.$file))
+            {
+                if($file != '.' && $file != '..' && $file != 'CVS' && $recurse_level > 0 && $current_level < $recurse_level)
+                {
+                    $xx = $this->get_files($path.'/'.$file, $fmask, $omit, $recurse_level, $current_level+1);
+                    $ret = array_merge($ret,$xx);
+                }
+            }
+            elseif ($fmask == '' || preg_match("#".$fmask."#i", $file))
+            {
+                $rejected = FALSE;
+
+                foreach($rejectArray as $rmask)
+                {
+                    if(preg_match("#".$rmask."#", $file))
+                    {
+                        $rejected = TRUE;
+                        break;
+                    }
+                }
+                if($rejected == FALSE)
+                {
+                    $finfo['path'] = $path."/";  // important: leave this slash here and update other file instead.
+                    $finfo['fname'] = $file;
+                    $ret[] = $finfo;
+                }
+            }
+        }
+        return $ret;
+    }
+
+    function get_dirs($path, $fmask = '', $omit='standard')
+    {
+        $ret = array();
+        if(substr($path,-1) == '/')
+        {
+            $path = substr($path, 0, -1);
+        }
+
+        if(!$handle = opendir($path))
+        {
+            return $ret;
+        }
+        if($omit == 'standard')
+        {
+            $rejectArray = array(
+              '^\.$',
+              '^\.\.$',
+              '^\/$',
+              '^CVS$',
+              'thumbs\.db',
+              '.*\._$',
+              'error_log',
+              '.*\.pdf',
+              '.*\.doc',
+              '.*\.xls',
+              '.*\.mp3',
+              '.*\.mov',
+              '.*\.mp4',
+              '.*\.flv',
+              '.*\.swf',
+              '.*\.ppt',
+              '.*\.log',
+              '.*\.zip',
+              '.*\.tar',
+              '.*\.gz',
+              '.*\.tar.gz',
+              '.*\.rar',
+              '.*\.exe',
+              '.*\.7z',
+              '.*\.webm',
+              '.*\.txt',
+              '.*\.csv',
+              '.*\.svg',
+              '.*\.wmv',
+              '.*\.iso',
+              '.*\.sql',
+              '.*\.db',
+              '.*\.psd',
+              '.*\.eps',
+              '.*\.ai');
+        }
+        else
+        {
+            if(is_array($omit))
+            {
+                $rejectArray = $omit;
+            }
+            else
+            {
+                $rejectArray = array($omit);
+            }
+        }
+        while (false !== ($file = readdir($handle)))
+        {
+            if(is_dir($path.'/'.$file) && ($fmask == '' || preg_match("#".$fmask."#", $file)))
+            {
+                $rejected = FALSE;
+                foreach($rejectArray as $rmask)
+                {
+                    if(preg_match("#".$rmask."#", $file))
+                    {
+                        $rejected = TRUE;
+                        break;
+                    }
+                }
+                if($rejected == FALSE)
+                {
+                    $ret[] = $file;
+                }
+            }
+        }
+        return $ret;
+    }
+
+    function rmtree($dir)
+    {
+        if (substr($dir, strlen($dir)-1, 1) != '/')
+        {
+            $dir .= '/';
+        }
+        if ($handle = opendir($dir))
+        {
+            while ($obj = readdir($handle))
+            {
+                if ($obj != '.' && $obj != '..')
+                {
+                    if (is_dir($dir.$obj))
+                    {
+                        if (!$this->rmtree($dir.$obj))
+                        {
+                            return false;
+                        }
+                    }
+                    elseif (is_file($dir.$obj))
+                    {
+                        if (!unlink($dir.$obj))
+                        {
+                            return false;
+                        }
+                    }
+                }
+            }
+
+            closedir($handle);
+
+            if (!@rmdir($dir))
+            {
+                return false;
+            }
+            return true;
+        }
+        return false;
+    }
+
+}
+?>