Upload files to ''

Malin 2016-09-22 09:46:19 +02:00
parent 68d1202a78
commit 151df82b33
5 changed files with 1605 additions and 0 deletions

625
clean.php Normal file

@ -0,0 +1,625 @@
<?php
/**
* Malware cleaner
* Modified by Malin Cenusa (original code by Nino Paolo Amarillento)
* Version: 1.1
* malin.cenusa@lunarpages.com
*
*
*/
ini_set('memory_limit','512M'); // If you have memory_limit problem just adjust to a higher value, like 256M
set_time_limit(0);
ob_start();
// header("Content-type:text/plain");
$root = "../";
$aPattern = array(
"eval\(base64_decode\(\'aWYgKGlzc2V0KCRfUE9TVFsienoxIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30=\'\)\)",
"<\?php\s*\W.*([a-zA-Z0-9]{5}).*=\s*array\((.*)function_exists\(\"(.*)\);\}\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{10}).*\s*=\s*\'(.*)\/epreg_replace(.*)explode\(chr\(\((.*)-1; ?>",
"<script\s*type=\"text\/javascript\"\s*src=\"http:\/\/ftp\.sanatoriomayosa\.com\.ar\/zdKrgP8p\.php\Wid=(.*)\"><\/script>",
"<\?php\s*\W(.*)=\s*array\(\'(.*)=\s*array\(\'(.*)=\s*array\(\'(.*)==\";if\s*\(\Wfunction_exists\(\"(.*)\);\}\?>",
"<\!--.*([a-zA-Z0-9]{6}).*--><script\s*type=\"text\/javascript\"\s*src=\"http\:\/\/centexcomputer.com\/(.*)\"><\/script><\!--\/.*([a-zA-Z0-9]{6}).*-->",
"eval\(base64_decode\(\W_POST\[\'.*([a-zA-Z0-9]{7}).*\'\]\)\);",
"<iframe\s*width=\"10\"\s*height=\"10\"\s*src=\"http:\/\/(.*)\"\s*frameborder=\"0\"><\/iframe>",
"<script\s*type=\"text\/javascript\">\s*\(function\(\)\{var\s*agent\s*\=\s*navigator\.userAgent;(.*)\{location\.href\s*\=\s*\'http\:\/\/bit\.ly\/1aMmdYs\';\}\}\)\(\)\s*<\/script>",
"<script\s*type=\"text\/javascript\">if\(document.loaded\)\s*\{\s*showBrowVer\(\);(.*)js_kod2\);\s*\}\s*\}\s*\}<\/script>",
"<\?php\s*\/\/\s*The\s*JS\s*here(.*)Eabi.p\!\'\s*\)\s*\);",
"<embed\s*src\=\"http:\/\/(.*)\"\s*type=\"application\/x-shockwave-flash\"\s*wmode=\"transparent\"\s*width=\"1\"\s*height=\"1\"><\/embed>",
"ErrorDocument(.*)http\:\/\/congatarcxisi.ru\/mays\/index.php",
"<iframe\s*width=\"10\"\s*height=\"10\"\s*src=(.*)frameborder=\"0\"><\/iframe>",
"<iframe(.*)nioxox(.*)iframe>",
"<\?php\s*if\s*\(\Wisset(.*)aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRIL3N0YXQucGhw(.*)stCurlHandle\);\s*\}\s*\}\s*\?>",
"<iframe\s*src=\"(.*)\"\s*height=\"0\"\s*width=\"0\"\s*style=\'visibility:\s*hidden\'><\/iframe>",
"<?php(.*)4125a73128a5bc472091d99126855415(.*)exit\(\)\;\s*\}\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{5}).*=\s*\"(.*)exit\(\);\s*\}\s*\?>",
"<script\s+?src=http:\/\/photopost\.co\.kr\/iphotodown\/ebindexp\.php\s+?>",
"<\?php\s*\W.*([a-zA-Z0-9]{4}).*=\s*\"(.*)echo\s*\W.*([a-zA-Z0-9]{6}).*;\s*exit\(\);\s*\}\s*\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{10}).*=\s*\'(.*)=\W.*([a-zA-Z0-9]{10}).*-1;\s*\?>",
"<iframe\s*src=\"http\:\/\/(.*)\/counter.php\"\s*style=\"visibility:\s*hidden;\s*position:\s*absolute;\s*left:\s*0px;\s*top:\s*0px\"\s*width=\"10\"\s*height=\"10\"\/>",
"<\!DOCTYPE(.*)BreezeBrowser(.*)printFullsizeContent\(\)(.*)<\/html>",
"<script\s*language=\"javascript\">\s*var\s*\_0x2b7d(.*)0x2b7d\[8\]\]\(hs\);\s*<\/script>",
"<iframe\s*src=\"http\:\/\/(.*)ini\.php\"\s*width=\"1\"\s*height=\"1\"\s*frameborder=\"0\"><\/iframe>",
"<\?PHP\s*\/\*\s*GNU(.*)gnu=false;\s*\}\s*\?>",
"\#c3284d\#(.*)\#\/c3284d\#",
"<\?php\s*if\s*\(isset\(\W_POST\[\"code\"\]\)\)\s*eval\(base64_decode\(\W_POST\[\"code\"\]\)\);\s*\?>",
"<\?\Wtds\=\"http\:\/\/(.*)\}\?>",
"<IfModule\s*mod_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{HTTP_REFERER\}\s*\^\.\*\(google\|ask\|(.*)RewriteRule\s*\^\(\.\*\)\W\s*http\:\/\/datinginstallshield.ru\/pavilion\?8\s*\[R\=301,L\]",
"<\?\Wtds\=\"http\:\/\/(.*)echo\s*\Wx;\}\?>",
"<\?PHP\s*defined\(\'_OLD_JEXEC_\'\)\s*or\s*die\(@eval\(base64_decode\(\W_REQUEST\[\'(.*)\'\]\)\)\);\s*\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{5}).*\s*=\s*\"(.*)exit\(\);\s*\}\s*\?>",
"^<\?php\s*\Whaikzdiigp(.*)quegvtluws\-1;\s*\?>",
"\/\*.*([a-zA-Z0-9]{6}).*\*\/(.*)\/\*\/.*([a-zA-Z0-9]{6}).*\*\/",
"\/\*63aef4\*\/(.*)\/\*\/63aef4\*\/",
"<\?PHP\s*\/\/Authentication(.*)eval\(gzinflate\(base64_decode\((.*)8A\'\)\)\);\s*\?>",
"<\?\s*error_reporting\(0\);\W\w=\(isset\(\W_SERVER\[\"HTTP_HOST\"\]\)(.*)curl_exec\(\W\w\w\);curl_close\(\W\w\w\);eval\(\W\w\);\};die\(\);\s*\?>",
"RewriteCond\s*\%\{HTTP_USER_AGENT\}\s*android\s*\[NC\,OR\](.*)\.php\s*\[L\,R\=302\]",
"<\?php(.*)if\(isset\(\W_REQUEST\[\'(.*)eval\((.*)exit\(\);\s*\}\s*if\(isset\(\W_REQUEST\[\'(.*)fopen\((.*)fwrite\((.*)fclose\((.*)exit\(\);\s*\}\s*\?>",
"<\!\-\-1c1c7d\-\->(.*)<\!\-\-\/1c1c7d\-\->",
"<script>\s*var\s*x\s*=\s*\'h\'\s*\+\s*\'t\'\s*\+\s*\'t\'\s*\+\s*\'p\'(.*)\'m\'\s*\+\s*\'e\'\s*\+\s*\'>\'\);\s*<\/script>",
"\#\#\#\#\#\#\#\#GET\#\#\#\#\#\#\#(.*)\.ru\s*\[L\,R\=302\]",
"<iframe\s*name\=Twitter(.*)<\/iframe>",
"ErrorDocument(.*)http\:\/\/msn.com",
"<IfModule\s*mod_rewrite\.c>(.*)msn\.com\s*\[R\=301\,L\]\s*<\/IfModule>",
"try\{if\(window\.document\)\-\-document\.getElementById\(\'12\'\)(.*)\/\*\/d04bb5\*\/",
"<u\s*style\=\"left\:\s*\-(.*)<\/u>",
"########GET#######(.*)gerania\.ru\s*\[L\,R\=302\]",
"<\?php\s*#(.*)#\s*\?>",
"<\?\Wtds\=\"http\:\/\/(.*)\{echo\s*\Wx;\}\?>",
"<\?php\s*\#c4e573\#(.*)\#\/c4e573\#\s*\?>",
"<\?php\s*define\(\'CONFIG_FILE\'\,\s*\'\/images\/config\.db\'\);(.*)process\(\);\s*\?>",
"<\!\-\-05f6a(.*)<\/script><\!\-\-05f6a42413abf89b36479144725bcc597bkmr0naf2i4od6f\-\->",
"\#767b55\#(.*)\#\/767b55\#",
"\#f879e8\#(.*)\#\/f879e8\#",
"<\?php\s*\W\_\s*\=\s*strrev\(\"tress\Wx61\"\);(.*)073\"\);\s*\?>",
"ument;for\(i\=0(.*)apply\(ss\,a\)\);<\/script>",
"\,167\,155\,170(.*)apply\(ss\,a\)\);<\/script>",
"147\,163\,163(.*)\/\*\/f82c4e\*\/",
"\/\*f82c4e\*\/(.*)\/\*\/f82c4e\*\/",
"\}147\,163\,163(.*)\/\*\/f82c4e\*\/",
"<\!\-\-d68107\-\->(.*)<\!\-\-\/d68107\-\->",
",151,170(.*)eval\(ss\[\"fromCharCode\"\].apply\(ss,a\)\);<\/script>",
"<img\s*id=\"hidadvnet\"(.*)centralrxmall\.com\/\';\">",
"<\?\s*\#17da00\#(.*)\#\/17da00\#\s*\?>",
"<iframe\s*src\=\"http\:\/\/(.*)\"\s*height\=1\s*width\=1\s*frameborder\=0><\/iframe>",
"<\?php\s*if\(\W_GET\[\'(.*)\'\]==\"(.*)\"\)\{\s*eval\(base64_decode\(\W_POST\[\'(.*)\'\]\)\);\s*exit;\s*\}\s*\?>",
"<\?php\s*if\(md5\(\W_COOKIE\[\'_wp_debugger\'\]\)==\"69d8bf808cff565a2e89942f5bc3a94e\"\)\{\s*eval\(base64_decode\(\W_POST\[\'file\'\]\)\);\s*exit;\s*\}\s*\?>",
"<script\s*language\=\"JavaScript\"\s*src\=\"http\:\/\/stummann\.net\/steffen\/google\-analytics\/jquery\-1\.6\.5\.min\.js\"\s*type\=\"text\/javascript\"><\/script>",
"<\!\-\-339810\-\->(.*)<\!\-\-\/339810\-\->",
"<\?php\s*session_start\(\);(.*)cwd\s*\=\s*getcwd\(\)\.DIRECTORY_SEPARATOR;(.*)function\s*mailf\((.*)80<\/address>\Wn<\/body>\Wn<\/html>\";\}\s*\?>",
"<html><head>\s*<title>404\s*Not\s*Found<\/title>(.*)UDP\s*flood\s*completed\s*with(.*)die\(\"\Wnbsp;\"\);\s*}\s*\?>",
"<\!\-\-2d3965\-\->(.*)<\!\-\-\/2d3965\-\->",
"<\?php\s*eval\(\"\?>\"\.base64_decode\(\"IDxkaXY(.*)9kaXY\+\"\)\)\;\s*\?>",
"<script>function\s*c3257948b3q49f99fc8e80fa\(q49f99fc8e88c3\)(.*)\(q49f99fc8ea033\(q49f99fc8ed6df\)\);<\/script>",
"\#\!\/usr\/bin\/perl\s*\W\?\?s\:\;s\:s\;\;\W\?\:\:s\;\(\.\*\)(.*)\_rs\}\&a\-\h\;\;s\;\(\.\*\)\;\W\_\;see\;",
"<\!\-\-32f02e\-\->(.*)<\!\-\-\/32f02e\-\->",
"<\?php\s*\/\*(.*)\*\/\s*function\s*xmail\s*\(\)(.*)return\s*\Wo\;\}\?>",
"Options\s*\-MultiViews\s*ErrorDocument\s*404\s*\/\/(.*)\.php",
"<script\s*type\=\"text\/javascript\"\s*language\=\"javascript\">\s*tqrjmw\=document\;cxlr\=(.*)<\/script>",
"\/\*2d3965\*\/(.*)\/\*\/2d3965\*\/",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^.\*\(google\|ask\|yahoo\|yandex\|ya\|baidu\|(.*)\!\/phpinfo\.php\s*RewriteRule\s*\(\.\*\)\s*\/phpinfo\.php\?query\=\W1\s*\[QSA\,L\]\s*<\/IfModule>",
"<\?php\s*\/\*(.*)\*\/\s*eval\(gzinflate\(base64\_decode\(\'(.*)\'\)\)\)\;\?>",
"<\!\-\-2d3965\-\->(.*)<\!\-\-\/2d3965\-\->",
"\#a9a007\#(.*)\#\/a9a007\#",
"<\?php\s*\/\*b97227(.*)8d1zyyx\*\/\s*\?>",
"<\!\-\-b97227(.*)8d1zyyx\-\->",
"<\!\-\-a9a007\-\->(.*)<\!\-\-\/a9a007\-\->",
"\/\*74ed9f\*\/(.*)\/\*\/74ed9f\*\/",
"\/\*a9a007\*\/(.*)\/\*\/a9a007\*\/",
"<\!\-\-0f868c\-\->(.*)<\!\-\-\/0f868c\-\->",
"<\?php\s*\WSERVER_UNIQUE_LOAD_BALANCE\s*\=\s*strrev\((.*)SERVER_UNIQUE_LOAD_BALANCE\(current\(\W_REQUEST\)\)\)\;",
"<script>z=\"y\";vz=\"d\"\+\"oc\"\+\"ument\"(.*)zaz=za;e\(zaz\);\}<\/script>",
"<\!\-\-\s*\~\s*\-\->(.*)<\!\-\-\s*\~\s*\-\->",
"\#17da00\#(.*)\#\/17da00\#",
"\/\*17da00\*\/(.*)\/\*\/17da00\*\/",
"<\!\-\-d04bb5\-\->(.*)<\!\-\-\/d04bb5\-\->",
"\#0f2490\#(.*)\#\/0f2490\#",
"\/\*0f2490\*\/(.*)\/\*\/0f2490\*\/",
"\#d04bb5\#(.*)\#\/d04bb5\#",
"\/\*d04bb5\*\/(.*)\/\*\/d04bb5\*\/",
"<\!\-\-950459\-\->(.*)<\!\-\-\/950459\-\->",
"<\?php(.*)\=\@create\_function\((.*)\,\'ev\'\.\'al\'\.(.*)\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s*bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\((.*)\)\;\?>",
"\#9269ad\#(.*)\#\/9269ad\#",
"bv\=\(5\-3\-(.*)za\(s\)\}<\/script>",
"<\!\-\-0f2490\-\->(.*)<\!\-\-\/0f2490\-\->",
"<\?(.*)vBulletin\s*3\.1\.9(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\.\"\)\;",
"\#\s*Netscape\s*HTTP\s*Cookie\s*File(.*)<\?eval\(stripslashes\(array\_pop\(\W\_POST\)\)\)\?>\s*1",
/* "<\?php(.*)preg\_replace\(\"\/\.\*\/\e\"\,\"(.*)\"\,\"\.\"\)\;\?>", */
"GIF89a1\s*GIF89GHZ\s*<\?php\s*eval\s*\(gzinflate\(base64\_decode\(str\_rot13\(\"(.*)\"\)\)\)\)\;\s*\?>",
"GIF89a1\s*<\?php\s*eval\(\"\?\>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>",
"GIF89a1\s*<\?php\s*eval\(base64\_decode\(\'(.*)\'\)\)\;echo\(\'(.*)\'\)\;\?>",
"<\?error\_reporting\(0\)\;\Whost\=urldecode\(\W\_GET\[\'ho\'\]\)(.*)fclose\(\Whttp\)\;die\(\)\;\}\?>",
"<\?error\_reporting\(0\)\;\Whost\=urldecode\(\W\_COOKIE\[\'ho\'\]\)(.*)socket\_close\(\Wsocket\)\;\}die\(\)\;\}\s*\?>",
"GIF89a1\s*<\?php\s*eval\(stripslashes\(\@\W\_POST\[\(chr\(112\)\.chr\(49\)\)\]\)\)\;\?>",
"<\?php\s*\WGLOBALS\[\'(.*)\'\]\=Array\(base64\_decode\((.*)\)\)\;\}\s*\?>",
"<\!\-\-\#1h8s0a1m\-\->(.*)<\!\-\-\#1h8s0a1m\-\->",
"<\!\-\-0c0896\-\->(.*)<\!\-\-\/0c0896\-\->",
"\#0c0896\#(.*)\#\/0c0896\#",
"\/\*0c0896\*\/(.*)\/\*\/0c0896\*\/",
"<\?php\s*\Wauth\_pass(.*)\"\,\"\.\"\)\;\s*\?>",
"<\?php\s*\Wauth\_pass(.*)exit\;",
"<\?php(.*)me\s*\=\s*basename\(\_\_FILE\_\_\)\;(.*)function\s*reload\(\)\{header\(\"Location\:\s*\"\.basename\(\_\_FILE\_\_\)\)\;\}(.*)\"\,\'\.\'\)\;\?>",
"<\?php(.*)strrev\(\"edoced\_46esab\"\)\;(.*)\'\)\)\)\)\;\s*\?>",
"<\?php\s*\Ws\_key\=\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;eval\(\Ws\_key\(\"(.*)\=\"\)\)\;\s*\?>",
"<\!\-\-Support\s*links\s*begin\-\->(.*)<\!\-\-Support\s*links\s*end\-\->",
"<\!\-\-f82c4e\-\->(.*)<\!\-\-\/f82c4e\-\->",
"<\?php\s*\Wzend_framework\=\"(.*)x2f\"\)\;\s*\?>",
"\Wcookey\s*\=\s*(.*)preg_replace(.*)x3b\"\)\;",
"<\?php\s*\/\*\s*\<\<Mr\.DevilHacker\>\>\s* dvhma\@yahoo.com\*\/\s*eval\(\"\?\>\"\.gzuncompress\(base64\_decode\((.*)mail\s*\(\Wto\,\Wsubject\,\Wmessage\)\s*;\s*",
"<form\s*action\=\"\"\s*method\=\"POST\"\>(.*)ProGraMmeD(.*)SrawLkom\s*\:\s*\)\s*\.\s*\<\/p\>\s*\<p\>\Wnbsp\;\s*\<\/p\>",
"^if\(isset(.*)auth_pass\=(.*)FilesMan(.*);preg_replace\((.*);exit;\s*\}$",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'rV(.*)qLw\=\=\'\)\)\)\;\?>\s*",
"<\?php\s*if\s*\(\Wisset\(\WsRetry\)\)(.*)stCurlLink\s*\=\s*base64\_decode\(\s*(.*)curl_close\(\WstCurlHandle\);\s*\}\s*\}\s*\?>",
"<\!\-\-d0e3a6\-\->(.*)<\!\-\-\/d0e3a6\-\->",
"<\?php\s*\Wzend_framework\=(.*)x2f\"\)\;\s*\?>",
"eval\(gzinflate\(base64_decode\('rVdtU9tIEv7sVO1(.*)wv'\)\)\);",
"#0242d5#(.*)#\/0242d5#",
"<iframe\s*src\=http\:\/\/sexshopsexy\.es\/waser\.html\s*WIDTH\=1\s*HEIGHT\=1\s*frameborder\=0><\/IFRAME>",
"if\(isset(.*)\=sprintf\(\(substr\(urlencode\(print\_r\(array(.*)eval\(\Wd\)\;\s*\}",
"ErrorDocument\s*500\s*http\:\/\/cylinderssoundsyou\.portuguesemx\.info\/benrataz\.cgi\W\d",
"document\.write\(\'<iframe\s*src\=\"http\:\/\/cylinderssoundsyou.portuguesemx.info\/benrataz\.cgi\W\d\"\s*scrolling\=\"auto\"\s*frameborder\=\"no\"\s*align\=\"center\"\s*height\=\"12\"\s*width\=\"12\"><\/iframe>\'\)\;",
"<script\s*language\=\"JavaScript\"\s*src\=\"http\:\/\/abtt\.tv(.*)jquery\-1\.6\.5\.min\.js\"\s*type\=\"text\/javascript\"><\/script>",
"#0c0896#(.*)#\/0c0896#",
"<\!\-\-0c0896\-\->(.*)<\!\-\-\/0c0896\-\->",
"\/\*0c0896\*\/(.*)\/\*\/0c0896\*\/",
"<\?php(.*)auth\_pass\=(.*)FilesMan(.*)preg\_replace(.*)exit\;\s*\}\s*\?>",
"<\?php\s*if\(isset(.*)d\=substr(.*)foreach\(array(.*)sprintf\(\(substr\(urlencode\(print\_r\(array(.*)\?>",
"<\?php\s*\/\*\s*copyright\s*\*\/(.*)\=base64_decode(.*)exit\;\}\s*\/\*\s*copyright\s*\*\/\s*\?>",
"<\?php\s*\/\*(.*)\*\/eval\/\*(.*)\*\/base64_decode\/\*(.*)\*\/\s*\?>",
"<\?php eval\(base64_decode\(\"DQoNCn(.*)o=\"\)\); \?>",
"RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^\.\*\(google(.*)index\_backup\.php\s*\Wquery\=\W1\s*\[QSA\,L\]",
"RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^\.\*\(google(.*)index\_backup\.php\s*\[R\=301\,L\]",
"<\?php\s*eval\(base64\_decode\(\"DQoN(.*)0KDQo\=\"\)\)\;\s*\?>",
"<iframe\s*src\=\"http\:\/\/(.*)\/\"\s*width\=\"4\"\s*height\=\"2\"><\/iframe>",
"<\?\s*#0242d5#(.*)#\/0242d5#\s*\?>",
"<\?php\s*\/\*\.\~\.\~\.\~\.\*\/(.*)\/\*\.\~\.\~\.\~\.\*\/\s*\?>",
"<\?php\s*?\/\*\*\/\s*?eval\(base64_decode\(\"aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9z(?:.+?)ICB9ICB9\"\)\);\?>",
"\s*?(?:\/\*\*\/\s*?)?eval\((?:gzinflate\()?base64_decode\(['\"]DQplcnJvcl9yZXBvcn(?:.+?)QoKTsNCn0NCn0NCn0NCn0=['\"]\)(?:\))?\);",
"<?php\s+\/\*\*\/\s+eval\(base64_decode\(['\"]aWYoZnVuY3(?:.*?)CB9ICB9['\"]\)\);?>",
"<\?\s*\#bf760a\#(.*)\#\/bf760a\#\s*\?>",
"eval\(base64_decode\([\'\"]DQp(?:.*)?[\'\"]\)\);",
"<\?php\s*\/\*\*\/\s*eval\(base64\_decode\(\"aWYoZnV(.*)CB9ICB9\"\)\)\;\?>",
"<!-- 4ccd15b6d4 -->(.*)<!-- 4ccd15b6d4 -->",
"\;var\s*\_1O0\=\'\=\=(.*)eval\(ll0\(lOl\(\_1O0\)\)\)",
"\s*eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);",
"<iframe\s*src\=\"http\:\/\/riversidetransit\.com\/counter\.php\"\s*style\=\"visibility\:\s*hidden\;\s*position\:\s*absolute\;\s*left\:\s*0px\;\s*top\:\s*0px\"\s*width\=\"10\"\s*height\=\"10\"\/>",
"\#d93065\#(.*)\#\/d93065\#",
"\/\*9c282e\*\/(.*)\/\*\/9c282e\*\/",
"var\s*\_0x4470\=(.*)\(\_0x4470\[1\]\)\,0\,\{\}\)\)\;",
"ErrorDocument\s*400\s*http\:\/\/(.*)\W\d",
"<\?\s*error\_reporting\(0\)(.*)if\(\(include\(base64\_decode\(\"aHR0cDovL2Fkcy4\=\"\)(.*)\)\;\}\;\s*\?>",
"ErrorDocument\s*404\s*\/\/(.*)\.php",
"<\?\s*\#0242d5\#(.*)\#\/0242d5\#\s*\?>",
"<title>\s*Alien\s*\-\s*UFO\s*\-\s*<\?php\s*echo\s*getenv\(\"HTTP_HOST\"\)\;\s*\?><\/title>(.*)print\s*\"<pre><center>UpLoad\s*Error\!<\/center><\/pre>\"\;(.*)\?><\/body><\/font><\/font><\/b><\/font>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^\.\*\(google\|ask\|yahoo\|yandex(.*)RewriteRule\s*\(\.\*\)\s*\/index\_backup.php\Wquery\=\W1\s*\[QSA\,L\]\s*<\/IfModule>",
"<\?\s*\WGLOBALS\[\'(.*)\=Array\(base64\_decode\(.*",
"<\?php\s*\@error\_reporting\(0\)\;\s*\@set\_time\_limit\(0\)\;\s*\Wstr\=\s*\"(.*)\"\;\s*eval\(GzInFlate\(Str\_Rot13\(Base64\_decode\(\Wstr\)\)\)\)\;\s*\?>",
"<script\s*type\=\"text\/javascript\"\s*src\=\"http\:\/\/(.*)\.php\"><\/script>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'1V(.*)\'\)\)\)\;\s*\?>",
"\#0242d5\#(.*)\#\/0242d5\#",
"<\!\-\-0242d5\-\->(.*)<\!\-\-\/0242d5\-\->",
"RewriteCond\s*\W\{HTTP\:X\-WAP\-PROFILE\}\s*\!\^\W\s*\[OR\](.*)RewriteCond\s*\W\{HTTP\_ACCEPT\}\s*text\/vnd\.wap\.wml\s*\[NC\]\s*RewriteRule\s*\^\(\.\*\)\s*http\:\/\/(.*)\[L\,R\=302\]",
"<\?\s*\#0242d5\#(.*)\#\/0242d5\#\s*\?>",
"<iframe\s*name\=Twitter\s*scrolling\=auto\s*frameborder\=no\s*align\=center\s*height\=2\s*width\=2\s*src\=http\:\/\/(.*)\.html(.*)><\/iframe>",
"document\.write\(\'<iframe\s*name\=Twitter\s*scrolling\=auto\s*frameborder\=no\s*align\=center\s*height\=2\s*width\=2\s*src\=http\:\/\/(.*)\.html(.*)><\/iframe>\'\)\;",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteBase\s*\/\s*RewriteCond\s*\W\{HTTP\_REFERER\}\s*\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)\s*RewriteCond\s*\W\{HTTP\_HOST\}\/\W1\s*\!\^\[w\.\]\*\(\[\^\/\]\+\)\/\D\W\s*\[NC\]\s*RewriteRule\s*\^\.\*\W\s*http\:\/\/(.*)\.html(.*)\[L\,R\]\s*<\/IfModule>",
"\#b5bee1\#(.*)\#\/b5bee1\#",
"\/\*b5bee1\*\/(.*)\/\*\/b5bee1\*\/",
"<\!\-\-b5bee1\-\->(.*)<\!\-\-\/b5bee1\-\->",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'fVdtc9pGEP7czPQ(.*)x5V8\=\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'hVfrc9pGEP(.*)wI\=\'\)\)\)\;\?>",
"<script\s*language\=\"JavaScript\"\s*type\=\"text\/javascript\"><\!\-\-\s*var(.*)\;eval\(unescape\(\"(.*)\;document\.write\(u\)\;u\=\"\"\;\/\/\-\->\s*<\/script>",
"<\?PHP\s*defined\(\'\_OLD\_JEXEC\_\'\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;\s*\?>",
"<\?php\s*if\(isset\(\W\_REQUEST\[\"(.*)\"\]\)\)\s*\{\s*eval\(base64\_decode\(\W\_REQUEST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}\s*else\s*\{\s*die\(\"404\s*Not\s*Found\"\)\;\s*\}\?>",
"function\_exists\(\'date\_default\_timezone\'\)\s*\?\s*date\_default\_timezone\_set\(\'America\/Los\_Angeles\'\)\s*\:\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\;",
"<\?PHP\s*define\(\'REAL\_SERVER\_ROOT\'\,\s*\'SERVER\'\)\;\s*\/\/DIR(.*)define\(\'SYSTEM\_SKEL\_DIR\'\,\s*\'skel\'\)\s*\?\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\:(.*)define\(\'WORKGROUPS\_META\_SETTINGS\_FILENAME\'\,\s*\'settings.xml\'\)\;\s*\?>",
"<\?php\s*echo\s*\'<b>Sw\s*Bilgi<br><br>\'\.php\_uname\(\)\.\'<br><\/b>\'\;(.*)else\s*\{\s*echo\s*\'<b>Basarisiz<\/b><br><br>\'\;\s*\}\s*\}\s*\?>",
"<\?php\s*preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\"\)\;\s*\?>",
"<\?php\s*\Wauth\_pass\s*\=\s*\"(.*)\"\s*\Wcolor\s*\=\s*\"(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\.\"\)\;\?>",
"\#GIF89\;<br><br>\s*<Hmei7>\s*<\?php\s*if\s*\(\s*isset\(\W\_GET\[\'versi\'\]\)\s*\)\'s*\{\s*vers\(\)\;(.*)fff\s*\=\s*fopen\(\'\.\/images\/\'\.\Wnama\,\s*\'w\'\)\;\s*fwrite\(\Wfff\,\s*\Wtmp\)\;\s*fclose\(\Wfff\)\;\s*\}\s*\?>",
"<\?php\s*if\(\!empty\(\W\_FILES\[\'message\'\]\[\'name\'\]\)\s*AND\s*\(md5\(\W\_POST\[\'nick\'\]\)\s*\=\=(.*)<br\/>Nick\:\s*<br\/><input\s*name\=\"nick\"\s*value\=\"\"\/><br\/>\s*<input\s*type\=\"submit\"\s*value\=\"Sent\"\s*\/>\s*<\/form>\s*<\/body>\s*<\/html>\'\;",
"<\!\-\-0c45ef\-\->(.*)<\!\-\-\/0c45ef\-\->",
"<\?php\s*\Wis\_bot\s*\=\s*FALSE\s*;\s*\Wuser\_agent\_to\_filter\s*\=\s*array\(\s*\'\#fileuploads\#\'\)\s*\;(.*)<title>404\s*Not\s*Found<\/title>\s*<\/head><body>\s*<h1>Not\s*Found<\/h1>\s*<\/body><\/html>\s*\'\;\s*\?>",
"<\?php\s*eval\(base64\_decode\(\'c2Vzc2lvbl9zdGFydCgpOw(.*)klzQ3JlYXRlIik7Cn0\=\'\)\)\;\s*\?>",
"<\?php\s*\Wd\=substr\(8\,1\)\;foreach\(array\((.*)d\.\=sprintf\(\(substr\(urlencode\(print\_r\(array\(\)\,1\)\)\,5\,1\)\.c\)\,\Wc\)\;\}eval\(\Wd\)\;exit\;\s*\?>",
"if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}php\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}",
"<\?php\s*\Whost\s*\=(.*)eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\((.*)curl\_close\(\Wch\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdK1EqzYAkDRf5noThFA410TAQd3l(.*)w\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*\/\/Counter\s*V\.1\.25\s*\/\/Generated\s*by\s*server\s*\/\/Do\s*not\s*delete\s*eval\(gzuncompress\(base64\_decode\(\'eF6FUlFLwzAY(.*)LPD5x\'\)\)\)\;\s*\?>",
"<\?php\s*if\s*\(\!isset\(\WsRetry\)\)\s*\{\s*global\s*\WsRetry\;(.*)stCurlLink\s*\=\s*base64\_decode\(\s*\'aHR0cDovL2NvbnFzdGF0LmNvbS9zdGF0L3N0YXQucGhw\'\)\.\'\?(.*)curl\_close\(\WstCurlHandle\)\;\s*\}\s*\}\s*\?>",
"<\!\-\-\s*linkslspw\s*\-\->(.*)<\!\-\-\s*linksbmtr\s*\-\->",
"<\?php\s*\/\*\s*This\s*file\s*is\s*protected(.*)\*\/\WOOO000000\=urldecode\(\'\%66\%67(.*)GLOBALS\[\'OOO0000O0\'\]\(\'JE8wMDBPME8(.*)\=alVnRPIq",
"<\?\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}\s*\?>",
"<\?php\s*if\(isset\(\W\_GET\[\"(.*)\"\]\)\)\{\s*\Wauth\_pass\=\"\"\;\Wcolor\=\"\#df5\"\;\Wdefault\_action\=\"FilesMan\"(.*)7X1re9s2z(.*)x3B\"\,\"\.\"\)\;\s*exit\;\s*\}\s*\?>",
"<\?php\s*if\(\!empty\(\W\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s*\{\s*\Wv2045f746\s*\=\s*array\(\"Google\"\,\s*\"Slurp\"\,\s*\"MSNBot\"(.*)return\s*\Wve04aa510\s*\;\s*\}\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ1rtwKAADvkiqRCzMpSmFm5m2(.*)R8\=\"\)\)\)\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteBase\s*\/\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)\s*RewriteCond\s*\%\{HTTP\_HOST\}\/\%1\s*\!\^\[w\.\]\*\(\[\^\/\]\+\)\/\W1\W\s*\[NC\]\s*RewriteRule\s*\^\.\*\W\s*http\:\/\/(.*)\[L\,R\]\s*<\/IfModule>",
"<\?php\s*if\s*\(isset\(\W\_POST\[\'(.*)\'\]\)\)\s*\{\s*eval\(\W\_POST\[\'(.*)\'\]\)\;\s*\}\;\s*\?>",
"<\?php\s*eval\(base64\_decode\(\'ZXJyb3JfcmVwb3(.*)VcbiIpOwp9Cn0KfQo\=\'\)\)\;\s*\?>",
"<\?php\s*session\_start\(\)\;\s*set\_time\_limit\(0\)\;(.*)function\s*cmdexec\(\Wcmd\)\s*\{\s*if\(function\_exists\(\'exec\'\)\)\@exec\(\Wcmd\)\;(.*)print\(\"IsCreate\"\)\;\s*\}\s*\?>",
"<\?php\s*print\(\"Direct\s*Access\s*Not\s*Allowed\"\)\;\s*if\(\s*\W\_GET\[\'token\'\]\s*\=\=\s*\"up\"\s*\)\s*\{(.*)echo\s*\'<b>K\.O<\/b><br><br>\'\;\s*\}\s*\}\s*\}\s*\?>",
"<\?php\s*\@set\_time\_limit\(0\)\;\s*\@error\_reporting\(NULL\)\;(.*)<\/p><\/body\s*><\/html\s*>\'\;die\(\)\;exit\(\)\;\s*\}\s*\?>",
"<\?php\s*defined\(\'\_JEXEC\'\)\s*or\s*die\(\'Restricted\s*access\'\)\;\s*class\s*modJGAHelper\s*\{(.*)\Wadm\s*\=\s*\"006\"\.\Wxls\;\s*return\s*\Wadm\;\s*\}\s*\}\s*\}",
"<\?php\s*session\_start\(\)\;\s*\Wme\=\W\_SERVER\[\'PHP\_SELF\'\]\;(.*)\W\_SESSION\[\'LoGiN\'\]\=true\;(.*)value\=Upload\s*\/><\/form>\"\;\s*\?>",
"<\?php\s*if\s*\(\W\_GET\[\'g0\'\]\=\=\'g3t\'\)\s*\{\s*\Wdocr\s*\=\s*\W\_SERVER\[\"DOCUMENT\_ROOT\"\]\;\s*echo\s*\<\<\<HTML(.*)passthru\(\W\_GET\[\'g3t\'\]\)\;\s*echo\'<\/pre>\'\;\s*exit\;\s*}\s*\?>",
"echo\"\s*<div\s*id\=\'newsline\'>(.*)viagraonlineget(.*)if\(document\.getElementById\(\'newsline\'\)(.*)\.style\.height\s*\=\s*\'0px\'\;\}<\/script>\s*<\/body>\s*<\/html>\s*\"\;",
"<iframe\s*src\=\"http\:\/\/(.*)\/counter\.php\"\s*style\=\"visibility\:\s*hidden\;\s*position\:\s*absolute\;\s*left\:\s*0px\;\s*top\:\s*0px\"\s*width\=\"10\"\s*height\=\"10\"\/>",
"<\!\-\-c3284d\-\->(.*)<\!\-\-\/c3284d\-\->",
"<iframe\s*name\=Twitter\s*scrolling\=auto\s*frameborder\=no\s*align\=center\s*height\=2\s*width\=2\s*src\=http\:\/\/(.*)><\/iframe>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZRFrsUIggTv0q(.*)33f\/4P\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"JZ3HkqzKlkT(.*)\+\+\+9\/\/w8\=\"\)\)\)\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteBase\s*\/\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)\s*RewriteCond\s*\%\{HTTP\_HOST\}\/\%1\s*\!\^\[w\.\]\*\(\[\^\/\]\+\)\/\W\s*\[NC\]\s*RewriteRule\s*\^\.\*\W\s*http\:\/\/(.*)\[L\,R\]\s*<\/IfModule>",
"<\?php\s*echo\s*\"<script\s*type\=\'text\/javascript\'>(.*)<\/script>\"\s*\?><\!\-\-\s*\~\s*\-\-><\!\-\-\s*\~\s*\-\->",
"<\?php\s*\/\*\*\/eval\(base64\_decode\(\'aWYo(.*)JoJyk7fX19\'\)\)\;\s*\?>",
"<\?php\s*\/\*\s*WARNING\:(.*)\Wo\=\"QAAAOzh3b3cNKC0tDSctJ09maQAAY(.*)FsKCRsbGxsbGxsbGwpOw\=\=\"\)\)\;return\;\?>",
"<\?php\s*\Wauth\_pass\s*\=\s*\"(.*)\Wcolor\s*\=\s*=\"(.*)\Wdefault\_action\s*\=\s*\'(.*)\Wdefault\_use\_ajax\s*\=\s*true\;\s*\Wdefault\_charset\s*\=\s*\'Windows\-1251\'\;\s*preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\.\"\)\;\?>",
"<\?php\s*\/\*\s*Plugin\s*Name\:\s*GSM(.*)c99sh_surl(.*)c99shexit\(\)\;\s*\?>",
"<\?php\s*\W(.*)array\(\"(.*)\"\)\;eval\(\"(.*)x3B\"\)\;\?>",
"<\?php\s*\Wurls\s*\=\s*array\s*\(\s*\'http\:\/\/(.*)\'\,\s*\)\;\s*\Wn\s*\=\s*mt\_rand\(0\,count\(\Wurls\)\s*\-\s*1\)\;\s*\Wrand\_url\s*\=\s*\Wurls\[\Wn\]\;\s*\?>\s*<meta\s*http\-equiv\=\"refresh\"\s*content\=\"1\;\s*url\=<\?php\s*echo\s*\Wrand\_url\;\?>\s*\">",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdS3roYKrgXgd5nqHFGQ4UdXU5(.*)Aw\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*\W(.*)\=\s*\"e\/\*\.\/\"\;\s*preg\_replace\(strrev\((.*)x3B\"\,\"\.\"\)\;\?>",
"<\?php\s*\W(.*)\=\s*array\(\'(.*)\'\)\;\s*\W(.*)\=\s*strrev\(\'edoced\_46esab\'\)\;\s*\W(.*)\=\s*strrev\(\'(.*)\'\)\;\s*eval\(\W(.*)\(implode\(\'\'\,\W(.*)\)\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DVa1DutYFPyXr(.*)Aw\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZVHDqwIAkPv0qv(.*)8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdQ3DrTWAkDhvbi(.*)w8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZa1zsUKrkbfZapzlCKwgxpNE(.*)8f\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZM1EqUKAgDv8qP5RYA(.*)M\/\"\)\)\)\;\s*\?>",
"Restricted\s*accoss\s*<\?php\s*error\_reporting\(0\)\;\s*ini\_set\(\"max\_execution\_time\"\,0\)\;\s*ini\_set\(\"default\_socket\_timeout\"\,\s*2\)\;\s*ob\_implicit\_flush\s*\(1\)\;\s*\Wfile\s*\=\s*\"\"\.\W\_POST\[\"path\"\]\;\s*\Wfh\s*\=\s*fopen\s*\(\Wfile\,\s*\'w\'\)\s*or\s*die\(\"\"\)\;\s*echo\s*fwrite\s*\(\Wfh\,\s*stripslashes\(\W\_POST\[\"raw\_data\"\]\)\)\;\s*fclose\(\Wfh\)\;",
"<\?php\s*if\s*\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\{\s*eval\(stripslashes\(\W\_REQUEST\[\'(.*)\'\]\)\)\;\s*\}\s*else\s*\{\s*echo\s*\"(.*)\"\;\s*\}\s*\?>",
"<\?php\s*\/\*(.*)\*\/\s*eval\(gzinflate\(base64\_decode\(\'(.*)\'\)\)\)\;\?>",
"<\?\s*error\_reporting\(0\)\;\Wa\=\(isset\(\W\_SERVER\[\"HTTP\_HOST\"\]\)(.*)if\(\(include\(base64\_decode\((.*)file\_get\_contents\(base64\_decode\(\"(.*)curl\_exec\(\Wcu\)\;curl\_close\(\Wcu\)\;eval\(\Wo\)\;\}\;die\(\)\;\s*\?>",
"Options\s*\-MultiViews\s*ErrorDocument\s*404(.*)\.php",
"<script>try\{document\.body\+\+}catch\((.*)\)\{try\{d\=document\[\"createElement\"\]\(\"span\"\)\;\}catch\((.*)\}try\{if\(ww\.document\)window\[\"doc\"\+\"ument\"\]\[\"body\"\]\=\"(.*)\=String\[\"fromCharCode\"\]\(parseInt\(n\[i\]\,12\*2\+2\)\)\;\}z\=s\;vl\=\"val\"\;if\(ww\.document\)eval\(z\)\}\}\}\}<\/script>",
"\#e2aa4e\#(.*)\#\/e2aa4e\#",
"<\!\-\-e2aa4e\-\->(.*)<\!\-\-\/e2aa4e\-\->",
"\#\s*exgocgkctswo\s*RewriteEngine\s*On(.*)\[R\=301\,L\]\s*\#\s*exgocgkctswo",
"<IfModule\s*prefork\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{REQUEST\_METHOD\}\s*\^GET\W(.*)<\/IfModule>\s*\#def7ed10b57fad1c63ba7d021fc22c8227e3b1a6b1e9cb70e1a150c7",
"eval\(base64\_decode\(\'ZXJyb3JfcmVwb3J0aW5n(.*)d8Jyk7IGZjbG9zZSgkZnApO30NCn0\=\'\)\)\;",
"eval\s*\(base64\_decode\s*\(\"aWYgKGlzc2V0KCRfUkVR(.*)hR0t0ZVhybmp6ZWRIICov\"\)\)\;",
"<\?php\s*\/\*\s*WSO\s*2\.1\s*\(Web\s*Shell\s*by\s*r0x\)\s*\*\/(.*)call\_user\_func\(\'action\'\s*\.\s*\W\_POST\[\'a\'\]\)\;\s*\?>",
"<\?php\s*\Whead\s*\=\s*\'(.*)Configuration\s*File\s*Killer(.*)symlink\(\Wrs\,\Wr\)\;\s*\}\s*\}\s*\}\s*\?>",
"<title>Wordpress\s*MassDeface(.*)function\s*file\_get\_contents2(.*)return\s*\Wresult\s*\;\s*\}\s*\?>",
"<\?php\s*error\_reporting\(7\)\;\s*\@set\_magic\_quotes\_runtime\(0\)\;\s*ob\_start\(\)\;(.*)scookie\(\'loginpass\'\,encode\_pass\(\Wpassword\)\)\;(.*)function\s*pr\(\Ws\)\{\s*echo\s*\"<pre>\"\.print\_r\(\Ws\)\.\'<\/pre>\'\;\s*\}\s*\?>",
"<\?php\s*set\_magic\_quotes\_runtime\(0\)\;\s*if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\s*\=\=\s*\"win\"\)\s*\{(.*)Command\s*completed<\/b><\/center>\"\;\s*\}\s*exit\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>(.*)\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)(.*)\[L\,R\]\s*<\/IfModule>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdU3EqxWAgDAuyj6(.*)\/\/AQ\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ1DuwGAETvkup\/(.*)\/\/\/77Pw\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*\Whost\s*\=\s*\'(.*)eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\W\_POST\[\'(.*)\'\]\)\)\)\)\)\)\;(.*)curl\_close\(\Wch\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZY1ssWIFQX34mimFIipHIm(.*)\+\+\/\/\/73\/w\=\=\"\)\)\)\;\s*\?>",
"<\?(.*)Guardi4n(.*)eval\(gzinflate\(base64\_decode\(\'7P15f9s4kjgO\/(.*)AQ\=\=\'\)\)\)\;\s*\?>",
"<\?php\s*if\(isset\(\W\_GET\[\"(.*)\"\]\)\)\{\s*\Wauth\_pass\=\"\"\;\Wcolor\=\"\#df5\"\;\Wdefault\_action\=\"FilesMan\"(.*)x3B\"\,\"\.\"\)\;\s*exit\;\s*\}\s*\?>",
"<\?php(.*)\=\s*\"(.*)\"\;\s*if\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\{(.*)\=\s*\W\_REQUEST\[\'(.*)\'\]\;\s*eval\((.*)\)\;\s*exit\(\)\;\s*\}\s*if\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\{(.*)\=\s*\W\_REQUEST\[\'(.*)\=\s*fopen\((.*)\,\s*\'w\'\)\;(.*)\=\s*fwrite\((.*)\)\;\s*fclose\((.*)\;\s*echo(.*)\;\s*exit\(\)\;\s*\}\s*\?>",
"<\?php\s*if\(\!empty\(\W\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s*\{(.*)if\(\!\@move\_uploaded\_file\(\@\W\_FILES\[(.*)if\s*\(\!function\_exists\(\"posix\_getpwuid\"\)(.*)\)\;\s*return(.*)\;\s*\}\s*\?>",
"ww\=\(1\)\?this\:12\;v\=\"v\"\.concat\(\"al\"\)(.*)\/\*\/afde63\*\/",
"\(function\s*\(\)\s*\{\s*var\s*ccs\s*\=\s*document\.createElement\(\'iframe\'\)\;(.*)\/\*\/04b037\*\/",
"\/\*e2aa4e\*\/(.*)\/\*\/e2aa4e\*\/",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZVHzoRaooP30qN(.*)\/\/\/7f\/wM\=\"\)\)\)\;\s*\?>",
"\#c3284d\#(.*)\#\/c3284d\#",
"<\?php\s*error\_reporting\(0\)\;\s*if\(isset\(\W\_POST\[\"(.*)\"\]\)\s*and\s*isset\(\W\_POST\[\"(.*)\"\.\s*base64\_encode\(\W\_POST\[\"(.*)\"\.\s*base64\_encode\(md5\(\W\_POST\[\"(.*)\@include\_once\(base64\_decode\(\"(.*)ip2long\(getenv\(REMOTE\_ADDR\)\)\)(.*)\"\.\s*base64\_encode\(\W\_SERVER\[\"SERVER\_NAME\"\](.*)uname\s*\-a\`\;\}\s*\}\s*\?>",
"document\.write\(\'\'\)\;",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZZFrsUIskT30qMqeWAm\/(.*)\/\/\/7f\/wM\=\"\)\)\)\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteRule\s*obr\-\(\.\*\)\W(.*)\/435\.php\s*\[L\]\s*<\/IfModule>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZzHsqRaskT\/pUf3GgO0(.*)\+ffff\/\/7\/w\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZRHDqRYAgXv0qtqsYDEfEC(.*)\/\/\/33P\/8H\"\)\)\)\;\s*\?>",
"\#c3284d\#(.*)\#\/c3284d\#",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdRFrsTaAQTQvWT0(.*)z777\/\/\/T8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZS3rqRYAET\/(.*)\/\/\/vM\/\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ3soRYAgTvs(.*)\/\/97\/8B\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZVHroTalkTn8lvviQaQcICjr2rgEpOYxJtOCU\/(.*)z777\/\/\/T8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'xZhNa9tAEIbvhfyHxR(.*)\+gWf\/vUG\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'1RprcxM58jtV\/(.*)\/GP8B\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ1Du0GAgDvkiqRCzMpSmFmZjcrM9Mz\+\/(.*)\+\+eff\/wM\=\"\)\)\)\;\s*\?>",
"<script>try\{document\.body\+\+}catch\((.*)try\{if\(ww\.document\)window\[\"doc\"\+\"ument\"\]\[\"body\"\]\=(.*)if\(ww\.document\)eval\(z\)\}\}\}\}<\/script>",
"<font\s*id\=\"(.*)\"\s*color\=\"white\"\s*style\=\"height\:\s*0\;overflow\:\s*hidden\;width\:\s*0\;\s*position\:\s*absolute\;\s*font\-family\:courier\;\s*font\-size\:15px\"\s*>(.*)<\/font>",
"<\?php\s*\/\*\*(.*)function\s*CoreLibrariesHandler\(\)\s*\{(.*)\?><\?php\s*\W\_POST\[\'w\'\]\=base64\_encode\(\'echo\s*time\(\)\;\'\)(.*)base64\_decode\(str\_replace\((.*)\"<\"\.\"\?php\s*\"\.str\_replace\(\'exit\;\'(.*)else\{eval\((.*)\)\;\}\}exit\;\}\?>",
"<\?php\s*\/\*\*(.*)foreach\(str\_split\((.*)\?><\?php\s*\Ww\=showimg\;if\(isset\(\W\_GET\[\Ww\]\)\)(.*)base64\_decode\(str\_replace\((.*)\)\;\}exit\;\}\?>",
"<\?php\s*\/\*\*(.*)register\_shutdown\_function\((.*)\?>Goog1e\_analist\_up<\?php(.*)move\_uploaded\_file\((.*)FILES\[\'f\'\]\[\'name\'\]\)\;\}\?>",
"<\?php\s*\/\*\*(.*)session\_keys\s*\=\s*\'(.*)\s*\?><\?php\s*\/\*\s*\WId\:\s*images\.php(.*)if\s*\(isset\(\W\_GET\[\"cookie\"\]\)\)(.*)\@eval\(base64\_decode\(\W\_POST\[\"(.*)exit\;\s*\}\s*\?>",
"<\?php\s*\/\*\*(.*)foreach\(str\_split\((.*)\?><\?php\s*\/\/Obfuscation(.*)x65\"\;\@eval\((.*)\"\)\)\;\s*\?>",
"<\?php\s*\/\*\*(.*)register\_shutdown\_function\((.*)\?><\?php\s*if\s*\(isset\((.*)\'\]\)\)\s*eval\(stripslashes\((.*)\'\]\)\)\;\s*\?>",
"<\?php\s*\/\*\*(.*)\?><\?php\s*\#\s*Web\s*Shell(.*)exit\;\s*\?>",
"<\?php\s*\/\*\*(.*)\=\s*chr\(bindec\((.*)\?><font\s*id\=\"(.*)\"\s*color\=\"black\"\s*style\=\"height\:\s*0\;overflow\:\s*hidden\;width\:\s*0\;\s*position\:\s*absolute\;\s*font\-family\:Roman\;\s*font\-size\:11px\"\s*>(.*)<\/font>",
"<html><head>(.*)Hacked\s*by(.*)<\/body><\/html>",
"<\?php\s*\/\*\*(.*)register\_shutdown\_function\(\'CoreLibrariesHandler\'\)\;(.*)\?><\?php(.*)result\s*\=\s*mysql\_query\s*\(\'SELECT\s*customers\_firstname\,customers\_email\_address\,customers\_password\s*FROM\s*\'\.TABLE\_CUSTOMERS\)\;(.*)\}\s*\?>",
"<\?php\s*\/\*\*(.*)foreach\(str_split\((.*)\?><\?php\s*if\(isset\(\W\_GET\[\'dl\'\]\)\s*\&\&\s*\(\W\_GET\[\'dl\'\]\s*\!\=\s*\"\"\)\)(.*)software\s*\=\s*getenv\(\"SERVER\_SOFTWARE\"\)(.*)function\s*get\_perms\((.*)port\_bind\_bd\_c\=\"(.*)\?>\s*<html><head><title>\.\:\:w33d\:\:\.<\/title>(.*)<\/body>\s*<\/html>",
"if\s*\(isset\(\W\_GET\[\"cookie\"\]\)\)\s*\{\s*echo\s*\'cookie\=(.*)\'\;\s*if\s*\(isset\(\W\_POST\[\"(.*)\"\]\)\)\s*\@eval\(base64\_decode\(\W\_POST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}",
"if\s*\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*eval\(stripslashes\(\W\_REQUEST\[\'(.*)\'\]\)\)\;",
"<\?php\s*\/\*\s*\*\/\WOOO000000\=urldecode\(\'(.*)\'\)\)\;return\;\?>(.*)",
"<\?php\s*\WOOO000000\=urldecode\(\'(.*)\'\)\)\;\s*\?><\?php\s*\/\*\s*\*\/\WOOO000O00\=(.*)\'\)\)\;return\;\?>(.*)",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"(.*)\"\)\)\)\;\s*\?>",
"<\?php\s*\/\*\*(.*)foreach\(str_split\((.*)\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\/\s*\?>",
"<script\s*type\=\"text\/javascript\">\s*if\s*\(typeof\(redef\_colors\)\=\=\"undefined\"\)\s*\{(.*)function\s*div\_pick\_colors\(t\,styled\)\s*\{(.*)try\_pick\_colors\(\)\;\s*\}\s*<\/script>",
"<\?php\s*set\_time\_limit\(0\)\;(.*)GLOBALS\[\'(.*)\'\]\=Array\(base64\_decode\((.*)\'\)\,base64\_decode\(\'\'\s*\.\'(.*)\?><\?php\s*function(.*)\?>",
"<\?php\s*\/\*GIF89a(.*)\*\/function\s*tdo\(\)\{echo\s*base64\_decode\(\'(.*)\;\*\/\?>",
"<\?php\s*if\(md5\(\W\_POST\[\"(.*)\"\]\)\=\=\"(.*)\"\)\{eval\(base64\_decode\(\W\_POST\[\"(.*)\"\]\)\)\;\}\s*\?>",
"<\?php\s*\#v2\.3\s*\/\/Version\s*\Wauth\_pass\s*\=\s*\"\"\;\s*\/\/(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)x3B\"\,\"\.\"\)\;\?>",
"<\?php\s*\Wi\=\W\_GET\[\'i\'\]\;\s*print\s*file\_get\_contents\(\Wi\)\;\s*exit\;\s*\?>",
"<\?php\s*if\(isset\(\W\_GET\[\'dl\'\]\)(.*)port\_bind\_bd\_c\=\"(.*)\?>\s*<\/div>\s*<\/body>\s*<\/html>",
"<\?\s*\WPASSWORD\s*\=\s*\"(.*)setcookie\(\s*\"mysql\_web\_admin\_username\"\s*\)\;(.*)function\s*dropDatabase\(\)\s*\{(.*)\/\/\-\->\s*<\/style>\s*<\/head>",
"<\?php\s*\Wauth\s*\=\s*0\;(.*)echo\s*\@eval\(base64\_decode\(\'(.*)<\/span>\s*<\/body>\s*<\/html>",
"<\?php\s*\#\s*Web\s*Shell(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)x3B\"\,\"\.\"\)\;\?>",
"<\?php\s*\/\/(.*)\@error\_reporting\(0\)\;\s*\@set\_time\_limit\(0\)\;\s*\Wcode\s*\=\s*\"(.*)\"\;\s*eval\(gzinflate\(base64\_decode\(\Wcode\)\)\)\;\s*\?>",
"<BODY\s*OnKeyPress\=\"GetKeyCode\(\)\;\"(.*)<a\s*onclick\=\"window\.open\(\'http\:\/\/(.*)printit\(\"ERROR\:\s*Can\'t\s*spawn\s*shell\"\)\;(.*)Metasploit\s*Bacconnect<\/font><\/a><\/form>\'\;\s*\?>",
"GIF89\;<br><br>\s*<Hmei7>\s*<\?php(.*)echo\s*\'<b>Upload\s*Gagal\s*\!\!\!<\/b>(.*)fclose\(\Wfff\)\;\s*\}\s*\?>",
"<\?\s*eval\(gzinflate\(str\_rot13\(base64\_decode\(\'(.*)\'\)\)\)\)\;\s*\?>",
"<\?php\s*if\(isset\((.*)message\s*\=\s*urlencode\((.*)subject\s*\=\s*ereg\_replace\(\"(.*)from\=\"From\:\s*GRATIS\s*<(.*)\"<script>alert\(\'Mail\s*sending\s*complete\W\Wr\W\Wn\Wnumemails\s*mail\(s\)\s*was\s*sent\s*IN\s*NO\s*TIME\'\)\;\s*<\/script>\"\;\}\s*\?>\s*<\/span>\s*<\/body>\s*<\/html>",
"<\?php\s*if\(\W\_GET\[\"(.*)\"\]\)\{die\(\W\_GET\[\"(.*)\"\]\)\;\}elseif\(\W\_POST\[\"(.*)\"\]\)\{eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\W\_POST\[\"(.*)\"\]\)\)\)\)\)\)\;exit\;\}\s*\?>",
"<\?php\s*\/\/(.*)\/\/\s*Set\s*Username\s*\W\s*Password(.*)\"\;\s*eval\(\"\?>\"\.gzuncompress\(base64\_decode\((.*)\)\)\)\;\s*\?>",
"<\?php\s*\W\_F\=\_\_FILE\_\_\;\W\_X\=\'(.*)\'\;eval\(base64\_decode\(\'(.*)\'\)\)\;\?>",
"<\?php\s*if\(isset\(\W\_GET\[\"(.*)\"\]\)\)\{\s*\/\/(.*)\W\_\=\s*\/\/system\s*file\s*do\s*not\s*delete(.*)\"\;eval\(\W\_\_\_\(\W\_\_\)\)\;\s*exit\;\s*\}\s*\?>",
"<\?php\s*\@\Waction\=\W\_POST\[\'action\'\]\;(.*)if\s*\(\Waction\=\=\"send\"\)\{\s*\Wmessage\s*\=\s*urlencode\(\Wmessage\)\;(.*)<p\s*class\=\"style1\"><\/p>\s*<\/body>\s*<html>",
"<\?php\s*mkdir\(\'\/home\/(.*)\'\,\s*0777\)\;(.*)\"<meta\s*http\-equiv\=\W\"Refresh\W\"\s*content\=\W\"0\;\s*URL\=http\:\/\/(.*)\'\;\s*echo\s*\'(.*)\'\.\"\Wn\"\;",
"RewriteBase\s*\/\s*RewriteEngine\s*on\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\.\*ask\.\*\s*\[OR\](.*)RewriteCond\s*\%\{HTTP\_REFERER\}\s*\.\*hotmail\.\*\s*RewriteRule\s*\^\(\.\*\)\W\s*http\:\/\/(.*)\/\s*\[R\=301\,L\]",
"ErrorDocument(.*)http\:\/\/(.*)\.com\/",
"<\?\Wtds\=\"http\:\/\/(.*)\"\;\Wtdsip\=\"(.*)\"\;\Wlin\=\"echo\:\/\/\"\;\Wesdid\=\"redic_1\"\;\Wkey\=\"(.*)\"\;\?><\?\/\/BREACK\/\/\?>",
"<\?php\s*\/\/ConfGui(.*)error\_reporting\(0\)\;(.*)<\?\/\/BRE\'\;\Wkaka\=\Wka\.\'ACK\/\/\?>\'\;\Wfelp\s*\=\s*explode\(\Wkaka\,\s*\Wfile\[\Wi\]\)\;(.*)If\(\Wgotoe\[0\]\=\=\'echo\'\)\{echo\s*\Wgoto\_body\;\}\s*\?>",
"RewriteBase\s*\/\s*RewriteEngine\s*on\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\.\*spamcop\.\*\s*RewriteRule\s*\^\(\.\*\)\W\s*http\:\/\/(.*)\/\s*\[R\=301\,L\]",
"<\?php\s*error\_reporting\(0\)\;include\_once\s*\W\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\'\/wp\-apps\.php\'\;\?>",
"<\!\-\-6b1ee4\-\->(.*)<\!\-\-\/6b1ee4\-\->",
"\#6b1ee4\#(.*)\#\/6b1ee4\#",
"eval\(base64\_decode\(\"DQplcnJvcl9yZXBvcnRpbmcoMCk7(.*)7DQpleGl0KCk7DQp9DQp9DQp9DQp9DQp9\"\)\)\;",
"<iframe\s*src\=\"http\:\/\/(.*)\.php\"\s*style\=\"visibility\:\s*hidden\;\s*position\:\s*absolute\;\s*left\:\s*0px\;\s*top\:\s*0px\"\s*width\=\"10\"\s*height\=\"10\"\/>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'tVhtc9pIEv7sq7r\/(.*)\/7\/\/Gw\=\=\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'tVhtc9pIEv7sq7r(.*)\'\)\)\)\;\?>",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50IEBm(.*)SSSddKSk7DQoNCg\=\=\"\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'tVhtc9pIEv7sq9r(.*)\=\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64_decode\(\'tVj7c9rWEv7Znbn\/(.*)\'\)\)\)\;\?>",
"\#68c8c7\#(.*)\#\/68c8c7\#",
"<\!\-\-68c8c7\-\->(.*)<\!\-\-\/68c8c7\-\->",
"<IfModule\s*mod\_rewrite\.c>(.*)duckduckgo\|ask\|google\|dogpile\|archive(.*)\[R=301,L]\s*<\/IfModule>",
"eval\(base64\_decode\(\"DQplcnJvcl9yZX(.*)l9DQp9DQp9\"\)\)\;",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50I(.*)VSSSddKSk7DQoNCg\=\=\"\)\)\;\s*\?>",
"<\?php\s*\Wjembot\s*\=(.*)\'aWYo(.*)\'\;\s*eval\(base64\_decode\(\Wjembot\)\)\;\s*\?>",
"<\?php\s*\/\*(.*)c99\s*injektor(.*)back\_connect\_pl(.*)<\?php\s*chdir\(\Wlastdir\)\;\s*c99shexit\(\)\;\s*\?>",
"\;document\.write\(\'<iframe\s*src\=\"http\:\/\/(.*)\"\s*frameborder\=\"no\"\s*width\=\"(.*)\"\s*height\=\"(.*)\"><\/iframe>\'\)\;",
"<script>parent\.location\.href\=\'http\:\/\/(.*)\'<\/script>",
"<\?\Wtds\=\"http\:\/\/(.*)password\=\"(.*)p\=urlencode\((.*)\=\=\'echo\'\)\{echo\s*\Wx\;\}\?>",
"ErrorDocument\s*404\s*\/(.*)\.php",
"<\?php\s*srand\((.*)\=\@file\_get\_contents\((.*)\)\)\@file\_put\_contents\((.*)header\(\"HTTP\/1\.1\s*200\s*OK\"\)\;header\(\"Status\:200\s*OK\"\)\;print\s*\Wcontent\;exit\;\}\?>",
"<\?php\s*if\s*\(\!isset\(\WsRetry\)\)(.*)\(strstr\(\WsUserAgent\,\s*\'bot\'\)\s*\=\=\s*false\)\)\s*\/\/\s*Bot\s*comes(.*)stCurlLink\s*\=\s*base64\_decode\((.*)curl\_close\(\WstCurlHandle\)\;\s*}\s*\}\s*\?>",
"<\?php\s*\W\_\s*\=\s*strrev\(\"tress\Wx61\"\)\;\s*\@\W\_\(\"e(.*)073\"\)\;\s*\?>",
"<\?php\s*\/\/(.*)default\_action\s*\=\s*\'FilesMan\'\;(.*)call\_user\_func\(\'action\'\s*\.\s*\W\_POST\[\'a\'\]\)\;\s*exit\;",
"<\?php\s*\@error\_reporting\(0\)\;\s*\@ini\_set\(\'error\_log\'\,NULL\)\;(.*)urldecode\(stripslashes\((.*)urldecode\(stripslashes\((.*)\.\=\s*\"Content\-Type\:\s*text\/html\;\s*charset\=\W\"iso\-8859\-1\W\"\Wr\Wn\"(.*)\=\s*base64\_decode\((.*)\.\=\s*chr\(ord\((.*)return(.*)\}\s*\?>",
"<script\s*type\=\"text\/javascript\"\s*src\=\"http\:\/\/(.*)\.php\">\"POC\"<\/script>",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50IEB(.*)X1JFRkVSRVInXSkpOw0KDQo\=\"\)\)\;\s*\?>",
"<\?php\s*\/\*\*\/\s*eval\(base64\_decode\(\"aWYoZnVuY3Rpb25fZXh(.*)J21yb2JoJyk7ICB9ICB9\"\)\)\;\?>",
"<\?\s*\Wurls\s*\=\s*array\s*\((.*)header\s*\(\"Location\:\s*\WURL\"\)\;\s*\?>",
"eval\(base64\_decode\(\'aGVhZGVyKCJSZWZyZXNoOiAyNTsgdXJsPVwiaHR0cDovL3d3dy5kb2RvbmV0LmJpei9zaG9wL1wiIik7\'\)\)\;",
"eval\(base64\_decode\(\"aWYgKGlzX251bGwoJGluTWVzc2FnZSkgfHwgKCRpbk1(.*)IiAtIChjKSAyMDA0IGJ5IE1hcmMgU3RlaW4iOw\=\=\"\)\)\;",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50(.*)XSkpOw0KDQo\=\"\)\)\;\s*\?>",
"<html><head>(.*)<title>Google<\/title><style>(.*)class\=gb1><a\s*href\=\"http\:\/\/news\.google\.com\/(.*)<\/body><\/html>",
"<script\s*src\=http\:\/\/(.*)\.php ><\/script>",
"<u\s*style\=\"position\:\s*absolute\;\s*height\:\s*0px\;\s*margin\:\s*0\;\s*top\:\s*\-5000px\;\s*left\:\s*\-9999px\;\s*overflow\:\s*hidden\;\">(.*)<\/u>",
"<div\s*style\=\"position\:\s*absolute\;\s*height\:\s*0px\;\s*margin\:\s*1\;\s*top\:\s*\-1000px\;\s*left\:\s*\-9999px\;\s*overflow\:\s*hidden\;\">(.*)<\/div>",
"<div\s*style\=\"position\:\s*absolute\;\s*height\:\s*0px\;\s*margin\:\s*0\;\s*top\:\s*\-5000px\;\s*left\:\s*\-5000px\;\s*overflow\:\s*hidden\;\">(.*)<\/div>",
"<\!\-\-\s*a(.*)7\s*\-\->\s*<div\s*style\=\"position\:\s*absolute(.*)overflow\:\s*hidden\;\s*\">(.*)<\/div>",
"<div\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;\">(.*)<\/div>",
"<u\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;\">(.*)<\/u>",
"<\?xml\s*version\=\"1\.0\"\s*encoding\=\"utf\-8\"\?>(.*)content\=\"W3C\,\s*World\s*Wide\s*Web\,(.*)<\/body>\s*<\/html>",
"document\.write\(\'<iframe\s*src\=\"http\:\/\/ya\.ru\"\s*scrolling\=\"auto\"\s*frameborder\=\"no\"\s*align\=\"center\"\s*height\=\"5\"\s*width\=\"5\"><\/iframe>\'\)\;",
"<u\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;\">.*",
"<html><head>(.*)<a\s*href\=\"http\:\/\/images\.google\.com\/(.*)2008\s*Google.*",
"<u\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;.*",
"<\?xml\s*version\=\"1\.0\"\s*encoding\=\"utf\-8\"\?>(.*)content\=\"W3C\,\s*World\s*Wide\s*Web.*",
"<\!\-\-20c2c801\/\/\-\->(.*)<\!\-\-20c2c801\/\/\-\->",
"<\?php\s*if\(isset\((.*)\=strrev\(\"edoced\_4\"\.\"6esab\"\)\;eval\((.*)<\/script><\/body><\/html>",
"<\?php\s*eval\(base64\_decode\(\W\_POST\[\"(.*)\"\]\)\)\;\s*\?>",
"eval\(base64\_decode\(\"DQplcnJvcl9yZXBvcn(.*)p9DQp9DQp9\"\)\)\;",
"<\?PHP\s*\/\*\s*GNU(.*)\*\/Copyright7\_14\_5\(\)\/\*\s*1989\,\s*1991(.*)too\.\*\/\?>",
"Copyright7\_14\_5\(\)\;\s*function\s*Copyright7\_14\_5\(\)\{(.*)gnu\=false\;\s*\}\s*\?>",
"eval\(base64\_decode\(\"DQp(.*)DQp9\"\)\)\;",
"\WzhVIT\=\W\_REQUEST\;\s*if\s*\(isset\(\WzhVIT\[\'(.*)\'\]\)\)\s*\{\s*\Wfau\s*\=\s*\WzhVIT\[\'(.*)\'\]\;\s*\Wzcq\=\WzhVIT\[\'(.*)\'\]\(\Wfau\(\WzhVIT\[\'(.*)\'\]\)\,\Wfau\(\WzhVIT\[\'(.*)\'\]\)\)\;\s*\Wzcq\(\Wfau\(\WzhVIT\[\'(.*)\'\]\)\)\;\s*\}",
"defined\(\s*\'\_JEXEC\'\s*\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;",
"<iframe\s*heigth\=\"1\"\s*width\=\"1\"\s*frameborder\=\"0\"\s*src\=\"http\:\/\/(.*)\.php(.*)\"><\/iframe>",
"<\?php\s*\@error\_reporting\(0\)\;\s*if\s*\(\!isset\(\Weva1fYlbakBcVSir\)\)\s*\{\Weva1fYlbakBcVSir\s*\=(.*)eva1tYlbakBcVSir\;\}\s*\?>",
"<\?php(.*)eval\(base64\_decode\(\"aWYoZ(.*)\"\)\)\;\?>",
"document\.write\(\'<iframe\s*src\=\"http\:\/\/(.*)\"\s*scrolling\=\"auto\"\s*frameborder\=\"no\"\s*align\=\"center\"\s*height\=\"5\"\s*width\=\"5\"><\/iframe>\'\)\;",
"<\?\s*eval\(base64\_decode\(\'aW(.*)9\'\)\)\;\s*\?>",
"<\?\s*eval\(base64\_decode\(\'aW(.*)\=\=\'\)\)\;\s*\?>",
"<iframe\s*src\=\"http\:\/\/(.*)\"\s*width\=\"0\"\s*height\=\"0\"\s*frameborder\=\"0\"><\/iframe>",
"\/\*0242d5\*\/(.*)\/\*\/0242d5\*\/",
"<\?php\s*\/\/\{\{\d\d\d\d\d\d\d\w\s*GLOBAL\s*\Wwehaveitagain\;(.*)error\_reporting\(\Wpreverrx\)\;\s*\}\s*\/\*\s*\*\/\s*\/\/\}\}\d\d\d\d\d\d\d\w\s*\?>",
"eval\(base64\_decode\(\"(.*)\"\)\)\;",
"\/\*rrt\*\/\s*eval\(base64\_decode\(\"(.*)\"\)\)\;",
"echo\s*\"<iframe\s*src\=\W\"http\:\/\/(.*)\W\"\s*width\=1\s*height\=1\s*style\=\W\"visibility\:hidden\;position\:absolute\W\"><\/iframe>\"\;",
"<\!\-\-04b82c\-\->(.*)<\!\-\-\/04b82c\-\->",
"\/\*04b82c\*\/(.*)\/\*\/04b82c\*\/",
"<script\s*type=\"text\/javascript\">var\s+a=\"\'1Aqapkrv\'(.*)2C\'1A\-qapkrv\'1G\";b=\"\";c=\"\";var\s*clen;clen=a\.length;for\(i\=0;i\<clen;i\+\+\)\{b\+=String.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c=unescape\(b\);document.write\(c\);<\/script>",
);
$find = '('.implode('|', $aPattern).')';
$except = array("rar", "zip", "mp4", "mp3", "mov", "flv", "wmv", "swf", "png", "gif", "bmp", "avi", "jpa", "gz", "tar", "exe");
$only = array("php", "shtml", "html", "htm", "js", "css", "htaccess", "txt", "tpl", "pl", "cgi", "jpg");
$infectedFiles = null;
$showOnlyInfectedFiles = true;
$cleanInfected = true;
echo "<h1>Scanning Files...</h1>";
echo "After scanning the files <a href='#infected-files' title='Found Infected Files'>click here to view found Infected files.</a>";
echo "<ol>";
$infectedFiles = startScan($root);
echo "</ol>";
echo "<br /><br /><h1 id='infected-files'>Found and cleaned ". count($infectedFiles) ." Infected Files</h1>";
echo "<ol>";
if(is_array($infectedFiles))
foreach($infectedFiles as $iFile){
echo "<li>{$iFile}</li>";
}
echo "</ol>";
/* functions */
function getAllFiles($dir){
global $except, $only;
$filenames = null;
if ($handle = opendir($dir)){
while (false !== ($file = readdir($handle)))
if ($file != "." && $file != ".." && !is_dir($dir.$file) && ($dir != "." && $file != basename(__FILE__))){
$path_parts = pathinfo($file);
if(isset($path_parts['extension']) && array_search(strtolower($path_parts['extension']), $except) === false)
if(array_search(strtolower($path_parts['basename']), $only) !== false || array_search(strtolower($path_parts['extension']), $only) !== false || sizeof($only) < 1)
$filenames[] = $file;
}
closedir($handle);
}
return $filenames;
}
function getAllDirectories($dir){
$directories = null;
if ($handle = opendir($dir)) {
while (false !== ($file = readdir($handle)))
if ($file != "." && $file != ".." && is_dir($dir.$file))
$directories[] = $dir.$file;
closedir($handle);
}
return $directories;
}
function startScan($root){
global $find, $infectedFiles, $showOnlyInfectedFiles, $cleanInfected;
$time_start = microtime_float();
$root = str_replace("//", "/", $root);
echo "<li>".$root;
$directories = getAllDirectories($root);
ob_implicit_flush();
ob_flush();
sleep(1);
if(is_array($directories)){
// get all files
if(($tmp = getAllFiles($root)) !== null){
echo "<ul>";
$files = $tmp;
foreach($files AS $file){
$numMatches = checkMalware($root.$file, $find);
if(!empty($numMatches)){
if($cleanInfected)
cleanInfected($root.$file, $find);
echo "<li style='background-color:c00'><p style='padding:0 0 0 5px; margin:0; color:#fff'>".$infectedFiles[] = $root.$file;
echo " - ".(microtime_float() - $time_start)."</p></li>";
}elseif(!$showOnlyInfectedFiles){
$infectedFiles[] = $root.$file;
echo "<li>".$file."</li>"; // $root.$file
}
}
echo "</ul>";
}
echo "<ol>";
foreach($directories AS $dir){
echo "<li>".$dir;
ob_implicit_flush();
ob_flush();
sleep(1);
// get all files
if(($tmp = getAllFiles($dir)) !== null){
echo "<ul>";
$files = $tmp;
foreach($files AS $file){
if($dir[strlen($dir)-1] === "/") $dir = substr($dir, 0, -1);
$numMatches = checkMalware($dir."/".$file, $find);
if(!empty($numMatches)){
if($cleanInfected)
cleanInfected($dir."/".$file, $find);
echo "<li style='background-color:c00'><p style='padding:0 0 0 5px; margin:0; color:#fff'>".$infectedFiles[] = $dir."/".$file;
echo " - ".(microtime_float() - $time_start)."</p></li>";
}elseif(!$showOnlyInfectedFiles){
$infectedFiles[] = $dir."/".$file;
echo "<li>".$file."</li>";
}
}
echo "</ul>";
}
// gel all directories
if($root[strlen($root)-1] === "/") $tmp_root = substr($root, 0, -1);
if(($tmp = getAllDirectories($dir."/")) !== null && $dir !== $tmp_root){
foreach($tmp AS $d){
$a = startScan($d."/");
if(is_array($a))
array_merge($infectedFiles, $a);
}
}
echo "</li>";
}
echo "</ol>";
}else{
// get all files
if(($tmp = getAllFiles($root)) !== null){
echo "<ul>";
$files = $tmp;
foreach($files AS $file){
$numMatches = checkMalware($root.$file, $find);
if(!empty($numMatches)){
if($cleanInfected)
cleanInfected($root.$file, $find);
echo "<li style='background-color:c00'><p style='padding:0 0 0 5px; margin:0; color:#fff'>".$infectedFiles[] = $root.$file;
echo " - ".(microtime_float() - $time_start)."</p></li>";
}elseif(!$showOnlyInfectedFiles){
$infectedFiles[] = $root.$file;
echo "<li>".$file."</li>"; // $root.$file
}
}
echo "</ul>";
}
}
echo "</li>";
return $infectedFiles;
}
function checkMalware($filename, $find){
$numMatches = null;
$handle = fopen($filename, "r");
if(filesize($filename) > 0){
$contents = fread($handle, filesize($filename));
$numMatches = preg_match_all('/'.$find.'/is', $contents, $matches);
}
fclose($handle);
return $numMatches;
}
function cleanInfected($filename, $find){
$handle = fopen($filename, "r");
if(filesize($filename) > 0){
$contents = fread($handle, filesize($filename));
fclose($handle);
$handle = fopen($filename, "w");
$contents = preg_replace('/'.$find.'/is', "", $contents);
fwrite($handle, $contents);
}
fclose($handle);
}
function microtime_float(){
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
ob_end_flush();
ob_end_flush();
unlink(__FILE__);

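--- a/collate.php
+++ b/collate.php
@@ -0,0 +1,132 @@
+<?PHP
+/*
+Tool to change databse collation, ripped from Phoca
+*/
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="robots" content="index, follow" />
+<meta name="keywords" content="phoca, server unzip" />
+<meta name="description" content="Phoca Server Unzip tool" />
+<meta name="generator" content="www.phoca.cz" />
+<title>Phoca Server Unzip tool</title>
+<style type="text/css">
+body {font-family: Arial, sans-serif; font-size: 10px; color: #000000 ;}
+h1 a {color:#006699;text-decoration:none;}
+#info {position: relative;float:right; top:10px; right:10px; text-align:right;margin-bottom:10px;}
+.error {font-weight:bold;color:#c10000}
+.warning {font-weight:bold;color:#ff8102}
+.success {font-weight:bold;color:#008040}
+.window {position:relative;top:10px;left:10px;width:95%;padding:5px;height:300px;overflow:auto;border:1px solid #000;background:#fbfbfb;clear:both;}
+</style>
+</head>
+<body>
+<div id="info">
+</div>
+<h1><a href="collate.php">Phoca Changing Collation tool</a></h1>
+<?php
+function start_db($mysqlhost,$mysqldatabase, $mysqluser, $mysqlpass)
+{
+global $conn;
+$conn = mysql_connect($mysqlhost, $mysqluser, $mysqlpass);
+if (!$conn)
+{
+echo '<a href="collate.php" class="back">Back to the main site</a><br />';
+die('Database error.');
+}
+$select = mysql_select_db($mysqldatabase, $conn);
+if (!$select)
+{
+echo '<a href="collate.php" class="back" >Back to the main site</a><br />';
+die('Database error.');
+}
+}
+function end_db ($conn)
+{
+mysql_close($conn);
+}
+if ( isset($_POST['host'])
+&& isset($_POST['user'])
+&& isset($_POST['pass'])
+&& isset($_POST['name'])
+&& isset($_POST['col']))
+{
+$mysqlhost = $_POST['host'];
+$mysqluser = $_POST['user'];
+$mysqlpass = $_POST['pass'];
+$mysqldatabase = $_POST['name'];
+$collation = $_POST['col'];
+// Change the time -------------------------------------
+$changedMaxExecTime = 0;
+$standardMaxExecTime = ini_get('max_execution_time');
+if ($standardMaxExecTime != 0 && $standardMaxExecTime < 120) {
+set_time_limit(120);
+$changedMaxExecTime = 1;
+}
+// -----------------------------------------------------
+start_db($mysqlhost,$mysqldatabase, $mysqluser, $mysqlpass);
+//Start code from http://php.vrana.cz/ - Author - Jakub Vrana
+function mysql_convert($query) {
+echo '<div>' . $query . ' ... <span style="color:#26d92b;">OK</span></div>';
+return mysql_query($query);
+}
+echo '<div></div>';
+echo '<div class="window">';
+mysql_convert("ALTER DATABASE $mysqldatabase COLLATE $collation");
+$result = mysql_query("SHOW TABLES");
+while ($row = mysql_fetch_row($result)) {
+mysql_convert("ALTER TABLE $row[0] COLLATE $collation");
+$result1 = mysql_query("SHOW COLUMNS FROM $row[0]");
+while ($row1 = mysql_fetch_assoc($result1)) {
+if (preg_match('~char|text|enum|set~', $row1["Type"])) {
+mysql_convert("ALTER TABLE $row[0] MODIFY $row1[Field] $row1[Type] CHARACTER SET binary");
+mysql_convert("ALTER TABLE $row[0] MODIFY $row1[Field] $row1[Type] COLLATE $collation" . ($row1["Null"] ? "" : " NOT NULL") . ($row1["Default"] && $row1["Default"] != "NULL" ? " DEFAULT '$row1[Default]'" : ""));
+}
+}
+}
+echo '</div>';
+mysql_free_result($result);
+//End code from http://php.vrana.cz/ - Author - Jakub Vrana
+end_db($conn);
+echo '<p>&nbsp;</p><a href="collate.php" class="back">Back to the main page</a>';
+// Set back the time --------------------
+if ($changedMaxExecTime == 1) {
+set_time_limit($standardMaxExecTime);
+}
+// --------------------------------------
+}
+else
+{
+?>
+<h2>Change database collation (DATABASE, TABLES, COLUMNS)</h2>
+<form action="collate.php" method="post">
+<table>
+<tr><td>Database Host</td><td><input type="text" name="host" value="localhost" /></td></tr>
+<tr><td>Database User</td><td><input type="text" name="user" value="username" /></td></tr>
+<tr><td>Database Password</td><td><input type="password" name="pass" value="password" /></td></tr>
+<tr><td>Database Name</td><td><input type="text" name="name" value="database name" /></td></tr>
+<tr><td>Database Collation</td><td><input type="text" name="col" value="utf8_general_ci" /></td></tr>
+<tr><td></td><td><input type="submit" value="Submit" /></td></tr>
+</table>
+</form>
+<?php
+}
+?>
+</body>
+</html>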
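Review bot: `$_POST['name']` and `$_POST['col']` go unquoted into `ALTER DATABASE $mysqldatabase COLLATE $collation` and the later `ALTER TABLE` statements, and `mysql_convert()` echoes each query into the page unescaped, so one request parameter reaches both the SQL text and the HTML output. Both values should be validated before use, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $collation)) die('Invalid collation.');`, identifiers should be backtick-quoted, and the echo should use `htmlspecialchars($query, ENT_QUOTES, 'UTF-8')`. The page has no access check of its own, so anyone who can request it can have the server open a MySQL connection to a host of their choosing; it belongs behind authentication or should be deleted after use. Separately, `$row1["Null"] ? "" : " NOT NULL"` looks wrong on servers where SHOW COLUMNS reports `Null` as "YES"/"NO" (both truthy in PHP), since NOT NULL would then never be restored; comparing with `=== "YES"` would be safer.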

227
findbot.pl Normal file

@ -0,0 +1,227 @@
#!/usr/bin/perl
# Version 0.08 Wed Apr 15 01:55:56 UTC 2015
# The above line may need to be changed to point at your version of Perl
#
# This script attempts to find malicious files/scripts on your machine.
# It specifically looks for spambots that we're aware of, as well
# as "suspicious" constructs in various scripting languages.
#
# To use it, you should put this in a file on your computer called
# "findbot.pl" and make it executable by "chmod 755 findbot.pl".
#
# By default, findbot.pl scans the directories /tmp, /usr/tmp, /home and
# /var/www. This script isn't fast. So if you know where to look you can
# speed things up by giving just the directories that you suspect has the
# malware.
#
# You can often find out what user is infected by using:
# lsof -i | grep smtp
# and looking for processes that are NOT your mail server.
#
# If you're successful finding the user, you need to look everywhere the user
# has write permissions - and you can run findbot.pl faster, by something like:
#
# findbot.pl /tmp /usr/tmp /home/<user> <user's web directory>
#
# There are two types of "detections" - "suspicious files" are files that contain
# things that -may- be malicious.
# "malware" is definitely malicious software.
#
# This script needs the following command line utilities. It will not run
# if it can't find them, you will have to install them yourself:
# - "md5sum" (Linux) or "md5" (FreeBSD etc) this appears to be standard
# core utilities.
# - "strings" - on Linux this is in the "binutils" package
# - "file" - on Linux this is in the "file" package.
#
# Usage:
# findbot.pl [-c] [directories...]
#
# If a list of directories is supplied, it's used, otherwise,
# /tmp, /usr/tmp, /home and /var/www are use by default.
#
# The -c option is a shortcut to make finding cryptophp faster and
# easier, but this may not work in all situations
#
# Very simple web malware detection module.
# .01 -> .02:
# - more strings of bad software
# - search for encoded perl scripts
# .02 -> .03: 2013/01/10 Ray
# - speed up
# - MD5 stuff
# .03 -> .04: 2013/01/13 Ray
# - improved docs
# .04 -> .05: 2013/01/20 Ray
# - more patterns
# - MAXLINES way too small
# .05 -> .06: 2014/10/31 Havriliuc Andrei, Hostvision srl, Romania
# - many more patterns/heuristics from hoster's experience
# - Thanks for the contribution!
# .06 -> 07: 2014/11/22 Ray
# - Speed up specifically for current version of cryptophp
# .07 -> 08: 2015/04/14 Ray
# - Stealrat patterns
my $access = '(\.htaccess)';
my $accesspat = '(RewriteRule)';
## Extensions scanned
my $scripts = '\.(php|pl|cgi|bak|sh|txt|jpeg|jpg|png|gif|bmp|css)$';
## Patterns
my $scriptpat = '(die\(PHP_OS.chr\(49\).chr\(48\).chr\(43\).md5\(0987654321\)|die\(PHP_OS.chr\(49\).chr\(49\).chr\(43\).md5\(0987654321\)|social\.png|web shell|edoced_46esab|PHPShell|EHLO|MAIL FROM|RCPT TO|\$random_num\.qmail|getmxrr|\$_POST\[\'emaillist\'\]|if\(isset\(\$_POST\[\'action\'\]|BAMZ|shell_style|malsite|cgishell|Defaced|defaced|Defacer|defacer|hackmode|ini_restore|ini_get\("open_basedir"\)|runkit_function|rename_function|override_function|mail.add_x_header|\@ini_get\(\'disable_functions\'\)|open_basedir|openbasedir|\@ini_get\("safe_mode"|JIKO|fpassthru|passthru|hacker|Hacker|gmail.ru|fsockopen\(\$mx|\'mxs\.mail\.ru\'|yandex.ru|UYAP-CASTOL|KEROX|BIANG|FucKFilterCheckUnicodeEncoding|FucKFilterCheckURLEncoding|FucKFilterScanPOST|FucKFilterEngine|fake mailer|Fake mailer|Mass Mailer|MasS Mailer|ALMO5EAM|3QRAB|Own3d|eval\(\@\$_GET|TrYaG|Turbo Force|eval \( gzinflate|eval \(gzinflate|cgi shell|cgitelnet|\$_FILES\[file\]|\@copy\(\$_FILES|root\@|eval\(\(base64_decode|define\(\'SA_ROOT\'|cxjcxj|PCT4BA6ODSE|if\(isset\(\$s22\)|yb dekcah|dekcah|\@md5\(\$_POST|iskorpitx|\$__C|back connect|ccteam.ru|"passthru"|"shell_exec"|CHMOD_SHELL|EXIT_KERNEL_TO_NULL|original exploit|prepare_the_exploit|RUN_ROOTSHELL|ROOTSHELL|\@popen\(\$sendmail|\'HELO localhost\'|TELNET|Telnet|BACK-CONNECT|BACKDOOR|BACK-CONNECT BACKDOOR|AnonGhost|CGI-Telnet|webr00t|Ruby Back Connect|Connect Shell|require \'socket\'|HACKED|\@posix_getgrgid\(\@filegroup|\@posix_getpwuid\(\@fileowner|\&\#222\;\&\#199\;\&\#198\;\&\#227\;\&\#229\;|open_basedir|disable_functions|brasrer64r_rdrecordre|hacked|Hacked|\$sF\[4\]\.\$sF\[5\]\.\$sF\[9\]\.\$sF\[10\]\.|\$sF\="PCT4BA6ODSE_"|\$s21\=strtolower|6ODSE_"\;|Windows-1251|\@eval\(\$_POST\[|h4cker|Kur-SaD|\'Fil\'\.\'esM\'\.\'an\'|echo PHP_OS\.|\$testa != 
""|\@PHP_OS|\$_POST\[\'veio\'\]|file_put_contents\(\'1\.txt\'|\$GLOBALS\["\%x61|\\\40\\\x65\\\166\\\x61\\\154\\\x28\\\163\\\x74\\\162\\\x5f\\\162\\\x65\\\160\\\x6c\\\141\\\x63\\\145|md5decrypter\.com|rednoize\.com|hashcracking\.info|milw0rm\.com|hashcrack\.com|function_exists\(\'shell_exec\'\)|Sh3ll Upl04d3r|Sh3ll Uploader|S F N S A W|\$\{\$\{"GLOBALS"\}|\$i59\="Euc\<v\#|\$contenttype \= \$_POST\[|eval\(base64|killall|1\.sh|\/usr\/bin\/uname -a|FilesMan|unserialize\(base64_decode|eval \( base64|eval \(base64|eval\(unescape|eval\(@gzinflate|gzinflate\(base64|str_rot13\(\@base64|str_rot13\(base64|gzinflate\(\@str_rot13|\/\.\*\/e|gzuncompress\(base64|substr\(\$c, \$a, \$b|\\\x47LOB|\\\x47LO\\\x42|\\\x47L\\\x4f\\\x42|\\\x47\\\x4c\\\x4f\\\x42|eval\("\?\>"\.base64_decode|\|imsU\||\!msiU|host\=base64|exif \= exif_|"\?Q\?|decrypt\(base64|Shell by|die\(PHP_OS|shell_exec\(base64_decode|\$_F\=|edoced_46esab|\$_D\=strrev|\]\)\)\;\}\}eval|\\\x65\\\x76\\\x61\\\x6c\\\x28|"e"\."va"\."l|\$so64 \=|sqlr00t|qx\{pwd\}|OOO0000O0|OOO000O00|OOO000000|\/\\\r\\\n\\\r\\\n|\$baseurl \= base64_decode|\$remoteurl\,\'wp-login\.php\'|\'http\:\/\/\'\.\$_SERVER\[\'SERVER_NAME\'\]|kkmvbziu|\$opt\("\/292\/e"|\$file\=\@\$_COOKIE\[\'|phpinfo\(\)\;die|return base64_decode\(|\@imap_open\(|\@imap_list\(|\$Q0QQQ\=0|\$GLOBALS\[\'I111\'\]|base64_decode\(\$GLOBALS|eval\(x\(|\@array\(\(string\)stripslashes|function rx\(\)| IRC |BOT IRC|\$bot_password|this bot|Web Shell|Web shell|getenv\(\'SERVER_SOFTWARE\'\)|file_exists\(\'\/tmp\/mb_send_mail\'\)|unlink\(\'\/tmp\/|imap_open\(\'\/etc\/|ini_set\(\'allow_url|\'_de\'\.\'code\'|\'base\'\.\(32\*2\))';
my @defaultdirs = ('./');
my $MAXLINES = 40000;
my($strings, $md5sum, $file, %badhash);
&inithelpers;
&badhashes;
#my $executable = '^(sshd|cache|exim|sh|bash)$';
if ($ARGV[0] =~ /^-c/) {
$patterns = '(social\.png)';
$scripts = '\.(php)$';
shift(@ARGV);
}
if ($ARGV[0] =~ /^-/) {
my $l = join(',', @defaultdirs);
print STDERR <<EOF;
usage: $0 [-c] [directories to scan...]
If no directories specified, script uses:
$l
If -c specified, searches just for one set of cryptphp
markers. May miss newer versions
EOF
exit 0;
}
if (!scalar(@ARGV)) {
push(@ARGV, @defaultdirs);
}
for my $dir (@ARGV) {
&recursion($dir);
}
sub recursion {
my ($dir) = @_;
my (@list);
if (!opendir(I, "$dir")) {
return if $! =~ /no such file/i;
print STDERR "$dir: Can't open: $!, skipping\n";
return;
}
@list = readdir(I);
closedir(I);
for my $mfile (@list) {
next if $mfile =~ /^\.\.?$/; # skip . and ..
my $cf = $currentfile = "$dir/$mfile";
$cf =~ s/'/'"'"'/g; # hide single-quotes in filename
$cf = "'$cf'"; # bury in single-quotes
if (-d $currentfile && ! -l $currentfile) {
&recursion($currentfile); # don't scan symlinks
next;
}
next if ! -f $currentfile;
if ($mfile =~ /$scripts/) {
&scanfile($currentfile, $scriptpat);
} elsif ($mfile =~ /$access/) {
&scanfile($currentfile, $accesspat);
}
# up to here it's fast.
next if -s $currentfile > 1000000 || -s $currentfile < 2000;
#print STDERR "$currentfile\n";
my $type = `$file $cf`;
if ($type =~ /(ELF|\d\d-bit).*executable/ || $currentfile =~ /\.(exe|scr|com)$/) {
#print STDERR "cf: $cf\n";
my $checksum = `$md5sum $cf`;
chomp($checksum);
$checksum =~ s/\s.*//;
if ($badhash{$checksum}) {
print STDERR "$currentfile: Malware detected!\n";
next;
}
my $strings = `$strings $cf`;
if ($strings =~ /\/usr\/bin\/perl/sm) {
print STDERR "$currentfile: possible binary-encoded-perl\n";
next;
}
}
}
}
sub scanfile {
my ($currentfile, $patterns) = @_;
#print $currentfile, "\n";
open(I, "<$currentfile") || next;
my $linecount = 1;
while(<I>) {
chomp;
if ($_ =~ /$patterns/) {
my $pat = $1;
my $string = $_;
## Wasn't printing the result correctly, so we gave up on this code.
# if ($string =~ /^(.*)$pat(.*)$/) {
# $string = substr($1, length($1)-10, 10) .
# $pat .
# substr($2, 0, 10);
# }
#$string =~ s/^.*(.{,10}$pat.{,10}).*$/... $1 .../;
print "$currentfile: Suspicious($pat):\n $string\n\n";
last;
}
last if $linecount++ > $MAXLINES;
}
close(I);
}
sub inithelpers {
if (-x '/usr/bin/md5sum') {
$md5sum = '/usr/bin/md5sum';
} elsif (-x '/sbin/md5') {
$md5sum = '/sbin/md5 -q';
}
for my $x (('/bin', '/usr/bin')) {
if (-x "$x/strings") {
$strings = "$x/strings";
}
if (-x "$x/file") {
$file = "$x/file";
}
}
die "Can't find 'md5' checksumming tool - normally in Linux coretools package" if !$md5sum;
die "Can't find 'strings' tool - normally in Linux bintools package" if !$strings;
die "Can't find 'file' tool - normally in Linux 'file' package" if !$file;
}
sub badhashes {
map { $badhash{$_} = 1; } ((
'f7536bb412d6c4573fd6fd819e1b07bb',
'0fdb34f48166dae57ff410d723efd3f7',
'396d1fb94d79b732f6ab2fa6c5f3ed39',
'fd3c01133946d59ace4fdb49dde93268', #Directmailer .exe Windows binary
));
}
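Review bot: The `-c` branch assigns `$patterns = '(social\.png)'`, but `recursion` always calls `scanfile($currentfile, $scriptpat)`, so the option narrows the extension list while still scanning with the full pattern set; it should assign `$scriptpat` instead. In `scanfile`, `open(I, "<$currentfile") || next;` is a two-argument open on names read from the directories under inspection: Perl trims whitespace from such names and a failed open is skipped without a message, so a file can go unscanned silently. `open(my $fh, '<', $currentfile) or do { print STDERR "$currentfile: Can't open: $!\n"; return; };` addresses both and also replaces the `next` that leaves the sub through the caller's loop. The script also lacks `use strict; use warnings;`, which would have flagged the undeclared `$patterns` and `$currentfile`.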

268
malware.pl Normal file

File diff suppressed because one or more lines are too long

353
malware2.pl Normal file

File diff suppressed because one or more lines are too long