Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

moved deprecated scripts where they belong

Browse Source
This commit is contained in:
Palma Solutions LTD
2019-02-23 06:34:28 +01:00
parent 14ad2ab425
commit 2ed80e7078
19 changed files with 1651 additions and 1651 deletions
Download Patch File Download Diff File Expand all files Collapse all files

625
deprecated/clean.php Normal file
View File

@@ -0,0 +1,625 @@
<?php
/**
* Malware cleaner (old PHP version - needs tweaking)
* Modified by Malin Cenusa (original code by Nino Paolo Amarillento)
* Version: 1.1
* malin.cenusa@lunarpages.com
*
*
*/
ini_set('memory_limit','512M'); // If you have memory_limit problem just adjust to a higher value, like 256M
set_time_limit(0);
ob_start();
// header("Content-type:text/plain");
$root = "../";
$aPattern = array(
"eval\(base64_decode\(\'aWYgKGlzc2V0KCRfUE9TVFsienoxIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30=\'\)\)",
"<\?php\s*\W.*([a-zA-Z0-9]{5}).*=\s*array\((.*)function_exists\(\"(.*)\);\}\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{10}).*\s*=\s*\'(.*)\/epreg_replace(.*)explode\(chr\(\((.*)-1; ?>",
"<script\s*type=\"text\/javascript\"\s*src=\"http:\/\/ftp\.sanatoriomayosa\.com\.ar\/zdKrgP8p\.php\Wid=(.*)\"><\/script>",
"<\?php\s*\W(.*)=\s*array\(\'(.*)=\s*array\(\'(.*)=\s*array\(\'(.*)==\";if\s*\(\Wfunction_exists\(\"(.*)\);\}\?>",
"<\!--.*([a-zA-Z0-9]{6}).*--><script\s*type=\"text\/javascript\"\s*src=\"http\:\/\/centexcomputer.com\/(.*)\"><\/script><\!--\/.*([a-zA-Z0-9]{6}).*-->",
"eval\(base64_decode\(\W_POST\[\'.*([a-zA-Z0-9]{7}).*\'\]\)\);",
"<iframe\s*width=\"10\"\s*height=\"10\"\s*src=\"http:\/\/(.*)\"\s*frameborder=\"0\"><\/iframe>",
"<script\s*type=\"text\/javascript\">\s*\(function\(\)\{var\s*agent\s*\=\s*navigator\.userAgent;(.*)\{location\.href\s*\=\s*\'http\:\/\/bit\.ly\/1aMmdYs\';\}\}\)\(\)\s*<\/script>",
"<script\s*type=\"text\/javascript\">if\(document.loaded\)\s*\{\s*showBrowVer\(\);(.*)js_kod2\);\s*\}\s*\}\s*\}<\/script>",
"<\?php\s*\/\/\s*The\s*JS\s*here(.*)Eabi.p\!\'\s*\)\s*\);",
"<embed\s*src\=\"http:\/\/(.*)\"\s*type=\"application\/x-shockwave-flash\"\s*wmode=\"transparent\"\s*width=\"1\"\s*height=\"1\"><\/embed>",
"ErrorDocument(.*)http\:\/\/congatarcxisi.ru\/mays\/index.php",
"<iframe\s*width=\"10\"\s*height=\"10\"\s*src=(.*)frameborder=\"0\"><\/iframe>",
"<iframe(.*)nioxox(.*)iframe>",
"<\?php\s*if\s*\(\Wisset(.*)aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRIL3N0YXQucGhw(.*)stCurlHandle\);\s*\}\s*\}\s*\?>",
"<iframe\s*src=\"(.*)\"\s*height=\"0\"\s*width=\"0\"\s*style=\'visibility:\s*hidden\'><\/iframe>",
"<?php(.*)4125a73128a5bc472091d99126855415(.*)exit\(\)\;\s*\}\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{5}).*=\s*\"(.*)exit\(\);\s*\}\s*\?>",
"<script\s+?src=http:\/\/photopost\.co\.kr\/iphotodown\/ebindexp\.php\s+?>",
"<\?php\s*\W.*([a-zA-Z0-9]{4}).*=\s*\"(.*)echo\s*\W.*([a-zA-Z0-9]{6}).*;\s*exit\(\);\s*\}\s*\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{10}).*=\s*\'(.*)=\W.*([a-zA-Z0-9]{10}).*-1;\s*\?>",
"<iframe\s*src=\"http\:\/\/(.*)\/counter.php\"\s*style=\"visibility:\s*hidden;\s*position:\s*absolute;\s*left:\s*0px;\s*top:\s*0px\"\s*width=\"10\"\s*height=\"10\"\/>",
"<\!DOCTYPE(.*)BreezeBrowser(.*)printFullsizeContent\(\)(.*)<\/html>",
"<script\s*language=\"javascript\">\s*var\s*\_0x2b7d(.*)0x2b7d\[8\]\]\(hs\);\s*<\/script>",
"<iframe\s*src=\"http\:\/\/(.*)ini\.php\"\s*width=\"1\"\s*height=\"1\"\s*frameborder=\"0\"><\/iframe>",
"<\?PHP\s*\/\*\s*GNU(.*)gnu=false;\s*\}\s*\?>",
"\#c3284d\#(.*)\#\/c3284d\#",
"<\?php\s*if\s*\(isset\(\W_POST\[\"code\"\]\)\)\s*eval\(base64_decode\(\W_POST\[\"code\"\]\)\);\s*\?>",
"<\?\Wtds\=\"http\:\/\/(.*)\}\?>",
"<IfModule\s*mod_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{HTTP_REFERER\}\s*\^\.\*\(google\|ask\|(.*)RewriteRule\s*\^\(\.\*\)\W\s*http\:\/\/datinginstallshield.ru\/pavilion\?8\s*\[R\=301,L\]",
"<\?\Wtds\=\"http\:\/\/(.*)echo\s*\Wx;\}\?>",
"<\?PHP\s*defined\(\'_OLD_JEXEC_\'\)\s*or\s*die\(@eval\(base64_decode\(\W_REQUEST\[\'(.*)\'\]\)\)\);\s*\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{5}).*\s*=\s*\"(.*)exit\(\);\s*\}\s*\?>",
"^<\?php\s*\Whaikzdiigp(.*)quegvtluws\-1;\s*\?>",
"\/\*.*([a-zA-Z0-9]{6}).*\*\/(.*)\/\*\/.*([a-zA-Z0-9]{6}).*\*\/",
"\/\*63aef4\*\/(.*)\/\*\/63aef4\*\/",
"<\?PHP\s*\/\/Authentication(.*)eval\(gzinflate\(base64_decode\((.*)8A\'\)\)\);\s*\?>",
"<\?\s*error_reporting\(0\);\W\w=\(isset\(\W_SERVER\[\"HTTP_HOST\"\]\)(.*)curl_exec\(\W\w\w\);curl_close\(\W\w\w\);eval\(\W\w\);\};die\(\);\s*\?>",
"RewriteCond\s*\%\{HTTP_USER_AGENT\}\s*android\s*\[NC\,OR\](.*)\.php\s*\[L\,R\=302\]",
"<\?php(.*)if\(isset\(\W_REQUEST\[\'(.*)eval\((.*)exit\(\);\s*\}\s*if\(isset\(\W_REQUEST\[\'(.*)fopen\((.*)fwrite\((.*)fclose\((.*)exit\(\);\s*\}\s*\?>",
"<\!\-\-1c1c7d\-\->(.*)<\!\-\-\/1c1c7d\-\->",
"<script>\s*var\s*x\s*=\s*\'h\'\s*\+\s*\'t\'\s*\+\s*\'t\'\s*\+\s*\'p\'(.*)\'m\'\s*\+\s*\'e\'\s*\+\s*\'>\'\);\s*<\/script>",
"\#\#\#\#\#\#\#\#GET\#\#\#\#\#\#\#(.*)\.ru\s*\[L\,R\=302\]",
"<iframe\s*name\=Twitter(.*)<\/iframe>",
"ErrorDocument(.*)http\:\/\/msn.com",
"<IfModule\s*mod_rewrite\.c>(.*)msn\.com\s*\[R\=301\,L\]\s*<\/IfModule>",
"try\{if\(window\.document\)\-\-document\.getElementById\(\'12\'\)(.*)\/\*\/d04bb5\*\/",
"<u\s*style\=\"left\:\s*\-(.*)<\/u>",
"########GET#######(.*)gerania\.ru\s*\[L\,R\=302\]",
"<\?php\s*#(.*)#\s*\?>",
"<\?\Wtds\=\"http\:\/\/(.*)\{echo\s*\Wx;\}\?>",
"<\?php\s*\#c4e573\#(.*)\#\/c4e573\#\s*\?>",
"<\?php\s*define\(\'CONFIG_FILE\'\,\s*\'\/images\/config\.db\'\);(.*)process\(\);\s*\?>",
"<\!\-\-05f6a(.*)<\/script><\!\-\-05f6a42413abf89b36479144725bcc597bkmr0naf2i4od6f\-\->",
"\#767b55\#(.*)\#\/767b55\#",
"\#f879e8\#(.*)\#\/f879e8\#",
"<\?php\s*\W\_\s*\=\s*strrev\(\"tress\Wx61\"\);(.*)073\"\);\s*\?>",
"ument;for\(i\=0(.*)apply\(ss\,a\)\);<\/script>",
"\,167\,155\,170(.*)apply\(ss\,a\)\);<\/script>",
"147\,163\,163(.*)\/\*\/f82c4e\*\/",
"\/\*f82c4e\*\/(.*)\/\*\/f82c4e\*\/",
"\}147\,163\,163(.*)\/\*\/f82c4e\*\/",
"<\!\-\-d68107\-\->(.*)<\!\-\-\/d68107\-\->",
",151,170(.*)eval\(ss\[\"fromCharCode\"\].apply\(ss,a\)\);<\/script>",
"<img\s*id=\"hidadvnet\"(.*)centralrxmall\.com\/\';\">",
"<\?\s*\#17da00\#(.*)\#\/17da00\#\s*\?>",
"<iframe\s*src\=\"http\:\/\/(.*)\"\s*height\=1\s*width\=1\s*frameborder\=0><\/iframe>",
"<\?php\s*if\(\W_GET\[\'(.*)\'\]==\"(.*)\"\)\{\s*eval\(base64_decode\(\W_POST\[\'(.*)\'\]\)\);\s*exit;\s*\}\s*\?>",
"<\?php\s*if\(md5\(\W_COOKIE\[\'_wp_debugger\'\]\)==\"69d8bf808cff565a2e89942f5bc3a94e\"\)\{\s*eval\(base64_decode\(\W_POST\[\'file\'\]\)\);\s*exit;\s*\}\s*\?>",
"<script\s*language\=\"JavaScript\"\s*src\=\"http\:\/\/stummann\.net\/steffen\/google\-analytics\/jquery\-1\.6\.5\.min\.js\"\s*type\=\"text\/javascript\"><\/script>",
"<\!\-\-339810\-\->(.*)<\!\-\-\/339810\-\->",
"<\?php\s*session_start\(\);(.*)cwd\s*\=\s*getcwd\(\)\.DIRECTORY_SEPARATOR;(.*)function\s*mailf\((.*)80<\/address>\Wn<\/body>\Wn<\/html>\";\}\s*\?>",
"<html><head>\s*<title>404\s*Not\s*Found<\/title>(.*)UDP\s*flood\s*completed\s*with(.*)die\(\"\Wnbsp;\"\);\s*}\s*\?>",
"<\!\-\-2d3965\-\->(.*)<\!\-\-\/2d3965\-\->",
"<\?php\s*eval\(\"\?>\"\.base64_decode\(\"IDxkaXY(.*)9kaXY\+\"\)\)\;\s*\?>",
"<script>function\s*c3257948b3q49f99fc8e80fa\(q49f99fc8e88c3\)(.*)\(q49f99fc8ea033\(q49f99fc8ed6df\)\);<\/script>",
"\#\!\/usr\/bin\/perl\s*\W\?\?s\:\;s\:s\;\;\W\?\:\:s\;\(\.\*\)(.*)\_rs\}\&a\-\h\;\;s\;\(\.\*\)\;\W\_\;see\;",
"<\!\-\-32f02e\-\->(.*)<\!\-\-\/32f02e\-\->",
"<\?php\s*\/\*(.*)\*\/\s*function\s*xmail\s*\(\)(.*)return\s*\Wo\;\}\?>",
"Options\s*\-MultiViews\s*ErrorDocument\s*404\s*\/\/(.*)\.php",
"<script\s*type\=\"text\/javascript\"\s*language\=\"javascript\">\s*tqrjmw\=document\;cxlr\=(.*)<\/script>",
"\/\*2d3965\*\/(.*)\/\*\/2d3965\*\/",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^.\*\(google\|ask\|yahoo\|yandex\|ya\|baidu\|(.*)\!\/phpinfo\.php\s*RewriteRule\s*\(\.\*\)\s*\/phpinfo\.php\?query\=\W1\s*\[QSA\,L\]\s*<\/IfModule>",
"<\?php\s*\/\*(.*)\*\/\s*eval\(gzinflate\(base64\_decode\(\'(.*)\'\)\)\)\;\?>",
"<\!\-\-2d3965\-\->(.*)<\!\-\-\/2d3965\-\->",
"\#a9a007\#(.*)\#\/a9a007\#",
"<\?php\s*\/\*b97227(.*)8d1zyyx\*\/\s*\?>",
"<\!\-\-b97227(.*)8d1zyyx\-\->",
"<\!\-\-a9a007\-\->(.*)<\!\-\-\/a9a007\-\->",
"\/\*74ed9f\*\/(.*)\/\*\/74ed9f\*\/",
"\/\*a9a007\*\/(.*)\/\*\/a9a007\*\/",
"<\!\-\-0f868c\-\->(.*)<\!\-\-\/0f868c\-\->",
"<\?php\s*\WSERVER_UNIQUE_LOAD_BALANCE\s*\=\s*strrev\((.*)SERVER_UNIQUE_LOAD_BALANCE\(current\(\W_REQUEST\)\)\)\;",
"<script>z=\"y\";vz=\"d\"\+\"oc\"\+\"ument\"(.*)zaz=za;e\(zaz\);\}<\/script>",
"<\!\-\-\s*\~\s*\-\->(.*)<\!\-\-\s*\~\s*\-\->",
"\#17da00\#(.*)\#\/17da00\#",
"\/\*17da00\*\/(.*)\/\*\/17da00\*\/",
"<\!\-\-d04bb5\-\->(.*)<\!\-\-\/d04bb5\-\->",
"\#0f2490\#(.*)\#\/0f2490\#",
"\/\*0f2490\*\/(.*)\/\*\/0f2490\*\/",
"\#d04bb5\#(.*)\#\/d04bb5\#",
"\/\*d04bb5\*\/(.*)\/\*\/d04bb5\*\/",
"<\!\-\-950459\-\->(.*)<\!\-\-\/950459\-\->",
"<\?php(.*)\=\@create\_function\((.*)\,\'ev\'\.\'al\'\.(.*)\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s*bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\((.*)\)\;\?>",
"\#9269ad\#(.*)\#\/9269ad\#",
"bv\=\(5\-3\-(.*)za\(s\)\}<\/script>",
"<\!\-\-0f2490\-\->(.*)<\!\-\-\/0f2490\-\->",
"<\?(.*)vBulletin\s*3\.1\.9(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\.\"\)\;",
"\#\s*Netscape\s*HTTP\s*Cookie\s*File(.*)<\?eval\(stripslashes\(array\_pop\(\W\_POST\)\)\)\?>\s*1",
/* "<\?php(.*)preg\_replace\(\"\/\.\*\/\e\"\,\"(.*)\"\,\"\.\"\)\;\?>", */
"GIF89a1\s*GIF89GHZ\s*<\?php\s*eval\s*\(gzinflate\(base64\_decode\(str\_rot13\(\"(.*)\"\)\)\)\)\;\s*\?>",
"GIF89a1\s*<\?php\s*eval\(\"\?\>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>",
"GIF89a1\s*<\?php\s*eval\(base64\_decode\(\'(.*)\'\)\)\;echo\(\'(.*)\'\)\;\?>",
"<\?error\_reporting\(0\)\;\Whost\=urldecode\(\W\_GET\[\'ho\'\]\)(.*)fclose\(\Whttp\)\;die\(\)\;\}\?>",
"<\?error\_reporting\(0\)\;\Whost\=urldecode\(\W\_COOKIE\[\'ho\'\]\)(.*)socket\_close\(\Wsocket\)\;\}die\(\)\;\}\s*\?>",
"GIF89a1\s*<\?php\s*eval\(stripslashes\(\@\W\_POST\[\(chr\(112\)\.chr\(49\)\)\]\)\)\;\?>",
"<\?php\s*\WGLOBALS\[\'(.*)\'\]\=Array\(base64\_decode\((.*)\)\)\;\}\s*\?>",
"<\!\-\-\#1h8s0a1m\-\->(.*)<\!\-\-\#1h8s0a1m\-\->",
"<\!\-\-0c0896\-\->(.*)<\!\-\-\/0c0896\-\->",
"\#0c0896\#(.*)\#\/0c0896\#",
"\/\*0c0896\*\/(.*)\/\*\/0c0896\*\/",
"<\?php\s*\Wauth\_pass(.*)\"\,\"\.\"\)\;\s*\?>",
"<\?php\s*\Wauth\_pass(.*)exit\;",
"<\?php(.*)me\s*\=\s*basename\(\_\_FILE\_\_\)\;(.*)function\s*reload\(\)\{header\(\"Location\:\s*\"\.basename\(\_\_FILE\_\_\)\)\;\}(.*)\"\,\'\.\'\)\;\?>",
"<\?php(.*)strrev\(\"edoced\_46esab\"\)\;(.*)\'\)\)\)\)\;\s*\?>",
"<\?php\s*\Ws\_key\=\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;eval\(\Ws\_key\(\"(.*)\=\"\)\)\;\s*\?>",
"<\!\-\-Support\s*links\s*begin\-\->(.*)<\!\-\-Support\s*links\s*end\-\->",
"<\!\-\-f82c4e\-\->(.*)<\!\-\-\/f82c4e\-\->",
"<\?php\s*\Wzend_framework\=\"(.*)x2f\"\)\;\s*\?>",
"\Wcookey\s*\=\s*(.*)preg_replace(.*)x3b\"\)\;",
"<\?php\s*\/\*\s*\<\<Mr\.DevilHacker\>\>\s* dvhma\@yahoo.com\*\/\s*eval\(\"\?\>\"\.gzuncompress\(base64\_decode\((.*)mail\s*\(\Wto\,\Wsubject\,\Wmessage\)\s*;\s*",
"<form\s*action\=\"\"\s*method\=\"POST\"\>(.*)ProGraMmeD(.*)SrawLkom\s*\:\s*\)\s*\.\s*\<\/p\>\s*\<p\>\Wnbsp\;\s*\<\/p\>",
"^if\(isset(.*)auth_pass\=(.*)FilesMan(.*);preg_replace\((.*);exit;\s*\}$",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'rV(.*)qLw\=\=\'\)\)\)\;\?>\s*",
"<\?php\s*if\s*\(\Wisset\(\WsRetry\)\)(.*)stCurlLink\s*\=\s*base64\_decode\(\s*(.*)curl_close\(\WstCurlHandle\);\s*\}\s*\}\s*\?>",
"<\!\-\-d0e3a6\-\->(.*)<\!\-\-\/d0e3a6\-\->",
"<\?php\s*\Wzend_framework\=(.*)x2f\"\)\;\s*\?>",
"eval\(gzinflate\(base64_decode\('rVdtU9tIEv7sVO1(.*)wv'\)\)\);",
"#0242d5#(.*)#\/0242d5#",
"<iframe\s*src\=http\:\/\/sexshopsexy\.es\/waser\.html\s*WIDTH\=1\s*HEIGHT\=1\s*frameborder\=0><\/IFRAME>",
"if\(isset(.*)\=sprintf\(\(substr\(urlencode\(print\_r\(array(.*)eval\(\Wd\)\;\s*\}",
"ErrorDocument\s*500\s*http\:\/\/cylinderssoundsyou\.portuguesemx\.info\/benrataz\.cgi\W\d",
"document\.write\(\'<iframe\s*src\=\"http\:\/\/cylinderssoundsyou.portuguesemx.info\/benrataz\.cgi\W\d\"\s*scrolling\=\"auto\"\s*frameborder\=\"no\"\s*align\=\"center\"\s*height\=\"12\"\s*width\=\"12\"><\/iframe>\'\)\;",
"<script\s*language\=\"JavaScript\"\s*src\=\"http\:\/\/abtt\.tv(.*)jquery\-1\.6\.5\.min\.js\"\s*type\=\"text\/javascript\"><\/script>",
"#0c0896#(.*)#\/0c0896#",
"<\!\-\-0c0896\-\->(.*)<\!\-\-\/0c0896\-\->",
"\/\*0c0896\*\/(.*)\/\*\/0c0896\*\/",
"<\?php(.*)auth\_pass\=(.*)FilesMan(.*)preg\_replace(.*)exit\;\s*\}\s*\?>",
"<\?php\s*if\(isset(.*)d\=substr(.*)foreach\(array(.*)sprintf\(\(substr\(urlencode\(print\_r\(array(.*)\?>",
"<\?php\s*\/\*\s*copyright\s*\*\/(.*)\=base64_decode(.*)exit\;\}\s*\/\*\s*copyright\s*\*\/\s*\?>",
"<\?php\s*\/\*(.*)\*\/eval\/\*(.*)\*\/base64_decode\/\*(.*)\*\/\s*\?>",
"<\?php eval\(base64_decode\(\"DQoNCn(.*)o=\"\)\); \?>",
"RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^\.\*\(google(.*)index\_backup\.php\s*\Wquery\=\W1\s*\[QSA\,L\]",
"RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^\.\*\(google(.*)index\_backup\.php\s*\[R\=301\,L\]",
"<\?php\s*eval\(base64\_decode\(\"DQoN(.*)0KDQo\=\"\)\)\;\s*\?>",
"<iframe\s*src\=\"http\:\/\/(.*)\/\"\s*width\=\"4\"\s*height\=\"2\"><\/iframe>",
"<\?\s*#0242d5#(.*)#\/0242d5#\s*\?>",
"<\?php\s*\/\*\.\~\.\~\.\~\.\*\/(.*)\/\*\.\~\.\~\.\~\.\*\/\s*\?>",
"<\?php\s*?\/\*\*\/\s*?eval\(base64_decode\(\"aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9z(?:.+?)ICB9ICB9\"\)\);\?>",
"\s*?(?:\/\*\*\/\s*?)?eval\((?:gzinflate\()?base64_decode\(['\"]DQplcnJvcl9yZXBvcn(?:.+?)QoKTsNCn0NCn0NCn0NCn0=['\"]\)(?:\))?\);",
"<?php\s+\/\*\*\/\s+eval\(base64_decode\(['\"]aWYoZnVuY3(?:.*?)CB9ICB9['\"]\)\);?>",
"<\?\s*\#bf760a\#(.*)\#\/bf760a\#\s*\?>",
"eval\(base64_decode\([\'\"]DQp(?:.*)?[\'\"]\)\);",
"<\?php\s*\/\*\*\/\s*eval\(base64\_decode\(\"aWYoZnV(.*)CB9ICB9\"\)\)\;\?>",
"<!-- 4ccd15b6d4 -->(.*)<!-- 4ccd15b6d4 -->",
"\;var\s*\_1O0\=\'\=\=(.*)eval\(ll0\(lOl\(\_1O0\)\)\)",
"\s*eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);",
"<iframe\s*src\=\"http\:\/\/riversidetransit\.com\/counter\.php\"\s*style\=\"visibility\:\s*hidden\;\s*position\:\s*absolute\;\s*left\:\s*0px\;\s*top\:\s*0px\"\s*width\=\"10\"\s*height\=\"10\"\/>",
"\#d93065\#(.*)\#\/d93065\#",
"\/\*9c282e\*\/(.*)\/\*\/9c282e\*\/",
"var\s*\_0x4470\=(.*)\(\_0x4470\[1\]\)\,0\,\{\}\)\)\;",
"ErrorDocument\s*400\s*http\:\/\/(.*)\W\d",
"<\?\s*error\_reporting\(0\)(.*)if\(\(include\(base64\_decode\(\"aHR0cDovL2Fkcy4\=\"\)(.*)\)\;\}\;\s*\?>",
"ErrorDocument\s*404\s*\/\/(.*)\.php",
"<\?\s*\#0242d5\#(.*)\#\/0242d5\#\s*\?>",
"<title>\s*Alien\s*\-\s*UFO\s*\-\s*<\?php\s*echo\s*getenv\(\"HTTP_HOST\"\)\;\s*\?><\/title>(.*)print\s*\"<pre><center>UpLoad\s*Error\!<\/center><\/pre>\"\;(.*)\?><\/body><\/font><\/font><\/b><\/font>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^\.\*\(google\|ask\|yahoo\|yandex(.*)RewriteRule\s*\(\.\*\)\s*\/index\_backup.php\Wquery\=\W1\s*\[QSA\,L\]\s*<\/IfModule>",
"<\?\s*\WGLOBALS\[\'(.*)\=Array\(base64\_decode\(.*",
"<\?php\s*\@error\_reporting\(0\)\;\s*\@set\_time\_limit\(0\)\;\s*\Wstr\=\s*\"(.*)\"\;\s*eval\(GzInFlate\(Str\_Rot13\(Base64\_decode\(\Wstr\)\)\)\)\;\s*\?>",
"<script\s*type\=\"text\/javascript\"\s*src\=\"http\:\/\/(.*)\.php\"><\/script>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'1V(.*)\'\)\)\)\;\s*\?>",
"\#0242d5\#(.*)\#\/0242d5\#",
"<\!\-\-0242d5\-\->(.*)<\!\-\-\/0242d5\-\->",
"RewriteCond\s*\W\{HTTP\:X\-WAP\-PROFILE\}\s*\!\^\W\s*\[OR\](.*)RewriteCond\s*\W\{HTTP\_ACCEPT\}\s*text\/vnd\.wap\.wml\s*\[NC\]\s*RewriteRule\s*\^\(\.\*\)\s*http\:\/\/(.*)\[L\,R\=302\]",
"<\?\s*\#0242d5\#(.*)\#\/0242d5\#\s*\?>",
"<iframe\s*name\=Twitter\s*scrolling\=auto\s*frameborder\=no\s*align\=center\s*height\=2\s*width\=2\s*src\=http\:\/\/(.*)\.html(.*)><\/iframe>",
"document\.write\(\'<iframe\s*name\=Twitter\s*scrolling\=auto\s*frameborder\=no\s*align\=center\s*height\=2\s*width\=2\s*src\=http\:\/\/(.*)\.html(.*)><\/iframe>\'\)\;",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteBase\s*\/\s*RewriteCond\s*\W\{HTTP\_REFERER\}\s*\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)\s*RewriteCond\s*\W\{HTTP\_HOST\}\/\W1\s*\!\^\[w\.\]\*\(\[\^\/\]\+\)\/\D\W\s*\[NC\]\s*RewriteRule\s*\^\.\*\W\s*http\:\/\/(.*)\.html(.*)\[L\,R\]\s*<\/IfModule>",
"\#b5bee1\#(.*)\#\/b5bee1\#",
"\/\*b5bee1\*\/(.*)\/\*\/b5bee1\*\/",
"<\!\-\-b5bee1\-\->(.*)<\!\-\-\/b5bee1\-\->",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'fVdtc9pGEP7czPQ(.*)x5V8\=\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'hVfrc9pGEP(.*)wI\=\'\)\)\)\;\?>",
"<script\s*language\=\"JavaScript\"\s*type\=\"text\/javascript\"><\!\-\-\s*var(.*)\;eval\(unescape\(\"(.*)\;document\.write\(u\)\;u\=\"\"\;\/\/\-\->\s*<\/script>",
"<\?PHP\s*defined\(\'\_OLD\_JEXEC\_\'\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;\s*\?>",
"<\?php\s*if\(isset\(\W\_REQUEST\[\"(.*)\"\]\)\)\s*\{\s*eval\(base64\_decode\(\W\_REQUEST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}\s*else\s*\{\s*die\(\"404\s*Not\s*Found\"\)\;\s*\}\?>",
"function\_exists\(\'date\_default\_timezone\'\)\s*\?\s*date\_default\_timezone\_set\(\'America\/Los\_Angeles\'\)\s*\:\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\;",
"<\?PHP\s*define\(\'REAL\_SERVER\_ROOT\'\,\s*\'SERVER\'\)\;\s*\/\/DIR(.*)define\(\'SYSTEM\_SKEL\_DIR\'\,\s*\'skel\'\)\s*\?\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\:(.*)define\(\'WORKGROUPS\_META\_SETTINGS\_FILENAME\'\,\s*\'settings.xml\'\)\;\s*\?>",
"<\?php\s*echo\s*\'<b>Sw\s*Bilgi<br><br>\'\.php\_uname\(\)\.\'<br><\/b>\'\;(.*)else\s*\{\s*echo\s*\'<b>Basarisiz<\/b><br><br>\'\;\s*\}\s*\}\s*\?>",
"<\?php\s*preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\"\)\;\s*\?>",
"<\?php\s*\Wauth\_pass\s*\=\s*\"(.*)\"\s*\Wcolor\s*\=\s*\"(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\.\"\)\;\?>",
"\#GIF89\;<br><br>\s*<Hmei7>\s*<\?php\s*if\s*\(\s*isset\(\W\_GET\[\'versi\'\]\)\s*\)\'s*\{\s*vers\(\)\;(.*)fff\s*\=\s*fopen\(\'\.\/images\/\'\.\Wnama\,\s*\'w\'\)\;\s*fwrite\(\Wfff\,\s*\Wtmp\)\;\s*fclose\(\Wfff\)\;\s*\}\s*\?>",
"<\?php\s*if\(\!empty\(\W\_FILES\[\'message\'\]\[\'name\'\]\)\s*AND\s*\(md5\(\W\_POST\[\'nick\'\]\)\s*\=\=(.*)<br\/>Nick\:\s*<br\/><input\s*name\=\"nick\"\s*value\=\"\"\/><br\/>\s*<input\s*type\=\"submit\"\s*value\=\"Sent\"\s*\/>\s*<\/form>\s*<\/body>\s*<\/html>\'\;",
"<\!\-\-0c45ef\-\->(.*)<\!\-\-\/0c45ef\-\->",
"<\?php\s*\Wis\_bot\s*\=\s*FALSE\s*;\s*\Wuser\_agent\_to\_filter\s*\=\s*array\(\s*\'\#fileuploads\#\'\)\s*\;(.*)<title>404\s*Not\s*Found<\/title>\s*<\/head><body>\s*<h1>Not\s*Found<\/h1>\s*<\/body><\/html>\s*\'\;\s*\?>",
"<\?php\s*eval\(base64\_decode\(\'c2Vzc2lvbl9zdGFydCgpOw(.*)klzQ3JlYXRlIik7Cn0\=\'\)\)\;\s*\?>",
"<\?php\s*\Wd\=substr\(8\,1\)\;foreach\(array\((.*)d\.\=sprintf\(\(substr\(urlencode\(print\_r\(array\(\)\,1\)\)\,5\,1\)\.c\)\,\Wc\)\;\}eval\(\Wd\)\;exit\;\s*\?>",
"if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}php\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}",
"<\?php\s*\Whost\s*\=(.*)eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\((.*)curl\_close\(\Wch\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdK1EqzYAkDRf5noThFA410TAQd3l(.*)w\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*\/\/Counter\s*V\.1\.25\s*\/\/Generated\s*by\s*server\s*\/\/Do\s*not\s*delete\s*eval\(gzuncompress\(base64\_decode\(\'eF6FUlFLwzAY(.*)LPD5x\'\)\)\)\;\s*\?>",
"<\?php\s*if\s*\(\!isset\(\WsRetry\)\)\s*\{\s*global\s*\WsRetry\;(.*)stCurlLink\s*\=\s*base64\_decode\(\s*\'aHR0cDovL2NvbnFzdGF0LmNvbS9zdGF0L3N0YXQucGhw\'\)\.\'\?(.*)curl\_close\(\WstCurlHandle\)\;\s*\}\s*\}\s*\?>",
"<\!\-\-\s*linkslspw\s*\-\->(.*)<\!\-\-\s*linksbmtr\s*\-\->",
"<\?php\s*\/\*\s*This\s*file\s*is\s*protected(.*)\*\/\WOOO000000\=urldecode\(\'\%66\%67(.*)GLOBALS\[\'OOO0000O0\'\]\(\'JE8wMDBPME8(.*)\=alVnRPIq",
"<\?\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}\s*\?>",
"<\?php\s*if\(isset\(\W\_GET\[\"(.*)\"\]\)\)\{\s*\Wauth\_pass\=\"\"\;\Wcolor\=\"\#df5\"\;\Wdefault\_action\=\"FilesMan\"(.*)7X1re9s2z(.*)x3B\"\,\"\.\"\)\;\s*exit\;\s*\}\s*\?>",
"<\?php\s*if\(\!empty\(\W\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s*\{\s*\Wv2045f746\s*\=\s*array\(\"Google\"\,\s*\"Slurp\"\,\s*\"MSNBot\"(.*)return\s*\Wve04aa510\s*\;\s*\}\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ1rtwKAADvkiqRCzMpSmFm5m2(.*)R8\=\"\)\)\)\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteBase\s*\/\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)\s*RewriteCond\s*\%\{HTTP\_HOST\}\/\%1\s*\!\^\[w\.\]\*\(\[\^\/\]\+\)\/\W1\W\s*\[NC\]\s*RewriteRule\s*\^\.\*\W\s*http\:\/\/(.*)\[L\,R\]\s*<\/IfModule>",
"<\?php\s*if\s*\(isset\(\W\_POST\[\'(.*)\'\]\)\)\s*\{\s*eval\(\W\_POST\[\'(.*)\'\]\)\;\s*\}\;\s*\?>",
"<\?php\s*eval\(base64\_decode\(\'ZXJyb3JfcmVwb3(.*)VcbiIpOwp9Cn0KfQo\=\'\)\)\;\s*\?>",
"<\?php\s*session\_start\(\)\;\s*set\_time\_limit\(0\)\;(.*)function\s*cmdexec\(\Wcmd\)\s*\{\s*if\(function\_exists\(\'exec\'\)\)\@exec\(\Wcmd\)\;(.*)print\(\"IsCreate\"\)\;\s*\}\s*\?>",
"<\?php\s*print\(\"Direct\s*Access\s*Not\s*Allowed\"\)\;\s*if\(\s*\W\_GET\[\'token\'\]\s*\=\=\s*\"up\"\s*\)\s*\{(.*)echo\s*\'<b>K\.O<\/b><br><br>\'\;\s*\}\s*\}\s*\}\s*\?>",
"<\?php\s*\@set\_time\_limit\(0\)\;\s*\@error\_reporting\(NULL\)\;(.*)<\/p><\/body\s*><\/html\s*>\'\;die\(\)\;exit\(\)\;\s*\}\s*\?>",
"<\?php\s*defined\(\'\_JEXEC\'\)\s*or\s*die\(\'Restricted\s*access\'\)\;\s*class\s*modJGAHelper\s*\{(.*)\Wadm\s*\=\s*\"006\"\.\Wxls\;\s*return\s*\Wadm\;\s*\}\s*\}\s*\}",
"<\?php\s*session\_start\(\)\;\s*\Wme\=\W\_SERVER\[\'PHP\_SELF\'\]\;(.*)\W\_SESSION\[\'LoGiN\'\]\=true\;(.*)value\=Upload\s*\/><\/form>\"\;\s*\?>",
"<\?php\s*if\s*\(\W\_GET\[\'g0\'\]\=\=\'g3t\'\)\s*\{\s*\Wdocr\s*\=\s*\W\_SERVER\[\"DOCUMENT\_ROOT\"\]\;\s*echo\s*\<\<\<HTML(.*)passthru\(\W\_GET\[\'g3t\'\]\)\;\s*echo\'<\/pre>\'\;\s*exit\;\s*}\s*\?>",
"echo\"\s*<div\s*id\=\'newsline\'>(.*)viagraonlineget(.*)if\(document\.getElementById\(\'newsline\'\)(.*)\.style\.height\s*\=\s*\'0px\'\;\}<\/script>\s*<\/body>\s*<\/html>\s*\"\;",
"<iframe\s*src\=\"http\:\/\/(.*)\/counter\.php\"\s*style\=\"visibility\:\s*hidden\;\s*position\:\s*absolute\;\s*left\:\s*0px\;\s*top\:\s*0px\"\s*width\=\"10\"\s*height\=\"10\"\/>",
"<\!\-\-c3284d\-\->(.*)<\!\-\-\/c3284d\-\->",
"<iframe\s*name\=Twitter\s*scrolling\=auto\s*frameborder\=no\s*align\=center\s*height\=2\s*width\=2\s*src\=http\:\/\/(.*)><\/iframe>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZRFrsUIggTv0q(.*)33f\/4P\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"JZ3HkqzKlkT(.*)\+\+\+9\/\/w8\=\"\)\)\)\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteBase\s*\/\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)\s*RewriteCond\s*\%\{HTTP\_HOST\}\/\%1\s*\!\^\[w\.\]\*\(\[\^\/\]\+\)\/\W\s*\[NC\]\s*RewriteRule\s*\^\.\*\W\s*http\:\/\/(.*)\[L\,R\]\s*<\/IfModule>",
"<\?php\s*echo\s*\"<script\s*type\=\'text\/javascript\'>(.*)<\/script>\"\s*\?><\!\-\-\s*\~\s*\-\-><\!\-\-\s*\~\s*\-\->",
"<\?php\s*\/\*\*\/eval\(base64\_decode\(\'aWYo(.*)JoJyk7fX19\'\)\)\;\s*\?>",
"<\?php\s*\/\*\s*WARNING\:(.*)\Wo\=\"QAAAOzh3b3cNKC0tDSctJ09maQAAY(.*)FsKCRsbGxsbGxsbGwpOw\=\=\"\)\)\;return\;\?>",
"<\?php\s*\Wauth\_pass\s*\=\s*\"(.*)\Wcolor\s*\=\s*=\"(.*)\Wdefault\_action\s*\=\s*\'(.*)\Wdefault\_use\_ajax\s*\=\s*true\;\s*\Wdefault\_charset\s*\=\s*\'Windows\-1251\'\;\s*preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\.\"\)\;\?>",
"<\?php\s*\/\*\s*Plugin\s*Name\:\s*GSM(.*)c99sh_surl(.*)c99shexit\(\)\;\s*\?>",
"<\?php\s*\W(.*)array\(\"(.*)\"\)\;eval\(\"(.*)x3B\"\)\;\?>",
"<\?php\s*\Wurls\s*\=\s*array\s*\(\s*\'http\:\/\/(.*)\'\,\s*\)\;\s*\Wn\s*\=\s*mt\_rand\(0\,count\(\Wurls\)\s*\-\s*1\)\;\s*\Wrand\_url\s*\=\s*\Wurls\[\Wn\]\;\s*\?>\s*<meta\s*http\-equiv\=\"refresh\"\s*content\=\"1\;\s*url\=<\?php\s*echo\s*\Wrand\_url\;\?>\s*\">",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdS3roYKrgXgd5nqHFGQ4UdXU5(.*)Aw\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*\W(.*)\=\s*\"e\/\*\.\/\"\;\s*preg\_replace\(strrev\((.*)x3B\"\,\"\.\"\)\;\?>",
"<\?php\s*\W(.*)\=\s*array\(\'(.*)\'\)\;\s*\W(.*)\=\s*strrev\(\'edoced\_46esab\'\)\;\s*\W(.*)\=\s*strrev\(\'(.*)\'\)\;\s*eval\(\W(.*)\(implode\(\'\'\,\W(.*)\)\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DVa1DutYFPyXr(.*)Aw\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZVHDqwIAkPv0qv(.*)8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdQ3DrTWAkDhvbi(.*)w8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZa1zsUKrkbfZapzlCKwgxpNE(.*)8f\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZM1EqUKAgDv8qP5RYA(.*)M\/\"\)\)\)\;\s*\?>",
"Restricted\s*accoss\s*<\?php\s*error\_reporting\(0\)\;\s*ini\_set\(\"max\_execution\_time\"\,0\)\;\s*ini\_set\(\"default\_socket\_timeout\"\,\s*2\)\;\s*ob\_implicit\_flush\s*\(1\)\;\s*\Wfile\s*\=\s*\"\"\.\W\_POST\[\"path\"\]\;\s*\Wfh\s*\=\s*fopen\s*\(\Wfile\,\s*\'w\'\)\s*or\s*die\(\"\"\)\;\s*echo\s*fwrite\s*\(\Wfh\,\s*stripslashes\(\W\_POST\[\"raw\_data\"\]\)\)\;\s*fclose\(\Wfh\)\;",
"<\?php\s*if\s*\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\{\s*eval\(stripslashes\(\W\_REQUEST\[\'(.*)\'\]\)\)\;\s*\}\s*else\s*\{\s*echo\s*\"(.*)\"\;\s*\}\s*\?>",
"<\?php\s*\/\*(.*)\*\/\s*eval\(gzinflate\(base64\_decode\(\'(.*)\'\)\)\)\;\?>",
"<\?\s*error\_reporting\(0\)\;\Wa\=\(isset\(\W\_SERVER\[\"HTTP\_HOST\"\]\)(.*)if\(\(include\(base64\_decode\((.*)file\_get\_contents\(base64\_decode\(\"(.*)curl\_exec\(\Wcu\)\;curl\_close\(\Wcu\)\;eval\(\Wo\)\;\}\;die\(\)\;\s*\?>",
"Options\s*\-MultiViews\s*ErrorDocument\s*404(.*)\.php",
"<script>try\{document\.body\+\+}catch\((.*)\)\{try\{d\=document\[\"createElement\"\]\(\"span\"\)\;\}catch\((.*)\}try\{if\(ww\.document\)window\[\"doc\"\+\"ument\"\]\[\"body\"\]\=\"(.*)\=String\[\"fromCharCode\"\]\(parseInt\(n\[i\]\,12\*2\+2\)\)\;\}z\=s\;vl\=\"val\"\;if\(ww\.document\)eval\(z\)\}\}\}\}<\/script>",
"\#e2aa4e\#(.*)\#\/e2aa4e\#",
"<\!\-\-e2aa4e\-\->(.*)<\!\-\-\/e2aa4e\-\->",
"\#\s*exgocgkctswo\s*RewriteEngine\s*On(.*)\[R\=301\,L\]\s*\#\s*exgocgkctswo",
"<IfModule\s*prefork\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{REQUEST\_METHOD\}\s*\^GET\W(.*)<\/IfModule>\s*\#def7ed10b57fad1c63ba7d021fc22c8227e3b1a6b1e9cb70e1a150c7",
"eval\(base64\_decode\(\'ZXJyb3JfcmVwb3J0aW5n(.*)d8Jyk7IGZjbG9zZSgkZnApO30NCn0\=\'\)\)\;",
"eval\s*\(base64\_decode\s*\(\"aWYgKGlzc2V0KCRfUkVR(.*)hR0t0ZVhybmp6ZWRIICov\"\)\)\;",
"<\?php\s*\/\*\s*WSO\s*2\.1\s*\(Web\s*Shell\s*by\s*r0x\)\s*\*\/(.*)call\_user\_func\(\'action\'\s*\.\s*\W\_POST\[\'a\'\]\)\;\s*\?>",
"<\?php\s*\Whead\s*\=\s*\'(.*)Configuration\s*File\s*Killer(.*)symlink\(\Wrs\,\Wr\)\;\s*\}\s*\}\s*\}\s*\?>",
"<title>Wordpress\s*MassDeface(.*)function\s*file\_get\_contents2(.*)return\s*\Wresult\s*\;\s*\}\s*\?>",
"<\?php\s*error\_reporting\(7\)\;\s*\@set\_magic\_quotes\_runtime\(0\)\;\s*ob\_start\(\)\;(.*)scookie\(\'loginpass\'\,encode\_pass\(\Wpassword\)\)\;(.*)function\s*pr\(\Ws\)\{\s*echo\s*\"<pre>\"\.print\_r\(\Ws\)\.\'<\/pre>\'\;\s*\}\s*\?>",
"<\?php\s*set\_magic\_quotes\_runtime\(0\)\;\s*if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\s*\=\=\s*\"win\"\)\s*\{(.*)Command\s*completed<\/b><\/center>\"\;\s*\}\s*exit\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>(.*)\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)(.*)\[L\,R\]\s*<\/IfModule>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdU3EqxWAgDAuyj6(.*)\/\/AQ\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ1DuwGAETvkup\/(.*)\/\/\/77Pw\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*\Whost\s*\=\s*\'(.*)eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\W\_POST\[\'(.*)\'\]\)\)\)\)\)\)\;(.*)curl\_close\(\Wch\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZY1ssWIFQX34mimFIipHIm(.*)\+\+\/\/\/73\/w\=\=\"\)\)\)\;\s*\?>",
"<\?(.*)Guardi4n(.*)eval\(gzinflate\(base64\_decode\(\'7P15f9s4kjgO\/(.*)AQ\=\=\'\)\)\)\;\s*\?>",
"<\?php\s*if\(isset\(\W\_GET\[\"(.*)\"\]\)\)\{\s*\Wauth\_pass\=\"\"\;\Wcolor\=\"\#df5\"\;\Wdefault\_action\=\"FilesMan\"(.*)x3B\"\,\"\.\"\)\;\s*exit\;\s*\}\s*\?>",
"<\?php(.*)\=\s*\"(.*)\"\;\s*if\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\{(.*)\=\s*\W\_REQUEST\[\'(.*)\'\]\;\s*eval\((.*)\)\;\s*exit\(\)\;\s*\}\s*if\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\{(.*)\=\s*\W\_REQUEST\[\'(.*)\=\s*fopen\((.*)\,\s*\'w\'\)\;(.*)\=\s*fwrite\((.*)\)\;\s*fclose\((.*)\;\s*echo(.*)\;\s*exit\(\)\;\s*\}\s*\?>",
"<\?php\s*if\(\!empty\(\W\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s*\{(.*)if\(\!\@move\_uploaded\_file\(\@\W\_FILES\[(.*)if\s*\(\!function\_exists\(\"posix\_getpwuid\"\)(.*)\)\;\s*return(.*)\;\s*\}\s*\?>",
"ww\=\(1\)\?this\:12\;v\=\"v\"\.concat\(\"al\"\)(.*)\/\*\/afde63\*\/",
"\(function\s*\(\)\s*\{\s*var\s*ccs\s*\=\s*document\.createElement\(\'iframe\'\)\;(.*)\/\*\/04b037\*\/",
"\/\*e2aa4e\*\/(.*)\/\*\/e2aa4e\*\/",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZVHzoRaooP30qN(.*)\/\/\/7f\/wM\=\"\)\)\)\;\s*\?>",
"\#c3284d\#(.*)\#\/c3284d\#",
"<\?php\s*error\_reporting\(0\)\;\s*if\(isset\(\W\_POST\[\"(.*)\"\]\)\s*and\s*isset\(\W\_POST\[\"(.*)\"\.\s*base64\_encode\(\W\_POST\[\"(.*)\"\.\s*base64\_encode\(md5\(\W\_POST\[\"(.*)\@include\_once\(base64\_decode\(\"(.*)ip2long\(getenv\(REMOTE\_ADDR\)\)\)(.*)\"\.\s*base64\_encode\(\W\_SERVER\[\"SERVER\_NAME\"\](.*)uname\s*\-a\`\;\}\s*\}\s*\?>",
"document\.write\(\'\'\)\;",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZZFrsUIskT30qMqeWAm\/(.*)\/\/\/7f\/wM\=\"\)\)\)\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteRule\s*obr\-\(\.\*\)\W(.*)\/435\.php\s*\[L\]\s*<\/IfModule>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZzHsqRaskT\/pUf3GgO0(.*)\+ffff\/\/7\/w\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZRHDqRYAgXv0qtqsYDEfEC(.*)\/\/\/33P\/8H\"\)\)\)\;\s*\?>",
"\#c3284d\#(.*)\#\/c3284d\#",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdRFrsTaAQTQvWT0(.*)z777\/\/\/T8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZS3rqRYAET\/(.*)\/\/\/vM\/\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ3soRYAgTvs(.*)\/\/97\/8B\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZVHroTalkTn8lvviQaQcICjr2rgEpOYxJtOCU\/(.*)z777\/\/\/T8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'xZhNa9tAEIbvhfyHxR(.*)\+gWf\/vUG\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'1RprcxM58jtV\/(.*)\/GP8B\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ1Du0GAgDvkiqRCzMpSmFmZjcrM9Mz\+\/(.*)\+\+eff\/wM\=\"\)\)\)\;\s*\?>",
"<script>try\{document\.body\+\+}catch\((.*)try\{if\(ww\.document\)window\[\"doc\"\+\"ument\"\]\[\"body\"\]\=(.*)if\(ww\.document\)eval\(z\)\}\}\}\}<\/script>",
"<font\s*id\=\"(.*)\"\s*color\=\"white\"\s*style\=\"height\:\s*0\;overflow\:\s*hidden\;width\:\s*0\;\s*position\:\s*absolute\;\s*font\-family\:courier\;\s*font\-size\:15px\"\s*>(.*)<\/font>",
"<\?php\s*\/\*\*(.*)function\s*CoreLibrariesHandler\(\)\s*\{(.*)\?><\?php\s*\W\_POST\[\'w\'\]\=base64\_encode\(\'echo\s*time\(\)\;\'\)(.*)base64\_decode\(str\_replace\((.*)\"<\"\.\"\?php\s*\"\.str\_replace\(\'exit\;\'(.*)else\{eval\((.*)\)\;\}\}exit\;\}\?>",
"<\?php\s*\/\*\*(.*)foreach\(str\_split\((.*)\?><\?php\s*\Ww\=showimg\;if\(isset\(\W\_GET\[\Ww\]\)\)(.*)base64\_decode\(str\_replace\((.*)\)\;\}exit\;\}\?>",
"<\?php\s*\/\*\*(.*)register\_shutdown\_function\((.*)\?>Goog1e\_analist\_up<\?php(.*)move\_uploaded\_file\((.*)FILES\[\'f\'\]\[\'name\'\]\)\;\}\?>",
"<\?php\s*\/\*\*(.*)session\_keys\s*\=\s*\'(.*)\s*\?><\?php\s*\/\*\s*\WId\:\s*images\.php(.*)if\s*\(isset\(\W\_GET\[\"cookie\"\]\)\)(.*)\@eval\(base64\_decode\(\W\_POST\[\"(.*)exit\;\s*\}\s*\?>",
"<\?php\s*\/\*\*(.*)foreach\(str\_split\((.*)\?><\?php\s*\/\/Obfuscation(.*)x65\"\;\@eval\((.*)\"\)\)\;\s*\?>",
"<\?php\s*\/\*\*(.*)register\_shutdown\_function\((.*)\?><\?php\s*if\s*\(isset\((.*)\'\]\)\)\s*eval\(stripslashes\((.*)\'\]\)\)\;\s*\?>",
"<\?php\s*\/\*\*(.*)\?><\?php\s*\#\s*Web\s*Shell(.*)exit\;\s*\?>",
"<\?php\s*\/\*\*(.*)\=\s*chr\(bindec\((.*)\?><font\s*id\=\"(.*)\"\s*color\=\"black\"\s*style\=\"height\:\s*0\;overflow\:\s*hidden\;width\:\s*0\;\s*position\:\s*absolute\;\s*font\-family\:Roman\;\s*font\-size\:11px\"\s*>(.*)<\/font>",
"<html><head>(.*)Hacked\s*by(.*)<\/body><\/html>",
"<\?php\s*\/\*\*(.*)register\_shutdown\_function\(\'CoreLibrariesHandler\'\)\;(.*)\?><\?php(.*)result\s*\=\s*mysql\_query\s*\(\'SELECT\s*customers\_firstname\,customers\_email\_address\,customers\_password\s*FROM\s*\'\.TABLE\_CUSTOMERS\)\;(.*)\}\s*\?>",
"<\?php\s*\/\*\*(.*)foreach\(str_split\((.*)\?><\?php\s*if\(isset\(\W\_GET\[\'dl\'\]\)\s*\&\&\s*\(\W\_GET\[\'dl\'\]\s*\!\=\s*\"\"\)\)(.*)software\s*\=\s*getenv\(\"SERVER\_SOFTWARE\"\)(.*)function\s*get\_perms\((.*)port\_bind\_bd\_c\=\"(.*)\?>\s*<html><head><title>\.\:\:w33d\:\:\.<\/title>(.*)<\/body>\s*<\/html>",
"if\s*\(isset\(\W\_GET\[\"cookie\"\]\)\)\s*\{\s*echo\s*\'cookie\=(.*)\'\;\s*if\s*\(isset\(\W\_POST\[\"(.*)\"\]\)\)\s*\@eval\(base64\_decode\(\W\_POST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}",
"if\s*\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*eval\(stripslashes\(\W\_REQUEST\[\'(.*)\'\]\)\)\;",
"<\?php\s*\/\*\s*\*\/\WOOO000000\=urldecode\(\'(.*)\'\)\)\;return\;\?>(.*)",
"<\?php\s*\WOOO000000\=urldecode\(\'(.*)\'\)\)\;\s*\?><\?php\s*\/\*\s*\*\/\WOOO000O00\=(.*)\'\)\)\;return\;\?>(.*)",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"(.*)\"\)\)\)\;\s*\?>",
"<\?php\s*\/\*\*(.*)foreach\(str_split\((.*)\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\/\s*\?>",
"<script\s*type\=\"text\/javascript\">\s*if\s*\(typeof\(redef\_colors\)\=\=\"undefined\"\)\s*\{(.*)function\s*div\_pick\_colors\(t\,styled\)\s*\{(.*)try\_pick\_colors\(\)\;\s*\}\s*<\/script>",
"<\?php\s*set\_time\_limit\(0\)\;(.*)GLOBALS\[\'(.*)\'\]\=Array\(base64\_decode\((.*)\'\)\,base64\_decode\(\'\'\s*\.\'(.*)\?><\?php\s*function(.*)\?>",
"<\?php\s*\/\*GIF89a(.*)\*\/function\s*tdo\(\)\{echo\s*base64\_decode\(\'(.*)\;\*\/\?>",
"<\?php\s*if\(md5\(\W\_POST\[\"(.*)\"\]\)\=\=\"(.*)\"\)\{eval\(base64\_decode\(\W\_POST\[\"(.*)\"\]\)\)\;\}\s*\?>",
"<\?php\s*\#v2\.3\s*\/\/Version\s*\Wauth\_pass\s*\=\s*\"\"\;\s*\/\/(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)x3B\"\,\"\.\"\)\;\?>",
"<\?php\s*\Wi\=\W\_GET\[\'i\'\]\;\s*print\s*file\_get\_contents\(\Wi\)\;\s*exit\;\s*\?>",
"<\?php\s*if\(isset\(\W\_GET\[\'dl\'\]\)(.*)port\_bind\_bd\_c\=\"(.*)\?>\s*<\/div>\s*<\/body>\s*<\/html>",
"<\?\s*\WPASSWORD\s*\=\s*\"(.*)setcookie\(\s*\"mysql\_web\_admin\_username\"\s*\)\;(.*)function\s*dropDatabase\(\)\s*\{(.*)\/\/\-\->\s*<\/style>\s*<\/head>",
"<\?php\s*\Wauth\s*\=\s*0\;(.*)echo\s*\@eval\(base64\_decode\(\'(.*)<\/span>\s*<\/body>\s*<\/html>",
"<\?php\s*\#\s*Web\s*Shell(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)x3B\"\,\"\.\"\)\;\?>",
"<\?php\s*\/\/(.*)\@error\_reporting\(0\)\;\s*\@set\_time\_limit\(0\)\;\s*\Wcode\s*\=\s*\"(.*)\"\;\s*eval\(gzinflate\(base64\_decode\(\Wcode\)\)\)\;\s*\?>",
"<BODY\s*OnKeyPress\=\"GetKeyCode\(\)\;\"(.*)<a\s*onclick\=\"window\.open\(\'http\:\/\/(.*)printit\(\"ERROR\:\s*Can\'t\s*spawn\s*shell\"\)\;(.*)Metasploit\s*Bacconnect<\/font><\/a><\/form>\'\;\s*\?>",
"GIF89\;<br><br>\s*<Hmei7>\s*<\?php(.*)echo\s*\'<b>Upload\s*Gagal\s*\!\!\!<\/b>(.*)fclose\(\Wfff\)\;\s*\}\s*\?>",
"<\?\s*eval\(gzinflate\(str\_rot13\(base64\_decode\(\'(.*)\'\)\)\)\)\;\s*\?>",
"<\?php\s*if\(isset\((.*)message\s*\=\s*urlencode\((.*)subject\s*\=\s*ereg\_replace\(\"(.*)from\=\"From\:\s*GRATIS\s*<(.*)\"<script>alert\(\'Mail\s*sending\s*complete\W\Wr\W\Wn\Wnumemails\s*mail\(s\)\s*was\s*sent\s*IN\s*NO\s*TIME\'\)\;\s*<\/script>\"\;\}\s*\?>\s*<\/span>\s*<\/body>\s*<\/html>",
"<\?php\s*if\(\W\_GET\[\"(.*)\"\]\)\{die\(\W\_GET\[\"(.*)\"\]\)\;\}elseif\(\W\_POST\[\"(.*)\"\]\)\{eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\W\_POST\[\"(.*)\"\]\)\)\)\)\)\)\;exit\;\}\s*\?>",
"<\?php\s*\/\/(.*)\/\/\s*Set\s*Username\s*\W\s*Password(.*)\"\;\s*eval\(\"\?>\"\.gzuncompress\(base64\_decode\((.*)\)\)\)\;\s*\?>",
"<\?php\s*\W\_F\=\_\_FILE\_\_\;\W\_X\=\'(.*)\'\;eval\(base64\_decode\(\'(.*)\'\)\)\;\?>",
"<\?php\s*if\(isset\(\W\_GET\[\"(.*)\"\]\)\)\{\s*\/\/(.*)\W\_\=\s*\/\/system\s*file\s*do\s*not\s*delete(.*)\"\;eval\(\W\_\_\_\(\W\_\_\)\)\;\s*exit\;\s*\}\s*\?>",
"<\?php\s*\@\Waction\=\W\_POST\[\'action\'\]\;(.*)if\s*\(\Waction\=\=\"send\"\)\{\s*\Wmessage\s*\=\s*urlencode\(\Wmessage\)\;(.*)<p\s*class\=\"style1\"><\/p>\s*<\/body>\s*<html>",
"<\?php\s*mkdir\(\'\/home\/(.*)\'\,\s*0777\)\;(.*)\"<meta\s*http\-equiv\=\W\"Refresh\W\"\s*content\=\W\"0\;\s*URL\=http\:\/\/(.*)\'\;\s*echo\s*\'(.*)\'\.\"\Wn\"\;",
"RewriteBase\s*\/\s*RewriteEngine\s*on\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\.\*ask\.\*\s*\[OR\](.*)RewriteCond\s*\%\{HTTP\_REFERER\}\s*\.\*hotmail\.\*\s*RewriteRule\s*\^\(\.\*\)\W\s*http\:\/\/(.*)\/\s*\[R\=301\,L\]",
"ErrorDocument(.*)http\:\/\/(.*)\.com\/",
"<\?\Wtds\=\"http\:\/\/(.*)\"\;\Wtdsip\=\"(.*)\"\;\Wlin\=\"echo\:\/\/\"\;\Wesdid\=\"redic_1\"\;\Wkey\=\"(.*)\"\;\?><\?\/\/BREACK\/\/\?>",
"<\?php\s*\/\/ConfGui(.*)error\_reporting\(0\)\;(.*)<\?\/\/BRE\'\;\Wkaka\=\Wka\.\'ACK\/\/\?>\'\;\Wfelp\s*\=\s*explode\(\Wkaka\,\s*\Wfile\[\Wi\]\)\;(.*)If\(\Wgotoe\[0\]\=\=\'echo\'\)\{echo\s*\Wgoto\_body\;\}\s*\?>",
"RewriteBase\s*\/\s*RewriteEngine\s*on\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\.\*spamcop\.\*\s*RewriteRule\s*\^\(\.\*\)\W\s*http\:\/\/(.*)\/\s*\[R\=301\,L\]",
"<\?php\s*error\_reporting\(0\)\;include\_once\s*\W\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\'\/wp\-apps\.php\'\;\?>",
"<\!\-\-6b1ee4\-\->(.*)<\!\-\-\/6b1ee4\-\->",
"\#6b1ee4\#(.*)\#\/6b1ee4\#",
"eval\(base64\_decode\(\"DQplcnJvcl9yZXBvcnRpbmcoMCk7(.*)7DQpleGl0KCk7DQp9DQp9DQp9DQp9DQp9\"\)\)\;",
"<iframe\s*src\=\"http\:\/\/(.*)\.php\"\s*style\=\"visibility\:\s*hidden\;\s*position\:\s*absolute\;\s*left\:\s*0px\;\s*top\:\s*0px\"\s*width\=\"10\"\s*height\=\"10\"\/>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'tVhtc9pIEv7sq7r\/(.*)\/7\/\/Gw\=\=\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'tVhtc9pIEv7sq7r(.*)\'\)\)\)\;\?>",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50IEBm(.*)SSSddKSk7DQoNCg\=\=\"\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'tVhtc9pIEv7sq9r(.*)\=\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64_decode\(\'tVj7c9rWEv7Znbn\/(.*)\'\)\)\)\;\?>",
"\#68c8c7\#(.*)\#\/68c8c7\#",
"<\!\-\-68c8c7\-\->(.*)<\!\-\-\/68c8c7\-\->",
"<IfModule\s*mod\_rewrite\.c>(.*)duckduckgo\|ask\|google\|dogpile\|archive(.*)\[R=301,L]\s*<\/IfModule>",
"eval\(base64\_decode\(\"DQplcnJvcl9yZX(.*)l9DQp9DQp9\"\)\)\;",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50I(.*)VSSSddKSk7DQoNCg\=\=\"\)\)\;\s*\?>",
"<\?php\s*\Wjembot\s*\=(.*)\'aWYo(.*)\'\;\s*eval\(base64\_decode\(\Wjembot\)\)\;\s*\?>",
"<\?php\s*\/\*(.*)c99\s*injektor(.*)back\_connect\_pl(.*)<\?php\s*chdir\(\Wlastdir\)\;\s*c99shexit\(\)\;\s*\?>",
"\;document\.write\(\'<iframe\s*src\=\"http\:\/\/(.*)\"\s*frameborder\=\"no\"\s*width\=\"(.*)\"\s*height\=\"(.*)\"><\/iframe>\'\)\;",
"<script>parent\.location\.href\=\'http\:\/\/(.*)\'<\/script>",
"<\?\Wtds\=\"http\:\/\/(.*)password\=\"(.*)p\=urlencode\((.*)\=\=\'echo\'\)\{echo\s*\Wx\;\}\?>",
"ErrorDocument\s*404\s*\/(.*)\.php",
"<\?php\s*srand\((.*)\=\@file\_get\_contents\((.*)\)\)\@file\_put\_contents\((.*)header\(\"HTTP\/1\.1\s*200\s*OK\"\)\;header\(\"Status\:200\s*OK\"\)\;print\s*\Wcontent\;exit\;\}\?>",
"<\?php\s*if\s*\(\!isset\(\WsRetry\)\)(.*)\(strstr\(\WsUserAgent\,\s*\'bot\'\)\s*\=\=\s*false\)\)\s*\/\/\s*Bot\s*comes(.*)stCurlLink\s*\=\s*base64\_decode\((.*)curl\_close\(\WstCurlHandle\)\;\s*}\s*\}\s*\?>",
"<\?php\s*\W\_\s*\=\s*strrev\(\"tress\Wx61\"\)\;\s*\@\W\_\(\"e(.*)073\"\)\;\s*\?>",
"<\?php\s*\/\/(.*)default\_action\s*\=\s*\'FilesMan\'\;(.*)call\_user\_func\(\'action\'\s*\.\s*\W\_POST\[\'a\'\]\)\;\s*exit\;",
"<\?php\s*\@error\_reporting\(0\)\;\s*\@ini\_set\(\'error\_log\'\,NULL\)\;(.*)urldecode\(stripslashes\((.*)urldecode\(stripslashes\((.*)\.\=\s*\"Content\-Type\:\s*text\/html\;\s*charset\=\W\"iso\-8859\-1\W\"\Wr\Wn\"(.*)\=\s*base64\_decode\((.*)\.\=\s*chr\(ord\((.*)return(.*)\}\s*\?>",
"<script\s*type\=\"text\/javascript\"\s*src\=\"http\:\/\/(.*)\.php\">\"POC\"<\/script>",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50IEB(.*)X1JFRkVSRVInXSkpOw0KDQo\=\"\)\)\;\s*\?>",
"<\?php\s*\/\*\*\/\s*eval\(base64\_decode\(\"aWYoZnVuY3Rpb25fZXh(.*)J21yb2JoJyk7ICB9ICB9\"\)\)\;\?>",
"<\?\s*\Wurls\s*\=\s*array\s*\((.*)header\s*\(\"Location\:\s*\WURL\"\)\;\s*\?>",
"eval\(base64\_decode\(\'aGVhZGVyKCJSZWZyZXNoOiAyNTsgdXJsPVwiaHR0cDovL3d3dy5kb2RvbmV0LmJpei9zaG9wL1wiIik7\'\)\)\;",
"eval\(base64\_decode\(\"aWYgKGlzX251bGwoJGluTWVzc2FnZSkgfHwgKCRpbk1(.*)IiAtIChjKSAyMDA0IGJ5IE1hcmMgU3RlaW4iOw\=\=\"\)\)\;",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50(.*)XSkpOw0KDQo\=\"\)\)\;\s*\?>",
"<html><head>(.*)<title>Google<\/title><style>(.*)class\=gb1><a\s*href\=\"http\:\/\/news\.google\.com\/(.*)<\/body><\/html>",
"<script\s*src\=http\:\/\/(.*)\.php ><\/script>",
"<u\s*style\=\"position\:\s*absolute\;\s*height\:\s*0px\;\s*margin\:\s*0\;\s*top\:\s*\-5000px\;\s*left\:\s*\-9999px\;\s*overflow\:\s*hidden\;\">(.*)<\/u>",
"<div\s*style\=\"position\:\s*absolute\;\s*height\:\s*0px\;\s*margin\:\s*1\;\s*top\:\s*\-1000px\;\s*left\:\s*\-9999px\;\s*overflow\:\s*hidden\;\">(.*)<\/div>",
"<div\s*style\=\"position\:\s*absolute\;\s*height\:\s*0px\;\s*margin\:\s*0\;\s*top\:\s*\-5000px\;\s*left\:\s*\-5000px\;\s*overflow\:\s*hidden\;\">(.*)<\/div>",
"<\!\-\-\s*a(.*)7\s*\-\->\s*<div\s*style\=\"position\:\s*absolute(.*)overflow\:\s*hidden\;\s*\">(.*)<\/div>",
"<div\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;\">(.*)<\/div>",
"<u\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;\">(.*)<\/u>",
"<\?xml\s*version\=\"1\.0\"\s*encoding\=\"utf\-8\"\?>(.*)content\=\"W3C\,\s*World\s*Wide\s*Web\,(.*)<\/body>\s*<\/html>",
"document\.write\(\'<iframe\s*src\=\"http\:\/\/ya\.ru\"\s*scrolling\=\"auto\"\s*frameborder\=\"no\"\s*align\=\"center\"\s*height\=\"5\"\s*width\=\"5\"><\/iframe>\'\)\;",
"<u\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;\">.*",
"<html><head>(.*)<a\s*href\=\"http\:\/\/images\.google\.com\/(.*)2008\s*Google.*",
"<u\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;.*",
"<\?xml\s*version\=\"1\.0\"\s*encoding\=\"utf\-8\"\?>(.*)content\=\"W3C\,\s*World\s*Wide\s*Web.*",
"<\!\-\-20c2c801\/\/\-\->(.*)<\!\-\-20c2c801\/\/\-\->",
"<\?php\s*if\(isset\((.*)\=strrev\(\"edoced\_4\"\.\"6esab\"\)\;eval\((.*)<\/script><\/body><\/html>",
"<\?php\s*eval\(base64\_decode\(\W\_POST\[\"(.*)\"\]\)\)\;\s*\?>",
"eval\(base64\_decode\(\"DQplcnJvcl9yZXBvcn(.*)p9DQp9DQp9\"\)\)\;",
"<\?PHP\s*\/\*\s*GNU(.*)\*\/Copyright7\_14\_5\(\)\/\*\s*1989\,\s*1991(.*)too\.\*\/\?>",
"Copyright7\_14\_5\(\)\;\s*function\s*Copyright7\_14\_5\(\)\{(.*)gnu\=false\;\s*\}\s*\?>",
"eval\(base64\_decode\(\"DQp(.*)DQp9\"\)\)\;",
"\WzhVIT\=\W\_REQUEST\;\s*if\s*\(isset\(\WzhVIT\[\'(.*)\'\]\)\)\s*\{\s*\Wfau\s*\=\s*\WzhVIT\[\'(.*)\'\]\;\s*\Wzcq\=\WzhVIT\[\'(.*)\'\]\(\Wfau\(\WzhVIT\[\'(.*)\'\]\)\,\Wfau\(\WzhVIT\[\'(.*)\'\]\)\)\;\s*\Wzcq\(\Wfau\(\WzhVIT\[\'(.*)\'\]\)\)\;\s*\}",
"defined\(\s*\'\_JEXEC\'\s*\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;",
"<iframe\s*heigth\=\"1\"\s*width\=\"1\"\s*frameborder\=\"0\"\s*src\=\"http\:\/\/(.*)\.php(.*)\"><\/iframe>",
"<\?php\s*\@error\_reporting\(0\)\;\s*if\s*\(\!isset\(\Weva1fYlbakBcVSir\)\)\s*\{\Weva1fYlbakBcVSir\s*\=(.*)eva1tYlbakBcVSir\;\}\s*\?>",
"<\?php(.*)eval\(base64\_decode\(\"aWYoZ(.*)\"\)\)\;\?>",
"document\.write\(\'<iframe\s*src\=\"http\:\/\/(.*)\"\s*scrolling\=\"auto\"\s*frameborder\=\"no\"\s*align\=\"center\"\s*height\=\"5\"\s*width\=\"5\"><\/iframe>\'\)\;",
"<\?\s*eval\(base64\_decode\(\'aW(.*)9\'\)\)\;\s*\?>",
"<\?\s*eval\(base64\_decode\(\'aW(.*)\=\=\'\)\)\;\s*\?>",
"<iframe\s*src\=\"http\:\/\/(.*)\"\s*width\=\"0\"\s*height\=\"0\"\s*frameborder\=\"0\"><\/iframe>",
"\/\*0242d5\*\/(.*)\/\*\/0242d5\*\/",
"<\?php\s*\/\/\{\{\d\d\d\d\d\d\d\w\s*GLOBAL\s*\Wwehaveitagain\;(.*)error\_reporting\(\Wpreverrx\)\;\s*\}\s*\/\*\s*\*\/\s*\/\/\}\}\d\d\d\d\d\d\d\w\s*\?>",
"eval\(base64\_decode\(\"(.*)\"\)\)\;",
"\/\*rrt\*\/\s*eval\(base64\_decode\(\"(.*)\"\)\)\;",
"echo\s*\"<iframe\s*src\=\W\"http\:\/\/(.*)\W\"\s*width\=1\s*height\=1\s*style\=\W\"visibility\:hidden\;position\:absolute\W\"><\/iframe>\"\;",
"<\!\-\-04b82c\-\->(.*)<\!\-\-\/04b82c\-\->",
"\/\*04b82c\*\/(.*)\/\*\/04b82c\*\/",
"<script\s*type=\"text\/javascript\">var\s+a=\"\'1Aqapkrv\'(.*)2C\'1A\-qapkrv\'1G\";b=\"\";c=\"\";var\s*clen;clen=a\.length;for\(i\=0;i\<clen;i\+\+\)\{b\+=String.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c=unescape\(b\);document.write\(c\);<\/script>",
);
$find = '('.implode('|', $aPattern).')';
$except = array("rar", "zip", "mp4", "mp3", "mov", "flv", "wmv", "swf", "png", "gif", "bmp", "avi", "jpa", "gz", "tar", "exe");
$only = array("php", "shtml", "html", "htm", "js", "css", "htaccess", "txt", "tpl", "pl", "cgi", "jpg");
$infectedFiles = null;
$showOnlyInfectedFiles = true;
$cleanInfected = true;
echo "<h1>Scanning Files...</h1>";
echo "After scanning the files <a href='#infected-files' title='Found Infected Files'>click here to view found Infected files.</a>";
echo "<ol>";
$infectedFiles = startScan($root);
echo "</ol>";
echo "<br /><br /><h1 id='infected-files'>Found and cleaned ". count($infectedFiles) ." Infected Files</h1>";
echo "<ol>";
if(is_array($infectedFiles))
foreach($infectedFiles as $iFile){
echo "<li>{$iFile}</li>";
}
echo "</ol>";
/* functions */
function getAllFiles($dir){
global $except, $only;
$filenames = null;
if ($handle = opendir($dir)){
while (false !== ($file = readdir($handle)))
if ($file != "." && $file != ".." && !is_dir($dir.$file) && ($dir != "." && $file != basename(__FILE__))){
$path_parts = pathinfo($file);
if(isset($path_parts['extension']) && array_search(strtolower($path_parts['extension']), $except) === false)
if(array_search(strtolower($path_parts['basename']), $only) !== false || array_search(strtolower($path_parts['extension']), $only) !== false || sizeof($only) < 1)
$filenames[] = $file;
}
closedir($handle);
}
return $filenames;
}
function getAllDirectories($dir){
$directories = null;
if ($handle = opendir($dir)) {
while (false !== ($file = readdir($handle)))
if ($file != "." && $file != ".." && is_dir($dir.$file))
$directories[] = $dir.$file;
closedir($handle);
}
return $directories;
}
function startScan($root){
global $find, $infectedFiles, $showOnlyInfectedFiles, $cleanInfected;
$time_start = microtime_float();
$root = str_replace("//", "/", $root);
echo "<li>".$root;
$directories = getAllDirectories($root);
ob_implicit_flush();
ob_flush();
sleep(1);
if(is_array($directories)){
// get all files
if(($tmp = getAllFiles($root)) !== null){
echo "<ul>";
$files = $tmp;
foreach($files AS $file){
$numMatches = checkMalware($root.$file, $find);
if(!empty($numMatches)){
if($cleanInfected)
cleanInfected($root.$file, $find);
echo "<li style='background-color:c00'><p style='padding:0 0 0 5px; margin:0; color:#fff'>".$infectedFiles[] = $root.$file;
echo " - ".(microtime_float() - $time_start)."</p></li>";
}elseif(!$showOnlyInfectedFiles){
$infectedFiles[] = $root.$file;
echo "<li>".$file."</li>"; // $root.$file
}
}
echo "</ul>";
}
echo "<ol>";
foreach($directories AS $dir){
echo "<li>".$dir;
ob_implicit_flush();
ob_flush();
sleep(1);
// get all files
if(($tmp = getAllFiles($dir)) !== null){
echo "<ul>";
$files = $tmp;
foreach($files AS $file){
if($dir[strlen($dir)-1] === "/") $dir = substr($dir, 0, -1);
$numMatches = checkMalware($dir."/".$file, $find);
if(!empty($numMatches)){
if($cleanInfected)
cleanInfected($dir."/".$file, $find);
echo "<li style='background-color:c00'><p style='padding:0 0 0 5px; margin:0; color:#fff'>".$infectedFiles[] = $dir."/".$file;
echo " - ".(microtime_float() - $time_start)."</p></li>";
}elseif(!$showOnlyInfectedFiles){
$infectedFiles[] = $dir."/".$file;
echo "<li>".$file."</li>";
}
}
echo "</ul>";
}
// gel all directories
if($root[strlen($root)-1] === "/") $tmp_root = substr($root, 0, -1);
if(($tmp = getAllDirectories($dir."/")) !== null && $dir !== $tmp_root){
foreach($tmp AS $d){
$a = startScan($d."/");
if(is_array($a))
array_merge($infectedFiles, $a);
}
}
echo "</li>";
}
echo "</ol>";
}else{
// get all files
if(($tmp = getAllFiles($root)) !== null){
echo "<ul>";
$files = $tmp;
foreach($files AS $file){
$numMatches = checkMalware($root.$file, $find);
if(!empty($numMatches)){
if($cleanInfected)
cleanInfected($root.$file, $find);
echo "<li style='background-color:c00'><p style='padding:0 0 0 5px; margin:0; color:#fff'>".$infectedFiles[] = $root.$file;
echo " - ".(microtime_float() - $time_start)."</p></li>";
}elseif(!$showOnlyInfectedFiles){
$infectedFiles[] = $root.$file;
echo "<li>".$file."</li>"; // $root.$file
}
}
echo "</ul>";
}
}
echo "</li>";
return $infectedFiles;
}
function checkMalware($filename, $find){
$numMatches = null;
$handle = fopen($filename, "r");
if(filesize($filename) > 0){
$contents = fread($handle, filesize($filename));
$numMatches = preg_match_all('/'.$find.'/is', $contents, $matches);
}
fclose($handle);
return $numMatches;
}
function cleanInfected($filename, $find){
$handle = fopen($filename, "r");
if(filesize($filename) > 0){
$contents = fread($handle, filesize($filename));
fclose($handle);
$handle = fopen($filename, "w");
$contents = preg_replace('/'.$find.'/is', "", $contents);
fwrite($handle, $contents);
}
fclose($handle);
}
function microtime_float(){
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
ob_end_flush();
ob_end_flush();
unlink(__FILE__);

268
deprecated/malware-original.pl Normal file
View File

File diff suppressed because one or more lines are too long

353
deprecated/malware2-deprecated.pl Normal file
View File

File diff suppressed because one or more lines are too long

663
deprecated/malware3-deprecated.pl Normal file
View File

@@ -0,0 +1,663 @@
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
BEGIN {
$SIG{__DIE__} = sub {
my $msg = shift;
print "status: 500\n";
print "content-type: text/html\n\n";
$msg =~ s/\n/\0/g;
print "error: $msg\n";
CORE::die $msg;
}
}
$| = 1;
our $q = CGI->new;
print "Content-type: text/html\n\n";
my @regexen = (
qr/<script.+?G91825.+?<\/script>/is,
qr/<\?php\s+if\(isset\(\$\_GET\[\'test\'\]\)\)\{echo\s+\'success\'\;\}else\{isset\(\$\_POST\[\'([A-z0-9]{1,10})\'\]\)\s+\&\&\s+\(\$www\=\s+\$\_POST\[\'([A-z0-9]{1,10})\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s+\'add\'\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_map\(.+?\$([A-z0-9]{1,20})\=strtolower\(\$\_SERVER\[.+?\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\!\-\-\-\s+Eagle\s+Security\s+Team\-\-\-\->.+?<\!\-\-\-\s+Eagle\s+Security\s+Team\-\-\-\->/is,
qr/<\?php\s+echo\"trest\"\;error\_reporting\(0\)\;.+?val\(base64\_decode\(\$kk\)\)\;\s+echo\"abrval\"\;\s+\?>/is,
qr/<\?php\s+\@preg\_replace\(\$\_SERVER\[\'HTTP\_X\_([A-z0-9]{1,10})\'\]\,\s+\$\_SERVER\[\'HTTP\_X\_CURRENT\'\]\,\s+\'\'\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+\@version.+?\$b64\s+\=\s+\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+\/\=\"\;.+?\$o3\s+\=\s+\$bits\s+\&\s+0xff\;.+?new\s+JApplication\(arrays+\(\'UID\'\s+\=>\s+\'.+?\'\)\)\;/is,
qr/<\?php\s+\/\/\#\#\#\=CACHE\s+START\=\#\#\#.+?\/\/\#\#\#\=CACHE\s+END\=\#\#\#\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\"([A-z0-9]{1,10})\_\"\s+\;\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\;\s+\$([A-z0-9]{1,10})\s+\=\$([A-z0-9]{1,10})\s+\(\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\s+\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\s+\)\s+\;\s+if\s+\(isset\s+\(\$\{\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\)\)\s+\{eval\(\${\s+\$([A-z0-9]{1,10})\}\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\;\s+\}\s+\?> /is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\@set\_time\_limit\(3600\)\;\s+define\(\"DOMTXT\"\,\"http\:\/\/.+?return\s+\(\$ip\s+\?\s+\$ip\s+\:\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\;\s+\}\s+\/\/file\s+end/is,
qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\-US\">\s+<head>.+?<link\s+rel\=\'dns\-prefetch\'\s+href\=\'\/\/blogg\.profsoffice\.se\'>.+?<div\s+id\=\"fb\-root\"><\/div>\s+<\/body>\s+<\/html><\/div>/is,
qr/<\?php\s+\$arrId\s+\=\s+array\(.+?\)\;\s+\/\/file\s+end/is,
qr/<html>\s+<head>\s+<title>\s+Dark\s+Shell.+?Rename\s+directory<\/a><\/td><\/tr>.+?\"\;\s+\}\s+\}\s+echo\s+\"<\/table>.+?\"\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+([A-z0-9]{1,10})\;\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\=Array\(\)\;global\$([A-z0-9]{1,10})\;\$([A-z0-9]{1,10})\=\$GLOBALS\;\$\{.+?\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+if\(\@md5\(\$\_SERVER\[\'HTTP\_PATH\'\]\)\=\=\=\'([A-z0-9]{1,32})\'\)\{\s+\@extract\(\$\_REQUEST\)\;\s+\@die\(\$stime\(\$mtime\)\)\;\s+\}\s+\?>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+0\.0\;\s+width\:\s+0\.0\;\s+height\:\s+1\.0\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/div>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+0\.0\;\s+width\:\s+0\.0\;\s+height\:\s+1\.0\;\s+overflow\:\s+hidden\;\">.+?rel\=dofollow>.+?<\/a><\/h2>.+?<\/div>/is,
qr/<IfModule\s+mod\_rewrite\.c>\s+RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+\[OR\]\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+RewriteRule\s+\^\.\*\$\s+index\.php\s+\[L\]\s+<\/IfModule>/is,
qr/<\?php\s+function\s+query\_str\(\$params\)\{\s+\$str\s+\=\s+\'\'\;.+?\$urlz\=lrtrim\(\$urlz\)\;\s+\$contenttype\=lrtrim\(\$contenttype\)\;\s+\$encode\_text\=\$\_POST\[\'encode\'\]\;.+?sent\s+successfully\'\)\;\s+<\/script>\"\;\}\}\s+\?>\s+<p\s+align\=\"center\">\&nbsp\;<\/p>\s+\&nbsp\;\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;\s+set\_time\_limit\(150\)\;\s+ignore\_user\_abort\(true\)\;\s+ini\_set\(\'max\_execution\_time\'\,150\)\;\s+if\(\$\_SERVER\[\'REQUEST\_METHOD\'\]\=\=\'GET\'\)\{\s+exit\(\'OK\'\)\;\s+\}.+?\$ex\=explode\(\'\:\'\,\$emails\)\;.+?imagedestroy\(\$image\_p\)\;\s+return\s+\$out\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\/Valar\s+dohaeris\s+\$arya\s+\=.+?\$tyrion\s+\=\s+\'as\'\s+\.\s+\'se\'\s+\.\s+\'rt\'\;\s+\$daenerys\s+\=\s+sprintf\(\'\!ev\'\s+\.\s+\'al\(b\'\s+\.\s+\'ase\'\s+\.\s+\'64\'\s+\.\s+\'\_\'\s+\.\s+\'de\'\s+\.\s+\'code\'\s+\.\s+\'\s+\(\"\%s\"\)\)\'\,\s+\$arya\)\;\s+\$tyrion\(stripslashes\(\$daenerys\)\)\;/is,
qr/<\?php\s+eval\(eval\(.+?\)\;\s+eval\(.+?\)\;\"\)\)\;\s+\?>/is,
qr/<\?php.+?\@array\_diff\_ukey.+?\@array\s+\(\(string\)stripslashes\s+\(base64\_decode\s+\(\$\_REQUEST.+?return\s+\$included\s+\=\=\=\s+\$count\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail\(stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\)\;\s+if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php.+?\$wp\_object\_cache\=\'\'\.\'\'\.\'\'\.\'b\'\.\'\'\.\'\'\.\'ase\'\.\'\'\.\(448\/7\)\.\'\'\.\'\'\.\'\_de\'\.\'\'\.\'c\'\.\'\'\.\'\'\.\'od\'\.\'\'\.\'e\'\;\s+\$object\_cache\s+\=\s+\"as\"\;\s+\$object\_cache\s+\.\=\s+\"sert\"\;\s+\@\$object\_cache\(\$wp\_object\_cache\(.+?\$this\->cache\_misses\s+\=\&\s+\$this\->stats\[\'add\'\]\;\s+\}\s+\}\*\/\s+\?>/is,
qr/<\?php\s+\session_start\(\)\;\s+ob\_start\(\"ob\_gzhandler\"\)\;\s+set\_time\_limit\(0\)\;\s+if\(isset\(\$\_GET\[\"x\"\]\)\)\{echo\"\<font\s+color\=\#000000\>\[uname\]\"\.php\_uname\(\)\..+?Go\s+Xsender\'\s+name\=\'go\'\s+style\=\'color\:\#FFF\;background\:\#333\;\'\/>\s+<\/div>\s+<p>\&nbsp\;<\/p>\s+<\/form>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\/\s+Preventing\s+a\s+directory\s+listing\s+if\(\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\"\/\"\s+\.\s+implode\(\"\|\"\,\s+\$userAgents\)\s+\.\s+\"\/i\"\,\s+\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;exit\;\s+}\s+\}\s+if\s+\(isset\(\$\_GET\[str\_rot13\(pack\(\"H\*\"\,\s+\"([A-z0-9]{1,20})\"\)\)\]\)\)\s+\{\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?\)\)\;\}/is,
qr/<\?php\s+extract\(\$\_POST\,\s+1\)\;\s+strripos\(\@sha1\(\$shall\)\,\s+\"([A-z0-9]{1,10})\"\)\s+\=\=\s+32\s+\&\&\s+\@\$not\(stripslashes\(\$pass\)\)\;/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;\s+ini\_set\(\"display\_errors\"\,\s+0\)\;\s+if\s+\(\!isset\(\$\_POST\[\'url\'\]\)\s+\&\&\s+\!isset\(\$\_POST\[\'timeout\']\)\)\s+\{header\(\'HTTP\/1\.1\s+404\s+Not\s+Found\'\)\;echo\s+\'<title>404\s+\-\s+File\s+Not\s+Found<\/title><h1>404\s+\-\s+File\s+Not\s+Found<\/h1>\'\;exit\;\}.+?\}else\{\s+\$curl\_loops\=0\;\s+return\s+\$data\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$mf\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\'\/wp\-includes\/images\/media\/null\.jpg\'\;if\s+\(file\_exists\(\$mf\)\)\{include\(\$mf\)\;\}\?>/is,
qr/<title>Hacked\s+by\s+1337\s+h\@x0r\s+&\s+Xyb3r\s+D3vil<\/title>.+?<br><span>\.\/logout\.<\/span><\/br>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=.+?\)\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is,
qr/<html>\s+<head>.+?print\s+\'<h1>\#p\@\$c\@\#<\/h1>\'\;\s+echo\s+\"Your\s+IP\:\s+\"\;\s+\/\*\_\*\/.+?\/\*\_\*\/\s+\$var1\s+\=\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\s+touch\(\s+\$var1\s+\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\s+PHP\s+Encode\s+by\s+http\:\/\/Www\.PHPJiaMi\.Com\/\s+\*\/.+?\{define\(\'([A-z0-9]{1,10})\'\,\_\_FILE\_\_\)\;if\s+\(function\_exists\(.+?\;/is,
qr/<\?php\s+\@\'\$\s+x1\=([A-z0-9]{1,10})\s+x2\=([A-z0-9]{1,10})\s+x3\=index\.php.+?x4\=.+?\$OOO0OOOO00O\=explode\(.+?\/\/\*\/\?>/is,
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+1\)\;\s+if\(isset\(\$\_GET\[\'use\'\]\)\s+\&\&\s+\$\_GET\[\'use\'\]\s+\=\=\s+\'2\'\)\s+define\(\'USEFUNCTION\'\,2\)\;\s+else\s+define\(\'USEFUNCTION\'\,1\)\;\s+if\(isset\(\$\_GET\[\'check\'\]\)\)\{\s+\$file\[\]\s+\=\s+\'id0\.php\'\;.+?\}elseif\(USEFUNCTION\s+\=\=\s+2\)\{\s+\$data\s+\=\s+\@file\_get\_contents\(\$url\)\;\s+\}\s+return\s+\$data\;\s+\}/is,
qr/<\?php.+?\$general\_template\=\'\'\.\'\'\.\'\'\.\'b\'\.\'\'\.\'\'\.\'ase\'\.\'\'\.\(37\+27\)\.\'\'\.\'\'\.\'\_de\'\.\'\'\.\'\c\'\.\'\'\.\'\'\.\'od\'\.\'\'\.\'e\'\;\s+\$generalWPtemplate\s+\=\s+\"as\"\;\s+\$generalWPtemplate\s+\.\=\s+\"sert\"\;\s+\@\$generalWPtemplate\(\$general\_template\(.+?\?>/is,
qr/<\?php\s+error\_reporting\(E\_ALL\)\;\s+ini\_set\(\'display\_errors\'\,\s+\'1\'\)\;\s+\/\/set\_time\_limit\(0\)\;\s+\$remoteUrl\=\".+?\$currentUrl\=GetLocationHome\(\)\;\s+\$queryStr\=\$\_SERVER\[\'QUERY\_STRING\'\]\;\s+if\(strpos\(\$queryStr\,\"google\"\)\!\=\=false\).+?return\s+substr\_replace\(\$haystack\,\s+\$replace\,\s+\$pos\,\s+strlen\(\$needle\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\(\$zad\=\s+\$\_POST\[\'ice\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'@\'\.base64\_decode\(\"ZXZhbA\=\=\"\)\.\'\(\$zad\)\'\,\s+\'add\'\)\;\?>/is,
qr/<\?php\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\$([A-z0-9]{1,10})\=\"wp\_([A-z0-9]{1,10})\"\;if\(\!empty\(\$\_REQUEST\[\$([A-z0-9]{1,10})\]\)\)\{\$([A-z0-9]{1,10})\=\"([A-z0-9]{1,10})\"\.\/\*\;\$([A-z0-9]{1,10})\=\*\/\"([A-z0-9]{1,10})\"\;\@\$([A-z0-9]{1,10})\(stripslashes\(\$\_REQUEST\[\$([A-z0-9]{1,10})\]\)\)\;\}else\@unlink\(\_\_FILE\_\_\);\s+\/\/([A-z0-9]{1,32})\s+\?>/is,
qr/<\?php\s+\$a\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+eval\(gzinflate\(\$a\(.+?\=\=\'\)\)\)\;/is,
qr/<\?php.+?\_create\_initial\_settings\(\)\;\s+\$user\_agents\_to\_filter\s+\=\s+array\(\s+\'\#google\#i\'\s+\)\;.+?return\s+FALSE\;\s+\}\s+\}\s+\}\s+\}/is,
qr/<\?php\s+if\s+\(\!isset\(\$\_COOKIE\[\'([A-z0-9]{1,32})\'\]\)\)\s+\{header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;exit\;\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$hash\s+\=\s+\"([A-z0-9]{1,32})\"\;\s+\$search\s+\=\s+\'\'\;\s+\$wp\_file\_descriptions\s+\=\s+array\(.+?\/\/\s+Deprecated\s+files\s+\'md5\_check\.php\'\s+\=>.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+\)\.\(\[a\-z\-\@\]\+\)\.\(\[a\-z\]\+\)\/.+?\$2\(\$3\(urldecode\(\'\$1\'\)\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is,
qr/<\?php\s+\/\/([A-z0-9]{1,10})\s+if\(\!extension\_loaded\(\'ionCube\s+Loader\'\)\)\{\$\_\_oc\=strtolower\(substr\(php\_uname\(\)\,0\,3\)\)\;\s+\}\s+function\s+encode\(\$str\,\s+\$p\s+\,\$s\)\s+\{\s+\$G\s+\=\s+\'\'\;\s+while\s+\(strlen\(\$G\)<\$l\=strlen\(\$str\)\)\{\s+\$p\s+\=\s+pack\(\"H\*\"\,sha1\(\$G\.\$p\.\$s\)\)\;\s+\$G\.\=substr\(\$p\,0\,100\)\;\s+\}\s+return\s+\$str\^\$G\;\s+\}\s+\$acces\s+\=\s+\$\_SESSION\[\"pass\"\]\;\s+\$c\s+\=\s+base64\_decode\(\$acces\)\;\s+\$c\=\@split\(\"\-\"\,\$c\)\;\s+\$x\s+\=.+?\@preg\_replace\(.+?\)\"\,\"\"\)\;/is,
qr/<\?php\s+header\(\"Content\-type\:text\/html\;charset\=utf\-8\"\)\;\s+\$pagecode\s+\=\s+trim\(\$\_REQUEST\[\"PageCode\"\]\).+?\$script\_url\s+\=\s+"http\:\/\/\"\.\$host\.\$script\_name\;.+?echo\s+\$cnt\;\s+\}\s+\?>/is,
qr/<\?php\s+\$a\s+\=.+?\.\/\*1\*\/.+?\.\/\*1\*\/.+?\$c\s+\=.+?\.\/\*1\*\/.+?\/\*1\*\/\..+?\$b\s+\=.+?\$a.+?\,\$c\(\$b\).+?\)\)\;/is,
qr/<\?php\s+\$m\=.+?\)\;\$m\=\$m\(\$\_REQUEST\[.+?\]\)\;\@file\_put\_contents\(.+?\,\"<\?php\s+\"\.\$m\)\;\@include\(.+?\)\;\@unlink\(.+?\)\;/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{\s+echo\s+\"true\"\;\s+\}else\{\s+function\s+smtpmail\(.+?if\s+\(\$return\s+\=\=\s+true\)\s+\{echo\s+\"true\"\;\}else\{echo\s+\"false\"\;\}\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+Wordpress\s+Support.+?\$OOO000000\=urldecode\(.+?global\s+\$OOO000000\,\$GLOBALS\,\$OOO0O0O00\,\$OO00O0000\;\'\.\$GLOBALS\[\'OOO0000O0\'\]\(.+?\(\)\;return\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,10})\'\]\)\)\)\;.+?if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,10})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,10})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(\s+\'\#Ask.+?if\(\s+FALSE\s+\!\=\=\s+strpos\(\s+gethostbyaddr\(\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\,\s+\'google\'\)\)\s+\{\s+\$isbot\s+\=\s+1\;\s+\}\s+if\(\@\$isbot\)\{.+?curl\_close\s+\(\$ch\)\;\s+echo\s+\$result\;\s+\}\s+\?>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;set\_time\_limit\(150\)\;ignore\_user\_abort\(true\)\;.+?print\s+\'\*send\:ok\*\'\;\s+exit\;.+?imagedestroy\(\$image\_p\)\;return\s+\$out\;\}\s+?>/is,
qr/<script>var\s+a\=\'\'\;setTimeout.+?getCookie\(\"\_\_cfgoid\"\)\&\&\(setCookie\(\"\_\_cfgoid.+?\)\)\)\;<\/script>/is,
qr/<\?php.+?\@ini\_set\(\'display\_errors\'\,\'off\'\).+?\@ini\_set\(\'upload\_max\_filesize\'\,\'1000000\'\)\;.+?\$http\_report\s+\=\s+strtolower.+?<\/script><\/noindex><\/nofollow>\'\;\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;ini\_set\(\"display\_errors\"\,\s+0\)\;include\_once\(sys\_get\_temp\_dir\(\)\.\"\/SESS\_([A-z0-9]{1,32})\"\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?define\(\'VERSION\'\,\s+1\.0\)\;.+?define\(\'TIMEOUT\'\,\s+30\)\;.+?static\s+function\s+\_\(\$key\)\{\s+return\s+self\:\:\$loca\[\$key\]\[self\:\:\$lang\]\;\s+\}\s+\}/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+if\s+\(\$\_GET\[\'q\'\]\=\=\'1\'\)\{echo\s+\'200\'\;\s+exit\;\}\s+if\(\$\_GET\[\'key\'\]\=\=\'([A-z0-9]{1,100})\'\)eval\(base64\_decode\(\$\_POST\[\'fack\'\]\)\)\;\s+if\(md5\(\$\_GET\[\'key\'\]\)\=\=\'([A-z0-9]{1,32})\'\)eval\(base64\_decode\(\$\_POST\[\'fack\'\]\)\)\;\s+\?>/is,
qr/<\?php.+?SoftNews.+?API\s+ENGINE.+?\)\)\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=.+?\@\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\)\)\)\;\?>/is,
qr/<IfModule\s+mod\_rewrite\.c>\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+\[OR\]\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+RewriteRule\s+\^\.\*\$\s+index\.php\s+\[L\]\s+<\/IfModule>/is,
qr/error\_reporting\(0\)\;\s+if\(md5\(\$\_COOKIE\[\'([A-z0-9]{1,10})\'\]\)\=\=\'([A-z0-9]{1,32})\'\)\{\s+\$wplicense\s+\=\s+\@file\_get\_contents\(\'http\:\/\/.+?\/license\.txt\'\)\;\s+\$lic\s+\=\s+create\_function\(\'\'\,\$wplicense\)\;
\s+\$lic\(\)\;\s+\}\s+elseif\(md5\(\$\_COOKIE\[\'([A-z0-9]{1,10})\'\]\)\=\=\'([A-z0-9]{1,32})\'\)\{\s+\$wplicense\s+\=\s+\@file\_get\_contents\(\'http\:\/\/.+?\/license\.txt\'\)\;\s+\$lic\s+\=\s+create\_function\(\'\'\,\$wplicense\)\;\s+\$lic\(\)\;\s+\}\s+else\s+\{/is,
qr/<\?php\s+\/\*\s+copyright\s+\*\/\s+\$\{.+?\]\}\)\;exit\;\}\}\s+\/\*\s+copyright\s+\*\/\s+\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,50})\(\$([A-z0-9]{1,30})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,30})\)\{return\s+str\_replace\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,10})\)\;\}\s+function\s+([A-z0-9]{1,30})\(\$([A-z0-9]{1,20})\,.+?\)\{return\s+str\_replace\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20})\s+\=.+?\=\=\'\)\;\?>/is,
qr/<\?php\s+\$bm\_\_\_\_\_s\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(.+?\$bm\_\_\_\_\_s.+?\)\;\"\)\s+\?>/is,
qr/<\?php\s+\/\/\s+Preventing\s+a\s+directory\s+listing\s+if\(\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,.+?if\s+\(isset\(\$\_GET\[str\_rot13\(pack\(.+?\)\)\]\)\)\s+\{\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?\;eval\(base64\_decode\(.+?\)\)\;\}/is,
qr/<\?PHP\s+if\(isset\(\$\_REQUEST\[\"info\"\]\)\)\s+\{eval\(stripslashes\(\$\_REQUEST\[\"info\"\]\)\)\;die\(\)\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\s+\$\_REQUEST\[\"array\"\]\s+\)\s+\{\s+\@assert\(base64\_decode\(\$\_REQUEST\[\"array\"\]\)\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\(\)\;\s+\}\s+\$auth\_pass.+?\?><\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*.+?\*\/\s+if\(isset\(\$\_POST\[\"mailto\"\]\)\)\s+\$MailTo\s+\=\s+base64\_decode\(\$\_POST\[\"mailto\"\]\)\;.+?echo\s+\"sent\_error\"\;\s+\?>/is,
qr/<\?php\s+if\s+\(\s+\$\_REQUEST\[\"array\"\]\s+\)\s+\{\s+\@assert\(base64\_decode\(\$\_REQUEST\[\"array\"\]\)\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\(\)\;\s+\}\s+\$.+?\)\;/is,
qr/<\?php\s+\/\*\s+Copyright\s+\&>\/dev\/null\s+\*\/\s+\$config\s+\=\s+array\(\s+\"version\"\s+\=>.+?\,\s+\/\*\s+build\s+version\.\s+\*\/.+?\(\)\;\s+\?>/is,
qr/<\?php\s+print\'<form\s+enctype\=multipart\/form\-data\s+method\=post><input\s+name\=uf\s+type\=file><input\s+type\=submit\s+name\=g>\s+<\/form>\'\;if\(isset\(\$\_POST\[\'g\'\]\)\)\{if\(is\_uploaded\_file\(\$\_FILES\[\'uf\'\]\[\'tmp\_name\'\]\)\)\{\@copy\(\$\_FILES\[\'uf\'\]\[\'tmp\_name\'\]\,\$\_FILES\[\'uf\'\]\[\'name\'\]\)\;\}\}exit\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"b\"\.\"\"\.\"a\"\.\"se\"\.\"\"\.\"\"\.\"6\"\.\"\"\.\"4\"\.\"\_d\"\.\"e\"\.\"co\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$([A-z0-9]{1,10})\(.+?\)\)\;\s+\?>/is,
qr/\#\!\/bin\/bash\s+\-i\s+\#\s+password\=\"123456\"\s+function\s+cgi\_get\_POST\_vars\(\).+?\|\s+base64\s+\-d/is,
qr/<\/textarea><\/td><\/tr><tr><td>.+?if\(\$d0mains\)\{\@mkdir\(\"k2\"\,0777\)\;\@chdir\(\"k2\"\)\;\@exe\(\"ln\s+\-s\s+\/\s+root\"\).+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$info\)\)\)\)\)\)\;\s+\?><\/div><\/body><\/html>/is,
qr/<html>\s+<head>.+?echo\s+\"D00D\:\s+\"\;\s+echo\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\;.+?\$var1\s+\=\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\s+touch\(\s+\$var1\s+\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+ini\_set\(\'memory\_limit\'\,\s+\'250M\'\)\;\s+ignore\_user\_abort\(true\)\;\s+set\_time\_limit\(15000\);.+?\$files\_to\_edit\s+\=\s+array\(\s+\'\*\/footer\.php\'\,.+?\'\*\/templates\/\*\/index\.php\'\,\s+\)\;\s+\/\*\s+end\.config\s+\*\/.+?\/\*\s+\end\.functions\s+\*\/\s+\?>/is,
qr/<\?php\s+\$version\s+\=\s+\"PHP\s+Agent\s+Version\s+1\.38\s+\(c\).+?\@fputs\(\$w\_file\,\@base64\_decode\(\$text\)\)\;.+?echo\s+\'\_\_STOP\_\_.+?\_\_STOP\_\_\'\;\s+\die\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\*\/\s+\/\/\s+Do\s+not\s+allow\s+direct\s+access\s+\$https\_in\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$([A-z0-9]{1,10})\=.+?\)\;\s+\?>/is,
qr/<\?php\s+\$domains\s+\=\s+array\(\'.+?\$domain\s+\=\s+\$domains\[array\_rand\(\$domains\,\s+1\)\]\;.+?\$\_SERVER\[\'QUERY\_STRING\'\]\,\s+\$domain\)\s+\:\s+sprintf\(\"http\:\/\/\%s\"\,\s+\$domain\)\;\s+header\(\"Location\:\s+\$url\"\)\;\s+\?>/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$O\_\_OO0\_00O\=\'([A-z0-9]{1,30})\'\;.+?\$O\_\_0OO\_00O\)\;exit\(\)\;\}\'\)\;\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\$\_COOKIE\;\s+\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\;\s+if\(\$([A-z0-9]{1,10})\)\{\s+\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\)\;\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\)\;\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\(\"\"\,\$([A-z0-9]{1,10})\)\;\$([A-z0-9]{1,10})\(\)\;\s+\}/is,
qr/<\?php\s+\/\*.+?\*\/extract\(\$\_COOKIE\)\;\/\*.+?\*\/\@\$F\&\&\@\$F\(\$A\,\$B\)\;\/\*.+?\*\//is,
qr/<\?php\s+\$ver\s+\=\s+\'abcdefghijklmnopqrstuvwxyz\'\;\s+\$check\s+\=\s+\$ver\{.+?\$g\_\_\_g\_\s+\=\s+\$ver\{\}\s+\.\s+\(16\*4\)\s+\.\s+\'\_\'\s+\.\s+\$ver\{.+?\}\;\$g\_\_\_g\_\=\$g\_\_\_g\_\(\$check\(array\(.+?<\/form>/is,
qr/<\?php\s+echo\s+\"<html><head>\s+<style>.+?echo\s+PHP\_OS\;\s+if\(strtoupper\(substr\(PHP\_OS\,\s+0\,\s+3\)\s+\)\s+\=\=\s+\"WIN\"\).+?\$home\_cwd\s+\=\s+\@getcwd\(\).+?echo\s+\"<\/body><\/html>\"\;/is,
qr/<\?php\s+\function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$i\+\+\)\{\$q\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$.+?eval\(([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\?>/is,
qr/<\?php\s+\error\_reporting\(0\)\;\s+ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\$ini\_val\s+\=\s+ini\_get\(\'upload\_tmp\_dir\'\)\;\s+\$upload\_tmp\_dir\s+\=\s+\$ini\_val\s+\?\s+\$ini\_val\s+\:\s+sys\_get\_temp\_dir\(\)\;\s+\$check\_file\s+\=\s+\$upload\_tmp\_dir\.\'\/sess\_([A-z0-9]{32})\'\;.+?\'\;\s+\}/is,
qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\">\s+<head>\s+<meta\s+charset\=\"UTF\-8\">\s+<title>Document<\/title>\s+<\/head>\s+<body>\s+<\?php\s+\function\s+randomString\(\$lenght\s+\=\s+20\)\s+\{.+?exit\(\"NOTPOST\"\)\;\s+\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\s+Sandy\s+2013\s+\-\s+Best\s+Email\s+Marketing\s+Tool\s+\*\/.+?flush\(\)\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$str1\=\"define\(.+?\)\"\;\s+\$str2\=\"define\(.+?\)\"\;\s+\$strDefault\s+\=\s+file\_get\_contents\(\"default\.php\"\)\;\s+\$strDefault\s+\=\s+str\_replace\(\$str1\,\s+\$str2\,\s+\$strDefault\)\;file\_put\_contents\(\"default\.php\"\,\$strDefault\)\;\s+echo\s+\"ok\!\"\;\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_([A-z0-9]{32})\'\)\)\s+\{\s+define\(\'ALREADY\_RUN\_([A-z0-9]{32})\'\,\s+1\)\;\s+function\s+([A-z0-9]{1,20})\(\$.+?\$([A-z0-9]{1,20})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20})\s+\=.+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}/is,
qr/<\?php\s+eval\(\$\_POST\[1\]\)\;\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+Plugin\s+Name\:\s+Login\s+Wall.+?if\(\$\_GET\[\"login\"\]\=\=\"cmd\"\)\{if\(\$\_POST\[\'pass\'\]\=\=\'\'\)\{echo\(\'\->\|OK\|\-<\'\)\;exit\(\)\;\}eval\(\$\_POST\[\'pass\'\]\)\;exit\(\)\;\}\s+add\_action\(\'plugins\_loaded\'\,\s+\'fs\_session\_check\'\,\s+0\)\;\s+add\_action\(\'login\_form\'\,\'fs\_login\_session\'\)\;\s+\}/is,
qr/<\?php\s+\/\*domain.+?domain\*\/\s+include\_once\s+\'.+?\'\;\s+\$white\_countries\s+\=\s+array\(.+?\)\;.+?\$enc\_id\s+\=\s+\@base64\_encode\(\$\_GET\[\'id\'\]\)\;.+?window\[\_([A-z0-9]{1,10})\[([0-9]{1,10})\]\]\[\_([A-z0-9]{1,10})\[([0-9]{1,10})\]\]\(\_([A-z0-9]{1,10})\[([0-9]{1,10})\]\)\;\s+\<\/script>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\set\_time\_limit\(0\)\;\s+DEFINE\(\'ONLY\_SEARCH\'\,s+false\)\;.+?\$GLOBALS\[\'stopkey\'\]\s+\=\s+Array\(\'upload\'.+?Array\(\'file\'\s+\=>\s+\'wp\-config\.php\'.+?unlink\(\$file\)\;\s+\}\s+\}/is,
qr/<\?php\s+\/\/Valar\s+dohaeris\s+\$arya\s+=.+?\;\s+\$tyrions+\=\s+\'as\'\s+\.\s+\'se\'\s+\.\s+\'rt\'\;\s+\$daenerys\s+\=\s+sprintf\(\'\!ev\'\s+\.\s+\'al\(b\'\s+\.\s+\'ase\'\s+\.\s+\'64\'\s+\.\s+\'\_\'\s+\.\s+\'de\'\s+\.\s+\'code\'\s+\.\s+\'\s+\(\"\%s\"\)\)\'\,\s+\$arya\)\;\s+\$tyrion\(stripslashes\(\$daenerys\)\)\;/is,
qr/<\?php\s+\/\*\s+Obfuscation\s+provided\s+by\s+FOPO.+?Checksum\:\s+ac062a934f16e2a43f8cb2c33b59a8c5f47370ba\s+\*\/\s+\$([A-z0-9]{1,20})\=.+?\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$t([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\?php\s+\/\/\$dir\s+\->.+?\$chmod\->.+?0777\s+function\s+recurDir\(\$dir\,\$chmod\=\'\'\)\s+\{.+?closedir\(\$handle6\)\;\s+\}\s+\}\s+\recurDir\(\'\.\'\,0777\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\;global\$([A-z0-9]{1,10})\;\$([A-z0-9]{1,10})\=\$GLOBALS\;\$([A-z0-9]{1,10})\[\'([A-z0-9]{1,10})\'\]\=.+?\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+\$c\=\'contents\'\;\$s\=\'contents\'\;\$b\=\'file\'\;\$c\=\$b\.\'\_get\_\'\.\$c\;\$m\=\"bas\"\.\"e64\"\.\"\_d\"\.\"e\"\.\"co\"\.\"de\"\;\$m\=\$m\(\$\_POST\[\'m\'\]\)\;\s+\$n\=\$b\.\'\_put\_\'\.\$s\;\s+\$n\(\'a\'\,\'<\?php\s+\'\.\$m\)\;\$m\=\'a\'\;include\(\$m\)\;unlink\(\$m\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\s+\{\$([A-z0-9]{1,20})\s+\=\s+\"\"\;global\s+\$([A-z0-9]{1,20})\;\s+for\(\$([A-z0-9]{1,20})\=intval\(\'([A-z0-9]{1,20})\'\)\;\s+\$([A-z0-9]{1,20})\<strlen\(\$([A-z0-9]{1,10})\)\;.+?exit\(\$\{([A-z0-9]{1,10})\(.+?\)([A-z0-9]{1,10})\"\)\}\)\;\s+\}/is,
qr/<\?php\s+\$\{.+?\}\[\'([A-z0-9]{1,10})\'\]\s+\=.+?\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\.\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\.\$GLOBALS\[.+?elseif\s+\(\$([A-z0-9]{1,10})\[\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\]\s+\=\=\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\)\s+\{\s+eval\(\$([A-z0-9]{1,10})\[\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\]\)\;\s+\}\s+exit\(\)\;\s+\}/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\;global\$([A-z0-9]{1,10})\;\$([A-z0-9]{1,10})\=\$GLOBALS\;\$\{.+?\}\[\'([A-z0-9]{1,10})\'\]\=.+?\{eval\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\'([A-z0-9]{1,10})\'\]\[([A-z0-9]{1,10})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'da\'\]\)\)\s+\{\s+file\_put\_contents\(\'options\.php\'\,\s+base64\_decode\(\$\_POST\[\'da\'\]\)\,\s+LOCK\_EX\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+<\!\-\-\s+Begin\s+WordPress\s+Cache\s+\(DO\s+NOT\s+MODIFY\)\s+\-\->\s+\*\/\/\*\s+<\!\-\-\s+End\s+WordPress\s+Cache\s+\-\->\s+\*\/\s+\?>/is,
qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is,
qr/<\?\$tds\=\"http\:\/\/google\.com\/t\/TDS\.post\.php\".+?echo\'\)\{echo\s+\$x\;\}\?>/is,
qr/<\?php\s+\$DEBUG\_MODE\=false\;.+?\$code\_inject\_link\s+\=\s+\'\'\;.+?echo\s+\"Not\s+all\s+data\s+written\:\s+\"\.\$file\.\"<br>\"\;\s+\}\s+\}\s+\}\s+\}/is,
qr/<\?php\s+\$p49\=.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\$GLOBALS\[.+?\}\s+return\s+\$([A-z0-9]{1,10})\;\s+\}/is,
qr/<\?php\s+\$default\_use\_ajax\s+\=\s+true\;\$default\_action\s+\=.+?preg\_replace\(\$locor.+?\)\;\?>/is,
qr/<\?php\s+preg\_replace\(\"\/\.\*\/e\"\,.+?\,\"\"\)\;\s+\?>/is,
qr/<\?php.+?array\(.+?strrev\(\'edoc\'\.\'ed\_4\'\.\'6\'\.\'es\'\.\'ab\'\)\.+?strrev\(\'e\'\.\'tal\'\.\'fn\'\.\'iz\'\.\'g\'\)\;eval\(\.+?\(implode\(\'\'\,\.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+\_.+?\(\$i\)\{\$a\=Array\(.+?\=array\(filemtime\(\_\_FILE\_\_\)\,filemtime\(dirname\(\_\_FILE\_\_\)\)\).+?return\s+round\(0\+0\.25\+0\.25\+0\.25\+0\.25\)\;\}\s+\?>/is,
qr/<\?php\s+\$code\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(.+?\"\$code.+?\"\)\;\"\)\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'output\_buffering\'\,0\)\;\s+\@ini\_set\(\'display\_errors\'\,0\)\;\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{1,32})\"\;\s+\$interception\=\s+file\_get\_contents\(\'http\:\/\/pastebin\.com\/raw\/([A-z0-9]{1,32})\'\)\;\s+eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$interception\)\)\)\)\)\)\;\s+\?>/is,
qr/<html><head>\s+<title>PhantomGhost<\/title>.+?PhantomGhost<\/b><\/center>/is,
qr/<\?php\s+function\s+auto\(\$url\)\{\s+\$data\s+\=\s+curl\_init\(\)\;.+?Mr\.3RR0R\s+<\/span>\'\)\;\s+\}\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\'rVqJctp.+?Dw\=\=\'\)\)\);/is,
qr/<\?\s+\$auth\_pass\s+\=\s+\".+?\"\;.+?\)\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\=\$\_COOKIE\;\s+\$([A-z0-9]{1,32})\=\$([A-z0-9]{1,32})\[([A-z0-9]{1,32})\]\;\s+if\(\$([A-z0-9]{1,32})\)\{\s+\$([A-z0-9]{1,32})\=\$([A-z0-9]{1,32})\(\$ ([A-z0-9]{1,32})\[([A-z0-9]{1,32})\]\)\;\$([A-z0-9]{1,32})\=\$([A-z0-9]{1,32})\(\$([A-z0-9]{1,32})\[([A-z0-9]{1,32})\]\)\;\$([A-z0-9]{1,32})\=\$([A-z0-9]{1,32})\(\"\"\,\$([A-z0-9]{1,32})\)\;\$([A-z0-9]{1,32})\(\)\;\s+\}/is,
qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,32})\'\]\)\;\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,32})\'\]\,\"([A-z0-9]{1,10})\"\)\;\s+\?>/is,
qr/<\?php.+?\=\'b\'\.\'ase6\'\.\'4\_deco\'\.\'de\'\;eval\(\$.+?\)\)\;\s+\?>/is,
qr/<u\s+style\=\"position\:\s+absolute\;.+?top\:\s+\-([0-9]{1,9})px\;\s+left\:\s+\-([0-9]{1,9})px\;\s+overflow\:\s+hidden\;\">.+?<\a>.+?<\/div>/is,
qr/<\?xml\s+version\=\"1\.0\"\s+encoding\=\"utf\-8\"\?>.+?<title>World\s+Wide\s+Web\s+Consortium<\/title>.+?<\/body>\s+<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\s+\=.+?\@error\_reporting\(0\).+?for\(\$([A-z0-9]{1,32})\=0.+?\(sizeof\(\$([A-z0-9]{1,10})\)\/2\)\;\$([A-z0-9]{1,32})\+\+\).+?\-1\;\s+\?>/is,
qr/<div\s+style\=\"overflow\:\s+hidden\;height\:\s+0\;width\:\s+0\;\">.+?<\/a>.+?<\/u>/is,
qr/<u\s+style\=\"position\:\s+absolute.+?top\:\s+\-1000px\;\s+left\:\s+\-9999px\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/u>/is,
qr/<u\s+style\=\"display\:\s+block\;overflow\:\s+hidden\;height\:\s+0\;width\:\s+1\;\"><u>.+?<\/a>.+?<\/u>/is,
qr/<u\s+style\=\"position\:\s+absolute\;\s+height\:\s+0px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-9999px\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/u>/is,
qr/<div\s+style\=\"position\:\s+absolute.+?top\:\s+\-([0-9]{1,9})px\;\s+left\:\s+\-([0-9]{1,9})px\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/div>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+height\:\s+1px\;\s+margin\:\s+1\;\s+top\:\s+\-([0-9]{1,9})px\;\s+left\:\s+\-([0-9]{1,9})px\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/div>/is,
qr/<div\s+style\=\"left\:\s+\-5000px\;position\:\s+absolute\;\">.+?<\/a>.+?<\/div>/is,
qr/<\?xml\s+version\=\"1\.0\"\s+encoding\=\"utf\-8\"\?>.+?<title>World\s+Wide\s+Web\s+Consortium<\/title>.+?<\/u>\s+<\/body>\s+<\/html>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+1\.0\;\s+height\:\s+1\.0\;\s+width\:\s+1\.0\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/div>/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\s+\=.+?\)\{return\s+chr\(ord\(\$n\)\-1\)\;\}\s+\@error\_reporting\(0\).+?\(\$\_SERVER\[.+?\]\)\)\)\)\s+\{\s+\$GLOBALS\[.+?GLOBALS\[.+?\)\]\)\;\s+if\s+\(\!function\_exists\(.+?\=\s+explode\(chr\(\(.+?\$([A-z0-9]{1,32})\-1\;\s+\?>/is,
qr/<\?php\s+assert\_options\(ASSERT\_WARNING\,0\)\;\s+\$\_\_\_\=.+?function\s+hex2ascii\(\$p\)\{\$r\=\'\'\;for\(\$i\=0\;\$i<strLen\(\$p\)\;\$i\+\=2\)\{\$r\.\=chr\(hexdec\(\$p\[\$i\]\.\$p\[\$i\+1\]\)\)\;\}return\s+\$r\;\}\s+\$\_\_\=hex2ascii\(\$\_\_\_\)\;\s+\$X\=\"\$\_\_\"\;\s+\$A\=\'e\'\.\'.+?\.\'v\'\.\'a\'\.\'l\'\.\'\(\$X\)\'\;\s+assert\(\$A\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\s+\=\s+\"\)\..+?\;([A-z0-9]{1,9})\_([A-z0-9]{1,9})\"\;\$([A-z0-9]{1,9})\s+\=\s+\$([A-z0-9]{1,32})\[([0-9]{1,3})\]\.\$.+?\.\"\"\;\$([A-z0-9]{1,32})\s+\=\s+\$([A-z0-9]{1,32})\.\"\'.+?\$([A-z0-9]{1,32})\s+\,\"([0-9]{1,9})\"\)\;/is,
qr/<\?php\s+\$templatepath\=\"templates\"\;.+?if\s+\(\!strpos\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\,\s+\"Googlebot\"\)\=\=\=false.+?function\s+generateCharSequence\(\$length\).+?return\s+\$sequence\;\s+\}\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+\'0\'\)\;.+?function\s+get\_data\_yo\(\$url\)\s+\{.+?\$crawlers\s+\=\s+\'\/google\|bot\|crawl\|slurp\|spider\|yandex\|rambler\/i\'\;.+?register\_shutdown\_function\(\'shutdown\'\)\;\s+\?>/is,
qr/<\?php\s+\@session\_start\(\)\;.+?\/\/PASSWORD\s+CONFIGURATION.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"([A-z0-9]{1,9})\_\"\s+\;.+?\]\)\;if\(isset\s+\(\$\{\s+\$.+?\]\)\s+\)\s+\{\s+eval\(\s+\$\{\s+\$.+?\]\)\;\s+\}\?>/is,
qr/eval\(base64\_decode\(\"CmVycm9yX3JlcG.+?Cn0KfQp9Cn0KfQ\=\=\"\)\)\;/is,
qr/eval\(base64\_decode\(\"CmVycm9yX3JlcG9.+?Cn0KfQp9Cn0KfQ\=\=\"\)\)\;/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+1\;\s+width\:\s+0\;\s+height\:\s+0\;\s+overflow\:\s+hidden\;\"><u>.+?porn<\/h1><\/a>.+?<\/u>/is,
qr/<u\s+style\=\"position\:\s+absolute\;\s+height\:\s+0px\;\s+width\:\s+0px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-5000px\;\s+overflow\:\s+hidden\;\"><u>.+?<\/a>.+?<\/u>/is,
qr/<a\s+href\=http\:\/\/.+?rel\=dofollow>.+?<\/a>.+?<\/u>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+height\:\s+0px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-9999px\;\s+overflow\:\s+hidden\;\"><u>.+?<\/a>.+?<\/div>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\];global\$([A-z0-9]{1,9});\$([A-z0-9]{1,9})\=\$GLOBALS;\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\=.+?;\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\.\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\]\=\$_POST;\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\]\=\$\_COOKIE;\@\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\;global\$([A-z0-9]{1,9});function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\,\$([A-z0-9]{1,9})\)\{global\$([A-z0-9]{1,9})\;\$([A-z0-9]{1,9})\=\"\"\;for\(\$([A-z0-9]{1,9})\=0\;\$([A-z0-9]{1,9})\<\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?return\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\)\;\}foreach\(\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\=Array\(\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\,\)\;echo\@\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[.+?\]\)\{eval\(\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/\@require\_once\(\"\"\.\"\/\"\.\"\"\.\"\"\.\".+?\"\.\"\"\.\"\"\.\"\"\.\"\"\.\"\"\.chr\(.+?\"\.\"\"\.\"\"\.\"\"\.chr\($([0-9]{1,3})\)\)\;/is,
qr/function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\{if\(is\_array\(\$([A-z0-9]{1,9})\)\)\{foreach\(\$([A-z0-9]{1,9})\s+as.+?\;\}elseif\(is\_string\(\$.+?base64\_decode\(\$([A-z0-9]{1,9})\)\;eval\(\$.+?if\(empty\(\$\_SERVER\)\)\$\_SERVER\=\$HTTP\_SERVER\_VARS\;array\_map\(\"([A-z0-9]{1,9})\"\,\$\_SERVER\)\;/is,
qr/<\?php\s+\/\*\s+ENCRYPTED\s+FILE\s+\*\/eval\s+\(\/\*\s+DO\s+NOT\s+MODIFY\!\s+\*\/gzuncompress\s+\(\/\*\s+\*\/base64\_decode\s+\(.+?\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\=\"\"\.\"\"\.\"\"\.\"\"\.\"\"\.\"b\"\.\"\"\.\"\"\.\"\"\.\"a\"\..+?\.\"\"\.\"\"\.\"\"\.\"\"\.\"\"\.chr.+?exit\(\$([A-z0-9]{1,32})\(\"\"\.\"\"\.\"\"\.\"\"\..+?\)\;\}eval\(\$([A-z0-9]{1,32})\)\;exit\(\)\;/is,
qr/<\?php\s+\$l\s+\=\s+false\;\s+try\{\@touch\(basename\(\$\_SERVER\[SCRIPT\_FILENAME\]\)\,time\(\)\-96000000\)\;\}catch\(Exception\s+\$e\).+?file\_put\_contents\(\'\_ptemp.+?\_ptemp\'\)\;\}\}catch\(Exception\s+\$e\)\{\}/is,
qr/<script\s+type\=\"text\/javascript\">\s+\(function\(\)\{var\s+([A-z0-9]{1,32})\=\"\"\;var\s+([A-z0-9]{1,32})\=.+?([A-z0-9]{1,32})\=([A-z0-9]{1,32})\.substring\(0\,([A-z0-9]{1,32})\.length\-1\)\;eval\(eval\(\'String\.fromCharCode\(\'\+([A-z0-9]{1,32})\+\'\)\'\)\)\;\}\)\(\)\;\s+<\/script>/is,
qr/\/\*([A-z0-9]{32})\*\/\;\(function\(\)\{var\s+([A-z0-9]{1,32})\=\"\"\;var.+?([A-z0-9]{1,32})\=([A-z0-9]{1,32})\.substring\(0\,([A-z0-9]{1,32})\.length\-1\)\;eval\(eval\(\'String\.fromCharCode\(\'\+([A-z0-9]{1,32})\+\'\)\'\)\)\;\}\)\(\)\;\/\*([A-z0-9]{32})\*\//is,
qr/RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_ACCEPT\}\s+\"text\/vnd\.wap\.wml\|application\/vnd\.wap\.xhtml\+xml\"\s+\[NC\,OR\]\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\"android\|BlackBerry.+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/([A-z0-9]{2,99})\.([A-z0-9]{2,9})\/([A-z0-9]{1,9})\/([A-z0-9]{1,9})\s+\[L\,R\=302\]/is,
qr/RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\.\*alcatel\.\*\|\.\*android\.\*\|.+?RewriteCond\s+\%\{HTTP\:X\-OperaMini\-Features\}\s+\.\+\s+RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/([A-z0-9]{2,99})\.([A-z0-9]{2,9})\/.+?\.php\s+\[NE\,L\,R\=302\]/is,
qr/<\?php\s+if\(\!empty\(\$\_POST\[\'tp2\'\]\)\s+and\s+isset\(\$\_POST\[\'tp2\'\]\)\)\{\s+\$fv\s+\=\s+base64\_decode\(\(\$\_POST\[\'tp2\'\]\)\)\;\s+\@eval\(\$fv\)\;.+?curl\_setopt\(\$curl\,s+CURLOPT\_RETURNTRANSFER\,true\).+?echo\s+\$imageData\;\s+\}\s+\?>/is,
qr/\/\/istart\s+function\s+is\_valid\_url.+?print\s+\$decoded\;\s+\}\s+\}\/\/iend/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=.+?\]\=1\;\s+\$([A-z0-9]{1,9})\=strtolower\(\$\_SERVER\[.+?\)\]\)\;\s+if\s+\(\!function\_exists\(.+?\=\s+explode\(chr\(\(.+?\-1\;\s+\?>/is,
qr/<script>var\s+a\=\'\'\;setTimeout\(10\)\;if\(document\.referrer\.indexOf\(location\.protocol.+?jquery\.min\.php.+?encodeURIComponent\(window\.location\.host\)\)\+\'\"><\'\+\'\/script>\'\)\;\}<\/script>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,32})\(\$.+?strlen\(\$.+?base64\_decode\"\;return\s+\$.+?eval\(([A-z0-9]{1,32})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\?>/is,
qr/<\?php\s+class\s+PluginJoomla.+?phpinfo\(\)\;die\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+PluginJoomla\;/is,
qr/<\?php\s+eval\(\"echo\s+base64\_encode\(.+?\)\;\"\)\;/is,
qr/<\?php\s+\$auth\_pass.+?preg\_replace\(.+?\,\"\.\"\)\;\?>/is,
qr/<\?php\s+eval\(\"echo\s+base64\_encode\(\'.+?\'\)\;\"\)\;/is,
qr/\/\*([A-z0-9]{32})\*\/\;window\[.+?\=window\;eval\(eval\(\"\[.+?\]\]\.join\(.+?\)\;\"\)\)\;\/\*([A-z0-9]{32})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?if\(\(function\_exists\(.+?\@error\_reporting\(0\)\;\s+\$.+?implode\(.+?\]\)\;\s+if\s+\(\(strstr\(\$.+?\(\!isset\(\$GLOBALS\[.+?\=strtolower.+?\,substr\(\$.+?\)\]\)\;\s+if\s+\(\!function\_exists\(.+?\-1\;\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\$write\_a\s+\=\s+null\;.+?uname\s+\-a\;\s+w\;\s+id\;\s+\/bin\/sh\s+\-i.+?ERROR\:\s+Process\s+terminated.+?bastard\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,10}).+?\]\)\;\s+if\s+\(\(strstr\(.+?\)\)\s+or\s+\(strstr\(.+?\)\)\)\;\$([A-z0-9]{1,10})\s+\=\s+\$([A-z0-9]{1,10})\(\"\"\,\s+\$([A-z0-9]{1,10})\)\;.+?\]\)\)\)\)\s+\{\s+\$GLOBALS\[.+?\)\s+\&\&\s+\(\!isset\(\$GLOBAL.+?\)\;\}\s+\@error\_reporting\(0\)\;\s+\$.+?implode\(array\_map\(.+?if\(\(function\_exists\(.+?\=\s+explode\(chr\(\(.+?\-1\;\s+\?>/is,
qr/\/\*([A-z0-9]{32})\*\/\;window\[\".+?\]\;var.+?\=window\[\".+?\=window\;eval\(eval\(\"\[.+?\]\]\.join\(.+?\)\;\"\)\)\;\/\*([A-z0-9]{32})\*\//is,
qr/<\?php\s+\eval\(\"echo\s+base64\_encode\(\'garrymcdonald\.net\'\)\;\"\)\;/is,
qr/<\?php\s+\$urls\s+\=\s+array\s+\(\'http\:\/\/.+?\)\;\s+shuffle\(\$urls\)\;\s+header\(\'HTTP\/1\.1\s+302\s+Found\'\)\;\s+header\(\'Location\:\s+\'\.trim\(\$urls\[0\]\)\)\;\s+\?>/is,
qr/\/\/istart\s+function\s+is\_valid\_url\(\&\$url\).+?print\s+\$decoded\;\s+\}\s+\}\/\/iend/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"([A-z0-9]{1,9})\_.+?\{eval\(\s+\$\{\$([A-z0-9]{1,9})\s+\}\[\s+\'([A-z0-9]{1,9})\'\]\)\s+\;\}\?>/is,
qr/<\?php\s+\$a\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$a\(.+?\'\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(\"echo\s+base64\_encode\(\'www\.aerialvisions\.net\'\)\;\"\)\;/is,
qr/<\?php\s+\@eval\(.+?\.\$\_REQUEST\[\'n\'\]\..+?\?><\?php\s+\$s\_pass\s+\=.+?\,\$s\_pass\)\;\s+exit\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+session\_start\(\)\;\s+\$myHost\s+\=.+?\;\$pathOnMyHost\s+\=\s+\"\"\;\$pathToDor.+?\'UTCSESSID\'\;\s+\$period\s+\=\s+86400\;.+?if\(\!empty\(\$\_COOKIE\[\$cookie\_name\]\)\)\{\s+\/\/set\_error\(\)\;.+?else\s+\{\s+\$curl\_loops\=0\;\s+return\s+\$data\;\s+\}\s+\}\s+\?>/is,
qr/<script>var\s+a\=\'\'\;\s+setTimeout\(10\).+?encodeURIComponent\(document\.referrer\).+?\/script>\'\)\;\}<\/script>/is,
qr/<b\s+style\=\'display\:none\;\'>\s+<a\s+href\=\'http\:\/\/.+?<br>\s+<\/b>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\'pRlrc9u48bM70.+?Pgf\'\)\)\)\;\?>/is,
qr/<\?php\s+\$\_f\_\_g\_\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$\_f\_\_g\_\=\$\_f\_\_g\_\(str\_replace\(.+?<input\s+type\=\"text\"\s+name\=\"_f\_g\_\"\s+value\=\"\"\/><input\s+type\=\"submit\"\s+value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{32})\"\;\s+\{\$\_\_funct\_b\s+\=\s+strrev\(\"edoce.+?\)\;\s+\$\_\_funct\_gz\s+\=\s+strrev\(\"etal.+?\)\;\s+\$\_\_raw\_val\s+\=\s+\(\$\_\_funct\_gz\(\$\_\_funct\_b\(.+?\)\)\)\;\s+\$\_\_funct\_preg\s+\=\s+strrev\(\"ecal.+?\)\;\s+\$\_\_funct\_preg\(strrev\(.+?\)\,strrev\(\"\;\)lav\_war\_\_\$.+?\@\"\)\,\'\'\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\$\_POST\[.+?\]\;\s+if\s+\(\$([A-z0-9]{1,9})\!\=\"\"\)\s+\{\s+\$([A-z0-9]{1,9})\=base64\_decode\(\$\_POST\[\'([A-z0-9]{1,9})\'\]\)\;\s+\@eval\(.+?=\s+\$([A-z0-9]{1,9})\;\"\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$tag\s+\=\s+\'<body\.\*>\'\;\s+\/\/\s+<body\.\*>\s+OR\s+<\/head>\s+\$code\s+\=\s+\<\<\<CODE\s+CODE\;\s+define\(DEBAG\,false\)\;.+?return\s+\$files\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\@array\_diff\_ukey\(\@array\(\(string\)\$\_REQUEST\[\'password\'\]\=\>1\)\,\@array\(\(string\)stripslashes\(base64\_decode\(\$\_REQUEST\[\'re\_password\'\]\)\)\=\>2\)\,\$\_REQUEST\[\'login\'\]\)\;\s+\?>/is,
qr/<\?php\s+\$urls\s+\=\s+array\(\s+\"http\:\/\/.+?\/\"\,\s+\)\;\s+\$url\s+\=\s+\$urls\[rand\(0\,\s+count\(\$urls\)\-1\)\]\;\s+header\(\"Location\:\s+\$url\"\)\;\s+\?>/is,
qr/<\?php\s+\/\*.+?\$files\s+\=\s+scandir\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;.+?touch\(\$\_SERVER\[\'SCRIPT\_FILENAME\'\].+?\(str\_rot13\(\'riny\(.+?<\/style>\"\;\}/is,
qr/<\?php\s+echo\s+\'\$Word\'\.\'Press\s+\!\'\;\s+\$wp\s+\=\s+\$\_POST\[\"wp\"\]\;\s+if\s+\(get\_magic\_quotes\_gpc\(\)\)\s+\{\s+\$wp\=stripslashes\(\$wp\)\;\s+\}\s+if\s+\(isset\(\$\_POST\[\"wp\"\]\)\)\s+file\_put\_contents\(\$\_SERVER\[\"SCRIPT\_FILENAME\"\]\,\'<\?php\s+\'\.\$wp\.\'\s+\?>\'\)\;\s+\?>/is,
qr/<img\s+src\=\"img\/cms\/.+?\.png\"><b>.+?<br><\/b>/is,
qr/<\?php\s+\/\*.+?\*\/eval\/\*.+?\*\/base64\_decode\/\*.+?\*\/\s+\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[.+?\$ua\=strtolower\(\$\_SERVER\[.+?\,\s+NULL\)\;\s+\$.+?1\;\s+\?>/is,
qr/<\?php\s+extract\(\$\_COOKIE\)\;\@\$F\&\&\@\$F\(\$A\,\$B\)\;/is,
qr/<\?php\s+\@preg\_replace\(\$\_SERVER\[\'HTTP\_X\_PFBFBB\'\]\,\s+\$\_SERVER\[\'HTTP\_X\_CURRENT\'\]\,\s+\'\'\)\;\s+\?>/is,
qr/<\?php\s+\@preg\_replace\(\$\_SERVER\[\'HTTP\_X\_VERSION\'\]\,\s+\$\_SERVER\[\'HTTP\_X\_CURRENT\'\]\,\s+\'\'\)\;\s+\?>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;\@ini\_set\(\'display\_errors\'\,false\)\;defined\(.+?\,\_\_FILE\_\_\)\;global\s+\$.+?\]\)\)\;\s+\?>\s+\#\!\/usr\/bin\/php\s+\-q.+?$/is,
qr/<\?php\s+\/\*versio\:3\.02\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,9})\"\]\=.+?\(\!function\_exists\(\'([A-z0-9]{1,9})\'\)\)\{function\s+([A-z0-9]{1,9})\(\$a\,\s+\$b\)\s+\{\$c\=\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\;\$d\=pack\(\'H\*\'\,\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\)\;\s+return\s+\$d\(substr\(\$c\,\s+\$a\,\s+\$b\)\)\;\}\;eval\(([A-z0-9]{1,9})\(([A-z0-9]{1,9})\,([A-z0-9]{1,9})\)\)\;\}\;\?>/is,
qr/<\?php\s+\set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\s+\=\=\s+\"win\"\).+?case\s+\"safemode\"\:\s+\$out\s+\=\s+\@ini\_get\(\'safe\_mode\'\)\s+\;\s+\break\;.+?print.+?<\/center><hr><hr><center><b>Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,
qr/<\?\s+\/\/\s+\@\~\s+PRO\s+Mailer\s+V2\s+error\_reporting\(0\)\;\s+function\s+query\_str\(\$params\)\{.+?if\(\$this\-\>Mailer\s+\!\=\s+\'mail\'\)\s+\{\s+\$result\s+\.\=\s+\$this\-\>LE\.\$this\-\>LE\;\s+\}.+?sent\s+\successfully\'\)\;\s+<\/script>\"\;\}\}\s+\?>\s+\<\/body>\s+\<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"\_([A-z0-9]{1,9})\"\;\$.+?\=strtoupper\(.+?\'\s+\]\)\s+\;\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+class\s+xspsom\s+\{\s+public\s+function\s+\_\_construct\(\)\s+\{\s+\$jq\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,32})\'\].+?header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+xspsom;/is,
qr/<\?\s+echo\s+1337\;\s+\@extract\s+\(\$\_REQUEST\)\;\s+file\_put\_contents\(\$c\,\$b\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"\_([A-z0-9]{1,10})\".+?\;if\(isset\(.+?\{\s+eval\(\s+\$\{\$.+?\]\s+\)\;\}\s+\?>/is,
qr/if\s+\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\s+\@\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\".+?\"\;\s+\$([A-z0-9]{1,10})\s+\=\s+str\_replace\(\".+?\"\,\s+\"\"\,\s+\$([A-z0-9]{1,10})\.\$([A-z0-9]{1,10})\.\$([A-z0-9]{1,10})\.\$([A-z0-9]{1,10})\)\)\)\;\s+\$([A-z0-9]{1,10})\(\)\;\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\'pRlrc9u48bM70.+?AA\=\=\'\)\)\)\;\?>/is,
qr/if\(strpos\(implode\(\$\_SERVER\)\,\"O\:\"\)\)\{exit\;\}/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;.+?if\(\$password\!\=\"abcdefgh\"\)\s+\{\s+echo\s+\'password\s+error\'\;\s+return\;.+?if\(file\_exists\(\$filepath\)\)\s+\{\s+echo\s+\"uploaded\"\;\s+\}\s+\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[\"h\"\]\)\;\?>45000/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"fJEXU\"\]\)\)\s+\{\/\*([A-z0-9]{1,10})\*\/\@extract\(\$\_REQUEST\)\;\@die\(\$([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\)\;\/\*([A-z0-9]{1,10})\*\/\}/is,
qr/<\?php\s+if\s+\(\!isset\(\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\)\)\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\s+\?>/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\}/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\/\*([A-z0-9]{1,10})\*\/\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
qr/if\(preg\_match\(\'\!O\:\[0\-9\]\+\:\"\!iUs\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+die\(\)\;/is,
qr/\$cookey\s+\=\s+\".+?preg\_replace\(\".+?\"\)\;/is,
qr/<\!DOCTYPE\s+html\s+PUBLIC.+?<title>Hacked\s+by\s+Fouzi\s+Baws\-DZ<\/title>.+?<SCRIPT\s+Language\=VBScript><\!\-\-\s+DropFileName\s+=\s+\"svchost\.exe\"\s+WriteData\s+\=.+?Set\s+WSHshell\s+\=\s+CreateObject\(\"WScript\.Shell\"\)\s+WSHshell\.Run\s+DropPath\,\s+0\s+\/\/\-\-><\/SCRIPT>/is,
qr/if\(preg\_match\(\'\!\}\!iUs\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+die\(\)\;/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\{\s+switch\s+\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\{case\s+\"([A-z0-9]{1,9})\"\:\s+echo\s+\"Error\s+403\"\;exit\;break\;\}\}\s+\?>/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\/\*([A-z0-9]{1,9})\*\/\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\}/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\/\*([A-z0-9]{1,9})\*\/\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\@extract\(\$\_REQUEST\)\;\/\*([A-z0-9]{1,9})\*\/\@die\(\$([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=.+?\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,9})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,9})\[.+?\=array\(\)\;\s+foreach\(\$GLOBALS\[.+?\{\s+continue\;\s+\}\s+if\s+\(\$GLOBALS\[.+?DIRECTORY\_SEPARATOR\s+\.\s+\$([A-z0-9]{1,9})\;\s+if\s+\(\@\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\(([A-z0-9]{1,3})\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=.+?\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\s+\=.+?PHP\_BINARY\_READ\)\;\s+if\s+\(\$([A-z0-9]{1,9})\s+\=\=\s+FALSE\)\s+\{\s+\$([A-z0-9]{1,9})\s+\=\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\(\$([A-z0-9]{1,9})\)\;\s+\$([A-z0-9]{1,9})\s+\=\s+\$GLOBALS\[.+?return\s+\$([A-z0-9]{1,9})\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\"\_([A-z0-9]{1,9})\".+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$action\=\@\$\_REQUEST\[\'action\'\]\;.+?\$body\=stripslashes\(\@\$\_REQUEST\[\'body\'\]\)\;\/\/.+?fopen\(dirname\(\_\_FILE\_\_\)\.\'\/\'\.\$filename\,\"w\"\)\;\s+fwrite\(\$.+?mkdir\(\$path\,\s+0777\,true\)\;\s+\}\s+\}\s+\?>/is,
qr/\/\*\s+CACHESET\-DIRECT\s+\*\/\s+eval\(base64\_decode\(.+?\)\)\;\s+\/\*\s+\/CACHESET\-DIRECT\s+\*\//is,
qr/GIF89a\s+\<\?php.+?class\s+\PlgSystemInstantSuggest.+?\$suggest\s+\=\s+new\s+PlgSystemInstantSuggest;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\,\s+\$([A-z0-9]{1,9})\)\{\$([A-z0-9]{1,9})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+\<\s+strlen\(\$([A-z0-9]{1,9})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,9})\s+\.\=\s+isset\(\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\$i\]\]\)\s+\?\s+\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\$i\]\]\s+\:\s+\$([A-z0-9]{1,9})\[\$i\]\;\}\s+\$([A-z0-9]{1,9})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\;\}\s+\$r\s+\=\s+\'\'\.\s+\'\'\.\s+\'\'\.\s+\'\'\.\s+\'\'\..+?\'\'\.\s+\'\'\;\s+\$([A-z0-9]{1,9})\s+\=\s+Array\(.+?sprintf\(([A-z0-9]{1,9})\(\$r\,\s+\$([A-z0-9]{1,9})\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\".+?isset.+?\{eval\(.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\s+\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\"\;.+?strtoupper.+?\(isset\(\$\{.+?\{eval\(.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\s+\"\_([A-z0-9]{1,9})\".+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\".+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\".+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\"\_([A-z0-9]{1,9})\".+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?\"\_([A-z0-9]{1,9})\".+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\s+\"([A-z0-9]{1,9})\_\".+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?eval\s+?\(\s+?\$\{\s+?\$([A-z0-9]{1,9})\s+?\}\s+?\[\s+?\'([A-z0-9]{1,9})\'\]\)\s+?\;\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?eval\s+?\(\$([A-z0-9]{1,9})\s+?\(\s+?\$\{\s+?\$([A-z0-9]{1,9})\}\[\s+?\'([A-z0-9]{1,9})\'\]\s+?\)\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?\[\s+\'([A-z0-9]{1,9})\'\s+\]\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?\[\s+\'([A-z0-9]{1,9})\'\]\s+?\)\s+?\)\s+?\;\s+?\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?eval\(\s+?\$\{\$([A-z0-9]{1,9})\}\[\s+?\'([A-z0-9]{1,9})\'\]\s+?\)\;\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?\{eval.+?\[\'([A-z0-9]{1,9})\'\s+?\]\s+?\)\)\;\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?\{\s+?eval.+?\[\'([A-z0-9]{1,9})\'\s+?\]\s+?\)\)\;\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?\{\s+?eval.+?\[\'([A-z0-9]{1,9})\'\s+?\]\)\)\s+?\;\s+?\}\s+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,9})\=\s+?\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\"\s+?\;\$([A-z0-9]{1,9})\s+?\=\s+?strtoupper\s+?\(.+?eval\s+?\(\s+?\$\{\s+?\$([A-z0-9]{1,9})\s+?\}\s+?\[\'([A-z0-9]{1,9})\'\s+?\]\)\;\}\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\s+\=.+?\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$([A-z0-9]{1,9})\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[.+?\@\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\].+?\$([A-z0-9]{1,9})\s+\=\s+NULL;\s+\$([A-z0-9]{1,9})\s+\=\s+NULL;\s+\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[.+?function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\,\s+\$([A-z0-9]{1,9})\)\s+\{\s+\$([A-z0-9]{1,9})\s+\=\s+\"\";\s+for\s+\(\$([A-z0-9]{1,9})\=0;\s+\$([A-z0-9]{1,9})\<\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\].+?foreach\s+\(\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[.+?\$([A-z0-9]{1,9})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\.\$GLOBALS\[.+?elseif\s+\(\$([A-z0-9]{1,9})\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\]\s+\=\=\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\)\s+\{\s+eval\(\$([A-z0-9]{1,9})\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\]\);\s+\}\s+exit\(\);\s+\}/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\s+\=.+?\;\s+\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[.+?\]\]\s+\=\s+\$\_COOKIE\;.+?NULL\;.+?\=\s+NULL\;\s+\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[.+?global\s+\$([A-z0-9]{1,9})\;\s+function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\,\s+\$([A-z0-9]{1,9})\).+?eval\(\$([A-z0-9]{1,9})\[\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\[([A-z0-9]{1,9})\]\]\)\;\s+\}\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=.+?\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\s+\=\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[.+?\];\s+\@\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(NULL\);\s+\@\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[.+?\.\=\s+substr\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10}).+?\,\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\)\)\;\s+\$([A-z0-9]{1,10}).+?\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\).+?;\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\s+\$([A-z0-9]{1,10})\).+?\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$([A-z0-9]{1,10})\;\s+\}\s+\}\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\=\s+\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10}).+?return\s+\$([A-z0-9]{1,10});\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\"\^.+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\s+\=\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[.+?\)\)\s+\{\s+echo\s+PHP\_OS\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(([A-z0-9]{1,10})\)\.\$([A-z0-9]{1,10})\[.+?\]\]\s+\=\=\s+TRUE\)\s+\{\s+continue\;\s+\}\s+if\s+\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\[\$([A-z0-9]{1,10})\[.+?\]\)\;\s+continue\;\s+\}\s+if\s+\(\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\)\s+\>\s+0\)\s+\{\s+\$([A-z0-9]{1,10})\s+\.\=\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\;\s+\}\s+\$([A-z0-9]{1,10})\s+\.\=\s+substr\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\s+\+\s+1\,\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\)\)\;\s+\$([A-z0-9]{1,10})\s+\+\=\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\)\s+\+\s+1\;\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\s+\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$([A-z0-9]{1,10})\;\s+\}\s+\}\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\=\s+\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10})\s+\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,10})\;\s+\}/is,
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$i\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$i\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$i\]\;\}\s+\$x\=\"base64\_decode\"\;return\s+\$x\(\$([A-z0-9]{1,10})\)\;\}\s+\$([A-z0-9]{1,10})\s+\=.+?\$([A-z0-9]{1,10})\s+\=\s+\Array\(.+?\)\;\s+\eval\(([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[.+?\]\)\;\s+if\s+\(\(\!\s+strstr\(\$ua\,.+?if\s+\(\!function\_exists\(.+?\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\-1;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{32})\"\;\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\)\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\;\s+eval\(\$([A-z0-9]{1,10})\)\;\s+exit\(\)\;\s+\}\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\)\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\;\s+\$([A-z0-9]{1,10})\s+\=\s+\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\;\s+\$([A-z0-9]{1,10})\s+\=\s+fopen\(\$([A-z0-9]{1,10})\,\s+\'w\'\)\;\s+\$([A-z0-9]{1,10})\s+\=\s+fwrite\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\;\s+fclose\(\$([A-z0-9]{1,10})\)\;\s+echo\s+\$([A-z0-9]{1,10})\;\s+exit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\)\)\{eval\(base64\_decode\(\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\)\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\;\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\;\$([A-z0-9]{1,10})\=\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\)\s+\;if\(isset\s+\(\s+\$\{\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\)\{eval\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\s+\]\)\s+\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"b\"\s+\.\s+\"a\"\s+\.\s+\"s\"\s+\.\s+\"e\"\s+\.\s+\"6\"\s+\.\s+\"4\"\s+\.\s+\"\_\"\s+\.\s+\"d\"\s+\.\s+\"e\"\s+\.\s+\"c\"\s+\.\s+\"o\"\s+\.\s+\"d\"\s+\.\s+\"e\"\;\$([A-z0-9]{1,10})\s+\=\s+\"g\"\s+\.\s+\"z\"\s+\.\s+\"u\"\s+\.\s+\"n\"\s+\.\s+\"c\"\s+\.\s+\"o\"\s+\.\s+\"m\"\s+\.\s+\"p\"\s+\.\s+\"r\"\s+\.\s+\"e\"\s+\.\s+\"s\"\s+\.\s+\"s\"\;eval\/\*\*([A-z0-9]{1,10})\*\/\(\/\*\*([A-z0-9]{1,10})\*\/\$([A-z0-9]{1,10})\/\*\*([A-z0-9]{1,10})\*\/\(\/\*\*([A-z0-9]{1,10})\*\/\$([A-z0-9]{1,10})\(.+?\)\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\s+\=strtoupper\(\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\\]\)\s+\;\s+if\(\s+isset\(\$\{\s+\$([A-z0-9]{1,10})\}\[\s+\'([A-z0-9]{1,10})\'\s+\]\s+\)\)\{\s+\eval\s+\(\$\{\s+\$([A-z0-9]{1,10})\}\s+\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\$([A-z0-9]{1,10})\s+\=\s+strtoupper\(\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\)\s+\;if\(\s+isset\s+\(\s+\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\s+\]\s+\)\s+\)\s+\{eval\s+\(\$\{\$([A-z0-9]{1,10})\}\s+\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\s+\;\s+\}\?>/is,
qr/\/\*([A-z0-9]{32})\*\/\s+var\s+\_([A-z0-9]{1,10})\=\[.+?window\[\_([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\]\=function\(\)\{function\s+\_([A-z0-9]{1,10})\(.+?document\[\_([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\]\[\_([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\]\(\_([A-z0-9]{1,10})\)\;\}\;\}\;\s+\/\*([A-z0-9]{32})\*\//is,
qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\)\;exit\;\}\s+\?>/is,
qr/<\!\-\-\s+\#\#\#\:\s+\-\->.+?<\!\-\-\s+\:\#\#\#\s+\-\->/is,
qr/require\_once\(ABSPATH\.\'wp\-content\/plugins\/xcalendar\/xcalendar\.php\'\)\;/is,
qr/\#\#\#\#\#\#\#\#GET\#\#\#\#\#\#\#\s+RewriteEngine\s+on\s+RewriteRule\s+\\\.\(jpg\|png\|gif\|jpeg\|bmp\)\$\s+\-\s+\[L\]\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+acs\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/.+?\s+\[L\,R\=302\]/is,
qr/<\?php\s+\$cookey\s+\=.+?\;\s+preg\_replace\(.+?\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\;\s+\$([A-z0-9]{1,10})\=strtolower\s+\(\$.+?\;if\(isset\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\)\)\s+\{eval\(\s+\$([A-z0-9]{1,10})\s+\(\s+\$\{\s+\$([A-z0-9]{1,10})\}\s+\[\s+\'([A-z0-9]{1,10})\'\s+\]\)\s+\)\;\}\?>/is,
qr/<\?php\s+\$ver\s+\=\s+\'abcdefghijklmnopqrstuvwxyz\'\;\s+\$check\s+\=.+?\(\$check\(array\(.+?\}\s+\?><form\s+action\=\"\"\s+method\=\"post\"><input\s+type\=\"text\"\s+name\=\"g\_\_g\_\"\s+value\=\"\"\/><input\s+type\=\"submit\"\s+value\=\"\&amp\;\"\/><\/form>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\=\s+strtolower\s+\(\s+\$.+?\=strtoupper\s+\(\$.+?\]\)\s+\)\{eval\s+\(\$([A-z0-9]{1,10})\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\]\)\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?\$([A-z0-9]{1,10})\=\s+strtolower.+?if\s+\(\s+isset\s+\(\s+\$\{\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\)\s+\)\{eval\s+\(\$([A-z0-9]{1,10})\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\]\)\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\".+?if\s+\(\s+isset\s+\(\s+\$\{\$([A-z0-9]{1,10})\}\[\'([A-z0-9]{1,10})\'\s+\]\)\)\s+\{eval\(\s+\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\s+\)\s+\;\}\?>/is,
qr/<\?\s+?php\s+([A-z0-9]{1,10})\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10}).+?if\s+\(isset\s+\(\$\{\$([A-z0-9]{1,10})\s+\}\[\'([A-z0-9]{1,10})\'\]\s+\)\)\{eval\(\s+\$\{\s+\$([A-z0-9]{1,10})\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\s+\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\".+?eval\(\s+?\$\{\s+?\$([A-z0-9]{1,10})\}\s+?\[\'([A-z0-9]{1,10})\'\s+?\]\s+?\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\s+\=\s+strtoupper\(.+?\]\)\s+\)\{\s+eval\s+\(\s+\$\{\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\s+\)\s+\;\s+\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\$([A-z0-9]{1,10})\s+\=\s+strtoupper\s+\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\)\;if\(\s+isset\s+\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\)\s+\{\s+eval\(\$\{\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\)\s+\;\}\?>/is,
qr/<\?php\s+\$baba\s+\=\s+\"ba\"\.\"\"\.\"s\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"c\"\.\"o\"\.\s+\"\"\.\"de\"\.\"\"\;\s+assert\(\$baba\(.+?\=\'\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\s+\=\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\;\$([A-z0-9]{1,10})\=\s+\$([A-z0-9]{1,10})\s+\(\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\)\s+\;if\s+\(\s+isset\s+\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\s+\]\s+\)\)\s+\{eval\(\s+\$\{\$([A-z0-9]{1,10})\}\[\'([A-z0-9]{1,10})\'\s+\]\s+\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\;\s+\$([A-z0-9]{1,10})\=strtolower\s+\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\)\s+\;\s+\$([A-z0-9]{1,10})\=\s+\strtoupper\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\)\s+\;if\(isset\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\)\)\s+\{eval\(\s+\$([A-z0-9]{1,10})\s+\(\s+\$\{\s+\$([A-z0-9]{1,10})\}\s+\[\s+\'([A-z0-9]{1,10})\'\s+\]\)\s+\)\;\}\?>/is,
qr/<\?php\s+eval\(\"\?\>\"\s+\.\s+base64\_decode\(.+?\)\)\;\s+\?>\s+<\?php\s+\/\*a\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t\,u\,va\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t\,u\,va\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t\,u\,va\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t\,u\,v\*\/\s+\?>/is,
qr/<\?php\s+\(\$www\=\s+\$\_POST\[\'ice\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s+\'add\'\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,32})\s+\=.+?\$([A-z0-9]{1,32})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\';\s+\@\$([A-z0-9]{1,32})\(\'\#\#e\'\,.+?\,\s+\'\'\);/is,
qr/\$qV=\"stop_\";\$s20=strtoupper\(\$qV.+?if\(isset\(\$\{\$s20\}.+?\]\);\}/is,
qr/<\?php\s+\$([A-z0-9]{10})\s+=\s+\'.+?\/\(\.\*\)\/epreg_replace.+?\-1;\s+\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[.+?\]\)\)\s+\{\s+\$ua=strtolower\(\$_SERVER\[.+?\]=1;\s+\}\s+\?>/is,
qr/<\?\s+preg_replace\(\"\/7oRTmo7WR6gCr5KDn2FX4ADN4lNmv\/e\"\,.+?\"7oRTmo7WR6gCr5KDn2FX4ADN4lNmv\"\);\s+\?>/is,
qr/<\?php\s+error_reporting\(0\);\s+preg_replace\(.+?\'\)\)\);\"\,\"\"\);\s+\?>/is,
qr/<\?php\s+\$qV=\"stop_\";.+?\'\]\);\}\?>/is,
qr/<tag5479347351><\/tag5479347351><script>.+?<\/script><tag5479347352><\/tag5479347352>/is,
qr/<\?php\s+eval\(base64_decode\(\$_POST\[\'n9ec7ed\'\]\)\);\?>/is,
qr/<iframe\s+src=http:\/\/mbcobretti\.com\/hydra\.php\s+frameborder=\"0\"\s+width=\"0\"\s+height=\"0\"\s+scrolling=\"no\"\s+name=counter><\/iframe>/is,
qr/<\?php\s+\$sF=\"PCT4BA6ODSE_\";.+?\)\);\}\?>/is,
qr/<html><head>.+?<title>Hacked.+?<\/embed>/is,
qr/<\?php\s+?\$tar1\s+\=\s+stripslashes\(\$\_POST\[.+?else\{echo\s+\'error\s+\:\s+\'\.\$result\;\}/is,
qr/<\?php.+?\$vas\s+=\s+mail\(stripslashes\(\$jubd\)\,\s+stripslashes\(\$kolp\)\,\s+stripslashes\(\$tramns\)\)\;.+?\.\$vas\;\}/is,
qr/<\?php\s+\@ini_set\(\'mbstring\.http\_output.+?mb\_regex\_encoding\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\'key\'\]\).+?\(eval\(base64\_decode\(file\_get\_contents\(\'php\:\/\/input\'\)\)\)\)\;\s+\}\s+?>/is,
qr/<\?php\s+if\(isset\(\$\_GET\[.+?FilesMan.+?\?>/is,
qr/<\?php\s+\$\{\".=?\.convertIpToString\(.+?\"\]\}\;\}\s+\?>/is,
qr/<\?php\s+\$android\s+=\s+strpos\(.+?\$rand_url;\?>\s+\">/is,
qr/eval\(decodeURIComponent\(\'\%0D.+?\%0A\'\)\);/is,
qr/<\?php\s+\#73c5ef\#\s+\/\*\*\s+\*\s+\@package\s+Akismet.+?\#\/73c5ef\#\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+Array\(\'1\'\=\>\'E\'\,\s+\'0\'\=\>\'X\'\,\s+\'3\'\=\>\'8\'.+?return\s+base64\_decode\(\$.+?eval\(.+?\)\)\;\?>/is,
qr/<\?php\s+\$\{\".+?\"\]\}\[\]=strval\(substr\(\$.+?\}=array_merge\(\$\_COOKIE\,\$\_POST\,\$\_FILES\);foreach\(\$\{\$\{\".+?\=create\_function\(\"\"\,\$.+?\(\)\;\}\s+\?>/is,
qr/<\?php\s+whrapps\;\$crfl\=\'C\'\;.+?\/\'SCNNT\&\/\'\;\?>/is,
qr/eval\(base64\_decode\(aWYgKHN1YnN0c.+?GUiKTsKfSAg\)\)\;/is,
qr/<\?php\s+header\(\"Expires\:\s+Mon\,\s+26\s+Jul\s+1997.+?\}\s+\#\/([A-z0-9]{6})\#/is,
qr/<\?php\s+\$auth\_pass\s+\=.+?\;\s+\?><\?php\s+eval\(gzuncompress\(base64\_decode\(\".+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$wSRHOj\=\'str\_ro\'\.\#Oqq\.\s+\'t13\'\;\s+\$NyJzoD\s+\=\s+\$wSRHOj\(\'bo\_\'\.\#Oqq\.\s+\'fgneg\'\)\;\s+\$NyJzoD\(\)\;\s+\?>/is,
qr/<\?php\s+\/\*\s+copyright\s+\*\/\s+\$\{.+?\)\;echo\s+str\_replace\(.+?\]\}\)\;exit\;\}\s+\/\*\s+copyright\s+\*\/\s+\?>/is,
qr/<\?php\s+\/\*\s+copyright\s+\*\/.+?\)\/\*\s+copyright\s+\*\/\s+\?>/is,
qr/\$pol\=\".+?\(\)\;\}/is,
qr/<\?php\s+\/\/\s+Silence\s+is\s+golden\..+?\(\)\;\}/is,
qr/<\?php\s+\/\*\*\s+\*\s+The\s+WordPress.+?\@\$tinymce\_version\(\$required\_php\_version\)\;/is,
qr/<\?php\s+if\s+\(\!isset\(\$sRetry\)\).+?curl\_close\(\$stCurlHandle\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html\=implode\(\".+?\)\)\)\;\s+\?>/is,
qr/if\(empty\(\$r\)\)\s+\{\s+\$r\s+\=\s+\"\s+<script\s+type\=.+?<\/script>\s+\"\;\s+echo\s+\$r\;\s+\}/is,
qr/<\?php\s+\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\#\#\#\s+\?>/is,
qr/<\?php\s+\/\*\s+Help\s+\\*\/.+?\=base64\_decode\(\$.+?\"\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(substr\(md5\(reset\(\$\_COOKIE\)\)\,\s+0\,\s+12\)\=\=.+?file\_put\_contents\(\'w3\_raw\_req\'\,\s+\@gzuncompress\(\@\$.+?\"\)\;\s+\}/is,
qr/<\?php\s+\#79bfd4\#\s+if\(empty\(.+?\;\s+\}\s+\#\/79bfd4\#\s+\?>/is,
qr/<\?php\s+\#fea810\#\s+if\(empty\(.+?\;\s+\}\s+\#\/fea810\#\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+Array\(\'1\'\=\>\'x\'\,.+?\)\)\;\?>/is,
qr/<\?php\s+\$.+?\=\s+Array\(\'1\'\=\>.+?\)\)\;\?>/is,
qr/<\?php\s+\#.+?\#\s+\/\*\*\s+\*\s+\@package\s+Akismet.+?\}\s+\#\/.+?\#\s+\?>/is,
qr/<\?php\s+\$sF\=\"PCT4BA6ODSE\_\".+?\'\]\)\)\;\}\?>/is,
qr/<\?\s+if\(\$\_GET\[\'mode\'\]\=\=\'config\'\)\{echo\'\{pkey\"\s+value\=\"\'\.\$\_GET\[\'key\'\]\.\'\"\}\'\;die\(\)\;\}\s+header\(\'HTTP\/1\.1\s+302\s+Found\'\)\;\s+header\(\'Location\:\s+http\:\/\/serviceusa\.ru\'\)\;\s+\?>/is,
qr/if\s+\(\$\_FILES\[\'F1l3\'\]\)\s+\{move\_uploaded\_file\(\$\_FILES\[\'F1l3\'\]\[\'tmp\_name\'\]\,\s+\$\_POST\[\'Name\'\]\)\;\s+Exit\;\}/is,
qr/<\?php\s+\/\*mx\_start\*\/.+?\/\*mx\_end\*\/\s+\/\*mx\_orig\_start\s+mx\_orig\_end\*\/\s+\?>/is,
qr/<head>.+?<title>Hacked\s+by.+?show\_artwork\=true\"><\/iframe>\"/is,
qr/<\?php.+?Joomla\.Plugin\.System.+?COOKIE\[\'ContentJQ3\'\]\;PluginJoomla\;/is,
qr/<\?php\s+\$qV\=\"stop\_\".+?\'\]\)\;\}\?>/is,
qr/\/\/istart.+?\/\/iend/is,
qr/\/eAccelerate\s+Caching\s+System.+?\<\!\-\-check\:\'\.md5\(\$\_GET\[\'fccheck\'\]\)\.\'\-\-\>\'\)\:\(\'\'\)\)\.\$output\;\}/is,
qr/<IfModule\smod\_rewrite\.c>\s+RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*\(google\|ask\|yahoo.+?phpinfo\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is,
qr/<script\s+type\=\'text\/javascript\'\>var\s+\_0xcda6.+?\/sTDS.+?\_0xcda6\[9\]\]\=loc\}\;\<\/script\>/is,
qr/<script>d\=Date\;d\=new.+?if\(1\)q\=ss\;if\(zz\)e\(q\)\;<\/script>/is,
qr/<\!\-\-\s+\~\s+\-\-><u\s+style\=display\:none>.+?<\/u><\!\-\-\s+\~\s+\-\->/is,
qr/<script\s+type\=\'text\/javascript\'>var\s+\_0x166d\=\[.+?getCookie\(\_0x166d.+?setCookie\(\_0x166d\[14\]\,2\,24\)\}\}\;<\/script>/is,
qr/<\?php\s+\/\*\*\/eval\(base64\_decode\(.+?\=\'\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(base64\_decode\(\'ZXJy.+?NCn0\=\'\)\)\;\?>/is,
qr/<\?php\s+\$NEpj4015.+?\,\"736\"\);/is,
qr/<\?php\s+function.+?\)\{return\s+str\_replace\(\$.+?function.+?\)\{return\s+str\_replace\(\$.+?function.+?\)\{return\s+str\_replace\(\$.+?\=\=\'\)\;\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$buffer\s+\=\'.+?\$buffer\.\=.+?eval\(\$\_b\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$s\_pass\s+\=.+?\$s\_func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\".+?\;\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$.+?\$s\_pass\)\;\?>/is,
qr/<\?\s+eval\(gzuncompress\(base64\_decode\(\'eNpku.+?F9hzE0C\'\)\)\)\;\s+\?>/is,
qr/<script\s+type\=\'text\/javascript\'>var\s+\_\_ae84.+?setCookie\(\_\,2\,24\)\}\}\;<\/script>/is,
qr/<\?php\s+if\(isset\(\$\_GET.+?\;eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$.+?\)\)\)\)\;\}\s+else\s+\{echo\s+\'\'\;\}/is,
qr/if\(isset\(\$\_GET.+?\"Done\"\s+\)\s+\{if\(\@copy\(\$\_FILES.+?else\s+\{echo\s+\'<title><\/title>\'\;\}/is,
qr/<div\s+style\=\"display\:\s+none\;\">\s+<a\s+href\=\"http\:\/\/.+?<\/a>\s+<\/div>/is,
qr/GIF89a.+?\*\/\s+class\s+PlgSystemInstantSuggest.+?\$suggest\s+\=\s+new\s+PlgSystemInstantSuggest\;/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS.+?\$ua\=strtolower\(\$\_SERVER.+?\/epreg\_replace.+?\-1\;\s+\?>/is,
qr/<\?php\s+function\s+query\_str\(\$params\)\{.+?Hadidi44.+?<\/body>\s+<\/html>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$rhs\s+=.+?eval\(gzinflate\(str\_rot13\(base64\_decode\(\$rhs\)\)\)\)\;/is,
qr/<\?\s+eval\(gzinflate\(base64\_decode\(\'7L17X.+?yPw\=\=\'\)\)\)\;\s+\?>/is,
qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(\'7X1se9pV8vDfv2ye.+?wCYQC75yOWHoJm4sbn99v8D\'\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(base64_decode\(\"JGFsaWVuPSIkX.+?QiIsIi4iKTsNCn0\=\"\)\)\;\s+\?>/is,
qr/<div\s+style\=\"display\:none\;\"><iframe\s+src\=\"http\:\/\/.+?><\/iframe><\/div>/is,
qr/echo\s+\"<div\s+style\=.+?display\:none\;.+?><iframe\s+src\=.+?http\:\/\/.+?\"\s+><\/iframe><\/div>\"\;/is,
qr/<\?\s+\$GLOBALS\[\'\_.+?\_\'\]\=Array\(base64\_decode\(.+?\)\)\;\}/is,
qr/<iframe\s+style\=\"visibility\:\s+hidden\;\s+display\:\s+none\;\s+display\:\s+none\;\"\s+src\=\"\/.+?\"><\/iframe>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS.+?1;\s+\?>/is,
qr/<script\s+type\=\"text\/javascript\">\s+document\.write\(\'<\'\s+\+\s+\'di\'\s+\+\s+\'v\s+sty\'\s+\+\s+\'le\=\".+?<script\s+type\=\"text\/javascript\">document\.write\(\'<\/d\'\s+\+\s+\'iv>\'\)\;<\/script>/is,
qr/<\?php\s+\$\{.+?\}foreach\(\$\_COOKIE\s+as\$\{\$\{.+?foreach\(\$\_POST\s+as\$\{\$\{.+\?\=\>\@phpversion\(\)\,.+?\]\)\;\}\}\s+\?>/is,
qr/<script\s+type\=\'text\/javascript\'>eval\(function\(p\,a\,c\,k\,e\,d\).+?sTDS\'\.split\(\'\|\'\)\)\)<\/script>/is,
qr/<title>F\.\s+MICROSOFT<\/title>.+?exit\;/is,
qr/\}\s+\}\s+\@ini\_set\(\'error\_log\'\,NULL\)\;.+?call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'a\'\]\)\;\s+exit\;/is,
qr/<\?php\s+\$testa\s+=\s+\$\_POST\[\'veio\'\]\;.+?<\/form>\s+<\/body>/is,
qr/<\?php\s+echo\s+\'\[tes\'\.\'tou\]\-\'\;\s+\$uname\s+\=\s+\@php\_uname\(\)\;/is,
qr/<\?php\s+\/\*\*\s+\*\s+Class\s+viaWorm.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;\s+\}/is,
qr/<\?php\s+error\_reporting\(0\);eval\(\"if\(isset.+?\&\&\s+\(md5.+?\&\&\s+isset.+?php\_code\'\]\)\)\s+\{\s+eval\(stripslashes.+?php\_code\'\]\)\);\s+exit\(\);\s+\}\"\);\s+\?>/is,
qr/<\?php\s+echo\s+\"<html><head>\s+<style>.+?if\(strtoupper\(substr\(PHP\_OS\,\s+0\,\s+3\)\s+\)\s+\=\=\s+\"WIN\"\).+?echo\s+\"<\/body><\/html>\";/is,
qr/\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\=\#\#\#/is,
qr/<\?php\s+\?>/is,
qr/\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\=\#\#\#.+?\/\/\#\#\#\=\=\#\#\#/is,
qr/<iframe\s+src\=http\:\/\/.+?frameborder\=\"0\"\s+width\=\"0\"\s+height\=\"0\"\s+scrolling\=\"no\"\s+name\=counter><\/iframe>/is,
qr/<\?php\s+\$\{.+?\;global\$auth\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$.+?\]\)\;\}\}/is,
qr/<\?php\s+\$\{.+?exit\(\);function\s+http\_request\_custom\(\$params\)\{\$.+?\=trim\(array\_pop\(\$\{\$.+?\}\;\}\s+\?>/is,
qr/<html><head><meta.+?maps.google.com\/maps.+?groups.google.com.+?<\/body><\/html>/is,
qr/<u\s+style=\"position\:\s+absolute;\s+left:\s+\-.+?height:\s+1.0;\s+width:\s+1.0;\s+overflow:\s+hidden;\s+font-size:\s+1.0;\">.+?<\/u>/is,
qr/<u\s+style=\"position:\s+absolute;\s+left:.+?<\/u>/is,
qr/<u\s+style=\"position:\s+absolute;\s+height:\s+1px.+?<\/u>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[.+?\]\)\)\{eval\(base64\_decode\(\$\_REQUEST\[\.+?\]\)\)\;\}\?>/is,
qr/<\?php\s+\$data\=array\(.+?code\=\"\"\;foreach\s+\(\$data\s+as\s+\$var\)\{\s+\$code\.\=chr\(\$var\)\;\}\s+eval\(\$code\)\;\s+unset\(\$data\)\;\s+unset\(\$code\)\;\s+\?>/is,
qr/<\?php\s+\$Q7DEEB2D14037F44EB2EF018C25FC0D28\=.+?\=\=\"\;eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$Q7DEEB2D14037F44EB2EF018C25FC0D28\)\)\)\)\;\?>/is,
qr/<\?php\s+\$.+?######e#######v######a####l#####\(#############bas#####e6#######4####_###d###e###############c##########o#d#####e##\(####.+?\=str_replace\(\'#\'\,\s+\'\'\,\s+\$.+?\=create_function\(\'\'\,\$.+?\(\)\;\s+\?>/is,
qr/<\?php\s+\$auth_pass.+?\$default_charset\s+=\s+\'Windows-1251\';\s+extract\(array\(\"default_action\"\s+\=\>\s+\'FilesMan\'\,\s+\'default_use_ajax\'\s+\=\>\s+true\)\)\;.+?preg_replace\(\$CC\,\$AA\,\"\.\"\)\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[\"mailto\"\]\)\).+?base64_decode\(\$_POST\[\"mailto\"\]\);.+?echo\s+\"sent_error\";\s+\?/is,
qr/<\?php\s+if\s+\(\$mode\=\=\'upload\'\)\s+\{\s+if\(is_uploaded_file\(\$_FILES\[\"filename\"\]\[\"tmp_name\"\]\)\).+?echo\s+\$_FILES\[\"filename\"\]\[\"name\"\];\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$.+?=\s+array\(.+?=\s+strrev\(\'edoced_46esab\'\);\$.+?=\s+strrev\(.+?\);eval\(\$.+?\(implode\(\'\'\,\$.+?\)\)\)\);\s+\?>/is,
qr/<\?php\s+\$.+?=\s+array(.+?);eval\(.+?\);\?>/is,
qr/<\?php\s+\$.+?=\s+\"e\/\*\.\/\";\s+preg_replace\(strrev\(\$.+?\"\,\"\.\"\);\?>/is,
qr/<\?php\s+\$.+?=\s+array\(.+?\);preg_replace\(\"\/\.\*\/e\"\,.+?\"\,\"\.\"\);\?>/is,
qr/\/\/istart.+?\/\/iend/is,
qr/<\!doctype.+?<title>Coppermine.+?<div\s+id=.+?<script\s+language\=\"javascript\">function.+?<\/script>.+?<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\*\s+\*\s+WordPress\s+GD\s+Image\s+Editor.+?\$GD_get_img\s+=\s+\"p\"\.\s+\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";.+?\$GD_step4\)\;\s+\?>/is,
qr/<\?php\s+\$array\s+=\s+array\(\'.+?=\s+implode\(\"\"\,\s+\$array\)\;\$.+?eval\(\$.+?\)\)\)\);\?>/is,
qr/\#\!\/usr\/bin\/perl.+?\#\s+Do\s+login\s+authentication\s+subroutine.+?\#EOF/is,
qr/<\?php\s+\$.+?;eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is,
qr/<\?php.+?\$EmailTemporario\s+=\s+\$email\[\$i\];.+?Safe\s+Mode:\s+<\?php\s+echo\s+\$safe_mode\s+=\s+\@ini_get\(\'safe_mode\'\);\s+\?>.+?<\/form>/is,
qr/<\?php\s+\@ignore_user_abort\(true\);.+?\@eval\(\$.+?\@realpath\(\"\"\)\.DIRECTORY_SEPARATOR.+?404\s+Not\s+Found.+?\?>/is,
qr/<\?php\s+\/\*\*.+?\$https_in\s+=\s+\".+?\"\);\s+\?>/is,
qr/<html>\s+<head>.+?if\(is_uploaded_file.+?move_uploaded_file.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\/\s+\/\/\s+DK\s+Shell.+?preg_replace\(\"\/\.\*\/e\"\,.+?\?>\s+<\?\s+eval\(base64_decode\(.+?\)\);\s+\?>/is,
qr/<\?php\s+\$.+?\]\.\$.+?\]\.\$.+?\]\.\$.+?\]\.\$.+?\"\.chr\(.+?\"\.chr\(.+?\"\.chr\(.+?\"\.chr\(.+?\,\".+?\"\);/is,
qr/<\?php\s+\@ini_set\(\'max_execution_time\'\,0\);.+?\}\}echo\s+\'rahui\#\'\,\$maxlen\,\'\#rahui\';\s+\?>/is,
qr/<\?php.+?randomId.+?Access\s+Denied.+?wproPreviewHTML.+?\?>/is,
qr/<\?php.+?md5\(IMAILpassword\);.+?base64_decode.+?\?>/is,
qr/<\?php\s+session_start\(\);.+?value=\'Ввойти\'><br><\/form>.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+error_reporting\(0\);.+?ping.+?ping_host.+?random_user_agent\(\).+?false\";\}\s+\}/is,
qr/<\?php\s+\/\*\s+Help.+?support.+?=base64_decode\(\$.+?\@gzinflate\(strrev\(\$.+?create_function\(\'\$.+?\}\s+\?>/is,
qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html=implode\(.+?\$keywords=implode\(.+?array_unshift\(\$data.+?if\(isset\(\$_COOKIE\[\'google\'\]\)\).+?if\(strtolower\(substr\(PHP_OS\,0\,3\)\)==\'win\'\)\s+\$.+?\?>/is,
qr/<\?php\s+\/\*.+?class\s+RSSInitEx.+?getCMS\(\);.+?new\s+RSSInitEx\(\);\s+\?>/is,
qr/if\s+\(isset\(\$_REQUEST\[\'FILE\'\]\)\)\{\$_FILE\s+=\s+\$_REQUEST\[\'.+?\'\]\(\'\$\_\'\,\$_REQUEST\[\'FILE\'\]\.\'\(\$\_\);\'\);\s+\$_FILE\(stripslashes\(\$_REQUEST\[\'HOST\'\]\)\);\}/is,
qr/<\?php\s+\/\*\*\s+\*\s+Creates.+?\/\*\s+WARNING:.+?\*\/\s+error_reporting\(0\);eval\(base64_decode\(.+?\)\);\s+\?>/is,
qr/<\?php\s+\$.+?=array\(.+?\)\{return\s+str_replace\(\$.+?\)\{return\s+str_replace\(\$.+?\)\{return\s+str_replace\(\$.+?\);\?>/is,
qr/<\?php\s+\$.+?=\s+array\(.+?=\s+array\(.+?=\s+array\(.+?if\s+\(\!function_exists\(.+?\)\)\{\s+function.+?=\s+\'\';foreach\(\$.+?\.=\s+chr\(\$.+?\}return\s+\$.+?\);\}\?>/is,
qr/<\?php\s+function.+?\)\{return\s+str_replace\(\$.+?\);\}\s+function.+?\)\{return\s+str_replace\(\$.+?\);\}\s+function.+?\)\{return\s+str_replace\(\$.+?\.\'\)\);\'\);\s+\$.+?\=\=\'\);/is,
qr/<\?php\s+header\(\"Cache-Control\:.+?echo\s+\"<form\s+id=\'myLink\'.+?\.submit\(\);<\/script>\";/is,
qr/<\?php\s+function.+?\)\{return\s+str_replace\(\$.+?\);\}\s+function.+?\)\{return\s+str_replace\(\$.+?\);\}\s+function.+?\)\{return\s+str_replace\(\$.+?\.\'\)\);\'\);\s+\$.+?\'\);/is,
qr/<\?php\s+\/\*\s+copyright\s+\*\/\s+\$\{.+?exit;\}\}\s+\/\*\s+copyright\s+\*\/\s+\?>/is,
qr/<\?php\s+eval\(base64_decode\(\'Ly92ZXJ.+?I7Cn0KCg==\'\)\);/is,
qr/<\?php\s+\@preg_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$_POST\[.+?\]\,\s+\'\'\);.+?\?>/is,
qr/<\?php\s+\$base=base64_decode\(\"aWY.+?=\"\);\s+eval\(\$base\);\s+\?>/is,
qr/<\?php\s+\/\*.+?\*\/\s+error_reporting\(0\);\s+\@ini_set\(\'error_log\'\,NULL\);\s+\@ini_set\(\'log_errors\'\,0\);\s+\@ini_set\(\'display_errors\'\,\'Off\'\);\s+\@eval\(\s+base64_decode\(.+?=\'\)\);\s+\@ini_restore\(\'error_log\'\);\s+\@ini_restore\(\'display_errors\'\);\s+\/\*.+?\*\/\s+\?>/is,
qr/<\?php\s+eval\(base64_decode\(\$_POST\[\'[A-z0-9]{7}\'\]\)\);\?>/is,
qr/<\?php\s+\$post_var\s+=\s+\"req\";\s+if\(isset\(\$_REQUEST\[\$post_var\]\)\)\s+\{\s+eval\(stripslashes\(\$_REQUEST\[\$post_var\]\)\);\s+exit\(\);\s+\};\s+\?>/is,
qr/\#([A-z0-9]{6})\#.+?\@package\s+Akismet.+?\#([A-z0-9]{6})\#/is,
qr/<tag([A-z0-9]{10})><\/tag([A-z0-9]{10})><script>eval\(function\(p\,a\,c\,k\,e\,d\).+?<\/script><tag([A-z0-9]{10})><\/tag([A-z0-9]{10})>/is,
qr/<\?php.+?127\.0\.0\.1\/1\.php\?exec\&cmd\=id.+?echo\s+\"Deleted\!\";.+?\?>/is,
qr/\$SafeMode\s+=\s+\@ini_get\(\'safe_mode\'\);.+?echo\s+\$uname\.\$SafeMode;\s+\?>/is,
qr/SexCrime\s+<\?php\s+eval\(gzinflate\(str_rot13\(base64_decode\(.+?\)\)\)\);\s+\?>/is,
qr/<script\s+type=\'text\/javascript\'>var\s+a=\"\'1Aqapkrv\'1G\'2Cdwlavkml\'02rcpqgWPN\'0\:wpn\'0.+?2C\'1A\-qapkrv\'1G\";b=\"\";c=\"\";var\s+clen;clen=a\.length;for\(i=0;i<clen;i\+\+\)\{b\+=String\.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c=unescape\(b\);document\.write\(c\);<\/script>/is,
qr/<script\s+type=\'text\/javascript\'\s+src=\"http:\/\/gccanada\.com\/jquery\.js\"><\/script>/is,
qr/<\?php\s+\$s=\'str_r\'\.\'o\'\.\'t13\';\s+\$c0\=\_\_FILE\_\_;.+?eval\(\$c\)\);\s+\$f\(\);\s+exit;\s+\?>/is,
qr/<iframe\s+thodm=.+?src=\'http\:\/\/.+?width=\'0\'\s+height=\'0\'\s+style=\'display\:none\'><\/iframe>/is,
qr/<\!--([A-z0-9]{6})--><script\s+type=\"text\/javascript\"\s+src=\"http\:\/\/.+?><\/script><\!--\/([A-z0-9]{6})-->/is,
qr/<\!--\s+Start\s+McAfeeSecure\s+Code\s+-->.+?<\!--\s+End\s+McAfeeSecure\s+Code\s+-->/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"ynFS\"\]\)\)\{eval\(base64_decode\(\$\_REQUEST\[\"ynFS\"\]\)\);\}\?>/is,
qr/<\?php\s+\/\*\s+b374k\s+2\.8.+?\@\$b374k\(.+?\,\$s\_pass\);\?>/is,
qr/<html>\s+<head>\s+<title>SH<\/title>.+?print\s+\"<\/table><\/div>.+?;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$moon\=.+?\$moon\=base64_decode\(\$moon\);\s+if\(\$moon\)\{\s+eval\(\$moon\);\s+\}\s+\?>/is,
qr/<\?php\s+\@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]\=\>1\)\,\@array\(\(string\)stripslashes\(\$_REQUEST\[\'re_password\'\]\)\=\>2\)\,\$_REQUEST\[\'login\'\]\);\s+\?>/is,
qr/<\?php\s+\$auth_pass.+?\$default_action\s+\=\s+base64_decode\(\'RmlsZXNNYW4\=\'\);.+?\)\);\s+return;\s+\?>/is,
qr/<\?php\s+\$tds=.+?\$tdsip=\"\";\s+\$lin=.+?\$esdid=.+?\$key=.+?;\s+\?>/is,
qr/<\?php\s+\/\/WGBTWG\/\/\s+\?>/is,
qr/<\?php.+?=strrev\(\"edoced_46esab\"\);\$tkc=.+?eval\(\$.+?\(\$tkc\)\);\s+\?>/is,
qr/<\?php\s+eval\(base64_decode\(\'aWYo.+?\=\=\'\)\);\s+\$.+?\#\#.+?\#\#.+?\#\#.+?\;\?>/is,
qr/<\?php\s+eval\(base64_decode\(\'aWYo.+?\=\=\'\)\);/is,
qr/\#([A-z0-9]{6})\#\s+error_reporting\(0\);\s+\@ini_set\(\'display_errors\'\,0\);\s+\$.+?elseif\s+\(function_exists\(\'file_get_contents\'\)\s+\&\&\s+\@ini_get\(\'allow_url_fopen\'\)\).+?\;\s+\}\s+\#\/([A-z0-9]{6})\#/is,
qr/eval\(gzinflate\(base64_decode\(\'y0zTyCwu.+?MEg0gXQsA\'\)\)\);/is,
qr/GIF89GHZ\s+<\?php\s+eval\s+\(gzinflate\(base64_decode\(str_rot13\(.+?\=\"\)\)\)\);\s+\?>/is,
qr/<\?php\s+\/\/\#\#.+?\/\/Jijle3.+?\#\#\s+eval\(.+?\?>/is,
qr/if\s+\(document\.referrer\.toLowerCase\(\)\.indexOf\(.+?<\/script>\s+HTML;\s+exit;\s+\}\s+\}\s+\}\s+\}\s+\}/is,
qr/<\?php\s+\$a\s+\=\s+\"a\"\.\"s\"\.\"s\"\.\"e\"\.\"r\"\.\"t\";\s+\$a\(\$_POST\[.+?\]\);\s+\?>/is,
qr/<\?php\s+if\(\@\$_COOKIE\[.+?\]\)\{\$.+?\=\$_COOKIE\[.+?\]\(\"\"\,\@\$_COOKIE\[.+?\]\(\@\$_COOKIE\[.+?\]\)\);\$.+?\(\);\}\?>/is,
qr/\#\s+BEGIN\s+SYSTEM\s+API\s+RewriteEngine\s+on.+?\.php\?\$1\s+\[L\]\s+\#\s+END\s+SYSTEM\s+API/is,
qr/<\?php\s+\/\*\*\/\s+eval\(base64_decode\(\"aWYoZnV.+?yb2JoJyk7ICB9ICB9\"\)\);\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+Error\s+Publishing\s+Protocol.+?\@eval\(gzinflate\(base64_decode\(\$error\)\)\);/is,
qr/<\?php\s+\@error_reporting\(0\);\s+if\s+\(\!isset\(\$eva1fYlbakBcVSir\)\).+?\$eva1tYidokBoVSjr\s+=\s+\$eva1tYlbakBcVSir;\}\s+\?>/is,
qr/<\?php\s+\$.+?\=\"b\"\.\"ase\"\.\"64\_de\"\.\"code\";eval\(\$.+?\=\"\)\);/is,
qr/\/\*visitorTracker\*\/\@ob_start\(\);\@ini_set\(\"display_errors\"\,0\);\@error_reporting\(0\);echo\s+base64_decode\(.+?\);\/\*visitorTracker\*\//is,
qr/<\?php\s+\(\$www=\s+\$_POST\[\'ice\'\]\)\s+\&\&\s+\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s+\'add\'\);\?>/is,
qr/<\?php\s+echo\s+\"31337.+?echo\s+php_uname\(\)\..+?echo\s+getcwd\(\);.+?<b>Failed\";\}\}\}\?>/is,
qr/<\?php\s+eval\(\$_REQUEST\[cmd\]\);\s+\?>/is,
qr/<\?php\s+\$_f___f=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$_f___f=\$_f___f\(str_replace\(.+?<input\s+type=\"submit\"\s+value=\"\&gt;\"\/><\/form>/is,
qr/<\?php\s+\$\{.+?setcookie\(\$\{\$.+?\=\>WSO_VERSION\,.+?\]\);exit;/is,
qr/<\?php\s+\$c_\=false;mkdir\(\'cms\'\);touch\(\'cms\'\,mktime\(12\,17\,11\,12\,20\,2014\)\);\$c0=\".+?<br><br>\";unlink\(\$c5\);/is,
qr/<\!\-\-visitorTracker\-\->.+?<\!\-\-visitorTracker\-\->/is,
qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(true\)\s+\{\$csymbolz\=\"e.+?\$csymbolz\,\"\"\);\}\s+else\s+\{echo\s+\'\';\}/is,
qr/<\?php\s+function.+?\=\s+\'\';\s+for\(\$i=0;\s+\$i\s+\<\s+strlen\(\$.+?\=\"base64_decode\";return\s+\$.+?\=\s+Array\(\'1\'\=\>\'o\'.+?\)\);\?>/is,
qr/<script\s+type=\"text\/javascript\">var\s+a=\"\'1Aqapkrv\'.+?2C\'1A\-qapkrv\'1G\";b=\"\";c=\"\";var\s+clen;clen=a\.length;for\(i\=0;i\<clen;i\+\+\)\{b\+=String.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c=unescape\(b\);document.write\(c\);<\/script>/is,
qr/if\s+\(\$_REQUEST\[\'param1\'\]\&\&\$_REQUEST\[\'param2\'\]\)\s+\{\$f\s+=\s+\$_REQUEST\[\'param1\'\];\s+\$p\s+=\s+array\(\$_REQUEST\[\'param2\'\]\);\s+\$pf\s+=\s+array_filter\(\$p,\s+\$f\);\s+echo\s+\'OK\';\s+Exit;\}/is,
qr/\/\*visitorTracker\*\/.+?return\s+false;\s+\}\/\*visitorTracker\*\//is,
qr/\/\*\s+CACHESET\s+\*\/\s+eval\(base64_decode\(.+?\)\);\s+\/\*\s+\/CACHESET\s+\*\//is,
qr/<\?php\s+\$\_F=\_\_FILE\_\_;\$\_X=.+?;\$\_D=strrev\(\'edoced_46esab\'\);eval\(\$\_D\(.+?\)\);\?>/is,
qr/<html><script\s+language\=\"php\">eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(.+?<\/script><head><meta\s+content=\"Hacked\s+By\s+FasT\s+ReaCtoR\".+?<script>window\.stop\(\);<\/script>/is,
qr/\/\/\#\#\#\=\=\#\#\#\s+error\_reporting\(0\);\s+\$strings\s+\=\s+\"as\"\;\$strings\s+\.\=\s+\"sert\"\;\s+\\@\$strings\(str\_rot13\(\'riny\(onfr64\_qrpbqr\(.+?\)\)\;\'\)\)\;\s+\/\/\#\#\#\=\=#\#\#/is,
qr/<\?php\s+\$pathToDor\s+\=\s+\"\/report\";\s+\$template\s+\=\s+\'sportal\';\s+eval\(.+?\"\);/is,
qr/<\!DOCTYPE\s+html\s+PUBLIC\s+\"\-\/\/W3C\/\/DTD\s+HTML\s+4\.01\/\/EN\"\s+\"http\:\/\/www\.w3\.org\/TR\/html4\/strict\.dtd\">\s+\&nbsp;<html><head><title>HaCkEd\s+By.+?<\/html>/is,
qr/<\!doctype\s+html>\s+<head>\s+<title>Hacked\s+by\s+Team\_CC\s+\|\|\s+Kazi\s+Shaheb<\/title>.+?<\/body>\s+<\/html>/is,
qr/<\?\s+\$GLOBALS\[\'\_httpd_cnf\_\'\]\=Array\(base64\_decode\(\.+?\)\,base64\_decode\(.+?\)\,base64\_decode\(.+?\)\);\s+\?><\?\s+function\s+httpd_cnf\(\$i\)\{\$a\=Array\(.+?\);return\s+base64\_decode\(\$a\[\$i\]\);\}\s+\?><\?php\s+\$GLOBALS\[\'\_httpd\_cnf\_\'\]\[0\]\(httpd\_cnf\(0\)\,httpd\_cnf\(1\)\);\$GLOBALS\[\'\_httpd\_cnf\_\'\]\[1\]\(round\(0\)\);if\(\$_GET\[httpd\_cnf\(2\)\]\=\=\s+httpd\_cnf\(3\)\)\{\$a\=\$GLOBALS\[\'\_httpd\_cnf\_\'\]\[2\]\(httpd\_cnf\(4\)\);eval\(\$a\);exit;\}\s+\?>/is,
qr/<iframe\s+name\=Twitter\s+scrolling\=auto\s+frameborder\=no\s+align\=center\s+height\=2\s+width\=2\s+src\=http\:\/\/.+?><\/iframe>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\"BcFJkqowAADQu.+?P4H\"\)\)\);\s+\?>/is,
qr/<\?php.+?\/\*\*\s+\*\s+The\s+GNU\s+General\s+Public.+?preg\_replace\(\"\/\[.+?\]\*\.\+\[.+?\]\*\/ei\"\,str\_replace\(\"\s+\"\,\"\"\,\".+?\'\);\s+\?>/is,
qr/<\?php\s+\$p\=array\(\);foreach\(\$\_POST\s+as\s+\$x\=\>\$y\)\$p\[\]\=\$x\.\"\:\"\.base64_encode\(\$y\);\$fp\=\@fopen\(str\_replace\(\"\.php\"\,\"\.txt\"\,basename\(\$\_SERVER\[\"SCRIPT\_FILENAME\"\]\)\)\,\"a\"\);\@fputs\(\$fp\,time\(\)\..+?\.\$\_SERVER\[\"REMOTE\_ADDR\"\]\..+?\.\$\_SERVER\[\"REQUEST\_URI\"\]\..+?\.\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\..+?\.\$\_SERVER\[\"HTTP\_REFERER\"\]\..+?\.implode\(\$p\,\"\s+\"\)\..+?\);\s+\@fclose\(\$fp\);\s+\?>/is,
qr/<div\s+id\=\"links\">\s+<a\s+href\=\"http\:\/\/www\..+?<\/a>\s+<\/div>\s+<script>document\.getElementById\(\"links\"\)\.style\.display\=\"none\"<\/script>/is,
qr/echo\s+\"<script\s+type\=\'text\/javascript\'\s+src\=\'http\:\/\/.+?wp\-logo\.js\'><\/script>\";/is,
qr/\$z\=get\_option\(\"\_site\_transient\_browser\_([A-z0-9]{32})\"\);\s+\$z\=base64\_decode\(str\_rot13\(\$z\[\'\'\]\)\);\s+if\(strpos\(\$z\,\"([A-z0-9]{1,99})\"\)\!\=\=false\)\{\s+\$\_z\=create\_function\(\"\"\,\$z\);\s+\@$\_z\(\);\s+\}/is,
qr/<\?php\s+\/\/\#\#\#\#\#\#\s+\@assert\(str\_rot13\(\'riny\(onfr64\_qrpbqr\(.+?\)\)\;\'\)\)\;\s+\/\/\#\#\#\#\#\#\s+\?>/is,
qr/<\?php\s+eval\s+\(\s+base64\_decode\s+\(\"IGlm.+?cm47IH0g\"\)\s+\);\s+\?>\s+<\!\-\-([A-z0-9]{32})\-\->/is,
qr/<\?php\s+\@error\_reporting\(0\);\s+\@ini\_set\(\'error\_log\'\,NULL\);\s+\@ini\_set\(\'log\_errors\'\,0\);\s+if\s+\(count\(\$\_POST\)\s+\<\s+2\)\s+\{\s+die\(PHP\_OS\.chr.+?\=\s+\"X\-Priority\:\s+3\s+\(Normal\).+?if \(\!in\_array\(\'fsockopen\'\,\s+\$.+?\)\s+\=\=\=\s+0\)\s+return\s+\'127\.0\.0\.1\';\s+\$.+?\=\s+base64\_decode\(\$.+?return\s+\$([A-z0-9]{1,10})\;\s+\}\s+\?>/is,
qr/<\?php\s+\@error\_reporting\(0\);\s+\@ini\_set\(chr\(([A-z0-9]{1,3})\)\.chr\(([A-z0-9]{1,3})\)\.\'ror\_log\'\,NULL\);\s+\@ini\_set\(\'log\_errors\'\,0\);\s+if\s+\(count\(\$\_POST\)\s+\<\s+2\)\s+\{\s+die\(PHP\_OS\.chr.+?\.\=\s+\"Content\-Transfer\-Encoding\:\s+8bit.+?\]\)\s+\^\s+2\);\s+return\s+\$([A-z0-9]{1,10})\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+GNU\s+GENERAL\s+PUBLIC\s+LICENSE.+?giving\s+you\s+\*\/extract\(\$\_COOKIE\);\/\*\s+copy\,\s+distribute\s+and\/or\s+modify\s+it\..+?which\s+are\s+not\s+\*\/\@\$.+?\(\$A\,\$B\);\/\*\..+?makes\s+it\s+unnecessary\.\s+\*\/\s+\?>/is,
qr/<\?php\s+\$target\_urls\s+\=\s+array\s+\(\s+\'http\:\/\/.+?\$rand\_url\=\$target\_urls\[\$n\];\s+\?>\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"2;\s+url\=<\?php\s+echo\s+\$rand\_url;\?>\s+\">/is,
qr/<\?php\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+([A-z0-9]{1,10})\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\,\s+\"StackRambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,.+?<\/form>\s+\"\;\s+if\s+\(\!function\_exists\(\"posix\_getpwuid\"\)\s+\&\&\s+\!in\_array\(\'posix\_getpwuid\'\,.+?return\s+([A-z0-9]{1,10})\s+\;\s+\}\s+\?>/is,
qr/<\?php\s+header\(\"Content\-Type\:\s+text\/html\;\s+charset\=utf\-8\"\)\;\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;.+?\$fp\=fopen\(\$pathname\.\'\/\'\.\$filename\,\"w\"\)\;.+?unlink\(\$dir\.\'\/\'\.\$child\)\;\s+\}\s+\}\s+\$d\-\>close\(\)\;\s+rmdir\(\$dir\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$func\=\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$func\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\"\'.+?\,\"\.\"\,5\-4\);\s+\?>/is,
qr/<\?php\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$color\s+\=\s+\"\#df5\"\;\s+\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+preg\_replace\(\"\/\.\*\/e\"\,\".+?\"\,\"\.\"\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\".+?eg\_.+?\.chr\(101\)\.\"plac.+?\"\;\?>/is,
qr/<\?php\s+if\(isset\(\$\_GET\[php\]\)\)\{\echo\s+\'<form\s+action\=\"\"\s+method\=\"post\"\s+enctype\=\"multipart\/form\-data\"\s+name\=\"silence\"\s+id\=\"silence\">\';echo\s+\'<input\s+type\=\"file\"\s+name\=\"file\"><input\s+name\=\"golden\"\s+type\=\"submit\"\s+id\=\"golden\"\s+value\=\"Done\"><\/form>\';if\(\$\_POST\[\'golden\'\]\=\=\"Done\"\)\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\]\,\$\_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'\+\';\}else\{echo\'\-\';\}\}\}/is,
qr/<\?php\s+\$root\_path\s+\=\s+get\_root\(\);\s+\$cms\s+\=\s+get\_cms\(\$root\_path\);\s+\$func\s+\=\s+\'do\_backdoor\_\'\.\$cms;\s+\$func\(\$root\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+echo\s+\$\_SERVER\[\'HTTP\_HOST\'\]\.\';;;\';\s+\$domains\s+\=\s+get_domains\(\$root\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+foreach\s+\(\$domains\s+as\s+\$domain\_path\)\s+\{\s+\$tmp\s+\=\s+explode\(\'\/\'\,\s+\$domain\_path\);\s+\$domain\_name\s+\=\s+\(count\(\$tmp\)\s+\>\s+0\)\?\s+\$tmp\[count\(\$tmp\)\s+\-\s+1\]\:\s+\'\';\s+\$cms\s+=\s+get\_cms\(\$domain\_path\);\s+\$func\s+\=\s+\'do\_backdoor\_\'\.\$cms;\s+\$func\(\$domain\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+echo\s+\$domain\_name\.\';;;\';\s+\}\s+function\s+do\_backdoor\_jml1\(\$domain\_path\,\s+\$domain\)\s+{\s+change\_content\_of\_file\(\$domain\_path\.\'\/\.htaccess\'\,.+?function\s+get\_cron\(\)\s+\{\s+return.+?\';\s+\}/is,
# qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+\(\$i\s+\=\s+0\;\s+\$.+?strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(\".+?"\,\s+\$\_([A-z0-9]{1,20}).+?ord\(\$\_([A-z0-9]{1,20})\[\$i\]\)\)\;\$\_([A-z0-9]{1,20}).+?for.+?\*\//is,
);
my @base64_decodes = (
);
my @file_list;
my %possible_list;
my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir);
print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
print "$file<br />\n";
}
print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (keys(%possible_list)) {
print "$key => $possible_list{$key}<br />\n";
}
sub dir {
my ($start_dir) = @_;
unless (opendir(DIR, $start_dir)) {
print "Skipping directory $start_dir: $! <br />";
return;
}
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @files = grep {-T "$start_dir\/$_"} readdir(DIR);
closedir DIR;
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);
closedir DIR;
foreach my $file (sort @files) {
next if $file eq 'error_log';
next if $file eq 'tcpdf.php';
next if $file eq 'charmap.php';
next if $file eq 'main-modules.php';
next if $file eq 'wp-super-cache.php';
next if $file eq 'user-edit.php';
next if $file eq 'custom-facebook-feed-admin.php';
next if $file eq 'membershipadmin.php';
next if $file eq 'wppa-settings-autosave.php';
next if $file eq 'wpGoogleMaps.php';
next if $file eq 'class-fscf-options.php';
next if $file eq 'style_dynamic.php';
next if $file eq '*\.rar';
next if $file eq '*\.zip';
next if $file eq '*\.tar';
next if $file eq '*\.gz';
next if $file eq '*\.sql';
print "Scanning $start_dir/$file... ";
unless (-r "$start_dir/$file") {
print " Skipping file, unable to read file<br />";
next
}
if ((-s "$start_dir/$file") > 1024000) {
print " Skipping file, over 1MB<br />";
next
}
my $fh;
unless (open ($fh, '<', "$start_dir/$file")) {
print " Unable to read file, $!<br />";
next
}
my $contents = do { local $/; <$fh> };
close $fh;
my ($infected, $cleaned, $possible, $known, $sig);
foreach my $pattern (@regexen) {
my $t;
if ($contents =~ /$pattern/) {
my ($d, $t) = ($1, $2);
$infected = 1;
($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);
push (@file_list, "$start_dir/$file");
}
$t = undef;
}
print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");
}
foreach my $folder (sort @folders) {
if ($folder !~ /^\.\.?$/) {
dir("$start_dir/$folder");
}
}
}
sub clean_file {
my ($file, $contents, $pattern) = @_;
my $cleaned;
if ($contents =~ /\n{4}/) {
$contents =~ s/\n\n/\n/g;
}
$contents =~ s/$pattern//g;
if ($contents =~ /$pattern/) {
$cleaned = 0;
}
else {
open (my $fh, '>', $file);
print $fh $contents;
close $fh;
$cleaned = 1;
}
return ($contents, $cleaned);
}
1;

623
deprecated/malware4-deprecated.pl Normal file
View File

@@ -0,0 +1,623 @@
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
BEGIN {
$SIG{__DIE__} = sub {
my $msg = shift;
print "status: 500\n";
print "content-type: text/html\n\n";
$msg =~ s/\n/\0/g;
print "error: $msg\n";
CORE::die $msg;
}
}
$| = 1;
our $q = CGI->new;
print "Content-type: text/html\n\n";
my @regexen = (
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
qr/<\?php\s+eval\(gzuncompress\(\".+?\"\)\)/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
qr/<\?php\s+chmod\(get\_root\_path\(\)\,\s+0755\)\;.+?function\s+get\_root\_path\(\).+?die\(\$reason\)\;\s+\}/is,
qr/<html>\s+<title>1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval\(base64\_decode\(.+?<\/Script>/is,
qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+\)\.\(\[a\-z\-\@\]\+\)\.\(\[a\-z\]\+\)\/.+?\$2\(\$3\(urldecode\(\'\$1\'\)\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_REQUEST\[\"q\"\]\)\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if\(isset\(\$\_POST\[\"key\"\]\)\s+\&\&\s+isset\(\$\_POST\[\"chk\"\]\)\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval\(gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]\)\)\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\s+\}/is,
qr/<\?php\s+eval\(gzuncompress\(.+?\"\)\)\;/is,
qr/<\?php.+?class\s+JApplication.+?new\s+JApplication\(array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'\)\)\;/is,
qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval\(base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?\)\)\;\s+\}/is,
qr/<\?php\s+\$dom\s+\=\s+array\(.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom\)\-1\)\]\.\'\/file\.php\'\;.+?header\(\'Location\:\s+\'\.\$url\)\;\s+\}\s+exit\;\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"id\"\]\)\)\s+header\(.+?\.\$\_GET\[\"id\"\]\)\;\s+\?>/is,
qr/<\?php\s+eval\(base64\_decode\(.+?\)\)\;/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?functions+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{return\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\;.+?\}\(\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?\)\}\;\s+\}/is,
qr/<\?php\s+eval\(base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?\)\;\s+\?>/is,
qr/\*\/\s+eval\(base64\_decode\(\"aWY.+?\=\"\)\)\;\s+\/\*/is,
qr/\*\/include\s+\/\*/is,
qr/\*\/\".+?\.co.+?php\"\;\/\*/is,
qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents\(\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]\)\)\)\;\}\s+unlink\(\$scr\.\"\.php\"\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?exit\(\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"\)\}\)\;\s+\}/is,
qr/eval\(base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is,
qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\(\)\;([A-z0-9]{250,})/is,
qr/<\?\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})\(\'\#\#e\'\,.+?\'\'\)\;/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?\Z/is,
qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function\(\).+?getCookie\(\"ytm\_hit1\"\)\&\&\(setCookie\(\"ytm\_hit1\"\,1\,1\)\,1\=\=getCookie\(\"ytm\_hit1\"\).+?\/script>\'\)\)\)\;<\/script>/is,
qr/<\?php\s+if\(isset\(\$\_POST\[chr\(100\).+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(97\)\.chr\(117\)\.\"t\"\.chr\(104\)\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr\(115\)\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is,
qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return.+?round\(.+?\)\;\}/is,
qr/<IfModule\s+mod\_rewrite\.c>\s+RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*\(google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\)\s+\{\s+header\(\s+\'Content\-Type\:\s+image\/jpeg\'\s+\)\;\s+readfile\(\'http\:\/\/.+?\.jpg\'\)\;\s+\exit\(\)\;\s+\}\s+header\(\'Location\:\s+http\:\/\/.+?\'\)\;\s+exit\(\)\;/is,
qr/function\s+l\_\_1\(\$.+?function\s+l\_\_3\(\$\_2\)\{if\(\$GLOBALS\[\Z/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\).+?\)\;\s+exit\(\)\;/is,
qr/<\?php\s+define\(\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"\)\;\s+define\(\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"\)\;.+?else\s+if\(strcasecmp\(\$h\,\s+\$key\)\s+\=\=\s+0\)\s+unset\(\$headers\[\$h\]\)\;\s+\}\s+\}/is,
qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]\)\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\(\)\;\Z/is,
qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+\(preg\_match\(\'\/facebook\/si\'\,\$ua\)\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is,
qr/<\?php\s+session\_start\(\)\;.+?\.php\_uname\(\)\..+?<\/form>/is,
qr/\'\;if\(\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is,
qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\).+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\(\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+\(\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"\)\)\s+or\s+\(strstr\(([A-z0-9]{1,20})\}\[.+?\)rtolower\(\$\_SERVER\[.+?\)\s+\&\&\s+\(\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?\)\)\s+or\s+\(strstr\(\$.+?\(0\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_.+?\)\{return\s+chr\(ord\(\$n\)\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower\(.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'\)\;/is,
qr/function\s+l\_\_1\(\$\_\Z/is,
qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\)\s+\&\&\s+\(md5\(\$\_POST\[\'name\'\]\).+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is,
qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,
qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is,
qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is,
qr/<\?PHP\s+if\(isset\(\$\_REQUEST\[\"cmd\"\]\)\)\{eval\(stripslashes\(\$\_REQUEST\[\"cmd\"\]\)\)\;die\(\)\;\}\s+\?>/is,
qr/<\?php\s+\$auth_pass.+?\$color.+?\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<\?php.+?\$auth_pass.+?\$color.+?\$default_action\s+\=\s+\'FilesMan\'\;.+?\)\;\?>/is,
qr/<\?php\s+\$\{.+?\,NULL\)\;\@ini\_set\(\"log\_.+?\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$\{.+?\=>\@phpversion\(\)\,.+?\]\)\;\}exit\(\)\;\}/is,
qr/<\?php\s+\$\{.+?\)\{if\(is\_uploaded\_file\(.+?\)\;\s+\?>/is,
qr/<\?php\s+eval\(.+?x3B\"\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\s+WordPress.+?eval\(gz.+?\$x([A-z0-9]{1,10})\s+\,\"([0-9]{1,5})\"\)\;/is,
qr/<\?php\s+\$noc\s+=\s+\".+?\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\].+?\$noc\[([0-9]{1,3})\]\.\$([A-z0-9]{1,10})\;\@\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\?>/is,
qr/<\?php\s+\/\/function\s+M404\s+\(\)\{.+?\$strings\s+\=\s+explode\(\'\|\'\,\s+base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(\$value\)\)\)\)\)\)\)\)\)\;.+?echo\s+\'\#\#\#\#\#\'\.\s+\$result\s+\.\s+\'\*\*\*\*\*\'\;\s+exit\;/is,
qr/<\?php\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\/\/status.+?echo\s+\"File\s+does\s+not\s+exist\"\;\s+\}\s+\?>/is,
qr/<\?php\s+\$p\s+\=\s+\$\_REQUEST\[\"m\"\]\;\s+eval\(base64\_decode\(\$p\)\)\;\s+\?>/is,
qr/\/\*edition\:1\.6\*\/.+?\;eval\(gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;eval\(\$([A-z0-9]{1,20})\)\;/is,
qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]\(\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]\)\[\_0xaae8\[2\]\]\(\)\[\_0xaae8\[1\]\]\(\_0xaae8\[0\]\)\)/is,
qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\=\=\'\)\)\)\;/is,
qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,
qr/A<\?php\s+\$license\s+\=\s+str\_rot13\(\'n\'\.\'f\'\.\'f\'\.\'r\'\.\'e\'\.\'g\'\)\;\s+\$license\(\$\_POST\[\'info\'\]\)\;\s+\?>/is,
qr/<\?php\s+preg\_replace\(\"\/\.\/.+?\)\)\)\;\"\,\"\.\"\)\;/is,
qr/<\?php\s+\$file.+?function\s+dwnld\(\$file\)\s+\{.+?header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+exit\;\s+\?>/is,
# qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+\(\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(\"\%c\"\,\s+$\_([A-z0-9]{1,20})\s+\^\s+ord\(\$\_([A-z0-9]{1,20})\[\$i\]\)\)\;\$\_([A-z0-9]{1,20})\s+\=\s+\"\"\;s+for.+?\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?explode\(chr\(\(.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,4})\-([0-9]{1,4})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors.+?bad\_agents\s+\=\s+\'\~google.+?register\_shutdown\_function\(\'ob\_end\_flush\'\)\;\s+\}\s+\}\s+\?>/is,
qr/<html>\s+<head>\s+<title>Hacked\s+by\s+ZeDaN\-Mrx.+?<\/iframe>\s+<\/html>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\).+?eval.+?exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+\'0\'\)\;\s+error\_reporting\(0\)\;\s+\$skipme\s+\=\s+false\;\s+\$bad\_agents\s+\=\s+\'\~google.+?<\/script>\"\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$q\=\"asser\"\.\"t\"\;\$q\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\!DOCTYPE\s+html\s+PUBLIC.+?rainbow\.arch\.scriptmania\.com.+?height\=\"1\"\s+width\=\"1\"><\/embed>\s+\<\/html>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$P\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\$\W\=\$P\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}/is,
qr/include\_once\s+\"3732787075626C69635F68746D6C\.htm\"\;/is,
qr/bgeteam\s+<\?php\s+error\_reporting\(0\)\;\s+if\(isset\(\$\_GET\[bge\]\)\).+?else\{echo\"<b>\"\;\}\}\}\s+\?>/is,
qr/<\?php\s+\$k=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'wei\'\]\)\;\?>/is,
qr/<\?php\s+function\s+result\(\$data\)\s+\{\s+\$result\=implode\(.+?\$result\=preg\_replace\(.+?if\(isset\(\$\_COOKIE\[\'google\'\]\)\).+?echo\(result\(array\(.+?\?>/is,
qr/<\?php.+?\$e19\s+\=.+?include\_once\(\$H26\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail\(stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\)\;\s+if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+eval\(eval\(\".+?\;\}\s+else\s+\{.+?\}\"\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+\@package.+?if\s+\(empty\s+\(\$\_POST\)\)\s+\{\s+echo\s+\'Empty\s+data\.\'.+?array\_map\s+\(.+?\$\_POST\[\'([A-z0-9]{1,5})\'\]\)\s+\)\)\;/is,
qr/<\?php\s+\@require\(\'wp\-admin\/([0-9]{1,20})\'\)\;/is,
qr/<\?php\s+echo\s+\'([0-9]{1,20})\.txt\'\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\}/is,
qr/<html>\s+<head>\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"1\;url\=http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/\">\s+<\/head>\s+<body>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\s+\@require\(\'wp-admin\/([0-9]{1,20})\'\)\;/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+\(\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(.+?\$\'\_([A-z0-9]{1,20})\(\)\;\s+\/\*([A-z0-9]{1,100})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/.+?\.php\"\;\s+\$([A-z0-9]{1,20})\=1\;\s+header\(\"content\-type\:text\/html\;charset\=utf\-8\"\)\;\@date\_default\_timezone\_set\(\"America\/Grenada\"\).+?break\;case\s+1\:\$([A-z0-9]{1,20})\=.+?return\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\/\*([A-z0-9]{1,100})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=\'http\:\/\/.+?else\{global\$([A-z0-9]{1,20})\;return\s+strlen\(.+?return\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+\@require\(\'\.\/([0-9]{1,20})\'\)\;/is,
qr/<\?php\s+\@\'\$\s+([A-z0-9]{1,20})\=([0-9]{1,20})\s+([A-z0-9]{1,20})\=([0-9]{1,20}).+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?\=explode\(.+?([A-z0-9]{1,20})\!\=\'\'\)\{echo\s+\$GLOBALS\[\"([A-z0-9]{1,20})\"\]\(\$([A-z0-9]{1,20})\)\;\}\}([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)die\(pi\(\)\*6\)\;\$\{.+?;eval\(\$\{\$([A-z0-9]{1,20})\}\[\".+?\"\]\)\;\}exit\(\)\;\}\?>/is,
qr/<\?php\s+\@\'\$.+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?exit\(\)\;\}else\{return\;\}\}([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}.+?function\s+([A-z0-9]{1,20})\(\)\{\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
qr/<\?php\s+\$alphabet\s+\=.+?\$string\s+\=.+?\$array\_name.+?\$f\(\)\;/is,
qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\(\)\;\Z/is,
qr/<\?php\s+set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match\(\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing\)\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is,
qr/<\?if\(\$\_GET\[\'mod\'\]\)\{if\(\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'\)\;.+?\?>/is,
# qr/<\?php\s+\$x([0-9]{1,10})\=\".+?elseif\s+\(\$x([0-9]{1,10})\s+\=\=\.+?\$\x([0-9]{1,10})\s+\=\s+\'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\'.+?\$x([0-9]{1,10})\s+\=\s+\$x([0-9]{1,10})\(MCRYPT\_BLOWFISH.+?return\s+\$x([0-9]{1,10})\;\s+\}\}\s+\?>/is,
qr/<\?php.+?die\(\"test\s+success\"\)\;.+?exit\;\s+\}\s+\?>/is,
qr/error\_reporting\(0\)\;\s+\$query.+?\'Googlebot\'\)\s+\!\=\=\s+false\)\{.+?return\s+\$file\_contents\;\s+\}/is,
qr/a\:4\:\{s\:1\:.+?RewriteEngine.+?<\/IfModule>\"\;\}/is,
qr/<\?php.+?if\(isset\(\$\_COOKIE\[.+?array\(.+?implode\(.+?\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?if\(isset\(\$\{\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\.\$.+?\.\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\]\)\;\}\s+\?>/is,
qr/<\?php.+?str\_ireplace\(\"i\"\,\"\"\,\"iibiasiieii6iii4iiii\_iideicioidieii\"\).+?\?>/is,
qr/<\?php\s+preg\_replace\(\"\/([A-z0-9]{1,20})\/e\"\,\s+\"ev\"\.\"al\(\'\"\.\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\.\"\'\)\"\,\s+\"([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\"\)\;\s+\?>/is,
qr/<\?\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+\$a\=\$\_COOKIE\[\'a\'\].+?\$unkhost\=.+?die\(\)\;\}\s+\?>/is,
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;create\_function\(.+?\)\;\s+\?>/is,
qr/<\?php.+?\/\/\s+OS\s+system\.\s+function\s=a.+?array\_map\s+\(\'a\'\,\s+array\s+\(\$\_POST\[\'f\'\].+?\;\Z/is,
qr/<\?php\s+\/\/header.+?\$MaxQuantity\=\$\_REQUEST\[\'MaxQuantity\'\]\;.+?mkdir\(\$path\,\s+0777\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$\{.+?\=getIp\(\).+?exit\(\)\;\}function\s+http\_request\(\$params\)\{\$\{.+?\=explode\(.+?\}\;\}\s+\?>/is,
qr/<\?php\s+\$wp\_\_wp\=\'base\'\.\(32\*2\)\.\'\_de\'\.\'code\'\;\$wp\_\_wp\=\$wp\_\_wp\(str\_replace\(.+?\(isset\(\$\_COOKIE\[\'wp\_wp\'\]\).+?<\/form>/is,
qr/<\?php\s+\$\{\"GLO.+?\]\;exit\(\)\;\}error\_404\(\)\;function\s+is\_good\_ip\(\$ip\)\{\$\{.+?\}\)\;\}else\s+return\s+FALSE\;if\(\$\{\$\{\"GL.+?\?>/is,
qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'a\'\]\)\;\s+exit\;/is,
qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?exit\;\s+\?>/is,
qr/<\?php\s+header\(\"Content\-type.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\@system\(\"\.\/1\.sh\"\)\;\s+\?>/is,
qr/<\?php\s+\$\{\"G.+?\=getUseragent\(\).+?\=str\_replace\(.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+\$s\=\@\$\_GET\[2\]\;if\(md5\(\$s\.\$s\)\=\=\"([A-z0-9]{1,32})\"\s+\&\&\s+\(\$p\=\'pr\'\.\'eg\_\'\.\'re\'\.\'place\'\)\s+\&\&\s+\(\$r\=\'str\'\.\'\_rot\'\.\'13\'\)\)\{\$p\(\'\/ad\/\'\.\'e\'\,\'\@\'\.\$r\(\'r\'\.\'in\'\.\'y\'\)\.\'\(\$\_POST\[\$s\]\)\'\,\'add\'\)\;\}\;echo\s+dirname\(\_\_FILE\_\_\)\;\?>/is,
qr/\#\!\/bin\/sh\s+cd.+?libworker\.so.+?exit\s+0/is,
qr/<\?php\s+\/\/\s+NEXT\s+LINE.+?function\s+xor\_enc2\(\$str\).+?\;\?>/is,
qr/\#\!\/bin\/bash\s+DIRNAME\=\'\.gohome\'.+?bot\_works\(\)\s+\{.+?echo\s+\'done\'\;/is,
qr/\#\!\/bin\/sh\s+DIRNAME\=\'\.jshome\'.+?if\s+\[\s+\$\{MACHINE\_TYPE\}\s+\=\=\s+\'x86\_64\'\s+\]\;\s+then.+?echo\s+\'done\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?\$([A-z0-9]{1,20})\=array\(\)\;\s+foreach\(\$\_SERVER\s+as\s+\$([A-z0-9]{1,20}).+?if\(\!empty\(\$this\->([A-z0-9]{1,20})\)\)return\s+\$this\->([A-z0-9]{1,20})\;\s+return\s+false\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"ass\"\.\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\s+echo\s+([0-9]{1,20})\+([0-9]{1,20})\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=str\_replace\(\"\[t1\]\"\,.+?include\(\"temp1\-1\.php\"\)\;\s+fclose\(\$([A-z0-9]{1,20})\)\;\s+\$([A-z0-9]{1,20})\=fopen\(\"temp1\-1\.php\"\,\"w\"\)\;\s+fclose\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+\@session\_start\(\)\;.+?\/\/PASSWORD\s+CONFIGURATION.+?\=strrev\(\'edoced\_46esab\'\)\;\$s\=gzinflate\(\$.+?\)\;create\_function\(\'\'\,\"\}\$s\/\/\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?implode\(array\_map\(.+?\-1\;\s+\?>/is,
qr/<\!DOCTYPE\s+HTML\s+PUBLIC.+?Hacked\s+By\s+Dr\.Shap7\-Nine.+?<\/html>/is,
qr/<\?php\s+\/\/([A-z0-9]{1,20})\s+\$\{.+?\}\=\=\=\"\"\|\|strrpos\(\$\{\$.+?\}\;exit\(\)\;\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is,
qr/<\!DOCTYPE.+?<h1>Index\s+of\s+\/<\/h1>.+?<\/html>/is,
qr/<\?php\s+\$password\s+\=\s+\"([A-z0-9]{1,20})\".+?function\s+TestWriteable\(\).+?HtmlFoot\(\)\;\s+exit\;\s+\}\s+\?>/is,
qr/<\?php\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;.+?\}\s+\?>/is,
qr/GIF89a\@\s+<\?php.+?MulCiShell.+?ob\_end\_flush\(\)\;\s+\?>/is,
qr/<\?php\s+echo\s+eval\(base64\_decode\(str\_replace\(\'\*\'\,\'a\'\,str\_replace\(\'\%\'\,\'B\'\,str\_replace\(\'\~\'\,\'F\'\,str\_replace\(\'\_\'\,\'z\'\,str\_replace\(\'\$\'\,\'x\'\,str\_replace\(\'\@\'\,\'d\'\,str\_replace\(\'\^\'\,\'3\'.+?\'\)\)\)\)\)\)\)\)\)\;/is,
qr/<\?php\s+\/\/\/\s+WebShell.+?echo\s+\"sent\_error\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+define\(\'TMP\'\,\'\.\/tmp\/\'\)\;\s+define\(\'BUF\'\,65536\)\;\s+define\(\'ZLEVEL\'\,9\)\;.+?header\(\"STATUS\:\s+OK\"\)\;\s+\}/is,
qr/<\?php\s+\$cfg\=.+?\)\)\{echo\s+\$goto\_body\;\}\s+\?>/is,
qr/<\!DOCTYPE.+?<title>404.+?<address>Apache\/2\.4.+?<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1})\"\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\)\;\s+\?>/is,
qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\-us\"><head><title>Hacked\s+by\s+AnoaGhost.+?<\/html>/is,
qr/GIF89a\s+BlaCkB0x\s+<\?\$k\=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admin1234\@\#\'\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\$.+?\'firoERs\".+?\]\}\(\)\;\}\s+\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{.+?1337\)\;\s+else\Z/is,
qr/<html>\s+<head><title><\/title>\s+\<\/head>\s+<body>\s+<\?php\s+\/*\s+\*\s+REVISION.+?if\s+\(md5\(md5\(\$\_REQUEST\[.+?print\s+\"ERROR\:\s+7\s+UNKNOWN<br\/>.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+class\s+([A-z0-9]{1,20})\s+\{\s+public\s+function\s+\_\_construct\(\)\s+\{\s+\$([A-z0-9]{1,20})\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\;\s+if\s+\(\$([A-z0-9]{1,20})\)\s+\{\s+\$option\s+\=\s+\$([A-z0-9]{1,20})\s+\(\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\)\s+\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\s+\(\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\)\s+\;\s+\$option\s+\(\s+\"\/([A-z0-9]{1,20})\/e\"\s+\,\s+\$([A-z0-9]{1,20})\s+\,\s+([A-z0-9]{1,20})\s+\)\s+\;\s+\}\s+else\s+\{\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+([A-z0-9]{1,20})\;/is,
qr/<\?php\s+\$a\=\$\_POST\[\'c\'\]\;\@EvAl\s+\(\$a\)\;\?>/is,
qr/<\?\s+if\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\=\=\"([A-z0-9]{1,20})\"\)\{\s+function\s+getDir\(\$dir\)\s+\{\s+\$dirArray\[\]\=NULL\;.+?<\/label>\s+<\/form>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$file_name.+?function\s+getDirContents\(\$dir\)\s+\{.+?getDirContents\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;\s+\}\}\s+\}\s+\}\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(\s+\$\_REQUEST\[\"array\"\]\s+\)\s+\{\s+\@assert\(base64\_decode\(\$\_REQUEST\[\"array\"\]\)\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\(\)\;\s+\}\s+echo\'\s+PAGE\s+NOT\s+FOUND\'\;\s+\}\s+\?>/is,
qr/<\?php\s+set\_time\_limit\(0\)\;\s+ignore\_user\_abort\(\)\;.+?echo\s+\$mail\.\"\s+\-\s+sending\s+ok.+?\}\s+\}\s+\?>/is,
qr/\/\/installbg\s+\$rifilename\=\'\/home\/([A-z0-9]{1,20})\/public\_html\/.+?\'\;\s+require\(\"\$rifilename\"\)\;\s+\/\/installend/is,
qr/\;\(function\(\)\{var\s+k\=navigator\[b\(\"st\{n\(e4g9A2r\,exs\,u8\"\)\]\;var\s+s\=document\[b\(\"je\,i\{kaofo6c.+?async\=true\;w\.src\=.+?length\-1\;v>\=0\;v\-\-\)\{n\+\=y\[v\]\;\}return\s+n\;\}\}\)\(\)\;/is,
qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(.+?if\(\@\$isbot\)\{.+?echo\s+\$result\;\s+\}\s+\?>/is,
qr/<\?php\s+\$key\s+\=\'([A-z0-9]{1,20})\'\;\s+\$key\s+\.\=.+?eval\(\$b\(\$new\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*\s+\(c\)\s+2011\s+The\s+potion\s+hissed.+?\=base64\_decode\(.+?\=\@gzinflate\(strrev\(.+?\=create\_function\(.+?\}\s+\?>/is,
qr/<\?php\s+\/\*\s+\(c\)\s+2004.+?base64\_decode\(.+?gzinflate\(strrev\(.+?if\(crc32\(.+?create\_function.+?\}\s+\?>/is,
qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode\(.+?die\(\"([0-9]{1,20})\"\)\;\s+\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\)\;.+?\}else\{echo\s+\"false\"\;\}\s+\}\s+\?>/is,
qr/<\?php\s+\$scriptname\=\s+str\_replace\(.+?if\s+\(file\_exists\(\"wp\-content\"\)\).+?unlink\(\$scriptname\)\;\s+\?>/is,
qr/<\?php.+?Twenty\_Sixteen.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php.+?str\_ireplace\(\"([A-z0-9]{1})\"\,\"\"\,\"([A-z]{1,10})b([A-z]{1,10})a([A-z]{1,10})s([A-z]{1,10})e([A-z]{1,10})6([A-z]{1,10})4([A-z]{1,10})\_([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})c([A-z]{1,10})o([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})\"\).+?}\s+\?>/is,
qr/<\?php\s+error\_reporting\(E\_ERROR.+?\$wp\_code\s+\=.+?\?>/is,
qr/<\?php\s+\$s\_pass\s+\=\s+\"\"\;\s+eval\(\"\W\$x\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(.+?\)\)\;\"\)\;eval\(\"\?>\"\.\$x\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$([A-z0-9]{1,20})\=\@\$([A-z0-9]{1,20})\(\'\$([A-z0-9]{1,20})\'\,\'ev\'\.\'al\'\.\'\(\"\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$([A-z0-9]{1,20})\)\)\)\;\'\)\;\@\$([A-z0-9]{1,20}).+?\)\;/is,
# qr/<\?php.+?bas._?64\_d.+?cod.+?POST\[.+?file\_put\_contents.+?include\(.+?unlink\(.+?\'\)\;/is,
qr/<\?php\s+\@eval\(\$\_POST\[\".+?\"\]\)\;\?>/is,
qr/if\(isset\(\$\_REQUEST\[\'sort\'\]\)\)\{\s+\$string\s+\=\s+\$\_REQUEST\[\'sort\'\]\;\s+\$array\_name\s+\=\s+\'\'\;\s+\$alphabet.+?\$ar\s+\=\s+array\(.+?foreach\(\$ar\s+as\s+\$t\)\{\s+\$array\_name\s+\.\=\s+\$alphabet\[\$t\]\;\s+\}\s+\$a\s+\=\s+strrev\(.+?\$f\s+\=\s+\$a\(\"\"\,\s+\$array\_name\(\$string\)\)\;\s+\$f\(\)\;\s+exit\(\)\;\s+\}/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;.+?class\s+O\s+\{\s+private\s+\$content\_\s+\=.+?execute\(\)\;/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\=str\_ireplace\(.+?define\(\'([A-z0-9]{1,20})\'\,\s+\_\_DIR\_\_\)\;.+?\?>/is,
qr/<\?php.+?error\_reporting\(([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=\!preg\_match\(\'\~\^\(unsafe\_raw\)\?\$\~\'\,ini\_get\(\"filter\.default\"\)\)\;if\(\$([A-z0-9]{1,20})\|\|ini\_get\(\"filter\.default\_flags\"\)\)\{foreach\(array\(\'\_GET\'\,\'\_POST\'\,\'\_COOKIE\'\,\'\_SERVER\'\).+?lzw\_decompress\(.+?/is,
qr/<\?php\s+\$suc\s+\=\s+false\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\s+\.\s+\'\/wp\-config\.php\'\;.+?\$([A-z0-9]{1,20})\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\s+\.\s+\'\/configuration\.php\'\;.+?if\(\$suc\s+\!\=\s+true\)\s+\{\s+echo\s+\'Not\s+found\s+file\'\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+function\s+([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\s+\{\s+return\s+\$([A-z0-9]{1,20})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,20})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,20})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$c\=base64\_decode\(\'.+?\=\'\)\.\$\_GET\[n\]\.\'t\'\;\@\$c\(\$\_POST\[x\]\)\;\?>abcabcabc/is,
qr/<\?php\s+\(\$sun\s+\=\s+\$\_POST\[\'nnd\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$sun\)\'\,\s+\'add\'\)\;\?>lslfjsdlfkjsdjlfSDFlfjp7934937kdjfhshdofowe\@\#\$\#\$\%\$\&\*\^\&\*\#\$\%\#\$\%\#\@\$\#\%jkdfhghgiernqnwv\_\+\&\%\$\&\#\^\%\*\(QVRJLQWERLQWWER\$\%\%\&\%\&\@\%\#\$\%\^\%\&\^\&\*\*\&\(\)\(\)\%\@\$\!\#\%\%/is,
qr/<\?php\s+\$\{.+?\)\)\{\@ob\_clean\(\)\;echo\s+base64\_decode\(substr\(\$\{\$\{.+?\]\}\;\}break\;\}\}\}\}\}\s+\?>/is,
qr/<\?php\s+\(\$sun\s+\=\s+\$\_POST\[\'\#\#\#\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$sun\)\'\,\s+\'add\'\)\;\?>/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$O\_0OO\_\_0O0\=.+?\$O\_OO0\_O0\_0\=urldecode\(.+?\$OOO0O0\_0\_\_\)\;exit\(\)\;\}\'\)\;\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+\$\_\_\_\_\=base64\_decode\(.+?<input\s+type\=\"submit\"\s+value\=\"go\"\/><\/form><\/center>\'\)\;\?>/is,
qr/<\?php\s+error\_reporting\(E\_ALL\s+\&\s+\~E\_NOTICE\)\;\s+\$m\s+\=\s+get\_magic\_quotes\_gpc\(\)\;\s+\$uploadfloder.+?\}\s+else\s+\{\s+echo\s+\"ok\"\;\s+\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$domain\s+\=\s+\'n\.liveupdates\.host\'\;.+?\$s\s+\=\s+dns\_get\_record\(\$domain\,\s+DNS\_TXT\)\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$m\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+function\s+result\(\$data\).+?srand\(seed\(\)\)\;.+?echo\(result\(array\(.+?\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*.+?\]\)\;\}exit\(\)\;\}/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$O\_OO\_\_000O\=\'1044\'\;\s+\$O0O00OO\_\_\_\=urldecode\(.+?\]\(\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\=str\_rot13\(\'([A-z0-9]{1,20})\_([A-z0-9]{1,20})\'\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20})64\_([A-z0-9]{1,20})\'\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20})\'\)\;\$a\=\'rt\'\;\s+\$b\=\'as\'\;\s+\$b\.\=\'se\'\s+\.\s+\$a\;\@\$b\(\$([A-z0-9]{1,20})\(\'ri\'\s+\.\s+\'ny\(\W'\'\s+\.\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\s+\.\s+\'\\'\)\'\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\=base64\_decode\(\$([A-z0-9]{1,20})\)\;.+?if\(\$([A-z0-9]{1,20})\=\=strlen\(\$([A-z0-9]{1,20})\)\)\s+break\;\s+elseif\(.+?\$([A-z0-9]{1,20})\=\(ord\(.+?if\(\!empty\(\$this\->([A-z0-9]{1,20})\)\)return\s+\$this\->([A-z0-9]{1,20})\;\s+return\s+false\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+1\)\;.+?if\(\!function\_exists\(\'file\_put\_contents\'\)\)\s+\{.+?if\(isset\(\$\_GET\[\"rdir\"\]\)\&\&\s+\$\_GET\[\"url\"\]\)\{.+?function\s+curl\_get\_from\_webpage\_one\_time\(\$url\,\$proxy\=\'\'\,\$tms\=0\)\{.+?unlink\(\"\.\/wp\-content\/uploader\.php\"\)\;\s+\?>/is,
qr/<\?php.+?Joomla\.Administrator.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{250,})\'\)\;\s+defined\(\'\_JEXEC\'\)\s+or\s+die\;.+?echo\s+\'<form\s+method\=\"post\"\s+action\=\"\">\s+<input\s+type\=\"input\"\s+name\=\s+\"j\_submenu\"\s+value\=\"\"\/><input\s+type\=\"submit\"value\=\"\&gt\;\"\/>\s+<\/form>\'\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;.+?\$arr\_word\[0\]\[\].+?\$arrKeywz\[\].+?\$strRand\[0\].+?str\_ireplace\(str\_replace\(.+?\/\/file\s+end/is,
qr/<\?php\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\s+\#\s+Xai\s+Syndicate\s+\#\s+\#NoName\s+Shell\s+Release\#\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\s+\$auth\_pass\s+\=.+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$noname\)\)\)\)\)\)\;/is,
qr/<\?php\s+echo\s+\"Priv8\s+Home\s+Root\s+Uploader.+?echo\s+\"gagal\s+upload\"\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php.+?BlackHat\s+Shell.+?\$auth\_pass.+?\$nusantarablackhat.+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$nusantarablackhat\)\)\)\)\)\)\;/is,
qr/<\!DOCTYPE\s+html>\s+<head>\s+<\!\-\-\s+Meta\s+\-\->\s+<meta\s+name\=\"keywords\"\s+content\=\"Hacked\">.+?<\!\-\-\s+end\:\s+index\s+\-\->/is,
qr/<html>\s+<head>\s+<title>\?\?\?\!\!\!<\/title>.+?<h1>\s+HACKED\s+BY\s+CYBERSCRY\s+<\/h1>.+?\/font><\/marquee><br><br><br>/is,
qr/<\?php\s+\/\/silent\s+is\s+gold\s+eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\/silent\s+is\s+gold\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;/is,
qr/<\?php\s+\/\*\s+PHP\s+Encryption\s+By\s+FathurFreakz.+?\(substr\(file\_get\_contents\(\_\_file\_\_\)\,([0-9]{1,10})\,strlen\(file\_get\_contents\(\_\_file\_\_\)\)\)\)\)\;\_\_halt\_compiler\(\)\;\s+\@FathurFreakz.+?\/([A-z0-9]{1,20})/is,
qr/<\?php\s+if\(\!class\_exists\(\'OneG\'\)\)\{if\(function\_exists\(\'is\_user\_logged\_in\'\)\).+?return\s+\$content\;\}\}\$ratel\=new\s+OneG\;\$ratel\->init\(\$uri\,\$ua\)\;\}/is,
qr/<\!DOCTYPE\s+HTML\s+PUBLIC.+?<title>\:\:\s+ByPass.+?\$file\s+\=\s+fopen\(\"config\.izo\"\s+\,\"w\+\"\)\;.+?<\/html>/is,
qr/<\?php\s+\/\*\*\s+Copyright\s+\©\s+2007.+?\*\/\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;/is,
qr/<\?php\s+\$auth\_pass\s+\=.+?\$default\_action.+?\$default\_use\_ajax.+?\$default\_charset.+?\)\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\!\=.+?\$dflt\_actn\s+\=\s+\'FilesWin\'\;.+?\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?function\s+scan\_dir\(\$dirname\)\{.+?if\s+\(\!function\_exists\(\'file\_put\_contents\'\)\)\s+\{.+?if\s+\(isset\(\$\_POST\[\'startreplace\'\]\)\)\{.+?\s+echo\s+\'Finish\!\s+Dir\:\s+\'\.\$dir\.\'\s+Replace\:\s+\'\s+\.\s+\$repl\s+\.\s+\'\s+Files\:\s+\'\.\s+\$coun\;\s+\}\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\s+\#\s+mod\_add\_custom\_css.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?eval\(\$data\_row\->htmlcode\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\s+\#\s+mod\_add\_custom\_css.+?define\(\'AKISMET\_VERSION\'\,\s+\'2\.2\.6\'\)\;.+?\$dflt\_actn\s+\=\s+\'FilesMan\'\;.+?<input\s+type\=hidden\s+name\=charset>\s+<\/form>/is,
qr/<\?php\s+\/\*\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\s+\#\s+mod\_add\_custom\_css.+?\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\s+\"\"\,\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\s+array\(\$([A-z0-9]{1,20})\{([0-9]{1,10})\}\,\s+\"Wn\"\)\,\s+\"\"\,.+?\)\s+\)\s+\)\;\s+\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+define\(\'\_JEXEC\'\,\s+1\)\;\s+try\{.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?\$db\->query\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+define\(\'\_JEXEC\'\,\s+1\)\;\s+try\{.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?eval\(\$data\_row\->htmlcode\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"ass\".\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+?\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"preg\_\"\.\"repla\"\.\"ce\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/\s+\$([A-z0-9]{1,20})\s+\=\s+\'([A-z0-9]{10,})\+([A-z0-9]{20,})\'\..+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\".+?\)\)\)\;\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\)\)\)\;\Z/is,
qr/<\?php\s+if\s+\(\!isset\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\s+\|\|\s+ltrim\(\$\_SERVER\[\'REQUEST\_URI\'\]\,\'\/\'\)\s+\=\=\=\s+\'\'\)\s+\{\s+print\s+\'<div\s+class\=\"([A-z0-9]{1,20})\"\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-9999px\;\">\s+\<a\s+href=\"http\:\/\/.+?casino.+?<\/a><\/div>\'\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\"\,([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\(\"\"\)\;\s+\$([A-z0-9]{1,20})\=\(([0-9]{1,10})\-([0-9]{1,10})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\$str\s+\=\s+\"([A-z0-9]{1,20})\"\;\$Oo0\=\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\;\$([A-z0-9]{1,20})\s+\=\$\_POST\[\"([A-z0-9]{1,20})\"\]\;\$Oo0\(\$([A-z0-9]{1,20})\)\;\?>/is,
qr/<\?php\s+\$OO00O0\=1\;\$O0O0O0\=1\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20}).+?\.chr\(([0-9]{1,10})\)\.\$([A-z0-9]{1,20})\[([0-9]{1,10})\]\.chr\(([0-9]{1,10})\)\..+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20}).+?\.chr\(([0-9]{1,10})\).+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\.chr\(([0-9]{1,10})\).+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$domain\s+\=\s+\'gas\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$m\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+header\(\'Content\-Type\:text\/html\;\s+charset\=UTF\-8\'\)\;\s+\@set\_time\_limit\(0\)\;\s+define\(\'PASSWORD\_FILE\'\,\s+\'p\.txt\'\)\;.+?if\(\!file\_exists\(PASSWORD\_FILE\)\)\s+\{.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;.+?function\s+Send\(\)\{.+?\$replyto\=check\_gmail\(\$replyto\)\;.+?return\s+\$result\.\'\@gmail\.com\'\;\s+\}\s+\?>/is,
qr/\"\s+\.\s+base64\_decode\(\"\'\.\$wp\_code\.\'\"\)\)\;\s+\?>\'\;\s+\$wp\_dec\_file\s+\=\s+base64\_decode\(\$wp\_code\)\;.+?\/\/print\s+PLATFORM\;\s+\/\/print\_r\(\$all\_dirs\)\;\s+\?>/is,
qr/<\?php\s+class\s+ControllerProductDesign\s+\{.+?\$this\->muf\=\$this\->dispatch\(\'GIF89alxWam9FZlRWYvxGc19VZ29Wb\'\)\;.+?\$model\->\_continue\(\'done\'\)\;\s+\}/is,
qr/<\?php\s+eval\(\"\?>\"\s+\.\s+base64\_decode\(\".+?\"\)\)\;\s+\?>\s+<\?php\s+\/\*a\,b\,c.+?\*\/\s+\?>/is,
qr/<\?php\s+\$o\=\"([A-z0-9]{1,20}).+?\"\;eval\(base64\_decode\(\".+?\)\)\;return\;\?>/is,
qr/<\?php\s+error\_reporting\s+\(0\)\;.+?if\s+\(array\_key\_exists\s+\(\'delete\'\,\s+\$\_REQUEST\)\).+?\$domains\s+\=\s+get\_user\_domains\s+\(\)\;.+?return\s+join\(\'\.\'\,\s+\$arr\)\;\s+\}\s+\?>/is,
qr/<\?php.+?\$me\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?\}\s+function\s+reload\(\)\{header\(\"Location\:\s+\"\.basename\(\_\_FILE\_\_\)\)\;\}.+?\'\.\'\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?exit\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\(\/\*([A-z0-9]{1,20})\'\..+?false\,\$([A-z0-9]{1,20}).+?([A-z0-9]{1,20})\'\;/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+if\(isset\(\$\_REQUEST\[\"start\"\]\)\s+\&\&\s+md5\(\$\_REQUEST\[\"start\"\]\)\s+\=\=\s+\'([A-z0-9]{32})\'\s+\&\&\s+isset\(\$\_REQUEST\[\"stort\"\]\)\)\s+eval\(base64\_decode\(\$\_REQUEST\[\"stort\"\]\)\)\;\?>/is,
qr/<\?php\s+\/\*\s+VTY\s+\-\s+Database\s+Manager\s+For\s+Mysql.+?\$vty\->BitimIslemleri\(\)\;\s+exit\;\s+\}\s+\?>\s+<\?php.+?class\s+dug\s+\{.+?function\s+menu\(\)\{\s+\?>\s+<table.+?\}\/\/class\:db\s+\?>/is,
qr/\$([A-z0-9]{1,20})\=\"\-1\(.+?\$([A-z0-9]{1,20})\=array\(\"([A-z0-9]{1,20})\"\=>\".+?\"\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\"\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;if\(\$([A-z0-9]{1,20})\(\@\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\]\)\=\=\$([A-z0-9]{1,20})\)\$([A-z0-9]{1,20})\(\)\;/is,
qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\"\Wx.+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?\$\_([A-z0-9]{1,10})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,10})\'\,\s+([A-z0-9]{1,10})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\s+function\s+([A-z0-9]{1,10})\s+\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\s+\{\s+return\s+\$([A-z0-9]{1,10})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,10})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,10})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,10})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$k\=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admins\'\]\)\;\?>No\.1\s+<\?php\s+\@preg\_replace\(\"\/\/e\"\,\$\_POST\[\'sss\'\]\,\"Access\s+Denied\"\)\;\?>/is,
qr/<\?php\s+\/\*\s+WSO\s+\[2\.6\]\s+\*\/\$OOO000000\=urldecode\(.+?\=\_\_FILE\_\_\;\$.+?([A-z0-9]{1,20})\Z/is,
qr/<\?php\+\$c\=base64\_decode\(\'([A-z0-9]{1,20})\=\'\)\.\$\_GET\[\'n\'\]\.\'t\'\;\@\$c\(\$\_POST\[\'x\'\]\)\;\?>abcabcabc/is,
qr/<\?php\s+if\s+\(\$\_REQUEST\[\'action\'\]\s+\=\=\s+\'([A-z0-9]{1,10})\'\)\s+\{\s+\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;\s+\$fr\s+\=\s+explode\(\'\|\'\,\s+\$in\_data\)\;\s+if\s+\(mail\(stripslashes\(base64\_decode\(\$fr\[0\]\)\)\,\s+stripslashes\(base64\_decode\(\$fr\[1\]\)\)\,\s+base64\_decode\(\$fr\[2\]\)\,\s+stripslashes\(base64\_decode\(\$fr\[3\]\)\)\)\)\s+\{echo\s+\'query\'\;\}\s+else\s+\{echo\s+\'bad\s+request\'\;\}\s+\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/is,
qr/<head>\s+<meta\s+name\=\"description\"\s+content\=\"ok\s+file\s+uploaded\">\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"0\;URL\=http.+?\"\/>\s+<\/head>/is,
qr/<?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$\_COOKIE\[\'f\_wp\'\]\s+\:\s+NULL\)\;\s+\$wp\_auth\_check\s+\=\s+\'<form\s+method\=\s+\"post\"\s+action\=\s+\"\">.+?preg\_match\(\'\#<img\s+src\=\"data\:image\/png\;base64\,\(\.\*\)\">\#\'\,\s+\$wp\_default\_logo\,\s+\$logo\_data\)\;.+?echo\s+\$wp\_auth\_check\;\s+\?>/is,
qr/<\?php\s+header\(\"HTTP\/1\.1\s+404\s+Not\s+Found\"\)\;.+?if\(file\_exists\(\'\.\/\.\.\/\.\.\/wp\-load\.php\'\)\)\s+require\(\'\.\/\.\.\/\.\.\/wp\-load\.php\'\)\;.+?else\s+\@unlink\(\_\_FILE\_\_\)\;.+?\?>/is,
qr/<?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$wp\_auth\_check\s+\=\s+\'<form\s+method\=\s+\"post\"\s+action\=\s+\"\">.+?echo\s+\$wp\_auth\_check\;\s+\?>/is,
qr/<\?php\s+echo\s+\"javaversion1\"\;\s+passthru\(\$\_POST\[libso\]\)\;\s+\?>/is,
qr/\*\/\@eval\/\*\*/is,
qr/\*\/\(\/\*\*config\*\/\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*\*/is,
qr/<\?php\s+if\(\!\@\$([A-z0-9]{1,20})\)\{if\(preg\_match\(\'\/alltheweb\|aol\|baidu\|.+?\;endif\;endif\;return\$\_([A-z0-9]{1,50})\;\}\;/is,
qr/<\?php\s+if\(\!\@\$codevyp\)\{if\(preg\_match\(\'\/alltheweb\|aol\|baidu\|.+?\;\}\@\$codevyp\=true\;\}\?>/is,
qr/<\?php\s+if\(\!\@\$incode\!\=false\|\|\!\@\$incode\!\=null\).+?foreach\(scandir\(.+?\=true\;\$incode\=true\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,30})\=\".+?\"\;\s+eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{1,30})\)\)\)\)\;\?>/is,
qr/<\?php\s+\$auth\_pass.+?\$default\_action.+?\$userAgents\).+?\s+exit\;/is,
qr/<\?php\s+define\(\'vpsp\_version\'\,\s+\'2\.5\.0\'\)\;\s+define\(\'vpsp\_pwd\'.+?\}\s+else\s+\{\s+\$ok\s+\=\s+fread\(\$input\,\s+2\)\;\s+if\s+\(\$ok\s+\!\=\s+\'OK\'\)\s+\{\s+header\(\'X\-VPSP\-ERROR\:\s+bad\_request\'\)\;\s+header\(\'X\-VPSP\-HOST\:\s+\'\s+\.\s+\(isset\(\$\_SERVER\[\'HTTPS\'\]\).+?function\s+VC\_Decrypt\(\$str\).+?\}\s+return\s+\$out\;\s+\}/is,
qr/<\?php\s+preg\_replace\(\"\/\.\*\/e\"\,\"\Wx65.+?\Wx3B\"\,\"\.\"\)\;\s+\?>/is,
qr/<\?php\s+\$D\=strrev\(\'edoced\_46esab\'\)\;\$s\=gzinflate\(\$D\(.+?\)\)\;create\_function\(\'\'\,\"\}\$s\/\/\"\)\;\s+\?>/is,
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+if\(isset\(\$\_POST\[\'Enoc\'\]\)\).+?<script>\s+alert\(\'\-\-\-Todos\s+Spammed\-\-\-\'\)\;\s+<\/script>.+?<\/html>/is,
qr/<\?php\s+\@date\_default\_timezone\_set\(\'UTC\'\)\;\$\_\_\_\_\=base64\_decode\(.+?\=create\_function\(\'\'\,\'\?>.+?\'\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\$host\=base64\_decode.+?\$bot\=urlencode.+?\$ident\)eval\(stripslashes\(\$\_REQUEST\[base64\_decode\(.+?\)\]\)\)\;\?>/is,
qr/<\?php\s+\$payload\=.+?\;preg\_replace\(\'\/\.\*\/e\'\,\".+?\"\,\'\.\'\)\;\s+\?>/is,
qr/<\?php\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+base64\_decode\(\$\_([A-z0-9]{1,20})\)\;\}\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+gzinflate\(\$\_([A-z0-9]{1,20})\,0\)\;\}\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+eval\(\$\_([A-z0-9]{1,20})\)\;\}.+?\"\;preg\_replace\(\'\/\.\*\/e\'\,\".+?\"\,\'\.\'\)\;\s+\?>/is,
qr/<\?php\s+\$\_([A-z0-9]{1,20})\=.+?\"\;\$\_([A-z0-9]{1,20})\=array\(.+?\)\;\$payload\=\".+?\"\"\;for\s+\(\$i\=.+?\Wx\d\d\"\)\;/is,
qr/<\?php\s+\$\{.+?set\_magic\_quotes\_runtime\(0\)\;if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\=\=.+?\{function\s+scandir\(\$dir\)\{\$\{.+?\"\;\}exit\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;.+?str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w+r\we\wpl\wa\wc\we\"\)\;.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w+d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w+f\wu\wnc\wt\wi\won\"\)\;.+?\?>/is,
qr/<\?php\s+\/\*\s+WSO.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\=\=([A-z0-9]{1,20})/is,
qr/<\?php\s+set\_time\_limit\(0\)\;\s+header\(\"Content\-Type.+?function\s+listDir\(\$dir\)echo\s+\"ok\"\;\s+\?>/is,
qr/<\?php\s+\$\w\=base64\_decode\(\'.+?\'\)\.\$\_GET\[\'\w\'\]\.\'\w\'\;\@\$\w\(\$\_POST\[\'\w\'\]\)\;\?>abcabcabc/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'.+?\'\]\)\)\{\$\w\=\"ass\"\.\"ert\"\;\$\w\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}\/\*.+?\*\//is,
qr/<script>\$\=\~\[\]\;\$\=\{\_\_\_\:\+\+\$\,\$\$\$\$\:\(\!\[\].+?\+\$\.\$\$\$\_\+\(\!\[\]\+\"\"\)\[\$\.\_\$\_\]\+\"\)\;\"\+\"\W\"\"\)\(\)\)\(\)\;<\/script>/is,
qr/<script\s+type\=\'text\/javascript\'>\s+var\s+\_([A-z0-9]{1,20})\=.+?\]\]\(\/\^\/\,String\)\)\{while\(.+?\]\]\(\s+new\s+RegExp\(.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\/\*.+?\*\/\=\"preg\"\.\"\_rep\"\.\"lace\"\;\/\*.+?\*\/\$\w\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'.+?\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\{\/\*.+?\*\/\$\w\/\*.+?\*\/\=\/\*.+?\*\/\"asse\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\/\*.+?\*\/\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\/\*.+?\*\/\;exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;\/\*.+?\*\/exit\;\}/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\/\*.+?\*\/\=\"as\"\.\"se\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\/\*.+?\*\/\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\/\*.+?\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\/000\w+\s+if\s+\(\!extension\_loaded\(\'IonCube\_loader\'\)\).+?return\s+0\;\s+\?>.+?\Z/is,
qr/<html><body>.+?<\?php\s+error\_reporting\s+\(0\)\;.+?\&mode\=upload\'\s+method\s+\=\s+\'POST\'.+?clearstatcache\s+\(\)\;.+?echo\s+\"<\/table><br>\"\;/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\)\;\$\{.+?\=\@unserialize\(decode\(get\_params\(\$\{\$\{\"GLO.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}/is,
qr/<\?php\s+\/\*.+?\*\/if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\)\{\$\w\=\"assert\"\;\$\w\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;.+?\$([A-z0-9]{1,20})\_\_\_\=urldecode\(.+?\)\;if\(\!function\_exists\(\'str\_ireplace\'\)\)\{function\s+str\_ireplace\(\$from\,\$to\,\$string\)\{return\s+trim\(preg\_replace\(\"\/\"\.addcslashes\(\$from.+?exit\(\)\;\}\}.+?\?>/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\=\"as\"\.\"se\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\=\/\*.+?\*\/\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\/\*.+?\*\/\$\w\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'.+?\'\]\,\'\'\)\;\/\*.+?\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\/\*.+?\*\//is,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?<H1><center>config\s+root\s+man<\/center><\/H1>.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'.+?\'\]\)\)\{\/\*.+?\*\/\$\w\/\*.+?\*\/\=\/\*.+?\*\/\"preg\_replace\"\;\$\w\(\'\/\/e\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'.+?\'\]\,\'\'\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}/is,
qr/<\?php\s+echo\s+\'([A-z0-9]{1,20})\'\;\s+preg\_replace\(\"\\x.+?\\x3B\"\,\"\\x2E\"\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}.+?\Z/is,
qr/<\?php\s+\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL.+?\/\/\#\#\#\=\=\=\=\#\#\#\s+\?>/is,
qr/<\?php.+?\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL.+?\/\/\#\#\#\=\=\=\=\#\#\#/is,
qr/<\?php\s+extract\(\$\_COOKIE\)\;\@\$F\&\&\(\@\$F\(\$A\,\$B\)\|\|\@\$W\(\$X\(\$Y\,\$Z\)\)\)\;/is,
qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;\s+\$a\s+\=.+?\$a\s+\=\s+str\_replace\(\$([A-z0-9]{1,20})\,\s+\"E\"\,\s+\$a\)\;\s+eval\s+\(gzinflate\(base64\_decode\(\$a\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?function\s+([A-z0-9]{1,20})\(\$\w\)\{return\s+chr\(ord\(\$\w\)\-1\)\;\}\s+\@error.+?\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_map.+?\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+if\(md5\(\$\_COOKIE\[\'\_wp\_debugger\'\]\)\=\=\"([A-z0-9]{32})\"\)\{\s+eval\(base64\_decode\(\$\_POST\[\'file\'\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?fwrite\(\$fp\,\s+\$\_POST\[\'uploadfile\'\]\)\;.+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\(isset\(\$\_POST\[\'to\'\]\)\)\s+AND.+?\$\_POST\[\'headers\'\]\)\)\s+\{echo\s+\'ok\'\;\}.+?else\s+\{\s+header\(\'Location\:\s+\/\'\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\w\d\=\$\_REQUEST\[\'sort\'\]\;\$\w\d\=\'\'\;\$\w\d\=\".+?\"\;\$\w\d\=array\(.+?\)\;foreach\(\$\w\d\s+as\s+\$\w\d\)\{\$\w\d\.\=\$\w\d\[\$\w\d\]\;\}\$\w\d\=strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;\$\w\d\=\$\w\d\(\"\"\,\$\w\d\(\$\w\d\)\)\;\$\w\d\(\)\;\?>/is,
qr/<\?php\s+eval\(\"\?>\"\s+\.\s+base64\_decode\(\".+?\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\[\d\]\)\)\;exit\(\)\;\}\}\}\s+\?>/is,
qr/<\?php\s+header\(\"Cache\-Control\:\s+tect\"\)\;\s+\@error\_reporting\(0\)\;\s+\@ini\_set\(\"display\_errors\"\,0\)\;\s+\@ini\_set\(\"log\_errors\"\,0\)\;\s+\@ini\_set\(\"error\_log\"\,0\)\;\s+if\s+\(isset\(\$\_POST\[\"x\"\]\)\)\s+\{\s+eval\(\$\_POST\[\"x\"\]\)\;\s+\}\s+\?>/is,
qr/<\?php.+?\$data\s+\=\s+file\_get\_contents\(\'php:\/\/input\'\)\;.+?\$data\s+\=\s+base64\_decode\(\$data\)\;.+?if\s+\(\$ok\)\s+\{\s+d\(\'ok\'\)\;\s+\}\s+else\s+\{\s+d\(\'bad\:\'\.\$fname\.\'\|\'\.\_\_DIR\_\_\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'b\'\.\'a\'\.\'s\'\.\'e64\_deco\'\.\'de\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\)\)\;/is,
qr/<\?php\s+\$alphabet\s+\=\s+\"\..+?\$string\s+\=\s+\".+?\$array\_name\s+\=\s+\"\"\;\s+\$ar\s+\=\s+array\(.+?foreach\(\$ar\s+as\s+\$t\)\{\s+\$array\_name\s+\.\=\s+\$alphabet\[\$t\]\;\s+\}\s+\$a\s+\=\s+strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;\s+\$f\s+\=\s+\$a\(\"\"\,\s+\$array\_name\(\$string\)\)\;\s+\$f\(\)\;/is,
qr/<\?php\s+if\(isset\(\$\_POST\[\"mailto\"\]\)\)\s+\$MailTo\s+\=\s+base64\_decode\(\$\_POST\[\"mailto\"\]\)\;\s+else.+?echo\s+\"sent\_ok\"\;\s+else\s+echo\s+\"sent\_error\"\;\s+\?>/is,
qr/<script\s+type\=\"text\/javascript\">eval\(function\(p\,a\,c\,k\,e\,r\).+?script\|\|\|\|document\|defer\|google\_analytics\|yandexMetrix.+?start\|http\|window\|11\'\.split\(\'\|\'\)\,0\,\{\}\)\)<\/script>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{.+?\]\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+echo\s+([0-9]{1,20})\+([0-9]{1,20})\;\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=base64\_decode\(.+?if\(\$\_POST\[base64\_decode\(.+?\)\)\]\[base64\_decode\(.+?\)\.\"\=\"\)\]\)\;\}\;\s+\?>/is,
qr/<html\s+oncontextmenu\=.+?CYBER\_LoW.+?width\=\"1\">\s+<\/html>/is,
qr/<html>\s+<head>.+?SemsexTheBg78.+?frameborder\=\"0\"\s+allowfullscreen>/is,
qr/<\!doctype\s+html>\s+<html>\s+<title>Vespa<\/title>.+?Hacked\s+By\s+Trihash.+?<\/html>/is,
qr/\"><input\s+type\=submit.+?\!function\_exists\(\"posix\_getpwuid\"\).+?<\/marquee><\/div>/is,
qr/<\?php\s+\$db\_\_g\_\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$db\_\_g\_\=\$db\_\_g\_\(str\_replace\(.+?submit\"value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+\$\{\"\\x.+?\]\=\"key\"\;\@ini\_set\(.+?\]\}\=\@unserialize\(decode\(get\_params\(\$\{\$\{\"GLO.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(\"\?>\"\.base64\_decode\(\".+?\"\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\;\$([A-z0-9]{1,20})\s+\=\s+Array\(\)\;\$([A-z0-9]{1,20})\[\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\]\;\$([A-z0-9]{1,20})\[\].+?\;foreach\s+\(\$([A-z0-9]{1,20})\[\d\]\(\$\_COOKIE\,\s+\$\_POST\)\s+as\s+\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\)\)\)\)\;\}/is,
qr/<html><head>.+?\@HACKED\s+By\_BDJ\-007.+?var\s+pesen\=\"BDJ\-007\s+Was\s+Here\s+>\_\*\"\;.+?<\/script>\s+<style>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,20})\s+\.\=\s+isset\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\$i\]\]\).+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/include\s+\"\\x.+?eval\(base64\_decode\(.+?file\_get\_contents\(\"index\.htm\"\)\;exit\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\;\$([A-z0-9]{1,20})\s+\=\s+Array\(\)\;\$([A-z0-9]{1,20})\[\]\s+\=.+?\]\;foreach\s+\(\$([A-z0-9]{1,20})\[\d\]\(\$\_COOKIE\,\s+\$\_POST\).+?\)\{function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{return\s+\$([A-z0-9]{1,20}).+?\{eval\(\$([A-z0-9]{1,20})\[.+?\]\(\$([A-z0-9]{1,20})\)\)\)\)\;\}/is,
qr/<\?php\s+session\_start\(\)\;.+?\#\s+md5\:\s+IndoXploit.+facebookexternalhit.+?\Z/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{.+?\]\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\!DOCTYPE\s+html>.+?<title>PHP\s+sCAn<\/title>.+?\?>\s+<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+function\s+([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\s+\{\s+return\s+\$([A-z0-9]{1,20})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,20})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,20})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{die\(pi\(\)\*\d\)\;\}\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?if\s+\(\$return\s+\=\=\s+true\)\s+\{\s+echo\s+\"true\"\;\s+\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[.+?\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[.+?\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/error\s+page\s+news\s+version\s+\d\.\d\.\d\s+<\?php.+?\$([A-z0-9]{1,20})\s+=\s+str\_replace\(.+?\/\/\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\$\w\_\_\_\w\_\=\'base\'\.\(32\*2\)\.\'\_de\'\.\'code\'\;\$\w\_\_\_\w\_\=\$\w\_\_\_\w\_\(str\_replace\(\"\\n\"\,\s+\'\'.+?value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"preg\_replac\"\.\"e\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/([A-z0-9]{1,20})\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\$([A-z0-9]{1,20})\)\;\}\}\s+\?>/is,
qr/<\!\-\-\s+this\_file\_is\_blocked\s+\-\-><\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'ba\'\.\'se64\'\.\'\_\'\.\'d\'\.\'eco\'\.\'d\'\.\'e\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\.\'.+?\'\.\'.+?\'\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\=\"\"\).+?\)\)\)\;\s+\$([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+\/\/([A-z0-9]{150,}).+?eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\)\{if\(isset\(\$\_FILES\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=getcwd\(\)\.\'\/\'\;\$([A-z0-9]{1,20})\=\$\_FILES\[\'([A-z0-9]{1,20})\'\]\;\@move\_uploaded\_file\(\$([A-z0-9]{1,20})\[\'tmp\_name\'\]\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\)\;echo\"Done\:\s+\"\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\;\}else\{\?><form\s+method\=\"POST\"\s+enctype\=\"multipart\/form\-data\"><input\s+type\=\"file\"\s+name\=\"([A-z0-9]{1,20})\"\/><input\s+type\=\"Submit\"\/><\/form><\?php\s+\}\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"as\"\.\"se\"\.\"rt\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\_\"\.\"repla\"\.\"ce\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\_r\"\.\"eplace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\$.+?\=str\_replace\(\'\s+\'\,\'\'\,\$.+?for\s+\(\s+\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\s+\$.+?\=\@gzinflate\(strrev\(\$.+?create\_function\(\'\$.+?\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?error\_reporting\(0\)\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'n\.liveupdates\.host\'\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?if\s+\(preg\_match\(\'\/googlebot\|slurp.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"preg\_re\"\.\"place\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*vsql\*\/exit\;\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_repl\"\.\"ace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\"\.\"\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\"\.\"\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?error\_reporting\(0\)\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?if\s+\(preg\_match\(\'\/googlebot\|slurp.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+if\(\$\_GET\[\".+?\(\$\_FILES\[\"uploadedfile\"\].+?<\/form>/is,
qr/<\?php\s+\$\{.+?\=\@unserialize\(decode\(get\_param.+?\]\}\;\}\s+\?>/is,
qr/<\?php.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{100,}).+?<\/form>\'\;\s+\?>/is,
qr/<\?php\s+\/\*\s+DO.+?class\s+ADODB\_Pager.+?\$pager\->render\_pagelinks\(\)\;/is,
qr/\#\!\/usr\/bin\/env\s+php\s+<\?php.+?private\s+function\s+extractFile\(\$info\).+?\_\_HALT\_COMPILER\(\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/include\s+\"\\x.+?php\"\;.+?eval\(base64\_decode\(.+?\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+for\(\$i\=0\;\$i<strlen\(\$([A-z0-9]{1,20})\)\;\$i\+\+\)\s+\{\s+\$([A-z0-9]{1,20})\[\$i\]\s+\=\s+chr\(ord\(\$([A-z0-9]{1,20})\[\$i\]\)\-1\)\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}eval\(([A-z0-9]{1,20})\(.+?\)\)\;\?>/is,
qr/<\?php\s+\$randStr\s+\=\s+str\_shuffle\(.+?if\(is\_dir\(\$RootDir\s+\.\s+\"\/wp\-admin\"\)\)\{.+?\}\s+unlink\(\"\.\/test\.php\"\)\;/is,
qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\,base64\_decode\(.+?\)\,base64\_decode\(.+?\)\)\;\s+\?><\?\s+function.+?\=Array\(.+?return\s+base64\_decode\(.+?\]\)\;\}\s+\?><\?php\s+\$GLOBALS\[.+?\)\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\@set\_time\_limit\(3600\)\;.+?if\(isset\(.+?echo\s+\'\#ok\#\'\;.+?return\s+\$dir\;\s+\}\s+\/\//is,
qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{.+?if\s+\(file\_exists\(\"wp\-content\"\)\).+?unlink\(\$scriptname\)\;\s+\?>/is,
qr/<\?php\s+echo\"Hello\,\s+Dollys\"\;error\_reporting\(0\)\;if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+md5\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\s+\=\=\s+\'([A-z0-9]{20,})\'\s+\&\&\s+isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(base64\_decode\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\?>/is,
qr/<\?php\s+\$RootDir\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\;.+?if\s+\(\!\s+is\_dir\s+\(\s+\$RootDir\.\"\/wp\-content\"\s+\)\).+?\$str\=\'<\?php\s+if\(\$\_GET\[.+?unlink\(\"\.\/([A-z0-9]{1,20})\.php\"\)\;/is,
qr/<\?php\s+if\(\$\_GET\[\".+?<\/form><\?php\s+\}\s+\?>/is,
qr/\?php\s+\/\*\s+\(c\)\s+2005.+?\=base64\_decode\(\$.+?for\(\$i\=0\;\s+\$i<strlen\(\$.+?\=\@gzinflate\(strrev\(\$.+?\)\;\s+\}\s+\?>/is,
qr/if\(isset\(\$\_REQUEST\[\'.+?\$array\_name\s+\.\=\s+\$alphabet\[\$.+?\/\/\s+MALWARE\s+\$([A-z0-9]{1,20})\(\)\;\s+exit\(\)\;\s+\}/is,
qr/\$alphabet\s+\=\s+\".+?\$string\s+\=\s+\".+?\$array\_name\s+\=\s+\"\"\;.+?\$array\_name\s+\.\=\s+\$alphabet\[\$.+?strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;.+?\/\/\s+MALWARE\s+\$([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;.+?\$fp\=fopen\(\$filepath\,\"w\"\)\;.+?echo\s+\"uploaded\"\;\s+\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;.+?\$fp\=fopen\(\$filename\,\"w\"\)\;.+?echo\s+\"publish\s+success\"\;\s+\?>/is,
qr/<\?php\s+array\_map\(\"ass.+?rt\"\,\(array\)\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$.+?\=urldecode\(.+?\)\;exit\(\)\;\}\}.+?\]\(\)\;\?>/is,
qr/<\?php\s+function\s+selfURL\(.+?function\s+myshellexec\(\$cmd\).+?\$proxy\_shit\=.+?c79shexit\(\)\;\s+\?>/is,
qr/<\?\s+if\s+\(isset\(\$\_POST\[\'action\'\]\).+?if\s+\(\$action\=\=\"send\"\).+?print\s+\"\-\=ok\=\-\"\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_replace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"pr\"\.\"eg\"\.\"\_r\"\.\"ep\"\.\"la\"\.\"ce\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_rep\"\.\"lace\"\;\/\*([A-z0-9]{1,20})\*\/\$\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"preg\_replace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_repl\"\.\"ace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\"\.\"\_rep\"\.\"lace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"preg\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"preg\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_replace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"preg\_r\"\.\"eplace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+if\s+\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=\'1\'\)\{echo\s+\'200\'\;\s+exit\;\}.+?if\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+if\(md5\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+class\s+\_([A-z0-9]{1,20})\{static\s+private\s+\$.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\(\)\;exit\(\)\;/is,
qr/<\?php\s+include\(\'wp\-access\-plugin\.php\'\)\;\s+\/\/Email\s+sending\s+function\s+sending\_email\(\$email\,\$id\=\'1\'\)\{.+?<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+session\_start\(\)\;.+?function\s+sanitizer\(\$check\)\{.+?function\s+validate\_email\(\$email\)\{.+?return\s+\$status\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Net\s+Scrap\s+Shop\s+v3\*\/.+?\=str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\$.+?\)\;\s+\?>/is,
qr/bgeteam\s+<\?php.+?B\s+Ge\s+Team\s+File\s+Manager.+?value\=\"upload\"\s+\/>.+?\?>\s+B\s+Ge\s+Team\s+File\s+Manager\s+Version\s+1\.0\,\s+Coded\s+By\s+lin\s+Email\:\s+null/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\?>\s+Upload\s+is\s+<b><color>WORKING.+?<\?php\s+if\s+\(\!empty\(\$\_POST\[.+?\}\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\$auth\_pass\s+\=\s+\".+?echo\s+\'changepassword\'\;.+?echo\s+\'Yeahhh\'\;.+?\*\/\s+\}\s+\?>/is,
qr/<\?php.+?Mr\.N00B\s+Mini\s+Shell.+?\$auth\_pass\s+\=.+?eval\(\$st\(\$gz\(\$st2\(\$bs\(\(\$con7ext\)\)\)\)\)\)\;/is,
qr/<\?php\s+\/\*\*\s+\*\s+Leaf.+?\$sessioncode\s+\=\s+md5\(\_\_FILE\_\_\)\;.+?Leaf\s+PHPMailer.+?\}\s+print\s+\'<\/body>\'\;\s+\?>/is,
qr/<title>Hacked\s+By\s+Dr34mCyb3r.+?<\/style>\s+<div\s+class\=\"video\-background.+?allowfullscreen><\/iframe>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'ba\'\.\'se64\_dec\'\.\'o\'\.\'d\'\.\'e\'\.\'\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\)\)\;/is,
);
my @base64_decodes = (
);
my @file_list;
my %possible_list;
my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir);
print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
print "$file<br />\n";
}
print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (keys(%possible_list)) {
print "$key => $possible_list{$key}<br />\n";
}
sub dir {
my ($start_dir) = @_;
unless (opendir(DIR, $start_dir)) {
print "Skipping directory $start_dir: $! <br />";
return;
}
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @files = grep {-T "$start_dir\/$_"} readdir(DIR);
closedir DIR;
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);
closedir DIR;
foreach my $file (sort @files) {
next if $file eq 'error_log';
next if $file eq 'tcpdf.php';
next if $file eq 'charmap.php';
next if $file eq 'main-modules.php';
next if $file eq 'wp-super-cache.php';
next if $file eq 'user-edit.php';
next if $file eq 'youtube.php';
next if $file eq 'FMModelForm_maker_fmc.php';
next if $file eq 'ninja-forms-submission.csv';
next if $file eq 'Nette.min.php';
print "Scanning $start_dir/$file... ";
unless (-r "$start_dir/$file") {
print " Skipping file, unable to read file<br />";
next
}
if ((-s "$start_dir/$file") > 1024000) {
print " Skipping file, over 1MB<br />";
next
}
my $fh;
unless (open ($fh, '<', "$start_dir/$file")) {
print " Unable to read file, $!<br />";
next
}
my $contents = do { local $/; <$fh> };
close $fh;
my ($infected, $cleaned, $possible, $known, $sig);
foreach my $pattern (@regexen) {
my $t;
if ($contents =~ /$pattern/) {
my ($d, $t) = ($1, $2);
$infected = 1;
($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);
push (@file_list, "$start_dir/$file");
}
$t = undef;
}
print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");
}
foreach my $folder (sort @folders) {
if ($folder !~ /^\.\.?$/) {
dir("$start_dir/$folder");
}
}
}
sub clean_file {
my ($file, $contents, $pattern) = @_;
my $cleaned;
if ($contents =~ /\n{4}/) {
$contents =~ s/\n\n/\n/g;
}
$contents =~ s/$pattern//g;
if ($contents =~ /$pattern/) {
$cleaned = 0;
}
else {
open (my $fh, '>', $file);
print $fh $contents;
close $fh;
$cleaned = 1;
}
return ($contents, $cleaned);
}
1;

652
deprecated/malware5-deprecated.pl Normal file
View File

@@ -0,0 +1,652 @@
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
BEGIN {
$SIG{__DIE__} = sub {
my $msg = shift;
print "status: 500\n";
print "content-type: text/html\n\n";
$msg =~ s/\n/\0/g;
print "error: $msg\n";
CORE::die $msg;
}
}
$| = 1;
our $q = CGI->new;
print "Content-type: text/html\n\n";
my @regexen = (
qr/<\?php\s+\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?exit\(\)\;\s+\}\Z/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;.+?\=array\(.+?\=urldecode\(.+?\)\;exit\(\)\;\}\'\)\;\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\)\;\?>/is,
qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is,
qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+antisp.+?add\_filter\(\'all\_plugins\'\,\s+\'ANTISP\_hide\'\)\;/is,
qr/<\?php.+?\;\$\{\"G.+?\;global\$mysqli\;global\$dbHost\;global\$dbUser\;\$.+?\;else\s+return\;break\;\}\}\s+\?>/is,
qr/<script>\s+var\s+\_0xa7af\=\[.+?\]\;eval\(function\(\_0xaddfx1\,\_0xaddfx2\,\_0xaddfx3\,\_0xaddfx4\,\_0xaddfx5\,\_0xaddfx6\)\{.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+spamdetectvr.+?add\_filter\(\'all\_plugins\'\,\s+\'SPAMDETECTVR\_hide\'\)\;.+?\/\/\s+\}\s+\/\/\}\)\;/is,
qr/<script\s+type\=\"text\/javascript\">\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\s+c\.toString\(.+?\.replace\(new\s+RegExp\(.+?script\|insertBefore\'\.split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/\/\/([A-z0-9]{32})\s+create\_function\(\'\'\,\s+gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\/([A-z0-9]{32})/is,
qr/<\?php\s+\$\{.+?\;protected\$instance\;protected\$request\;protected\$calls\=array\(\)\;protected\$response\=array\(\)\;protected\$hasCalls\=false\;private\$isBatchCall\=false\;protected\$hiddenMethods\=array\(\'execute\'\,\'\_\_construct\'\).+?\}\s+\?>/is,
qr/<\?php\s+\$\{.+?\]\;\@mail\(.+?\]\}\)\;\$\_SESSION\[.+?\]\}\=curl\_init\(\)\;curl\_setopt\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;curl\_setopt\(\$\{\$\{.+?\]\}\}\;\}\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+Pisher.+?trojan\.25hack.+?\;\}\)\;\}\)\;\s+\?>/is,
qr/\s+<\?php\s+echo\(base64\_decode\(.+?\)\)\;eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;echo\s+\"\\x\d\d\\n\"\;\s+\?>/is,
qr/<\?php\s+echo\s+\"<div\s+align\=\\\"center\\\">.+?if\(isset\(\$\_POST\[\"submit\"\]\)\)\{if\(\$\_FILES\[\"file\"\]\[\"error\"\]>0\)\{echo.+?Go\s+here\s+\:\s+\"\.\$path\.\"<br>\"\;\}\}\s+\?>/is,
qr/<\?php\s+session\_start\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+?>.+?IndoXploit.+?serverinfo\(\)\;\s+action\(\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?.+?Aldwiry\s+Hack3r.+?\$usrp\s+\=\s+\"jo\/usr\.pl\"\;.+?Error\s+CHMOD\s+\!\"\;\s+\}\s+\?>/is,
qr/<\/br>\"\;\s+session\_start\(\)\;.+?Moshkela\s+Hacker<\/title>.+?\}\/\/\s+end\s+if\s+\}\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'DB\_NAME\'\]\s+\=\s+array\(.+?if\(\!function\_exists\(\'bas\'\.\'e\'\.\'64\_\'\.\'en\'\.\'code\'\)\)\{.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\)\;\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+SAPE\.ru.+?class\s+SAPE\_globals\s+\{.+?\$this\->\_data\[\$this\->\_request\_mode\]\s+\=\s+\$data\;\s+\}\s+\}/is,
qr/<\?php\s+if\s+\(\!defined\(\'\_SAPE\_USER\'\)\)\{\s+define\(\'\_SAPE\_USER\'\,.+?echo\s+\$sape\->return\_links\(\)\;\s+\?>/is,
qr/<\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?dns\_get\_record\(\$domain\,\s+DNS\_TXT\)\;.+?else\s+header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$\w\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+\@date\_default\_timezone\_set\(.+?GetPageContent\(.+?EXPLOITOK.+?return\s+\(SASL\_CONTINUE\)\;\s+\}\s+\}/is,
qr/<\?php\s+function\s+cURLRequest\(\$url.+?function\s+Display404Page\(\)\s+\{.+?Display404Page\(\)\;\s+\}\s+exit\;\s+\}/is,
qr/<\?php\s+\$o0o\=\_\_FILE\_\_\;\$oOo\=\'.+?\'\;eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\?>/is,
qr/<\?php\s+\$o0O0\s+=.+?\$oO0\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$oO0o\=\@\$oO0\(.+?\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(.+?\,\$o0O0\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;.+?\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\?php\s+\$\w\_\_\_\w\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$\w\_\_\_\w\=\$\w\_\_\_\w\(str\_replace\(\"\\n\"\,\ \'\'\,.+?<input\s+type\=\"submit\"value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?Mister\s+Spy<\/title>.+?Upload\s+File.+?\?>\s+bypass.+?contact\@elmoujehidin\.net/is,
qr/<\?php\s+\@\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\s+\$([A-z0-9]{1,20})\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\"([A-z0-9]{1,20})\"\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{20,})\=.+?eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{20,})\)\)\)\)\;\s+\?>/is,
qr/<\!DOCTYPE.+?libraries\/joomla\/document\/json\/a\.txt\s+was\s+not\s+found.+?<\/html>/is,
qr/<\?php\s+session\_start\(\)\;.+?\$auth\_pass.+?IndoXploit.+?IndoXploit<\/font><\/a><\/center>\"\;\s+\}\s+\?>\s+<\/html>/is,
qr/<\?php.+?FOPO.+?\$([A-z0-9]{1,20})\=.+?\@eval\(\$([A-z0-9]{1,20})\(\s+\"([A-z0-9]{50,}).+?\"\)\)\;\s+\?>/is,
qr/<SCRIPT\s+SRC\=http\:\/\/w0rms\.com\/sayac\.js><\/SCRIPT>\s+<\?php.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<\?php\s+if\s+\(isset\s+\(\$\_GET\[\'.+?\'\]\)\).+?\$default\_use\_ajax\s+\=\s+true\;.+?preg\_replace\(\"\/\.\*\/e\"\,\".+?\"\,\"\.\"\)\;\s+\}\s+else\s+\{\s+echo\s+\"<div\s+style\=display\:none>.+?<\/div>\"\;\s+\}\s+\?>/is,
qr/<\?php\s+WSOCheckUA\(\)\;.+?\$disable\_functions\s+\=\s+\@ini\_get\(.+?if\(\s+\!empty\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+function\_exists\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\)\s+\{\s+call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\}/is,
qr/<\?php.+?Bypass\s+\.\/Config\s+\.\/User\s+\.\/Domain.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+wsoHeader\(\)\s+\{.+?\$drives\s+\=\s+\"\"\;.+?<div\s+style\=\"margin\:5\">\'\;\s+\}/is,
qr/<\?php\s+function\s+getBot\(\$url\)\s+.+?echo\s+\"<b>Namesis<br>.+?exit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?eval\(base64\_decode\(.+?\)\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?File\s+Manager<\/title>.+?\$pathen\s+\=\s+base64\_encode\(\$path\)\;.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_\w\s+\=\s+\'\'\.chr\(([0-9]{1,5})\)\.\'\'\.chr\(([0-9]{1,5})\)\.\'([A-z0-9]{1,20})\'\.chr\(([0-9]{1,5})\)\.\'de\'\s+\;\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\_\w\(\'\'\,array\(.+?\)\)\;\$([A-z0-9]{1,20})\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;.+?array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\).+?eval.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php.+?\'\'\.chr\(.+?\'\.chr\(.+?\(\'\'\,array\(.+?\)\.\'e64\_deco\'\.chr\(.+?\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+header\(\'Content\-Type\:text\/.+?define\(\'SHELL\_PASSWORD\'\,.+?API\_VERSION\,\s+2\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*a\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t.+?\*\/\s+\?>/is,
qr/<\?php.+?\'\.chr\(.+?\)\.\'\'\.chr\(.+?aWYo.+?\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\)\)\;\?>/is,
qr/<\?php\s+define\(\'EXT\_MYSQLI\'\,\s+\'mysqli\'\)\;.+?\{\s+if\s+\(file\_exists\(sprintf\(\'\%s\/wp\-config\.php\'.+?\s+break\;\s+\}\s+\}\s+else\s+\{\s+die\(\'ympf\'\)\;\s+\}/is,
qr/<\?php\s+\$.+?\=\s+array\(.+?\=\s+array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\('g\'\,\s+\'z\'\,\s+\'u\'\,\s+\'n\'\,\s+\'c\'\,\s+\'o\'\,\s+\'m\'\,\s+\'p\'\,\s+\'r\'\,\s+\'e\'\,\s+\'s\'\,\s+\'s\'\)\s+\;\$.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\)\.\'\'\.chr\(.+?\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+assert\_options\(ASSERT\_WARNING\,0\)\;.+?function\s+hex2ascii\(\$.+?\'e\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'.+?\.\'\'\.\'\'\.\'\'\.\'v\'\.\'a\'\.\'l\'\.\'\(\$.+?assert\(\$\w\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$([A-z0-9]{1,20})\s+\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'g\'\.\s+\'z\'\.\s+\'u\'\.\s+\'n\'\.\s+\'c\'.\s+\'o\'\.\s+\'m\'\.\s+\'p\'\.\s+\'r\'\.\s+\'e\'\.\s+\'s\'\.\s+\'s\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\@session\_start\(\)\;.+?if\(\$chk\_login\).+?echo\s+\$buff\;\s+\}\s+\?>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/GIF89a\?<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/is,
qr/<title>MCL<\/title><form\s+enctype\=multipart\/form\-data\s+method\=post>.+?<\?\s+echo\s+base64\_decode\(.+?\$fp\=fopen\(base64\_decode\(\$\_REQUEST\[.+?\@copy\(\$\_FILES\[.+?\}\}\;\s+\?>/is,
qr/<\?php\s+\$a\=\"4\"\;\s+\$b\=\"0\"\;\s+\$c\=\"4\"\;\s+echo\s+\$a\.\$b\.\$c\.\"\#\"\;\s+\?>\s+<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\s+\$\w\_File\=fopen\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\"\/1\.txt\"\,\"w\"\)\;\s+if\(\!\$\w\_File\)\s+echo\s+\"writewrong\"\;\s+else\s+echo\s+\"writeok\"\;\s+\?>/is,
qr/GIF89a\s+<\%\s+eval\s+request\(\"([A-z0-9]{1,20})\"\)\%>\s+abcabcabc/is,
qr/GIF89a<\?php\s+\@eval\(\$\_POST\[.+?\$response\s+\=\s+curl\(\$shell\_url\)\;.+?function\s+getcontent\(\$file\)\{.+?return\s+\$tmp\_content\;\s+\}/is,
qr/GIF89a.+?<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is,
qr/GIF89a<\?PHP\s+fputs\(fopen\(\'([A-z0-9]{1,20})\.php\'\,\'w\'\)\,\'<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>abcabcabc\'\)\;\?>/is,
qr/<\?php\s+echo\s+\'<form\s+action\=\"\".+?\$\_POST\[\'\_\'\]\=\=\"GO\"\)\{if\(\@copy\(\$\_FILES\[.+?Err<\/b>\'\;\}\}\?>/is,
qr/GIF89a\?\s+<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/is,
qr/\%PDF\-\d\.\d.+?<\?php\s+\@include.+?<title>\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+chmod\.php<\/title>.+?print\s+\$footer\;.+?exit\(\)\;\s+\?>/is,
qr/<\?php\s+\/\/header\(.+?\=urldecode\(.+?\\x\d\d\"\]\(\)\;\?>/is,
qr/<\?\s+eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+\$\{\"\\x.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?base64\_decode\(substr\(\$\{\$\{.+?\}\;\}exit\(\)\;\}break\;\}\}\}\}\}\s+\?>/is,
# qr/GIF89a.+?<\?php.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'\;\$.+?\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$s\_pass\s+\=.+?\$s\_func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$b374k\=\@\$s\_func\(\'\$x\,\$y\'\,\'ev\'\.\'al\'\.\'\(\"\\\$\s\_pass\=\\\"\$y\\\"\;\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$x\)\)\)\;\'\)\;\@\$b374k\(.+?\$s\_pass\)\;\?>/is,
qr/\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode\(.+?file\_put\_contents\(\"tivuser\.zip\"\,\$data\)\;.+?die\(\"([0-9]{1,20})\"\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=.+?array\(.+?\$([A-z0-9]{1,20})\s+=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'b\'\s+\,\'a\'\s+\,\'s\'\s+\,\'e\'\s+\,\'6\'\s+\,\'4\'\s+\,\'\_\'\s+\,\'d\'\s+\,\'e\'\s+\,\'c\'\s+\,\'o\'\s+\,\'d\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\=\s+array\(.+?\'esab\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\.\'\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/\$z\=get\_option\(\"([A-z0-9]{20,})\"\)\;\s+\$z\=base64\_decode\(str\_rot13\(\$z\)\)\;\s+if\(strpos\(\$z\,\"([A-z0-9]{1,20})\"\)\!\=\=false\)\{\s+\$\_z\=create\_function\(\"\"\,\$z\)\;\s+\@\$\_z\(\)\;\s+\}/is,
qr/function\s+add\_js\_scripts\(\)\s+\{\s+wp\_enqueue\_script\(\'js\-rws\'\,\s+\'http\:\/\/cloudflare\.solutions.+?wp\_enqueue\_script\(\'js\-cors\'\,\s+\'http\:\/\/cloudflare\.solutions\/ajax\/libs\/cors\/cors\.js\'\,\s+\'\'\,\s+null\,\s+true\)\;\s+\}.+?add\_action\(\'login\_enqueue\_scripts\'\,\s+\'add\_js\_scripts\'\s+\)\;/is,
qr/<html><head><meta.+?Mocus7Shell.+?<\?php\s+echo\s+wordwrap\(php\_uname\(\).+?<\/body><\/html><\?php\s+chdir\(\$lastdir\)\;\s+c79shexit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+session\_start\(\)\;.+?\@clearstatcache\(\)\;.+?\$auth\_pass\s+\=.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$([A-z0-9]{1,20})\)\)\)\)\)\)\)\)\;/is,
qr/<\!doctype.+?L0LZ666H05T.+?<\/body>\s+<html>/is,
qr/<html>\s+<head>.+?213\_90N6.+?<\/body>\s+<\/html>/is,
qr/<iframe\s+width\=0px\s+height\=0px\s+frameborder\=no\s+name\=frame1\s+src\=http\:\/\/.+?\.ru>\s+<\/iframe>/is,
qr/<\?php\s+\$\{.+?\"\;eval\(base64\_decode\(\$\{\$\{\"G\\x.+?\"\;eval\(base64\_decode\(\$\{\$.+?\}\,CURLOPT\_CONNECTTIMEOUT\,10\)\;curl\_setopt\(\$\{\$\{.+?>\"\;\s+\?>/is,
qr/<\?php.+?x48x\s+Mini\s+Shell\s+Backdoor.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+\?>/is,
qr/<\?php\s+\/\*\s+MMM\s+\*\/\$OOO000000\=urldecode\(.+?\}\;\$GLOBALS\[.+?\=\_\_FILE\_\_\;\$.+?\)\)\;return\;\?.+?\=([A-z0-9]{1,20})/is,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?eval\(base64\_decode\(file\_get\_contents\(\'https\:\/\/pastebin\.com\/raw\/.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\{.+?\"\;function\s+http\_get\(\$url\)\{\$\{.+?\]\}\=curl\_init\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;\$\{\"G.+?\]\}\,CURLOPT\_FOLLOWLOCATION\,1\)\;curl\_setopt\(\$\{\$\{.+?\"\;return\s+curl\_exec\(\$\{\$\{\"GLO.+?\]\}\)\)\$\_POST\[.+?\"\.\$\_POST\[\"\w\"\]\)\;\s+\?>/is,
qr/<html>\s+<head>\s+<title>Shell\s+Helix\s+Sunda\s+Version.+?BConfig\s+Fucker.+?fclose\s+\(\$dosya\)\;\s+\$([A-z0-9]{1,10})\s+\=\'([A-z0-9]{100,}).+?<\/font>\s+<\/footer>\s+<\/html>/is,
qr/<\?php.+?VARIABLES\s+GOES\s+HERE.+?\$shell\_fake\_name.+?RESOURCES\s+GOES\s+HERE.+?\$icon\s+\=\s+\".+?<\/html>\"\;\s+echo\s+preg\_replace\(\"\/\\s\+\/\"\,\"\s+\"\,\$html\_final\)\;\s+\?>/is,
qr/<html><head>.+?<address>Apache\s+Server\s+at.+?Math\.floor\(Math\.random\(\)\*99999999999\)\;var\s+url\s+\=\s+idc\_glo\_url\+.+?else\s+login\_shell\(\)\;\s+if\(isset\(\$\_GET\[\'file\'\]\).+?return\s+\$buff\;\s+\}\s+\}\s+\?>.+?<\/font>\s+<\/footer>\s+<\/html>/is,
qr/<html>.+?Shell\s+priv\s+\/\/F3KS3C.+?\}\s+elseif\(\$\_GET\[\'do\'\]\s+\=\=\s+\'whois\'\)\s+\{\s+\?>.+?<\/select>\&nbsp\;\s+<\/form>/is,
qr/}\s+\}\s+function\s+login\_shell\(\)\s+\{\s+\?>/is,
qr/<script\s+type\=\"text\/javascript\">.+?<\/script>\s+<\/head>\s+<\?php.+?\.\/Mr\.\s+aQ\..+?function\s+w\_wget\(\$array\)\{.+?mail\(\$idb1\,\s+\"Tetep\s+Ganteng\"\,\s+\$idb3\,\s+\"\[\s+\"\s+\.\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\s+.\s+\"\s+\]\"\)\;\s+\*\/\s+\?>.+?<\/html>/is,
qr/<\!DOCTYPE.+?Yhuricka<\/title>.+?uid\=0\(root\)\s+gid\=0\(root\)\s+groups\=0\(root\).+?0ut<\/font>\s+<\/div>/is,
qr/<\!DOCTYPE.+?HACKED.+?<\/html>.+?<\!\-\-\s+document\.write\(unescape\(.+?\/\/\-\->\s+<\/script>/is,
qr/<\?php\s+\$auth\_pass\s+\=\s+\".+?\"\;\s+\/\/\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is,
qr/<html>\s+<head>\s+<title>Shell\s+Login<\/title>.+?<\?php\s+function\s+w\(\$dir\,\$perm\)\s+\{.+?if\(isset\(\$\_POST\[\'phpconfig\'\]\)\)\s+\{\s+\?>/is,
qr/<\?php\s+\/\*\s+\*\s+Ochillroot\s+Shell.+?\@clearstatcache\(\)\;.+?\{\$text\s+\=\s+\$\_POST\[\'code\'\]\;\s+\?>/is,
qr/<html>\s+<\!\-\-\s+Hacked\s+by.+?<\/body>\s+<\/html>/is,
qr/<SCRIPT\s+Language\=VBScript><\!\-\-\s+DropFileName\s+\=\s+\"svchost\.exe\"\s+WriteData\s+\=.+?Set\s+WSHshell\s+\=\s+CreateObject\(\"WScript\.Shell\"\)\s+WSHshell\.Run\s+DropPath\,\s+0\s+\/\/\-\-><\/SCRIPT>/is,
qr/<\?php.+?\$auth\_pass\s+\=\s+\".+?\"\;\s+\/\/\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is,
qr/<\?php\s+\$\{.+?\"\;if\(get\_magic\_quotes\_gpc\(\)\)\{\$.+?\)\)\;return\$\{\$([A-z0-9]{1,20})\}\;\}\s+\?>/is,
qr/<\?php.+?\@clearstatcache\(\)\;.+?echo\s+\"<center>Copyright\s+\&copy\;.+?\}\s+\?>/is,
qr/<\?php.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{.+?if\(\!is\_readable\(\$dir\)\)\s+\{.+?\}\s+\?>\s+<\/html>/is,
qr/<\?php.+?if\(get\_magic\_quotes\_gpc\(\)\)\{.+?foreach\(\$scandir\s+as\s+\$dir\)\{.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+ini\_get\(\'max\_execution\_time\'\)\;.+?\$message\s+\=\s+stripslashes\(\$message\)\;.+?BLACKER\.X\s+<\/p>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$web\s+\=\s+\$\_SERVER\[\"HTTP\_HOST\"\]\;.+?Shell\s+http\:\/\/\$web\$inj.+?IP\:\s+\"\;\s+\}\s+\?>/is,
qr/<\?php.+?\$\{.+?\$\{.+?\$\{.+?\;\$\{\"G.+?\;\$\{\"G.+?\;\$\{\"G.+?\}\)\;\}\}\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is,
qr/<\?php\s+echo\s+\'<form\s+action\=\"\"\s+method\=\"post\"\s+enctype\=\"multipart\/form\-data\"\s+name\=\"upl\"\s+id\=\"upl\">\'\;echo\s+\'<input\s+type\=\"file\"\s+name\=\"file\"\s+size\=\"50\"><input\s+name\=\"\_upl\"\s+type\=\"submit\"\s+id\=\"\_upl\"\s+value\=\"Upload\"><\/form>\'\;if\(\s+\$\_POST\[\'\_upl\'\]\s+\=\=\s+\"Upload\"\s+\)\s+\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\]\,\s+\$\_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\s+\'a\'\;\s+\}else\s+\{echo\s+\'b\'\;\}\}\?>/is,
qr/<\?php\s+header\(\'Content\-Type\:.+?Hacker\s+Shell.+?\)\;break\;default\:home\(\)\;break\;\}\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[.+?\)\;\s+\?><\?php.+?\=urldecode\(.+?create\s+ok\!\"\;\}\}exit\;\'\)\;\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+\/\/header\(.+?\=urldecode\(.+?\$start\)\,\(\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+if\(\!function\_exists\(.+?\)\+ord\(\$.+?\=strlen\(\$.+?preg\_match\(base64\_decode\(.+?\;\}\}\}\}eval\(.+?\)\)\;\?>/is,
qr/<\?\s+function\s+query\_str\(\$params\)\{.+?BlackSHOP.+?\$numemails\s+\=\s+count\(\$allemails\)\;\s+\$random\_smtp\_string\=array\(.+?eval\(base64\_decode\(\$undetect\)\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$\w\=base64\_decode\(\'.+?\'\)\.\$\_GET\[\'\w\'\]\.\'\w\'\;\@\$\w\(\$\_POST\[\'\w\'\]\)\;echo\s+\"abc\"\?>/is,
qr/<\?php.+?Akismet3.+?str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(.+?create\_function\(null\,\s+\$.+?\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{20,})\=.+?\"\;\s+eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{20,})\)\)\)\)\;\?>/is,
qr/<\?php\s+\$wp\_load\s+\=\s+\"wp\-load\.php\"\;\s+\$wp\_pluggable\s+\=\s+\"wp\-includes\/pluggable\.php\"\;.+?No\s+posts\s+found<\/error>\"\;\s+\}\s+\}\s+\?><\?php\s+\/\*\s+wp\-code\-inserted\s+\*\/\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'base\'\s+\.\'64\_d\'\s+\.\'ecod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?\=\s+array\(\".+?\)\;\s+eval\(\s+\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(E\_ERROR.+?global\s+\$site\_root\_dir\;.+?if\(PLATFORM\s+\=\=\s+WORDPRESS\)\s+\{.+?\/\/print\s+PLATFORM\;\s+\/\/print\_r\(\$all\_dirs\)\;\s+\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\/e\"\,\$\_POST\[\'.+?\'\]\,\"Access\s+Denied\"\)\;\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,})\'\]\)\;\s+\?>/is,
qr/<\?php.+?if\(isset\(\$\_GET\[\'check\'\]\)\)\{\s+\$file\[\]\s+\=\s+\'id0\.php\'\;.+?curl\_close\(\$ch\)\;\s+\}\s+return\s+\$data\;\s+\}/is,
qr/<\?php\s+\$arrId\s+\=\s+array\(.+?\'([0-9]{1,20})\-([0-9]{1,20})\'\,.+?\)\;\s+\?>/is,
qr/<\?php.+?\$arrnametime\[\]\=.+?\$arr\_word\[.+?\$arr\_key\[\]\=.+?\$strRand\[.+?return\s+\(\$ip\s+\?\s+\$ip\s+\:\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\;\}\s+\/\/file\s+end/is,
qr/<\?php\s+\$\{\"G.+?\(\$\{\$\{\"G\\x\d\wOB\\x\d\dL\\x\d\d\"\}\[.+?\\n\"\;\s+\?>/is,
qr/<\?php\s+echo\s+\'\s+<title>unzip\s+file\s+by\s+ahwak2000.+?\/\/by\s+ahwak2000\s+\?>/is,
qr/<\?php\s+\$\w\=\"ass\"\.\"ert\"\;\s+\$\w\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'([A-z0-9]{1,})\'\]\)\;\?>/is,
qr/<\?php\s+mb\_http\_input\(.+?\.php\_uname\(\)\..+?Upload\s+Failed\s+\!\!\!.+?while\(\$email\[\$i\]\).+?\$voy\+\+\;\s+\}\s+\?>\s+<\/DIV>\s+<\/div>\s+<\/form>/is,
qr/<\?php.+?\/\/w4l3XzY3\s+wuz\s+here\s+if\(isset\(\$\_POST\[\'action\'\]\s+\)\s+\)\{.+?\?>\s+<\?php\s+if\(isset\(\$\_GET\[\'u\'\]\).+?\.php\_uname\(\)\..+?\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+echo\s+\"walex\\n\"\;\s+echo\s+php\_uname\(\)\;\s+\@unlink\(\_\_FILE\_\_\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=.+?\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\!DOCTYPE.+?Spyus\s+ANH\s+Mailer.+?PRIV8\s+MA\!L3R.+?<\?php\s+\(\@copy\(\$\_FILES\[.+?<\/script>\s+<\/body>\s+<\/html>/is,
qr/<\?php.+?priv8.+?eval\(.+?\}\?>/is,
qr/<\?php\s+if\s+\(\!function\_exists\(.+?\=\s+base64\_decode\(\$.+?preg\_match\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+eval\s+\(\$\_POST\[\d\]\)\;\s+\?>/is,
qr/<\?php\s+\$auth\_pass\s+\=\s+\"\"\;.+?\$default\_action\s+\=\s+base64\_decode\(\'.+?eval\(base64\_decode\(.+?\)\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"\w\"\]\)\)\s+\{\$\w\=\"ass\"\.\"ert\"\;\$\w\=\$\w\(\$\_REQUEST\[\"\w\"\]\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'g\'\,\s+\'z\'\,\s+\'u\'\,\s+\'n\'\,\s+\'c\'\,\s+\'o\'\,\s+\'m\'\,\s+\'p\'\,\s+\'r\'\,\s+\'e\'\,\s+\'s\'\,\s+\'s\'\)\s+\;\$.+?\)\;\s+eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?\s+error\_reporting\(0\)\;\$\w\=\(isset\(\$\_SERVER\[\"HTTP\_HOST\"\]\)\?\$\_SERVER\[.+?if\(\$\w\=file\_get\_contents\(base64\_decode\(.+?\$\w\=curl\_exec\(\$\w+\)\;curl\_close\(\$\w+\)\;eval\(\$\w\)\;\}\;die\(\)\;\s+\?>/is,
qr/<\?php.+?\$wordpress\_main\_content.+?\$joomla\_main\_content.+?return\s+false\;\s+\}\s+\?>/is,
qr/<\?php.+?zen\.spamhaus\.org.+?implode\(\"\.\"\,\s+array\_reverse\(explode\(\"\.\"\,\s+\$.+?echo\(result\(array\(.+?\?>/is,
qr/<\?php\s+\/\*\s+([A-z0-9]{1,20})\s+\*\/\s+\$eval\=\(\"\?>\"\.gzuncompress\(base64\_decode\(.+?\)\)\)\;\@eval\(\$eval\)\;\s+\?>/is,
qr/\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'decode\'\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?function\s+get\_data\_ya\(\$url\)\s+\{.+?function\s+wp\_cd\(.+?unlink\(\"\{\$([A-z0-9]{1,20})\}\.\$([A-z0-9]{1,20})\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\'([A-z0-9]{1,20})\'\;\s+\}/is,
qr/<\?php\s+echo\s+\"Uname\:\"\.system\(\'uname\s+\-a\'\)\;.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(\$([A-z0-9]{1,20})\_\=implode\(\"\"\,\$\_POST\)\)\{\$([A-z0-9]{1,20})\_\=tmpfile\(\)\;fwrite\(\$([A-z0-9]{1,20})\_\,rawurldecode\(\$([A-z0-9]{1,20})\_\)\)\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=stream\_get\_meta\_data\(\$([A-z0-9]{1,20})\_\)\;require\_once\(\$([A-z0-9]{1,20})\[\"uri\"\]\)\;\/\*([A-z0-9]{1,20})\*\/\}else\s+die\(\"error\"\)\;\?>/is,
qr/<\?php.+?b374k.+?\$GLOBALS\[\'pass\'\]\s+\=.+?\$func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$b374k\=\$func\(\'\$\w\'\,\'ev\'\.\'al\'\.\'\(\"\?>\"\.gz\'\.\'un\'\.\'com\'\.\'pre\'\.\'ss\(ba\'\.\'se\'\.\'64\'\.\'\_de\'\.\'co\'\.\'de\(\$\w\)\)\)\;\'\)\;\$b374k\(\".+?\)\;\?>/is,
qr/<\?php\s+\$target\_path\=basename\(\$\_FILES\[.+?\]\)\;if\(move\_uploaded\_file\(\$\_FILES\[.+?><input\s+type\=\"submit\"\s+value\=\"Upload\s+File\"\/><\/form>/is,
qr/<\?php\s+\$auth\s+\=.+?function\s+display\_auth\_form\(\)\s+\{.+?auth\(\)\;.+?if\s+\(isset\(\$\_POST\[\'action\'\]\)\).+?default\:\s+return\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\]\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\}\s+\}\s+if\s+\(\$([A-z0-9]{1,20})\s+>\=\s+\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\s+\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}/is,
qr/<\?php.+?eval\(\"\\\$\w\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(\\\".+?\\\"\)\)\;\"\)\;eval\(\"\?>\"\.\$\w\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\'\'\;\@eval\(base64\_decode\(.+?\)\)\;\/\*\,\*\//is,
qr/<\?php\s+preg\_replace\(\"\\x.+?\\x3B\"\,\"\"\)\;\s+\?>/is,
qr/<\?php.+?WordPress\s+Options\s+Header.+?eval\(gzinflate\(base64\_decode\(rawurldecode\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$extraneous\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(\\\"\$extraneous\\\"\)\;\"\)\s+\?>/is,
qr/<\?php\s+header\(\'Location\:\s+http\:\/\/.+?\/\'\)\;exit\;\s+\?>/is,
qr/<\?php\s+\$code\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(\\\"\$code\\\"\)\;\"\)\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+\?>/is,
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"yfegmf\"\]\=\".+?\$GLOBALS\[\'yfegmf\'\]\;\$.+?\)\)\;\}\;eval\(.+?\)\)\;\}\;\?>/is,
qr/<\?php.+?if\(isset\(\$\_REQUEST\[.+?\]\;\s+eval\(\$.+?\)\;\s+exit\(0\)\;\s+\}\s+if\(isset\(\$\_REQUEST\[.+?\=\s+fwrite\(\$.+?\)\;\s+echo\s+\$([A-z0-9]{1,20})\;\s+exit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+mail\(stripslashes\(\$.+?if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+\/\/([A-z0-9]{100,}).+?eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$hash\s+\=.+?\$search\s+\=\s+\'\'\;\s+\$wp\_file\_descriptions\s+\=\s+array\(.+?\/\/\s+Deprecated\s+files\s+\'md5\_check\.php\'\s+\=>.+?\$wp\_template\s+\=\s+\@preg\_replace\(.+?\]\)\;\s+\?>/is,
qr/<\?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$wp\_default\_logo\s+\=.+?echo\s+\$wp\_auth\_check\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\'.+?\)\;\s+\$([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+if\s+\(\$\_REQUEST\[.+?\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;.+?\{echo\s+\'bad\s+request\'\;\}.+?\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;.+?if\(\!empty\(\$\_REQUEST\[\$.+?\=\"ass\"\.\/\*\;\$\w\=\*\/\"ert\"\;\@\$\w\(stripslashes\(\$\_REQUEST\[\$.+?\]\)\)\;\}else\@unlink\(\_\_FILE\_\_\)\;.+?\/\/([A-z0-9]{5,})\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\(\'\'\,\$([A-z0-9]{1,20})\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?\)\;\s+eval\(\s+\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\'\'\,\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\)\;\s+eval\(\s+\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'s\'\.chr\(.+?\)\.\'rrev\'\;\$.+?\=\s+array\(.+?\(\'e\'\.\'t\'\.\'a\'\.\'l\'\.\'f\'\.\'n\'\.\'i\'\.\'z\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\$.+?\)\.\'rev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'ced\'\.\'\_46\'\.\'esa\'\.\'b\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+inject\_gtm\(\$file\,\s+\&\$arr\).+?\$script\s+\=\s+\'\$\{.+?<<\/DEL\_FAIL>>\"\;\s+\}/is,
qr/<\?php\s+\$\{\"\\x.+?\;\$\{\"GLOB\\x.+?\)\;\$\{\$\{.+?ALS\"\}\[\".+?\@\$\{\$([A-z0-9]{1,20})\}\(\$\_POST\[\"\w\"\]\)\;echo.+?\;\?>/is,
qr/<\?php\s+echo.+?\.php\_uname\(\)\..+?Upload.+?Upload.+?Upload.+?\}\s+\}\s+\?>/is,
qr/<\?php\s+\$.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;.+?eval\s+\(gzinflate\(base64\_decode\(\$\w\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\$\_POST\[\'([A-z0-9]{1,20})\'\]\;if\(\$([A-z0-9]{1,20})\!\=\'\'\)\{\$([A-z0-9]{1,20})\=base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\@eval\(\"\\\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\"\)\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?\$email\s+\=\s+\@base64\_decode\(.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
qr/<\?php\s+\/\*Details.+?\$auth\_pass\s+\=.+?\$\_\_\=s\(base64\_decode\(.+?\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
qr/eval\(str\_rot13\(\'([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\{\$\w\=.+?\$\w\=([A-z0-9]{1,20})\(\_\_([A-z0-9]{1,20})\_\_\)\..+?\}\}([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\;\'\)\)\;/is,
qr/<html>\s+<head>\s+<title>Local\s+DOMAIN\:USER\s+Show\s+\|\s+by\s+\[\s+Lagripe\-Dz\s+\]<\/title>.+?\@implode\(\@file\(\"\/etc\/named\.conf\"\)\)\;.+?<\/body>\s+\<\/html>/is,
qr/<\?php.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'base\'\s+\.\'64\_d\'\s+\.\'ecod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$auth\_pass.+?Shell.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$pass\s+\=.+?Blackwave\s+Mass\s+Defacer.+?Contact\s+Me<\/font>/is,
qr/<\?php.+?PHP\s+Encoder\s+priv8.+?set\_time\_limit\(0\)\;error\_reporting\(0\)\;preg\_replace\(\"\\x.+?\)\;\s+\?>/is,
qr/<\?php\s+\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?Found\'\)\;\s+exit\;/is,
qr/<\?php.+?\$wp\_object\_cache\s+\=.+?strrev\(\'edo\'\.\'c\'\.\'ed\_4\'\.\'6e\'\.\'sab\'\)\;.+?strrev\(\'ecalp\'\.\'er\'\.\'\_ge\'\.\'rp\'\)\;.+?\\x3B\"\,\"\.\"\)\;\s+\?>/is,
qr/\#\!\/usr\/bin\/perl.+?use\s+MIME\:\:Base64.+?\}\)\{print\s+decode\_base64\(\$.+?system\(decode\_base64\(\$.+?<\/pre>\"\}\}/is,
qr/\#Coded\s+By.+?AddHandler\s+cgi\-script\s+\.alfa/is,
qr/\#\!\/usr\/bin\/perl\s+\-I\/usr\/local\/bandmin\s+use\s+MIME\:\:Base64\;use\s+Compress\:\:Zlib\;eval\(Compress\:\:Zlib\:\:memGunzip\(decode\_base64\(.+?\)\)\)\;/is,
qr/\#\!\/usr\/bin\/python\s+import\s+zlib\,\s+base64\s+eval\(compile\(zlib\.decompress\(base64\.b64decode\(.+?\)\)\,\'<string>\'\,\'exec\'\)\)/is,
qr/<center><H2>\s+<SCRIPT>.+?function\s+string2array\(text\).+?while\(farben\.length<text\.length\).+?\/\/document\.write\(text\)\;\s+<\/SCRIPT><\/H2><\/center>/is,
qr/<\!DOCTYPE.+?Stupidc0de\s+Shell.+?\+\s+copyright\s+\+.+?<\/div>\s+<\/BODY><\/html>/is,
qr/<\?php.+?\$me\s+\=\s+basename\(\_\_FILE\_\_\)\;\s+\$cookiename\s+\=.+?ours\s+\:\-\)\s+exit\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)\s+or\s+die\;\/\*\'\..+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
qr/<\?php\s+\$sh\_name\s+\=\s+\"x0rg\-Bypass\s+w0rms\.com\"\;.+?Restricted\s+Area.+?capriv8exit\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)die\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20}).+?\$\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\&\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\(\/\*.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\(([A-z0-9]{1,20})\.\'@\'\..+?\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\/\*.+?\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
qr/<\?php\s+\$OO00O0\=\d\;eval\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\?>/is,
qr/<\?php\s+\$OO00O0\=\d\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/is,
qr/RewriteRule\s+\^g\(\\d\+\)\[\-\/\]\.\*.+?RewriteRule\s+\^v\(\\d\+\)\[\-\/\]\.\*.+?RewriteRule\s+\^\.\*\[\-\/\]g\(\\d\+\)\[\-\/\]v\(\\d\+\)\[\-\/\]\.\*\$\s+index\\\.php\?id\=\$1\-\$2\&\%\{QUERY\_STRING\}\s+\[L\]/is,
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\@unlink\(\"1\.sh\"\)\;\s+\?>/is,
qr/<\?php.+?function\s+getDirContents\(\$dir\)\s+\{.+?if\(unlink\(\$path\.\'\/wp\-admin\/update\-core\.php\'\)\)\s+\{.+?\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\'\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'\'\,\'.+?\;\$([A-z0-9]{1,20})\.\=\"\\x\d\w\\x\d\d\"\;\s+\$([A-z0-9]{1,20})\.\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
qr/<\?php\s+if\(isset\(\$\_SERVER\[\"HTTP\_USER_AGENT\"\]\)\s+\&\&\s+\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\s+\&\&\s+\!preg\_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam\/i\"\,\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\}\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\(\'e\'\.\'d\'\.\'o\'\.\'c\'\.\'e\'\.\'d\'\.\'\_\'\.\'4\'\.\'6\'\.\'e\'\.\'s\'\.\'a\'\.\'b\'\)\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'str\'\.\'rev\'\;\$.+?array.+?\(\'edolpmi\'\)\;\$.+?eval.+?\?>/is,
qr/<\?php.+?1337.+?\?>\s+<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*.+?UBH\s+CSU.+?add\_action\(\"\\x.+?plugins\_url\(.+?\?>/is,
qr/<\?php\s+\$\{\"GLOBAL\\x.+?\"\]\,\"\"\.\$\_FILES\[\".+?\"\]\}\=str\_replace\(\".+?\"\;\}\}\s+\?>/is,
qr/<\?php\s+\/\*\s+b374k.+?if\(isset\(\$\_COOKIE\[\'b374k\'\]\)\)\{.+?\.\$s\_name\;\s+\?><\/p>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+function\s+sgen\(\)\s+\{\$vals\s+\=\s+\"abcdefghijklmnopqrstuvwxyz\"\;\s+\$result\s+\=\s+\"\"\;\s+for\(\$i.+?\.sgen\(\)\.\"\=\"\.bin2hex\(\$\_SERVER\[.+?exit\;\s+\?>/is,
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;\s+\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x\d\d.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x\d\d.+?\)\)\)\s+\$GLOBALS\[\"\\x\d\d.+?\]\=1\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0.+?return\s+base64\_decode\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20}).+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php.+?hello\_dolly.+?\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;.+?add\_action\(\s+\'admin\_head\'\,\s+\'dolly\_css\'\s+\)\;\s+\?>/is,
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"x.+?\"\)\;\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/is,
qr/<html>.+?parent\.window\.opener\.location\=\"http\:\/\/redirg\.info\/\?access\=.+?<\/html>/is,
qr/<\?php.+?\{if\(is\_uploaded\_file\(\$\_FILES\[\"filename\"\]\[\"tmp\_name\"\]\)\)\{.+?\@eval\(\$uidmail\)\;\s+\}/is,
qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/is,
qr/<\?php.+?Joomla\.Site.+?\$p\s+\=\s+getcwd\(\)\;\s+echo\s+\$p\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\(\)\;\s+\?>/is,
qr/<\?PHP\s+\$login.+?\$pass.+?\$md5\_pass\s+\=\s+\"\"\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\/\/\?\?\?\?\?\s+\?>/is,
qr/<\?php.+?if\(\$chk\_login\s+\=\=\s+true\).+?mass\s+mailer\s+\|\:\..+?Sending\s+Completed.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\$so32\s+\=\s+\"\\x.+?\/usr\/bin\/host\"\)\;\s+\?>/is,
qr/<\?php\s+eval\s+\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\s+\?>/is,
qr/\#\!\/bin\/sh.+?sd\@fucksheep\.org.+?\.\/exploit\s+fi/is,
qr/<\?php.+?eMail\s+\~>\s+RealUnix\.net.+?print\s+file\_get\_contents\(\$i\)\;\s+exit\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php.+?class\s+viaWorm\s+\{.+?public\s+function\s+analyzePossibleIndexes\(\)\{.+?\$result\s+\=\s+viaWorm\:\:processHost\(\)\;.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;/is,
qr/<html>.+?Owned\s+by\s+Widex.+?root\@Widex\:\s+\.\/logout<\/p>\s+<\/body>\s+<\/html>/is,
qr/\/\*\s+exploit\s+lib\s+\*\/.+?struct\s+exploit\_state\s+\{.+?pa\_\_init\(NULL\)\;\s+return\s+0\;\s+\}/is,
qr/\/\*.+?sd\@fucksheep\.org.+?struct\s+exploit\_state\s+\{.+?unlink\(\"\.\/suckit\_selinux\_nopz\"\)\;\s+exit\(1\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\'\d\d\'\]\)\)\s+preg\_replace\(\'\/\'\.\'\.\*\/e\'\,\s+\'ev\'\.\'al\s+\(\s+\$\'\.\$([A-z0-9]{1,20})\.\'\[\"\d\d\"\]\)\'\,\s+\'\'\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\/\*\'\..+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/\*\'\.\s+\'\)\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/\*.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/\*([A-z0-9]{1,20})\'\.\s+\'\?\*\/([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\)\)exit\;\$([A-z0-9]{1,20})\(\$.+?array\(\(\'.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20}).+?\'\@\@\@\@.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\,\/\*\'\..+?\'\;/is,
qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
qr/<\?php\s+\$.+?\=\s+array\(\'.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/is,
qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,20})\'\]\,\"([A-z0-9]{1,20})\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w\_\wr\we\wpl\wa\wc\we\"\)\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\=\=\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w_d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w\_\wf\wu\wnc\wt\wi\won\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\)\;\s+\/\/\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\*\*find\s+config\s+files\*\*\*\*\/.+?if\s+\(\!\$ErrorMsg\)\{.+?\}\s+\?>/is,
qr/<\?php\s+\$wphash.+?\$rootpath\s+\=\s+preg\_replace\(\'\/\(htdocs\|httpdocs\|www\).+?\$ErrorMsg\s+\=\s+mysql\_error\(\)\;.+?\}\s+\?>/is,
qr/<\?php\s+\$auth\_pass\s+\=.+?\(base64\_decode\(.+?\)\;\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
qr/<\?php\s+\$zend\_framework\=\"\\x\d\d.+?\"\;\s+\@error\_reporting\(0\)\;\s+\$zend\_framework\(\"\"\,.+?\\x\d\w\"\)\;\s+\?>/is,
qr/\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x23.+?x3b\"\)\;/is,
qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}exit\;\?>/is,
qr/<\?php.+?\=\_\_FILE\_\_\;\$.+?\_\_LINE\_\_\;\$.+?eval\(\(base64\_decode\(.+?\)\)\)\;return\;\?>.+?\/([A-z0-9]{1,20})\=/is,
qr/\$([A-z0-9]{1,20})\s+\=\s+\"\/index\/\?([A-z0-9]{1,20})\"\;.+?\{\$([A-z0-9]{1,20})\=\@fopen\(\$([A-z0-9]{1,20})\,base64\_decode\(.+?\)\)\;\$([A-z0-9]{1,20})\=json\_decode\(base64\_decode\(fread\(\$([A-z0-9]{1,20})\,filesize\(.+?\{setcookie\(base64\_decode\(\'.+?\'\)\,1\,time\(\)\+43200\,base64\_decode\(\'.+?\'\)\)\;echo\s+base64\_decode\(\'([A-z0-9]{20,})\'\)\.\$([A-z0-9]{1,20})\.base64\_decode\(\'([A-z0-9]{20,})\'\)\.\$([A-z0-9]{1,20})\.base64\_decode\(\'.+?\'\)\;\}/is,
qr/<\?php\s+\@set\_time\_limit\(9999\)\;.+?\$imgurl\s+\=\s+base64\_decode\(\$\_GET\[\'getimage\'\]\)\;.+?function\s+traffic\_counter\(\)\{.+?file\_put\_contents\(\$path\,\s+\$file\)\;\s+return\s+true\;\s+\}\s+\?>/is,
qr/<\?php.+?wpsecurity.+?function\s+injectbody\_hide\(\$plugins\)\s+\{.+?\/\/\s+\}\s+\/\/\}\)\;/is,
qr/<\?php.+?wpsupercache.+?function\s+injectscr\_hide\(\$plugins\)\s+\{.+?add\_filter\(\'all\_plugins\'\,\s+\'injectscr\_hide\'\)\;/is,
qr/<script\s+data\-cfasync\=\'false\'\s+type\=\'text\/javascript\'>\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\(c<a\?\'\'\:e\(parseInt\(c\/a\)\)\).+?split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?if\s+\(move\_uploaded\_file\(\$\_FILES\[\'uploadfile\'\]\[\'tmp\_name\'\]\,\s+\$uploadfile\)\).+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=\".+?\"\;preg\_replace\(\"\/\.\*\/e\"\,\"\\x\d\d.+?\\x3B\"\,\"\.\"\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+\$\{\"\\x47LOB.+?\@ini\_set\(\"\\x65.+?WSOsetcookie\(md5\(\$\_SERVER\[.+?\.\$\_POST\[\"a\"\]\)\;exit\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$buffer\s+\=.+?\$newphrase\=str\_replace\(\$.+?eval\(\$\_b\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$s\_pass\s+\=.+?b374k.+?\,\$s\_pass\)\;\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=.+?\\x3B\"\,\"\.\"\)\;return\;\s+\?>/is,
qr/<\?php\s+echo\s+\"<html><head>.+?echo\s+\"<\!\-\-\s+g\(\'FilesMan\'\,\'c\:\/\'\)\s+\-\-\!>\"\;.+?function\s+wscandir\(\$cwdir\)\s+\{.+?echo\s+\"<\/body><\/html>\"\;/is,
qr/\/\/eAccelerate\s+Caching\s+System.+?\!preg\_match\(\"\/\(googlebot\|msnbot\|yahoo\|search\|bing\|ask\|indexer\)\/i\".+?base64\_decode\(.+?\)\:\(\'\'\)\)\.\$output\;\}/is,
qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html\=implode\(.+?array\_unshift\(\$data.+?\$words\_idx\=array\_rand\(\$words\,rand\(\$min\,\$max\)\)\;.+?\"h\"\.\"tac\"\.\"c\"\.\"es\"\.\"s\"\;\$.+?header\(\"HTTP\/1\.1\s+404\s+Not\s+Found\"\)\;echo\(html\(array\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+for\(\$o\=0\,\$e\=\'.+?\'\,\$d\=\'\'\;\@ord\(\$e\[\$o\]\)\;\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]\=\$o\;\}else\{\$d\.\=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\)\;\}\}eval\(\$d\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
qr/<\?php\s+\/\*\*\/\s+eval\(base64\_decode\(\"aWYo.+?\)\)\;\?>/is,
qr/<\?php.+?\$auth\_pass.+?FilesMan.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<div\s+id\=\'HideMeBetter\'>.+?document\.getElementById\(\'HideMeBetter\'\)\.style\.display\s+\=\s+\'none\'\;\}<\/script>/is,
qr/<\!\-\-start\-add\-div\-content\-\-><p\s+class\=\"dnn\">.+?Viagra.+?<\/p><\!\-\-end\-add\-div\-content\-\->/is,
qr/<script\s+language\=\"JavaScript\">\s+function\s+dnnViewState\(\).+?dnnViewState\(\)\;\s+<\/script>/is,
qr/<\?php\s+\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\\x([A-z0-9]{2})\"\;\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\)\)\;\$\_([A-z0-9]{1,20})\(\)\;\?>/is,
qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas.+?array\(\'gzu.+?eval.+?\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\$.+?WP\_Error\_Page\_Not\_Found.+?\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;\}\}\}\}\}\}\}\}\;/is,
qr/<\?php\s+error\_reporting\(0\)\;echo\(\"Form.+?\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\].+?<br>\'\;\}\}\;\}\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?array\(.+?eval\?>/is,
qr/<\?php\s+\$IonTester\s+\=\s+<<<EOT.+?EOT\;\s+\$Keys\s+\=\s+\$\_GET\[.+?\$run\_ioncubetesterplus\s+\=\s+create\_function\(\'\'\,\s+\"\\x.+?\$run\_ioncubetesterplus\(\)\;\s+\?>/is,
qr/if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{.+?\$data\s+\=\s+base64\_decode\(.+?die\(.+?\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\"\_([A-z0-9]{1,20})\"\s+\;\$([A-z0-9]{1,20})\s+\=strtoupper\(\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\s+\)\;\s+if\(\s+isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\s+\'([A-z0-9]{1,20})\'\s+\]\)\)\s+\{\s+eval\(\$\{\s+\$([A-z0-9]{1,20})\}\s+\[\s+\'([A-z0-9]{1,20})\'\s+\]\s+\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\"([A-z0-9]{1,20})\_([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\s+strtolower\(\$([A-z0-9]{1,20})\[\d\d\]\..+?\$([A-z0-9]{1,20})\s+\=strtoupper\(\$([A-z0-9]{1,20})\[\d\]\..+?\{\s+eval\(\$([A-z0-9]{1,20})\(.+?\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\"([A-z0-9]{1,20})\_\"\s+\;\$([A-z0-9]{1,20})\s+\=\s+strtoupper\(\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\s+\)\;\s+if\(\s+isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\s+\'([A-z0-9]{1,20})\'\s+\]\)\)\s+\{\s+eval\(\$\{\s+\$([A-z0-9]{1,20})\}\s+\[\s+\'([A-z0-9]{1,20})\'\s+\]\s+\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?strtoupper\(\$([A-z0-9]{1,20})\[.+?isset\(.+?eval\(.+?\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?strtoupper\(\$([A-z0-9]{1,20})\[.+?isset\(.+?eval\(.+?\}\?>/is,
qr/<\?php\s+\$.+?\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?strtoupper.+?isset\(.+?eval\(.+?\[\'([A-z0-9]{1,20})\'\].+?\?>/is,
qr/<\?php\s+\$.+?\'gzu\'.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\$.+?\'bas\'.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\@eval\(base64\_decode\(([A-z0-9]{20,})\)\)\;\?>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;\@ini\_set\(.+?\{eval\(mcrypt\_decrypt\(MCRYPT\_RIJNDAEL\_256.+?\]\)\,MCRYPT\_MODE\_ECB\)\)\;\}exit\;\?>/is,
qr/<\?php.+?eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\$\_POST\[\'.+?\'\]\)\)\)\)\)\)\;.+?print\s+\$pageData\;\s+\}\s+curl\_close\(\$ch\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\@package\s+WordPress.+?\*\/\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
qr/function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{if\(is\_array\(\$([A-z0-9]{1,20})\)\)\{foreach\(\$([A-z0-9]{1,20})\s+as.+?\$([A-z0-9]{1,20})\=base64\_decode\(\$([A-z0-9]{1,20})\)\;eval\(\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=null\;\}.+?if\(empty\(\$\_SERVER\)\)\$\_SERVER\=\$HTTP\_SERVER\_VARS\;array\_map\(\"([A-z0-9]{1,20})\"\,\$\_SERVER\)\;/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\..+?return\s+\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\..+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+exit\(\)\;\s+\}/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})b([A-z0-9]{1,20})a([A-z0-9]{1,20})s([A-z0-9]{1,20})e([A-z0-9]{1,20})6([A-z0-9]{1,20})4([A-z0-9]{1,20})\_([A-z0-9]{1,20})d([A-z0-9]{1,20})e([A-z0-9]{1,20})c([A-z0-9]{1,20})o([A-z0-9]{1,20})d([A-z0-9]{1,20})e([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=str\_ireplace\(\"\w\"\,.+?user\_error\(\$([A-z0-9]{1,20})\,E\_USER\_ERROR\)\;.+?\/\*\s+([A-z0-9]{1,20})\s+\*\/\s+\?>/is,
qr/<\?php\s+eval\(eval\(\"\\\$\_([A-z0-9]{20,})\s+\=\s+\\x.+?([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\\\$\_([A-z0-9]{20,})\;\}\"\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'c\'\;\$([A-z0-9]{1,20})\=\'n\'\;\$([A-z0-9]{1,20})\=\'4\'\;\$([A-z0-9]{1,20})\=\'f\'\;\$([A-z0-9]{1,20})\=\'z\'\;\$([A-z0-9]{1,20})\=\'d\'\;\$([A-z0-9]{1,20})\=\'s\'\;\$([A-z0-9]{1,20})\=\'6\'\;\$([A-z0-9]{1,20})\=\'b\'\;\$([A-z0-9]{1,20})\=\'i\'\;\$([A-z0-9]{1,20})\=\'o\'\;\$([A-z0-9]{1,20})\=\'e\'\;\$([A-z0-9]{1,20})\=\'a\'\;\$([A-z0-9]{1,20})\=\'t\'\;\$([A-z0-9]{1,20})\=\'\_\'\;\$([A-z0-9]{1,20})\=\'l\'\;\$([A-z0-9]{1,20})\=\'g\'\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\'\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\$\_COOKIE\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\[([A-z0-9]{1,20})\]\;\s+if\(\$([A-z0-9]{1,20})\)\{\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\[([A-z0-9]{1,20})\]\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\[([A-z0-9]{1,20})\]\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\"\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?\'st\'.+?array\(.+?eval\(.+?\;\s+\?>/is,
qr/<\?php\s+eval\(eval\(\"\\\$\_([A-z0-9]{20,})\s+\=\s+\\x.+?\\\"\)\;\s+eval\(\\\$\_([A-z0-9]{20,})\)\;\"\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,20})\s+\.\=\s+isset\(\$.+?\$([A-z0-9]{1,20})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}.+\$([A-z0-9]{1,20})\s+\=\s+Array\(\'.+?\)\;\s+eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\(\$([A-z0-9]{1,20})\=\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/([A-z0-9]{1,20})\/\w\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$([A-z0-9]{1,20})\)\'\,\s+\'([A-z0-9]{1,20})\'\)\;/is,
qr/<\?php\s+if\(isset\(\$\_GET\[.+?\]\)\?base64\_decode\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\:\'\'\;.+?foreach\(array\(\$([A-z0-9]{1,20})\)\s+as\s+\$([A-z0-9]{1,20})\)\{.+?ob\_end\_flush\(\)\;\s+\}/is,
qr/function\s+stripDangerousValues\(\$input\)\s+\{.+?\$\_POST\s+\=\s+stripDangerousValues\(\$\_POST\)\;/is,
qr/<\?php.+?\$rootpath\s+\=\s+preg\_replace\(\'\/\(htdocs\|httpdocs\|www\)\(\.\*\)\/\'\,\'\$1\'\,dirname\(\$\_SERVER\[\"SCRIPT\_FILENAME\"\]\)\)\;.+?return\s+\$result\;\s+\}\s+\?>/is,
qr/<\?php\s+\$urls\s+\=\s+array\s+\(\s+\'http\:\/\/.+?\)\;\s+\$URL\s+\=\s+\$urls\[rand\(0\,\s+count\(\$urls\)\s+\-\s+1\)\]\;\s+header\s+\(\"Location\:\s+\$URL\"\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(md5\(\$\_POST\[.+?\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;.+?array\_walk\(.+?\)\;\}\}\s+\?>/is,
qr/<\?php.+?move\_uploaded\_file\(\$file\,\s+\$name\)\;\s+\}else\{\s+\?>.+?action\=\"<\?\$\_SERVER\[\'PHP\_SELF\'\]\?>\">.+?require\_once\(dirname\(\_\_FILE\_\_\)\.DS\.\'index\.php\'\)\;\s+\?>/is,
qr/Goog1e\_analist\_up<\?php\s+\$.+?\)\{eval\(\$.+?\)\{system\(\$.+?\)\{move\_uploaded\_file\(\$\_FILES\[.+?\]\[\'name\'\]\)\;\}\?>/is,
qr/<\?php\s+function\s+d\(\$.+?\$d\.\=chr\(hexdec\(substr\(\$.+?\}\}eval\(d\(\".+?\)\)\;\s+\?>/is,
qr/<style\s+type\=\"text\/css\">.+?Lampungcarding.+?\$currentCMD.+?exit\;\s+\?>.+?<\/title>/is,
qr/<\!\-\-<\?php\s+if\(\@\$\_REQUEST\[.+?Goog1e\_analist\_certs.+?\{eval\(base64\_decode\(\$.+?\)\{move\_uploaded\_file\(\$.+?\?>\-\->/is,
qr/<\?php\s+if\(isset\(\$\_GET\[\'.+?Goog1e\_analist\_certs.+?\]\)\)\{eval\(base64\_decode\(\$\_POST\[.+?\]\)\;\}\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\{\s+break\;\s+\}\s+\}\s+return\;\s+\}\s+if\s+\(isset\(\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\(([A-z0-9]{1,20})\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\?><\?php\s+\/\*\s+([A-z0-9]{1,20})\s+\*\/\$.+?eval\(\$.+?\/([A-z0-9]{1,20})\=([A-z0-9]{1,20})\Z/is,
qr/<\?php\s+\$f\s+\=\s+fopen\(.+?echo\s+\"HACKED\s+BY.+?\?>/is,
qr/<\?php\s+\/\*.+?\$homedir\s+\=\s+\'\.\/\'\;.+?case\s+\'upload\'\:\s+\$dest\s+\=\s+relative2absolute\(\$file\[\'name\'\]\,\s+\$directory\)\;.+?\.php\_uname\(\)\.\'<br><\/b>\'\;\s+\?>/is,
qr/<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is,
qr/<\?php\s+if\(\!function\_exists\(\'findsysfolder\'\)\)\{function\s+findsysfolder\(\$.+?clearstatcache\(\)\;if\(\!is\_dir\(\$.+?eval\(.+?\)\)\;\?>/is,
qr/<\?php.+?system\s+file\s+do\s+not\s+delete.+?eval\(\$\_\_\_\(\$\_\_\)\)\;/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\s+die\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+if\s+\(isset\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\s+eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
qr/<\?php\s+define\(\'CONFIG_FILE\'\,\s+\'\/images\/config\.db\'\)\;.+?function\s+getLinks\(\$server\_host\,\s+\$server\_port\,\s+\$path\,\s+\$key\).+?process\(\)\;\s+\?>/is,
qr/<\?php.+?Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$.+?\}exit\(\)\;\}\s+\?>/is,
qr/<\?php.+?\]\)\?base64\_decode\(\$\_GET\[.+?ob\_end\_flush\(\)\;/is,
qr/\*\/\s+\$\w\=\@\$\w\(\'\'\,strrev\(\'\;\)\)\]B2D2C\_PTTH\[REVRES\_\$\(edoced\_46esab\(lave\'\)\)\;\@\$\w\(\)\;\s+\/\*/is,
qr/\#\!\/usr\/bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is,
qr/\*\/if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}\/\*/is,
qr/<\?php\s+\$.+?\'str\'\.\'rev\'\;\$.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\$.+?\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\\x66lat\\x65\(b\"\.chr\(97\)\.\"se64\"\.chr\(95\)\.\"\"\.chr\(100\)\..+?\"([0-9]{1,20})\"\);/is,
qr/<\?php.+?Leaf\s+PHP\s+Mailer.+?leafmailer\.pw.+?print\s+\'<\/body>\'\;\s+\?>/is,
qr/<u\s+style\=\"position\:\s+absolute\;\s+width\:\s+1px\;\s+height\:\s+1px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-5000px\;\s+overflow\:\s+hidden\;\">.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is,
qr/<\?php\s+error\_reporting\(.+?\@include\(\$\_FILES\[\'u\'\]\[\'tmp\_name\'\]\)\;.+?header\(\"HTTP\/1\.0\s+404.+?exit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\@assert\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+ignore\_user\_abort\(1\)\;.+?echo\s+ex\(\"cd\s+\/dev\/shm\;rm\s+([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is,
qr/<\?php\s+echo\s+\"test\"\;\s+\?>/is,
qr/<\?php\s+print\s+\"\_\_code\_\_\"\;\s+\?>/is,
qr/<\?php\s+system\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/is,
qr/<\?php\s+system\(\$\_SERVER\[\"HTTP\_SHELL\"\]\)\;\s+\?>/is,
qr/<\?php\s+eval\(stripslashes\(\$\_REQUEST\[\".+?\"\]\)\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/pastie\.org\/([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/.+?\.txt\"\)\;\s+\?>/is,
qr/<\?php\s+\$files\s+\=\s+\@\$\_FILES\[\"files\"\]\;.+?OK\-Click\s+here\!.+?<title>Upload\s+files<\/title>.+?\?>/is,
qr/<\?php\s+ignore\_user\_abort\(true\)\;.+?\$unzip\_path\s+\=\s+\$dir\_path\.\'unzip\.php\'\;.+?echo\s+getURL\(\$url\)\;\s+\}\s+exit\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+function\s+http\_get\(\$url\)\{.+?\/wp\-includes\/wp\-footer\.php.+?\/wp\-admin\/shapes\.php.+?https\:\/\/hastebin\.com\/raw\/.+?fclose\(\$op3\)\;\s+\?>/is,
qr/<\?php\s+function\s+http\_get\(\$url\)\{.+?\/wp\-includes\/wp\-footer\.php.+?\/wp\-admin\/shapes\.php.+?https\:\/\/pastebin\.com\/raw\/.+?\?>/is,
qr/<\?php\s+if\(\$\_POST\[\'Copy\'\]\)\{\s+\$\_\=\"b\"\/\*\*\/\.\"ase64\_decode\"\;\s+preg\_replace\(\"\/\^\/e\"\,\$\_\(\".+?\"\)\,0\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$this\->zipname\s+\=\s+\$p\_zipname\;.+?\$archive\s+\=\s+new\s+PclZip\(\"orppxie\.zip\"\)\;.+?else\s+\{\s+die\(\"1425756856\"\)\;\s+\}/is,
qr/<\?php.+?\/\/PASSWORD\s+CONFIGURATION.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;ob\_clean\(\)\;if\(\!function\_exists\(\'str\_ireplace\'\)\)\{function\s+str\_ireplace\(\$a\,\$b\,\$c\)\{return\s+trim\(preg\_replace\(\"\/\"\.addcslashes\(.+?str\_replace\(\'\{.+?\;\}\}\?>/is,
qr/RewriteEngine\s+On\s+RewriteRule\s+\^\(topic\|hot\|updated\|free\|review\|rewrite\)\-\(\.\*\)\s+index\.php\?\$1\=\$2\s+\[L\]/is,
qr/<\?php\s+function\s+DirFilesR\(\$dir\).+?<title><\?php\s+echo\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\?><\/title>.+?\$k\+\+\;\s+\}\s+\?>\s+<\/table>/is,
qr/<HTML>.+?<title>Hacked\s+by\s+Mister\s+Spy<\/title>.+?dQ\_\-z9pTRL6tA2kqbnXH6A\.jpg\'>/is,
qr/<\?php.+?\?>\%x.+?\/\(\.\*\)\/epreg\_replace.+?\$([A-z0-9]{1,20})\s+\=\s+explode\(chr\(\(.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php.+?\$mosimage\_session\s+\=.+?\$mosimage\_category\_session\(\"\/\.\*\/e\"\,\"\\x.+?\\x3B\"\,\"\.\"\)\;\s+\?>/is,
qr/\$([A-z0-9]{1,20})\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+\"\\x.+?\@eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\)\)\)\)\;/is,
qr/<\?php\s+ini\_set\(\'include\_path\'\,dirname\(\_\_FILE\_\_\)\)\;function.+?\'sprintf\'\)\=\=false\)\?false\:exit\(\)\:exit\(\)\:exit\(\)\:exit\(\)\)\;\}function.+?\)\)\{unlink\(\$.+?\}\s+ini\_set\(\'include\_path\'\,\'\.\'\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\;/is,
qr/<\?php\s+\$auth\_pass\=\"\".+?x3B\"\,\"\.\"\)\;\?>/is,
qr/<\?php\s+\$\w\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$\w\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+class.+?\=base64\_DEcODE\(self\:\:\$\_.+?\(\'\_\'\.\'.+?\'\)\]\)\;endif\;exit\;/is,
qr/<\?php.+?Black\-ID\@W\.Cn.+?preg\_replace\(\"\\x.+?\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\)\;if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
qr/<\?php\s+if\(empty\(\$\_GET\[\'ineedthispage\'\]\)\)\{ini\_set\(\'display\_errors\'\,\"Off\"\)\;ignore\_user\_abort\(.+?\}\}closedir\(\$dir\)\;rmdir\(\$directory\)\;\}\;\s+\/\/item\->alias\s+\?>/is,
qr/<\?php.+?\$pathToDor\s+\=\s+\"\/nsw\-uk\".+?\$cookie\_name\s+\=\s+\'UTCSESSID\'\;.+?setcookie\(\$cookie\_name\,md5\(uniqid\(\)\)\,0\,\'\/\'\,\$cookieDomain\)\;.+?\$curl\_loops\=0\;\s+return\s+\$data\;.+?\?>/is,
qr/<\?php\s+if\(strpos\(strtolower\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\,\'nsw\-uk\'\)\)\{\s+include\(getcwd\(\)\.\'\/version\.php\'\)\;\s+exit\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;exit\;\}\s+if\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\{echo\s+\"([A-z0-9]{1,20})\s+\:\s+([A-z0-9]{1,20})\=\"\;exit\;\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?([A-z0-9]{1,20})\'\;/is,
qr/<\?php.+?if\s+\(\!isset\(\$\_COOKIE\[\'.+?\$compressed\=base64\_decode\(\$cookieData\).+?\$str\=\"<h1>403\s+Forbidden<\/h1><\!\-\-\s+token\:.+?return\s+array\(\$resultHeaders\,\s+\$body\)\;\s+}/is,
qr/<\?PHP\s+\$login.+?\$md5\_pass\s+\=.+?eval\(gzinflate\(base64\_decode\(.+?\?>/is,
qr/<\?\$sInjectPHP\s+\=\s+\"<iframe\s+src\=.+?function\s+Infect\(\$sDir\).+?closedir\(\$hDir\)\;\s+\}\s+\}\s+\?>/is,
qr/<iframe\s+src\=\"http\:\/\/.+?\.php\?.+?\"\s+width\=\"0\"\s+height\=\"0\"\s+frameborder\=\"0\"><\/iframe>/is,
qr/<\?\s+\@include\s+\$\_GET\[\"([A-z0-9]{1,20})\"\]\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/.+?(r57|c99)\?\"\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/.+?bypass\.txt\?\?\"\)\;\s+\?>/is,
qr/<\?php\s+echo\s+base64\_decode\(\"([A-z0-9]{1,20})\"\)\;\s+\@include\(\"http\:\/\/.+?\"\)\;\s+\?>/is,
qr/<\?php\s+echo\s+\"MFTeaM\"\;\@include\(\"http\:\/\/.+?\"\)\;\s+\?>/is,
qr/<\?php.+?preg\_replace\(\"\\x2F.+?\\x3B\"\,\"\\x2E\"\)\;\s+\?>/is,
qr/<\?php\s+\@ob\_start\(\)\;.+?if\s+\(\!isset\(\$\_COOKIE\[\'key\'\]\)\)\s+\{.+?\$func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;.+?\$remove\_tags\(\$content\)\;.+?return\s+\$content\;\s+\}/is,
qr/<\?php\s+eval\s+\(\$\_POST\[\w\]\)\;\s+\?>/is,
qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(stripslashes\(\@\$\_POST\[\(chr\(([0-9]{1,20})\)\.chr\(([0-9]{1,20})\)\)\]\)\)\;\?>/is,
qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\;return\s+base64\_decode\(\$\w\[\$\w\]\)\;\}\s+\?>/is,
qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})\).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,
qr/<\!doctype\s+html>.+?<title>MAILER<\/title>.+?function\s+doset\(\)\s+\{.+?print\s+\"\s+SEND<br>\"\;\s+flush\(\)\;.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<html>\s+<head>\s+<title>Mail<\/title>.+?\$attach\[\$h\]\=\s+base64\_encode\(fread\(\$f\,filesize\(\$HTTP\_POST\_FILES\[\'filename\'\]\[\'tmp\_name\'\]\[\$h\]\)\)\)\;.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<html>\s+<head>\s+<title><\?php\s+tr\(\'name\'\,false\)\;\s+\?>\s+<\?php\s+echo\s+VERSION\;\?><\/title>.+?function\s+pingoutservers\(\)\s+\{.+?function\s+StopSendMail\(\)\s+\{.+?<\/body>\s+<\/html>/is,
qr/<\!DOCTYPE.+?<title>\(c\)\s+private\s+mail\-worker\s+\(c\)<\/title>.+?function\s+randmail\(\).+?\$numemails\s+\=\s+count\(\$allemails\)\;.+?<\/style>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+Error\_Reporting\(E\_ALL.+?<title>FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/title>.+?if\(mail\(\$to\,\s+\$subject\,\s+\$message\,\s+\$header\)\).+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_.+?\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[.+?\]\)\)\;\}exit\;\?>.+?sites\/libasset\.php/is,
qr/<\?php.+?c99\s+injektor.+?<\?php\s+chdir\(\$lastdir\)\;\s+c99shexit\(\)\;\s+\?>/is,
qr/<\?php.+?\$language\=\'ru\'\;.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$script\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?function\s+getUniqueCode\(\)\{.+?\$pageURL\.\"osh3\.php\"\;.+?o3\:\$o3<br>\"\;\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\?>/is,
qr/<\?\s+\$times\=rand\(.+?\$code\=\s+<<<EOD.+?\$encoded\=base64\_encode\(\$code\)\;.+?closedir\(\$dh\)\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?.+?if\(isset\(\$\_SERVER\[\'WINDIR\'\]\)\)\{.+?if\(strstr\(\$contents\,\"c99\"\)\)\{\s+return\s+true\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\@system\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\@shell\_exec\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\?>/is,
qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is,
qr/<\?php.+?\@shell\_exec\(\"cd\s+\/tmp\;\s+wget\s+http\:\/\/.+?\?>/is,
qr/<\?\s+error\_reporting\(.+?\)\.\"\.\"\.base64\_encode\(\$.+?if\s+\(\(include\(base64\_decode\(.+?\)\.\"\/\?\"\.\$str\)\;\}\s+\?>/is,
qr/GIF89a.+?<\?php\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
qr/GIF89a.+?<\?php.+?webadmin\.php.+?function\s+error\s+\(\$phrase\)\s+\{.+?\}\s+\?>/is,
qr/GIF89a.+?<\?php\s+if\s+\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(stripslashes\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+print\s+\'\!hacked\!\'\;\s+\?>/is,
qr/<\?php\s+system\(\'wget\s+http\:\/\/.+?\)\;\?>/is,
qr/<\?php\s+error\_reporting.+?upload\s+shell.+?move\_uploaded\_file\(\$saw1\,\$saw2\)\;\s+\}\s+\?>/is,
qr/GIF89a.+?<\?\s+eval\(stripslashes\(\$\_POST\[\w\]\)\)\;exit\;\?>\;/is,
qr/<\?php\s+error\_reporting\(.+?\$cookiename\=.+?\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+Shell\s+I.+?exit\(\)\;\s+\?>/is,
qr/<\?\s+\$buffer\s+\=.+?\$buffer\.\=.+?\$newphrase\=str\_replace\(.+?eval\(\$\_\w\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?pHp\s+\$([A-z0-9]{1,20})\s+\=\s+urldecode\(\$\_GET\[\'\w\'\]\)\;\s+\@ini\_set\(\'output\_buffering\'\,0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+file\_get\_contents\(\$([A-z0-9]{1,20})\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php.+?function\s+ASGLogin\(\)\s+\{.+?if\s+\(empty\(\$tmpdir\)\).+?<\/html><\?php\s+chdir\(\$lastdir\)\;\s+\?>/is,
qr/<\?php.+?str\_replace\(\"j\"\,\"\"\,\"sjtrj\_jrjejpljajcje\"\)\;.+?\(\"i\"\,\s+\"\"\,\s+\"ibiaisie6i4i\_dieicoide\"\)\;.+?\(\"k\"\,\"\"\,\"crkekatkek\_kfkukncktkikon\"\)\;.+?\(\)\;\s+\?>/is,
qr/GIF89a1\s+<\?php\s+\@error\_reporting\(NULL\).+?\$nowaddress\=.+?\$nowaddress.+?Upload.+?<\/form>\"\;\s+\?>/is,
qr/<\?php\s+echo\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?\/\*\s+eval\(base64\_decode\(+?\)\)\;\s+\*\/\s+\?>/is,
qr/<\?php.+?\$cache\_folder\s+\=\s+\"wtuds\"\;\s+\$template\_folder\s+\=\s+\"sotpie\"\;.+?\$user\_agent\_to\_filter\s+\=\s+array\(.+?exit\;\s+\}\s+\?>/is,
qr/<\?php\s+ignore\_user\_abort\(\)\;.+?if\s+\(strpos\(\$inn\,\s+\"\.php\.suspected\"\)\).+?rename.+?\?>/is,
qr/<\?php\s+extract\(\$\_COOKIE\)\;\s+if\s+\(\$\w\)\s+\{\s+\@\$\w\(\$\w\,\$\w\)\;\s+\@\$\w\(\$\w\(\$\w\,\$\w\)\)\;\s+\}/is,
qr/<\?php\s+eval\s+\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
qr/<\?php\s+header\(.+?\$Remote\_server.+?function\s+GetHtml\(\$url\)\s+\{\s+return\s+getHTTPPage\(\$url\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"\"\;\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\)\;.+?\$([A-z0-9]{1,20})\=array\(.+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+join\(\'\'\,\s+\$([A-z0-9]{1,20})\)\s+\)\;.+?return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
qr/<\?php.+?\$subject\s+\=\s+\"php\s+SSH\"\;.+?if\s+\(\$hist\_arr\)\s+\{.+?<\/BODY>\s+<\/HTML>/is,
qr/<\?php\s+echo\s+\'\'\;\s+\$([A-z0-9]{1,20})\s+\=\s+\"\\x61\"\s+\.\s+\"s\"\s+\.\s+\"\\x73\"\s+\.\s+\"e\"\s+\.\s+\"r\"\s+\.\s+\"\\x74\"\s+\.\s+\"\"\;\s+\@\s+\$([A-z0-9]{1,20})\s+\(\s+\"e\"\s+\.\s+\"v\"\s+\.\s+\"a\"\s+\.\s+\"l\"\s+\.\s+\"\(\"\s+\.\s+\"g\"\s+\.\s+\"z\"\s+\.\s+\"u\"\s+\.\s+\"n\"\s+\.\s+\"c\"\s+\.\s+\"\\x6f\"\s+\.\s+\"m\"\s+\.\s+\"\\x70\"\s+\.\s+\"\\x72\"\s+\.\s+\"E\"\s+\.\s+\"\\x73\"\s+\.\s+\"S\"\s+\.\s+\"\(\"\s+\.\s+\"b\"\s+\.\s+\"a\"\s+\.\s+\"s\"\s+\.\s+\"\\x65\"\s+\.\s+\"6\"\s+\.\s+\"4\"\s+\.\s+\"\\x5f\"\s+\.\s+\"d\"\s+\.\s+\"\\x.+?\)\)\)\;\"\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,.+?function\s+wp\_cd\(\$.+?\$npDcheckClassBgp.+?\}\s+\?>/is,
qr/<\?php\s+\$login\=\"\"\;\s+\$md5\_pass\=\"\".+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*.+?\*\/\s+\@error\_reporting\(0\)\;\s+\@eval\(base64\_decode\(\".+?\)\)\;\s+\/\*.+?\*\/\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\$([A-z0-9]{1,20})\(\"\"\)\;\s+\$([A-z0-9]{1,20})\=\(\d\d\d\-\d\d\d\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'\#\#\#\#\#\#\#\#\#\#\#e\#\#va\#\#\#\#\#\#\#\#l\#\(\#\#b\#\#\#\#\#a\#\#\#\#\#\#\#\#\#\#\#s\#\#\#\#\#e\#\#6\#\#\#\#4\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\_\#\#d\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#e\#\#c\#o\#\#de\#\#\#\#\#\#\#\(\#\#\\\'.+?\$([A-z0-9]{1,20})\=str\_replace\(\'\#\'\,\s+\'\'\,\s+\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=create\_function\(\'\'\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{20,}).+?eval\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+\?>/is,
qr/\/\/\s+([A-z0-9]{20,})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{20,})/is,
qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{20,})\s+\?>/is,
qr/<html>.+?print\s+\"<h1>\#p\@\$c\@\#<\/h1>\\n\"\;.+?touch\/\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is,
qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{20,})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{20,})\(([A-z0-9]{20,})\,([A-z0-9]{20,})\)\)\;\}\;\?>/is,
qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/is,
qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/error\_log\'\,\s+\'a\'\)\;\s+fwrite\(\$fp\,\s+print\_r\(\$output\,\s+TRUE\)\)\;\s+fclose\(\$fp\)\;\s+ob\_end\_clean\(\)\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/is,
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,
qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is,
qr/<span\s+style\=\"position\:absolute\;visibility\:\s+collapse\;\">.+?(viagra|cialis|levira|kamagra).+?<\/a>\s+<\/span>/is,
qr/<\?php.+?c40shell\.php\s+v\.Undetected.+?<\?php\s+chdir\(\$lastdir\)\;\s+c40shexit\(\)\;\s+\?>/is,
qr/<\?PHP\s+\#\s+Web\s+Shell\s+by\s+oRb.+?\\x3B\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?([A-z0-9]{1,20})\|.+?\;\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d\}\.\$([A-z0-9]{1,20})\{\d\d\}\.\$.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?([A-z0-9]{1,20})\=\=\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/is,
qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/is,
qr/<script>\s+var\s+\_0x([A-z0-9]{1,10})\=\[.+?\(\)\;\"\,\"\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2}).+?\]\;eval\(function\(\_0x.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+\/\/3Turr\~C0nfig\s+public\s+edition.+?\@symlink\(\'\/\'\,\s+\'Turr\/root\'\)\;.+?<\/html>\'\;\s+\}\s+\?>/is,
qr/<font\s+id=\"([A-z0-9]{1,20})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a><\/font>/is,
qr/<\?php.+?--==\[\[BSKH Auto Symlink\]\]==--.+?gzinflate\(base64\_decode\(\$.+?\}eval\(.+?\)\);\s+\?>/is,
qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\";\s+\@\s+\?>/is,
);
my @base64_decodes = (
);
my @file_list;
my %possible_list;
my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir);
print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
print "$file<br />\n";
}
print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (keys(%possible_list)) {
print "$key => $possible_list{$key}<br />\n";
}
sub dir {
my ($start_dir) = @_;
unless (opendir(DIR, $start_dir)) {
print "Skipping directory $start_dir: $! <br />";
return;
}
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @files = grep {-T "$start_dir\/$_"} readdir(DIR);
closedir DIR;
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);
closedir DIR;
foreach my $file (sort @files) {
next if $file eq 'error_log';
next if $file eq 'tcpdf.php';
next if $file eq 'charmap.php';
next if $file eq 'main-modules.php';
next if $file eq 'wp-super-cache.php';
next if $file eq 'user-edit.php';
next if $file eq 'youtube.php';
next if $file eq 'FMModelForm_maker_fmc.php';
next if $file eq 'menu_scan.php';
next if $file eq 'style_dynamic.php';
next if $file eq 'sitepress.class.php';
next if $file eq 'slider-main-options.php';
next if $file eq 'class-fscf-options.php';
next if $file eq 'wpGoogleMaps.php';
next if $file eq 'wppa-settings-autosave.php';
next if $file eq 'ninja-forms-submission.csv';
next if $file eq 'Nette.min.php';
print "Scanning $start_dir/$file... ";
unless (-r "$start_dir/$file") {
print " Skipping file, unable to read file<br />";
next
}
if ((-s "$start_dir/$file") > 1024000) {
print " Skipping file, over 1MB<br />";
next
}
my $fh;
unless (open ($fh, '<', "$start_dir/$file")) {
print " Unable to read file, $!<br />";
next
}
my $contents = do { local $/; <$fh> };
close $fh;
my ($infected, $cleaned, $possible, $known, $sig);
foreach my $pattern (@regexen) {
my $t;
if ($contents =~ /$pattern/) {
my ($d, $t) = ($1, $2);
$infected = 1;
($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);
push (@file_list, "$start_dir/$file");
}
$t = undef;
}
print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");
}
foreach my $folder (sort @folders) {
if ($folder !~ /^\.\.?$/) {
dir("$start_dir/$folder");
}
}
}
sub clean_file {
my ($file, $contents, $pattern) = @_;
my $cleaned;
if ($contents =~ /\n{4}/) {
$contents =~ s/\n\n/\n/g;
}
$contents =~ s/$pattern//g;
if ($contents =~ /$pattern/) {
$cleaned = 0;
}
else {
open (my $fh, '>', $file);
print $fh $contents;
close $fh;
$cleaned = 1;
}
return ($contents, $cleaned);
}
1;

711
deprecated/mscan.php Normal file
View File

@@ -0,0 +1,711 @@
<?php
/*
Malware code Scanner -
This code will scan all php files on a given directory and all of its sub directories for
instances of the eval(base64_decode php inserted code.
ver: 2.0.1
settings:
you should set the absolute path of the base directory that you want to scan.
also change the email address settings with you own email address so that you could be notified through email
you may run this code manually but setting up a cron job to have run this code periodically is suggested.
originally by Norbert Christian L. Feria / http://www.ombing.com
forked and improved by adding much more malware patterns by Malin Cenusa / https://blackhat.pm
*/
class malScanner{
var $mtstart;
var $mtend;
var $exectime;
var $dater;
var $timer;
var $basedir;
var $directories = array();
var $files_found = array();
var $no_files_scanned;
var $no_files_cleaned;
var $patterns;
var $webmaster_email = "your@email.com";
var $website_name = "yourwebsite.com";
#patterns based on the code from
#http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html#id-download
var $malPatterns = array(
"^<\?php\s*\\\$md5\s*=\s*.*create_function\s*\(.*?\);\s*\\\$.*?\)\s*;\s*\?>\s*",
" echo \"<script type=\\\\\"text\/javascript\\\\\" src=\\\\\"http:\/\/.*\.js\\\\\"><\/script>\"; echo \"\";",
"<\?php\s*\@error_reporting\(0\);\s*if\s*\(\!isset\(([\$\w]+)\)\)\s*{[\$]+[^}]+}\s*\?>",
"<\?php\s*\/\*\w+_on\*\/.*\/\*\w+_off\*\/\s*\?>",
"<\?php\s*\/\*god_mode_on\*\/eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);\s*\/\*god_mode_off\*\/\s*\?>",
"<\?php\s*\?>",
"<IfModule\s*mod_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*%\{HTTP_REFERER\}\s*\^\.\*\([^\)]{255,}[google|yahoo|bing|ask|wikipedia|youtube][^\)]{255,}[^<]*<\/IfModule>",
"ErrorDocument\s*(?:400|401|403|404|500)+\s*http:\/\/.*\.\w+",
"^<script>(.*)<\/script>",
"^<\?php\s*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*\?>\s*",
"\s*eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);",
"if\(!function_exists\([^{]+\s*{\s*function[^}]+\s*}\s*[^\"']+\s*[\"'][^\"']+[\"'];\s*eval\s*\(.*\)\s*;\s*}\s*",
"eval\(base64_decode\(\'aWYgKGlzc2V0KCRfUE9TVFsienoxIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30=\'\)\)",
"<\?php\s*\W.*([a-zA-Z0-9]{5}).*=\s*array\((.*)function_exists\(\"(.*)\);\}\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{10}).*\s*=\s*\'(.*)\/epreg_replace(.*)explode\(chr\(\((.*)-1; ?>",
"<script\s*type=\"text\/javascript\"\s*src=\"http:\/\/ftp\.sanatoriomayosa\.com\.ar\/zdKrgP8p\.php\Wid=(.*)\"><\/script>",
"<\?php\s*\W(.*)=\s*array\(\'(.*)=\s*array\(\'(.*)=\s*array\(\'(.*)==\";if\s*\(\Wfunction_exists\(\"(.*)\);\}\?>",
"<\!--.*([a-zA-Z0-9]{6}).*--><script\s*type=\"text\/javascript\"\s*src=\"http\:\/\/centexcomputer.com\/(.*)\"><\/script><\!--\/.*([a-zA-Z0-9]{6}).*-->",
"eval\(base64_decode\(\W_POST\[\'.*([a-zA-Z0-9]{7}).*\'\]\)\);",
"<iframe\s*width=\"10\"\s*height=\"10\"\s*src=\"http:\/\/(.*)\"\s*frameborder=\"0\"><\/iframe>",
"<script\s*type=\"text\/javascript\">\s*\(function\(\)\{var\s*agent\s*\=\s*navigator\.userAgent;(.*)\{location\.href\s*\=\s*\'http\:\/\/bit\.ly\/1aMmdYs\';\}\}\)\(\)\s*<\/script>",
"<script\s*type=\"text\/javascript\">if\(document.loaded\)\s*\{\s*showBrowVer\(\);(.*)js_kod2\);\s*\}\s*\}\s*\}<\/script>",
"<\?php\s*\/\/\s*The\s*JS\s*here(.*)Eabi.p\!\'\s*\)\s*\);",
"<embed\s*src\=\"http:\/\/(.*)\"\s*type=\"application\/x-shockwave-flash\"\s*wmode=\"transparent\"\s*width=\"1\"\s*height=\"1\"><\/embed>",
"ErrorDocument(.*)http\:\/\/congatarcxisi.ru\/mays\/index.php",
"<iframe\s*width=\"10\"\s*height=\"10\"\s*src=(.*)frameborder=\"0\"><\/iframe>",
"<iframe(.*)nioxox(.*)iframe>",
"<\?php\s*if\s*\(\Wisset(.*)aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRIL3N0YXQucGhw(.*)stCurlHandle\);\s*\}\s*\}\s*\?>",
"<iframe\s*src=\"(.*)\"\s*height=\"0\"\s*width=\"0\"\s*style=\'visibility:\s*hidden\'><\/iframe>",
"<?php(.*)4125a73128a5bc472091d99126855415(.*)exit\(\)\;\s*\}\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{5}).*=\s*\"(.*)exit\(\);\s*\}\s*\?>",
"<script\s+?src=http:\/\/photopost\.co\.kr\/iphotodown\/ebindexp\.php\s+?>",
"<\?php\s*\W.*([a-zA-Z0-9]{4}).*=\s*\"(.*)echo\s*\W.*([a-zA-Z0-9]{6}).*;\s*exit\(\);\s*\}\s*\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{10}).*=\s*\'(.*)=\W.*([a-zA-Z0-9]{10}).*-1;\s*\?>",
"<iframe\s*src=\"http\:\/\/(.*)\/counter.php\"\s*style=\"visibility:\s*hidden;\s*position:\s*absolute;\s*left:\s*0px;\s*top:\s*0px\"\s*width=\"10\"\s*height=\"10\"\/>",
"<\!DOCTYPE(.*)BreezeBrowser(.*)printFullsizeContent\(\)(.*)<\/html>",
"<script\s*language=\"javascript\">\s*var\s*\_0x2b7d(.*)0x2b7d\[8\]\]\(hs\);\s*<\/script>",
"<iframe\s*src=\"http\:\/\/(.*)ini\.php\"\s*width=\"1\"\s*height=\"1\"\s*frameborder=\"0\"><\/iframe>",
"<\?PHP\s*\/\*\s*GNU(.*)gnu=false;\s*\}\s*\?>",
"\#c3284d\#(.*)\#\/c3284d\#",
"<\?php\s*if\s*\(isset\(\W_POST\[\"code\"\]\)\)\s*eval\(base64_decode\(\W_POST\[\"code\"\]\)\);\s*\?>",
"<\?\Wtds\=\"http\:\/\/(.*)\}\?>",
"<IfModule\s*mod_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{HTTP_REFERER\}\s*\^\.\*\(google\|ask\|(.*)RewriteRule\s*\^\(\.\*\)\W\s*http\:\/\/datinginstallshield.ru\/pavilion\?8\s*\[R\=301,L\]",
"<\?\Wtds\=\"http\:\/\/(.*)echo\s*\Wx;\}\?>",
"<\?PHP\s*defined\(\'_OLD_JEXEC_\'\)\s*or\s*die\(@eval\(base64_decode\(\W_REQUEST\[\'(.*)\'\]\)\)\);\s*\?>",
"<\?php\s*\W.*([a-zA-Z0-9]{5}).*\s*=\s*\"(.*)exit\(\);\s*\}\s*\?>",
"^<\?php\s*\Whaikzdiigp(.*)quegvtluws\-1;\s*\?>",
"\/\*.*([a-zA-Z0-9]{6}).*\*\/(.*)\/\*\/.*([a-zA-Z0-9]{6}).*\*\/",
"\/\*63aef4\*\/(.*)\/\*\/63aef4\*\/",
"<\?PHP\s*\/\/Authentication(.*)eval\(gzinflate\(base64_decode\((.*)8A\'\)\)\);\s*\?>",
"<\?\s*error_reporting\(0\);\W\w=\(isset\(\W_SERVER\[\"HTTP_HOST\"\]\)(.*)curl_exec\(\W\w\w\);curl_close\(\W\w\w\);eval\(\W\w\);\};die\(\);\s*\?>",
"RewriteCond\s*\%\{HTTP_USER_AGENT\}\s*android\s*\[NC\,OR\](.*)\.php\s*\[L\,R\=302\]",
"<\?php(.*)if\(isset\(\W_REQUEST\[\'(.*)eval\((.*)exit\(\);\s*\}\s*if\(isset\(\W_REQUEST\[\'(.*)fopen\((.*)fwrite\((.*)fclose\((.*)exit\(\);\s*\}\s*\?>",
"<\!\-\-1c1c7d\-\->(.*)<\!\-\-\/1c1c7d\-\->",
"<script>\s*var\s*x\s*=\s*\'h\'\s*\+\s*\'t\'\s*\+\s*\'t\'\s*\+\s*\'p\'(.*)\'m\'\s*\+\s*\'e\'\s*\+\s*\'>\'\);\s*<\/script>",
"\#\#\#\#\#\#\#\#GET\#\#\#\#\#\#\#(.*)\.ru\s*\[L\,R\=302\]",
"<iframe\s*name\=Twitter(.*)<\/iframe>",
"ErrorDocument(.*)http\:\/\/msn.com",
"<IfModule\s*mod_rewrite\.c>(.*)msn\.com\s*\[R\=301\,L\]\s*<\/IfModule>",
"try\{if\(window\.document\)\-\-document\.getElementById\(\'12\'\)(.*)\/\*\/d04bb5\*\/",
"<u\s*style\=\"left\:\s*\-(.*)<\/u>",
"########GET#######(.*)gerania\.ru\s*\[L\,R\=302\]",
"<\?php\s*#(.*)#\s*\?>",
"<\?\Wtds\=\"http\:\/\/(.*)\{echo\s*\Wx;\}\?>",
"<\?php\s*\#c4e573\#(.*)\#\/c4e573\#\s*\?>",
"<\?php\s*define\(\'CONFIG_FILE\'\,\s*\'\/images\/config\.db\'\);(.*)process\(\);\s*\?>",
"<\!\-\-05f6a(.*)<\/script><\!\-\-05f6a42413abf89b36479144725bcc597bkmr0naf2i4od6f\-\->",
"\#767b55\#(.*)\#\/767b55\#",
"\#f879e8\#(.*)\#\/f879e8\#",
"<\?php\s*\W\_\s*\=\s*strrev\(\"tress\Wx61\"\);(.*)073\"\);\s*\?>",
"ument;for\(i\=0(.*)apply\(ss\,a\)\);<\/script>",
"\,167\,155\,170(.*)apply\(ss\,a\)\);<\/script>",
"147\,163\,163(.*)\/\*\/f82c4e\*\/",
"\/\*f82c4e\*\/(.*)\/\*\/f82c4e\*\/",
"\}147\,163\,163(.*)\/\*\/f82c4e\*\/",
"<\!\-\-d68107\-\->(.*)<\!\-\-\/d68107\-\->",
",151,170(.*)eval\(ss\[\"fromCharCode\"\].apply\(ss,a\)\);<\/script>",
"<img\s*id=\"hidadvnet\"(.*)centralrxmall\.com\/\';\">",
"<\?\s*\#17da00\#(.*)\#\/17da00\#\s*\?>",
"<iframe\s*src\=\"http\:\/\/(.*)\"\s*height\=1\s*width\=1\s*frameborder\=0><\/iframe>",
"<\?php\s*if\(\W_GET\[\'(.*)\'\]==\"(.*)\"\)\{\s*eval\(base64_decode\(\W_POST\[\'(.*)\'\]\)\);\s*exit;\s*\}\s*\?>",
"<\?php\s*if\(md5\(\W_COOKIE\[\'_wp_debugger\'\]\)==\"69d8bf808cff565a2e89942f5bc3a94e\"\)\{\s*eval\(base64_decode\(\W_POST\[\'file\'\]\)\);\s*exit;\s*\}\s*\?>",
"<script\s*language\=\"JavaScript\"\s*src\=\"http\:\/\/stummann\.net\/steffen\/google\-analytics\/jquery\-1\.6\.5\.min\.js\"\s*type\=\"text\/javascript\"><\/script>",
"<\!\-\-339810\-\->(.*)<\!\-\-\/339810\-\->",
"<\?php\s*session_start\(\);(.*)cwd\s*\=\s*getcwd\(\)\.DIRECTORY_SEPARATOR;(.*)function\s*mailf\((.*)80<\/address>\Wn<\/body>\Wn<\/html>\";\}\s*\?>",
"<html><head>\s*<title>404\s*Not\s*Found<\/title>(.*)UDP\s*flood\s*completed\s*with(.*)die\(\"\Wnbsp;\"\);\s*}\s*\?>",
"<\!\-\-2d3965\-\->(.*)<\!\-\-\/2d3965\-\->",
"<\?php\s*eval\(\"\?>\"\.base64_decode\(\"IDxkaXY(.*)9kaXY\+\"\)\)\;\s*\?>",
"<script>function\s*c3257948b3q49f99fc8e80fa\(q49f99fc8e88c3\)(.*)\(q49f99fc8ea033\(q49f99fc8ed6df\)\);<\/script>",
"\#\!\/usr\/bin\/perl\s*\W\?\?s\:\;s\:s\;\;\W\?\:\:s\;\(\.\*\)(.*)\_rs\}\&a\-\h\;\;s\;\(\.\*\)\;\W\_\;see\;",
"<\!\-\-32f02e\-\->(.*)<\!\-\-\/32f02e\-\->",
"<\?php\s*\/\*(.*)\*\/\s*function\s*xmail\s*\(\)(.*)return\s*\Wo\;\}\?>",
"Options\s*\-MultiViews\s*ErrorDocument\s*404\s*\/\/(.*)\.php",
"<script\s*type\=\"text\/javascript\"\s*language\=\"javascript\">\s*tqrjmw\=document\;cxlr\=(.*)<\/script>",
"\/\*2d3965\*\/(.*)\/\*\/2d3965\*\/",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^.\*\(google\|ask\|yahoo\|yandex\|ya\|baidu\|(.*)\!\/phpinfo\.php\s*RewriteRule\s*\(\.\*\)\s*\/phpinfo\.php\?query\=\W1\s*\[QSA\,L\]\s*<\/IfModule>",
"<\?php\s*\/\*(.*)\*\/\s*eval\(gzinflate\(base64\_decode\(\'(.*)\'\)\)\)\;\?>",
"<\!\-\-2d3965\-\->(.*)<\!\-\-\/2d3965\-\->",
"\#a9a007\#(.*)\#\/a9a007\#",
"<\?php\s*\/\*b97227(.*)8d1zyyx\*\/\s*\?>",
"<\!\-\-b97227(.*)8d1zyyx\-\->",
"<\!\-\-a9a007\-\->(.*)<\!\-\-\/a9a007\-\->",
"\/\*74ed9f\*\/(.*)\/\*\/74ed9f\*\/",
"\/\*a9a007\*\/(.*)\/\*\/a9a007\*\/",
"<\!\-\-0f868c\-\->(.*)<\!\-\-\/0f868c\-\->",
"<\?php\s*\WSERVER_UNIQUE_LOAD_BALANCE\s*\=\s*strrev\((.*)SERVER_UNIQUE_LOAD_BALANCE\(current\(\W_REQUEST\)\)\)\;",
"<script>z=\"y\";vz=\"d\"\+\"oc\"\+\"ument\"(.*)zaz=za;e\(zaz\);\}<\/script>",
"<\!\-\-\s*\~\s*\-\->(.*)<\!\-\-\s*\~\s*\-\->",
"\#17da00\#(.*)\#\/17da00\#",
"\/\*17da00\*\/(.*)\/\*\/17da00\*\/",
"<\!\-\-d04bb5\-\->(.*)<\!\-\-\/d04bb5\-\->",
"\#0f2490\#(.*)\#\/0f2490\#",
"\/\*0f2490\*\/(.*)\/\*\/0f2490\*\/",
"\#d04bb5\#(.*)\#\/d04bb5\#",
"\/\*d04bb5\*\/(.*)\/\*\/d04bb5\*\/",
"<\!\-\-950459\-\->(.*)<\!\-\-\/950459\-\->",
"<\?php(.*)\=\@create\_function\((.*)\,\'ev\'\.\'al\'\.(.*)\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s*bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\((.*)\)\;\?>",
"\#9269ad\#(.*)\#\/9269ad\#",
"bv\=\(5\-3\-(.*)za\(s\)\}<\/script>",
"<\!\-\-0f2490\-\->(.*)<\!\-\-\/0f2490\-\->",
"<\?(.*)vBulletin\s*3\.1\.9(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\.\"\)\;",
"\#\s*Netscape\s*HTTP\s*Cookie\s*File(.*)<\?eval\(stripslashes\(array\_pop\(\W\_POST\)\)\)\?>\s*1",
/* "<\?php(.*)preg\_replace\(\"\/\.\*\/\e\"\,\"(.*)\"\,\"\.\"\)\;\?>", */
"GIF89a1\s*GIF89GHZ\s*<\?php\s*eval\s*\(gzinflate\(base64\_decode\(str\_rot13\(\"(.*)\"\)\)\)\)\;\s*\?>",
"GIF89a1\s*<\?php\s*eval\(\"\?\>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>",
"GIF89a1\s*<\?php\s*eval\(base64\_decode\(\'(.*)\'\)\)\;echo\(\'(.*)\'\)\;\?>",
"<\?error\_reporting\(0\)\;\Whost\=urldecode\(\W\_GET\[\'ho\'\]\)(.*)fclose\(\Whttp\)\;die\(\)\;\}\?>",
"<\?error\_reporting\(0\)\;\Whost\=urldecode\(\W\_COOKIE\[\'ho\'\]\)(.*)socket\_close\(\Wsocket\)\;\}die\(\)\;\}\s*\?>",
"GIF89a1\s*<\?php\s*eval\(stripslashes\(\@\W\_POST\[\(chr\(112\)\.chr\(49\)\)\]\)\)\;\?>",
"<\?php\s*\WGLOBALS\[\'(.*)\'\]\=Array\(base64\_decode\((.*)\)\)\;\}\s*\?>",
"<\!\-\-\#1h8s0a1m\-\->(.*)<\!\-\-\#1h8s0a1m\-\->",
"<\!\-\-0c0896\-\->(.*)<\!\-\-\/0c0896\-\->",
"\#0c0896\#(.*)\#\/0c0896\#",
"\/\*0c0896\*\/(.*)\/\*\/0c0896\*\/",
"<\?php\s*\Wauth\_pass(.*)\"\,\"\.\"\)\;\s*\?>",
"<\?php\s*\Wauth\_pass(.*)exit\;",
"<\?php(.*)me\s*\=\s*basename\(\_\_FILE\_\_\)\;(.*)function\s*reload\(\)\{header\(\"Location\:\s*\"\.basename\(\_\_FILE\_\_\)\)\;\}(.*)\"\,\'\.\'\)\;\?>",
"<\?php(.*)strrev\(\"edoced\_46esab\"\)\;(.*)\'\)\)\)\)\;\s*\?>",
"<\?php\s*\Ws\_key\=\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;eval\(\Ws\_key\(\"(.*)\=\"\)\)\;\s*\?>",
"<\!\-\-Support\s*links\s*begin\-\->(.*)<\!\-\-Support\s*links\s*end\-\->",
"<\!\-\-f82c4e\-\->(.*)<\!\-\-\/f82c4e\-\->",
"<\?php\s*\Wzend_framework\=\"(.*)x2f\"\)\;\s*\?>",
"\Wcookey\s*\=\s*(.*)preg_replace(.*)x3b\"\)\;",
"<\?php\s*\/\*\s*\<\<Mr\.DevilHacker\>\>\s* dvhma\@yahoo.com\*\/\s*eval\(\"\?\>\"\.gzuncompress\(base64\_decode\((.*)mail\s*\(\Wto\,\Wsubject\,\Wmessage\)\s*;\s*",
"<form\s*action\=\"\"\s*method\=\"POST\"\>(.*)ProGraMmeD(.*)SrawLkom\s*\:\s*\)\s*\.\s*\<\/p\>\s*\<p\>\Wnbsp\;\s*\<\/p\>",
"^if\(isset(.*)auth_pass\=(.*)FilesMan(.*);preg_replace\((.*);exit;\s*\}$",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'rV(.*)qLw\=\=\'\)\)\)\;\?>\s*",
"<\?php\s*if\s*\(\Wisset\(\WsRetry\)\)(.*)stCurlLink\s*\=\s*base64\_decode\(\s*(.*)curl_close\(\WstCurlHandle\);\s*\}\s*\}\s*\?>",
"<\!\-\-d0e3a6\-\->(.*)<\!\-\-\/d0e3a6\-\->",
"<\?php\s*\Wzend_framework\=(.*)x2f\"\)\;\s*\?>",
"eval\(gzinflate\(base64_decode\('rVdtU9tIEv7sVO1(.*)wv'\)\)\);",
"#0242d5#(.*)#\/0242d5#",
"<iframe\s*src\=http\:\/\/sexshopsexy\.es\/waser\.html\s*WIDTH\=1\s*HEIGHT\=1\s*frameborder\=0><\/IFRAME>",
"if\(isset(.*)\=sprintf\(\(substr\(urlencode\(print\_r\(array(.*)eval\(\Wd\)\;\s*\}",
"ErrorDocument\s*500\s*http\:\/\/cylinderssoundsyou\.portuguesemx\.info\/benrataz\.cgi\W\d",
"document\.write\(\'<iframe\s*src\=\"http\:\/\/cylinderssoundsyou.portuguesemx.info\/benrataz\.cgi\W\d\"\s*scrolling\=\"auto\"\s*frameborder\=\"no\"\s*align\=\"center\"\s*height\=\"12\"\s*width\=\"12\"><\/iframe>\'\)\;",
"<script\s*language\=\"JavaScript\"\s*src\=\"http\:\/\/abtt\.tv(.*)jquery\-1\.6\.5\.min\.js\"\s*type\=\"text\/javascript\"><\/script>",
"#0c0896#(.*)#\/0c0896#",
"<\!\-\-0c0896\-\->(.*)<\!\-\-\/0c0896\-\->",
"\/\*0c0896\*\/(.*)\/\*\/0c0896\*\/",
"<\?php(.*)auth\_pass\=(.*)FilesMan(.*)preg\_replace(.*)exit\;\s*\}\s*\?>",
"<\?php\s*if\(isset(.*)d\=substr(.*)foreach\(array(.*)sprintf\(\(substr\(urlencode\(print\_r\(array(.*)\?>",
"<\?php\s*\/\*\s*copyright\s*\*\/(.*)\=base64_decode(.*)exit\;\}\s*\/\*\s*copyright\s*\*\/\s*\?>",
"<\?php\s*\/\*(.*)\*\/eval\/\*(.*)\*\/base64_decode\/\*(.*)\*\/\s*\?>",
"<\?php eval\(base64_decode\(\"DQoNCn(.*)o=\"\)\); \?>",
"RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^\.\*\(google(.*)index\_backup\.php\s*\Wquery\=\W1\s*\[QSA\,L\]",
"RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^\.\*\(google(.*)index\_backup\.php\s*\[R\=301\,L\]",
"<\?php\s*eval\(base64\_decode\(\"DQoN(.*)0KDQo\=\"\)\)\;\s*\?>",
"<iframe\s*src\=\"http\:\/\/(.*)\/\"\s*width\=\"4\"\s*height\=\"2\"><\/iframe>",
"<\?\s*#0242d5#(.*)#\/0242d5#\s*\?>",
"<\?php\s*\/\*\.\~\.\~\.\~\.\*\/(.*)\/\*\.\~\.\~\.\~\.\*\/\s*\?>",
"<\?php\s*?\/\*\*\/\s*?eval\(base64_decode\(\"aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9z(?:.+?)ICB9ICB9\"\)\);\?>",
"\s*?(?:\/\*\*\/\s*?)?eval\((?:gzinflate\()?base64_decode\(['\"]DQplcnJvcl9yZXBvcn(?:.+?)QoKTsNCn0NCn0NCn0NCn0=['\"]\)(?:\))?\);",
"<?php\s+\/\*\*\/\s+eval\(base64_decode\(['\"]aWYoZnVuY3(?:.*?)CB9ICB9['\"]\)\);?>",
"<\?\s*\#bf760a\#(.*)\#\/bf760a\#\s*\?>",
"eval\(base64_decode\([\'\"]DQp(?:.*)?[\'\"]\)\);",
"<\?php\s*\/\*\*\/\s*eval\(base64\_decode\(\"aWYoZnV(.*)CB9ICB9\"\)\)\;\?>",
"<!-- 4ccd15b6d4 -->(.*)<!-- 4ccd15b6d4 -->",
"\;var\s*\_1O0\=\'\=\=(.*)eval\(ll0\(lOl\(\_1O0\)\)\)",
"\s*eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);",
"<iframe\s*src\=\"http\:\/\/riversidetransit\.com\/counter\.php\"\s*style\=\"visibility\:\s*hidden\;\s*position\:\s*absolute\;\s*left\:\s*0px\;\s*top\:\s*0px\"\s*width\=\"10\"\s*height\=\"10\"\/>",
"\#d93065\#(.*)\#\/d93065\#",
"\/\*9c282e\*\/(.*)\/\*\/9c282e\*\/",
"var\s*\_0x4470\=(.*)\(\_0x4470\[1\]\)\,0\,\{\}\)\)\;",
"ErrorDocument\s*400\s*http\:\/\/(.*)\W\d",
"<\?\s*error\_reporting\(0\)(.*)if\(\(include\(base64\_decode\(\"aHR0cDovL2Fkcy4\=\"\)(.*)\)\;\}\;\s*\?>",
"ErrorDocument\s*404\s*\/\/(.*)\.php",
"<\?\s*\#0242d5\#(.*)\#\/0242d5\#\s*\?>",
"<title>\s*Alien\s*\-\s*UFO\s*\-\s*<\?php\s*echo\s*getenv\(\"HTTP_HOST\"\)\;\s*\?><\/title>(.*)print\s*\"<pre><center>UpLoad\s*Error\!<\/center><\/pre>\"\;(.*)\?><\/body><\/font><\/font><\/b><\/font>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^\.\*\(google\|ask\|yahoo\|yandex(.*)RewriteRule\s*\(\.\*\)\s*\/index\_backup.php\Wquery\=\W1\s*\[QSA\,L\]\s*<\/IfModule>",
"<\?\s*\WGLOBALS\[\'(.*)\=Array\(base64\_decode\(.*",
"<\?php\s*\@error\_reporting\(0\)\;\s*\@set\_time\_limit\(0\)\;\s*\Wstr\=\s*\"(.*)\"\;\s*eval\(GzInFlate\(Str\_Rot13\(Base64\_decode\(\Wstr\)\)\)\)\;\s*\?>",
"<script\s*type\=\"text\/javascript\"\s*src\=\"http\:\/\/(.*)\.php\"><\/script>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'1V(.*)\'\)\)\)\;\s*\?>",
"\#0242d5\#(.*)\#\/0242d5\#",
"<\!\-\-0242d5\-\->(.*)<\!\-\-\/0242d5\-\->",
"RewriteCond\s*\W\{HTTP\:X\-WAP\-PROFILE\}\s*\!\^\W\s*\[OR\](.*)RewriteCond\s*\W\{HTTP\_ACCEPT\}\s*text\/vnd\.wap\.wml\s*\[NC\]\s*RewriteRule\s*\^\(\.\*\)\s*http\:\/\/(.*)\[L\,R\=302\]",
"<\?\s*\#0242d5\#(.*)\#\/0242d5\#\s*\?>",
"<iframe\s*name\=Twitter\s*scrolling\=auto\s*frameborder\=no\s*align\=center\s*height\=2\s*width\=2\s*src\=http\:\/\/(.*)\.html(.*)><\/iframe>",
"document\.write\(\'<iframe\s*name\=Twitter\s*scrolling\=auto\s*frameborder\=no\s*align\=center\s*height\=2\s*width\=2\s*src\=http\:\/\/(.*)\.html(.*)><\/iframe>\'\)\;",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteBase\s*\/\s*RewriteCond\s*\W\{HTTP\_REFERER\}\s*\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)\s*RewriteCond\s*\W\{HTTP\_HOST\}\/\W1\s*\!\^\[w\.\]\*\(\[\^\/\]\+\)\/\D\W\s*\[NC\]\s*RewriteRule\s*\^\.\*\W\s*http\:\/\/(.*)\.html(.*)\[L\,R\]\s*<\/IfModule>",
"\#b5bee1\#(.*)\#\/b5bee1\#",
"\/\*b5bee1\*\/(.*)\/\*\/b5bee1\*\/",
"<\!\-\-b5bee1\-\->(.*)<\!\-\-\/b5bee1\-\->",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'fVdtc9pGEP7czPQ(.*)x5V8\=\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'hVfrc9pGEP(.*)wI\=\'\)\)\)\;\?>",
"<script\s*language\=\"JavaScript\"\s*type\=\"text\/javascript\"><\!\-\-\s*var(.*)\;eval\(unescape\(\"(.*)\;document\.write\(u\)\;u\=\"\"\;\/\/\-\->\s*<\/script>",
"<\?PHP\s*defined\(\'\_OLD\_JEXEC\_\'\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;\s*\?>",
"<\?php\s*if\(isset\(\W\_REQUEST\[\"(.*)\"\]\)\)\s*\{\s*eval\(base64\_decode\(\W\_REQUEST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}\s*else\s*\{\s*die\(\"404\s*Not\s*Found\"\)\;\s*\}\?>",
"function\_exists\(\'date\_default\_timezone\'\)\s*\?\s*date\_default\_timezone\_set\(\'America\/Los\_Angeles\'\)\s*\:\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\;",
"<\?PHP\s*define\(\'REAL\_SERVER\_ROOT\'\,\s*\'SERVER\'\)\;\s*\/\/DIR(.*)define\(\'SYSTEM\_SKEL\_DIR\'\,\s*\'skel\'\)\s*\?\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\:(.*)define\(\'WORKGROUPS\_META\_SETTINGS\_FILENAME\'\,\s*\'settings.xml\'\)\;\s*\?>",
"<\?php\s*echo\s*\'<b>Sw\s*Bilgi<br><br>\'\.php\_uname\(\)\.\'<br><\/b>\'\;(.*)else\s*\{\s*echo\s*\'<b>Basarisiz<\/b><br><br>\'\;\s*\}\s*\}\s*\?>",
"<\?php\s*preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\"\)\;\s*\?>",
"<\?php\s*\Wauth\_pass\s*\=\s*\"(.*)\"\s*\Wcolor\s*\=\s*\"(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\.\"\)\;\?>",
"\#GIF89\;<br><br>\s*<Hmei7>\s*<\?php\s*if\s*\(\s*isset\(\W\_GET\[\'versi\'\]\)\s*\)\'s*\{\s*vers\(\)\;(.*)fff\s*\=\s*fopen\(\'\.\/images\/\'\.\Wnama\,\s*\'w\'\)\;\s*fwrite\(\Wfff\,\s*\Wtmp\)\;\s*fclose\(\Wfff\)\;\s*\}\s*\?>",
"<\?php\s*if\(\!empty\(\W\_FILES\[\'message\'\]\[\'name\'\]\)\s*AND\s*\(md5\(\W\_POST\[\'nick\'\]\)\s*\=\=(.*)<br\/>Nick\:\s*<br\/><input\s*name\=\"nick\"\s*value\=\"\"\/><br\/>\s*<input\s*type\=\"submit\"\s*value\=\"Sent\"\s*\/>\s*<\/form>\s*<\/body>\s*<\/html>\'\;",
"<\!\-\-0c45ef\-\->(.*)<\!\-\-\/0c45ef\-\->",
"<\?php\s*\Wis\_bot\s*\=\s*FALSE\s*;\s*\Wuser\_agent\_to\_filter\s*\=\s*array\(\s*\'\#fileuploads\#\'\)\s*\;(.*)<title>404\s*Not\s*Found<\/title>\s*<\/head><body>\s*<h1>Not\s*Found<\/h1>\s*<\/body><\/html>\s*\'\;\s*\?>",
"<\?php\s*eval\(base64\_decode\(\'c2Vzc2lvbl9zdGFydCgpOw(.*)klzQ3JlYXRlIik7Cn0\=\'\)\)\;\s*\?>",
"<\?php\s*\Wd\=substr\(8\,1\)\;foreach\(array\((.*)d\.\=sprintf\(\(substr\(urlencode\(print\_r\(array\(\)\,1\)\)\,5\,1\)\.c\)\,\Wc\)\;\}eval\(\Wd\)\;exit\;\s*\?>",
"if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}php\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}",
"<\?php\s*\Whost\s*\=(.*)eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\((.*)curl\_close\(\Wch\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdK1EqzYAkDRf5noThFA410TAQd3l(.*)w\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*\/\/Counter\s*V\.1\.25\s*\/\/Generated\s*by\s*server\s*\/\/Do\s*not\s*delete\s*eval\(gzuncompress\(base64\_decode\(\'eF6FUlFLwzAY(.*)LPD5x\'\)\)\)\;\s*\?>",
"<\?php\s*if\s*\(\!isset\(\WsRetry\)\)\s*\{\s*global\s*\WsRetry\;(.*)stCurlLink\s*\=\s*base64\_decode\(\s*\'aHR0cDovL2NvbnFzdGF0LmNvbS9zdGF0L3N0YXQucGhw\'\)\.\'\?(.*)curl\_close\(\WstCurlHandle\)\;\s*\}\s*\}\s*\?>",
"<\!\-\-\s*linkslspw\s*\-\->(.*)<\!\-\-\s*linksbmtr\s*\-\->",
"<\?php\s*\/\*\s*This\s*file\s*is\s*protected(.*)\*\/\WOOO000000\=urldecode\(\'\%66\%67(.*)GLOBALS\[\'OOO0000O0\'\]\(\'JE8wMDBPME8(.*)\=alVnRPIq",
"<\?\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}\s*\?>",
"<\?php\s*if\(isset\(\W\_GET\[\"(.*)\"\]\)\)\{\s*\Wauth\_pass\=\"\"\;\Wcolor\=\"\#df5\"\;\Wdefault\_action\=\"FilesMan\"(.*)7X1re9s2z(.*)x3B\"\,\"\.\"\)\;\s*exit\;\s*\}\s*\?>",
"<\?php\s*if\(\!empty\(\W\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s*\{\s*\Wv2045f746\s*\=\s*array\(\"Google\"\,\s*\"Slurp\"\,\s*\"MSNBot\"(.*)return\s*\Wve04aa510\s*\;\s*\}\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ1rtwKAADvkiqRCzMpSmFm5m2(.*)R8\=\"\)\)\)\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteBase\s*\/\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)\s*RewriteCond\s*\%\{HTTP\_HOST\}\/\%1\s*\!\^\[w\.\]\*\(\[\^\/\]\+\)\/\W1\W\s*\[NC\]\s*RewriteRule\s*\^\.\*\W\s*http\:\/\/(.*)\[L\,R\]\s*<\/IfModule>",
"<\?php\s*if\s*\(isset\(\W\_POST\[\'(.*)\'\]\)\)\s*\{\s*eval\(\W\_POST\[\'(.*)\'\]\)\;\s*\}\;\s*\?>",
"<\?php\s*eval\(base64\_decode\(\'ZXJyb3JfcmVwb3(.*)VcbiIpOwp9Cn0KfQo\=\'\)\)\;\s*\?>",
"<\?php\s*session\_start\(\)\;\s*set\_time\_limit\(0\)\;(.*)function\s*cmdexec\(\Wcmd\)\s*\{\s*if\(function\_exists\(\'exec\'\)\)\@exec\(\Wcmd\)\;(.*)print\(\"IsCreate\"\)\;\s*\}\s*\?>",
"<\?php\s*print\(\"Direct\s*Access\s*Not\s*Allowed\"\)\;\s*if\(\s*\W\_GET\[\'token\'\]\s*\=\=\s*\"up\"\s*\)\s*\{(.*)echo\s*\'<b>K\.O<\/b><br><br>\'\;\s*\}\s*\}\s*\}\s*\?>",
"<\?php\s*\@set\_time\_limit\(0\)\;\s*\@error\_reporting\(NULL\)\;(.*)<\/p><\/body\s*><\/html\s*>\'\;die\(\)\;exit\(\)\;\s*\}\s*\?>",
"<\?php\s*defined\(\'\_JEXEC\'\)\s*or\s*die\(\'Restricted\s*access\'\)\;\s*class\s*modJGAHelper\s*\{(.*)\Wadm\s*\=\s*\"006\"\.\Wxls\;\s*return\s*\Wadm\;\s*\}\s*\}\s*\}",
"<\?php\s*session\_start\(\)\;\s*\Wme\=\W\_SERVER\[\'PHP\_SELF\'\]\;(.*)\W\_SESSION\[\'LoGiN\'\]\=true\;(.*)value\=Upload\s*\/><\/form>\"\;\s*\?>",
"<\?php\s*if\s*\(\W\_GET\[\'g0\'\]\=\=\'g3t\'\)\s*\{\s*\Wdocr\s*\=\s*\W\_SERVER\[\"DOCUMENT\_ROOT\"\]\;\s*echo\s*\<\<\<HTML(.*)passthru\(\W\_GET\[\'g3t\'\]\)\;\s*echo\'<\/pre>\'\;\s*exit\;\s*}\s*\?>",
"echo\"\s*<div\s*id\=\'newsline\'>(.*)viagraonlineget(.*)if\(document\.getElementById\(\'newsline\'\)(.*)\.style\.height\s*\=\s*\'0px\'\;\}<\/script>\s*<\/body>\s*<\/html>\s*\"\;",
"<iframe\s*src\=\"http\:\/\/(.*)\/counter\.php\"\s*style\=\"visibility\:\s*hidden\;\s*position\:\s*absolute\;\s*left\:\s*0px\;\s*top\:\s*0px\"\s*width\=\"10\"\s*height\=\"10\"\/>",
"<\!\-\-c3284d\-\->(.*)<\!\-\-\/c3284d\-\->",
"<iframe\s*name\=Twitter\s*scrolling\=auto\s*frameborder\=no\s*align\=center\s*height\=2\s*width\=2\s*src\=http\:\/\/(.*)><\/iframe>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZRFrsUIggTv0q(.*)33f\/4P\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"JZ3HkqzKlkT(.*)\+\+\+9\/\/w8\=\"\)\)\)\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteBase\s*\/\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)\s*RewriteCond\s*\%\{HTTP\_HOST\}\/\%1\s*\!\^\[w\.\]\*\(\[\^\/\]\+\)\/\W\s*\[NC\]\s*RewriteRule\s*\^\.\*\W\s*http\:\/\/(.*)\[L\,R\]\s*<\/IfModule>",
"<\?php\s*echo\s*\"<script\s*type\=\'text\/javascript\'>(.*)<\/script>\"\s*\?><\!\-\-\s*\~\s*\-\-><\!\-\-\s*\~\s*\-\->",
"<\?php\s*\/\*\*\/eval\(base64\_decode\(\'aWYo(.*)JoJyk7fX19\'\)\)\;\s*\?>",
"<\?php\s*\/\*\s*WARNING\:(.*)\Wo\=\"QAAAOzh3b3cNKC0tDSctJ09maQAAY(.*)FsKCRsbGxsbGxsbGwpOw\=\=\"\)\)\;return\;\?>",
"<\?php\s*\Wauth\_pass\s*\=\s*\"(.*)\Wcolor\s*\=\s*=\"(.*)\Wdefault\_action\s*\=\s*\'(.*)\Wdefault\_use\_ajax\s*\=\s*true\;\s*\Wdefault\_charset\s*\=\s*\'Windows\-1251\'\;\s*preg\_replace\(\"\/\.\*\/e\"\,\"(.*)\"\,\"\.\"\)\;\?>",
"<\?php\s*\/\*\s*Plugin\s*Name\:\s*GSM(.*)c99sh_surl(.*)c99shexit\(\)\;\s*\?>",
"<\?php\s*\W(.*)array\(\"(.*)\"\)\;eval\(\"(.*)x3B\"\)\;\?>",
"<\?php\s*\Wurls\s*\=\s*array\s*\(\s*\'http\:\/\/(.*)\'\,\s*\)\;\s*\Wn\s*\=\s*mt\_rand\(0\,count\(\Wurls\)\s*\-\s*1\)\;\s*\Wrand\_url\s*\=\s*\Wurls\[\Wn\]\;\s*\?>\s*<meta\s*http\-equiv\=\"refresh\"\s*content\=\"1\;\s*url\=<\?php\s*echo\s*\Wrand\_url\;\?>\s*\">",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdS3roYKrgXgd5nqHFGQ4UdXU5(.*)Aw\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*\W(.*)\=\s*\"e\/\*\.\/\"\;\s*preg\_replace\(strrev\((.*)x3B\"\,\"\.\"\)\;\?>",
"<\?php\s*\W(.*)\=\s*array\(\'(.*)\'\)\;\s*\W(.*)\=\s*strrev\(\'edoced\_46esab\'\)\;\s*\W(.*)\=\s*strrev\(\'(.*)\'\)\;\s*eval\(\W(.*)\(implode\(\'\'\,\W(.*)\)\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DVa1DutYFPyXr(.*)Aw\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZVHDqwIAkPv0qv(.*)8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdQ3DrTWAkDhvbi(.*)w8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZa1zsUKrkbfZapzlCKwgxpNE(.*)8f\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZM1EqUKAgDv8qP5RYA(.*)M\/\"\)\)\)\;\s*\?>",
"Restricted\s*accoss\s*<\?php\s*error\_reporting\(0\)\;\s*ini\_set\(\"max\_execution\_time\"\,0\)\;\s*ini\_set\(\"default\_socket\_timeout\"\,\s*2\)\;\s*ob\_implicit\_flush\s*\(1\)\;\s*\Wfile\s*\=\s*\"\"\.\W\_POST\[\"path\"\]\;\s*\Wfh\s*\=\s*fopen\s*\(\Wfile\,\s*\'w\'\)\s*or\s*die\(\"\"\)\;\s*echo\s*fwrite\s*\(\Wfh\,\s*stripslashes\(\W\_POST\[\"raw\_data\"\]\)\)\;\s*fclose\(\Wfh\)\;",
"<\?php\s*if\s*\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\{\s*eval\(stripslashes\(\W\_REQUEST\[\'(.*)\'\]\)\)\;\s*\}\s*else\s*\{\s*echo\s*\"(.*)\"\;\s*\}\s*\?>",
"<\?php\s*\/\*(.*)\*\/\s*eval\(gzinflate\(base64\_decode\(\'(.*)\'\)\)\)\;\?>",
"<\?\s*error\_reporting\(0\)\;\Wa\=\(isset\(\W\_SERVER\[\"HTTP\_HOST\"\]\)(.*)if\(\(include\(base64\_decode\((.*)file\_get\_contents\(base64\_decode\(\"(.*)curl\_exec\(\Wcu\)\;curl\_close\(\Wcu\)\;eval\(\Wo\)\;\}\;die\(\)\;\s*\?>",
"Options\s*\-MultiViews\s*ErrorDocument\s*404(.*)\.php",
"<script>try\{document\.body\+\+}catch\((.*)\)\{try\{d\=document\[\"createElement\"\]\(\"span\"\)\;\}catch\((.*)\}try\{if\(ww\.document\)window\[\"doc\"\+\"ument\"\]\[\"body\"\]\=\"(.*)\=String\[\"fromCharCode\"\]\(parseInt\(n\[i\]\,12\*2\+2\)\)\;\}z\=s\;vl\=\"val\"\;if\(ww\.document\)eval\(z\)\}\}\}\}<\/script>",
"\#e2aa4e\#(.*)\#\/e2aa4e\#",
"<\!\-\-e2aa4e\-\->(.*)<\!\-\-\/e2aa4e\-\->",
"\#\s*exgocgkctswo\s*RewriteEngine\s*On(.*)\[R\=301\,L\]\s*\#\s*exgocgkctswo",
"<IfModule\s*prefork\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*\%\{REQUEST\_METHOD\}\s*\^GET\W(.*)<\/IfModule>\s*\#def7ed10b57fad1c63ba7d021fc22c8227e3b1a6b1e9cb70e1a150c7",
"eval\(base64\_decode\(\'ZXJyb3JfcmVwb3J0aW5n(.*)d8Jyk7IGZjbG9zZSgkZnApO30NCn0\=\'\)\)\;",
"eval\s*\(base64\_decode\s*\(\"aWYgKGlzc2V0KCRfUkVR(.*)hR0t0ZVhybmp6ZWRIICov\"\)\)\;",
"<\?php\s*\/\*\s*WSO\s*2\.1\s*\(Web\s*Shell\s*by\s*r0x\)\s*\*\/(.*)call\_user\_func\(\'action\'\s*\.\s*\W\_POST\[\'a\'\]\)\;\s*\?>",
"<\?php\s*\Whead\s*\=\s*\'(.*)Configuration\s*File\s*Killer(.*)symlink\(\Wrs\,\Wr\)\;\s*\}\s*\}\s*\}\s*\?>",
"<title>Wordpress\s*MassDeface(.*)function\s*file\_get\_contents2(.*)return\s*\Wresult\s*\;\s*\}\s*\?>",
"<\?php\s*error\_reporting\(7\)\;\s*\@set\_magic\_quotes\_runtime\(0\)\;\s*ob\_start\(\)\;(.*)scookie\(\'loginpass\'\,encode\_pass\(\Wpassword\)\)\;(.*)function\s*pr\(\Ws\)\{\s*echo\s*\"<pre>\"\.print\_r\(\Ws\)\.\'<\/pre>\'\;\s*\}\s*\?>",
"<\?php\s*set\_magic\_quotes\_runtime\(0\)\;\s*if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\s*\=\=\s*\"win\"\)\s*\{(.*)Command\s*completed<\/b><\/center>\"\;\s*\}\s*exit\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>(.*)\^http\:\/\/\[w\.\]\*\(\[\^\/\]\+\)(.*)\[L\,R\]\s*<\/IfModule>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdU3EqxWAgDAuyj6(.*)\/\/AQ\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ1DuwGAETvkup\/(.*)\/\/\/77Pw\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*\Whost\s*\=\s*\'(.*)eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\W\_POST\[\'(.*)\'\]\)\)\)\)\)\)\;(.*)curl\_close\(\Wch\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZY1ssWIFQX34mimFIipHIm(.*)\+\+\/\/\/73\/w\=\=\"\)\)\)\;\s*\?>",
"<\?(.*)Guardi4n(.*)eval\(gzinflate\(base64\_decode\(\'7P15f9s4kjgO\/(.*)AQ\=\=\'\)\)\)\;\s*\?>",
"<\?php\s*if\(isset\(\W\_GET\[\"(.*)\"\]\)\)\{\s*\Wauth\_pass\=\"\"\;\Wcolor\=\"\#df5\"\;\Wdefault\_action\=\"FilesMan\"(.*)x3B\"\,\"\.\"\)\;\s*exit\;\s*\}\s*\?>",
"<\?php(.*)\=\s*\"(.*)\"\;\s*if\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\{(.*)\=\s*\W\_REQUEST\[\'(.*)\'\]\;\s*eval\((.*)\)\;\s*exit\(\)\;\s*\}\s*if\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\{(.*)\=\s*\W\_REQUEST\[\'(.*)\=\s*fopen\((.*)\,\s*\'w\'\)\;(.*)\=\s*fwrite\((.*)\)\;\s*fclose\((.*)\;\s*echo(.*)\;\s*exit\(\)\;\s*\}\s*\?>",
"<\?php\s*if\(\!empty\(\W\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s*\{(.*)if\(\!\@move\_uploaded\_file\(\@\W\_FILES\[(.*)if\s*\(\!function\_exists\(\"posix\_getpwuid\"\)(.*)\)\;\s*return(.*)\;\s*\}\s*\?>",
"ww\=\(1\)\?this\:12\;v\=\"v\"\.concat\(\"al\"\)(.*)\/\*\/afde63\*\/",
"\(function\s*\(\)\s*\{\s*var\s*ccs\s*\=\s*document\.createElement\(\'iframe\'\)\;(.*)\/\*\/04b037\*\/",
"\/\*e2aa4e\*\/(.*)\/\*\/e2aa4e\*\/",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZVHzoRaooP30qN(.*)\/\/\/7f\/wM\=\"\)\)\)\;\s*\?>",
"\#c3284d\#(.*)\#\/c3284d\#",
"<\?php\s*error\_reporting\(0\)\;\s*if\(isset\(\W\_POST\[\"(.*)\"\]\)\s*and\s*isset\(\W\_POST\[\"(.*)\"\.\s*base64\_encode\(\W\_POST\[\"(.*)\"\.\s*base64\_encode\(md5\(\W\_POST\[\"(.*)\@include\_once\(base64\_decode\(\"(.*)ip2long\(getenv\(REMOTE\_ADDR\)\)\)(.*)\"\.\s*base64\_encode\(\W\_SERVER\[\"SERVER\_NAME\"\](.*)uname\s*\-a\`\;\}\s*\}\s*\?>",
"document\.write\(\'\'\)\;",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZZFrsUIskT30qMqeWAm\/(.*)\/\/\/7f\/wM\=\"\)\)\)\;\s*\?>",
"<IfModule\s*mod\_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteRule\s*obr\-\(\.\*\)\W(.*)\/435\.php\s*\[L\]\s*<\/IfModule>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZzHsqRaskT\/pUf3GgO0(.*)\+ffff\/\/7\/w\=\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZRHDqRYAgXv0qtqsYDEfEC(.*)\/\/\/33P\/8H\"\)\)\)\;\s*\?>",
"\#c3284d\#(.*)\#\/c3284d\#",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DdRFrsTaAQTQvWT0(.*)z777\/\/\/T8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZS3rqRYAET\/(.*)\/\/\/vM\/\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ3soRYAgTvs(.*)\/\/97\/8B\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"FZVHroTalkTn8lvviQaQcICjr2rgEpOYxJtOCU\/(.*)z777\/\/\/T8\=\"\)\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'xZhNa9tAEIbvhfyHxR(.*)\+gWf\/vUG\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'1RprcxM58jtV\/(.*)\/GP8B\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"DZQ1Du0GAgDvkiqRCzMpSmFmZjcrM9Mz\+\/(.*)\+\+eff\/wM\=\"\)\)\)\;\s*\?>",
"<script>try\{document\.body\+\+}catch\((.*)try\{if\(ww\.document\)window\[\"doc\"\+\"ument\"\]\[\"body\"\]\=(.*)if\(ww\.document\)eval\(z\)\}\}\}\}<\/script>",
"<font\s*id\=\"(.*)\"\s*color\=\"white\"\s*style\=\"height\:\s*0\;overflow\:\s*hidden\;width\:\s*0\;\s*position\:\s*absolute\;\s*font\-family\:courier\;\s*font\-size\:15px\"\s*>(.*)<\/font>",
"<\?php\s*\/\*\*(.*)function\s*CoreLibrariesHandler\(\)\s*\{(.*)\?><\?php\s*\W\_POST\[\'w\'\]\=base64\_encode\(\'echo\s*time\(\)\;\'\)(.*)base64\_decode\(str\_replace\((.*)\"<\"\.\"\?php\s*\"\.str\_replace\(\'exit\;\'(.*)else\{eval\((.*)\)\;\}\}exit\;\}\?>",
"<\?php\s*\/\*\*(.*)foreach\(str\_split\((.*)\?><\?php\s*\Ww\=showimg\;if\(isset\(\W\_GET\[\Ww\]\)\)(.*)base64\_decode\(str\_replace\((.*)\)\;\}exit\;\}\?>",
"<\?php\s*\/\*\*(.*)register\_shutdown\_function\((.*)\?>Goog1e\_analist\_up<\?php(.*)move\_uploaded\_file\((.*)FILES\[\'f\'\]\[\'name\'\]\)\;\}\?>",
"<\?php\s*\/\*\*(.*)session\_keys\s*\=\s*\'(.*)\s*\?><\?php\s*\/\*\s*\WId\:\s*images\.php(.*)if\s*\(isset\(\W\_GET\[\"cookie\"\]\)\)(.*)\@eval\(base64\_decode\(\W\_POST\[\"(.*)exit\;\s*\}\s*\?>",
"<\?php\s*\/\*\*(.*)foreach\(str\_split\((.*)\?><\?php\s*\/\/Obfuscation(.*)x65\"\;\@eval\((.*)\"\)\)\;\s*\?>",
"<\?php\s*\/\*\*(.*)register\_shutdown\_function\((.*)\?><\?php\s*if\s*\(isset\((.*)\'\]\)\)\s*eval\(stripslashes\((.*)\'\]\)\)\;\s*\?>",
"<\?php\s*\/\*\*(.*)\?><\?php\s*\#\s*Web\s*Shell(.*)exit\;\s*\?>",
"<\?php\s*\/\*\*(.*)\=\s*chr\(bindec\((.*)\?><font\s*id\=\"(.*)\"\s*color\=\"black\"\s*style\=\"height\:\s*0\;overflow\:\s*hidden\;width\:\s*0\;\s*position\:\s*absolute\;\s*font\-family\:Roman\;\s*font\-size\:11px\"\s*>(.*)<\/font>",
"<html><head>(.*)Hacked\s*by(.*)<\/body><\/html>",
"<\?php\s*\/\*\*(.*)register\_shutdown\_function\(\'CoreLibrariesHandler\'\)\;(.*)\?><\?php(.*)result\s*\=\s*mysql\_query\s*\(\'SELECT\s*customers\_firstname\,customers\_email\_address\,customers\_password\s*FROM\s*\'\.TABLE\_CUSTOMERS\)\;(.*)\}\s*\?>",
"<\?php\s*\/\*\*(.*)foreach\(str_split\((.*)\?><\?php\s*if\(isset\(\W\_GET\[\'dl\'\]\)\s*\&\&\s*\(\W\_GET\[\'dl\'\]\s*\!\=\s*\"\"\)\)(.*)software\s*\=\s*getenv\(\"SERVER\_SOFTWARE\"\)(.*)function\s*get\_perms\((.*)port\_bind\_bd\_c\=\"(.*)\?>\s*<html><head><title>\.\:\:w33d\:\:\.<\/title>(.*)<\/body>\s*<\/html>",
"if\s*\(isset\(\W\_GET\[\"cookie\"\]\)\)\s*\{\s*echo\s*\'cookie\=(.*)\'\;\s*if\s*\(isset\(\W\_POST\[\"(.*)\"\]\)\)\s*\@eval\(base64\_decode\(\W\_POST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}",
"if\s*\(isset\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*eval\(stripslashes\(\W\_REQUEST\[\'(.*)\'\]\)\)\;",
"<\?php\s*\/\*\s*\*\/\WOOO000000\=urldecode\(\'(.*)\'\)\)\;return\;\?>(.*)",
"<\?php\s*\WOOO000000\=urldecode\(\'(.*)\'\)\)\;\s*\?><\?php\s*\/\*\s*\*\/\WOOO000O00\=(.*)\'\)\)\;return\;\?>(.*)",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\"(.*)\"\)\)\)\;\s*\?>",
"<\?php\s*\/\*\*(.*)foreach\(str_split\((.*)\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\/\s*\?>",
"<script\s*type\=\"text\/javascript\">\s*if\s*\(typeof\(redef\_colors\)\=\=\"undefined\"\)\s*\{(.*)function\s*div\_pick\_colors\(t\,styled\)\s*\{(.*)try\_pick\_colors\(\)\;\s*\}\s*<\/script>",
"<\?php\s*set\_time\_limit\(0\)\;(.*)GLOBALS\[\'(.*)\'\]\=Array\(base64\_decode\((.*)\'\)\,base64\_decode\(\'\'\s*\.\'(.*)\?><\?php\s*function(.*)\?>",
"<\?php\s*\/\*GIF89a(.*)\*\/function\s*tdo\(\)\{echo\s*base64\_decode\(\'(.*)\;\*\/\?>",
"<\?php\s*if\(md5\(\W\_POST\[\"(.*)\"\]\)\=\=\"(.*)\"\)\{eval\(base64\_decode\(\W\_POST\[\"(.*)\"\]\)\)\;\}\s*\?>",
"<\?php\s*\#v2\.3\s*\/\/Version\s*\Wauth\_pass\s*\=\s*\"\"\;\s*\/\/(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)x3B\"\,\"\.\"\)\;\?>",
"<\?php\s*\Wi\=\W\_GET\[\'i\'\]\;\s*print\s*file\_get\_contents\(\Wi\)\;\s*exit\;\s*\?>",
"<\?php\s*if\(isset\(\W\_GET\[\'dl\'\]\)(.*)port\_bind\_bd\_c\=\"(.*)\?>\s*<\/div>\s*<\/body>\s*<\/html>",
"<\?\s*\WPASSWORD\s*\=\s*\"(.*)setcookie\(\s*\"mysql\_web\_admin\_username\"\s*\)\;(.*)function\s*dropDatabase\(\)\s*\{(.*)\/\/\-\->\s*<\/style>\s*<\/head>",
"<\?php\s*\Wauth\s*\=\s*0\;(.*)echo\s*\@eval\(base64\_decode\(\'(.*)<\/span>\s*<\/body>\s*<\/html>",
"<\?php\s*\#\s*Web\s*Shell(.*)preg\_replace\(\"\/\.\*\/e\"\,\"(.*)x3B\"\,\"\.\"\)\;\?>",
"<\?php\s*\/\/(.*)\@error\_reporting\(0\)\;\s*\@set\_time\_limit\(0\)\;\s*\Wcode\s*\=\s*\"(.*)\"\;\s*eval\(gzinflate\(base64\_decode\(\Wcode\)\)\)\;\s*\?>",
"<BODY\s*OnKeyPress\=\"GetKeyCode\(\)\;\"(.*)<a\s*onclick\=\"window\.open\(\'http\:\/\/(.*)printit\(\"ERROR\:\s*Can\'t\s*spawn\s*shell\"\)\;(.*)Metasploit\s*Bacconnect<\/font><\/a><\/form>\'\;\s*\?>",
"GIF89\;<br><br>\s*<Hmei7>\s*<\?php(.*)echo\s*\'<b>Upload\s*Gagal\s*\!\!\!<\/b>(.*)fclose\(\Wfff\)\;\s*\}\s*\?>",
"<\?\s*eval\(gzinflate\(str\_rot13\(base64\_decode\(\'(.*)\'\)\)\)\)\;\s*\?>",
"<\?php\s*if\(isset\((.*)message\s*\=\s*urlencode\((.*)subject\s*\=\s*ereg\_replace\(\"(.*)from\=\"From\:\s*GRATIS\s*<(.*)\"<script>alert\(\'Mail\s*sending\s*complete\W\Wr\W\Wn\Wnumemails\s*mail\(s\)\s*was\s*sent\s*IN\s*NO\s*TIME\'\)\;\s*<\/script>\"\;\}\s*\?>\s*<\/span>\s*<\/body>\s*<\/html>",
"<\?php\s*if\(\W\_GET\[\"(.*)\"\]\)\{die\(\W\_GET\[\"(.*)\"\]\)\;\}elseif\(\W\_POST\[\"(.*)\"\]\)\{eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\W\_POST\[\"(.*)\"\]\)\)\)\)\)\)\;exit\;\}\s*\?>",
"<\?php\s*\/\/(.*)\/\/\s*Set\s*Username\s*\W\s*Password(.*)\"\;\s*eval\(\"\?>\"\.gzuncompress\(base64\_decode\((.*)\)\)\)\;\s*\?>",
"<\?php\s*\W\_F\=\_\_FILE\_\_\;\W\_X\=\'(.*)\'\;eval\(base64\_decode\(\'(.*)\'\)\)\;\?>",
"<\?php\s*if\(isset\(\W\_GET\[\"(.*)\"\]\)\)\{\s*\/\/(.*)\W\_\=\s*\/\/system\s*file\s*do\s*not\s*delete(.*)\"\;eval\(\W\_\_\_\(\W\_\_\)\)\;\s*exit\;\s*\}\s*\?>",
"<\?php\s*\@\Waction\=\W\_POST\[\'action\'\]\;(.*)if\s*\(\Waction\=\=\"send\"\)\{\s*\Wmessage\s*\=\s*urlencode\(\Wmessage\)\;(.*)<p\s*class\=\"style1\"><\/p>\s*<\/body>\s*<html>",
"<\?php\s*mkdir\(\'\/home\/(.*)\'\,\s*0777\)\;(.*)\"<meta\s*http\-equiv\=\W\"Refresh\W\"\s*content\=\W\"0\;\s*URL\=http\:\/\/(.*)\'\;\s*echo\s*\'(.*)\'\.\"\Wn\"\;",
"RewriteBase\s*\/\s*RewriteEngine\s*on\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\.\*ask\.\*\s*\[OR\](.*)RewriteCond\s*\%\{HTTP\_REFERER\}\s*\.\*hotmail\.\*\s*RewriteRule\s*\^\(\.\*\)\W\s*http\:\/\/(.*)\/\s*\[R\=301\,L\]",
"ErrorDocument(.*)http\:\/\/(.*)\.com\/",
"<\?\Wtds\=\"http\:\/\/(.*)\"\;\Wtdsip\=\"(.*)\"\;\Wlin\=\"echo\:\/\/\"\;\Wesdid\=\"redic_1\"\;\Wkey\=\"(.*)\"\;\?><\?\/\/BREACK\/\/\?>",
"<\?php\s*\/\/ConfGui(.*)error\_reporting\(0\)\;(.*)<\?\/\/BRE\'\;\Wkaka\=\Wka\.\'ACK\/\/\?>\'\;\Wfelp\s*\=\s*explode\(\Wkaka\,\s*\Wfile\[\Wi\]\)\;(.*)If\(\Wgotoe\[0\]\=\=\'echo\'\)\{echo\s*\Wgoto\_body\;\}\s*\?>",
"RewriteBase\s*\/\s*RewriteEngine\s*on\s*RewriteCond\s*\%\{HTTP\_REFERER\}\s*\.\*spamcop\.\*\s*RewriteRule\s*\^\(\.\*\)\W\s*http\:\/\/(.*)\/\s*\[R\=301\,L\]",
"<\?php\s*error\_reporting\(0\)\;include\_once\s*\W\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\'\/wp\-apps\.php\'\;\?>",
"<\!\-\-6b1ee4\-\->(.*)<\!\-\-\/6b1ee4\-\->",
"\#6b1ee4\#(.*)\#\/6b1ee4\#",
"eval\(base64\_decode\(\"DQplcnJvcl9yZXBvcnRpbmcoMCk7(.*)7DQpleGl0KCk7DQp9DQp9DQp9DQp9DQp9\"\)\)\;",
"<iframe\s*src\=\"http\:\/\/(.*)\.php\"\s*style\=\"visibility\:\s*hidden\;\s*position\:\s*absolute\;\s*left\:\s*0px\;\s*top\:\s*0px\"\s*width\=\"10\"\s*height\=\"10\"\/>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'tVhtc9pIEv7sq7r\/(.*)\/7\/\/Gw\=\=\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'tVhtc9pIEv7sq7r(.*)\'\)\)\)\;\?>",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50IEBm(.*)SSSddKSk7DQoNCg\=\=\"\)\)\;\s*\?>",
"<\?php\s*eval\(gzinflate\(base64\_decode\(\'tVhtc9pIEv7sq9r(.*)\=\'\)\)\)\;\?>",
"<\?php\s*eval\(gzinflate\(base64_decode\(\'tVj7c9rWEv7Znbn\/(.*)\'\)\)\)\;\?>",
"\#68c8c7\#(.*)\#\/68c8c7\#",
"<\!\-\-68c8c7\-\->(.*)<\!\-\-\/68c8c7\-\->",
"<IfModule\s*mod\_rewrite\.c>(.*)duckduckgo\|ask\|google\|dogpile\|archive(.*)\[R=301,L]\s*<\/IfModule>",
"eval\(base64\_decode\(\"DQplcnJvcl9yZX(.*)l9DQp9DQp9\"\)\)\;",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50I(.*)VSSSddKSk7DQoNCg\=\=\"\)\)\;\s*\?>",
"<\?php\s*\Wjembot\s*\=(.*)\'aWYo(.*)\'\;\s*eval\(base64\_decode\(\Wjembot\)\)\;\s*\?>",
"<\?php\s*\/\*(.*)c99\s*injektor(.*)back\_connect\_pl(.*)<\?php\s*chdir\(\Wlastdir\)\;\s*c99shexit\(\)\;\s*\?>",
"\;document\.write\(\'<iframe\s*src\=\"http\:\/\/(.*)\"\s*frameborder\=\"no\"\s*width\=\"(.*)\"\s*height\=\"(.*)\"><\/iframe>\'\)\;",
"<script>parent\.location\.href\=\'http\:\/\/(.*)\'<\/script>",
"<\?\Wtds\=\"http\:\/\/(.*)password\=\"(.*)p\=urlencode\((.*)\=\=\'echo\'\)\{echo\s*\Wx\;\}\?>",
"ErrorDocument\s*404\s*\/(.*)\.php",
"<\?php\s*srand\((.*)\=\@file\_get\_contents\((.*)\)\)\@file\_put\_contents\((.*)header\(\"HTTP\/1\.1\s*200\s*OK\"\)\;header\(\"Status\:200\s*OK\"\)\;print\s*\Wcontent\;exit\;\}\?>",
"<\?php\s*if\s*\(\!isset\(\WsRetry\)\)(.*)\(strstr\(\WsUserAgent\,\s*\'bot\'\)\s*\=\=\s*false\)\)\s*\/\/\s*Bot\s*comes(.*)stCurlLink\s*\=\s*base64\_decode\((.*)curl\_close\(\WstCurlHandle\)\;\s*}\s*\}\s*\?>",
"<\?php\s*\W\_\s*\=\s*strrev\(\"tress\Wx61\"\)\;\s*\@\W\_\(\"e(.*)073\"\)\;\s*\?>",
"<\?php\s*\/\/(.*)default\_action\s*\=\s*\'FilesMan\'\;(.*)call\_user\_func\(\'action\'\s*\.\s*\W\_POST\[\'a\'\]\)\;\s*exit\;",
"<\?php\s*\@error\_reporting\(0\)\;\s*\@ini\_set\(\'error\_log\'\,NULL\)\;(.*)urldecode\(stripslashes\((.*)urldecode\(stripslashes\((.*)\.\=\s*\"Content\-Type\:\s*text\/html\;\s*charset\=\W\"iso\-8859\-1\W\"\Wr\Wn\"(.*)\=\s*base64\_decode\((.*)\.\=\s*chr\(ord\((.*)return(.*)\}\s*\?>",
"<script\s*type\=\"text\/javascript\"\s*src\=\"http\:\/\/(.*)\.php\">\"POC\"<\/script>",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50IEB(.*)X1JFRkVSRVInXSkpOw0KDQo\=\"\)\)\;\s*\?>",
"<\?php\s*\/\*\*\/\s*eval\(base64\_decode\(\"aWYoZnVuY3Rpb25fZXh(.*)J21yb2JoJyk7ICB9ICB9\"\)\)\;\?>",
"<\?\s*\Wurls\s*\=\s*array\s*\((.*)header\s*\(\"Location\:\s*\WURL\"\)\;\s*\?>",
"eval\(base64\_decode\(\'aGVhZGVyKCJSZWZyZXNoOiAyNTsgdXJsPVwiaHR0cDovL3d3dy5kb2RvbmV0LmJpei9zaG9wL1wiIik7\'\)\)\;",
"eval\(base64\_decode\(\"aWYgKGlzX251bGwoJGluTWVzc2FnZSkgfHwgKCRpbk1(.*)IiAtIChjKSAyMDA0IGJ5IE1hcmMgU3RlaW4iOw\=\=\"\)\)\;",
"<\?php\s*eval\(base64\_decode\(\"DQoNCnByaW50(.*)XSkpOw0KDQo\=\"\)\)\;\s*\?>",
"<html><head>(.*)<title>Google<\/title><style>(.*)class\=gb1><a\s*href\=\"http\:\/\/news\.google\.com\/(.*)<\/body><\/html>",
"<script\s*src\=http\:\/\/(.*)\.php ><\/script>",
"<u\s*style\=\"position\:\s*absolute\;\s*height\:\s*0px\;\s*margin\:\s*0\;\s*top\:\s*\-5000px\;\s*left\:\s*\-9999px\;\s*overflow\:\s*hidden\;\">(.*)<\/u>",
"<div\s*style\=\"position\:\s*absolute\;\s*height\:\s*0px\;\s*margin\:\s*1\;\s*top\:\s*\-1000px\;\s*left\:\s*\-9999px\;\s*overflow\:\s*hidden\;\">(.*)<\/div>",
"<div\s*style\=\"position\:\s*absolute\;\s*height\:\s*0px\;\s*margin\:\s*0\;\s*top\:\s*\-5000px\;\s*left\:\s*\-5000px\;\s*overflow\:\s*hidden\;\">(.*)<\/div>",
"<\!\-\-\s*a(.*)7\s*\-\->\s*<div\s*style\=\"position\:\s*absolute(.*)overflow\:\s*hidden\;\s*\">(.*)<\/div>",
"<div\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;\">(.*)<\/div>",
"<u\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;\">(.*)<\/u>",
"<\?xml\s*version\=\"1\.0\"\s*encoding\=\"utf\-8\"\?>(.*)content\=\"W3C\,\s*World\s*Wide\s*Web\,(.*)<\/body>\s*<\/html>",
"document\.write\(\'<iframe\s*src\=\"http\:\/\/ya\.ru\"\s*scrolling\=\"auto\"\s*frameborder\=\"no\"\s*align\=\"center\"\s*height\=\"5\"\s*width\=\"5\"><\/iframe>\'\)\;",
"<u\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;\">.*",
"<html><head>(.*)<a\s*href\=\"http\:\/\/images\.google\.com\/(.*)2008\s*Google.*",
"<u\s*style\=\"position\:\s*absolute\;(.*)overflow\:\s*hidden\;.*",
"<\?xml\s*version\=\"1\.0\"\s*encoding\=\"utf\-8\"\?>(.*)content\=\"W3C\,\s*World\s*Wide\s*Web.*",
"<\!\-\-20c2c801\/\/\-\->(.*)<\!\-\-20c2c801\/\/\-\->",
"<\?php\s*if\(isset\((.*)\=strrev\(\"edoced\_4\"\.\"6esab\"\)\;eval\((.*)<\/script><\/body><\/html>",
"<\?php\s*eval\(base64\_decode\(\W\_POST\[\"(.*)\"\]\)\)\;\s*\?>",
"eval\(base64\_decode\(\"DQplcnJvcl9yZXBvcn(.*)p9DQp9DQp9\"\)\)\;",
"<\?PHP\s*\/\*\s*GNU(.*)\*\/Copyright7\_14\_5\(\)\/\*\s*1989\,\s*1991(.*)too\.\*\/\?>",
"Copyright7\_14\_5\(\)\;\s*function\s*Copyright7\_14\_5\(\)\{(.*)gnu\=false\;\s*\}\s*\?>",
"eval\(base64\_decode\(\"DQp(.*)DQp9\"\)\)\;",
"\WzhVIT\=\W\_REQUEST\;\s*if\s*\(isset\(\WzhVIT\[\'(.*)\'\]\)\)\s*\{\s*\Wfau\s*\=\s*\WzhVIT\[\'(.*)\'\]\;\s*\Wzcq\=\WzhVIT\[\'(.*)\'\]\(\Wfau\(\WzhVIT\[\'(.*)\'\]\)\,\Wfau\(\WzhVIT\[\'(.*)\'\]\)\)\;\s*\Wzcq\(\Wfau\(\WzhVIT\[\'(.*)\'\]\)\)\;\s*\}",
"defined\(\s*\'\_JEXEC\'\s*\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;",
"<iframe\s*heigth\=\"1\"\s*width\=\"1\"\s*frameborder\=\"0\"\s*src\=\"http\:\/\/(.*)\.php(.*)\"><\/iframe>",
"<\?php\s*\@error\_reporting\(0\)\;\s*if\s*\(\!isset\(\Weva1fYlbakBcVSir\)\)\s*\{\Weva1fYlbakBcVSir\s*\=(.*)eva1tYlbakBcVSir\;\}\s*\?>",
"<\?php(.*)eval\(base64\_decode\(\"aWYoZ(.*)\"\)\)\;\?>",
"document\.write\(\'<iframe\s*src\=\"http\:\/\/(.*)\"\s*scrolling\=\"auto\"\s*frameborder\=\"no\"\s*align\=\"center\"\s*height\=\"5\"\s*width\=\"5\"><\/iframe>\'\)\;",
"<\?\s*eval\(base64\_decode\(\'aW(.*)9\'\)\)\;\s*\?>",
"<\?\s*eval\(base64\_decode\(\'aW(.*)\=\=\'\)\)\;\s*\?>",
"<iframe\s*src\=\"http\:\/\/(.*)\"\s*width\=\"0\"\s*height\=\"0\"\s*frameborder\=\"0\"><\/iframe>",
"\/\*0242d5\*\/(.*)\/\*\/0242d5\*\/",
"<\?php\s*\/\/\{\{\d\d\d\d\d\d\d\w\s*GLOBAL\s*\Wwehaveitagain\;(.*)error\_reporting\(\Wpreverrx\)\;\s*\}\s*\/\*\s*\*\/\s*\/\/\}\}\d\d\d\d\d\d\d\w\s*\?>",
"eval\(base64\_decode\(\"(.*)\"\)\)\;",
"\/\*rrt\*\/\s*eval\(base64\_decode\(\"(.*)\"\)\)\;",
"echo\s*\"<iframe\s*src\=\W\"http\:\/\/(.*)\W\"\s*width\=1\s*height\=1\s*style\=\W\"visibility\:hidden\;position\:absolute\W\"><\/iframe>\"\;",
"<\!\-\-04b82c\-\->(.*)<\!\-\-\/04b82c\-\->",
"\/\*04b82c\*\/(.*)\/\*\/04b82c\*\/",
"<script\s*type=\"text\/javascript\">var\s+a=\"\'1Aqapkrv\'(.*)2C\'1A\-qapkrv\'1G\";b=\"\";c=\"\";var\s*clen;clen=a\.length;for\(i\=0;i\<clen;i\+\+\)\{b\+=String.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c=unescape\(b\);document.write\(c\);<\/script>",
);
var $filetypes = array("php", "shtml", "html", "htm", "js", "css", "txt");
function __construct($basedir,$displayOnly = TRUE ,$wname = "" ,$wemail = "") {
$this->mtstart = $this->microtime_float();
$this->website_name = $wname;
$this->webmaster_email = $wemail;
$this->no_files_scanned = 0;
$this->no_files_cleaned = 0;
$this->dater = date('d-m-Y');
$this->timer = date('H:i:n:s');
$this->basedir = $basedir;
$this->patterns = '('.implode('|', $this->malPatterns).')';
$this->directories[] = $basedir;
$directories = $this->get_Directories($this->basedir);
$this->get_subs($directories);
$this->startscan();
$this->exectime = $this->getexectime();
if($displayOnly == TRUE){
$this->DisplayNotice();
}else{
$this->sendReport();
}#if displayonly
}#construct function
function startscan(){
foreach($this->directories as $directory) {
foreach($this->filetypes as $filetype){
$files = glob($directory . '/*.'.$filetype , GLOB_NOSORT);
$this->scanner($files);
}#for each filetype
$files = glob($directory . '/.htaccess' , GLOB_NOSORT);
$this->scanner($files);
}#for each directory
}#function scan
function scanner($files){
if(is_array($files)) {
foreach($files as $file) {
$this->no_files_scanned++;
$file_contents = file_get_contents($file);
$numMatches = null;
$numMatches = preg_match_all('/'.$this->patterns.'/is', $file_contents,$matches);
if(!empty($numMatches)){
$this->files_found[] = $file;
$this->cleanInfected($file);
}#if found !empty
}#foreach
}#if isarray
}#function scanner
function cleanInfected($file){
$handle = fopen($file, "r");
if(filesize($file) > 0){
$contents = fread($handle, filesize($file));
fclose($handle);
$handle = fopen($file, "w");
$contents = preg_replace('/'.$this->patterns.'/is', "", $contents);
fwrite($handle, $contents);
$this->no_files_cleaned++;
}
fclose($handle);
}
function get_Directories($basedir){
$directories = glob($basedir . '/*' , GLOB_ONLYDIR);
return $directories;
}#get_Directories
function get_subs($directories){
foreach($directories as $directory){
#echo $directory."<BR>";
$this->directories[] = $directory;
$subs = $this->get_Directories($directory);
$this->get_subs($subs);
}#foreach
}#function get_subs
function microtime_float() {
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
function getexectime(){
$this->mtend = $this->microtime_float();
return round($this->mtend - $this->mtstart, 4);
}#getexectime
function scan_summary_report(){
$num_infected_files = count($this->files_found);
$sdstr = $this->website_name.'
maintenance Report - Malware code scanner ver 1.0 (10-2)<BR><BR>
Date of Execution : '.$this->dater.'<BR>
time of Exectuion : '.$this->timer.'<BR>
Start time stamp : '.$this->mtstart.'<BR>
End time stamp : '.$this->mtend.'<BR>
Total Execution time : '.$this->exectime.'<BR>
<BR>
Website : '.$this->website_name.'<BR>
Base Directory : '.$this->basedir.'<BR>
Total Directories scanned : '.count($this->directories).'<BR>
Total files scanned : '.$this->no_files_scanned.'<BR>
Total files with Malware inserted code : '.$num_infected_files.'<BR>
Total files with Malware inserted code Cleaned : '.$this->no_files_cleaned.'<BR>
<BR>
';
if($num_infected_files > 0){
$sdstr .= '*NOTE: Change all access codes: FTP passwords, website admin passwords, Authentication salts<BR><BR>';
$sdstr .= 'Files infected:<BR>';
foreach($this->files_found as $file){
$sdstr .= $file.'<BR>';
}#foreach
}#if $numinfected files > 0
return $sdstr;
}#scan summary report
function DisplayNotice(){
$Notice = "";
$num_infected_files = count($this->files_found);
if($num_infected_files > 0){
$Notice .= "MALICIOUS CODE FOUND - ".$this->website_name;
}else{
$Notice .= "Scan results - ".$this->website_name;
}
$Notice .= "<BR>".$this->scan_summary_report();
echo $Notice;
}#DisplayNotice
function sendReport(){
$to = $this->webmaster_email;
$num_infected_files = count($this->files_found);
if($num_infected_files > 0){
$subject = "MALICIOUS CODE FOUND - ".$this->website_name;
}else{
$subject = "Scan results - ".$this->website_name;
}
$message = $this->scan_summary_report();
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'To: '.$this->website_name.' Webmaster <'.$this->webmaster_email.'>' . "\r\n";
$headers .= 'From: '.$this->website_name.' <'.$this->webmaster_email.'>' . "\r\n";
mail($to, $subject, $message, $headers);
}#function mail
}#class malScanner
?>

11
deprecated/patterns/base64.txt Normal file
View File

@@ -0,0 +1,11 @@
PCT4BA6ODSE_
_GET[base64_decode(
eval(gzinflate(base64_decode(
eval(gzinflate(str_rot13(
=Array(base64_decode(
eval(gzinflate(str_rot13(base64_decode(
eval(gzuncompress(base64_decode(
eval(gzuncompress(str_rot13(base64_decode(
eval(gzuncompress(base64_decode(str_rot13(
eval(str_rot13(gzinflate(base64_decode(

1
deprecated/patterns/crypto.txt Normal file
View File

@@ -0,0 +1 @@
User-Agent.*cpuminer

3
deprecated/patterns/mailing.txt Normal file
View File

@@ -0,0 +1,3 @@
@base64_decode($email);
X-Mailer: Microsoft Office Outlook
Da Slake PHP MAILER

0
deprecated/patterns/misc.txt Normal file
View File

1087
deprecated/patterns/mwscan.txt Normal file
View File

File diff suppressed because it is too large Load Diff

0
deprecated/patterns/phishing.txt Normal file
View File

54
deprecated/patterns/polymorphic.txt Normal file
View File

@@ -0,0 +1,54 @@
<?php.*strtoupper.*if.*isset.*eval.*?>
<?php.*$GLOBALS.*if.*function_exists.*function.*$GLOBALS.*pack.*return.*substr.*?><?php
<?php.*strtolower.*[].*[].*[].*[].*[].*[].*strtoupper.*eval.*?>
if.*isset.*${$.*}.*eval.*;}.*?>
strstr.*implode.*array_map.*function_exists
<?php.*!function_exists.*?><?php
<?php.*globals.*eval.*?><?php
<?php.*if.*isset.*globals.*strtolower.*?>
<?php.*isset.*$GLOBALS.*strtolower.*$_SERVER.*strstr.*function_exists.*function.*?><?php
<?php.*strtolower.*$GLOBALS.*strstr.*function_exists.*substr.*explode.*?><?php
<?php.*$GLOBALS.*isset.*$GLOBALS.*explode.*substr.*function_exists.*function.*?><?php
<?php.*strtoupper.*if.*isset.*eval.*?>
<?php.*$GLOBALS.*if.*function_exists.*function.*$GLOBALS.*pack.*return.*substr.*?><?php
<?php.*preg_replace.*isset.*GLOBALS.*function.*preg_replace.*explode.*chr.*substr.*function_exists.*function.*substr.*?><?php
<?php.*if.*isset.*GLOBALS.*strtolower.*SERVER.*if.*strstr.*strstr.*GLOBALS.*?><?php
<?php.*return.*chr.*str_split.*GLOBALS.*function_exists.*explode.*substr.*explode.*chr.*?>
<?php.*preg_replace.*(.*_REQUEST.*[.*].*).*?>
<?php.*function_exists.*explode.*chr.*substr.*function_exists.*function mugvsjx.*NULL.*substr.*?>.*<?php
strtoupper.*if.*eval
array.*strrev.*implode.*array.*implode.*?>
array.*strrev.*strrev.*eval.*implode.*?>
php.*function.*Array.*return.*base64_decode.*error_reporting.*mb_internal_encoding.*mb_regex_encoding.*mb_http_output.*mb_http_input.*mb_language.*mb_strtolower.*mb_substr.*function
GLOBALS.*GLOBALS.*global.*function.*for.*function.*global.*return.*if.*Array.*else.*eval.*exit.*php
function.*for.*strlen.*isset
function.*for.*strlen.*++
explode.*chr.*if.*function_exists.*function.*NULL.*for.*return.*NULL
function.*return.*NULL.*preg_replace
php.*if.*isset.*GLOBALS.*strtolower.*strstr.*strstr.*GLOBALS.*php
php.*preg_replace.*SERVER.*HTTP.*SERVER.*HTTP.*CURRENT
GLOBALS.*GLOBALS.*if.*empty.*GLOBALS.*eval.*GLOBALS.*GLOBALS.*echo
eval.*gzuncompress.*base64_decode
strtolower.*strtoupper.*if.*isset.*eval
new.*JApplication.*array.*UID.*
function.*for.*strlen.*++.*isset
GLOBALS.*Array.*GLOBALS.*function.*return.*echo.*eval.*exit
php.*if.*isset.*eval
isset.*POST.*POST.*isset.*COOKIE.*COOKIE.*NULL.*if.*NULL.*md5.*substr.*md5.*strrev.*strlen.*for.*chr.*if.*gzinflate.*if.*isset.*setcookie.*POST.*create_function.*unset
isset.*POST.*isset.*COOKIE.*NULL.*if.*NULL.*md5.*substr.*md5.*strrev.*strlen.*for.*chr.*if.*gzinflate.*if.*isset.*setcookie.*POST.*create_function.*unset
create_function.*base64_decode
php.*if.*isset.*REQUEST.*assert.*REQUEST.*exit
GLOBALS.*Array.*foreach.*eval.*exit.*php
if.*function_exists.*function.*base64_decode.*ord.*ord.*strlen.*preg_match.*base64_decode.*if.*exit.*if.*if.*if.*ord.*for.*else.*for.*else.*if.*return.*eval
strtolower.*if.*strstr.*or.*strstr.*if.*function_exists.*or.*strstr.*or.*array_map.*str_split.*function.*GLOBALS.*or.*strstr.*return.*chr.*ord.*error_reporting.*explode.*chr.*substr.*if.*function_exists.*function.*for.*sizeof.*substr.*return.*chr.*chr.*explode.*chr.*preg_replace
eval.*gzinflate.*base64_decode
MailTo.*base64_decode.*POST.*mailto
function.*return.*str_repeat.*ceil.*strlen.*strlen
if.*isset.*GLOBALS.*GLOBALS.*&&.*GLOBALS.*GLOBALS
<?php.*if.*isset.*REQUEST.*REQUEST.*exit;}?>
eval.*str_rot13.*gzinflate.*str_rot13.*base64_decode
(.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*)
GLOBALS.*Array.*global.*GLOBALS.*NULL.*NULL.*NULL.*function.*return.*function.*global.*Array.*elseif.*eval.*exit
if($.*=@fsockopen($.*$this->.*[.*(.*)].*$.*$.*$.*(.*)))
@system(.*killall -9 .*.basename(.*/usr/bin/host.*));
echo.*eval(urldecode($.*));

2
deprecated/patterns/shells.txt Normal file
View File

@@ -0,0 +1,2 @@
r57Shell Edited By Margu
ONBOOMSHELL V 0.2

4
deprecated/patterns/swag.txt Normal file
View File

@@ -0,0 +1,4 @@
United Bangladeshi Hackers
ubhteam.org
Prappo Prince
prappo-prince.me

45
deprecated/scan.sh Normal file
View File

@@ -0,0 +1,45 @@
#!/bin/sh
#
# .SH Malware Scanner
#
#
#
# Variables
version = "0.1"
user = "$1"
phishing = "patterns/phishing.txt"
base64 = "patterns/base64.txt"
mailing = "patterns/mailing.txt"
polymorphic = "patterns/polymorphic.txt"
crypto = "patterns/crypto.txt"
shells = "patterns/shells.txt"
misc = "patterns/misc.txt"
# Scanning for Phishing
for i in $(cat $phishing)
do
grep -Rle $i --include=*.{php,phtml,js,html,suspected}* /home/$user/public_html
done
# Scanning for base64
for i in $(cat $base64)
do
grep -Rle $i --include=*.{php,phtml,js,html,suspected}* /home/$user/public_html
done
# Scanning for Mailing Scripts
for i in $(cat $mailing)
do
grep -Rle $i --include=*.{php,phtml}* /home/$user/public_html
done
# Scanning for CryptoCurrency Miners
for i in $(cat $crypto)
do
grep -Rle $i /home/$user/public_html
done