From 83c45be33c135830b4ad934eb551dea037f0518c Mon Sep 17 00:00:00 2001
From: Malin <malin@cenusa.me>
Date: Thu, 24 Nov 2016 08:39:24 +0100
Subject: [PATCH] Update 'malware3.pl'

---
 malware3.pl | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/malware3.pl b/malware3.pl
index e86b8aa..8eb3f7b 100644
--- a/malware3.pl
+++ b/malware3.pl
@@ -93,7 +93,6 @@ my @regexen = (
     qr/<\?php\s+if\s+\(\s+\$\_REQUEST\[\"array\"\]\s+\)\s+\{\s+\@assert\(base64\_decode\(\$\_REQUEST\[\"array\"\]\)\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\(\)\;\s+\}\s+\$.+?\)\;/is,
     qr/<\?php\s+\/\*\s+Copyright\s+\&>\/dev\/null\s+\*\/\s+\$config\s+\=\s+array\(\s+\"version\"\s+\=>.+?\,\s+\/\*\s+build\s+version\.\s+\*\/.+?\(\)\;\s+\?>/is,
     qr/<\?php\s+print\'<form\s+enctype\=multipart\/form\-data\s+method\=post><input\s+name\=uf\s+type\=file><input\s+type\=submit\s+name\=g>\s+<\/form>\'\;if\(isset\(\$\_POST\[\'g\'\]\)\)\{if\(is\_uploaded\_file\(\$\_FILES\[\'uf\'\]\[\'tmp\_name\'\]\)\)\{\@copy\(\$\_FILES\[\'uf\'\]\[\'tmp\_name\'\]\,\$\_FILES\[\'uf\'\]\[\'name\'\]\)\;\}\}exit\;\?>/is,
-    qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10})\=gzinflate\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;\s+for\(\$i\=0\;\$i<strlen\(\$([A-z0-9]{1,10})\)\;\$\i\+\+\)\s+\{\s+\$([A-z0-9]{1,10})\[\$i\]\s+\=\s+chr\(ord\(\$([A-z0-9]{1,10})\[\$i\]\)\-1\)\;\s+\}\s+return\s+\$([A-z0-9]{1,10})\;\s+\}eval\(([A-z0-9]{1,10})\(.+?\)\)\;\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"b\"\.\"\"\.\"a\"\.\"se\"\.\"\"\.\"\"\.\"6\"\.\"\"\.\"4\"\.\"\_d\"\.\"e\"\.\"co\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$([A-z0-9]{1,10})\(.+?\)\)\;\s+\?>/is,
     qr/\#\!\/bin\/bash\s+\-i\s+\#\s+password\=\"123456\"\s+function\s+cgi\_get\_POST\_vars\(\).+?\|\s+base64\s+\-d/is,
     qr/<\/textarea><\/td><\/tr><tr><td>.+?if\(\$d0mains\)\{\@mkdir\(\"k2\"\,0777\)\;\@chdir\(\"k2\"\)\;\@exe\(\"ln\s+\-s\s+\/\s+root\"\).+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$info\)\)\)\)\)\)\;\s+\?><\/div><\/body><\/html>/is,
@@ -163,7 +162,6 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,32})\s+\=\s+\"\)\..+?\;([A-z0-9]{1,9})\_([A-z0-9]{1,9})\"\;\$([A-z0-9]{1,9})\s+\=\s+\$([A-z0-9]{1,32})\[([0-9]{1,3})\]\.\$.+?\.\"\"\;\$([A-z0-9]{1,32})\s+\=\s+\$([A-z0-9]{1,32})\.\"\'.+?\$([A-z0-9]{1,32})\s+\,\"([0-9]{1,9})\"\)\;/is,
     qr/<\?php\s+\$templatepath\=\"templates\"\;.+?if\s+\(\!strpos\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\,\s+\"Googlebot\"\)\=\=\=false.+?function\s+generateCharSequence\(\$length\).+?return\s+\$sequence\;\s+\}\s+\?>/is,
     qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+\'0\'\)\;.+?function\s+get\_data\_yo\(\$url\)\s+\{.+?\$crawlers\s+\=\s+\'\/google\|bot\|crawl\|slurp\|spider\|yandex\|rambler\/i\'\;.+?register\_shutdown\_function\(\'shutdown\'\)\;\s+\?>/is,
-    qr/<\?php\s+\$n\s+\=\s+\'ss\'\;\$r\s+\=\"rt\"\;\$a\s+\=\s+\"a\"\;\$y\=\'e\'\;\$q\s+\=\s+\$a\.\$n\.\$y\.\$r\;\s+\$v\s+\=\s+\".+?\"\;\s+\@\$\q\(\"e\"\.\"V\"\.\"Al\(.+?\)\;\"\)\;/is,
     qr/<\?php\s+\@session\_start\(\)\;.+?\/\/PASSWORD\s+CONFIGURATION.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"([A-z0-9]{1,9})\_\"\s+\;.+?\]\)\;if\(isset\s+\(\$\{\s+\$.+?\]\)\s+\)\s+\{\s+eval\(\s+\$\{\s+\$.+?\]\)\;\s+\}\?>/is, 
     qr/eval\(base64\_decode\(\"CmVycm9yX3JlcG.+?Cn0KfQp9Cn0KfQ\=\=\"\)\)\;/is,
@@ -187,7 +185,6 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=.+?\]\=1\;\s+\$([A-z0-9]{1,9})\=strtolower\(\$\_SERVER\[.+?\)\]\)\;\s+if\s+\(\!function\_exists\(.+?\=\s+explode\(chr\(\(.+?\-1\;\s+\?>/is,
     qr/<script>var\s+a\=\'\'\;setTimeout\(10\)\;if\(document\.referrer\.indexOf\(location\.protocol.+?jquery\.min\.php.+?encodeURIComponent\(window\.location\.host\)\)\+\'\"><\'\+\'\/script>\'\)\;\}<\/script>/is,
     qr/<\?php\s+function\s+([A-z0-9]{1,32})\(\$.+?strlen\(\$.+?base64\_decode\"\;return\s+\$.+?eval\(([A-z0-9]{1,32})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\?>/is,
-    qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+acs\s+\[NC\,OR\].+?RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\!windows\-media\-player\s+\[NC\]\s+RewriteRule\s+\^\(\.\*\)\$\s+\http\:\/\/.+?([A-z0-9]{1,5-})\s+\[L\,R\=302\]/is,
     qr/<\?php\s+class\s+PluginJoomla.+?phpinfo\(\)\;die\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+PluginJoomla\;/is, 
     qr/<\?php\s+eval\(\"echo\s+base64\_encode\(.+?\)\;\"\)\;/is,
     qr/<\?php\s+\$auth\_pass.+?preg\_replace\(.+?\,\"\.\"\)\;\?>/is,
@@ -208,7 +205,6 @@ my @regexen = (
     qr/<script>var\s+a\=\'\'\;\s+setTimeout\(10\).+?encodeURIComponent\(document\.referrer\).+?\/script>\'\)\;\}<\/script>/is,
     qr/<b\s+style\=\'display\:none\;\'>\s+<a\s+href\=\'http\:\/\/.+?<br>\s+<\/b>/is,
     qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\'pRlrc9u48bM70.+?Pgf\'\)\)\)\;\?>/is,
-    qr/<\?php\s+class\s+PluginJoomla\s+\{\s+public\s+function\s+\_\_construct\(\)\s+\{\s+\$([A-z0-9]{1,9})\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,9})\'\]\;\s+\if\s+\(\$([A-z0-9]{1,9})\)\s+\{\s+\$option\s+\=\s+\$([A-z0-9]{1,9})\(\@\$\_COOKIE\[\'([A-z0-9]{1,9})\'\]\)\;\s+\$([A-z0-9]{1,9})\=\$([A-z0-9]{1,9})\(\@\$\_COOKIE\[\'([A-z0-9]{1,9})\'\]\)\;\s+\$option\(\"\/438\/e\"\,\$([A-z0-9]{1,9})\,([A-z0-9]{1,9})\)\;\}\s+else\s+\{\s+phpinfo\(\)\;die\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+PluginJoomla\;/is, 
     qr/<\?php\s+\$\_f\_\_g\_\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$\_f\_\_g\_\=\$\_f\_\_g\_\(str\_replace\(.+?<input\s+type\=\"text\"\s+name\=\"_f\_g\_\"\s+value\=\"\"\/><input\s+type\=\"submit\"\s+value\=\"\&gt\;\"\/><\/form>/is,
     qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{32})\"\;\s+\{\$\_\_funct\_b\s+\=\s+strrev\(\"edoce.+?\)\;\s+\$\_\_funct\_gz\s+\=\s+strrev\(\"etal.+?\)\;\s+\$\_\_raw\_val\s+\=\s+\(\$\_\_funct\_gz\(\$\_\_funct\_b\(.+?\)\)\)\;\s+\$\_\_funct\_preg\s+\=\s+strrev\(\"ecal.+?\)\;\s+\$\_\_funct\_preg\(strrev\(.+?\)\,strrev\(\"\;\)lav\_war\_\_\$.+?\@\"\)\,\'\'\)\;\s+\}\s+\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\$\_POST\[.+?\]\;\s+if\s+\(\$([A-z0-9]{1,9})\!\=\"\"\)\s+\{\s+\$([A-z0-9]{1,9})\=base64\_decode\(\$\_POST\[\'([A-z0-9]{1,9})\'\]\)\;\s+\@eval\(.+?=\s+\$([A-z0-9]{1,9})\;\"\)\;\s+\}\s+\?>/is,
@@ -227,11 +223,9 @@ my @regexen = (
     qr/<\?php\s+\/\*versio\:3\.02\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,9})\"\]\=.+?\(\!function\_exists\(\'([A-z0-9]{1,9})\'\)\)\{function\s+([A-z0-9]{1,9})\(\$a\,\s+\$b\)\s+\{\$c\=\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\;\$d\=pack\(\'H\*\'\,\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\)\;\s+return\s+\$d\(substr\(\$c\,\s+\$a\,\s+\$b\)\)\;\}\;eval\(([A-z0-9]{1,9})\(([A-z0-9]{1,9})\,([A-z0-9]{1,9})\)\)\;\}\;\?>/is,
     qr/<\?php\s+\set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\s+\=\=\s+\"win\"\).+?case\s+\"safemode\"\:\s+\$out\s+\=\s+\@ini\_get\(\'safe\_mode\'\)\s+\;\s+\break\;.+?print.+?<\/center><hr><hr><center><b>Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,
     qr/<\?\s+\/\/\s+\@\~\s+PRO\s+Mailer\s+V2\s+error\_reporting\(0\)\;\s+function\s+query\_str\(\$params\)\{.+?if\(\$this\-\>Mailer\s+\!\=\s+\'mail\'\)\s+\{\s+\$result\s+\.\=\s+\$this\-\>LE\.\$this\-\>LE\;\s+\}.+?sent\s+\successfully\'\)\;\s+<\/script>\"\;\}\}\s+\?>\s+\<\/body>\s+\<\/html>/is,
-    qr/<\?php\s+\if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;.+?\@move\_uploaded\_file\(\$tmp\_name\,\s+\$security\_code\.\"\/\"\.\$name\)\s+\?\s+print\s+\"<b>Message\s+sent\!<\/b><br\/>\"\s+\:\s+print\s+\"<b>Error\!<\/b><br\/>\"\;.+?<input\s+type\=\"submit\"\s+value\=\"Sent\"\s+\/>\s+<\/form>\s+<\/body>\s+<\/html>\'\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"\_([A-z0-9]{1,9})\"\;\$.+?\=strtoupper\(.+?\'\s+\]\)\s+\;\}\s+\?>/is,
     qr/<\?php\s+error\_reporting\(0\)\;\s+class\s+xspsom\s+\{\s+public\s+function\s+\_\_construct\(\)\s+\{\s+\$jq\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,32})\'\].+?header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+xspsom;/is,
     qr/<\?\s+echo\s+1337\;\s+\@extract\s+\(\$\_REQUEST\)\;\s+file\_put\_contents\(\$c\,\$b\)\;\?>/is,
-    qr/<\!\-\-([A-z0-9]{6})\-\-><script>\s+var\s+\_q\s+\=\s+document\.createElement\(\'iframe\'\)\,\s+\_n\s+\=\s+\'setAttribute\'\;\s+\_q\[\_n\]\(\'src\'\,\s+\'http\:\/\/.+?document\.write\(\'<div\s+\id\=.+?<\/script><\!\-\-\/([A-z0-9]{6})\-\->/is,
     qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"\_([A-z0-9]{1,10})\".+?\;if\(isset\(.+?\{\s+eval\(\s+\$\{\$.+?\]\s+\)\;\}\s+\?>/is,
     qr/if\s+\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\s+\@\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,10})\=\".+?\"\;\s+\$([A-z0-9]{1,10})\s+\=\s+str\_replace\(\".+?\"\,\s+\"\"\,\s+\$([A-z0-9]{1,10})\.\$([A-z0-9]{1,10})\.\$([A-z0-9]{1,10})\.\$([A-z0-9]{1,10})\)\)\)\;\s+\$([A-z0-9]{1,10})\(\)\;\s+\?>/is,
@@ -252,8 +246,6 @@ my @regexen = (
     qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
     qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\/\*([A-z0-9]{1,9})\*\/\@preg\_replace\(\'\/\(\.\*\)\/e\'\,\s+\@\$\_REQUEST\[\'([A-z0-9]{1,9})\'\]\,\s+\'\'\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
     qr/if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,9})\"\]\)\)\s+\{\@extract\(\$\_REQUEST\)\;\/\*([A-z0-9]{1,9})\*\/\@die\(\$([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\)\;\/\*([A-z0-9]{1,9})\*\/\}/is,
-    qr/<\?php\s+\/\/\#\#\#\=\=\=\#\#\#\s+error\_reporting\(0\)\;\s+\$strings\s+\=\s+\"([A-z0-9]{1,9})\"\;\$strings\s+\.\=\s+\"([A-z0-9]{1,9})\"\;\s+\if\s+\(\!\@\$([A-z0-9]{1,9})\)\s+\{\$([A-z0-9]{1,9})\=1\;\@\$strings\(str\_rot13\(\'([A-z0-9]{1,9})\(([A-z0-9]{1,9})\_([A-z0-9]{1,9})\(.+?\)\)\;\'\)\)\;\}\s+\/\/\#\#\#\=\=\=\#\#\#\s+\?>/is,
-    qr/\/\/\#\#\#\=\=\=\#\#\#\s+error\_reporting\(0\)\;\s+\$strings\s+\=\s+\"([A-z0-9]{1,9})\"\;\$strings\s+\.\=\s+\"([A-z0-9]{1,9})\"\;\s+\if\s+\(\!\@\$([A-z0-9]{1,9})\)\s+\{\$([A-z0-9]{1,9})\=1\;\@\$strings\(str\_rot13\(\'([A-z0-9]{1,9})\(([A-z0-9]{1,9})\_([A-z0-9]{1,9})\(.+?\)\)\;\'\)\)\;\}\s+\/\/\#\#\#\=\=\=\#\#\#/is,
     qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+?strtoupper.+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,9}).+?strtolower.+eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,9})\=.+?\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,9})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,9})\[.+?\=array\(\)\;\s+foreach\(\$GLOBALS\[.+?\{\s+continue\;\s+\}\s+if\s+\(\$GLOBALS\[.+?DIRECTORY\_SEPARATOR\s+\.\s+\$([A-z0-9]{1,9})\;\s+if\s+\(\@\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,9})\'\]\(([A-z0-9]{1,3})\)\;\s+\}\s+\}\s+\?>/is,
@@ -261,7 +253,6 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,9})\=\"\_([A-z0-9]{1,9})\".+?isset.+?eval.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
     qr/<\?php\s+\$action\=\@\$\_REQUEST\[\'action\'\]\;.+?\$body\=stripslashes\(\@\$\_REQUEST\[\'body\'\]\)\;\/\/.+?fopen\(dirname\(\_\_FILE\_\_\)\.\'\/\'\.\$filename\,\"w\"\)\;\s+fwrite\(\$.+?mkdir\(\$path\,\s+0777\,true\)\;\s+\}\s+\}\s+\?>/is,
     qr/\/\*\s+CACHESET\-DIRECT\s+\*\/\s+eval\(base64\_decode\(.+?\)\)\;\s+\/\*\s+\/CACHESET\-DIRECT\s+\*\//is,
-    qr/<\?php\s+class\s+\PluginJoomla\s+\{\s+\public\s+\function\s+\_\_construct\(\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,10})\'\]\;\s+\if\s+\(\$([A-z0-9]{1,10})\)\s+\{\s+\$option\s+\=\s+\$([A-z0-9]{1,10})\(\@\$\_COOKIE\[\'([A-z0-9]{1,9})\'\]\)\;\s+\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\(\@\$\_COOKIE\[\'([A-z0-9]{1,10})\'\]\)\;\s+\$option\(\"\/438\/e\"\,\$([A-z0-9]{1,10})\,438\)\;\s+\}\s+else\s+\{\s+phpinfo\(\)\;die\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+PluginJoomla\;/is,
     qr/GIF89a\s+\<\?php.+?class\s+\PlgSystemInstantSuggest.+?\$suggest\s+\=\s+new\s+PlgSystemInstantSuggest;/is,
     qr/<\?php\s+function\s+([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\,\s+\$([A-z0-9]{1,9})\)\{\$([A-z0-9]{1,9})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+\<\s+strlen\(\$([A-z0-9]{1,9})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,9})\s+\.\=\s+isset\(\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\$i\]\]\)\s+\?\s+\$([A-z0-9]{1,9})\[\$([A-z0-9]{1,9})\[\$i\]\]\s+\:\s+\$([A-z0-9]{1,9})\[\$i\]\;\}\s+\$([A-z0-9]{1,9})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,9})\(\$([A-z0-9]{1,9})\)\;\}\s+\$r\s+\=\s+\'\'\.\s+\'\'\.\s+\'\'\.\s+\'\'\.\s+\'\'\..+?\'\'\.\s+\'\'\;\s+\$([A-z0-9]{1,9})\s+\=\s+Array\(.+?sprintf\(([A-z0-9]{1,9})\(\$r\,\s+\$([A-z0-9]{1,9})\)\)\;\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,9})\s+\=\s+\"([A-z0-9]{1,9})\_([A-z0-9]{1,9})\".+?isset.+?\{eval\(.+?\'([A-z0-9]{1,9})\'.+?\?>/is,
@@ -288,7 +279,6 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,10})\=\"\^.+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\s+\=\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[.+?\)\)\s+\{\s+echo\s+PHP\_OS\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\.\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(([A-z0-9]{1,10})\)\.\$([A-z0-9]{1,10})\[.+?\]\]\s+\=\=\s+TRUE\)\s+\{\s+continue\;\s+\}\s+if\s+\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\[\$([A-z0-9]{1,10})\[.+?\]\)\;\s+continue\;\s+\}\s+if\s+\(\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\)\s+\>\s+0\)\s+\{\s+\$([A-z0-9]{1,10})\s+\.\=\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,10})\]\;\s+\}\s+\$([A-z0-9]{1,10})\s+\.\=\s+substr\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\s+\+\s+1\,\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\)\)\;\s+\$([A-z0-9]{1,10})\s+\+\=\s+\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\]\)\s+\+\s+1\;\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\s+\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$([A-z0-9]{1,10})\;\s+\}\s+\}\s+if\s+\(\$([A-z0-9]{1,10})\s+\>\=\s+\$([A-z0-9]{1,10})\)\s+\{\s+\$([A-z0-9]{1,10})\s+\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,10})\;\s+\}/is, 
     qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$i\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$i\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$i\]\;\}\s+\$x\=\"base64\_decode\"\;return\s+\$x\(\$([A-z0-9]{1,10})\)\;\}\s+\$([A-z0-9]{1,10})\s+\=.+?\$([A-z0-9]{1,10})\s+\=\s+\Array\(.+?\)\;\s+\eval\(([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\?>/is,
     qr/<\?php\s+if\(\!isset\(\$GLOBALS\[.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[.+?\]\)\;\s+if\s+\(\(\!\s+strstr\(\$ua\,.+?if\s+\(\!function\_exists\(.+?\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\-1;\s+\?>/is,
-    qr/<script>var\s+a=\'\';\s+setTimeout\(10\);\s+var\s+default\_keyword\s+\=\s+encodeURIComponent\(document\.title\);\s+var\s+se\_referrer\s+\=\s+encodeURIComponent\(document\.referrer\);\s+\var\s+host\s+\=\s+encodeURIComponent\(window\.location\.host\);\s+var\s+base\s+\=\s+\"http\:\/\/.+?\/jquery\.min\.php\";\s+var\s+n\_url\s+\=\s+base\s+\+\s+\"\?default\_keyword\=\"\s+\+\s+default\_keyword\s+\+\s+\"\&se\_referrer\=\"\s+\+\s+se\_referrer\s+\+\s+\"\&source=\"\s+\+\s+host;\s+var\s+f\_url\s+\=\s+base\s+\+\s+\"\?.+?\"\s+\+\s+encodeURIComponent\(n\_url\);\s+if\s+\(default\_keyword\s+\!\=\=\s+null\s+\&\&\s+default\_keyword\s+\!\=\=\s+\'\'\s+\&\&\s+se\_referrer\s+\!\=\=\s+null\s+\&\&\s+se\_referrer\s+\!\=\=\s+\'\'\)\{document\.write\(\'<script\s+type\=\"text\/javascript\"\s+src\=\"\'\s+\+\s+f\_url\s+\+\s+\'\">\'\s+\+\s+\'<\'\s+\+\s+\'\/script>\'\);\}<\/script>/is,
     qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{32})\"\;\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\)\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\;\s+eval\(\$([A-z0-9]{1,10})\)\;\s+exit\(\)\;\s+\}\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\)\)\s+\{\s+\$([A-z0-9]{1,10})\s+\=\s+\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\;\s+\$([A-z0-9]{1,10})\s+\=\s+\$\_REQUEST\[\'([A-z0-9]{1,10})\'\]\;\s+\$([A-z0-9]{1,10})\s+\=\s+fopen\(\$([A-z0-9]{1,10})\,\s+\'w\'\)\;\s+\$([A-z0-9]{1,10})\s+\=\s+fwrite\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\;\s+fclose\(\$([A-z0-9]{1,10})\)\;\s+echo\s+\$([A-z0-9]{1,10})\;\s+exit\(\)\;\s+\}\s+\?>/is,
     qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\)\)\{eval\(base64\_decode\(\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\)\)\;\}\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,10})\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\;\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\s+\;\$([A-z0-9]{1,10})\=\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\.\s+\$([A-z0-9]{1,10})\[([A-z0-9]{1,2})\]\)\s+\;if\(isset\s+\(\s+\$\{\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\)\{eval\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\s+\]\)\s+\;\s+\}\s+\?>/is,