diff --git a/malware4.pl b/malware4.pl index cc2927b..a076467 100644 --- a/malware4.pl +++ b/malware4.pl @@ -325,8 +325,8 @@ my @regexen = ( qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'.+?\'\]\)\)\{\/\*.+?\*\/\$\w\/\*.+?\*\/\=\/\*.+?\*\/\"preg\_replace\"\;\$\w\(\'\/\/e\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'.+?\'\]\,\'\'\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}/is, qr/<\?php\s+echo\s+\'([A-z0-9]{1,20})\'\;\s+preg\_replace\(\"\\x.+?\\x3B\"\,\"\\x2E\"\)\;\s+\?>/is, qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}.+?\Z/is, - qr/<\?php\s+\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL\,\s+1\)\;.+?\)\)\;\'\)\;\s+\$strings\(\$light\)\;\s+\/\/\#\#\#\=\=\=\=\#\#\#\s+\?>/is, - + qr/<\?php\s+\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL.+?\/\/\#\#\#\=\=\=\=\#\#\#\s+\?>/is, + ); diff --git a/scan.php b/scan.php index e69de29..0af6be1 100644 --- a/scan.php +++ b/scan.php 
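Review bot: The tail that pinned the old signature (`\)\)\;\'\)\;\s+\$strings\(\$light\);`) is gone, so the new `qr//` now matches on the `//###====###` markers, `@error_reporting(E_ALL);` and the `@assert_options(ASSERT_QUIET_EVAL` prefix alone, with three unbounded `.+?` under `/s` spanning everything in between. That widens coverage of variants, but it drops the `$strings($light)` call that appears to be the dispatch step, and on a large file that carries the opening marker without the closing one the three lazy quantifiers can each re-expand across the whole buffer before the match fails, which a whole-webroot scanner will feel. If the variants this targets still end in an `assert`-style call, consider keeping one such token after `ASSERT_QUIET_EVAL`, and record the intent above the entry, e.g. `# marker-bounded assert_options/ASSERT_QUIET_EVAL dropper; tail loosened to catch variants with other dispatch variable names`. The `@regexen` list begins before and ends after this hunk.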
@@ -0,0 +1,762 @@ +"; +print "Malware Scanner v{$version} by Malin Cenusa (malin@cenusa.me)\n\n"; +print "Directory depth set to {$recurse}\n\n"; + +$fl = new e_file(); +$tree = $fl->get_files($eroot, '\.php|\.sc|.bb|\.gif|\.js|\.htm|\.html|\.htaccess', 'standard', $recurse); + +$counter_infected = 0; +$counter_cleaned = 0; +$counter_suspected = 0; +$counter_error = 0; +$counter_warning = 0; + +// just in case +set_time_limit(0); +error_reporting(E_ALL); + + $pattern = array( + "^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)\(\?><\?php\)*\n", + "eval(\s*)\((.*)base64_decode(\s*)\(", + "this.form.upload_file.disabled=false", + "function(\s*)jspw3\(d\,m\,f\)", + "a(\s*)simple(\s*)Web-based(\s*)file(\s*)manager", + "php\_uname(\s*)\(preg_replace(\s*)\(", + "function(\s*)rewrioutclbkxxx1\(", + "eval\(\(base64_decode\(", + "preg_replace\(strrev\(", + "s=base64_decode\(str_replace\(chr\(32\)", + "_GET\[base64_decode\(", + "eval\(base64_decode\(<(.*)POST(.*)>php", + "\.\"404\s*Not\s*Found<\/title><\/head><body>", + "@error_reporting\(0\)", + "==========================+(\s*)Credit.Mutuel.ReZult(\s*)+==================", + "X-Mailer:(\s*)The(\s*)Bat\!(\s*)\(v", + "WordPress(\s*)Inserter(\s*)Links", + "The(\s*)Sword(\s*)Config(\s*)Fuck(\s*)Script", + "@kr(\s*)=(\s*)<d0mains>;", + "copyto(\s*)=(\s*)explode\(", + "d.=sprintf\(\(substr\(urlencode\(print_r\(array\(", + "eval\(gzinflate\(base64_decode\(", + "eval\(gzinflate\(str_rot13\(base64_decode\(", + "Bank(\s*)of(\s*)America(\s*)\|(\s*)Home(\s*)\|(\s*)Personal", + "Bank(\s*)of(\s*)America(\s*)\|(\s*)Online(\s*)Banking(\s*)\|(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking", + "Bank(\s*)of(\s*)America(\s*)\|(\s*)Thank(\s*)you", + "Wells(\s*)Fargo(\s*)Home(\s*)Page", + "Chase(\s*)Online(\s*)-(\s*)Logon", + "Send(\s*)Money,(\s*)Pay(\s*)Online(\s*)or(\s*)Set(\s*)Up(\s*)a(\s*)Merchant(\s*)Account(\s*)with(\s*)PayPal", + "Login(\s*)-(\s*)PayPal", + 
"Sign(\s*)Up(\s*)for(\s*)PayPal(\s*)-(\s*)It\'s(\s*)Free(\s*)and(\s*)Easy(\s*)to(\s*)Get(\s*)Started", + "My(\s*)Account(\s*)-(\s*)Telstra", + "RBC(\s*)Royal(\s*)Bank(\s*)-(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking", + "RBC(\s*)Financial(\s*)Group(\s*)-(\s*)Online(\s*)Banking", + "Online(\s*)Banking(\s*)Security(\s*)and(\s*)Privacy(\s*)Guide(\s*)-(\s*)RBC(\s*)Royal(\s*)Bank", + "~(\s*)Santander(\s*)Online(\s*)Banking(\s*)~", + "Santander(\s*)e-Banking(\s*)?(\s*)Logon(\s*)page", + "Santander(\s*)Online(\s*)Banking", + "eBucks(\s*)>(\s*)Home", + "Chase(\s*)Personal(\s*)Banking(\s*)Investments(\s*)Credit(\s*)Cards(\s*)Home(\s*)Auto(\s*)Commercial(\s*)Small(\s*)Business(\s*)Insurance", + "Yahoo!(\s*)Mail:(\s*)The(\s*)best(\s*)web-based(\s*)email!", + "Remax(\s*)ReZulT(\s*)By", + "ErrorDocument(\s*)404(\s*)http", + "ErrorDocument(\s*)500(\s*)http", + "ErrorDocument(\s*)403(\s*)http", + "%u0c0c%u0c0c", + "String.fromCharCode\(32\)", + "HTTP_REFERER(.*)msn(.*)live", + "SnIpEr_SA", + "php_value(\s*)auto_append_file", + "AddType(\s*)application(\s*).jpg", + "AddHandler(\s*)php5-script(\s*).jpg", + "HTTP_USER_AGENT(.*)google(.*)yahoo", + "HTTP_REFERER(.*)search.yahoo\*", + "Card(.*)number:", + "Mass(.*)Mailer", + "<\?php\s*eval\(\"\?>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>", + "\;if\(aa\.indexOf\(aaa\)\=\=\=0\)", + "function\s*re\(s\,n\,r\,b\,e\)", + "var\s*foobar\s*\=\s*unescape\;", + "auth\_pass\s*\=\s*\"(.*)\"\;\s*eval\(\"", + "<\?php\s*\@copy\(\W\_FILES\[file\]\[tmp\_name\]\,\s*\W\_FILES\[file\]\[name\]\)\;\s*exit\;\s*\?>", + "<\?php\s*\/\/(.*)\_\=\s*\/\/system\s*file\s*do\s*not\s*delete\'\'\;\s*\/\/system\s*file\s*do\s*not\s*delete\s*\W\_\_\s*\=\s*\"(.*)\"\;\W\_\_\_\s*\=\s*\"(.*)\"\;eval\(\W\_\_\_\(\W\_\_\)\)\;", + "preg\_replace\(\"\/\.\+\/esi\"\,\"", + "<script\s*language\=\"JavaScript\"\s*type\=\"text\/javascript\"><\!\-\-\s*var(.*)\;eval\(unescape\(\"(.*)\;document\.write\(u\)\;u\=\"\"\;\/\/\-\->\s*<\/script>", + 
"<\?php\s*session\_start\(\)\;\s*\Wme\=\W\_SERVER\[\'PHP\_SELF\'\]\;\s*\WNameF\=\W\_REQUEST\[\'NameF\'\]\;\s*\Wnowaddress\=\'<input\s*type\=hidden\s*name\=address\s*value\=\"\'\.getcwd\(\)\.\'\">\'\;\s*\Wpass\_up\=", + "<\?php\s*\@set\_time\_limit\(0\)\;\s*\@error\_reporting\(NULL\)\;\s*\@ini\_set\(\'display\_errors\'\,0\)\;\s*\@ignore\_user\_abort\(TRUE\)\;\s*if\(md5\(md5\(\W\_REQUEST\[\'(.*)\'\]\)\)\=\=\'", + "<\?PHP\s*defined\(\'\_OLD\_JEXEC\_\'\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;\s*\?>", + "<\?php\s*if\(isset\(\W\_REQUEST\[\"(.*)\"\]\)\)\s*\{\s*eval\(base64\_decode\(\W\_REQUEST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}\s*else\s*\{\s*die\(\"404\s*Not\s*Found\"\)\;\s*\}\?>", + "function\_exists\(\'date\_default\_timezone\'\)\s*\?\s*date\_default\_timezone\_set\(\'America\/Los\_Angeles\'\)\s*\:\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\;", + "<\?PHP\s*define\(\'REAL\_SERVER\_ROOT\'\,\s*\'SERVER\'\)\;\s*\/\/DIR(.*)define\(\'SYSTEM\_SKEL\_DIR\'\,\s*\'skel\'\)\s*\?\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\:(.*)define\(\'WORKGROUPS\_META\_SETTINGS\_FILENAME\'\,\s*\'settings.xml\'\)\;\s*\?>", + "<\?\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}\s*\?>", + "<\?php\s*echo\s*\'<b>Sw\s*Bilgi<br><br>\'\.php\_uname\(\)\.\'<br><\/b>\'\;(.*)else\s*\{\s*echo\s*\'<b>Basarisiz<\/b><br><br>\'\;\s*\}\s*\}\s*\?>", + "GIF89\;<br><br>\s*<Hmei7>\s*<\?php\s*if\s*\(\s*isset\(\W\\[\'versi\'\]\)\s*\)\'s*\{\s*vers\(\)\;", + "<\?php\s*if\(\!empty\(\W\_FILES\[\'message\'\]\[\'name\'\]\)\s*AND\s*\(md5\(\W\_POST\[\'nick\'\]\)\s*\=\=", + "<\?php\s*\Wis\_bot\s*\=\s*FALSE\s*;\s*\Wuser\_agent\_to\_filter\s*\=\s*array\(\s*\'\#fileuploads\#\'\)\s*\;", + "auth_pass(.*)eval\(", + "<\?php\s*\/\*\s*Plugin\s*Name\:\s*GSM", + "<\?php\s*\W(.*)array\(\"(.*)\"\)\;eval\(\"(.*)x3B\"\)\;\?>", + "base=base64_encode\(", + ".rand\(100000000,9999999999\).", + "__++\)\)\].=", + "Fredrik N. 
Almroth - h.ackack.net", + "The Sword Config Fuck Script", + "4297f44b13955235245b2497399d7a93", + "<\!-- provided by.\/katAK -->", + "user_agent_to_filter", + "\@unserialize\(base64_decode\(", + "file_put_contents\(__FILE__,base64_decode\(", + "echo eval\(urldecode\(", + "echo @eval\(base64_decode\(", + "xml_str = base64_decode", + "X-Mailer: Microsoft Office Outlook", + "mode=show>Commands Run", + "_SAPE_USER", + ".gzuncompress\(base64_decode\(", + "\);preg_replace\(", + "\),base64_decode\(", + "eVAl\( base64_decode\(", + "\(gzinflate\(str_rot13\(base64_decode\(", + "body=stripslashes\(urldecode\(", + /* "REQUEST = array_merge\(", --too many false positives */ + ";eval\(\(\(strlen\(", + "viagra", + "levitra", + "male enhancement", + "propceia", + "xViewState\(\)", + "Fonksiyonlar", + "<vuln> <dork>", + "Sh3llBoT", + "Upload Your Fav Shell", + "Is cURL installed\? \(nst\) which curl", + "Magic Include Shell ver", + "irc.securitychat.org", + "function printLogin\(\)", + "function GetMama\(\)", + "runcommand", + "my @nickname = ", + "dosyaPath = mid\(mpat,InStrRev\(mpat", + "coded by z0mbie", + "Php Bypass - www.shellci.biz", + "fistik=PHVayv;", + "Dark Shell", + "CTT SHELL", + /* "\/etc\/passwd", --too many false positives */ + "<tr><td>Chiave<\/td><td>Valore<\/td><\/tr>", + "fonk_kap = get_cfg_var", + "PHPSHELL_VERSION", + "Root-Access Shell", + "s101 Interamente creata da Sora101", + "SimAttacker - Vrsion", + "Shell Dizini:", + "\/etc\/syslog.conf", + "die\(PHP_OS.chr\(49\).chr\(48\)", + "stCurlLink = base64_decode\(", + "cookey =", + "cxyyt = array\(", + /* ".str_pad\(strtoupper\(dechex\(", --too many false positives */ + "veb65c0b0 = array_keys\(", + "=Array\(base64_decode\(", + "edoced_46esab", + "\*\/base64_decode\/\*", + "eval\(stripslashes\(", + "eval\(\@gzinflate\(base64_decode\(", + "eva1fYlbakBcVSir", + "preg_replace\(\"\/\.\*\/e\"\,\"\\x65", + "cg2bW3yV4NSpnvKX2cFAvjczD7", + "fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7", + "Macro Hack", + 
"JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs", + "XERATUTA", + "unserialize\(string_cpt\(base64_decode\(", + "data.dat.gz", + "Scam Redirector", + "\/images\/config.db", + "\/temp\/links.db", + "LS0tLS0tLS0tLS0tLS0t", + "BlackMail", + "\{ hauguen priv\@ spammer \}", + "echo \'Shell Ok \';", + "Da Slake PHP MAILER", + ": : M A I L E R : : \$ d o m a i n - I n s i d e T e a m v", + "\/etc\/valiases/", + "numemails", + "PHP Mailer", + "\/etc\/named.conf", + "set_index .= base64_encode\(", + "eval\(gzinflate\(base64_decode\(strrev\(", + "system file do not delete", + "nslookup -type=MX", + "\$copyto = explode\(\'wp-content\'\,", + "default_action =(.*)default_charset =(.*)preg_replace\((.*)\,str_replace\(", + "\<\?php for\(\$o=0,\$e=", + "\$felp = explode\(\$kaka", + "getdata = base64_decode\(\$datacheck\);", + "array_map\(strrev\(\"ed\".\"oced_\".\"46esab\"\),array\(str_replace\(", + "if \(md5\(md5\(\$\_REQUEST\[\'hhh\'\]\)\) ==", + "Upload GAGAL", + "Config Grabber", + "@symlink\(", + "OOO000000=urldecode\(", + "eval \(gzinflate\(base64_decode\(", + "return rawurlencode\(rawurlencode\(", + "=array_map\(\"ba\".\"se6\".\"4\".\"_decode\",array\(\'\',str_replace\(", + "d.=sprintf\(\(substr\(urlencode\(print_r\(array\(", + "eval\(gzinflate\(base64_decode\(", + "eval\(gzinflate\(str_rot13\(base64_decode\(", + "eval\(gzinflate\(base64_decode\(str_rot13\(", + "eval\(gzinflate\(base64_decode\(base64_decode\(", + "eval\(gzuncompress\(base64_decode\(", + "eval\(gzuncompress\(str_rot13\(base64_decode\(", + "eval\(gzuncompress\(base64_decode\(str_rot13\(", + "eval\(str_rot13\(gzinflate\(base64_decode\(", + "eval\(gzinflate\(base64_decode\(strrev\(str_rot13\(", + "eval\(gzinflate\(base64_decode\(strrev\(", + "eval\(gzinflate\(base64_decode\(str_rot13\(", + "eval\(gzinflate\(base64_decode\(str_rot13\(strrev\(", + "echo\(gzinflate\(base64_decode\(", + 
"^<\?php\s*\\\$md5\s*=\s*[\"|\']\w+[\"|\'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*\?>\s*", + "libworker.so", + "by.\/katAK", + "array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\)", + "<span>Make dir:<\/span>", + "\}eval\(x0r\(\"", + "function x0r\(\$h3ll0s\)", + "<\?php\s*preg_replace\(\"", + "\$security_code = \(empty\(\$_POST\[\'security_code\'\]\)\)", + "\.ucwords\(str_replace\(", + "\)\);array_multisort\(array_map\(", + "\.rawurlencode\(strtolower\(", + "<\?php\s*eval \( base64_decode \(\"", + "eval\(stripslashes\(\$_POST\[codee\]\)\);\"", + "eval\(pet\(\"", + "<\?php \$g___g_=\'base\'.\(32*2\).\'_de\'.\'code\';\$g___g_=\$g___g_\(str_replace\(\"\n\", \'\', \'", + "eval\((.*)\(base64_decode\((.*)1234567890\)\);", + "\$opt\(\"\/292\/e\",\$au,292\); die\(\);\}\}\}", + "\$MailTo = base64_decode\(\$_POST\[\"mailto\"\]\);", + "email_polucha", + "if\(isset\(\$_REQUEST\[\'(.*)eval\((.*)\); exit\(\); \} if\(isset\(\$_REQUEST\[\'(.*)exit\(\); \}\s*\?>", + ".::\[ Phproxy \]::.", + "teksasli=unescape\(teks\);document.write\(teksasli\)", + "eval\(base64_decode\(\$jembot\)\);", + "eval\(base64_decode\(\$_REQUEST\[\'p64\'\]\)\);", + "die\(\"Restricted accoss\"\);", + "<\?php\s*eval\(gzinflate\(str_rot13\(base64_decode\(\'", + "phpRemoteView", + "if \(isset\(\$_POST\[\'_\'\]\) \&\& \(sha1\(base64_decode\(\$_POST\[\'_\'\]\)\^\$str\) ==", + "x47FzcyA9ICI", + "mkdir\(\'Indishell\',0777\);", + "Superfast Zone-H submitter", + "if\(stripos\((.*)=base64_decode\((.*)=create_function\(\"\"", + "Done ==> \$userfile_name", + "preg_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam", + "WEB(.*)Shell", + "index.php replaced successufuly\!", + "sloboz", + "\$URI = str_replace\(\"sync.php\", \$filename, \$URI\);", + "<\? 
eval\(gzuncompress\(base64_decode\(\'", + "WPcheckInstall", + "echo \"Already writed\"", + "if \(move_uploaded_file \(\$_FILES\[\"update\"\]\[\"tmp_name\"\], __FILE__\)\)", + "FilesMan", + "<\?php(.*)= array\(\'(.*)= array\(\'(.*)= array\(\'(.*)\";if \(\!function_exists\(\"", + "\{eval\(base64_decode\(\$_POST\[\"", + "\$uid = strtoupper\(md5\(uniqid\(time\(\)\)\)\);", + "Created By Spaghy", + "= strrev\(\'ed\'.\'oc\'.\'ed_4\'.\'6e\'.\'sab\'\);", + "= strrev\(\'eca\'.\'lper\'.\'_ge\'.\'rp\'\);", + "<\?php\s*if \(\!function_exists\(\"(.*)\"\)\)\s*\{\s*function(.*)= base64_decode\((.*)= strlen\((.*)= file_get_contents\(", + "Mestre eCoLoGy", + "PHP eMailer", + "= \"p\".\"r\".\"e\".\"g\".\"_\".\"r\".\"e\".\"p\".\"l\".\"a\".\"c\".\"e\";", + "The Devil made me do it :\)", + "echo \"Can\'t upload file:", + "<\?\/\/BREACK\/\/\?>", + "Bypass SuHosin", + "\$_FILE\(stripslashes\(\$_REQUEST\[\'HOST\'\]\)\);\}", + "atualizar_flash_player_ver", + "Made By mr.hosam", + "<script>document.getElementById\(\'a22\'+\'222\'\).style.display=\'no\'+\'ne\'<\/script><\!-- InstanceEnd -->", + "\$auth_pass = \"", + "<\?php\s*\/\*(.*)*\/\s*eval \( base64_decode \(\"", + "\/usr\/bin\/host", + "<\?php preg_replace\(\"\/.\*\/e\",\"", + "\]\}=__FUNCTION__;return\@is_object\(", + "eval\(\"\?>\".gzuncompress\(base64_decode\(", + "\$headers = \"Alibaba:", + "<\?php \@array_diff_ukey\(\@array\(\(string\)", + "\$auth = \$filter\(\@\$_COOKIE\[\'p1\'\]\);", + "<\?php\s*if \(isset\(\$_REQUEST\[\'p1\'\]\)\) \{\s*eval\(stripslashes\(\$_REQUEST\[\'p1\'\]\)\);", + "<\?php function(.*)=gzinflate\(base64_decode\((.*)\)\); for\(\$i=0;\$i<strlen\(", + "\'\]=Array\(base64_decode\(\'", + "<\?php \(\$_=\@\$_GET\[2\]\).\@\$_\(\$_POST\[1\]\)\?>", + "return stripslashes\(ltrim\(rtrim\(\$string\)\)\);", + "4297f44b13955235245b2497399d7a93", + "<\?php \$a=\'bas\'.\'e6\'.\'4_d\'.\'ecode\';eval\(\$a\(\"", + "l = \"http:\/\/(.*)\" + r + \"&r=\" + document.referrer;\s*document.write\(\"<img src=\'\" + l + \"\'>\"\);", + 
"<title>(.*)PORN(.*)", + "Login your email address below to view the document", + "symlink\(\'\/home", + "local-root-exploit", + "my \$fakeproc\s*= \"\/usr\/sbin\/httpd\";", + "Server Scanner", + "<\?\$x\d\d=\"(.*)\"; \$GLOBALS\[\'", + "<\?php(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'(.*)\',\'\',(.*)\);(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'", + "function\s*xViewState\(\)", + "<\!\-\-start\-add\-div\-content\-\->", + "<\?php\s*if\(\W_GET\[\"(.*)\"\]==\"(.*)value=\"ok\"><\/form><\?php\s*\}\?>", + "function\s*research_plugin\(\)(.*)eval\(base64_decode\(", + "", + "move_uploaded_file\(\W_FILES\[\"file\"\]\[\"tmp_name\"\],\Wz\);", + "str_replace\(\"w\",\"\",\"wstrw_wrewpwlwawcwe\"\);", + "echo\s*\'\[vuln\]\';", + "echo\"\[uname\]\".php_uname\(\).", + "if\(\Wresult\)\s*\{\s*echo\s*\'good\';\s*\}\s*else\s*\{\s*\'error\s*:\s*\'.\Wresult;\s*\}", + "<\?php\s*\Wandroid\s*=\s*strpos\(\W_SERVER\[\'HTTP_USER_AGENT\'\],\"Android\"\);\s*\Wandroid_urls\s*=\s*array\s*\(", + "last\s*root\s*\(nst\)\s*last\s*root", + "online\s*encode\s*by\s*cha88.cn\!", + "SERVER\s*INFO<\/title>", + "ZnZGZnZGZnZGZn", + "else\{\s*echo\s*\"sorry\s*file\s*didn\'t\s*chmoded\";\s*\}", + "\"\];exit\(\);\}error_404\(\);function\s*is_good_ip\(", + "\@system\(\"killall\s*-9\s*\".basename\(\"\/usr\/bin\/host\"\)\);", + "<\?php\s*\/\/\#\#\#==\#\#\#(.*)\/\/\#\#\#==\#\#\#\s*\?>", + "<\?php\s*\$r76=\"F\[<PAlDf\|\]\}", + "<\?php\s*include\(\'(.*)\.png\'\);\s*\?>", + "<\?php\s*include\(\'(.*)\.jpg\'\);\s*\?>", + "<\?php\s*include\(\'(.*)\.gif\'\);\s*\?>", + "\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*\$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$", + "\$qV=\"stop_\"", + "\$GD_get_img\s*=\s*\"p\"\.\s*\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";", + "<\?php\s*\$array\s*=\s*array\(\'(.*)=\s*implode\(\"\"\,\s*\$array\)\;\$(.*)eval\(\$(.*)\)\)\)\);\?>", + "\#\!\/usr\/bin\/perl(.*)\#\s*Do\s*login\s*authentication\s*subroutine(.*)\#EOF", + "<\?php\s*\$(.*);eval\(base64_decode\(gzuncompress\(base64_decode\(\$(.*)\)\)\)\);\?>", 
+ "<\?php(.*)\$EmailTemporario\s*=\s*\$email\[\$i\];(.*)Safe\s*Mode:\s*<\?php\s*echo\s*\$safe_mode\s*=\s*\@ini_get\(\'safe_mode\'\);\s*\?>(.*)<\/form>", + "<\?php\s*\@ignore_user_abort\(true\);(.*)\@eval\(\$(.*)\@realpath\(\"\"\)\.DIRECTORY_SEPARATOR(.*)404\s*Not\s*Found(.*)\?>", + "\#\!\/usr\/bin\/perl\s*\-w\s*\'\'\=\~\(\'\(\?\{\'\.\(\'(.*)\'\)\.\'\$\/\}\)\'\);", + "<\?php\s*\/\*\*(.*)\$https_in\s*=\s*\"(.*)\"\);\s*\?>", + "<html>\s*<head>(.*)if\(is_uploaded_file(.*)move_uploaded_file(.*)\?>\s*<\/body>\s*<\/html>", + "DK\s*Shell\s*\-", + "<\?php\s*\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\,\"(.*)\"\);", + "<\?php\s*\@ini_set\(\'max_execution_time\'\,0\);(.*)\}\}echo\s*\'rahui\#\'\,\$maxlen\,\'\#rahui\';\s*\?>", + "randomId(.*)Access\s*Denied(.*)wproPreviewHTML", + "md5\(IMAILpassword\)(.*)base64_decode", + "value=\'Ввойти\'><br><\/form><br>вы\s*не\s*авторизованы\s*<\/center>", + "ping(.*)ping_host(.*)browser_strings", + "Help(.*)support(.*)=base64_decode\(\$create_function\(\'\$", + "if\(isset\(\$_COOKIE\[\'google\'\]\)\)(.*)if\(strtolower\(substr\(PHP_OS\,0\,3\)\)==\'win\'\)\s*\$", + "class\s*RSSInitEx(.*)getCMS\(\)(.*)new\s*RSSInitEx\(\);", + "\$this\-\>headers\s*\.=\s*\"Errors\-To\:\s*\{\$this\-\>from\}", + "PRIV8", + "for\s*i\s*in\s*\"uname\s*\-a\"", + "Exploit\s*failed", + "Suicide\(\'Windows\s*\-\s*Suicide\'\)\;\}", + "=\s*str\_replace\(\"w\"\,\"\"\,\"wstrw\_wrewpwlwawcwe\"\);", + "\(\"x\"\,\s*\"\"\,\s*\"xbxasxex6x4x_xdexcoxde\"\);", + "\(\"s\"\,\"\"\,\"scsrsesatses_fsusnscstsisosn\"\);", + "\$i=strrev\(\"uoy yb dekcah\"\);", + "<font\s*color=\#FFFFFF>\[uname\]\"\.php_uname\(\)\.\"", + "\$result\s*=\s*mail\(stripslashes\(\$to\)\,\s*stripslashes\(\$subject\)\,\s*stripslashes\(\$message\)\);", + "\$android\s*=\s*strpos\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\,\"Android\"\);", + "last\s*\(all\s*users\)\s*\(nst\)\s*last\s*all", + "online\s*encode\s*by\s*cha88\.cn\!", + 
"<title>Solutions\s*en\s*ligne\s*\-\s*AccèsD<\/title>", + "<title>SERVER\s*INFO<\/title>", + "\$OUT=alfa\(\$OUT\);eval\(\$OOO0000O0\(\$OUT\)\);return;", + "\$sys\s*=\s*strrev\(base64_decode\(\"bWV0U3lT\"\)\);\/\/system", + "\}=\@unserialize\(base64_decode\(\$_POST\[\"", + "\@system\(\"killall\s*\-9\s*\"\.basename\(\"\/usr\/bin\/host\"\)\);", + "\@system\(\"\(crontab\s*\-l\|grep\s*\-v\s*crontab;echo;echo\s*\'\*\s*\*\s*\*\s*\*\s*\*\s*\"\.\$SCP\.\"\/1\.sh\'\)\|crontab\"\,\s*\$ret\);", + "function\s*GetWPFooterFNs\(\)", + "\$tmp\s*=\s*\@fread\s*\(\$a\,\s*sprintf\s*\(\"\%u\"\,\s*\@filesize\s*\(\$a\)\)\);", + "\(\"e\"\.\"va\"\.\"l\(\'", + "title=\"Remote\s*Shell\">", + "\/\/Obfuscation\s*provided\s*by\s*FOPO\s*-\s*Free\s*Online\s*PHP\s*Obfuscator\s*v1\.2\:", + "<\?php\s*\@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]\=\>1\)", + "\$file=\@\$_COOKIE\[\'Jlma3\'\];", + "\$fc64=strip_tags\(str_replace\(\"\s*\"\,\"\"\,trim\(\$_GET\[\'fc\'\]\)\)\);", + "<li><a\s*href=http\:\/\/(.*)<\/a><\/li>\s*<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/", + "echo\s*base64_encode\(\'error\s*\:\s*\'\.\$result\);", + "\$i59\[", + "\$x74\[", + "if\s*\(get_magic_quotes_gpc\(\)\)\s*\{\s*\$wp=stripslashes\(\$wp\);\s*\}", + "my\s*\@dangercalls=qw\(", + "<\?php\s*extract\(\$_COOKIE\);\s*\@\$F\&\&\@\$F\(\$A\,\$B\);", + "copy\(\$_FILES\[\"upfile\"\]\[\"tmp_name\"\]\,\s*\$_FILES\[\"upfile\"\]\[\"name\"\]\)", + "\$back_connect=\"", + "add_action\(\'after_setup_theme\'\,\s*\'research_plugin\'\);", + "document\.getElementById\(\'HideMeBetter\'\)", + "<\?php\s*\/\*\s*copyright\s*\*\/(.*)\/\*\s*copyright\s*\*\/ ?>", + "elseif\(strstr\(\$_0\,_203519383", + "<div\s*style=\"position\:absolute;\s*left\:\-(.*)px;\s*top\:\-(.*)px;\"><a\s*href=\"http\:\/\/", + "<\?php\s*eval\(\"\?>\"\.base64_decode\(\"", + "\$workdir\s*=\s*preg_replace\(\"\/\^www\W\.\/\"\,\s*\"\"\,\s*\$_SERVER\[\"HTTP_HOST\"\]\);", + 
"<\?php\s*echo\s*eval\(base64_decode\(str_replace\(\'\*\'\,\'a\'\,str_replace\(\'\%\'\,\'B\'\,str_replace\(\'\~\'\,\'F\'\,str_replace\(\'\_\'\,\'z\'\,str_replace\(\'\$\'\,\'x\'\,str_replace\(\'\@\'\,\'d\'\,str_replace\(\'\^\'\,\'3\'\,str_rot13\(", + "<\?php\s*if\(\@\$_COOKIE\[\'ft\'\]\)\{\$xww=\$_COOKIE\[\'ft\'\]\(\"\"\,\@\$_COOKIE\[\'st\'\]\(\@\$_COOKIE\[\'nk\'\]\)\);\$xww\(\);\}\?>", + "function\s*Decode\(\)\{var", + "<\?php\s*function\s*hex2str\(\$hex\)\s*\{\s*return\s*pack\(\'H\*\'\,\s*\$hex\);\s*\}\s*if\(\$_GET\[\'xhelp\'\]\)\s*\{\s*echo\s*\"<pre>\";\s*eval\(\$_GET\[\'xhelp\'\]\);\s*\}\s*if\(\$_GET\[\'hex\'\]\)\s*\{\s*\$payload=hex2str\(\$_GET\[\'hex\'\]\);\s*echo\s*\"<pre>\";\s*system\(\$payload\);\s*\}\s*\?>", + "\$z=get_option\(\"_site_transient_browser_(.*)\)\"\);\s*\$z=base64_decode\(str_rot13\(\$z\)\);\s*if\(strpos\(\$z\,\"C20F58DE\"\)\!\=\=false\)\{\s*\$_z=create_function\(\"\"\,\$z\);\s*\@\$_z\(\);\s*\}", + "Copyright7_20_127\(\);", + "eval\(\"\W\$x=gzin\"\.\"flate\(base\"\.\"64_de\"\.\"code\(\W\"", + "\$userAgents\s*=\s*array\(\"Google\"\,\s*\"Slurp\"\,\s*\"MSNBot\"\,\s*\"ia_archiver\"\,\s*\"Yandex\"\,\s*\"Rambler\"\)", + "for\(\$i=0;\s*\$i\s*<\s*strlen\(\$x\);\s*\$i\+\+\)\{\$(.*)=\"base64_decode\";return\s*\$", + "Upload Complete\!", + "\$query\s*=\s*base64_decode\(str_replace\(\'\s*\'\,\s*\'\+\'\,\s*\$_POST\[\'query\'\]\)\);", + "<\?php\s*\$wp__wp=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$wp__wp=\$wp__wp\(str_replace\(\"", + "\#Coded\s*By\s*Pejvaknuse\s*Socket;", + "<\?php\s*\(\$www=\s*\$_POST\[\'yt\'\]\)\s*\&\&\s*\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s*\'add\'\);\?>", + "OOO000000=urldecode\(", + "visitorTracker_isMob", + "this->privmsg\(", + "Starting call", + /* "Hacked", - removed pattern due to large volume of false positives */ + /* "boff", - removed pattern due to large volume of false positives */ + "r57Shell Edited By Margu", + "IRC_socket", + "ConfigSpy", + "aWYo", + "currentCMD", + "IyEvdXNyL2Jpbi9", + 
"bind_port", + "BaseIRC", + "procname", + "Web Shell", + "Goog1e_analist", + "Upload Fail !", + "FilesMan", + "uname -a", + "Sakerhetsniva", + "0x00 PHP shell", + "surl = htmlspecialchars", + "function echoQueryResult\(\) \{", + "Safe Mode on/off:", + "Script for l33t admin job", + "ONBOOMSHELL V 0.2", + "StresBypass v1.0", + "JspWebshell", + "StAkeR ~ Shell", + "SnIpEr_SA", + "<style name=\"Mr.HiTman\"", + "\$\w+\(.*\)", + "<\?php\s*\/\*god_mode_on\*\/eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);\s*\/\*god_mode_off\*\/\s*\?>", + "RewriteCond %{HTTP_REFERER}\s*\^\.\*\s*\([^\)]*[google|yahoo|bing|ask|wikipedia|youtube][^\)]", + "^<\?php\s*if\(!function_exists\([^{]+\s*{\s*function[^}]+\s*}\s*[^\"']+\s*[\"'][^\"']+[\"'];\s*eval\s*\(.*\)\s*;\s*}", + "<\?php)*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*(\?>", + +); + +foreach ($tree as $finfo) +{ + // exclude scanner directory from the scan + if(realpath(__DIR__) == realpath($finfo['path'].$finfo['dirname']) ) + + { + continue; + } + + if($print_all) print "{$finfo['path']}{$finfo['fname']}....CHECKING"; + $tmp = file_get_contents($finfo['path'].$finfo['fname']); + preg_match('/[^.\s]*([a-z])$/i', $finfo['fname'], $match); + + if(preg_match('/[^.\s]*([a-z])$/i', $finfo['fname'], $match)) + { + $ext = $match[0]; + unset($match); + } + + if('gif' == $ext && preg_match('/<\?php/i', $tmp)) + { + $counter_infected++; + if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; + if($print_infected || $print_all) print "\n"; + { + print "...INFECTED (PHP open tag inside GIF image)\n"; + } + + } + elseif('jpg' == $ext && preg_match('/<\?php/i', $tmp)) + { + $counter_infected++; + if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; + if($print_infected || $print_all) print "\n"; + { + print "...INFECTED (PHP open tag inside JPG image)\n"; + + } + + } + + elseif('png' == $ext && preg_match('\"PHP script\"', 
$tmp)) + { + $counter_infected++; + if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; + if($print_infected || $print_all) print "\n"; + { + print "...INFECTED (cryptoPHP)\n"; + + } + + } + + elseif('png' == $ext && preg_match('php.{0,80}', $tmp)) + { + $counter_infected++; + if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; + if($print_infected || $print_all) print "\n"; + { + print "...INFECTED (cryptoPHP)\n"; + + } + + } + + elseif('jpeg' == $ext && preg_match('/<\?php/i', $tmp)) + { + $counter_infected++; + if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; + if($print_infected || $print_all) print "\n"; + { + print "...INFECTED (PHP open tag inside JPEG image)\n"; + } + + } + + elseif('php' == $ext) + { + foreach($pattern as $regex){ + if(preg_match('#'.$regex.'#i', $tmp, $matches)){ + if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; + if($print_infected || $print_all) print "<em> => <font color=\"#B22222\">SUSPECTED</font> String: ".$regex."</em>"; + $counter_suspected++; + if($print_infected || $print_all) print "\n"; + continue; + } + } + } + + elseif($print_all) print "...OK\n"; + unset($tmp); +} +echo "\n"; +print "Files checked: ".count($tree)."\n"; +print "Files suspected: ".$counter_suspected."\n"; +print "Files infected: ".$counter_infected."\n"; + +if($counter_suspected) print "NOTE: SUSPECTED DOESN'T MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK. 
\n\n"; +print "</pre>"; +unlink(__FILE__); +exit; + +class e_file +{ + function get_files($path, $fmask = '', $omit='standard', $recurse_level = 0, $current_level = 0) + { + $ret = array(); + if($recurse_level != 0 && $current_level > $recurse_level) + { + return $ret; + } + if(substr($path,-1) == '/') + { + $path = substr($path, 0, -1); + } + + if(!$handle = opendir($path)) + { + return $ret; + } + if($omit == 'standard') + { + $rejectArray = array('^\.$','^\.\.$','^\/$','^CVS$','thumbs\.db','.*\._$','null\.txt'); + } + else + { + if(is_array($omit)) + { + $rejectArray = $omit; + } + else + { + $rejectArray = array($omit); + } + } + while (false !== ($file = readdir($handle))) + { + if(is_dir($path.'/'.$file)) + { + if($file != '.' && $file != '..' && $file != 'CVS' && $recurse_level > 0 && $current_level < $recurse_level) + { + $xx = $this->get_files($path.'/'.$file, $fmask, $omit, $recurse_level, $current_level+1); + $ret = array_merge($ret,$xx); + } + } + elseif ($fmask == '' || preg_match("#".$fmask."#i", $file)) + { + $rejected = FALSE; + + foreach($rejectArray as $rmask) + { + if(preg_match("#".$rmask."#", $file)) + { + $rejected = TRUE; + break; + } + } + if($rejected == FALSE) + { + $finfo['path'] = $path."/"; // important: leave this slash here and update other file instead. 
+ $finfo['fname'] = $file; + $ret[] = $finfo; + } + } + } + return $ret; + } + + function get_dirs($path, $fmask = '', $omit='standard') + { + $ret = array(); + if(substr($path,-1) == '/') + { + $path = substr($path, 0, -1); + } + + if(!$handle = opendir($path)) + { + return $ret; + } + if($omit == 'standard') + { + $rejectArray = array( + '^\.$', + '^\.\.$', + '^\/$', + '^CVS$', + 'thumbs\.db', + '.*\._$', + 'error_log', + '.*\.pdf', + '.*\.doc', + '.*\.xls', + '.*\.mp3', + '.*\.mov', + '.*\.mp4', + '.*\.flv', + '.*\.swf', + '.*\.ppt', + '.*\.log', + '.*\.zip', + '.*\.tar', + '.*\.gz', + '.*\.tar.gz', + '.*\.rar', + '.*\.exe', + '.*\.7z', + '.*\.webm', + '.*\.txt', + '.*\.csv', + '.*\.svg', + '.*\.wmv', + '.*\.iso', + '.*\.sql', + '.*\.db', + '.*\.psd', + '.*\.eps', + '.*\.ai'); + } + else + { + if(is_array($omit)) + { + $rejectArray = $omit; + } + else + { + $rejectArray = array($omit); + } + } + while (false !== ($file = readdir($handle))) + { + if(is_dir($path.'/'.$file) && ($fmask == '' || preg_match("#".$fmask."#", $file))) + { + $rejected = FALSE; + foreach($rejectArray as $rmask) + { + if(preg_match("#".$rmask."#", $file)) + { + $rejected = TRUE; + break; + } + } + if($rejected == FALSE) + { + $ret[] = $file; + } + } + } + return $ret; + } + + function rmtree($dir) + { + if (substr($dir, strlen($dir)-1, 1) != '/') + { + $dir .= '/'; + } + if ($handle = opendir($dir)) + { + while ($obj = readdir($handle)) + { + if ($obj != '.' && $obj != '..') + { + if (is_dir($dir.$obj)) + { + if (!$this->rmtree($dir.$obj)) + { + return false; + } + } + elseif (is_file($dir.$obj)) + { + if (!unlink($dir.$obj)) + { + return false; + } + } + } + } + + closedir($handle); + + if (!@rmdir($dir)) + { + return false; + } + return true; + } + return false; + } + +} +?> \ No newline at end of file
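Review bot: Most of the signature list never runs and what does run is wrong: the `$pattern` array contains an empty entry (`"",` just after the `research_plugin` pattern) that becomes `preg_match('##i', $tmp)` and matches every file, so every `.php` file ends up reported SUSPECTED, while the two PNG branches pass `'\"PHP script\"'` and `'php.{0,80}'` with no valid delimiter, so `preg_match` warns, returns false and the cryptoPHP checks never fire. `.htaccess`, `.js`, `.htm` and `.html` files are collected by the mask but only `'php' == $ext` reaches the pattern loop, leaving the `auto_append_file`, `AddHandler`, `ErrorDocument` and `String.fromCharCode` signatures dead, and since `continue` only skips the inner iteration `$counter_suspected` counts matches rather than files. Drop the empty entry, use `preg_match('/"PHP script"/', $tmp)` and `preg_match('/php.{0,80}/', $tmp)`, and widen the branch to `elseif(in_array($ext, array('php', 'htaccess', 'js', 'htm', 'html'), true))`. Separately, the report is emitted inside `<pre>`/`<font>` HTML, so `$finfo['fname']` (attacker-chosen on a compromised host) and the raw `$regex` text should pass through `htmlspecialchars()` before printing, and `$ext` should be reset every iteration because it keeps the previous file's value when the name does not end in a letter. The definitions of `$eroot`, `$recurse`, `$print_all` and `$print_infected` are not visible in this hunk as shown.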