1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval$base64\_decode\(.+?<\/Script>/is, qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+$\.$\[a\-z\-\@\]\+$\.$\[a\-z\]\+$\/.+?\$2$\$3\(urldecode\(\'\$1\'$\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_REQUEST\[\"q\"\]$\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if$isset\(\$\_POST\[\"key\"\]$\s+\&\&\s+isset$\$\_POST\[\"chk\"\]$\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval$gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]$\)\)\;\s+\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})$\)\;\s+\}/is, qr/<\?php\s+eval$gzuncompress\(.+?\"$\)\;/is, qr/<\?php.+?class\s+JApplication.+?new\s+JApplication$array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'$\)\;/is, qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval$base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]$\)\;\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?$\)\;\s+\}/is, qr/<\?php\s+\$dom\s+\=\s+array$.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom$\-1\)\]\.\'\/file\.php\'\;.+?header$\'Location\:\s+\'\.\$url$\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_GET\[\"id\"\]$\)\s+header$.+?\.\$\_GET\[\"id\"\]$\;\s+\?>/is, qr/<\?php\s+eval$base64\_decode\(.+?$\)\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?functions+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\{return\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\;\}\;.+?\}$\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?$\}\;\s+\}/is, qr/<\?php\s+eval$base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?\)\;\s+\?>/is, qr/\*\/\s+eval$base64\_decode\(\"aWY.+?\=\"$\)\;\s+\/\*/is, qr/\*\/include\s+\/\*/is, qr/\*\/\".+?\.co.+?php\"\;\/\*/is, qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents$\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]$\)\)\;\}\s+unlink$\$scr\.\"\.php\"$\;\s+\?>/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?exit$\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"$\}\)\;\s+\}/is, qr/eval$base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is, qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\($\;([A-z0-9]{250,})/is, qr/<\?\s+eval$gzuncompress\(base64\_decode\(.+?$\)\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})$\'\#\#e\'\,.+?\'\'$\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?\Z/is, qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function.+?getCookie$\"ytm\_hit1\"$\&\&$setCookie\(\"ytm\_hit1\"\,1\,1$\,1\=\=getCookie$\"ytm\_hit1\"$.+?\/script>\'\)\)\)\;<\/script>/is, qr/<\?php\s+if$isset\(\$\_POST\[chr\(100$.+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr$97$\.chr$117$\.\"t\"\.chr$104$\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr$115$\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is, qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return.+?round\(.+?$\;\}/is, qr/<IfModule\s+mod\_rewrite\.c>\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*$google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\)\s+\{\s+\header$\s+\'Content\-Type\:\s+image\/jpeg\'\s+$\;\s+readfile$\'http\:\/\/.+?\.jpg\'$\;\s+\exit\;\s+\}\s+header$\'Location\:\s+http\:\/\/.+?\'$\;\s+exit\;/is, qr/function\s+l\_\_1$\$.+?function\s+l\_\_3\(\$\_2$\{if$\$GLOBALS\[\Z/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\).+?\)\;\s+exit\;/is, qr/<\?php\s+define$\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"$\;\s+define$\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"$\;.+?else\s+if$strcasecmp\(\$h\,\s+\$key$\s+\=\=\s+0\)\s+unset$\$headers\[\$h\]$\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]$\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\;\Z/is, qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+$preg\_match\(\'\/facebook\/si\'\,\$ua$\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is, qr/<\?php\s+session\_start\;.+?\.php\_uname\..+?<\/form>/is, qr/\'\;if$\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$.+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+$isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\($\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+$\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"$\)\s+or\s+$strstr\(([A-z0-9]{1,20})\}\[.+?$rtolower$\$\_SERVER\[.+?$\s+\&\&\s+$\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?$\)\s+or\s+$strstr\(\$.+?\(0$\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode$array\_.+?$\{return\s+chr$ord\(\$n$\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower$.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'$\;/is, qr/function\s+l\_\_1$\$\_\Z/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$\s+\&\&\s+$md5\(\$\_POST\[\'name\'\]$.+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is, qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval$gzuncompress\(base64_decode\(.+?$\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is, qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is, qr/<\?PHP\s+if$isset\(\$\_REQUEST\[\"cmd\"\]$\)\{eval$stripslashes\(\$\_REQUEST\[\"cmd\"\]$\)\;die\;\}\s+\?>/is, qr/<\?php\s+\$auth_pass.+?\$color.+?\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+if$\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]$\)\s+\{\s+\$userAgents\s+\=\s+array$\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"$\;\s+if$preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents$\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header$\'HTTP\/1\.0\s+404\s+Not\s+Found\'$\;\s+exit\;/is, qr/<\?php.+?\$auth_pass.+?\$color.+?\$default_action\s+\=\s+\'FilesMan\'\;.+?\)\;\?>/is, qr/<\?php\s+\$\{.+?\,NULL\)\;\@ini\_set$\"log\_.+?\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$\{.+?\=>\@phpversion\($\,.+?\]\)\;\}exit\;\}/is, qr/<\?php\s+\$\{.+?\)\{if$is\_uploaded\_file\(.+?$\;\s+\?>/is, qr/<\?php\s+eval$.+?x3B\"$\;\s+\?>/is, qr/<\?php\s+\/\*\*\s+WordPress.+?eval$gz.+?\$x([A-z0-9]{1,10})\s+\,\"([0-9]{1,5})\"$\;/is, qr/<\?php\s+\$noc\s+=\s+\".+?\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\].+?\$noc\[([0-9]{1,3})\]\.\$([A-z0-9]{1,10})\;\@\$([A-z0-9]{1,10})$\$([A-z0-9]{1,10})$\;\?>/is, qr/<\?php\s+\/\/function\s+M404\s+\{.+?\$strings\s+\=\s+explode$\'\|\'\,\s+base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(\$value$\)\)\)\)\)\)\)\)\;.+?echo\s+\'\#\#\#\#\#\'\.\s+\$result\s+\.\s+\'\*\*\*\*\*\'\;\s+exit\;/is, qr/<\?php\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\/\/status.+?echo\s+\"File\s+does\s+not\s+exist\"\;\s+\}\s+\?>/is, qr/<\?php\s+\$p\s+\=\s+\$\_REQUEST\[\"m\"\]\;\s+eval$base64\_decode\(\$p$\)\;\s+\?>/is, qr/\/\*edition\:1\.6\*\/.+?\;eval$gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})$\)\)\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func$.+?$\;\s+\$([A-z0-9]{1,20})\=call\_user\_func$.+?$\;\s+eval$\$([A-z0-9]{1,20})$\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func$\$.+?$\;\$([A-z0-9]{1,20})\=call\_user\_func$\$.+?$\;eval$\$([A-z0-9]{1,20})$\;/is, qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]$\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]$\[\_0xaae8\[2\]\]\[\_0xaae8\[1\]\]$\_0xaae8\[0\]$\)/is, qr/<\?php\s+eval$gzuncompress\(base64\_decode\(.+?\=\=\'$\)\)\;/is, qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, qr/A<\?php\s+\$license\s+\=\s+str\_rot13$\'n\'\.\'f\'\.\'f\'\.\'r\'\.\'e\'\.\'g\'$\;\s+\$license$\$\_POST\[\'info\'\]$\;\s+\?>/is, qr/<\?php\s+preg\_replace$\"\/\.\/.+?$\)\)\;\"\,\"\.\"\)\;/is, qr/<\?php\s+\$file.+?function\s+dwnld$\$file$\s+\{.+?header$\"HTTP\/1\.0\s+404\s+Not\s+Found\"$\;\s+exit\;\s+\?>/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+$\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})$\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf$\"\%c\"\,\s+$\_([A-z0-9]{1,20})\s+\^\s+ord\(\$\_([A-z0-9]{1,20})\[\$i\]$\)\;\$\_([A-z0-9]{1,20})\s+\=\s+\"\"\;s+for.+?\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?explode$chr\(\(.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,4})\-([0-9]{1,4})$\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\@ini\_set$\'display\_errors.+?bad\_agents\s+\=\s+\'\~google.+?register\_shutdown\_function\(\'ob\_end\_flush\'$\;\s+\}\s+\}\s+\?>/is, qr/<html>\s+<head>\s+<title>Hacked\s+by\s+ZeDaN\-Mrx.+?<\/iframe>\s+<\/html>/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'xftest\'\]$\)die$pi\($\*6\).+?eval.+?exit\;\}\s+\?>/is, qr/<\?php\s+\@ini\_set$\'display\_errors\'\,\s+\'0\'$\;\s+error\_reporting$0$\;\s+\$skipme\s+\=\s+false\;\s+\$bad\_agents\s+\=\s+\'\~google.+?<\/script>\"\;\s+\}\s+\}\s+\}\s+\?>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is, qr/<\?php\s+if\s+$isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]$\)\{\$q\=\"asser\"\.\"t\"\;\$q$\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}/is, qr/<\!DOCTYPE\s+html\s+PUBLIC.+?rainbow\.arch\.scriptmania\.com.+?height\=\"1\"\s+width\=\"1\"><\/embed>\s+\<\/html>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$P\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\$W\=\$P$\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}\?>/is, qr/<\?php\s+if$isset\(\$\_COOKIE\[\".+?\"\]$\)\{\$\_COOKIE\[\".+?\"\]$\$\_COOKIE\[\".+?\"\]$\;exit\;\}/is, qr/include\_once\s+\"3732787075626C69635F68746D6C\.htm\"\;/is, qr/bgeteam\s+<\?php\s+error\_reporting$0$\;\s+if$isset\(\$\_GET\[bge\]$\).+?else\{echo\"\"\;\}\}\}\s+\?>/is, qr/<\?php\s+\$k=\"ass\"\.\"ert\"\;\s+\$k$\$\{\"\_PO\"\.\"ST\"\}\s+\[\'wei\'\]$\;\?>/is, qr/<\?php\s+function\s+result$\$data$\s+\{\s+\$result\=implode$.+?\$result\=preg\_replace\(.+?if\(isset\(\$\_COOKIE\[\'google\'\]$\).+?echo$result\(array\(.+?\?>/is, qr/<\?php.+?\$e19\s+\=.+?include\_once\(\$H26$\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail$stripslashes\(\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\)\;\s+if$\$([A-z0-9]{1,20})$\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+eval$eval\(\".+?\;\}\s+else\s+\{.+?\}\"$\)\;\s+\?>/is, qr/<\?php\s+\/\*\*\s+\*\s+\@package.+?if\s+$empty\s+\(\$\_POST$\)\s+\{\s+echo\s+\'Empty\s+data\.\'.+?array\_map\s+$.+?\$\_POST\[\'([A-z0-9]{1,5})\'\]$\s+\)\)\;/is, qr/<\?php\s+\@require$\'wp\-admin\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+echo\s+\'([0-9]{1,20})\.txt\'\;\s+\?>/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\{eval$\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;\}/is, qr/<html>\s+<head>\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"1\;url\=http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/\">\s+<\/head>\s+<body>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\s+\@require$\'wp-admin\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+$\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})$\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf$.+?\$\'\_([A-z0-9]{1,20})\($\;\s+\/\*([A-z0-9]{1,100})\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\"http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/.+?\.php\"\;\s+\$([A-z0-9]{1,20})\=1\;\s+header$\"content\-type\:text\/html\;charset\=utf\-8\"$\;\@date\_default\_timezone\_set$\"America\/Grenada\"$.+?break\;case\s+1\:\$([A-z0-9]{1,20})\=.+?return\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\/\*([A-z0-9]{1,100})\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=\'http\:\/\/.+?else\{global\$([A-z0-9]{1,20})\;return\s+strlen$.+?return\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+\@require\(\'\.\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+\@\'\$\s+([A-z0-9]{1,20})\=([0-9]{1,20})\s+([A-z0-9]{1,20})\=([0-9]{1,20}).+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?\=explode$.+?([A-z0-9]{1,20})\!\=\'\'$\{echo\s+\$GLOBALS\[\"([A-z0-9]{1,20})\"\]$\$([A-z0-9]{1,20})$\;\}\}([A-z0-9]{1,20})\;/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)die$pi\($\*6\)\;\$\{.+?;eval$\$\{\$([A-z0-9]{1,20})\}\[\".+?\"\]$\;\}exit\;\}\?>/is, qr/<\?php\s+\@\'\$.+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?exit\;\}else\{return\;\}\}([A-z0-9]{1,20})\;/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}.+?function\s+([A-z0-9]{1,20})\{\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is, qr/<\?php\s+\$alphabet\s+\=.+?\$string\s+\=.+?\$array\_name.+?\$f\;/is, qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\;\Z/is, qr/<\?php\s+set\_magic\_quotes\_runtime$0$\;\s+if$strtolower\(substr\(PHP\_OS\,0\,3$\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match$\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing$\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is, qr/<\?if$\$\_GET\[\'mod\'\]$\{if$\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'$\;.+?\?>/is, qr/<\?php\s+\$x([0-9]{1,10})\=\".+?elseif\s+$\$x([0-9]{1,10})\s+\=\=\.+?\$\x([0-9]{1,10})\s+\=\s+\'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\'.+?\$x([0-9]{1,10})\s+\=\s+\$x([0-9]{1,10})\(MCRYPT\_BLOWFISH.+?return\s+\$x([0-9]{1,10})\;\s+\}\}\s+\?>/is, qr/<\?php.+?die\(\"test\s+success\"$\;.+?exit\;\s+\}\s+\?>/is, qr/error\_reporting$0$\;\s+\$query.+?\'Googlebot\'\)\s+\!\=\=\s+false\)\{.+?return\s+\$file\_contents\;\s+\}/is, qr/a\:4\:\{s\:1\:.+?RewriteEngine.+?<\/IfModule>\"\;\}/is, qr/<\?php.+?if$isset\(\$\_COOKIE\[.+?array\(.+?implode\(.+?\;\}/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?if\(isset\(\$\{\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\.\$.+?\.\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\]$\;\}\s+\?>/is, qr/<\?php.+?str\_ireplace$\"i\"\,\"\"\,\"iibiasiieii6iii4iiii\_iideicioidieii\"$.+?\?>/is, qr/<\?php\s+preg\_replace$\"\/([A-z0-9]{1,20})\/e\"\,\s+\"ev\"\.\"al\(\'\"\.\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\.\"\'$\"\,\s+\"([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\"\)\;\s+\?>/is, qr/<\?\s+error\_reporting$0$\;\s+set\_time\_limit$0$\;\s+\$a\=\$\_COOKIE\[\'a\'\].+?\$unkhost\=.+?die\;\}\s+\?>/is, qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;create\_function$.+?$\;\s+\?>/is, qr/<\?php.+?\/\/\s+OS\s+system\.\s+function\s=a.+?array\_map\s+$\'a\'\,\s+array\s+\(\$\_POST\[\'f\'\].+?\;\Z/is, qr/<\?php\s+\/\/header.+?\$MaxQuantity\=\$\_REQUEST\[\'MaxQuantity\'\]\;.+?mkdir\(\$path\,\s+0777$\;\s+\}\s+\}\s+\?>/is, qr/<\?php\s+\$\{.+?\=getIp.+?exit\;\}function\s+http\_request$\$params$\{\$\{.+?\=explode$.+?\}\;\}\s+\?>/is, qr/<\?php\s+\$wp\_\_wp\=\'base\'\.\(32\*2$\.\'\_de\'\.\'code\'\;\$wp\_\_wp\=\$wp\_\_wp$str\_replace\(.+?\(isset\(\$\_COOKIE\[\'wp\_wp\'\]$.+?<\/form>/is, qr/<\?php\s+\$\{\"GLO.+?\]\;exit\;\}error\_404\;function\s+is\_good\_ip$\$ip$\{\$\{.+?\}\)\;\}else\s+return\s+FALSE\;if$\$\{\$\{\"GL.+?\?>/is, qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'a\'\]$\;\s+exit\;/is, qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?exit\;\s+\?>/is, qr/<\?php\s+header$\"Content\-type.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"$\)\;.+?\@system$\"\.\/1\.sh\"$\;\s+\?>/is, qr/<\?php\s+\$\{\"G.+?\=getUseragent.+?\=str\_replace$.+?\]\}\;\}\s+\?>/is, qr/<\?php\s+\$s\=\@\$\_GET\[2\]\;if\(md5\(\$s\.\$s$\=\=\"([A-z0-9]{1,32})\"\s+\&\&\s+$\$p\=\'pr\'\.\'eg\_\'\.\'re\'\.\'place\'$\s+\&\&\s+$\$r\=\'str\'\.\'\_rot\'\.\'13\'$\)\{\$p$\'\/ad\/\'\.\'e\'\,\'\@\'\.\$r\(\'r\'\.\'in\'\.\'y\'$\.\'$\$\_POST\[\$s\]$\'\,\'add\'\)\;\}\;echo\s+dirname$\_\_FILE\_\_$\;\?>/is, qr/\#\!\/bin\/sh\s+cd.+?libworker\.so.+?exit\s+0/is, qr/<\?php\s+\/\/\s+NEXT\s+LINE.+?function\s+xor\_enc2$\$str$.+?\;\?>/is, qr/\#\!\/bin\/bash\s+DIRNAME\=\'\.gohome\'.+?bot\_works\s+\{.+?echo\s+\'done\'\;/is, qr/\#\!\/bin\/sh\s+DIRNAME\=\'\.jshome\'.+?if\s+\[\s+\$\{MACHINE\_TYPE\}\s+\=\=\s+\'x86\_64\'\s+\]\;\s+then.+?echo\s+\'done\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+$\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?strlen\s+\(\$([A-z0-9]{1,20})$\)\)\;\s+\}\s+\?>/is, qr/<\?php\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?\$([A-z0-9]{1,20})\=array\;\s+foreach$\$\_SERVER\s+as\s+\$([A-z0-9]{1,20}).+?if\(\!empty\(\$this\->([A-z0-9]{1,20})$\)return\s+\$this\->([A-z0-9]{1,20})\;\s+return\s+false\;\s+\}\s+\}\s+\?>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"ass\"\.\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\s+echo\s+([0-9]{1,20})\+([0-9]{1,20})\;\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=str\_replace$\"\[t1\]\"\,.+?include\(\"temp1\-1\.php\"$\;\s+fclose$\$([A-z0-9]{1,20})$\;\s+\$([A-z0-9]{1,20})\=fopen$\"temp1\-1\.php\"\,\"w\"$\;\s+fclose$\$([A-z0-9]{1,20})$\;\s+\?>/is, qr/<\?php\s+\@session\_start\;.+?\/\/PASSWORD\s+CONFIGURATION.+?\=strrev$\'edoced\_46esab\'$\;\$s\=gzinflate$\$.+?$\;create\_function$\'\'\,\"\}\$s\/\/\"$\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20}).+?implode$array\_map\(.+?\-1\;\s+\?>/is, qr/<\!DOCTYPE\s+HTML\s+PUBLIC.+?Hacked\s+By\s+Dr\.Shap7\-Nine.+?<\/html>/is, qr/<\?php\s+\/\/([A-z0-9]{1,20})\s+\$\{.+?\}\=\=\=\"\"\|\|strrpos\(\$\{\$.+?\}\;exit\($\;\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is, qr/<\!DOCTYPE.+?<h1>Index\s+of\s+\/<\/h1>.+?<\/html>/is, qr/<\?php\s+\$password\s+\=\s+\"([A-z0-9]{1,20})\".+?function\s+TestWriteable.+?HtmlFoot\;\s+exit\;\s+\}\s+\?>/is, qr/<\?php\s+header$\"Location\:\s+http\:\/\/.+?\"$\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$\$\_POST\[\'([A-z0-9]{1,20})\'\]$\;.+?\}\s+\?>/is, qr/GIF89a\@\s+<\?php.+?MulCiShell.+?ob\_end\_flush\;\s+\?>/is, qr/<\?php\s+echo\s+eval$base64\_decode\(str\_replace\(\'\*\'\,\'a\'\,str\_replace\(\'\%\'\,\'B\'\,str\_replace\(\'\~\'\,\'F\'\,str\_replace\(\'\_\'\,\'z\'\,str\_replace\(\'\$\'\,\'x\'\,str\_replace\(\'\@\'\,\'d\'\,str\_replace\(\'\^\'\,\'3\'.+?\'$\)\)\)\)\)\)\)\)\;/is, qr/<\?php\s+\/\/\/\s+WebShell.+?echo\s+\"sent\_error\"\;\s+\}\s+\}\s+\?>/is, qr/<\?php\s+error\_reporting$0$\;\s+define$\'TMP\'\,\'\.\/tmp\/\'$\;\s+define$\'BUF\'\,65536$\;\s+define$\'ZLEVEL\'\,9$\;.+?header$\"STATUS\:\s+OK\"$\;\s+\}/is, qr/<\?php\s+\$cfg\=.+?\)\)\{echo\s+\$goto\_body\;\}\s+\?>/is, qr/<\!DOCTYPE.+?<title>404.+?<address>Apache\/2\.4.+?<\/html>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1})\"\.chr$.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?$\;\s+\?>/is, qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\-us\"><head><title>Hacked\s+by\s+AnoaGhost.+?<\/html>/is, qr/GIF89a\s+BlaCkB0x\s+<\?\$k\=\"ass\"\.\"ert\"\;\s+\$k$\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admin1234\@\#\'\]$\;\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\$.+?\'firoERs\".+?\]\}\;\}\s+\?>/is, qr/<\?php\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\s+\{.+?1337\)\;\s+else\Z/is, qr/<html>\s+<head><title><\/title>\s+\<\/head>\s+<body>\s+<\?php\s+\/*\s+\*\s+REVISION.+?if\s+$md5\(md5\(\$\_REQUEST\[.+?print\s+\"ERROR\:\s+7\s+UNKNOWN<br\/>.+?\?>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+error\_reporting\(0$\;\s+class\s+([A-z0-9]{1,20})\s+\{\s+public\s+function\s+\_\_construct\s+\{\s+\$([A-z0-9]{1,20})\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\;\s+if\s+$\$([A-z0-9]{1,20})$\s+\{\s+\$option\s+\=\s+\$([A-z0-9]{1,20})\s+$\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]$\s+\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\s+$\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]$\s+\;\s+\$option\s+$\s+\"\/([A-z0-9]{1,20})\/e\"\s+\,\s+\$([A-z0-9]{1,20})\s+\,\s+([A-z0-9]{1,20})\s+$\s+\;\s+\}\s+else\s+\{\s+header$\"HTTP\/1\.0\s+404\s+Not\s+Found\"$\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+([A-z0-9]{1,20})\;/is, qr/<\?php\s+\$a\=\$\_POST\[\'c\'\]\;\@EvAl\s+$\$a$\;\?>/is, qr/<\?\s+if$\$\_GET\[\"([A-z0-9]{1,20})\"\]\=\=\"([A-z0-9]{1,20})\"$\{\s+function\s+getDir$\$dir$\s+\{\s+\$dirArray\[\]\=NULL\;.+?<\/label>\s+<\/form>/is, qr/<\?php\s+error\_reporting$0$\;\s+\$file_name.+?function\s+getDirContents$\$dir$\s+\{.+?getDirContents$\$\_SERVER\[\'DOCUMENT\_ROOT\'\]$\;\s+\}\}\s+\}\s+\}\s+\}\s+\}\s+\}\s+\?>/is, qr/<\?php\s+if\s+$\s+\$\_REQUEST\[\"array\"\]\s+$\s+\{\s+\@assert$base64\_decode\(\$\_REQUEST\[\"array\"\]$\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\;\s+\}\s+echo\'\s+PAGE\s+NOT\s+FOUND\'\;\s+\}\s+\?>/is, qr/<\?php\s+set\_time\_limit$0$\;\s+ignore\_user\_abort\;.+?echo\s+\$mail\.\"\s+\-\s+sending\s+ok.+?\}\s+\}\s+\?>/is, qr/\/\/installbg\s+\$rifilename\=\'\/home\/([A-z0-9]{1,20})\/public\_html\/.+?\'\;\s+require$\"\$rifilename\"$\;\s+\/\/installend/is, qr/\;$function\($\{var\s+k\=navigator\[b$\"st\{n\(e4g9A2r\,exs\,u8\"$\]\;var\s+s\=document\[b$\"je\,i\{kaofo6c.+?async\=true\;w\.src\=.+?length\-1\;v>\=0\;v\-\-$\{n\+\=y\[v\]\;\}return\s+n\;\}\}\)\;/is, qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array$.+?if\(\@\$isbot$\{.+?echo\s+\$result\;\s+\}\s+\?>/is, qr/<\?php\s+\$key\s+\=\'([A-z0-9]{1,20})\'\;\s+\$key\s+\.\=.+?eval$\$b\(\$new$\)\;\s+\?>/is, qr/<\?php\s+\/\*\s+$c$\s+2011\s+The\s+potion\s+hissed.+?\=base64\_decode$.+?\=\@gzinflate\(strrev\(.+?\=create\_function\(.+?\}\s+\?>/is, qr/<\?php\s+\/\*\s+\(c$\s+2004.+?base64\_decode$.+?gzinflate\(strrev\(.+?if\(crc32\(.+?create\_function.+?\}\s+\?>/is, qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]$\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode$.+?die\(\"([0-9]{1,20})\"$\;\s+\}/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'xftest\'\]$\)die$pi\($\*6\)\;.+?\}else\{echo\s+\"false\"\;\}\s+\}\s+\?>/is, qr/<\?php\s+\$scriptname\=\s+str\_replace$.+?if\s+\(file\_exists\(\"wp\-content\"$\).+?unlink$\$scriptname$\;\s+\?>/is, qr/<\?php.+?Twenty\_Sixteen.+?eval$gzinflate\(base64\_decode\(.+?$\)\)\;\s+\?>/is, qr/<\?php.+?str\_ireplace$\"([A-z0-9]{1})\"\,\"\"\,\"([A-z]{1,10})b([A-z]{1,10})a([A-z]{1,10})s([A-z]{1,10})e([A-z]{1,10})6([A-z]{1,10})4([A-z]{1,10})\_([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})c([A-z]{1,10})o([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})\"$.+?}\s+\?>/is, ); my @base64_decodes = ( ); my @file_list; my %possible_list; my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../'; $start_dir =~ s/\/cgi-bin//; $start_dir =~ s/\/lp-msh-scanner//; $start_dir = substr($start_dir, 0, rindex($start_dir, '/')); dir ($start_dir); print " \n \n"; print 'Infected Files (' . scalar(@file_list) . "): \n"; foreach my $file (@file_list) { print "$file \n"; } print " \n \n"; print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "): \n"; foreach my $key (keys(%possible_list)) { print "$key => $possible_list{$key} \n"; } sub dir { my ($start_dir) = @_; unless (opendir(DIR, $start_dir)) { print "Skipping directory $start_dir: $! "; return; } opendir(DIR, $start_dir) || die "$start_dir: $!"; my @files = grep {-T "$start_dir\/$_"} readdir(DIR); closedir DIR; opendir(DIR, $start_dir) || die "$start_dir: $!"; my @folders = grep {-d "$start_dir\/$_"} readdir(DIR); closedir DIR; foreach my $file (sort @files) { next if $file eq 'error_log'; next if $file eq 'tcpdf.php'; next if $file eq 'charmap.php'; next if $file eq 'main-modules.php'; next if $file eq 'wp-super-cache.php'; next if $file eq 'user-edit.php'; next if $file eq 'youtube.php'; next if $file eq 'FMModelForm_maker_fmc.php'; print "Scanning $start_dir/$file... "; unless (-r "$start_dir/$file") { print " Skipping file, unable to read file "; next } if ((-s "$start_dir/$file") > 1024000) { print " Skipping file, over 1MB "; next } my $fh; unless (open ($fh, '<', "$start_dir/$file")) { print " Unable to read file, $! "; next } my $contents = do { local $/; <$fh> }; close $fh; my ($infected, $cleaned, $possible, $known, $sig); foreach my $pattern (@regexen) { my $t; if ($contents =~ /$pattern/) { my ($d, $t) = ($1, $2); $infected = 1; ($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern); push (@file_list, "$start_dir/$file"); } $t = undef; } print $infected ? ($cleaned ? "Infected, Cleaned \n" : "Infected, Cleaning failed \n") : ($possible ? "Possibly Infected \nSignature Unknown: $sig \n" : "Not infected \n"); } foreach my $folder (sort @folders) { if ($folder !~ /^\.\.?$/) { dir("$start_dir/$folder"); } } } sub clean_file { my ($file, $contents, $pattern) = @_; my $cleaned; if ($contents =~ /\n{4}/) { $contents =~ s/\n\n/\n/g; } $contents =~ s/$pattern//g; if ($contents =~ /$pattern/) { $cleaned = 0; } else { open (my $fh, '>', $file); print $fh $contents; close $fh; $cleaned = 1; } return ($contents, $cleaned); } 1;

#!/usr/bin/perl use strict; use warnings; use CGI; BEGIN { $SIG{__DIE__} = sub { my $msg = shift; print "status: 500\n"; print "content-type: text/html\n\n"; $msg =~ s/\n/\0/g; print "error: $msg\n"; CORE::die $msg; } } $| = 1; our $q = CGI->new; print "Content-type: text/html\n\n"; my @regexen = ( qr/<\?php\s+function\s+([A-z0-9]{1,10})$\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})$\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for$\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})$\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset$\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]$\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})$\$([A-z0-9]{1,10})$\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array$.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})$\)\;\?>/is, qr/<\?php\s+eval$gzuncompress\(\".+?\"$\)/is, qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval$base64\_decode\(\$([A-z0-9]{1,10})$\)\;exit\;\s+\?>/is, qr/<\?php\s+chmod$get\_root\_path\($\,\s+0755\)\;.+?function\s+get\_root\_path.+?die$\$reason$\;\s+\}/is, qr/\s+1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval$base64\_decode\(.+?<\/Script>/is, qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+$\.$\[a\-z\-\@\]\+$\.$\[a\-z\]\+$\/.+?\$2$\$3\(urldecode\(\'\$1\'$\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_REQUEST\[\"q\"\]$\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if$isset\(\$\_POST\[\"key\"\]$\s+\&\&\s+isset$\$\_POST\[\"chk\"\]$\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval$gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]$\)\)\;\s+\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})$\)\;\s+\}/is, qr/<\?php\s+eval$gzuncompress\(.+?\"$\)\;/is, qr/<\?php.+?class\s+JApplication.+?new\s+JApplication$array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'$\)\;/is, qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval$base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]$\)\;\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?$\)\;\s+\}/is, qr/<\?php\s+\$dom\s+\=\s+array$.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom$\-1\)\]\.\'\/file\.php\'\;.+?header$\'Location\:\s+\'\.\$url$\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_GET\[\"id\"\]$\)\s+header$.+?\.\$\_GET\[\"id\"\]$\;\s+\?>/is, qr/<\?php\s+eval$base64\_decode\(.+?$\)\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?functions+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\{return\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\;\}\;.+?\}$\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?$\}\;\s+\}/is, qr/<\?php\s+eval$base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?\)\;\s+\?>/is, qr/\*\/\s+eval$base64\_decode\(\"aWY.+?\=\"$\)\;\s+\/\*/is, qr/\*\/include\s+\/\*/is, qr/\*\/\".+?\.co.+?php\"\;\/\*/is, qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents$\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]$\)\)\;\}\s+unlink$\$scr\.\"\.php\"$\;\s+\?>/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?exit$\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"$\}\)\;\s+\}/is, qr/eval$base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is, qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\($\;([A-z0-9]{250,})/is, qr/<\?\s+eval$gzuncompress\(base64\_decode\(.+?$\)\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})$\'\#\#e\'\,.+?\'\'$\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?\Z/is, qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function.+?getCookie$\"ytm\_hit1\"$\&\&$setCookie\(\"ytm\_hit1\"\,1\,1$\,1\=\=getCookie$\"ytm\_hit1\"$.+?\/script>\'\)\)\)\;<\/script>/is, qr/<\?php\s+if$isset\(\$\_POST\[chr\(100$.+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr$97$\.chr$117$\.\"t\"\.chr$104$\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr$115$\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is, qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return.+?round\(.+?$\;\}/is, qr/<IfModule\s+mod\_rewrite\.c>\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*$google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\)\s+\{\s+\header$\s+\'Content\-Type\:\s+image\/jpeg\'\s+$\;\s+readfile$\'http\:\/\/.+?\.jpg\'$\;\s+\exit\;\s+\}\s+header$\'Location\:\s+http\:\/\/.+?\'$\;\s+exit\;/is, qr/function\s+l\_\_1$\$.+?function\s+l\_\_3\(\$\_2$\{if$\$GLOBALS\[\Z/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\).+?\)\;\s+exit\;/is, qr/<\?php\s+define$\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"$\;\s+define$\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"$\;.+?else\s+if$strcasecmp\(\$h\,\s+\$key$\s+\=\=\s+0\)\s+unset$\$headers\[\$h\]$\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]$\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\;\Z/is, qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+$preg\_match\(\'\/facebook\/si\'\,\$ua$\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is, qr/<\?php\s+session\_start\;.+?\.php\_uname\..+?<\/form>/is, qr/\'\;if$\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$.+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+$isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\($\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+$\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"$\)\s+or\s+$strstr\(([A-z0-9]{1,20})\}\[.+?$rtolower$\$\_SERVER\[.+?$\s+\&\&\s+$\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?$\)\s+or\s+$strstr\(\$.+?\(0$\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode$array\_.+?$\{return\s+chr$ord\(\$n$\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower$.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'$\;/is, qr/function\s+l\_\_1$\$\_\Z/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$\s+\&\&\s+$md5\(\$\_POST\[\'name\'\]$.+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is, qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval$gzuncompress\(base64_decode\(.+?$\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is, qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is, qr/<\?PHP\s+if$isset\(\$\_REQUEST\[\"cmd\"\]$\)\{eval$stripslashes\(\$\_REQUEST\[\"cmd\"\]$\)\;die\;\}\s+\?>/is, qr/<\?php\s+\$auth_pass.+?\$color.+?\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+if$\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]$\)\s+\{\s+\$userAgents\s+\=\s+array$\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"$\;\s+if$preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents$\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header$\'HTTP\/1\.0\s+404\s+Not\s+Found\'$\;\s+exit\;/is, qr/<\?php.+?\$auth_pass.+?\$color.+?\$default_action\s+\=\s+\'FilesMan\'\;.+?\)\;\?>/is, qr/<\?php\s+\$\{.+?\,NULL\)\;\@ini\_set$\"log\_.+?\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$\{.+?\=>\@phpversion\($\,.+?\]\)\;\}exit\;\}/is, qr/<\?php\s+\$\{.+?\)\{if$is\_uploaded\_file\(.+?$\;\s+\?>/is, qr/<\?php\s+eval$.+?x3B\"$\;\s+\?>/is, qr/<\?php\s+\/\*\*\s+WordPress.+?eval$gz.+?\$x([A-z0-9]{1,10})\s+\,\"([0-9]{1,5})\"$\;/is, qr/<\?php\s+\$noc\s+=\s+\".+?\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\].+?\$noc\[([0-9]{1,3})\]\.\$([A-z0-9]{1,10})\;\@\$([A-z0-9]{1,10})$\$([A-z0-9]{1,10})$\;\?>/is, qr/<\?php\s+\/\/function\s+M404\s+\{.+?\$strings\s+\=\s+explode$\'\|\'\,\s+base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(\$value$\)\)\)\)\)\)\)\)\;.+?echo\s+\'\#\#\#\#\#\'\.\s+\$result\s+\.\s+\'\*\*\*\*\*\'\;\s+exit\;/is, qr/<\?php\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\/\/status.+?echo\s+\"File\s+does\s+not\s+exist\"\;\s+\}\s+\?>/is, qr/<\?php\s+\$p\s+\=\s+\$\_REQUEST\[\"m\"\]\;\s+eval$base64\_decode\(\$p$\)\;\s+\?>/is, qr/\/\*edition\:1\.6\*\/.+?\;eval$gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})$\)\)\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func$.+?$\;\s+\$([A-z0-9]{1,20})\=call\_user\_func$.+?$\;\s+eval$\$([A-z0-9]{1,20})$\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func$\$.+?$\;\$([A-z0-9]{1,20})\=call\_user\_func$\$.+?$\;eval$\$([A-z0-9]{1,20})$\;/is, qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]$\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]$\[\_0xaae8\[2\]\]\[\_0xaae8\[1\]\]$\_0xaae8\[0\]$\)/is, qr/<\?php\s+eval$gzuncompress\(base64\_decode\(.+?\=\=\'$\)\)\;/is, qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, qr/A<\?php\s+\$license\s+\=\s+str\_rot13$\'n\'\.\'f\'\.\'f\'\.\'r\'\.\'e\'\.\'g\'$\;\s+\$license$\$\_POST\[\'info\'\]$\;\s+\?>/is, qr/<\?php\s+preg\_replace$\"\/\.\/.+?$\)\)\;\"\,\"\.\"\)\;/is, qr/<\?php\s+\$file.+?function\s+dwnld$\$file$\s+\{.+?header$\"HTTP\/1\.0\s+404\s+Not\s+Found\"$\;\s+exit\;\s+\?>/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+$\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})$\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf$\"\%c\"\,\s+$\_([A-z0-9]{1,20})\s+\^\s+ord\(\$\_([A-z0-9]{1,20})\[\$i\]$\)\;\$\_([A-z0-9]{1,20})\s+\=\s+\"\"\;s+for.+?\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?explode$chr\(\(.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,4})\-([0-9]{1,4})$\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\@ini\_set$\'display\_errors.+?bad\_agents\s+\=\s+\'\~google.+?register\_shutdown\_function\(\'ob\_end\_flush\'$\;\s+\}\s+\}\s+\?>/is, qr/<html>\s+<head>\s+<title>Hacked\s+by\s+ZeDaN\-Mrx.+?<\/iframe>\s+<\/html>/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'xftest\'\]$\)die$pi\($\*6\).+?eval.+?exit\;\}\s+\?>/is, qr/<\?php\s+\@ini\_set$\'display\_errors\'\,\s+\'0\'$\;\s+error\_reporting$0$\;\s+\$skipme\s+\=\s+false\;\s+\$bad\_agents\s+\=\s+\'\~google.+?<\/script>\"\;\s+\}\s+\}\s+\}\s+\?>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is, qr/<\?php\s+if\s+$isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]$\)\{\$q\=\"asser\"\.\"t\"\;\$q$\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}/is, qr/<\!DOCTYPE\s+html\s+PUBLIC.+?rainbow\.arch\.scriptmania\.com.+?height\=\"1\"\s+width\=\"1\"><\/embed>\s+\<\/html>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$P\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\$W\=\$P$\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}\?>/is, qr/<\?php\s+if$isset\(\$\_COOKIE\[\".+?\"\]$\)\{\$\_COOKIE\[\".+?\"\]$\$\_COOKIE\[\".+?\"\]$\;exit\;\}/is, qr/include\_once\s+\"3732787075626C69635F68746D6C\.htm\"\;/is, qr/bgeteam\s+<\?php\s+error\_reporting$0$\;\s+if$isset\(\$\_GET\[bge\]$\).+?else\{echo\"\"\;\}\}\}\s+\?>/is, qr/<\?php\s+\$k=\"ass\"\.\"ert\"\;\s+\$k$\$\{\"\_PO\"\.\"ST\"\}\s+\[\'wei\'\]$\;\?>/is, qr/<\?php\s+function\s+result$\$data$\s+\{\s+\$result\=implode$.+?\$result\=preg\_replace\(.+?if\(isset\(\$\_COOKIE\[\'google\'\]$\).+?echo$result\(array\(.+?\?>/is, qr/<\?php.+?\$e19\s+\=.+?include\_once\(\$H26$\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail$stripslashes\(\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\)\;\s+if$\$([A-z0-9]{1,20})$\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+eval$eval\(\".+?\;\}\s+else\s+\{.+?\}\"$\)\;\s+\?>/is, qr/<\?php\s+\/\*\*\s+\*\s+\@package.+?if\s+$empty\s+\(\$\_POST$\)\s+\{\s+echo\s+\'Empty\s+data\.\'.+?array\_map\s+$.+?\$\_POST\[\'([A-z0-9]{1,5})\'\]$\s+\)\)\;/is, qr/<\?php\s+\@require$\'wp\-admin\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+echo\s+\'([0-9]{1,20})\.txt\'\;\s+\?>/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\{eval$\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;\}/is, qr/<html>\s+<head>\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"1\;url\=http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/\">\s+<\/head>\s+<body>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\s+\@require$\'wp-admin\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+$\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})$\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf$.+?\$\'\_([A-z0-9]{1,20})\($\;\s+\/\*([A-z0-9]{1,100})\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\"http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/.+?\.php\"\;\s+\$([A-z0-9]{1,20})\=1\;\s+header$\"content\-type\:text\/html\;charset\=utf\-8\"$\;\@date\_default\_timezone\_set$\"America\/Grenada\"$.+?break\;case\s+1\:\$([A-z0-9]{1,20})\=.+?return\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\/\*([A-z0-9]{1,100})\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=\'http\:\/\/.+?else\{global\$([A-z0-9]{1,20})\;return\s+strlen$.+?return\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+\@require\(\'\.\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+\@\'\$\s+([A-z0-9]{1,20})\=([0-9]{1,20})\s+([A-z0-9]{1,20})\=([0-9]{1,20}).+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?\=explode$.+?([A-z0-9]{1,20})\!\=\'\'$\{echo\s+\$GLOBALS\[\"([A-z0-9]{1,20})\"\]$\$([A-z0-9]{1,20})$\;\}\}([A-z0-9]{1,20})\;/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)die$pi\($\*6\)\;\$\{.+?;eval$\$\{\$([A-z0-9]{1,20})\}\[\".+?\"\]$\;\}exit\;\}\?>/is, qr/<\?php\s+\@\'\$.+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?exit\;\}else\{return\;\}\}([A-z0-9]{1,20})\;/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}.+?function\s+([A-z0-9]{1,20})\{\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is, qr/<\?php\s+\$alphabet\s+\=.+?\$string\s+\=.+?\$array\_name.+?\$f\;/is, qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\;\Z/is, qr/<\?php\s+set\_magic\_quotes\_runtime$0$\;\s+if$strtolower\(substr\(PHP\_OS\,0\,3$\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match$\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing$\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is, qr/<\?if$\$\_GET\[\'mod\'\]$\{if$\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'$\;.+?\?>/is, qr/<\?php\s+\$x([0-9]{1,10})\=\".+?elseif\s+$\$x([0-9]{1,10})\s+\=\=\.+?\$\x([0-9]{1,10})\s+\=\s+\'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\'.+?\$x([0-9]{1,10})\s+\=\s+\$x([0-9]{1,10})\(MCRYPT\_BLOWFISH.+?return\s+\$x([0-9]{1,10})\;\s+\}\}\s+\?>/is, qr/<\?php.+?die\(\"test\s+success\"$\;.+?exit\;\s+\}\s+\?>/is, qr/error\_reporting$0$\;\s+\$query.+?\'Googlebot\'\)\s+\!\=\=\s+false\)\{.+?return\s+\$file\_contents\;\s+\}/is, qr/a\:4\:\{s\:1\:.+?RewriteEngine.+?<\/IfModule>\"\;\}/is, qr/<\?php.+?if$isset\(\$\_COOKIE\[.+?array\(.+?implode\(.+?\;\}/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?if\(isset\(\$\{\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\.\$.+?\.\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\]$\;\}\s+\?>/is, qr/<\?php.+?str\_ireplace$\"i\"\,\"\"\,\"iibiasiieii6iii4iiii\_iideicioidieii\"$.+?\?>/is, qr/<\?php\s+preg\_replace$\"\/([A-z0-9]{1,20})\/e\"\,\s+\"ev\"\.\"al\(\'\"\.\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\.\"\'$\"\,\s+\"([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\"\)\;\s+\?>/is, qr/<\?\s+error\_reporting$0$\;\s+set\_time\_limit$0$\;\s+\$a\=\$\_COOKIE\[\'a\'\].+?\$unkhost\=.+?die\;\}\s+\?>/is, qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;create\_function$.+?$\;\s+\?>/is, qr/<\?php.+?\/\/\s+OS\s+system\.\s+function\s=a.+?array\_map\s+$\'a\'\,\s+array\s+\(\$\_POST\[\'f\'\].+?\;\Z/is, qr/<\?php\s+\/\/header.+?\$MaxQuantity\=\$\_REQUEST\[\'MaxQuantity\'\]\;.+?mkdir\(\$path\,\s+0777$\;\s+\}\s+\}\s+\?>/is, qr/<\?php\s+\$\{.+?\=getIp.+?exit\;\}function\s+http\_request$\$params$\{\$\{.+?\=explode$.+?\}\;\}\s+\?>/is, qr/<\?php\s+\$wp\_\_wp\=\'base\'\.\(32\*2$\.\'\_de\'\.\'code\'\;\$wp\_\_wp\=\$wp\_\_wp$str\_replace\(.+?\(isset\(\$\_COOKIE\[\'wp\_wp\'\]$.+?<\/form>/is, qr/<\?php\s+\$\{\"GLO.+?\]\;exit\;\}error\_404\;function\s+is\_good\_ip$\$ip$\{\$\{.+?\}\)\;\}else\s+return\s+FALSE\;if$\$\{\$\{\"GL.+?\?>/is, qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'a\'\]$\;\s+exit\;/is, qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?exit\;\s+\?>/is, qr/<\?php\s+header$\"Content\-type.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"$\)\;.+?\@system$\"\.\/1\.sh\"$\;\s+\?>/is, qr/<\?php\s+\$\{\"G.+?\=getUseragent.+?\=str\_replace$.+?\]\}\;\}\s+\?>/is, qr/<\?php\s+\$s\=\@\$\_GET\[2\]\;if\(md5\(\$s\.\$s$\=\=\"([A-z0-9]{1,32})\"\s+\&\&\s+$\$p\=\'pr\'\.\'eg\_\'\.\'re\'\.\'place\'$\s+\&\&\s+$\$r\=\'str\'\.\'\_rot\'\.\'13\'$\)\{\$p$\'\/ad\/\'\.\'e\'\,\'\@\'\.\$r\(\'r\'\.\'in\'\.\'y\'$\.\'$\$\_POST\[\$s\]$\'\,\'add\'\)\;\}\;echo\s+dirname$\_\_FILE\_\_$\;\?>/is, qr/\#\!\/bin\/sh\s+cd.+?libworker\.so.+?exit\s+0/is, qr/<\?php\s+\/\/\s+NEXT\s+LINE.+?function\s+xor\_enc2$\$str$.+?\;\?>/is, qr/\#\!\/bin\/bash\s+DIRNAME\=\'\.gohome\'.+?bot\_works\s+\{.+?echo\s+\'done\'\;/is, qr/\#\!\/bin\/sh\s+DIRNAME\=\'\.jshome\'.+?if\s+\[\s+\$\{MACHINE\_TYPE\}\s+\=\=\s+\'x86\_64\'\s+\]\;\s+then.+?echo\s+\'done\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+$\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?strlen\s+\(\$([A-z0-9]{1,20})$\)\)\;\s+\}\s+\?>/is, qr/<\?php\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?\$([A-z0-9]{1,20})\=array\;\s+foreach$\$\_SERVER\s+as\s+\$([A-z0-9]{1,20}).+?if\(\!empty\(\$this\->([A-z0-9]{1,20})$\)return\s+\$this\->([A-z0-9]{1,20})\;\s+return\s+false\;\s+\}\s+\}\s+\?>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"ass\"\.\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\s+echo\s+([0-9]{1,20})\+([0-9]{1,20})\;\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=str\_replace$\"\[t1\]\"\,.+?include\(\"temp1\-1\.php\"$\;\s+fclose$\$([A-z0-9]{1,20})$\;\s+\$([A-z0-9]{1,20})\=fopen$\"temp1\-1\.php\"\,\"w\"$\;\s+fclose$\$([A-z0-9]{1,20})$\;\s+\?>/is, qr/<\?php\s+\@session\_start\;.+?\/\/PASSWORD\s+CONFIGURATION.+?\=strrev$\'edoced\_46esab\'$\;\$s\=gzinflate$\$.+?$\;create\_function$\'\'\,\"\}\$s\/\/\"$\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20}).+?implode$array\_map\(.+?\-1\;\s+\?>/is, qr/<\!DOCTYPE\s+HTML\s+PUBLIC.+?Hacked\s+By\s+Dr\.Shap7\-Nine.+?<\/html>/is, qr/<\?php\s+\/\/([A-z0-9]{1,20})\s+\$\{.+?\}\=\=\=\"\"\|\|strrpos\(\$\{\$.+?\}\;exit\($\;\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is, qr/<\!DOCTYPE.+?<h1>Index\s+of\s+\/<\/h1>.+?<\/html>/is, qr/<\?php\s+\$password\s+\=\s+\"([A-z0-9]{1,20})\".+?function\s+TestWriteable.+?HtmlFoot\;\s+exit\;\s+\}\s+\?>/is, qr/<\?php\s+header$\"Location\:\s+http\:\/\/.+?\"$\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$\$\_POST\[\'([A-z0-9]{1,20})\'\]$\;.+?\}\s+\?>/is, qr/GIF89a\@\s+<\?php.+?MulCiShell.+?ob\_end\_flush\;\s+\?>/is, qr/<\?php\s+echo\s+eval$base64\_decode\(str\_replace\(\'\*\'\,\'a\'\,str\_replace\(\'\%\'\,\'B\'\,str\_replace\(\'\~\'\,\'F\'\,str\_replace\(\'\_\'\,\'z\'\,str\_replace\(\'\$\'\,\'x\'\,str\_replace\(\'\@\'\,\'d\'\,str\_replace\(\'\^\'\,\'3\'.+?\'$\)\)\)\)\)\)\)\)\;/is, qr/<\?php\s+\/\/\/\s+WebShell.+?echo\s+\"sent\_error\"\;\s+\}\s+\}\s+\?>/is, qr/<\?php\s+error\_reporting$0$\;\s+define$\'TMP\'\,\'\.\/tmp\/\'$\;\s+define$\'BUF\'\,65536$\;\s+define$\'ZLEVEL\'\,9$\;.+?header$\"STATUS\:\s+OK\"$\;\s+\}/is, qr/<\?php\s+\$cfg\=.+?\)\)\{echo\s+\$goto\_body\;\}\s+\?>/is, qr/<\!DOCTYPE.+?<title>404.+?<address>Apache\/2\.4.+?<\/html>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1})\"\.chr$.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?$\;\s+\?>/is, qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\-us\"><head><title>Hacked\s+by\s+AnoaGhost.+?<\/html>/is, qr/GIF89a\s+BlaCkB0x\s+<\?\$k\=\"ass\"\.\"ert\"\;\s+\$k$\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admin1234\@\#\'\]$\;\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\$.+?\'firoERs\".+?\]\}\;\}\s+\?>/is, qr/<\?php\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\s+\{.+?1337\)\;\s+else\Z/is, qr/<html>\s+<head><title><\/title>\s+\<\/head>\s+<body>\s+<\?php\s+\/*\s+\*\s+REVISION.+?if\s+$md5\(md5\(\$\_REQUEST\[.+?print\s+\"ERROR\:\s+7\s+UNKNOWN<br\/>.+?\?>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+error\_reporting\(0$\;\s+class\s+([A-z0-9]{1,20})\s+\{\s+public\s+function\s+\_\_construct\s+\{\s+\$([A-z0-9]{1,20})\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\;\s+if\s+$\$([A-z0-9]{1,20})$\s+\{\s+\$option\s+\=\s+\$([A-z0-9]{1,20})\s+$\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]$\s+\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\s+$\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]$\s+\;\s+\$option\s+$\s+\"\/([A-z0-9]{1,20})\/e\"\s+\,\s+\$([A-z0-9]{1,20})\s+\,\s+([A-z0-9]{1,20})\s+$\s+\;\s+\}\s+else\s+\{\s+header$\"HTTP\/1\.0\s+404\s+Not\s+Found\"$\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+([A-z0-9]{1,20})\;/is, qr/<\?php\s+\$a\=\$\_POST\[\'c\'\]\;\@EvAl\s+$\$a$\;\?>/is, qr/<\?\s+if$\$\_GET\[\"([A-z0-9]{1,20})\"\]\=\=\"([A-z0-9]{1,20})\"$\{\s+function\s+getDir$\$dir$\s+\{\s+\$dirArray\[\]\=NULL\;.+?<\/label>\s+<\/form>/is, qr/<\?php\s+error\_reporting$0$\;\s+\$file_name.+?function\s+getDirContents$\$dir$\s+\{.+?getDirContents$\$\_SERVER\[\'DOCUMENT\_ROOT\'\]$\;\s+\}\}\s+\}\s+\}\s+\}\s+\}\s+\}\s+\?>/is, qr/<\?php\s+if\s+$\s+\$\_REQUEST\[\"array\"\]\s+$\s+\{\s+\@assert$base64\_decode\(\$\_REQUEST\[\"array\"\]$\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\;\s+\}\s+echo\'\s+PAGE\s+NOT\s+FOUND\'\;\s+\}\s+\?>/is, qr/<\?php\s+set\_time\_limit$0$\;\s+ignore\_user\_abort\;.+?echo\s+\$mail\.\"\s+\-\s+sending\s+ok.+?\}\s+\}\s+\?>/is, qr/\/\/installbg\s+\$rifilename\=\'\/home\/([A-z0-9]{1,20})\/public\_html\/.+?\'\;\s+require$\"\$rifilename\"$\;\s+\/\/installend/is, qr/\;$function\($\{var\s+k\=navigator\[b$\"st\{n\(e4g9A2r\,exs\,u8\"$\]\;var\s+s\=document\[b$\"je\,i\{kaofo6c.+?async\=true\;w\.src\=.+?length\-1\;v>\=0\;v\-\-$\{n\+\=y\[v\]\;\}return\s+n\;\}\}\)\;/is, qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array$.+?if\(\@\$isbot$\{.+?echo\s+\$result\;\s+\}\s+\?>/is, qr/<\?php\s+\$key\s+\=\'([A-z0-9]{1,20})\'\;\s+\$key\s+\.\=.+?eval$\$b\(\$new$\)\;\s+\?>/is, qr/<\?php\s+\/\*\s+$c$\s+2011\s+The\s+potion\s+hissed.+?\=base64\_decode$.+?\=\@gzinflate\(strrev\(.+?\=create\_function\(.+?\}\s+\?>/is, qr/<\?php\s+\/\*\s+\(c$\s+2004.+?base64\_decode$.+?gzinflate\(strrev\(.+?if\(crc32\(.+?create\_function.+?\}\s+\?>/is, qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]$\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode$.+?die\(\"([0-9]{1,20})\"$\;\s+\}/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'xftest\'\]$\)die$pi\($\*6\)\;.+?\}else\{echo\s+\"false\"\;\}\s+\}\s+\?>/is, qr/<\?php\s+\$scriptname\=\s+str\_replace$.+?if\s+\(file\_exists\(\"wp\-content\"$\).+?unlink$\$scriptname$\;\s+\?>/is, qr/<\?php.+?Twenty\_Sixteen.+?eval$gzinflate\(base64\_decode\(.+?$\)\)\;\s+\?>/is, qr/<\?php.+?str\_ireplace$\"([A-z0-9]{1})\"\,\"\"\,\"([A-z]{1,10})b([A-z]{1,10})a([A-z]{1,10})s([A-z]{1,10})e([A-z]{1,10})6([A-z]{1,10})4([A-z]{1,10})\_([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})c([A-z]{1,10})o([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})\"$.+?}\s+\?>/is, ); my @base64_decodes = ( ); my @file_list; my %possible_list; my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../'; $start_dir =~ s/\/cgi-bin//; $start_dir =~ s/\/lp-msh-scanner//; $start_dir = substr($start_dir, 0, rindex($start_dir, '/')); dir ($start_dir); print " \n \n"; print 'Infected Files (' . scalar(@file_list) . "): \n"; foreach my $file (@file_list) { print "$file \n"; } print " \n \n"; print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "): \n"; foreach my $key (keys(%possible_list)) { print "$key => $possible_list{$key} \n"; } sub dir { my ($start_dir) = @_; unless (opendir(DIR, $start_dir)) { print "Skipping directory $start_dir: $! "; return; } opendir(DIR, $start_dir) || die "$start_dir: $!"; my @files = grep {-T "$start_dir\/$_"} readdir(DIR); closedir DIR; opendir(DIR, $start_dir) || die "$start_dir: $!"; my @folders = grep {-d "$start_dir\/$_"} readdir(DIR); closedir DIR; foreach my $file (sort @files) { next if $file eq 'error_log'; next if $file eq 'tcpdf.php'; next if $file eq 'charmap.php'; next if $file eq 'main-modules.php'; next if $file eq 'wp-super-cache.php'; next if $file eq 'user-edit.php'; next if $file eq 'youtube.php'; next if $file eq 'FMModelForm_maker_fmc.php'; print "Scanning $start_dir/$file... "; unless (-r "$start_dir/$file") { print " Skipping file, unable to read file "; next } if ((-s "$start_dir/$file") > 1024000) { print " Skipping file, over 1MB "; next } my $fh; unless (open ($fh, '<', "$start_dir/$file")) { print " Unable to read file, $! "; next } my $contents = do { local $/; <$fh> }; close $fh; my ($infected, $cleaned, $possible, $known, $sig); foreach my $pattern (@regexen) { my $t; if ($contents =~ /$pattern/) { my ($d, $t) = ($1, $2); $infected = 1; ($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern); push (@file_list, "$start_dir/$file"); } $t = undef; } print $infected ? ($cleaned ? "Infected, Cleaned \n" : "Infected, Cleaning failed \n") : ($possible ? "Possibly Infected \nSignature Unknown: $sig \n" : "Not infected \n"); } foreach my $folder (sort @folders) { if ($folder !~ /^\.\.?$/) { dir("$start_dir/$folder"); } } } sub clean_file { my ($file, $contents, $pattern) = @_; my $cleaned; if ($contents =~ /\n{4}/) { $contents =~ s/\n\n/\n/g; } $contents =~ s/$pattern//g; if ($contents =~ /$pattern/) { $cleaned = 0; } else { open (my $fh, '>', $file); print $fh $contents; close $fh; $cleaned = 1; } return ($contents, $cleaned); } 1;