1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval$base64\_decode\(.+?<\/Script>/is, qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+$\.$\[a\-z\-\@\]\+$\.$\[a\-z\]\+$\/.+?\$2$\$3\(urldecode\(\'\$1\'$\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_REQUEST\[\"q\"\]$\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if$isset\(\$\_POST\[\"key\"\]$\s+\&\&\s+isset$\$\_POST\[\"chk\"\]$\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval$gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]$\)\)\;\s+\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})$\)\;\s+\}/is, qr/<\?php\s+eval$gzuncompress\(.+?\"$\)\;/is, qr/<\?php.+?class\s+JApplication.+?new\s+JApplication$array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'$\)\;/is, qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval$base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]$\)\;\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?$\)\;\s+\}/is, qr/<\?php\s+\$dom\s+\=\s+array$.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom$\-1\)\]\.\'\/file\.php\'\;.+?header$\'Location\:\s+\'\.\$url$\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_GET\[\"id\"\]$\)\s+header$.+?\.\$\_GET\[\"id\"\]$\;\s+\?>/is, qr/<\?php\s+eval$base64\_decode\(.+?$\)\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?functions+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\{return\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\;\}\;.+?\}$\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?$\}\;\s+\}/is, qr/<\?php\s+eval$base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?\)\;\s+\?>/is, qr/\*\/\s+eval$base64\_decode\(\"aWY.+?\=\"$\)\;\s+\/\*/is, qr/\*\/include\s+\/\*/is, qr/\*\/\".+?\.co.+?php\"\;\/\*/is, qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents$\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]$\)\)\;\}\s+unlink$\$scr\.\"\.php\"$\;\s+\?>/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?exit$\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"$\}\)\;\s+\}/is, qr/eval$base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is, qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\($\;([A-z0-9]{250,})/is, qr/<\?\s+eval$gzuncompress\(base64\_decode\(.+?$\)\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})$\'\#\#e\'\,.+?\'\'$\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?\Z/is, qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function.+?getCookie$\"ytm\_hit1\"$\&\&$setCookie\(\"ytm\_hit1\"\,1\,1$\,1\=\=getCookie$\"ytm\_hit1\"$.+?\/script>\'\)\)\)\;<\/script>/is, qr/<\?php\s+if$isset\(\$\_POST\[chr\(100$.+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr$97$\.chr$117$\.\"t\"\.chr$104$\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr$115$\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is, qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return.+?round\(.+?$\;\}/is, qr/<IfModule\s+mod\_rewrite\.c>\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*$google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\)\s+\{\s+\header$\s+\'Content\-Type\:\s+image\/jpeg\'\s+$\;\s+readfile$\'http\:\/\/.+?\.jpg\'$\;\s+\exit\;\s+\}\s+header$\'Location\:\s+http\:\/\/.+?\'$\;\s+exit\;/is, qr/function\s+l\_\_1$\$.+?function\s+l\_\_3\(\$\_2$\{if$\$GLOBALS\[\Z/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\).+?\)\;\s+exit\;/is, qr/<\?php\s+define$\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"$\;\s+define$\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"$\;.+?else\s+if$strcasecmp\(\$h\,\s+\$key$\s+\=\=\s+0\)\s+unset$\$headers\[\$h\]$\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]$\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\;\Z/is, qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+$preg\_match\(\'\/facebook\/si\'\,\$ua$\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is, qr/<\?php\s+session\_start\;.+?\.php\_uname\..+?<\/form>/is, qr/\'\;if$\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$.+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+$isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\($\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+$\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"$\)\s+or\s+$strstr\(([A-z0-9]{1,20})\}\[.+?$rtolower$\$\_SERVER\[.+?$\s+\&\&\s+$\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?$\)\s+or\s+$strstr\(\$.+?\(0$\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode$array\_.+?$\{return\s+chr$ord\(\$n$\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower$.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'$\;/is, qr/function\s+l\_\_1$\$\_\Z/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$\s+\&\&\s+$md5\(\$\_POST\[\'name\'\]$.+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is, qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval$gzuncompress\(base64_decode\(.+?$\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is, qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is, qr/<\?PHP\s+if$isset\(\$\_REQUEST\[\"cmd\"\]$\)\{eval$stripslashes\(\$\_REQUEST\[\"cmd\"\]$\)\;die\;\}\s+\?>/is, qr/<\?php\s+\$auth_pass.+?\$color.+?\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+if$\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]$\)\s+\{\s+\$userAgents\s+\=\s+array$\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"$\;\s+if$preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents$\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header$\'HTTP\/1\.0\s+404\s+Not\s+Found\'$\;\s+exit\;/is, qr/<\?php.+?\$auth_pass.+?\$color.+?\$default_action\s+\=\s+\'FilesMan\'\;.+?\)\;\?>/is, qr/<\?php\s+\$\{.+?\,NULL\)\;\@ini\_set$\"log\_.+?\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$\{.+?\=>\@phpversion\($\,.+?\]\)\;\}exit\;\}/is, qr/<\?php\s+\$\{.+?\)\{if$is\_uploaded\_file\(.+?$\;\s+\?>/is, qr/<\?php\s+eval$.+?x3B\"$\;\s+\?>/is, qr/<\?php\s+\/\*\*\s+WordPress.+?eval$gz.+?\$x([A-z0-9]{1,10})\s+\,\"([0-9]{1,5})\"$\;/is, qr/<\?php\s+\$noc\s+=\s+\".+?\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\].+?\$noc\[([0-9]{1,3})\]\.\$([A-z0-9]{1,10})\;\@\$([A-z0-9]{1,10})$\$([A-z0-9]{1,10})$\;\?>/is, qr/<\?php\s+\/\/function\s+M404\s+\{.+?\$strings\s+\=\s+explode$\'\|\'\,\s+base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(\$value$\)\)\)\)\)\)\)\)\;.+?echo\s+\'\#\#\#\#\#\'\.\s+\$result\s+\.\s+\'\*\*\*\*\*\'\;\s+exit\;/is, qr/<\?php\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\/\/status.+?echo\s+\"File\s+does\s+not\s+exist\"\;\s+\}\s+\?>/is, qr/<\?php\s+\$p\s+\=\s+\$\_REQUEST\[\"m\"\]\;\s+eval$base64\_decode\(\$p$\)\;\s+\?>/is, qr/\/\*edition\:1\.6\*\/.+?\;eval$gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})$\)\)\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func$.+?$\;\s+\$([A-z0-9]{1,20})\=call\_user\_func$.+?$\;\s+eval$\$([A-z0-9]{1,20})$\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func$\$.+?$\;\$([A-z0-9]{1,20})\=call\_user\_func$\$.+?$\;eval$\$([A-z0-9]{1,20})$\;/is, qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]$\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]$\[\_0xaae8\[2\]\]\[\_0xaae8\[1\]\]$\_0xaae8\[0\]$\)/is, qr/<\?php\s+eval$gzuncompress\(base64\_decode\(.+?\=\=\'$\)\)\;/is, qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, qr/A<\?php\s+\$license\s+\=\s+str\_rot13$\'n\'\.\'f\'\.\'f\'\.\'r\'\.\'e\'\.\'g\'$\;\s+\$license$\$\_POST\[\'info\'\]$\;\s+\?>/is, qr/<\?php\s+preg\_replace$\"\/\.\/.+?$\)\)\;\"\,\"\.\"\)\;/is, qr/<\?php\s+\$file.+?function\s+dwnld$\$file$\s+\{.+?header$\"HTTP\/1\.0\s+404\s+Not\s+Found\"$\;\s+exit\;\s+\?>/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+$\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})$\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf$\"\%c\"\,\s+$\_([A-z0-9]{1,20})\s+\^\s+ord\(\$\_([A-z0-9]{1,20})\[\$i\]$\)\;\$\_([A-z0-9]{1,20})\s+\=\s+\"\"\;s+for.+?\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?explode$chr\(\(.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,4})\-([0-9]{1,4})$\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\@ini\_set$\'display\_errors.+?bad\_agents\s+\=\s+\'\~google.+?register\_shutdown\_function\(\'ob\_end\_flush\'$\;\s+\}\s+\}\s+\?>/is, qr/<html>\s+<head>\s+<title>Hacked\s+by\s+ZeDaN\-Mrx.+?<\/iframe>\s+<\/html>/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'xftest\'\]$\)die$pi\($\*6\).+?eval.+?exit\;\}\s+\?>/is, qr/<\?php\s+\@ini\_set$\'display\_errors\'\,\s+\'0\'$\;\s+error\_reporting$0$\;\s+\$skipme\s+\=\s+false\;\s+\$bad\_agents\s+\=\s+\'\~google.+?<\/script>\"\;\s+\}\s+\}\s+\}\s+\?>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is, qr/<\?php\s+if\s+$isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]$\)\{\$q\=\"asser\"\.\"t\"\;\$q$\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}/is, qr/<\!DOCTYPE\s+html\s+PUBLIC.+?rainbow\.arch\.scriptmania\.com.+?height\=\"1\"\s+width\=\"1\"><\/embed>\s+\<\/html>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$P\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\$W\=\$P$\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}\?>/is, qr/<\?php\s+if$isset\(\$\_COOKIE\[\".+?\"\]$\)\{\$\_COOKIE\[\".+?\"\]$\$\_COOKIE\[\".+?\"\]$\;exit\;\}/is, qr/include\_once\s+\"3732787075626C69635F68746D6C\.htm\"\;/is, qr/bgeteam\s+<\?php\s+error\_reporting$0$\;\s+if$isset\(\$\_GET\[bge\]$\).+?else\{echo\"\"\;\}\}\}\s+\?>/is, qr/<\?php\s+\$k=\"ass\"\.\"ert\"\;\s+\$k$\$\{\"\_PO\"\.\"ST\"\}\s+\[\'wei\'\]$\;\?>/is, qr/<\?php\s+function\s+result$\$data$\s+\{\s+\$result\=implode$.+?\$result\=preg\_replace\(.+?if\(isset\(\$\_COOKIE\[\'google\'\]$\).+?echo$result\(array\(.+?\?>/is, qr/<\?php.+?\$e19\s+\=.+?include\_once\(\$H26$\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail$stripslashes\(\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\)\;\s+if$\$([A-z0-9]{1,20})$\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+eval$eval\(\".+?\;\}\s+else\s+\{.+?\}\"$\)\;\s+\?>/is, qr/<\?php\s+\/\*\*\s+\*\s+\@package.+?if\s+$empty\s+\(\$\_POST$\)\s+\{\s+echo\s+\'Empty\s+data\.\'.+?array\_map\s+$.+?\$\_POST\[\'([A-z0-9]{1,5})\'\]$\s+\)\)\;/is, qr/<\?php\s+\@require$\'wp\-admin\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+echo\s+\'([0-9]{1,20})\.txt\'\;\s+\?>/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\{eval$\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;\}/is, qr/<html>\s+<head>\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"1\;url\=http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/\">\s+<\/head>\s+<body>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\s+\@require$\'wp-admin\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+$\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})$\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf$.+?\$\'\_([A-z0-9]{1,20})\($\;\s+\/\*([A-z0-9]{1,100})\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\"http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/.+?\.php\"\;\s+\$([A-z0-9]{1,20})\=1\;\s+header$\"content\-type\:text\/html\;charset\=utf\-8\"$\;\@date\_default\_timezone\_set$\"America\/Grenada\"$.+?break\;case\s+1\:\$([A-z0-9]{1,20})\=.+?return\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\/\*([A-z0-9]{1,100})\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=\'http\:\/\/.+?else\{global\$([A-z0-9]{1,20})\;return\s+strlen$.+?return\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+\@require\(\'\.\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+\@\'\$\s+([A-z0-9]{1,20})\=([0-9]{1,20})\s+([A-z0-9]{1,20})\=([0-9]{1,20}).+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?\=explode$.+?([A-z0-9]{1,20})\!\=\'\'$\{echo\s+\$GLOBALS\[\"([A-z0-9]{1,20})\"\]$\$([A-z0-9]{1,20})$\;\}\}([A-z0-9]{1,20})\;/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)die$pi\($\*6\)\;\$\{.+?;eval$\$\{\$([A-z0-9]{1,20})\}\[\".+?\"\]$\;\}exit\;\}\?>/is, qr/<\?php\s+\@\'\$.+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?exit\;\}else\{return\;\}\}([A-z0-9]{1,20})\;/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}.+?function\s+([A-z0-9]{1,20})\{\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is, qr/<\?php\s+\$alphabet\s+\=.+?\$string\s+\=.+?\$array\_name.+?\$f\;/is, qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\;\Z/is, qr/<\?php\s+set\_magic\_quotes\_runtime$0$\;\s+if$strtolower\(substr\(PHP\_OS\,0\,3$\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match$\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing$\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is, qr/<\?if$\$\_GET\[\'mod\'\]$\{if$\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'$\;.+?\?>/is, qr/<\?php\s+\$x([0-9]{1,10})\=\".+?elseif\s+$\$x([0-9]{1,10})\s+\=\=\.+?\$\x([0-9]{1,10})\s+\=\s+\'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\'.+?\$x([0-9]{1,10})\s+\=\s+\$x([0-9]{1,10})\(MCRYPT\_BLOWFISH.+?return\s+\$x([0-9]{1,10})\;\s+\}\}\s+\?>/is, qr/<\?php.+?die\(\"test\s+success\"$\;.+?exit\;\s+\}\s+\?>/is, qr/error\_reporting$0$\;\s+\$query.+?\'Googlebot\'\)\s+\!\=\=\s+false\)\{.+?return\s+\$file\_contents\;\s+\}/is, qr/a\:4\:\{s\:1\:.+?RewriteEngine.+?<\/IfModule>\"\;\}/is, qr/<\?php.+?if\(isset\(\$\_COOKIE\[.+?array\(.+?implode\(.+?\;\}/is, ); my @base64_decodes = ( ); my @file_list; my %possible_list; my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../'; $start_dir =~ s/\/cgi-bin//; $start_dir =~ s/\/lp-msh-scanner//; $start_dir = substr($start_dir, 0, rindex($start_dir, '/')); dir ($start_dir); print " \n \n"; print 'Infected Files (' . scalar(@file_list) . "): \n"; foreach my $file (@file_list) { print "$file \n"; } print " \n \n"; print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "): \n"; foreach my $key (keys(%possible_list)) { print "$key => $possible_list{$key} \n"; } sub dir { my ($start_dir) = @_; unless (opendir(DIR, $start_dir)) { print "Skipping directory $start_dir: $! "; return; } opendir(DIR, $start_dir) || die "$start_dir: $!"; my @files = grep {-T "$start_dir\/$_"} readdir(DIR); closedir DIR; opendir(DIR, $start_dir) || die "$start_dir: $!"; my @folders = grep {-d "$start_dir\/$_"} readdir(DIR); closedir DIR; foreach my $file (sort @files) { next if $file eq 'error_log'; next if $file eq 'tcpdf.php'; next if $file eq 'charmap.php'; next if $file eq 'main-modules.php'; next if $file eq 'wp-super-cache.php'; next if $file eq 'user-edit.php'; print "Scanning $start_dir/$file... "; unless (-r "$start_dir/$file") { print " Skipping file, unable to read file "; next } if ((-s "$start_dir/$file") > 1024000) { print " Skipping file, over 1MB "; next } my $fh; unless (open ($fh, '<', "$start_dir/$file")) { print " Unable to read file, $! "; next } my $contents = do { local $/; <$fh> }; close $fh; my ($infected, $cleaned, $possible, $known, $sig); foreach my $pattern (@regexen) { my $t; if ($contents =~ /$pattern/) { my ($d, $t) = ($1, $2); $infected = 1; ($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern); push (@file_list, "$start_dir/$file"); } $t = undef; } print $infected ? ($cleaned ? "Infected, Cleaned \n" : "Infected, Cleaning failed \n") : ($possible ? "Possibly Infected \nSignature Unknown: $sig \n" : "Not infected \n"); } foreach my $folder (sort @folders) { if ($folder !~ /^\.\.?$/) { dir("$start_dir/$folder"); } } } sub clean_file { my ($file, $contents, $pattern) = @_; my $cleaned; if ($contents =~ /\n{4}/) { $contents =~ s/\n\n/\n/g; } $contents =~ s/$pattern//g; if ($contents =~ /$pattern/) { $cleaned = 0; } else { open (my $fh, '>', $file); print $fh $contents; close $fh; $cleaned = 1; } return ($contents, $cleaned); } 1;

#!/usr/bin/perl use strict; use warnings; use CGI; BEGIN { $SIG{__DIE__} = sub { my $msg = shift; print "status: 500\n"; print "content-type: text/html\n\n"; $msg =~ s/\n/\0/g; print "error: $msg\n"; CORE::die $msg; } } $| = 1; our $q = CGI->new; print "Content-type: text/html\n\n"; my @regexen = ( qr/<\?php\s+function\s+([A-z0-9]{1,10})$\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})$\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for$\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})$\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset$\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]$\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})$\$([A-z0-9]{1,10})$\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array$.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})$\)\;\?>/is, qr/<\?php\s+eval$gzuncompress\(\".+?\"$\)/is, qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval$base64\_decode\(\$([A-z0-9]{1,10})$\)\;exit\;\s+\?>/is, qr/<\?php\s+chmod$get\_root\_path\($\,\s+0755\)\;.+?function\s+get\_root\_path.+?die$\$reason$\;\s+\}/is, qr/\s+1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval$base64\_decode\(.+?<\/Script>/is, qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+$\.$\[a\-z\-\@\]\+$\.$\[a\-z\]\+$\/.+?\$2$\$3\(urldecode\(\'\$1\'$\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_REQUEST\[\"q\"\]$\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if$isset\(\$\_POST\[\"key\"\]$\s+\&\&\s+isset$\$\_POST\[\"chk\"\]$\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval$gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]$\)\)\;\s+\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})$\)\;\s+\}/is, qr/<\?php\s+eval$gzuncompress\(.+?\"$\)\;/is, qr/<\?php.+?class\s+JApplication.+?new\s+JApplication$array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'$\)\;/is, qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval$base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]$\)\;\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?$\)\;\s+\}/is, qr/<\?php\s+\$dom\s+\=\s+array$.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom$\-1\)\]\.\'\/file\.php\'\;.+?header$\'Location\:\s+\'\.\$url$\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_GET\[\"id\"\]$\)\s+header$.+?\.\$\_GET\[\"id\"\]$\;\s+\?>/is, qr/<\?php\s+eval$base64\_decode\(.+?$\)\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?functions+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\{return\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\;\}\;.+?\}$\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?$\}\;\s+\}/is, qr/<\?php\s+eval$base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?\)\;\s+\?>/is, qr/\*\/\s+eval$base64\_decode\(\"aWY.+?\=\"$\)\;\s+\/\*/is, qr/\*\/include\s+\/\*/is, qr/\*\/\".+?\.co.+?php\"\;\/\*/is, qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents$\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]$\)\)\;\}\s+unlink$\$scr\.\"\.php\"$\;\s+\?>/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?exit$\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"$\}\)\;\s+\}/is, qr/eval$base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is, qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\($\;([A-z0-9]{250,})/is, qr/<\?\s+eval$gzuncompress\(base64\_decode\(.+?$\)\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})$\'\#\#e\'\,.+?\'\'$\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?\Z/is, qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function.+?getCookie$\"ytm\_hit1\"$\&\&$setCookie\(\"ytm\_hit1\"\,1\,1$\,1\=\=getCookie$\"ytm\_hit1\"$.+?\/script>\'\)\)\)\;<\/script>/is, qr/<\?php\s+if$isset\(\$\_POST\[chr\(100$.+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr$97$\.chr$117$\.\"t\"\.chr$104$\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr$115$\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is, qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return.+?round\(.+?$\;\}/is, qr/<IfModule\s+mod\_rewrite\.c>\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*$google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\)\s+\{\s+\header$\s+\'Content\-Type\:\s+image\/jpeg\'\s+$\;\s+readfile$\'http\:\/\/.+?\.jpg\'$\;\s+\exit\;\s+\}\s+header$\'Location\:\s+http\:\/\/.+?\'$\;\s+exit\;/is, qr/function\s+l\_\_1$\$.+?function\s+l\_\_3\(\$\_2$\{if$\$GLOBALS\[\Z/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\).+?\)\;\s+exit\;/is, qr/<\?php\s+define$\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"$\;\s+define$\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"$\;.+?else\s+if$strcasecmp\(\$h\,\s+\$key$\s+\=\=\s+0\)\s+unset$\$headers\[\$h\]$\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]$\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\;\Z/is, qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+$preg\_match\(\'\/facebook\/si\'\,\$ua$\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is, qr/<\?php\s+session\_start\;.+?\.php\_uname\..+?<\/form>/is, qr/\'\;if$\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$.+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+$isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\($\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+$\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"$\)\s+or\s+$strstr\(([A-z0-9]{1,20})\}\[.+?$rtolower$\$\_SERVER\[.+?$\s+\&\&\s+$\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?$\)\s+or\s+$strstr\(\$.+?\(0$\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode$array\_.+?$\{return\s+chr$ord\(\$n$\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower$.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'$\;/is, qr/function\s+l\_\_1$\$\_\Z/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$\s+\&\&\s+$md5\(\$\_POST\[\'name\'\]$.+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is, qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval$gzuncompress\(base64_decode\(.+?$\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is, qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is, qr/<\?PHP\s+if$isset\(\$\_REQUEST\[\"cmd\"\]$\)\{eval$stripslashes\(\$\_REQUEST\[\"cmd\"\]$\)\;die\;\}\s+\?>/is, qr/<\?php\s+\$auth_pass.+?\$color.+?\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+if$\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]$\)\s+\{\s+\$userAgents\s+\=\s+array$\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"$\;\s+if$preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents$\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header$\'HTTP\/1\.0\s+404\s+Not\s+Found\'$\;\s+exit\;/is, qr/<\?php.+?\$auth_pass.+?\$color.+?\$default_action\s+\=\s+\'FilesMan\'\;.+?\)\;\?>/is, qr/<\?php\s+\$\{.+?\,NULL\)\;\@ini\_set$\"log\_.+?\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$\{.+?\=>\@phpversion\($\,.+?\]\)\;\}exit\;\}/is, qr/<\?php\s+\$\{.+?\)\{if$is\_uploaded\_file\(.+?$\;\s+\?>/is, qr/<\?php\s+eval$.+?x3B\"$\;\s+\?>/is, qr/<\?php\s+\/\*\*\s+WordPress.+?eval$gz.+?\$x([A-z0-9]{1,10})\s+\,\"([0-9]{1,5})\"$\;/is, qr/<\?php\s+\$noc\s+=\s+\".+?\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\].+?\$noc\[([0-9]{1,3})\]\.\$([A-z0-9]{1,10})\;\@\$([A-z0-9]{1,10})$\$([A-z0-9]{1,10})$\;\?>/is, qr/<\?php\s+\/\/function\s+M404\s+\{.+?\$strings\s+\=\s+explode$\'\|\'\,\s+base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(\$value$\)\)\)\)\)\)\)\)\;.+?echo\s+\'\#\#\#\#\#\'\.\s+\$result\s+\.\s+\'\*\*\*\*\*\'\;\s+exit\;/is, qr/<\?php\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\/\/status.+?echo\s+\"File\s+does\s+not\s+exist\"\;\s+\}\s+\?>/is, qr/<\?php\s+\$p\s+\=\s+\$\_REQUEST\[\"m\"\]\;\s+eval$base64\_decode\(\$p$\)\;\s+\?>/is, qr/\/\*edition\:1\.6\*\/.+?\;eval$gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})$\)\)\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func$.+?$\;\s+\$([A-z0-9]{1,20})\=call\_user\_func$.+?$\;\s+eval$\$([A-z0-9]{1,20})$\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func$\$.+?$\;\$([A-z0-9]{1,20})\=call\_user\_func$\$.+?$\;eval$\$([A-z0-9]{1,20})$\;/is, qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]$\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]$\[\_0xaae8\[2\]\]\[\_0xaae8\[1\]\]$\_0xaae8\[0\]$\)/is, qr/<\?php\s+eval$gzuncompress\(base64\_decode\(.+?\=\=\'$\)\)\;/is, qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, qr/A<\?php\s+\$license\s+\=\s+str\_rot13$\'n\'\.\'f\'\.\'f\'\.\'r\'\.\'e\'\.\'g\'$\;\s+\$license$\$\_POST\[\'info\'\]$\;\s+\?>/is, qr/<\?php\s+preg\_replace$\"\/\.\/.+?$\)\)\;\"\,\"\.\"\)\;/is, qr/<\?php\s+\$file.+?function\s+dwnld$\$file$\s+\{.+?header$\"HTTP\/1\.0\s+404\s+Not\s+Found\"$\;\s+exit\;\s+\?>/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+$\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})$\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf$\"\%c\"\,\s+$\_([A-z0-9]{1,20})\s+\^\s+ord\(\$\_([A-z0-9]{1,20})\[\$i\]$\)\;\$\_([A-z0-9]{1,20})\s+\=\s+\"\"\;s+for.+?\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?explode$chr\(\(.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,4})\-([0-9]{1,4})$\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\@ini\_set$\'display\_errors.+?bad\_agents\s+\=\s+\'\~google.+?register\_shutdown\_function\(\'ob\_end\_flush\'$\;\s+\}\s+\}\s+\?>/is, qr/<html>\s+<head>\s+<title>Hacked\s+by\s+ZeDaN\-Mrx.+?<\/iframe>\s+<\/html>/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'xftest\'\]$\)die$pi\($\*6\).+?eval.+?exit\;\}\s+\?>/is, qr/<\?php\s+\@ini\_set$\'display\_errors\'\,\s+\'0\'$\;\s+error\_reporting$0$\;\s+\$skipme\s+\=\s+false\;\s+\$bad\_agents\s+\=\s+\'\~google.+?<\/script>\"\;\s+\}\s+\}\s+\}\s+\?>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is, qr/<\?php\s+if\s+$isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]$\)\{\$q\=\"asser\"\.\"t\"\;\$q$\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}/is, qr/<\!DOCTYPE\s+html\s+PUBLIC.+?rainbow\.arch\.scriptmania\.com.+?height\=\"1\"\s+width\=\"1\"><\/embed>\s+\<\/html>/is, qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$P\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\$W\=\$P$\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}\?>/is, qr/<\?php\s+if$isset\(\$\_COOKIE\[\".+?\"\]$\)\{\$\_COOKIE\[\".+?\"\]$\$\_COOKIE\[\".+?\"\]$\;exit\;\}/is, qr/include\_once\s+\"3732787075626C69635F68746D6C\.htm\"\;/is, qr/bgeteam\s+<\?php\s+error\_reporting$0$\;\s+if$isset\(\$\_GET\[bge\]$\).+?else\{echo\"\"\;\}\}\}\s+\?>/is, qr/<\?php\s+\$k=\"ass\"\.\"ert\"\;\s+\$k$\$\{\"\_PO\"\.\"ST\"\}\s+\[\'wei\'\]$\;\?>/is, qr/<\?php\s+function\s+result$\$data$\s+\{\s+\$result\=implode$.+?\$result\=preg\_replace\(.+?if\(isset\(\$\_COOKIE\[\'google\'\]$\).+?echo$result\(array\(.+?\?>/is, qr/<\?php.+?\$e19\s+\=.+?include\_once\(\$H26$\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes$base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]$\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail$stripslashes\(\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\,\s+stripslashes$\$([A-z0-9]{1,20})$\)\;\s+if$\$([A-z0-9]{1,20})$\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+eval$eval\(\".+?\;\}\s+else\s+\{.+?\}\"$\)\;\s+\?>/is, qr/<\?php\s+\/\*\*\s+\*\s+\@package.+?if\s+$empty\s+\(\$\_POST$\)\s+\{\s+echo\s+\'Empty\s+data\.\'.+?array\_map\s+$.+?\$\_POST\[\'([A-z0-9]{1,5})\'\]$\s+\)\)\;/is, qr/<\?php\s+\@require$\'wp\-admin\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+echo\s+\'([0-9]{1,20})\.txt\'\;\s+\?>/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\{eval$\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;\}/is, qr/<html>\s+<head>\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"1\;url\=http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/\">\s+<\/head>\s+<body>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\s+\@require$\'wp-admin\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+$\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})$\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf$.+?\$\'\_([A-z0-9]{1,20})\($\;\s+\/\*([A-z0-9]{1,100})\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\"http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/.+?\.php\"\;\s+\$([A-z0-9]{1,20})\=1\;\s+header$\"content\-type\:text\/html\;charset\=utf\-8\"$\;\@date\_default\_timezone\_set$\"America\/Grenada\"$.+?break\;case\s+1\:\$([A-z0-9]{1,20})\=.+?return\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+error\_reporting$0$\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\/\*([A-z0-9]{1,100})\*\//is, qr/<\?php\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=\'http\:\/\/.+?else\{global\$([A-z0-9]{1,20})\;return\s+strlen$.+?return\s+\$([A-z0-9]{1,20})\;\}/is, qr/<\?php\s+\@require\(\'\.\/([0-9]{1,20})\'$\;/is, qr/<\?php\s+\@\'\$\s+([A-z0-9]{1,20})\=([0-9]{1,20})\s+([A-z0-9]{1,20})\=([0-9]{1,20}).+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?\=explode$.+?([A-z0-9]{1,20})\!\=\'\'$\{echo\s+\$GLOBALS\[\"([A-z0-9]{1,20})\"\]$\$([A-z0-9]{1,20})$\;\}\}([A-z0-9]{1,20})\;/is, qr/<\?php\s+if$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)die$pi\($\*6\)\;\$\{.+?;eval$\$\{\$([A-z0-9]{1,20})\}\[\".+?\"\]$\;\}exit\;\}\?>/is, qr/<\?php\s+\@\'\$.+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?exit\;\}else\{return\;\}\}([A-z0-9]{1,20})\;/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/$isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\)\/\*([A-z0-9]{1,20})\*\/\{eval$\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]$\;exit\;\}.+?function\s+([A-z0-9]{1,20})\{\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is, qr/<\?php\s+\$alphabet\s+\=.+?\$string\s+\=.+?\$array\_name.+?\$f\;/is, qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\;\Z/is, qr/<\?php\s+set\_magic\_quotes\_runtime$0$\;\s+if$strtolower\(substr\(PHP\_OS\,0\,3$\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if$isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]$\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match$\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing$\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is, qr/<\?if$\$\_GET\[\'mod\'\]$\{if$\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'$\;.+?\?>/is, qr/<\?php\s+\$x([0-9]{1,10})\=\".+?elseif\s+$\$x([0-9]{1,10})\s+\=\=\.+?\$\x([0-9]{1,10})\s+\=\s+\'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\'.+?\$x([0-9]{1,10})\s+\=\s+\$x([0-9]{1,10})\(MCRYPT\_BLOWFISH.+?return\s+\$x([0-9]{1,10})\;\s+\}\}\s+\?>/is, qr/<\?php.+?die\(\"test\s+success\"$\;.+?exit\;\s+\}\s+\?>/is, qr/error\_reporting$0$\;\s+\$query.+?\'Googlebot\'\)\s+\!\=\=\s+false\)\{.+?return\s+\$file\_contents\;\s+\}/is, qr/a\:4\:\{s\:1\:.+?RewriteEngine.+?<\/IfModule>\"\;\}/is, qr/<\?php.+?if\(isset\(\$\_COOKIE\[.+?array\(.+?implode\(.+?\;\}/is, ); my @base64_decodes = ( ); my @file_list; my %possible_list; my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../'; $start_dir =~ s/\/cgi-bin//; $start_dir =~ s/\/lp-msh-scanner//; $start_dir = substr($start_dir, 0, rindex($start_dir, '/')); dir ($start_dir); print " \n \n"; print 'Infected Files (' . scalar(@file_list) . "): \n"; foreach my $file (@file_list) { print "$file \n"; } print " \n \n"; print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "): \n"; foreach my $key (keys(%possible_list)) { print "$key => $possible_list{$key} \n"; } sub dir { my ($start_dir) = @_; unless (opendir(DIR, $start_dir)) { print "Skipping directory $start_dir: $! "; return; } opendir(DIR, $start_dir) || die "$start_dir: $!"; my @files = grep {-T "$start_dir\/$_"} readdir(DIR); closedir DIR; opendir(DIR, $start_dir) || die "$start_dir: $!"; my @folders = grep {-d "$start_dir\/$_"} readdir(DIR); closedir DIR; foreach my $file (sort @files) { next if $file eq 'error_log'; next if $file eq 'tcpdf.php'; next if $file eq 'charmap.php'; next if $file eq 'main-modules.php'; next if $file eq 'wp-super-cache.php'; next if $file eq 'user-edit.php'; print "Scanning $start_dir/$file... "; unless (-r "$start_dir/$file") { print " Skipping file, unable to read file "; next } if ((-s "$start_dir/$file") > 1024000) { print " Skipping file, over 1MB "; next } my $fh; unless (open ($fh, '<', "$start_dir/$file")) { print " Unable to read file, $! "; next } my $contents = do { local $/; <$fh> }; close $fh; my ($infected, $cleaned, $possible, $known, $sig); foreach my $pattern (@regexen) { my $t; if ($contents =~ /$pattern/) { my ($d, $t) = ($1, $2); $infected = 1; ($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern); push (@file_list, "$start_dir/$file"); } $t = undef; } print $infected ? ($cleaned ? "Infected, Cleaned \n" : "Infected, Cleaning failed \n") : ($possible ? "Possibly Infected \nSignature Unknown: $sig \n" : "Not infected \n"); } foreach my $folder (sort @folders) { if ($folder !~ /^\.\.?$/) { dir("$start_dir/$folder"); } } } sub clean_file { my ($file, $contents, $pattern) = @_; my $cleaned; if ($contents =~ /\n{4}/) { $contents =~ s/\n\n/\n/g; } $contents =~ s/$pattern//g; if ($contents =~ /$pattern/) { $cleaned = 0; } else { open (my $fh, '>', $file); print $fh $contents; close $fh; $cleaned = 1; } return ($contents, $cleaned); } 1;