"; print "Malware Scanner v{$version} by Malin Cenusa (malin@cenusa.me)\n\n"; print "Directory depth set to {$recurse}\n\n"; $fl = new e_file(); $tree = $fl->get_files($eroot, '\.php|\.sc|.bb|\.gif|\.js|\.htm|\.html|\.htaccess', 'standard', $recurse); $counter_infected = 0; $counter_cleaned = 0; $counter_suspected = 0; $counter_error = 0; $counter_warning = 0; // just in case set_time_limit(0); error_reporting(E_ALL); foreach ($tree as $finfo) { // exclude self if(strpos($finfo['fname'], $self) !== FALSE && realpath(__FILE__) == realpath($finfo['path'].$finfo['fname'])) { continue; } if($print_all) print "{$finfo['path']}{$finfo['fname']}....CHECKING"; $tmp = file_get_contents($finfo['path'].$finfo['fname']); preg_match('/[^.\s]*([a-z])$/i', $finfo['fname'], $match); if(preg_match('/[^.\s]*([a-z])$/i', $finfo['fname'], $match)) { $ext = $match[0]; unset($match); } ///<\?(php)?/i - short tag detection problem if('gif' == $ext && preg_match('/<\?php/i', $tmp)) { $counter_infected++; //$counter_error++; if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "\n"; { print "...INFECTED (PHP open tag inside GIF image)\n"; // print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will not be auto-deleted, you have to delete it manually if you think it's a threat!\n\n"); } } elseif('jpg' == $ext && preg_match('/<\?php/i', $tmp)) { $counter_infected++; //$counter_error++; if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "\n"; { print "...INFECTED (PHP open tag inside JPG image)\n"; // print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will not be auto-deleted, you have to delete it manually if you think it's a threat!\n\n"); } } elseif('jpeg' == $ext && preg_match('/<\?php/i', $tmp)) { $counter_infected++; //$counter_error++; if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "\n"; { print "...INFECTED (PHP open tag inside 
JPEG image)\n"; // print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will not be auto-deleted, you have to delete it manually if you think it's a threat!\n\n"); } } // known infection - can be auto-cleaned elseif(preg_match('#^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n#i', $tmp, $matches)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...INFECTED"; $counter_infected++; if($print_infected || $print_all) print "\n"; // $counter_error++; //print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will NOT BE CLEANED! Please use the shell version of this script.\n\n"); continue; } // just a guess - eval(base64_decode(... pattern match elseif(preg_match('#eval(\s*)\((.*)base64_decode(\s*)\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (eval/base64_decode found)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } // Found inside the compromised e107 full release (class2.php) elseif(preg_match('/\$_COOKIE\[[\'|"]access-admin[\'|"]\]/i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) { print "...INFECTED (access-admin COOKIE reference)\n"; } // print("\nERROR: {$finfo['path']}{$finfo['fname']} can't be auto-cleaned!\n\n"); $counter_infected++; // $counter_error++; continue; } /* new patterns */ elseif(preg_match('#this.form.upload_file.disabled=false#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (this.form.upload_file.disabled=false)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#function(\s*)jspw3\(d\,m\,f\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (function jspw3 (d ,m ,f))"; 
$counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#a(\s*)simple(\s*)Web-based(\s*)file(\s*)manager#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED SHELL (a simple Web-based file manager)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#php\_uname(\s*)\(preg_replace(\s*)\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (php_uname(preg_replace()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#function(\s*)rewrioutclbkxxx1\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (function rewrioutclbkxxx1()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED SHELL (eval((base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#preg_replace\(strrev\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (preg_replace(strrev()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#s=base64_decode\(str_replace\(chr\(32\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (s=base64_decode(str_replace(chr(32))"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#_GET\[base64_decode\(#i', $tmp)) { if($print_infected) print 
"{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (_GET[base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#@error_reporting\(0\)#i', $tmp)) { if($print_suspected) print "{$finfo['path']}{$finfo['fname']}"; if($print_suspected || $print_all) print "...SUSPECTED SHELL (error_reporting)"; $counter_suspected++; if($print_suspected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(base64_decode\(<(.*)POST(.*)>php#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (eval(base64_decode(<.*POST.*>php)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#==========================+(\s*)Credit.Mutuel.ReZult(\s*)+==================#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MAILER (==========================+ Credit.Mutuel.ReZult +==================)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#X-Mailer:(\s*)The(\s*)Bat\!(\s*)\(v#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MAILER (X-Mailer: The Bat! 
(v)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#WordPress(\s*)Inserter(\s*)Links#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (WordPress Inserter Links)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#The(\s*)Sword(\s*)Config(\s*)Fuck(\s*)Script#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (The Sword Config Fuck Script)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#@kr(\s*)=(\s*);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (@kr = ;)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#copyto(\s*)=(\s*)explode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (copyto = explode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#d.=sprintf\(\(substr\(urlencode\(print_r\(array\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (d.=sprintf((substr(urlencode(print_r(array()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(gzinflate\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (eval(gzinflate(base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp)) { if($print_infected) print 
"{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALWARE (eval(gzinflate(str_rot13(base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Home(\s*)\|(\s*)Personal#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED PHISHING (Bank of America | Home | Personal)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Online(\s*)Banking(\s*)\|(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED PHISHING (Bank of America | Online Banking | Sign In to Online Banking)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Thank(\s*)you#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED PHISHING (Bank of America | Thank you)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Wells(\s*)Fargo(\s*)Home(\s*)Page#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED PHISHING (Wells Fargo Home Page)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Chase(\s*)Online(\s*)-(\s*)Logon#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED PHISHING (Chase Online - Logon)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } 
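// Continuation of the if/elseif signature chain over $tmp (the contents of
// the file currently being scanned). Only the first matching branch runs: it
// prints the path and a label according to $print_infected / $print_all,
// increments $counter_infected and moves on to the next file.
//
// Caveats for anyone triaging the output:
//  - Every branch here is labelled SUSPECTED yet is counted in
//    $counter_infected; a hit is a lead to inspect, not proof of compromise.
//  - preg_match() returns false on a PCRE error, and these conditions treat
//    that like "no match", so a failed pattern reports nothing for the file.
//  - '.' does not match a newline without the 's' modifier, so the (.*)
//    patterns only fire when both markers sit on the same line.

// --- Phishing kits: text that looks like the page title of an imitated site ---
elseif(preg_match('#Send(\s*)Money,(\s*)Pay(\s*)Online(\s*)or(\s*)Set(\s*)Up(\s*)a(\s*)Merchant(\s*)Account(\s*)with(\s*)PayPal#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (Send Money, Pay Online or Set Up a Merchant Account with PayPal)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#Login(\s*)-(\s*)PayPal#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (Login - PayPal)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#Sign(\s*)Up(\s*)for(\s*)PayPal(\s*)-(\s*)It\'s(\s*)Free(\s*)and(\s*)Easy(\s*)to(\s*)Get(\s*)Started#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (Sign Up for PayPal - It's Free and Easy to Get Started)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#My(\s*)Account(\s*)-(\s*)Telstra#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (My Account - Telstra)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#RBC(\s*)Royal(\s*)Bank(\s*)-(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (RBC Royal Bank - Sign In to Online Banking)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#RBC(\s*)Financial(\s*)Group(\s*)-(\s*)Online(\s*)Banking#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (RBC Financial Group - Online Banking)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#Online(\s*)Banking(\s*)Security(\s*)and(\s*)Privacy(\s*)Guide(\s*)-(\s*)RBC(\s*)Royal(\s*)Bank#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING(Online Banking Security and Privacy Guide - RBC Royal Bank)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#~(\s*)Santander(\s*)Online(\s*)Banking(\s*)~#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (~ Santander Online Banking ~)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// NOTE(review): the bare '?' only makes the preceding (\s*) group optional; it
// does not match a literal '?' or any separator character. Confirm what stood
// between "e-Banking" and "Logon" in the signature this was copied from.
elseif(preg_match('#Santander(\s*)e-Banking(\s*)?(\s*)Logon(\s*)page#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (Santander e-Banking ? Logon page)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// Broader than the "~ Santander Online Banking ~" branch above, which is
// tested first and therefore keeps its more specific label.
elseif(preg_match('#Santander(\s*)Online(\s*)Banking#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (Santander Online Banking)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eBucks(\s*)>(\s*)Home#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (eBucks > Home)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#Chase(\s*)Personal(\s*)Banking(\s*)Investments(\s*)Credit(\s*)Cards(\s*)Home(\s*)Auto(\s*)Commercial(\s*)Small(\s*)Business(\s*)Insurance#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (Chase Personal Banking Investments Credit Cards Home Auto Commercial Small Business Insurance)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#Yahoo!(\s*)Mail:(\s*)The(\s*)best(\s*)web-based(\s*)email!#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (Yahoo! Mail: The best web-based email!)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}

// --- Mailer result banner ---
elseif(preg_match('#Remax(\s*)ReZulT(\s*)By#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED MAILER (Remax ReZulT By)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}

// --- ErrorDocument directives whose target starts with "http" ---
// An administrator may have configured these on purpose; compare against the
// site's known-good configuration before treating a hit as malicious.
elseif(preg_match('#ErrorDocument(\s*)404(\s*)http#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED REDIRECT (ErrorDocument 404 http)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#ErrorDocument(\s*)500(\s*)http#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED REDIRECT (ErrorDocument 500 http)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#ErrorDocument(\s*)403(\s*)http#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED (ErrorDocument 403 http)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}

// --- Script-level markers ---
elseif(preg_match('#%u0c0c%u0c0c#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED REDIRECT (%u0c0c%u0c0c)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// Dot and parentheses are escaped so the pattern matches the literal call
// String.fromCharCode(32) instead of treating "(32)" as a capture group.
// The call also appears in legitimate JavaScript, so expect false positives.
elseif(preg_match('#String\.fromCharCode\(32\)#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED REDIRECT (String.fromCharCode(32))";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// HTTP_REFERER followed on the same line by "msn" and then "live".
elseif(preg_match('#HTTP_REFERER(.*)msn(.*)live#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED REDIRECT (HTTP_REFERER msn live)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#SnIpEr_SA#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED REDIRECT (SnIpEr_SA)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}

// --- Directives that change how PHP is loaded or which files run as PHP ---
elseif(preg_match('#php_value(\s*)auto_append_file#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED MALWARE (php_value auto_append_file)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// NOTE(review): as written this needs "application", optional whitespace, one
// arbitrary character and then "jpg". A directive that names a full MIME type
// between "application" and ".jpg" would not match; confirm the intended form.
elseif(preg_match('#AddType(\s*)application(\s*).jpg#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED MALWARE (AddType application .jpg)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#AddHandler(\s*)php5-script(\s*).jpg#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED MALWARE (AddHandler php5-script .jpg)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}

// --- Code that inspects the visitor's user agent or referrer ---
elseif(preg_match('#HTTP_USER_AGENT(.*)google(.*)yahoo#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED REDIRECT (HTTP_USER_AGENT google yahoo)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#HTTP_REFERER(.*)\*search.yahoo\*#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED REDIRECT (HTTP_REFERER *search.yahoo*)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// Very broad: any line with "Card" followed later by "number:" matches, which
// includes ordinary checkout and payment forms. Review hits by hand.
elseif(preg_match('#Card(.*)number:#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED PHISHING (Card number:)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
/*
elseif(preg_match('#Mass(.*)Mailer#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED MAILER (Mass Mailer)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
*/

// --- Obfuscated PHP / JavaScript loaders ---
// A PHP block that evals a closing tag concatenated with base64_decode("...").
elseif(preg_match('#<\?php\s*eval\(\"\?>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED SHELL (base64 encoded shell)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#\;if\(aa\.indexOf\(aaa\)\=\=\=0\)#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED JS MALWARE(;if(aa.indexOf(aaa)===0))";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#function\s*re\(s\,n\,r\,b\,e\)#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED JS MALWARE (function re(s,n,r,b,e))";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#var\s*foobar\s*\=\s*unescape\;#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED (var foobar = unescape;)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// An auth_pass assignment immediately followed by eval(" on the same line.
elseif(preg_match('#auth\_pass\s*\=\s*\"(.*)\"\;\s*eval\(\"#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED SHELL (encrypted filesman)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}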
// Five more branches of the if/elseif signature chain over $tmp (the contents
// of the file being scanned). Each one, on a match, prints the path and a
// label according to $print_infected / $print_all, increments
// $counter_infected and continues with the next file.
//
// Reading notes:
//  - \W (any non-word character) stands where the PHP "$" sigil would be.
//  - '.' does not match a newline without the 's' modifier, so every (.*)
//    here only spans text on a single line.
//  - preg_match() returns false on a PCRE error; these conditions treat that
//    like "no match", so a failed pattern reports nothing for the file.
//  - The labels say SUSPECTED, but the hit is counted in $counter_infected.

// A PHP block that only @copy()s _FILES[file][tmp_name] to _FILES[file][name]
// and then exits.
elseif(preg_match('#<\?php\s*\@copy\(\W\_FILES\[file\]\[tmp\_name\]\,\s*\W\_FILES\[file\]\[name\]\)\;\s*exit\;\s*\?>#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED DEFACE SCRIPT (filecopy)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// A stub carrying "//system file do not delete" comments, two string
// assignments to underscore-only variable names, and an eval() of one
// variable called with the other.
elseif(preg_match('#<\?php\s*\/\/(.*)\_\=\s*\/\/system\s*file\s*do\s*not\s*delete\'\'\;\s*\/\/system\s*file\s*do\s*not\s*delete\s*\W\_\_\s*\=\s*\"(.*)\"\;\W\_\_\_\s*\=\s*\"(.*)\"\;eval\(\W\_\_\_\(\W\_\_\)\)\;#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED SHELL (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// preg_replace("/.+/esi"," : the 'e' modifier makes preg_replace evaluate the
// replacement string as PHP code (the modifier was removed in PHP 7).
elseif(preg_match('#preg\_replace\(\"\/\.\+\/esi\"\,\"#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED SHELL (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// An HTML-commented script body: "var ...;eval(unescape("...", followed by
// document.write(u);u=""; and the closing comment and script tag.
elseif(preg_match('#<\!\-\-\s*var(.*)\;eval\(unescape\(\"(.*)\;document\.write\(u\)\;u\=\"\"\;\/\/\-\->\s*<\/script>#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED JS MALWARE(eval/unescape)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// The opening statements of one specific script: session_start(), then
// assignments to me, NameF (from _REQUEST['NameF']), nowaddress and pass_up.
elseif(preg_match('#<\?php\s*session\_start\(\)\;\s*\Wme\=\W\_SERVER\[\'PHP\_SELF\'\]\;\s*\WNameF\=\W\_REQUEST\[\'NameF\'\]\;\s*\Wnowaddress\=\'\'\;\s*\Wpass\_up\=#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED UPLOAD SCRIPT(malicious)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#<\?php\s*\@set\_time\_limit\(0\)\;\s*\@error\_reporting\(NULL\)\;\s*\@ini\_set\(\'display\_errors\'\,0\)\;\s*\@ignore\_user\_abort\(TRUE\)\;\s*if\(md5\(md5\(\W\_REQUEST\[\'(.*)\'\]\)\)\=\=\'#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED UPLOAD SCRIPT(malicious)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?PHP\s*defined\(\'\_OLD\_JEXEC\_\'\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;\s*\?>#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED base64 injection script"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php\s*if\(isset\(\W\_REQUEST\[\"(.*)\"\]\)\)\s*\{\s*eval\(base64\_decode\(\W\_REQUEST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}\s*else\s*\{\s*die\(\"404\s*Not\s*Found\"\)\;\s*\}\?>#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED base64 injection script"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#function\_exists\(\'date\_default\_timezone\'\)\s*\?\s*date\_default\_timezone\_set\(\'America\/Los\_Angeles\'\)\s*\:\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\;#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALICIOUS SCRIPT"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?PHP\s*define\(\'REAL\_SERVER\_ROOT\'\,\s*\'SERVER\'\)\;\s*\/\/DIR(.*)define\(\'SYSTEM\_SKEL\_DIR\'\,\s*\'skel\'\)\s*\?\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\:(.*)define\(\'WORKGROUPS\_META\_SETTINGS\_FILENAME\'\,\s*\'settings.xml\'\)\;\s*\?>#i', $tmp)) { if($print_infected) print 
"{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALICIOUS SCRIPT"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}\s*\?>#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED base64 injection script"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php\s*echo\s*\'Sw\s*Bilgi

\'\.php\_uname\(\)\.\'
<\/b>\'\;(.*)else\s*\{\s*echo\s*\'Basarisiz<\/b>

\'\;\s*\}\s*\}\s*\?>#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED UPLOAD SCRIPT"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#GIF89\;

\s*\s*<\?php\s*if\s*\(\s*isset\(\W\\[\'versi\'\]\)\s*\)\'s*\{\s*vers\(\)\;#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (GIF infection)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php\s*if\(\!empty\(\W\_FILES\[\'message\'\]\[\'name\'\]\)\s*AND\s*\(md5\(\W\_POST\[\'nick\'\]\)\s*\=\=#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (POST backdoor)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php\s*\Wis\_bot\s*\=\s*FALSE\s*;\s*\Wuser\_agent\_to\_filter\s*\=\s*array\(\s*\'\#fileuploads\#\'\)\s*\;#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED UPLOAD SCRIPT"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#auth_pass(.*)eval\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED SHELL"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php\s*\/\*\s*Plugin\s*Name\:\s*GSM#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED MALICIOUS PLUGIN"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php\s*\W(.*)array\(\"(.*)\"\)\;eval\(\"(.*)x3B\"\)\;\?>#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED SHELL"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#base=base64_encode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) 
print "...SUSPECTED (base=base64_encode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#.rand\(100000000,9999999999\).#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (.rand(100000000,9999999999).)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#__++\)\)\].=#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (__++))].=)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Fredrik N. Almroth - h.ackack.net#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Fredrik N. Almroth - h.ackack.net)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#The Sword Config Fuck Script#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (The Sword Config Fuck Script)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#4297f44b13955235245b2497399d7a93#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (4297f44b13955235245b2497399d7a93)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\!-- provided by.\/katAK -->#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED ()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#user_agent_to_filter#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED 
(user_agent_to_filter)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\@unserialize\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (@unserialize(base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#file_put_contents\(__FILE__,base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (file_put_contents(__FILE__,base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#echo eval\(urldecode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (echo eval(urldecode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#echo @eval\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (echo @eval(base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#xml_str = base64_decode#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (xml_str = base64_decode)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#X-Mailer: Microsoft Office Outlook#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (X-Mailer: Microsoft Office Outlook)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#mode=show>Commands Run#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; 
if($print_infected || $print_all) print "...SUSPECTED (mode=show>Commands Run)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#_SAPE_USER#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (_SAPE_USER)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#.gzuncompress\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (.gzuncompress(base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\);preg_replace\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED ();preg_replace()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\),base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (),base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eVAl\( base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (eVAl( base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED ((gzinflate(str_rot13(base64_decode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#body=stripslashes\(urldecode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print 
"...SUSPECTED (body=stripslashes(urldecode()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#REQUEST = array_merge\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (REQUEST = array_merge()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#;eval\(\(\(strlen\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (;eval(((strlen()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#viagra#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (viagra)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#levitra#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (levitra)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#male enhancement#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (male enhancement)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#propceia#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (propceia)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#xViewState\(\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (xViewState)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Fonksiyonlar#i', $tmp)) { 
if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Fonksiyonlar)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('# #i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED ( )"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Sh3llBoT#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Sh3llBoT)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Upload Your Fav Shell#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Upload Your Fav Shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Is cURL installed\? \(nst\) which curl#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Is cURL installed\? 
\(nst\) which curl)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Magic Include Shell ver#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Magic Include Shell ver)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#irc.securitychat.org#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (irc.securitychat.org)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#function printLogin\(\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (function printLogin\(\))"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#function GetMama\(\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (function GetMama\(\))"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#runcommand#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (AJAX runcommand)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#my @nickname = #i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (my @nickname = )"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#dosyaPath = mid\(mpat,InStrRev\(mpat#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (ASP Shell)"; $counter_infected++; if($print_infected || $print_all) print 
"\n"; continue; } elseif(preg_match('#coded by z0mbie#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (coded by z0mbie)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Php Bypass - www.shellci.biz#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Php Bypass - www.shellci.biz)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#fistik=PHVayv;#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (fistik=PHVayv;)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Dark Shell#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Dark Shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#CTT SHELL#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (CTT SHELL)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\/etc\/passwd#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (/etc/passwd)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Chiave<\/td>Valore<\/td><\/tr>#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (cShell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#fonk_kap = get_cfg_var#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; 
if($print_infected || $print_all) print "...SUSPECTED (fonk_kap = get_cfg_var)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#PHPSHELL_VERSION#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (PHPSHELL_VERSION)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Root-Access Shell#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Root-Access Shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#s101 Interamente creata da Sora101#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (s101 Interamente creata da Sora101)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#SimAttacker - Vrsion#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (SimAttacker - Vrsion)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Shell Dizini:#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Shell Dizini:)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\/etc\/syslog.conf#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (\/etc\/syslog.conf)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#die\(PHP_OS.chr\(49\).chr\(48\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED 
die\(PHP_OS.chr\(49\).chr\(48\)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#stCurlLink = base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (stCurlLink = base64_decode\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#cookey =#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (cookey =)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#cxyyt = array\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (cxyyt = array\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#.str_pad\(strtoupper\(dechex\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (.str_pad\(strtoupper\(dechex\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#veb65c0b0 = array_keys\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (veb65c0b0 = array_keys\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#=Array\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (=Array(base64_decode\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#edoced_46esab#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (edoced_46esab)"; $counter_infected++; if($print_infected 
|| $print_all) print "\n"; continue; } elseif(preg_match('#\*\/base64_decode\/\*#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (\*\/base64_decode\/\*)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(stripslashes\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (eval\(stripslashes\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(\@gzinflate\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (eval\(\@gzinflate\(base64_decode\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eva1fYlbakBcVSir#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (eva1fYlbakBcVSir)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#preg_replace\(\"\/\.\*\/e\"\,\"\\x65#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (preg_replace\(\"\/\.\*\/e\"\,\"\\x65)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#cg2bW3yV4NSpnvKX2cFAvjczD7#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (cg2bW3yV4NSpnvKX2cFAvjczD7)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7)"; 
$counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Macro Hack#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Macro Hack)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#XERATUTA#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (XERATUTA)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#unserialize\(string_cpt\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unserialize\(string_cpt\(base64_decode\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#data.dat.gz#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (data.dat.gz)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Scam Redirector#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Scam Redirector)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\/images\/config.db#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (\/images\/config.db)"; $counter_infected++; if($print_infected || $print_all) 
print "\n"; continue; } elseif(preg_match('#\/temp\/links.db#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (\/temp\/links.db)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#LS0tLS0tLS0tLS0tLS0t#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (LS0tLS0tLS0tLS0tLS0t)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#BlackMail#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (BlackMail)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\{ hauguen priv\@ spammer \}#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (\{ hauguen priv\@ spammer \})"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#echo \'Shell Ok \';#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (echo \'Shell Ok \';)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Da Slake PHP MAILER#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Da Slake PHP MAILER)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#: : M A I L E R : : \$ d o m a i n - I n s i d e T e a m v#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (: : M A I L E R : : \$ d o m a i n - I n s i d e T e a m v)"; $counter_infected++; if($print_infected || $print_all) print "\n"; 
continue; } elseif(preg_match('#\/etc\/valiases/#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (\/etc\/valiases/)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#numemails#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (numemails)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#PHP Mailer#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (PHP Mailer)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\/etc\/named.conf#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (\/etc\/named.conf)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#set_index .= base64_encode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (set_index .= base64_encode\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (eval\(gzinflate\(base64_decode\(strrev\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#system file do not delete#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (system file do not delete)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#nslookup -type=MX#i', $tmp)) { 
if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (nslookup -type=MX)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\$copyto = explode\(\'wp-content\'\,#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (copyto = explode\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#default_action =(.*)default_charset =(.*)preg_replace\((/*)\,str_replace\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED FilesMan Shell"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\<\?php for\(\$o=0,\$e=#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (\<\?php for\(\$o=0,\$e=)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\$felp = explode\(\$kaka#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (\$felp = explode\(\$kaka)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#getdata = base64_decode\(\$datacheck\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (getdata = base64_decode\(\$datacheck\);)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#array_map\(strrev\(\"ed\".\"oced_\".\"46esab\"\),array\(str_replace\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)"; $counter_infected++; if($print_infected || $print_all) 
print "\n"; continue; } elseif(preg_match('#if \(md5\(md5\(\$\_REQUEST\[\'hhh\'\]\)\) ==#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Upload GAGAL#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Upload GAGAL)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Config Grabber#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (Config Grabber)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#@symlink\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (@symlink\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#OOO000000=urldecode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (OOO000000=urldecode\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval \(gzinflate\(base64_decode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (eval \(gzinflate\(base64_decode\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#return rawurlencode\(rawurlencode\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (return rawurlencode\(rawurlencode\()"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } 
// Signature branches for obfuscated-payload decoder chains. They continue an
// if/elseif chain that starts earlier in the file. Each branch tests the whole
// file contents in $tmp against one case-insensitive regex. On a match it
// prints the path when $print_infected is set, prints a verdict when
// $print_infected or $print_all is set, increments $counter_infected and moves
// on to the next file with `continue`.
//
// NOTE(review): these are substring heuristics, so a hit means "inspect this
// file", not proof of compromise. The verdict text says SUSPECTED, yet the
// counter incremented is $counter_infected.
// NOTE(review): order matters. A branch earlier in this file already matches
// '#eval(\s*)\((.*)base64_decode(\s*)\(#i' and ends in `continue`, so the
// eval\(...base64_decode\( signatures below can only fire if that branch is
// removed or narrowed.
// NOTE(review): an earlier branch appears on this page as
// preg_match('# #i', $tmp), which matches any file containing a space. If the
// file really reads that way (rather than a signature lost in transcription),
// almost no file reaches the branches below - confirm against the original.

// "base64_decode" assembled from concatenated string pieces and handed to
// array_map. The '.' between the quoted pieces is unescaped (any character).
elseif(preg_match('#=array_map\(\"ba\".\"se6\".\"4\".\"_decode\",array\(\'\',str_replace\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// The '.' after "d" is unescaped, so any single character is accepted there.
elseif(preg_match('#d.=sprintf\(\(substr\(urlencode\(print_r\(array\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// eval() around gzinflate / gzuncompress / str_rot13 / strrev / base64_decode
// in various nesting orders. Within this group the bare
// eval\(gzinflate\(base64_decode\( pattern is a prefix of several later ones,
// eval\(gzuncompress\(base64_decode\( is a prefix of its str_rot13 variant,
// and the ...base64_decode\(str_rot13\( pattern is listed twice. Those later
// branches are therefore unreachable even without the earlier shadowing.
elseif(preg_match('#eval\(gzinflate\(base64_decode\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(base64_decode\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzuncompress\(base64_decode\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzuncompress\(str_rot13\(base64_decode\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzuncompress\(base64_decode\(str_rot13\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(str_rot13\(gzinflate\(base64_decode\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(str_rot13\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(strrev\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// Same gzinflate(base64_decode( chain, passed to echo( instead of eval(.
elseif(preg_match('#echo\(gzinflate\(base64_decode\(#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// Anchored with ^ and no /m flag, so the match must start at the first byte of
// the file. It looks for $md5, $wp_salt and $wp_add_filter = create_function().
// NOTE(review): inside a single-quoted PHP string the sequence \\\$ reaches
// PCRE as \\$ (a literal backslash followed by the end anchor), so as written
// this branch looks unable to match a real "$md5" - verify and, if confirmed,
// use \$ instead.
elseif(preg_match('#^<\?php\s*\\\$md5\s*=\s*[\"|\']\w+[\"|\'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*\?>\s*#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED Shell (encrypted)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// File-name marker. The '.' is unescaped, so it matches any single character
// between "libworker" and "so".
elseif(preg_match('#libworker.so#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED (libworker.so)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// Shorter form of the "provided by./katAK" HTML-comment marker that an earlier
// branch in this chain tests. The '.' after "by" is unescaped.
elseif(preg_match('#by.\/katAK#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED (by.\/katAK)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// Literal PHP array of crawler names. The match depends on this exact order,
// quoting and ", " spacing, so a reformatted list will not be caught.
elseif(preg_match('#array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\)#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED (crawler filter)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
// HTML label text "Make dir:" followed by a closing span tag. Presumably a
// web-shell file-manager UI string - expect hits in legitimate file managers.
elseif(preg_match('#Make dir:<\/span>#i', $tmp)) {
    if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
    if($print_infected || $print_all) print "...SUSPECTED (unknown shell)";
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    continue;
}
elseif(preg_match('#\}eval\(x0r\("#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#function x0r\(\$h3ll0s\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php\s*preg_replace\(\"#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\$security_code = \(empty\(\$_POST\[\'security_code\'\]\)\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\.ucwords\(str_replace\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\)\);array_multisort\(array_map\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\.rawurlencode\(strtolower\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php\s*eval \( base64_decode 
\(\"#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(stripslashes\(\$_POST\[codee\]\)\);"#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(pet\(\"#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php \$g___g_=\'base\'.\(32*2\).\'_de\'.\'code\';\$g___g_=\$g___g_\(str_replace\(\"\n\", \'\', \'#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\((.*)\(base64_decode\((.*)1234567890\)\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\$opt\(\"\/292\/e\",\$au,292\); die\(\);\}\}\}#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\$MailTo = base64_decode\(\$_POST\[\"mailto\"\]\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print 
"\n"; continue; } elseif(preg_match('#email_polucha#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#if\(isset\(\$_REQUEST\[\'(.*)eval\((.*)\); exit\(\); \} if\(isset\(\$_REQUEST\[\'(.*)exit\(\); \}\s*\?>#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#.::\[ Phproxy \]::.#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#teksasli=unescape\(teks\);document.write\(teksasli\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(base64_decode\(\$jembot\)\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#eval\(base64_decode\(\$_REQUEST\[\'p64\'\]\)\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#die\(\"Restricted accoss\"\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; 
if($print_infected || $print_all) print "\n"; continue; } /* elseif(preg_match('#F(.*)i(.*)l(.*)e(.*)s(.*)m(.*)a(.*)n#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } */ elseif(preg_match('#<\?php\s*eval\(gzinflate\(str_rot13\(base64_decode\(\'#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#phpRemoteView#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#if \(isset\(\$_POST\[\'_\'\]\) \&\& \(sha1\(base64_decode\(\$_POST\[\'_\'\]\)\^\$str\) ==#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#x47FzcyA9ICI#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#mkdir\(\'Indishell\',0777\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Superfast Zone-H submitter#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; 
if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#if\(stripos\((.*)=base64_decode\((.*)=create_function\(\"\"#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Done ==> \$userfile_name#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#preg_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#WEB(.*)Shell#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#index.php replaced successufuly\!#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#sloboz#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\$URI = str_replace\(\"sync.php\", \$filename, \$URI\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || 
$print_all) print "\n"; continue; } elseif(preg_match('#<\? eval\(gzuncompress\(base64_decode\(\'#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#WPcheckInstall#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#echo \"Already writed\"#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#if \(move_uploaded_file \(\$_FILES\[\"update\"\]\[\"tmp_name\"\], __FILE__\)\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#FilesMan#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php(.*)= array\(\'(.*)= array\(\'(.*)= array\(\'(.*)\";if \(\!function_exists\(\"#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\{eval\(base64_decode\(\$_POST\[\"#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; 
if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\$uid = strtoupper\(md5\(uniqid\(time\(\)\)\)\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Created By Spaghy#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#= strrev\(\'ed\'.\'oc\'.\'ed_4\'.\'6e\'.\'sab\'\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#= strrev\(\'eca\'.\'lper\'.\'_ge\'.\'rp\'\);#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?php\s*if \(\!function_exists\(\"(.*)\"\)\)\s*\{\s*function(.*)= base64_decode\((.*)= strlen\((.*)= file_get_contents\(#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Mestre eCoLoGy#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#PHP eMailer#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print 
"...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#= \"p\".\"r\".\"e\".\"g\".\"_\".\"r\".\"e\".\"p\".\"l\".\"a\".\"c\".\"e\";#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#The Devil made me do it :\)#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#echo \"Can\'t upload file:#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#<\?\/\/BREACK\/\/\?>#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Bypass SuHosin#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#\$_FILE\(stripslashes\(\$_REQUEST\[\'HOST\'\]\)\);\}#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#atualizar_flash_player_ver#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown 
shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#Made By mr.hosam#i', $tmp)) { if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; if($print_infected || $print_all) print "...SUSPECTED (unknown shell)"; $counter_infected++; if($print_infected || $print_all) print "\n"; continue; } elseif(preg_match('#