#!/usr/bin/perl

use strict;
use warnings;
use CGI;

BEGIN {
    $SIG{__DIE__} = sub {
        my $msg = shift;
        print "status: 500\n";
        print "content-type: text/html\n\n";
        $msg =~ s/\n/\0/g;
        print "error: $msg\n";
        CORE::die $msg;
    }
}

$| = 1;
our $q = CGI->new;
print "Content-type: text/html\n\n";

my @regexen = (
    qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/is,
    qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is,
    qr/<?php if \(isset\(\$_GET\[\"CONFIG\"\]\)\) if \(.+?md5\(\$_GET\[\"CONFIG\"\]\)\)\{.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\]\)\)\{move_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\);return null;\} \?>/is,
    qr/<\?php extract\(\$_REQUEST\) \&\& \@assert\(stripslashes\(\$([A-z0-9]{1,20})\)\) \&\& exit;/is,
    qr/<\?php.+?if\(\!function_exists\(\"scandir\"\)\) \{.+?\$currentCMD = str_replace\(.+?Command completed.+?exit;\s+\?>/is,
    qr/<\?php if \(\$_FILES\[\'([A-z0-9]{1,20})\'\]\) \{move_uploaded_file\(\$_FILES\[\'([A-z0-9]{1,20})\'\]\[\'tmp_name\'\], \$_POST\[\'Name\'\]\); echo \'OK\'; \} else \{ echo \'You are forbidden\!\'; \} \?>/is,
    qr/<\?php if\( isset\( \$_REQUEST\[\"\w\"\] \) \) \{ system\( \$_REQUEST\[\"\w\"\] \. \" 2>\&1\" \); \}/is,
    qr/<\?php.+?Hacked by Ammar The-InJx.+?return \$info;\s+\}\s+\?>/is,
    qr/<\?php\s+if\(\!class_exists\(\'.+?\{\$is_bot=1;\}\$bad_file=array\(\"png.+?AND\@preg_match\(\'\/bing\|msn.+?urldecode\(.+?\\x\w\w\"\]\(\);\?>/is,
    qr/<\?php \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\); \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"q\", \"\", \"qbaqsqeq6q4q_qdqecoqde\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"\", \$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"([A-z0-9]{1,20})\", \"\", \$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\); \$([A-z0-9]{1,20})\(\); \?>/is,
    qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/\s+if\(md5\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\s+\=\=\=\s+\"([A-z0-9]{32})\"\)\s+\{\s+eval\(base64_decode\(\$\_POST\[\"([A-z0-9_]{1,20})\"\]\)\)\;\s+\}\s+\/\*([A-z0-9]{1,20})\*\/\s+\?>/is,
    qr/<\?php.+?if \(stristr\(php_sapi_name\(\).+?404\);\} exit\(\); \?>/is,
    qr/<\?php\s+if \(!isset\(\$sRetry\)\).+?\$stCurlLink = base64_decode\(.+?curl_close\(\$stCurlHandle\);.+?\?>/is,
    qr/eval\(\"\?\>\" \. base64_decode\(.+?\)\); \?>/is,
    qr/<\?php.+?\$alphabet =.+?exit\(\);.+?\$([A-z0-9]{1,20}) =.+?\"\"\.chr\(.+?\)\.\"\"\.chr\(.+?\)\.\"\\x.+?\]\.\$([A-z0-9]{1,20})\[\d\d\], \$([A-z0-9]{1,20})  ,\"([A-z0-9]{1,20})\"\);/is,
    qr/<\? echo\(base64_decode\(.+?\)\);  \?>/is,
    qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
    qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
    qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
    qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
    qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
    qr/<html>.+?<body>\s+<script type=\"text\/javascript\">.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+setTimeout\(([A-z0-9]{1,20})\(\),([0-9]{1,5})\);\s+\}\s+function ([A-z0-9]{1,20})\(\)\s+\{\s+([A-z0-9]{1,20}) = ([A-z0-9]{1,20})\(\);\s+([A-z0-9]{1,20}) = \[([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}).+?\}\s+<\/script>\s+<\/body>\s+<\/html>/is,
    qr/<\?php \/\* get_header\(\); .+?\$wordpress_report = strrev \(.+?\@move_uploaded_file\(\$open_image_tmp,\$image_tmp\);.+?\?>/is,
    qr/<\?\s+\/\/ \@\~ PRO Mailer V2.+?return stripslashes\(ltrim\(rtrim\(\$string\)\)\);.+?function SendOrMail\(\$from\) \{.+?sent successfully\'\); <\/script>\";\}\}\s+\?>/is,
    qr/preg_replace\(\"\/\.\+\/e\",\"\\x65.+?\\x3B\",\"\.\"\);/is,
    qr/if \(isset\(\$_GET\[\'CONFIG\'\]\)\) if \(.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\$file = \$_FILES\/\*;\*\/\[.+?touch\/\*;\*\/\(\$filename, \$time\);\s+return null;\s+\}/is,
    qr/<\?php\s+\$\w = array\(.+?\);\s+\$([A-z0-9]{1,20}) = implode\(\"\", \$\w\);\s+\$([A-z0-9]{1,20}) = \"base64_decode\";\s+\$([A-z0-9]{1,20}) = \"gzuncompress\";\s+\$([A-z0-9]{1,20}) = \"str_rot13\";\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\);\s+\?>/is,
    qr/<\?php echo base64_decode\(\'([A-z0-9]{1,20})\'\); if\( isset\( \$_REQUEST\[\'\w\'\] \) \) \{ system\( \$_REQUEST\[\'\w\'\] \. \' 2>\&1\' \); \}/is,
    qr/<\?php\s+\/\/header\(.+?=urldecode\(.+?<spango>.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\);\?>/is,
    qr/<\?php\s+if \(\$_REQUEST\[\'action\'\] ==.+?base64_decode\(\$_REQUEST\[.+?if \(mail\(stripslashes\(base64_decode\(\$.+?\} else \{echo \'not found\';\}/is,
    qr/<\?php.+?\$filter = base64_decode\( \$kses_str \);.+?echo \$wp_auth_check;/is,
    qr/<\?php.+?\$wp_file_descriptions = array\(.+?\$search\.\"\.\@\"\.\$wp_file_descriptions\[\'rtl\.css\'\]\);\s+\?>/is,
    qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is,
    qr/<\?php echo \'<div style=\"position:absolute; left:-9000px;\"><a href=\"http:\/\/.+?\">(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is,
    qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode.+?curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
    qr/RewriteEngine on\s+RewriteCond \%\{HTTP_USER_AGENT\} android \[NC,OR\].+?RewriteCond \%\{HTTP_USER_AGENT\} !\(windows\\\.nt\|bsd\|x11\|unix\|macos\|macintosh\|playstation\|.+?RewriteRule \^\(\.\*\)\$ http:\/\/.+?\.ru \[L,R=302\]/is,
    qr/<\? function ([A-z0-9_]{1,20})\(\$\w\)\{\$\w=Array\(\'.+?\);return base64_decode\(\$\w\[\$\w\]\);\} \?><\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\].+?\)\); \?>/is,
    qr/error 407<\?php system\(\$_GET\[cmd\]\); \?>/is,
    qr/<\?php eval\(chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(.+?\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\); \?>/is,
    qr/preg_replace\(\"\\x2f.+?\\x3d\"\);/is,
    qr/<\?php\s+\@ini_set\(.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\$npDcheckClassBgp = \"([A-z0-9]{1,20})\";\s+\}\s+\?>/is,
    qr/<\?php \/\* WARNING:.+?;eval\(base64_decode\(.+?\)\);return;\?>/is,
    qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
    qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is,
    qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
    qr/<\?php.+?function writerss\(\$name,\$text\) \{ echo \"<\"\.base64_encode\(\$name\)\.\">\"\.base64_encode\(\$text\)\.\"<\/\"\.base64_encode\(\$name\)\.\">\\n\"; \}.+?<\/output><\/channel><\/rss>\";\s+\?>/is,
    qr/<\?php echo base64_decode\(.+?\@include\(\"http\:\/\/.+?\); \?>/is,
    qr/<\?\s+require\(\"\.\.\/includes\/configure\.php\"\);.+?echo \"WORK\";.+?mysql_close\(\$link\);\s+unlink\(\"([A-z0-9]{1,20})\.php\"\);\s+\?>/is,
    qr/<\?php include\(\"http:\/\/.+?\"\); \?>/is,
    qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
    qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
    qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
    qr/<\?.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3b\",\"\.\"\);/is,
    qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\"\); \?>/is,
    qr/<\?php if \(isset\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\) eval\(stripslashes\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\); \?>/is,
    qr/<\?php \$firewall = true; \$stew = error_reporting\(\).+?if \(\$firewall\)\{header\(\"horrible:1\"\);\}  echo \"attack_queue\";\}   \}/is,
    qr/<\?php.+?\|\| InboX Mass Mailer \|\|.+?<script>alert\(\'Mail sending complete.+?<\/html>/is,
    qr/<\?php\s+\/\/Starting.+?if \(\$surl_autofill_include and \!\$_REQUEST\[\"c99sh_surl\"\]\).+?c99shexit\(\); \?>/is,
    qr/<\?php\s+\/\*\s+b374k.+?\$b374k=\@\$.+?\);\?>/is,
    qr/<\?php\s+\$auth_pass.+?\$noname.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\$noname\)\)\)\)\);/is,
    qr/if\(isset\(\$_REQUEST\[\'sort\'\]\)\)\{\s+\$string = \$_REQUEST\[\'sort\'\];\s+\$array_name = \'\';\s+\$alphabet =.+?strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
    qr/<\?php \$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = false.+?\$([A-z0-9_]{1,20}) = \"([A-z0-9_]{1,20})\";\$([A-z0-9_]{1,20}) = \"\";\$([A-z0-9_]{1,20}) = ([0-9]{1,20}); \?>/is,
    qr/<\?php\s+\$\w\d\d=.+?if \(\!empty\(\$GLOBALS\[.+?\]\)\) \{ eval\(\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\'([A-z0-9_]{1,20})\'\]\); \} \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\(\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\]\.\$.+?\.\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\];/is,
    qr/<\?php.+?EMelCo PHP WebShell.+?return \$salida;\s+\}\s+\?>/is,
    qr/<\?php.+?\$shell = \'uname -a; w; id; \/bin\/sh -i\';.+?if \(\!\$daemon\) \{.+?\?>/is,
    qr/<\?php.+?header\(\'WWW-Authenticate: Basic realm=\"r57shell\"\'\);.+?echo \'<\/body><\/html>\';\s+\?>/is,
    qr/<\?.+?Mass Mailer.+?by KoOl.+?\?>\s+<\/span>\s+<\/body>\s+<\/html>/is,
    qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is,
    qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
    qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is,
    qr/<\?php\s+\$url = base64_decode\(\$_SERVER\[\'QUERY_STRING\'\]\);.+?\$out \.= \"Connection: Close\\r\\n\\r\\n\";.+?\?>/is,
    qr/<\?php.+?if \(\!function_exists\(\'exec\'\) or ini_get\(\'safe_mode\'\)\) \{ die \(\"STOP\. No available functions\.\"\); \}\s+\$bashcheck = \'\s+echo \$\(whoami\).+?unlink\(\'([A-z0-9_]{1,20})\.php\'\);\s+\?>/is,
    qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);file_put_contents\(\"\/tmp\/.+?\"\)\); \@shell_exec\(\"perl.+?\?>/is,
    qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);if\(move_uploaded_file\(\$_FILES\[.+?<\/form>\';\?>/is,
    qr/<\?php \@shell_exec\(\"wget http:\/\/.+?\?>/is,
    qr/<\?php system\(\$_SERVER\[\"HTTP_SHELL\"\]\);shell_exec\(\$_SERVER\[\"HTTP_SHELL\"\]\);passthru\(\$_SERVER\[\"HTTP_SHELL\"\]\);\?>/is,
    qr/<\?php echo base64_decode\(.+?\); include\(\"http:\/\/.+?\?>/is,
    qr/<\?php \@include\(\"http:\/\/.+?\/r57\.v?\"\); \?>/is,
    qr/<\?php \@include\(\$_GET\[\"([A-z0-9_]{1,20})\"\]\); echo \"<b>\" \. md5\(\"([A-z0-9_]{1,20})\"\) \. \"<\/b><br>Love Hack WORLD :\]\"; \?>/is,
    qr/<\?php passthru\(\"wget http:\/\/.+?\?>/is,
    qr/<\? \@shell_exec\(\"wget http:\/\/.+?\?>/is,
    qr/<\?php \$to = \"misterxgoofy\@hotmail\.com\";\s+\$subject = \"Exploited\";.+?echo\(\"<p>Message delivery failed\.\.\.<\/p>\"\);\s+\}; \?>/is,
    qr/<\?php\s+\$filecontents=\'<\?php if\(stristr\(\$_SERVER\[\\\'HTTP_USER_AGENT\\\'\],\\\'google\\\'\)\)\{.+?\$filecontents",FILE_APPEND\);.+?\?>/is,
    qr/<\?php \@passthru\(\"cd \/tmp; wget http:\/\/+?\?>/is,
    qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
    qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
    qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
    qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is,
    qr/<\?php \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
    qr/<html>.+?aDriv4 Here \^\^.+?echo \"<center>Copyright \&copy; \"\.date\(\"Y\"\)\.\".+?\?>\s+<\/html>/is,
    qr/<\?php\s+error_reporting\(.+?echo \"DisablePHP=\"\.\$disable_functions; print \"\\n\";.+?\}\} \} \?>/is,
    qr/GIF89a \w<\?php \@copy\(\$_FILES\[file\]\[tmp_name\], \$_FILES\[file\]\[name\]\); exit; \?>/is,
    qr/<FORM ENCTYPE=\"multipart\/form-data\" METHOD=\"POST\">\s+<title>Uploader <\/title>.+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+\<\/FORM>/is,
    qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/is,
    qr/GIF([A-z0-9_]{1,20})\s+<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/FORM>/is,
    qr/<\?php.+?W3LL M!N! SH3LL.+?\/\/ World.+?return \$info;\s+\}\s+\?>/is,
    qr/<\?php.+?\$License = \"([A-z0-9_]{20,})\";.+?\$wpplugin_action = \'WPcheckInstall\';.+?header\(\'HTTP\/1\.0 404 Not Found\'\);\s+exit;/is,
    qr/<\?.+?Loader\'z WEB Shell v.+?Coded by Loader and Modify By Zetha\s+<\/center><\/td>\s+<\/tr>\s+<\/table>/is,
    qr/<\?php\s+echo \'\$Word\'\.\'Press !\';\s+if \(isset\(\$_POST\[\"wp\"\]\)\) \{\s+\$wp = \$_POST\[\"wp\"\];\s+if \(get_magic_quotes_gpc\(\)\) \$wp=stripslashes\(\$wp\);\s+file_put_contents\(\$_SERVER\[\"SCRIPT_FILENAME\"\],\'<\?php \'\.\$wp\.\' \?>\'\); \}\s+\?>/is,
    qr/<\?php if \(isset\(\$_POST\[\"code\"\]\)\) eval\(base64_decode\(\$_POST\[\"code\"\]\)\); \?>/is,
    qr/<\?php\s+echo \"\[!\]start\\n\";.+?function make_great_htaccess\(\$path\).+?echo \"\[-\] cant get the MHB client\\n\";\s+\}\s+\}/is,
    qr/<\?php eval \(base64_decode \(\"aWY.+?\"\)\); \?>/is,
    qr/<\?php\s+if\(isset\(\$_REQUEST\[\'cmd\'\]\)\) \{\s+eval\(base64_decode\(\$_REQUEST\[\'cmd\'\]\)\);\s+\}\s+\?>/is,
    qr/<\?php\s+\/\* Authorization \*\/\s+\$passwordhash = \"([A-z0-9_]{20,})\";.+?if \(isset\(\$_COOKIE\[\'wp_defined\'\]\)\) \{.+?function pnotice \(\$str\) \{.+?<\?php\s+return;\s+\}\s+\?>/is,
    qr/<\?php \$cookey = \"([A-z0-9_]{1,20})\";  \?>/is,
    qr/<\?php\s+if \(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\) \{\s+file_put_contents\(\'([A-z0-9_]{1,20})\.php\', base64_decode\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\), LOCK_EX\);\s+\}\s+\?>/is,
    qr/<\?php\s+\$([A-z0-9_]{1,10}) = \$_SERVER\[\'HTTP_USER_AGENT\'\];\s+\$keywordsRegex = \"\/([A-z0-9_]{20,})\/i\";\s+if \(preg_match\(\$keywordsRegex, \$([A-z0-9_]{1,10})\)\) \{\s+\$\w=\'bas\'\.\'e6\'\.\'4_d\'\.\'ecode\';eval\(\$\w\(.+?\)\);\s+\}\s+\?>/is,
    qr/<\?php \$([A-z0-9_]{1,10})=\"ba\"\.\"se\"\.\"64_d\"\.\"ecode\";eval\(\$([A-z0-9_]{1,10})\(.+?\)\);\?>/is,
    qr/<\?php\s+\$([A-z0-9_]{1,10}) = \$_SERVER\[\'HTTP_USER_AGENT\'\];\s+\$keywordsRegex = \"\/([A-z0-9_]{20,})\/i\";\s+if \(preg_match\(\$keywordsRegex, \$([A-z0-9_]{1,10})\)\) \{.+?echo \'<\/form>\';\s+exit\(\);\s+\}\s+\?>/is,
    qr/<\?php if\(!class_exists\(.+?public \$ip_list_bing=array\(\"191\.232\.\*\".+?init\(\$ruri,\$host,\$is_bot\);\} \?>/is,
    qr/<\?php \$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = str_split\(rawurldecode\(str_rot13\(\$([A-z0-9_]{1,20})\)\)\).+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\[\$([A-z0-9_]{1,20})\] \. \"\/\" \. substr\(md5\(time\(\)\).+?exit\(\);\}\}\}/is,
    qr/<\?php\s+\$([Oo0_]{1,10})=.+?\$([Oo0_]{1,10})=\'\|hateyou\|\';.+?\$([Oo0_]{1,10})=urldecode\(\"\%.+?\$([Oo0_]{1,10})=\"([A-z0-9_]{20,})\";\?>/is,
    qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
    qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$\{\"_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w=\/\*([A-z0-9_]{1,20})\*\/\"pr\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"la\"\.\"ce\";\$\w\(\'\/\/e\',\$\{\"_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\}/is,
    qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/\$\w=\"assert\";\/\*([A-z0-9_]{1,20})\*\/\$\w=\$\w\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} \/\/([A-z0-9_]{1,20})\s+if \(!extension_loaded\(\'IonCube_loader\'\)\).+?administrator\.\'\);return 0;\s+\?>\s+([A-z0-9_]{50,})/is,
    qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\} \@eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is,
    qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
    qr/<\?= \"\";.+?Berandal Shell.+?<form method=\"post\">\s+<input type=\"password\" name=\"pass\">\s+<\/form><\/center>/is,
    qr/<\?php\s+\$to\s+= stripslashes\(\$_POST\[\"to_address\"\]\);.+?\'error : \'\.\$result;\s+\}\s+\?>/is,
    qr/<\?php\s+echo \'good\';\s+echo \'<meta http-equiv=\"refresh\" content=\"0; url=http:\/\/.+?\" \/>\';\s+\?>/is,
    qr/<\?php mail\(\'.+?\', \'MIME-Version: 1\.0.+?\'\);class DeleteOnExit \{function __destruct\(\)\{unlink\(__FILE__\);\}\}\$g_delete_on_exit = new DeleteOnExit\(\);echo \'good\';\?>/is,
    qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\)\).+?\}function randStringfrpernames\(\).+?\}return\$([A-z0-9_]{1,30});\};\s+\?>/is,
    qr/<\?php ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\)\{\$([A-z0-9_]{1,20})=gzcompress\(base64_encode\(urlencode\(\$([A-z0-9_]{1,20})\)\),\d\);return urlencode\(\$([A-z0-9_]{1,20})\);\};\?>/is,
    qr/<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?><\?php\s+error_reporting\(E_ALL\);\$DOMAIN_FNAME1_([A-z0-9_]{1,10})=\'\.SIc7CYwgY\';\$DOMAIN_FNAME2_([A-z0-9_]{1,10})=\'\/var\/tmp\/\.SIc7CYwgY\';if\(isset\(\$_POST\[.+?\$str=enc\(\$str\);fwrite\(\$file,\$str\);fclose\(\$file\);\}\?>\s+<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?>/is,
    qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\.\"\);exit;\?>/is,
    qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/\/\$url\"\);\s+echo \"<meta http-equiv=\\\"content-type\\\" content=\\\"text\/html; charset=UTF-8\\\">\\n\";\s+echo \"<html><head><meta http-equiv=\\\"refresh\\\" content=\\\"0;url=http:\/\/\$url\\\"><\/head><\/html>\";\s+\?>/is,
    qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"1; url=http:\/\/.+?document\.write\(\"<img src=\'\" + l + \"\'>\"\);\s+<\/script>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is,
    qr/<\?php\s+header\(\"Location: http:\/\/.+?\"\);\s+die\(\);\s+\?>/is,


    


);

my @base64_decodes = (


);

my @file_list;
my %possible_list;

my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir);

print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
    print "$file<br />\n";
}
print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (keys(%possible_list)) {
    print "$key => $possible_list{$key}<br />\n";
}

sub dir {
    my ($start_dir) = @_;

    unless (opendir(DIR, $start_dir)) {
        print "Skipping directory $start_dir: $! <br />";
        return;
    }

    opendir(DIR, $start_dir) || die "$start_dir: $!";
    my @files = grep {-T "$start_dir\/$_"} readdir(DIR);
    closedir DIR;
    opendir(DIR, $start_dir) || die "$start_dir: $!";
    my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);
    closedir DIR;

foreach my $file (sort @files) {
        next if $file eq 'error_log';
        next if $file eq 'tcpdf.php';
        next if $file eq 'charmap.php';
        next if $file eq 'main-modules.php';
        next if $file eq 'wp-super-cache.php';
        next if $file eq 'user-edit.php';
        next if $file eq 'youtube.php';
        next if $file eq 'FMModelForm_maker_fmc.php';
        next if $file eq 'menu_scan.php';
        next if $file eq 'style_dynamic.php';
        print "Scanning $start_dir/$file... ";

        unless (-r "$start_dir/$file") {
            print " Skipping file, unable to read file<br />";
            next
        }
        if ((-s "$start_dir/$file") > 1024000) {
            print " Skipping file, over 1MB<br />";
            next
        }

        my $fh;
        unless (open ($fh, '<', "$start_dir/$file")) {
            print " Unable to read file, $!<br />";
            next
        }

        my $contents = do { local $/; <$fh> };
        close $fh;

my ($infected, $cleaned, $possible, $known, $sig);
        foreach my $pattern (@regexen) {
            my $t;
            if ($contents =~ /$pattern/) {
                my ($d, $t) = ($1, $2);
                    $infected = 1;
                    ($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);
                    push (@file_list, "$start_dir/$file");
            }

            $t = undef;
        }


        print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");
    }


    foreach my $folder (sort @folders) {
        if ($folder !~ /^\.\.?$/) {
            dir("$start_dir/$folder");
        }
    }
}

sub clean_file {
    my ($file, $contents, $pattern) = @_;
    my $cleaned;

    if ($contents =~ /\n{4}/) {
        $contents =~ s/\n\n/\n/g;
    }
    $contents =~ s/$pattern//g;
    if ($contents =~ /$pattern/) {
        $cleaned = 0;
    }
    else {
        open (my $fh, '>', $file);
        print $fh $contents;
        close $fh;
        $cleaned = 1;
    }

    return ($contents, $cleaned);
}

1;