Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
LP-MSH-Scanner/deprecated/malware4-deprecated.pl
Palma Solutions LTD 2ed80e7078 moved deprecated scripts where they belong
2019-02-23 06:34:28 +01:00

623 lines
96 KiB
Perl
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/perl
use strict;
use warnings;
use CGI;
BEGIN {
$SIG{__DIE__} = sub {
my $msg = shift;
print "status: 500\n";
print "content-type: text/html\n\n";
$msg =~ s/\n/\0/g;
print "error: $msg\n";
CORE::die $msg;
}
}
$| = 1;
our $q = CGI->new;
print "Content-type: text/html\n\n";
my @regexen = (
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
qr/<\?php\s+eval\(gzuncompress\(\".+?\"\)\)/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
qr/<\?php\s+chmod\(get\_root\_path\(\)\,\s+0755\)\;.+?function\s+get\_root\_path\(\).+?die\(\$reason\)\;\s+\}/is,
qr/<html>\s+<title>1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval\(base64\_decode\(.+?<\/Script>/is,
qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+\)\.\(\[a\-z\-\@\]\+\)\.\(\[a\-z\]\+\)\/.+?\$2\(\$3\(urldecode\(\'\$1\'\)\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_REQUEST\[\"q\"\]\)\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if\(isset\(\$\_POST\[\"key\"\]\)\s+\&\&\s+isset\(\$\_POST\[\"chk\"\]\)\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval\(gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]\)\)\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\s+\}/is,
qr/<\?php\s+eval\(gzuncompress\(.+?\"\)\)\;/is,
qr/<\?php.+?class\s+JApplication.+?new\s+JApplication\(array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'\)\)\;/is,
qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval\(base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?\)\)\;\s+\}/is,
qr/<\?php\s+\$dom\s+\=\s+array\(.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom\)\-1\)\]\.\'\/file\.php\'\;.+?header\(\'Location\:\s+\'\.\$url\)\;\s+\}\s+exit\;\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"id\"\]\)\)\s+header\(.+?\.\$\_GET\[\"id\"\]\)\;\s+\?>/is,
qr/<\?php\s+eval\(base64\_decode\(.+?\)\)\;/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?functions+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{return\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\;.+?\}\(\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?\)\}\;\s+\}/is,
qr/<\?php\s+eval\(base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?\)\;\s+\?>/is,
qr/\*\/\s+eval\(base64\_decode\(\"aWY.+?\=\"\)\)\;\s+\/\*/is,
qr/\*\/include\s+\/\*/is,
qr/\*\/\".+?\.co.+?php\"\;\/\*/is,
qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents\(\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]\)\)\)\;\}\s+unlink\(\$scr\.\"\.php\"\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?exit\(\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"\)\}\)\;\s+\}/is,
qr/eval\(base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is,
qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\(\)\;([A-z0-9]{250,})/is,
qr/<\?\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})\(\'\#\#e\'\,.+?\'\'\)\;/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?\Z/is,
qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function\(\).+?getCookie\(\"ytm\_hit1\"\)\&\&\(setCookie\(\"ytm\_hit1\"\,1\,1\)\,1\=\=getCookie\(\"ytm\_hit1\"\).+?\/script>\'\)\)\)\;<\/script>/is,
qr/<\?php\s+if\(isset\(\$\_POST\[chr\(100\).+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(97\)\.chr\(117\)\.\"t\"\.chr\(104\)\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr\(115\)\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is,
qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return.+?round\(.+?\)\;\}/is,
qr/<IfModule\s+mod\_rewrite\.c>\s+RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*\(google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\)\s+\{\s+header\(\s+\'Content\-Type\:\s+image\/jpeg\'\s+\)\;\s+readfile\(\'http\:\/\/.+?\.jpg\'\)\;\s+\exit\(\)\;\s+\}\s+header\(\'Location\:\s+http\:\/\/.+?\'\)\;\s+exit\(\)\;/is,
qr/function\s+l\_\_1\(\$.+?function\s+l\_\_3\(\$\_2\)\{if\(\$GLOBALS\[\Z/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\).+?\)\;\s+exit\(\)\;/is,
qr/<\?php\s+define\(\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"\)\;\s+define\(\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"\)\;.+?else\s+if\(strcasecmp\(\$h\,\s+\$key\)\s+\=\=\s+0\)\s+unset\(\$headers\[\$h\]\)\;\s+\}\s+\}/is,
qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]\)\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\(\)\;\Z/is,
qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+\(preg\_match\(\'\/facebook\/si\'\,\$ua\)\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is,
qr/<\?php\s+session\_start\(\)\;.+?\.php\_uname\(\)\..+?<\/form>/is,
qr/\'\;if\(\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is,
qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\).+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\(\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+\(\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"\)\)\s+or\s+\(strstr\(([A-z0-9]{1,20})\}\[.+?\)rtolower\(\$\_SERVER\[.+?\)\s+\&\&\s+\(\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?\)\)\s+or\s+\(strstr\(\$.+?\(0\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_.+?\)\{return\s+chr\(ord\(\$n\)\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower\(.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'\)\;/is,
qr/function\s+l\_\_1\(\$\_\Z/is,
qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\)\s+\&\&\s+\(md5\(\$\_POST\[\'name\'\]\).+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is,
qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,
qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is,
qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is,
qr/<\?PHP\s+if\(isset\(\$\_REQUEST\[\"cmd\"\]\)\)\{eval\(stripslashes\(\$\_REQUEST\[\"cmd\"\]\)\)\;die\(\)\;\}\s+\?>/is,
qr/<\?php\s+\$auth_pass.+?\$color.+?\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<\?php.+?\$auth_pass.+?\$color.+?\$default_action\s+\=\s+\'FilesMan\'\;.+?\)\;\?>/is,
qr/<\?php\s+\$\{.+?\,NULL\)\;\@ini\_set\(\"log\_.+?\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$\{.+?\=>\@phpversion\(\)\,.+?\]\)\;\}exit\(\)\;\}/is,
qr/<\?php\s+\$\{.+?\)\{if\(is\_uploaded\_file\(.+?\)\;\s+\?>/is,
qr/<\?php\s+eval\(.+?x3B\"\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\s+WordPress.+?eval\(gz.+?\$x([A-z0-9]{1,10})\s+\,\"([0-9]{1,5})\"\)\;/is,
qr/<\?php\s+\$noc\s+=\s+\".+?\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\].+?\$noc\[([0-9]{1,3})\]\.\$([A-z0-9]{1,10})\;\@\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\?>/is,
qr/<\?php\s+\/\/function\s+M404\s+\(\)\{.+?\$strings\s+\=\s+explode\(\'\|\'\,\s+base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(\$value\)\)\)\)\)\)\)\)\)\;.+?echo\s+\'\#\#\#\#\#\'\.\s+\$result\s+\.\s+\'\*\*\*\*\*\'\;\s+exit\;/is,
qr/<\?php\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\/\/status.+?echo\s+\"File\s+does\s+not\s+exist\"\;\s+\}\s+\?>/is,
qr/<\?php\s+\$p\s+\=\s+\$\_REQUEST\[\"m\"\]\;\s+eval\(base64\_decode\(\$p\)\)\;\s+\?>/is,
qr/\/\*edition\:1\.6\*\/.+?\;eval\(gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;eval\(\$([A-z0-9]{1,20})\)\;/is,
qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]\(\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]\)\[\_0xaae8\[2\]\]\(\)\[\_0xaae8\[1\]\]\(\_0xaae8\[0\]\)\)/is,
qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\=\=\'\)\)\)\;/is,
qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,
qr/A<\?php\s+\$license\s+\=\s+str\_rot13\(\'n\'\.\'f\'\.\'f\'\.\'r\'\.\'e\'\.\'g\'\)\;\s+\$license\(\$\_POST\[\'info\'\]\)\;\s+\?>/is,
qr/<\?php\s+preg\_replace\(\"\/\.\/.+?\)\)\)\;\"\,\"\.\"\)\;/is,
qr/<\?php\s+\$file.+?function\s+dwnld\(\$file\)\s+\{.+?header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+exit\;\s+\?>/is,
# qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+\(\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(\"\%c\"\,\s+$\_([A-z0-9]{1,20})\s+\^\s+ord\(\$\_([A-z0-9]{1,20})\[\$i\]\)\)\;\$\_([A-z0-9]{1,20})\s+\=\s+\"\"\;s+for.+?\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?explode\(chr\(\(.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,4})\-([0-9]{1,4})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors.+?bad\_agents\s+\=\s+\'\~google.+?register\_shutdown\_function\(\'ob\_end\_flush\'\)\;\s+\}\s+\}\s+\?>/is,
qr/<html>\s+<head>\s+<title>Hacked\s+by\s+ZeDaN\-Mrx.+?<\/iframe>\s+<\/html>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\).+?eval.+?exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+\'0\'\)\;\s+error\_reporting\(0\)\;\s+\$skipme\s+\=\s+false\;\s+\$bad\_agents\s+\=\s+\'\~google.+?<\/script>\"\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$q\=\"asser\"\.\"t\"\;\$q\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\!DOCTYPE\s+html\s+PUBLIC.+?rainbow\.arch\.scriptmania\.com.+?height\=\"1\"\s+width\=\"1\"><\/embed>\s+\<\/html>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$P\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\$\W\=\$P\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}/is,
qr/include\_once\s+\"3732787075626C69635F68746D6C\.htm\"\;/is,
qr/bgeteam\s+<\?php\s+error\_reporting\(0\)\;\s+if\(isset\(\$\_GET\[bge\]\)\).+?else\{echo\"<b>\"\;\}\}\}\s+\?>/is,
qr/<\?php\s+\$k=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'wei\'\]\)\;\?>/is,
qr/<\?php\s+function\s+result\(\$data\)\s+\{\s+\$result\=implode\(.+?\$result\=preg\_replace\(.+?if\(isset\(\$\_COOKIE\[\'google\'\]\)\).+?echo\(result\(array\(.+?\?>/is,
qr/<\?php.+?\$e19\s+\=.+?include\_once\(\$H26\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail\(stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\)\;\s+if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+eval\(eval\(\".+?\;\}\s+else\s+\{.+?\}\"\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+\@package.+?if\s+\(empty\s+\(\$\_POST\)\)\s+\{\s+echo\s+\'Empty\s+data\.\'.+?array\_map\s+\(.+?\$\_POST\[\'([A-z0-9]{1,5})\'\]\)\s+\)\)\;/is,
qr/<\?php\s+\@require\(\'wp\-admin\/([0-9]{1,20})\'\)\;/is,
qr/<\?php\s+echo\s+\'([0-9]{1,20})\.txt\'\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\}/is,
qr/<html>\s+<head>\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"1\;url\=http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/\">\s+<\/head>\s+<body>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\s+\@require\(\'wp-admin\/([0-9]{1,20})\'\)\;/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+\(\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(.+?\$\'\_([A-z0-9]{1,20})\(\)\;\s+\/\*([A-z0-9]{1,100})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/.+?\.php\"\;\s+\$([A-z0-9]{1,20})\=1\;\s+header\(\"content\-type\:text\/html\;charset\=utf\-8\"\)\;\@date\_default\_timezone\_set\(\"America\/Grenada\"\).+?break\;case\s+1\:\$([A-z0-9]{1,20})\=.+?return\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\/\*([A-z0-9]{1,100})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=\'http\:\/\/.+?else\{global\$([A-z0-9]{1,20})\;return\s+strlen\(.+?return\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+\@require\(\'\.\/([0-9]{1,20})\'\)\;/is,
qr/<\?php\s+\@\'\$\s+([A-z0-9]{1,20})\=([0-9]{1,20})\s+([A-z0-9]{1,20})\=([0-9]{1,20}).+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?\=explode\(.+?([A-z0-9]{1,20})\!\=\'\'\)\{echo\s+\$GLOBALS\[\"([A-z0-9]{1,20})\"\]\(\$([A-z0-9]{1,20})\)\;\}\}([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)die\(pi\(\)\*6\)\;\$\{.+?;eval\(\$\{\$([A-z0-9]{1,20})\}\[\".+?\"\]\)\;\}exit\(\)\;\}\?>/is,
qr/<\?php\s+\@\'\$.+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?exit\(\)\;\}else\{return\;\}\}([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}.+?function\s+([A-z0-9]{1,20})\(\)\{\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
qr/<\?php\s+\$alphabet\s+\=.+?\$string\s+\=.+?\$array\_name.+?\$f\(\)\;/is,
qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\(\)\;\Z/is,
qr/<\?php\s+set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match\(\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing\)\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is,
qr/<\?if\(\$\_GET\[\'mod\'\]\)\{if\(\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'\)\;.+?\?>/is,
# qr/<\?php\s+\$x([0-9]{1,10})\=\".+?elseif\s+\(\$x([0-9]{1,10})\s+\=\=\.+?\$\x([0-9]{1,10})\s+\=\s+\'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\'.+?\$x([0-9]{1,10})\s+\=\s+\$x([0-9]{1,10})\(MCRYPT\_BLOWFISH.+?return\s+\$x([0-9]{1,10})\;\s+\}\}\s+\?>/is,
qr/<\?php.+?die\(\"test\s+success\"\)\;.+?exit\;\s+\}\s+\?>/is,
qr/error\_reporting\(0\)\;\s+\$query.+?\'Googlebot\'\)\s+\!\=\=\s+false\)\{.+?return\s+\$file\_contents\;\s+\}/is,
qr/a\:4\:\{s\:1\:.+?RewriteEngine.+?<\/IfModule>\"\;\}/is,
qr/<\?php.+?if\(isset\(\$\_COOKIE\[.+?array\(.+?implode\(.+?\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?if\(isset\(\$\{\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\.\$.+?\.\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\]\)\;\}\s+\?>/is,
qr/<\?php.+?str\_ireplace\(\"i\"\,\"\"\,\"iibiasiieii6iii4iiii\_iideicioidieii\"\).+?\?>/is,
qr/<\?php\s+preg\_replace\(\"\/([A-z0-9]{1,20})\/e\"\,\s+\"ev\"\.\"al\(\'\"\.\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\.\"\'\)\"\,\s+\"([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\"\)\;\s+\?>/is,
qr/<\?\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+\$a\=\$\_COOKIE\[\'a\'\].+?\$unkhost\=.+?die\(\)\;\}\s+\?>/is,
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;create\_function\(.+?\)\;\s+\?>/is,
qr/<\?php.+?\/\/\s+OS\s+system\.\s+function\s=a.+?array\_map\s+\(\'a\'\,\s+array\s+\(\$\_POST\[\'f\'\].+?\;\Z/is,
qr/<\?php\s+\/\/header.+?\$MaxQuantity\=\$\_REQUEST\[\'MaxQuantity\'\]\;.+?mkdir\(\$path\,\s+0777\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$\{.+?\=getIp\(\).+?exit\(\)\;\}function\s+http\_request\(\$params\)\{\$\{.+?\=explode\(.+?\}\;\}\s+\?>/is,
qr/<\?php\s+\$wp\_\_wp\=\'base\'\.\(32\*2\)\.\'\_de\'\.\'code\'\;\$wp\_\_wp\=\$wp\_\_wp\(str\_replace\(.+?\(isset\(\$\_COOKIE\[\'wp\_wp\'\]\).+?<\/form>/is,
qr/<\?php\s+\$\{\"GLO.+?\]\;exit\(\)\;\}error\_404\(\)\;function\s+is\_good\_ip\(\$ip\)\{\$\{.+?\}\)\;\}else\s+return\s+FALSE\;if\(\$\{\$\{\"GL.+?\?>/is,
qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'a\'\]\)\;\s+exit\;/is,
qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?exit\;\s+\?>/is,
qr/<\?php\s+header\(\"Content\-type.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\@system\(\"\.\/1\.sh\"\)\;\s+\?>/is,
qr/<\?php\s+\$\{\"G.+?\=getUseragent\(\).+?\=str\_replace\(.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+\$s\=\@\$\_GET\[2\]\;if\(md5\(\$s\.\$s\)\=\=\"([A-z0-9]{1,32})\"\s+\&\&\s+\(\$p\=\'pr\'\.\'eg\_\'\.\'re\'\.\'place\'\)\s+\&\&\s+\(\$r\=\'str\'\.\'\_rot\'\.\'13\'\)\)\{\$p\(\'\/ad\/\'\.\'e\'\,\'\@\'\.\$r\(\'r\'\.\'in\'\.\'y\'\)\.\'\(\$\_POST\[\$s\]\)\'\,\'add\'\)\;\}\;echo\s+dirname\(\_\_FILE\_\_\)\;\?>/is,
qr/\#\!\/bin\/sh\s+cd.+?libworker\.so.+?exit\s+0/is,
qr/<\?php\s+\/\/\s+NEXT\s+LINE.+?function\s+xor\_enc2\(\$str\).+?\;\?>/is,
qr/\#\!\/bin\/bash\s+DIRNAME\=\'\.gohome\'.+?bot\_works\(\)\s+\{.+?echo\s+\'done\'\;/is,
qr/\#\!\/bin\/sh\s+DIRNAME\=\'\.jshome\'.+?if\s+\[\s+\$\{MACHINE\_TYPE\}\s+\=\=\s+\'x86\_64\'\s+\]\;\s+then.+?echo\s+\'done\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?\$([A-z0-9]{1,20})\=array\(\)\;\s+foreach\(\$\_SERVER\s+as\s+\$([A-z0-9]{1,20}).+?if\(\!empty\(\$this\->([A-z0-9]{1,20})\)\)return\s+\$this\->([A-z0-9]{1,20})\;\s+return\s+false\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"ass\"\.\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\s+echo\s+([0-9]{1,20})\+([0-9]{1,20})\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=str\_replace\(\"\[t1\]\"\,.+?include\(\"temp1\-1\.php\"\)\;\s+fclose\(\$([A-z0-9]{1,20})\)\;\s+\$([A-z0-9]{1,20})\=fopen\(\"temp1\-1\.php\"\,\"w\"\)\;\s+fclose\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+\@session\_start\(\)\;.+?\/\/PASSWORD\s+CONFIGURATION.+?\=strrev\(\'edoced\_46esab\'\)\;\$s\=gzinflate\(\$.+?\)\;create\_function\(\'\'\,\"\}\$s\/\/\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?implode\(array\_map\(.+?\-1\;\s+\?>/is,
qr/<\!DOCTYPE\s+HTML\s+PUBLIC.+?Hacked\s+By\s+Dr\.Shap7\-Nine.+?<\/html>/is,
qr/<\?php\s+\/\/([A-z0-9]{1,20})\s+\$\{.+?\}\=\=\=\"\"\|\|strrpos\(\$\{\$.+?\}\;exit\(\)\;\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is,
qr/<\!DOCTYPE.+?<h1>Index\s+of\s+\/<\/h1>.+?<\/html>/is,
qr/<\?php\s+\$password\s+\=\s+\"([A-z0-9]{1,20})\".+?function\s+TestWriteable\(\).+?HtmlFoot\(\)\;\s+exit\;\s+\}\s+\?>/is,
qr/<\?php\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;.+?\}\s+\?>/is,
qr/GIF89a\@\s+<\?php.+?MulCiShell.+?ob\_end\_flush\(\)\;\s+\?>/is,
qr/<\?php\s+echo\s+eval\(base64\_decode\(str\_replace\(\'\*\'\,\'a\'\,str\_replace\(\'\%\'\,\'B\'\,str\_replace\(\'\~\'\,\'F\'\,str\_replace\(\'\_\'\,\'z\'\,str\_replace\(\'\$\'\,\'x\'\,str\_replace\(\'\@\'\,\'d\'\,str\_replace\(\'\^\'\,\'3\'.+?\'\)\)\)\)\)\)\)\)\)\;/is,
qr/<\?php\s+\/\/\/\s+WebShell.+?echo\s+\"sent\_error\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+define\(\'TMP\'\,\'\.\/tmp\/\'\)\;\s+define\(\'BUF\'\,65536\)\;\s+define\(\'ZLEVEL\'\,9\)\;.+?header\(\"STATUS\:\s+OK\"\)\;\s+\}/is,
qr/<\?php\s+\$cfg\=.+?\)\)\{echo\s+\$goto\_body\;\}\s+\?>/is,
qr/<\!DOCTYPE.+?<title>404.+?<address>Apache\/2\.4.+?<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1})\"\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\)\;\s+\?>/is,
qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\-us\"><head><title>Hacked\s+by\s+AnoaGhost.+?<\/html>/is,
qr/GIF89a\s+BlaCkB0x\s+<\?\$k\=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admin1234\@\#\'\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\$.+?\'firoERs\".+?\]\}\(\)\;\}\s+\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{.+?1337\)\;\s+else\Z/is,
qr/<html>\s+<head><title><\/title>\s+\<\/head>\s+<body>\s+<\?php\s+\/*\s+\*\s+REVISION.+?if\s+\(md5\(md5\(\$\_REQUEST\[.+?print\s+\"ERROR\:\s+7\s+UNKNOWN<br\/>.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+class\s+([A-z0-9]{1,20})\s+\{\s+public\s+function\s+\_\_construct\(\)\s+\{\s+\$([A-z0-9]{1,20})\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\;\s+if\s+\(\$([A-z0-9]{1,20})\)\s+\{\s+\$option\s+\=\s+\$([A-z0-9]{1,20})\s+\(\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\)\s+\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\s+\(\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\)\s+\;\s+\$option\s+\(\s+\"\/([A-z0-9]{1,20})\/e\"\s+\,\s+\$([A-z0-9]{1,20})\s+\,\s+([A-z0-9]{1,20})\s+\)\s+\;\s+\}\s+else\s+\{\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+([A-z0-9]{1,20})\;/is,
qr/<\?php\s+\$a\=\$\_POST\[\'c\'\]\;\@EvAl\s+\(\$a\)\;\?>/is,
qr/<\?\s+if\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\=\=\"([A-z0-9]{1,20})\"\)\{\s+function\s+getDir\(\$dir\)\s+\{\s+\$dirArray\[\]\=NULL\;.+?<\/label>\s+<\/form>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$file_name.+?function\s+getDirContents\(\$dir\)\s+\{.+?getDirContents\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;\s+\}\}\s+\}\s+\}\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(\s+\$\_REQUEST\[\"array\"\]\s+\)\s+\{\s+\@assert\(base64\_decode\(\$\_REQUEST\[\"array\"\]\)\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\(\)\;\s+\}\s+echo\'\s+PAGE\s+NOT\s+FOUND\'\;\s+\}\s+\?>/is,
qr/<\?php\s+set\_time\_limit\(0\)\;\s+ignore\_user\_abort\(\)\;.+?echo\s+\$mail\.\"\s+\-\s+sending\s+ok.+?\}\s+\}\s+\?>/is,
qr/\/\/installbg\s+\$rifilename\=\'\/home\/([A-z0-9]{1,20})\/public\_html\/.+?\'\;\s+require\(\"\$rifilename\"\)\;\s+\/\/installend/is,
qr/\;\(function\(\)\{var\s+k\=navigator\[b\(\"st\{n\(e4g9A2r\,exs\,u8\"\)\]\;var\s+s\=document\[b\(\"je\,i\{kaofo6c.+?async\=true\;w\.src\=.+?length\-1\;v>\=0\;v\-\-\)\{n\+\=y\[v\]\;\}return\s+n\;\}\}\)\(\)\;/is,
qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(.+?if\(\@\$isbot\)\{.+?echo\s+\$result\;\s+\}\s+\?>/is,
qr/<\?php\s+\$key\s+\=\'([A-z0-9]{1,20})\'\;\s+\$key\s+\.\=.+?eval\(\$b\(\$new\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*\s+\(c\)\s+2011\s+The\s+potion\s+hissed.+?\=base64\_decode\(.+?\=\@gzinflate\(strrev\(.+?\=create\_function\(.+?\}\s+\?>/is,
qr/<\?php\s+\/\*\s+\(c\)\s+2004.+?base64\_decode\(.+?gzinflate\(strrev\(.+?if\(crc32\(.+?create\_function.+?\}\s+\?>/is,
qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode\(.+?die\(\"([0-9]{1,20})\"\)\;\s+\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\)\;.+?\}else\{echo\s+\"false\"\;\}\s+\}\s+\?>/is,
qr/<\?php\s+\$scriptname\=\s+str\_replace\(.+?if\s+\(file\_exists\(\"wp\-content\"\)\).+?unlink\(\$scriptname\)\;\s+\?>/is,
qr/<\?php.+?Twenty\_Sixteen.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php.+?str\_ireplace\(\"([A-z0-9]{1})\"\,\"\"\,\"([A-z]{1,10})b([A-z]{1,10})a([A-z]{1,10})s([A-z]{1,10})e([A-z]{1,10})6([A-z]{1,10})4([A-z]{1,10})\_([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})c([A-z]{1,10})o([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})\"\).+?}\s+\?>/is,
qr/<\?php\s+error\_reporting\(E\_ERROR.+?\$wp\_code\s+\=.+?\?>/is,
qr/<\?php\s+\$s\_pass\s+\=\s+\"\"\;\s+eval\(\"\W\$x\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(.+?\)\)\;\"\)\;eval\(\"\?>\"\.\$x\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$([A-z0-9]{1,20})\=\@\$([A-z0-9]{1,20})\(\'\$([A-z0-9]{1,20})\'\,\'ev\'\.\'al\'\.\'\(\"\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$([A-z0-9]{1,20})\)\)\)\;\'\)\;\@\$([A-z0-9]{1,20}).+?\)\;/is,
# qr/<\?php.+?bas._?64\_d.+?cod.+?POST\[.+?file\_put\_contents.+?include\(.+?unlink\(.+?\'\)\;/is,
qr/<\?php\s+\@eval\(\$\_POST\[\".+?\"\]\)\;\?>/is,
qr/if\(isset\(\$\_REQUEST\[\'sort\'\]\)\)\{\s+\$string\s+\=\s+\$\_REQUEST\[\'sort\'\]\;\s+\$array\_name\s+\=\s+\'\'\;\s+\$alphabet.+?\$ar\s+\=\s+array\(.+?foreach\(\$ar\s+as\s+\$t\)\{\s+\$array\_name\s+\.\=\s+\$alphabet\[\$t\]\;\s+\}\s+\$a\s+\=\s+strrev\(.+?\$f\s+\=\s+\$a\(\"\"\,\s+\$array\_name\(\$string\)\)\;\s+\$f\(\)\;\s+exit\(\)\;\s+\}/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;.+?class\s+O\s+\{\s+private\s+\$content\_\s+\=.+?execute\(\)\;/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\=str\_ireplace\(.+?define\(\'([A-z0-9]{1,20})\'\,\s+\_\_DIR\_\_\)\;.+?\?>/is,
qr/<\?php.+?error\_reporting\(([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=\!preg\_match\(\'\~\^\(unsafe\_raw\)\?\$\~\'\,ini\_get\(\"filter\.default\"\)\)\;if\(\$([A-z0-9]{1,20})\|\|ini\_get\(\"filter\.default\_flags\"\)\)\{foreach\(array\(\'\_GET\'\,\'\_POST\'\,\'\_COOKIE\'\,\'\_SERVER\'\).+?lzw\_decompress\(.+?/is,
qr/<\?php\s+\$suc\s+\=\s+false\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\s+\.\s+\'\/wp\-config\.php\'\;.+?\$([A-z0-9]{1,20})\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\s+\.\s+\'\/configuration\.php\'\;.+?if\(\$suc\s+\!\=\s+true\)\s+\{\s+echo\s+\'Not\s+found\s+file\'\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+function\s+([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\s+\{\s+return\s+\$([A-z0-9]{1,20})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,20})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,20})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$c\=base64\_decode\(\'.+?\=\'\)\.\$\_GET\[n\]\.\'t\'\;\@\$c\(\$\_POST\[x\]\)\;\?>abcabcabc/is,
qr/<\?php\s+\(\$sun\s+\=\s+\$\_POST\[\'nnd\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$sun\)\'\,\s+\'add\'\)\;\?>lslfjsdlfkjsdjlfSDFlfjp7934937kdjfhshdofowe\@\#\$\#\$\%\$\&\*\^\&\*\#\$\%\#\$\%\#\@\$\#\%jkdfhghgiernqnwv\_\+\&\%\$\&\#\^\%\*\(QVRJLQWERLQWWER\$\%\%\&\%\&\@\%\#\$\%\^\%\&\^\&\*\*\&\(\)\(\)\%\@\$\!\#\%\%/is,
qr/<\?php\s+\$\{.+?\)\)\{\@ob\_clean\(\)\;echo\s+base64\_decode\(substr\(\$\{\$\{.+?\]\}\;\}break\;\}\}\}\}\}\s+\?>/is,
qr/<\?php\s+\(\$sun\s+\=\s+\$\_POST\[\'\#\#\#\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$sun\)\'\,\s+\'add\'\)\;\?>/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$O\_0OO\_\_0O0\=.+?\$O\_OO0\_O0\_0\=urldecode\(.+?\$OOO0O0\_0\_\_\)\;exit\(\)\;\}\'\)\;\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+\$\_\_\_\_\=base64\_decode\(.+?<input\s+type\=\"submit\"\s+value\=\"go\"\/><\/form><\/center>\'\)\;\?>/is,
qr/<\?php\s+error\_reporting\(E\_ALL\s+\&\s+\~E\_NOTICE\)\;\s+\$m\s+\=\s+get\_magic\_quotes\_gpc\(\)\;\s+\$uploadfloder.+?\}\s+else\s+\{\s+echo\s+\"ok\"\;\s+\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$domain\s+\=\s+\'n\.liveupdates\.host\'\;.+?\$s\s+\=\s+dns\_get\_record\(\$domain\,\s+DNS\_TXT\)\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$m\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+function\s+result\(\$data\).+?srand\(seed\(\)\)\;.+?echo\(result\(array\(.+?\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*.+?\]\)\;\}exit\(\)\;\}/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$O\_OO\_\_000O\=\'1044\'\;\s+\$O0O00OO\_\_\_\=urldecode\(.+?\]\(\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\=str\_rot13\(\'([A-z0-9]{1,20})\_([A-z0-9]{1,20})\'\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20})64\_([A-z0-9]{1,20})\'\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20})\'\)\;\$a\=\'rt\'\;\s+\$b\=\'as\'\;\s+\$b\.\=\'se\'\s+\.\s+\$a\;\@\$b\(\$([A-z0-9]{1,20})\(\'ri\'\s+\.\s+\'ny\(\W'\'\s+\.\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\s+\.\s+\'\\'\)\'\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\=base64\_decode\(\$([A-z0-9]{1,20})\)\;.+?if\(\$([A-z0-9]{1,20})\=\=strlen\(\$([A-z0-9]{1,20})\)\)\s+break\;\s+elseif\(.+?\$([A-z0-9]{1,20})\=\(ord\(.+?if\(\!empty\(\$this\->([A-z0-9]{1,20})\)\)return\s+\$this\->([A-z0-9]{1,20})\;\s+return\s+false\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+1\)\;.+?if\(\!function\_exists\(\'file\_put\_contents\'\)\)\s+\{.+?if\(isset\(\$\_GET\[\"rdir\"\]\)\&\&\s+\$\_GET\[\"url\"\]\)\{.+?function\s+curl\_get\_from\_webpage\_one\_time\(\$url\,\$proxy\=\'\'\,\$tms\=0\)\{.+?unlink\(\"\.\/wp\-content\/uploader\.php\"\)\;\s+\?>/is,
qr/<\?php.+?Joomla\.Administrator.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{250,})\'\)\;\s+defined\(\'\_JEXEC\'\)\s+or\s+die\;.+?echo\s+\'<form\s+method\=\"post\"\s+action\=\"\">\s+<input\s+type\=\"input\"\s+name\=\s+\"j\_submenu\"\s+value\=\"\"\/><input\s+type\=\"submit\"value\=\"\&gt\;\"\/>\s+<\/form>\'\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;.+?\$arr\_word\[0\]\[\].+?\$arrKeywz\[\].+?\$strRand\[0\].+?str\_ireplace\(str\_replace\(.+?\/\/file\s+end/is,
qr/<\?php\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\s+\#\s+Xai\s+Syndicate\s+\#\s+\#NoName\s+Shell\s+Release\#\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\s+\$auth\_pass\s+\=.+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$noname\)\)\)\)\)\)\;/is,
qr/<\?php\s+echo\s+\"Priv8\s+Home\s+Root\s+Uploader.+?echo\s+\"gagal\s+upload\"\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php.+?BlackHat\s+Shell.+?\$auth\_pass.+?\$nusantarablackhat.+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$nusantarablackhat\)\)\)\)\)\)\;/is,
qr/<\!DOCTYPE\s+html>\s+<head>\s+<\!\-\-\s+Meta\s+\-\->\s+<meta\s+name\=\"keywords\"\s+content\=\"Hacked\">.+?<\!\-\-\s+end\:\s+index\s+\-\->/is,
qr/<html>\s+<head>\s+<title>\?\?\?\!\!\!<\/title>.+?<h1>\s+HACKED\s+BY\s+CYBERSCRY\s+<\/h1>.+?\/font><\/marquee><br><br><br>/is,
qr/<\?php\s+\/\/silent\s+is\s+gold\s+eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\/silent\s+is\s+gold\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;/is,
qr/<\?php\s+\/\*\s+PHP\s+Encryption\s+By\s+FathurFreakz.+?\(substr\(file\_get\_contents\(\_\_file\_\_\)\,([0-9]{1,10})\,strlen\(file\_get\_contents\(\_\_file\_\_\)\)\)\)\)\;\_\_halt\_compiler\(\)\;\s+\@FathurFreakz.+?\/([A-z0-9]{1,20})/is,
qr/<\?php\s+if\(\!class\_exists\(\'OneG\'\)\)\{if\(function\_exists\(\'is\_user\_logged\_in\'\)\).+?return\s+\$content\;\}\}\$ratel\=new\s+OneG\;\$ratel\->init\(\$uri\,\$ua\)\;\}/is,
qr/<\!DOCTYPE\s+HTML\s+PUBLIC.+?<title>\:\:\s+ByPass.+?\$file\s+\=\s+fopen\(\"config\.izo\"\s+\,\"w\+\"\)\;.+?<\/html>/is,
qr/<\?php\s+\/\*\*\s+Copyright\s+\©\s+2007.+?\*\/\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;/is,
qr/<\?php\s+\$auth\_pass\s+\=.+?\$default\_action.+?\$default\_use\_ajax.+?\$default\_charset.+?\)\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\!\=.+?\$dflt\_actn\s+\=\s+\'FilesWin\'\;.+?\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?function\s+scan\_dir\(\$dirname\)\{.+?if\s+\(\!function\_exists\(\'file\_put\_contents\'\)\)\s+\{.+?if\s+\(isset\(\$\_POST\[\'startreplace\'\]\)\)\{.+?\s+echo\s+\'Finish\!\s+Dir\:\s+\'\.\$dir\.\'\s+Replace\:\s+\'\s+\.\s+\$repl\s+\.\s+\'\s+Files\:\s+\'\.\s+\$coun\;\s+\}\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\s+\#\s+mod\_add\_custom\_css.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?eval\(\$data\_row\->htmlcode\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\s+\#\s+mod\_add\_custom\_css.+?define\(\'AKISMET\_VERSION\'\,\s+\'2\.2\.6\'\)\;.+?\$dflt\_actn\s+\=\s+\'FilesMan\'\;.+?<input\s+type\=hidden\s+name\=charset>\s+<\/form>/is,
qr/<\?php\s+\/\*\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\s+\#\s+mod\_add\_custom\_css.+?\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\s+\"\"\,\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\s+array\(\$([A-z0-9]{1,20})\{([0-9]{1,10})\}\,\s+\"Wn\"\)\,\s+\"\"\,.+?\)\s+\)\s+\)\;\s+\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+define\(\'\_JEXEC\'\,\s+1\)\;\s+try\{.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?\$db\->query\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+define\(\'\_JEXEC\'\,\s+1\)\;\s+try\{.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?eval\(\$data\_row\->htmlcode\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"ass\".\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+?\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"preg\_\"\.\"repla\"\.\"ce\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/\s+\$([A-z0-9]{1,20})\s+\=\s+\'([A-z0-9]{10,})\+([A-z0-9]{20,})\'\..+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\".+?\)\)\)\;\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\)\)\)\;\Z/is,
qr/<\?php\s+if\s+\(\!isset\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\s+\|\|\s+ltrim\(\$\_SERVER\[\'REQUEST\_URI\'\]\,\'\/\'\)\s+\=\=\=\s+\'\'\)\s+\{\s+print\s+\'<div\s+class\=\"([A-z0-9]{1,20})\"\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-9999px\;\">\s+\<a\s+href=\"http\:\/\/.+?casino.+?<\/a><\/div>\'\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\"\,([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\(\"\"\)\;\s+\$([A-z0-9]{1,20})\=\(([0-9]{1,10})\-([0-9]{1,10})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\$str\s+\=\s+\"([A-z0-9]{1,20})\"\;\$Oo0\=\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\;\$([A-z0-9]{1,20})\s+\=\$\_POST\[\"([A-z0-9]{1,20})\"\]\;\$Oo0\(\$([A-z0-9]{1,20})\)\;\?>/is,
qr/<\?php\s+\$OO00O0\=1\;\$O0O0O0\=1\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20}).+?\.chr\(([0-9]{1,10})\)\.\$([A-z0-9]{1,20})\[([0-9]{1,10})\]\.chr\(([0-9]{1,10})\)\..+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20}).+?\.chr\(([0-9]{1,10})\).+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\.chr\(([0-9]{1,10})\).+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$domain\s+\=\s+\'gas\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$m\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+header\(\'Content\-Type\:text\/html\;\s+charset\=UTF\-8\'\)\;\s+\@set\_time\_limit\(0\)\;\s+define\(\'PASSWORD\_FILE\'\,\s+\'p\.txt\'\)\;.+?if\(\!file\_exists\(PASSWORD\_FILE\)\)\s+\{.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;.+?function\s+Send\(\)\{.+?\$replyto\=check\_gmail\(\$replyto\)\;.+?return\s+\$result\.\'\@gmail\.com\'\;\s+\}\s+\?>/is,
qr/\"\s+\.\s+base64\_decode\(\"\'\.\$wp\_code\.\'\"\)\)\;\s+\?>\'\;\s+\$wp\_dec\_file\s+\=\s+base64\_decode\(\$wp\_code\)\;.+?\/\/print\s+PLATFORM\;\s+\/\/print\_r\(\$all\_dirs\)\;\s+\?>/is,
qr/<\?php\s+class\s+ControllerProductDesign\s+\{.+?\$this\->muf\=\$this\->dispatch\(\'GIF89alxWam9FZlRWYvxGc19VZ29Wb\'\)\;.+?\$model\->\_continue\(\'done\'\)\;\s+\}/is,
qr/<\?php\s+eval\(\"\?>\"\s+\.\s+base64\_decode\(\".+?\"\)\)\;\s+\?>\s+<\?php\s+\/\*a\,b\,c.+?\*\/\s+\?>/is,
qr/<\?php\s+\$o\=\"([A-z0-9]{1,20}).+?\"\;eval\(base64\_decode\(\".+?\)\)\;return\;\?>/is,
qr/<\?php\s+error\_reporting\s+\(0\)\;.+?if\s+\(array\_key\_exists\s+\(\'delete\'\,\s+\$\_REQUEST\)\).+?\$domains\s+\=\s+get\_user\_domains\s+\(\)\;.+?return\s+join\(\'\.\'\,\s+\$arr\)\;\s+\}\s+\?>/is,
qr/<\?php.+?\$me\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?\}\s+function\s+reload\(\)\{header\(\"Location\:\s+\"\.basename\(\_\_FILE\_\_\)\)\;\}.+?\'\.\'\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?exit\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\(\/\*([A-z0-9]{1,20})\'\..+?false\,\$([A-z0-9]{1,20}).+?([A-z0-9]{1,20})\'\;/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+if\(isset\(\$\_REQUEST\[\"start\"\]\)\s+\&\&\s+md5\(\$\_REQUEST\[\"start\"\]\)\s+\=\=\s+\'([A-z0-9]{32})\'\s+\&\&\s+isset\(\$\_REQUEST\[\"stort\"\]\)\)\s+eval\(base64\_decode\(\$\_REQUEST\[\"stort\"\]\)\)\;\?>/is,
qr/<\?php\s+\/\*\s+VTY\s+\-\s+Database\s+Manager\s+For\s+Mysql.+?\$vty\->BitimIslemleri\(\)\;\s+exit\;\s+\}\s+\?>\s+<\?php.+?class\s+dug\s+\{.+?function\s+menu\(\)\{\s+\?>\s+<table.+?\}\/\/class\:db\s+\?>/is,
qr/\$([A-z0-9]{1,20})\=\"\-1\(.+?\$([A-z0-9]{1,20})\=array\(\"([A-z0-9]{1,20})\"\=>\".+?\"\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\"\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;if\(\$([A-z0-9]{1,20})\(\@\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\]\)\=\=\$([A-z0-9]{1,20})\)\$([A-z0-9]{1,20})\(\)\;/is,
qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\"\Wx.+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?\$\_([A-z0-9]{1,10})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,10})\'\,\s+([A-z0-9]{1,10})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\s+function\s+([A-z0-9]{1,10})\s+\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\s+\{\s+return\s+\$([A-z0-9]{1,10})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,10})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,10})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,10})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$k\=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admins\'\]\)\;\?>No\.1\s+<\?php\s+\@preg\_replace\(\"\/\/e\"\,\$\_POST\[\'sss\'\]\,\"Access\s+Denied\"\)\;\?>/is,
qr/<\?php\s+\/\*\s+WSO\s+\[2\.6\]\s+\*\/\$OOO000000\=urldecode\(.+?\=\_\_FILE\_\_\;\$.+?([A-z0-9]{1,20})\Z/is,
qr/<\?php\+\$c\=base64\_decode\(\'([A-z0-9]{1,20})\=\'\)\.\$\_GET\[\'n\'\]\.\'t\'\;\@\$c\(\$\_POST\[\'x\'\]\)\;\?>abcabcabc/is,
qr/<\?php\s+if\s+\(\$\_REQUEST\[\'action\'\]\s+\=\=\s+\'([A-z0-9]{1,10})\'\)\s+\{\s+\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;\s+\$fr\s+\=\s+explode\(\'\|\'\,\s+\$in\_data\)\;\s+if\s+\(mail\(stripslashes\(base64\_decode\(\$fr\[0\]\)\)\,\s+stripslashes\(base64\_decode\(\$fr\[1\]\)\)\,\s+base64\_decode\(\$fr\[2\]\)\,\s+stripslashes\(base64\_decode\(\$fr\[3\]\)\)\)\)\s+\{echo\s+\'query\'\;\}\s+else\s+\{echo\s+\'bad\s+request\'\;\}\s+\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/is,
qr/<head>\s+<meta\s+name\=\"description\"\s+content\=\"ok\s+file\s+uploaded\">\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"0\;URL\=http.+?\"\/>\s+<\/head>/is,
qr/<?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$\_COOKIE\[\'f\_wp\'\]\s+\:\s+NULL\)\;\s+\$wp\_auth\_check\s+\=\s+\'<form\s+method\=\s+\"post\"\s+action\=\s+\"\">.+?preg\_match\(\'\#<img\s+src\=\"data\:image\/png\;base64\,\(\.\*\)\">\#\'\,\s+\$wp\_default\_logo\,\s+\$logo\_data\)\;.+?echo\s+\$wp\_auth\_check\;\s+\?>/is,
qr/<\?php\s+header\(\"HTTP\/1\.1\s+404\s+Not\s+Found\"\)\;.+?if\(file\_exists\(\'\.\/\.\.\/\.\.\/wp\-load\.php\'\)\)\s+require\(\'\.\/\.\.\/\.\.\/wp\-load\.php\'\)\;.+?else\s+\@unlink\(\_\_FILE\_\_\)\;.+?\?>/is,
qr/<?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$wp\_auth\_check\s+\=\s+\'<form\s+method\=\s+\"post\"\s+action\=\s+\"\">.+?echo\s+\$wp\_auth\_check\;\s+\?>/is,
qr/<\?php\s+echo\s+\"javaversion1\"\;\s+passthru\(\$\_POST\[libso\]\)\;\s+\?>/is,
qr/\*\/\@eval\/\*\*/is,
qr/\*\/\(\/\*\*config\*\/\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*\*/is,
qr/<\?php\s+if\(\!\@\$([A-z0-9]{1,20})\)\{if\(preg\_match\(\'\/alltheweb\|aol\|baidu\|.+?\;endif\;endif\;return\$\_([A-z0-9]{1,50})\;\}\;/is,
qr/<\?php\s+if\(\!\@\$codevyp\)\{if\(preg\_match\(\'\/alltheweb\|aol\|baidu\|.+?\;\}\@\$codevyp\=true\;\}\?>/is,
qr/<\?php\s+if\(\!\@\$incode\!\=false\|\|\!\@\$incode\!\=null\).+?foreach\(scandir\(.+?\=true\;\$incode\=true\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,30})\=\".+?\"\;\s+eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{1,30})\)\)\)\)\;\?>/is,
qr/<\?php\s+\$auth\_pass.+?\$default\_action.+?\$userAgents\).+?\s+exit\;/is,
qr/<\?php\s+define\(\'vpsp\_version\'\,\s+\'2\.5\.0\'\)\;\s+define\(\'vpsp\_pwd\'.+?\}\s+else\s+\{\s+\$ok\s+\=\s+fread\(\$input\,\s+2\)\;\s+if\s+\(\$ok\s+\!\=\s+\'OK\'\)\s+\{\s+header\(\'X\-VPSP\-ERROR\:\s+bad\_request\'\)\;\s+header\(\'X\-VPSP\-HOST\:\s+\'\s+\.\s+\(isset\(\$\_SERVER\[\'HTTPS\'\]\).+?function\s+VC\_Decrypt\(\$str\).+?\}\s+return\s+\$out\;\s+\}/is,
qr/<\?php\s+preg\_replace\(\"\/\.\*\/e\"\,\"\Wx65.+?\Wx3B\"\,\"\.\"\)\;\s+\?>/is,
qr/<\?php\s+\$D\=strrev\(\'edoced\_46esab\'\)\;\$s\=gzinflate\(\$D\(.+?\)\)\;create\_function\(\'\'\,\"\}\$s\/\/\"\)\;\s+\?>/is,
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+if\(isset\(\$\_POST\[\'Enoc\'\]\)\).+?<script>\s+alert\(\'\-\-\-Todos\s+Spammed\-\-\-\'\)\;\s+<\/script>.+?<\/html>/is,
qr/<\?php\s+\@date\_default\_timezone\_set\(\'UTC\'\)\;\$\_\_\_\_\=base64\_decode\(.+?\=create\_function\(\'\'\,\'\?>.+?\'\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\$host\=base64\_decode.+?\$bot\=urlencode.+?\$ident\)eval\(stripslashes\(\$\_REQUEST\[base64\_decode\(.+?\)\]\)\)\;\?>/is,
qr/<\?php\s+\$payload\=.+?\;preg\_replace\(\'\/\.\*\/e\'\,\".+?\"\,\'\.\'\)\;\s+\?>/is,
qr/<\?php\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+base64\_decode\(\$\_([A-z0-9]{1,20})\)\;\}\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+gzinflate\(\$\_([A-z0-9]{1,20})\,0\)\;\}\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+eval\(\$\_([A-z0-9]{1,20})\)\;\}.+?\"\;preg\_replace\(\'\/\.\*\/e\'\,\".+?\"\,\'\.\'\)\;\s+\?>/is,
qr/<\?php\s+\$\_([A-z0-9]{1,20})\=.+?\"\;\$\_([A-z0-9]{1,20})\=array\(.+?\)\;\$payload\=\".+?\"\"\;for\s+\(\$i\=.+?\Wx\d\d\"\)\;/is,
qr/<\?php\s+\$\{.+?set\_magic\_quotes\_runtime\(0\)\;if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\=\=.+?\{function\s+scandir\(\$dir\)\{\$\{.+?\"\;\}exit\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;.+?str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w+r\we\wpl\wa\wc\we\"\)\;.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w+d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w+f\wu\wnc\wt\wi\won\"\)\;.+?\?>/is,
qr/<\?php\s+\/\*\s+WSO.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\=\=([A-z0-9]{1,20})/is,
qr/<\?php\s+set\_time\_limit\(0\)\;\s+header\(\"Content\-Type.+?function\s+listDir\(\$dir\)echo\s+\"ok\"\;\s+\?>/is,
qr/<\?php\s+\$\w\=base64\_decode\(\'.+?\'\)\.\$\_GET\[\'\w\'\]\.\'\w\'\;\@\$\w\(\$\_POST\[\'\w\'\]\)\;\?>abcabcabc/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'.+?\'\]\)\)\{\$\w\=\"ass\"\.\"ert\"\;\$\w\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}\/\*.+?\*\//is,
qr/<script>\$\=\~\[\]\;\$\=\{\_\_\_\:\+\+\$\,\$\$\$\$\:\(\!\[\].+?\+\$\.\$\$\$\_\+\(\!\[\]\+\"\"\)\[\$\.\_\$\_\]\+\"\)\;\"\+\"\W\"\"\)\(\)\)\(\)\;<\/script>/is,
qr/<script\s+type\=\'text\/javascript\'>\s+var\s+\_([A-z0-9]{1,20})\=.+?\]\]\(\/\^\/\,String\)\)\{while\(.+?\]\]\(\s+new\s+RegExp\(.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\/\*.+?\*\/\=\"preg\"\.\"\_rep\"\.\"lace\"\;\/\*.+?\*\/\$\w\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'.+?\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\{\/\*.+?\*\/\$\w\/\*.+?\*\/\=\/\*.+?\*\/\"asse\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\/\*.+?\*\/\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\/\*.+?\*\/\;exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;\/\*.+?\*\/exit\;\}/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\/\*.+?\*\/\=\"as\"\.\"se\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\/\*.+?\*\/\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\/\*.+?\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\/000\w+\s+if\s+\(\!extension\_loaded\(\'IonCube\_loader\'\)\).+?return\s+0\;\s+\?>.+?\Z/is,
qr/<html><body>.+?<\?php\s+error\_reporting\s+\(0\)\;.+?\&mode\=upload\'\s+method\s+\=\s+\'POST\'.+?clearstatcache\s+\(\)\;.+?echo\s+\"<\/table><br>\"\;/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\)\;\$\{.+?\=\@unserialize\(decode\(get\_params\(\$\{\$\{\"GLO.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}/is,
qr/<\?php\s+\/\*.+?\*\/if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\)\{\$\w\=\"assert\"\;\$\w\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;.+?\$([A-z0-9]{1,20})\_\_\_\=urldecode\(.+?\)\;if\(\!function\_exists\(\'str\_ireplace\'\)\)\{function\s+str\_ireplace\(\$from\,\$to\,\$string\)\{return\s+trim\(preg\_replace\(\"\/\"\.addcslashes\(\$from.+?exit\(\)\;\}\}.+?\?>/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\=\"as\"\.\"se\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\=\/\*.+?\*\/\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\/\*.+?\*\/\$\w\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'.+?\'\]\,\'\'\)\;\/\*.+?\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\/\*.+?\*\//is,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?<H1><center>config\s+root\s+man<\/center><\/H1>.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'.+?\'\]\)\)\{\/\*.+?\*\/\$\w\/\*.+?\*\/\=\/\*.+?\*\/\"preg\_replace\"\;\$\w\(\'\/\/e\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'.+?\'\]\,\'\'\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}/is,
qr/<\?php\s+echo\s+\'([A-z0-9]{1,20})\'\;\s+preg\_replace\(\"\\x.+?\\x3B\"\,\"\\x2E\"\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}.+?\Z/is,
qr/<\?php\s+\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL.+?\/\/\#\#\#\=\=\=\=\#\#\#\s+\?>/is,
qr/<\?php.+?\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL.+?\/\/\#\#\#\=\=\=\=\#\#\#/is,
qr/<\?php\s+extract\(\$\_COOKIE\)\;\@\$F\&\&\(\@\$F\(\$A\,\$B\)\|\|\@\$W\(\$X\(\$Y\,\$Z\)\)\)\;/is,
qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;\s+\$a\s+\=.+?\$a\s+\=\s+str\_replace\(\$([A-z0-9]{1,20})\,\s+\"E\"\,\s+\$a\)\;\s+eval\s+\(gzinflate\(base64\_decode\(\$a\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?function\s+([A-z0-9]{1,20})\(\$\w\)\{return\s+chr\(ord\(\$\w\)\-1\)\;\}\s+\@error.+?\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_map.+?\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+if\(md5\(\$\_COOKIE\[\'\_wp\_debugger\'\]\)\=\=\"([A-z0-9]{32})\"\)\{\s+eval\(base64\_decode\(\$\_POST\[\'file\'\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?fwrite\(\$fp\,\s+\$\_POST\[\'uploadfile\'\]\)\;.+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\(isset\(\$\_POST\[\'to\'\]\)\)\s+AND.+?\$\_POST\[\'headers\'\]\)\)\s+\{echo\s+\'ok\'\;\}.+?else\s+\{\s+header\(\'Location\:\s+\/\'\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\w\d\=\$\_REQUEST\[\'sort\'\]\;\$\w\d\=\'\'\;\$\w\d\=\".+?\"\;\$\w\d\=array\(.+?\)\;foreach\(\$\w\d\s+as\s+\$\w\d\)\{\$\w\d\.\=\$\w\d\[\$\w\d\]\;\}\$\w\d\=strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;\$\w\d\=\$\w\d\(\"\"\,\$\w\d\(\$\w\d\)\)\;\$\w\d\(\)\;\?>/is,
qr/<\?php\s+eval\(\"\?>\"\s+\.\s+base64\_decode\(\".+?\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\[\d\]\)\)\;exit\(\)\;\}\}\}\s+\?>/is,
qr/<\?php\s+header\(\"Cache\-Control\:\s+tect\"\)\;\s+\@error\_reporting\(0\)\;\s+\@ini\_set\(\"display\_errors\"\,0\)\;\s+\@ini\_set\(\"log\_errors\"\,0\)\;\s+\@ini\_set\(\"error\_log\"\,0\)\;\s+if\s+\(isset\(\$\_POST\[\"x\"\]\)\)\s+\{\s+eval\(\$\_POST\[\"x\"\]\)\;\s+\}\s+\?>/is,
qr/<\?php.+?\$data\s+\=\s+file\_get\_contents\(\'php:\/\/input\'\)\;.+?\$data\s+\=\s+base64\_decode\(\$data\)\;.+?if\s+\(\$ok\)\s+\{\s+d\(\'ok\'\)\;\s+\}\s+else\s+\{\s+d\(\'bad\:\'\.\$fname\.\'\|\'\.\_\_DIR\_\_\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'b\'\.\'a\'\.\'s\'\.\'e64\_deco\'\.\'de\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\)\)\;/is,
qr/<\?php\s+\$alphabet\s+\=\s+\"\..+?\$string\s+\=\s+\".+?\$array\_name\s+\=\s+\"\"\;\s+\$ar\s+\=\s+array\(.+?foreach\(\$ar\s+as\s+\$t\)\{\s+\$array\_name\s+\.\=\s+\$alphabet\[\$t\]\;\s+\}\s+\$a\s+\=\s+strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;\s+\$f\s+\=\s+\$a\(\"\"\,\s+\$array\_name\(\$string\)\)\;\s+\$f\(\)\;/is,
qr/<\?php\s+if\(isset\(\$\_POST\[\"mailto\"\]\)\)\s+\$MailTo\s+\=\s+base64\_decode\(\$\_POST\[\"mailto\"\]\)\;\s+else.+?echo\s+\"sent\_ok\"\;\s+else\s+echo\s+\"sent\_error\"\;\s+\?>/is,
qr/<script\s+type\=\"text\/javascript\">eval\(function\(p\,a\,c\,k\,e\,r\).+?script\|\|\|\|document\|defer\|google\_analytics\|yandexMetrix.+?start\|http\|window\|11\'\.split\(\'\|\'\)\,0\,\{\}\)\)<\/script>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{.+?\]\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+echo\s+([0-9]{1,20})\+([0-9]{1,20})\;\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=base64\_decode\(.+?if\(\$\_POST\[base64\_decode\(.+?\)\)\]\[base64\_decode\(.+?\)\.\"\=\"\)\]\)\;\}\;\s+\?>/is,
qr/<html\s+oncontextmenu\=.+?CYBER\_LoW.+?width\=\"1\">\s+<\/html>/is,
qr/<html>\s+<head>.+?SemsexTheBg78.+?frameborder\=\"0\"\s+allowfullscreen>/is,
qr/<\!doctype\s+html>\s+<html>\s+<title>Vespa<\/title>.+?Hacked\s+By\s+Trihash.+?<\/html>/is,
qr/\"><input\s+type\=submit.+?\!function\_exists\(\"posix\_getpwuid\"\).+?<\/marquee><\/div>/is,
qr/<\?php\s+\$db\_\_g\_\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$db\_\_g\_\=\$db\_\_g\_\(str\_replace\(.+?submit\"value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+\$\{\"\\x.+?\]\=\"key\"\;\@ini\_set\(.+?\]\}\=\@unserialize\(decode\(get\_params\(\$\{\$\{\"GLO.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(\"\?>\"\.base64\_decode\(\".+?\"\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\;\$([A-z0-9]{1,20})\s+\=\s+Array\(\)\;\$([A-z0-9]{1,20})\[\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\]\;\$([A-z0-9]{1,20})\[\].+?\;foreach\s+\(\$([A-z0-9]{1,20})\[\d\]\(\$\_COOKIE\,\s+\$\_POST\)\s+as\s+\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\)\)\)\)\;\}/is,
qr/<html><head>.+?\@HACKED\s+By\_BDJ\-007.+?var\s+pesen\=\"BDJ\-007\s+Was\s+Here\s+>\_\*\"\;.+?<\/script>\s+<style>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,20})\s+\.\=\s+isset\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\$i\]\]\).+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/include\s+\"\\x.+?eval\(base64\_decode\(.+?file\_get\_contents\(\"index\.htm\"\)\;exit\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\;\$([A-z0-9]{1,20})\s+\=\s+Array\(\)\;\$([A-z0-9]{1,20})\[\]\s+\=.+?\]\;foreach\s+\(\$([A-z0-9]{1,20})\[\d\]\(\$\_COOKIE\,\s+\$\_POST\).+?\)\{function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{return\s+\$([A-z0-9]{1,20}).+?\{eval\(\$([A-z0-9]{1,20})\[.+?\]\(\$([A-z0-9]{1,20})\)\)\)\)\;\}/is,
qr/<\?php\s+session\_start\(\)\;.+?\#\s+md5\:\s+IndoXploit.+facebookexternalhit.+?\Z/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{.+?\]\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\!DOCTYPE\s+html>.+?<title>PHP\s+sCAn<\/title>.+?\?>\s+<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+function\s+([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\s+\{\s+return\s+\$([A-z0-9]{1,20})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,20})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,20})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{die\(pi\(\)\*\d\)\;\}\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?if\s+\(\$return\s+\=\=\s+true\)\s+\{\s+echo\s+\"true\"\;\s+\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[.+?\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[.+?\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/error\s+page\s+news\s+version\s+\d\.\d\.\d\s+<\?php.+?\$([A-z0-9]{1,20})\s+=\s+str\_replace\(.+?\/\/\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\$\w\_\_\_\w\_\=\'base\'\.\(32\*2\)\.\'\_de\'\.\'code\'\;\$\w\_\_\_\w\_\=\$\w\_\_\_\w\_\(str\_replace\(\"\\n\"\,\s+\'\'.+?value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"preg\_replac\"\.\"e\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/([A-z0-9]{1,20})\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\$([A-z0-9]{1,20})\)\;\}\}\s+\?>/is,
qr/<\!\-\-\s+this\_file\_is\_blocked\s+\-\-><\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'ba\'\.\'se64\'\.\'\_\'\.\'d\'\.\'eco\'\.\'d\'\.\'e\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\.\'.+?\'\.\'.+?\'\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\=\"\"\).+?\)\)\)\;\s+\$([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+\/\/([A-z0-9]{150,}).+?eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\)\{if\(isset\(\$\_FILES\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=getcwd\(\)\.\'\/\'\;\$([A-z0-9]{1,20})\=\$\_FILES\[\'([A-z0-9]{1,20})\'\]\;\@move\_uploaded\_file\(\$([A-z0-9]{1,20})\[\'tmp\_name\'\]\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\)\;echo\"Done\:\s+\"\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\;\}else\{\?><form\s+method\=\"POST\"\s+enctype\=\"multipart\/form\-data\"><input\s+type\=\"file\"\s+name\=\"([A-z0-9]{1,20})\"\/><input\s+type\=\"Submit\"\/><\/form><\?php\s+\}\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"as\"\.\"se\"\.\"rt\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\_\"\.\"repla\"\.\"ce\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\_r\"\.\"eplace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\$.+?\=str\_replace\(\'\s+\'\,\'\'\,\$.+?for\s+\(\s+\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\s+\$.+?\=\@gzinflate\(strrev\(\$.+?create\_function\(\'\$.+?\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?error\_reporting\(0\)\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'n\.liveupdates\.host\'\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?if\s+\(preg\_match\(\'\/googlebot\|slurp.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"preg\_re\"\.\"place\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*vsql\*\/exit\;\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_repl\"\.\"ace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\"\.\"\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\"\.\"\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?error\_reporting\(0\)\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?if\s+\(preg\_match\(\'\/googlebot\|slurp.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+if\(\$\_GET\[\".+?\(\$\_FILES\[\"uploadedfile\"\].+?<\/form>/is,
qr/<\?php\s+\$\{.+?\=\@unserialize\(decode\(get\_param.+?\]\}\;\}\s+\?>/is,
qr/<\?php.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{100,}).+?<\/form>\'\;\s+\?>/is,
qr/<\?php\s+\/\*\s+DO.+?class\s+ADODB\_Pager.+?\$pager\->render\_pagelinks\(\)\;/is,
qr/\#\!\/usr\/bin\/env\s+php\s+<\?php.+?private\s+function\s+extractFile\(\$info\).+?\_\_HALT\_COMPILER\(\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/include\s+\"\\x.+?php\"\;.+?eval\(base64\_decode\(.+?\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+for\(\$i\=0\;\$i<strlen\(\$([A-z0-9]{1,20})\)\;\$i\+\+\)\s+\{\s+\$([A-z0-9]{1,20})\[\$i\]\s+\=\s+chr\(ord\(\$([A-z0-9]{1,20})\[\$i\]\)\-1\)\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}eval\(([A-z0-9]{1,20})\(.+?\)\)\;\?>/is,
qr/<\?php\s+\$randStr\s+\=\s+str\_shuffle\(.+?if\(is\_dir\(\$RootDir\s+\.\s+\"\/wp\-admin\"\)\)\{.+?\}\s+unlink\(\"\.\/test\.php\"\)\;/is,
qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\,base64\_decode\(.+?\)\,base64\_decode\(.+?\)\)\;\s+\?><\?\s+function.+?\=Array\(.+?return\s+base64\_decode\(.+?\]\)\;\}\s+\?><\?php\s+\$GLOBALS\[.+?\)\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\@set\_time\_limit\(3600\)\;.+?if\(isset\(.+?echo\s+\'\#ok\#\'\;.+?return\s+\$dir\;\s+\}\s+\/\//is,
qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{.+?if\s+\(file\_exists\(\"wp\-content\"\)\).+?unlink\(\$scriptname\)\;\s+\?>/is,
qr/<\?php\s+echo\"Hello\,\s+Dollys\"\;error\_reporting\(0\)\;if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+md5\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\s+\=\=\s+\'([A-z0-9]{20,})\'\s+\&\&\s+isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(base64\_decode\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\?>/is,
qr/<\?php\s+\$RootDir\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\;.+?if\s+\(\!\s+is\_dir\s+\(\s+\$RootDir\.\"\/wp\-content\"\s+\)\).+?\$str\=\'<\?php\s+if\(\$\_GET\[.+?unlink\(\"\.\/([A-z0-9]{1,20})\.php\"\)\;/is,
qr/<\?php\s+if\(\$\_GET\[\".+?<\/form><\?php\s+\}\s+\?>/is,
qr/\?php\s+\/\*\s+\(c\)\s+2005.+?\=base64\_decode\(\$.+?for\(\$i\=0\;\s+\$i<strlen\(\$.+?\=\@gzinflate\(strrev\(\$.+?\)\;\s+\}\s+\?>/is,
qr/if\(isset\(\$\_REQUEST\[\'.+?\$array\_name\s+\.\=\s+\$alphabet\[\$.+?\/\/\s+MALWARE\s+\$([A-z0-9]{1,20})\(\)\;\s+exit\(\)\;\s+\}/is,
qr/\$alphabet\s+\=\s+\".+?\$string\s+\=\s+\".+?\$array\_name\s+\=\s+\"\"\;.+?\$array\_name\s+\.\=\s+\$alphabet\[\$.+?strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;.+?\/\/\s+MALWARE\s+\$([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;.+?\$fp\=fopen\(\$filepath\,\"w\"\)\;.+?echo\s+\"uploaded\"\;\s+\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;.+?\$fp\=fopen\(\$filename\,\"w\"\)\;.+?echo\s+\"publish\s+success\"\;\s+\?>/is,
qr/<\?php\s+array\_map\(\"ass.+?rt\"\,\(array\)\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$.+?\=urldecode\(.+?\)\;exit\(\)\;\}\}.+?\]\(\)\;\?>/is,
qr/<\?php\s+function\s+selfURL\(.+?function\s+myshellexec\(\$cmd\).+?\$proxy\_shit\=.+?c79shexit\(\)\;\s+\?>/is,
qr/<\?\s+if\s+\(isset\(\$\_POST\[\'action\'\]\).+?if\s+\(\$action\=\=\"send\"\).+?print\s+\"\-\=ok\=\-\"\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_replace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"pr\"\.\"eg\"\.\"\_r\"\.\"ep\"\.\"la\"\.\"ce\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_rep\"\.\"lace\"\;\/\*([A-z0-9]{1,20})\*\/\$\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"preg\_replace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_repl\"\.\"ace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\"\.\"\_rep\"\.\"lace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"preg\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"preg\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_replace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"preg\_r\"\.\"eplace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+if\s+\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=\'1\'\)\{echo\s+\'200\'\;\s+exit\;\}.+?if\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+if\(md5\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+class\s+\_([A-z0-9]{1,20})\{static\s+private\s+\$.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\(\)\;exit\(\)\;/is,
qr/<\?php\s+include\(\'wp\-access\-plugin\.php\'\)\;\s+\/\/Email\s+sending\s+function\s+sending\_email\(\$email\,\$id\=\'1\'\)\{.+?<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+session\_start\(\)\;.+?function\s+sanitizer\(\$check\)\{.+?function\s+validate\_email\(\$email\)\{.+?return\s+\$status\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Net\s+Scrap\s+Shop\s+v3\*\/.+?\=str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\$.+?\)\;\s+\?>/is,
qr/bgeteam\s+<\?php.+?B\s+Ge\s+Team\s+File\s+Manager.+?value\=\"upload\"\s+\/>.+?\?>\s+B\s+Ge\s+Team\s+File\s+Manager\s+Version\s+1\.0\,\s+Coded\s+By\s+lin\s+Email\:\s+null/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\?>\s+Upload\s+is\s+<b><color>WORKING.+?<\?php\s+if\s+\(\!empty\(\$\_POST\[.+?\}\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\$auth\_pass\s+\=\s+\".+?echo\s+\'changepassword\'\;.+?echo\s+\'Yeahhh\'\;.+?\*\/\s+\}\s+\?>/is,
qr/<\?php.+?Mr\.N00B\s+Mini\s+Shell.+?\$auth\_pass\s+\=.+?eval\(\$st\(\$gz\(\$st2\(\$bs\(\(\$con7ext\)\)\)\)\)\)\;/is,
qr/<\?php\s+\/\*\*\s+\*\s+Leaf.+?\$sessioncode\s+\=\s+md5\(\_\_FILE\_\_\)\;.+?Leaf\s+PHPMailer.+?\}\s+print\s+\'<\/body>\'\;\s+\?>/is,
qr/<title>Hacked\s+By\s+Dr34mCyb3r.+?<\/style>\s+<div\s+class\=\"video\-background.+?allowfullscreen><\/iframe>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'ba\'\.\'se64\_dec\'\.\'o\'\.\'d\'\.\'e\'\.\'\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\)\)\;/is,
);
my @base64_decodes = (
);
my @file_list;
my %possible_list;
my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir);
print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
print "$file<br />\n";
}
print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (keys(%possible_list)) {
print "$key => $possible_list{$key}<br />\n";
}
sub dir {
my ($start_dir) = @_;
unless (opendir(DIR, $start_dir)) {
print "Skipping directory $start_dir: $! <br />";
return;
}
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @files = grep {-T "$start_dir\/$_"} readdir(DIR);
closedir DIR;
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);
closedir DIR;
foreach my $file (sort @files) {
next if $file eq 'error_log';
next if $file eq 'tcpdf.php';
next if $file eq 'charmap.php';
next if $file eq 'main-modules.php';
next if $file eq 'wp-super-cache.php';
next if $file eq 'user-edit.php';
next if $file eq 'youtube.php';
next if $file eq 'FMModelForm_maker_fmc.php';
next if $file eq 'ninja-forms-submission.csv';
next if $file eq 'Nette.min.php';
print "Scanning $start_dir/$file... ";
unless (-r "$start_dir/$file") {
print " Skipping file, unable to read file<br />";
next
}
if ((-s "$start_dir/$file") > 1024000) {
print " Skipping file, over 1MB<br />";
next
}
my $fh;
unless (open ($fh, '<', "$start_dir/$file")) {
print " Unable to read file, $!<br />";
next
}
my $contents = do { local $/; <$fh> };
close $fh;
my ($infected, $cleaned, $possible, $known, $sig);
foreach my $pattern (@regexen) {
my $t;
if ($contents =~ /$pattern/) {
my ($d, $t) = ($1, $2);
$infected = 1;
($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);
push (@file_list, "$start_dir/$file");
}
$t = undef;
}
print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");
}
foreach my $folder (sort @folders) {
if ($folder !~ /^\.\.?$/) {
dir("$start_dir/$folder");
}
}
}
sub clean_file {
my ($file, $contents, $pattern) = @_;
my $cleaned;
if ($contents =~ /\n{4}/) {
$contents =~ s/\n\n/\n/g;
}
$contents =~ s/$pattern//g;
if ($contents =~ /$pattern/) {
$cleaned = 0;
}
else {
open (my $fh, '>', $file);
print $fh $contents;
close $fh;
$cleaned = 1;
}
return ($contents, $cleaned);
}
1;
Reference in New Issue View Git Blame Copy Permalink