<?php
/*
|
|
[+] Malware Scanner version 2.1
|
|
[+] Patterns updated on July 18 2015 - next update in September 2015
|
|
[+] by Malin Cenusa
|
|
*/
/* let's make sure nobody uses this further */
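/* script variables */

// NOTE(review): nothing in this setup section restricts who may run the scan, and the
// "make sure nobody uses this further" comment above it is not followed by any guard in
// this listing. As written, any request that reaches this script starts an unbounded
// recursive scan and returns a report of file paths. Restrict access at the web server
// (or run it from the CLI) and remove the script once the scan is done.

$version = '2.1';
$self = basename(__FILE__);     // own file name; the scan loop uses it to skip this script

$eroot = '../';                 // scan root; a relative path, so it resolves against the current working directory
$print_infected = true;         // print files reported as INFECTED / SUSPECTED MALWARE
$print_suspected = true;        // print files reported under the lower-confidence "suspected" counter
$print_all = false;             // when true, also print a line for every file as it is checked
$recurse = 200;                 // directory depth handed to e_file::get_files()

// Lift the execution time limit and turn on full error reporting BEFORE the directory walk.
// The original did this only after get_files() had returned, so the depth-200 traversal ran
// under the default limits and any read errors during it could go unreported, which is a silent
// coverage gap for a scanner.
set_time_limit(0);
error_reporting(E_ALL);

// The report is HTML inside <pre>. The scan loop prints file paths into it without
// HTML-escaping, so treat the rendered report as untrusted when scanning a compromised tree.
print "<pre>";
print "Malware Scanner v{$version} by Malin Cenusa (malin@cenusa.me)\n\n";
print "Directory depth set to {$recurse}\n\n";

$fl = new e_file();

// File-name mask for the files to collect. The scan loop has dedicated checks for PHP open
// tags inside 'jpg' and 'jpeg' files, but the original mask never selected plain .jpg/.jpeg
// names, so those checks only saw files whose name also contained another listed extension.
// Both extensions are added here so image uploads are actually inspected.
// NOTE(review): presumably get_files() applies this as an unanchored regular expression to
// each file name; e_file is defined outside this excerpt, so confirm.
// NOTE(review): '.bb' has an unescaped dot (any character followed by "bb"). It is left
// as-is because it only widens what gets scanned; escaping it would narrow coverage.
$tree = $fl->get_files($eroot, '\.php|\.sc|.bb|\.gif|\.jpg|\.jpeg|\.js|\.htm|\.html|\.htaccess', 'standard', $recurse);

// Result counters updated by the scan loop.
$counter_infected = 0;
$counter_cleaned = 0;
$counter_suspected = 0;
$counter_error = 0;
$counter_warning = 0;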
|
|
|
|
foreach ($tree as $finfo)
|
|
{
|
|
// exclude self
|
|
if(strpos($finfo['fname'], $self) !== FALSE && realpath(__FILE__) == realpath($finfo['path'].$finfo['fname']))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
if($print_all) print "{$finfo['path']}{$finfo['fname']}....CHECKING";
|
|
$tmp = file_get_contents($finfo['path'].$finfo['fname']);
|
|
preg_match('/[^.\s]*([a-z])$/i', $finfo['fname'], $match);
|
|
|
|
if(preg_match('/[^.\s]*([a-z])$/i', $finfo['fname'], $match))
|
|
{
|
|
$ext = $match[0];
|
|
unset($match);
|
|
}
|
|
|
|
///<\?(php)?/i - short tag detection problem
|
|
if('gif' == $ext && preg_match('/<\?php/i', $tmp))
|
|
{
|
|
$counter_infected++;
|
|
//$counter_error++;
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "\n";
|
|
{
|
|
print "...INFECTED (PHP open tag inside GIF image)\n";
|
|
// print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will not be auto-deleted, you have to delete it manually if you think it's a threat!\n\n");
|
|
}
|
|
|
|
}
|
|
elseif('jpg' == $ext && preg_match('/<\?php/i', $tmp))
|
|
{
|
|
$counter_infected++;
|
|
//$counter_error++;
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "\n";
|
|
{
|
|
print "...INFECTED (PHP open tag inside JPG image)\n";
|
|
|
|
// print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will not be auto-deleted, you have to delete it manually if you think it's a threat!\n\n");
|
|
}
|
|
|
|
}
|
|
elseif('jpeg' == $ext && preg_match('/<\?php/i', $tmp))
|
|
{
|
|
$counter_infected++;
|
|
//$counter_error++;
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "\n";
|
|
{
|
|
print "...INFECTED (PHP open tag inside JPEG image)\n";
|
|
// print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will not be auto-deleted, you have to delete it manually if you think it's a threat!\n\n");
|
|
}
|
|
|
|
}
|
|
// known infection - can be auto-cleaned
|
|
elseif(preg_match('#^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n#i', $tmp, $matches))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "...INFECTED";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
|
|
// $counter_error++;
|
|
//print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will NOT BE CLEANED! Please use the shell version of this script.\n\n");
|
|
continue;
|
|
}
|
|
|
|
// just a guess - eval(base64_decode(... pattern match
|
|
elseif(preg_match('#eval(\s*)\((.*)base64_decode(\s*)\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval/base64_decode found)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
// Found inside the compromised e107 full release (class2.php)
|
|
elseif(preg_match('/\$_COOKIE\[[\'|"]access-admin[\'|"]\]/i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all)
|
|
{
|
|
print "...INFECTED (access-admin COOKIE reference)\n";
|
|
}
|
|
// print("\nERROR: {$finfo['path']}{$finfo['fname']} can't be auto-cleaned!\n\n");
|
|
$counter_infected++;
|
|
// $counter_error++;
|
|
continue;
|
|
}
|
|
|
|
/* new patterns */
|
|
elseif(preg_match('#this.form.upload_file.disabled=false#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (this.form.upload_file.disabled=false)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#function(\s*)jspw3\(d\,m\,f\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (function jspw3 (d ,m ,f))</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#a(\s*)simple(\s*)Web-based(\s*)file(\s*)manager#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (a simple Web-based file manager)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#php\_uname(\s*)\(preg_replace(\s*)\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (php_uname(preg_replace()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#function(\s*)rewrioutclbkxxx1\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (function rewrioutclbkxxx1()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#eval\(\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (eval((base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#preg_replace\(strrev\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (preg_replace(strrev()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#s=base64_decode\(str_replace\(chr\(32\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (s=base64_decode(str_replace(chr(32))</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#_GET\[base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (_GET[base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#@error_reporting\(0\)#i', $tmp))
|
|
{
|
|
if($print_suspected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_suspected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (error_reporting)</font>";
|
|
$counter_suspected++;
|
|
if($print_suspected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#eval\(base64_decode\(<(.*)POST(.*)>php#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (eval(base64_decode(<.*POST.*>php)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#==========================+(\s*)Credit.Mutuel.ReZult(\s*)+==================#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (==========================+ Credit.Mutuel.ReZult +==================)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#X-Mailer:(\s*)The(\s*)Bat\!(\s*)\(v#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (X-Mailer: The Bat! (v)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#WordPress(\s*)Inserter(\s*)Links#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (WordPress Inserter Links)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#The(\s*)Sword(\s*)Config(\s*)Fuck(\s*)Script#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (The Sword Config Fuck Script)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#@kr(\s*)=(\s*)<d0mains>;#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (@kr = <d0mains>;)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#copyto(\s*)=(\s*)explode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (copyto = explode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#d.=sprintf\(\(substr\(urlencode\(print_r\(array\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (d.=sprintf((substr(urlencode(print_r(array()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#eval\(gzinflate\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (eval(gzinflate(base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#eval\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (eval(gzinflate(str_rot13(base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Home(\s*)\|(\s*)Personal#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Bank of America | Home | Personal)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Online(\s*)Banking(\s*)\|(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Bank of America | Online Banking | Sign In to Online Banking)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Thank(\s*)you#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Bank of America | Thank you)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Wells(\s*)Fargo(\s*)Home(\s*)Page#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Wells Fargo Home Page)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Chase(\s*)Online(\s*)-(\s*)Logon#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Chase Online - Logon)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Send(\s*)Money,(\s*)Pay(\s*)Online(\s*)or(\s*)Set(\s*)Up(\s*)a(\s*)Merchant(\s*)Account(\s*)with(\s*)PayPal#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Send Money, Pay Online or Set Up a Merchant Account with PayPal)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Login(\s*)-(\s*)PayPal#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Login - PayPal)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Sign(\s*)Up(\s*)for(\s*)PayPal(\s*)-(\s*)It\'s(\s*)Free(\s*)and(\s*)Easy(\s*)to(\s*)Get(\s*)Started#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Sign Up for PayPal - It's Free and Easy to Get Started)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#My(\s*)Account(\s*)-(\s*)Telstra#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (My Account - Telstra)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#RBC(\s*)Royal(\s*)Bank(\s*)-(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (RBC Royal Bank - Sign In to Online Banking)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#RBC(\s*)Financial(\s*)Group(\s*)-(\s*)Online(\s*)Banking#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (RBC Financial Group - Online Banking)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Online(\s*)Banking(\s*)Security(\s*)and(\s*)Privacy(\s*)Guide(\s*)-(\s*)RBC(\s*)Royal(\s*)Bank#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING(Online Banking Security and Privacy Guide - RBC Royal Bank)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#~(\s*)Santander(\s*)Online(\s*)Banking(\s*)~#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (~ Santander Online Banking ~)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Santander(\s*)e-Banking(\s*)?(\s*)Logon(\s*)page#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Santander e-Banking ? Logon page)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Santander(\s*)Online(\s*)Banking#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Santander Online Banking)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#eBucks(\s*)>(\s*)Home#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (eBucks > Home)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Chase(\s*)Personal(\s*)Banking(\s*)Investments(\s*)Credit(\s*)Cards(\s*)Home(\s*)Auto(\s*)Commercial(\s*)Small(\s*)Business(\s*)Insurance#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Chase Personal Banking Investments Credit Cards Home Auto Commercial Small Business Insurance)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Yahoo!(\s*)Mail:(\s*)The(\s*)best(\s*)web-based(\s*)email!#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Yahoo! Mail: The best web-based email!)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Remax(\s*)ReZulT(\s*)By#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (Remax ReZulT By)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#ErrorDocument(\s*)404(\s*)http#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (ErrorDocument 404 http)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#ErrorDocument(\s*)500(\s*)http#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (ErrorDocument 500 http)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#ErrorDocument(\s*)403(\s*)http#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (ErrorDocument 403 http)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#%u0c0c%u0c0c#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (%u0c0c%u0c0c)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#String.fromCharCode(32)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (String.fromCharCode\(32\))</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#HTTP_REFERER(.*)msn(.*)live#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (HTTP_REFERER msn live)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#SnIpEr_SA#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (SnIpEr_SA)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#php_value(\s*)auto_append_file#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (php_value auto_append_file)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#AddType(\s*)application(\s*).jpg#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (AddType application .jpg)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#AddHandler(\s*)php5-script(\s*).jpg#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (AddHandler php5-script .jpg)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#HTTP_USER_AGENT(.*)google(.*)yahoo#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (HTTP_USER_AGENT google yahoo)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#HTTP_REFERER(.*)\*search.yahoo\*#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (HTTP_REFERER *search.yahoo*)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#Card(.*)number:#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Card number:)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
/* elseif(preg_match('#Mass(.*)Mailer#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (Mass Mailer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
} */
|
|
elseif(preg_match('#<\?php\s*eval\(\"\?>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (base64 encoded shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\;if\(aa\.indexOf\(aaa\)\=\=\=0\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED JS MALWARE(;if(aa.indexOf(aaa)===0))</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#function\s*re\(s\,n\,r\,b\,e\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED JS MALWARE (function re(s,n,r,b,e))</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#var\s*foobar\s*\=\s*unescape\;#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (var foobar = unescape;)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#auth\_pass\s*\=\s*\"(.*)\"\;\s*eval\(\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (encrypted filesman)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\@copy\(\W\_FILES\[file\]\[tmp\_name\]\,\s*\W\_FILES\[file\]\[name\]\)\;\s*exit\;\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED DEFACE SCRIPT (filecopy)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\/\/(.*)\_\=\s*\/\/system\s*file\s*do\s*not\s*delete\'\'\;\s*\/\/system\s*file\s*do\s*not\s*delete\s*\W\_\_\s*\=\s*\"(.*)\"\;\W\_\_\_\s*\=\s*\"(.*)\"\;eval\(\W\_\_\_\(\W\_\_\)\)\;#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (encrypted)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#preg\_replace\(\"\/\.\+\/esi\"\,\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (encrypted)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<script\s*language\=\"JavaScript\"\s*type\=\"text\/javascript\"><\!\-\-\s*var(.*)\;eval\(unescape\(\"(.*)\;document\.write\(u\)\;u\=\"\"\;\/\/\-\->\s*<\/script>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED JS MALWARE(eval/unescape)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*session\_start\(\)\;\s*\Wme\=\W\_SERVER\[\'PHP\_SELF\'\]\;\s*\WNameF\=\W\_REQUEST\[\'NameF\'\]\;\s*\Wnowaddress\=\'<input\s*type\=hidden\s*name\=address\s*value\=\"\'\.getcwd\(\)\.\'\">\'\;\s*\Wpass\_up\=#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT(malicious)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\@set\_time\_limit\(0\)\;\s*\@error\_reporting\(NULL\)\;\s*\@ini\_set\(\'display\_errors\'\,0\)\;\s*\@ignore\_user\_abort\(TRUE\)\;\s*if\(md5\(md5\(\W\_REQUEST\[\'(.*)\'\]\)\)\=\=\'#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT(malicious)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?PHP\s*defined\(\'\_OLD\_JEXEC\_\'\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED base64 injection script</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*if\(isset\(\W\_REQUEST\[\"(.*)\"\]\)\)\s*\{\s*eval\(base64\_decode\(\W\_REQUEST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}\s*else\s*\{\s*die\(\"404\s*Not\s*Found\"\)\;\s*\}\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED base64 injection script</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#function\_exists\(\'date\_default\_timezone\'\)\s*\?\s*date\_default\_timezone\_set\(\'America\/Los\_Angeles\'\)\s*\:\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\;#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALICIOUS SCRIPT</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?PHP\s*define\(\'REAL\_SERVER\_ROOT\'\,\s*\'SERVER\'\)\;\s*\/\/DIR(.*)define\(\'SYSTEM\_SKEL\_DIR\'\,\s*\'skel\'\)\s*\?\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\:(.*)define\(\'WORKGROUPS\_META\_SETTINGS\_FILENAME\'\,\s*\'settings.xml\'\)\;\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALICIOUS SCRIPT</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED base64 injection script</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*echo\s*\'<b>Sw\s*Bilgi<br><br>\'\.php\_uname\(\)\.\'<br><\/b>\'\;(.*)else\s*\{\s*echo\s*\'<b>Basarisiz<\/b><br><br>\'\;\s*\}\s*\}\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
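elseif (preg_match('#GIF89\;<br><br>\s*<Hmei7>\s*<\?php\s*if\s*\(\s*isset\(\W\w*\[\'versi\'\]\)\s*\)\s*\{\s*vers\(\)\;#i', $tmp))
{
    // Signature: a "GIF89;" header and an <Hmei7> marker followed by a PHP block that
    // tests isset(...['versi']) and calls vers().
    //
    // Two repairs to the pattern:
    //  - "\'s*" (a quote followed by optional "s" characters) is now "\s*", the
    //    whitespace gap used between every other token of this signature.
    //  - The original "\W\[" left no room for a variable name between the sigil and
    //    the bracket; "\w*" accepts one and still matches what the old form matched.
    //    NOTE(review): the exact variable name is not shown in this file; confirm
    //    against a sample before tightening it.
    $counter_infected++;

    // File names come from the scanned tree and may be attacker-chosen, so they are
    // HTML-escaped before being written into the report. ENT_SUBSTITUTE keeps a name
    // with invalid UTF-8 visible instead of turning it into an empty string.
    if ($print_infected) print htmlspecialchars($finfo['path'] . $finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if ($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (GIF infection)</font>";
    if ($print_infected || $print_all) print "\n";

    continue;
}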
|
|
elseif(preg_match('#<\?php\s*if\(\!empty\(\W\_FILES\[\'message\'\]\[\'name\'\]\)\s*AND\s*\(md5\(\W\_POST\[\'nick\'\]\)\s*\=\=#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (POST backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\Wis\_bot\s*\=\s*FALSE\s*;\s*\Wuser\_agent\_to\_filter\s*\=\s*array\(\s*\'\#fileuploads\#\'\)\s*\;#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#auth_pass(.*)eval\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\/\*\s*Plugin\s*Name\:\s*GSM#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALICIOUS PLUGIN</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\W(.*)array\(\"(.*)\"\)\;eval\(\"(.*)x3B\"\)\;\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#base=base64_encode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (base=base64_encode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#.rand\(100000000,9999999999\).#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (.rand(100000000,9999999999).)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
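elseif (preg_match('#__\+\+\)\)\]\.=#i', $tmp))
{
    // Signature: the literal text "__++))].=" named in the label.
    // "+" and "." are escaped so they match literally. Unescaped, "_++" is a possessive
    // quantifier that demands ")" right after the underscores, so the pattern could
    // never match the text it was written for.
    $counter_infected++;

    // File names come from the scanned tree and may be attacker-chosen, so they are
    // HTML-escaped before being written into the report. ENT_SUBSTITUTE keeps a name
    // with invalid UTF-8 visible instead of turning it into an empty string.
    if ($print_infected) print htmlspecialchars($finfo['path'] . $finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if ($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (__++))].=)</font>";
    if ($print_infected || $print_all) print "\n";

    continue;
}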
|
|
elseif(preg_match('#Fredrik N. Almroth - h.ackack.net#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Fredrik N. Almroth - h.ackack.net)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#The Sword Config Fuck Script#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (The Sword Config Fuck Script)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#4297f44b13955235245b2497399d7a93#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (4297f44b13955235245b2497399d7a93)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
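elseif (preg_match('#<\!-- provided by.\/katAK -->#i', $tmp))
{
    // Signature: the HTML comment "<!-- provided by./katAK -->" left in a file.
    $counter_infected++;

    // File names come from the scanned tree and may be attacker-chosen, so they are
    // HTML-escaped before being written into the report. ENT_SUBSTITUTE keeps a name
    // with invalid UTF-8 visible instead of turning it into an empty string.
    if ($print_infected) print htmlspecialchars($finfo['path'] . $finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // The label is written with entities: printed raw, the matched marker is itself an
    // HTML comment, so the browser would hide it and the report line would read as
    // "SUSPECTED ()".
    if ($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (&lt;!-- provided by./katAK --&gt;)</font>";
    if ($print_infected || $print_all) print "\n";

    continue;
}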
|
|
elseif(preg_match('#user_agent_to_filter#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (user_agent_to_filter)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\@unserialize\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (@unserialize(base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#file_put_contents\(__FILE__,base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (file_put_contents(__FILE__,base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#echo eval\(urldecode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (echo eval(urldecode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#echo @eval\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (echo @eval(base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#xml_str = base64_decode#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (xml_str = base64_decode)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#X-Mailer: Microsoft Office Outlook#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (X-Mailer: Microsoft Office Outlook)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#mode=show>Commands Run#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (mode=show>Commands Run)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#_SAPE_USER#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (_SAPE_USER)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#.gzuncompress\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (.gzuncompress(base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\);preg_replace\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED ();preg_replace()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\),base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (),base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#eVAl\( base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eVAl( base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED ((gzinflate(str_rot13(base64_decode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#body=stripslashes\(urldecode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (body=stripslashes(urldecode()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#REQUEST = array_merge\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (REQUEST = array_merge()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#;eval\(\(\(strlen\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (;eval(((strlen()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#viagra#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (viagra)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#levitra#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (levitra)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#male enhancement#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (male enhancement)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#propceia#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (propceia)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#xViewState\(\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (xViewState)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Fonksiyonlar#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Fonksiyonlar)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
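elseif (preg_match('#<vuln> <dork>#i', $tmp))
{
    // Signature: the literal text "<vuln> <dork>" inside a file.
    $counter_infected++;

    // File names come from the scanned tree and may be attacker-chosen, so they are
    // HTML-escaped before being written into the report. ENT_SUBSTITUTE keeps a name
    // with invalid UTF-8 visible instead of turning it into an empty string.
    if ($print_infected) print htmlspecialchars($finfo['path'] . $finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // The label is written with entities: printed raw, "<vuln>" and "<dork>" are parsed
    // as unknown HTML elements and disappear from the rendered report.
    if ($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (&lt;vuln&gt; &lt;dork&gt;)</font>";
    if ($print_infected || $print_all) print "\n";

    continue;
}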
|
|
elseif(preg_match('#Sh3llBoT#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Sh3llBoT)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Upload Your Fav Shell#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Upload Your Fav Shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Is cURL installed\? \(nst\) which curl#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Is cURL installed\? \(nst\) which curl)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Magic Include Shell ver#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Magic Include Shell ver)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#irc.securitychat.org#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (irc.securitychat.org)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#function printLogin\(\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (function printLogin\(\))</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#function GetMama\(\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (function GetMama\(\))</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#runcommand#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (AJAX runcommand)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#my @nickname = #i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (my @nickname = )</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#dosyaPath = mid\(mpat,InStrRev\(mpat#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (ASP Shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#coded by z0mbie#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (coded by z0mbie)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Php Bypass - www.shellci.biz#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Php Bypass - www.shellci.biz)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#fistik=PHVayv;#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (fistik=PHVayv;)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Dark Shell#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Dark Shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#CTT SHELL#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CTT SHELL)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\/etc\/passwd#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (/etc/passwd)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<tr><td>Chiave<\/td><td>Valore<\/td><\/tr>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cShell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#fonk_kap = get_cfg_var#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (fonk_kap = get_cfg_var)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#PHPSHELL_VERSION#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (PHPSHELL_VERSION)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Root-Access Shell#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Root-Access Shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#s101 Interamente creata da Sora101#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (s101 Interamente creata da Sora101)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#SimAttacker - Vrsion#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (SimAttacker - Vrsion)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Shell Dizini:#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Shell Dizini:)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\/etc\/syslog.conf#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/etc\/syslog.conf)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#die\(PHP_OS.chr\(49\).chr\(48\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED die\(PHP_OS.chr\(49\).chr\(48\)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#stCurlLink = base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (stCurlLink = base64_decode\()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#cookey =#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cookey =)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#cxyyt = array\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cxyyt = array\()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#.str_pad\(strtoupper\(dechex\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (.str_pad\(strtoupper\(dechex\()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#veb65c0b0 = array_keys\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (veb65c0b0 = array_keys\()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#=Array\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (=Array(base64_decode\()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#edoced_46esab#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (edoced_46esab)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\*\/base64_decode\/\*#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\*\/base64_decode\/\*)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#eval\(stripslashes\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval\(stripslashes\()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#eval\(\@gzinflate\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval\(\@gzinflate\(base64_decode\()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#eva1fYlbakBcVSir#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eva1fYlbakBcVSir)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
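elseif (preg_match('#preg_replace\(\"\/\.\*\/e\"\,\"(?:\\\\x65|e)#i', $tmp))
{
    // Signature: preg_replace("/.*/e","\x65... where the replacement is evaluated as
    // code (/e modifier) and starts with a hex-escaped "e".
    //
    // In a single-quoted PHP literal "\\x65" reaches PCRE as "\x65", which is the hex
    // escape for the letter "e", so the original pattern matched only a plain "e" and
    // missed the backslash-x65 spelling shown in the label. "\\\\x65" matches the
    // literal backslash form; the plain "e" alternative keeps every earlier match.
    $counter_infected++;

    // File names come from the scanned tree and may be attacker-chosen, so they are
    // HTML-escaped before being written into the report. ENT_SUBSTITUTE keeps a name
    // with invalid UTF-8 visible instead of turning it into an empty string.
    if ($print_infected) print htmlspecialchars($finfo['path'] . $finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if ($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (preg_replace\(\"\/\.\*\/e\"\,\"\\x65)</font>";
    if ($print_infected || $print_all) print "\n";

    continue;
}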
|
|
|
|
elseif(preg_match('#cg2bW3yV4NSpnvKX2cFAvjczD7#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cg2bW3yV4NSpnvKX2cFAvjczD7)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#Macro Hack#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Macro Hack)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#XERATUTA#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (XERATUTA)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#unserialize\(string_cpt\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unserialize\(string_cpt\(base64_decode\()</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#data.dat.gz#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (data.dat.gz)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#Scam Redirector#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Scam Redirector)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\/images\/config.db#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/images\/config.db)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\/temp\/links.db#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/temp\/links.db)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#LS0tLS0tLS0tLS0tLS0t#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (LS0tLS0tLS0tLS0tLS0t)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#BlackMail#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (BlackMail)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\{ hauguen priv\@ spammer \}#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\{ hauguen priv\@ spammer \})</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#echo \'Shell Ok \';#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (echo \'Shell Ok \';)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#Da Slake PHP MAILER#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Da Slake PHP MAILER)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#: : M A I L E R : : \$ d o m a i n - I n s i d e T e a m v#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (: : M A I L E R : : \$ d o m a i n - I n s i d e T e a m v)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\/etc\/valiases/#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/etc\/valiases/)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#numemails#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (numemails)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#PHP Mailer#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (PHP Mailer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\/etc\/named.conf#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/etc\/named.conf)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#set_index .= base64_encode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (set_index .= base64_encode\()</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval\(gzinflate\(base64_decode\(strrev\()</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#system file do not delete#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (system file do not delete)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#nslookup -type=MX#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (nslookup -type=MX)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\$copyto = explode\(\'wp-content\'\,#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (copyto = explode\()</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#default_action =(.*)default_charset =(.*)preg_replace\((/*)\,str_replace\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED FilesMan Shell</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\<\?php for\(\$o=0,\$e=#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\<\?php for\(\$o=0,\$e=)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\$felp = explode\(\$kaka#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\$felp = explode\(\$kaka)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#getdata = base64_decode\(\$datacheck\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (getdata = base64_decode\(\$datacheck\);)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#array_map\(strrev\(\"ed\".\"oced_\".\"46esab\"\),array\(str_replace\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#if \(md5\(md5\(\$\_REQUEST\[\'hhh\'\]\)\) ==#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#Upload GAGAL#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Upload GAGAL)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#Config Grabber#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Config Grabber)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#@symlink\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (@symlink\()</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#OOO000000=urldecode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (OOO000000=urldecode\()</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval \(gzinflate\(base64_decode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval \(gzinflate\(base64_decode\()</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#return rawurlencode\(rawurlencode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (return rawurlencode\(rawurlencode\()</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#=array_map\(\"ba\".\"se6\".\"4\".\"_decode\",array\(\'\',str_replace\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#d.=sprintf\(\(substr\(urlencode\(print_r\(array\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(base64_decode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzuncompress\(base64_decode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzuncompress\(str_rot13\(base64_decode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzuncompress\(base64_decode\(str_rot13\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(str_rot13\(gzinflate\(base64_decode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(str_rot13\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(strrev\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#echo\(gzinflate\(base64_decode\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#^<\?php\s*\\\$md5\s*=\s*[\"|\']\w+[\"|\'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*\?>\s*#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#libworker.so#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (libworker.so)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#by.\/katAK#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (by.\/katAK)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\)#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (crawler filter)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#<span>Make dir:<\/span>#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\}eval\(x0r\("#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#function x0r\(\$h3ll0s\)#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#<\?php\s*preg_replace\(\"#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\$security_code = \(empty\(\$_POST\[\'security_code\'\]\)\)#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\.ucwords\(str_replace\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\)\);array_multisort\(array_map\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\.rawurlencode\(strtolower\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#<\?php\s*eval \( base64_decode \(\"#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(stripslashes\(\$_POST\[codee\]\)\);"#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(pet\(\"#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#<\?php \$g___g_=\'base\'.\(32*2\).\'_de\'.\'code\';\$g___g_=\$g___g_\(str_replace\(\"\n\", \'\', \'#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\((.*)\(base64_decode\((.*)1234567890\)\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\$opt\(\"\/292\/e\",\$au,292\); die\(\);\}\}\}#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\$MailTo = base64_decode\(\$_POST\[\"mailto\"\]\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#email_polucha#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#if\(isset\(\$_REQUEST\[\'(.*)eval\((.*)\); exit\(\); \} if\(isset\(\$_REQUEST\[\'(.*)exit\(\); \}\s*\?>#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#.::\[ Phproxy \]::.#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#teksasli=unescape\(teks\);document.write\(teksasli\)#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(base64_decode\(\$jembot\)\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#eval\(base64_decode\(\$_REQUEST\[\'p64\'\]\)\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#die\(\"Restricted accoss\"\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
/* elseif(preg_match('#F(.*)i(.*)l(.*)e(.*)s(.*)m(.*)a(.*)n#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
} */
elseif(preg_match('#<\?php\s*eval\(gzinflate\(str_rot13\(base64_decode\(\'#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#phpRemoteView#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#if \(isset\(\$_POST\[\'_\'\]\) \&\& \(sha1\(base64_decode\(\$_POST\[\'_\'\]\)\^\$str\) ==#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#x47FzcyA9ICI#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#mkdir\(\'Indishell\',0777\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#Superfast Zone-H submitter#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#if\(stripos\((.*)=base64_decode\((.*)=create_function\(\"\"#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#Done ==> \$userfile_name#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#preg_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#WEB(.*)Shell#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#index.php replaced successufuly\!#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#sloboz#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\$URI = str_replace\(\"sync.php\", \$filename, \$URI\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#<\? eval\(gzuncompress\(base64_decode\(\'#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#WPcheckInstall#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#echo \"Already writed\"#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#if \(move_uploaded_file \(\$_FILES\[\"update\"\]\[\"tmp_name\"\], __FILE__\)\)#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#FilesMan#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#<\?php(.*)= array\(\'(.*)= array\(\'(.*)= array\(\'(.*)\";if \(\!function_exists\(\"#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\{eval\(base64_decode\(\$_POST\[\"#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\$uid = strtoupper\(md5\(uniqid\(time\(\)\)\)\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#Created By Spaghy#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#= strrev\(\'ed\'.\'oc\'.\'ed_4\'.\'6e\'.\'sab\'\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#= strrev\(\'eca\'.\'lper\'.\'_ge\'.\'rp\'\);#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#<\?php\s*if \(\!function_exists\(\"(.*)\"\)\)\s*\{\s*function(.*)= base64_decode\((.*)= strlen\((.*)= file_get_contents\(#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#Mestre eCoLoGy#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#PHP eMailer#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#= \"p\".\"r\".\"e\".\"g\".\"_\".\"r\".\"e\".\"p\".\"l\".\"a\".\"c\".\"e\";#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#The Devil made me do it :\)#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#echo \"Can\'t upload file:#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#<\?\/\/BREACK\/\/\?>#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#Bypass SuHosin#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
$counter_infected++;
if($print_infected || $print_all) print "\n";
continue;
}
elseif(preg_match('#\$_FILE\(stripslashes\(\$_REQUEST\[\'HOST\'\]\)\);\}#i', $tmp))
{
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#atualizar_flash_player_ver#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Made By mr.hosam#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
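elseif(preg_match('#<script>document.getElementById\(\'a22\'\+\'222\'\).style.display=\'no\'\+\'ne\'<\/script><\!-- InstanceEnd -->#i', $tmp))
{
    // Signature: an inline <script> that sets display to 'no'+'ne' on the
    // element 'a22'+'222', immediately followed by an "InstanceEnd" HTML comment.
    // Each "+" is escaped so it matches the literal JavaScript concatenation
    // operator; left unescaped it is a regex quantifier on the preceding quote,
    // and the snippet as written in this signature could never match.

    // File names come from the scanned tree, so escape them before they are
    // written into the HTML report.
    if($print_infected) print htmlspecialchars($finfo['path'].$finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
    // Counted as infected even though the label says SUSPECTED.
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    // Skip the remaining signatures for this file.
    continue;
}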
|
|
elseif(preg_match('#\$auth_pass = \"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
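elseif(preg_match('#<\?php\s*\/\*.*\/\s*eval \( base64_decode \(\"#i', $tmp))
{
    // Signature: "<?php", a "/*" comment opener, anything up to a "/", then
    // "eval ( base64_decode (" with that exact spacing.
    // The original wrote the middle part as "(.*)*", a quantifier nested in a
    // quantifier. It accepts the same text as ".*" but can backtrack
    // exponentially on a long line; when PCRE gives up, preg_match() returns
    // false and this chain treats that as "no match". The flat ".*" keeps the
    // match set and removes the nesting.
    // NOTE(review): the author probably meant the comment terminator "\*\/";
    // the looser form is kept so nothing previously detected is lost.

    // File names come from the scanned tree, so escape them before they are
    // written into the HTML report.
    if($print_infected) print htmlspecialchars($finfo['path'].$finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
    // Counted as infected even though the label says SUSPECTED.
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    // Skip the remaining signatures for this file.
    continue;
}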
|
|
elseif(preg_match('#\/usr\/bin\/host#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php preg_replace\(\"\/.\*\/e\",\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\]\}=__FUNCTION__;return\@is_object\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#eval\(\"\?>\".gzuncompress\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\$headers = \"Alibaba:#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php \@array_diff_ukey\(\@array\(\(string\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\$auth = \$filter\(\@\$_COOKIE\[\'p1\'\]\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*if \(isset\(\$_REQUEST\[\'p1\'\]\)\) \{\s*eval\(stripslashes\(\$_REQUEST\[\'p1\'\]\)\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php function(.*)=gzinflate\(base64_decode\((.*)\)\); for\(\$i=0;\$i<strlen\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\'\]=Array\(base64_decode\(\'#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php \(\$_=\@\$_GET\[2\]\).\@\$_\(\$_POST\[1\]\)\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#return stripslashes\(ltrim\(rtrim\(\$string\)\)\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#4297f44b13955235245b2497399d7a93#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php \$a=\'bas\'.\'e6\'.\'4_d\'.\'ecode\';eval\(\$a\(\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
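elseif(preg_match('#l = \"http:\/\/(.*)\" \+ r \+ \"&r=\" \+ document.referrer;\s*document.write\(\"<img src=\'\" \+ l \+ \"\'>\"\);#i', $tmp))
{
    // Signature: JavaScript that builds a URL from a host, "r" and
    // document.referrer, then document.write()s it as an <img> source.
    // The "+" operators are escaped so they match literally; unescaped, each
    // one quantified the space before it, so the pattern demanded runs of
    // spaces where the script has a "+" and could not match it.

    // File names come from the scanned tree, so escape them before they are
    // written into the HTML report.
    if($print_infected) print htmlspecialchars($finfo['path'].$finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
    // Counted as infected even though the label says SUSPECTED.
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    // Skip the remaining signatures for this file.
    continue;
}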
|
|
elseif(preg_match('#<title>(.*)PORN(.*)</title>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Login your email address below to view the document#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Google Docs Phishing)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#symlink\(\'\/home#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#local-root-exploit#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (local root)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#my \$fakeproc\s*= \"\/usr\/sbin\/httpd\";#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Server Scanner#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?\$x\d\d=\"(.*)\"; \$GLOBALS\[\'#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'(.*)\',\'\',(.*)\);(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#function\s*xViewState\(\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (function xViewState())</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
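elseif(preg_match('#<\!\-\-start\-add\-div\-content\-\->#i', $tmp))
{
    // Signature: the HTML comment marker "<!--start-add-div-content-->".

    // File names come from the scanned tree, so escape them before they are
    // written into the HTML report.
    if($print_infected) print htmlspecialchars($finfo['path'].$finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // The marker is written with entities: printed raw, the browser parses it
    // as a real HTML comment and the report shows an empty "()" as the reason.
    if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (&lt;!--start-add-div-content--&gt;)</font>";
    // Counted as infected even though the label says SUSPECTED.
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    // Skip the remaining signatures for this file.
    continue;
}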
|
|
elseif(preg_match('#<\?php\s*if\(\W_GET\[\"(.*)\"\]==\"(.*)value=\"ok\"><\/form><\?php\s*\}\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#function\s*research_plugin\(\)(.*)eval\(base64_decode\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious WP plugin)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<chr\(ord\(\Wn\)\-1\);\}\s*\@error_reporting#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Exploit\s*failed#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (local root exploit)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#for\s*i\s*in\s*\"uname\s*-a\"\s*\"mount\"\s*\"df\s*-h\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (server info grabber)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\Wdomain\s*=\s*"(.*)header\(\"Location:\s*\Wurl\"\);\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious redirect)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#move_uploaded_file\(\W_FILES\[\"file\"\]\[\"tmp_name\"\],\Wz\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#str_replace\(\"w\",\"\",\"wstrw_wrewpwlwawcwe\"\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#echo\s*\'\[vuln\]\';#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (exploit)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#echo"<font\s*color=\#FFFFFF>\[uname\]\".php_uname\(\).#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (server info grabber)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#if\(\Wresult\)\s*\{\s*echo\s*\'good\';\s*\}\s*else\s*\{\s*\'error\s*:\s*\'.\Wresult;\s*\}#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious mailer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\Wandroid\s*=\s*strpos\(\W_SERVER\[\'HTTP_USER_AGENT\'\],\"Android\"\);\s*\Wandroid_urls\s*=\s*array\s*\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious redirect)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#last\s*root\s*\(nst\)\s*last\s*root#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#online\s*encode\s*by\s*cha88.cn\!#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<title>SERVER\s*INFO<\/title>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#ZnZGZnZGZnZGZn#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#else\{\s*echo\s*\"sorry\s*file\s*didn\'t\s*chmoded\";\s*\}#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\"\];exit\(\);\}error_404\(\);function\s*is_good_ip\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\@system\(\"killall\s*-9\s*\".basename\(\"\/usr\/bin\/host\"\)\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\/\/\#\#\#==\#\#\#(.*)\/\/\#\#\#==\#\#\#\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\$r76=\"F\[<PAlDf\|\]\}#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*include\(\'(.*)\.png\'\);\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CryptoPHP)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*include\(\'(.*)\.jpg\'\);\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CryptoPHP)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*include\(\'(.*)\.gif\'\);\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CryptoPHP)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
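elseif(preg_match('#\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*\$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$#i', $tmp))
{
    // Signature: repeated $GLOBALS[...] accesses interleaved with
    // "} } return $..." and "} return $" on one line ("." does not cross
    // newlines because the pattern has no "s" modifier).
    // The "$" after the first "return" is escaped so it matches a literal
    // dollar sign. Unescaped it is the end-of-subject anchor, and since more
    // literal text is required after it, the signature could never match.

    // File names come from the scanned tree, so escape them before they are
    // written into the HTML report.
    if($print_infected) print htmlspecialchars($finfo['path'].$finfo['fname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (GLOBALS backdoor)</font>";
    // Counted as infected even though the label says SUSPECTED.
    $counter_infected++;
    if($print_infected || $print_all) print "\n";
    // Skip the remaining signatures for this file.
    continue;
}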
|
|
elseif(preg_match('#\$qV=\"stop_\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (qV stop backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\$GD_get_img\s*=\s*\"p\"\.\s*\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Wordpress malicious plugin)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\$array\s*=\s*array\(\'(.*)=\s*implode\(\"\"\,\s*\$array\)\;\$(.*)eval\(\$(.*)\)\)\)\);\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\#\!\/usr\/bin\/perl(.*)\#\s*Do\s*login\s*authentication\s*subroutine(.*)\#EOF#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Proxy opener)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\$(.*);eval\(base64_decode\(gzuncompress\(base64_decode\(\$(.*)\)\)\)\);\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php(.*)\$EmailTemporario\s*=\s*\$email\[\$i\];(.*)Safe\s*Mode:\s*<\?php\s*echo\s*\$safe_mode\s*=\s*\@ini_get\(\'safe_mode\'\);\s*\?>(.*)<\/form>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (info mailer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\@ignore_user_abort\(true\);(.*)\@eval\(\$(.*)\@realpath\(\"\"\)\.DIRECTORY_SEPARATOR(.*)404\s*Not\s*Found(.*)\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#\#\!\/usr\/bin\/perl\s*\-w\s*\'\'\=\~\(\'\(\?\{\'\.\(\'(.*)\'\)\.\'\$\/\}\)\'\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CGI shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\/\*\*(.*)\$https_in\s*=\s*\"(.*)\"\);\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<html>\s*<head>(.*)if\(is_uploaded_file(.*)move_uploaded_file(.*)\?>\s*<\/body>\s*<\/html>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell uploader)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#DK\s*Shell\s*\-#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (DK Shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\,\"(.*)\"\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#<\?php\s*\@ini_set\(\'max_execution_time\'\,0\);(.*)\}\}echo\s*\'rahui\#\'\,\$maxlen\,\'\#rahui\';\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#randomId(.*)Access\s*Denied(.*)wproPreviewHTML#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#md5\(IMAILpassword\)(.*)base64_decode#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#value=\'Ввойти\'><br><\/form><br>вы\s*не\s*авторизованы\s*<\/center>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#ping(.*)ping_host(.*)browser_strings#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (proxy)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#Help(.*)support(.*)=base64_decode\(\$create_function\(\'\$#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
elseif(preg_match('#if\(isset\(\$_COOKIE\[\'google\'\]\)\)(.*)if\(strtolower\(substr\(PHP_OS\,0\,3\)\)==\'win\'\)\s*\$#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam script)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#class\s*RSSInitEx(.*)getCMS\(\)(.*)new\s*RSSInitEx\(\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
/* added July 2015 */
|
|
elseif(preg_match('#\$this\-\>headers\s*\.=\s*\"Errors\-To\:\s*\{\$this\-\>from\}#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious mailer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#PRIV8#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#for\s*i\s*in\s*\"uname\s*\-a\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#Exploit\s*failed#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (local root)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#Suicide\(\'Windows\s*\-\s*Suicide\'\)\;\}#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Suicide shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#=\s*str\_replace\(\"w\"\,\"\"\,\"wstrw\_wrewpwlwawcwe\"\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious string replace)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\(\"x\"\,\s*\"\"\,\s*\"xbxasxex6x4x_xdexcoxde\"\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscated base64 strings)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\(\"s\"\,\"\"\,\"scsrsesatses_fsusnscstsisosn\"\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscated function create)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$i=strrev\(\"uoy yb dekcah\"\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (reversed string deface)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<font\s*color=\#FFFFFF>\[uname\]\"\.php_uname\(\)\.\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$result\s*=\s*mail\(stripslashes\(\$to\)\,\s*stripslashes\(\$subject\)\,\s*stripslashes\(\$message\)\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious mailer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$android\s*=\s*strpos\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\,\"Android\"\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (mobile redirect)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#last\s*\(all\s*users\)\s*\(nst\)\s*last\s*all#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#online\s*encode\s*by\s*cha88\.cn\!#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious encoder)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<title>Solutions\s*en\s*ligne\s*\-\s*AccèsD<\/title>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (phishing)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<title>SERVER\s*INFO<\/title>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$OUT=alfa\(\$OUT\);eval\(\$OOO0000O0\(\$OUT\)\);return;#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicous script)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$sys\s*=\s*strrev\(base64_decode\(\"bWV0U3lT\"\)\);\/\/system#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\}=\@unserialize\(base64_decode\(\$_POST\[\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\@system\(\"killall\s*\-9\s*\"\.basename\(\"\/usr\/bin\/host\"\)\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (WP bruteforcer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\@system\(\"\(crontab\s*\-l\|grep\s*\-v\s*crontab;echo;echo\s*\'\*\s*\*\s*\*\s*\*\s*\*\s*\"\.\$SCP\.\"\/1\.sh\'\)\|crontab\"\,\s*\$ret\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cron injection)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#function\s*GetWPFooterFNs\(\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (WP backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$tmp\s*=\s*\@fread\s*\(\$a\,\s*sprintf\s*\(\"\%u\"\,\s*\@filesize\s*\(\$a\)\)\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\(\"e\"\.\"va\"\.\"l\(\'#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (base64 obfuscation)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#title=\"Remote\s*Shell\">#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\/\/Obfuscation\s*provided\s*by\s*FOPO\s*-\s*Free\s*Online\s*PHP\s*Obfuscator\s*v1\.2\:#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscated - maybe malicious)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<\?php\s*\@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]\=\>1\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$file=\@\$_COOKIE\[\'Jlma3\'\];#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cookie backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$fc64=strip_tags\(str_replace\(\"\s*\"\,\"\"\,trim\(\$_GET\[\'fc\'\]\)\)\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<li><a\s*href=http\:\/\/(.*)<\/a><\/li>\s*<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam links)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#echo\s*base64_encode\(\'error\s*\:\s*\'\.\$result\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$i59\[#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$x74\[#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#if\s*\(get_magic_quotes_gpc\(\)\)\s*\{\s*\$wp=stripslashes\(\$wp\);\s*\}#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#my\s*\@dangercalls=qw\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious Perl)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<\?php\s*extract\(\$_COOKIE\);\s*\@\$F\&\&\@\$F\(\$A\,\$B\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cookie stealer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#copy\(\$_FILES\[\"upfile\"\]\[\"tmp_name\"\]\,\s*\$_FILES\[\"upfile\"\]\[\"name\"\]\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$back_connect=\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#add_action\(\'after_setup_theme\'\,\s*\'research_plugin\'\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (WP backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#document\.getElementById\(\'HideMeBetter\'\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam JS)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<\?php\s*\/\*\s*copyright\s*\*\/(.*)\/\*\s*copyright\s*\*\/ ?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#elseif\(strstr\(\$_0\,_203519383#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<div\s*style=\"position\:absolute;\s*left\:\-(.*)px;\s*top\:\-(.*)px;\"><a\s*href=\"http\:\/\/#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam links)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<\?php\s*eval\(\"\?>\"\.base64_decode\(\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$workdir\s*=\s*preg_replace\(\"\/\^www\W\.\/\"\,\s*\"\"\,\s*\$_SERVER\[\"HTTP_HOST\"\]\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam redirect)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<\?php\s*echo\s*eval\(base64_decode\(str_replace\(\'\*\'\,\'a\'\,str_replace\(\'\%\'\,\'B\'\,str_replace\(\'\~\'\,\'F\'\,str_replace\(\'\_\'\,\'z\'\,str_replace\(\'\$\'\,\'x\'\,str_replace\(\'\@\'\,\'d\'\,str_replace\(\'\^\'\,\'3\'\,str_rot13\(#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscator)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<\?php\s*if\(\@\$_COOKIE\[\'ft\'\]\)\{\$xww=\$_COOKIE\[\'ft\'\]\(\"\"\,\@\$_COOKIE\[\'st\'\]\(\@\$_COOKIE\[\'nk\'\]\)\);\$xww\(\);\}\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#function\s*Decode\(\)\{var#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (JS malware)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<\?php\s*function\s*hex2str\(\$hex\)\s*\{\s*return\s*pack\(\'H\*\'\,\s*\$hex\);\s*\}\s*if\(\$_GET\[\'xhelp\'\]\)\s*\{\s*echo\s*\"<pre>\";\s*eval\(\$_GET\[\'xhelp\'\]\);\s*\}\s*if\(\$_GET\[\'hex\'\]\)\s*\{\s*\$payload=hex2str\(\$_GET\[\'hex\'\]\);\s*echo\s*\"<pre>\";\s*system\(\$payload\);\s*\}\s*\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$z=get_option\(\"_site_transient_browser_(.*)\)\"\);\s*\$z=base64_decode\(str_rot13\(\$z\)\);\s*if\(strpos\(\$z\,\"C20F58DE\"\)\!\=\=false\)\{\s*\$_z=create_function\(\"\"\,\$z\);\s*\@\$_z\(\);\s*\}#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#Copyright7_20_127\(\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#eval\(\"\W\$x=gzin\"\.\"flate\(base\"\.\"64_de\"\.\"code\(\W\"#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$userAgents\s*=\s*array\(\"Google\"\,\s*\"Slurp\"\,\s*\"MSNBot\"\,\s*\"ia_archiver\"\,\s*\"Yandex\"\,\s*\"Rambler\"\)#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#for\(\$i=0;\s*\$i\s*<\s*strlen\(\$x\);\s*\$i\+\+\)\{\$(.*)=\"base64_decode\";return\s*\$#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#Upload Complete\!#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (insecure uploader)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\$query\s*=\s*base64_decode\(str_replace\(\'\s*\'\,\s*\'\+\'\,\s*\$_POST\[\'query\'\]\)\);#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (web proxy)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<\?php\s*\$wp__wp=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$wp__wp=\$wp__wp\(str_replace\("#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\#Coded\s*By\s*Pejvaknuse\s*Socket;#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (DDoSer)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#<\?php\s*\(\$www=\s*\$_POST\[\'yt\'\]\)\s*\&\&\s*\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s*\'add\'\);\?>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif(preg_match('#\.\"<html><head><title>404\s*Not\s*Found<\/title><\/head><body>#i', $tmp))
|
|
{
|
|
if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
|
|
if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (hide behind 404 error)</font>";
|
|
$counter_infected++;
|
|
if($print_infected || $print_all) print "\n";
|
|
continue;
|
|
}
|
|
|
|
elseif($print_all) print "...OK\n";
|
|
unset($tmp);
|
|
}
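// ---- Scan summary -------------------------------------------------------
echo "\n";
print "Files checked: ".count($tree)."\n";
// NOTE(review): every rule visible at the end of the scan loop labels its hit
// "SUSPECTED" but increments $counter_infected. Unless an earlier rule bumps
// $counter_suspected, this line reports 0 and the NOTE below never prints.
// Confirm against the full rule list.
print "Files suspected: ".$counter_suspected."\n";
print "Files infected: ".$counter_infected."\n";
//print "Files cleaned: ".$counter_cleaned."\n";
//print "Clean errors: ".$counter_error."\n";
//print "Clean warnings: ".$counter_warning."\n\n";

if($counter_suspected) print "NOTE: SUSPECTED DOESN'T MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK. \n\n";

// The scanner removes itself after one run so it is not left reachable on the
// web server, where anyone requesting it would get a listing of file paths and
// findings. A failed delete must therefore be visible to the operator rather
// than pass silently.
if (!unlink(__FILE__))
{
    print "WARNING: could not delete ".basename(__FILE__)." automatically - remove it from the server manually.\n";
}

print "</pre>";
exit;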
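/**
 * Small filesystem helper used by the scanner: lists files, lists
 * sub-directories, and removes a directory tree.
 *
 * Masks passed to these methods are regular-expression fragments that get
 * wrapped in '#' delimiters, so they must not contain an unescaped '#'.
 */
class e_file
{
    /**
     * Collect files below $path whose name matches $fmask.
     *
     * is_dir() follows symbolic links, so a symlinked directory is descended
     * into like a real one; the walk is bounded only by $recurse_level.
     *
     * @param string       $path          Directory to read; one trailing '/' is stripped.
     * @param string       $fmask         Regex fragment matched case-insensitively against
     *                                    the file name; '' accepts every file.
     * @param string|array $omit          'standard' for the built-in reject list, otherwise
     *                                    one regex fragment or an array of them
     *                                    (matched case-sensitively).
     * @param int          $recurse_level Maximum depth to descend; 0 means do not recurse.
     * @param int          $current_level Depth of this call (used by the recursion).
     *
     * @return array List of array('path' => directory with trailing '/', 'fname' => file name).
     *               Empty when the directory cannot be opened.
     */
    public function get_files($path, $fmask = '', $omit='standard', $recurse_level = 0, $current_level = 0)
    {
        $ret = array();
        if($recurse_level != 0 && $current_level > $recurse_level)
        {
            return $ret;
        }
        if(substr($path,-1) == '/')
        {
            $path = substr($path, 0, -1);
        }

        if(!$handle = opendir($path))
        {
            return $ret;
        }

        if($omit == 'standard')
        {
            $rejectArray = array('^\.$','^\.\.$','^\/$','^CVS$','thumbs\.db','.*\._$','null\.txt');
        }
        elseif(is_array($omit))
        {
            $rejectArray = $omit;
        }
        else
        {
            $rejectArray = array($omit);
        }

        while (false !== ($file = readdir($handle)))
        {
            if(is_dir($path.'/'.$file))
            {
                if($file != '.' && $file != '..' && $file != 'CVS' && $recurse_level > 0 && $current_level < $recurse_level)
                {
                    $xx = $this->get_files($path.'/'.$file, $fmask, $omit, $recurse_level, $current_level+1);
                    $ret = array_merge($ret,$xx);
                }
            }
            elseif ($fmask == '' || preg_match("#".$fmask."#i", $file))
            {
                $rejected = false;
                foreach($rejectArray as $rmask)
                {
                    if(preg_match("#".$rmask."#", $file))
                    {
                        $rejected = true;
                        break;
                    }
                }
                if(!$rejected)
                {
                    $ret[] = array(
                        'path'  => $path."/", // important: leave this slash here and update other file instead.
                        'fname' => $file,
                    );
                }
            }
        }

        // Release the handle explicitly instead of relying on it going out of scope.
        closedir($handle);
        return $ret;
    }

    /**
     * List the names of the immediate sub-directories of $path.
     *
     * @param string       $path  Directory to read; one trailing '/' is stripped.
     * @param string       $fmask Regex fragment matched case-sensitively against the
     *                            directory name; '' accepts every directory.
     * @param string|array $omit  'standard' for the built-in reject list, otherwise one
     *                            regex fragment or an array of them.
     *
     * @return array Directory names (not paths). Empty when $path cannot be opened.
     *               With a custom $omit, '.' and '..' are returned unless it rejects them.
     */
    public function get_dirs($path, $fmask = '', $omit='standard')
    {
        $ret = array();
        if(substr($path,-1) == '/')
        {
            $path = substr($path, 0, -1);
        }

        if(!$handle = opendir($path))
        {
            return $ret;
        }

        if($omit == 'standard')
        {
            $rejectArray = array(
                '^\.$',
                '^\.\.$',
                '^\/$',
                '^CVS$',
                'thumbs\.db',
                '.*\._$',
                'error_log',
                '.*\.pdf',
                '.*\.doc',
                '.*\.xls',
                '.*\.mp3',
                '.*\.mov',
                '.*\.mp4',
                '.*\.flv',
                '.*\.swf',
                '.*\.ppt',
                '.*\.log',
                '.*\.zip',
                '.*\.tar',
                '.*\.gz',
                '.*\.tar.gz',
                '.*\.rar',
                '.*\.exe',
                '.*\.7z',
                '.*\.webm',
                '.*\.txt',
                '.*\.csv',
                '.*\.svg',
                '.*\.wmv',
                '.*\.iso',
                '.*\.sql',
                '.*\.db',
                '.*\.psd',
                '.*\.eps',
                '.*\.ai');
        }
        elseif(is_array($omit))
        {
            $rejectArray = $omit;
        }
        else
        {
            $rejectArray = array($omit);
        }

        while (false !== ($file = readdir($handle)))
        {
            if(is_dir($path.'/'.$file) && ($fmask == '' || preg_match("#".$fmask."#", $file)))
            {
                $rejected = false;
                foreach($rejectArray as $rmask)
                {
                    if(preg_match("#".$rmask."#", $file))
                    {
                        $rejected = true;
                        break;
                    }
                }
                if(!$rejected)
                {
                    $ret[] = $file;
                }
            }
        }

        // Release the handle explicitly instead of relying on it going out of scope.
        closedir($handle);
        return $ret;
    }

    /**
     * Recursively delete the directory $dir and everything inside it.
     *
     * Symbolic links are removed as links and never followed, so a link that
     * points outside $dir cannot cause files outside the tree to be deleted.
     *
     * @param string $dir Directory to remove, with or without a trailing '/'.
     *
     * @return bool true when the directory was removed; false when $dir is empty,
     *              cannot be opened, or any entry could not be deleted.
     */
    public function rmtree($dir)
    {
        // An empty path would become '/' once the slash is appended below;
        // refuse it rather than start deleting from the filesystem root.
        if ((string) $dir === '')
        {
            return false;
        }
        if (substr($dir, -1) != '/')
        {
            $dir .= '/';
        }

        $handle = opendir($dir);
        if (!$handle)
        {
            return false;
        }

        // Compare against false explicitly: an entry named "0" is falsy and
        // would otherwise end the loop early, leaving the directory non-empty.
        while (false !== ($obj = readdir($handle)))
        {
            if ($obj == '.' || $obj == '..')
            {
                continue;
            }

            $entry = $dir.$obj;
            if (is_link($entry))
            {
                // Checked before is_dir(), which follows links. rmdir() is the
                // fallback for platforms where a directory link cannot be
                // unlinked - presumably Windows; confirm if that matters here.
                $removed = @unlink($entry) || @rmdir($entry);
            }
            elseif (is_dir($entry))
            {
                $removed = $this->rmtree($entry);
            }
            elseif (is_file($entry))
            {
                $removed = unlink($entry);
            }
            else
            {
                // Neither link, directory nor regular file: left in place as
                // before; the rmdir() below then fails and reports false.
                $removed = true;
            }

            if (!$removed)
            {
                closedir($handle);
                return false;
            }
        }

        closedir($handle);

        if (!@rmdir($dir))
        {
            return false;
        }
        return true;
    }
}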
?>