Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
LP-MSH-Scanner/malware6.pl
Palma Solutions LTD 0273a8820c pattern correction
2018-12-27 12:54:33 +01:00

505 lines
80 KiB
Prolog
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/perl
use strict;
use warnings;
use CGI;
BEGIN {
$SIG{__DIE__} = sub {
my $msg = shift;
print "status: 500\n";
print "content-type: text/html\n\n";
$msg =~ s/\n/\0/g;
print "error: $msg\n";
CORE::die $msg;
}
}
$| = 1;
our $q = CGI->new;
print "Content-type: text/html\n\n";
my @regexen = (
qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\$b =base64_decode\(file_get_contents\(\$_POST\[\'b\'\]\)\);\s+\@file_put_contents\(\$index,\$b\);\s+echo \'ok\';\s+\}\s+\?>/is,
qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/is,
qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is,
qr/<?php if \(isset\(\$_GET\[\"CONFIG\"\]\)\) if \(.+?md5\(\$_GET\[\"CONFIG\"\]\)\)\{.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\]\)\)\{move_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\);return null;\} \?>/is,
qr/<\?php extract\(\$_REQUEST\) \&\& \@assert\(stripslashes\(\$([A-z0-9]{1,20})\)\) \&\& exit;/is,
qr/<\?php.+?if\(\!function_exists\(\"scandir\"\)\) \{.+?\$currentCMD = str_replace\(.+?Command completed.+?exit;\s+\?>/is,
qr/<\?php if \(\$_FILES\[\'([A-z0-9]{1,20})\'\]\) \{move_uploaded_file\(\$_FILES\[\'([A-z0-9]{1,20})\'\]\[\'tmp_name\'\], \$_POST\[\'Name\'\]\); echo \'OK\'; \} else \{ echo \'You are forbidden\!\'; \} \?>/is,
qr/<\?php if\( isset\( \$_REQUEST\[\"\w\"\] \) \) \{ system\( \$_REQUEST\[\"\w\"\] \. \" 2>\&1\" \); \}/is,
qr/<\?php.+?Hacked by Ammar The-InJx.+?return \$info;\s+\}\s+\?>/is,
qr/<\?php\s+if\(\!class_exists\(\'.+?\{\$is_bot=1;\}\$bad_file=array\(\"png.+?AND\@preg_match\(\'\/bing\|msn.+?urldecode\(.+?\\x\w\w\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\); \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"q\", \"\", \"qbaqsqeq6q4q_qdqecoqde\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"\", \$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"([A-z0-9]{1,20})\", \"\", \$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\); \$([A-z0-9]{1,20})\(\); \?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/\s+if\(md5\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\s+\=\=\=\s+\"([A-z0-9]{32})\"\)\s+\{\s+eval\(base64_decode\(\$\_POST\[\"([A-z0-9_]{1,20})\"\]\)\)\;\s+\}\s+\/\*([A-z0-9]{1,20})\*\/\s+\?>/is,
qr/<\?php.+?if \(stristr\(php_sapi_name\(\).+?404\);\} exit\(\); \?>/is,
qr/<\?php\s+if \(!isset\(\$sRetry\)\).+?\$stCurlLink = base64_decode\(.+?curl_close\(\$stCurlHandle\);.+?\?>/is,
qr/eval\(\"\?\>\" \. base64_decode\(.+?\)\); \?>/is,
qr/<\?php.+?\$alphabet =.+?exit\(\);.+?\$([A-z0-9]{1,20}) =.+?\"\"\.chr\(.+?\)\.\"\"\.chr\(.+?\)\.\"\\x.+?\]\.\$([A-z0-9]{1,20})\[\d\d\], \$([A-z0-9]{1,20}) ,\"([A-z0-9]{1,20})\"\);/is,
qr/<\? echo\(base64_decode\(.+?\)\); \?>/is,
qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
qr/<html>.+?<body>\s+<script type=\"text\/javascript\">.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+setTimeout\(([A-z0-9]{1,20})\(\),([0-9]{1,5})\);\s+\}\s+function ([A-z0-9]{1,20})\(\)\s+\{\s+([A-z0-9]{1,20}) = ([A-z0-9]{1,20})\(\);\s+([A-z0-9]{1,20}) = \[([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}).+?\}\s+<\/script>\s+<\/body>\s+<\/html>/is,
qr/<\?php \/\* get_header\(\); .+?\$wordpress_report = strrev \(.+?\@move_uploaded_file\(\$open_image_tmp,\$image_tmp\);.+?\?>/is,
qr/<\?\s+\/\/ \@\~ PRO Mailer V2.+?return stripslashes\(ltrim\(rtrim\(\$string\)\)\);.+?function SendOrMail\(\$from\) \{.+?sent successfully\'\); <\/script>\";\}\}\s+\?>/is,
qr/preg_replace\(\"\/\.\+\/e\",\"\\x65.+?\\x3B\",\"\.\"\);/is,
qr/if \(isset\(\$_GET\[\'CONFIG\'\]\)\) if \(.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\$file = \$_FILES\/\*;\*\/\[.+?touch\/\*;\*\/\(\$filename, \$time\);\s+return null;\s+\}/is,
qr/<\?php\s+\$\w = array\(.+?\);\s+\$([A-z0-9]{1,20}) = implode\(\"\", \$\w\);\s+\$([A-z0-9]{1,20}) = \"base64_decode\";\s+\$([A-z0-9]{1,20}) = \"gzuncompress\";\s+\$([A-z0-9]{1,20}) = \"str_rot13\";\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\);\s+\?>/is,
qr/<\?php echo base64_decode\(\'([A-z0-9]{1,20})\'\); if\( isset\( \$_REQUEST\[\'\w\'\] \) \) \{ system\( \$_REQUEST\[\'\w\'\] \. \' 2>\&1\' \); \}/is,
qr/<\?php\s+\/\/header\(.+?=urldecode\(.+?<spango>.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\);\?>/is,
qr/<\?php\s+if \(\$_REQUEST\[\'action\'\] ==.+?base64_decode\(\$_REQUEST\[.+?if \(mail\(stripslashes\(base64_decode\(\$.+?\} else \{echo \'not found\';\}/is,
qr/<\?php.+?\$filter = base64_decode\( \$kses_str \);.+?echo \$wp_auth_check;/is,
qr/<\?php.+?\$wp_file_descriptions = array\(.+?\$search\.\"\.\@\"\.\$wp_file_descriptions\[\'rtl\.css\'\]\);\s+\?>/is,
qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is,
qr/<\?php echo \'<div style=\"position:absolute; left:-9000px;\"><a href=\"http:\/\/.+?\">(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is,
qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode.+?curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
qr/RewriteEngine on\s+RewriteCond \%\{HTTP_USER_AGENT\} android \[NC,OR\].+?RewriteCond \%\{HTTP_USER_AGENT\} !\(windows\\\.nt\|bsd\|x11\|unix\|macos\|macintosh\|playstation\|.+?RewriteRule \^\(\.\*\)\$ http:\/\/.+?\.ru \[L,R=302\]/is,
qr/<\? function ([A-z0-9_]{1,20})\(\$\w\)\{\$\w=Array\(\'.+?\);return base64_decode\(\$\w\[\$\w\]\);\} \?><\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\].+?\)\); \?>/is,
qr/error 407<\?php system\(\$_GET\[cmd\]\); \?>/is,
qr/<\?php eval\(chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(.+?\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\); \?>/is,
qr/preg_replace\(\"\\x2f.+?\\x3d\"\);/is,
qr/<\?php\s+\@ini_set\(.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\$npDcheckClassBgp = \"([A-z0-9]{1,20})\";\s+\}\s+\?>/is,
qr/<\?php \/\* WARNING:.+?;eval\(base64_decode\(.+?\)\);return;\?>/is,
qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is,
qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
qr/<\?php.+?function writerss\(\$name,\$text\) \{ echo \"<\"\.base64_encode\(\$name\)\.\">\"\.base64_encode\(\$text\)\.\"<\/\"\.base64_encode\(\$name\)\.\">\\n\"; \}.+?<\/output><\/channel><\/rss>\";\s+\?>/is,
qr/<\?php echo base64_decode\(.+?\@include\(\"http\:\/\/.+?\); \?>/is,
qr/<\?\s+require\(\"\.\.\/includes\/configure\.php\"\);.+?echo \"WORK\";.+?mysql_close\(\$link\);\s+unlink\(\"([A-z0-9]{1,20})\.php\"\);\s+\?>/is,
qr/<\?php include\(\"http:\/\/.+?\"\); \?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
qr/<\?.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3b\",\"\.\"\);/is,
qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\"\); \?>/is,
qr/<\?php if \(isset\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\) eval\(stripslashes\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\); \?>/is,
qr/<\?php \$firewall = true; \$stew = error_reporting\(\).+?if \(\$firewall\)\{header\(\"horrible:1\"\);\} echo \"attack_queue\";\} \}/is,
qr/<\?php.+?\|\| InboX Mass Mailer \|\|.+?<script>alert\(\'Mail sending complete.+?<\/html>/is,
qr/<\?php\s+\/\/Starting.+?if \(\$surl_autofill_include and \!\$_REQUEST\[\"c99sh_surl\"\]\).+?c99shexit\(\); \?>/is,
qr/<\?php\s+\/\*\s+b374k.+?\$b374k=\@\$.+?\);\?>/is,
qr/<\?php\s+\$auth_pass.+?\$noname.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\$noname\)\)\)\)\);/is,
qr/if\(isset\(\$_REQUEST\[\'sort\'\]\)\)\{\s+\$string = \$_REQUEST\[\'sort\'\];\s+\$array_name = \'\';\s+\$alphabet =.+?strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = false.+?\$([A-z0-9_]{1,20}) = \"([A-z0-9_]{1,20})\";\$([A-z0-9_]{1,20}) = \"\";\$([A-z0-9_]{1,20}) = ([0-9]{1,20}); \?>/is,
qr/<\?php\s+\$\w\d\d=.+?if \(\!empty\(\$GLOBALS\[.+?\]\)\) \{ eval\(\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\'([A-z0-9_]{1,20})\'\]\); \} \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\(\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\]\.\$.+?\.\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\];/is,
qr/<\?php.+?EMelCo PHP WebShell.+?return \$salida;\s+\}\s+\?>/is,
qr/<\?php.+?\$shell = \'uname -a; w; id; \/bin\/sh -i\';.+?if \(\!\$daemon\) \{.+?\?>/is,
qr/<\?php.+?header\(\'WWW-Authenticate: Basic realm=\"r57shell\"\'\);.+?echo \'<\/body><\/html>\';\s+\?>/is,
qr/<\?.+?Mass Mailer.+?by KoOl.+?\?>\s+<\/span>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is,
qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is,
qr/<\?php\s+\$url = base64_decode\(\$_SERVER\[\'QUERY_STRING\'\]\);.+?\$out \.= \"Connection: Close\\r\\n\\r\\n\";.+?\?>/is,
qr/<\?php.+?if \(\!function_exists\(\'exec\'\) or ini_get\(\'safe_mode\'\)\) \{ die \(\"STOP\. No available functions\.\"\); \}\s+\$bashcheck = \'\s+echo \$\(whoami\).+?unlink\(\'([A-z0-9_]{1,20})\.php\'\);\s+\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);file_put_contents\(\"\/tmp\/.+?\"\)\); \@shell_exec\(\"perl.+?\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);if\(move_uploaded_file\(\$_FILES\[.+?<\/form>\';\?>/is,
qr/<\?php \@shell_exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php system\(\$_SERVER\[\"HTTP_SHELL\"\]\);shell_exec\(\$_SERVER\[\"HTTP_SHELL\"\]\);passthru\(\$_SERVER\[\"HTTP_SHELL\"\]\);\?>/is,
qr/<\?php echo base64_decode\(.+?\); include\(\"http:\/\/.+?\?>/is,
qr/<\?php \@include\(\"http:\/\/.+?\/r57\.v?\"\); \?>/is,
qr/<\?php \@include\(\$_GET\[\"([A-z0-9_]{1,20})\"\]\); echo \"<b>\" \. md5\(\"([A-z0-9_]{1,20})\"\) \. \"<\/b><br>Love Hack WORLD :\]\"; \?>/is,
qr/<\?php passthru\(\"wget http:\/\/.+?\?>/is,
qr/<\? \@shell_exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php \$to = \"misterxgoofy\@hotmail\.com\";\s+\$subject = \"Exploited\";.+?echo\(\"<p>Message delivery failed\.\.\.<\/p>\"\);\s+\}; \?>/is,
qr/<\?php\s+\$filecontents=\'<\?php if\(stristr\(\$_SERVER\[\\\'HTTP_USER_AGENT\\\'\],\\\'google\\\'\)\)\{.+?\$filecontents",FILE_APPEND\);.+?\?>/is,
qr/<\?php \@passthru\(\"cd \/tmp; wget http:\/\/+?\?>/is,
qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is,
qr/<\?php \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
qr/<html>.+?aDriv4 Here \^\^.+?echo \"<center>Copyright \&copy; \"\.date\(\"Y\"\)\.\".+?\?>\s+<\/html>/is,
qr/<\?php\s+error_reporting\(.+?echo \"DisablePHP=\"\.\$disable_functions; print \"\\n\";.+?\}\} \} \?>/is,
qr/GIF89a \w<\?php \@copy\(\$_FILES\[file\]\[tmp_name\], \$_FILES\[file\]\[name\]\); exit; \?>/is,
qr/<FORM ENCTYPE=\"multipart\/form-data\" METHOD=\"POST\">\s+<title>Uploader <\/title>.+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+\<\/FORM>/is,
qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/is,
qr/GIF([A-z0-9_]{1,20})\s+<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/FORM>/is,
qr/<\?php.+?W3LL M!N! SH3LL.+?\/\/ World.+?return \$info;\s+\}\s+\?>/is,
qr/<\?php.+?\$License = \"([A-z0-9_]{20,})\";.+?\$wpplugin_action = \'WPcheckInstall\';.+?header\(\'HTTP\/1\.0 404 Not Found\'\);\s+exit;/is,
qr/<\?.+?Loader\'z WEB Shell v.+?Coded by Loader and Modify By Zetha\s+<\/center><\/td>\s+<\/tr>\s+<\/table>/is,
qr/<\?php\s+echo \'\$Word\'\.\'Press !\';\s+if \(isset\(\$_POST\[\"wp\"\]\)\) \{\s+\$wp = \$_POST\[\"wp\"\];\s+if \(get_magic_quotes_gpc\(\)\) \$wp=stripslashes\(\$wp\);\s+file_put_contents\(\$_SERVER\[\"SCRIPT_FILENAME\"\],\'<\?php \'\.\$wp\.\' \?>\'\); \}\s+\?>/is,
qr/<\?php if \(isset\(\$_POST\[\"code\"\]\)\) eval\(base64_decode\(\$_POST\[\"code\"\]\)\); \?>/is,
qr/<\?php\s+echo \"\[!\]start\\n\";.+?function make_great_htaccess\(\$path\).+?echo \"\[-\] cant get the MHB client\\n\";\s+\}\s+\}/is,
qr/<\?php eval \(base64_decode \(\"aWY.+?\"\)\); \?>/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'cmd\'\]\)\) \{\s+eval\(base64_decode\(\$_REQUEST\[\'cmd\'\]\)\);\s+\}\s+\?>/is,
qr/<\?php\s+\/\* Authorization \*\/\s+\$passwordhash = \"([A-z0-9_]{20,})\";.+?if \(isset\(\$_COOKIE\[\'wp_defined\'\]\)\) \{.+?function pnotice \(\$str\) \{.+?<\?php\s+return;\s+\}\s+\?>/is,
qr/<\?php \$cookey = \"([A-z0-9_]{1,20})\"; \?>/is,
qr/<\?php\s+if \(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\) \{\s+file_put_contents\(\'([A-z0-9_]{1,20})\.php\', base64_decode\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\), LOCK_EX\);\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,10}) = \$_SERVER\[\'HTTP_USER_AGENT\'\];\s+\$keywordsRegex = \"\/([A-z0-9_]{20,})\/i\";\s+if \(preg_match\(\$keywordsRegex, \$([A-z0-9_]{1,10})\)\) \{\s+\$\w=\'bas\'\.\'e6\'\.\'4_d\'\.\'ecode\';eval\(\$\w\(.+?\)\);\s+\}\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,10})=\"ba\"\.\"se\"\.\"64_d\"\.\"ecode\";eval\(\$([A-z0-9_]{1,10})\(.+?\)\);\?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,10}) = \$_SERVER\[\'HTTP_USER_AGENT\'\];\s+\$keywordsRegex = \"\/([A-z0-9_]{20,})\/i\";\s+if \(preg_match\(\$keywordsRegex, \$([A-z0-9_]{1,10})\)\) \{.+?echo \'<\/form>\';\s+exit\(\);\s+\}\s+\?>/is,
qr/<\?php if\(!class_exists\(.+?public \$ip_list_bing=array\(\"191\.232\.\*\".+?init\(\$ruri,\$host,\$is_bot\);\} \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = str_split\(rawurldecode\(str_rot13\(\$([A-z0-9_]{1,20})\)\)\).+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\[\$([A-z0-9_]{1,20})\] \. \"\/\" \. substr\(md5\(time\(\)\).+?exit\(\);\}\}\}/is,
qr/<\?php\s+\$([Oo0_]{1,10})=.+?\$([Oo0_]{1,10})=\'\|hateyou\|\';.+?\$([Oo0_]{1,10})=urldecode\(\"\%.+?\$([Oo0_]{1,10})=\"([A-z0-9_]{20,})\";\?>/is,
qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$\{\"_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w=\/\*([A-z0-9_]{1,20})\*\/\"pr\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"la\"\.\"ce\";\$\w\(\'\/\/e\',\$\{\"_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\}/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/\$\w=\"assert\";\/\*([A-z0-9_]{1,20})\*\/\$\w=\$\w\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} \/\/([A-z0-9_]{1,20})\s+if \(!extension_loaded\(\'IonCube_loader\'\)\).+?administrator\.\'\);return 0;\s+\?>\s+([A-z0-9_]{50,})/is,
qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\} \@eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is,
qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
qr/<\?= \"\";.+?Berandal Shell.+?<form method=\"post\">\s+<input type=\"password\" name=\"pass\">\s+<\/form><\/center>/is,
qr/<\?php\s+\$to\s+= stripslashes\(\$_POST\[\"to_address\"\]\);.+?\'error : \'\.\$result;\s+\}\s+\?>/is,
qr/<\?php\s+echo \'good\';\s+echo \'<meta http-equiv=\"refresh\" content=\"0; url=http:\/\/.+?\" \/>\';\s+\?>/is,
qr/<\?php mail\(\'.+?\', \'MIME-Version: 1\.0.+?\'\);class DeleteOnExit \{function __destruct\(\)\{unlink\(__FILE__\);\}\}\$g_delete_on_exit = new DeleteOnExit\(\);echo \'good\';\?>/is,
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\)\).+?\}function randStringfrpernames\(\).+?\}return\$([A-z0-9_]{1,30});\};\s+\?>/is,
qr/<\?php ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\)\{\$([A-z0-9_]{1,20})=gzcompress\(base64_encode\(urlencode\(\$([A-z0-9_]{1,20})\)\),\d\);return urlencode\(\$([A-z0-9_]{1,20})\);\};\?>/is,
qr/<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?><\?php\s+error_reporting\(E_ALL\);\$DOMAIN_FNAME1_([A-z0-9_]{1,10})=\'\.SIc7CYwgY\';\$DOMAIN_FNAME2_([A-z0-9_]{1,10})=\'\/var\/tmp\/\.SIc7CYwgY\';if\(isset\(\$_POST\[.+?\$str=enc\(\$str\);fwrite\(\$file,\$str\);fclose\(\$file\);\}\?>\s+<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?>/is,
qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\.\"\);exit;\?>/is,
qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/\/\$url\"\);\s+echo \"<meta http-equiv=\\\"content-type\\\" content=\\\"text\/html; charset=UTF-8\\\">\\n\";\s+echo \"<html><head><meta http-equiv=\\\"refresh\\\" content=\\\"0;url=http:\/\/\$url\\\"><\/head><\/html>\";\s+\?>/is,
qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"1; url=http:\/\/.+?document\.write\(\"<img src=\'\" + l + \"\'>\"\);\s+<\/script>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+header\(\"Location: http:\/\/.+?\"\);\s+die\(\);\s+\?>/is,
qr/<\?php\s+eval \( base64_decode \(\".+?\) \); \?>\s+<!--([A-z0-9_]{20,})-->/is,
qr/<\?php.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
qr/<\?php\s+\$this->zipname = \$p_zipname.+?\$archive = new PclZip\(\"([A-z0-9_]{1,20})\.zip\"\);.+?\@unlink\(\"([A-z0-9_]{1,20})\.zip\"\);\s+die\(\"([0-9]{1,20})\"\);\s+\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) && \@\$catch\(stripslashes\(\$user\)\) && exit;.+?function ([A-z0-9_]{1,20})\(\)\{\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+return \"\{\$([A-z0-9_]{1,20})\}\{\$([A-z0-9_]{1,20})\}\";\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,20}) = basename\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/trim\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/preg_replace\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/rawurldecode\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\".+?\"\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/, \'\', __FILE__\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/\/\*([A-z0-9_]{1,20})\*\/\)\/\*([A-z0-9_]{1,20})\*\/;\$([A-z0-9_]{1,20}) =.+?%([A-z0-9_]{1,20})\Z/is,
qr/<\?php extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit;/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php\s+extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit; extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit;/is,
qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\}\?>/is,
qr/<\?php\s+\(\$([A-z0-9_]{1,20}) = \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/([A-z0-9_]{1,20})\/e\',\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$([A-z0-9_]{1,20})\)\', \'([A-z0-9_]{1,20})\'\);\s+\?>/is,
qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if \(isset\(\$\{\"_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w=\"ass\"\.\"ert\";\$\w\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\}\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\/\*([A-z0-9_]{1,20})\*\/\}\/\*([A-z0-9_]{1,20})\*\//is,
qr/<\?php if\(isset\(\$\{\"_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$\w\/\*([A-z0-9_]{1,20})\*\/=\"pre\"\.\"g_r\"\.\"epl\"\.\"ace\";\$\w\(\'\/\/e\'\,\$\{\"_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}/is,
qr/ \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\/\*([A-z0-9_]{1,20})\*\/\$\w=\"as\"\.\"se\"\.\"rt\";\/\*([A-z0-9_]{1,20})\*\/\$\w=\$\w\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/ extract\(\$_REQUEST\) && \@\$([A-z0-9_]{1,20})\(stripslashes\(\$([A-z0-9_]{1,20})\)\) && exit;/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})=\/\*([A-z0-9_]{1,20})\*\/\"preg_repl\"\.\"ace\";\/\*([A-z0-9_]{1,20})\*\/\$\w\(\'\/\/e\',\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\],\'\'\);\/\*([A-z0-9_]{1,20})\*\/exit;\}/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\$([A-z0-9_]{1,20})=\/\*([A-z0-9_]{1,20})\*\/\"ass\"\.\"ert\";\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\/\*([A-z0-9_]{1,20})\*\/\} if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/=\"asse\"\.\"rt\";\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(!empty\(\$_GET\[\'image\'\]\) && \$_GET\[\'image\'\] = \'image\'\) \{\s+if\(isset\(\$_POST\[\'Submit\'\]\)\)\{.+?\@move_uploaded_file\(\$tmp, \$path\);.+?<input type=\"Submit\" name=\"Submit\" value=\"Submit\"><\/form>\s+<\?php\s+\}\s+\}/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w\.\$\w\.\$\w;\}\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"bas\\x656\\x34\\x5fd\";\$([A-z0-9_]{1,20}) = \"\\x29\)\)\\x3B\".+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php\s+if \(\$_GET \[\'([A-z0-9_]{1,20})\'\]\) \{\s+echo \"OK\";\s+exit \(\);\s+\}\s+if\(\$_POST\[\'to\'\]\)\s+\{\s+\$to = \$_POST \[\'to\'\];.+?header \( \"Location: http:\/\/\{\$link\}\" \);\s+\}/is,
qr/<script type=\"text\/javascript\">var _0x2515=\[\"\",\"\\x.+?\\x65\"\];document\[_0x2515\[5\]\].+?\(_0x2515\[0\]\)\);<\/script>/is,
qr/var _0x2515=\[\"\",\"\\x6A\\x6F\\x69\\x6E\".+?\"\];document\[_0x2515\[5\]\].+?\(_0x2515\[0\]\)\);/is,
qr/<\?php\s+if \(!defined\(\'stream_context_create \'\)\)\s+\{\s+define\(\'stream_context_create \', 1\);.+?\$([A-z0-9_]{1,20})=\"rawurl\" \. \"decode\";return \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\);\}.+?eval\/\*([A-z0-9_]{1,20})\*\/\(([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20})\)\);\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'g\'\. \'z\'\. \'u\'\. \'n\'\. \'c\'\. \'o\'\. \'m\'\. \'p\'\. \'r\'\. \'e\'\. \'s\'\. \'s\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'i\' \.\'m\' \.\'p\' \.\'l\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'\'\.chr\(105\)\.\'\'\.chr\(109\)\.\'\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'de\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\', \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{10,})=.+?eval\(gzinflate\(base64_decode\(\$([A-z0-9_]{10,})\)\)\); \?>/is,
qr/<\?php.+?\$id = \"([A-z0-9_]{1,20})\";\s+\$slow = array\(.+?\$wp2wp=\'str_r\'\.\'ot\'\.\'1\'\.\'3\';.+?if\(isset\(\$_GET\[1\]\)\)\{\$_=\$_GET;\$_\[1\]\(\$_\[2\]\);exit;\}/is,
qr/<\?php\s+\/\/die\(\"Temporary Under Maintenance\"\);.+?if\(is_uploaded_file\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\]\)\) \{ \@copy\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\],\$_FILES\[([A-z0-9_]{1,20})\]\[name\]\); \}\};\}.+?404 Not Found<\/h1>\";\s+exit\(\);\s+\}\?>/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' \,\'se\' \,\'64\' \,\'_d\' \,\'ec\' \,\'od\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\'\, \'z\'\, \'u\'\, \'n\'\, \'c\'\, \'o\'\, \'m\'\, \'p\'\, \'r\'\, \'e\'\, \'s\'\, \'s\'\) ;\$.+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array.+? array\(\'bas\' \,\'e64\' \,\'_de\' \,\'cod\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\'\, \'nco\'\, \'mpr\'\, \'ess\'\) ;\$([A-z0-9_]{1,20}).+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php\s+if \(isset\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\)\) \{\s+eval\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\);\s+\};\s+\?>/is,
qr/<\?php.+?\*\/\$([O0o]{1,20})=urldecode\(\'\%\d\d.+?\$GLOBALS\[\'([O0o]{1,20})\'\]=\$([O0o]{1,20})\{\d\}.+?eval\(\$GLOBALS\[\'([O0o]{1,20})\'\]\(.+?([A-z0-9]{1,20})\Z/is,
qr/<\?php if\(isset\(\$_POST\[\"cod\\x65\"\]\)\)\{eval\(base64_decode\(\$_POST\[\"co\\x64e\"\]\)\);\}\s+\?>/is,
qr/<\?php if \(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\{eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\);exit;\} \?>/is,
qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"2; url=http:\/\/.+?\">\s+<\/head>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>/is,
qr/<\?php\s+\@error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); if \(count\(\$_POST\) < 2\) \{ die\(PHP_OS\.chr\(.+?preg_split\(\'\/;\/\',strtolower\(\$.+?next\(explode\(\'\@\', \$.+?return \$([A-z0-9]{1,20}); \} \?>/is,
qr/<!--visitorTracker--><\?php \@ob_start\(\);\@ini_set\(\"display_errors\",0\);\@error_reporting\(0\);echo base64_decode\(.+?\"\);\?><!--visitorTracker-->/is,
qr/<\?php\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{ \$([A-z0-9_]{1,20}) = array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\); if\(preg_match\(\'\/\' \. implode\(\'\|\', \$([A-z0-9_]{1,20})\) \. \'\/i\', \@\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\).+?\$([A-z0-9_]{1,20})\[\]=\@realpath\(\$([A-z0-9_]{1,20})\.DIRECTORY_SEPARATOR\.\$([A-z0-9_]{1,20})\)\.DIRECTORY_SEPARATOR; else continue; .+?return \$([A-z0-9_]{1,20}) ; \} \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\",([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\)\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20}); \$([A-z0-9_]{1,20})\(\"\"\); \$([A-z0-9_]{1,20})=\(([0-9_]{1,20})-([0-9_]{1,20})\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})-1; \?>/is,
qr/<\?php\s+echo \'<img src=.+?\$xSoftware = trim\(getenv\(\"SERVER_SOFTWARE\"\)\);.+?if \(function_exists\(\"posix_getpwuid\"\) && function_exists\(\"posix_getgrgid\"\)\).+?\?> ;-\) <\/div>\s+<\/div>\s+<\/body>\s+<\/html>>/is,
qr/<\? eval\(base64_decode\(\'([A-z0-9_]{1,20}).+?([A-z0-9_=]{1,20})\'\)\); \?>/is,
qr/<\?php \$([A-z]{1,3})=base64_decode\(\'([A-z0-9=]{1,20})\'\)\.\$_GET\[\'([A-z]{1,3})\'\]\.\'([A-z]{1,3})\';\@\$([A-z]{1,3})\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>([A-z0-9_]{1,20})/is,
qr/<\?php\s+\/\*\s+\* hostname\.php\s+\*\/\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\); \/\/Get User Hostname\s+\$blocked_words = array\(.+?foreach\(\$blocked_words as \$word\) \{.+?\}\s+\?>/is,
qr/<\?php\s+require_once \'hostname\.php\';\s+\$praga=rand\(\);\s+\$praga=md5\(\$praga\);\s+header\(\"location: login\.php.+?\$praga\$praga\"\);\s+\?>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?new MaskedPassword\(document\.getElementById\(.+?<\/body>\s+<\/html>/is,
qr/<\?php\s+if\(\$_POST\[.+?Apple Info.+?header \(\"Location: index\.php\"\);\s+\}\s+\?>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/sbmit\.png\"><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/apl\.gif\" alt=\"\" title=\"\" border=0 width=77 height=77><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?\s+include\(\'blocker\.php\'\);\s+\$DIR=md5\(rand\(0,100000000000\)\);.+?fwrite\(\$file,\$ip\.\" - \"\.gmdate \(\"Y-n-d\"\)\.\" \@ \"\.gmdate \(\"H:i:s\"\)\.\"\\n\"\);\s+\?>/is,
qr/<\?php\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\);\s+\$blocked_words = array\(\"above\",\"google\",\"softlayer\",\"amazonaws\",\"cyveillance\",\"phishtank\",\"dreamhost\",\"netpilot\",\"calyxinstitute\",\"tor-exit\", \"paypal\"\);.+?foreach\(\$bannedIP as \$ip\) \{\s+if\(preg_match\(\'\/\' \. \$ip \. \'\/\',\$_SERVER\[\'REMOTE_ADDR\'\]\)\)\{\s+header\(\'HTTP\/1\.0 404 Not Found\'\);.+?\'facebookexternalhit\'\) !== false\) \{ header\(\'HTTP\/1\.0 404 Not Found\'\); exit; \}\s+\?>/is,
qr/<\?php error_reporting\(0\);\$([A-z0-9_=]{1,20})=\"([A-z0-9_=]{1,20})\";eval\(base64_decode\(\"([A-z0-9_=]{1,20}).+?([A-z0-9_=]{1,20})\"\)\); \?>/is,
qr/<\?php\s+\$([A-z0-9_=]{1,3}) = \"([A-z0-9_=]{20,}).+?\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\(\"\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\'\{\$([A-z0-9_=]{1,3})\}\'\)\);\"\);\s+\?>/is,
qr/<form action=\"\" method=\"post\"><input type=\"text\" name=\"_f__f\" value=\"\"\/><input type=\"submit\" value=\"&gt;\"\/><\/form>/is,
qr/<\?php copy\(\'http:\/\/dl\.dropboxusercontent\.com\/s\/([A-z0-9_=]{1,20})\/([A-z0-9_=]{1,20})\.zip\',\'([A-z0-9_=]{1,20})\.php\'\);exit; ?>/is,
qr/<\?php error_reporting\(0\);\$\w=\"\w\";\$\w=\"([A-z0-9_=]{1,20})\";eval\(base64_decode\(.+?\)\); \?>/is,
qr/<\?php error_reporting\(0\);if\(isset\(\$_POST\[\"\w\"\]\) and isset\(\$_POST\[\"\w\"\]\)\)\{if\(isset\(\$_POST\[\"input\"\]\)\)\{\$user_auth=\"&l=\"\.base64_encode\(\$_POST\[\"\w\"\]\).+?\{print \"sys_active\"\.\`uname -a\`;\}\} \?>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\'base\'\.\(32*2\)\.\'_de\'\.\'code\';\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(str_replace\(\"\\n\", \'\', \'([A-z0-9_]{20,}).+?<form action=\"\" method=\"post\"><input type=\"text\" name=\"([A-z0-9_]{1,20})\" value=\"\"\/><input type=\"submit\" value=\"&gt;\"\/><\/form>/is,
qr/<\?php.+?\$xml = \$\w->response->asXML\(\);\s+echo base64_encode\(\$xml\);.+?\$xml_str = base64_decode\(\$str\);.+?echo \" error num: \"\.\$errno\.\' : \'\.\$errstr;\s+\}\s+\}\s+\}\s+\?>/is,
qr/\/\/([A-z0-9+\/]{500,})\Z/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20}).+?([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})\)eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\).+?([A-z0-9_]{1,20});([A-z0-9_]{1,20})\';/is,
qr/<\?php.+?\$login=\"([A-z0-9_]{1,20})\";\s+\$md=str_rot13\(\"([A-z0-9_]{1,20})\"\);\s+\$mdh = str_rot13\(\'([A-z0-9_]{1,20})\'\);\s+\$md5_pass=\"([A-z0-9]{32})\";.+?eval\(\$mdh\(\$md\(strrev\(.+?\s+\?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?exit,\$([A-z0-9_]{1,20})\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\).+?([A-z0-9_]{1,20})\)\';/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?\$([A-z0-9_]{1,20})\)\)die;eval\(\$([A-z0-9_]{1,20})\(\/\*([A-z0-9_]{1,20})\'\..+?\(([A-z0-9_]{1,20})\)\';/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?if\(!\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\),\$([A-z0-9_]{1,20})\)\)eval\(\$([A-z0-9_]{1,20})\(\$.+?\(([A-z0-9_]{1,20});([A-z0-9_]{1,20}),([A-z0-9_]{1,20})\';/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?\)eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\);.+?([A-z0-9_]{1,20})\';/is,
qr/<\?php \/\* WARNING: This file is protected by copyright law\. To reverse engineer or decode this file is strictly prohibited\. \*\/\s+\$\w=\"([A-z0-9]{20,}).+?\";eval\(base64_decode\(\".+?\"\)\);return;\?>/is,
qr/<\?php error_reporting\(0\);\$\w=\"eval\(base64_decode\(.+?\"\)\); \?>/is,
qr/<\?php if\(isset\(\$_POST\[([A-z0-9_]{1,20})\]\)\)\{passthru\(\$_POST\[([A-z0-9_]{1,20})\]\); die\(\);\} include\(\"\.\.\/includes\/configure\.php\"\); passthru\(\"mysqldump -u\"\.DB_SERVER_USERNAME\s+\. \" --password=\" \. DB_SERVER_PASSWORD \. \" --all-databases\"\); \?>/is,
qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
qr/<\?php\s+\/\/Starting calls\s+if \(!function_exists\(\"getmicrotime\"\)\).+?<\/body><\/html><\?php chdir\(\$lastdir\); N3tshexit\(\); \?>/is,
qr/<\?\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{.+?move_uploaded_file\(\$_FILES\[.+?fotTKL\(\$gaza_text,\$gaza_text1,\$dir\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' ,\'se\' ,\'64\' ,\'_d\' ,\'ec\' ,\'od\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = .+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'rrev\';\$([A-z0-9_]{1,20}) = array\(\'.+?\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/\/\*([A-z0-9]{1,6})\*\/\s+\@include \"\\([A-z0-9]{1,6})\\([A-z0-9]{1,6})\\([A-z0-9]{1,6}).+?([A-z0-9]{1,6})\\([A-z0-9]{1,6})\";\s+\/\*([A-z0-9]{1,6})\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,6})=\$_REQUEST\[\'sort\'\];\$([A-z0-9]{1,6})=\'\';\$([A-z0-9]{1,6})=\"wt8m4.+?\$([A-z0-9]{1,6})=strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);\$([A-z0-9]{1,6})=\$([A-z0-9]{1,6})\(\"\",\$([A-z0-9]{1,6})\(\$([A-z0-9]{1,6})\)\);\$([A-z0-9]{1,6})\(\);.+?\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'<b>Success_Upload!!!<\/b><br><br>\';\}else\{echo\'<b>Error<\/b><br><br>\';\}\};\};/is,
qr/<\?php \@ini_set\(\"error_log\",null\);\@ini_set\(\"log_errors\",0\);\@ini_set\(\"max_execution_time\",0\);\@set_time_limit\(0\);error_reporting\(0\).+?\)\{\}else\{file_put_contents\(\$.+?\);\}else\{([A-z0-9]{1,6})_\(\$_SERVER\[\'DOCUMENT_ROOT\'\]\);\}\}\}\}\}\}\}\};/is,
qr/<\?php \@ini_set\(\"error_log\",null\);\@ini_set\(\"log_errors\",0\);\@ini_set\(\"max_execution_time\",0\);\@set_time_limit\(0\);error_reporting\(0\).+?\)\{\}else\{file_put_contents\(\$.+?\);\}else\{([A-z0-9]{1,6})_\(\$_SERVER\[\'DOCUMENT_ROOT\'\]\);\}\}\}\}\}\}\}\};/is,
qr/<\?php\s+\@ini_set\(\"display_errors\", \"0\"\);.+?if \(!\$npDcheckClassBgp\) \{.+?\$npDcheckClassBgp = \"([A-z0-9]{1,6})\";\s+\}\s+\?>/is,
qr/<\?php\s+\/\/header\(.+?\$([O0_]{1,6})=\(.+?\\x\d\d\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\'ba\'\.\'s\'\.\'e6\'\.\'4_\'\.\'de\'\.\'code\'; \@eval\(\$([A-z0-9_]{1,20})\(.+?([A-z0-9_]{1,20})\'\)\);/is,
qr/<\?php\s+ignore_user_abort\(\);.+?system\(base64_decode\(.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
qr/<\?php for\(\$o=0,\$e=\'&\\\'\(\)\*\+,-\.:\].+?\(:\)^\',\$d=\'\';\@ord\(\$e\[\$o\]\);\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]=\$o;\}else\{\$d\.=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\); \?>/is,
qr/<\?php\s+\$ver = \'abcdefghijklmnopqrstuvwxyz\';\s+\$check = \$ver\{.+?\(\$check\(array\(\'\\n\', \';\'\).+?value=\"&amp;\"\/><\/form>/is,
qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is,
qr/\\<\?php \$([A-z0-9_]{1,20})=\"([A-z0-9_]{50,})\"; \$([A-z0-9_]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\);.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\", \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\"hd\", \"\", \$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\)\)\); \$([A-z0-9_]{1,20})\(\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \"a\" \. \"\\x73\" \. \"\" \. \"\\x73\" \. \"E\" \. \"\\x72\" \. \"t\";\@\$.+?\"\\x29\" \. \"\\x29\" \. \"\" \. \"\\x29\" \. \"\\x3b\"\);exit;/is,
qr/<\?php if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\(\$([A-z0-9_]{1,20})= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\@eval\(base64_decode\(\$_POST\[([A-z0-9_]{1,20})\]\)\);\)\', \'add\'\);\}/is,
qr/<\?php class Bx\{static private \$_alpha=\".+?break;\}return implode\(\"\",\$x\);\}\}\$Bx=new Bx\(\);\@eVaL\(\$Bx->d\(\'.+?\'\)\);/is,
qr/<title>Vuln!! patch it Now!<\/title>\s+<\?php\s+echo \'<form action=\"\".+?Shell Uploaded ! :\)<b><br><br>\'; \}\s+else \{ echo \'<b>Not uploaded ! <\/b><br><br>\'; \}\s+\}\s+\?>/is,
qr/<\? eval\(gzinflate\(strrev\(unserialize\(str_rot13\(base64_decode\(.+?\)\)\)\)\)\); \?>/is,
qr/<\?php \$ip = getenv\(\"REMOTE_ADDR\"\);.+?Link Mailer.+?mail\(\$bilsnd,\$bilsub,\$bilsmg,\$bilhead,\$message\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'trre\'\.chr\(118\)\.\'\';\$([A-z0-9_]{1,20}) = array\(.+?\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php.+?\[uname\]\"\.php_uname\(\)\.\"\[\/uname\]\".+?Go Xsender.+?<\/html>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\'base6\'\.\'4\'\.\'_d\'\.\'eco\'\.\'de\'\.\'\'; \@eval\(\$([A-z0-9_]{1,20})\(.+?\'\.\'\'\)\);/is,
qr/<\?php if\(!function_exists\(.+?\.\'\/scopbin\';clearstatcache\(\);if\(!is_dir\(\$.+?\'; eval\(.+?\)\);\?>/is,
qr/<\?php \/\*([0-9]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'aWYo.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([0-9]{1,20})\*\/ \?>/is,
qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'i\' \.\'m\' \.\'p\' \.\'l\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'e\'\.chr\(118\)\.\'\';\$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'c\'\.chr\(101\)\.\'\'\.chr\(100\)\.\'_4\'\.chr\(54\)\.\'\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'edolpmi\'\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$([A-z0-9_]{1,20}) = \'\'\.chr\(105\)\.\'\'\.chr\(109\)\.\'\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'de\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\', \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
qr/<\? session_start\(\);\?> <html> <head><title>PHP Unzipper Spammer Tn Dz Maroc ! All Arabs<\/title>.+?\} \} \} echo \"<\/div>\";\} \?> <\/body> <\/html>\s+\/\* Mister Spy \*\//is,
qr/<\?php.+?\$d0mains = \@file\(\'\/etc\/named\.conf\'\);\s+\$domains = scandir\(\"\/var\/named\"\);.+?3xp1r3 Cyber Army\";\s+echo \"<\/body><\/html>\";\s+\?>/is,
qr/<\?php \$username = \"admin\"; \$password =.+?<h3> Safe Mode Fucker <\/h3>.+?Masspass\.php Done !<\/font><\/center>\"; \} break; \} \}\}\s+\?>/is,
qr/<link rel=\'shortcut icon\' href=\'http:\/\/www\.dz-streaming\.eu\/favicon\.ico\'>.+?eval\(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65\\x28.+?\\x29\\x29\\x29\\x3B\"\);\s+\?>/is,
qr/<\?php \/\*([0-9]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([0-9]{1,20})\*\/ \?>/is,
qr/<\?php.+?Carding Argentina.+?\$wso =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$wso\)\)\)\)\)\);.+?\?>\?><\?.+?value=\"Submit\"><\/form>\';\}\}\?>/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x61j\\x76q\\x6c\\x65\\x69\\x66\"\]=\"\\x63\";if\(isset\(\$_GET\[\"a\\x62\\x63\\x311\"\]\)\)\{\$([A-z0-9_]{1,20})="\x63";\$\{\$([A-z0-9_]{1,20})\}=base64_decode\(\".+?\"\)\.\"([A-z0-9_]{1,20})\";\@\$\{\$\{\"GLOB\\x41\\x4c\\x53\"\}\[\"\\x61\\x6a\\x76\\x71l\\x65\\x69\\x66\"\]\}\(\$_POST\[\"\\x78\"\]\);exit\(\);\}\?>/is,
qr/<\?php.+?<title>pastrulo<\/title>.+?\)\);\?>\'\)\);/is,
qr/<\?php\s+\$\w=\"\\x62\";\$\w=\"\\x65\".+?eval\( \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(.+?\)\)\);\s+\?>/is,
qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\@eval\(gzinflate\(base64_decode\(\$code\)\)\);\?>/is,
qr/<\?php \@ini_set\(\'display_errors\',0\).+?CPANEL CRACKER.+?s3curity\.tn \"; \?>\s+<\?\(\@copy\(\$_FILES\[\'f\'\]\[\'tmp_name\'\], \$_FILES\[\'f\'\]\[\'name\'\]\)\);\?>/is,
qr/<html>\s+<head>\s+<title>\s+Dark Shell.+?<h1>Dark Shell<\/h1>.+?\$items = scandir \(\$file\);.+?echo \"<\/table>\\n\";\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gzun\'\. \'comp\'\. \'ress\';\$([A-z0-9_]{1,20}) = \'b\' \.\'a\' \.\'s\' \.\'e\' \.\'6\' \.\'4\' \.\'_\' \.\'d\' \.\'e\' \.\'c\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php\s+set_time_limit\(0\);\s+error_reporting\(0\);\s+\$auth_pass.+?\/\/ con7extwebshell\s+\$con7ext2 =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$con7ext2\)\)\)\)\)\);/is,
qr/<\?php.+?\$auth_pass =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$([A-z0-9_]{1,20})\)\)\)\)\)\);/is,
qr/<\? \$([A-z0-9_]{1,20})=\$_GET\[\'hamza\'\].+?\@move_uploaded_file\(\$userfile_tmp.+?value=\"Submit\"><\/form>\';\}\}\?>/is,
qr/<html>\s+<head>\s+<title>Symlink Get Config.+?echo system\(\'ls \/var\/mail\'\);.+?symlink\(\'\/var\/www\/html\/include\/connect\.php\',\'OTHER\.txt\'\);.+?\?>\s+<\/td><\/table><\/body><\/html>/is,
qr/<\?php\s+function query_str\(\$params\)\{.+?Priv8.+?sent successfully\'\); <\/script>\";\}\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php print_r\(eval\(\$_POST\[0\]\)\);/is,
qr/<\?php if\(\$_GET\[\"login\"\].+?\$([A-z0-9_]{1,20})=base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\); \@eval\(\"\\\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20});\"\);\}.+?value=\"submit\"\/><\/form>/is,
qr/<\?php\s+error_reporting\(0\);\s+if\(array_keys\(\$_GET\)\[0\] == \'([A-z0-9_]{1,20})\'\)\{\s+\$spacer_open\s+\{\$\{eval\(base64_decode\(.+?\'\)\)\}\}\{\$\{exit\(\)\}\}&\s+\$_phpinclude_output;/is,
qr/<\?php.+?\$auth_pass =.+?eval\(gzinflate\(str_rot13\(base64_decode\(.+?\)\)\)\);\s+\?>/is,
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) && \$_SERVER\[\'REQUEST_URI\'\]!=\"\/\" && \$_SERVER\[\'REQUEST_URI\'\]!=\"\/index\.php\" && !empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?;\};\s+\/\/item->alias\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'strr\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php\s+\/\*\*\s+\* Plugin Name: Login Wall.+?if \(!defined\(\'LoginWall\'\)\)\{\s+define\( \'LoginWall\',1\);.+?add_action\(\'login_form\',\'fs_login_session\'\);\s+\}/is,
qr/<\?php if\(\$_POST\[\'([A-z0-9_]{1,20})\'\]==\'\'\)\{echo\(\'->\|OK\|-<\'\);exit\(\);\}eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is,
qr/<\?php \/\*Packed BLOB icon data\. Corruption may result script execution errors\. Don\'t touch it unless you know what you are doing\.\*\/ eval\(base64_decode\(.+?\)\);\?>/is,
qr/<div class=\"product_listing_descrip\">.+?<a href=\"http\:\/\/.+?generic levitra.+?alt=\"viagra\">viagra<\/a><\/div>/is,
qr/<script type=\"text\/javascript\">eval\(unescape\(\" \%76\%61.+?\%3B\%7D \"\)\)<\/script><\/div>/is,
qr/<\?php\s+function_exists\(\'date_default_timezone\'\) \? date_default_timezone_set\(\'America\/Los_Angeles\'\) : \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\);/is,
qr/<\?PHP\s+define\(\'REAL_SERVER_ROOT\', \'SERVER\'\);.+?define\(\'SYSTEM_SKEL_DIR\', \'skel\'\) \? \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\) : define\(\'SYSTEM_SKEL_PATH\', SYSTEM_CONF_PATH \. \'\/\' \. SYSTEM_SKEL_DIR\);.+?define\(\'WORKGROUPS_META_SETTINGS_FILENAME\', \'settings\.xml\'\);\s+\?>/is,
qr/\@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\)/is,
qr/<\?php if\(\$_GET\[\'test\'\]\)\{echo \'success\';\}else\{\(\$www= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\', \'add\'\);\}/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'aWYo.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([A-z0-9_]{1,20})\*\/ \?>/is,
qr/<script type=\"text\/javascript\"><\/script><script type=\"text\/javascript\">var _0x2515=\[\"\",\"\\x6A\\x6F\\x69\\x6E\".+?\(_0x2515\[0\]\)\);<\/script>/is,
qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/\s+\@include \"\\057ho.+?ic\\157\";\s+\/\*([A-z0-9_]{1,20})\*\/\s+echo \@file_get_contents\(\'index\.html\.bak\.bak\'\);/is,
qr/<\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"H*\"\);return \$a\[\$i\];\} \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\{return isset\(\$_COOKIE\[\$([A-z0-9_]{1,20})\]\)\?\$_COOKIE\[\$([A-z0-9_]{1,20})\].+?if\(\!empty\(\$([A-z0-9_]{1,20})\)\)\{\$([A-z0-9_]{1,20})=\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[0\]\(\@\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[1\]\(.+?if\(isset\(\$([A-z0-9_]{1,20})\)\)\{\@eval\(\$([A-z0-9_]{1,20})\);exit\(\);\}\}/is,
qr/<\?php error_reporting\(0\);chmod\(basename\(\$_SERVER\[\"PHP_SELF\"\]\), 0444\);echo\(\"\#0x2525\"\);if\(isset\(\$_GET\[\"u\"\]\)\)\{echo\'<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\" name=\"uploader\" id=\"uploader\">\';echo\'<input type=\"file\" name=\"file\" size=\"30\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"><\/form>\';if\(\$_POST\[\'_upl\'\]==\"Upload\"\)\{if\(\@copy\(\$_FILES\[\'file\'\]\[\'tmp_name\'\],\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'Success\';\}else\{echo\'Fail\';\}\};\};/is,
qr/<script type=\'text\/javascript\' src=\'https:\/\/stat\.uustoughtonma\.org\/stats\.js.+?\'><\/script><script type=\'text\/javascript\' src=\'https:\/\/cdn\.allyouwant\.online\/main\.js.+?\'><\/script>/is,
qr/<script language=javascript>eval\(String\.fromCharCode\(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 53, 48, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125\)\);<\/script>/is,
qr/eval\(String\.fromCharCode\(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 53, 48, 44, 32, 52, 54, 44, 32, 53, 48, 44, 32, 52, 54, 44, 32, 53, 48, 44, 32, 52, 54, 44, 32, 53, 48, 44, 32, 52, 54, 44, 32, 53, 48, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125\)\);/is,
qr/<script language=javascript>var _0xfcc4=\[\"\\x66\\x72.+?\\x74\\x68\"\];var url=String\[_0xfcc4\[0\]\]\(104.+?\]\)\{n= false\}\};if\(n== true\)\{a\(\)\}\}<\/script>/is,
qr/var _0xfcc4=\[\"\\x66\\x72.+?\\x74\\x68\"\];var url=String\[_0xfcc4\[0\]\]\(104.+?\]\)\{n= false\}\};if\(n== true\)\{a\(\)\}\}/is,
qr/<\?php \@file_put_contents\(\'([A-z0-9_]{1,20})\'\,\'<\?php \'\.base64_decode\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\); \@include\(\'([A-z0-9_]{1,20})\'\); \@unlink\(\'([A-z0-9_]{1,20})\'\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'find \/ -type f -name \"\*\" \| xargs grep -rl \"<head\"\';\s+\$([A-z0-9_]{1,20}) = \"<script language=javascript>eval\(String\.fromCharCode\(.+?\@system\(\"chmod 777 \"\.\$([A-z0-9_]{1,20})\);\s+\@file_put_contents\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\);\s+echo \$([A-z0-9_]{1,20});\s+\}\s+\}\s+\}/is,
qr/eval\(String\.fromCharCode\(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 53, 49, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125\)\);/is,
qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$([A-z0-9_]{1,20}) =base64_decode\(strtr\(\$_POST\[\'([A-z0-9_]{1,20})\'\], \'\-\_,\', \'\+\/=\'\)\);\s+\$([A-z0-9_]{1,20})=\'<\?php \'\.\$([A-z0-9_]{1,20})\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$([A-z0-9_]{1,20})\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/ \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \".+?function ([A-z0-9_]{1,30})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"o\\x64e\",chr\(40\),\"\"\);\$.+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);\s+\?>/is,
qr/<\?php function ([A-z0-9_]{1,30})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"\\x65va\",chr\(108\),\"\"\.chr\(40\)\);\$.+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'([A-z0-9_]{1,30})\'\]\)\)\{\s+\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\],\'\-\_,\',\'\+\/=\'\)\);.+?if\(strlen\(\$\w\)<300\)\{echo \'indexcode is null\';exit;\}\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$\w\);echo \'ok\';\s+\}\s+\?>/is,
qr/\*\/ \@ini_set\(\'display_errors\',\'off\'\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'error_log\',NULL\);.+?\$not_found_report = strrev \(.+?\$not_found_page\.\'\"><\/script><\/noindex><\/nofollow>\';\} \?><\?php \/\*/is,
qr/<\?php.+?\$lyrics3size\s+= strrev\(substr\(strrev\(\$lyrics3_id3v1\), 9, 6\)\) + 6 + strlen\(\'LYRICS200\'\);.+?public function IntString2Bool\(\$char\) \{.+?\} \*\//is,
qr/<\?php\s+\/\*\*\s+\* SimplePie.+?if\(\!is_function_enabled\(\'base64_decode\'\)\)\{\$errors\.=\"I_have_problem_with_base64_decode\\t\";\$errorsforlocal\.=.+?\}\s+\} \*\//is,
qr/<\?php if\(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\)\{eval\(stripslashes\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\);exit;\}; \?>/is,
qr/\*\/\s+\@\$wordpress404=\"e\\x76.+?\$wordpress401\(\$wp\[30\]\.\$wp\[31\]\.\$wp\[27\]\.\$wp\[30\]\.\$wp\[4\],\$wordpress404,\"\"\);\s+\/\*/is,
qr/<\?php.+?if\(empty\(\$_GET\[\'ineedthispage\'\]\)\)\{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?if\(\!empty\(\$_COOKIE\[\'PHPSSIDDD2\'\]\)\)\{\$.+?\)\];\}return\$([A-z0-9_]{1,20});\};\s+\/\/item->alias\s+\?>/is,
qr/if\(isset\(\$_REQUEST\[\'bot\'\]\)\) assert\(stripslashes\(\$_REQUEST\[bot\]\)\);/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\} \$([A-z0-9_]{1,20}) =.+?\(\"at\",chr\(101\),\"\(\\x62a\"\);\$.+?\'\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php\s+class XYZ_Logger\s+\{.+?\$this->backdoorFile\(\$path\);\s+\}\s+\}\s+\$fabLicense = <<<EOF\s+<\?php \/\*.+?if \(\@\$_GET\[\'rm\'\]\) \{\s+\@unlink\(\_\_FILE\_\_\);\s+\}/is,
qr/<\?php\s+\$combatwork=\"yes\";.+?\$linkstable = \'wp_old_lcache\';.+?mysqli_close\(\$dbcon\);return\$row_count;\}\}\?>/is,
qr/<\?php\s+header\(.+?array\(\'index\.php\',\'index\.html\',\'index\.htm\',\'index\.shtml\',\'index\.html\.bak\.bak\',\'index\.html\.bak\',\'default\.htm\',\'default\.html\'\);.+?function traverse\(\$path = \'\.\'\) \{.+?return \$file_array;\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'base\' ,\'64_d\' ,\'ecod\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gz\', \'un\', \'co\', \'mp\', \'re\', \'ss\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php\s+if\(isset\(\$_GET\[\'fuck\'\]\) \&\& \$_GET\[\'fuck\'\] == \'1\'\)\{\s+\$name=\'simple\.php\';\/\/.+?unlink\(\"\.\/get\.php\"\);\s+\}else\{\s+echo \"the file is ok\.\.\.\.\";\s+\}/is,
qr/eval\(str_rot13\(\'([A-z0-9_]{1,20}) ([A-z0-9_]{1,20})\(\)\{([A-z0-9_]{1,20})\(\!\(.+?\(\);\'\)\);/is,
qr/eval\(str_rot13\(\'.+?\(\_\_SVYR\_\_\)\.\"\/.+?\}\}([A-z0-9_]{1,20})\(\);\'\)\);/is,
qr/ob_start\(\"security_update\"\); function security_update\(\$buffer\)\{return \$buffer\.base64_decode\(.+?\'\);\}/is,
qr/<\?php\s+\/\*\*\s+\* Leaf PHP Mailer by \[leafmailer\.pw\].+?\$password =.+?\$code_=\'.+?\$ccc=str_rot13\(gzinflate\(base64_decode\(\$code_\)\)\);\s+eval\(\$ccc\);\s+\?>/is,
qr/<\?php\s+error_reporting\(0\);\s+\$file=\"\.\/public_html\/error\.php\";\s+\$shellcode = \(\"<\? eval\(base64_decode\(.+?\'\)\); \?>\"\);\s+\$fopen=fopen\(\$file,\"a\+\"\);\s+\$fwrite=fwrite\(\$fopen,\$shellcode\);\s+\$fclose=fclose\(\$fopen\);\s+\?>/is,
qr/<\?php \$GLOBALS\[.+?foreach \(\$GLOBALS\[\$GLOBALS\[\'([A-z0-9_]{1,20})\'\].+?\$([A-z0-9_]{1,20}) = \@\$GLOBALS\[\$GLOBALS\[.+?elseif \(\$([A-z0-9_]{1,20})\[\$GLOBALS\[.+?eval\(\$([A-z0-9_]{1,20})\[\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\]\);\s+\}\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'g\'\. \'z\'\. \'u\'\. \'n\'\. \'c\'\. \'o\'\. \'m\'\. \'p\'\. \'r\'\. \'e\'\. \'s\'\. \'s\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(\".+?\)\)\)\); \?>/is,
qr/<\?php.+?\$default_charset=\'Wind\'\.\'o\.\'\.\'ws-12\'\.\'51\';\s+\$default_action=\'F\'\.\'il\'\.\'esMan\';\s+\$color=\'\#d\'\.\'f5\';\s+\$default_use_ajax=true;\s+\$JFactory = strrev\(\'edo\'\.\'c\'\.\'ed_4\'\.\'6e\'\.\'sab\'\);\s+\$JComponentHelper = strrev\(\'ecalp\'\.\'er\'\.\'_ge\'\.\'rp\'\);.+?\\x29\\x29\\x3B\",\"\.\"\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\', \'z\', \'u\', \'n\', \'c\', \'o\', \'m\', \'p\', \'r\', \'e\', \'s\', \'s\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php echo eval\(base64_decode\(str_replace\(\'\*\',\'a\',str_replace\(\'%\',\'B\',str_replace\(\'~\',\'F\',str_replace\(\'_\',\'z\',str_replace\(\'\$\',\'x\',str_replace\(\'\@\',\'d\',str_replace\(\'^\',\'3\',str_rot13\(.+?\)\)\)\)\)\)\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'t\'\.chr\(114\)\.\'r\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'ced_46\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$.+?\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'ev\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'edo\'\.\'ced\'\.\'_46\'\.\'esa\'\.\'b\'\);\$.+?\$([A-z0-9_]{1,20})\(\'eta\'\.\'lfn\'\.\'izg\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/\" \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/index\.php\" \&\& \!empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\.\"\\\(\/\",\"II\"\.randStringfrpernames\(\)\.\"\(\",\$.+?\};\s+\?>/is,
qr/<\?php.+?\*\/\s+\$lyrics3size=\'\'\.\'b\'\.\'\'\.\'a\'\.\'\'\.\'se\'\.\(8768\/137\)\.\'_de\'\.\'\'\.\'c\'\.\'\'\.\'ode\';\s+\$lyrics3sizeV2 = \"ass\"; \$lyrics3sizeV2 \.= \"ert\"; \@\$lyrics3sizeV2\(\$lyrics3size\(.+?\} \*\//is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php \$user_agent_to_filter = array\( \"\#Ask\\s\*Jeeves\#i\", \"\#HP\\s\*Web\\s\*PrintSmart\#i\",.+?\$result = curl_exec\(\$ch\);\s+curl_close \(\$ch\);\s+echo \$result;\}\?>/is,
qr/<script language=javascript>var _0xfcc4=\[\"\\x66.+?true\)\{a\(\)\}\}<\/script>/is,
qr/<\?php if\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\{ if\(md5\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\) === \"([A-z0-9_]{20,})\"\) \{ eval\(base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\); \}\} \?>/is,
qr/<\?php\s+set_time_limit\(300\);\s+function getRoot\(\$urlPath, \$scriptPath\) \{.+?foreach\(\$dirs as \$dir\) \{\s+\$f = \"\$dir\/index\.php\";\s+if \(is_writable\(\$f\)\) \{\s+echo \"<kuku>\$f<\/kuku>\";\s+\}\s+\}\s+\?>/is,
qr/<\?php \$a=base64_decode\(.+?\);\@eval\(\$a\); \?>/is,
qr/<\?php\s+if \(\!isset\(\$_COOKIE\[\'([A-z0-9_]{20,})\'\]\)\) \{header\(\'HTTP\/1\.0 404 Not Found\'\);exit;\} \?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'1\';\s+\$([A-z0-9_]{1,20})=base64_decode\(.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x7a\\x72\\x5f\\x7a\\x5f\\x7a\\x72\\x5f\\x7a\\x72\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \"\/.+?\";function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"o\\x64e\",chr\(40\),\"\"\);\$.+?\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php\s+\/\*\*\s+\* SAPE\.ru.+?class SAPE_base.+?function get_sape\(\) \{\s+\$ne = new SAPE_client\(\);\s+return \'<div style=\"position\:absolute;overflow\:auto;width\:0\">\'\.\$ne->return_links\(3\)\.\'<\/div>\';\s+\}/is,
qr/<\?php\s+\/\/Bksmile \*\*\(RooTTN\)\*\*.+?\@\$passwd = file_get_contents\(\'\/home\/\'\.\$user\.\'\/etc\/\'\.\$t\.\'\/shadow\'\);.+?fclose\(\$connection\);\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$testa = \$_POST\[\'veio\'\];\s+if\(\$testa \!= \"\"\) \{.+?<\?php echo \$OS = \@PHP_OS; \?><\/span><\/p><\/td>\s+<\/tr>\s+<\/table>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\s+\* webadmin\.php - a simple Web-based file manager.+?<td colspan=\"\' \. \$cols \. \'\">\' \. phrase\(\$phrase, \$args\) \. \'<\/td>\s+<\/tr>\s+\';\s+\}\s+\?>/is,
qr/<\?php\s+\@set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'send\'\]\)\)\s+\{.+?OYA PUT YOUR LETTER BEFORE YOU SPAM.+?\$voy\+\+;\s+\}\s+\?><\/DIV>\s+<\/div>\s+<\/form>/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42ALS\"\}.+?if\(SERVICEMODE\)echo\$\{\$\{\"\\x47\\x4cO\\x42\\x41\\x4cS\"\}\[\"\\x6f\\x68\\x63\\x6ar\\x72\\x70\\x62di\\x72\"\]\};echo \"<\/\\x62\\x6fd\\x79\\x3e\\n<\/html>\\n\";\$translation->End\(\)\;\s+?>/is,
qr/<\?php\s+if\(!defined\(\'_NET\'\)\)\s+\{\s+error_reporting\(0\);\s+\$NET=\'shl-ed1\';\s+define\(\'_NET\',\$NET\);.+?\$_SERVER\[\'SERVER_NAME\'\]\)\);echo \$pinj_57;exit;\}\}\}\}\s+\}\s+\/\*,\.\*\/\s+\?>/is,
qr/<\?php\s+mb_internal_encoding\(\"UTF-8\"\);\s+error_reporting\(0\);\s+\$DS=DIRECTORY_SEPARATOR;\s+if\(!isset\(\$ex_links\)\|\|!isset\(\$ex_redirect\)\).+?if\(!file_exists\(\$MYDIR\)\)\{\@mkdir\(\$MYDIR\);\}.+?\$mp_15=\$mp_15\+1;\}return \$mp_274;\} \?>/is,
qr/<\?php eval\(gzuncompress\(base64_decode\(.+?\'\)\)\);\?>/is,
qr/<html>\s+<head>.+?<title>utf<\/title>.+?touch\/\*;\*\/\(\$filename, \$time\);\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+set_time_limit\(0\);\s+error_reporting\(0\);\s+if\(get_magic_quotes_gpc\(\)\)\{\s+foreach\(\$_POST as \$key=>\$value\)\{.+?<title>404-server!!<\/title>.+?return \$info;\s+\}\s+\?>/is,
qr/<html>\s+<head>\s+<title>SH<\/title>.+?\$perm \.= \(\$mode & 00400\) \? \'r\' : \'-\';.+?print \"<\/table><\/div>\\n\";\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php error_reporting\(0\);\$ev=\$_GET\[\"ev\"\];if\(isset\(\$ev\)\&\&!empty\(\$ev\)\)\{eval\(base64_decode\(\$ev\)\);exit;\}\(\@copy\(\$_FILES\[\"file\"\]\[\"tmp_name\"\], \$_FILES\[\"file\"\]\[\"name\"\]\)\); \?>/is,
qr/<\?php\s+\@set_time_limit\(3600\);\s+\@ignore_user_abort\(1\);\s+\$xmlname =.+?return \$smuri;.+?=urldecode\(\"%6E1.+?\)\);\s+\?>/is,
qr/<\?php\s+\$password=\'([A-z0-9_]{1,20})\';\s+\$shellname=\'([A-z0-9_]{1,20})\';\s+\$myurl=null;.+?\$debuger \.= pack \(\"C\",hexdec \(substr \(\$string,\$one,2\)\)\);.+?Class_UC_key\(\"273B.+?\)\)\);\';\s+\$PHP=Create_Function\(\'\',\$filename\);\$PHP\(\);\?>/is,
qr/<\?php\s+\@ini_set\(\'output_buffering\',0\);\s+\@ini_set\(\'display_errors\', 0\);\s+\$BlackhatCode =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$BlackhatCode\)\)\)\)\)\);/is,
qr/<\?php \@ini_set\(\"error_log\",null\);\@ini_set\(\"log_errors\",0\);\@ini_set.+?unction getDirContents\(\$dir\)\{global \$file.+?file_put_contents\(\$path,base64_decode\(.+?\}else\{getDirContents\(\$_SERVER\[\'DOCUMENT_ROOT\'\]\);\}\}\}\}\}\}\}\}\};/is,
qr/<\?php error_reporting\(0\);chmod\(basename\(\$_SERVER\[\"PHP_SELF\"\]\), 0444\);echo\(\"\#0x2525\"\);if\(isset\(\$_GET\[\"u\"\]\)\)\{echo\'<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\" name=\"uploader\" id=\"uploader\">\';echo\'<input type=\"file\" name=\"file\" size=\"30\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"><\/form>\';if\(\$_POST\[\'_upl\'\]==\"Upload\"\)\{if\(\@copy\(\$_FILES\[\'file\'\]\[\'tmp_name\'\],\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'Success\';\}else\{echo\'Fail\';\}\};\};/is,
qr/<\?php\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?><\?php function.+?return \$\w\[\$\w\];\} \?>/is,
qr/\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
qr/<\?php\s+\/\/header\(\'Content-Type:text\/html; charset=utf-8\'\);.+?=base64_decode\(\".+?foreach\(\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x30\\x30\\x5f\\x4f\\x30\\x4f\\x5f\\x4f\\x5f\"\]\(\);\?>/is,
qr/<\?php\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\);\?>/is,
qr/<\?php \@error_reporting\(0\);\$.+?=array\(.+?\$payload=.+?\(\"\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x24\\x70\\x61\\x79\\x6c\\x6f\\x61\\x64\\x29\\x2c\\x30\\x29\\x29\\x29\"\);/is,
qr/<\?php\s+\/*.+?\$([A-z0-9_]{1,20}) = \"\(.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'\'\.\'o\'\.\'i\'.+?\/\*([A-z0-9_]{20,})\*\//is,
qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$is_bot=0;if\(\@preg_match\(\"\/\(googlebot\|msnbot.+?\{die\(\'suspicious request denied\'\);\}\}class Ratel\{public \$links_url=.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}.+?\@include_once\(.+?\.php\'\);/is,
qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?><\?php \/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
qr/<\?php \/\*\s+GNU GENERAL PUBLIC.+?\*\/extract\(\$_COOKIE\);\/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?>/is,
qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'.+?\$b=base64_decode\(\$html\);\s+\}\s+if\(strlen\(\$b\)<300\)\{echo \'indexcode not ok\';exit;\};\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$b\);echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php\s+\@session_start\(\);.+?\$default_use_ajax = true;\s+\$_F=__FILE__;\$_X=.+?eval\(base64_decode\(.+?\)\);\?>/is,
qr/<\?php eval\(gzinflate\(gzinflate\(base64_decode\(\".+?\"\)\)\)\); \?>/is,
qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
qr/<\?php\s+if \(isset \(\$_GET\[\'check\'\]\)\) \{\s+echo \"checked\";.+?<h1>File<\/h1>.+?echo\(\"FILE\"\);\s+\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"\w\*\"\);return \$a\[\$i\];\} \?>/is,
);
my @base64_decodes = (
);
my @file_list;
my %possible_list;
my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir);
print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
print "$file<br />\n";
}
print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (keys(%possible_list)) {
print "$key => $possible_list{$key}<br />\n";
}
sub dir {
my ($start_dir) = @_;
unless (opendir(DIR, $start_dir)) {
print "Skipping directory $start_dir: $! <br />";
return;
}
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @files = grep {-T "$start_dir\/$_"} readdir(DIR);
closedir DIR;
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);
closedir DIR;
foreach my $file (sort @files) {
next if $file eq 'error_log';
next if $file eq 'tcpdf.php';
next if $file eq 'charmap.php';
next if $file eq 'main-modules.php';
next if $file eq 'wp-super-cache.php';
next if $file eq 'user-edit.php';
next if $file eq 'youtube.php';
next if $file eq 'FMModelForm_maker_fmc.php';
next if $file eq 'menu_scan.php';
next if $file eq 'style_dynamic.php';
print "Scanning $start_dir/$file... ";
unless (-r "$start_dir/$file") {
print " Skipping file, unable to read file<br />";
next
}
if ((-s "$start_dir/$file") > 1024000) {
print " Skipping file, over 1MB<br />";
next
}
my $fh;
unless (open ($fh, '<', "$start_dir/$file")) {
print " Unable to read file, $!<br />";
next
}
my $contents = do { local $/; <$fh> };
close $fh;
my ($infected, $cleaned, $possible, $known, $sig);
foreach my $pattern (@regexen) {
my $t;
if ($contents =~ /$pattern/) {
my ($d, $t) = ($1, $2);
$infected = 1;
($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);
push (@file_list, "$start_dir/$file");
}
$t = undef;
}
print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");
}
foreach my $folder (sort @folders) {
if ($folder !~ /^\.\.?$/) {
dir("$start_dir/$folder");
}
}
}
sub clean_file {
my ($file, $contents, $pattern) = @_;
my $cleaned;
if ($contents =~ /\n{4}/) {
$contents =~ s/\n\n/\n/g;
}
$contents =~ s/$pattern//g;
if ($contents =~ /$pattern/) {
$cleaned = 0;
}
else {
open (my $fh, '>', $file);
print $fh $contents;
close $fh;
$cleaned = 1;
}
return ($contents, $cleaned);
}
1;
Reference in New Issue View Git Blame Copy Permalink