<?php
/* Moved to the README.md*/
// Tool metadata; $version, $released, $author and $mail are printed in the page title and heading.
$version  = 'v4.0.3';
$released = 'May/17';
$author   = 'Malin Cenusa';
$mail     = 'malin.cenusa@lunarpages.com';
// NOTE(review): $ip and $error are not referenced in the visible part of the file - confirm they are used further down.
$ip       = '84.124.94.176';
$error    = 'Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 54 bytes)';
?>
<html>
<head>
<title>..:: Global Account Maintenance Tool ::.. <?php print_r($version); ?> released <?php print_r($released); ?> - by <?php print_r($author); ?> [ <?php print_r($mail); ?> ]</title>
<link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Poiret One|Play" media="screen">
<!-- <link rel="stylesheet" type="text/css" href="css/style.css"> -->
</head>
<body>
<div id="menu">
<h3>..:: Global Account Maintenance Tool ::.. <?php print_r($version); ?> released <?php print_r($released); ?> - by <?php print_r($author); ?> [ <?php print_r($mail); ?> ]</h3>
<div align="right" ><a href="?run=remove" style="color: #000000; background-color:#00ff00; font-size: 18px;">REMOVE SCRIPT</a></div><br /><hr>
<table style="border-spacing:0; width:100%; ">
<tr>
<td width="25%">
<span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: MALWARE AUDIT ::..</span><br />
<ul>
<li><a href="?run=infection" style="color: #ff0000;">Known PHPShell Scan</a></li>
<li><a href="?run=scanme" style="color: #ff0000;">Known Malware Scan</a></li>
<li><a href="?run=checkexif" style="color: #ff0000;">Scan JPEG EXIF Data</a></li>
<li><a href="?run=iframe" style="color: #ff0000;">malicious IFRAME scan</a></li>
<li><a href="?run=checklarge" style="color: #ff0000;">Check Files With Large Lines</a></li>
<li><a href="?run=newscan" style="color: #ff0000;">Database String Scanner</a></li>
<li><a href="?run=findbot" style="color: #ff0000;">Run Findbot.PL</a></li>
<li><a href="?run=insecplug" style="color: #ff0000;">Insecure WP plugins</a></li>
<li><a href="?run=custom" style="color: #ff0000;">Custom string scanner</a></li>
</ul>
</td>
<td width="25%">
<span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: SOP ::..</span><br />
<ul>
<li><a href="?run=version" style="color: #ff0000;">Get a list of installed scripts and their versions</a></li>
<li><a href="?run=addsec" style="color: #ff0000;">Secure .htaccess and php.ini</a></li>
<li><a href="?run=securetemps" style="color: #ff0000;">Secure Temporary/Images</a></li>
<li><a href="?run=fixperms" style="color: #ff0000;">Fix File and Folder Permissions</a></li>
<li><a href="?run=pwds" style="color: #ff0000;">Check password security</a></li>
<li><a href="?run=optim" style="color: #ff0000;">MySQL DB Optimization</a></li>
<li><a href="?run=cleanupl" style="color: #ff0000;">Cleanup (error logs, .suspected, zero byte files)</a></li>
</ul>
</td>
<td width="25%">
<span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: CLEANER ::..</span><br />
<ul>
<li><a href="?run=cleanPL" style="color: #ff0000;">Clean.PL</a></li>
<li><a href="?run=cleanPHP" style="color: #ff0000;">Clean.PHP</a></li>
<li><a href="?run=cleanexif" style="color: #ff0000;">Clean EXIF</a></li>
<li><a href="?run=cleangravity" style="color: #ff0000;">Clean Gravity Forms Exploit</a></li>
</ul>
</td>
<td width="25%">
<span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: MySQL ::..</span><br />
<ul>
<li><a href="?run=prefix" style="color: #ff0000;">Change Table Prefix</a></li>
<li><a href="?run=mysqlpwd" style="color: #ff0000;">Change MySQL user password</a></li>
<li><a href="?run=changeengine" style="color: #ff0000;">Change MySQL database engine</a></li>
<li><a href="?run=repl" style="color: #ff0000;">Replace Strings (MySQL password)</a></li>
</ul>
</td>
</tr>
</table><br />
<table style="border-spacing:0; width:100%; ">
<tr>
<td width="25%">
<span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: FIND STUFF::..</span><br />
<ul>
<li><a href="?run=tmpcheck" style="color: #ff0000;">Find suspicious files in /tmp</a></li>
<li><a href="?run=symcheck" style="color: #ff0000;">Check for broken symlinks</a></li>
<li><a href="?run=findbackups" style="color: #ff0000;">Find backups</a></li>
<li><a href="?run=findsql" style="color: #ff0000;">Find SQL dumps</a></li>
<li><a href="?run=findlarge" style="color: #ff0000;">Find large files (unrelated content)</a></li>
<li><a href="?run=lastfiles" style="color: #ff0000;">Find last 500 modified files</a></li>
<li><a href="?run=findsymlinks" style="color: #ff0000;">Find Symlinks</a></li>
<li><a href="?run=findchmod" style="color: #ff0000;">Find Files &amp; Dirs With Chmod 0000</a></li>
<li><a href="?run=getsize" style="color: #ff0000;">Get Size of a directory</a></li>
</ul>
</td>
<td width="25%">
<span style="background-color:#00ff00; font-family: 'Play', Helvetica, Arial, serif; font-size: 16px; ">..:: SOP/MISC. ::..</span><br />
<ul>
<li><a href="?run=reshog" style="color: #ff0000;">WP Resource Hogs</a></li>
<li><a href="?run=reshog" style="color: #ff0000;">Database Size</a></li>
<li><a href="?run=reshog" style="color: #ff0000;">Running Processes</a></li>
<li><a href="?run=processlist" style="color: #ff0000;">Check The ProcessList</a></li>
<li><a href="?run=transfer" style="color: #ff0000;">Site Transfer</a></li>
<li><a href="?run=zencart" style="color: #ff0000;">ZenCart Concatenated</a></li>
<li><a href="?run=vulntheme" style="color: #ff0000;">Vulnerable WP themes</a></li>
</ul>
</td>
</tr>
</table>
<hr>
<div align="center">
<?php
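/* Resolve the account paths from the effective user of the PHP process. */
$processUser = posix_getpwuid(posix_geteuid());
if ($processUser === false || $processUser['name'] === '') {
    // The helpers below build find/rm/chmod commands from these paths. With an
    // empty user name they would point at /home// instead of one account, so stop here.
    exit('Unable to determine the account user - aborting.');
}
$GLOBALS["user"] = $processUser['name'];
$GLOBALS["docroot"] = '/home/'.$GLOBALS["user"].'/';
$GLOBALS["webroot"] = '/home/'.$GLOBALS["user"].'/public_html/';
// Fixed: the closing quote of the style attribute used to sit before the semicolon.
$GLOBALS["red"] = "<span style='color: #FF0000;'>";
$GLOBALS["br"] = "<br />";
$GLOBALS["span"] = "</span>";

/* Show the server and account specs without spawning a shell for each value. */
$escFlags = ENT_QUOTES;
echo "Server: ", htmlspecialchars((string) gethostname(), $escFlags);
echo " | user: ", htmlspecialchars($GLOBALS["user"], $escFlags);
echo " | location: ", htmlspecialchars((string) getcwd(), $escFlags);
if (ini_get('safe_mode')) {
    echo "<font color=\"#ff0000;\"><br />PHP is running in safe mode - functionality is limited</font>";
} else {
    echo "<font color=\"#ff0000;\"><br />PHP is not running in safe mode - script has full functionality<br /></font>";
}

/* Show the server-wide load so the operator can decide whether to run a heavy scan. */
echo "<h3><b><center><font color='#FF0000'>Check the server load below first and make sure that you do not execute any of the functions if server has high load!!!</font></center></b></h3>";
system("w | grep load");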
?>
<hr>
</div>
<span style="font-size: 15px; line-height:90%">
<?php
/**
 * Delete clutter below the web root with find + rm: PHP files in wp-content/uploads,
 * "*.php.suspected" files, zero-byte PHP files and error_log files.
 *
 * The deletions are permanent. NOTE(review): error logs and dropped PHP files are
 * useful evidence after a compromise - consider archiving them before running this.
 */
function cleanupl(){
    $root = $GLOBALS["webroot"];
    // Each job: suffix appended to the web root, then the find test that selects the files.
    $jobs = array(
        array('/*/wp-content/uploads/', '-name "*.php"'),          // PHP files in upload folders
        array('',                       '-name "*.php.suspected"'), // files renamed by the server AV
        array('',                       '-name "*.php" -size 0'),   // empty PHP files
        array('',                       '-name "error_log"'),       // error logs
    );
    foreach ($jobs as $job) {
        system('find '.$root.$job[0].' -type f '.$job[1].' -print -exec rm -rfv {} \;');
    }
}
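/**
 * Print a 24-character random password.
 *
 * Characters are drawn with random_int() when it is available, because rand() is
 * predictable and unsuitable for secrets. mt_rand() is only a fallback for old
 * runtimes that lack random_int().
 *
 * NOTE(review): the alphabet contains "<", ">" and similar characters and the result is echoed
 * without HTML escaping - confirm how the caller displays it.
 */
function passgen(){
    $caracteres = '0123456789abcdefghijklmnpqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$#@!?=%-+*.[]{}_,;:<>|';
    $ultimo = strlen($caracteres) - 1;
    $seguro = function_exists('random_int');
    $clave = '';
    for ($i = 0; $i < 24; $i++) {
        $pos = $seguro ? random_int(0, $ultimo) : mt_rand(0, $ultimo);
        $clave .= $caracteres[$pos];
    }
    echo $clave;
}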
/* function removezero(){
system("find ./ -type f -empty -print -exec rm -f {} \;");
} */
/* Empty stub: no theme check is implemented here yet.
   NOTE(review): the menu links to ?run=vulntheme, presumably dispatched to this function - confirm. */
function vulntheme(){
}
/* Stub: the only statement is commented out, so calling this does nothing. */
function clear_cache(){
// Disabled draft of a shell one-liner meant to empty "cache" directories.
//system("if [ $(find-name "cache" -maxdepth 0 -type d -empty 2>/dev/null) ]; then rm -rfv $i/*; echo "no cache dirs, or empty ones found"; fi");
}
/**
 * Remove the backdoor files left by the Gravity Forms exploit.
 *
 * Runs one find per file-name pattern below the web root, prints each match and deletes it.
 */
function cleangravity(){
    $namePatterns = array('*_input__test*', '*_input_*.php*', '*_input_*.txt*');
    foreach ($namePatterns as $namePattern) {
        system('find '.$GLOBALS["webroot"].' -type f -name "'.$namePattern.'" -print -exec rm -rf {} \;');
    }
}
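/**
 * Run the bundled findbot.pl (a modified version of Spamhaus's script) over the
 * current directory to identify left-over backdoors, and print its report.
 *
 * The report quotes file names and file content from the scanned account, which an
 * attacker may control, so it is HTML-escaped before being shown.
 */
function findbot(){
    $output = shell_exec('./findbot.pl -c ./');
    // shell_exec() yields no string when the script fails or prints nothing.
    $report = is_string($output) ? $output : '';
    echo '<pre>', htmlspecialchars($report, ENT_QUOTES | ENT_SUBSTITUTE), '</pre>';
}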
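/**
 * Secure the upload directories against execution of malicious files by dropping an
 * .htaccess that denies access to script-like extensions.
 *
 * Covers ../<x>/wp-content/uploads/ and ../<x>/<y>/wp-content/uploads/ (any existing
 * .htaccess there is replaced), plus ../wp-content/uploads/ (written only when no
 * .htaccess exists yet).
 *
 * Fixes over the previous version: the brace pattern was passed to glob() without
 * GLOB_BRACE, so it was taken literally; an undefined $dir was compared; and fopen()
 * failures went unnoticed.
 *
 * NOTE(review): the rules use Apache 2.2 syntax (Order/Deny) - confirm the servers
 * still accept it.
 */
// need to change this to PHP: https://gist.github.com/PalmaSolutions/3b5d2b69ac020c87ce53942785e39127
function securetemps(){
    $htdata = '
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>
';
    // Two plain patterns replace "../{**/*,*}/wp-content/uploads/": braces need
    // GLOB_BRACE, and "**" is not recursive in glob().
    $uploadDirs = array();
    foreach (array('../*/*/wp-content/uploads/', '../*/wp-content/uploads/') as $pattern) {
        $hits = glob($pattern);
        if (is_array($hits)) {
            $uploadDirs = array_merge($uploadDirs, $hits);
        }
    }
    foreach ($uploadDirs as $dirname) {
        if (file_put_contents($dirname."/.htaccess", $htdata) === false) {
            echo 'could not write ', htmlspecialchars($dirname, ENT_QUOTES), '/.htaccess<br />';
        }
    }
    // patch for document root: only add the file when none is there yet
    $rootUploads = "../wp-content/uploads";
    if (is_dir($rootUploads) && !file_exists($rootUploads."/.htaccess")) {
        if (file_put_contents($rootUploads."/.htaccess", $htdata) === false) {
            echo 'could not write ', $rootUploads, '/.htaccess<br />';
        }
    }
    /* Joomla /images may cause a ton of false positive patches so we'll research this further;
       the earlier shell loops for */tmp and */images stay disabled. */
}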
/* Vulnerability check
$output = shell_exec('find ./ -type f -name "*.php" -print -exec grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" --color {} \;');
echo "<pre>$output</pre>"; */
/* let's scan and clean cryptoPHP - moved to the main scanner - needs testing
function cryptophp(){
echo "Scanning for cryptoPHP in social.png files\n";
system("find ../ -type f -iname \"social*.png\" -exec grep -E -o 'php.{0,80}' {} \; -print");
echo "\nScanning for cryptoPHP in all PNG files\n";
system("find ../ -type f -iname '*.png' -print0 | xargs -0 file | grep \"PHP script\"");
}
*/
/* Run the malware scanner by including scan.php once (path is relative: "./"). */
function scanme(){
    require_once './scan.php';
}
/* Run the PHP cleaner by including clean.php once (path is relative: "./"). */
function cleanPHP(){
    require_once './clean.php';
}
/* Run the Perl cleaner: executes ./malware.pl and passes its output through. */
function cleanPL(){
    $script = './malware.pl';
    system($script);
}
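/**
 * EXIF scanner: walk the web root and dump the EXIF data of every jpg/jpeg/png/tiff file.
 *
 * The dump is HTML-escaped. EXIF fields are attacker-controlled on a compromised
 * site; echoed raw, markup or "<?php" payloads in them would be interpreted or hidden by
 * the browser instead of being shown to the analyst.
 */
function checkexif(){
    // cleanexif() defines the same constant; guard so calling both does not raise a notice.
    if (!defined('IMAGEPATH')) {
        define('IMAGEPATH', $GLOBALS["webroot"]);
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE; // ENT_SUBSTITUTE keeps binary EXIF bytes from blanking the output
    $directory = new RecursiveDirectoryIterator(IMAGEPATH);
    $iterator = new RecursiveIteratorIterator($directory);
    $matches = new RegexIterator($iterator, '/^.+\.(jpg|jpeg|png|tiff)$/i', RecursiveRegexIterator::GET_MATCH);
    foreach ($matches as $match) {
        $exif = exif_read_data($match[0], 0, 'EXIF');
        echo '<pre>', htmlspecialchars($match[0], $flags), "\n", htmlspecialchars(print_r($exif, true), $flags), '</pre>';
    }
}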
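/**
 * Insecure Plugins: print every directory below the web root whose name matches one
 * of the listed plugin slugs.
 *
 * Each slug is passed to find as a quoted argument. The wildcard in "research-plugin*"
 * used to be unquoted, so the shell could expand it against the current directory
 * before find saw it.
 */
function insecplug(){
    $plugins_list = array(
        "complete-gallery-manager",
        "wp-phpmyadmin",
        "1-flash-gallery",
        "category-list-portfolio-page",
        "disclosure-policy-plugin",
        "dp-thumbnail",
        "ip-logger",
        "is-human",
        "jquery-slider-for-featured-content",
        "kish-guest-posting",
        "lisl-last-image-slider",
        "really-easy-slider",
        "rent-a-car",
        "vk-gallery",
        "wordpress-news-ticker-plugin",
        "wp-marketplace",
        "adminer",
        "file-commander",
        "portable-phpmyadmin",
        "toolspack",
        "ToolsPack",
        "revslider",
        "research-plugin*"
    );
    $root = escapeshellarg($GLOBALS["webroot"]);
    foreach ($plugins_list as $plugin) {
        system('find '.$root.' -type d -name '.escapeshellarg($plugin).' -print');
    }
}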
/**
 * Resource Hog Plugins: print every directory below the web root that is named like
 * one of the plugins listed here (one find run per name).
 */
function reshog(){
    $plugin_list = array(
        "broken-link-checker",
        "myreviewplugin",
        "linkman",
        "fuzzy-seo-booster",
        "wp-postviews",
        "wordfence",
        "tweet-blender",
        "dynamic-related-posts",
        "yet-another-related-posts-plugin",
        "similar-posts",
        "contextual-related-posts",
        "yet-another-featured-posts-plugin",
        "wponlinebackup",
        "wpengine-snapshot",
        "wpengine-migrate",
        "wp-symposium-alerts",
        "wp-slimstat",
        "wp-missed-schedule",
        "wordpress-gzip-compression",
        "wp-cache",
        "wp-database-optimizer",
        "wp-db-backup",
        "wp-dbmanager",
        "wp-engine-snapshot",
        "wp-file-cache",
        "wp-mailinglist",
        "async-google-analytics",
        "backup-scheduler",
        "backupwordpress",
        "backwpup",
        "duplicator",
        "ewww-image-optimizer",
        "ezpz-one-click-backup",
        "google-xml-sitemaps-with-multisite-support",
        "jr-referrer",
        "missed-schedule",
        "no-revisions",
        "ozh-who-sees-ads",
        "quick-cache",
        "seo-alrp",
        "si-captcha-for-wordpress",
        "similar-posts",
        "spyderspanker",
        "spyderspanker_pro",
        "super-post",
        "superslider",
        "text-passwords",
        "the-codetree-backup",
    );
    // The part of the command that is the same for every plugin name.
    $findPrefix = 'find '.$GLOBALS["webroot"].' -type d -name ';
    foreach ($plugin_list as $slug) {
        system($findPrefix.$slug.' -print');
    }
}
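/**
 * EXIF cleaner: strip the profiles and comments from every jpg/jpeg file below the
 * web root with Imagick and write the image back in place.
 *
 * Fixes: the success message interpolated the match array (printing "Array")
 * instead of the file path, and file names and exception text were echoed without
 * HTML escaping.
 */
function cleanexif(){
    // checkexif() defines the same constant; guard so calling both does not raise a notice.
    if (!defined('IMAGEPATH')) {
        define('IMAGEPATH', $GLOBALS["webroot"]);
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $directory = new RecursiveDirectoryIterator(IMAGEPATH);
    $iterator = new RecursiveIteratorIterator($directory);
    $matches = new RegexIterator($iterator, '/^.+\.(jpg|jpeg)$/i', RecursiveRegexIterator::GET_MATCH);
    foreach ($matches as $image) {
        $path = $image[0];
        echo '<pre>', htmlspecialchars(print_r($image, true), $flags), '</pre>';
        try {
            $img = new Imagick($path);
            $img->stripImage();
            $img->writeImage($path);
            $img->clear();
            $img->destroy();
            echo 'Removed EXIF data from ', htmlspecialchars($path, $flags), ". \n";
        } catch (Exception $e) {
            echo 'Exception caught: ', htmlspecialchars($e->getMessage(), $flags), PHP_EOL;
        }
    }
}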
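/**
 * Show the MySQL process list and query-cache status for the credentials entered in the form.
 *
 * Changes over the previous version:
 *  - the server is contacted only after the form was submitted (it used to connect
 *    with undefined credentials on every page view);
 *  - every cell is HTML-escaped, because the process list contains query text that
 *    site visitors can influence;
 *  - the password field no longer shows its value in clear, and the form is closed.
 *
 * NOTE(review): no CSRF token or authorization check is visible in this function.
 * The mysql_* API used here was removed in PHP 7.0.
 */
function processlist(){
    echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
    echo '<b>MySQL Host:</b> <input name="host" id="host" type="text" size="30"><br />';
    echo '<b>MySQL Username:</b> <input name="usern" id="usern" type="text" size="30"><br />';
    echo '<b>MySQL Password:</b> <input name="passwd" id="passwd" type="password" size="30"><br />';
    echo '<input name="submit" type="submit" value="Go"></form><br /><br />';
    if (!isset($_POST['submit']) || $_POST['submit'] !== "Go") {
        return;
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $mhost = isset($_POST["host"]) ? (string) $_POST["host"] : '';
    $musr = isset($_POST["usern"]) ? (string) $_POST["usern"] : '';
    $mpass = isset($_POST["passwd"]) ? (string) $_POST["passwd"] : '';
    $link = mysql_connect($mhost, $musr, $mpass);
    if (!$link) {
        echo 'Could not connect: ', htmlspecialchars((string) mysql_error(), $flags);
        return;
    }
    // Title => statement; both result sets are rendered the same way.
    $sections = array(
        '..:: MySQL-Processes ::..' => "SHOW FULL PROCESSLIST",
        '..:: Query Cache Status ::..' => "SHOW STATUS LIKE 'Qcache%'",
    );
    foreach ($sections as $title => $sql) {
        echo "<span style='background-color:#00ff00; '>$title</span>\n";
        echo "<table width='*' border='1' cellspacing='1' cellpadding='3'>\n";
        $q = mysql_query($sql, $link);
        while ($q && ($l = mysql_fetch_row($q))) {
            echo "<tr>\n";
            foreach ($l as $val) {
                echo "<td>", htmlspecialchars((string) $val, $flags), "&nbsp;</td>\n";
            }
            echo "</tr>\n";
        }
        echo "</table>\n";
    }
    mysql_close($link);
}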
/* Print the output of `stat` for ./ModSettings.php (the file name is fixed). */
function stats(){
    $statReport = shell_exec('stat ./ModSettings.php');
    echo "<pre>" . $statReport . "</pre>";
}
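/**
 * Change the storage engine of every table the given MySQL account can see to InnoDB.
 *
 * The credentials are now entered in a form, as in optim(). The previous version had
 * a MySQL user name and password hard-coded in the source; that account was
 * published with the file and its password should be rotated.
 *
 * Also: information_schema is skipped (as optim() does), table names are quoted as
 * identifiers, and the output is HTML-escaped.
 *
 * NOTE(review): no CSRF token or authorization check is visible in this function.
 * The mysql_* API used here was removed in PHP 7.0.
 */
function changeengine(){
    echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
    echo '<b>MySQL Hostname/IP:</b> <input name="host" id="host" type="text" size="50" value="localhost">';
    echo '<b>MySQL Username:</b> <input name="usr" id="usr" type="text" size="50">';
    echo '<b>MySQL Password:</b> <input name="pwd" id="pwd" type="password" size="50">';
    echo '<input name="submit" type="submit" value="Go"></form><br /><br />';
    if (!isset($_POST['submit']) || $_POST['submit'] !== "Go") {
        return;
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $host = isset($_POST["host"]) ? (string) $_POST["host"] : '';
    $user = isset($_POST["usr"]) ? (string) $_POST["usr"] : '';
    $pass = isset($_POST["pwd"]) ? (string) $_POST["pwd"] : '';
    $link = mysql_connect($host, $user, $pass);
    if (!$link) {
        echo 'Could not connect: ', htmlspecialchars((string) mysql_error(), $flags);
        return;
    }
    $databases = mysql_query('SHOW databases', $link);
    while ($databases && ($db = mysql_fetch_array($databases))) {
        if ($db[0] == 'information_schema') {
            continue;
        }
        echo "database => ", htmlspecialchars($db[0], $flags), "\n";
        if (!mysql_select_db($db[0], $link)) {
            continue;
        }
        $tables = mysql_query('SHOW tables', $link);
        while ($tables && ($tbl = mysql_fetch_array($tables))) {
            echo "table => ", htmlspecialchars($tbl[0], $flags), "\n";
            // Backtick-quote the name so unusual table names cannot alter the statement.
            mysql_query('ALTER TABLE `' . str_replace('`', '``', $tbl[0]) . '` ENGINE=INNODB', $link);
        }
    }
    mysql_close($link);
}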
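/**
 * Report every line of 1000 or more characters in the .php files below this script's
 * directory. Very long lines are a common sign of obfuscated code.
 *
 * Fixes over the previous version:
 *  - a final line without a trailing newline was never checked, so a file consisting
 *    of a single long line went unreported;
 *  - a file that could not be opened was still passed to feof()/fgets();
 *  - the file name is HTML-escaped, because names on a compromised account are attacker-controlled.
 */
function checklarge(){
    $ite = new RecursiveDirectoryIterator(dirname(__FILE__));
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $i = 0;
    foreach (new RecursiveIteratorIterator($ite) as $filename => $cur) {
        if (!preg_match('/^.+\.php$/i', $filename)) {
            continue;
        }
        $file = fopen($filename, "r");
        if ($file === false) {
            echo '<div class="alert alert-danger">could not open ', htmlspecialchars($filename, $flags), '</div>';
            continue;
        }
        // fgets() returns false only at end of file, so the last line is checked as well.
        while (($line = fgets($file)) !== false) {
            if (mb_strlen($line) > 999) {
                $i++;
                echo '<div class="well">', $i, ')<div class="alert alert-danger"><i class="icon-warning-sign"></i>', htmlspecialchars($filename, $flags), ' found line having more than 1000 characters, output to follow:</div>';
                echo '<pre class="prettyprint">';
                echo trim(htmlentities($line));
                echo '</pre>';
                echo '<span>This file was last modified on: ', date("F d Y H:i:s.", filemtime($filename)), '</span>';
                echo '</div>';
            }
        }
        fclose($file);
    }
}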
/* Only prints a status line; the removal command itself is commented out elsewhere in this file. */
function removezero(){
    $notice = "Removing Files With Zero Size";
    print $notice;
}
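/**
 * List all files and directories below the web root whose mode is exactly 0000.
 *
 * Fix: the -exec clause lacked the "{} \;" terminator, so find rejected the command
 * and listed nothing. "ls -d" shows the directory entry itself rather than its contents.
 */
function findchmod(){
    echo "Finding All Files With Chmod Set To 0000<br /><br />";
    system('find '.$GLOBALS["webroot"].' -type f -perm 0000 -exec ls -ald {} \;');
    echo "Finding All Directories With Chmod Set To 0000<br /><br />";
    system('find '.$GLOBALS["webroot"].' -type d -perm 0000 -exec ls -ald {} \;');
}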
/**
 * Strip one leading and one trailing blank line from $str.
 *
 * A blank line here is optional spaces/tabs next to a line break at the very start
 * or the very end of the string; everything in between is left untouched.
 */
function trimblanklines($str) {
    $edgeBlankLine = '`\A[ \t]*\r?\n|\r?\n[ \t]*\Z`';
    $trimmed = preg_replace($edgeBlankLine, '', $str);
    return $trimmed;
}
/* Empty stub: no spam scan is implemented here. */
function scanspam(){
}
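/**
 * Reset loose or unusable permissions below the web root: directories to 755, files
 * to 644, and *.cgi / *.pl scripts to 755.
 *
 * Fix: the *.cgi and *.pl rules used to run after the generic file rule. That rule had
 * already set those scripts to 644, so the script rules could no longer match and CGI
 * scripts were left non-executable. The script rules now run first and the generic
 * rule skips those extensions.
 *
 * NOTE(review): "-perm +og+w" is legacy find syntax - confirm the target find still
 * accepts it. "-follow" makes chmod act on symlink targets, which may lie outside the
 * web root - confirm that is intended.
 */
function fixperms(){
    echo("To save time (and money) we're going to locate the files and directories with improper permissions and fix just those:\n");
    $root = $GLOBALS["webroot"];
    // find tests (after "-follow") and the mode applied to the matches, in run order
    $rules = array(
        array('-perm +og+w', '-type d', '755'),
        array('-perm 0000',  '-type d', '755'),
        array('-perm +og+w', '-type f -name "*.cgi"', '755'),
        array('-perm +og+w', '-type f -name "*.pl"', '755'),
        array('-perm +og+w', '-type f ! -name "*.cgi" ! -name "*.pl"', '644'),
        array('-perm 0000',  '-type f', '644'),
    );
    foreach ($rules as $rule) {
        system('find '.$root.' '.$rule[0].' -follow '.$rule[1].' -print -exec chmod '.$rule[2].' {} \;');
    }
}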
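/**
 * Download the cleaner script, store it as cl.php and run it.
 *
 * SECURITY (review): this executes code fetched over plain HTTP with no integrity
 * check. Whoever controls the remote host or the network path controls what runs
 * under this account. Prefer shipping the cleaner with the tool, or fetch it over
 * HTTPS and compare its SHA-256 with a pinned value (hash_equals) before the include.
 *
 * Behaviour change: a failed or empty download no longer overwrites cl.php with an
 * empty file, and nothing is included in that case.
 */
function getcleaner(){
    $remote = "http://malin.online9.net/cl.txt";
    $local = "cl.php";
    $contents = file_get_contents($remote);
    if ($contents === false || $contents === '') {
        echo 'Could not download the cleaner - nothing was written or executed.<br />';
        return;
    }
    if (file_put_contents($local, $contents, LOCK_EX) === false) {
        echo 'Could not write the cleaner to disk - nothing was executed.<br />';
        return;
    }
    include('./cl.php');
}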
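/**
 * Append the hardening rules to <webroot>/.htaccess and <webroot>/php.ini and show both files.
 *
 * Fixes: the blocks used to be appended again on every run, and a failed write was
 * still reported as "data added". Each block is now written only when its marker
 * line is not yet in the file, and the message reflects the outcome.
 *
 * NOTE(review), policy left as authored:
 *  - disable_functions lists escapeshellarg/escapeshellcmd, which are escaping helpers,
 *    and "blob", which is not a PHP function;
 *  - it also disables system/shell_exec and allow_url_fopen, which this tool uses -
 *    confirm the php.ini does not apply to the directory the tool runs from;
 *  - the rewrite conditions are a query-string deny list, not a replacement for
 *    fixing the vulnerable application.
 */
function addsec(){
    echo "securing .htaccess<br />";
    $htafile = $GLOBALS["webroot"].'/.htaccess';
    $htaData = "
# Protection agains XSS exploits added by Lunarpages MSH team
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
";
    $state = addsec_append_once($htafile, '# Protection agains XSS exploits added by Lunarpages MSH team', $htaData);
    if ($state === 'added') {
        echo "data added to .htaccess<br />";
    } elseif ($state === 'present') {
        echo "rules already present in .htaccess<br />";
    } else {
        echo "could not write .htaccess<br />";
    }
    show_source($htafile);
    echo "moving on to php.ini";
    $phpfile = $GLOBALS["webroot"].'/php.ini';
    $phpData = '
; Protection agains RFI exploits added by Lunarpages MSH team
allow_url_fopen = Off
allow_url_include = Off
disable_functions=popen,passthru,escapeshellarg,escapeshellcmd,exec,passthru,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,system,blob,exec,escapeshellarg,pfsockopen,stream_get_transports,stream_set_blocking
display_errors = Off
display_startup_errors = Off
error_reporting = E_ALL
mail.add_x_header = On
mail.log = '.$GLOBALS["docroot"].'/phpmail.log
';
    $state = addsec_append_once($phpfile, '; Protection agains RFI exploits added by Lunarpages MSH team', $phpData);
    if ($state === 'added') {
        echo "data added to php.ini";
    } elseif ($state === 'present') {
        echo "settings already present in php.ini";
    } else {
        echo "could not write php.ini";
    }
    show_source($phpfile);
}

/* Append $data to $file unless $marker is already in it; returns 'added', 'present' or 'failed'. */
function addsec_append_once($file, $marker, $data)
{
    $current = is_file($file) ? file_get_contents($file) : '';
    if ($current !== false && strpos($current, $marker) !== false) {
        return 'present';
    }
    return file_put_contents($file, $data, FILE_APPEND | LOCK_EX) === false ? 'failed' : 'added';
}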
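/**
 * Delete every entry below the web root whose name matches the submitted name
 * (a find -name pattern).
 *
 * Fixes over the previous version:
 *  - the submitted name went into the shell command inside double quotes, so the
 *    shell interpreted it; it is now passed as one quoted argument;
 *  - empty names, names containing "/" and wildcard-only names are refused, so a
 *    stray "*" cannot wipe the whole web root;
 *  - the button used the invalid input type "send"; the form is now closed.
 *
 * NOTE(review): no CSRF token or authorization check is visible in this function.
 */
function rmfile(){
    echo "insert filename for mass deletion: <br />";
    echo '<form method="post" enctype="multipart/form-data">';
    echo '<input name="name" id="name" type="text" size="100">';
    echo '<input name="send" type="submit" value="Remove it">';
    echo '</form>';
    if (!isset($_POST['send']) || $_POST['send'] !== "Remove it") {
        return;
    }
    $name = (isset($_POST["name"]) && is_string($_POST["name"])) ? $_POST["name"] : '';
    $unsafe = $name === ''
        || strpos($name, '/') !== false
        || strpos($name, "\0") !== false
        || preg_match('/^[*?]+$/', $name);
    if ($unsafe) {
        echo 'Refusing: enter a file name without "/" that is not only wildcards.<br />';
        return;
    }
    system('find '.escapeshellarg($GLOBALS["webroot"]).' -name '.escapeshellarg($name).' -print -exec rm -fr {} \;');
}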
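/**
 * Database string scanner: connect with the submitted MySQL credentials and search
 * every column of every table in the chosen database for each built-in pattern.
 * Matching rows are rendered through table_arrange().
 *
 * Fixes over the previous version:
 *  - the connection was closed inside the pattern loop, so only the first pattern
 *    was ever searched;
 *  - nothing is contacted until the form has been submitted;
 *  - connection errors are printed inline: the old header() redirects could not
 *    work after the form had been output, built the URL from the Host header, and
 *    the scan carried on after them;
 *  - the posted search_text was echoed unescaped (PHP still runs inside an HTML comment);
 *  - table names, column names and the generated SQL are escaped for the context
 *    they are printed in, and identifiers are backtick-quoted in the queries;
 *  - the per-table "select count(*)" probe was dropped: it always returns one row.
 *
 * NOTE(review): no CSRF token or authorization check is visible in this function.
 * The mysql_* API used here was removed in PHP 7.0.
 */
function mysqlsearch(){
?>
<form method="post" enctype="multipart/form-data"> <table>
<tbody>
<tr>
<td><label for="server">Server Name </label></td>
<td><input type="text" name="server" value="localhost"/></td>
</tr>
<tr>
<td><label for="dbuser">User Name </label></td>
<td><input type="text" name="dbuser" /></td>
</tr>
<tr>
<td><label for="pass">Password </label></td>
<td><input type="password" name="pass" /></td>
</tr>
<tr>
<td><label for="dbname">Database Name </label></td>
<td><input type="text" name="dbname" /></td>
</tr>
<!-- free-text search is disabled; the scan uses the built-in pattern list
<tr>
<td><label for="search_text"> Search on Database</label><br /></td>
<td><input type="text" name="search_text" <?php if(!empty($_POST['search_text']) && is_string($_POST['search_text'])) echo 'value="'.htmlspecialchars($_POST['search_text'], ENT_QUOTES).'"'; ?> /></td>
</tr>
-->
<tr>
<td><input type="submit" value="Find the Malware" /></td>
</tr>
</tbody>
</table>
</form>
<?php
    // Nothing to do until the connection form has been submitted.
    if (!isset($_POST["server"], $_POST["dbuser"], $_POST["pass"], $_POST["dbname"])) {
        return;
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $server = (string) $_POST["server"];
    $dbuser = (string) $_POST["dbuser"];
    $dbpass = (string) $_POST["pass"];
    $dbname = (string) $_POST["dbname"];
    $link = @mysql_connect($server, $dbuser, $dbpass);
    if (!$link) {
        echo '<p style="color:red;">Username OR password Missmatch</p>';
        return;
    }
    if (!@mysql_select_db($dbname, $link)) {
        echo '<p style="color:red;">Database Not found</p>';
        mysql_close($link);
        return;
    }
    ///@endof Databse Connection
    $patterns = array(
        "cacat",
        "lacat",
    );
    // The table list does not depend on the pattern, so read it once.
    $tableKey = 'Tables_in_'.$dbname;
    $res = mysql_query('show tables', $link);
    $tables = $res ? fetch_array($res) : array();

    foreach ($patterns as $search_text) {
        $result_in_tables = 0;
        $textHtml = htmlspecialchars($search_text, $flags);
        echo "<h4>Results for: <i>".$textHtml.'</i></h4>';
        // Escape LIKE wildcards first, then the string for use inside an SQL literal.
        $like = mysql_real_escape_string(addcslashes($search_text, '%_\\'), $link);

        foreach ($tables as $tableRow) {
            if (!isset($tableRow[$tableKey])) {
                continue;
            }
            $table = $tableRow[$tableKey];
            $tableSql = '`'.str_replace('`', '``', $table).'`';

            // Column list of this table; every column is searched.
            $res = mysql_query('desc '.$tableSql, $link);
            if (!$res) {
                continue;
            }
            $conditions = array();
            foreach (fetch_array($res) as $column) {
                $conditions[] = '`'.str_replace('`', '``', $column['Field'])."` like '%".$like."%' ";
            }
            if (!$conditions) {
                continue;
            }
            $search_sql = 'select * from '.$tableSql.' where '.implode(' or ', $conditions);
            $res = mysql_query($search_sql, $link);
            $search_result = $res ? fetch_array($res) : array();
            if (!count($search_result)) {
                continue;
            }

            // Found matching rows: show the table name, the SQL used and the rows.
            $result_in_tables++;
            $tableHtml = htmlspecialchars($table, $flags);
            // JSON-encode for the JavaScript string, then HTML-escape for the attribute.
            $jsSqlId = htmlspecialchars((string) json_encode($table.'_sql'), $flags);
            $jsWrapId = htmlspecialchars((string) json_encode($table.'_wrapper'), $flags);
            echo '<div class="table_name">&nbsp;&nbsp; Table : '.$tableHtml.' &nbsp;&nbsp;</div>'
                .str_repeat('&nbsp;', 10)
                .'<span class="number_result"> Total Results for <i>"'.$textHtml.'"</i>: '.count($search_result).'</span><br/>'
                .'<div class="link_wrapper"><a href="javascript:toggle('.$jsSqlId.')">SQL</a></div>'
                .'<div id="'.$tableHtml.'_sql" class="sql keys"><i>'.htmlspecialchars($search_sql, $flags).'</i></div>'
                .'<div class="link_wrapper"><a href="javascript:toggle('.$jsWrapId.')">Result</a></div>'
                .'<script language="JavaScript">table_id.push('.json_encode($table.'_wrapper').');</script>'
                .'<div class="wrapper" id="'.$tableHtml.'_wrapper">';
            // The pattern is passed along; a one-argument table_arrange() ignores the extra value.
            table_arrange($search_result, $search_text);
            echo '</div><br/><br/>';
        }

        if (!$result_in_tables) {
            echo '<p style="color:red;">Sorry, <i>'.$textHtml.'</i> is not found in this Database ('.htmlspecialchars($dbname, $flags).') !</p>';
        }
    }
    // Close only after every pattern has been searched.
    mysql_close($link);
}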
//*********************
//* PHP functions
//*********************
/**
 * Collect all rows of a MySQL result into a list of associative arrays.
 *
 * @param resource $res MySQL result resource, as returned by mysql_query()
 * @return array one associative array per row, in result order
 */
function fetch_array($res)
{
    $rows = array();
    for ($row = mysql_fetch_assoc($res); $row; $row = mysql_fetch_assoc($res)) {
        $rows[] = $row;
    }
    return $rows;
} //@endof function fetch_array
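/**
 * Print a result set as an HTML table, highlighting the search text inside the cells.
 * The header row is taken from the row with the most columns. Output is echoed;
 * nothing is returned.
 *
 * Fixes over the previous version:
 *  - the search text was put into the regular expression unquoted, so its
 *    metacharacters changed what was matched;
 *  - an absent or empty search text produced an empty pattern that matched at every
 *    position and wrapped every character boundary in highlight markup;
 *  - highlighting ran on already-escaped text and could split HTML entities; cells
 *    are now split first and each piece is escaped separately;
 *  - column names are HTML-escaped, and an empty result set no longer reads an
 *    undefined row.
 *
 * @param array       $array       list of associative rows (as built by fetch_array())
 * @param string|null $search_text text to highlight; defaults to $_POST["search_text"]
 */
function table_arrange($array, $search_text = null)
{
    if ($search_text === null) {
        $search_text = (isset($_POST["search_text"]) && is_string($_POST["search_text"])) ? $_POST["search_text"] : '';
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    // One capture group, so preg_split() returns the matches at the odd indexes.
    $pattern = ($search_text === '') ? null : '|('.preg_quote($search_text, '|').')|i';

    $table_data = ''; // table body
    $max = 0;         // largest column count seen
    $max_i = 0;       // index of the row with that column count
    for ($i = 0; $i < sizeof($array); $i++) {
        $table_data .= '<tr class='.(($i & 1) ? '"odd_row"' : '"even_row"').' >';
        $j = 0;
        foreach ($array[$i] as $key => $data) {
            $text = (string) $data;
            $parts = ($pattern === null) ? false : preg_split($pattern, $text, -1, PREG_SPLIT_DELIM_CAPTURE);
            if ($parts === false) {
                $parts = array($text);
            }
            $cell = '';
            foreach ($parts as $n => $part) {
                $safe = htmlspecialchars($part, $flags);
                $cell .= ($n & 1) ? '<pre class="search_text"><b>'.$safe.'</b></pre>' : $safe;
            }
            $table_data .= '<td>'.$cell.' &nbsp;</td>';
            $j++;
        }
        if ($max < $j) {
            $max = $j;
            $max_i = $i;
        }
        $table_data .= '</tr>'."\n";
    }
    $table_data .= '</table></div>';

    // Header: the keys of the widest row.
    $data_a = isset($array[$max_i]) ? $array[$max_i] : array();
    $table_head = '<tr>';
    foreach ($data_a as $key => $value) {
        $table_head .= '<td class="keys">'.htmlspecialchars((string) $key, $flags).'</td>';
    }
    $table_head .= '</tr>'."\n";

    echo '<div class="table_bor">
<table cellspacing="0" cellpadding="3" border="0" class="data_table">'.$table_head.$table_data;
}//@endof function table_arrange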
/*
Calculate sizes of all your databases in MB:
SELECT table_schema "DB Name", SUM( data_length + index_length) / 1024 / 1024
"DB Size" FROM information_schema.TABLES GROUP BY table_schema ;
Calculate table sizes for a specific database:
SELECT TABLE_NAME, table_rows, data_length, index_length, round(((data_length + index_length) / 1024 / 1024),2) "Size in MB" FROM information_schema.TABLES WHERE table_schema = "PUT_YOUR_DATABASE_NAME_HERE";
*/
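/**
 * Replace one literal string with another in every file below the current directory
 * that contains it (grep to find the files, sed -i to rewrite them).
 *
 * Fixes over the previous version:
 *  - both strings went into the shell command unescaped; they are now passed as
 *    quoted arguments, and the sed expression is escaped so both are taken literally;
 *  - file names are handed from grep to xargs NUL-separated, so names with spaces
 *    or quotes are handled;
 *  - an empty search string or a string containing a line break is refused.
 *
 * NOTE(review): grep still matches case-insensitively while sed replaces
 * case-sensitively, as before - files that differ only in case are rewritten unchanged.
 * No CSRF token or authorization check is visible in this function.
 */
function repl(){
    echo "String Replacement";
    echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
    echo '<b>Old String:</b> <input name="oldstr" id="oldstr" type="text" size="50"><br />';
    echo '<b>New String:</b> <input name="newstr" id="newstr" type="text" size="50"><br />';
    echo '<input name="submit" type="submit" value="Go"></form><br /><br />';
    if (!isset($_POST['submit']) || $_POST['submit'] !== "Go") {
        return;
    }
    $oldstr = (isset($_POST["oldstr"]) && is_string($_POST["oldstr"])) ? $_POST["oldstr"] : '';
    $newstr = (isset($_POST["newstr"]) && is_string($_POST["newstr"])) ? $_POST["newstr"] : '';
    if ($oldstr === '' || strpbrk($oldstr.$newstr, "\r\n\0") !== false) {
        echo 'Refusing: the old string must not be empty and neither string may contain a line break.';
        return;
    }
    // Escape sed's pattern metacharacters and the "/" delimiter; in the replacement only \ / & are special.
    $sedExpr = 's/'.addcslashes($oldstr, '\\/.*[]^$').'/'.addcslashes($newstr, '\\/&').'/g';
    system('grep -ilrZF -e '.escapeshellarg($oldstr).' -- * | xargs -0 -r sed -i -e '.escapeshellarg($sedExpr).' --');
    echo 'all done';
}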
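/**
 * Show the total size (du -sh) of a directory inside the account's home directory.
 *
 * Fixes over the previous version:
 *  - the submitted path was appended to the shell command unescaped;
 *  - "../" sequences could point du outside the home directory; the resolved path
 *    must now exist and lie inside $GLOBALS["docroot"];
 *  - the path was echoed back without HTML escaping;
 *  - a stray system('whoami') printed the user name into the page; the form is now closed.
 *
 * NOTE(review): no CSRF token or authorization check is visible in this function.
 */
function getsize(){
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    echo "insert the location you wish to get the size for: <br />";
    echo '<form method="post" enctype="multipart/form-data">';
    echo htmlspecialchars($GLOBALS["docroot"], $flags).'<input name="path" id="path" type="text" size="100">';
    echo '<input name="send" type="submit" value="Get it">';
    echo '</form>';
    if (!isset($_POST['send']) || $_POST['send'] !== "Get it") {
        return;
    }
    $path = (isset($_POST["path"]) && is_string($_POST["path"])) ? $_POST["path"] : '';
    $base = false;
    $target = false;
    if (strpos($path, "\0") === false) {
        $base = realpath($GLOBALS["docroot"]);
        $target = realpath($GLOBALS["docroot"].$path);
    }
    // realpath() resolves "..", so a plain prefix check is enough afterwards.
    $inside = $base !== false && $target !== false
        && ($target === $base || strpos($target, rtrim($base, '/').'/') === 0);
    if (!$inside) {
        echo "<br />Refusing: the path does not exist or is outside ".htmlspecialchars($GLOBALS["docroot"], $flags)."<br/>";
        return;
    }
    echo "<br />Getting size of: ".htmlspecialchars($path, $flags)."<br/>";
    system('du -sh '.escapeshellarg($target));
}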
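/**
 * Look for archive files below the web root whose path contains "backup", and print
 * each one with its size.
 *
 * Fixes: the space before "-name" was missing, so it was glued to the start path,
 * and the "*.ext" pattern was unquoted, so the shell could expand it before find ran.
 */
function findbackups(){
    $ziparray = array("zip", "rar", "tgz", "tar.gz", "bz2", "tar");
    $root = escapeshellarg($GLOBALS["webroot"]);
    foreach ($ziparray as $valzip) {
        echo 'checking for backup files with extension: '.$valzip.'<br />';
        system('find '.$root.' -name '.escapeshellarg('*.'.$valzip).' -exec du -sh {} \; | grep "backup"');
    }
}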
/* Print every *.sql file below the home directory with its size; dumps may expose sensitive data. */
function findsql(){
    echo 'checking for SQL dumps <br />';
    $command = sprintf('find %s -name "*.sql" -exec du -sh {} \;', $GLOBALS["docroot"]);
    system($command);
}
/* Print every entry below the home directory that find reports as larger than 10000k, with its size. */
function findlarge(){
    echo 'checking for large files (over 10MB) <br/>';
    $command = sprintf('find %s -size +10000k -exec du -sh {} \;', $GLOBALS["docroot"]);
    system($command);
}
/* List every symbolic link below the parent directory (ls -al per link); links may expose data outside the account. */
function findsymlinks(){
    echo 'checking for symlinks <br />';
    $command = 'find ../ -type l -exec ls -al {} \;';
    system($command);
}
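/**
 * Generate a ZenCart-style salted password hash, "md5(salt . password):salt", for
 * the password entered in the form.
 *
 * Fix: the salt used to be derived from the password itself, so equal passwords
 * always produced equal hashes. The salt is now two random hex characters; the
 * output format is unchanged.
 *
 * NOTE(review): salted MD5 is a weak password hash - confirm the target ZenCart
 * version still requires this format. The form is now closed and the field masked.
 */
function zencart(){
    echo 'generating ZenCart concantenated password: <br />';
    echo '<form method="post" enctype="multipart/form-data"><br />';
    echo '<b>New Password:</b> <input name="newzen" id="newzen" type="password" size="50"><br />';
    echo '<input name="submit" type="submit" value="Go"></form><br /><br />';
    if (isset($_POST['submit']) && $_POST['submit'] === "Go") {
        $password = isset($_POST["newzen"]) ? (string) $_POST["newzen"] : '';
        $salt = function_exists('random_bytes')
            ? bin2hex(random_bytes(1))
            : substr(md5(uniqid(mt_rand(), true)), 0, 2); // fallback for runtimes without random_bytes()
        $password = md5($salt . $password) . ':' . $salt;
        echo 'New Password Hash is: <br />';
        echo $password;
    }
}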
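/**
 * Change the password of a MySQL user: log in with the current credentials and
 * issue SET PASSWORD for that user at localhost.
 *
 * Fixes over the previous version:
 *  - user name and new password were concatenated into the statement unescaped
 *    (SQL injection); both now go through mysql_real_escape_string();
 *  - mysql_close() ran on an undefined link when the form had not been submitted;
 *  - errors are HTML-escaped and reported without aborting the page; the password
 *    fields are masked and the form is closed.
 *
 * NOTE(review): newer MySQL releases no longer accept "SET PASSWORD ... = PASSWORD()" -
 * confirm the server version. No CSRF token or authorization check is visible in
 * this function. The mysql_* API used here was removed in PHP 7.0.
 */
function mysqlpwd(){
    echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
    echo '<b>MySQL Username:</b> <input name="actusr" id="actusr" type="text" size="50"><br />';
    echo '<b>Current Password:</b> <input name="actpwd" id="actpwd" type="password" size="50"><br />';
    echo '<b>New MySQL Password:</b> <input name="pwd" id="pwd" type="password" size="50"><br />';
    echo '<input name="submit" type="submit" value="Go"></form><br /><br />';
    if (!isset($_POST['submit']) || $_POST['submit'] !== "Go") {
        return;
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $host = "localhost";
    $pass = isset($_POST["pwd"]) ? (string) $_POST["pwd"] : '';
    $actusr = isset($_POST["actusr"]) ? (string) $_POST["actusr"] : '';
    $actpass = isset($_POST["actpwd"]) ? (string) $_POST["actpwd"] : '';
    $link = mysql_connect($host, $actusr, $actpass);
    if (!$link) {
        echo 'Could not connect: ', htmlspecialchars((string) mysql_error(), $flags);
        return;
    }
    $sql = "SET PASSWORD FOR '".mysql_real_escape_string($actusr, $link)."'@'".$host."' = PASSWORD('".mysql_real_escape_string($pass, $link)."');";
    if (mysql_query($sql, $link)) {
        echo 'Password changed.';
    } else {
        echo 'Could not change the password: ', htmlspecialchars((string) mysql_error($link), $flags);
    }
    mysql_close($link);
}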
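/**
 * Check password security: grep every PHP file below the parent directory for
 * "<account user>_" and print each hit with the four lines that follow it.
 *
 * The matches are source lines from the scanned site. They are now HTML-escaped and
 * wrapped in <pre>; echoed raw, "<?php" tags and markup in them were interpreted by
 * the browser. Output is streamed line by line.
 *
 * NOTE(review): the lines shown typically include database credentials in clear text.
 */
function pwds(){
    $scan = popen('find ../ -name "*.php" -type f -exec grep -HA4 "`whoami`_" {} \;', 'r');
    if ($scan === false) {
        echo 'Could not start the scan.';
        return;
    }
    echo '<pre>';
    while (($line = fgets($scan)) !== false) {
        echo htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE);
    }
    echo '</pre>';
    pclose($scan);
}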
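/**
 * Remove an injected snippet of the form "<?php /**&#47; STRING ... ?>" from every PHP
 * file below the parent directory, then delete leading blank lines from those files.
 *
 * Fixes over the previous version:
 *  - the commands were written in backticks inside system(): PHP ran the pipeline,
 *    then ran its *output* as a second shell command;
 *  - the submitted string was interpolated into the command unescaped; it is now
 *    escaped for sed, taken literally, and the expression is passed as one quoted
 *    argument;
 *  - file names go to xargs NUL-separated;
 *  - an empty or multi-line string is refused.
 *
 * NOTE(review): the blank-line pass still runs on every call, even before the form is
 * submitted, and sed -i rewrites each file (changing its modification time) - confirm
 * that is intended. No CSRF token or authorization check is visible in this function.
 */
function clean(){
    $dir = "../";
    // Shared front of both pipelines: every PHP file below $dir, NUL-separated.
    $listPhp = 'find '.escapeshellarg($dir).' -name "*.php" -type f -print0 | xargs -0 -r sed -i -e ';
    echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
    echo '<b>Malware String:</b> <input name="malware" id="malware" type="text" size="300">';
    echo '<input name="submit" type="submit" value="Go"></form><br /><br />';
    if (isset($_POST['submit']) && $_POST['submit'] === "Go") {
        $malware = (isset($_POST["malware"]) && is_string($_POST["malware"])) ? $_POST["malware"] : '';
        if ($malware === '' || strpbrk($malware, "\r\n\0") !== false) {
            echo "Refusing: the malware string must be a single non-empty line.<br />\n";
        } else {
            // Escape sed's pattern metacharacters and the "#" delimiter.
            $expr = 's#<?php /\*\*/ '.addcslashes($malware, '\\#.*[]^$').'.*?>##g';
            system($listPhp.escapeshellarg($expr).' 2>&1');
            echo "Malware removed.<br />\n";
        }
    }
    system($listPhp.escapeshellarg('/./,$!d').' 2>&1');
    echo "Empty lines removed.<br />\n";
}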
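/**
 * MySQL DB optimization: run OPTIMIZE TABLE on every table of every database the
 * given account can list, except information_schema.
 *
 * Changes over the previous version:
 *  - table names are quoted as `database`.`table`, so unusual names cannot alter the
 *    statement and it does not depend on which database is currently selected;
 *  - a failing table is reported and the run continues (it used to die() mid-loop);
 *  - database and table names and error text are HTML-escaped;
 *  - information_schema is skipped before any message is printed about it;
 *  - the password field is masked and the form is closed.
 *
 * NOTE(review): no CSRF token or authorization check is visible in this function.
 * The mysql_* API used here was removed in PHP 7.0.
 */
function optim(){
    echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
    echo '<b>MySQL Hostname/IP:</b> <input name="host" id="host" type="text" size="50">';
    echo '<b>MySQL Username:</b> <input name="usr" id="usr" type="text" size="50">';
    echo '<b>MySQL Password:</b> <input name="pwd" id="pwd" type="password" size="50">';
    echo '<input name="submit" type="submit" value="Go"></form><br /><br />';
    if (!isset($_POST['submit']) || $_POST['submit'] !== "Go") {
        return;
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $host = isset($_POST["host"]) ? (string) $_POST["host"] : '';
    $user = isset($_POST["usr"]) ? (string) $_POST["usr"] : '';
    $pass = isset($_POST["pwd"]) ? (string) $_POST["pwd"] : '';
    echo "".date('H:i:s').": Connecting to MySQL Server .... <br />";
    $link = mysql_connect($host, $user, $pass);
    if (!$link) {
        echo 'Could not connect: ', htmlspecialchars((string) mysql_error(), $flags);
        return;
    }
    $result = mysql_list_dbs($link);
    while ($result && ($raw = mysql_fetch_object($result))) {
        foreach ($raw as $name) {
            if ($name == 'information_schema') {
                echo 'skipping information_schema<br />';
                continue;
            }
            $nameHtml = htmlspecialchars($name, $flags);
            echo 'optimizing database '.$nameHtml.'<br />';
            echo "".date('H:i:s').": Get tables from database $nameHtml .... <br />";
            $tables = mysql_list_tables($name);
            while ($tables && ($row = mysql_fetch_row($tables))) {
                echo "".date('H:i:s').": Optimize table ".htmlspecialchars($row[0], $flags)." ....<br />";
                $sql = 'optimize table `'.str_replace('`', '``', $name).'`.`'.str_replace('`', '``', $row[0]).'`';
                if (!mysql_query($sql, $link)) {
                    echo 'failed: ', htmlspecialchars((string) mysql_error($link), $flags), '<br />';
                }
            }
            echo "".date('H:i:s').": Table of Database ".$nameHtml." Optimized <br />";
        }
    }
    if ($result) {
        mysql_free_result($result);
    }
    mysql_close($link);
}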
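/**
 * Show the "change table prefix" form, or rename every table of a database.
 *
 * Without an "action" request value the form is printed. With one, the
 * function connects to MySQL on localhost using the submitted credentials,
 * lists the tables of the submitted database and renames each one so that
 * everything up to its first underscore is replaced by the new prefix.
 *
 * Changes from the previous version:
 *  - replace_prefix() was declared at the end of this function, after the
 *    code that calls it. Nested functions only exist once execution reaches
 *    their declaration, so the rename path called an undefined function. It
 *    is now declared first, guarded so a second call does not redeclare it.
 *  - The new prefix came from the request and went into RENAME TABLE
 *    unvalidated. It is now limited to letters, digits and underscores, and
 *    both identifiers are backtick-quoted.
 *  - Table names without an underscore used to lose their first character;
 *    they now simply get the prefix prepended.
 *  - Values echoed back to the page are HTML-escaped.
 *  - The table arrays are initialised so an empty database no longer makes
 *    foreach iterate over an undefined variable.
 *  - The unterminated <input name="u"> tag in the form is closed.
 *
 * NOTE(review): the mysql_* extension used here was removed in PHP 7.0.
 */
function prefix()
{
    if (!function_exists('replace_prefix')) {
        /**
         * Replace everything up to the first underscore of $s with $prefix.
         * A name without an underscore gets "$prefix_" prepended.
         */
        function replace_prefix($s, $prefix)
        {
            $pos = strpos($s, "_");
            if ($pos === false) {
                return sprintf("%s_%s", $prefix, $s);
            }
            return sprintf("%s_%s", $prefix, substr($s, $pos + 1));
        }
    }

    // Check for POST data
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : false;
    if (!$action) {
        ?>
<form name="form1" method="post" enctype="multipart/form-data">
<table width="75%" border="0" cellspacing="2" cellpadding="2">
<tr>
<td>Enter database name:</td>
<td><input name="d" type="text" id="d" size="50"></td>
</tr>
<tr>
<td>Enter database user</td>
<td><input name="u" type="text" id="u" size="50"></td>
</tr>
<tr>
<td>Enter database password:</td>
<td><input name="p" type="password" id="p" size="50"></td>
</tr>
<tr>
<td>Enter New Prefix:</td>
<td><input name="n" type="text" id="n" size="50" value="(Do not include the trailing underscore)"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center"><input name="action" type="hidden" id="action" value="data">
<input type="submit" name="Submit" value="Change Table Prefixes"></td>
</tr>
</table>
</form>
<?php
        return;
    }

    $mysql_db = isset($_REQUEST['d']) ? $_REQUEST['d'] : '';
    $mysql_user = isset($_REQUEST['u']) ? $_REQUEST['u'] : '';
    $mysql_pass = isset($_REQUEST['p']) ? $_REQUEST['p'] : '';
    $table_prefix = isset($_REQUEST['n']) ? $_REQUEST['n'] : '';

    // The prefix becomes part of an SQL identifier, so accept only a safe character set.
    if (!is_string($table_prefix) || !preg_match('/^[A-Za-z0-9_]+\z/', $table_prefix)) {
        echo 'Invalid prefix: use letters, digits and underscores only.<br>';
        return;
    }

    // Open MySQL link
    $link = mysql_connect('localhost', $mysql_user, $mysql_pass);
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }
    echo 'Connected successfully<br><br>';

    // Select database and grab table list
    mysql_select_db($mysql_db, $link) or die ("Database not found.");
    $tables = mysql_list_tables($mysql_db, $link);

    // Pull the current table names into an array
    $table_array = array();
    $total = $tables ? mysql_num_rows($tables) : 0;
    for ($i = 0; $i < $total; $i++) {
        $table_array[$i] = mysql_tablename($tables, $i);
    }

    // Work out the new name of every table
    $table_names = array();
    foreach ($table_array as $key => $value) {
        $table_names[$key] = replace_prefix($value, $table_prefix);
    }

    // Write new table names back
    foreach ($table_array as $key => $value) {
        $query = sprintf(
            'RENAME TABLE `%s` TO `%s`',
            str_replace('`', '``', $value),
            str_replace('`', '``', $table_names[$key])
        );
        $result = mysql_query($query, $link);
        if (!$result) {
            $error = mysql_error();
            echo "Could not " . htmlspecialchars($query, ENT_QUOTES) . " : "
                . htmlspecialchars($error, ENT_QUOTES) . "<br>";
        } else {
            $message = sprintf('Successfully renamed %s to %s in %s', $value, $table_names[$key], $mysql_db);
            echo htmlspecialchars($message, ENT_QUOTES) . "<br>";
        }
    }

    // Free the resources
    mysql_close($link);
}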
/**
 * Print a long listing (ls -l) of every symbolic link found under ../.
 */
function loop()
{
    $command = 'find ../ -type l -exec ls -l {} \;';
    system($command);
}
/**
 * Print the 500 most recently modified files under ../, newest first.
 *
 * find emits "<epoch> <path> <readable time>" per file; the list is sorted
 * numerically in descending order on the epoch, the epoch column is then
 * stripped, and head keeps the first 500 lines.
 */
function lastfiles()
{
    $stages = array(
        "find ../ -type f -printf '%T@ %p\t\t %t\n'",
        'sort -k 1 -nr',
        "sed 's/^[^ ]* //'",
        'head -n 500',
    );
    system(implode(' | ', $stages));
}
/**
 * Placeholder that performs no work.
 *
 * NOTE(review): the dispatcher's 'execcmd' case calls execcmd(), which is a
 * different name from this function.
 */
function execmd()
{
}
/* Remove all of the tool's files so they don't fall into the wrong hands */
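/**
 * Delete the tool's own directory, <webroot>/lp-msh-scanner, and its contents.
 *
 * Changes from the previous version:
 *  - The guard was inverted: rmdir() was attempted only when the path was
 *    NOT a directory, so nothing was ever removed and the tool stayed on the
 *    server after "REMOVE SCRIPT" was used.
 *  - rmdir() only removes empty directories, so the contents are now deleted
 *    first, children before parents.
 *
 * Symbolic links are unlinked rather than followed, so nothing outside the
 * tool directory is touched. Does nothing when the webroot global is unset
 * or empty, or when the directory does not exist.
 */
function remove()
{
    if (empty($GLOBALS["webroot"])) {
        return;
    }

    $target = $GLOBALS["webroot"] . '/lp-msh-scanner';
    if (is_link($target) || !is_dir($target)) {
        return;
    }

    $entries = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($target, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($entries as $entry) {
        $path = $entry->getPathname();
        if ($entry->isDir() && !$entry->isLink()) {
            rmdir($path);
        } else {
            unlink($path);
        }
    }

    rmdir($target);
}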
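/**
 * Print the landing-page summary shown when no action was selected.
 *
 * Reports whether any PHP functions are disabled, prints usage hints, and
 * then shells out for: the size of /home/<user>/public_html, the number of
 * files under ../, php.ini files that enable register_globals, and the
 * process list filtered by the current user name.
 *
 * Change from the previous version: $df was read as an undefined local
 * variable, so the "no functions are disabled" line was printed no matter
 * what the configuration was. The value is now taken from the global $df
 * when one exists, otherwise from the disable_functions ini setting.
 * NOTE(review): the definition of the global $df is not visible here; it is
 * assumed to hold the disabled-function list - confirm.
 *
 * The <pre> opened at the end is left open, as before.
 */
function norun()
{
    $df = isset($GLOBALS['df']) ? $GLOBALS['df'] : (string) ini_get('disable_functions');

    if ('' == $df) {
        echo "<font color='#0000FF'>[X]=> <font color='#04B404'>No functions are disabled, this script should run without issues <br /></font> ";
    } else {
        echo "<font color='#FF0000'>WARNING!: The following functions are disabled, please check your php.ini ".htmlspecialchars($df, ENT_QUOTES)." <br /></font> ";
    }

    echo "<font color='#0000FF'>[X]=> <font color='#04B404'>Use any of the <font color='#0000FF'>functions</font> above in order to suit your needs<br /></font> ";
    echo "<font color='#0000FF'>[X]=> <font color='#04B404'>Please be patient as this script uses recursive queries in order to determine the files<br /></font> ";
    echo "<font color='#0000FF'>[X]=> <font color='#04B404'>If you run this script on accounts higher than <font color='#0000FF'>50GB in size please monitor server load</font><br /></font>
";
    echo "<font color='#0000FF'>[X]=> <font color='#04B404'>There might be some false positives so please always <font color='#0000FF'>double check results</font><br /></font> ";

    echo $GLOBALS["red"] . "account size is: </span>";
    system("du -sh /home/`whoami`/public_html");

    echo $GLOBALS["red"] . "total files in public_html: </span>";
    system("find ../ -type f | wc -l");

    echo '<br />php.ini files with register_globals enabled: <br />';
    system("find ../ -name php.ini -exec grep -Hli '^register_globals.*=.*On' {} \;");

    echo '<br />Running processes:';
    echo '<br><pre>';
    system("ps -eo pid,user,cmd | grep `whoami`");
}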
// Top-level output: emitted whenever this file is executed, before the
// function definitions that follow are dispatched to.
print '<br><pre>';
//starting script functions
/**
 * Load cms-ver.php, where the version-check logic was moved to keep this
 * file smaller. require_once makes repeated calls load it only once.
 */
function version()
{
    require_once "cms-ver.php";
}
//custom pattern scanner
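/**
 * Show the custom-string form and list files under public_html that match.
 *
 * On submit, runs a recursive grep (-RHl: list matching file names) for the
 * submitted pattern over /home/<current user>/public_html.
 *
 * Changes from the previous version:
 *  - The submitted value was concatenated into the shell command unescaped,
 *    which allowed shell command injection; it is now passed
 *    through escapeshellarg() and given to grep with -e, so a value starting
 *    with "-" is not read as an option.
 *  - The value was echoed back into the page unescaped (reflected XSS); it is
 *    now HTML-escaped.
 *  - An empty value is rejected; previously grep then took the directory
 *    path as its pattern.
 *  - A missing "submit" field no longer raises an undefined-index notice.
 *
 * The value is still interpreted by grep as a regular expression, as before.
 */
function custom()
{
    echo '<form method="post" enctype="multipart/form-data"><br /><hr>';
    echo '<b>Enter desired string:</b></td><td><input name="customz" id="customz" type="text" size="100">';
    echo '<input name="submit" type="submit" value="Go">';

    if (!isset($_POST['submit']) || $_POST['submit'] !== "Go") {
        return;
    }

    $string = (isset($_POST["customz"]) && is_string($_POST["customz"])) ? $_POST["customz"] : '';
    if ($string === '') {
        echo "<br />No search string given.<br/>";
        return;
    }

    echo "<br />Scanning for: ".htmlspecialchars($string, ENT_QUOTES)."<br/>";
    system('grep -RHl -e '.escapeshellarg($string).' -- /home/`whoami`/public_html');
}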
/*
function spam(){
<u style="display: block;overflow: hidden;width: 0;height: 0;">
<div style="position: absolute; left: -5000px; font-size: 0; width: 1; height: 0; overflow: hidden;">
}
*/
// Checking for suspicious files in /tmp
/**
 * List entries in /tmp whose ls -al line mentions the current user name,
 * leaving out PHP session files (names containing "sess_").
 *
 * The <pre> opened here is not closed by this function.
 */
function tmpcheck()
{
    $heading = '<p>'
        . '<h4><b><u>Suspicious files in /tmp:</h4></b></u>'
        . '<br><pre>';
    echo $heading;

    $listing = "ls -al /tmp/ | grep `whoami` | grep -v sess_";
    system($listing);
}
// check broken symlinks
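/**
 * Print every symbolic link under ../ whose target does not exist, one per
 * line in the form "<path> is broken".
 *
 * Change from the previous version: the shell loop was written inside a
 * double-quoted PHP string, so PHP replaced "$i" with an undefined (empty)
 * variable before the shell ever saw it. The test then became "[ -e ]",
 * which is always true, and no link was ever reported. The check is now done
 * by find itself, which also copes with paths that contain spaces.
 *
 * The <pre> opened here is not closed by this function.
 */
function symcheck()
{
    echo '</pre></p><p>';
    echo 'Broken symlinks:';
    echo '<br><pre>';
    // "test -e" follows the link, so it fails exactly for dangling links.
    system('find ../ -type l ! -exec test -e {} \; -exec echo {} is broken \;');
}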
// Searching for malicious php shells
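/**
 * Print the "PHPShell scan" heading and declare the parse_dir() scanner.
 *
 * NOTE(review): as written, this function only declares parse_dir(); nothing
 * in the visible code calls it, and the globals it reads are assigned after
 * the dispatcher has already run, so selecting this action prints the heading
 * and no scan results.
 *
 * Changes from the previous version:
 *  - parse_dir() is declared only once, so calling infection() twice no
 *    longer fails with a redeclaration error.
 *  - $dirs and $shfound are initialised instead of relying on @-suppressed
 *    undefined variables (count() on null is an error on current PHP).
 *  - The directory loop compared the entry by truthiness and stopped at a
 *    file named "0"; it now stops only at the end of the directory.
 *  - Directories are queued and skipped instead of also being opened and
 *    read as files; symlinked directories are not descended into, which
 *    avoids endless recursion through link loops.
 *  - The generic marker is lower-cased before it is searched for in the
 *    lower-cased contents; a marker with capitals could never match.
 *  - A definition that decodes to an empty string is ignored rather than
 *    matching every file.
 *  - Paths and ids are HTML-escaped and the href attribute is quoted, since
 *    file names on a compromised account are attacker-controlled.
 *  - Unreadable directories and files are skipped instead of raising errors.
 */
function infection()
{
    echo '</pre></p><p>';
    echo 'Let`s find if there is a malicious base64 infection:<br />';

    if (function_exists('parse_dir')) {
        return;
    }

    /**
     * Recursively scan $dir and print files whose contents contain a known
     * signature.
     *
     * Reads the globals $settings ('SIZE_LIMIT', 'USE_DEFINITIONS'),
     * $shell_definitions (arrays holding an 'id' plus base64-encoded markers)
     * and $generic (marker used when definitions are switched off). Files
     * larger than SIZE_LIMIT and the running script itself are skipped. At
     * most one hit is reported per file.
     */
    function parse_dir($dir)
    {
        global $shell_definitions;
        global $generic;
        global $settings;

        $dirs = array();
        $shfound = '';

        $dh = @dir($dir);
        if (!$dh) {
            return;
        }

        while (false !== ($entry = $dh->read())) {
            $path = $dir . '/' . $entry;

            if ($entry == '.' ||
                $entry == '..' ||
                @filesize($path) > $settings['SIZE_LIMIT'] ||
                $entry === basename($_SERVER['PHP_SELF'])) {
                continue;
            }

            if (@is_dir($path)) {
                if (!is_link($path)) {
                    $dirs[] = $path;
                }
                continue;
            }

            $size = @filesize($path);
            if (!($size > 0)) {
                continue;
            }

            $h = @fopen($path, 'r');
            if (!$h) {
                continue;
            }
            $cnt = fread($h, $size);
            fclose($h);

            // Lower-case once per file instead of once per signature.
            $haystack = strtolower((string) $cnt);
            $shown = htmlspecialchars($path, ENT_QUOTES);

            if ($settings['USE_DEFINITIONS']) {
                foreach ($shell_definitions as $definition) {
                    $id = isset($definition['id']) ? $definition['id'] : '';
                    foreach ($definition as $key => $el) {
                        if ($key === 'id') {
                            continue;
                        }
                        $needle = strtolower((string) base64_decode($el));
                        if ($needle === '') {
                            continue;
                        }
                        if (strpos($haystack, $needle) !== false) {
                            $shfound .= '<br />Probabile shell [' . htmlspecialchars($id, ENT_QUOTES)
                                . ']: <b> <a href="' . $shown . '" target="_blank">' . $shown
                                . '</a></b><br />';
                            // One report per file: leave both signature loops.
                            break 2;
                        }
                    }
                }
            } else {
                $needle = strtolower((string) $generic);
                if ($needle !== '' && strpos($haystack, $needle) !== false) {
                    $shfound .= 'Probabile shell [generica]: <b>' . $shown . '</b><br />';
                }
            }
        }
        $dh->close();

        if ($shfound !== '') {
            echo '<b>Directory: ' . htmlspecialchars($dir, ENT_QUOTES) . '</b>';
            echo $shfound;
        }

        foreach ($dirs as $sub) {
            parse_dir($sub);
        }
    }
}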
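// Dispatch the action named in ?run=... to its handler function.
//
// Only names on the fixed list below are ever called; the request value is
// never used as a function name directly. Anything else (including a missing
// or non-string value) falls through to norun().
//
// Changes from the previous version:
//  - 'execcmd' called execcmd(), but the function defined in this file is
//    execmd(); the action is now mapped to the existing function.
//  - A listed handler that is not defined falls back to norun() instead of
//    stopping the page with a fatal error.
//  - ?run[]=... (an array) is treated as "no action".
//
// NOTE(review): no authentication or anti-CSRF check is visible in this part
// of the file, and every action here - including the ones that modify or
// delete files - is reachable with a plain GET. Confirm that access is
// restricted elsewhere (for example by web-server authentication).
$linkchoice = (isset($_GET['run']) && is_string($_GET['run'])) ? $_GET['run'] : '';

$actions = array(
    'removezero', 'findchmod', 'optim', 'addsec', 'getcleaner', 'tmpcheck',
    'prefix', 'symcheck', 'infection', 'pwds', 'mailing', 'mysqlsearch',
    'remove', 'clean', 'loop', 'otherinfect', 'hta', 'version', 'checkexif',
    'transfer', 'cleanexif', 'custom', 'iframe', 'lastfiles', 'execcmd',
    'mysqlpwd', 'findbackups', 'findlarge', 'findsql', 'findsymlinks',
    'zencart', 'getsize', 'repl', 'fixperms', 'checklarge', 'processlist',
    'scanme', 'cleanPHP', 'securetemps', 'cleanPL', 'insecplug', 'reshog',
    'findbot', 'cleangravity', 'cleanupl',
);

// Actions whose handler function has a different name than the action.
$aliases = array(
    'execcmd' => 'execmd',
);

$handler = '';
if (in_array($linkchoice, $actions, true)) {
    $handler = isset($aliases[$linkchoice]) ? $aliases[$linkchoice] : $linkchoice;
}

if ($handler !== '' && function_exists($handler)) {
    call_user_func($handler);
} else {
    norun();
    echo 'no function chosen. please pick a function from the menu above';
}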
// Scanner settings read by parse_dir() through "global $settings".
// This assignment comes after the dispatch switch earlier in the file, so a
// handler started by that switch runs before these values exist.
$settings = array();
$settings['BASE_DIR'] = $GLOBALS["webroot"];   // directory the scan is meant to start from
$settings['USE_DEFINITIONS'] = true;           // match against $shell_definitions rather than $generic
$settings['SIZE_LIMIT'] = 1048576;             // files larger than this many bytes (1 MB) are skipped
$shell_definitions = array (
array( 'id' => 'Database', 'def1' => 'cGhwTXlBZG1pbiBTUUwgRHVtcA==', 'def2' => 'cGhwQkIgQmFja3VwIFNjcmlwdA==', 'def3' => 'VkFMVUVTKCIxIiwi' ),
array( 'id' => 'Ciro1992Shell', 'def1' =>
'JHRleHRbMV0gPSAifCBTYWZlIG1vZGUgPSAiOw0KJHRleHRbMl0gPSAiT24iOw0KJHRleHRbM10gPSAiT2ZmIjsNCiR0ZXh0WzRdID0gIk1hZ2ljcyBRdW90ZXMgPSAiOw0KJHRleHRbNV0gPSAiIHwgIjsNCiR0ZXh0WzZdID0gIk15U3FsID0gIjsNCiR0ZXh0WzddID0gIkhkZCBMaWJlcm8gOiAi',
'def2' => 'JHRleHRbMzZdID0gIi46Oi4gUG93ZXJlZCBieSBDaXJvMTk5MiAtIEJsYWNrIE1pbGl0aWEgVGVhbQ==' ),
array( 'id' => 'Ka_uShell', 'def1' => 'PHRpdGxlPktBX3VTaGVsbCAwLjEuNjwvdGl0bGU+', 'def2' =>
'Ly8gTWVudQ0KZWNobyAiDQp8PGEgaHJlZj0kc2VsZj9hYz1zaGVsbD5TaGVsbDwvYT58DQp8PGEgaHJlZj0kc2VsZj9hYz11cGxvYWQ+RmlsZSBVcGxvYWQ8L2E+fA0KfDxhIGhyZWY9JHNlbGY/YWM9dG9vbHM+VG9vbHM8L2E+fA0KfDxhIGhyZWY9JHNlbGY/YWM9ZXZhbD5QSFAgRXZhbCBDb2RlPC9hPnwNCnw8YSBocmVmPSRzZWxmP2FjPXdob2lzPldob2lzPC9hPnwNCjxicj48YnI+PGJyPjxwcmU+Ijs='
),
array( 'id' => 'DxShell', 'def1' => 'aWYgKGhlYWRlcnNfc2VudCgpKSAkRFhHTE9CQUxTSElUPXRydWU7IGVsc2UgJERYR0xPQkFMU0hJVD1GQUxTRTs=', 'def2' =>
'aWYgKCEoJGRpcl9wdHI9b3BlbmRpcigkX0dFVFsnZHhkaXInXSkpKSBkaWUoRHhFcnJvcignVW5hYmxlIHRvIG9wZW4gZGlyIGZvciByZWFkaW5nLiBQZXJtcz8uLi4nKSk7' ),
array( 'id' => 'Crystal', 'def1' =>
'aWYgKCRhY3QgPT0gImFib3V0Iikge2VjaG8gIjxjZW50ZXI+PGI+Q29kaW5nIGJ5Ojxicj48YnI+U3VwZXItQ3J5c3RhbDxicj4mPGJyPk1vaGFqZXIyMjxicj4tLS0tLTxicj5UaGFua3MgPGJyPlRyWWFHIFRlYW0gPGJyPiBBcmFiU2VjdXJpdHlDZW50ZXIgVGVhbSA8YnI+Q1JZU1RBTC1IIFZlcnNpb246MCBCZXRhIHBocHNoZWxsIGNvZGU8YnI+U2F1ZGkgQXJhYmljICA8L2E+LjwvYj4iO30=',
'def2' => 'aWYoZW1wdHkoJF9QT1NUWydNb2hhamVyMjInXSkpew==' ),
array( 'id' => 'Antichat', 'def1' => 'PHRkPjxhIGhyZWY9IiMiIG9uY2xpY2s9ImRvY3VtZW50LnJlcXMuYWN0aW9uLnZhbHVlPSdzaGVsbCc7IGRvY3VtZW50LnJlcXMuc3VibWl0KCk7Ij58IFNoZWxsIDwvYT48L3RkPg==',
'def2' =>
'PHRhYmxlIHN0eWxlPSJCT1JERVItQ09MTEFQU0U6IGNvbGxhcHNlIiBjZWxsU3BhY2luZz0wIGJvcmRlckNvbG9yRGFyaz0jNjY2NjY2IGNlbGxQYWRkaW5nPTUgd2lkdGg9IjEwMCUiIGJnQ29sb3I9IzMzMzMzMyBib3JkZXJDb2xvckxpZ2h0PSNjMGMwYzAgYm9yZGVyPTE+'
),
array( 'id' => 'Arabic', 'def1' => 'dHJ5YWcucGhwIC0gaHR0cDovL3dXdy50cnlhZy5jT20=', 'def2' => 'ZXhpdCgiPGI+PGEgaHJlZj1odHRwOi8vd1d3LnRyeWFnLmNPbT50cnlhZy10ZWFtPC9hPg==' ),
array( 'id' => 'ZipShell', 'def1' => 'WmlwU2hlbGwgVjEuMSBQcml2YXRlIEVkaXRvbiBbR1JFWS1IQVQtSEFDS0lOR10=', 'def2' =>
'JHRoaXMtPl9fZXJyb3IoJ2NyZWF0aW9uJywnVW5rbm93biBtZXRob2Q6IDx1PicuJHR5cGUuJzwvdT4uIFVzZSBjb25zdGFudHMgPGI+U1pJUF9EVU1QPC9iPiBvcg==' ),
array( 'id' => 's101', 'def1' => 'ZWNobyAiRWxlbmNvIGNhbXBpIHByZXNlbnRpIG5lbGxhIFRhYmVsbGE6PGI+ICR0YWI8L2I+IDxicj4iOw==', 'def2' => 'czEwMSBJbnRlcmFtZW50ZSBjcmVhdGEgZGEgU29yYTEwMQ=='
),
array( 'id' => '0-Day_Script', 'def1' => 'PGhlYWQ+PHRpdGxlPlBvd2VyZWQgQnkgI1NjYW4tWDwvdGl0bGU+PC9oZWFkPg==', 'def2' =>
'PGhlYUJ5IFRoaXMgc2NyaXB0IHlvdSBjYW4ganVtcCBpbiB0aGUgKFNhZmUgTW9kZT1PTik=' ),
array( 'id' => 'nefastica', 'def1' => 'TjNmYTV0MWNBIFNoM2xs', 'def2' => 'ZnVuY3Rpb24gaXNfb3duZXIoKXsNCiRjb29raWUgPSAkX0NPT0tJRVsnY29va2llX25hbWUnXTs=' ),
array( 'id' => 'k0tw', 'def1' => 'UDBzdCBNM3RoMGQgcDB3NGgh', 'def2' => 'ISEtIFdoMTczIGg0NyByMHggLSEh', 'def3' => 'azB0dyBzaDNsbCBieSBLaU5nT2ZUaEV3T3JMZA==' ),
array( 'id' => 'dc3', 'def1' => 'U2hlbGwgd3JpdHRlbiBieSBCbDBvZDNy', 'def2' =>
'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'
),
array( 'id' => 'Backdoor', 'def1' => 'PGEgaHJlZj0iPD9waHAgZWNobyAkX1NFUlZFUlsnUEhQX1NFTEYnXTsgPz4/ZGlyPSI+', 'def2' => 'c2lyaXVzX2JsYWNr' ),
array( 'id' => 'n3tShell', 'def1' => 'TjN0c2hleGl0KCk7', 'def2' => 'RW1wM3JvciBVbmRldGVjdGFibGU=' ),
array( 'id' => 'Nexen', 'def1' => 'TmV4cGwwcmVyIFNoZWxs', 'def2' => 'aWYgKCRfUE9TVFsnbW9kZSddID09ICJ1cGxvYWR6Iikgew==' ),
array( 'id' => '33rd', 'def1' => 'MzNyZCBTaGVsbA==', 'def2' => 'Ynk6Z3IzM24=' ),
array( 'id' => 'c99', 'def1' => 'Yzk5c2g=', 'def2' => 'T0RoVDJDOU43YkJmYm5uRE50bXYwVURsdjVZRDltdmFHWEk4WFl4bg==' ),
array( 'id' => 'r57-2', 'def1' => 'TUFYNjY2QGlyYW5zdGFycy5jb20=', 'def2' =>
'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'
),
array( 'id' => 'Uploader', 'def1' => 'JF9GSUxFU1snbWlvZmlsZSddWyd0bXBfbmFtZSddOw==', 'def2' => 'aWYgKG1vdmVfdXBsb2FkZWRfZmlsZSg=' ),
array( 'id' => 'Cod3rz', 'def1' =>
'PHRkPjxiPkZpbGUgTmFtZTo8L2I+PC90ZD48dGQ+PGI+VHlwZTo8L2I+PC90ZD48dGQgd2lkdGg9MTUlPjxiPlNpemU6PC9iPjwvdGQ+PHRkIHdpZHRoPTEwJT48Yj5QZXJtczo8L2I+PC90ZD4kbGlzdGY8L2ZvbnQ+', 'def2' =>
'RGV2aWxzIE5pZ2h0IENyZXc=', 'def3' => 'LSBDb2Qzcno8L3RpdGxlPg==' ),
array( 'id' => 'r57', 'def1' => 'cjU3c2g=', 'def2' => 'SXlFdmRYTnlMMkpwYmk5d1pYSnNEUXAxYzJVZw==' ),
array( 'id' => 'Fire-Crash', 'def1' => 'PHRpdGxlPkZpUmUtQ3JBc0g8L3RpdGxlPg==', 'def2' =>
'JGRpciA9ICIuIjsNCiRvcGVuID0gb3BlbmRpcigkZGlyKTsNCiRyZWFkID0gcmVhZGRpcigkb3Blbik7DQplY2hvICJMaXN0IEZpbGVzOiA8YnI+PGJyIjsNCndoaWxlICgkcmVhZCA9IHJlYWRkaXIoJG9wZW4pKQ0Kew0KZWNobyAiPGEgaHJlZj0kcmVhZD4kcmVhZDwvYT48YnI+Ijs='
),
array( 'id' => 'Root Shell', 'def1' => 'Um9vdFNo', 'def2' => 'PHA+PGZvbnQgZmFjZT0iV2ViZGluZ3MiIHNpemU9IjYiIGNvbG9yPSIjMDBGRjAwIj4hPC9mb250Pjxicj4=' ),
array( 'id' => 'Fatal_Shell', 'def1' => 'RmFUYUwgU2hlbGw=', 'def2' => 'RmFUYUxTaGVMTA==' ),
array( 'id' => 'KA-uShell', 'def1' => 'S0FfdVNoZWxs', 'def2' => 'QXV0aG9yOiBLQWRvdA==' ),
array( 'id' => 'GFS Shell', 'def1' => 'R0ZTIFdlYi1TaGVsbA==', 'def2' => 'STJsdVkyeDFaR1VnUEhOMFpHbHZMbWcrRFFvamFXNWpiSFZrWlNBOGMzUnlhVzVuTG1nK0RRb2phVzVqYkhWa1o=', 'def3' =>
'WENJN0RRb05Dbk4xWWlCd2NtVm1hWGdnZXcwS0lHMTVJQ1J1YjNjZ1BTQnNiMk5oYkhScGI=' ),
array( 'id' => 'Defacing Tool Pro', 'def1' => 'cjN2M25nNG5zIDpQ', 'def2' => 'RFRvb2wgUHJv' ),
array( 'id' => 'Private Arabic Shell', 'def1' => 'aHR0cDovL3dXdy50cnlhZy5jT20=', 'def2' => 'dHJ5YWdAdHJ5YWcuY29t', 'def3' => '0JfQsdCe0L3Ql9Ch0JfQmg==' ),
array( 'id' => 'Bk-Code Shell', 'def1' => 'QmstQ29kZSBzaGVsbA==', 'def2' => 'QXJhYi1TZWNyZXRzLVRlYW0=' ),
array( 'id' => 'SnIpEr_SA Shell', 'def1' => 'U25JcEVyX1NB', 'def2' => 'M2FzZmgubmU=' ),
array( 'id' => 'Fileman', 'def1' => 'RmlsM21hbg==' ),
array( 'id' => 'Ajax/PHP Command Shell', 'def1' => 'PGJyPg0KPGI+PGZvbnQgc2l6ZT0zPkFqYXgvUEhQIENvbW1hbmQgU2hlbGw8L2I+PC9mb250Pjxicj5ieSBJcm9uZmlzdA0KPGJyPg0K', 'def2' =>
'ICAgIGFqYXhSZXF1ZXN0Lm9ucmVhZHlzdGF0ZWNoYW5nZSA9IGZ1bmN0aW9uKCl7DQogICAgICAgIGlmKGFqYXhSZXF1ZXN0LnJlYWR5U3RhdGUgPT0gNCl7DQogICAgICAgIG91dHB1dGNtZCA9ICI8cHJlPiIgICsgb3V0cHV0Y21kICsgYWpheFJlcXVlc3QucmVzcG9uc2VUZXh0ICsiPC9wcmU+IjsNCg0K'
),
array( 'id' => 'Anti Chat', 'def1' => 'JHBhc3N3b3JkPSdyMDB0JzsNCiRhdXRoPTE7DQokdmVyc2lvbj0ndmVyc2lvbiAxLjMgYnkgR3JpbmF5JzsNCg0KDQo=', 'def2' =>
'ZWNobyAiPC90YWJsZT4iOw0KfX19DQoNCmlmKCRhY3Rpb249PSJ2aWV3ZXIiKXsNCnNjYW5kaXJlKCRkaXIpOw0KfQ0KLy9lbmQgdmlld2VyIEZTDQoNCg0KDQo=' ),
array( 'id' => 'Ayyildiz Tim | AYT | Shell v 2.1 Biz', 'def1' =>
'PHRpdGxlPkhBQ0tFRCBCWSBBWVlJTERJWiCZPC90aXRsZT4NCjxTVFlMRSBUWVBFPSJ0ZXh0L2NzcyI+DQo8IS0tDQoNCmJvZHkgeyANCnNjcm9sbGJhci0zZC1saWdodC1jb2xvciA6ICM0MDQwNDA7DQoNCg0KDQo=', 'def2' =>
'PGNlbnRlcj48Zm9udCBjb2xvcj0icmVkIiBzaXplPSIxMCIgZmFjZT0iSW1wcmludCBNVCBTaGFkb3ciPg0KIDwvZm9udD4NCg==' ),
array( 'id' => 'azrail 1.0 by C-W-M', 'def1' =>
'aWYgKCRvcD09J3BocGluZm8nKXsNCiRmb25rX2thcCA9IGdldF9jZmdfdmFyKCJmb25rc2l5b25sYXL9X2thcGF0Iik7DQogICAgICAgIGVjaG8gJHBocGluZm89KCFlcmVnaSgicGhwaW5mbyIsJGZvbmtfa2FwYXQpKSA/IHBocGluZm8oKSA6ICI8Y2VudGVyPnBocGluZm8oKSBLb211dHUgx2Fs/f5t/XlpaWk8L2NlbnRlcj4iOw0KICAgICAgICBleGl0Ow0KfQ0K',
'def2' => 'ICAgICAgPGhlYWQ+DQogICAgICAgICAgICAgPHRpdGxlPmF6cmFpbCAxLjAgYnkgQy1XLU08L3RpdGxlPg0KICAgICAgPC9oZWFkPg0KDQo=' ),
array( 'id' => 'Ajax/PHP Command Shell', 'def1' => 'PGJyPg0KPGI+PGZvbnQgc2l6ZT0zPkFqYXgvUEhQIENvbW1hbmQgU2hlbGw8L2I+PC9mb250Pjxicj5ieSBJcm9uZmlzdA0KPGJyPg0K', 'def2' =>
'ICAgIGFqYXhSZXF1ZXN0Lm9ucmVhZHlzdGF0ZWNoYW5nZSA9IGZ1bmN0aW9uKCl7DQogICAgICAgIGlmKGFqYXhSZXF1ZXN0LnJlYWR5U3RhdGUgPT0gNCl7DQogICAgICAgIG91dHB1dGNtZCA9ICI8cHJlPiIgICsgb3V0cHV0Y21kICsgYWpheFJlcXVlc3QucmVzcG9uc2VUZXh0ICsiPC9wcmU+IjsNCg0K'
),
array( 'id' => 'Backup script on server', 'def1' =>
'JGZ0cGNvbm5lY3QgPSAibmNmdHBwdXQgLXUgJGZ0cF91c2VyX25hbWUgLXAgJGZ0cF91c2VyX3Bhc3MgLWQgZGVic2VuZGVyX2Z0cGxvZy5sb2cgLWUgZGJzZW5kZXJfZnRwbG9nMi5sb2cgLWEgLUUgLVYgJGZ0cF9zZXJ2ZXIgJGZ0cF9wYXRoICRmaWxlbmFtZTIiOw0Kc2hlbGxfZXhlYygkZnRwY29ubmVjdCk7DQo=',
'def2' =>
'JG1lc3NhZ2UgPSAiVGhpcyBpcyBhIG11bHRpLXBhcnQgbWVzc2FnZSBpbiBNSU1FIGZvcm1hdC5cblxuIi4iLS17JG1pbWVfYm91bmRhcnl9XG4iIC4iQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluOyBjaGFyc2V0PVwiaXNvLTg4NTktMVwiXG4iIC4iQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogN2JpdFxuXG4iIC4='
),
array( 'id' => 'rgod shell', 'def1' => 'ZUp6c3ZXMlBxa3IzTi9oK2t2a084KzUvSi85a0FxaDliWk5KSm8wQ2lvSk5RUlZTYnlZb25rWXBsTjF0Ky9UcFo2MnF3c2JkdmEvSGM5K1pTVQ==', 'def2' =>
'LS0gRG8gbm90IERpc3RpYnV0ZSBUaGlzIHNoZWxsDQotLSBEbyBub3QgU2VsbCBUaGlzIHNoZWxsDQotLSBEbyBub3QgZ2l2ZSBpdCBldmVuIHRvIHlvdXIgbW90aGVyDQotLSBieSByZ29kIA==' ),
array( 'id' => 'Symlink User Bypass', 'def1' =>
'PGZvcm0gc3R5bGU9ImJvcmRlcjogNHB4IHJpZGdlICNGRkZGRkYiPg0KPHAgYWxpZ249ImNlbnRlciIgZGlyPSJydGwiPjxmb250IGNvbG9yPSIjRkYwMDAwIj48c3BhbiBsYW5nPSJhci1zYSI+PGI+DQombmJzcDsgLT1bU3ltbGluayBUb29scyB0byBieXBhc3MgdXNlcl1WLjMgPS0NCjwvYj4NCg==',
'def2' =>
'ICA8Zm9udCBjb2xvcj0iI0ZGRkZGRiI+by0tLVs8L2ZvbnQ+IDxmb250IGNvbG9yPSIjRkYwMDAwIj5EZXZlbG9wZXIgYnkgU25JcEVyX1NBCSBTeW1saW5rIFVzZXIgQnlwYXNzIDwvZm9udD4gPGZvbnQgY29sb3I9IiNGRkZGRkYiPnw8L2ZvbnQ+IDxhIGhyZWY9aHR0cDovL3NuaXBlci1zYS5jb20+aHR0cDovL3NuaXBlci1zYS5jb208L2E+DQogIDxmb250IGNvbG9yPSIjRkZGRkZGIj58PC9mb250PiA8Zm9udCBjb2xvcj0iI0ZGMDAwMCI+DQo='
),
array( 'id' => 'C100 Yarakam Modified Shell', 'def1' =>
'aWYgKCFlbXB0eSgkdW5zZXRfc3VybCkpIHtzZXRjb29raWUoImsxcjRfc3VybCIpOyAkc3VybCA9ICIiO30NCmVsc2VpZiAoIWVtcHR5KCRzZXRfc3VybCkpIHskc3VybCA9ICRzZXRfc3VybDsgc2V0Y29va2llKCJrMXI0X3N1cmwiLCRzdXJsKTt9DQplbHNlIHskc3VybCA9ICRfUkVRVUVTVFsiazFyNF9zdXJsIl07IC8vU2V0IHRoaXMgY29va2llIGZvciBtYW51YWwgU1VSTA0KfQ0KDQo=',
'def2' => 'aWYgKCRzdXJsX2F1dG9maWxsX2luY2x1ZGUgYW5kICEkX1JFUVVFU1RbImsxcjRfc3VybCJdKSANCg0KDQo=' ),
array( 'id' => 'c99shell v. 1.0 pre-release build', 'def1' => 'Zi8vSzhvbytJeUgwejNpOHNwWEdEblpDVW5uWFQ=', 'def2' =>
'bEpmY3U3bUIydkJuSURHTkZGRnpEbVROdzNtSU9aWlB2MndHakRzZ2cyWHFHYk90L2ROc2xILysvLys5ZS8vS1k2ays2ZA0K' ),
array( 'id' => 'N3tShell Emp3ror Undetectable (C99)', 'def1' =>
'JHNhZmVtb2RlX2Rpc2tldHRlcyA9IGFycmF5KCJhIik7IC8vIFRoaXMgdmFyaWFibGUgZm9yIGRpc2FibGluZyBkaXNrZXR0LWVycm9ycy4NCiAvLyBhcnJheSAoaT0+e2xldHRlcn0gLi4uKTsgc3RyaW5nIHtsZXR0ZXJ9IC0gbGV0dGVyIG9mIGEgZHJpdmUNCi8vJHNhZmVtb2RlX2Rpc2tldHRlcyA9IHJhbmdlKCJhIiwieiIpOw0KJGhleGR1bXBfbGluZXMgPSA4Oy8vIGxpbmVzIGluIGhleCBwcmV2aWV3IGZpbGUNCiRoZXhkdW1wX3Jvd3MgPSAyNDsvLyAxNiwgMjQgb3IgMzIgYnl0ZXMgaW4gb25lIGxpbmUNCg=='
),
array( 'id' => 'C99 Saldiri.org version', 'def1' => 'aWYgKCFmdW5jdGlvbl9leGlzdHMoImsxcjRfYnVmZl9wcmVwYXJlIikpDQp7DQpmdW5jdGlvbiBrMXI0X2J1ZmZfcHJlcGFyZSgpDQo='),
array( 'id' => 'CGI Telnet', 'def1' => 'c3ViIFJlYWRQYXJzZQ0Kew0KICAgICAgICBsb2NhbCAoKmluKSA9IEBfIGlmIEBfOw0KICAgICAgICBsb2NhbCAoJGksICRsb2MsICRrZXksICR2YWwpOw0KDQoNCg=='),
array( 'id' => 'CTT Shell', 'def1' =>
'aWYgKCRhY3QgPT0gImZ0cHF1aWNrYnJ1dGUiKQ0Kew0KIGVjaG8gIjxiPkZ0cCBRdWljayBicnV0ZTo8L2I+PGJyPiI7DQogaWYgKCR3aW4pIHtlY2hvICJUaGlzIGZ1bmN0aW9ucyBub3Qgd29yayBpbiBXaW5kb3dzITxicj48YnI+Ijt9DQogZWxzZQ0KIHsNCiAgZnVuY3Rpb24gY3RmdHBicnV0ZWNoZWNrKCRob3N0LCRwb3J0LCR0aW1lb3V0LCRsb2dpbiwkcGFzcywkc2gsJGZxYl9vbmx5d2l0aHNoKQ0KICB7DQppZiAoJGZxYl9vbmx5d2l0aHNoKQ0KDQo='),
array( 'id' => 'Cyber Shell', 'def1' =>
'PGNlbnRlcj4uOkN5YmVyIFNoZWxsICh2IDEuMCk6Ljxicj5Db3B5cmlnaHQgqSA8YSBocmVmPSJodHRwOi8vd3d3LmN5YmVybG9yZHMubmV0IiB0YXJnZXQ9Il9ibGFuayI+Q3liZXIgTG9yZHMgQ29tbXVuaXR5PC9hPiwgMjAwMi0yMDA2PC9jZW50ZXI+'),
array( 'id' => 'Dive Shell', 'def1' => 'LypFbXBlcm9yIEhhY2tpbmcgVEVBTSAqLw0KICBzZXNzaW9uX3N0YXJ0KCk7DQo='),
array( 'id' => 'DTool Pro Shell', 'def1' =>
'aWYoaXNzZXQoJGNoZGlyKSkgQGNoZGlyKCRjaGRpcik7DQpmdW5jdGlvbiBzYWZlbW9kZSgkd2hhdCl7ZWNobyAiVGhpcyBzZXJ2ZXIgaXMgaW4gc2FmZW1vZGUuIFRyeSB0byB1c2UgRFRvb2wgaW4gU2FmZW1vZGUuIjt9DQo='),
array( 'id' => 'Erne Safe Mode Bypass Shell', 'def1' =>
'PHRyPjx0ZD48Y2VudGVyPjxmb250IHNpemU9IjQiIGNvbG9yPSIjRkZGRkZGIj48c3BhbiBzdHlsZT0iYmFja2dyb3VuZC1jb2xvcjogIzAwMDAwMCI+RXJOZSBTYWZlIE1vZGUgQnlwYXNzIEZvciBCaXlvU2VjdXJpdHkuTmV0PC9zcGFuPg0K'),
array( 'id' => 'GFS Shell', 'def1' => 'R0ZTIFdlYi1TaGVsbA0KKi8NCmVycm9yX3JlcG9ydGluZygwKTsNCmlmKCRfUE9TVFsnYl9kb3duJ10pew0K'),
array( 'id' => 'GNY Shell', 'def1' =>
'Ly93NGNrMW5nIFNoZWxsDQppZiAoIWZ1bmN0aW9uX2V4aXN0cygnbXlzaGVsbGV4ZWMnKSkNCnsNCmlmKGlzX2NhbGxhYmxlKCdwb3BlbicpKXsNCmZ1bmN0aW9uIG15c2hlbGxleGVjKCRjb21tYW5kKSB7DQoNCg=='),
array( 'id' => 'H4NTU Shell', 'def1' =>
'PD9waHANCmVjaG8gIjxwPjxmb250IHNpemU9MiBmYWNlPVZlcmRhbmE+PGI+VGhpcyBJcyBUaGUgU2VydmVyIEluZm9ybWF0aW9uPC9iPjwvZm9udD48L3A+IjsNCj8+DQoNCg0KDQo='),
array( 'id' => 'Heykir Shell', 'def1' =>
'ICRjb2Rlcj0iVGhlX0JlS2lSICAmICBUaVQgICYgUnVzbGFuICI7DQogJHN0cmluZyA9ICFlbXB0eSgkX1BPU1RbJ3N0cmluZyddKSA/ICRfUE9TVFsnc3RyaW5nJ10gOiAwOw0KICRzd2l0Y2ggPSAhZW1wdHkoJF9QT1NUWydzd2l0Y2gnXSkgPyAkX1BPU1RbJ3N3aXRjaCddIDogMDsNCg=='),
array( 'id' => 'iMHaP FTP Shell', 'def1' =>
'PEJPRFk+PElNRyBzdHlsZT0iV0lEVEg6IDMwNnB4OyBIRUlHSFQ6IDc2cHgiIGhlaWdodD0xMDAgDQpzcmM9Imh0dHA6Ly93d3cubmV0dGVraWFkcmVzLmNvbS9pbWhhYmlybGlnaS5qcGciIHdpZHRoPTI4Mj48L0JPRFk+DQo8YnI+PENlbnRlcj5TVSBBTiA8QSBocmVmPSJodHRwOi8vd3d3LmltaGFiaXJsaWdpLmNvbSI+aU1IYUJpUkxpR2k8L0E+IEhVRFVUTEFSSU5EQSBCVUxVTk1BS1RBU0lOSVouISE8L0NlbnRlcj4NCg0K'),
array( 'id' => 'Iron Shell', 'def1' =>
'cHJpbnQgIjxmb3JtIGFjdGlvbj1cIiIuJG1lLiI/cD1ldmFsXCIgbWV0aG9kPVBPU1Q+DQoNCgkJCQk8dGV4dGFyZWEgY29scz02MCByb3dzPTEwIG5hbWU9XCJldmFsXCI+IjsNCg0KCQkJCWlmKGlzc2V0KCRfUE9TVFsnZXZhbCddKSkNCg0KDQo='),
array( 'id' => 'JSP Shell', 'def1' =>
'PC90YWJsZT4NCjxwIGFsaWduPSJjZW50ZXIiPlBvd2VyIEJ5IL74ttTB47bIW0IuQy5UXSBRUTo0ODEyNDAxMjwvcD4NCjxwIGFsaWduPSJjZW50ZXIiPiZuYnNwOzwvcD4NCjwlfS8vaWYgZWRpdA0KDQoNCg=='),
array( 'id' => 'Kacak Shell', 'def1' =>
'PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9d2luZG93cy0xMjU0Ij4NCjx0aXRsZT5LYWNhayBGU08gMS4wIHwgVGVycm9yaXN0IENyZXcgLSBTaGVsbGNpLmJpejwvdGl0bGU+DQoNCg0K'),
array( 'id' => 'KADot Shell', 'def1' =>
'PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9d2luZG93cy0xMjU0Ij4NCjx0aXRsZT5LYWNhayBGU08gMS4wIHwgVGVycm9yaXN0IENyZXcgLSBTaGVsbGNpLmJpejwvdGl0bGU+DQoNCg0K'),
array( 'id' => 'Lama Shell', 'def1' => 'PGh0bWw+DQogIDxoZWFkPg0KICAgIDx0aXRsZT5sYW1hJ3MnaGVsbCB2LiAzLjA8L3RpdGxlPg0K'),
array( 'id' => 'Liz0zim Shell', 'def1' =>
'ZWNobyAiPGI+PGZvbnQgY29sb3I9Ymx1ZT5MaXowemlNIFByaXZhdGUgU2FmZSBNb2RlIENvbW1hbmQgRXhlY3VyaXRvbiBCeXBhc3MgRXhwbG9pdDwvZm9udD48L2I+PGJyPiI7DQo='),
array( 'id' => 'Load Shell', 'def1' => 'PHRpdGxlPkxvYWRlcid6IFdFQiBzaGVsbDwvdGl0bGU+DQo='),
array( 'id' => 'Moroccan Spamers Shell', 'def1' =>
'PHRkIHdpZHRoPSIzMTciIGJvcmRlcmNvbG9yPSIjQ0NDQ0NDIiBiZ2NvbG9yPSIjRjBGMEYwIiBiYWNrZ3JvdW5kPSIvc2ltcGFydHMvaW1hZ2VzL2NlbGxwaWMxLmdpZiIgaGVpZ2h0PSIyMiI+PGZvbnQgc2l6ZT0iLTEiIGZhY2U9IlZlcmRhbmEsIEFyaWFsLCBIZWx2ZXRpY2EsIHNhbnMtc2VyaWYiPiA='),
array( 'id' => 'MyShell Shell', 'def1' => 'PHRpdGxlPiRNeVNoZWxsVmVyc2lvbiAtIEFjY2VzcyBEZW5pZWQ8L3RpdGxlPg0KICAgICAgICAgPC9oZWFkPg0K'),
array( 'id' => 'MySQL Interface Shell', 'def1' =>
'KiBNeXNxbCBpbnRlcmZhY2UgdjEuMA0KKiAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQoqIERlc2NyaXB0aW9uIDoNCiogRHVuZ2AgZGUgbG9naW4gdmFvYCBDU0RMIGN1YSB2aWN0aW0ga2hpIGRhIGJpZXQgdXNlciB2YWAgcGFzcyBjdWEgbXlzcWwgdGhvbmcgcXVhIGZpbGUgY29uZmlnDQo='),
array( 'id' => 'Sora 101 shell', 'def1' =>
'fWVsc2VpZigkX0dFVFsiYXp6Il09PSJ2ZWRpIil7DQogICAgZWNobyBodG1sc3BlY2lhbGNoYXJzKGZpbGVfZ2V0X2NvbnRlbnRzKCRfR0VUWyJmaWxlIl0pKTsNCn1lbHNlaWYoJF9HRVRbImF6eiJdPT0iaW5jIil7DQogICAgaW5jbHVkZSgkX0dFVFsiZmlsZSJdKTsNCn0='),
array( 'id' => 'N Shell', 'def1' => 'PHRpdGxlPiBuU2hlbGwgdjEuMDwvdGl0bGU+DQo='),
array( 'id' => 'NCC Shell', 'def1' => 'PGgxPi46TkNDOi4gU2hlbGwgdjEuMC4wPC9oMT4NCg=='),
array( 'id' => 'Network File Manager PHP Shell', 'def1' => 'JHRpdGxlPSJOZXR3b3JrRmlsZU1hbmFnZXJQSFAgZm9yIGNoYW5uZWwgI2hhY2sucnUiOw0K'),
array( 'id' => 'Nix Remote Shell', 'def1' =>
'JHRpdGxlPSJOZXR3b3JrRmlsZU1hbmFnZXJQSFAgZm9yIGNoYW5uZWwgI2hhY2sucnUiOw0KDQokdmVyPSIxLjcucHJpdmF0ZSAoW2ZpbmFsX2VuZ2xpc2hfcmVsZWFzZV0pIjsNCg=='),
array( 'id' => 'NST Shell', 'def1' => 'IyMjIyMjdmVyIyMjIw0KJHZlcj0gInYyLjEiOw0KIyMjIyMjIyMjIyMjIw0K'),
array( 'id' => 'PH Vayv Shell', 'def1' => 'ICAgIDxicj4NCiAgICBQSFZheXYgMS4wPC9zcGFuPjwvZm9udD48L3RkPg0K'),
array( 'id' => 'PHANTASMA Shell', 'def1' =>
'PERJViBTVFlMRT0iZm9udC1mYW1pbHk6IHZlcmRhbmE7IGZvbnQtc2l6ZTogMjVweDsgZm9udC13ZWlnaHQ6IGJvbGQ7IGNvbG9yOiAjRjNiNzAwOyI+UEhBTlRBU01BLSBOZVcgQ21EIDspIDwvRElWPg0KDQo='),
array( 'id' => 'PHP Backdoor Shell', 'def1' => 'Ly8gYSBzaW1wbGUgcGhwIGJhY2tkb29yIHwgY29kZWQgYnkgejBtYmllIFszMC4wOC4wM10gfCBodHRwOi8vZnJlZW5ldC5hbS9+em9tYmllIFxcDQo='),
array( 'id' => 'PHP Bypass Shell', 'def1' => 'KgkJCQkJCQlTaGVMTCBBcmNoaXZlDQoqICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQaHAgQnlwYXNzIC0gd3d3LnNoZWxsY2kuYml6DQoNCg=='),
array( 'id' => 'PHP Include With Shell', 'def1' => 'IyB3ZSBkZWNpZGUgaWYgd2Ugd2FudCBzeXNsb2dnaW5nDQpjbG9zZWxvZygpOw0KDQo='),
array( 'id' => 'PHP Inj Shell', 'def1' => 'PHRpdGxlPnx8IC46Ok5ld3MgUmVtb3RlIFBIUCBTaGVsbCBJbmplY3Rpb246Oi4gfHwgICA8L3RpdGxlPg0K'),
array( 'id' => 'PHP Jackal Shell', 'def1' =>
'Y2FzZSAnY3InOmNyYWNrZVIoKTticmVhazsNCmNhc2UgJ2RpYyc6ZGljbWFrZVIoKTticmVhazsNCmNhc2UgJ3Rvb2xzJzp0b29sUygpO2JyZWFrOw0KY2FzZSAnaGV4JzpoZXh2aWVXKCk7YnJlYWs7DQoNCg=='),
array( 'id' => 'PHP Remote View Shell', 'def1' => 'ICogIFdlbGNvbWUgdG8gcGhwUmVtb3RlVmlldyAoUmVtVmlldykgDQoNCg=='),
array( 'id' => 'R57 ORIGINAL Shell', 'def1' => 'LyogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSNTcgc2hlbGwNCg0K'),
array( 'id' => 'R57 IFX Modified Shell', 'def1' =>
'LyogIHI1N3NoZWxsLnBocCAtID8/Pz8/PyA/PyA/Pz8gPz8/Pz8/Pz8/Pz8gPz8/ID8/Pz8/Pz8/PyA/Pz8/ID8/Pz8/Pz8gID8/ID8/Pz8/Pz8gPz8/Pz8gPz8/Pz8/Pw0K'),
array( 'id' => 'R57 Kartal Modified Shell', 'def1' => 'LyogICAgICAgICAgICAgICAgICAgIGthcnRhbF81NjdAaG90bWFpbC5jb21bS2FSVGFMXQ0KDQo='),
array( 'id' => 'R57 Mohajer22 Shell', 'def1' => 'LyogIChjKW9kZWQgYnkgMWR0LncwbGYNCg0KDQo='),
array( 'id' => 'R57 New Year Edition Shell', 'def1' => 'LyogID8/Pz8/PzogMS4yNCAoTmV3IFllYXIgRWRpdGlvbikNCg0KDQo='),
array( 'id' => 'Remview Shell', 'def1' => 'ICogICMgU2hlbGxjaS5CaXoNCiAqICBXZWxjb21lIHRvIHBocFJlbW90ZVZpZXcgKFJlbVZpZXcpIA0K'),
array( 'id' => 'S72 Shell', 'def1' => 'PHRpdGxlPnM3MiBTaGVsbCB2MS4wIENvZGluZiBieSBDckB6eV9LaW5nPC90aXRsZT4NCg=='),
array( 'id' => 'Safe Mode Bypass PHP 4.4.2 & 5.1.2 Shell', 'def1' =>
'TW9kZSBTaGVsbCB2MS4wPC9mb250Pjwvc3Bhbj48L2E+PC9mb250Pjxmb250IGZhY2U9IldlYmRpbmdzIiBzaXplPSI2IiBjb2xvcj0iI0ZGMDAwMCI+ITwvZm9udD48L2I+PC9wPg0KDQo='),
array( 'id' => 'SIM Attacker Shell', 'def1' => 'Jm5ic3A7SXJhbmlhbiBIYWNrZXJzIDogV1dXLlNJTU9SR0gtRVYuQ09NIDxicj4NCiZuYnNwO1Byb2dyYW1lciA6IEhvc3NlaW4gQXNnYXJ5IDxicj4NCg=='),
array( 'id' => 'SnIpEr SA Shell', 'def1' =>
'LyogIFNuSXBFcl9TQS5waHAgLSA/Pz8/Pz8gPz8gPz8/ID8/Pz8/Pz8/Pz8/ID8/PyA/Pz8/Pz8/Pz8gPz8/Pz8/Pz8/ID8/Pz8/Pz8gPz8gPz8/Pz8/PyA/Pz8/PyA/Pz8/Pz8/DQo='),
array( 'id' => 'Stres Bypass Shell', 'def1' => 'LyogICAgICAgICAgICAgICAgICAgICAgICAgIFN0cmVzQnlwYXNzIHYxLjANCg=='),
array( 'id' => 'Dark-Shell', 'def1' => 'ZWNobyAiPGNlbnRlcj48aDE+RGFyayBTaGVsbDwvaDE+PC9jZW50ZXI+PHA+PGhyPjxwPlxuIjsNCg=='),
array( 'id' => '0x00 PHP shell', 'def1' => 'ICAgICAgICA8dGl0bGU+fiAweDAwIFBIUCBzaGVsbCB2LjB4MjwvdGl0bGU+DQo='),
array( 'id' => 'okno_Shell', 'def1' => 'ZWNobyAnPGJyPlBIUCBzeXN0ZW0oKSBjb25zb2xlIGJ5IG9rbm8gLSBtYWluQHBhd2Vsem9yemFuLmV1IDxicj4nOw0K'),
array( 'id' => 'CShell', 'def1' => 'ICogQ1NoZWxsDQoNCg=='),
array( 'id' => 'Bl0od3r Priv8 Shell', 'def1' => 'U2hlbGwgd3JpdHRlbiBieSBCbDBvZDNyDQoNCg0K'),
array( 'id' => 'Root Access Shell', 'def1' =>
'PHRyPjx0ZCBjbGFzcz1jb250ZW50Yj48Y2VudGVyPjxhIGhyZWY9Imh0dHA6Ly9mb3J1bS5yb290LWFjY2Vzcy5ydSI+PGZvbnQgc2l6ZT0yIGNvbG9yPSNlN2U3ZWI+Um9vdC1BY2Nlc3MgU2hlbGwgdjEuMDwvZm9udD48L2E+PC9jZW50ZXI+DQoNCg0K'),
array( 'id' => 'G00nShell', 'def1' => 'IyBbZzAwbl1GaVNoIHByZXNlbnRzOiAjDQojIGcwMG5zaGVsbCB2MS4zIGZpbmFsICMNCg0KDQo='),
array( 'id' => 'CShell', 'def1' => 'ICogQ1NoZWxsDQoNCg=='),
array( 'id' => 'lostDC shell', 'def1' => 'ICogbG9zdERDIHNoZWxsDQoNCg0K'),
array( 'id' => '_GsC_ shell', 'def1' => 'R3NDIFNoZUxMIHYwLjguMCBDcmVhdGVkIEJ5IF9Hc0NfIEFrYSBTazFwcDNyDQoNCg0K'),
array( 'id' => 'OnBoomShell', 'def1' => 'LyoNCk9OQk9PTVNIRUxMIFYgMC4yDQpieSBjb2JyYTkwbmoNCg=='),
array( 'id' => 'StAkeR ~ Shell', 'def1' => 'PHRpdGxlPlN0QWtlUiB+IFNoZWxsPC90aXRsZT4NCjxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+DQo='),
array( 'id' => 'Iron Shell', 'def1' =>
'JGZvb3RlciA9ICc8dHI+PHRkPjxocj48Y2VudGVyPiZjb3B5OyA8YSBocmVmPSJodHRwOi8vd3d3Lmlyb253YXJlei5pbmZvIj5Jcm9uPC9hPiAmIDxhIGhyZWY9Imh0dHA6Ly93d3cucm9vdHNoZWxsLXRlYW0uaW5mbyI+Um9vdFNoZWxsIFNlY3VyaXR5IEdyb3VwPC9hPjwvY2VudGVyPjwvdGQ+PC90YWJsZT48L2JvZHk+PC9oZWFkPjwvaHRtbD4nOw=='),
array( 'id' => '..:: HiddenShell ::..', 'def1' => 'ICAgIDx0aXRsZT5IaWRkZW5TaGVsbDwvdGl0bGU+DQo='),
array( 'id' => 'N3fa5t1cA Sh3ll', 'def1' => 'PGh0bWw+PHRpdGxlPk4zZmE1dDFjQSBTaDNsbDwvdGl0bGU+DQoNCg=='),
array( 'id' => '! ~ Cod3rZ Shell ~ !', 'def1' => 'IyBDb2QzclogU2hlbGwgNS4xDQojIGMwZGVkIGJ5IENvZDNyWg0KDQoNCg=='),
array( 'id' => 's101', 'def1' => 'PHRpdGxlPnMxMDEgdjAuMi41PC90aXRsZT4NCg0K'),
array( 'id' => 'Nexpl0rer Shell', 'def1' => 'MzEzMzcgU2hlbGwgYnkgTmV4ZW4gLSBQaFAgYzBkYWgNCg0K'),
array( 'id' => 'DC3 Shell (Priv8)', 'def1' => 'ICAgICAgICAgIGRDMyBTZWN1cml0eSBDcmV3DQo='),
array( 'id' => 'H4ntu Shell', 'def1' =>
'ZWNobyAiPHRpdGxlPmg0bnR1IHNoZWxsIFtwb3dlcmVkIGJ5IHRzb2ldPC90aXRsZT5cbjxwPjxmb250IHNpemU9MiBmYWNlPVZlcmRhbmE+PGI+VGhpcyBJcyBUaGUgU2VydmVyIEluZm9ybWF0aW9uPC9iPjwvZm9udD48L3A+IjsNCg=='),
array( 'id' => 'Macker s Private PHPShell', 'def1' => 'KiAgICAgICAgICAgICAgICAgICAgICAgICAgIFBIUFNIRUxMLlBIUCAgICAgICAgICAgICAqDQoNCg=='),
array( 'id' => '~ Andr3a92 ~ Sh3ll ~', 'def1' =>
'ZWNobyAiPHRyPjx0ZCBiZ2NvbG9yPVwiI0NDQ0NDQ1wiPjxjZW50ZXI+PGltZyBzcmM9XCIiLiRzaGVsbC4iP2ltZz1maWxlXCIgYm9yZGVyPVwiMFwiPjwvY2VudGVyPjwvdGQ+PHRkIGJnY29sb3I9XCIjQ0NDQ0NDXCI+PGEgaHJlZj1cIiIuJGZpbGV6LiJcIiB0YXJnZXQ9XCJfQkxBTktcIj4iLiRmaWxlX25hbWUuIjwvYT48L3RkPg0K'),
array( 'id' => 'JsBack - Shell Backdoor', 'def1' => 'ICAgICAgICAgICAgICAgSnNCYWNrIC0gSmF2YXNjcmlwdCBCYWNrZG9vcg0K'),
array( 'id' => 'shell qualsiasi', 'def1' => 'c2hlbGwNCg==', 'def2' => 'U2hlbGwNCg==', 'def3' => 'U2gzbGwNCg==')
);
// Marker searched for by parse_dir() when $settings['USE_DEFINITIONS'] is
// off. parse_dir() lower-cases the file contents before searching, so keep
// that in mind when choosing the case of this value.
$generic = 'Shell';
// The scan entry point is commented out, so no directory scan starts here.
//parse_dir( $settings[ 'BASE_DIR' ] );
// Closes the <pre> opened earlier in the page.
echo "</pre><br />";
?>
<br>
</div></span>
</pre></p></body></html>