From 6d8136600b5908facc6ab1f93ef2f1e579352a3c Mon Sep 17 00:00:00 2001 From: Greg Zemskov Date: Mon, 19 Oct 2015 16:35:52 +0300 Subject: [PATCH] New signatures, optimized scanning progress, fixes for Auth --- src/scanner/classes/Auth.inc.php | 2 +- .../classes/DownloadController.inc.php | 2 +- .../classes/ExecutorController.inc.php | 2 +- src/scanner/classes/MalwareDetector.inc.php | 29 +- src/scanner/classes/ScannerController.inc.php | 2 +- src/scanner/static/signatures/malware_db.xml | 1480 +++++++---------- 6 files changed, 652 insertions(+), 865 deletions(-) diff --git a/src/scanner/classes/Auth.inc.php b/src/scanner/classes/Auth.inc.php index f2b53da..82e6549 100644 --- a/src/scanner/classes/Auth.inc.php +++ b/src/scanner/classes/Auth.inc.php @@ -94,7 +94,7 @@ private function setNewPassword($password) } } - public function auth() + public function authenticate() { $result = false; $isPasswordSet = is_file($this->passwordHashFilepath); diff --git a/src/scanner/classes/DownloadController.inc.php b/src/scanner/classes/DownloadController.inc.php index a8f25fd..d0fd230 100644 --- a/src/scanner/classes/DownloadController.inc.php +++ b/src/scanner/classes/DownloadController.inc.php @@ -79,7 +79,7 @@ private function startDownload() public function start() { $authenticator = new Auth(); - if ($authenticator->auth()) { + if ($authenticator->authenticate()) { $this->startDownload(); } } diff --git a/src/scanner/classes/ExecutorController.inc.php b/src/scanner/classes/ExecutorController.inc.php index ba472e3..b62a887 100644 --- a/src/scanner/classes/ExecutorController.inc.php +++ b/src/scanner/classes/ExecutorController.inc.php @@ -131,7 +131,7 @@ private function getShortFileName($in_name) public function start() { $authenticator = new Auth(); - if ($authenticator->auth()) { + if ($authenticator->authenticate()) { $this->startExecutor(); } } diff --git a/src/scanner/classes/MalwareDetector.inc.php b/src/scanner/classes/MalwareDetector.inc.php index 3afea64..93398b5 100644 --- a/src/scanner/classes/MalwareDetector.inc.php +++ b/src/scanner/classes/MalwareDetector.inc.php @@ -9,6 +9,8 @@ class MalwareDetector { + private $singatureStruct; + function __construct() { global $projectRootDir, $projectTmpDir; @@ -41,8 +43,21 @@ function __construct() $this->signatures = new DOMDocument(); $this->signatures->load($this->SIGNATURE_FILENAME); + $db = $this->signatures->getElementsByTagName('signature'); + foreach ($db as $sig) { + $sigContent = $sig->nodeValue; + $attr = $sig->attributes; + $attrId = $attr->getNamedItem('id')->nodeValue; + $attrFormat = $attr->getNamedItem('format')->nodeValue; + $attrChildId = $attr->getNamedItem('child_id')->nodeValue; + $attrSeverity = $attr->getNamedItem('sever')->nodeValue; + + $this->singatureStruct[] = array('sig' => $sigContent, 'attr_id' => $attrId, 'frmt' => $attrFormat, 'chid' => $attrChildId, 'sev' => $attrSeverity); + } + } + function setRequestDelay($delay) { $this->MAX_EXECUTION_DURATION = $delay; @@ -168,9 +183,8 @@ function detectMalware($filePath, &$foundFragment, &$pos, $startTime, $timeout, $normalized = $this->normalizeContent($content); - $db = $this->signatures->getElementsByTagName('signature'); $detected = false; - foreach ($db as $sig) { + foreach ($this->singatureStruct as $sig) { if ($detected) break; $currentTime = time(); @@ -179,12 +193,11 @@ function detectMalware($filePath, &$foundFragment, &$pos, $startTime, $timeout, } $pos = -1; - $sigContent = $sig->nodeValue; - $attr = $sig->attributes; - $attrId = $attr->getNamedItem('id')->nodeValue; - $attrFormat = $attr->getNamedItem('format')->nodeValue; - $attrChildId = $attr->getNamedItem('child_id')->nodeValue; - $attrSeverity = $attr->getNamedItem('sever')->nodeValue; + $sigContent = $sig['sig']; + $attrId = $sig['attr_id']; + $attrFormat = $sig['frmt']; + $attrChildId = $sig['chid']; + $attrSeverity = $sig['sev']; switch ($attrFormat) { diff --git a/src/scanner/classes/ScannerController.inc.php b/src/scanner/classes/ScannerController.inc.php index e7df1f1..2477108 100644 --- a/src/scanner/classes/ScannerController.inc.php +++ b/src/scanner/classes/ScannerController.inc.php @@ -66,7 +66,7 @@ public function start() global $projectTmpDir, $php_errormsg; $authenticator = new Auth(); - if ($authenticator->auth()) { + if ($authenticator->authenticate()) { ob_start(); diff --git a/src/scanner/static/signatures/malware_db.xml b/src/scanner/static/signatures/malware_db.xml index 3402015..ee5b5ff 100644 --- a/src/scanner/static/signatures/malware_db.xml +++ b/src/scanner/static/signatures/malware_db.xml @@ -35,857 +35,631 @@ detailed description: --> -ZOBUGTEL -MagelangCyber -profexor\.hell -\<\!\-\-COOKIE UPDATE\-\-\> -//rasta// -\$param2mask\."\)\\\=\[\\\<qq\>\\"\]\(\.\*\?\)\(\?\=\[\\\<qq\>\\"\] \)\[\\\<qq\>\\"\]/sie -\); \$i\+\+\)\$ret\.\=chr\(\$ -ereg_replace\(\<q\>&email&\<q\>, -\]\]\)\);\}\}eval\(\$ -fwrite\(fopen\(dirname\(__FILE__\) -Baby_Drakon -\$isevalfunctionavailable -Net@ddress Mail -Password\:\<s\>"\.\$_POST\[\<q\>passwd\<q\>\] -Created By EMMA -GIF89A;\<\?php -oTat8D3DsE8'&~hU06CCH5;\$gYSq -\$md5\=md5\("\$random"\); -3xp1r3 -\$im\=substr\(\$tx,\$p\+2,\$p2\-\(\$p\+2\)\); -NinjaVirus Here -7P1td\+NWliaI/hWkZ4VX9 -\<dot\>IrIsT -ndroi\|htc_ -andex\|oogl -Hacked By EnDLeSs -\(\$_POST\["dir"\]\)\); -\(\$indata,\$b64\=1\)\{if\(\$b64\=\=1\)\{\$cd\=base64_decode\(\$indata\) -\$im\=substr\(\$im,0,\$i\)\.substr\(\$im,\$i2\+1,\$i4\-\(\$i2\+1\)\)\.substr\(\$im,\$i4\+12,strlen -\<\?php echo "\#\!\!\#"; -Punker2Bot -\$sh3llColor -@chr\(\(\$h\[\$e\[\$o\]\]\<\<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\) -ppc\|midp\|windows ce\|mtk\|j2me\|symbian -abacho\|abizdirectory\|about\|acoon\|alexana -Zed0x -darkminz -ReaL_PuNiShEr -OoN_Boy -__VIEWSTATEENCRYPTED -M4ll3r -createFilesForInputOutput -Pashkela -\^c\^a\^l\^p\^e\^r\^_\^g\^e\^r\^p -\=\= "bindshell" -Webcommander at -isset\(\$_POST\['execgate'\]\) -fwrite\(\$fpsetv, getenv\("HTTP_COOKIE"\) -\-I/usr/local/bandmin -\$OOO000000\=urldecode\( -YENI3ERI -letaksekarang\(\) -d3lete -function urlGetContents\(\$url, \$timeout \= 5\) -overflow\-y\:scroll;\\"\>"\.\$links\.\$html_mf\['body'\] -Made by Delorean -if\(empty\(\$_GET\['zip'\]\) and empty\(\$_GET\['download'\]\) & empty\(\$_GET\['img'\]\)\)\{ -str_rot13\(\$basea\[\(\$dimension\*\$dimension\-1\) \- \(\$i\*\$dimension\+\$j\)\]\) -R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA -preg_match\('\!MIDP\|WAP\|Windows\.CE\|PPC\|Series60 -preg_match\('/\(\?\<\=RewriteRule\)\.\*\(\?\=\\\[L\\,R\\\=302\\\] -\$url \= \$urls\[rand\(0, count\(\$urls\)\-1\)\] -wp_posts WHERE post_type \= 'post' AND post_status \= 'publish' ORDER BY `ID` DESC -http\://'\.\$_SERVER\['HTTP_HOST'\]\.urldecode\(\$_SERVER\['REQUEST_URI'\]\) -fwrite\(\$f,get_download\(\$_GET\['url'\]\) -\$param x \$n\.substr \(\$param, length\(\$param\) \- length\(\$code\)%length\(\$param\)\) -\$time_started\.\$secure_session_user\.session_id\(\) -\$this\-\>F\-\>GetController\(\$_SERVER\['REQUEST_URI'\]\) -luciffer@luciffer\.org -base64_decode\(\$code_script\) -unlink\(\$writable_dirs -file_get_contents\(trim\(\$f\[\$_GET\['id'\]\]\)\); -Cybester90 -/home/mydir/eggdrop/filesys -\-\-DCCDIR \[lindex \$User\(\$i\) 2\] -unbind RAW \- -putbot \$bot -privmsg \$nick -proc http\:\:Connect \{token\} -set google\(data\) \[http\:\:data \$google\(page\)\] -bind join \- \* gop_join -privmsg \$chan -r4aTc\.dPntE/fztSF1bH3RH0 -bind dcc \- -kill \-CHLD \\\$botpid \>/dev/null 2\>&1 -regsub \-all \-\- , \[string tolower \$owner\] "" owners -bind filt \- "\\001ACTION \*\\001" -ayu pr1 pr2 pr3 pr4 pr5 pr6 -set protect\-telnet 0 -/usr/local/apache/bin/httpd \-DSSL -\$tsu2\[rand\(0,count\(\$tsu2\) \- 1\)\]\.\$tsu1\[rand\(0,count\(\$tsu1\) \- 1\)\]\.\$tsu2\[rand\(0 -fopen\('/etc/passwd' -f0VMRgEBAQA -0d0a0d0a676c6f62616c20246d795f736d7 -etalfnizg -JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV -edoced_46esab -e/\*\./ -@setcookie\("hit", 1, time\(\)\+ -find_dirs\(\$grandparent_dir, \$level, 1, \$dirs\); -@copy\(\$_FILES\[fileMass\]\[tmp_name\],\$_POST\[path\]\.\$_FILES\[fileMass\]\[name -int32\(\(\(\$z \>\> 5 & 0x07ffffff\) \^ \$y \<\< 2\) \+ \(\(\$y \>\> 3 & 0x1fffffff\) \^ \$z \<\< 4 -VOBRA GANGO -echo y ; sleep 1 ; \} \| \{ while read ; do echo z\$REPLY; done -\<stdlib\.h -add_filter\('the_content', '_bloginfo', 10001\) -itsoknoproblembro -if self\.hash_type \=\= 'pwdump -\$framework\.plugins\.load\("\#\{rpctype\.downcase\}rpc", opts\)\.run -subprocess\.Popen\('%sgdb \-p %d \-batch %s' % \(gdb_prefix, p -argparse\.ArgumentParser\(description\=help, prog\="sctunnel" -rule_req \= raw_input\("SourceFire -os\.system\('echo alias ls\="\.ls\.bash" \>\> ~/\.bashrc'\) -connection\.send\("shell "\+str\(os\.getcwd\(\)\)\+ -print\("\[\!\] Host\: " \+ hostname \+ " might be down\!\\n\[\!\] Response Code -def daemon\(stdin\='/dev/null', stdout\='/dev/null', stderr\='/dev/null'\) -subprocess\.Popen\(cmd, shell \= True, stdout\=subprocess\.PIPE, stderr\=subprocess\.STDOU -if\(isset\(\$_GET\['host'\]\)&&isset\(\$_GET\['time'\]\)\)\{ -NIGGERS\.NIGGERS -HTTP flood complete after -80 \-b \$1 \-i eth0 \-s 8 -exploitcookie -system\("php \-f xpl \$host"\) -sh go \$1\.\$x -az88pix00q98 -unless\(open\(PFD,\$g_upload_db\)\) -www\.t0s\.org -\$value \=~ s/%\(\.\.\)/pack\('c',hex\(\$1\)\)/eg; -The Dark Raver -Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP -\}elseif\(\$_GET\['page'\]\=\='ddos' -\{\$_POST\['root'\]\} -I/gcZ/vX0A10DDRDg7Ezk/d\+3\+8qvqqS1K0\+AXY -FJ3FkuPKFkU/53WEBmIaipktnLwQW8z49dc1rbbLqsw8e69l6vJM\+3/124xVn\+7l -\\u003c\\u0069\\u006d\\u0067\\u0020\\u0073\\u0072\\u0063\\u003d\\u0022\\u0068\\u0074\\u0074\\u0070\\u003a\\u002f\\u002f -463839610c000b00800100ffffffffffff21f90401000001002c000 -fread\(\$fp, filesize\(\$fichero\)\) -\$baslik\=\$_POST\['baslik'\] -proc_open\('IHSteam -\\x31\\xdb\\xf7\\xe3\\x53\\x43\\x53\\x6a\\x02\\x89\\xe1\\xb0\\x66\\xcd -AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA -\$ini\['users'\] \= array\('root' \=\> -HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra -curl_setopt\(\$ch, CURLOPT_URL, "http\://\$host\:2082"\) -\<%\= "\\" & oScriptNet\.ComputerName & "\\" & oScriptNet\.UserName %\> -sqlCommand\.Parameters\.Add\(\(\(TableCell\)dataGridItem\.Controls\[0\]\)\.Text, SqlDbType\.Decimal\)\.Value \= decimal -Response\.Write\("\<br\>\( \) \<a href\=\?type\=1&file\=" & server\.URLencode\(item\.path\) & "\\\>" & item -new FileStream\(Path\.Combine\(fileInfo\.DirectoryName, Path\.GetFileName\(httpPostedFile\.FileName\)\), FileMode\.Create -Response\.Write\(Server\.HtmlEncode\(this\.ExecuteCommand\(txtCommand\.Text\)\)\) -\<%\=Request\.Servervariables\("SCRIPT_NAME"\)%\>\?txtpath\=\<%\=Request\.QueryString\("txtpath -outstr \+\= string\.Format\("\<a href\='\?fdir\=\{0\}'\>\{1\}/\</a\>&nbsp;" -QOiKWAgV613LvstKY\+UB98JZTRGIhYBdHuJCAwm\+Xth16AwQ8X4tPMcMVZQte -re\.findall\(dirt\+'\(\.\*\)',prognm\)\[0\] -find / \-name \.ssh \> \$dir/sshkeys/sshkeys -FS_chk_func_libc\=\( \$\(readelf \-s \$FS_libc \| grep _chk@@ \| awk -Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N -\$file \= \$_FILES\["filename"\]\["name"\]; echo "\<a href\=\\"\$file\\"\>\$file\</a\>";\} else \{echo\("empty"\);\} -DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ -Lz8_Ly8vDx8e_v7\-7u7u3s7uzs7Ozq6unq7erq6uvq5\-jo6ujn5 -iVBORw0KGgoAAAANSUhEUgAAAAoAAAAICAYAAADA\-m62AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQU -server\.\</p\>\\r\\n\</body\>\</html\>";exit;\}if\(preg_match\( -\$Fchmod,\$Fdata,\$Options,\$Action,\$hddall,\$hddfree,\$hddproc,\$uname,\$idd\)\:shared -php "\.\$wso_path -\$prod\="sy"\."s"\."tem";\$id\=\$prod\(\$_REQUEST\['product'\]\);\$\{'id'\}; -@assert\(\$_REQUEST\['PHPSESSID'\] -POST \{\$path\}\{\$connector\}\?Command\=FileUpload&Type\=File&CurrentFolder\= -find / \-type f \-name \.htpasswd -find / \-type f \-perm \-02000 \-ls -find / \-type f \-perm \-04000 \-ls -"admin1\.php", "admin1\.html", "admin2\.php", "admin2\.html", "yonetim\.php", "yonetim\.html" -@path1\=\('admin/','administrator/','moderator/','webadmin/','adminarea/','bb\-admin/','adminLogin/' -cat \$\{blklog\[2\]\} \| grep "root\:x\:0\:0" -\?url\='\.\$_SERVER\['HTTP_HOST'\]\)\.unlink\(ROOT_DIR\. -long int\:t\(0,3\)\=r\(0,3\);\-2147483648;2147483647; -create_function\("&\$"\."function","\$"\."function \= chr\(ord\(\$"\."function\)\-3\);"\) -function google_bot\(\) \{\$sUserAgent \= strtolower\(\$_SERVER\['HTTP_USER_AGENT'\]\);if\(\!\(strp -copy\(\$_FILES\['upkk'\]\['tmp_name'\],"kk/"\.basename\(\$_FILES\['upkk'\]\['name'\]\)\); -for \(\$value\) \{ s/&/&amp;/g; s/\</&lt;/g; s/\>/&gt;/g; s/"/&quot;/g; \} -\$db_d \= @mysql_select_db\(\$database,\$con1\); -Send this file\: \<INPUT NAME\="userfile" TYPE\="file"\> -fwrite \(\$fp, "\$yazi"\); -map \{ read_shell\(\$_\) \} \(\$sel_shell\-\>can_read\(0\.01\)\); -2\>&1 1\>&2" \: " 1\>&1 2\>&1"\); -global \$mysqlHandle, \$dbname, \$tablename, \$old_name, \$name, -__all__ \= \["SMTPServer","DebuggingServer","PureProxy","MailmanProxy"\] -if \(is_file\("/tmp/\$ekinci"\)\)\{ -if\(\$cmd \!\= ""\) print Shell_Exec\(\$cmd\); -\$cmd \= \(\$_REQUEST\['cmd'\]\); -\$uploadfile \= \$rpath\."/" \. \$_FILES\['userfile'\]\['name'\]; -if \(\$funcarg \=~ /\^portscan \(\.\*\)/\) -\<% For Each Vars In Request\.ServerVariables %\> -if\(''\=\=\(\$df\=@ini_get\('disable_functions'\)\)\)\{echo -\$filename \= \$backupstring\."\$filename"; -\<%\#@~\^HwAAAA\=\=@\#@&DnkwKx/RUN@\#@&nx9Pd;\(@\#@&ugcAAA\=\=\^\#~@%\> -\$function\(\$_POST\['cmd'\]\) -echo "FILE UPLOADED TO \$dez"; -if \(\!@is_link\(\$file\) && \(\$r \= realpath\(\$file\)\) \!\= FALSE\) \$file \= \$r; -UNION SELECT '0' , '\<\? system\(\\\$_GET\[cpc\]\);exit; \?\>' ,0 ,0 ,0 ,0 INTO OUTFILE '\$outfile -if\(move_uploaded_file\(\$_FILES\["fic"\]\["tmp_name"\],good_link\("\./"\.\$_FILES\["fic"\]\["name"\]\)\)\) -connect\(SOCKET, sockaddr_in\(\$ARGV\[1\], inet_aton\(\$ARGV\[0\]\)\)\) or die print -elseif\(@is_writable\(\$FN\) && @is_file\(\$FN\)\) \$tmpOutMF -while \(\$row \= mysql_fetch_array\(\$result,MYSQL_ASSOC\)\) print_r\(\$row\); -\$fe\("\$cmd 2\>&1"\); -send\(SOCK5, \$msg, 0, sockaddr_in\(\$porta, \$iaddr\)\) and \$pacotes\{o\}\+\+;; -\} elsif \(\$servarg \=~ /\^\\\:\(\.\+\?\)\\\!\(\.\+\?\)\\@\(\.\+\?\) PRIVMSG \(\.\+\?\) \\\:\(\.\+\)/\) \{ -elseif\(function_exists\("shell_exec"\)\) -system\("\$cmd 1\> /tmp/cmdtemp 2\>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp"\); -\$_FILES\['probe'\]\['size'\], \$_FILES\['probe'\]\['type'\]\); -\$ra44 \= rand\(1,99999\);\$sj98 \= "sh\-\$ra44";\$ml \= "\$sd98";\$a5 \= \$_SERVER\['HTTP_REFERER'\]; -mysql_query\("CREATE TABLE `xploit` \(`xploit` LONGBLOB NOT NULL\)"\); -passthru\( \$bindir\."mysqldump \-\-user\=\$USERNAME \-\-password\=\$PASSWORD -\<a href\='\$PHP_SELF\?action\=viewSchema&dbname\=\$dbname&tablename\=\$tablename'\>Schema\</a\> -if\(get_magic_quotes_gpc\(\)\)\$shellOut\=stripslashes\(\$shellOut\); -if \(\!defined\$param\{cmd\}\)\{\$param\{cmd\}\="ls \-la"\}; -shell_exec\('uname \-a'\); -if \(move_uploaded_file\(\$_FILES\['fila'\]\['tmp_name'\], \$curdir\."/"\.\$_FILES\['fila'\]\['name'\]\)\) \{ -if \(empty\(\$_POST\['wser'\]\)\) \{\$wser \= "whois\.ripe\.net";\} else \$wser \= \$_POST\['wser'\]; -\<%\=env\.queryHashtable\("user\.name"\)%\> -PySystemState\.initialize\(System\.getProperties\(\), null, argv\); -if\(\!\$whoami\)\$whoami\=exec\("whoami"\); -shell_exec\(\$_POST\['cmd'\] \. " 2\>&1"\); -PnVlkWM63\!@\#@&dKx~nMDWM~D/Esn~x6D@\#@&P~~,\?nY,WP\{Poj -\!\$_REQUEST\["c99sh_surl"\]\) -\(ereg\('\^\[\[\:blank\:\]\]\*cd\[\[\:blank\:\]\]\*\$', \$_REQUEST\['command'\]\)\) -\$login\=@posix_getuid\(\); -system\("unset HISTFILE; unset SAVEHIST -\<HTML\>\<HEAD\>\<TITLE\>cgi\-shell\.py -execl\("/bin/sh","sh","\-i",\(char\*\)0\); -ncftpput \-u \$ftp_user_name -\$a\[hits\]'\); \\r\\n\#endquery\\r\\n -\{\$\{passthru\(\$cmd\)\}\}\<br\> -\$backdoor\-\>ccopy\(\$cfichier,\$cdestination\); -\$izinler2\=substr\(base_convert\(@fileperms\(\$fname\),10,8\),\-4\); -for\(;\$paddr\=accept\(CLIENT, SERVER\);close CLIENT\) \{ -Asmodeus -passthru\(getenv\("HTTP_ACCEPT_LANGUAGE -\$____\=@gzinflate\(\$____\)\)\{if\(isset\(\$_POS -\$subj\=urldecode\(\$_GET\['su'\]\);\$body\=urldecode\(\$_GET\['bo'\]\);\$sds\=urldecode\(\$_GET\['sd'\]\) -\$ka\='\<\?//BRE';\$kaka\=\$ka\.'ACK//\?\> -Cautam fisierele de configurare -BRUTEFORCING -pwd \> Generasi\.dir -xh \-s "/usr/local/apache/sbin/httpd \-DSSL" \./httpd \-m \$1 -\$a\=\(substr\(urlencode\(print_r\(array\(\),1\)\),5,1\)\.c\) -\!@\$_COOKIE\[\$sessdt_k\] -SELECT 1 FROM mysql\.user WHERE concat\(`user`, '@', `host`\) -copy\(\$_FILES\[x\]\[tmp_name\],\$_FILES\[x\]\[name\]\)\) -\$MessageSubject \= base64_decode\(\$_POST\["msgsubject"\]\); -rename\("wso\.php", -\$redirectURL\='http\://'\.\$rSite\.\$_SERVER\['REQUEST_URI'\];if\(isset\(\$_SERVER\['HTTP_REFERER'\]\) -\$filepath\=@realpath\(\$_POST\['filepath'\]\); -Worker_GetReplyCode\(\$opData\['recvBuffer'\]\) -FaTaLisTiCz_Fx Fx29Sh -w4ck1ng shell -private Shell by m4rco -Shell by Mawar_Hitam -PHPSHELL\.PHP -round\(0\+9830\.4\+9830\.4\+9830\.4\+9830\.4\+9830\.4\)\)\=\= -vzv6d\+iOvtkd38TlHu8mQavXdnJCbpQcpXhNbbLmZOqMopDZeNalb\+VKledhCjpVAMQSQnxVIECQAfLu5KgLmwB6ehQQGNSBYjpg9g5GdBihXo -if \(ereg\('\^\[\[\:blank\:\]\]\*cd\[\[\:blank\:\]\]\+\(\[\^;\]\+\)\$', \$command, \$regs\)\) -LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\= -5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk -eval\(base64_decode\(\$_ -wsoEx\('tar cfzv ' \. escapeshellarg\(\$_POST\['p2'\]\) -\<nobr\>\<b\>\$cdir\$cfile\</b\> \("\.\$file\["size_str"\]\."\)\</nobr\>\</td\>\</tr\>\<form name\=curr_file\> -Content\-Type\: \$_ -\</td\>\<td id\=fa\>\[ \<a title\=\\"Home\: '"\.htmlspecialchars\(str_replace\("\\", \$sep, getcwd\(\)\)\)\."'\.\\" id\=fa href\=\\"javascript\:ViewDir\('"\.rawurlencode -CQboGl7f\+xcAyUysxb5mKS6kAWsnRLdS\+sKgGoZWdswLFJZV8tVzXsq\+meSPHMxTI3nSUB4fJ2vR3r3OnvXtNAqN6wn/DtTTi\+Cu1UOJwNL -WSOsetcookie\(md5\(\$_SERVER\['HTTP_HOST'\]\) -X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW -J@\!Vr@\*&RHRw~JLw\.G\|xlhnLJ~\?1\.bwObxbP\|\!V -zehirhacker -\('"','&quot;',\$fn\)\)\.'";document\.list\.submit\(\);\\'\>'\.htmlspecialchars\(strlen\(\$fn\)\>format\?substr\(\$fn,0,format\-3\)\.'\.\.\.'\:\$fn\)\.'\</a\>'\.str_repeat\(' ',format\-strlen\(\$fn\) -print\(\(is_readable\(\$f\) && is_writeable\(\$f\)\)\?"\<tr\>\<td\>"\.w\(1\)\.b\("R"\.w\(1\)\.font\('red','RW',3\)\)\.w\(1\)\:\(\(\(is_readable\(\$f\)\)\?"\<tr\>\<td\>"\.w\(1\)\.b\("R"\)\.w\(4\)\:""\)\.\(\(is_writabl -R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA -\<%\=Request\.ServerVariables\("script_name"\)%\>\?FolderPath\=\<%\=Server\.URLPathEncode\(Folder\.Driv -m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX -RootShell\!'\);self\.location\.href\='http\: -a href\="\<\?echo "\$fistik\.php\?dizin\=\$dizin/\.\./"\?\>" style\="text\-decoration\: non -CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp -s\(\)\.g\(\)\.s\(\)\.s\(\)\.g\(\)\.s\(\)\.s\(\)\.g\(\) -nt\)\(disk_total_space\(getcwd\(\)\)/\(1024\*1024\)\) \. "Mb " \. "Free space " \. \(int\)\(disk_free_space\(getcwd\(\)\)/\(1024\*1024\)\) \. "Mb \< -klasvayv\.asp\?yenidosya\=\<%\=aktifklas%\> -WT\+P\{~EW0ErPOtnU@\#@&\^l\^sP1ldny@\#@&nsk\+r0,GT\+ -mpty\(\$_POST\['ur'\]\)\) \$mode \|\= 0400; if \(\!empty\(\$_POST\['uw'\]\)\) \$mode \|\= 0200; if \(\!empty\(\$_POST\['ux'\]\)\) \$mode \|\= 0100 -/0tVSG/Suv0Ur/haUYAdn3jMQwbbocGffAeC29BN9tmBiJdV1lk\+jYDU92C94jdtDif\+xOYjG6CLhx31Uo9x9/eAWgsBK60kK2mLwqzqd -crlf\.'unlink\(\$name\);'\.\$crlf\.'rename\("~"\.\$name, \$name\);'\.\$crlf\.'unlink\("grp_repair\.php" -DX_Header_drawn -\[Av4bfCYCS,xKWk\$\+TkUS,xnGdAx\[O -BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA -ctshell\.php -Executed command\: \<b\>\<font color\=\#dcdcdc\>\[\$cmd\] -WSCRIPT\.SHELL -casus15 -R0lGODlhJgAWAIAAAAAAAP///yH5BAUUAAEALAAAAAAmABYAAAIvjI\+py\+0PF4i0gVvzuVxXDnoQ -admin@spygrup\.org -temp_r57_table -\$c99sh_updatefurl -By Psych0 -c99ftpbrutecheck -\<textarea name\=\\"phpev\\" rows\=\\"5\\" cols\=\\"150\\"\>"\.@\$_POST\['phpev'\]\."\</textarea\>\<br\> -\$info \.\= \(\(\$perms & 0x0040\) \?\(\(\$perms & 0x0800\) \? 's' \: 'x' \) \:\(\(\$perms & 0x0800\) \? 'S' \: '\-'\) -\$rand_writable_folder_fullpath -Dr\.abolalh -K\!LL3r -MrHazem -C0derz\.com -OLB\:PRODUCT\:ONLINE_BANKING -BY MMNBOBZ -ConnectBackShell -Hackeado -d3b~X -rahui -Mr\.HiTman -Mrlool\.exe -function\s+read_pic\(\s*\$A\s*\)\s*{\s*\$a\s*=\s*\$_SERVER -filemtime\(\$basepath\s*\.\s*['"]/configuration\.php -list\s*\(\s*\$host\s*,\s*\$port\s*,\s*\$size\s*,\s*\$exec_time -listing_page\(\s*notice\(\s*['"]symlinked -make_dir_and_file\(\s*\$path_joomla -function\s+inDiapason -&&\s*!empty\(\s*\$_COOKIE\[['"]fill['"]\] -file_exists\s*\(*\s*['"]/var/tmp/ -str_replace\(\$find\s*,\s*\$find\s*\.\s*\$html\s*,\s*\$text -\$datamasii=date\("D M d, Y g:i a"\) -\$adddate=date\("D M d, Y g:i a"\) -fuck\s+your\s+mama -Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents -['"]{0,1}.c.['"]{0,1}\.substr\(\$vbg, -array\(\$en,\$es,\$ef,\$el\) -loc\s*=\s*['"]{0,1}<\?echo\s+\$redirect;\s*\?> -Kazan/index\.html -==0\){jsonQuit\(\$ -@stream_socket_client\(['"]{0,1}tcp://\$ -::['"]\.phpversion\(\)\.['"]:: -preg_replace\(['"].UTF\\-8:\(.\*\).Use -"=>\${\${"\\x -fsockopen\(\$m\[0\],\$m\[10\],\$_,\$__,\$m -eVaL\(\s*trim\(\s*baSe64_deCoDe\( -echo\s*md5\(\$_POST\[['"]{0,1}check['"]{0,1}\] -img src=['"]opera000\.png -function reload\(\){header\("Location -substr_count\(getenv\(\\['"]HTTP_REFERER -webi\.ru/webi_files/php_libmail -chr2=\(\(enc2&15\)<<4\)\|\(enc3>>2\);chr3=\(\(enc3&3\)<<6\)\|enc4 -REREFER_PTTH -tsoh_ptth -tnega_resu_ptth -mmcrypt\(\$data, \$key, \$iv, \$decrypt = FALSE -fopo\.com\.ar -spravochnik-nomerov- -icq-dlya-telefona- -telefonnaya-baza- -slesh\+slesh\+domen\+point -src="files_site/js\.js -\$t=\$s;\s*\$o\s*=\s*['"]['"];\s*for\(\$i=0;\$i<strlen\(\$t\);\$i\+\+\){\s*\$o\s*\.=\s*\$t{\$i} -WBS_DIR\s*\.\s*['"]{0,1}temp/['"]{0,1}\s*\.\s*\$activeFile\s*\.\s*['"]{0,1}\.tmp -@*mail\(\$mosConfig_mailfrom, \$mosConfig_live_site -\$[a-zA-Z0-9_]+?/\*.{1,10}\*/\s*\.\s*\$[a-zA-Z0-9_]+?/\*.{1,10}\*/ -@\$_POST\[\(chr\( -<\?php\s+rename\(['"]wso\.php['"] -\$str=['"]{0,1}<h1>403\s+Forbidden</h1><!--\s*token: -chunk_split\(base64_encode\(fread\(\${\${['"]{0,1} -ini_get\(['"]{0,1}filter\.default_flags['"]{0,1}\)\){foreach -file_get_contents\(trim\(\$f\[\$_GET\[ -mail\(\$arr\[['"]{0,1}to['"]{0,1}\],\$arr\[['"]{0,1}subj['"]{0,1}\],\$arr\[['"]{0,1}msg['"]{0,1}\],\$arr\[['"]{0,1}head['"]{0,1}\]\); -if\(isset\(\$_POST\[['"]{0,1}msgsubject['"]{0,1}\]\)\) -base64_decode\(\$_POST\[['"]{0,1}_- -register_shutdown_function\(\s*['"]{0,1}read_ans_code -\$param\s*=\s*\$param\s*x\s*\$n\.substr\s*\(\$param\s*,\s*length\(\$param\) -base['"]{0,1}\.\(32\*2\) -if\(@\$vars\(get_magic_quotes_gpc\(\)\s*\?\s*stripslashes\(\$uri\) -\)\];}if\(isset\(\$_SERVER\[_ -if\(empty\(\$_COOKIE\[['"]x['"]\]\)\){echo -is_writable\(\$dir\.['"]wp-includes/version\.php['"] -Apple\s+SpAm\s+ReZulT -\#\s*stealth\s*bot -\#\s*securityspace\.com -URL=<\?echo\s+\$index;\s+\?> -<script\s+type=['"]{0,1}text/javascript['"]{0,1}\s+src=['"]{0,1}jquery-u\.js['"]{0,1}></script> -create_function\(['"]['"],\s*\$opt\[1\]\s*\.\s*\$opt\[4\] -file_put_contents\(SVC_SELF\s*\.\s*['"]/\.htaccess -\$allemails\s*=\s*@split\("\\n"\s*,\s*\$emaillist\) -Joomla_brute_Force -\$sys_params\s*=\s*@*file_get_contents -fwrite\s*\(\s*\$flw\s*,\s*\$fl\s*\) -file_put_contents\s*\(['"]{0,1}1\.txt['"]{0,1}\s*,\s*print_r\s*\(\s*\$_POST\s*,\s*true -\$headers\s*=\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[['"]{0,1}headers['"]{0,1}\] -create_function\s*\(['"]['"]\s*,\s*str_rot13 -die\s*\(\s*PHP_OS\s*\.\s*chr\s*\( -if\s*\(md5\(trim\(\$_(GET|POST|SERVER|COOKIE|REQUEST)\[ -f\s*=\s*\$q\s*\.\s*\$a\s*\.\s*\$b\s*\.\s*\$x -content=['"]{0,1}1;URL=cgi-bin\.html\?cmd -\$url['"]{0,1}\s*\.\s*\$session_id\s*\.\s*['"]{0,1}/login\.html -\$_SESSION\[['"]{0,1}session_pin['"]{0,1}\]\s*=\s*['"]{0,1}\$PIN -fsockopen\s*\(\s*\$ConnectAddress\s*,\s*25 -echo\s+\$ifupload=['"]{0,1}\s*ItsOk\s*['"]{0,1} -preg_match\(['"]/\(yandex\|google\|bot\)/i['"],\s*getenv\(['"]HTTP_USER_AGENT -\$mailer\s*=\s*\$_POST\[['"]{0,1}x_mailer['"]{0,1}\] -\$OOO0O0O00=__FILE__;\s*\$OO00O0000\s*=\s*0x1b540;\s*eval -By\s+WebRooT -header\(['"]{0,1}s:\s*['"]{0,1}\s*\.\s*php_uname\s*\(\s*['"]{0,1}n['"]{0,1}\s*\) -move_uploaded_file\(\$_FILES\[['"]{0,1}elif['"]{0,1}\]\[['"]{0,1}tmp_name -\$gzip\s*=\s*@*gzinflate\s*\(\s*@*substr\s*\(\s*\$gzencode_arg -if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text -fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[ -echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST) -if\s*\(\s*@*md5\s*\(\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[ -chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\) -\$_(GET|POST|SERVER|COOKIE|REQUEST)\[['"]{0,1}[a-zA-Z0-9_]+?['"]{0,1}\]\(\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[['"]{0,1}[a-zA-Z0-9_]+?['"]{0,1}\]\s*\) -\$resultFUL\s*=\s*stripcslashes\s*\(\s*\$_POST\[['"]{0,1}resultFUL['"]{0,1} -/usr/sbin/httpd -PRIVMSG\.\*:\.owner\\s\+\(\.\*\) -print\s+\$sock\s+['"]{0,1}NICK ['"]{0,1}\s+\.\s+\$nick\s+\.\s+['"]{0,1}\\n['"]{0,1} -\$url\s*=\s*\$url\s*\.\s*['"]{0,1}\?['"]{0,1}\s*\.\s*http_build_query\(\$query\) -preg_match_all\(['"]{0,1}/<a href="\\/url\\\?q=\(\.\+\?\)\[&\|"\]\+/is['"]{0,1}, \$page\[['"]{0,1}exe['"]{0,1}\], \$links\) -<script\s+language=['"]{0,1}JavaScript['"]{0,1}>\s*parent\.window\.opener\.location\s*=\s*['"]http:// -\$p\s*=\s*strpos\s*\(\s*\$tx\s*,\s*['"]{0,1}{\#['"]{0,1}\s*,\s*\$p2\s*\+\s*2\) -\(msie\|opera\) -RewriteCond\s*%{HTTP_USER_AGENT}\s*\.\*ndroid\.\* -if\s*\(\s*is_dir\s*\(\s*\$FullPath\s*\)\s*\)\s*AllDir\s*\(\s*\$FullPath\s*,\s*\$Files\s*\);\s*}\s*} -['"]{0,1}From:\s*['"]{0,1}\.\$_POST\[['"]{0,1}realname['"]{0,1}\]\.['"]{0,1} ['"]{0,1}\.['"]{0,1} <['"]{0,1}\.\$_POST\[['"]{0,1}from['"]{0,1}\]\.['"]{0,1}>\\n['"]{0,1} -<!--\#exec\s+cmd=['"]{0,1}\$HTTP_ACCEPT['"]{0,1}\s*--> -\[-\]\s+Connection\s+faild -if\(/\^\\:\$owner!\.\*\\@\.\*PRIVMSG\.\*:\.msgflood\(\.\*\)/\){ -print\s*\$sock "PRIVMSG "\.\$owner -\]=['"]{0,1}ip['"]{0,1}\s*;\s*if\s*\(\s*isset\s*\(\s*\$_SERVER\[ -\]\s*}\s*=\s*trim\s*\(\s*array_pop\s*\(\s*\${\s*\${ -print\("\#\s+info\s+OK\\n\\n"\) -\$user_agent\s*=\s*preg_replace\s*\(\s*['"]\|User\\\.Agent\\:\[\\s \]\?\|i['"]\s*,\s*['"]['"]\s*,\s*\$user_agent -\$p\s*=\s*strpos\(\$tx\s*,\s*['"]{0,1}{\#['"]{0,1}\s*,\s*\$p2\s*\+\s*2\) -create_function\s*\(\s*['"]\$m['"]\s*,\s*['"]if\s*\(\s*\$m\s*\[\s*0x01\s*\]\s*==\s*['"]L['"] -\$letter\s*=\s*str_replace\s*\(\s*\$ARRAY\[0\]\[\$j\]\s*,\s*\$arr\[\$ind\]\s*,\s*\$letter -IrIsT\.Ir -if\s*\(detect_mobile_device\(\)\)\s*{\s*header -\$post\s*=\s*['"]\\x77\\x67\\x65 -echo\s*['"]answer=error['"] -url=<\?php\s*echo\s*\$rand_url;\?> -if\(CheckIPOperator\(\)\s*&&\s*!isModem\(\)\) -strpos\(\$ua,\s*['"]{0,1}yandexbot['"]{0,1}\)\s*!==\s*false -if\s*\(\$key\s*!=\s*['"]{0,1}mail_to['"]{0,1}\s*&&\s*\$key\s*!=\s*['"]{0,1}smtp_server['"]{0,1}\s*&&\s*\$key\s*!=\s*['"]{0,1}smtp_port -echo['"]{0,1}<center><b>Done\s*==>\s*\$userfile_name -['"]e/\*\./['"] -assert\s*\(\s*@*stripslashes -\)\s*\.\s*substr\s*\(\s*md5\s*\(\s*strrev\s*\(\s*\$ -\$fl\s*=\s*"<meta http-equiv=\\"Refresh\\"\s+content=\\"0;\s*URL= -,\s*array\s*\('\.','\.\.','Thumbs\.db'\)\s*\)\s*\)\s*{\s*continue;\s*}\s*if\s*\(\s*is_file -if\s*\(\s*\$dataSize\s*<\s*BOTCRYPT_MAX_SIZE\s*\)\s*rc4\s*\(\s*\$data,\s*\$cryptkey -str_rot13\s*\(\s*['"]{0,1}tmvasyng['"]{0,1} -str_rot13\s*\(\s*['"]{0,1}onfr64_qrpbqr['"]{0,1} -if\s*\(\s*\$_POST\[\s*['"]{0,1}path['"]{0,1}\s*\]\s*==\s*['"]{0,1}['"]{0,1}\s*\)\s*{\s*\$uploadfile\s*=\s*\$_FILES\[\s*['"]{0,1}file['"]{0,1}\s*\]\[\s*['"]{0,1}name['"]{0,1}\s*\] -if\s*\(\s*fwrite\s*\(\s*\$handle\s*,\s*file_get_contents\s*\(\s*\$_(GET|POST|SERVER|COOKIE|REQUEST) -array_key_exists\s*\(\s*\$fileRas\s*,\s*\$fileType\)\s*\?\s*\$fileType\[\s*\$fileRas\s*\] -urlencode\(print_r\(array\(\),1\)\),5,1\)\.c\),\$c\);}eval\(\$d\) -if\s*\(\s*function_exists\s*\(\s*'pcntl_fork -find\s+/\s+-type\s+f\s+-perm\s+-04000\s+-ls -execl\(['"]/bin/sh['"]\s*,\s*['"]/bin/sh['"]\s*,\s*['"]-i['"]\s*,\s*0\) -function\s+inject\(\$file,\s*\$injection= -fclose\(\$f\);\s*echo\s*['"]o\.k\.['"] -preg_replace\s*\(\s*\$exif\[\s*\\['"]Make\\['"]\s*\]\s*,\s*\$exif\[\s*\\['"]Model\\['"]\s*\] -\^downloads/\(\[0-9\]\*\)/\(\[0-9\]\*\)/\$\s+downloads\.php\?c=\$1&p=\$2 -\$res=mysql_query\(['"]{0,1}SELECT\s+\*\s+FROM\s+`watchdog_old_05`\s+WHERE\s+page -RewriteRule\s+\.\*\s+index\.php\?url=\$0\s+\[L,QSA\] -IO::Socket::INET->new\(Proto\s*=>\s*"tcp"\s*,\s*LocalPort\s*=>\s*36000\s*,\s*Listen\s*=>\s*SOMAXCONN -eval\s*\(*\s*strrev\s*\(*\s*str_replace -@*move_uploaded_file\s*\(\s*\$_FILES\[\s*['"]{0,1}message['"]{0,1}\s*\]\[\s*['"]{0,1}tmp_name['"]{0,1}\s*\]\s*,\s*\$security_code\s*\.\s*"/"\s*\.\s*\$_FILES\[['"]{0,1}message['"]{0,1}\]\[['"]{0,1}name['"]{0,1}\]\) -\$URL\s*=\s*\$urls\[\s*rand\(\s*0\s*,\s*count\s*\(\s*\$urls\s*\)\s*-\s*1\s*\)\s*\] -isset\s*\(\s*\$_FILES\[\s*['"]{0,1}x['"]{0,1}\s*\]\s*\)\s*\?\s*\(\s*is_uploaded_file\s*\(\s*\$_FILES\[\s*['"]{0,1}x['"]{0,1}\s*\]\[\s*['"]{0,1}tmp_name['"]{0,1}\s*\]\s*\)\s*\?\s*\(\s*copy\s*\(\s*\$_FILES\[\s*['"]{0,1}x['"]{0,1}\s*\] -if\s*\(\s*\$i\s*<\s*\(\s*count\s*\(\s*\$_POST\[\s*['"]{0,1}q['"]{0,1}\s*\]\s*\)\s*-\s*1 -file_get_contents\s*\(*\s*ADMIN_REDIR_URL\s*,\s*false\s*,\s*\$ctx\s*\) -tmhapbzcerff -content=['"]{0,1}no-cache['"]{0,1};\s*\$config\[['"]{0,1}description['"]{0,1}\]\s*\.=\s*['"]{0,1} -clearstatcache\(\s*\);\s*if\s*\(\s*!is_dir\s*\(\s*\$fld\s*\)\s*\)\s*return -\$rBuffLen\s*=\s*ord\s*\(\s*VC_Decrypt\s*\(\s*fread\s*\(\s*\$input,\s*1\s*\)\s*\)\s*\)\s*\*\s*256 -IrSecTeam -@header\(['"]Location:\s*['"]\.['"]h['"]\.['"]t['"]\.['"]t['"]\.['"]p['"] -set_time_limit\s*\(\s*0\s*\);\s*if\s*\(!SecretPageHandler::checkKey -return\s*\(\s*strstr\s*\(\s*\$s\s*,\s*'echo'\s*\)\s*==\s*false\s*\?\s*\(\s*strstr\s*\(\s*\$s\s*,\s*'print' -time\(\)\s*\+\s*10000\s*,\s*['"]/['"]\);\s*echo\s+\$m_zz;\s*eval\s*\(\$m_zz -if\(!empty\(\$_FILES\[['"]{0,1}message['"]{0,1}\]\[['"]{0,1}name['"]{0,1}\]\)\s+AND\s+\(md5\(\$_POST\[['"]{0,1}nick['"]{0,1}\]\)\s*==\s*['"]{0,1} -str_rot13\s*\(\s*gzinflate\s*\(\s*base64_decode -gzuncompress\s*\(\s*str_rot13\s*\(\s*base64_decode -gzuncompress\s*\(\s*base64_decode\s*\(\s*str_rot13 -gzinflate\s*\(\s*base64_decode\s*\(\s*str_rot13\s*\(\s*strrev -gzinflate\s*\(\s*base64_decode\s*\(\s*strrev\s*\(\s*str_rot13 -gzinflate\s*\(\s*base64_decode\s*\(\s*strrev -gzinflate\s*\(\s*base64_decode\s*\(\s*base64_decode\s*\(\s*str_rot13 -base64_decode\s*\(\s*gzuncompress\s*\(\s*base64_decode -gzinflate\s*\(\s*base64_decode\s*\(\s*str_rot13 -gzinflate\s*\(\s*str_rot13\s*\(\s*base64_decode -Brazil\s+HackTeam -\$tld\s*=\s*array\s*\(\s*['"]com['"],['"]org['"],['"]net['"] -define\s*\(*\s*['"]SBCID_REQUEST_FILE['"]\s*, -preg_replace\s*\(*\s*['"]/\.\+/esi -Mysterious\s+Wire -\$headers\s*\.=\s*\$_POST\[\s*['"]eMailAdd['"]\s*\] -define\s*\(\s*['"]DEFCALLBACKMAIL -default_action\s*=\s*['"]{0,1}FilesMan['"]{0,1} -echo\s+@file_get_contents\s*\(\s*\$get -if\s*\(\s*stripos\s*\(\s*\$_SERVER\[['"]{0,1}HTTP_USER_AGENT['"]{0,1}\]\s*,\s*['"]{0,1}Android['"]{0,1}\)\s*!==false\s*&&\s*!\$_COOKIE\[['"]{0,1}dle_user_id -header\s*\(['"]Location:\s*['"]\s*\.\s*\$to\s*\.\s*urldecode -Dc0RHa['"] -!touch\(['"]{0,1}\.\./\.\./language/ -eval\(\s*stripslashes\(\s*\\\$_REQUEST -document\.write\s*\(\s*['"]{0,1}<script\s+src=['"]{0,1}http://<\?=\$domain\?>/ -exit\s*\(\s*['"]{0,1}<script>\s*setTimeout\s*\(\s*\\['"]{0,1}document\.location\.href -function\s+sql2_safe\s*\( -\$postResult\s*=\s*curl_exec\s*\(*\s*\$ch -&&\s*function_exists\s*\(*\s*['"]{0,1}getmxrr['"]{0,1}\)\s*\)\s*{\s*@getmxrr\s*\(*\s*\$ -is__writable\s*\(*\s*\$path\s*\.\s*uniqid\s*\(*\s*mt_rand -file_put_contentz\s*\(*\s*\$ -@*gzinflate\s*\(\s*@*base64_decode\s*\(\s*@*str_replace -fopen\s*\(*\s*['"]http://['"]\s*\.\s*\$check_domain\s*\.\s*['"]:80['"]\s*\.\s*\$check_doc\s*,\s*['"]r['"] -@\$_COOKIE\[['"]{0,1}statCounter['"]{0,1}\] -if\s*\(*\s*@*preg_match\s*\(*\s*str -array_pop\s*\(*\s*\$workReplace\s*,\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*,\s*\$countKeysNew -(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]___['"]\s* -\(\s*['"]INSHELL['"]\s* -\$b\s*\.\s*\$p\s*\.\s*\$h\s*\.\s*\$k\s*\.\s*\$v -=\s*preg_split\s*\(\s*['"]/\\,\(\\ \+\)\?/['"],\s*@*ini_get\s*\(\s*['"]disable_functions -if\s*\(!function_exists\s*\(\s*['"]posix_getpwuid['"]\s*\)\s*&&\s*!in_array\s*\(\s*['"]posix_getpwuid -preg_replace\s*\(\s*['"]/\^\(www\|ftp\)\\\./i['"]\s*,\s*['"]['"],\s*@\$_SERVER\s*\[\s*['"]{0,1}HTTP_HOST['"]{0,1}\s*\]\s*\) -if\s*\(*\s*isset\s*\(*\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}[a-zA-Z_0-9]+['"]{0,1}\s*\]\s*\)*\s*\)\s*{\s*\$[a-zA-Z_0-9]+\s*=\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}[a-zA-Z_0-9]+['"]{0,1}\s*\];\s*eval\s*\(*\s*\$[a-zA-Z_0-9]+\s*\)* -eval\s*\(*\s*stripslashes\s*\(*\s*array_pop\(*\$_(GET|POST|SERVER|COOKIE|REQUEST) -if\s+\(\s*strpos\s*\(\s*\$url\s*,\s*['"]js/mootools\.js['"]\s*\)\s*===\s*false\s+&&\s+strpos\s*\(\s*\$url\s*,\s*['"]js/caption\.js['"]{0,1} -if\s+\(*\s*mail\s*\(\s*\$recp\s*,\s*\$subj\s*,\s*\$stunt\s*,\s*\$frm -<\?php\s+\$_F\s*=\s*__FILE__\s*;\s*\$_X\s*= -\$x\d+\s*=\s*['"].+?['"]\s*;\s*\$x\d+\s*=\s*['"].+?['"]\s*;\s*\$x\d+\s*=\s*['"] -\$beecode\s*=@*file_get_contents\s*\(*['"]{0,1}\s*\$urlpurs\s*['"]{0,1}\)*\s*;\s*echo\s+['"]{0,1}\$beecode['"]{0,1} -\$GLOBALS\[\s*['"]{0,1}.+?['"]{0,1}\s*\]\[\s*\d+\s*\]\(\s*\$_\d+\s*,\s*_\d+\s*\(\s*\d+\s*\)\s*\)\s*\) -preg_replace\s*\(*\s*['"]{0,1}/\.\*\[.+?\]\?/e['"]{0,1}\s*,\s*str_replace -\$GLOBALS\[['"]{0,1}.+?['"]{0,1}\]=Array\s*\(\s*base64_decode\s*\(\s*['"]{0,1}.+?['"]{0,1}\s*\)\s*,\s*base64_decode\s*\(\s*['"]{0,1}.+?['"]{0,1}\s*\) -UNION\s+SELECT\s+['"]{0,1}0['"]{0,1}\s*,\s*['"]{0,1}<\? system\(\\\$_(GET|POST|SERVER|COOKIE|REQUEST)\[cpc\]\);exit;\s*\?>['"]{0,1}\s*,\s*0\s*,0\s*,\s*0\s*,\s*0\s+INTO\s+OUTFILE\s+['"]{0,1}\$['"]{0,1} -isset\s*\(*\s*\$_POST\s*\[\s*['"]{0,1}execgate['"]{0,1}\s*\]\s*\)* -fwrite\s*\(*\s*\$fpsetv\s*,\s*getenv\s*\(\s*['"]HTTP_COOKIE['"]\s*\)\s* -symlink\s*\(*\s*['"]/home/ -function\s+urlGetContents\s*\(*\s*\$url\s*,\s*\$timeout\s*=\s*\d+\s*\) -strrev\(*\s*['"]{0,1}edoced_46esab['"]{0,1}\s*\)* -strrev\(*\s*['"]{0,1}tressa['"]{0,1}\s*\)* -exec\s*\(\s*['"]ipfw -wp_posts\s+WHERE\s+post_type\s*=\s*['"]{0,1}post['"]{0,1}\s+AND\s+post_status\s*=\s*['"]{0,1}publish['"]{0,1}\s+ORDER\s+BY\s+`ID`\s+DESC -file_get_contents\s*\(*\s*trim\s*\(\s*\$.+?\[\$_(GET|POST|SERVER|COOKIE|REQUEST)\[['"]{0,1}.+?['"]{0,1}\]\]\)\); -is_callable\s*\(*\s*['"]{0,1}(ftp_exec|system|shell_exec|passthru|popen|proc_open)['"]{0,1}\)*\s+and\s+!in_array\s*\(*\s*['"]{0,1}(ftp_exec|system|shell_exec|passthru|popen|proc_open)['"]{0,1}\s*,\s*\$disablefuncs -\$GLOBALS\[['"]{0,1}____ -fopen\s*\(*\s*['"]{0,1}/etc/passwd['"]{0,1} -eval\s*\(*@*\s*stripslashes\s*\(*\s*array_pop\s*\(*\s*@*\$_ -eval\s*\(*@*\s*stripslashes\s*\(*\s*@*\$_ -@*setcookie\s*\(*\s*['"]{0,1}hit['"]{0,1},\s*1\s*,\s*time\s*\(*\s*\)*\s*\+ -eval\s*\(*\s*file_get_contents\s*\(* -preg_replace\s*\(*\s*['"]{0,1}/\.\*/e['"]{0,1} -\s*{\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}root['"]{0,1}\s*\]\s*} -['"]{0,1}httpd\.conf['"]{0,1}\s*,\s*['"]{0,1}vhosts\.conf['"]{0,1}\s*,\s*['"]{0,1}cfg\.php['"]{0,1}\s*,\s*['"]{0,1}config\.php['"]{0,1} -proc_open\s*\(\s*['"]{0,1}IHSteam -\$ini\s*\[\s*['"]{0,1}users['"]{0,1}\s*\]\s*=\s*array\s*\(\s*['"]{0,1}root['"]{0,1}\s*=> -curl_setopt\s*\(\s*\$ch\s*,\s*CURLOPT_URL\s*,\s*['"]{0,1}http://\$host:\d+['"]{0,1}\s*\) -system\s*\(*\s*['"]{0,1}whoami['"]{0,1}\s*\)* -find\s+/\s+-name\s+\.ssh\s+>\s+\$dir/sshkeys/sshkeys -assert\s*\(*\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST) -eval\s*\(*\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST) -php\s+"\s*\.\s*\$wso_path -@*assert\s*\(*\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}.+?['"]{0,1}\s*\]\s* -eva1[a-zA-Z0-9_]+?Sir -\$cmd\s*=\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}.+?['"]{0,1}\s*\]\s*\) -\$function\s*\(*\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}cmd['"]{0,1}\s*\]\s*\)* -\$fe\("\$cmd\s+2>&1"\); -(ftp_exec|system|shell_exec|passthru|popen|proc_open)\(['"]\$cmd\s+1>\s*/tmp/cmdtemp\s+2>&1;\s*cat\s+/tmp/cmdtemp;\s*rm\s+/tmp/cmdtemp['"]\); -setcookie\(*\s*['"]mysql_web_admin_username['"]\s*\)* -(ftp_exec|system|shell_exec|passthru|popen|proc_open)\s*\(*\s*['"]uname\s+-a['"]\s*\)* -(ftp_exec|system|shell_exec|passthru|popen|proc_open)\s*\(*\s*@*\$_POST\s*\[\s*['"].+?['"]\s*\]\s*\.\s*"\s*2\s*>\s*&1\s*['"] -!@*\$_REQUEST\s*\[\s*['"]c99sh_surl['"]\s*\]\s*\) -\$login\s*=\s*@*posix_getuid\(*\s*\)* -ncftpput\s*-u\s*\$ftp_user_name -runcommand\s*\(\s*['"]shellhelp['"]\s*,\s*['"](GET|POST|SERVER|COOKIE|REQUEST)['"] -{\s*\$\s*{\s*passthru\s*\(*\s*\$cmd\s*\)\s*}\s*}\s*<br> -passthru\s*\(*\s*getenv\s*\(*\s*\\['"]HTTP_ACCEPT_LANGUAGE -passthru\s*\(*\s*getenv\s*\(*\s*['"]HTTP_ACCEPT_LANGUAGE -SELECT\s+1\s+FROM\s+mysql\.user\s+WHERE\s+concat\(\s*`user`\s*,\s*'@'\s*,\s*`host`\s*\) -\$MessageSubject\s*=\s*base64_decode\s*\(\s*\$_POST\s*\[\s*['"]{0,1}msgsubject['"]{0,1}\s*\]\s*\) -rename\s*\(\s*\s*['"]{0,1}wso\.php['"]{0,1}\s*, -filepath\s*=\s*@*realpath\s*\(\s*\$_POST\s*\[\s*['"]filepath['"]\s*\]\s*\) -filepath\s*=\s*@*realpath\s*\(\s*\$_POST\s*\[\s*\\['"]filepath\\['"]\s*\]\s*\) -eval\s*\(*\s*base64_decode\s*\(*\s*@*\$_ -wsoEx\s*\(\s*\\['"]\s*tar\s*cfzv\s*\\['"]\s*\.\s*escapeshellarg\s*\(\s*\$_POST\[\s*\\['"]p2\\['"]\s*\]\s*\) -WSOsetcookie\s*\(\s*md5\s*\(\s*@*\$_SERVER\[\s*['"]HTTP_HOST['"]\s*\]\s*\) -WSOsetcookie\s*\(\s*md5\s*\(\s*@*\$_SERVER\[\s*\\['"]HTTP_HOST\\['"]\s*\]\s*\) -\$info \.= \(\(\$perms\s*&\s*0x0040\)\s*\?\(\(\$perms\s*&\s*0x0800\)\s*\?\s*\\['"]s\\['"]\s*:\s*\\['"]x\\['"]\s*\)\s*:\(\(\$perms\s*&\s*0x0800\)\s*\?\s*'S'\s*:\s*'-'\s*\) -default_action\s*=\s*\\['"]FilesMan -system\s+file\s+do\s+not\s+delete -hacked\s+by\s+Hmei7 -by\s+Grinay -Captain\s+Crunch\s+Team -\$_(GET|POST|SERVER|COOKIE|REQUEST)\[\s*['"]{0,1}p2['"]{0,1}\s*\]\s*==\s*['"]{0,1}chmod['"]{0,1} -userAgent\|pp\|http\|dazalyz['"]{0,1}\.split\(['"]{0,1}\|['"]{0,1}\),0 -f='f'\+'r'\+'o'\+'m'\+'Ch'\+'arC'\+'ode'; -\.prototype\.a}catch\( -try{Boolean\(\)\.prototype\.q}catch\( -if\(Ref\.indexOf\('\.google\.'\)!= -indexOf\|if\|rc\|length\|msn\|yahoo\|referrer\|altavista\|ogo\|bi\|hp\|var\|aol\|query -Array\.prototype\.slice\.call\(arguments\)\.join\(""\) -q=document\.createElement\("d"\+"i"\+"v"\);q\.appendChild\(q\+""\);}catch\(qw\){h= -\+zz;ss=\[\];f='fr'\+'om'\+'Ch';f\+='arC';f\+='ode';w=this;e=w\[f\["substr"\]\( -s5\(q5\){return \+\+q5;}function yf\(sf,we\){return sf\.substr\(we,1\);}function y1\(wb\){if\(wb==168\)wb=1025;else -if\(navigator\.userAgent\.match\(/\(android\|midp\|j2me\|symbian -document\.write\('<script language="JavaScript" type="text/javascript" src="'\+domain\+'"></scr'\+'ipt>'\) -http://phsp\.ru/_/go\.php\?sid= -</html>\s*<script -</html>\s*<iframe -=navigator\[appVersion_var\]\.indexOf\("MSIE"\)!=-1\?'<iframe name -\\x65At -\\x61rCod -"fr"\+"omC"\+"harCode" -="ev"\+"al" -\[\(\(e\)\?"s":""\)\+"p"\+"lit"\]\("a\$"\[\(\(e\)\?"su":""\)\+"bstr"\]\(1\)\); -f='fr'\+'om'\+'Ch';f\+='arC';f\+='ode'; -f\+=\(h\)\?'ode':""; -f='f'\+'r'\+'o'\+'m'\+'Ch'\+'arC'\+'ode'; -f='fromCh';f\+='arC';f\+='qgode'\["substr"\]\(2\); -var\s+div_colors -var\s+_0x -CoreLibrariesHandler -pingnow -serchbot -km0ae9gr6m -c3284d -\\x68arC -\\x6dCha -\\x6fde -\\x6fde -\\x43ode -\\x72om -\\x43ha -\\x72Co -\\x43ode -\.dyndns\. -\.dyndns- -}\s*else\s*{\s*document\.write\s*\(\s*['"]{0,1}\.['"]{0,1}\)\s*}\s*}\s*R\(\s*\) -document\.write\(unescape\('%3Cdiv%20id%3D%22 -\.bitcoinplus\.com -\.split\("&&"\);h=2;s="";if\(m\)for\(i=0; -<iframe\s+src="http://deluxesclicks\.pro/ -3Bfor\|fromCharCode\|2C27\|3D\|2C88\|unescape -;\s*document\.write\(['"]{0,1}<iframe\s*src="http://ya\.ru -w\.document\.body\.appendChild\(script\);\s*clearInterval\(i\);\s*}\s*}\s*,\s*\d+\s*\)\s*;\s*}\s*\)\(\s*window -if\(!g\(\)&&window\.navigator\.cookieEnabled\){document\.cookie="1=1;expires="\+e\.toGMTString\(\)\+";path=/"; -nn_param_preloader_container\|5001\|hidden\|innerHTML\|inject\|visible -<!-- [a-zA-Z0-9_]+?\|\|stat --> -&parameter=\$keyword&se=\$se&ur=1&HTTP_REFERER='\+encodeURIComponent\(document\.URL\) -windows\|series\|60\|symbos\|ce\|mobile\|symbian -\[['"]eval['"]\]\(s\);}}}}</script> -kC70FMblyJkFWZodCKl1WYOdWYUlnQzRnbl1WZsVEdldmL05WZtV3YvRGI9 -{k=i;s=s\.concat\(ss\(eval\(asq\(\)\)-1\)\);}z=s;eval\( -document\.cookie\.match\(new\s+RegExp\(\s*"\(\?:\^\|; \)"\s*\+\s*name\.replace\(/\(\[\\\.\$\?\*\|{}\\\(\\\)\\\[\\\]\\/\\\+\^\]\)/g -setCookie\s*\(*\s*"arx_tt"\s*,\s*1\s*,\s*dt\.toGMTString\(\)\s*,\s*['"]{0,1}/['"]{0,1} -document\.cookie\.match\s*\(\s*new\s+RegExp\s*\(\s*"\(\?:\^\|;\s*\)"\s*\+\s*name\.replace\s*\(/\(\[\\\.\$\?\*\|{}\\\(\\\)\\\[\\\]\\/\\\+\^\]\)/g -var\s+dt\s+=\s+new\s+Date\(\),\s+expiryTime\s+=\s+dt\.setTime\(\s+dt\.getTime\(\)\s+\+\s+900000000 -if\s*\(\s*num\s*===\s*0\s*\)\s*{\s*return\s*1;\s*}\s*else\s*{\s*return\s+num\s*\*\s*rFact\(\s*num\s*-\s*1 -\+=String\.fromCharCode\(parseInt\(0\+'x' -<script\s+language="JavaScript">\s*parent\.window\.opener\.location="http://vk\.com -location\.replace\(['"]{0,1}http://v5k45\.ru -;try{\+\+document\.body}catch\(q\){aa=function\(ff\){for\(i=0;i<z\.length;i\+\+\){za\+=String\[ff\]\(e\(v\+\(z\[i\]\)\)-12\);}};} -document\.write\s*\(['"]{0,1}<['"]{0,1}\s*\+\s*x\[0\]\s*\+\s*['"]{0,1} ['"]{0,1}\s*\+\s*x\[4\]\s*\+\s*['"]{0,1}>\.['"]{0,1}\s*\+x\s*\[2\]\s*\+ -if\(t\.length==2\){z\+=String\.fromCharCode\(parseInt\(t\)\+ -window\.onload\s*=\s*function\(\)\s*{\s*if\s*\(document\.cookie\.indexOf\( -\.style\.height\s*=\s*['"]{0,1}0px['"]{0,1};window\.onload\s*=\s*function\(\)\s*{document\.cookie -\.src=\(['"]{0,1}htps:['"]{0,1}==document\.location\.protocol\?['"]{0,1}https://ssl['"]{0,1}:['"]{0,1}http://['"]{0,1}\)\+ -404\.php['"]{0,1}>\s*</script> -preg_match\(['"]{0,1}/sape/i['"]{0,1}\s*,\s*\$_SERVER\[['"]{0,1}HTTP_REFERER -div\.innerHTML\s*\+=\s*['"]{0,1}<embed\s+id="dummy2"\s+name="dummy2"\s+src -setTimeout\(['"]{0,1}addNewObject\(\)['"]{0,1},\d+\);}}};addNewObject\(\) -\(b=document\)\.head\.appendChild\(b\.createElement -Chrome\|iPad\|iPhone\|IEMobile -\$:\({}\+""\)\[\$\] --\s*PayPal\s*</title> --\s*Privati\s*</title> -<title>\s*UniCredit -Bank\s+of\s+America -Alibaba&nbsp;Manufacturer -Hong\s+Leong\s+Online -Your\s+account\s+\|\s+Log\s+in -Sign\s+in\s+to\s+Yahoo -BANCOLOMBIA -<title>\s*Amazon -<title>\s*Apple -<title>Google\s+Secure -<title>Merak\s+Mail\s+Server -<title>Socket\s+Webmail -<title>\[L_QUERY\] -<title>ANZ\s+Internet\s+Banking -com\.websterbank\.servlets\.Login -{position:absolute;top:-9999px;}</style><div\s+class= -if\s*\(\(ua\.indexOf\(['"]{0,1}chrome['"]{0,1}\)\s*==\s*-1\s*&&\s*ua\.indexOf\("win"\)\s*!=\s*-1\)\s*&&\s*navigator\.javaEnabled -parent\.window\.opener\.location=['"]{0,1}http://vk\.com\. -\]\.substr\(0,1\)\);}}return this;},\\u00 -javascript\|head\|toLowerCase\|chrome\|win\|javaEnabled\|appendChild -loadPNGData\(strFile, -\);if\(!~\(['"]{0,1} -//\s*Some\.devices\.are -stripos\s*\(\s*f_haystack\s*,\s*f_needle\s*,\s*f_offset -window\.onerror\s*=\s*killerrors -check_user_agent=\[\s*['"]{0,1}Lunascape['"]{0,1}\s*,\s*['"]{0,1}iPhone['"]{0,1}\s*,\s*['"]{0,1}Macintosh -document\.write\(['"]{0,1}<['"]{0,1}\+['"]{0,1}i['"]{0,1}\+['"]{0,1}f['"]{0,1}\+['"]{0,1}r['"]{0,1}\+['"]{0,1}a['"]{0,1}\+['"]{0,1}m['"]{0,1}\+['"]{0,1}e -sexfromindia\.com -filekx\.com -stummann\.net -http://xzx\.pm -\.hopto\.me/jquery -mobi-go\.in -bankofamerica\.com -myfilestore\.com -filestore72\.info -file2store\.info -url2short\.info -filestore123\.info -url123\.info -dollarade\.com -secclik\.ru -moby-aa\.ru -servload\.ru -nnn\.pm -stripos\(navigator\.userAgent\s*,\s*list_data\[i -if\s*\(!see_user_agent\(\) -c\.length\);}return\s*['"]['"];}if\(!getCookie -@*extract\s*\( -@*extract\s*\$ -['"]eval['"] -['"]base64_decode['"] -['"]create_function['"] -['"]assert['"] -foreach\s*\(\s*\$emails\s+as\s+\$email\s*\) -Spammer -eval\s*['"\(\$] -assert\s*['"\(\$] -srpath://\.\./\.\./\.\./\.\. -phpinfo\s*\( -SHOW\s+DATABASES -\bpopen\s*\( -exec\s*\( -\bsystem\s*\( -\bpassthru\s*\( -\bproc_open\s*\( -shell_exec\s*\( -ini_restore\s*\( -\bdl\s*\( -\bsymlink\s*\( -\bchgrp\s*\( -\bini_set\s*\( -\bputenv\s*\( -getmyuid\s*\( -fsockopen\s*\( -posix_setuid\s*\( -posix_setsid\s*\( -posix_setpgid\s*\( -posix_kill\s*\( -apache_child_terminate\s*\( -\bchmod\s*\( -\bchdir\s*\( -pcntl_exec\s*\( -\bvirtual\s*\( -proc_close\s*\( -proc_get_status\s*\( -proc_terminate\s*\( -proc_nice\s*\( -getmygid\s*\( -proc_getstatus\s*\( -proc_close\s*\( -escapeshellcmd\s*\( -escapeshellarg\s*\( -show_source\s*\( -\bpclose\s*\( -safe_dir\s*\( -ini_restore\s*\( -chown\s*\( -chgrp\s*\( -shown_source\s*\( -mysql_list_dbs\s*\( -get_current_user\s*\( -getmyid\s*\( -\bleak\s*\( -pfsockopen\s*\( -get_current_user\s*\( -syslog\s*\( -\$default_use_ajax -eval\s*\(*\s*unescape -FLoodeR -document\.write\s*\(\s*unescape -\bcopy\s*\( -move_uploaded_file\s*\( -\.333333 -\.666666 -round\s*\(*\s*0\s*\)* -copy\s*\(*\s*\$_FILES\s*\[\s*['"]{0,1}file['"]{0,1}\s*\]\[\s*['"]{0,1}tmp_name['"]{0,1}\s*\]\s*,\s*\$uploadfile -move_uploaded_files\s*\(*\s*\$_FILES\s*\[\s*['"]{0,1}file['"]{0,1}\s*\]\[\s*['"]{0,1}tmp_name['"]{0,1}\s*\]\s*,\s*\$uploadfile -ini_get\s*\(\s*['"]{0,1}disable_functions['"]{0,1} -UNION\s+SELECT\s+['"]{0,1}0['"]{0,1} -2\s*>\s*&1 -echo\s*\(*\s*\$_SERVER\[['"]{0,1}DOCUMENT_ROOT['"]{0,1}\] -=\s*Array\s*\(*\s*base64_decode\s*\(* -killall\s+-\d+ -eriuqer -touch\s*\( -sshkeys -@include -@require -if\s*\(mail\s*\(\s*\$to,\s*\$subject,\s*\$message,\s*\$headers -@ini_set\s*\(*['"]{0,1}allow_url_fopen -@file_get_contents -file_put_contents -android\s*\|\s*midp\s*\|\s*j2me\s*\|\s*symbian -@setcookie\s*\(*['"]{0,1}hit -@fileowner -<kuku> -sypex -\$beecode -Backdoor -php_uname\s*\( -mail\s*\(*\s*\$to\s*,\s*\$subj\s*,\s*\$msg\s*,\s*\$from -echo\s*['"]<script>\s*alert\( -mail\s*\(*\s*\$send\s*,\s*\$subject\s*,\s*\$headers\s*,\s*\$message -mail\s*\(*\s*\$to\s*,\s*\$subject\s*,\s*\$message\s*,\s*\$headers -strpos\s*\(*\s*\$name\s*,\s*['"]{0,1}HTTP_['"]{0,1}\s*\)*\s*!==\s*0\s*&&\s*strpos\s*\(*\s*\$name\s*,\s*['"]{0,1}REQUEST_ -is_function_enabled\s*\(\s*['"]{0,1}ignore_user_abort -echo\s*\(*\s*file_get_contents -echo\s*\(*['"]{0,1}<script -print\s*\(*\s*file_get_contents -print\s*\(*['"]{0,1}<script -<marquee\s+style\s*=\s*['"]{0,1}position\s*:\s*absolute\s*;\s*width\s*:\s*\d+\s*px\s* -=\s*['"]{0,1}\.\./\.\./\.\./wp-config\.php -eggdrop -rwxrwxrwx -error_reporting -\bcreate_function -{\s*position\s*:\s*absolute;\s*left\s*:\s*- -<script\s+async -_['"]{0,1}\s*\]\s*=\s*Array\s*\(\s*base64_decode\s*\(*\s*['"]{0,1} -AddType\s+application/x-httpd-cgi -getenv\s*\(*\s*['"]{0,1}HTTP_COOKIE['"]{0,1} -ignore_user_abort\s*\(*\s*['"]{0,1}1['"]{0,1} -\$_REQUEST\s*\[\s*%22 -url\s*\(['"]{0,1}data\s*:\s*image/png;\s*base64\s*, -url\s*\(['"]{0,1}data\s*:\s*image/gif;\s*base64\s*, -:\s*url\s*\(\s*['"]{0,1}<\?php -</html>.+?<script -</html>.+?<iframe -(ftp_exec|system|shell_exec|passthru|popen|proc_open)\s*['"\(\$] -\bmail\s*\( -file_get_contents\s*\(*\s*['"]{0,1}php://input -<meta\s+http-equiv=['"]{0,1}Content-type['"]{0,1}\s+content=['"]{0,1}text/html;\s*charset=windows-1251['"]{0,1}><body> -=\s*document\.createElement\(\s*['"]{0,1}script['"]{0,1}\s*\); -document\.body\.insertBefore\(div,\s*document\.body\.children\[0\]\); -<script\s+type="text/javascript"\s+src="http://[a-zA-Z0-9_]+?\.php"></script> -echo\s+['"]{0,1}ok['"]{0,1} -/usr/sbin/sendmail -/var/qmail/bin/sendmail +R3DTUXES +visitorTracker_isMob +com_content/articled\\\.php +\<title\>EmsProxy v +android\-igra\- +\=\=\=\:\:\:mad\:\:\:\=\=\= +H4xOr +R4pH4x0r +NG689Skw +216\\\.239\\\.32\\\. +fopo\\\.com\\\.ar +64\\\.68\\\.80\\\. +HarchaLi +64\\\.233\\\.160\\\. +1\\\.179\\\.249\\\. +P\\\.h\\\.p\\\.S\\\.p\\\.y +_shell_atildi_ +~ Shell I +0xdd82 +Antichat shell +ALEMiN KRALi +ASPX Shell by LT +aZRaiLPhP +Coded By Charlichaplin +Bl0od3r +BY iSKORPiTX +devilzShell +Written by Captain Crunch Team +c2007\\\.php +C99 Modified By Psych0 +\\\$c99sh_updatefurl +C99 Shell +cookiename\="wieeeee" +Coded by \: Super\-Crystal and Mohajer22 +CrystalShell +TEAM SCRIPTING \- RODNOC +Cyber Shell +d0mains +DarkDevilz\\\.iN +Shell written by Bl0od3r +Dive Shell \- Emperor Hacking Team +Devr\-i Mefsedet +Comandos Exclusivos do DTool Pro +Emperor Hacking TEAM +Fixed by Art Of Hack +FaTaLisTiCz_Fx Fx29Sh +Lutfen Dosyayi Adlandiriniz +this is a priv3 server +GFS Web\-Shell +GHC Manager +Goog1e_analist +Grinay Go0o\\\$E +h4ntu shell \\\[powered by tsoi\\\] +Hacked By Devr\-i Mefsedet +HACKED BY REALWAR +Hackerler Vurur Lamerler Surunur +iMHaBiRLiGi +KA_uShell +Liz0ziM +Locus7Shell +Moroccan Spamers Ma\-EditioN By GhOsT +Matamu Mat +Open the file attachment if any,and base64_encode +m0rtix +m0hze +Matamu Mat +Moroccan Spamers +\\\$MyShellVersion +MySQL RST +MySQL Web Interface +MySQL Web Interface Version +MySQL Webshell +N3tshell +Hacked by Silver +NeoHack +NetworkFileManagerPHP +NIX REMOTE WEB\-SHELL +O BiR KRAL TAKLiT EDilEMEZ +PHANTASMA\- NeW CmD +PIRATES CREW WAS HERE +a simple php backdoor +LOTFREE PHP Backdoor +News Remote PHP Shell Injection +PHPJackal +PHP HVA Shell Script +phpRemoteView +PHP Shell is aninteractive PHP\-page +PHVayv +PPS 1\\\.0 perl\-cgi web shell +Press OK to enter site +private Shell by m4rco +r0nin +R57Sql +r57shell\\\\\\\.php +rgod`s webshell +realauth\=SvBD85dINu3 +Ru24PostWebShell +KAdot Universal Shell +Crzy_King +Safe_Mode Bypass PHP +SarasaOn Services +Simple PHP backdoor by DK +G\-Security Webshell +Simorgh Security Magazine +Shell by Mawar_Hitam +SSI web\-shell +Storm7Shell +The_BeKiR +W3D Shell +w4ck1ng shell +WebControls +developed by Digital Outcast +Watch Your system Shany was here +Web Shell by +WSO2 Webshell +NetworkFileManagerPHP for channel +Small PHP Web Shell by ZaCo +Mrlool\\\.exe +SEoDOR +Mr\\\.HiTman +rahui +d3b~X +ConnectBackShell +BY MMNBOBZ +OLB\:PRODUCT\:ONLINE_BANKING +C0derz\\\.com +MrHazem +v0ld3m0rt +K\!LL3r +Dr\\\.abolalh +\\\$rand_writable_folder_fullpath +\<textarea name\=\\\\"phpev\\\\" rows\=\\\\"5\\\\" cols\=\\\\"150\\\\"\>"\\\.\\\$_POST\\\['phpev'\\\]\\\."\</textarea\>\<br\> +c99ftpbrutecheck +By Psych0 +\\\$c99sh_updatefurl +temp_r57_table +adminspygrup\\\.org +casus15 +WSCRIPT\\\.SHELL +Executed command\: \<b\>\<font color\=\\\#dcdcdc\>\\\[\\\$cmd\\\] +ctshell\\\.php +DX_Header_drawn +crlf\\\.'unlink\\\(\\\$name\\\);'\\\.\\\$crlf\\\.'rename\\\("~"\\\.\\\$name,\\\$name\\\);'\\\.\\\$crlf\\\.'unlink\\\("grp_repair\\\.php" +/0tVSG/Suv0Ur/haUYAdn3jMQwbbocGffAeC29BN9tmBiJdV1lk\\\+jYDU92C94jdtDif\\\+xOYjG6CLhx31Uo9x9/eAWgsBK60kK2mLwqzqd +mpty\\\(\\\$_POST\\\['ur'\\\]\\\)\\\) \\\$mode \\\|\=0400;if\\\(\!empty\\\(\\\$_POST\\\['uw'\\\]\\\)\\\) \\\$mode \\\|\=0200;if\\\(\!empty\\\(\\\$_POST\\\['ux'\\\]\\\)\\\) \\\$mode \\\|\=0100 +klasvayv\\\.asp\\\?yenidosya\=\<%\=aktifklas%\> +nt\\\)\\\(disk_total_space\\\(getcwd\\\(\\\)\\\)/\\\(1024\\\*1024\\\)\\\)\\\."Mb Free space "\\\.\\\(int\\\)\\\(disk_free_space\\\(getcwd\\\(\\\)\\\)/\\\(1024\\\*1024\\\)\\\)\\\."Mb \< +a href\="\<\\\?echo "\\\$fistik\\\.php\\\?dizin\=\\\$dizin/\\\.\\\./"\\\?\>" style\="text\-decoration\: non +RootShell\!'\\\);self\\\.location\\\.href\='http\: +\<%\=Request\\\.ServerVariables\\\("script_name"\\\)%\>\\\?FolderPath\=\<%\=Server\\\.URLPathEncode\\\(Folder\\\.Driv +print\\\(\\\(is_readable\\\(\\\$f\\\) && is_writeable\\\(\\\$f\\\)\\\)\\\?"\<tr\>\<td\>"\\\.w\\\(1\\\)\\\.b\\\("R"\\\.w\\\(1\\\)\\\.font\\\('red','RW',3\\\)\\\)\\\.w\\\(1\\\)\:\\\(\\\(\\\(is_readable\\\(\\\$f\\\)\\\)\\\?"\<tr\>\<td\>"\\\.w\\\(1\\\)\\\.b\\\("R"\\\)\\\.w\\\(4\\\)\:""\\\)\\\.\\\(\\\(is_writabl +\\\('"','&quot;',\\\$fn\\\)\\\)\\\.'";document\\\.list\\\.submit\\\(\\\);\\\\'\>'\\\.htmlspecialchars\\\(strlen\\\(\\\$fn\\\)\>format\\\?substr\\\(\\\$fn,0,format\-3\\\)\\\.\:\\\$fn\\\)\\\.'\</a\>'\\\.str_repeat\\\(' ',format\-strlen\\\(\\\$fn\\\) +zehirhacker +J\!Vr\\\*&RHRw~JLw\\\.G\\\|xlhnLJ~\\\?1\\\.bwObxbP\\\|\!V +WSOsetcookie\\\(md5\\\(\\\$_SERVER\\\['HTTP_HOST'\\\]\\\) +\</td\>\<td id\=fa\>\\\[ \<a title\=\\\\"Home\: '"\\\.htmlspecialchars\\\(str_replace\\\("\\\\",\\\$sep,getcwd\\\(\\\)\\\)\\\)\\\."'\\\.\\\\" id\=fa href\=\\\\"javascript\:ViewDir\\\('"\\\.rawurlencode +Content\-Type\: \\\$_ +\<nobr\>\<b\>\\\$cdir\\\$cfile\</b\>\\\("\\\.\\\$file\\\["size_str"\\\]\\\."\\\)\</nobr\>\</td\>\</tr\>\<form name\=curr_file\> +wsoEx\\\('tar cfzv '\\\.escapeshellarg\\\(\\\$_POST\\\['p2'\\\]\\\) +5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk +LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\= +if\\\(ereg\\\('\\\^\\\[\\\[\:blank\:\\\]\\\]\\\*cd\\\[\\\[\:blank\:\\\]\\\]\\\+\\\(\\\[\\\^;\\\]\\\+\\\)\\\$',\\\$command,\\\$regs\\\)\\\) +round\\\(0\\\+9830\\\.4\\\+9830\\\.4\\\+9830\\\.4\\\+9830\\\.4\\\+9830\\\.4\\\)\\\)\=\= +PHPSHELL\\\.PHP +Shell by Mawar_Hitam +private Shell by m4rco +w4ck1ng shell +FaTaLisTiCz_Fx Fx29Sh +Worker_GetReplyCode\\\(\\\$opData\\\['recvBuffer'\\\]\\\) +\\\$filepath\=realpath\\\(\\\$_POST\\\['filepath'\\\]\\\); +\\\$redirectURL\='http\://'\\\.\\\$rSite\\\.\\\$_SERVER\\\['REQUEST_URI'\\\];if\\\(isset\\\(\\\$_SERVER\\\['HTTP_REFERER'\\\]\\\) +rename\\\("wso\\\.php", +\\\$MessageSubject\=base64_decode\\\(\\\$_POST\\\["msgsubject"\\\]\\\); +copy\\\(\\\$_FILES\\\[x\\\]\\\[tmp_name\\\],\\\$_FILES\\\[x\\\]\\\[name\\\]\\\)\\\) +SELECT 1 FROM mysql\\\.user WHERE concat\\\(`user`,'',`host`\\\) +\!\\\$_COOKIE\\\[\\\$sessdt_k\\\] +\\\$a\=\\\(substr\\\(urlencode\\\(print_r\\\(array\\\(\\\),1\\\)\\\),5,1\\\)\\\.c\\\) +xh \-s "/usr/local/apache/sbin/httpd \-DSSL"\\\./httpd \-m \\\$1 +pwd \> Generasi\\\.dir +BRUTEFORCING +Cautam fisierele de configurare +\\\$ka\='\<\\\?//BRE';\\\$kaka\=\\\$ka\\\.'ACK//\\\?\> +\\\$subj\=urldecode\\\(\\\$_GET\\\['su'\\\]\\\);\\\$body\=urldecode\\\(\\\$_GET\\\['bo'\\\]\\\);\\\$sds\=urldecode\\\(\\\$_GET\\\['sd'\\\]\\\) +\\\$____\=gzinflate\\\(\\\$____\\\)\\\)\{if\\\(isset\\\(\\\$_POS +passthru\\\(getenv\\\("HTTP_ACCEPT_LANGUAGE +Asmodeus +for\\\(;\\\$paddr\=accept\\\(CLIENT,SERVER\\\);close CLIENT\\\)\{ +\\\$izinler2\=substr\\\(base_convert\\\(fileperms\\\(\\\$fname\\\),10,8\\\),\-4\\\); +\\\$backdoor\-\>ccopy\\\(\\\$cfichier,\\\$cdestination\\\); +\{\\\$\{passthru\\\(\\\$cmd\\\)\}\}\<br\> +\\\$a\\\[hits\\\]'\\\);\\\\r\\\\n\\\#endquery\\\\r\\\\n +ncftpput \-u \\\$ftp_user_name +execl\\\("/bin/sh","sh","\-i",\\\(char\\\*\\\)0\\\); +\<HTML\>\<HEAD\>\<TITLE\>cgi\-shell\\\.py +system\\\("unset HISTFILE;unset SAVEHIST +\\\$login\=posix_getuid\\\(\\\); +\\\(ereg\\\('\\\^\\\[\\\[\:blank\:\\\]\\\]\\\*cd\\\[\\\[\:blank\:\\\]\\\]\\\*\\\$',\\\$_REQUEST\\\['command'\\\]\\\)\\\) +\!\\\$_REQUEST\\\["c99sh_surl"\\\]\\\) +PnVlkWM63\!\\\#&dKx~nMDWM~D/Esn~x6D\\\#&P~~,\\\?nY,WP\{Poj +shell_exec\\\(\\\$_POST\\\['cmd'\\\]\\\." 2\>&1"\\\); +if\\\(\!\\\$whoami\\\)\\\$whoami\=exec\\\("whoami"\\\); +PySystemState\\\.initialize\\\(System\\\.getProperties\\\(\\\),null,argv\\\); +\<%\=env\\\.queryHashtable\\\("user\\\.name"\\\)%\> +if\\\(empty\\\(\\\$_POST\\\['wser'\\\]\\\)\\\)\{\\\$wser\="whois\\\.ripe\\\.net";\}else \\\$wser\=\\\$_POST\\\['wser'\\\]; +if\\\(move_uploaded_file\\\(\\\$_FILES\\\['fila'\\\]\\\['tmp_name'\\\],\\\$curdir\\\."/"\\\.\\\$_FILES\\\['fila'\\\]\\\['name'\\\]\\\)\\\)\{ +shell_exec\\\('uname \-a'\\\); +if\\\(\!defined\\\$param\{cmd\}\\\)\{\\\$param\{cmd\}\="ls \-la"\}; +if\\\(get_magic_quotes_gpc\\\(\\\)\\\)\\\$shellOut\=stripslashes\\\(\\\$shellOut\\\); +\<a href\='\\\$PHP_SELF\\\?action\=viewSchema&dbname\=\\\$dbname&tablename\=\\\$tablename'\>Schema\</a\> +passthru\\\(\\\$bindir\\\."mysqldump \-\-user\=\\\$USERNAME \-\-password\=\\\$PASSWORD +mysql_query\\\("CREATE TABLE `xploit`\\\(`xploit` LONGBLOB NOT NULL\\\)"\\\); +\\\$ra44\=rand\\\(1,99999\\\);\\\$sj98\="sh\-\\\$ra44";\\\$ml\="\\\$sd98";\\\$a5\=\\\$_SERVER\\\['HTTP_REFERER'\\\]; +\\\$_FILES\\\['probe'\\\]\\\['size'\\\],\\\$_FILES\\\['probe'\\\]\\\['type'\\\]\\\); +system\\\("\\\$cmd 1\> /tmp/cmdtemp 2\>&1;cat /tmp/cmdtemp;rm /tmp/cmdtemp"\\\); +\}elsif\\\(\\\$servarg\=~ /\\\^\\\\\:\\\(\\\.\\\+\\\?\\\)\\\\\!\\\(\\\.\\\+\\\?\\\)\\\\\\\(\\\.\\\+\\\?\\\) PRIVMSG\\\(\\\.\\\+\\\?\\\) \\\\\:\\\(\\\.\\\+\\\)/\\\)\{ +send\\\(SOCK5,\\\$msg,0,sockaddr_in\\\(\\\$porta,\\\$iaddr\\\)\\\) and \\\$pacotes\{o\}\\\+\\\+;; +\\\$fe\\\("\\\$cmd 2\>&1"\\\); +while\\\(\\\$row\=mysql_fetch_array\\\(\\\$result,MYSQL_ASSOC\\\)\\\) print_r\\\(\\\$row\\\); +elseif\\\(is_writable\\\(\\\$FN\\\) && is_file\\\(\\\$FN\\\)\\\) \\\$tmpOutMF +connect\\\(SOCKET,sockaddr_in\\\(\\\$ARGV\\\[1\\\],inet_aton\\\(\\\$ARGV\\\[0\\\]\\\)\\\)\\\) or die print +if\\\(move_uploaded_file\\\(\\\$_FILES\\\["fic"\\\]\\\["tmp_name"\\\],good_link\\\("\\\./"\\\.\\\$_FILES\\\["fic"\\\]\\\["name"\\\]\\\)\\\)\\\) +UNION SELECT '0','\<\\\? system\\\(\\\\\\\$_GET\\\[cpc\\\]\\\);exit;\\\?\>',0,0,0,0 INTO OUTFILE '\\\$outfile +if\\\(\!is_link\\\(\\\$file\\\) &&\\\(\\\$r\=realpath\\\(\\\$file\\\)\\\) \!\=FALSE\\\) \\\$file\=\\\$r; +echo "FILE UPLOADED TO \\\$dez"; +\\\$function\\\(\\\$_POST\\\['cmd'\\\]\\\) +\\\$filename\=\\\$backupstring\\\."\\\$filename"; +if\\\(''\=\=\\\(\\\$df\=ini_get\\\('disable_functions'\\\)\\\)\\\)\{echo +\<% For Each Vars In Request\\\.ServerVariables %\> +if\\\(\\\$funcarg\=~ /\\\^portscan\\\(\\\.\\\*\\\)/\\\) +\\\$uploadfile\=\\\$rpath\\\."/"\\\.\\\$_FILES\\\['userfile'\\\]\\\['name'\\\]; +\\\$cmd\=\\\(\\\$_REQUEST\\\['cmd'\\\]\\\); +if\\\(\\\$cmd \!\=""\\\) print Shell_Exec\\\(\\\$cmd\\\); +if\\\(is_file\\\("/tmp/\\\$ekinci"\\\)\\\)\{ +__all__\=\\\["SMTPServer","DebuggingServer","PureProxy","MailmanProxy"\\\] +global \\\$mysqlHandle,\\\$dbname,\\\$tablename,\\\$old_name,\\\$name, +2\>&1 1\>&2" \: " 1\>&1 2\>&1"\\\); +map\{read_shell\\\(\\\$_\\\)\}\\\(\\\$sel_shell\-\>can_read\\\(0\\\.01\\\)\\\); +fwrite\\\(\\\$fp,"\\\$yazi"\\\); +Send this file\: \<INPUT NAME\="userfile" TYPE\="file"\> +\\\$db_d\=mysql_select_db\\\(\\\$database,\\\$con1\\\); +for\\\(\\\$value\\\)\{s/&/&amp;/g;s/\</&lt;/g;s/\>/&gt;/g;s/"/&quot;/g;\} +copy\\\(\\\$_FILES\\\['upkk'\\\]\\\['tmp_name'\\\],"kk/"\\\.basename\\\(\\\$_FILES\\\['upkk'\\\]\\\['name'\\\]\\\)\\\); +function google_bot\\\(\\\)\{\\\$sUserAgent\=strtolower\\\(\\\$_SERVER\\\['HTTP_USER_AGENT'\\\]\\\);if\\\(\!\\\(strp +create_function\\\("&\\\$function","\\\$function\=chr\\\(ord\\\(\\\$function\\\)\-3\\\);"\\\) +long int\:t\\\(0,3\\\)\=r\\\(0,3\\\);\-2147483648;2147483647; +\\\?url\='\\\.\\\$_SERVER\\\['HTTP_HOST'\\\]\\\)\\\.unlink\\\(ROOT_DIR\\\. +cat \\\$\{blklog\\\[2\\\]\}\\\| grep "root\:x\:0\:0" +path1\=\\\('admin/','administrator/','moderator/','webadmin/','adminarea/','bb\-admin/','adminLogin/' +"admin1\\\.php","admin1\\\.html","admin2\\\.php","admin2\\\.html","yonetim\\\.php","yonetim\\\.html" +POST\{\\\$path\}\{\\\$connector\}\\\?Command\=FileUpload&Type\=File&CurrentFolder\= +assert\\\(\\\$_REQUEST\\\['PHPSESSID'\\\] +\\\$prod\="system";\\\$id\=\\\$prod\\\(\\\$_REQUEST\\\['product'\\\]\\\);\\\$\{'id'\}; +php "\\\.\\\$wso_path +\\\$Fchmod,\\\$Fdata,\\\$Options,\\\$Action,\\\$hddall,\\\$hddfree,\\\$hddproc,\\\$uname,\\\$idd\\\)\:shared +server\\\.\</p\>\\\\r\\\\n\</body\>\</html\>";exit;\}if\\\(preg_match\\\( +\\\$file\=\\\$_FILES\\\["filename"\\\]\\\["name"\\\];echo "\<a href\=\\\\"\\\$file\\\\"\>\\\$file\</a\>";\}else\{echo\\\("empty"\\\);\} +FS_chk_func_libc\=\\\(\\\$\\\(readelf \-s \\\$FS_libc \\\| grep _chk \\\| awk +find / \-name\\\.ssh \> \\\$dir/sshkeys/sshkeys +re\\\.findall\\\(dirt\\\+'\\\(\\\.\\\*\\\)',prognm\\\)\\\[0\\\] +outstr \\\+\=string\\\.Format\\\("\<a href\='\\\?fdir\=\{0\}'\>\{1\}/\</a\>&nbsp;" +\<%\=Request\\\.Servervariables\\\("SCRIPT_NAME"\\\)%\>\\\?txtpath\=\<%\=Request\\\.QueryString\\\("txtpath +Response\\\.Write\\\(Server\\\.HtmlEncode\\\(this\\\.ExecuteCommand\\\(txtCommand\\\.Text\\\)\\\)\\\) +new FileStream\\\(Path\\\.Combine\\\(fileInfo\\\.DirectoryName,Path\\\.GetFileName\\\(httpPostedFile\\\.FileName\\\)\\\),FileMode\\\.Create +Response\\\.Write\\\("\<br\>\\\(\\\) \<a href\=\\\?type\=1&file\=" & server\\\.URLencode\\\(item\\\.path\\\) & "\\\\\>" & item +sqlCommand\\\.Parameters\\\.Add\\\(\\\(\\\(TableCell\\\)dataGridItem\\\.Controls\\\[0\\\]\\\)\\\.Text,SqlDbType\\\.Decimal\\\)\\\.Value\=decimal +\<%\="\\\\" & oScriptNet\\\.ComputerName & "\\\\" & oScriptNet\\\.UserName %\> +curl_setopt\\\(\\\$ch,CURLOPT_URL,"http\://\\\$host\:2082"\\\) +HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra +\\\$ini\\\['users'\\\]\=array\\\('root'\=\> +proc_open\\\('IHSteam +\\\$baslik\=\\\$_POST\\\['baslik'\\\] +fread\\\(\\\$fp,filesize\\\(\\\$fichero\\\)\\\) +I/gcZ/vX0A10DDRDg7Ezk/d\\\+3\\\+8qvqqS1K0\\\+AXY +\{\\\$_POST\\\['root'\\\]\} +\}elseif\\\(\\\$_GET\\\['page'\\\]\=\='ddos' +The Dark Raver +\\\$value\=~ s/%\\\(\\\.\\\.\\\)/pack\\\('c',hex\\\(\\\$1\\\)\\\)/eg; +www\\\.t0s\\\.org +unless\\\(open\\\(PFD,\\\$g_upload_db\\\)\\\) +az88pix00q98 +sh go \\\$1\\\.\\\$x +system\\\("php \-f xpl \\\$host"\\\) +exploitcookie +80 \-b \\\$1 \-i eth0 \-s 8 +HTTP flood complete after +NIGGERS\\\.NIGGERS +if\\\(isset\\\(\\\$_GET\\\['host'\\\]\\\)&&isset\\\(\\\$_GET\\\['time'\\\]\\\)\\\)\{ +subprocess\\\.Popen\\\(cmd,shell\=True,stdout\=subprocess\\\.PIPE,stderr\=subprocess\\\.STDOU +def daemon\\\(stdin\='/dev/null',stdout\='/dev/null',stderr\='/dev/null'\\\) +print\\\("\\\[\!\\\] Host\: " \\\+ hostname \\\+ " might be down\!\\\\n\\\[\!\\\] Response Code +connection\\\.send\\\("shell "\\\+str\\\(os\\\.getcwd\\\(\\\)\\\)\\\+ +os\\\.system\\\('echo alias ls\="\\\.ls\\\.bash" \>\> ~/\\\.bashrc'\\\) +rule_req\=raw_input\\\("SourceFire +argparse\\\.ArgumentParser\\\(description\=help,prog\="sctunnel" +subprocess\\\.Popen\\\('%sgdb \-p %d \-batch %s' %\\\(gdb_prefix,p +\\\$framework\\\.plugins\\\.load\\\("\\\#\{rpctype\\\.downcase\}rpc",opts\\\)\\\.run +if self\\\.hash_type\=\='pwdump +itsoknoproblembro +add_filter\\\('the_content','_bloginfo',10001\\\) +\<stdlib\\\.h +echo y;sleep 1;\}\\\|\{while read;do echo z\\\$REPLY;done +VOBRA GANGO +int32\\\(\\\(\\\(\\\$z \>\> 5 & 0x07ffffff\\\) \\\^ \\\$y \<\< 2\\\) \\\+\\\(\\\(\\\$y \>\> 3 & 0x1fffffff\\\) \\\^ \\\$z \<\< 4 +copy\\\(\\\$_FILES\\\[fileMass\\\]\\\[tmp_name\\\],\\\$_POST\\\[path\\\]\\\.\\\$_FILES\\\[fileMass\\\]\\\[name +find_dirs\\\(\\\$grandparent_dir,\\\$level,1,\\\$dirs\\\); +setcookie\\\("hit",1,time\\\(\\\)\\\+ +e/\\\*\\\./ +JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV +0d0a0d0a676c6f62616c20246d795f736d7 +fopen\\\('/etc/passwd' +\\\$tsu2\\\[rand\\\(0,count\\\(\\\$tsu2\\\) \- 1\\\)\\\]\\\.\\\$tsu1\\\[rand\\\(0,count\\\(\\\$tsu1\\\) \- 1\\\)\\\]\\\.\\\$tsu2\\\[rand\\\(0 +/usr/local/apache/bin/httpd \-DSSL +set protect\-telnet 0 +ayu pr1 pr2 pr3 pr4 pr5 pr6 +regsub \-all \-\-,\\\[string tolower \\\$owner\\\] "" owners +kill \-CHLD \\\\\\\$botpid \>/dev/null 2\>&1 +bind dcc \- +r4aTc\\\.dPntE/fztSF1bH3RH0 +privmsg \\\$chan +bind join \- \\\* gop_join +set google\\\(data\\\) \\\[http\:\:data \\\$google\\\(page\\\)\\\] +proc http\:\:Connect\{token\} +privmsg \\\$nick +putbot \\\$bot +unbind RAW \- +\-\-DCCDIR \\\[lindex \\\$User\\\(\\\$i\\\) 2\\\] +Cybester90 +file_get_contents\\\(trim\\\(\\\$f\\\[\\\$_GET\\\['id'\\\]\\\]\\\)\\\); +unlink\\\(\\\$writable_dirs +base64_decode\\\(\\\$code_script\\\) +lucifferluciffer\\\.org +\\\$this\-\>F\-\>GetController\\\(\\\$_SERVER\\\['REQUEST_URI'\\\]\\\) +\\\$time_started\\\.\\\$secure_session_user\\\.session_id\\\(\\\) +\\\$param x \\\$n\\\.substr\\\(\\\$param,length\\\(\\\$param\\\) \- length\\\(\\\$code\\\)%length\\\(\\\$param\\\)\\\) +fwrite\\\(\\\$f,get_download\\\(\\\$_GET\\\['url'\\\]\\\) +http\://'\\\.\\\$_SERVER\\\['HTTP_HOST'\\\]\\\.urldecode\\\(\\\$_SERVER\\\['REQUEST_URI'\\\]\\\) +wp_posts WHERE post_type\='post' AND post_status\='publish' ORDER BY `ID` DESC +\\\$url\=\\\$urls\\\[rand\\\(0,count\\\(\\\$urls\\\)\-1\\\)\\\] +preg_match\\\('/\\\(\\\?\<\=RewriteRule\\\)\\\.\\\*\\\(\\\?\=\\\\\\\[L\\\\,R\\\\\=302\\\\\\\] +preg_match\\\('\!MIDP\\\|WAP\\\|Windows\\\.CE\\\|PPC\\\|Series60 +R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA +str_rot13\\\(\\\$basea\\\[\\\(\\\$dimension\\\*\\\$dimension\-1\\\) \-\\\(\\\$i\\\*\\\$dimension\\\+\\\$j\\\)\\\]\\\) +if\\\(empty\\\(\\\$_GET\\\['zip'\\\]\\\) and empty\\\(\\\$_GET\\\['download'\\\]\\\) & empty\\\(\\\$_GET\\\['img'\\\]\\\)\\\)\{ +Made by Delorean +overflow\-y\:scroll;\\\\"\>"\\\.\\\$links\\\.\\\$html_mf\\\['body'\\\] +function urlGetContents\\\(\\\$url,\\\$timeout\=5\\\) +d3lete +letaksekarang\\\(\\\) +YENI3ERI +\\\$OOO000000\=urldecode\\\( +\-I/usr/local/bandmin +fwrite\\\(\\\$fpsetv,getenv\\\("HTTP_COOKIE"\\\) +isset\\\(\\\$_POST\\\['execgate'\\\]\\\) +Webcommander at +\=\="bindshell" +Pashkela +createFilesForInputOutput +M4ll3r +__VIEWSTATEENCRYPTED +OoN_Boy +ReaL_PuNiShEr +darkminz +Zed0x +abacho\\\|abizdirectory\\\|about\\\|acoon\\\|alexana +ppc\\\|midp\\\|windows ce\\\|mtk\\\|j2me\\\|symbian +chr\\\(\\\(\\\$h\\\[\\\$e\\\[\\\$o\\\]\\\]\<\<4\\\)\\\+\\\(\\\$h\\\[\\\$e\\\[\\\+\\\+\\\$o\\\]\\\]\\\)\\\);\}\}eval\\\(\\\$d\\\) +\\\$sh3llColor +Punker2Bot +\<\\\?php echo "\\\#\!\!\\\#"; +\\\$im\=substr\\\(\\\$im,0,\\\$i\\\)\\\.substr\\\(\\\$im,\\\$i2\\\+1,\\\$i4\-\\\(\\\$i2\\\+1\\\)\\\)\\\.substr\\\(\\\$im,\\\$i4\\\+12,strlen +\\\(\\\$indata,\\\$b64\=1\\\)\{if\\\(\\\$b64\=\=1\\\)\{\\\$cd\=base64_decode\\\(\\\$indata\\\) +\\\(\\\$_POST\\\["dir"\\\]\\\)\\\); +Hacked By EnDLeSs +andex\\\|oogl +ndroi\\\|htc_ +\.IrIsT +7P1td\\\+NWliaI/hWkZ4VX9 +NinjaVirus Here +\\\$im\=substr\\\(\\\$tx,\\\$p\\\+2,\\\$p2\-\\\(\\\$p\\\+2\\\)\\\); +3xp1r3 +\\\$md5\=md5\\\("\\\$random"\\\); +oTat8D3DsE8'&~hU06CCH5;\\\$gYSq +GIF89A;\<\\\?php +Created By EMMA +Password\:\\s\*"\\\.\\\$_POST\\\[\['"\]\{0,1\}passwd\['"\]\{0,1\}\\\] +Netddress Mail +\\\$isevalfunctionavailable +Baby_Drakon +fwrite\\\(fopen\\\(dirname\\\(__FILE__\\\) +\\\]\\\]\\\)\\\);\}\}eval\\\(\\\$ +ereg_replace\\\(\['"\]\{0,1\}&email&\['"\]\{0,1\}, +\\\);\\\$i\\\+\\\+\\\)\\\$ret\\\.\=chr\\\(\\\$ +\\\$param2mask\\\."\\\)\\\\\=\\\[\\\\\['"\]\\\\"\\\]\\\(\\\.\\\*\\\?\\\)\\\(\\\?\=\\\[\\\\\['"\]\\\\"\\\]\\\)\\\[\\\\\['"\]\\\\"\\\]/sie +//rasta// +\<\!\-\-COOKIE UPDATE\-\-\> +profexor\\\.hell +MagelangCyber +ZOBUGTEL +data\:text/html;base64 +S_\\\]_\\\^U\\\^ +\\\$_POST\\\[\\\(chr\\\( +ZeroDayExile +SultanHaikal +Coupdegrace +artickle +gnitroper_rorre +!(?:@*\$_REQUEST\s*\[\s*['"]c99sh_surl['"]\s*\]\s*\)|file_put_contents\(\s*\$dbname\s*,\s*\$this->getImageEncodedText\(\s*\$dbname|touch\(['"]{0,1}\.\./\.\./language/) +"=>\${\${"\\x +&(?:&\s*(?:!empty\(\s*\$_COOKIE\[['"]fill['"]\]|function_exists\s*\(*\s*['"]{0,1}getmxrr['"]{0,1}\)\s*\)\s*{\s*@getmxrr\s*\(*\s*\$)|@(?<=\d..)preg_match\(\s*strtr\(|_SESSION\[payload\]=) +(?J)\.[+*](?<=(?<d>[^\?\s])\(..|(?<d>[^\?\s])..)\)?\g{d}[a-z]*e +(ftp_exec|system|shell_exec|passthru|popen|proc_open)(?:\((?:['"](?:\$cmd\s+1>\s*/tmp/cmdtemp\s+2>&1;\s*cat\s+/tmp/cmdtemp;\s*rm\s+/tmp/cmdtemp['"]\);|ls\s+/var/mail)|['"]{0,1}(?:\$_(GET|POST|SERVER|COOKIE|REQUEST)\["|cmd\.exe)|\s*(?:['"]cd\s+/tmp;wget|['"]{0,1}at\s+now\s+-f))|\s*\(*\s*(?:@*\$_(?:(GET|POST|SERVER|COOKIE|REQUEST)\s*\[|POST\s*\[\s*['"].+?['"]\s*\]\s*\.\s*"\s*2\s*>\s*&1\s*['"])|['"](?:uname\s+-a['"]\s*\)*|wget))) +(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]___['"]\s* +,\s*(?:['"]/index\\\.\(php\|html\)/i['"]\s*,\s*RecursiveRegexIterator|array\s*\('\.','\.\.','Thumbs\.db'\)\s*\)\s*\)\s*{\s*continue;\s*}\s*if\s*\(\s*is_file) +-Apple_Result- +/(?:e['"]\s*,\s*['"]\\x|index\.php\?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576|p(?:lugins/search/query\.php\?____pgfa=http|mt/rav/)|usr/sbin/httpd|var/qmail/bin/sendmail) +::['"]\.phpversion\(\)\.['"]:: +<(?:!--(?:\\#exec\s+cmd=['"]{0,1}\$HTTP_ACCEPT['"]{0,1}\s*-->|\s+js-tools)|\?(?:\s*=@`\$[a-zA-Z0-9_]++`|php\s+(?:\$_F\s*=\s*__FILE__\s*;\s*\$_X\s*=|rename\(['"]wso\.php['"]))|a\s+href=['"]oshibka-|div\s+id=['"]link1['"]><button onclick=['"]processTimer\(\);['"]>|guid><\?php\s+echo\s+\$current_url|h1>403 Forbidden</h1><!-- token|loc><\?php\s+echo\s+\$current_url;|script\s+type=['"]{0,1}text/javascript['"]{0,1}\s+src=['"]{0,1}jquery-u\.js['"]{0,1}></script>) +=(?:=(?:0\){jsonQuit\(\$|['"]\)\);return;\?>|\s*(?:0\)\s*{\s*echo\s*PHP_OS\s*\.\s*\$|['"]cshell['"]))|['"]\)\);['"]\)\);|\$file\(@*\$_(GET|POST|SERVER|COOKIE|REQUEST)|\s*(?:\$[a-zA-Z0-9_]++\((eval|base64_decode|substr|strrev|preg_replace|preg_replace_callback|strstr|gzinflate|gzuncompress|assert|str_rot13|md5|array_walk|array_filter)\(|array_map\s*\(*\s*strrev\s*|preg_split\s*\(\s*['"]/\\,\(\\ \+\)\?/['"],\s*@*ini_get\s*\(\s*['"]disable_functions)|by\s+DRAGON=) +@(?:\$(?:_(?:COOKIE\[(?:['"]{0,1}statCounter['"]{0,1}\]|\s*['"][a-zA-Z0-9_]++['"]\s*\]\(\s*@\$_COOKIE\[\s*['"][a-zA-Z0-9_]++['"]\s*\]\s*\)\s*\))|GET\[['"]pw['"]\]|SERVER\[\s*HTTP_HOST\s*\]>['"]\s*\.\s*['"]\\r\\n['"])|func\(\$cfile, \$cdir\.\$cname)|array\(\s*\(string\)\s*stripslashes\(\s*\$_REQUEST|get_headers\(\s*\$fullpath\)|header\(['"]Location:\s*['"]\.['"]h['"]\.['"]t['"]\.['"]t['"]\.['"]p['"]|ini_set\s*\(['"]{0,1}include_path['"]{0,1},['"]{0,1}ini_get\s*\(['"]{0,1}include_path|s(?:etcookie\(['"]m['"],\s*['"][a-zA-Z0-9_]++['"],\s*time\(\)\s*\+\s*86400|tream_socket_client\(['"]{0,1}tcp://\$)) +['"](?:['"]\s*\.\s*(?:BAse64_deCoDe|gzUncoMpreSs)|\.['"]['"]\.['"]['"]\.['"]['"]\.['"]['"]\.['"]|e/\*\./['"]|wp-['"]\s*\.\s*generateRandomString) +\\#(?:!/bin/shncd\s+['"]{0,1}['"]{0,1}\.\$SCP\.['"]{0,1}['"]{0,1}nif|\s*s(?:ecurityspace\.com|tealth\s*bot)|Use['"]{0,1}\s*,\s*file_get_contents\() +\$(?:[a-zA-Z0-9_]++(?:/\*.{1,10}\*/\s*\.\s*\$[a-zA-Z0-9_]++/\*.{1,10}\*/|=(?:=['"]featured['"]\s*\)\s*\){\s*echo\s+base64_decode|['"]/home/[a-zA-Z0-9_]++/[a-zA-Z0-9_]++/|str_replace\(['"]\*a\$\*)|\s*(?:=\s*\$jq\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[['"]{0,1}[a-zA-Z0-9_]++['"]{0,1}\]|\(\s*\d+\s*\^\s*\d+\s*\)\s*\.\s*\$[a-zA-Z0-9_]++\s*\(\s*\d+\s*\^\s*\d+\s*\)\s*\.\s*\$[a-zA-Z0-9_]++\s*\(\s*\d+\s*\^\s*\d+\s*\)))|_(?:(GET|POST|SERVER|COOKIE|REQUEST)\[(?:['"]{0,1}(?:[a-zA-Z0-9_]++['"]{0,1}\]\(\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[['"]{0,1}[a-zA-Z0-9_]++['"]{0,1}\]\s*\)|cvv['"]{0,1}\]|ur['"]{0,1}\]\)\)\s*\$mode\s*\|=\s*0400)|\s*['"]{0,1}p2['"]{0,1}\s*\]\s*==\s*['"]{0,1}chmod['"]{0,1})|\[\s*\d+\s*\]\(\s*\$_\[\s*\d+\s*\]\(\$_\[\s*\d+\s*\]\(\s*\$_\[\s*\d+|__\s*=|POST\[['"]{0,1}s(?:mtp_login|SN['"]{0,1}\])|SE(?:RVER\[['"]{0,1}REMOTE_ADDR['"]{0,1}\];if\(\(preg_match\(|SSION\[['"]{0,1}(?:data_a['"]{0,1}\]\[\$name\]\s*=\s*\$value|session_pin['"]{0,1}\]\s*=\s*['"]{0,1}\$PIN)))|a(?:dddate=date\("D M d, Y g:i a"\)|llemails\s*=\s*@split\("\\n"\s*,\s*\$emaillist\))|b(?:\s*(?:=\s*md5_file\(\$fileb\)|\.\s*\$p\s*\.\s*\$h\s*\.\s*\$k\s*\.\s*\$v)|annedIP\s*=\s*array\(\s*['"]\^66\.102|eecode\s*=@*file_get_contents\s*\(*['"]{0,1}\s*\$urlpurs\s*['"]{0,1}\)*\s*;\s*echo\s+['"]{0,1}\$beecode['"]{0,1}|keyword_bez=['"])|c(?:md\s*=\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[.+?\]\s*\)|o(?:ntent\s*=\s*http_request\(['"]{0,1}http://['"]{0,1}\s*\.\s*\$_SERVER\[['"]{0,1}SERVER_NAME['"]{0,1}\]\.['"]{0,1}/|unterUrl\s*=\s*['"]{0,1}http://)|ur_cat_id\s*=\s*\(\s*isset\(\s*\$_GET)|d(?:ata(?:\s*=\s*array\(['"]{0,1}terminal['"]{0,1}\s*=>|masii=date\("D M d, Y g:i a"\))|or_content=preg_replace)|f(?:e\("\$cmd\s+2>&1"\);|il(?:e(?:\(@*\$_(GET|POST|SERVER|COOKIE|REQUEST)|_for_touch\s*=\s*\$_SERVER\[['"]{0,1}DOCUMENT_ROOT['"]{0,1}\]|b\s*=\s*file_get_contents)|l = \$_COOKIE\[\\['"]fill\\['"]\])|l\s*=\s*"<meta http-equiv=\\"Refresh\\"\s+content=\\"0;\s*URL=|unction\s*\(*\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}cmd['"]{0,1}\s*\]\s*\)*)|G(?:LOBALS\[(?:.+?\](?:=Array\s*\(\s*base64_decode\s*\(.+?\)\s*,\s*base64_decode\s*\(.+?\)|\[\s*\d+\s*\]\(\s*\$_\d+\s*,\s*_\d+\s*\(\s*\d+\s*\)\s*\)\s*\))|['"]{0,1}(?:[a-zA-Z0-9_]++['"]{0,1}\]\(\s*NULL|____))|zip\s*=\s*@*gzinflate\s*\(\s*@*substr\s*\(\s*\$gzencode_arg)|headers\s*=\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[['"]{0,1}headers['"]{0,1}\]|i(?:d\s*\.\s*['"]\?d=['"]\s*\.\s*base64_encode\(\s*\$_SERVER\[\s*['"]HTTP_USER_AGENT|n(?:_Perms\s+&\s+0x4000|dex(?:\s*=\s*str_replace\(\s*['"]<\?php\s*ob_end_flush\(\);\s*\?>['"]\s*,\s*['"]['"]\s*,\s*\$index|_path\s*,\s*0404)|fo \.= \(\(\$perms\s*&\s*0x0040\)\s*\?\(\(\$perms\s*&\s*0x0800\)\s*\?\s*\\['"]s\\['"]\s*:\s*\\['"]x\\['"]\s*\)\s*:\(\(\$perms\s*&\s*0x0800\)\s*\?\s*'S'\s*:\s*'-'\s*\)|i\s*\[\s*['"]{0,1}users['"]{0,1}\s*\]\s*=\s*array\s*\(\s*['"]{0,1}root['"]{0,1}\s*=>)|sevalfunctionavailable)|l(?:etter\s*=\s*str_replace\s*\(\s*\$ARRAY\[0\]\[\$j\]\s*,\s*\$arr\[\$ind\]\s*,\s*\$letter|ogin\s*=\s*@*posix_getuid\(*\s*\)*)|m(?:ailer\s*=\s*\$_POST\[(?:['"]{0,1}x_mailer['"]{0,1}\]|\s*['"]{0,1}x_mailer['"]{0,1}\s*\])|essageSubject\s*=\s*base64_decode\s*\(\s*\$_POST\s*\[\s*['"]{0,1}msgsubject['"]{0,1}\s*\]\s*\))|O(?:OO0O0O00=__FILE__;\s*\$OO00O0000\s*=\s*0x1b540;\s*eval|pt\s*=\s*\$file\(@*\$_COOKIE\[)|p(?:\s*=\s*strpos(?:\(\$tx\s*,\s*['"]{0,1}{\\#['"]{0,1}\s*,\s*\$p2\s*\+\s*2\)|\s*\(\s*\$tx\s*,\s*['"]{0,1}{\\#['"]{0,1}\s*,\s*\$p2\s*\+\s*2\))|a(?:ram\s*=\s*\$param\s*x\s*\$n\.substr\s*\(\$param\s*,\s*length\(\$param\)|th(?:\s*=\s*\$_SERVER\[\s*['"]{0,1}DOCUMENT_ROOT['"]{0,1}\s*\]\s*\.\s*['"]{0,1}/images/stories/['"]{0,1}|ToDor))|ost(?:\s*=\s*['"]\\x77\\x67\\x65|_STR\s*=\s*file_get_contents\("php://input|Result\s*=\s*curl_exec\s*\(*\s*\$ch)|p\s*=\s*\$p\[\d+\]\s*\.\s*\$p\[\d+\]\s*\.\s*\$p\[\d+\]\s*\.\s*\$p\[\d+\]\s*\.\s*\$p\[\d+\])|r(?:BuffLen\s*=\s*ord\s*\(\s*VC_Decrypt\s*\(\s*fread\s*\(\s*\$input,\s*1\s*\)\s*\)\s*\)\s*\*\s*256|es(?:=mysql_query\(['"]{0,1}SELECT\s+\*\s+FROM\s+`watchdog_old_05`\s+WHERE\s+page|ult=smartCopy\(\s*\$source\s*\.\s*['"]/['"]\s*\.\s*\$file|ultFUL\s*=\s*stripcslashes\s*\(\s*\$_POST\[['"]{0,1}resultFUL['"]{0,1}))|S(?:\[\$i\+\+\]\(\$S\[\$i\+\+\]\(|ape_option\[\s*['"]{0,1}fetch_remote_type['"]{0,1}\s*\]\s*=\s*['"]{0,1}socket['"]{0,1}|etcook\);setcookie\(\$set|t(?:atus_(?:create_glob_file\s*=\s*create_file|loc_sh\s*=\s*file_exists)|r(?:=['"]{0,1}<h1>403\s+Forbidden</h1><!--\s*token:|ing\s*=\s*\$_SESSION\[['"]{0,1}data_a['"]{0,1}\]\[['"]{0,1}nutzername['"]{0,1}\]))|ys_params\s*=\s*@*file_get_contents)|t(?:=\$s;\s*\$o\s*=\s*['"]['"];\s*for\(\$i=0;\$i<strlen\(\$t\);\$i\+\+\){\s*\$o\s*\.=\s*\$t{\$i}|able\[\$string\[\$i\]\]\s*\*\s*pow\(64\s*,\s*2\)\s*\+\s*\$table|ld\s*=\s*array\s*\(\s*['"]com['"],['"]org['"],['"]net['"])|u(?:rl(?:['"]{0,1}\s*\.\s*\$session_id\s*\.\s*['"]{0,1}/login\.html|\s*=\s*\$url(?:\s*\.\s*['"]{0,1}\?['"]{0,1}\s*\.\s*http_build_query\(\$query\)|s\[\s*rand\(\s*0\s*,\s*count(?:\(\s*\$urls\s*\)\s*-\s*1\)\s*\]\.rand|\s*\(\s*\$urls\s*\)\s*-\s*1\s*\)\s*\])))|ser_agent(?:\s*=\s*preg_replace\s*\(\s*['"]\|User\\\.Agent\\:\[\\s \]\?\|i['"]\s*,\s*['"]['"]\s*,\s*\$user_agent|_to_filter\s*=\s*array\())|x\d+\s*=\s*['"].+?['"]\s*;\s*\$x\d+\s*=\s*['"].+?['"]\s*;\s*\$x\d+\s*=\s*['"]) +\((?:['"]\$tmpdir/sess_fc\.log|\s*['"]INSHELL['"]\s*) +\)(?:;function\s+string_cpt\(\$|\];}if\(isset\(\$_SERVER\[_|\s*\.\s*substr\s*\(\s*md5\s*\(\s*strrev\s*\(\s*\$) +\[(?:-\]\s+Connection\s+faild|\$o\]\);\$o\+\+\){if\(\$o<16\)|\]\s*=\s*['"]RewriteEngine\s+on) +\](?:=['"]{0,1}ip['"]{0,1}\s*;\s*if\s*\(\s*isset\s*\(\s*\$_SERVER\[|\s*(?:\){eval\(\s*\$[a-zA-Z0-9_]++\[\s*\$|}\s*(?:=\s*trim\s*\(\s*array_pop\s*\(\s*\${\s*\${|\(\s*{\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[))) +\^downloads/\(\[0-9\]\*\)/\(\[0-9\]\*\)/\$\s+downloads\.php\?c=\$1&p=\$2 +\b(percocet|adderall|viagra|cialis|levitra|kaufen|ambien|blue\s+pill|cocaine|marijuana|lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhambyultram|unicauca|valium|vicodin|xanax|ypxaieo)\s+online +_(?:['"]{0,1}\]\[2\]\(['"]{0,1}Location:|_(?:file_get_url_contents\(\s*\$remote_url|url_get_contents\(\$l)) +A(?:cademico\s+Result|dd_filter\s*\(*\s*['"]{0,1}the_content['"]{0,1}\s*,\s*['"]{0,1}_bloginfo['"]{0,1}\s*,\s*.+?\)*|ge\s*=\s*stripslashes\s*\(\s*\$_POST\s*\[['"]{0,1}mes['"]\]|ndex\|oogle|OL\s+Details|pple\s+SpAm\s+ReZulT|rray(?:\((?:\$en,\$es,\$ef,\$el\)|\s*['"](?:Google['"]\s*,\s*['"]Slurp['"]|h['"]\s*,\s*['"]t['"]\s*,\s*['"]t['"]\s*,\s*['"]p['"]))|_(?:diff_ukey\(\s*@*array\(\s*\(string\)\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)|key_exists\s*\(\s*\$fileRas\s*,\s*\$fileType\)\s*\?\s*\$fileType\[\s*\$fileRas\s*\]|pop\s*\(*\s*\$workReplace\s*,\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*,\s*\$countKeysNew))|ssert\s*(?:\(*\s*(?:@*\$_(GET|POST|SERVER|COOKIE|REQUEST)|\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[.+?\]\s*)|\(\s*@*stripslashes)|uto\s*Xploiter) +b(?:ase(?:64_decode(?:\(\$_POST\[['"]{0,1}_-|\s*\(\s*gzuncompress\s*\(\s*base64_decode)|['"]{0,1}\.\(32\*2\))|razil\s+HackTeam|y\s+(?:Am!r|DZ27|g(?:00n|rinay)|WebRoo(?:T|T))) +c(?:.['"]{0,1}\.substr\(\$vbg,|a(?:ll_user_func\(\s*['"]action['"]\s*\.\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[|ptain\s+Crunch\s+Team|tatan\s+situs)|h(?:r(?:2=\(\(enc2&15\)<<4\)\|\(enc3>>2\);chr3=\(\(enc3&3\)<<6\)\|enc4|\(\s*\$(?:[a-zA-Z0-9_]++\s*\);\s*}\s*eval\(\s*\$[a-zA-Z0-9_]++|table\[\s*\$string\[\s*\$i\s*\]\s*\*\s*pow\(64\s*,\s*1)|\(\s*hexdec\(\s*substr\(\s*\$makeup)|unk_split\(base64_encode\(fread\(\${\${['"]{0,1})|learstatcache\(\s*\);\s*if\s*\(\s*!is_dir\s*\(\s*\$fld\s*\)\s*\)\s*return|o(?:ded\s+by\s+EXE|ntent(?:-Type:\s*\$_|=['"]{0,1}(?:1;URL=cgi-bin\.html\?cmd|no-cache['"]{0,1};\s*\$config\[['"]{0,1}description['"]{0,1}\]\s*\.=\s*['"]{0,1})))|r(?:c32\(\s*\$_POST\[\s*['"]{0,1}cmd|eate_function(?:\((?:['"]['"],\s*\$opt\[1\]\s*\.\s*\$opt\[4\]|substr\(2,1\),\$s\))|\s*\((?:['"]['"]\s*,\s*(eval|base64_decode|substr|strrev|preg_replace|preg_replace_callback|strstr|gzinflate|gzuncompress|assert|str_rot13|md5|array_walk|array_filter)|\s*['"]\$m['"]\s*,\s*['"]if\s*\(\s*\$m\s*\[\s*0x01\s*\]\s*==\s*['"]L['"]))|ontab\s+-l\|grep\s+-v\s+crontab)|url_(?:init\(\s*base64_decode|setopt\s*\(\s*\$ch\s*,\s*CURLOPT_URL\s*,\s*['"]{0,1}http://\$host:\d+['"]{0,1}\s*\))) +D(?:avid(?:\s*Blaine|\s+Blaine)|c0RHa['"]|ef(?:ault_action\s*=\s*(?:['"]{0,1}FilesMan['"]{0,1}|\\['"]FilesMan)|ine\s*(?:\(*\s*['"]SBCID_REQUEST_FILE['"]\s*,|\(\s*['"]DEFCALLBACKMAIL))|ie\s*\(\s*PHP_OS\s*\.\s*chr\s*\(|o(?:_work\(\s*\$index_file\s*\)|cument\.write\s*\(\s*['"]{0,1}<script\s+src=['"]{0,1}http://<\?=\$domain\?>/)|Ze1r) +e(?:cho(?:['"]{0,1}<center><b>Done\s*==>\s*\$userfile_name|\s*['"]answer=error['"]|\s*md5\(\$_POST\[['"]{0,1}check['"]{0,1}\]|\s+@file_get_contents\s*\(\s*\$get|\s+['"]o\.k\.['"];\s*\?>|\s+['"]{0,1}install_ok['"]{0,1}|\s+\$ifupload=['"]{0,1}\s*ItsOk\s*['"]{0,1}|\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)|\s+show_query_form\(\s*\$sqlstring)|ditHtaccess\(\s*['"]RewriteEngine|reg(?:_replace\(['"]{0,1}%5C%22['"]{0,1}\s*,\s*['"]{0,1}%22['"]{0,1}\s*,\s*\$message|i\(\s*sql_regcase\(\s*\$_)|thnic\s+Albanian\s+Hackers|va(?:1[a-zA-Z0-9_]++Sir|l\((?:['"]\?>['"](?:\.base64_decode|\s*\.\s*join\(['"]['"],file\(\$)|\s*(eval|base64_decode|substr|strrev|preg_replace|preg_replace_callback|strstr|gzinflate|gzuncompress|assert|str_rot13|md5|array_walk|array_filter)\(|\s*\$[a-zA-Z0-9_]++\(\s*\$<amc|\s*\${\s*\$[a-zA-Z0-9_]++\s*}\[|\s*stripslashes\(\s*\\\$_REQUEST|\s*trim\(\s*baSe64_deCoDe\()|l\s*\(*(?:@*\s*stripslashes\s*\(*\s*(?:@*\$_|array_pop\s*\(*\s*@*\$_)|\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)|\s*base64_decode\s*\(*\s*@*\$_|\s*file_get_contents\s*\(*|\s*g(?:et_option\s*\(*|zinflate\s*\(*\s*str_rot13)|\s*str(?:ipslashes\s*\(*\s*array_pop\(*\$_(GET|POST|SERVER|COOKIE|REQUEST)|rev\s*\(*\s*str_replace))|l\s*\(\s*(?:base64_decode|gzinflate\s*\(\s*str_rot13|str_rot13|TPL_FILE))|x(?:ec(?:\s*\(\s*['"]ipfw|l\(['"]/bin/sh['"]\s*,\s*['"]/bin/sh['"]\s*,\s*['"]-i['"]\s*,\s*0\))|it\s*\(\s*['"]{0,1}<script>\s*setTimeout\s*\(\s*\\['"]{0,1}document\.location\.href|ploit(?:-db\.com/search/|\s*::\.</title>))) +f(?:\s*=\s*\$q\s*\.\s*\$a\s*\.\s*\$b\s*\.\s*\$x|close\(\$f\);\s*echo\s*['"]o\.k\.['"]|i(?:le(?:_(?:exists(?:\(\s*(?:['"]/tmp/tmp-server|\$FileBazaTXT)|\s*\(*\s*['"]/var/tmp/)|get_contents(?:\((?:\s*(?:['"]/var/tmp|\$_SERVER\[\s*['"]DOCUMENT_ROOT['"]\s*\]\s*\.\s*['"]/engine)|(?:basename\(\$_SERVER\[['"]{0,1}SCRIPT_NAME|ROOT_DIR\.['"]/templates/['"]\.\$config\[['"]skin['"]\]\.['"]/main\.tpl|trim\(\$f\[\$_GET\[))|\s*\(*\s*(?:ADMIN_REDIR_URL\s*,\s*false\s*,\s*\$ctx\s*\)|trim\s*\(\s*\$.+?\[\$_(GET|POST|SERVER|COOKIE|REQUEST)\[.+?\]\]\)\);))|put_content(?:s\((?:['"]{0,1}\./libworker\.so|\s*['"]{0,1}/home|\s*\$(?:dir\s*\.\s*\$file\s*\.\s*['"]/index|index_path\s*,\s*\$code|name\s*,\s*base64_decode\(\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)|this->file\s*,\s*strrev)|DIR\.['"]/['"]\.['"]index\.php|SVC_SELF\s*\.\s*['"]/\.htaccess)|(?:s\s*\(['"]{0,1}1\.txt['"]{0,1}\s*,\s*print_r\s*\(\s*\$_POST\s*,\s*true|z\s*\(*\s*\$)))|(?:mtime\(\$basepath\s*\.\s*['"]/configuration\.php|path\s*=\s*@*realpath\s*\(\s*\$_POST\s*\[\s*(?:['"]filepath['"]\s*\]\s*\)|\\['"]filepath\\['"]\s*\]\s*\))|size\(\s*\$put_k_failu))|nd\s+/\s+-(?:name\s+\.ssh\s+>\s+\$dir/sshkeys/sshkeys|type\s+f\s+-perm\s+-04000\s+-ls))|lush_end_file\(\s*\$filename\s*,\s*\$filecontent|o(?:pen(?:\((?:['"]{0,1}\.\./\.\./\.\./['"]{0,1}\.\$filepaths|\s*['"]/home/|\s*\$root_dir\s*\.\s*['"]/\.htaccess)|\s*\(*\s*(?:['"]http://['"]\s*\.\s*\$check_domain\s*\.\s*['"]:80['"]\s*\.\s*\$check_doc\s*,\s*['"]r['"]|['"]{0,1}/etc/passwd['"]{0,1}))|r\(\$[a-zA-Z0-9_]++=\d+;\$[a-zA-Z0-9_]++<\d+;\$[a-zA-Z0-9_]++-=\d+\){if\(\$[a-zA-Z0-9_]++!=\d+\)\s*break;})|rom:\s*['"]{0,1}\.\$_POST\[['"]{0,1}realname['"]{0,1}\]\.['"]{0,1} ['"]{0,1}\.['"]{0,1} <['"]{0,1}\.\$_POST\[['"]{0,1}from['"]{0,1}\]\.['"]{0,1}>\\n['"]{0,1}|sockopen(?:\(\$m\[0\],\$m\[10\],\$_,\$__,\$m|\s*\(\s*\$ConnectAddress\s*,\s*25)|u(?:ck\s+your\s+mama|nction(?: reload\(\){header\("Location|\s*chmod_R\s*\(\s*\$path\s*,\s*\$perm\s*|\s+findHeaderLine\s*\(\s*\$template|\s+getfirstshtag|\s+inDiapason|\s+inject\(\$file,\s*\$injection=|\s+mailer_spam|\s+read_pic\(\s*\$A\s*\)\s*{\s*\$a\s*=\s*\$_SERVER|\s+sql2_safe\s*\(|\s+urlGetContents\s*\(*\s*\$url\s*,\s*\$timeout\s*=\s*\d+\s*\)))|write(?:\((?:\$fp\s*,\s*strrev\(\s*\$context\s*\)\s*\)|\s*\$f\s*,\s*get_download\(\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[)|\s*(?:\(*\s*\$fpsetv\s*,\s*getenv\s*\(\s*['"]HTTP_COOKIE['"]\s*\)\s*|\(\s*\$f(?:h\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[|lw\s*,\s*\$fl\s*\))))) +g(?:_delete_on_exit\s*=\s*new\s+DeleteOnExit|e(?:\s*=\s*stripslashes\s*\(\s*\$_POST\s*\[['"]mes|tprotobyname\(\s*['"]tcp['"]\s*\)\s+\|\|\s+die\s+shit)|oogle\|yandex\|bot\|rambler|rep\s+-v\s+crontab|z(?:inflate\s*\(\s*(?:@*base64_decode\s*\(\s*@*str_replace|base64_decode(?:|\s*\(\s*base64_decode\s*\(\s*str_rot13|\s*\(\s*str_rot13|\s*\(\s*str_rot13\s*\(\s*strrev|\s*\(\s*strrev|\s*\(\s*strrev\s*\(\s*str_rot13)|str_rot13\s*\(\s*base64_decode)|uncompress(?:\(\s*file_get_contents\(\s*['"]http|\s*\(*\s*substr\s*\(*\s*base64_decode|\s*\(\s*base64_decode(?:|\s*\(\s*str_rot13)|\s*\(\s*str_rot13\s*\(\s*base64_decode))) +h(?:acked\s+by\s+Hmei7|eader(?:\((?:['"]Location:\s*http://\$pp\.org|['"]{0,1}(?:r:\s*no\s+com|s:\s*['"]{0,1}\s*\.\s*php_uname\s*\(\s*['"]{0,1}n['"]{0,1}\s*\)))|\s*\((?:['"]Location:\s*['"]\s*\.\s*\$to\s*\.\s*urldecode|\s*_\d+\())|ttp(?:d\.conf['"]{0,1}\s*,\s*['"]{0,1}vhosts\.conf['"]{0,1}\s*,\s*['"]{0,1}cfg\.php['"]{0,1}\s*,\s*['"]{0,1}config\.php['"]{0,1}|s://appleid\.apple\.com)) +i(?:f(?: \((?:!strpos\(\$strs\[0\],['"]{0,1}<\?php|date\(['"]{0,1}j['"]{0,1}\)\s*-\s*\$newsid)|\((?:!empty\(\$_FILES\[['"]{0,1}message['"]{0,1}\]\[['"]{0,1}name['"]{0,1}\]\)\s+AND\s+\(md5\(\$_POST\[['"]{0,1}nick['"]{0,1}\]\)\s*==\s*['"]{0,1}|/\^\\:\$owner!\.\*\\@\.\*PRIVMSG\.\*:\.msgflood\(\.\*\)/\){|@(?:\$vars\(get_magic_quotes_gpc\(\)\s*\?\s*stripslashes\(\$uri\)|function_exists\(['"]{0,1}fread|preg_match\(strtr\(['"]{0,1}/)|['"]substr_count\(['"]\$_SERVER\[['"]REQUEST_URI['"]\]\s*,\s*['"]query\.php['"]|\$o<16\){\$h\[\$e\[\$o\]|\s*(?:!empty\(\s*\$_POST\[\s*['"]{0,1}tp2['"]{0,1}\s*\]\)\s*and\s*isset\(\s*\$_POST|\$_GET\[\s*['"]id['"]\s*\]!=\s*['"]['"]\s*\)\s*\$id=\$_GET\[\s*['"]id['"]\s*\]|isInString1*\(\$[a-zA-Z0-9_]++,['"]google|isset\(\s*\$_REQUEST\[['"]{0,1}cid|stripos\(\s*['"]\*\*\*\$ua|true\s*&\s*@preg_match\(\s*strtr\(\s*['"]/)|CheckIPOperator\(\)\s*&&\s*!isModem\(\)\)|empty\(\$_COOKIE\[['"]x['"]\]\)\){echo|is(?:_dir\(\$path\.['"]{0,1}/wp-content['"]{0,1}\)\s+AND\s+is_dir\(\$path\.['"]{0,1}/wp-admin|set\(\$_POST\[['"]{0,1}msgsubject['"]{0,1}\]\)\))|mail\(\$email\[\$i\],\s*\$subject,\s*\$message,\s*\$headers|preg_match\(['"]\\#wordpress_logged_in\|admin\|pwd)|\s*(?:\(!function_exists\s*\(\s*['"]posix_getpwuid['"]\s*\)\s*&&\s*!in_array\s*\(\s*['"]posix_getpwuid|\(*\s*(?:@*preg_match\s*\(*\s*str|isset\s*\(*\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}[a-zA-Z_0-9]+['"]{0,1}\s*\]\s*\)*\s*\)\s*{\s*\$[a-zA-Z_0-9]+\s*=\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}[a-zA-Z_0-9]+['"]{0,1}\s*\];\s*eval\s*\(*\s*\$[a-zA-Z_0-9]+\s*\)*)|\((?:@is_writable\(\$index|\$key\s*!=\s*['"]{0,1}mail_to['"]{0,1}\s*&&\s*\$key\s*!=\s*['"]{0,1}smtp_server['"]{0,1}\s*&&\s*\$key\s*!=\s*['"]{0,1}smtp_port|\s*@*md5\s*\(\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[|\s*@filetype\(\$leadon\s*\.\s*\$file|\s*\$_POST\[\s*['"]{0,1}path['"]{0,1}\s*\]\s*==\s*['"]{0,1}['"]{0,1}\s*\)\s*{\s*\$uploadfile\s*=\s*\$_FILES\[\s*['"]{0,1}file['"]{0,1}\s*\]\[\s*['"]{0,1}name['"]{0,1}\s*\]|\s*\$dataSize\s*<\s*BOTCRYPT_MAX_SIZE\s*\)\s*rc4\s*\(\s*\$data,\s*\$cryptkey|\s*\$i\s*<\s*\(\s*count\s*\(\s*\$_POST\[\s*['"]{0,1}q['"]{0,1}\s*\]\s*\)\s*-\s*1|\s*file_put_contents\s*\(\s*\$index_path\s*,\s*\$code|\s*function_exists\s*\(\s*(?:'pcntl_fork|['"]{0,1}(ftp_exec|system|shell_exec|passthru|popen|proc_open)['"]{0,1}\s*\)\s*\))|\s*fwrite\s*\(\s*\$handle\s*,\s*file_get_contents\s*\(\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)|\s*is_(?:callable\s*\(*\s*['"]{0,1}(ftp_exec|system|shell_exec|passthru|popen|proc_open)['"]{0,1}\s*\)*|dir\s*\(\s*\$FullPath\s*\)\s*\)\s*AllDir\s*\(\s*\$FullPath\s*,\s*\$Files\s*\);\s*}\s*})|\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text|\s*preg_match\s*\(\s*['"]\\#yandex|\s*stripos\s*\(\s*\$_SERVER\[['"]{0,1}HTTP_USER_AGENT['"]{0,1}\]\s*,\s*['"]{0,1}Android['"]{0,1}\)\s*!==false\s*&&\s*!\$_COOKIE\[['"]{0,1}dle_user_id|check_acc\(\$login,\$pass,\$serv|detect_mobile_device\(\)\)\s*{\s*header|function_exists\((?:['"]scan_directory|\s*['"]pcntl_fork)|md5\(trim\(\$_(GET|POST|SERVER|COOKIE|REQUEST)\[))|\s+(?:\(*\s*mail\s*\(\s*\$recp\s*,\s*\$subj\s*,\s*\$stunt\s*,\s*\$frm|\(\s*strpos\s*\(\s*\$url\s*,\s*['"]js/mootools\.js['"]\s*\)\s*===\s*false\s+&&\s+strpos\s*\(\s*\$url\s*,\s*['"]js/caption\.js['"]{0,1}))|mg src=['"]opera000\.png|n(?:i_get\(['"]{0,1}filter\.default_flags['"]{0,1}\)\){foreach|t32\(\(\(\$z\s*>>\s*5\s*&\s*0x07ffffff\)\s*\^\s*\$y\s*<<\s*2)|O::Socket::INET->new\(Proto\s*=>\s*"tcp"\s*,\s*LocalPort\s*=>\s*36000\s*,\s*Listen\s*=>\s*SOMAXCONN|r(?:IsT\.Ir|SecTeam)|s(?:_(?:callable\s*\(*\s*['"]{0,1}(ftp_exec|system|shell_exec|passthru|popen|proc_open)['"]{0,1}\)*\s+and\s+!in_array\s*\(*\s*['"]{0,1}(ftp_exec|system|shell_exec|passthru|popen|proc_open)['"]{0,1}\s*,\s*\$disablefuncs|writable(?:=is_writable|\(\$dir\.['"]wp-includes/version\.php['"]|\s*\(*\s*['"]/var/tmp))|set(?:\(\s*(?:@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[['"][a-zA-Z0-9_]++['"]\]\)\s*or\s*die\(*.+?\)*|\$_SERVER\[\s*_\d+\(\s*\d+\s*\)\s*\]\s*\)\s*\?\s*\$_SERVER\[\s*_\d+\(\d+\)\s*\]\s*:\s*_\d+\(\d+\))|\s*(?:\(*\s*\$_POST\s*\[\s*['"]{0,1}execgate['"]{0,1}\s*\]\s*\)*|\(\s*\$_FILES\[\s*['"]{0,1}x['"]{0,1}\s*\]\s*\)\s*\?\s*\(\s*is_uploaded_file\s*\(\s*\$_FILES\[\s*['"]{0,1}x['"]{0,1}\s*\]\[\s*['"]{0,1}tmp_name['"]{0,1}\s*\]\s*\)\s*\?\s*\(\s*copy\s*\(\s*\$_FILES\[\s*['"]{0,1}x['"]{0,1}\s*\])))) +J(?:Response::setBody\s*\(\s*preg_replace|son_encode\(alexusMailer) +kill\s+-9 +l(?:ist(?:\s*\(\s*\$host\s*,\s*\$port\s*,\s*\$size\s*,\s*\$exec_time|ing_page\(\s*notice\(\s*['"]symlinked)|oc(?:\s*=\s*['"]{0,1}<\?echo\s+\$redirect;\s*\?>|ation::isFileWritable\(\s*EncodeExplorer::getConfig)) +m(?:a(?:il\((?:\$(?:arr\[['"]{0,1}to['"]{0,1}\],\$arr\[['"]{0,1}subj['"]{0,1}\],\$arr\[['"]{0,1}msg['"]{0,1}\],\$arr\[['"]{0,1}head['"]{0,1}\]\);|mosConfig_mailfrom, \$mosConfig_live_site)|\s*\$(?:a\[\d+\]\s*,\s*\$a\[\d+\]\s*,\s*\$a\[\d+\]\s*,\s*\$a\[\d+\]|MailTo\s*,\s*\$MessageSubject\s*,\s*\$MessageBody|retorno\s*,\s*\$asunto\s*,\s*\$mensaje)|\s*stripslashes\(\$to\)\s*,\s*stripslashes\(\$subject\)\s*,\s*stripslashes\(\$message)|ke_dir_and_file\(\s*\$path_joomla|sr(?:1\s+Cyb3r\s+Te4m|i\s+Cyber\s+Team))|kdir\(\s*['"]/home/|mcrypt\(\$data, \$key, \$iv, \$decrypt = FALSE|ove_uploaded_file(?:\(\$_FILES\[['"]{0,1}elif['"]{0,1}\]\[['"]{0,1}tmp_name|\s*\(\s*\$_FILES\[\s*['"]{0,1}message['"]{0,1}\s*\]\[\s*['"]{0,1}tmp_name['"]{0,1}\s*\]\s*,\s*\$security_code\s*\.\s*"/"\s*\.\s*\$_FILES\[['"]{0,1}message['"]{0,1}\]\[['"]{0,1}name['"]{0,1}\]\))|x2\.hotmail\.com|ys(?:ql_connect\(\$_(GET|POST|SERVER|COOKIE|REQUEST)\[['"][a-zA-Z0-9_]++['"]\]\s*,\s*\$_(GET|POST|SERVER|COOKIE|REQUEST)|terious\s+Wire)) +n(?:cftpput\s*-u\s*\$ftp_user_name|ew\s+conectBase\(['"]aHR) +Options\s+FollowSymLinks\s+MultiViews\s+Indexes\s+ExecCGI +p(?:a(?:ck\s+"SnA4x8"|ssthru\s*\(*\s*getenv\s*\(*\s*(?:['"]HTTP_ACCEPT_LANGUAGE|\\['"]HTTP_ACCEPT_LANGUAGE))|hp(?:\s+"\s*\.\s*\$wso_path|_['"]\.\$ext\.['"]\.dll['"]{0,1}|SHELL_VERSION)|lugins/search/query\.php\?____pgfa=http%3A%2F%2Fwww\.google|ortlets/framework/security/login|r(?:eg_(?:match(?:\((?:['"]/\(yandex\|google\|bot\)/i['"],\s*getenv\(['"]HTTP_USER_AGENT|\s*['"]{0,1}~Location:\(\.\*\?\)\(\?:\\n\|\$)|_all\((?:['"]{0,1}/<a href="\\/url\\\?q=\(\.\+\?\)\[&\|"\]\+/is['"]{0,1}, \$page\[['"]{0,1}exe['"]{0,1}\], \$links\)|\s*['"]\|\(\.\*\)<\\!-- js-tools))|replace(?:\((?:['"].UTF\\-8:\(.\*\).Use|\){return\s+__FUNCTION__|\s*['"]e['"],['"]{0,1})|\s*\(*\s*(?:['"]/\.\+/esi|['"]{0,1}/\.\*(?:/e['"]{0,1}|\[.+?\]\?/e['"]{0,1}\s*,\s*str_replace))|\s*\(\s*(?:@*\$_(GET|POST|SERVER|COOKIE|REQUEST)|['"]/(?:\.\*/|\^\(www\|ftp\)\\\./i['"]\s*,\s*['"]['"],\s*@\$_SERVER\s*\[\s*['"]{0,1}HTTP_HOST['"]{0,1}\s*\]\s*\))|\$exif\[\s*\\['"]Make\\['"]\s*\]\s*,\s*\$exif\[\s*\\['"]Model\\['"]\s*\])))|i(?:nt(?:\("\\#\s+info\s+OK\\n\\n"\)|\s*\$sock "PRIVMSG "\.\$owner|\s+['"]{0,1}dle_nulled['"]{0,1}|\s+\$sock\s+['"]{0,1}NICK ['"]{0,1}\s+\.\s+\$nick\s+\.\s+['"]{0,1}\\n['"]{0,1})|VMSG\.\*:\.owner\\s\+\(\.\*\))|oc_open\s*\(\s*['"]{0,1}IHSteam)) +r(?:e(?:ad_file_new_2\(\$result_path|gister_shutdown_function\(\s*['"]{0,1}read_ans_code|name\s*\(\s*\s*['"]{0,1}wso\.php['"]{0,1}\s*,|quest\.servervariables\(\s*['"]HTTP_USER_AGENT['"]\s*\)\s*,\s*['"]Googlebot|REFER_PTTH|sultsign_warning|turn(?:\s*\(\s*strstr\s*\(\s*\$s\s*,\s*'echo'\s*\)\s*==\s*false\s*\?\s*\(\s*strstr\s*\(\s*\$s\s*,\s*'print'|\s+['"]/home/[a-zA-Z0-9_]++/[a-zA-Z0-9_]++/|\s+base64_decode\(\$a\[\$i\]\))|writeRule\s+\^\(\.\*\),\(\.\*\)\$\s+\$2\.php\?rewrite_params=\$1&page_url=\$2)|o(?:okee['"]{0,1}\s*,\s*['"]{0,1}webeffector|und\s*\(\s*0\s*\+)|uncommand\s*\(\s*['"]shellhelp['"]\s*,\s*['"](GET|POST|SERVER|COOKIE|REQUEST)['"]) +s(?:c(?:opbin['"]|ripts\[\s*gzuncompress\(\s*base64_decode\()|E(?:LECT\s+(?:1\s+FROM\s+mysql\.user\s+WHERE\s+concat\(\s*`user`\s*,\s*'@'\s*,\s*`host`\s*\)|\*\s+FROM\s+dor_pages)|nd_smtp\(\s*\$email\[['"]{0,1}adr['"]{0,1}\]\s*,\s*\$subj\s*,\s*\$text|t(?:_time_limit\s*\(\s*0\s*\);\s*if\s*\(!SecretPageHandler::checkKey|cookie(?:\(*\s*['"]mysql_web_admin_username['"]\s*\)*|\(\s*\$z\[0\]\s*,\s*\$z\[1\]|\s*\(*\s*['"]{0,1}hit['"]{0,1},\s*1\s*,\s*time\s*\(*\s*\)*\s*\+)|opt\(\$ch\s*,\s*CURLOPT_POSTFIELDS\s*,\s*http_build_query\(\$data))|ite_from=['"]{0,1}\.\$_SERVER\[['"]{0,1}HTTP_HOST['"]{0,1}\]\.['"]{0,1}&site_folder=['"]{0,1}\.\$f\[1\]|lurp['"]{0,1}\s*,\s*['"]{0,1}msnbot|pam\s+completed|tr(?:_(?:ireplace\s*\(*\s*['"]</head>|replace(?:\(\$find\s*,\s*\$find\s*\.\s*\$html\s*,\s*\$text|\s*\(\s*['"]{0,1}/public_html)|rot13\s*\(\s*gzinflate\s*\(\s*base64_decode)|pos\(\$ua,\s*['"]{0,1}yandexbot['"]{0,1}\)\s*!==\s*false|rev\(*\s*['"]{0,1}(?:edoced_46esab['"]{0,1}\s*\)*|tressa['"]{0,1}\s*\)*))|ubstr(?:\(\s*\$string2\s*,\s*strlen\(\s*\$string2\s*\)\s*-\s*9\s*,\s*9\)\s*==\s*['"]{0,1}\[l,r=302\]|_count\(getenv\(\\['"]HTTP_REFERER)|y(?:m(?:bian\|midp\|wap\|phone\|pocket|link\s*\(*\s*['"]/home/)|stem(?:\s*\(*\s*['"]{0,1}whoami['"]{0,1}\s*\)*|\s+file\s+do\s+not\s+delete))) +t(?:ar\s+-czf\s+"\s*\.\s*\$FORM{tar}\s*\.\s*"\.tar|eaM\s+MosTa|HANKs\s+tO\s+Snoppy|ime\(\)\s*\+\s*10000\s*,\s*['"]/['"]\);\s*echo\s+\$m_zz;\s*eval\s*\(\$m_zz|mhapbzcerff|nega_resu_ptth|ouch\(\s*(?:['"]{0,1}\$basepath/components/com_content|\$(?:_SERVER\[\s*['"]DOCUMENT_ROOT['"]\s*\]\s*\.\s*['"]/engine|this->conf->root))|rim\(\s*\$headers\s*\)\s*\)\s*as\s*\$header\s*\)\s*header\(\s*\$header|soh_ptth|ypeof\s*\(dle_admin\)\s*==\s*['"]{0,1}undefined['"]{0,1}\s*\|\|\s*dle_admin\s*==) +u(?:ggc://|n(?:ame\]['"]{0,1}\s*\.\s*php_uname\(\)\s*\.\s*['"]{0,1}\[/uname|ION\s+SELECT\s+['"]{0,1}0['"]{0,1}\s*,\s*['"]{0,1}<\? system\(\\\$_(GET|POST|SERVER|COOKIE|REQUEST)\[cpc\]\);exit;\s*\?>['"]{0,1}\s*,\s*0\s*,0\s*,\s*0\s*,\s*0\s+INTO\s+OUTFILE\s+['"]{0,1}\$['"]{0,1})|RL(?:=<\?(?:echo\s+\$index;\s+\?>|php\s*echo\s*\$rand_url;\?>)|encode\(print_r\(array\(\),1\)\),5,1\)\.c\),\$c\);}eval\(\$d\))|s3\s+Y0ur\s+br41n) +value=['"]<\?\s+(ftp_exec|system|shell_exec|passthru|popen|proc_open)\(['"] +W(?:BS_DIR\s*\.\s*['"]{0,1}temp/['"]{0,1}\s*\.\s*\$activeFile\s*\.\s*['"]{0,1}\.tmp|ebi\.ru/webi_files/php_libmail|hile\(count\(\$lines\)>\$col_zap\) array_pop\(\$lines\)|p_posts\s+WHERE\s+post_type\s*=\s*['"]{0,1}post['"]{0,1}\s+AND\s+post_status\s*=\s*['"]{0,1}publish['"]{0,1}\s+ORDER\s+BY\s+`ID`\s+DESC|so(?:Ex\s*\(\s*\\['"]\s*tar\s*cfzv\s*\\['"]\s*\.\s*escapeshellarg\s*\(\s*\$_POST\[\s*\\['"]p2\\['"]\s*\]\s*\)|setcookie\s*\(\s*md5\s*\(\s*@*\$_SERVER\[\s*(?:['"]HTTP_HOST['"]\s*\]\s*\)|\\['"]HTTP_HOST\\['"]\s*\]\s*\)))) +Zend\s+Optimization\s+ver\s+1\.0\.0\.1 +{\s*\$(?:\s*{\s*passthru\s*\(*\s*\$cmd\s*\)\s*}\s*}\s*<br>|_(GET|POST|SERVER|COOKIE|REQUEST)\s*\[\s*['"]{0,1}root['"]{0,1}\s*\]\s*}) +"(?:\s*\+\s*new Date\(\)\.getTime\(\);\s*document\.body\.appendChild\(|fr"\+"omC"\+"harCode") +&(?:adult=1&|parameter=\$keyword&se=\$se&ur=1&HTTP_REFERER='\+encodeURIComponent\(document\.URL\)) +.(?:://.\..\../.\..\?/|=['"].://.\..(?:/.|\..\../.\..\..)) +/(?:/\s*Some\.devices\.are|g,['"]['"]\)\.split\(['"]\]) +3Bfor\|fromCharCode\|2C27\|3D\|2C88\|unescape +404\.php['"]{0,1}>\s*</script> +;(?:\s*document\.write\(['"]{0,1}<iframe\s*src="http://ya\.ru|try{\+\+document\.body}catch\(q\){aa=function\(ff\){for\(i=0;i<z\.length;i\+\+\){za\+=String\[ff\]\(e\(v\+\(z\[i\]\)\)-12\);}};}|while\([a-zA-Z0-9_]+?<\d+\)document\[.+?\]\(String\[['"]fromChar) +<(?:!--(?:[a-zA-Z0-9_]+?\|\|stat -->|\s*[a-zA-Z0-9_]+?\s*--><script.+?</script><!--/\s*[a-zA-Z0-9_]+?\s*-->)|/(?:body>\s*<script|html>\s*<(?:iframe|script)|iframe>['"]\);\s*var\s+j=new\s+Date\(new\s+Date|script>['"]\);\s*/\*/[a-zA-Z0-9_]+?\*/)|iframe\s+src="http://deluxesclicks\.pro/|script(?:\s*type=['"]{0,1}text/javascript['"]{0,1}\s*src=['"]{0,1}(?:ftp://|http://goo\.gl)|\s+language="JavaScript">\s*parent\.window\.opener\.location="http://vk\.com)) +=(?:"ev"\+"al"|document\.referrer;\s*[a-zA-Z0-9_]+?=unescape\(\s*[a-zA-Z0-9_]+?\s*\);\s*var\s+ExpDate|navigator\[appVersion_var\]\.indexOf\("MSIE"\)!=-1\?'<iframe name) +['"](?:\[\s*['"]charCodeAt['"]\s*\]\(\s*\d+\s*\)|\]\([a-zA-Z0-9_]+?\+\+\)-\d+\)}\(Function\(['"]|replace['"]\]\(/\[) +[a-zA-Z0-9_]+?\.attachEvent\(['"]onload['"],a\):[a-zA-Z0-9_]+?\.addEventListener\(['"]load['"],a,!1\);loadMatcher +\$:\({}\+""\)\[\$\] +\((?:b=document\)\.head\.appendChild\(b\.createElement|function\(a,b\){if\(/\(andr|self===top\?0:1\)\+['"]\.js['"],a\(f,function\(\)) +\);(?:\s*if\(\s*[a-zA-Z0-9_]+?\.test\(\s*document\.referrer\s*\)\s*&&\s*[a-zA-Z0-9_]+?\)\s*{\s*document\.location\.href|if\(!~\(['"]{0,1}) +\+(?:=String\.fromCharCode\(parseInt\(0\+'x'|zz;ss=\[\];f='fr'\+'om'\+'Ch';f\+='arC';f\+='ode';w=this;e=w\[f\["substr"\]\() +\.(?:bitcoinplus\.com|dyndns(?:-|\.)|hopto\.me/jquery|indexOf\(\s*['"]IBrowse['"]\s*\)|prototype\.a}catch\(|s(?:plit\("&&"\);h=2;s="";if\(m\)for\(i=0;|rc=\(['"]{0,1}htps:['"]{0,1}==document\.location\.protocol\?['"]{0,1}https://ssl['"]{0,1}:['"]{0,1}http://['"]{0,1}\)\+|tyle\.height\s*=\s*['"]{0,1}0px['"]{0,1};window\.onload\s*=\s*function\(\)\s*{document\.cookie)) +\[(?:['"](?:char['"]\s*\+\s*[a-zA-Z0-9_]+?\s*\+\s*['"]At['"]\]\(|eval['"]\]\(s\);}}}}</script>)|\(\(e\)\?"s":""\)\+"p"\+"lit"\]\("a\$"\[\(\(e\)\?"su":""\)\+"bstr"\]\(1\)\);) +\\x(?:43(?:ha|ode|ode)|6(?:1rCod|5At|8arC|dCha|fd(?:e|e))|72(?:Co|om)) +\](?:\(\s*v\+\+\s*\)-1\s*\)\s*\)|\.substr\(0,1\)\);}}return this;},\\u00) +\d+\s*>\s*\d+\s*\?\s*['"]\\x\d+['"]\s*: +A(?:rray\.prototype\.slice\.call\(arguments\)\.join\(""\)|t['"]\]\(v\+\+\)-1\)\)) +bankofamerica\.com +c(?:3284d|\.length\);}return\s*['"]['"];}if\(!getCookie|h(?:eck_user_agent=\[\s*['"]{0,1}Lunascape['"]{0,1}\s*,\s*['"]{0,1}iPhone['"]{0,1}\s*,\s*['"]{0,1}Macintosh|rome\|iPad\|iPhone\|IEMobile)|lickUndercookie\s*=\s*GetCookie|o(?:mpal\|elaine\|fennec\|hiptop|reLibrariesHandler)) +d(?:iv\.innerHTML\s*\+=\s*['"]{0,1}<embed\s+id="dummy2"\s+name="dummy2"\s+src|o(?:cument(?:\.(?:c(?:aption=null;window\.addEvent\(['"]{0,1}load['"]{0,1},function\(\){var caption=new JCaption|ookie\.match(?:\(new\s+RegExp\(\s*"\(\?:\^\|; \)"\s*\+\s*name\.replace\(/\(\[\\\.\$\?\*\|{}\\\(\\\)\\\[\\\]\\/\\\+\^\]\)/g|\s*\(\s*new\s+RegExp\s*\(\s*"\(\?:\^\|;\s*\)"\s*\+\s*name\.replace\s*\(/\(\[\\\.\$\?\*\|{}\\\(\\\)\\\[\\\]\\/\\\+\^\]\)/g))|(?:getElementsByTagName\(['"]head['"]\)\[0\]\.appendChild\(a\)|readyState\s+==\s+['"]complete['"]\)\s*{\s*clearInterval\([a-zA-Z0-9_]+?\);\s*s\.src\s*=|write\((?:'<script language="JavaScript" type="text/javascript" src="'\+domain\+'"></scr'\+'ipt>'\)|['"]{0,1}<['"]{0,1}\+['"]{0,1}i['"]{0,1}\+['"]{0,1}f['"]{0,1}\+['"]{0,1}r['"]{0,1}\+['"]{0,1}a['"]{0,1}\+['"]{0,1}m['"]{0,1}\+['"]{0,1}e|\s*(?:['"]<script\s+type=['"]text/javascript['"]\s*src=['"]//['"]\s*\+\s*String\.fromCharCode\.apply|String\.fromCharCode(?:\(|\.apply\())|unescape\('%3Cdiv%20id%3D%22)|write\s*\((?:['"]{0,1}<['"]{0,1}\s*\+\s*x\[0\]\s*\+\s*['"]{0,1} ['"]{0,1}\s*\+\s*x\[4\]\s*\+\s*['"]{0,1}>\.['"]{0,1}\s*\+x\s*\[2\]\s*\+|\s*unescape\s*\(['"]{0,1}%3c)))|\[(?:\s*_0x[a-zA-Z0-9_]+?\[\d+\]\s*\]\(|_0x\d+\[\d+\]\]\(_0x\d+\[\d+\]\+_0x\d+\[\d+\]\+_0x\d+\[\d+\]\);))|llarade\.com)) +e(?:laine\|fennec\|hiptop|val\s*\(\s*decodeURIComponent\s*\() +f(?:='f(?:'\+'r'\+'o'\+'m'\+'Ch'\+'arC'\+'ode'(?:;|;)|r'\+'om'\+'Ch';f\+='arC';f\+='ode';|romCh';f\+='arC';f\+='qgode'\["substr"\]\(2\);)|\+=\(h\)\?'ode':"";|alse};[a-zA-Z0-9_]+?=[a-zA-Z0-9_]+?\(['"][a-zA-Z0-9_]+?['"]\)\|[a-zA-Z0-9_]+?\(['"][a-zA-Z0-9_]+?['"]\);[a-zA-Z0-9_]+?\|=[a-zA-Z0-9_]+?;|ile(?:2store\.info|kx\.com|store(?:123\.info|72\.info))) +goodpillservice\.ru +http://(?:ftp\.|phsp\.ru/_/go\.php\?sid=|xzx\.pm) +i(?:\[_0x[a-zA-Z0-9_]+?\[\d+\]\]\([a-zA-Z0-9_]+?\[_0x[a-zA-Z0-9_]+?\[\d+\]\]\(\d+,\d+\)\)\){window\[_0x[a-zA-Z0-9_]+?\[\d+\]\]=loc|f(?:\((?:!g\(\)&&window\.navigator\.cookieEnabled\){document\.cookie="1=1;expires="\+e\.toGMTString\(\)\+";path=/";|\(a=e\.getElementsByTagName\(['"]a['"]\)\)&&a\[0\]&&a\[0\]\.href\)for\(var|navigator\.userAgent\.match\(/\(android\|midp\|j2me\|symbian|Ref\.indexOf\('\.google\.'\)!=|t\.length==2\){z\+=String\.fromCharCode\(parseInt\(t\)\+)|\s*\((?:!see_user_agent\(\)|[a-zA-Z0-9_]+?\.indexOf\(document\.referrer\.split\(['"]/['"]\)\[['"]2['"]\]\)\s*!=\s*['"]-1['"]\)\s*{|\(ua\.indexOf\(['"]{0,1}chrome['"]{0,1}\)\s*==\s*-1\s*&&\s*ua\.indexOf\("win"\)\s*!=\s*-1\)\s*&&\s*navigator\.javaEnabled|\s*num\s*===\s*0\s*\)\s*{\s*return\s*1;\s*}\s*else\s*{\s*return\s+num\s*\*\s*rFact\(\s*num\s*-\s*1|document\.cookie\.indexOf\(['"]{0,1}sabri)|rame\.style\.width\s*=\s*['"]{0,1}0px['"]{0,1};)|ndexOf\|if\|rc\|length\|msn\|yahoo\|referrer\|altavista\|ogo\|bi\|hp\|var\|aol\|query|p\(hone\|od\)\|iris\|kindle) +javascript\|head\|toLowerCase\|chrome\|win\|javaEnabled\|appendChild +k(?:C70FMblyJkFWZodCKl1WYOdWYUlnQzRnbl1WZsVEdldmL05WZtV3YvRGI9|m0ae9gr6m) +lo(?:adPNGData\(strFile,|cation\.replace\(['"]{0,1}http://v5k45\.ru) +m(?:ob(?:-redirect\.ru|i-go\.in|y-aa\.ru)|yfilestore\.com) +nn(?:_param_preloader_container\|5001\|hidden\|innerHTML\|inject\|visible|m\.pm|n\.pm) +p(?:arent\.window\.opener\.location=['"]{0,1}http://vk\.com\.|ingnow|reg_match\((?:['"]@\(yandex\|google\|bot|['"]{0,1}/sape/i['"]{0,1}\s*,\s*\$_SERVER\[['"]{0,1}HTTP_REFERER)) +q=document\.createElement\("d"\+"i"\+"v"\);q\.appendChild\(q\+""\);}catch\(qw\){h= +s(?:5\(q5\){return \+\+q5;}function yf\(sf,we\){return sf\.substr\(we,1\);}function y1\(wb\){if\(wb==168\)wb=1025;else|e(?:cclik\.ru|r(?:chbot|vload\.ru)|t(?:Cookie(?:\(\s*_0x[a-zA-Z0-9_]+?\s*,\s*_0x[a-zA-Z0-9_]+?\s*,\s*_0x[a-zA-Z0-9_]+?\)|\s*\(*\s*"arx_tt"\s*,\s*1\s*,\s*dt\.toGMTString\(\)\s*,\s*['"]{0,1}/['"]{0,1})|Timeout\(['"]{0,1}addNewObject\(\)['"]{0,1},\d+\);}}};addNewObject\(\))|xfromindia\.com)|martphone\|blackberry\|mtk\|bada\|windows phone|rc=(?:"files_site/js\.js|['"]//['"]\s*\+\s*String\.fromCharCode\.apply)|t(?:ri(?:ng(?:\.fromCharCode\(\s*[a-zA-Z0-9_]+?\.charCodeAt\(i\)\s*\^\s*2|\[\s*['"]fromChar['"]\s*\+\s*[a-zA-Z0-9_]+?\s*\]\()|pos(?:\(navigator\.userAgent\s*,\s*list_data\[i|\s*\(\s*f_haystack\s*,\s*f_needle\s*,\s*f_offset))|ummann\.net)) +t(?:op(?:-webpill\.com|laygame\.ru)|ry{Boolean\(\)\.prototype\.q}catch\() +u(?:rl(?:123\.info|2short\.info)|serAgent\|pp\|http\|dazalyz['"]{0,1}\.split\(['"]{0,1}\|['"]{0,1}\),0) +v(?:=0;vx=['"]Cod|ar\s+(?:_0x|div_colors|dt\s+=\s+new\s+Date\(\),\s+expiryTime\s+=\s+dt\.setTime\(\s+dt\.getTime\(\)\s+\+\s+900000000)) +w(?:\.document\.body\.appendChild\(script\);\s*clearInterval\(i\);\s*}\s*}\s*,\s*\d+\s*\)\s*;\s*}\s*\)\(\s*window|eb-redirect\.ru|hile\(\s*f<\d+\s*\)document\[\s*[a-zA-Z0-9_]+?\+['"]te['"]\s*\]\(String|indow(?:\.(?:location=b}(?:\)\(navigator\.userAgent|\s*\)\(\s*navigator\.userAgent\s*\|\|\s*navigator\.vendor\s*\|\|\s*window\.opera\s*,\s*['"]{0,1}http://)|on(?:error\s*=\s*killerrors|load\s*=\s*function\(\)\s*{\s*if\s*\(document\.cookie\.indexOf\()|postMessage\({\s*zorsystem:\s*1,\s*type:\s*['"]update['"],\s*params:\s*{\s*['"]url['"])|s\|series\|60\|symbos\|ce\|mobile\|symbian)) +{(?:k=i;s=s\.concat\(ss\(eval\(asq\(\)\)-1\)\);}z=s;eval\(|position:absolute;top:-9999px;}</style><div\s+class=) +}\s*else\s*{\s*document\.write\s*\(\s*['"]{0,1}\.['"]{0,1}\)\s*}\s*}\s*R\(\s*\) +@*extract\s*\( +@*extract\s*\$ +['"]eval['"] +['"]base64_decode['"] +['"]create_function['"] +['"]assert['"] +foreach\s*\(\s*\$emails\s+as\s+\$email\s*\) +Spammer +eval\s*['"\(\$] +assert\s*['"\(\$] +srpath://\.\./\.\./\.\./\.\. +phpinfo\s*\( +SHOW\s+DATABASES +\bpopen\s*\( +exec\s*\( +\bsystem\s*\( +\bpassthru\s*\( +\bproc_open\s*\( +shell_exec\s*\( +ini_restore\s*\( +\bdl\s*\( +\bsymlink\s*\( +\bchgrp\s*\( +\bini_set\s*\( +\bputenv\s*\( +getmyuid\s*\( +fsockopen\s*\( +posix_setuid\s*\( +posix_setsid\s*\( +posix_setpgid\s*\( +posix_kill\s*\( +apache_child_terminate\s*\( +\bchmod\s*\( +\bchdir\s*\( +pcntl_exec\s*\( +\bvirtual\s*\( +proc_close\s*\( +proc_get_status\s*\( +proc_terminate\s*\( +proc_nice\s*\( +getmygid\s*\( +proc_getstatus\s*\( +proc_close\s*\( +escapeshellcmd\s*\( +escapeshellarg\s*\( +show_source\s*\( +\bpclose\s*\( +safe_dir\s*\( +ini_restore\s*\( +chown\s*\( +chgrp\s*\( +shown_source\s*\( +mysql_list_dbs\s*\( +get_current_user\s*\( +getmyid\s*\( +\bleak\s*\( +pfsockopen\s*\( +get_current_user\s*\( +syslog\s*\( +\$default_use_ajax +eval\s*\(*\s*unescape +FLoodeR +document\.write\s*\(\s*unescape +\bcopy\s*\( +move_uploaded_file\s*\( +\.333333 +\.666666 +round\s*\(*\s*0\s*\)* +move_uploaded_files\s*\( +ini_get\s*\(\s*['"]{0,1}disable_functions['"]{0,1} +UNION\s+SELECT\s+['"]{0,1}0['"]{0,1} +2\s*>\s*&1 +echo\s*\(*\s*\$_SERVER\[['"]{0,1}DOCUMENT_ROOT['"]{0,1}\] +=\s*Array\s*\(*\s*base64_decode\s*\(* +killall\s+-\d+ +eriuqer +touch\s*\( +sshkeys +@include +@require +if\s*\(mail\s*\(\s*\$to,\s*\$subject,\s*\$message,\s*\$headers +@ini_set\s*\(*['"]{0,1}allow_url_fopen +@file_get_contents +file_put_contents +android\s*\|\s*midp\s*\|\s*j2me\s*\|\s*symbian +@setcookie\s*\(*['"]{0,1}hit +@fileowner +<kuku> +sypex +\$beecode +root@localhost +Backdoor +php_uname\s*\( +mail\s*\(*\s*\$to\s*,\s*\$subj\s*,\s*\$msg\s*,\s*\$from +echo\s*['"]<script>\s*alert\( +mail\s*\(*\s*\$send\s*,\s*\$subject\s*,\s*\$headers\s*,\s*\$message +mail\s*\(*\s*\$to\s*,\s*\$subject\s*,\s*\$message\s*,\s*\$headers +strpos\s*\(*\s*\$name\s*,\s*['"]{0,1}HTTP_['"]{0,1}\s*\)*\s*!==\s*0\s*&&\s*strpos\s*\(*\s*\$name\s*,\s*['"]{0,1}REQUEST_ +is_function_enabled\s*\(\s*['"]{0,1}ignore_user_abort +echo\s*\(*\s*file_get_contents +echo\s*\(*['"]{0,1}<script +print\s*\(*\s*file_get_contents +print\s*\(*['"]{0,1}<script +<marquee\s+style\s*=\s*['"]{0,1}position\s*:\s*absolute\s*;\s*width\s*:\s*\d+\s*px\s* +=\s*['"]{0,1}\.\./\.\./\.\./wp-config\.php +eggdrop +rwxrwxrwx +error_reporting +\bcreate_function +{\s*position\s*:\s*absolute;\s*left\s*:\s*- +<script\s+async +_['"]{0,1}\s*\]\s*=\s*Array\s*\(\s*base64_decode\s*\(*\s*['"]{0,1} +AddType\s+application/x-httpd-cgi +getenv\s*\(*\s*['"]{0,1}HTTP_COOKIE['"]{0,1} +ignore_user_abort\s*\(*\s*['"]{0,1}1['"]{0,1} +\$_REQUEST\s*\[\s*%22 +url\s*\(['"]{0,1}data\s*:\s*image/png;\s*base64\s*, +url\s*\(['"]{0,1}data\s*:\s*image/gif;\s*base64\s*, +:\s*url\s*\(\s*['"]{0,1}<\?php +</html>.+?<script +</html>.+?<iframe +(ftp_exec|system|shell_exec|passthru|popen|proc_open)\s*['"\(\$] +\bmail\s*\( +file_get_contents\s*\(*\s*['"]{0,1}php://input +<meta\s+http-equiv=['"]{0,1}Content-type['"]{0,1}\s+content=['"]{0,1}text/html;\s*charset=windows-1251['"]{0,1}><body> +=\s*document\.createElement\(\s*['"]{0,1}script['"]{0,1}\s*\); +document\.body\.insertBefore\(div,\s*document\.body\.children\[0\]\); +<script\s+type="text/javascript"\s+src="http://[a-zA-Z0-9_]+?\.php"></script> +echo\s+['"]{0,1}ok['"]{0,1} +/usr/sbin/sendmail +/var/qmail/bin/sendmail \ No newline at end of file