Vim Patior

Edit file

File name : sig_inspect.lua

Content :

function main(filename)
	local ERR = 1

-- regex compile flags, REG_EXTENDED|REG_NEWLINE
	local COMPILE_FLAGS = 5

local ret, f, data, rex

f = io.open(filename, "rb")

if (not f) then
		m.log(ERR, "Could not open " .. tostring(filename))
		return
	end

local regex_signatures = {
		
			{ signature = [=[eval[(][[:space:]]*stripslashes[(][[:space:]]*[^\$]*\$_(POST|GET)]=], id = "6d462d44023cd074fb0eab99cacbcb2136c7b082", comment = "eval post or get variables" },
		
			{ signature = [=[exec.?.?.?[(][[:space:]]*['"]/bin/(su|(ba|a)?sh)['"]]=], id = "aeec3d1f041a5c13f1d2808e2929776d59546abc", comment = "backdoor: eval and calls to su" },
		
			{ signature = [=[sendraw[[:blank:]]*[(]?.*PRIVMSG]=], id = "a37721c817cdd34c3ebf1f8d18721de187899bb6", comment = "ircbot: privmsg match" },
		
			{ signature = [=[[O0]\+=urldecode]=], id = "313ec62189d81ad6bc6fc19c22a2f5adc9884736", comment = "Re-seed" },
		
			{ signature = [=[assert[(][[:blank:]]*\$_(POST|GET)[\[]]=], id = "c6e621b6afeacdc13adf8cd1f320dd118685b99f", comment = "some variation on evals from globals" },
		
			{ signature = [=[eval[(][[:blank:]]*getenv[(][^)]*[)]*;]=], id = "e0bec013a5dbd4a04d817710fb7594034f72e230", comment = "some variation on evals from globals" },
		
			{ signature = [=[system[[:blank:]]*[(]?['\"](adduser|gcc|g\+\+|passwd)]=], id = "d2719f9b714a3063c55ef4e7783d3ef95e1a87f7", comment = "system() calls to compiler/system utils" },
		
			{ signature = [=[if[[:blank:]]*[(][[:blank:]]*isset[[:blank:]]*[(][[:blank:]]*([$]_[^]]+).*?[eE][vV][aA][lL][[:blank:]]*[(][^)]*\1]=], id = "c34daa838ac9219843c10ab591cb74c77620b85f", comment = "if global values is set, eval it\!" },
		
			{ signature = [=[\W+system[(][^$;]*[$]_(GET|POST)]=], id = "7fa8933a372644321b73082c8ad663a2972fe9c6", comment = "execute commands from POST or GET" },
		
			{ signature = [=[fsockopen[(][[:blank:]]*["'](udp|tcp)://[$](0|o|O)+["'][[:blank:]]*,[[:blank:]]*[$]rand[[:blank:]]*,[[:blank:]]*[$]errno[[:blank:]]*,[[:blank:]]*[$]errstr[[:blank:]]*]=], id = "10fafaf4a5859f4ca9d020a0a2ed721f457f506e", comment = "flooding script, where most variables are some combinations of o, O, and 0." },
		
			{ signature = [=[([$][^ ]+)[[:blank:]]*=[[:blank:]]*["']a["'][[:blank:]]*.[[:blank:]]*["']s["'][[:blank:]]*.[[:blank:]]*["']s["'][[:blank:]]*.[[:blank:]]*["']e["'][[:blank:]]*.[[:blank:]]*["']r["'][[:blank:]]*.[[:blank:]]*["']t["'][[:blank:]]*;[[:blank:]]*\1[(][$]_(POST|GET)]=], id = "7a6f3340253e506f906e233297a80dfc72b81c5f", comment = "obfu assert assigned to a variable, and then called as a fnct on POST or GET." },
		
			{ signature = [=[^\W*[@]?(system|shell_exec|passthru|exec)[(][[:blank:]]*["'](wget|curl|fetch)[^;]+;[[:blank:]]*perl]=], id = "f28344188eb78dc56d441b0ac50e8f3345dbb3e3", comment = "dropper script to fetch and exec" },
		
			{ signature = [=[function[[:blank:]]*[[:alnum:]]*[(][$][[:alnum:]]*,[[:blank:]]*([$][[:alnum:]]+)[^{]*[{][^{]*[{][^=]*=[[:blank:]]*isset[(]\1]=], id = "faf7cfeb4f057c673d8e40cfcbc15d093f040ff0", comment = "looks like a mailer bot that has been obfu-ed" },
		
			{ signature = [=['#Wysigot#i', '#Yahoo!\s*Slurp#i', '#Yeti#i', '#Accoona#i', '#CazoodleBot#i',]=], id = "429d6c5525f049bfde72d0a3b61d9fcd7c7c2093", comment = "Found in scripts that are used for bouncing folks to various webpages" },
		
			{ signature = [=[([$][[:alnum:]]+)[[:blank:]]*=[^$]+[$]_(GET|POST)[^;]*;.*mail[(][[:blank:]]*stripslashes[(][[:blank:]]*\1]=], id = "258baf97ec9ddab09d1a38b79fe5970c47438d32", comment = "calls to php's mail, strip slashes or one-liners" },
		
			{ signature = [=[[<][?]php[^=]*=[[:blank:]]*mail[(]([[:blank:]]*[$]_(GET|POST)[^,]+,[[:blank:]]*){3}[$]_(GET|POST)[^;]+;[[:blank:]]*(if[(])?]=], id = "cf5d440324606ec94732a0ec25f2aa42bb024f21", comment = "calls to php's mail, strip slashes or one-liners" },
		
			{ signature = [=[[<][?]php[^=]*=[[:blank:]]*mail[(]([[:blank:]]*stripslashes[(][$]_(GET|POST)[^,]+,[[:blank:]]*){2}stripslashes[(][$]_(POST|GET)]=], id = "13b3e740aef068360cf8e447a522351da99b610c", comment = "calls to php's mail, strip slashes or one-liners" },
		
			{ signature = [=[eval[(]eval[(]"[\][$]_[[:alnum:]]{8,} = [\]x[[:digit:]]{2}]=], id = "c6b1c230aaadd3e64bd6eea055c781be4a581f8c", comment = "obfuscated code" },
		
			{ signature = [=[@preg_replace[(]['"]/[^/]+/e["']]=], id = "f34fd4d2dc30fe8da591fbc1bbfc58f6c46174a9", comment = "backdoors and evals" },
		
			{ signature = [=[if[(][[:blank:]]*isset[[:blank:]]*[(][[:blank:]]*([^)]*)[[:blank:]]*[)][[:blank:]]*[)][[:blank:]]*[{][[:blank:]]*[eE][vV][aA][lL][[:blank:]]*[(][[:blank:]]*\1]=], id = "b2bea76b6d50c1a076102003c4938804edf19b8d", comment = "backdoors and evals" },
		
			{ signature = [=[eval[[:blank:]]*[(][[:blank:]]*[$][[:alnum:]]{4,9}[[:blank:]]*[[][[:blank:]]*[$]GLOBALS[[:blank:]]*[[][[:blank:]]*['"][[:blank:]]*[[:alnum:]]{4,9}['"][[:blank:]]*[]][[][[:blank:]]*[[:digit:]]+[[:blank:]]*[]][[:blank:]]*[]][[:blank:]]*[)]]=], id = "676bd6e7e9c1f89e3f9e49071baa72432b1ac53a", comment = "backdoors and evals" },
		
			{ signature = [=[([$][^=]+)=[[:blank:]]*strtolower[^;]+;[[:blank:]]*([$][^=]+)=[$][{]strtoupper[^;]+;[[:blank:]]*[^{]+[{]eval[(]\1[(]\2]=], id = "744890ea369f9edb5cac5a93d38b5d5c87c4f6b2", comment = "backdoors and evals" },
		
			{ signature = [=[INSERT INTO [`]["'][.][$]table_pref[.]["']users[`][^@]+@wpwhitesecurity.com]=], id = "e55aa6ec95a327a5a8e91cf1edca448f6ce15a50", comment = "Script used to inject admin account in WordPress" },
		
			{ signature = [=[^[[:blank:]]+[$][^[:blank:]]+[[:blank:]]*[(][[:blank:]]*["']/([^/]+)/e["'][[:blank:]]*,[[:blank:]]*[$][^[:blank:]]+[[:blank:]]*,[[:blank:]]*\1]=], id = "bf77fdac89ae70aaf7a4b7f93d0b4b42a13dfe32", comment = "Create a php class with a constructor that appears to call preg_replace /e" },
		
			{ signature = [=[preg_replace[[:space:]]*[(][[:space:]]*['"](\\x?[[:alnum:]]{2,3}){4}]=], id = "d2b517902820b22f9c2d4c67ade04137d0d83424", comment = "preg_replace with hex" },
		
			{ signature = [=[[$]GLOBALS[[]["'][a-z0-9]{7}["'][]][[:blank:]]*=[[:blank:]]*([$][^]]+)[[][[:digit:]]+[]][[:blank:]]*[.][[:blank:]]*(\1[[][[:digit:]]+[]][[:blank:]]*[.][[:blank:]]*){10}]=], id = "aba295fbf98e1db2f95f107fa688a1c6b4cacfb4", comment = "obfuscated backdoor" },
		
			{ signature = [=[^\/\/fwrite[(][$]fp,["']\\xEF\\xBB\\xBF["'][.]iconv[(]'gbk','utf-8//IGNORE',[$]body[)][)];[[:space:]]*$]=], id = "42b31bede827b47475ebb24c61635ff6b486ee3d", comment = "backdoor script that does file writing" },
		
			{ signature = [=[([$][[:alpha:]_][[:alnum:]_]*)[[:blank:]]*=[[:blank:]]*['"][^'"]{1000,}['"][[:blank:]]*;[[:blank:]]*(eval|base64_decode|gzuncompress|str_rot13)[[:blank:]]*[(][^$]+\1]=], id = "3e8f35ad3140a74532e23ac5357a3b5890bd99e2", comment = "eval of a previously declared variable whose value is a large string" },
		
			{ signature = [=[([$][[:alpha:]_][[:alnum:]_]*)[[:space:]]*=[[:space:]]*base64_decode[[:space:]]*[(]['"][^;]+;[[:space:]]*eval[[:space:]]*[(][[:space:]]*\1]=], id = "1aa54495225016bb56ef78438d9314bdc8983a51", comment = "eval of a previously declared base64_decoded variable" },
		
			{ signature = [=[([$][{]['"]([GgLlOoBbAaSs]|(\\x)?[[:alnum:]]{2,3}){6}['"][}])\[['"]((\\x)?[[:alnum:]]{2,3}|[[:alnum:]]){5,}['"]\][[:space:]]*=[[:space:]]*['"]((\\x)?[[:alnum:]]{2,3}|[[:alnum:]])+['"]]=], id = "198198445d434aee34869ff80dd78be018202be0", comment = "set obfuscated GLOBALS array as hex-encoded values" },
		
			{ signature = [=[([$][[:alpha:]_][[:alnum:]_]*)[[:blank:]]*=[[:blank:]]*["'](\\x?[[:alnum:]]{2,3}){6}[^;]+[[:blank:]]*;[[:blank:]]*@?eval[[:blank:]]*[(][[:blank:]]*\1]=], id = "df5198a3f3b43a7d47ffa08ae98bfda3aef3bdee", comment = "eval'd PHP variable whose value is a hex-encoded string - FOPO obfuscator" },
		
			{ signature = [=[([$][[:alpha:]_][[:alnum:]_]*)[[:blank:]]*=[[:blank:]]*['"][^'"]+['"][[:blank:]]*;[[:blank:]]*([$][[:alpha:]_][[:alnum:]_]*)[[:blank:]]*=[[:blank:]]*(\1\[[[:digit:]]{1,3}\][[:blank:]]*[.]?[[:blank:]]*){3}]=], id = "d257dcc2d96acaab99d73490612ca9a97041d9dd", comment = "PHP variable built using concatenated integer-indexed string splicing" },
		
			{ signature = [=[if[[:blank:]]*[(][[:blank:]]*isset[[:blank:]]*[(][[:blank:]]*([^)]+)[^$]+([$][[:alpha:]_][[:alnum:]_]+)[[:blank:]]*=[[:blank:]]*(base64_decode[[:blank:]]*[(][[:blank:]]*)?\1[^eE]+[eE][vV][aA][lL][[:blank:]]*[(][[:blank:]]*[^)]*\2]=], id = "3d44ebcc53a6244ee0c84de4013da7f52888b1cc", comment = "PHP variable is checked with isset(), reassigned, and then eval'd" },
		
			{ signature = [=[symlink[(]['"]/home[[:digit:]]*/['"][.][$]user[.]['"]/public_html]=], id = "1c2668807e08a4dbc940d360427d608552875760", comment = "php backdoor" },
		
			{ signature = [=[^([(]'[[:punct:]]'[|^&]'[[:punct:]]'[)][.]){10}]=], id = "a145b2109975e69e819264e9f12710a3dbfd6bf8", comment = "perl obfuscated dropper" },
		
			{ signature = [=[str_rot13[[:blank:]]*[(][[:blank:]]*['"]*riny]=], id = "c88c05b07643e45f18da14ea601590c04a337d2f", comment = "obfuscated eval" },
		
			{ signature = [=[<input type=hidden name=.*[$]cwd]=], id = "ceff9d97ea0e38ea3fa29666bdbc39129d515a02", comment = "file dropper" },
		
			{ signature = [=[^<[?]php ([$][[:alpha:]][[:alnum:]_]*)[[:blank:]]*=[[:blank:]]*base64_decode[(][^;]+;[[:blank:]]*eval[(][^(]+[(][\\"]+\1]=], id = "79b077b07bb2dc5359a2826c908dfe0ecd1aae87", comment = "obfuscated backdoor" },
		
			{ signature = [=[([$][[:alpha:]][[:alnum:]_]*)=(chr[(][[:digit:]]{2,3}[)][.]){10}[^;]+;[[:blank:]]*eval[[:blank:]]*[(][[:blank:]]*\1[[:blank:]]*[[:blank:]]*[(][[:blank:]]*[$]_[A-Z]{3,10}[[]]=], id = "dfbab21e7b50c6e3ec31e576c590482ea28fdc4c", comment = "obfuscated variable function call" },
		
			{ signature = [=[chr[[:blank:]]*[(][[:blank:]]*[[:digit:]]{2,3}[[:blank:]]*[)][[:blank:]]*[.][[:blank:]]*((chr[[:blank:]]*[(][[:blank:]]*[[:digit:]]{2,3}[[:blank:]]*[)]|['"][[:alnum:]()\\\/_]+['"])[[:blank:]]*[.][[:blank:]]*){2}['"][[:alnum:]()\\\/_]+['"][[:blank:]]*[.][[:blank:]]*((chr[[:blank:]]*[(][[:blank:]]*[[:digit:]]{2,3}[[:blank:]]*[)]|['"][[:alnum:]()\\\/_]+['"])[[:blank:]]*[.][[:blank:]]*){3}]=], id = "721ada1107832d3f7bc180bf2ec77d6379811d58", comment = "obfuscated function call" },
		
			{ signature = [=[([$][[:alpha:]][[:alnum:]_]*)[[:blank:]]*=[[:blank:]]*array[()]{2};(\1[[][[:digit:]]+[]][[:blank:]]*=[[:blank:]]*chr[(][[:digit:]]{2,3}[)][[:blank:]]*;){5}]=], id = "312420295958e9a70a8298882128d183b6e5a1a6", comment = "obfuscated eval64 script related" },
		
			{ signature = [=[[$][[:alpha:]]{4,7}[[][$]i[]] = chr[(]ord[(][$][[:alpha:]]{4,7}[[][$]i[]][)][[:blank:]]*-[[:blank:]]*1]=], id = "f99eb34c61eba0d6fa06b25804bd913ac975cc70", comment = "obfuscated backdoor related" },
		
			{ signature = [=[^if[[:blank:]]*[(]([(]file_exists[(]["']tpl[[:digit:]]+[.]html?["'][)][)][[:blank:]]+or[[:blank:]]+){8}]=], id = "60c7a3565789a845e5c696de9f61eb79d27a7391", comment = "file dropper related" },
		
			{ signature = [=[[\][Xx]65[\][Xx]76[\]x61[\][Xx]6[Cc]]=], id = "4092d0aa56fda285ed083ceadc8ed9d0677e1bf5", comment = "clever eval" },
		
			{ signature = [=[if[[:blank:]]*[(][[:blank:]]*isset[[:blank:]]*[(][$][{][[:blank:]]*([$][[:alnum:]_-]+)[[:blank:]]*[}][[:blank:]]*[[][[:blank:]]*(['"][[:alnum:]]+['"])[[:blank:]]*[]][^{]+[{][[:blank:]]*eval[[:blank:]]*[(][[:blank:]]*[$][[:alnum:]_-]+[[:blank:]]*[(][$][{]\1[}][[]\2]=], id = "a6674ab076888985090a4a2d1e9c5760d3b9ca6e", comment = "clever eval" },
		
			{ signature = [=[passthru[(][$]_[A-Z]]=], id = "b2336c598b39976d4dca451a0f3213ccea875042", comment = "shells" },
		
			{ signature = [=[^cd /(var/(tmp|run)|tmp|dev/shm)/?;curl]=], id = "354eeb63830fdcc5893d5234983ae19802e1e348", comment = "dropper script that grabs others" },
		
			{ signature = [=[if[[:blank:]]*[(][[:blank:]]*isset[(][[:blank:]]*[$][{]([$][[:alnum:]]+)[[:blank:]]*[}][[:blank:]]*[[](['"][^'"]+['"])[[:blank:]]*[]][^{]+[{][[:blank:]]*eval[(][$][{][[:blank:]]*\1[[:blank:]]*[}][[][[:blank:]]*\2]=], id = "f2c20a7078c621f2f8ade5a9b649b81adef30100", comment = "eval obfuscated globals" },
		
			{ signature = [=[Packet Size Check Failed! 0 for random - 65500...\n]=], id = "15fe613c005bf6c34e99537af471173f5541a720", comment = "perl flooder script related" },
		
			{ signature = [=[if[(][[:blank:]]*isset[(][[:blank:]]*[$]_REQUEST[[][[:alnum:]]+[]][)][)][[:blank:]]*[{][[:blank:]]*([$][[:alnum:]]+)[[:blank:]]*=[[:blank:]]*[eE][vV][aA][lL][[:blank:]]*[(]([[:blank:]]*chr[(][[:digit:]]+[)][[:blank:]]*[.]?[[:blank:]]*)+[)];[[:blank:]]*([$][[:alnum:]]+)[[:blank:]]*=[[:blank:]]*([[:blank:]]*chr[(][[:digit:]]+[)][[:blank:]]*[.]?[[:blank:]]*)+;[$][[:alnum:]][(][^,]+,[[:blank:]]*\1[^;]+;[[:blank:]]*die[(][)];}]=], id = "4ebeb425cf99170556e10991279d5431c56ad86c", comment = "obfuscated eval globals" },
		
			{ signature = [=[^<[?]php[[:blank:]]*function[[:blank:]]*([[:alnum:]]{16,})[[:blank:]]*[(][$][[:alnum:]]+[)][[:blank:]]*[{][[:blank:]]*([$][[:alnum:]]+)[[:blank:]]*=[[:blank:]]*base64_decode[^;]+;[[:blank:]]*return[[:blank:]]*eval[(][[:blank:]]*["]return[[:blank:]]*\2[^}]+[}][[:blank:]]*eval[(]['"][?]>[[:blank:]]*['"][[:blank:]]*[.][[:blank:]]*\1]=], id = "9dadb14fcba03b74f01bfbb61a3caecd11812287", comment = "obfuscated eval globals" },
		
			{ signature = [=[https?:[/][/]9iaajn.net[/][?]a=]=], id = "3c16283bc0e029e8f082e5975bc98bc9df10764f", comment = "blackhatSEO related" },
		
			{ signature = [=[<[?]php ([$][[:alpha:]]+) = [$]_REQUEST[[]['"][[:alpha:]]+['"][]]; eval[(]base64_decode[(]\1[)][)][;] [?]>]=], id = "1ad13fe8ba05577cb63a559e09ca4b6cfaa3edf9", comment = "eval globals" },
		
			{ signature = [=[[$]tik=array[(]"[a-z0-9]{2,3}"=>]=], id = "893ca1f99a6fccf69c7c8e9c497a58ccc9a08163", comment = "eval globals" },
		
			{ signature = [=[^@?([$][[:alnum:]_][[:alnum:]]*)=((\/\*[^\\]*\*\/|['"][asert]['"]|\1)[.]?){4}]=], id = "7d2ad4530437ee53adcb25939d678243459096c3", comment = "obfuscated assert decocoded globals" },
		
			{ signature = [=[wget http://[[:digit:]]{1,3}[.][[:digit:]]{1,3}[.][[:digit:]]{1,3}[.][[:digit:]]{1,3}/([^[:blank:]]+)[^;]+;[^;]+; sh \1]=], id = "ba13703a618fc9cd77e29b25c540d2633a897e30", comment = "python script for scanning and exploiting/hopping" },
		
			{ signature = [=[open[^,]+,[[:space:]]*['"]<(['"][^,]*[^'"]*['"])?/etc/passwd]=], id = "1f99aed273a04bcdf2c1f9f9dd36202f4b2bf589", comment = "attempted access of sensitive files" },
		
			{ signature = [=[include[[:space:]]*['"](\\x?[[:alnum:]]{2,3}|/){5}]=], id = "76b111d5152c611c01b8b3087eaf52564d98cf98", comment = "spam mailer script" },
		
			{ signature = [=[^#[[:blank:]]*synSpoofFlood]=], id = "233cd4eda55be5a0accbc19b428a6a8e3e17bf24", comment = "syn flooding script" },
		
			{ signature = [=[^[$][[:alpha:]]{3}=["']_(\\x[[:alnum:]]{2}){6,}[^{]+[{]([$][[:alpha:]]+)[[:blank:]]*=[$][[:alpha:]]+[(]['"]{2},[$][[:alpha:]]{2}[(][$][[:alpha:]]{2}[)][)];\2[(][)];[}]$]=], id = "2a546b0441041619f0cb0a5c33555222b7ad7416", comment = "eval obfuscated globals" },
		
			{ signature = [=[^[[:blank:]]*file_put_contents[(]['"][^'"]+['"], base64_decode[(][$]_(POST|GET|REQUEST)[[]['"][[:alpha:]]+['"][]][)], LOCK_EX[)];]=], id = "9049ac9ea3fe8977a2c2cfa6c5474d4f457626f7", comment = "file dropper" },
		
			{ signature = [=[([$][[:alpha:]]+)=\1[(][$]_(POST|GET)[^)]+[)];file_put_contents[(](['"][[:alpha:]]+["']),['"]<[?]php ["'].\1[)];include[(]\3[)];]=], id = "4fe720386617da42d1fee02927463965ef230c07", comment = "include from global" },
		
			{ signature = [=[^[$][[:alnum:]_]+[[:blank:]]*=[[:blank:]]*["']\\x7f\\x45\\x4c\\x46]=], id = "630ee5ba84913e2b49e0a6c749fb81089368bb6a", comment = "LD_PRELOAD exploit related. Magic 'ELF' string in PHP." },
		
			{ signature = [=[^[[:blank:]]*([$][[:alnum:]]+)[[:blank:]]*=[[:blank:]]*([$][[:alnum:]]+)[(][$][[:alpha:]]+[[][[:alpha:]]+[]][)];[$][[:alnum:]]+[[:blank:]]*=[[:blank:]]*\2[(][$][[:alpha:]]+[[][[:alpha:]]+[]][)];([$][[:alnum:]]+)[[:blank:]]*=[[:blank:]]*\1[^;]+;\3[()]{2};
]=], id = "2832aa1fb33a2d3eb3e1c457b454d82cfe13f087", comment = "Eval cookie values" },
		
			{ signature = [=[^[[:blank:]]*([$][[:alnum:]]+)[[:blank:]]*=[[:blank:]]*([$][[:alnum:]]+)[(][$][[:alpha:]]+[[][[:alpha:]]+[]][)];[$][[:alnum:]]+[[:blank:]]*=[[:blank:]]*\2[(][$][[:alpha:]]+[[][[:alpha:]]+[]][)];([$][[:alnum:]]+)[[:blank:]]*=[[:blank:]]*\1[^;]+;\3[()]{2};
]=], id = "2832aa1fb33a2d3eb3e1c457b454d82cfe13f087", comment = "Eval cookie values" },
		
			{ signature = [=[^<[?]php @?array_diff_ukey[(][^,]+,[^,]+,[$]_(REQUEST|POST|GET)]=], id = "dd693ea4a6d12bc568c0d1e11897d644d8844c00", comment = "evals globals" },
		
			{ signature = [=[[$](0|O)+[[:blank:]]*=[[:blank:]]*urldecode[(]['"]%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64["'][)];]=], id = "a4efa3ee399d1ab731376abc10efa74fb8a8ca33", comment = "obfuscated backdoor code, matching on url-encoded assert/base64decode" },
		
			{ signature = [=[^preg_replace[(]['"]\/\/e['"],(["'][eval]{1,2}([(][$][[:alpha:]]+[)])?["'][.]?)+]=], id = "4e23c14b02d0241729101dcee3037ad2ec27dc12", comment = "preg-replacing double eval, obfuscated backdoor. file manager, etc" },
		
			{ signature = [=[^<[?]php[[:blank:]]*function xsd_conventer[(][$][[:alnum:]]+,[[:blank:]]*[$][[:alnum:]]+([[:blank:]]*=[[:blank:]]*['']{2}[[:blank:]]*)?[)]]=], id = "291e522e6b7234567638a0a55e89647c85d8afc0", comment = "CPR7709.Webshell" },
		
			{ signature = [=[file_put_contents[(]["'][^'"]+['"][[:blank:]]*,[[:blank:]]*base64_encode[(]json_encode[(][$][[:alpha:]]+[)]{2}[[:blank:]]*[.][[:blank:]]*["]\\n["],[[:blank:]]*FILE_APPEND[)];]=], id = "06f9bab9dd591b1b8867d082cb1ea837895d5a94", comment = "CPR9E4A.Webshell" },
		
			{ signature = [=[array_map[[:blank:]]*[(][[:blank:]]*['"]base64_decode['"][[:blank:]]*.[[:blank:]]*unserialize[[:blank:]]*[(]]=], id = "acbdbaa1fc5a3b6a0cfb1a150d664ed5692d7314", comment = "php.spam-seo.dbload.001" },
		
			{ signature = [=[if[[:blank:]]*[(][[:blank:]]*isset[[:blank:]]*[(][[:blank:]]*[$][{][[:blank:]]*([$][[:alnum:]]+)[[:blank:]]*[}][[:blank:]]*[[][[:blank:]]*['\"]([^'\"]+)['\"][[:blank:]]*[]][[:blank:]]*[)][[:blank:]]*[)][[:blank:]]*[{][[:blank:]]*eval[[:blank:]]*[(][[:blank:]]*([$][[:alnum:]]+[[:blank:]]*[(])?[[:blank:]]*[$][{][[:blank:]]*\1[[:blank:]]*[}][[:blank:]]*[[[][[:blank:]]*['\"]\2['\"][[:blank:]]*[]]]=], id = "04c830fc586483807c00d07ab528e296a0a156e4", comment = "PHP Mini shell" },
		
			{ signature = [=[if[(]!function_exists[(]["']([A-Z0-9]+)['"][)][)][{]function \1[(]([$][A-Z0-9]+)[)][{]\2=base64_decode[(]\2[)];[^;]+;[^;]+;[^;]+;[$][A-Z0-9]+=[(]ord[(]\2]=], id = "8a43fc73952722dcb1bbf350436ac188ea32aa2d", comment = "PHP backdoor, global eval" },
		
			{ signature = [=[if[[:blank:]]*[(][[:blank:]]*!empty[[:blank:]]*[(][[:blank:]]*[$]GLOBALS([[]['"][[:alnum:]]+['"][]][[]['"][[:alnum:]]+['"][]])[)][)][[:blank:]]*[{][[:blank:]]*eval[(][$]GLOBALS\1[)];[[:blank:]]*[}]]=], id = "8276df33607fc278253f16ee5de820d534924a86", comment = "check and eval globals" },
		
			{ signature = [=[if[[[:blank:]]*[(][[[:blank:]]*@?copy[[[:blank:]]*[(][[[:blank:]]*[$]_FILES\[['"][[:alnum:]]+['"]\]\[['"]tmp_name['"]\][[[:blank:]]*,[[[:blank:]]*[$]_FILES\[['"][[:alnum:]]+['"]\]\[['"]name['"]\][[[:blank:]]*[)]]=], id = "d5a2f1e8d8e39902ec8a75beca6e946fb6611546", comment = "file dropper" },
		
			{ signature = [=[extract[(][$]_(COOKIE|GET|POST|REQUEST)[)];@([$][[:alnum:]]+)&&@\2[(]]=], id = "acad86e760c8fdcf3e9bba8e5399af4119dc227a", comment = "Extract to symbol table and call new functions" },
		
			{ signature = [=[^[[:blank:]]+[$](0|o|O){4,}=urldecode[(]['"][%[:alnum:]]+['"][)];[$](0|o|O){4,}[[:blank:]]*=[[:blank:]]*[$](0|o|O){4,}[[{][0-9][]}][.][$](0|o|O){4,}[{[][0-9][]}][.]]=], id = "e41eba991e78feab4410ad0f1b8cf19838d5ccd6", comment = "Obfuscated backdoor - common 0O pattern" },
		
			{ signature = [=[^[[:blank:]]*eval[[:blank:]]*[(][[:blank:]]*[$]_POST[[:blank:]]*[[][[:blank:]]*["']wp-load["'][[:blank:]]*[]][)];$]=], id = "b1ac8d9e90ed8f95cb6464617c030f28f77be66c", comment = "injected eval globals - WP related" },
		
			{ signature = [=[header[(]'Location: https://[^/]+/wp-content/plugins/]=], id = "d5457c82c496e29205069b06fa63a0a044a24ce0", comment = "Header redirect to WP plugin location" },
		
			{ signature = [=[[$][[:alpha:]][[:alnum:]_]*[[:blank:]]*[(][[:blank:]]*[[:alnum:]=+,.(/\\'"-]{1000}]=], id = "37cba995b7db50d92b04486f675a5dac0df95be5", comment = "obfuscated function calls" },
		
			{ signature = [=[^[$][[:alnum:]]{2,3} = [$][[:alnum:]]{2,3}[[:blank:]]*[(][[:blank:]]*['"]{2,3},[[:blank:]]*[$][[:alnum:]]{2,3}[(][[:blank:]]*[$][[:alnum:]]{2,3}[(][[:blank:]]*array[(][$][[:alnum:]]{2,3}[{][0-9]{1,2}[}],[[:blank:]]*['"][\\]n['"]]=], id = "d661743fbff3fbe14a841a68e4a5e96c8f2f1b87", comment = "FileMan" },
		
			{ signature = [=[[$][a-z0-9]{4,9}[[]['][[:alnum:]]{4,9}['][]][[][0-9]{1,2}[]]{2}as[$][a-z][a-z0-9]{3,8}=>[$][a-z]]=], id = "c29d93936567535a4c9e3a8a66544f838472c0c1", comment = "Obfuscated Base64 injection Shell" },
		
			{ signature = [=[[$][[:alnum:]]{2,3}\s[=]\s["][\\]x63[\\]x68[\\]x72["][;]\s[$][[:alnum:]]{2,3}\s[=]\s["][\\]x69[\\]x6e[\\]x74[\\]x76[\\]x61[\\]x6c["][;]]=], id = "54464e39aa332df6b41fed458772965fa3332721", comment = "Obfuscated Malvertising Pivot" },
		
			{ signature = [=[base64_decode[(][$]shellololol[)]{2}[;]]=], id = "92974cad1d8b48f15e5abfbbad2d5f840f824a26", comment = "Shellololol" },
		
			{ signature = [=[[$][A-Z][a-z_]{2,5}=@gzinflate[(]strrev[(][$][A-Z][a-z_]{2,5}[)]{2}[;]]=], id = "f86b8e1658b10dbeaaaa1a18e48e0fc5d3129467", comment = "Obfuscated Shell" },
		
			{ signature = [=[es_data[[:space:]]=[[:space:]]['][a-zA-Z0-9%+]{10000,}]=], id = "7be0826c2fa5dd6a39a0b0414d6ca40eb517089f", comment = "wp_kses_data Base64 Obfuscated Shell" },
		
			{ signature = [=[[$]strings2[(][$]gbz[.]]=], id = "3db616e22ee752e3179d68045148bea4a2732e36", comment = "rot13 base64 encoded shell" },
		
			{ signature = [=[$xred=base64_decode]=], id = "b2af13a3c163cbbd96874f78cf0afce01254836b", comment = "BlackHat SEO files" },
		
			{ signature = [=[curl_exec[(][$]_[0-9]{3,}[)];]=], id = "c6e762aa02fb719f5a4d1a9c9e3f6e821552af9c", comment = "Curl_EXEC on $_ var" },
		
			{ signature = [=[[<]?php[[:space:]]eval[(]gzuncompress[(]["]x]=], id = "3a0b037b2c288e28ed3038a2e582a5287e100bfa", comment = "Chinese PharmaHack Injector" },
		
			{ signature = [=[<[?]php.*if.*isset[(][$].*(REQUEST|COOKIE)([[]|"}[[])('|")[a-zA-Z]{3,6}.*exit;(}|\/)]=], id = "4d0ae6972d3dc3acea930d188d2ef0624e768c2f", comment = "1 line injector" },
		
			{ signature = [=[='str'.'_rot'.'1'.'3';]=], id = "02171ccf463a00a60a8c7fec2f4bee010129b308", comment = "ROT-13 obfuscation" },
		
			{ signature = [=[rename[(]['|"][a-z-]{3,10}.php.suspected]=], id = "a4946f236afcddb2416f581fb897234fe9a669a8", comment = ".suspected malware re-infector" },
		
			{ signature = [=[[$][a-z]{4,13}[ ]=[ ]stripslashes[(]base64_decode[(][$]_POST[[]'[a-z]{4,13}]=], id = "bc7b44fef9ed1f4d77d2106c4b8272fedc92fb24", comment = "Base64 Decoding" },
		
			{ signature = [=[<ti.*[Hh][Aa][Cc][Kk][Ee][Dd] [bB][Yy]]=], id = "b0de3ef9f4b1b74dcc222886491853249b087dd2", comment = "<title> Hacked By catch-all" },
		
			{ signature = [=[<ti.*[Mm][Aa][Ss][Ss] [Dd][Ee][Ff][Aa][Cc][Ee][Rr]]=], id = "b3b010c99f0bfe674b439ca1debe27382d91e625", comment = "Mass Defacer Title Tag" },
		
			{ signature = [=[[Ff]uck[Aa][Vv].ru]=], id = "2c7c308c198e8334294990e4e3c8be95ba582753", comment = "Fuckav.ru tag used in spam scripts" },
		
			{ signature = [=[ashes[(]base64_decode[(]base64_decode[(][$]_POST[[]'[A-Za-z0-9]+'[]][)]{3};]=], id = "81f34d17d20dd5071a976188a6f0c39d7f27df2f", comment = "StripSlashes Base64_decode 2x Var" },
		
			{ signature = [=[[$]arrMail = explode[(]"@",trim[(][$]email]=], id = "ce26c473b37a21e0e4b9063016bd0e4a93c858a0", comment = "Spanish veio Mailer Script" },
		
			{ signature = [=[Inbo[Xx] Mass Mailer]=], id = "f1c4ca2704f38bf8c7438ada5f77ac11a2627b75", comment = "Inbox Mass Mailer" },
		
			{ signature = [=[if\W{0,1}[(]isset\W{1,4}_R.*?[[]'[[:alpha:]]{3,5}'[]][)]{2}.*?{[$][[:alpha:]][\/|=]]=], id = "89af5c8f8633d85dff227e8d91888e3f5924d9d0", comment = "Obfuscated Assert Request Injections" },
		
			{ signature = [=[@require[(]'wp-admin\/[[:digit:]]{2,6}'[)]]=], id = "a27866574c9d175d5b74dc73e8bdf44510d3c3d0", comment = "require numerical adware from wp-admin dir" },
		
			{ signature = [=[{ return [$][a-z]{4,8} \^ str_repeat [(]]=], id = "da0edb3da187d1e8c71f1c8423eeba80a22705db", comment = "Obfuscated Backdoor Shell" },
		
			{ signature = [=[[(]isset[(][$]{"_[REQ]{1,3}["][.]["EQUST.]{9,16}[}][[][']]=], id = "9d8bb88bff6134aa9412dd287fa943efc8295214", comment = "Obfuscated _REQUEST" },
		
			{ signature = [=[^[$][a-z]{5,13} = stripslashes[(][$]_POST[[]'[a-z]{4,13}'[]][)];]=], id = "5ae0a4a2bf33f03d3470442d0ddc7970c325f77e", comment = "POST for mini shell" },
		
			{ signature = [=[@[$]\w{5,9}([(][$]\w{5,9})+[)]{4};]=], id = "5376279a4deae00eb7afafc89c3984e30c93ad05", comment = "Array that puts together obfuscated base64 variables" },
		
			{ signature = [=[[$]\w{7,10} = implode[(]"", [$]o[)];]=], id = "de4adbc095cf05f12242f6f3ce56a61cc01d76ed", comment = "Obfuscated Shell" },
		
			{ signature = [=[Antonkill</title>]=], id = "ee64f6b3bf9deddb83ae5fc373f443e661c83ce5", comment = "Antonkill Mailer & Defacements" },
		
			{ signature = [=[\$d$'',\s+\$f\(\s+\$s\(\s+"c",\s+"",\s+\$m$]=], id = "fcacfb71177208d1ae52d2e0afc441141c29a637", comment = "injected PHP SPAM" },
		
			{ signature = [=[strlen[(][$][a-z]{5,10}[)]{2}[;]exit[();}]{6}]=], id = "c81d023975a49fb4d4264badb60dc1f4f2fc5e5a", comment = "Obfuscated Shell strlen 5-10var then exit" },
		
			{ signature = [=[( for [(][$])(\w{5}) = 0[;] [$]\2 < strlen[(][$]\w{5}[)][;][)] [{]\1]=], id = "32d416ad42e9cceb2b8f0037578514f749f5cff7", comment = "obfuscated shell" },
		
			{ signature = [=[[(]'n('[.]')+o\1+i\1+t\1+c\1+n\1+u\1+f\1+_]=], id = "d34b36a3fd8164026e2aa19ecf476e4ac1768c19", comment = "obfuscated reverse create_function" },
		
			{ signature = [=[error_reporting[(]0[)]; [@eval(bs64_dco]{19}]=], id = "8c44e4ec499f3005ca17acad605b2354ff9099c0", comment = "error_reporting(0); eval(base64_decode variants" },
		
			{ signature = [=[[$][[:alnum:]]{2,3} = str_replace[(]"([[:alnum:]])", "", "(s|s\1|\1s)(t|t\1|\1t)(r\1|\1r|r)]=], id = "fa83518ac2756a21e4a1f2f1bac601089cb3f07b", comment = "Matches string replacements in $var = str_replace" },
		
			{ signature = [=[<[?]php\sgoto\s[[:alnum:]]{5}[;]]=], id = "2a47a34ea2fcc3f7dfabd3a971a4609038198cb9", comment = "obfuscated mini shell" },
		
			{ signature = [=[([$][a-z]{5,7}[[][0-9]{1,2}[]][.]){7,}]=], id = "81a0baea84ff031c2900551ba06e8046dfb0bad9", comment = "obfuscated shell with $xxxxx[10].$xxxxx[23] pattern" },
		
			{ signature = [=[[$][trs]{3,4} = @file_get_contents[(][$]text_file[)]]=], id = "d22b28f81b86546258733296b600502763e2a9c5", comment = "file_get_contents based backdoor loader commonly appended to bottom of theme/pulgin files" },
		
	}

local flat_signatures = {
		
			{ signature = [=[$dec = mcrypt_decrypt(MCRYPT_DES, substr($k, 0, $keysize), $enc, MCRYPT_MODE_CBC, $iv);]=], id = "29ab518a3634a6fd5d834270381d83f5867db91a", comment = "decryption portion of backdoor, rest is too generic" },
		
			{ signature = [=[if(mail($MailTo,$MessageSubject,$MessageBody,$MessageHeader))]=], id = "4a4f133b5ebfc9869dc704cbb91091fbf106e131", comment = "spammy php mailer" },
		
			{ signature = [=[7X1rcxs5kuBnd0T/B7ia3STHfMpv0ZQt62G7bUtqS7bbLSkYRVa]=], id = "dfeab70252f74e86aaf48d12609c70cd01af035d", comment = "encoded backdoor" },
		
			{ signature = [=[exit(eval(base64_decode(file_get_contents]=], id = "8b9f9ac969a1d377ffc87febf885272819cf59b1", comment = "eval base64 encoded stdin" },
		
			{ signature = [=[lbnRlcmVkW2ldID0gJ1wwJzsNCn0NCmlmICghc3RyY21wKGJhc2UsZW50ZXJlZCkpDQpyZXR1cm4gMDsNCn0]=], id = "2d743f3393470931c09b5f65a8251ee3f49eeafb", comment = "base64 C reverse shell" },
		
			{ signature = [=[uc97xyIkF3dXX1Xl1dizcsr7mTWXxdLnVP9o7f]=], id = "dfaa72696789b000c11ee8ecda29bb0d6a51c8fb", comment = "preg_replace backdoor" },
		
			{ signature = [=[f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAoIUECDQ]=], id = "0ce796f173f0494efd08b7b8750547faa46051ef", comment = "encoded backdoor" },
		
			{ signature = [=[Udp1-fsockopen Udp2 pfsockopen Tcp3 CC.center]=], id = "057165203b502f93b453e9f54c41ad38da1869cf", comment = "reverse shell indicator" },
		
			{ signature = [=[LyoNCiAqIE15U1FMIFdlYiBJbnRlcmZhY2Ug]=], id = "f49a01e00eb3cb4a57ed272e97295f2c2811d896", comment = "encoded backdoor" },
		
			{ signature = [=[if($_GET['code']){$code=hexToStr($_GET['code']);]=], id = "8174a6443f27e1a684a29870c3e7891b2fc8158d", comment = "simple php auth eval" },
		
			{ signature = [=[eval (gzinflate(base64_decode(str_rot13(]=], id = "91774ccf93a0b82334ffeeb0a64a101fbf1d5b6f", comment = "malicious obfuscation" },
		
			{ signature = [=[eval(gzinflate(str_rot13(base64_decode(]=], id = "637f6f0710ff55fd4998ec6421c29601436f4cd5", comment = "malicious obfuscation" },
		
			{ signature = [=[86a20c1b92a2d831b50ba9d62e18ed86]=], id = "4a8f151f10152bc4f30cc05344e239ec772eea9e", comment = "backdoor comment indicator" },
		
			{ signature = [=[function actionFilesMan()]=], id = "029c09184dff3269f865dc49e2818a3b03062f4f", comment = "common backdoor pattern" },
		
			{ signature = [=[back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj]=], id = "7b225a50994ce5da98e030279813543e31f61754", comment = "perl backdoor" },
		
			{ signature = [=[f2c4890bba2ca9344b100b86962825af]=], id = "961c64ca9dacfa79b41143f970ae68ca249ab023", comment = "backdoor auth credentials" },
		
			{ signature = [=[Hacker BoUnCeR's Private Mailer]=], id = "04ed8f337a29e353074769cac0a2e544d712a775", comment = "shell script indicator" },
		
			{ signature = [=[makemnfast.com]=], id = "d22a65f64264c97a51aa4ec2915f9dad2ab2a43a", comment = "Re-seed" },
		
			{ signature = [=[dXJsZW5jb2Rl]=], id = "540c74da7e28045b8f6a0e4cf1f5618be65ef58c", comment = "Backdoor Shell" },
		
			{ signature = [=[Y3VybF9pbml0]=], id = "1621c8dc3e56dd005c8d7057fadae8520d73dace", comment = "PharmaSpam Injector" },
		
			{ signature = [=[mail(stripslashes($YYKJKaSZ), stripslashes($hoWGI), stripslashes($pxxTkEDQO));]=], id = "e64fc9890931e5be4eb7ee7d966aa3ee813b0b2e", comment = "flat strings found in common mailer bots" },
		
			{ signature = [=[$result = mail(stripslashes($strr1), stripslashes($strr2), stripslashes($strr3));]=], id = "17e1b3fda09c7c262d1596bc199d638dd4f5f39e", comment = "calls to php's mail" },
		
			{ signature = [=[$words_idx=array_rand($words,rand($min,$max));]=], id = "385e84ad14b21861128c3e6a42de2bc5e7426c7a", comment = "Scripts generating spam for SEO" },
		
			{ signature = [=[if($password!="5fobohlovr6v")]=], id = "abe342cea5188f0dcf73737c4924496d65266f65", comment = "file dropper" },
		
			{ signature = [=[$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d); ?>]=], id = "68b025f273b51da1a8f11ea52c3700895d498697", comment = "obfuscated code" },
		
			{ signature = [=[global$auth;function sh_decrypt_phase($data,$key)]=], id = "f36fe60efbf3013b65c6dd68b73bd7bc3da7f554", comment = "obfuscated code" },
		
			{ signature = [=[RmlsZXNNYW4=]=], id = "d1c102c644d0aa845e2ef478493f8fc3fba3f9b8", comment = "filesman" },
		
			{ signature = [=[\x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73]=], id = "cdcf333032e7aecd199980897f1c93dddcedf9fa", comment = "hex encoded base64_decode, rot13, etc." },
		
			{ signature = [=[\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x5F\x50\x4F\x53\x54]=], id = "2a5cae7263c33bb093643a33ea02e9d98aaf11b8", comment = "hex encoded base64_decode, rot13, etc." },
		
			{ signature = [=[\x73\x74\x72\x5f\x72\x6f\x74\x31\x33]=], id = "e80635dc06aa165d30f4fa882c9763643a848717", comment = "hex encoded base64_decode, rot13, etc." },
		
			{ signature = [=[3Turr]=], id = "36d0064ac5c9b279a11bccfeb39efb2ccae968b5", comment = "php backdoors" },
		
			{ signature = [=[$pageparsemini=array_slice($pageparsemini, 0, 5);]=], id = "dfa0aa0c93e9f0a14f278a846a2a0254d0be0a49", comment = "SEO Spam" },
		
			{ signature = [=[a=314759&c=wl_con]=], id = "d64215d5d8e44247ee60d4f3d2c87faec62206d1", comment = "SPAM link bouncer" },
		
			{ signature = [=[move_uploaded_file/*;*/]=], id = "7665eba47ce4641abe6d678f16c69c2d2bdd1443", comment = "file dropper" },
		
			{ signature = [=[send(crazy, 0, $size, sockaddr_in($port, $iaddr));]=], id = "3ad79a33ccfdf3b6ef4b7922fea1960c40a164e6", comment = "perl flooding script" },
		
			{ signature = [=[Content-Length: 42\r\n]=], id = "ff101a89d1c42a2a497816f2807dd6d2b420f87e", comment = "slowloris scripts (content length 42)" },
		
			{ signature = [=[open(STDIN,">&SERVER");]=], id = "3688adb4868852d2a0895ad2b871d6e80fc86408", comment = "perl shell, redirect tcp to system" },
		
			{ signature = [=[<META HTTP-EQUIV=REFRESH CONTENT="0; URL=http://mysale.top">]=], id = "df8c8dfb60f253dd7ba1bc0f3c2acb1f0a5e9f19", comment = "spam redirect" },
		
			{ signature = [=[b374k]=], id = "7ffc8bd11adf336b6728efd37b50f8b723c83d14", comment = "string associated with known webshell" },
		
			{ signature = [=[$out .= "OtrasherDDoSTOOL";]=], id = "9f2a3f26397a22e3536cc5fd374adf8bb8dadd0b", comment = "ddos script" },
		
			{ signature = [=[socket_write($socket, "GET http://".$sds."/cpost.php HTTP/1.1\r\nHost: ".$host[0]."\r\nCookie: ".$data."\r\n\r\n");socket_close($socket);}die();}]=], id = "790081f4c93e73261f2b2031a446c3552ae2edfc", comment = "exploitkit related, backdoor dropper" },
		
			{ signature = [=[User-Agent: Internal Wordpress RPC connection]=], id = "d43132b224eb4fb946aaaa402c3c81772cb76fb5", comment = "fake WordPress User-Agent string" },
		
			{ signature = [=[GoTT Attacking]=], id = "f795aa36e7e72485357fc9125487a596a33256eb", comment = "python flooder" },
		
			{ signature = [=[D05TsM2Smfa5Gi5i]=], id = "e0b168da59b57edbc4048c0f02b12bdec84878f0", comment = "php shell related" },
		
			{ signature = [=['<h1>#p@$c@#</h1>';]=], id = "3db51a92fde48a8c47f9279e331bd33aac5feb58", comment = "flooder scripts or flooder frontends" },
		
			{ signature = [=[DDOS_MAX_EXECUTION_TIME]=], id = "79d5cd3ab3ad01b1044626cfbda4929ced2d32d3", comment = "flooder scripts or flooder frontends" },
		
			{ signature = [=[www.ZeroDayExile.com]=], id = "f6922d207476d5c3a02b390d37f12766a89785f9", comment = "flooder scripts or flooder frontends" },
		
			{ signature = [=[V.lenovoE125]=], id = "5660b7df4dfe0cfa483cf88628cef08609e941d7", comment = "obfuscated function call" },
		
			{ signature = [=[$wwwPath = realpath($shellDir]=], id = "9c9db349dfcc3752d25d824332b86e40893e838b", comment = "script for doing code injection" },
		
			{ signature = [=[$headers .= "X-Mailer: iGMail [www.ig.com.br]\n";]=], id = "5d3b2b9a0c99aadb1d7a9f146b5042f4613b250e", comment = "mailer" },
		
			{ signature = [=[window.location.href="http://www.slimmingmart.com/"]=], id = "63f205f62136ee2138b4dd3e80f6c603ecbf804a", comment = "javascript redirect, blackhatseo" },
		
			{ signature = [=[Script Upload By Osamaa kaboo]=], id = "5034baf16929b00903537c1b99fa6375fd12fbe5", comment = "file dropper" },
		
			{ signature = [=[<title>[S]uper[BAD] Mailer</title>]=], id = "1aecc546cc211ba6e6ee170a94685a7cddb44fd3", comment = "mailing script forms" },
		
			{ signature = [=[<title>Priv8 Mailer</title>]=], id = "9405b50bd87a61c71e643ecc514cebc6744090c0", comment = "mailing script forms" },
		
			{ signature = [=[<title>Spiral Mailer 2014</title>]=], id = "ea45994c48265069fe9dc50ee10f6a2ff0a2ec1d", comment = "mailing script forms" },
		
			{ signature = [=[<title>PHP Inbox Mailer Web</title>]=], id = "d685686898918546bfc47ceb177ce8bf86d7343c", comment = "mailing script forms" },
		
			{ signature = [=[echo "  SYN Flood]=], id = "e01219a6d4d41a5de9e6f50ce86fa8b6b13865b1", comment = "syn flooder script" },
		
			{ signature = [=[sprintf('!ev' . 'al(b' . 'ase' . '64' . '_' . 'de' . 'code' . ' ("%s"))']=], id = "4262bab8c4a1ae205fd1d087818b491e7b3f3138", comment = "clever eval" },
		
			{ signature = [=[edoced_46esab]=], id = "76233a4806d430b39acff7931b2a482ea5f5c52c", comment = "clever eval" },
		
			{ signature = [=[eval("?>".base64_decode("]=], id = "2adc9482267f39a479391bb0dc2b9d32d0de1f2c", comment = "mailers" },
		
			{ signature = [=[-Execute Rootshell.c]=], id = "86ed34f00c5f10f917cdfd3bd32a750f4d007c65", comment = "shells" },
		
			{ signature = [=[$g___g]=], id = "5b4ea07abd39b2a6902991a596bb4c2c72688ad4", comment = "web shells" },
		
			{ signature = [=[<title>:: www.islam-hack.com :: Coded By TaRik King & RiadSP ::</title>]=], id = "1ad2366b0c582a94f8e7bd49d286a637f934daca", comment = "Dropper/shell related" },
		
			{ signature = [=[you dont have SMTP login, leave blank queries above <b>&quot;</b></font></td>]=], id = "bb31ac72990069a32e0389441d4c3b37828ba053", comment = "spam scripts" },
		
			{ signature = [=[random_smtp_string=array]=], id = "32e7d608f20fe9265a5da1fe4d72080f3ccd95fb", comment = "spam scripts" },
		
			{ signature = [=[$url = "http://wordpresscore.com/plugins/cctm/update/" . $url;]=], id = "17fd935b520c5150be757e4d9ce82f3288dc8782", comment = "Custom Content Type Manager 0.9.8.8 backdoor" },
		
			{ signature = [=[$password=file_get_contents("http://wordpresscore.com/in/asd456.php");]=], id = "bd198fb4f02e7b0966b097a78489aca1df6165dc", comment = "Custom Content Type Manager 0.9.8.8 backdoor" },
		
			{ signature = [=[3xp1r3 Cyber Army</title>]=], id = "150d461aadba469220553724a2f9cf9414fb4bae", comment = "cPanel bruteforcing script" },
		
			{ signature = [=[Xtreme PuTTy powered]=], id = "faa1df3aa9955749d6493bb5db2df4c703edc2ec", comment = "flooder control script" },
		
			{ signature = [=[pack('H2CnnB16CCna4a4']=], id = "b85407bab2460ace73b122822839b68c1059a5fb", comment = "perl flooder script" },
		
			{ signature = [=[print('@Lord_Mo_Mo attacking:]=], id = "da71ee1b37854f681e791457c0a31743ade67f5e", comment = "python flooder script" },
		
			{ signature = [=[$_GET['wowex']=='activex7']=], id = "e1d54da28551303020c53a89c6ad5587f984ec80", comment = "php file dropper related" },
		
			{ signature = [=[$alqnasshell]=], id = "c24b6f33a0ab84562c0549dda066262bce93126a", comment = "php file dropper related" },
		
			{ signature = [=[if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {']=], id = "c644b025393c817d73a633662c38076487409436", comment = "angler exploit related" },
		
			{ signature = [=[if (($code = request_url_data($url)) AND base64_decode($code) AND preg_match(]=], id = "38af273cb3bd9bab40755da77bed530ac546dfbc", comment = "angler exploit related" },
		
			{ signature = [=[system("$currentCMD]=], id = "2ca8082fc068a6cea783a7617f7466ee41f6a1cd", comment = "shell exec script" },
		
			{ signature = [=[Completed with $packets (" . round(($packets*65)/1024, 2)]=], id = "6a96fa62dbef63e6c52a953322facd3752a104ca", comment = "php flooding script" },
		
			{ signature = [=[$mhost = 'http://www.Vel0zBR.xpg.com.br/Owner?';]=], id = "bdd81f4097f9847513beb09523a4cc1098c39e9e", comment = "PHP backdoor script, unique sentence" },
		
			{ signature = [=[<!-- PHP DOS]=], id = "2f5893ac1a1e59761bf32b9ea584d35ef74becad", comment = "PHP DoSing script interface" },
		
			{ signature = [=[Made by: DeltaForce101]=], id = "1163c38c43b5c85636ed71ada8d34de9e5cd245d", comment = "bash DoSing script" },
		
			{ signature = [=[Script is for DOS - USE WISELY]=], id = "72b2f7101dc9601a0604a21c8ea242a3d17818e5", comment = "python DoSing script" },
		
			{ signature = [=[Locus7s Modified c100 Shell]=], id = "a45e83412abe35ab39964535c97fe222999871a3", comment = "php script provides shell, file dropping, and others" },
		
			{ signature = [=[$cookiename = "wieeeee"]=], id = "a1773ad760f26d7def0fd790ff24edcfbd383555", comment = "php shells" },
		
			{ signature = [=[echo 'np9i8gkli';]=], id = "7452455e569025fc1955f0694c9602003929adce", comment = "WSO shell, fragment" },
		
			{ signature = [=[5pJQhrPh3XJCUOiaQCa6]=], id = "4b5bd2b330cebe24e0b656eaab336eeb5bcf9ae1", comment = "Test Zero Wordpress Redirect" },
		
			{ signature = [=[loadXMLDoc('?check=$plan&email=$mail&password=$pass&sock=$sock_use','result_$id')]=], id = "956ddd9398c89b99187d8945cb65dcfe9fb1a892", comment = "Credential testing program" },
		
			{ signature = [=[loadXMLDoc('?check=$plan&email=$mail&password=$pass&sock=$sock_use','result_$id')]=], id = "956ddd9398c89b99187d8945cb65dcfe9fb1a892", comment = "Credential testing program" },
		
			{ signature = [=[$dest = relative2absolute($_POST['destination'], $directory)]=], id = "d38badedc1828b896441e02cc7b2e6b7586be458", comment = "PHP backdoor script" },
		
			{ signature = [=[if yourafag.lower() == "y":]=], id = "60ab61eadeb1ab256f34b78519ba31b7b1cf6161", comment = "script used to facility backdoor building" },
		
			{ signature = [=[%76%61%72%20%6D%65%73%73%61%67%65%3D%22%43%4F%44%45%44%20%42%59%20%53%49%44%48%45%4C%20%43%48%4F%52%21%22%3B]=], id = "ca3a446a354bad987d1f10b96514d05d7c09bc3e", comment = "percent encoded defacement" },
		
			{ signature = [=[########## E C O S I S T E M A / S E C U R I T Y ##########]=], id = "395620cbe4739851ca32f6e8a912566633df4f2c", comment = "perl flooder" },
		
			{ signature = [=[priv8 fdp c passa pra frente t mato\n";]=], id = "f2efece8ea1332f8fb95922403f4c8c72a8bf525", comment = "old perl mailer" },
		
			{ signature = [=[<b>FALLAGA TEAM , TUNISIAN CYBER RESISTANCE]=], id = "d3bd7461bb42880fe4f03f84c4263649acfc2047", comment = "Fallaga Team defacement" },
		
			{ signature = [=[ <input type=submit value=Загрузить></form>]=], id = "f6adc33c8ac02b0f307349e4f0b4a38634bedc09", comment = "Russian file dropper" },
		
			{ signature = [=[function createCookie(_0xbb87x2,_0xbb87x3,_0xbb87x4){if(_0xbb87x4){var _0xbb87x5= new Date();_0xbb87x5]=], id = "c0031ca565f1534aed3421f6c4c237518c1fe5ea", comment = "Light Root mini shell" },
		
			{ signature = [=[<?php $xml='PGgyPg0KPGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyB0b3A6IDBweDsgbGVmdDogLTgwMDBweDsiPlRoZSBiZXN0IGJvb2ttYWtlciANC]=], id = "05c14e8d78feb6227565ef4a41f2ab665e1ce707", comment = "injected ads" },
		
			{ signature = [=[die("1425756856");]=], id = "f617c227d8d9f9121a1f809e7a086a7ef5957b03", comment = "zip_lib + filedropper" },
		
			{ signature = [=[flashvars="letter=We Hack To Protect Bangladesh."]=], id = "e4346f8845d78207e155253c5781718350d76a55", comment = "Frozen hacker team defacement" },
		
			{ signature = [=[if($_GET["login"]=="cmd"){if($_POST['pass']==''){echo('->|OK|-<');exit();}eval($_POST['pass']);exit();}]=], id = "87ca68ecd7c44ea92f03ea26fd50a0c65a556aef", comment = "PHP backdoor, global eval" },
		
			{ signature = [=[die("1425756856");]=], id = "f617c227d8d9f9121a1f809e7a086a7ef5957b03", comment = "file dropper" },
		
			{ signature = [=[</form>';if(isset($_POST['g'])){if(is_uploaded_file($_FILES['uf']]=], id = "f287d2aec754f2570b5046588b7a2e6cf9675bc8", comment = "file dropper" },
		
			{ signature = [=[echo $ok ? "SHELL_OK" : "SHELL_BAD";]=], id = "5360d0cbb882d881ebd02252a11c2248b6bd1a33", comment = "shell installer script related" },
		
			{ signature = [=[strripos(@sha1($shall)]=], id = "01558ac7b118a4d6d12e9dcddc29155067a950b9", comment = "partial shell" },
		
			{ signature = [=[str_rot13('fge_ebg13')]=], id = "3db8be10e70158a13fce873a4aaa6456be03285b", comment = "obfuscated backdoor, proxy, and more" },
		
			{ signature = [=[action="/FalabellaPeru/LoginPage.jsp" method="post"]=], id = "144c8965ef933e58d140f616f390dddd13a4208d", comment = "Bank phishing website" },
		
			{ signature = [=[include_once(sys_get_temp_dir()]=], id = "70e7cf8db03b658574e3bac7b92fff6bd8902fe1", comment = "require from temp directory" },
		
			{ signature = [=[echo "###UNPKEND###";]=], id = "9c1b8568a034d50e5e556279271f49b04cd564b1", comment = "russian/ukranian file dropper related" },
		
			{ signature = [=[<title>r00t@BLACK</title>]=], id = "a15471a6553247a539a327f9f534df4f6566916f", comment = "perl shell and file dropper FE" },
		
			{ signature = [=[<title>priv8 cgi shell</title>]=], id = "1289a79df5d67738d44409b287aa3fe34680326b", comment = "perl shell and file dropper FE" },
		
			{ signature = [=[theformhead = """<HTML><HEAD><TITLE>cgi-shell.py - a CGI by Fuzzyman</TITLE></HEAD>]=], id = "f1e291893c355062cd64438d6fe9dad74adeb264", comment = "python web shell" },
		
			{ signature = [=[http://businessdailygroup.com/?utm_source=]=], id = "dfab21cbba33d70d985de4c41b11841f97742a12", comment = "malicious URI redirection" },
		
			{ signature = [=[http://dailyfinancesnetwork.com/?from=1&ssl=2820814667851517&=f&my=65a42460]=], id = "238651ed6a08b134cc4498e665c8ffa715cb046c", comment = "malicious URI redirection" },
		
			{ signature = [=[open(STDERR, ">&SOCKET");]=], id = "5206cee523f1e232f80803b47c677db0ca943a07", comment = "perl shell" },
		
			{ signature = [=[$f = $_REQUEST['param1']; $p = array($_REQUEST['param2']); $pf = array_filter($p, $f);]=], id = "06969729fc0582261011af3b79b7cfc9e7224da6", comment = "eval globals" },
		
			{ signature = [=[$full_url = "http://$subdomain.$red_host/$fake_script?id=$enc_id";]=], id = "f6f17f3485d23a988ae01dec2664041bd1f566b2", comment = "malicious url redirector" },
		
			{ signature = [=[/* BUILT BY R3V3NG4NS]=], id = "f95f8fde0c4468d32602a333d79bb3c1e52bc50a", comment = "email phishing related" },
		
			{ signature = [=[^if[(]!empty[(][$]_COOKIE[[][^]]+[]][)][^{]+[{]if [(]!empty[(][$]_POST[[][^]]+[]][)] and ([$][[:alnum:]_]+)=@gzinflate[(]@base64_decode[(]@str_replace[(][^,]+,[^,]+,[^(]+[(][$]_POST[^{]+[{][^;]+;eval[(]\1]=], id = "0c42df941ec1134107a9435be69e48bd8d4a1dc8", comment = "simple shell" },
		
			{ signature = [=[#Owned by D4RK 4NG31.]=], id = "9472b45340e8a7d707740ae825f1db0a90a164f9", comment = "defacement by 4NG31" },
		
			{ signature = [=[print '\x1b[31mINFECTING:'+self.host+']=], id = "ee0b52823101052abea5ed32dbb827d703c4ceb8", comment = "b1nary's ssh bruteforcing script" },
		
			{ signature = [=['ev'.'al(bas'.'e6'.'4_deco'.'de(\\$_POST[\']=], id = "7e62196912e297e84344b6ef941798420370c744", comment = "eval globals" },
		
			{ signature = [=[<?eval($_POST[a]);?>)?>]=], id = "142a27f24c9fded299d5f56699fc20c78978f26c", comment = "eval globals" },
		
			{ signature = [=[sleep(1) while(<$socket>);]=], id = "7b909ce01aa0cbb9c1d9e18f4c3acfd9f461d3c6", comment = "dos remote by exhaustion" },
		
			{ signature = [=[<?php if(md5($_GET["ms-load"])=="]=], id = "9cade877ab91244eeed37dff3d4e839c862b38c7", comment = "generic file dropper" },
		
			{ signature = [=[<meta http-equiv="refresh" content="1;URL=http://lonely-affair.pro"/>]=], id = "336cd8da179957ecad1b0a968c613af8cd2b7b3c", comment = "blackhatseo redirection" },
		
			{ signature = [=[<meta http-equiv="refresh" content="1;URL=http://royal-night.pro"/>]=], id = "6943205f52f407831291d64f5266819552bb8063", comment = "blackhatseo redirection" },
		
			{ signature = [=[7feea3bc0897cda1d093d727a530935f]=], id = "e1a3250b72ce758d48431d237596db77f6f184a9", comment = "backdoor shell" },
		
			{ signature = [=[JGFyclswXT0iQ2lSaGRYU]=], id = "46a0fc7d369f5fcb4ff5736b2e37c236c8b3662c", comment = "backdoor shell" },
		
			{ signature = [=[IGVycm9yX3JlcG9ydGluZygwKTs]=], id = "0e2cac5b141c15b3c879209c5decef488e4b5320", comment = "backdoor shell" },
		
			{ signature = [=[\$_POST\['massdefacedir'\]]=], id = "9c6ef2def8d4e0574c3caa46b733257010fdaebe", comment = "mass defacer" },
		
			{ signature = [=[add_object_page("UBH"]=], id = "fcb5e3e18340dd651a4145f6e734a247a8c0ea9c", comment = "UBH Plugin Shell" },
		
			{ signature = [=[{move_uploaded_file($_FILES['F1l3']]=], id = "62cdae9914cc49a2416b38ef3420ca121cd75806", comment = "F1l3 shell" },
		
			{ signature = [=[/js/jquery.min.php' + '?key=]=], id = "3c239ed25b133924c960c81090214e230f6931c7", comment = "Malicious JS include - Fake jQuery" },
		
			{ signature = [=[echo 'DarkCrewFriends';]=], id = "880c58752ab07c92ce0fd641599ea16caa2a9be2", comment = "DarkCrewFriends Shell" },
		
			{ signature = [=[protection="1af98609adf796b21c9fc735e31c57b7"]=], id = "539adb103e5cf9cb7264d0ad58457f89342461ef", comment = "Sandy Shell/Mailer" },
		
			{ signature = [=[ba\163\1456\x34\x5f\144\145]=], id = "64abf75a138d06dbc86add472a65e2157b3230fd", comment = "Mailer Shell" },
		
			{ signature = [=[="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65"]=], id = "0125629717e66379d70b1d25c17359c96a8caad9", comment = "Base64 in hex" },
		
			{ signature = [=[value=\"chmod\">Chmod</option>]=], id = "65c91e594986ea1b2a42aa34e484e08546a004f5", comment = "Shell Chmod Code" },
		
			{ signature = [=[mode=port_scan]=], id = "396cd10516b52c99385a3120e4f8863d00c129d8", comment = "Dark Shell" },
		
			{ signature = [=[gzinflate(@base64_decode(@str_replace]=], id = "91021c8bc64b20576febce855053b7a2afef4d0b", comment = "gzinflate base64 str_replace chain" },
		
			{ signature = [=[flashvars="letter=SECURITY Is Just An ILLUSION">]=], id = "da2963769c553b3240fbac0b6d166d58305c7ee4", comment = "BLOODSEC Defacement" },
		
			{ signature = [=[Exploiter By Maronox]=], id = "6938f09ee36db0f677548b66795e7deb54145e5c", comment = "Exploiter By Maronox" },
		
			{ signature = [=[Creates common globals for the rest of Site]=], id = "e34c801461eddf8d921636ac84dc3a5a3c939f78", comment = "PharmaHack Injector" },
		
			{ signature = [=[meigao2016]=], id = "d655d084586ce1c9ae034d1b557a7d17d3370961", comment = "meigao2016 shell" },
		
			{ signature = [=[this-is-the-test-of-door]=], id = "2a91dd128d1dbb9d4ed11d6bde31068864eaac5a", comment = "backdoor shell/injector" },
		
			{ signature = [=[$wp_blog_content_ ]=], id = "4a1d8da639bf3848eb3f6d49a554cc6fad4d6d31", comment = "ReInfects PharmaSpam" },
		
			{ signature = [=[WSO_VERSION]=], id = "ee161d0e35d73a7ecc505f7867241538291fec25", comment = "WSO SHELL" },
		
			{ signature = [=[$wp_xmlrpc_ =]=], id = "91fe29362472ece5d0172dcbc26c3ac8b79ff940", comment = "ReInfects PharmaSpam" },
		
			{ signature = [=[$xsser=base64_decode($_POST]=], id = "ca60e4f440ac23a4374b3e27207e448d0b84ea97", comment = "XSSer Var Base64 decoder/injector" },
		
			{ signature = [=[fopen("temp1-1.php","w"]=], id = "882277cf7647768c637e7ebddf1d2f2aa37d5ef3", comment = "Public Shell Version 2.0" },
		
			{ signature = [=[yumingid=]=], id = "19a0d6d329acf39faa86d632c3a57164db3950de", comment = "BlackHat SEO Content Gen/Redirect" },
		
			{ signature = [=[<title>Hacked By]=], id = "97903a6807f8fc74e905c0a227a474c5aacb3a8c", comment = "Hacked By HTML title" },
		
			{ signature = [=[filesize("wp-login.php"]=], id = "7102503f37654c642d2187ea05c17a291c740465", comment = "Backdoor Shell" },
		
			{ signature = [=[wt8m4;6eb39fxl*s5]=], id = "2c48c41f90ceec0b58987aa42045a4d4a2288c36", comment = "Alphabit used in series of Backdoor Shells" },
		
			{ signature = [=[$shell_fake_name]=], id = "62ebb210c5efed2d4a9738a421963574739f66d2", comment = "shell_fake_name var" },
		
			{ signature = [=[eval(gzinflate(base64_decode(rawurldecode(]=], id = "7017f77d04e4ef2ade297296e954167084904058", comment = "Eval Gzinflate Base64_decode rawurldecode nest used in shells" },
		
			{ signature = [=[{ eval(gzinflate(base64_decode('pZ]=], id = "e7f2801f9aeebab45a8ab8aca0590c3de3c23eff", comment = "Eval Gzinflate Base64_decode used in backdoor shells" },
		
			{ signature = [=[eval(gzuncompress(base64_decode('eN]=], id = "ec8ee119e6f70059c52a52f756062bbdd200cd03", comment = "Eval Gzuncompress Base64_decode En used in backdoor shells" },
		
			{ signature = [=[ZGllKGluY2x1ZGVfb25jZSAkaW4pOw==]=], id = "84052d87266999d9539c96c7608dff6d52695d3b", comment = "Base64 code used in mailer" },
		
			{ signature = [=[eval(base64_decode("ZXJyb3Jfcm]=], id = "05378257b1c728ba0d819ddc55af8e8d444a829b", comment = "Base64 code in PharmaSpam Redirect" },
		
			{ signature = [=[aWYgKCFpc3NldCgkX1BPU1]=], id = "bc4490f3b788c00980b7aee9bdb4294acff4b62e", comment = "Base64 common eval" },
		
			{ signature = [=['base'.(128/2).'_de']=], id = "f963f406655730fedad787eb218bde0d2436a0e8", comment = "Base64/2 Decoding" },
		
			{ signature = [=[hexToStr($_POST['code']);@eval($code)]=], id = "6d38343474bf7f76778f0366f84c6e4ad64cef1f", comment = "hexToStr and eval of code" },
		
			{ signature = [=[.substr(md5(strrev]=], id = "7e192901527353d753a4f750897e4af1649d1506", comment = "Substr(md5(strrev" },
		
			{ signature = [=[foreach(str_split(base64_url_decode]=], id = "4269093349352b660955154e27d2590599ccb621", comment = "foreach str_split base64_url_decode" },
		
			{ signature = [=[.$base64attach.]=], id = "bdeb87b33a5612347ada059a81e172c1cfb33513", comment = "Mailer Script" },
		
			{ signature = [=[?>this ok sentance]=], id = "53682acd27518d17e423cfac2828ee63b1183950", comment = "Generic Upload - this ok sentance" },
		
			{ signature = [=[\142\141\163\145\066\064\137]=], id = "42cc03a24523e09650922e8a23c581d7c06aee1c", comment = "Base64_ Oct" },
		
			{ signature = [=[BruteEngine()]=], id = "feeab7ecef84ec2a28112084f691f8a9213ed2f9", comment = "Brute Forcer from fuckav.ru" },
		
			{ signature = [=[if($vas){echo 'lessloss';}]=], id = "f50108bc228bb1c683127c6911117d01424d4e77", comment = "Malicious Mailer Script" },
		
			{ signature = [=[$_GET['mod']=='00X'){$g_sch=file_get_c]=], id = "e7fe3958cb7e9342750ad081161fe401faa069e1", comment = "SEO SPAM redirect" },
		
			{ signature = [=[fclose($outht);]=], id = "390fde8b33e3baf48b9aefff35484425d0d84433", comment = "SEO SPAM injector" },
		
			{ signature = [=[<div id="ddos">]=], id = "7270bac137e5f7d9d127ca0f86f48f1ebf0fa03b", comment = "UDP DDOS script" },
		
			{ signature = [=[$subject = $_POST['assunto']]=], id = "75e00ac024b7643ccaf1fb45fee8b238ff985af1", comment = "Portuguese Spammer Script" },
		
			{ signature = [=[/* WSO [2.6]]=], id = "3b9edeb4d397234640c683c03a1273b79e54ee39", comment = "WSO Shell 2.6" },
		
			{ signature = [=["ev"."al(']=], id = "7c5dc84f57b6195ff1e341cc71555a85ddc2c3d7", comment = "obfuscated eval" },
		
			{ signature = [=[private $shellManager;]=], id = "f8f80a72720f4ff440dc8bd929eedc2005b828ca", comment = "Banana Shell / AlexusMailer" },
		
			{ signature = [=[RooT HaXor xD]=], id = "85d6ff30ac674e776778a909a7af167acc67e944", comment = "Root HaXor mailer" },
		
			{ signature = [=[May Hack The Server');]=], id = "767b5a22672f4f7ff5a610d37940baeac7b9cedd", comment = "mailer inbox" },
		
			{ signature = [=[Do BRUTE-FORCE ATACK]=], id = "601b5431c5409eba0abf931a01742ccbc35f01ff", comment = "Romanian E-mail Auth Brute Forcer" },
		
			{ signature = [=[x=shell_url]=], id = "9a008c2e81d0397569e3fd142105ed5fb6c035f8", comment = "Spammer Script" },
		
			{ signature = [=[GIF89a?lovealihack]=], id = "82d1c90869e21d7dc33128814ce29238b738f70b", comment = "lovealihack shell" },
		
			{ signature = [=[$xred=base64_decode]=], id = "b2af13a3c163cbbd96874f78cf0afce01254836b", comment = "pharmaspam loader" },
		
			{ signature = [=[?utf-8?B?'.base64_encode(randText())]=], id = "d275ae6b5d2c9611b08ba0ab816ce33b4553f4dd", comment = "Spammer Script" },
		
			{ signature = [=[/POWER-BY WWW.XXDDOS.COM]=], id = "352810c5e254875564a5ee76c254bfa64976e0b4", comment = "CN DDOS Tool" },
		
			{ signature = [=['b'.'as'.'e6'.'4_'.'en'.]=], id = "59614d7066d115130d15c69d991b11c33bfd99ff", comment = "Obfuscated Base64 Encode" },
		
			{ signature = [=[$testa = $_POST['veio'];]=], id = "8e52a7028ab6cb525ad6e1587cb3571aaec75a7c", comment = "Brazilian Spammer Script" },
		
			{ signature = [=[spamer v0.]=], id = "fac15bb79c31857a72ea34f9588682153e583025", comment = "Hecker Spamer Script" },
		
			{ signature = [=[style.cssKO,]=], id = "c9f99bf22e76215854955be851a6469b70d4b962", comment = "herewgo.php malware" },
		
			{ signature = [=[pack_sockaddr_in($pport,]=], id = "e49ead2147f4a192e808ab937093e4b5fdf474c0", comment = "Perl UDP Flood script" },
		
			{ signature = [=[iisitiir_ireipliaicie]=], id = "799fd2fde7c75114d845ad4dbc45fa05ce81abf3", comment = "obfuscated str_replace" },
		
			{ signature = [=[Do BRUTE-FORCE ATACK]=], id = "601b5431c5409eba0abf931a01742ccbc35f01ff", comment = "pop3 brute forcer" },
		
			{ signature = [=[ibiaisie6i4i_dieicoide]=], id = "c0f407b2319c28102c592167b2ff83bd893ff794", comment = "Obfuscated base64" },
		
			{ signature = [=[.substr($wp_file_descriptions]=], id = "79222dcb47e971247a7e186b1fc930fd32aa3e60", comment = "WSO Shell" },
		
			{ signature = [=[($_POST[xo]);?>]=], id = "6bb9cdcb046cf289adedbc39dea99323524000bd", comment = "mini shell" },
		
			{ signature = [=[*::::::-]=], id = "19a47c8a652d6f3a846f49c68ffb7b496201bc30", comment = "packed PHP malware" },
		
			{ signature = [=[key_that_script_is_crypted]=], id = "22c540da5464fbe9601ba23bfddaccb39b54fc79", comment = "script_is_crypted PHP malware" },
		
			{ signature = [=[base64_decode($_POST["chk"]))));exit]=], id = "a535220032280084c97a9610c05088cdf69270f2", comment = "Small Backdoor shell based upon chk POST" },
		
			{ signature = [=[@include "\057ho]=], id = "1450a8fddd9f5c19f61878015b4d854558520845", comment = "obfuscated /home/ include call" },
		
			{ signature = [=[@include "\057h\157m]=], id = "eefd9feeb2d7cd7a27f1b9185fa19dc505d21082", comment = "obfuscated /home/ include call" },
		
			{ signature = [=["\x47\x4c\x4f\x42\x41\x4c\x53"}]=], id = "147782ece8213c79f68cfbddaa139776a5a7a515", comment = "hex obfuscated GLOBALS" },
		
			{ signature = [=[(str_rot13(gzinflate(str_rot13(base64_decode]=], id = "db5969357e4a5dc2568ca18d8918a2494c6e795c", comment = "rot13->gzinf->rot13->base64" },
		
			{ signature = [=[YXNzZXI=']=], id = "7c537e751852e53f86147d1f2aaaab60af77d56d", comment = "Base64 asser" },
		
			{ signature = [=[ZXZhbCAoZ3ppbmZsYXRlKGJhc2U2NF9kZWNvZGU]=], id = "1495128e4d0cfe12e1f729bc2ee68dce8124add0", comment = "Base64 eval (gzinflate(base64_decode" },
		
			{ signature = [=[>>debbug.txt]=], id = "155a47f4a82a6766d872f6031eafcda86b91cb50", comment = ">>debbug.txt" },
		
			{ signature = [=[cookie|clickund_expert]=], id = "e268f3efa17c9ce1183e654ed2e01a8bae74e579", comment = "WP Malicious Plug-ins - pop up ads - clickund_expert" },
		
			{ signature = [=[|var|return||fn|jQuery|is||]=], id = "a5a21bc0ba04185a127c805c4599921949ff2d8e", comment = "Obfuscated javascript pattern" },
		
			{ signature = [=[ass"."ert"]=], id = "797102177ed122307cc6092250383b895c1fa50f", comment = "Obfuscatation of assert in simple shells" },
		
			{ signature = [=[ath=/";window.open('http://www.baidu.com/link]=], id = "66f0871cc257ff598fa61051ae0a46f6db214625", comment = "Javascript redirects to baidu in hidden window" },
		
			{ signature = [=[32ea1d73793d5a216770b3430665c026]=], id = "25562088ece4a7d69c3440590b5a15f9f45ed204", comment = "Hashed PW to common shell" },
		
			{ signature = [=[time() - 105211600;]=], id = "4e11ffd4a0fd03b6ff10dbf3591d356baef42299", comment = "setting timestamp on files to 45 days prior" },
		
			{ signature = [=[,"\x72\x65tu\x72\x6e\x20\x65\x76\x61l(\x24]=], id = "2ca49439a2d2cde9d8f31329aa2df1302ca4a951", comment = "Encoded return eval($" },
		
			{ signature = [=[<title>Priv8 Mailer]=], id = "d6e4485e5c5097fee3acee8648338cfe8d90e4cf", comment = "Priv8 Mailer" },
		
			{ signature = [=[extract($_REQUEST) &&]=], id = "46c68ea42f2cfe1d5f3bc08b7cb139bb0c1370ea", comment = "extract request used in simple shells" },
		
			{ signature = [=[$_POST['czea'];]=], id = "e5e4bb0d07543853a1d22bea2e41ddff3b1594b5", comment = "POST param in simple spam script" },
		
			{ signature = [=[la\x74e\x28\x62"]=], id = "4aa4e808a74eefddbceccda9d49b9eef72371f08", comment = "Obfuscated FilesMan Shell" },
		
			{ signature = [=[@eval(gzinflate(base64_decode($code)));]=], id = "45e88cccb86700b2ccc88a944729a9c384d71c1d", comment = "eval gzinflate base64_decode of $code" },
		
			{ signature = [=[echo 'SendsGood';]=], id = "d602e3a8494a258d1e65b7ce0bcfa1b13ca58aed", comment = "Spammer wrapper for phpmailer" },
		
			{ signature = [=[_COOKIE["pizda"]);]=], id = "842b1afab29da68c83f55e702153b5455f52c070", comment = "Injected cookie request" },
		
			{ signature = [=[phpinfo();die;}}}]=], id = "e81ac87587a893cc2f31065551e26a2325cc756b", comment = "phpinfo request in Joomla exploit" },
		
			{ signature = [=[HBN=basename]=], id = "471fa0123f5a2ff4e87f54ad2da4fbfc8d4ec7bd", comment = "Mayhem Malware" },
		
			{ signature = [=[$bjqnt = mail($ndqrk]=], id = "5b6e02dd33b6d7570533745484de8dd58702582b", comment = "Base64 Webshell" },
		
			{ signature = [=[x2F\x3F\x6B\x65\x79\x3D]=], id = "01863e6aaddea9f857eef0474f60e0b6adf2f29e", comment = "/?key= hex encoded in JS malware" },
		
			{ signature = [=["algo": "cryptonight",]=], id = "08dfdaee68436c7c7a7aedbe118a01cf375546a7", comment = "xmrig cryptominer config" },
		
			{ signature = [=[.="\164\x65";]=], id = "4336f171da3040d54f9bad61033817fa337f705d", comment = "encoded de in end of obfuscated shell" },
		
			{ signature = [=[Mr Secretz Shell<]=], id = "cd8de5b98216bb9f68282fbafa7614a937b461c9", comment = "Mr Secretz Shell<" },
		
			{ signature = [=[tcget($url,$proxy=]=], id = "eac5b4d941057345298853691ee955c6cfddd0ee", comment = "Injected Proxy" },
		
			{ signature = [=[$email_polucha,$tema_pisma]=], id = "bd151799179da467f337c10fad2f47fea294947e", comment = "Spanish Mailing Script" },
		
			{ signature = [=[en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6\r\n]=], id = "c28164bdef36999f8041431d916f6bf413ad9499", comment = "UA used in spam script" },
		
			{ signature = [=['7X1re9s2z]=], id = "a2b1eb025422d4d6eb116e5717b026ee694b2449", comment = "obfuscated filesman" },
		
			{ signature = [=[f152ff3d0236535f1a5feb9272731e47]=], id = "b40c7ad5a30648e778530e6f67faaf49ed895534", comment = "obfuscated shell" },
		
			{ signature = [=[WebShellOrb]=], id = "22564ab1e347686d6e53340ce49757dbe2b82bf4", comment = "WebShellOrb" },
		
			{ signature = [=[Ci9PSpH'.split]=], id = "cbcdce9af44e7d83af031bb823f19fef081d4ac9", comment = "Footer injected JS adware" },
		
			{ signature = [=[("".chr(41),"".chr(41)."".chr(41),"\x3b")]=], id = "e885fe44d8d866bb8814486de4dea68d11614f9c", comment = "wp-reset-xxxxx.php wp-register-xxxxx.php" },
		
			{ signature = [=[Xh33l Backdoor]=], id = "09145e93167f6722eede41a8472ac91e09938c36", comment = "Xh33l Backdoor" },
		
			{ signature = [=[PWJhc2U2NF9kZWNvZGUo]=], id = "45f285cd4e7f70e1bde933402fd2e32f85f09aa1", comment = "Base64 of =base64_decode(" },
		
			{ signature = [=[echo '<a href='.$file.]=], id = "87f7ca95775140408edf9a365897564849a25bff", comment = "echo of uploaded file from simple shell" },
		
			{ signature = [=[chr(hexdec($func_string]=], id = "9d4c944e0ec31c19fc3b6fb3f0f1d1771deb46a6", comment = "chr(hexdec($func_string" },
		
			{ signature = [=[base64_decode($_POST['nrsf']]=], id = "8497770dbf05838475bb4fa2b141d2bef5288d00", comment = "Base64_Decode POST" },
		
			{ signature = [=[echo 'O1024K';]=], id = "67fda4cad29840781a581634a4a7b8e5af93c87b", comment = "Mr Secretz Shell" },
		
			{ signature = [=[$tfn=tempnam("/tmp",]=], id = "9c2fd70fa08dfc55114e774202ef83e325d7ee38", comment = "tempnam("/tmp"," },
		
			{ signature = [=[function BASE64_DEC0DE]=], id = "1bfbbe7c5430a306949850a0c7f989cc7d5ab1b7", comment = "function BASE64_DEC0DE" },
		
			{ signature = [=[PHP_VERSION < "\x35"]=], id = "ff807af694a3b97c696ec565b068f1dd51037860", comment = "PHP_VERSION < "\x35"" },
		
			{ signature = [=[\145\x4e\x6f\61\x76\145\x65\171\x71]=], id = "9624945a7811cfde00e44c0a69e51db738703325", comment = "\145\x4e\x6f\61\x76\145\x65\171\x71" },
		
			{ signature = [=[* @package api key]=], id = "6620a96548aaee6fcdeb90ef53010675e9aa323b", comment = "Fake WP Plug-In api key" },
		
			{ signature = [=[eval('?>'.$a);]=], id = "c7fa4df3e0e61a02f18aec0fddabb963d7bce9f7", comment = "Eval of simple data from paste source" },
		
			{ signature = [=[x=shell\]=], id = "6bd0bfd480f72d7052567d818f799f1d5a6caa90", comment = "x=shell" },
		
			{ signature = [=[require_once('407.php');]=], id = "0c2d46e747de2d9f6d2ebdb6a24f55bdb661931f", comment = "require_once 407.php" },
		
			{ signature = [=['n'.'f'.'f'.'r'.'e'.'g']=], id = "84cdada0eed27ee9bce0fcc8877da6b5f56c9643", comment = "rot13 assert" },
		
			{ signature = [=["\x7a\x69\x6e\x66".chr(108).]=], id = "715919ee3f512ec537277c420b97f257b3c95cbf", comment = "Obfuscated WP Attack File" },
		
			{ signature = [=[=connect_using_parse_config($]=], id = "7414c4d16c23a1dbf8af71393f42724dcf80672c", comment = "wp-main.php malware" },
		
			{ signature = [=[QGV2YWwoJF9QT1NUWydwYXNzJ10pOz8]=], id = "88120463ae907eee3ce8611c70127eeb27bcac35", comment = "base64: @eval($_POST" },
		
			{ signature = [=[AtOPvMzpDosdPDlkm3ZmPzxoP]=], id = "dffcb80e7c6710127a75632ec40c47a56f877e12", comment = "$keywordsRegex string in WP attack file" },
		
			{ signature = [=[3x-Fucker-v]=], id = "8b65326020e8c6906d9b9e89ca7b89ae3af533e7", comment = "3x-Fucker toolkit https://github.com/3xPr1nc3/3x-fucker-v0.2" },
		
			{ signature = [=[7374725f7265706c616365]=], id = "bf2097219b45cfcf2b1392c5632039132e56322d", comment = "Ninja Shell" },
		
			{ signature = [=[Mini Shell By Black_Shadow]=], id = "be53412c87b5c7d30806523dafe20a425e9f8065", comment = "Mini Shell By Black_Shadow" },
		
			{ signature = [=[eval\(htmlspecialchars_decode\(gzinflate\(base64_decode]=], id = "3408419280216f28e900b025ff83b8506f5d77ba", comment = "eval htmlspecialchars_decode gzinflate base64_decode" },
		
			{ signature = [=[JFVlWHBsb2lUID0g]=], id = "88fb168f718b7e11ded442d2a519533797259b9f", comment = "$UeXploiT in base64" },
		
			{ signature = [=[Ganti Nama Berhasil]=], id = "38ee8beebe6936b85f7b6015bd97da388b007c31", comment = "w42001 Shell Ganti Nama Berhasil" },
		
			{ signature = [=[<spam style=]=], id = "3ada7ab2279d277829de46494add18a6e61bd7a1", comment = "<spam style=" },
		
			{ signature = [=[Coded By Spiner]=], id = "b9fa2df3a09605995e22d81d9e92c616d18e2819", comment = "Coded By Spiner" },
		
			{ signature = [=[PHP Encode v1.0 by zeura.com]=], id = "fdd9ca825f4a405caa6f0ec9fa53b723b4babbda", comment = "PHP Encode v1.0 by zeura.com" },
		
			{ signature = [=[function featureShell($cmd, $cwd)]=], id = "41c57ddd305edf3ee9c0f80baa937adb7a6a1374", comment = "p0wny-shell" },
		
			{ signature = [=[{if(@copy($_FILES["]=], id = "eb047fb54440ce9a81240f22b364033eca9c71f5", comment = "obfuscated shell" },
		
			{ signature = [=[base64_" . "decode";]=], id = "24c4f99f86fa1ce68171edf044b77123248731e0", comment = "obfuscated incantation of base64_decode" },
		
			{ signature = [=[exec("getconf LONG_BIT")]=], id = "d90166f4114e7a62cf32782694c99a45dae1114f", comment = "exec( getconf LONG_BIT )" },
		
	}

data = f:read("*all")
	f:close()

rex = require("rex_posix")
	require("alarm")

local start, fin

local str_find = string.find
	local rex_find = rex.find

local search_sig = function()
		for _, signature in ipairs(regex_signatures) do
			local sig = signature.signature

start, fin = rex_find(data, sig, 1, COMPILE_FLAGS)

if (start) then
				m.setvar("TX.sig_id", signature.id)
				m.setvar("TX.filename", filename)
				m.setvar("TX.sig_comment", signature.comment)
				ret = string.format("s:%d f:%d", start, fin)
				return
			end
		end

for _, signature in ipairs(flat_signatures) do
			local sig = signature.signature

start, fin = str_find(data, sig, 1, true)

-- throw an exception after one second
	alarm(1, function() error("timed out while examining file upload") end)

-- grab a nanosecond-precision timestamp via FFI for time tracking
	local ffi = require "ffi"
	ffi.cdef[[
		typedef long time_t;

typedef struct timeval {
			time_t tv_sec;
			time_t tv_usec;
		} timeval;

int gettimeofday(struct timeval *t, void *tzp);
	]]

local time_struct  = ffi.new("timeval")
	local gettimeofday = function()
		ffi.C.gettimeofday(time_struct, nil)
		return tonumber(time_struct.tv_sec) * 1000000 + tonumber(time_struct.tv_usec)
	end

local start = gettimeofday()

-- do our search
	-- the error thrown by alarm above will be caught by pcall()
	-- when that happens we log the error and will break out of the logic in search_sig
	local res, err = pcall(search_sig)
	if not res then
		m.setvar("TX.upload_alarm", 1)
	end

local runtime = gettimeofday() - start
	m.setvar("TX.sig_runtime", runtime)

-- cancel the pending alarm
	alarm()

return ret
end