<?php/********************** author Spider Online published a variety of PHP backdoor annihilated for some special deformed back door need to add characteristics of the false alarm rate less than 1% **********************/ Error_reporting (E_error); Ini_set (' Max_execution_time ', 20000); Ini_set (' Memory_limit ', ' 512M '); Header (" content-type:text/html; charset=gb2312 "); $matches = Array ('/function\_exists\s*\ (\s*[\ ' |\"] (popen|exec|proc\_open|system|passthru) +[\ ' |\ "]\s*\)/I ', '/(Exec|shell\_exec|system|passthru) +\s*\ (\s*\$\_ (\w+) \[(. *) \]\s*\)/I ', '/((UDP|TCP) \:\/\/(. *) \; ) +/i ', '/preg\_replace\s*\ ((. *) \/e (. *) \,\s*\$\_ (. *) \, (. *) \)/I ', '/preg\_replace\s*\ ((. *) \ (base64\_decode\ (\$ /I ', '/(eval|assert|include|require|include\_once|require\_once) +\s*\ (\s* (Base64\_decode|str\_rot13|gz (\w+) | File\_ (\w+) \_contents| (. *) php\:\/\/input) +/i ', '/(Eval|assert|include|require|include\_once|require\_once|array\_map|array\_walk) +\s* \ (\s*\$\_ (get| Post| Request| cookie| server| SESSION) +\[(. *) \]\s*\)/I ', '/eval\s*\ (\s*\ (\s*\$\$ (\w+)/I ', '/(include|require|include\_once|require\_once) +\s*\ (\s*[\ ' |\ "] (\w+) \. ( JPG|GIF|ICO|BMP|PNG|TXT|ZIP|RAR|HTM|CSS|JS) +[\ ' |\ "]\s*\)/I ', '/\$\_ (\w+) (. *) (eval|assert|include|require| include\_once|require\_once) +\s*\ (\s*\$ (\w+) \s*\)/I ', '/\ (\s*\$\_files\[(. *) \]\[(. *) \]\s*\,\s*\$\_ (GET| Post| Request| FILES) +\[(. *) \]\[(. *) \]\s*\)/I ', '/(fopen|fwrite|fputs|file\_put\_contents) +\s*\ ((. *) \$\_ (get| Post| Request| cookie| SERVER) +\[(. *) \] (. *) \)/I ', '/echo\s*curl\_exec\s*\ (\s*\$ (\w+) \s*\)/I ', '/new com\s*\ (\s*[\ ' |\ ']shell (. *) [\ ' | \ "]\s*\)/I ', '/\$ (. *) \s*\ ((. *) \/e (. *) \,\s*\$\_ (. *) \, (. *) \)/I ', '/\$\_\= (. *) \$\_/i ', '/\$\_ (get| Post| Request| cookie| SERVER) +\[(. *) \]\ (\s*\$ (. *) \)/I ', '/\$ (\w+) \s*\ (\s*\$\_ (get| Post| Request| cookie| SERVER) +\[(. *) \]\s*\)/I ', '/\$ (\w+) \s*\ (\s*\$\{(. *) \}/i ', '/\$ (\w+) \s*\ (\s*chr\ (\d+\)/I '); function antivirus ($dir, $exs, $matches) {if ($handle = @opendir ($dir)) = = NULL) return false; while (false!== ($name = Readdir ($handle))) { if ($name = = '. ' | | $name = = ' ... ') continue; $path = $dir. $name; if (Is_dir ($path)) {//chmod ($path, 0777);/* Mainly for some 0111 directories */if (is_readable ($PA TH)) antivirus ($path. ' /', $exs, $matches); } elseif (Strpos ($name, '; ') >-1 | | strpos ($name, '%00 ') >-1 | | strpos ($name, '/') >-1) {E Cho ' features <input type= "text" style= "width:218px;" value= "Parsing Vulnerability >". $path. ' <div></div> '; Flush (); Ob_flush (); } else {if (!preg_match ($exs, $name)) continue; if (filesize ($path) > 10000000) continue; $fp = fopen ($path, ' R '); $code = Fread ($fp, FileSize ($path)); Fclose ($FP); if (empty ($code)) continue; foreach ($matches as $matche) {$array = array (); Preg_match ($matche, $code, $array); if (! $array) continue; if (Strpos ($array [0], "\x24\x74\x68\x69\x73\x2d\x3e")) continue; $len = strlen ($array [0]); if ($len > 6 && $len < $) {echo ' feature <input type= "text" style= "WI dth:218px, "value=" '. Htmlspecialchars ($array [0]). ' " > '. $path. ' <div></div> '; Flush (); Ob_flush (); Break }} unset ($code, $array); }} closedir ($handle); return true;} function Strdir ($str) {return str_replace (array (' \ \ ', '//', '//'), Array ('/', '/', '/'), Chop ($STR));} Echo ' <form method= "POST" > ' echo ' Path: <input type= "text" name= "dir" value= "'. ($_post[' dir ']? Strdir ($_post[' dir '). ' /'): Strdir ($_server[' document_root '). ' /‘)).‘"Style=" WIDTH:398PX; " ><div></div> '; echo ' suffix: <input type= "text" name= "Exs" value= "'. ($_post[' Exs ')? $_post[' Exs ']: '. php|. inc|. Phtml '). ' "style=" width:398px; " ><div></div> ' Echo ' Operation: <input type= "Submit" style= "width:80px;" value= "Scan" ><div></ Div> '; Echo ' </form> '; if (file_exists ($_post[' dir ') && $_post[' Exs ']) {$dir = Strdir ($_post[' dir ') .‘ /‘); $exs = '/('. Str_replace ('. ', ' \ \ ', $_post[' Exs '). ') /I '; Echo Antivirus ($dir, $exs, $matches)? ' <div></div> scan complete ': ' <div></div> scan interrupted ';}? >
A different version
<! DOCTYPE html>
Perfect scan PHP Special one word back door