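<?php
/********************** PHP Scan Backdoor **********************/
/*
 * Signature-based scanner for backdoor / webshell constructs in PHP source.
 *
 * It walks a directory tree, reads every file whose name matches the
 * requested extension list, and reports the path of each file whose content
 * matches one of the regular expressions in $matches.
 *
 * NOTE(review): the copy of this script on the page was mangled by
 * extraction (random capitalisation, spaces inside tokens and regexes, lost
 * HTML). The code below is a cleaned-up reconstruction; places where the
 * page lost information are marked "reconstructed".
 *
 * Deployment caveats:
 *  - The script does no authentication of its own. Anyone who can reach it
 *    can make the server enumerate arbitrary directories, so keep it behind
 *    access control and remove it from the web root after use.
 *  - A hit is a lead for manual review, not proof of compromise; a clean
 *    scan is not proof of absence either (regex signatures are easy to miss
 *    with obfuscated code).
 */
error_reporting(E_ERROR);
ini_set('max_execution_time', 20000);
ini_set('memory_limit', '512M');
header("content-type:text/html; charset=gb2312");

// Detection signatures. Each entry is a complete PCRE pattern.
$matches = array(
    // function_exists('exec'|'system'|...) probes for command execution
    '/function\_exists\s*\(\s*[\'|\"](popen|exec|proc\_open|system|passthru)+[\'|\"]\s*\)/i',
    // command execution fed directly from a request superglobal
    '/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*\)/i',
    // udp:// or tcp:// stream targets
    '/((udp|tcp)\:\/\/(.*)\;)+/i',
    // preg_replace with the /e modifier and request data
    '/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
    // preg_replace combined with base64_decode($...)
    '/preg\_replace\s*\((.*)\(base64\_decode\(\$/i',
    // eval/assert/include of decoded, decompressed or php://input data
    '/(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*(base64\_decode|str\_rot13|gz(\w+)|file\_(\w+)\_contents|(.*)php\:\/\/input)+/i',
    // eval/assert/include/array_map/array_walk on a request superglobal
    '/(eval|assert|include|require|include\_once|require\_once|array\_map|array\_walk)+\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i',
    // eval(($$var ...
    '/eval\s*\(\s*\(\s*\$\$(\w+)/i',
    // include/require of a file with a non-PHP extension
    '/(include|require|include\_once|require\_once)+\s*\(\s*[\'|\"](\w+)\.(jpg|gif|ico|bmp|png|txt|zip|rar|htm|css|js)+[\'|\"]\s*\)/i',
    // request data followed by eval/assert/include of a variable
    '/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*\$(\w+)\s*\)/i',
    // call taking $_FILES[..][..] plus a request-controlled second argument
    '/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*\)/i',
    // file writes whose arguments include request data
    '/(fopen|fwrite|fputs|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)\)/i',
    // echo curl_exec($var)
    '/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i',
    // new COM('shell...')
    '/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i',
    // variable function called with a /e pattern and request data
    '/\$(.*)\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
    // $_ = ... $_
    '/\$\_\=(.*)\$\_/i',
    // request value used as a function name
    '/\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i',
    // variable function called with a request value
    '/\$(\w+)\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i',
    // $var(${...}
    '/\$(\w+)\(\$\{(.*)\}/i',
);

/**
 * Print one finding and push it to the client straight away.
 *
 * File names under a scanned tree may be attacker-chosen, so the path is
 * HTML-escaped before it reaches the report page.
 *
 * @param string $path path of the flagged file
 * @return void
 */
function _scan_report($path)
{
    // GB2312 matches the charset announced in the Content-Type header above.
    echo 'Characteristics' . htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'GB2312') . ' ';
    // Flush PHP's buffer (only if one is active) before the SAPI buffer.
    if (ob_get_level() > 0) {
        ob_flush();
    }
    flush();
}

/**
 * Turn a "|"-separated extension list (constructed example: ".php|.inc")
 * into the file-name pattern used by antivirus().
 *
 * Every item is passed through preg_quote(), so request input cannot close
 * the delimiter or add regex syntax of its own. The pattern is deliberately
 * left unanchored so that names such as "x.php.jpg" are still selected.
 *
 * @param string $list raw extension list from the request
 * @return string|null PCRE pattern, or null when the list holds no usable item
 */
function _scan_extension_pattern($list)
{
    $quoted = array();
    foreach (explode('|', $list) as $ext) {
        $ext = trim($ext);
        if ($ext !== '') {
            $quoted[] = preg_quote($ext, '/');
        }
    }
    return $quoted ? '/(' . implode('|', $quoted) . ')/i' : null;
}

/**
 * Recursively scan $dir and report files that look like backdoors.
 *
 * @param string   $dir     directory to scan, with a trailing "/"
 * @param string   $exs     PCRE pattern a file name must match to be read
 * @param string[] $matches PCRE signatures applied to the file content
 * @return bool false when $dir cannot be opened, true otherwise
 */
function antivirus($dir, $exs, $matches)
{
    // Reconstructed: the page lost the lower bound of the match-length test
    // ("$len > && $len < 1500"). 0 keeps every non-empty match, which is the
    // conservative choice for a detector. TODO confirm against the original.
    $minLen = 0;
    $maxLen = 1500;

    $handle = @opendir($dir);
    if ($handle === false) {
        return false;
    }

    while (false !== ($name = readdir($handle))) {
        if ($name == '.' || $name == '..') {
            continue;
        }
        $path = $dir . $name;

        if (is_dir($path)) {
            // NOTE(review): is_dir() follows symlinks, so a link that points
            // back up the tree makes this recursion loop until a limit hits.
            if (is_readable($path)) {
                antivirus($path . '/', $exs, $matches);
            }
        } elseif (strpos($name, ';') !== false || strpos($name, '%00') !== false || strpos($name, '/') !== false) {
            // Suspicious file name: flagged without looking at the content.
            _scan_report($path);
        } else {
            if (!preg_match($exs, $name)) {
                continue;
            }
            // Only regular, readable files; a FIFO or device would block the read.
            if (!is_file($path) || !is_readable($path)) {
                continue;
            }
            // Files above ~10 MB are skipped and therefore never inspected.
            if (filesize($path) > 10000000) {
                continue;
            }
            $code = @file_get_contents($path);
            if ($code === false || empty($code)) {
                continue;
            }

            foreach ($matches as $matche) {
                $array = array();
                // NOTE(review): preg_match() returns false on a PCRE error
                // (e.g. backtrack limit on a large file); that case falls
                // through as "no match" here. Check preg_last_error() if
                // unscanned files need to be surfaced.
                preg_match($matche, $code, $array);
                if (!$array) {
                    continue;
                }
                // Skip matches that contain "$this->" after their first
                // character (same truthiness test as the original strpos()).
                // This trades false positives in class code for false
                // negatives: such matches are never reported.
                $pos = strpos($array[0], "\x24\x74\x68\x69\x73\x2d\x3e");
                if ($pos !== false && $pos > 0) {
                    continue;
                }
                $len = strlen($array[0]);
                if ($len > $minLen && $len < $maxLen) {
                    _scan_report($path);
                    break; // one report per file is enough
                }
            }
            unset($code, $array);
        }
    }

    closedir($handle);
    return true;
}

/**
 * Normalise a path: strip trailing whitespace and collapse every run of
 * "\" and "/" into a single "/".
 *
 * @param string $str raw path
 * @return string normalised path
 */
function strdir($str)
{
    return preg_replace('#[\\\\/]+#', '/', chop($str));
}

// Reconstructed: the page lost the markup echoed here. This minimal form
// only supplies the two fields the handler below reads ("dir" and "exs").
echo '<form method="post">'
    . 'Directory: <input type="text" name="dir"> '
    . 'Extensions: <input type="text" name="exs"> '
    . '<input type="submit" value="Scan">'
    . '</form>';

$reqDir = (isset($_POST['dir']) && is_string($_POST['dir'])) ? $_POST['dir'] : '';
$reqExs = (isset($_POST['exs']) && is_string($_POST['exs'])) ? $_POST['exs'] : '';

if ($reqDir !== '' && $reqExs && file_exists($reqDir)) {
    $dir = strdir($reqDir . '/');
    $exs = _scan_extension_pattern($reqExs);
    if ($exs !== null) {
        echo antivirus($dir, $exs, $matches) ? 'Scan complete ' : 'Scan Interrupt ';
    }
}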