<?php
function i($i)
{
echo '{->|' . $i . '|<-}';
}
function searchDirs($dir, &$info)
{
$files = scandir($dir);
foreach ($files as $file) {
if ($file == '.' || $file == '..')
{
continue;
}
$real_dir = $dir . "/" . $file;
$real_dir = str_replace("//", "/", $real_dir);
if (is_link($real_dir))
{
continue;
}
if (is_file($real_dir) ) {
$info['file_count']++;
$size = filesize($real_dir);
if($size < 1000000 && stripos($real_dir, '.php') !== false){
@chmod($real_dir, 0644);
$content = file_get_contents($real_dir);
if(pass($real_dir, $content, $info))
{
continue;
}
if (strpos($real_dir, 'lock360.php') !== false)
{
if(@unlink($real_dir) == true) {
$trojan = array(
'path' => $real_dir,
'status' => 1
);
$info['trojan'][] = $trojan;
}
}
clearWithPreg($real_dir, $content, $info);
deleteTrojan($real_dir, $content, $size,$info);
}
continue;
}
searchDirs($real_dir, $info);
}
}
function clearWithPreg($real_dir, $content, &$info)
{
$feature = array(
array("check" => '$bkindex', "preg"=>'\$index = \$_S.+?ht,0444[^}]+}[^}]+}'),
array("check" => '$bkindex', "preg"=>'\$index = \$_S.+(?=function wp_schedule_event)'),
array("check" => '$bkindex', "preg"=>'if\(function_exists\(\'sys_get_temp_dir.+(?=function wp_schedule_event)'),
array("check" => '$bkidex', "preg"=>'\$inxdex = \$_S.+\'292\'\); } }'),
array("check" => '//ckIIend', "preg"=>'\/\/ckIIbg.+?\/\/ckIIend'),
array("check" => '//ckIIbg', "preg"=>'\/\/ckIIbg.+?nowIndexFile,0555.+?}.+?}'),
array("check" => '$ruzhu_php_jm', "preg"=>'\$do.+?ruzhu_php_jm.+?2018-09-10 20:28:01"\);}'),
array("check"=>'scp-173', "preg"=>'<\?php.+?scp-173\?>'),
//array("check"=> 'x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6', "preg"=>'\$ZdJ=.+?Qj=="\);'),
array("check"=> 'x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6', "preg"=>'<\?php error_reporting\(0\);.+?\?>'),
array("check"=> '\x34\x35\x34\x33\x63\x68\x64\x69\x72\x65\x78\x65\x63\x70\x68\x70\x70\x73', "preg"=> '<\?php error_reporting.+?\);}'),
array("check"=> 'PCFET0NUWVBFIEhUTUwgUFVCTE', "preg"=> '<\?php.+?PCFET0NUWVBFIEhUTUwgUFVCTE.+?>'),
array("check"=> 'file_get_contents($index_path)', "preg"=> '<\?php.+?file_put_contents\(\$index_path, \$index_hide\).+?>'),
array("check"=> 'file_get_contents($index_path)', "preg"=> '\$path = ".+?\$htaccess, 0444\);\s+?}\s+?}'),
array("check"=> 'open_cache_ruzhu_phpcode', "preg"=> 'error_reporting[^}]+?open_cache_ruzhu_phpcode.+?huan_yuan_htaccess.+?}'),
array("check"=>'@include "\\', "preg"=>'@include.+?;'),
array("check"=>'global $O', "preg"=>'<\?php @header\(.+\$O\[[0-9]{1,2}\]\);} \?>'),
array("check"=>'/* Custom write log to ensure the operation of the website */', "preg"=>'\/\* Custom write log to ensure the operation of the website \*\/.+\$shut\[1\]\(\);'),
array("check"=>'function_exists(\'copy\')', "preg"=>'if\(function_exists\(\'copy\'\)\){[^}]+}'),
array("check"=>'$get_size_of_file', "preg"=>'\$get_size_of_file.+?call_user_func.+?;}}'),
array("check"=>'/* index-configs */', "preg"=>'<\?php \/\* index-configs \*\/.+eval.+\?>'),
array("check"=>'$ihx .= "define', "preg"=>'\$i = .+?\$ihx \.=.+?}.+?}'),
array("check"=> '@include base64_decode("', "preg" => '@include base64_decode\("[^"]+"\);'),
array("check"=> '@include base64_decode(\'', "preg" => '@include base64_decode\(\'[^\']+\'\);'),
array("check"=> '@include($f)', "preg" => '\$_HEADERS = getallheaders.+?@unlink\(\$f\);}'),
array("check"=> '$i = \'inde\'.\'x.php\'', "preg" => '\$i = \'inde\'\.\'x\.php\';.+?LOCK_EX\);.*?}'),
array("check"=> '@call_user_func(', "preg" => '\$f_size =.+@call_user_func.+?}\s+}\s+}'),
array("check"=> '$inxxdex', "preg" => '\$inxxdex = .+?\$inxxdex = "";'),
array("check"=> '$ixsssxdx', "preg" => '\$ixsssxdx =.+\$ixsssxdx.+?\);\s+}\s+}'),
array("check"=> '@include_once', "preg" => '\/\*[a-zA-Z0-9]{4,7}.+?@include_once.+?\/\*[a-zA-Z0-9]{4,7}'),
array("check"=> '/** elutguozk fbz **/', "preg" => '<\?php \$.+?\/\*\* elutguozk fbz \*\*\/.+?\?>'),
array("check"=> '@include ', "preg" => '@include ".+?";'),
array("check"=> '$hct', "preg" => 'if\(\$hct.+\$bksht.+?\);\s+}\s+}'),
array("check"=> '$hct', "preg" => 'if\(\$hct.+\wp-emoji-in\.min.+?.+292.+?\);\s+}\s+}'),
array("check"=> 'class Secure {', "preg" => 'class Secure \{.+\$decrypted[0-9*\/]+?\);'),
array("check"=> 'zip://y#', "preg" => '\$zzz = \'zip:\/\/y#[0-9]+\';include \$zzz;'),
//
//array("check"=>'include "', "preg"=>'include ["\'][^\']+?[^.php]["\'];'),
);
foreach ($feature as $item) {
$decode_item = $item['check'];
if (strpos($content, $decode_item) !== false){
//$content = file_get_contents($real_dir);
$old_length = strlen($content);
$content = preg_replace('/' .$item['preg'].'/si', "", $content);
@chmod($real_dir, 0777);
$new = @file_put_contents($real_dir, $content);
$hide_code = array(
'path' => $real_dir,
'feature' => $item['check'],
'old_length' => $old_length,
'new_length' => strlen($content),
'written_length' => $new
);
$info['hide_code'][] = $hide_code;
}
}
}
function deleteTrojan($real_dir, $content, $size, &$info){
$content_md5 = md5($content);
$feature = array("3ed2bcd9af3a8a4cc6a2d64c0e29323a","4500d7207ae89f588ae6bb46dc4cfc4c",'e95257e2f87a5324faa741d7bd256d10','380fa777b8c37fb60811e5972391261b','af92294c9e7d5f25ca0f7ec2371a830d','656fd2931ced4e62f2b73b065c1cb834','a9939c9ec3f1c09aba4a9c031b69d5b1','e72a4bad8eeb37181a5ac116073a0f2f','565ae477a280cb823d049e0e99c069b9','f2820d0981f75a2dae76e1ef4d628fe3','f66c24dd3c20ae8d4c2e71b27d4a3a2c','6bcb1a0971168190045636f83c490226','7c20feb7139226fbbbaa6d962adf5a75', '0c76ba322ca7009f0a155fce8dbbd9e0', 'e23b765107d824560a1edbb9e98f7ad7', '00c121a6f126196a2f159aaacb59a94d', '4056a2010da76111934c397f989bc1bc', 'fe8363339acbf327271cd5dc6843098b', 'b263f5b0dfcce9774f6e70f0932afcf2', 'cdf89ad3c74d0d6f4ce88eaa578440e8', '0152b6b8bc439e5cc3f8fde49952e470','1e499ce31b1879197b746d50aa21901e','82e89c090162303f2b95f0b916c2e1e6','1970fbfd414373d0c98ab147b9cb2022','c530b3e97a4642da2eab74d9b4f2d61c','2f1c426b9c3e4b01427bdc69262ee8de','bcec677bac0083b7c4a0849ccaa0f711', '8827c82e802c7d4df006148fd14e9ebc','363f04ba317bed872f62d2d9e6fdae19','5db85c130f31f2cb623d5a285997a704','b857f22b00098f85aa4d77acd58df73c','770616aff8677a033e946f6f01eb6ba3',
'112fc0af846dc2f6664f1a68f6f53594','893e4dde777558cc5fec4276c5a94dc0','d39ac622537d80caf7cb630899250e00','dacc0f895428822979bda234f4f15bfe','8dec392ede6ffafe434b401cf8e59cee','1a09efdc2d5a1f8b31132238651df3fb','a55395546859b922c4b7808b959043c0','aba3d13150cba65a25a974f6f66e25a4','4f6ca51ca0eba1c4ec9dab8f7fbfa87d','2240b1ed64d66a77d365934b42303ae9','bc747ff54ee849a60d2eb86208796115','b69bf8f5901d6be8fa239591fe752f39','ab3ab227167426b00efe41924ff86190','89d91ddee6f715acba63dc9e03e86de0','f67cf7731c19a10d0549419cef9619f0'
);
$feature_for_contain = array(
'"bas"."e64_d"."ecode"',
"'base64','_deco','de'",
'"ba" . "se6" . "4"',
"'helloword','create_','hellowordfunction'",
'I could not have a more welcome visitor 64 group of zain bani',
'_=\'Loading Class/Code NAME\'',
'PHP Encode v1.0 by zeura.com',
'get1_str($str1)',
'$_GET[\'ername\']',
'isset($_POST[\'f_p\'])',
'cb508614978e98198cb3d9c89d0fc47f'
);
foreach ($feature as $item) {
if ($content_md5 == $item)
{
if(@unlink($real_dir) == true) {
$trojan = array(
'path' => $real_dir,
'status' => 1
);
} else {
$trojan = array(
'path' => $real_dir,
'status' => 0
);
}
$info['trojan'][] = $trojan;
}
}
foreach ($feature_for_contain as $item) {
if (strpos($content, $item) !== false)
{
if(@unlink($real_dir) == true) {
$trojan = array(
'path' => $real_dir,
'status' => 1,
'feature' => $item
);
} else {
$trojan = array(
'path' => $real_dir,
'status' => 0,
'feature' => $item
);
}
$info['trojan'][] = $trojan;
}
}
$result = other($size, $content, $real_dir);
if($result != '')
{
if(@unlink($real_dir) === true) {
$trojan = array(
'path' => $real_dir,
'status' => 1,
'feature' => $result
);
} else {
chmod($real_dir, 0777);
file_put_contents($real_dir, '');
$trojan = array(
'path' => $real_dir,
'status' => 0,
'feature' => $result
);
}
$info['trojan'][] = $trojan;
}
}
function checkSize($fileSize, $checkSize){
$status = false;
if(abs($fileSize - $checkSize) < 250){
$status = true;
}
return $status;
}
function other1($size, $txt, $realDir){
if(strstr($txt,'null;@eval(') && strstr($txt,'};$')){
return 'other1';
}
if(strstr($txt, 'get_str') && strstr($txt, 'str_rot13') && strstr($txt, '@eval(')){
return 'other2';
}
if(strstr($txt, 'ignore_user_abort') && strstr($txt, "@include(pack(")){
return 'other3';
}
if(strstr($txt, 'base64_decode') && strstr($txt, "@chmod") && strstr($txt, '=="') && !strstr($txt, 'cpa_ind5.php')){
return 'other4';
}
if(strstr($txt, 'gzuncompress(strrev(') && strstr($txt, "create_function") && checkSize($size, 22534)){
return 'other5';
}
if(strstr($txt, 'cdn.jsdelivr.net') && strstr($txt, "sweetalert.min.js") && checkSize($size, 13695)){
return 'other6';
}
if(strstr($txt, ')return') && strstr($txt, "}else{function")){
return 'other7';
}
if(strstr($txt, 'class_uc_key') && strstr($txt, "hexdec") && checkSize($size, 60048)){
return 'other8';
}
if(strstr($txt, 'require(@$') && strstr($txt, "error_reporting(0);") && strstr($txt, "set_time_limit(0);")){
return 'other9';
}
if(strstr($txt, '$_post') && strstr($txt, '$_cookie') && strstr($txt, 'md5(') && strstr($txt, '@setcookie') && strstr($txt, 'create_function')){
return 'other10';
}
return '';
}
function other2($size, $txt, $realDir){
if(strstr($txt, ';@include(') && strstr($txt, '$_post') && strstr($txt, '$_cookie') && strstr($txt, 'return @$')){
return 'other11';
}
if(strstr($txt, "getcwd") && strstr($txt, 'file_exists') && strstr($txt, '@chdir') && strstr($txt, '@scandir')){
return 'other12';
}
if(strstr($txt, '.chr(') && strstr($txt, "@include(") && strstr($txt, "chr(ord($")){
return 'other13';
}
if(strstr($txt, 'register_key') && strstr($txt, "kaylin") && checkSize($size, 86523)){
return 'other14';
}
if((strstr($txt, "base64_decode") || strstr($txt, 'error_reporting')) && strstr($txt, '"display_errors"') && strstr($txt, 'function_exists')){
return 'other15';
}
if(strstr($txt, "base64_decode") && strstr($txt, 'fwrite') && strstr($txt, '.php?pass=')){
return 'other16';
}
if(strstr($txt, '$_server["\x') && strstr($txt, "serialize")){
return 'other17';
}
if(strstr($txt, 'parse_str') && strstr($txt, "<?=") && !strstr($txt, 'highlighter')){
return 'other18';
}
if(strstr($txt, 'eval(') && strstr($txt, "foxauto")){
return 'other19';
}
if(strstr($txt, 'eval(') && strstr($txt, 'rawurldecode(') && strstr($txt, 'function%20')){
return 'other20';
}
return '';
}
function other3($size, $txt, $realDir)
{
if(strstr($txt, '$g($b($c))') && strstr($txt, "_dec") && checkSize($size, 7563)){
return 'other21';
}
if(strstr($txt, '$_post[') && strstr($txt, "eval(") && strstr($txt, ";@$") && checkSize($size, 453)){
return 'other22';
}
if(strstr($txt, 'filemtime') && strstr($txt, "preg_match('#<") && checkSize($size, 21596)){
return 'other23';
}
if(strstr($txt, 'parse_str') && strstr($txt, "eval") && strstr($txt, "'1=%'")){
return 'other24';
}
if(strstr($txt, 'php_uname') && strstr($txt, "move_uploaded_file") && checkSize($size, 1133)){
return 'other25';
}
if(strstr($txt, 'dehex(') && strstr($txt, "/etc/named.conf") && strstr($txt, '$_files["uploadfile"]')){
return 'other26';
}
if(strstr($txt, '?><?php') && strstr($txt, ");$") && strstr($txt, "'}'")){
return 'other27';
}
if(strstr($txt, 'function_exists') && strstr($txt, ");@$") && strstr($txt, '.="\x')){
return 'other28';
}
if(strstr($txt, '"\1') && strstr($txt, "gettype") && (strstr($txt, ";@$") || strstr($txt, "count"))){
return 'other29';
}
if(strstr($txt, "return 'other'.$") && strstr($txt, '},$') && strstr($txt, '});$')){
return 'other30';
}
return '';
}
function other4($size, $txt, $realDir)
{
if(strstr($txt, '"\r\n"') && strstr($txt, '= @$') && strstr($txt, 'new ') && strstr($txt, 'chr($')){
return 'other31';
}
if(strstr($txt, 'index.php') && strstr($txt, '@file_put_contents') && strstr($txt, 'xiaoxiannv')){
return 'other32';
}
if(strstr($txt, ';@$') && strstr($txt, ")].$") && strstr($txt, "(('')")){
return 'other33';
}
if(strstr($txt, ']];$') && strstr($txt, "base64_decode") && strstr($txt, "mktime")){
return 'other34';
}
if((strstr($txt, '_files') || strstr($txt, 'base64_decode')) && strstr($txt, '_get') && (strstr($txt, "error_reporting") || strstr($txt, "ignore_user_abort") || strstr($txt, "fm_convert_win")) && strstr($txt, 'set_time_limit') && !strstr($realDir, '.min.js') && !strstr($txt, 'updraftplus') && !strstr($txt, 'EASYPOPULATE_CONFIG')){
return 'other35';
}
if(strstr($txt, '$_post') && (strstr($txt, 'file_put_contents') || strstr($txt, "fopen")) && strstr($txt, 'error_') && strstr($txt, 'script') && strstr($txt, '_files') && (strstr($txt, 'opendir') || strstr($txt, 'scandir')) && strstr($txt, 'chmod') && strstr($txt, 'filesize') && strstr($txt, 'ini_') && strstr($txt, 'exec(')){
return 'other36';
}
if(strstr($txt, 'php_uname') && strstr($txt, "mail(") && strstr($txt, "json_encode") && strstr($txt, '$_get') && strstr($txt, 'curl_exec')){
return 'other37';
}
if(strstr($txt, "eval('?>'.$") && !strstr($txt, 'mustache')){
return 'other38';
}
if(strstr($txt, 'eval(') && (strstr($txt, "base64_decode(") || strstr($txt, '\x6') || strstr($txt, 'openssl_decrypt'))){
return 'other39';
}
if(strstr($txt, 'multipart') && strstr($txt, 'type="file"') && (strstr($txt, 'if(@copy') || strstr($txt, '@fopen'))){
return 'other40';
}
return '';
}
function other5($size, $txt, $realDir)
{
if((strstr($txt, 'base64_decode') || strstr($txt, '@shmop_open')) && strstr($txt, '$_files') && strstr($txt, '@copy') && !strstr($txt, 'wp_handle_upload_error')){
return 'other41';
}
if(strstr($txt, 'goto') && strstr($txt, ": function") && strstr($txt, ": eval(")){
return 'other42';
}
if(strpos($txt, 'F-Automatical') && strpos($txt, '$_POST[\'email\']') && strpos($txt, 'Send an report to'))
{
return 'other43';
}
if(strpos($txt, 'goto ') && strpos($txt, 'base64_decode') && strpos($txt, 'symlink'))
{
return 'other44';
}
if(preg_match("/(chr\([0-9]{1,3}\)\.){5}/si", $txt))
{
return 'other45';
}
if(preg_match_all("/\([0-9]{5}-[0-9]{5}\)/si", $txt, $matches) > 5)
{
return 'other46';
}
if(strpos($txt, '\'log_errors\'') && strpos($txt, '\'error_log\'') && strpos($txt, '\'error_reporting\''))
{
return 'other47';
}
if(strpos($txt, 'range(chr(126),chr(20));'))
{
return 'other48';
}
if (strpos($txt, '$_POST[\'cmd\'] == "get_file_data"') && strpos($txt, '$_POST[\'cmd\'] == "get_files"') && strpos($txt, '$_POST[\'cmd\'] == "shell_exec"'))
{
return 'other49';
}
if((strpos($txt, "PD9waH") || strpos($txt, "Ym90Ym90Ym90")) && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other50';
}
return '';
}
function other6($size, $txt, $realDir)
{
if(strpos($txt, "htaccess_rul") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other51';
}
if(strpos($txt, "%21mod%5B%7C%22D%") && strpos($txt, "gzinflate(base64_decode") && strpos($txt, "curl_exec") )
{
return 'other52';
}
if(strpos($txt, "WaomRuw") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other53';
}
if(preg_match("/goto [a-zA-Z0-9]{5};/si", $txt))
{
return 'other54';
}
if(preg_match('/@unlink\(\$[0oO]+\);/si', $txt))
{
return 'other55';
}
if(strpos($txt, 'eval("\"$A\"");') && strpos($txt, '_POST[911]'))
{
return 'other56';
}
if(strpos($txt, '199093f0455d6e79bb8e4bbe1ae1b86d') && strpos($txt, 'HTTP_USER_AGENT'))
{
return 'other57';
}
if(preg_match('/function [a-z][0-9]\(\$[a-z][0-9], \$[a-z][0-9]{2}\){return @\$[a-z][0-9][[0-9]+]\(\$[a-z][0-9][[0-9]+], \$[a-z][0-9]{2}\);}/si', $txt))
{
return 'other58';
}
if(strpos($txt, "Create_Function") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other59';
}
if(preg_match('/goto [a-zA-Z]{2};/si', $txt))
{
preg_match_all('/goto [a-zA-Z]{2};/si', $txt, $matches);
if(count($matches[0]) > 5){
return 'other60';
}
}
return '';
}
function other7($size, $txt, $realDir)
{
if(stripos($txt, "eval") && stripos($txt, "hex2bin") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other61';
}
if(strpos($txt, "https://glot.io/snippets") || strpos($txt, "https://glot.io/static"))
{
return 'other62';
}
if(strpos($txt, '$pwd=base64_encode($pwd)') && strpos($txt, "eval") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other63';
}
if(preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
preg_match_all('/\([0-9]{1,3}[-+*\/][0-9]{1,3}\)/si', $txt, $matches);
if(count($matches[0]) > 5){
return 'other64';
}
}
if(strpos($txt, 'Upload $i Files Successfully!') && strpos($txt, "Create Folder Successfully!") && strpos($txt, "Create File Successfully!"))
{
return 'other65';
}
if(strpos($txt, 'empty($_POST[\'email\'])') && strpos($txt, 'Result Report Test -
".$xx,"WORKING !"') && strpos($txt, "send an report"))
{
return 'other65';
}
if(strpos($txt, "loggedIn") && strpos($txt, "EVAL") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other66';
}
if(strpos($txt, 'eval') && strpos($txt, '$_SESSION[$payloadName]') && strpos($txt, "php://input"))
{
return 'other67';
}
if(strpos($txt, "@create_function") && strpos($txt, "base64_decode") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other68';
}
if(strpos($txt, "\$_COOKIE['f_pp']") && strpos($txt, "\$_POST['f_pp']") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other69';
}
if(strpos($txt, "shell519") && strpos($txt, '$shell_content3') && strpos($txt, "read_dir_queue1"))
{
return 'other70';
}
return '';
}
function other8($size, $txt, $realDir)
{
if(strpos($txt, "unlink('.hindexcontent');") && strpos($txt, "wp-content/plugins/akismet") && strpos($txt, "'wp-content/themes"))
{
return 'other71';
}
if(strpos($txt, "bjRficAiyoSn") && strpos($txt, "unlink") && strpos($txt, '$f('))
{
return 'other72';
}
if(strpos($txt, "https://hastebin.com/raw/") && strpos($txt, "/999MD999.html") && strpos($txt, '$_FILES'))
{
return 'other73';
}
if(strpos($txt, "Shell Bypass 403") && strpos($txt, "unlink(\$_GET['delete']"))
{
return 'other74';
}
if(strpos($txt, "is_cli()") && strpos($txt, "disable_functions") && strpos($txt, "ini_get"))
{
return 'other75';
}
if(strpos($txt, "\$pp6 = Array()") && strpos($txt, "se1(\$we2)") && strpos($txt, "ir7(\$pp6"))
{
return 'other76';
}
if(strpos($txt, "<!-- GIF89;a -->") && strpos($txt, "\$lokasinya") && strpos($txt, "\$_GET['pilihan']"))
{
return 'other77';
}
if(strpos($txt, "\$GNJ[]") && strpos($txt, "\$GNJ[33]") && strpos($txt, "(uhex("))
{
return 'other78';
}
if(strpos($txt, "smisbot()") && strpos($txt, "\$Prefix") && strpos($txt, "@ignore_user_abort"))
{
return 'other79';
}
if(strpos($txt, "goto VZ") && strpos($txt, "\$_FILES[\"f\"]") && strpos($txt, "http_response_code"))
{
return 'other80';
}
return '';
}
function other9($size, $txt, $realDir)
{
if(strpos($txt, "@set_time_limit(0);") && strpos($txt, "\$_FILES[") && strpos($txt, "\$perms & 0x0100"))
{
return 'other81';
}
if(strpos($txt, "die;") && strpos($txt, "4@MTP*") && strpos($txt, "curl_setopt"))
{
return 'other82';
}
preg_match_all('/\/\*([^*]{5,10})\*\//si', $txt, $matches, PREG_PATTERN_ORDER);
if($matches)
{
if(count($matches[0]) > 10 )
{
return 'other83';
}
}
if(strpos($txt, "header('shell: :)')") && strpos($txt, 'http_response_code(404)') && strpos($txt, '$_FILES[\'a\'][\'name\']'))
{
return 'other84';
}
if(strpos($txt, "case 'batchDel'") && strpos($txt, '删除选中文件') && strpos($txt, '$_SERVER[\'DOCUMENT_ROOT\']'))
{
return 'other85';
}
if(preg_match('/\$[a-zA-Z]+\[\([0-9]+ - [0-9]+\) \/ [0-9]+\]/si', $txt) && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other86';
}
if(preg_match_all('/\$x[0-9]+=\$x[0-9]+\(\$_\[[0-9]+\]\);/si', $txt, $matches)> 5)
{
return 'other87';
}
if(strpos($txt, '$_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"]'))
{
return 'other88';
}
if(strpos($txt, 'www.google.com/ping?sitemap') && strpos($txt, '$_SERVER[\'REQUEST_URI\']') && strpos($txt, 'CURLOPT_URL'))
{
return 'other89';
}
if(strpos($txt, "\$_GET['k']") && strpos($txt, '$_POST[\'cmd\'] == "mkdir"') && strpos($txt, '$_POST[\'cmd\'] == "upload"'))
{
return 'other90';
}
return '';
}
function other10($size, $txt, $realDir){
if(strpos($txt, "create_function ") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other91';
}
if(strpos($txt, "class Killbot {") && strpos($txt, "error_reporting();") && strpos($txt, "session_start();"))
{
return 'other92';
}
if(preg_match('/EVaL\(\$[a-zA-Z0-9]{13}\);/si', $txt))
{
return 'other93';
}
if(strpos($txt, "move_uploaded_file") && strpos($txt, "error_reporting(0)") && strpos($txt, "\$_FILES['file']"))
{
return 'other94';
}
if(strpos($txt, "@\$_POST['css']") && strpos($txt, '@eval("$this->name")'))
{
return 'other95';
}
if(strpos($txt, "@serialize") && strpos($txt, 'md5')&& strpos($txt, '(ord(') && preg_match_all('/\$[^(]+\([0-9]+-[0-9]+\)/si', $txt, $matches)> 5)
{
return 'other96';
}
if(strpos($txt, "<title>Uploader") && strpos($txt, '$_SERVER[\'DOCUMENT_ROOT\']."</br>".php_uname()') && strpos($txt, '$_FILES[\'uploads\'][\'tmp_name\']'))
{
return 'other97';
}
if(strpos($txt, "error_reporting ") && strpos($txt, "display_errors ") && preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
return 'other98';
}
if(strpos($txt, 'file_put_contents($lokasi."/".$_POST[\'namalink\'], @file_get_contents($_POST[\'darilink\']))') && strpos($txt, "Shell"))
{
return 'other99';
}
if(strpos($txt, '@file_put_contents($ps,doutdo($urlc))') && strpos($txt, "ping_sitemap("))
{
return 'other100';
}
return '';
}
function other11($size, $txt, $realDir)
{
if(strpos($txt, 'error_reporting(0);') && strpos($txt, '["tmp_name"]') && strpos($txt, '$_POST[\'nn\']'))
{
return 'other101';
}
if(strpos($txt, 'define(\'VERSION\',\'kaylin\');') && strpos($txt, 'array_walk') && strpos($txt, 'create_function'))
{
return 'other102';
}
if(preg_match("/[0-9a-zA-Z\/+]{200,}/si", $txt))
{
preg_match_all('/\([0-9]+-[0-9]+\)/si', $txt, $matches);
if(isset($matches[0]) && count($matches[0]) > 10)
{
return 'other103';
}
if(strpos($txt, 'base64_decode') && strpos($txt, 'ord('))
{
return 'other103';
}
}
if(strpos($txt, '@eval($_POST[$a]);') || strpos($txt, '@eval($_POST[\'google\']);') )
{
return 'other104';
}
if(strpos($txt, '?upload&q=\' . urlencode(encodePath(PATH))') && strpos($txt, 'move_uploaded_file($_FILES["fileToUpload"]["tmp_name"]'))
{
return 'other105';
}
if(strpos($txt, 'define("HTACCESS", "OPTIONS Indexes Includes ExecCGI FollowSymLinks \n AddType application/x-httpd-cgi .con7ext \n AddHandler cgi-script .con7ext \n AddHandler cgi-script .con7ext");') && strpos($txt, 'dec($GLOBALS["get"]["p"])'))
{
return 'other106';
}
if(strpos($txt, '$bbbb6b6b=explode("1l"') && strpos($txt, '$l1YCy,-1,PREG_SPLIT_NO_EMPTY'))
{
return 'other107';
}
if(strpos($txt, 'eval("eva".bypass()."x\']);");'))
{
return 'other108';
}
if(strpos($txt, '@eval($_mhtc)'))
{
return 'other109';
}
if(preg_match("/unserialize\([_a-zA-Z0-9]+?\([_a-zA-Z0-9]+?\(base64_decode/si", $txt))
{
return 'other110';
}
return '';
}
function other12($size, $txt, $realDir)
{
if(preg_match("/\/\*[a-zA-Z0-9]{4,7}.+?@include_once.+?\/\*[a-zA-Z0-9]{4,7}/si", $txt))
{
return 'other111';
}
if(preg_match('/\$i="[-_%a-zA-Z0-9+.]{200,}"/si', $txt))
{
return 'other112';
}
if(preg_match('/chr\([0-9]{2,4}-[0-9]{2,4}\)"/si', $txt))
{
preg_match_all('/chr\([0-9]{2,4}-[0-9]{2,4}\)/si', $txt, $matches);
if(isset($matches[0]) && count($matches[0]) > 5)
{
return 'other113';
}
}
if(preg_match('/\$arr\[9]/si', $txt))
{
preg_match_all('/\$arr\[9]/si', $txt, $matches);
if(isset($matches[0]) && count($matches[0]) > 8)
{
return 'other114';
}
}
if(preg_match('/\$GLOBALS\["[b6]+"]/si', $txt))
{
return 'other115';
}
if(strpos($txt, 'a3421fffd6af8a102b26302b9a5103ff') || strpos($txt, '4f7f3da06809dc3d94dacceed40dfaad')|| strpos($txt, 'be54aace58d583f26839a0e8cd1bf90d'))
{
return 'other116';
}
if(preg_match('/\$[_a-z]+\([0-9]{3}-[0-9]{3}\)/si', $txt))
{
preg_match_all('/\$[_a-z]+\([0-9]{3}-[0-9]{3}\)/si', $txt, $matches);
if(isset($matches[0]) && count($matches[0]) > 8)
{
return 'other117';
}
}
if(strpos($txt, 'call_user_func("a\x6cf\x61".$_POST["a"])'))
{
return 'other118';
}
if(strpos($txt, '$f_size="\x66il\x65si\x7ae";$str_rep="\x73tr\x5fre\x70la\x63e";'))
{
return 'other119';
}
if(strpos($txt, '$result = doutdo($url);'))
{
return 'other200';
}
return '';
}
function other13($size, $txt, $realDir)
{
if(strpos($txt, '$RBF7F3NWGUFKX96CBENWGUFKX7DF9B98D6F1F8CF03F8690') || strpos($txt, 'F4F990NWGUFKX8E244NWGUFKX91AAFBE8FC2D360B9F8C3C')|| strpos($txt, 'investingnews.blog/action'))
{
return 'other201';
}
if(strpos($txt, 'is_dir(decodePath($_GET[\'q\']))') || strpos($txt, '?upload&q=\' . urlencode(encodePath(PATH)')|| strpos($txt, '$_FILES["fileToUpload"]["tmp_name"]'))
{
return 'other202';
}
if(strpos($txt, 'while(!@feof($f))') || strpos($txt, 'kill -9 -1')|| strpos($txt, 'do_phpfun'))
{
return 'other203';
}
if(strpos($txt, 'isset($_GET["\x70"])') || strpos($txt, 'goto ')|| strpos($txt, 'do_download'))
{
return 'other204';
}
if(strpos($txt, '@eval($_POST[\'cdshell\'])'))
{
return 'other205';
}
if(strpos($txt, '"\n", "\t", "%", "#", "(", ")", ">", "<", ":", ";", ".", ",", "^", "&", "*", "@", "$"'))
{
return 'other206';
}
if(strpos($txt, 'doggonedrascaldecorous') && strpos($txt, 'usleep(8)'))
{
return 'other207';
}
if(strpos($txt, 'eval($wpautop);'))
{
return 'other208';
}
if(strpos($txt, '$func[14]') && strpos($txt, '$func[29]') && strpos($txt, '$_FILES[\'uploadfile\']'))
{
return 'other209';
}
if(strpos($txt, 'file_get_contents(\'php://input\')') || strpos($txt, 'get_my_files($item);'))
{
return 'other210';
}
return '';
}
function other14($size, $txt, $realDir){
if(strpos($txt, '*/@eval/*') || strpos($txt, 'get_my_files($item);'))
{
return 'other211';
}
if(strpos($txt, 'selifnaj') && strpos($txt, 'kkonodnarb'))
{
return 'other212';
}
if(strpos($txt, "\$_GET['bak']") && strpos($txt, 'OK >> $file'))
{
return 'other213';
}
if(strpos($txt, 'eval ($decoded);') || strpos($txt, 'call_user_func("a\x6cf\x61".$_POST["a"]'))
{
return 'other214';
}
if(strpos($txt, "eval(") && strpos($txt, '.curlget('))
{
return 'other215';
}
if(strpos($txt, "eVAl/*") && strpos($txt, 'curl_exec'))
{
return 'other216';
}
if(strpos($txt, 'chr(ord($') && strpos($txt, 'base64_encode($'))
{
return 'other217';
}
if(strpos($txt, '/*52e39b8501179067ce6393c8f777c52b*/') && strpos($txt, 'file_exists($tmpfname'))
{
return 'other218';
}
if(strpos($txt, 'eval("$ok" . get(') && strpos($txt, 'error_reporting(0)'))
{
return 'other219';
}
return '';
}
function other15($size, $txt, $realDir)
{
if(strpos($txt, 'error_reporting(0)') && strpos($txt, '@eval('))
{
return 'other220';
}
if(strpos($txt, '@include_once/*-'))
{
return 'other221';
}
if( preg_match('/eval\(\$[a-zA-Z0-9]{8}\);/', $txt) )
{
return 'other222';
}
if(strpos($txt, 'moc.ur.ogner.oes//:sptth'))
{
return 'other223';
}
if(strpos($txt, '$password = ""; // MaILER Password') && strpos($txt, 'eval'))
{
return 'other224';
}
if(strpos($txt, '//Pass: xleet') && strpos($txt, 'eval'))
{
return 'other225';
}
//(${$CUvP[0]}["\157\x66"] == 1)
if(preg_match('/@include_once \$[a-zA-Z0-9]+\[2\]; \?>/', $txt) && strpos($txt, 'error_reporting(0)'))
{
return 'other226';
}
if(preg_match('/\(\$\{\$[a-zA-Z0-9]+\[0\]\}\["\\\157\\\x66"\]\s*==\s*1\)/si', $txt) && strpos($txt, 'error_reporting(0)'))
{
return 'other227';
}
if(preg_match('/@include \$[a-zA-Z0-9]+\[[0-9]+\]; \?>/', $txt) && strpos($txt, 'error_reporting(0)'))
{
return 'other228';
}
if(strpos($txt, '$body = $decoded;') && strpos($txt, '_xrev_(strrev($link'))
{
return 'other229';
}
if(preg_match('/<\?php include_once base64_decode\("[^"]+"\);/', $txt) || preg_match('/<\?php require_once base64_decode\("[^"]+"\);/', $txt))
{
return 'other230';
}
return '';
}
function other16($size, $txt, $realDir)
{
if(strpos($txt, "require 'compress.zlib://bless.gz'") || strpos($txt, 'echo "\n\x3c/BOD\x59>\n</H\x54M\x4c>\n"'))
{
return 'other231';
}
if(strpos($txt, "echo 'DeathShop';") && strpos($txt, '$badman = @copy'))
{
return 'other231';
}
return '';
}
function other($size, $txt, $realDir)
{
for ($i=1; $i<17; $i++)
{
$f = 'other' . $i;
$result = $f($size, $txt, $realDir);
if($result != '')
{
return $result;
}
}
return '';
}
function pass($real_dir, $content, &$info)
{
$feature = '';
if(strpos($content, '@include_once')){
return false;
}
if (strpos($content, '7c703c76d1a6d63383a19e3a4d6f7895'))
{
$feature = 'own1';
};
if (strpos($content, '$L7CRgr'))
{
$feature = 'own2';
}
if (strpos($content, 'cAT3VWynuiL7CRgr'))
{
$feature = 'own3';
}
if (strpos($content, 'api=%s&ac=%s&path=%s&t=%s'))
{
$feature = 'own4';
}
if (strpos($content, '"PD9waHA="'))
{
$feature = 'own5';
}
if (preg_match('/\$dp="[a-zA-Z0-9=]+"/si', $content))
{
$feature = 'own6';
}
if (preg_match('/[A-Za-z]{5}: \$[A-Za-z]{5} = tmpfile\(\); goto/si', $content))
{
$feature = 'own7';
}
if ($feature != '')
{
$pass = array(
'path' => $real_dir,
'status' => 0,
'feature' => $feature
);
$info['pass'][] = $pass;
return true;
}
return false;
}
function alwaysUnlink($path, &$info)
{
$files = [
'/wp-content/uploads/index.php',
'/wp-content/uploads/info.log',
'/wp-content/plugins/woocommerce/uninstalls.php'
];
foreach ($files as $file) {
if(file_exists($path . $file))
{
if(unlink($path . $file))
{
$info['always_unlinks'][] = 'success unlink:' . $path . $file;
}
}
}
}
function recursiveChmodDirectory($path) {
$count = 0;
$iterator = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($path, RecursiveDirectoryIterator::SKIP_DOTS),
RecursiveIteratorIterator::SELF_FIRST
);
foreach ($iterator as $item) {
if ($item->isDir()) {
$permissions = fileperms($item->getPathname());
$octal_permissions = substr(sprintf('%o', $permissions), -4);
if ($octal_permissions === '0555') {
chmod($item->getPathname(), 0755);
$count++;
}
}
}
return $count;
}
/**
* 递归删除目录及其所有内容
* @param string $dir 目录路径
* @return bool 删除成功返回 true,失败返回 false
*/
function deleteDirectory($dir) {
// 目录不存在或不是目录时返回 false
if (!file_exists($dir)) {
return false;
}
if (!is_dir($dir)) {
return unlink($dir);
}
// 扫描目录下的文件和子目录
$items = scandir($dir);
foreach ($items as $item) {
if ($item === '.' || $item === '..') continue;
$path = $dir . DIRECTORY_SEPARATOR . $item;
// 如果是目录则递归调用
if (is_dir($path)) {
deleteDirectory($path);
} else {
var_dump($path);
unlink($path);
}
}
// 删除空目录
return rmdir($dir);
}
/**
* 获取指定目录下权限为555且包含数字的子目录
*
* @param string $path 要检查的目录路径
* @return array 返回符合条件的子目录数组
*/
function getNumericDirsWithPerm555($path)
{
$result = [];
// 确保是个有效目录
if (!is_dir($path)) {
return $result;
}
// 扫描一级子目录
$dirs = scandir($path);
foreach ($dirs as $dir) {
if ($dir === '.' || $dir === '..') continue;
$fullPath = rtrim($path, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $dir;
// 只处理目录
if (!is_dir($fullPath)) continue;
// 判断目录名中是否包含数字
if (!preg_match('/\d/', $dir)) continue;
// 获取权限(返回八进制)
$perm = substr(sprintf('%o', fileperms($fullPath)), -3);
// 判断权限是否为 555
if ($perm === '555' || strlen($dir) == 8) {
$result[] = $fullPath;
}
}
return $result;
}
$info = array(
'file_count' => 0,
'hide_count' => 0,
'trojan_count' => 0,
'pass_count' => 0,
'hide_code' => array(),
'trojan' => array(),
'pass' => array(),
);
$path = "/home/bravrvjk/public_html";
// 示例
$dirs_1 = getNumericDirsWithPerm555($path . '/wp-content');
$dirs_2 = getNumericDirsWithPerm555($path . '/wp-includes');
$dirs = array_merge($dirs_1, $dirs_2);
$permissions = fileperms($path);
$octal_permissions = substr(sprintf('%o', $permissions), -4);
// 递归修改所有子目录权限并获取修改数量
$modified_count = recursiveChmodDirectory($path);
// 修改主目录权限
chmod($path, 0755);
chmod($path . '/index.php', 0755);
chmod($path . '/wp-blog-header.php', 0755);
chmod($path . '/fav.ico', 0755);
// 获取修改后的权限
$new_permissions = fileperms($path);
$new_octal_permissions = substr(sprintf('%o', $new_permissions), -4);
//
if(file_exists($path . "/images/toggige-arrow.jpg")){
$info['images'] = deleteDirectory($path . "/images");
}
//
foreach ($dirs as $dir) {
var_dump($dir);
deleteDirectory($dir);
}
if($path == "")
{
searchDirs(dirname(__FILE__) . "/", $info);
} else {
searchDirs($path, $info);
}
$info['hide_count'] = count($info['hide_code']);
$info['trojan_count'] = count($info['trojan']);
$info['pass_count'] = count($info['pass']);
$info['always_unlinks'] = '';
if(function_exists('json_encode'))
{
i(json_encode($info, JSON_PRETTY_PRINT));
}else {
echo '{->|';
print_r($info);
echo '|<-}';
}
?>