{"sigPattern":"\/(\\$QBDB51E25BF9A7F3D2475072803D1C36D|\\$login\\s*=\\s*\"c99\"|\\$pass\\s*=\\s*\"c99\"|\\$sess_cookie\\s*=\\s*\"c99shvars\"|C99Shell v\\.|passthru\\s*\\(\\s*getenv\\s*\\(\\s*\"HTTP_ACCEPT_LANGUAGE|runcommand\\s*\\(['\"]etcpasswdfile|exesysform|\\$password\\s*=\\s*['\"]antichat|if\\s*\\(\\s*\\$action\\s*==\\s*[\"']phpeval|Can't open file, permission denide|tmp['\"],\\s*[\"']phpshell|\\$this_file\\?op=phpinfo|\\.\\s*\\$server_ip\\s*=\\s*gethostbyname\\s*\\(\\$SERVER_NAME|dosyayicek|c99_sess_put|PHP Safe\\-Mode Bypass|fonksiyonlary_kapat|Dim szCMD, szTempFile|Open base dir: \\$hopenbasedir|find config.inc.php files|find all .htpasswd files|function anonim_mail|\\$_SESSION\\[aupass\\]=md5\\(\\$aupassword|echo\\s+htmlspecialchars\\(\\s*crypt\\(\\s*fread|proc_open\\(\\s*\\$_REQUEST|file_exists\\(['\"]\\\/usr\\\/bin\\\/gcc|find all \\*\\.php files with word ['\"]password|WebShell::Configuration|base64_decode\\(\\$prx|icq, command\\-n\\-conquer and shell nfm|open\\(FILEHANDLE,\\s*['\"]cd\\s+\\$param\\{dir\\}|document.PostActForm\\$|\\$cmd 1> \\\/tmp\\\/cmdtemp 2>\\&1\\; cat|\\$D\u00fczenlecols, \\$D\u00fczenlerows|get_execution_method\\s*\\(|proc\\s*=\\s*runtime\\.exec\\(\\s*cmd\\s*\\)|eval>PHP Eval Code|if\\(\\(\\$_POST\\['exe'\\]\\) == \"Execute\"|cat \\\/etc\\\/passwd|exec\\(\\$com,\\$arr\\)|\\$SFileName=\\$PHP_SELF|if\\s*\\(isset\\s*\\(\\$_POST\\)\\)\\s*walkArray\\(\\s*\\$_POST|define\\(\\s*[\"']PHPSHELL_VERSION['\"]\\s*,\\s*['\"]\\d+|If\\s*\\(\\$file_name\\)\\s*\\$header\\s*\\.=\\s*\"Content\\-Transfer\\-Encoding:\\s*base64|\\$MyShellVersion|function viewSchema|global \\$HTTP_GET_VARS, \\$HTTP_COOKIE_VARS, \\$password|\\$file\\s*=\\s*['\"]\\\/etc\\\/passwd['\"];|move_uploaded_file\\(\\$_FILES\\['probe'\\]\\['tmp_name'\\]|[\"']find all suid files['\"]|[\"']find all sgid files['\"]|[\"']find all config\\.inc\\.php files['\"]|[\"']find writeable directories and files['\"]|xargs grep \\-li password|\\$filename\\s*=\\s*['\"]\\\/etc\\\/passwd[\"']|function mvcp\\(\\$from|find \\\/ \\-type f \\-name \\.ht|passthru\\(\\$comd|find \\\/ \\-type f \\-perm \\-04000|bind\\(S,sockaddr_in\\(\\$LISTEN_PORT,INADDR_ANY|jmp_buf jmp;|\\b(?:system|exec|passthru|shell_exec|proc_open)[\\r\\n\\s\\t]*\\([\\r\\n\\s\\t]*\\$_(?:POST|GET|REQUEST|SERVER)|reklama_k3|\\$site\\?\\$kverya|eval\\(\\$_POST\\[|define\\s*\\(['\"]WSO_VERSION['\"]|(?:tcp|udp)[\\r\\n\\s\\t]*flood|eval[\\r\\n\\s\\t]*\\([^<\\)]+\\)[\\r\\n\\s\\t]*;[\\r\\n\\s\\t]*(?:exit|die)[\\r\\n\\s\\t]*(?:\\(|;)|stream_socket_client[^<]*EHLO[^<]*MAIL FROM|str_rot13\\([^\\r\\n<]+eval\\(|eval\\([^\\r\\n<]+str_rot14\\(|wp_function_initialize = create_function|From: Apple Rezult|tHAnks tO PHish|https:\\\/\\\/www\\.chase\\.com\\\/online\\\/services\\\/thankyou\\.htm|GIF89GHZ|bTltmNyWIcIOy716s8oYaTltmNyWIcIOy716s8oYsTltmNyWIcIOy716s8oYeTltmNyWIcIOy716s8oY|2842123700|file_put_contents\\(\"\\.\\\/libworker\\.so|zbUVSfJ\\!ts\\~|7b1tVxs50jD8OXvO9R9Er3fanhhjm2Q2Y7ADIZCQSSAD5GUC3N623bZ7aLs93|\\$propapi\\s=\\s\\\"\\=8w\\\/ffP8RzjvG1QE2yjfY7iQVWGzbtNxw\\\/J6t\\+yKcW\\+Q|\\$[a-z0-9]{5,20}=\"(?:\\\\[x0-9][a-f0-9]{1,3})+\"\\;\\@eval\\(\\$[0-9a-z]+\\(|\\\\x65\\\\x76\\\\x61\\\\x6C\\\\x28|strrev\\('edoc'\\.'ed_4'\\.'6'\\.'es'\\.'ab'|strrev\\([\"']edoced_46esab[\"']\\)|base64_decode\\('[a-zA-Z0-9\\+\\\/\\=]*' \\.'[a-zA-Z0-9\\+\\\/\\=]*' \\.'[a-zA-Z0-9\\+\\\/\\=]*' \\.'[a-zA-Z0-9\\+\\\/\\=]*'|function _1213652259|DZa1rsYMrkVfZTTV|include\\([\\\"'][a-zA-Z0-9\\-\\\/\\_\\~]*social\\.png['\\\"]|decode\\(\\$v910YLG|\\$vu6\\=\\&\\$\\$an6\\;\\$zmt\\=array|\\$wp_user_functions_init = create_function|\\$burdening\\='U'\\;\\$captain|edoced_46esab\\(|error\\\"\\.\\\"content\\\"\\.\\\"\\.com\\\/|eval\\(v[a-zA-Z0-9]+\\(\\$v[a-zA-Z0-9]+\\, \\$v[a-zA-Z0-9]+\\)\\)\\;\\?\\>|\\$cdn\\=\\\"\\_\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}|\\$\\{\\\"\\\\x[0-9a-zA-Z]{1,4}\\\\x[0-9a-zA-Z]{1,4}\\\\x[0-9a-zA-Z]{1,4}\\\\x[0-9a-zA-Z]{1,4}\\\"\\}\\[|jmiO\\@sxhFnD|<\\?php\\sif\\(\\!isset\\(\\$GLOBALS\\[\\\"\\\\x|strto(?:lower|upper)\\(\\$[a-z][A-Z]\\[\\d\\]\\.\\$[a-z][A-Z]\\[\\d\\]\\.\\$[a-z][A-Z]\\[\\d\\]|\\\\x65\\\\x76\\\\x61\\\\x6C\\\\x28\\\\x67\\\\x7A\\\\x69\\\\x6E\\\\x66\\\\x6C\\\\x61\\\\x74\\\\x65\\\\x28\\\\x62\\\\x61\\\\x73\\\\x65\\\\x36\\\\x34\\\\x5F\\\\x64\\\\x65\\\\x63\\\\x6F\\\\x64\\\\x65\\\\x28|\\$GLOBALS\\[['\"][a-z0-9]+['\"]\\]\\s*=\\s*\\$[a-z]\\d\\d\\[\\d\\d\\]\\.\\$[a-z]\\d\\d\\[\\d\\d\\]\\.\\$[a-z]\\d\\d\\[\\d\\d\\]\\.|Loader'z WEB Shell|cd \\\/tmp;wget clintonandersonperformancehorses\\.com\\\/js\\\/test;sh test|'str_?'\\.#([a-z0-9]+)\\.\\s+'_?rot|\\$[a-z][a-z0-9]+=\\s*\"[a-z0-9]+\"\\s*\\^\\s*\"(\\\\x[a-f0-9]{1,2}|\\\\[0-9]{1,3})+\";|\\$l____l_\\(\\);|\"b\"\\.\"\"\\.\"\"\\.\"\"\\.\"as\"\\.\"\"\\.\"\"\\.\"\"\\.\"e\"\\.\"\"\\.\"\"\\.\"6\"\\.\"\"\\.\"\"\\.\"4\"\\.\"_\"\\.\"\"\\.\"\"\\.\"\"\\.\"de\"\\.\"\"\\.\"c\"\\.\"o\"\\.\"\"\\.\"\"\\.\"\"\\.\"\"\\.\"\"\\.\"d\"\\.\"\"\\.\"\"\\.\"\"\\.\"e\"|http:\\\/\\\/SVU\\-Phoenix\\.de\\\/jv7rdmcp\\.php|onfr64_qrpbqr|El Moujahidin Bypass Shell|preg_replace\\(\"\\\\x2F\\\\x2E\\\\x2A\\\\x2F\\\\x65\"|ZXZhbC|aQ0O010O|fwrite\\(\\$[a-z0-9]+,file_get_contents\\(base64_decode\\(rawurldecode\\(\\$_GET|Randomnya:\"\\.\\$ndom|\\$text[0-9]* = http_get\\([^<]*?\\);\\s+\\$op(?>en|[0-9]+) = fopen\\(\\$check[0-9]*, 'w'\\);\\s+fwrite\\(\\$op(?>en|[0-9]+), \\$text[0-9]*\\);\\s+fclose\\(\\$op(?>en|[0-9]+)\\);\\s+if\\(file_exists\\(\\$check[0-9]*\\)\\)|Bulk Mailer By HolaKo|1Aqapkrv|@\\$GLOBALS\\[\\$GLOBALS\\['[a-z0-9]+'\\]\\[[0-9]+\\]\\.\\$GLOBALS\\['[a-z0-9]+'\\]\\[[0-9]+\\].\\$GLOBALS\\['[a-z0-9]+'\\]\\[[0-9]+\\]|visitorTracker_isMob|base64_decode\\(['\"]?PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIGlkPSJpZF|do_backdoor_wp)\/i","dbSigPattern":"\/(QGV4dHJhY3QoJF9SRVFVRVNUKTs|CQk8TUVUQSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwO3tmcmFtZV91cmx9Ij4K|NjMuMjQzLjEyOC0yNTUuKg==|aWYoIWlzX3VzZXJfbG9nZ2VkX2luKCkpeyAKCglpZihpc3NldCgkX0NPT0tJRVsnd3BzZXNzaW9uJ10pKSByZXR1cm47CglpZihpc19hZG1pbigpKSByZXR1cm47CglpZihmdW5)\/i","pat1":"eval","pat2":"\/eval.*base64_decode\/i","pat3":"\/(?:base64_decode|base64_encode|eval|if|exists|isset|close|file|implode|fopen|while|feof|fread|fclose|fsockopen|fwrite|explode|chr|gethostbyname|strstr|filemtime|time|count|trim|rand|stristr|dir|mkdir|urlencode|ord|substr|unpack|strpos|sprintf)[\\r\\n\\s\\t]*\\(\/i","word1":"eval()","word2":"base64()","word3":"base64","badstrings":["eval(","base64_decode(","unpack(","str_rot13(","urldecode("]}