{"rules":[["legacy-10",1458883265,"Can't open file, permission denide","Antichat shell",null,0,[]],["legacy-100",1458883265,"jmiO\\@sxhFnD","f711 infection",null,0,[]],["legacy-101",1458883265,"<\\?php\\sif\\(\\!isset\\(\\$GLOBALS\\[\\\"\\\\x","f710 infection",null,0,[0]],["legacy-102",1458883265,"strto(?:lower|upper)\\(\\$[a-z][A-Z]\\[\\d\\]\\.\\$[a-z][A-Z]\\[\\d\\]\\.\\$[a-z][A-Z]\\[\\d\\]","f709 infection",null,0,[]],["legacy-103",1458883265,"\\\\x65\\\\x76\\\\x61\\\\x6C\\\\x28\\\\x67\\\\x7A\\\\x69\\\\x6E\\\\x66\\\\x6C\\\\x61\\\\x74\\\\x65\\\\x28\\\\x62\\\\x61\\\\x73\\\\x65\\\\x36\\\\x34\\\\x5F\\\\x64\\\\x65\\\\x63\\\\x6F\\\\x64\\\\x65\\\\x28","Encoded eval, gzinflate, base64",null,0,[]],["legacy-104",1458883265,"\\$GLOBALS\\[['\"][a-z0-9]+['\"]\\]\\s*=\\s*\\$[a-z]\\d\\d\\[\\d\\d\\]\\.\\$[a-z]\\d\\d\\[\\d\\d\\]\\.\\$[a-z]\\d\\d\\[\\d\\d\\]\\.","f703 infection",null,0,[]],["legacy-105",1458883265,"Loader'z WEB Shell","f726 infection",null,0,[]],["legacy-106",1458883265,"cd \\\/tmp;wget clintonandersonperformancehorses\\.com\\\/js\\\/test;sh test","f726 infection",null,0,[1]],["legacy-107",1458883265,"'str_?'\\.#([a-z0-9]+)\\.\\s+'_?rot","f726 infection",null,0,[]],["legacy-108",1458883265,"\\$[a-z][a-z0-9]+=\\s*\"[a-z0-9]+\"\\s*\\^\\s*\"(\\\\x[a-f0-9]{1,2}|\\\\[0-9]{1,3})+\";","f726 infection",null,0,[]],["legacy-109",1458883265,"\\$l____l_\\(\\);","f726 infection",null,0,[]],["legacy-11",1458883265,"tmp['\"],\\s*[\"']phpshell","Ayyildiz Tim  -AYT- Shell v 2.1",null,0,[]],["legacy-110",1458883265,"\"b\"\\.\"\"\\.\"\"\\.\"\"\\.\"as\"\\.\"\"\\.\"\"\\.\"\"\\.\"e\"\\.\"\"\\.\"\"\\.\"6\"\\.\"\"\\.\"\"\\.\"4\"\\.\"_\"\\.\"\"\\.\"\"\\.\"\"\\.\"de\"\\.\"\"\\.\"c\"\\.\"o\"\\.\"\"\\.\"\"\\.\"\"\\.\"\"\\.\"\"\\.\"d\"\\.\"\"\\.\"\"\\.\"\"\\.\"e\"","f734 infection",null,0,[]],["legacy-111",1458883265,"http:\\\/\\\/SVU\\-Phoenix\\.de\\\/jv7rdmcp\\.php","f750 infection",null,0,[2]],["legacy-112",1458883265,"onfr64_qrpbqr","f751 infection",null,0,[]],["legacy-113",1458883265,"El Moujahidin Bypass Shell","f760 infection",null,0,[]],["legacy-114",1458883265,"preg_replace\\(\"\\\\x2F\\\\x2E\\\\x2A\\\\x2F\\\\x65\"","f760 infection",null,0,[]],["legacy-116",1458883265,"aQ0O010O","f773 infection",null,0,[]],["legacy-117",1458883265,"fwrite\\(\\$[a-z0-9]+,file_get_contents\\(base64_decode\\(rawurldecode\\(\\$_GET","f781 infection",null,0,[3]],["legacy-118",1458883265,"Randomnya:\"\\.\\$ndom","f783 infection",null,0,[]],["legacy-119",1458883265,"\\$text[0-9]* = http_get\\([^<]*?\\);\\s+\\$op(?>en|[0-9]+) = fopen\\(\\$check[0-9]*, 'w'\\);\\s+fwrite\\(\\$op(?>en|[0-9]+), \\$text[0-9]*\\);\\s+fclose\\(\\$op(?>en|[0-9]+)\\);\\s+if\\(file_exists\\(\\$check[0-9]*\\)\\)","f783 infection",null,0,[]],["legacy-12",1458883265,"\\$this_file\\?op=phpinfo","aZRaiLPhp v1.0",null,0,[]],["legacy-120",1458883265,"Bulk Mailer By HolaKo","f783 infection",null,0,[]],["legacy-121",1458883265,"1Aqapkrv","supp1 infection",null,0,[]],["legacy-122",1458883265,"@\\$GLOBALS\\[\\$GLOBALS\\['[a-z0-9]+'\\]\\[[0-9]+\\]\\.\\$GLOBALS\\['[a-z0-9]+'\\]\\[[0-9]+\\].\\$GLOBALS\\['[a-z0-9]+'\\]\\[[0-9]+\\]","supp2 infection",null,0,[]],["legacy-123",1458883265,"visitorTracker_isMob","isMob infection",null,0,[]],["legacy-124",1458883265,"base64_decode\\(['\"]?PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIGlkPSJpZF","base64 encoded malware infection",null,0,[3]],["legacy-125",1458883265,"do_backdoor_wp","Backdoor function call",null,0,[]],["legacy-13",1458883265,"\\.\\s*\\$server_ip\\s*=\\s*gethostbyname\\s*\\(\\$SERVER_NAME","c0derz shell [csh] v. 0.1.1",null,0,[]],["legacy-14",1458883265,"dosyayicek","c99_locus7s and c99_PSych0 shells",null,0,[]],["legacy-15",1458883265,"c99_sess_put","c99_locus7s, c99_PSych0, c99_w4cking and RedhatC99 shells",null,0,[]],["legacy-16",1458883265,"PHP Safe\\-Mode Bypass","c99_w4cking shell",null,0,[]],["legacy-17",1458883265,"fonksiyonlary_kapat","CasuS shell",null,0,[]],["legacy-18",1458883265,"Dim szCMD, szTempFile","CmdAsp.asp shell",null,0,[]],["legacy-19",1458883265,"Open base dir: \\$hopenbasedir","Crystal shell",null,0,[]],["legacy-2",1458883265,"\\$QBDB51E25BF9A7F3D2475072803D1C36D","The antichat.php, cgi.php and possibly other shells.",null,0,[]],["legacy-20",1458883265,"find config.inc.php files","Many c99 variants including NFM, Perl, Predator, CTT, r57 and Redhatc99",null,0,[4]],["legacy-21",1458883265,"find all .htpasswd files","Many c99 variants including NFM, Perl, Predator, CTT, r57 and Redhatc99",null,0,[]],["legacy-22",1458883265,"function anonim_mail","Cybershell",null,0,[]],["legacy-23",1458883265,"\\$_SESSION\\[aupass\\]=md5\\(\\$aupassword","Cybershell",null,0,[]],["legacy-24",1458883265,"echo\\s+htmlspecialchars\\(\\s*crypt\\(\\s*fread","dC3  Security Crew Shell PRiV",null,0,[5]],["legacy-25",1458883265,"proc_open\\(\\s*\\$_REQUEST","Dive Shell",null,0,[]],["legacy-26",1458883265,"file_exists\\(['\"]\\\/usr\\\/bin\\\/gcc","DTool Pro",null,0,[]],["legacy-27",1458883265,"find all \\*\\.php files with word ['\"]password","Dx shell",null,0,[4]],["legacy-28",1458883265,"WebShell::Configuration","Gamma Web Shell (perl)",null,0,[]],["legacy-29",1458883265,"base64_decode\\(\\$prx","GFS shell",null,0,[3]],["legacy-3",1458883265,"\\$login\\s*=\\s*\"c99\"|\\$pass\\s*=\\s*\"c99\"|\\$sess_cookie\\s*=\\s*\"c99shvars\"","c99 shell decoded",null,0,[]],["legacy-30",1458883265,"icq, command\\-n\\-conquer and shell nfm","Various GFS variants",null,0,[]],["legacy-31",1458883265,"open\\(FILEHANDLE,\\s*['\"]cd\\s+\\$param\\{dir\\}","go-shell (perl)",null,0,[]],["legacy-32",1458883265,"document.PostActForm\\$","GRP Webshell",null,0,[]],["legacy-33",1458883265,"\\$cmd 1> \\\/tmp\\\/cmdtemp 2>\\&1\\; cat","h4ntu shell",null,0,[]],["legacy-34",1458883265,"\\$D\u00c3\u00bczenlecols, \\$D\u00c3\u00bczenlerows","iMHaBiRLiGi PHP FTP",null,0,[]],["legacy-35",1458883265,"get_execution_method\\s*\\(","Ironshell and many others",null,0,[]],["legacy-36",1458883265,"proc\\s*=\\s*runtime\\.exec\\(\\s*cmd\\s*\\)","JSP Web Shell",null,0,[]],["legacy-37",1458883265,"eval>PHP Eval Code","KAdot Universal Shell",null,0,[6]],["legacy-38",1458883265,"if\\(\\(\\$_POST\\['exe'\\]\\) == \"Execute\"","Lamashell",null,0,[]],["legacy-39",1458883265,"cat \\\/etc\\\/passwd","Liz0ziM and many other malicious apps",null,0,[]],["legacy-4",1458883265,"C99Shell v\\.","c99.php shell",null,0,[]],["legacy-40",1458883265,"exec\\(\\$com,\\$arr\\)","Loaderz WEB Shell",null,0,[]],["legacy-41",1458883265,"\\$SFileName=\\$PHP_SELF","Macker's Private PHPShell",null,0,[]],["legacy-42",1458883265,"if\\s*\\(isset\\s*\\(\\$_POST\\)\\)\\s*walkArray\\(\\s*\\$_POST","Macker's and some c99 variants",null,0,[]],["legacy-43",1458883265,"define\\(\\s*[\"']PHPSHELL_VERSION['\"]\\s*,\\s*['\"]\\d+","Matamu and other shells",null,0,[]],["legacy-44",1458883265,"If\\s*\\(\\$file_name\\)\\s*\\$header\\s*\\.=\\s*\"Content\\-Transfer\\-Encoding:\\s*base64","Moroccan Spamers Ma-EditioN By GhOsT",null,0,[7]],["legacy-45",1458883265,"\\$MyShellVersion","MyShell",null,0,[]],["legacy-46",1458883265,"function viewSchema","Mysql interface",null,0,[]],["legacy-47",1458883265,"global \\$HTTP_GET_VARS, \\$HTTP_COOKIE_VARS, \\$password","mysql_tool",null,0,[]],["legacy-48",1458883265,"\\$file\\s*=\\s*['\"]\\\/etc\\\/passwd['\"];","mysql.php malicious script",null,0,[]],["legacy-49",1458883265,"move_uploaded_file\\(\\$_FILES\\['probe'\\]\\['tmp_name'\\]","NCC-Shell",null,0,[]],["legacy-5",1458883265,"passthru\\s*\\(\\s*getenv\\s*\\(\\s*\"HTTP_ACCEPT_LANGUAGE","accept_language HTTP header backdoor",null,0,[]],["legacy-50",1458883265,"find all suid files['\"]","NetworkFileManager.php and variants",null,0,[]],["legacy-51",1458883265,"find all sgid files['\"]","NetworkFileManager.php and variants",null,0,[]],["legacy-52",1458883265,"find all config\\.inc\\.php files['\"]","NetworkFileManager.php and variants",null,0,[4]],["legacy-53",1458883265,"find writeable directories and files['\"]","NetworkFileManager.php and variants",null,0,[]],["legacy-54",1458883265,"xargs grep \\-li password","NetworkFileManager.php and variants",null,0,[]],["legacy-55",1458883265,"\\$filename\\s*=\\s*['\"]\\\/etc\\\/passwd[\"']","NFM 1.8, NIX Remote Web Shell and others",null,0,[]],["legacy-56",1458883265,"function mvcp\\(\\$from","NGH, Webcommander",null,0,[]],["legacy-57",1458883265,"find \\\/ \\-type f \\-name \\.ht","NIX Remote Web Shell, nsTView and other variants",null,0,[]],["legacy-58",1458883265,"passthru\\(\\$comd","NShell",null,0,[]],["legacy-59",1458883265,"find \\\/ \\-type f \\-perm \\-04000","nsTView and others",null,0,[]],["legacy-6",1458883265,"runcommand\\s*\\(['\"]etcpasswdfile","Ajax_PHP Command Shell",null,0,[]],["legacy-60",1458883265,"bind\\(S,sockaddr_in\\(\\$LISTEN_PORT,INADDR_ANY","Perl Web Shell by RST-GHC",null,0,[]],["legacy-61",1458883265,"jmp_buf jmp;","PHANTASMA",null,0,[]],["legacy-62",1458883265,"\\b(?:system|exec|passthru|shell_exec|proc_open)[\\r\\n\\s\\t]*\\([\\r\\n\\s\\t]*\\$_(?:POST|GET|REQUEST|SERVER)","PHP Backdoor and many malicious apps",null,0,[]],["legacy-63",1458883265,"reklama_k3","Magic Include Shell Reklama pattern",null,0,[]],["legacy-64",1458883265,"\\$site\\?\\$kverya","Magic Include Shell Kverya pattern",null,0,[]],["legacy-65",1458883265,"eval\\(\\$_POST\\[","Any eval of a post.",null,0,[6]],["legacy-66",1458883265,"define\\s*\\(['\"]WSO_VERSION['\"]","Found in many backdoors",null,0,[]],["legacy-67",1458883265,"(?:tcp|udp)[\\r\\n\\s\\t]*flood","Code that engages in TCP or UDP flooding",null,0,[]],["legacy-68",1458883265,"eval[\\r\\n\\s\\t]*\\((?![\\r\\n\\s\\t]*\\$tempb64[\\r\\n\\s\\t]*)[^<\\)]+\\)[\\r\\n\\s\\t]*;[\\r\\n\\s\\t]*(?:exit|die)[\\r\\n\\s\\t]*(?:\\(|;)","Eval of code followed by exit.",null,0,[6]],["legacy-69",1458883265,"stream_socket_client[^<]*EHLO[^<]*MAIL FROM","Socket based mail clients hackers drop into hacked sites.",null,0,[]],["legacy-7",1458883265,"exesysform","AK-74 Security Team Web Shell",null,0,[]],["legacy-70",1458883265,"str_rot13\\([^\\r\\n<]+eval\\(","rot13 of eval function",null,0,[6]],["legacy-71",1458883265,"eval\\([^\\r\\n<]+str_rot14\\(","eval and rot14",null,0,[6]],["legacy-72",1458883265,"wp_function_initialize = create_function","Possibly malicious lambda function",null,0,[]],["legacy-73",1458883265,"From: Apple Rezult","Malicious signature",null,0,[]],["legacy-74",1458883265,"tHAnks tO PHish","Malicious signature",null,0,[]],["legacy-75",1458883265,"https:\\\/\\\/www\\.chase\\.com\\\/online\\\/services\\\/thankyou\\.htm","Malicious URL",null,0,[2]],["legacy-76",1458883265,"GIF89GHZ","Malicious gif signature",null,0,[]],["legacy-77",1458883265,"bTltmNyWIcIOy716s8oYaTltmNyWIcIOy716s8oYsTltmNyWIcIOy716s8oYeTltmNyWIcIOy716s8oY","PHP variable name used as function.",null,0,[]],["legacy-78",1458883265,"2842123700","The \/usr\/bin\/host botnet",null,0,[]],["legacy-79",1458883265,"file_put_contents\\(\"\\.\\\/libworker\\.so","The \/usr\/bin\/host botnet",null,0,[7]],["legacy-8",1458883265,"\\$password\\s*=\\s*['\"]antichat","Antichat shell",null,0,[]],["legacy-80",1458883265,"zbUVSfJ\\!ts\\~","Malicious pastebin code",null,0,[]],["legacy-81",1458883265,"7b1tVxs50jD8OXvO9R9Er3fanhhjm2Q2Y7ADIZCQSSAD5GUC3N623bZ7aLs93","Pharma hack",null,0,[]],["legacy-82",1458883265,"\\$propapi\\s=\\s\\\"\\=8w\\\/ffP8RzjvG1QE2yjfY7iQVWGzbtNxw\\\/J6t\\+yKcW\\+Q","Pharma hack",null,0,[]],["legacy-83",1458883265,"\\$[a-z0-9]{5,20}=\"(?:\\\\[x0-9][a-f0-9]{1,3})+\"\\;\\@eval\\(\\$[0-9a-z]+\\(","Typical first line of obfuscated code from FOPO",null,0,[6]],["legacy-84",1458883265,"\\\\x65\\\\x76\\\\x61\\\\x6C\\\\x28","The word eval( obfuscated",null,0,[]],["legacy-85",1458883265,"strrev\\('edoc'\\.'ed_4'\\.'6'\\.'es'\\.'ab'","base64_decode backwards",null,0,[]],["legacy-86",1458883265,"strrev\\([\"']edoced_46esab[\"']\\)","base64_decode backwards",null,0,[]],["legacy-87",1458883265,"base64_decode\\('[a-zA-Z0-9\\+\\\/\\=]*' \\.'[a-zA-Z0-9\\+\\\/\\=]*' \\.'[a-zA-Z0-9\\+\\\/\\=]*' \\.'[a-zA-Z0-9\\+\\\/\\=]*'","sickthings.php",null,0,[]],["legacy-88",1458883265,"function _1213652259","ylcore.php malware",null,0,[]],["legacy-89",1458883265,"DZa1rsYMrkVfZTTV","zr_trim.php malware",null,0,[]],["legacy-9",1458883265,"if\\s*\\(\\s*\\$action\\s*==\\s*[\"']phpeval","Antichat shell",null,0,[6]],["legacy-90",1458883265,"include\\([\\\"'][a-zA-Z0-9\\-\\\/\\_\\~]*social\\.png['\\\"]","CryptoPHP infection",null,0,[8]],["legacy-91",1458883265,"decode\\(\\$v910YLG",".include.php infection",null,0,[3]],["legacy-92",1458883265,"\\$vu6\\=\\&\\$\\$an6\\;\\$zmt\\=array","sig478 infection",null,0,[]],["legacy-93",1458883265,"\\$wp_user_functions_init = create_function","t5263 infection",null,0,[]],["legacy-94",1458883265,"\\$burdening\\='U'\\;\\$captain","t5263 infection",null,0,[]],["legacy-95",1458883265,"edoced_46esab\\(","t5194 infection",null,0,[]],["legacy-96",1458883265,"error\\\"\\.\\\"content\\\"\\.\\\"\\.com\\\/","f680 infection",null,0,[7]],["legacy-97",1458883265,"eval\\(v[a-zA-Z0-9]+\\(\\$v[a-zA-Z0-9]+\\, \\$v[a-zA-Z0-9]+\\)\\)\\;\\?\\>","t5426 infection",null,0,[6]],["legacy-98",1458883265,"\\$cdn\\=\\\"\\_\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}","f649 infection",null,0,[]],["legacy-128",1459115483,"\\!isset\\s*\\(\\$_REQUEST\\s*\\[\\s*'b64cont'\\s*\\]\\)\\)\\s*\\{\\s*print\\s*\"\\<err\\>NO b64(?:cont)?\\<\\\/err\\>\";\\s*exit\\s*\\(\\s*0\\s*\\)","StealRat Infection #2",null,0,[]],["G35\/rule#1",1463598573,"eval\\s*\\(\\s*eval\\s*\\(\\s*[\"']\\[[a-z0-9]+\\[","G35\/rule","server",0,[6]],["G250\/rule#1",1463773983,"\\$GLOBALS\\[[\"']\\w{1,15}['\"]\\]\\s*+=\\s*+\\$\\w{1,5}\\[\\d{1,3}\\]\\.\\$\\w{1,5}\\[\\d{1,3}\\]\\.\\$\\w{1,5}\\[\\d{1,3}\\]\\.\\$\\w{1,5}\\[\\d{1,3}\\]\\.\\$\\w{1,5}\\[\\d{1,3}\\]\\.\\$\\w{1,5}\\[\\d{1,3}\\]\\.\\$\\w{1,3}\\[\\d{1,3}\\];\\s*+\\$GLOBALS","GLOBALS_malware","server",0,[9]],["G83\/file#1",1464120893,"'Windows-1251'\\s*+;\\s*+preg_replace\\(\"\\\/\\.\\*\\\/e\",\"(?:\\\\x\\w\\w?){10}","Windows-1251","server",0,[9]],["G83\/fle1#1",1464120893,"'Windows-1251'\\s*+;\\s*+preg_replace\\(\"\\\/\\.\\*\\\/e\",\"(?:\\\\x\\w\\w?){10}","Windows-1251","server",0,[9]],["G252\/rule#1",1464274172,"base64_decode\\s*+\\(\\s*+['\"]\\s*+JFAkQk5yZmE4eE1Memp0TVhFQjNaeC9IcnhjQXlmV21tLw==\\s*+[\"']\\s*+\\)\\.[\"']\\s*+[\"']\\s*+,\\s*+'tempuser'\\s*+,\\s*+'\\s*+support@wpwhitesecurity\\.com\\s*+['\"]\\s*+,\\s*+['\"]\\s*+0\\s*+['\"]\\s*+,\\s*+['\"]Temp\\s*+User\\s*+","G252\/rule","server",0,[1]],["G79\/rule#1",1464278790,"de\\(\\$\\w{1,10}\\)\\)\\);['\"]\\);@\\$\\w{1,10}\\(['\"][\\w+\\\/]{800,}?","Obfuscated base64_decode","server",0,[]],["G78\/rule#1",1464279702,"isset\\s*+\\(\\s*+\\$GLOBALS\\s*+\\[\\s*+['\"](?:\\\\x?\\w{1,3}){3,10}\\s*+['\"]\\s*+\\]\\s*+\\)\\s*+\\)\\s*+\\{\\s*+\\$\\w{1,10}\\s*+=\\s*+strtolower\\s*+\\(\\s*+\\$_SERVER\\s*+\\[\\s*+['\"]\\s*+(?:\\\\x?\\w{1,3}){3,}","GLOBALS Variant","server",0,[9]],["G77\/rule#1",1464280583,"ent\\s*+['\"]\\s*+;\\s*+error_reporting\\(\\d{1,3}\\)\\s*+;\\s*+\\$\\{['\"](?:\\\\x\\w{2}){4}ALS['\"]\\s*+\\}\\[[\"'](?:\\\\x[\\d\\w]{2,3}?){4}['\"]\\]\\s*+=\\s*+['\"]co\\\\x","$GLOBLAS Varians","server",0,[10]],["G76\/rule#1",1464281672,"de\\(\\$\\w{1,10}\\)\\)\\);['\"]\\);@?\\$\\w{1,10}\\(['\"][\\w+\\\/]{800,}?","eval(gzinflate(base64_decode variant","server",0,[]],["G74\/conf#1",1464360737,"\\$rcakey\\s*+=\\s*+['\"]rca\\.1\\.1\\.\\w{16}\\.\\w{16}\\.\\w{40}['\"]\\s*+;\\s*+\\$maxtxt\\s*+=\\s*+\\w{1,3}\\s*+;\\s*+\\$maxtext\\s*+=\\s*+rand\\s*+\\(\\w{3}\\s*+,\\s*+\\$maxtxt\\s*+\\)\\s*+;\\s*+\\$maxpage\\s*+=\\s*+['\"]\\w{1,8}['\"]\\s*+;","Malicious settings","server",0,[9]],["G74\/index#1",1464360737,"\\{\\s*+\\$s\\s*+=\\s*+['\"]\\s*+\\w{1,5}\\.\\w{1,3}:\\w{1,3}\\\/\\w{1,3}\\s*+['\"]\\s*+;\\s*+\\$l\\s*+=(?:\\s*+\\$\\w{1,5}\\s*+\\[\\s*+\\w{1,3}\\s*+\\]\\s*+\\.?){10}","Malicious index.php","server",0,[9]],["G74\/license#1",1464360737,"if\\s*+\\(isset\\s*+\\(\\$_GET\\s*+\\[gotop\\s*+\\]\\s*+\\)\\s*+\\)\\s*+\\{\\$x\\s*+=\\s*+['\"]e\\\\x76\\\\x61l","Encoded Malware","server",0,[9]],["G68\/rule#1",1464374796,"client\\.justcloakit\\.com\\\/pcl.php\\s*+[\"']\\s*+;\\s*+\\$data\\s*+=\\s*+array\\s*+\\(\\s*+[\"']\\s*+lan\\s*+[\"']\\s*+=>","justcloakit","server",0,[1]],["G63\/rule#1",1464378442,"@define\\s*+\\(\\s*+['\"]VERSION['\"]\\s*+,\\s*+['\"]\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\s*+by\\s*+Drac\\-101code['\"]\\s*+\\)","Drac-101code backdoor","server",0,[]],["G61\/class-wp-links-list_table#1",1464380352,"Win-7-key\\s*+['\"]\\s*+=>\\s*+[\"']http:\\\/\\\/www\\.officialkeyshop\\.com\\\/['\"]\\s*+,\\s*+[\"']Win-7-key-online[\"']\\s*+=>","Microsoft Key Spam","both",0,[2]],["G61\/index#1",1464380352,"Win-7-key\\s*+['\"]\\s*+=>\\s*+[\"']http:\\\/\\\/www\\.officialkeyshop\\.com\\\/['\"]\\s*+,\\s*+[\"']Win-7-key-online[\"']\\s*+=>","Microsoft Key Spam","both",0,[2]],["G60\/rule#1",1464383948,"\\$\\w{1,5}\\s*+=\\s*+['\"]\\s*+&\\\\['\"]\\(\\)\\*\\+,-\\.:\\]\\^_`\\{\\|,,,\\|","SpecialSymbols","server",0,[]],["G56\/rule#1",1464384189,"['\"]\\s*+64_de\\s*+['\"]\\s*+\\.\\s*+['\"]\\s*+code\\s*+['\"]\\s*+;\\s*+eval\\s*+\\(\\s*+\\$\\w{1,10}\\s*+\\(\\s*+['\"]\\s*+\\w{100}","eval-base64_decode variation","server",0,[3]],["G57\/hunterspointresport.com\/home#1",1464410325,"\\$keys\\s*+=\\s*+['\"]\\s*+\\\/dating\\|adult\\|cialis\\|levitra\\|kamagra\\|vigora","Spam Redirect","both",0,[]],["G57\/hunterspointresport.com\/license#1",1464410325,"print\\s*+['\"]\\s*+<h1>\\s*+#p@\\$c@#<\\\/h1>\\\\n\\s*+['\"]\\s*+;\\s*+echo\\s*+['\"]\\s*+Your\\s*+IP:\\s*+['\"]\\s*+;","Uploader","both",0,[5]],["G57\/hunterspointresport.com\/session#1",1464410325,"\\$GLOBALS\\s*+\\[['\"]\\w{1,10}['\"]\\s*+\\]\\s*+=\\s*+(?:\\$\\w{1,10}\\[\\d{2}\\]\\s*+\\.?){15}","$GLOBALS obfuscated variant","server",0,[9]],["G57\/hunterspointresport.com\/wp-cache-control#1",1464410325,"\\\/\\*CACHE-CONTROL:YToxNDE6e3M6MzI6IjhmNWE5NjEwNzhjOTM2NzU3MjJmYjZkYWIzNGEwZWY3IjthOjI6e3M6MzoicG9zIjtzOjE6IjUiO3M6NDoibGluayI7czoyMzk6IjxwPkFkb3B0ZWQgZnJvbSBzb3JlIHRocm9hdCBwYWluIDxhIHRpdGxlPSJ0cmV0aW5vaW4gZm9yIHNhbGUgd2l0aG91d\\w{226}\\+","base64 encoded spam","server",0,[]],["G57\/hunterspointresport.com\/wp-config#1",1464410325,"\\$____\\s*+=\\s*+base64_decode\\s*+\\(\\s*+['\"][\\w+]{71}\\\/","base64 encoded","server",0,[9]],["G311\/rule#1",1465105605,"\\b83cf1e45074275561a8b6ef539359342\\b","G311 - Hacker Signature","server",0,[]],["G311\/rule#2",1465105605,"warning.{1,10}?include\\(\\.\\\/common.php\\)","G311 - error message","server",0,[8]],["G311\/rule#3",1465105605,"^#!\\\/usr\\\/bin\\\/perl\\s*\\-I\\\/usr\\\/local\\\/bandmin(?:\\n|.){10,200}?eval\\s*\\(\\s*decode_base64\\s*\\(","G311 - embed a shell in CGI perl","server",0,[6]],["G47\/rule#1",1465164258,"<\\?\\s*+php\\s*+\\$_GET\\s*+\\[\\s*+['\"]\\s*+\\w['\"]\\s*+\\]\\s*+\\(\\s*+base64_decode\\s*+\\(\\s*+\\$_GET\\s*+\\[\\s*+['\"]\\s*+\\w\\s*+['\"]\\s*+\\]\\s*+\\)\\s*+\\)\\s*+;\\s*+\\?>","G47 - Runs arbritrary code execution","server",0,[9]],["G46\/rule#1",1465165429,"<\\?php\\s*+error_reporting\\s*+\\(\\s*+0\\s*+\\)\\s*+;\\s*+include_once\\s*+\\$_SERVER\\s*+\\[\\s*+['\"]DOCUMENT_ROOT\\s*+['\"]\\s*+\\]\\s*+\\.\\s*+['\"]\\s*+\\\/wp-apps\\.php\\s*+['\"]\\s*+;","G46 - Include malware file","server",0,[0]],["G45\/cur#1",1465168727,"\\$home_cwd\\s*+=\\s*+@getcwd\\s*+\\(\\s*+\\)\\s*+;\\s*+if\\s*+\\(\\s*+isset\\s*+\\(\\s*+\\$_POST\\s*+\\[\\s*+['\"]\\w{1,10}\\s*+['\"]\\s*+\\]\\s*+\\)\\s*+\\)\\s*+@chdir\\s*+\\(\\s*+\\$_POST\\s*+\\[\\s*+['\"]\\w{1,10}['\"]\\s*+\\]\\s*+\\)\\s*+;\\s*+\\$cwd\\s*+=\\s*+@getcwd\\s*+\\(\\s*+\\)\\s*+;\\s*+if\\s*+\\(\\s*+\\$os\\s*+==\\s*+['\"]\\s*+win\\s*+['\"]\\s*+\\)","G45 - Basic Backdoor","server",0,[9]],["G45\/p5cux#1",1465168727,"\\$jq\\s*+=\\s*+@\\$_COOKIE\\s*+\\[\\s*+['\"]\\w{5,20}\\s*+['\"]\\s*+\\]\\s*+;\\s*+if\\s*+\\(\\$jq\\s*+\\)\\s*+\\{\\s*+\\$option\\s*+=\\s*+\\$\\w{1,10}\\s*+\\(\\s*+@\\$_COOKIE\\s*+\\[\\s*+['\"]\\s*+\\w{5,20}\\s*+['\"]\\s*+\\]\\s*+\\)\\s*+;\\s*+\\$au\\s*+=\\s*+\\$jq\\s*+\\(\\s*+@\\$_COOKIE","G45 - Malware marker","server",0,[9]],["G34\/rule#1",1465326911,"\\\/\"\\s*+\\+\\s*+location\\.host\\s*+\\)\\s*+!==0\\s*+\\|\\|\\s*+document\\.referrer\\s*+!==undefined\\s*+\\|\\|\\s*+document\\.referrer\\s*+!==''\\s*+\\|\\|\\s*+document\\.referrer\\s*+!==\\s*+null\\s*+\\)\\s*+\\{\\s*+document\\.write\\s*+\\(\\s*+'\\s*+<script\\s*+type\\s*+=\\s*+\"text\\\/javascript\\s*+\"\\s*+src\\s*+","JavaScript redirector","both",0,[]],["G364\/rule#1",1465332834,"<li>\\s*+<a\\s*+href\\s*+=\\s*+\"\\s*+brandcopy-l-3\\.html\\s*+\"\\s*+style\\s*+=\\s*+\"\\s*+padding-left:\\s*+10px;\\s*+\"\\s*+>\\s*+OMEGA\\s*+<br\\s\\\/>","BUYDOKEI.NET!","both",0,[11]],["G336\/rule#1",1465493969,"\\$\\w{1,255}\\s*+=\\s*+\\$_COOKIE\\s*+;\\s*+\\$\\w{1,255}\\s*+=\\s*+\\$\\w{1,255}\\s*+\\[\\w{1,255}\\s*+\\]\\s*+;\\s*+if\\s*+\\(\\s*+\\$\\w{1,255}\\s*+\\)","Backdoor:PHP\/nomnom.A","server",0,[9]],["G82\/ChangePVQ2.cibc.txt#1",1465503277,"\\baction=\\s*+\"\\s*+ChangePVQ2\\s*+\\.\\s*+cibc\\s*+\\.\\s*+php\\s*+\"\\s*+class=\\s*+\"\\s*+inlineForm\\s*+\"\\s*+>\\s*+<input\\s*+type=\\s*+\"\\s*+hidden\\s*+\"\\s*+name=\\s*+\"\\s*+uid\\s*+\"\\s*+id=\\s*+\"\\s*+uid\"\\s*+value\\s*+=\\s*+\"\\s*+<\\?\\s*+print\\s++\\$\\w{1,10}?;","Phishing-CIBC","both",0,[]],["G82\/olbtxn.authentication.txt#1",1465503277,"\\baction=\\s*+\"\\s*+ChangePVQ2\\s*+\\.\\s*+cibc\\s*+\\.\\s*+php\\s*+\"\\s*+class=\\s*+\"\\s*+inlineForm\\s*+\"\\s*+>\\s*+<input\\s*+type=\\s*+\"\\s*+hidden\\s*+\"\\s*+name=\\s*+\"\\s*+uid\\s*+\"\\s*+id=\\s*+\"\\s*+uid\"\\s*+value\\s*+=\\s*+\"\\s*+<\\?\\s*+print\\s++\\$\\w{1,10}?;","Phishing-CIBC","both",0,[]],["G80\/rule#1",1465504022,"\\\/\\*\\w{32}\\*\\\/\\s*+var\\s*+_\\w{1,10}\\s*+=\\s*+\\[\\s*+\"\\s*+(?:\\\\x\\w\\w){3,}\\s*+\"\\s*+,\\s*+\"(?:\\\\x\\w\\w){3,}\\s*+\"\\s*+,\\s*+\"\\\\x","Injected javascript","both",0,[]],["G311\/rule#5",1465506537,"<\\?php\\s*+if\\s*+\\(\\s*+!isset\\s*+\\(\\s*+\\$_GET\\s*+\\[\\s*+'dep\\s*+'\\s*+\\]\\s*+\\)\\s*+or\\s*+\\(\\s*+\\$_GET\\s*+\\[\\s*+'\\s*+dep\\s*+'\\s*+\\]\\s*+!=\\s*+\\d{1,3}\\s*+\\)\\s*+\\)\\s*+exit\\s*+;\\s*+\\?>\\s*+<!\\s*+DOCTYPE","Backdoor:PHP\/admininfo.A","both",0,[0]],["G357\/rules#1",1465580043,"error_reporting\\s*+\\(\\s*+0\\s*+\\)\\s*+;\\s*+ini_set\\s*+\\(\\s*+'\\s*+display_errors\\s*+'\\s*+,\\s*+0\\s*+\\)\\s*+;\\s*+set_time_limit\\s*+\\(\\s*+0\\s*+\\)\\s*+;\\s*+\\$ref\\s*+=\\s*+strtolower\\s*+\\(isset\\s*+\\(\\s*+\\$_SERVER\\s*+\\[\\s*+'\\s*+HTTP_REFERER\\s*+'\\s*+\\]\\s*+\\)\\s*+\\?\\s*+\\$_SERVER\\s*+\\[\\s*+'\\s*+HTTP_REFERER\\s*+'\\s*+\\]\\s*+:\\s*+'\\s*+'\\)\\s*+;\\s*+if\\s*+\\(\\s*+strlen\\s*+\\(\\s*+\\$ref\\s*+\\)\\s*+>\\s*+\\d{1,3}\\s*+\\)\\s*+\\{\\s*+\\$ref\\s*+=\\s*+substr\\s*+\\(\\s*+\\$ref\\s*+,\\s*+0\\s*+,","Behavior:PHP\/whatbot.A","server",0,[10]],["G357\/rules#2",1465580043,"\\$\\w{1,255}\\s*+=\\s*+(?:\\$\\w{1,255}\\s*+\\[\\s*+\\d{1,3}\\s*+\\]\\s*+\\.?){5,20}\\s*+;\\s*+\\$\\w{1,255}\\s*+=\\s*+\"\"\\s*+\\.chr\\s*+\\(\\d{1,3}\\s*+\\)","Backdoor:PHP\/sungoat.A","server",0,[]],["G357\/rules#3",1465580043,"include_once\\s*+\\(\\s*+\"\\s*+\\$root_path\\s*+\"\\s*+\\.\\s*+\"\\s*+\\\/wp-admin\\\/includes\\\/class-wp-text\\.php\\s*+\"","Behavior:PHP\/slyguy.A","server",0,[8]],["G430\/cmd1#1",1466018735,"\\$GLOBALS\\['nbozb93'\\]\\s*?=\\s*?(?:\\$d93(?:\\[\\d{1,2}\\])\\.){10}","Backdoor:PHP\/nboz.A","server",0,[9]],["G430\/proxy#1",1466018735,"\\$GLOBALS\\['nbozb93'\\]\\s*?=\\s*?(?:\\$d93(?:\\[\\d{1,2}\\])\\.){10}","Backdoor:PHP\/nboz.A","server",0,[9]],["G432\/rule#1",1466021326,"eval\\s*\\(\\s*base64_decode\\s*\\(\\s*gzuncompress\\s*\\(\\s*base64_decode","Backdoor:PHP\/deobfuscation.A","server",0,[6]],["G75\/rule#1",1466024685,"base64_decode\\s*+\\(\\s*+str_rot13\\s*+\\(\\s*+\\$\\w{1,10}\\s*+\\[['\"]+\\]\\s*+\\)\\s*+\\)\\s*+;\\s*+if\\s*+\\(\\s*+strpos\\s*+\\(\\s*+\\$z","base64_decode with Caesar cipher","server",0,[9]],["G85\/winc#1",1466027519,"\\$result\\s*+=\\s*+'\\s*+http:\\\/\\\/\\s*+'\\s*+\\.\\s*+file_get_contents\\s*+\\(\\s*+dirname\\s*+\\(\\s*+__FILE__\\s*+\\)\\s*+\\.\\s*+'\\s*+\\\/\\s*+\\.\\s*+\\.\\s*+\\\/bin\\\/\\s*+\\.\\s*+zdaccess\\s*+'\\s*+\\)\\s*+\\.\\s*+'\\s*+\\\/wsearch\\s*+\\.\\s*+php\\?q=\\s*+'\\s*+\\.\\s*+urlencode\\s*+\\(\\s*+\\$k\\s*+\\[\\s*+1\\s*+\\]\\s*+\\)\\s*+\\.\\s*+'\\s*+&x=1&y=1&cid=no_pill_search","Pharmacy Page","both",0,[2]],["G85\/wp-java#1",1466027519,"\\$agent\\s*+=\\s*+preg_match\\s*+\\(\\s*+'\\s*+!\\s*+\\(\\s*+google\\|yahoo\\|bing\\|msn\\|yandex\\s*+\\)\\s*+!\\s*+'\\s*+\\,\\s*+strtolower\\s*+\\(\\s*+\\$_SERVER\\s*+\\[\\s*+'\\s*+HTTP_USER_AGENT\\s*+'\\s*+\\]\\s*+\\)\\s*+\\)\\s*+;\\s*+if\\s*+\\(\\s*+!\\$allow\\s*+\\|\\|\\s*+check_bot_ip\\s*+\\(\\s*+\\$ip\\s*+\\)\\s*+\\|\\|\\s*+\\$agent\\s*+\\)\\s*+\\{","Bot Template","server",0,[9]],["G55\/jquery.so#1",1466028104,"error_reporting\\s*+\\(\\s*+0\\s*+\\)\\s*+;\\s*+echo\\s*+base64_decode\\s*+\\(\\s*+['\"]\\w{75}=\\s*+['\"]\\s*+\\)\\s*+;\\\/\\*visitorTracker\\*\\\/","visitorTracker","both",0,[10]],["G55\/tetqwqsadzfdzsh#1",1466028104,"<!--\\s*+\\w{3,30}\\s*+-->\\s*+<\\?php\\s*+@ob_start\\(\\)\\s*+;\\s*+@ini_set\\s*+\\(\\s*+['\"]\\s*+display_errors\\s*+['\"]\\s*+,\\s*+0\\s*+\\)\\s*+;\\s*+@error_reporting\\s*+\\(0\\s*+\\)\\s*+;\\s*+echo\\s*+base64_decode\\s*+\\(\\s*+['\"]\\s*+\\w{10,300}=\\s*+['\"]\\s*+\\)\\s*+;\\s*+\\?>\\s*+<!--\\s*+\\w{3,30}\\s*+-->","G55 - Embedded malicious php code","both",0,[10]],["G55\/tetqwqsadzXp2xl#1",1466028104,"error_reporting\\s*+\\(\\s*+0\\s*+\\)\\s*+;\\s*+echo\\s*+base64_decode\\s*+\\(\\s*+['\"]\\w{75}=\\s*+['\"]\\s*+\\)\\s*+;\\\/\\*visitorTracker\\*\\\/","visitorTracker","both",0,[10]],["G439\/rule#1",1466083021,"time\\s*+\\(\\s*+\\)[-\\d]{5,10}\\s*+\\);=[\"']bas[\"'][.]{1,5}+[\"']e6[\"'][.]{1,5}+[\"']4_d[\"'][.]{1,5}+[\"']ec[\"'][.]{1,5}+[\"']ode[\"']\\s*+;\\s*+if\\s*+\\(\\s*+isset\\s*+\\(\\s*+\\)\\s*+\\)\\s*+eval","base64 decode eval","server",0,[6]],["G441\/rule#1",1466087643,"\\\\x62\\\\x61\\\\x73\\\\x65\\\\x36\\\\x34\\\\x5f\\\\x64\\\\x65\\\\x63\\\\x6f\\\\x64\\\\x65.{10,50}?\\\\x73\\\\x74\\\\x72\\\\x5f\\\\x72\\\\x6f\\\\x74\\\\x31\\\\x33.{60,100}?eval","Backdoor:PHP\/hexeval.A","server",0,[6]],["G443\/rule#1",1466089495,"^<\\?php\\s*?\\$ver\\s*+=\\s*+[\"'][a-z]{26}['\"]\\s*+;\\s*?\\$check\\s*+=\\s*+(?:\\$ver\\{\\d{1,2}\\}\\s*+\\.\\s*+|['\"]_['\"]\\s*+\\.\\s*+){5}?","Backdoor:PHP\/vercheck.A","server",0,[9]],["G445\/wp-ecfd#1",1466089847,"\\btrimmed\\s*+pussy\\s*+pics<\\\/a>\\s*+<\\\/li>\\s*+<li><a\\s*+href=\"http:\\\/\\\/northvilletvrepair.com\\\/sunshades\\\/moissanite-sex","Behavior:PHP\/sunshades.A","both",0,[11]],["G445\/wp-ywl#1",1466089847,"^\\s*?<\\?php\\s*?ignore_user_aborts*+\\(s*+1\\)\\s*+;\\s*?\\$err_flgs*+=s*+\\$_GET\\[['\"]err['\"]\\]s*+;s*+\\s*?if\\s*+\\(\\$err_flg==1\\s*+\\)\\s*+\\{error_reporting\\s*+\\(\\s*+-1[^$]{60,80}\\$_GET\\s*+\\[\\s*+['\"]sc['\"]\\s*+\\]\\s*+\\)\\s*+&&","Backdoor:PHP\/rptflgs.A","server",0,[10]],["G447\/rules#1",1466091032,"\\$\\w{1,255}\\s*+=\\s*+\"\"\\s*+;\\s*+\\$\\w{1,255}\\s*+.=\\s*+\"\\w{1000}","Backdoor:PHP\/multiobf.A","server",0,[]],["G449\/rule#1",1466092167,"preg_replace\\s*\\(\\s*[\"'](?:\\\\x?[a-f0-9]{2,3})[^\\^]{10,30}\\^\\s*[\"'](?:\\\\x?[a-f0-9]{2,3})","Backdoor:PHP\/pregbackdoor.A","server",0,[9]],["G455\/rules#1",1466101107,"(?:chr\\s*\\([0-9]+\\)[\\.;])+\\s*\\$c_u_f\\s*=","Backdoor:PHP\/cufs.A","server",0,[9]],["G459\/rule#1",1466103318,"preg_replace.{10,20}?e[^,]{1,3}?[^\\\\]{10,30}?\\\\x65\\s*\\\\x76\\s*\\\\x61\\s*\\\\x6C\\s*\\\\x28\\s*\\\\x67\\s*\\\\x7A\\s*\\\\x69\\s*\\\\x6E\\s*\\\\x66\\s*\\\\x6C\\s*\\\\x61\\s*\\\\x74\\s*\\\\x65\\s*\\\\x28\\s*\\\\x62\\s*\\\\x61\\s*\\\\x73\\s*\\\\x65\\s*\\\\x36\\s*\\\\x34\\s*\\\\x5F\\s*\\\\x64\\s*\\\\x65\\s*\\\\x63\\s*\\\\x6F\\s*\\\\x64\\s*\\\\x65","Backdoor:PHP\/preg_replace.A","server",0,[9]],["G461\/rule#1",1466104436,"set_time_limit\\s*\\(\\s*0\\s*\\)\\s*;\\s*ignore_user_abort\\(true\\)\\s*;\\s*defines*\\(\\s*VERSION\\s*,\\s*'[\\w.]{1,5}\\s*'\\s*\\)\\s*;\\s*\\$config\\s*\\[\\s*'\\w{1,20}\\s*'\\s*\\]\\s*=\\s*'[0-9a-fA-F]{32}\\s*'\\s*;","Backdoor:PHP\/massmailer.A","server",0,[9]],["G463\/rule#1",1466107452,"preg_replace\\s*\\(\\s*\"\\\/\\.\\+\\\/esi\\s*\"\\s*,\\s*\"\\s*(?:\\\\x\\w\\w?){10}","Backdoor:PHP\/preg_replace.B","server",0,[9]],["G466\/rule#1",1466111611,"@eval\\s*\\(\\s*\\$_POST\\[\\s*[\"']v[\"']\\s*\\]\\s*\\)","Backdoor:PHP\/evalpost.A","server",0,[6]],["G468\/rules#1",1466111848,"(?P<var_99>\\$[a-z0-9_]+)\\s*=\\s*(chr\\s*\\(\\s*[0-9]+\\)\\s*[\\.;]\\s*)+eval\\s*\\(\\s*(?P=var_99)\\s*\\(\\$_REQUEST\\s*\\[\\s*[\"']?sam","Backdoor:PHP\/evalrequest.A","server",0,[6]],["G472\/rules#1",1466175126,"\\$path\\s*=\\s*\\$dir\\s*\\.\\s*'\\\/index\\.php\\s*'\\s*;\\s*\\$content\\s*=\\s*base64_decode\\s*\\(\\s*'\\w{250}","Backdoor:PHP\/navmenu.A","server",0,[7]],["G474\/rules#1",1466179566,"@error_reporting\\s*\\(\\s*0\\s*\\)\\s*;\\s*define\\s*\\(\\s*'\\s*__SEC_VALUE__\\s*'\\s*,\\s*'\\s*[0-9a-fA-F]{32}\\s*'\\s*\\)\\s*;\\s*define\\s*\\(\\s*'\\s*__MAIN_PATH__\\s*'","Backdoor:PHP\/secvalue.A","server",0,[10]],["G476\/rules#1",1466181609,"readf2\\.php[^\\?]{1,10}?[^p]{1,10}?password=systemseo[^<]{40,50}?<!\\-\\-\\s*read_url[^<]{20,30}?<!\\-\\-\\s*read_url","Backdoor:PHP\/reflect.A","server",0,[4]],["G478\/rules#1",1466181609,"\\$cbblq.+?vkel.+?\\$ews[^=]*=.+?\\$ews[^\\(]*\\(","CookieAttack","server",0,[9]],["G480\/rules#1",1466182545,"\\\/cheapest\\-without\\-prescription\\-no\\-prescription","SpamPage","both",0,[]],["G480\/rules#2",1466182545,"\\\/cost\\-of\\-aldara\\-5\\-cream\\-online\\-where\\-can\\-i\\-buy\\-imiquimod\\-250\\-mg\\-no\\-prescription","G480\/rules","server",0,[]],["G480\/rules#3",1466182545,"\\\/medications\\-best\\-place\\-zelnorm","G480\/rules","server",0,[]],["G480\/rules#4",1466182545,"\\\/buy\\-online\\-without\\-prescription","G480\/rules","server",0,[]],["G480\/rules#5",1466182545,"\\\/medications\\-best\\-place\\-baclofen","G480\/rules","server",0,[]],["G484\/rule#1",1466184625,"mplode\\(array_map\\(\"sdfiedv\",str_spgb2dc","Backdoor:PHP\/sdfidev.A","server",0,[]],["G488\/rule#1",1466186301,"eval\\s*\\(\\s*eval\\s*\\(\\s*[\"']String.fromCharCode","Backdoor:PHP\/doubleEval.A","server",0,[6]],["G492\/rule#1",1466190954,"\\$assumed\\s*+=\\s*+'\"TTee\"MC'\\s*+;\\s*+\\$cutler='O'\\s*+;\\s*+\\$carts=\\s*+'_RaeVfd'\\s*+;\\s*+\\$emirate\\s*+=","Backdoor:PHP\/amuses.A","server",0,[9]],["G496\/rules#1",1466192585,"cac5\\\/\\?useragent=\\$_SERVER\\[[\"']?HTTP_USER_AGENT[\"']?\\]&domain=\\$_SERVER\\[[\"']?HTTP_HOST[\"']?\\]","Behavior:PHP\/useragent.A","server",0,[9]],["G500\/rules#1",1466193564,"peerychiropractic.com\\\/db\\\/layout3.txt","Backdoor:PHP\/peery.A","server",0,[1]],["legacy-1",1458883265,"eval.*?base64_decode","Suspicious eval with base64 decode.",null,1,[3]],["legacy-115",1458883265,"ZXZhbC","eval base64 encoded",null,1,[]],["legacy-99",1458883265,"\\$\\{\\\"\\\\x[0-9a-zA-Z]{1,4}\\\\x[0-9a-zA-Z]{1,4}\\\\x[0-9a-zA-Z]{1,4}\\\\x[0-9a-zA-Z]{1,4}\\\"\\}\\[","f649 infection",null,1,[]],["G311\/rule#4",1465105605,"if\\s*\\(\\s*\\$_GET\\[\\s*[\"']file[\"']\\s*\\].{10,100}?header\\s*\\(.{1,100}?echo\\s*lzw_decompress\\s*\\(","G311 - obuscated code","server",1,[5]]],"commonStrings":["<\\?php","\\.(?:com|net|org|ru|su)","https?(\\?)?:","code","\\.php","echo","eval","content","include","<(?:\\?(?:\\s|php|=)|%(?:\\s|=)|script)","error_reporting","<a"],"signatureUpdateTime":1466193564,"word1":"eval()","word2":"base64()","word3":"base64","badstrings":["eval(","base64_decode(","unpack(","str_rot13(","urldecode("]}