EmoTHC/Shellkiller


SUBMITTED BY: Guest

DATE: Sept. 5, 2013, 3:02 a.m.

FORMAT: PHP


  1. <?php
  2. ## Shellkiller by EmoTHC ##
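  // Signature table: literal byte strings that scanFile() searches for,
  // case-insensitively, in every file it reads. Any file containing one of
  // them is deleted.
  //
  // Every entry is a single-quoted literal on purpose. The entries contain
  // PHP source fragments ($target, $host, $_GET[...]) and embedded quotes; in
  // double quotes those either break parsing or interpolate undefined
  // variables, which collapses a signature to an empty or near-empty needle.
  // On PHP 8 an empty needle is accepted by stristr() and matches every file,
  // so an interpolated '$target' would flag the whole tree for deletion.
  // Backslashes are doubled so each entry equals the text shown in the listing.
  //
  // Built as one list so no index can be assigned twice (the original set
  // index 165 two times, silently dropping one signature).
  //
  // NOTE(review): several entries are very broad ('$target', 'eXecute',
  // 'MD5 Cracker', 'back.c', 'ini_get(...)', 'set_magic_quotes_runtime(0)')
  // and also occur in legitimate applications. Because a match leads straight
  // to deletion, review the list against the code base before running it.
  $signature = array(
      'c99shell.php v.',
      'PHP Shell 2.',
      'QAAACg07OHdvdwoNKChUc2Z1cwAAbmlgJ2Rma2t0Cg1uYScvJgAAYXJpZHNuaGlYYn9udHN0LwAAJWBi?c2puZHVoc25qYiUuLiqAJ3wCJScBqS8BkGsDEC8j',
      'QAFzOzh3b3cNKAAAVi0oBpAAMAAAFSckJwAQAFK/9wCAJwCSAFIAAAknBZ8AAAYnBGEAQQVxAEAAsSQDzwAABScCwf79CLMDkAAwAQMD3wAABScC0SQAUwB0?',
      'HJ3XjttcmlJfcu7mB2vBnIDGNFFFzDmTNw3mIOZZPv2wGjDsgg2XqGbOt/dNslH/+//+9e//KY6k+6dtmqHskq34J1rWgsD+kxfZmBf//K8oo+IyH0z3i8sp',
      'FJ3HjqTamkZfpWd9JAZ4J13dIzwBBN5PWnjvPU/fkTXJUmVGBGz+/X1rVYTIf//7n3//pziT/p/qbcayT/binzTZCgL7v7zIprz4539FBZXbQ1',
      '* Safe0ver Shell //Safe Mod Bypass *',
      'antichat.ru',
      'PHP DOS, coded by EXE', // typical 2-file POST shell
      'DoS Shell',
      'By Jiin', // per the original author, these shells ship with a backdoor
      'Mail Bomber By Risker',
      'Lhasa Apso Shells FTW', // some slowloris shells
      'for($i = 0; $i < 65000; $i++)', // most DoS shells
      'flood complete', // DoS shells that echo when a flood finishes
      'Super Rcon FLOOD for SA-MP 0.3b by PoC!?', // an Rcon flood shell
      'UDP Flood', // UDP and leaf shells
      'TCP Flood', // TCP and leaf shells
      'HTTP Flood', // HTTP and leaf shells
      'M3G4 SH311 by ScripteD', // backdoored shell by scripted2
      '$host, $rand, $errno, $errstr', // almost all DoS shells
      'Dark Shell', // DarkShell
      'Shell Location', // backdoored shells
      'g00nshell v', // g00nshell
      '<title>HiddenShell</title>', // HiddenShell
      'ini_get(\'safe_mode\')', // most shells check safe_mode
      '<title>lama\'s\'hell v</title>', // lama's'hell
      'ini_get("safe_mode")', // same check written with double quotes
      'perl /tmp/bind.pl', // bind shell helper
      'perl /tmp/reverse.pl', // reverse-connect helper
      'Nexpl0rer Shell', // Nexpl0rer
      'NetJackal', // PHPJackal
      'PHPJackal', // PHPJackal
      'Root-Access Shell', // Root-Access Shell
      'Safe Mode Shell', // Safe Mode Shell
      'PHP Emperor', // code by PHP Emperor
      'Safe_Mode Bypass', // shells advertising a safe_mode bypass
      'SimAttacker', // SimAttacker
      'Fake Mail- DOS E-mail By Victim Server', // SimAttacker (alternative string)
      'Simorgh Security', // SimAttacker and SimShell
      'SimShell', // SimShell
      'StAkeR ~ Shell', // StAkeRShell
      '--==[[MANNU SHELL by Team IndiShell]]==--', // Mannu Shell by Team IndiShell
      'Mannu Shell', // Mannu Shell (alternative string)
      'Team IndiShell', // shells by Team IndiShell
      ' - PoisonShell', // PoisonShell
      'U2hlbGwgTG9jYXRpb24=', // Base64 "Shell Location"
      'MD5 Cracker', // many shells offer an MD5 hash cracker
      'CCCP Modular Shell', // CCCP Shell
      'Lifka Shell', // Lifka Shell
      '$target', // variable name; NOTE(review): also common in legitimate code
      'ITSecTeam, IT Security Research & Penetration Testing Team', // ITSecTeam
      'ITSecTeam Shell', // ITSecTeam Shell
      'Disable Safe Mode', // shells offering to disable safe_mode
      'IyEvdXNyL2Jpbi9wZXJsCnVzZSBTb2NrZXQ7JHBvcnQ9JEFSR1ZbMF07JHByb3RvPWdldHByb3Rv', // encoded string taken from a shell
      '63a9f0ea7bb98050796b649e85481845', // md5 of "root"
      '?kill=done', // shell self-removal feature
      'confirm(\'Do you indeed want to delete', // shell self-removal feature
      'Your shell script was succefully deleted!', // shell self-removal feature
      'Ftp Quick Brute', // shells with an FTP brute forcer
      'eXecute', // stylized command label
      'TeaMp0isoN Shell - Private Build [BETA]', // leaked TeaMp0isoN Shell
      'TeaMp0isoN Shell', // any TeaMp0isoN shell
      'ShellBanner', // TeaMp0isoN Shell (alternative string)
      '$adflyLink = "http://adf.ly/".$adflyLink', // AdFly Shell
      'html { background:url(http://www.ajithkp560.hostei.com/images/background.gif) black; }', // string looked up by the original author
      'NC sHE3L', // string looked up by the original author
      'http://priv8.iblogger.org/s.php', // string looked up by the original author
      'Importer T00lz', // string looked up by the original author
      '$r0x=file_get_contents(\'http://www.music4fun.org/r0x3d/r0x/\'.$d)', // string looked up by the original author
      '<imgsrc="http://securityreason.com/gfx/logo.gif?cx5211.php">', // string looked up by the original author
      '$x = preg_replace(\'/(.*)\\?.*/ie\', \'\\\\1?redirect=login.php\', $_SERVER[\'PHP_SELF\'])', // string looked up by the original author
      'system($_COOKIE[', // request-driven code execution
      'include($_GET[', // request-driven code execution
      'eval($_POST[', // request-driven code execution
      'strrev("edoced_46esab"(', // reversed base64_decode call
      'eval(file_get_contents(', // remote/file-driven code execution
      'passthru(file_get_contents(', // remote/file-driven code execution
      'exec(file_get_contents(', // remote/file-driven code execution
      'if(empty($_GET[\'ip\']) || empty($_GET[\'port\']) || empty($_GET[\'length\']))', // ASDA's Shell
      'Private Denial-of-Service Shell | Created by ASDA', // ASDA's Shell
      'the web server - you will have less chance of the', // ASDA's Shell
      '$sock = @fsockopen("udp://{$_GET[\'ip\']}", $_GET[\'port\'], $errno, $errstr, 10)', // ASDA's Shell
      '$out .= \'X\'', // almost all DoS shells
      '\\___ \\| \'_ \\ / _ \\ | |', // ASCII banner of "green" DoS shells
      '//print "Started: ".time(\'d-m-y h:i:s\')."<br>', // some DoS shells
      '$rand = rand(1,65000)', // almost all DoS shells
      'PHP DOS v1.8 (Possibly Stronger Flood Strength)', // PHP DoS
      '<input type="submit" value=" Start the Attack---> ">', // PHP DoS
      'After initiating the DoS attack, please wait while the browser loads.', // PHP DoS
      'www.ZeroDayExile.com', // PHP DoS
      '$millink="http://milw0rm.com/', // some shells
      'back.c', // some back-connect helpers
      '[Backdoor Host]', // some shells
      '[milw0rm it!]', // some milw0rm exploit searches
      'ini_get("disable_functions")', // shells probing the disabled-function list
      'act=phptools', // almost all DoS shells
      'JHNoX2lkID0gIlcwTjVZbVZ5SUVGdVlYSmphSGtnVTJobGJHeGQiOw0KJHNoX25hbWUgPSBiYXNl',
      'echo"<br>Host: $m_host <br>Database: $m_db <br>Database Type: $m_dbtype <br>User: $m_user <br>Pass: $m_pass <br> Admin Directory: $m_adir <br> Super Admin UIDs: ";',
      'Created by -:[GreenwooD]:- ', // shell by GreenwooD
      '// Created by greenwood from n57', // shell by GreenwooD
      '// It\'s simple shell for all Win OS.', // shell by GreenwooD
      '<center><h1>You have been hack By Shany with Love To #worst.</h1></center>', // Shany's shell
      '<center><h1>Watch Your system', // Shany's shell
      'set_magic_quotes_runtime(0)', // NOTE(review): also present in old legitimate code
      'explink = \'http://exploit-db', // some exploit searches
      '<input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)', // some reverse-connect forms
      'perl /tmp/bc.pl', // some back-connect helpers
      '/ . | | __ /| ( `. | \\ /', // Jiin Shell V3 banner
      'Private UDP Shell', // some shells
      'if($check == "phptools"){', // Jiin Shell
      '$check = htmlspecialchars($_GET[\'act\'])', // Jiin Shell
      '$fp = stream_socket_client(\'udp://\'.$host.\':80\', $errno, $errstr', // Jiin Shell
      '__,-=\'=====____ ===================', // Jiin Shell V4 banner
      'FSockOpen() BYPASS, Infinite Time unlock', // Jiin Shell
      'sauer.tuamamma', // contact handle the original author ties to the Jiin shells
      '|_______ | \\__/ | |_______ |_______ | | |', // "SMEELO" TCP Shell banner
      'This is for testing purposes only, only test TCP flooding on a server if you have permission.', // "SMEELO" TCP Shell
      '|| .:::::\' \':::::::::. ::::: \':::.', // BurnerTM Shell banner
      'Burner is Very Sexy and Has Teh Best Sh3llz', // BurnerTM Shell
      'aZ6qstij+Eiccoun8vW0vU5ti78HTXi5zIQ10Ahupml7FbCMWBhF9Mvx/Lahu8KUY9VryYBSNdBGW7E', // string from an encoded shell
      'UsqGa3wZDHz37XVP9aTXLJK/UwPSmC1jCjKfwPKsviKcS4I/z8MSny/O7rvX+AUTFuqyJ6PUj7PjUf1', // string from an encoded shell
      '$fp = fsockopen($schema.$host, $rand', // Orgy's twBooter 1.6 leaf shell
      'if(isset($_GET[\'host\'])&&is_numeric($_GET[\'time\'])){', // Orgy's twBooter 1.6 leaf shell
      '$bootallowed = $row[\'nextboot\']', // twBooter Web 1.6
      '<!-- LOL EASTER EGG :D!!!!!!!! -->', // booter sources based on twBooter Web 1.6
      'boot.php?user=\' . $bootuser . \'&host=\' . $host . \'&port=\' . $port . \'&time=\' . $time . \'&ip=\' . $_SERVER[\'REMOTE_ADDR\'] . \'&power=\' . $power', // twBooter
      'SELECT * FROM shells WHERE status=\'up\'")', // twBooter Web 1.6 and source rips
      '$sql = "DELETE FROM shells WHERE id=\'$del_id', // twBooter Web 1.6 shell manager
      'DDoS Sent! Wait until browser refreshes', // an old web-based booter source
      '$thepath = DIRNAME($_SERVER[\'PHP_SELF\'])', // same web-based source as entry 129
      '<a href="addshells.php">Add Shells</a> | <a href="showshells.php">Manage Shells</a>', // XBL Booter admin panel
      'echo "<font color=white><center>Don\'t even try booting my booter. Your Account has been terminated and IP logged.</center>', // XBL Booter booting page
      '$qry = "INSERT INTO members(firstname, login, passwd, paypal) VALUES(\'$fname\',\'$login\',\'".md5($_POST[\'password\'])."\',\'$email', // XBL Booter registration page
      '$Query = "SELECT * FROM `getshells', // booters using aadster's hub
      '$mc = EpiCurl::getInstance()', // aadster's hub
      '$shell .= "?act=phptools&host={$host}&time={$time}&port={$port', // booters using aadster's hub
      '//POST SHELL SUPPORT', // booters using aadster's hub
      '~~Alb0zZ Team shell~~', // Alb0zZ Team Shell
      '~coded by 0x0 from Alb0zZ Team (Albanian Hacker)', // Alb0zZ Team Shell
      'IyEvdXNyL2Jpbi9lbnYgcGVybA0KIyBkZXZpbHpjMGRlLm9yZyAoYykgMjAxMg0KDQp1c2UgU29ja2V0Ow0KDQokcG9ydCA9IDEzMTIzOw0KDQokcHJvdG9', // Alb0zZ Team Shell
      'DQoJCQkJCTxoMj5EaXJlY3RvcnkgbGlzdGluZyBmb3IgXCIuJHRhcmdldC5cIjwvaDI+DQoJCQkJCTxocj48dWw', // Alb0zZ Team Shell
      '&nbsp;&nbsp;&nbsp;&nbsp;<a style="font-family:vernada;color:pink" href=\'<?php echo $self ?>?go=<?php echo $drive.":\\\\"; ?>&action', // Alb0zZ Team Shell
      '$info .= (($perms & 0x0010) ? \'w\' : \'-\')', // Alb0zZ Team Shell
      '$info .= (($perms & 0x0002) ? \'w\' : \'-\')', // Alb0zZ Team Shell
      '// ddos ./Syrian_Shell', // Alb0zZ Team Shell
      '<title>Alb0zZ Team | Albanian shell</title>', // Alb0zZ Team Shell
      '<a href="?action=symlink" onclick="alert(\'The window will load and load\\nAccess the tool by going to site.com:13123\')">symlink</a>', // Alb0zZ Team Shell
      '<option value="28" >DNS attack through social engineering</option>', // Alb0zZ Team Shell
      '<input type="submit" value="Ex3cut3">', // Alb0zZ Team Shell
      'IyBPdmVycmlkZSBkZWZhdWx0IGRlbnkgcnVsZSB0byBtYWtlIC5odGFjY2VzcyBmaWxlIGFjY2Vzc2libGUgb3ZlciB3ZWINCjxGaWxlcyB+IFwiXlxcLmh0XCI', // Alb0zZ Team Shell
      '<title>Kuroakis Symlink Shell</title>', // Kuroakis Symlink Shell
      '[<a href="?"> Upload File</a>][<a href="?sws=sym"> Domains / Symlink </a>][<a href="?sws=sec"> Domains / Script </a>]', // Kuroakis Symlink Shell
      'target=\'_blank\'>config</a>";}elseif (strpos($cfig555,\'200\') ==', // Kuroakis Symlink Shell
      'target=\'_blank\'>mybb 3</a>";}elseif (strpos($vb111,\'200\') ==', // Kuroakis Symlink Shell
      'ucDOAq+lIztrU9JhTp6vgLnxspfaPDXxLvxJ0n4TLcj61O7mJSq1AT9rqNRLQnEaEz67DLBpJU4mM9l/h5ISueqXH+c4mUTaTwJ9aiZxccDe+CQzXmIz4DG9TS41U5sOm6VCRfR1l3zR5FwemJDjX7FQZAm2ZN6', // Kuroakis Symlink Shell
      'TPuzPtI+aiwViG4/aPcb3XgJNr0+cc4pp9o5tljMtTiqvfg4joMs1Fcyf4+2/hUudCr5INnRy9raNtofLf12SmWyCk0LUu5StToT/YHjcES19Ff+qR/QBxn01JtZMgUEjU1egTSG0sjpKc5LjlGdXZkOvMfJDN9btb70N0JBCdlLmZx6yLCoMYjVsROJh66pL2l5WNfSmyFT/tZG1aG/hrAc7woAoquiaL+w9E8+nU94UvN3u39Nv4/yQCJunN4mtnTGXWcJuWVNWgfi4', // Kuroakis Symlink Shell
      'l5+19gXaCe+dYidWrMqYtu07o9IZ/io2XXNBeZOUmQYiFg3U6aRhNwCRvyBzjuHBlBhf8Yu4HH84+mhATXjqfV3NyU/Jvi8+l1QmyfWwapTqE2kOiDOEr1GLBfZd3s6HaCM4I1NGppnjXuGxtxTiaAgLJDckEl8UxbykQKz+AwYI0WRixL0uw21usQG/ahRh0DAHM2lO5ifFJ0gIruoJZnUU8nCFfwoHsuRkcd8C7euzPIv6Q6QFZ7/1Gbzd3YVre', // Kuroakis Symlink Shell
      '* Developed exclusively for twBooter2', // twBooter2 scripts
      '//=========+++#root Shell+++===========//', // #root V.1 PHP Shell
      'FiaWxpdHkgYW5kIHNlY3VyaXR5ICBjaGVjayBvZiBhbnkgd2ViIHNlcnZlciBvciB3ZWJzaXRlLiBZb3UgY2FuIGNoZWNrIHlvdXIgV2Vic2l0ZSBhbmQgcmVtb3RlIHdlYiBzZXJ2ZXIgU2VjdXJpdHkuIFRoaXMgc2hlbGwgcHJvd', // #root V.1 PHP Shell
      '0ZWRpbnJlZC4gSSBsaWtlIHRvIHRoYW5rZnVsIHRvIG15IGJyb3NraWlzIDxzcGFuIGNsYXNzPSJzdHlsZTEiPkJ6ZWVSZWJlbCBhbmQgQ2xheSBFdmFuczwvc3Bhbj4gd2hvIGluc3BpcmUgYW5kIGhlbHBlZCBtZSB0byBkZXZlbG9w', // #root V.1 PHP Shell
      '<a href=http://www.hackforums.net target=_blank>Shell Tutorial</a>', // #root V.1 PHP Shell
      'ib3JkZXItY29sb3I6IzNDM0MzQzt9DQphIHtjb2xvcjojZmZmO291dGxpbmU6bm9uZTt0ZXh0LWRlY29yYXRpb246bm9uZTt9DQphOmhvdmVye3RleH', // #root V.1 PHP Shell
      'CmZvbnQtc2l6ZTogMTJweDsNCn0NCi5saXsNCgljb2xvcjogIzMzQ0NDQzsNCgl0ZXh0LWRlY29yYXRpb246bm9uZTsNCglmb250LWZhbWlseTogQ291cmllciBOZXcsIENvdXJpZXIsIG1vbm9zcGFjZTsNCmZvbnQtc2l6ZTo', // #root V.1 PHP Shell
      '<u>#root V.1 PHP UDP Shell</u>', // #root V.1 PHP Shell
      '#root V.1 PHP Shell is a PHP Script, which is hardly detectable as malicious code created for checking the vulnerability and security check of any web server or website. You can check your Website and remote web server Security.', // #root V.1 PHP Shell
      'aW5pX3NldCgnc2FmZV9tb2Rl', // Base64 "ini_set('safe_mode"
      'aW5pX3NldCgic2FmZV9tb2Rl', // Base64 "ini_set("safe_mode"
      'aW5pX3NldCgnbG9nX2Vycm9ycw==', // Base64 "ini_set('log_errors"
      'aW5pX3NldCgibG9nX2Vycm9ycw==', // Base64 "ini_set("log_errors"
      'aW5pX3NldCgiZGlzYWJsZV9mdW5jdGlvbnM=', // Base64 "ini_set("disable_functions"
      'aW5pX3NldCgnZGlzYWJsZV9mdW5jdGlvbnM=', // Base64 "ini_set('disable_functions"
      'else if ($_GET[\'type\'] == "slowloris")', // twShell
      'else if ($_GET[\'type\'] == "http")', // twShell
      'Slowloris Flood', // slowloris and leaf shells
      'JGZwID0gZnNvY2tvcGVuKCRzY2hlbWEuJGhvc3QsICRyYW5k', // Base64 "$fp = fsockopen($schema.$host, $rand" (twBooter Web 1.6 leaf shell)
      'RGlzYWJsZSBTYWZlIE1vZGU=', // Base64 "Disable Safe Mode"
      'Zmxvb2QgY29tcGxldGU=', // Base64 "flood complete"
      'c3RycmV2KCJlZG9jZWRfNDZlc2FiIig=', // Base64 "strrev("edoced_46esab"("
      '<title>PHP Shell</title>', // php-web-shell
      '<span id="phpshell-prompt">guest@php-web-shell:~ $ </span>', // php-web-shell
      'phpShell::execPHP($cmd);', // php-web-shell
      'config.php file for PHP Shell', // PHP Shell
      'pwhash.php file for PHP Shell', // PHP Shell
      'define(\'PHPSHELL_VERSION', // PHP Shell
      '<div class="warning">Warning: Safe-mode is enabled.', // PHP Shell
      'Phpshell running on: ', // PHP Shell
      'print("You are editing this file: ', // PHP Shell
      'http://phpshell.sourceforge.net', // PHP Shell
  );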
  // Scan bookkeeping; scanFile() updates the two counters through `global`.
  $infectCount = 0;
  $fileCount = 0;
  // Start-of-run timestamp, used after the scan to compute the elapsed time.
  $bgtime = time();
  // Walk the tree rooted at the current working directory ("." is Start()'s
  // default). Matching files are deleted as they are found.
  Start();
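  /**
   * Recursively walk a directory tree and hand every non-directory entry to
   * scanFile().
   *
   * Entries named "cgi-bin", "." and ".." are skipped at every depth, so
   * anything stored under a cgi-bin directory is never inspected.
   * Symbolic links to directories are not followed: scanFile() deletes what
   * it flags, and following a link could leave the scanned tree or recurse
   * forever on a cycle.
   *
   * @param string $path  Directory to walk; defaults to the working directory.
   * @param int    $level Recursion depth; passed along but not otherwise used.
   * @return void
   */
  function Start($path = ".", $level = 0 ){
      $ignore = array("cgi-bin", ".", "..");
      $dh = @opendir($path);
      // An unreadable or missing directory yields false; readdir()/closedir()
      // must not be called on it (PHP 8 raises a TypeError).
      if($dh === false){
          return;
      }
      while(false !== ($file = readdir($dh))){
          if(in_array($file, $ignore, true)){
              continue;
          }
          $entry = "$path/$file";
          if(is_dir($entry)){
              // is_dir() resolves symlinks, so test the link itself first.
              if(!is_link($entry)){
                  Start($entry, ($level + 1));
              }
          }
          else{
              scanFile($entry);
          }
      }
      closedir($dh);
  }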
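  /**
   * Inspect one file and delete it when its contents contain a known signature.
   *
   * Matching is a case-insensitive substring search of the raw file contents
   * against each entry of the global $signature list. The first hit is enough:
   * the file is truncated and unlinked, and $infectCount is raised once per
   * file. $fileCount counts files whose contents were actually read.
   *
   * Files larger than 5 MiB are skipped without being read, so they are a
   * coverage gap rather than a verified-clean result.
   *
   * NOTE(review): deletion is immediate and irreversible and nothing is
   * recorded. A substring hit on a broad signature removes legitimate files,
   * and removing a real shell discards the sample needed for incident
   * response. Consider copying the file aside and logging the path and the
   * matching signature before enabling this on a production tree.
   *
   * @param string $file Path of the file to inspect.
   * @return void
   */
  function scanFile($file){
      global $signature, $fileCount, $infectCount;

      $size = filesize($file);
      if($size === false || $size > 5242880){
          return;
      }

      // Never scan the scanner: it contains every signature. The PHP_SELF
      // comparison only matches when the scan starts in the document root,
      // so the resolved path of this file is compared as well.
      $phpSelf = isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : "";
      $ownPath = realpath(__FILE__);
      if($file == "." . $phpSelf || ($ownPath !== false && realpath($file) === $ownPath)){
          return;
      }

      $file_cont = file_get_contents($file);
      if($file_cont === false){
          return;
      }
      $fileCount++;

      $flag = false;
      foreach((array) $signature as $needle){
          // An empty needle matches every file on PHP 8; skip it.
          if(!is_string($needle) || $needle === ''){
              continue;
          }
          if(stripos($file_cont, $needle) !== false){
              $flag = true;
              break;
          }
      }
      if(!$flag){
          return;
      }
      $infectCount++;

      // Opening with mode 'w' truncates the file; ftruncate()/fclose() need
      // the handle, not the path string the original passed them.
      $handle = fopen($file, 'w');
      if($handle !== false){
          fclose($handle);
      }
      unlink($file);
  }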
  // Elapsed wall-clock seconds for the whole scan. Neither this value nor the
  // two counters are printed or logged anywhere in this listing.
  $time = time() - $bgtime;
  ?>
