HiddenShell"; //Kills HiddenShell $signature[25] = "ini_get('safe_mode')"; //Most shells check safe_mode $signature[26] = "lama's'hell v"; //Kills lama's'hell $signature[27] = "ini_get("safe_mode")"; //Quotes instead of apostrophies $signature[28] = "perl /tmp/bind.pl"; //Kills binding $signature[29] = "perl /tmp/reverse.pl"; //Kills Reverse-con $signature[30] = "Nexpl0rer Shell"; //Kills Nexpl0rer $signature[31] = "NetJackal"; //Kills PHPJackal $signature[32] = "PHPJackal"; //Kills PHPJackal $signature[33] = "Root-Access Shell"; //Kills Root-Access Shell $signature[34] = "Safe Mode Shell"; //Kills Safe Mode Shell $signature[35] = "PHP Emperor"; //Kills code by PHP Emporer $signature[36] = "Safe_Mode Bypass"; //Kills shells advertising a safe_mode bypass $signature[37] = "SimAttacker"; //Kills SimAttacker $signature[38] = "Fake Mail- DOS E-mail By Victim Server"; //SimAttacker (alt method) $signature[39] = "Simorgh Security"; //Kills SimAttacker and SimShell $signature[40] = "SimShell"; //Kills SimShell $signature[41] = "StAkeR ~ Shell"; //Kills StAkeRShell $signature[42] = "--==[[MANNU SHELL by Team IndiShell]]==--"; //Kills Mannu Shell by Team IndiShell $signature[43] = "Mannu Shell"; //Kills Mannu Shell (alt method) $signature[44] = "Team IndiShell"; //Kills shells by Team IndiShell $signature[45] = " - PoisonShell"; //Kills PoisonShell $signature[46] = "U2hlbGwgTG9jYXRpb24="; //Base64 "Shell Location" $signature[47] = "MD5 Cracker"; //Many shells offer an MD5 hash cracker $signature[48] = "CCCP Modular Shell"; //Kills CCCP Shell $signature[49] = "Lifka Shell"; //Kills Lifka Dhell $signature[50] = "$target"; //No legit reason to use this as a variable $signature[51] = "ITSecTeam, IT Security Research & Penetration Testing Team"; //Kills ITSecTeam $signature[52] = "ITSecTeam Shell"; //Kills ITSecTeam Shell $signature[53] = "Disable Safe Mode"; //No legit reason to disable safe_mode $signature[54] = 
"IyEvdXNyL2Jpbi9wZXJsCnVzZSBTb2NrZXQ7JHBvcnQ9JEFSR1ZbMF07JHByb3RvPWdldHByb3Rv"; //rand encrypted string from a shell $signature[55] = "63a9f0ea7bb98050796b649e85481845"; //md5 of "root" $signature[56] = "?kill=done"; //Shells often have a suicide feature $signature[57] = "confirm('Do you indeed want to delete"; //Shell suicide feature $signature[58] = "Your shell script was succefully deleted!"; //Shell suicide feature $signature[59] = "Ftp Quick Brute"; //Shells with FTP Brute forcer $signature[60] = "eXecute"; //Stylized command $signature[61] = "TeaMp0isoN Shell - Private Build [BETA]"; //Kills leaked TeaMp0isoN Shell $signature[62] = "TeaMp0isoN Shell"; //Kills any TeaMp0isoN shell $signature[63] = "ShellBanner"; //Kills TeaMp0isoN Shell (alt method) $signature[64] = "$adflyLink = "http://adf.ly/".$adflyLink"; //Kills AdFly Shell $signature[65] = "html { background:url(http://www.ajithkp560.hostei.com/images/background.gif) black; }"; //Looked up a string $signature[66] = "NC sHE3L"; //Looked up a string $signature[67] = "http://priv8.iblogger.org/s.php"; //Looked up a string $signature[68] = "Importer T00lz"; //Looked up a string $signature[69] = "$r0x=file_get_contents('http://www.music4fun.org/r0x3d/r0x/'.$d)"; //Looked up a string $signature[70] = ""; //Looked up a string $signature[71] = "$x = preg_replace('/(.*)\?.*/ie', '\\1?redirect=login.php', $_SERVER['PHP_SELF'])"; //Looked up a string $signature[72] = "system($_COOKIE["; //Kills some code-execution $signature[73] = "include($_GET["; //Kills some code-execution $signature[74] = "eval($_POST["; //Kills some code-execution $signature[75] = "strrev("edoced_46esab"("; //Kills some sneaky shit $signature[76] = "eval(file_get_contents("; //Kills some code-execution $signature[77] = "passthru(file_get_contents("; //Kills some code-execution $signature[78] = "exec(file_get_contents(";//Kills some code-execution $signature[79] = "if(empty($_GET['ip']) || empty($_GET['port']) || empty($_GET['length']))"; 
//Kills ASDA's Shell $signature[80] = "Private Denial-of-Service Shell | Created by ASDA"; //Kills ASDA's Shell $signature[81] = "the web server - you will have less chance of the"; //Kills ASDA's Shell $signature[82] = "$sock = @fsockopen("udp://{$_GET['ip']}", $_GET['port'], $errno, $errstr, 10)"; //Kills ASDA's Shell $signature[83] = "$out .= 'X'"; //Kills almost all DoS Shells $signature[84] = "\___ \| '_ \ / _ \ | |"; //Kills green DoS shells $signature[85] = "//print "Started: ".time('d-m-y h:i:s')."
"; //Kills some DoS Shells $signature[86] = "$rand = rand(1,65000)"; //Kills almost all DoS Shells $signature[87] = "PHP DOS v1.8 (Possibly Stronger Flood Strength)"; //Kills PHP DoS $signature[88] = ""; //Kills PHP DoS $signature[89] = "After initiating the DoS attack, please wait while the browser loads."; //Kills PHP DoS $signature[90] = "www.ZeroDayExile.com"; //Kills PHP DoS $signature[91] = "$millink="http://milw0rm.com/"; //Kills some shells $signature[92] = "back.c"; //Kills some backconnect $signature[93] = "[Backdoor Host]"; //Kills some shells $signature[94] = "[milw0rm it!]"; //Kills some milw0rm exploit searches $signature[95] = "ini_get("disable_functions")"; No legit reason to get the disabled functions $signature[96] = "act=phptools"; //Kills almost all DoS Shells $signature[97] = "JHNoX2lkID0gIlcwTjVZbVZ5SUVGdVlYSmphSGtnVTJobGJHeGQiOw0KJHNoX25hbWUgPSBiYXNl"; $signature[98] = "echo"
Host: $m_host
Database: $m_db
Database Type: $m_dbtype
User: $m_user
Pass: $m_pass
Admin Directory: $m_adir
Super Admin UIDs: ";"; $signature[99] = "Created by -:[GreenwooD]:- "; //Kills shell by GreenwooD $signature[100] = "// Created by greenwood from n57"; //Kills shell by GreenwooD $signature[101] = "// It's simple shell for all Win OS."; //Kills shell by GreenwooD $signature[102] = "

You have been hack By Shany with Love To #worst.

"; //Kills Shany's shell $signature[103] = "

Watch Your system"; //Kills Shany's shell $signature[104] = "set_magic_quotes_runtime(0)"; //No legit reason for this $signature[105] = "explink = 'http://exploit-db"; //Kills some exploit searches $signature[106] = " reverse (login -> nigol)"; //Kills some reverse-con $signature[107] = "perl /tmp/bc.pl"; //Kills some backconnect $signature[108] = "/ . | | __ /| ( `. | \ /"; //Kills Jiin Shell V3 $signature[109] = "Private UDP Shell"; //Kills some shells $signature[110] = "if($check == "phptools"){"; //Kills Jiin Shell $signature[111] = "$check = htmlspecialchars($_GET['act'])"; //Kills Jiin Shell $signature[112] = "$fp = stream_socket_client('udp://'.$host.':80', $errno, $errstr"; //Kills Jiin Shell $signature[113] = "__,-='=====____ ==================="; //Kills Jiin Shell V4 $signature[114] = "FSockOpen() BYPASS, Infinite Time unlock"; //Kills Jiin Shell $signature[115] = "sauer.tuamamma"; //Kills anything containing Jiin's Skype $signature[116] = "|_______ | \__/ | |_______ |_______ | | |"; //Kills "SMEELO" TCP Shell $signature[117] = "This is for testing purposes only, only test TCP flooding on a server if you have permission."; //Kills "SMEELO" TCP Shell $signature[118] = "|| .:::::' ':::::::::. 
::::: ':::."; //Kills BurnerTM Shell $signature[119] = "Burner is Very Sexy and Has Teh Best Sh3llz"; //Kills BurnerTM Shell $signature[120] = "aZ6qstij+Eiccoun8vW0vU5ti78HTXi5zIQ10Ahupml7FbCMWBhF9Mvx/Lahu8KUY9VryYBSNdBGW7E"; //Random string from encoded shell $signature[121] = "UsqGa3wZDHz37XVP9aTXLJK/UwPSmC1jCjKfwPKsviKcS4I/z8MSny/O7rvX+AUTFuqyJ6PUj7PjUf1"; //Random string from encoded shell $signature[122] = "$fp = fsockopen($schema.$host, $rand"; //Kills Orgy's twBooter 1.6 leaf shell $signature[123] = "if(isset($_GET['host'])&&is_numeric($_GET['time'])){"; //Kills Orgy's twBooter 1.6 leaf shell $signature[124] = "$bootallowed = $row['nextboot']"; //Cripples twBooter Web 1.6, for shiggles $signature[125] = ""; //In most booter sources based on twBooter Web 1.6 $signature[126] = "boot.php?user=' . $bootuser . '&host=' . $host . '&port=' . $port . '&time=' . $time . '&ip=' . $_SERVER['REMOTE_ADDR'] . '&power=' . $power"; //More targetting twBooter $signature[127] = "SELECT * FROM shells WHERE status='up'")"; //Kills twBooter Web 1.6 and ALL source rips $signature[128] = "$sql = "DELETE FROM shells WHERE id='$del_id"; //Cripples twBooter Web 1.6's shell manager $signature[129] = "DDoS Sent! Wait until browser refreshes"; //Kills an old webbased booter source, may kill more $signature[130] = "$thepath = DIRNAME($_SERVER['PHP_SELF'])"; //Kills same webbased source as 129 $signature[131] = "Add Shells | Manage Shells"; //Kills XBL Booter admin panel $signature[132] = "echo "
Don't even try booting my booter. Your Account has been terminated and IP logged.
"; //Kills XBL Booter booting page $signature[133] = "$qry = "INSERT INTO members(firstname, login, passwd, paypal) VALUES('$fname','$login','".md5($_POST['password'])."','$email"; //Kills XBL Booter registration-processing page $signature[134] = "$Query = "SELECT * FROM `getshells"; //Kills booters using aadster's hub $signature[135] = "$mc = EpiCurl::getInstance()"; //Kills aadster's hub $signature[136] = "$shell .= "?act=phptools&host={$host}&time={$time}&port={$port"; //Kills booters using aadster's hub $signature[137] = "//POST SHELL SUPPORT"; //Kills booters using aadster's hub $signature[138] = "~~Alb0zZ Team shell~~"; //Kills Alb0zZ Team Shell $signature[139] = "~coded by 0x0 from Alb0zZ Team (Albanian Hacker)"; //Kills Alb0zZ Team Shell $signature[140] = "IyEvdXNyL2Jpbi9lbnYgcGVybA0KIyBkZXZpbHpjMGRlLm9yZyAoYykgMjAxMg0KDQp1c2UgU29ja2V0Ow0KDQokcG9ydCA9IDEzMTIzOw0KDQokcHJvdG9"; //Kills Alb0zZ Team Shell $signature[141] = "DQoJCQkJCTxoMj5EaXJlY3RvcnkgbGlzdGluZyBmb3IgXCIuJHRhcmdldC5cIjwvaDI+DQoJCQkJCTxocj48dWw"; //Kills Alb0zZ Team Shell $signature[142] = "    symlink"; //Kills Alb0zZ Team Shell $signature[148] = ""; //Kills Alb0zZ Team Shell $signature[149] = ""; //Kills Alb0zZ Team Shell $signature[150] = "IyBPdmVycmlkZSBkZWZhdWx0IGRlbnkgcnVsZSB0byBtYWtlIC5odGFjY2VzcyBmaWxlIGFjY2Vzc2libGUgb3ZlciB3ZWINCjxGaWxlcyB+IFwiXlxcLmh0XCI"; //Kills Alb0zZ Team Shell $signature[151] = "Kuroakis Symlink Shell"; //Kills Kuroakis Symlink Shell $signature[152] = "[ Upload File][ Domains / Symlink ][ Domains / Script ]"; //Kills Kuroakis Symlink Shell $signature[153] = "target='_blank'>config";}elseif (strpos($cfig555,'200') =="; //Kills Kuroakis Symlink Shell $signature[154] = "target='_blank'>mybb 3";}elseif (strpos($vb111,'200') =="; //Kills Kuroakis Symlink Shell $signature[155] = "ucDOAq+lIztrU9JhTp6vgLnxspfaPDXxLvxJ0n4TLcj61O7mJSq1AT9rqNRLQnEaEz67DLBpJU4mM9l/h5ISueqXH+c4mUTaTwJ9aiZxccDe+CQzXmIz4DG9TS41U5sOm6VCRfR1l3zR5FwemJDjX7FQZAm2ZN6"; //Kills Kuroakis Symlink Shell 
$signature[156] = "TPuzPtI+aiwViG4/aPcb3XgJNr0+cc4pp9o5tljMtTiqvfg4joMs1Fcyf4+2/hUudCr5INnRy9raNtofLf12SmWyCk0LUu5StToT/YHjcES19Ff+qR/QBxn01JtZMgUEjU1egTSG0sjpKc5LjlGdXZkOvMfJDN9btb70N0JBCdlLmZx6yLCoMYjVsROJh66pL2l5WNfSmyFT/tZG1aG/hrAc7woAoquiaL+w9E8+nU94UvN3u39Nv4/yQCJunN4mtnTGXWcJuWVNWgfi4"; //Kills Kuroakis Symlink Shell $signature[157] = "l5+19gXaCe+dYidWrMqYtu07o9IZ/io2XXNBeZOUmQYiFg3U6aRhNwCRvyBzjuHBlBhf8Yu4HH84+mhATXjqfV3NyU/Jvi8+l1QmyfWwapTqE2kOiDOEr1GLBfZd3s6HaCM4I1NGppnjXuGxtxTiaAgLJDckEl8UxbykQKz+AwYI0WRixL0uw21usQG/ahRh0DAHM2lO5ifFJ0gIruoJZnUU8nCFfwoHsuRkcd8C7euzPIv6Q6QFZ7/1Gbzd3YVre"; //Kills Kuroakis Symlink Shell $signature[158] = "* Developed exclusively for twBooter2"; //Kills twBooter2 scripts $signature[159] = "//=========+++#root Shell+++===========//"; //Kills #root V.1 PHP Shell $signature[160] = "FiaWxpdHkgYW5kIHNlY3VyaXR5ICBjaGVjayBvZiBhbnkgd2ViIHNlcnZlciBvciB3ZWJzaXRlLiBZb3UgY2FuIGNoZWNrIHlvdXIgV2Vic2l0ZSBhbmQgcmVtb3RlIHdlYiBzZXJ2ZXIgU2VjdXJpdHkuIFRoaXMgc2hlbGwgcHJvd"; //Kills #root V.1 PHP Shell $signature[161] = "0ZWRpbnJlZC4gSSBsaWtlIHRvIHRoYW5rZnVsIHRvIG15IGJyb3NraWlzIDxzcGFuIGNsYXNzPSJzdHlsZTEiPkJ6ZWVSZWJlbCBhbmQgQ2xheSBFdmFuczwvc3Bhbj4gd2hvIGluc3BpcmUgYW5kIGhlbHBlZCBtZSB0byBkZXZlbG9w"; //Kills #root V.1 PHP Shell $signature[162] = "Shell Tutorial"; //Kills #root V.1 PHP Shell $signature[163] = "ib3JkZXItY29sb3I6IzNDM0MzQzt9DQphIHtjb2xvcjojZmZmO291dGxpbmU6bm9uZTt0ZXh0LWRlY29yYXRpb246bm9uZTt9DQphOmhvdmVye3RleH"; //Kills #root V.1 PHP Shell $signature[164] = "CmZvbnQtc2l6ZTogMTJweDsNCn0NCi5saXsNCgljb2xvcjogIzMzQ0NDQzsNCgl0ZXh0LWRlY29yYXRpb246bm9uZTsNCglmb250LWZhbWlseTogQ291cmllciBOZXcsIENvdXJpZXIsIG1vbm9zcGFjZTsNCmZvbnQtc2l6ZTo"; //Kills #root V.1 PHP Shell $signature[165] = "#root V.1 PHP UDP Shell"; //Kills #root V.1 PHP Shell $signature[165] = "#root V.1 PHP Shell is a PHP Script, which is hardly detectable as malicious code created for checking the vulnerability and security check of any web server or website. 
You can check your Website and remote web server Security."; //Kills #root V.1 PHP Shell $signature[166] = "aW5pX3NldCgnc2FmZV9tb2Rl"; //Base64 "ini_set('safe_mode" $signature[167] = "aW5pX3NldCgic2FmZV9tb2Rl"; //Base64 "ini_set("safe_mode" $signature[168] = "aW5pX3NldCgnbG9nX2Vycm9ycw=="; //Base64 "ini_set('log_errors" $signature[169] = "aW5pX3NldCgibG9nX2Vycm9ycw=="; //Base64 "ini_set("log_errors" $signature[170] = "aW5pX3NldCgiZGlzYWJsZV9mdW5jdGlvbnM="; //Base64 "ini_set("disable_functions" $signature[171] = "aW5pX3NldCgnZGlzYWJsZV9mdW5jdGlvbnM="; //Base64 "ini_set('disable_functions" $signature[172] = "else if ($_GET['type'] == "slowloris")"; //Kills twShell $signature[173] = "else if ($_GET['type'] == "http")"; //Kills twShell $signature[174] = "Slowloris Flood"; //Kills slowloris and leaf shells $signature[175] = "JGZwID0gZnNvY2tvcGVuKCRzY2hlbWEuJGhvc3QsICRyYW5k"; //Base64 "$fp = fsockopen($schema.$host, $rand", kills Orgy's twBooter Web 1.6 leaf shell $signature[176] = "RGlzYWJsZSBTYWZlIE1vZGU="; //Base64 "Disable Safe Mode" $signature[177] = "Zmxvb2QgY29tcGxldGU="; //Base64 "flood complete" $signature[178] = "c3RycmV2KCJlZG9jZWRfNDZlc2FiIig="; //Base64 "strrev("edoced_46esab"(" $signature[179] = "PHP Shell"; //Kills php-web-shell $signature[180] = "guest@php-web-shell:~ $ "; //Kills php-web-shell $signature[181] = "phpShell::execPHP($cmd);"; //Kills php-web-shell $signature[182] = "config.php file for PHP Shell"; //Kills PHP Shell $signature[183] = "pwhash.php file for PHP Shell"; //Kills PHP Shell $signature[184] = "define('PHPSHELL_VERSION"; //Kills PHP Shell $signature[185] = "
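Warning: Safe-mode is enabled."; //Kills PHP Shell
$signature[186] = "Phpshell running on: "; //Kills PHP Shell
// Single-quoted so the embedded double quote stays part of the needle instead of ending the literal.
$signature[187] = 'print("You are editing this file: '; //Kills PHP Shell
$signature[188] = "http://phpshell.sourceforge.net"; //Kills PHP Shell

$bgtime = time();   // Start of the run, used for the elapsed time computed at the end
$fileCount = 0;     // Files whose contents were read and compared against $signature
$infectCount = 0;   // Files that matched at least one signature

Start();

// Walks $path recursively and hands every regular file to scanFile().
//   $path  - directory to walk, defaults to the current working directory.
//   $level - recursion depth; passed down on each recursive call, not otherwise used.
// "cgi-bin", "." and ".." are skipped. Symbolic links are skipped as well, because
// scanFile() truncates and deletes what it flags: following a link could destroy a
// file outside the scanned tree, and a link cycle would recurse without end.
function Start($path = ".", $level = 0)
{
    $ignore = array("cgi-bin", ".", "..");

    $dh = @opendir($path);
    if ($dh === false) {
        // Unreadable directory. Without this guard readdir() is handed a non-resource
        // and the loop below never sees the false that ends it.
        return;
    }

    while (false !== ($file = readdir($dh))) {
        if (in_array($file, $ignore, true)) {
            continue;
        }

        $full = "$path/$file";
        if (is_link($full)) {
            continue;
        }

        if (is_dir($full)) {
            Start($full, $level + 1);
        } else {
            scanFile($full);
        }
    }

    closedir($dh);
}

// Compares one file against every entry of the global $signature list and, on the
// first match, empties and deletes the file.
//   $file - path as built by Start().
// Updates the globals $fileCount (files read) and $infectCount (files flagged).
//
// NOTE(review): matching is a case-insensitive substring test and the action is
// irreversible. Generic needles in the list ("eXecute", "PHP Shell", "back.c") also
// occur in ordinary application code, so a false positive deletes a legitimate
// file, and deletion also destroys the sample an incident responder would want.
// Run this only against a tree that has a backup, or change the action to
// quarantine the file instead.
function scanFile($file)
{
    global $signature, $fileCount, $infectCount;

    // Only regular files: a FIFO or device node would block or misbehave on read.
    if (is_link($file) || !is_file($file)) {
        return;
    }

    $size = @filesize($file);
    if ($size === false || $size > 5242880) {
        return; // Unreadable, or larger than 5 MiB
    }

    // Never scan this script: it contains every signature and would delete itself.
    // The PHP_SELF comparison is the original check and only holds when the script
    // sits in the directory being scanned; the realpath() comparison covers the rest.
    if (isset($_SERVER["PHP_SELF"]) && $file == "." . $_SERVER["PHP_SELF"]) {
        return;
    }
    $real = realpath($file);
    if ($real !== false && $real === realpath(__FILE__)) {
        return;
    }

    $file_cont = @file_get_contents($file);
    if ($file_cont === false) {
        return;
    }
    $fileCount++;

    // foreach rather than an index loop: the list has gaps in its numbering, so
    // counting from 0 to sizeof() reads undefined slots and never reaches the last
    // entries.
    $hit = null;
    foreach ((array) $signature as $index => $needle) {
        // Skip entries that are empty at runtime (the list holds several "" entries,
        // and a double-quoted entry that is only a variable name interpolates to "").
        // An empty needle matches every file on PHP 8.
        if (!is_string($needle) || $needle === '') {
            continue;
        }
        if (stripos($file_cont, $needle) !== false) {
            $hit = $index;
            break; // One match is enough; count each flagged file once
        }
    }

    if ($hit === null) {
        return;
    }

    $infectCount++;

    // Leave a trace of what is about to be destroyed.
    error_log("scanFile: removing $file (signature #$hit, sha1 " . sha1($file_cont) . ")");

    // Mode 'w' truncates on open. ftruncate() and fclose() take the handle, not the path.
    $fh = @fopen($file, 'w');
    if ($fh !== false) {
        ftruncate($fh, 0);
        fclose($fh);
    }

    if (!@unlink($file)) {
        error_log("scanFile: could not delete $file");
    }
}

$time = (time() - $bgtime); // Elapsed seconds for the whole scan
?>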