#eval /* */
eval\/\*[a-z0-9]+\*\/

#
eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\);

# chr(101).chr(118).chr(97)
(chr\(\d+\^\d+\)\.){4,}

# $_uU(101).$_uU(118).$_uU(97)
(\$\_[a-z0-9]{2,}\(\d+\)\.){4,}

# $uUx[101].$uUx[118].$uUx[97]
(\$[a-z0-9]{3,}\[\d+\]\.){4,}

#
chr\(\d+\)\.""\.""\.""\.""\.""

# escaped commands pl.: "eval(base64_decode(" equal "\145\166\141\154\050\142\141\163\145\066\064\137\144\145\143\157\144\145\050"
(\\[0-9]{3}){6,}

#
\$GLOBALS\[\$GLOBALS['[a-z0-9]{4,}'\]\[\d+\]\.\$GLOBALS\['[a-z-0-9]{4,}'\]\[\d+\].

#
\$GLOBALS\['[a-z0-9]{5,}'\] = \$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.

#
eval\([a-z0-9_]+\(base64_decode\(

#
\$[a-z]{3,}=\$[a-z]{3,}\("",\$[a-z]{3,}\);\$[a-z]{3,}\(\);

#
{\s*eval\s*\(\s*\$

#
Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents

#execute base64 code
eVaL\(\s*trim\(\s*baSe64_deCoDe\(

# execute escaped code
exec\("(\\[0-9a-fx]{2,3}){3,}

#
if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text

# Write HTTP Request to File
fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[

# Download Remote Code
echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)

# 'eval' in ascii chr() chars
chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)

#
(\$OOO_O_000_\{\d+\}.){3,}

#Detects the '_' character encoded in a string like "\x5F".  '_' is present in many functions that malware would want to hide.
# '_' as "\x5f"
# \\[Xx](5[Ff]) - removed because generate many false positives

#Detects the '_' character placed inside a call to the 'chr()' function
# '_' as 'chr(95)' or 'chr(0x5f)'
chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)

#Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars.
#260 was a threshold chosen because strings of 256 characters are common enough.  Might increase later to reduce false positives.
#Long base64 quoted string.
['"][A-Za-z0-9+\/]{260,}={0,3}['"]

#Detects long single lines contained within PHP tags.
#We can increase from 1100 later if we need to.
#Long single line of PHP.
^.*<\?php.{1100,}\?>.*$

#Escaped path characters: \x2fho\x6de/\x69mp\x75ls\x69oq\x65/w\x77w. or \x2fhome\x2fimpu\x6csioq\x65/www\x2emusc
(\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}

#Malware inffected files sometimes marked with comments like /*87cda*/ to avoid infect again
\/\*[a-z0-9]{5}\*\/

# XOR-ed strings with custom math
%\(\d+\-\d+\+\d+\)==\(\-\d+\+\d+\+\d+\)

# XOR-ed strings with custom math 2.
\(\$[a-zA-Z0-9]+%\d==\(\d+\-\d+\+\d+\)

# eval code from POST on second nested level
eval\(\$[a-z0-9_]+\(\$_POST

# characted concated with chr() alteast 3 times
("[a-z0-9]+"\.chr\(\d+\)\.){3,}

# nested function call used variables
\$[a-z0-9_]+\(\$[a-z0-9_]+\(

# GLOBALS inject with escaped content
\$GLOBALS;\$\{"\\x

# web shells host type extraction RE
php_uname\(["'asrvm]+\)

# XOR decode POST-ed payload
(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}

# uncommon function name underscore with many numbers
function\s+_[0-9]{8,}\(

# escaped include with error hiding
@include ".*?(\\x[0-9a-f]{2,}.*?){2,}.*?";

# create_function is dangerous as like eval() see http://php.net/manual/en/function.create-function.php
create_function\s*\(\s*['"]{2}

# control concated from cookie at the call
(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}

# ${$O{18}.$O{7}.$O{24}.$O{2}.$O{50}.$O{8}
(\$[A-Z]+\{\d+\}\.){3,}

# comment in variable name $_REQUEST /*YUsrqpbzvXTSa...QpDNTPYQvLSFPCqsSnWNVqPdSIAYaQj*/[
\$_REQUEST\s*\/\*[A-Za-z]+\*\/\[

# cookie payload if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==55&&in_array(gettype($p).count($p),$p))?(($p[68]=$p[68].$p[22])&&($p[35]=$p[68]($p[35]))&&($p=$p[35]($p[13],$p[68]($p[45])))&&$p()):$p;}
\(count\(\$p\)==\d+&&in_array\(gettype\(\$p\)\.count\(\$p\),\$p\)\)

# gzipped payload post process
explode\('\|\x01\|\x03\|\x03', gzinflate\(

# backdoor reported #71
@header\(\w{3,5}::\w{1,2}\('_\w{1,3}' \. '\w{1,3}', '_\w{1,3}'\)\);
@header\(\w{3,5}::\w{1,2}\('_\w{1,3}', '_' \. '\w{1,3}' . '\w{1,3}'\)\);

# backdoor reported #72
@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);

# reported #77
\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);

# eval function return and concat
eval\([A-Za-z0-9]{5,}\(\) \. '

# eval function return, parameter is a hex string
eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}

# gzip payload called by variable named function
\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E

# obfuscated code return with error suppression
return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],

# htaccess alternating
[a-z]{1}\([a-z]{1}\(\$[a-z]{2}\.'\/\.htaccess'\)
