#eval /* */
ZXZhbFwvXCpbYS16MC05XStcKlwvCg==

#
ZXZhbFwoW2EtejAtOV17NCx9XChcJFthLXowLTldezQsfSwgXCRbMC05YS16XXs0LH1cKVwpOwo=

# chr(101).chr(118).chr(97)
KGNoclwoXGQrXF5cZCtcKVwuKXs0LH0K

# $_uU(101).$_uU(118).$_uU(97)
KFwkXF9bYS16MC05XXsyLH1cKFxkK1wpXC4pezQsfQo=

# $uUx[101].$uUx[118].$uUx[97]
KFwkW2EtejAtOV17Myx9XFtcZCtcXVwuKXs0LH0K

#
Y2hyXChcZCtcKVwuIiJcLiIiXC4iIlwuIiJcLiIiCg==

# escaped commands pl.: "eval(base64_decode(" equal "\145\166\141\154\050\142\141\163\145\066\064\137\144\145\143\157\144\145\050"
KFxcWzAtOV17M30pezYsfQo=

#
XCRHTE9CQUxTXFtcJEdMT0JBTFNbJ1thLXowLTldezQsfSdcXVxbXGQrXF1cLlwkR0xPQkFMU1xbJ1thLXotMC05XXs0LH0nXF1cW1xkK1xdLgo=

#
XCRHTE9CQUxTXFsnW2EtejAtOV17NSx9J1xdID0gXCRbYS16XStcZCtcW1xkK1xdXC5cJFthLXpdK1xkK1xbXGQrXF1cLlwkW2Etel0rXGQrXFtcZCtcXVwuXCRbYS16XStcZCtcW1xkK1xdXC4K

#
ZXZhbFwoW2EtejAtOV9dK1woYmFzZTY0X2RlY29kZVwoCg==

#
XCRbYS16XXszLH09XCRbYS16XXszLH1cKCIiLFwkW2Etel17Myx9XCk7XCRbYS16XXszLH1cKFwpOwo=

#
e1xzKmV2YWxccypcKFxzKlwkCg==

#
R29vZ2xlYm90WyciXXswLDF9XHMqXClcKXtlY2hvXHMrZmlsZV9nZXRfY29udGVudHMK

#execute base64 code
ZVZhTFwoXHMqdHJpbVwoXHMqYmFTZTY0X2RlQ29EZVwoCg==

# execute escaped code
ZXhlY1woIihcXFswLTlhLWZ4XXsyLDN9KXszLH0K

#
aWZccypcKFxzKm1haWxccypcKFxzKlwkbWFpbHNcW1wkaVxdXHMqLFxzKlwkdGVtYVxzKixccypiYXNlNjRfZW5jb2RlXHMqXChccypcJHRleHQK

# Write HTTP Request to File
ZndyaXRlXHMqXChccypcJGZoXHMqLFxzKnN0cmlwc2xhc2hlc1xzKlwoXHMqQCpcJF8oR0VUfFBPU1R8U0VSVkVSfENPT0tJRXxSRVFVRVNUKVxbCg==

# Download Remote Code
ZWNob1xzK2ZpbGVfZ2V0X2NvbnRlbnRzXHMqXChccypiYXNlNjRfdXJsX2RlY29kZVxzKlwoXHMqQCpcJF8oR0VUfFBPU1R8U0VSVkVSfENPT0tJRXxSRVFVRVNUKQo=

# 'eval' in ascii chr() chars
Y2hyXHMqXChccyoxMDFccypcKVxzKlwuXHMqY2hyXHMqXChccyoxMThccypcKVxzKlwuXHMqY2hyXHMqXChccyo5N1xzKlwpXHMqXC5ccypjaHJccypcKFxzKjEwOFxzKlwpCg==

#
KFwkT09PX09fMDAwX1x7XGQrXH0uKXszLH0K

#Detects the '_' character encoded in a string like "\x5F".  '_' is present in many functions that malware would want to hide.
# '_' as "\x5f"
XFdcXFtYeF0oNVtGZl0p

#Detects the '_' character placed inside a call to the 'chr()' function
# '_' as 'chr(95)' or 'chr(0x5f)'
Y2hyXHMqXChccypbJyJdP1xzKigoOTUpfCgwW1h4XTVbRmZdKSlccypbJyJdP1xzKlwpCg==

#Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars.
#260 was a threshold chosen because strings of 256 characters are common enough.  Might increase later to reduce false positives.
#Long base64 quoted string.
WyciXVtBLVphLXowLTkrXC9dezI2MCx9PXswLDN9WyciXQo=

#Detects long single lines contained within PHP tags.
#We can increase from 1100 later if we need to.
#Long single line of PHP.
Xi4qPFw/cGhwLnsxMTAwLH1cPz4uKiQK

#Escaped path characters: \x2fho\x6de/\x69mp\x75ls\x69oq\x65/w\x77w. or \x2fhome\x2fimpu\x6csioq\x65/www\x2emusc
KFxceFswLTlhYmNkZWZdezJ9W2EtejAtOS4tXC9dezEsNH0pezQsfQo=

#Malware inffected files sometimes marked with comments like /*87cda*/ to avoid infect again
XC9cKlthLXowLTldezV9XCpcLwo=

# XOR-ed strings with custom math
JVwoXGQrXC1cZCtcK1xkK1wpPT1cKFwtXGQrXCtcZCtcK1xkK1wpCg==

# XOR-ed strings with custom math 2.
XChcJFthLXpBLVowLTldKyVcZD09XChcZCtcLVxkK1wrXGQrXCkK

# eval code from POST on second nested level
ZXZhbFwoXCRbYS16MC05X10rXChcJF9QT1NUCg==

# characted concated with chr() alteast 3 times
KCJbYS16MC05XSsiXC5jaHJcKFxkK1wpXC4pezMsfQo=

# nested function call used variables
XCRbYS16XStcKFwkW2EtejAtOV0rXCgK

# GLOBALS inject with escaped content
XCRHTE9CQUxTO1wkXHsiXFx4Cg==

# XOR decode POST-ed payload
KFxeXHMqXCRcdytcW1wkXHcrXHMqJVxzKnN0cmxlblwoXCRcdytcKVxdXHMqKXsyLH0K

# uncommon function name underscore with many numbers
ZnVuY3Rpb25ccytfWzAtOV17OCx9XCgK

# escaped include with error hiding
QGluY2x1ZGUgIi4qPyhcXHhbMC05YS1mXXsyLH0uKj8pezIsfS4qPyI7Cg==

# create_function is dangerous as like eval() see http://php.net/manual/en/function.create-function.php
Y3JlYXRlX2Z1bmN0aW9uXHMqXChccypbJyJdezJ9Cg==

# control concated from cookie at the call
KFwkW2Etel17Mix9PXVybGRlY29kZVwoXCRfQ09PS0lFXFsnW2Etel17Mix9J1xdXCk7KXszLH0K

# ${$O{18}.$O{7}.$O{24}.$O{2}.$O{50}.$O{8}
KFwkW0EtWl0rXHtcZCtcfVwuKXszLH0K

# comment in variable name $_REQUEST /*YUsrqpbzvXTSa...QpDNTPYQvLSFPCqsSnWNVqPdSIAYaQj*/[
XCRfUkVRVUVTVFxzKlwvXCpbQS1aYS16XStcKlwvXFsK

# cookie payload
XChjb3VudFwoXCRwXCk9PVxkKyYmaW5fYXJyYXlcKGdldHR5cGVcKFwkcFwp

# gzipped payload post process
ZXhwbG9kZVwoJ1x8XHgwMVx8XHgwM1x8XHgwMycsIGd6aW5mbGF0ZVwoCg==

# backdoor reported #71
QGhlYWRlclwoXHd7Myw1fTo6XHd7MSwyfVwoJ19cd3sxLDN9JyBcLiAnXHd7MSwzfScsICdfXHd7MSwzfSdcKVwpOwo=
QGhlYWRlclwoXHd7Myw1fTo6XHd7MSwyfVwoJ19cd3sxLDN9JywgJ18nIFwuICdcd3sxLDN9JyAuICdcd3sxLDN9J1wpXCk7Cg==

# backdoor reported #72
QFwkW2Etel17MX1cW1xkK1xdXChcJFthLXpdezF9XFtcZCtcXVwpOw

# Suspicious access to file src/config.php
c3JjW1wvXFxdY29uZmlnXC5waHBbJyJdW15cXV0=
XFx4NjNcXHg2ZlxceDZlXFx4NjZcXHg2OVxceDY3XFx4MmVcXHg3MFxceDY4XFx4NzA=

# Base64 file config.php
WTI5dVptbG5MbkJvY0E9PQ==

# Suspicious access to colums is_admin, is_super_admin
LVw+ZmFzdFVwZGF0ZVwoWyAnIl1pc18oc3VwZXJfKT9hZG1pblsgJyJd
W15ucl0tXD5pc18oc3VwZXJfKT9hZG1pbihccykqPQ==
VVBEQVRFIHhmX3VzZXIgU0VUIGlzXyhzdXBlcl8pP2FkbWlu
U0VUKC4rKWlzXyhzdXBlcl8pP2FkbWlu

# Base64 colums is_admin, is_super_admin
YVhOZllXUnRhVzQ9
YVhOZmMzVndaWEpmWVdSdGFXND0=

# Base64 function setPassword, setNoPassword, setAdmin
YzJWMFVHRnpjM2R2Y21RPQ==
YzJWMFRtOVFZWE56ZDI5eVpBPT0=
YzJWMFFXUnRhVzQ9