regex that might help: /.*?\$.*?/

To reduce false positive due to the usage of regex, you can use php tokenizer to eliminate the "strings" that is not important such as commented code/information/header etc etc..

http://php.net/manual/en/book.tokenizer.php

Hello,

I've uploaded shelldetect.php and /shelldetect.db in my root directory and executed it and it gives me this type of result on a brand new fresh uploaded site !

modules/mod_languages/helper.php

Owner: 5500 Permission: 0644 Last accessed: 12:31:11 04/09/2012 Last modified: 09:45:42 19/07/2012 MD5 hash: 4828db57f0ea1c460fa9796532257f2a Filesize: 2.5 KB Error: Undefined offset: 1 line: 268 Error: Undefined offset: 4 line: 268 Error: Undefined offset: 3 line: 269 Fingerprint: Positive, it`s a ()

at the end

Status: 7 suspicious files found and 1699 shells found

What are thoses 3 errors ?

Line 6 of shelldetect.ini file got typo error. Must be language instead of langauge. Little bit confusing, takes some time to realize why language isn't applied.

Line 35 of shelldetect.php says:

$shelldetector::$_settings['is_cron']=true; 

It's a syntax error. Maybe this should work:

shelldetector::$_settings['is_cron']=true;

@emposha, I've corrected a typographical error in the documentation of the PHP-Shell-Detector project. Specifically, I've changed carefull to careful. You should be able to merge this pull request automatically. However, if this was intentional or if you enjoy living in linguistic squalor, please let me know and create an issue on my home repository.

Hello, I just uploaded on my server root and it asking username and password on alert like authentication and not getting logged success at all.

I am using default username and password: Username: admin Password: protect

Screenshot: http://prntscr.com/hpx26u

Currently $hidesuspicious is set to be false by default on line 87:

  private $hidesuspicious = true;

and the only other place where its value is set is on line 155:

    if (isset($_GET['s']) && 1 == $_GET['s']) {
      $this->hidesuspicious = false;
    }

... where it's set to false again. Basically this means $hidesuspicious is forever false. This makes the program display A LOT of data to the screen, and more than often (in my case) renders to browser inresponsive, or even crash.

On modern browsers, calling this skript with https would create errors like "blocked mixed content".

• i removed "http:" for the external jquery Stuff, now it uses http or https as needed
• in Function fileprepare i replaced "http//www.shelldetector.com/api/loader.html" with "about:blank"

this code is problematic, to say the least:

    if (file_exists('shelldetect.db')) {
      $context = stream_context_create(array('http' => array('timeout' => 30)));
      $this->fingerprints = unserialize(base64_decode(file_get_contents('shelldetect.db', 0, $context)));
    }
    if ($this->remotefingerprint) {
      $this->fingerprints = unserialize(base64_decode(file_get_contents('https://raw.github.com/emposha/PHP-Shell-Detector/master/shelldetect.db')));
    }
  }

now not only does this look like the malware it's suppose to stop, it's actually vulnerable to remote code execution (if file_get_contents('https://...) can be broken, which I wouldn't be surprised - yay sslstrip) as unserialize will happily execute code it uncompresses: http://ca1.php.net/manual/en/function.unserialize.php#refsect1-function.unserialize-notes

seriously, why is this DB stored that way anyways? it's just a huge array... why not store it in a non-executable code format?