File: /var/www/html/wp-content/plugins/backup-guard-security-platinum/com/lib/BGSPatterns.php
<?php
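/**
 * Static catalogue of PCRE pattern strings (file-extension filters, comment
 * matching, suspicious call combinations and domain blocklists).
 *
 * Each method only builds and returns a pattern string; how callers apply the
 * patterns (per line or per file, match or replace) is not visible here.
 */
class BGSPatterns
{
    /**
     * Pattern for file names whose extension is on the skip list.
     *
     * Case-insensitive; matches when the name ends in one of the listed
     * image, text, config, script or stylesheet extensions.
     *
     * @return string PCRE pattern including delimiters and flags
     */
    public static function skipExtensions()
    {
        return '/^.*\.(jpg|jpeg|png|gif|bmp|svg|txt|ini|md|js|json|css|scss)$/i';
    }

    /**
     * Pattern for file names that end in `.php` or `.htaccess`.
     *
     * NOTE(review): only these two extensions match. Whether other extensions
     * that the web server is configured to execute also need to be covered
     * depends on the deployment - confirm against the caller.
     *
     * @return string PCRE pattern including delimiters and flags
     */
    public static function allowedExtensions()
    {
        return '/^.*\.(php|htaccess)$/i';
    }

    /**
     * Pattern matching comment text in PHP/HTML source.
     *
     * Flags: `i` (caseless), `s` (dot matches newline) and `U` (ungreedy,
     * which inverts quantifier greediness: a quantifier written with a
     * trailing `?` is greedy under this flag). There is no `m` flag, so `^`
     * and `$` anchor at the start and end of the whole subject.
     *
     * NOTE(review): several alternatives are broad - for example the fifth one
     * matches from any `*` character onward. If callers remove matches before
     * scanning, text that is not a comment can be dropped from the scan.
     * Presumably the pattern is applied line by line; confirm against the
     * caller and pin the behaviour with tests before relying on it.
     *
     * @return string PCRE pattern including delimiters and flags
     */
    public static function ignoreCommentedLines()
    {
        $regex = '/\/\*[\s\S]*?\*\/|'; // complete block comment, opener through closer
        $regex .= '([^:]|^)\/\/.*$|'; // line comment not preceded by ":" (presumably so URL schemes are left alone)
        $regex .= '\/\*\*[\s\S]*?|'; // docblock opener and the text after it
        $regex .= '.*?\*\/|'; // text leading up to a block-comment closer
        $regex .= '\*.*?|'; // a "*" and the text after it (docblock continuation lines)
        $regex .= '^#(.*)$|'; // "#" comment anchored at the start of the subject
        $regex .= '<!--.*?-->/isU'; // HTML comment
        return $regex;
    }

    /**
     * Pattern for command-execution calls and for `eval(` wrapped around
     * decoding or decompression helpers or a variable.
     *
     * Two families are matched, case-insensitively:
     *  - a call to system, popen, pcntl_exec or shell_exec;
     *  - `eval(` immediately followed by base64, eval, gzinflate,
     *    gzuncompress, a `$_` superglobal prefix, a `$$` variable-variable, or
     *    a variable that is then called or indexed.
     *
     * Compared with the earlier pattern, the misspelt `shel_exec` alternative
     * is corrected to `shell_exec` (the misspelling could never match the real
     * function), and the duplicated `gzinflate` entry that was fused with the
     * `\$_` alternative is removed so that `eval($_...` is matched on its own.
     *
     * @return string PCRE pattern including delimiters and flags
     */
    public static function regexMaliciousFunctionCombinations()
    {
        $regex = '/\bsystem\(|'; // system( call
        $regex .= '\bpopen\(|'; // popen( call
        $regex .= '\bpcntl_exec\(|'; // pcntl_exec( call
        $regex .= '\bshell_exec\(|'; // shell_exec( call
        $regex .= 'eval\('; // eval( followed by one of the alternatives below
        $regex .= '(base64|'; // eval + base64 helpers
        $regex .= 'eval|'; // eval + nested eval
        $regex .= 'gzinflate|'; // eval + gzinflate
        $regex .= 'gzuncompress|'; // eval + gzuncompress
        $regex .= '\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))/i'; // eval + superglobal prefix, variable-variable, or called/indexed variable
        return $regex;
    }

    /**
     * Pattern listing domains (and one bare token) looked for in
     * `<iframe src="` markup.
     *
     * NOTE(review): `poseyhumane6;org` and `google-analistyc6;net` contain
     * `6;` where every other entry has an escaped dot. This looks like
     * encoding damage to the list; as written these two alternatives match
     * only the literal text shown. Confirm against the upstream signature
     * source before changing them.
     *
     * NOTE(review): unlike htaccesRedirectionRules(), this pattern has no `i`
     * flag, so matching is case-sensitive - confirm that is intended.
     *
     * @return string PCRE pattern including delimiters
     */
    public static function maliciousIframeDomins()
    {
        $regex = '/(sitigadget\.altervista\.org|ciaccia\.altervista\.org|poseyhumane6;org|zumobtr\.ru|ads\.rzb\.ir|www\.cascadecowcutters\.org|google-analistyc6;net|jrdzow\.ddnsking\.com|2nf\.com\.vn|businessriver\.top|sellads\.eu|world-serio-db\.top|moddisright\.top|www\.777seo\.com|ARX8)/';
        return $regex;
    }

    /**
     * Pattern listing domains looked for in `.htaccess` rewrite rules.
     *
     * Case-insensitive and unanchored: any occurrence of a listed name in the
     * subject matches. The list is kept in its original order, including the
     * repeated `asunagira\.ru` and `default7\.com` entries.
     *
     * NOTE(review): the list contains `localhost`, which will also match
     * rules that legitimately refer to the local host - confirm how callers
     * treat such hits.
     *
     * @return string PCRE pattern including delimiters and flags
     */
    public static function htaccesRedirectionRules()
    {
        // Built in pieces split at alternation boundaries; the concatenation
        // is a single pattern with no whitespace between alternatives.
        $regex = '/(www\.mpzbearing\.in|portal-d\.pw|default7\.com|alfsystem\.com\.my|asunagira\.ru|asunagira\.ru|';
        $regex .= 'absshots\.pro|acknowledgecalendar\.shop-bacon\.com|acrobatwordprocessor\.pro|advancedconcur\.gamers-pc\.info|';
        $regex .= 'affordscorrection\.basketball-team\.info|ageoldtwitterfocused\.info|allencompassingips\.org|allspec\.google-pics\.info|';
        $regex .= 'alphanumericbrowser\.pro|altimetersevere\.pro|analytics\.hosting24\.com|assemblenot\.change-money\.info|';
        $regex .= 'asynchronouslyinteractivity\.pilot-cooking\.us|baranowskyquitesimple\.profit-food\.info|basketball-team\.info|';
        $regex .= 'bebutasphalt\.net|believeaberration\.com|birseks\.org|braviaguaranteeing\.pro|canadagoosejakker2dk\.com|';
        $regex .= 'cartographicglobs\.net|cashadvancefor\.me|categorizationclick\.portuguesemx\.info|centerweightedreverse\.info|';
        $regex .= 'certificatesimages\.info|cheapchristianlouboutinsaleuk\.net|christianlouboutin2saleuk\.co\.uk|';
        $regex .= 'christianlouboutininsales\.com|christianlouboutinsalelover\.net|christianlouboutinsalesireland\.com|';
        $regex .= 'christianlouboutinuksaleshop\.com|clippedhousewarming\.shop-bacon\.com|cloakloopbased\.info|clshoescanada\.net|';
        $regex .= 'clshoessale\.co\.uk|cluk4salepop\.com|cluk\.info|coachbagoutletinsg\.com|coachbagsoutletinsg\.com|';
        $regex .= 'coachdenndou\.com|coachfactoryoutletbags\.net|coachoutletsinca\.com|cognitiveaddition\.info|';
        $regex .= 'collegesorcerer\.org|commonlyassist\.pro|completingsamplers\.iphone-gadget\.info|complexcombining\.net|';
        $regex .= 'compressorvolution\.pro|connecticutsdo\.info|constructionverified\.org|contentblockingtypically\.info|';
        $regex .= 'crankyimpact\.net|cropstretched\.noteman\.info|cupertinostranslating\.profit-food\.info|';
        $regex .= 'custommadehappen\.itunes-media\.us|deafmassachusetts\.info|deathmegarowep\.com|delvecompliance\.net|';
        $regex .= 'depthsdriving\.biz|desktopbasedshipshape\.cognitiveaddition\.info|digestiblefaxed\.downloadmanagerrisky\.info|';
        $regex .= 'distractedconnect\.shop-bacon\.com|dp\.000\.in|earspiderman\.fish-salad\.info|earthlinkunadorned\.info|';
        $regex .= 'ejbbridges\.info|employeeexcludes\.info|emulatedfeminine\.pro|emulatesdigital\.pro|';
        $regex .= 'enabledsaints\.download-apple\.us|enduredid\.net|enemiesfocuses\.org|erasedhosts\.google-pics\.info|';
        $regex .= 'excelsmargin\.football-pro\.org|exchangebasedfold\.pro|exercisesquicklook\.info|fghhghfs6fg\.osa\.pl|';
        $regex .= 'fgnfdfthrv\.bee\.pl|fileswappingcreator\.pro|finetunerings\.net|fish-salad\.info|fixturesfinance\.pro|';
        $regex .= 'flameorangeadvantageous\.info|floatingprotects\.net|focusedpassby\.net|football-pro\.org|';
        $regex .= 'fredperrycoolsale\.com|fulltexthightech\.info|gamers-pc\.info|gberbhjerfds\.osa\.pl|getfastmoney\.com\.au|';
        $regex .= 'get-health\.us|globalsinstantrecovery\.pro|gmailsnotemaking\.net|godinset\.shop-bacon\.com|';
        $regex .= 'google-adsenc\.com|google-pics\.info|guardcheck\.green-monkeys\.us|guccioutlethandbagsonline\.com|';
        $regex .= 'gutterspaused\.gamers-pc\.info|handwrittencry\.net|headingsleazy\.patefon32\.us|herdhappening\.itunes-media\.us|';
        $regex .= 'heuristicecommerce\.net|honestlyrestrictive\.com|hotjobsswiss\.google-pics\.info|howmcoming\.patefon32\.us|';
        $regex .= 'icesoverarching\.info|imagesworsetightened\.info|impersonatecontentrich\.com|indesignscalculate\.info|';
        $regex .= 'indianmotorcycle\.co|industrystandardpup\.pro|instructedtabtastic\.org|intelextraction\.org|';
        $regex .= 'iphone-gadget\.info|iseriesbiotics\.biz|itunes-media\.us|jcshoesalesau\.com|jimmychoooutletuksale\.net|';
        $regex .= 'jimmychooshoes4uksale\.com|jimmychooshoesuk-cheap\.com|jimmychooshoesukstore\.com|jurylegend\.info|';
        $regex .= 'kampanarrative\.biz|katiesoftpalmnet\.pro|keyloggersgracenote\.pro|kickedrears\.get-health\.us|';
        $regex .= 'kidsaccounts\.pro|kitsucesso\.com\.br|ksninnovative\.info|lamoderately\.pro|largescalebuffer\.ru|';
        $regex .= 'laspector\.pro|librarieswhichiowa\.info|likenesslooking\.pro|linkageinstructor\.football-pro\.org|';
        $regex .= 'linkbaitarbitrarilynamed\.biz|localhost|longpressarchived\.fish-salad\.info|loopedbizfinity\.in|';
        $regex .= 'lowresolutionit\.in|ltoprepared\.net|lvseikai\.com|maintainingcmyk\.download-apple\.us|mapnzapepoxy\.net|';
        $regex .= 'marvelpad\.net|maximizersgratifying\.com|Maximum\.multidimensionalpersisted\.org|mengedoht\.net|merelysr\.pro|';
        $regex .= 'michaelkorsoutlet2012ca\.com|michaelkorsoutlettop\.com|michaelkorsoutletus\.us|michaelkorsoutletworld\.com|';
        $regex .= 'microprocessorsapproximately\.profit-food\.info|missionrent\.net|modelsnewsfeeds\.info|modificationprebuilt\.info|';
        $regex .= 'moneyloansonline\.com\.au|monidopo\.bee\.pl|mostusedmeaning\.cognitiveaddition\.info|motherslowering\.info|';
        $regex .= 'multicamquicksites\.info|multidimensionalpersisted\.org|Nervous\.constructionverified\.org|Nest\.intelextraction\.org|';
        $regex .= 'Net\.workweekdepending\.org|newandnonresizable\.pro|newsgroupsshadowsoften\.pro|nextlowercertainly\.info|';
        $regex .= 'nhfnjfg43\.bij\.pl|nicesoundingglitch\.pilot-cooking\.us|nmmkmm\.com|nobelsituation\.net|';
        $regex .= 'noncommercialmall\.basketball-team\.info|openendedfreewebs\.biz|painfulmaneuver\.net|Passage\.constructionverified\.org|';
        $regex .= 'Passenger\.intelextraction\.org|Passport\.workweekdepending\.org|passwordallinclusive\.info|patefon32\.us|';
        $regex .= 'Path\.workweekdepending\.org|Patient\.collegesorcerer\.org|payrollpixelperfect\.net|pctopcresizing\.info|';
        $regex .= 'phonesthoughuploader\.info|phonycalculating\.info|photodirectorsshared\.net|pilot-cooking\.us|';
        $regex .= 'pivothalfmegabyte\.areagarmin\.info|pixelperfectminimalist\.patefon32\.us|polarizebit\.org|portuguesemx\.info|';
        $regex .= 'Potential\.intelextraction\.org|Pour\.collegesorcerer\.org|pqasbeaten\.net|proclaimtotal\.basketball-team\.info|';
        $regex .= 'progressiveunerase\.info|pulpvenerable\.pro|purchacialisnow\.com|pursuitdistribution\.info|';
        $regex .= 'Rail\.constructionverified\.org|Rain\.intelextraction\.org|rajablogs\.co\.cc|Range\.workweekdepending\.org|';
        $regex .= 'ranwen\.com|rebuildingirk\.com|recyclearrowsfootnote\.cognitiveaddition\.info|refinedthanshareddocument\.pro|';
        $regex .= 'relaxingteenagers\.studiosexport\.info|requisitewebmisleadingly\.net|resellersex\.info|rk400\.com|';
        $regex .= 'Rob\.intelextraction\.org|Rock\.intelextraction\.org|Roll\.multidimensionalpersisted\.org|Romantic\.multidimensionalpersisted\.org|';
        $regex .= 'scadscropping\.sennheiser-mp3\.us|schiedsrichterge\.bplaced\.net|sdjutn\.dns-stuff\.com|sendreceivestep\.info|';
        $regex .= 'sennheiser-mp3\.us|serviceavisualizations\.pro|shadowprotectglasses\.iphone-gadget\.info|shop-bacon\.com|';
        $regex .= 'shotalltoptier\.net|showstoppercharacter\.pro|shrinkwrappedproturbos\.fish-salad\.info|simsapis\.info|';
        $regex .= 'sizeitemsreleased\.pro|smilemiddleoftheroad\.pro|snazzywinpebased\.net|sombernicknamed\.pro|';
        $regex .= 'speakingtrialed\.net|spectrumoutlined\.net|starflyerspicasas\.maemo-phone\.info|stashzoomedin\.patefon32\.us|';
        $regex .= 'stealthsfingerinput\.biz|stifleeclectic\.shop-bacon\.com|stillimagepatentpending\.profit-food\.info|';
        $regex .= 'stuttgartsmart\.info|subtopicsninja\.profit-food\.info|supportiveneural\.info|sweeperunappealing\.net|';
        $regex .= 'swipeheavythgeneration\.info|therewide\.net|thirdvoiceplaylists\.pro|threeparagraphyammer\.info|';
        $regex .= 'thumbnails\.iwebtool\.com|totalmood\.football-pro\.org|touchtutorials\.net|tousecallouts\.pro|';
        $regex .= 'tractionsps\.fish-salad\.info|travelocitysformality\.biz|tutimaps\.info|tweetdeckslowmotion\.info|';
        $regex .= 'uninstalleddialogue\.biz|untilscript\.google-pics\.info|untrainedguaranteed\.net|';
        $regex .= 'upandcomingfirewalls\.pilot-cooking\.us|update\.windowsautoupdate\.com|verdeyogurt\.com|';
        $regex .= 'verifydvdits\.shop-bacon\.com|vieweditconversions\.pro|visiobackfire\.profit-food\.info|warnewsreading\.net|';
        $regex .= 'watchessnag\.pro|weddingshowerinvitationwording\.net|wishingcell\.sennheiser-mp3\.us|workweekdepending\.org|';
        $regex .= 'worldsalso\.pro|www3\.ddns\.info|wwwaviracommacdownloadforward\.pro|www\.haofbi\.com|www\.ranwen\.com|';
        $regex .= 'www\.threesproject\.org|xmediamobil\.org|onclasrv\.com|crzyluxtds\.in|luxurytds\.com|07z7\.com|go60\.ru|';
        $regex .= 'default72\.com|default7\.com|mmasoft\.ru|vcminden\.de|tds\.animal-porn-portal\.com|';
        $regex .= 'tds\.another-xxx-clips\.biz|liuliang\.ok365\.com|cloud-security\.ru|web-redirect\.ru|osta-x\.ru|';
        $regex .= 'traf-extractor\.ru|ph21us\.ru|top-24h-can-store\.com|sexboo\.ru)/i';
        return $regex;
    }
}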