Exploitable PHP functions

I'm trying to build a list of functions that can be used for arbitrary code execution. The purpose isn't to list functions that should be blacklisted or otherwise disallowed. Rather, I'd like to have a `grep`-able list of *red-flag* keywords handy when searching a compromised server for back-doors. The idea is that if you want to build a multi-purpose malicious PHP script -- such as a "web shell" script like c99 or r57 -- you're going to have to use one or more of a relatively small set of functions somewhere in the file in order to allow the user to execute arbitrary code. Searching for those those functions helps you more quickly narrow down a haystack of tens-of-thousands of PHP files to a relatively small set of scripts that require closer examination. Clearly, for example, any of the following would be considered malicious (or terrible coding): <? eval($_GET['cmd']); ?> <? system($_GET['cmd']); ?> <? preg_replace('/.*/e',$_POST['code']); ?> and so forth. Searching through a compromised website the other day, I didn't notice a piece of malicious code because I didn't realize `preg_replace` could be made dangerous by the use of the `/e` flag (*which, seriously? Why is that even there*?). Are there any others that I missed? Here's my list so far: **Shell Execute** * `system` * `exec` * `popen` * *`backtick operator`* * `pcntl_exec` **PHP Execute** * `eval` * `preg_replace` (with `/e` modifier) * `create_function` * `include`[`_once`] / `require`[`_once`] (*see <a href="#3115645">mario's answer</a>* for exploit details) It might also be useful to have a list of functions that are capable of modifying files, but I imagine 99% of the time exploit code will contain at least one of the functions above. But if you have a list of all the functions capable of editing or outputting files, post it and I'll include it here. (And I'm not counting `mysql_execute`, since that's part of another class of exploit.)