Syntax errors in header_required.php and page_controls_header.php
I recently installed Concrete and got a website up and running with no problems. Love the CMS, and it's worked really well.
But, this weekend, I went on my site and there are now errors in two of my files (header_required.php and page_controls_header.php). I grabbed the files and looked at the code, and it appears that a lot of extra stuff got added somehow (hacked?).
I removed the code, and the errors are gone...but so is all my content. I can't even get into my admin section. How can I fix this?
Here are the two files in question (compressed as an attachment). Any help would be appreciated, as I'm not sure how to get my content back, or get my site back up and running.
Try replacing ALL of header_required.php with this:
I see your site is still having issues. This does sound like someone may have gotten a hold of your FTP password so I wouldn't trust any of your files. I would re-install the core files by unzipping a fresh copy of C5 to your computer and then upload just the 'concrete' folder from this zip to the 'root/concrete' on your server so it replaces the existing concrete folder (i.e. don't end up with 'root/concrete/concrete'). If you followed 'best practices' and never modified your core files then everything should function properly.
You may have to search through all your non-core files as well for tell-tale signs of tampering. If they were able to modify the 2 files that were causing you trouble, there's no telling what else they changed. Needless to say, I think you should change your FTP password ASAP.
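Added example (not part of the original thread, and not concrete5 code): one way to do the search for tampering suggested above is to hash every file in the live folder and in a freshly unzipped copy, then list what was modified, added or missing. The folder layout and file contents below are constructed samples, and `compare_trees` and `build_demo` are hypothetical names.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = digest.hexdigest()
    return out

def compare_trees(reference, live):
    """Compare a live folder against a trusted reference copy of it."""
    ref, cur = tree_hashes(reference), tree_hashes(live)
    return {
        "modified": sorted(p for p in ref if p in cur and ref[p] != cur[p]),
        "added": sorted(p for p in cur if p not in ref),
        "missing": sorted(p for p in ref if p not in cur),
    }

def build_demo(base):
    """Write two constructed trees: 'fresh' (clean) and 'live' (altered)."""
    clean = {name: b"<?php // constructed clean file\n" for name in
             ("header_required.php", "page_controls_header.php", "sample.php")}
    live = dict(clean)
    for name in ("header_required.php", "page_controls_header.php"):
        live[name] += b"/* constructed: bytes appended after install */\n"
    live["helpers/extra.php"] = b"<?php // constructed: not in fresh copy\n"
    del live["sample.php"]
    for label, files in (("fresh", clean), ("live", live)):
        for rel, data in files.items():
            path = os.path.join(base, label, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    return os.path.join(base, "fresh"), os.path.join(base, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_trees(*build_demo(tmp)).items():
            print(kind, paths)
```

Files reported as added deserve the closest look, since replacing the core folder does not remove files that were never part of it.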
I've changed my FTP password and reinstalled concrete. Didn't know how to save my content, and I had to wipe my db to do the reinstall, so I guess it's a complete rebuild. Oh well. Sola vida.
But, I've got a couple of questions now...since things aren't coming back together as smoothly as it seemed to the first time around. Things aren't working that used to work, and I'm not sure how to fix them.
1 - I'm not sure how to rebuild my horizontal navigation links. When I add them through the "Add Blocks" command, they only stack vertically. I've added them to my sidebar like that, but I'd like to get my horizontal navigation links back up to the top.
2 - I can't seem to re-embed my photo album from Picasaweb. When I edit the page, and add HTML code through the WYSIWYG editor (by clicking on the HTML link), it doesn't want to recognize my code anymore. It hasn't changed, so I'm wondering why that doesn't work. Anything else I put in there works, but it won't accept this code at all.
<embed type="application/x-shockwave-flash" src="https://picasaweb.google.com/s/c/bin/slideshow.swf" width="600" height="400" flashvars="host=picasaweb.google.com&captions=1&noautoplay=1&hl=en_US&feat=flashalbum&RGB=0x000000&feed=https%3A%2F%2Fpicasaweb.google.com%2Fdata%2Ffeed%2Fapi%2Fuser%2F109648020120171021036%3Falt%3Drss%26kind%3Dphoto%26access%3Dpublic%26psc%3DF%26q%26uname%3D109648020120171021036" pluginspage="http://www.macromedia.com/go/getflashplayer"></embed>
I'm pretty bummed I have to rebuild, but hopefully this won't happen again. Thanks for any additional help you can give me.
That's a real shame that you have to start over. My instructions were to only replace the core files. I know you are new so I expected some further questions if you didn't understand what I had suggested. Often it takes more 'back and forth' to properly restore things without losing things. I'm sorry you ended up with a clean slate. That was not my intention.
Oh well, it is what it is now. You can change your vertical nav into a horizontal nav by clicking on the nav block and choosing 'Custom Template'. I wish this option were labeled 'Custom View' for clarity.
As for embedding the Picasaweb, I would think you need to choose the 'HTML' block rather than the 'Content' block for this. I just tested your Picasaweb embed code on my site and the HTML block worked.
Give those two suggestions a shot and see how it goes.
Oh well, at least it wasn't too difficult. I haven't completely rebuilt it, but it's on its way. Those suggestions worked, so thanks. I didn't even see the HTML option, and that worked perfectly.
Is there a way to back up my site, so this is easier the next time I get hacked? Seems like I'm being targeted. This is the 3rd time this month I've been hacked, and I've changed passwords each time...so I think this won't be the last time this happens. It'd be nice to not have to rebuild from scratch every time.
Also, I'm wondering where content gets stored to. I made a whole bunch of additional pages, but am not sure where that data gets saved to. Does it get saved onto a page, or just into the db?
Hope these aren't stupid questions.
Hacked 3 times? Is it the same hack every time (i.e. they add stuff to your PHP files?) I'm not an expert on preventing this because I've only been hacked once. From my server logs, I found out the IP address of the perpetrator and then used my host's 'IP Deny' function to deny access to this IP. I also changed my password to something much stronger and I haven't been hacked since (knock on wood).
I also suggest setting up your FTP client for SFTP rather than just ftp because I understand that hackers can 'sniff' out regular passwords from your FTP stream.
Ok, back to backing up. I usually do 2 things... files and database. Files are just containers for content so all content is in the database and when C5 renders a page, the database fills these 'containers' with content. My sites usually don't change very much so I back up about once a week. If your sites are very active with content added daily, or if you make significant changes to the site you might want to back up more often.
I go to the File Manager on my host's Control Panel and 'Compress' the 'public_html' directory. Your folder structure might call this folder something different but basically it's the folder that contains C5 so if you have C5 installed at 'public_html/C5' then you just have to compress the C5 folder. Also, the 'Compress' function in your File Manager might be labelled something different like 'Backup' or 'Archive'.
This takes a while to complete and I end up with a large 'public_html.zip' file on my server containing a snapshot of all my files. While the server is creating this zip file, I open another browser window and I go to phpMyAdmin (again in my host's Control Panel) and create a backup of the database. The 'Export' function in phpMyAdmin automatically downloads its output to your computer but I would also highly recommend that you download the 'public_html.zip' file to your local computer as well because any hacker who gets your FTP password could also delete this zip file from your server.
Best advice for anyone with these issues:
Change your passwords.
Stop saving your passwords in your FTP client.
best wishes
Franz Maruna
CEO - concrete5.org
http://about.me/frz
Franz... I don't doubt your advice for a moment so I have cleared my passwords from Filezilla. Just being curious but can you 'school' me on how saving passwords in my client leads to hacks?
There's any number of worms, viruses and malware out there that will embed themselves on a Windows box and look for popular FTP clients that are installed. If your passwords are all saved, it's quite easy for them to embed their php bits onto any script they can access from any site you have a stored password locally on.
best wishes
Franz Maruna
CEO - concrete5.org
http://about.me/frz
Thanks for the details. I had a situation years ago where my local machine had been hacked and they added a hidden iframe with a nasty perl script as its source to all my .asp files. I uploaded these infected files and self-hacked myself.
Thanks for your advice. I'll do that. This last month has been busy...been hacked 3 times. I'll look through my IP logs and block those IPs...and be careful from now on.
I should probably stop posting on political websites too...haha.
It's happened again...even after all my passwords have been changed, and IPs have been blocked. I'm at the end of my rope...I've rebuilt this site 3 times now.