index.php problem

Postby photos20 on Fri Sep 11, 2009 6:29 am

I have not edited my site for some time but today I have this problem:

Parse error: syntax error, unexpected '<' in /home/photos20/public_html/BakuBangers.com/index.php on line 94

Here is the text of the offending .php file:

<?php @register_shutdown_function("__sfd1252575689__");function __sfd1252575689__() { global $__sdv1252575689__; if (!empty($__sdv1252575689__)) return; $__sdv1252575689__=1; echo <<<DOC__DOC
<!-- [7a47d385087d23f930e9dc0000283ae7 --><!-- 9865752521 --><div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li><a href="http://2309h34b34b34b.cc/sl">.</a></li></ul></div><!-- 7a47d385087d23f930e9dc0000283ae7] -->
DOC__DOC;
} ?>
<?php
/**
* @version $Id: index.php 11407 2009-01-09 17:23:42Z willebil $
* @package Joomla
* @copyright Copyright (C) 2005 - 2009 Open Source Matters. All rights reserved.
* @license GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

// Set flag that this is a parent file
define( '_JEXEC', 1 );

define('JPATH_BASE', dirname(__FILE__) );

define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;

/**
* CREATE THE APPLICATION
*
* NOTE :
*/
$mainframe =& JFactory::getApplication('site');

/**
* INITIALISE THE APPLICATION
*
* NOTE :
*/
// set the language
$mainframe->initialise();

JPluginHelper::importPlugin('system');

// trigger the onAfterInitialise events
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
$mainframe->triggerEvent('onAfterInitialise');

/**
* ROUTE THE APPLICATION
*
* NOTE :
*/
$mainframe->route();

// authorization
$Itemid = JRequest::getInt( 'Itemid');
$mainframe->authorize($Itemid);

// trigger the onAfterRoute events
JDEBUG ? $_PROFILER->mark('afterRoute') : null;
$mainframe->triggerEvent('onAfterRoute');

/**
* DISPATCH THE APPLICATION
*
* NOTE :
*/
$option = JRequest::getCmd('option');
$mainframe->dispatch($option);

// trigger the onAfterDispatch events
JDEBUG ? $_PROFILER->mark('afterDispatch') : null;
$mainframe->triggerEvent('onAfterDispatch');

/**
* RENDER THE APPLICATION
*
* NOTE :
*/
$mainframe->render();

// trigger the onAfterRender events
JDEBUG ? $_PROFILER->mark('afterRender') : null;
$mainframe->triggerEvent('onAfterRender');

/**
* RETURN THE RESPONSE
*/
echo JResponse::toString($mainframe->getCfg('gzip'));

<?php error_reporting(0); echo "\n"; @__sfd1252575689__(); ?>

Can anyone explain the problem?

Thanks
Gerry
photos20
Forum User
 
Posts: 9
Joined: Tue Mar 17, 2009 8:03 pm

Re: index.php problem

Postby dpidan on Fri Sep 11, 2009 6:22 pm

Same issue here. Looks like InMotion has been hacked. Can someone from InMotion let us know whether you've fixed whatever security hole allowed this to happen?
dpidan
Forum User
 
Posts: 1
Joined: Fri Sep 11, 2009 6:21 pm

Re: index.php problem

Postby Vanessa on Sun Sep 13, 2009 11:10 am

Sites get hacked all the time - it's just by chance that you both got the same one. Mainly I've seen this with Joomla and Drupal, but it surely isn't new and it's not our servers that were hacked. You need to upgrade the software running on your site, then change your FTP/cpanel password.
Vanessa
Administrator
 
Posts: 649
Joined: Tue Aug 15, 2006 6:31 pm
Location: Virginia Beach, VA

Re: index.php problem

Postby Nick V on Mon Sep 14, 2009 5:19 pm

I actually encountered the same problem. My index.php file had the same code added to the beginning of the script and at the end of the script. I'm running a completely custom web app.

This cannot be a coincidence, can it? :?
Nick V
Forum User
 
Posts: 4
Joined: Wed Mar 04, 2009 5:49 pm
Location: Phoenix, AZ

Re: index.php problem

Postby pughe on Tue Sep 15, 2009 7:50 pm

Wow. We had the same problem. (Looks like the exact same malicious script inserted at the beginning and end of several PHP files!) It happened on Sep. 13th.
We changed all passwords, directory permissions, updated a Drupal site, deleted an unused WordPress install (which was reported to have an XSS vulnerability). Diligently looking for another occurrence.
Maybe InMotion should look into this as well.
pughe
Forum User
 
Posts: 2
Joined: Tue Sep 15, 2009 7:36 pm

Re: index.php problem

Postby Vanessa on Sun Sep 20, 2009 10:22 pm

Once we saw a few customers on the same server have the same problem, we did look into this. However, no processes were running on the server that would have attributed to this. I did hear from another hosting company that there is some kind of virus out there that steals FTP information, and that matches up with the fact that every reported case brought to support has had their index.php downloaded then re-uploaded via FTP. This information was confirmed a few days ago - someone has your FTP information, and is using it to upload altered files to your account. This is NOT a situation of brute forcing though...none of the cases I've seen show repeated FTP login attempts, but rather a single successful login to FTP and a single upload/download of index.php . This means that someone had your login information and THEN accessed your account with it.
Vanessa
Administrator
 
Posts: 649
Joined: Tue Aug 15, 2006 6:31 pm
Location: Virginia Beach, VA
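
Added example, not part of any post in this thread: the FTP pattern described in the post above (one successful login, then a download and re-upload of index.php, with no run of failed logins) can be searched for in transfer logs. This Python sketch assumes the common xferlog line layout, which the thread does not confirm; the sample lines, users and addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed lines in the common xferlog layout (an assumption; the thread
# does not name the FTP daemon). Direction field: o = download, i = upload.
SAMPLE_LOG = """\
Sun Sep 13 04:10:02 2009 1 203.0.113.7 4312 /home/alice/public_html/index.php a _ o r alice ftp 0 * c
Sun Sep 13 04:10:05 2009 1 203.0.113.7 4761 /home/alice/public_html/index.php a _ i r alice ftp 0 * c
Mon Sep 14 10:00:00 2009 2 198.51.100.20 90211 /home/bob/public_html/img/logo.png b _ i r bob ftp 0 * c
Mon Sep 14 10:05:00 2009 1 198.51.100.20 1500 /home/bob/public_html/index.php a _ i r bob ftp 0 * c
"""


def parse_xferlog(line):
    """Split one xferlog line into the fields used below, or return None."""
    f = line.split()
    if len(f) != 18:
        return None
    try:
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(f[7])
    except ValueError:
        return None
    return {"time": when, "host": f[6], "size": size, "path": f[8],
            "direction": f[11], "user": f[13], "status": f[17]}


def find_roundtrips(log_text, window=timedelta(minutes=10)):
    """Flag a completed download of a file followed, from the same host and
    login, by an upload of the same path within `window`."""
    pending = {}   # (user, host, path) -> download record
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None or rec["status"] != "c":
            continue
        key = (rec["user"], rec["host"], rec["path"])
        if rec["direction"] == "o":
            pending[key] = rec
        elif rec["direction"] == "i" and key in pending:
            down = pending.pop(key)
            if rec["time"] - down["time"] <= window:
                hits.append({"user": rec["user"], "host": rec["host"],
                             "path": rec["path"], "uploaded": rec["time"],
                             "grew_by": rec["size"] - down["size"]})
    return hits


if __name__ == "__main__":
    for hit in find_roundtrips(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof: someone editing a file by hand over FTP produces the same download/upload pair, so compare the source address against the addresses the account owner normally connects from.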

Re: index.php problem

Postby alkross on Thu Sep 24, 2009 6:18 am

It's the third time that my index.php has been changed. I use the FTP access that InMotion Hosting sent to me. I will try to change it and I hope the hacking stops.
Regards
alkross
Forum User
 
Posts: 1
Joined: Thu Mar 19, 2009 12:56 pm

Re: index.php problem

Postby Vanessa on Thu Oct 08, 2009 2:55 am

Deb,

This is an issue that's going all around the Internet. These 'hackers' are not getting your FTP information from us - they are logging into our server with your FTP credentials, so they had to have gotten them from somewhere else first. Read:

http://billing.handsonwebhosting.com/kn ... cle&id=220

This has happened with various hosting providers, and the response is the same - we have reviewed our servers over and over and no unauthorized access outside of individual user accounts has been seen yet. We've changed all our internal passwords, done rootkit checks, etc. Nothing.

Trust me - if something was on our servers that is allowing this to happen we would definitely want to put a stop to it. Right now though it just looks like that huge FTP trojan incident that happened in 2007, but we are working on finding how these guys are getting customer FTP information.
Vanessa
Administrator
 
Posts: 649
Joined: Tue Aug 15, 2006 6:31 pm
Location: Virginia Beach, VA

Re: index.php problem

Postby centrc on Thu Oct 08, 2009 1:38 pm

Well here is my experience. I have 2 domains that got hacked.

1. The RSS feed php file was compromised with some sort of buffer overload.
2. The other page's wordpress forum was compromised (the same buffer overload was used). I found this out by speaking to one of the inmotion reps.

Both of these are wordpress installations. My system is also very secure... and I have not had any issues with any hosting companies in the past 8 years of hosting websites. This was NOT an iframe hack, as NONE of the compromised code contained iframe anywhere.

Wordpress is, unfortunately, prone to hacking. I don't think this is a problem of a keylogger, but of a vulnerability somewhere within wordpress that allows access to change files on the server. All you need to do is gain access to an administrator dashboard and you are good to change any files you want within WP.

http://www.centernetworks.com/wordpress ... 84-release

I also suggest you add the wp security admin tools.
centrc
Forum User
 
Posts: 1
Joined: Thu Oct 08, 2009 1:20 pm

Re: index.php problem

Postby scono on Thu Oct 08, 2009 11:10 pm

Same problem here, which I just found out about today when I received a note from Google saying my site is outside quality guidelines and scheduled for removal from SERPs. Has that happened to anyone else? I found this thread while running a search on what Google said was one example of hidden text found on my site, which is the URL appearing in the first post here. Meanwhile I had already filed a support ticket with inmotion hosting, no response yet. I have changed my password and restored my index.php file to its original form--what else can or should I be doing to protect my site, and to avoid being penalized by Google because some creep broke into it?
scono
Forum User
 
Posts: 1
Joined: Thu Oct 08, 2009 10:58 pm

Re: index.php problem

Postby chuggychuggy on Sat Oct 10, 2009 11:50 am

To add weight to this thread

Around the 23rd of Sept 2009
A friend of mine's website was hacked - hosted with InMotion.

Many of the pages had extra code added to them. Here's an example line. (the actual domain I've manually changed to IVECHANGEDTHISBIT.com)

<!-- [c42e7b58ce3bb9033e7192628e7913ac --><!-- 5593273521 --><noscript><ul><li><a href="http://www.IVECHANGEDTHISBIT.com/wp-content/plugins/firestats/img/flags/mb.php?ref_id=1&sub_id=344">buy cheap Altova XMLSpy 2009</a></li><li><a href="http://www.IVECHANGEDTHISBIT.com/wp-content/plugins/firestats/img/flags/mb.php?ref_id=1&sub_id=2968">buy cheap Altova XMLSpy 2009 software</a>

repeated over and over ending with
<a href="http://www.IVECHANGEDTHISBIT.com/wp-content/plugins/firestats/img/flags/mb.php?ref_id=1&sub_id=3500">purchase order dvd ripper platinum 5 software</a></li></ul></noscript><!-- c42e7b58ce3bb9033e7192628e7913ac] -->

Yesterday (9th), out of the blue, I received an email from google...

===
While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/support/webmaster ... 5769&hl=en. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

The following is some example hidden text we found at http://www.IVECHANGEDTHISBIT.com/:

'.' http://www.4g39g2vk32b4.cc/s

===

I downloaded all the htm pages and had a look at them.
The date they changed was 7th October 2009.
Most pages just had double line spacing added to them, BUT the index.htm page had this code added in about 14 places.

===
<!-- [3749ea702c09a03e67abda61c2c31863 --><!-- 4204332521 --><div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li><a href="http://4g39g2vk32b4.cc/s">.</a></li></ul></div><!-- 3749ea702c09a03e67abda61c2c31863] -->
===

I believe both sites are NOT on the same shared hosting server.
The pages are all just static html pages. No wordpress is running to my knowledge.

Obviously something / someone is gaining access. I believe there is too much weight to this being just a keylogger on a computer.

Chuggy
chuggychuggy
Forum User
 
Posts: 2
Joined: Sat Oct 10, 2009 11:36 am
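
Added example, not part of any post in this thread: a Python scanner for the two injection shapes quoted above (the PHP shutdown-function wrapper from the first post and the paired 32-hex comment markers found in the static HTML pages). It lists the hidden links and strips the injected spans. The function names and sample strings are constructed for illustration; the regular expressions are derived only from the snippets shown in the thread.

```python
import re

# Paired comment markers quoted in the thread:
#   <!-- [<32 hex> --> ...hidden links... <!-- <same 32 hex>] -->
MARKER_BLOCK = re.compile(
    r"<!--\s*\[([0-9a-f]{32})\s*-->(.*?)<!--\s*\1\]\s*-->", re.S)
# PHP variant: a prelude that registers __sfd<digits>__ as a shutdown function
# and echoes the marker block from a heredoc.
PHP_PRELUDE = re.compile(
    r'<\?php\s*@register_shutdown_function\("(__sfd\d+__)"\);'
    r".*?DOC__DOC;\s*\}\s*\?>\s*", re.S)
HREF = re.compile(r'href="([^"]+)"')


def trailer_re(func):
    """Match the appended '<?php error_reporting(0); ... @func(); ?>' tail."""
    return re.compile(
        r'\s*<\?php\s*error_reporting\(0\);\s*echo\s*"\\n";\s*@'
        + re.escape(func) + r"\(\);\s*\?>\s*")


def scan(text):
    """Report marker ids, hidden link targets and PHP wrapper names."""
    blocks = [(m.group(1), HREF.findall(m.group(2)))
              for m in MARKER_BLOCK.finditer(text)]
    return {"marker_ids": [b[0] for b in blocks],
            "links": [url for b in blocks for url in b[1]],
            "php_wrappers": [m.group(1) for m in PHP_PRELUDE.finditer(text)]}


def clean(text):
    """Remove the injected spans (whitespace around the PHP tail collapses)."""
    for func in scan(text)["php_wrappers"]:
        text = trailer_re(func).sub("\n", text)
    text = PHP_PRELUDE.sub("", text)
    return MARKER_BLOCK.sub("", text)


# Constructed samples (marker id, function suffix and URL are made up).
ID = "ab12" * 8
BLOCK = ('<!-- [' + ID + ' --><!-- 1234567890 --><div style="overflow:auto; '
         'visibility:hidden; height: 1px; "><ul><li>'
         '<a href="http://spam.example.invalid/s">.</a></li></ul></div>'
         '<!-- ' + ID + '] -->')
SAMPLE_PHP = ('<?php @register_shutdown_function("__sfd1111111111__");'
              'function __sfd1111111111__() { global $__sdv1111111111__; '
              'if (!empty($__sdv1111111111__)) return; '
              '$__sdv1111111111__=1; echo <<<DOC__DOC\n' + BLOCK +
              '\nDOC__DOC;\n} ?>\n<?php\necho "site";\n\n'
              '<?php error_reporting(0); echo "\\n"; @__sfd1111111111__(); ?>\n')
SAMPLE_HTML = "<html><body><p>hello</p>" + BLOCK + "</body></html>"

if __name__ == "__main__":
    for name, doc in (("index.php", SAMPLE_PHP), ("index.htm", SAMPLE_HTML)):
        print(name, scan(doc))
        print(clean(doc))
```

Run `scan` over a downloaded copy of the site first and diff the output of `clean` against a known-good backup before re-uploading anything.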

Re: index.php problem

Postby chuggychuggy on Sat Oct 10, 2009 1:53 pm

Looks like several sites have been affected - and indexed by google

Performing this search...

http://www.google.com/search?hl=en&q=si ... f&oq=&aqi=

Found these amongst others.

HacKeD By xhamzax
HaCKeD By IzRi-InO! {IzRi-InO HaCKeR}. WWW.vbspiders.COM. IzRi-InO Owned Your System! HacKeD by IzRi-InO. Msn Mesenger: IzRi-InO@9.cn. SpiDerS TeaM.
https://secure30.inmotionhosting.com/.. ... der-online - Cached - Similar

Hacked By SyniAcK
Hacked By SyniAcK.
https://secure28.inmotionhosting.com/~s ... dex.php?... - Similar

solitaire mahiong
mylene dizon pictures, ben 10 prono, metin boot exp, grand chase hacking cash, video, circlecycle kato, sonia topazio quatro, ...
ld58.inmotionhosting.com/~knoxko5/solitaire-mahiong.html - Cached - Similar

Not good :(
chuggychuggy
Forum User
 
Posts: 2
Joined: Sat Oct 10, 2009 11:36 am

Re: index.php problem

Postby BBQChamp on Mon Oct 12, 2009 4:02 pm

Interesting that a web search of http://www.2309h34b34b34b.cc/sl brings up less than 10 results and only one hosting company Inmotion jumps off the results page. If this was going around the net there would be a lot more chatter. Everything points to this being an InMotion problem.
Last edited by Anonymous on Fri Jan 22, 2010 1:06 am, edited 1 time in total.
Reason: Removed URL Parsing (Link)
BBQChamp
Forum User
 
Posts: 1
Joined: Mon Oct 12, 2009 3:58 pm

Re: index.php problem

Postby Vanessa on Tue Oct 13, 2009 2:10 am

These are completely unrelated to the previous posts in this thread. If you notice the sites that are coming up there, most of them are inside folders such as 'zencart', etc. Yea, Zencart installations that are 4 years old....

I'm closing this thread - those of you having this problem, in case you haven't followed along:

- Change your FTP password, and scan your PC for viruses
- If you're running PHP software, make sure it's up to date
- Close your permissions - you don't need every folder on your site to be 777

Simple steps can keep your site from being hacked. A hacked site doesn't indicate a problem on the server.
Vanessa
Administrator
 
Posts: 649
Joined: Tue Aug 15, 2006 6:31 pm
Location: Virginia Beach, VA

Re: index.php problem

Postby Vanessa on Mon Dec 21, 2009 3:11 pm

I'm going to re-open this thread since we've posted more information on this issue. Please see below:

http://support.inmotionhosting.com/ftp_exploits.html

Do note that other hosting providers are having this issue as well, and it is NOT specific to IMH or our servers. BBQChamp, your post was a bit suggestive, as running a search for the word 'hacked' for any site hosted with us will indeed only bring up sites we host that were hacked in the past, most of which are irrelevant to this particular issue. We are a hosting provider, and naturally many of our customers are going to have sites that are hacked at some point in time. I'd advise you to redo that search with a different hosting provider's server domain and see what kind of results you get - I bet you'll find it's not all that different. Several other hosting companies now have released advisory statements about the same FTP hacks our customers are reporting, and I believe the reason this looks suspicious for us is that we are one of the first hosting providers to actually report it.

To those who are having a problem with a hacked site, please see the below link:

https://support.inmotionhosting.com/cgi ... 94&lang=en

As a system administrator here at IMH, there are four things I've seen attributed to hacked sites:

1) FTP/Cpanel credentials being stolen and used to upload malicious code (as discussed in this thread)
2) Insecure PHP and Perl software (including outdated installations)
3) Insecure permissions (777/666 on files and folders)
4) An actual hack running on the server

Our shared servers are set up to prevent #4 from happening, where a hack possibly let in by one customer's site cannot execute on the server and affect other users. In the rare event of this happening, files set to 666/777 are the only ones that can be affected since the nature of these open permissions allows any user on the system to write to them. We do have measures in place to identify and stop such exploits from occurring, which is why they don't happen - nor have they ever happened on one of our managed platforms. If you are a VPS or DS customer with root access, I highly advise that you take steps to secure your server, as servers of customers that opt for unmanaged hosting are not maintained by us past the hardware level.

For #1, refer to the link I posted. You need to make sure your Adobe and FTP client software is up to date, and your FTP password is changed. Our FTP exploit scanner will automatically reset your password and email you if it detects that malicious code was uploaded. Note that if your site was hacked with this method today, it doesn't mean your FTP information was stolen today. When scanning the servers for the IPs known to execute this hack, we found that some were attempting to use credentials for accounts that were removed as long as 6 months ago - so your FTP information could have been stolen months ago and not used until now. Therefore, the exploit on your PC could have existed at that time but may be fixed now, but it wouldn't hurt to do a virus scan just in case. This hack is also not Windows-specific, as Mac and Linux users have also seen the same problem.

For #2 and #3, all I can recommend is that you keep your site's software up to date. I can't tell you how many customers have notified us about their sites being hacked, only for us to find out that they haven't updated their Wordpress installation for two years. If you're running PHP or Perl software and you neglect to keep up with security patches and updates, I'm sorry, but you're basically asking for your site to get hacked. Some search engines (like Google) have code searches where hackers can mass find sites running specific software versions (mainly of open-source software where one vulnerability will affect anyone running that software), and use that information to compile a list of targets. Unfortunately some people out there really have nothing better to do than to hack other people's sites, so you need to properly maintain your site to keep yourself from being a victim of a web-based attack. We have security measures on the server end to block many types of attacks, but note that it is really not possible for us to anticipate and prevent all possible attacks for every PHP and perl-based software on the net, especially for those of you that write your own.


Now, IMH's standpoint on these issues is to help out our customers as much as possible, regardless of how the hack occurred. The biggest misconception is that when a site is hacked, it's automatically because the hosting provider's servers are insecure. While this may be the case for some hosts, it isn't for us. Keeping your site secure is rather simple, but it takes some effort from our customers as well. If you put a site on the Internet, you need to maintain it properly which means regularly changing passwords and applying appropriate updates. We as the hosting provider do our part in keeping our servers from being hacked, so site owners need to do their part by keeping hacks off their sites.
Vanessa
Administrator
 
Posts: 649
Joined: Tue Aug 15, 2006 6:31 pm
Location: Virginia Beach, VA
