Save what files to wipe & install new SY9?

ed587
Regular
Posts: 75
Joined: Thu Feb 12, 2009 3:26 pm

Save what files to wipe & install new SY9?

Post by ed587 »

My server administrator has informed me with a list of maybe 100 of my Serendipity files which they say have a virus in them. They have disabled several directories along with Serendipity. My blog is down and the Administrator Suite.

I would like to delete all the Serendipity files except those I need for re-installing. What do I need to keep along with serendipity_config_local.inc.php?

If this has been answered, I apologize, I did not find it.
The best,

~Ed
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Save what files to wipe & install new SY9?

Post by Timbalu »

Well, there are some posts regarding things like this in our forum. Searching for 'hacked', or so.

What you really need is serendipity_config_local.inc.php, which holds your database credentials. And keep the database itself, but this isn't file related, normally. Being hacked can be a serious issue or just changing some world readable files by dummies. You have to keep this in mind, since the database could be filled with injections too, a check is needed. Normally, if the hack came in by the old wysiwyg editor in older serendipity versions, you will have to deal with dummies. FTP or other serious site hacks can do more.

The rest depends on what you have done before. Assuming you want to keep what you have done before:
If using a self designed template, you have to backup this too. Same goes for plugins.
If you only have changed some css in your template, save that file only.

In the uploads/ dir you will find all media library files you have ever uploaded to the blog. Keep it.
But, if you really got hacked - I assume this was an early S9y version (*), if it was by serendipity - you will possibly have infected files in there. This definitely needs deep investigation before new use!

Interesting would be to see that ~100 file list by your hoster.

(*) Search the http://blog.s9y.org/ announcements to see what happened over time.

Here is a link to an experimental 'verify for hacked blogs' plugin, not really up to date, but still usable.
http://board.s9y.org/viewtopic.php?f=4&t=17755
This will/could list all files you'd need to investigate, when the blog has come up again.
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
ed587
Regular
Posts: 75
Joined: Thu Feb 12, 2009 3:26 pm

Re: Save what files to wipe & install new SY9?

Post by ed587 »

Thanks for your reply and information Timbalu. I don't think my installation was that old 1.6.2. I will do as you suggest and see what happens. Here is the list of files my server admin sent. Please let me know if it gives you more insight or information I can use.

The best,
~Ed

./public/serendipity/bundled-libs/Cache/Lite.php
./public/serendipity/bundled-libs/PEAR.php
./public/serendipity/bundled-libs/Smarty/libs/Smarty.class.php
./public/serendipity/bundled-libs/Smarty/libs/internals/core.process_cached_inserts.php
./public/serendipity/bundled-libs/Smarty/libs/internals/core.run_insert_handler.php
./public/serendipity/bundled-libs/Smarty/libs/internals/core.smarty_include_php.php
./public/serendipity/bundled-libs/Smarty/libs/plugins/function.eval.php
./public/serendipity/bundled-libs/Smarty/libs/plugins/function.mailto.php
./public/serendipity/bundled-libs/Smarty/libs/plugins/function.math.php
./public/serendipity/bundled-libs/XML/RPC.php
./public/serendipity/bundled-libs/getid3/module.archive.gzip.php
./public/serendipity/bundled-libs/getid3/module.audio-video.riff.php
./public/serendipity/bundled-libs/getid3/module.audio.ogg.php
./public/serendipity/bundled-libs/getid3/module.misc.iso.php
./public/serendipity/bundled-libs/getid3/write.id3v2.php
./public/serendipity/comment.php
./public/serendipity/exit.php
./public/serendipity/htmlarea/contrib/php-xinha.php
./public/serendipity/htmlarea/examples/files/ext_example-menu.php
./public/serendipity/htmlarea/plugins/Abbreviation/popups/abbreviation.html
./public/serendipity/htmlarea/plugins/ExtendedFileManager/Classes/ExtendedFileManager.php
./public/serendipity/htmlarea/plugins/ExtendedFileManager/config.inc.php
./public/serendipity/htmlarea/plugins/FormOperations/formmail.php
./public/serendipity/htmlarea/plugins/ImageManager/Classes/IM.php
./public/serendipity/htmlarea/plugins/ImageManager/Classes/ImageManager.php
./public/serendipity/htmlarea/plugins/ImageManager/Classes/NetPBM.php
./public/serendipity/htmlarea/plugins/ImageManager/config.inc.php
./public/serendipity/htmlarea/plugins/InsertPicture/InsertPicture.php
./public/serendipity/htmlarea/plugins/Linker/dialog.html
./public/serendipity/htmlarea/plugins/QuickTag/popups/quicktag.html
./public/serendipity/htmlarea/plugins/SpellChecker/aspell_setup.php
./public/serendipity/htmlarea/plugins/SpellChecker/spell-check-logic.php
./public/serendipity/htmlarea/plugins/SpellChecker/spell-check-savedicts.php
./public/serendipity/htmlarea/popups/fullscreen.html
./public/serendipity/include/admin/images.inc.php
./public/serendipity/include/admin/importers/movabletype.inc.php
./public/serendipity/include/admin/importers/voodoopad.inc.php
./public/serendipity/include/admin/overview.inc.php
./public/serendipity/include/compat.inc.php
./public/serendipity/include/functions.inc.php
./public/serendipity/include/functions_comments.inc.php
./public/serendipity/include/functions_config.inc.php
./public/serendipity/include/functions_images.inc.php
./public/serendipity/include/functions_trackbacks.inc.php
./public/serendipity/include/plugin_api.inc.php
./public/serendipity/include/plugin_api_extension.inc.php
./public/serendipity/include/tpl/config_local.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_bg.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_cn.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_cs.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_cz.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_da.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_de.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_en.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_es.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_fa.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_fi.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_fr.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_hu.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_is.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_it.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_ja.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_ko.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_nl.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_no.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_pl.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_pt.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_pt_PT.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_ro.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_ru.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_sa.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_se.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_ta.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_tn.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_tr.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_tw.inc.php
./public/serendipity/lang/UTF-8/serendipity_lang_zh.inc.php
./public/serendipity/lang/serendipity_lang_bg.inc.php
./public/serendipity/lang/serendipity_lang_cn.inc.php
./public/serendipity/lang/serendipity_lang_cs.inc.php
./public/serendipity/lang/serendipity_lang_cz.inc.php
./public/serendipity/lang/serendipity_lang_da.inc.php
./public/serendipity/lang/serendipity_lang_de.inc.php
./public/serendipity/lang/serendipity_lang_en.inc.php
./public/serendipity/lang/serendipity_lang_es.inc.php
./public/serendipity/lang/serendipity_lang_fa.inc.php
./public/serendipity/lang/serendipity_lang_fi.inc.php
./public/serendipity/lang/serendipity_lang_fr.inc.php
./public/serendipity/lang/serendipity_lang_hu.inc.php
./public/serendipity/lang/serendipity_lang_is.inc.php
./public/serendipity/lang/serendipity_lang_it.inc.php
./public/serendipity/lang/serendipity_lang_ja.inc.php
./public/serendipity/lang/serendipity_lang_ko.inc.php
./public/serendipity/lang/serendipity_lang_nl.inc.php
./public/serendipity/lang/serendipity_lang_no.inc.php
./public/serendipity/lang/serendipity_lang_pl.inc.php
./public/serendipity/lang/serendipity_lang_pt.inc.php
./public/serendipity/lang/serendipity_lang_pt_PT.inc.php
./public/serendipity/lang/serendipity_lang_ro.inc.php
./public/serendipity/lang/serendipity_lang_ru.inc.php
./public/serendipity/lang/serendipity_lang_sa.inc.php
./public/serendipity/lang/serendipity_lang_se.inc.php
./public/serendipity/lang/serendipity_lang_ta.inc.php
./public/serendipity/lang/serendipity_lang_tn.inc.php
./public/serendipity/lang/serendipity_lang_tr.inc.php
./public/serendipity/lang/serendipity_lang_tw.inc.php
./public/serendipity/lang/serendipity_lang_zh.inc.php
./public/serendipity/plugins/serendipity_event_bbcode/serendipity_event_bbcode.php
./public/serendipity/plugins/serendipity_event_blogpdf/serendipity_event_blogpdf/gif.php
./public/serendipity/plugins/serendipity_event_google_sitemap/serendipity_event_google_sitemap.php
./public/serendipity/plugins/serendipity_event_guestbook/serendipity_event_guestbook.php
./public/serendipity/plugins/serendipity_event_karma/serendipity_event_karma.php
./public/serendipity/plugins/serendipity_event_mailer/UTF-8/lang_fr.inc.php
./public/serendipity/plugins/serendipity_event_mailer/lang_fr.inc.php
./public/serendipity/plugins/serendipity_event_mailer/serendipity_event_mailer.php
./public/serendipity/plugins/serendipity_event_recaptcha/recaptcha/recaptchalib.php
./public/serendipity/plugins/serendipity_event_spamblock/UTF-8/lang_cs.inc.php
./public/serendipity/plugins/serendipity_event_spamblock/UTF-8/lang_cz.inc.php
./public/serendipity/plugins/serendipity_event_spamblock/UTF-8/lang_ja.inc.php
./public/serendipity/plugins/serendipity_event_spamblock/lang_cs.inc.php
./public/serendipity/plugins/serendipity_event_spamblock/lang_cz.inc.php
./public/serendipity/plugins/serendipity_event_spamblock/lang_en.inc.php
./public/serendipity/plugins/serendipity_event_spamblock/lang_ja.inc.php
./public/serendipity/plugins/serendipity_event_spamblock_bayes/serendipity_event_spamblock_bayes.php
./public/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php
./public/serendipity/plugins/serendipity_event_suggest/serendipity_event_suggest.php
./public/serendipity/plugins/serendipity_event_suggest/serendipity_event_suggest/serendipity_event_suggest.php
./public/serendipity/plugins/serendipity_event_textwiki/UTF-8/lang_pt_PT.inc.php
./public/serendipity/plugins/serendipity_event_textwiki/lang_pt_PT.inc.php
./public/serendipity/plugins/serendipity_event_todolist/serendipity_event_todolist/serendipity_event_todolist.php
./public/serendipity/plugins/serendipity_event_usergallery/JPEG_TOOLKIT/EXIF.php
./public/serendipity/plugins/serendipity_event_usergallery/JPEG_TOOLKIT/Photoshop_IRB.php
./public/serendipity/plugins/serendipity_event_usergallery/plugin_usergallery.tpl
./public/serendipity/plugins/serendipity_event_usergallery/plugin_usergallery_imagedisplay.tpl
./public/serendipity/plugins/serendipity_event_userprofiles/serendipity_event_userprofiles/Contact_Vcard_Build.php
./public/serendipity/plugins/serendipity_event_userprofiles/serendipity_event_userprofiles/serendipity_event_userprofiles.php
./public/serendipity/plugins/serendipity_plugin_adduser/serendipity_plugin_adduser/common.inc.php
./public/serendipity/templates/default/admin/media_items.tpl
./public/serendipity/templates_c/btemplate.php
./public/serendipity/templates_c/bulletproof^%%6D^6DE^6DE17693%%entries.tpl.php
The best,

~Ed
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Save what files to wipe & install new SY9?

Post by Timbalu »

I cannot really believe all these files have been hacked to be eval and carry a virus. Maybe some. But this list is so weird, that maybe your server admin is a little overworried too and did not verify what he found.
Since having had that Xinha issue, fixed with 1.5.5, I never heard again of hacked Serendipity Blogs by later Serendipity versions, besides people carrying rest vulnerabilities with them. But that would not correspond with your list. Hacking Serendipity was possible later too, but much more for real specialists. So the cause of this flaw(s) is more or less somewhere else, I assume.
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Save what files to wipe & install new SY9?

Post by garvinhicking »

This can very easily be a worm that used FTP credentials and simply iterated directories.

No worries though. The EASIEST way is always this: Simply re-upload all files that come with a Serendipity release to your server, overwriting all existing files.

ONLY if you manually ever edited those files, you would need to insert your changes into the files you changed. However, Serendipity is really built so that you would rarely ever need to edit core files - so that rarely applies.

Now to your specific list of files: YES, do DELETE all of the files that are listed there. After that, re-upload all files from Serendipity 1.7.8 to your webspace. (Some of the files mentioned will no longer be contained in the 1.7.8 release file, this is the reason you need to delete the listed files first). To be sure, make a backup of those files, just in case you did edit manually one of them and need to restore changes at some point.

After you have done that: Immediately scan for viruses on your PC(s), change the password for FTP/SSH to your server and then change the login password for Serendipity as well.

HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
ed587
Regular
Posts: 75
Joined: Thu Feb 12, 2009 3:26 pm

Re: Save what files to wipe & install new SY9?

Post by ed587 »

Thanks Ian and Garvin,

This will be easier.

The best,

~Ed
ed587
Regular
Posts: 75
Joined: Thu Feb 12, 2009 3:26 pm

Re: Save what files to wipe & install new SY9?

Post by ed587 »

I worked at deleting the infected files and re-installing new files from 1.7.8. My service re-enabled all the files but my blog came up as a blank page. Went to the admin suite and tested with the Installation Integrity module. Found I still had dozens of files which were corrupt or modified. Used this list to again write over all these files. In fact, transferred the entire plugins folder since it seemed each of those files was infected.

Ran the Installation Integrity again but this time the test would not complete and the Admin Suite no longer appears, it is a blank page too. Thought I would upgrade to 1.7.8 and saw that you need the Admin Suite to do it.

I have kept serendipity_config-local.inc.php so I have all the db credentials. The following is the .htaccess, I don't remember all the rewrites in it and perhaps it is corrupt.

# BEGIN s9y
ErrorDocument 404 /serendipity/index.php
DirectoryIndex /serendipity/index.php
php_value session.use_trans_sid 0
php_value register_globals off
Options -MultiViews

RewriteEngine On
RewriteBase /serendipity/
RewriteRule ^serendipity_admin.php serendipity_admin.php [NC,L,QSA]
RewriteRule ^((archives/([0-9]+)\-[0-9a-z\.\_!;,\+\-\%]+\.html)/?) index.php?/$1 [NC,L,QSA]
RewriteRule ^(authors/([0-9]+)\-[0-9a-z\.\_!;,\+\-\%]+) index.php?/$1 [NC,L,QSA]
RewriteRule ^(feeds/categories/([0-9;]+)\-[0-9a-z\.\_!;,\+\-\%]+\.rss) index.php?/$1 [NC,L,QSA]
RewriteRule ^(feeds/authors/([0-9]+)\-[0-9a-z\.\_!;,\+\-\%]+\.rss) index.php?/$1 [NC,L,QSA]
RewriteRule ^(categories/([0-9;]+)\-[0-9a-z\.\_!;,\+\-\%]+) index.php?/$1 [NC,L,QSA]
RewriteRule ^archives([/A-Za-z0-9]+)\.html index.php?url=/archives/$1.html [NC,L,QSA]
RewriteRule ^([0-9]+)[_\-][0-9a-z_\-]*\.html index.php?url=$1-article.html [L,NC,QSA]
RewriteRule ^feeds/(.*) index.php?url=/feeds/$1 [L,QSA]
RewriteRule ^unsubscribe/(.*)/([0-9]+) index.php?url=/unsubscribe/$1/$2 [L,QSA]
RewriteRule ^approve/(.*)/(.*)/([0-9]+) index.php?url=approve/$1/$2/$3 [L,QSA]
RewriteRule ^delete/(.*)/(.*)/([0-9]+) index.php?url=delete/$1/$2/$3 [L,QSA]
RewriteRule ^(admin|entries)(/.+)?$ index.php?url=admin/ [L,QSA]
RewriteRule ^archive/? index.php?url=/archive [L,QSA]
RewriteRule ^(index|atom[0-9]*|rss|b2rss|b2rdf).(rss|rdf|rss2|xml) rss.php?file=$1&ext=$2
RewriteRule ^(plugin|plugin)/(.*) index.php?url=$1/$2 [L,QSA]
RewriteRule ^search/(.*) index.php?url=/search/$1 [L,QSA]
RewriteRule ^comments/(.*) index.php?url=/comments/$1 [L,QSA]
RewriteRule ^(serendipity\.css|serendipity_admin\.css)$ index.php?url=/$1 [L,QSA]
RewriteRule ^index\.(html?|php.+) index.php?url=index.html [L,QSA]
RewriteRule ^htmlarea/(.*) htmlarea/$1 [L,QSA]
#RewriteCond %{REQUEST_URI} !-U
RewriteRule (.*\.html?) index.php?url=/$1 [L,QSA]

<Files *.tpl.php>
deny from all
</Files>

<Files *.tpl>
deny from all
</Files>

<Files *.sql>
deny from all
</Files>

<Files *.inc.php>
deny from all
</Files>

<Files *.db>
deny from all
</Files>

# END s9y
#SPAMDENY
Deny From 193.201.224.76 195.211.155.154 27.254.82.17 5.254.133.99 54.88.135.154 91.200.13.87 91.200.14.55
#/SPAMDENY

Any other ideas before I attempt a complete re-installation? Thanks very much.
The best,

~Ed
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Save what files to wipe & install new SY9?

Post by Timbalu »

ed587 wrote: I worked at deleting the infected files and re-installing new files from 1.7.8.
only this new or - like Garvin wrote -
garvinhicking wrote: do DELETE all of the files that are listed there. After that, re-upload all files from Serendipity 1.7.8 to your webspace.
all files of 1.7.8?

If doing this by FTP, you should use a program which is able to force overwrite and automatic binary uploads, like FileZilla.
ed587 wrote: My service re-enabled all the files but my blog came up as a blank page.
Totally blank pages mean a fatal error, which is logged to the server logs, commonly access.log and error.log. Ask your ISP to give you that information.
ed587 wrote: Went to the admin suite and tested with the Installation Integrity module. Found I still had dozens of files which were corrupt or modified.
No wonder, since you had not upgraded yet. The terms corrupt or modified just mean that they are not the same any more by date, or size, as from last successful installed release upgrade, which is checked by a checksum comparison.
ed587 wrote: Used this list to again write over all these files. In fact, transferred the entire plugins folder since it seemed each of those files was infected.

Ran the Installation Integrity again but this time the test would not complete and the Admin Suite no longer appears, it is a blank page too. Thought I would upgrade to 1.7.8 and saw that you need the Admin Suite to do it.

Any other ideas before I attempt a complete re-installation? Thanks very much.
No, since that was the main idea before. Always upload all files! (After having saved a backup copy of all files you might have changed yourself before.)

The htaccess looks ok for me, if your IP isn't blocked in the SPAMDENY, which part could be just wiped out.

I assume if not being a matter of false FTP upload, the fatal error is because of not updated plugins.
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
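
An added example, not part of the thread and not the code of Serendipity's Installation Integrity module: the checksum comparison described above, generalized to compare an installed tree against a freshly unpacked release tree, so that modified, missing and left-over files are listed before everything is re-uploaded. The preserved file names, the uploads/ script check and the extension list are assumptions, and the sample trees in demo() are constructed.

```python
import hashlib
import os
import tempfile

# Assumptions (not from the thread): site-local files a release archive never
# ships, the media directory name, and which extensions count as scripts.
LOCAL_FILES = {"serendipity_config_local.inc.php", ".htaccess"}
DATA_DIR = "uploads/"
SCRIPT_EXTS = (".php", ".phtml", ".inc")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map each file's relative path (forward slashes) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return hashes


def compare_install(release_root, install_root):
    """Classify installed files against a freshly unpacked release tree."""
    release, installed = tree_hashes(release_root), tree_hashes(install_root)
    report = {"modified": [], "missing": [], "extra": [], "scripts_in_uploads": []}
    for rel, digest in release.items():
        if rel not in installed:
            report["missing"].append(rel)      # re-upload needed
        elif installed[rel] != digest:
            report["modified"].append(rel)     # overwrite with the release copy
    for rel in installed:
        if rel in release or rel in LOCAL_FILES:
            continue
        if rel.startswith(DATA_DIR):
            # Media is expected here; executable script types are not.
            if rel.lower().endswith(SCRIPT_EXTS):
                report["scripts_in_uploads"].append(rel)
        else:
            report["extra"].append(rel)        # not shipped by the release: review
    return {key: sorted(paths) for key, paths in report.items()}


def write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Run the comparison on two small constructed trees (sample data only)."""
    release = {"index.php": b"<?php // core", "include/compat.inc.php": b"<?php // compat",
               "lang/serendipity_lang_en.inc.php": b"<?php // lang"}
    installed = {"index.php": b"<?php // core",
                 "include/compat.inc.php": b"<?php // compat + appended code",
                 "htmlarea/popups/fullscreen.html": b"<html>old editor file</html>",
                 "serendipity_config_local.inc.php": b"<?php // db credentials",
                 "uploads/photo.jpg": b"\xff\xd8\xff", "uploads/thumb.php": b"<?php // ?"}
    with tempfile.TemporaryDirectory() as rel_dir, tempfile.TemporaryDirectory() as inst_dir:
        write_tree(rel_dir, release)
        write_tree(inst_dir, installed)
        return compare_install(rel_dir, inst_dir)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files reported as extra include anything the release does not ship, such as additional plugins and self-made templates, so that list is for review rather than automatic deletion.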
ed587
Regular
Posts: 75
Joined: Thu Feb 12, 2009 3:26 pm

Re: Save what files to wipe & install new SY9?

Post by ed587 »

Timbalu,

Thank you for the step by step answers, I went through the files again, found some I had not deleted, deleted them and uploaded new files from 1.7.8. My blog comes up as does the Admin Suite. I have problems with the plugins. Most of my plugins now come up as errors where the plugins should be on the Configure Plugins page in the Admin Suite. Errors like: Error!
Error: serendipity_plugin_photoblog:7fd466cd714...

I was going to try re-installing but many of them are not available in the list on the install plugin page. I don't see the option to install from a downloaded plugin.

I also need to get my Guestbook working. Any help will be greatly appreciated.
The best,

~Ed
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Save what files to wipe & install new SY9?

Post by Timbalu »

ed587 wrote: Thank you for the step by step answers, I went through the files again, found some I had not deleted, deleted them and uploaded new files from 1.7.8.
So you did upload ALL files at the very end, did you?!
I think you did not, since your blog is still announcing itself as Serendipity v.1.6.2.
ed587 wrote: My blog comes up as does the Admin Suite. I have problems with the plugins. Most of my plugins now come up as errors where the plugins should be on the Configure Plugins page in the Admin Suite. Errors like: Error!
Error: serendipity_plugin_photoblog:7fd466cd714...

I was going to try re-installing but many of them are not available in the list on the install plugin page. I don't see the option to install from a downloaded plugin.

I also need to get my Guestbook working. Any help will be greatly appreciated.
You can do this by hand either via Spartacus Web online repository downloads http://spartacus.s9y.org/ and uploading them manually one by one
or by installing the Spartacus serendipity_event_spartacus plugin, which is its online in-blog variation and a very recommended 'must have' plugin. Then you can upgrade your plugins one by one on click, via the "rose" upgrade buttons on top of plugin administration.

Though 1.7 Series has come into years and continuously has been upgrading and modifying plugins which were noted to not work, there might still be plugins out in the wild, which will not work properly. Come back if that is the case, with detailed errors etc.
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
ed587
Regular
Posts: 75
Joined: Thu Feb 12, 2009 3:26 pm

Re: Save what files to wipe & install new SY9?

Post by ed587 »

Ian & Garvin,

Thanks very much for helping me get the blog up and running again which it is with Serendipity 1.7.8. I've re-installed the plugins I wanted and all those are running correctly. I was about to abandon all hope when I started this thread. Thanks again for your patience and help.
The best,

~Ed