davecjr
Regular
Posts: 167
Joined: Fri Oct 29, 2004 3:09 pm
Contact:

plugin_internal.inc.php

Post by davecjr »

My site was working fine yesterday, I think, and today I get this.

Parse error: syntax error, unexpected '<' in /hsphere/local/home/dcockrel/thecockrells.com/blog/include/plugin_internal.inc.php on line 1794

I don't know that anything changed. Any help would be great.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: plugin_internal.inc.php

Post by garvinhicking »

Hi!

Supposedly someone (like a provider or anyone with FTP access) or you changed that file. You should restore it from a backup or replace it with a clean version of the serendipity release archive of your currently installed serendipity version.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
davecjr
Regular
Posts: 167
Joined: Fri Oct 29, 2004 3:09 pm
Contact:

Post by davecjr »

I uploaded that file from a backup from a while ago and now I get this.

Parse error: syntax error, unexpected '<' in /hsphere/local/home/dcockrel/thecockrells.com/blog/include/functions_installer.inc.php on line 1185

I guess I have more issues.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

What does that file look like on line 1185?

This sounds like you might have gotten hacked, and someone inserted HTML code into all of your files. Immediately check that line and see at what place it is.

If it contains malicious trojans or foreign links to sites you did not put there, immediately temporarily disable your site for forensic analysis; your provider might be able to help you with that. You will need to check through which application they got into your host. Usual culprits are phpBB, Menalto Gallery, Coppermine Gallery or other applications. There is no known security hole in Serendipity that could cause this, as long as you're running at least Serendipity 1.0.

Regards,
Garvin
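One way to act on the advice above (compare the install against a clean copy of the release, find the line where an injected file first differs, and list the directories left world-writable), as an added example that is not code from the thread or from Serendipity. It builds constructed sample trees in a temp directory; the skip list (templates_c, serendipity_config_local.inc.php) is an assumption about which paths legitimately differ from the archive.

```python
import tempfile
from pathlib import Path

# Skipped because they legitimately differ from the release archive (assumption).
SKIP = {"templates_c", "serendipity_config_local.inc.php"}

def first_diff_line(clean, live):
    """1-based line where the two files first differ; 0 if identical."""
    a, b = clean.read_bytes().splitlines(), live.read_bytes().splitlines()
    for i, (x, y) in enumerate(zip(a, b), 1):
        if x != y:
            return i
    return 0 if len(a) == len(b) else min(len(a), len(b)) + 1

def diff_tree(clean_root, live_root):
    """Files in the live install that are modified or added vs. the clean tree."""
    modified, added = [], []
    for path in live_root.rglob("*"):
        rel = path.relative_to(live_root)
        if not path.is_file() or SKIP & set(rel.parts):
            continue
        ref = clean_root / rel
        if not ref.exists():
            added.append(str(rel))
        elif ref.read_bytes() != path.read_bytes():
            modified.append((str(rel), first_diff_line(ref, path)))
    return {"modified": sorted(modified), "added": sorted(added)}

def world_writable_dirs(root):
    """Directories any local user or script may write to (mode ending in 7)."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_dir() and p.stat().st_mode & 0o002)

def build_sample():
    """Constructed stand-ins for the release archive and the compromised install."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "include").mkdir(parents=True)
        (root / "include" / "plugin_internal.inc.php").write_text("<?php\n// api\n\nfunction f() {}\n")
        (root / "include").chmod(0o755)
    inc = live / "include" / "plugin_internal.inc.php"
    # Constructed injection: raw HTML appended after the PHP, the edit that yields "unexpected '<'".
    inc.write_text(inc.read_text() + '<iframe src="INJECTED-PLACEHOLDER"></iframe>\n')
    (live / "include" / "x.php").write_text("<?php // constructed dropped file\n")
    (live / "templates_c").mkdir()
    (live / "templates_c").chmod(0o777)
    return clean, live
```

Run `diff_tree(*build_sample())` to see the modified file reported with line 5, the dropped file listed under "added", and `world_writable_dirs(live)` naming templates_c; on a real host, point the two roots at the unpacked release archive and the document root.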
davecjr
Regular
Posts: 167
Joined: Fri Oct 29, 2004 3:09 pm
Contact:

Post by davecjr »

This is the line but I cut a bunch. I'm trying to get in touch with my host.

(code deleted)
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

Yeah, sadly that's a "rootkit". Your account got hacked; someone added those files. Since it also affects files that are only writable via FTP, it could mean that your base account or FTP account got hacked, not only a web application...

I hope your host will be able to offer you support, this is always a tricky matter.

Regards,
Garvin
davecjr
Regular
Posts: 167
Joined: Fri Oct 29, 2004 3:09 pm
Contact:

Post by davecjr »

I am trying to call them now.

I have other s9y sites with this same host. I hope they aren't hacked too!
judebert
Regular
Posts: 2478
Joined: Sat Oct 15, 2005 6:57 am
Location: Orlando, FL
Contact:

Post by judebert »

Serendipity has been pretty thoroughly vetted; it's unlikely that the hacker got in that way. It's more likely he got access through some other means, then used that access to hack your other files, including Serendipity. You'll want to take a look at everything else you've got installed to make sure it doesn't have modifications lurking around.

It's also possible he hacked in through somebody else's account, and gained access to the provider's main accounts. From there, he could hack anybody at all.

Your provider may be able to figure something out from the access logs. If so, please let us know. We'd like to make Serendipity even more secure, if possible.
Judebert
---
Website | Wishlist | PayPal
davecjr
Regular
Posts: 167
Joined: Fri Oct 29, 2004 3:09 pm
Contact:

Post by davecjr »

It looks like I am getting the blame! I think I left some directories open to get it to work and that's the only thing I have been told by them that the problem was. (but I'm not done talking with them)

I have been using s9y for a long time but this is the first time I've had something like this. I have 5 sites with this host and 3 are s9y. All three were taken down. One site is just a plain html site and the other is Drupal. Both of these were fine.

The three s9y sites are still messed up. They restored one and it was working, but when I took 777 off of a few directories and set them like it says in the s9y installation info, I get an error.

You can see the error at www.thecockrells.com with the templates_c directory set to 775.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

According to the error output, 775 is not sufficient. The PHP process (often www-run or nobody) must have write access; you must make sure that PHP can write to the directory. You might want to ask your provider if the PHP user can be part of your FTP group; then 775 would be fine. Else, only 777 would work for that.

Which serendipity version are you running? I am still thinking that it is not caused by serendipity itself.

Have you checked your client PC for trojans? Just today I had a client at work whose PC was infected with a Russian botnet virus. This one logged all FTP, mail and online banking account data and used it to put bad JavaScript and evil HTML into files that it could access with those stolen FTP data...

Regards,
Garvin
davecjr
Regular
Posts: 167
Joined: Fri Oct 29, 2004 3:09 pm
Contact:

Post by davecjr »

Well, I finally got them to restore everything of mine and I still get an error on both of my sites that matter to me. Both errors are related to the templates_c directory and I've tried everything but 777.

I'll try to get with them again but they earlier implied that me having those directories set to 777 was the reason 'their' server got hacked!

Is there any other way around this?

Thanks for all your help.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

That's actually only possible if their infrastructure was weak to begin with! They should configure PHP so that only you can access your isolated directory, and not so that any other customers or scripts are able to write to your own files.

And not only Serendipity but many other tools like Typo3 or WordPress require PHP write access to files and directories. It does not need to be 777, but other modes only work if the provider has merged your PHP/Apache and FTP user groups.

There's no way around this. Without being able to write files to templates_c, Serendipity cannot operate.

Regards,
Garvin
davecjr
Regular
Posts: 167
Joined: Fri Oct 29, 2004 3:09 pm
Contact:

Post by davecjr »

I appreciate you guys helping me out so quick the other day. I ended up getting them to restore all my domains as of a few days ago so they are all back up and running.

I asked if they could get PHP to run in the same group as the FTP user so I would not have to leave any directories open but their response was:

"You need to either change the permissions to 777 or have the owner set to httpd."

Until I figure out how to change the owner, I guess I'll keep a good backup!

Thanks again for the help.
davecjr
Regular
Posts: 167
Joined: Fri Oct 29, 2004 3:09 pm
Contact:

Post by davecjr »

The folks where my sites are hosted restored my sites from a few days earlier and things have run fine for a while now. Last night I noticed my sites not finishing loading. They would almost get done and then get stuck right at the end of the whole thing loading. I noticed it saying it was connecting to two strange IPs down in the status bar. I looked up the IPs and one was in Asia and one was in Amsterdam. I can't imagine why that would be. I emailed my host and explained the whole scenario to them. I haven't heard from them, but around mid-morning my sites started loading all the way like normal and were pretty fast. Now this afternoon, I went to one of my sites and got an alert from my firewall saying it blocked - Dropper.RSA (Trojan) blocked - 218.93.202.61 - which is one of the IPs I noted last night.

Could someone give me an idea of what I can do? Is there any way for me to figure out how or why my sites would try to connect to these IPs when the page is just about finished loading? Is there any way for me to figure out if it's something in my directories related to my websites or just something with this host?

Thanks for any help.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

That sounds like a virus on your client PC. This could also be the reason your site got infected in the first place. There are viruses that collect your FTP information and put stuff onto your site.

On http://www.thecockrells.com/blog/ I cannot find a javascript that looks like an infection. You did refer to that site, right?

Check your PC thoroughly for viruses, though.

Regards,
Garvin