Parse error: syntax error

apsara · October 06, 2009, 03:13:06 AM

All my sites hosted on the same hosting service (including smf sites and non smf sites, wordpress site and joomla site) suddenly and simultaneously are showing similar errors but on different lines.
But smf sites are showing error on same line.(see below)
The hosting guys have washed off their hands and also I protested their move of referring me to a 'script fixer' site which is a paid affiliate of hosting providers. My hosting is a paid plan.

How can all sites develop similar errors beats me.

What should I do right now at least to fix the smf site errors?

The following are errors on the sites:(Both these sites have simple portal and smf)

Parse error: syntax error, unexpected T_LNUMBER, expecting ',' or ';' in

:
Parse error: syntax error, unexpected T_LNUMBER, expecting ',' or ';' in /

I remember someone somewhere earlier here, for similar problem, suggesting an 'error fixer' plugin kind of thing to be uploaded via ftp and 'fix' the script. I have ftp access and can i do this?
Or
Any other suggestion?

Please help!

Tyrsson · October 06, 2009, 03:15:05 AM

Can you please attach your index.php from the site to your next post.

apsara · October 06, 2009, 10:42:59 AM

I found 2 files and am attaching both. One seems to be a cache file.

sshahnawaz · October 06, 2009, 10:57:47 AM

Quote
I remember someone somewhere earlier here, for similar problem, suggesting an 'error fixer' plugin kind of thing to be uploaded via ftp and 'fix' the script. I have ftp access and can i do this?

I think you are talking about repair_settings.php. Just find it in the Online Help Manual and first read about it if it can help you fixing the problem.

Tyrsson · October 06, 2009, 04:39:10 PM

There appears to have been script injected into that file. Please keep a backup of the file and try the one I have attached. There are a couple things you need to do.

1.) Check the last edit dates for every file on your server. If you have not changed them recently and the last edit date is that same as with the index.php file then they will most likely have the same code within them.

2.) Notify your host that a site on your server has been hacked and see if they can look over the access logs to find where the hack originated from. There is a chance it was not through your site but could be from another site on the server.

3.) Check all non smf applications and static html pages as well. Since every app showed problems at the same time this leads me to think that it is not confined to SMF and most likely originated outside of SMF as there are no known vulnerabilities in the 1.1.x branch.

4.) Look for any files that have odd or all numeric file names that are not native to the application(s).

apsara · October 06, 2009, 09:20:54 PM

I have made some good progress.
I have done what you suggested. The the home page loaded partially. But forum loaded completely. I thought I will re install Simple portal and that would do the trick.
But while uninstalling, SMF warned me not to proceed as 'test failed' and the failure was in index.php.

Tyrsson · October 07, 2009, 01:05:10 AM

You can backup the settings.php and settings_bak.php files then remove the smf files and upload new files from a large upgrade package (just remove the upgrade.php and .sql files) and then upload the settings and settings_bak to the top level and your forum will be back to a fresh install (except for the mod tables in the db).

It is important to note however that if all of the infected files are not removed prior to this it may do very little good. I would also suggest that you run a virus scan on your computer and use a clean computer to change all your passwords for the forum, hosting, ftp etc.

apsara · October 07, 2009, 02:13:55 AM

Waiting to completely clean the computer. Avast is failing to install. Trying again.
Plan to use CC cleaner and Avast to get a clean computer.
Any suggestions from anyone?

sshahnawaz · October 07, 2009, 04:53:00 AM

Avast being failed to installed means that you have a certain virus attack on your PC or there must be some OS corruption etc.

apsara · October 07, 2009, 05:06:11 AM

Avast installed after second try. Found a bundle of trozans. All moved to chest. Ready to do as suggested by Tyrsson.
I hope I do it right
I have a lingering doubt that I didnt exactly follow what Tyrsson actually explained.
I will wait by and see if someone/Tyrsson explains Tyrsson's solution in a step by step manner.
Tyrsson: Can you please?
Thanks

Tyrsson · October 07, 2009, 05:20:00 AM

Quote from: apsara on October 07, 2009, 05:06:11 AM
Avast installed after second try. Found a bundle of trozans. All moved to chest. Ready to do as suggested by Tyrsson.
I hope I do it right
I have a lingering doubt that I didnt exactly follow what Tyrsson actually explained.
I will wait by and see if someone/Tyrsson explains Tyrsson's solution in a step by step manner.
Tyrsson: Can you please?
Thanks

Which parts and I will be happy to explain

apsara · October 07, 2009, 11:02:37 AM

Avast was installed successfully and after full virus scan and 'moving to the chest',
My avast program gave me warning of a malaware from my site. I am attaching the screen shot:

sshahnawaz · October 07, 2009, 12:44:48 PM

I am not sure if there is something wrong with your website or not, because sometimes some scripts written in JavaScript or PHP (not sure about PHP too much) alert the anti-viruses about some exploit-vir or malware etc.

A Trojan Horse (provided if surely exists and your forum is really infected with this and not just the wrong doubt of your antivirus software), means that somebody is trying to hack your forum. In such case, it is better to re-install your forum I would advise...

Tyrsson · October 08, 2009, 01:51:08 AM

You will need to seek support for the other application you are running and find out which files they store settings in. Once you have that information you will need to download copies of the settings.php and settings_bak.php along with the settings files for the other app's you are running and then remove all the files from the server. Once that is done you can use the settings files that you downloaded and rebuild packages to upload and have your sites running trojan and error free. I do caution you though that if you have not spoken to your host and if they have not found which site was compromised and have the problem fixed it may little good and you may find yourself in the same situation two-three days from now. If this script came in from another site that shares the server with your site and you clean your but the other site is not cleaned as well it could reinfect your site, which is why it is critical that you notify your host so they can resolve the problem. If you need further instructions and help please post back with specific questions and I will glad to help you.

apsara · October 11, 2009, 12:27:11 AM

I found iframe in almost all the files on the server ( on all the sites). Deleted a few but found them written back in a couple of hours. Alerted the server admin.
I am going in for a complete clean up of the account. First let me learn about saving the sql databases!!

apsara · October 12, 2009, 03:14:48 AM

This is clear case of Iframe attack.

sshahnawaz · October 12, 2009, 07:46:46 AM

You should start a new thread for this topic.

Tyrsson · October 12, 2009, 08:36:26 AM

Quote from: sshahnawaz on October 12, 2009, 07:46:46 AM
You should start a new thread for this topic.

The thread is fine to run here.

If the files had been rewritting then most likely either your computer is still infected (keylogger most likely) and you did not use a secure (clean) system to change ALL passwords etc. It will also be instrumental to determine where the hack come in from. Your host should be able to determine that. Please secure all your password info (especially ftp, cpanel, forum admin etc). and keep us posted on the situation. If we can be of more assistance please let us know.

apsara · October 12, 2009, 11:51:47 AM

I have so many viruses , key loggers, trojans, oh..... what not.... an entire army of enemies sitting in my computer.

I selected all drives for a deep scan including archives with my avast and there was a string of warnings and warnings.

I had all these viruses in my system all along? I cant believe. I now am kind of a neurotic

( like the one who washes his hands all the times) with any system and pen drives especially.. I have scheduled tasks of running an anti virus software in all the 4 systems i commonly use.

apsara · October 20, 2009, 08:55:06 AM

This is what I have done.

Cleaned up my computer completely
Changed ftp passwords
Downloaded the attachments folder.(found no virus)
Took a backup of the sql database. (found no virus)
Asked the hosting provider to clean up the the whole account.

Re installed smf
uploaded the attachments folder
Uploaded the database
Ran the repair-setting tool and deleted it after using it.
Most of it is ok. Only problem is with pictures in posts and user uploaded avtars.

Most of the avtars are not seen. Few seen
All of the pictures in the posts are not seen
The database is showing the pictures, but they are not reflected in the forum.
Pictures in the database are showing garbled images when seen apart the forum.

News:

Parse error: syntax error