runtime error

iain sherriff · January 24, 2014, 06:41:36 AM

Does this give clues as to where I should look to cure this Please ?

"Enable compressed output" is not selected.
This error was showing on my account and I was not using mobile but was wireless.
The code around there is

Code Select


// Some settings and headers are different for wireless protocols.
if (WIRELESS)
{
	define('WIRELESS_PROTOCOL', isset($_REQUEST['wap']) ? 'wap' : (isset($_REQUEST['wap2']) ? 'wap2' : (isset($_REQUEST['imode']) ? 'imode' : '')));

	// Some cellphones can't handle output compression...
	$modSettings['enableCompressedOutput'] = '0';
	// !!! Do we want these hard coded?
	$modSettings['defaultMaxMessages'] = 5;
	$modSettings['defaultMaxTopics'] = 9;

	// Wireless protocol header.
	if (WIRELESS_PROTOCOL == 'wap')
		header('Content-Type: text/vnd.wap.wml');
}

// Restore post data if we are revalidating OpenID.
if (isset($_GET['openid_restore_post']) && !empty($_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]['post']) && empty($_POST))
{
	$_POST = $_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]['post'];
	unset($_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]);
}

// What function shall we execute? (done like this for memory's sake.)
call_user_func(smf_main());

// Call obExit specially; we're coming from the main area ;).
obExit(null, null, true);

// The main controlling function.

Thanks in advance

kat · January 24, 2014, 07:30:26 AM

Some could, probably, figure this out, as-is. But, for me, that "Eval" thing is masking the true error.

Can you go to Admin>Configuration>Server settings and put a check in "Disable emulation of templates"?

After you've done that, you should get the true error-message.

iain sherriff · January 24, 2014, 07:55:18 AM

Thanks K@. (evaluation ? ) It already is ticked ?

kat · January 24, 2014, 08:31:03 AM

I think you'll need to have a natter with your host, for this one, mate.

I suspect that there's something in php.ini under the "disable_functions" section that's been... er... disabled.

Possibly, you don't have full CHOWN ownership of everything, on your site?

(I'm fishing, here. You may have noticed)

I'm pretty sure it's "Permissions" related, anyway.

iain sherriff · January 24, 2014, 08:33:29 AM

will do. cheers

kat · January 24, 2014, 08:40:31 AM

Let us know what they say, yeah?

iain sherriff · January 24, 2014, 08:43:49 AM

will do

iain sherriff · January 24, 2014, 09:19:31 AM

Server is on maintainence today.
Will just sit it out for a bit (everything seems to work, just thousands of errors logging)

I'll mark this as solved for now

Arantor · January 24, 2014, 10:13:53 AM

There is a WTf there. The whole list of evals is a bit suspicious. In fact, look at the top of our index.php file for something that should not be there.

iain sherriff · January 24, 2014, 02:14:53 PM

I can see differences in line with the mods I know are there but cant see anything wrong.
Can I post it here for someone to look ?

kat · January 24, 2014, 02:43:00 PM

Might be wise...

Arantor · January 24, 2014, 03:04:46 PM

Please attach your index.php file, because it does look suspicious from what has been posted thus far.

iain sherriff · January 24, 2014, 04:41:46 PM

thanks

kat · January 24, 2014, 04:52:10 PM

Might be interesting, this... I'm about to disable avast, because it wouldn't let me download that file. Claims it's infected with PHP:agent-RK [Trj].

kat · January 24, 2014, 05:01:08 PM

Yep. Look at the first line.

It should be just:

<?php

Yours has a lot more than that. I'm afraid you've been hacked.

I'm afraid you'll need to go through all of your files and remove that malicious code, unless you have a clean backup.

You'll want to notify your host, PDQ, too.

Arantor · January 24, 2014, 05:14:51 PM

Sneaky, too. Must remember that one in future.

iain sherriff · January 24, 2014, 05:20:25 PM

bugger..........

Thanks guys.

iain sherriff · January 24, 2014, 05:27:55 PM

I'm confused.
When I look at the first line of the attachment I see

Code Select

<?php

but if I copy it and paste in is see al the other gibberish before the <?php

??

Arantor · January 24, 2014, 05:38:13 PM

That's the thing... it's all one line. One very long line with lots of spaces before the 'gibberish'. It's perfectly legal PHP to do that.

Shambles · January 24, 2014, 05:51:47 PM

As perverse as it may seem, I quite like what's been done there. Sorry.

iain sherriff · January 24, 2014, 06:02:27 PM

will the host be able to tell where it came from ?

Arantor · January 24, 2014, 06:13:14 PM

Maybe. Ask them.

@Shambles: it is not wrong to appreciate the subtlety and ingenuity of something like that. I just wish they'd channel their skills into producing new good software rather than attacking things.

iain sherriff · January 24, 2014, 06:18:18 PM

Im a bit at arms length as I Admin the forum, have FTP access but not CP or dB access. The host is looking at it.
I have gone through what I can and removed all traces I can see.
The forum is for a business that is subject to a lot of flack from trolls and has been attacked before unfortunately.

iain sherriff · January 24, 2014, 06:30:43 PM

I've just realised the bit about one line

that is sneaky

Arantor · January 24, 2014, 06:33:33 PM

Not just the fact it's on one line, it's one line - but with enough spaces that to the casual observer, you'd never notice anything was amiss. When I first looked at it in Notepad++, I thought... there's something weird here, because I couldn't *immediately* see something awry.

iain sherriff · January 25, 2014, 04:35:29 AM

that code was in every index.php file.

kat · January 25, 2014, 05:30:13 AM

Quote from: Sir Cumber-Patcher on January 24, 2014, 06:33:33 PMI couldn't *immediately* see something awry.

When I looked, it was the fact that the scrollbar, at the bottom, indicated that there was a LONG line, somewhere, that gave me the hint. So, I whacked it over to the far-right and voila! There it was.

iain sherriff · January 25, 2014, 07:15:35 AM

I cottoned onto that in the end. Also the file size was way too big.
I thnik it is all OK now...........just not sure if the dB and server will be infected but that is being checked

kat · January 25, 2014, 07:22:45 AM

Do yourself a favour, Iain... Read my sig.

Click it, for the "How?".

If you think it's clean, do it right now.

You know you want to.

iain sherriff · January 25, 2014, 08:28:51 AM

done................

kat · January 25, 2014, 08:34:59 AM

Only the one?

Seriously, I take two, now, in case one's corrupt. Especially when I get the db.

iain sherriff · January 25, 2014, 08:51:23 AM

OK
Have to rely on the owner to get the dB

kat · January 25, 2014, 11:08:42 AM

Make sure he does something. Regularly. Your forum can be rebuilt, easily enough. But, the database, which stores all of your members, posts, &c?

Not so easy. (Fookin' difficult, really)

iain sherriff · January 25, 2014, 06:47:55 PM

I know it is regularly backed up by the host. Going to see if I can get phpmyadmin access after this.

kat · January 26, 2014, 10:26:40 AM

Good finkin'.

iain sherriff · March 06, 2014, 04:40:00 AM

K@ I have PMd you about this.

kat · March 06, 2014, 05:16:28 AM

Goddit.

I don't see anything weird, though. Does one have to be logged-in?

iain sherriff · March 06, 2014, 05:30:03 AM

Nothing shows visually and it seems to behave as it should. I assume the code is some sort of data harvesting ?

kat · March 06, 2014, 05:36:12 AM

You're getting that some chunk of code, in index.php, are you?

Might be an idea to have a word with your host. They should have raw access logs and be able to figure-out who's getting in and how.

iain sherriff · March 06, 2014, 06:49:54 AM

It's exactly the same as you saw at the start of this topic, in every index.php.

Host is looking at it now.

News:

runtime error

kat

kat

kat

kat

kat

kat

kat

kat

kat

kat

kat

kat

kat