PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
I've not had any problems in the past and my site has been operational for months - I also haven't made any changes to my site in weeks.. BUT all of a sudden I am getting the following error message when trying to access my Joomla installation;
Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/ausnzcla/public_html/libraries/joomla/environment/uri.php on line 741
WARNING Do not run the script posted above and do not click on the link.
You have been hacked! The script is attempting to send your server variables to a Russian site, behgazzazbzefa.users.phpinclude.ru. Fortunately, the hacker was sloppy and edited the script in a way that causes a parse error, so it is possible that the edited script has never run and none of your users' IP addresses have been sent to the hacker's site. Unfortunately, you have a security hole that allowed the hacker to change your files.
Reinstall Joomla or restore uri.php by replacing it with a clean copy. Download Joomla here. Save the hacked copy for forensic evidence. Find the security hole.
Edit: This post was recovered from search engine cache.
Last edited by McInfo on Wed Jun 16, 2010 12:31 pm, edited 1 time in total.
Your database should not be affected by reinstalling the scripts, but make a backup just in case. I have not worked with Joomla, so I don't know how its installer operates (I'm assuming it has one).
You should be able to make a copy-backup of your template and put it back in the templates folder after reinstalling Joomla. However, your template files may have also been compromised by the attack. So, if you can, install a clean copy of the template.
Edit: This post was recovered from search engine cache.
Last edited by McInfo on Wed Jun 16, 2010 12:31 pm, edited 1 time in total.
Joomla may not have been how they got in either. Check the file date on uri.php and look for other files with similar change/mod times...assuming the hacker was sloppy. Also check your raw log files for suspicious access to your site. Change all your passwords too. If your database had unencrypted passwords you need to get your users to change them as the database could have been copied.
It wouldn't hurt to notify your host of the details as they are sometimes willing to help analize and monitor your account. Sometimes attacks can come from users sharing the host server with you and they found a way into your files.