Does anyone know why I am suddenly getting parse errors on several of the PHP scripts on my site. This all happened within the last week or so. The error message says that there was an unexpected T_STRING. Any ideas?

I have sent a TT to HR, but thought I would check here as well.

Thanks,

Paste the full message. It's usually due to a type in the code. You haven't been tinerking with them at all?

No, I haven't been messing with any of them. I'm not sure why they have all shown this type of error. I do not know of anything that I have changed that should do that. I wondered if maybe HR had upgraded PHP on the server or something like that.

Anyway the errors are a variation on the same theme mostly. I have one script that displays only the header of the page, but nothing else. The rest have something like these:

Parse error: parse error, unexpected T_STRING in /home/mysite/public_html/subfolder/cache/user_main.tpl.php on line 11

Parse error: parse error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/mysite/public_html/subfolder/index.php on line 232

Parse error: parse error, unexpected $ in /home/mysite/public_html/subfolder/components/com_content/content.php on line 278

Any ideas? Could it be due to a hack or security hole in a script?

In my experience, usually the unexpected errors come from a line that isn't closed with ';' or a loop statement without the ending bracket '}'. As for how it just happened right now... I have no clue. Do you have writeable files? Maybe someone did hack them? Have you checked out those lines that are being referenced?

I am checking through the scripts now. I did find this bit of code in one of the scripts where the problem was. It looks like it has been hacked. <a href="http://d3609509.serv64.ixwebhosting.com/public_html/album_pl/img/Photoshop%20cracked%20sphere.jsp" class=giepoaytr>Photoshop cracked sphere</a>

Is there any way to report this?

Yikes.... yeah let HR know. Make sure that you have the most current version of any scripts that were compromised. Are any files or directories chmod'ed 777? Try to avoid that above the publi_html/ directory.

almost the same exact thing has happened to me just a few hours ago (or thats when I noticed it)

I went to my forums, noticed some parse error. I login to ftp and go to the folder with the bad file, and see that there are numerous files that I didn't upload. Upon further inspection, inside the files there are things like this in input boxes>

< a href="http:// internationalcockpitclub.org.uk/discus/messages/3/email%20hunter%202.20%20crack.shtml" class=giepoaytr title="email hunter 2.20 crack">email hunter 2.20 crack</a >


Notice how mine has the same "giepoaytr" as yours.

Did you get this fixed?? what has host rocket said? I have sent a ticket in , but no reply yet. I am worried. I don't know what to do.

Well, HR has told me basically what I had thought. I have been hacked. There were some files that I had apparently left chmod'ed at 777 after I had set the script up and that is how they were able to get in. Fortunately, the worst problem was in one of my scripts that is small and only displays a portfolio of about 20 images. Pretty easy to re-install. The others should be easy enough to re-install the scripts depending on what damage there has been.

Anyway, you should go through and see what is set to 777 on your site. I found that it is pretty easy to do this through the file manager in the control panel. Anyway, I am still assesing the damage and I will let you know what I find.

Can you let us know what script was compromised?

Jennifer

The one that I had compromised was called simpleviewer and also one that I used called uploader. I have others that may have been compromised, but I am currently not sure of thier status.

What is the best setting for my permissions to be set to/ Some of the scripts have folders that have to be writeable to work. Any suggestions?

I can tell you everything I have on my site.

I have IPB 2.1.x, Website baker, and wordpress. All the newest versions.


this is so frustrating!!!


I have been trying to fix things, and it looks like yes, all folder that were 777 have extra 'bad' files in them, and files that were 777 also have extra stuff in them now. thing is, some files and folders MUST be 777 in order for my site to work. IPB works that way.


how did you narrow it down to what script was the bad one? I don't have much on my sites, but a lot of it is affected now :(

I still haven't heard a response from HR or Invisionpower

Well, I don't know if I narrowed it down really, but that script would try to run a trojan when I opened it, so I guess I would say it was affected the worst. I have spent the better part of the evening trying to rid my site of bad files and reset the chmod's on things. Tomorrow I will have to reinstall a couple of scripts to get them working, I hope. I have a friend who has a site on HR that was affected slightly. His was in a coppermine gallery. Some of the files needed to be set that way in order to allow uploads by others, but I'm not sure what to with the scripts that need write access.

Also, does anyone know of a way to search through the files in a site to find ones that are 777 chmod and a way to see all of the files that are sorted by owner? It would make this much easier to narrow down.

I would suggest that everyone take a look at this on thier site to see if they have been compromised. I did a search for "giepoaytr" on google earlier and this is not an uncommon thing. It seems that it has hit several WordPress sites.

New issue with the same problem. I have some folders on my site that have been damaged/changed that I am not able to remove, overwrite, chmod or anything. How can I get rid of these. I have tried through the file manager in the control panel and through my ftp program withno luck.

I think HR will have to come in and delete those folders (or change their ownership/permssions).

To all: If you need a folder writeable by the webserver, send in a ticket to HR asking them to CHOWN it to NOBODY. That will allow Apache to write to that folder without CHMOD'ing to 777.

I just wanted to let everyone know what a great job HR has done with helping me resolve this issue. We tend to only say anything when someone offers us poor service, but I want to make sure eveyone know how helpful HR has been. Thanks, HR!