Joomla! Discussion Forums



 Post subject: error
Posted: Mon Nov 02, 2009 1:06 pm 
Joomla! Apprentice

Joined: Wed Oct 28, 2009 2:02 pm
Posts: 10
I have followed all the instructions, I deleted the files that were on the server and uploaded again from a different PC. It worked for a day and then the error message re-appeared again (Fatal error: Cannot redeclare opxm() (previously declared in /home/ascntgm/public_html/index.php(1) : eval()'d code:1) in /home/ascntgm/public_html/configuration.php(1) : eval()'d code on line 1)

I am wondering if the problem is the FTP client that I am using (smartFTP) that comes with the virus? Or if someone is hacking the site?
I'm stuck, need some help.

Thanks,


 
 Post subject: Re: error
Posted: Mon Nov 02, 2009 2:05 pm 
Joomla! Champion

Joined: Mon Aug 29, 2005 10:17 am
Posts: 7149
Location: Netherlands/S'pore/Bali/North America
You have 3 digits of dirt before your "<?php" in your configuration.php, which is caused by the fact that you do not save the FTP-edited file as UTF8 (without BOM); that will add ? and two more of those in front of the opening tag. Save your configuration.php properly and it won't happen.

Leo 8)

_________________
For Specialized & Individual Support:: http://gws-desk.com
Professional Joomla Web-Development:: http://gws-studio.com
Joomla Specialized Shared & Reseller Hosting at gws-host.com


   
 
 Post subject: Re: error
Posted: Mon Nov 02, 2009 2:28 pm 
Joomla! Apprentice

Joined: Wed Oct 28, 2009 2:02 pm
Posts: 10
Sorry, I didn't understand, what three digits you mean and where can I find it on my cong.php? There is no number before <?php>?
Also, how should I save an SQL script so that I can load my customised set of content into a new installation?
Thanks,


 
 Post subject: Re: error
Posted: Mon Nov 02, 2009 2:31 pm 
Joomla! Master

Joined: Sun Oct 02, 2005 12:50 am
Posts: 12382
Location: Omaha, NE
Your site has likely been compromised, as there is no eval()'d code in configuration.php.

_________________
Regards, Dave Global Moderator
Your question has likely already been answered - Search the forums & the documentation wiki first - and only then post your question!
http://www.kiwaniswest.org
http://www.faysgifts.com


 
 Post subject: Re: error
Posted: Tue Nov 03, 2009 4:27 am 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 733
Location: Wisconsin USA
Line 1 of the configuration.php file is <?php and nothing else. You apparently, from the error, have at least eval()'d before the <?php, so yes, you likely have been compromised.

smartFTP does not come with a virus.

_________________
Phil


   
 
 Post subject: Re: error
Posted: Tue Nov 03, 2009 2:20 pm 
Joomla! Apprentice

Joined: Wed Oct 28, 2009 2:02 pm
Posts: 10
I have deleted all the files that were on the server and installed Joomla from the cPanel and it worked for a few hours, but now I'm getting the error again! I'm starting to wonder if there is a bug with Joomla? I've tried everything but nothing works, so I don't know what else to do! I'd appreciate any suggestions.
Thanks


 
 Post subject: Re: error
Posted: Tue Nov 03, 2009 3:37 pm 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 733
Location: Wisconsin USA
Install and run the Security Checklist http://docs.joomla.org/Category:Security_Checklist on your Joomla site and report the results here.

_________________
Phil


   
 
 Post subject: Re: error
Posted: Tue Nov 03, 2009 4:41 pm 
Joomla! Apprentice

Joined: Wed Oct 28, 2009 2:02 pm
Posts: 10
Thanks for replying. I might sound stupid, but how can I install the security checklist, because I don't see any install files? Or do you mean I should follow the security recommendations?


 
 Post subject: Re: error
Posted: Tue Nov 03, 2009 5:00 pm 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 733
Location: Wisconsin USA
Sorry, I mean the forum post assistant (viewtopic.php?f=428&t=272481). Just follow the directions to upload and run it.

Review of the Security Checklist and following the recommendations there is also a good idea.

_________________
Phil


   
 
 Post subject: Re: error
Posted: Tue Nov 03, 2009 5:46 pm 
Joomla! Apprentice

Joined: Wed Oct 28, 2009 2:02 pm
Posts: 10
I did it and I get the same error: Fatal error: Cannot redeclare lbnnv() (previously declared in /home/ascntgm/public_html/configuration.php(1) : eval()'d code:1) in /home/ascntgm/public_html/libraries/joomla/config.php(1) : eval()'d code on line 1
I am planning to delete the files and upload them again and run the jtspost because the server as it won't show anything else other than the error.


 
 Post subject: Re: error
Posted: Tue Nov 03, 2009 5:59 pm 
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1265
Location: WV
Your computer is infected with a virus. There are dozens of posts like this on the forums.

_________________
http://jeffchannell.com - Joomla Extensions & Web Development
Unsolicited private messages/emails asking for help = you wish to hire me to fix your problem.
καλλιστι


   
 
 Post subject: Re: error
Posted: Wed Nov 04, 2009 9:45 pm 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 733
Location: Wisconsin USA
Fatal error: Cannot redeclare opxm() (previously declared in /home/ascntgm/public_html/index.php(1) : eval()'d code:1) in /home/ascntgm/public_html/configuration.php(1) : eval()'d code on line 1

Needless to say that standard Joomla files index.php and configuration.php don’t contain any eval() functions. This means that some alien, presumably malicious, content was injected into the files.

This appears to be code from the current version of an exploit (no credit given here) that has apparently made a comeback recently. The last time it was really active was in May and was a different version that worked.

The error the OP is getting is likely from this exploit. The exploit injects encrypted PHP code at the very top of various .php files.

The PHP eval() function very simply executes any PHP code sent to it from a browser.

The error says that some function with a meaningless name (in this case xfm, but it changes from site to site e.g. q1dj, oh0e, jjyrv, gba, etc.) was redeclared in configuration.php in code passed to an eval() function. Previously a function with the same name was declared in index.php, again in code passed to an eval() function.

The breaking of the sites this exploit is injected on is probably due to a lack of testing or a bug in the exploit. PHP won't allow declarations of identically named functions. The previous exploit version apparently handled this situation correctly.

The bug in the malicious code prevents hacked sites from serving malicious content and infecting their visitors. The fact that the broken websites are harmless to web surfers is a poor consolation for owners of hacked sites.

Database-driven sites such as Joomla store database credentials in configuration files (configuration.php for Joomla) in plain text. Since the hackers use stolen FTP credentials from your computer's FTP program, they have full access to compromised web sites. They can retrieve database passwords and use them to modify data stored there in the databases. They can also retrieve credentials of existing site users (super-admins, admins) or create new users with administrator permissions. So even if you remove all original backdoor scripts and change FTP passwords, hackers can still control your site.

It is very important to change database and site (Joomla, etc.) passwords and usernames after this sort of attack. You will also need to delete all files (including configuration.php) on your site and replace the files with known clean copies of the files. A clean copy of configuration.php-dist (renamed to configuration.php) with the new values entered in for the database can be used to replace the original configuration.php file. Joomla core, components, modules, plugins, templates etc. will all need to be replaced with known clean copies.

You should also make a database dump of all databases associated with the site (not just Joomla) and hand check your databases for malicious records inserted into tables. An alternative is to replace the data with known good and clean database backups making sure to drop the tables first and use create if not exists in your restore query. Why do this? Hacks of this type (though not necessarily this one in particular since it does not work correctly) can add Select statements to files (configuration.php for example) to retrieve code from your own database.

BTW. If you don’t fully clean up after a hack, then you *stay* hacked. It’s not a new hack, it’s the same one and the hacker still has access as the backdoor is still there.

_________________
Phil
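
An added example, not part of the thread and not Joomla project code: a triage script for the two symptoms discussed above. It pulls the file paths out of an `eval()'d code` fatal error and checks line 1 of every .php file under a web root for an `eval(` call or a UTF-8 BOM. The function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark
# Matches "/path/file.php(N) : eval()'d code" inside a PHP fatal error.
EVAL_SITE = re.compile(r"(/[^\s()]+\.php)\((\d+)\) : eval\(\)'d code")
EVAL_CALL = re.compile(rb"\beval\s*\(", re.I)  # eval( anywhere on a line

def files_named_in_error(message):
    """Return [(path, line)] for each eval()'d-code site in a PHP error."""
    return [(path, int(line)) for path, line in EVAL_SITE.findall(message)]

def check_first_line(path):
    """Classify line 1 of a file: 'eval-on-line-1', 'bom' or 'clean'."""
    with open(path, "rb") as fh:
        first = fh.readline()
    if EVAL_CALL.search(first):
        return "eval-on-line-1"
    if first.startswith(BOM):
        return "bom"
    return "clean"

def scan(root):
    """Return {relative path: finding} for every non-clean .php file."""
    findings = {}
    for folder, _dirs, names in os.walk(root):
        for name in (n for n in names if n.endswith(".php")):
            full = os.path.join(folder, name)
            status = check_first_line(full)
            if status != "clean":
                findings[os.path.relpath(full, root)] = status
    return findings

def demo():
    """Scan a constructed web root (sample files, not taken from the thread)."""
    root = tempfile.mkdtemp()
    samples = {
        "index.php": b"<?php eval('/* constructed */'); ?><?php\n// index\n",
        "configuration.php": BOM + b"<?php\nclass JConfig {}\n",
        "clean.php": b"<?php\n// untouched file\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return scan(root)

if __name__ == "__main__":
    print(demo())
```

A file flagged here only tells you where to start; files reported as clean on line 1 can still have been modified further down.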

