HTTP Error 500, non-Joomla files and encrypted scripts Topic is solved

[jekim16]

Our website suddenly experienced HTTP Error 500. Even our administrator page experienced it. Fortunately, the cPanel was still working. I imported the existing Joomla application to our website making our administrator page accessible again. The files/data inside our administrator page still exists, but our website is still experiencing HTTP Error 500. I checked our file manager in Cpanel, and it says that config.php, db.php, submitticket.php, and wp-config.php is not existing anymore. Btw, it is located in public_html. I also tried disabling the plugins by renaming it. And our website showed Class 'SunFwSite' not found.

I also tried to backup our website using akeeba, and it gave me Warnings about files not existing anymore. Most files are from

F0xAutoConfig

folder.

I don't know what to do. I don't want to meddle with it for the reason that it may go worst.

[Rondeb]

I checked our file manager in Cpanel, and it says that config.php, db.php, submitticket.php, and wp-config.php is not existing any.

Strange that your cpanel say that Wordpress files not existing anymore.... Are you sure you have joomla site?

And our website showed Class 'SunFwSite' not found.

This error say that you have joomlashine.com template and then the question is is your template still installed correctly?

Use a joomla standard template to see if the site is working again.

Greatings Ron

[jekim16]

I checked our file manager in Cpanel, and it says that config.php, db.php, submitticket.php, and wp-config.php is not existing any.

Strange that your cpanel say that Wordpress files not existing anymore.... Are you sure you have joomla site?

And our website showed Class 'SunFwSite' not found.

This error say that you have joomlashine.com template and then the question is is your template still installed correctly?

Use a joomla standard template to see if the site is working again.

Greatings Ron

I was confused too if our website is created with joomla or wordpress. But we are currently using a joomla for our administrator. I also asked the developer of what he used to create our website, and he answered Joomla. Will using standard template affect our website in any way?

[jekim16]

I checked our file manager in Cpanel, and it says that config.php, db.php, submitticket.php, and wp-config.php is not existing any.

Strange that your cpanel say that Wordpress files not existing anymore.... Are you sure you have joomla site?

And our website showed Class 'SunFwSite' not found.

This error say that you have joomlashine.com template and then the question is is your template still installed correctly?

Use a joomla standard template to see if the site is working again.

Greatings Ron

The other templates actually works. I guess the template our website is using is not installed correctly anymore. Any suggestions as to how I can reinstall the same template?

[Rondeb]

The other templates actually works. I guess the template our website is using is not installed correctly anymore. Any suggestions as to how I can reinstall the same template?

Hello,

you can reinstall the template only the problem is when you have customised they template this can be lost!

Which template do you use?

Greatings Ron

[jekim16]

The other templates actually works. I guess the template our website is using is not installed correctly anymore. Any suggestions as to how I can reinstall the same template?

Hello,

you can reinstall the template only the problem is when you have customised they template this can be lost!

Which template do you use?

Greatings Ron

I just found out that my license PRO to the theme has already expired. Is there a chance that the expired license is what is causing the error and the lost of files?

[Rondeb]

No a expired license does not cause this problem You have no longer updates and support from joomlashine.

Has your hosting not made backups?

Greatings Ron

[jekim16]

No a expired license does not cause this problem You have no longer updates and support from joomlashine.

Has your hosting not made backups?

Greatings Ron

I thought so too, since the subdomain of my website still works. And it uses the same theme. I do have a backup. I've been wanting to restore it to its previous version, but the problem is, I'm hesitant to lose the current data we've uploaded to it.

[Rondeb]

If it is an old backup, yes then the adjustments are gone.

Can you still open the template in the backend or does that also give errors?

[jekim16]

If it is an old backup, yes then the adjustments are gone.

Can you still open the template in the backend or does that also give errors?

It gives errors. Though, the theme also exists in another folder. In the subdomain folder. And the subdomain works just fine.

[Rondeb]

You can put a copy of the template folder of the subdomain in maindomain folder.

Rename the old folder in maindomain but do not delete it !!

If this doesn't work then it is a setting in the database.

Greatings Ron

[sozzled]

See also the general guidelines for working through HTTP 500 Internal Server Error problems at viewtopic.php?f=706&t=976319

[Webdongle]

https://forumpostassistant.github.io/docs/ please

[jekim16]

See also the general guidelines for working through HTTP 500 Internal Server Error problems at viewtopic.php?f=706&t=976319

I tried following the steps with the link that you've sent. And I ended up seeing the error "Warning: require_once(/home/[ redacted ]/public_html/modules/mod_news_pro_gk5/helper.php): failed to open stream: No such file or directory in /home/[ redacted ]/public_html/modules/mod_news_pro_gk5/mod_news_pro_gk5.php on line 17". The problem is, the template of our website is pre-built. We used JSN Time 2 from Joomlashine.com. And there are already files that can not be used in our file manager anymore, but are still existing in it.

[jekim16]

You can put a copy of the template folder of the subdomain in maindomain folder.

Rename the old folder in maindomain but do not delete it !!

If this doesn't work then it is a setting in the database.

Greatings Ron

Our website is now up and running again. I copied each of the helper.php of our subdomain that was missing from our main domain since it was the error that kept appearing after I activated the debug system from our admin page. Thank you for the help sir!

[jekim16]

https://forumpostassistant.github.io/docs/ please

[ redacted ]

[jekim16]

[ redacted ]

Our website is working. But still in FPA, it still says that I am receiving an error. And I don't really know what this anti10.php is.

[sozzled]

[09-Nov-2020 02:46:29 UTC] PHP Warning: include(): Failed opening 'anti10.php' for inclusion (include_path='.:/opt/alt/php73/usr/share/pear') in /home/[ redacted ]/public_html/indeeex.php(4) : eval()'d code(1) : eval()'d code on line 19

Suspect the website may have been hacked or, at the very least, attempts have been made to hack the site.

[sozzled]

Apologies. I commented on this matter at viewtopic.php?f=706&t=982827#p3617817

[jekim16]

Suspect the website may have been hacked or, at the very least, attempts have been made to hack the site.

Thank you for your answer. Any suggestions on what I should do?

[Webdongle]

What does the file contain?

[jekim16]

What does the file contain?

I actually don't have an "anti10.php" file.

[jekim16]

What does the file contain?

Also, there are files existing in my file manager that might be the same with the anti10.php since it also has an "anti" to its file name which has this inside:

<?php
if(strstr(strtolower($_SERVER['HTTP_USER_AGENT']), "googlebot"))
{ header('Location: https://www.[ redacted ].org/'); }
?>

[sozzled]

I think the file @Webdongle is talking about is the file indeeex.php in the public_html folder. That's where I would be looking.

[jekim16]

I think the file @Webdongle is talking about is the file indeeex.php in the public_html folder. That's where I would be looking.

Well, the codes are encrypted, so I don't understand it. It is also a pre-coded file since it came from Joomla. I was not the one who made it.

[toivo]

Well, the codes are encrypted, so I don't understand it. It is also a pre-coded file since it came from Joomla.

Joomla does not encrypt its scripts. The contents of that file did not originate from Joomla.

Several factors, including the URL from one of the 'anti' files above, show clearly that this website has been compromised. This topic will now be moved to the 3.x Security forum, where the sticky topics contain advice how to clean hacked sites and follow best security practice.

[jekim16]

Well, the codes are encrypted, so I don't understand it. It is also a pre-coded file since it came from Joomla.

Joomla does not encrypt its scripts. The contents of that file did not originate from Joomla.

Several factors, including the URL from one of the 'anti' files above, show clearly that this website has been compromised. This topic will now be moved to the 3.x Security forum, where the sticky topics contain advice how to clean hacked sites and follow best security practice.

Thank you!

[Webdongle]

viewtopic.php?f=714&t=946026

[mandville]

ok from my side, i recall that those file names were popular around december last year,.
the bot that placed them no seems to be making a revisit for the shell script .
you will no doubt have lots of other files in our directory like joomlahide and joomla/zip
i wont kudos the defacer or the name some of the other distinctive files as they are named after him.

needless to say you have LOT of out of date extensions, any one of which could have enabled the hacker access

[jekim16]

ok from my side, i recall that those file names were popular around december last year,.
the bot that placed them no seems to be making a revisit for the shell script .
you will no doubt have lots of other files in our directory like joomlahide and joomla/zip
i wont kudos the defacer or the name some of the other distinctive files as they are named after him.

needless to say you have LOT of out of date extensions, any one of which could have enabled the hacker access

I already updated everything that can be updated. Any way that I can determine what these suspicious files are?