Hello,

I tried to change the theme for the off-line maintenance page according to http://drupal.org/node/195435

I added one line to the sites/default/settings.php file

<?php $conf['maintenance_theme'] = 'nitobe'; ?>

but got the error message:

Fatal error: Cannot redeclare gnf2() (previously declared in /home/mypage/public_html/index.php(1) : eval()'d code:1) in /home/mypage/public_html/sites/default/settings.php(1) : eval()'d code on line 1

After I removed the statement again from the settings.php file I still have this error message and cannot access my page anymore.

I hope somebody can help me out! I am at the end of my wisdom.

Thanks!
Roger

Comments

Militopedia’s picture

Can anybody help? I was still not able to solve the problem and my site is still down. Unfortunately, I am no server or programming expert but just started with Drupal and writing some PHP statements a while ago. So, I would be really grateful for any expert taking a few minutes to reply and help. A big thanks in advance.

Cheers,
Roger

Militopedia’s picture

OK, I noticed that I had the following code at the top of the files I mention below:

<?php> eval(base64_decode(' [lots of code] ')); ?>

- systems.php
- index.php
- database.inc

If I compare with Drupal API (e.g. http://api.drupal.org/api/drupal/index.php/6/source) I don't see such a statement at the top and the PHP statement is not closed by ?>

Should that be like that? I assume that causes the fatal error. However, if I remove the statement in each of the 3 files and reload the page I get to the installation page of drupal! But all folders, modules, content of my website that was running already are still there.

I am really getting desperate. Please, if somebody knows what's going on here, please let me know.

Regards
Roger

Militopedia’s picture

OK, I got one step closer! It appears to be malicious code that was injected into the above-mentioned files. The <?php> eval(base64_decode( ... )); ?> should not be part of these files (I compared with a backup).

Another website of mine is also affected. After I removed the code from the files I have so far identified the page didn't show the error message anymore but started to load and from the link bar in my firefox browser I noticed that it was trying to contact www.elpotrero.com.ar/ which is an Argentinian football website, which 100% doesn't have anything to do with my website (which is about militaria collecting). Now, my 2nd website is about 1 year old and may not be on the latest status, but the other page I mentioned first in this thread is just 2 weeks old!

So, this appears to be a serious security leak?! I noticed that somebody had the same issue as me before (see this thread: http://drupal.org/node/347429)

Where do I have to report this? I mean it is not just an issue related to my website only but is potentially a security risk for all Drupalers.

And I still could not get the website working again...

Roger
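
Editor's example, added here and not part of the original thread or of Drupal: a Python scan that automates the manual check described above by listing every PHP-type file under a site root that contains eval(base64_decode(. The extension list, the directory layout and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# File types Drupal executes as PHP (assumed list; extend it for your site).
PHP_EXTENSIONS = (".php", ".inc", ".module", ".install", ".engine", ".theme")

# PHP function names are case-insensitive and may be followed by whitespace.
INJECTED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def scan_tree(root):
    """Return sorted (relative_path, line_number) pairs for each match under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for match in INJECTED.finditer(data):
                hits.append((rel, data.count(b"\n", 0, match.start()) + 1))
    return sorted(hits)


def run_on_sample():
    """Scan a constructed site tree: two injected files, one clean one."""
    injected = b"<?php eval(base64_decode('UExBQ0VIT0xERVI=')); ?>\n<?php\n// file body\n"
    spaced = b"<?php\n// file body\n?>\n<?php EVAL ( Base64_Decode ('UExBQ0VIT0xERVI=')); ?>\n"
    clean = b"<?php\n$conf['maintenance_theme'] = 'nitobe';\n"
    sample = {"index.php": injected, "includes/database.inc": spaced,
              "sites/default/settings.php": clean, "README.txt": injected}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, line in run_on_sample():
        print(f"{rel}:{line}: eval(base64_decode( found")
```

A hit is a lead, not a verdict: compare each listed file with a known-good copy (a backup or a fresh download of the same Drupal release) before editing it.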

markabur’s picture

be sure to report it to your web host as they may have ideas where the hack came from. it is not necessarily drupal (i've helped two clients clean off this kind of hack and neither was a drupal site).

Militopedia’s picture

Hi markabur,

Thanks for the feedback. I have contacted the web host provider and explained what happened. Meanwhile I was able to remove the malicious code and bring the website back to life. I have posted further details about what happened here: http://drupal.org/node/604628

Regards
Roger