EE hosted on BlueHost - only getting index.php as of this afternoon
Posted: 08 January 2008 06:43 PM
Summer Student
Total Posts:  10
Joined  09-05-2006

Hello - Are there any other folks hosting EE at BlueHost - bluehost.com?

I ask because as of mid afternoon Central time in the US, my sites were only showing index.php!  After some investigation it appeared that the php.ini files were overwritten with changes, and the /system/config.sys file was modified as well.  This does not appear to be a hack, more like a global search & replace.

I have 2 sites/blogs on my BlueHost account and both have this problem.  I have contacted BlueHost support but have not received a response.  I replaced all of the overwritten files and that did not change anything.  I captured the changes and am now reviewing all of them.

Any help is appreciated!

thnx… mp/m

 Signature 

Mike Maddaloni

Dunkirk Systems, LLC - Delivering Internet Solutions
The Hot Iron - Blog on Business, Technology and Occasional Diversions

Posted: 08 January 2008 06:56 PM   [ # 1 ]
Moderator
Total Posts:  12251
Joined  04-29-2002

Mike,

Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that end, we need some additional information from you ...

1. EE version and build (found at the bottom of your control panel)

2. Other scripts on your account, whether in use or not (phpBB, etc…)*

* If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

While we work through this, please check through these files:

* path.php
* config.php
* index.php

to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

You may also wish to refresh your files by following the build update instructions.

Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

The php.ini isn’t a part of the EE install - that would be something provided to you.

Are you able to get into your CP back end?

 Signature 

Quick Reference - EE Trial Options - EE Wiki - Docs for updating a build
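
The file check suggested in the reply above, sketched as an added example (not part of the original thread and not EE code): it flags iframe tags and script includes, the two things the reply names, in files that should contain only PHP. The pattern list, the function name and the sample file content are assumptions made for illustration.

```php
<?php
// Added example, not EE code. The pattern list is an assumption limited to
// what the reply names: iframes and JavaScript includes.
const SUSPECT_PATTERNS = [
    'iframe'         => '/<\s*iframe\b/i',
    'script include' => '/<\s*script\b[^>]*\bsrc\s*=/i',
];

// Return one finding per match: [line number, label, trimmed line text].
function find_injected_markup(string $source): array
{
    $findings = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        foreach (SUSPECT_PATTERNS as $label => $regex) {
            if (preg_match($regex, $line)) {
                $findings[] = [$i + 1, $label, substr(trim($line), 0, 120)];
            }
        }
    }
    return $findings;
}

// Constructed sample: a PHP-only file with an iframe appended after the code.
$sample = "<?php\n\$conf['example_key'] = \"value\";\n?>\n"
        . "<iframe src=\"http://example.invalid/\" width=\"0\" height=\"0\"></iframe>\n";
$inputs = ['(constructed sample)' => $sample];

// Real files are passed as arguments, e.g. the three named in the reply.
foreach (array_slice($argv ?? [], 1) as $file) {
    if (is_readable($file)) {
        $inputs[$file] = file_get_contents($file);
    } else {
        fwrite(STDERR, "cannot read $file\n");
    }
}

foreach ($inputs as $name => $source) {
    $hits = find_injected_markup($source);
    echo $name . ': ' . count($hits) . " suspicious line(s)\n";
    foreach ($hits as [$line, $label, $text]) {
        echo "  line $line: $label: $text\n";
    }
}
```

Pattern matching misses encoded or obfuscated injections, so comparing each file against a clean copy from the build is the stronger check.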

Posted: 09 January 2008 09:01 PM   [ # 2 ]
Summer Student
Total Posts:  10
Joined  09-05-2006

Hi Sue:

Thanks for your follow-up.  I have been in contact with the host and they believe there was a PHP upgrade, however I have yet to hear back from them with regards to this issue.

The blog - www.thehotiron.com is working, though all links point to the home page, which is related to this known issue:

http://expressionengine.com/knowledge_base/article/main_page_content_appears_on_every_page_i_get_404s_except_on_the_main_page_/

I had this problem when I set up the blog a year ago, and followed these steps and it was working well up until yesterday whenever they updated PHP.

In my haste to troubleshoot the issue, I upgraded the site to 1.6.1, though I have another site on the same hosting account - www.sourcegate.com - that is running 1.6 and has the same issue.  I am able to log into the CP and even posted a “broken” post.  I can turn on “Force URL Query String” but I would prefer not to as the blog has been running for over a year without a question mark in the URL.

Do you have any troubleshooting recommendations?

thnx… mp/m

Posted: 10 January 2008 04:02 AM   [ # 3 ]
Moderator
Total Posts:  12251
Joined  04-29-2002

In my haste to troubleshoot the issue, I upgraded the site to 1.6.1, though I have another site on the same hosting account - www.sourcegate.com - that is running 1.6 and has the same issue.  I am able to log into the CP and even posted a “broken” post.  I can turn on “Force URL Query String” but I would prefer not to as the blog has been running for over a year without a question mark in the URL.

If your host upgraded PHP across the board, and you need to turn on Force URL Query Strings, then you’ll need to turn them on. Sometimes there is a way of turning them off, but sometimes the only thing you can do is change hosts if it is a deal breaker.

The other option is to remove index.php? from your URLs using .htaccess (which we can’t give you any official support for) but works for many others.

Posted: 10 January 2008 07:41 AM   [ # 4 ]
Summer Student
Total Posts:  10
Joined  09-05-2006

Is it possible to just remove the “?” and not the entirety of “index.php?” for this would allow my URLs out there to continue to work?

I see a lot of wiki and forum posts that mention this - can you refer me to one?

thnx… mp/m

Posted: 10 January 2008 08:35 AM   [ # 5 ]
Moderator
Total Posts:  23474
Joined  05-20-2002

Hm- all the ones I’ve seen to remove the ? via htaccess have also been removing the index.php bit.  So I don’t have an example of just removing the ?.  Let me poke a bit- but my first approach would be to contact the host.  Explain the change has broken your site- could reference the info here and ask them to add support for path_info.  I’d rather have the server supporting it than have to hide it via htaccess.  If they aren’t willing to poke it, I can move this over to ‘How to’ and we can take a closer look at some of the htaccess options.  (Not my strong point, but there’s bound to be a way as long as the htaccess approach will work at all.)

Sound good?

 Signature 

AKA rob1

Help Request TipsPro Network

Posted: 11 January 2008 11:47 AM   [ # 6 ]
Summer Student
Total Posts:  3
Joined  05-11-2007

I was having the same issue, and I fixed it by changing two things inside my index.php page.

FIRST: 

$qtype variable was set to 0 (auto). I changed it to 1 (path_info).

$qtype = 1;

SECOND:

Then I looked at around line 78 in the code and made sure that it was:

$path_info = (isset($_SERVER['PATH_INFO'])) ? $_SERVER['PATH_INFO'] : @getenv('PATH_INFO');

and not…

$path_info = (isset($_SERVER['ORIG_PATH_INFO'])) ? $_SERVER['ORIG_PATH_INFO'] : @getenv('ORIG_PATH_INFO');

That fixed it

Profile
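
Why the choice between PATH_INFO and ORIG_PATH_INFO in the post above matters after a host changes its PHP setup, as an added example (not from the thread and not EE code): which variable the server fills in depends on its configuration, and the value comes from the request, so it is checked before use. This goes beyond the post by falling back from one variable to the other; `resolve_path_info()`, the character whitelist and the sample arrays are hypothetical.

```php
<?php
// Added example, not EE code: resolve_path_info() and the sample arrays
// below are hypothetical names and constructed data.

// Return [source variable, path], or [null, ''] when neither is usable.
function resolve_path_info(array $server): array
{
    $script = isset($server['SCRIPT_NAME']) ? (string) $server['SCRIPT_NAME'] : '';
    foreach (['PATH_INFO', 'ORIG_PATH_INFO'] as $key) {
        $value = isset($server[$key]) ? (string) $server[$key] : '';
        // Assumption: some CGI setups repeat the script name in the value.
        if ($script !== '' && strpos($value, $script) === 0) {
            $value = (string) substr($value, strlen($script));
        }
        // The value comes from the request: accept only plain URL segments.
        if ($value !== '' && $value !== '/' && preg_match('#^/[\w\-./]*\z#', $value)) {
            return [$key, $value];
        }
    }
    return [null, ''];
}

// Constructed $_SERVER samples for three server configurations.
$samples = [
    'PATH_INFO populated' => [
        'SCRIPT_NAME' => '/index.php',
        'PATH_INFO'   => '/weblog/comments/example_entry/',
    ],
    'only ORIG_PATH_INFO populated' => [
        'SCRIPT_NAME'    => '/index.php',
        'ORIG_PATH_INFO' => '/index.php/weblog/comments/example_entry/',
    ],
    'neither populated' => [
        'SCRIPT_NAME' => '/index.php',
    ],
];

foreach ($samples as $label => $server) {
    [$source, $path] = resolve_path_info($server);
    echo $label . ': ' . ($source === null
        ? 'no path info, the front controller sees no segments'
        : "$source -> $path") . "\n";
}
```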
 
 
Posted: 11 January 2008 09:59 PM   [ # 7 ]
Summer Student
Total Posts:  10
Joined  09-05-2006

And it worked for me too!  Thanks!

mp/m

Posted: 13 January 2008 02:52 PM   [ # 8 ]
Lab Assistant
Total Posts:  210
Joined  02-18-2007

Sue, this is just a question but where do paid licence users ask questions that aren’t officially supported, like the removing index.php from URLs? Just asking for future reference and for those who find this by means of the search feature. Oh, and you might wanna consider editing the getting help post once you have an answer, because frankly it would confuse me. wink

 Signature 

KMRL Mojo Radio Live!
My Blog
Running 1.6.1 Build 20071114

“I know more than you do, for you think you know something, and I know I know nothing.” - Socrates


Must-Have Addons:

Accessible Captcha
Akismet for EE

Posted: 13 January 2008 03:21 PM   [ # 9 ]
Moderator
Total Posts:  32760
Joined  05-14-2004

For help with customizations, you post in the How To forum.  Removing index.php is a customization, so questions about that should go to How To. =)

Posted: 13 January 2008 03:23 PM   [ # 10 ]
Lab Assistant
Total Posts:  210
Joined  02-18-2007

Thank you, Lisa! *kisses*
