Thread

i want to upgrade to the commercial version. considering my current security compromise has not been resolved, should i wait until security is established to keep things simpler? it’s not like a few days will make any difference to me. i think that upgrading now might just add another layer of unnecessary complexity perhaps.

Let’s get you back up and running before doing the upgrade.  Are you there yet?  If not- $site_index should most likely be index.php- the name of your main index file.  You should be ok leaving the templates blank and setting then via the ‘Template’ tab once you’re back up.  config_bk is just a copy of your config.php file- once you’re up and all is well?  I’d copy the working config.php over to that.

IF you are up and running…  I think it’s going to be a matter of personal preference whether you go ahead with the upgrade.  I probably would- but only if EE is up and running fine.  (And by the security compromise being unresolved, I’m thinking you’re meaning you’re still getting info from the host on how they gained access- and want to lock things down once you hear back.)

Once it’s all locked down, you’ll want to consider renaming your system folder and perhaps changing your db info.

That all make sense?

thanks robin
path and config files are now working - i just need to put in the database connection values.
the host’s phones are engaged all day and they aren’t replying to emails - so i reckon that i’m not the only one affected. i think i’ll wait for the dust to settle and lie on the beach until they’ve sorted their security out.
thanks for helping

Probably a good call if you aren’t dying to play with new features.  Once you know you’re locked down, might be worth replacing all of the files with fresh copies.  Accepting the config and path files- of course!

before going to the beach, i thought i’d share what i’ve done in the meantime to protect further damage - while the host is infected.

1. set the path and config files to chmod 600 - go to this cool link to see useful info on how chmod works:  http://www.fas.harvard.edu/computing/kb/kb0026.html (am i allowed to post link suggestions in this forum - or am i breaking protocol?)

2. to prevent malicious stuff getting into the database - make sure that in the config file you disable the connection to the database - at least the db won’t be compromised.

Thank you, mike, for sharing this. And yes, of course you can share appropriate links. =)

since i am rebuilding config etc from scratch (nice way to learn things thoroughly) - could you tell me whether the code that currently resides in my index.php file is correct please:

<?php

error_reporting(0);

$pathinfo = pathinfo(__FILE__);
$ext = '.'.$pathinfo['extension'];

require './core/core.system'.$ext;

?>

thanks

That’s correct- for the index.php that’s inside the system folder.  (It’s an exact copy of the file you’d get in a fresh download- no need to rebuild it by hand.)  About the only files that will differ from a clean install are the main path.php and the config.php files.  The rest you could use a fresh copy from a download and be fine.

i’ve added the correct db values in the config but i still have a problem.

before i go into detail i’d like to make sure that the directory structure is correct.

the path.php file is in the root folder. the config and index.php files are in system folder situated in the “utilities” sub-folder. shouldn’t the url be:  system/utilities/config.php - or am i really stupid.? i’ve tried moving these files by dragging them into the system directory but it won’t allow me to.

problem: when i try link to my control panel it seems like i have reached the /index.php url but - the screen is blank and when i view source - i see this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY></BODY></HTML>

the path file contains this:

<?php

error_reporting(0);

$pathinfo = pathinfo(__FILE__);
$ext = '.'.$pathinfo['extension'];

?>

just in case it’s relevant, the code in the index.html file (which is in the utilities sub-folder of the sytem folder is:

<title>Redirect</title>

<meta http-equiv="refresh" content="0; url=index.php">

</head>

<body bgcolor="#ffffff">

</body>

</html>

could you look at the config values set in the code below - these are all default settings so all users would benefit from knowing these values:

is the format for the licence number correct? yunno, are those hyphens causing hassles?

$conf['license_number'] = "xxxx-yyyy-zzzz-aaaa";

$conf['debug'] = "2";

$conf['install_lock'] = "1";

$conf['db_prefix'] = "exp";

$conf['db_conntype'] = "0";

$conf['doc_url'] = "http://expressionengine.com/docs/";

$conf['is_system_on'] = "y";

$conf['allow_extensions'] = "n";

$conf['multiple_sites_enabled'] = "n";

by the way, and maybe importantly, i haven’t done anything with any other files in my website.

do i need to “build it” or something. i mean should i upload my whole site up from my local system. should i download from the server and replace my local copy? do i need to install “fresh files “, hey, i’m so stupid i wouldn’t know what a fresh file is or where to find one.

thanks, mike

Your config.php should be directly in your system directory, not in the utilities folder. =) 

Try that and see if it helps.

one thing i can confirm (and i will use filthy bold tags ‘cos in this case it is appropriate.

i can confirm that my ee system was compromised through a security weakness on my host’s servers and not from your end. 

i don’t want to cast any aspersions on the character of my host - afterall, the character flaw is with the malicious hacker.

thank you for confirming that, Mike.  Now lets work on getting everything working again!

i use dreamweaver and i’ve tried every way to try and move the config file into the system folder using their file sytem interface, cut and paste, drag drop, edit/copy etc. (is it just the config file or the index.php and index, html and config_bak files that need to be moved to.

i suppose i need dreamweaver support on how to move a file to another folder - i’m not sure if dreamweaver would like it if i tried to do it through windows explorer - and i don’t even know how to do it in windows explorer. how ridiculous - i can’t move a file.

I’d highly recommend getting a real FTP program, Dreamweaver really doesn’t cut it for FTP, nor does Windows Explorer.  I’m a fan of CuteFTP personally.  WS_FTP is also nice, as is SmartFTP on Windows.

hi
thanks fo non-ee advise. i got cuteftp and all the path config files are in the system folder, on the server. alas, if you go to my login url:

http://www.thewebsite.co.za/thegoldenthroatcharmer/index.php

you’ll see i just get a blank page. should i perhaps uninstall ee and re-install - if so how do i do this?
thanks