How to clean header, URL and .htaccess areas

bgpzone · 2016-11-02 06:52:32

My blog (website) keeps displaying this error message in the header of my site on all pages and blocking my backgroup image from displaying. How can I clean this up?

Thanks
bgpzone
————————————————————
Warning: include(/home/bgpzblog/public_html/textpattern/setup/test.php) [function.include]: failed to open stream: No such file or directory in /home/bgpzblog/public_html/index.php on line 3

Warning: include() [function.include]: Failed opening ‘/home/bgpzblog/public_html/textpattern/setup/test.php’ for inclusion (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/bgpzblog/public_html/index.php on line 3

colak · 2016-11-02 08:48:50

bgpzone wrote #302545:

Warning: include(/home/bgpzblog/public_html/textpattern/setup/test.php) [function.include]: failed to open stream: No such file or directory in /home/bgpzblog/public_html/index.php on line 3

Warning: include() [function.include]: Failed opening ‘/home/bgpzblog/public_html/textpattern/setup/test.php’ for inclusion (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/bgpzblog/public_html/index.php on line 3

Hi bgpzone and welcome to txp,

As far as I know there is no file called test.php in the textpattern install but maybe our developers might be able to shed some light.

gaekwad · 2016-11-02 10:53:08

+1 for there not being a test.php. I’m thinking it’s a compromised site.

bgpzone: check Admin -> Diagnostics in the admin area. It may report checksums have changed.

Also, the textpattern/setup directory must be deleted after install, per the installation instructions.

gaekwad · 2016-11-02 10:54:02

PS: I just googled `bgpzone` — that was a wild (NSFW) ride!

bgpzone · 2016-11-03 01:03:24

Thanks

bgpzone · 2016-11-03 01:08:07

Thanks Gaekwad, and yes I has been compromised. I do not know how some of my files had been modified. I do not have my first initial pages/scripts (save on a damage/stolen pc).
I notice these messages on my Diagnostics Pre-flight check

/home/bgpzblog/public_html/textpattern/setup/ still exists i

Some Textpattern files have been modified:
/home/bgpzblog/public_html/index.php,
/home/bgpzblog/public_html/textpattern/lib/admin_config.php i

The following PHP functions (which may be necessary to run Textpattern) are disabled on your server: eval, show_source, phpinfo, allow_url_fopen i

Clean URL data test failed: <br /> i

———————————————————————————-

Can you share some light on how and which menus, files etc…I can go edit and or add something to correct the problem?

Thanks again in advance
bgpzone

——————————————————————————————————————————————————————————————————————————————-
h6. gaekwad wrote #302547:

+1 for there not being a test.php. I’m thinking it’s a compromised site.

bgpzone: check Admin -> Diagnostics in the admin area. It may report checksums have changed.

Also, the textpattern/setup directory must be deleted after install, per the installation instructions.

p.

colak · 2016-11-03 04:46:28

There is a series of questions suggestions below

Are you using the latest version of textpattern?
The devs should look into the compromised files.
Check the logs of your site to see if you can spot anything strange.
Your host should be notified
Do you have any other installs in your website apart from textpattern? (ie wordpress, statistics software, etc)
Change all your passwords including: ftp, mysql, etc.
Backup the site in a safe folder in your computer and replace all files with a freshly downloaded txp from textpattern.com/.

The config file should only include:

<?php
$txpcfg['db'] = '[your db name]';
$txpcfg['user'] = '[your db user name]';
$txpcfg['pass'] = '[your db password]';
$txpcfg['host'] = '[your db host, usually, localhost]';
$txpcfg['table_prefix'] = '[if you use a prefix for the textpattern tables]';
$txpcfg['txpath'] = '/path/to/textpattern';
$txpcfg['dbcharset'] = 'utf8mb4';
?>

Bloke · 2016-11-03 08:46:57

In addition to what Yiannis said, also look out for additional files that are not part of the Txp installation, as these can be used for shell backdoors or to reinfect things after uploading a fresh Textpattern. Often the files are easy to spot: the modification datestamps may differ from those you originally uploaded, or the filenames might be a little wonky, or refer to ‘other systems’ like WordPressHelper.php, etc.

But be careful: bad files may be disguised as images, so check your images and files directories thoroughly for any signs of files that have not been managed by Textpattern. And when you’ve downloaded your entire site to your computer, switch your images folder to thumbnail or tile view and check every image has a legitimate thumbnail image. Any that don’t, try opening them in a text editor to see if they have code inside them.

gaekwad · 2016-11-03 09:07:23

I +1 what colak and Bloke have said, I would also add a couple of points:

In the first instance, make a decision if the compromise is worth investigating for your own site. If you just want to get ‘live’ again, then the first step would be to replace the affected files with known-good versions from the same release version that are you using, which will make the checksums tally up correctly. Check to see if your /.htaccess file is missing, because that may explain the clean URL check failing.

Check your Pages and Forms for any references or code you don’t recognise. I’m going to assume that you’re on shared hosting and a noisy neighbour has a compromised site that’s affected yours, rather than Textpattern being compromised (this is very, very rare). What’s probably happened is rogue files have been dropped and index.php has been prepended with some code, hence the checksum fail.

Note the version of Textpattern you’re using, and download a fresh copy from here along with 4.6.2 (latest, currently) if you’re not on that version.

Save the config.php file. Make sure you actually have it saved. Export your database, and check it’s a legit backup and not a zero byte file. Save all your files from the server to a local backup. You may not use them all again, especially if they include rogue/bogus files, but having them is better than not. Make sure you have your files and images directories backed up, too.

If it was me, and I appreciate it’s not, the server is now tainted and should be considered damaged. Burn it. Start over. Flatten and repave. Use this opportunity to take a full backup of your site with a database export and file backup. Throw up a ‘maintenance mode’ index.html file and delete everything. Make sure hidden files are listed and deleted. Make a decision at this point if your web host is right for you — that’s only a decision you can make.

Copy known-good Textpattern files and directories into place, including .htacess. Delete /textpattern/setup and drop your config.php in the root. Pick through the images and files directories on your local backup and make sure they’re legit, uploading them to the appropriate directory on your server. At this point, check your Diagnostics panel to make sure you’re not showing any checksum errors.

Your site should now be live again. Check on the front end for errors and/or malfunctions, and if all is well, take a database + file backup. Same deal as before – this is now your known-good bgpzblog backup for this moment in time. Check your plugins panel and let us know what you’re using (name and version), then we can note any potential snags for upgrading to Textpattern 4.6.2, which should be your next step if you’re not up-to-date.

Bloke · 2016-11-03 13:14:34

Pete, bravo.

OT: Amalgamating the various steps to recover and things to look for would make an excellent .com blog post: “I think my Txp site’s been hacked, what should I do?” Or maybe in the troubleshooting section of the shiny new docs site?

Y’know, if you’re ever up for it and have a spare hour or so…

Textpattern CMS

Textpattern CMS support forum

#1 2016-11-02 06:52:32

How to clean header, URL and .htaccess areas

#2 2016-11-02 08:48:50

Re: How to clean header, URL and .htaccess areas

bgpzone wrote #302545:

#3 2016-11-02 10:53:08

Re: How to clean header, URL and .htaccess areas

#4 2016-11-02 10:54:02

Re: How to clean header, URL and .htaccess areas

#5 2016-11-03 01:03:24

Re: How to clean header, URL and .htaccess areas

#6 2016-11-03 01:08:07

Re: How to clean header, URL and .htaccess areas

#7 2016-11-03 04:46:28

Re: How to clean header, URL and .htaccess areas

#8 2016-11-03 08:46:57

Re: How to clean header, URL and .htaccess areas

#9 2016-11-03 09:07:23

Re: How to clean header, URL and .htaccess areas

#10 2016-11-03 13:14:34

Re: How to clean header, URL and .htaccess areas

Board footer