Textpattern CMS support forum

#1 2006-05-03 01:09:22

jameslomax
Member
From: UK
Registered: 2005-05-09
Posts: 448
Website

server been hacked: anyone know about this?

Emergency situation: it appears that my server has been hacked, and I have no idea who, how and what has happened. I get this error:

Fatal error: Call to undefined function: parse() in /……./textpattern/lib/txplib_misc.php on line 1309

Has anyone seen this before? It doesn’t appear that any of my files have been deleted; I tried replacing txplib_misc.php with a fresh file, but that did nothing. In Internet Explorer, the hack is generating links to commercial web sites.

Aaaargh.
How sickening, that people out there do this kind of thing.

I did notice a suspicious looking file called ftpIMIhWx.cgi on the server that I don’t recall uploading, although I could be mistaken. But could a trojan cgi script somehow be illegally uploaded, that could cause this problem? (although I tried disabling/re-naming it, and it changed nothing).

Offline

#2 2006-05-03 01:13:42

jameslomax
Member
From: UK
Registered: 2005-05-09
Posts: 448
Website

Re: server been hacked: anyone know about this?

These are the links it’s generating – add them to your security/htaccess file, whatever:


- It appears to be exploiting a weakness in IE, because Firefox isn’t generating this crap.

Offline

#3 2006-05-03 01:17:56

zem
Developer Emeritus
From: Melbourne, Australia
Registered: 2004-04-08
Posts: 2,579

Re: server been hacked: anyone know about this?

I’ve contacted James in email. No more details here until we know where the vulnerability is (it’s not necessarily in Textpattern itself).


Alex

Offline

#4 2006-05-03 04:18:14

zem
Developer Emeritus
From: Melbourne, Australia
Registered: 2004-04-08
Posts: 2,579

Re: server been hacked: anyone know about this?

Update: it looks like several independent issues. There’s no indication of a security issue in Textpattern so far. Still investigating.


Alex

Offline

#5 2006-05-13 21:36:19

zem
Developer Emeritus
From: Melbourne, Australia
Registered: 2004-04-08
Posts: 2,579

Re: server been hacked: anyone know about this?

There’s no evidence of a hack. The problem appears to be two independent issues:

1. A corrupt MySQL table. The undefined parse() error is displayed because of some buggy logic in Textpattern’s error display code. This only happens in very specific circumstances (the ‘textpattern’ table is inaccessible, but everything else is fine).

2. A browser infected with spyware, adware or similar. The spam links aren’t included in anything sent by the server, and are only visible with IE from one specific machine.

There’s no evidence the table corruption was anything other than accidental.


Alex

Offline
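
The check behind point 2 of the post above, as an added example that is not part of the original thread: compare the HTML the server actually sent with the DOM saved from the affected browser, and report where each suspect link host first appears. The sample HTML, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect the host of every absolute URL found in href/src attributes."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                try:
                    host = urlparse(value).hostname
                except ValueError:  # malformed URL: nothing to record
                    host = None
                if host:
                    self.hosts.add(host.lower())


def link_hosts(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.hosts


def localize_injection(served_html, rendered_html, suspect_hosts):
    """Map each suspect host to 'server', 'client' or 'absent'."""
    served = link_hosts(served_html)
    rendered = link_hosts(rendered_html)
    verdict = {}
    for host in suspect_hosts:
        if host in served:
            verdict[host] = "server"  # present in the bytes the web server sent
        elif host in rendered:
            verdict[host] = "client"  # added after delivery, on that machine
        else:
            verdict[host] = "absent"
    return verdict


# Constructed samples: SERVED stands for a raw HTTP fetch of the page,
# RENDERED for the DOM saved from the browser that shows the spam links.
SERVED = ('<html><body><a href="http://mysite.example/article/1">Post</a> '
          '<a href="/about">About</a></body></html>')
RENDERED = SERVED.replace(
    "Post</a>", 'Post</a> <a href="http://ads.spam.example/?new-home">new home</a>')
SUSPECTS = ["ads.spam.example", "other.spam.example"]

if __name__ == "__main__":
    for host, where in localize_injection(SERVED, RENDERED, SUSPECTS).items():
        print(f"{host}: {where}")
```

A "client" verdict points at the browser or machine, as in this thread; a "server" verdict means the served files, templates or database content need inspecting.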

#6 2006-05-13 22:27:33

jameslomax
Member
From: UK
Registered: 2005-05-09
Posts: 448
Website

Re: server been hacked: anyone know about this?

Update: it appears that this was a server mysql error, resulting in a broken ‘textpattern’ table. The mysql ‘repair table’ command resolved it, and my site is now operational again. The commercial links do indeed appear to be spyware related, although I’d suggest the URLs I provided could still be added to your blacklist: not because of a hack, but because they are involved in hijacking, spyware bullshit.

Thanks to Alex, for a prompt response and accurate advice.

Offline

#7 2006-05-14 14:26:52

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: server been hacked: anyone know about this?

Glad it’s working again, James.

So, to restate for anyone that was/is worried: James’ site wasn’t hacked, there’s no Textpattern vulnerability to worry about. :)

Offline
