Textpattern CMS support forum

#1 2010-02-07 12:58:21

ragger
Member
From: Netherlands
Registered: 2005-04-10
Posts: 82
Website

Weird entry in Diagnostic info

Today I found some weird info in the Diagnostic info.

pretext_data: <html>
<head>
<meta name="robots" content="noindex,follow,noarchive">
<title></title>
</head>
<body>
<div align="center" id="lackadaisical">
<center><div style="text-align: left;width: 500px;"><p align="center">You are accessing this page from an IP address on its ownership list. As a result, the trap will be skipped.</p></div></center><div style="display:none;"><a href="http://wikialert.org">post comment e-mail</a><a href="http://www.michelleshop.com">MITS</a></div></div>
</body>
</html>

Additionally, the pre-flight check says:
clean_url_data_failed: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">, and my guess is that one thing has to do with the other.

What could be wrong? Is my site hacked? How can I correct it?

Offline

#2 2010-02-07 13:33:13

jsoo
Plugin Author
From: NC, USA
Registered: 2004-11-15
Posts: 1,793
Website

Re: Weird entry in Diagnostic info

ragger wrote:

What could be wrong? Is my site hacked?

I should think so. I’d start by scanning the site directory for unexpected files. Failing that, I might download all the site files, then do a multi-file search on some of the strange text you found in diagnostics. The one time I had a Txp site hacked (wasn’t Txp’s fault) it was from malicious files that had been slipped into the plugin cache directory. (I no longer use a plugin cache on live sites.)


Code is topiary

Offline

#3 2010-02-07 15:08:27

ragger
Member
From: Netherlands
Registered: 2005-04-10
Posts: 82
Website

Re: Weird entry in Diagnostic info

Thanks for your suggestion.

I downloaded the complete website to my local hard disk and searched inside all the files for some of the strange text (using Windows Grep).
But… I didn’t find anything.

Would an update to 4.2.0 solve this? (I am still on 4.0.8)

Offline

#4 2010-02-07 15:52:38

jsoo
Plugin Author
From: NC, USA
Registered: 2004-11-15
Posts: 1,793
Website

Re: Weird entry in Diagnostic info

ragger wrote:

I downloaded the complete website to my local hard disk and searched inside all the files for some of the strange text (using Windows Grep).
But… I didn’t find anything.

Would an update to 4.2.0 solve this? (I am still on 4.0.8)

Very much doubt it. Well, possibly if that happens to get rid of any malicious files.

With malicious files it’s common for the text to be scrambled in multiple ways, which could explain why you haven’t found anything. I’d look through the directory file by file, next to a clean Txp install, and see if there are any extra files. But I’d start with the directories with looser permissions: images, files, any others you have at root level.

Or if you have a multi-file compare tool available, check the site files against a clean Txp 4.0.8 install.

Last edited by jsoo (2010-02-07 15:53:16)


Code is topiary

Offline
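An added example, not part of jsoo's post or of Textpattern: the comparison against a clean install suggested above, done by content hash so that scrambled text inside a file does not matter. Both directory paths are assumptions supplied by the caller; uploaded images and files will be reported as extra and are the entries to review by hand.

```python
import hashlib
import os
import stat

def _digest(path):
    """SHA-256 of a file, read in chunks so large uploads are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _index(root):
    """Map each relative file path under root to its SHA-256."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = _digest(full)
    return index

def compare_trees(site_root, clean_root, expected_extra=()):
    """Report files that are extra, modified or missing versus the clean tree.

    expected_extra lists relative paths known to be legitimate additions
    (hypothetical parameter; fill it in per site).
    """
    site, clean = _index(site_root), _index(clean_root)
    extra = sorted(p for p in site if p not in clean and p not in expected_extra)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    missing = sorted(p for p in clean if p not in site)
    return {"extra": extra, "modified": modified, "missing": missing}

def world_writable_dirs(root):
    """Directories with the world-write bit set: check these first."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            hits.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
    return sorted(hits)
```

Run `world_writable_dirs` on the server itself, since permission bits are usually lost when the site is downloaded to a Windows disk.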

#5 2010-02-07 17:54:05

maniar
Member
From: Hamilton, Ontario
Registered: 2010-01-04
Posts: 66
Website

Re: Weird entry in Diagnostic info

I don’t even understand this line:

You are accessing this page from an IP address on its ownership list. As a result, the trap will be skipped.

What does it actually mean? And how can you tell from this if the site is hacked?

Last edited by maniar (2010-02-07 17:55:26)


اردو میں بھی دستیاب Textpattern آپ کے لیے اب

Offline

#6 2010-02-07 18:42:57

jsoo
Plugin Author
From: NC, USA
Registered: 2004-11-15
Posts: 1,793
Website

Re: Weird entry in Diagnostic info

maniar wrote:

What does it actually mean? And how can you tell from this if the site is hacked?

It’s just my guess. The line was certainly not produced by Txp. From the little I know about it, the clean URL test makes up a unique URL within the site’s domain, which tells Txp to check the resultant server variables and then send back $pretext instead of rendering a page. ragger seems to be getting a foreign HTML page back from this. I suppose it could just be a by-product of the clean URL test and not an attack, but I doubt it.

ragger, have you checked over your .htaccess file? Your index.php (site root)?


Code is topiary

Offline

#7 2010-02-07 20:16:51

ragger
Member
From: Netherlands
Registered: 2005-04-10
Posts: 82
Website

Re: Weird entry in Diagnostic info

jsoo wrote:

It’s just my guess. The line was certainly not produced by Txp. From the little I know about it, the clean URL test makes up a unique URL within the site’s domain, which tells Txp to check the resultant server variables and then send back $pretext instead of rendering a page. ragger seems to be getting a foreign HTML page back from this. I suppose it could just be a by-product of the clean URL test and not an attack, but I doubt it.

ragger, have you checked over your .htaccess file? Your index.php (site root)?

I think your assumption is correct, I seem to be getting a foreign page. If I set my site to messy URLs the problem seems to be gone.
BTW, I have updated to 4.2.0 but that did not solve the problem.

My index.php is equal to a clean version. And what could possibly be seen in .htaccess?
So how and where to find any malicious code is unclear to me. And probably out of my league.

Offline

#8 2010-02-07 21:00:48

jsoo
Plugin Author
From: NC, USA
Registered: 2004-11-15
Posts: 1,793
Website

Re: Weird entry in Diagnostic info

ragger wrote:

I think your assumption is correct, I seem to be getting a foreign page. If I set my site to messy URLs the problem seems to be gone.

Meaning diagnostics check out when the site is in messy mode?

Are there any issues on the front end, either in messy or clean URL mode?

And what could possibly be seen in .htaccess?

Just thought I’d ask. The clean URL test sends a URL like this:

/82ee4922c844883fdd61b5aafa1a5ec7/?txpcleantest=1

In fact, you can manually check that URL in your site domain. You should get back something like this:

114dfbebe114c50d17764a786c414ed2 array ( 'id' => '', 's' => '', 'c' => '', 'q' => '', 'pg' => '', 'p' => '', 'month' => '', 'author' => '', 
'request_uri' => '/82ee4922c844883fdd61b5aafa1a5ec7/?txpcleantest=1', 'qs' => 'txpcleantest=1', 'subpath' => '\\/', 
'req' => '/82ee4922c844883fdd61b5aafa1a5ec7/?txpcleantest=1', )

While it seems to me highly unlikely that your .htaccess could have been hacked, it occurred to me as a vaguely possible explanation for the strange diagnostics results you had.


Code is topiary

Offline
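An added example, not part of jsoo's post or of Textpattern's own code: a check that tells the expected reply to the clean URL test apart from a foreign HTML page like the one in the first post. The expected shape (32 hex characters followed by an `array ( ... )` dump that echoes `request_uri`) is assumed from the sample quoted above; both sample bodies are abbreviated from this thread.

```python
import re
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import urlopen

# Healthy reply, per the sample in the post: hex token, then "array ( ... )".
PRETEXT_RE = re.compile(r"^\s*[0-9a-f]{32}\s+array\s*\(", re.IGNORECASE)
REQ_URI_RE = re.compile(r"'request_uri'\s*=>\s*'([^']*)'")
HTML_RE = re.compile(r"<!doctype\s+html|<html[\s>]", re.IGNORECASE)

def classify_cleantest(body, requested_path):
    """Return 'pretext', 'foreign_html' or 'unknown' for a test reply.

    'pretext' requires the dump to echo the exact path that was requested,
    so a cached or unrelated dump is not mistaken for a pass.
    """
    if PRETEXT_RE.search(body):
        m = REQ_URI_RE.search(body)
        if m and m.group(1) == requested_path:
            return "pretext"
        return "unknown"
    if HTML_RE.search(body):
        return "foreign_html"
    return "unknown"

def probe(url, timeout=10):
    """Fetch a clean URL test address and classify the reply (needs network)."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    try:
        with urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        # Error pages still carry a body worth classifying.
        body = err.read().decode("utf-8", "replace")
    return classify_cleantest(body, path)

TEST_PATH = "/82ee4922c844883fdd61b5aafa1a5ec7/?txpcleantest=1"
# Abbreviated from the expected output quoted in the post.
SAMPLE_OK = ("114dfbebe114c50d17764a786c414ed2 array ( 'id' => '', 's' => '', "
             "'request_uri' => '" + TEST_PATH + "', 'qs' => 'txpcleantest=1', )")
# Abbreviated from the pretext_data value in the first post.
SAMPLE_FOREIGN = ('<html>\n<head>\n<meta name="robots" '
                  'content="noindex,follow,noarchive">\n<title></title>\n</head>')
```

A `foreign_html` result means something other than Textpattern answered the request, which narrows the search to whatever handles requests before Textpattern does.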

#9 2010-02-11 11:47:12

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: Weird entry in Diagnostic info

This is part of the clean url check, and means that when the page tried to fake a clean url, it failed.

Move along, nothing to see here.

Offline

#10 2010-02-11 13:50:26

jsoo
Plugin Author
From: NC, USA
Registered: 2004-11-15
Posts: 1,793
Website

Re: Weird entry in Diagnostic info

Mary wrote:

This is part of the clean url check, and means that when the page tried to fake a clean url, it failed.

So ragger’s weird diagnostics output is normal?


Code is topiary

Offline

#11 2011-06-05 14:41:59

aswihart
Member
From: Pittsburgh, PA
Registered: 2006-07-22
Posts: 345
Website

Re: Weird entry in Diagnostic info

I have this same issue, and I’ve done pretty much everything I can to make the clean-url diagnostic test happy, to no avail. It is a very weird, incoherent error to present on every public webpage, don’t you think? It doesn’t even indicate that the clean-url test has failed; actually I have no idea where that warning message is coming from.

And despite the error, clean-urls are working just fine in practice, even before taking all the extra measures described here in my .htaccess file.

Any idea what could be the issue? I’m on Webfaction for web hosting. The one thing I haven’t tried yet is adding ‘AllowOverride FileInfo’ to my Apache httpd.conf file, but I’m not sure where that file lives right now.

Last edited by aswihart (2011-06-05 14:43:18)

Offline

#12 2011-06-05 14:47:09

els
Moderator
From: The Netherlands
Registered: 2004-06-06
Posts: 7,458

Re: Weird entry in Diagnostic info

Does the reply to this post help?

Offline
