Furry stuff, oekaki stuff, and other stuff.
You are not logged in.
Okay, I'm running into problems with my oekaki website. Everytime I visit my oekaki site, much of the index.php gets truncated to 4,731 bytes. The original size of the index.php fie is 40,727 bytes. Replacing the corrupt index.php file is fine as I have a backup copy of the index.php file stored on my hard drive.
Here's the link to my site again: http://ppgrainbow.netthrilldesigns.com/
When the index.php file gets corrupt, the error logs get generated and a bunch of IP addresses get stored in the bdc0b0f3f0e2cb15e331af047e51b777 file.
Looking at the error_log, I get this:
[15-Aug-2012 00:18:20 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:26:25 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:26:56 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:28:02 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:28:03 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:28:32 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:30:32 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:32:42 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:36:37 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:39:50 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 00:43:17 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 01:07:35 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 01:18:17 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 01:34:31 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 02:10:44 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 02:16:27 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 02:38:53 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 02:46:44 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8 [15-Aug-2012 02:48:51 UTC] PHP Notice: Undefined index: viewsource in /home4/weblined/public_html/ppgrainbow/clock.php on line 9 [15-Aug-2012 02:48:51 UTC] PHP Notice: Undefined variable: white in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:48:51 UTC] PHP Notice: Use of undefined constant img_arc_pie - assumed 'img_arc_pie' in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:48:51 UTC] PHP Warning: imagefilledarc() expects parameter 9 to be long, string given in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:48:57 UTC] PHP Notice: Undefined index: viewsource in /home4/weblined/public_html/ppgrainbow/clock.php on line 9 [15-Aug-2012 02:48:57 UTC] PHP Notice: Undefined variable: white in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:48:57 UTC] PHP Notice: Use of undefined constant img_arc_pie - assumed 'img_arc_pie' in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:48:57 UTC] PHP Warning: imagefilledarc() expects parameter 9 to be long, string given in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:49:04 UTC] PHP Notice: Undefined index: viewsource in /home4/weblined/public_html/ppgrainbow/clock.php on line 9 [15-Aug-2012 02:49:04 UTC] PHP Notice: Undefined variable: white in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:49:04 UTC] PHP Notice: Use of undefined constant img_arc_pie - assumed 'img_arc_pie' in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:49:04 UTC] PHP Warning: imagefilledarc() expects parameter 9 to be long, string given in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:50:18 UTC] PHP Notice: Undefined index: viewsource in /home4/weblined/public_html/ppgrainbow/clock.php on line 9 [15-Aug-2012 02:50:18 UTC] PHP Notice: Undefined variable: white in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:50:18 UTC] PHP Notice: Use of undefined constant img_arc_pie - assumed 'img_arc_pie' in /home4/weblined/public_html/ppgrainbow/clock.php on line 41 [15-Aug-2012 02:50:18 UTC] PHP Warning: imagefilledarc() expects parameter 9 to be long, string given in /home4/weblined/public_html/ppgrainbow/clock.php on line 41
Something is causing data corruption in the index.php file that's making the oekaki inoperable. Is there a way to fix this? I'm gonna try contacting iceytina to see what the problem could be.
Could it be a server related issue? I'm sure hoping that I get the database backed up incase the website goes down!
Update: I'm getting this error in the error log trying to view my own website:
[15-Aug-2012 08:13:23 UTC] PHP Parse error: syntax error, unexpected '}' in /home4/weblined/public_html/ppgrainbow/index.php on line 8
Something is causing the index.php file to truncate by itself causing data corruption. Could you Wac or iceytina investigate this?
Last edited by rainbow (08-15-2012 03:16:56)
Offline
Looks like your site has been compromised by some kind of advertising bot. Unfortunately, the error logs don't give me any useful information.
My suggestion is to disable your web site so no scripts will run (remove all the index.php files from every folder), and then upload known good copies of every script file. This applies to all scripts on your site, not just your oekaki.
It's possible that the entire server has been compromised, but that depends on what kind of hosting you have. Files uploaded via FTP usually cannot be modified by PHP itself, so I'm wondering what could be manipulating the index files.
If you could, make some copies of random PHP files on your server, especially the index files, and I'll take a look to see what kind of splice job this bot is trying to do.
If all else fails, contact your hosting company and tell them your site seems to have been overrun by some kind of bot. They might have a backup from, say, a week or two ago that they can use to restore your account.
Sorry it took a while to respond. I've been away from the forum for a few days. I'll send you a note on DA to make sure you know I replied here.
Offline
Waccoon wrote:
Looks like your site has been compromised by some kind of advertising bot. Unfortunately, the error logs don't give me any useful information.
My suggestion is to disable your web site so no scripts will run (remove all the index.php files from every folder), and then upload known good copies of every script file. This applies to all scripts on your site, not just your oekaki.
It's possible that the entire server has been compromised, but that depends on what kind of hosting you have. Files uploaded via FTP usually cannot be modified by PHP itself, so I'm wondering what could be manipulating the index files.
If you could, make some copies of random PHP files on your server, especially the index files, and I'll take a look to see what kind of splice job this bot is trying to do.
If all else fails, contact your hosting company and tell them your site seems to have been overrun by some kind of bot. They might have a backup from, say, a week or two ago that they can use to restore your account.
Sorry it took a while to respond. I've been away from the forum for a few days. I'll send you a note on DA to make sure you know I replied here.
Thanks for the help.
The index.php files in other directories have been removed. The index.php files were meant to block access to other directories on this site, but it turns out that it doesn't work, because the entire server might have gotten compromised.
I'm wondering what could be manipulating the index.php file. Can you take a look to see what kind of splice job the bot is trying to do? I will most likely have to contact iceytina to see if the site is overrun by some kind of advertising bot. I sure hope that the database gets backed up as well.
I'm hoping that the advertising bot that has affected the entire server gets removed without destroying all of the hard work that I put on the oekaki itself.
Update: I already contacted iceytina regarding the issue of advertising bots affecting the site without her knowledge. Should I contact you via e-mail and send you a ZIP file containing all of the PHP files. Once you extract the PHP files, you will need to take a look at which PHP files are causing vulnerability to the advertising bots.
Last edited by rainbow (08-17-2012 11:19:12)
Offline
Yes, a single ZIP of any files you'd like me to check would be fine. I can accept large attachments, so the size of the ZIP shouldn't be an issue. Here is my e-mail
Offline
Waccoon wrote:
Yes, a single ZIP of any files you'd like me to check would be fine. I can accept large attachments, so the size of the ZIP shouldn't be an issue. Here is my e-mail
Thank you for the help. I had to exclude the \database and \pictures directories from the investigation. The size of the file is nearly 3.6 MB, shrunk down from more than 320 MB.
If for some reason, your virus scanner even rejects the file in question, let me know and we'll try to work this out more.
Offline
Okay, Wac. The problem has been fixed now.
In a MSN conversation with iceytima, she discovered that malware bypassed the security restrictions and compromised some of the websites that are hosted on NetThrillDesigns. The breach affected both WordPress-driven websites and sub-domain names as well as manually coded websites hosted on NTD.
The malware that truncated the size of the index.php files has since been removed and extra security precautions will be made to prevent this from happening again.
Offline