Urgent - site down - fatal errors in eval'd code

[websupportguy]

I have just looked at one of my CMSMS mature sites which I upgraded to the latest CMS version a month or so ago and it has crashed totally. The error message I'm seeing is:

Code: Select all

Fatal error: Cannot redeclare qjk() (previously declared in /var/virtual/web/wXXXX/html/cms/index.php(1) : eval()'d code:1) in /var/virtual/web/wXXXX/html/cms/lib/misc.functions.php(1) : eval()'d code on line 1

There is a great chunk of what looks like encrypted code in the front of each of the above files.

When I tried to get into the admin interface, it was telling me that the cache and templates_c folders had the wrong permissions (templates_c was indeed set as 755, not 777, but cache was 777). Now when I try to log in as admin I get:

Code: Select all

Fatal error: Cannot redeclare qjk() (previously declared in /var/virtual/web/w1921/html/cms/lib/misc.functions.php(1) : eval()'d code:1) in /var/virtual/web/w1921/html/cms/lib/module.functions.php(1) : eval()'d code on line 1

Any clues to the cause would be greatly appreciated. I am stumped.

Thanks, Tony

[websupportguy]

Further info - I think someone has been able to inject malicious code into my site, but not sure where yet. The extra code at the top of each PHP file looks like:

Code: Select all

xxxxxxxxxxxxxxxxxxx

If anyone knows where to start looking for the source of the problem, would much appreciate some help!!!

[jmcgin51]

yep, looks like you've been hacked.  Are you on a shared host?

Hope you've been good about backing up.  Overwrite all CMSMS files with a fresh set, restore a clean db backup, and you should be back in business in relatively short order.

[replytomk3]

http://mkrd.info/software-discussions/cms-made-simple/backin-up-and-restoring-cmsms.html

http://forum.cmsmadesimple.org/index.php/topic,38252.new/spam,true.html#new

[aijaz]

hello  . i upload my  website in server. it was working fine . but presently it is showing error . the error is
Fatal error: Cannot redeclare zoiw() (previously declared in D:\Webserver\easykitchenshop.com\www\index.php(1) : eval()'d code:1) in D:\Webserver\easykitchenshop.com\www\connect.php(1) : eval()'d code on line 1 .

i have been confused . plz tell  me the solution. your help will be appriciated

[Jeff]

That isn't a CMSms function. Your site has been hacked look at the resources provided in the thread.

[aijaz]

you plz tell me what should i do . if i will download the sit. and again upload . then i will get any benifit.
plz tell me in brief

[replytomk3]

http://mkrd.info/software-discussions/c ... cmsms.html

http://mkrd.info/services-available/rep ... ction.html

[Jeff]

you plz tell me what should i do . if i will download the sit. and again upload . then i will get any benifit.
plz tell me in brief

If you don't know what to do from the resources provide, go to the help wanted section and make a post to hire someone to clean your site.

[websupportguy]

So just what does "cms made simple" mean, if you are turning people like that guy away so curtly? He could have got that crap on the joomla forums.

[jmcgin51]

There was nothing at all wrong with ajprog's response.  The OP's question has been asked and answered dozens of times here on the forums, not to mention that it's documented in the official CMSMS documentation and on 3rd-party sites (as replytomk3 provided URLs).  Aijaz does not seem to want to put any effort into fixing the problem or providing additional details about his issue, although the "fix" information is widely available.  Why should the developers (or anyone else, really), spend their time on minimalist posts like this (especially where the fix has already been discussed numerous times), when there are "real" issues being posted by people who take the time to provide good detail, system information, etc.

If aijaz doesn't know what to do, he can post in the commercial forum for paid assistance.  If he wants to learn how to work through the problem on his own, there are plenty of resources available.  And if he does try on his own, and runs into problems, and posts a complete description of the problem (more than just "you plz tell me what should i do"), I bet he'll get some helpful responses.

I also get frustrated occasionally at what seems to be a dismissive attitude on the part of the dev team, but in this case I think it's totally warranted.

CMS Made Simple does not mean "CMS without any knowledge of HTML, CSS, hosting, databases, or other related information".

http://www.cmsmadesimple.org/about-link/

[tyman00]

I am not sure how a hacked site becomes our responsibility to support when it is extremely likely that the hack had nothing to do with the CMS. He was actually provided good information by replytomk3 and a secondary solution from ajprog was provided as well in the form of a paid support option.

Not trying to be dismissive (as jmcgin said ) but I really thought the two main options were covered well. I personally didn't respond because I didn't think there was anything more of value to respond with apart from volunteering to fix it myself.

[websupportguy]

Sometimes it helps to realise that not everyone is a web developer or programmer. Lots of people download and install CMS Made Simple because it implies that you don't need a lot of advanced knowledge to use it. But the people who do that typically also don't know how to triage a problem like this. I have been a web developer for 20 years and to be honest I'd never seen anything like this before.

For the benefit of those who come after me and find this thread on a search, the site had been infected by a virus called "gumblar" - suggest you Google this term as there's a lot of info on the web about it. Gumblar virus first infects a host PC, then injects malicious code into your website the next time you use FTP or similar to log in for maintenance. At least that's what the info online seems to suggest. For me, I was the only person other than the web hosting company with the FTP password to the site and my computer has not been infected. So how it got into this website is still a mystery.

The only way to remove it (apparently after disinfecting your PC) is to download all the site files and do a search/replace on the malicious code (there's several bits to it). Then you can upload the site again and all *should* be OK. Again, for me this is not yet the case as the virus seems to have changed my admin passwords and other info. So I am recreating the site from backups on a completely different hosting account.

Thanks to those who pointed me in the direction of a virus search. Although my query was somewhat off-topic here, at least I did get a clue of the direction to take. And I did a full search before I posted this question, by the way. So if it has been covered in other topics, the key words are no relevant or the search is dodgy.

Good luck to the newbies out there. You'll need it.

Tony

[calguy1000]

I have been a web developer for 20 years

Wow.... You predate Tim Berners-Lee... I bet your pissed about all the missed press opportunities.

[websupportguy]

Sorry, Alzheimers... make that 16 years. I started posting web content on the AARNet in 1993. If that presents a problem for you, I'd suggest the source is in the mirror.