stubbyd, Posted November 18, 2011

As the title says... the header.php in /includes seems to "disappear" between 9 and 10am GMT and at the same time configure.php becomes writeable. After that the website displays:

LOLOLOLOLOLOLOL
Warning: require(includes/header.php) [function.require]: failed to open stream: No such file or directory in /home/vcc1/public_html/index.php on line 47
Warning: require(includes/header.php) [function.require]: failed to open stream: No such file or directory in /home/vcc1/public_html/index.php on line 47
Fatal error: require() [function.require]: Failed opening required 'includes/header.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/vcc1/public_html/index.php on line 47

Now, I appreciate that it has likely been hacked and simply copying back header.php fixes the issue, leaving just an "I can write to configure.php" warning message on the site - so we then set the permissions to 444 on that and that error disappears too.

So, my question... any suggestion where I begin, as a Google search doesn't reveal anything?

Thanks
Stuart
geoffreywalton, Posted November 18, 2011

If you want to have a go yourself there are some steps you can take in my profile.

HTH
G
stubbyd (Author), Posted November 18, 2011

> If you want to have a go yourself there are some steps you can take in my profile. HTH G

Thank you Geoffrey, and for the PM; it may well come to that. I believe I have already done most if not all of the stuff in your profile. Did add the AV today but the results mostly mean not a lot to me.

If I opted to replace files from a known good archive of 2.2RC2, then are there any I should specifically avoid so as not to mess up the template which was created for the site?

S.
stubbyd (Author), Posted November 19, 2011

OK, so some more information that I hope may help in tracking this down.

This occurs every day between 09:00 and 09:30 GMT. The only files that get affected, or more accurately the only things I need to do to get the site back up, are:

1. replace the now missing / deleted header.php in /includes, and
2. reset permissions on configure.php, also in /includes.

Does this add any extra light to anyone?
stubbyd (Author), Posted November 19, 2011

Arggggggggggggggh - bas%$^&*(

It would appear the web host, despite earlier denials, are guilty of this. Here is their answer after I yet again asked them about the issue, only I worded my question differently this time:

> We are scanning all accounts for any malware files (exploits, PHP shells etc.) and the header.php file gets quarantined. I've added the path to the file to be ignored so you'll be fine.
>
> Also, new permissions are applied due to exploits that include an attacker symlinking config files from various scripts as .txt files to gain access. This is a server-wide issue where all accounts on the server can be affected. With the new security measures and permissions for the files on the server, if it does come to this, the attacker wouldn't be able to access the symlinked .txt files as he doesn't have permission to read them.
>
> These kinds of exploits on user accounts are rare; however, they occur if a single user account gets exploited, being an outdated WordPress installation (for example) which can be exploited to upload a PHP shell script, from which the symlink script can be uploaded and executed.
>
> I hope this clears up the issue with the scripts a bit. All changes made are for the benefit of our clients, to have them run in the most secure environment possible.
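The host's reply describes the two things this thread turns on: symlinks planted in a web root that point at other accounts' config files, and the write permission on includes/configure.php. The script below is an added example (not from the thread or from osCommerce) that audits a hosting account for both from the defender's side. It assumes GNU/BSD coreutils (readlink -f) and uses placeholder paths.

```shell
#!/bin/sh
# Added example: audit one hosting account for (1) symlinks under the web root
# whose target resolves outside the account's home, the trick the host
# describes, and (2) a config file that still carries a write bit, which the
# thread cures with chmod 444. Assumes readlink -f; paths are placeholders.

# Print "link -> target" for each symlink under $2 that resolves outside $1.
escaping_symlinks() {
    base=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    find "$2" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target="(dangling)"
        case "$target" in
            "$base"|"$base"/*) ;;                         # stays inside the account
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Return 0 when $1 has no write bit for user, group or other (e.g. mode 444).
config_is_readonly() {
    [ -f "$1" ] || return 2
    mode=$(ls -ld "$1" | cut -c2-10)   # e.g. "r--r--r--" for mode 444
    case "$mode" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Run both checks; return 0 only if the account looks clean.
audit_account() {
    home_dir=$1; web_root=$2; config=$3; status=0
    found=$(escaping_symlinks "$home_dir" "$web_root")
    if [ -n "$found" ]; then
        printf 'symlinks pointing outside %s:\n%s\n' "$home_dir" "$found"
        status=1
    fi
    if ! config_is_readonly "$config"; then
        printf '%s is writable; expected mode 444\n' "$config"
        status=1
    fi
    return $status
}

# Usage with placeholder paths (substitute the real account):
# audit_account /home/ACCOUNT /home/ACCOUNT/public_html \
#     /home/ACCOUNT/public_html/includes/configure.php
```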