Hacked Again - errorlog_enable error

13 posts by 5 authors in: Forums > CMS Builder
Last Post: November 24, 2015   (RSS)

Hi!

Back in august, I suffered a massive breach on a bunch of websites, some CMS Builder and some Wordpress. I rebuilt my server from scratch and I believe it is much more secure now.

However, I found that one of my CMS Builder sites has been compromised again. It is located at http://springflingevent.ca.

There is code being added to core files, as well as randomly named php files appearing in many places. Only one of my three CMS Builder sites seems to be affected and I haven't noticed any problems from the other wordpress sites. I removed all the malicious code I could find in the infected site, and I looked through all the files. Now if I try to load my site I get an error message instead of my homepage that states:

errorlog_enable: error_reporting() must be set to -1, not 0!

I saw the error_reporting() variable set to 0 in the malicious code, but I have removed the code from the infected files. I also have checked the permissions on the folders and files, and I believe they are all correct (Folders are 755 and files are 644). I would love some help thinking of ways to figure out how the hacks are being carried out as well as how to resolve the errorlog error.

Please let me know what other info I can provide to better help explain the problem or find a solution.

Thank you,

Jacob

By Damon - October 8, 2015

Hi Jacob,

In /lib/errorlog_functions.php on line 23 you should see this:

  if (error_reporting() !== -1) { die(__FUNCTION__ . ": error_reporting() must be set to -1, not " .error_reporting(). "!"); }


If it is 0 and not -1, change to -1 and upload it back to your site. This should remove the error.

There are no known security vulnerabilities in CMS Builder, but website hacks are becoming more and more common so we've created a page to help explain the issue, and to provide tips on restoring a hacked site:
http://www.interactivetools.com/docs/cmsbuilder/how_to_restore_hacked_sites.html

Have you tried using the Exploit Scanner.  After it runs and scans your files, it creates a list of detected hacks and modified files.
http://www.interactivetools.com/add-ons/exploit-scanner/

If you want more details about it, email: support@interactivetools.com

Also, let me know if you have any other errors or issues getting CMS Builder working again.

Thanks!

Cheers,
Damon Edis - interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Hi Damon,

I have checked that line in the errorlog_functions.php file and the value is already set to -1. I did some grep searches and found a bunch of infected files in my 3rdParty folder and lib folder. I removed and re-uploaded the folders. I tried opening my site and got a message about needing to install the program first before I could use the viewers. I tried going to the admin section of my site, and immediately got redirected to namespro.ca. Now, if I try to view my website, even just the main page not the admin section, I get redirected. This was initially my indication that there was something wrong with my site, but it seemed to eventually go away and give me the error_reporting message. I have checked my .htaccess files in the root directory and in the cmsb (I have it called something else) folders, and they look just fine to me.

Is there something that comes to mind that I should check for those symptoms?

Thank you for your help so far!

Jacob

By Damon - October 9, 2015

Hi Jacob,

Can you send in a Support Request with your CMS Builder and FTP details:
https://www.interactivetools.com/support/email_support_form.php?priority=regular&message=Hacked-Again---errorlog_enable-error-80255

Then I can look into the errors and see how I can help.

Thanks!

Cheers,
Damon Edis - interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

By Dave - October 9, 2015

Jacob, 

The error you're getting should never come up.  It's just a safety check in the CMSB code.  That you are seeing it suggests the CMSB code might have been modified when you got hacked.  

I'd re-upload the latest CMSB files from the zip (not a backup) and see if it still happens.  And also check your site for other infected or malicious files.

Hope that helps!

Dave Edis - Senior Developer
interactivetools.com

Hi Dave,

I have reuploaded the CMSB files. I still get redirected to namespro.ca frequently trying to get to the admin page. I usually by trying a few times with and without the admin.php part it will manage to continue. I am now getting an error about not being able to create a session. I get: 

Couldn't start session! 'session_start(): open(**FILE_PATH_HERE**, O_RDWR) failed: No such file or directory (2)'!

I'm not sure what to do to fix this error. 

One note about the redirect stuff too, I happens no matter what device I am on. All my computers as well as my phone do the redirect thing. Other sites running on the server work fine, and all my .htaccess files look ok too. I'm not sure what is causing that problem either.

By Dave - October 13, 2015

Hi Jacob,

Unfortunately, after getting hacked it can be a potentially long tedious process now of cleaning up the website and getting it back to normal again.  

Couldn't start session! 'session_start(): open(**FILE_PATH_HERE**, O_RDWR) failed: No such file or directory (2)'!
I'm not sure what to do to fix this error. 

PHP creates files to store data between page views (session files).  What that error means is that the folder that PHP trying to write those files to doesn't exist.  So it's either been changed or reset to an invalid value.

Under Admin > General you can search for "session.save_path".  You can check if the value is being set in CMSB (and it will also show you the default value in the line of text below the field).

One note about the redirect stuff too, I happens no matter what device I am on. All my computers as well as my phone do the redirect thing. Other sites running on the server work fine, and all my .htaccess files look ok too. I'm not sure what is causing that problem either.

.htaccess files can exist in any parent directory as well.  So check for one above your htdocs/public_html/web folder and in other folders as well.  The redirect could be caused by some directives in an .htaccess, by some PHP/Javascript code that was added to one of the pages.  Also, if namespro.ca is your web host it could be that you're getting redirected there because another misconfiguration.

Hope that helps! (and good luck!)

Dave Edis - Senior Developer
interactivetools.com

By master - November 8, 2015

It's easy to restore if you have the data/schema files and the database backup.

Just upload a clean CMSB and install again in a new database, restore the database and overwrite the data/schema files.

Ready to work.

By zaba - November 12, 2015

Just to echo your pain, I had a similar problem when all my sites on a virtual private cloud server, running plesk, got hacked. I bought the exploit scanner script, which saved me hours of time and I cleaned up the server. This happened again a few months later and all my sites were again hacked. Some got blacklisted in google. Everything was updated including plesk. All passwords changed. I did everything. For the third time it happened. I decided that this was really bad for my reputation and decided to abandon the VPS route as I wasted too much time trying to track down things that I wasn't really experienced with. I realised that Plesk was not great on security. I decided to move everything to a reputable cloud based reseller package on a shared platform, this was a good move. I moved all my sites over a couple of weeks, this was 2 years ago. I didn't need anything more than the magic 3 apache php mysql, and the requirements for managing my own server were not really required. I researched a decent host here in the UK and found the excellent TSOHOST https://www.tsohost.com. Since moving over 2 years ago I have had ZERO hacks and close to 100% uptime. They are not expensive. They will do the SSL installations and the like and they do full daily backups. Unless you need to make specific server level tweaks fro as I did. I slept easy at night and I don't get the client ringing up saying 'my website redirects to a porn site".