
Part of a PHP file is missing, did I get hacked?

@Ogunnowo487

Posted in: #Security

My website is built with Joomla 3.4. Today it gets a syntax error message like this:

syntax error, unexpected 'if' (T_IF), expecting function (T_FUNCTION) in /public_html/libraries/cms/router/site.php on line 350


I compared this site.php with another site's site.php file and found that some code is missing around line 350. I copied the missing code into the corrupted site.php file and the website is good again.

My question is, what could have caused this missing code problem? Was I hacked? I've been through a website being injected with malicious files; the malicious code is quite easy to identify. But I have never seen something like this, where some authentic code is deleted and the site stops working. Could it be that some malicious code was injected previously and the web hosting service automatically deleted it but accidentally also deleted some good code? For your reference, I copy the missing code below. Please note that in the last line, only br is missing; the other half of that line (eak;) remained in the corrupted file.

        break;
    }

    // Partial route match. Item with highest level takes priority.
    if (!$found || $found->level < $item->level)
    {
        $found = $item;
    }
}
// Multilingual site.
elseif ($item->language == '*' || $item->language == $lang_tag)
{
    // Exact route match.
    if ($item->route == $route_lowercase)
    {
        $found = $item;

        // Break iteration only if language is matched.
        if ($item->language == $lang_tag)
        {
            br


@Rambettina238

I've seen a lot of Joomla hacks, and even though I don't want to rule anything out, this doesn't look like one.

Joomla hacks are usually automated and append remote execution logic to the top part of core files. Sometimes new (normal-looking) files are created too.

If you want to test for a hack, search for files containing eval and base64_decode. If you have command line access, this can be done in a simple one-liner.

Not all eval or base64 means your site is hacked. A combination usually does...

The missing characters might indicate data corruption, possibly due to storage or file transfer...

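The search described in the answer above, as an added example that is not part of the original post: a shell function that lists PHP files containing both eval( and base64_decode( and notes whether the first eval( sits near the top of the file. The names scan_eval_b64 and make_sample_tree, the five-line default for "top", and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage scan for PHP files that contain
# BOTH eval( and base64_decode(. Either alone is common in legitimate code.

# The leading boundary stops doubleval( from matching as eval(.
EVAL_RE='(^|[^[:alnum:]_])eval[[:space:]]*\('
B64_RE='(^|[^[:alnum:]_])base64_decode[[:space:]]*\('

# scan_eval_b64 DIR [TOP_LINES]
# Prints "<top|body><TAB><line of first eval><TAB><path>" for each hit.
# "top" means the first eval( sits within TOP_LINES of the start of the file.
scan_eval_b64() {
    dir=$1
    top=${2:-5}
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        if grep -qE "$EVAL_RE" "$f" && grep -qE "$B64_RE" "$f"; then
            line=$(grep -m 1 -nE "$EVAL_RE" "$f" | cut -d: -f1)
            if [ "$line" -le "$top" ]; then where=top; else where=body; fi
            printf '%s\t%s\t%s\n' "$where" "$line" "$f"
        fi
    done
}

# make_sample_tree DIR: constructed, harmless files for trying the scan offline.
make_sample_tree() {
    mkdir -p "$1/libraries" "$1/media"
    # eval+base64 prepended on line 1; the string decodes to "echo 1;"
    printf '%s\n' "<?php eval(base64_decode('ZWNobyAxOw==')); ?>" \
        '<?php' 'class SampleRouter {}' > "$1/libraries/site.php"
    # base64_decode only: must not be reported
    printf '%s\n' '<?php' '$d = base64_decode($s);' > "$1/libraries/b64only.php"
    # doubleval( plus base64_decode(: must not be reported
    printf '%s\n' '<?php' '$n = doubleval($x);' '$d = base64_decode($s);' \
        > "$1/media/numeric.php"
    # both calls, but deep in the file: reported as "body"
    printf '%s\n' '<?php' '// 1' '// 2' '// 3' '// 4' '// 5' \
        '$c = base64_decode($b);' 'eval($c);' > "$1/media/late.php"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
scan_eval_b64 "$tmp"
rm -rf "$tmp"
```

A hit is a file to open and read, not a verdict; comparing it against the same file from a clean Joomla package of the same version settles whether the code belongs there.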


 

@Angela700

What I would recommend, since you already restored the file, is to check all your access logs that reference the affected site.php. This means you (and/or your hosting provider) check your FTP access logs, website access logs (example: access_log in Apache) and logs of any other software installed on the server that can modify the site.php.

Gather all IP addresses that used that file at the time the incident happened and exclude your IP address from the list. The remainder of the IP addresses will then need to be checked out, especially those found in logs that mention that site.php is being written to or received.

Search the IP addresses on Google and see if they are mentioned in a honeypot or if they are mentioned as being IPs known as malicious, and if they are, consider blocking their access to your server.

If you don't see any suspicious IP addresses even after checking every log, then the media you're storing website files on may be damaged, and if that media is an SSD or a hard drive (which is likely), then have it checked and possibly replaced for free. Just make sure you back up all data first before asking for a hard drive replacement.


@Eichhorn148

You can check Apache access logs for suspicious activity near the day/time you saw the problems.

A full backup restore would be essential.
If you don't have a backup, normally try to place all Joomla folders (except media and plugin related) in a backup folder.
Then do a full reupload of your Joomla core installation files. After that, remove and reupload the same plugin versions you had.
After that, you should check all recently changed/uploaded files in your upload/media folder.

Hope that helps!


@Margaret670

You probably don't have enough access to determine if it is a hack. However, the fact that a file was changed means something happened.

You should contact your host and inquire about any potential backup/restore failure, and also hope you looked at your file's last modified before you fixed it.
