problem accessing admin

tonyhancock · 08-19-2006

you guys were kind enough to install for me

when i try to login to admin i get

"headers already sent" etc etc

admin login at

http://www.employment40plus.com.au/dir/admin/

can you help please?

cheers
tony

WTM · 08-19-2006

Tony,
whats with those 4 iframes that you have above the head?
may be this what couses the problem...

Vincent Wright · 08-21-2006

Please open your includes/config.inc.php file and make sure it has NO whitespace after the closing ?> tag.

tonyhancock · 08-27-2006

Hi there,

thanks for the suggestions.

All my cpanel administered hosted sites were attacked by the step57 malicious script. More (but not complete) info on step57 can be found at http://ebiz-iq.com/moodle/mod/forum/discuss.php?d=110 or just google step57.

Apparently step57 is a cpanel hack that then allows any writeable file (777, 666) to have iframes inserted and saved. They will then attempt to redirect the user to the step57 site from where other malware can attack the users computer.

To remove step57 from esyndicat I did the following;

1) download a complete backup of all the website files to your local machine.
2) use a program that can search all files - i use bbedit - and search for 'step57'
3) note the file names and paths
4) go back to your server and edit the files removing the iframes
5) the files will have had permissions such as 666 or 777 - change to 644 or 755 (**NOTE** see below)

Apparently there is little that can be done to prevent reinfection until cpanel change there code - HOWEVER ...

**NOTE**
In my instance there were 4 infected files
dir/includes/config.inc.php
esyndicat/includes/config.inc.php
dir/language/English.php
esyndicat/language/English.php

All these files had permissions of 777
I have changed to 755

I think that the 777 permissions were set like this out of the box?
I have not tested esyndicat yet to see if it operates correctly with them set to 755?

Anyway - perhaps the esyndicat dev team could examine the req permissions and advise or patch?

Any files in any scripted solution that have to have 777 or 666 will be vunerable to step57 until cpanel fix their problem.

Cheers
Tony

Vincent Wright · 09-16-2006

In the next version we will get rid of as many 777 files as possible.

And hope CPanel team will fix the bug.

08-19-2006	#1
tonyhancock Join Date: Oct 2005 Posts: 13	problem accessing admin you guys were kind enough to install for me when i try to login to admin i get "headers already sent" etc etc admin login at http://www.employment40plus.com.au/dir/admin/ can you help please? cheers tony

08-19-2006	#2
WTM Loyal User Join Date: Feb 2006 Location: Mockba - New York Posts: 1,354	Tony, whats with those 4 iframes that you have above the head? may be this what couses the problem... __________________ Custom eSyndicat Templates \| World Web Directory \| Keyword Directory Webmaster Blog

08-27-2006	#4
tonyhancock Join Date: Oct 2005 Posts: 13	step57 hack was the problem Hi there, thanks for the suggestions. All my cpanel administered hosted sites were attacked by the step57 malicious script. More (but not complete) info on step57 can be found at http://ebiz-iq.com/moodle/mod/forum/discuss.php?d=110 or just google step57. Apparently step57 is a cpanel hack that then allows any writeable file (777, 666) to have iframes inserted and saved. They will then attempt to redirect the user to the step57 site from where other malware can attack the users computer. To remove step57 from esyndicat I did the following; 1) download a complete backup of all the website files to your local machine. 2) use a program that can search all files - i use bbedit - and search for 'step57' 3) note the file names and paths 4) go back to your server and edit the files removing the iframes 5) the files will have had permissions such as 666 or 777 - change to 644 or 755 (NOTE see below) Apparently there is little that can be done to prevent reinfection until cpanel change there code - HOWEVER ... NOTE In my instance there were 4 infected files dir/includes/config.inc.php esyndicat/includes/config.inc.php dir/language/English.php esyndicat/language/English.php All these files had permissions of 777 I have changed to 755 I think that the 777 permissions were set like this out of the box? I have not tested esyndicat yet to see if it operates correctly with them set to 755? Anyway - perhaps the esyndicat dev team could examine the req permissions and advise or patch? Any files in any scripted solution that have to have 777 or 666 will be vunerable to step57 until cpanel fix their problem. Cheers Tony

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

08-21-2006	#3
Vincent Wright Join Date: Sep 2005 Posts: 1,421	Please open your includes/config.inc.php file and make sure it has NO whitespace after the closing ?> tag.

09-16-2006	#5
Vincent Wright Join Date: Sep 2005 Posts: 1,421	In the next version we will get rid of as many 777 files as possible. And hope CPanel team will fix the bug.