Page 1 of 1
Parse Errors
Posted: Mon Jul 31, 2006 12:59 pm
by Jagganath
Hi!
Before this weekend my website worked fine, haven't logged on to it since.
When i visited it this morning i got: Parse error: syntax error, unexpected $end
with the staticpages addon, looked at the file, a large chunk of the php code was missing... so i removed the reference in the database so it wouldn't load anymore..
Then i got the same error with another addon.. removed that also
And again the same error.. but this time within my template_c directory.
Changed the template to default and my site was visible again, however due to i removed the reference, i can't reinstall the plugins cause i get an error trying to open the event plugin manager.
At this moment i also get another error from within my template_c dir...
Tried removing the files, but i don't have access to them

Think its because they are written by apache and not by myself... and i can't chmod them also..
How could this happen? when i last visited my site everything was ok
and more important, got a clue how to solve it?
Only way is to contact my webhoster and ask them to delete everything?
then reinstall everything again? (and yes, i forgot to make a backup)
Grtz Marcel
Re: Parse Errors
Posted: Mon Jul 31, 2006 1:02 pm
by garvinhicking
Hi!
Which version of serendipity are/were you using? Do you use other applications on your host which might have got hacked? Did your provider maybe have a crash at the weekend?
It definitely seems some hardware or intrusion problem. Currently though, Serendipity 1.0 has no known security issues that could cause this behaviour...
Best regards,
Garvin
Posted: Mon Jul 31, 2006 1:26 pm
by Jagganath
am using version 1.0
Just installed it a week ago
Only using serendipity, with expose4, but that doesn't require a seperate logon.
Checked my provider, but no news on crashes whatsoever
Gonna ask them to remove everything from my site, so i can reinstall all.
saw that the UID/GID of the files i can't delete is Apache and not my normal username, those are made by serendipity itself (template_c dir and the plugins i installed using Spartacus)
Posted: Mon Jul 31, 2006 1:30 pm
by garvinhicking
Hi!
Maybe in the files that contain parse errors you could check the "Last Modify" date and see when that file was last accessed?
The UID/GID is set to Apache because plugins are usually downloaded by Serendipity's Spartacus process (BTW, you can configure the plugin to tell which username/ID should be used for downloaded files), and templates_c files are also created by Apache and thus set to that user - that's right.
However you could use the fixperm.php script as mentioined in the FAQ on
www.s9y.org to change permissions!
HTH,
Garvin
Posted: Mon Jul 31, 2006 2:14 pm
by Jagganath
thnx for pointing me to permfix.php!!
got it working again.. so happy
Must must have overlooked that in the FAQ, cause i scanned it for something similair..
Deleted all my cash files from the template i use, also updated a couple of files from plugins and now it works again.
The last modication date was at 28th so might have been a servercrash...
made a backup immidiatly now

Posted: Mon Jul 31, 2006 2:52 pm
by Jagganath
unless plugin_staticpages.tpl always have this link included (at line 6):
Code: Select all
<a href="http://www.aofrozen.net/lsdseller/Universal%20AV%201.8%20dvix.asp" class=giepoaytr>Universal AV 1.8 dvix</a>
i think i do have had an intrusion problem...
that link would have shown up on every page
Posted: Tue Aug 01, 2006 8:13 pm
by garvinhicking
Hi!
No, that link is not included. Did you ask your webprovider for a HTTP access log? This would help show possible intrusions. It might very well be the Gallery script that could have caused intrusion - since many other people using s9y have not reported such aproblem, and frankly I don't think there is a vulnerability that could cause this in current up-to-date s9y versions? It could also be caused by hacked Linux kernels, FTP servers, Apache webservers...sadly there are a lot of potential intrusion areas aside from s9y...
Tell me if I can be of any help to analyze this?
Best regards,
Garvin
Posted: Tue Aug 01, 2006 11:26 pm
by Jagganath
Just received a mail from my provider that all Joomla/Mambo users are ordered to update their version immidiately. Cause it seems my provider has been confronted with alot of hacks the last couple of days.
Asked them for a log, now waiting for an answer.
The logs i have access to within my administrationpage doesn't show anything at the time i suspect it happened.
Don't believe its the gallery script, its just some simple javascript and a flash file..
Could be they gotten into the webserver and hacked me from the inside...
my apache usage log doesn't show anything at least
Posted: Wed Aug 02, 2006 9:52 am
by garvinhicking
Hi!
Okay, this sounds very much like the propobable solution. If you are on the same host than a vulnerable joomla installation of another customer, due to the joomla bugs it is possible that they can "infect" your webspace [also dependin on the PHP setup of your provider though!].
Don't believe its the gallery script, its just some simple javascript and a flash file..
Ah, okay. I forgot that it had no "active" content. Yes, it's unlikely then.
Best regards,
Garvin