Mayday! ACP Down....

[EmpireKicking]

I just login in for the first time today and the page is white, Completely white as a sheet of paper, The login page works. I have tried on all different devices and same things.

  

[Daniel F]

Do you see any errors in your server error log? I would suggest to create a ticket for further support

[EmpireKicking]

8 minutes ago, Daniel F said:

Do you see any errors in your server error log? I would suggest to create a ticket for further support

Sent 

[John_C]

Get it fixed? What was the issue? 

[iacas]

I was having this issue too. In looking at my httpd error_log, a file named "failedMailCount.xxxxxxxx.php" (xxx were a series of digits) was responsible. Deleting it would let me see the ACP. On Safari, it would be blank. On Chrome, a 500 error.

The failedMailCount file is in /datastore and keeps recurring. I don't know what causes it to exist.

@EmpireKickAss, please keep this thread updated. Thanks.

P.S. It's just the dashboard that was blank for me. The other pages, if I had a link to them from my history or something, worked fine.

[EmpireKicking]

@iacas Sounds like you have something else that doesn't included on the problem that I have, and I'm glad to share. IPS Support team is still investigation, it's advanced support nature, so it's high. Plus doesn't help that advanced support is only available Monday through Friday, which I do understand.

The Support team found the following, doesn't look right and could probably be a vulnerable. They said to recreate the file, if not, then restore the default theme for me. However I want to get down to the bottom so they are going to go an advanced investigation

<?php exit; ?>

Sat, 09 Jan 2016 12:43:28 +0000 (Severity: 2)
1.136.96.110 - http://www.baysidega...45ca36dc1cab1d
ErrorException
2: file_get_contents(http://www.generalno...ics/adminer.txt): failed to open stream: HTTP request failed! HTTP/1.0 503 Service Unavailable 


#0 [internal function]: IPS\IPS::errorHandler(2, 'file_get_conten...', '/*****/*****/p...', 4, Array)
#1 /*****/*****/public_html/system/Theme/Theme.php(713) : eval()'d code(4): file_get_contents('[url="""]http://www.gene...')[/url]
#2 /*****/*****/public_html/system/Theme/Theme.php(713): eval()
#3 /*****/*****/public_html/system/Dispatcher/Admin.php(113): IPS\_Theme->getTemplate('global', 'core')
#4 /*****/*****/public_html/system/Dispatcher/Dispatcher.php(86): IPS\Dispatcher\_Admin->init()
#5 /*****/*****/public_html/bayside/index.php(13): IPS\_Dispatcher::i()
#6 {main}
------------------------------------------------------------------------

  I don't understated or I'm lost since it's more of an Software issue, and My site http://www.baysidegamers.com/forums/ Front of house is working full steam ahead, 

I like to get my ACP working on Monday ASAP, I have allot of work to do.  

 

[Koby]

I don't get why it's fetching an off-site txt file called adminer. Are you sure your site wasn't compromised? Sort of seems like someone may have injected some sort of keylogger into your admin cp login.

Can you get the full address of that link and see what the file contains?

[EmpireKicking]

I'm also getting and error (error.log)

[10-Jan-2016 03:49:52 UTC] PHP Fatal error:  Call to undefined method IPS\Content\Search\Mysql\Query::excludeFirstPostContentItems() in /****/*****/public_html/applications/core/modules/front/activity/activity.php on line 105

Leads to

$query = \IPS\Content\Search\Query::init()->excludeFirstPostContentItems()->excludeDisabledApps()->setOrder( \IPS\Content\Search\Query::ORDER_NEWEST_CREATED )->setPage( $page );
			$results = $query->search();
			$pagination = trim( \IPS\Theme::i()->getTemplate( 'global', 'core', 'global' )->pagination( $url, ceil( $results->count( TRUE ) / $query->resultsToGet ), $page, $query->resultsToGet ) );
			$output = \IPS\Theme::i()->getTemplate('system')->activityStream( $results, $pagination );

@Koby  Aren't an adminer.txt looked allover. and can't find much with key logging other then whats from ckeditor, but that's got nothing to do with it. 

 

Waiting on IPS support 

[Koby]

46 minutes ago, EmpireKickAss said:

I'm also getting and error (error.log)

[10-Jan-2016 03:49:52 UTC] PHP Fatal error:  Call to undefined method IPS\Content\Search\Mysql\Query::excludeFirstPostContentItems() in /****/*****/public_html/applications/core/modules/front/activity/activity.php on line 105

Leads to

$query = \IPS\Content\Search\Query::init()->excludeFirstPostContentItems()->excludeDisabledApps()->setOrder( \IPS\Content\Search\Query::ORDER_NEWEST_CREATED )->setPage( $page );
			$results = $query->search();
			$pagination = trim( \IPS\Theme::i()->getTemplate( 'global', 'core', 'global' )->pagination( $url, ceil( $results->count( TRUE ) / $query->resultsToGet ), $page, $query->resultsToGet ) );
			$output = \IPS\Theme::i()->getTemplate('system')->activityStream( $results, $pagination );

@Koby  Aren't an adminer.txt looked allover. and can't find much with key logging other then whats from ckeditor, but that's got nothing to do with it. 

 

Waiting on IPS support 

I'm not talking about on your site. I mean this:

2: file_get_contents(http://www.generalno...ics/adminer.txt)

If you know the full address to that file, see what it contains.

[Tracy Perry]

I'm aware of an adminer (used to be phpMinAdmin) add-on for WordPress.  By chance do you have Wordpress installed on the server @EmpireKickAss and are you using adminer as a SQL DB management tool?

[EmpireKicking]

19 minutes ago, Tracy Perry said:

I'm aware of an adminer (used to be phpMinAdmin) add-on for WordPress.  By chance do you have Wordpress installed on the server @EmpireKickAss and are you using adminer as a SQL DB management tool?

Yes, I have Wordpress on the same server at www.baysideves.com However I have an IPS Test website on the same server, and the ACP is working

[IveLeft...]

Have you changed anything recently ?

[Daniel F]

23 minutes ago, Tracy Perry said:

I'm aware of an adminer (used to be phpMinAdmin) add-on for WordPress.  By chance do you have Wordpress installed on the server @EmpireKickAss and are you using adminer as a SQL DB management tool?

Yea, but wouldn't it be adminer.php and not adminer.txt  and why would one want to include the adminer script into the global template:)

 

Since @EmpireKickAss said it's not something from him, it's something bad:D

Anyway, the file doesn't exist(which is good, because without the missing file, nobody would have noticed this:D ) , so i can't investigate further. I'm going to restore the default ACP theme and do some further checks for compromised code.

 

 

[EmpireKicking]

5 minutes ago, Cloud 9 said:

Have you changed anything recently ?

Nope, I only added the Twitch steam page, which isn't that anyway 

Like I said, it came out of the blue sky

[Tracy Perry]

14 minutes ago, Daniel F said:

Yea, but wouldn't it be adminer.php and not adminer.txt  and why would one want to include the adminer script into the global template:)

Ever hear of a point of intrusion?  Very possible to use a similar file name to something that is already on the system so that those that are not very technically inclined may overlook it since they utilize something by that name - and WP is a fairly common point of intrusion if it (and it's add-ons/plug-ins) is not kept up to date... of course I'm sure you were already aware of that.
Utilize an SQL injection and insert a call to a "text" file (that may not be a .txt file) in the template and then you could be in for all kinds of fun.

 

 

[Daniel F]

Sorry, I think I got your post wrong ( or you mine:D  )

[EmpireKicking]

11 minutes ago, Tracy Perry said:

Ever hear of a point of intrusion?  Very possible to use a similar file name to something that is already on the system so that those that are not very technically inclined may overlook it since they utilize something by that name - and WP is a fairly common point of intrusion if it (and it's add-ons/plug-ins) is not kept up to date... of course I'm sure you were already aware of that.

 

 

Got nothing to do with WordPress, like I said before. I have WordPress located under a different domain with one or two plugins, I had it installed for 8 or more months on maintenance closed page. And I said before that I have a test website which the ACP is working with no problems.

The files doesn't exist, and can't find anything similar or possibly losing my mind

[Tracy Perry]

9 minutes ago, EmpireKickAss said:

Got nothing to do with WordPress, like I said before. I have WordPress located under a different domain with one or two plugins, I had it installed for 8 or more months on maintenance closed page. And I said before that I have a test website which the ACP is working with no problems.

The files doesn't exist, and can't find anything similar or possibly losing my mind

If you think just because you have it under a different domain you are safe... then you are under a false sense of security.  The ONLY way you could do that if it was on another server entirely.

How do you think shared hosting accounts get crapped on?  There is an attack vector on another client (entirely different) than yours and because they allow an intrusion into the DB, it can likely lead to ALL accounts on that SQL server instance being effected.
And the point I was attempting to make is... WordPress could be a point of INTRUSION that allow(ed) a SQL injection. 

[TAMAN]

As far as i know if any of forum folder permissions or a file set to 00 you will get a blank white page and this happens when you manually moved your public_html files and folders using drag and drop on Cpanle file Manager sometimes, it happened to me.

anyways you should really check your forum "admin" folder permissions it should be set to to 644 or 755 otherwise you will get a blank page : ) 

[EmpireKicking]

23 minutes ago, TAMAN said:

As far as i know if any of forum folder permissions or a file set to 00 you will get a blank white page and this happens when you manually moved your public_html files and folders using drag and drop on Cpanle file Manager sometimes, it happened to me.

anyways you should really check your forum "admin" folder permissions it should be set to to 644 or 755 otherwise you will get a blank page : ) 

Aren't that. But I double check anyway.

Edit: Already set to 755...

[TAMAN]

Have you done anything at Cpanel before the issue? 

[EmpireKicking]

14 hours ago, TAMAN said:

Have you done anything at Cpanel before the issue? 

Support team is working on it and I'm waiting :/

[GregoryRasputin]

@EmpireKickAss check your uploads folder for files that should't be there.

[MADMAN32395]

1 hour ago, GregoryRasputin said:

@EmpireKickAss check your uploads folder for files that should't be there.

im guessing 8 days later, empire is back online.

[GregoryRasputin]

58 minutes ago, MADMAN32395 said:

im guessing 8 days later, empire is back online.

Probably, though with the breach, it wouldn't harm to check the folder.