Kryptronic Software Support Forum

nickf · 11-21-2008 13:49:06

Hi

I seem to have server ewrrors when I try and get into the admin page.

wwwhorsingaroundsaddlery.co.uk/ccp51/admin used to get me into it. I am nor getting a server error.

Any ideas please, have my hosts changed server paths?

Nick

rachaelseven · 11-21-2008 14:21:26

That sort of error is usually caused by one of two things:

1. Something in the server's PERL cnfiguration won't let the script execute. Obviously, this would have required the host to have changed something for it to stop working. And since your storefront still seems to be working, this is unlikely.

2. Corrupted table (.csv file). When using FTP, CSV files must be transferred in BINARY mode. If tables are transferred using FTP in ASCII mode, that will corrupt the table and cause that sort of error. To have corrupted only the admin and not the store, someone would have to have been working with one of the backend tables.

In this case, it will definitely be necessary to get a look at the server error logs. Hopefully the logs will reveal additional details that can help suss out the cause of the problem.

nickf · 11-22-2008 08:04:48

Thanks for the thoughts. The cart has been stable for a long time and the only table to have been uploaded is the product.csv. The site was then swapped over to MYSQL (I do updates off line in an access database and then move them onto the site).

I am trying to get hold of the hosting company to find out if they have migrated me onto another server.

I've looked at the cp-admin.cgi and cp-app.cgi files in the CGI Bin and they seem to have the same path statements on both files. The file updates dates are 11/10/2008 which makes me think someone has been in there and changed files/paths recently. I havn't alterned those files and most other files on the site are dated 2004.

My product.csv table is dated 4/10/2008 which is about right for when I last updated the content.

It looks like the host has migrated me without telling me, I just need to work out where and what has happened now.

Any more thoughts are welcome

Nick

rachaelseven · 11-22-2008 09:14:24

Well, the paths in cp-admin would cause an error if they were wrong, but they wouldn't cause a 501 server error. With the wrong paths, the script would execute and give you a message about the paths. So I would start looking at file permissions. The scripts should all be at 755 and elements and tables should all be at 777. Maybe they moved you and forgot to set the permissions on one of the files.

nickf · 11-22-2008 11:05:14

Any idea where to look??

The permissions on CP-app and CP-admin are identical.

I can't get a reply from my host at the moment.

Nick

nickf · 11-22-2008 17:03:22

Just got at the server logs and this appears to be the relevant error message

[Sat Nov 22 21:52:51 2008] [error] [client 86.152.20.210] Premature end of script headers: cp-admin.cgi, referer: http://www.horsingaroundsaddlery.co.uk/ccp51/admin/

Any suggestions are very welcome

Thanks

Nick

rachaelseven · 11-23-2008 12:00:09

Sorry, Nick... that doesn't give much to go on. I'd have a look at the permissions on all of the PERL files... cgi-bin/ccp51/library and all the subdirectories. All of them should be set to 755. If not permissions, it's likely that the host did something... what I don't know, but something. Beyond that, I've got nuttin' and I'd have to suggest a paid support ticket with Howard (greenbarn) or Stephen (cartmod.com) if your host can't help you sort it. Sorry.

nickf · 11-25-2008 04:24:16

Spoken to the host and there were no changes their end around that date

Any ideas are welcome as I need to update the product table with some new prices.

Nick

rachaelseven · 11-25-2008 23:50:03

Have a look at the permissions on all of the PERL files... cgi-bin/ccp51/library and all the subdirectories. All of them should be set to 755. After that, get in touch with Stephen at cartmod.com and pay him to find the problem - there's nothing more that can be done from here with the information you've provided.

nickf · 11-26-2008 14:33:39

Thanks for the thoughts. The permissions all look sensible.

I am considering replacing the CP-admin.cgi file which has gained a file date of when this seems to have happened (looking at server logs showing problems) with the local copy I have from when I uploaded CCP in 2004.

There is a difference in the path statements, the remote copy has this wort of path

$server_script_path = "/var/www/vhosts/horsingaroundsaddlery.co.uk/cgi-bin/ccp51";

and the local copy where the paths start with /user/local/psa/home/vhosts . . . . .

I'm out of my depth knowing what these differences are about but the cp-app file has the vhosts version and that is working.

There are other differences later in the script , particularly at the end where the live version has this which is missing from my local copy

print "The root web directory of this account appears to be:<BR><BR>\n";
print "$ENV{'DOCUMENT_ROOT'}<BR><BR>";

******DELETED BY MODERATOR*******

print "</BODY></HTML>\n";

any idea where this crept in??

The SEO and sitemap mods have been done, is this anything to do with them? they have been in and stable for years.

Thanks

Nick

Last edited by rachaelseven (11-26-2008 15:46:18)

rachaelseven · 11-26-2008 15:31:11

Either of those path definitions could be right - it depends on how your server is set up. Whatever version of the paths work in cp-app.cgi, should also be the right general format to work in cp-admin.cgi; so make cp-admin.cgi of the same style as cp-app.cgi if you need to. I'm not inclined to think the issue is there though - that bit at the end of the live version is almost certainly the problem. I have no idea where that would have come from and it certainly doesn't belong there. Frankly, from the looks of that script, I'm suspecting you were hacked. The only good news is that the syntax of that apparent hack attempt is flawed and will keep the CGI from executing. The last part of that script, starting with where you pasted in, should look like this:

Code:

print "The root web directory of this account appears to be:<BR><BR>\n";
print "$ENV{'DOCUMENT_ROOT'}<BR><BR>";

print "</BODY></HTML>\n";

} ######### End of if statement.

#######################################################################
# Exit                                                                #   
####################################################################### 

exit;

That's everything from your start point right to the end of the file. I would definitely delete this part:

Code:

******DELETED BY MODERATOR*******

You could comment it out instead of deleting it (by putting a # at the beginning of each line), but that script makes me nervous and I would not recommend that. Instead, I recommend you keep a backup copy on your local machine and remove the suspect code. If you've already compared the rest of the script against your original and you are sure that that code and the paths are the only differences, then you're probably ok to proceed once you've removed that code. However, if you want to PM me the entire contents of the file I'd be happy to double-check for you.

EDIT: Removed malicious code from post for security purposes.

Last edited by rachaelseven (11-26-2008 15:47:17)

rachaelseven · 11-26-2008 15:38:31

P.S. - I decoded the suspect script and that is definitely evidence of a hack. That script was attempting to insert a javascript into your admin pages that would load another JS from a remote server. The purpose isn't entirely clear, but it's a safe bet it was probably going to try to steal customer data. Definitely remove that code, check for other possible hacking (same file dates, perhaps), and check the security on your FTP - someone would have had to breach your site via FTP or through a hosting control panel to make that change.

Dave · 11-26-2008 15:39:13

That's only slightly obfuscated code that will likely send the person off to a site where "bad things" will attempt to be downloaded and installed/run. If you have that in one file it is well worth your effort to check every file on your site for signs of it elsewhere.

nickf · 11-26-2008 15:42:48

many thanks, I'm going to go and revert to the old file with the new format paths

The app side of it has the new dates too so I will check the content of that and revert thhat to the old version with the new paths.

After that I'll change the FTP passowrd.

Many thanks for the help, I'll let you know how it goes.

Nick

rachaelseven · 11-26-2008 15:44:20

It was going to attempt to load a JS called quant.js from a site which I won't repeat here. What quant.js was going to do from there is anyone's guess. Fortunately, the script was very poorly written and could never execute, but it was definitely a hack attempt. And Dave is absolutely right - your site has been seriously breached and I would check very carefully for other evidence of tampering - front end and back end.

EDIT: I have edited both earlier posts where the code appeared - malicious code has no place on the forum, now that we've identified it.

Last edited by rachaelseven (11-26-2008 15:48:11)

nickf · 11-26-2008 17:12:03

Files compared, App file seems not to have been altered.

Admin file shpws the differences in path that were discussed earlier and the additional script at the end that is spurious.

This has now been deleted and the file uploaded but I am getting thee same errors.

I have looked round the CGI-BIN files and they all seem to have appropriate dates (it was the dates on these files that alterted me).

I still can't get it running though, can I PM you that file (the bersion I edited) as you offered earlier please?

I've not used this forum much, is there a way of attaching it or do I just paste it into the conversation window?

Thanks for all the help, we seem to be getting there

Nick

rachaelseven · 11-26-2008 22:14:45

You're welcome, Nick, and I'd be happy to have a look at your file for you. Hit the PM link below my name and you'll get a composition window. Send me the cp-app.cgi file that is work, as well as the cp-admin.cgi file that isn't, and I'll see what I can do. Please use the [ c o d e ] and [ / c o d e] notation (without the extra spaces) around the code blocks to make it easier to read. You can follow he BBCode link here if you need to brush up on how to use those or other BBCode tags to make the message easier to follow. Thanks.

nickf · 11-27-2008 06:12:35

PM sent with scripts, thanks for the instructions on embedding code

Nick

rachaelseven · 11-27-2008 08:59:34

Hi Nick,

Your cp-admin.cgi script looks ok. The paths seem to be suitable and I couldn't find any syntax errors in the script. There is no more sign of malicious code or anything I can see that would keep it from running. At this point, all that's really left is check permissions again and then look for other problematic files. You might also check the server error log again to see if the error has changed. Last time, the error pointed straight at cp-admin.cgi and it was indeed the culprit. That script looks right now, so perhaps the error has cascaded down to the next file being called. initialize.pl would be a likely guess, but it could be several others also. What's the log say now?

nickf · 11-27-2008 15:57:09

Hi

The error log produces a set of 3 errors each time I try to open the admin page. These are them together with the time stamps. I've put a space between the 3 for clarity

Thu Nov 27 20:30:03 2008] [error] [client 86.146.136.135] failed to open log file /var/log/httpd/suexec_log, referer: http://www.horsingaroundsaddlery.co.uk/ccp51/admin/
[Thu Nov 27 20:30:03 2008] [error] [client 86.146.136.135] fopen: Permission denied, referer: http://www.horsingaroundsaddlery.co.uk/ccp51/admin/
[Thu Nov 27 20:30:03 2008] [error] [client 86.146.136.135] Premature end of script headers: cp-admin.cgi, referer: http://www.horsingaroundsaddlery.co.uk/ccp51/admin/

[Thu Nov 27 20:53:41 2008] [error] [client 86.146.136.135] failed to open log file /var/log/httpd/suexec_log, referer: http://www.horsingaroundsaddlery.co.uk/ccp51/admin/
[Thu Nov 27 20:53:41 2008] [error] [client 86.146.136.135] fopen: Permission denied, referer: http://www.horsingaroundsaddlery.co.uk/ccp51/admin/
[Thu Nov 27 20:53:41 2008] [error] [client 86.146.136.135] Premature end of script headers: cp-admin.cgi, referer: http://www.horsingaroundsaddlery.co.uk/ccp51/admin/

Any thoughts are welcome

Nick

nickf · 11-27-2008 16:11:09

SORTED!!!!

I Googled the last error message and got this

http://forums.theplanet.com/lofiversion … 61003.html

His final post was that an editor had added hard returns and that was breaking this script. I checked mine and that was the case as well. Went back to the hacked version and used notepad to edit it and remove the hack, saved it, and uploaded it and I can get at the admin panel again.

Many thanks to Rachael and everyone for the ideas.

Nick

rachaelseven · 11-27-2008 17:05:27

Great news! You are very welcome. I am very glad you were able to track the source of the problem and thank you very much for reporting it here for everyone's benefit!

nickf · 11-27-2008 17:11:28

I'm impressed with the quality of help here in the forums.

I've been using CCP51 for 4 years not and it's been very reliable.

I am not a professional programmer and have had no dealings with perl before so the hard returns caught me out.

Thanks again

Nick

Last edited by nickf (11-27-2008 18:17:43)

Kryptronic Software Support Forum

#1 11-21-2008 13:49:06

Admin page missing

#2 11-21-2008 14:21:26

Re: Admin page missing

#3 11-22-2008 08:04:48

Re: Admin page missing

#4 11-22-2008 09:14:24

Re: Admin page missing

#5 11-22-2008 11:05:14

Re: Admin page missing

#6 11-22-2008 17:03:22

Re: Admin page missing

#7 11-23-2008 12:00:09

Re: Admin page missing

#8 11-25-2008 04:24:16

Re: Admin page missing

#9 11-25-2008 23:50:03

Re: Admin page missing

#10 11-26-2008 14:33:39

Re: Admin page missing

#11 11-26-2008 15:31:11

Re: Admin page missing

Code:

Code:

#12 11-26-2008 15:38:31

Re: Admin page missing

#13 11-26-2008 15:39:13

Re: Admin page missing

#14 11-26-2008 15:42:48

Re: Admin page missing

#15 11-26-2008 15:44:20

Re: Admin page missing

#16 11-26-2008 17:12:03

Re: Admin page missing

#17 11-26-2008 22:14:45

Re: Admin page missing

#18 11-27-2008 06:12:35

Re: Admin page missing

#19 11-27-2008 08:59:34

Re: Admin page missing

#20 11-27-2008 15:57:09

Re: Admin page missing

#21 11-27-2008 16:11:09

Re: Admin page missing

#22 11-27-2008 17:05:27

Re: Admin page missing

#23 11-27-2008 17:11:28

Re: Admin page missing

Board footer