Possible/Probable Hacker issue. I need help. :(

February 2nd, 2007, 01:37 AM   #1
daedreem (Member)
Join Date: Jan 2006
Location: Texas, Y'all.
Posts: 139
RESOLVED --Possible/Probable Hacker issue. I need help. :(

RESOLVED!!
==============================
I have a strange issue I need help with.
I'll explain it here, and then add in the coding involved in a reply, to get the original post out quicker and a bit shorter.

I use PHP on my website, for nothing else so far except to use includes, to make adding and changing content easier.

Recently, my site went down.
It goes down a lot, but usually I get 'page not displayed'.. but this time I got this:

Quote:
Warning: Unknown(): open_basedir restriction in effect. File(/home/cat/public_html/index.php) is not within the allowed path(s): (/home/catscra:/usr/lib/php:/usr/local/lib/php:/tmp) in Unknown on line 0

Warning: Unknown(/home/cat/public_html/index.php): failed to open stream: Operation not permitted in Unknown on line 0

Warning: Unknown(): open_basedir restriction in effect. File(/home/cat/public_html/index.php) is not within the allowed path(s): (/home/catscra:/usr/lib/php:/usr/local/lib/php:/tmp) in Unknown on line 0

Warning: Unknown(/home/cat/public_html/index.php): failed to open stream: Operation not permitted in Unknown on line 0

Warning: (null)(): Failed opening '/home/cat/public_html/index.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in Unknown on line 0

I contacted my support group, who told me no one else on the server was having a problem, and suggested I'd messed it up editing it.
After I explained I hadn't edited it since the last time it was down a week ago (problem on THEIR end), a day later they somehow got MOST of it up again... they are giving me no explanation of why it went down.
(the forum is still down, and they show no intention of fixing it.)
I still could not log into the cpanel... (admin control panel) and asked them to change my password just in case the problem was caused by a hacker... it took 4 times asking them to do so before they did it. (Boy I need a new host) meanwhile, I found a problem suggesting it was indeed hacker activity. (description below)

I can now log in and see the html, and I cannot find anything wrong... and the problem is very very odd and inconsistent.

I'm beginning to wonder if it's possible it's somehow on the server, maybe in the (I'm sorry.. I don't know the correct terminology for this... I'll try to get the point across..) programming that causes the server to read and execute php includes?

Here's a description of how it's working, with links.
You can refresh each page multiple times to see what I mean.

OK.
My website has a template which includes a menu to the left .. page contents center.. with an include that holds a rotating image script at the bottom of the main contents section (not currently working there... it is still working where it's inserted on other places though..), below that ad space for a banner exchange, with another row that just contains the words 'thank-you'.

The menu is fine everywhere, so that leaves this that I'll be referencing elsewhere..

CONTENTS: =A
(ROTATING IMAGE.. not there on all pages and not working) =B
========new table row--columns end==========
AD TRADE =C
---------
THANKS = still part of C.


This format is on my entire site, with the exception of the rotating image which is only on some pages... however the exact same included script that is currently not working in one place, IS working on another..

I got very specific about the makeup of the pages so I could show you this.

Part of the time the page shows right, as above... part of the time it has what I call link spam (not hot links, just text) in varying sections...

A is unaffected.
B - part of the time is blank.. nothing shows before the new table row..
- part of the time is spam.

C - part of the time is the correct Ads and thank-you..
- Part of the time is the Spam replacing both ads and thank-you sections.

Also making the problem inconsistent.. :
My site has 2 main sections.

The main site:
http://www.catscratches.net/


And my subsection for locals:
http://www.catscratches.net/bcssitters/index.php

EVERYTHING works fine (except the forum, but that's another story) on the main site... the top level... I refreshed repeatedly and visited every page there, and never saw the spam.

The problem is only happening on the subsection.

The subsection, where it includes the rotating image script, and the ad-trade script, PULLS the scripting from the top level... the exact same scripting as the top level uses... it doesn't pull it from the subsection...

The php pages in the subsection look exactly like I wrote them...
To make sure, I even edited the file, and deleted all the coding and replaced it with the coding from my backup on my machine.
(I couldn't just FTP the files back up.. because my host hasn't fixed my FTP access yet... grumble grumble)
I did that with the main page files, and followed the trail of includes replacing every one of them... despite the fact they were in the top level, and working fine for the top level.
I never found any errant coding.. and I've looked through every file I can think of where the problem would be... and it still isn't working right... I'm still getting part of the time what I SHOULD be getting, part of the time the spam.

It's random.. and the correct contents of those sections are random... but I can't find where it could be wrong in the coding..
As I stated, I'll post the coding in a moment in a reply... but I knew this description was going to be long and convoluted.. so I wanted to get it up here so you can mull it over first.. and hopefully give me an idea what's up.
--- EDIT... I thought I should add... the problem is exactly the same in both internet exploder and firefox.

Last edited by daedreem : February 16th, 2007 at 11:12 AM.

February 2nd, 2007, 01:47 AM   #2
daedreem
Here's the coding used in one affected page of the subsection.. since I can't find a problem, I'll include ALL of it.. not just the parts I'd think relevant in case I'm missing something..
Pardon the messiness..
I do plan to redo when I have time, to simplify it.
I changed the layout repeatedly when I was first getting the site up, until I liked it.. so it's a bit messy.

The page:
http://www.catscratches.net/bcssitters/bcssitters.php

BCSSitters.PHP -- the page that holds all of the includes.
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html>
  <head>
  <META HTTP-EQUIV="Pragma" CONTENT="no-cache">

    <!-- <base href="http://www.catscratches.net/"> -->
    <title>
      B/CS Sitters
    </title>
    <meta name="description" content="Bryan College Station Vacation House and Gentle Pet Sitters">
    <meta name="keywords" content="Bryan, College Station, Vacation, House, apartment, plant, Pet Sitter, B/CS,">
<link rel="shortcut icon" href="favicon.ico" >
<link rel="icon" href="animated_favicon1.gif" type="image/gif" >
<style type="text/css">

.opacityit img{
filter:progid:DXImageTransform.Microsoft.Alpha(opacity=70);
-moz-opacity: 0.7;
}

.opacityit:hover img{
filter:progid:DXImageTransform.Microsoft.Alpha(opacity=100);
-moz-opacity: 1;
}

<!--
A:link {text-decoration: none}
A:visited {text-decoration: none}
A:active {text-decoration: none}
A:hover {text-decoration: underline}
-->

</style>
  </head>
  <body bgcolor="#A3A3A3" background="http://www.catscratches.net/images/template/ppgranitebg.jpg" text="#5F5F5F" link="#996633" vlink="#737373">
    <div align="center">
<!-- TABLE BEGINS -->
      <table border="0" width="740" summary="Main Table" cellspacing="0" cellpadding="5" style="border: 1px solid Black;">
        <tr>
          <th valign="middle" colspan="3" style="background-color: #F1F1F1; border-bottom: 1px dotted Black;">
            <img src="http://www.catscratches.net/images/template/ppcslogo.gif" alt="CATscratches.NET">
            <br>
            <h1>
<!--   PAGE   TITLE  -->B/CS Sitters and Errands
            </h1>
          </th>
        </tr>
        <tr>
          <td width="15%" valign="top" style="background-color: #f1f1f1; border-right: 1px dotted;" align="center">

<!-- MENU INSERTION STARTS -->
     	            <? include 'bcsmenu.html'; ?>
<!-- MENU INSERTION STOPS -->
          </td>

          <td valign="top" align="left" width="75%" style="background-color: #f1f1f1;">
<!-- PAGE CONTENTS START -->
  
<!-- page INSERTION STARTS -->
     	            <? include 'bcssitters.html'; ?>
<!-- page INSERTION STOPS -->

<!-- begin random image -->
     	            <? include 'http://www.catscratches.net/myrandomtilecoding.html'; ?>
<!-- end random image -->

<!-- PAGE CONTENTS STOP -->       
          </td>
          <td width="10%" valign="top" style="background-color: #f1f1f1; border-left: 1px dotted;">
<!-- RIGHT COLUMN STARTS -->

         </td>
        </tr>
<!-- Google Adsense row STARTS -->       
        <tr>
        <td ALIGN="center" VALIGN="top" COLSPAN="3" STYLE="background-color: #f1f1f1; border-top: 1px dotted Black;">
<!-- Google Adsense INSERTION STARTS -->
     	            <? include 'http://www.catscratches.net/googleadsense.html'; ?>
<!-- Google Adsense INSERTION STOPS -->
        
        </td>
        </tr>
 <!-- Google Adsense row STOPS --> 
 
 <!-- LOCATION INSERTION STARTS for location specific webcoding -->
        <tr>
        <td ALIGN="center" VALIGN="top" COLSPAN="3" STYLE="background-color: #f1f1f1; border-top: 1px dotted Black;">
     	            
					 <? include 'http://www.catscratches.net/cslocation.html'; ?>
     	</td>
		</tr>

<!-- LOCATION INSERTION STOPS -->
        
      </table><!-- TABLE ENDS =-->
      <img src="http://www.catscratches.net/images/template/CAT.gif" alt="CAT image">
      </div>
  </body>
</html>
I'll skip the menu include...
The menu is right everywhere..

BCS Sitters.HTML - this include puts the pages main content into the main section, making it easy for me to edit without accidentally breaking my tables.
I almost didn't put this here, because I see no way the problem is here... skip this section if you want to.
Code:
<b>Bryan College Station Texas area residents.</B><br>
<br>
<dd><b>BCS Sitters</b> is proud to offer Vacation In-Home Pet Care and Housesitting.
One of the times your home is most vulnerable is when it is left empty for an extended period of time, even as little as a week. The best protection for your home or apartment during your absence is to have a house sitter, someone you can trust to care of your pets and/or plants in addition to making sure the house looks inhabited. BCS Sitters can help. We're lifelong residents of the Bryan College Station area, and can provide references on request.<br>
<br>
We'll be proud to make your vacation more relaxing by offering you:<br>
<br>
<b>Home/Garden Care</b><br>
<blockquote>
<UL>
             <LI> BCS Sitters will make your home look lived in, by picking up your papers and mail and bringing them into the home.
        </LI><LI> We'll water house and outdoor plants on the schedule given to us by you, even talk to them while we do so!
        </LI><LI> We will rotate which light(s) are left on at every visit.
        </LI><LI> If you wish, vehicles left behind can even be moved to differing parking positions.
        </LI><LI> If signs of an intruder or emergency (such as flood, fire or other calamity) are detected, we'll deal with necessary officials for you, and alert you at your provided emergency number, if applicable.
		</LI>
</UL>
</blockquote>

<b>Pet care, for your Treasured Pets.</b><br>
Depending on the pet in question, we can offer different levels of TLC.<br>
<blockquote><b>Gentle Pet Care</b><UL>
             <LI>Your beloved animals (Cats, Dogs, Iguanas, Crabs, Horses, Whatever they may be!) will be petted and loved on, talked too, and basically made to feel less alone.</li>
             <LI>Pets will be fed as specified by the owner, fresh water will always be available.</LI>
             <LI>Medical needs will be attended. (Shots and pills are no big deal- we deal with Diabetic kitties daily!)</LI>
             <LI>Animals needing walks will be given them.</LI>
             <LI>As needed, Litter trays will be cleaned.</LI>
        </UL>
</blockquote>
<blockquote><b>NON-Gentle Pet Care</b><br>
<UL>This will be on a case by case basis. We request one or more visits with you and your animals before plans have been finalized to determine the best route of care.<br>
             <LI>Penned Animals will be fed and watered, if it can be done safely.</LI>
             <LI>Unfriendly animals in the home, if they are the <i>'you keep your distance, I'll keep mine!'</i> type, will be fed and watered, and litter trays cleaned if needed.</LI>
             <LI>If your animals are the type to bite first and ask questions later, or need medication, and we are not able to befriend them before you leave, we will suggest an out of home solution, such as having them boarded by your Vet.</LI>

        </UL>
</blockquote>

<blockquote>
Email or call me with your wards and they'll be Promptly taken care of for you in an efficient, caring manner.
Reasonable rates, discount available for repeat business and Senior citizens. Email for rates and references.<br>
<img src="http://www.catscratches.net/images/EMailMe.png" alt="view image for contact information or use contact form on website"><br>
<img src="http://www.catscratches.net/images/CallMe.png" alt="view image for contact information, or use contact form on website"><br>
<br>
<br>
<font size="2"> <i>*Please provide as much notice as possible, to maximize our potential to help!</i>
</font></blockquote>
Continued below.

Last edited by daedreem : February 2nd, 2007 at 01:58 AM.

February 2nd, 2007, 01:56 AM   #3
daedreem
googleadsense.html
Contains actually
-a random ad from an ad exchange,
-a simple thank-you
-a google adsense ad... (forgot to mention this above.)

Code:
<!--e-bannerx.com code begin-->
<SCRIPT language=JavaScript type=text/javascript>
<!--
var rnd = Math.round(Math.random() * 10000000);
document.writeln('<IFRAME src="http://www.e-bannerx.com:8888/adrevolver/banner?place=17454&cpy='+rnd+'" width=468 height=60 scrolling=no allowtransparency=true frameborder=0 marginheight=0 marginwidth=0>\n');
document.writeln('<A href="http://www.e-bannerx.com:8888/adrevolver/href?place=17454&rnd='+rnd+'" target="_blank">\n');
document.writeln('<IMG src="http://www.e-bannerx.com:8888/adrevolver/banner?img&place=17454&rnd='+rnd+'" width=468 height=60 border=0 alt="e-bannerx.com" ismap></A></IFRAME>\n');
//-->
</SCRIPT><NOSCRIPT>
<IFRAME src="http://www.e-bannerx.com:8888/adrevolver/banner?place=17454&cpy=1" width=468 height=60 scrolling=no allowtransparency=true frameborder=0 marginheight=0 marginwidth=0>
<A href="http://www.e-bannerx.com:8888/adrevolver/href?place=17454&rnd=1000" target="_blank">
<IMG src="http://www.e-bannerx.com:8888/adrevolver/banner?img&place=17454&rnd=1000" width=468 height=60 border=0 alt="e-bannerx.com" ismap></A></IFRAME></NOSCRIPT>
<!--e-bannerx.com code end-->

      </td>
        </tr>
 <!-- ad STOPS --> 

 
 <!-- thanks STARTS -->
        <tr>

        <td ALIGN="center" VALIGN="top" COLSPAN="3" STYLE="background-color: #f1f1f1; border-top: 1px dotted Black;">
  THANKS FOR VISITING!
       </td>
        </tr>
 <!-- thanksSTOPS --> 
 <!-- google AD STARTS -->
        <tr>

        <td ALIGN="center" VALIGN="top" COLSPAN="3" STYLE="background-color: #f1f1f1; border-top: 1px dotted Black;">
     	           


<script type="text/javascript"><!--
google_ad_client = "pub-7140056325775173";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text";
google_ad_channel ="";
google_color_border = "CCCCCC";
google_color_bg = "FFFFFF";
google_color_link = "000000";
google_color_url = "666666";
google_color_text = "333333";
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>

<script type="text/javascript"><!--
google_ad_client = "pub-7140056325775173";
google_ad_width = 110;
google_ad_height = 32;
google_ad_format = "110x32_as_rimg";
google_cpa_choice = "CAAQ2ZCazgEaCCvPXrFfpg_0KPmNxXQ";
//--></script>
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>


Here's a last section I forgot to mention in the 'map' I gave you above...
it's also used on my entire site, files on the top level, correct on the top level, randomly right and randomly spam in the subsection.



CS location.html
Code:
<!--FreeWebs FreeBar Code Begin-->
<!--#include virtual="/Include/tracker"-->
<!--FreeWebs FreeBar Code End-->
I believe that's everything used in that page, except for the menu.. (which I looked at, and IS right, in addition to being the one place on the page that IS always right...)

Any ideas anyone??

I'm baffled as to what's going on...
Does my server maybe have a virus?

February 3rd, 2007, 03:47 AM   #4
daedreem
No ideas yet, anyone?

February 3rd, 2007, 09:49 AM   #5
Iturea (Banned)
Join Date: Jan 2004
Location: Earth
Posts: 420

Quote:
Originally Posted by daedreem
No ideas yet, anyone?

Just for the future a simple google search can help you resolve most errors you need resolved right away. I don't mind helping, don't get me wrong, but just wanted to let you know a faster solution for help with this type of problem...

I simply searched:

open_basedir restriction in effect

and I found: http://www.sixapart.com/movabletype/...asedir_re.html

Share this with your hosting company and they should be able to help you resolve the issue.

February 3rd, 2007, 02:16 PM   #6
daedreem
Quote:
Originally Posted by Iturea
Just for the future a simple google search can help you resolve most errors you need resolved right away. I don't mind helping, don't get me wrong, but just wanted to let you know a faster solution for help with this type of problem...

I simply searched:

open_basedir restriction in effect

and I found: http://www.sixapart.com/movabletype/...asedir_re.html

Share this with your hosting company and they should be able to help you resolve the issue.

Hi Iturea..
Thanks for the answer.. but that's not the problem I was having.

Are you getting that now?
I'm not getting anything.
My hosting company was planning to move my site to a new server this weekend..
They must have already started, despite the fact I told them that I didn't want them to bring down my old site until they had it transferred to the new one, and it WASN'T transferred... (sigh)

I'll let y'all know when it's back up, so that you can help with the issue I couldn't figure out.

As stated in my posts above, the problem I had was that my website was showing, but random bits of it were being replaced by tons of 'not mine' website addresses...
mostly blogs...

time to yell at my hosts for bringing down my site when I'd told them the copy of the site they'd supposedly put on the new server wasn't there.
(sigh)
I REALLY need a new host.

PS... I do not know how to search for error "random bits of site being replaced by tons of 'not mine' website addresses..."

PPS... here is the supposed location of the copy of my website.
I'll be away from my computer today.. but IF they actually LISTEN to me for once and get the site actually PUT there, you will be able to see the site, and supposedly the problem, here.
-- Edit..
The host has changed the destination website during my emails to them to let them know nothing was there, and neglected to tell me they had changed it.. (sigh)
http://70.86.9.114/~cat/
parts of the site DID get moved to here, but they missed lots of files.

I have changed the forwarding of my domain to here, but don't bother checking it out for a while... as too much of the site is missing to do any diagnostic...

HOPEFULLY if the problem causing my link-spam was on the server, instead of my site, the problem will not transfer here anyway.

I'll let you know when everything is back up if the case is resolved, or if the link-spam moved along with everything else.

Last edited by daedreem : February 3rd, 2007 at 03:33 PM.

February 16th, 2007, 11:11 AM   #7
daedreem
Update..
Thanks for any help offered here.

Just updating to let you know, once I FINALLY got my site back up and running after the server move... which included making them change my username back to what it was before they decided to change it when I asked them to change my password, in order to get my forum running again... everything's working OK.

I haven't seen any of the 'link spam' again... so I think it actually WAS being inserted into my site by the server.
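
Added example, not part of the thread or the site's own code: a small Python audit that lists each `include` in the posted BCSSitters.PHP template and marks the ones PHP fetches over HTTP instead of reading from disk, which are the includes for the sections the thread reports as intermittently replaced. The `own_hosts` parameter, the finding labels and the suggested `$_SERVER['DOCUMENT_ROOT']` rewrite are assumptions of this example.

```python
"""Audit PHP templates for include/require targets that are fetched by URL."""
import re
from urllib.parse import urlparse

# include / require / *_once followed by a quoted literal, with or without
# parentheses. SSI directives such as <!--#include virtual="..."--> do not match.
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\b\s*\(?\s*(['"])(?P<target>[^'"]+)\1""",
    re.IGNORECASE,
)
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}

# Include lines excerpted from the BCSSitters.PHP template posted in the thread.
TEMPLATE = """\
<? include 'bcsmenu.html'; ?>
<? include 'bcssitters.html'; ?>
<? include 'http://www.catscratches.net/myrandomtilecoding.html'; ?>
<? include 'http://www.catscratches.net/googleadsense.html'; ?>
<? include 'http://www.catscratches.net/cslocation.html'; ?>
"""


def audit_includes(php_source, own_hosts=()):
    """Return one finding per include statement found in php_source.

    own_hosts (an assumption of this example) lists hostnames that serve the
    same document root, so a URL include can be rewritten as a disk read.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in INCLUDE_RE.finditer(line):
            target = match.group("target")
            url = urlparse(target)
            kind, suggest = "local", None
            if url.scheme.lower() in REMOTE_SCHEMES:
                if (url.hostname or "").lower() in own:
                    kind = "remote-same-site"
                    # Assumes the URL path maps directly onto the document root.
                    suggest = "include $_SERVER['DOCUMENT_ROOT'] . '%s';" % url.path
                else:
                    kind = "remote-third-party"
            findings.append(
                {"line": lineno, "target": target, "kind": kind, "suggest": suggest}
            )
    return findings


def remote_targets(findings):
    """Targets whose content arrives over the network rather than from disk."""
    return [f["target"] for f in findings if f["kind"] != "local"]


if __name__ == "__main__":
    for f in audit_includes(TEMPLATE, own_hosts={"www.catscratches.net"}):
        print("line %(line)d  %(kind)-18s %(target)s" % f)
        if f["suggest"]:
            print("        read from disk instead: " + f["suggest"])
```

A URL include returns whatever the web server renders for that address, so anything added at the server or network layer ends up in the page. A file that relies on server-side processing, such as the SSI directive in cslocation.html, renders differently once it is read from disk.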