Support community for TTG plugins and products.
NOTICE
The Turning Gate's Community has moved to a new home, at https://discourse.theturninggate.net.
This forum is now closed, and exists here as a read-only archive.
Every few days, I have a failure on my site, which manifests itself when I load any of the top level pages:
Something went wrong
Unexpected error: unserialize(): Error at offset 0 of 18 bytes in .42ff19c8.ico(2) : runtime-created function on line 4
Please report error at http://community.theturninggate.net
If I run the "update album files" function it is repaired for some amount of time. But it returns (possibly as soon as overnight). I just verified that (by updating album files) so don't bother looking today (03-30-2020). I will reply as soon as I see it do it again.
My site is https://www.lightsmithy.com
If you select any of the top level pages from the menu, it will re-occur (probably by tomorrow morning). For example, any of the first level items under "places", for example: https://www.lightsmithy.com/collections/parks/ (it does error when going to the URL directly as well).
I have reinstalled 'all' and made sure it is up to date.
I am guessing this is not actually a Backlight issue, but something my host is doing. I need a clue of what to point them at.
Thanks!
Last edited by scottfrey (2020-03-31 08:29:07)
Update. Did some digging and found some odd PHP files.
In addition (despite having favicon turned off everywhere), my site is littered with files that have names like the above: .42ff19c8.ico
and cracking them open with BBEdit, they all start with <?php
Presumably these are malicious and I should whack them.
If support could confirm they are not part of Backlight, I will whack them promptly.
Last edited by scottfrey (2020-03-31 11:40:11)
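A check for the pattern described in this post, as an added example that is not part of the original thread or of Backlight: it walks a web root and lists files with image extensions whose first bytes contain a PHP open tag, together with their modification times. It generalizes from .ico to other image types; the extension list, function names and sample tree are assumptions constructed for illustration.

```python
import os
import sys
import tempfile
import time

IMAGE_EXTS = {".ico", ".png", ".jpg", ".jpeg", ".gif"}  # assumption: static-only types

def carries_php(path, probe=512):
    """True if a PHP open tag appears in the first `probe` bytes of the file."""
    try:
        with open(path, "rb") as fh:
            return b"<?php" in fh.read(probe).lower()
    except OSError:  # unreadable file: report nothing rather than crash
        return False

def scan(webroot):
    """Return sorted (relative path, is_dotfile, mtime) for image-named PHP files."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue  # real .php scripts are expected to contain PHP
            full = os.path.join(dirpath, name)
            if carries_php(full):
                rel = os.path.relpath(full, webroot)
                hits.append((rel, name.startswith("."), os.path.getmtime(full)))
    return sorted(hits)

def make_sample_tree(root):
    """Constructed sample: one disguised file, one real icon header, one script."""
    os.makedirs(os.path.join(root, "collections", "parks"))
    samples = {
        "collections/parks/.42ff19c8.ico": b"<?php /* constructed placeholder */ ?>",
        "favicon.ico": b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 16,
        "index.php": b"<?php echo 'ok';",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        # With no argument, scan the constructed sample tree instead of a real site.
        target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree(demo)
        for rel, hidden, mtime in scan(target):
            stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
            print(f"{stamp}  {'hidden ' if hidden else ''}{rel}")
```

Run it with the web root as its argument; comparing the modification times with when the error comes back shows whether files are still being written.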
Hi Scott, that looks very much like your site has been hacked. If the files keep reappearing then the vulnerability is still there.
Do you run WordPress anywhere on your server? That's a very common entry point for hackers.
Can you provide me with FTP access via email, so that I can see if there's anything obvious that needs removing or fixing?
I'd be keen on seeing one of the ico files. They probably can't be emailed though, since Gmail will flag them as malicious.
Indeed, there is a compromised WordPress site on the same server. The host also discovered that PHP 5.4 was not removed when PHP 7 was installed (5.4 was still available from the CLI), so that probably explains that.
@Ben, I’ll save you a sample. I could probably send it via encrypted zip file. Can I find your email address here somewhere? Otherwise, I can zip it and post a link.
There's a link to Ben's email address in his post signature above.
Rod
Just a user with way too much time on his hands.
www.rodbarbee.com
ttg-tips.com, Backlight 2/3 test site