Firstly I want to tell you a bit about the background.
I’ve got a little problem here and it seems like it began after a server attack that we have had here last week. We were using an old webshop (ok, not really using, but it was there) and someone have found a hole in it, uploaded some exploits and got a root. One thing he used was a script called suhosin.sh, that installed some kind of fake plugin and edited the php.ini, so that this plugin was executed every time a page was loaded. So far I could delete everything that I could find and blocked many holes on our server, but it seems like something is still wrong with php or apache or both or something else.
Now the problem is, that I have noticed, that some of html pages on a website shows blank page with a lenght of 0 in the http-header. The pages were generated by an eLearning platform called Ilias, so that could be simply uploaded to a server as an eLearning module, so they are all static and were showing up normally in the past, before the mentioned above happened, as well as they work on another server and localhost.
I first thought it was a php problem and tried to do something in php.ini, but nothing worked out good so far. Than I noticed following:
Strange thing is that as far as I remove
<?xml version="1.0" encoding="UTF-8"?>
from the very beginning of the page, it works! So that would probably have something to do with apache, that I don’t know why can’t show that kind of page, that it seems like is being recognized as xml.
I already tried to compare php.ini with the one on another server, I don’t really know where that kind of stuff can be configurated in apache or w/e, so I hope someone could help me to find the right direction, googling in all 3 languages that I “know” doesn’t help much. 🙁
And well, I want to apologise for my english, that’s the first time that I have to ask something like that, but am slowly getting a bit frustrated and getting out of time because of deadline…
Hope someone will help. If you want to know anything about the php or apache config or w/e, ask, I could provide almost everything.
Alex
Problem solved!
Could either be solved by:
1) “short_open_tag = Off” in php.ini
2) removing “AddType application/x-httpd-php .html” from .htaccess as well as /etc/apache2/httpd.conf
Thanks to everyone!
The
<?is one of the delimiters for PHP code. If they are static HTML pages, they should not be parsed by the PHP interpreter in the first place! Unluckily, there are just too many ways to tell Apache that certain file is PHP code, but chances are that you have an.htaccessfile somewhere with this code:However, you should really wipe out everything in your server and restore from either your local development copy of the software or a clean backup. There are just too many places where malware can hide.