Hello, I will paste here what I have pasted to my Hosting Provider.
Here's what we know so far. 2 weeks ago our forum was hacked by someone named "b4rt" who deleted our FTP files and uploaded his own custom index.html file. Immediately after that I ran patches for Simple Machines Forum (CMS) 1.1.11 > 1.1.12 > 1.1.13 > 1.1.14 > 1.1.15 > 1.1.16 + patch. I also removed a ton of packages that were installed on the CMS, like Custom Form Mod, Ultimate Profile, and a few others. Two nights ago we had our second hack, where they DID NOT delete FTP files but did upload an index.html with a new guy's custom page. 5 mins after this was discovered I deleted it and they reuploaded it; this occurred 4-5x within one hour after initially happening. Tonight we have had the 3rd successful hack attempt. They uploaded a BLANK index.html file and I discovered a "support.php" file in my /images/ directory that has never been there before. Upon further investigation I have found out this is a "Web Shell by boff" script in my FTP directory. I have browsed the entire FTP for any more files and have discovered none; I have also looked for any modified existing files, and I have searched the database for any "<object / <script" tags and it returned none.
Some more details that have been taken care of on my side are listed below.
1) Changed the account/ftp/cpanel password 4x since the first hack.
2) Updated and scanned my personal PC with AVG Pro / Malwarebytes / HijackThis and all results were negative.
3) I use WinSCP for logins to the FTP from my machine.
4) Forum version: SMF 1.1.16 - Current SMF version: SMF 1.1.16 (OK)
I have also discussed the matter with the Senior Developer for podiatry.com and he's looked over the web shell script. He claims the script checks if the server is in safe mode, then allows access to upload files, change timestamps, etc. Doing a bit of research on the source.php file that was discovered we have come to the following link:
SMF File             Your Version    Current Version
SMF Package          SMF 1.1.16      SMF 1.1.16
Sources              1.1.16          1.1.16
Default Templates    1.1.12          1.1.12
Language Files       1.1.15          1.1.15
Current Templates    1.1.12          1.1.12
Packages Installed:
Mod Name Version
1. AJAX Instant Quick Reply 1.0.3
2. Social Login Pro 1.1
3. SMF 1.1.15 Update 1.0
4. YouTube BBCode 2.6
5. Anti-Bot Registration Puzzles 18.104.22.168
6. SMF 1.0.21 / 1.1.13 Update 1.0
7. EzPortal 0.4.4a
8. Quick Moderation on Quick Reply
9. SMF 1.0.21 / 1.1.13 Update
10. SMF 1.1.14 Update 1.0
11. SMF 1.0.20 / 1.1.12 Update 1.0
12. Treasury 1.04
Thank You to anyone for their kind help. This has plagued us for many weeks and we're a gaming community about fun. Sad to say we've made many enemies in the noble battle against hackers/cheaters.
P.S. Since I tried adding links with this, it blocked me from posting. If you need the pastebin link with the shell file, an info.php link that's on my web site, and the osCommerce discussion link about the shell file, please just ask.
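
One way to carry out the file checks described in the post (looking for added or modified files, and for scripts in directories such as /images/), given here as an added example that is not part of the original post. It assumes shell access to the host and a clean copy of the same SMF version unpacked next to the live web root; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example: file triage for a web root after a defacement.
# Paths and function names are hypothetical; adjust to the real layout.

# Compare the live web root against a clean copy of the same forum version.
# Prints "ADDED <file>" for files that exist only in the live tree and
# "CHANGED <file>" for files whose bytes differ from the clean copy.
# User uploads (attachments, avatars) will show as ADDED and need a manual look.
compare_to_clean_copy() {
    clean=$1
    live=$2
    ( cd "$live" && find . -type f -print ) | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "ADDED $f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            echo "CHANGED $f"
        fi
    done | sort
}

# List PHP-executable files in a directory that should hold only static
# assets, such as images/. Any hit deserves inspection.
find_scripts_in_static_dir() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print | sort
}

# Usage: sh triage.sh /path/to/clean-smf /path/to/live-webroot
if [ "$#" -eq 2 ]; then
    compare_to_clean_copy "$1" "$2"
    find_scripts_in_static_dir "$2/images"
fi
```

Files reported as CHANGED in Sources/ or the templates may also be legitimate edits made by installed mods, so compare them against the mod packages before treating them as tampering.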