Topic: Being hammered with a hack, need guideance!

[Nicka]

Hello, I will paste here what I have pasted to my Hosting Provider.

Here's what we know so far. 2 weeks ago our forum was hacked by someone named "b4rt" who deleted our FTP files and uploaded his own custom index.html file. Immediately after that I ran patches for SIMPLE MACHINE FORUMS (CMS) 1.1.11 > 1.1.12 > 1.1.13 > 1.1.14 > 1.1.15 > 1.1.16 + patch. I also removed a ton of packages that are installed on the CMS like Custom Form Mod, Ultimate Profile, and a few others. Two night ago we had our second hack happen where they DID NOT delete FTP files but did upload an index.html with a new guys custom page. 5 mins after this was discovered I deleted it, they reuploaded it, this occurred 4-5x within one hour after initially happening. Tonight we have had our 3rd successful attempt at the hack. They uploaded a BLANK index.html file and I discovered "support.php" file in my /images/ directory that has never been there before. Upon further investigation I have found out this is a "Web Shell by boff" script in my FTP directory. I have browsed the entire FTP for any more files and have discovered none, I have also looked for any modified existing files, I have searched the database for any "<object / <script" tags and returned none. Some more details that have been taken care of on my side are as listed..

1) Changed the account/ftp/cpanel password 4x since the first hack.
2) Updated and scanned my personal PC with AVG pro / Malwarebytes / Hi-jack This and all results were negative.
3) I use WINSCP for log ins to the FTP from my machine.
4) Forum version: SMF 1.1.16 - Current SMF version: SMF 1.1.16 (OK)

I have also discussed the matter with the Senior Developer for podiatry.com and he's looked over the web shell script. Claims the script checks if the server is in safe mode, then allows access to upload files, change time staps, etc. Doing a bit of research on the source.php file that was discovered we have come to the following link:

SOURCE.PHP: pastebin.com/pCecNf1V
OSCOMMERCE forums.oscommerce.com/topic/364871-hacked-google-analytics-obh/


Thank You
Nick R.

SMF File          Your Version    Current Version
SMF Package   SMF 1.1.16          SMF 1.1.16
Sources           1.1.16         1.1.16
Default Templates1.1.12         1.1.12
Language Files   1.1.15         1.1.15
Current Templates1.1.12         1.1.12

Packages Installed:
Mod Name    Version    
1.    AJAX Instant Quick Reply    1.0.3
2.    Social Login Pro    1.1    
3.    SMF 1.1.15 Update    1.0    
4.    YouTube BBCode    2.6    
5.    Anti-Bot Registration Puzzles    1.2.0.1    
6.    SMF 1.0.21 / 1.1.13 Update    1.0    
7.    EzPortal    0.4.4a    
8.    Quick Moderation on Quick Reply    
9.    SMF 1.0.21 / 1.1.13 Update    
10.    SMF 1.1.14 Update    1.0
11.    SMF 1.0.20 / 1.1.12 Update    1.0    
12.    Treasury    1.04


Thank You to anyone for their kind help. This has plagued us for many weeks and we're a gaming community about fun. Sad to say we've made many enemies in the noble battle against hackers/cheaters.

Nick R.



p.s. since i tried adding links with this it blocked me from posting. If you need the pastebin link with the shell file, an info.php link thats on my web site, and the oscommerce discussion link about the shell file, please just ask.

[Ricky.]

The such kind of intrusion hacker generally found a way to upload file to your server using either weak script or may be compromised server security, once they are able to upload a file they have complete access to your server using that file and then they hide scripts clone or code somewhere, sometimes they even hid them off root www directory. I have faced few such situation, in one situation I was able to get rid of this only after I deleted that account and created new one, all new files , manually checked database .


PS: you can paste link without http etc in it.

[Nicka]

I have checked the entire FTP for any "unknown" files I haven't seen before. So far everything is in the clear. However I have been warned the shell script allows them access to insert code into previous files. I have ran a check on the database for any <script or <object code and found nothing. I have checked my folder permissions and seen that none where on world wide write.

The only weak "forms" I think could have possibly infected us would have been in the packages "Custom Form Mod or Ultimate Profile."

Thanks for you time. Hopefully I get hear back from some of the professionals here at SMF.


Cheers

[Nicka]

No help from the SMF team? Host is telling me it's a vulnerability in the CMS.

[busterone]

What is the CMS that you are using?  If you are referring to your portal, then it is out of date. You have EzPortal    0.4.4a and the newest is 0.6.0
I have no idea if there were any vulnerabilities in your version though. If you suspect there is, it would be better to post in the support topic for ezportal and allow the mod author to look into that.

[JimM]

Additionally I would think your host would be able to pinpoint the intrusion from the server access logs.  They should be able to determine the weakness by analyzing the logs.  If you are on a shared server, that is not properly secured, the hacker could have come in through one of the other sites with a vulnerability that allowed them to replace your files.  Were any other sites hacked?

[Ricky.]

No help from the SMF team? Host is telling me it's a vulnerability in the CMS.

You were looking for professionals, I thought I don't qualify