So I just noticed my forum got hacked. (base64_decode)

checkmater:
I think you can just download all of your files and use any editing software (like Dreamweaver), searching for that line and replacing it with nothing (Dreamweaver can look in every file for the line and replace it, autosaving the changes; very easy to do), but I suggest you upgrade to the latest version.

Greetings!

K@:
You could restore your latest backup...

comedorsamus:
So I erased that code from some php files, browsed through the whole board and everything seems to be working fine, no redirects so far.

http://sitecheck.sucuri.net/scanner/ This site was reporting my board as infected, not anymore. Now waiting for Google Webmaster to give me an update. Problem is, many php files still have that line.

Also, I noticed a few files have "666" permission (index.php~, ssi_examples.php~, SSI.php~), I did some search and apparently this is not a problem?

Changed all my passwords and decided to not store any login info on FileZilla.


--- Quote from: SikLiFe on April 29, 2012, 12:25:20 AM ---is there a reason why you haven't upgraded to 2.0.2?
--- End quote ---
I'm not really familiar with such things, so I'm kinda scared of updating.


--- Quote from: checkmater on April 29, 2012, 12:27:59 AM ---I think you can just download all of your files and use any editing software (like Dreamweaver), searching for that line and replacing it with nothing (Dreamweaver can look in every file for the line and replace it, autosaving the changes; very easy to do), but I suggest you upgrade to the latest version.

Greetings!

--- End quote ---
This just might be the solution, not really the best but I'll try, thanks!


--- Quote from: Colin on April 29, 2012, 12:01:34 AM ---Yep, this has been happening to many other forums.

--- End quote ---
Including WordPress, but now they have a script that erases the malicious line from all php files. I noticed SMF released a similar fix in the past. (can't find the link now, meh)


--- Quote from: ApplianceJunk on April 29, 2012, 12:19:51 AM ---You would lose any custom work to themes and mods.
--- End quote ---
This. And I have four themes with tweaks here and there. :/ Yet another reason why I don't want to update.


--- Quote from: K@ on April 29, 2012, 09:16:29 AM ---You could restore your latest backup...

--- End quote ---

MrPhil:
Do NOT use Dreamweaver to edit PHP code. It's very easy to get tangled up in the wrong mode, or not be aware of stuff that DW is doing behind your back. Learn to use a standard code editor (flat text file editor) such as Vim or Notepad++, and an FTP client such as FileZilla to upload and download. Your hosting service's control panel > file manager should have a built-in simple editor, which should be adequate for the purpose. It's probably easiest just to do it manually, file by file. As there are a number of different attacks that have been used against SMF files, it's probably not worth trying to write a general utility.

Do NOT overwrite your files with a fresh copy (Large Update) unless you don't mind losing all mods and themes. This will not wipe out your avatars and attachments. Restoring a backup will often lose recent avatars and attachments, but if you know how the restore works, it might do the job for you (especially if you limit it to restoring .php files).

After getting cleaned up, you have two tasks:

* Make sure you do not have any unaccounted-for files hanging around that might be back doors or Trojans, that a hacker uses to gain entry. If in doubt, rename it and see if your forum still works right.
* Find out how the hacker got in. You're a bit back-level on your SMF version, so it's possible the hacker exploited some known security hole in that version. Look at your site access logs, and consult with your host. Just for extra safety, scan all PCs used to administer your site for spyware (especially keystroke loggers and password sniffers), turn on their firewalls, and change all passwords (site access, FTP, admin account, maybe even the database).

K@:
If it helps, I got this hack, ages ago.

I used Textpad and I used the macro thingy, with that, along with an "autoit" script, to edit each file, without all that tedious loading/editing/saving crap.

Sadly, I deleted the script and the macro. Should be easy enough to work out, though.
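
Added example, not part of the thread or of SMF: a read-only Python audit for the clean-up steps discussed above. It flags PHP lines that pass base64_decode() output to eval() (an assumed shape, since the thread never quotes the injected line), world-writable files such as the 666 ones mentioned, and editor backup copies ending in ~; the sample tree and the function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: the injected line wraps base64_decode() in eval(); the thread
# names base64_decode but never quotes the line itself.
SUSPECT = re.compile(rb"eval\s*\(\s*(?:@\s*)?base64_decode\s*\(", re.I)

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs; nothing is modified."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (%o)" % stat.S_IMODE(mode)))
            if name.endswith("~"):
                findings.append((rel, "editor backup copy"))
            if not name.lower().endswith((".php", ".php~")):
                continue
            with open(path, "rb") as fh:
                for lineno, line in enumerate(fh, 1):
                    if SUSPECT.search(line):
                        findings.append((rel, "eval(base64_decode( on line %d" % lineno))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; the base64 string is the word PLACEHOLDER."""
    files = {
        "index.php": b"<?php eval(base64_decode('UExBQ0VIT0xERVI=')); ?>\n<?php require 'SSI.php';\n",
        "SSI.php": b"<?php\n$img = base64_decode($row['data']);\n",  # benign use, not flagged
        "index.php~": b"<?php // old copy\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, name), 0o644)
    os.chmod(os.path.join(root, "index.php~"), 0o666)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in audit_tree(tmp):
            print(rel, "->", finding)
```

Run it against a downloaded copy of the forum directory by calling audit_tree() on that path; each hit still needs a manual look before any line is removed.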
