The Simple Machines Team has recently identified and patched an attack against all versions of SMF. The development team has fixed the underlying issue to ensure this type of attack can not re-occur. SMF 1.0.17, SMF 1.1.9 and SMF 2.0 RC1.1, have been released as a result.
Symptoms of an infected forum may include:
- A member with a very small (1x1 pixels) white avatar with .jpg extension
- Random spam links in the theme that can be found by viewing the source in your browser
- An extra theme being added to the database, usually with ID = 32
To better aid our users, we have created a tool to enable clean up of an infected site. This tool can be run on any SMF forum. It should remove the infection code from any files that happened to be hit. It also raises flags on the following
possible files/matches:
- Those mentioned in the exploit source
- Fully numeric .php filenames
- No-extension filenames (doesn't match directories)
If you are not sure if you have been hit, please do try out the tool. If you feel you are still infected after using the tool, please create a support topic for one of our support team to assist you.
This tool works with all SMF versions.
You can find the updates at http://download.simplemachines.org/
Thank you,
The Simple Machines Team
To use this file:
- Make a backup of your forum's files and database. If you do not know how or are not allowed, ask your host for help.
- Upload the attached file to your forum's directory (alongside SSI.php and index.php)
- Open the file in your browser (http://www.yourforum.com/kb_scan.php)
- If any rows are red, they're exploited. Click the "click here" link to attempt to fix them.
- If any rows are orange, they might be from the infection. These are not files from a default installation of SMF, and they match those that the infection might create. Be careful when deleting these, though!
- Green rows are safe :)
- If a database infection was found, a box will pop up telling you so. Check your {db_prefix} themes table for anything with an id_theme of 32, or a value starting with ./ or ending with \0 or a diamond. These might be rows that were affected by the attack. Add ?noquery to the end of the URL if the database check is timing out, and it won't scan it for you.
- If you need to use this from the base of your site (for example, if files outside of your forum's directory are showing symptoms too), all you need to do is change the path to SMF's SSI.php at the top of kb_scan.php when you upload it to your site's base directory, and it will work as expected, and scan your whole site.
If you have any questions, please start a new topic