Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: DjProgressive on February 05, 2013, 04:13:45 PM

Title: index.template.php hacked
Post by: DjProgressive on February 05, 2013, 04:13:45 PM
Hey everyone, I had a topic before but it's marked solved. Previous topic URL: http://www.simplemachines.org/community/index.php?topic=496153.0
It happened again, but this time the hacker changed it to "hacked by bla bla bla". I think they do it from an admin login? I removed all other admins and moved them to another group, so they have no access. Changed my passwords also. From the raw logs I found these. Can someone check them to see if there is anything important there? Or any ideas how it got hacked?


188.181.59.9 - - [05/Feb/2013:09:13:43 -0500] "GET /index.php?action=viewsmfile;filename=latest-news.js HTTP/1.1" 200 3201 "http://www.****.com/index.php?action=admin" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
5.248.83.134 - - [05/Feb/2013:09:13:45 -0500] "GET /index.php HTTP/1.0" 200 29637 "http://www.****.com/index.php" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
188.181.59.9 - - [05/Feb/2013:09:13:49 -0500] "GET /index.php?action=admin;area=theme;sa=admin;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f HTTP/1.1" 200 6100 "http://www.****.com/index.php?action=admin" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
188.181.59.9 - - [05/Feb/2013:09:13:49 -0500] "GET /index.php?action=viewsmfile;filename=latest-themes.js HTTP/1.1" 200 2539 "http://www.****.com/index.php?action=admin;area=theme;sa=admin;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
188.181.59.9 - - [05/Feb/2013:09:13:53 -0500] "GET /index.php?action=admin;area=theme;sa=edit;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f HTTP/1.1" 200 4703 "http://www.****.com/index.php?action=admin;area=theme;sa=admin;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
188.181.59.9 - - [05/Feb/2013:09:13:56 -0500] "GET /index.php?action=admin;area=theme;th=9;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f;sa=edit HTTP/1.1" 200 5055 "http://www.****.com/index.php?action=admin;area=theme;sa=edit;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
188.181.59.9 - - [05/Feb/2013:09:13:59 -0500] "GET /index.php?action=admin;area=theme;th=9;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f;sa=edit;filename=index.template.php HTTP/1.1" 200 10176 "http://www.****.com/index.php?action=admin;area=theme;th=9;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f;sa=edit" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
5.248.83.134 - - [05/Feb/2013:09:14:06 -0500] "GET /index.php?PHPSESSID=092a6b2344aa1a6fb79faacbd63c7127&action=register HTTP/1.0" 200 9599 "http://www.****.com/index.php?PHPSESSID=092a6b2344aa1a6fb79faacbd63c7127&action=register" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
66.249.75.124 - - [05/Feb/2013:09:14:06 -0500] "GET /index.php?topic=116628.430 HTTP/1.1" 200 6370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
5.248.83.134 - - [05/Feb/2013:09:14:07 -0500] "POST /index.php?action=register HTTP/1.0" 200 13345 "http://www.****.com/index.php?PHPSESSID=092a6b2344aa1a6fb79faacbd63c7127&action=register" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
5.248.83.134 - - [05/Feb/2013:09:14:09 -0500] "GET /index.php?action=verificationcode;vid=register;rand=0b31c78b4ce2898753f84458494906fe HTTP/1.0" 200 2645 "http://www.****.com/index.php?PHPSESSID=092a6b2344aa1a6fb79faacbd63c7127&action=register" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
5.248.83.134 - - [05/Feb/2013:09:14:10 -0500] "GET /index.php?action=verificationcode;vid=register;rand=0b31c78b4ce2898753f84458494906fe HTTP/1.0" 200 2400 "http://www.****.com/index.php?PHPSESSID=092a6b2344aa1a6fb79faacbd63c7127&action=register" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
5.248.83.134 - - [05/Feb/2013:09:14:14 -0500] "POST /index.php?action=register2 HTTP/1.0" 200 5442 "http://www.****.com/index.php?PHPSESSID=092a6b2344aa1a6fb79faacbd63c7127&action=register" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
188.181.59.9 - - [05/Feb/2013:09:14:15 -0500] "POST /index.php?action=admin;area=theme;th=9;sa=edit HTTP/1.1" 302 26 "http://www.****.com/index.php?action=admin;area=theme;th=9;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f;sa=edit;filename=index.template.php" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
188.181.59.9 - - [05/Feb/2013:09:14:15 -0500] "GET /index.php?action=admin;area=theme;th=9;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f;sa=edit;directory=. HTTP/1.1" 200 1016 "http://www.****.com/index.php?action=admin;area=theme;th=9;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f;sa=edit;filename=index.template.php" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
188.181.59.9 - - [05/Feb/2013:09:14:18 -0500] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
5.248.83.134 - - [05/Feb/2013:09:14:39 -0500] "GET /index.php?PHPSESSID=092a6b2344aa1a6fb79faacbd63c7127&action=login HTTP/1.0" 200 1708 "http://www.****.com/index.php?PHPSESSID=092a6b2344aa1a6fb79faacbd63c7127&action=login" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
5.248.83.134 - - [05/Feb/2013:09:14:45 -0500] "GET /index.php?action=login HTTP/1.0" 200 1708 "http://www.****.com/index.php?action=login" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
173.199.120.155 - - [05/Feb/2013:09:14:54 -0500] "GET /index.php/board,11.0/sort,views.html HTTP/1.1" 200 1016 "-" "Mozilla/5.0 (compatible; AhrefsBot/4.0; +http://ahrefs.com/robot/)"
66.249.78.132 - - [05/Feb/2013:09:14:54 -0500] "GET /index.php?topic=88382.1550 HTTP/1.1" 200 1016 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
5.248.83.134 - - [05/Feb/2013:09:15:08 -0500] "GET /index.php?action=login HTTP/1.0" 200 1708 "http://www.****.com/index.php?action=login" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
5.248.83.134 - - [05/Feb/2013:09:15:35 -0500] "GET /index.php HTTP/1.0" 200 1708 "http://www.****.com/index.php" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.02"
173.199.120.155 - - [05/Feb/2013:09:15:35 -0500] "GET /index.php/topic,109710.160.html HTTP/1.1" 200 1016 "-" "Mozilla/5.0 (compatible; AhrefsBot/4.0; +http://ahrefs.com/robot/)"
173.199.120.155 - - [05/Feb/2013:09:15:37 -0500] "GET /index.php/topic,88382.1750.html HTTP/1.1" 200 1016 "-" "Mozilla/5.0 (compatible; AhrefsBot/4.0; +http://ahrefs.com/robot/)"
66.249.78.132 - - [05/Feb/2013:09:15:44 -0500] "GET /index.php?topic=88382.160 HTTP/1.1" 200 1016 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
188.181.59.9 - - [05/Feb/2013:09:15:54 -0500] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
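
The admin theme-editor activity in the lines above can be pulled out of the noise with this added Python example (not code from the thread or from SMF); it assumes Apache combined log format and embeds a condensed, constructed copy of the poster's lines as sample input.

```python
import re
from datetime import datetime
# Constructed sample, condensed from the first post's log excerpt (user agents shortened).
SAMPLE_LOG = """\
5.248.83.134 - - [05/Feb/2013:09:13:45 -0500] "GET /index.php HTTP/1.0" 200 29637 "http://www.****.com/index.php" "Opera/9.80"
188.181.59.9 - - [05/Feb/2013:09:13:59 -0500] "GET /index.php?action=admin;area=theme;th=9;b3e3cc9=f54057b5f790cb8855a3b0bbc95a8a6f;sa=edit;filename=index.template.php HTTP/1.1" 200 10176 "http://www.****.com/index.php?action=admin" "Mozilla/5.0"
188.181.59.9 - - [05/Feb/2013:09:14:15 -0500] "POST /index.php?action=admin;area=theme;th=9;sa=edit HTTP/1.1" 302 26 "http://www.****.com/index.php?action=admin" "Mozilla/5.0"
188.181.59.9 - - [05/Feb/2013:09:14:18 -0500] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/5.0"
5.248.83.134 - - [05/Feb/2013:09:15:35 -0500] "GET /index.php HTTP/1.0" 200 1708 "http://www.****.com/index.php" "Opera/9.80"
"""
# Apache combined format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another format are skipped
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["size"] = int(e["size"].replace("-", "0"))
            entries.append(e)
    return entries

def smf_params(path):
    """SMF separates query parameters with ';' as well as '&' (action=admin;area=theme)."""
    query = path.split("?", 1)[1] if "?" in path else ""
    return dict(p.split("=", 1) for p in re.split(r"[;&]", query) if "=" in p)

def theme_file_writes(entries):
    """POSTs that save a file via the admin theme editor: (time, ip, theme id, status).
    The GETs only open the editor; the 09:14:15 POST is the write that changed the file."""
    hits = []
    for e in entries:
        p = smf_params(e["path"])
        if e["method"] == "POST" and p.get("action") == "admin" and p.get("area") == "theme" and p.get("sa") == "edit":
            hits.append((e["ts"], e["ip"], p.get("th"), e["status"]))
    return hits

def front_page_size_change(entries):
    """Largest front-page response before the first theme write versus after it; the
    drop from 29637 to 1708 bytes is consistent with index.template.php being replaced."""
    writes = theme_file_writes(entries)
    if not writes:
        return None
    cut = writes[0][0]
    front = [e for e in entries if e["method"] == "GET" and e["path"] in ("/", "/index.php")]
    before = [e["size"] for e in front if e["ts"] < cut]
    after = [e["size"] for e in front if e["ts"] > cut]
    return (max(before) if before else None, max(after) if after else None)
```

Run it over the full access log to list every theme-editor save with its source IP and time, then check whether the saving IP belongs to one of your two admins.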

Title: Re: index.template.php hacked
Post by: Dzonny on February 05, 2013, 06:39:19 PM
Hello there.

Did you update your forum to the 2.0.4 version?

You should consider taking some steps in order to improve the security status of your server. Do you have anonymous logins offered for the FTP server, maybe?
Did you report the possible hack to your host's support?

Title: Re: index.template.php hacked
Post by: DjProgressive on February 06, 2013, 09:02:05 AM
Sorry, forgot to mention. The forum is 2.0.4. Reported it to my server; they investigated and found nothing. I guess this happens from the admin panel of SMF. Like I said, I removed all other admins and will see what happens.

Title: Re: index.template.php hacked
Post by: Kindred on February 06, 2013, 09:05:49 AM
Unless you have some further evidence, I don't think that you can blame SMF...

If you have been hacked before, I would bet that the hacker left some package behind, hidden in a sub-sub-sub-sub directory that basically allows him to get in and modify files any time he wants.

Title: Re: index.template.php hacked
Post by: DjProgressive on February 06, 2013, 05:45:12 PM
I'm not blaming SMF :) I was thinking the hacker did it from one of the admin logins and from Themes and Layout Settings. That's why I gave the raw logs here; maybe there is something in there.
This one looks suspicious to me:
action=admin;area=theme;

I have only 2 admins and none of us went to the theme settings. That's why I changed my password and moved my other 2 admins to a different group. Now I'll wait and see what happens.

Edit: Any tips for "I would bet that the hacker left some package behind"? What should I look for? Can you filter it for me, for example 500 bytes or blabla.php etc.? Thanks.

Title: Re: index.template.php hacked
Post by: Kindred on February 06, 2013, 06:27:03 PM
No... they're all different. But they usually bury the back doors deep in the directory structure, so my suggestion is to go through every directory, especially looking for PHP files in an image directory or extra directories which don't make sense.
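
An added example (not Kindred's or SMF's own code) that automates the directory walk suggested above: it flags PHP files under image or upload directories, image files whose content starts with a PHP tag, and PHP files in hidden or unusually deep directories. The directory-name list, the depth threshold and the stub-size limit are assumptions to adjust for your install.

```python
import os
# Upload/image directories of a stock SMF 2.0 install (attachments, avatars, Smileys,
# custom_avatar and the theme images folders); an assumption, extend for your host layout.
IMAGE_DIRS = {"images", "avatars", "attachments", "smileys", "custom_avatar", "img"}
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico"}
MAX_SANE_DEPTH = 4     # assumption: stock SMF code sits at most this many directories down
STUB_MAX_BYTES = 1024  # assumption: SMF's own anti-listing index.php stubs are tiny

def classify(relpath, head=b"", size=0):
    """Reason string if relpath (relative to the forum root) looks planted, else None.
    head is the first bytes of the file and size its length, when the caller has them."""
    parts = relpath.replace("\\", "/").split("/")
    name, dirs = parts[-1], parts[:-1]
    ext = os.path.splitext(name)[1].lower()
    lowered = {d.lower() for d in dirs}
    is_php = ext in PHP_EXTS
    # SMF ships a few-line index.php in every directory to block listings; only a big one is odd.
    if is_php and lowered & IMAGE_DIRS and not (name == "index.php" and size <= STUB_MAX_BYTES):
        return "php file inside an image/upload directory"
    if ext in IMAGE_EXTS and head.lstrip().startswith(b"<?"):
        return "image extension but the content starts with a PHP tag"
    if is_php and any(d.startswith(".") for d in dirs):
        return "php file under a hidden dot-directory"
    if is_php and len(dirs) > MAX_SANE_DEPTH:
        return "php file buried unusually deep in the tree"
    return None

def scan_tree(root):
    """Walk a forum install and return [(relpath, reason)] for every flagged file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(full)
                with open(full, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                head, size = b"", 0
            reason = classify(os.path.relpath(full, root), head, size)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {rel}")
```

Review every hit against a clean copy of the same SMF version, since the scan only narrows the search and a planted file can also sit in a normal-looking directory.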