I have recently had my SMF 1.1.8 board hacked. I have recently seen an increase in automatically registered accounts, and a couple of automated spam posts, so I have been monitoring a little closer lately. When suddenly lots of avatars went missing, I knew something was up.
All .php files under /www/ had this line injected at the top of the file:
The above base64 hash decodes to what is in the attached decoded_injection.php
It in turn calls the main hack file, in my case called style.css.php - in my case this was placed in a subdirectory of an outdated phpMyAdmin install, quite possibly their point of entry for the exploit. I guess this file can be named copper.php or whatever in other circumstances.
This style.css.php file was a 170kb file with a huge base64 hash. It decoded to approx 20 new base64 encoded evals. I decoded everything I found and ran it through a code prettifier, and ended up with a 100kb php file of approx 2000 lines of code. I did a search+replace for some of the function names, but quickly tired and stopped halfway through - the file is just so massive.
Also, if your site is infected, take note of which folder that last mentioned file is in, because in the same folder is where it stores the generated spam files this hack creates. They are files without extensions, names ranging from just "t", "50", to longer names such as "f2219f70f695539a82941423841dc26c". I have attached 3 examples of those final spam files this hack aims to generate.
You can search the style.css.php file for "http:" to quickly find the involved spam domains, which include:
nomsat23.net nssat3.com wplsat23.net pearch.net gawab.com
After googling gawab.com and the other mentioned callback URLs, I found several domains common forum admins have had trouble with, so I am creating an SQL file to add all these domains to my SMF ban triggers. It's also attached as spamdomains.sql - remember to replace 15 with the id of the ban group you want to add these to.
Hope this helps someone. If anyone cares to dig deeper into the code, please update the thread with whatever you find.
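As an added example (not part of the original post, and not SMF code), here is a Python scan that walks a web root for .php files whose head carries an eval(base64_decode("...")) line of the kind described above and decodes the payload so you can see what it includes or calls. The sample web root, file names and payload are constructed for the demonstration.

```python
# Added example, not from the original post: find PHP files whose head has been
# prepended with eval(base64_decode("...")) and show what that line decodes to.
import base64
import os
import re
import tempfile

# Matches the injected pattern reported above: eval(base64_decode("<base64>"))
INJECT_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')

def decode_injected_eval(source: str, max_bytes: int = 4096):
    """Check only the head of a file, where the post reports the injection.
    Returns the decoded payload text if an injected eval is found, else None."""
    m = INJECT_RE.search(source[:max_bytes])
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return "<undecodable base64>"
    return raw.decode("utf-8", errors="replace")

def scan_webroot(root: str):
    """Walk root and return {relative_path: decoded_payload} for every .php
    file whose head contains the injected eval."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                payload = decode_injected_eval(fh.read())
            if payload is not None:
                hits[os.path.relpath(path, root)] = payload
    return hits

def build_sample_webroot() -> str:
    """Constructed sample: one clean file and one file with an injected head.
    The payload is a harmless stand-in for the real injected code."""
    root = tempfile.mkdtemp()
    fake = base64.b64encode(b'include("style.css.php");').decode()
    os.makedirs(os.path.join(root, "Themes"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(f'<?php eval(base64_decode("{fake}")); ?>\n<?php echo "hi"; ?>\n')
    with open(os.path.join(root, "Themes", "clean.php"), "w") as fh:
        fh.write('<?php echo "no injection here"; ?>\n')
    return root

if __name__ == "__main__":
    for rel, payload in scan_webroot(build_sample_webroot()).items():
        print(f"{rel}: {payload!r}")
```

Point scan_webroot at your real document root to list every affected file together with the decoded first stage, which tells you which loader file (style.css.php in the post's case) to look for next.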