SMF SECURITY - AM I HACKED YET AGAIN ??

Started by glennk, September 16, 2009, 07:04:10 AM


glennk

So what do I do now? The only admins on my sites are me (plus 3 global mods, but they don't have admin rights), and I run BitDefender 2010, fully up to date, and I am free from any virus on my PC. I really need to make some headway but seem very stuck at the moment.

Norv

Please make a backup of everything you have in your web directory. It will be appreciated if you agree that someone of the SMF team sees them, as Arantor has offered before, in which case please let us know.

Then, remove everything from the web directory.
Upload all files from an SMF large upgrade package, except upgrade.php and the upgrade SQL files.
Open Settings.php and Settings.bak.php from the backup's forum directory, in a text editor, and look at them: if you see anything funny except setting some variables, then remove that. Eventually PM us the code. DON'T post your Settings.php files here. Then upload them into the SMF folder on server.
Make sure access logs, error log, everything that can be made accessible by your host, is enabled. Ask them.

If it happens again, please post urgently the access logs here, or send them to a security report (link in my signature).
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github
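The advice above is to open Settings.php and look for anything other than plain variable settings. The following is an added example, not code from the thread or from the SMF project: a small checker that reports every line of a Settings.php that is not a blank, a comment, a PHP tag, or a simple `$name = value;` assignment. The sample file it runs on is constructed, and the base64 string in the planted line is a placeholder, not real content.

```python
import re

# Matches a plain setting line as found in a stock SMF Settings.php:
#   $name = 'string';  $name = "string";  $name = 123;  $name = true;
_SIMPLE_ASSIGN = re.compile(
    r"^\$[A-Za-z_]\w*\s*=\s*"
    r"(?:'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|-?\d+(?:\.\d+)?|true|false|null)"
    r"\s*;$",
    re.IGNORECASE,
)


def suspicious_lines(php_source):
    """Return [(line_number, text), ...] for every line of a Settings.php
    that is neither blank, a comment, a PHP tag, nor a plain assignment.
    Everything returned should be compared against a known-good copy."""
    findings = []
    for lineno, raw in enumerate(php_source.splitlines(), start=1):
        line = raw.strip()
        if not line or line in ("<?php", "?>"):
            continue
        if line.startswith(("#", "//")):
            continue
        if _SIMPLE_ASSIGN.match(line):
            continue
        findings.append((lineno, line))
    return findings


# Constructed sample: a stock-looking Settings.php with one planted line
# (line 9) that is clearly not a setting. The base64 blob is a placeholder.
SAMPLE_SETTINGS = """<?php
########## Database Info ##########
$db_server = 'localhost';
$db_name = 'smf';
$db_user = 'smf_user';
$db_passwd = 'example-password';
$db_prefix = 'smf_';
$db_persist = 0;
@eval(base64_decode('PLACEHOLDER_BLOB'));
########## Error-Catching ##########
$db_last_error = 0;
?>
"""

if __name__ == "__main__":
    for lineno, text in suspicious_lines(SAMPLE_SETTINGS):
        print("line %d: %s" % (lineno, text))
```

A stock SMF Settings.php also ends with a short `if (file_exists(... '/install.php'))` redirect block, which this check reports as well; compare any such hit against the copy in the upgrade package rather than treating the report on its own as proof of compromise.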

青山 素子

Quote from: Arantor on September 21, 2009, 04:10:21 AM
Interesting point though. Have you and your other admins checked their machine with recent AV products?

I also recommend a scan with Rootkit Revealer. It's usually quite good at spotting things that shouldn't be there, but keep in mind that it doesn't diagnose, just tells you if something doesn't match. Hidden service or driver registry keys are usually what you'll see with rootkits.


Quote from: Arantor on September 21, 2009, 04:10:21 AM
As for core dumps - that suggests the host has misconfigured something somewhere, since I've never known SMF to core dump on a properly configured server.

There was an issue a while back with a buggy "host" command that shipped with CentOS (and possibly RHEL too) that would segfault. A later update of that software fixed the bug SMF was triggering.

As I've said many times before, SMF is just scripting stuff. It cannot in and of itself cause a core dump. Core dumps are caused by flawed software, a script can't actually do the things that can cause core dumps. That means if something SMF does causes a core dump, it's the fault of that binary - not SMF.

(I can think of one part where a script did trigger a core dump in otherwise okay software. One of the older AVEA mod versions would cause a core dump under certain circumstances. I think it turned out that it went past a certain recursion limit. Rather than fail cleanly, the software just dumped core - still a problem with a compiled binary in it not checking things properly.)
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


glennk

Quote
Please make a backup of everything you have in your web directory. It will be appreciated if you agree that someone of the SMF team sees them, as Arantor has offered before, in which case please let us know.

Then, remove everything from the web directory.

OK, can I have a bit of clarity please on what to delete and re-upload? Also, please advise on which files you want to see copies of. Are you just talking about SMF files as

My site whitbyseaanglers.co.uk is made up of :

HTML files in the root directory.
6 WordPress installations in sub folders of the root directory
1 Coppermine Gallery in a sub folder of the root directory
1 SMF forum in a sub folder of the root directory

1 subdomain - www.whitbywebdesign.co.uk (HTML)

1 subdomain - www.holdernesscoastfishing.co.uk (1 WordPress installation in root and 1 SMF forum in a subfolder)

1 subdomain - www.in-whitby.co.uk (1 WordPress installation in root - there was an out-of-date forum that I have now deleted).

Norv

Quote from: glennk on September 21, 2009, 07:15:02 PM
Quote
Please make a backup of everything you have in your web directory. It will be appreciated if you agree that someone of the SMF team sees them, as Arantor has offered before, in which case please let us know.

Then, remove everything from the web directory.

OK, can I have a bit of clarity please on what to delete and re-upload

Without knowing what is infected and how spread the infection is, I would say what I said before: make a backup of everything in the web directory, verify your backup, and then, remove everything.

The same goes for what we can find useful to see. Since we don't know what is infected and how spread the infection is, we need to search everything to eventually find what is infected, and how spread it may be. In case you agree, please feel free to let us know.

glennk

That is one massive job, I couldn't put a timescale on it (weeks or maybe months). I'm not even sure it's possible to check every single file as the site is very big. The thought of doing that just overwhelms me. I don't mind deleting and upgrading scripts and reinstalling the databases, but to go through every HTML file in the root directory could take forever. I am also concerned that if I delete everything, verify the files and upload them again, the problem could just come back, as it already has done in SMF.

I can send you a download of everything if you tell me where to send it to.

Norv

Then you can limit yourself to SMF: back up the SMF directory only, and then remove everything from the SMF directory only.
Note however that in case the problem is the infection in other web applications, then it will just come back upon executing them.

glennk

So you are really saying I have no choice.

Please can you tell me where to send a copy of the web directory to.

Norv


glennk

OK guys, I think this is now resolved. I hope I am now free from any virus/redirection problems. I apologise to the support team for wasting their time; however, the real problem was the hosting company, who should really be the people apologising to myself and the SMF dev team. I will spare their blushes by not naming them, although I feel I should, given the amount of hard work they have caused everyone.

Fortunately for me I have some very skilled and resourceful people using my forum. I asked a long-term forum member to help me solve this problem as I had run into a brick wall and feared there was no way I could resolve the problem. The guy I asked to help did a few tests on the site and said he felt the issue was with the hosts. He then set about finding who shared my server and contacted the webmasters via email. By Monday morning he had quite a few replies from the various webmasters, all stating that they had exactly the same issues as myself and that the hosts had blamed their software rather than themselves.

Armed with the results of the tests he did on my site and with the emails from the other webmasters, he then confronted the hosts. The hosts quickly realised they were dealing with someone who knew what he was talking about. They looked into the matter and admitted to being at fault. I don't know the technicalities of the matter, but it was enough to make them get their asses in gear.

Fingers crossed, it looks like my site is now clean and I am indebted to the lad who sorted it out for me. I would like to say a very big thank you to the SMF support team for their assistance and for their patience with me. You are a great set of guys who offer an invaluable service to all of us who use the software you develop.

Best wishes - Glenn

Arantor

Good to know it has been resolved :)

Unfortunately more often than not it is hosts running outdated software that is the prime cause of hacks being successful, but good to see that you got this sorted now.
Holder of controversial views, all of which my own.
