Website hacked. SMF exploit?

Started by Jasonfran, March 17, 2013, 03:47:02 PM


Jasonfran

Hello, earlier today my forum was hacked by someone/group called "Dark Devilz". They managed to upload their own index.php and rename the SMF index.php to index.php~. I am wondering whether this was an exploit in the SMF forum software, as I googled the hacker and he usually hacks WordPress sites because that exploit was possible. Has anyone here had this problem or know why it happened, so it can be prevented in the future? Many thanks

kat

Welcome to the ol' forum, Jason, even if it's coz something went bad.

Have you had a word with your host, about this? They'll have access logs that they can look at. That might be helpful.

Jasonfran

I have put in a support ticket. It was the first thing I did

Chalky

Hi Jason, it might be helpful too to know which version of SMF you're using.  Do you have any other applications on the same hosting account?

kat

Been doing a bit of research.

Looks like they're adding some eval(base64_decode('...long base64 encoded string')) crap.

Have a look at your files, using FTP, or your CPanel's File Manager.

Particularly, look at the timestamps. Any files with recent dates/times?

If so, take a look at the first line of the file's code.

It should be:

<?php

Just that. Absolutely nothing else.

If there's any other code, there, delete it.

I got a similar hack, ages ago. Took me a while to go through every file. :(

I had a backup (Obviously), which I could've restored. But, I wanted to go through everything, just to be sure and get a feel for what'd been done.

Jasonfran

All they did was make a new index.php with some encoded JavaScript in there which had a fancy "You're hacked" site. The SMF index.php is fine. And all other files are fine (as far as I know). And no, I have no other applications on there. My forum version is SMF 2.0.3.

LiroyvH

Ask the host if they have open basedir restrictions configured properly.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

kat

I just looked around and they seem to have been busy, of late.

They seem to run a hacking website.

Now, wouldn't it be a shame if that got hacked...?


Jasonfran

I should note that I just saw there was a 2.0.4 update that fixed some critical security exploits. So it could have been that that was the issue, seeing as it was only released about a month ago. Hackers must go around looking for sites that haven't patched yet and deface them.

Kindred

Also, do note... the index.php~ file was not done by the hackers. That file is generated by the system when you install a mod (it's the previous version of index.php before the mod was installed).
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

ApplianceJunk

Quote from: Jasonfran on March 17, 2013, 04:41:56 PM
I should note that I just saw there was a 2.0.4 update that fixed some critical security exploits. So it could have been that that was the issue, seeing as it was only released about a month ago. Hackers must go around looking for sites that haven't patched yet and deface them.

You're just guessing, right?

Quote from: CoreISP on March 17, 2013, 04:27:31 PM
Ask the host if they have open basedir restrictions configured properly.

Did you ask your host or not?

Jasonfran

Sorry for the late reply. Yes, I am guessing about what I said, and I haven't asked them about the basedir yet. Also, does anyone know how they did this? I want an explanation so I can stop it happening again and stop it happening when I put my own sites live.

ApplianceJunk

Quote from: Jasonfran on March 18, 2013, 01:07:22 PM
Sorry for the late reply. Yes, I am guessing about what I said, and I haven't asked them about the basedir yet. Also, does anyone know how they did this? I want an explanation so I can stop it happening again and stop it happening when I put my own sites live.

If it was me I would ask my host first. ;)

Kindred

We have no explanation because you have not actually provided us with any real data other than a general "they managed to hack me" statement.

Your host would be the one to help you find out more information... but if we were to even begin to help, we would need the server logs from the day/time period you were hacked.
Are you running any software other than SMF on that server?
Are you running any mods in SMF?

Jasonfran

The site is hxxp:www.bfmgaming.co.uk [nonactive]; have a look around. We have SimplePortal, Tapatalk and SMFShop. I'll try and get the logs. I also have nothing else on there other than a few pages I have made myself to test my web skills.

Kindred

And what language are those other pages written in? Any forms or other submit actions?

Jasonfran

PHP. Yes, there are login forms, and I have used mysql_real_escape_string on all POST data, so no SQL injections, I don't think. It also isn't indexed by Google and there is no link from the forums to it, so I don't think you can find it other than me giving the URL out, which I haven't.

Kindred

You would be surprised what they can find on your server. I have files buried 8 layers deep in subdirectories which are restricted from indexing, but I get occasional hits on them from sources in Russia and China.

If there are forms... unless you are VERY careful, there are chances of access points.
Of course, the server logs SHOULD be able to indicate how they got in.

Jasonfran

What I don't understand is how someone can edit the PHP files completely or upload their own. I never knew there was the possibility of that with a PHP script or FTP access.

Kindred

Oh, once they get access to the server, they can do just about anything they want... they upload a backdoor script to some directory (usually buried 4 or 5 layers deep) and then, even if you clean the main files, they still have access to come in and do it again, any time they want.

SQL injection is not the only way they can work it, either...
http://en.wikipedia.org/wiki/Code_injection
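A defender-side check for the two points raised in this thread: kat's advice to look for recently modified files, a first line that is not a bare `<?php`, and `eval(base64_decode('...'))` payloads, and Kindred's point that a backdoor is usually buried several directories deep, so the whole tree has to be walked. This is an added example, not code from the thread or from SMF itself. The decoder names other than base64_decode, the seven-day "recent" window, and the sample files are my assumptions; the sample tree is constructed inline so the script runs offline.

```python
import os
import re
import tempfile
import time

# Pattern kat describes (eval(base64_decode('...'))) plus a few other decoders
# that get wrapped in eval() the same way; the extra names are an assumption.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)


def first_line_is_clean(data):
    """kat's check: the first line of a PHP file should be exactly '<?php'."""
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    return first == b"<?php"


def scan_file(path, now, max_age_seconds):
    """Return the reasons a file deserves a manual look (empty list if none)."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if not first_line_is_clean(data):
        reasons.append("first line is not a bare <?php")
    if SUSPICIOUS.search(data):
        reasons.append("eval() wrapped around a decoder")
    if now - os.path.getmtime(path) < max_age_seconds:
        reasons.append("modified recently")
    return reasons


def scan_tree(root, max_age_days=7, now=None):
    """Walk every subdirectory under root (backdoors hide deep) and report
    PHP files by reason as {relative_path: [reasons]}. .php~ files are
    included so SMF's own pre-mod backups get the same inspection."""
    now = time.time() if now is None else now
    max_age = max_age_days * 86400
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php~")):
                continue
            path = os.path.join(dirpath, name)
            reasons = scan_file(path, now, max_age)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = reasons
    return report


def build_sample_tree(root):
    """Constructed sample (not real SMF files): one clean file dated 30 days
    ago, one defaced index.php with the eval(base64_decode()) pattern, and one
    obfuscated file buried five directories deep, both freshly written."""
    old = time.time() - 30 * 86400
    samples = {
        "Sources/Load.php": (b"<?php\n// legitimate file\necho 'ok';\n", old),
        "index.php": (b"<?php eval(base64_decode('aGFja2Vk')); ?>\n", None),
        "Themes/default/images/post/.cache/sh.php": (
            b"<?php\n@eval(gzinflate(base64_decode('Li4u')));\n", None),
    }
    for rel, (content, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    # Point scan_tree() at a real forum root to use it on your own files.
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

The clean file is not reported at all; the defaced index.php trips all three checks, and the buried file passes the first-line check (its first line is a bare `<?php`) but is still caught by the eval() pattern and its timestamp, which is why the timestamp and content checks complement each other rather than replace one another.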
