News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

unwanted popups

Started by crshep, July 22, 2014, 04:25:53 PM

Previous topic - Next topic
Print
Go Down Pages1 2 All
User actions

crshep

July 22, 2014, 04:25:53 PM
What file or files would I look into to find code they may have been injected to cause these popups?

The popups have to be cookie type becasue popups don'[t come up every time you click something but does if you haven't been to the forums for a few hours.  Best way to explain it to go here  hxxp:clanxa.com/smf/index.php?action=forum [nonactive]  (Hope I'm allowed to post a link if not sorry)  then click the box like your going to login and then a popup will come.  This is what I want to get rid of.  The popup doesn't show the same site all the time it could popup with a facebook site or a site that says your adobe is out of date to even some porn sites.  So I really need some help with this.  if anyone knows where to look please help

Thanks

Sir Osis of Liver

#1
July 22, 2014, 04:33:12 PM
If you have a backup of your forum files, delete the whole thing and upload the backup.
Ashes and diamonds, foe and friend,
 we were all equal in the end.
                                     - R. Waters

Arantor

#2
July 22, 2014, 05:00:59 PM
That presumes the backup is clean.

Sir Osis of Liver

#3
July 22, 2014, 05:08:45 PM
One step at a time.  I've cleaned up several hacked forums where all index.php files were affected, also source files, with foreign php files added to themes.  Much simpler to replace with backup than hunt around through 1000+ files looking for garbage.

Ashes and diamonds, foe and friend,
 we were all equal in the end.
                                     - R. Waters

Arantor

#4
July 22, 2014, 05:09:39 PM
But that still presumes the backup was *clean*. You can't know for sure that the backup wasn't already infected.

I too have been through the 1000+ files with garbage. And I've found infected backups too.

Ninja ZX-10RR

#5
July 22, 2014, 05:10:26 PM
Hi and welcome to the forum :D
Can I just say that I tried it and it didn't open anything to me? And I had deactivated both my anty-spam programs... Wanna try a different browser maybe? :) Oh maybe it's just me being lucky huh!
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.
I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Justyne

#6
July 22, 2014, 05:12:57 PM
could be malware. no popups for me either.
Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better.

crshep

#7
July 22, 2014, 05:16:58 PM
Already tried the backups that didn't work.  They must have been dirty

I also tried IE, google and firefox and each time to test I cleaned out cashe and everytime I still get the popups. I know it's just not my PC becasue I had a bunch of complaints from forum members also.

Sir Osis of Liver

#8
July 22, 2014, 05:18:06 PM
Quote from: ‽ on July 22, 2014, 05:09:39 PM
But that still presumes the backup was *clean*. You can't know for sure that the backup wasn't already infected.

If the backup's infected, you're no worse off for uploading it.  If it's clean and solves the problem, you're done, assuming it is a code injection.
Ashes and diamonds, foe and friend,
 we were all equal in the end.
                                     - R. Waters

Sir Osis of Liver

#9
July 22, 2014, 05:19:40 PM
Did you delete everything before uploading the backup?

Have you looked in index.php in forum root?

Have you cleared the forum cache?
Ashes and diamonds, foe and friend,
 we were all equal in the end.
                                     - R. Waters

Ninja ZX-10RR

#10
July 22, 2014, 05:20:06 PM
Well after trying the backup I suggest you to start attaching your index.php ;) that will be the first step, maybe we are lucky (if the backup doesn't fix it) and there is garbage only there.
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.
I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Justyne

#11
July 22, 2014, 05:22:15 PM
I'm seeing your popup now. What a nuisance. Definitely would help to see the index.php
Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better.

crshep

#12
July 22, 2014, 05:54:22 PM Last Edit: July 22, 2014, 05:58:09 PM by Illori
my index.php  file and thanks for looking..

--------------------------------------------------
Code Select

<?php

/**
 * Simple Machines Forum (SMF)
 *
 * @package SMF
 * @author Simple Machines http://www.simplemachines.org
 * @copyright 2011 Simple Machines
 * @license http://www.simplemachines.org/about/smf/license.php BSD
 *
 * @version 2.0.8
 */

/* This, as you have probably guessed, is the crux on which SMF functions.
Everything should start here, so all the setup and security is done
properly.  The most interesting part of this file is the action array in
the smf_main() function.  It is formatted as so:

'action-in-url' => array('Source-File.php', 'FunctionToCall'),

Then, you can access the FunctionToCall() function from Source-File.php
with the URL index.php?action=action-in-url.  Relatively simple, no?
*/

$forum_version 'SMF 2.0.8';
@ini_set('memory_limit''128M');

// Get everything started up...
define('SMF'1);
if (function_exists('set_magic_quotes_runtime'))
 @set_magic_quotes_runtime(0);
error_reporting(defined('E_STRICT') ? E_ALL E_STRICT E_ALL);
$time_start microtime();

// This makes it so headers can be sent!
ob_start();

// Do some cleaning, just in case.
foreach (array('db_character_set''cachedir') as $variable)
 if (isset($GLOBALS[$variable]))
 unset($GLOBALS[$variable], $GLOBALS[$variable]);

// Load the settings...
require_once(dirname(__FILE__) . '/Settings.php');

// Make absolutely sure the cache directory is defined.
if ((empty($cachedir) || !file_exists($cachedir)) && file_exists($boarddir '/cache'))
 $cachedir $boarddir '/cache';

// And important includes.
require_once($sourcedir '/QueryString.php');
require_once($sourcedir '/Subs.php');
require_once($sourcedir '/Errors.php');
require_once($sourcedir '/Load.php');
require_once($sourcedir '/Security.php');
require_once($sourcedir '/Subs-Portal.php');

// Using an pre-PHP 5.1 version?
if (@version_compare(PHP_VERSION'5.1') == -1)
 require_once($sourcedir '/Subs-Compat.php');

// If $maintenance is set specifically to 2, then we're upgrading or something.
if (!empty($maintenance) && $maintenance == 2)
 db_fatal_error();

// Create a variable to store some SMF specific functions in.
$smcFunc = array();

// Initate the database connection and define some database functions to use.
loadDatabase();

// Load the settings from the settings table, and perform operations like optimizing.
reloadSettings();
// Clean the request variables, add slashes, etc.
cleanRequest();
$context = array();

// Seed the random generator.
if (empty($modSettings['rand_seed']) || mt_rand(1250) == 69)
 smf_seed_generator();

// Before we get carried away, are we doing a scheduled task? If so save CPU cycles by jumping out!
if (isset($_GET['scheduled']))
{
 require_once($sourcedir '/ScheduledTasks.php');
 AutoTask();
}

// Check if compressed output is enabled, supported, and not already being done.
if (!empty($modSettings['enableCompressedOutput']) && !headers_sent())
{
 // If zlib is being used, turn off output compression.
 if (@ini_get('zlib.output_compression') == '1' || @ini_get('output_handler') == 'ob_gzhandler' || @version_compare(PHP_VERSION'4.2.0') == -1)
 $modSettings['enableCompressedOutput'] = '0';
 else
 {
 ob_end_clean();
 ob_start('ob_gzhandler');
 }
}

// Emit some headers for some modicum of protection against nasties.
if (!headers_sent())
{
 // Future versions will make some of this configurable. This is primarily a 'safe' configuration for most cases for now.
 header('X-Frame-Options: SAMEORIGIN');
 header('X-XSS-Protection: 1');
 header('X-Content-Type-Options: nosniff');
}

// Register an error handler.
set_error_handler('error_handler');

// Start the session. (assuming it hasn't already been.)
loadSession();

// Determine if this is using WAP, WAP2, or imode.  Technically, we should check that wap comes before application/xhtml or text/html, but this doesn't work in practice as much as it should.
if (isset($_REQUEST['wap']) || isset($_REQUEST['wap2']) || isset($_REQUEST['imode']))
 unset($_SESSION['nowap']);
elseif (isset($_REQUEST['nowap']))
 $_SESSION['nowap'] = true;
elseif (!isset($_SESSION['nowap']))
{
 if (isset($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'application/vnd.wap.xhtml+xml') !== false)
 $_REQUEST['wap2'] = 1;
 elseif (isset($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'text/vnd.wap.wml') !== false)
 {
 if (strpos($_SERVER['HTTP_USER_AGENT'], 'DoCoMo/') !== false || strpos($_SERVER['HTTP_USER_AGENT'], 'portalmmm/') !== false)
 $_REQUEST['imode'] = 1;
 else
 $_REQUEST['wap'] = 1;
 }
}

if (!defined('WIRELESS'))
 define('WIRELESS', isset($_REQUEST['wap']) || isset($_REQUEST['wap2']) || isset($_REQUEST['imode']));

// Some settings and headers are different for wireless protocols.
if (WIRELESS)
{
 define('WIRELESS_PROTOCOL', isset($_REQUEST['wap']) ? 'wap' : (isset($_REQUEST['wap2']) ? 'wap2' : (isset($_REQUEST['imode']) ? 'imode' '')));

 // Some cellphones can't handle output compression...
 $modSettings['enableCompressedOutput'] = '0';
 // !!! Do we want these hard coded?
 $modSettings['defaultMaxMessages'] = 5;
 $modSettings['defaultMaxTopics'] = 9;

 // Wireless protocol header.
 if (WIRELESS_PROTOCOL == 'wap')
 header('Content-Type: text/vnd.wap.wml');
}

// Restore post data if we are revalidating OpenID.
if (isset($_GET['openid_restore_post']) && !empty($_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]['post']) && empty($_POST))
{
 $_POST $_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]['post'];
 unset($_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]);
}

// What function shall we execute? (done like this for memory's sake.)
call_user_func(smf_main());

// Call obExit specially; we're coming from the main area ;).
obExit(nullnulltrue);

// The main controlling function.
function smf_main()
{
 global $modSettings$settings$user_info$board$topic$board_info$maintenance$sourcedir;

 // Special case: session keep-alive, output a transparent pixel.
 if (isset($_GET['action']) && $_GET['action'] == 'keepalive')
 {
 header('Content-Type: image/gif');
 die("\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B");
 }

 // Load the user's cookie (or set as guest) and load their settings.
 loadUserSettings();

 // Load the current board's information.
 loadBoard();

 // Load the current user's permissions.
 loadPermissions();

 // Before we do anything else with this user we check projecthoneypot to see if it's a spammer. MOD httpBL
 // But do it only if we are not coming from the file warning.php
 global $boardurl$httpBL_warning;
 if ($modSettings['httpBL_enable'] && !isset($httpBL_warning))
 {
 require_once($sourcedir '/httpBL_Subs.php');
 $response httpBL_dnslookup($user_info['ip'], $modSettings['httpBL_honeyPot_key']);
 if ($response)
 {
 $_SESSION['response'] = $response;
 header('Location: '$boardurl .'/warning.php');
 exit();
 }
 }

 // Bad Behavior Start
 require_once($sourcedir '/bad-behavior/BadBehavior-SMF.php');
 // Bad Behavior End

 // Attachments don't require the entire theme to be loaded.
 if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'dlattach' && (!empty($modSettings['allow_guestAccess']) && $user_info['is_guest']))
 detectBrowser();
 // Load the current theme.  (note that ?theme=1 will also work, may be used for guest theming.)
 else
 loadTheme();

 // Check if the user should be disallowed access.
 is_not_banned();

 // If we are in a topic and don't have permission to approve it then duck out now.
 if (!empty($topic) && empty($board_info['cur_topic_approved']) && !allowedTo('approve_posts') && ($user_info['id'] != $board_info['cur_topic_starter'] || $user_info['is_guest']))
 fatal_lang_error('not_a_topic'false);

 // Do some logging, unless this is an attachment, avatar, toggle of editor buttons, theme option, XML feed etc.
 if (empty($_REQUEST['action']) || !in_array($_REQUEST['action'], array('dlattach''findmember''jseditor''jsoption''requestmembers''smstats''.xml''xmlhttp''verificationcode''viewquery''viewsmfile')))
 {
 // Log this user as online.
 writeLog();

 // Don't track stats of portal xml actions.
 if (empty($_REQUEST['action']) || $_REQUEST['action'] != 'portal' || !isset($_GET['xml']))
 {
 // Track forum statistics and hits...?
 if (!empty($modSettings['hitStats']))
 trackStats(array('hits' => '+'));
 }
 }

 // Load SimplePortal.
 sportal_init();

 // Is the forum in maintenance mode? (doesn't apply to administrators.)
 if (!empty($maintenance) && !allowedTo('admin_forum'))
 {
 // You can only login.... otherwise, you're getting the "maintenance mode" display.
 if (isset($_REQUEST['action']) && ($_REQUEST['action'] == 'login2' || $_REQUEST['action'] == 'logout'))
 {
 require_once($sourcedir '/LogInOut.php');
 return $_REQUEST['action'] == 'login2' 'Login2' 'Logout';
 }
 // Don't even try it, sonny.
 else
 {
 require_once($sourcedir '/Subs-Auth.php');
 return 'InMaintenance';
 }
 }
 // If guest access is off, a guest can only do one of the very few following actions.
 elseif (empty($modSettings['allow_guestAccess']) && $user_info['is_guest'] && (!isset($_REQUEST['action']) || !in_array($_REQUEST['action'], array('coppa''login''login2''register''register2''reminder''activate''help''smstats''mailq''verificationcode''openidreturn'))))
 {
 require_once($sourcedir '/Subs-Auth.php');
 return 'KickGuest';
 }
 elseif (empty($_REQUEST['action']))
 {
 // Go catch it boy! Catch it!
 $sp_action sportal_catch_action();
 if ($sp_action)
 return $sp_action;

 // Action and board are both empty... BoardIndex!
 if (empty($board) && empty($topic))
 {
 require_once($sourcedir '/BoardIndex.php');
 return 'BoardIndex';
 }
 // Topic is empty, and action is empty.... MessageIndex!
 elseif (empty($topic))
 {
 require_once($sourcedir '/MessageIndex.php');
 return 'MessageIndex';
 }
 // Board is not empty... topic is not empty... action is empty.. Display!
 else
 {
 require_once($sourcedir '/Display.php');
 return 'Display';
 }
 }

 // Here's the monstrous $_REQUEST['action'] array - $_REQUEST['action'] => array($file, $function).
 $actionArray = array(
 'activate' => array('Register.php''Activate'),
 'admin' => array('Admin.php''AdminMain'),
 'announce' => array('Post.php''AnnounceTopic'),
 'attachapprove' => array('ManageAttachments.php''ApproveAttach'),
 // Bad Behavior Start
 'badbehavior' => array('BadBehavior-SMF.php''badbehavior'),
 // Bad Behavior End
 'buddy' => array('Subs-Members.php''BuddyListToggle'),
 'calendar' => array('Calendar.php''CalendarMain'),
 'clock' => array('Calendar.php''clock'),
 'collapse' => array('BoardIndex.php''CollapseCategory'),
 'coppa' => array('Register.php''CoppaForm'),
 'credits' => array('Who.php''Credits'),
 'deletemsg' => array('RemoveTopic.php''DeleteMessage'),
 'display' => array('Display.php''Display'),
 'dlattach' => array('Display.php''Download'),
 'editpoll' => array('Poll.php''EditPoll'),
 'editpoll2' => array('Poll.php''EditPoll2'),
 'emailuser' => array('SendTopic.php''EmailUser'),
 'findmember' => array('Subs-Auth.php''JSMembers'),
 'forum' => array('BoardIndex.php''BoardIndex'),
 'portal' => array('PortalMain.php''sportal_main'),
 'groups' => array('Groups.php''Groups'),
 'help' => array('Help.php''ShowHelp'),
 'helpadmin' => array('Help.php''ShowAdminHelp'),
 'httpBL' => array('httpBL_2_Config.php''httpBL_Admin'),
 'im' => array('PersonalMessage.php''MessageMain'),
 'jseditor' => array('Subs-Editor.php''EditorMain'),
 'jsmodify' => array('Post.php''JavaScriptModify'),
 'jsoption' => array('Themes.php''SetJavaScript'),
 'lock' => array('LockTopic.php''LockTopic'),
 'lockvoting' => array('Poll.php''LockVoting'),
 'login' => array('LogInOut.php''Login'),
 'login2' => array('LogInOut.php''Login2'),
 'logout' => array('LogInOut.php''Logout'),
 'markasread' => array('Subs-Boards.php''MarkRead'),
 'mergetopics' => array('SplitTopics.php''MergeTopics'),
 'mlist' => array('Memberlist.php''Memberlist'),
 'moderate' => array('ModerationCenter.php''ModerationMain'),
 'modifycat' => array('ManageBoards.php''ModifyCat'),
 'modifykarma' => array('Karma.php''ModifyKarma'),
 'movetopic' => array('MoveTopic.php''MoveTopic'),
 'movetopic2' => array('MoveTopic.php''MoveTopic2'),
 'notify' => array('Notify.php''Notify'),
 'notifyboard' => array('Notify.php''BoardNotify'),
 'openidreturn' => array('Subs-OpenID.php''smf_openID_return'),
 'pm' => array('PersonalMessage.php''MessageMain'),
 'post' => array('Post.php''Post'),
 'post2' => array('Post.php''Post2'),
 'printpage' => array('Printpage.php''PrintTopic'),
 'profile' => array('Profile.php''ModifyProfile'),
 'quotefast' => array('Post.php''QuoteFast'),
 'quickmod' => array('MessageIndex.php''QuickModeration'),
 'quickmod2' => array('Display.php''QuickInTopicModeration'),
 'recent' => array('Recent.php''RecentPosts'),
 'register' => array('Register.php''Register'),
 'register2' => array('Register.php''Register2'),
 'reminder' => array('Reminder.php''RemindMe'),
 'removepoll' => array('Poll.php''RemovePoll'),
 'removetopic2' => array('RemoveTopic.php''RemoveTopic2'),
 'reporttm' => array('SendTopic.php''ReportToModerator'),
 'requestmembers' => array('Subs-Auth.php''RequestMembers'),
 'restoretopic' => array('RemoveTopic.php''RestoreTopic'),
 'search' => array('Search.php''PlushSearch1'),
 'search2' => array('Search.php''PlushSearch2'),
 'sendtopic' => array('SendTopic.php''EmailUser'),
 'smstats' => array('Stats.php''SMStats'),
 'suggest' => array('Subs-Editor.php''AutoSuggestHandler'),
 'spellcheck' => array('Subs-Post.php''SpellCheck'),
 'splittopics' => array('SplitTopics.php''SplitTopics'),
 'stats' => array('Stats.php''DisplayStats'),
 'sticky' => array('LockTopic.php''Sticky'),
 'theme' => array('Themes.php''ThemesMain'),
 'trackip' => array('Profile-View.php''trackIP'),
 'about:mozilla' => array('Karma.php''BookOfUnknown'),
 'about:unknown' => array('Karma.php''BookOfUnknown'),
 'unread' => array('Recent.php''UnreadTopics'),
 'unreadreplies' => array('Recent.php''UnreadTopics'),
 'verificationcode' => array('Register.php''VerificationCode'),
 'viewprofile' => array('Profile.php''ModifyProfile'),
 'vote' => array('Poll.php''Vote'),
 'viewquery' => array('ViewQuery.php''ViewQuery'),
 'viewsmfile' => array('Admin.php''DisplayAdminFile'),
 'who' => array('Who.php''Who'),
 '.xml' => array('News.php''ShowXmlFeed'),
 'xmlhttp' => array('Xml.php''XMLhttpMain'),
 );

 // Allow modifying $actionArray easily.
 call_integration_hook('integrate_actions', array(&$actionArray));

 if (!empty($context['disable_sp']))
 unset($actionArray['portal'], $actionArray['forum']);

 // Get the function and file to include - if it's not there, do the board index.
 if (!isset($_REQUEST['action']) || !isset($actionArray[$_REQUEST['action']]))
 {
 // Catch the action with the theme?
 if (!empty($settings['catch_action']))
 {
 require_once($sourcedir '/Themes.php');
 return 'WrapAction';
 }

 // Fall through to the board index then...
 require_once($sourcedir '/BoardIndex.php');
 return 'BoardIndex';
 }

 // Otherwise, it was set - so let's go to that action.
 require_once($sourcedir '/' $actionArray[$_REQUEST['action']][0]);
 return $actionArray[$_REQUEST['action']][1];
}

?>
----------------------------------------------------------

Arantor

#13
July 22, 2014, 05:55:22 PM
Looks clean enough to me. But there's still hundreds of other files it could be.

Ninja ZX-10RR

#14
July 22, 2014, 05:56:59 PM
Dang it we meant to post it as an attachment or either use [code][/code] tags >.<
Krash can you edit his post? Can't see a thing XD (don't want to bother with reporting for a slight thing like this)

Can we try load.php and subs.php?
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.
I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Illori

#15
July 22, 2014, 05:58:39 PM
or it could be related to ads on the page... checking for recently modified files would be a good start rather then randomly checking files.

Ninja ZX-10RR

#16
July 22, 2014, 06:03:10 PM
Wouldn't it be easier to try to deactivate them all? :P it would exclude the problem completely, nice guess though. Didn't think about it.
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.
I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

crshep

#17
July 22, 2014, 06:03:46 PM
ok here are the other 2 you asked for as attachments this time.

Illori

#18
July 22, 2014, 06:05:18 PM
Quote from: Flavio93Zena on July 22, 2014, 06:03:10 PM
Wouldn't it be easier to try to deactivate them all? :P it would exclude the problem completely, nice guess though. Didn't think about it.

if there is a php shell somewhere, just overriding the files will not solve the problem. you have to find the extra file/shell and remove it or a hack can happen again. that is if there was a shell uploaded to start with.

Ninja ZX-10RR

#19
July 22, 2014, 06:07:48 PM
I meant just to uninstall any ad-related mod and remove ANY ads from the host panel. If some still appear there is definitely an infection somewhere.
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.
I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE
Print
Go Up Pages1 2 All
User actions
Advertisement: