How do I find what files on my forum have been hacked?

Started by City Builder, October 29, 2014, 02:22:42 PM

City Builder

Hi,
I believe I'm running 1.1.18 (I believe) on my forums at citybuildergames.com

One of our members just told me that he thinks my site has been hacked, since it's popping up all kinds of popup windows and new tabs, and since I have an adblocker installed I've never seen them. However, I just turned off the adblocker and sure enough, when I go to the main page on the forum I get all kinds of popups.

What do I have to do to find the hacked code?

The main popup window that appears shows in the url bar this address: soali.ir/s5/index.html
But after trying to move around in the forums all kinds of other tabs in my chrome browser open up trying to get me to download some bogus software.

Help greatly appreciated.

Arantor

I'd usually start by downloading all the files, comparing them to a known clean copy and examining what's different - and then for files that weren't stock, I'd be doing them by hand, looking for anything suspicious.

This is not a quick or easy job. A simpler approach is to just nuke all the files and replace with a known good copy and then reinstall everything - but this is probably more time intensive than hiring someone to fix it.
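One way to do the comparison Arantor describes, as an added example that is not code from this thread or from SMF: download the forum tree to a local directory, unpack the stock SMF release of the same version beside it, and run the script below. It lists files that exist only in the live copy, files whose contents differ from stock, and files written in the last N days. The `clean`/`live` directory names are assumptions, and the two demo trees are constructed so the script runs offline.

```sh
#!/bin/sh
# Added example, not code from the thread or from SMF: compare a downloaded
# copy of the forum ("live") against an unpacked stock SMF of the same
# version ("clean") and report what was added, what differs, and what was
# written recently. Directory names are assumptions; demo trees are constructed.

# Files present in LIVE but absent from CLEAN (dropped-in scripts show up here).
added_files() {
    clean=$1; live=$2
    ( cd "$live" && find . -type f | sort ) | while IFS= read -r f; do
        [ -e "$clean/$f" ] || printf '%s\n' "${f#./}"
    done
}

# Files present in both trees whose contents differ byte-for-byte.
# Legitimately modified files (mod installs, custom themes) show up here too,
# so each hit still needs a look by hand.
changed_files() {
    clean=$1; live=$2
    ( cd "$live" && find . -type f | sort ) | while IFS= read -r f; do
        if [ -e "$clean/$f" ] && ! cmp -s "$clean/$f" "$live/$f"; then
            printf '%s\n' "${f#./}"
        fi
    done
}

# Files in LIVE modified within the last DAYS days. A useful first cut, but
# timestamps can be reset by whoever wrote the files, so never rely on this alone.
recent_files() {
    ( cd "$1" && find . -type f -mtime -"$2" | sort | sed 's|^\./||' )
}

# Build two tiny trees so the functions can be exercised offline. The content
# is constructed for the demo and is not real SMF code.
make_demo_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/Sources" "$root/live/Sources"
    printf '<?php\n$db_name = "smf";\n' > "$root/clean/Settings.php"
    printf '<?php\n$db_name = "smf";\n' > "$root/live/Settings.php"
    printf 'var x = 1;\n'               > "$root/clean/script.js"
    printf 'var x = 1;\nvar y = 2;\n'   > "$root/live/script.js"    # extra line stands in for injected code
    printf '<?php // stock\n'           > "$root/clean/Sources/Load.php"
    printf '<?php // stock\n'           > "$root/live/Sources/Load.php"
    printf '<?php // not in stock\n'    > "$root/live/bot.php"       # exists only in the live tree
    # Give the untouched live files an old timestamp so the recent-files check can separate them.
    touch -t 201001010000 "$root/live/Settings.php" "$root/live/Sources/Load.php"
    echo "$root"
}

# Stand-alone run: print the three reports for the demo trees.
demo=$(make_demo_trees)
echo "== added (not in stock) =="; added_files "$demo/clean" "$demo/live"
echo "== changed vs stock =="; changed_files "$demo/clean" "$demo/live"
echo "== written in the last 2 days =="; recent_files "$demo/live" 2
rm -rf "$demo"
```

On a real forum, `added_files` is the list to read first, since stock SMF never needs a file to appear out of nowhere; `changed_files` will include every file a mod has touched, so it is a reading list rather than a verdict; and `recent_files` only helps when the intruder did not bother to reset modification times, which is why the byte-for-byte comparison is the one to trust.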

City Builder

Okay, well, I went into the likely suspect areas of the directories on the server, sorted the files by date, and found some files that were altered as recently as 2 days ago.

Something added JavaScript code to the following files:
Settings.php
script.js

And files were added named:
archivees.php (no, I didn't misspell it)
bot.php
addform.html
I cleared out what I thought was abnormal in the first two files, then downloaded the added files and deleted them off the server, and now when I go to the site there are no more popups.

Unfortunately that still leaves me to wonder or find out how this has happened so that I can prevent further happenings of this sort.
I've changed my admin password and my FTP password many times over the past 4 or more years. Every time my host did their scan of their servers they would clean out some backdoor files by removing the malicious code, renaming the file to something like filename.INFECTED.php, and putting back the original file without the malicious code. So any time they found something I would again change my admin and FTP passwords to solid 20- to 32-character alphanumeric (with special characters) passwords that were generated randomly for me by LastPass (but I never recorded them in LastPass, just on paper in my wallet, in case LastPass or my computer were to get hacked). So I'm totally stumped as to how this has happened.

Arantor

I suspect I know exactly how it happened: you bumped up file permissions to allow mod installation and didn't put them back down again, so anyone else on the same server as you could have infected you.

This is actually more common than you might think.

City Builder

So then I would look for file permissions on any and all files that are anything other than 0644?

Or should all files be at x44, which is read-only permission according to my FTP file permissions window?

Arantor

Depending on file ownership, even 644 might be too high.

444 is read only, 555 is read only on a folder.

Some things need to be write enabled though - e.g. you need attachments to be write enabled, and Settings.php needs to be write enabled under some circumstances.
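The permission audit this exchange points at, as an added example that is not code from this thread or from SMF: list every file or folder in the forum tree that group or others can write to, then reset the tree to 644 for files and 755 for folders while skipping one directory (attachments) that the web server still has to write to. The tree layout is an assumption and the demo tree is constructed so the script runs offline.

```sh
#!/bin/sh
# Added example, not code from the thread or from SMF: find files and folders
# left writable by group or others (the "bumped up" permissions described
# above), then reset the tree to 644/755 while leaving one directory alone
# for the admin to decide on. Paths and the demo tree are constructed.

# Entries under TREE that group or others may write to (-perm -020 / -002).
loose_perms() {
    ( cd "$1" && find . \( -perm -020 -o -perm -002 \) | sort | sed 's|^\./||' )
}

# Reset directories to 755 and files to 644, skipping the KEEP directory
# (e.g. attachments), which the web server must still be able to write to.
# What that directory needs depends on file ownership, so it is left untouched here.
tighten_perms() {
    tree=$1; keep=$2
    find "$tree" -path "$tree/$keep" -prune -o -type d -exec chmod 755 {} +
    find "$tree" -path "$tree/$keep" -prune -o -type f -exec chmod 644 {} +
}

# Constructed demo tree: stock-like layout with one theme folder and one
# template left at 777, the way a mod install can leave them.
make_perm_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/Themes/default" "$root/Sources" "$root/attachments"
    printf '<?php\n' > "$root/Settings.php"
    printf '<?php\n' > "$root/Sources/Load.php"
    printf '<?php\n' > "$root/Themes/default/index.template.php"
    chmod 755 "$root/Themes" "$root/Sources" "$root/attachments"
    chmod 644 "$root/Settings.php" "$root/Sources/Load.php"
    chmod 777 "$root/Themes/default" "$root/Themes/default/index.template.php"
    echo "$root"
}

# Stand-alone run: audit, tighten, audit again.
demo=$(make_perm_demo)
echo "== writable by group/others, before =="; loose_perms "$demo"
tighten_perms "$demo" attachments
echo "== writable by group/others, after =="; loose_perms "$demo"
rm -rf "$demo"
```

Run `loose_perms` on its own first and read the list before running `tighten_perms`: anything that shows up besides the attachments folder is either a leftover from a mod install or something a mod genuinely needs, and the thread's point is that the latter is rarer than people assume. Whether 644 is itself too loose depends on which user owns the files relative to the user the web server runs as, which the script cannot decide for you.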

City Builder

Hmm, all my Themes folders are listed at 0755 for some reason. Maybe I'll mess around changing the permissions to read-only to see what happens, and see if it breaks the theme we're currently using.

Does anybody know if there is a list of what the file permissions need to be on all of the SMF forum files, so that I can just go and change them all to what they should rightly be?

Arantor

I thought I just outlined that...

But making permissions read-only prevents you installing new smileys, new mods, new themes etc., and under some circumstances limits Settings.php being updated to do things like put your forum in maintenance mode.

There's no 'what they need to be', because that depends on whether you want inconvenience+paranoia or slight risk+convenience.

City Builder

You did, and I thank you. I was just curious if there was a strict rule somewhere that showed exactly what every single file and folder would be on a default installation, so that if any mods I've installed over the past many, many years might have changed files, I could change them back to the default to avoid this in the future.

I don't mind making the permissions all read-only if it's only going to stop me from adding new smileys, mods or themes, as my site is now so old and people are quite used to using it the way it's been for several years now. I just don't want to change a permission only to find out from somebody messaging me over on Steam or somewhere else that some major function of the site is dead.

Arantor

No, there isn't any such rule.

Going read only will only affect attachments in practice, because that folder does sort of need to be write enabled if you want new attachments/avatars.

Illori

Maybe a good time to consider upgrading to 2.0; given that you delete your Sources and Themes folders, that should help to make sure whatever the infection was is gone, and you will be upgraded to the latest version. If you are not going to upgrade to 2.0 now, you should in the near future. Either way, you should upgrade to 1.1.20.

City Builder

Thanks for the suggestion. I'll be quite honest... I've wanted to upgrade to 2.0 since 2.0 was first introduced, and all my other forum sites were upgraded to 2.0 once I was satisfied that it was stable (which was very soon after it was officially released). However, this particular site had so many mods installed over the past 7 or so years that I was afraid to upgrade it to 2.0, in that doing so might break some of the mods that we still do use (although we don't really use many anymore, maybe 3 to 5) and make the site unusable in its current form.

Illori

If your host upgrades to PHP 5.5, your forum will stop working altogether. Better to start working on the upgrade sooner than later.

City Builder

Okay, well, I'm trying to upgrade to 1.1.20 and just getting a long wait on the server and finally a 500 internal server error, so I guess I'll have to start chasing down the logs again (haven't had to do that in years and years) and see if I can determine why it's giving me the internal server error when trying to update to 1.1.20.

Thanks again for the info and suggestions.
