Error: "Hacking attempt..."

Started by serramagk, November 16, 2014, 12:59:48 PM


serramagk

Currently running version 2.0.9
Been using SMF for over a year and have had no problems. Earlier this week I got a message from a user that the following error message was all she got when she went to the site: "Hacking attempt..." I'm also unable to access it or the admin panel.

Currently my earliest backup only goes to Oct. 29th. I tried to have my hosting company use this restore point, but it didn't help. I know I used Softaculous maybe Sept (?) to upgrade to the latest version. I'm 99% sure I checked the forums at that point and they were fine. I also had Softaculous make a backup. In a nutshell, I really don't know when things went wrong.

I tried to follow the directions here > http://www.simplemachines.org/community/index.php?topic=487592.60 and I added require_once($sourcedir . '/DreamPortal.php'); to the index.php exactly as it says (it wasn't there prior)

To further the problem I know just enough about all this to be dangerous, and not enough to really help myself. I'm really hoping one of you can help me out, unfortunately Barney style.


kat



Got a URL, so that we can have a butcher's?


Sir Osis of Liver

You shouldn't be editing files on a crashed forum if you're not sure what you're doing.

Look in index.php,  do you see this -



// Get everything started up...
define('SMF', 1);


Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

kat

This could be phun...

Almost every file, in the "Sources" directory has this:

if (!defined('SMF'))
die('Hacking attempt...');


Now, I have to confess that I have no idea what that means other than that it's trying to find a constant named "SMF"  and it's not finding it. Now, where's that constant defined? The root index.php I'd imagine.

// Get everything started up...
define('SMF', 1);


Is that there, in yours? (I'm fishing, coz this bit's entirely new, to me). :)

Edit: NINJAD! :P

Sir Osis of Liver

Hee, hee, gotcha.

Yes, if 'SMF' is not defined in index.php, the source files will throw the error and exit.  His index.php is probably damaged, sounds like he's running DP and the call was not there, so file's been changed.

serramagk

Quote from: Krash on November 16, 2014, 03:15:16 PM
You shouldn't be editing files on a crashed forum if you're not sure what you're doing.

Look in index.php,  do you see this -



// Get everything started up...
define('SMF', 1);



No, don't see it

Sir Osis of Liver

Attach the file, let's have a look.


kat


serramagk

#9
<?php
/**
 * Copyright (c) 2014 Robin Appelman <[email protected]>
 * This file is licensed under the Affero General Public License version 3 or
 * later.
 * See the COPYING-README file.
 */
namespace OCP;
H
/**
 * This class provides an easy way for apps to store config values in the
 * database.
 */
interface IAppConfig {
/**
 * check if a key is set in the appconfig
 * @param string $app
 * @param string $key
 * @return bool
 */
public function hasKey($app, $key);

/**
 * Gets the config value
 * @param string $app app
 * @param string $key key
 * @param string $default = null, default value if the key does not exist
 * @return string the value or $default
 *
 * This function gets a value from the appconfig table. If the key does
 * not exist the default value will be returned
 */
public function getValue($app, $key, $default = null);

/**
 * Deletes a key
 * @param string $app app
 * @param string $key key
 * @return bool
 *
 * Deletes a key.
 */
public function deleteKey($app, $key);

/**
 * Get the available keys for an app
 * @param string $app the app we are looking for
 * @return array an array of key names
 *
 * This function gets all keys of an app. Please note that the values are
 * not returned.
 */
public function getKeys($app);

/**
 * get multiply values, either the app or key can be used as wildcard by setting it to false
 *
 * @param string|false $key
 * @param string|false $app
 * @return array
 */
public function getValues($app, $key);

/**
 * sets a value in the appconfig
 * @param string $app app
 * @param string $key key
 * @param string $value value
 *
 * Sets a value. If the key did not exist before it will be created.
 * @return void
 */
public function setValue($app, $key, $value);

/**
 * Get all apps using the config
 * @return array an array of app ids
 *
 * This function returns a list of all apps that have at least one
 * entry in the appconfig table.
 */
public function getApps();

/**
 * Remove app from appconfig
 * @param string $app app
 * @return bool
 *
 * Removes all keys in appconfig belonging to the app.
 */
public function deleteApp($app);
}
<?php
/**
 * This file is licensed under the Affero General Public License version 3 or
 * later.
 * See the COPYING-README file.
 */

namespace OCP;

/**
 * This class provides avatar functionality
 */

interface IAvatar {

/**
 * get the users avatar
 * @param int $size size in px of the avatar, avatars are square, defaults to 64
 * @return boolean|\OC_Image containing the avatar or false if there's no image
 */
function get($size = 64);

/**
 * sets the users avatar
 * @param Image $data mixed imagedata or path to set a new avatar
 * @throws Exception if the provided file is not a jpg or png image
 * @throws Exception if the provided image is not valid
 * @throws \OCP\NotSquareException if the image is not square
 * @return void
 */
function set($data);

/**
 * remove the users avatar
 * @return void
 */
function remove();
}
<?php
/**
 * This file is licensed under the Affero General Public License version 3 or
 * later.
 * See the COPYING-README file.
 */

namespace OCP;

/**
 * This class provides avatar functionality
 */

interface IAvatarManager {

/**
 * return a user specific instance of \OCP\IAvatar
 * @see \OCP\IAvatar
 * @param string $user the ownCloud user id
 * @return \OCP\IAvatar
 */
function getAvatar($user);
}
<?php
/**
 * ownCloud
 *
 * @author Thomas Tanghus
 * @copyright 2013 Thomas Tanghus [email protected]
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
 * License as published by the Free Software Foundation; either
 * version 3 of the License, or any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
 *
 * You should have received a copy of the GNU Affero General Public
 * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

/**
 * Public interface of ownCloud for apps to use.
 * Cache interface
 *
 */

// use OCP namespace for all classes that are considered public.
// This means that they should be used by apps instead of the internal ownCloud classes
namespace OCP;

/**
 * This interface defines method for accessing the file based user cache.
 */
interface ICache {

/**
 * Get a value from the user cache
 * @param string $key
 * @return mixed
 */
public function get($key);

/**
 * Set a value in the user cache
 * @param string $key
 * @param mixed $value
 * @param int $ttl Time To Live in seconds. Defaults to 60*60*24
 * @return bool
 */
public function set($key, $value, $ttl = 0);

/**
 * Check if a value is set in the user cache
 * @param string $key
 * @return bool
 */
public function hasKey($key);

/**
 * Remove an item from the user cache
 * @param string $key
 * @return bool
 */
public function remove($key);

/**
 * Clear the user cache of all entries starting with a prefix
 * @param string $prefix (optional)
 * @return bool
 */
public function clear($prefix = '');
}

Sir Osis of Liver

WTF?  That's not even a SMF file.  Is that the index.php in your forum root?

serramagk

I know right!? I kinda wondered WTF myself. And what's even more weird, up until this morning I haven't touched ANYTHING in months. Only thing I did was update the version.

serramagk

#12
Ok.. now going into my back up folders I have found a different index.php

<?php

/**
 * Simple Machines Forum (SMF)
 *
 * @package SMF
 * @author Simple Machines http://www.simplemachines.org
 * @copyright 2011 Simple Machines
 * @license http://www.simplemachines.org/about/smf/license.php BSD
 *
 * @version 2.0.5
 */

/* This, as you have probably guessed, is the crux on which SMF functions.
Everything should start here, so all the setup and security is done
properly.  The most interesting part of this file is the action array in
the smf_main() function.  It is formatted as so:

'action-in-url' => array('Source-File.php', 'FunctionToCall'),

Then, you can access the FunctionToCall() function from Source-File.php
with the URL index.php?action=action-in-url.  Relatively simple, no?
*/

$forum_version = 'SMF 2.0.5';

// Get everything started up...
define('SMF', 1);
if (function_exists('set_magic_quotes_runtime'))
@set_magic_quotes_runtime(0);
error_reporting(defined('E_STRICT') ? E_ALL | E_STRICT : E_ALL);
$time_start = microtime();

// This makes it so headers can be sent!
ob_start();

// Do some cleaning, just in case.
foreach (array('db_character_set', 'cachedir') as $variable)
if (isset($GLOBALS[$variable]))
unset($GLOBALS[$variable], $GLOBALS[$variable]);

// Load the settings...
require_once(dirname(__FILE__) . '/Settings.php');

// Make absolutely sure the cache directory is defined.
if ((empty($cachedir) || !file_exists($cachedir)) && file_exists($boarddir . '/cache'))
$cachedir = $boarddir . '/cache';

// And important includes.
require_once($sourcedir . '/QueryString.php');
require_once($sourcedir . '/Subs.php');
require_once($sourcedir . '/Errors.php');
require_once($sourcedir . '/Load.php');
require_once($sourcedir . '/Security.php');

// Using an pre-PHP 5.1 version?
if (@version_compare(PHP_VERSION, '5.1') == -1)
require_once($sourcedir . '/Subs-Compat.php');

// If $maintenance is set specifically to 2, then we're upgrading or something.
if (!empty($maintenance) && $maintenance == 2)
db_fatal_error();

// Create a variable to store some SMF specific functions in.
$smcFunc = array();

// Initate the database connection and define some database functions to use.
loadDatabase();

// Load the settings from the settings table, and perform operations like optimizing.
reloadSettings();
// Clean the request variables, add slashes, etc.
cleanRequest();
$context = array();

// Seed the random generator.
if (empty($modSettings['rand_seed']) || mt_rand(1, 250) == 69)
smf_seed_generator();

// Before we get carried away, are we doing a scheduled task? If so save CPU cycles by jumping out!
if (isset($_GET['scheduled']))
{
require_once($sourcedir . '/ScheduledTasks.php');
AutoTask();
}

// Check if compressed output is enabled, supported, and not already being done.
if (!empty($modSettings['enableCompressedOutput']) && !headers_sent())
{
// If zlib is being used, turn off output compression.
if (@ini_get('zlib.output_compression') == '1' || @ini_get('output_handler') == 'ob_gzhandler' || @version_compare(PHP_VERSION, '4.2.0') == -1)
$modSettings['enableCompressedOutput'] = '0';
else
{
ob_end_clean();
ob_start('ob_gzhandler');
}
}

// Register an error handler.
set_error_handler('error_handler');

// Start the session. (assuming it hasn't already been.)
loadSession();

// Determine if this is using WAP, WAP2, or imode.  Technically, we should check that wap comes before application/xhtml or text/html, but this doesn't work in practice as much as it should.
if (isset($_REQUEST['wap']) || isset($_REQUEST['wap2']) || isset($_REQUEST['imode']))
unset($_SESSION['nowap']);
elseif (isset($_REQUEST['nowap']))
$_SESSION['nowap'] = true;
elseif (!isset($_SESSION['nowap']))
{
if (isset($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'application/vnd.wap.xhtml+xml') !== false)
$_REQUEST['wap2'] = 1;
elseif (isset($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'text/vnd.wap.wml') !== false)
{
if (strpos($_SERVER['HTTP_USER_AGENT'], 'DoCoMo/') !== false || strpos($_SERVER['HTTP_USER_AGENT'], 'portalmmm/') !== false)
$_REQUEST['imode'] = 1;
else
$_REQUEST['wap'] = 1;
}
}

if (!defined('WIRELESS'))
define('WIRELESS', isset($_REQUEST['wap']) || isset($_REQUEST['wap2']) || isset($_REQUEST['imode']));

// Some settings and headers are different for wireless protocols.
if (WIRELESS)
{
define('WIRELESS_PROTOCOL', isset($_REQUEST['wap']) ? 'wap' : (isset($_REQUEST['wap2']) ? 'wap2' : (isset($_REQUEST['imode']) ? 'imode' : '')));

// Some cellphones can't handle output compression...
$modSettings['enableCompressedOutput'] = '0';
// !!! Do we want these hard coded?
$modSettings['defaultMaxMessages'] = 5;
$modSettings['defaultMaxTopics'] = 9;

// Wireless protocol header.
if (WIRELESS_PROTOCOL == 'wap')
header('Content-Type: text/vnd.wap.wml');
}

// Restore post data if we are revalidating OpenID.
if (isset($_GET['openid_restore_post']) && !empty($_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]['post']) && empty($_POST))
{
$_POST = $_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]['post'];
unset($_SESSION['openid']['saved_data'][$_GET['openid_restore_post']]);
}

// What function shall we execute? (done like this for memory's sake.)
call_user_func(smf_main());

// Call obExit specially; we're coming from the main area ;).
obExit(null, null, true);

// The main controlling function.
function smf_main()
{
global $modSettings, $settings, $user_info, $board, $topic, $board_info, $maintenance, $sourcedir;

// Special case: session keep-alive, output a transparent pixel.
if (isset($_GET['action']) && $_GET['action'] == 'keepalive')
{
header('Content-Type: image/gif');
die("\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B");
}

// Load the user's cookie (or set as guest) and load their settings.
loadUserSettings();

// Load the current board's information.
loadBoard();

// Load the current user's permissions.
loadPermissions();

// Attachments don't require the entire theme to be loaded.
if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'dlattach' && (!empty($modSettings['allow_guestAccess']) && $user_info['is_guest']))
detectBrowser();
// Load the current theme.  (note that ?theme=1 will also work, may be used for guest theming.)
else
loadTheme();

// Check if the user should be disallowed access.
is_not_banned();

// If we are in a topic and don't have permission to approve it then duck out now.
if (!empty($topic) && empty($board_info['cur_topic_approved']) && !allowedTo('approve_posts') && ($user_info['id'] != $board_info['cur_topic_starter'] || $user_info['is_guest']))
fatal_lang_error('not_a_topic', false);

// Do some logging, unless this is an attachment, avatar, toggle of editor buttons, theme option, XML feed etc.
if (empty($_REQUEST['action']) || !in_array($_REQUEST['action'], array('dlattach', 'findmember', 'jseditor', 'jsoption', 'requestmembers', 'smstats', '.xml', 'xmlhttp', 'verificationcode', 'viewquery', 'viewsmfile')))
{
// Log this user as online.
writeLog();

// Track forum statistics and hits...?
if (!empty($modSettings['hitStats']))
trackStats(array('hits' => '+'));
}

// Is the forum in maintenance mode? (doesn't apply to administrators.)
if (!empty($maintenance) && !allowedTo('admin_forum'))
{
// You can only login.... otherwise, you're getting the "maintenance mode" display.
if (isset($_REQUEST['action']) && ($_REQUEST['action'] == 'login2' || $_REQUEST['action'] == 'logout'))
{
require_once($sourcedir . '/LogInOut.php');
return $_REQUEST['action'] == 'login2' ? 'Login2' : 'Logout';
}
// Don't even try it, sonny.
else
{
require_once($sourcedir . '/Subs-Auth.php');
return 'InMaintenance';
}
}
// If guest access is off, a guest can only do one of the very few following actions.
elseif (empty($modSettings['allow_guestAccess']) && $user_info['is_guest'] && (!isset($_REQUEST['action']) || !in_array($_REQUEST['action'], array('coppa', 'login', 'login2', 'register', 'register2', 'reminder', 'activate', 'help', 'smstats', 'mailq', 'verificationcode', 'openidreturn'))))
{
require_once($sourcedir . '/Subs-Auth.php');
return 'KickGuest';
}
elseif (empty($_REQUEST['action']))
{
// Action and board are both empty... BoardIndex!
if (empty($board) && empty($topic))
{
require_once($sourcedir . '/BoardIndex.php');
return 'BoardIndex';
}
// Topic is empty, and action is empty.... MessageIndex!
elseif (empty($topic))
{
require_once($sourcedir . '/MessageIndex.php');
return 'MessageIndex';
}
// Board is not empty... topic is not empty... action is empty.. Display!
else
{
require_once($sourcedir . '/Display.php');
return 'Display';
}
}

// Here's the monstrous $_REQUEST['action'] array - $_REQUEST['action'] => array($file, $function).
$actionArray = array(
'activate' => array('Register.php', 'Activate'),
'admin' => array('Admin.php', 'AdminMain'),
'announce' => array('Post.php', 'AnnounceTopic'),
'attachapprove' => array('ManageAttachments.php', 'ApproveAttach'),
'buddy' => array('Subs-Members.php', 'BuddyListToggle'),
'calendar' => array('Calendar.php', 'CalendarMain'),
'clock' => array('Calendar.php', 'clock'),
'collapse' => array('BoardIndex.php', 'CollapseCategory'),
'coppa' => array('Register.php', 'CoppaForm'),
'credits' => array('Who.php', 'Credits'),
'deletemsg' => array('RemoveTopic.php', 'DeleteMessage'),
'display' => array('Display.php', 'Display'),
'dlattach' => array('Display.php', 'Download'),
'editpoll' => array('Poll.php', 'EditPoll'),
'editpoll2' => array('Poll.php', 'EditPoll2'),
'emailuser' => array('SendTopic.php', 'EmailUser'),
'findmember' => array('Subs-Auth.php', 'JSMembers'),
'groups' => array('Groups.php', 'Groups'),
'help' => array('Help.php', 'ShowHelp'),
'helpadmin' => array('Help.php', 'ShowAdminHelp'),
'im' => array('PersonalMessage.php', 'MessageMain'),
'jseditor' => array('Subs-Editor.php', 'EditorMain'),
'jsmodify' => array('Post.php', 'JavaScriptModify'),
'jsoption' => array('Themes.php', 'SetJavaScript'),
'lock' => array('LockTopic.php', 'LockTopic'),
'lockvoting' => array('Poll.php', 'LockVoting'),
'login' => array('LogInOut.php', 'Login'),
'login2' => array('LogInOut.php', 'Login2'),
'logout' => array('LogInOut.php', 'Logout'),
'markasread' => array('Subs-Boards.php', 'MarkRead'),
'mergetopics' => array('SplitTopics.php', 'MergeTopics'),
'mlist' => array('Memberlist.php', 'Memberlist'),
'moderate' => array('ModerationCenter.php', 'ModerationMain'),
'modifycat' => array('ManageBoards.php', 'ModifyCat'),
'modifykarma' => array('Karma.php', 'ModifyKarma'),
'movetopic' => array('MoveTopic.php', 'MoveTopic'),
'movetopic2' => array('MoveTopic.php', 'MoveTopic2'),
'notify' => array('Notify.php', 'Notify'),
'notifyboard' => array('Notify.php', 'BoardNotify'),
'openidreturn' => array('Subs-OpenID.php', 'smf_openID_return'),
'pm' => array('PersonalMessage.php', 'MessageMain'),
'post' => array('Post.php', 'Post'),
'post2' => array('Post.php', 'Post2'),
'printpage' => array('Printpage.php', 'PrintTopic'),
'profile' => array('Profile.php', 'ModifyProfile'),
'quotefast' => array('Post.php', 'QuoteFast'),
'quickmod' => array('MessageIndex.php', 'QuickModeration'),
'quickmod2' => array('Display.php', 'QuickInTopicModeration'),
'recent' => array('Recent.php', 'RecentPosts'),
'register' => array('Register.php', 'Register'),
'register2' => array('Register.php', 'Register2'),
'reminder' => array('Reminder.php', 'RemindMe'),
'removepoll' => array('Poll.php', 'RemovePoll'),
'removetopic2' => array('RemoveTopic.php', 'RemoveTopic2'),
'reporttm' => array('SendTopic.php', 'ReportToModerator'),
'requestmembers' => array('Subs-Auth.php', 'RequestMembers'),
'restoretopic' => array('RemoveTopic.php', 'RestoreTopic'),
'search' => array('Search.php', 'PlushSearch1'),
'search2' => array('Search.php', 'PlushSearch2'),
'sendtopic' => array('SendTopic.php', 'EmailUser'),
'smstats' => array('Stats.php', 'SMStats'),
'suggest' => array('Subs-Editor.php', 'AutoSuggestHandler'),
'spellcheck' => array('Subs-Post.php', 'SpellCheck'),
'splittopics' => array('SplitTopics.php', 'SplitTopics'),
'stats' => array('Stats.php', 'DisplayStats'),
'sticky' => array('LockTopic.php', 'Sticky'),
'theme' => array('Themes.php', 'ThemesMain'),
'trackip' => array('Profile-View.php', 'trackIP'),
'about:mozilla' => array('Karma.php', 'BookOfUnknown'),
'about:unknown' => array('Karma.php', 'BookOfUnknown'),
'unread' => array('Recent.php', 'UnreadTopics'),
'unreadreplies' => array('Recent.php', 'UnreadTopics'),
'verificationcode' => array('Register.php', 'VerificationCode'),
'viewprofile' => array('Profile.php', 'ModifyProfile'),
'vote' => array('Poll.php', 'Vote'),
'viewquery' => array('ViewQuery.php', 'ViewQuery'),
'viewsmfile' => array('Admin.php', 'DisplayAdminFile'),
'who' => array('Who.php', 'Who'),
'.xml' => array('News.php', 'ShowXmlFeed'),
'xmlhttp' => array('Xml.php', 'XMLhttpMain'),
);

// Allow modifying $actionArray easily.
call_integration_hook('integrate_actions', array(&$actionArray));

// Get the function and file to include - if it's not there, do the board index.
if (!isset($_REQUEST['action']) || !isset($actionArray[$_REQUEST['action']]))
{
// Catch the action with the theme?
if (!empty($settings['catch_action']))
{
require_once($sourcedir . '/Themes.php');
return 'WrapAction';
}

// Fall through to the board index then...
require_once($sourcedir . '/BoardIndex.php');
return 'BoardIndex';
}

// Otherwise, it was set - so let's go to that action.
require_once($sourcedir . '/' . $actionArray[$_REQUEST['action']][0]);
return $actionArray[$_REQUEST['action']][1];
}

?>

Sir Osis of Liver

That can't be index.php from your forum, you wouldn't be getting the hack error.  You need to find /equinox_forum/index.php.

kat

Attach, please. :)

Pasting it can make it lose formatting, unless you use code tags.

Ta!

Sir Osis of Liver

Yes, the backup looks ok.  You have to upload it to your forum root to replace what's there.

serramagk

Promise, I triple checked. That's exactly the file that's there as index.php
Attaching the backup...

Sir Osis of Liver

That backup is 2.0.5.  You may have to restore the entire backup, then upgrade to 2.0.9.  Don't believe there were any changes to the database from 2.0.5 to 2.0.9, but not certain.  K@?

kat

I don't think there were ANY... But, I wouldn't swear on that. Changelog?

serramagk

OK.. so when I look at the file by downloading it, it looks like it should. However when I open it via the CPanel it looks like the first file I attached.
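
Added example, not part of the thread and not SMF's own code: a small Python triage of a forum's index.php for the symptoms discussed above (no define('SMF', ...), several files concatenated, foreign namespaces, a version header that does not match the installed release). The function names and both sample files are constructed for illustration, and the namespace check assumes SMF 2.0's index.php declares none.

```python
import re

# Patterns modelled on the code quoted in this thread.
ENTRY_DEFINE = re.compile(r"define\(\s*['\"]SMF['\"]\s*,")
SOURCE_GUARD = re.compile(
    r"if\s*\(\s*!\s*defined\(\s*['\"]SMF['\"]\s*\)\s*\)\s*die\(")
OPEN_TAG = re.compile(r"<\?php\b")
NAMESPACE = re.compile(r"^\s*namespace\s+([A-Za-z_\\][\w\\]*)\s*;", re.M)
VERSION = re.compile(r"@version\s+(\S+)")

# Constructed sample: shaped like the 2.0.5 backup posted above.
GOOD_INDEX = """<?php
/**
 * @package SMF
 * @version 2.0.5
 */
$forum_version = 'SMF 2.0.5';
define('SMF', 1);
function smf_main()
{
}
"""

# Constructed sample: shaped like the file found in place of index.php.
BAD_INDEX = """<?php
namespace OCP;
interface IAppConfig {
public function hasKey($app, $key);
}
<?php
namespace OCP;
interface IAvatar {
function remove();
}
"""


def has_direct_access_guard(source_text):
    """True if a Sources file dies unless the SMF constant is defined."""
    return bool(SOURCE_GUARD.search(source_text))


def triage_entry_point(text, expected_version):
    """Return findings for an index.php; an empty list means it looks sane."""
    findings = []
    if not ENTRY_DEFINE.search(text):
        findings.append("no define('SMF', ...): Sources files will die "
                        "with 'Hacking attempt...'")
    if "function smf_main" not in text:
        findings.append("no smf_main() dispatcher")
    tags = len(OPEN_TAG.findall(text))
    if tags > 1:
        findings.append(f"{tags} '<?php' open tags: several files "
                        "appear to be concatenated")
    namespaces = sorted(set(NAMESPACE.findall(text)))
    if namespaces:
        findings.append("foreign namespace(s): " + ", ".join(namespaces))
    match = VERSION.search(text)
    found = match.group(1) if match else None
    if found != expected_version:
        findings.append(f"@version is {found}, expected {expected_version}")
    return findings


if __name__ == "__main__":
    for name, text in (("backup", GOOD_INDEX), ("live", BAD_INDEX)):
        print(name, triage_entry_point(text, "2.0.9"))
```

Run it against the bytes the web server actually reads (for example a copy fetched over FTP/SFTP), since the thread ends with the control panel view and the downloaded file disagreeing.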
