Error after being hacked

Started by carolk1099, July 02, 2009, 04:10:04 PM

carolk1099

Hello,
I have a problem with some of my files after being hacked.  I performed a backup before going to 1.1.9 but I did not perform one after upgrading.  Well of course the next day after upgrading to 1.1.9 I was hacked and had to revert back to my backup (1.1.8).

When I go into the admin it indicates my software is out of date (1.1.8) and that I need to update it.  When I try to upgrade I get "Test failed" on the following files.  I think I've messed up enough trying things myself - could someone please advise me how to correct this?

Thank you!

2.   Execute Modification   ./Sources/Display.php   Test failed
3.   Execute Modification   ./Sources/Load.php   Test failed
4.   Execute Modification   ./Sources/ManageAttachments.php   Test failed
5.   Execute Modification   ./Sources/PackageGet.php   Test failed
6.   Execute Modification   ./Sources/Post.php   Test failed
7.   Execute Modification   ./Sources/Profile.php   Test failed
8.   Execute Modification   ./Sources/QueryString.php   Test failed
9.   Execute Modification   ./Sources/Security.php   Test failed
10.   Execute Modification   ./Sources/Subs.php   Test failed
11.   Execute Modification   ./Sources/Subs-Graphics.php   Test failed
12.   Execute Modification   ./Sources/Subs-Members.php   Test failed
13.   Execute Modification   ./Sources/Subs-Post.php   Test failed
14.   Execute Modification   ./Themes/default/ManageAttachments.template.php   Test failed
15.   Execute Modification   ./Themes/default/Recent.template.php   Test failed

Norv

Please check out: 1.1.8/2.0 RC1 Exploit Utility - kb_scan.php, and let us know the results of scanning your forum with the script, as advised there.

On another note, the files may not be recognized by the package manager because many mods may have changed them, but in that case you probably should have got it when you first performed the upgrade on these files. Did you have the error before?
Please post as attachment here, at least one of these files, for us to take a quick look. Maybe they are actually hacked or something.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

carolk1099

Thank you for the link and the script.  I ran it and everything is green. 

I believe the reason I'm having problems is that I had to delete a lot of files because they had been changed. 

I don't have mods on my forum so no problem there.  The only thing that I've done was change the theme.

After looking at all the files that the upgrade fails on, each one has another file with a "~" and the same name.  I'm new to this but aren't those backup files?  What I don't understand is why they seem to be conflicting.  But I guess a better question now is how to fix this. 

Everything for the most part is working normal.  Everyone is logging in posting etc but one thing I have noticed is anyone that forgets their password and tries to retrieve it doesn't receive the password in their email.  Not sure if this is related but something that is new.

Thanks again for your help.

JimM

Welcome to SMF.

Yes, the files with the tilde "~" are backups of recently changed files.

Did you get upgraded back to 1.1.9?  If not and you don't have any mods the easiest way to upgrade would be to obtain the large 1.1.9 upgrade package and follow these instructions:

Upgrade SMF

SMF does not send a new password by email.  It sends a link to the registered email address that can be clicked and a new password entered.
Jim "JimM" Moore
Former Support Specialist

carolk1099

Thank you for the welcome  ;D

When I originally upgraded after the "break in" only part of the upgrade worked; this is when I tried to go from 1.1.8 to 1.1.9.

I have a question about using the full kit. I of course have all my files in the SMF folder now should I run the install or should I just replace those files that I'm having problems with?  The reason I'm asking this is because when I FTP my files into the file it will ask me if I want to overwrite the old file.  Very sorry if this seems like a very simple question I just don't want to mess up my forum and cause even more work because I didn't ask before going forward.

Thank you for all the help!

Norv

If you didn't run the upgrade script (upgrade.php) successfully yet on this forum, then you should do so, apart from the files being overwritten when uploading on FTP.
As said before, the large upgrade package to 1.1.9 would be the best choice, as you have no mods and you get a cleaner installation (it replaces practically all the files in the SMF installation).

carolk1099

Yes!!!  I got it upgraded without any errors!  Thank you for all your help on this Norv and JimM!

I do have one more question.  Before I upgraded I looked at all the folders and the location I felt the hacker was allowed to access.  I had down for the users to access the attachment area.  This is where I found the code and the only place the person had access.  They created an account but instead of an avatar they dropped in their little file. 

I now have it so members can't use the attachment area but before I upgraded I found 3 files in the attachment area - again!  One was from yesterday.  So my question - is the system using this area?  The attachment is a "file" type and this is one of the names "32_f96b5f943f720078d101c280c660f8c32aab4745".  I downloaded the file, scanned it and nothing came up.  I tried to open it with notepad but it's just a bunch of numbers, letters, symbols etc. 

Could someone tell me if these are created by SMF or not?


Thank you!

Norv

I don't see how it could be created by SMF, unless simply a member or admin uploaded an attachment. Can you please attach the file(s)?
That the filename starts with 32 seems ... interesting. (krisbarteo methods are known to use the number 32, a weird coincidence)

carolk1099

Here's one of the attachments.  I scanned it with my AV software and nothing came up so . . .

Thank you for looking at this for me.  I've removed them from the attachment area just in case.  Everything with SMF is running fine so not sure where they came from.

carolk1099

All is good - I found out why and who was putting the files in the attachment area.  It was one of my moderators - uploading their avatar.  I guess even though I selected the no attachments moderators can do it regardless.  After going through my CP to look at the file it's a PNG.

Thank you for all your help!
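A way to triage an attachments directory like the one discussed in this thread, as an added example that is not part of the original posts and is not SMF's own code: it identifies each file by its magic bytes rather than its name and flags anything that is not an image or that contains a PHP open tag. The filename pattern is an assumption inferred from the single name quoted above, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed pattern, inferred from the one name quoted in the thread:
# "<numeric id>_<40 hex characters>", with no extension.
NAME_RE = re.compile(r"^(\d+)_([0-9a-f]{40})$")

MAGIC = {  # leading bytes of the image types an avatar could be
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",  # covers GIF87a and GIF89a
}

def sniff(data: bytes) -> str:
    """Identify a file by its magic bytes, not by its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(directory: Path) -> list:
    """Return one record per file, with the reasons to look closer."""
    report = []
    for path in sorted(p for p in directory.iterdir() if p.is_file()):
        data = path.read_bytes()
        kind, flags = sniff(data), []
        if not NAME_RE.match(path.name):
            flags.append("unexpected-name")
        if kind == "unknown":
            flags.append("not-an-image")
        if b"<?php" in data.lower():
            flags.append("php-tag")
        report.append({"name": path.name, "kind": kind, "flags": flags})
    return report

def demo() -> list:
    """Run triage over constructed sample files in a temporary directory."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed: header only
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / ("31_" + "a" * 40)).write_bytes(png)
        (d / "32_f96b5f943f720078d101c280c660f8c32aab4745").write_bytes(png)
        (d / ("33_" + "b" * 40)).write_bytes(b"<?php /* constructed */ ?>")
        (d / "notes.txt").write_bytes(b"constructed plain text")
        return triage(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A file that sniffs as an image but still carries the `php-tag` flag deserves the same attention as one that is not an image at all.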

Norv

Ah I see. This is a funny coincidence then... Do the other file names start with 31_ or 33_ ?

carolk1099

Yes they were numbered sequentially 31_ . . . , 32_ . . . , 33_ . . .  When I deleted it his avatar disappeared.  Very strange that it numbers them like this.

Norv

However, it's okay, SMF does that :)
At least there's no illegitimate touch of the files.

Good to know it all worked out now!
Please feel free to mark the topic as solved then, in case you consider it solved. (using the green link on the bottom left of the page)

carolk1099

Great and thank you for all the help!
