
my forum was hacked and how do i fix it?

Started by planetcare, April 12, 2024, 11:13:05 PM


planetcare

This is from my web host:

Hi,
We would like to inform you that from our side we did not change any server configurations,
but regarding the malware redirection on your previous ticket 356578:
We may have found these 2 suspicious files in your website files that probably caused the malware URL redirection issue:
 - \httpdocs\Themes\default\sha1.js
 - \httpdocs\Themes\default\scripts\script.js
We are assuming the hacker has injected into those 2 files through your website CMS.
We also do not know whether those 2 files are your true website files or not, but if we do not take action on those 2 files, your website might have the malware URL redirection issue again.
For now, we have renamed both of those 2 files to:
 - \httpdocs\Themes\default\sha1-Suspected.js
 - httpdocs\Themes\default\scripts\script - Suspected.js
Renaming those 2 files might be causing your smiley forum issue, but as per our earlier explanation, we need to rename those 2 files to avoid the URL malware redirection.
If we do not rename those 2 files, the previous URL malware redirection issue will happen again.
Therefore, please kindly escalate to your website developer to check and fix the malware issue in those 2 files: sha1.js and script.js.
After your website developer fixes the malware URL issue, you can try to re-upload both of those files.
Help please!

Diego Andrés

You should first figure out how someone else managed to get access to the server, or if an administrator account was compromised.

SMF Tricks - Free & Premium Responsive Themes for SMF.

Aleksi "Lex" Kilpinen

The first thing you should do is make sure the files really are infected. So, is your host right, or are they simply sharing a false positive with you?
I wouldn't trust "probably caused" as a diagnosis easily.

Compare them to the originals: are they the same size? If they are the same size, do they have the same contents? If not, what is different?
If they are infected, yes, the next step is to try and figure out how that happened. Logs could help; your host should also be able to help with the logs.


 
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

planetcare

Quote from: Aleksi "Lex" Kilpinen on April 13, 2024, 02:17:14 AM
First thing you should do dare they the same size? If they are the same size, do they have the same contents? If not, what is different?
If they are infected, yes the next step is to try and figure out how that happened. Logs could help, your host should also be able to help with the logs.


 

When anyone tried to access my site a malware warning came up; the malware attempted to redirect you to a .biz site. Other than that it did not cause any other problems when hxxp:blocked.now [nonactive]. Because of what the host has done I have no smileys, can't log out normally or directly load images. The host wants to fix the problem by deleting the database and everything else and doing a clean install; 14 years of posts etc. then down the drain!

@rjen

These kinds of infections are usually in files, not the database. Whatever happens, first take a full database backup using phpMyAdmin and save that locally!
Running SMF 2.1 with latest TinyPortal at www.fjr-club.nl

Kindred

Why would the host want to delete the database???

Who is your host?

Anyway... clean **FILES** sounds like a good idea.
First, check as Lex suggested: ARE those files ACTUALLY infected?

Cleaning is easy.
Backup Backup Backup Backup Backup
Then
Reset the forum and all users to the default theme
Delete all files and directories, except Settings.php and the attachments and avatars directories. Keep those.
Get the large upgrade ZIP.
Upload the contents of that to your site.
Use repair_settings.php to remove mod hooks, if needed
Reinstall custom theme(s)
Reinstall mods
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

planetcare

This is the latest response from my forum host after I sent them all your posts. They seem to be wiping their hands of the issue?
Hi,
Thank you for contacting us.
Regarding this issue, we checked that this issue is related to your previous ticket #783759 - forum changes, and as previously informed by our partner, we may have found these 2 suspicious files in your website files that probably caused the malware URL redirection issue:
 - \httpdocs\Themes\default\sha1.js
 - \httpdocs\Themes\default\scripts\script.js
Since every website has its own script structure and only the web developer understands the most about their code, including their own website structure, and based on the screenshot provided, the detailed technical procedures can only be done from the developer side. You can download all your website files from hosting to your local side; then we suggest consulting with a web developer and proceeding with troubleshooting the website issue from the local side. After the troubleshooting is completed, you can re-upload all your website files from the local to the hosting side.
Please kindly check it again from your end.
If there's any issue or you need further assistance, please don't hesitate to contact us.
Thank you.

Doug Heffernan

What is your exact forum version? It looks to me like your host is trying to pass the buck. Can you ask them to tell you how exactly the hackers managed to get access to your server space? Are you on shared hosting, btw, or do you manage your own Dedicated/Vpn box?

Anyways, can you try the following? Overwrite your forum files with a fresh set from the large 2.0.19 upgrade package, minus the upgrade files. That will clean up any infected file(s), but it will also uninstall all your mods and undo any manual edits done to the files.

Kindred

Quote from: Kindred on April 13, 2024, 04:37:44 AMWhy would the host want to delete the database?? ?? ??

Who is your host?

Anyway...  clean **FILES** sounds like a good idea.
First, check as Lex suggested. ARE those files ACTUALLY  infected.

Cleaning is easy.
Backup Backup Backup Backup Backup
Then
Reset the forum and all users to the default theme
Delete all files and directories ----except Settings.php and attachments and avatars directories.  Keep those.
Get the large upgrade ZIP.
Upload the contents of that to your site.
Use repair_settings.php to remove mod hooks, if needed
Reinstall custom theme(s)
Reinstall mods


Sesquipedalian

Themes\default\sha1.js is not part of standard SMF. You could try removing it and see if that solves the problem.

Themes\default\scripts\script.js is part of standard SMF. You could try uploading a clean copy of it and see if that solves the problem. You can do this by downloading the SMF 2.0.19 install package, extracting it on your local computer, and then uploading that one file to your server.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.
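Lex's advice to compare the files against the originals, and Sesquipedalian's point that sha1.js is not shipped with SMF while script.js is, both come down to diffing the live tree against a clean package. The script below is an added example, not code from the thread or from SMF; it assumes the clean package is unpacked locally and is the same SMF version as the forum (planetcare's is 2.1.4, so not the 2.0.19 package suggested earlier in the thread), and the two demo trees it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread or of SMF: compare a live forum tree
# against a clean copy of the SAME SMF version and list added/modified/missing
# files. A file under Themes/default that the package does not ship (sha1.js in
# the thread) shows up as ADDED; a shipped file with altered contents shows up
# as MODIFIED. Usage: compare_trees <clean_dir> <live_dir>

compare_trees() {
    clean="$1"
    live="$2"
    # Walk the live tree: anything not in the package is ADDED, anything whose
    # bytes differ from the package copy is MODIFIED (a matching size is not enough).
    (cd "$live" && find . -type f | sort) | while read -r f; do
        if [ ! -e "$clean/$f" ]; then
            echo "ADDED    $f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            echo "MODIFIED $f"
        fi
    done
    # Walk the package: files it ships that the live tree lacks are MISSING.
    (cd "$clean" && find . -type f | sort) | while read -r f; do
        [ -e "$live/$f" ] || echo "MISSING  $f"
    done
}

# Constructed demo: two tiny trees with placeholder contents (not real SMF code).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/Themes/default/scripts" "$tmp/live/Themes/default/scripts"
    printf '// clean script placeholder\n' > "$tmp/clean/Themes/default/scripts/script.js"
    printf 'clean index placeholder\n' > "$tmp/clean/index.php"
    cp "$tmp/clean/Themes/default/scripts/script.js" "$tmp/live/Themes/default/scripts/script.js"
    cp "$tmp/clean/index.php" "$tmp/live/index.php"
    # Shipped file with one extra line appended: same name and layout, different bytes.
    printf '// constructed extra line standing in for injected code\n' >> "$tmp/live/Themes/default/scripts/script.js"
    # A file the package never shipped, like the thread's Themes/default/sha1.js.
    printf '// constructed file\n' > "$tmp/live/Themes/default/sha1.js"
    compare_trees "$tmp/clean" "$tmp/live"
    rm -rf "$tmp"
}

demo
```

Run compare_trees against the unpacked package directory and a local download of the live site; any ADDED file under Themes deserves a close look, and MODIFIED files are candidates for replacement from the package once the database backup @rjen recommends is safely stored.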

planetcare

Quote from: Doug Heffernan on April 13, 2024, 09:32:42 AM
What is your exact forum version? It looks to me like your host is trying to pass the buck. Can you ask them to tell you how exactly the hackers managed to get access to your server space? Are you on shared hosting, btw, or do you manage your own Dedicated/Vpn box?

Anyways, can you try the following? Overwrite your forum files with a fresh set from the large 2.0.19 upgrade package, minus the upgrade files. That will clean up any infected file(s), but it will also uninstall all your mods and undo any manual edits done to the files.
My forum version is SMF 2.1.4
Best regards,
Planetcare

Doug Heffernan

Quote from: planetcare on April 13, 2024, 07:11:47 PM
My forum version is SMF 2.1.4

In that case I moved this to the 2.1 support board.

Have you tried all the suggestions posted above or has this been solved?


planetcare

Sadly, things have gone from bad to worse on my forum, as the host seems to have no idea what to do!
The latest from my host:

We have taken several steps to address suspicious files on your website, as previously discussed in tickets #783759 and #770439. However, when implementing the 'script.js' file from the original installer, an error was found displaying 'smc_PopupMenu not defined', which caused the dropdown menu on the username to not work as depicted in the attached screenshot 'inspect-element.png'.
Upon further investigation, it was found that the dropdown menu worked fine when using the presumed 'script.js' file. This suggests that the 'smc_PopupMenu' function may be contained within a suspicious file.
Additionally, unusual lines of code were identified within the suspicious 'script.js' file, as depicted in the attached screenshot 'suspect-script.png'. Due to the complexity of the code and our limited understanding, further investigation was challenging.
As a temporary measure to mitigate the website injection issue, we have chosen to continue using the 'script.js' file from the original SMF 2.0.19 installer.



Aleksi "Lex" Kilpinen
