Our server provider has identified a couple of files in SMF that appear to contain malware. Below I attach images of the top of those files. Is this actually malware or is this standard content for these two files? If corrupted, where can I get clean versions (v2.1.4)?
They are both in the avatars folder and are called avatars.php and votes.php.
Strange file.jpg
Strange file2.jpg
Good news, I found an old version of our forums on a different server and both those files are empty. So I will clear out this malware.
Not smf files.
So, the question is, how did they get there.
I would recommend a complete replacement of all files in all directories.
Do you only run smf on that site?
If so, then delete all files except Settings.php and all directories except the avatars and attachments
(Look closely in those directories for any files except .dat or index.php)
Then load a clean set of files and reload custom themes and mods.
Also, start checking with your host about how those files got there.
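Added example, not part of the original thread and not SMF code: one way to carry out the check of the avatars and attachments directories described in the post above. It treats index.php and .dat files as expected, as the post says; tolerating image files, the function names and the constructed sample tree are assumptions made for the demonstration.

```python
import os
import tempfile

ALLOWED_NAMES = {"index.php"}                    # named in the thread
ALLOWED_EXTS = {".dat"}                          # named in the thread
IMAGE_EXTS = {".png", ".gif", ".jpg", ".jpeg"}   # assumption: avatar/attachment images
PHP_EXTS = {".php", ".phtml", ".phar"}

def audit_upload_dirs(forum_root, subdirs=("avatars", "attachments")):
    """Return sorted (relative_path, reason) pairs for files that do not belong."""
    findings = []
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(forum_root, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                ext = os.path.splitext(name)[1].lower()
                if name in ALLOWED_NAMES or ext in ALLOWED_EXTS:
                    continue  # allowed by name only; still diff against a clean copy
                rel = os.path.relpath(path, forum_root).replace(os.sep, "/")
                if ext in IMAGE_EXTS:
                    with open(path, "rb") as fh:
                        if b"<?php" in fh.read(1 << 20):
                            findings.append((rel, "image contains PHP tag"))
                elif ext in PHP_EXTS:
                    # Zero-byte files matter too: the old backup held empty placeholders
                    empty = os.path.getsize(path) == 0
                    findings.append((rel, "empty PHP placeholder" if empty else "unexpected PHP file"))
                else:
                    findings.append((rel, "unexpected file type"))
    return sorted(findings)

def build_sample_tree():  # constructed sample data, not files from the thread
    root = tempfile.mkdtemp(prefix="smf_audit_")
    samples = {
        "avatars/index.php": b"<?php // stock placeholder\n",
        "avatars/avatars.php": b"<?php // constructed stand-in\n",
        "avatars/votes.php": b"",
        "avatars/Actors/a.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "attachments/1_abc.dat": b"\x00" * 16,
        "attachments/pic.jpg": b"\xff\xd8\xff\xe0" + b"<?php // constructed\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reason in audit_upload_dirs(build_sample_tree()):
        print(f"{reason}: {rel}")
```

On a real site, point `audit_upload_dirs` at the forum root and compare any hit against the release-2.1 tree before deleting it.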
Also a thorough checkup of the server is in order too imo for any other potential infected file(s).
Thanks, I am hoping that they are the only
Quote from: Kindred on April 17, 2024, 12:55:53 PM
Not smf files.
So, the question is, how did they get there.
I would recommend a complete replacement of all files in all directories.
Do you only run smf on that site?
If so, then delete all files except Settings.php and all directories except the avatars and attachments
(Look closely in those directories for any files except .dat or index.php)
Then load a clean set of files and reload custom themes and mods.
Also, start checking with your host about how those files got there.
In answer to your questions & comments
1) If not SMF files, why do I see empty files with the same name in an old (Feb 2024) version of the forums?
2) Yes, SMF is the only thing running on this server (shared server)
3) They were discovered by a deep scan of the site by our provider, after I signed up for their protection service. Nothing else was found here, so I am hoping that the files are OK.
4) On the line with the host support desk now to find out how the files got corrupted.
Thanks for the reply, if a rebuild is required, do I just delete everything except the two named files and then re-install with a fresh copy?
No idea where the files came from, but that's a very good question.
You can find all SMF files on our GitHub if you want to check what is supposed to be there, and what they are supposed to contain though, so you can make sure yourself. https://github.com/SimpleMachines/SMF/tree/release-2.1
What are the 2 files called, and where exactly in the files were they found? EDIT : Sorry, you did mention this but I missed it. Definitely not SMF files, not even compromised SMF files but completely extra.
It wouldn't be the first time if the actual access point was a completely different account on the same shared environment, but at this point I don't want to point any fingers - Better if you work with your host to try and find out what happened.
https://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files
The two files were in the avatars folder and called avatars.php and votes.php. As mentioned above, the "old" (Feb2024) copy of our forums on a different server had both files in the folder but they were both empty.
We also had something similar on a different site on the same shared server using Coppermine.
Stefan
Yeah, sorry I just corrected my post above after I re-read your first post. So, yeah - Definitely not part of SMF, but something extra, that at this point we don't know where they came from.
Copperfield has had a lot of known security issues over the years...
But I suspect these files were dropped onto your server a long time ago and recently updated with a payload... and that implies that you have a script hidden somewhere that lets hackers have access to your system -- and they will probably do it again.
Thanks for bearing with me. I am now skittish about security so was checking the logs. I found a couple of strange (?) entries in the General category. Could these be related?
The file at "/home/dh_p6nj8d/clc-smf-test.dreamhosters.com/Themes/default/scripts/minified_e50ba16bec0f474df1e2a332ee1986a5.js" could not be created. Please make sure the parent directory has the appropriate permissions.
The file at "/home/dh_p6nj8d/clc-smf-test.dreamhosters.com/Themes/default/css/minified_453980f27a263a88ace542e129238578.css" could not be created. Please make sure the parent directory has the appropriate permissions.
Interestingly enough, these entries come from my test forums, a duplicate of the live forums, that I am using to test some changes that we are going to be making.
Any idea why they would be here and are they evidence of someone messing around in either of these two forums?
Stefan
No, those files are attempting to be created by the forum, as expected... but can not be created because the permissions won't allow it to be created
Quote from: Kindred on April 18, 2024, 10:11:58 PM
No, those files are attempting to be created by the forum, as expected... but can not be created because the permissions won't allow it to be created
If I change the permissions, will they be created again?
Stefan
Yes, unless you change the settings. There is a setting for that.
Quote from: Aleksi "Lex" Kilpinen on April 23, 2024, 03:35:29 PM
Yes, unless you change the settings. There is a setting for that.
So do I need them? Which setting, please?
TIA
Stefan
Well, they are designed to make your site load a little lighter, a little faster, but you don't really need them - so if you want, you can try turning them off
Admin -> Configuration -> Features and Options -> General -> Minimize CSS and JavaScript files.