Forum hacked? - redirections from google search results

Started by cat11, October 22, 2009, 11:20:46 AM


Kenny01

Listen, to make things easy, create a new folder on your server and move all the files that you suspect there, then check again to see if it helps.

[SAP]Francis

I never got redirected after clicking about 15 times.

Vehicles Forum

Founded By Francis Morissette

cat11

Kenny01 - OK, I'll try it tomorrow and see if it helps.

[SAP]Francis - It doesn't work every time; maybe you tried at a time when it works properly, or maybe it works only for my country's connections. My friends who live in other towns tried and they were redirected. Also, Kenny01 was redirected, as you can see below.

cat11

My host didn't respond because they were searching for so long. I was told that one day's log can be a 1GB file (only text) and that's the reason for such late contact. Anyway, they told me that there was a suspicious FTP connection but it wasn't a break-in; someone logged in normally (possibly a break-in to my PC). I've changed all FTP passwords again and did the large update again.

I don't know if it helped because at the first time just after upgrade I was redirected, later I wasn't and now I'm not. Maybe I'll just have to wait to check it.

They (host) told me that someone changed only files named:
index.***
main.***
configuration.***

I'll write here when I know something more.

cat11

Weird... my host told me that even after I did the large upgrade, in many files (that were overwritten) there WAS MALICIOUS CODE, so most probably the large upgrade files are corrupted too.  :o


If any of you can check it or ask SimpleMachines to check it, please do.

Aleksi "Lex" Kilpinen

If they are corrupted, they are corrupted on your computer. If by any chance the package were corrupted on sm.org, we would have heard about it by now.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

cat11

Yes you are right.

They had to be corrupted after overwriting. My host removed the malicious code from the remaining files and now it works OK. I'll wait to see if it's permanent.

cat11

YES!

It's OK

So maybe I'll leave this for others who have the same problem in the future:

The problem is caused by a malicious script that (most often) hacks your PC and finds the FTP password (to avoid this, don't store your password in the FTP client). Then he connects to FTP and adds his code to the files.

Code is mostly at the beginning of the file as a long sequence of characters.

Mostly the corrupted files are those whose names begin with:
Index
Main
Configuration


To solve the problem you'll need to:

IMPORTANT: Change all FTP passwords and don't store them on your PC, to avoid the same problem in the future, and:

Or:
install the Large Upgrade pack of files and overwrite the files, then manually check all infected files and remove the malicious code (some of the files can have the code)

Or:
perform a new clean SMF install in another folder and connect your database + settings.php file to it (warning: it'll probably have malicious code at the beginning of the file, so first you'll have to clean it up. Otherwise the new forum can also be infected.)

That's all. I'm sorry for any errors I might have made and for my not too good language; maybe someone will find this advice useful.  :D
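The manual check cat11 describes above (a long sequence of characters at the start of a file, most often in files whose names begin with index, main or configuration) can be scripted; this is an added example, not part of the original thread or SMF's own code. The 200-character and 4 KB thresholds, the extra "settings" prefix and the sample tree in `demo()` are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: "long sequence of characters" means an unbroken run of 200+
# non-space characters within the first 4 KB of a file. Tune both values.
HEAD_BYTES = 4096
LONG_RUN = re.compile(rb"\S{200,}")
# Name prefixes the thread reports as most often modified, plus Settings.php.
PRIORITY = ("index", "main", "configuration", "settings")


def longest_run(path):
    """Length of the longest suspicious run near the top of the file (0 if none)."""
    with open(path, "rb") as fh:
        return max(map(len, LONG_RUN.findall(fh.read(HEAD_BYTES))), default=0)


def scan_tree(root):
    """Return [(relative_path, run_length, is_priority_name)], priority names first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            run = longest_run(full)
            if run:
                rel = os.path.relpath(full, root)
                hits.append((rel, run, name.lower().startswith(PRIORITY)))
    return sorted(hits, key=lambda h: (not h[2], h[0]))


def demo():
    """Build a constructed forum tree (not real SMF files) and scan it."""
    samples = {
        "index.php": b"<?php /*" + b"QUJD" * 100 + b"*/ ?>\n<?php echo 'forum';\n",
        "Settings.php": b"<?php\n$db_name = 'smf';\n",
        "Sources/Load.php": b"<?php " + b"x9" * 150 + b"\nfunction load() {}\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `scan_tree()` on a downloaded copy of the forum directory after overwriting with the upgrade pack; every file is checked, so leftovers outside the three common names are listed too. A hit only means the file needs a look by hand, since legitimately minified files can also start with long unbroken runs.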

Aleksi "Lex" Kilpinen

The advice you gave looks good to me ;) Glad to hear you've been able to sort it all out. :)

cat11

Yes, and many thanks to you and the others who helped me, I wouldn't have managed alone   ;D

