Hacked 1_backuptoaster.php ???

Started by Astra_200, February 02, 2011, 07:17:29 AM


Astra_200

Hi there.

My forum has had its account suspended and blacklisted for sending lots of spam mail. I am using 2.0 RC1.2 with anti bot, and stop forum spam mods.

My ISP has said that a Perl script was used to send outgoing mail, and a PHP script (called 1_backuptoaster.php) was also used in the exploit.
They also added "Your account is the only one on the server that's been sending out spam emails based on the mail logs - fortunately the exploit has not spread to other accounts, again implying it's most likely SMF related!"

I have not updated the forum for a couple of months, nor added any new mods. I have also Googled 1_backuptoaster.php and not found anything on it.

Thankfully my ISP is working hard to get me back online but is afraid the problem may start again despite not seeing anything suspicious in my files.

I intend to upgrade to RC4 when I can get access again. I want to keep all the posts and pictures I have in backups, but can I delete all the mods, custom theme, and gallery and start all over and re-import pics and posts into the upgraded forum?

Also does anyone have any idea how this could have happened?

Thanks in advance.








Aleksi "Lex" Kilpinen

I do not remember exactly what vulnerabilities were patched in RC4, but I still believe it is unlikely, to say the least, that this was done directly and only through SMF.
What mods do you have installed, and do you have any other scripts running besides SMF?
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Astra_200

Hi LexArma

I can't give you a list of mods right now as I can't get into the site yet. I am running Simple Portal and Avea Media and a handful of others.

To my knowledge no other scripts running.

Aleksi "Lex" Kilpinen

At least SP I know to have had some security issues in the older versions, and they say on their own site that

Quote
We urge all users to upgrade to SimplePortal 2.3.3 as soon as possible to take advantage of the bug fixes. If you are currently running SMF 2.0 RC3 and SP 2.3.2, we strongly encourage you to upgrade both to the latest version to have the latest security features and bugfixes

But that doesn't mean that is to blame either, it's just a possibility.

Astra_200

Thank you, I fully intend to upgrade everything when I get access again.

I need to know if I can put pics and the 1000's of posts back into an upgraded forum / portal from a recent backup?

Aleksi "Lex" Kilpinen

You would be best to import them first to the same version they are from, and then upgrade - but I do not know if there were any significant changes in RC4 that would actually stop you from doing it the other way around... You could try...?
