my SMF forum has been hacked

Started by societyofrobots, March 18, 2009, 02:38:19 AM

JBlaze

societyofrobots, check your /Sources files and make sure there is no excess php code injected into the top of your files.
Jason Clemons
Former Team Member 2009 - 2012

societyofrobots

Quote from: JBlaze™ on May 09, 2009, 07:03:09 PM
societyofrobots, check your /Sources files and make sure there is no excess php code injected into the top of your files.
Way ahead of you on that. They tack stuff on, and my logs tell me what they do. I revert back whenever I find it.
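
The check JBlaze suggests and the "tack stuff on" pattern described in the reply, as an added example that is not part of the original thread and not SMF project code: it compares a live tree against a freshly extracted known-good copy of the same release and reports files with content added above or below the original, plus files the release never shipped. The directory layout, file names and placeholder content are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

def normalized(path):
    # FTP ASCII-mode transfers rewrite line endings; ignore that difference.
    return path.read_bytes().replace(b"\r\n", b"\n")

def audit_tree(clean_dir, live_dir, pattern="*.php"):
    """Classify every file under live_dir against a known-good copy of the same release."""
    clean_dir, live_dir = Path(clean_dir), Path(live_dir)
    clean = {p.relative_to(clean_dir).as_posix(): p for p in clean_dir.rglob(pattern)}
    live = {p.relative_to(live_dir).as_posix(): p for p in live_dir.rglob(pattern)}
    report = {"prepended": [], "appended": [], "modified": [], "extra": [], "missing": []}
    for rel in sorted(live):
        if rel not in clean:
            report["extra"].append(rel)       # file the release never shipped
            continue
        good, now = normalized(clean[rel]), normalized(live[rel])
        if now == good:
            continue
        if now.endswith(good):
            report["prepended"].append(rel)   # original intact, content added on top
        elif now.startswith(good):
            report["appended"].append(rel)    # original intact, content tacked on the end
        else:
            report["modified"].append(rel)    # changed some other way; diff it by hand
    report["missing"] = sorted(set(clean) - set(live))
    return report

def demo():
    """Build two small constructed trees (assumed layout) and audit them."""
    placeholder = b"<?php /* constructed stand-in for injected code */ ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean", "Sources"), Path(tmp, "live", "Sources")
        for d in (clean, live):
            d.mkdir(parents=True)
        for name in ("Load.php", "Subs.php", "Security.php"):
            body = b"<?php\n// " + name.encode() + b"\n?>\n"
            (clean / name).write_bytes(body)
            (live / name).write_bytes(body)
        (live / "Load.php").write_bytes(placeholder + (clean / "Load.php").read_bytes())
        with open(live / "Subs.php", "ab") as fh:
            fh.write(placeholder)
        (live / "zz_unknown.php").write_bytes(placeholder)
        return audit_tree(clean, live)

if __name__ == "__main__":
    print(demo())
```

Run `audit_tree` with the clean copy extracted on a machine other than the one used to upload the site, so the reference itself is trustworthy.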

JimM

Is this issue solved or do you still require assistance?  If this is solved please mark it solved by clicking the Mark Topic Solved link at the bottom left of the page.
Jim "JimM" Moore
Former Support Specialist

societyofrobots

It's not solved. I haven't been hacked recently, but not sure if that's only because of IP bans and turning off FTP when I'm not using it, or a recent forum upgrade sealed up a hole . . .

I'm fairly convinced it has something to do with SMF, but really not sure how.

JimM

If you haven't already, definitely update to 1.1.9. 
Jim "JimM" Moore
Former Support Specialist

rancitis

Usually this type of virus injects malicious code from the PC of the victim, in this case from your PC. These viruses have the particularity of infecting not only .exe, .src, etc. files, but also .php and .html files, for example by introducing an <iframe>. Then the victim uploads the infected files from your FTP and the virus spreads to the site visitors. You can do backups 1000 times, and the same will happen, because the malicious code is injected into the archives. Nobody is attacking the server remotely; the problem is with your PC. It isn't a vulnerability issue for SMF; this happens with any system. What is the solution? You upload a backup of the SMF files from another PC. Then you try to remove the virus from your PC with your favorite antivirus. In the event that your antivirus can't detect it, you can use another antivirus or analyze the PC with an online scanner like Active Scan or Trend Micro.

Edvard

I second rancitis on that one. That's what happened to my pc too. I ended up not being able to remove the virus and had to install Linux instead (no Windows recovery CD available...). This worked and my site has been virus free since then.

JimM

If this is solved feel free to mark it as solved otherwise reply with some details of what isn't working.  We are trying to clear up some of the older topics.  If your forum gets hacked again, it would be far better to open another topic as it will most likely be a different issue.
Jim "JimM" Moore
Former Support Specialist

societyofrobots

rancitis, that is not even what remotely happened. You didn't read the whole thread =P

I'm now using 1.1.9, with ftp turned off and IP blocks on everything doing something funny to my server.

But I have no idea how they got in . . . would the updates in 1.1.8 and 1.1.9 have corrected any holes that could have resulted in this hack?

rancitis

I understand buddy. The problem is that once you upload the SMF files from your PC. Surely the files have been infected before uploading. Symptoms of infection may be inactive for a long time and when the action starts it's too late. It's techniques for creating botnets via outside servers and the attacker can perform the action when he needs it. This is why just you now see the symptoms. Perhaps this option is not correct, but it is more likely. I'm sorry for my bad English.

Regards!

societyofrobots

Quote from: rancitis on May 28, 2009, 11:09:47 PM
I understand buddy. The problem is that once you upload the SMF files from your PC. Surely the files have been infected before uploading. Symptoms of infection may be inactive for a long time and when the action starts it's too late. It's techniques for creating botnets via outside servers and the attacker can perform the action when he needs it. This is why just you now see the symptoms. Perhaps this option is not correct, but it is more likely. I'm sorry for my bad English.
nah dude, there were files that were created on my server that were never on my PC, some with file names I'd rather not repeat (just think britney spears and other pr0n-like descriptions). The ftp logs also showed foreign unknown IP addresses uploading these files.

JimM

1.1.9 patches and plugs all known security vulnerabilities.  It's probably the most extensive patch that has been issued in quite some time.
Jim "JimM" Moore
Former Support Specialist

societyofrobots

Bad news, the latest patch didn't solve the problem.

I accidentally forgot to turn off my FTP for a few days, and in that time, the same hack occurred again on my site. It's obviously automated as the hack used not one but *seven* freaking IPs to upload spam in a coordinated fashion! Somehow it gives him admin level ftp access, and I can't for the life of me figure out how.

I have two websites on my server, they both run the same exact software, but only the one that keeps getting hacked also uses SMF. Although the one that doesn't get hacked isn't that popular . . .

Tiribulus

OK, but an FTP exploit should be at the server level. SMF uses FTP, but doesn't control its operations. I'm typing this message on the machine that my forum is hosted on and FTP isn't even enabled on it.

JimM

There are a number of topics here that talk about this problem.  Following links to sites that install malware and keyloggers on your system could be the problem.  Change your FTP password to something that is impossible to guess.  Make it a random combination of letters and numbers and symbols.

As Tiribulus said, this has nothing to do with SMF.  If they are getting in through FTP, somehow they are getting your password.
Jim "JimM" Moore
Former Support Specialist
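
An added example, not part of the original thread: it reads FTP transfer logs for uploads from hosts you do not recognise and shows which account they authenticated as, which is the evidence behind the advice above to change the FTP password. It assumes the server writes the standard xferlog format; the log lines, account name and addresses are constructed (documentation address ranges).

```python
from collections import defaultdict

# Constructed sample lines in xferlog format; not taken from any real server.
SAMPLE_LOG = """\
Mon May 25 21:14:02 2009 2 192.0.2.10 48213 /home/site/forum/Sources/Load.php b _ i r siteadmin ftp 0 * c
Thu Jun 04 03:11:40 2009 1 203.0.113.7 9120 /home/site/forum/attachments/a1.php b _ i r siteadmin ftp 0 * c
Thu Jun 04 03:11:43 2009 1 198.51.100.23 8877 /home/site/forum/attachments/a2.html b _ i r siteadmin ftp 0 * c
Thu Jun 04 03:11:49 2009 1 203.0.113.7 310 /home/site/forum/index.php b _ o r siteadmin ftp 0 * c
Thu Jun 04 03:12:05 2009 1 198.51.100.23 7003 /home/site/forum/Themes/a3.php b _ i r siteadmin ftp 0 * i
"""

def parse_xferlog(line):
    """Parse one xferlog line into a dict, or return None if it is malformed."""
    f = line.split()
    if len(f) < 18 or not f[7].isdigit():
        return None
    head, tail = f[:8], f[-9:]          # fixed fields on both sides of the filename
    return {"when": " ".join(head[:5]), "host": head[6], "size": int(head[7]),
            "path": " ".join(f[8:-9]), "direction": tail[2], "user": tail[4],
            "complete": tail[8] == "c"}

def unknown_uploads(log_text, trusted_hosts):
    """Group incoming transfers (direction 'i') by source host not on the allowlist."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec and rec["direction"] == "i" and rec["host"] not in trusted_hosts:
            by_host[rec["host"]].append(rec)
    return dict(by_host)

def shared_accounts(uploads):
    """Accounts that uploaded from more than one unknown host: treat the password as exposed."""
    hosts = defaultdict(set)
    for host, recs in uploads.items():
        for rec in recs:
            hosts[rec["user"]].add(host)
    return {user: sorted(h) for user, h in hosts.items() if len(h) > 1}

if __name__ == "__main__":
    found = unknown_uploads(SAMPLE_LOG, trusted_hosts={"192.0.2.10"})
    for host, recs in sorted(found.items()):
        print(host, [r["path"] for r in recs])
    print(shared_accounts(found))
```

Every path it lists is a file to remove or restore from a clean copy, and any account it reports needs a new password set from a machine known to be clean.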
