
Author Topic: Hacked, script injection  (Read 269954 times)

Offline vbgamer45

Re: Hacked, script injection
« Reply #300 on: May 20, 2009, 09:47:32 PM »
> Hi,
>
> My forum has been hacked today by krisbarto. He came online for about 1 minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and attachments folder, and I am currently going through all php files. So far I have not found a line at the top, but I have found this in the gallery php file:
>
> die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));
>
> Is that meant to be there? I don't really know what I'm doing; this is all new to me.
>
> Thank you for any help

That one is safe. I place that for copyright reasons. It says:
Powered by Gallery For SMF  made by vbgamer45 http://www.smfhacks.com

Offline JBlaze

Re: Hacked, script injection
« Reply #301 on: May 20, 2009, 09:48:47 PM »
Way to get us all hyped up vb :)
Jason Clemons
Former Lead Customizer/Support Specialist

Offline GKM Crow

Re: Hacked, script injection
« Reply #302 on: May 20, 2009, 10:07:28 PM »
> > Hi,
> >
> > My forum has been hacked today by krisbarto. He came online for about 1 minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and attachments folder, and I am currently going through all php files. So far I have not found a line at the top, but I have found this in the gallery php file:
> >
> > die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));
> >
> > Is that meant to be there? I don't really know what I'm doing; this is all new to me.
> >
> > Thank you for any help
>
> That one is safe. I place that for copyright reasons. It says:
> Powered by Gallery For SMF  made by vbgamer45 http://www.smfhacks.com

Thank You for letting me know.

Offline metallica48423

Re: Hacked, script injection
« Reply #303 on: May 20, 2009, 10:32:40 PM »
For anyone who hasn't done so yet, 1.1.9 was released tonight, patching this. Please be sure to update your forums ASAP.

Thanks!

Edit: added link to the announcement topic.
« Last Edit: May 20, 2009, 10:40:36 PM by Sarge »
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist


Offline Sarge

Re: Hacked, script injection
« Reply #304 on: May 20, 2009, 10:41:50 PM »
> 1.1.9 was released tonight

* Sarge says something about timezones ;)

Offline GKM Crow

Re: Hacked, script injection
« Reply #305 on: May 20, 2009, 10:55:18 PM »
I've just updated to 1.1.9  :) Thanks for this

I have gone through half of my php files and I haven't found anything wrong yet, also the database is looking ok. I am still checking them though. Would it be possible that I have caught him in time and I won't find anything?

Sorry to be a pain

Offline mycousinvinny

Re: Hacked, script injection
« Reply #306 on: May 21, 2009, 08:30:30 AM »
> mycousinvinny, make sure to check all php files on line 1 for a string of "base64_decode()"
>
> If you have that on ANY file, please let us know and we will do what we can to help.

Thanks JBlaze. In layman's terms can you tell me how I do that? I don't know jack about where these files are. Thanks for your help. Also I have updated to 1.1.9 but had 3 errors; my forum appears to be functioning properly.

Vinny

Offline mghq

Re: Hacked, script injection
« Reply #307 on: May 21, 2009, 05:24:39 PM »
> > Hi,
> >
> > My forum has been hacked today by krisbarto. He came online for about 1 minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and attachments folder, and I am currently going through all php files. So far I have not found a line at the top, but I have found this in the gallery php file:
> >
> > die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));
> >
> > Is that meant to be there? I don't really know what I'm doing; this is all new to me.
> >
> > Thank you for any help
>
> That one is safe. I place that for copyright reasons. It says:
> Powered by Gallery For SMF  made by vbgamer45 http://www.smfhacks.com

I was going to say that too

Offline Broken Arrow

Re: Hacked, script injection
« Reply #308 on: May 21, 2009, 07:45:02 PM »
updated mine, thanks guys!
« Last Edit: May 22, 2009, 12:53:53 AM by Broken Arrow »

Offline massillon

Re: Hacked, script injection
« Reply #309 on: May 22, 2009, 12:43:30 AM »
My god...  I should have come here sooner.

I have been battling this for weeks and have started from scratch twice... 

The only thing I have saved was the avatars...  darn it, I was reinfecting myself and did not even know it.

I have to be honest, this is a nasty one.  I first noticed it a few weeks ago when I logged in from my blackberry and got nothing but spam...  I quickly found a computer and logged in to shut my forum down but saw it was doing nothing to the regular page so I figured it was just in the mobile version...  then my forum kept crashing because my error log was overflowing the database.

One quick question. Does the 1.1.9 patch fix the problem or just prevent it from reoccurring once you fix it?

Offline massillon

Re: Hacked, script injection
« Reply #310 on: May 22, 2009, 01:04:21 AM »
Wow...  I am going through all of my php files and this little bugger is in every single one of them.

This is going to be a loooooooong night.

Offline massillon

Re: Hacked, script injection
« Reply #311 on: May 22, 2009, 01:18:59 AM »
Interestingly enough, there have been two files without this string so far...

notify.php and reminder.php

Offline Eleseon

Re: Hacked, script injection
« Reply #312 on: May 22, 2009, 01:21:58 AM »
What a lovely way to keep me awake tonight. First I get Anon-attacked, and then this.

I deleted all of the funky php from the forum itself...but the rest of my site? *cries* It's going to take me forever.

I'm really glad this thread was here though, to walk me through all of this. Thank you all, I really appreciated all of this. ^_^

Offline massillon

Re: Hacked, script injection
« Reply #313 on: May 22, 2009, 01:35:37 AM »
So let me get this right... unless I get it from every php file it will just come back to the rest again?

Offline ldk

Re: Hacked, script injection
« Reply #314 on: May 22, 2009, 01:40:47 AM »
> So let me get this right... unless I get it from every php file it will just come back to the rest again?

Nope. You need to do all of these three things:

1. delete any avatars with the malicious code in them

2. delete theme_dir entries in your DBPREFIX_themes table that are set like so:
./attachments/avatar_xxxxx.gif\0

3. upgrade to 1.1.9

and then all the crap you take out of your php files won't come back.

Offline Aleksi "Lex" Kilpinen

Re: Hacked, script injection
« Reply #315 on: May 22, 2009, 01:41:13 AM »
Probable though, that infected files on the server may alone do damage..

Offline massillon

Re: Hacked, script injection
« Reply #316 on: May 22, 2009, 01:42:12 AM »
> > So let me get this right... unless I get it from every php file it will just come back to the rest again?
>
> Nope. You need to do all of these three things:
>
> 1. delete any avatars with the malicious code in them
>
> 2. delete theme_dir entries in your DBPREFIX_themes table that are set like so:
> ./attachments/avatar_xxxxx.gif\0
>
> 3. upgrade to 1.1.9
>
> and then all the crap you take out of your php files won't come back.

on it!

1. done
2. working on it
3. done

Offline JBlaze

Re: Hacked, script injection
« Reply #317 on: May 22, 2009, 01:45:40 AM »
Also, there are other files named like style.css.php and s.php (not normal SMF files) scattered throughout.

Make sure to delete those as well as any files named with random sequences of numbers and letters.
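
The file checks mentioned across these replies (line 1 of each PHP file for base64_decode, avatars carrying code, and stray files such as style.css.php and s.php), as an added Python example that is not part of any post or of SMF itself. It also decodes base64 string literals for reading, which is how the Gallery copyright line quoted earlier can be told apart from an injected one. The sample file names and contents are constructed and inert, and "Sources/Gallery.php" is a hypothetical path.

```python
import base64, binascii, os, re

B64_CALL = re.compile(rb"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")
STRAY_NAMES = {"style.css.php", "s.php"}  # file names reported in the thread

def decode_literal(blob):
    """Decode a base64 string literal for reading; nothing is executed."""
    try:
        return base64.b64decode(blob).decode("latin-1")
    except binascii.Error:
        return "<not valid base64>"

def scan(name, data):
    """Return (kind, line_no, decoded_literals) hits for one file's bytes."""
    name, hits = os.path.basename(name).lower(), []
    if name.endswith(".php"):
        if name in STRAY_NAMES:
            hits.append(("stray_name", 0, []))
        for no, line in enumerate(data.split(b"\n"), 1):
            if b"base64_decode" in line:  # line 1 is where the thread says to look
                kind = "b64_line1" if no == 1 else "b64_elsewhere"
                hits.append((kind, no, [decode_literal(b) for b in B64_CALL.findall(line)]))
    elif name.endswith(IMAGE_EXT) and b"<?php" in data.lower():
        hits.append(("php_in_image", 0, []))  # avatar or attachment carrying code
    return hits

def scan_tree(root):
    """Walk a forum directory; map each flagged relative path to its hits."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            with open(full, "rb") as fh:
                hits = scan(f, fh.read())
            if hits:
                out[os.path.relpath(full, root)] = hits
    return out

SAMPLE = {  # constructed, inert placeholder files (not real malware)
    "index.php": b"<?php /* constructed */ base64_decode('cGxhY2Vob2xkZXI='); ?><?php\n",
    "Sources/Gallery.php": b"<?php\ndie(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));\n",
    "attachments/avatar_00001.gif": b"GIF89a<?php /* constructed */ ?>",
    "Themes/default/s.php": b"<?php\n",
}

if __name__ == "__main__":
    for path, body in SAMPLE.items():
        print(path, scan(path, body))
```

On a real install, call scan_tree() on the forum root. A b64_elsewhere hit whose decoded text is readable, like the Gallery copyright string, is the benign case discussed in the thread.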

Offline massillon

Re: Hacked, script injection
« Reply #318 on: May 22, 2009, 01:51:39 AM »
Did not find anything like that in my DB.


Offline romper

Re: Hacked, script injection
« Reply #319 on: May 22, 2009, 09:09:00 AM »
> > So let me get this right... unless I get it from every php file it will just come back to the rest again?
>
> Nope. You need to do all of these three things:
>
> 1. delete any avatars with the malicious code in them
>
> 2. delete theme_dir entries in your DBPREFIX_themes table that are set like so:
> ./attachments/avatar_xxxxx.gif\0
>
> 3. upgrade to 1.1.9
>
> and then all the crap you take out of your php files won't come back.

1. I deleted all avatars
2. Can I get help with these, more specific
3. Done
4. THX!