Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

vbgamer45

Quote from: GKM Crow on May 20, 2009, 09:02:10 PM
Hi,

My forum was hacked today by krisbarto. He came online for about a minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and the attachments folder, and I am currently going through all PHP files; so far I have not found a line at the top, but I have found this in the gallery PHP file:

die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));

Is that meant to be there? I don't really know what I'm doing; this is all new to me.

Thank you for any help.

That one is safe. I placed it there for copyright reasons; it says:
Powered by Gallery For SMF  made by vbgamer45 http://www.smfhacks.com

JBlaze

Way to get us all hyped up vb :)
Jason Clemons
Former Team Member 2009 - 2012

GKM Crow

Quote from: vbgamer45 on May 20, 2009, 09:47:32 PM
Quote from: GKM Crow on May 20, 2009, 09:02:10 PM
Hi,

My forum was hacked today by krisbarto. He came online for about a minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and the attachments folder, and I am currently going through all PHP files; so far I have not found a line at the top, but I have found this in the gallery PHP file:

die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));

Is that meant to be there? I don't really know what I'm doing; this is all new to me.

Thank you for any help.

That one is safe. I placed it there for copyright reasons; it says:
Powered by Gallery For SMF  made by vbgamer45 http://www.smfhacks.com

Thank you for letting me know.

metallica48423

For anyone who hasn't done so yet, 1.1.9 was released tonight, patching this.   Please be sure to update your forums ASAP.

Thanks!

Edit: added link to the announcement topic.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist


Sarge

Quote from: metallica48423 on May 20, 2009, 10:32:40 PM
1.1.9 was released tonight

* Sarge says something about timezones ;)


GKM Crow

I've just updated to 1.1.9 :) Thanks for this.

I have gone through half of my PHP files and haven't found anything wrong yet; the database is also looking OK. I am still checking them, though. Would it be possible that I caught him in time and won't find anything?

Sorry to be a pain.

mycousinvinny

Quote from: JBlaze on May 20, 2009, 09:42:39 PM
mycousinvinny, make sure to check all PHP files on line 1 for the string "base64_decode()".

If you have that in ANY file, please let us know and we will do what we can to help.

Thanks, JBlaze. In layman's terms, can you tell me how I do that? I don't know jack about where these files are. Thanks for your help. Also, I have updated to 1.1.9 but had 3 errors; my forum appears to be functioning properly.

Vinny
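An added example (not from the thread and not SMF's own code) of the check JBlaze describes, written in Python: it reads line 1 of every .php file under a forum root, decodes any base64_decode() literal it finds there, and separates an injected line from a harmless decoded notice such as the Gallery copyright string quoted earlier in this thread. The watch-lists of sinks and code markers, the sample forum tree it builds, and the constructed "malicious" line are assumptions for the demo, not anything the thread states.

```python
"""Triage base64_decode() calls on line 1 of PHP files (added example, not SMF code).

Assumptions (not from the thread): the injected code is a one-line
base64_decode() call with a quoted literal, and a decoded payload counts as
code when it, or the surrounding line, shows PHP tags, eval-style sinks or
request superglobals. The sample files built by demo() are constructed."""
import base64
import os
import re
import tempfile

B64_CALL = re.compile(r"base64_decode\(\s*['\"]([^'\"]*)['\"]\s*\)")
# Sinks that execute a decoded string as PHP (assumed watch-list).
SINKS = ("eval(", "assert(", "create_function(", "preg_replace(")
# Markers that make a decoded payload look like code rather than a notice.
CODE_MARKERS = ("<?", "$_POST", "$_GET", "$_COOKIE", "$_REQUEST",
                "system(", "exec(", "passthru(", "shell_exec(") + SINKS


def decode_b64(blob):
    """Decode a base64 literal; None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("latin-1")
    except ValueError:          # binascii.Error is a ValueError
        return None


def triage_line(line):
    """Classify one PHP line. Returns (verdict, decoded_text)."""
    match = B64_CALL.search(line)
    if match is None:
        return ("clean", None)
    decoded = decode_b64(match.group(1))
    if decoded is None:
        return ("suspicious", None)   # base64_decode() of something undecodable
    if any(s in line for s in SINKS) or any(m in decoded for m in CODE_MARKERS):
        return ("malicious", decoded)
    return ("benign-text", decoded)   # e.g. a decoded copyright notice


def scan_first_lines(root):
    """Check line 1 of every .php file under root; return sorted (path, verdict) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                verdict, _decoded = triage_line(fh.readline())
            if verdict != "clean":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, verdict))
    return sorted(hits)


# The line GKM Crow found in the gallery file (quoted in the thread).
BENIGN_SAMPLE = ("die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkg"
                 "dmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));")
# A constructed injected line 1 of the kind JBlaze says to look for.
MALICIOUS_SAMPLE = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(
    b'echo "constructed payload";').decode("ascii")


def demo():
    """Build a throwaway forum tree with one injected file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Sources"))
        files = {
            "index.php": MALICIOUS_SAMPLE + "\n<?php\n// original file continues\n",
            "Sources/Subs.php": "<?php\n// clean file\n",
            "Sources/Gallery.php": "<?php\n// ...\n" + BENIGN_SAMPLE + "\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
                fh.write(body)
        return scan_first_lines(root)


if __name__ == "__main__":
    for rel, verdict in demo():
        print(rel, verdict)
    print(triage_line(BENIGN_SAMPLE))
```

Run it from the forum root with scan_first_lines(".") instead of demo(); anything reported as "malicious" or "suspicious" is a file to restore from a clean copy, while a "benign-text" hit only deserves a look at the decoded text to confirm it is a notice.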

mghq

Quote from: vbgamer45 on May 20, 2009, 09:47:32 PM
Quote from: GKM Crow on May 20, 2009, 09:02:10 PM
Hi,

My forum was hacked today by krisbarto. He came online for about a minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and the attachments folder, and I am currently going through all PHP files; so far I have not found a line at the top, but I have found this in the gallery PHP file:

die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));

Is that meant to be there? I don't really know what I'm doing; this is all new to me.

Thank you for any help.

That one is safe. I placed it there for copyright reasons; it says:
Powered by Gallery For SMF  made by vbgamer45 http://www.smfhacks.com

I was going to say that too.

Broken Arrow

updated mine, thanks guys!

massillon

My god... I should have come here sooner.

I have been battling this for weeks and have started from scratch twice...

The only thing I had saved was the avatars... darn it, I was reinfecting myself and did not even know it.

I have to be honest, this is a nasty one. I first noticed it a few weeks ago when I logged in from my BlackBerry and got nothing but spam... I quickly found a computer and logged in to shut my forum down, but saw it was doing nothing to the regular page, so I figured it was just in the mobile version... then my forum kept crashing because my error log was overflowing the database.

One quick question. Does the 1.1.9 patch fix the problem, or just prevent it from recurring once you fix it?

massillon

Wow... I am going through all of my PHP files and this little bugger is in every single one of them.

This is going to be a loooooooong night.

massillon

Interestingly enough, there have been two files without this string so far...

notify.php and reminder.php

Eleseon

What a lovely way to keep me awake tonight. First I get Anon-attacked, and then this.

I deleted all of the funky php from the forum itself...but the rest of my site? *cries* It's going to take me forever.

I'm really glad this thread was here though, to walk me through all of this. Thank you all, I really appreciated all of this. ^_^

massillon

So let me get this right... unless I get it out of every PHP file, it will just come back to the rest again?

ldk

Quote from: massillon on May 22, 2009, 01:35:37 AM
So let me get this right... unless I get it out of every PHP file, it will just come back to the rest again?

Nope. You need to do all three of these things:

1. delete any avatars with the malicious code in them

2. delete theme_dir entries in your DBPREFIX_themes table that are set like so:
./attachments/avatar_xxxxx.gif\0

3. upgrade to 1.1.9

and then all the crap you take out of your PHP files won't come back.
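An added example, in Python, that mechanises steps 1 and 2 of the post above; it is not SMF's code and not something posted in the thread. It flags theme_dir rows that point into the attachments folder or carry a NUL byte, and avatar files that contain a PHP open tag or lack a real image header. The trailing \0 in such a row matters because PHP before 5.3.4 truncates a file path at a NUL byte, so theme_dir plus whatever template filename SMF appends resolves to the GIF itself. The themes table layout (id_member, id_theme, variable, value in DBPREFIX_themes), the SQL templates, and the sample rows and avatar bytes are assumptions constructed for the demo.

```python
"""Locate the two persistence hooks from the post above (added example, not SMF code):
a theme_dir row pointing at an uploaded avatar and avatar files that carry PHP.

Assumed, not from the thread: the themes table has columns
(id_member, id_theme, variable, value); sample rows and GIF bytes are constructed."""
import os
import re
import tempfile

# PHP open tags: <?php, <?=, and the old <script language="php"> form.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE)
# Headers a real avatar should start with.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def is_hijacked_theme_dir(value):
    """True for a theme_dir value that carries a NUL byte or points into attachments/."""
    norm = value.replace("\\", "/")
    return "\x00" in norm or "/attachments/" in norm or norm.startswith("attachments/")


def find_hijacked_rows(rows):
    """rows: iterable of (id_member, id_theme, variable, value). Returns bad theme_dir rows."""
    return [r for r in rows if r[2] == "theme_dir" and is_hijacked_theme_dir(r[3])]


# Equivalent MySQL for step 2 ({p} is the table prefix; column names assumed).
FIND_SQL = ("SELECT id_member, id_theme, value FROM {p}themes "
            "WHERE variable = 'theme_dir' "
            "AND (value LIKE '%attachments/%' OR INSTR(value, CHAR(0)) > 0)")
DELETE_SQL = ("DELETE FROM {p}themes WHERE variable = 'theme_dir' "
              "AND (value LIKE '%attachments/%' OR INSTR(value, CHAR(0)) > 0)")


def avatar_has_php(data):
    """True if the file bytes contain a PHP open tag anywhere (step 1)."""
    return PHP_TAG.search(data) is not None


def scan_avatar_dir(path):
    """Names of files under path that contain PHP or do not start with an image header."""
    bad = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            if avatar_has_php(data) or not data.startswith(IMAGE_MAGIC):
                bad.append(name)
    return sorted(bad)


# Constructed sample data: a 1x1 GIF, the same GIF with PHP appended, and themes rows.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             b"\x02\x02D\x01\x00;")
INFECTED_GIF = CLEAN_GIF + b"<?php echo 'constructed payload'; ?>"
SAMPLE_THEME_ROWS = [
    (0, 1, "theme_dir", "/home/site/public_html/forum/Themes/default"),
    (0, 1, "theme_url", "http://example.invalid/forum/Themes/default"),
    (1337, 1, "theme_dir", "./attachments/avatar_12345.gif\x00"),   # the hijacked row
]


def demo():
    """Write the sample avatars to a throwaway attachments dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("avatar_1.gif", CLEAN_GIF), ("avatar_2.gif", INFECTED_GIF)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_avatar_dir(root)


if __name__ == "__main__":
    for row in find_hijacked_rows(SAMPLE_THEME_ROWS):
        print("hijacked theme_dir row:", row)
    print("infected avatars:", demo())
    print(FIND_SQL.format(p="smf_"))
```

Point scan_avatar_dir at the real attachments folder and run FIND_SQL against the live database before deleting anything; step 3 (the 1.1.9 upgrade) is still required, since this only removes what is already there.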

Aleksi "Lex" Kilpinen

Probable, though, that infected files on the server may do damage on their own.

massillon

Quote from: ldk on May 22, 2009, 01:40:47 AM
Quote from: massillon on May 22, 2009, 01:35:37 AM
So let me get this right... unless I get it out of every PHP file, it will just come back to the rest again?

Nope. You need to do all three of these things:

1. delete any avatars with the malicious code in them

2. delete theme_dir entries in your DBPREFIX_themes table that are set like so:
./attachments/avatar_xxxxx.gif\0

3. upgrade to 1.1.9

and then all the crap you take out of your PHP files won't come back.

on it!

1. done
2. working on it
3. done

JBlaze

Also, there are other files named like style.css.php and s.php (not normal SMF files) scattered throughout.

Make sure to delete those as well, along with any files named with random sequences of numbers and letters.
Jason Clemons
Former Team Member 2009 - 2012

massillon

Did not find anything like that in my DB.


romper

Quote from: ldk on May 22, 2009, 01:40:47 AM
Quote from: massillon on May 22, 2009, 01:35:37 AM
So let me get this right... unless I get it out of every PHP file, it will just come back to the rest again?

Nope. You need to do all three of these things:

1. delete any avatars with the malicious code in them

2. delete theme_dir entries in your DBPREFIX_themes table that are set like so:
./attachments/avatar_xxxxx.gif\0

3. upgrade to 1.1.9

and then all the crap you take out of your PHP files won't come back.

1. I deleted all avatars
2. Can I get more specific help with this one?
3. Done
4. Thanks!
