Can't get rid of Trojan.PHP-43

Started by Мel, July 13, 2012, 06:02:26 PM


Мel

Well, this is the problem. I can't get rid of the Trojan.PHP-43 - when I do a virus scan from my cPanel it finds it and I destroy it, but some time later it just reappears.
FTP access is switched on only for my single IP address, I've changed passwords and stuff - no effect.
And now some messages on my forum just turn out to be empty :(
Where should I look to kill this trojan once and for all?
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Colin

Is SMF the only thing you have on your web server? Has your host been of any help?
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Мel

I've got 2 WP blogs and one more SMF on my server; they're all clean. This particular trojan resides only in this one certain forum. Once I caught it in the root directory, but it didn't go anywhere else.
And yes, my host provides no help.

NanoSector

Do you have a lot of mods installed?
Also, what file does it say is infected?
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Мel

There are not many mods, just several, and all of them are from here. I could get a list, if needed.
Infected files are different every time.

NanoSector

Quote from: Мel on July 14, 2012, 05:39:01 AM
There are not many mods, just several, and all of them are from here. I could get a list, if needed.
Infected files are different every time.
Can you attach the file it reports the next time, then, so we can check if anything's wrong with it?

Мel

I've run a scan and it's clear for now. Whenever I find a trojan, I'll attach an infected file.

Ricky.

Generally, there are some idiotic figures in this world who maintain lists of sites they hack or infect in their hacking communities or forums; users regularly check them, and when someone cleans or fixes their forum, they again intimate the hacker and then the hacker again tries to hack it. Generally they leave some script which is undetectable to programs, but when they execute it, they get full access to your server through an HTTP based file browser... So, it may be clean for now; if it infects again then there must be some hidden script in your files. They even hide them encrypted so they remain undetected by scanners (happened with me... I have been behind these trolls for a good time).

Мel

Ricky, so what am I supposed to do about that?

Ricky.

If it appears again then you have to figure out its origin. I had simply deleted everything apart from the db and had even checked the db to see if there was anything unusual, then downloaded everything fresh and uploaded it. Since then I never saw them again. On my site, they came in through an old WP installation.

NanoSector

Quote from: Ricky. on July 14, 2012, 07:35:43 AM
If it appears again then you have to figure out its origin. I had simply deleted everything apart from the db and had even checked the db to see if there was anything unusual, then downloaded everything fresh and uploaded it. Since then I never saw them again. On my site, they came in through an old WP installation.
Which indicates that you need to keep your software updated ;)

SMURF6060

What you have is basically an iframe trojan.

It wrote itself to every single PHP file you have on that server.

Depending on the version, you're more than likely to find it in all the footers of all your PHP files.

If your hosting service provider wasn't compromised, and you didn't give your cPanel/FTP credentials to some third world dirtbag programmer... you caught the bug by:

1. Your machine was/is infected, and it gained access to all your saved passwords.
2. You downloaded and installed NULLED scripts/mods/plugins, or had work done by someone who used nulled scripts, mods, or plugins.
3. Your SMF theme is the cause.

a. Scan your machine multiple times.
b. Double check the source of anything you installed.
c. Double check your SMF theme.

The only reason I've included the SMF theme in the equation is for the simple fact that my host a few years back caught it in action in the theme itself (it wasn't the SMF script or settings) and immediately changed all file permissions to block it from writing itself to all my PHP files.

Unless you have great service with your plan, your hosting service will not help you (maybe for a fee).

Considering you still haven't solved the issue, you will need to find someone to install/perform a server side scan.

The best way is to delete EVERYTHING off the server... and check for hidden files as well.

Best if you have root access.


This can also be caused intentionally... with you being a "mark".
How do you know if you're a "mark"?

If your sites are successful enough to the point where you're taking money out of the pockets of your competitor...
An example would be a well placed search engine rank.

But by my logic, that's highly unlikely in your case considering you're on the board asking for assistance when you could have easily taken some of your riches and had a pro clean it.

Quote from: Ricky. on July 14, 2012, 07:06:54 AM
Generally, there are some idiotic figures in this world who maintain lists of sites they hack or infect in their hacking communities or forums; users regularly check them, and when someone cleans or fixes their forum, they again intimate the hacker and then the hacker again tries to hack it. Generally they leave some script which is undetectable to programs, but when they execute it, they get full access to your server through an HTTP based file browser... So, it may be clean for now; if it infects again then there must be some hidden script in your files. They even hide them encrypted so they remain undetected by scanners (happened with me... I have been behind these trolls for a good time).
It's not hidden per se... it rewrites itself and changes its name.
Huh? You've been behind these trolls?
What part of the con did you play? The savior or the infector? Or both?

To the OP:

Do yourself a favor, this kind of job isn't for an amateur... you need a pro.
Don't waste your money on paying someone unless you are physically able to walk into their office.

The reason I say that is because it takes a high level of skill to clean and chase this bug down... and if you're willing to hand over access to your server to an entity over the internet... chances are you're going to get screwed BIG TIME.

Either strip the server down completely... or get a pro... WITH AN OFFICE... in the real world... who doesn't use a Google number lol.

Best of luck


I think it's best to keep a few personal thoughts to myself. Never mind.

Мel

Ricky
Yeah, I suppose so. Still clean.
But I'm not a master of the DB, that's the problem.

Yoshi2889
My software is pretty much up to date. I suppose all this was caused by my specific config, something to do with PHP; there was a message not long ago about this.

SMURF6060
Maybe it's the theme; I use Curve Multi Color by MrGrumpy. All the access is in my hands, FTP access set up only for me and my PC is clean.
I don't know anything about a mark - my forum is just a fan community, nothing more, no money involved.
Thanks for your advice.

SMURF6060

Quote from: Мel on July 14, 2012, 04:26:04 PM
SMURF6060
Maybe it's the theme; I use Curve Multi Color by MrGrumpy. All the access is in my hands, FTP access set up only for me and my PC is clean.
I don't know anything about a mark - my forum is just a fan community, nothing more, no money involved.
Thanks for your advice.

I hate to be the grim reaper, Mel... you won't have peace of mind till you wipe it all out and start fresh. This will help you out:

Check the dates of any modified files through your FTP.
If you weren't doing any work... and that file isn't read and write and it was modified... you just caught your first footprint.

Submit your site to Google through the "webmaster" product and have Google scan your files for any infections. I think it's under health or scan for malware (the risk with that is you get a big fat THIS WEBSITE WILL HARM YOUR COMPUTER label)... but you can use Google to help you out... and you are correct; the dark side is stronger than everyone ;) good luck Mel

P.S. I forgot the theme that got me... but it was from a Turk (not that I'm bashing Turks)... this was like 7 years ago.

nend

Quote from: SMURF6060 on July 14, 2012, 09:23:15 AM
Do yourself a favor, this kind of job isn't for an amateur... you need a pro.
Don't waste your money on paying someone unless you are physically able to walk into their office.

The reason I say that is because it takes a high level of skill to clean and chase this bug down... and if you're willing to hand over access to your server to an entity over the internet... chances are you're going to get screwed BIG TIME.

Either strip the server down completely... or get a pro... WITH AN OFFICE... in the real world... who doesn't use a Google number lol.

Best of luck


I think it's best to keep a few personal thoughts to myself. Never mind.


Yeah, you shouldn't trust me as I don't have an office you can walk into and I do have a Google number also. Maybe you should hire someone that has an office you can walk into that may or may not be a disgruntled employee and may or may not help you at all. You know, there are a couple of times I have walked into a shop before and asked about their procedures after figuring out I wouldn't trust them with one thing I own. Not saying every place is the same, but you're going to find just as good help here as anywhere else.

Most people here do not have a workplace that specifically deals with development of server side software, but they have designed some of the best software on the web. :-\

SMURF6060

Quote from: nend on July 14, 2012, 05:19:20 PM
Quote from: SMURF6060 on July 14, 2012, 09:23:15 AM
Do yourself a favor, this kind of job isn't for an amateur... you need a pro.
Don't waste your money on paying someone unless you are physically able to walk into their office.

The reason I say that is because it takes a high level of skill to clean and chase this bug down... and if you're willing to hand over access to your server to an entity over the internet... chances are you're going to get screwed BIG TIME.

Either strip the server down completely... or get a pro... WITH AN OFFICE... in the real world... who doesn't use a Google number lol.

Best of luck


I think it's best to keep a few personal thoughts to myself. Never mind.


Yeah, you shouldn't trust me as I don't have an office you can walk into and I do have a Google number also.
Exactly. Why should I trust you? Because you have a high post count? Or because I've flipped through your past posts and you seem to be such a nice guy/gal? The OP didn't mention anything as far as whether it's an income generating site or not... WOULD YOU TRUST A COMPLETE STRANGER OFF THE STREET TO HANG ON TO YOUR CHECK BOOK & DEBIT CARDS?.. BECAUSE THEY DRESSED WELL AND SMELLED NICE? Why should anyone trust anyone on the internet. I don't even trust the SMF software. Nothing is for free in this world. And if it is, it's because something comes attached to it that you're unaware of. Are they great programmers and architects? Absolutely... but that doesn't mean they are Mother Theresa.


Maybe you should hire someone that has an office you can walk into that may or may not be a disgruntled employee and may or may not help you at all.

With all due respect, you can't compare the odds of getting screwed by a disgruntled employee versus a completely anonymous person through the internet. That comparison is illogical - and I'm not even Dr. Spock.

You know, there are a couple of times I have walked into a shop before and asked about their procedures after figuring out I wouldn't trust them with one thing I own. Not saying every place is the same, but you're going to find just as good help here as anywhere else.

That's my entire point. You physically saw... heard... smelled... your mind didn't fill in the blanks like it does online. Your guard wasn't down. I could be sitting typing my response to you while some chick is chained to the wall... bleeding out after 2 weeks of torture. The best you can do is try to profile me by my typing... and even then you would be 99.9% wrong. You're not a behavioral analyst by trade.


Most people here do not have a workplace that specifically deals with development of server side software, but they have designed some of the best software on the web. :-\

My statement to the OP was said out of brotherhood. You're the creative... you create what the OP and I use, whether it's for profit or entertainment. You know this stuff and we don't. We wish we knew what you knew. We have to rely on the programmers, coders... whatever it is you want to call yourself. We rely on you to give us a fair and balanced cost. But those odds are astronomically not in our favor... because you do not exist... and you have issues just like we do. You need to eat... you need a roof over your head. Because we're not familiar with your knowledge, you have the power to take a 5 minute job and make it into a 2 week gig. And that advantage and power runs unchecked in this community. The fact that I told the OP to find someone that had an office meant that if the person screwed him... he or she at least has the option of catching him after hours and breaking his neck for ripping him or her off. I wasn't saying that a person with an office and a real phone number was more credible than a person without. You misunderstood.

You expect me to chase after some dirtbag in India... or Romania? I almost got conned here today by a scumbag who expected me to pay for his coke habit. I needed 4 lines of code... he needed 4 lines for his nose.

Dude, I'm not trying to take money out of your pocket... I'm trying to put money in it.





NanoSector

Guys, keep this on topic, this is about the trojan, not who makes profit. In fact I don't think the OP cares whether SMURF or nend makes profit, as long as his issue gets solved. I'm seriously thinking of splitting this altogether, and removing some posts.

nend

Don't split, just remove these useless posts, mine included. ;)

Arantor

That's the thing, it is totally relevant. Dealing with a server infection is a very complex and skilled art, and you absolutely DO NOT want an amateur doing it.

I actually agree with the sentiments about getting a paid professional - because if there is a foul-up down the line, the business will have things like business liability insurance to cover damages and costs of getting it fixed, and an individual may or may not have that.

NONE of the posts in this thread are useless. Please do not do the community an injustice by removing them.

NanoSector

Quote from: nend on July 14, 2012, 06:42:00 PM
Don't split, just remove these useless posts, mine included. ;)
Lol, not all are useless, but it's enough to just say it once; don't keep going on about it.

Quote from: Arantor on July 14, 2012, 06:43:13 PM
That's the thing, it is totally relevant. Dealing with a server infection is a very complex and skilled art, and you absolutely DO NOT want an amateur doing it.

I actually agree with the sentiments about getting a paid professional - because if there is a foul-up down the line, the business will have things like business liability insurance to cover damages and costs of getting it fixed, and an individual may or may not have that.

NONE of the posts in this thread are useless. Please do not do the community an injustice by removing them.
It may be relevant, but as I said, don't keep going on about it and then driving people crazy at some point. That drives moderators to splitting and removing. I agree with the point of getting a professional too, but the *discussion* just isn't relevant in here; being told once is enough.
I wasn't talking about useless posts though, rather offending posts.

Anyway, you guys are driving me too far into the discussion; excuse me for the clutter.

SMURF6060

Mel

Here's a little help in your fight. This will help scan all your PHP files for the bug. The script is attached to this post.

** Important
Change all file permissions so they can't be written to.
*******************************************
Use these regular expressions to search for all pages containing the malicious code and replace it with a space:

for example:

    <iframe src=\"http://[^"]*" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>

    echo \"<iframe src=\\\"http://[^"]*\" width=1 height=1 style=\\\"visibility:hidden;position:absolute\\\"></iframe>\";

** YOU WILL NEED TO CATCH AN INFECTED FILE FIRST IN ORDER TO GET THE PARAMETERS NEEDED; TAKE THE INFECTION CODE AND EDIT THE scan.php FILE WITH IT.

Once you have the infection code, and included it in the scan.php file...
- upload the scan.php file to your server (root of the site of infection)
- visit www.yoursite.com/clean.php?c=iframe
The parameter c specifies the text to search for inside the file. The results will be something like:




It will search all the files in your website and if any of the files contain the given string, it will print the filename along with the number of occurrences of the string. In the above screenshot, you can see that one file is infected.

Note that the script will not remove the iframes from your files. Automated cleaning could break some of your websites. So as of now you will have to clean the files manually.

also:

Whatever FTP client you're using, configure it to show you all hidden files.
Example: Core FTP doesn't show the .htaccess file by default.

Remember:
Change all file permissions so they can't be written.
Change your FTP client settings so you're able to see ALL files.

------------------------------------------------------------------------

Wanna laugh?
Do a Google search for SERVER SIDE INFECTION... depending on your region, the first post in the results would be mine, posted on SMF back in 2009 for this same issue.
I don't know why my other post, posted back in 2006 I believe, isn't indexed.

-----------------------------------------------------------------------------------------------------

I have already experienced 2 server side infections using themes (never the default theme) and admins here should really look into this issue.

The only way a theme can be determined to be SAFE is where it DOES NOT "CALL BACK HOME".

Common sense: I can easily create a theme, submit it to the community... where it gets accepted... where members download it. And then later on, I can have the theme "call home" where I can inject my Google AdSense code... or any other malicious code into that theme... for whatever reason.
---------------------------------------------------
to the moderator:

I know exactly what you are doing..and why you are doing it.

I will be filing a formal complaint with SIMPLE MACHINES against you




butchs

Be careful.  Type something wrong and you will duplicate your server.

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

SMURF6060

What do you mean by "type something wrong and you will duplicate your server"?

Arantor

Anyone who uses that script as-is is also exposing themselves to an XSS bug in the script (by it not bothering to sanitise the contents of $_GET variables before displaying them directly to users).
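
The scan-and-report idea from SMURF6060's post, written out as an added example that is not the script attached to that post: it walks the site tree for a literal string given in ?c=, reports each hit with the file's last-modified time (the "footprint" check from the earlier post) and whether the web server user can write it, and escapes everything it echoes, which is the $_GET problem Arantor points out. It never modifies or copies files. Assumptions of mine: it is saved as scan.php in the site root, and the helper names scan_for_string() and h() are hypothetical.

```php
<?php
// Added example (not the attached scan.php): read-only scanner that reports files
// containing a given string, escaping all output. Assumes it sits in the site root.
declare(strict_types=1);

/**
 * Recursively scan $root for files whose contents contain $needle (a literal string).
 * Returns rows of relative path, occurrence count, last-modified time and whether the
 * PHP process can write the file (a file writable by the web server user is one any
 * compromised script on the same host could rewrite).
 */
function scan_for_string(string $root, string $needle, array $extensions = ['php', 'html', 'htm', 'js', 'htaccess']): array
{
    $rows = [];
    $base = realpath($root);
    if ($base === false || $needle === '') {
        return $rows;
    }
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS) // hidden files are still visited
    );
    foreach ($iterator as $file) {
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), $extensions, true)) {
            continue;
        }
        $contents = @file_get_contents($file->getPathname());
        if ($contents === false) {
            continue; // unreadable: skip rather than abort the whole scan
        }
        $count = substr_count($contents, $needle);
        if ($count === 0) {
            continue;
        }
        $rows[] = [
            'path'     => substr($file->getPathname(), strlen($base) + 1),
            'count'    => $count,
            'modified' => date('Y-m-d H:i:s', $file->getMTime()),
            'writable' => $file->isWritable(),
        ];
    }
    usort($rows, fn(array $a, array $b) => strcmp($b['modified'], $a['modified'])); // newest first
    return $rows;
}

/** HTML-escape a value before it reaches the browser. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // php scan.php iframe   -> plain-text report on stdout
    $needle = $argv[1] ?? '';
    foreach (scan_for_string(__DIR__, $needle) as $row) {
        printf("%s\t%d hit(s)\t%s\t%s\n", $row['path'], $row['count'], $row['modified'],
            $row['writable'] ? 'writable' : 'read-only');
    }
} else {
    // scan.php?c=iframe    -> HTML report; the request value is echoed only after escaping
    $needle = is_string($_GET['c'] ?? null) ? $_GET['c'] : '';
    header('Content-Type: text/html; charset=UTF-8');
    echo '<h2>Files containing ' . h($needle) . '</h2>';
    $rows = scan_for_string(__DIR__, $needle);
    if ($rows === []) {
        echo '<p>No files contain that string.</p>';
    } else {
        echo '<table><tr><th>File</th><th>Hits</th><th>Last modified</th><th>Writable by web server</th></tr>';
        foreach ($rows as $row) {
            printf('<tr><td>%s</td><td>%d</td><td>%s</td><td>%s</td></tr>',
                h($row['path']), $row['count'], h($row['modified']), $row['writable'] ? 'yes' : 'no');
        }
        echo '</table>';
    }
}
```

The file is a diagnostic tool that exposes a directory listing of sorts to anyone who can reach it, so it belongs on the server only for the duration of the check and should be deleted afterwards (or limited to your own IP in .htaccess while it is there). It can only read what the web server user can read, so a back door planted with different ownership would not show up in its results.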

Kindred

Out of curiosity....

You keep suggesting/accusing the SMF theme as being the culprit and suggesting that admins need to worry about themes downloaded from here... However, you have not actually given any details on how this is so.

If you have a problem with a specific theme or author, then report that to the SMF team. SMF takes its security very seriously, and is one of the best forum softwares with one of the best security records out there.

Considering your screenshot shows WordPress themes, I would hazard a guess that, if you gt needed, that may be the vector... Not anything to do with SMF. If you actually have security details to report, then please do so, to the [email protected] email address.

Your attitude has also been very confrontational from the start... I suggest that you chill.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Kindred

To Mel...


OK, here's part of your likely problem.
You clean the infected files, but have not found and removed the actual back door that they used.

I don't know who your host is... But when I got an infected site (from Zenphoto, but it hit every file) they helped me track down not only the infected files, but also the 3 back door directories that had been added so the hackers could get in and reinfect at will.

So, I stored all of the avatar and attachment directories on my PC and cleaned out all of the PHP and HTML files. I then just deleted everything and reinstalled from scratch. I could also have used one of the backups, but I decided that I was going to just clean out much of the crap as well.
Then I replaced all of the avatars and attachments as well as custom graphics.

As I said, you not only have to worry about specific files which have been infected, but hidden, buried directories that have backdoors. A good host will help you track, find and remove those as well.

Finally, once you've found the backdoors, look at your server logs, find the ips which have accessed it and use htaccess to stop them.
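
Kindred's last step, finding the IPs that requested the back door in the access log and blocking them in .htaccess, as an added example that is not from this thread. The log lines are constructed in Apache combined log format, the back door path /images/.cache/backdoor.php and the addresses are placeholders, and the function names are hypothetical ones of mine.

```php
<?php
// Added example (not from the thread): list client IPs that requested a known back door
// path in combined-format access log lines, then print an .htaccess block denying them.
declare(strict_types=1);

/** Constructed sample log lines; the back door path and the IPs are placeholders. */
function sample_log(): string
{
    return <<<'LOG'
203.0.113.7 - - [14/Jul/2012:03:12:45 +0000] "POST /images/.cache/backdoor.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jul/2012:03:13:02 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2012:03:15:11 +0000] "GET /images/.cache/backdoor.php HTTP/1.1" 200 128 "-" "curl/7.21"
198.51.100.77 - - [14/Jul/2012:04:01:30 +0000] "GET /images/.cache/backdoor.php?x=1 HTTP/1.1" 200 128 "-" "python-requests/0.13"
192.0.2.9 - - [14/Jul/2012:04:05:00 +0000] "GET /Themes/default/style.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"
LOG;
}

/** Parse one combined-format line into its fields, or return null if it does not match. */
function parse_log_line(string $line): ?array
{
    // ip ident user [time] "METHOD path PROTOCOL" status bytes "referer" "agent"
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Count requests for $backdoorPath per client IP. The query string is stripped so that
 * backdoor.php and backdoor.php?x=1 are counted as the same target.
 */
function backdoor_hits(string $log, string $backdoorPath): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        if (parse_url($req['path'], PHP_URL_PATH) === $backdoorPath) {
            $hits[$req['ip']] = ($hits[$req['ip']] ?? 0) + 1;
        }
    }
    arsort($hits); // most active address first
    return $hits;
}

/** Build an Apache 2.2-style .htaccess deny block for the IPs (the keys of $hits). */
function htaccess_deny(array $hits): string
{
    $out = "# Addresses that accessed the back door; review before deploying\n";
    $out .= "Order Allow,Deny\nAllow from all\n";
    foreach (array_keys($hits) as $ip) {
        // Never copy unvalidated log data into server configuration.
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $out .= "Deny from {$ip}\n";
        }
    }
    return $out;
}

$hits = backdoor_hits(sample_log(), '/images/.cache/backdoor.php');
foreach ($hits as $ip => $n) {
    printf("%-16s %d request(s)\n", $ip, $n);
}
echo htaccess_deny($hits);
```

On Apache 2.4 the Order/Deny directives only work with mod_access_compat loaded; the native form is Require all granted followed by Require not ip for each address. Blocking addresses is a stopgap that buys time: the back door file itself still has to be removed, since the next visit will come from a different IP.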

butchs

Quote from: SMURF6060 on July 15, 2012, 07:31:20 PM
What do you mean by "type something wrong and you will duplicate your server"?

Besides what Arantor pointed out, it is not easy to use. If the user types in the wrong thing it can copy a ton of files to the "iframe_cleaner_backup" folder, filling up a limited account. Check out the KB Scan script?

SMURF6060

Quote from: Kindred on July 15, 2012, 08:01:41 PM
Out of curiosity....

You keep suggesting/accusing the SMF theme as being the culprit and suggesting that admins need to worry about themes downloaded from here... However, you have not actually given any details on how this is so.

[ What details would you like? Are you publicly asking me to publicly post how to hack a person's server by way of an SMF theme? Is that what you're asking? - any theme that has the ability to "call home" is a security risk

any mod that calls home is a security risk ]

If you have a problem with a specific theme or author, then report that to the SMF team. SMF takes its security very seriously, and is one of the best forum softwares with one of the best security records out there.

[ That's your opinion... and you're entitled to it, just like it's my opinion to say that I do not agree with your statement ]

Considering your screenshot shows WordPress themes, I would hazard a guess that, if you gt needed, that may be the vector... Not anything to do with SMF. If you actually have security details to report, then please do so, to the [email protected] email address.

[ The screenshot is an EXAMPLE ]

Your attitude has also been very confrontational from the start... I suggest that you chill.

[ Where in this topic do you see any confrontation?? Because I responded and explained my statements to another member using a different font color, your opinion is that it's confrontational? I beg to differ.

- Suggesting "I chill" is being confrontational... and also inciting. I don't accept your threats ]


Arantor

No, it's asking you to submit the details of this apparent hack to the form that will tell the developers about it. The information is passed only to the development team. Assuming it's a genuine threat and that you actually care about users enough to want to help the SMF team fix it.

FWIW, any theme installed from the admin panel is a threat to the server. Has been since... pretty much forever, because it's almost always owned by the webserver user and thus can be attacked by anything else on the server regardless of file permissions (because it's owned by the webserver, it can always have its permissions elevated).

Same deal with mods that add files, for the same reason. Even the most ardent fan of reducing file permissions refuses to acknowledge this as a possible vector, and it's something I've spent many hours trying to figure out a reasonable way around that doesn't require the user to just do everything via FTP and be done with it. Note that this is only indirectly an SMF problem and a lot more related to how hosts configure their system and don't have things like suPHP to force PHP to be run as the file owner instead (which would totally negate this entire vector).

The fact is, whether you think it is secure or not is pretty much irrelevant. How many products do you know that have been in active use for 6 years and only received a total of 16 security patches in that time? (That's the security record of SMF 1.1 series.)

Here's the thing: you're trying to tell people who use SMF, who have used it for years, that there is a major vulnerability, except that all you're doing is blustering. We've all heard it before, usually from people who haven't a clue what they're talking about. Right now you're putting yourself in that same group.

You want to be taken seriously? Act seriously, not blustery.

Night09

Basically, Mel, to be fair you're out of your depth here tracking this down and clutching at straws as to the real cause, but not doing anything to investigate this, as removal isn't removing the reason it's there to begin with. I'd suggest you post in the help wanted (for free or paid) for someone with good reputation who you can then trust with your login details. Then hopefully somebody with a decent knowledge of these situations can go over it for you.

Forget the soothsayer warnings about going to an office bla bla as it's bull****** frankly, as you can be ripped off anywhere...

Kindred

quote fail.....

1- No, I am asking you to send such details to the security address.
I tend to doubt your assertion though... any mod or theme that 'calls home' but is not protected against XSS, maybe... but not "any".

2- No, actually, it is not just my opinion. It is proven fact, backed by security reports and hack records as well as the immediate response by SMF devs when a vulnerability is found/reported.

3- Suggesting that someone chill is being confrontational? Inciting? Threats? Wow, you really do need to chill. I see no threats in my statements for you to accept or reject... (a threat would be "do this or else"... nowhere did I say that, nor do I have any power on this site to do that... sheesh)

Arantor

Quote: I tend to doubt your assertion though... any mod or theme that 'calls home' but is not protected against XSS, maybe... but not "any".

That assumes the home that is being called is also not compromised. No server is bullet proof.

Quote: I'd suggest you post in the help wanted (for free or paid) for someone with good reputation who you can then trust with your login details. Then hopefully somebody with a decent knowledge of these situations can go over it for you.

Forget the soothsayer warnings about going to an office bla bla as it's bull****** frankly, as you can be ripped off anywhere...

No, it isn't. Proper companies that do this stuff will also have warranties they can give, i.e. insurance. How many people here - me included, for example - would do that?

Kindred

True, Arantor... if the target site is already infected - depending on what is being done with the "call home" function, it could be a problem.

Of course, he doesn't specify what he actually means by "call home".
Does he mean "adds a link back to the author's site"? (If so, I can't see any way that would cause a problem.)
Does he mean, in the admin section, checks against the recent versions or news from the author's site? (If so, I could see a way for that to be targeted, but only if the user had admin access already - or the mod didn't do proper checks AND was not configured against XSS.)
Does he mean something else? His reports, as both you and I pointed out, are full of hot air and bluster and very little actual content.

Of course, since neither of us has access to the security reports email and discussion area, we can't confirm if he has or has not submitted any reports... but I don't recall seeing anything from this user when I was on the team...

Night09

Quote from: Arantor on July 15, 2012, 10:15:13 PM
Quote: I tend to doubt your assertion though... any mod or theme that 'calls home' but is not protected against XSS, maybe... but not "any".

That assumes the home that is being called is also not compromised. No server is bullet proof.

Quote: I'd suggest you post in the help wanted (for free or paid) for someone with good reputation who you can then trust with your login details. Then hopefully somebody with a decent knowledge of these situations can go over it for you.

Forget the soothsayer warnings about going to an office bla bla as it's bull****** frankly, as you can be ripped off anywhere...

No, it isn't. Proper companies that do this stuff will also have warranties they can give, i.e. insurance. How many people here - me included, for example - would do that?

I work at an Apple authorised IT repair centre dealing with both Mac and PC and there's no warranty on viruses since users are too stupid not to reinfect machines doing the exact same stuff that caused it to begin with. People can have activated subs to all major antivirus products yet the logs will show they never ever run a scan and some even disable it from working properly to begin with.

Arantor

Quote: Does he mean, in the admin section, checks against the recent versions or news from the author's site? (If so, I could see a way for that to be targeted, but only if the user had admin access already - or the mod didn't do proper checks AND was not configured against XSS.)

That's a vulnerability vector and no mistake. Let's say it is in the admin panel. Now let's say for the sake of argument that the method used to 'call home' is done as a compromise against the JS files SMF normally uses for such things (which SMF, SimplePortal, SimpleDesk etc. all do in their own slightly different ways)... that file will be included against an admin user. If that happens to, say, steal the session ID (which is entirely possible) the entire administrative session could theoretically be spoofed.

There's all kinds of other vectors. Bad Behaviour's author, for example (I mean the original BB, not the SMF port of it), is planning to add a setup to the next major version to allow rule lists to be downloaded automatically. Depending on the method used there, it's entirely possible that it could allow arbitrary code execution, and if that IS the case, should his site be compromised, anyone else could also be compromised in the same fashion.

Quote
People can have activated subs to all major antivirus products yet the logs will show they never ever run a scan and some even disable it working properly to begin with.

I actually don't bother running AV as standard. I do routine scans every month or so, or when anything isn't working as expected, and I keep an eye on other things, but I don't have any in the background, there is little real point to it, IMNSHO.

青山 素子

Мel,

If you'd like someone to take a look at the website and see what is going on, I can certainly offer some assistance. If it's somewhat simple, I can work on cleaning it up. If it's a complex thing to clean up, I'll tell you so and you can decide how you want to proceed.

If you'd like references or at least some reassurances that I know what I'm doing, I'd be happy to send you my credentials in a PM. I'll say publicly that I'm a systems administrator for a small Internet development company in California that has done work for large clients like Experian and Quicksilver. I'm also fairly experienced in reviewing compromised sites.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Arantor

FWIW, I'd vouch for 青山 素子 as someone who is trustworthy and very competent all round :)

NanoSector

Quote from: Arantor on July 16, 2012, 08:09:13 AM
FWIW, I'd vouch for 青山 素子 as someone who is trustworthy and very competent all round :)
So do I, Motoko is good with these kind of things :)
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Kindred

As a side note: I installed the Curve Multicolor theme, looked through the installation and the files and cannot see any (obvious) way that the theme itself could have been used. The only function which is subject to an injection would be the variant= argument...  however, this appears to be properly handled.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

That's the thing: I don't think there's any vulnerability in the theme code itself, I still suspect it is as I called it: there is a side vulnerability in file ownership that allowed them to get infected, but there was a separate vulnerability that was the way into the server.

Kindred

yeah, the whole upload/permissions thing is screwy and I'm not sure there is any good way around it...
(in theory, ANY script which allows you to upload, install, etc through the script has the issue - right?)

For the original vector, I think WordPress may have been it... The OP did state that s/he had WP on the same server... right?

Arantor

Quote
yeah, the whole upload/permissions thing is screwy and I'm not sure there is any good way around it...
(in theory, ANY script which allows you to upload, install, etc through the script has the issue - right?)

Correct. Any script that can upload files will be uploading files owned by the webserver.

Night09

This kind of attack has been documented for other setups but this link will give the general idea of what's at risk and the resolution they took. It's not directly for SMF but gives a decent insight.  http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads

Arantor

It gives a decent insight into a separate and not-really-related issue. In SMF parlance, the context is essentially about the attachments system not having executable extensions (which has been the case in SMF for years).

The issue I'm referring to is nothing to do with that, but the fact that uploading mods and themes means uploading PHP files that are by their nature vulnerable on shared hosting.

Kindred

right...

Files uploaded (from FTP) are owned by the logged-in user on the server.
Files uploaded (from a script) are owned by PHP, the script, the server or various other combinations -- all depending on how the server and PHP are set up.

If your files are owned by the user, then - when a hacker breaks into your file system, he can only do limited damage - because, assuming your permissions are not 777, there is a good chance that his scripts will be refused permission to edit the existing files.

It is POSSIBLE to lock down a system like SMF or WP (or most others) which allows the script to upload, extract and run files... but doing so requires a fair bit of manual effort and access to chown and chmod.

Мel

Well, here it is again. I've uploaded the infected file for anyone interested to check out.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

NanoSector

...that is *not* a regular wp-config file. There's a huge preg_replace() in there, along with an eval(), and no settings at all...

Sorry if this is too much work but I'd reinstall WP to be safe...
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."
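Kindred's point about script-uploaded files being owned by the web server (and the 777 case), together with the eval()/preg_replace() pattern NanoSector found in the uploaded wp-config.php, can be checked with one script. This is an added example, not code from the thread or from SMF/WordPress; the throw-away web root, the expected-owner argument and the two sample files it creates are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from SMF/WordPress. It audits a
# web root for what the posts above describe: PHP files not owned by the FTP
# account, world-writable files, and PHP files built around eval()/preg_replace().
# The sample web root and its two files are constructed for demonstration.

# Build a throw-away web root with one clean and one "infected" PHP file.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    # Ordinary config: only settings, no dynamic code.
    printf '<?php\ndefine("DB_NAME", "blog");\n' > "$root/wp-config-sample.php"
    # Shape of the file reported as infected: an obfuscated payload fed to
    # eval() through a preg_replace() /e pattern, and no settings at all.
    printf '<?php\n$p=base64_decode("aGk=");eval(preg_replace("/x/e","$p","x"));\n' \
        > "$root/wp-config.php"
    chmod 644 "$root"/*.php
    printf '%s\n' "$root"
}

# 1. PHP files not owned by the account that should own them (the FTP user).
#    Files uploaded by a script end up owned by the web server user instead.
find_not_owned_by() {
    find "$1" -type f -name '*.php' ! -user "$2"
}

# 2. Files any account on the shared host can write to (the 777 case).
find_world_writable() {
    find "$1" -type f -perm -0002
}

# 3. PHP files carrying the eval()/preg_replace(/e)/base64_decode() markers.
#    grep exits 1 when nothing matches, which is the clean case, so swallow it.
find_suspicious_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval\(|preg_replace\([^)]*/e|base64_decode\(' {} + || true
}

# Run all three checks on a web root; print findings and return 1 if any.
audit_webroot() {
    hits=$(
        find_not_owned_by "$1" "$2"
        find_world_writable "$1"
        find_suspicious_php "$1"
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}
```

Running `audit_webroot /path/to/site ftpuser` on a real host lists anything flagged; a clean tree prints nothing and returns 0.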

Мel

I see that it's not normal WP, that's why it's called "infected" :)
How do I reinstall WP?

NanoSector

Quote from: Мel on July 21, 2012, 06:08:39 AM
I see that it's not normal WP, that's why it's called "infected" :)
How do I reinstall WP?
ACP > Updates > Reinstall :)

Мel

"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Kindred

In the WordPress admin panel.

Alternatively, do as I suggested for the SMF reinstall... delete the files in the WordPress directory and all subdirectories (just kill everything) and do a fresh installation of files, but then point the reinstall to your existing database.
