Cannot FTP missing files upgrade 2.0.6 to 2.0.7

Started by Eotnak, April 30, 2014, 04:42:09 PM


Eotnak

I'm trying to help out a friend with a forum that someone else set up.  At some point it was upgraded to 2.0.6 but the source files were 2.0.  I just tried upgrading to 2.0.7, and it displays OK, but when I try to post a new topic, I get this error:

Fatal error: require_once() [function.require]: Failed opening required '/home/content/25/5966725/html/simplemachinesforum/Sources/Post.php' (include_path='.:/usr/local/php5/lib/php') in /home/content/25/5966725/html/simplemachinesforum/index.php on line 358

The same goes for other functions like in the admin area.  When I FTP to server, for example I look for simplemachinesforum/Sources/Post.php it is not there.  I try to do a binary transfer of the file, and it looks like it transfers then disappears.  Any ideas?

Illori

contact the host and ask them why they are deleting the file.

Eotnak

the files disappear instantly, this was all prompted by failed database connection emails being sent to admin.  The host said there is a process running that can't be killed unless the simplemachinesforum folder is taken offline.  I suspected an exploit because of old source files.  Do you think this process is deleting the files?

Illori

could be, but without knowing what it is we can guess all day.

kat

Quote from: Eotnak on April 30, 2014, 04:42:09 PM
it was upgraded to 2.0.6 but the source files were 2.0.

A lot of them will be. When there's an update, not every file gets changed. In fact, very few do, really.

I wonder if your host has mod_security enabled and, if they have, if it's not set a bit harshly...?

mod_security is extremely stupid. If my friend posted that he lives in S******horpe, mod_security went mental, because the second-to-fifth letters, of "S******horpe", were deemed to be extremely rude, even though they're not isolated.

Eotnak

sounds like it was hacked.  One user said he went to the site and got killed with pop-ups, and had to shut down the PC.  Another said his antivirus software alerted that the site was compromised.  When I went to put the site in maintenance mode, it didn't take.  I had to modify settings.php.

I'm assuming that I have to reinstall SMF into another folder, apply the DB, or maybe a new database from backup.  Also, I'm going to change the passwords for the admin accounts.  Should I sort through the users and delete the ones with 0 posts?  In any case I think I should sort through the users and remove the suspect ones.  Or is it enough to just disable them?

kat

If you think you've been hacked, contact your host, PDQ. They'll have access logs and the like, to help with that.

Once they've figured-out HOW you got hacked, you could do this:

http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files

If I was in your place, though, I'd simply restore a backup that I'd taken, before the hack happened.

Kindred

here's the difference with what you have to do versus what the faq suggests

instead of just uploading and overwriting files... 
you first need to DELETE everything on your site
-- with the exception of Settings.php, Settings_bak.php, the avatars directory and the attachments directory -- KEEP THOSE.

This means that you will start from a basic installation - you will lose all themes and all mods.
(you will keep all members, messages, etc - those are in the database)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

emanuele

Quote from: Kindred on May 03, 2014, 10:12:05 AM
-- with the exception of Settings.php, Settings_bak.php, the avatars directory and the attachments directory -- KEEP THOSE.
Heh.
Yes and no.
Yes, you may keep them, but no, if you have been hacked you cannot trust anything, so you have only two options:
1) delete any file on the server and "start fresh",
2) check any file to find out whether they are safe or not. And "I don't know how to do it, so I'll just hope" is not an option (unless you don't care about being hacked again). If you don't know how to do it, find someone that knows.



Kindred

it is unlikely that the settings files were the target of the hacks - but yes - files or directories may have been added to avatars or attachments....

Still, it is moderately easy to check those -- and keeping those is usually worth a little effort.
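One way to do the check of the kept avatars and attachments directories discussed above, as an added example that is not part of the original thread or of SMF: it compares each kept file against a freshly unpacked copy of the same release and lists what a person should review. The function names, directory layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".pl", ".cgi"}
PHP_MARKER = b"<?php"


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_kept_dir(kept_root, clean_root):
    """Return sorted (relative path, reason) pairs for files needing review."""
    kept_root, clean_root = Path(kept_root), Path(clean_root)
    findings = []
    for path in (p for p in kept_root.rglob("*") if p.is_file()):
        rel = path.relative_to(kept_root).as_posix()
        reference = clean_root / rel
        if reference.is_file():
            # Stock file: must be byte-identical to the clean release copy.
            if sha256(reference) != sha256(path):
                findings.append((rel, "differs from clean release"))
        elif path.suffix.lower() in SCRIPT_SUFFIXES or path.name == ".htaccess":
            findings.append((rel, "script or server config not in clean release"))
        elif PHP_MARKER in path.read_bytes():
            # Heuristic only: catches PHP hidden in a file with an image name.
            findings.append((rel, "PHP code inside an uploaded file"))
    return sorted(findings)


def demo():
    """Constructed sample: a clean avatars tree and a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            root.mkdir()
            (root / "index.php").write_bytes(b"<?php // placeholder index\n")
        (live / "index.php").write_bytes(b"<?php /* modified */\n")
        (live / "avatar_1.png").write_bytes(b"\x89PNG\r\n constructed image bytes")
        (live / "avatar_2.gif").write_bytes(b"GIF89a <?php /* constructed */ ?>")
        (live / "cache").mkdir()
        (live / "cache" / "x.php").write_bytes(b"<?php /* constructed */\n")
        return audit_kept_dir(live, clean)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

An empty result only means these heuristics found nothing; it does not prove the directory is clean.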
