News:

SMF 2.1.4 has been released! Take it for a spin! Read more.

Main Menu

Unable to delete .ttf file

Started by Krashsite, July 05, 2014, 04:44:46 PM

Previous topic - Next topic

Sir Osis of Liver

One of my regular guys was hacked again, and I had the same creepy problem I've had previously with this forum.  It's a GoDaddy account running on a windows box, 2.0.6, only mod is SMF Classifieds.  Base64 hack, which targets only the forum, rest of his website is clean.  Deleted all forum files to reinstall backup, but one file will not delete.  /Themes/default/fonts/Screenge.ttf and subdirs above remain. When I try to delete it, FZ tells me the file is being used by another process.  Any other font file will delete successfully.  I've gotten rid of it previously by using cpanel file manager and dicking around for a while with file permissions (you can't change permissions on a windows server with FZ).  Permissions are the same for all font files.

The backup works fine, no hint of any further security problem.  No problem deleting this file on any of my forums (different host, linux box).  Anyone have an idea what causes this?
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Illori

someone must have been using the registration process somewhat recently so the webserver is using that file... unless you can restart the webserver there is not much you can do but wait.

Sir Osis of Liver

Last registration was yesterday morning, over 30 hours ago.  Why would that tie up the file?
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Illori

No spider or guest hit the page since?

Sir Osis of Liver

Don't have access to server logs.  But why would it affect only the font file?  Everything else connected to registration deletes normally.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Illori

i am not 100% sure, i saw this once on my localhost. i wonder if our CAPTCHA code does not clean up correctly, leaving this one file effected.

kat

I had that, some time back. It was extremely odd. As was the fix...

I had one of those peculiar "This shouldn't work. But, I'll try it, anyway" ideas.

If it really was in use, I shouldn't even have been able to rename it. But, I did so (Fark knows why/how). So, I renamed the file. I called it something silly, like "DeleteMe.now". I left it there, for about half-an-hour.

Then, I deleted it, without any hassles.

'course, I might just've got lucky...

Sir Osis of Liver

Was just able to delete it normally.  When it's hung up, you can't do anything to it with FZ, including rename.  It's the only file out of 1400 or so on this forum that won't delete, and it's happened every time the forum's been hacked (this was the third or fourth base64 hack).
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

kat


Sir Osis of Liver

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Arantor

There's nothing wrong with the CAPTCHA code nor is there anything linking this file to a hacking (which is the implication, and it's wrong)

On Windows - and it is only on Windows - PHP's bundled GD library does not properly release all the file locks on loaded TTF files. As a result, the Screen Gems font will be requested when a CAPTCHA is made, and the lock isn't properly released until the server is restarted. Nothing suspicious, nothing to see here, and I know this has been reported to the PHP team in the past as a bug in the GD library.

Sir Osis of Liver

Thanks for the info.  This has been a recurring nuisance, never knew what caused it.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Advertisement: