No New Members

Started by willie2, January 07, 2016, 05:14:32 PM


willie2

It appears we have been hacked. All appears well now, but where we always have new registrations, we have had none for two months. Something is wrong. Any ideas where to look for hacks?

br360

Have you tried registering for an account yourself and seeing what happens?

Kindred

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

willie2

I can register, I receive a notice that admin has to approve, which is correct.  I generally wait for email notification of new members and another admin checks out the registration. I find that we do have a list waiting for approval. So, they are getting through, but I am not getting email notification.   Where is this handled in software?

Kindred


willie2

The awaiting approval page has disappeared.  And I have new registrations.

Kindred


willie2

I am a little sensitive since being hacked takes a lot of work to undo.  I don't make public my url for those who are looking to hack smf sites.   I appreciate SMF since moving from UBB many years ago.

All is well now except there is no email notification of new registration to admin anymore. Where can I look to correct this?

nend

You haven't been hacked from the looks of it.

Since you're getting the email that your account has to be approved by an admin, that means emails are going through and not being placed in your bulk mail.

I don't know if this controls new member notifications but in the registration settings in the admin panel make sure the notify administrator when member joins is active. Also check scheduled tasks, I believe there is an approval notification task in there. Make sure these are enabled and test again.

willie2

Thanks nend. Appreciate the help. Yes, in registration there are switches for notification to admin.  It is checked and not working.
Send welcome is checked and is working.
But, no box for sending pw on approval by admin. And the box when admin does a registration, the box to send pw is grayed out and can't be checked.

I am requiring admin approval.  Users are not getting their approval notice with pw.


Notify administrators when a new member joins
Send welcome email to new members


Can someone tell me where to find the code to fix this?

Kindred

Well, first and foremost -- there are no known security issues with SMF - as long as you keep up to date with your versions. Additionally, hackers don't bother to look at links on this site to find sites -- they just randomly hit every site they can find with every hack that they know -- well, script-kiddies - who make up 90% of the "hackers" do that. The other 10% are targeted hackers who still don't use this site to find SMF URLs -- they are targeting a specific site or set of sites based on some specific action.

So, not sharing your url to "avoid hackers" is actually a rather silly argument.

Your issue seems to be a mail issue - not a code issue.
http://wiki.simplemachines.org/smf/E-Mails_-_Why_are_members_not_getting_emails_sent_from_the_forum

Siirist

Quote from: Kindred on January 11, 2016, 07:16:45 AM
Well, first and foremost -- there are no known security issues with SMF - as long as you keep up to date with your versions. Additionally, hackers don't bother to look at links on this site to find sites -- they just randomly hit every site they can find with every hack that they know -- well, script-kiddies - who make up 90% of the "hackers" do that. The other 10% are targeted hackers who still don't use this site to find SMF URLs -- they are targeting a specific site or set of sites based on some specific action.

So, not sharing your url to "avoid hackers" is actually a rather silly argument.

your issue seems to be a mail issue - not a code issue.
http://wiki.simplemachines.org/smf/E-Mails_-_Why_are_members_not_getting_emails_sent_from_the_forum

*nods in agreement*
Remain open to the advice of very experienced and honored senior members.  They know things.
They cannot help if you don't let them help because you are so focused on an item that may not be the issue at all
Please check out READ FIRST: How to help us help you.

EDIT: Also spotted this after posting. It may be a solution.
Aha! I found out why activation email were not sent!

Siirist
Needed information:
- What's your SMF version?, What MODs are installed? What Theme(s) are you using? Have you backed up your database?

--> At least 50% of the questions asked are answered in the Online Manual <--
Mods for ver 1.x will NOT run on ver 2.x

willie2

Thank you all for your help.   I had already seen the topic re: Yahoo.  I am using my domain email.

The problem was with hosting. It was an intermittent problem. Just happened to occur when malicious code had been found on the site.

SMF great!  I am a senior user.   :)     I have had my board for 16 years, most of which has been with SMF.  As for publishing my url here, I understand, but I don't have time to fix problems created by clever hackers. If one of them decides coming here makes it easy to exploit an opening before it gets closed, I don't want to be on that list. And, yes, I don't use gmail or facebook like everyone else.   :)  Just call me silly instead of cautious. 

It would be wise to provide a way to share a url so there is not a public list created. It is appreciated that some warn others not to share their admin pw here with all wanting to help. It appears that everywhere we look there are those who are not very honest. I appreciate that many here are.  :)

Thanks again for taking time to help resolve this most pressing issue at my site.

willie2

There indeed was a problem with hosting, but it did not cure all of my problems.

I have in the source directory some files named  *.php~

They are a second file for a number of files. ie  managemail.php  and managemail.php~    and   manageregistration.php  manageregistration.php~

why the php~ file?

br360

Each time a file is edited it will be backed up and that "~" file is the one before the edits were done.

I'd be interested to know what was edited in your managemail.php and manageregistration.php files though.


a10

Quote: It would be wise to provide a way to share a url so there is not a public list created.
Charter (support) members got help forums not publicly available.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Steve

You can also ask if you can PM your url to whatever team member asked for it. But make sure you ask first.
DO NOT pm me for support!

willie2

Thanks for the help.   I will compare the files. I have not edited them.

Can I replace those files with clean ones from the same version?  I am running 2.0.11   

Or do I have to do a clean install of the whole site?

willie2

Here is code from manageregistration.php~   129-152

      )
   );
   if (allowedTo('admin_forum'))
   {
      $context['admin_tabs']['tabs']['agreement'] = array(
         'title' => $txt['smf11'],
         'description' => $txt['smf12'],
         'href' => $scripturl . '?action=regcenter;sa=agreement',
         'is_selected' => $context['sub_action'] == 'agreement',
      );
      $context['admin_tabs']['tabs']['reservednames'] = array(
         'title' => $txt[341],
         'description' => $txt[699],
         'href' => $scripturl . '?action=regcenter;sa=reservednames',
         'is_selected' => $context['sub_action'] == 'reservednames',
      );
      $context['admin_tabs']['tabs']['settings'] = array(
         'title' => $txt['settings'],
         'description' => $txt['admin_settings_desc'],
         'href' => $scripturl . '?action=regcenter;sa=settings',
         'is_last' => true,
         'is_selected' => $context['sub_action'] == 'settings',
      );
   }

njtweb

Probably commented out or removed all SMF verbiage or links.

Kindred

ummm.... those look like text strings from the 1.1.x version of the file...

willie2

It is.   Here is the whole page.

/**********************************************************************************
* ManageRegistration.php                                                          *
***********************************************************************************
* SMF: Simple Machines Forum                                                      *
* Open-Source Project Inspired by Zef Hemel ([email protected])                    *
* =============================================================================== *
* Software Version:           SMF 1.1.10                                          *
* Software by:                Simple Machines (http://www.simplemachines.org)     *
* Copyright 2006-2009 by:     Simple Machines LLC (http://www.simplemachines.org) *
*           2001-2006 by:     Lewis Media (http://www.lewismedia.com)             *
* Support, News, Updates at:  http://www.simplemachines.org                       *
***********************************************************************************
* This program is free software; you may redistribute it and/or modify it under   *
* the terms of the provided license as published by Simple Machines LLC.          *
*                                                                                 *
* This program is distributed in the hope that it is and will be useful, but      *
* WITHOUT ANY WARRANTIES; without even any implied warranty of MERCHANTABILITY    *
* or FITNESS FOR A PARTICULAR PURPOSE.                                            *
*                                                                                 *
* See the "license.txt" file for details of the Simple Machines license.          *
* The latest version can always be found at http://www.simplemachines.org.        *
**********************************************************************************/

if (!defined('SMF'))
    die('Hacking attempt...');

/*  This file helps the administrator setting registration settings and policy
    as well as allow the administrator to register new members themselves.

    void RegCenter()
        - entrance point for the registration center.
        - accessed by ?action=regcenter.
        - requires either the moderate_forum or the admin_forum permission.
        - loads the Login language file and the Register template.
        - calls the right function based on the subaction.

    void AdminRegister()
        - a function to register a new member from the admin center.
        - accessed by ?action=regcenter;sa=register
        - requires the moderate_forum permission.
        - uses the admin_register sub template of the Register template.
        - allows assigning a primary group to the member being registered.

    void EditAgreement()
        - allows the administrator to edit the registration agreement, and
          choose whether it should be shown or not.
        - accessed by ?action=regcenter;sa=agreement.
        - uses the Admin template and the edit_agreement sub template.
        - requires the admin_forum permission.
        - uses the edit_agreement administration area.
        - writes and saves the agreement to the agreement.txt file.

    void SetReserve()
        - set the names under which users are not allowed to register.
        - accessed by ?action=regcenter;sa=reservednames.
        - requires the admin_forum permission.
        - uses the reserved_words sub template of the Register template.

    void AdminSettings()
        - set general registration settings and Coppa compliance settings.
        - accessed by ?action=regcenter;sa=settings.
        - requires the admin_forum permission.
        - uses the admin_settings sub template of the Register template.
*/

// Main handling function for the admin approval center
function RegCenter()
{
    global $modSettings, $context, $txt, $db_prefix, $scripturl;

    // Old templates might still request this.
    if (isset($_REQUEST['sa']) && $_REQUEST['sa'] == 'browse')
        redirectexit('action=viewmembers;sa=browse' . (isset($_REQUEST['type']) ? ';type=' . $_REQUEST['type'] : ''));

    $subActions = array(
        'register' => array('AdminRegister', 'moderate_forum'),
        'agreement' => array('EditAgreement', 'admin_forum'),
        'reservednames' => array('SetReserve', 'admin_forum'),
        'settings' => array('AdminSettings', 'admin_forum'),
    );

    // Work out which to call...
    $context['sub_action'] = isset($_REQUEST['sa']) && isset($subActions[$_REQUEST['sa']]) ? $_REQUEST['sa'] : (allowedTo('moderate_forum') ? 'register' : 'settings');

    // Must have sufficient permissions.
    isAllowedTo($subActions[$context['sub_action']][1]);

    // Set the admin area...
    adminIndex('registration_center');

    // Loading, always loading.
    loadLanguage('Login');
    loadTemplate('Register');

    // Next create the tabs for the template.
    $context['admin_tabs'] = array(
        'title' => &$txt['registration_center'],
        'help' => 'registrations',
        'description' => $txt['admin_settings_desc'],
        'tabs' => array(
            'register' => array(
                'title' => $txt['admin_browse_register_new'],
                'description' => $txt['admin_register_desc'],
                'href' => $scripturl . '?action=regcenter;sa=register',
                'is_selected' => $context['sub_action'] == 'register',
                'is_last' => !allowedTo('admin_forum'),
            )
        )
    );
    if (allowedTo('admin_forum'))
    {
        $context['admin_tabs']['tabs']['agreement'] = array(
            'title' => $txt['smf11'],
            'description' => $txt['smf12'],
            'href' => $scripturl . '?action=regcenter;sa=agreement',
            'is_selected' => $context['sub_action'] == 'agreement',
        );
        $context['admin_tabs']['tabs']['reservednames'] = array(
            'title' => $txt[341],
            'description' => $txt[699],
            'href' => $scripturl . '?action=regcenter;sa=reservednames',
            'is_selected' => $context['sub_action'] == 'reservednames',
        );
        $context['admin_tabs']['tabs']['settings'] = array(
            'title' => $txt['settings'],
            'description' => $txt['admin_settings_desc'],
            'href' => $scripturl . '?action=regcenter;sa=settings',
            'is_last' => true,
            'is_selected' => $context['sub_action'] == 'settings',
        );
    }

    // Finally, get around to calling the function...
    $subActions[$context['sub_action']][0]();
}

// This function allows the admin to register a new member by hand.
function AdminRegister()
{
    global $txt, $context, $db_prefix, $sourcedir, $scripturl;

    // Setup the "tab", just incase an error occurs.
    $context['admin_tabs']['tabs']['register']['is_selected'] = true;

    if (!empty($_POST['regSubmit']))
    {
        checkSession();

        foreach ($_POST as $key => $value)
            if (!is_array($_POST[$key]))
                $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));

        $regOptions = array(
            'interface' => 'admin',
            'username' => $_POST['user'],
            'email' => $_POST['email'],
            'password' => $_POST['password'],
            'password_check' => $_POST['password'],
            'check_reserved_name' => true,
            'check_password_strength' => false,
            'check_email_ban' => false,
            'send_welcome_email' => isset($_POST['emailPassword']) || empty($_POST['password']),
            'require' => isset($_POST['emailActivate']) ? 'activation' : 'nothing',
            'memberGroup' => empty($_POST['group']) ? 0 : (int) $_POST['group'],
        );

        require_once($sourcedir . '/Subs-Members.php');
        $memberID = registerMember($regOptions);
        if (!empty($memberID))
        {
            $context['new_member'] = array(
                'id' => $memberID,
                'name' => $_POST['user'],
                'href' => $scripturl . '?action=profile;u=' . $memberID,
                'link' => '<a href="' . $scripturl . '?action=profile;u=' . $memberID . '">' . $_POST['user'] . '</a>',
            );
            $context['registration_done'] = sprintf($txt['admin_register_done'], $context['new_member']['link']);
        }
    }

    // Basic stuff.
    $context['sub_template'] = 'admin_register';
    $context['page_title'] = $txt['registration_center'];

    // Load the assignable member groups.
    $request = db_query("
        SELECT groupName, ID_GROUP
        FROM {$db_prefix}membergroups
        WHERE ID_GROUP != 3
            AND minPosts = -1" . (allowedTo('admin_forum') ? '' : "
            AND ID_GROUP != 1") . "
        ORDER BY minPosts, IF(ID_GROUP < 4, ID_GROUP, 4), groupName", __FILE__, __LINE__);
    $context['member_groups'] = array(0 => &$txt['admin_register_group_none']);
    while ($row = mysql_fetch_assoc($request))
        $context['member_groups'][$row['ID_GROUP']] = $row['groupName'];
    mysql_free_result($request);
}

// I hereby agree not to be a lazy bum.
function EditAgreement()
{
    global $txt, $boarddir, $context, $modSettings;

    if (isset($_POST['agreement']))
    {
        checkSession();

        // Off it goes to the agreement file.
        $fp = fopen($boarddir . '/agreement.txt', 'w');
        fwrite($fp, str_replace("\r", '', stripslashes($_POST['agreement'])));
        fclose($fp);

        updateSettings(array('requireAgreement' => !empty($_POST['requireAgreement'])));

        redirectexit('action=regcenter;sa=agreement');
    }

    // Get the current agreement.
    $context['agreement'] = file_exists($boarddir . '/agreement.txt') ? htmlspecialchars(file_get_contents($boarddir . '/agreement.txt')) : '';
    $context['warning'] = is_writable($boarddir . '/agreement.txt') ? '' : $txt['smf320'];
    $context['require_agreement'] = !empty($modSettings['requireAgreement']);

    $context['sub_template'] = 'edit_agreement';
    $context['page_title'] = $txt['smf11'];
}

// Set reserved names/words....
function SetReserve()
{
    global $txt, $db_prefix, $context, $modSettings;

    // Submitting new reserved words.
    if (!empty($_POST['save_reserved_names']))
    {
        checkSession();

        // Set all the options....
        updateSettings(array(
            'reserveWord' => (isset($_POST['matchword']) ? '1' : '0'),
            'reserveCase' => (isset($_POST['matchcase']) ? '1' : '0'),
            'reserveUser' => (isset($_POST['matchuser']) ? '1' : '0'),
            'reserveName' => (isset($_POST['matchname']) ? '1' : '0'),
            'reserveNames' => str_replace("\r", '', $_POST['reserved'])
        ));
    }

    // Get the reserved word options and words.
    $context['reserved_words'] = explode("\n", $modSettings['reserveNames']);
    $context['reserved_word_options'] = array();
    $context['reserved_word_options']['match_word'] = $modSettings['reserveWord'] == '1';
    $context['reserved_word_options']['match_case'] = $modSettings['reserveCase'] == '1';
    $context['reserved_word_options']['match_user'] = $modSettings['reserveUser'] == '1';
    $context['reserved_word_options']['match_name'] = $modSettings['reserveName'] == '1';

    // Ready the template......
    $context['sub_template'] = 'edit_reserved_words';
    $context['page_title'] = $txt[341];
}

// This function handles registration settings, and provides a few pretty stats too while it's at it.
function AdminSettings()
{
    global $txt, $context, $db_prefix, $scripturl, $modSettings;

    // Setup the template
    $context['sub_template'] = 'admin_settings';
    $context['page_title'] = $txt['registration_center'];

    // Saving?
    if (isset($_POST['save']))
    {
        checkSession();

        // Are there some contacts missing?
        if (!empty($_POST['coppaAge']) && !empty($_POST['coppaType']) && empty($_POST['coppaPost']) && empty($_POST['coppaFax']))
            fatal_error($txt['admin_setting_coppa_require_contact']);

        // Post needs to take into account line breaks.
        $_POST['coppaPost'] = str_replace("\n", '<br />', empty($_POST['coppaPost']) ? '' : $_POST['coppaPost']);

        // Update the actual settings.
        updateSettings(array(
            'registration_method' => (int) $_POST['registration_method'],
            'notify_new_registration' => isset($_POST['notify_new_registration']) ? 1 : 0,
            'send_welcomeEmail' => isset($_POST['send_welcomeEmail']) ? 1 : 0,
            'password_strength' => (int) $_POST['password_strength'],
            'disable_visual_verification' => isset($_POST['visual_verification_type']) ? (int) $_POST['visual_verification_type'] : 0,
            'coppaAge' => (int) $_POST['coppaAge'],
            'coppaType' => empty($_POST['coppaType']) ? 0 : (int) $_POST['coppaType'],
            'coppaPost' => $_POST['coppaPost'],
            'coppaFax' => !empty($_POST['coppaFax']) ? $_POST['coppaFax'] : '',
            'coppaPhone' => !empty($_POST['coppaPhone']) ? $_POST['coppaPhone'] : '',
        ));

        // Reload the page, so the tabs are accurate.
        redirectexit('action=regcenter;sa=settings');
    }

    // Turn the postal address into something suitable for a textbox.
    $context['coppaPost'] = !empty($modSettings['coppaPost']) ? preg_replace('~<br(?: /)?' . '>~', "\n", $modSettings['coppaPost']) : '';

    // Generate a sample registration image.
    $context['use_graphic_library'] = in_array('gd', get_loaded_extensions());
    $context['verificiation_image_href'] = $scripturl . '?action=verificationcode;rand=' . md5(mt_rand());

    $character_range = array_merge(range('A', 'H'), array('K', 'M', 'N', 'P'), range('R', 'Z'));
    $_SESSION['visual_verification_code'] = '';
    for ($i = 0; $i < 5; $i++)
        $_SESSION['visual_verification_code'] .= $character_range[array_rand($character_range)];

Steve

Do us a favor and when you're going to be posting code like that could you put it in code tags? Just press the button that has this on it:

:)

willie2

I would be happy to, Steve. When do you want me to press #?   When I post what I copied?

I have been comparing my files in the source folder to the clean files that are manage files, and they all match so far. Where do I look for files that may be corrupted that control the mail out for new approvals?

nend

The problem shouldn't be in any of the manage files in the sources.  ::)

willie2


nend

The Admin notification function is in Subs-Post.php. Since the user is getting a welcome message we know email is working so I say you should start there.  ;)

Be sure to put your content in between [code]    [/code] tags.

Kindred

No.. It is dead that file that is an issue...

Look...   That file is, as I said, a file for 1.1.10
It will never work with 2.0.x

I have to wonder what else  was never properly updated on your site

willie2

All updates have gone through the package manager.

I just found out hosting has blocked the "new member has joined" because of the language. She said a lot of hosts are blocking that phrase since it is being used by spammers.

I said that seems impossible since no one here is complaining about it.

She then said that there may be meta code hidden in it. I am going to look at it. Where is the language located?

Kindred

First...  As I have said twice already, that is the wrong version of the file. Period.
That file is clearly labeled as 1.1.10
It will not work with 2.0.11

As for blocking emails...  I think your host is full of it.

nend

Quote from: willie2 on January 12, 2016, 10:12:56 PM
All updates have gone through the package manager.

I just found out hosting has blocked the "new member has joined" because of the language. She said a lot of hosts are blocking that phrase since it is being used by spammers.

I said that seems impossible since no one here is complaining about it.

She then said that there may be meta code hidden in it. I am going to look at it. Where is the language located?

Look in the languages folder in the default theme for EmailTemplates.english.php, under admin_notify.

If you are running 2.0.x you need to get your Sources updated as well. Not upgrading them is just going to cause a lot of problems in the long run.

willie2

Thank you, nend.  I am running 2.0.11 so I have the latest sources.  I will take a look in email templates. Appreciate your help.

Kindred, that file is not being used.  I posted it saying  "Here is code from manageregistration.php~"   It is the   php~    I wanted to know why it was there.  I don't know why it is there. I was asking about it.  I have updated from that version a long time ago.

Anyway, the tech said they have blocked that script because of the language.  That does not explain why no pw is going out after admin approval.

Kindred

Ah. You have never bothered to clean up the old 1.1.x files...

It is there because some mod, at some point in the past, edited that file and the php~ files are backups taken before the mod gets installed.   I thought that was already explained.

You need to give your host a dope slap and tell them to unblock your files

willie2

Thanks nend. That is what I was looking for.  The file matches a clean one.  That leaves me without any ideas left to try.

I edited the file to change the wording and it still does not work.

I am ready to do a new install. Unless there is something else I can try.

willie2

Since from what I can tell, my site is working fine except for these two notification issues. How should I go about loading clean files? Can I just ftp new files? Any short cuts?


willie2

Thanks.

My search in the online manual  here does not turn up anything on a hacked database.  If the admin pw was acquired, then they would have the password for the db. Is it possible then to have the db infected?

If so, then when copying files, does the smf version have to match the date of the backed up database?  Or can a current version of smf use a database that was using an older version of smf?

Kindred

as long as the database is 2.0.x - you can have any 2.0.x version of the files.


I am curious... why do you think that you were hacked?

willie2

Thanks, Kindred.  I contacted host about a problem in editing a post. They said there was malicious code on the site.  I took a look at the ban log and saw a lot of activity by a few ips.  Reviewed the error log and found banned ips in areas they were banned from. At least that is what I think I was seeing. Would not have known if it had not been for the wrong code at line 185. 

Banned them at server.  Not showing up anymore. But, I still have this problem with the notices not going out to admin and new members after being admin approved. Sitelock is scanning daily for problems.

When the notifications stopped coming to admin, I noticed an increase in the banned ips showing up in the ban log. The link in the error log went to an admin board. Changed all passwords everywhere and am using a new computer.  I can't find those errors anymore in the error log, the ones that revealed the banned ips. They disappeared.

willie2

OK, here's something new for the experts.   

The error log revealed banned ips at different boards.   One of the links revealed they were viewing the summary page which included the private boards. But, I am thinking that I could see the private boards, but maybe they could not?

The error log revealed where they were going at the site.  Three days ago I began banning them at the server level. Today,  the errors revealing when and where the banned ips were are no longer in the log.  I just spent some time going back to see if any were still listed. 268 pages back, I found a couple of the banned ips listed.   How is it possible that these errors have been scrubbed from the log?

Kindred

please define what "malicious code" was found by the host?
There have been several hosts out there who assume that there is "malicious code" when it is actually SMF's own sendmail routine or is a base64 line in a mod...

I am afraid I don't understand what you are talking about with your description...
However --
1- SMF's logging does not log what the users can or can not see -- it logs the page they are on when they trigger the error...   which could be an admin URL that actually only shows them the password challenge screen. However, the who's online and error log would show the user as being on the page -- even though they actually had no content displayed.
2- there is only one way for log entries to be deleted.  -- an admin deleted them - either individually, by filter or by clearing the log entirely.
Do note... most people clear the error log when they do an upgrade.

willie2

When the line 185 error was showing up all the time, it revealed banned ips and showed where they were by way of a link to a page. Some of these notices showed banned ips viewing a page with private boards. How does a banned ip end up viewing a page of private boards?

After correcting the line 185 error that nend pointed me to, that cleared up the error log reporting that error.  The next day, all of the errors that had been in the error log revealing banned ips disappeared. The two events are unrelated unless it revealed I was working in the error log.

After searching the whole error log which went back to 11/27 I found a few that had not been deleted.

Member: Guest
IP address: 188.143.232.19
Time: December 25, 2015, 12:42:15 PM
Session: b799610b12c425f5e75f66ba23ae95fb
Type of error: User
URL: http://xxxxxxx.com/smf/index.php?action=forum;wap2
Message: Sorry Guest, you are banned from using this forum!
spam IP
This ban is not set to expire.

Member: Guest
IP address: 188.143.232.19
Time: December 25, 2015, 12:42:15 PM
Session: b799610b12c425f5e75f66ba23ae95fb
Type of error: User
URL: http://xxxxxxxx.com/smf/index.php?action=credits
Message: Sorry Guest, you are banned from using this forum!
spam IP
This ban is not set to expire.


Notice the one link is to    {=forum;wap2}  That is the private admin area. I am not sure why they do not reveal a graphic of the page, but instead show a text file.  These deletions have nothing to do with the line 185 error. As you say, Kindred, they were deleted. Why? and How?
   
This happened after all admin passwords were changed to everything  at the same time.  The admin log is not reporting the admin changes regarding the deletions in the error log.

Screen shots are attached.

Kindred

ummm.... no.  the wap2 is *NOT* the private admin area.  It's the original "mobile" view (for old phones which didn't do graphics, etc)

and, as I said above...    just because they show up in the log does not mean that they actually SAW anything. It just means that they hit that page URL -- (and, in this case, got the "you are banned" message.)   That's all they saw at that location.
How can they get there?
Anyone can get there if they type in the URL or click a link from some other site...   it still doesn't mean that they could see anything once the URL got loaded.

willie2

That's nice to know. 

How did the error log postings get deleted? They showed the banned ips that were attempting to access those pages.

I am just a little paranoid at this point, Kindred.  I see a hacker at every turn.  :(

How can I fix my notification problem?

nend pointed me to sub-post.php.   

I compared my file to a clean file and found the only difference was the version. Not sure why since I am running 2.0.11.   The clean file is version 2.0.10   Mine is  2.0.8.

Did my updates get corrupted?   

    SMF 2.0.11 | SMF © 2015, Simple Machines
    Anecdota by, Crip XHTML WAP2


Kindred

well, the only way for the error log to have stuff removed is if it was deleted. period.

So either you accidentally deleted it or someone else did.
I seriously doubt that any hackers went in and carefully cleaned the error log of their IP errors.


willie2

There are 685 pages. I did not delete one of them.  I don't know of any way to delete them except manually one by one. And, not all were deleted. I found those I copied on pg 268. How does one delete all but a few unless it was done manually?

Any way, why is my sub-post.php file dated 2.0.8  when I am running 2.0.11?

Kindred

because not every file is updated in every release...

it does sound like you may have missed some or all of the 2.0.10 updates for that file.

willie2

Since I already updated 2.0.11  what do I do?

Kindred

put the 2.0.10 release through the package/mod parse and check to see if the edits to that file were actually done (I suspect that the only thing which wasn't done is the version number update in the file header/comment)

When a mod package gives you an error on installation -- especially when it is a patch package -- you need to be careful.

However, it is unlikely that that file has anything to do with the problems you have reported.

Illori

Quote from: Kindred on January 14, 2016, 03:01:29 PM
it does sound like you may have missed some or all of the 2.0.10 updates for that file.

that file has the version of 2.0.8 on it even if you did upgrade to 2.0.10. so the op has nothing missing in that file.
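
The file check this thread keeps coming back to (live Sources files against a clean copy of the same release, plus the leftover `.php~` backups and their version headers), as an added example that is not part of any post and is not SMF code. The directory layout, the constructed file contents and the 2.0.x `@version` header pattern are assumptions of the example; the 1.1.x banner pattern is the one quoted earlier in the thread.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# 1.1.x banner as quoted in the thread; the 2.0.x "@version" docblock form
# is an assumption of this example.
VERSION_RES = (
    re.compile(rb"Software Version:\s+SMF\s+(\S+)"),
    re.compile(rb"@version\s+(\S+)"),
)


def header_version(path):
    """Return the version string from a file's header comment, or None."""
    head = path.read_bytes()[:4096]
    for rx in VERSION_RES:
        m = rx.search(head)
        if m:
            return m.group(1).decode("ascii", "replace")
    return None


def digest(path):
    """SHA-256 of the file contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(live_dir, clean_dir):
    """Compare a live Sources tree with a clean copy of the same release."""
    live_dir, clean_dir = Path(live_dir), Path(clean_dir)
    clean = {p.relative_to(clean_dir).as_posix(): digest(p)
             for p in clean_dir.rglob("*") if p.is_file()}
    report = {"match": [], "modified": [], "backup": [],
              "unexpected": [], "missing": []}
    seen = set()
    for p in sorted(live_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(live_dir).as_posix()
        if rel.endswith("~"):
            # Backup taken before an edit: list it with its header so
            # leftovers from an older release stand out.
            report["backup"].append((rel, header_version(p)))
        elif rel not in clean:
            # No file of this name ships in the clean release.
            report["unexpected"].append(rel)
        else:
            seen.add(rel)
            # The hash decides; the header version is reported, not trusted.
            key = "match" if digest(p) == clean[rel] else "modified"
            report[key].append((rel, header_version(p)))
    report["missing"] = sorted(set(clean) - seen)
    return report


def build_demo(root):
    """Create two small constructed trees (not real SMF files) under root."""
    root = Path(root)
    live, clean = root / "live", root / "clean"
    live.mkdir()
    clean.mkdir()
    v20 = "<?php\n/**\n * @version {}\n */\n{}\n"
    v11 = "<?php\n/*****\n* Software Version:           SMF 1.1.10      *\n*****/\n"
    # Header lags the release, content identical to the clean copy.
    for tree in (live, clean):
        (tree / "Subs-Post.php").write_text(v20.format("2.0.8", "function sendmail() {}"))
        (tree / "ManageRegistration.php").write_text(v20.format("2.0.11", "function RegCenter() {}"))
    # Same header, different body: a mod edit or tampering.
    (clean / "ManageMail.php").write_text(v20.format("2.0.11", "function ManageMail() {}"))
    (live / "ManageMail.php").write_text(v20.format("2.0.11", "function ManageMail() { /* edited */ }"))
    # Backup left over from a much older release.
    (live / "ManageRegistration.php~").write_text(v11)
    # A file no clean release contains, and one the live tree lacks.
    (live / "cache_helper.php").write_text("<?php // constructed stray file\n")
    (clean / "Security.php").write_text(v20.format("2.0.11", "function validateSession() {}"))
    return live, clean


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = build_demo(tmp)
        for section, rows in audit(live, clean).items():
            print(section, rows)
```

Because a file's header can lag the installed release, as with Subs-Post.php above, the hash comparison against the clean copy is what decides whether a file is intact.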
