No New Members

Started by willie2, January 07, 2016, 05:14:32 PM

Kindred

please define what "malicious code" was found by the host?
There have been several hosts out there who assume that there is "malicious code" when it is actually SMF's own sendmail routine or is a base64 line in a mod...

I am afraid I don't understand what you are talking about with your description...
However --
1- SMF's logging does not log what the users can or cannot see -- it logs the page they are on when they trigger the error... which could be an admin URL that actually only shows them the password challenge screen. However, the who's online and error log would show the user as being on the page -- even though they actually had no content displayed.
2- there is only one way for log entries to be deleted -- an admin deleted them - either individually, by filter or by clearing the log entirely.
Do note... most people clear the error log when they do an upgrade.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

willie2

When the line 185 error was showing up all the time, it revealed banned ips and showed where they were by way of a link to a page. Some of these notices showed banned ips viewing a page with private boards. How does a banned ip end up viewing a page of private boards?

After correcting the line 185 error that nend pointed me to, that cleared up the error log reporting that error.  The next day, all of the errors that had been in the error log revealing banned ips disappeared. The two events are unrelated unless it revealed I was working in the error log.

After searching the whole error log which went back to 11/27 I found a few that had not been deleted.

Guest
IP address: 188.143.232.19
December 25, 2015, 12:42:15 PM
Session: b799610b12c425f5e75f66ba23ae95fb
Type of error: User
URL: http://xxxxxxx.com/smf/index.php?action=forum;wap2
Sorry Guest, you are banned from using this forum!
spam IP
This ban is not set to expire.

Guest
IP address: 188.143.232.19
December 25, 2015, 12:42:15 PM
Session: b799610b12c425f5e75f66ba23ae95fb
Type of error: User
URL: http://xxxxxxxx.com/smf/index.php?action=credits
Sorry Guest, you are banned from using this forum!
spam IP
This ban is not set to expire.


Notice the one link is to {=forum;wap2}. That is the private admin area. I am not sure why they do not reveal a graphic of the page, but instead show a text file. These deletions have nothing to do with the line 185 error. As you say, Kindred, they were deleted. Why? And how?

This happened after all admin passwords were changed to everything at the same time. The admin log is not reporting the admin changes regarding the deletions in the error log.

Screen shots are attached.

Kindred

ummm.... no.  the wap2 is *NOT* the private admin area.  It's the original "mobile" view (for old phones which didn't do graphics, etc)

and, as I said above... just because they show up in the log does not mean that they actually SAW anything. It just means that they hit that page URL -- (and, in this case, got the "you are banned" message.) That's all they saw at that location.
How can they get there?
Anyone can get there if they type in the URL or click a link from some other site...   it still doesn't mean that they could see anything once the URL got loaded.

willie2

That's nice to know. 

How did the error log postings get deleted? They showed the banned ips that were attempting to access those pages.

I am just a little paranoid at this point, Kindred.  I see a hacker at every turn.  :(

How can I fix my notification problem?

nend pointed me to sub-post.php.   

I compared my file to a clean file and found the only difference was the version. Not sure why since I am running 2.0.11. The clean file is version 2.0.10. Mine is 2.0.8.

Did my updates get corrupted?   

    SMF 2.0.11 | SMF © 2015, Simple Machines
    Anecdota by, Crip XHTML WAP2


Kindred

well, the only way for the error log to have stuff removed is if it was deleted. period.

So either you accidentally deleted it or someone else did.
I seriously doubt that any hackers went in and carefully cleaned the error log of their IP errors.

willie2

There are 685 pages. I did not delete one of them.  I don't know of any way to delete them except manually one by one. And, not all were deleted. I found those I copied on pg 268. How does one delete all but a few unless it was done manually?

Anyway, why is my sub-post.php file dated 2.0.8 when I am running 2.0.11?

Kindred

because not every file is updated in every release...

it does sound like you may have missed some or all of the 2.0.10 updates for that file.

willie2

Since I already updated 2.0.11, what do I do?

Kindred

put the 2.0.10 release through the package/mod parse and check to see if the edits to that file were actually done (I suspect that the only thing which wasn't done is the version number update in the file header/comment)

When a mod package gives you an error on installation -- especially when it is a patch package -- you need to be careful.

However, it is unlikely that that file has anything to do with the problems you have reported.

Illori

Quote from: Kindred on January 14, 2016, 03:01:29 PM
it does sound like you may have missed some or all of the 2.0.10 updates for that file.

that file has the version of 2.0.8 on it even if you did upgrade to 2.0.10. so the op has nothing missing in that file.