strange source code with spam?

Started by Fassbier, July 02, 2018, 11:49:51 AM

Fassbier

Hi all,
I found some very strange things in the source code of my SMF board 2015! There are only 2 guys with access to the files and I do not know how this could get in.
For those lines I had a look in several .php files and I tried to search in the DB, but I could not find anything.

Could someone please help me find where these strange lines are?

Quote
<script type="text/javascript"><!-- // --><![CDATA[
         var oMainHeaderToggle = new smc_Toggle({
            bToggleEnabled: true,
            bCurrentlyCollapsed: false,
            aSwappableContainers: [
               'upper_section'
            ],
            aSwapImages: [
               {
                  sId: 'upshrink',
                  srcExpanded: smf_images_url + '/upshrink.png',
                  altExpanded: 'Ein- oder Ausklappen der Kopfzeile',
                  srcCollapsed: smf_images_url + '/upshrink2.png',
                  altCollapsed: 'Ein- oder Ausklappen der Kopfzeile'
               }
            ],
            oThemeOptions: {
               bUseThemeSettings: true,
               sOptionName: 'collapse_header',
               sSessionVar: 'cd77851',
               sSessionId: '9dd7f67a4a368d5c7b91cd0cf980d5aa'
            },
            oCookieOptions: {
               bUseCookie: false,
               sCookieName: 'upshrink'
            }
         });
      // ]]></script>
      <div id="main_menu"><script type="text/javascript"> function get_style () { return "none"; } function end_ () { document.getElementById("ANVR7").style.display = get_style(); } </script>
              <span id="ANVR7">
               my website <a href="h**ps://pretty.porn/amazing.html">Hot Amazing </a> Check Out Your URL <br>
            <a href="h**ps://kickassbase.com/search?q=undertale+torrent">Download undertale</a><br>
             <a href="h**ps://torrentsway.com">h**ps://torrentsway.com</a>   

           </span>
           <div><script type="text/javascript"> end_(); </script></div>


         <ul class="dropmenu" id="menu_nav">

I changed the "tt" to "**" so that it is possible to share this code. DON'T click on it, I don't try and know what is behind.

best regards,
Fassbier

Arantor

I'd suspect it was the index.template.php file for your current theme. As for how it got there, multiple explanations present, but find if the code is in that file first.

Fassbier

got it!
Thanks a lot!

Now to the most interesting question...
My first idea was that it came through some mods which are installed. I don't think that somebody else had access or it was hacked, but who knows.
What is your guess?

btw, the file was last modified in 2014, if this is correct.

To remove that, from " <span id..." to "  </span>" should be good, or?

best regards

Illori

It is possible you got hacked. Bad code could be found elsewhere, you just don't know where.

Fassbier

ok, found one more issue:

Quote
<div class="title_barIC">
            <h4 class="titlebg">
               <span class="ie6_header floatleft">
                  <img class="icon" src=".........." alt="Benutzer Online" />Mitglieder Online
               </span>
            </h4>
         </div>
         <p class="inline smalltext">Insgesamt: <b>24</b> (Sichtbar: 24, Versteckt: 0)<br />..............
         </p>
<script type="text/javascript"> function get_style () { return "none"; } function end_ () { document.getElementById("ZH4x2G").style.display = get_style(); } </script>
              <span id="ZH4x2G">
                <a href="h**ps://ot****len.com" target="_blank">https://ot***llen.com/</a> <br>
           sehen Sie diese Website <a href="https://eda****ke-de.com">https://eda****ke-de.com/</a>
           </span>
           <div><script type="text/javascript"> end_(); </script></div>
      </div>

I removed the links. This I cannot find in the same file. Any idea?

In the meantime the server, db, all passwords and the admin changed... so if it is correct and the file was last modified in 2014, that's all from the past. Anyway I would like to know where it is from.

best regards, thanks for your help!
Fassbier

Sir Osis of Liver

I would back up all files and database, delete everything except Settings.php, Settings_bak.php, /attachments and /avatars, do a clean install.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters
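
The two injected blocks quoted in this thread share one shape: a script hides an element by id through style.display, and that element holds outbound links. The scanner below looks for that shape across a forum's files; it is an added example, not part of the original thread or of SMF, and the function names, the SAMPLE markup and its example.invalid links are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Script that hides an element by id: getElementById("X").style.display = ...
HIDE_RE = re.compile(r'getElementById\(\s*\\?["\']([\w-]+)\\?["\']\s*\)\.style\.display\s*=')
# Anchor with an absolute or protocol-relative href (quotes may be PHP-escaped).
LINK_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*\\?["\']?\s*(?:https?:)?//', re.I)

# Constructed sample mirroring the structure quoted in the thread.
SAMPLE = '''<div id="main_menu"><script type="text/javascript"> function get_style () { return "none"; } function end_ () { document.getElementById("AB12C").style.display = get_style(); } </script>
  <span id="AB12C">
    <a href="https://spam-one.example.invalid/">one</a><br>
    <a href="https://spam-two.example.invalid/">two</a>
  </span>
  <div><script type="text/javascript"> end_(); </script></div>
  <ul class="dropmenu" id="menu_nav"><li><a href="index.php">Home</a></li></ul>
'''

def find_hidden_link_blocks(text):
    """Return (line_no, element_id, link_count) for each element that a
    script hides by id and whose body contains external links."""
    hits = []
    for element_id in sorted(set(HIDE_RE.findall(text))):
        # Find the element carrying that id and capture up to its closing tag.
        elem = re.search(
            r'<(\w+)\b[^>]*\bid\s*=\s*\\?["\']%s\\?["\'][^>]*>(.*?)</\1\s*>'
            % re.escape(element_id), text, re.I | re.S)
        if not elem:
            continue
        links = len(LINK_RE.findall(elem.group(2)))
        if links:
            line_no = text.count("\n", 0, elem.start()) + 1
            hits.append((line_no, element_id, links))
    return sorted(hits)

def scan_tree(root, suffixes=(".php", ".html", ".js")):
    """Walk a directory tree and return {path: hits} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hidden_link_blocks(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    for name, found in scan_tree(sys.argv[1]).items():
        print(name, found)
```

A hit is a lead for manual review rather than proof of compromise, and the pattern does not follow nested elements of the same tag or markup assembled at runtime.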

Fassbier


Sir Osis of Liver

There could be more code elsewhere, you could be chasing it for a long time.  Do a clean install.

Fassbier

I think this would be the best, yes.
All the mods have to be installed then again, right?

Any idea where it comes from? Could it be related to a bad mod which was installed?


Sir Osis of Liver

Yes, you'll have to reinstall mods and themes, and redo any manual customizations.  Very unlikely it got there via a mod, unless you installed one you got from another source.  Advise your host your account was hacked, ask them to run a complete security scan if you can't do it in cpanel.


GigaWatt

Quote from: Fassbier on July 02, 2018, 11:49:51 AM
DON'T click on it, I don't try and know what is behind.

Clicked it. It is what the URL says it is :P.

Quote from: Sir Osis of Liver on July 02, 2018, 12:43:32 PM
There could be more code elsewhere, you could be chasing it for a long time. Do a clean install.

^^ What he said.
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."
