Help needed with 2.0.15 clean up after malware infection

Started by shred, June 17, 2018, 03:52:09 PM


shred

Good evening all,

I hope that someone can offer some guidance?

We were recently informed by Lunarpages that our forum was infected by malware. They have carried out an audit and requested the following:

Quote: before the web service can be reinstated for your account, we would need you to review the list of scripts below and remove those that are no longer in use:

SMF found - (Maintained):
$forum_version = 'SMF 2.0.15';
location:/home/*******/public_html/forum

SMF found - (Maintained):
$forum_version = 'SMF 2.0.15';
location:/home/********/public_html/smf

SMF found - (Maintained):
$forum_version = 'SMF 2.0.15';
location:/home/********/public_html/smfnew

4images found - ():
define('SCRIPT_VERSION', '1.7.4');
location:/home/*******/public_html/

phpWebSite found - (EOL):
$version = "0.10.2";
location:/home/*******/public_html/phpWebSite

Joomla 1.5 found - (EOL):
var $RELEASE = '1.5';
var $DEV_LEVEL = '8';
location:/home/******/public_html/joomtest

Then, once the permissions are reinstated, you must upgrade the remaining ones.

How would we know if the scripts are no longer in use? How do we reinstate permissions, and upgrade remaining ones.

Thank you for taking the time to read.

Shred.

GigaWatt

Can you provide a URL to your site? Are you using only SMF, or are there any other PHP scripts in play (I can see they mentioned Joomla) redirecting to SMF or using SSI?
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

Kindred

So, the short answer is...   what URLs do you use on your site?

You have three smf installations.
You have a joomla installation that is ancient. 1.5 has not been supported for years.

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

shred

Sorry guys

URL is https://themanchesters.org/forum/index.php

Should we uninstall 2 of the SMF installations, and how do we uninstall Joomla?

I am asking on behalf of the administrator. I do not have access to the site's cPanel.

Cheers

Kindred

how to uninstall ANY php software from a web server

delete the directory and all files and subdirectories.

(Note: always make a backup. You may have something in there that you want, years from now.)

Sir Osis of Liver

Did some work on this forum a couple of years ago; looks like some things are broken.  Do a complete backup of your production install before you start hacking away.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

GigaWatt

It's running really slow and it doesn't seem to load the whole theme.

Go to Admin --> Configuration --> Server Settings --> Database and Paths and see in which directory the current SMF install (the one that's linked to your main domain) resides (at the bottom of the page: SMF Directory, Sources Directory). As Kindred suggested, delete all of the other directories, BUT keep a backup of all of them, since, as he also said, you might need some of that data in the future, or SMF might be somewhat misconfigured and pulling themes or images from those directories.

If you don't want to risk it, after you've found out the root directory of the forum (SMF Directory), drop repair_settings.php in it and run it (yourforumurl.com/repair_settings.php), then see if all of the paths (Themes, Attachments, Smileys, etc.) reside in the same directory. They should all reside in the same dir, and in that case it should be safe to delete all of the other directories, but... if they don't... you might have a bigger problem :S.

shred

Thanks all for your help and support so far.

Sorry for the delayed response, I only managed to visit the Admin yesterday evening and made some changes to get the forum back up as it had disappeared.

The strange thing now is that if we visit http://themanchesters.org/forum/ there are no error messages, but if we visit www.themanchesters.org/forum/index.php we are getting errors.

Chrome's developer tools report:
Quote:
Mixed Content: The page at 'https://www.themanchesters.org/forum/index.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://themanchesters.org/forum/Themes/default/css/index.css?fin20'. This content should also be served over HTTPS.
index.php:5 Mixed Content: The page at 'https://www.themanchesters.org/forum/index.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://themanchesters.org/forum/Themes/default/css/webkit.css'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.themanchesters.org/forum/index.php' was loaded over HTTPS, but requested an insecure script 'http://themanchesters.org/forum/Themes/default/scripts/script.js?fin20'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.themanchesters.org/forum/index.php' was loaded over HTTPS, but requested an insecure script 'http://themanchesters.org/forum/Themes/default/scripts/theme.js?fin20'. This content should also be served over HTTPS.
118Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure image '<URL>'. This content should also be served over HTTPS.
index.php:48 Mixed Content: The page at 'https://www.themanchesters.org/forum/index.php' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://themanchesters.org/forum/index.php?action=search2'. This endpoint should be made available over a secure connection.
index.php:1 Mixed Content: The page at 'https://www.themanchesters.org/forum/index.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://themanchesters.org/forum/Themes/default/css/index.css?fin20'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.themanchesters.org/forum/index.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://themanchesters.org/forum/Themes/default/css/webkit.css'. This content should also be served over HTTPS.

Do we just need to change all the theme settings to https rather than http?

A special hello to Sir Osis who dug us out of the last hole.

All the best.

Shred

Sir Osis of Liver

Your forum is running in http, not https.  I would run repair_settings.php and set all links to http.

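The path check GigaWatt describes (does the configured SMF directory match where the files actually live?) and the http-versus-https mismatch behind the mixed-content warnings can both be read straight out of each copy's Settings.php. The script below is an added example, not code from this thread or from SMF itself; the directory layout, domain and Settings.php contents it creates are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): audit each SMF copy found on the account by
# reading its Settings.php. A copy whose $boarddir points somewhere else is a stale
# duplicate rather than the live forum; $boardurl's scheme (http vs https) is what
# produces the mixed-content console warnings quoted in the thread.
# Paths and domains below are constructed sample values, not the poster's real config.

# Extract a string setting such as  $boarddir = '/path';  from a PHP file.
smf_setting() {  # $1 = file, $2 = variable name without the leading $
    sed -n "s/^[[:space:]]*\$$2[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print one status line for an install dir; return 0 if $boarddir matches the real
# location, 1 if it points elsewhere (stale copy), 2 if there is no Settings.php.
audit_smf_install() {  # $1 = install directory
    dir=$(cd "$1" && pwd -P)
    [ -f "$dir/Settings.php" ] || { echo "$dir: no Settings.php"; return 2; }
    ver=unknown
    [ -f "$dir/index.php" ] && ver=$(smf_setting "$dir/index.php" forum_version)
    boarddir=$(smf_setting "$dir/Settings.php" boarddir)
    boardurl=$(smf_setting "$dir/Settings.php" boardurl)
    scheme=${boardurl%%://*}
    if [ "$boarddir" = "$dir" ]; then match=yes; rc=0; else match=no; rc=1; fi
    echo "$dir version='$ver' boardurl=$boardurl scheme=$scheme boarddir_matches=$match"
    return $rc
}

# Constructed sample mirroring the host's listing: three SMF 2.0.15 copies,
# of which only public_html/forum is the live one.
make_sample() {  # $1 = scratch root directory
    for d in forum smf smfnew; do mkdir -p "$1/public_html/$d"; done
    root=$(cd "$1" && pwd -P)
    for d in forum smf smfnew; do
        cat > "$root/public_html/$d/index.php" <<EOF
<?php
\$forum_version = 'SMF 2.0.15';
EOF
        # Every copy's Settings.php still names the live forum directory, so the
        # two spare copies show boarddir_matches=no.
        cat > "$root/public_html/$d/Settings.php" <<EOF
<?php
\$boardurl = 'http://www.example.org/forum';
\$boarddir = '$root/public_html/forum';
EOF
    done
}

# Usage: make_sample /tmp/smf-audit && for d in /tmp/smf-audit/public_html/*; do audit_smf_install "$d" || true; done
```

On a real account you would point audit_smf_install at each directory from the host's list instead of the sample; a reported scheme of http on a site served over HTTPS is exactly the condition that triggers the warnings quoted above.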
