Is SMF 2.0.15 still safe to use?

Started by Stefan1200, June 01, 2019, 12:18:26 PM


Stefan1200

Yesterday evening my SMF forum got hacked (many PHP files of the SMF forum were changed). Apache and PHP are up to date, FTP and Apache logs look good. So I just need to know if SMF 2.0.15 is still safe to use.

vbgamer45

Community Suite for SMF - Grow your forum with SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com - Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Kindred

Check your server logs to figure out the original vector, but SMF 2.0.15 currently has no known security issues.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Illori


Stefan1200

Quote from: Illori - June 01, 2019, 03:24:45 PM
once you have the server logs, https://www.simplemachines.org/about/smf/security.php should be filled out.

I would, but I have no idea how I got hacked. In the FTP logs there was no connection to my website yesterday. In the Apache logs there is nothing at the file modification time that looks suspicious. So is it useful to report it in this case?

vbgamer45

Anything else on your server? Any other php scripts? Are you on a vps/dedicated server?

Shambles

Ask your host to check their own logs too.

Stefan1200

Quote from: Shambles - June 01, 2019, 04:34:04 PM
Ask your host to check their own logs too.

My hoster did yesterday and found nothing. The FTP logs are safe too. Very confusing.

Stefan1200

Quote from: vbgamer45 - June 01, 2019, 04:19:03 PM
Anything else on your server? Any other php scripts? Are you on a vps/dedicated server?

There are other self-created scripts, but none of them have the power to change other files. They are just interacting with the database, no file operations. And those scripts were not changed, only all SMF index.php files. Other customers of the hoster were not affected.

Aleksi "Lex" Kilpinen

Can you see the timestamps on the changed files, and compare your access logs to that time - is there any activity at all?
There are basically 2 options that come to mind: either a remotely executed script (that would leave an access log record or multiple) or your server was compromised elsewhere (would not leave logs, and should make your host worried).
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Illori

how do you know the php files were changed? in what way were they changed?

Stefan1200

Quote from: Illori - June 02, 2019, 10:37:59 AM
how do you know the php files were changed? in what way were they changed?

All index.php files of SMF (including SMF sub directories; really only those files, no other files were changed, not even index.php files outside of the SMF directory) had inserted JavaScript code at position 0. Thanks to enabled GZIP compression this generated invalid code, so most browsers were not able to display the content.

Luckily the file modification date was not faked, so it shows the real modification date. And at that time I didn't see any suspicious log file entries. The FTP logs are fully clean for the whole of May; the Apache access logs I only checked for the minutes around the file modification date, because it is too big.

My hoster already checked everything; no other customers were attacked, only my own SMF forum, nothing more. Also my hoster was not able to see break-in attempts in other log files.
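
The check discussed in this thread (find the index.php files with content inserted ahead of the PHP open tag, then pull the access-log requests around each file's modification time), as an added example that is not part of any post and not SMF code. It assumes a clean index.php begins with `<?php`, Apache combined-format logs and a 5-minute window; the function names and the sample log lines are constructed.

```python
import os
import re
from datetime import datetime

# Timestamp field of an Apache combined-format line, e.g. [31/May/2019:21:14:02 +0000]
LOG_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def find_prefixed_index_files(root, expected=b"<?php"):
    """Return (path, mtime) for every index.php whose first bytes are not `expected`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "index.php" not in files:
            continue
        path = os.path.join(dirpath, "index.php")
        with open(path, "rb") as fh:
            head = fh.read(64)
        # Tolerate a UTF-8 BOM and whitespace, nothing else, before the PHP open tag.
        if not head.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(expected):
            hits.append((path, os.path.getmtime(path)))
    return sorted(hits, key=lambda h: h[1])

def requests_near(log_lines, mtime, window_s=300):
    """Return access-log lines stamped within window_s seconds of mtime (epoch seconds)."""
    near = []
    for line in log_lines:
        m = LOG_TS.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if abs(ts - mtime) <= window_s:
            near.append(line)
    return near

def triage(root, log_lines, window_s=300):
    """Map each modified index.php to the requests logged around its mtime."""
    return {path: requests_near(log_lines, mtime, window_s)
            for path, mtime in find_prefixed_index_files(root)}

# Constructed sample lines in Apache combined format (not taken from the thread).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/May/2019:21:14:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/May/2019:21:16:40 +0000] "POST /forum/index.php HTTP/1.1" 200 812 "-" "curl/7.64"',
    '203.0.113.7 - - [31/May/2019:23:50:00 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

An empty list for a modified file is itself a finding: no web request coincides with the change, which points toward the second option raised earlier in the thread, a change made outside the web server.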

Aleksi "Lex" Kilpinen

Who are you hosted with and would you be willing to post a security report for us with some further details? I still believe SMF is the least likely suspect, but would like us to get to know the details.