Forum hacked?

Started by Ravey76, May 14, 2023, 05:49:52 PM


Ravey76

Hello to the round,

earlier, a member alerted me that a picture he had attached now has a red error message with an exclamation mark. The message said something like "Wrong file ID".

I first suspected the file itself and did a forum check first. No errors were found.

Then I looked at the user's post. At first glance, nothing suspicious. Only when I looked at the source code view of the post did cryptic malicious code appear. I have attached a screenshot of it below.

I am now wondering how this can happen.

The user is a trusted member who has been with us for decades (beyond a shadow of a doubt).
Maybe an infected image file or infected image hoster?
Or: bug in the forum?

My forum is SMF 2.1.3

Thanks for your help.

Many greetings
Charly


Addition:
The User wrote me this message:

The image was a photo ([of a motorcycle] taken with the smart phone), cropped and reduced with IrfanView, edited the license plate with MS Paint, then uploaded in the course of posting within the forum software and embedded in the text...after uploading, everything was probably ok (as shown by the first comments, which are indeed related to the appearance). I had made no attempt to change the image or text....

Kindred

That additional code has nothing to do with the image...

And it should be rejected since it's not valid BBC markup

What mods do you have installed?
URL to this post?
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

GL700Wing

Life doesn't have to be perfect to be wonderful ...

Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Ravey76

Good morning everyone.

@GL700Wing: That is the correct link, you are right. But I already removed the malicious code because I didn't want to leave it online. If necessary, I can copy the code in here. Should I do that?


@Kindred: You're right - this additional code doesn't really belong in there, which is why I immediately became suspicious when I saw it.

I have installed the following mods (for years).


1    Tapatalk SMF 2.1 Plugin    5.1.3
2    Anti-spam by CleanTalk    2.36
3    Footer Menu    1.1.2
4    Global Headers Footers    2.1a
5    Similar Topics    1.2.3
7    Message Bookmarks    0.9.3
8    Stop Forum Spam    1.3
9    Google Analytics Code    1.6.1
9    More Spiders    1.3.1
10    SMF 2.1.2 Update    1.0
11    Ad Managment    3.5d
12    Google Member Map    4.0
13    Snowflakes    1.81
14    Mod Version Checker    1.1
15    Post and PM Inline Attachments    7.08
16    Simple Audio Video Embedder    7.0.1
17    SMF 2.1.3 Update    1.0


Addendum: I also looked at the error log. Unfortunately, no suspicious entries.

GL700Wing

I've highlighted in green all the code that isn't part of the normal inline [attach][/attach] tag - wondering if the 'Ad Management' mod caused this issue.

Ravey76

What I forgot to mention:
All advertising is disabled as soon as a user is *logged in*. That means: only the unregistered / not logged in guests get ads displayed. All "normal" users who are logged in will have a "normal", clean forum.

Means: the AD-Mod should not have been active in the situation where the "infected image" was uploaded. I think.

Ravey76

Two more additions:
The user has sent me his "original" picture by mail, so that I can analyze it. I can't see anything suspicious about the picture. Photoshop opens it without an error message.

At the same time, I looked at the "Who's online" list. I see that there are currently several hundred accesses from an IP address range 54.36.148.* and 54.36.149.*.
Is it possible that the forum is under attack?

Ravey76

Another important addendum:

A few days ago we had an incident in which two users registered in the forum and started asking curious questions. Completely pointless, such as: "What are your hobbies" or "What do you say about current world events?".

I quickly came to suspect that these are *AI users* and artificially generated questions. And I think that in the current case it is REALLY an AI-based attack on the forum.

Why? Below I have attached the original code that was added under the "attach" command. And the very last line in it says the following:


div[id^="gpt_ad_"]



[attach id=92404][url="https://bmw-einzylinder.de/forum/index.php?action=dlattach;attach=92404;type=preview;file"]2023-05-09-Taz-when in Rome.gif[/url][/attach]

!important;}[href^="https://adult.xyz/"]{display:none !important;}div[style^="z-index: 999999; background-image: url(\"data:image/gif;base64,"][style$="position: absolute;"]{display:none !important;}a[href^="https://taghaugh.com/"]{display:none !important;}[href^="https://mylead.global/stl/"] > img{display:none !important;}a[href^="https://ak.psaltauw.net/"]{display:none !important;}a[href^="https://go.xxxjmp.com"]{display:none !important;}a[href^="https://www.nutaku.net/signup/landing/"]{display:none !important;}a[href^="https://u.expresstech.io/"]{display:none !important;}a[href^="https://go.xlviiirdr.com"]{display:none !important;}a[href^="https://ads.ad4game.com/"]{display:none !important;}[href^="http://referrer.website/"]{display:none !important;}app-large-ad{display:none !important;}[href="https://www.masstortfinancing.com/"] > img{display:none !important;}gpt-ad{display:none !important;}[href^="https://www.targetingpartner.com/"]{display:none !important;}[href^="https://optimizedelite.com/"] > img{display:none !important;}div[id^="dfp-ad-"]{display:none !important;}[name^="google_ads_iframe"]{display:none !important;}[onclick*="window.open('http://deloplen.com/"]{display:none !important;}a[href^="https://t.hrtye.com/"]{display:none !important;}a[href^="https://iactrivago.ampxdirect.com/"]{display:none !important;}[onclick*="postlnk.com"]{display:none !important;}a[href^="https://twinrdsrv.com/"]{display:none !important;}a[href^="http://static.fleshlight.com/images/banners/"]{display:none !important;}[href^="https://dl-protect.net/get-premium-url"]{display:none !important;}a[href^="https://join.virtualtaboo.com/track/"]{display:none !important;}a[href^="https://adswick.com/"]{display:none !important;}a[href^="https://go.goaserv.com/"]{display:none !important;}[onclick^="location.href='http://www.reimageplus.com"]{display:none !important;}a[href^="https://engine.phn.doublepimp.com/"]{display:none 
!important;}a[href^="https://go.ebrokerserve.com/"]{display:none !important;}a[href^="https://affiliate.rusvpn.com/click.php?"]{display:none !important;}a[href^="https://trk.sportsflix4k.club/"]{display:none !important;}app-ad{display:none !important;}div[data-adzone]{display:none !important;}a[href^="https://join.dreamsexworld.com/"]{display:none !important;}a[href^="https://affcpatrk.com/"]{display:none !important;}[href^="https://instatus.in/status1.php"]{display:none !important;}[data-role="tile-ads-module"]{display:none !important;}a[href^="https://natour.naughtyamerica.com/track/"]{display:none !important;}[href^="http://www.fleshlightgirls.com/"]{display:none !important;}[href^="https://shiftnetwork.infusionsoft.com/go/"] > img{display:none !important;}a[href^="https://go.currency.com/"]{display:none !important;}a[href^="https://engine.blueistheneworanges.com/"]{display:none !important;}[href^="https://track.wg-aff.com/click"]{display:none !important;}a[href^="https://go.xlirdr.com"]{display:none !important;}div[id^="ad-position-"]{display:none !important;}guj-ad{display:none !important;}a[href^="//a.bestcontentfare.top/"]{display:none !important;}[href^="http://join.michelle-austin.com/"]{display:none !important;}[data-ad-width]:not([style$="left: -10000px !important; top: -1000px !important;"]):not(div.adsbygoogle){display:none !important;}[id^="ad_sky"]{display:none !important;}a[href^="https://static.fleshlight.com/images/banners/"]{display:none !important;}[href^="http://homemoviestube.com/"]{display:none !important;}[href^="//mob1ledev1ces.com"]{display:none !important;}[href^="https://routewebtk.com/"]{display:none !important;}div[data-native_ad]{display:none !important;}display-ad-component{display:none !important;}a[href^="https://landing1.brazzersnetwork.com"]{display:none !important;}a[data-url^="http://paid.outbrain.com/network/redir?"] + .author{display:none !important;}ins.adsbygoogle{display:none 
!important;}[class^="adjust-smart-banner"]{display:none !important;}div[id^="gpt_ad_"]{display:none !important;}


Kindred

Quote from: Ravey76
You're right - this additional code doesn't really belong in there, which is why I immediately became suspicious when I saw it.

No, what I meant is that code is completely invalid as far as the SMF parser is concerned. There is no way that should actually even make it through the posting process. Unless something is breaking your system's parser.

Standard SMF does not allow HTML code like that CSS display:none

Ravey76

I realise that this was a completely wrong code that would not have passed the parser. Someone put in a standard HTML code without knowing that it is not compatible with the BBC code.

I wonder HOW this code could have been put into this thread. When the thread was published, everything was fine for about half a day. Then suddenly the image was gone and the malicious code was in it. And nobody knows how this could happen (even the author of the thread did not change anything during this time).

Could it be that the database was hacked and this malicious code was inserted there?

Ravey76

Here's a screenshot of my BBC settings:

@rjen

Just a question: was the user in question using tapatalk when he posted?
Running SMF 2.1 with latest TinyPortal at www.fjr-club.nl

Ravey76

The user just told me: No Tapatalk was used, but a PC with Windows 10 and current Firefox browser.

I took a look at the server log files. The original post was written at 18:20. From that time until 21:47, when the error first occurred, there was neither a message of this kind nor anything else that would be suspicious.

What is suspicious, however, is that someone or something has tried to access this post creator's profile/alerts about 140 times in the period from 21:47 to 6:49 of today.

Example:
bmw-einzylinder.de anon-31-94-67-160.ip.invalid - - [14/May/2023:21:54:55 +0200] "GET /forum/index.php?action=profile;area=alerts_popup;counter=0;u=709 HTTP/1.1" 200 505 "https://bmw-einzylinder.de/forum/index.php?topic=22535.new" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
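
The log check described in the post above, as an added example that is not part of the thread or of SMF: it parses lines in the quoted access-log layout, groups the `alerts_popup` requests for one member ID by client and user agent, and lists POSTs to post-submitting actions in the window before the error appeared. The action names in `WRITE_ACTIONS`, the function names and all sample lines except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Layout of the access-log line quoted in the post: vhost, client, two "-" fields,
# [timestamp], "request", status, size, "referer", "user agent".
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Assumption: action names of requests that submit or modify a post; adjust to your log.
WRITE_ACTIONS = {"post2", "jsmodify"}

# First line is the one quoted in the post; the other four are constructed sample data.
SAMPLE_LOG = """\
bmw-einzylinder.de anon-31-94-67-160.ip.invalid - - [14/May/2023:21:54:55 +0200] "GET /forum/index.php?action=profile;area=alerts_popup;counter=0;u=709 HTTP/1.1" 200 505 "https://bmw-einzylinder.de/forum/index.php?topic=22535.new" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
bmw-einzylinder.de anon-31-94-67-160.ip.invalid - - [14/May/2023:22:10:02 +0200] "GET /forum/index.php?action=profile;area=alerts_popup;counter=0;u=709 HTTP/1.1" 200 505 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
bmw-einzylinder.de anon-192-0-2-10.ip.invalid - - [14/May/2023:23:01:40 +0200] "GET /forum/index.php?action=profile;area=alerts_popup;counter=0;u=709 HTTP/1.1" 200 505 "-" "ExampleAgent/1.0"
bmw-einzylinder.de anon-192-0-2-10.ip.invalid - - [14/May/2023:21:46:30 +0200] "POST /forum/index.php?action=jsmodify;topic=22535 HTTP/1.1" 200 812 "-" "ExampleAgent/1.0"
bmw-einzylinder.de anon-198-51-100-7.ip.invalid - - [14/May/2023:22:30:00 +0200] "GET /forum/index.php?action=profile;area=alerts_popup;counter=0;u=12 HTTP/1.1" 200 505 "-" "ExampleAgent/1.0"
"""

def parse_log(text):
    """Parse log text into records; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        query = rec["url"].partition("?")[2]
        # SMF separates query parameters with ';' (see the quoted URL); accept '&' too.
        rec["params"] = dict(p.partition("=")[::2] for p in re.split("[;&]", query) if p)
        records.append(rec)
    return records

def alert_polls(records, user_id, start, end):
    """Count alerts_popup requests for one member ID per (client, user agent)."""
    hits = Counter()
    for r in records:
        p = r["params"]
        wanted = (p.get("action"), p.get("area"), p.get("u")) == ("profile", "alerts_popup", user_id)
        if wanted and start <= r["time"] <= end:
            hits[(r["client"], r["agent"])] += 1
    return hits

def write_requests(records, start, end):
    """POSTs to post-submitting actions in the window: candidates for the edit."""
    return [(r["time"].isoformat(), r["client"], r["params"]["action"]) for r in records
            if r["method"] == "POST" and r["params"].get("action") in WRITE_ACTIONS
            and start <= r["time"] <= end]
```

Requests that all share the member's own client and user agent come from that member's browser; a second client asking for the same member ID, or a write request from an unfamiliar client shortly before the post changed, is what deserves a closer look.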

Steve

Has the post creator changed their password? If not, they should.
DO NOT pm me for support!

Ravey76

I will pass on the hint ....

But even if the author's computer was infected by a virus, it does not explain how the malicious code could have been transferred to the forum.

Addendum:
User says: Password was changed, virus scan performed (scan was negative).

Aleksi "Lex" Kilpinen

If I had to venture a guess (without having access to the original post as it was, or the server logs from that time), the most plausible explanation is that there are a few things at play that may or may not have relation to each other.

1) The post was most likely edited. If this was a "true hack", you would see a lot more than just one or two post(s) with hidden backlinks.

2) Number 1 suggests there was a compromised account at play.

3) The account compromised might have been the original poster, or literally anyone with moderation access. Have you checked moderation logs?

4) The suspicious accounts can be from Tapatalk. Tapatalk allows registration in a way that (at least in the past used to) allows bypassing admin set limitations such as admin approval or email confirmation. Tapatalk is bad, and is known to cause issues.

Ravey76

Hello Aleksi,

thank you for your feedback.
You can find the original post here under #7 in the "Code" - I had saved it as a text file.

Regarding point 1) Unfortunately, I can no longer see whether the post was edited - I was probably the last editor when I removed the malicious code. 

On point 2) That is quite possible. The user says his virus scan was negative, but how sure can you be? Nevertheless, the question I have is: how does the malicious code get into the forum from a compromised account?

On point 3) There are no moderators in our forum (apart from me, the admin). For this reason, I had never activated the "moderation logs". Unfortunately, no entries because of this.

On point 4) For security reasons, I have never activated this function, that new users can register with us in the forum directly from Tapatalk. That only works via the website. See screenshot.


Aleksi "Lex" Kilpinen

Sadly this is all mostly speculation, if there are no logs that can show what happened. But a compromised account can simply mean that someone has found out the password, either through a breach somewhere else (and the user recycling passwords), or by brute force. After this, whoever has this information can do anything the original user could. This is also why Steve suggested changing passwords earlier. If the account was breached, there was a risk of losing access to it completely should the bad actors decide to change the account details.

Ravey76

Ok. The user has confirmed that his password has been changed. I'll keep watching to see if something like this happens again and keep you posted.

Thank you for all your feedback.
