Help, files identified as containing malware.

Started by sbartelski, April 17, 2024, 12:47:18 PM

sbartelski

Our server provider has identified a couple of files in SMF that appear to contain malware. Below I attach images of the top of those files. Is this actually malware or is this standard content for these two files? If corrupted, where can I get clean versions (v2.1.4)?

They are both in the avatars folder and are called avatars.php and votes.php

Stefan Bartelski
Webmaster for the Cadillac LaSalle Discussion forums

sbartelski

Good news, I found an old version of our forums on a different server and both those files are empty. So I will clear out this malware.
Stefan Bartelski
Webmaster for the Cadillac LaSalle Discussion forums

Kindred

Not SMF files.

So, the question is, how did they get there.

I would recommend a complete replacement of all files in all directories.


Do you only run SMF on that site?

If so, then delete all files except Settings.php and all directories except the avatars and attachments
(Look closely in those directories for any files except .dat or index.php)
Then load a clean set of files and reload custom themes and mods.

Also, start checking with your host about how those files got there
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
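The "look closely in those directories" step above, as an added example that is not part of this thread or of SMF itself: a small POSIX sh helper that lists everything under the avatars and attachments directories that is neither the index.php placeholder nor a .dat upload, with a constructed sample tree so it can be tried offline. It assumes SMF 2.1's layout, where uploads are stored as *.dat.

```shell
#!/bin/sh
# Added example, not SMF's own code. Lists files under the given SMF upload
# directories that should not be there: anything that is not the index.php
# placeholder and does not end in .dat (SMF 2.1 stores attachments and
# avatars as *.dat). The avatars.php / votes.php files from the thread would
# show up here.

# Usage: find_unexpected_files DIR [DIR...]
find_unexpected_files() {
    find "$@" -type f ! -name 'index.php' ! -name '*.dat' 2>/dev/null | sort
}

# Number of unexpected files across the given directories (trimmed for
# wc implementations that pad with spaces).
count_unexpected_files() {
    find_unexpected_files "$@" | wc -l | tr -d ' '
}

# Constructed sample tree mirroring the thread: index.php stubs, two .dat
# uploads, and two extra .php files in avatars/. Prints the temp root so the
# caller can inspect and remove it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/avatars" "$root/attachments"
    : > "$root/avatars/index.php"
    : > "$root/avatars/1_abc.dat"
    : > "$root/avatars/avatars.php"
    : > "$root/avatars/votes.php"
    : > "$root/attachments/index.php"
    : > "$root/attachments/42_def.dat"
    echo "$root"
}

# When run with directory arguments, report on the real directories;
# with no arguments, walk the constructed sample tree instead.
if [ "$#" -gt 0 ]; then
    find_unexpected_files "$@"
else
    sample=$(make_sample_tree)
    find_unexpected_files "$sample/avatars" "$sample/attachments"
    rm -rf "$sample"
fi
```

Run it as `sh check_uploads.sh /path/to/forum/avatars /path/to/forum/attachments`; an empty result means only .dat files and index.php stubs were found.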

Doug Heffernan

Also a thorough checkup of the server is in order too imo for any other potential infected file(s).

sbartelski

Thanks, I am hoping that they are the only
Quote from: Kindred on April 17, 2024, 12:55:53 PM
Not SMF files.

So, the question is, how did they get there.

I would recommend a complete replacement of all files in all directories.

Do you only run SMF on that site?

If so, then delete all files except Settings.php and all directories except the avatars and attachments
(Look closely in those directories for any files except .dat or index.php)
Then load a clean set of files and reload custom themes and mods.

Also, start checking with your host about how those files got there

In answer to your questions & comments:
1) If not SMF files, why do I see empty files with the same name in an old (Feb 2024) version of the forums?
2) Yes, SMF is the only thing running on this server (shared server)
3) They were discovered by a deep scan of the site by our provider, after I signed up for their protection service. Nothing else was found here, so I am hoping that the files are OK.
4) On the line with the host support desk now to find out how the files got corrupted.

Thanks for the reply, if a rebuild is required, do I just delete everything except the two named files and then re-install with a fresh copy?
Stefan Bartelski
Webmaster for the Cadillac LaSalle Discussion forums

Aleksi "Lex" Kilpinen

No idea where the files came from, but that's a very good question.
You can find all SMF files on our Github if you want to check what is supposed to be there, and what they are supposed to contain though, so you can make sure yourself. https://github.com/SimpleMachines/SMF/tree/release-2.1

What are the 2 files called, and where exactly in the files were they found? EDIT: Sorry, you did mention this but I missed it. Definitely not SMF files, not even compromised SMF files, but completely extra.

It wouldn't be the first time if the actual access point was a completely different account on the same shared environment, but at this point I don't want to point any fingers - Better if you work with your host to try and find out what happened.

https://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

sbartelski

The two files were in the avatars folder and called avatars.php and votes.php. As mentioned above, the "old" (Feb 2024) copy of our forums on a different server had both files in the folder, but they were both empty.

We also had something similar on a different site on the same shared server using Coppermine.

Stefan
Stefan Bartelski
Webmaster for the Cadillac LaSalle Discussion forums

Aleksi "Lex" Kilpinen

Yeah, sorry, I just corrected my post above after I re-read your first post. So, yeah - definitely not part of SMF, but something extra that at this point we don't know where they came from.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Kindred

Coppermine has had a lot of known security issues over the years...

But I suspect these files were dropped onto your server a long time ago and recently updated with a payload... and that implies that you have a script hidden somewhere that lets hackers have access to your system -- and they will probably do it again
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

sbartelski

Thanks for bearing with me. I am now skittish about security, so I was checking the logs. I found a couple of strange (?) entries in the General category. Could these be related?

The file at "/home/dh_p6nj8d/clc-smf-test.dreamhosters.com/Themes/default/scripts/minified_e50ba16bec0f474df1e2a332ee1986a5.js" could not be created. Please make sure the parent directory has the appropriate permissions.

The file at "/home/dh_p6nj8d/clc-smf-test.dreamhosters.com/Themes/default/css/minified_453980f27a263a88ace542e129238578.css" could not be created. Please make sure the parent directory has the appropriate permissions.

Interestingly enough, these entries come from my test forums, a duplicate of the live forums, that I am using to test some changes that we are going to be making.

Any idea why they would be here, and are they evidence of someone messing around in either of these two forums?

Stefan
Stefan Bartelski
Webmaster for the Cadillac LaSalle Discussion forums

Kindred

No, those files are attempting to be created by the forum, as expected... but cannot be created because the permissions won't allow it
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

sbartelski

Quote from: Kindred on April 18, 2024, 10:11:58 PM
No, those files are attempting to be created by the forum, as expected... but cannot be created because the permissions won't allow it

If I change the permissions, will they be created again?

Stefan
Stefan Bartelski
Webmaster for the Cadillac LaSalle Discussion forums

Aleksi "Lex" Kilpinen

Yes, unless you change the settings. There is a setting for that.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

sbartelski

Quote from: Aleksi "Lex" Kilpinen on April 23, 2024, 03:35:29 PM
Yes, unless you change the settings. There is a setting for that.

So do I need them? Which setting, please?

TIA

Stefan
Stefan Bartelski
Webmaster for the Cadillac LaSalle Discussion forums

Aleksi "Lex" Kilpinen

Well, they are designed to make your site load a little lighter, a little faster, but you don't really need them - so if you want, you can try turning them off:
Admin -> Configuration -> Features and Options -> General -> Minimize CSS and JavaScript files.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF