Potential malicious activity on forum that's overdue for update, advice please?

Started by adrimat, February 16, 2025, 10:04:09 AM


adrimat

Hi everyone, I am the reluctant administrator for a small, private forum and I could really use some assistance.

Many years ago I set up a basic SMF forum for myself and a few friends. We didn't need anything fancy, just a private community where we could share stories, advice, and pictures. None of us knew what we were doing, so I wound up becoming the host/admin for the site. I have no experience in this sort of thing, but it didn't seem too complicated at the time. I apologize in advance that I will most likely use the wrong terminology in describing the problem, but I hope you understand. 

When I configured the forum, I set the robots file so it wouldn't be crawled and disabled registrations (anyone who wanted to join contacted me and I would create an account for them and forward them the temporary login credentials, which they could change after joining). We figured that would be the best way to protect conversations that were often personal, and that the site would not attract much attention since it's not public (or even particularly interesting).

Each time I saw that a new version of the SMF software was available, I updated it through the admin panel, until we got a point where that was no longer an option - I think it was SMF 1.0.23. To update the software beyond that point required a download and install, and as an utterly inexperienced admin I wasn't sure how to do that without losing our post history and table structure. One of our friends who was a member has passed away, and for sentimental reasons we'd prefer not to lose his posts when we update.

The version we had was working for our needs and none of us were really sure how to do this, so I've procrastinated on addressing this problem for a very long time. The forum experience has deteriorated significantly since then, to the point where any special punctuation (smart quotes, ellipses, en- and em-dashes) or accented characters cause the entire post to be lost when the user submits it. It's frustrating but we've managed to work around this for a while. I would certainly appreciate your advice on how to update to the latest version while retaining the post history.
 
But the thing that really motivated me to join this morning is a concern about potential malicious activity on the site.

When I logged in this morning, I saw an unfamiliar IP address listed under Who's Online. This happens fairly often with web crawlers, but they stop at the login page.

This IP was listed as "Viewing the admin help pages," and that was a red flag. I looked up the IP (213.180.203.164) and started to panic a bit.

I went to log in to the admin panel to put the site into maintenance mode (honestly I don't know if that would have done what I needed it to do - I know I need to dedicate some time to learning to administer the site properly, but I don't even know where to begin and that's a problem for another day) and was prompted for my password as normal. When I clicked in the box to enter it, a message popped up reminding me that the 'connection is not secure. Logins entered here could be compromised.' (I think this is completely normal, but if the site had been compromised I didn't want to compromise it further.)

Instead of continuing, I logged in to my account with my web host and tried to resolve it from there, but I couldn't make heads nor tails of their instructions.   
 
If anyone could advise me what to do from here - how to confirm that private information hasn't been compromised, how to secure the forum from unwanted visitors, and even how to update the forum software properly, I would be incredibly grateful.

Thanks for taking the time to read, and if I can provide any additional information please don't hesitate to ask!

Doug Heffernan

Quote from: adrimat on February 16, 2025, 10:04:09 AM
how to confirm that private information hasn't been compromised

Can you ask your host to check their logs and see if there was any unauthorised access to your database? That IP address trying the admin help files is nothing to worry about imo.

Quote from: adrimat on February 16, 2025, 10:04:09 AM
If anyone could advise me what to do from here

You need to upgrade your forum and php version too to the latest versions. You are running a very old version of both which have a lot of security issues, not to mention the bugs.

Quote from: adrimat on February 16, 2025, 10:04:09 AM
and even how to update the forum software properly, I would be incredibly grateful.

Have a look at the following link:

Upgrading SMF



adrimat

Hi again! I feel like an idiot, but somehow this didn't go as planned and I'm hoping someone might be able to point out where I went wrong.

I'll note right from the start that I called my web host today but that only seemed to complicate things further. (My forum is hosted as a subdomain of the main site. I don't really use the main site for anything any more, so I wouldn't mind removing it and just hosting the forum, but I haven't even looked at how to do that yet. When I mentioned concerns about security, the rep attempted to add an SSL certificate to the site, and that disabled the forum. I asked him to remove it until I updated everything, and we eventually got it working again so I could try to do the update.)

I logged into the forum and downloaded the table data and structure from the admin panel, then downloaded Smart FTP and backed up all my files locally.

Next, I downloaded the update package (smf_2-1-4_upgrade), extracted the files, and used SmartFTP to copy those files into the SMF folder, overwriting the previous versions.

Everything seemed ok, until I attempted to run the upgrading tool by navigating to the file in my browser.

There's an example given in the update instructions, but mine isn't configured quite that way, so it took a few tries to find the correct path. No matter what I tried, I kept getting a white screen, like it was an invalid address or it had just timed out. I waited and tried a few times, but nothing happened.

I tried returning to index.php (the forum home page) to see if I had different options there, but now that page is redirecting to update.php, and I am getting a message with error code: SSL_ERROR_INTERNAL_ERROR_ALERT.

I tried this in my regular browser and then in private mode, but I seem to be stuck here.

I contacted the web host again (since this is the same error I got when he activated the SSL certificate), and one of his colleagues replied saying that this is outside their scope and I should contact my web developer. Of course, I don't have a web developer.

Do you know what went wrong, or have any ideas how to fix it?

I suppose that for now, I can delete the SMF folder from the site and replace it with the old one, but that doesn't solve the underlying problem... and apart from the security concerns, they're charging me quite a lot for 'extended php support' to keep the outdated version running.

Would it be a better idea to delete the SMF folder completely, do a clean install, and then try to load the table structure and data that I exported? (I'm not sure that's possible, but figured it can't hurt to ask.)

Thanks again for any advice you can provide!

adrimat

Follow-up note: I did try removing all files in the SMF folder and restoring the backed up version, and that worked. From there, I uploaded the new files as I had done before and the same thing happened again - blank page, no response.

Since I knew that I could restore the old version, I deleted everything in the SMF folder and tried doing a full install. Unfortunately, I got the same issue with attempting to run the install.php file (blank screen, no response).

I suspect that this has something to do with the way the site is set up, with the forum as a subdomain. The address we enter to access the forum is something like 'forum dot domain dot com' but once we log in, the URL turns to a string of numbers.

I feel like I followed the directions as written (I'm not suggesting it's NOT user error, it's been a LONG day) but I don't really understand what the host is doing on their side. I put in a request for another callback tomorrow, but I'm worried that I don't know enough about this sort of thing to ask the right questions.

It turns out I'm paying a significant fee for extended php support, which is another reason I don't want to keep using the old version. I'm not sure if any of this helps, but wanted to provide as much information as possible in hopes that it's relevant. 

Chen Zhen


You have to upgrade PHP before running the SMF 2.1.4 upgrade script.

My SMF Mods & Plug-Ins

WebDev

SMF support staff should be shaping a positive community experience & not provoking an argument or emotional reaction.


Kindred

Please note that "viewing the admin page" does **NOT** mean that they were SEEING anything other than an "access denied" message. The who's online list of actions is based on the URL only -- it does not process whether the individual attempting to access that URL completes the action or is rejected.

If I visit your site as a guest and go to index.php?action=admin, you will see me "viewing the admin page" -- but all I will see is a message stating that I am not allowed to access that section.

That being said, there ARE known vulnerabilities in the 1.0.x series....   that was end of life more than 10 years ago - which means that there have been no patches made for any discovered flaws.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
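Kindred's point above is that Who's Online reports the requested URL, not the outcome. The server's access log is where an admin (or their host, as Doug Heffernan suggests) can see what a visitor actually did. The following is an added illustration, not code from this thread or from SMF: it groups constructed Apache-style log lines by client IP, extracts the SMF `action` parameter that Who's Online would have displayed, and flags whether the client ever submitted the login form. The assumption that a login submission appears as a POST to `index.php?action=login2`, the IPs, timestamps and byte counts are all constructed for the example; SMF normally renders its "not allowed" page as an ordinary HTML response rather than an HTTP 403, so the response size is the more useful hint when comparing a denied admin request with a real one.

```python
"""Added example: compare what an access log records with what SMF's
Who's Online would show for the same requests. Not code from the
thread or from SMF. Log lines, IPs and sizes below are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed "combined" log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [16/Feb/2025:09:41:02 +0000] "GET /index.php?action=help HTTP/1.1" 200 8124 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.23 - - [16/Feb/2025:09:41:05 +0000] "GET /index.php?action=admin HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
203.0.113.7 - - [16/Feb/2025:09:50:10 +0000] "GET /index.php?action=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2025:09:50:14 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2025:09:50:15 +0000] "GET /index.php?action=admin HTTP/1.1" 200 24600 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumption: SMF's login form submits to index.php?action=login2.
LOGIN_SUBMIT_ACTION = "login2"


def parse_line(line):
    """Return one request as a dict, or None if the line is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["path"]).query)
    # This is the same piece of the URL Who's Online uses for "Viewing ...".
    rec["action"] = query.get("action", ["(none)"])[0]
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize(log_text):
    """Per client IP: which actions were requested, whether a login form was
    ever POSTed, and the response sizes for requests to action=admin."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        report[ip] = {
            "actions": sorted({r["action"] for r in recs}),
            "submitted_login": any(
                r["method"] == "POST" and r["action"] == LOGIN_SUBMIT_ACTION
                for r in recs
            ),
            # A small body for action=admin is consistent with the
            # "not allowed" page; a large one suggests the real admin panel.
            "admin_bytes": [r["bytes"] for r in recs if r["action"] == "admin"],
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the real access log (which the host normally keeps, even on shared plans), the interesting IP is the one that both POSTs to the login handler and then fetches action=admin with a full-sized response; a client that only ever GETs action=admin and receives a small page saw what Kindred describes. The action-name check is only as good as the assumed `login2` handler, so confirm that against your own log lines before trusting the flag.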

adrimat

I spoke to the web host, and they insist that the problem is with the SMF installation software. Obviously, I don't believe that to be the case, particularly since this call began with the rep asking me to explain what a 'forum' is. Needless to say, it wasn't a good experience.

I backed up all of my files locally, and I also saved a copy on a jump drive to be safe.

The web host downloaded the full install version of SMF 2.1.4 and uploaded it to my web space. They insist that there's a problem with the forum software (missing files?) and said that even after trying PHP v8.2 and 8.3 they can't run the installer.

They told me that they are unable to complete the install, and that all of this is outside their scope anyway so it's up to me to figure it out.

I tried loading the URL for the forum, which led me to the installer - which is farther than I got before, at least. There was a critical error notification saying that I needed to update PHP before I could continue, so I logged in to my hosting account and changed it from 5.4 to v8.3 (recommended).

I clicked "Continue" and the progress bar moved to 10% before giving another critical error. This one says "Cannot connect to the database server with the supplied data. If you are not sure what to type in, please contact your host."

I had asked the rep if I needed to use the ftp credentials I have on hand and he said that I should just leave it as "localhost". When that didn't work, I tried the ftp credentials, only to get a new critical error - "2006: MySQL server has gone away".

I'm at a total loss here. I am actually wondering if I should change web hosts (this isn't the only reason, but it just might be the final push). I feel like this shouldn't be so complicated and they're utterly irritated at being asked to help me sort things out, though they kindly offered to restore a backup of the forum and keep charging me PHP extended support indefinitely.

Any idea what's going wrong here? Could changing hosts make a difference?

I don't want to give up on this and abandon a forum we've been using for 15 years unless there's no other alternative. Apologies for my cluelessness, and thank you again for your help and insights!
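The "Cannot connect to the database server" error above was answered by guessing between "localhost" and the FTP credentials. The values SMF actually uses live in the forum's own Settings.php, which adrimat already has in the file backup. The following is an added example, not code from this thread or from SMF: it reads the database settings (`$db_server`, `$db_name`, `$db_user`, `$db_passwd`, `$db_prefix`, the variable names SMF's Settings.php uses) out of a backed-up copy, reports which are missing, and masks the password so the result can be pasted into a support ticket. The Settings.php excerpt and its values are constructed for the example. Note that the upgrade package's upgrade.php reads Settings.php itself; as Kindred points out in the next reply, the full installer builds fresh tables and should not be pointed at the live database.

```python
"""Added example: recover the database connection settings from an SMF
Settings.php backup. Not code from the thread or from SMF. The sample
file below is constructed; a real one holds a real password."""
import re

# Constructed excerpt of an SMF Settings.php (values are not real).
SAMPLE_SETTINGS = r"""<?php
$boardurl = 'http://forum.example.com';
$db_server = 'localhost';
$db_name = 'example_smf';
$db_user = 'example_user';
$db_passwd = 'it\'s-only-an-example';
$db_prefix = 'smf_';
$db_persist = 0;
"""

# Variable names used by SMF's Settings.php for the database connection.
DB_KEYS = ("db_server", "db_name", "db_user", "db_passwd", "db_prefix")

# One PHP assignment per line: $name = 'single', "double" or bare number;
ASSIGN_RE = re.compile(
    r"""^\s*\$(?P<name>\w+)\s*=\s*(?:'(?P<sq>(?:[^'\\]|\\.)*)'"""
    r"""|"(?P<dq>(?:[^"\\]|\\.)*)"|(?P<num>-?\d+))\s*;""",
    re.M,
)


def _unescape(value):
    """Undo the backslash escapes PHP allows inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", value)


def read_db_settings(settings_php):
    """Return (settings, missing): the db_* values found in the file and the
    list of expected keys that were not present."""
    found = {}
    for m in ASSIGN_RE.finditer(settings_php):
        name = m.group("name")
        if name not in DB_KEYS:
            continue
        if m.group("num") is not None:
            found[name] = m.group("num")
        else:
            raw = m.group("sq") if m.group("sq") is not None else m.group("dq")
            found[name] = _unescape(raw)
    missing = [k for k in DB_KEYS if k not in found]
    return found, missing


def redacted(settings):
    """Copy of the settings with the password hidden, safe to share with a host."""
    safe = dict(settings)
    if "db_passwd" in safe:
        safe["db_passwd"] = "*" * 8
    return safe


if __name__ == "__main__":
    settings, missing = read_db_settings(SAMPLE_SETTINGS)
    print(redacted(settings))
    if missing:
        print("missing from Settings.php:", ", ".join(missing))
```

`$db_server` is the MySQL host the forum has been connecting to all along (often, but not always, "localhost" on shared hosting); the FTP host and login are a different service and will not work here. If the host has since moved the database, the value to ask them for is the replacement for `$db_server`, not a new FTP account.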

Aleksi "Lex" Kilpinen

Glory to Ukraine!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Kindred

Also... DO NOT use the "full install" package; that will ERASE your existing database.

You need the UPGRADE package

Also, you should be using PHP 8.2 -- 8.3 is not fully supported for 2.1.4 last time I checked.

But yes,  changing hosts will definitely help.

I recommend ICD Soft, although others support Crocweb
