TinyPortal

Development => Support => Topic started by: scott_t on January 16, 2013, 06:46:12 PM

Title: Found some malware in tp-images...
Post by: scott_t on January 16, 2013, 06:46:12 PM
Hello,

Link to my forum: http://www.true-grit.org
SMF version: SMF ver. 2.0.2
TP version: TP ver. 1.1.0.5?!?!?! Not sure this is latest?
Default Forum Language: english
Theme name and version: inferno
Browser Name and Version: ff/chrome
Mods installed: Mods listed here
Related Error messages: Was 404 not really tp issue

I've run an SMF/TP forum for 6-7 years now. It was a YaBB forum for years before that. Last week things went wacky and my host did a restore. I fully thought that it was all my host making mistakes and goofing things up. Now I am not sure.

After they restored my data, intermittently I'd have permissions mysteriously change on index.php or my htaccess would go funky causing 404 errors....

Today after going back and forth with them asking how files mysteriously change, they sent me back this as suspected malware---

{HEX}php.cmdshell.cih.215 : ./smf/tp-images/File/1q.php.pjpg
{HEX}php.cmdshell.unclassed.344 : ./smf/tp-images/File/cron_php.gif
{HEX}php.cmdshell.cih.215 : ./smf.back/tp-images/File/1q.php.pjpg
{HEX}php.cmdshell.unclassed.344 : ./smf.back/tp-images/File/cron_php.gif

I deleted it. Not sure if it was or wasn't but just wanted to post it here as an FYI.

My board is so old I think I am going to start it all over from scratch, new SMF install, new TP install, just to clean out a decade of crap from my /smf directory.

Not really asking a question here, just food for thought about this tp-images/File directory......I never made a File directory? Is it stock TP?

Thanks and regards,
Scott
Title: Re: Found some malware in tp-images...
Post by: ZarPrime on January 16, 2013, 08:25:09 PM
To answer your question, there should be no folder called "File" in the /tp-images/ folder on your site, nor are there any files with the names you mentioned included with the TinyPortal distribution archive.

I would definitely say that your site has been hacked with some php exploits by someone.  Who that might have been, or when it might have happened is anyone's guess.  If those files were only in the backup, it would stand to reason that your host's server had been hacked.  Since they were in your main folder though, they could have been there for a while and just taken some time to manifest themselves.

There may be more of an infection than just those 4 files.  In other words, some of your other files, especially if they contain some base64 code, would be suspect as well.  One other thing that might be of interest to you is this -->  If you have any other folders in your root folder for software other than SMF, the infection could also be in there, especially if those other folders are for software that uses php, like blogs, FAQ systems, etc., so you should be aware that everything on your site should be considered suspect.  You may be able to source out where and when the exploits were uploaded to your site by doing some extensive searching in your site Admin logs.

ZarPrime
Title: Re: Found some malware in tp-images...
Post by: scott_t on January 16, 2013, 08:39:55 PM
Right on Zar.

I was thinking the same. I do have wordpress also...But what is odd is there have been no issues with any of the 4 instances of WP. Only SMF....And I really think the exploit was there festering a while. Like maybe a year or over. I had some odd issues with SMF and just an ungodly amount of spam/error logs in SMF...Then with the last 2.03 they seemed to slow....This is pure guessing.

I am planning a fresh install of everything. New SMF, new TP, and totally delete the entire SMF install...I'm just trying to plan it out still.

A 10 year old forum collects a lot of junk over the years. I'm finding so much crap poking around, I think I may be a digital hoarder...Actually I am certain I am....Ooooph

Scott
Title: Re: Found some malware in tp-images...
Post by: ZarPrime on January 16, 2013, 08:54:19 PM
Quote from: scott_t on January 16, 2013, 08:39:55 PM
I am planning a fresh install of everything. New SMF, new TP, and totally delete the entire SMF install...I'm just trying to plan it out still.

A 10 year old forum collects a lot of junk over the years. I'm finding so much crap poking around, I think i may be a digital hoarder...Actually I am certain I am....Ooooph

Scott

Scott, that's probably a good idea and, BTW, I think I'm kind of a digital hoarder as well.  Unfortunately, it doesn't take too long to accumulate some pretty nifty things on the internet. :o I would definitely download (FTP) a copy of your Wordpress folder to your computer and start looking for some of these strange looking files as they could easily have migrated from the SMF folder to the WP folder or vice versa.  Who knows, this may have started when someone uploaded the exploits to the WP folder.  Good luck Bro' and let us know how it all comes out.

ZarPrime
Title: Re: Found some malware in tp-images...
Post by: scott_t on January 16, 2013, 10:58:52 PM
I get a little weak here and need a hand.

I know to backup my DB and have done that...But which SMF/TP directories do I need?

That being said do I need any of them or is the DB really all I need? I say that because I really do not want to use ANY of my old SMF install and want a fresh start. Like I said this was a YaBB forum and about every version of SMF since 1.x....It's collected a ton of crap.

Is there a start from scratch with just the DB, keeping my users and posts?

Thanks,
Scott
Title: Re: Found some malware in tp-images...
Post by: Maxx1 on January 17, 2013, 12:45:38 AM
But first I would uninstall and delete all the stuff you do not need, and stuff you want, make sure they have current updates!

If you want to mimic your current install, save your settings.php also, so you may go with the same DB.
Do a 2.0.2 version, then update to 2.0.3 after you change over your DB to the one you saved, by overwriting the settings.php file with the one you saved.

If you find any files that are not in the SMF package you could download them and scan or delete them, the TP you can get a fresh copy here and any other mods from the SMF mod site, or themes if their versions are current. Note most 2.0.2 themes will work with 2.0.3, in most cases... and the less mods the better off you are.

Hope your DB tables are cool, you can check these first off from the Admin maintenance function in your SMF control panel.... take your time, if you need help please let someone know! ( go through the steps there ) optimize and check for errors before you download the backup copy!

regards,
Maxx

Title: Re: Found some malware in tp-images...
Post by: scott_t on January 17, 2013, 01:30:13 AM
Thanks Maxx,

Questions. I am going through optimize via SMF. Do I need to do optimize tables through phpMyAdmin as well? I'll backup through phpMyAdmin also. Any tips I need to be aware of?

So is there any reason to back up any SMF files other than settings.php? Maybe user uploads or avatars?

Thanks,
Scott

Title: Re: Found some malware in tp-images...
Post by: IchBin on January 17, 2013, 03:06:01 AM
Scott, a few things here you probably want to know. There was an exploit in TP back in TP 1 RC1. This exploit allowed someone to upload a file in one of the TP directories that allowed the hacker to use their file to gain access to the server. This was fixed in RC1.2. The two things I did to fix this were to make sure no scripts like this could be uploaded with the function it was using, and to also put an .htaccess file in the said directory to keep any files (like PHP) from executing. I would wager that this is likely what happened to you quite some time ago, only when you upgraded to TP 1.0 RC3, which is what you are on, this negated the hack that was placed on your server.

If I'm wrong, and that is not what happened it is also possible that a hacker has gained access to another site on the same server you are on, and then they were able to push files out to other sites on that server like yours. Either way, those are the possibilities.

From what you want to do now with wiping away everything fresh I would suggest doing things in this order.

1. Take a backup of all your files and database, just in case you find out you need something later. The most important directories in SMF would be attachments and avatars. This will keep all the attachments in your forum available and the avatars that people have uploaded. The most important directories in TP are the tp-images, tp-downloads, and tp-files directories. These folders hold any images uploaded with articles/downloads etc. The rest of the TP folders and files will be replaced when you update or upgrade. One thing to beware of, don't use an FTP program to download all the attachments. SMF encrypts the files by removing the extension of the file. Downloading them with an FTP program often corrupts the files because the FTP program tries to treat them differently. Make sure to use CPanel or whatever control panel they give you and zip up the folder that way. Otherwise you need to make sure your FTP program downloads them using the binary option for encoding.
2. After the backup, you should be able to delete all the files and folders in your SMF folder except the Settings.php file. This is the file you use in the clean upgrade.
3. Download and unzip the Large Upgrade package from SMF into your forum directory. Run the upgrade.php and it will update your forum to the latest version of SMF.
4. Install TP and any other mods you have.
5. Put any files that you want back onto your site from the attachments, avatars, tp files back on your server.

As far as your last question about optimized tables, either option you use is fine. No need to do both though. :)
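The two defensive points in this thread, spotting image-named files that are really PHP (the 1q.php.pjpg and cron_php.gif pattern from the host's scan) and the .htaccess that keeps an upload directory from executing anything, as an added example that is not TinyPortal's or SMF's code. It assumes Apache 2.2-style access control with mod_php, and the sample upload files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not TinyPortal or SMF code. Assumes Apache 2.2-style access
# control and mod_php; adjust the .htaccess block for other setups.
# Create a throwaway directory with constructed sample uploads: two benign
# image headers and two PHP files hiding behind image extensions, mirroring
# the names the host's scanner reported. Prints the directory path.
make_sample_uploads() {
    d=$(mktemp -d)
    printf 'GIF89a\001\000\001\000' > "$d/logo.gif"
    printf '\377\330\377\340JFIF' > "$d/photo.jpg"
    printf '<?php echo "not an image"; ?>' > "$d/1q.php.pjpg"
    printf 'GIF89a<?php echo "polyglot"; ?>' > "$d/cron_php.gif"
    printf '%s\n' "$d"
}

# Print every file under $1 that carries ".php" before its final extension
# (double extension) or starts with a PHP open tag despite an image extension.
# Only the first 512 bytes are read, so large images cost little.
scan_uploads() {
    find "$1" -type f \( -iname '*.php.*' -o -iname '*.gif' -o -iname '*.jpg' \
        -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.pjpg' \) |
    while IFS= read -r f; do
        case "$f" in
            *.php.*) printf '%s\n' "$f"; continue ;;
        esac
        if head -c 512 "$f" | grep -q -e '<?php' -e '<?='; then
            printf '%s\n' "$f"
        fi
    done
}

# Write an .htaccess into $1 so nothing uploaded there runs as PHP. The
# FilesMatch is unanchored on purpose, so name.php.pjpg is denied too;
# php_flag switches the interpreter off for the directory (mod_php only; with
# php-fpm set this in the server config, and on Apache 2.4 use "Require all denied").
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])">
    Order Deny,Allow
    Deny from all
</FilesMatch>
php_flag engine off
EOF
}

# Usage: sh scan_uploads.sh /path/to/smf/tp-images
if [ $# -gt 0 ]; then
    scan_uploads "$1"
fi
```

Run it against tp-images, tp-files and the SMF attachments folder before restoring them into a fresh install; anything it lists should be inspected rather than copied over.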
Title: Re: Found some malware in tp-images...
Post by: scott_t on January 17, 2013, 04:35:19 AM
Thanks a lot IchBin.

I'm frustrated a bit over it, mostly with my crappy host. I asked to be rescanned after I deleted the offending files...And I do not think they ever actually did because at 10:30 tonight, my index.php lost permissions again....I could not change them back to 644, but could rename the file. I uploaded a backup and that allowed me to reset permissions..So this may not have been the exploit you fixed in TP 1.0 RC3.

I've been deleting stuff out of my public_html directory all day. Old g2 installs, old smf, backups from years back, just to get rid of the junk that confuses things and could potentially house some malware.

Even with all that the index.php was hit again. I asked host to rescan me and the entire server. I will be doing more deletions tomorrow and am running some backups tonight. I just have as I mentioned amassed a ton of crap so the more I delete the more I don't have to backup.

I will scan this first swing at a backup tomorrow when it finishes downloading.

Again thanks for all your years of support. It is appreciated.
Scott

Title: Re: Found some malware in tp-images...
Post by: scott_t on January 20, 2013, 03:59:07 AM
OK,

I'm still dragging my feet on this fresh install. I think I have a way to do it that seems safe to me, but need some opinions:

Right now I have an index.htm file that points to my SMF directory /smf, so SMF can be in any directory; it is not in my root.

Can I take my settings.php, TP folders (tp-images, tp-downloads, and tp-files) as well as attachments folders and move them to a new directory, say /forum?

Then do the large upgrade there. If everything runs fine, update my index.htm to point to the new SMF directory, /forum

Then delete the old /smf directory

And if the large upgrade goes badly, couldn't I fall back to the and files at /smf

Seems like a safe way to upgrade?

Opinion? Any help appreciated!

Thanks,
Scott
Title: Re: Found some malware in tp-images...
Post by: scott_t on January 20, 2013, 01:49:52 PM
Well I followed the above and errored right out. Maybe because I have settings.php in there? But that makes no sense as this is a whole new directory?

Updating Your SMF Install!
The upgrader found some old or outdated files.

Please make certain you uploaded the new versions of all the files included in the package.
Title: Re: Found some malware in tp-images...
Post by: IchBin on January 20, 2013, 05:29:03 PM
The Settings.php file has the paths set inside of it. If you move it to a new directory you need to change those paths to reflect the new directory path.
Title: Re: Found some malware in tp-images...
Post by: Skhilled on January 20, 2013, 06:10:11 PM
I suggest using repair_settings.php so it will reset all SMF paths for you.

http://download.simplemachines.org/index.php?thanks;filename=repair_settings.php

Upload it to your root forum directory and run http://your_forum.com./repair_settings.php
Title: Re: Found some malware in tp-images...
Post by: scott_t on January 20, 2013, 06:27:16 PM
Upgraded...And running mean and lean.....Working through minor things, but WHOO HOO>>>>>>>>

Thanks guys, will report back in a bit.

ST