
8: Undefined index: dhhag

Started by FUBAR, September 20, 2008, 03:54:53 AM


FUBAR

I've been in contact with my host twice today. They have just redirected me to the provider of the original script that was exploited (SMF). I asked if they could give me any info on who/when/how and they said it's beyond their scope.

Do you know if the FCKeditor is part of SMF or TinyPortal?

G6Cad

What host do you have? An answer like that from them would make me change host.
It's in their interest to find out more instead of sending you to other places.

Tell them you need the info to file a hack report on SMF.

IchBin

If your host is blaming SMF, then they should be able to tell you why. Otherwise, the proof is in the pudding. They need to show you how it happened or at least give you some information on how they "think" it happened. I'm with G6 here, any host worth their money should be able to tell you what happened.

FUBAR

I do agree with both of you and think they should have been able to give me more information.  Although, I can't really expect them to be on top of every exploit out there either.  I've been with them for a long time and have received good service in the past. 

In the meantime I've run a backup on my forum and deleted the files from this post prior to running the backup. I'm sure it's these files that created the issue because I tried running a backup with these files still on the host and the problem happened again. (I forgot to delete them the first time. :( )

After I deleted the files and uploaded my backup, my forum seems to be running fine and error free. 

I just have to back up my other PHP scripts as well because those files were affected as well.

----------------------------

As to the exploit, I think it's because either TinyPortal or SMF is running an outdated version of the FCKeditor, which is version 2.3.2 Build 1082. The current version is Version 2.6.3 and has "Important security fixes have been applied to the File Manager, Uploader and Connectors. Upgrade is highly recommended.".

Thanks again for the help ZTM, IchBin and G6.

IchBin

I don't expect them to know every exploit either. But I do expect them to actually find out why their servers have been compromised. Ambiguously blaming a piece of software without anything to back it up is ignorant.

Personally, I don't use any editors. But yes, I agree it sounds like an editor exploit which could be fixed possibly by updating the FCK editor. I'm not sure if TP modifies any of the files though, so I'm not sure if you could just arbitrarily put the new version in place without having to modify anything.

supert3d

Heya guys,

Just to give you an update. I got hit with exactly the same problem. Every PHP page on my domain has been injected with base64 code.

I decoded it here so people can see what it is doing. (It uses echo() now and doesn't eval(), so no code is executed.)

You will note that it modifies this file:
/js/tinymce/themes/advanced/images/xp/js.php

On opening this file I note that it has been completely modified to base64, some 1000 lines, and has been base64_encode() twice for obscurity. I have decoded it to here.

Note the line "INJECTING PHP FILES". This is quite blatantly an exploit. It's my own fault. I was running an older version of WordPress on my sister's website that no doubt is using an older version of the TinyMCE WYSIWYG.

Just be warned!


TinkyWinky

Hello everybody
I have just registered here because I have the same problem: copper.php, one injected line in every .php file and thousands of files with HTML code which are included in every page of mine. These files contain spam links (viagra, porn...) and these links are all invisible to visitors of the site, but when I look at "view page source" they are there in an "invisible" div tag:
<div style="position:absolute;left:-74402px;top:-56110px">


I deleted all these files, but the first line (base64 code) of all my .php files should also be deleted and it's a big job. Do you have any idea how I could do it?


IchBin

You'd have to write some sort of script to go through and open the files, and then delete the offending lines that you don't want there any more. It really is out of scope for this site as we are not a server scripting site. Best thing you could do is restore from a backup that is not infected.
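
A sketch of the kind of cleanup script described in the reply above, added here as an example and not written by anyone in this thread. The thread never shows the injected line, so the pattern (a leading `<?php eval(base64_decode('...')); ?>` block) and the names INJECTED and clean_tree are assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

# ASSUMPTION: the thread never shows the injected line. This pattern assumes a
# self-contained PHP block at the very start of the file that only eval()s a
# base64_decode()d string literal. Adjust it to the line actually found.
INJECTED = re.compile(
    rb"""\A<\?php\s+@?eval\s*\(\s*base64_decode\s*\(\s*(['"])[A-Za-z0-9+/=]{20,}\1"""
    rb"""\s*\)\s*\)\s*;\s*\?>[ \t]*\r?\n?"""
)

def clean_tree(root, backup_dir=None):
    """Report *.php files under root that start with the injected block.

    With backup_dir=None this is a dry run. Otherwise each infected original is
    copied to backup_dir (keep it outside the web root) before being rewritten.
    """
    root, hits = Path(root), []
    for path in sorted(root.rglob("*.php")):
        data = path.read_bytes() if path.is_file() else b""
        match = INJECTED.match(data)
        if match is None:
            continue
        rel = path.relative_to(root)
        hits.append(rel.as_posix())
        if backup_dir is not None:
            saved = Path(backup_dir) / rel
            saved.parent.mkdir(parents=True, exist_ok=True)
            saved.write_bytes(data)               # evidence and rollback copy
            path.write_bytes(data[match.end():])  # drop only the injected block
    return hits

if __name__ == "__main__":
    # Constructed sample tree: harmless placeholder payload, not real malware.
    blob = base64.b64encode(b"/* constructed placeholder payload */").decode()
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as backups:
        index = Path(site) / "index.php"
        index.write_text(f"<?php eval(base64_decode('{blob}')); ?>\n<?php echo 'home';\n")
        (Path(site) / "clean.php").write_text("<?php echo 'untouched';\n")
        print("would clean:", clean_tree(site))      # dry run, nothing written
        print("cleaned:", clean_tree(site, backups))
        print(index.read_text(), end="")
```

Run it first without a backup directory and review the list, since some legitimately encoded scripts begin the same way. It only removes the leading line; dropped files such as copper.php and the modified js.php still have to be found and removed separately.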
