8: Undefined index: dhhag

[Zetan]

Do you think this could be related? 

I'm no expert, but I don't think so. You can ask for support at the FCK forums, they do have one. While TP use the editor, we don't provide any support for it.

[G6Cad]

I will point Bloc to this topic so he can check it out.

[FUBAR]

One last thing I noticed was all the .php files on my site have been modified on the same date 18/09/2008.

I have not done any editing in a long time and there's no way I modified every php file on the same day.  So this must be the day my site was hacked or when this happened.

Thanks again for the help.

[Zetan]

  So this must be the day my site was hacked or when this happened.

So your site has been hacked? If thats the hack, it serves no purpose that I can see.

[dafunky]

Hello, I'm encountering similar errors...

Link to my site: http://www.motostrada.fr/forum

SMF version: SMF ver. 1.1.6 (Upgraded recently from 1.1.5)
TP version: TP v0.9.8
Theme name : New Damage
Mods installed:

1.    SMF 1.0.14 / 1.1.6 Update   
2.    TinyPortal    0.9.8   


Related Error messages:

8: Undefined index: dhhag
Fichier: /forum/Themes/Aa_New_Damage_1/Display.template.php (eval?)
Ligne: 1

8: Undefined index: dhhag
Fichier: /forum/Themes/default/Printpage.template.php (eval?)
Ligne: 1

8: Undefined index: dhhag
Fichier: /forum/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php(1) : eval()'d code(1) : eval()'d code
1

Thanks for your help, I can't say when it appeared...

[IchBin]

Looks like an exploit to me. If all your files have been touched at the same time and have the same code in it, it definitely sounds like an exploit. Whether it is in the the editor or some where else remains to be seen. You need to ask your host for more info and give them the date that it happened. Ask them to look into it as well.

[FUBAR]

@ dafunky - Can you check and see if all of your .php files on your site have been modified.  You should see a large portion of code at the top of all the.php files above the <?php. 

To check what day you could FTP to your site and see when the files were modified. 

If this code has been added to your pages as well then it's most definitely an exploit.

@ IchBin - I'll let me host know about it tonight and see what they say or can do.

[dafunky]

Yes, I can confirm that I can see the same code than your in the header of my php files.
OVH is my host.

[FUBAR]

Ok, so it's not just me.  Thanks for looking into that DaFunky.

I just got off the phone with my host and should be able to run a backup from Sept 11.  I don't think this exploit has affected my database and would like to restore my posts and members registered after the backup is completed.  

If this is something I should direct to SMF I can post this there.  
 
Edit: Also just noticed my error log is 12,000 pages long and it was just cleared last night.  LOL

[IchBin]

You need to try and get the information from your host on where/what/when/how the exploit happened. And whether this exploit touched your database or not, make sure you change your password for the database as it could have been compromised. If your host blames SMF, then submit a security report to SMF and give them your access logs for your site.