Simple Machines Forum is a really great free and open source script for running a forum. There were some vulnerabilities in earlier versions, however, and a forum I run seems to have fallen victim to one such attack. A user under the name ‘krisbarteo’ was able to register, then create an avatar picture which somehow gained him access to editing some of the SMF script files. A one-line string, obfuscated with Base64 encoding, was added to the top of each of these files. It looked like this (the actual code is a very long string and has been cut short here):
<? /**/eval(base64_decode('aWYoZ … … fX19')); ?>
This caused the PHP to emit a bunch of links in hidden HTML so that certain Google search hits to my site would redirect to the spammer’s sites.
Fixing the issue took a while, but only because so many pages had been infected. I got bored of opening each page and made a regex search using grepWin to mass-delete the string:
^(<\? /\*\*/eval\(base64_decode).*\s*<\?php
and replace with:
<\?php
I found a program called Regex Coach which was invaluable for this.
I can only say that it worked for me, of course, and if anyone else is going to try it then they should make a backup.
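The same search-and-replace can be scripted. The following Python sketch is an added example, not part of the original post or of SMF: it applies the search pattern above to every .php file under a directory, keeps a .bak copy of each file it changes, and lists files that still contain an eval(base64_decode( call for manual review. The function names, the LEFTOVER pattern and the sample files are constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# The post's search pattern, on bytes so files are rewritten without re-encoding.
# Without re.MULTILINE, ^ matches only at the very start of the file.
INJECTED = re.compile(rb"^(<\? /\*\*/eval\(base64_decode).*\s*<\?php")
# Assumption for this example: any remaining eval(base64_decode( deserves a manual look.
LEFTOVER = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")


def clean_text(data):
    """Return (cleaned_bytes, changed) after stripping the injected first line."""
    cleaned, count = INJECTED.subn(b"<?php", data, count=1)
    return cleaned, count > 0


def clean_tree(root):
    """Clean every .php file under root, backing up each changed file as <name>.bak.

    Returns (cleaned_file_names, file_names_needing_manual_review).
    """
    cleaned_files, review = [], []
    for path in sorted(Path(root).rglob("*.php")):
        cleaned, changed = clean_text(path.read_bytes())
        if changed:
            shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_bytes(cleaned)
            cleaned_files.append(path.name)
        if LEFTOVER.search(cleaned):
            review.append(path.name)
    return cleaned_files, review


def demo():
    """Run the cleaner against constructed sample files in a temporary directory."""
    injected = b"<? /**/eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>\n"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(injected + b"<?php\necho 'forum';\n")
        (root / "clean.php").write_bytes(b"<?php\necho 'ok';\n")
        (root / "odd.php").write_bytes(b"<?php\n$x = 1; eval(base64_decode($y));\n")
        result = clean_tree(root)
        body = (root / "index.php").read_bytes()
        return result, body, (root / "index.php.bak").exists()


if __name__ == "__main__":
    print(demo())
```

Files in the review list did not match the injected-line pattern at the top of the file, so they are left untouched and need to be inspected by hand.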
More details on the fix are here:
http://www.simplemachines.org/community/index.php?topic=338877.0
Figuring out how to do a regex search led me to this java regex string testing site:
http://regexpal.com/
Also, this site is very good at explaining regex expressions:
http://www.regular-expressions.info/completelines.html
Posted in Programming, Software, Troubleshooting.
By Ryan
September 27, 2009