I think I have been hacked, I'm not sure, how do I check?
The best way to check is to open up a few of the Source files (the files located in ./Sources) and see if there is any trace of base64_decode. If there is, there are a few utilities and steps that help users to recover their SMF installation. Another method is the kb_scan.php tool, which is explained later in this documentation.
I am sure I have been hacked...what do I do now?
First of all, keep calm. When the user has been hacked, there are a few simple steps he/she can perform.
- Backup your database.
One of the most critical steps is to make backups of the whole SMF system, including the database. If the user has not yet made a backup of the database, he/she should do right now. If something goes wrong, you always have a backup at hand.
- Run the kb_scan.php tool.
Simply upload this to the forum directory (the directory where SMF is located) via FTP (File Transfer Protocol, How do I use FTP?), and run it in the browser of the user's preference. The kb_scan utility will find infected files and will also try to recover them.
- Re-upload SMF files.
Download a Large Upgrade Pack (Go to the download site) for the version of SMF that the user is running. Upload every file in the package, except the files required for upgrading (usually just Upgrade.php and a few SQL files), using FTP (How do I use FTP?, note that uploading may take a while). Now the user has fresh files and can use their forum safely again.
- File a security report with SMF.
If your forum was breached via a security weakness within SMF or an SMF mod, and not via a weakness in a non-SMF script, report it to the staff so the mod can be investigated or the hole patched. Please report Security issues here
I have cleared my hacked SMF installation, how can I prevent this from happening again?
Using the kb_scan.php tool the user can keep their files safe. The user can also install a security modification (Go to the modification site) to enhance the forums security level. Depending on the modification's features this can be more or less active against hackers.
It is also important to make sure you notify your host when you have been hacked so they can make sure no other servers have been effected. When you report the hack to your host you should also ask them to check their logs to see who might have had access to your server, and get them to check your file permissions as with some low quality hosts incorrect file permissions can leave files open for easier hacking.