I’ve done an audit on the files of phpugph.com’s SMF board and found that a certain user who’s only identity is krisbarteo@gmail.com using the IP 94.142.129.147 appended spam links to the Settings.php of SMF.
I’m no security expert, but I think what he did was he uploaded an avatar with a PHP code inside it, found a server/script exploit and ran it. I opened up the avatar (after looking for it for hours) and found this code (see below screenshot). Then he launched the attack from there appending malicious links on a file that is being included everytime SMF draws a page.
A quick Diff on SMF’s base files and our SMF files revealed that a new readme.php was created. And it contained the following:
Decoding that garbled texts reveals that readme.php was run on the browser and that was the main cause of appending links on the Settings.php.
I am still baffled by the fact that some people would do such things. Disrupt service for profit? Well, as forĀ krisbarteo, yes you’ve succeeded in doing that. Then what? Happy now? If you only have used that smarts and skills on the good stuff, you’d probably be rich by now.
To all PHPugers, we hope that this thing doesn’t happen again even if we all know that the Internet isn’t safe from these crackers. It’s all good. For now.