SMF :: 1.1.9 and 2.0 RC1-1 released (May 20, 2009)

Jason · May 20, 2009, 11:12:03 PM

This update should be top priority for everyone:

http://www.simplemachines.org/community/index.php?topic=311899.0

Jason · May 20, 2009, 11:29:24 PM

By the way, I applied this to two sites (1.1.8 and 2.x) and it took about 3 minutes combined to patch both.

I've been reading/following the issues that can happen if this isn't patched and I strongly recommend upgrading as soon as you're able.

Mark · May 21, 2009, 12:09:00 AM

Download update package, install it, done. Easy.

Jason · May 26, 2009, 10:53:52 PM

The Simple Machines Team has recently identified and patched an attack against all versions of SMF. The development team has fixed the underlying issue to ensure this type of attack can not re-occur. SMF 1.0.17, SMF 1.1.9 and SMF 2.0 RC1.1, have been released as a result.

Symptoms of an infected forum may include:

* A member with a very small (1x1 pixels) white avatar with .jpg extension
* Random spam links in the theme that can be found by viewing the source in your browser
* An extra theme being added to the database, usually with ID = 32

To better aid our users, we have created a tool to enable clean up of an infected site. This tool can be run on any SMF forum. It should remove the infection code from any files that happened to be hit. It also raises flags on the following possible files/matches:

* Those mentioned in the exploit source
* Fully numeric .php filenames
* No-extension filenames (doesn't match directories)

If you are not sure if you have been hit, please do try out the tool. If you feel you are still infected after using the tool, please create a support topic for one of our support team to assist you.

You can find the updates at http://download.simplemachines.org/

Thank you,
The Simple Machines Team

To use this file:

* Make a backup of your forum's files and database. If you do not know how or are not allowed, ask your host for help.
* Upload the file (found in the link below) to your forum's directory (alongside SSI.php and index.php)
* Open the file in your browser (http://www.yourforum.com/kb_scan.php)
* If any rows are red, they're exploited. Click the "click here" link to attempt to fix them.
* If any rows are orange, they might be from the infection. These are not files from a default installation of SMF, and they match those that the infection might create. Be careful when deleting these, though!
* Green rows are safe

* If a database infection was found, a box will pop up telling you so. Check your {db_prefix} themes table for anything with an id_theme of 32, or a value starting with ./ or ending with \0 or a diamond. These might be rows that were affected by the attack. Add ?noquery to the end of the URL if the database check is timing out, and it won't scan it for you.

http://www.simplemachines.org/community/index.php?topic=313201.0

rebelsgirl · May 30, 2009, 08:11:36 PM

Jason, or someone who can help me. I'm not sure what I should do here? I downloaded the package to my computer. First I tried to upload it from package manager but it tells me it's empty and there are no packages to browse
When I try to upload it directly from the package manager it tells me this:

QuoteAlthough the package was downloaded to the server it appears to be empty. Please check the Packages directory, and the "temp" sub-directory are both writable. If you continue to experience this problem you should try extracting the package on your PC and uploading the extracted files into a subdirectory in your Packages directory and try again. For example, if the package was called shout.tar.gz you should:
1) Download the package to your local PC and extract it into files.
2) Using an FTP client create a new directory in your "Packages" folder, in this example you may call it "shout".
3) Upload all the files from the extracted package to this directory.
4) Go back to the package manager browse page and the package will be automatically found by SMF.

Am I suppose to FTP the whole folder to change the one that is already on my forum or just the contents of what is IN the folder?

I know I should know what to do, but since my surgery, my meds make me a little muddled in the head. Can anyone please kinda give me step by step directions? I have my FTP open now but I am so confused as to what to do.

Thank you!!!
Kim

Jason · May 30, 2009, 08:48:59 PM

How big is the file you downloaded? Is it empty by chance?

If you doubleclick it on your computer, does it open and show you files inside?

rebelsgirl · June 01, 2009, 03:32:55 PM

The file I downloaded has attachments folder, sources folder and index.php and there are things inside the folders. The file I downloaded is called modified_2-0-rc1_2-0rc1-1

If I upload the folders thru FTP it overwrites what is already inside those folders. I know I'm making this harder than is seems. I've never had a problem understanding how to update my files. But I just had a mastectomy and have been on some meds and my brain is not functioning right, right now.

thanks for any help. I'd like to get my forum fixed so it doesn't get hacked.

oh, and the folder is 239kb in size

Jason · June 01, 2009, 04:42:33 PM

Yes, you would upload those files overwriting the existing ones. (Backup your forum first if you want an "insurance policy")

You also might have to get the updateDatabase.php file (if it's not included) and run it to have it do a db update.

rebelsgirl · June 02, 2009, 03:15:08 PM

Gosh, I am so sorry for making that seems so hard. It took me about 3 seconds.. lol I had to update using my FTP because package manager wouldn't let me upload it thru there.

fmofmpls · July 10, 2009, 07:50:44 AM

Hi Jason. Do you think upgrading a live forum to SMF 2.0 is safe to do? Is it stable enough by now? I've been itching to take the plunge from 1.9. Your advice?

BTW, on a completely embarrassing note, how do I upload an avatar at this forum? It seems I can't find the option to use my own pic? I've looked a thousand times in "modify profile" and can't seem to find any option to do so. $:-\$

Best, Terry.

Jason · July 10, 2009, 10:31:23 AM

Hi Terry,

I have avatar uploads disabled. That's one of the compromises the past SMF releases fixed and I've always avoided enabling that partially for that reason.

I turned on external avatars for "charlottezwebbers" just now so you should be able to link to your avatar on your own account if you want.

As for 2.x -- I would say it depends on a few things. Personally, I'd say go for it as long as you back up *everything* first just in case. The one thing that might prevent you from upgrading would be if you use any mods, customizations or themes that aren't set yet to work with 2.x.

I have been running 2.x here ever since it was very first released to charter members so I never follow the "don't use on a production site" rule. Of course, it's not like the forum here gets a lot of traffic compared to other forums I host.

As long as you backup first, it never hurts to give it a shot. You can always restore what you had previously if it comes to that.

Hope that helps!

fmofmpls · July 10, 2009, 09:25:18 PM

Quote from: Jason on July 10, 2009, 10:31:23 AM
I turned on external avatars for "charlottezwebbers" just now so you should be able to link to your avatar on your own account if you want.

Thanks for the info Jason.

BTW, I tried linking to my avatar at ImageShack but came up with the following error:

Parse error: syntax error, unexpected T_ELSE in /home/maddness/public_html/forums/Sources/Subs-Graphics.php on line 227

Jason · July 11, 2009, 10:00:19 AM

Super.

Thanks, I'll take a look today and keep you posted.

Jason · July 11, 2009, 07:53:11 PM

Quote from: fmofmpls on July 10, 2009, 09:25:18 PM
BTW, I tried linking to my avatar at ImageShack but came up with the following error:

Parse error: syntax error, unexpected T_ELSE in /home/maddness/public_html/forums/Sources/Subs-Graphics.php on line 227

Can you see if it works now?