I’m no security expert, but I think what he did was he uploaded an avatar with a PHP code inside it, found a server/script exploit and ran it. I opened up the avatar (after looking for it for hours) and found this code (see below screenshot). Then he launched the attack from there appending malicious links on a file that is being included everytime SMF draws a page.

A quick Diff on SMF’s base files and our SMF files revealed that a new readme.php was created. And it contained the following:

Decoding that garbled texts reveals that readme.php was run on the browser and that was the main cause of appending links on the Settings.php.

I am still baffled by the fact that some people would do such things. Disrupt service for profit? Well, as for  krisbarteo, yes you’ve succeeded in doing that. Then what? Happy now? If you only have used that smarts and skills on the good stuff, you’d probably be rich by now.

To all PHPugers, we hope that this thing doesn’t happen again even if we all know that the Internet isn’t safe from these crackers. It’s all good. For now.