SMF Update to 2.0 done. Default theme set to curve w/TCL stuff for all users. Installed Bad Behavior Mod, notCaptcha Mod, Anti-Spam-Link Mod. dokuwiki updated to "Rincewind", SMF auth is working again.
Many thanks for the pointer, this rr.nu redirection was indeed in many of the forum php files, which should be clean now... attachments seem to be clean as well, at least I didn't find any reference to rr.nu in them any more, so it must have been delivered while accessing and downloading them.
Do you know how these files got infected?
Quote from: bmarkus on March 05, 2012, 07:58:44 AMDo you know how these files got infected?Nope. But it seems to have hit also wordpress and other php based installations... so I would guess it's got something to do with an admin account and maybe a hacked browser/OS, which triggers some "nice" update functions within SMF itself to spread the malware.