
injected spam.. help!

Viewed 11,198 times
Crisium
  • Junior Member, joined since
  • Contributed 27 posts on the community forums.
  • Started 10 threads in the forums
  • Started this discussion
asked
Junior Member

Hi users,

I'm having problems getting rid of someone injecting spam into my website here, www.osghelp.com. You can see the spam if you take a source view of the HTML code.

I have applied the newest patches. Anyone know what/where the security hole is?

regards,
Peter Wraae Marino

Basti
[PHP-Fusion Crew Member & Admin from June 2008 - December 2010]

http://basti2web.de - Support Site for my infusions
  • Veteran Member, joined since
  • Contributed 1,099 posts on the community forums.
  • Started 32 threads in the forums
answered
Veteran Member

Take a look at this topic:
http://php-fusion.co.uk/forum/viewthr...d_id=23366

Which version of PHPFusion do you have?
If you have the latest one: are you sure that the changes in code were made after the update to the latest version?
Crisium
answered
Junior Member

Hi,

I'm using v6.01.16, and the link you gave me is exactly what my problem is, and I can see no one has a solution for it!

I have removed it from the SQL database and updated the patch.

So the problem is still very, very much alive.

peter
blackfox101
  • Member, joined since
  • Contributed 82 posts on the community forums.
  • Started 14 threads in the forums
answered
Member

Try re-uploading the whole PHP-Fusion package... then re-apply the patches. See if that works... if not, I don't know.
Crisium
answered
Junior Member

Quote

blackfox101 wrote:
Try re-uploading the whole PHP-Fusion package... then re-apply the patches. See if that works... if not, I don't know.


The code has been modified, so I don't think I want to go that far right now.

I have added some code where they inject the spam, so next time I will have a timestamp and IP address and see if I can solve the problem that way around.

Peter
Crisium
answered
Junior Member

I have created some code to record the IP address when the injection happens. I have banned that IP address, but they still inject spam into my website...

There is a serious security hole in PHP-Fusion .16.

Does anyone know what I can do to prevent this, or find out how they do it so I can fix the problem?

peter
Matonor
Impossible things are there to be made possible
  • Veteran Member, joined since
  • Contributed 1,022 posts on the community forums.
  • Started 3 threads in the forums
answered
Veteran Member

Where is the code inserted?
What kind of modifications and infusions do you have installed?
Crisium
answered
Junior Member

Quote

Matonor wrote:
Where is the code inserted?
What kind of modifications and infusions do you have installed?


As far as I can see, the attacker is inserting the code in the panels.
I'm on a laptop right now so I can't see my own code right now, but I have added code in the administration panel editor, where I record the IP address of anyone adding a panel, and this code does get activated and I do get the IP address of the attacker.

You can see the spam that has been put in at www.osghelp.com; just view the source code of the HTML and you will see hidden spam.

regards,
Peter
Crisium
answered
Junior Member

Finally got access to my VPS.

OK, the file I changed to log the attacker is
panel_editor.php

There is only one place where the panel is INSERT(ed) in this file, and I added the following:

$file = "/tmp/marino.txt";
// append: with 'w' every request to this page would overwrite the previous record
$handle = fopen( $file, 'a' );
// one line per request: the client IP address
$data = $_SERVER['REMOTE_ADDR'] . "\n";
fwrite( $handle, $data );
fclose( $handle );

So when the attacker adds a new panel I basically record the IP address. I have banned this IP address, but the attacker still adds spam to my website.

I'm considering recording the GET and POST arrays to see what URL they used, because they are injecting spam and bypassing security routines in PHP-Fusion.

I'll get back if I know more. If you have any suggestions, please tell.

regards,
Peter
Crisium
answered
Junior Member

Hi all,

OK, it seems like this thread is getting ignored, even though it's a very valid thread.

I have added more code to catch $_GET and $_POST when the spam gets injected. This is what they are doing when they inject the spam:

87.118.112.44****** GET *******Array
(
[aid] => 47433b88e8d85291
)
****** POST *******Array
(
[panel_name] => Weblinks
[panel_display] => 1
[save] => save
[panel_content] => $echo =<<<END
<!-- ~ --><u style=\'display:none\'> <a href=\"http://www.agnes-karll-krankenhaus.de/index.php?u=14737\">viagra para que</
END;
echo($echo);
[panel_filename] => none
[panel_side] => 1
[panel_access] => 0
)

I cut the spam short!!!! For a good reason... but if you view the source of www.osghelp.com you can see the full length of the spam.

Why can they inject the spam????

anyone?
Peter Marino

Oh, forgot to show you the code that I use to capture this:
$file = "/tmp/marino.txt";
// append: with 'w' every request to this page would overwrite the previous record
$handle = fopen( $file, 'a' );

// write IP address
fwrite( $handle, $_SERVER['REMOTE_ADDR'] );

// write $_GET (print_r with true as second argument returns the dump instead of printing it)
fwrite( $handle, "****** GET *******" );
fwrite( $handle, print_r( $_GET, true ) );

// write $_POST
fwrite( $handle, "****** POST *******" );
fwrite( $handle, print_r( $_POST, true ) );

// terminate the record so the next request starts on a new line
fwrite( $handle, "\n" );
fclose( $handle );

Please help.
peter
Edited by Crisium on 09-12-2008 15:24,
Xessive
I am not always right, but I'm never wrong.
http://www.xessive.nl
  • Senior Member, joined since
  • Contributed 327 posts on the community forums.
  • Started 4 threads in the forums
answered
Senior Member

If there's a lot of modding done, maybe that can be the source of the injections. Other than that, it might be wrong CHMODing of the core files.

If I'm correct, you DO have the unspoiled and modded files on your PC, don't you?

First check every file for the correct CHMOD (read the readme.htm).
Then upload all the unspoiled and modded files again to the server, making sure you overwrite everything.

Check the database: export to XML using phpMyAdmin (for easier reading), save the file on your PC, and check for rogue code etc. in EVERY table and record.

Also install the Security System from bs-fusion.de; this will probably hold off future attackers.

It's a lot of work, but badly modded (not saying that your mods are bad, but mistakes are easily made) sites are very vulnerable to these kinds of attacks and make troubleshooting very hard....

Good Luck
Edited by Xessive on 09-12-2008 20:18,
muscapaul
Paul

Time flies like an arrow, fruit flies like banana (Groucho Marx)

Sites: Diptera.info (site owner); Online-Keys.net (site owner); Sciomyzidae.info (site co-owner); muscapaul.com (defunct; site owner)
  • Veteran Member, joined since
  • Contributed 1,075 posts on the community forums.
  • Started 8 threads in the forums
answered
Veteran Member

There was a rogue file in the forum/attachments folder, similar to the ones found when the search vulnerability was exploited. The file was deleted and we will monitor if that cures the problem.
mabel
  • Newbie, joined since
  • Contributed 1 post on the community forums.
answered
Newbie

Our sports association has been using php-fusion extensively for many years now, but over recent months 17 of our sites have been hacked in the same way.
A rogue file has appeared in forum/attachments.
The footer and panels are full of spam, and this causes any Google Ads to spew out pharmacy links.
There may of course be other changes to files or dbases which have not been discovered!

This problem was only identified a couple of weeks ago although the attacks began in late August 2008.
These spam links can easily go unnoticed as they reside in footer.php or disabled panels.

Versions 6 and 7 were affected.
Some sites were backed up, others not.
Because of the number of sites affected it's become a major problem and unfortunately raises concerns about the continued use of the software.
Edited by mabel on 10-12-2008 12:00,
M
muscapaul
M
Paul

Time flies like an arrow, fruit flies like banana (Groucho Marx)

Sites: Diptera.info (site owner); Online-Keys.net (site owner); Sciomyzidae.info (site co-owner); muscapaul.com (defunct; site owner)
  • Veteran Member, joined since
  • Contributed 1,075 posts on the community forums.
  • Started 8 threads in the forums
answered
Veteran Member

Please note that this may all have been due to an earlier vulnerability that was exploited before it was patched. Affected v7 sites may well have been attacked (it is even likely) before they were upgraded to v7.
In itself PHPFusion is safe. Almost every system suffers because a vulnerability is discovered every now and then. We are proud to have closed all recently discovered vulnerabilities in the core of PHPFusion within 24 hours. Sorting out vulnerabilities due to third party mods/infusions is much more difficult, because that means that common factors between sites need to be established. Still, even those we can usually track down and patch within 48 hours.
At the moment there is no reason to abandon the use of PHPFusion, but when a backdoor has been created on a site it will be exploited until you remove it.

I would not mind helping to clean up the sites but then I'd need to have full site backups and preferably also database backups to scan them for suspicious code/files.
Edited by muscapaul on 10-12-2008 12:42,