NEW V6 HACK - BLANK SCREEN ??

Viewed 51,533 times

smokeman (Veteran Member) asked:

To all of you v6-users:

Delete immediately the map member_poll_panel from your FTP-Server !!!

I have fixed 4 sites right now the last approximately 5 hours.

They are all running under v6. From v6.01.15 to v6.01.18, I discovered. But I'm not sure if they go for older versions too.


If your site is hacked:

1. If you have a Poll running - disable it from: Admin Panel->System Admin->Panels.

2. Open up the file: /themes/YOUR_THEME/theme.php - & delete the long text near to the top of the file. You can't miss it.

3. Delete the map: /infusions/member_poll_panel

4. Open up phpMyAdmin.

5. Click on the left side on "fusion_panels".

6. Delete panel_name: System / panel_filename: ../images/panel.php


Cheers!
Edited by smokeman on 27-11-2009 04:05,

41 posts

Basti, PHP-Fusion Crew Member & Admin from June 2008 - December 2010 (Veteran Member) answered:

Quote

simonw wrote:
Thanks to everyone for all the help with this.

I have fixed things up on my site using the instructions, except I can't find a .htaccess file,
so don't know what to do with that part.

It would be wonderful if someone could explain the vulnerability to me (perhaps in a PM)
so I can do what I need to to prevent further exploitation while I work on the upgrade
to V7 (have some work to do since I have quite a few V6 specific mods that I need to research).

I'm assuming that V7 is not vulnerable - it would be good to understand why that is.

Simon.

PS I am still on v6.01.13


Download the file which I uploaded in my post before. The problem should be fixed there.

And yes in v7 we don't have this vulnerability, because in v7 this unsecure variable is checked with isnum().

blueadept (Junior Member) answered:
Thank you for the fix.

It actually looks like the hack on my site was over a month old. The original hack occurred in October (or possibly before), for which I do not have the logs.

schoupped (Newbie) answered:

I have 2 sites with the same problem running V6.01.06.
I have solved the problems thanks to you for 1 site now.

I have an extra you have to do to get everything working:

In phpmyadmin in 'fusion_panels' there was a line 'weblinks' with links to sites that have nothing to do with my site.
I also got some error code on the site due to this.

I deleted the line and it was OK again.

Will the problem be definitely solved when you have removed the member poll panel?

vision4life (Member) answered:

Today I got message of blank screen on one of my sites and thanks for this thread I got it fixed, but not completely following the instructions: after deleting the long line in theme.php and doing the steps before I got my banner back but got error in subheader.php, so going from one error to the next. Luckily I had a local backup (always good to have a backup, not only of the database, but also the files) and after copying my backed-up theme.php to the server, the site was back in the air.

jiikoo (Junior Member) answered:

As far as I understood right the intruder got the admin password by exploiting security hole in panel.php (e.g. by using SQL-injection).

But does anyone know how did he manage to insert malicious code into the theme.php?
Edited by jiikoo on 28-11-2009 01:20,

starefossen (Senior Member) answered:

Thanks to Smokeman for reporting this and Slaughter for providing the corrected files.

Understanding the problem:
The problem is caused by an insecure variable which is not properly checked and therefore can be used to insert malicious code into the MySQL query, but also PHP commands which can create and, in this case, edit files. We have seen the same method being used in the search.php vulnerability.

The problem is caused by two things:
1. A variable not properly checked
2. Global variables

How is it done?
The hack is done by implementing a code into the theme.php file, by injecting it into the SQL query, so it can be accessible from within all pages of the site running PHPFusion. From there the hacker has direct access to the server and can execute PHP commands, upload files etc.

Preventing being hacked?
If you are running a v6 site there are three ways you can prevent being hacked:
1. Remove member polls from the panels list, by disabling it from the admin panel => system admin => panels
2. Replacing the files with the new ones
3. Upgrade to PHPFusion v7

If your site has been hacked?
If your site has been hacked here is what you got to do:

1. Set your site in maintenance mode from Admin Panel => System Admin => Miscellaneous Settings
2. Open up the file: /themes/YOUR_THEME/theme.php - and delete the long text near to the top of the file, you can't miss it! Or re-upload the file from your computer. Be sure to check all your themes, delete those you're not using and re-upload those you are using.
3. Open up the /images/ folder and delete all PHP files inside it and upload a new blank index.php file, look specifically for a file named panel.php.
4. Delete the folder completely: /infusions/member_poll_panel - and upload the new files here.
5. Open up phpMyAdmin. Click on the left side on "fusion_panels" or view rows and delete a panel_name: System with the panel_filename: ../images/panel.php
6. Be sure to change your MySQL password and user password for your user on the site which has been hacked and make sure other admins and users change their passwords too!

Questions?
Post here if you have any further questions about the hack or if you have been attacked.


Quote

More detailed information will follow!
Edited by Basti on 28-11-2009 12:26,

starefossen (Senior Member) answered:
News posted and new version of PHPFusion v6 (6.01.19) out, read more here.

bite (Member) answered:

The page to which the malicious code sends some info uses PHPFusion, and in the news on that website the owner says that he got hacked not long ago, so it does explain why that encoded code in theme.php links to him. I PMed the admin of that website.
Edited by bite on 28-11-2009 02:54,

Quartzkyte, admin @ French N.S.S. (Senior Member) answered:

Thanks guys, one of my sites which I don't check usually everyday was under attack.
Info now relayed to the French community via N.S.S. PM.

Am mostly in V7 now but some sites still need infusions or mods to be ported to V7...

IPN (Newbie) answered:

Thank you all for your wonderful input and feedback, especially smokeman and blueadept

buspilot (Newbie) answered:

Thank you all especially smokeman and blueadept.

I have two v6.1 sites that were also hacked. I have carefully followed the instructions but seem to still have problems. My site now has its header panel back, but the side panels and center news panels are invisible. I use the Milestone theme.

After I deleted the long string of numbers in the theme.php file I continued to see parse errors. Reading deeper in this thread I saw a suggestion to upload a fresh theme.php file, and did so after unzipping a fresh download of the php-fusion v6.1 core files.

After I uploaded a fresh theme.php file I was able to see my header, but nothing else. Side panels and center content are invisible to me. Can anyone help me with suggestions?

site is www.ascertainpolygraph.com

Olegan (Newbie) answered:

Thanks from all!

Quartzkyte, admin @ French N.S.S. (Senior Member) answered:

@buspilot: can you login via login.php? If so, go to the admin panel and delete the System panel.
Also, delete panel.php in /images.

VoiceX (Newbie) answered:

don't forget to delete the file images/panel.php (if exists).

This was never mentioned before (or did I overread it???)

@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel
Edited by VoiceX on 09-12-2009 19:06,

Quartzkyte, admin @ French N.S.S. (Senior Member) answered:

Quote

VoiceX wrote:
don't forget to delete the file images/panel.php (if exists).

This was never mentioned before (or did I overread it???)

@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel
:) just the post above yours...

— 1 month later —

schoupped (Newbie) answered:

After working well, yesterday I'm having again troubles with the site....

I think the origin is the same as mentioned earlier but now I have other problems!

The site seems to work well but when I open a photogallery I don't get any thumbnails.

When I click on the 'no thumbnail' text I get following message:
Warning: filesize() [function.filesize]: stat failed for images/photoalbum/album_68/img_4543.jpg in /customers/vbssintkatrien.be/vbssintkatrien.be/httpd.www/photogallery.php on line 77

Anyone got an idea how to solve this quickly?

thanks in advance!

— 1 month later —

PolarFox (Veteran Member) answered:

guys I think something wrong...

I'm about latest build http://www.php-fusion.co.uk/downloads...oad_id=190 for the v6
and
this patch http://www.php-fusion.co.uk/downloads...oad_id=259

Patch have a patch (yeah :) )
But, latest build HAVEN'T!

Please rebuild core archive!

m_a_f (Junior Member) answered:

There is a vulnerable version v6.01.19 similar member_poll_panel.php by hacking the same, vulnerable file navigation_panel.php
Administrators can reset the logs cracking.
So the claim that the above advice of avoiding problems is not yet worth it.

— 2 months later —

schoupped (Newbie) answered:

I'm back again, the problems still haven't been solved for me.... today again a blank screen.

I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files stated again the weird code like stated below:

<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......
0 replies
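
The cleanup checklist posted by starefossen earlier in this thread and the loader string in the post above can be turned into a sweep over a downloaded copy of the site. This is an added example, not code from the thread or from PHP-Fusion; it also matches other gz* wrappers beyond the gzuncompress form shown, and the function names, the 2000-byte long-line threshold and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Loader shape from this thread, generalised to other gz* wrappers and bare eval(base64_decode(.
LOADER_RE = re.compile(rb"eval\s*\(\s*(?:gz\w+\s*\(\s*)?base64_decode\s*\(", re.I)
LONG_LINE = 2000  # assumed threshold for the "long text" injected into theme.php

def sweep(webroot):
    """Return sorted (relative_path, reason) findings for a local site copy."""
    findings = []
    for path in (p for p in Path(webroot).rglob("*") if p.is_file()):
        rel = path.relative_to(webroot).as_posix()
        top, lower = rel.split("/")[0], path.name.lower()
        # Thread advice: no PHP file belongs in /images/ except a blank index.php.
        if top == "images" and lower.endswith(".php") and lower != "index.php":
            findings.append((rel, "php-in-images"))
        # A dropped .htaccess was reported inside the navigation panel folder.
        if top == "infusions" and lower == ".htaccess":
            findings.append((rel, "htaccess-in-infusions"))
        # Scan PHP, .htaccess and extensionless files (e.g. archive_panel).
        if lower.endswith((".php", ".htaccess")) or "." not in lower:
            data = path.read_bytes()
            if LOADER_RE.search(data):
                findings.append((rel, "obfuscated-loader"))
            elif any(len(line) > LONG_LINE for line in data.splitlines()):
                findings.append((rel, "very-long-line"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree using the paths named in the thread."""
    root = Path(tempfile.mkdtemp(prefix="fusion_v6_copy_"))
    loader = b"<?eval(gzuncompress(base64_decode('QUJD')));?>\n"  # inert, constructed
    samples = {
        "themes/Milestone/theme.php": loader + b"<?php // theme code\n",
        "images/panel.php": b"<?php // constructed placeholder\n",
        "images/index.php": b"",
        "infusions/navigation_panel/.htaccess": b"# constructed placeholder\n",
        "infusions/navigation_panel/archive_panel": loader,
        "infusions/navigation_panel/navigation_panel.php": b"<?php echo 'ok';\n",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    return root

if __name__ == "__main__":
    for rel, reason in sweep(build_sample_tree()):
        print(f"{reason:22} {rel}")
```

Run it against a copy pulled down over FTP rather than on the live server; a `very-long-line` hit is only a prompt to open the file and look.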

Basti, PHP-Fusion Crew Member & Admin from June 2008 - December 2010 (Veteran Member) answered:
Quote

schoupped wrote:
I'm back again, the problems still haven't been solved for me.... today again a blank screen.

I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files stated again the weird code like stated below:

<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......


Why don't you upgrade to v7?
V6 is full of bugs.