My site was hacked: The Chill Out Zone

Home
Search

Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.

Just want to share so others can learn.

I had still PHP-fusion v 7.02.05, got hacked, got this information from my host:

Malware uploaded through weakness in outdated PHP-fusion script.
Files uploaded by hacker:
administration/Dlogoff.php
administration/wishlistl08.php
viewpage.php
wp-conf.php

Problem is fixed, now I have updated all my sites to 7.02.06.:G

0 replies

It's not out dates script i think..
I got hacked on v7.02.05 too.. Will need to insert some extra security..
And it happened yesterday so we could be the same hacker targets.. :D

0 replies

Same happend to me yesterday, i got a mail saying :

Martin K: Malware uploaded through weakness in outdated PHP-fusion script.
Martin K: You must:
Delete files uploaded by hacker
Change MySQL password
Remove weak script or fix weaknesses
Files uploaded by hacker:
administration/erss.php
administration/loginLIfx.php
viewpage.php
wp-conf.php
Further notes:
Please note that this list may not be complete.
Please check all your files to make sure the malicious files are all removed.

0 replies

Find out when the "Attacks" took place and show us the access logs where it takes place and maybe provide us with some IP's and user agent strings.

LOL LMAO!!! :D

0 replies

My site was also hacked yesterday. Malware was uploaded by a weakness in a PHPFusion script. This was uploaded to my site c99.txt

//Removed the malware text link// Richard

Do NOT add it again.

Edited by Homdax on 21-02-2013 15:45, 11 y

0 replies

Post a link to an AV report on an AV site instead of the actual code of the malware... please.

0 replies

c99 shell is what used to get used for hacking 7.01 sites, I have not heard of it attacking any sites with that or the r57shell since 7.01 but is possible. ;)

0 replies

Sound like an RFI. Can someone provide use with more information or the attacks they have had ? Such as logs.

0 replies

I sent you my error log as PM, Im not sure if everything is secure to post in this forum.

0 replies

From the logs you sent your site was "hacked" using a a custom page. Which could mean that you gave someone this right to make a custom page or an account was "hacked" and a custom page made to upload files and / or any other attack.

0 replies

Had the same problem within 2 days of installing fusion, guess they where targeting sites? Going to try and hunt down my logs.

0 replies

Craig, do not be rude. It is very unfortunate to have a site hacked and regardless of existing updates it is not sure they could help avoiding it...

0 replies

In my opinion its a shell attack. Someone most likely uploaded a shell from another domain on the same server as your website. Upon initiating the shell commands, they're able to upload / make changes throughout the entire server.

Doesn't matter if your protected or not with PHPFusion.

I would take this issue up with your hosting provider and demand actions be taken.

In fact the attack method takes place way before PHPFusion was even drafted for development.

I remember it being used against me in my PHP-Nuke days. Quite simple process really..

0 replies

I'm actually working on a security system for PHPFusion just now. I will not say it will STOP Hacking completely and I will not say it will stop these things from happening but it will help as another defence shield and certainly put them off trying since it's a waste of time they keep getting booted to google instead. Anyway More on that at another time. ;)

0 replies

my sites also attacked:|

0 replies

Damn, sorry to hear that, it seems ok now? Any details, Jikaka?

0 replies

was filled shell, hit all the sites my account, about 25 pieces, covered with alien files of that plan:

Quote

w35574914n.php
w58108374n.php
w82323321n.php
wp-conf.php

also filled some of the files in different folders into the site
on past that introduced alien code in the first 2 files
eg artitsles.php and contact.php

bad, very bad!!!!!
:|:|:|

0 replies

Couldn't really see much in the logs.. not a great host (one.com) will look out for your security system though Craig.

This was all i was told from the host much like Juliotje.

Malware uploaded through weakness in outdated PHP-fusion script.
- Delete files uploaded by hacker
- Change MySQL password
- Remove weak script or fix weaknesses
Files uploaded by hacker:
administration/mobileLXx.php
administration/oNthemes.php
viewpage.php
wp-conf.php

0 replies

Do you guys know if exec or shell_exec functions are enabled on your servers? I know it could be a breach if your site is on a shared server but just wondering if its people running insecure applications on their site....

0 replies

had the same

following files where affected...
administration/robotsGZHf.php
and
administration/SLrobots.php

in the access Log i found:

Code Download source

113.72.134.7 - - [22/Feb/2013:03:35:24 +0100] "GET /login.php HTTP/1.1" 200 7934 "http://******/" "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1" ****.de
and

31.133.32.171 - - [22/Feb/2013:04:11:18 +0100] "GET /profile.php?lookup=1 HTTP/1.1" 200 9108 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de
31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "GET / HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de


and

31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "GET /news.php HTTP/1.1" 200 13953 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ***.de
31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "POST /administration/custom_pages.php?aid=d61f6dab454818e0 HTTP/1.1" 200 1289 "http://***.de/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de
31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "GET /viewpage.php?page_id=1&viewpages=1 HTTP/1.1" 200 1025 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de


31.133.32.171 - - [22/Feb/2013:06:08:51 +0100] "POST /viewpage.php?page_id=1&viewpages=1&cookies=1&showimg=1&truecss=1&t2122n=1 HTTP/1.1" 200 2039 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ***.de
31.133.32.171 - - [22/Feb/2013:06:08:52 +0100] "GET /viewpage.php?t5709n=1 HTTP/1.1" 200 34559 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de

31.133.32.171 - - [22/Feb/2013:06:10:35 +0100] "POST /viewpage.php?page_id=1&viewpages=1&cookies=1&showimg=1&truecss=1 HTTP/1.1" 200 1037 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" ***.de

178.152.100.2 - - [22/Feb/2013:11:46:20 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 7827 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" ***.de

146.185.255.183 - - [22/Feb/2013:11:46:41 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 34561 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ****.de

[b]146.185.255.183 - - [22/Feb/2013:11:46:43 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 49181 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de
146.185.255.183 - - [22/Feb/2013:11:46:45 +0100] "POST /administration/robotsGZHf.php HTTP/1.1" 200 36 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de[/b]

[b]146.185.255.183 - - [22/Feb/2013:11:46:46 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 49842 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de

146.185.255.183 - - [22/Feb/2013:11:46:48 +0100] "GET /administration/SLrobots.php?sf=0&showro=0 HTTP/1.1" 200 8031 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de[/b]

Code Tags used / Richard

Edited by Homdax on 24-02-2013 11:41, 11 y

0 replies

Category Forum

Announcements & Security Issues

Labels

None yet

Statistics

Views 0 views
Posts 142 posts
Votes 0 votes
Topic users 41 members

41 participants

Notifications

Track thread

You are not receiving notifications from this thread.

My site was hacked

142 posts

PHPFusion

Resources

Community

Development