My site was hacked: The Chill Out Zone

Home
Search

Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.

Just want to share so others can learn.

I had still PHP-fusion v 7.02.05, got hacked, got this information from my host:

Malware uploaded through weakness in outdated PHP-fusion script.
Files uploaded by hacker:
administration/Dlogoff.php
administration/wishlistl08.php
viewpage.php
wp-conf.php

Problem is fixed, now I have updated all my sites to 7.02.06.:G

0 replies

Post a link to an AV report on an AV site instead of the actual code of the malware... please.

0 replies

c99 shell is what used to get used for hacking 7.01 sites, I have not heard of it attacking any sites with that or the r57shell since 7.01 but is possible. ;)

0 replies

Sound like an RFI. Can someone provide use with more information or the attacks they have had ? Such as logs.

0 replies

I sent you my error log as PM, Im not sure if everything is secure to post in this forum.

0 replies

From the logs you sent your site was "hacked" using a a custom page. Which could mean that you gave someone this right to make a custom page or an account was "hacked" and a custom page made to upload files and / or any other attack.

0 replies

Had the same problem within 2 days of installing fusion, guess they where targeting sites? Going to try and hunt down my logs.

0 replies

Craig, do not be rude. It is very unfortunate to have a site hacked and regardless of existing updates it is not sure they could help avoiding it...

0 replies

In my opinion its a shell attack. Someone most likely uploaded a shell from another domain on the same server as your website. Upon initiating the shell commands, they're able to upload / make changes throughout the entire server.

Doesn't matter if your protected or not with PHPFusion.

I would take this issue up with your hosting provider and demand actions be taken.

In fact the attack method takes place way before PHPFusion was even drafted for development.

I remember it being used against me in my PHP-Nuke days. Quite simple process really..

0 replies

I'm actually working on a security system for PHPFusion just now. I will not say it will STOP Hacking completely and I will not say it will stop these things from happening but it will help as another defence shield and certainly put them off trying since it's a waste of time they keep getting booted to google instead. Anyway More on that at another time. ;)

0 replies

my sites also attacked:|

0 replies

Damn, sorry to hear that, it seems ok now? Any details, Jikaka?

0 replies

was filled shell, hit all the sites my account, about 25 pieces, covered with alien files of that plan:

Quote

w35574914n.php
w58108374n.php
w82323321n.php
wp-conf.php

also filled some of the files in different folders into the site
on past that introduced alien code in the first 2 files
eg artitsles.php and contact.php

bad, very bad!!!!!
:|:|:|

0 replies

Couldn't really see much in the logs.. not a great host (one.com) will look out for your security system though Craig.

This was all i was told from the host much like Juliotje.

Malware uploaded through weakness in outdated PHP-fusion script.
- Delete files uploaded by hacker
- Change MySQL password
- Remove weak script or fix weaknesses
Files uploaded by hacker:
administration/mobileLXx.php
administration/oNthemes.php
viewpage.php
wp-conf.php

0 replies

Do you guys know if exec or shell_exec functions are enabled on your servers? I know it could be a breach if your site is on a shared server but just wondering if its people running insecure applications on their site....

0 replies

had the same

following files where affected...
administration/robotsGZHf.php
and
administration/SLrobots.php

in the access Log i found:

Code Download source

113.72.134.7 - - [22/Feb/2013:03:35:24 +0100] "GET /login.php HTTP/1.1" 200 7934 "http://******/" "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1" ****.de
and

31.133.32.171 - - [22/Feb/2013:04:11:18 +0100] "GET /profile.php?lookup=1 HTTP/1.1" 200 9108 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de
31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "GET / HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de


and

31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "GET /news.php HTTP/1.1" 200 13953 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ***.de
31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "POST /administration/custom_pages.php?aid=d61f6dab454818e0 HTTP/1.1" 200 1289 "http://***.de/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de
31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "GET /viewpage.php?page_id=1&viewpages=1 HTTP/1.1" 200 1025 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de


31.133.32.171 - - [22/Feb/2013:06:08:51 +0100] "POST /viewpage.php?page_id=1&viewpages=1&cookies=1&showimg=1&truecss=1&t2122n=1 HTTP/1.1" 200 2039 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ***.de
31.133.32.171 - - [22/Feb/2013:06:08:52 +0100] "GET /viewpage.php?t5709n=1 HTTP/1.1" 200 34559 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de

31.133.32.171 - - [22/Feb/2013:06:10:35 +0100] "POST /viewpage.php?page_id=1&viewpages=1&cookies=1&showimg=1&truecss=1 HTTP/1.1" 200 1037 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" ***.de

178.152.100.2 - - [22/Feb/2013:11:46:20 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 7827 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" ***.de

146.185.255.183 - - [22/Feb/2013:11:46:41 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 34561 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ****.de

[b]146.185.255.183 - - [22/Feb/2013:11:46:43 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 49181 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de
146.185.255.183 - - [22/Feb/2013:11:46:45 +0100] "POST /administration/robotsGZHf.php HTTP/1.1" 200 36 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de[/b]

[b]146.185.255.183 - - [22/Feb/2013:11:46:46 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 49842 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de

146.185.255.183 - - [22/Feb/2013:11:46:48 +0100] "GET /administration/SLrobots.php?sf=0&showro=0 HTTP/1.1" 200 8031 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de[/b]

Code Tags used / Richard

Edited by Homdax on 24-02-2013 11:41, 11 y

0 replies

I checked my MYSQL Database and saw that this IP adress 31.133.32.171
was Logged in as Admin !!

Found new Infos !!!

CODE REMOVED /Richard

Edited by Homdax on 24-02-2013 11:40, 11 y

0 replies

PF versions?

0 replies

SOME TIPS:

If you can access your site admin put the site in maintenance mode else go into phpmyadmin if you can look in the settings table for Maintenance and enter 1.

Check your FTP all folders for malicious files and check your themes/templates/header.php. Other folders to check are administration/backups and forum/attachments but check all folders anyway and if possible get a scan done by your host.

Disable all infusions and panels and check all your infusions folders for malicious files.
What infusions and panels do you all use any in common?

Change All Your Passwords for your site and ftp and sql and whatever else.

It is not necessary your PHPFusion that was hacked/exploited it could be server side or locally. Get your host to check things for you as well. ;)

If you know when roughly the time was when your site got hacked you can look in your site access logs for around the time the site was hacked and you might be able to see who and how it was hacked. Ask your host about your site access logs if you do not know about them.

Best thing if you have no idea what to do contact your host see if they can investigate deeper for you.

Good Luck!

0 replies

v7.02.05

0 replies

That has known vulnerabilities upgrade to 7.02.06

0 replies

Category Forum

Announcements & Security Issues

Labels

None yet

Statistics

Views 0 views
Posts 142 posts
Votes 0 votes
Topic users 41 members

41 participants

Notifications

Track thread

You are not receiving notifications from this thread.

My site was hacked

142 posts

PHPFusion

Resources

Community

Development