My site was hacked

Pippi asked:

Just want to share so others can learn.

I still had PHP-Fusion v7.02.05, got hacked, and got this information from my host:

Malware uploaded through weakness in outdated PHP-fusion script.
Files uploaded by hacker:
administration/Dlogoff.php
administration/wishlistl08.php
viewpage.php
wp-conf.php

The problem is fixed; I have now updated all my sites to 7.02.06.

billhunter answered:

About 20 sites were affected early this morning. Malicious content was added to various files.

One of the sites was PHP-Fusion and only one file was altered on this occasion.
Bad content was added to the file login.php.

Here's a link to the access log...
I have REMOVED the link and the complete PHP-Fusion site: 03/03/13

Perhaps the references to login.php in that log file provide clues as to what's going on?

There's a lot of other content in the access log which may also provide useful information about this hack to experts in this sort of thing.

Thanks
Edited by billhunter on 03-03-2013 17:34.
andywilks answered:

Hi. I have 2 PHP sites, one of which was infected on 21 Feb.

wp-config.php
&
viewpage.php, like other posters, were added along with 3 other files:

auRT.html
configGfWE.php
w1main.php

Each file has a mix of capitals or numbers in the wrong place, and the date modified was just after the initial infection, so these were easy to find.
Do I need to check for other files added? These were all I could spot.
I copied the entire site to my local PC, then virus-checked it all. Trojans were found in wp-config and viewpage, but not in those other 3.

That site was a newer version of PHP-Fusion created August last yr... 7.02.xx probably (can't get it live to see at the mo).

So

My more important older site luckily wasn't hacked and is 7.00.07, and therefore I want to try to put measures in place to stop this.

At this time, is the current 7.02.06 hackproof? Drbo on 7.02.06 seems not to be!

I tried to update my 7.00.07 to 7.01.00 as a first step (of 12), as described, but when running the update on the admin page after uploading the relevant files, I got a screenful of syntax errors in my SQL database, then the site stopped working, needing the SQL db recovered. Anyway, I'll do a separate post regarding my update issues.

Thanks for any help.
Andy
HaYaLeT answered:

Some of our PHP-Fusion sites' accounts have been suspended, because malicious content was added to various files.

(7.02.04 - 7.02.05)

What is the problem?
What is your FTP program? e.g. CuteFTP 8.0 etc.
alecxz answered:

My site got a new attack... this file.
An attack every day:

www.alecxz.altervista.org/infusions/image_hosting/thumbs/c2d5772a7c32a5ba4e0fadcfd49cf596.jpg
Drbo answered:

I checked my backup and I found this strange code in the "viewpage" section:
(see pic at flickr)
farm9.staticflickr.com/8516/8523290445_3d3d8219be_b.jpg

What do you think about it?
billhunter answered:

Just confirming what's been mentioned previously.
I have now checked out 7 PHP-Fusion sites in Scotland which were hacked.
About a dozen more still to be checked.
All sites are on two servers.

In every case so far a custom page was added to the site entitled 'testtitl'.
The custom page had content as shown above by others.

Reference to viewpage.php crops up frequently in access and error logs.
The initial offending IPs in every case began 31.133.
This series of IPs seems to be Ukrainian in origin.
Many site files were subsequently edited and new malicious files added. This was achieved via many different IPs.
All sites on the server were eventually infected, whether PHP-Fusion or not.

I've no idea how the hacker originally gained access to add content to these custom pages... or if the sites are still vulnerable.
Edited by billhunter on 03-03-2013 17:37.
Falk (Project Manager) answered:

Here are some things you can do if you get hacked.

Close the site.
Download the whole site to your local computer and save it as a backup.
Get a new database copy and save it as a backup.

Find files and code that don't belong to your installation.
You can take help from the attached file "fusionscan"; it is a very good tool from NetriX and will give you a quick overview.

Check your custom pages for bad code and whether new ones have been created.

If you do not have a modified system, you can delete your whole installation: save your config file first and download a fresh copy of the latest PHP-Fusion version.
Upload the new files, delete setup.php, and copy your old config.php back to the folder.
Remember that avatars / photos and everything else will also be deleted; they are stored in your images folder unless you use 3rd-party infusions.
Do the same with any 3rd-party infusions you have; make sure you have the latest version available, and mind your data so you don't accidentally delete data folders you wish to save.

Change your passwords: MySQL / FTP / Admin.

If your PHP-Fusion version is below 7.02.06 you need to update it.
If you/your host have an older version than PHP 5.3.4, it's strongly recommended that this also gets updated.
Edited by N/A on 13-07-2013 02:57.
Falk attached the following file:
fusionscan.zip
afoster answered:

Where are the custom pages located? One of my sites does not have the drop-down list of existing custom pages. Where do I look for them in the files?
Homdax answered:

They are in the database, if you are referring to the Custom Pages you can make from within PHP-Fusion Content Admin.

You might of course have done other pages with custom code, like our CoC, but that is of course not stored in the database.

Afoster, considering the time you have been here, I am a bit surprised you did not know that.
Edited by Homdax on 03-03-2013 18:48.
kd6oji answered:

I have two sites on the same hosting account via StartLogic.
One site, for an emergency radio group, is running 7.00.3, which did have some hacking attempts in the past but was relatively forgotten after the update to 7.00.3, and hasn't had any further attempts in over a year.
I had installed another site on the same account using 7.02.5, which was promptly hacked. I cleaned that and upgraded to 7.02.6, and again was promptly hacked using the SQL injection methods both drbo and alecxz have posted.

This is NOT a host account hacking issue, as both sites would have been affected. It is directly related to the 7.02.x versions' inability to filter bad SQL injection requests and trash them properly, thereby disallowing the overflow vulnerability that this hack provides.

I did mirror the user access settings that work fine in the 7.00.3 site to the new one, so it isn't an access issue in that respect. The first I noticed of the hacks were tons of spam posts in my forums that had no relation to my site's scope, as well as hundreds of junk accounts. I turned the auto-accept new users validation off, which trapped a lot of attempts to join the site, yet the updated 7.02.6 was again hacked and my host found the following files infected:

/home/users/web/b2539/sl.collinar/kd6ojipublic_html/viewpage.php: Trojan.PHP-43 FOUND
/home/users/web/b2539/sl.collinar/kd6ojipublic_html/administration/accountZQ1O.php: PHP.Trojan.Spambot FOUND
/home/users/web/b2539/sl.collinar/kd6ojipublic_html/administration/Jabook.php: LONGDEF.PHP.Backdoor-3.UNOFFICIAL FOUND
/home/users/web/b2539/sl.collinar/kd6ojipublic_html/includes/jquery/colorbox/images/gallery.php: PHP.Trojan.Spambot FOUND
/home/users/web/b2539/sl.collinar/kd6ojipublic_html/includes/jquery/xml.php: EIG.URL.Malware.Redir-2.UNOFFICIAL FOUND
/home/users/web/b2539/sl.collinar/kd6ojipublic_html/includes/jscripts/tiny_mce/plugins/advhr/js/title.php: PHP.Trojan.Spambot FOUND
/home/users/web/b2539/sl.collinar/kd6ojipublic_html/includes/jscripts/tiny_mce/plugins/contextmenu/plugin.php: EIG.URL.Malware.Redir-2.UNOFFICIAL FOUND
/home/users/web/b2539/sl.collinar/kd6ojipublic_html/themes/Fumaeleon/images/colours/red/ajax.php: EIG.URL.Malware.Redir-2.UNOFFICIAL FOUND
/home/users/web/b2539/sl.collinar/kd6ojipublic_html/themes/Stylo/colour/diff.php: PHP.Trojan.Spambot FOUND
/home/users/web/b2539/sl.collinar/kd6ojipublic_html/wp-conf.php: Trojan.PHP-43 FOUND
/home/users/web/b2539/sl.collinar/wp-conf.php: Trojan.PHP-43 FOUND

That was less than 48 hours after a FRESH installation.

Keep posted code within [CODE] tags /Richard
Edited by Homdax on 03-03-2013 23:20.
afoster answered:

Quote

Afoster, considering the time you have been here, I am a bit surprised you did not know that.

You're right... I should have known that.
PolarFox answered:

FRESH installation - with new passwords?
Pisatel answered:

Hello all. If you updated to 7.02.06 and were cracked again, why would a new hack follow if all files are updated:
- The trojan can be in the database; recover it from BEFORE the cracking, otherwise look through it manually. After all, agreed, we filter incoming data well, but we pay less attention to data output from the database;
- Check ALL .htaccess files; they can lie above the root of a site and contain permission for the image files .gif and .jpg to execute as .php code;
- Don't forget to change ALL passwords: the administrator panel, FTP and so on;
- Check ALL files MANUALLY for malicious code.
I apologize for my English :-)
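Two of the checks recommended in this thread, Falk's "find files and code that don't belong to your installation" and Pisatel's "check ALL .htaccess files" for image extensions mapped to PHP, can be automated against a downloaded copy of the site. The script below is an added example, not the thread's fusionscan tool or PHP-Fusion code; its sample trees, file contents and the "config.php" ignore list are constructed, and in real use `load_tree` would be pointed at a fresh download of the release you run, at the pulled-down site, and (for .htaccess) at the directory above the web root.

```python
"""Post-compromise integrity check for a PHP-Fusion web root (added example):
diff the site against a clean copy of the same release, and flag .htaccess
lines that let image extensions (.jpg/.gif) run as PHP. Trees are plain
{relative_path: bytes} maps so the check also runs on constructed data."""
import hashlib
import os
import re
from pathlib import Path

# AddType/AddHandler bind a MIME type or handler to extensions. SetHandler or
# ForceType inside <FilesMatch> blocks are not parsed here; review by hand.
_ADD_RE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".ico"}
DEFAULT_IGNORE = ("config.php",)  # site-specific, legitimately differs


def load_tree(root):
    """Read every regular file under root into {posix_relpath: bytes}."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): p.read_bytes()
            for p in base.rglob("*") if p.is_file()}


def compare_trees(reference, site, ignore=DEFAULT_IGNORE):
    """Report paths added to, modified in, or missing from the site."""
    ref = {p: hashlib.sha256(b).hexdigest() for p, b in reference.items()}
    report = {"added": [], "modified": [], "missing": []}
    for path, data in site.items():
        if os.path.basename(path) in ignore:
            continue
        if path not in ref:
            report["added"].append(path)
        elif ref[path] != hashlib.sha256(data).hexdigest():
            report["modified"].append(path)
    report["missing"] = [p for p in ref
                         if p not in site and os.path.basename(p) not in ignore]
    return {k: sorted(v) for k, v in report.items()}


def suspicious_htaccess(site):
    """Return (path, line_no, line) for directives mapping images to PHP."""
    findings = []
    for path, data in site.items():
        if os.path.basename(path) != ".htaccess":
            continue
        for no, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
            m = _ADD_RE.match(line)
            if not m:
                continue
            target, ext_list = m.group(2).lower(), m.group(3).split()
            exts = {e if e.startswith(".") else "." + e for e in ext_list}
            if "php" in target and exts & IMAGE_EXTS:
                findings.append((path, no, line.strip()))
    return sorted(findings)


# Constructed sample trees (not real PHP-Fusion sources), modelled on the thread:
# a random-named admin file appears, viewpage.php gains content, and an
# .htaccess hands .jpg/.gif to the PHP engine. The reference has no .htaccess.
CLEAN = {
    "viewpage.php": b"<?php require_once 'maincore.php';\n// render custom page\n",
    "administration/news.php": b"<?php // news administration\n",
    "config.php": b"<?php $db_pass = 'reference-placeholder';\n",
}
SITE = {
    "viewpage.php": b"<?php require_once 'maincore.php';\n// render custom page\n"
                    b"/* block appended after the release build */\n",
    "administration/news.php": b"<?php // news administration\n",
    "administration/accountZQ1O.php": b"<?php /* not part of any release */\n",
    "config.php": b"<?php $db_pass = 'this-sites-own-password';\n",
    ".htaccess": b"RewriteEngine On\nAddType application/x-httpd-php .jpg .gif\n",
    "images/.htaccess": b"Options -Indexes\n",
}

if __name__ == "__main__":  # real use: compare_trees(load_tree(clean), load_tree(site))
    for kind, paths in compare_trees(CLEAN, SITE).items():
        print(f"{kind:9s}", ", ".join(paths) or "-")
    for path, no, line in suspicious_htaccess(SITE):
        print(f"{path}:{no}: {line}")
```

A file that is "added" relative to the release is not automatically malicious (themes, infusions and your own .htaccess land there too), so treat the report as a review list, and diff against the exact release version you had installed.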
val answered:

I want to send the changed PHP files and access logs from one of my sites that has been hacked to an admin in here; how can I do that?

Regards, Val

Btw: I can state that it is not 1 or 2 places where they replace your PHP files; it happens all over your website. Around 20 files have been altered on one of my sites, running 07.02.05.
Examples: index.php in a lot of directories, config.php, viewpage.php, articles.php and more.
mcspire answered:

Also my site was completely taken over:
The webspace was filled with a lot of folders which contained PHP files.

First I tried to delete all the unknown and recently changed stuff. Then I recopied the missing files. This still hadn't solved the issue.

I then saved my infusions, config.php, and some additional self-made content.

Second try was to completely empty the webspace. Then I copied a complete new 7.02.6 installation to the webspace (before that I had 7.02.4), copied my theme and infusions back to the webspace, and triggered a fresh installation. After installation I changed my config file back to the former values. Finished; it was back as usual. Then I deleted the strange custom page "testtitl", checked the .htaccess files and done: two hours and everything is back and safe (as far as I can hope). Then I triggered the update to 7.02.6 via Administration.

It seems to be stable again.

I write this because I was really worried about getting my site back as it was. So maybe this may help someone.
MeTRoiD answered:

Haven't checked recent posts, but I think I found out where the thing is on this.

ALL users, please check your custom pages @ admin panel. Check all pages that you have and there should be THE HACKER's added code there. Stored in the database.
Maybe worth checking other things in the database.
AND ADD THIS IP: 31.133.41.75 to the blacklist.
Useful links:
http://stackoverflow.com/questions/81...it-by-this
http://ghaoui.com/blog/2010/05/php-di...nd-others/
P.S. Hope in v8 we won't use eval()... I think that is how they got information.
P.S. Would love to hear something from other DEVs. Could this be a bug in the system?

"eval() is equally evil at all times." - Good quote.
Archer answered:

This hack looks to be from the SQL attack which was patched in 7.02.06. I haven't seen any attack using eval.

But just as a note, eval is used in 6 pages of PHP-Fusion:

custom_pages.php
banners.php
panels.php
viewpage.php
theme_functions_include.php
output_handling_include.php
PolarFox answered:

Disabling eval() will block some important PF functions...
For example, PHP in panels etc.
jikaka answered:

NEW: Multiple vulnerabilities in PHPFusion
http://www.securitylab.ru/vulnerabili...438312.php

Quote

Affected versions: PHPFusion 7.02.06, possibly earlier.
Description:
The vulnerability allows malicious people to conduct XSS attacks.

1. The vulnerability is caused by insufficient input validation of the parameters "news_id", "news_image", "news_image_t1" and "news_image_t2" in the script administration/news.php. This can be exploited to execute arbitrary SQL commands in the application database.

Note: Successful exploitation requires the "administer news" permission.

2. The vulnerability is caused by insufficient input validation of the parameter "article_id" in the script administration/articles.php. This can be exploited to execute arbitrary SQL commands in the application database.

Note: Successful exploitation requires the "administer articles" permission.

3. The vulnerability is caused by insufficient input validation of the parameter "highlight" in the script forum/viewthread.php (when the parameter "thread_id" is a legitimate forum thread ID). This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Vendor URL: http://www.php-fusion.co.uk/news.php

Solution: No way to eliminate the vulnerability exists at present.
Falk (Project Manager) answered:

@jikaka
Also, all those attacks require admin access as a user to start with; we can imagine that being an admin on a site, you don't need to hack the site to destroy it.
But it is good for us: the wave of attacks shows that we are more popular again.
Finding these things before we get a beta of V8 out is crucial.
Not only because V8 will be the safest PHP-Fusion version ever.
It will also look good ;)
