My turn for spam hijacking

ImproperUsername (Member) asked:

Over the past 48 hours, I have been having repeated problems with the news.php file being overwritten with this:
code hidden for security reasons/Kamillo

The site becomes overwhelmed with the external load, I guess, goes to error 503, and then I have to ask support to restart the application pool.

I installed the latest PHP-Fusion files. I ran fusion-scan (which found nothing). I changed all my passwords. I double-checked folder and file permissions.

Any other suggestions?
Edited by Kamillo on 23-08-2013 08:17.

Kamillo (Senior Member) answered:

http://www.php-fusion.co.uk/forum/viewthread.php?thread_id=32996&highlight=hack&pid=180869#post_180869
ImproperUsername (Member) answered:

I took yet another look at that post, and realized that I had overlooked removing third party infusions. This time, I did that, along with all the other recommendations.

Keeping my fingers crossed!
Tyler (Member) answered:

Hopefully that solved your issues...

Unfortunately it would have been nice to get a list of your 3rd party infusions so maybe we could compile a list of insecure addons and warn users to stay away from them...
ImproperUsername (Member) answered:

I removed these infusions:

* member_pages_pphotowidget_panel
* shoutbox_panel
* latest_articles_panel
* comment_include_panel

I have kept these that came with the official latest PHP-fusion install:

css_navigation_panel
forum_threads_list_panel
forum_threads_panel
latest_comments_panel
latest_downloads_panel
member_poll_panel
online_users_panel
user_info_panel
welcome_message_panel

And I kept:

fusionscan
Chan (Super Admin, Lead Developer of PHP-Fusion) answered:

The above code targets the login to hit the news, bypassing permissions to post and not going through SQL. It uses cache because that's how PHP-Fusion renders. Smart. But we need 1 user account to pull that.

Thanks for sharing the hack code. We'll use it to improve our security as well.
supersonic (Junior Member) answered:

Yes, many thanks for sharing the code; the developers can go over it and see if they can stop it in its tracks :) I would drop the whole site and install a good backup from when it was last OK, then go over all the code again to stop it.

That will then correct things from the last good restore point and should stop it, but double-check permissions and what user group rights are set ;) If it still happens, then put up your maintenance page and wait for a fix; at least then they can't do any damage.
Chan (Super Admin, Lead Developer of PHP-Fusion) answered:

The code must reside on the server to work.
Unknown: where did you find the file on your server? Which folder? User submissions?
Chan (Super Admin, Lead Developer of PHP-Fusion) answered:

Yes, it can be stopped. Not difficult. Remarked for SQL methods. I will make a workaround and submit it under the Defender roadmap. Thanks!

Should the hack appear again, please report it so we can shut the gap.
ImproperUsername (Member) answered:

I have PHP-fusion installed in a subdirectory:

publicHTML > PHPfusionDirectory

I have it on my reseller account, which is on a Windows 2010 server. I know, Linux is better! Sometimes I have need of using .NET or ASP. I made writeable only the folders that have to be.

So far (keeping fingers crossed), the site remains OK since the last re-install.
ImproperUsername (Member) answered:

[I don't know if this will be helpful or not, but the first time this happened, the malicious code referenced the news.php file. When I reinstalled that time, I made a point of making that file read-only. When the site was hijacked again soon after, the malicious code referenced the PHP file that I posted with the code above (which is now hidden). I don't think that was a file that I made, and I didn't think to check its creation date (sorry). Regardless of the misleading name of the file, its code appeared to be a copy of news.php.]

Thank you, those of you on the PHP-fusion team, for your interest in this. I luvz PHP-fusion! It is so easy to use and to customize, it really has me spoiled.
Chan (Super Admin, Lead Developer of PHP-Fusion) answered:

Doesn't look like a worm's doing. Yes indeed, it looks very much like LWP::Simple! Thank you.

Improper, but a Windows server? Can PHP-Fusion install on one? The last guy whom I know did it made a YouTube video complaining that the setup didn't even work. :)

Beware of IE8. It has a ton of security holes.
Edited by Chan on 24-08-2013 02:04.
ImproperUsername (Member) answered:

Quote:
"Improper, but a Windows server? Can PHP-Fusion install on one? The last guy whom I know did it made a YouTube video complaining that the setup didn't even work. :)"

I've had no difficulty installing it. Maybe I should make a YouTube video too.
ImproperUsername (Member) answered:

OK, I found the file overwritten again... I'm trying to figure out how this is happening.
Falk (Super Admin, Project Manager) answered:

You have no mods or addons installed now at all?
It would be great if you had a log of the initial inserts as well.
Any information we can get will help.

Until it gets sorted, you can add these to your php.ini to increase your protection.

allow_url_fopen=Off
allow_url_include=Off
disable_functions = apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode
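As an added example (not code from this thread or from the PHP-Fusion project), the following PHP script audits the running interpreter against the php.ini settings Falk lists above: it reports whether allow_url_fopen and allow_url_include are still On, and which functions from his disable_functions list are still callable. The function list is copied from the post; names in it that are not real PHP functions simply do not exist and are skipped.

```php
<?php
// Added example: audit the running PHP configuration against the hardening
// recommended above. Run it from the CLI (php audit_ini.php) under the same
// php.ini the web server uses, or call auditPhpConfig() from a maintenance script.

function auditPhpConfig(): array
{
    $findings = [];

    // 1. Directives that should be Off. ini_get() returns "1" when a boolean
    //    directive is on and "" or "0" when it is off.
    foreach (['allow_url_fopen', 'allow_url_include'] as $name) {
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$name is On; set $name=Off in php.ini";
        }
    }

    // 2. Functions the post lists for disable_functions (copied verbatim from
    //    the post). function_exists() returns false both for names that are
    //    not real functions and for functions blocked via disable_functions,
    //    so anything it reports as existing is still callable.
    //    Caveat: eval is a language construct, not a function, so
    //    disable_functions cannot block it; function_exists('eval') is false.
    $list = 'apache_child_terminate, apache_setenv, define_syslog_variables, '
          . 'escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, '
          . 'ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, '
          . 'highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, '
          . 'mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, '
          . 'phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, '
          . 'posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, '
          . 'posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, '
          . 'proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode';
    foreach (array_map('trim', explode(',', $list)) as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn is still callable; add it to disable_functions";
        }
    }

    return $findings;
}

$findings = auditPhpConfig();
if ($findings === []) {
    echo "OK: configuration matches the recommended hardening\n";
} else {
    foreach ($findings as $finding) {
        echo "WARN: $finding\n";
    }
}
```

Note that the CLI and the web server often load different php.ini files, so check `php --ini` and phpinfo() agree before trusting a clean result.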
ImproperUsername (Member) answered:

Domi, I sent you a PM.

I found that I did not have folder and file permissions set to read-only as I thought. Stupid Windows server makes that so much more difficult than Linux. However, I have finally gotten all set to read-only.

ETA: I removed fusionscan from infusions. It was the only "3rd party" infusion I still had installed. (fusionscan never revealed any issues with the site when I ran it)
Edited by ImproperUsername on 24-08-2013 03:52.
ImproperUsername (Member) answered:

A contributing factor, I discovered, was that the hosting company has site-wide Write Permissions enabled by default for all sites on Windows servers. I disabled that on mine, once I found where to do that on the control panel. (I had previously thought I had folders and files set to read-only, but alas that was not the case.)

When I asked support why Write Permissions enabled is the default, the reply was that it was just easier that way, because so many of their users cannot figure out how to get their scripts to work. :( -- this made me laugh, because they have been insisting that any vulnerabilities had to be strictly within the CMS, and were not their fault.

So far, over the past 10 or so hours, my site remains hijack-free. Although this has been exasperating, it has also been interesting.
Edited by ImproperUsername on 24-08-2013 15:19.
supersonic (Junior Member) answered:

Very good reading, thanks for updating us. I'm with you; I cannot understand why they would make global full write perms for all. Madness.