A PHP-Fusion v6.00.303 based public-service website with which I'm associated has been hacked. A new site subdirectory ("infusions/hamilton") has been created and an index page of nonsense has been placed there, along with 2400+ short HTML files, the titles of which seem mostly concerned with game cheats; also health problems and sports. (Yes, that's over two thousand.) So far, all of them that I've sampled contain only a video link that I can't view without downloading a VERY suspicious looking setup.exe file from http://viewworldm... You can see what I see here:
At the moment I can't see any harm done to our website, other than a bit of space used, but I suspect having these files on our site is Generally A Bad Thing and should be cleared up as quickly as possible.
I have been informed that installing the latest version of PHP-Fusion is advisable; it will patch some security holes in earlier versions. I'm nearly always in favor of using the latest version, but ...
To complicate matters, the site's original author--webmaster is unavailable. I've had no part in building or doing technical support of the site. I have administrative access and experience building and maintaining several other sites, some of which are PHP-based, but I've had no experience with PHP-Fusion. So I am much more reluctant to update the PHP-Fusion version, or to do anything else without having a much better idea about how this attack was accomplished. If the vulnerability was something unconnected, it seems much more sensible to fix that and update PHP-Fusion calmly.
Note: It is difficult to tell exactly, because I'm working through a clumsy file manager, but it appears that the permissions for config.php were left wide-open by the original author--webmaster. Aaarrgh.
My questions:
1. Do these symptoms correspond with any specific vulnerability in earlier versions of PHP-Fusion, or with any known actual attacks? In other words, can a PHP-Fusion vulnerability be ruled in or out?
2. Does the fact that the new subdirectory was placed in the standard PHP-Fusion directory "infusions" indicate anything about the attack?
3. [Bonus Question] What should I or can I safely do immediately? (Is it likely my response could generate a devastating retaliation by the hacker?)
4. [Extra Bonus Question] What is the purpose of such an attack? How would I find out? (I've found a few other sites that seem to be victims, but so far, no articles about the attack itself.)
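A read-only triage pass that can be run before anything is changed, as an added example that is not part of the thread: it lists world-writable files (the config.php permissions noted above), counts .html files per infusions/ subdirectory so a stuffed directory like hamilton stands out, lists files changed after a known-good reference file, and finds pages containing a given string. The web root, the reference file and the search string are assumptions passed as arguments.

```shell
#!/bin/sh
# Read-only triage of a PHP-Fusion web root (added example, not from the
# thread). Usage: sh triage.sh /path/to/webroot   -- the path is an assumption.

# Files writable by everyone, which is what the poster suspects for config.php.
world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Number of .html files in each infusions/ subdirectory; a directory holding
# thousands of them (like "hamilton" above) sorts to the top.
html_per_infusion() {
    for d in "$1"/infusions/*/; do
        [ -d "$d" ] || continue
        n=$(find "$d" -type f -name '*.html' | wc -l | tr -d ' ')
        printf '%s %s\n' "$n" "$(basename "$d")"
    done | sort -rn
}

# Files changed after a reference file (a known-good file from the original
# install); everything listed should be compared against a clean copy.
modified_since() {
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# Pages containing a string, e.g. the external host the spam pages link to.
# The host is passed in; the truncated "viewworldm..." from the post is not used.
pages_linking_to() {
    grep -rl -- "$2" "$1" 2>/dev/null | sort
}

if [ -n "${1:-}" ]; then
    echo "== world-writable files =="
    world_writable "$1"
    echo "== .html files per infusion =="
    html_per_infusion "$1"
fi
```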
activate maintenance and save all files and backup your database.
remove all entries that are not needed (spam and folders from that hack) from the database and files.
upgrade to the latest release, but have a look at infusions and mods if the site needs/has such installed, no full backward compatibility for those components.
do it calmly but once more backup all that you have, in case of a bad upgrade you can always get back
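For the "remove the folder from that hack" step, an added example (not from the thread or from PHP-Fusion) that archives the injected directory outside the web root together with a file listing, and only removes it once the archive holds the same number of files, so the pages stay available for later analysis. The paths in the usage line are assumptions.

```shell
#!/bin/sh
# Evidence-preserving removal of an injected directory (added example, not from
# the thread or from PHP-Fusion). Usage with assumed paths:
#   quarantine /var/www/site infusions/hamilton /var/backups/quarantine

# quarantine WEBROOT RELATIVE_DIR QUARANTINE_DIR ; prints the archive path.
quarantine() {
    root=$1; rel=$2; qdir=$3
    src="$root/$rel"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$qdir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$qdir/$(printf '%s' "$rel" | tr '/' '_')-$stamp.tar"
    # Listing with sizes and mtimes, taken before anything is touched.
    (cd "$root" && find "$rel" -type f -exec ls -l {} \;) > "$archive.listing"
    (cd "$root" && tar -cf "$archive" "$rel")
    n_src=$(wc -l < "$archive.listing" | tr -d ' ')
    # Archive entries that are not directories (tar lists directories with a trailing slash).
    n_arc=$(tar -tf "$archive" | grep -vc '/$' || true)
    if [ "$n_src" -eq "$n_arc" ]; then
        rm -rf "$src"
        printf '%s\n' "$archive"
    else
        echo "archive has $n_arc files, source has $n_src; leaving $src in place" >&2
        return 1
    fi
}
```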
1) The possibility of being attacked with such an old version of PHP Fusion is very high.
2) It doesn't really say what the vulnerability is, only your logs would be able to show that.
3) If you don't want to take my suggestion from last night, then you should delete all the added stuff, clear out the hamilton infusion and the html files. Then perform the upgrades to v6.01.18 that you can find in the downloads area.
4) The purpose of such an attack is unknown, as well we don't know who the attacker was
"Might and Greed will never outweigh Honor and Loyalty"
Your advice is very sensible, especially "calmly"!
Sorry, is "activate maintenance" a special mode I need to set somewhere? Or do you mean this generally, that I need to get busy?
Daywalker:
Thanks for your response.
No offense intended, I just wanted some second opinions to what you and I discussed on IRC. Maybe someone reading my post here has encountered exactly the same problem.
Both:
I think this site has suffered from lack of attention for quite some time -- no maintenance has been done. So it seems I must update to version 7 as soon as _calmly_ possible.
I've mostly given up trying to learn more about what exactly went wrong. It's time to install the latest software and take all precautions, I guess, and hope that solves the problem.
Because of my lack of experience with this technology, I'm definitely going to do a prototype on a subdomain or on a local server first before attempting to update the production site.
Because of the total size of the site, 50+ GB, a total back-up is not easy. I figure at least 120 hours of steady downloading for back-up, and with ADSL, a restore would take double that or more. Whew! I'm looking for ways of cutting this down, say, by not backing up invariant data.
In the meantime, I _think_ I can back-up the database and some basic files, leaving out the site's bulk data payload, and use those to build a prototype 7.x system, probably on a local server, and see how that works.
Do you think it would be worthwhile (or necessary) to get a 6.00.303 implementation running on the local server first, as a baseline? I've just skimmed over the documentation. Some of it seems to say you can jump from any 6.x version to 7.x in one step, some seems to say you must do all the intermediate steps. Huh?
maintenance mode will bring your site up with a message for users where you can say what's going on... something like update in progress, stay tuned
50GB+, it's a big site, damn big to have a full backup....
I think that your idea at this point is quite good, if you can have a second database with all your data for an upgrade test directly online. I don't know how, but talking with your hosting about that can probably save some time on download.
in the official package there's an update for v6, so v6 to v7 directly is possible, BUT you are on an old v6.00 and you need at least to update to v6.01 to go to v7.
testing on a local server is the best idea though, you can save your members account table and test the upgrade process. but for not having problems with all your data you need the full database
GameAction wrote:
maintenance mode will bring your site up with a message for users where you can say what's going on... something like update in progress ;) stay tuned
Sure! I'm going to be shutting it down as soon as I can at least get the mySQL database and the other small stuff backed-up.
I guess I'll be looking for a way to permit access only to one page, "index.html" (say) which will tell users, "Sorry, closed for maintenance..." Maybe .htaccess sorcery, I guess. I'll look ...
GameAction wrote:
50GB+, it's a big site, damn big to have a full backup....
Yeah, really! I've persuaded my neighbor to do some downloading for me. Two DSL lines should be better than one.
GameAction wrote:
I think that your idea at this point is quite good, if you can have a second database with all your data for an upgrade test directly online. I don't know how, but talking with your hosting about that can probably save some time on download.
Thanks! I wish I had more confidence in the hosting service. I noticed that their documents are quite simple and there is no user forum at all, and the only alternative left is to call customer service. I'm prepared to get someone quite ... uninformed.
I'm checking into backing-up directly to another site I own. If this can be done, the data rate should be much higher than even 2 DSL lines. But so far, I have not been successful.
GameAction wrote:
in the official package there's an update for v6, so v6 to v7 directly is possible, BUT you are on an old v6.00 and you need at least to update to v6.01 to go to v7.
D'oh! I was really afraid that would be true. Multiple steps like that make the process much slower and less certain. But if I do this locally, I might be OK.
GameAction wrote:
testing on a local server is the best idea though, you can save your members account table and test the upgrade process. but for not having problems with all your data you need the full database :|
Please walk through all the kinds of "data" I need to worry about:
(1) My data files, mostly large JPG images, 50+GB of them.
The PHP-Fusion pages visitors see contain links to all those JPG images, but never directly reference them. So I think I can do OK with only a few of these on my test installation, or some dummy images with the same name.
(2) The mySQL database, which contains nearly all the content users see within the PHP-Fusion frames, right? This database is not visible in my user space, but I can generate a database dump through phpMyAdmin. Then I can use a restore to a new installation the same way. Right?
(3) The accounts table is not in the mySQL database? Where is it? I need to be certain to get that to the new trial installation.
---
By the way, do you know, is there a way to dump all the user records to a text file? I checked with my super-admin privileges, but all I could manage is see user names and data, one at a time. For 2500 users, that's not going to work.
if all your data is mostly JPG it's pretty good, for your test you can use a couple of MB and the rest can remain stored, only waiting for a full backup.
All the content of your site is stored in the database, so users (name, password, email, etc.), personal pages, news and so on (all you can edit and add in administration) will be saved. The best way to be sure is to save with phpMyAdmin and test an import on a local machine. No need for a text file, and you can test an upgrade after that