|
NEW V6 HACK - BLANK SCREEN ??
|
| slaughter |
Posted on 27-11-2009 18:34
|
Admin

Posts: 1361
Joined: 09.04.07
|
simonw wrote:
Thanks to everyone for all the help with this.
I have fixed things up on my site using the instructions, except I can't find a .htaccess file,
so don't know what to do with that part.
It would be wonderful if someone could explain the vulnerability to me (perhaps in a PM)
so I can do what I need to to prevent further exploitation while I work on the upgrade
to V7 (have some work to do since I have quite a few V6 specific mods that I need to research).
I'm assuming that V7 is not vulnerable - it would be good to understand why that is.
Simon.
PS I am still on v6.01.13
Download the file which I uploaded in my earlier post. The problem should be fixed there.
And yes, in v7 we don't have this vulnerability, because in v7 this insecure variable is checked with isnum().
Links:
Support Site for my infusions
Pimped-Fusion: A highly modified version of PHP-Fusion 7.01 |
| |
|
|
| blueadept |
Posted on 27-11-2009 18:45
|
Junior Member

Posts: 13
Joined: 24.03.06
|
Thank you for the fix.
It actually looks like the hack on my site was over a month old. The original hack occurred in October (or possibly before), for which I do not have the logs. |
| |
|
|
| schoupped |
Posted on 27-11-2009 20:04
|
Newbie

Posts: 4
Joined: 27.11.09
|
I have 2 sites with the same problem running V6.01.06.
I have solved the problems thanks to you for 1 site now.
There is one extra thing you have to do to get everything working:
In phpMyAdmin, in 'fusion_panels', there was a row 'weblinks' with links to sites that have nothing to do with my site.
I also got some error code on the site due to this.
I deleted the row and it was OK again.
Will the problem be definitely solved when you have removed the member poll panel? |
| |
|
|
| vision4life |
Posted on 27-11-2009 21:10
|
Member

Posts: 54
Joined: 07.06.07
|
Today I got the blank screen message on one of my sites and thanks to this thread I got it fixed, but not by completely following the instructions: after deleting the long line in theme.php and doing the steps before it, I got my banner back but got an error in subheader.php, so going from one error to the next. Luckily I had a local backup (always good to have a backup, not only of the database, but also of the files) and after copying my backed-up theme.php to the server, the site was back in the air.
Kind Regards, Fred |
| |
|
|
| jiikoo |
Posted on 27-11-2009 23:46
|
Junior Member

Posts: 16
Joined: 24.01.06
|
If I understood right, the intruder got the admin password by exploiting a security hole in panel.php (e.g. by using SQL injection).
But does anyone know how he managed to insert malicious code into theme.php?
Edited by jiikoo on 28-11-2009 00:20
Lorem ipsum dolor sit amet |
| |
|
|
| starefossen |
Posted on 28-11-2009 00:31
|

Super Admin

Posts: 586
Joined: 09.02.06
|
Thanks to Smokeman for reporting this and Slaughter for providing the corrected files.
Understanding the problem:
The problem is caused by an insecure variable which is not properly checked and can therefore be used to insert malicious code into the MySQL query, and also PHP commands which can create and, in this case, edit files. We have seen the same method being used in the search.php vulnerability.
The problem is caused by two things:
- A variable not properly checked
- Global variables
How is it done?
The hack is done by putting code into the theme.php file, by injecting it into the SQL query, so that it is accessible from within all pages of the site running PHP-Fusion. From there the hacker has direct access to the server and can execute PHP commands, upload files, etc.
Preventing being hacked?
If you are running a v6 site there are three ways you can prevent being hacked:
- Remove member polls from the panels list, by disabling it from the admin panel => system admin => panels
- Replace the files with the new ones
- Upgrade to PHP-Fusion v7
If your site has been hacked?
If your site has been hacked, here is what you have to do:
- Set your site in maintenance mode from Admin Panel => System Admin => Miscellaneous Settings
- Open up the file: /themes/YOUR_THEME/theme.php - and delete the long text near the top of the file, you can't miss it! Or re-upload the file from your computer. Be sure to check all your themes, delete those you're not using and re-upload those you are using.
- Open up the /images/ folder, delete all PHP files inside it and upload a new blank index.php file. Look specifically for a file named panel.php.
- Delete the folder completely: /infusions/member_poll_panel - and upload the new files here.
- Open up phpMyAdmin. Click on the left side on "fusion_panels" or view rows and delete the row with panel_name: System and panel_filename: ../images/panel.php
- Be sure to change your MySQL password and the password for your user on the site which has been hacked, and make sure other admins and users change their passwords too!
Questions?
Post here if you have any further questions about the hack or if you have been attacked.
More detailed information will follow!
Edited by slaughter on 28-11-2009 11:26
PHP-Fusion Development Team Leader
PHP-Fusion Codex - The complete reference to PHP-Fusion! |
| |
|
|
| starefossen |
Posted on 28-11-2009 01:27
|

Super Admin

Posts: 586
Joined: 09.02.06
|
News posted and new version of PHP-Fusion v6 (6.01.19) is out, read more here.
| |
|
|
| bite |
Posted on 28-11-2009 01:35
|

Senior Member

Posts: 218
Joined: 07.07.08
|
The page to which the malicious code sends some info uses PHP-Fusion, and in the news on that website the owner says that he got hacked not long ago, so that explains why the encoded code in theme.php links to him. I PMed the admin of that website.
Edited by bite on 28-11-2009 01:54 |
| |
|
|
| Quartzkyte |
Posted on 28-11-2009 23:01
|

Moderator

Posts: 578
Joined: 25.01.06
|
Thanks guys, one of my sites which I don't usually check every day was under attack.
Info now relayed to the French community via N.S.S. PM.
Am mostly in V7 now but some sites still need infusions or mods to be ported to V7...

---------------------------------------
My PHP Fusion sites (sorry, in French...) :
My first try, left open for v7 testing
My Win XP site from the one above
My work site
Site for a non-profit organization teaching computing to retired people
Site for Travel from France to U.S.A. & Canada
and My PHP Fusion Blog, just starting...
+ 15 more PHP - Fusion sites! |
| |
|
|
| IPN |
Posted on 30-11-2009 16:30
|
Junior Member

Posts: 21
Joined: 16.09.04
|
Thank you all for your wonderful input and feedback, especially smokeman and blueadept |
| |
|
|
| buspilot |
Posted on 03-12-2009 19:00
|
Newbie

Posts: 1
Joined: 08.10.09
|
Thank you all especially smokeman and blueadept.
I have two v6.1 sites that were also hacked. I have carefully followed the instructions but seem to still have problems. My site now has its header panel back, but the side panels and center news panels are invisible. I use the Milestone theme.
After I deleted the long string of numbers in the theme.php file I continued to see parse errors. Reading deeper in this thread I saw a suggestion to upload a fresh theme.php file, and did so after unzipping a fresh download of the php-fusion v6.1 core files.
After I uploaded a fresh theme.php file I was able to see my header, but nothing else. Side panels and center content are invisible to me. Can anyone help me with suggestions?
site is www.ascertainpoly... |
| |
|
|
| Olegan |
Posted on 03-12-2009 22:06
|

Newbie

Posts: 1
Joined: 06.07.06
|
Thanks from all!
|
| |
|
|
| Quartzkyte |
Posted on 03-12-2009 23:30
|

Moderator

Posts: 578
Joined: 25.01.06
|
@buspilot: can you login via login.php? If so, go to the admin panel and delete the System panel.
Also, delete panel.php in /images.

| |
|
|
| VoiceX |
Posted on 09-12-2009 17:55
|

Newbie

Posts: 3
Joined: 05.10.06
|
Don't forget to delete the file images/panel.php (if it exists).
This was never mentioned before (or did I miss it???)
@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel
Edited by VoiceX on 09-12-2009 18:06 |
| |
|
|
| Quartzkyte |
Posted on 10-12-2009 08:02
|

Moderator

Posts: 578
Joined: 25.01.06
|
VoiceX wrote:
Don't forget to delete the file images/panel.php (if it exists).
This was never mentioned before (or did I miss it???)
@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel
Just the post above yours...

| |
|
|
| schoupped |
Posted on 02-02-2010 10:51
|
Newbie

Posts: 4
Joined: 27.11.09
|
After working well, since yesterday I'm having trouble with the site again....
I think the origin is the same as mentioned earlier but now I have other problems!
The site seems to work well but when I open a photo gallery I don't get any thumbnails.
When I click on the 'no thumbnail' text I get the following message:
Warning: filesize() [function.filesize]: stat failed for images/photoalbum/album_68/img_4543.jpg in /customers/vbssintkatrien.be/vbssintkatrien.be/httpd.www/photogallery.php on line 77
Anyone got an idea how to solve this quickly?
thanks in advance! |
| |
|
|
| PolarFox |
Posted on 14-03-2010 15:47
|

Senior Member

Posts: 302
Joined: 26.08.08
|
Guys, I think something is wrong...
I mean the latest build http://www.php-fu...oad_id=190 for v6
and
this patch http://www.php-fu...oad_id=259
The patch has the patch (yeah)
But the latest build HASN'T!
Please rebuild the core archive!
The BS-Fusion Security System - protect yourself. |
| |
|
|
| m_a_f |
Posted on 14-03-2010 16:36
|

Junior Member

Posts: 37
Joined: 04.09.05
|
There is a vulnerable version v6.01.19 similar member_poll_panel.php by hacking the same, vulnerable file navigation_panel.php
Administrators can reset the logs cracking.
So the claim that the above advice of avoiding problems is not yet worth it.
Ukrainian support site |
| |
|
|
| schoupped |
Posted on 02-06-2010 19:46
|
Newbie

Posts: 4
Joined: 27.11.09
|
I'm back again, the problem still hasn't been solved for me.... today a blank screen again.
I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files again contained the weird code like the one below:
<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines...... |
| |
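A check for the leftovers this thread describes (the cleanup checklist earlier in the thread and the reinfected files reported in the post above), as an added example that is not part of any post or of PHP-Fusion itself. It assumes you run it over a local copy of the site and pass it (panel_name, panel_filename) rows exported from fusion_panels; the function names, the sample tree and the gzinflate variant are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Wrapper quoted in the thread: eval(gzuncompress(base64_decode('...
# The gzinflate variant is an assumption, not something reported here.
OBFUSCATED_EVAL = re.compile(
    rb"eval\s*\(\s*(?:gzuncompress|gzinflate)\s*\(\s*base64_decode\s*\(",
    re.IGNORECASE)

def scan_site(root):
    """Return (relative_path, reason) findings for a local copy of a v6 site."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if OBFUSCATED_EVAL.search(data):
            findings.append((rel, "obfuscated eval chain"))
        # Checklist: images/ should hold no PHP except a blank index.php.
        if rel.startswith("images/") and path.suffix.lower() == ".php":
            if path.name != "index.php" or data.strip():
                findings.append((rel, "PHP file in images/"))
    return findings

def suspicious_panels(rows):
    """Flag fusion_panels rows whose panel_filename leaves the panel folder.
    Assumes legitimate values are bare folder names (no path separators)."""
    return [r for r in rows if any(s in r[1] for s in ("..", "/", "\\"))]

def build_sample(root):
    """Write a constructed sample tree (placeholder payloads, nothing real)."""
    chain = b"<?eval(gzuncompress(base64_decode('QUJD')));?>\n"
    files = {
        "themes/clean/theme.php": b"<?php echo 'ok';\n",
        "themes/active/theme.php": chain + b"<?php echo 'ok';\n",
        "images/index.php": b"",
        "images/panel.php": b"<?php /* constructed placeholder */\n",
        "infusions/navigation_panel/.htaccess": chain,
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_site(tmp):
            print(f"{reason}: {rel}")
```

The scan reads every file rather than only *.php, because the post above found the same wrapper inside a .htaccess file and in files without a .php extension.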
|
|
| slaughter |
Posted on 02-06-2010 19:57
|
Admin

Posts: 1361
Joined: 09.04.07
|
schoupped wrote:
I'm back again, the problem still hasn't been solved for me.... today a blank screen again.
I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files again contained the weird code like the one below:
<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......
Why don't you upgrade to v7?
V6 is full of bugs.
| |
|