NEW V6 HACK - BLANK SCREEN ??

Forum Locked - v6 no longer supported

41 Replies 41,669 Views Last Updated on 7 years ago

Basti


Fusioneer

#21

Posted 8 years ago

simonw wrote:
Thanks to everyone for all the help with this.

I have fixed things up on my site using the instructions, except I can't find a .htaccess file,
so don't know what to do with that part.

It would be wonderful if someone could explain the vulnerability to me (perhaps in a PM)
so I can do what I need to to prevent further exploitation while I work on the upgrade
to V7 (have some work to do since I have quite a few V6 specific mods that I need to research).

I'm assuming that V7 is not vulnerable - it would be good to understand why that is.

Simon.

PS I am still on v6.01.13


Download the file which I uploaded in my post before. The problem should be fixed there.

And yes, in v7 we don't have this vulnerability, because in v7 this insecure variable is checked with isnum().
[PHP-Fusion Crew Member & Admin from June 2008 - December 2010]

http://basti2web.de - Support Site for my infusions

Posts: 1103

Joined: 09/04/2007

blueadept


Junior Member

#22

Posted 8 years ago

Thank you for the fix.

It actually looks like the hack on my site was over a month old. The original hack occurred in October (or possibly before), for which I do not have the logs.

Posts: 17

Joined: 24/03/2006

schoupped


Newbie

#23

Posted 8 years ago

I have 2 sites with the same problem running V6.01.06.
I have solved the problems thanks to you for 1 site now.

I have an extra you have to do to get everything working:

In phpMyAdmin, in 'fusion_panels', there was a line "weblinks" with links to sites that have nothing to do with my site.
I also got some error code on the site due to this.

I deleted the line and it was OK again.

Will the problem be definitely solved when you have removed the member poll panel?

Posts: 4

Joined: 27/11/2009

vision4life


Member

#24

Posted 8 years ago

Today I got a message of a blank screen on one of my sites, and thanks to this thread I got it fixed, but not completely following the instructions: after deleting the long line in theme.php and doing the steps before, I got my banner back but got an error in subheader.php, so going from one error to the next. Luckily I had a local backup (always good to have a backup, not only of the database, but also the files) and after copying my backed-up theme.php to the server, the site was back in the air.


Kind Regards, Fred

Posts: 53

Joined: 07/06/2007

jiikoo


Junior Member

#25

Posted 8 years ago

As far as I understood, the intruder got the admin password by exploiting a security hole in panel.php (e.g. by using SQL injection).

But does anyone know how he managed to insert malicious code into theme.php?
Edited by jiikoo on 28-11-2009 00:20
Lorem ipsum dolor sit amet

Posts: 10

Joined: 24/01/2006

starefossen


Senior Member

#26

Posted 8 years ago

Thanks to Smokeman for reporting this and Slaughter for providing the corrected files.

Understanding the problem:
The problem is caused by an insecure variable which is not properly checked and therefore can be used to insert malicious code into the MySQL query, but also PHP commands which can create and, in this case, edit files. We have seen the same method being used in the search.php vulnerability.

The problem is caused by two things:
  1. A variable not properly checked
  2. Global variables


How is it done?
The hack is done by implementing code into the theme.php file, by injecting it into the SQL query, so it can be accessible from within all pages of the site running PHP-Fusion. From there the hacker has direct access to the server and can execute PHP commands, upload files, etc.

Preventing being hacked?
If you are running a v6 site there are three ways you can prevent being hacked:
  1. Remove member polls from the panels list, by disabling it from the admin panel => system admin => panels
  2. Replacing the files with the new ones
  3. Upgrade to PHP-Fusion v7


If your site has been hacked?
If your site has been hacked here is what you got to do:

  1. Set your site in maintenance mode from Admin Panel => System Admin => Miscellaneous Settings
  2. Open up the file: /themes/YOUR_THEME/theme.php - and delete the long text near the top of the file, you can't miss it! Or re-upload the file from your computer. Be sure to check all your themes, delete those you're not using and re-upload those you are using.
  3. Open up the /images/ folder and delete all PHP files inside it and upload a new blank index.php file, look specifically for a file named panel.php.
  4. Delete the folder completely: /infusions/member_poll_panel - and upload the new files here.
  5. Open up phpMyAdmin. Click on the left side on "fusion_panels" or view rows and delete a panel_name: System with the panel_filename: ../images/panel.php
  6. Be sure to change your MySQL password and user password for your user on the site which has been hacked and make sure other admins and users change their passwords too!


Questions?
Post here if you have any further questions about the hack or if you have been attacked.


More detailed information will follow!

Edited by Basti on 28-11-2009 11:26
www.postexus.com - Follow Postexus on Facebook.

Posts: 359

Joined: 09/02/2006

starefossen


Senior Member

#27

Posted 8 years ago

News posted and new version of PHP-Fusion v6 (6.01.19) out, read more here.
www.postexus.com - Follow Postexus on Facebook.

Posts: 359

Joined: 09/02/2006

bite


Member

#28

Posted 8 years ago

The page to which the malicious code sends some info uses PHP-Fusion, and in the news on that website the owner says that he got hacked not long ago, so it does explain why that encoded code in theme.php links to him. I PMed the admin of that website.
Edited by bite on 28-11-2009 01:54

Posts: 163

Joined: 07/07/2008

Quartzkyte


Senior Member

#29

Posted 8 years ago

Thanks guys, one of my sites which I don't check usually everyday was under attack.
Info now relayed to the French community via N.S.S. PM.

Am mostly in V7 now but some sites still need infusions or mods to be ported to V7...
Mike
---------------------------------------
Quartzkyte, admin @ French N.S.S.

Posts: 406

Joined: 25/01/2006

IPN


Newbie

#30

Posted 8 years ago

Thank you all for your wonderful input and feedback, especially smokeman and blueadept

Posts: 4

Joined: 16/09/2004

buspilot


Newbie

#31

Posted 8 years ago

Thank you all especially smokeman and blueadept.

I have two v6.1 sites that were also hacked. I have carefully followed the instructions but seem to still have problems. My site now has its header panel back, but the side panels and center news panels are invisible. I use the Milestone theme.

After I deleted the long string of numbers in the theme.php file I continued to see parse errors. Reading deeper in this thread I saw a suggestion to upload a fresh theme.php file, and did so after unzipping a fresh download of the php-fusion v6.1 core files.

After I uploaded a fresh theme.php file I was able to see my header, but nothing else. Side panels and center content are invisible to me. Can anyone help me with suggestions?

site is www.ascertainpoly...

Posts: 1

Joined: 08/10/2009

Olegan


Newbie

#32

Posted 8 years ago

Thanks from all!

Posts: 1

Joined: 06/07/2006

Quartzkyte


Senior Member

#33

Posted 8 years ago

@buspilot: can you login via login.php? If so, go to the admin panel and delete the System panel.
Also, delete panel.php in /images.
Mike
---------------------------------------
Quartzkyte, admin @ French N.S.S.

Posts: 406

Joined: 25/01/2006

VoiceX


Newbie

#34

Posted 8 years ago

don't forget to delete the file images/panel.php (if exists).

This was never mentioned before (or did I overread it???)

@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel
Edited by VoiceX on 09-12-2009 18:06

Posts: 7

Joined: 05/10/2006

Quartzkyte


Senior Member

#35

Posted 8 years ago

VoiceX wrote:
don't forget to delete the file images/panel.php (if exists).

This was never mentioned before (or did I overread it???)

@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel
Smile just the post above yours...
Mike
---------------------------------------
Quartzkyte, admin @ French N.S.S.

Posts: 406

Joined: 25/01/2006

schoupped


Newbie

#36

Posted 8 years ago

After working well, since yesterday I'm having troubles with the site again....

I think the origin is the same as mentioned earlier but now I have other problems!

The site seems to work well but when I open a photogallery I don't get any thumbnails.

When I click on the 'no thumbnail' text I get following message:
Warning: filesize() [function.filesize]: stat failed for images/photoalbum/album_68/img_4543.jpg in /customers/vbssintkatrien.be/vbssintkatrien.be/httpd.www/photogallery.php on line 77

Anyone got an idea how to solve this quickly?

thanks in advance!

Posts: 4

Joined: 27/11/2009

PolarFox


Fusioneer

#37

Posted 7 years ago

Guys, I think something is wrong...

I'm about the latest build http://www.php-fu...oad_id=190 for the v6
and
this patch http://www.php-fu...oad_id=259

The patch has a patch (yeah Smile )
But the latest build HASN'T!

Please rebuild core archive!

Posts: 1642

Joined: 26/08/2008

m_a_f


Junior Member

#38

Posted 7 years ago

There is a vulnerable version v6.01.19 similar member_poll_panel.php by hacking the same, vulnerable file navigation_panel.php
Administrators can reset the logs cracking.
So the claim that the above advice of avoiding problems is not yet worth it.

Posts: 29

Joined: 04/09/2005

schoupped


Newbie

#39

Posted 7 years ago

I'm back again, the problem still hasn't been solved for me.... today again a blank screen.

I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files stated again the weird code like stated below:

<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......

Posts: 4

Joined: 27/11/2009
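
As an added example (not code from the thread or from PHP-Fusion), the clean-up checks from post #26 and the injected-code pattern quoted in post #39 can be scripted as a read-only scan. The `scan_site` helper, the demo directory tree and the panel rows are constructed for illustration; the folder names follow the paths mentioned in the thread.

```python
import re
import tempfile
from pathlib import Path

# Obfuscated-loader pattern quoted in post #39 (whitespace tolerated).
LOADER = re.compile(rb"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(")

def scan_site(root, panel_rows):
    """Return sorted (indicator, detail) findings for a PHP-Fusion v6 docroot."""
    root, findings = Path(root), []
    # Step 3: /images/ should hold no PHP except a blank index.php.
    for f in (root / "images").rglob("*.php"):
        if f.name != "index.php" or f.stat().st_size > 0:
            findings.append(("php-in-images", f.relative_to(root).as_posix()))
    # Step 2 and post #39: injected loader in themes and panel folders,
    # including non-.php files such as .htaccess.
    for sub in ("themes", "infusions"):
        for f in (root / sub).rglob("*"):
            if f.is_file() and LOADER.search(f.read_bytes()):
                findings.append(("obfuscated-loader", f.relative_to(root).as_posix()))
    # Step 5: a fusion_panels row whose filename climbs out of its folder.
    for name, filename in panel_rows:
        if ".." in Path(filename).parts or filename.startswith("/"):
            findings.append(("panel-path-traversal", f"{name} -> {filename}"))
    return sorted(findings)

# Constructed sample docroot; payload bodies are inert placeholders.
DEMO_FILES = {
    "images/index.php": b"",
    "images/panel.php": b"<?php /* constructed placeholder */ ?>",
    "themes/Clean/theme.php": b"<?php function render_page() {} ?>",
    "themes/Demo/theme.php": b"<?eval(gzuncompress(base64_decode('CONSTRUCTED')));?>",
    "infusions/navigation_panel/.htaccess": b"<? eval( gzuncompress(base64_decode('X')));",
}
# Constructed fusion_panels export: (panel_name, panel_filename).
DEMO_PANELS = [("Navigation", "navigation_panel"), ("System", "../images/panel.php")]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in DEMO_FILES.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return scan_site(tmp, DEMO_PANELS)

if __name__ == "__main__":
    for indicator, detail in demo():
        print(f"{indicator:22} {detail}")
```

The scan only reads files; anything it reports still has to be replaced from a known-good copy as the thread describes.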

Basti


Fusioneer

#40

Posted 7 years ago

schoupped wrote:
I'm back again, the problem still hasn't been solved for me.... today again a blank screen.

I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files stated again the weird code like stated below:

<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......


Why don't you upgrade to v7?
V6 is full of bugs.
[PHP-Fusion Crew Member & Admin from June 2008 - December 2010]

http://basti2web.de - Support Site for my infusions

Posts: 1103

Joined: 09/04/2007
