Quote
agl wrote:
Well, the site got hacked again today and I have exactly no idea what to do next... I emailed the hacker asking for the bug he's using to hack the site... and I'm going to stop working on the site till I find the error (I don't want my time and work to be wasted every day he hacks the site). Is there any known exploit in v6.01.6? He seems to be able to easily hack my account. I think it may be by creating a fake cookie and making the system think it's the admin... not sure though, but I'm sure he doesn't and can't hack the cpanel and is getting the mysql pass from the files in the site... Do you think encoding the config.php file using programs like phtml encoder can help?
Hello, agl,
does the hacker still upload the webshell (the file c99.php)?
It's strange that he changed your mysql and cpanel password.
If the hacker does all the job with webshells, I will try to help you stop getting webshells in your ftp.
And did you try putting the webshell c99.php into your ftp, opening it in your browser, and seeing whether it allows you to browse the server's system files etc.? Maybe the server is not secure?
Quote
do you think encoding the config.php file using programs like phtml encoder can help?
But you can decode it. :| But encoding may help.
There is a way to view config.php file in php-fusion administration (Panels and Custom Pages). To stop it, try editing your config.php and maincore.php files:
In config.php file put this line after <?php:
foreach (explode("/", $_SERVER['PHP_SELF']) as $d) { if ($d == "config.php") { header("Location: index.php"); exit; } }
Do the same in maincore.php but use this line:
foreach (explode("/", $_SERVER['PHP_SELF']) as $d) { if ($d == "maincore.php") { header("Location: index.php"); exit; } }
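The config.php file should look like this:
<?php
// Redirect direct requests for this file. $_SERVER['PHP_SELF'] is set even with
// register_globals off, and exit stops the rest of the file from running.
foreach (explode("/", $_SERVER['PHP_SELF']) as $d) { if ($d == "config.php") { header("Location: index.php"); exit; } }
// database settings
$db_host="***";
$db_user="***";
$db_pass="***";
$db_name="***";
$db_prefix="***";
define("DB_PREFIX", "***");
?>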
--------------------------------
But it won't help you to protect config.php if the hacker views it in a webshell. To stop the hacker accessing your files with a webshell, try to contact your webhosting and ask what chmod (file attributes) you should use (if there is any) to stop access to your files with a webshell, but keep the site working.
------------------------------------
Make sure that you updated your profile.php (http://php-fusion.co.uk/news.php?read...admore=361)
P.S. don't forget to answer my question:
does the hacker still upload the webshell (the file c99.php)?
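
One way to answer that question from the files themselves, as an added example that is not part of the original post: compare the live web root with a clean copy of the same PHP-Fusion release to list added files (such as c99.php) and altered ones, and report world-writable paths. The function names, the sample layout and the assumption that config.php legitimately differs after setup are illustrative.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def sha256_tree(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def audit(clean_root, live_root, expected_changes=("config.php",)):
    """Diff the live site against a clean copy of the same release."""
    clean, live = sha256_tree(clean_root), sha256_tree(live_root)
    findings = []
    # expected_changes: files rewritten at install time (assumption), so skipped
    for rel in sorted((set(clean) | set(live)) - set(expected_changes)):
        if rel not in clean:
            findings.append(("added", rel))  # e.g. an uploaded c99.php
        elif rel not in live:
            findings.append(("missing", rel))
        elif live[rel] != clean[rel]:
            findings.append(("modified", rel))
    # Anything writable by every account on the host is a place to drop files.
    for p in sorted(Path(live_root).rglob("*")):
        if p.stat().st_mode & stat.S_IWOTH:
            findings.append(("world-writable", p.relative_to(live_root).as_posix()))
    return findings

def _write(root, rel, data):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    path.chmod(0o644)

def demo():
    """Build two constructed sample trees (placeholder contents) and audit them."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, live):
        _write(root, "config.php", b"<?php // empty until setup ?>")
        _write(root, "profile.php", b"<?php // release copy ?>")
    _write(live, "config.php", b"<?php // site settings ?>")
    _write(live, "profile.php", b"<?php // altered copy ?>")
    _write(live, "images/c99.php", b"<?php // placeholder, not a real shell ?>")
    Path(live, "images").chmod(0o777)
    return audit(clean, live)

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:15} {rel}")
```

Run `audit()` with the unpacked release archive as `clean_root` and a downloaded copy of the site as `live_root`; every "added" or "modified" entry outside `expected_changes` needs an explanation.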