
NEW V6 HACK - BLANK SCREEN ??

Quote

simonw wrote:
Thanks to everyone for all the help with this.

I have fixed things up on my site using the instructions, except I can't find a .htaccess file,
so don't know what to do with that part.

It would be wonderful if someone could explain the vulnerability to me (perhaps in a PM)
so I can do what I need to to prevent further exploitation while I work on the upgrade
to V7 (have some work to do since I have quite a few V6 specific mods that I need to research).

I'm assuming that V7 is not vulnerable - it would be good to understand why that is.

Simon.

PS I am still on v6.01.13


Download the file which I uploaded in my post before. The problem should be fixed there.

And yes, in v7 we don't have this vulnerability, because in v7 this insecure variable is checked with isnum().
Thank you for the fix.

It actually looks like the hack on my site was over a month old. The original hack occurred in October (or possibly before), for which I do not have the logs.
I have 2 sites with the same problem running V6.01.06.
I have solved the problems thanks to you for 1 site now.

I have an extra step you have to do to get everything working:

In phpMyAdmin, in 'fusion_panels', there was a line 'weblinks' with links to sites that have nothing to do with my site.
I also got some error code on the site due to this.

I deleted the line and it was OK again.

Will the problem be definitely solved when you have removed the member poll panel?
Today I got a blank screen message on one of my sites and thanks to this thread I got it fixed, but not completely following the instructions: after deleting the long line in theme.php and doing the steps before, I got my banner back but got an error in subheader.php, so going from one error to the next. Luckily I had a local backup (always good to have a backup, not only of the database, but also the files) and after copying my backed-up theme.php to the server, the site was back in the air.

As far as I understood, the intruder got the admin password by exploiting a security hole in panel.php (e.g. by using SQL injection).

But does anyone know how he managed to insert malicious code into the theme.php?
Thanks to Smokeman for reporting this and Slaughter for providing the corrected files.

Understanding the problem:
The problem is caused by an insecure variable which is not properly checked and therefore can be used to insert malicious code into the MySQL query, but also PHP commands which can create and, in this case, edit files. We have seen the same method being used in the search.php vulnerability.

The problem is caused by two things:
  1. A variable not properly checked
  2. Global variables


How is it done?
The hack is done by inserting code into the theme.php file, by injecting it into the SQL query, so it can be accessible from within all pages of the site running PHP-Fusion. From there the hacker has direct access to the server and can execute PHP commands, upload files, etc.

Preventing being hacked?
If you are running a v6 site there are three ways you can prevent being hacked:
  1. Remove member polls from the panels list, by disabling it from the admin panel => system admin => panels
  2. Replacing the files with the new ones
  3. Upgrade to PHP-Fusion v7


If your site has been hacked?
If your site has been hacked here is what you got to do:

  1. Set your site in maintenance mode from Admin Panel => System Admin => Miscellaneous Settings
  2. Open up the file: /themes/YOUR_THEME/theme.php - and delete the long text near to the top of the file, you can't miss it! Or re-upload the file from your computer. Be sure to check all your themes, delete those you're not using and re-upload those you are using.
  3. Open up the /images/ folder and delete all PHP files inside it and upload a new blank index.php file, look specifically for a file named panel.php.
  4. Delete the folder completely: /infusions/member_poll_panel - and upload the new files here.
  5. Open up phpMyAdmin. Click on the left side on "fusion_panels" or view rows and delete a panel_name: System with the panel_filename: ../images/panel.php
  6. Be sure to change your MySQL password and user password for your user on the site which has been hacked and make sure other admins and users change their passwords too!


Questions?
Post here if you have any further questions about the hack or if you have been attacked.


Quote

More detailed information will follow!
News posted and new version of PHP-Fusion v6 (6.01.19) out, read more here.
The page to which the malicious code sends some info uses PHP-Fusion, and in the news on that website, the owner says that he got hacked not a long time ago, so it does explain why that encoded code in theme.php links to him. I PMed the admin of that website.
Thanks guys, one of my sites which I don't check usually everyday was under attack.
Info now relayed to the French community via N.S.S. PM.

Am mostly in V7 now but some sites still need infusions or mods to be ported to V7...
Thank you all for your wonderful input and feedback, especially smokeman and blueadept
Thank you all especially smokeman and blueadept.

I have two v6.1 sites that were also hacked. I have carefully followed the instructions but seem to still have problems. My site now has its header panel back, but the side panels and center news panels are invisible. I use the Milestone theme.

After I deleted the long string of numbers in the theme.php file I continued to see parse errors. Reading deeper in this thread I saw a suggestion to upload a fresh theme.php file, and did so after unzipping a fresh download of the php-fusion v6.1 core files.

After I uploaded a fresh theme.php file I was able to see my header, but nothing else. Side panels and center content are invisible to me. Can anyone help me with suggestions?

site is www.ascertainpolygraph.com
Thanks from all!
@buspilot: can you login via login.php? If so, go to the admin panel and delete the System panel.
Also, delete panel.php in /images.
don't forget to delete the file images/panel.php (if exists).

This was never mentioned before (or did I overread it???)

@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel

Quote

VoiceX wrote:
don't forget to delete the file images/panel.php (if exists).

This was never mentioned before (or did I overread it???)

@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel
:) just the post above yours...
After working well, yesterday I'm having troubles with the site again....

I think the origin is the same as mentioned earlier but now I have other problems!

The site seems to work well but when I open a photogallery I don't get any thumbnails.

When I click on the 'no thumbnail' text I get following message:
Warning: filesize() [function.filesize]: stat failed for images/photoalbum/album_68/img_4543.jpg in /customers/vbssintkatrien.be/vbssintkatrien.be/httpd.www/photogallery.php on line 77

Anyone got an idea how to solve this quickly?

thanks in advance!
There is a vulnerable version v6.01.19 similar member_poll_panel.php by hacking the same, vulnerable file navigation_panel.php
Administrators can reset the logs cracking.
So the claim that the above advice of avoiding problems is not yet worth it.
I'm back again, problems still haven't been solved for me.... today again a blank screen.

I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files stated again the weird code like stated below:

<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......

Quote

schoupped wrote:
I'm back again, problems still haven't been solved for me.... today again a blank screen.

I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files stated again the weird code like stated below:

<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......


Why don't you upgrade to v7?
V6 is full of bugs.
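
Added example (not part of any post in this thread, and not PHP-Fusion code): a Python check for the file-level indicators the cleanup steps and the re-infection reports above describe, namely the `eval(gzuncompress(base64_decode(` loader in any file and PHP files under /images/. The function names, the sample tree (including the `themes/Clean` and `infusions/navigation_panel` paths) and the placeholder payload are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Loader shape quoted in the thread: <?eval(gzuncompress(base64_decode('...
LOADER = re.compile(rb"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.I)


def scan_site(root):
    """Return sorted (relative path, reason) findings under a site root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        # Posts report the loader in theme.php, panel files and .htaccess,
        # so every file is searched, not only *.php.
        if LOADER.search(data):
            findings.append((rel, "encoded eval loader"))
        # Step 3: images/ should hold no PHP apart from a blank index.php.
        if rel.startswith("images/") and path.suffix.lower() == ".php":
            if path.name != "index.php":
                findings.append((rel, "php file under images/"))
            elif data.strip():
                findings.append((rel, "non-blank index.php under images/"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample tree; the payload is a harmless stand-in string."""
    stub = b"<?eval(gzuncompress(base64_decode('CONSTRUCTED-PLACEHOLDER')));?>\n"
    files = {
        "themes/Milestone/theme.php": stub + b"<?php // theme code ?>",
        "themes/Clean/theme.php": b"<?php // theme code ?>",
        "images/panel.php": b"<?php // dropped file ?>",
        "images/index.php": b"",
        "infusions/navigation_panel/.htaccess": stub,
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_site(tmp):
            print(f"{reason:36} {rel}")
```

The `fusion_panels` row from step 5 lives in the database and is not covered by this file scan; it still has to be checked in phpMyAdmin.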