
NEW V6 HACK - BLANK SCREEN ??



41 replies

Yes, you'll have to back up all your files (copying them from FTP) and database (export from phpMyAdmin).

If the upgrade doesn't work you'll just upload the old files and restore the database. :)

Quote

slaughter wrote:

Quote

schoupped wrote:
I'm back again, the problems still haven't been solved for me.... today again a blank screen.

I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files stated again the weird code like stated below:

<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......


Why don't you upgrade to v7?
V6 is full of bugs.


I'm willing to but don't know where to start and how to start...
Also I don't know if everything will work in V7? I have an infusion for uploading photos in bulk that have been uploaded to the ftp.
This infusion I can't miss...

Is it possible to upgrade the site to V7 and if it doesn't work at all undo the upgrade???

Please don't shoot if this is already on the site elsewhere....

Quote

schoupped wrote:
I'm back again, the problems still haven't been solved for me.... today again a blank screen.

I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files stated again the weird code like stated below:

<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......


Why don't you upgrade to v7?
V6 is full of bugs.
I'm back again, the problems still haven't been solved for me.... today again a blank screen.

I have looked over everything again and solved it again.
- images/panel.php deleted
- the panel 'system' deleted in phpmyadmin
- theme.php re-uploaded for the active theme
- there were a bunch of files in the navigation panel folder:
A. .htaccess
B. archive_panel
C. panel_navigation
----> these files stated again the weird code like stated below:

<?eval(gzuncompress(base64_decode('eJwNlkUSrIgSRZfT7wUDKJz4 ---------> and a whole bunch like this goes on for many lines......
There is a vulnerable version v6.01.19 similar member_poll_panel.php by hacking the same, vulnerable file navigation_panel.php
Administrators can reset the logs cracking.
So the claim that the above advice of avoiding problems is not yet worth it.
After working well, yesterday I'm having again troubles with the site....

I think the origin is the same as mentioned earlier but now I have other problems!

The site seems to work well but when I open a photogallery I don't get any thumbnails.

When I click on the 'no thumbnail' text I get following message:
Warning: filesize() [function.filesize]: stat failed for images/photoalbum/album_68/img_4543.jpg in /customers/vbssintkatrien.be/vbssintkatrien.be/httpd.www/photogallery.php on line 77

Anyone got an idea how to solve this quickly?

thanks in advance!

Quote

VoiceX wrote:
don't forget to delete the file images/panel.php (if exists).

This was never mentioned before (or did I overread it???)

@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel
:) just the post above yours...
don't forget to delete the file images/panel.php (if exists).

This was never mentioned before (or did I overread it???)

@smokeman: can you change the order of your solution and make the mentioned changes? THX
4 -> 5 -> 6 -> 3 delete the directory... -> delete images/panel.php -> 2 -> 1 delete panel
@buspilot: can you login via login.php? If so, go to the admin panel and delete the System panel.
Also, delete panel.php in /images.
Thanks from all!
Thank you all especially smokeman and blueadept.

I have two v6.1 sites that were also hacked. I have carefully followed the instructions but seem to still have problems. My site now has its header panel back, but the side panels and center news panels are invisible. I use the Milestone theme.

After I deleted the long string of numbers in the theme.php file I continued to see parse errors. Reading deeper in this thread I saw a suggestion to upload a fresh theme.php file, and did so after unzipping a fresh download of the php-fusion v6.1 core files.

After I uploaded a fresh theme.php file I was able to see my header, but nothing else. Side panels and center content are invisible to me. Can anyone help me with suggestions?

site is www.ascertainpolygraph.com
Thank you all for your wonderful input and feedback, especially smokeman and blueadept
Thanks guys, one of my sites which I don't check usually everyday was under attack.
Info now relayed to the French community via N.S.S. PM.

Am mostly in V7 now but some sites still need infusions or mods to be ported to V7...
The page to which the malicious code sends some info uses PHP-Fusion, and in the news on that website the owner says that he got hacked not long ago, so it does explain why that encoded code in theme.php links to him. I PMed the admin of that website.
News posted and new version of PHP-Fusion v6 (6.01.19) out, read more here.
Thanks to Smokeman for reporting this and Slaughter for providing the corrected files.

Understanding the problem:
The problem is caused by an insecure variable which is not properly checked and therefore can be used to insert malicious code into the MySQL query but also PHP commands which can create and in this case edit files. We have seen the same method being used in the search.php vulnerability.

The problem is caused by two things:
  1. A variable not properly checked
  2. Global variables


How is it done?
The hack is done by implementing a code into the theme.php file, by injecting it into the SQL query, so it can be accessible from within all pages of the site running PHP-Fusion. From there the hacker has direct access to the server and can execute PHP commands, upload files etc.

Preventing being hacked?
If you are running a v6 site there are three ways you can prevent being hacked:
  1. Remove member polls from the panels list, by disabling it from the admin panel => system admin => panels
  2. Replacing the files with the new ones
  3. Upgrade to PHP-Fusion v7


If your site has been hacked?
If your site has been hacked here is what you got to do:

  1. Set your site in maintenance mode from Admin Panel => System Admin => Miscellaneous Settings
  2. Open up the file: /themes/YOUR_THEME/theme.php - and delete the long text near to the top of the file, you can't miss it! Or re-upload the file from your computer. Be sure to check all your themes, delete those you're not using and re-upload those you are using.
  3. Open up the /images/ folder and delete all PHP files inside it and upload a new blank index.php file, look specifically for a file named panel.php.
  4. Delete the folder completely: /infusions/member_poll_panel - and upload the new files here.
  5. Open up phpMyAdmin. Click on the left side on "fusion_panels" or view rows and delete a panel_name: System with the panel_filename: ../images/panel.php
  6. Be sure to change your MySQL password and user password for your user on the site which has been hacked and make sure other admins and users change their passwords too!


Questions?
Post here if you have any further questions about the hack or if you have been attacked.
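
A read-only check for cleanup steps 2 and 3 above, as an added example that is not part of the original post or of PHP-Fusion: it walks a copy of the webroot and reports PHP files under /images/ (other than index.php) and any file carrying the `eval(gzuncompress(base64_decode(` loader quoted in this thread. The function names, the sample tree, the "Clean" theme, the infusions/navigation_panel path and the PLACEHOLDER payload are constructed for illustration.

```python
import os
import re
import tempfile

# Loader shape quoted in the thread: <?eval(gzuncompress(base64_decode('...
# Tolerating whitespace between tokens is an assumption; the page shows one form.
LOADER = re.compile(rb"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.I)

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings for a PHP-Fusion v6 webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Cleanup step 3: no PHP in /images/ apart from index.php.
            if rel.startswith("images/") and name.lower().endswith(".php"):
                if name.lower() != "index.php":
                    findings.append((rel, "php-in-images"))
            # Step 2 and the forum reports (theme.php, panel files, .htaccess):
            # every file is searched for the loader, whatever its extension.
            try:
                with open(path, "rb") as fh:
                    if LOADER.search(fh.read()):
                        findings.append((rel, "obfuscated-eval"))
            except OSError:
                findings.append((rel, "unreadable"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; payload text is a harmless placeholder."""
    loader = "<?eval(gzuncompress(base64_decode('PLACEHOLDER')));?>"
    files = {
        "themes/Milestone/theme.php": loader + "\n<?php // rest of theme\n",
        "themes/Clean/theme.php": "<?php // untouched theme\n",
        "images/panel.php": "<?php // dropped file\n",
        "images/index.php": "",
        "infusions/navigation_panel/.htaccess": loader.replace("(", "( "),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_webroot(tmp):
            print(f"{reason:16} {rel}")
```

Findings are candidates for manual review on a copy pulled over FTP; the fusion_panels row from step 5 still has to be checked in phpMyAdmin.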


Quote

More detailed information will follow!
As far as I understood right the intruder got the admin password by exploiting security hole in panel.php (e.g. by using SQL-injection).

But does anyone know how did he manage to insert malicious code into the theme.php?
Today I got a message of a blank screen on one of my sites and thanks to this thread I got it fixed, but not completely following the instructions: after deleting the long line in theme.php and doing the steps before I got my banner back but got an error in subheader.php, so going from one error to the next. Luckily I had a local backup (always good to have a backup, not only of the database, but also the files) and after copying my backed-up theme.php to the server, the site was back in the air.

I have 2 sites with the same problem running V6.01.06.
I have solved the problems thanks to you for 1 site now.

I have an extra you have to do to get everything working:

In phpMyAdmin in 'fusion_panels' there was a line "weblinks" with links to sites that have nothing to do with my site.
I also got some error code on the site due to this.

I deleted the line and it was OK again.

Will the problem be definitely solved when you have removed the member poll panel?
Author: smokeman
Forum: Bugs and Errors - 6
Replies: 42 posts
Viewed: 46,466 times
Active: last updated 9 years ago