
My site was hacked

Just want to share so others can learn.

I still had PHP-Fusion v7.02.05, got hacked, and got this information from my host:

Malware uploaded through weakness in outdated PHP-fusion script.
Files uploaded by hacker:
administration/Dlogoff.php
administration/wishlistl08.php
viewpage.php
wp-conf.php

Problem is fixed, now I have updated all my sites to 7.02.06.:G
It's not an outdated script, I think..
I got hacked on v7.02.05 too.. Will need to add some extra security..
And it happened yesterday, so we could be the same hacker's targets.. :D
Same happened to me yesterday, I got a mail saying:

Martin K: Malware uploaded through weakness in outdated PHP-fusion script.
Martin K: You must:
Delete files uploaded by hacker
Change MySQL password
Remove weak script or fix weaknesses
Files uploaded by hacker:
administration/erss.php
administration/loginLIfx.php
viewpage.php
wp-conf.php
Further notes:
Please note that this list may not be complete.
Please check all your files to make sure the malicious files are all removed.
Find out when the "attacks" took place and show us the access logs where they take place, and maybe provide us with some IPs and user agent strings.

LOL LMAO!!! :D
My site was also hacked yesterday. Malware was uploaded by a weakness in a PHP-Fusion script. This was uploaded to my site c99.txt

//Removed the malware text link// Richard

Do NOT add it again.
Post a link to an AV report on an AV site instead of the actual code of the malware... please.
c99 shell is what used to get used for hacking 7.01 sites. I have not heard of it or the r57 shell attacking any sites since 7.01, but it is possible. ;)
Sounds like an RFI. Can someone provide us with more information on the attacks they have had? Such as logs.
I sent you my error log as a PM, I'm not sure if everything is secure to post in this forum.
From the logs you sent, your site was "hacked" using a custom page. Which could mean that you gave someone the right to make a custom page, or an account was "hacked" and a custom page was made to upload files and/or carry out any other attack.
Had the same problem within 2 days of installing Fusion, guess they were targeting sites? Going to try and hunt down my logs.
Craig, do not be rude. It is very unfortunate to have a site hacked and regardless of existing updates it is not sure they could help avoiding it...
In my opinion it's a shell attack. Someone most likely uploaded a shell from another domain on the same server as your website. Upon initiating the shell commands, they're able to upload / make changes throughout the entire server.

Doesn't matter if you're protected or not with PHP-Fusion.

I would take this issue up with your hosting provider and demand actions be taken.

In fact the attack method takes place way before PHP-Fusion was even drafted for development.

I remember it being used against me in my PHP-Nuke days. Quite simple process really..
I'm actually working on a security system for PHP-Fusion just now. I will not say it will STOP Hacking completely and I will not say it will stop these things from happening but it will help as another defence shield and certainly put them off trying since it's a waste of time they keep getting booted to google instead. Anyway More on that at another time. ;)
My sites also attacked :|
Damn, sorry to hear that, it seems ok now? Any details, Jikaka?
Was filled with a shell, hit all the sites on my account, about 25 of them, covered with alien files like these:

w35574914n.php
w58108374n.php
w82323321n.php
wp-conf.php

Also put some of the files in different folders of the site.
On top of that, alien code was introduced into the first 2 files,
e.g. articles.php and contact.php

bad, very bad!!!!!
:|:|:|
Couldn't really see much in the logs.. not a great host (one.com). Will look out for your security system though, Craig.

This was all I was told by the host, much like Juliotje.

Malware uploaded through weakness in outdated PHP-fusion script.
- Delete files uploaded by hacker
- Change MySQL password
- Remove weak script or fix weaknesses
Files uploaded by hacker:
administration/mobileLXx.php
administration/oNthemes.php
viewpage.php
wp-conf.php
Do you guys know if the exec or shell_exec functions are enabled on your servers? I know it could be a breach if your site is on a shared server, but just wondering if it's people running insecure applications on their site....
had the same

The following files were affected...
administration/robotsGZHf.php
and
administration/SLrobots.php

in the access Log i found:

113.72.134.7 - - [22/Feb/2013:03:35:24 +0100] "GET /login.php HTTP/1.1" 200 7934 "http://******/" "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1" ****.de
and

31.133.32.171 - - [22/Feb/2013:04:11:18 +0100] "GET /profile.php?lookup=1 HTTP/1.1" 200 9108 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de
31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "GET / HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de


and

31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "GET /news.php HTTP/1.1" 200 13953 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ***.de
31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "POST /administration/custom_pages.php?aid=d61f6dab454818e0 HTTP/1.1" 200 1289 "http://***.de/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de
31.133.32.171 - - [22/Feb/2013:04:11:19 +0100] "GET /viewpage.php?page_id=1&viewpages=1 HTTP/1.1" 200 1025 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de


31.133.32.171 - - [22/Feb/2013:06:08:51 +0100] "POST /viewpage.php?page_id=1&viewpages=1&cookies=1&showimg=1&truecss=1&t2122n=1 HTTP/1.1" 200 2039 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ***.de
31.133.32.171 - - [22/Feb/2013:06:08:52 +0100] "GET /viewpage.php?t5709n=1 HTTP/1.1" 200 34559 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)" ****.de

31.133.32.171 - - [22/Feb/2013:06:10:35 +0100] "POST /viewpage.php?page_id=1&viewpages=1&cookies=1&showimg=1&truecss=1 HTTP/1.1" 200 1037 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" ***.de

178.152.100.2 - - [22/Feb/2013:11:46:20 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 7827 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" ***.de

146.185.255.183 - - [22/Feb/2013:11:46:41 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 34561 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ****.de

146.185.255.183 - - [22/Feb/2013:11:46:43 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 49181 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de
146.185.255.183 - - [22/Feb/2013:11:46:45 +0100] "POST /administration/robotsGZHf.php HTTP/1.1" 200 36 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de


146.185.255.183 - - [22/Feb/2013:11:46:46 +0100] "POST /viewpage.php?t5709n=1 HTTP/1.1" 200 49842 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de

146.185.255.183 - - [22/Feb/2013:11:46:48 +0100] "GET /administration/SLrobots.php?sf=0&showro=0 HTTP/1.1" 200 8031 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100102 Firefox/16.0" ***.de



Code Tags used / Richard
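A defender-side way to triage the pattern this post's logs show (a POST to administration/custom_pages.php from one client, then hits on .php files under administration/ that a clean install does not contain), as an added example that is not from the thread. The log lines, the private IPs and the baseline set are constructed for the example; a real baseline should be built by listing administration/*.php from a fresh unpack of the same PHP-Fusion release.

```python
import re
from datetime import datetime

# Apache "combined" log format, the same layout as the entries quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log modelled on the thread's entries (private IPs, hostnames dropped).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2013:04:11:18 +0100] "GET /profile.php?lookup=1 HTTP/1.1" 200 9108 "-" "Mozilla/4.0"
10.0.0.5 - - [22/Feb/2013:04:11:19 +0100] "POST /administration/custom_pages.php?aid=0000000000000000 HTTP/1.1" 200 1289 "http://example.test/" "Mozilla/4.0"
10.0.0.5 - - [22/Feb/2013:04:11:19 +0100] "GET /viewpage.php?page_id=1&viewpages=1 HTTP/1.1" 200 1025 "-" "Mozilla/4.0"
10.0.0.9 - - [22/Feb/2013:11:46:45 +0100] "POST /administration/robotsGZHf.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Feb/2013:11:46:48 +0100] "GET /administration/SLrobots.php?sf=0&showro=0 HTTP/1.1" 200 8031 "-" "Mozilla/5.0"
10.0.0.7 - - [22/Feb/2013:12:00:00 +0100] "GET /administration/custom_pages.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Admin scripts present in a clean install. Constructed subset: only the script the
# thread itself names; fill it from a fresh unpack of your release before real use.
KNOWN_ADMIN = {"custom_pages.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["script"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_suspicious(log_text, known_admin=KNOWN_ADMIN):
    """Return (time, ip, reason, script) tuples, oldest first, for two signals the
    thread's logs show: custom-page edits (the upload vector the log reviewer named)
    and requests to admin .php files that a clean install does not contain."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = rec["script"]
        if s == "/administration/custom_pages.php" and rec["method"] == "POST":
            hits.append((rec["ts"], rec["ip"], "custom_pages edit", s))
        elif (s.startswith("/administration/") and s.endswith(".php")
              and s.rsplit("/", 1)[1] not in known_admin):
            hits.append((rec["ts"], rec["ip"], "unknown admin script", s))
    return sorted(hits)
```

Run it over the real access log with the real baseline; the first "custom_pages edit" hit gives the time window to search for the dropped files, and every "unknown admin script" path is a file to quarantine and compare against the clean release.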
Thread information: 143 replies, 66,222 views, last updated 6 years ago.