PHPFusion Australia Hacked for 3rd Time

So sorry, really bad news that. :(

You said hacked with a news post - by hacked do you mean admin rights grabbed, defacement or something else?

Ok, will understand if you don't want to post full details, but as a Php-Fusion user with a few sites (and client sites) I'd really appreciate a few more details and maybe I can help. Feel free to PM me.

Well, if this is the case - a news post - are you referring to a comment to a news item or a news submission? If the latter, you approved it :o. With the exploits lately, and the fact that you've been hacked, it would seem you would take more care in what is approved. If a comment, then that would be more interesting...

G'day Guys,

It was a news post, using my account. I'm not sure how they are accessing my account, or how they are doing it. If you guys would like, I can open the site, so you can see what they have done?? If you do let me know.

Cheers

If you want to open it a bit quick I'll stay online and take a look

Sorry gotta go 2:30 in the morning uk time and I'm knackered. Have to catch up with the thread tomorrow ;)

Nuts! Being an Aussie I was looking forward to contributing to the community and sticking with it.

It's a shame this is happening and it seems pretty childish for the culprit to keep doing this.

I hope this gets sorted out :(

It is a great site, too bad there are stupid hackers in the world

You may have had a bad image before the upgrade. Check for bad images in your avatars and change your password if you haven't already done so.

Trix, i suggest you try running my avatar and forum image checker infusions. Basically it displays the images in a gallery, if an image is blank chances are its a baddy, you can safely inspect or delete any baddies.

Requires v6.01.3

Avatar checker attached

Forum image checker

Sweet :)

Both were run and did not yield anything. I guess it may be necessary to check if other files are present (php files in either attachments or avatars). One user account in the name of a known hacker was found (including a known email address) and the member was banned. A blacklist was created to reduce the chances of the culprit returning.

Also don't rule out the possibility that php-fusion was not the method of entry.

Without posting details, there are methods to drop a couple of files into any folder that is chmod 777. They gain access to cpanel and ftp - cpanel being the worse as once they gain access to phpmyadmin or similar, the fusion db can be altered and they are into your cms as super admin.

Let's hope that Digi's infusions find something and you can knock this hack on the head once and for all.

Let me guess.
You got hacked a cpl of days ago, prolly a belgian IP address, defacing the main page with a black screen, showing the turkish flag.?

A known guy is around and pretty much known, several Email addresses and nicks are known.

What happened was, if you ask me, a little piece of scrit in a jpg image called bb.jpg probably...was with me.

With that little "image-scripting" he stole your cookie after you clicked his image after recieving a PM that his avatar was broken. That executes the script and bingo, he got the logon for your account if cookies are ON.
After that, he could just log in EVEN after you upgrading, and make a nice news...

What i mean is, it's leftovers from first hack attempt, and you have no need to worry for now, no other exploits are known as of right now, so if updated, just make a new password that you haven't used anywhere else, that'll keep him off your back for now i think.

Also this thread got our earlier exploit:
http://www.securityfocus.com/archive/...e/1/433277