I'm having a problem getting rid of someone injecting spam into my website here, www.osghelp.com. You can see the spam if you take a source view of the HTML code.
I have applied the newest patches. Does anyone know what/where the security hole is?
Which version of PHPFusion do you have? If you have the latest one: are you sure that the changes in code were made after the update to the latest version?
blackfox101 wrote: Try re-uploading the whole php fusion package... Then re-apply the patches. See if that works... If not, I don't know.
The code has been modified, so I don't think I want to go that far right now.
I have added some code in where they inject the spam, so next time I will have a time stamp and IP address and see if I can solve the problem that way around.
I have created some code to record the IP address when the injection happens. I have banned that IP address but they still inject spam into my website...
There is a serious security hole in the php-fusion .16.
Does anyone know what I can do to prevent this or find out how they do it so I can fix the problem?
Matonor wrote: Where is the code inserted? What kind of modifications and infusions do you have installed?
As far as I can see, the attacker is inserting the code in the panels. I'm on a laptop right now so I can't see my own code right now, but I have added code in the administration panel editor something... where I record the IP address of anyone adding a panel, and this code does get activated and I do get the IP address of the attacker.
You can see the spam that has been put in at www.osghelp.com; just view the source code of the HTML and you will see hidden spam.
So when the attacker adds a new panel I basically record the IP address. I have banned this IP address but the attack still adds spam to my website.
I'm considering recording the GET and POST arrays to see what URL they used, because they are injecting spam and bypassing security routines in php-fusion.
I'll get back if I know more. If you have any suggestions, please tell.
If there's a lot of modding done, maybe that can be the source which can cause the injections. Other than that, it might be wrong CHMODing of the core files.
If I'm correct you DO have the unspoiled and modded files on your PC don't you?
First check every file for the correct CHMOD (read the readme.htm). Then upload all the unspoiled and modded files again to the server making sure you overwrite everything.
Check the database: export to XML using PHPMyAdmin (for easier reading) and save the file on your PC, check for rogue code etc. in EVERY table and record.
Also install the Security System from bs-fusion.de; this will probably hold off future attackers.
It's a lot of work, but badly modded (not saying that your mods are bad but mistakes are easily made) sites are very vulnerable to these kinds of attacks and make troubleshooting very hard...
There was a rogue file in the forum/attachments folder, similar to the ones found when the search vulnerability was exploited. The file was deleted and we will monitor if that cures the problem.
Our sports association has been using php-fusion extensively for many years now but over recent months 17 of our sites have been hacked in the same way. A rogue file has appeared in forum/attachments. The footer and panels are full of spam and this causes any google ADS to spew out pharmacy links. There may of course be other changes to files or dbases which have not been discovered!
This problem was only identified a couple of weeks ago although the attacks began in late August 2008. These spam links can easily go unnoticed as they reside in footer.php or disabled panels.
Versions 6 and 7 were affected. Some sites were backed up, others not. Because of the number of sites affected it's become a major problem and unfortunately raises concerns about the continued use of the software.
Please note that this may all have been due to an earlier vulnerability that was exploited before it was patched. Affected v7 sites may well have been attacked (it is even likely) before they were upgraded to v7. In itself PHPFusion is safe. Almost every system suffers because a vulnerability is discovered every now and then. We are proud to have closed all recently discovered vulnerabilities in the core of PHPFusion within 24 hours. Sorting out vulnerabilities due to third party mods/infusions is much more difficult because that means that common factors between sites need to be established. Still, even those we can usually track down and patch within 48 hours. At the moment there is no reason to abandon the use of PHPFusion, but when a backdoor has been created on a site it will be exploited until you remove it.
I would not mind helping to clean up the sites but then I'd need to have full site backups and preferably also database backups to scan them for suspicious code/files.
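The checks raised in this thread (a rogue file in forum/attachments, hidden spam in footer.php and panels, scanning a site and database backup) can be run over an unpacked backup in one pass. The following is an added example, not part of any post and not PHP-Fusion code; the extension lists, code markers and hiding styles are assumptions chosen for the example.

```python
import html
import os
import re

# Assumptions chosen for this example, not values taken from PHP-Fusion:
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi"}  # server-executable
TEXT_EXT = {"php", "htm", "html", "xml", "sql"}  # templates and database exports
CODE_MARKER = re.compile(rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(", re.I)
# An element hidden by inline style (display, visibility or far off-screen offset).
HIDDEN = re.compile(
    r"<(div|span|p)\b[^>]*style\s*=\s*[\"'][^\"']*?"
    r"(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,})"
    r"[^>]*>(.*?)</\1\s*>", re.I | re.S)
LINK = re.compile(r"<a\b[^>]*href", re.I)


def hidden_link_blocks(text):
    """Return (line_no, link_count) for each style-hidden element that holds links."""
    text = html.unescape(text)  # an XML export escapes markup as entities
    hits = []
    for m in HIDDEN.finditer(text):
        links = len(LINK.findall(m.group(2)))
        if links:
            hits.append((text.count("\n", 0, m.start()) + 1, links))
    return hits


def scan_backup(root, upload_dir="forum/attachments"):
    """Walk an unpacked site backup and return sorted (relative_path, finding)."""
    findings = []
    for base, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(base, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            exts = {p.lower() for p in name.split(".")[1:]}  # catches x.php.jpg too
            with open(path, "rb") as fh:
                data = fh.read()
            if rel.startswith(upload_dir + "/"):
                if exts & SCRIPT_EXT:
                    findings.append((rel, "script extension in upload folder"))
                elif CODE_MARKER.search(data):
                    findings.append((rel, "code marker in uploaded file"))
            if exts & TEXT_EXT:
                text = data.decode("utf-8", "replace")
                for line, links in hidden_link_blocks(text):
                    findings.append(
                        (rel, f"hidden block with {links} link(s) at line {line}"))
    return sorted(findings)
```

Run it over a backup copy rather than the live site. Any script file that the clean package itself ships in the upload folder is reported too and should be compared against the clean copy.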