
Site Hack in v6.00.305!!!

utadexter
asked

Hey all, I was looking for some help in trying to get rid of this god damn idiot who likes to wipe our website and uses it to forward our site onto adult sites.

At first I thought it could be spyware, but after uploading the backups I created of our site (via old-school MacOS 9.2.2) we're still getting hacked. I'm beginning to wonder if the asshole somehow has left a line of code in my previous back-ups and is still getting in even after completely reinstalling php-fusion v.6.00.305 onto my site. I started with v.6.00.305 and still would love to use it… but at this rate it's almost not worth it if I keep getting hacked.

I'm wondering if somehow they were able to store information in my MySQL database and record my information… or even if they might be running an XML script in their signature within their profile.

All I know is once I've put our site back up, it usually takes the hacker a few minutes to a couple of hours & it's gone again. They take one of the .htaccess files and make it a 403 redirect to an adult site of their choice. Now I currently have a few images I've uploaded back onto my site, and just an index.htm file.

It's been up almost 24 hours, which to me says that they must be getting in via Fusion somehow because it usually is hacked every 2 hours. I have no other MySQL databases running. My cPanelx has 32 characters mixed with symbols, numbers, punctuation, and letters. They can't be accessing my cPanelx directly.

My host doesn't know what to do when I ask them for help because they say it's a low-level security issue that I should be able to fix… yet they can't seem to do anything to help because they are pointing fingers at php-fusion or pointing fingers at me saying it's probably a Trojan or spyware. Yet I uploaded the back-ups of my site via MacOS 9.2.2 and still I'm getting hacked? I wonder if there truly is an infected file or a command string within Fusion I'm unaware of.

I was hoping that there were a couple of things that could be done but was unsure of:

1. Is there any way to record in PHP what the hacker is doing? Like recording their steps so that I can put a stop to how they are getting in? Maybe even set something up and transfer the information to another site or through an e-mail. (Just guessing here)

2. Is there any way to make the passwords longer than 20 digits? (i.e. 32 – 64 digits) Is there also a way to make them not just alphanumeric? Like including punctuation & symbols? Here is a good password generator I use: (http://www.winguides.com/security/password.php)

I would love to know how this asshole is getting in, and if it's a security issue then I want to let php-fusion know ASAP so it can get corrected in future versions. If you have any comments or questions please reply, as I'm getting rather desperate seeing how I couldn't keep our phpBB2 discussion board alive, as they hacked the **** out of that one too. Fusion was supposed to be the alternative to phpBB2 and also be a new facelift on our site… but right now it's not doing a damn thing.

Rubberman
answered

I'm gonna try to help you through a network administrator's point of view, so please don't delete the user Tester... that is just me.

Possibilities and questions:
1. Why is it just your site? Have you tried to see if other sites from Acenet have also been hacked, and if so, are they using a CMS of any type?

2. The .htaccess file can, as far as I know, only be changed by accessing the root directly (from the ISP) or over the FTP port. Again, why just your site? The hackers would have access to the ISP account files if it was going through them, in which case many sites would have been hacked, so I have to agree that the ISP is secured enough.

3. php-fusion does store access to the database files (which should, like mine, have a completely different password unless you are using the same password for both the database and main site access, which I doubt is the case.)

4. I don't see any kind of user file upload script being used on your site, which logically means that an upload script is not being exploited to gain access to the root.

5. I can imagine that the upload script for the avatar would and could be a point of exploitation (I am not a programmer... but have been learning) only because it takes files from one destination and sends them to the server, but you would have to talk to the people here about whether there is a possibility of accessing other directories.

6. I would, for a while, disable the ability to use signatures, because of the fact that scripting is uploaded from other sites, but then again why haven't the people here at php-fusion and the other fusion sites been hacked?

7. Which brings me to my logical point that I doubt it will be a software (fusion) problem.

8. That leaves only the possibility that you do have a keylogger working in the system somewhere (if you would like to send me a copy of your running processes at the time of the FTP connection I will look at them for you), and a printout of the program and Windows directory with files. If one is there (most likely in the processes) then we will find it.

So, running through this as a network admin / technician, these are the logical points that you should first look at if the .htaccess is being changed. I am, of course, ruling out the fact that a "friend" that may be working with you on the site is not passing information. I noticed even in your posts that passwords and usernames were being shown. That's the kind of carelessness that leads to hacking.

I hope these steps will help you in your search because I've been running many sites and networks, including my web server here in my house, with many different providers and (knock on wood) have not been hacked.

For a test, I agree that a fresh installation would be one way to go, and on the welcome screen you could welcome all hackers and let it run like that for a couple of days. That would at least narrow it down.

The Rubberman
Edited by Rubberman on 10-04-2006 13:02,

utadexter
answered

Site is still fully functional... (knocking on wood) and has not been hacked yet. Hopefully whatever they were using was something I'm now safeguarding against in my .htaccess file.

I guess I'll let you all know more soon if anything else happens. :(
Edited by utadexter on 10-04-2006 00:44,

utadexter
answered

Minor update...

So with the .htaccess file updated to what it is above...

My SQL Back-up in place (and working again)...

And leaving the "Register" locked out for the moment...

Everything has been cool. No hacks and things are looking up. I will try to back up the site every night just in case this f***tard hacks it again.

I do not understand .htaccess files for the life of me... I've tried reading tutorials on how to make one but I cannot figure them out. If anyone wants to give me a quick & simple tutorial on them I'd appreciate it! :D

I think I'm going to unlock the registration later on tonight... if I do and we get hacked again, then hopefully some people might have a few ideas on where they are hacking in... :(

As for our site... I bumped up the security in the .htaccess file with an auto-generated script at www.botsense.com and I made sure that config.php was set to 644 chmod (and I deleted the setup.php file)

I'm hoping I didn't forget anything. :o
Edited by utadexter on 07-04-2006 17:14,

utadexter
answered

Quote

Quartzkyte wrote:

Quote

Taino wrote:
Your hosts (especially pay hosts) normally have a backup of your entire sites from their regular server backups...
Normally they do. Sorry to hear that.
It seems the whole PHP community CMSs are being hacked at the moment. My PHP Fusion sites are too small for now to be of interest but I'm backing up all I can.
Damn b**tards...


Not usually... if they provide you with the means of backing up... they put the ball in your court. If you don't back-up often... you lose your stuff. :@ It makes me mad because my host takes this attitude to heart. :@

kejonn
answered

PHP and MySQL are becoming the de facto standard for us folks who want our own sites without the costs associated with commercial offerings. And as such, both are receiving more recognition by hackers. Why do you think that Microsoft products are hacked so much? Because they are so prevalent (plus, they're full of security holes, but hey) and thus under more exposure.

It's much akin to anything in life, but a decent example would be the latest game. If only 100 people buy it, it is less likely that all of the bugs will be discovered any time soon, but if 100,000 people buy it... well, you get the picture. So as the use of PHP and MySQL continues to increase, subsequently so does the potential for more hackers to sit up and take notice.
Edited by kejonn on 07-04-2006 16:48,

Quartzkyte
answered

Quote

Taino wrote:
Your hosts (especially pay hosts) normally have a backup of your entire sites from their regular server backups...
Normally they do. Sorry to hear that.
It seems the whole PHP community CMSs are being hacked at the moment. My PHP Fusion sites are too small for now to be of interest but I'm backing up all I can.
Damn b**tards...

Taino
answered

.
Edited by Taino on 20-04-2006 17:29,

Danish1977
answered

My input, though it might already have been posted...
What I read is:

1) Someone has access to your .htaccess - probably would have found your password with a packet sniffer... you're not using secure login for cPanel as I understand.
That would be enough to redirect to any site if the start page is not found.

2) Start page is not found... could be linked via MySQL to be something else than you set it to yourself... index.php, new.php... could be changed to anything that would give a 403... but... as I reckon, that would only be possible through phpMyAdmin if it's an SQL exploit. Otherwise, it must have been deleted through FTP or cPanel...

Regardless of what has happened, I'd recommend you change all passwords, use the secured login in the future - AND change your HOST since they're not very helpful to you in their guidance... they should know all about security issues, and right away they should be able to direct you to something to try...

ANYTHING not being done through secured pages can be sniffed by anyone with a packet sniffer... passwords, messages, anything you do online on the internet... messengers, websites... anything not securely encrypted through SSL...

Prince NightFox
answered

Someone recently hacked my site and deleted everything but the "new/" and "cgi" folders
see: http://deloroband.com
Don't know if it was PHPFusion or not, but I sure lost a sh*tload of code that I wrote and was planning on providing to the PHPFusion community as freeware. I have backups of the SQL but not the files. P*sses me off.
Edited by Prince NightFox on 07-04-2006 08:10,

utadexter
answered

Well the hacker deletes all...

But I am making it a habit to back up what I put up since it will probably be hacked again soon. :(

Taino
answered

.
Edited by Taino on 20-04-2006 17:14,

utadexter
answered

I rewrote my .htaccess with a few things... you guys let me know if this is a good replacement or not...

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName www.clanuta.com
AuthUserFile /home2/webadmin/public_html/_vti_pvt/service.pwd
AuthGroupFile /home2/webadmin/public_html/_vti_pvt/service.grp

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Extreme\ Picture\ Finder [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^JoBo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^MSIECrawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ninja [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteCopy [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSucker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^teleport [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebBandit [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Webdup [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSnake [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMiner [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^x-Tractor [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^mister\ pix [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^PICgrabber [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/2.0\ \(compatible;\ NEWT\ ActiveX;\ Win32\) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCollector [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebPix [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailMagnet [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailReaper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtractor [NC,OR]
RewriteCond %{REMOTE_ADDR} ^63.148.99.2(2[4-9]|[3-4][0-9]|5[0-5])$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NPBot [NC,OR]
RewriteCond %{REMOTE_ADDR} ^12.148.196.(12[8-9]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])$ [NC,OR]
RewriteCond %{REMOTE_ADDR} ^12.148.209.(19[2-9]|2[0-4][0-9]|25[0-5])$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^TurnitinBot [NC,OR]
RewriteCond %{REMOTE_ADDR} ^64.140.49.6([6-9])$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ClariaBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Diamond [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^[a-z]+$ [NC]
RewriteRule ^.* - [F,L]


I used http://www.botsense.com to help me get rid of the crap I was maybe getting hit with. Do you guys think this might help with the attacks?

I placed the .htaccess in my /public_html/ folder, in my /public_html/fusion/ folder and in my /public_html/fusion/php-files/ folder. Should I just keep one in the root folder, or in all of my folders?
Edited by utadexter on 06-04-2006 21:11,

utadexter
answered

"Bump" :|

utadexter
answered

Ok I have our site up again "WITHOUT" applying the back-up...

http://www.clanuta.com/fusion/php-files/news.php

So should I just leave that up right now & see if it gets hacked or should I start applying my MODs & my back-up yet?

Shiro
answered

I recommend changing hosts. If not simply because they are jackasses but because they beat around the bush with you.

plasma
answered

utadexter,

I would quickly look into what your host has open.
I just did a quick login to the server with PuTTY (normal html) to find out what they are running.

HTTP/1.1 200 OK
Date: Wed, 05 Apr 2006 22:47:19 GMT
Server: Apache/1.3.34 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.25 OpenSSL/0.9.7a PHP-CGI/0.1b
Last-Modified: Fri, 21 Jan 2005 21:57:22 GMT
ETag: "162b35-b9d-41f17ac2"
Accept-Ranges: bytes
Content-Length: 2973
Connection: close
Content-Type: text/html


1. I am guessing you have access to your log files (what your viewers are looking at/getting from your website). Look for anything like PUT index.html or something similar. I would not think your host has this on, but this is the #1 thing most people will try.

2. I would look into what DoS (Denial of Service) attacks each service has that your host is running. I.e.: Apache 1.3.34, OpenSSL, etc.

If you can get a full log you should be able to tell if it's something like Host Error, PHPFusion Error, or human error (Passwords).
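An added example (not code from this thread or from PHP-Fusion) that does, on the defender's side, what plasma's two points ask for: it parses Apache combined-format access-log lines and flags PUT/DELETE requests and hits on setup.php, config.php or .htaccess, and it checks a live .htaccess against a hash recorded after a clean restore. The log lines, IP addresses and the known-good .htaccess content are constructed; the file names are the ones this thread discusses.

```python
import hashlib
import re
from collections import Counter

# Apache "combined" access-log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Methods a plain hosting account should never see over HTTP (plasma's "PUT index.html").
WRITE_METHODS = {"PUT", "DELETE"}

# Files the thread treats as sensitive: the installer, the config and the access-control file.
SENSITIVE_PATH = re.compile(r'(^|/)(setup\.php|config\.php|\.htaccess)$', re.I)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_reasons(entry):
    """List why a parsed entry deserves a look; an empty list means nothing notable."""
    reasons = []
    if entry["method"] in WRITE_METHODS:
        reasons.append("write method " + entry["method"])
    path = entry["path"].split("?", 1)[0]  # judge the file, not the query string
    if SENSITIVE_PATH.search(path):
        reasons.append("sensitive path " + path)
    return reasons


def scan_log(lines):
    """Return (ip, method, path, status, reasons) for every entry worth reviewing."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:  # skip malformed lines instead of aborting the whole scan
            continue
        reasons = review_reasons(entry)
        if reasons:
            hits.append((entry["ip"], entry["method"], entry["path"],
                         entry["status"], reasons))
    return hits


def hits_by_source(hits):
    """Count flagged requests per client IP so a repeat visitor stands out."""
    return dict(Counter(hit[0] for hit in hits))


def htaccess_changed(current, baseline_sha256):
    """True if the live .htaccess bytes differ from the hash taken after a clean restore."""
    return hashlib.sha256(current).hexdigest() != baseline_sha256


# Constructed sample log (documentation IP ranges), not the thread's real server log.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Apr/2006:22:47:19 +0000] "GET /fusion/php-files/news.php HTTP/1.1" 200 2973 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [05/Apr/2006:22:51:02 +0000] "GET /fusion/setup.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [05/Apr/2006:22:52:40 +0000] "PUT /.htaccess HTTP/1.1" 403 221 "-" "-"',
    '192.0.2.44 - - [05/Apr/2006:23:01:11 +0000] "GET /fusion/php-files/news.php?readmore=3 HTTP/1.1" 200 4117 "http://www.clanuta.com/" "Mozilla/5.0"',
    'not a log line at all',
]

# Constructed known-good .htaccess; in practice record its hash right after restoring from
# backup, keep the hash outside the web root, and compare on a schedule.
KNOWN_GOOD_HTACCESS = b"IndexIgnore .htaccess */.??*\nRewriteEngine On\n"
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD_HTACCESS).hexdigest()

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(hits_by_source(scan_log(SAMPLE_LOG)))
```

Run against the real access log with `scan_log(open(path))`; a flagged IP that also coincides with a failed `htaccess_changed` check is the entry to hand to the host.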

utadexter
answered

I had my host check this topic out and here is what they have to say:

Quote

Acenet Inc
Posted on 05 Apr 2006 05:06 PM
--------------------------------------------------------------------------------
It does not appear that the source of this abuse is a user knowing the password used for your account. Thus I would expect this issue to reoccur regardless of the password set.

Quote

utadexter: "I've been talking to the php-Fusion people about this and they think it may be something to do with my .htaccess files on the site."

I would advise pursuing this issue with php-Fusion as it seems they will be best suited to help to secure and "lock down" your scripts to ensure it is secure.


It's like I'm trying to pry open a top-secret box to get them to look into any internal issues. Jeez, this is really sucking because I really like php-Fusion (just the little bit I played with) :(

KEFF
answered

A wild guess in the dark here, but if this had been a Fusion issue, I reckon more sites than yours would have been exposed to this kind of attack?

And I haven't heard of any other site than yours where this happened, so check that host out a wee bit more.

utadexter
answered

My backed-up .htaccess file in my /public_html/ directory looks like so:

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName www.clanuta.com
AuthUserFile /home2/*****/public_html/_vti_pvt/service.pwd
AuthGroupFile /home2/*****/public_html/_vti_pvt/service.grp

RedirectMatch permanent ^/html/main.htm$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/fusion$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/phpBB/index.php$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/fusion/php-files/$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/cblweb$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/forum$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/phpbb/nfphpbb$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/cbl/nfphpbb$ http://www.clanuta.com/fusion/php-files/news.php
Edited by utadexter on 05-04-2006 22:23,

utadexter
answered

The .htaccess file is a default in the way my host sets up my site.

Now I do have an index manager with which I can set certain folders to have no indexes in them. So say I make a /help directory. If I set the index manager to not allow the /help directory to have an index you will be unable to go to: http://www.clanuta.com/help - you will actually be unable to view anything.

Although I'm sure most of you already know that, I was also using those to lock out the hacker on each one of my directories that didn't have an index.html or an index.htm in its directory.

I'm sending Digi the site back-ups that I created on Monday the 3rd, 2006 @ 6:57AM PST. One back-up is a COMPLETE site back-up (5.44MB). The other is just a backed-up SQL of Fusion (69.9KB). Both files are in .gz format, which WinRAR or WinZip can open. .gz is the default my site saves them as once everything has been backed up.

I'm also currently re-installing a "fresh copy" of Fusion back onto my site as I wasn't able to get around to it last night.
Edited by utadexter on 05-04-2006 17:18,

Category Forum: Bugs and Errors - 6