Trojan spamming script inserted into ajaxfilemanager structure

(I hope this is not a double-post, but I received an error message after clicking "Send Post" under Firefox...trying here under IE)

I have been using zenphoto for several months now, and today I discovered that my server was being used for spam-mailing via a bogus class.base.php script which had somehow been inserted into this zenphoto folder:

zp-code/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc

How did this happen? Did an injection possibly occur via the comment mechanism?

Comments

  • acrylian Administrator, Developer
    It is a double post. We have an Akismet filter and moderation in effect (as noted). In case anything is wrong with that, we need to know the error message.

    That security issue has been widely documented since November 2011 and affects all versions 1.4.1.5 and older, and happens together with too lax server permissions:
    http://www.zenphoto.org/news/alert-security-hole-in-zenphoto-1.4.1.4
    http://www.zenphoto.org/news/security-alert-part-2

    Please read those and also the linked forum posts as they provide detailed info from users (we were not affected ourselves).

    Then it is best to upgrade to the current release, which is 1.4.2.1.
  • Thank you, and sorry for the double-post. I have removed the ajaxfilemanager completely and have updated the two tiny_mce config files as advised.

    I am not convinced that the exploit on my server involved anything beyond creating and then utilizing the bogus class.base.php script. I have not yet found evidence of .htaccess file manipulation or of modifications to other scripts (.php or .js). Can anyone point me to some specific files to check...files within the zenphoto installation for example?

    Thank you
  • acrylian Administrator, Developer
    Your hack attack might be a little different and less severe than the November ones, so please read the forum topics to check.

    Best is that you check all files, or better either update or just re-upload your version (if it is 1.4.1.5 or older I recommend updating to the current one, as 1.4.2.1 fixes further security issues) again to be sure no file has been hacked. Please refer to the installation page for how to upgrade.
  • My zenphoto installation was hacked on November 15, 2011, and only detected today. The detailed analysis document suggests that all .php and .js files on my server (virtual domain) may have been modified, along with .htaccess files. I have spot-checked, but so far have not found any issues beyond the bogus script created on that date. Also, the rest of my zenphoto files bear an April 2011 date.

    When checking .php and .js files both within and external to the zenphoto installation, what specifically should I look for as an indication of a modification?

    Thank you
  • acrylian Administrator, Developer
    I am sorry, I cannot answer that as neither zenphoto.org nor one of the other zp powered sites I maintain were affected. I have not seen this myself.

    As far as I remember from the forum posts, the hacks affected files but primarily placed lots of .htaccess redirections everywhere. The detailed information has been provided by users on these topics. That is all we know. It does not hurt to check the database as well. Maybe your attack was less severe or a different one. One of the security posts also has a download of some extra info provided by a user.

    As said the best is to re-upload all standard files and check your custom ones.

    For the future, it is best to stay tuned by subscribing to our RSS feed, Google group or Twitter feed. Also, current Zenphoto releases have the plugin zenphoto-news that displays our latest news on the admin overview page.
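The check the thread asks about (which files to look at, and what counts as a modification), as an added example that is not code from the thread or from Zenphoto: it compares the live webroot against a clean re-upload by content hash, which surfaces added files such as the bogus class.base.php, and separately flags .htaccess rules that redirect to external hosts and PHP files with obfuscated call patterns. The two file trees are constructed samples; the folder path is the one quoted in the thread.

```python
import hashlib
import re

# Constructed sample trees: a clean re-upload of the release versus the live
# webroot, as {relative_path: contents}. A real check would build both dicts
# by walking the two directories and reading each file.
CLEAN = {
    "index.php": "<?php echo 'gallery'; ?>",
    "zp-code/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/config.php":
        "<?php $cfg = 1; ?>",
    ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ index.php [L]\n",
}
LIVE = dict(CLEAN)
LIVE["index.php"] = "<?php eval(base64_decode('ZWNobyAxOw==')); echo 'gallery'; ?>"
LIVE["zp-code/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.base.php"] = \
    "<?php mail($_POST['to'], $_POST['s'], $_POST['b']); ?>"  # constructed mailer
LIVE[".htaccess"] = ("RewriteEngine On\nRewriteCond %{HTTP_REFERER} search\n"
                     "RewriteRule ^(.*)$ http://redirect.example/ [R,L]\n")

# .htaccess rule whose target is an absolute URL on another host
EXTERNAL_REDIRECT = re.compile(r"^\s*(RewriteRule|Redirect\w*)\s+\S+\s+https?://",
                               re.I | re.M)
# code-execution call fed by a decoding function, typical of dropped PHP
OBFUSCATED_CALL = re.compile(r"\b(eval|assert|preg_replace)\s*\(\s*"
                             r"(base64_decode|gzinflate|str_rot13)", re.I)

def digest(data):
    return hashlib.sha256(data.encode()).hexdigest()

def compare_trees(clean, live):
    """Classify live files against the clean reference by content hash."""
    modified = sorted(p for p in clean if p in live and digest(live[p]) != digest(clean[p]))
    added = sorted(p for p in live if p not in clean)
    missing = sorted(p for p in clean if p not in live)
    return {"modified": modified, "added": added, "missing": missing}

def flag_contents(live):
    """Content checks that need no reference copy (for custom files)."""
    findings = []
    for path, text in sorted(live.items()):
        name = path.rsplit("/", 1)[-1]
        if name == ".htaccess" and EXTERNAL_REDIRECT.search(text):
            findings.append((path, "external redirect"))
        if path.endswith(".php") and OBFUSCATED_CALL.search(text):
            findings.append((path, "obfuscated call"))
    return findings

if __name__ == "__main__":
    print(compare_trees(CLEAN, LIVE))
    print(flag_contents(LIVE))
```

The dropped mailer contains no obfuscation and is caught only by the tree comparison, which is why re-uploading the standard files and diffing against them matters for files the content checks cannot judge.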