Zenphoto installation hacked

I've just found a php file and .htaccess in each of my cache directories. I didn't put them there and I'm doubtful that zenphoto should, so I'm assuming I was hacked. The datestamp is two weeks ago. Not sure what the "bad stuff" could be or whether it got there via the internet or by another user on my shared server (either deliberately or because he was in turn hacked). The files all have the same owner username - not me and not the usual username used by the zenphoto process.

I'm wary of posting the contents of the php file but I can if requested or will pass it on if it would be useful if a ZP developer wants to understand what it does. (It sets up a `$_SERVER` request hash, then passes it through base64_encode, base64_decode and a few curl functions, then eval to finish.)

The .htaccess file was short and appears to only redirect the 404 page to the extra page. I don't get many viewers and most would come via a direct link so the new file probably hasn't even been viewed on a browser.

```apache
Options -MultiViews
ErrorDocument 404 //test/zenphoto/cache/albumname/65081.php
```
where test/zenphoto is my zenphoto installation and 65081.php is the name of the extra php file.

Is there anything extra I can do to secure my installation or should there be? I don't know if the weakness is in ZenPhoto but it could well be just that the permissions on the cache folder (777) allow these files to be written by any user where I have the rest of my filespace more secure.

Comments

  • acrylian Administrator, Developer
    That doesn't sound good... I guess it might be possible that the permissions are the cause (or the webspace in general was hacked) but I will pass the more qualified answer to my fellow devs, especially our project leader trisweb who is our server expert.
  • trisweb Administrator
    This is most likely another user simply having access to the 777-permission directories on the server, especially since you note that the written files have a different username than the server process. It would be nearly impossible to change ownership of the files from the PHP server if it was hacked via PHP/zenphoto, so they probably came in from another source.

    Anyway, this is clearly a permission security issue. The reason we recommend people use 777 is due to the fact that on most hosting environments, you cannot change the group or owner of the files.

    Ideally, it should be set up with 660 files/770 directories ([rw-rw----] files and [rwxrwx---] directories) permissions, with [youruser:webservergroup] ownership. If you can do that, I highly recommend it. You can then also change the zenphoto umask to set the default permissions.

    The idea is basically to keep ownership of the files yourself, give group access to the web server, and shut everyone else out.

    Again, the reason 777 permissions are the default is because it's not possible to control permissions in this way on most hosts. But if you have the power to further secure it, we recommend it, especially if you have a situation like this.

    Good luck and let us know if you have any more questions.
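As an added example (not the thread's or Zenphoto's code), a POSIX shell script that audits an install for exactly the symptoms reported above (stray .php/.htaccess inside cache/, world-writable directories, files with an unexpected owner) and then applies the 660/770 plus youruser:webservergroup scheme from trisweb's answer. The sample tree it builds, the `www-data` web server user and the `ZP_*` names are assumptions.

```shell
#!/bin/sh
# Added example (not Zenphoto code): audit an install for the symptoms in this
# thread, then apply the 660/770 scheme from trisweb's answer. Directory layout
# and file names come from the thread; user/group names are assumptions.
# Usage: audit_zenphoto /path/to/zenphoto youruser www-data
#        harden_zenphoto /path/to/zenphoto youruser webservergroup

# List stray .php/.htaccess in cache/, world-writable directories and files
# owned by anyone other than you ($2) or the web server user ($3, optional).
# Prints the findings and returns 1 if there are any.
audit_zenphoto() {
    root=$1; owner=$2; webuser=${3:-$2}
    findings=$( {
        find "$root/cache" -type f \( -name '*.php' -o -name '.htaccess' \) \
            | sed 's/^/stray-file: /'
        find "$root" -type d -perm -002 | sed 's/^/world-writable: /'
        find "$root" ! -user "$owner" ! -user "$webuser" | sed 's/^/foreign-owner: /'
    } | sort )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; fi
    [ -z "$findings" ]
}

# 770 on directories, 660 on files; re-own to youruser:webservergroup only when
# a group is given, since shared hosts usually do not allow chown/chgrp.
harden_zenphoto() {
    root=$1; owner=$2; group=$3
    find "$root" -type d -exec chmod 770 {} +
    find "$root" -type f -exec chmod 660 {} +
    if [ -n "$group" ]; then chown -R "$owner:$group" "$root"; fi
}

# Constructed sample tree mirroring the post: a 777 cache that holds the
# planted 65081.php and .htaccess next to a legitimate cached image.
# Prints the install root so callers can audit and harden it.
make_sample_tree() {
    base=$(mktemp -d) && root=$base/zenphoto
    mkdir -p "$root/cache/albumname" "$root/albums"
    printf '<?php // placeholder standing in for the planted file\n' \
        > "$root/cache/albumname/65081.php"
    printf 'ErrorDocument 404 //test/zenphoto/cache/albumname/65081.php\n' \
        > "$root/cache/albumname/.htaccess"
    printf 'cached image bytes\n' > "$root/cache/albumname/photo_600.jpg"
    chmod 777 "$root/cache" "$root/cache/albumname"
    echo "$root"
}
```

Run the audit before and after hardening; once the planted files are removed and no directory is left world-writable, it prints nothing and returns 0.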