"milanka" mysql hack

I was trying to help a friend resolve what looks like a hack on his site. His ZP gallery now brings up the configuration page, but mentions the user/database name "milanka", which is not correct.

The zp-config file was changed, not only to the new user/db, but to point to freesql.org

My Google-fu is pretty good, but I can find no mention of the milanka and ZenPhoto hacks, other than the scores of already-hacked sites that show up:
http://www.google.ca/search?q=milanka+zenphoto

The date on the changed config file is Oct 20th, so it just happened 2 days ago.

He was running a slightly older ZP release: 1.2.6 (4335)

At this point it's unclear how it was hacked. I'm getting him to look at his access logs to see if the attack vector is evident there.

Hopefully this info helps anyone else looking for information on why their site is broken.

Comments

  • Older versions of Zenphoto are vulnerable to "Cross site reference forgeries", which are "social engineering" exploits that can trick you into making bogus updates to your site. About the only other way of this kind of hack happening is if the file/folder permissions of the site are too loose.

    Interesting list of sites. I wonder why Google is indexing them? Many seem to be now running installations, so I presume either the hack had failed or the owner has recovered from it. Others appear to be broken still. I wonder if "milanka" is the handle of the hacker.
  • Since the config file was changed to point to the freesql server, I wonder if the intent was to attack that database user -- some of the Google cached pages show connection limit errors.
  • I've just had an encounter with "milanka" as well -- see the thread I posted yesterday:

    http://www.zenphoto.org/support/topic.php?id=8233

    AlexWilson, was your friend's site hosted on Dreamhost, by any chance? Mine is. I'm curious as to whether that might be relevant.
  • I'm hosting 2 Zenphoto galleries and I found the same problem on one.
    My galleries are hosted on Dreamhost too...
  • acrylian Administrator, Developer
    So far all hacked sites were on Dreamhost, right? Have you already contacted Dreamhost to see what they say?
  • I've learned thru long experience that Dreamhost support is often of limited use in resolving problems with software hosted on their accounts, so I didn't bother going to them for help with this.

    However, now that my site seems to be fixed, I've told them about it, and forwarded a link to this thread. Hopefully they'll do something if they understand that multiple users are having problems.
  • Same thing happened to me, also with Dreamhost. Glad I found this thread. Fixed my gallery without too much trouble. But not techie enough to figure out how it may have been hacked in the first place.

    Will complain to Dreamhost but I doubt they will be helpful -- they certainly haven't been helpful when trying to recover WordPress installations.
  • The prime directive is to remove the setup files once you have installed Zenphoto. If you have done that and this hack appears, then there must be a security hole on the server. Perhaps file permissions are weak or Dreamhost has an issue.
  • Thanks. There's a good chance I forgot/neglected to remove the setup files. They're gone now!
  • I too was a victim of this hack. Just posted about it and found this thread afterward.

    I used the user name "milanka" and the password they put in the config file and logged into that account at mysqlforfree.com (which is the host they indicated in the edited config file).

    There was an account set up at mysqlforfree.com and it also indicated an IP address "89.78.22.192". I did a search on that IP and it appears to be:

    server location: Polska in Poland
    ISP: UPC Polska Sp. z o.o.

    email address in the account was: milankavolshakoya@yahoo.com

    I am not using Dreamhost, I have dedicated servers of my own .... wanted to mention that to help out the above posters who mentioned Dreamhost could be the problem.

    I could have sworn that I deleted the setup file, but it is there. Not sure if I left it there or the hacker put it in.... is that possible? Hoping that it was just my dummy move to forget and leave it in.
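A defender-side check for the three indicators this thread keeps coming back to (zp-config rewritten to point at a remote MySQL host, setup files left in place after install, loose file permissions), added here as an example and not code from Zenphoto or from any poster. The config path zp-core/zp-config.php, the setup*.php file pattern and the $conf['mysql_host'] key are assumptions about the 1.2.x layout.

```shell
#!/bin/sh
# zp_check: sanity check for a Zenphoto install, looking for the indicators
# described in this thread: DB host in zp-config rewritten to an off-box
# free-MySQL provider, setup files still present, world-writable files.
# Assumed layout: zp-core/zp-config.php, zp-core/setup*.php, key $conf['mysql_host'].
# Usage: zp_check /path/to/site   (prints findings; returns 0 if clean, 1 otherwise)
zp_check() {
    site="$1"
    status=0
    config="$site/zp-core/zp-config.php"

    if [ -f "$config" ]; then
        # Pull the configured MySQL host out of the PHP config (single or double quotes).
        host=$(sed -n "s/.*['\"]mysql_host['\"]\][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1)
        # The hijacked configs in this thread pointed at freesql.org / mysqlforfree.com;
        # anything other than a local host is flagged.
        case "$host" in
            localhost|127.0.0.1|::1) ;;
            "") echo "FINDING: could not read mysql_host from $config"; status=1 ;;
            *)  echo "FINDING: mysql_host points off-box: $host"; status=1 ;;
        esac
    else
        echo "FINDING: config file missing: $config"; status=1
    fi

    # Leftover installer: the setup files are meant to be deleted after install.
    for f in "$site"/zp-core/setup*.php; do
        [ -e "$f" ] || continue
        echo "FINDING: setup file still present: $f"; status=1
    done

    # World-writable files let any local process (or another tenant on shared
    # hosting) rewrite the config.
    find "$site" -type f -perm -0002 2>/dev/null | while IFS= read -r f; do
        echo "FINDING: world-writable: $f"
    done
    ww=$(find "$site" -type f -perm -0002 2>/dev/null | wc -l | tr -d ' ')
    [ "$ww" -eq 0 ] || status=1

    return $status
}
```

Run it against the web root of each gallery; a non-zero exit plus the FINDING lines tells you which of the three conditions applies.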