I had Zenphoto running (I thought) like a charm, for quite a while. The last time I looked at my photos was probably a week or 2 ago. Today I tried to go to my site, and after a long wait, was redirected to zpcore/setup.php.
The page starts with the message "Zenphoto has detected that you're upgrading to a new version." No, actually, I'm not -- at least, I didn't intend to. Is this a forced upgrade? Or a hack? Or a bug?
I did absolutely nothing to any files or code to instigate this. But when I try to load any of my photos, this is what happens.
Any suggestions?
Comments
Now it looks different: Someone else has apparently attempted to use it to set up a new Zenphoto install! Beneath the line of text which reads "Fill in the information below and setup will attempt to update your zp-config.php file", the following information has been filled in:
MySQL admin user: milanka
MySQL host: db4free.net
MySQL database: milanka
It appears to me that the setup was unsuccessful -- the database was not created. But how is it that anyone can come along and run the setup program? Right now it appears that my site is tremendously insecure and subject to possible hijacking and/or vandalism. I have no idea what to do about it. Any help appreciated!
I am shown a login form at the bottom of the page, but I cannot log in -- my username/password combo is not accepted. I see an option to enter a CAPTCHA in place of my password for a password reset, but when I do this, nothing happens. I am not receiving any email telling me that I have a new password (which is what I assume is supposed to happen).
I'm not sure who it was sent to -- nothing has arrived in my inbox. (Or my spam folder, but I'm checking there too.)
Sounds like a hacking attempt. If your situation is the same as above, I would suggest first checking your `zp-config.php` to make sure that all the info is still correct. Second, I would update Zenphoto to the latest release (if it isn't updated already). Third, I would check the permissions on your Zenphoto files.
You might need to run setup again after all of this, but once you're done with the setup scripts, you should probably get rid of them. Seems to me that this "milanka" gained access to the files on your server and, as you have said, has been able to replace the setup scripts and Zenphoto config. How he got this access is uncertain. Perhaps your host could give you more information.
Anyway, I edited zp-config.php to fix the filename and provide the proper MySQL info, then reuploaded it. But nothing has changed. All pages redirect to setup.php, and running setup.php gets me nowhere. I am asked to log in, but my password doesn't work. I try to request a password reset using the CAPTCHA, but I don't get any email.
Any ideas on next steps?
```php
$conf['mysql_user'] = 'milanka';
$conf['mysql_pass'] = '3pieknekwiaty';
$conf['mysql_host'] = 'db4free.net';
$conf['mysql_database'] = 'milanka';
```
Looks like milanka is probably Polish (Google tells me that "piekne kwiaty" means "beautiful flowers" in that language).
Upon swapping in a copy of zp-config.php with the proper info for my database, my site appears to work again.
acrylian: .htaccess doesn't seem to have been modified since I installed ZP, so I don't think it was compromised.
I don't recall seeing a suggestion to delete setup.php after install... perhaps any message to that effect could be made more prominent? Anyway, I've deleted it now.
What about these files?
setup-option-defaults.php
setup-primitive.php
setup_permissions_changer.php
setup_set-mod_rewrite.php
Is there any need for me to keep them around after installation? Could they present any kind of vulnerability?
Thanks again for everyone's help. Glad to get my site back online.
Don't remember when the deleted setup message was introduced, but it is for sure in 1.3.1.2 (the 1.3.1.x releases are mainly security bug fix releases). Without being logged in, setup is not doing much.
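The checks suggested in the replies above (verify `zp-config.php`, check its permissions, remove the setup scripts) can be scripted. This is an added example, not part of the thread or of Zenphoto itself; the function names, the `localhost` expected host and the sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a Zenphoto install for the state described in this thread.
# Paths and the expected DB host are supplied by the caller (assumptions).

# Print the value assigned to $conf['<key>'] in a zp-config.php-style file.
conf_value() {
    awk -F"'" -v k="$2" \
        '$1 ~ /^[ \t]*\$conf\[$/ && $2 == k { v = $4 } END { print v }' "$1"
}

# audit_zenphoto <config-file> <core-dir> <expected-db-host>
# Prints one finding per line, nothing when no check fires.
audit_zenphoto() {
    cfg=$1 core=$2 want_host=$3
    if [ ! -f "$cfg" ]; then
        echo "CONFIG missing: $cfg"
    else
        host=$(conf_value "$cfg" mysql_host)
        if [ "$host" != "$want_host" ]; then
            echo "CONFIG mysql_host is '$host', expected '$want_host'"
        fi
        # World-writable means any local account on the server can rewrite it.
        if [ -n "$(find "$cfg" -perm -0002)" ]; then
            echo "PERMS world-writable: $cfg"
        fi
    fi
    # setup.php plus the setup-*.php / setup_*.php helpers listed in the thread.
    for f in "$core"/setup.php "$core"/setup[-_]*.php; do
        if [ -f "$f" ]; then echo "SETUP still present: $f"; fi
    done
    return 0
}

# Constructed sample install (not real data) mirroring the thread's symptoms.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/zpcore" || return 1
    printf '%s\n' '<?php' "\$conf['mysql_user'] = 'milanka';" \
        "\$conf['mysql_host'] = 'db4free.net';" > "$d/zp-config.php"
    chmod 644 "$d/zp-config.php"
    : > "$d/zpcore/setup.php"
    : > "$d/zpcore/setup-primitive.php"
    echo "$d"
}

# Expected host "localhost" is a constructed value for the demo run.
sample=$(make_sample) || exit 1
audit_zenphoto "$sample/zp-config.php" "$sample/zpcore" localhost
rm -rf "$sample"
```

Run against a real install, pass the actual config path, core directory and the database host you configured; any `CONFIG` line means the file no longer points where you set it.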