Home General support

virus attack on my website

vincent3569 Member, Translator
in General support
I had a virus attack on my website: malicious code had been added to different zenphoto index.php files.

any idea to detect and correct all the infected files ?

thanks for help
«1

Comments

  • acrylian Administrator, Developer
    Sorry about that. I can only suggest the obvious: Use the original files from backup or else and compare with the compromised ones.

    It would be interessting to know what exactly happend in case it concerns Zenphoto (which must not be the case).
  • Lithium07 Member
    The same happened to me today, my htaccess files got edited and put in som redirections, see part of the redirects below

    ErrorDocument 400 http://network....
    ErrorDocument 401 http://network...
    ErrorDocument 403 http://network...
    ErrorDocument 404 http://network...
    ErrorDocument 500 http://network...

    ------------
    ADMINISTRATOR NOTE: Code example editied because it seems to alert virus scanners
  • peacepostman Member
    Hello, i've also been hacked recently but i've found where the problem was thanks to the log :
    92.63.104.34 - - [08/Nov/2011:19:49:50 +0100] "POST /zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 53 "-" "User-Agent: Mozilla/5.0 (Windows; u; Windows nt 5.1; en-us; rv:1.9.1.5) gecko/20091102 firefox/3.5.5 gtb5"

    It was an old problem detected in tinymce File Ajax manager, it seems that the hacker has the ability to upload desired files on the server and also replace .htaccess files in order to redirect to some malware site. I have deleted this plugin because i have no use of it but update tinymce or zenphoto should be a good alternative. Also check the last modified date of your files, you will easily find out the concerned files.

    The uploaded file was a file called class.images.php and index.php, the last one is empty but the class file contain this code :
    ` 
    Array
    (
        [d] =>

    // here the date of the hack

    `
    ------------
    ADMINISTRATOR NOTE: Code example editied because it seems to alert virus scanners.

  • Lithium07 Member
    Seems to be a pretty new bug http://www.devilscafe.in/2011/10/tinymce-ajaxfilemanager-remote-file.html
  • sbillard Member
    Have you actually tried this on your zenphoto installation? Just wondering, because of two things:

    First, the search that web page suggests is pretty useless. Too many legitimate results to sift through.

    Second, If I do manage to browse to the filemanager script I can get it to load the page, but it is locked into the "uploaded" folder and anyway I could not get an upload to actually work.
  • Lithium07 Member
    i didn't try it, but it seems you already fixed it in the current version http://www.zenphoto.org/trac/ticket/2005

    Maybe you can warn your users to avoid further damages.
  • peacepostman Member
    It doesnt work like that, a pretty easy script is hosted on a server with a post to various websites, those websites can easily be crawled by bots if they know what to look for, as an example a comment like <!--zenphoto--> or something else. To me zenphoto could have been spotted as a potential hackable cms, I hope im wrong, but the real problem is in ajaxfilemanager.php, it must be updated to avoid these hack.
  • edouardito Member
    Hi,
    I also had an attack on some of my websites working on an old release of ZP (I know I should update them).

    I fixed ajax_create_folder.php refering to http://www.zenphoto.org/trac/ticket/2005

    Then I've deleted ajaxfilemanager/inc/class.images.php and removed the content of ajaxfilemanager/inc/data.php

    The script was creating .htaccess in my folders trying to redirect to some russian adresses.

    Check if a bot called "MaMa CaSpEr" crawled you site.

    @peacepostman : what did you change in ajaxfilemanager.php ?
  • fanda Member
    My site was atacked too. Overwrite of .htaccess by file from backup fix the hack. Now, I have to look if upgrade is possible. :-)
  • acrylian Administrator, Developer
    @Lithium: The ajax file manager issue is actually fixed in 1.4.1.5 already. We alway urge to upgrade as we don't do these updates for no reason. Note that the ajax file manager is actually a 3rd party tool we just use (see the ticket edouardito linked). and its developer had been informed by the reporter of ticket #2005.

    Recently a lot of these security reports flooded twitter (these sites tend to copy from each other anyway) and they all address 1.4.1.4. Of course if anyone finds other potential security issues feel free to let us know via the forum, bugtracker or even for security reasons via our contact form.

    If any file has been replace it might be a good idea to check permissions and the server configuration. If that is too loose Zenphoto is not even involved. Also inform your host about it as it is also possible that someone got into the server itself (happen a few weeks ago to a quite big German hoster).
  • darkufo Member
    Does anyone know what this hack did.

    We had the same problem and had to reupload all php files :(

    I worried about what the hack actually did.
    It injected this code to all our php zen files.

    global $sessdt_o; if(!.... }

    ------------
    ADMINISTRATOR NOTE: Code example editied because it seems to alert virus scanners
  • markky99 Member
    and I had a similar issue today. Was running 1.4.1.4. htaccess file hacked - could be seen from site logs.

    I held off updating because I lost all my descriptions last time I updated.
  • acrylian Administrator, Developer
    Sorry that you have been hacked. See for more discussion: http://www.zenphoto.org/support/topic.php?id=9942&replies=21#post-58257

    If you lost descriptions on an upgrade you did something wrong, sorry to say that. If you keep the zp-data folder and its config file intact (e.g. the same database credentials) nothing will be lost. Also a good idea is to use the database backup tool before upgrading so you always can revert.
  • acrylian Administrator, Developer
    @darkufo: The hack seems to set a cookie via Javascript and then is able to execute code that has been passed via POST. What exactly I cannot see.

    There is an url and if I google that it seems that is some film related site. Either this is a very bad and illegal way of selfpromotion or they have been expoited as well.
  • darkufo Member
    Thanks Acrylian.

    Are you able to determine what the cookie name might be. All that is gibberish to me :)

    I'd like to find it and delete.
  • acrylian Administrator, Developer
    No, sorry. But it does not hurt to just delete them all.
  • darkufo Member
    ha true :)
  • mowgli597 Member
    Sad to say I also experienced an attack on my Zenphoto installation. It was flagged to me by my hosting company as "Malware" on http:......./zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php

    I have updated my installation to 1.4.1.5(8326) (from 1.4.1.4), disabled tiny_mce and deleted its folder in /zenphoto/zp-core/zp-extensions. Hopefully that will shut the door on any other attacks.

    Interestingly following this thread I checked my cookies and found several with a .ru domain name extension! Logging out of Firefox and back in they had all disappeared (I have the option set to accept all cookies but delete them when I log off).

    One other query if I may: I have Sitewatch (sitewat.ch) enabled on my site and it has flagged an XSS vulnerability on /zenphoto/page/search/ using the input:

    </sCrIpT><sCrIpT>alert(123)</sCrIpT>

    It comes up as no matches found, of course, but is it something about which I should worry?

    Mowgli
  • sbillard Member
    That code would presumably have displayed a javascript alert: 123 had the exploit worked.

    Anyway, Search parameters are sanitized when retrieved and html encoded when displayed so that code fails to execute.

    [edit] Well, at least standard themes do the html encoding. I cannot guarantee that third party thems do the same. If not there could be a vulnerability.
  • fdnyfish Member
    I have also seemed to be attacked. I have upgraded to the oct 31, 2011 version and all seems to be fine.

    I had to purge image cache, then pre-catch images.

    The attack also places .htaccess files in all my root folders. You should check if the same happened to you.

    Below is what was in the .htaccess file.

    --------------------

    ErrorDocument 400 http://large... ErrorDocument 401 http://large... ErrorDocument 403 http://large... ErrorDocument 404 http://largep.... ErrorDocument 500 http://large... <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_REFERER} .*google.* [OR] RewriteCond %{HTTP_REFERER} .*ask.* [OR] RewriteCond %{HTTP_REFERER} .*yahoo.* [OR] RewriteCond %{HTTP_REFERER} .*baidu.* [OR] RewriteCond %{HTTP_REFERER} .*youtube.* [OR] RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR] RewriteCond %{HTTP_REFERER} .*qq.* [OR] RewriteCond %{HTTP_REFERER} .*excite.* [OR] RewriteCond %{HTTP_REFERER} .*altavista.* [OR] RewriteCond %{HTTP_REFERER} .*msn.* [OR] RewriteCond %{HTTP_REFERER} .*netscape.* [OR] RewriteCond %{HTTP_REFERER} .*aol.* [OR] RewriteCond %{HTTP_REFERER} .*hotbot.* [OR] RewriteCond %{HTTP_REFERER} .*goto.* [OR] RewriteCond %{HTTP_REFERER} .*infoseek.* [OR] RewriteCond %{HTTP_REFERER} .*mamma.* [OR] RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR] RewriteCond %{HTTP_REFERER} .*lycos.* [OR] RewriteCond %{HTTP_REFERER} .*search.* [OR] RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR] RewriteCond %{HTTP_REFERER} .*bing.* [OR] RewriteCond %{HTTP_REFERER} .*dogpile.* [OR] RewriteCond %{HTTP_REFERER} .*facebook.* [OR] RewriteCond %{HTTP_REFERER} .*twitter.* [OR] RewriteCond %{HTTP_REFERER} .*blog.* [OR] RewriteCond %{HTTP_REFERER} .*live.* [OR] RewriteCond %{HTTP_REFERER} .*myspace.* [OR] RewriteCond %{HTTP_REFERER} .*mail.* [OR] RewriteCond %{HTTP_REFERER} .*yandex.* [OR] RewriteCond %{HTTP_REFERER} .*rambler.* [OR] RewriteCond %{HTTP_REFERER} .*ya.* [OR] RewriteCond %{HTTP_REFERER} .*aport.* [OR] RewriteCond %{HTTP_REFERER} .*linkedin.* [OR] RewriteCond %{HTTP_REFERER} .*flickr.* RewriteRule ^(.*)$ http://large... [R=301,L] </IfModule>

    ------------
    ADMINISTRATOR NOTE: Code example editied because it seems to alert virus scanners
  • acrylian Administrator, Developer
    I have modifed the links in your post a little. No need to link to them, right?...;-)
  • matt666 Member
    Hello, I just updated to 1.4.1.5 but still the hack is active...

    I don't have any idea what to do next...

    I changed the theme from one to another.

    Still got this redirect from:

    http://www.cxc.info/

    to:

    http://network-teaser.ru/getup/index.php
  • acrylian Administrator, Developer
    Note that all the occurances today may not be the same issue. This can also be a "casual" hack via wrong file folder permissions. Check your htaccess file.
  • mowgli597 Member
    My advice (based on my experience today) would be to delete ALL the files in your zenphoto folder (except the albums and cache folders), including .htaccess. Don't copy them to your local directory first otherwise you may bring over corrupted files (I made that mistake).

    Then copy the new release files (1.4.1.5) in full (except albums and cache) over to your server.

    The reason for deleting ALL the zenphoto files at your remote site is because spurious files have been added to several folders by the hack so a simple "overwrite" in FTP, for example, won't get rid of these (again I learned this the hard way!)

    You'll have to re-configure zp-data/zp-config.php (or copy it from a known clean source).

    If you have a local theme, delete all of those files and copy them from a known good source. If you haven't got a clean copy of the files then check them all for the code noted above which may have been injected unto them:

    `


    global $sessdt_o; if(!$s....;} }
    `
    This was added to ALL the .php files in my theme - just after the initial <?php line.

    So far that seems to have cleared everything that I can find but I await with trepidation for the appearance of something else.

    Hope this helps.

    Mowgli

    ------------
    ADMINISTRATOR NOTE: Code example editied because it seems to alert virus scanners
  • vincent3569 Member, Translator
    I have the same feedback than other posters.

    html files seems to be corrupted too :
    I found this code at the end in some of them :

    `
    try{...

    `
    no idea about the damage that this code could done

    could you give an advice :
    should I modify all the login/password : ftp ? sql ? zenphoto ?

    ------------
    ADMINISTRATOR NOTE: Code example editied because it seems to alert virus scanners
  • darkufo Member
    Thanks Mowgli, that looks exactly like the issue I had, and I did the same as you to fix it.
  • cjdmax Member
    I can confirm the exact same injection problem DarkUfo has. ( http://www.zenphoto.org/support/topic.php?id=9939#post-58252 )Probably injected at ~11:00 CEST today; serves me right for procrastinating on tightening up permissions.

    If I am reading the injected js right it is trying to steal sessions/cookies. Make sure to remove cookies/sessions from your browser and logout/login on the webapp if you have navigated to an injected site with your browser!
  • [Deleted User]
    The user and all related content has been deleted.
  • kocho Member
    Does anyone else have files scatted around their server with files such as: tmp_50594xxxxxxxx.php, tmp_8285xxxxxxx.php (etc)? The files are 1.4k in size and the x's are obviously numbers.
  • fdnyfish Member
    I found a few and deleted them, hope they dont pop up again
Sign In or Register to comment.