Well, I have joined the ranks of sites which have recently been hacked (http://www.zenphoto.org/support/topic.php?id=9939).
One of the sites is my primary, and I had updated it yesterday to the 1.4.2 beta which has the fix for the known ajaxfilemanager vulnerability. Since the site was running yesterday I have to assume that the hack did not use that path.
I have made a quick look at the ajaxfilemanager implementation. To the best of my knowledge there is no "security" on what it might do if someone directs a URL properly at one of its component files.
Therefore, I strongly recommend that the ajaxfilemanager folder be deleted from your sites.
We will continue to investigate and see if there is a fix for this. But since it is not our code, the understanding and correction may take a while.
Comments
To be blunt, I am pissed subscribers were not warned about this, as you claim in the "news" this was discovered a while ago. To be blunt again, I am pissed that when it was discovered that the current release is vulnerable as well, everything is silent.
Thus the 1.4.1.5 release. We did not advertise it, as that would give people a real idea. The advertising of this has been done by these security sites.
I will post soon about how to remove the file manager (if that is actually it). Note that sbillard and I are in different time zones, so there is an overlap when neither of us is available. And it is just us two!
PS: To the moderation. Well, blame it on the forum software, which lets a lot of spam through otherwise. You should not be moderated as a frequent poster; again, a fault of the forum software.
Do you have any assistance on this matter, as I'm pretty new to self hosting and Hostmonster refuses to assist?
What folder should be removed?
Kind Regards
At first I got all PHP files hacked with the code you know.
I edited index.php just to show the visitors that maintenance was going on.
A few hours later, the .htaccess file was hacked too, and this is very strange because the permissions on it were r-r-r, so I guess something has control over my server; is that possible?
I deleted the hacked .htaccess and replaced it with a new one from a backup, but then again it changed to the hacked version.
Any ideas?
Sorry to be a pain. Does seem logical to upgrade first then fix but just confirming.
The attacker takes control of all sites that you manage; he goes up to your root directory!!!
But how can I be sure that the data in MySQL is not corrupted?
What if I upgrade, follow the further suggestions about tinymce and then the problem is still on the provider's server?
Also a hacked computer system or infected browser and numerous other things could be involved. Or third party scripts like analytics or ads may be a way, too.
Best contact your provider if you suspect that happened.
If you have a db backup using our tool and not much changed, you could revert to the status before the hack.
This makes me think the hacks may not be directly related to the file manager. Nevertheless the deletion is a good idea.
92.63.104.34 - - [09/Nov/2011:07:57:00 -0300] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 181 "-" "User-Agent: Mozilla/5.0 (Windows; u; Windows nt 5.1; en-us; rv:1.9.1.5) gecko/20091102 firefox/3.5.5 gtb5"
82.146.43.62 - - [09/Nov/2011:18:28:38 -0300] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 181 "-" "User-Agent: Mozilla/5.0 (Windows; u; Windows nt 5.1; en-us; rv:1.9.1.5) gecko/20091102 firefox/3.5.5 gtb5"
I had several POST attacks (it allows uploading files, as I saw on devilscoffee).
They've changed every single *.php / *.js file with malicious code.
Also they've reached the .htaccess file and added some crazy rules to redirect.
Now I'm flagged by Google; that hole killed my WordPress, Joomla, Zen Cart and Zenphoto installations.
Now I'm trying to get back with all of them; this is a huge hole.
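The two log lines quoted above show the request shape worth hunting for: a POST to the ajaxfilemanager path under tiny_mce. The script below is an added example, not code from the thread or the Zenphoto project; it parses a small access-log sample in Apache combined format (constructed here from the quoted lines plus two harmless requests) and reports which source addresses POSTed to that plugin, which is what you need before blocking anything or restoring from backup.

```shell
#!/bin/sh
# Added example (not from the forum thread): triage an Apache access log for
# POST requests aimed at the ajaxfilemanager plugin. The sample log below is
# constructed for this example; the two attacker lines mirror the ones quoted
# in the thread, the two others are ordinary traffic that must not be flagged.
set -u

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
92.63.104.34 - - [09/Nov/2011:07:57:00 -0300] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 181 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Nov/2011:08:01:12 -0300] "GET /zenphoto/index.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
82.146.43.62 - - [09/Nov/2011:18:28:38 -0300] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 181 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Nov/2011:19:00:00 -0300] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF

# suspicious_posts LOGFILE: print "IP PATH STATUS" for every POST whose path
# contains "ajaxfilemanager". In combined format field 6 is the quoted method,
# field 7 the request path and field 9 the HTTP status code.
suspicious_posts() {
    awk '$6 ~ /POST/ && $7 ~ /ajaxfilemanager/ { print $1, $7, $9 }' "$1"
}

# offending_ips LOGFILE: unique source addresses from suspicious_posts, one per
# line, sorted so the list can be diffed against a deny list.
offending_ips() {
    suspicious_posts "$1" | awk '{ print $1 }' | LC_ALL=C sort -u
}

# count_hits LOGFILE: number of suspicious POSTs, a quick "was I targeted?" check.
count_hits() {
    suspicious_posts "$1" | wc -l | tr -d ' '
}

echo "== suspicious POSTs =="; suspicious_posts "$SAMPLE_LOG"
echo "== source addresses =="; offending_ips "$SAMPLE_LOG"
echo "== count =="; count_hits "$SAMPLE_LOG"
```

A 200 on one of these POSTs does not prove the upload worked, but it is the signal to check the file-system side (new tmp_*.php files, changed mtimes) for that time window. Point the functions at the real log with `suspicious_posts /path/to/access.log`; rotated logs can be concatenated first.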
1. The AJAX File Manager has a number of vulnerabilities, through class.images.php and ajaxfilemanager.php, and maybe more.
2. When exploiting these files a hacker is able to insert their own code into the Ajax File Manager data.php and/or write out their own files by dynamically inserting PHP functions into the script due to the way the AJAX File Manager handles a POST request.
3. Hackers can install a PHP Shell Script which can access every file on your webserver.
4. Their shell script will add code to the top of every file on your webserver (infect every PHP file on the server) and also possibly infect your .htaccess files as well. There are different variations of the attack that do different things.
5. Their shell script will install a number of other PHP files that they can access directly to regain access to your server even after you delete the Ajax File Manager and clean all of the infected files where code has been added to them.
6. You may notice files such as tmp_989089080.php or other unknown files that you need to delete as well.
7. If you host multiple domains or WordPress installs under a single account, chances are these websites will be infected too.
What to do about it? How to fix it?
1. Delete the zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager directory
2. Restore all of your website(s) files from a backup because they all have been infected.
If you don't have a backup you will need to delete Zen Photo completely and reinstall (make sure you delete the ajaxfilemanager directory if you reinstall).
3. If you have WordPress or other sites hosted (and no backups) you will need to back up your wp-content folder ... then delete all the WordPress files and reinstall. AND GO THROUGH EACH FILE in wp-content to remove the code inserted at the top of every PHP file before restoring the wp-content folder.
4. You will need to go through each and every folder on your server or hosting account to remove any additional files and shell scripts that were installed by the exploit. Files such as tmp_989809809.php etc ...
5. IMPORTANT
You will need to change the passwords of your databases for any website you host that has been infected. The exploit allows the hacker to view the source code of the config files, so they know what your database passwords are. This would allow them to continue to regain access through phpMyAdmin etc. even if you cleaned everything. You need to change your passwords!!
6. If you have Shell access to your server you can run the following commands to see if you have cleaned everything or help you clean everything:
7. Part of the attack *might* allow the hacker to gain access to your browser Cookie and Session info so in conjunction with the infected files they will be notified when you login to your Zen Photo Admin or other Admin tools and might be able to hijack your session to gain access to the admin without knowing your actual password. So clear your cookies and reset your Admin passwords. I don't see this happening but it is a possibility.
Run these commands from the top directory on your server or hosting account:
This will show you all the files on your webserver that have been infected and need to be cleaned:
grep -r -H "lb11" *
(looks for the string 'lb11' in every file; infected files have this inserted into them). You can substitute 'lb11' with other strings that the hacker might have inserted into your code. For example:
grep -r -H "eval(base64_decode" *
Use the find command to show additional files that may have been installed on your server:
find / -name 'tmp*'
Use the find command to show files that have been modified in the last day (these would be the files that have been infected or added):
find . -type f -mtime -1
Look in your access log files for suspicious activity and ban those IP addresses:
grep ajaxfilemanager access.log
grep '\.php' access.log
Hope this info helps ...
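The grep and find checks in the post above are the right idea; the script below is an added example (not the poster's or the project's code) that wraps them into reusable functions and runs them against a small constructed site tree in a temporary directory, so it can be tried offline before being pointed at a real account. The marker strings 'eval(base64_decode' and 'lb11' are the ones named in the post; the file names and contents are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a post-compromise sweep built from
# the grep/find checks in the post. Everything runs against a constructed sample
# tree in a temp dir; replace $SITE with the real document root to use it.
set -u

SITE=$(mktemp -d)
trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/js" "$SITE/old"
# index.php gets the kind of one-line prefix the post describes (payload is just "hello").
printf '%s\n%s\n' '<?php eval(base64_decode("aGVsbG8=")); ?>' '<?php echo "index"; ?>' >"$SITE/index.php"
printf '%s\n' '<?php echo "ok"; ?>' >"$SITE/clean.php"
printf '%s\n' 'RewriteEngine On' >"$SITE/.htaccess"
printf '%s\n' '/* lb11 */ var x = 1;' >"$SITE/js/app.js"
printf '%s\n' '<?php /* lb11 dropper */ ?>' >"$SITE/tmp_989089080.php"
printf '%s\n' 'old notes' >"$SITE/old/readme.txt"
touch -t 201111010000 "$SITE/old/readme.txt"   # age this file so it is not "recent"

# infected_files ROOT: every file under ROOT containing a known injection marker.
# -F treats each -e pattern as a fixed string, so the parenthesis needs no escaping.
infected_files() {
    ( cd "$1" && grep -rlF -e 'eval(base64_decode' -e 'lb11' . | LC_ALL=C sort )
}

# dropped_files ROOT: files matching the tmp_*.php naming the post reports.
dropped_files() {
    ( cd "$1" && find . -type f -name 'tmp_*.php' | LC_ALL=C sort )
}

# recently_modified ROOT DAYS: files whose mtime is less than DAYS days old.
recently_modified() {
    ( cd "$1" && find . -type f -mtime "-$2" | LC_ALL=C sort )
}

# clean_copy FILE: print FILE without the lines carrying a marker. The original
# is left untouched for forensics; redirect the output to a new file yourself.
clean_copy() {
    grep -vF -e 'eval(base64_decode' -e 'lb11' "$1" || true
}

echo "== infected =="; infected_files "$SITE"
echo "== dropped =="; dropped_files "$SITE"
echo "== modified in the last day =="; recently_modified "$SITE" 1
echo "== index.php cleaned =="; clean_copy "$SITE/index.php"
```

Two caveats when using this on a real tree: the marker list only covers what this thread saw, so add any strings you find in your own infected files, and clean_copy drops whole lines, so check the result by hand where the injected code shares a line with legitimate code. The recently-modified check is only meaningful if you run it before restoring or re-saving files, since those actions reset mtimes.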
The 1.4.2 beta nightly of the coming night at least will have the fix.
About point 5: also, if you can change the DB user ... do it!