Virus hacks--Warning!!!

24 Comments

  • bic Member, Translator
    Ok, thanks jest3r-, good idea to change the database password too. My provider says that there is not such a risk, but it sounds strange to me.
    My db was not affected though.
    I have upgraded and followed the other instructions for ajax and tinymce, I hope it will be ok now. Luckily I'm not on the Google blacklist so far.
    I've also changed the ftp password, though I dunno whether or not it was stolen too, because of course it was not stored in any of the zenphoto files.

    I've some minor issues, as always after a long-needed update, but I'll deal with them later on.
  • bic: if their exploit can infect every file on your server that means it can read those files too. Typically what happens is a robot scans millions of websites and when it finds a vulnerability it "quietly" creates a backdoor and notifies whoever is running the robot.

    If that person then follows up ... perhaps a few days later ... they will have access to your files. That's why the damage reports are so different from everyone. Depends on what stage of the "attack" you are in.

    They wouldn't be able to get your FTP password ... but the config files all contain your database passwords in plain text which is readable by the hacker on an infected website.

    So change your passwords!!
  • bic Member, Translator
    Thanks again jest3r-,
    Probably I was at an early stage of the attack. The .php files were changed yesterday afternoon (Europe time) and .htaccess yesterday evening. I don't have shell access on my server but made a search via ftp and I didn't find any temp files, should I ask the provider for a deeper search?
    I made the search after deleting the zenphoto core and reinstalling but leaving albums and cache plus some folders not pertinent to zenphoto.

    For people with custom themes:
    I repaired mine in a few seconds with the great function "search and replace in files" by notepad++
  • Do the latest builds from last night include this fix?
  • acrylian Administrator, Developer
    No, tonight's will. But caution that nightly is now 1.4.2 beta (as announced some days ago). Since a few things change you might run into trouble. Just replace the tiny_mce plugin with the one now provided on the post (and download page) or remove it yourself.
  • Vulnerable websites are apparently found using this search in Google:
    "tiny_mce/plugins/ajaxfilemanager"

    Here is a page showing how to find and hack vulnerable websites.
    http://www.devilscafe.in/2011/10/tinymce-ajaxfilemanager-remote-file.html#.TrzfxUPz2dA

    Part of the problem is due to Google who managed to find and index these paths (the question is how?).
    Maybe this should be added to the robots.txt file:
    `Disallow:*scripts*`
    `Disallow:*plugins*`
    `Disallow:*jscripts*`
    as
    `Disallow: /zp-core/`
    is apparently not enough.
  • acrylian Administrator, Developer
    The good search engine crawlers respect those settings but I am not convinced those with bad intentions do as well. I think that with the right permissions these directories should not be indexable at all.
  • Another warning, please: with this hack it's possible to upload a .jpg image... and in this way it's possible to obtain control of the visitor's machine if a potential victim downloads this modified image.

    In fact, do not consider that your albums are clean!

    Prefer to delete all ... and afterwards reinstall zenphoto 1.4.1.6 and upload your jpg images - those that you are sure are clean and protected.

    PS: excuse me for my very poor English...
  • acrylian Administrator, Developer
    Good point. Btw, your English is for sure better than my French..;-)
  • bic Member, Translator
    About the jpg files:
    I've downloaded all the images on my local pc to backup the site after the attack and they look clean to my antivirus, which is updated several times per day.
    Moreover, the site seems to be ok now, 24 hours after the cleaning and update.
    Should I be concerned anyway?
  • @bic: don't trust the data after the hack!!! Never...
  • @bic, re: htaccess permissions - either a) the hacker had root access and therefore could do anything, or b) they removed any original file assuming the directory had write permission, then added in a new one.

    I think given the proliferation of the hack with multiple hosting providers, option 'a' is unlikely.

    Which leaves option 'b', though if they added to existing rules, it implies that the file was copied first, then the original deleted, then the modified version put into place.
  • bic Member, Translator
    vpas, I'm not enough into this kind of knowledge to understand what happened, anyway my .htaccess file was still in my ownership after the hack, so it wasn't created by a script running on the server, is that true?
    This excludes option b too..
  • It depends on the setup of your hosting provider. If your file is still owned by you, then it's possible that the webserver is running under your ID as well. I'm not sure how they do it these days.

    I used to think that I owned all my files and the webserver was running under a different user. That's what I have at home. However my hosting provider *seems* to be different. I don't have shell access so can't tell, but I don't need to add group write permission where I thought that I would need to.

    I've just been playing with some php scripting (though it's not a language that I'm strong in) in order to see if I could get it to change the permissions of the file first, then append data to it. Currently it is failing to add the write permission, but this is on my Linux computer at home, which likely doesn't have the same setup, and I'm not 100% sure that I've got the code right.

    I really don't think that they had root access though, as I think that they'd do a lot more with it, and they'd gain access to more than your sites.
  • acrylian Administrator, Developer
    On some hosts it is not possible to change permissions via php. Our setup script tries but fails on some (and on some the strictest settings even break everything).
  • bic Member, Translator
    All I know is that files created by scripts are the property of "nobody" on my server. The first time I tried to delete one of those files I had to learn that I needed another script to do that. (Now I have an option, in my provider's dashboard, to regain ownership of files created by cms setups, unzippers etc)
    So it was not a script that created my hacked .htaccess file, unless it had access via ftp with my login credentials (or root access?).
    I'm still curious to understand what the hell they did with that attack.
  • What are the permissions on the directory that the .htaccess file was left in? Could be worth asking your provider which processes run as 'nobody'.

    On my system, the .htaccess file that was altered had owner & group of my user. Permissions were 644 on the file and 755 for the directory. I need to check with my provider as to which user runs the apache process.

    As for the attack itself, the php added to my files varies slightly, but the basics seem to be that it tries to set a cookie, then if it's able to read that cookie back it inserts code into the HTML to load some javascript, and adds a redirect to the page itself. I've not sussed out the rest, as I said, PHP isn't my strong point.

    I never got a chance to capture the javascript. By the time I'd got my site sorted, their site was off-line, so I couldn't go and get a copy.
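The ownership and mode checks discussed in this post, as an added example that is not part of the thread: a small triage script that walks a web root and reports .php and .htaccess files modified after a cutoff, with their owner and mode, flagging files owned by the web server account or writable by group/others (the sample site, the server account names and the one-hour cutoff are assumptions).

```python
import os
import pwd
import stat
import tempfile
import time

# Added triage helper, not zenphoto code. Walks a web root and reports .php and
# .htaccess files modified after a cutoff with owner and mode, flagging files
# owned by the web server account (assumed names below) or group/world writable.
SERVER_USERS = ("nobody", "www-data", "apache")
def triage(webroot, since_epoch):
    """Return sorted (relative path, owner, mode, reasons) for suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not (name.endswith(".php") or name == ".htaccess"):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_mtime < since_epoch:
                continue  # untouched since the cutoff
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            reasons = ["modified after cutoff"]
            if owner in SERVER_USERS:  # server process, not FTP, wrote it
                reasons.append("owned by web server user")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world writable")
            mode = oct(stat.S_IMODE(st.st_mode))[2:]
            findings.append((os.path.relpath(path, webroot), owner, mode, reasons))
    return sorted(findings)

def build_sample_site():
    """Constructed web root: old clean index.php, fresh 644 .htaccess, fresh 666 file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "zp-core"))
    for rel, mode, old in (("index.php", 0o644, True), (".htaccess", 0o644, False),
                           (os.path.join("zp-core", "admin.php"), 0o666, False)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed sample content\n")
        os.chmod(path, mode)
        if old:
            os.utime(path, (0, 0))  # pretend it was last modified in 1970
    return root

def demo():
    return triage(build_sample_site(), time.time() - 3600)
```

On a real host, run `triage("/path/to/webroot", cutoff)` with the cutoff set to just before the suspected compromise; a recent .htaccess still owned by your own account rather than the server user is the signal discussed above that the write did not come from a script running as the web server.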
  • acrylian Administrator, Developer
    I think we have an example of the js code from a forum topic. Cleared there as it alerted virus scanners. Available as pdf on the 2nd security alert in the news section.
  • I don't know about anybody else, but my site was running IRC drones because of the exploit. They ran a perl shell to install the drones.
  • network teaser hack:

    i found a solution for this problem on this website:
    http://howbits.com/how-to-fix-and-remove-network-teaser-ru-website-hacked/

    it worked for me so far ...

    roland
  • Back from the Hack
    My hoster got in and cleaned my site of all renegade code. However, they removed my admin email so when I enter captcha info, I get a notice of no email addy to send new password.
    I can login to the forums with a password that zenphoto emailed me previously. But, that password will not let me into my admin or gallery. Go figure.
  • acrylian Administrator, Developer
    I can login to the forums with a password that zenphoto emailed me previously. But, that password will not let me into my admin or gallery. Go figure.
    Of course, since the password of our forum has absolutely nothing to do with the password of your install.

    Please read on the troubleshooting how to reset the administrators db table to create a new account on your install.
  • I bet I'm more pissed. I just recently installed the script, almost immediately got the redirects. I've got 7 years of work getting decent Google rankings, and now it just got flushed down the toilet.

    I have no intentions of reinstalling, I'd just like to know exactly what needs to be removed so I can forget about this and try to get normal.

    Any help will be appreciated.
  • Being pissed will do you no good. Also not reinstalling will do you no good. Given your state of mind, the answer to what you should remove is "everything".

    Just FYI, since you obviously have not read these threads, I really do mean "everything" since probably everything was compromised by the breach.
  • acrylian Administrator, Developer
    baddco: Not really good style to both mail us directly and post the same on the forum...
  • I guess then ya can delete me? I don't much care. I do plan though on dedicating my splash page to my thoughts on how ZenPhoto both replies, and offers answers. May not have gotten to this point had I gotten a decent response. I'm curious, unless it was an inside job, just how the hacker picked out the sites that used the script.

    Once I'm back 100%, watch for my ZenPhoto Dedication Page. You may enjoy the publicity. I have many friends too, you may get lots.

    It would have only taken a decent and human reply, not attitude.
  • We won't delete you. You are too good an example of someone with such a sense of self-importance that you think site etiquette does not apply to you. Our "normal" users will be amused.

    But let's review your contributions. You have posted in two threads. In both you have demonstrated that you do not read first.

    http://www.zenphoto.org/support/topic.php?id=10039: Here your post is unrelated to the topic as micheall has pointed out to you. Pretty difficult to make such a mistake if you had actually read the thread contents.

    This thread: Two posts including this grand finale. Here on November 29 you said you "recently installed Zenphoto and were immediately hit". But of course you did not say what version or when. And which version is one of the stipulated required bits of information we ask for when people want support. (But then you did not want support, you just wanted to vent because you were "wronged". Guess you feel that we deliberately planted this timebomb just to "get" you. Sorry, but we really do not think you are that important.)

    Anyway, discussions of the security vulnerabilities started around the 9th of November; the fixed version was released November 11. Not so "recent" in my opinion.

    I am sure that you will quickly rebuild your seven years rankings. People are really drawn to vindictive web content.
  • I had no choice of which version. It was installed for me. As for self-importance, I guess it goes without saying about people in glass houses. I came for help, not with the better-than-you attitude I've read in other postings.

    I maintain it's an inside job, and will continue to hold my stand. I've shared my thoughts with many elsewhere. And will continue to do so.

    Thank You Sir, May I have another?
  • Not just self-important but either ignorant or stupid. Hope it is the former, it can be corrected with education. So, someone has installed it for you. Maybe they are where you should look for blame.
  • I am forgiving my splash screen for the next months, and will be replacing it with:

    Just a word of advice, I recently came back from being
    compromised.

    I downloaded the script for ZENPHOTO. Less than 2 days later
    I was banned from Google as well as other search engines.

    ZenPhoto was no help, actually they were nasty. Think, before
    You install it.

    I believe it was an inside Job.