I have myself installed ZenPhoto, and helped over 25 people on different servers to install it, various versions currently. Every single one of them was hacked yesterday.
Not only did it hack the zenphoto installs, it managed to change every single php and .htaccess file on the servers. So every single site on the same servers has been compromised.
I am very sad to see a 3rd party add-on have such an impact on a great work that has been done here.
I am wondering if the showcase library should be taken down temporarily while this is going on, if there are any of the showcase galleries still alive...
Heads up people...
Comments
I wonder if that all might mean something on the security of these sites was not correct as well.
Since the file manager - if it was the only cause of this all - was only used on the backend, someone must have had access to zp-core files. At least on our/my server that returns an access denied.
I don't think that removing the showcase will help much. Google & Co have it all anyway and who wants to exploit that does not need our showcase to find...
I am not understanding how it managed to change every php file on the server. I am working on bringing backup files back to restore; the bad thing currently is that Google has blocked all the sites I am working on. And if they are searched for on Google, they will take the user to a .ru malware site.
Acrylian: It is all part of the same hack. Many people have one shared hosting account with multiple domains each in a different directory under the same account.
In that scenario each website is owned by the same user, so if one site gets hacked they all do. The ajaxfilemanager vulnerability allows malicious PHP code to traverse all of the directories on the webserver where Zenphoto is installed, insert php code into every file it can find, change .htaccess files and install more php files to further compromise the system.
So the severity of the attack depends on how the hosting account is set up, how many websites are hosted by that account and the file permissions.
But in the end the vulnerability lies with the Tiny MCE Ajaxfilemanager Plugin since that's where it all starts.
You can try and google my web page and you will see what is happening to it; the same happens to all other URLs on that particular server, even though only some of them run Zenphoto:
http://www.google.is/search?aq=f&gcx=w&sourceid=chrome&ie=UTF-8&q=olihar
I am having such a hard time with this, my hosting company states that everything is working fine on their end.
This malware has done a lot of damage ...
Olihar, look at this post from jest3r-:
http://www.zenphoto.org/support/topic.php?id=9939&page=2
Begin the job by deleting all tmp_XXXXX.php files.
After that, clean all your php files (with a good editor you can clean the first line of your files, which contains the malware) and clean all .htaccess files.
Thank you ZenPhoto for fixing this.
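The clean-up steps in the post above (find the dropped tmp_XXXXX.php files, strip the injected first line from each php file, check every .htaccess) are tedious to do by hand across a whole hosting account. The script below is an added example, not code from the thread or from Zenphoto, that walks a document root and reports those three kinds of traces. The indicator strings for the injected first line are assumptions (common obfuscation calls plus the turnitupnow domain another poster mentions), the .htaccess check (a rewrite or redirect to an external URL) is a heuristic, and the sample file tree it builds is constructed for the demonstration. It only reports by default; writing is opt-in and keeps a .bak copy.

```python
"""Find the traces described in the thread's clean-up steps under a web root.

Added example, not from the forum post or the Zenphoto project. Indicator lists
below are assumptions; review every hit by hand before changing anything.
"""
import os
import re
import tempfile

# Assumed indicators for an injected first line (constructed list, lower-case).
FIRST_LINE_INDICATORS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(", "turnitupnow")
# Assumed sign of a tampered .htaccess: a rewrite/redirect that sends visitors off-site.
# A legitimate http->https redirect to your own host will also match; inspect hits.
HTACCESS_RE = re.compile(r"^\s*(?:RewriteRule\s+\S+\s+https?://|Redirect\w*\s+.*https?://)", re.I | re.M)
# Dropped files named tmp_XXXXX.php, as described in the thread.
TMP_NAME_RE = re.compile(r"^tmp_[A-Za-z0-9]+\.php$")


def first_line_is_injected(text):
    """True when the first line of a php file carries one of the assumed indicators."""
    first = text.split("\n", 1)[0].lower()
    return any(ind in first for ind in FIRST_LINE_INDICATORS)


def scan(root):
    """Walk root and return findings per category as paths relative to root."""
    findings = {"tmp_php": [], "injected_php": [], "htaccess": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if TMP_NAME_RE.match(name):
                findings["tmp_php"].append(rel)
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name.endswith(".php") and first_line_is_injected(text):
                findings["injected_php"].append(rel)
            elif name == ".htaccess" and HTACCESS_RE.search(text):
                findings["htaccess"].append(rel)
    for hits in findings.values():
        hits.sort()
    return findings


def strip_injected_first_line(text):
    """Mirror the manual 'clean the first line' step.

    The line is only dropped when what follows still starts with a PHP open
    tag, so a genuine file header is not removed by accident."""
    if not first_line_is_injected(text):
        return text
    _, _, rest = text.partition("\n")
    return rest if rest.lstrip().startswith("<?") else text


def clean_file(path, dry_run=True):
    """Apply strip_injected_first_line to one file; returns True if it would change."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    cleaned = strip_injected_first_line(original)
    if cleaned == original:
        return False
    if not dry_run:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return True


# Constructed samples: a clean file and one with an injected first line.
CLEAN_SAMPLE = "<?php\necho 'hello';\n"
INJECTED_SAMPLE = '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n' + CLEAN_SAMPLE


def build_sample_tree():
    """Create a constructed web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="zp_scan_")
    layout = {
        "index.php": CLEAN_SAMPLE,
        "zp-core/admin.php": INJECTED_SAMPLE,
        "zp-core/tmp_Ab12Cd.php": "<?php /* constructed stand-in for a dropped file */ ?>\n",
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://redirect-target.example/$1 [R,L]\n",
        "gallery/.htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ index.php?p=$1 [L]\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for category, hits in scan(demo_root).items():
        print(category, hits)
```

Run it against a real account with `scan("/path/to/docroot")` first, compare the reported paths against a clean backup, and only then call `clean_file(path, dry_run=False)` on files you have inspected; deleting the tmp_XXXXX.php files and restoring .htaccess from backup stays a manual step.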
Attack IPs:
78.24.216.211 - - "POST /gallery/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 21 "-" "User-Agent: Mozilla/5.0 (Windows; u; Windows nt 5.1; en-us; rv:1.9.1.5) gecko/20091102 firefox/3.5.5 gtb5"
78.24.220.110
81.163.143.194 (coincided with php file mod timestamps)
92.63.104.34
92.63.105.26
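The log excerpt above is the kind of evidence that lets you confirm whether your own server was reached through the same path. The following is an added example, not code from the thread, that parses web-server access log lines (Apache/nginx combined format, with the timestamp field made optional so the bracket-less line as posted parses too), keeps every request under the ajaxfilemanager plugin directory, and counts, per source address, the POSTs the server answered with 200. The sample log lines other than the one quoted above are constructed.

```python
"""Flag access-log entries that touch the Zenphoto ajaxfilemanager path.

Added example, not from the forum post. Assumes combined-format log lines;
the request path is the one quoted in the thread.
"""
import re
from collections import Counter

# Any file under the plugin directory named in the thread's log line.
AJAXFM_PATH_MARKER = "/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/"

# Tolerant pattern: the timestamp is optional so the line posted in the thread
# (which has none) parses the same way as a normal combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ (?:\[(?P<ts>[^\]]*)\] )?'
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the ip/method/path/status of one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_ajaxfm_hits(lines):
    """All parsed entries whose request path lies under the plugin directory."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and AJAXFM_PATH_MARKER in entry["path"]:
            hits.append(entry)
    return hits


def suspicious_sources(lines):
    """Count successful (200) POSTs to the plugin path per source address.

    An anonymous client POSTing to a file-manager endpoint that only the admin
    backend should use is the signal the thread's excerpt shows."""
    counts = Counter()
    for entry in find_ajaxfm_hits(lines):
        if entry["method"] == "POST" and entry["status"] == 200:
            counts[entry["ip"]] += 1
    return counts


# Constructed sample log: the first line is the one quoted in the thread.
SAMPLE_LOG = [
    '78.24.216.211 - - "POST /gallery/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 21 "-" "User-Agent: Mozilla/5.0 (Windows; u; Windows nt 5.1; en-us; rv:1.9.1.5) gecko/20091102 firefox/3.5.5 gtb5"',
    '203.0.113.5 - - [01/Nov/2011:10:00:01 +0000] "GET /gallery/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Nov/2011:10:01:15 +0000] "GET /gallery/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php HTTP/1.1" 200 21 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Nov/2011:10:02:00 +0000] "POST /gallery/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '78.24.216.211 - - [01/Nov/2011:10:03:30 +0000] "POST /gallery/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 21 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} successful POST(s) to the ajaxfilemanager path")
```

For a real log, replace `SAMPLE_LOG` with the lines of your access log (`suspicious_sources(open("access.log"))` works, since the functions only iterate over lines). Requests the server answered with 403 or 404 are still listed by `find_ajaxfm_hits`, which is useful for checking that a block on that directory is actually taking effect.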
I guess I was lucky in not being blacklisted by Google, as the hack broke zenphoto to the point where apache was returning 500 code errors to visitors.
To recover, I ended up installing the latest zenphoto version in a new directory and dropping the zp_administrators table to reset my passwords, as zenphoto will create a new one if it is missing. This seems to have worked as a viable method of recovery without losing the database, as long as you have the DB information to key back in.
The inserted code in my php files was related to a cookie with some script with a reference to a site named turnitupnow[dot]net. What I would like to find are the actual commands passed to my server via the exploit.
Tim Brown
Pulling my hair out here...
We installed the latest version of Zenphoto and it kept going for a while. After 10 minutes it was hacked again.
Now I tried to change the rights on the .htaccess to 0004 and it seems to be working; the site has been working now for about 45 minutes.
The user was named "www-data".
My ftp account has a totally different name and I have no user registered besides me as admin.
Please find a way out; it sucks if you are forced to reupload the original .htaccess every hour...
If it all does not help or you don't know how to do that also contact your host.
The bad thing is, every computer that visited any of the pages on the servers now has infected cookies, and will have to remove cookies before visiting any of the pages, as the cookies all redirect to Russian sites.
This is a little tricky to do as some internet users never clear their cookies, and there is no way to get the message to them.