Malicious attacks in .htaccess

I keep getting malicious content written into my .htaccess file that attempts to send people to other sites, or crashes ZenPhoto. I reinstalled, set it for read only, and no matter what I do, I continue to get malicious content written into it. Any ideas on how to prevent this?

Comments

  • fretzl Administrator, Developer
    Could be that malicious code is inserted somewhere on the server out of your reach. Best you contact your host about this.
  • acrylian Administrator, Developer
    Also of course read the recent reports about security breaches.
  • Normally I don’t go to my site from Google but Friday I did and I got immediately sent to some Russian web site (backgroundstylesheet.ru) and Norton detected a malicious SWF file containing Trojan.Mdroper. My Zenphoto gallery had a hacked version of .htaccess which contained rewrite rules to send users to that Russian web site. The rewrite conditions tested for Google and about 100 other popular sites.

    So I deleted it and it came back several times. Searching around I found similar cases with WordPress sites and other sites running PHP could experience the same thing.

    I upgraded ZP from 1.3.1.2 to 1.4.1.6, had the install script fix the .htaccess, and had the install script remove the setup files. Poking around I discovered that my password is visible in ../zp-data/zp-config.php and in ../zp-data/security_log.txt. Permissions were set so that any web user could read them.

    So now my questions…
    1) This is a chicken or the egg question. Since all of zp-data is set for any web users to read is that why my site got hacked or was that permission changed as a result of the hacking? Can I protect the zp-data directory and expect my Zenphoto site to work?

    2) Is there a script to run to lock down the permissions on the various scripts to make the site more secure? Does all of zp-core have to be visible to users?

    3) I changed my database password, and broke the site. It took me a while to make it work. I suspect there is a process (which I did not follow) to changing the password. What should I do next time?

    Thanks to the developers of Zenphoto. It is really cool and makes my site look terrific (unless of course my users end up at backgroundstylesheet.ru)
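    The post above describes the hack as .htaccess files whose rewrite conditions test the referer (Google and other popular sites) and whose rules redirect visitors to another host; a later post adds that 404 errors were redirected too. The script below is an added example, not Zenphoto's code and not something from this thread, that walks a site tree and flags exactly those directives so the extra .htaccess files can be found without downloading the whole site. The sample tree it builds is constructed; "mygallery.example" (the site's own host) and "redirect-target.invalid" are placeholders.

```shell
#!/bin/sh
# Added example, not Zenphoto's own code: scan a site tree for .htaccess
# files that redirect visitors (or 404 errors) to another host, the pattern
# described in this thread. The sample tree and its contents are constructed;
# "mygallery.example" and "redirect-target.invalid" are placeholder hosts.

# Print the numbered lines of one .htaccess file ($1) that send visitors
# elsewhere: a referer-based RewriteCond, or a RewriteRule / ErrorDocument
# whose target is an absolute URL. Lines that mention the site's own host
# ($2) are treated as legitimate (e.g. a force-HTTPS rule) and dropped.
suspicious_lines() {
    grep -nE \
        -e '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_REFERER\}' \
        -e '^[[:space:]]*RewriteRule[[:space:]].*https?://' \
        -e '^[[:space:]]*ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://' \
        "$1" | grep -vF "$2" || true
}

# Walk the tree under $1 and report every .htaccess with suspicious lines,
# one "file:line:content" record per output line.
scan_htaccess() {
    find "$1" -type f -name .htaccess | while IFS= read -r f; do
        hits=$(suspicious_lines "$f" "$2")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f:|"
        fi
    done
}

# Number of suspicious lines found under $1 for own host $2.
count_suspicious() {
    scan_htaccess "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed sample tree: a clean .htaccess at the root and a
# planted one hidden in a sub-folder. Prints the tree's path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/albums"
    cat > "$d/.htaccess" <<'EOF'
RewriteEngine On
RewriteBase /
# legitimate: force HTTPS on our own host
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://mygallery.example/$1 [R=301,L]
RewriteRule ^page/(.*)$ index.php?p=$1 [L,QSA]
EOF
    cat > "$d/albums/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} google\. [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/ [R=302,L]
ErrorDocument 404 http://redirect-target.invalid/
EOF
    printf '%s\n' "$d"
}

if [ $# -ge 2 ]; then
    # usage: sh scan.sh /path/to/site www.yourhost.example
    scan_htaccess "$1" "$2"
else
    tree=$(make_sample_tree)
    scan_htaccess "$tree" mygallery.example
    rm -rf "$tree"
fi
```

On a real site run it with the document root and your own host name; every reported file should be compared against the .htaccess that setup writes, and anything with a referer test or an off-site target that you did not put there is a candidate for removal. The own-host filter keeps normal force-HTTPS or canonical-domain rules out of the report, so a hit means a redirect to somewhere other than your site.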
  • acrylian Administrator, Developer
    So if your Zenphoto version hacked was earlier than 1.4.1.6 please read:
    http://www.zenphoto.org/news/security-alert-part-2
    http://www.zenphoto.org/news/zenphoto-1.4.1.6

    Linked within these are several forum topics about this (assuming you encountered the same hack):
    http://www.zenphoto.org/support/topic.php?id=9951
    http://www.zenphoto.org/support/topic.php?id=9942

    1)/2) The Zenphoto Setup will try and warn about too loose permissions. It will also try to change them on request. However, depending on your server configuration it may not be allowed to do so. Then you have to do that manually. How to do so is explained in our troubleshooting guide.
    http://www.zenphoto.org/news/troubleshooting-guide#troubleshooting-installation

    3) If you change the db password you need to change it in /zp-data/zp-config.php or rerun setup which will complain. Otherwise Zenphoto does not know of the change naturally.
  • You can protect the log files and config file in the zp-data folder to be read-write for the owner only. (Normally ZP would have done that for you.) The other files and the folders sometimes need to be read by browsers. We are working to remove any "updating" of files within the core so that all can be read-only, accessible only by the owner. However, this takes time as we have to discover what the third party tools we use do and move their updates out of the core.

    Note however, that some sites are not configured properly so that the above does work. If you get failures with owner only access you will either have to relax the security or talk to your provider.

    If you change the MySQL user/password, the zenphoto config file needs to be updated to reflect the new credentials. You can do that manually by editing the config file or you can re-upload the setup files and re-run setup. It will then prompt you for the correct credentials.
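    The two posts above agree on the lockdown: the config file and the log files in zp-data should be readable and writable by the owner only, while the rest of zp-data may still need to be read by the web server. The script below is an added example (not Zenphoto's setup script) that lists which files under zp-data are readable by group or others and then restricts only the two files named in this thread, zp-config.php and security_log.txt, to mode 600. The sample folder it builds is constructed.

```shell
#!/bin/sh
# Added example, not Zenphoto's own code: audit the zp-data folder for files
# readable by group or others, then restrict the two files this thread names
# (zp-config.php, security_log.txt) to the owner. The sample folder and its
# contents are constructed placeholders.

# Print every regular file under $1 that group or others can read.
world_readable_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \)
}

# Count of such files (0 once the sensitive files are locked down).
count_exposed() {
    world_readable_files "$1" | wc -l | tr -d ' '
}

# Give the sensitive files owner-only read/write (mode 600). Other files in
# zp-data are left alone because, as the thread notes, some of them must stay
# readable by the web server. Prints each file it changed.
lock_down_zp_data() {
    for name in zp-config.php security_log.txt; do
        f="$1/$name"
        if [ -f "$f" ]; then
            chmod 600 "$f"
            printf 'locked %s\n' "$f"
        fi
    done
}

# Constructed sample zp-data folder with both files world-readable (644),
# the state the poster found. Prints the folder's path.
make_sample_zp_data() {
    d=$(mktemp -d)/zp-data
    mkdir -p "$d"
    printf '<?php\n// constructed placeholder for the real config file\n' > "$d/zp-config.php"
    printf 'constructed log line\n' > "$d/security_log.txt"
    chmod 644 "$d/zp-config.php" "$d/security_log.txt"
    printf '%s\n' "$d"
}

if [ $# -ge 1 ]; then
    # usage: sh lockdown.sh /path/to/site/zp-data
    echo "exposed before:"; world_readable_files "$1"
    lock_down_zp_data "$1"
    echo "exposed after:";  world_readable_files "$1"
else
    d=$(make_sample_zp_data)
    echo "exposed before: $(count_exposed "$d")"
    lock_down_zp_data "$d"
    echo "exposed after:  $(count_exposed "$d")"
    rm -rf "$(dirname "$d")"
fi
```

Mode 600 only works when PHP runs as the file's owner, which is the situation the reply above calls a properly configured site. If your host runs PHP under a different account, setup will fail to read the config after this change and you have to relax the mode or ask the provider to fix the mapping; run the audit part first on its own (the world_readable_files list) before changing anything.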
  • Thank you for your prompt replies. I have the up to date version working. I locked down the permissions and so far things seem to work.

    Now how do I tell Google I'm cool? Google has me blacklisted or something. If I go to my site directly I get there. But from Google they still link me to stylesheetrecord.ru. I did remove the .htaccess files. Oh well, I know it is off topic on this forum, I'm hoping if I wait long enough Google will correct itself.
  • You can register your site with Google and request a re-evaluation. See: www.google.com/webmasters/tools for details.

    The 1.4.2 release has a plugin that provides the metadata that Google requests.
  • acrylian Administrator, Developer
    Google of course does also update its catalog frequently so it will be just a matter of time this will be solved. But a re-evaluation request might be a good idea though.
  • MrB Member
    Well this style.....ru <link cleared by admin>.htaccess problem is the gift that keeps on giving. Google still has me blacklisted and Firefox browser won't let you get to any of my pages.

    I used WinSCP to download my entire site and was able to search to find one more bad .htaccess. I also discovered that 404 errors get directed to stylesheetrecord.ru too. I haven't figured that one out yet. It's either a GoDaddy thing or one more .htaccess.

    I'm thinking of keeping only my image files and database, removing everything else including zenphoto. I have 1.4.1.6 now. If I try to install 1.4.2 will it find and use the tags and text I wrote which I think is in the database? If I go with the clean start method would it be better to reinstall the current version before the upgrade?
  • fretzl Administrator, Developer
    "I'm thinking of keeping only my image files and database"
    That's the way I did it.

    Just install 1.4.2 directly.
  • MrB Member
    It worked on the second try. :-) First time I made the mistake of giving default table prefix and then ZenPhoto created new tables and didn't read my old ones. Thought I lost all of my comments, tags and such. Finally figured that out and got it put back together.

    Let's hope Google gives me the thumbs up.
  • acrylian Administrator, Developer
    There is a new plugin in 1.4.2 called Googleverify to "force" Google a little to take the warning for a site out after such attacks.
  • MrB Member
    I found the GoogleVerify plugin. I'd already used the HTML verification file on the Webmaster Tools page. If I understand, using GoogleVerify plugin facilitates the Meta Tag Verification method? Is there an advantage to switching to using this?
  • So far as I know, all the methods are equal. But the meta-tag method is the only one we can easily implement in a plugin. Of course, this method also does not require a file to be kept that you might someday forget and remove.