Use this website for, online free scanner.

http://sucuri.net/

I am using every day and it catches most of the malware.

Hi,

My zenphoto gallery has been hacked too. I have been lucky so far because only a few files have been infected. Therefore, I have been able to delete all the code and files added by the hacker (well at least that’s what I think).

However, I have studied the statistics of my website visitors. I have noticed that every time I change something in the ajaxfilemanager directory, a visitor is coming a few hours later. The IP address is different each time but the visitor always comes from a URL (referring URL) such as “mail.yahoo.net” or “mail.yahoo.com” and is trying to have a look at something in the ajaxfilemanager/inc/ directory.

Therefore I think that someone is monitoring my FTP and can be somehow alerted by email every time I try to change something. I guess some files are still infected.

I wonder if deleting the ajaxfilemanager directory and upgrading zenphoto will change anything since the hacker will be alerted by email...
I currently use Zenphoto version 1.3.1.2

Has anyone noticed the same problem?

Thank you in advance for your help.

PS: I apologize for my poor English; you might have noticed that English is not my native language

You should at least upgrade anyway, not only because the security issues with the file manager (Which is optional now as well) have been fixed.

If you think someone is monitoring you or your site you might want to check not only your server but your computer as well. It is always possible that that one has been hacked or infected by a trojan or else as well!

Btw, your English is fine (I am not a native speaker as well),

Thank you for the advice, acrylian I’ll update as soon as possible.

I don’t think that the monitoring comes from a virus on my computer because I have modified my website from 3 different computers and the unknown visitor keeps coming back every time... But anyway I’ll scan my computer with an antivirus and antimalware software, just to be sure.

If you were hacked you should really check ALL files on your server (as mentioned in this topic somewhere). The hack spread over everything as reported. So it still might be something left or it was a different hack variant.

Hi there.
I've started from some point and ended elsewhere
First, I've started with a problem with the exif (it won't list the lens info but everything else was OK). So, I thought that it might be because I was on the 1.4.1.6(or something). So, I've downloaded the 1.4.2 version and upgraded. As soon the installation was complete, I've tryed the new site. Surprise... I was redirected to a russian site (). So, I've searched the issue and I discovered that the .htaccess was cracked and edited with a redirect to this site. I've edited the file (I'm not a programmer but I've searched the net) but the site is no longer working I don't know what to do about this...

I have removed the link to that site. Since this seems to be a different hack (at least the site you posted is different). It is possible that your site was hacked before you upgraded and you maybe did not delete the old htaccess file.

So if it was the same hack I would recommend to delete all zenphoto files again and reupload everything. Also check anything else on your webspace as the hack spreader to other files (see this topic and the others linked from our security alert posts on the news).

Just to mention. Remove the .htaccess file as well (actually, any .htaccess file you find) Zenphoto will offer the option of recreating it when you run setup on the fresh install.

I have to say that my site was hacked three times. They had went in and changed everything in my WordPress sites as well. I did everything as if I was reinstalling ZenPhoto on another server (saving the album and cache information) and reintalling it. That seemed to work, and then I changed all the passwords. In doing so I was told by my host 1and1 to delete TinyMCE folder of which I am waiting for an update.

Again and for the final time as it has been widely documented: If it was the hack described on our forum and site, it was NOT TinyMCE causing this security issue. It was a 3rd party plugin used with TinyMCE (and not done by the TinyMCE developers). Also the exploitation of this is only possible if the server security/permissions are not set correctly.

Hello. I just discovered my site hacked today. I have deleted the ajaxfilemanager but so far do not detect other modifications. Would someone who has experienced an attack please advise on specifically what evidence of modification I should be looking for both inside and external to the zenphoto installation? Thank you.

After deleting the ajaxfilemanager folder in my installation, following the guidelines in this thread, I searched all files under the zenphoto tree for the strings "lb11" and "eval(base64" and found no instances. I also found no tmp* files in the tree. In addition, the only objects bearing the date of the attack (11/15/2011) were the bogus class.base.php file and the inc folder under ajaxfilemanager. .htaccess also does not appear to have been modified. It would appear that I was spared the full assault that some have experienced.

Did anyone find evidence of damage beyond your zenphoto structure?

As already said delete all files and re-uploading theme should clear all possible unwanted changes.

I recently updated zenphoto to the version 1.4.2.3 because I changed my hosts. After I updated it I noticed I was getting a lot of error messages because the file relating to this virus attack is trying to be accessed. /zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php

Before I did the upgrade I did not receive any error messages that something was trying to access this file, after I did the upgrade I have been getting hundreds of attempts from many different ip's. Basically every couple of minutes something was trying to access this file.

After reading this thread I trashed the ajaxfilemanager plugin even though the upgrade fixes the problem.

Because I was getting tired of receiving 404 error message emails I ended out redirecting /zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php to my homepage through my .htaccess file. Can this redirection cause a problem? If this virus does not find what it is looking for will it stop trying to access the file eventually?

Due to my lack of diligence in maintaining Zenphoto on my install I missed updating it. The site was hacked and I have spent the last week resetting permissions on files all over the server and every .htaccess file was modified with every image pointing to some .ru site. Deleted the site for now and will install the back up and check that for damage - if its damaged may just opt for a clean install.

So is this just an issue with the ajax file thing?? I deleted it as it was suggested

Yes (and possibly too low set permissions), as widely discussed here and on our news section.

See this page which should be in the user guide IMHO.

It is part of the troubleshooting guide which is part of the user guide.

True, I found it by searching in News, if I click the Installation & Upgrade sidebar category in the User guide it didn't appear.