ZenphotoCMS Forum
illegal w4577760282986243.php - Printable Version

+- ZenphotoCMS Forum (https://forum.zenphoto.org)
+-- Forum: Support (https://forum.zenphoto.org/forum-1.html)
+--- Forum: General support (https://forum.zenphoto.org/forum-4.html)
+--- Thread: illegal w4577760282986243.php (/thread-9412.html)

illegal w4577760282986243.php - atom - 2011-12-22

recently (1 day ago) I've discovered the file in my zenphoto installation.
this file is a filemanager written in php.
I'm investigating about the way the crackers had installed those files in a different directory of my zenphoto gallery.
I'm sure that crackers had used http to upload the code but apache log files report poor informations. The same from zenphoto logs.



illegal w4577760282986243.php - acrylian - 2011-12-22

If you are/were on an older Zenphoto release than 1.4.1.6 please see the news section's security category.

Also make sure you set all file/folder permissions correctly. Setup will note about that, info also on the troubleshooting.



illegal w4577760282986243.php - atom - 2011-12-22

an update:

I've found an illegal plugin for tiny_mce (zenphoto/zp-core/zp-extensions/tiny_mce/plugins): ajaxfilemanager

cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
net134 (134):/home/httpd/cometadihalley.net/log# grep ajaxfilemanager *
cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 200 33 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 133 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:25:35 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1&truecss=1 HTTP/1.1" 200 1162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 1164 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log.1:31.41.13.204 - - [15/Dec/2011:09:39:58 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?showimg=1&cookies=1&truecss=1 HTTP/1.1" 404 11592 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"



illegal w4577760282986243.php - acrylian - 2011-12-22

No, not "illegal". Again, please see the news section, all already known and documentated...



illegal w4577760282986243.php - atom - 2011-12-22

the gallery version is the latest: 1.4.1.6 (8326).
permission verified and compared with troubleshooting and seems to be ok.
I've give a look on http://www.zenphoto.org/news/ajax-filemanager-returns beacuse it reports a warning about the files I've found as tiny-mce plugin.

It could be a good idea to verify and (if not essential) disable plugin.



illegal w4577760282986243.php - acrylian - 2011-12-22

If you read that article correctly you will note that it speaks of 1.4.2... In 1.4.1.6 there is no ajax file manager anymore for the reasons you encountered (actually that tis the only change between 1.4.1.5 and 1.4.1.6 at all). If it is still there you did not upgrade correctly.

Anyway, proper server permission should not even allow accessing these files.

So again, see the security category articles and the there in linked forum topics about these hackes (assuming it is the same).



illegal w4577760282986243.php - acrylian - 2011-12-22

If you read that article correctly you will note that it speaks of 1.4.2... In 1.4.1.6 there is no ajax file manager anymore for the reasons you encountered (actually that tis the only change between 1.4.1.5 and 1.4.1.6 at all). If it is still there you did not upgrade correctly.

Anyway, proper server permission should not even allow accessing these files.

So again, see the security category articles and the there in linked forum topics about these hackes (assuming it is the same).