I have also seemed to be attacked. I have upgraded to the oct 31, 2011 version and all seems to be fine.
I had to purge image cache, then pre-catch images.
The attack also places .htaccess files in all my root folders. You should check if the same happened to you.
Below is what was in the .htaccess file.
```
ErrorDocument 400 http://large...
ErrorDocument 401 http://large...
ErrorDocument 403 http://large...
ErrorDocument 404 http://largep....
ErrorDocument 500 http://large...
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://large... [R=301,L]
```
ADMINISTRATOR NOTE: Code example edited because it seems to alert virus scanners
Hello, I just updated to 1.4.1.5 but still the hack is active...
I don't have any idea what to do next...
I changed the theme from one to another.
Still got this redirect from:
to:
My advice (based on my experience today) would be to delete ALL the files in your zenphoto folder (except the albums and cache folders), including .htaccess. Don't copy them to your local directory first otherwise you may bring over corrupted files (I made that mistake).
Then copy the new release files (1.4.1.5) in full (except albums and cache) over to your server.
The reason for deleting ALL the zenphoto files at your remote site is because spurious files have been added to several folders by the hack, so a simple "overwrite" in FTP, for example, won't get rid of these (again, I learned this the hard way!).
You'll have to re-configure zp-data/zp-config.php (or copy it from a known clean source).
If you have a local theme, delete all of those files and copy them from a known good source. If you haven't got a clean copy of the files then check them all for the code noted above which may have been injected into them:
```php
global $sessdt_o; if(!$s....;} }
```
This was added to ALL the .php files in my theme - just after the initial
I have the same feedback as other posters.
HTML files seem to be corrupted too:
I found this code at the end of some of them:
```
try{...
```
No idea about the damage that this code could have done.
Could you give some advice:
Should I change all the logins/passwords: FTP? SQL? Zenphoto?
ADMINISTRATOR NOTE: Code example edited because it seems to alert virus scanners
I can confirm the exact same injection problem DarkUfo has (http://www.zenphoto.org/support/topic.php?id=9939#post-58252). Probably injected at ~11:00 CEST today; serves me right for procrastinating on tightening up permissions.
If I am reading the injected js right it is trying to steal sessions/cookies. Make sure to remove cookies/sessions from your browser and logout/login on the webapp if you have navigated to an injected site with your browser!
The user and all related content has been deleted.
I run 5 galleries within my employer's websites... and we got hacked, too, although just on one, I guess. Firefox alert + strange htaccess.
OK, enough with what happened... the question is how to clean up the mess.
What do you say about deleting everything apart from the albums folder + copy the table which has got the names of galleries? I have like hundreds of galleries and it would be too much for me to add names again.
Can anyone from Zenphoto tell me the tables to copy? Is the way I want it to do possible at all?
Installing fresh Zenphoto, copying albums, adding only the images + descriptions tables.
You know what, this might be in fact a nice idea for a quick script : )
What do you say, guys?
If your database is not hacked you don't need to do anything. We recommend using the database backup tool on the admin overview page frequently to be prepared.
Follow the upgrade/installation instructions and don't touch the albums folder. Then all should be as before.
We actually don't know what exactly these hacks did. Zenphoto.org and none of my sites were affected. It seems at least that there were two different hacks if you read the forum topics.
It is up to you as the site manager to check if there is anything else.
All we know is that the 3rd party file manager we included is probably more insecure than the issue fix we did for 1.4.1.5. Thus it should be removed completely.
I really don't know. As said we/I did not encounter hacks so far and I don't know what these might have done.
If you upgrade normally all core files are replaced. It is up to you as the site manager to check other files like custom themes, the database etc.
Here is what seems to be happening.
The AJAX File Manager has a number of vulnerabilities. Through the class.images.php and the ajaxfilemanager.php and maybe more.
When exploiting these files a hacker is able to insert their own code into the Ajax File Manager data.php and/or write out their own files by dynamically inserting PHP functions into the script due to the way the AJAX File Manager handles a POST request.
Hackers can install a PHP Shell Script which can access every file on your webserver.
Their shell script will add code to the top of every file on your webserver (infect every PHP file on the server) and also possibly infect your .htaccess files as well. There are different variations of the attack that do different things.
Their shell script will install a number of other PHP files that they can access directly to regain access to your server even after you delete the Ajax File Manager and clean all of the infected files where code has been added to them.
You may notice files such as tmp_989089080.php or other unknown files that you need to delete as well.
If you host multiple domains or WordPress installs under a single account chances are these websites will be infected too.
What to do about it? How to fix it?
Delete the zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager directory
Restore all of your website(s) files from a backup because they all have been infected.
If you don't have a backup you will need to delete Zen Photo completely and reinstall (make sure you delete the ajaxfilemanager directory if you reinstall).
If you have WordPress or other sites hosted (and no backups) you will need to back up your wp-content folder ... then delete all the WordPress files, reinstall. AND GO THROUGH EACH FILE in wp-content to remove the code inserted at the top of every PHP file before restoring the wp-content folder.
You will need to go through each and every folder on your server or hosting account to remove any additional files and shell scripts that were installed by the exploit. Files such as tmp_989809809.php etc ...
IMPORTANT
You will need to change the passwords of your databases for any website you host that has been infected. The exploit allows the hacker to view the source code on the config files, thereby they know what your database passwords are. This would allow them to continue to regain access through PHPMyAdmin etc. even if you cleaned everything. You need to change your passwords!!
If you have Shell access to your server you can run the following commands to see if you have cleaned everything or help you clean everything:
Part of the attack might allow the hacker to gain access to your browser Cookie and Session info so in conjunction with the infected files they will be notified when you login to your Zen Photo Admin or other Admin tools and might be able to hijack your session to gain access to the admin without knowing your actual password. So clear your cookies and reset your Admin passwords. I don't see this happening but it is a possibility.
Run these commands from the top directory on your server or hosting account:
This will show you all the files on your webserver that have been infected and need to be cleaned:
`grep -r -H "lb11" *`
(looks for the string 'lb11' in every file - infected files have this inserted into them) You can substitute 'lb11' with other strings that the hacker might have inserted into your code. For example:
`grep -r -H "eval(base64_decode" *`
Use the find command to show additional files that may have been installed on your server:
`find / -name 'tmp*'` (quote the pattern so the shell does not expand it against the current directory before find sees it)
Use the find command to show files that have been modified in the last day (these would be the files that have been infected or added):
`find . -type f -mtime -1`
Look in your access log files for suspicious activity and Ban those IP addresses:
`grep ajaxfilemanager access.log`
`grep '\.php' access.log` (the dot is escaped so it matches a literal ".php" rather than any character followed by "php")
Hope this info helps ...
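As an added example (not code from the thread or from the Zenphoto project), the checks this post lists, plus a test for the referrer-hijacking .htaccess shown in the first post, bundled into a POSIX sh audit you can point at a web root. The marker strings are the ones quoted in the thread, and the fixture layout used to try it out is constructed; both are assumptions.

```shell
#!/bin/sh
# Audit pass over a web root for the indicators described in this thread.
# Constructed example; adjust MARKERS to whatever was injected on your site.

# Strings quoted in the thread as appearing in injected code (ERE syntax, so
# the "(" is escaped). Assumed list; extend it with what you find.
MARKERS='lb11|eval\(base64_decode|sessdt_o'

# Print files under $1 that contain any injection marker, one path per line.
find_infected() {
    grep -rlE "$MARKERS" "$1" 2>/dev/null | sort
}

# Print .htaccess files under $1 that look like the referrer hijack from the
# first post: a RewriteCond on HTTP_REFERER plus a RewriteRule to an absolute
# http(s) URL, i.e. visitors arriving from search engines get bounced off-site.
find_bad_htaccess() {
    find "$1" -type f -name .htaccess 2>/dev/null | while read -r f; do
        if grep -qF 'RewriteCond %{HTTP_REFERER}' "$f" \
           && grep -qE 'RewriteRule .* https?://' "$f"; then
            echo "$f"
        fi
    done | sort
}

# Print dropped files matching the tmp_<digits>.php naming seen in the post.
find_dropped() {
    find "$1" -type f -name 'tmp_*.php' 2>/dev/null | sort
}

# Count files under $1 modified in the last N days (default 1).
count_recent() {
    find "$1" -type f -mtime "-${2:-1}" 2>/dev/null | wc -l | tr -d ' '
}

# Run all four checks and print a short report.
audit_webroot() {
    root=$1
    echo "== files containing injection markers =="; find_infected "$root"
    echo "== .htaccess files redirecting by referrer =="; find_bad_htaccess "$root"
    echo "== dropped tmp_*.php files =="; find_dropped "$root"
    echo "== files modified in the last day: $(count_recent "$root") =="
}

# Usage: sh audit.sh /path/to/webroot
if [ $# -gt 0 ]; then audit_webroot "$1"; fi
```

A hit from find_infected or find_bad_htaccess is a file to restore from a clean copy, not to patch in place, since the post notes the dropper also leaves separate backdoor files behind.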