About the jpg files:
I've downloaded all the images to my local PC to back up the site after the attack, and they look clean to my antivirus, which is updated several times per day.
Moreover, the site seems to be OK now, 24 hours after the cleaning and update.
Should I be concerned anyway?
@bic, re: htaccess permissions - either a) the hacker had root access and therefore could do anything, or b) they removed any original file assuming the directory had write permission, then added in a new one.
I think given the proliferation of the hack with multiple hosting providers, option 'a' is unlikely.
Which leaves option 'b', though if they added to existing rules, it implies that the file was copied first, then the original deleted, then the modified version put into place.
It depends on the setup of your hosting provider. If your file is still owned by you, then it's possible that the webserver is running under your ID as well. I'm not sure how they do it these days.
I used to think that I owned all my files and the webserver was running under a different user. That's what I have at home. However my hosting provider seems to be different. I don't have shell access so can't tell, but I don't need to add group write permission where I thought that I would need to.
I've just been playing with some PHP scripting (though it's not a language that I'm strong in) in order to see if I could get it to change the permissions of the file first, then append data to it. Currently it is failing to add the write permission, but this is on my Linux computer at home, which likely doesn't have the same setup, and I'm not 100% sure that I've got the code right.
I really don't think that they had root access though, as I think that they'd do a lot more with it, and they'd gain access to more than your sites.
All I know is that files created by scripts are property of "nobody" on my server. The first time I tried to delete one of those files, I had to learn that I needed another script to do that. (Now I have an option, in my provider's dashboard, to regain ownership of files created by CMS setups, unzippers, etc.)
So it was not a script that created my hacked .htaccess file, unless it had access via FTP with my login credentials (or root access?).
I'm still curious to understand what the hell they did with that attack.
What are the permissions on the directory that the .htaccess file was left in? Could be worth asking your provider which processes run as 'nobody'.
On my system, the .htaccess file that was altered had owner & group of my user. Permissions were 644 on the file and 755 for the directory. I need to check with my provider as to which user runs the apache process.
As for the attack itself, the php added to my files varies slightly, but the basics seem to be that it tries to set a cookie, then if it's able to read that cookie back it inserts code into the HTML to load some javascript, and adds a redirect to the page itself. I've not sussed out the rest, as I said, PHP isn't my strong point.
I never got a chance to capture the javascript. By the time I'd got my site sorted, their site was off-line, so I couldn't go and get a copy.
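An added triage helper, not code from the thread or from Zenphoto, that turns the behaviour described in the post above (set a cookie, read it back, inject a script tag, redirect) and the ownership question the thread keeps returning to into a scan over an offline copy of the site. The marker patterns and the sample files are my own assumptions, constructed for illustration.

```python
import os
import re
import stat
from pathlib import Path

# Heuristic markers for the behaviour described in the thread (set a cookie, read
# it back, inject a <script>, redirect): my own triage assumptions, not signatures.
PHP_MARKERS = {
    "sets_cookie": re.compile(r"\bsetcookie\s*\("),
    "reads_cookie": re.compile(r"\$_COOKIE\b"),
    "injects_script": re.compile(r"<script[^>]*\bsrc\s*=", re.I),
    "redirects": re.compile(r"header\s*\(\s*['\"]Location:|window\.location", re.I),
}
HTACCESS_REDIRECT = re.compile(  # rewrite/redirect rules pointing off-site
    r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*\bhttps?://", re.I | re.M)

def is_suspicious_php(src):
    # Report only when the cookie handshake AND an injection or redirect
    # co-occur, so a page that merely sets a cookie is not flagged.
    hits = {name for name, rx in PHP_MARKERS.items() if rx.search(src)}
    return {"sets_cookie", "reads_cookie"} <= hits and bool(
        hits & {"injects_script", "redirects"})

def is_suspicious_htaccess(src):
    return bool(HTACCESS_REDIRECT.search(src))

def ownership(path):
    # Owner and mode: the data the thread asks for when judging whether a script could write it.
    st = os.stat(path)
    return {"uid": st.st_uid, "gid": st.st_gid, "mode": oct(stat.S_IMODE(st.st_mode)),
            "writable_by_others": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))}

def scan_tree(root):
    # Walk an offline copy of the site; return (path, ownership) for each hit.
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or (p.name != ".htaccess" and p.suffix.lower() != ".php"):
            continue
        src = p.read_text(errors="replace")
        check = is_suspicious_htaccess if p.name == ".htaccess" else is_suspicious_php
        if check(src):
            findings.append((str(p), ownership(p)))
    return findings

# Constructed samples for demonstration, not code captured from the attack
CLEAN_PHP = "<?php\nsetcookie('lang', 'en');\necho $_COOKIE['lang'];\n"
INJECTED_PHP = ("<?php\nsetcookie('chk', '1');\nif (isset($_COOKIE['chk'])) {\n"
                "  echo '<script src=\"http://PLACEHOLDER.invalid/a.js\"></script>';\n"
                "  header('Location: http://PLACEHOLDER.invalid/');\n}\n")
BAD_HTACCESS = "RewriteEngine On\nRewriteRule ^(.*)$ http://PLACEHOLDER.invalid/ [R,L]\n"
```

Run `scan_tree` against the backup directory rather than the live host; a hit whose owner is the web server user rather than your account points at write access through a script, while a hit owned by your account points at your credentials or a process running under them.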
network teaser hack:
I found a solution for this problem on this website:
http://howbits.com/how-to-fix-and-remove-network-teaser-ru-website-hacked/
it worked for me so far ...
roland
Back from the Hack
My hoster got in and cleaned my site of all renegade code. However, they removed my admin email so when I enter captcha info, I get a notice of no email addy to send new password.
I can login to the forums with a password that zenphoto emailed me previously. But, that password will not let me into my admin or gallery. Go figure.
Quote: I can login to the forums with a password that zenphoto emailed me previously. But, that password will not let me into my admin or gallery. Go figure.
Of course, since the password of our forum has absolutely nothing to do with the password of your install.
Please read in the troubleshooting section how to reset the administrators db table to create a new account on your install.
I bet I'm more pissed. I just recently installed the script, almost immediately got the redirects. I've got 7 years of work getting decent Google rankings, and now it just got flushed down the toilet.
I have no intentions of reinstalling, I'd just like to know exactly what needs to be removed so I can forget about this and try to get normal.
Any help will be appreciated.
Being pissed will do you no good. Also not reinstalling will do you no good. Given your state of mind, the answer to what you should remove is "everything".
Just FYI, since you obviously have not read these threads, I really do mean "everything", since probably everything was compromised by the breach.
I guess then ya can delete me? I don't too much care. I do plan though on dedicating my splash page to my thoughts on how ZenPhoto both replies, and offers answers. May not have gotten to this point had I gotten a decent response. I'm curious, unless it was an inside job, just how the hacker picked out the sites that used the script.
Once I'm back 100%, watch for my ZenPhoto Dedication Page. You may enjoy the publicity. I have many friends too, you may get lots.
It would have only taken a decent and human reply, not attitude.
We won't delete you. You are too good an example of someone with such a sense of self importance that you think site etiquette does not apply to you. Our "normal" users will be amused.
But let's review your contributions. You have posted in two threads. In both you have demonstrated that you do not read first.
http://www.zenphoto.org/support/topic.php?id=10039: Here your post is unrelated to the topic, as micheall has pointed out to you. Pretty difficult to make such a mistake if you had actually read the thread contents.
This thread: Two posts including this grand finale. Here on November 29 you said you "recently installed Zenphoto and were immediately hit". But of course you did not say what version or when. And the version is one of the stipulated, required bits of information we ask for when people want support. (But then you did not want support, you just wanted to vent because you were "wronged". Guess you feel that we deliberately planted this timebomb just to "get" you. Sorry, but we really do not think you are that important.)
Anyway, discussions of the security vulnerabilities started around the 9th of November, and the fixed version was released November 11. Not so "recent" in my opinion.
I am sure that you will quickly rebuild your seven years rankings. People are really drawn to vindictive web content.
I had no choice of which version. It was installed for me. As for self-importance, I guess it goes without saying about people in glass houses. I came for help, not with the better-than-you attitude I've read in other postings.
I maintain it's an inside job, and will continue to hold my stand. I've shared my thoughts with many elsewhere. And will continue to do so.
Thank You Sir, May I have another?