I have myself installed ZenPhoto, and helped over 25 people on different servers to install it, various versions currently. Every single one of them was hacked yesterday.
Not only did it hack the zenphoto installs, it managed to change every single php and .htaccess file on the servers. So every single site on the same servers has been compromised.
I am very sad to see a 3rd party add-on have such an impact on a great work that has been done here.
I am wondering if the showcase library should be taken down temporarily while this is going on, if there are any of the showcase galleries still alive...
Heads up people...
We are really sorry for that. The file manager is now gone and will not return. We are searching for a replacement solution. Probably we need to do something ourselves, which we actually wanted to avoid... enough to do without doing everything..
I wonder if that all might mean something on the security of these sites was not correct as well.
Since the file manager - if it was the only cause of this all - was only used on the backend, someone must have had access to zp-core files. At least on our/my server that returns an access denied.
I don't think that removing the showcase will help much. Google & Co have it all anyway, and whoever wants to exploit that does not need our showcase to find it...
Yes I guess that the showcase has all been cached before by Google so that is indeed not something that will help.
I am not understanding how it managed to change every php file on the server. I am working on bringing backup files back to restore. The bad thing currently is that Google has blocked all the sites I am working on, and if they are searched on Google they will take the user to a .ru malware site.
Olihar: check the other thread ... I already cleaned out my install + other sites and posted some info to help you and others.
Acrylian: It is all part of the same hack. Many people have one shared hosting account with multiple domains each in a different directory under the same account.
In that scenario each website is owned by the same user, so if one site gets hacked they all do. The ajaxfilemanager vulnerability allows malicious PHP code to traverse all of the directories on the webserver where Zenphoto is installed and insert php code into every file it can find, change .htaccess files and install more php files to further compromise the system.
So the severity of the attack depends on how the hosting account is set up, how many websites are hosted by that account and the file permissions.
But in the end the vulnerability lies with the Tiny MCE Ajaxfilemanager Plugin since that's where it all starts.
It was the same hack, files were changed at the same time, and the same changes were made to them...
You can try and google my web-page and you will see what is happening to it; the same happens to all other URLs on that particular server, even though only some of them run Zenphoto.
http://www.google.is/search?aq=f&gcx=w&sourceid=chrome&ie=UTF-8&q=olihar
I am having such a hard time with this, my hosting company states that everything is working fine on their end.
I spent 3 hours removing the malware. Over 1000 files touched because I have a lot of web sites on the same hosting ... Finally, thank you for the quick response acrylian, but the damage was done :-(
This malware has done a lot of damage ...
Olihar, look at this post from jest3r-:
http://www.zenphoto.org/support/topic.php?id=9939&page=2
Begin the job by deleting all tmp_XXXXX.php files.
After that, clean all your php files (with a good editor you can clean the first line of your files, which contains the malware) and clean all .htaccess files.
@olihar, you have to inspect all your .htaccess files (at the root of your server and all other locations).
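The cleanup steps above (find the tmp_XXXXX.php droppers, find the injected first line that was prepended to every php file, list every .htaccess) can be turned into a triage script before anyone starts editing files by hand. The following is an added example written for this thread, not code from Zenphoto or from any poster. It assumes that the injected payload is one long line shared by many php files (legitimate files share only a short `<?php`), so it groups files by their first line and reports long lines that recur across many files; the length and count thresholds are assumptions you can tune, and the sample webroot it builds is constructed for demonstration.

```python
import os
import tempfile
from collections import defaultdict


def scan_webroot(root):
    """Walk a webroot and collect the three things the thread says to look at:
    tmp_*.php droppers, every .htaccess, and each php file keyed by its first line."""
    tmp_php, htaccess = [], []
    by_first_line = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                htaccess.append(path)
                continue
            if not name.lower().endswith(".php"):
                continue
            if name.startswith("tmp_"):
                tmp_php.append(path)
            # Read only the first line: that is where the injected code was prepended.
            with open(path, "rb") as fh:
                first = fh.readline().rstrip(b"\r\n")
            by_first_line[first].append(path)
    return {
        "tmp_php": sorted(tmp_php),
        "htaccess": sorted(htaccess),
        "by_first_line": dict(by_first_line),
    }


def shared_first_lines(by_first_line, min_files=3, min_len=80):
    """Heuristic (assumption): a long first line that is identical across many php
    files is the fingerprint of a mass injection; a plain '<?php' is too short to count."""
    return {
        line: sorted(paths)
        for line, paths in by_first_line.items()
        if len(paths) >= min_files and len(line) >= min_len
    }


def build_sample_tree():
    """Create a constructed throwaway webroot mimicking the situation in the thread:
    three php files with the same long injected first line, one clean file,
    one tmp_ dropper and two .htaccess files. Returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="zp_triage_")
    injected = b"<?php /* constructed stand-in for an injected first line */ " + b"x" * 120 + b" ?>"
    files = {
        "index.php": injected + b"\n<?php echo 'site'; ?>\n",
        "gallery/index.php": injected + b"\n<?php echo 'gallery'; ?>\n",
        "gallery/zp-core/admin.php": injected + b"\n<?php // admin ?>\n",
        "blog/clean.php": b"<?php echo 'untouched'; ?>\n",
        "gallery/tmp_a1b2c3.php": b"<?php // constructed dropper stand-in ?>\n",
        ".htaccess": b"RewriteEngine On\n",
        "gallery/.htaccess": b"RewriteEngine On\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_webroot(root)
    print("tmp_*.php droppers:", result["tmp_php"])
    print(".htaccess files to inspect:", result["htaccess"])
    for line, paths in shared_first_lines(result["by_first_line"]).items():
        print("shared first line (%d files): %r" % (len(paths), line[:60]))
        for p in paths:
            print("   ", p)
```

Run it against the real document root (replace `build_sample_tree()` with the path) and diff the reported first line against a known-good copy before removing it; keep a backup of the tree first, since the output is the worklist for restoring files, not a cleaner.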
I have gotten the IP from the attacker, would be interesting to see if it is the same for the rest of you guys...
Attack IP:
78.24.216.211 - - "POST /gallery/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 21 "-" "User-Agent: Mozilla/5.0 (Windows; u; Windows nt 5.1; en-us; rv:1.9.1.5) gecko/20091102 firefox/3.5.5 gtb5"
Here are the four IP addresses that showed the same POST in my apache2 logs:
78.24.220.110
81.163.143.194 (coincided with php file mod timestamps)
92.63.104.34
92.63.105.26
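The two posts above pulled the attacker addresses out of the Apache access log by looking for the POST to the ajaxfilemanager path. The script below is an added example for this thread, not code from Zenphoto or from any poster: it parses combined-format log lines, flags POSTs under the ajaxfilemanager directory and requests for tmp_*.php droppers, and counts the source addresses so they can be compared with the ones listed above. The embedded log lines are constructed (documentation-range IPs and made-up timestamps) and only imitate the request shape quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format; the paths mirror the request
# shape quoted in this thread, everything else (IPs, times, sizes) is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2011:03:14:07 +0000] "GET /gallery/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Oct/2011:03:15:21 +0000] "POST /gallery/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 21 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.9 - - [12/Oct/2011:03:15:22 +0000] "GET /gallery/tmp_a1b2c3.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Oct/2011:03:16:02 +0000] "POST /gallery/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php HTTP/1.1" 200 340 "-" "curl/7.21"
203.0.113.7 - - [12/Oct/2011:03:17:45 +0000] "GET /gallery/zp-core/admin.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directory of the removed plugin; any POST under it is worth a look.
FILEMANAGER_DIR = "/zp-extensions/tiny_mce/plugins/ajaxfilemanager/"
TMP_PHP_RE = re.compile(r"/tmp_[A-Za-z0-9]+\.php(\?|$)")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_filemanager_posts(lines, marker=FILEMANAGER_DIR):
    """POST requests to anything under the ajaxfilemanager directory."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and marker in rec["path"]:
            hits.append(rec)
    return hits


def find_tmp_php_requests(lines):
    """Requests for tmp_XXXXX.php files, i.e. someone calling a dropped script."""
    return [rec for rec in map(parse_line, lines) if rec and TMP_PHP_RE.search(rec["path"])]


def suspect_ips(lines):
    """Source addresses ranked by how many suspicious requests they made."""
    counts = Counter(rec["ip"] for rec in find_filemanager_posts(lines))
    counts.update(rec["ip"] for rec in find_tmp_php_requests(lines))
    return counts


def triage(text):
    """Run all three checks over a log given as one string."""
    lines = text.splitlines()
    return {
        "filemanager_posts": find_filemanager_posts(lines),
        "tmp_php_requests": find_tmp_php_requests(lines),
        "suspect_ips": suspect_ips(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec in result["filemanager_posts"]:
        print("filemanager POST", rec["ip"], rec["ts"], rec["path"])
    for rec in result["tmp_php_requests"]:
        print("tmp_*.php request", rec["ip"], rec["ts"], rec["path"])
    for ip, n in result["suspect_ips"].most_common():
        print("%-16s %d suspicious requests" % (ip, n))
```

On a real server, feed it the access log (`triage(open("/var/log/apache2/access.log").read())`) and line the timestamps of the POSTs up against the modification times of the php files, as the poster above did; the first POST that precedes the mass modification marks the start of the incident.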
I guess I was lucky in not being blacklisted by google, as the hack broke zenphoto to the point where apache was returning 500 code errors to visitors.
To recover, I ended up installing the latest zenphoto version in a new directory and dropping the zp_administrators table to reset my passwords, as zenphoto will create a new one if it is missing. This seems to have worked as a viable method of recovery without losing the database, as long as you have the DB information to key back in.
The inserted code in my php files was related to a cookie with some script with a reference to a site named turnitupnow[dot]net. What I would like to find are the actual commands passed to my server via the exploit.
Tim Brown
Same problem here, on the site of my girlfriend and mine. For a short while it helps to delete the .htaccess and set mod_rewrite off. Then you can see the photos.
We installed the latest version of Zenphoto and it kept going for a while. After 10 minutes it was hacked again.
Now I tried to change the rights on the .htaccess to 0004 and it seems to be working; the site has been working now for about 45 minutes.