I keep getting malicious content written into my .htaccess file that attempts to send people to other sites, or crashes ZenPhoto. I reinstalled, set it for read only, and no matter what I do, I continue to get malicious content written into it. Any ideas on how to prevent this?
Normally I don’t go to my site from Google but Friday I did and I got immediately sent to some Russian web site (backgroundstylesheet.ru) and Norton detected a malicious SWF file containing Trojan.Mdroper. My Zenphoto gallery had a hacked version of .htaccess which contained rewrite rules to send users to that Russian web site. The rewrite conditions tested for Google and about 100 other popular sites.
So I deleted it and it came back several times. Searching around I found similar cases with WordPress sites and other sites running PHP could experience the same thing.
I upgraded ZP from 1.3.1.2 to 1.4.1.6, had the install script fix the .htaccess, and had the install script remove the setup files. Poking around, I discovered that my password is visible in ../zp-data/zp-config.php and in ../zp-data/security_log.txt. Permissions were set so that any web user could read them.
So now my questions…
This is a chicken or the egg question. Since all of zp-data is set for any web users to read is that why my site got hacked or was that permission changed as a result of the hacking? Can I protect the zp-data directory and expect my Zenphoto site to work?
Is there a script to run to lock down the permissions on the various scripts to make the site more secure? Does all of zp-core have to be visible to users?
I changed my database password, and broke the site. It took me a while to make it work. I suspect there is a process (which I did not follow) to changing the password. What should I do next time?
Thanks to the developers of Zenphoto. It is really cool and makes my site look terrific (unless of course my users end up at backgroundstylesheet.ru)
So if your Zenphoto version hacked was earlier than 1.4.1.6 please read:
http://www.zenphoto.org/news/security-alert-part-2
http://www.zenphoto.org/news/zenphoto-1.4.1.6
Linked within these are several forum topics about this (assuming you encountered the same hack):
http://www.zenphoto.org/support/topic.php?id=9951
http://www.zenphoto.org/support/topic.php?id=9942
1)/2) The Zenphoto Setup will try and warn about too loose permissions. It will also try to change them on request. However, depending on your server configuration it may not be allowed to do so. Then you have to do that manually. How to do this is explained in our troubleshooting guide.
http://www.zenphoto.org/news/troubleshooting-guide#troubleshooting-installation
You can protect the log files and config file in the zp-data folder to be read-write for the owner only. (Normally ZP would have done that for you.) The other files and folders sometimes need to be read by browsers. We are working to remove any "updating" of files within the core so that all can be read-only, accessible only by the owner. However, this takes time, as we have to discover what the third party tools we use do and move their updates out of the core.
Note, however, that some sites are not configured properly so that the above works. If you get failures with owner-only access you will either have to relax the security or talk to your provider.
If you change the MySQL user/password, the zenphoto config file needs to be updated to reflect the new credentials. You can do that manually by editing the config file or you can re-upload the setup files and re-run setup. It will then prompt you for the correct credentials.
Thank you for your prompt replies. I have the up to date version working. I locked down the permissions and so far things seem to work.
Now how do I tell Google I'm cool? Google has me blacklisted or something. If I go to my site directly I get there. But from Google they still link me to stylesheetrecord.ru. I did remove the .htaccess files. Oh well, I know it is off topic on this forum; I'm hoping if I wait long enough Google will correct itself.
Well, this style.....ru .htaccess problem is the gift that keeps on giving. Google still has me blacklisted and the Firefox browser won't let you get to any of my pages.
I used WinSCP to download my entire site and was able to search to find one more bad .htaccess. I also discovered that 404 errors get directed to stylesheetrecord.ru too. I haven't figured that one out yet. It's either a GoDaddy thing or one more .htaccess.
I'm thinking of keeping only my image files and database, removing everything else including Zenphoto. I have 1.4.1.6 now. If I try to install 1.4.2 will it find and use the tags and text I wrote, which I think is in the database? If I go with the clean start method, would it be better to reinstall the current version before the upgrade?
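Two things in this thread lend themselves to a script: the developer's advice to make the zp-data config and log files readable by the owner only, and the poster's approach of downloading the whole site and searching it for further bad .htaccess files (including the one behind the redirected 404 errors). The POSIX shell script below is an added example, not code from the Zenphoto project or from anyone in this thread. It builds a constructed sample site tree (the "malicious" .htaccess in it is a made-up illustration of the referrer-conditioned redirect the poster describes, using a host name already mentioned in the thread), reports every .htaccess whose RewriteRule or ErrorDocument target is an absolute URL, lists group- or world-readable files under zp-data, and tightens those to owner-only. The function and file names are my own.

```shell
#!/bin/sh
# Added example (not from Zenphoto): audit a downloaded site tree for
# .htaccess redirects to external hosts and for readable zp-data files.

# Build a constructed sample tree so the functions can be exercised offline.
# Prints the temporary root directory.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/albums/holiday" "$sample_root/zp-data"
    # Benign rewrite: target is a site-relative path, not an absolute URL.
    cat > "$sample_root/.htaccess" <<'EOF'
RewriteEngine On
RewriteBase /
RewriteRule ^albums/(.*)$ index.php?album=$1 [L,QSA]
EOF
    # Constructed malicious sample: redirect search-engine visitors off-site,
    # and send 404 errors there as well (the behaviour described in the thread).
    cat > "$sample_root/albums/holiday/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} google\. [NC,OR]
RewriteCond %{HTTP_REFERER} bing\. [NC]
RewriteRule .* http://stylesheetrecord.ru/ [R=302,L]
ErrorDocument 404 http://stylesheetrecord.ru/
EOF
    # Config and log files deliberately left world-readable, as the poster found.
    touch "$sample_root/zp-data/zp-config.php" "$sample_root/zp-data/security_log.txt"
    chmod 644 "$sample_root/zp-data/zp-config.php" "$sample_root/zp-data/security_log.txt"
    printf '%s\n' "$sample_root"
}

# Print every .htaccess under $1 containing a RewriteRule or ErrorDocument
# whose target is an absolute http(s) URL, i.e. a redirect away from the site.
# grep exits 1 when nothing matches; that is a clean result, not an error.
find_external_redirects() {
    find "$1" -name .htaccess -type f \
        -exec grep -liE '^[[:space:]]*(RewriteRule|ErrorDocument)[[:space:]].*https?://' {} + || true
}

# Print files under $1 that are readable by group (040) or others (004).
find_world_readable() {
    find "$1" -type f \( -perm -004 -o -perm -040 \)
}

# Make everything under $1 (intended for zp-data) owner-only: 700 dirs, 600 files.
lock_down_zp_data() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Usage: sh htaccess_audit.sh /path/to/downloaded/site
main() {
    echo "== .htaccess files redirecting off-site under $1"
    find_external_redirects "$1"
    echo "== group/world-readable files under $1/zp-data"
    find_world_readable "$1/zp-data"
}

if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Run it against the directory WinSCP downloaded into; the first list is the set of .htaccess files to inspect by hand (the ErrorDocument check covers the redirected-404 case), and the second list is what `lock_down_zp_data` would tighten. Whether owner-only permissions work on a given host depends on how PHP runs there, which is the caveat the developer raises above.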
It worked on the second try. :-) First time I made the mistake of giving default table prefix and then ZenPhoto created new tables and didn't read my old ones. Thought I lost all of my comments, tags and such. Finally figured that out and got it put back together.
Let's hope Google gives me the thumbs up.