Member
atom   22-12-2011, 11:13
#1

Recently (1 day ago) I discovered the file in my zenphoto installation.
This file is a file manager written in PHP.
I'm investigating how the crackers installed those files in a different directory of my zenphoto gallery.
I'm sure that the crackers used HTTP to upload the code, but the apache log files report poor information. The same goes for the zenphoto logs.

Administrator
acrylian   22-12-2011, 11:37
#2

If you are/were on an older Zenphoto release than 1.4.1.6 please see the news section's security category.

Also make sure you set all file/folder permissions correctly. Setup will note that; there is also info in the troubleshooting.

Member
atom   22-12-2011, 11:40
#3

An update:

I've found an illegal plugin for tiny_mce (zenphoto/zp-core/zp-extensions/tiny_mce/plugins): ajaxfilemanager

net134 (134):/home/httpd/cometadihalley.net/log# grep ajaxfilemanager *
cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 200 33 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 133 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:25:35 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1&truecss=1 HTTP/1.1" 200 1162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 1164 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
cometadihalley.net.access.log.1:31.41.13.204 - - [15/Dec/2011:09:39:58 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?showimg=1&cookies=1&truecss=1 HTTP/1.1" 404 11592 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
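
The grep above answers "did anyone touch the plugin?", but for an incident timeline the useful next step is to parse those lines and summarize them per source address: when each IP first and last appeared, which plugin scripts it requested, and how many of its POSTs the server actually accepted. The following Python script is an added example, not code from the thread or from the Zenphoto project; it parses Apache combined-format lines (with the `file:` prefix grep adds when searching several logs) and its sample input is the log excerpt from the post above, plus the shell prompt line, to show that non-log lines are skipped rather than crashing the parser.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, optionally prefixed with "<filename>:" as
# produced by "grep pattern *" over several log files.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample input: the grep output quoted in the forum post above (the first
# line is the shell prompt, which is not a log entry and must be ignored).
SAMPLE_LOG_LINES = [
    'net134 (134):/home/httpd/cometadihalley.net/log# grep ajaxfilemanager *',
    'cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 200 33 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"',
    'cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"',
    'cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 133 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"',
    'cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"',
    'cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:25:35 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1&truecss=1 HTTP/1.1" 200 1162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"',
    'cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 1164 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"',
    'cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"',
    'cometadihalley.net.access.log.1:31.41.13.204 - - [15/Dec/2011:09:39:58 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?showimg=1&cookies=1&truecss=1 HTTP/1.1" 404 11592 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"',
]


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Separate the script path from its query string so hits group cleanly.
    rec["script"], _, rec["query"] = rec["path"].partition("?")
    return rec


def find_plugin_hits(lines, marker="/ajaxfilemanager/"):
    """Keep only parseable requests whose script path lies under the plugin dir."""
    return [r for r in map(parse_line, lines) if r and marker in r["script"]]


def summarize_by_ip(records):
    """Per source IP: first/last seen, request count, scripts touched, accepted POSTs."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    summary = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        summary[ip] = {
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
            "requests": len(recs),
            "scripts": sorted({r["script"].rsplit("/", 1)[-1] for r in recs}),
            # A 2xx answer to a POST means the server executed the script;
            # 4xx/5xx POSTs are probes that did not reach working code.
            "successful_posts": sum(
                1 for r in recs if r["method"] == "POST" and 200 <= r["status"] < 300
            ),
        }
    return summary


def timeline(records):
    """Chronological (timestamp, ip, method, script, status) tuples."""
    return [
        (r["ts"], r["ip"], r["method"], r["script"].rsplit("/", 1)[-1], r["status"])
        for r in sorted(records, key=lambda r: r["ts"])
    ]


if __name__ == "__main__":
    hits = find_plugin_hits(SAMPLE_LOG_LINES)
    for ts, ip, method, script, status in timeline(hits):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {ip:<14} {method:<4} {script:<24} {status}")
    for ip, s in summarize_by_ip(hits).items():
        print(f"{ip}: {s['requests']} requests, {s['successful_posts']} accepted POSTs, "
              f"{s['first']:%d %b %H:%M} .. {s['last']:%d %b %H:%M}, scripts={s['scripts']}")
```

Run as-is it prints the timeline and per-IP summary for the quoted excerpt; point `SAMPLE_LOG_LINES` at `grep ajaxfilemanager *` output from your own log directory to do the same for a real case. The per-IP view makes two things visible that the raw grep hides: the 15 December POST from a third address got a 404 (the script was not reachable then), while the 20 December POSTs from the other two addresses all returned 200, which dates the window in which the plugin files were present and executable.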

Administrator
acrylian   22-12-2011, 11:45
#4

No, not "illegal". Again, please see the news section; all of this is already known and documented...

Member
atom   22-12-2011, 11:55
#5

The gallery version is the latest: 1.4.1.6 (8326).
Permissions verified and compared with the troubleshooting, and they seem to be ok.
I've had a look at http://www.zenphoto.org/news/ajax-filemanager-returns because it reports a warning about the files I've found as a tiny-mce plugin.

It could be a good idea to verify and (if not essential) disable the plugin.

Administrator
acrylian   22-12-2011, 12:01
#6

If you read that article correctly you will note that it speaks of 1.4.2... In 1.4.1.6 there is no ajax file manager anymore, for the reasons you encountered (actually that is the only change between 1.4.1.5 and 1.4.1.6 at all). If it is still there, you did not upgrade correctly.

Anyway, proper server permissions should not even allow accessing these files.

So again, see the security category articles and the forum topics linked there about these hacks (assuming it is the same).
