illegal w4577760282986243.php

(7 posts)
  1. atom

    Apprentice
    Joined: Dec '11
    Posts: 3

    Recently (1 day ago) I discovered the file in my zenphoto installation.
    This file is a file manager written in PHP.
    I'm investigating how the crackers installed those files in a different directory of my zenphoto gallery.
    I'm sure that the crackers used HTTP to upload the code, but the Apache log files report poor information. The same goes for the zenphoto logs.

    Posted 1 year ago #
  2. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 13,513

    If you are/were on an older Zenphoto release than 1.4.1.6 please see the news section's security category.

    Also make sure you set all file/folder permissions correctly. Setup will make a note about that; info is also on the troubleshooting page.

    Don't forget to read the Forum rules and usage resources
    Posted 1 year ago #
  3. atom

    Apprentice
    Joined: Dec '11
    Posts: 3

    an update:

    I've found an illegal plugin for tiny_mce (zenphoto/zp-core/zp-extensions/tiny_mce/plugins): ajaxfilemanager

    cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    net134 (134):/home/httpd/cometadihalley.net/log# grep ajaxfilemanager *
    cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 200 33 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 133 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:25:35 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1&truecss=1 HTTP/1.1" 200 1162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 1164 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log.1:31.41.13.204 - - [15/Dec/2011:09:39:58 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?showimg=1&cookies=1&truecss=1 HTTP/1.1" 404 11592 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

    Posted 1 year ago #
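
One way to turn grep output like that in the post above into a per-client timeline, as an added example that is not part of the original thread. The sample lines are constructed (documentation-range addresses, shortened user agents), and the names `triage` and `timeline` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample shaped like `grep ajaxfilemanager *` output: hits carry a
# "<logfile>:" prefix. Addresses are documentation-range placeholders.
BASE = "/zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager"
SAMPLE = f'''\
site.access.log.1:192.0.2.77 - - [15/Dec/2011:09:39:58 +0100] "POST {BASE}/inc/class.images.php?showimg=1 HTTP/1.1" 404 11592 "-" "Mozilla/4.0"
site.access.log:192.0.2.10 - - [20/Dec/2011:07:38:29 +0100] "POST {BASE}/ajax_create_folder.php HTTP/1.1" 200 33 "-" "Mozilla/4.0"
site.access.log:192.0.2.10 - - [20/Dec/2011:07:38:30 +0100] "POST {BASE}/inc/data.php?truecss=1 HTTP/1.1" 200 133 "-" "Mozilla/4.0"
192.0.2.20 - - [20/Dec/2011:14:27:42 +0100] "GET {BASE}/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0"
192.0.2.20 - - [20/Dec/2011:14:30:00 +0100] "GET /zenphoto/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
'''

# Optional "<logfile>:" prefix, then Apache combined-log fields (IPv4 clients only).
LINE_RE = re.compile(
    r'^(?:[^:\s]+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

def triage(lines, needle="/ajaxfilemanager/"):
    """Summarise per-client activity against paths containing `needle`."""
    hits = defaultdict(lambda: {"first": None, "last": None, "post_ok": 0, "scripts": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or needle not in m["url"]:
            continue  # unparsable line or unrelated request
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = hits[m["ip"]]
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
        if m["method"] == "POST" and m["status"].startswith("2"):
            rec["post_ok"] += 1  # POST that the server answered with 2xx
        rec["scripts"].add(urlsplit(m["url"]).path.rsplit("/", 1)[-1])
    return dict(hits)

def timeline(hits):
    """Client IPs ordered by first contact, for building an incident timeline."""
    return sorted(hits, key=lambda ip: hits[ip]["first"])

if __name__ == "__main__":
    result = triage(SAMPLE.splitlines())
    for ip in timeline(result):
        r = result[ip]
        print(ip, r["first"].isoformat(), r["post_ok"], sorted(r["scripts"]))
```

Feeding it every rotated access log rather than only the grep hits makes it possible to change `needle` and look at what else the same clients requested.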
  4. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 13,513

    No, not "illegal". Again, please see the news section, all already known and documented...

    Don't forget to read the Forum rules and usage resources
    Posted 1 year ago #
  5. atom

    Apprentice
    Joined: Dec '11
    Posts: 3

    The gallery version is the latest: 1.4.1.6 (8326).
    Permissions verified and compared with the troubleshooting, and they seem to be OK.
    I've had a look at http://www.zenphoto.org/news/ajax-filemanager-returns because it reports a warning about the files I've found as a tiny-mce plugin.

    It could be a good idea to verify and (if not essential) disable the plugin.

    Posted 1 year ago #
  6. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 13,513

    If you read that article correctly you will note that it speaks of 1.4.2... In 1.4.1.6 there is no ajax file manager anymore for the reasons you encountered (actually that is the only change between 1.4.1.5 and 1.4.1.6 at all). If it is still there you did not upgrade correctly.

    Anyway, proper server permissions should not even allow accessing these files.

    So again, see the security category articles and the forum topics linked therein about these hacks (assuming it is the same).

    Don't forget to read the Forum rules and usage resources
    Posted 1 year ago #