hacked? or something else?

Started by Absoblogginlutely, March 28, 2007, 02:09:10 AM


Absoblogginlutely

Google alerts showed me a link to my site at which has a link I didn't recognise.
Basically there was a whole load of buy_this_drug.htm in /gallery/include/misc/1/, misc/2, misc/3, etc.
As far as I am aware I was up to date on all the security patches with gallery, picmgr was the latest patch that I applied.
Now when I go to the /gallery site I just get "Fatal Error :<br />"

Any ideas if this is a known hacking breach/attack and where to start looking for a repair? I'm now looking through my backups to see if I can see how long ago it happened.

Absoblogginlutely

I've tracked what looks like the hack down to about 80 lines in the log file. I've narrowed it down to these lines, as in the first line misc/1 returns a 404 and in the last lines misc/1 returns the file they've somehow uploaded.
The only files that look like they could possibly invoke XSS is a line like the following, as phpsessid seems strange:
66.249.72.197 - - [18/Feb/2007:08:35:13 -0500] "GET /gallery/addfav.php?pid=1113&ref=displayimage.php%3Falbum%3Dtopn%26cat%3D-45%26pos%3D11%26PHPSESSID%3Dcc423731d739a1ce566daa4c2376e542&PHPSESSID=cc423731d739a1ce566daa4c2376e542 HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Any ideas? I can paste the lines in here if that would help.
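
Added example, not part of the original posts: one way to automate the triage described above, bracketing the window between the last 404 and the first 200 for the planted directory and listing what else was requested in between. The log lines, IP addresses and `some_script.php` are constructed for illustration, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Apache combined log format: ip, timestamp, request line, status
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE = [  # constructed log lines, not taken from the poster's server
    '198.51.100.7 - - [18/Feb/2007:08:30:00 -0500] "GET /gallery/include/misc/1/ HTTP/1.1" 404 210',
    '192.0.2.10 - - [18/Feb/2007:08:31:00 -0500] "GET /gallery/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Feb/2007:08:32:00 -0500] "POST /gallery/some_script.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [18/Feb/2007:08:33:00 -0500] "GET /gallery/include/misc/1/buy_this_drug.htm HTTP/1.1" 200 4096',
    '192.0.2.10 - - [18/Feb/2007:08:40:00 -0500] "GET /gallery/index.php HTTP/1.1" 200 5120',
]

def parse(line):
    """Parse one access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def upload_window(lines, prefix):
    """Return (last 404, first 200, other requests in between) for `prefix`."""
    recs = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    last_missing = first_served = None
    for r in recs:
        if not r["path"].startswith(prefix):
            continue
        if r["status"] == 404:
            last_missing = r          # path still absent at this time
        elif r["status"] == 200:
            first_served = r          # first time the planted file is served
            break
    if first_served is None:
        return last_missing, None, []
    start = last_missing["ts"] if last_missing else recs[0]["ts"]
    window = [r for r in recs
              if start <= r["ts"] <= first_served["ts"]
              and not r["path"].startswith(prefix)]
    # POSTs first: state-changing requests are the ones worth reading first
    window.sort(key=lambda r: r["method"] != "POST")
    return last_missing, first_served, window
```

Run `upload_window(open("access.log"), "/gallery/include/misc/")` against the real log; if the 404 and the 200 are far apart, the window will be large and is best narrowed further by file modification times from backups.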

Joachim Müller

Posting a link to your gallery might be helpful.