Hacker on my Gallery part 2 Hacker on my Gallery part 2
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Hacker on my Gallery part 2

Started by LACA Rio, July 19, 2006, 09:11:09 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

LACA Rio

Hi guys,

I upgrade my gallery from 1.3.5 to 1.4.8 because some files were uploaded by a hacker in my albums/userpics/1001 folder.
This files were used to make phishing (in this case a Chase bank).
Today, when I check the files using a FTP program, I found another very suspect file (sanyo.php.rar) in the same folder.
I deleted the file and changed my password again but I can't change the chmod properties that is 777.
Thanks for any help. 
Luiz Araujo

Joachim Müller

The upgrade doesn't cure infected webspace, it only keeps your gallery from getting infected in the first place. As your initial reason for upgrading was an infection, you'll have to cure your webspace first by scanning for leftover dangerous files and subsequent backdoors the attacker may have left.

LACA Rio

As a webmaster, I did it and the server that hosting all my websites too.
That rar file was uploaded before the upgrade. The folder has very dangerous CHMOD 777.
If you want to check the malicious script, I can send you the file (sanyo.php.rar). I'm afraid to open it.
Luiz Araujo

Joachim Müller

Quote from: LACA Rio on July 20, 2006, 03:02:28 PM
That rar file was uploaded before the upgrade.
There you go: as it has been uploaded before the upgrade, you should have deleted it before doing anything else.

Quote from: LACA Rio on July 20, 2006, 03:02:28 PM
The folder has very dangerous CHMOD 777.
Not dangerous if your webserver is set up properly. Read http://www.simplemachines.org/community/index.php?topic=2987.0 for details.

Quote from: LACA Rio on July 20, 2006, 03:02:28 PM
I'm afraid to open it.
There's no need to be afraid: download it to your client (using your FTP app). Then open it in a plain text editor (notepad.exe is fine). However: you'll only need to do this if you're curious, it won't help you in solving any infection-related issues that you might have.

For security reasons, ask your webhost to configure your apache webserver to do something with .rar files. Refer to the announcement thread Coppermine-driven galleries hit by RAR exploit what the setup needs to be.

LACA Rio

You were right.  I uploaded a test "php.rar" and after run it, I can read "Oops, my webserver is vulnerable" in my browser. I sent these post to my webhoster and leave empty instead of "ALL" in "Allowed document types" field at the config settings.
Luiz Araujo

Joachim Müller

Read the entire thread I refered to.