My Gallery was hacked?

Started by linuxhata, October 08, 2005, 08:15:34 PM

linuxhata

Hello. Today I discovered a "realmedia" file in my gallery, named a.php.ram. Surprised, I clicked on it, but it won't play, so I downloaded it and looked into it; inside it is:

<?

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*
*  Welcome to phpRemoteView (RemView)
*
*  View/Edit remove file system:
*  - view index of directory (/var/log - view logs, /tmp - view PHP sessions)
*  - view name, size, owner:group, perms, modify time of files
*  - view html/txt/image/session files
*  - download any file and open on Notepad
*  - create/edit/delete file/dirs
*  - executing any shell commands and any PHP-code
*
*  Free download from http://php.spb.ru/remview/
*  Version 04, 2002-08-24.
*  Please, report bugs...

and so on. As I understand, there was an attempt to hack my site. Visually, everything is ok, but maybe there is some backdoor set by the hacker? Will Coppermine allow execution of such a script? (my install is 1.3.3)

Stramm

Had a look at it and I'd say it was a kiddie with not much clue at all who tried to get access to your box. If your server isn't configured absolutely silly (meaning if it doesn't parse ram for php code), not too much will happen. If this file is saved as .php on your server then I'd say you're doomed.

Delete it and change all admin passwords, your FTP, shell pwd, root if you have access to it... this you should do every few months.

kegobeer

Also go through your server logs and look for suspicious activity; find the IP address of the user(s) online when the file was uploaded.  Examine your file system and your database(s) for any other suspicious items.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots
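As an added example (not code from this thread or from Coppermine), a small scanner for the kind of file the thread is about: it walks an upload directory and flags names that carry a script extension before a media or archive extension, like a.php.ram or a.php.gz, as well as files whose first bytes are a PHP open tag regardless of their name. The directory layout, the SCRIPT_EXTS list and the sample files are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Extensions a web server may hand to a script engine (assumed for the example).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl"}
# "<?php", "<?=" or a bare "<?" plus whitespace (as in a.php.ram); not "<?xml".
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)

def suspicious_name(name):
    """Reason a filename looks like a disguised script, else None. Apache's
    AddHandler maps every dotted segment, so 'a.php.ram' can still run as PHP."""
    for seg in name.lower().split(".")[1:]:
        if seg in SCRIPT_EXTS:
            return f"script extension '.{seg}' in name"
    return None

def suspicious_content(path, head=4096):
    """Reason a file's leading bytes look like PHP, else None."""
    with open(path, "rb") as fh:
        return "PHP open tag in upload" if PHP_TAG.search(fh.read(head)) else None

def scan_upload_dir(root):
    """Walk an upload tree; return sorted [(relative_path, reason), ...]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = suspicious_name(name) or suspicious_content(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)

def build_demo_dir():
    """Constructed sample tree (not real uploads): benign JPEG, XML note, 3 shells."""
    root = tempfile.mkdtemp(prefix="cpg_albums_")
    samples = {
        "userpics/10001/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "userpics/10001/a.php.ram": b"<?\n/* Welcome to phpRemoteView */\n",
        "userpics/10002/a.php.gz": b"<?php /* constructed placeholder */ ?>",
        "userpics/10002/clip.rm": b"<?php /* constructed placeholder */ ?>",
        "userpics/10002/notes.txt": b"<?xml version='1.0'?><note>ok</note>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Point scan_upload_dir() at your real albums directory; build_demo_dir() only exists to give the example something to scan.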

foots

I have had this file uploaded also - named as a.php.ra

I've deleted the file and have previously installed all the security updates.

I'm using version 1.3.4.

kegobeer

A google on the filename shows many sites with this crap.  This jackass (or jackasses) is/are very busy spreading this junk around.

Joachim Müller

As suggested, this is probably a script kiddie with little or no idea what he/she does, looking for someone who is even more stupid and set up his server to parse ram files. I wouldn't be too concerned about it. Just delete the file and you should be fine. However, as Stramm suggested it's a good idea to review your security settings and change your passwords over. A good password should be
1) not in a dictionary
2) contain upper and lower case chars
3) contain numbers (and even special chars, although some systems hiccup on special chars like ,.-;:_!"§$%&/()=?ß}][{+*#'@)
4) be rather long (usually, the longer the better. However, some systems can't cope with very long passwords). I usually go for passwords that are 8 chars long for web-related stuff
5) impossible to guess (so there should be no pattern in it)
6) used only once. Although it's tempting to use the same password for several systems, it's not a good idea: once one system is broken, security of all other systems will be broken as well

My advice is to come up with a sentence that makes sense to you only and use the first letters from this sentence to memorize your password. The sentence "my Password has got 8 Chars in it" would result in "mPhg8Cii", which would be a pretty safe password. Of course you can't use this one now, as it is one that is publicly available now. It's only an example. Come up with your own.

Joachim

nukeworker

I found this on my site today, after being hacked. They used a.php.gz to get me. I'm just trying to figure out how they uploaded it to my server.

kegobeer

Quote from: nukeworker on April 02, 2006, 11:09:59 PM
I found this on my site today, after being hacked. They used a.php.gz to get me. I'm just trying to figure out how they uploaded it to my server.

Offhand, I would say you don't restrict document file types.  Check your config settings - unless absolutely necessary I would not allow any documents to be uploaded.  You also need to contact your host - they don't have the server properly configured (archives are being parsed as php.)

nukeworker

Quote from: kegobeer on April 03, 2006, 12:11:02 AM
Offhand, I would say you don't restrict document file types.  Check your config settings - unless absolutely necessary I would not allow any documents to be uploaded.  You also need to contact your host - they don't have the server properly configured (archives are being parsed as php.)

Both of your statements are correct. Another thing I have realized is that when this file was uploaded via Coppermine, I had deleted it immediately via the Coppermine interface. However, the file remained on my server (and somehow Google found it).