Zenphoto Sites Targeted by Moroccan Hackers

A site I manage using Zenphoto was just hacked by Moroccan hackers calling themselves "Driss Moroccan Hacker". A simple Google search for that name shows lots of compromised Zenphoto sites. I was using version 1.2.9; I quickly removed the defacement and upgraded to 1.3.1.1. Apparently they were able to gain access to the admin area using XSS. They were also able to upload a theme template with the defacement.

After upgrading I checked the security log again and found the following entries, recorded as the perpetrators attempted to gain access once again. The responses are in French (No Access and Failed).

2010-09-01 19:42:36 41.141.0.192 Pas d'accès [Echoué] /zp-core/admin-users.php%3Fticket%3Dda704c76c580a4639747b6b08db71efb%26user%3Ddriss
2010-09-01 19:43:00 41.141.0.192 Site d'administration driss [Echoué] casamar
2010-09-01 19:43:18 41.141.0.192 Site d'administration admin [Echoué] casamar
2010-09-01 19:43:24 41.141.0.192 Site d'administration admin [Echoué] admin
2010-09-01 19:43:32 41.141.0.192 Site d'administration admin [Echoué] casamar1882
2010-09-01 19:43:50 41.141.0.192 Site d'administration admin [Echoué] pi7v4
2010-09-01 19:44:09 41.141.0.192 Site d'administration [Echoué] utryq

I blocked the IP address, which originated from Morocco, and hardened the site even further.

I hope this information helps.

Thanks

Comments

  • Cross-site reference forgeries are a kind of social hack. The attacker has to cause you to visit a poisoned site which then posts a request to Zenphoto. If you are logged into Zenphoto then (before version 1.3.1) the post would be accepted.

    Version 1.3.1 provides protection against this in general. HOWEVER, if you have the front-end editing enabled we are unable to make the protection, so you are still vulnerable. This is why the front-end editing is disabled by default.

    But "blocked access" is not cross-site forgery. It is simply a post submitted from some site. There must have been a missing check on a logged-in administrator, though I don't know what that would have been. There should also have been a link in the "additional information" which will tell which access the hackers believed was open.
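    The forgery this comment describes, next to the kind of check that stops it, as an added example (Python rather than Zenphoto's PHP, and not the project's own code): a pre-1.3.1-style handler that applies any POST arriving with a logged-in session cookie, and a protected handler that rejects a foreign Referer and requires a session-bound HMAC token. The third request shows why the Referer check alone is not enough: the poisoned page can suppress the header, and only the token then stops it. The secret, hostname, session id and form field name are placeholders.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Placeholder values for the example; a real site loads the secret from
# configuration and uses its own hostname.
SERVER_SECRET = secrets.token_bytes(32)
SITE = "https://gallery.example"


@dataclass
class Request:
    """Stand-in for an HTTP POST as the server sees it (constructed for this example)."""
    session_id: Optional[str]                       # session cookie, attached by the browser automatically
    form: Dict[str, str] = field(default_factory=dict)
    referer: Optional[str] = None                   # Referer header; the attacking page can suppress it


def csrf_token(session_id: str) -> str:
    """Per-session token = HMAC(secret, session id). The poisoned site can make the
    victim's browser send the cookie, but it cannot read or compute this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_unprotected(req: Request) -> str:
    """The pre-1.3.1 behaviour the comment describes: a logged-in cookie is enough."""
    if req.session_id is None:
        return "login required"
    return "applied"


def handle_protected(req: Request) -> str:
    """Same action with the two checks that defeat a forged cross-site POST."""
    if req.session_id is None:
        return "login required"
    # 1. A Referer from another origin is an outright rejection. A missing Referer is
    #    let through (browsers and proxies strip it), so this check is not sufficient alone.
    if req.referer is not None and not req.referer.startswith(SITE + "/"):
        return "rejected: foreign referer"
    # 2. The form must carry the session-bound token; compare in constant time.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(req.session_id)):
        return "rejected: missing or invalid token"
    return "applied"


def demo() -> Dict[str, str]:
    """Three POSTs against both handlers: the admin's own form submission, a forged
    POST from a poisoned page, and the same forgery with the Referer suppressed."""
    sid = "session-of-logged-in-admin"
    own = Request(sid, {"theme": "stopdesign", "csrf_token": csrf_token(sid)},
                  referer=SITE + "/zp-core/admin-themes.php")
    forged = Request(sid, {"theme": "defaced"}, referer="http://poisoned.example/page.html")
    forged_no_ref = Request(sid, {"theme": "defaced"}, referer=None)
    return {
        "own/unprotected": handle_unprotected(own),
        "own/protected": handle_protected(own),
        "forged/unprotected": handle_unprotected(forged),
        "forged/protected": handle_protected(forged),
        "forged_no_referer/protected": handle_protected(forged_no_ref),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30} {outcome}")
```

    Only the unprotected handler applies the forged request; the protected one turns away both the forgery with a foreign Referer and the one with no Referer at all, while the admin's own submission still goes through.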
  • BTW, I think that the translation is not quite correct. The English is "Blocked Access" which is different (at least in English) from "No Access". I think "interdire l'accès" would have been a better choice.

    BTW, the first entry did have the page being posted.
  • Thank you for clarifying a few things. However, what you're saying is that even with the update to 1.3.1.1 they were able to gain access again, based upon the first entry of the log? Could this have been a result of being logged into the admin section when they attempted again? They had compromised Zenphoto for complete admin access and changed the admin email and password as well. There is only one user and that is the admin (me).

    The log was recorded after upgrading to 1.3.1.1. Front end editing was disabled. What really bothers me is how were they able to install defacement themes? This would really indicate a hole someplace.

    Thank you for your help.
  • acrylian Administrator, Developer
    Did you contact your host about that? It might also have been a combination of a security hole in the old Zenphoto install and one on the server itself. Just to be sure, I would contact them.

    My demo install had been hacked a while back as well, but that was my fault as I had accidentally set folder permissions too low.
  • No, they did not gain access, as the message should have said, their attempt was blocked.

    I would think that they would need to have FTP type access to install a theme. What are the file permissions on your installation folders?
  • I have reviewed the 1.2.9 release. The hack captured above would not work on that release either. The hacker would have to have had a login on your site to get to that page. Given the other log entries, I do not think he did. Those are all login failures with various password attempts.
  • I'm working with the hosting provisioner, Media Temple, to look for the point of entry. Their hosting has had continual issues with exploits over the last few months.

    I'll keep this thread updated as I learn more.

    Thank you.
  • The perpetrators are back and in force. However, I'm posting the raw server logs, with the domain changed, in the hope that someone can analyze their system of attack.

    41.201.195.5 - - [02/Sep/2010:13:03:07 -0700] "GET /mywebsite.com/photos/zp-core/admin.php HTTP/1.1" 200 1114 "http://www.google.fr/search?q=intitle:"zenphoto+administration"&hl=fr&ei=1AKATKPpHcmN4gau6KzTCw&start=60&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:12 -0700] "GET /mywebsite.com/photos/zp-core/admin.css HTTP/1.1" 200 32564 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:12 -0700] "GET /mywebsite.com/photos/zp-core/js/zenphoto.js HTTP/1.1" 200 402 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:12 -0700] "GET /mywebsite.com/photos/zp-core/js/toggleElements.css HTTP/1.1" 200 1778 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:12 -0700] "GET /mywebsite.com/photos/zp-core/js/jqueryui/jquery_ui_zenphoto.css HTTP/1.1" 200 27782 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:13 -0700] "GET /mywebsite.com/photos/zp-core/js/admin.js HTTP/1.1" 200 7964 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:13 -0700] "GET /mywebsite.com/photos/zp-core/js/jquery.tooltip.js HTTP/1.1" 200 7182 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:13 -0700] "GET /mywebsite.com/photos/zp-core/js/colorbox/colorbox.css HTTP/1.1" 200 3015 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:13 -0700] "GET /mywebsite.com/photos/zp-core/js/colorbox/jquery.colorbox-min.js HTTP/1.1" 200 8762 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:13 -0700] "GET /mywebsite.com/photos/zp-core/images/zen-logo.png HTTP/1.1" 200 1748 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:13 -0700] "GET /mywebsite.com/photos/zp-core/c.php?i=226f927bd4 HTTP/1.1" 200 3703 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:14 -0700] "GET /mywebsite.com/photos/zp-core/images/reset.png HTTP/1.1" 200 229 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:12 -0700] "GET /mywebsite.com/photos/zp-core/js/jquery.js HTTP/1.1" 200 160712 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:03:12 -0700] "GET /mywebsite.com/photos/zp-core/js/jqueryui/jquery_ui_zenphoto.js HTTP/1.1" 200 221159 "http://www.mywebsite.com/photos/zp-core/admin.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:11 -0700] "GET /mywebsite.com/photos/zp-core/admin-edit.php?page=edit HTTP/1.1" 302 20 "http://www.google.fr/search?q=intitle:"zenphoto+administration"&hl=fr&ei=6wKATMaeFcPU4wbG6JjTCw&start=70&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:12 -0700] "GET /mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-edit.php%3Fpage%3Dedit HTTP/1.1" 200 1122 "http://www.google.fr/search?q=intitle:"zenphoto+administration"&hl=fr&ei=6wKATMaeFcPU4wbG6JjTCw&start=70&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:13 -0700] "GET /mywebsite.com/photos/zp-core/admin.css HTTP/1.1" 206 25304 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-edit.php?page=edit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:16 -0700] "GET /mywebsite.com/photos/zp-core/js/colorbox/jquery.colorbox-min.js HTTP/1.1" 200 8762 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-edit.php?page=edit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:16 -0700] "GET /mywebsite.com/photos/zp-core/c.php?i=1e7db521ca HTTP/1.1" 200 3668 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-edit.php?page=edit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:17 -0700] "GET /mywebsite.com/photos/zp-core/js/admin.js HTTP/1.1" 200 7964 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-edit.php?page=edit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:17 -0700] "GET /mywebsite.com/photos/zp-core/js/zenphoto.js HTTP/1.1" 200 402 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-edit.php?page=edit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:17 -0700] "GET /mywebsite.com/photos/zp-core/js/jquery.tooltip.js HTTP/1.1" 200 7182 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-edit.php?page=edit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:14 -0700] "GET /mywebsite.com/photos/zp-core/js/jquery.js HTTP/1.1" 200 160712 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-edit.php?page=edit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:21 -0700] "GET /mywebsite.com/favicon.ico HTTP/1.1" 200 894 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:14 -0700] "GET /mywebsite.com/photos/zp-core/js/jqueryui/jquery_ui_zenphoto.js HTTP/1.1" 200 221159 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-edit.php?page=edit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:21 -0700] "GET /mywebsite.com/photos/zp-core/admin-themes.php HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:25 -0700] "GET /mywebsite.com/favicon.ico HTTP/1.1" 200 894 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:25 -0700] "GET /mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-themes.php HTTP/1.1" 200 1116 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:27 -0700] "GET /mywebsite.com/photos/zp-core/js/zenphoto.js HTTP/1.1" 200 402 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:27 -0700] "GET /mywebsite.com/photos/zp-core/js/jquery.tooltip.js HTTP/1.1" 200 7182 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:27 -0700] "GET /mywebsite.com/photos/zp-core/js/colorbox/jquery.colorbox-min.js HTTP/1.1" 200 8762 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:27 -0700] "GET /mywebsite.com/photos/zp-core/js/admin.js HTTP/1.1" 200 7964 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:27 -0700] "GET /mywebsite.com/photos/zp-core/c.php?i=3d0bd030ee HTTP/1.1" 200 3751 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:27 -0700] "GET /mywebsite.com/photos/zp-core/js/jquery.js HTTP/1.1" 200 160712 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
    41.201.195.5 - - [02/Sep/2010:13:04:27 -0700] "GET /mywebsite.com/photos/zp-core/js/jqueryui/jquery_ui_zenphoto.js HTTP/1.1" 200 221159 "http://www.mywebsite.com/photos/zp-core/admin.php?from=/zp-core/admin-themes.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722 FileDownloader"
  • This looks like just a bunch of page load attempts. What is in the Zenphoto security log? The above log appears to show that all the illicit attempts to access the back end were properly redirected to logon screens.
  • Here you go.

    2010-09-02 13:04:12 41.201.195.5 Pas d'accès [Echoué] /zp-core/admin-edit.php%3Fpage%3Dedit
    2010-09-02 13:04:24 41.201.195.5 Pas d'accès [Echoué] /zp-core/admin-themes.php
    2010-09-02 13:15:33 41.201.195.5 Pas d'accès [Echoué] /zp-core/admin-upload.php%3Falbum%3Dsomealbum
  • All is good. Zenphoto is prohibiting these attacks as it should. Short of blocking the IP from your server, there is not much you can do that has not already been done. Anyone can concoct a URL to your site and try to access it. That is the nature of the internet. But of course, no one but a logged-in user should be able to complete the transaction. That is what has been happening on your site.

    I suppose the hackers could have tried a similar ploy to write files to your site. That can be prevented only by having the proper strong file permissions in place.
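    The two log formats quoted in this thread lend themselves to a quick triage script. The following is an added example, not Zenphoto's code and not something any poster ran: it parses security-log lines in both spellings seen above (French "Pas d'accès"/"Site d'administration"/"Echoué" and English "Blocked access"/"Failed"; the success markers are an assumption), flags an IP that fails admin logins in a tight burst, and reads Apache combined-log lines to separate dork-driven probes that were bounced to the login page (302) from an admin page that actually served content (200), which is the one outcome that would mean a request got past authentication. The sample lines, IPs (RFC 5737 ranges) and domain are constructed.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample data patterned on the two log formats quoted in the thread.
SECURITY_LOG = """\
2010-09-01 19:42:36 203.0.113.7 Pas d'accès [Echoué] /zp-core/admin-users.php%3Fticket%3Dabc123%26user%3Ddriss
2010-09-01 19:43:00 203.0.113.7 Site d'administration driss [Echoué] casamar
2010-09-01 19:43:18 203.0.113.7 Site d'administration admin [Echoué] casamar
2010-09-01 19:43:24 203.0.113.7 Site d'administration admin [Echoué] admin
2010-09-01 19:43:32 203.0.113.7 Site d'administration admin [Echoué] casamar1882
2010-09-01 19:43:50 203.0.113.7 Site d'administration admin [Echoué] pi7v4
2010-09-01 19:44:09 203.0.113.7 Site d'administration [Echoué] utryq
2010-09-06 15:29:46 198.51.100.9 Blocked access Failed /zp-core/admin-themes.php%3Faction%3Dsettheme
"""
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.8) Gecko/20100722"
DORK = 'http://www.google.fr/search?q=intitle:"zenphoto+administration"&hl=fr'
ACCESS_LOG = f"""\
198.51.100.9 - - [02/Sep/2010:13:03:07 -0700] "GET /photos/zp-core/admin.php HTTP/1.1" 200 1114 "{DORK}" "{UA}"
198.51.100.9 - - [02/Sep/2010:13:04:11 -0700] "GET /photos/zp-core/admin-edit.php?page=edit HTTP/1.1" 302 20 "{DORK}" "{UA}"
198.51.100.9 - - [02/Sep/2010:13:04:21 -0700] "GET /photos/zp-core/admin-themes.php HTTP/1.1" 302 20 "-" "{UA}"
192.0.2.44 - - [02/Sep/2010:14:00:00 -0700] "GET /photos/zp-core/admin-themes.php HTTP/1.1" 200 5120 "http://gallery.example/photos/zp-core/admin.php" "{UA}"
"""

# Security log: "<date> <time> <ip> <action...> [<status>] <detail>". The status may or may
# not be bracketed (both forms appear in the thread); Réussi/Success are assumed spellings.
SEC_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<action>.*?) ?"
                    r"\[?(?P<status>Echoué|Failed|Réussi|Success)\]? (?P<detail>.*)$")
# Apache combined log. The referer is matched greedily because a Google dork referer
# contains unescaped double quotes, which breaks naive quote-splitting parsers.
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                       r'(?P<status>\d{3}) \S+ "(?P<referer>.*)" "(?P<ua>[^"]*)"$')


def parse_security_log(text: str) -> List[dict]:
    """One dict per parsable line; 'kind' is blocked_access (unauthenticated hit on an admin
    page), admin_login (login attempt; the thread reads 'detail' as the tried password) or other."""
    events = []
    for line in text.splitlines():
        m = SEC_RE.match(line)
        if not m:
            continue
        action, user = m["action"], None
        if action.startswith(("Pas d'accès", "Blocked access")):
            kind = "blocked_access"
        elif action.startswith("Site d'administration"):
            kind = "admin_login"
            user = action[len("Site d'administration"):].strip() or None
        else:
            kind = "other"
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "ip": m["ip"],
                       "kind": kind, "user": user, "detail": m["detail"],
                       "success": m["status"] in ("Réussi", "Success")})
    return events


def login_failure_bursts(events: List[dict], threshold: int = 5, window_s: int = 120) -> Dict[str, int]:
    """IPs with at least `threshold` failed admin logins inside any `window_s` span -> peak count."""
    per_ip: Dict[str, List[datetime]] = {}
    for e in events:
        if e["kind"] == "admin_login" and not e["success"]:
            per_ip.setdefault(e["ip"], []).append(e["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):                 # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def triage_access(text: str) -> Dict[str, dict]:
    """Per source IP: did a search dork bring them, which admin pages did they probe, and did
    any page other than the login form (admin.php) return 200 instead of a 302 to login."""
    report: Dict[str, dict] = {}
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m or "/zp-core/admin" not in m["path"]:
            continue
        page = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        r = report.setdefault(m["ip"], {"dork_referer": False, "admin_probes": [], "admin_200": []})
        if "intitle:" in m["referer"]:
            r["dork_referer"] = True
        if page != "admin.php":                       # hits on the login form itself are expected
            r["admin_probes"].append(page)
            if m["status"] == "200":
                r["admin_200"].append(page)
    return report


if __name__ == "__main__":
    print("login bursts:", login_failure_bursts(parse_security_log(SECURITY_LOG)))
    for ip, r in triage_access(ACCESS_LOG).items():
        print(ip, r)
```

    On the constructed data the first IP is flagged for six failed logins in just over a minute, the dork-referred probes of admin-edit.php and admin-themes.php show up with an empty `admin_200` list (they were redirected to the login page, as the comment above reads them), and only the second IP's 200 on admin-themes.php would warrant checking whose session that was.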
  • A follow-up post on this exploit. I contacted the security admin support for my provisioner, Media Temple, and they claimed that, once the perpetrators had access to the Zenphoto admin, they were able to upload altered themes to their intended target without FTP or SSH access. I'm only going by what they said - perhaps deflecting any blame on their part. However, it does appear that Zenphoto has been compromised on a lot of sites with different provisioners recently, by these same individuals. I just wish I knew their methodology of entry so it can be patched.

    Thanks for everyone's help.
  • acrylian Administrator, Developer
    If the file/folder permissions were set too low, that might happen, but it is not exactly the fault of Zenphoto.

    You say there have been more Zenphoto sites compromised. It would be interesting to know details about those (what version, what permissions).

    It is always possible that we missed something (it's software...). Anyway, I would suggest you inform your host to tell those users to immediately upgrade to our recent release (1.3.1.2).
  • You should be gravely concerned about the knowledge of Media Temple with respect to security (at least.)

    There is no provision in Zenphoto to upload themes. At best if a hacker gained admin rights to your site he could copy and edit a theme that you already had.

    But there is no indication that the hackers did get admin rights on your site. You could tell if there were a "new" admin you did not create. Since you have not mentioned that, I presume that there was not. So only if the hacker gained your user/password could he access your site without your knowing. That seems unlikely since the above log shows him trying to guess a user/password. Why would he do that if he already knew one?

    Most likely the cause of any breach is inadequate file permissions on the site.
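    A check for the "inadequate file permissions" point raised several times in this thread, as an added example that is not Zenphoto's code and not anything the posters ran: it walks an install tree, lists every directory and file that others can write, and strips that bit. On a shared host a world-writable theme folder lets any local account or neighbouring script drop a defaced theme without ever logging in to the admin. The miniature tree it scans is constructed in a temporary directory and its layout is only illustrative.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def world_writable(root: str) -> List[Tuple[str, str]]:
    """Return (path relative to root, octal mode) for every directory or regular file
    under root that is writable by 'others' (o+w). Symlinks are skipped, not followed."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                found.append((os.path.relpath(full, root), oct(stat.S_IMODE(mode))))
    return sorted(found)


def strip_other_write(root: str) -> int:
    """Remove the o+w bit from everything world_writable() reports; returns how many were fixed."""
    fixed = 0
    for rel, _ in world_writable(root):
        full = os.path.join(root, rel)
        os.chmod(full, stat.S_IMODE(os.lstat(full).st_mode) & ~stat.S_IWOTH)
        fixed += 1
    return fixed


def build_sample_install() -> str:
    """Constructed miniature gallery tree (hypothetical layout): most of it correctly
    restricted, one theme folder and one file left at the 'too low' 777/666 modes."""
    root = tempfile.mkdtemp(prefix="zp-demo-")
    directories = {"zp-core": 0o755, "albums": 0o755,
                   "themes/default": 0o755, "themes/stopdesign": 0o777}
    for rel, mode in directories.items():
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)      # chmod explicitly so the umask cannot interfere
    files = {"zp-core/admin.php": 0o644, "themes/stopdesign/theme.php": 0o666}
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    site = build_sample_install()
    for path, mode in world_writable(site):
        print(f"world-writable: {path} ({mode})")
    print(f"fixed {strip_other_write(site)} entries; remaining: {world_writable(site)}")
```

    Run against a real install the scan should be empty; anything it lists under a theme or core directory is a place an attacker could plant files with no Zenphoto login at all.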
  • Actually, the perpetrators were able to gain access to manage the admin prior to updating to 1.3.1.1, with version 1.2.9. I had to go into phpMyAdmin and wipe the user.

    I had to take additional security measures and block all traffic from all of Morocco with .htaccess. All had been quiet for the past few days, but failed attempts are showing up now originating out of France and Bulgaria. Since this site only really benefits the North American and English-speaking countries, I'm going to block access from all the former Soviet bloc nations as well, and mainland China.

    A few more logs to help you analyze attempted incursions.

    2010-09-06 11:11:31 78.246.80.48 Pas d'accès [Echoué] /zp-core/admin-themes.php%3Faction%3Dsettheme%26themealbum%3D%26theme%3Dstopdesign
    2010-09-06 15:29:46 76.167.243.98 Blocked access Failed /zp-core/admin-themes.php%3Faction%3Dsettheme%26themealbum%3D%26theme%3Dstopdesign

    Thank you.
  • acrylian Administrator, Developer
    Thanks for the update. These are hard measures for all normal surfers from those countries...