illegal w4577760282986243.php

Recently (1 day ago) I discovered the file in my zenphoto installation.
This file is a file manager written in PHP.
I'm investigating how the crackers installed those files in a different directory of my zenphoto gallery.
I'm sure that the crackers used HTTP to upload the code, but the Apache log files report very little information. The same goes for the zenphoto logs.

Comments

  • acrylian Administrator, Developer
    If you are/were on an older Zenphoto release than 1.4.1.6, please see the news section's security category.

    Also make sure you set all file/folder permissions correctly. Setup will note that; there is also info in the troubleshooting section.
  • an update:

    I've found an illegal plugin for tiny_mce (zenphoto/zp-core/zp-extensions/tiny_mce/plugins): ajaxfilemanager

    cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    net134 (134):/home/httpd/cometadihalley.net/log# grep ajaxfilemanager *
    cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 200 33 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php?truecss=1 HTTP/1.1" 200 133 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.41.14.146 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:25:35 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1&truecss=1 HTTP/1.1" 200 1162 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 1164 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log:31.133.38.14 - - [20/Dec/2011:14:27:42 +0100] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)"
    cometadihalley.net.access.log.1:31.41.13.204 - - [15/Dec/2011:09:39:58 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?showimg=1&cookies=1&truecss=1 HTTP/1.1" 404 11592 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
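A defender-side check for the pattern in the grep output above, added here as an example; it is not from the original post or from Zenphoto. It parses Apache combined-format lines (with or without the filename prefix grep adds), flags successful POSTs to the ajaxfilemanager plugin directory and any file served from that directory that is not part of the plugin, and groups hits by client IP. The list of legitimate plugin files, the sample lines and the RFC 5737 addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format. An optional "file:" prefix (what grep prepends
# when searching several log files, as in the post) is skipped.
LOG_RE = re.compile(
    r'^(?:[^:\s]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption for this example: these are the plugin's own scripts; anything
# else answered with 200 from its directory is a foreign (dropped) file.
KNOWN_FILES = {"ajax_create_folder.php", "data.php", "class.images.php"}
PLUGIN_DIR = "/ajaxfilemanager/"

# Constructed sample, modelled on the lines in the post (addresses replaced).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2011:07:38:29 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 200 33 "-" "Mozilla/4.0"
203.0.113.5 - - [20/Dec/2011:07:38:30 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 139 "-" "Mozilla/4.0"
198.51.100.9 - - [20/Dec/2011:14:27:42 +0100] "GET /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.imagess.php HTTP/1.1" 200 22816 "-" "Mozilla/4.0"
198.51.100.9 - - [15/Dec/2011:09:39:58 +0100] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?showimg=1 HTTP/1.1" 404 11592 "-" "Mozilla/4.0"
192.0.2.44 - - [20/Dec/2011:10:00:00 +0100] "GET /zenphoto/index.php?album=holiday HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return a finding label for one parsed entry, or None if uninteresting."""
    path = entry["path"].split("?", 1)[0]          # drop the query string
    if PLUGIN_DIR not in path:
        return None
    status = int(entry["status"])
    name = path.rsplit("/", 1)[-1]
    if name not in KNOWN_FILES and status == 200:
        return "unknown file served from plugin dir"   # e.g. class.imagess.php
    if entry["method"] == "POST" and 200 <= status < 300:
        return "successful POST to file manager (write/upload capable)"
    return "probe of file manager (status %d)" % status

def scan(lines):
    findings = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        label = classify(e)
        if label:
            findings[e["ip"]].append((e["ts"], e["method"], e["path"], label))
    return dict(findings)
```

Running scan() over the real access logs and comparing the "unknown file" hits against the installed files is a quick way to list what was dropped and from where.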
  • acrylian Administrator, Developer
    No, not "illegal". Again, please see the news section, all already known and documented...
  • The gallery version is the latest: 1.4.1.6 (8326).
    Permissions verified and compared with the troubleshooting section, and they seem to be OK.
    I've had a look at http://www.zenphoto.org/news/ajax-filemanager-returns because it reports a warning about the files I've found as a tiny_mce plugin.

    It could be a good idea to verify and (if not essential) disable the plugin.
  • acrylian Administrator, Developer
    If you read that article correctly you will note that it speaks of 1.4.2... In 1.4.1.6 there is no ajax file manager anymore for the reasons you encountered (actually that is the only change between 1.4.1.5 and 1.4.1.6 at all). If it is still there you did not upgrade correctly.

    Anyway, proper server permissions should not even allow accessing these files.

    So again, see the security category articles and the forum topics linked there about these hacks (assuming it is the same).