As said it might be that all these hacks are coincidence and not even related. We don't know. It is always possible that someone hacked into the server itself (and not just your webspace if on shared host). That happens occasionally even on major hosts (a few weeks to a German one if I recall right).

Also a hacked computer system or infected browser and numerous other things could be involved. Or third party scripts like analytics or ads maybe a way, too.

Best contact your provider if you have suspicion that happened.

@huscste: To check if the db has been corrupt you can only do one thing: Look into it..
If you have a db backup using our tool and not much changed you could revert to the status before the hack.

@acrylin: i've contacted my webprovider to inform-it. For my datas, it's not a very big problem...

I would like to know if this security issue effects older versions such as 1.26? Does anyone know if that is the case?

No need to double post. Anyway, the 2nd security alert article has now that info. Bascically all release since 1.2.4 include the file manager was first used by the Zenpage CMS plugin only. The plugin itself existed independently since Zenphoto 1.2.1.

This makes me think the hacks maybe are not directly related to the file mananager. Nevertheless the deletion is a good idea.

hi @acrylian... perhaps, it's preferable to create a new archive that contains the ultime version + the tinymce replacements. no?!

Hi people i've been hacked through that security hole in tiny_mce:

92.63.104.34 - - [09/Nov/2011:07:57:00 -0300] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 181 "-" "User-Agent: Mozilla/5.0 (Windows; u; Windows nt 5.1; en-us; rv:1.9.1.5) gecko/20091102 firefox/3.5.5 gtb5"

82.146.43.62 - - [09/Nov/2011:18:28:38 -0300] "POST /zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php?truecss=1 HTTP/1.1" 200 181 "-" "User-Agent: Mozilla/5.0 (Windows; u; Windows nt 5.1; en-us; rv:1.9.1.5) gecko/20091102 firefox/3.5.5 gtb5"

I had several POST attacks (it allows to upload files as i saw in (devilscoffee)

They've changed every single .php /.js files with a malicious code.

Also they've reach the .htaccess file and added some crazy rules to redirect.

Now i'm flagged by google, that hole killed my wordpress, joomla, zencart and zenphoto installations.

Now i'm trying to get back with all, this is a huge whole.

Here is what seems to be happening.

1. The AJAX File Manager has a number of vulnerabilities. Through the class.images.php and the ajaxfilemanager.php and maybe more.

2. When exploiting these files a hacker is able to insert their own code into the Ajax File Manager data.php and/or write out their own files by dynamically inserting PHP functions into the script due to the way the AJAX File Manager handles a POST request.

3. Hackers can install a PHP Shell Script which can access every file on your webserver.

4. Their shell script will add code to the top of every file on your webserver (infect every PHP file on the server) and also possible infect your .htaccess files as well. There are different variations of the attack that do different things.

5. Their shell script will install a number of other PHP files that they can access directly to regain access to your server even after you delete the Ajax File Manager and clean all of the infected files where code has been added to them.

6. You may notice files such as tmp_989089080.php or other unknown files that you need to delete as well.

7. If you host multiple domains or WordPress installs under a single account chances are these websites will be infected too.

What to do about it? How to fix it?

1. Delete the zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager directory

2. Restore all of your website(s) files from a backup because they all have been infected.

If you don't have a backup you will need to delete Zen Photo completely a reinstall (make sure you delete the ajaxfilemanager directory if you reinstall)

3. If you have WordPress or other sites hosted (and no backups) you will need backup your wp-content folder ... then delete all the WordPress files, reinstall. AND GO THROUGH EACH FILE in wp-content to remove the code inserted at the top of every PHP file before restoring the wp-content folder.

4. You will need to go through each and every folder on your server or hostign account to remove any additional files and shell scripts that were installed by the exploit. Files such as tmp_989809809.php etc ...

5. IMPORTANT
   You will need to change the passwords of your databases for any website you host that has been infected. The exploit allows the hacker to view the source code on the config files, thereby they know what your database passwords are. This would allow them to continue to regain access through PHPMyAdmin etc. even if you cleaned everything. You need to change your passwords!!

6. If you have Shell access to your server you can run the following commands to see if you have cleaned everything or help you clean everything:

7. Part of the attack might allow the hacker to gain access to your browser Cookie and Session info so in conjunction with the infected files they will be notified when you login to your Zen Photo Admin or other Admin tools and might be able to hijack your session to gain access to the admin without knowing your actual password. So clear your cookies and reset your Admin passwords. I don't see this happening but it is a possibility.

Run these commands from the top directory on your server or hosting account:

This will show you all the files on your webserver that have been infected and need to be cleaned:

grep -r -H "lb11" *

(looks for the string 'lb11' in every file - infected files have this inserted into them) You can substitute 'lb11' with other strongs that the hacker might have inserted into your code. For example:

grep -r -H "eval(base64_decode" *

Use the find command to show additional files that may have been installed on your server:

find / -name tmp*

Use the find command to show files that have been modified in the last day (these would be the files that have been infected or added):

find . -type f -mtime -1

Look in your access log files for suspicious activity and Ban those IP addresses:

cat access.log | grep ajaxfilemanager
cat access.log | grep ".php"

Hope this info helps ...

Thanks, that is a great analysis. I will link that on our news section.

@hucste:

Quote:perhaps, it's preferable to create a new archive that contains the ultime version + the tinymce replacements. no?!
We could provide a download of the TinyMCE plugin corrected. A real new release 1.4.1.6 is not possible at the moment in case you meant that.

The 1.4.2 beta nightly of the coming night at least will have the fix.

Thanks jest3r- :

about the point 5, also, if you can change BD user ... do-it !

Ok, thanks jest3r-, good idea to change the database password too. My provider says that there is not such a risk, but it souds strange to me.
My db was not affected though.
I have upgraded and followed the other instructions for ajax and tinymce, I hope it will be ok now. Luckely I'm not on google blacklist so far.
I've also changed ftp password, though I dunno wheter or not it was stolen too, couse of course it was not stored in any of the zenpphoto files.

I've some minor issues, as always after a long time needed update, but I'll deal with them later on.

bic: if their exploit can infect every file on your server that means it can read those files too. Typically what happens is a robot scans millions of websites and when it finds a vulnerability it "quietly" creates a backdoor and notifies whomever is running the robot.

If that person then follows up .. perhaps a few days later ... they will have access to your files. That's why the damage reports are so different from everyone. Depends on what stage of the "attack" you are in.

They wouldn't be able to get your FTP password ... but the config files all contain your database passwords in plain text which is readable by the hacker on an infected website.

So change your passwords!!

Thanks again jest3r-,
Probaly I was at an early stage of the attack. The .php files where changed yesterday afternoon (Europe time) and .htaccess yesterday evening. I have not shell access on my server but made a search via ftp and I didn't find any temp files, should I ask the provider for a deeper search?
I made the search after deleting zenphoto core and reinstalling but leaving albums and chache plus some folders not pertinent to zenphoto

For people with custom themes:
I repaired mine in a few seconds with the great function "search and replace in files" by notepad++

Do the latest builds from last night include this fix?

No, tonights will. But caution that nightly is now 1.4.2 beta (as announced some days ago). Since a few things change you might run into trouble. Just replace the tiny_mce plugin with the one now provided on the post (and download page) or remove it yourself.

Vulnerable websites are apparently found using this search in Google:
"tiny_mce/plugins/ajaxfilemanager"

Here is a page showing how to find and hack vulnerable websites.
http://www.devilscafe.in/2011/10/tinymce-ajaxfilemanager-remote-file.html#.TrzfxUPz2dA

Part of the problem is due to Google who managed to find and index these paths (the question is how?).
Maybe this should be added to the robots.txt file: Disallow:scripts Disallow:plugins Disallow:jscripts as Disallow: /zp-core/`
is apparently not enough.

The good search engine crawlers respect those setting but I am not convince those with bad intentions do as well. I think that with the right permissions these directories should not be indexable at all.

Another attention, please, with this hack, it's possible to upload image .jpg... and by this way, it's possible to obtain control to the visitor station, if a potentially victim download this image modified.

In fact, not considere that yours albums are clean!

Prefere delete all ... and after reinstall zenphoto with 1.4.1.6, upload yours images jpg - thoses are you sure that cleaned, protected.

PS : excuse-me for my very poor english...

Good point. Btw, your English is for sure better than my French..;-)