ZenphotoCMS Forum
Security Bug? - Printable Version

Forum: Support > General support (https://forum.zenphoto.org/forum-4.html)
Thread: Security Bug? (/thread-4697.html)


Security Bug? - PashaXIII - 16-02-2009

Hi

Can you please look at here: http://www.miliwoman.com/

Press on links in LATEST UPDATED GALLERIES

I guess someone hacked Zen and added this to the album paths:

栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀

And such crappy URLs are output through this function only:


http://www.miliwoman.com/%E6%A0%80%E7%90%80%E7%90%80%E7%80%80%E3%A8%80%E2%BC%80%E2%BC%80%E7%80%80%E6%84%80%E6%9C%80%E6%94%80%E6%84%80%E6%90%80%E3%88%80%E2%B8%80%E6%9C%80%E6%BC%80%E6%BC%80%E6%9C%80%E6%B0%80%E6%94%80%E7%8C%80%E7%A4%80%E6%B8%80%E6%90%80%E6%A4%80%E6%8C%80%E6%84%80%E7%90%80%E6%A4%80%E6%BC%80%E6%B8%80%E2%B8%80%E6%8C%80%E6%BC%80%E6%B4%80%E2%BC%80%E7%80%80%E6%84%80%E6%9C%80%E6%94%80%E6%84%80%E6%90%80%E2%BC%80%E7%8C%80%E6%A0%80%E6%BC%80%E7%9C%80%E5%BC%80%E6%84%80%E6%90%80%E7%8C%80%E2%B8%80%E6%A8%80%E7%8C%80/Germany/Army

Other paths are fully OK.

And I cannot find this in the Admin panel; I can remove it through the database only.

Very strange




Security Bug? - acrylian - 16-02-2009

Very strange indeed. What does the function itself in the album_image_plugin.php file look like? If that has been altered by someone you should be able to remove this by overwriting that file with the actual one. Also please read this:
http://www.zenphoto.org/2008/08/troubleshooting-zenphoto/#29




Security Bug? - PashaXIII - 16-02-2009

Thanks for the quick response.

I have no such file at all: album_image_plugin.php

And yep, I set 660 for files / 770 for directories.




Security Bug? - acrylian - 16-02-2009

Sorry, the file is actually named image_album_statistics.php; I thought you would know/see what I mean. It's within zp-core/plugins.

I would also suggest you contact your host about that. It may be the case that the hack took place via your account or the server in general and not via zenphoto. Please also read this recent thread: http://www.zenphoto.org/support/topic.php?id=4656




Security Bug? - PashaXIII - 16-02-2009

Checked image_album_statistics.php, it is fully correct, nothing changed...

It looks like someone added info directly into the database.

> I would also suggest you contact your host about that

Unfortunately it's not a host, it is a dedicated server :-)




Security Bug? - PashaXIII - 16-02-2009

May it be some kind of SQL injection? Or something similar?




Security Bug? - PashaXIII - 16-02-2009

Screenshot from the DB:

http://pixhost.ws/avaxhome/b5/2e/000b2eb5.png

And I can delete all this strange info through the database only.




Security Bug? - sbillard - 16-02-2009

The link you posted above leads to an album which displays, so there must be a folder on your server with that name. This means that someone has hacked your filesystem.




Security Bug? - PashaXIII - 16-02-2009

> This means that someone has hacked your filesystem.

I'm sorry, but no, the albums directory does not contain any folder with the name:

栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀

The directory structure is not touched at all.

Changes take place in the DB only.

I hope that it is my mistake and ZenPhoto has no security bugs.




Security Bug? - olihar - 16-02-2009

You were not playing around with UTF-16? I got some similar strange things when I did that the other day.




Security Bug? - sbillard - 16-02-2009

Zenphoto is folder/file based. If there is no folder then it cannot find files from the folder and will show nothing. So, somehow that is being treated as a folder by your filesystem.




Security Bug? - PashaXIII - 17-02-2009

olihar
> you were not playing around with UTF-16. I got some similar strange things when I did that the other day.

I'm not playing with UTF-16 or anything similar; the character encoding in the Admin panel is set to UTF-8.

sbillard
I have such paths in the DB ONLY (zp_albums table):

栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀
/Austria/Police

栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀/Denmark/Army

There are no such Chinese folders at all. And these paths appear for printLatestUpdatedAlbums ONLY. So if this is not a security bug I do not know what it is...




Security Bug? - PashaXIII - 17-02-2009

Unfortunately this shit continues.

I changed all possible passwords, checked file/directory permissions etc.

But it doesn't help




Security Bug? - acrylian - 17-02-2009

Maybe the mysql-account has been hacked then? Is there anything strange in your server logs? I currently don't see that the function printLatestUpdatedAlbums() could be the cause as this function just returns what is already in the database. But we of course need to find that out.




Security Bug? - PashaXIII - 17-02-2009

> Maybe the mysql-account has been hacked then?

It is very doubtful. MySQL uses only an internal IP, and it looks especially strange after I changed all passwords.

Someone found a way to add data in zp_albums table:

http://pixhost.ws/avaxhome/b5/2e/000b2eb5.png

and printLatestUpdatedAlbums() perceives these rows as Latest Updated Albums and displays them.




Security Bug? - acrylian - 17-02-2009

Well, we really need to find out the way this data gets into your database. I really doubt it is the printLatestUpdatedAlbums function; the leak must be somewhere else.




Security Bug? - PashaXIII - 17-02-2009

> Well, we really need to find out the way this data gets into your database.

Thank you, maybe this can affect many ZenPhoto installations.

> I really doubt it is the printLatestUpdatedAlbums function the leak must be somewhere else.

Yep, it just reads and outputs data.

The attack continues, here is part of a dump with new "hack" records:

http://www.miliwoman.com/dump.sql

Too much work for a human, I guess some "hacker script" does this.

Maybe it helps.

P.S.
Maybe give the zp_albums table read-only rights? And change it before a gallery update.




Security Bug? - PashaXIII - 18-02-2009

Yes it's already fixed, but anyway here it is:

http://www.xakep.ru/post/41761/Zenphoto-SQL-Injection-Exploit.txt

Looks like someone found a similar vulnerability :-(




Security Bug? - PashaXIII - 18-02-2009

Found another strange regularity, whenever I open a URL like this one:

http://www.miliwoman.com/%E6%A0%80%E7%90%80%E7%90%80%E7%80%80%E3%A8%80%E2%BC%80%E2%BC%80%E7%80%80%E6%84%80%E6%9C%80%E6%94%80%E6%84%80%E6%90%80%E3%88%80%E2%B8%80%E6%9C%80%E6%BC%80%E6%BC%80%E6%9C%80%E6%B0%80%E6%94%80%E7%8C%80%E7%A4%80%E6%B8%80%E6%90%80%E6%A4%80%E6%8C%80%E6%84%80%E7%90%80%E6%A4%80%E6%BC%80%E6%B8%80%E2%B8%80%E6%8C%80%E6%BC%80%E6%B4%80%E2%BC%80%E7%80%80%E6%84%80%E6%9C%80%E6%94%80%E6%84%80%E6%90%80%E2%BC%80%E7%8C%80%E6%A0%80%E6%BC%80%E7%9C%80%E5%BC%80%E6%84%80%E6%90%80%E7%8C%80%E2%B8%80%E6%A8%80%E7%8C%80/Hong.Kong/

2 rows with these paths appear in the zp_albums table.




Security Bug? - PashaXIII - 18-02-2009

Looks like an Easter egg ))

If someone opens this link, 93 rows appear in the zp_albums table, all my albums.

http://www.miliwoman.com/%E6%A0%80%E7%90%80%E7%90%80%E7%80%80%E3%A8%80%E2%BC%80%E2%BC%80%E7%80%80%E6%84%80%E6%9C%80%E6%94%80%E6%84%80%E6%90%80%E3%88%80%E2%B8%80%E6%9C%80%E6%BC%80%E6%BC%80%E6%9C%80%E6%B0%80%E6%94%80%E7%8C%80%E7%A4%80%E6%B8%80%E6%90%80%E6%A4%80%E6%8C%80

Yep, I was right, this is an Easter egg:

http://www.zenphoto.org/zenphoto/%E6%A0%80%E7%90%80%E7%90%80%E7%80%80%E3%A8%80%E2%BC%80%E2%BC%80%E7%80%80%E6%84%80%E6%9C%80%E6%94%80%E6%84%80%E6%90%80%E3%88%80%E2%B8%80%E6%9C%80%E6%BC%80%E6%BC%80%E6%9C%80%E6%B0%80%E6%94%80%E7%8C%80%E7%A4%80%E6%B8%80%E6%90%80%E6%A4%80%E6%8C%80

or

http://www.zenphoto.org/zenphoto/%E6%A0%80%E7%90%80%E7%90%80%E7%80%80%E3%A8%80%E2%BC%80%E2%BC%80%E7%80%80%E6%84%80%E6%9C%80%E6%94%80%E6%84%80%E6%90%80%E3%88%80%E2%B8%80%E6%9C%80%E6%BC%80%E6%BC%80%E6%9C%80%E6%B0%80%E6%94%80%E7%8C%80%E7%A4%80%E6%B8%80%E6%90%80%E6%A4%80%E6%8C%80/impressionists/Monet+-+sunrise.jpg.php

The links work pretty fine.

It even works with ZenPage:

http://zenpage.maltem.de/%E6%A0%80%E7%90%80%E7%90%80%E7%80%80%E3%A8%80%E2%BC%80%E2%BC%80%E7%80%80%E6%84%80%E6%9C%80%E6%94%80%E6%84%80%E6%90%80%E3%88%80%E2%B8%80%E6%9C%80%E6%BC%80%E6%BC%80%E6%9C%80%E6%B0%80%E6%94%80%E7%8C%80%E7%A4%80%E6%B8%80%E6%90%80%E6%A4%80%E6%8C%80/Screenshots/Admin-backend/
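As an added example (not code from this thread or from Zenphoto), the audit a defender could run over the zp_albums rows discussed above: it decodes the "Chinese" folder name as ASCII stored in the high byte of each 16-bit unit (the UTF-16 mix-up olihar alludes to), and flags rows whose top-level folder has no directory on disk, which sbillard notes a real Zenphoto album must have. The sample rows and directory names are constructed; only the folder string itself is the one quoted in the thread.

```python
from urllib.parse import unquote

# Constructed sample rows shaped like zp_albums (id, folder). Rows 3 and 4 reuse
# the "Chinese" folder name quoted in the thread; none are the poster's real rows.
INJECTED = "栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀"
SAMPLE_ROWS = [
    (1, "Austria/Police"),
    (2, "Germany/Army"),
    (3, INJECTED + "/Austria/Police"),
    (4, INJECTED + "/Denmark/Army"),
    (5, "Hong.Kong"),
]
# Constructed: top-level directories actually present under albums/.
SAMPLE_DIRS = {"Austria", "Germany", "Denmark"}


def unpack_high_byte_ascii(text):
    """Recover ASCII stored one byte per 16-bit unit in the HIGH byte, i.e.
    'h\\0t\\0t\\0p\\0' read as UTF-16 big-endian (U+6800, U+7400, ...).
    Returns the ASCII string, or None if any character does not fit that shape."""
    out = []
    for ch in text:
        low, high = ord(ch) & 0xFF, ord(ch) >> 8
        if low != 0 or not 0x20 <= high < 0x7F:
            return None
        out.append(chr(high))
    return "".join(out) if out else None


def decode_album_url_path(url):
    """Percent-decode the path of a gallery URL and pair each segment with the
    smuggled ASCII it hides (None for a normal segment such as 'Germany')."""
    after_host = url.split("://", 1)[-1]
    path = after_host.split("/", 1)[1] if "/" in after_host else ""
    segments = [s for s in unquote(path).split("/") if s]
    return [(seg, unpack_high_byte_ascii(seg)) for seg in segments]


def audit_albums(rows, existing_top_dirs):
    """Flag zp_albums rows whose top-level folder is smuggled ASCII or has no
    directory on disk (Zenphoto is folder based, so a real album needs one)."""
    findings = []
    for row_id, folder in rows:
        top = folder.split("/", 1)[0]
        smuggled = unpack_high_byte_ascii(top)
        if smuggled is not None:
            findings.append((row_id, "smuggled-ascii", smuggled))
        elif top not in existing_top_dirs:
            findings.append((row_id, "no-directory", top))
    return findings
```

Feed `audit_albums` the real rows (`SELECT id, folder FROM zp_albums`) and `os.listdir` of the albums directory to get the list of rows to delete.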