December 28th, 2006, 11:07 AM   #1
ryand789
Appears My PhotoPost Has Been Hacked!

After we upgraded to 5.62 (the latest, latest version of it), on December 26th, somebody somehow uploaded files through PhotoPost that created an IRC channel program on our server (and ran it).

It was in this folder:

htdocs/photo/uploads/398515/

There were files like mybot.jpg, mybot.jpg~, iroffer.zip, xh, hira.txt, and more. I can't attach them here because they are too big. I can e-mail them to you though. Tell me where to e-mail them.

Appears to be this program: http://iroffer.org/

Also, the mybot.jpg file was a 4kb file that did not work when I tried to "view" it, and it contains this in it:

strings mybot.jpg
IRFR
@iroffer v1.4.b01 [20040901211948], Linux 2.6.9-22.ELsmp

Obviously, I am very concerned about this situation and we need to know how to fix it quick!

FYI, we do not allow zip uploads.

The user that uploaded it (or at least the userid of the uploads directory where the files were) appears to be a good user that started their account in October and uploaded legitimate files at first. So maybe their account was hacked first, or the hacker somehow uploaded to their directory.

More info, in case you are wondering:

Server version: Apache/2.0.52
Red Hat Enterprise Linux ES release 4 (Nahant Update 4)
We are on the latest updates of the OS

http://forum.bodybuilding.com/photo

Please help! I don't want to wait until it happens again. We removed the program and it doesn't appear it did anything negative except act as a relayer or something for an IRC chat channel.

Ryan