Ebay Spoof - Site Hacked
April 3rd, 2007, 08:00 AM
Need help! Gallery (5.6.2) has been hacked. It looks like they are exploiting uploadphoto.php. In the uploads directory they were able to upload a php and html file. In addition, I don't have file permissions for either file since they were CHMOD 600. Before contacting our webhost to delete the directory I thought you may want to see.
April 3rd, 2007, 08:05 AM
What is odd is that I don't see any links to a rogue site.
April 3rd, 2007, 09:07 AM
I do not see any way in any form that they are uploading a php file through Photopost and there is no evidence of this at all. Your uploads directory is 777 which has to be set so to allow file uploads to it. Your hacker could get in through many doors on your site and find a directory that is 777 to dump that file in.
The only way he would be able to upload a PHP file is if you allowed it by setting it as a multimedia type. Like the next guy said, where is the hacking? You can safely just clear out all directories beneath the uploads directory and you should be fine.
April 3rd, 2007, 10:47 AM
Chuck, thank you for looking into it. Currently, the gallery does not allow multimedia files, and I jumped the gun when I saw php files inside the upload directory and assumed they got there from the upload script. I had our host remove the directories. Currently, I am speculating the exploit is from a mail form script and not photopost.
April 3rd, 2007, 11:17 AM
Yeah, Michael had something like this a while back and it turned out to be one of his vb hacks that one uses off of vbulletin.org, so it's pretty common for hackers to break in and dump stuff in a directory that is 777.
Being that this specific hacker dumped it in that specific upload directory I would speculate it is that specific user.
April 3rd, 2007, 06:34 PM
My server was hacked using a version of FlashChat... they put files all through my website directory structure..
April 4th, 2007, 12:41 PM
No Flash Chat Installed. The hacks I have installed are
Add PhotoPost Pro to each forum
Separate Sticky and Normal Threads
vBSEO :: Conditional Signatures
VB Spell Check
I believe the exploit might be coming from a mail form script "PHPforms" which I removed. So far so good and no new files created. That said maybe they haven't been back either.
April 4th, 2007, 03:55 PM
firefox told me your site was dodgy... suspected something or other...
April 9th, 2007, 09:43 AM
"Being that this specific hacker dumped it in that specific upload directory I would speculate it is that specific user."
So would 3670 be the User ID in the VB user table?
April 9th, 2007, 10:59 AM
yes that is the userid thing but if you removed php forms and no new occurrences just keep an eye on things
April 9th, 2007, 11:05 AM
It has been quiet on the home front since removing the forms. More of just an fyi...
May 25th, 2007, 01:56 PM
I've been battling this off and on again for the last month on another site. I found the following http://www.scrollsawer.com/gallery/templates/cmd.php. Since the file is 600 I'm going to have the webhost download for forensics and delete from the server. Does this provide any info on PhotoPost's end?
May 25th, 2007, 01:59 PM
Not really. Your templates directory is not 777, so unless you have set that directory to be uploadable then that file could not get there. I would suspect someone has uploaded that file through a security hole in some vb hack you have installed and they then use that script to upload other files to your site.
May 25th, 2007, 02:16 PM
The template directory is 777 according to the install instructions. Should I set it to something else?
images (chmod 755)
uploads (chmod 777)
help (chmod 755)
data (chmod 777)
1 (chmod 777 - including subdirectories)
2 (chmod 777 - including subdirectories)
500 (chmod 777 - including subdirectories)
languages (chmod 755) (a
stylesheets (chmod 777)
templates (chmod 777)
forums (chmod 755)
May 25th, 2007, 05:14 PM
Those are the templates themselves not the directory ;)
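
A read-only audit for the condition discussed in this thread (PHP files turning up in directories that are chmod 777, with mode 600), as an added example that is not part of the original posts or PhotoPost's code. The function names, the file extensions checked and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_webroot ROOT  (hypothetical helper; only reads, never changes anything)
# Prints one finding per line:
#   WW_DIR <dir>             directory writable by every local user (e.g. 777)
#   SCRIPT_IN_WW_DIR <file>  PHP script sitting directly in such a directory
#   OWNER_ONLY <file>        PHP script with mode 600, like the files in the thread
audit_webroot() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # World-writable directories, and any PHP scripts directly inside them.
    find "$root" -type d -perm -0002 -print | while IFS= read -r dir; do
        printf 'WW_DIR %s\n' "$dir"
        find "$dir" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' \) -print |
        while IFS= read -r file; do
            printf 'SCRIPT_IN_WW_DIR %s\n' "$file"
        done
    done

    # Scripts readable only by their owner: when that owner is the web server
    # account, the site owner cannot even inspect them, as described above.
    find "$root" -type f -name '*.php' -perm 0600 -print |
    while IFS= read -r file; do
        printf 'OWNER_ONLY %s\n' "$file"
    done
}

# Constructed sample tree mirroring the layout mentioned in the thread:
# uploads/<userid> is 777, images and templates are 755.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/uploads/3670" "$t/images" "$t/templates"
    chmod 777 "$t/uploads" "$t/uploads/3670"
    chmod 755 "$t/images" "$t/templates"
    : > "$t/uploads/3670/photo.jpg"
    : > "$t/uploads/3670/dropped.php"; chmod 600 "$t/uploads/3670/dropped.php"
    : > "$t/templates/index.php";      chmod 644 "$t/templates/index.php"
    printf '%s\n' "$t"
}

# Usage: audit_webroot /path/to/gallery
```

Running it from cron and comparing the output with the previous run shows when a new script appears in a writable directory.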