vBGallery clean script Discussions


Delw
January 9th, 2008, 01:19 AM
Thanks Scott and everyone who worked on this

Delw

Delw
January 9th, 2008, 01:25 AM
Scott it comes over as a blank folder. no files in that download
the one from the members licences section

ScottW
January 9th, 2008, 01:46 AM
Can you please check again? Should be fine now.

Delw
January 9th, 2008, 01:50 AM
Scott, thanks, it's worked fine, now to install it ;)

Delw

Delw
January 9th, 2008, 02:27 AM
I installed/upgraded it from v2.1 to the newest release. Everything worked fine.

One suggestion: in the docs you have for upgrade, just 3 files.
Don't forget, if you're upgrading from one earlier version to another you need to put all the files in ;)

Upgrade
Upload:
/forums/includes/functions_gallery_imageedit.php
/forums/admincp/vbgallery_install.php
/forums/admincp/product-ppvbgallery.xml

Run the install script from your browser by going to:

http://www.yourwebsite.com/forums/admincp/vbgallery_install.php

[ x ] Upgrade.

This script will make all necessary changes to your database, templates, phrases, and settings.

Once you have finished please remove vbgallery_install.php, product-ppvbgallery.xml in the forums/admincp folder.




somewhere the upgrade from other versions got lost, it might throw a few people off

Thanks Again.
Delw

sebulba
January 9th, 2008, 04:39 AM
The thread about patching older versions of VBG is only accessible with current version credentials (license system), which is probably not what you intended to do. Could someone fix this?

zlos
January 9th, 2008, 04:52 AM
somewhere the upgrade from other versions got lost, it might throw a few people off

Thanks Again.
Delw

That did the trick for upgrade from 2.3 to 2.4.2 :)
Thanks :)

V-Rodforums
January 9th, 2008, 06:12 AM
The thread about patching older versions of VBG is only accessible with current version credentials (license system), which is probably not what you intended to do. Could someone fix this?


I own two current copies good until May 2008 and still can't access the update patch information.

Subah
January 9th, 2008, 06:25 AM
The upgrade was done smoothly ;)

projectego
January 9th, 2008, 08:05 AM
Thanks for the heads-up. I'll be upgrading ASAP. :)

ntburchf
January 9th, 2008, 08:08 AM
I cannot get to the older patching instructions either,
and I have 2 licenses of vbgallery and 1 photopost license

get this error

ntburchf, you do not have permission to access this page. This could be due to one of several reasons:

1. Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
2. If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

V-Rodforums
January 9th, 2008, 08:52 AM
This is what I get when I try to run the clean.php script.

Working in

Scanning for PHP files in your gallery files directory:

Warning: readdir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 17

Warning: closedir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 46
processed 0 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

boske
January 9th, 2008, 09:07 AM
Thanks, but I already had this happen to me last week. As I dug through the logs I found out how they did it. They uploaded a .wmv file and were able to execute a php script

this one to be exact:
http://netjackal.by.ru/

Name: PHPJackal

This will pretty much give you access to anything on your computer.

It also seems that this may be the people that are hacking the files:

www.sniper-sa.com & www.alm3refh.com

This may be their forum: http://www.alm3refh.com/vb/

You can do whatever you want with this information. I just lost 2 months of data and hours of restoring my website because of this exploit.

Zachariah
January 9th, 2008, 09:59 AM
Thanks Michael P !!

:)

Happy Camper
January 9th, 2008, 10:18 AM
I searched for the lines to replace (from this post (http://www.photopost.com/forum/showpost.php?p=1214127&postcount=15)) but they are not in PhotoPost vBGallery v2.3.

Can you please provide the patch information for v2.3?

Thanks,
Eric

Zachariah
January 9th, 2008, 10:34 AM
I see the error :o
- I fixed the main Zip, 1st post updated.

This is what I get when I try to run the clean.php script.

Working in

Scanning for PHP files in your gallery files directory:

Warning: readdir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 17

Warning: closedir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 46
processed 0 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

Zachariah
January 9th, 2008, 10:40 AM
I searched for the lines to replace (from this post (http://www.photopost.com/forum/showpost.php?p=1214127&postcount=15)) but they are not in PhotoPost vBGallery v2.3.

Can you please provide the patch information for v2.3?

Thanks,
Eric

The 1st part is only difference.
- Line 332, 332

Under:
$imginfo['truename'] = $filename;

V-Rodforums
January 9th, 2008, 10:50 AM
I see the error :o
- I fixed the main Zip, 1st post updated.


Thanks Zach, but that just changes my errors to

Working in

Scanning for PHP files in your gallery files directory:

Warning: readdir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 22

Warning: closedir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 51
processed 0 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

Zachariah
January 9th, 2008, 11:06 AM
fixed your post, leave in
- $imginfo['truename'] = $filename;

only replace the two "$filename =" lines

Zachariah
January 9th, 2008, 11:12 AM
@ V-Rodforums

- I see your problem.
- I did not factor for a code change that gets your directory path on the older gallery version.

1st post attachment updated.

Primopup
January 9th, 2008, 11:26 AM
Same here..? I just downloaded clean.php from the first page.

Working in

Scanning for PHP files in your gallery files directory:

Warning: readdir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 26

Warning: closedir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 55
processed 0 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

This is what I get when I try to run the clean.php script.

Working in

Scanning for PHP files in your gallery files directory:

Warning: readdir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 17

Warning: closedir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 46
processed 0 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

V-Rodforums
January 9th, 2008, 11:37 AM
@ V-Rodforums

- I see your problem.
- I did not factor for a code change that gets your directory path on the older gallery version.

1st post attachment updated.

Thanks Zach, I know you're working on it. That brings me back the same error as Primopup, with a 26 and 55.

Happy Camper
January 9th, 2008, 11:41 AM
thanks for your help, Zachariah!

rinkrat
January 9th, 2008, 11:54 AM
Thanks for the update and security announcement.

Michael P
January 9th, 2008, 11:59 AM
I moved the thread here since every post sends out a notice to the many of our users who subscribe to the Announcements forum for notices.

antivirus
January 9th, 2008, 12:15 PM
Same here..? I just downloaded clean.php from the first page.

Working in

Scanning for PHP files in your gallery files directory:

Warning: readdir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 26

Warning: closedir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 55
processed 0 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

Experiencing same issue here when attempting to use clean.php

Zach - is it possible that the admincp directory being renamed to something like admincpx/ could be causing the problem?

Snobbytec
January 9th, 2008, 12:34 PM
It seems that the directory variable can not be read.

Quick fix: Open clean.php find
listdir($ppg_options['gallery_filedirectory']);

change it to your path, for example
listdir("/your/path/to/gallery/files");

save, upload and re-run it.

Then change the path again for the userfolder:
listdir("/your/path/to/gallery/users");

re-run it.

antivirus
January 9th, 2008, 01:02 PM
It seems that the directory variable can not be read.

Quick fix: Open clean.php find
listdir($ppg_options['gallery_filedirectory']);

change it to your path, for example
listdir("/your/path/to/gallery/files");

save, upload and re-run it.

Then change the path again for the userfolder:
listdir("/your/path/to/gallery/users");

re-run it.

Thanks Snobbytec, that worked just fine.

V-Rodforums
January 9th, 2008, 01:16 PM
It seems that the directory variable can not be read.

Quick fix: Open clean.php find
listdir($ppg_options['gallery_filedirectory']);

change it to your path, for example
listdir("/your/path/to/gallery/files");

save, upload and re-run it.

Then change the path again for the userfolder:
listdir("/your/path/to/gallery/users");

re-run it.

Thanks, that seems to do it. Can I assume that this means I had no files with problems?

Working in

Scanning for PHP files in your gallery files directory:
processed 130631 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

Zachariah
January 9th, 2008, 01:28 PM
Thanks, that seems to do it. Can I assume that this means I had no files with problems?

Working in

Scanning for PHP files in your gallery files directory:
processed 130631 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

You're good
- No problems:)

---------------------------------------------------

EX: Output of problems
There will be a file list output to review:

Scanning for PHP files in your gallery files directory:
Found file -> /home/public_html/gallery/files/1/phpinfo.php.psd
Found file -> /home/public_html/gallery/files/1/somefile.cgi
Found file -> /home/public_html/gallery/files/1/somefile.pl
Found file -> /home/public_html/gallery/files/1/somefile.php.wmv
Found file -> /home/public_html/gallery/files/1/somefile.php.wav
Found file -> /home/public_html/gallery/files/clean.php
processed 6088 files
6 PHP files found!


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

*CLICK*

Scanning for PHP files in your gallery files directory:
Found file -> /home/public_html/gallery/files/1/phpinfo.php.psd
Removing file -> /home/public_html/gallery/files/1/phpinfo.php.psd
Found file -> /home/public_html/gallery/files/1/somefile.cgi
Removing file -> /home/public_html/gallery/files/1/somefile.cgi
Found file -> /home/public_html/gallery/files/1/somefile.pl
Removing file -> /home/public_html/gallery/files/1/somefile.pl
Found file -> /home/public_html/gallery/files/1/somefile.php.wmv
Removing file -> /home/public_html/gallery/files/1/somefile.php.wmv
Found file -> /home/public_html/gallery/files/1/somefile.php.wav
Removing file -> /home/public_html/gallery/files/1/somefile.php.wav
Found file -> /home/public_html/gallery/files/clean.php
Removing file -> /home/public_html/gallery/files/clean.php
processed 6088 files
6 PHP files found!
6 files removed!

imported_Allen
January 9th, 2008, 03:25 PM
Trying to patch vB Gallery v 2.1

This code: (I can't find)
$filename = preg_replace("/[^a-zA-Z0-9\-_\.]+/", "_", $filename);
$filename = strtolower($filename);

This code: ( I can find)
$filename = preg_replace("/[^a-z_.0-9-]/i", '', $filename);
---------------------------

Do I replace : $filename = preg_replace("/[^a-z_.0-9-]/i", '', $filename);

With:
$ext = substr($filename,strrpos($filename,".")+1);
$name = preg_replace( "/\.\w+$/U", "", $filename );
$name = preg_replace(array('/\.php/', '/\.php3/', '/\.php4/', '/\.php5/', '/\.php6/', '/\.pl/', '/\.cgi/'), "", $name);
$name = preg_replace("#[^a-z0-9_,]#i", " ", $name);
$name = trim(str_replace("_", " ", $name));
$name = str_replace(" ", "_", $name);

$filename = strtolower($name.'.'.$ext);
unset($name, $ext);


Thanks for any help.

Zachariah
January 9th, 2008, 04:48 PM
@imported_Allen

You should have 2 lines of code right next to each other starting with
$filename =

Just below:
$imginfo['truename'] = $filename;

kall
January 9th, 2008, 04:57 PM
I must say, it's quite slack to have allowed this exploit to occur in the first place, but totally rude not to supply people with free 'upgrades' to the unexploited version.

As with Allen, I don't have that code to find/replace in v2.2.

A suggestion to avoid multiple unhappier customers, provide the fix for all versions.

imported_Allen
January 9th, 2008, 05:30 PM
@ Zachariah

This is what I have:

$imginfo['truename'] = $filename;
$filename = urldecode($filename);
$filename = preg_replace("/[^a-z_.0-9-]/i", '', $filename);

oldengine
January 9th, 2008, 08:37 PM
How does one determine the version number currently installed? I don't find it in the script headers or the config file and I have the brand free option.

Skip it. I found it under admin > vBGallery > Statistics

Zachariah
January 9th, 2008, 08:59 PM
Good idea kall :)

1.0.0 - 2.1
$filename = preg_replace("/[^a-z_.0-9-]/i", '', $filename);

2.2, 2.3
$filename = urldecode($filename);
$filename = preg_replace("/[^a-z_.0-9-]/i", '', $filename);

2.4 +
$filename = preg_replace("/[^a-zA-Z0-9\-_\.]+/", "_", $filename);
$filename = strtolower($filename);

---------------------------------------------------------

@Oldengine

AdminCP -> vBGallery => Statistics
- Installed Version: x.x.x

OR

vBulletin 3.0 - 3.5
SELECT value FROM adv_setting WHERE varname = 'gallery_version'

vBulletin 3.5 - 3.6+
SELECT value FROM ppgal_setting WHERE varname = 'gallery_version'
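
Why the per-version `$filename =` lines listed above are the ones to replace, as an added example (a Python model of the PHP lines quoted in this thread, not PhotoPost's code): each old filter keeps dots, so an upload name such as sa.php.wmv is stored unchanged, while the replacement block keeps only the final extension. Function names are hypothetical, and names without a dot are not modelled.

```python
import re
from urllib.parse import unquote_plus

# Script extensions named in the replacement block quoted in this thread.
SCRIPT_EXTS = ("php", "php3", "php4", "php5", "php6", "pl", "cgi")

def old_1_0_to_2_1(filename):
    # PHP: preg_replace("/[^a-z_.0-9-]/i", '', $filename)
    return re.sub(r"[^a-z_.0-9-]", "", filename, flags=re.I | re.A)

def old_2_2_and_2_3(filename):
    # PHP: urldecode() followed by the same filter
    return old_1_0_to_2_1(unquote_plus(filename))

def old_2_4(filename):
    # PHP: preg_replace("/[^a-zA-Z0-9\-_\.]+/", "_", $filename); strtolower()
    return re.sub(r"[^a-zA-Z0-9\-_.]+", "_", filename).lower()

def replacement(filename):
    # Model of the replacement block; assumes the name contains a dot.
    ext = filename[filename.rfind(".") + 1:]
    name = re.sub(r"\.\w+?$", "", filename, flags=re.A)      # drop the last extension
    for e in SCRIPT_EXTS:                                     # same order as the PHP array
        name = re.sub(r"\." + e, "", name)
    name = re.sub(r"[^a-z0-9_,]", " ", name, flags=re.I | re.A)  # remaining dots become spaces
    name = name.replace("_", " ").strip().replace(" ", "_")
    return (name + "." + ext).lower()

FILTERS = [("1.0.0 - 2.1", old_1_0_to_2_1), ("2.2, 2.3", old_2_2_and_2_3),
           ("2.4 +", old_2_4), ("replacement", replacement)]

def keeps_inner_script_ext(stored):
    """True if a component between the first and last dot is a script extension."""
    return any(p in SCRIPT_EXTS for p in stored.lower().split(".")[1:-1])

def compare(upload_name):
    """Return {filter label: (stored name, still has an inner script extension)}."""
    return {label: (f(upload_name), keeps_inner_script_ext(f(upload_name)))
            for label, f in FILTERS}

if __name__ == "__main__":
    # First two names appear in the scan listings in this thread; the third is constructed.
    for upload in ("sa.php.wmv", "phpinfo.php.psd", "Holiday Photo_01.JPG"):
        for label, (stored, flagged) in compare(upload).items():
            print(f"{upload!r:26} {label:12} -> {stored!r:24} inner script ext: {flagged}")
```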

Ozark
January 9th, 2008, 11:00 PM
Is there a new update for the "Clean" scanner script? What I used in the email (PhotoPost vBGallery Important Security Bulletin) is no help. My site is hacked big time! Ordered upgrade and to see if that would be faster.

0ptima
January 9th, 2008, 11:19 PM
Thanks for providing the fix! The clean.php file needs to be fixed as I had to manually add my files directory to the script.

AtomicVette
January 10th, 2008, 12:53 AM
since this is actually an apache security hole, will it affect my photopost install which is running on IIS6?

ScottW
January 10th, 2008, 01:36 AM
Is there a new update for the "Clean" scanner script? What I used in the email (PhotoPost vBGallery Important Security Bulletin) is no help. My site is hacked big time! Ordered upgrade and to see if that would be faster.

The clean script only removes files that hackers might have uploaded using vBGallery. It doesn't repair anything that a hacker might have done to your site using those uploaded files, since there's no way for us to know what they did or didn't do. A hacker executing a malicious script on your server can do anything from wiping your server's hard drive clean, and deleting your databases, to just changing a few pages around. That's why we always recommend backing up your server daily - most hosts offer these services included. Hackers will always find a way to do their thing despite software developers' best efforts.

BrentWilson
January 10th, 2008, 01:24 PM
Is this vulnerability exclusive to apache servers or are Lighttpd servers vulnerable as well?

Michael P
January 10th, 2008, 06:41 PM
I use thttpd on my server, but it doesn't have PHP support, so I can't test it.

Ozark
January 10th, 2008, 08:38 PM
It seems that the directory variable can not be read.

Quick fix: Open clean.php find
listdir($ppg_options['gallery_filedirectory']);

change it to your path, for example
listdir("/your/path/to/gallery/files");

save, upload and re-run it.

Then change the path again for the userfolder:
listdir("/your/path/to/gallery/users");

re-run it.

Thank you Snobbytec!

I was able to remove the file and the user. However, my site still has the hacked message when you visit the url. Any ideas what I can do next?

Note: After I ran the Clean.php, I'm now able to access the admin control panel. I'm happy about that.

Zachariah
January 10th, 2008, 10:16 PM
Thank you Snobbytec!

I was able to remove the file and the user. However, my site still has the hacked message when you visit the url. Any ideas what I can do next?

Note: After I ran the Clean.php, I'm now able to access the admin control panel. I'm happy about that.

Not knowing what they did:

1) change your database password and username that vBulletin uses.
- also means /includes/config.php (update info)

2) change your password in vBulletin AdminCP

3) enable all usergroups to change their passwords on next visit.

After you do #1 and #2, shoot me some access to AdminCP and an FTP account in PM. I'll do a scan and see what the damage is.

attroll
January 11th, 2008, 04:39 AM
What a coincidence. I get this security bulletin in my email yesterday and my web site got hacked big time 24 hours after I got the notice. What a coincidence.

Now I need to get my site working and then apply the new VBG and hope it does not get hacked again.

Cheertobi
January 11th, 2008, 10:10 AM
Got it!

Ozark
January 11th, 2008, 02:49 PM
Not knowing what they did:

1) change your database password and username that vBulletin uses.
- also means /includes/config.php (update info)

2) change your password in vBulletin AdminCP

3) enable all usergroups to change their passwords on next visit.

After you do #1 and #2, shoot me some access to AdminCP and an FTP account in PM. I'll do a scan and see what the damage is.

Thanks for looking under the hood. :)

MillerLight
January 11th, 2008, 05:44 PM
Can the latest VBgallery ver 2.4 be deployed on a Vbulletin 3.6.7 PL1?

Read it was designed for 3.6.8, but is it compatible with 3.6.7, want to save the file edits if possible?

Zachariah
January 11th, 2008, 06:08 PM
Can the latest VBgallery ver 2.4 be deployed on a Vbulletin 3.6.7 PL1?

Read it was designed for 3.6.8, but is it compatible with 3.6.7, want to save the file edits if possible?

No problems. There may be a few added integrations that will not show up in the forums because of a missing php or template hooks. With a few manual edits they can also show up.

MillerLight
January 11th, 2008, 06:57 PM
Thanks Zach, will be upgrading Saturday night.

Zachariah
January 11th, 2008, 07:04 PM
Thanks for looking under the hood. :)

Ok, back from the front "figuratively".

They had 2 files in your vBulletin attachments folder. 1 file was a backdoor to allow access; the other was run to blank out your templates and put the rude message in place of each template. I removed them.

I restored your Default templates with a tools.php provided by vBulletin
in the "do_not_upload" folder.

tools.php - This file must be uploaded to the AdminCP folder and allows you to perform certain tasks should your board go down or you accidentally lock yourself out of the Admin Control Panel. This file must be deleted immediately after use or it will cause a SEVERE security problem.

This file allowed me to restore your default templates of vBulletin. :)

I created a new default template set.
AdminCP => Styles & Templates => Style Manager
- [Add New Style] - Parent Style: none

I then changed all your applications to use the new default style.

- FTP'ed the installer file of vBAdvanced CMPS, vBAdvanced Links, Photopost vBGallery (and product xml file) and chose the option to reinstall the templates of each program. While in vbgallery installer I also chose to "update your image paths". This was used to cycle through the new default style and add full URLs to the image folders.
- removed installers


- I left your old skin, but disabled it. It has a lot of messed up templates, but you can use many of the templates to re-build your custom blocks on your portal and get your site back in order.

/ OK
/forums/ OK
/gallery/ OK
/links/ OK

I added the new security update to your gallery.

Ozark
January 11th, 2008, 07:27 PM
WOW!

What can I say, you're my hero!

hotwheels
January 15th, 2008, 12:05 AM
Well they got me today:

Working in

Scanning for PHP files in your gallery files directory:
Found file: -> /home/hotwheel/public_html/forums/gallery/files/1/7/2/2/sa.php.wmv
processed 3471 files
1 file(s) found!


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

They changed my admin password on my website.......

Zachariah
January 15th, 2008, 10:30 AM
hotwheels, did you regain control? If so, also

1) change your database password and username that vBulletin uses.
- also means /includes/config.php (update info)

2) change your password in vBulletin AdminCP

3) enable all usergroups to change their passwords on next visit.

-------------------------------------

Ozark had a fairly new site and did not have backups of file or database. The simple fix would have been to remove all records in the template table with phpmyadmin and restore only the template data from backup.

hotwheels
January 15th, 2008, 12:06 PM
Yes, I got my control back and made a change in the config.php to ensure they can't change my name again through the night, but they still came back and changed one of my users' post counts.

I have completed steps 1 and 2. I will start step 3 asap........not sure what else to do Zachariah, I can't really afford to buy any more vbgallery software updates...

hotwheels
January 15th, 2008, 01:44 PM
Well, I went ahead and extended my membership here and am now waiting for my approval to get vbgallery 2.4.........Hopefully this will close the hole the hacker put on my site.

I made the manual changes that were recommended in a different post, but the hacker still got through last night.

Hey Zachariah, where is the spot where I can force the user to change their passwords the next time they log on? If I go into my admincp, the only option I am shown is: password expires in blank days........if I put a 1 in there, the users would have to change their passwords every day. I only want them to change them one time for now.....

Zachariah
January 15th, 2008, 01:47 PM
http://www.photopost.com/forum/showthread.php?t=134910
- this is how to patch your system and scan your gallery folder

also look in your vBulletin attachments folder for files in the root that they may use. "somefile.php"

0ptima
January 15th, 2008, 09:00 PM
I made the manual changes that were recommended in a different post, but the hacker still got through last night.



Are you saying that even with the patch, they could still upload the exploit?

Zachariah
January 15th, 2008, 09:08 PM
Are you saying that even with the patch, they
No. He may have a breach.

They had 2 files in your vBulletin attachments folder. 1 file was a backdoor to allow access; the other was run to blank out your templates and put the rude message in place of each template. I removed them.

EX:

Post 51 ^^

Once they gained access to the server, more files were uploaded to another folder for a 2nd way of access. Think of it like spyware or a virus. (replicate multiple points of entry in case one is found)

ludachris
January 29th, 2008, 12:12 PM
I'm trying to run the scan db utility to remove orphaned images but it's maxing out the 30 second limit. Where do I change that setting? Is it on the server or in the software settings?

balikci
February 8th, 2008, 11:31 PM
Hello, I currently use php4 on my server.

Can I still use these instructions?

http://www.photopost.com/forum/showpost.php?p=1214127&postcount=15

YSR50
February 10th, 2008, 01:02 PM
I installed/upgraded it from v2.1 to the newest release. Everything worked fine.

One suggestion: in the docs you have for upgrade, just 3 files.
Don't forget, if you're upgrading from one earlier version to another you need to put all the files in ;)

somewhere the upgrade from other versions got lost, it might throw a few people off

Thanks Again.
Delw

It threw me off. :o I still have questions. Do I install all files in all folders or just the ones listed in the included readme.html? If just the ones in the readme.html, there are a few that are listed that are not included in the folders???

YSR50
February 10th, 2008, 06:40 PM
well, I just went ahead and uploaded all files included and now I have this problem :(


http://www.photopost.com/forum/showthread.php?t=135360

edprush
February 17th, 2008, 07:43 PM
My host suspended my account because of this vulnerability and told me that they would unsuspend it only if they could delete the directory: ..../public_html/gallery/files/.

I am not sure what would be impacted by removing that directory. Does that directory contain all of the images that have been uploaded?

Thanks.

Zachariah
February 17th, 2008, 10:23 PM
My host suspended my account because of this vulnerability and told me that they would unsuspend it only if they could delete the directory: ..../public_html/gallery/files/.

I am not sure what would be impacted by removing that directory. Does that directory contain all of the images that have been uploaded?

Thanks.

Correct it has all of your images.
- I would say rename the folder to something else and then scan for problems, if they open your site up to fix the problem. The scan and clean script looks in your gallery/files for problems and removes them.

- If they will not open the account for you to proceed on a fix, have them Gzip your folder. You can download it and scan on your PC, fix the problems, then re-upload.

edprush
February 17th, 2008, 11:07 PM
Correct it has all of your images.
- I would say rename the folder to something else and then scan for problems, if they open your site up to fix the problem. The scan and clean script looks in your gallery/files for problems and removes them.

- If they will not open the account for you to proceed on a fix, have them Gzip your folder. You can download it and scan on your PC, fix the problems, then re-upload.

My host has informed me that some of the infected files include:
/public_html/gallery/files/1/4/2/4/c999.php
/public_html/gallery/files/1/4/2/4/.r57.php
/public_html/gallery/files/1/4/2/4/rer.php
/public_html/gallery/files/safe.php
/public_html/gallery/files/1/4/2/4/safe.php

If I run the clean.php script, I assume, it will remove those files. Is there a clean version of those files that will need to be reuploaded?

edprush
February 19th, 2008, 10:36 AM
(just a bump for the above post)

Thanks.

edprush
February 20th, 2008, 10:39 AM
Does anyone happen to know the answers to my concerns? If you are not allowed to post your reply in this thread, you may PM me.

Also, after I run clean.php and patch the insecurity in the script how can I determine what 'damage' was done? Such as if they uploaded more files to another folder for a 2nd way of access?

Thanks.

Zachariah
February 20th, 2008, 08:57 PM
The script will scan and clean your gallery upload folder and all sub folders.
- it will not scan other folders.

I have fixed 5 systems. They hide files in the root of your forums attachments folder if you save to fileserver vs. database and /your/gallery/upload folders.

edprush
February 21st, 2008, 11:39 AM
They hide files in the root of your forums attachments folder if you save to fileserver vs. database and /your/gallery/upload folders.

Are you saying that they don't hide files in the database storage system or are you saying that they hide them in both the fileserver and database storage systems?:confused:

Sorry about my lack of knowledge. This is the first time I've been hacked.

edprush
February 26th, 2008, 02:52 PM
- If they will not open the account for you to proceed on a fix, have them Gzip your folder. You can download it and scan on your PC, fix the problems, then re-upload.

How do I run the clean.php file from my PC (without uploading it to my server)?

Thanks.

Zachariah
February 26th, 2008, 09:49 PM
Well, if you have your site up locally on your PC you can scan with Windows search.

Start => Search => for files and folders
- search in your /gallery/files
Find: *php*.*

-- Remove anything found with "php" in the title.

If you have your attachments for threads in the forum set to save to disk vs. database, look in that folder for any php files.
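
A scripted version of the local scan described above, as an added example (not clean.php and not PhotoPost's code): it walks a downloaded copy of gallery/files, flags names where any dot-separated component is one of the script extensions listed in the patch earlier in the thread, and moves matches to a quarantine folder instead of deleting them so they stay available for review. The function names, the quarantine step and the sample tree are assumptions made for this example.

```python
import os
import shutil
import tempfile

# Extensions named in the patch quoted earlier in this thread.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php6", "pl", "cgi"}

def is_suspect(filename):
    """True if any dot-separated component after the first is a script extension.

    Catches sa.php.wmv, somefile.cgi and dotfiles such as .r57.php, but not
    phpinfo_screenshot.jpg, which a *php*.* search would also list.
    """
    parts = filename.lower().split(".")
    return any(p in SCRIPT_EXTS for p in parts[1:])

def scan(root):
    """Walk root; return (files_processed, sorted relative paths of suspects)."""
    processed, found = 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            processed += 1
            if is_suspect(name):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return processed, sorted(found)

def quarantine(root, suspects, dest):
    """Move suspects out of the web-served tree, keeping their relative layout."""
    moved = []
    for rel in suspects:
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.move(os.path.join(root, rel), target)
        moved.append(rel)
    return moved

def build_sample_tree(root):
    """Constructed sample: file names modelled on the listings in this thread."""
    names = ["1/photo.jpg", "1/phpinfo.php.psd", "1/somefile.cgi",
             "1/7/2/2/sa.php.wmv", "1/4/2/4/.r57.php", "1/phpinfo_screenshot.jpg"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
    return names

def demo():
    """Scan the constructed tree, quarantine the hits, then rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "files")
        dest = os.path.join(tmp, "quarantine")
        build_sample_tree(root)
        processed, found = scan(root)
        moved = quarantine(root, found, dest)
        remaining = scan(root)[1]
        return processed, found, moved, remaining

if __name__ == "__main__":
    processed, found, moved, remaining = demo()
    for rel in found:
        print("Found file ->", rel)
    print("processed", processed, "files;", len(found), "suspect;",
          len(remaining), "left after quarantine")
```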

edprush
February 28th, 2008, 08:24 PM
It seems that the directory variable can not be read.

Quick fix: Open clean.php find
listdir($ppg_options['gallery_filedirectory']);

change it to your path, for example
listdir("/your/path/to/gallery/files");

save, upload and re-run it.

Then change the path again for the userfolder:
listdir("/your/path/to/gallery/users");

re-run it.

Zachariah, is the above change correct? If so, have you added it to clean.php?

I am getting this message when I try to run clean.php:

Working in

Scanning for PHP files in your gallery files directory:

Warning: readdir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 26

Warning: closedir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 55
processed 0 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.

edprush
March 1st, 2008, 06:11 PM
I made the changes shown in: http://www.photopost.com/forum/showthread.php?p=1214127

After that I noticed that when members try to upload a photo to the gallery it doesn't display--they don't get an error message.

I have my vbgallery set to moderate all uploads but the images never show up in the vbgallery moderation queue.

Any idea what I did wrong?

Thanks.

InterFX
April 18th, 2008, 09:42 PM
I just realized I have this issue... 4 sites hacked bad in the past 24 hrs. While I get ready to get everything updated, I went ahead and turned OFF the gallery... Will that protect me while I upgrade in the next days?

Thanks in advance -

Zachariah
April 19th, 2008, 11:01 AM
I just realized I have this issue... 4 sites hacked bad in the past 24 hrs. While I get ready to get everything updated, I went ahead and turned OFF the gallery... Will that protect me while I upgrade in the next days?

Thanks in advance -

No, the files will still be on your system.
- The attacker will hide in your gallery/files folder. Rename the folder that holds your gallery images to something else. This way they do not know where the files are to directly access them.