Old February 8th, 2008, 10:31 PM   #61 (permalink)
Junior Member
Verified Customer
 
Join Date: Nov 2005
Posts: 18
Hello, I currently use PHP4 on my server.

Can I still use these instructions?

http://www.photopost.com/forum/showp...7&postcount=15
balikci is offline   Reply With Quote
Old February 10th, 2008, 12:02 PM   #62 (permalink)
Member
Verified Customer
 
Join Date: Jun 2005
Posts: 57
Quote:
Originally Posted by Delw View Post
I installed/upgraded it from v2.1 to the newest release everything worked fine

One suggestion: in the docs you have for upgrade, there are just 3 files.
Don't forget, if you're upgrading from one earlier version to another you need to put all the files in.

Somewhere the upgrade from other versions got lost; it might throw a few people off.

Thanks Again.
Delw
It threw me off. I still have questions. Do I install all files in all folders or just the ones listed in the included readme.html? If just the ones in the readme.html, there are a few that are listed that are not included in the folders?
YSR50 is offline   Reply With Quote
Old February 10th, 2008, 05:40 PM   #63 (permalink)
Member
Verified Customer
 
Join Date: Jun 2005
Posts: 57
Well, I just went ahead and uploaded all files included and now I have this problem


Admin permissions, can't see gallery
YSR50 is offline   Reply With Quote
Old February 17th, 2008, 06:43 PM   #64 (permalink)
Member
Verified Customer
 
Join Date: Jan 2005
Posts: 109
My host suspended my account because of this vulnerability and told me that they would unsuspend it only if they could delete the directory: ..../public_html/gallery/files/.

I am not sure what would be impacted by removing that directory. Does that directory contain all of the images that have been uploaded?

Thanks.
edprush is offline   Reply With Quote
Old February 17th, 2008, 09:23 PM   #65 (permalink)
Registered User
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,243
Quote:
Originally Posted by edprush View Post
My host suspended my account because of this vulnerability and told me that they would unsuspend it only if they could delete the directory: ..../public_html/gallery/files/.

I am not sure what would be impacted by removing that directory. Does that directory contain all of the images that have been uploaded?

Thanks.
Correct, it has all of your images.
- I would say rename the folder to something else and then scan for problems, if they open your site up to fix the problem. The scan and clean script looks in your gallery/files for problems and removes them.

- If they will not open the account for you to proceed on a fix, have them Gzip your folder. You can download it and scan on your PC, fix the problems, then re-upload.
Zachariah is offline   Reply With Quote
Old February 17th, 2008, 10:07 PM   #66 (permalink)
Member
Verified Customer
 
Join Date: Jan 2005
Posts: 109
Quote:
Originally Posted by Zachariah View Post
Correct, it has all of your images.
- I would say rename the folder to something else and then scan for problems, if they open your site up to fix the problem. The scan and clean script looks in your gallery/files for problems and removes them.

- If they will not open the account for you to proceed on a fix, have them Gzip your folder. You can download it and scan on your PC, fix the problems, then re-upload.
My host has informed me that some of the infected files include:
/public_html/gallery/files/1/4/2/4/c999.php
/public_html/gallery/files/1/4/2/4/.r57.php
/public_html/gallery/files/1/4/2/4/rer.php
/public_html/gallery/files/safe.php
/public_html/gallery/files/1/4/2/4/safe.php

If I run the clean.php script, I assume, it will remove those files. Is there a clean version of those files that will need to be reuploaded?
edprush is offline   Reply With Quote
Old February 19th, 2008, 09:36 AM   #67 (permalink)
Member
Verified Customer
 
Join Date: Jan 2005
Posts: 109
(just a bump for the above post)

Thanks.
edprush is offline   Reply With Quote
Old February 20th, 2008, 09:39 AM   #68 (permalink)
Member
Verified Customer
 
Join Date: Jan 2005
Posts: 109
Does anyone happen to know the answers to my concerns? If you are not allowed to post your reply in this thread, you may PM me.

Also, after I run clean.php and patch the insecurity in the script how can I determine what 'damage' was done? Such as if they uploaded more files to another folder for a 2nd way of access?

Thanks.
edprush is offline   Reply With Quote
Old February 20th, 2008, 07:57 PM   #69 (permalink)
Registered User
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,243
The script will scan and clean your gallery upload folder and all sub folders.
- it will not scan other folders.

I have fixed 5 systems. They hide files in the root of your forums attachments folder if you save to fileserver vs. database and /your/gallery/upload folders.
Zachariah is offline   Reply With Quote
Old February 21st, 2008, 10:39 AM   #70 (permalink)
Member
Verified Customer
 
Join Date: Jan 2005
Posts: 109
Quote:
Originally Posted by Zachariah View Post
They hide files in the root of your forums attachments folder if you save to fileserver vs. database and /your/gallery/upload folders.
Are you saying that they don't hide files in the database storage system or are you saying that they hide them in both the fileserver and database storage systems?

Sorry about my lack of knowledge. This is the first time I've been hacked.
edprush is offline   Reply With Quote
Old February 26th, 2008, 01:52 PM   #71 (permalink)
Member
Verified Customer
 
Join Date: Jan 2005
Posts: 109
Quote:
Originally Posted by Zachariah View Post
- If they will not open the account for you to proceed on a fix, have them Gzip your folder. You can download it and scan on your PC, fix the problems, then re-upload.
How do I run the clean.php file from my PC (without uploading it to my server)?

Thanks.
edprush is offline   Reply With Quote
Old February 26th, 2008, 08:49 PM   #72 (permalink)
Registered User
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,243
Well, if you have your site locally on your PC, you can scan with Windows search.

Start => Search => for files and folders
- search in your /gallery/files
Find: *php*.*

-- Remove anything found with "php" in the title.

If you have your attachments for threads in the forum set to save to disk vs. database, look in that folder for any php files.
Zachariah is offline   Reply With Quote
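
A report-only version of the scan described in the post above, for a downloaded copy of gallery/files. This is an added example, not part of the original thread and not PhotoPost's clean.php. The function names are hypothetical, the sample tree is constructed (its file names echo those reported earlier in the thread), and the check for a `<?php` marker inside files with harmless-looking names goes beyond the name-based rule given in the post.

```python
import os
import tempfile

MARKER = b"<?php"  # content check is an addition; the post only matches on names

def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root.

    Report-only: nothing is deleted, so findings can be reviewed first.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):   # os.walk also returns dotfiles
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if "php" in name.lower():             # same rule as the *php*.* search
                findings.append((rel, "name"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)         # only the first 64 KiB is inspected
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if MARKER in head.lower():
                findings.append((rel, "content"))
    return sorted(findings)

def build_sample_tree(root):
    """Create a constructed upload tree with harmless placeholder contents."""
    samples = {
        "1/4/2/4/c999.php": b"<?php /* constructed placeholder */ ?>",
        "1/4/2/4/.r57.php": b"<?php /* constructed placeholder */ ?>",
        "1/4/2/4/photo.PHP.jpg": b"constructed",
        "1/4/2/4/holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "1/4/2/5/avatar.gif": b"GIF89a<?php /* constructed */ ?>",
        "safe.php": b"<?php /* constructed placeholder */ ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_uploads(tmp):
            print(f"{reason:8} {rel}")
```

Point `scan_uploads` at the forum attachments folder as well if attachments are saved to disk, since the thread notes that files are hidden there too.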
Old February 28th, 2008, 07:24 PM   #73 (permalink)
Member
Verified Customer
 
Join Date: Jan 2005
Posts: 109
Quote:
Originally Posted by Snobbytec View Post
It seems that the directory variable can not be read.

Quick fix: Open clean.php find
listdir($ppg_options['gallery_filedirectory']);

change it to your path, for example
listdir("/your/path/to/gallery/files");

save, upload and re-run it.

Then change the path again for the userfolder:
listdir("/your/path/to/gallery/users");

re-run it.
Zachariah, is the above change correct? If so, have you added it to clean.php?

I am getting this message when I try to run clean.php:
Quote:
Working in

Scanning for PHP files in your gallery files directory:

Warning: readdir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 26

Warning: closedir(): supplied argument is not a valid Directory resource in /admincp/clean.php on line 55
processed 0 files


Click Here to remove all files listed

Please remember to delete this clean.php file from your server when done.
edprush is offline   Reply With Quote
Old March 1st, 2008, 05:11 PM   #74 (permalink)
Member
Verified Customer
 
Join Date: Jan 2005
Posts: 109
I made the changes shown in: http://www.photopost.com/forum/photopost-announcements/134910-photopost-vbgallery-important-security-bulletin.html#post1214127

After that I noticed that when members try to upload a photo to the gallery it doesn't display--they don't get an error message.

I have my vbgallery set to moderate all uploads but the images never show up in the vbgallery moderation queue.

Any idea what I did wrong?

Thanks.
edprush is offline   Reply With Quote
Old April 18th, 2008, 08:42 PM   #75 (permalink)
Member
Verified Customer
 
Join Date: Nov 2002
Posts: 372
I just realized I have this issue... 4 sites hacked bad in the past 24 hrs. While I get ready to get everything updated, I went ahead and turned OFF the gallery... Will that protect me while I upgrade in the next days?

Thanks in advance -
InterFX is offline   Reply With Quote
Old April 19th, 2008, 10:01 AM   #76 (permalink)
Registered User
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,243
Quote:
Originally Posted by InterFX View Post
I just realized I have this issue... 4 sites hacked bad in the past 24 hrs. While I get ready to get everything updated, I went ahead and turned OFF the gallery... Will that protect me while I upgrade in the next days?

Thanks in advance -
No, the files will still be on your system.
- The attacker will hide in your gallery/files folder. Rename the folder that holds your gallery images to something else. This way they do not know where the files are to directly access them.
Zachariah is offline   Reply With Quote