November 3rd, 2007, 08:42 AM   #1
Member
Verified Customer
 
Join Date: Aug 2005
Posts: 47
Hacking Problem

Someone hacked into our photo gallery last night. Server admins said the hacker created a hole for themselves and advised I install some patches from:

http://photos.gavintech.com

Is this something I should do?

I'm running vBGallery.
Posted by rcwild
November 3rd, 2007, 09:27 AM   #2
Member
Verified Customer
 
Join Date: Aug 2005
Posts: 47
This is part of the text received from our admin. I removed the long lists of error messages she included.


They use the programs you have to upload into the server and it allows full commands and then they install it all in tmp and then once it's there, the programs are little robots that run and do the work all automation

they ran the application called Raven and it scans for ssh security holes

sh.tgz is port scanner a program that opens root on 4444 port on telnet

they ran this last night

muh is a smart IRC-bouncing tool that remains on IRC all the time. You can
take control over your nick by connecting to muh with an IRC client that is able to supply a password for the server connection.

>>>>>>>>>>>>>>>>>>>>>
it's part of the port package when they unzip it 200 applications run and start working

we removed and they put it back at 4am

>>>>>>>>>>>>>>>>>>>>>>>>>>

that script also hacks sites that visit it

>>>>>>>>>>>>>>>>>>>>>>>>>>>>

it's something you have in your directory that's hacked they spent hours in there


when an error is caused, it makes a hole

there are thousands of "File does not exist" entries like below: the hacker
calling for something to create the hole

[Thu Sep 13 05:51:49 2007] [error] [client 70.58.42.163] File does not exist:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

now at the same time frame as the installs
now same time as hack downloaded
this was run
[2007-09-18 03:23:26]: info: (target/actual) uid: (canyon/canyon) gid: (canyon/canyon) cmd: image.php

that's in the suexec file

>>>>>>>>>>>>>>>>>>>>>>>>>>>

I deleted a folder in content they added
they named
.k
had the raven script in it

>>>>>>>>>>>>>>>>>>

I changed the permissions on the forums
but I did not change the permissions on the gallery until right now-
right now -live as I am typing this
someone is trying to install


This is how the files were uploaded

A security hole in showphoto.php (not passing in an album results in no
password protection)


Fixes are here
http://photos.gavintech.com/develope...stec&ViewPass=
easier to read here
http://photos.gavintech.com/source.php

permissions changed on the gallery folder and the forums folder
please do not change back until you run the fixes
and please do one folder at a time

also please look in these folders for any files or folders I may have
missed
or they managed to install before I changed the permissions

also -please contact who the forum and gallery application programmers-
you may have the wrong set up,
and you need to talk to the program people you
got it from
Posted by rcwild
November 3rd, 2007, 10:31 AM   #3
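The admin's note lines up Apache "File does not exist" errors with a suexec entry from the same time frame. The following is an added example, not part of the original thread or the admin's tooling, that performs that correlation over log lines in the two formats quoted above; the sample lines, paths, addresses and account name are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shapes taken from the two log excerpts quoted in the post.
ERR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                    r"File does not exist: (?P<path>.*)$")
SUEXEC_RE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\]: info: \(target/actual\) "
                       r"uid: \([^)]*\) gid: \([^)]*\) cmd: (?P<cmd>\S+)")

def probing_clients(error_lines, threshold):
    """Return {ip: sorted timestamps} for clients with >= threshold misses."""
    hits = defaultdict(list)
    for line in error_lines:
        m = ERR_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            hits[m["ip"]].append(ts)
    return {ip: sorted(ts) for ip, ts in hits.items() if len(ts) >= threshold}

def suexec_near_probes(error_lines, suexec_lines, threshold=3, window_min=10):
    """List (ip, time, cmd) for suexec runs close in time to a client's probing."""
    window = timedelta(minutes=window_min)
    probers = probing_clients(error_lines, threshold)
    found = []
    for line in suexec_lines:
        m = SUEXEC_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        for ip, times in probers.items():
            # Span from the client's first to last miss, padded by the window.
            if times[0] - window <= ts <= times[-1] + window:
                found.append((ip, str(ts), m["cmd"]))
    return found

# Constructed sample data: documentation IPs, made-up paths and account name.
ERROR_LOG = [
    "[Tue Sep 18 03:20:01 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/gallery/a.php",
    "[Tue Sep 18 03:20:03 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/gallery/b.php",
    "[Tue Sep 18 03:21:40 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/forums/c.php",
    "[Tue Sep 18 09:00:00 2007] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico",
]
SUEXEC_LOG = [
    "[2007-09-18 03:23:26]: info: (target/actual) uid: (webuser/webuser) gid: (webuser/webuser) cmd: image.php",
    "[2007-09-18 14:00:00]: info: (target/actual) uid: (webuser/webuser) gid: (webuser/webuser) cmd: index.php",
]
```

A match only says a script ran near a burst of failed requests; the access log for the same minutes is still needed to see which request triggered it.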
Photopost Developer
Verified Customer
 
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 66,795
That appears to be some freeware gallery that has nothing to do with any application releases by us. They would need to quote explicit information to track down errors or assist in determining what is the cause. Example most any sites that have been hacked that I have seen over the years ALL are vbulletin sites and in the end it comes down to things were broken into like number one program FLASHCHAT. So lots of true data and site information and testing would have to go in to truly determine where your specific issue comes from or is caused by.
__________________
Photopost Developer and Support Engineer

Please do not PM me for support or sales questions. Thank you for your understanding.
Posted by Chuck S
November 3rd, 2007, 04:01 PM   #4
Member
Verified Customer
 
Join Date: Aug 2005
Posts: 47
Understood. After my first post, the server admins realized the link they provided wouldn't do me any good. That's when I posted the second message to see if someone here could provide direction.

The narrative in my second post refers to a security hole in showphoto.php. I believe that is part of vBGallery. We were running Photo Post Pro, but a previous hack resulted in problems I couldn't resolve, so I installed vBGallery instead. That was the last thing I changed on our site before the hack. Very unlikely the timing was just a coincidence.
Posted by rcwild
November 3rd, 2007, 04:19 PM   #5
Registered User
Verified Customer
 
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,243
showphoto.php is not vbgallery.
- it uses showimage.php
Posted by Zachariah
November 4th, 2007, 06:58 AM   #6
Member
Verified Customer
 
Join Date: Aug 2005
Posts: 47
What could I have done to create this security hole when I installed vBGallery?

My frustration ... You guys are telling me the problem could not be with Photo Post ?? So I go over to vBulletin. From past experience, I believe they will tell me they can't offer support because I installed a mod and they only support their original program. So I'm stuck in the middle with no help from anyone, forced to stop using your program to get support from vBulletin. I really like your program and hope I don't have to stop using it.
Posted by rcwild
November 10th, 2007, 06:05 AM   #7
Junior Member
Verified Customer
 
Join Date: Apr 2007
Posts: 13
Anonymous FTP might be enabled on your site. That's one way for them to get in and place files in world-writable directories like data, templates, uploads and stylesheets as these are normally set to 777 during installation.
Posted by TheLastMohican
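The last post points at directories left at 777, and the admin's note earlier in the thread mentions a hidden `.k` folder found in the content. The following is an added example, not part of the original thread, that audits a web root for both conditions: world-writable directories, hidden entries, and server-side scripts sitting inside writable directories. The extension list and the sample tree built by `build_sample_tree` are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

# Assumed list of extensions the web server would execute; adjust per site.
SCRIPT_EXT = {".php", ".pl", ".cgi", ".sh", ".py"}

def audit_webroot(root):
    """Report world-writable dirs, hidden entries, and scripts in writable dirs."""
    out = {"world_writable": [], "hidden": [], "scripts_in_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        rel = os.path.relpath(dirpath, root)
        # The "other" write bit is what a 777 directory exposes to any local user.
        writable = bool(os.lstat(dirpath).st_mode & stat.S_IWOTH)
        if writable:
            out["world_writable"].append(rel)
        for name in dirnames + filenames:
            path = os.path.normpath(os.path.join(rel, name))
            ext = os.path.splitext(name)[1].lower()
            if name.startswith("."):
                out["hidden"].append(path)
            elif writable and name in filenames and ext in SCRIPT_EXT:
                out["scripts_in_writable"].append(path)
    return {key: sorted(paths) for key, paths in out.items()}

def build_sample_tree():
    """Create a constructed gallery layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    dirs = (("uploads", 0o777), ("uploads/.k", 0o755), ("templates", 0o755))
    for d, mode in dirs:
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)  # chmod so umask cannot mask the bits
    for f in ("uploads/photo.jpg", "uploads/dropped.php", "templates/index.php"):
        open(os.path.join(root, f), "w").close()
    return root

if __name__ == "__main__":
    for kind, paths in audit_webroot(build_sample_tree()).items():
        print(kind, paths)
```

Directories that must accept uploads can usually be owned by the account the scripts run as and set to 755 or tighter, with script execution disabled for that path in the web server configuration.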