
Photopost Pro Bug Reports Post post installation PhotoPost Pro problems here.

Old September 18th, 2006, 08:52 AM   #1 (permalink)
Junior Member
Verified Customer
 
Join Date: Oct 2002
Posts: 28
Hacker intrusion

We are running an older version of PP (4.5.1) and have had a hacker get in thru the DATA directory. Will simply upgrading the program "fix" this issue? Having a folder set for 777 makes me very nervous!!
347Monster is offline   Reply With Quote
Old September 18th, 2006, 09:06 AM   #2 (permalink)
Photopost Developer
Verified Customer
 
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 68,070
The folder has to be 777.

As far as security issues, without knowing how he got in we cannot respond further, but most definitely you want to upgrade, as there have been tons of security fixes since then.
__________________
Photopost Developer and Support Engineer

Please do not PM me for support or sales questions. Thank you for your understanding.
Chuck S is offline   Reply With Quote
Old September 18th, 2006, 09:13 AM   #3 (permalink)
Junior Member
Verified Customer
 
Join Date: Oct 2002
Posts: 28
Will it help to show what they put in the directory?

/home2/xxx/public_html/photopost/data/1/py2 && chmod 4755 /home2/xxx/public_html/photopost/data/1/py2 && rm -rf /etc/cron.d/core && kill -USR1 10888)

Sep 12 07:11:01 a9 crond[15618]: (root) CMD ( chown root:root /home2/xxx/public_html/photopost/data/1/py2 && chmod 4755 /home2/xxx/public_html/photopost/data/1/py2 && rm -rf /etc/cron.d/core && kill -USR1 10888)
Sep 12 07:11:01 a9 crond[15622]: (root) CMD ( chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core)

Sep 12 07:12:01 a9 crond[18871]: (root) CMD ( chown root:root /home2/xxx/public_html/photopost/data/1/py2 && chmod 4755 /home2/xxx/public_html/photopost/data/1/py2 && rm -rf /etc/cron.d/core && kill -USR1 10888)
Sep 12 07:12:01 a9 crond[18872]: (root) CMD ( chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core)
347Monster is offline   Reply With Quote
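The cron entries in the post above show root's crond running commands that give a file root ownership and mode 4755 (setuid). As an added example that is not part of the original post, this script pulls such entries out of a cron log; the log path mentioned in the comment and the benign first sample line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list root cron commands that make a
# file setuid. Sample lines 2-3 are copied from the post; line 1 is constructed.
sample_log() {
cat <<'EOF'
Sep 12 07:10:01 a9 crond[15001]: (root) CMD (run-parts /etc/cron.hourly)
Sep 12 07:11:01 a9 crond[15618]: (root) CMD ( chown root:root /home2/xxx/public_html/photopost/data/1/py2 && chmod 4755 /home2/xxx/public_html/photopost/data/1/py2 && rm -rf /etc/cron.d/core && kill -USR1 10888)
Sep 12 07:11:01 a9 crond[15622]: (root) CMD ( chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core)
EOF
}

# Read cron log lines on stdin; print "Mon DD HH:MM:SS path" for each chmod
# inside a (root) CMD entry whose mode sets the setuid bit
# (octal 4xxx-7xxx, or the symbolic form u+s).
setuid_cron_targets() {
  awk '
    /\(root\) CMD/ {
      for (i = 1; i < NF; i++) {
        mode = $(i + 1)
        if ($i == "chmod" && (mode ~ /^[4-7][0-7][0-7][0-7]$/ || mode ~ /^u\+[rwx]*s/)) {
          path = $(i + 2)
          sub(/[;)&]+$/, "", path)   # strip shell separators glued to the path
          print $1, $2, $3, path
        }
      }
    }'
}

# Assumption: on the affected host the input would be the cron log,
# e.g. setuid_cron_targets < /var/log/cron (the path varies by distribution).
sample_log | setuid_cron_targets
```

A root cron job that the administrator did not create means the attacker was already able to run commands as root, so removing files from the web directory alone does not restore the host.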
Old September 18th, 2006, 04:37 PM   #4 (permalink)
Junior Member
Verified Customer
 
Join Date: Oct 2002
Posts: 28
I guess not...
347Monster is offline   Reply With Quote
Old September 18th, 2006, 04:46 PM   #5 (permalink)
Photopost Developer
Verified Customer
 
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 68,070
I would just suggest you upgrade your photopost
Chuck S is offline   Reply With Quote
Old September 19th, 2006, 07:56 AM   #6 (permalink)
Junior Member
Verified Customer
 
Join Date: Oct 2002
Posts: 28
Ok.. well I paid the fee to be able to download and am just waiting for it to be validated.

I must say... If I paid for the original version of the software, and now that version is "not secure" I do not think it is fair or proper to have to pay again to get a copy that is properly coded. You should be able to upgrade your software without paying for it again, however since I have no choice, I paid.
347Monster is offline   Reply With Quote
Old September 19th, 2006, 08:08 AM   #7 (permalink)
Photopost Developer
Verified Customer
 
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 68,070
When you purchase a copy of most any software you get a specific time to get code updates, one year to be exact, and this is industry standard usually. Your software is like 3.5 years old and hence you would need to renew access.

Now also just to point out while someone attacked a directory on your server which is 777 does not directly relate to it being because of Photopost. There have been tons of security updates mostly to plug holes in PHP UPDATES throughout the years. Your hackers could have broken into any place of your site if you kept running older software on the site all around. That usually is where any hacker attacks when people are not proactive in protecting themselves.
Chuck S is offline   Reply With Quote
Old September 19th, 2006, 08:25 AM   #8 (permalink)
Junior Member
Verified Customer
 
Join Date: Oct 2002
Posts: 28
Quote:
Originally Posted by Chuck S View Post
When you purchase a copy of most any software you get a specific time to get code updates, one year to be exact, and this is industry standard usually. Your software is like 3.5 years old and hence you would need to renew access.

Now also just to point out while someone attacked a directory on your server which is 777 does not directly relate to it being because of Photopost. There have been tons of security updates mostly to plug holes in PHP UPDATES throughout the years. Your hackers could have broken into any place of your site if you kept running older software on the site all around. That usually is where any hacker attacks when people are not proactive in protecting themselves.
It would appear that the software allowed certain characters to be strung together and it did not stop them...


Regardless, point taken, fee paid.

We like the program very much. **** happens...
347Monster is offline   Reply With Quote
Old September 19th, 2006, 09:09 AM   #9 (permalink)
Junior Member
Verified Customer
 
Join Date: Oct 2002
Posts: 28
http://www.frsirt.com/english/advisories/2005/1535
347Monster is offline   Reply With Quote
Old September 19th, 2006, 09:19 AM   #10 (permalink)
Photopost Developer
Verified Customer
 
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 68,070
Yes another OLD security thread
Chuck S is offline   Reply With Quote
Old September 19th, 2006, 09:43 AM   #11 (permalink)
Junior Member
Verified Customer
 
Join Date: Oct 2002
Posts: 28
Understood. If you would like to remove this topic, feel free. I am waiting patiently for my renewal to be validated and I will update the program...
347Monster is offline   Reply With Quote
Old September 21st, 2006, 08:58 PM   #12 (permalink)
Junior Member
Verified Customer
 
Join Date: Oct 2002
Posts: 28
Ok this is driving me CRAZY!!!

I purchased the most recent version of PP. I did a fresh install in a new folder with a new database and re-uploaded all my photos.

It took all of one day for the logs to show the same hacker scripts in the DATA directory-
c99.php
backdoor.pl

How are they able to do this? My host says that the PHP files are extremely vulnerable to attack and to contact the software maker. That would be you guys.

WTF is the deal? That c99.php is bad news man!
347Monster is offline   Reply With Quote
Old September 21st, 2006, 09:20 PM   #13 (permalink)
PhotoPost Developer
Verified Customer
 
Join Date: Jan 2002
Posts: 11,860
It's possible that you didn't get all the files they installed off your server; my server was compromised a couple weeks ago by the flashchat program and I found their backdoors installed all over the place.

Try going to your top level directory and doing a:

find . -name c99.php -print

or use backdoor.pl in place of the filename. See if they have other scripts installed in your web directory. It took me a good few hours to find all the copies they had installed on my server.

You should also make sure we are using your current email address; we've sent out notices for every update (especially the security ones) and it's worthwhile to stay on top of those updates like you would with any other software application on your system.
__________________
Please do not PM me for support or sales questions. Thank you for your understanding.
Michael P is offline   Reply With Quote
Old September 21st, 2006, 09:26 PM   #14 (permalink)
Junior Member
Verified Customer
 
Join Date: Oct 2002
Posts: 28
Quote:
Originally Posted by Michael P View Post
It's possible that you didn't get all the files they installed off your server; my server was compromised a couple weeks ago by the flashchat program and I found their backdoors installed all over the place.

Try going to your top level directory and doing a:

find . -name c99.php -print

or use backdoor.pl in place of the filename. See if they have other scripts installed in your web directory. It took me a good few hours to find all the copies they had installed on my server.

You should also make sure we are using your current email address; we've sent out notices for every update (especially the security ones) and it's worthwhile to stay on top of those updates like you would with any other software application on your system.


Thank you Michael, will do.

I was reading on a security forum and they suggested adding this line near the top to all the php files:

Code:
Content visible to verified customers only.
Any input on this?
347Monster is offline   Reply With Quote
Old September 21st, 2006, 09:55 PM   #15 (permalink)
PhotoPost Developer
Verified Customer
 
Join Date: Jan 2002
Posts: 11,860
Well, only a couple of our scripts are not meant to be called directly; so I don't really see this as necessary or effective given how our script is laid out (we don't have a lot of include files).
Michael P is offline   Reply With Quote
Old September 22nd, 2006, 03:27 PM   #16 (permalink)
WB
Member
Verified Customer
 
Join Date: Jan 2002
Posts: 265
Michael:

Sorry to hear about your server.

Out of curiosity, after such a compromise, how do you tell that there are no remaining hidden backdoors?

From some of the other reports I've run across about FlashChat seems that some folks ended up being rooted as well (FlashChat combined with an older kernel that allowed for a local escalation from what I recall).
WB is offline   Reply With Quote
Old September 22nd, 2006, 07:19 PM   #17 (permalink)
Member
Verified Customer
 
Join Date: Feb 2004
Location: Beach/Lost Angeles
Posts: 147
My hosting account was badly hacked a few months ago.

All the 777'ed dirs, including all the VBGallery data file directories and my control panel statistics file dir's had extraneous .PHP files & modified .htaccess files in them that didn't belong there. So I went thru EVERY DIRECTORY in my hosting account, including all the control panel/site stats-related dir's and cleaned everything out. Some files I couldn't delete (permissions) and my hosting company was less than responsive, so I eventually had them reset my account. Even after I told them it looked like more than just my 3 distinct and separate accounts were hacked, they pretty much blew me off claiming it was a password thief program. No, it wasn't grrrrrrrrr. I even showed them the hacker results and how the PHP files were called (via a 404-not found directive) and how the hack files were sending their server info to a .ru (Russian) web site. Still blew me off.

This is the 2nd time I got badly burned with very lukewarm host response to their servers being hacked. I finally cancelled my hosting accounts there and moved to a different host.

Lessons learned. Hosts are a dime-a-dozen. After a bunch of research on

www.webhostingtalk.com

and other sites, I'm now with

A Small Orange

http://www.asmallorange.com/

Got a LOT of good reviews. I'm just getting my feet wet with them, so to speak, but very good customer service so far !! Very prompt and very helpful.

Last edited by mlucek; September 22nd, 2006 at 07:25 PM.
mlucek is offline   Reply With Quote
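The thread describes two clean-up passes: the `find . -name c99.php -print` search by filename, and the directory-by-directory hunt for extraneous .PHP files and modified .htaccess files in 777 directories. As an added example that is not from any poster, the script below generalizes both into one sweep that does not depend on knowing the dropped file's name; it assumes the gallery's data directory should hold only image files, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the gallery's data directory
# should hold only uploaded images, so anything else there is worth a look.

# Report three kinds of finding under DIR, one "TAG path" line each.
sweep_upload_dir() {
  dir=$1
  # Any file whose extension is not on the image allowlist (catches renamed
  # copies that a search for one filename would miss).
  find "$dir" -type f ! -name '.htaccess' \
       ! \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.gif' -o -iname '*.png' \) \
       -print | sed 's/^/NONIMAGE /'
  # Per-directory Apache overrides; compare each against a known-good copy.
  find "$dir" -type f -name '.htaccess' -print | sed 's/^/HTACCESS /'
  # Files carrying the setuid or setgid bit, like the chmod 4755 target
  # seen in the cron log earlier in the thread.
  find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/SETID /'
}

# Build a constructed sample tree (empty files, names taken from the thread).
make_sample_tree() {
  t=$(mktemp -d) || return 1
  mkdir -p "$t/data/1" "$t/data/2"
  : > "$t/data/1/photo.jpg"
  : > "$t/data/1/c99.php"
  : > "$t/data/1/backdoor.pl"
  : > "$t/data/1/py2"
  chmod 4755 "$t/data/1/py2"
  : > "$t/data/2/.htaccess"
  printf '%s\n' "$t"
}

# With an argument, sweep that directory; without one, sweep the sample tree.
if [ $# -gt 0 ]; then
  sweep_upload_dir "$1"
else
  tree=$(make_sample_tree) && sweep_upload_dir "$tree/data"
  rm -rf "$tree"
fi
```

An empty result covers only the directory that was swept and only these three checks; it does not show that no backdoor remains elsewhere on the host.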
All times are GMT -5.
