December 28th, 2006, 11:07 AM   #1
Junior Member
Verified Customer
 
Join Date: Sep 2003
Location: Boise
Posts: 20
Appears My PhotoPost Has Been Hacked!

After we upgraded to 5.62 (the latest, latest version of it), on December 26th, somebody somehow uploaded files through PhotoPost that created an IRC channel program on our server (and ran it).

It was in this folder:

htdocs/photo/uploads/398515/

There were files like mybot.jpg, mybot.jpg~, iroffer.zip, xh, hira.txt, and more. I can't attach them here because they are too big. I can e-mail them to you though. Tell me where to e-mail them.

Appears to be this program: http://iroffer.org/

Also, the mybot.jpg file was a 4kb file that did not work when I tried to "view" it, and it contains this in it:

strings mybot.jpg
IRFR
@iroffer v1.4.b01 [20040901211948], Linux 2.6.9-22.ELsmp

Obviously, I am very concerned about this situation and we need to know how to fix it quick!

FYI, we do not allow zip uploads.

The user that uploaded it (or at least the userid of the uploads directory where the files were) appears to be a good user that started their account in October and uploaded legitimate files at first. So maybe their account was hacked first, or the hacker somehow uploaded to their directory.

More info, in case you are wondering:

Server version: Apache/2.0.52
Red Hat Enterprise Linux ES release 4 (Nahant Update 4)
We are on the latest updates of the OS

http://forum.bodybuilding.com/photo

Please help! I don't want to wait until it happens again. We removed the program and it doesn't appear it did anything negative except act as a relayer or something for an IRC chat channel.

Ryan
ryand789 is offline   Reply With Quote
December 28th, 2006, 11:49 AM   #2
PhotoPost Developer
Verified Customer
 
Join Date: Jan 2002
Posts: 11,834
Hi, Ryan; do you have any indication as to when the files were uploaded? I know you said December 26th, but are those when the files were uploaded or were the files already there?

The files wouldn't have made it into that directory through PhotoPost unless they were approved file types, so I'm wondering if the files didn't get placed there via another script.

Can you check your server logs to see when those files may have been accessed?

PS: Are we going to see you guys at the Arnold in a couple months?
__________________
Please do not PM me for support or sales questions. Thank you for your understanding.
Michael P is offline   Reply With Quote
December 28th, 2006, 12:49 PM   #3
Junior Member
Verified Customer
 
Join Date: Sep 2003
Location: Boise
Posts: 20
It appears they were uploaded on December 26th and last accessed today.

It seems hard to believe they were uploaded to the PhotoPost "uploaded files" area of our server but were not uploaded through PhotoPost. The only other software on there is VBulletin.

Could a .jpg file be uploaded that was actually a virus file and not a real jpeg?

Yes, I'll be at the Arnold for sure and we'll have a booth like always. This year we are going to actually be doing a LIVE free webcast of the entire Arnold Classic event! Check back on our site soon for more info. Hopefully we can meet in person there!

Ryan
ryand789 is offline   Reply With Quote
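
Added example (not part of the original thread and not PhotoPost's code): a Python audit for the question raised in the post above, whether a file named .jpg can be something other than a JPEG. It walks an uploads tree and reports files whose extension is not an image type or whose leading bytes do not match the extension; the function names, the sample tree and all file contents are constructed for illustration, reusing only the file names reported in the thread.

```python
import os
import tempfile

# Leading bytes that a genuine image of each type must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def audit_uploads(root):
    """Return sorted (relative_path, reason) pairs for files that fail the check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()  # "mybot.jpg~" -> ".jpg~"
            with open(path, "rb") as fh:
                head = fh.read(8)
            if ext not in IMAGE_MAGIC:
                reason = "extension not on image allow-list"
            elif not head.startswith(IMAGE_MAGIC[ext]):
                reason = "content does not match extension"
            else:
                continue
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

def build_sample_tree():
    """Constructed stand-in for the uploads directory; contents are placeholders."""
    root = tempfile.mkdtemp(prefix="uploads-")
    user_dir = os.path.join(root, "398515")
    os.makedirs(user_dir)
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",  # real JPEG header
        "mybot.jpg": b"IRFR\n@iroffer (constructed placeholder)\n",
        "mybot.jpg~": b"IRFR\n",
        "iroffer.zip": b"PK\x03\x04",
        "xh": b"constructed placeholder\n",
        "hira.txt": b"constructed placeholder\n",
    }
    for name, data in samples.items():
        with open(os.path.join(user_dir, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reason in audit_uploads(build_sample_tree()):
        print(f"{rel}: {reason}")
```

A matching header only shows that a file starts like an image, not that the rest of it is harmless, so this is a triage check for an existing directory rather than a complete upload filter.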
December 28th, 2006, 01:12 PM   #4
PhotoPost Developer
Verified Customer
 
Join Date: Jan 2002
Posts: 11,834
Sounds good to me, Ryan; I was looking for you last year, but we kept missing each other as you were never at your booth when I was (I have the extremefitness.com website).

Anyways, back to the issue.

I'm not aware of anyone being able to do something like this or having done so in the past; that different file types are in the directory is a concern. I simply don't know how those files could be in the uploads directory if done via PhotoPost because they would never have been placed there with names like that.

Do you have FlashChat on your server?
__________________
Please do not PM me for support or sales questions. Thank you for your understanding.
Michael P is offline   Reply With Quote