Photopost Pro Bug Reports: Post post-installation PhotoPost Pro problems here.
April 3rd, 2007, 08:00 AM
|
#1 (permalink)
| | Member Verified Customer
Join Date: Mar 2005 Location: Lancaster, PA
Posts: 44
| Ebay Spoof - Site Hacked
Need help! Gallery (5.6.2) has been hacked. It looks like they are exploiting uploadphoto.php. In the uploads directory they were able to upload a php and html file. In addition, I don't have file permissions for either file since they were CHMOD 600. Before contacting our webhost to delete the directory I thought you may want to see. http://www.woodcarvingillustrated.co.../uploads/3670/.
|
| |
April 3rd, 2007, 08:05 AM
|
#2 (permalink)
| | Member Verified Customer
Join Date: Aug 2004 Location: Greenville, SC
Posts: 195
|
What is odd is that I don't see any links to a rogue site.
|
| |
April 3rd, 2007, 09:07 AM
|
#3 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,682
|
I do not see any way in any form that they are uploading a php file through Photopost and there is no evidence of this at all. Your uploads directory is 777, which has to be set so to allow file uploads to it. Your hacker could get in through many doors on your site and find a directory that is 777 to dump that file in.
The only way he would be able to upload a PHP file is if you allowed it by setting it as a multimedia type. Like the next guy said, where is the hacking? You can safely just clear out all directories beneath the uploads directory and you should be fine.
|
| |
April 3rd, 2007, 10:47 AM
|
#4 (permalink)
| | Member Verified Customer
Join Date: Mar 2005 Location: Lancaster, PA
Posts: 44
|
Chuck, thank you for looking into it. Currently, the gallery doesn't allow multimedia files, and I jumped the gun when I saw php files inside the upload directory and assumed they got there from the upload script. I had our host remove the directories. Currently, I am speculating the exploit is from a mail form script and not photopost.
|
| |
April 3rd, 2007, 11:17 AM
|
#5 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,682
|
Yeah, Michael had something like this a while back and it turned out to be one of his vb hacks that one uses off of vbulletin.org, so it's pretty common for hackers to break in and dump stuff in a directory that is 777.
Being that this specific hacker dumped it in that specific upload directory I would speculate it is that specific user.
|
| |
April 3rd, 2007, 06:34 PM
|
#6 (permalink)
| | PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,834
|
My server was hacked using a version of FlashChat... they put files all through my website directory structure..
__________________ Please do not PM me for support or sales questions. Thank you for your understanding. |
| |
April 4th, 2007, 12:41 PM
|
#7 (permalink)
| | Member Verified Customer
Join Date: Mar 2005 Location: Lancaster, PA
Posts: 44
| Thanks Michael
No Flash Chat Installed. The hacks I have installed are
NoSpam!
Prevent Spam
Add PhotoPost Pro to each forum
Separate Sticky and Normal Threads vBSEO vBSEO :: Conditional Signatures
Welcome Headers VB Spell Check
I believe the exploit might be coming from a mail form script "PHPforms" which I removed. So far so good and no new files created. That said maybe they haven't been back either.
|
| |
April 4th, 2007, 03:55 PM
|
#8 (permalink)
| | Senior Member
Join Date: Mar 2003
Posts: 1,319
|
firefox told me your site was dodgy... suspected something or other...
|
| |
April 9th, 2007, 09:43 AM
|
#9 (permalink)
| | Member Verified Customer
Join Date: Mar 2005 Location: Lancaster, PA
Posts: 44
| Finding specific user
"Being that this specific hacker dumped it in that specific upload directory I would speculate it is that specific user."
uploads/3670/
So would 3670 be the User ID in the VB user table?
|
| |
April 9th, 2007, 10:59 AM
|
#10 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,682
|
Yes, that is the userid thing, but if you removed php forms and there are no new occurrences, just keep an eye on things.
|
| |
April 9th, 2007, 11:05 AM
|
#11 (permalink)
| | Member Verified Customer
Join Date: Mar 2005 Location: Lancaster, PA
Posts: 44
|
It has been quiet on the home front since removing the forms. More of just an fyi...
|
| |
May 25th, 2007, 01:56 PM
|
#12 (permalink)
| | Member Verified Customer
Join Date: Mar 2005 Location: Lancaster, PA
Posts: 44
|
I've been battling this off and on again for the last month on another site. I found the following: http://www.scrollsawer.com/gallery/templates/cmd.php. Since the file is 600, I'm going to have the webhost download it for forensics and delete it from the server. Does this provide any info on PhotoPost's end?
|
| |
May 25th, 2007, 01:59 PM
|
#13 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,682
|
Not really. Your templates directory is not 777, so unless you have set that directory to be uploadable, that file could not get there. I would suspect someone has uploaded that file through a security hole in some vb hack you have installed and they then use that script to upload other files to your site.
|
| |
May 25th, 2007, 02:16 PM
|
#14 (permalink)
| | Member Verified Customer
Join Date: Mar 2005 Location: Lancaster, PA
Posts: 44
|
The template directory is 777 according to the install instructions. Should I set it to something else?
photopost
images (chmod 755)
uploads (chmod 777)
help (chmod 755)
data (chmod 777)
1 (chmod 777 - including subdirectories)
2 (chmod 777 - including subdirectories)
500 (chmod 777 - including subdirectories)
languages (chmod 755) (a
stylesheets (chmod 777)
templates (chmod 777)
forums (chmod 755)
|
| |
May 25th, 2007, 05:14 PM
|
#15 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,682
|
Those are the templates themselves, not the directory.
| | |
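Added example, not part of the original thread and not PhotoPost code: a shell audit for the situation discussed above, where script files turn up in 777 directories such as uploads/3670/. The function names, the extension list and the sample tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a gallery tree for dropped scripts in world-writable dirs.

# Directories any local account can write to (o+w set, e.g. 777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Script or HTML files sitting directly inside those directories. An image
# upload area has no reason to hold them. The extension list is an assumption.
suspect_files() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \
            \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
               -o -iname '*.html' -o -iname '*.htm' \) -print
    done | sort
}

# Print both lists; ls -l shows owner and mode, so a 600 file owned by
# another account (for example the web server's) stands out.
report() {
    echo "World-writable directories under $1:"
    world_writable_dirs "$1" | sed 's/^/  /'
    echo "Script/HTML files inside them:"
    suspect_files "$1" | while IFS= read -r f; do ls -l -- "$f"; done
}

# With a path argument, audit it; otherwise use a constructed sample tree.
if [ "$#" -gt 0 ]; then
    report "$1"
else
    demo=$(mktemp -d)
    mkdir -p "$demo/uploads/3670" "$demo/images"
    chmod 777 "$demo/uploads" "$demo/uploads/3670"
    chmod 755 "$demo/images"
    touch "$demo/uploads/3670/photo.jpg" "$demo/uploads/3670/dropped.php"
    chmod 600 "$demo/uploads/3670/dropped.php"
    report "$demo"
    rm -rf "$demo"
fi
```

Run it with the gallery root as the only argument; directories that are 755 are not searched, so a script placed there by other means needs a separate check.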
All times are GMT -5.