Hacking Alert

woodwater · July 12th, 2007, 02:07 PM

I am using the latest version of PhotoPost and it was hacked.

I received notification that this account is getting high loads.

In WHM I saw someone was creating the load by accessing some files in photopost

/photos/data/500/search/stats.php?addurlhttp%3A%2F%2Fwww.s

/photos/data/500/search/distrib_stats.php?takeurl1

These files are not part of photopost. The /photos/data/500/search/ folder is foreign and not created by the software.

I tried to delete it via FTP but I was unable to do it. When I try to delete via Cpanel File Manage, I get this error "a fatal error or timeout occurred while processing this directive"

Below are the files inside /photos/data/500/search/

distrib_stats.php 2 k 0644
distrib_url.txt 3363 k 0644
error_log 4 k 0644
found.old.txt 20 k 0644
found.txt 6 k 0644
index.php 3 k 0644
inject.php 1 k 0644
misc.inc.php 1 k 0644
net.inc.php 1 k 0644
search.inc.php 4 k 0644
search_collect.php 7 k 0644
stats.php 0 k 0644
tmp.php 14 k 0644
upload.txt

Check your installation too, if the same thing happened to you, it could be anywhere in any folder inside DATA.

I have no idea how the hacker gain access. But I suspect somehow the person is able to upload and run his hacking folder in DATA as it's 777.

Does DATA need to be 777? Can we use other stricter permission?

I have alerted my host and they are investigating.

woodwater · July 12th, 2007, 02:19 PM

My host replied this.

"I have deleted that directory as per your request. There are quite a few public directories that have 777 permissions on them; I would suggest auditing each one of these as malicious files could have been uploaded to any of them."

but Photopost DATA folder has tons of 777 folders.....

woodwater · July 12th, 2007, 02:21 PM

I need add. I am running a default installation of photopost without any hack and it was upgraded to the latest version recently too.

Chuck S · July 12th, 2007, 03:57 PM

There are many points where someone can enter your site through many applications and they search out 777 directories to deposit files. There are no known security holes with Photopost allowing these types of files

Data and uploads directories need to be 777 for uploads to work unless you host changes that.

I would suggest you look at all the software you run on your site and make sure it is current and see if any of that software has known security issues

example people running vbulletin hacks on their vb forums we see this alot.

pistebasher · July 12th, 2007, 06:09 PM

If php runs as a cgi on your server (ie not as an Apache module) then you should be able to run with 755 instead of 777. Ask your host.

Michael P · July 12th, 2007, 06:24 PM

755 can work as long as your web process owns the directory; but if they compromised another script on your system they will still be able to place files in your directory structure.

I haven't seen any hacks using PhotoPost; but I have seen people use PhotoPost directories to place files - including on my own server when FlashChat was compromised.