Need help! Gallery (5.6.2) has been hacked. It looks like they are exploiting uploadphoto.php. In the uploads directory they were able to upload a php and html file. In addition, I don't have file permissions for either file since they were CHMOD 600. Before contacting our webhost to delete the directory I thought you may want to see.
I do not see any way in any form that they are uploading a PHP file through Photopost, and there is no evidence of this at all. Your uploads directory is 777, which it has to be set to in order to allow file uploads to it. Your hacker could get in through many doors on your site and find a directory that is 777 to dump that file in.
The only way he would be able to upload a PHP file is if you allowed it by setting it as a multimedia type. Like the next guy said, where is the hacking? You can safely just clear out all directories beneath the uploads directory and you should be fine.
Chuck, thank you for looking into it. Currently, the gallery does not allow multimedia files, and I jumped the gun when I saw PHP files inside the upload directory and assumed they got there from the upload script. I had our host remove the directories. Currently, I am speculating the exploit is from a mail form script and not Photopost.
Yeah, Michael had something like this a while back and it turned out to be one of his vb hacks that one uses off of vbulletin.org, so it's pretty common for hackers to break in and dump stuff in a directory that is 777.
Being that this specific hacker dumped it in that specific upload directory I would speculate it is that specific user.
I've been battling this off and on again for the last month on another site. I found the following: http://www.scrollsawer.com/gallery/templates/cmd.php. Since the file is 600, I'm going to have the webhost download it for forensics and delete it from the server. Does this provide any info on Photopost's end?
Not really. Your templates directory is not 777, so unless you have set that directory to be uploadable, that file could not get there. I would suspect someone has uploaded that file through a security hole in some vb hack you have installed, and they then use that script to upload other files to your site.
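
A triage sketch for the pattern discussed in this thread, added here as an example and not posted by anyone in the thread: it lists world-writable directories under a web root, script or HTML files sitting beneath them, and files set to mode 600. The function names and the list of flagged extensions are assumptions.

```shell
#!/bin/sh
# Added example: web-root triage for dropped files.
# Function names and the extension list are assumptions for illustration.

# Directories any local account can write to (777 and similar).
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# PHP/HTML files anywhere beneath a world-writable directory.
# An image upload area should normally hold neither.
scripts_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -type f \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.html' \) \
            2>/dev/null
    done | sort -u
}

# Files with mode exactly 600: readable only by whichever account
# created them, which is how the files in this thread were found.
owner_only_files() {
    find "$1" -type f -perm 0600 2>/dev/null | sort
}

# Print all three lists, with owner and timestamps for each hit.
report() {
    echo "== world-writable directories"
    world_writable_dirs "$1"
    echo "== PHP/HTML files under world-writable directories"
    scripts_in_writable_dirs "$1" | while IFS= read -r f; do ls -l "$f"; done
    echo "== files with mode 600"
    owner_only_files "$1" | while IFS= read -r f; do ls -l "$f"; done
}

# Usage: sh triage.sh /path/to/webroot
if [ $# -gt 0 ]; then
    report "$1"
fi
```

The owner column in the `ls -l` output shows which account wrote each file, which helps separate files created by the web server process from files uploaded over the hosting account.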