Any Reports of G2 being hacked for File Sharing Purposes...?

SodaJim

Joined: 2004-05-20
Posts: 27

Posted: Thu, 2005-01-06 18:26

Hello,

I've been running Gallery v1.4.3-pl1 for several months now without a glitch!

I recently installed the G2 alpha 4 and was very impressed with the installer, that deserves an applause! I only had on error for the thumbnail manager... I was able upload images and the thumbnails where created so I'm not sure about this particular error...

My concern is that within 24 hours of completing this installation, my vps server was hacked into and was partially setup for file sharing... I have NEVER had this occur in the past and found it alarming since this installation was the only thing that has been modified on the server recently! Or this could be VERY coinsidental in the timing of this event...
My first thought is this application since various file types can be uploaded and possibly executed.

I'm just attempting to correspond with any of the developers to ensure there hasn't been any reports of this type...

Any response is appreciated,
Jim

jmullan

Joined: 2002-07-28
Posts: 974

Posted: Thu, 2005-01-06 18:52

We would be glad to assist in forensic analysis of this event. Would you mind sharing logs with one or more members of the dev team?

SodaJim

Joined: 2004-05-20
Posts: 27

Posted: Thu, 2005-01-06 23:48

I would be glad to assist in any way I can; however, I'm not the most knowledgeable person when it comes to server stuff... I'm mostly a web site guy that was forced to learn a little server stuff out of necessity...

I immediately removed the complete dir that G2 was installed but have left the database intact. The files and dir where the hacker placed their files have been removed but I can tell that I'm using FreeBSD and the dir was created with illegal characters so it wouldn't show up easily.

To move forward, let me know off list how you would like to pursue an investigation to see if in fact G2 or some php module was utilized to allow this to occur... Let me know specifically which log files will assist in this process.

SodaJim

Joined: 2004-05-20
Posts: 27

Posted: Fri, 2005-01-07 00:18

I have sad news on this...
I have a log analyser, Urchin, run reports every night and then delete the logs so it refreshes every night. This ocurred during the night of Jan. 4/5 so the log files have been replaced with todays file...

Any other suggestions... Possibly a another server log...?

fryfrog

Joined: 2002-10-30
Posts: 3236

Posted: Fri, 2005-01-07 00:25

There are so many things that could have been exploited, w/o anything to go on it really could have been anything.

I would check and see if the version of Apache and PHP you use are recent, I know that 4.3.10 fixed a pretty serious security hole. Also, Gallery versions below 1.4.4-pl4 had a (or some?) security holes and would warrent upgrading that.

bharat

Joined: 2002-05-21
Posts: 7994

Posted: Fri, 2005-01-07 00:37

1.4.3-pl1 has some known security flaws (you should upgrade to 1.4.4-pl4), but G2 has no known flaws. However, G2 has had far less exposure than G1 so it's entirely possible that there are some flaws in there that we know nothing about. We've designed G2 to be far less susceptible to these kinds of flaws .. but it's still in the relatively early stages of its life and we may have overlooked something.

Any information you can get us on what happened, especially access logs, will be helpful. System logs might reflect something, but they're less likely to have the kind of information we need (we really want to know what URL the user used to breach security). Is there any chance that your access logs are caught in some backup system?

SodaJim

Joined: 2004-05-20
Posts: 27

Posted: Fri, 2005-01-07 00:54

Hello again,

Running most recent version of Apache and PHP.
After reading your post, I see it could be a security issue with my Gallery v1.4.3-pl1... If this is the case, it could happen again...

Before I re-install G2 alpha-4, I'll wait for a week to see if this breakin occurs again... If so, then there's a good chance it's a problem w/ G v1.4.3-pl1; if not, I'll re-install G2 and wait to see if the breakin occurs again...

Thanks again,
Jim

SodaJim

Joined: 2004-05-20
Posts: 27

Posted: Fri, 2005-01-07 01:03

bharat,

I'll upgrade my current Gallery to 1.4.4-pl4 and disable Urchin, my stats analyzer, from rotating my logs daily in the hopes of capturing data should this occur again, I'll have something to refer to for debugging.

All in all, I found it very coincidental that within 24 hours of installing G2, the security breach was executed...

Thanks for the assistance!

I'll keep you posted...
But hopefully you won't have to hear from me...

SodaJim Joined: 2004-05-20 Posts: 27	Posted: Thu, 2005-01-06 18:26
	Hello, I've been running Gallery v1.4.3-pl1 for several months now without a glitch! I recently installed the G2 alpha 4 and was very impressed with the installer, that deserves an applause! I only had on error for the thumbnail manager... I was able upload images and the thumbnails where created so I'm not sure about this particular error... My concern is that within 24 hours of completing this installation, my vps server was hacked into and was partially setup for file sharing... I have NEVER had this occur in the past and found it alarming since this installation was the only thing that has been modified on the server recently! Or this could be VERY coinsidental in the timing of this event... My first thought is this application since various file types can be uploaded and possibly executed. I'm just attempting to correspond with any of the developers to ensure there hasn't been any reports of this type... Any response is appreciated, Jim
	XUser login Username: * Password: * Create new account Request new password
jmullan Joined: 2002-07-28 Posts: 974	Posted: Thu, 2005-01-06 18:52
	We would be glad to assist in forensic analysis of this event. Would you mind sharing logs with one or more members of the dev team?

SodaJim Joined: 2004-05-20 Posts: 27	Posted: Thu, 2005-01-06 23:48
	I would be glad to assist in any way I can; however, I'm not the most knowledgeable person when it comes to server stuff... I'm mostly a web site guy that was forced to learn a little server stuff out of necessity... I immediately removed the complete dir that G2 was installed but have left the database intact. The files and dir where the hacker placed their files have been removed but I can tell that I'm using FreeBSD and the dir was created with illegal characters so it wouldn't show up easily. To move forward, let me know off list how you would like to pursue an investigation to see if in fact G2 or some php module was utilized to allow this to occur... Let me know specifically which log files will assist in this process.

SodaJim Joined: 2004-05-20 Posts: 27	Posted: Fri, 2005-01-07 00:18
	I have sad news on this... I have a log analyser, Urchin, run reports every night and then delete the logs so it refreshes every night. This ocurred during the night of Jan. 4/5 so the log files have been replaced with todays file... Any other suggestions... Possibly a another server log...?

fryfrog Joined: 2002-10-30 Posts: 3236	Posted: Fri, 2005-01-07 00:25
	There are so many things that could have been exploited, w/o anything to go on it really could have been anything. I would check and see if the version of Apache and PHP you use are recent, I know that 4.3.10 fixed a pretty serious security hole. Also, Gallery versions below 1.4.4-pl4 had a (or some?) security holes and would warrent upgrading that.

bharat Joined: 2002-05-21 Posts: 7994	Posted: Fri, 2005-01-07 00:37
	1.4.3-pl1 has some known security flaws (you should upgrade to 1.4.4-pl4), but G2 has no known flaws. However, G2 has had far less exposure than G1 so it's entirely possible that there are some flaws in there that we know nothing about. We've designed G2 to be far less susceptible to these kinds of flaws .. but it's still in the relatively early stages of its life and we may have overlooked something. Any information you can get us on what happened, especially access logs, will be helpful. System logs might reflect something, but they're less likely to have the kind of information we need (we really want to know what URL the user used to breach security). Is there any chance that your access logs are caught in some backup system?

SodaJim Joined: 2004-05-20 Posts: 27	Posted: Fri, 2005-01-07 00:54
	Hello again, Running most recent version of Apache and PHP. After reading your post, I see it could be a security issue with my Gallery v1.4.3-pl1... If this is the case, it could happen again... Before I re-install G2 alpha-4, I'll wait for a week to see if this breakin occurs again... If so, then there's a good chance it's a problem w/ G v1.4.3-pl1; if not, I'll re-install G2 and wait to see if the breakin occurs again... Thanks again, Jim

SodaJim Joined: 2004-05-20 Posts: 27	Posted: Fri, 2005-01-07 01:03
	bharat, I'll upgrade my current Gallery to 1.4.4-pl4 and disable Urchin, my stats analyzer, from rotating my logs daily in the hopes of capturing data should this occur again, I'll have something to refer to for debugging. All in all, I found it very coincidental that within 24 hours of installing G2, the security breach was executed... Thanks for the assistance! I'll keep you posted... But hopefully you won't have to hear from me...

Any Reports of G2 being hacked for File Sharing Purposes...?

XUser login