Best way to handle trojan infected Gallery 2 install- possible to save photos/comments?

redeye_lady

Joined: 2009-05-02
Posts: 5
Posted: Sat, 2009-05-02 15:25

My Gallery 2.3 install is infected with "JS:Redirector-H" Trojan...
does anyone know the best way to handle this? From what I can see the code is very compromised at this point and a new install is probably in order... what is the best way to go about this without losing the current photos/data?

Any ideas?

Gallery version: 2.3
PHP version: 4.x
Database MySql 5.0
Activated toolkits:
Operating system: Linux
Browser IE 7.0

 
suprsidr

Joined: 2005-04-17
Posts: 6136
Posted: Sat, 2009-05-02 16:21

You can always overwrite your gallery files with a fresh copy of the same version.

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2

 
redeye_lady

Joined: 2009-05-02
Posts: 5
Posted: Sat, 2009-05-02 17:48

What will that do to the existing users and comments? I'm just not sure how to protect what is already there? Thank you for your help.

 
suprsidr

Joined: 2005-04-17
Posts: 6136
Posted: Sat, 2009-05-02 18:02

All that stuff is in the database and would not be affected by overwriting the files.
I'm talking about /gallery2/, not your g2data storage directory.

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2

 
redeye_lady

Joined: 2009-05-02
Posts: 5
Posted: Sat, 2009-05-02 18:28

My current install was preinstalled by the server and they placed the g2data storage inside the gallery directory. At the time I didn't know anything about the security risks of such a setup and honestly didn't pay any attention to *how* they set it up; they installed it and I began to use it. That said, it appears that there are even infected files within the g2data folder.

 
suprsidr

Joined: 2005-04-17
Posts: 6136
Posted: Sat, 2009-05-02 18:42

So instead of trying it you are coming up with excuses not to?

  • move your g2data out of public access
  • adjust the path to g2data in gallery2/config.php to where you moved it in the previous step
  • overwrite all files in /gallery2/; it won't overwrite your config.
  • probably smart to re-run the upgrader to see if there are any other modified files: your_gallery_site.com/upgrade/

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2

 
redeye_lady

Joined: 2009-05-02
Posts: 5
Posted: Sat, 2009-05-02 19:37

I'm not making excuses not to do it, I'm being cautious for the sake of my site and the people who use my gallery install. I don't want the fact that the data folder could be infected too to create issues in a clean install or create continued issues within the site itself.

If the config.php does not get overwritten and is infected, then what? Can I install a new config.php file and reinsert my database info or is there more info stored there than I can replace?

Thank you for your suggestions.

 
suprsidr

Joined: 2005-04-17
Posts: 6136
Posted: Sat, 2009-05-02 20:27

Look through the config for any non-gallery code.
It would be very obvious.

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2
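The two checks suggested in the replies above (compare the install against a fresh copy of the same version, and look through config.php for code that isn't Gallery's) can be scripted once you have pulled a copy of the install down over FTP. The script below is an added example, not code from the thread or from the Gallery project; the /tmp/g2-fresh and /tmp/g2-installed paths and the injected-code markers it greps for are assumptions, and the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the Gallery project): find files in a
# Gallery 2 install that differ from a fresh download of the same version, list
# PHP files sitting in the g2data storage directory, and check config.php for
# markers of injected code. Directory names below are placeholders.

# Print files that differ from the fresh copy ("modified:") or exist only in
# the install ("added:"). config.php is skipped because it holds local settings
# and always differs; g2data is skipped because the fresh copy never contains it.
# Usage: find_modified FRESH_DIR INSTALL_DIR
find_modified() {
    fresh="$1"; install="$2"
    ( cd "$install" && find . -type f | sort ) | while read -r f; do
        rel="${f#./}"
        case "$rel" in config.php|g2data/*) continue ;; esac
        if [ ! -f "$fresh/$rel" ]; then
            echo "added:    $rel"
        elif ! cmp -s "$fresh/$rel" "$install/$rel"; then
            echo "modified: $rel"
        fi
    done
}

# Print PHP files under the data directory. Uploaded photos never need PHP, so
# anything here is suspect, except Gallery's own compiled Smarty templates
# under g2data/smarty, which can simply be deleted and regenerated.
# Usage: scan_data_dir G2DATA_DIR
scan_data_dir() {
    find "$1" -type f -name '*.php' | grep -v '/smarty/' || true
}

# Return 0 if config.php looks clean, 1 if it contains markers typical of
# injected code. A genuine Gallery 2 config.php holds only comments and
# $gallery->setConfig(...) calls, so none of these strings belong in it.
# Usage: check_config CONFIG_FILE
check_config() {
    grep -E -q -i 'eval *\(|base64_decode|gzinflate|<script|<iframe|document\.write' "$1" && return 1
    return 0
}

# Build a small constructed tree so the functions can be exercised offline.
# Prints the base directory; "fresh" and "install" live below it.
demo_setup() {
    base=$(mktemp -d)
    mkdir -p "$base/fresh/modules" "$base/install/modules" \
             "$base/install/g2data/albums" "$base/install/g2data/smarty/templates_c"
    printf '<?php echo "index";\n' > "$base/fresh/index.php"
    printf '<?php echo "core";\n'  > "$base/fresh/modules/core.php"
    cp "$base/fresh/index.php" "$base/install/index.php"
    # constructed: a module file with a tag appended after Gallery's own code
    printf '<?php echo "core";\n<script>/* constructed */</script>\n' > "$base/install/modules/core.php"
    # constructed: a PHP file dropped among the photos, and a legitimate compiled template
    printf '<?php /* constructed */\n' > "$base/install/g2data/albums/x.php"
    printf '<?php /* compiled template */\n' > "$base/install/g2data/smarty/templates_c/t.php"
    # constructed: a clean config.php in the shape Gallery writes
    printf '<?php $gallery->setConfig("data.gallery.base", "/home/user/g2data/");\n' > "$base/install/config.php"
    echo "$base"
}

# Stand-alone run over the constructed tree; on a real install, replace the two
# directories with the fresh unzip and the copy downloaded from the server.
base=$(demo_setup)
echo "== files differing from the fresh copy =="
find_modified "$base/fresh" "$base/install"
echo "== PHP files inside g2data =="
scan_data_dir "$base/install/g2data"
if check_config "$base/install/config.php"; then
    echo "config.php: no injected-code markers found"
else
    echo "config.php: contains suspicious code, inspect it by hand"
fi
rm -rf "$base"
```

Anything reported as modified or added should be read before the overwrite step, since a fresh copy only replaces files that exist in the distribution; a file the attacker added under a new name survives a plain overwrite and has to be deleted by hand.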

 
redeye_lady

Joined: 2009-05-02
Posts: 5
Posted: Sat, 2009-05-02 23:28

Now for the ultimate "dumb" question... what is the best way to overwrite the files? What I mean by that is am I running through the install process again and letting it install directly over the current install?

Thanks again for your help.

 
suprsidr

Joined: 2005-04-17
Posts: 6136
Posted: Sat, 2009-05-02 23:59

Download a fresh copy, unzip it, and FTP the new files directly over the old ones.

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2