main.php "Exploit Link to Known Exploit Site"

mark0

Joined: 2009-05-15
Posts: 3
Posted: Fri, 2009-05-15 02:54

I get a popup notifying me that main.php contains a link "to a known exploit site."

Either my gallery site has been compromised or my AVG antivirus software is overreacting.

I have:
- deleted gallery2 folder and replaced with the latest 2.3 code
- moved my data files so they cannot be accessed via the web.
- emailed my hosting provider... I haven't heard back.

I think your app is excellent and have used it for many years. If this really is some hacker I would love to hear how to kick these guys off my server.

Thanks much for your help!

mark0

Joined: 2009-05-15
Posts: 3
Posted: Fri, 2009-05-15 14:22

Other info: my site is at www.markkoss.com/gallery2

System integrity checks out.

PHP info link is here:
www.markkoss.com/gallery2/phpinfo.php

Let me know if you need any other info.

mark0

Joined: 2009-05-15
Posts: 3
Posted: Sun, 2009-05-17 20:36

SOLVED!!!

This was an exploit. You can read about it, and how to clean it here. http://www.phpbb.com/community/viewtopic.php?f=46&t=1322765

Along the way I found that other files had also been compromised on my server.

If you find yourself in a similar position, where you are unsure which files on your system have been compromised, here is a way to go about cleaning things up.

1. Backup everything.
2. Delete your gallery2 folder. This can be regenerated.
3. In your g2 data directory delete every file EXCEPT your albums directory and versions.dat file.
4. In each album file there should only be images. PHP files or .htaccess files are exploit files and should be deleted.
5. Reinstall using preinstall.php and point to your existing database and data directory.
6. If your issue still isn't fixed then you can run main.php and look for code that doesn't look right.
7. You can do a full text search for rogue code using the method described here: http://www.phpbb.com/community/viewtopic.php?f=46&t=1322765
8. I also had to empty my comment tables as robots had filled them with 80MB of junk.
9. After making modifications to your database you may have to go into your admin panel under maintenance and empty the database cache to see your changes.

Hopefully this helps unfortunate people like me who find their photo galleries defaced and compromised.

Of course, you could always read up on gallery security precautions:
http://codex.gallery2.org/Gallery2:Security
and not find yourself in my situation in the first place! ;-)
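Steps 4 and 7 of the procedure above can be scripted. The following is an added example, not code from the original post or from the Gallery project: it builds a throw-away, constructed copy of a Gallery2-style data directory (the file names and contents are made up for the demo), lists everything under albums/ that is not an image, and runs a full-text search for constructs that injected PHP commonly uses. The search patterns are generic indicators chosen for this example, not the signature of the particular exploit the post links to, so every hit still needs a look by hand.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Gallery project.
# Builds a throw-away Gallery2-style data directory from constructed files and
# applies steps 4 and 7 of the cleanup procedure:
#   step 4: list everything inside albums/ that is not an image
#   step 7: full-text search for constructs that injected PHP commonly uses
# File names, file contents and search patterns are assumptions for the demo.

# Build the constructed sample tree; prints its path.
make_sample_g2data() {
    dir=$(mktemp -d)
    mkdir -p "$dir/albums/holiday" "$dir/cache" "$dir/tmp"
    # Legitimate-looking album content (placeholder bytes, not real images).
    printf 'placeholder image bytes\n' > "$dir/albums/holiday/beach.jpg"
    printf 'placeholder image bytes\n' > "$dir/albums/holiday/sunset.JPG"
    # Constructed "dropped" files of the kind step 4 says do not belong there.
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$dir/albums/holiday/img.php"
    printf 'AddType application/x-httpd-php .jpg\n' > "$dir/albums/holiday/.htaccess"
    # Files outside albums/ that the procedure deletes and regenerates anyway.
    printf '<?php // harmless cache entry\n' > "$dir/cache/entry.inc"
    printf '2.3\n' > "$dir/versions.dat"
    printf '%s\n' "$dir"
}

# Step 4: anything under albums/ that is not an image is suspect.
# Matching is case-insensitive so sunset.JPG is treated as an image.
find_suspect_album_files() {
    find "$1/albums" -type f \
        ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' ! -iname '*.gif' \
        | LC_ALL=C sort
}

# Step 7: full-text search over the whole tree for patterns often seen in
# injected PHP (eval of a decoded blob, preg_replace with the /e modifier).
# Generic indicators only; review every hit manually.
grep_rogue_code() {
    grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)|preg_replace[[:space:]]*\(.*/e' "$1" 2>/dev/null \
        | LC_ALL=C sort
}

# Run both checks against the sample tree when invoked as: sh cleanup_check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_g2data)
    echo "Non-image files inside albums/:"
    find_suspect_album_files "$d"
    echo "Files containing suspicious PHP constructs:"
    grep_rogue_code "$d"
    rm -rf "$d"
fi
```

Against a real installation, point `find_suspect_album_files` and `grep_rogue_code` at the actual g2data path instead of the constructed tree; the `find` expression only whitelists a few image extensions, so extend the list if your albums hold other formats rather than loosening the search.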