Gallery hacked on and on :(

g00rek

Joined: 2008-10-22
Posts: 8
Posted: Sat, 2009-09-26 17:16

I have Gallery 2 (latest version) installed on http://fotold.mikemary.pl.
I also use WPG2 on http://mikemary.pl

My site has been getting hacked for weeks now and I do not know how to prevent it. Somebody somehow is able to:

- add details for my galleries (spam or meaningless words like "CcztSfLMFbNZItdCV").
- add new galleries with spam info.

I tried to protect my gallery but I do not know what else can I do. Please help me!

I do not know if this is done from the gallery level or maybe these are direct mysql injections...

help please!

 
floridave

Joined: 2003-12-22
Posts: 22888
Posted: Sat, 2009-09-26 18:42
Quote:
I do not know if this is done from the gallery level or maybe these are direct mysql injections...

All the hacking that I have seen has been through file manipulation and gaining access through the hosts control panel:
http://gallery2.ca/?p=57

Got an example of what it looks like, or have you deleted it all?

Also, is your WP up to date? WordPress is a common access point for hackers. http://wordpress.org/development/2009/09/keep-wordpress-secure/

Anything in your web server's access logs that can help? Have you contacted your host? What did they say?

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
bharat

Joined: 2002-05-21
Posts: 7934
Posted: Sun, 2009-09-27 00:09

Executive summary: you have another vulnerable app on your server, but it's not Gallery.

Details:
We've seen this issue come up before and it has always been because of a different exploit on your server. Gallery requires a webserver writable directory hierarchy to store its data which means that:

a) any web based application on your system has access to write to any files in the g2data hierarchy

b) any other local PHP files that can be exploited (on any of the virtual hosts on the same machine) can be used to exploit any writable directory structures.

A common way that this works is that a single script (not limited to PHP -- anything that can be executed on the server side including mod_perl, mod_python, CGI scripts) is exploited, and then the exploit script walks your entire filesystem and edits any files that it can find, looking for certain patterns.

Since Gallery 2.1, we've had paid security audits on the product and have no known exploits of this kind so I'd take a good look at anything else hosted on the same machine (and don't limit your scan to your virtual host) to find the real culprit. Otherwise you can expect to see this culprit pop up again. You might try searching for ".php" in your access logs to see if you can figure out the original vector of the attack. If you look at the date stamps on the hacked files in your g2data directory, you can figure out the creation time and then correlate that with entries in your Apache access log to figure out what scripts were running at that time. Remember that you have to find the *earliest* files to figure out the original vector of attack because typically in this case they cover their tracks.

---
Problems? Check gallery3/var/logs
bugs/feature req's | upgrade to the latest code | use git

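The correlation bharat describes (take the earliest-modified file under g2data, then look at what the web server was serving right before that write, paying attention to .php scripts outside the gallery itself) can be scripted. The following is an added example, not code from bharat's post or from the Gallery project. It assumes Apache combined-format log lines and uses constructed file timestamps and log entries; on a real host the mtimes would come from os.stat() and the lines from the access log file. The gallery entry point "/main.php" is treated as known-good, which is an assumption for this sample.

```python
"""Correlate the earliest tampered g2data file with the Apache access log.

Added example (not Gallery project code). Every timestamp and log line below
is a constructed sample.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed: modification times (UTC) of files found with injected content.
TAMPERED_FILES = {
    "g2data/albums/holiday/2009/index.php": "2009-09-24 11:02:19",
    "g2data/cache/module/foo.inc": "2009-09-20 03:14:07",
    "g2data/albums/index.php": "2009-09-20 03:14:12",
}

# Constructed Apache combined-format access log for the same server.
ACCESS_LOG = """\
203.0.113.7 - - [20/Sep/2009:03:05:51 +0000] "GET /main.php?g2_view=core.ShowItem HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Sep/2009:03:13:58 +0000] "POST /blog/wp-content/uploads/x.php HTTP/1.1" 200 341 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Sep/2009:03:14:05 +0000] "GET /blog/wp-content/uploads/x.php HTTP/1.1" 200 87 "-" "Mozilla/4.0"
192.0.2.44 - - [20/Sep/2009:03:20:30 +0000] "GET /images/logo.png HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2009:11:01:40 +0000] "GET /main.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumption: Gallery 2's own front controller is the only .php that should be hit.
KNOWN_ENTRYPOINTS = ("/main.php",)


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"ip": m["ip"], "ts": ts, "method": m["method"],
                        "path": m["path"], "status": int(m["status"])})
    return entries


def earliest_tampered(files):
    """Oldest tampered file: later files are usually the attacker covering tracks."""
    path, ts = min(files.items(), key=lambda kv: kv[1])
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return path, when


def requests_around(entries, when, before=timedelta(minutes=15), after=timedelta(minutes=1)):
    """Requests shortly before (and just after) the file write, oldest first."""
    return sorted((e for e in entries if when - before <= e["ts"] <= when + after),
                  key=lambda e: e["ts"])


def suspicious(entries):
    """Requests for .php scripts that are not the gallery's own entry point."""
    out = []
    for e in entries:
        script = e["path"].split("?", 1)[0]
        if script.endswith(".php") and script not in KNOWN_ENTRYPOINTS:
            out.append(e)
    return out


def triage(files, log_text):
    """Tie the earliest write to the requests that could have caused it."""
    path, when = earliest_tampered(files)
    nearby = requests_around(parse_log(log_text), when)
    return {"first_file": path, "written_at": when,
            "nearby": nearby, "suspects": suspicious(nearby)}


if __name__ == "__main__":
    r = triage(TAMPERED_FILES, ACCESS_LOG)
    print(f"Earliest tampered file: {r['first_file']} at {r['written_at']:%Y-%m-%d %H:%M:%S}")
    for e in r["suspects"]:
        print(f"  suspect: {e['ts']:%H:%M:%S} {e['ip']} {e['method']} {e['path']}")
```

The window is deliberately asymmetric: a script that rewrites files is usually invoked seconds to minutes before the mtime, so most of the window sits before the write. Widen it if the log clock and the filesystem clock are not in sync, and remember that the earliest file only points at the vector if the attacker has not also reset mtimes.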
 
g00rek

Joined: 2008-10-22
Posts: 8
Posted: Sun, 2009-10-04 21:02

Ok, got it finally. Yes, you can add sub-galleries. That's what the link does:

{EDIT} LINK REMOVED BY MODERATOR {/EDIT}

It might be a noob question, but I cannot find where I should turn it off; I mean, so nobody (except for admins) could add a gallery?

thanx

 
floridave

Joined: 2003-12-22
Posts: 22888
Posted: Sun, 2009-10-04 21:55

The album you linked to has permissions for EVERYBODY. Remove those permissions and it should be sorted out.
I removed the link because EVERYBODY could delete that album and all the other albums inside it.

http://codex.gallery2.org/Gallery2:Quick_Start_Guide#Configure_Permissions

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team