Posted: Mon, 2011-03-07 20:17
[Edit: to summarize, I found nothing to suggest that my Gallery3 installation was the cause of this hack--M.W. 03/08/2011]
My website was hacked two days ago, and I am wondering if my Gallery3 installation was connected with this: pages advertising drugs were put in a folder deep in the site, and almost all my page folders had bogus .htaccess files added that redirected users coming in from search engines to the bogus pages instead of the intended pages which showed up, e.g., in Google.
From my site logs, I see that two machines/addresses on baltnet.ru accessed my site 500 times just before this happened; this is larger than any user other than a search bot such as Yahoo or Google. My reason for thinking that Gallery3 may have been connected is that the Russian machines/addresses apparently made 300 requests for a page address in the folder superfish, with this URL: /gallery3/lib/superfish/images/404.php
From the detailed site logs, here is a typical line from the log:
Can anyone tell me what the superfish folder in my Gallery3 installation is for? Is there any way someone using that address could get access to the rest of my site?
For the time being I have changed my passwords, deleted all the bogus .htaccess files and deleted my Gallery3 installation.
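An added example, not part of the original post: a cleanup check that walks a document root and reports every .htaccess whose redirect only fires for visitors arriving from a search engine, the behaviour described above. The post does not show the bogus files, so the `RewriteCond %{HTTP_REFERER}` rule shape, the engine list, the sample contents and all function names here are assumptions.

```python
import os
import re
import sys

# Assumed list of search-engine names to look for in referer conditions.
ENGINES = re.compile(r"google|yahoo|bing|aol|yandex", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def suspicious_rules(text):
    """Return the targets of redirects that fire only for search-engine referers."""
    hits, gated = [], False
    for line in text.splitlines():
        cond = REFERER_COND.match(line)
        if cond:
            gated = gated or bool(ENGINES.search(cond.group(1)))
            continue
        rule = REWRITE_RULE.match(line)
        if rule:
            target, flags = rule.group(1), (rule.group(2) or "").upper().split(",")
            external = any(f.strip() == "R" or f.strip().startswith("R=") for f in flags)
            if gated and (external or target.lower().startswith("http")):
                hits.append(target)
            gated = False  # RewriteCond lines apply only to the next RewriteRule
    return hits

def scan(root):
    """Map each .htaccess under root to its suspicious redirect targets."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_rules(fh.read())
            if hits:
                found[path] = hits
    return found

# Constructed sample contents, not taken from the poster's site.
BOGUS = ("RewriteCond %{HTTP_REFERER} .*google.* [OR]\n"
         "RewriteCond %{HTTP_REFERER} .*yahoo.*\n"
         "RewriteRule ^(.*)$ http://example.invalid/deep/page.html [R=301,L]\n")
CLEAN = "RewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n"

if __name__ == "__main__":
    print("sample:", suspicious_rules(BOGUS), suspicious_rules(CLEAN))
    for root in sys.argv[1:]:  # pass the site's document root(s) to scan
        print(scan(root))
```

Files it flags still need to be read by hand before deletion, since a site can carry its own referer-based rules.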