[SOLVED?] Very strange find within /modules/sitemap/locale/it/*

Homy

Joined: 2005-09-14
Posts: 28
Posted: Sat, 2014-03-29 10:17

I am in the process of updating a Gallery 2.3 installation to 2.3.2.

Quote:
Gallery URL = http://homeworldshots.net/main.php
Gallery version = 2.3 core 1.3.0
API = Core 7.54, Module 3.9, Theme 2.6, Embed 1.5
PHP version = 5.2.42-servage30 apache2handler
Webserver = Apache
Database = mysqli 5.0.85-log, lock.system=flock
Toolkits = Getid3, LinkItemToolkit, Thumbnail, SquareThumb, Exif, ArchiveUpload, ImageMagick, NetPBM, Gd
Acceleration = partial/900, full/1800
Operating system = Linux node4 2.100.4-1-amd64-grsec #1 SMP Tue Dec 28 21:57:50 CET 2010 x86_64
Default theme = carbon
gettext = enabled
Locale = en_GB

While doing the backup prior to upgrade I got a message about long file path. Investigating this I see to my astonishment that other sites on the same server have file directories inside /modules/sitemap/locale/it/*

They are in fact pretty much duplicated in that directory. 471 MB (494 400 090 bytes).

Now, I am not putting any blame here or onto Gallery, I am only trying to find out how this happened and whether the SiteMap module could somehow gather files and put them there, or anything remotely like that. To my knowledge I have not done any manual copy of other sites into that directory; there is no reason for it, it makes no sense, etc. I do not even use the SiteMap module, even though it is installed.

Any ideas?

 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Sat, 2014-03-29 11:24

Nope, gallery does not store any working files in the gallery directory, only in g2data itself.
Looks like you've been hacked.

-s
________________________________
All New jQuery Minislideshow for G2/G3

 
Homy

Joined: 2005-09-14
Posts: 28
Posted: Sat, 2014-03-29 12:13

Well, the gallery site works fine, I have deleted that. If it were a hack it was probably an attempt, unsuccessful.

Thanks

 
Dayo

Joined: 2005-11-04
Posts: 1642
Posted: Sun, 2014-03-30 03:56

On the contrary, the fact that some random person has been able to upload 145 MB of stuff (that you know about) to your server shows a very successful hack, as you will find out to your cost sooner or later.

--
dakanji.com

 
Homy

Joined: 2005-09-14
Posts: 28
Posted: Sun, 2014-03-30 09:58

Well everything has been checked and rechecked and all access creds changed.

 
Dayo

Joined: 2005-11-04
Posts: 1642
Posted: Mon, 2014-03-31 04:34

You sure you really checked everything?

You went line by line through the archived server logs for every domain in your account, found the command script the hacker used to upload the stuff, then worked your way back through those logs and identified the vulnerability that was initially exploited, closed it, and then searched for, located and deleted the trojan(s) he put on the server to give him access regardless of what your access creds are?

If so, then fine, all is well.
--
dakanji.com
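The log-review step Dayo describes (find the script that did the uploading, then work backwards through the same client's earlier requests) is mechanical enough to script. The following is an added example, not code from the thread or from Gallery: it parses Apache combined-format access log lines, flags any request for a .php file under modules/*/locale/ (a location that should only hold translation data), and lists what that client did before its first hit on the script. The log lines, IPs and paths are constructed for the example; the pre-hit requests it surfaces are candidates for a human to examine, not a claimed vulnerability.

```python
"""Added example (not from the thread): triage an Apache access log for a
PHP script sitting in a Gallery locale directory and the requests that led
up to it. All log lines below are constructed; IPs and paths are invented."""
import re
from collections import defaultdict

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: modules/*/locale/ holds translation data only, so any .php
# request under it is worth a look regardless of the file name.
LOCALE_PHP_RE = re.compile(r'^/modules/[^/]+/locale/[^?]*\.php(\?|$)')

# Constructed sample log: one client probes the site, then talks to a
# script that should not exist; a second client is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2014:02:10:11 +0100] "GET /main.php?g2_view=core.ShowItem&g2_itemId=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2014:02:10:19 +0100] "POST /main.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2014:02:11:02 +0100] "POST /modules/sitemap/locale/it/x.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2014:02:11:40 +0100] "POST /modules/sitemap/locale/it/x.php?cmd=upload HTTP/1.1" 200 18 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Mar/2014:08:00:00 +0100] "GET /main.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_locale_php_hits(entries):
    """Requests, with any method, for PHP files under modules/*/locale/."""
    return [e for e in entries if LOCALE_PHP_RE.match(e["path"])]


def requests_by_ip(entries, ip):
    """Everything one client did, in log order: the 'work backwards' step."""
    return [e for e in entries if e["ip"] == ip]


def triage(log_text):
    """Map suspect IPs to the scripts they hit and to their earlier requests."""
    entries = list(parse(log_text))
    suspects = defaultdict(list)
    for hit in find_locale_php_hits(entries):
        suspects[hit["ip"]].append(hit["path"])

    # Requests made *before* the first hit on the suspicious script are the
    # candidates for the initial entry point; a human still has to judge them.
    lead_up = {}
    for ip in suspects:
        history = requests_by_ip(entries, ip)
        first = next(i for i, e in enumerate(history) if LOCALE_PHP_RE.match(e["path"]))
        lead_up[ip] = [(e["method"], e["path"], e["status"]) for e in history[:first]]
    return {"suspects": dict(suspects), "lead_up": lead_up}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; on a shared host the same pass has to be repeated for every domain's log, since the uploading script may have been reached through a neighbouring site.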

 
Homy

Joined: 2005-09-14
Posts: 28
Posted: Mon, 2014-03-31 06:33

Listen, I fear you may have misread something.
It was copies of some of my own sites on the same FTP root. No other files nor anything else to suggest a hack. In theory I could achieve the exact same result by just uploading copies of those sites to that exact place, which of course I have not. I checked the files for size and date and found nothing overly suspicious; I also checked access logs, as you suggest. All sites were working fine. The server is not mine, it belongs to a web host, and they have not reported anything fishy. I have removed all superfluous files I can find (comparing with default file lists). If this was a hack, it seems to have achieved nothing, for now.

Not saying you are wrong with your approach, but considering I upload 20 MB of advanced PHP scripting that I barely understand each time I upload a Gallery installation... well.

Having said that, I do experience Socket errors on FTP transfer, causing the connection to be reset, so I need to investigate that. There seems to be a possibility that when these things occur the file transfer behaves unexpectedly and could actually cause issues with file locations.

BTW I like your site, Dayo. ;)
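The "comparing with default file lists" check Homy mentions is the other half of the clean-up: diff the deployed tree against a pristine extract of the same release and treat every extra file as something to explain. Below is an added example, not code from the thread or from Gallery, that does this with two directory walks and additionally flags anything under modules/*/locale/ that is not .po/.mo translation data (an assumption about what belongs there). The directory layout and file names are constructed in a temporary directory for the example.

```python
"""Added example (not from the thread): report files present in a deployed
Gallery tree but absent from a pristine extract of the same release, plus
anything in a locale directory that is not translation data. The trees
built in demo() are constructed for the example; the file names are invented."""
import tempfile
from pathlib import Path

# Assumption: locale directories should contain translation data only.
LOCALE_OK_SUFFIXES = {".po", ".mo"}


def relative_files(root):
    """Set of file paths under root, relative and with '/' separators."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def extra_files(pristine_root, deployed_root):
    """Files the deployment has that the pristine release does not."""
    return sorted(relative_files(deployed_root) - relative_files(pristine_root))


def suspicious_locale_files(deployed_root):
    """Anything under modules/*/locale/ whose suffix is not .po or .mo."""
    out = []
    for rel in relative_files(deployed_root):
        parts = rel.split("/")
        in_locale = len(parts) >= 4 and parts[0] == "modules" and parts[2] == "locale"
        if in_locale and Path(rel).suffix not in LOCALE_OK_SUFFIXES:
            out.append(rel)
    return sorted(out)


def _make_tree(root, files):
    """Write {relative_path: content} under root, creating directories."""
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo():
    """Build a constructed pristine tree and a deployed tree, then diff them."""
    pristine = {
        "main.php": "<?php // gallery entry point\n",
        "modules/sitemap/module.inc": "<?php // sitemap module\n",
        "modules/sitemap/locale/it/LC_MESSAGES/modules_sitemap.mo": "binary",
    }
    deployed = dict(pristine)
    # A copied site, an unexpected script, and an operator's own leftover:
    # all three are "extra", but only the first two sit in a locale directory.
    deployed["modules/sitemap/locale/it/othersite/index.php"] = "<?php echo 'copied site';\n"
    deployed["modules/sitemap/locale/it/x.php"] = "<?php // unexpected script\n"
    deployed["g2data_backup.tar.gz"] = "not really a tarball"
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _make_tree(a, pristine)
        _make_tree(b, deployed)
        return {
            "extra": extra_files(a, b),
            "locale_suspects": suspicious_locale_files(b),
        }


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key)
        for p in paths:
            print("  ", p)
```

For a real check, point extra_files() at a fresh unpack of the release you installed and at the live web root; the output is a list to work through by hand, since an operator's own leftovers (backups, custom themes) will appear alongside anything that was planted.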

 
Dayo

Joined: 2005-11-04
Posts: 1642
Posted: Mon, 2014-03-31 08:02

Fair enough.
--
dakanji.com