[SOLVED?] Very strange find within /modules/sitemap/locale/it/*
Homy
Joined: 2005-09-14
Posts: 28 |
Posted: Sat, 2014-03-29 10:17 |
I am in the process up updating a Gallery 2.3 version to 2.3.2 Quote:
Gallery URL = http://homeworldshots.net/main.php While doing the backup prior to upgrade I got a message about long file path. Investigating this I see to my astonishment that other sites on the same server have file directories inside /modules/sitemap/locale/it/* They are in fact pretty much duplicated in that directory. 471 MB (494 400 090 bytes). Now, I am not putting any blame here or on to Gallery, I am only trying to find out how this happened and if the SiteMap Module could somehow gather files and put them there or anything remotely like that. To my knowledge I have not done any manual copy of other sites in to that directory, there is no reason for it, it makes no sense etc etc... I do not even use the SiteMap module, even if it is installed. Any ideas? |
|
Posts: 8339
Nope, gallery does not store any working files in the gallery directory, only in g2data itself.
Looks like you've been hacked.
-s
________________________________
All New jQuery Minislideshow for G2/G3
Posts: 28
Well, the gallery site works fine, I have deleted that. If it were a hack it was probably an attempt, unsuccessful.
Thanks
Posts: 1642
On the contrary, the fact that some random person has been able to upload 145mb of stuff (that you know about) to your server shows a very sucessful hack as you will find out to your cost sooner or later.
--
dakanji.com
Posts: 28
Well everything has been checked and rechecked and all access creds changed.
Posts: 1642
You sure you really checked everything?
You went line by line through the archived server logs for every domain in your account, found the command script the hacker used to upload the stuff and then worked your way back through these logs and identified the vulnerability that was initially exploited, closed this and then searched for, located and deleted the trojan(s) he put on the server to give him access regardless of what your access creds are?
If so, then fine, all is well.
--
dakanji.com
Posts: 28
Listen, I fear you may have misread something.
It was copies of some of my own sites on the same ftp root. No other files nor anything else to suggest a hack. In theory I could achieve the exact same result by just uploading copies of those site to that exact place, which I of course have not. I checked the files for size and date and found nothing overly suspicious, I also checked access logs, as you suggest. All sites were working fine, the server is not mine, it belongs to a web host, they have not reported anything fishy. I have removed all superfluous files I can find (comparing with default file lists). If this was a hack, it seemed to have achieved nothing, for now.
Not saying you are wrong with your approach, but considering I upload 20MB of advanced php scripting that I barely understand each time I upload an Gallery installation...well.
Having said that, I do experience Socket errors on FTP transfer, causing the connection to be reset, so I need to investigate that. There seems to be a possibility that when these things occur the file transfer behaves unexpectedly and could actually cause issues with file locations.
BTW I like your site, Dayo. ;)
Posts: 1642
Fair enough.
--
dakanji.com