Welcome to Geeklog Wednesday, August 12 2020 @ 06:24 am EDT

Geeklog Forums

system hacked via OLD media gallery attack (MG 1.5.0) left over from old version


Status: offline

richardpitt

Forum User
Newbie
Registered: 07/01/04
Posts: 11
Location:49'13'10.32N 122'41'07.83W
Addendum to following:

On further looking at my system, I'm of the opinion that the "zlq.php" file used in this attack may have been left over from May some time when it was put on the system via the older version of Media Gallery. In any case, this attack should serve as an example to others to check their maint sub directory for files that may have been put there prior to update to the later versions. The rest of the files in that directory are date stamped June 24 where the zlq.php was May 15.

It appears that someone "out there" is searching Google or other engines for evidence of the compromised files - or already knows they are there - or is just fishing for them on all sites. Be warned!
------------ end of addendum -------------

I don't see any info on an attack to this version of MG on Geeklog but on Oct 10 one of my installations was compromised by adding a link to the footer.thtml file in the default layout. I have the log entries and they are similar to what appears to be an attempt back on My 15 to use the previous problem noted here http://www.geeklog.net/article.php/20070515095353878

PHP Formatted Code
61.191.234.252 - - [10/Oct/2007:22:14:49 -0400] "POST /mediagallery/maint/zlq.php?dir=.%2F..%2F..%2Flayout%2Fwildlife-p%2F..%2Fhwfchannel&editfile=footer.thtml HTTP/1.1" 200 117635 "http://www.han*censored*wildlifechannel.org/mediagallery/maint/zlq.php?action=editfile&dir=.%2F..%2F..%2Flayout%2Fwildlife-p%2F..%2Fhwfchannel&editfile=footer.thtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" han*censored*wildlifechannel.org
 


Note the "censored" is because your badwords setting needs a space somewhere around bad particle in the word h a n c o c k as this is a legitimate web site with video and discussion from wildlife cameras.

I have the rest of the log entries for this attack - please contact me at richard@pacdat.net for details. In the mean time I'd suggest setting your layout files to read only including the directory above them.
 Quote

Status: offline

mevans

Forum User
Full Member
Registered: 08/02/04
Posts: 393
Location:Texas
Richard,

I've sent you an email requesting the logs.

From the part you quoted, it definitely looks there is a new file in the mediagallery/maint/ directory, zlq.php. That file is not part of Media Gallery. It is obviously a file that allows someone to remotely edit your web based files.

We need to determine how that file made it to your system, whether it was via a issue with Media Gallery, Geeklog, PHP, etc.

As many of the logs files as you have would be beneficial.

Thanks!
Mark
 Quote

All times are EDT. The time is now 06:24 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content