Piwigo.org


#1 2017-02-13 23:33:25

Joergen
Translation Team
Location: Germany
Registered: 2011-09-30
Posts: 110

"eval base64_decode" Code in files

Hi,

my provider told me that malicious code is in Piwigo.
I found some files with eval(base64_decode code.

Is there a bad code scanner for the files on the server?

I checked a local backup with different malware and virus scanners but nothing was found.

I just found some files with eval(base64_decode code because I knew what to look for.

So how can I clean piwigo files?


Any hint?

Thanks
Jörgen


#2 2017-02-14 01:24:13

plg
Piwigo Team
Location: Nantes, France, Europe
Registered: 2002-04-05
Posts: 13013

Re: "eval base64_decode" Code in files


Latest blog post (March 23th 2017) Piwigo.com Enterprise plans, now official!


#3 2017-02-14 10:45:26

Joergen
Translation Team
Location: Germany
Registered: 2011-09-30
Posts: 110

Re: "eval base64_decode" Code in files

Ok, after deleting some lines in the index.php

it says:


    Piwigo 2.8.6, 573 files scanned in 0.147 seconds
    Well done! Everything seems good :-)


#4 2017-02-14 10:52:11

Joergen
Translation Team
Location: Germany
Registered: 2011-09-30
Posts: 110

Re: "eval base64_decode" Code in files

Provider says also some files were added?

Is e.g. themes15.php part of piwigo?


#5 2017-02-14 11:01:57

plg
Piwigo Team
Location: Nantes, France, Europe
Registered: 2002-04-05
Posts: 13013

Re: "eval base64_decode" Code in files

Indeed [extension by plg] Check Files Integrity does not check for "unexpected" files.

themes15.php does not belong to Piwigo. Before you delete it, can you send it to me by email? ("plg" /at/ <piwigo.org>)

Can you also check directories in "_data" and "install"? Especially hidden directories, starting with a dot.



#6 2017-02-14 11:18:08

WuppiGER
Member
Location: Germany
Registered: 2016-05-31
Posts: 33

Re: "eval base64_decode" Code in files

Joergen wrote:

Provider says also some files were added?

Is e.g. themes15.php part of piwigo?

https://github.com/Piwigo/Piwigo/ - "File overview" - you can search a file, too.


@plg: "not check for "unexpected" files" - sounds like a good feature ;)


#7 2017-02-17 10:12:40

Joergen
Translation Team
Location: Germany
Registered: 2011-09-30
Posts: 110

Re: "eval base64_decode" Code in files

Hi,

so it looks like the page is clean now.
It was a lot of manual work to find the pattern that the malicious software placed in some files and to remove it.

Anyway, has someone any additional help/hints or security measures to prevent such attacks?

Ok, 1. would be to keep Piwigo up to date.

What else can I do? Or what can my provider do?


thanks

Last edited by Joergen (2017-02-17 10:13:15)


#8 2017-02-17 11:55:15

Joergen
Translation Team
Location: Germany
Registered: 2011-09-30
Posts: 110

Re: "eval base64_decode" Code in files

Hi,

can someone confirm that the file ods.php contains a big part with code?

private function getThumbnail() {
    return base64_decode("
      iVBORw0KGgoAAAANSUhEUgAAALoAAAEACAYAAAAEKGxWAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz
      AAAN1wAADdcBQiibeAAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAACAASURB
      VHic7Z152F3T9cc/K3PMNcUUMZQ0hFJRQypiFmOpuai21NRWfmhNpWooRVDaGmqe1VDUUC1iaFHS
      0BojIaExlRAlEQlZvz/WvnlPznuGO4/r8zz3ue89e+9z1r33e/e7z95rryWqiuO0Oz0abYDj1AMXxxx ...

File is placed here: plugins\GrumPluginClasses\classes\External\odsPhpGenerator\ods.php

thank you


#9 2017-02-17 12:21:31

drlecter
Member
Registered: 2016-03-17
Posts: 2

Re: "eval base64_decode" Code in files

It looks the same here.


#10 2017-02-17 12:42:49

Joergen
Translation Team
Location: Germany
Registered: 2011-09-30
Posts: 110

Re: "eval base64_decode" Code in files

drlecter wrote:

It looks the same here.

Thank you.

Offline
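
The checks discussed in this thread, as an added example that is not part of the original posts and is not Piwigo's or the Check Files Integrity extension's code: it flags files absent from a known-good release manifest (the "unexpected files" gap), anything under a dot-prefixed path, and eval(base64_decode( calls, and it decodes the head of a plain base64_decode("...") literal to tell an embedded image, like the PNG data in ods.php, from an unknown payload. The manifest, the sample tree and all function names are assumptions constructed for the example.

```python
import base64, re, tempfile
from pathlib import Path

EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
B64_ARG = re.compile(rb"base64_decode\s*\(\s*[\"']\s*([A-Za-z0-9+/\s]{16,})")
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif", b"\xff\xd8\xff": "jpeg"}

def payload_kind(data: bytes) -> str:
    """Decode the head of a base64_decode("...") literal and name what it holds."""
    m = B64_ARG.search(data)
    if not m:
        return "none"
    chunk = b"".join(m.group(1).split())[:16]          # 16 chars -> 12 bytes
    head = base64.b64decode(chunk[: len(chunk) // 4 * 4])
    return next((k for sig, k in MAGIC.items() if head.startswith(sig)), "unknown")

def scan(root: Path, manifest: set[str]) -> dict[str, list[str]]:
    """Map each flagged relative path to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        rel = p.relative_to(root).as_posix()
        # True when any path component starts with a dot (hidden file or directory).
        reasons = ["hidden path"] if "/." in "/" + rel else []
        if rel not in manifest:      # what a modified-files-only check misses
            reasons.append("not in release manifest")
        data = p.read_bytes()
        if EVAL_B64.search(data):
            reasons.append("eval(base64_decode")
        elif payload_kind(data) == "unknown":   # heuristic: needs manual review
            reasons.append("base64 literal is not an image")
        if reasons:
            findings[rel] = reasons
    return findings

def demo() -> dict[str, list[str]]:
    # Constructed sample tree; contents are inert placeholders.
    png = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(16)).decode()
    files = {
        "index.php": "<?php // clean\n",
        "plugins/ods.php": f'<?php return base64_decode("\n  {png}");',
        "themes15.php": "<?php eval ( base64_decode('cGxhY2Vob2xkZXI='));",
        "_data/.cache/x.php": "<?php // placeholder\n",
    }
    root = Path(tempfile.mkdtemp())
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return scan(root, manifest={"index.php", "plugins/ods.php"})
```

In practice the manifest would be the file list of a freshly downloaded archive of the same Piwigo version plus the installed plugins, so that anything else on the server shows up as unexpected.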

 
