Piwigo.org

Joergen · 2017-02-13 23:33:25

Hi,

my provider told me that malicious code is in piwigo.
I found some files with eval(base64_decode code.

Is there a bad code scanner for the files on the server?

I checked a local backup with different maleware and virusscanner but nothing was found.

I just found some files with eval(base64_decode code because I knew what to look for.

So how can I clean piwigo files?

Any hint?

Thank
Jörgen

plg · 2017-02-14 01:24:13

Give a try to [extension by plg] Check Files Integrity

Joergen · 2017-02-14 10:45:26

Ok, after deleting some lines in the index.php

it says:

Piwigo 2.8.6, 573 files scanned in 0.147 seconds
Well done! Everything seems good :-)

Joergen · 2017-02-14 10:52:11

Provider says also some files where added?

Is e.g. themes15.php part of piwigo?

plg · 2017-02-14 11:01:57

Indeed [extension by plg] Check Files Integrity does not check for "unexpected" files.

themes15.php does not belong to Piwigo. Before you delete it, can you send it to me by email? ("plg" /at/ <piwigo.org>)

Can you also check directories in "_data" and "install" ? especially hidden directories, starting with a dot.

WuppiGER · 2017-02-14 11:18:08

Joergen wrote:
Provider says also some files where added?

Is e.g. themes15.php part of piwigo?

https://github.com/Piwigo/Piwigo/ - "File overview" - you can search a file, too.

@plg: "not check for "unexpected" files" - sounds like a good feature ;)

Joergen · 2017-02-17 10:12:40

Hi,

so it looks like the page is clean now.
It was a lot of manual work to find the pattern that the malicious software placed in some files and to remove it.

Anyway, has some one any additional help/hints or security measures to prevent such attacks?

Ok, 1. would be keep Piwigo uptodate.

What else can I do? Or what can my provider do?

thanks

Last edited by Joergen (2017-02-17 10:13:15)

Joergen · 2017-02-17 11:55:15

Hi,

can some one confirm that the file ods.php contains a big part with code?

private function getThumbnail() {
return base64_decode("
iVBORw0KGgoAAAANSUhEUgAAALoAAAEACAYAAAAEKGxWAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz
AAAN1wAADdcBQiibeAAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAACAASURB
VHic7Z152F3T9cc/K3PMNcUUMZQ0hFJRQypiFmOpuai21NRWfmhNpWooRVDaGmqe1VDUUC1iaFHS
0BojIaExlRAlEQlZvz/WvnlPznuGO4/r8zz3ue89e+9z1r33e/e7z95rryWqiuO0Oz0abYDj1AMXxxx ...

File is placed here: plugins\GrumPluginClasses\classes\External\odsPhpGenerator\ods.php

thank you

drlecter · 2017-02-17 12:21:31

It´s look same here.

Joergen · 2017-02-17 12:42:49

drlecter wrote:
It´s look same here.

Thank you.

Piwigo.org

Announcement

#1 2017-02-13 23:33:25

"eval base64_decode" Code in files

#2 2017-02-14 01:24:13

Re: "eval base64_decode" Code in files

#3 2017-02-14 10:45:26

Re: "eval base64_decode" Code in files

#4 2017-02-14 10:52:11

Re: "eval base64_decode" Code in files

#5 2017-02-14 11:01:57

Re: "eval base64_decode" Code in files

#6 2017-02-14 11:18:08

Re: "eval base64_decode" Code in files

Joergen wrote:

#7 2017-02-17 10:12:40

Re: "eval base64_decode" Code in files

#8 2017-02-17 11:55:15

Re: "eval base64_decode" Code in files

#9 2017-02-17 12:21:31

Re: "eval base64_decode" Code in files

#10 2017-02-17 12:42:49

Re: "eval base64_decode" Code in files

drlecter wrote:

Board footer