Hi,
my provider told me that malicious code is in piwigo.
I found some files with eval(base64_decode code.
Is there a bad code scanner for the files on the server?
I checked a local backup with different malware and virus scanners, but nothing was found.
I just found some files with eval(base64_decode code because I knew what to look for.
So how can I clean piwigo files?
Any hint?
Thanks
Jörgen
Offline
Give [extension by plg] Check Files Integrity a try.
Offline
Ok, after deleting some lines in the index.php
it says:
Piwigo 2.8.6, 573 files scanned in 0.147 seconds
Well done! Everything seems good :-)
Offline
Provider also says some files were added?
Is e.g. themes15.php part of Piwigo?
Offline
Indeed [extension by plg] Check Files Integrity does not check for "unexpected" files.
themes15.php does not belong to Piwigo. Before you delete it, can you send it to me by email? ("plg" /at/ <piwigo.org>)
Can you also check directories in "_data" and "install" ? especially hidden directories, starting with a dot.
Offline
Joergen wrote:
Provider also says some files were added?
Is e.g. themes15.php part of Piwigo?
https://github.com/Piwigo/Piwigo/ - "File overview" - you can search a file, too.
@plg: "not check for "unexpected" files" - sounds like a good feature ;)
Offline
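The "unexpected files" check discussed above, sketched as an added example that is not part of the original thread or of the Check Files Integrity extension: it compares a live install with a clean unpacked copy of the same release and reports added files, modified files, hidden directories and files containing the eval(base64_decode pattern. The names `scan`, `audit`, `demo` and `PHOTO_DIRS` are hypothetical, and the sample trees are constructed.

```python
import hashlib, os, re, tempfile

# Pattern reported in the thread's infected files: eval(base64_decode(...
SUSPICIOUS = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
# Assumption: photo storage directories, where only PHP files are worth reporting.
PHOTO_DIRS = ("upload", "galleries")

def scan(root):
    """Return ({relative path: (sha256, has_suspicious_pattern)}, [hidden dirs])."""
    files, hidden = {}, []
    for cur, dirs, names in os.walk(root):
        hidden += [os.path.relpath(os.path.join(cur, d), root) for d in dirs if d.startswith(".")]
        for name in names:
            path = os.path.join(cur, name)
            with open(path, "rb") as fh:
                data = fh.read()
            files[os.path.relpath(path, root)] = (
                hashlib.sha256(data).hexdigest(), bool(SUSPICIOUS.search(data)))
    return files, hidden

def audit(install_dir, reference_dir):
    """Compare a live install with a clean unpacked copy of the same release."""
    live, hidden = scan(install_dir)
    ref, _ = scan(reference_dir)
    report = {"unexpected": [], "modified": [], "suspicious": [],
              "hidden_dirs": sorted(hidden)}
    for path, (digest, flagged) in sorted(live.items()):
        if flagged:
            report["suspicious"].append(path)
        if path not in ref:
            # Files missing from the release: photos are expected, PHP is not.
            in_photos = path.split(os.sep)[0] in PHOTO_DIRS
            if not in_photos or path.lower().endswith(".php"):
                report["unexpected"].append(path)
        elif ref[path][0] != digest:
            report["modified"].append(path)
    return report

def demo():
    """Constructed sample: a clean tree and a tampered copy of it."""
    ref, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (ref, live):
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php // clean\n")
    with open(os.path.join(live, "index.php"), "a") as fh:
        fh.write("eval(base64_decode('PLACEHOLDER'));\n")  # injected line
    with open(os.path.join(live, "themes15.php"), "w") as fh:
        fh.write("<?php // added file\n")
    os.makedirs(os.path.join(live, "_data", ".cache"))  # hidden directory
    return audit(live, ref)
```

Call `audit(install_dir, reference_dir)` on real trees. Generated files under `_data` and local configuration will show up as unexpected and need manual review, and legitimate plugin code can also contain `base64_decode`, so a hit is a lead rather than a verdict.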
Hi,
so it looks like the page is clean now.
It was a lot of manual work to find the pattern that the malicious software placed in some files and to remove it.
Anyway, does anyone have any additional help/hints or security measures to prevent such attacks?
Ok, 1. would be to keep Piwigo up to date.
What else can I do? Or what can my provider do?
thanks
Last edited by Joergen (2017-02-17 10:13:15)
Offline
Hi,
can someone confirm that the file ods.php contains a big part with code?
private function getThumbnail() {
return base64_decode("
iVBORw0KGgoAAAANSUhEUgAAALoAAAEACAYAAAAEKGxWAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz
AAAN1wAADdcBQiibeAAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAACAASURB
VHic7Z152F3T9cc/K3PMNcUUMZQ0hFJRQypiFmOpuai21NRWfmhNpWooRVDaGmqe1VDUUC1iaFHS
0BojIaExlRAlEQlZvz/WvnlPznuGO4/r8zz3ue89e+9z1r33e/e7z95rryWqiuO0Oz0abYDj1AMXxxx ...
File is placed here: plugins\GrumPluginClasses\classes\External\odsPhpGenerator\ods.php
thank you
Offline
drlecter wrote:
It looks the same here.
Thank you.
Offline