Hi,
I am referring to my last post "Get some fake links in my Homepage", but this problem seems to be a general issue with Piwigo.
You can test it by yourself, go to google and enter
piwigo Apotheke
or
piwigo -//:---spam
or
piwigo cialis
You get hundreds of pages created with Piwigo but they are all going to the same drug store http://drugs-avenue.com where you can order more or less legal stuff.
I strongly advise the Piwigo developers to review your code carefully! Check if your webserver has been hacked.
Best Regards
Last edited by wernfried (2016-12-13 08:16:27)
oha! Bad - Very Bad ...
My company firewall blocked access to EVERY Piwigo page with these fake links. Illegal content: malicious code, hate / discrimination, pornography. I think it is the malicious code reason ...
Is this a problem with comments? I have deactivated comments ... no problems with this.
Could be .htaccess injection issue, like here:
http://piwigo.org/forum/viewtopic.php?p … 88#p164288
With further investigations [Forum, post 165518 by plg in topic 27112] (Get some fake links in my Homepage), I can tell you it's not an htaccess redirection. It's in the PHP code. In the hacked Piwigo I am analyzing, some code was added and handles the redirection.
Oh, bad stuff.
Some sort of the pharma hack? https://aw-snap.info/articles/spam-hacks.php (pharmacy hack, around the middle of the page)
Last edited by teekay (2016-12-13 15:49:46)
Yes, exactly that, a pharma hack as described on your link.
The question is "did they modify the PHP code thanks to a security failure in Piwigo, or did they simply hack the FTP connection?"
Hi
Have a look at file include\config_default.inc.php
I found this one:
// use_exif_mapping: same behaviour as use_iptc_mapping //70be5e0f56ae4ed71c6cee02278e1891 create_function('', gzuncompress(base64_decode("eAHNW+lz2kgW [....] iRkg="))); //70be5e0f56ae4ed71c6cee02278e1891
I did not manage to decode, but I don't think this should be a problem for you.
Wernfried
Last edited by wernfried (2016-12-13 16:51:14)
Yes, I also found it. What is very interesting is that on the other hacked Piwigo I analyzed, it was another file that had been modified! These guys do whatever they can to make the hack hard to find.
For now, I don't know how they modified Piwigo. The most obvious answer is they had access to the filesystem. The less obvious answer would be they used a security failure in Piwigo. Considering there is no Piwigo.com account hacked, I am nearly sure this is not a security failure in Piwigo. But I'm not 100% sure yet.
I'm going to prepare a plugin which scans Piwigo core files and compares them to what they should be.
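The two checks discussed in this thread (a core file whose content no longer matches the release, and a `create_function('', gzuncompress(base64_decode(...)))` loader hidden in it) can be scripted outside Piwigo. The following is an added example, not plg's plugin and not Piwigo code; it assumes you have a manifest of MD5 hashes built from the clean release zip, and the file names and contents in `demo()` are constructed for the run.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Loose match for the loader quoted in the thread: create_function('', gzuncompress(base64_decode("...")))
SUSPICIOUS = re.compile(
    r"create_function\s*\(\s*['\"]{2}\s*,\s*gzuncompress\s*\(\s*base64_decode", re.IGNORECASE)


def file_md5(path):
    """MD5 of a file, read in chunks (MD5 only because the release checksums in the thread are MD5)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, manifest):
    """Compare every file under root with a manifest {relative path: md5 of the clean release}.
    Returns (modified, unexpected, suspicious): release files whose hash changed, files the
    release does not contain (e.g. dropped under tools/.metadata), and files carrying the loader."""
    root = Path(root)
    modified, unexpected, suspicious = [], [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            unexpected.append(rel)
        elif manifest[rel] != file_md5(path):
            modified.append(rel)
        if SUSPICIOUS.search(path.read_text(errors="replace")):
            suspicious.append(rel)
    return modified, unexpected, suspicious


def demo():
    """Constructed two-file 'install' plus a simulated injection, scanned against its own manifest."""
    clean = {"index.php": "<?php\necho 'gallery';\n",
             "include/config_default.inc.php": "<?php\n// use_exif_mapping: same behaviour as use_iptc_mapping\n"}
    manifest = {rel: hashlib.md5(src.encode()).hexdigest() for rel, src in clean.items()}
    injected = "//CONSTRUCTED create_function('', gzuncompress(base64_decode(\"eAHN...\"))); //CONSTRUCTED\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, src in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(src)
        # Simulate the hack: loader appended to a core file, extra file dropped in tools/.metadata.
        (root / "include/config_default.inc.php").write_text(clean["include/config_default.inc.php"] + injected)
        (root / "tools/.metadata").mkdir(parents=True)
        (root / "tools/.metadata/constructed-dropped-file").write_text("not part of the release\n")
        return scan_tree(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Against a real install, point `scan_tree` at the web root and build `manifest` by hashing the files of the unpacked release zip with `file_md5`; anything in "unexpected" or "suspicious" deserves a look even when its timestamp looks old.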
Hi
On my webpage the modification time for the newest files is 22. Nov 2016 12:04:22; for the file config_default.inc.php it is 22. Nov 2016 12:04:23.
Although I know it is fairly simple to change that to an arbitrary value. Maybe it helps.
Wernfried
and what about files in tools/.metadata ?
plg wrote:
and what about files in tools/.metadata ?
There are various files. The newest one is from 13 Dec 2016 10:57:03:
eb5bfe399c6fabfc2912ff5339617ae0 13. Dez 2016 10:57:03 32.0 KB rw- rw- rw- domscheit psacln
fca74ac17e5291fb4b6a2462898d3248 12. Dez 2016 11:22:58 16.0 KB rw- rw- rw- domscheit psacln
717cd1fe561a79a5ae39416877a7d487 12. Dez 2016 10:15:42 16.0 KB rw- rw- rw- domscheit psacln
9fc8708930b258724a90ad7d0cbefcbe 10. Dez 2016 23:43:57 12.0 KB rw- rw- rw- domscheit psacln
ec07dfc4e2529e10c71fcc85ef03ce6b 10. Dez 2016 16:17:00 12.0 KB rw- rw- rw- domscheit psacln
3e028ac2494adcc19fe791a53734a90f 10. Dez 2016 06:00:24 8.0 KB rw- rw- rw- domscheit psacln
35e6fc9c875334ff9d9b69c5b4ca39b2 9. Dez 2016 12:32:46 16.0 KB rw- rw- rw- domscheit psacln
60bf7cae591dfeea3db234f95ceae167 9. Dez 2016 09:45:18 8.0 KB rw- rw- rw- domscheit psacln
df2851a955ad79dcde0d3b55d6e90514 9. Dez 2016 09:42:40 4.0 KB rw- rw- rw- domscheit psacln
fd501573359a7b3fee0ffffdba58aba8
Just a note: actually I noticed this issue quite some time ago (for sure longer ago than the most recent update of Piwigo).
I saw the links in Google, then I opened my webpage and I did not see them. My impression at this time was: "Oh, somebody hacked my webpage but now it is looking fine. Apparently somebody hacked the server of my web hoster earlier and they discovered the hack and restored my files from the backup they certainly have." I just had to wait for Google to scan my page again, then the Google result would match my page again.
Obviously this was a bit naive, but this would also mean:
1) somebody had or has access to the file system and changed files several times (on the current release but also on the previous release)
or
2) the file downloaded from the Piwigo server was already corrupted.
Best Regards
Wernfried
Hi
Just for information, I filed a webspam report with Google:
https://www.google.com/webmasters/tools/spamreport
Maybe it helps.
Best Regards
Wernfried
You should also overwrite your Piwigo install with a clean Piwigo 2.8.3.
wernfried wrote:
1) somebody had or have access to file system and changed files several times (on current release but also on previous release)
Not necessarily: only the first modification needs access. The other files, the ones in tools/.metadata (this directory differs from one hacked installation to another), are written by the modified core file (in your case include/config_defaults.inc.php).
wernfried wrote:
2) downloaded file from Piwigo server was already corrupted.
That's unlikely:
[pierrick@pierrick-desktop] /tmp $ wget http://piwigo.org/download/dlcounter.php?code=latest -O piwigo-2.8.3.zip
--2016-12-14 10:33:13--  http://piwigo.org/download/dlcounter.php?code=latest
Resolving piwigo.org... 87.98.147.22
Connecting to piwigo.org|87.98.147.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7594750 (7.2M) [application/zip]
Saving to: `piwigo-2.8.3.zip'
100%[==========>] 7,594,750 40.2M/s in 0.2s
2016-12-14 10:33:13 (40.2 MB/s) - `piwigo-2.8.3.zip' saved [7594750/7594750]
[pierrick@pierrick-desktop] /tmp $ md5sum /tmp/piwigo-2.8.3.zip /home/pierrick/public_html/piwigo.org/download/piwigo/release/2.8/2.8.3/piwigo-2.8.3.zip
da7d4fd93bca8dd2fdd7ca6782ed2a86  /tmp/piwigo-2.8.3.zip
da7d4fd93bca8dd2fdd7ca6782ed2a86  /home/pierrick/public_html/piwigo.org/download/piwigo/release/2.8/2.8.3/piwigo-2.8.3.zip
/home/pierrick/public_html/piwigo.org/download/piwigo/release/2.8/2.8.3/piwigo-2.8.3.zip is the release I created on my Piwigo environment before pushing it to piwigo.org production servers.
Considering also that on the 2 hacked installations I analyzed the hack was a bit different, it's obvious that the files were not modified "in the original Piwigo release", but afterwards.