I found that all my sites did not work on Feb 19, including 3 piwigo sites.
I renamed the hacked sites to public_h and restored backups to public_html.
I thought everything was working.
But I noticed last night that all my photos says "updated Feb 18, 2023" in one piwigo site.
I thought it was strange and this morning I took a look at my database via phpmyadmin.
sure enough, somebody had inserted to every album something via the database.
here is the screen capture.
<img src="https://ibb.co/6n6wZZW">
I am guessing there is no easy way to delete these? I will see if I can find a backup mysl file to replace this one.
but I am not sure how the hack got in.
Last edited by beepro (2023-02-25 16:12:22)
Offline
all image date stamp also changed...so perhaps each jpeg had something inserted?
To be safe I have stopped that site and will restore older image backups also.
I do not understand the image date stamp. On another site, piwigo shows the correct "posted date" of June 24, 2014, but the gallery folder shows Set 5, 2021 (which might be a date of backed-up or restored...sometimes time stamps change inside windows, I know it is not supposed to). so hopefully these files were still clean.
Offline
The IP address was from "China Mobile" and the first line definite is not kosher (i.e. insert agent).
Later lines seem to synchronize the albums, but synchronizing albums did not change photo time stamp in another site.
Offline
Found another one, in a different piwigo site.
It says:
a:2:{s:6:"script";s:7:"install";s:5:"agent";s:78:"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0";}
what does this mean? it could be just installed piwigo? but the installation itself should be logged?
I do not quite understand this log.
Offline
false scare? I now remembered I was in China Feb 2022 and I was working on the galleries (and Zhejiang Jiaxing was the correct location with me being isolated for 21 days)...
and I found no bad codes in the downloaded sql.
still remains the question why photo date stamp was changed on Feb 18, which happened to be the day of being hacked (or at least I found many codes of lock360.php) running, infecting 43,000 files (basically putting .htaccess to every single directory).
Offline
sorry after one week working on malware I became paranoid about it. the Feb 18 date was 2022, and I took it to be 2023.
Anyway still would like to have the original upload date back since that was the real history :) :)
Offline
so most likely, it was Feb 18, 2022 I was migrating from gallery3 to piwigo. thus the time stamp? and the import perhaps did not work so my hit counters were all reset.
today I tried a few times to remigrate (newest piwigo, too new to run the migration pluggin, version 2.8, too old and have errors. version 11.00 was the only one to go.). finally done and got the posted time correct and also hit counters all back. good that I did not update that gallery the last few years :)
done with this scare...
Offline
Hi,
FYI.
using the IP displayed on the screen shot shared.
https://whois.domaintools.com/111.3.26.238
results is:
--
IP Location China China Hangzhou China Mobile Communications Corporation
ASN China AS56041 CMNET-ZHEJIANG-AP China Mobile communications corporation, CN (registered Jan 19, 2011)
Whois Server whois.apnic.net
IP Address 111.3.26.238
--
Offline
Yes that was me trying to install a piwigo to migrate the gallery3 to it.
the "install agent" which scared the hell out me, was actually myself installing piwigo. I did not sleep enough trying to remove malware codes and took the 2022 date to be 2023, thinking this was recent events. sorry for the false alarm!
Offline