#16 2016-12-14 11:53:40

jdd
Member
Toulouse (France)
2009-12-19
118

Re: Serious security issue in Piwigo?

plg wrote:

I'm going to prepare a plugin which scans Piwigo core files and compare them to what they should be.

Maybe also some server-side tool, like rkhunter or tripwire (there is an open-source one).

jdd

#17 2016-12-14 11:59:28

wernfried
Member
2012-01-21
84

Re: Serious security issue in Piwigo?

plg wrote:

Considering also that on the 2 hacked installations I analyzed the hack was a bit different, it's obvious that it was not modified "on the original Piwigo files", but afterwards.

On the other hand, see how many pages are hacked (see https://www.google.ch/search?q=piwigo+apotheke) and all of them are using Piwigo.

Compare with other famous gallery applications; they don't seem to be hacked (Apotheke is German for pharmacy):

https://www.google.ch/search?q=zenphoto+apotheke
https://www.google.ch/search?q=GALLERY3+apotheke
https://www.google.ch/search?q=Phoca+Gallery+apotheke
https://www.google.ch/search?q=Coppermine+apotheke
https://www.google.ch/search?q=lychee+apotheke


Anyway, you suggest overwriting my Piwigo install with a clean Piwigo 2.8.3.
How can I do this without losing my pictures and album settings?

Is it possible to restore them after a fresh installation?

I am a professional software developer, so I will manage to do this. However, since my webpage is not the only one which is affected, it should be an easy and straightforward approach.


Best Regards
Wernfried

#18 2016-12-14 12:41:55

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

wernfried wrote:

On the other hand, see how many pages are hacked (see https://www.google.ch/search?q=piwigo+apotheke) and all of them are using Piwigo.

But it still doesn't mean there is a security breach in Piwigo. Just that Piwigo is popular enough to deserve interest from spammers.

Actually, if you find a way to steal the username/password of the webmaster, you get access to pretty much everything, including modifying PHP files. Then a hacker can do whatever (s)he wants.

You can also think about a failure in another CMS installed on the same web space. I have already seen a hack on WordPress which let the hacker add files "somewhere else" on the same web space. This is smart because it makes the hack more complicated to understand.

So for now, I simply state "we don't know how the Piwigo core file was primarily modified".

wernfried wrote:

Anyway, you suggest overwriting my Piwigo install with a clean Piwigo 2.8.3.
How can I do this without losing my pictures and album settings?

Simply extract files from piwigo-2.8.3.zip and upload them to your web space. Nothing will be lost.

wernfried wrote:

Is it possible to restore them after a fresh installation?

Yes, you can also restore an old backup. It would be very interesting if you could find out when your PHP core files were modified, thanks to your daily or weekly backup. You have some, don't you?

#19 2016-12-14 13:09:06

jdd
Member
Toulouse (France)
2009-12-19
118

Re: Serious security issue in Piwigo?

In my case, I have no other app in this user account, and my other (main) Piwigo installation, hosted in the main web root (htdocs), doesn't seem to be spammed.

The user account can't have been compromised (the login didn't work atm), but the admin Piwigo account could have been, eventually.

If time permits, I will make a new install with the same login/pass and run a tripwire scan to monitor whether the spammer comes again.

jdd

Last edited by jdd (2016-12-14 13:11:13)

#20 2016-12-14 13:35:07

wernfried
Member
2012-01-21
84

Re: Serious security issue in Piwigo?

plg wrote:

Simply extract files from piwigo-2.8.3.zip and upload them to your web space. Nothing will be lost.

Yes, you can also restore an old backup. It would be very interesting if you could find out when your PHP core files were modified, thanks to your daily or weekly backup. You have some, don't you?

You mean, I can delete the entire /piwigo folder (including subfolders), extract files from piwigo-2.8.3.zip to this folder and everything will work again? Does it automatically restore my plugins, account settings, albums and photos?

I was thinking my photos are stored in folder /piwigo/_data - they would be lost I assume.

I don't have a personal backup of my webspace. My idea was more like this:
1) Rename folder /piwigo to /piwigo_bak
2) Make a fresh install to /piwigo
3) Copy pictures (and maybe a few other customized files like local/config/database.inc.php) from /piwigo_bak to /piwigo
4) Delete /piwigo_bak folder to get rid of any malicious code

Best Regards

#21 2016-12-14 13:38:12

jdd
Member
Toulouse (France)
2009-12-19
118

Re: Serious security issue in Piwigo?

You mean, I can delete the entire /piwigo folder (including subfolders), extract files from piwigo-2.8.3.zip to this folder and

Detailed instructions are in the Piwigo download section, with the list of folders to keep.

jdd

Last edited by jdd (2016-12-14 13:38:40)

#22 2016-12-14 13:44:41

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

wernfried wrote:

You mean, I can delete the entire /piwigo folder (including subfolders), extract files from piwigo-2.8.3.zip to this folder and everything will work again? Does it automatically restore my plugins, account settings, albums and photos?

Of course Piwigo can't "restore" your photos if you delete them :-)

No, I meant to simply overwrite your files with files from the original piwigo-2.8.3.zip. This archive won't overwrite any "local" file, such as your database configuration or your photos. Only Piwigo core files.

You can also remove the directories "install" and "tools" before the overwrite. It will be safer (to remove any files added by the hacker).

I don't have a personal backup of my webspace.

Big mistake. From now on, I strongly recommend that you create one. This is the only reliable way to feel safe against hacks like this one.

My idea was more like this:
1) Rename folder /piwigo to /piwigo_bak
2) Make a fresh install to /piwigo
3) Copy pictures (and maybe a few other customized files like local/config/database.inc.php) from /piwigo_bak to /piwigo
4) Delete /piwigo_bak folder to get rid of any malicious code

Yes, you can also do that. Files to restore:

* upload
* galleries
* local

And you also have some hacked code in your local/config/database.inc.php. The last official line is:

Code:

define('DB_COLLATE', '');

#23 2016-12-14 14:09:41

jnashpiwigo
Piwigo Team
2014-10-21
254

Re: Serious security issue in Piwigo?

This definitely doesn't bode well...

https://www.google.com/search?q=piwigo+pharmacy

returns 46300 hits on what appear to be identical scenarios regarding this 'hack'.

I know some folks who run brlcad.org (the first few returns on the google search) - I'll see if I can get some insight and copies of the files for further analysis.

#24 2016-12-14 14:17:28

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

jnashpiwigo wrote:

I know some folks who run brlcad.org (the first few returns on the google search) - I'll see if I can get some insight and copies of the files for further analysis.

Thank you. I would be happy to analyse that.

I'm preparing a plugin to check files compared to the original ones.

#25 2016-12-14 15:08:17

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

You can give [extension by plg] Check Files Integrity a try.

Very simple for now. Can only check expected files on versions 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2 and 2.8.3

#26 2016-12-14 15:12:15

wernfried
Member
2012-01-21
84

Re: Serious security issue in Piwigo?

plg wrote:

My idea was more like this:
1) Rename folder /piwigo to /piwigo_bak
2) Make a fresh install to /piwigo
3) Copy pictures (and maybe a few other customized files like local/config/database.inc.php) from /piwigo_bak to /piwigo
4) Delete /piwigo_bak folder to get rid of any malicious code

Yes, you can also do that. Files to restore:

* upload
* galleries
* local

That's all? What about folder /plugins, /themes, /template-extension? This is in contradiction to Step 5 at http://piwigo.org/basics/upgrade_manual


Wernfried

#27 2016-12-14 15:17:34

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

Follow the upgrade guide. That's the reference.

In your specific case, I would not restore the _data directory. This is only cache, your Piwigo will rebuild it.

#28 2016-12-14 15:44:16

wernfried
Member
2012-01-21
84

Re: Serious security issue in Piwigo?

Ok, it worked. Everything seems to be fine.

Also your plugin Check Files Integrity works as expected.

Best Regards
Wernfried

#29 2016-12-14 15:50:49

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

wernfried wrote:

Also your plugin Check Files Integrity works as expected.

To make this utility useful and reliable, we need at least to:

1) reinstall it very often, before any use actually (because a serious hacker will also modify it...)
2) execute it automatically very often, and report by email (which can also be hacked...)

Another solution would be that piwigo.org does a part of the job, such as requesting a check and reporting to the owner in case of problem. As said earlier, all this is very complicated because once the hacker has access to the filesystem (s)he can do pretty much anything to "fake" the system.

Furthermore, we all know that the most vulnerable websites are the ones managed with no "high seriousness". I don't know how to say it... and of course these users won't check file integrity either... :-/

#30 2016-12-14 16:20:02

eliz82
Member
Romania
2016-04-27
281

Re: Serious security issue in Piwigo?

plg wrote:

Yes, exactly that, a pharma hack as described on your link.

The question is "did they modify PHP code thanks to a security failure in Piwigo, or did they simply hack the FTP connection?"

I don't think it is related to Piwigo. 3-4 years ago I got the same pharma hack in the phpBB3 files. It was very hard to find; I finally read some tips on a site, searched the files for base64_decode and then finally found the malicious code.

This plugin is useful to see your site as Google sees it:
https://addons.mozilla.org/en-GB/firefo … -switcher/
Or you can use Google Webmaster Tools.

@later edit: Google Webmaster Tools can also give you an email alert when it detects that your site is hacked. Otherwise you can stay for months without observing anything strange, because the hack is viewable only to search engines, not to normal users.

Last edited by eliz82 (2016-12-15 08:31:57)
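Added example (not the Check Files Integrity plugin and not code from anyone in this thread): a manifest-based integrity check of the kind plg describes in #25 and #29, combined with the base64_decode search eliz82 used in #30. The directory names (upload, galleries, local, _data, tools) are the ones the thread mentions; the file contents and the extra eval/gzinflate patterns are constructed assumptions. As plg points out, both the manifest and this script have to come from a trusted copy, not from the host being checked.

```python
import hashlib, os, re, tempfile

# eliz82's search tip (base64_decode) plus its usual companions; heuristic only.
SUSPICIOUS = re.compile(rb"\b(base64_decode|eval|gzinflate)\s*\(")
USER_DIRS = ("upload/", "galleries/", "local/", "_data/")  # user data, not core

def _walk(root):
    for d, _, names in os.walk(root):
        for n in names:
            full = os.path.join(d, n)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full

def sha256_of(path):
    return hashlib.sha256(open(path, "rb").read()).hexdigest()

def check_install(root, manifest):
    """manifest = {relpath: sha256} of a pristine tree (the official zip, unpacked
    offline). Core files are hashed; non-pristine PHP files are also grepped."""
    report = {"modified": [], "missing": [], "added": [], "suspicious": []}
    for rel, full in _walk(root):
        pristine = rel in manifest and sha256_of(full) == manifest[rel]
        if rel in manifest and not pristine:
            report["modified"].append(rel)
        elif rel not in manifest and not rel.startswith(USER_DIRS):
            report["added"].append(rel)
        if rel.endswith(".php") and not pristine \
                and SUSPICIOUS.search(open(full, "rb").read()):
            report["suspicious"].append(rel)
    report["missing"] = [r for r in manifest
                         if not os.path.exists(os.path.join(root, r))]
    return {k: sorted(v) for k, v in report.items()}

def _write(root, files):
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "wb").write(data)

# Constructed fixture, not real Piwigo files: a clean tree and a tampered copy
# (core file injected, file dropped in tools/, line appended after DB_COLLATE).
CLEAN = {"index.php": b"<?php echo 'gallery';\n",
         "include/config_default.inc.php": b"<?php $conf['x'] = 1;\n"}
HACKED = {"index.php": CLEAN["index.php"] + b"eval(base64_decode('aGk='));\n",
          "tools/sync.php": b"<?php echo 1;\n", "local/config/database.inc.php":
          b"<?php define('DB_COLLATE', '');\neval(base64_decode('aGk='));\n"}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        _write(clean, CLEAN); _write(live, HACKED)
        return check_install(live, {r: sha256_of(f) for r, f in _walk(clean)})
```

Files under local/ are never compared by hash, which is why database.inc.php only shows up through the grep; a hash manifest of your own local/ directory, kept off the server, closes that gap.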
