X3 Photo Gallery Support Forums

cyrofila
Topic Author
Posts: 8
Joined: 17 Aug 2012, 23:23

Hacked - Security Concern

05 Jun 2013, 12:02

Hi Imagevue Support Team,

Recently my server was hacked. I opened a ticket with the webhosting tech support, and they claimed that hackers gained access via script injection.

Below is the response from the webhosting tech support.

For your advice.

I believe that I am on the latest version of Imagevue, which is 2.8.


================================
Dear Faizal,

We have checked and found the script was injected from cyrofila2.140613.com.
Below is the log:
=======================================
41.203.67.51 - - [02/Jun/2013:19:06:05 +0800] "POST /content/Zzb/install/index.php HTTP/1.1" 200 1795 "http://www.cyrofila.net/content/Zzb/install/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0"
41.203.67.51 - - [02/Jun/2013:19:10:18 +0800] "POST /content/Zzb/cp.php?m=login HTTP/1.1" 302 - "http://www.cyrofila.net/content/Zzb/cp.php?m=login" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0"
41.203.67.51 - - [02/Jun/2013:19:36:15 +0800] "POST /content/Zzb/Shrelll.php HTTP/1.1" 200 27350 "http://www.cyrofila.net/content/Zzb/Shrelll.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0"
=======================================

You may access http://who.is/whois-ip/ip-address/41.203.67.51 to get the IP destination.



We believe there is a vulnerability in the application. Kindly upgrade your application or contact the developer for further assistance.



If you have any enquiries, please do not hesitate to contact us. Thank You!
Sincerely,
Alexander
Hosting Support Engineer
Technical Support Department

How Am I Doing? Email My Manager At feedback@exabytes.sg
Need more resources for your website? Check out our VPS and Dedicated Server !
 
mjau-mjau
X3 Wizard
Posts: 13999
Joined: 30 Sep 2006, 03:37

Re: Hacked - Security Concern

06 Jun 2013, 00:57

I am not sure what your link is, and I don't really see any context in their explanation that explains how you were hacked, although you obviously were.

We have had to deal with vulnerabilities in Imagevue a long time ago, and I can confirm that there are none at this point in time, with one exception: If you leave your admin un-passworded, a hacker will be able to upload malicious files (inject?), and then execute them. Outside of this, it is simply not possible to "inject" files through Imagevue unless they have access to the admin. Recently we even added an extra layer of protection to prevent uploading script files, for those who in fact forget to set a password for their admin.

If you have been hacked and Imagevue is the only thing you had on your website, you would need to delete all Imagevue script files and folders, and then check in ALL your "content" folders and subfolders, making sure there are no suspect files there. Then upload the latest Imagevue, keep your content, and make sure to set a password on the admin.
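Added example, not part of the original thread and not Imagevue code: a small access-log triage script that lists every request for a script file under /content/, which is how the three entries in the host's excerpt stand out. It assumes Apache combined log format and that /content/ should contain only gallery media; the function names and extension list are illustrative.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" log format, as in the host's excerpt.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumption: /content/ should hold only gallery media, so a request for any
# server-side script below it is suspect. The extension list is illustrative.
SCRIPT_RE = re.compile(r'^/content/.*\.(?:php\d?|phtml|phar|cgi|pl)(?:/|$)', re.I)

def suspect_requests(lines):
    """Return parsed log entries that request a script file under /content/."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = unquote(m["target"].split("?", 1)[0])  # drop query, decode %xx
        if SCRIPT_RE.match(path):
            hits.append({**m.groupdict(), "path": path})
    return hits

def summarize(hits):
    """Group hits by path: requesting IPs, and whether any request got < 400."""
    out = defaultdict(lambda: {"ips": set(), "served": False})
    for h in hits:
        out[h["path"]]["ips"].add(h["ip"])
        out[h["path"]]["served"] |= int(h["status"]) < 400
    return dict(out)

# First three requests are from the host's excerpt (referrer and user agent
# trimmed to "-"); the last two are constructed for contrast.
SAMPLE = [
    '41.203.67.51 - - [02/Jun/2013:19:06:05 +0800] "POST /content/Zzb/install/index.php HTTP/1.1" 200 1795 "-" "-"',
    '41.203.67.51 - - [02/Jun/2013:19:10:18 +0800] "POST /content/Zzb/cp.php?m=login HTTP/1.1" 302 - "-" "-"',
    '41.203.67.51 - - [02/Jun/2013:19:36:15 +0800] "POST /content/Zzb/Shrelll.php HTTP/1.1" 200 27350 "-" "-"',
    '203.0.113.9 - - [02/Jun/2013:19:40:00 +0800] "GET /content/holiday/beach.jpg HTTP/1.1" 200 48211 "-" "-"',
    '203.0.113.9 - - [02/Jun/2013:19:41:00 +0800] "GET /content/holiday/x.php HTTP/1.1" 404 310 "-" "-"',
]

if __name__ == "__main__":
    for path, info in sorted(summarize(suspect_requests(SAMPLE)).items()):
        state = "served" if info["served"] else "not served"
        print(f"{path}  {state}  from {sorted(info['ips'])}")
```

Paths reported as served are files to locate and remove during the cleanup described above; the earliest entry for each path narrows down when it was placed on the server.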
 
cyrofila
Topic Author
Posts: 8
Joined: 17 Aug 2012, 23:23

Re: Hacked - Security Concern

06 Jun 2013, 20:09

Admin is passworded.
 
mjau-mjau
X3 Wizard
Posts: 13999
Joined: 30 Sep 2006, 03:37

Re: Hacked - Security Concern

06 Jun 2013, 22:45

cyrofila wrote: Admin is passworded.

You cannot "inject" anything through Imagevue without access to admin, unless you were using a very old version from a few years back. Maybe someone sniffed out your password; it's just not possible to "inject" files in Imagevue without being able to access the admin. Btw, when your host says "inject", that sometimes refers to injecting code into a database, but Imagevue does not even use a database. Therefore, their reference to "inject" would be identical to "upload".
 
steveman0018
Experienced
Posts: 31
Joined: 09 Apr 2012, 19:42

Re: Hacked - Security Concern

08 Jun 2013, 11:20

Were you running the powerpack add-on? If so, maybe you might want to tell the developer of that add-on, since he does use databases for comments and stuff.