Heads up, security issue


Brad Dutton

Oct 17, 2021, 7:17:23 PM
to Gallery 3 Users
Hi,

Just a heads up to everyone, my gallery was hacked. Someone was able to upload some exploit files and run them. I've disabled my gallery for the time being until I figure out where the issue is.

Thanks,
Brad

Kazuo Kuroi

Oct 17, 2021, 8:15:42 PM
to gallery-3-users
Hi Brad,

Thank you for updating us! I checked my install which is under ZFS and has "noexec, nosuid, nosymlinkfollow" enabled and that stops most PHP exploits in its tracks IME. I will be interested to see your findings!





Darren Bowers

Oct 17, 2021, 10:33:16 PM
to Gallery 3 Users
Hi Brad - anything we should look out for in the exploit to tell if we have been targeted?

Thanks
Darren

J.R.

Oct 18, 2021, 12:58:26 AM
to gallery...@googlegroups.com
Brad,

Damn. Terribly sorry this happened to you. I was hoping this shoe wouldn't drop. While putting on a more active, public face and gathering existing Gallery users together (and helping new users get started) we -- and you in particular -- have made great strides in making Gallery work in the modern server environment. Unfortunately, the flip side to this renewed activity is that at some point we might attract some unwanted attention and apparently that has happened.

Can you tell us what the "symptoms" of the hack were (and what the effect was) so that we can be on the lookout? Were images in the gallery affected (or possibly involved in executing the hack... i.e., using images as Trojans for the exploit code?)

-- J.R.

Brad Dutton

Nov 3, 2021, 5:44:22 PM
to Gallery 3 Users
False alarm, looks like this wasn't anything related to gallery. The default Apache install has /cgi-bin enabled and calling
/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh
was basically running a shell so the person POSTed to that URL to create a cron entry that ran some other scripts. I'm not sure what was running but that was the problem.

Some of the uploaded files were uploaded to the gallery directories which is why I initially suspected the gallery software.

Thanks,
Brad
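
Added example, not part of the thread and not written by any poster: a log check for the request pattern described in the Nov 3 message above, which also answers the earlier question about what to look for. It assumes Apache common/combined access-log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside an Apache common/combined log entry: "METHOD path PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly until stable; return (decoded, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def is_suspicious(path):
    """True when a /cgi-bin request hides '..' segments behind percent-encoding."""
    raw = path.split("?", 1)[0]          # ignore the query string
    decoded, rounds = fully_decode(raw)
    if not decoded.startswith("/cgi-bin/"):
        return False
    hidden_dotdot = ".." in decoded.split("/") and ".." not in raw.split("/")
    # Two or more decode rounds means nested encoding, which normal clients do not send.
    return hidden_dotdot or rounds >= 2

def scan(lines):
    """Return (line_number, method, path) for each flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("path")):
            hits.append((n, m.group("method"), m.group("path")))
    return hits

# Constructed sample log lines (documentation IP range), not taken from the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Oct/2021:10:00:01 +0000] "GET /gallery3/index.php/photos HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Oct/2021:10:02:13 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 12',
    '203.0.113.5 - - [17/Oct/2021:10:03:40 +0000] "GET /cgi-bin/printenv?name=a%20b HTTP/1.1" 200 820',
    '203.0.113.7 - - [17/Oct/2021:10:04:02 +0000] "GET /gallery3/var/albums/My%20Trip/a.jpg HTTP/1.1" 200 90210',
]

if __name__ == "__main__":
    for n, method, path in scan(SAMPLE_LOG):
        print(f"line {n}: {method} {path}")
```

A hit only shows that such a request was received; the status code on the same log line and any unexpected cron entries or files written around that time indicate whether it had an effect.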

J.R.

Nov 5, 2021, 3:16:58 AM
to gallery...@googlegroups.com
Brad,

*sigh* of relief. Thanks for letting us know.

--J.R.