birdcam!

Ben Wilson

When I went to upload a new gallery today, Gallery told me I had a folder that it didn’t create in the albums/ directory. Lo and behold, it was some “warez” directory with an MP3 recorder or some junk in it. Doing a little more research, I find that there is a phpshell script in there (so that your browser acts like a shell) and an FTP script to download a PHP Exploit Lab script.

Well, scanning my Apache logs, I find that the culprits came from Russia, or at least were using dialups in Russia. The offending hosts were a handful of Russian dialup addresses (telegraph.spb.ru).


Further, some of the referrers for these hits lead me to this URL (a forum), which is another exploited Gallery. (Some ICQ numbers of folks on that board include: 2243057, 321381, 118407481.)

So, I check out Gallery’s website — and first notice this security notice about a possible security hole. Turns out, it’s not a security hole in Gallery, but in any shared webserver. Well, that IS true. However, what DOESN’T help is that there WAS an exploit with version 1.3.2, which I was running. I’m assuming this exploit allowed for the upload of a file, namely phpshell.php, and thus… script kiddies from Mother Russia had their day. Their day as an unprivileged user, mind you.
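The checks described above (an unexpected server-side script under albums/, and the Apache log hits that point at it) can be scripted. This is an added example, not code from the post or from the Gallery project; the log lines, paths and hosts in it are constructed samples, and the albums prefix is an assumption about the install's layout.

```python
import re
from collections import Counter

# Apache "combined" log format. The host, referer and path values are
# the only fields this check cares about.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log, not the author's real logs. Addresses are from
# the documentation ranges; only lines 3 and 4 should be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Mar/2003:14:01:02 -0500] "GET /gallery/albums/birds/01.jpg HTTP/1.1" 200 5120 "http://example.org/gallery/" "Mozilla/4.0"
198.51.100.7 - - [05/Mar/2003:14:05:44 -0500] "POST /gallery/index.php HTTP/1.0" 200 310 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Mar/2003:14:06:10 -0500] "GET /gallery/albums/warez/phpshell.php?cmd=ls HTTP/1.0" 200 2048 "http://forum.example.net/thread" "Mozilla/4.0"
203.0.113.5 - - [05/Mar/2003:15:12:30 -0500] "GET /gallery/albums/warez/phpshell.php HTTP/1.0" 200 1900 "http://forum.example.net/thread" "Links"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_requests(log_text, albums_prefix="/gallery/albums/"):
    """Return parsed entries whose path is a server-side script under the
    albums tree. Gallery only serves images from there, so any request for
    a .php file in that tree means something was uploaded that should not
    have been. albums_prefix is an assumed path; adjust to the install."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        path = entry["path"].split("?", 1)[0]          # drop the query string
        if path.startswith(albums_prefix) and path.lower().endswith((".php", ".php3", ".phtml")):
            hits.append(entry)
    return hits

def summarize(hits):
    """Count the offending client hosts and the referrers that led them in."""
    return {
        "hosts": Counter(h["host"] for h in hits),
        "referers": Counter(h["referer"] for h in hits if h["referer"] != "-"),
    }

if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for h in found:
        print(h["host"], h["time"], h["path"])
    print(summarize(found))
```

Run it against the real access_log to get the same host and referrer tallies the post derives by hand; the referrer counts are what point back to the forum that seeded the attack.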

Gallery x1.3.2 exploit

Filed under General. Posted Mar 5 2003, 3:10 pm. Comments Off.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. | thelocust dot org
all content © 2000-2013 ben wilson under the creative commons license