problem with phpThumb

stuartball
Offline
New Member

11 years 11 months ago #31438 by stuartball

Replied by stuartball on topic problem with phpThumb

Thanks for your help so far.

Now I'm flummoxed: the PHPThumb URL is
hxxp://greatlinfordscouts.org/3/compone ... q=95&f=png and it's a wrong-un

Nothing is in the database, I've re-uploaded PHPthumb,I've text searched the files and nothing. Only thing I can think of is the URL is embedded in the PNG file?

Stu

Please Log in or Create an account to join the conversation.

stuartball
Offline
New Member

11 years 11 months ago #31440 by stuartball

Replied by stuartball on topic problem with phpThumb

OK, it's a .HTAccess hack apparently. Now need to find the offending .htaccess file.

Where does PHPThumb store it links?

Please Log in or Create an account to join the conversation.

Rooney
Offline
Moderator

11 years 11 months ago #31441 by Rooney

Replied by Rooney on topic problem with phpThumb

StuartBall wrote: I cleaned installed the code, but didn't run through the database looking for stored links.

Ken said something about a CGI script. Have you deleted all FTP accounts and changed the Joomla passwords? To run a CGI script you need write access to the server. This means that either a FTP account is compromised or Joomla was hacked. If you haven't change passwords you might be hacked again!

Rooney

Joomla! 3.9.24 and FC 3.3.9

Please Log in or Create an account to join the conversation.

stuartball
Offline
New Member

11 years 11 months ago #31454 by stuartball

Replied by stuartball on topic problem with phpThumb

Well I found the .htaccess files that were missed when I cleaned up.

Thanks for your help.

Stuart

Please Log in or Create an account to join the conversation.

kenmcd
Offline
Moderator

11 years 11 months ago #31458 by kenmcd

Replied by kenmcd on topic problem with phpThumb

Rooney wrote:
StuartBall wrote: I cleaned installed the code, but didn't run through the database looking for stored links.

Ken said something about a CGI script. Have you deleted all FTP accounts and changed the Joomla passwords? To run a CGI script you need write access to the server. This means that either a FTP account is compromised or Joomla was hacked. If you haven't change passwords you might be hacked again!

Rooney

@Rooney
The CGI script being called was on another server (the .RU server).
But being able to write the htaccess file means they did get write access.
And part of the hack recovery checklist is to change all passwords.
So that is good advice.

@StuartBall
Looks like the images are working now.
8-)

Odd hack, or hacker screw-up.
Usually they do not want you to know they are there.

.

AllMedia4Joomla Project
Download AllMedia YouTube Feed Gallery module

Please Log in or Create an account to join the conversation.

ggppdk
Offline
Administrator

11 years 11 months ago #31464 by ggppdk

Replied by ggppdk on topic problem with phpThumb

I have added an extra step in installation process to try setting these permission

(post-install FLEXIcontent Dashboard screen already has it, but did not want to put it there since the task there checks minimum required permissions but installation extra step set them to 664(file), 755(folder) which doing any check)

anyway will test this

-- Flexicontent is Free but involves a big effort on our part.
Like the our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...

Please Log in or Create an account to join the conversation.