Avatar Thumb.Php


    Can someone modify this uloki avatar coded by froztymarvelous? The upload section is in usercp.php; the file path where the avatar image lies is the avatars folder, and thumb.php + palette.jpg are also in the avatars folder. I just want to separate thumb.php. I want it outside the avatars folder but I always get an error. Anybody wanna help?

    Download: Click Here

    #2
    That's why I left it in the avatars folder. If I remember correctly, I had a problem trying to save to a different dir so I just left it in the same dir. It's been almost a year so I can't really remember.
    Try this solution instead of blocking all PHP extensions in the dir. I know for sure it will prevent executing a PHP file in that dir directly, but I don't know about a remote call.

    Upload to the avatar folder and try an avatar upload.
    Perfection comes at a cost



    I accept liberty!



      #3
      You can't remodify it, frozty? As I tried to secure my forum, all the files in the avatars folder except images are disabled or unexecuted; even if a PHP file was uploaded it can't be used. Is there any solution for that?



        #4
        file

        The file you should upload.
        Attached Files


          #5
          Ok wait dude, I'll check.



            #6
            Originally posted by Jervy
            You can't remodify it, frozty? As I tried to secure my forum, all the files in the avatars folder except images are disabled or unexecuted; even if a PHP file was uploaded it can't be used. Is there any solution for that?

            Thing is, a PHP file can't be uploaded.
            It uses GD functions, and thus makes sure the file is an image. It then makes a thumbnail of the pic and saves that, not the original. Zero chance of PHP upload or even pics with PHP hidden in them. The script created the image, not the user. So all in all, you are safe.

            Comment
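The approach post #6 describes (decode the upload with GD, draw a thumbnail, store only the script's own output), as an added example that is not froztymarvelous's thumb.php or any other code from this thread. `save_avatar()`, the constants and the `avatar` form field are assumptions; the target folder is given as an absolute path, so the script does not have to sit inside it.

```php
<?php
// Added example, not the thread's thumb.php. Assumed names: AVATAR_DIR,
// MAX_BYTES, MAX_SIDE, THUMB_SIDE, save_avatar(), form field "avatar".
const AVATAR_DIR = __DIR__ . '/avatars';   // absolute path to the avatars folder
const MAX_BYTES  = 2097152;                // 2 MiB upload cap
const MAX_SIDE   = 4000;                   // reject huge canvases before decoding
const THUMB_SIDE = 100;

function save_avatar(array $upload, int $userId): string
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($upload['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the file's own bytes, never from the client's name or MIME type.
    $info = @getimagesize($upload['tmp_name']);
    $loaders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
        IMAGETYPE_GIF  => 'imagecreatefromgif',
    ];
    if ($info === false || !isset($loaders[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    if ($info[0] > MAX_SIDE || $info[1] > MAX_SIDE) {
        throw new RuntimeException('image dimensions too large');
    }
    $loader = $loaders[$info[2]];
    $src = @$loader($upload['tmp_name']);
    if ($src === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Scale to fit THUMB_SIDE; only decoded pixels are copied to the new canvas,
    // so metadata and any bytes appended to the upload are left behind.
    $scale = THUMB_SIDE / max($info[0], $info[1]);
    $w = max(1, (int) round($info[0] * $scale));
    $h = max(1, (int) round($info[1] * $scale));
    $dst = imagecreatetruecolor($w, $h);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, $info[0], $info[1]);
    // The server chooses name and extension; $upload['name'] is never used.
    $target = AVATAR_DIR . '/' . $userId . '.jpg';
    if (!imagejpeg($dst, $target, 85)) {
        throw new RuntimeException('could not write avatar');
    }
    chmod($target, 0644);
    return $target;
}
// Usage in the upload handler: save_avatar($_FILES['avatar'], $userId);
```

This covers only the one upload path that goes through the function; any other uploader writing to the same folder needs its own checks.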


              #7
              @frosty I let you handle my cPanel, right? Haven't you checked my avatars folder? There's a hack.php uploaded and a sub dir created, and the most tricky thing is my .htaccess was replaced by Huwad (hacker). And when I check my attachments folder there's also a PHP file which is not renamed by md5. I wonder how it happens; that's why I'm over-securing my folders.

              Added after 2 minutes:

              And also I encountered this thing. After the hacking I tried to remove the PHP file in the avatars folder but the server says I don't have permission! Wtf! I don't have permission on my own server! How could it be?

              Added after 3 minutes:

              If it's impossible to upload a PHP file in the avatars folder as you said, then how come Huwad was able to upload a PHP file in it and even create a sub dir? And the permission was stolen, and the htaccess was edited. Hmmm... You don't believe me, right? But it's true. I've been hacked 32x already. Before Huwad came there's Xploder who comes 1st.
              Last edited by Jervy; 03.12.10, 20:38.



                #8
                Originally posted by Jervy
                @frosty I let you handle my cPanel, right? Haven't you checked my avatars folder? There's a hack.php uploaded and a sub dir created, and the most tricky thing is my .htaccess was replaced by Huwad (hacker). And when I check my attachments folder there's also a PHP file which is not renamed by md5. I wonder how it happens; that's why I'm over-securing my folders.

                Added after 2 minutes:

                And also I encountered this thing. After the hacking I tried to remove the PHP file in the avatars folder but the server says I don't have permission! Wtf! I don't have permission on my own server! How could it be?

                Added after 3 minutes:

                If it's impossible to upload a PHP file in the avatars folder as you said, then how come Huwad was able to upload a PHP file in it and even create a sub dir? And the permission was stolen, and the htaccess was edited. Hmmm... You don't believe me, right? But it's true. I've been hacked 32x already. Before Huwad came there's Xploder who comes 1st.
                It definitely was not through that script. Have you checked your other uploaders?
                Maybe shell hacking or something.


                  #9
                  My only folders which are chmod 777 are "avatars" and "attachments". Is it possible to inject a shell in a folder which is chmod 755?



                    #10
                    I posted a tutorial about thumb on wap landz; you can try that script.



                      #11
                      It is possible technically; it depends on how your hosting is configured though...
                      C3 Themes: http://c3themes.wen.ru/index.html
                      Find Files: http://mystarter.tk/?goto=X-search



                        #12
                        Once again! NEVER EVER CHMOD 777. If 755 won't work, just notch it up a bit. But never 777.

                        Comment
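A check for the symptoms listed in post #7 and for the 777 mode discussed in posts #9 to #12, as an added example that is not code from this thread. `audit_upload_dir()`, its parameters and the md5-style name pattern used for the attachments folder are assumptions; it expects both folders to sit next to the script.

```php
<?php
// Added example, not code from the thread. audit_upload_dir() and its
// parameters are assumed names; the name patterns passed below are assumptions.
function audit_upload_dir(string $dir, string $namePattern, bool $imagesOnly, array $expected = []): array
{
    if (!is_dir($dir)) {
        return ["$dir: not a directory"];
    }
    $findings = [];
    $mode = fileperms($dir) & 0777;
    if ($mode & 0002) {
        $findings[] = sprintf('%s: world-writable directory (%04o)', $dir, $mode);
    }
    $dirOwner = fileowner($dir);
    $items = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($items as $path => $item) {
        $name = $item->getFilename();
        if ($item->isDir()) {
            $findings[] = "$path: sub-directory inside an upload folder";
            continue;
        }
        if ($item->getOwner() !== $dirOwner) {
            // Files written through the web server may belong to its account,
            // which can leave the FTP/cPanel user unable to delete them.
            $findings[] = "$path: owner differs from the directory owner";
        }
        if ($name === '.htaccess') {
            $findings[] = sprintf('%s: .htaccess last changed %s', $path, date('c', $item->getMTime()));
        } elseif (in_array($name, $expected, true)) {
            continue; // a script that is meant to be here, e.g. thumb.php
        } elseif (!preg_match($namePattern, $name)) {
            $findings[] = "$path: name does not match the expected pattern";
        } elseif ($imagesOnly && @getimagesize($path) === false) {
            $findings[] = "$path: image name but content is not an image";
        }
    }
    return $findings;
}

// thumb.php is expected in avatars (post #1); attachments are assumed to be md5-named.
$report = array_merge(
    audit_upload_dir(__DIR__ . '/avatars', '/\.(jpe?g|png|gif)$/i', true, ['thumb.php']),
    audit_upload_dir(__DIR__ . '/attachments', '/^[0-9a-f]{32}(\.\w+)?$/', false)
);
echo implode(PHP_EOL, $report), PHP_EOL;
```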


                          #13
                          But chmod 755 or 775 can't be used for uploading files, only 777.



                            #14
                            Why are people so wicked.

                            @Jervy you mean till now you still can't delete the file?



                              #15
                              Already deleted.
