
1 Nov 12, 2007 23:17    

My b2evolution Version: 1.9.x

Someone went into my blog and was able to change pictures that were uploaded in the file manager via B2evolution.

I believe I am running 1.92

What can I do to prevent this in the future? One of the pictures had some Islamic writing on it. Luckily I discovered it now.

I need a fix real fast. How can I protect my uploaded pictures from being changed? This must be someone who knows B2evolution!

2 Nov 13, 2007 00:17

Storm_Law wrote:

My b2evolution Version: 1.9.x
This must be someone who knows B2evolution!

Not necessarily so. The pics are in the media folder and that folder is less protected than other folders. So at least in that folder they can see what pictures are in it. Don't you think they would change the text if they really had access to your blog?
Most likely the server has been hacked. I strongly advise you to change the password for your ftp connections and host access. Furthermore there is a possibility someone gained access through B2evo itself, so you should change those passwords also.

Since this is a serious issue, I advise you to contact your host. They may have log files to find out what went wrong.

Good luck

3 Nov 13, 2007 01:35

I don't know, they sure could have done lots of damage, but they were able to replace my pictures with their own pictures using the same name. That is what leads me to believe it came from B2evolution. Who knows.

I will look into it. I did delete the affected pictures and put the normal ones back on.

This is some scary stuff! I also backed everything up just in case!

4 Nov 13, 2007 01:40

Google for file permission. The media directory has a (possibly) 777 permission and perhaps the pictures themselves have a high permission also. That's the price you pay for being able to upload the pics from within B2evo. And because they only affected this folder, I am pretty sure nothing is wrong with B2evo itself. But I do not know what the vulnerability means and how they can exploit it.

Good luck

5 Nov 13, 2007 02:07

You can make the /media/ folder and all its subfolders 755, and any images in any of those folders can be 644... At least that removes write access from Group and Other...

jj.

6 Nov 13, 2007 02:55

Thanks I will CHMOD to 755 on the media folder!

7 Nov 13, 2007 03:05

The CHMOD to 755 made my file manager in B2 not work. The picture files are already 644.

8 Nov 13, 2007 04:13

Ah, ok, that might be an unwelcome side-effect... on my blog I upload photos via FTP just so that I can restrict the folder perms a little more than their default... For me, it's a worthwhile tradeoff as I have an FTP client on the same machine from which I access my blog...

jj.

9 Nov 13, 2007 08:26

I reuse my photos on the blog so the file manager really helps. I will see how things go and if necessary make the necessary changes to just use FTP.

I really do like the file manager!

10 Nov 13, 2007 20:02

That's a good example of bad PHP setups. If you need to have folders/files chmod'ed to 777/666, this is what can happen, if e.g. another user on the same server gets hacked: he has write access to your files then.

Please: make sure that your scripts are executed as your user and then permissions of 755/644 are alright (or 775/664). 777/666 is really bad and it's the X+1th time I'm telling this!
Yes, I know that most webhosts set this up crappy. But this is what you get then...
You may want to at least ask them about using suexec/running scripts as the user.
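
An added example, not part of the original thread or of b2evolution: a shell sketch of the check and fix discussed in posts 5 and 10. It lists everything under a media tree that group or other can write to, shows which uid owns the tree, and applies 755/644. The function names and the path passed as the first argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit and tighten permissions on a blog's media tree.
# Function names are this example's own, not b2evolution's.

# Print every file or directory under $1 that group or other may write to,
# e.g. 777 directories and 666 files.
audit_media() {
    find "$1" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print
}

# Numeric uid that owns $1. Compare it with the uid PHP runs as: if they
# differ, 755 stops the built-in file manager from writing uploads, which is
# why hosts that do not run scripts as the account owner push users to 777.
media_owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Apply the modes suggested in the thread: 755 on directories, 644 on files.
tighten_media() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# When called with a path, report only; tightening is a separate, explicit step.
if [ "$#" -gt 0 ]; then
    echo "owner uid: $(media_owner_uid "$1")"
    echo "writable by group/other:"
    audit_media "$1"
fi
```

Run it with the media directory as the argument to get the report, then call `tighten_media` on the same path once the host runs PHP as your own user.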

11 Nov 13, 2007 20:49

Yeah my host changed script process ownership a while back, which made it possible for me to CHMOD 755 on the media folder... (I still prefer to upload using ftp because I tend to upload batches of images at a time)...

My guess is that if they exploited your server once by that method, they'll do it again in the future... Perhaps looking for a better/more secure host is in order... but follow Blueyed's advice first and ask your host to adjust the way scripts are run, pointing out that their current method is insecure and adding to that the fact that you, a paying customer, were just hacked because of it...

jj.

12 Nov 14, 2007 01:19

I was hacked again!! They changed another picture of mine to something derogatory about America.

I just changed my FTP permissions to 755 on all Media/blog folders to see if this helps. I will just CHMOD back to 777 to upload a file when I need to.

I cannot believe this idiot came back again. This really concerns me.

