Author Topic: Download.php problems and core files  (Read 12759 times)


Offline khansahib

  • Full Member
  • Posts: 100
Download.php problems and core files
« on: August 13, 2010, 05:06:23 PM »
Hello,

I am getting a strange issue with my 4images gallery. First of all, a large number of core files were placed in the directory in which the gallery is installed. I contacted my hosting company; here is what they replied.


------------------------------------------------

The core files are created by PHP while executing the code in /home/gallery/public_html/download.php.
===============
[root@server themes]# gdb php core.14929 | grep Core
Core was generated by `/usr/bin/php /home/gallery/public_html/download.php'.
Quit
===============

We have turned off core dump in the server now. The OS will not generate any core files. For this we have added the following parameters in the system configuration file (/etc/sysctl.conf).
================
kernel.core_uses_pid = 0
kernel.core_pattern = /dev/null

[root@server themes]# ulimit -a
core file size (blocks, -c) 0
================

We would recommend contacting your PHP developer to check the PHP code. You can view the contents of the core file with the GNU Debugger ('gdb php <core file>') and check the cause of the core dump.
===============
[root@server ~]#gdb php /home/gallery/public_html/core.14929
(gdb) bt


---------------------------------------

The second issue is that my server is running the CSF firewall; here is what it detected.

--------------------------------------------

lfd on server: Suspicious process running under user gallery

Time:    Fri Aug 13 09:53:11 2010 -0500
PID:     9006
Account: gallery
Uptime:  124 seconds

Executable:

/usr/bin/php

Command Line (often faked in exploits):

/usr/bin/php /home/gallery/public_html/download.php

Network connections by the process (if any):

Files open by the process (if any):

Memory maps by the process (if any):

----------------------------------

I am running the latest version of 4images. And cache is enabled on the gallery.

Please Help.

Offline V@no

  • Global Moderator
  • 4images Guru
  • Posts: 17.849
Re: Download.php problems and core files
« Reply #1 on: August 13, 2010, 05:48:27 PM »
Was your download.php modified in any way (by you or not)? If it wasn't, then can you check the access logs and see how download.php was executed, with what parameters?
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline khansahib

  • Full Member
  • Posts: 100
Re: Download.php problems and core files
« Reply #2 on: August 13, 2010, 07:46:24 PM »
Thanks for your reply. Well, I have never edited the file; here is what I got from hosting support.


"This clearly indicates the occurrence of 'WEB_ATTACK/COMMAND_INJECTION' through this PHP code."

The CSF firewall is continuously notifying me about this issue.

Please suggest.

Offline V@no

  • Global Moderator
  • 4images Guru
  • Posts: 17.849
Re: Download.php problems and core files
« Reply #3 on: August 13, 2010, 08:56:06 PM »
Compare download.php and global.php with the unmodified versions.
If nothing is revealed, then the access log could possibly reveal something, at least what command they (if there is a "they") used.

Offline khansahib

  • Full Member
  • Posts: 100
Re: Download.php problems and core files
« Reply #4 on: August 14, 2010, 01:43:58 AM »
I compared download.php and global.php; nothing found.

Here is the response from hosting support.

------------------------------------------------------------------
Hello,

I am pasting the Apache error logs for the file '/home/gallery/public_html/download.php'
----------------------------------
$ grep 'download.php' /usr/local/apache/logs/error_log

[Mon Aug 09 09:28:27 2010] [error] [client 180.214.233.9] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "146"] [id "959006"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname ""] [uri "download.php"] [unique_id "TGAQi0PkFkIAAHC-CuoAAACe"]
[Mon Aug 09 09:28:49 2010] [error] [client 180.214.233.9] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "146"] [id "959006"] [msg "System Command Injection"] [data "; id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname ""] [uri "download.php"] [unique_id "TGAQoUPkFkIAAG0NgrcAAADK"]
----------------------------------

The code in '/home/gallery/download.php' is conflicting with the ModSecurity rule.
--------------------------------------
SecRule ARGS \
"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
--------------------------------------

Thank you,
Cathy T.
SoftLayer Support



Offline V@no

  • Global Moderator
  • 4images Guru
  • Posts: 17.849
Re: Download.php problems and core files
« Reply #5 on: August 14, 2010, 04:24:43 AM »
This doesn't tell me anything... it doesn't show what exactly matched that pattern...

Here is an example of what access logs might look like:
192.168.53.3 - - [13/Aug/2010:22:13:08 -0400] "GET /4images/1.7.8/download.php?image_id=83 HTTP/1.1" 200 63409 "http://192.168.52.2/4images/1.7.8/details.php?image_id=83" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ImageShackToolbar/5.2.4 ( .NET CLR 3.5.30729; .NET4.0C)"
192.168.53.3 - - [13/Aug/2010:22:13:10 -0400] "GET /4images/1.7.8/download.php?action=zip&image_id=83 HTTP/1.1" 200 63415 "http://192.168.52.2/4images/1.7.8/details.php?image_id=83" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ImageShackToolbar/5.2.4 ( .NET CLR 3.5.30729; .NET4.0C)"

But, perhaps access logs will not reveal anything...



1) Are there any other scripts running on your website? (We've had a few people report that their websites were hacked through 4images, but it turned out to be due to security holes in other software they had, WordPress mostly.)
2) Can you confirm that there are no suspicious files anywhere on your website?
3) You've said you are running the latest 4images version; do you mean the recently released v1.7.8? If it's v1.7.7, have you applied ALL bug fixes?
4) Is this happening often, or did it happen just once?
5) If it is happening often, try deleting download.php and see if this happens again.
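Added example (not 4images code, and not anything the hosting company ran): a small Python triage script that does what the replies above ask for, listing how download.php was called, with which parameters and from which User-Agent, and flagging requests that deserve a look. It assumes Apache "combined" log format as in the sample above; the log lines are constructed, and 203.0.113.9 is a documentation address, not the real client.

```python
"""Triage Apache access-log lines for requests to 4images' download.php."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, Apache "combined" format. The first two lines follow
# the access-log example in this thread; the last two model the "; id"
# User-Agent probe ModSecurity reported and a percent-encoded parameter.
SAMPLE_LOG = """\
192.168.53.3 - - [13/Aug/2010:22:13:08 -0400] "GET /4images/1.7.8/download.php?image_id=83 HTTP/1.1" 200 63409 "http://192.168.52.2/4images/1.7.8/details.php?image_id=83" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
192.168.53.3 - - [13/Aug/2010:22:13:10 -0400] "GET /4images/1.7.8/download.php?action=zip&image_id=83 HTTP/1.1" 200 63415 "http://192.168.52.2/4images/1.7.8/details.php?image_id=83" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
203.0.113.9 - - [09/Aug/2010:09:28:27 -0500] "GET /download.php?image_id=1 HTTP/1.1" 501 - "-" "Mozilla/4.0; id"
203.0.113.9 - - [09/Aug/2010:09:28:49 -0500] "GET /download.php?image_id=1%3Bid HTTP/1.1" 501 - "-" "Mozilla/4.0 (compatible)"
"""

# host ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A shell separator/operator followed by a typical recon or download command.
# A bare ';' is not enough on its own: every Mozilla User-Agent contains "; U;".
CMD_INJECT_RE = re.compile(
    r'(?:[;|`]|\$\(|&&)\s*(?:id|uname|whoami|wget|curl|cat|ls|echo|chmod|cmd(?:\.exe)?)\b'
    r'|`[^`]+`|\$\([^)]+\)',
    re.IGNORECASE,
)
# In a query parameter any separator is suspicious: image_id should be a number.
SHELL_META_RE = re.compile(r'[;|`]|\$\(')


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry['target'])
    entry['path'] = parts.path
    # parse_qs percent-decodes, so image_id=1%3Bid is seen as "1;id".
    entry['params'] = {k: v[0] for k, v in
                       parse_qs(parts.query, keep_blank_values=True).items()}
    return entry


def suspicious_reasons(entry):
    """List why this request deserves a look; an empty list means it looks normal."""
    reasons = []
    params = entry['params']
    if 'image_id' in params and not params['image_id'].isdigit():
        reasons.append('image_id is not numeric: %r' % params['image_id'])
    for name, value in params.items():
        if SHELL_META_RE.search(value):
            reasons.append('shell metacharacter in parameter %s: %r' % (name, value))
    if CMD_INJECT_RE.search(entry['ua']):
        reasons.append('command-like User-Agent: %r' % entry['ua'])
    if entry['status'] == '501':
        reasons.append('status 501: denied by the ModSecurity rules quoted in this thread')
    return reasons


def triage(log_text, script='download.php'):
    """Return every request for `script`, each with its parameters and reasons."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry['path'].endswith(script):
            continue
        entry['reasons'] = suspicious_reasons(entry)
        hits.append(entry)
    return hits


if __name__ == '__main__':
    for hit in triage(SAMPLE_LOG):
        flag = 'SUSPICIOUS' if hit['reasons'] else 'ok'
        print('%s %s [%s] %s' % (flag, hit['ip'], hit['time'], hit['params']))
        for reason in hit['reasons']:
            print('    -', reason)
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the two normal lines print as ok and the two probes are listed with the reason each was flagged.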

Offline khansahib

  • Full Member
  • Posts: 100
Re: Download.php problems and core files
« Reply #6 on: August 14, 2010, 02:15:23 PM »
1) Are there any other scripts running on your website? (We've had a few people report that their websites were hacked through 4images, but it turned out to be due to security holes in other software they had, WordPress mostly.)

>> Complete scan done; nothing found, everything seems up to date and OK.

2) Can you confirm that there are no suspicious files anywhere on your website?

>> Nothing.

3) You've said you are running the latest 4images version; do you mean the recently released v1.7.8? If it's v1.7.7, have you applied ALL bug fixes?

>> I have uploaded 1.7.8, which means it's the latest.

4) Is this happening often, or did it happen just once?

>> It was happening regularly and was using the CPU at its highest.

5) If it is happening often, try deleting download.php and see if this happens again.

>> Delete and then re-upload, or what?


Please help.

And here is something more from the hosting support.

========================================
     
Hello,

>>>Can you please explain why this happened?

Your site is using the PHP function "allow_url_fopen" for delivering the download requests. The PHP function "allow_url_fopen" enables the URL-aware fopen wrappers that allow accessing URL objects like files. Default wrappers are provided for access to remote files using the ftp or http protocol.

Enabling "allow_url_fopen" on the server makes it vulnerable to server hacks. However, installing the PHP extension Suhosin will help you in protecting the server from such vulnerabilities to some extent.

Please go through the following URL to know more about this:

---------
http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html
---------

Suhosin is already installed in the server.

----------
[root@server ~]# php -v
PHP 5.2.13 (cli) (built: Jul 10 2010 06:38:36)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
with eAccelerator v0.9.6.1, Copyright (c) 2004-2010 eAccelerator, by eAccelerator
with the ionCube PHP Loader v3.3.20, Copyright (c) 2002-2010, by ionCube Ltd., and
with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies
with Suhosin v0.9.31, Copyright (c) 2007-2010, by SektionEins GmbH <=====
[root@server ~]#
----------

Hence, I recommend that you disable "allow_url_fopen" on the server. You need to find an alternative to make the download option on the site work without "allow_url_fopen". I would suggest that you seek the assistance of your web developer for this task.

If you have any further queries regarding this, please get back to us.

Thank you for understanding.

Regards,
Derrick P
SoftLayer Support
===============================

With Regards.
« Last Edit: August 14, 2010, 04:42:48 PM by khansahib »

Offline V@no

  • Global Moderator
  • 4images Guru
  • Posts: 17.849
Re: Download.php problems and core files
« Reply #7 on: August 14, 2010, 09:48:15 PM »
>> Delete and then re-upload, or what?
No, I meant delete it and wait to see if core files appear again...


Now that they mentioned allow_url_fopen, search for any images that were added to your gallery with a remote URL (images not physically uploaded, only a URL to them submitted). I'd suggest you use [MOD] Batch Copy/Move/Edit Images v4.15.1 (2010-08-14) for this task (search for "/" without quotes in the "Image file contains" field).

Offline khansahib

  • Full Member
  • Posts: 100
Re: Download.php problems and core files
« Reply #8 on: August 15, 2010, 01:53:04 AM »
Quote
Now that they mentioned allow_url_fopen, search for any images that were added to your gallery with a remote URL (images not physically uploaded, only a URL to them submitted). I'd suggest you use [MOD] Batch Copy/Move/Edit Images v4.15.1 (2010-08-14) for this task (search for "/" without quotes in the "Image file contains" field).

No entries found.

Now the hosting support has disabled the creation of core files by doing the following.

====================================
We have turned off core dump in the server now. The OS will not generate any core files. For this we have added the following parameters in the system configuration file (/etc/sysctl.conf).
================
kernel.core_uses_pid = 0
kernel.core_pattern = /dev/null

[root@server themes]# ulimit -a
core file size (blocks, -c) 0
====================================

The core files are created by PHP while executing the code in /home/gallery/public_html/download.php.
===============
[root@server gallery]# gdb php core.14929 | grep Core
Core was generated by `/usr/bin/php /home/gallery/public_html/download.php'.
Quit
===============
We would recommend contacting your PHP developer to check the PHP code.


==========================

Please suggest.

With Regards.

Offline V@no

  • Global Moderator
  • 4images Guru
  • Posts: 17.849
Re: Download.php problems and core files
« Reply #9 on: August 15, 2010, 04:09:53 AM »
By any chance do you have these core files? Can I see them?

Just googled a bit about core files; so far I found references to "broken" binaries on the server that are crashing. 4images doesn't have any binaries, and download.php only uses the gzip module on the server, so I could only assume these core files are created when a visitor clicks on the download zip button. It doesn't look like someone is hacking your gallery - that's a relief :)

It's probably too late now, but could you confirm/deny my theory that core files are created only when the download zip button is clicked, and that a normal download is not causing this?


P.S.
http://www.simplemachines.org/community/index.php?topic=275760.0

Offline khansahib

  • Full Member
  • Posts: 100
Re: Download.php problems and core files
« Reply #10 on: August 15, 2010, 07:46:19 AM »
Here is the response from support once again:

Quote
>>It's probably too late now, but could you confirm/deny my theory that core files are created only when the download zip button is clicked, and that a normal download is not causing this?

Kindly note that core files are not generated when you click on the download zip button, but are created when some programs crash/fail.

A core file is an image of a process that is created by the operating system when the process terminates unexpectedly due to a segmentation fault. The file saves the current state of the process and its memory.

>>Do you think we should make some adjustments to the server? Also, the creation of core files has been disabled by the SoftLayer team. Refer to Ticket ------.

I could see that the core dump has been disabled in the ticket ------. Do you want to enable it now?

Awaiting your reply.

Thank you,
Lionel R.
SoftLayer Support

Offline khansahib

  • Full Member
  • Posts: 100
Re: Download.php problems and core files
« Reply #11 on: July 16, 2011, 10:32:13 AM »
Can anybody please post a suggestion on how to fix the core files issue? What I can see is a hell of a lot of core files in the directory where 4images is installed.