
Author Topic: upload.php exploit  (Read 11626 times)


twocups

  • Coppermine newbie
  • Posts: 4
upload.php exploit
« on: April 11, 2006, 10:16:16 am »

My box, running 1.4.4, has been rootkitted by an exploit in the upload.php file. Is this a known exploit? Who should I contact to share info?

« Last Edit: April 12, 2006, 04:22:49 pm by Nibbler »

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: upload.php exploit
« Reply #1 on: April 11, 2006, 10:30:49 am »

Post what type of files has been uploaded. Blind guess: you have fallen victim to the rar vulnerability that exists on outdated Apache webserver setups. This is not related to Coppermine, but a webserver vulnerability. Read the threads that deal with it: http://forum.coppermine-gallery.net/index.php?action=search2;search=rar
If this vulnerability doesn't apply to you, please contact me over PM, providing as many details as possible.

twocups

Re: upload.php exploit
« Reply #2 on: April 11, 2006, 11:11:40 am »

It's .gz, not .rar; same problemo, I expect. (PM sent)

Joachim Müller

Re: upload.php exploit
« Reply #3 on: April 12, 2006, 07:25:53 am »

You could have posted your PM publicly as well, as it doesn't contain sensitive information. Yes, imo you have been attacked using the same exploit that I referred to above.

twocups

Re: upload.php exploit
« Reply #4 on: April 12, 2006, 08:55:10 am »

Ok, here is my post for those interested. Something to watch out for.


Looks like RAR was attempted first: "Destroyer57.php.rar" in the userpics directory.

However, that file just downloads; it doesn't run. It's actually a .gz file that was uploaded ("a.php.gz"), which contains a copy of a rather nasty-looking phpRemoteViewer. For some reason mr hacker then installed a further file, "xp_publish.php", in the root directory - same software.

I'm running Apache 2.2 (is that outdated?!). I assume Apache is decompressing and running .gz files on the fly...

Nibbler

  • Guest
Re: upload.php exploit
« Reply #5 on: April 12, 2006, 04:11:05 pm »

2.2 is the latest version. Your server is set up to run anything that looks like a PHP script using PHP, regardless of the file extension.
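The behaviour described in the reply above (a PHP handler applied regardless of the final extension) can be audited for in an upload directory. The Python script below is an added example, not part of the original thread or of Coppermine's code; the extension list, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: the extensions this server maps to the PHP handler (site-specific).
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml"}
PHP_TAGS = (b"<?php", b"<?=")  # heuristic markers; binary data can match by chance


def php_extension_positions(filename):
    """Positions of PHP-mapped extensions in a name, plus the extension count.
    Apache's mod_mime looks at every dot-separated extension, not only the
    last one, so 'a.php.gz' still carries an extension mapped to PHP."""
    exts = filename.lower().split(".")[1:]  # drop the base name
    return [i for i, ext in enumerate(exts) if ext in PHP_EXTS], len(exts)


def classify(path, head_bytes=4096):
    """Return a finding string for one file, or None if nothing stands out."""
    hits, n_exts = php_extension_positions(os.path.basename(path))
    with open(path, "rb") as fh:
        head = fh.read(head_bytes)
    has_code = any(tag in head for tag in PHP_TAGS)
    if hits and hits[-1] < n_exts - 1:  # PHP extension hidden behind another one
        return "hidden-php-extension" + ("+php-code" if has_code else "")
    if hits:
        return "php-extension"
    return "php-code-in-other-file" if has_code else None


def scan_uploads(root):
    """Walk an upload tree and return {relative_path: finding}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict:
                findings[os.path.relpath(full, root)] = verdict
    return findings


if __name__ == "__main__":
    # Constructed samples: file names from the thread, harmless contents.
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"a.php.gz": b"<?php echo 'constructed'; ?>",
                           "Destroyer57.php.rar": b"Rar!", "photo.jpg": b"\xff\xd8\xff"}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        print(scan_uploads(root))
```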

twocups

Re: upload.php exploit
« Reply #6 on: April 12, 2006, 04:19:38 pm »

Yeah, I'll have a look at that. See if it can brew beer without being asked to!

Thanks for your help all,

James