Thing is Hein, in order for the 142739_298w3.zip file to be placed on the compromised machine, the hack to gain entry would already have taken place - if you see what I mean?
In our case, the Apache logs indicate that at exactly the time the various files on my system were altered, a known hacking machine with the IP 91.76.23.21 was communicating with certain key Coppermine files on my server (extraneous and irrelevant log entries removed for clarity):
91.76.23.21 - - [08/Apr/2008:18:03:12 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30007 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:16 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22625 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:18 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 68582 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:03:12 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30007 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:23 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22515 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:28 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22414 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
Another interesting fact in our case is that I limit the files that the webserver can write to on a "need to write" basis. This means that only those files to which the web server had write access were modified. It means my cleanup will be reasonably straightforward. It also means that the files update.php, upload.php & admin.php are all unaltered and exactly the same as the originals. Yet the log evidence suggests that it was these files that the hackers exploited in order to get access to my server in order to place the 142739_298w3.zip file on the server in the first place.
Again, this is not concrete proof but it may be another clue? What are your thoughts?
Meantime, I'll keep digging and report back if I come up with anything that might be helpful to you guys.
Best wishes, G.
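As an added example (not part of G.'s post and not Coppermine code), the following Python script does the correlation G. did by hand: it parses Apache combined-format lines like the six quoted above (embedded inline so it runs offline), keeps the requests that fall within a window around a file's modification time, and counts them by source IP, method and path so that POSTs to upload/admin scripts stand out. The modification time and window size used below are assumed values, not taken from the post.

```python
"""Correlate Apache combined-log requests with a file-modification time."""
import re
from collections import Counter
from datetime import datetime

# The six log lines quoted in the post above, embedded so the script is self-contained.
SAMPLE_LOG = """\
91.76.23.21 - - [08/Apr/2008:18:03:12 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30007 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:16 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22625 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:18 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 68582 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:03:12 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30007 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:23 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22515 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:28 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22414 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 08/Apr/2008:18:03:12 +0100


def parse_ts(text):
    """Parse an Apache timestamp (with its UTC offset) into an aware datetime."""
    return datetime.strptime(text, TS_FMT)


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = parse_ts(entry["ts"])
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def parse_log(text):
    """Parse every well-formed line of a log; malformed lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def requests_near(entries, mtime, window_seconds=300):
    """Keep requests whose timestamp lies within +/- window_seconds of a file's mtime."""
    return [e for e in entries if abs((e["ts"] - mtime).total_seconds()) <= window_seconds]


def count_by_source(entries):
    """Count requests per (ip, method, path); repeated POSTs to one script stand out."""
    return Counter((e["ip"], e["method"], e["path"]) for e in entries)
```

Run it against the full access log with the real mtime of the altered file (from `stat`) to see which source addresses and scripts were active in that window.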