Back up ALL files that reside on your webhost to your client PCNo matter what security hole the attacker has used to break into your site, the payload of the hack (i.e. the files that the attacker has tampered with or created) might reside all over your site - even outside your gallery folder. Therefore, you'll need to make a backup of
all of the files that reside on your webspace, even the files that reside outside of your webroot (one level up).
So you better use your FTP app (use a real FTP app, not a lame crutch like a web FTP application or something built into your editor) and start the backup. Depending on the amount of files on your webserver and your connection speed, this may take some time. You better use an FTP app that is capable of re-connecting and continuing the backup even if it gets interrupted. The coppermine dev team recommends FileZilla or Smart FTP (see "
Tools recommended by the devs").
As a target for the backup, create a new folder on your desktop PC, e.g.
c:\working_copy\ - I'll refer to that folder name in this thread accordingly.
For this article I will asume that your coppermine gallery doesn't reside in your webroot, but within a sub folder named "coppermine", so your gallery URL is
http://your_site.tld/coppermine/. Subsequently, your actual coppermine files in your working copy should reside in
c:\working_copy\coppermine\. It doesn't matter if this is not the case for you - probably, the folder is named differently or your gallery resides in the web root - I just needed a naming scheme in this article to follow; make the changes accordingly. Please note: I'm not suggesting that you rename your gallery's URL or the folder names of your local copy: keep them as they are. I'll just refer to the folders in this article accordingly.
We will use the folder
c:\working_copy\ as a working copy (i.e. we will later modify the files that reside in that folder), so you should make a copy of that folder to another location to keep a forensic copy in case you need it later. That second copy should reside in a safe place - you might even burn it to a CD or DVD. You're welcome to store it inside a ZIP archive. For this article, I'll assume that you have stored this copy in
c:\forensic_backup\