News:

cpg1.5.46 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter recently discovered vulnerabilities. It is important that all users who run version cpg1.5.44 or older update to this latest version as soon as possible.


Topic: Website with 1.5.12 ecard hack by .RU 188.143.232.*


dreimer (Coppermine novice)
Website with 1.5.12 ecard hack by .RU 188.143.232.*
« on: February 03, 2017, 11:32:58 am »

My site running 1.5.12 has experienced an ecard hack by .RU 188.143.232.*

Initially there were 100-200 bogus emails sent via ecards daily
I was able to delete them and ban the individual IP address

Then the hacker / spammer was able to disable adding new files and new albums

Has this been the reason for any of the security upgrades?
Or is this a new breach via mysql?

Phill Luckhurst (Administrator)
Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
« Reply #1 on: February 03, 2017, 01:28:50 pm »

We cannot tell without extensive investigation exactly how the hacker gained access. It could be the very old version of Coppermine you are running, which is why we work hard to keep the package up to date. It could be some other vulnerability on your system, but like I say, without doing extensive investigations we could not tell. Having said that, the version you are running has a number of issues that have since been fixed. As is often the case, when a security issue arises, it is usually published on numerous online resources. The hackers then see these and begin searching for vulnerable sites. Running an old version of any server-side software substantially increases your risk of attack.
It is a mistake to think you can solve any major problems just with potatoes.

dreimer (Coppermine novice)
Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
« Reply #2 on: February 03, 2017, 01:57:38 pm »

My site is 5 GB, 363 albums and 78,000 files

5 years ago the site was about 10% the current size and I had to migrate each album manually, which took a month
There was no way I was going to do upgrades 2 or 3 times a year

Your advice about easy migrations is completely unrealistic for large sites like mine.
I have a website developer background using HTML and not PHP and not mysql.

Surely the exposure of organized Russian hacking of Coppermine should have been identified by now?

Phill Luckhurst (Administrator)
Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
« Reply #3 on: February 03, 2017, 02:07:59 pm »

Upgrading does not require moving any albums. It is a simple and relatively fast process. Only the core coppermine files need replacing and a small script running.

Many hacks have been identified, hence the later releases of CPG. CPG 1.5.12 was released in Jan 2011, 6 years ago. A lot has changed since then and many hacks have been identified and fixed.

dreimer (Coppermine novice)
Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
« Reply #4 on: February 03, 2017, 07:31:26 pm »

More analysis of the ecard log shows there were two different Russian hackers involved in submitting bogus emails

My site running 1.5.12 has experienced another ecard hack by .RU 46.161.9.*
This one submitted adverts for legal drugs: 200 - 300 emails per day

The ecard hack by .RU 188.143.232.* submitted emails to random users: ~5000 per day
This has resulted in the site being shutdown for spamming!  :'( :'(  :'(
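Worked example, added here (my own code, not Coppermine's and not anything dreimer posted): given an export of the ecard log like the one dreimer analysed, count sends per day per source /24 rather than per address. A spammer hopping between hosts inside one range is exactly why banning a single IP did not hold, and the per-range view shows which ranges are spam runs and how many hosts each used. The result is turned into an Apache 2.4 deny block for the whole range. The sample rows are constructed, the column names are an assumption about the export format, and the IPv6 /64 handling goes beyond what the thread discusses.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of an ecard-log export. The rows are made up for this
# example and the column names are an assumption, not Coppermine's schema.
SAMPLE_LOG = """sent_at,sender_ip,sender_email,recipient_email
2017-02-01 09:14:02,188.143.232.15,promo1@example.ru,u100@example.net
2017-02-01 09:14:09,188.143.232.15,promo1@example.ru,u101@example.net
2017-02-01 09:14:17,188.143.232.77,promo2@example.ru,u102@example.net
2017-02-01 09:14:25,188.143.232.77,promo2@example.ru,u103@example.net
2017-02-01 09:14:40,188.143.232.203,promo3@example.ru,u104@example.net
2017-02-01 10:02:11,203.0.113.8,alice@example.org,bob@example.org
2017-02-02 03:30:01,46.161.9.21,pills@example.ru,u200@example.net
2017-02-02 03:30:05,46.161.9.21,pills@example.ru,u201@example.net
2017-02-02 03:30:12,46.161.9.30,pills@example.ru,u202@example.net
2017-02-02 11:45:59,198.51.100.4,carol@example.com,dave@example.com
"""

Key = Tuple[str, str]  # (day, sender network in CIDR form)


def sender_network(ip: str) -> str:
    """Collapse a sender address to its /24 (IPv4) or /64 (IPv6) block, so a
    spammer rotating through hosts in one range is counted as one source."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def aggregate(log_text: str) -> Dict[Key, dict]:
    """Per (day, network): cards sent, distinct sending hosts, distinct recipients."""
    stats: Dict[Key, dict] = defaultdict(
        lambda: {"count": 0, "hosts": set(), "recipients": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["sent_at"][:10], sender_network(row["sender_ip"]))
        s = stats[key]
        s["count"] += 1
        s["hosts"].add(row["sender_ip"])
        s["recipients"].add(row["recipient_email"].lower())
    return dict(stats)


def abusive_sources(log_text: str, max_per_day: int) -> List[Tuple[str, str, int, int, int]]:
    """(day, network, cards, hosts, recipients) for every network that sent at
    least max_per_day cards in one day. A real visitor sends a handful; a run
    of hundreds to thousands of distinct recipients from one range is a relay."""
    out = []
    for (day, net), s in aggregate(log_text).items():
        if s["count"] >= max_per_day:
            out.append((day, net, s["count"], len(s["hosts"]), len(s["recipients"])))
    return sorted(out)


def ban_list(log_text: str, max_per_day: int) -> List[str]:
    """Networks to block, deduplicated across days."""
    return sorted({net for _, net, _, _, _ in abusive_sources(log_text, max_per_day)})


def htaccess_fragment(networks: List[str]) -> str:
    """Apache 2.4 rules denying the listed ranges the whole gallery directory.
    Assumption: Apache 2.4 'Require' syntax, placed in the gallery's .htaccess."""
    lines = ["<RequireAll>", "  Require all granted"]
    lines += [f"  Require not ip {n}" for n in networks]
    lines.append("</RequireAll>")
    return "\n".join(lines)
```

With a threshold of a few cards per day the sample flags 188.143.232.0/24 (five cards from three hosts to five different recipients) and 46.161.9.0/24 (three cards from two hosts), while the two ordinary senders are not touched. On a real export the threshold would be set from the site's normal daily volume. Denying a whole /24 also denies any legitimate visitors in it, which is acceptable for a temporary block while the spam run is live but is not a substitute for fixing the ecard form itself.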

Phill Luckhurst (Administrator)
Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
« Reply #5 on: February 04, 2017, 07:32:16 am »

I am sure Gmc can help you fix it. Hopefully once it is fixed you can keep your install up to date. Take a look at the docs and feel free to ask questions about upgrading when you need to. A basic cpg install, no matter how many albums and images, should only take a few minutes to update.
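The upgrade Phill describes in replies #3 and #5 (replace only the core files, leave the data alone, run the update script) as an added worked example; this is my own illustration, not Coppermine's tooling. It assumes a stock 1.5.x layout where the site's data lives in albums/ and include/config.inc.php, and the demo() fixture is a constructed miniature install, not a real gallery. The database dump is deliberately left outside the script.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Paths (relative to the gallery root) holding the site's own data rather than
# Coppermine core code; a release copy must never overwrite them.
# Assumption: stock 1.5.x layout. A site with a custom theme or plugin
# directory adds it here.
PRESERVE = ("albums", "include/config.inc.php")


def _preserved(rel: Path) -> bool:
    rel_s = rel.as_posix()
    return any(rel_s == p or rel_s.startswith(p + "/") for p in PRESERVE)


def backup_site(gallery: Path, backup_root: Path) -> Path:
    """Copy the whole install (code, config, albums) before touching it.
    backup_root must lie outside the gallery. The database needs its own
    dump (mysqldump); this covers files only."""
    dest = backup_root / (gallery.name + ".bak")
    shutil.copytree(gallery, dest)
    return dest


def replace_core_files(gallery: Path, release: Path) -> List[str]:
    """Copy every file in the unpacked release over the install, skipping the
    preserved data paths. Returns the relative paths written."""
    written: List[str] = []
    for src in sorted(p for p in release.rglob("*") if p.is_file()):
        rel = src.relative_to(release)
        if _preserved(rel):
            continue
        dst = gallery / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        written.append(rel.as_posix())
    return written


def leftover_files(gallery: Path, release: Path) -> List[str]:
    """Non-data files in the install that the new release no longer ships.
    Anything left under the web root stays reachable over HTTP, so these are
    listed for review and removal rather than silently kept."""
    shipped = {p.relative_to(release).as_posix()
               for p in release.rglob("*") if p.is_file()}
    leftovers = []
    for p in gallery.rglob("*"):
        rel = p.relative_to(gallery)
        if p.is_file() and not _preserved(rel) and rel.as_posix() not in shipped:
            leftovers.append(rel.as_posix())
    return sorted(leftovers)


def upgrade(gallery: Path, release: Path, backup_root: Path) -> Dict[str, object]:
    backup = backup_site(gallery, backup_root)
    written = replace_core_files(gallery, release)
    return {"backup": backup, "written": written,
            "leftovers": leftover_files(gallery, release)}


def demo() -> Dict[str, object]:
    """Constructed fixture: a tiny 'old' install and 'new' release in a temp
    directory, showing what survives the copy and what is replaced."""
    root = Path(tempfile.mkdtemp())
    gallery, release, backups = root / "gallery", root / "release", root / "backups"
    for d in (gallery / "include", gallery / "albums" / "userpics",
              release / "include", backups):
        d.mkdir(parents=True)
    (gallery / "index.php").write_text("old core")
    (gallery / "include" / "config.inc.php").write_text("site config")
    (gallery / "albums" / "userpics" / "photo.jpg").write_bytes(b"jpeg")
    (gallery / "oldscript.php").write_text("dropped from later releases")
    (release / "index.php").write_text("new core")
    (release / "update.php").write_text("update script")
    (release / "include" / "config.inc.php").write_text("release default")
    result = upgrade(gallery, release, backups)
    return {
        "written": result["written"],
        "leftovers": result["leftovers"],
        "index": (gallery / "index.php").read_text(),
        "config": (gallery / "include" / "config.inc.php").read_text(),
        "photo_kept": (gallery / "albums" / "userpics" / "photo.jpg").exists(),
        "backup_index": (Path(result["backup"]) / "index.php").read_text(),
    }
```

In the demo the core file is replaced, the site's config and the album data are untouched, the pre-upgrade copy still holds the old core, and the one script the release no longer ships is reported rather than left on the web root. Dump the database first (mysqldump with --single-transaction is enough for a MySQL gallery), then run the release's update script in the browser, which is the step Phill calls "a small script"; the Coppermine docs name it update.php, which this example treats as an assumption.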

dreimer (Coppermine novice)
Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
« Reply #6 on: February 07, 2017, 11:55:39 am »

My site Thai-NL.com/gallery/ has been updated ;D (NSFW)
We'll see if the .ru guys can get back in  :-[
« Last Edit: February 07, 2017, 02:13:51 pm by Joe Carver »

Joe Carver (Dev Team member, aka 'i-imagine')
Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
« Reply #7 on: February 07, 2017, 02:17:26 pm »

The previous post was edited to mark your site as NSFW = Not Safe For Work.

Without any captcha or other protection, it will be easy for someone to abuse the ecard feature...
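Added example of the "other protection" Joe mentions; this is my own code, not Coppermine's. It is a sliding-window send limit keyed on the sender's /24 (or /64 for IPv6), to be called wherever the ecard handler would otherwise hand the card to the mailer. The hook point, the tiers (20 per hour, 50 per day) and the replayed traffic (5000 cards in one day from hosts spread over one /24, the volume dreimer reported, plus two ordinary senders) are assumptions and constructed data.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


def source_key(ip: str) -> str:
    """Budget per /24 (IPv4) or /64 (IPv6), not per address: a sender that
    rotates hosts inside one range still draws on one allowance."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class EcardThrottle:
    """Sliding-window limits per source range, e.g. 20 cards per hour and
    50 per day. allow() records a send only when it is permitted, so refused
    attempts do not extend the penalty."""

    def __init__(self, tiers: List[Tuple[int, float]]) -> None:
        self.tiers = list(tiers)                 # [(limit, window_seconds), ...]
        self._longest = max(w for _, w in self.tiers)
        self._sent: Dict[str, Deque[float]] = defaultdict(deque)
        self.refused: Dict[str, int] = defaultdict(int)

    def allow(self, ip: str, now: float) -> bool:
        key = source_key(ip)
        q = self._sent[key]
        while q and now - q[0] >= self._longest:  # drop sends older than every window
            q.popleft()
        for limit, window in self.tiers:
            if sum(1 for t in q if now - t < window) >= limit:
                self.refused[key] += 1
                return False
        q.append(now)
        return True


def simulate_spam_run(tiers=((20, 3600.0), (50, 86400.0))) -> Dict[str, object]:
    """Constructed replay: 5000 cards evenly over one day from hosts spread
    across 188.143.232.0/24, plus two ordinary senders from other ranges."""
    throttle = EcardThrottle(list(tiers))
    step = 86400.0 / 5000
    spam_allowed = 0
    for i in range(5000):
        host = f"188.143.232.{1 + (i * 7) % 254}"  # hop between addresses in the range
        if throttle.allow(host, i * step):
            spam_allowed += 1
    legit = [throttle.allow("203.0.113.8", 5000.0),
             throttle.allow("198.51.100.4", 7000.0)]
    return {
        "spam_allowed": spam_allowed,
        "spam_refused": throttle.refused[source_key("188.143.232.1")],
        "legit_allowed": all(legit),
    }
```

In the replay the range gets its first 20 cards out, another 20 an hour later, and ten more before the daily cap closes it for the rest of the day: 50 delivered instead of 5000, while the two ordinary senders are unaffected. Because the budget is shared by everyone in a /24, keep the numbers generous for real visitors and pair the limit with a captcha on the form; the limit caps the damage, the captcha stops the run.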

dreimer (Coppermine novice)
Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
« Reply #8 on: February 09, 2017, 10:01:23 am »

It turns out that my few remaining Coppermine sites are still running 1.4.xx
They too were hacked via the ecard facility from Russian websites 10 years ago

I have deleted all the bogus emails, which required mods to Coppermine db_ecard.php and wasted a lot of my time  >:(
I have now removed ecards from my sites via Groups disable, which I should have done a long time ago  :'(


Phill Luckhurst (Administrator)
Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
« Reply #9 on: February 09, 2017, 12:16:08 pm »

Hopefully you can upgrade those sites too, there are some other entry points which could be used if you do not.