Print

[chkla]

Yesterday the copperminepart of my site was intruded.

For the second time in 2 weeks, by the same source I think, because the files I saw were rather equal.
 
An image-directory was added with sexcontent, a number of critical files in the include-directory were replaced like:
init.inc.php, themes.inc.php, update.inc.php, functions.inc.php
Strange enough this time also the whole doc-directory was replaced, which was't the fact last time.

The whole intrusion didn't have the objected result, I think, because entering the coppermine part of my site you got an error message ( on line 173 it was I believe).

So there seems to be a real security issue in this version of coppermine(4.1.19).

My question: is it already known? are you working on it? what do you want to know from me to be helpful for you?

Kind regards,

Chris P. van der Klauw

[Joachim Müller]

There is no known security vulnerability. Please post a link to your gallery, the server's access log that you're refering to and a sample of the files that were changed. Please post as well what other apps you're using on your server and what type of hosting contract you have (shared hosting, dedicated server etc.).

[chkla]

I'm not quite happy to publish this in public, but there seems to be no other way

on this url you will find the plesk logfiles of my application
http://www.west-papua.nl/leeg.htm
on sept 1. it was around midnight, so the logfiles of the 2nd are also available
And on the 14th it was between 11:30 and noon
You see records with HEAD were it happened.

My copperminepart of the website you can find under:
http://www.west-papua.nl/cop148/index.php

This evening I will look for the effected files of yesterday, but I'm quite sure that I have thrown them away completely.
The image-directory was a kind of exploding so I was afraid for a virus and stopped the downloading.
But maybe I have some of the files of September 2nd and I'll put them in the same place as the logfiles.

I have shared hosting in a plesk surrounding and furthermore on the same server you can find Merak and PHPBB installed.

Hope this will help you further
If you would need some server logs you have to specify more what exactly you're looking for

Kind regards, Chris

[Joachim Müller]

What coppermine version have you been on when you first noticed the incident? It looks like you have been on cpg1.4.14 by then when the infection happened and upgraded as a result of the infection. Is this the case? Are you 100% sure that you have closed all possible backdoors after upgrading and sanitizing?

[chkla]

I'm a little bit puzzled by what you say. I don't know on what you came to this conclusion.
After the first intrusion I was a little bit shocked because it came on a absolute wrong moment.
And I just looked for a surrounding that was working. It could be that I then used files from version .14 to restore a working environment.
I updated fully to .19 on the 16. of August.

[Joachim Müller]

http://www.west-papua.nl/temp_folder/init.inc.php_verpest.txt is not infected - it's a vanilla file.

Could you please show us the code of an infected file?

[chkla]

Joachim,

sorry for the delay. I have made thoroughly investigation after your input and found out that the hacking was not caused by a leak in coppermine. Sorry for that.
The intruder not only had changed the coppermine files I mentioned, but also all sourcecodes of the html-files in the website and he has added directories with a bunge of sex-images.
It was a complete network of websites he hacked and changed all over the world. I warned as many webowners as I could reach.
I changed all my passwords because he has problably caught the ftp-inlogcodes by listening internettraffic.

Thanx for your attention and sorry for the trouble I caused.

Kind regards, Chris