forum.coppermine-gallery.net

No Support => General discussion (no support!) => Topic started by: sion3000 on December 21, 2004, 10:28:21 pm

Title: Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]
Post by: sion3000 on December 21, 2004, 10:28:21 pm
Hi

I went onto my Coppermine photo gallery today and I was shocked to notice that instead of taking me to the usual front page, it gave me a message :'(:
========
This site is defaced!!!

--------------------------------------------------------------------------------

NeverEverNoSanity WebWorm generation 16.

Fatal error: Call to undefined function: breadcrumb() in /files/home/sion3000/Coppermine/index.php on line 118
========

It gets almost the same error if you click a different link to get into the gallery.

The web site is: www.coolshots.co.uk and you can access the gallery by clicking any of the photos or by clicking Photo Gallery at the top of the page.
Direct link to the gallery is: www.coolshots.co.uk/Coppermine

I have had a quick look in the code but I am not an expert, not even a novice really. Everything looks normal. I'm currently running version 1.2.1 ???


All ideas and solutions welcome.


Thanks and have a merry xmas.

Sion

[edit GauGau]
Changed this thread's subject from Need some advice with my coppermine gallery please to Security threat: "This site is defaced" [NeverEverNoSanity WebWorm] and made it a sticky.
[/edit]
Title: Re: Need some advice with my coppermine gallery please
Post by: kegobeer on December 21, 2004, 10:31:22 pm
Sounds like this:

http://forum.coppermine-gallery.net/index.php?topic=12803.0

We are aware of this worm.  Please read the above post.
Title: Re: Need some advice with my coppermine gallery please
Post by: kegobeer on December 21, 2004, 10:34:05 pm
You can also read this:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046
Title: Re: Need some advice with my coppermine gallery please
Post by: Tranz on December 21, 2004, 11:54:02 pm
@sion3000, are you running a phpbb forum older than 2.0.11? I'm just trying to see if there is a pattern.
Title: Re: Need some advice with my coppermine gallery please
Post by: sion3000 on December 22, 2004, 12:00:47 am
I'm only running the Coppermine Gallery, no forums or anything else.
At the moment I'm trying to find out what version of PHP the server uses where my site is hosted.

Thanks
Title: Re: Need some advice with my coppermine gallery please
Post by: Tranz on December 22, 2004, 12:20:26 am
In coppermine, go to Admin Tools / phpinfo. It will tell you your php version.
Title: Re: Need some advice with my coppermine gallery please
Post by: sion3000 on December 22, 2004, 12:35:01 am
Hello again, well I've just been talking to my contacts at my ISP and they are telling me they have been hit by the worm, it's managed to get into the main server and overwrite everyone's php files, to some extent apart from phpbb.

So I'm gonna start looking for my backups!

Thanks for everyone's help. I think we can pretty much call this one solved!

Thanks
Hope everyone has a great xmas and a happy new year!
Title: Re: Need some advice with my coppermine gallery please
Post by: gibblesmg on December 22, 2004, 03:55:31 am
To my surprise I too have had the defaced page replace my photo gallery. I talked to my ISP who indicated that PHP 4.3.8 was safe so I rebuilt my gallery again. Only within 4 hours to have it shut down. I am not a PHP pro. Please help.
Title: Re: Need some advice with my coppermine gallery please
Post by: Aditya Mooley on December 22, 2004, 06:22:28 am
[quote gibblesmg]
To my surprise I too have had the defaced page replace my photo gallery. I talked to my ISP who indicated that PHP 4.3.8 was safe so I rebuilt my gallery again. Only within 4 hours to have it shut down. I am not a PHP pro. Please help.
[/quote]
The only solution to this is to upgrade to PHP 4.3.10 or more.
Title: Re: Need some advice with my coppermine gallery please
Post by: Hein Traag on December 22, 2004, 11:38:48 am
Additional info on the virus itself can be found here.

http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html
Title: Re: Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]
Post by: djcrash on December 23, 2004, 11:54:22 pm
Understand I help to handle (to settle) from this hold-down problem 3.4.10 entirely PHP? If I write it for administrator so e-mail.
Please, < ask > about answer.
Title: Re: Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]
Post by: Joachim Müller on December 24, 2004, 12:46:10 am
 ???
Title: Re: Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]
Post by: jack on December 26, 2004, 10:57:34 pm
Versions of the worm will deface any site it can find on a server. If someone else on your server has a vulnerable version of phpBB, and other countermeasures are not implemented by your server host, your site will be defaced through no fault of your own.

A newer version of the worm will install an IRC controlled DDOS bot instead (or as well as, I'm not sure yet) of defacing sites.

The worm will try any and every php file it can find even though they are not necessarily phpBB. This will push your bandwidth usage through the roof. To guard against that, you can either edit each and every PHP file to just abort when it gets queried by the worm (easier said than done) or if your host has mod_rewrite (most Apache installations do), put the following into a .htaccess file :-

Code:
        RewriteEngine On

        # Answer 403 Forbidden to any request whose raw query string contains the worm's command marker
        RewriteCond  %{QUERY_STRING} &cmd=cd%20/tmp;
        RewriteRule  .* - [F,L]

This will block the three variants that I am aware of. I will update this if needed as time progresses.

Although this worm only affects phpBB, I would not consider php 4.3.8 'safe'. Hosts need to patch the problems in earlier versions or upgrade to 4.3.10
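
An added example, not part of the original post or of Coppermine: a Python log check that applies the same query-string marker as the rewrite rule above to an Apache access log. It reports which PHP files were probed, how many bytes those requests cost, and whether they were served or answered with 403 once the rule is in place. The log lines, IP addresses and paths are constructed sample data, and the common/combined log format is an assumption.

```python
import re
from collections import defaultdict

# Marker copied from the RewriteCond above. It is matched against the raw
# (not URL-decoded) query string, which is what %{QUERY_STRING} holds.
MARKER = "&cmd=cd%20/tmp;"

# host ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines: documentation IP ranges and made-up paths.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Dec/2004:22:01:10 +0000] "GET /gallery/index.php?cat=2 HTTP/1.1" 200 18211
198.51.100.7 - - [26/Dec/2004:22:01:12 +0000] "GET /gallery/index.php?cat=2&cmd=cd%20/tmp; HTTP/1.0" 200 18340
198.51.100.7 - - [26/Dec/2004:22:01:13 +0000] "GET /gallery/thumbnails.php?album=5&cmd=cd%20/tmp; HTTP/1.0" 200 9120
203.0.113.44 - - [26/Dec/2004:23:15:40 +0000] "GET /gallery/index.php?cat=2&cmd=cd%20/tmp; HTTP/1.0" 403 291
this line is malformed and must be skipped
"""


def summarize(log_text, marker=MARKER):
    """Per requested script: marker requests served vs. blocked (403), and bytes sent."""
    stats = defaultdict(lambda: {"served": 0, "blocked": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        path, _, query = m.group("target").partition("?")
        if marker not in query:
            continue  # ordinary traffic
        entry = stats[path]
        entry["blocked" if m.group("status") == "403" else "served"] += 1
        if m.group("bytes") != "-":
            entry["bytes"] += int(m.group("bytes"))
    return dict(stats)


if __name__ == "__main__":
    for script, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{script}: served={s['served']} blocked={s['blocked']} bytes={s['bytes']}")
```

A non-zero "served" count after the .htaccess rule is deployed means some directory is not covered by it.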