forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: twocups on April 11, 2006, 10:16:16 am

Title: upload.php exploit
Post by: twocups on April 11, 2006, 10:16:16 am
My box, running 1.4.4, has been rootkitted by an exploit in the upload.php file. Is this a known exploit? Who should I contact to share info?

Title: Re: upload.php exploit
Post by: Joachim Müller on April 11, 2006, 10:30:49 am
Post what type of files have been uploaded. Blind guess: you have fallen victim to the rar vulnerability that exists on outdated apache webserver setups. This is not related to coppermine, but a webserver vulnerability. Read the threads that deal with it: http://forum.coppermine-gallery.net/index.php?action=search2;search=rar
If this vulnerability doesn't apply to you, please contact me over PM, providing as many details as possible.

Title: Re: upload.php exploit
Post by: twocups on April 11, 2006, 11:11:40 am
It's .gz, not .rar; same problemo I expect. (PM sent)

Title: Re: upload.php exploit
Post by: Joachim Müller on April 12, 2006, 07:25:53 am
You could have posted your PM publicly as well, as it doesn't contain sensitive information. Yes, imo you have been attacked using the same exploit that I referred to above.

Title: Re: upload.php exploit
Post by: twocups on April 12, 2006, 08:55:10 am
Ok, here is my post for those interested. Something to watch out for.
Looks like RAR was attempted first "Destroyer57.php.rar" in the userpics directory.

However, that file just downloads, it doesn't run. It's actually a .gz file that was uploaded ("a.php.gz") which contains a copy of a rather nasty looking phpRemoteViewer. For some reason Mr hacker then installed a further file "xp_publish.php" in the root directory, same software.

I'm running apache 2.2 (is that outdated?!). I assume apache is decompressing and running .gz files on the fly...

Title: Re: upload.php exploit
Post by: Nibbler on April 12, 2006, 04:11:05 pm
2.2 is the latest version. Your server is set up to run anything that looks like a php script using php, regardless of the file extension.
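As an added illustration of the misconfiguration Nibbler describes (not part of the original thread and not Coppermine's own configuration), here is the usual weak Apache 2.2 mod_php handler mapping beside a corrected form that only applies when ".php" is the final extension. The upload directory path is an assumption for this example.

```apache
# Before (weak): mod_mime treats every dot-separated part of a filename as
# an extension, so this line also fires for "a.php.gz" and
# "Destroyer57.php.rar" and hands them to the PHP engine. Remove it.
#AddHandler application/x-httpd-php .php

# After (corrected): run PHP only when ".php" is the last extension.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Defence in depth for the gallery's upload directory (path assumed for
# this example): switch the PHP engine off there so nothing an uploader
# places in it is executed server-side, whatever it is named.
<Directory "/var/www/gallery/albums/userpics">
    php_admin_flag engine off
</Directory>
```

After reloading Apache, a harmless text file named test.php.gz placed in the upload directory should be returned as a plain download rather than executed.
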
Title: Re: upload.php exploit
Post by: twocups on April 12, 2006, 04:19:38 pm
Yeah, I'll have a look at that. See if it can brew beer without being asked to!

Thanks for your help all,

James