forum.coppermine-gallery.net

Support => Older/other versions => cpg1.3.x Support => Topic started by: Kursk on December 25, 2006, 04:15:27 am

Title: PHP Bulk Emailer in my userpic directory
Post by: Kursk on December 25, 2006, 04:15:27 am
Got notified today that my account was suspended. After some investigation, it happens that someone had uploaded a PHP bulk e-mailer into my userpic directory and started sending out eBay phishing scams.

PHP Bulk Emailer
From NukedWeb
http://www.nukedweb.com/
tim@nukedweb.com

How this happened I still can't figure out.
Any thoughts (besides the fact that it is an old cpg 1.3.1)?
Title: Re: PHP Bulk Emailer in my userpic directory
Post by: Tarique Sani on December 25, 2006, 09:53:50 am
Any thoughts (besides the fact that it is an old cpg 1.3.1)?
None needed whatsoever :)
Title: Re: PHP Bulk Emailer in my userpic directory
Post by: Kursk on December 25, 2006, 07:21:20 pm
None needed whatsoever :)
Thanks. I take it to mean once it's updated to cpg1.4.10 (which I did last night) I don't need to be worried anymore?
Title: Re: PHP Bulk Emailer in my userpic directory
Post by: Joachim Müller on December 25, 2006, 08:04:17 pm
Check for existing backdoors. Upgrading doesn't remove existing backdoors, it just protects you from falling victim to new ones.
Title: Re: PHP Bulk Emailer in my userpic directory
Post by: Kursk on December 25, 2006, 08:17:58 pm
albums/userpics is the only directory I was able to find that contained a php mailer. Any other possible locations?
Title: Re: PHP Bulk Emailer in my userpic directory
Post by: Joachim Müller on December 26, 2006, 02:36:59 am
If the attacker managed to place any PHP script on your server he might have infected your entire webspace. Therefore, possible locations are: the entire webspace.
Please keep in mind that cpg1.3.x goes unsupported. Your issue comes from failing to upgrade in time (while there still was support).
Title: Re: PHP Bulk Emailer in my userpic directory
Post by: Kursk on December 26, 2006, 03:57:18 am
I see your point. CPG has been updated to 1.4.10 as soon as I've discovered the hole. The rest of the webspace besides CPG is the latest Joomla! release (no bridge.)

Userpics seems logical as it allows for a user upload. My fault not keeping up-to-date on the CPG and doing something that allowed for the upload of files other than what should have been uploaded. My question was more along the lines of any similarity to userpics' apparent vulnerability (in my case of course, as I'm not generalizing here.)
Title: Re: PHP Bulk Emailer in my userpic directory
Post by: Stramm on December 26, 2006, 07:34:40 am
as already said... if an attacker was able to upload a malicious script, then he's able to place it everywhere in your webspace. He can use this script to load other scripts ... do not only search in the albums dir.
Title: Re: PHP Bulk Emailer in my userpic directory
Post by: Joachim Müller on December 26, 2006, 10:09:10 am
This is what you need to do: download all files that reside on your webspace to a folder on your hard-drive. Then use a diff viewer like WinMerge to compare all files, making sure that all code files do not differ between the forensic backup folder you just downloaded and the original sources you uploaded in the first place. Using the diff viewer, make sure that there are no surplus executable scripts in the forensic backup folder.
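The comparison Joachim and Stramm describe above, as an added Python example that is not code from this thread or from Coppermine: it hashes every file in the downloaded forensic copy, compares it with the original sources, and reports altered code files plus any script that exists only in the forensic copy, in any directory rather than just albums. The two sample trees and the file names in them are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes a typical PHP host will execute; a file with one of these that exists
# only in the forensic copy is a "surplus executable script" worth inspecting.
SCRIPT_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".phtml", ".pl", ".cgi", ".sh"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def relative_files(root: Path) -> dict:
    """Map every regular file below root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def is_script(rel: str) -> bool:
    name = rel.rsplit("/", 1)[-1]
    return name == ".htaccess" or Path(name).suffix.lower() in SCRIPT_SUFFIXES


def compare_trees(clean_root, backup_root) -> dict:
    """Diff a forensic copy against the original upload; only code files are judged."""
    clean, backup = relative_files(Path(clean_root)), relative_files(Path(backup_root))
    modified = sorted(r for r in clean.keys() & backup.keys() if is_script(r) and clean[r] != backup[r])
    surplus = sorted(r for r in backup.keys() - clean.keys() if is_script(r))
    missing = sorted(clean.keys() - backup.keys())
    return {"modified": modified, "surplus_scripts": surplus, "missing": missing}


def build_demo() -> tuple:
    """Constructed sample: the original upload and a forensic copy of the live site."""
    base = Path(tempfile.mkdtemp(prefix="cpg-audit-"))
    clean, backup = base / "original", base / "forensic"
    for root in (clean, backup):
        (root / "albums" / "userpics").mkdir(parents=True)
        (root / "include").mkdir()
        (root / "include" / "init.inc.php").write_text("<?php // unchanged\n")
    (clean / "index.php").write_text("<?php echo 'gallery';\n")
    (backup / "index.php").write_text("<?php echo 'gallery'; // altered on the server\n")
    (backup / "albums/userpics/10001.jpg").write_bytes(b"\xff\xd8\xff")  # a user photo, not a script
    (backup / "albums/userpics/mailer.php").write_text("<?php // not part of the original upload\n")
    return clean, backup


if __name__ == "__main__":
    print(compare_trees(*build_demo()))
```

Uploaded images that exist only in the forensic copy are expected and are not reported; anything listed under modified or surplus_scripts is what the diff-viewer pass is meant to catch.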
Title: Re: PHP Bulk Emailer in my userpic directory
Post by: Kursk on December 26, 2006, 09:16:12 pm
Thank you all.