forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 permissions => Topic started by: Naif on March 13, 2007, 04:26:02 pm

Title: Phishing site in my gallery
Post by: Naif on March 13, 2007, 04:26:02 pm
Hello

I've been notified that someone uploaded a phishing site in my gallery (in userpics/10001). The file in question has been deleted, and I have upgraded the software (from 1.4.9 to 1.4.10), but I'd like to know if this is enough to prevent further attacks.
Title: Re: Phishing site in my gallery
Post by: Joachim Müller on March 14, 2007, 07:08:36 am
How could one possibly upload a phishing site? Did your site get hacked? Post a deep link, or (if you have already removed the offending stuff) post a screenshot of the "thing" that you referred to as "phishing site".
Title: Re: Phishing site in my gallery
Post by: Naif on March 14, 2007, 05:55:01 pm
That's what I wonder... I didn't even know how my site got hacked, it's my hosting provider who warned me. This is the phishing site: http://theothersize.com/galeria/albums/userpics/10001/muie/ But they already deleted that file.

So, how may this have happened? And how can I solve it, and prevent further problems...?
Title: Re: Phishing site in my gallery
Post by: Nibbler on March 14, 2007, 06:10:46 pm
The fact they uploaded into userpics/10001 indicates they gained access to your Coppermine admin account. Change the password and check your webspace for anything that looks suspicious.
Title: Re: Phishing site in my gallery
Post by: Naif on March 14, 2007, 07:17:32 pm
But how could they possibly find my password? It is one that is not precisely easy to guess (very long, using letters and numbers mixed...)
Title: Re: Phishing site in my gallery
Post by: Joachim Müller on March 14, 2007, 07:23:04 pm
There are several methods: brute force, exploits of known issues, keystroke loggers. Hard to guess, as your overall web presence is empty (nothing in http://theothersize.com/). Start from scratch. Keep your apps up-to-date. Back up regularly.
Title: Re: Phishing site in my gallery
Post by: Naif on March 16, 2007, 04:27:03 pm
Oh, the web is not exactly empty but it's not available now, only the domain is currently not visible. It only contained some other scripts like a phpbb forum and a wiki, but they didn't get hacked.

Can keeping this gallery updated guarantee no further attacks?
Title: Re: Phishing site in my gallery
Post by: Joachim Müller on March 16, 2007, 08:06:31 pm
Can going to the doctor guarantee that you're never going to become ill? There are no absolutely sure things in life, nor is there such a thing as bug-free software. Keeping your software up-to-date and applying all safety precautions you possibly can makes another attack less likely, that's all I can promise. That applies to every piece of software in the world.
I suggest relying on brain.exe and regular-backups.exe - those are the mightiest programs in the world.
Title: Re: Phishing site in my gallery
Post by: EZ on March 18, 2007, 11:33:11 pm
I've just been hit with the same problem! My hosting provider notified me that the gallery contains a phishing page. In my case some files (html, php, txt) were uploaded into /gallery/include/makers.

A day later I was also notified that my phpBB forum has been hacked. A spam script was uploaded to /forum/images/avatars.

At the moment I have no idea how this could have happened. I don't think my password was compromised. Of course there's no way I can be 100% sure about it, but apparently there's no other damage except for the uploaded files.

EZ.
Title: Re: Phishing site in my gallery
Post by: martl on May 02, 2007, 12:35:15 pm
My gallery has caught a phishing website too and was shut off by the webhoster :(

Doing a Google search, I found this one:
http://www.virenschutz.info/beitrag_Angriffe+auf+das+Galeriescript+Coppermine_1020.html

It's German, but Gaugau should be able to understand it :)

It talks about a vulnerability of Coppermine that has to do with inserting an iframe (or so... ;))

They give the advice to shut down the website until a patch is available... well, do the devs already know about it and when can we expect a patch?

Martin
Title: Re: Phishing site in my gallery
Post by: martl on May 02, 2007, 12:38:47 pm
:-X Please disregard... the news message I quoted was exactly 1 year old.. all I saw was "28th of April" and so I assumed it was news... sorry for any confusion! :)

Title: Re: Phishing site in my gallery
Post by: Joachim Müller on May 02, 2007, 12:48:33 pm
The site you refer to deals with the outdated and unsupported Coppermine versions for nuke anyway, so the alert you refer to doesn't apply. We only and exclusively support the standalone version of Coppermine, and only the most recent stable release. The site you refer to isn't very helpful: any good bug report site that is worth mentioning should mention what version of the app their bug report applies to. The site virenschutz.info fails to do so, so I wouldn't trust anything they claim. In my eyes, those are just rumors. Their report is just damaging our app's reputation but fails to improve the situation for those who have fallen victim to their wannabe-report.
Title: Re: Phishing site in my gallery
Post by: martl on May 07, 2007, 07:22:50 pm
I agree, I also was angry about that website not giving any version numbers of the software involved, as well as the insufficient timestamp. Still I had to kick two different chatbot subdirs and a phishing site mimicking "Bank of America" out of my userpics subdirs, but it may well be that I am to blame for running a not-too-clean installation. I will check the permissions on file level and also rethink my liberal strategy of allowing users to self-register and upload :p A pity, it ran well for a long time, but I guess the internet is a bad place to rely on trust and common sense :)
Title: Re: Phishing site in my gallery
Post by: bern5 on July 24, 2009, 01:03:15 am
What's the solution to fix?

Just had 2 phishing folders set up in 2 days in /include/ - I've changed permission to 755

Also have a folder /include/makers/ - should that be there?

Running 1.4.10 (stable)

thx in advance.
Title: Re: Phishing site in my gallery
Post by: Joachim Müller on July 24, 2009, 09:35:33 am
"What's the solution to fix?"
The solution is pretty straightforward: in the future, don't be lazy - failing to perform frequent updates of any pre-written script-driven web app will result in getting hacked sooner or later. The fact that you're running "1.4.10 (stable)" shows that you must have been very lazy: cpg1.4.10 was released three years ago. The fact that you tried to hijack such an ancient thread shows your laziness as well. Anyway, sanitize as suggested in the thread "Yikes, I've been hacked! Now what?" (http://forum.coppermine-gallery.net/index.php/topic,51927.0.html). Just upgrading is not enough now that your site was hacked. Locking.
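
Added example, not part of the thread and not Coppermine project code: one way to "check your webspace for anything that looks suspicious" and to answer "should that be there?" is to compare the live install against a clean copy of the same release and to list non-media files in the upload area. It assumes a clean copy is unpacked locally, that uploads live under `albums` (as in the URL posted above), and a media extension list chosen for illustration; the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path, PurePosixPath

MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # assumption: types this gallery accepts

def file_hashes(root):
    """Map each file's relative POSIX path under root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(live_root, clean_root, upload_dir="albums"):
    """Return sorted (path, finding) pairs for a live install vs. a clean copy."""
    live, clean = file_hashes(live_root), file_hashes(clean_root)
    findings = []
    for rel, digest in live.items():
        if rel.startswith(upload_dir + "/"):
            # Upload area differs per site, so judge by file type instead of hash.
            if PurePosixPath(rel).suffix.lower() not in MEDIA_EXT:
                findings.append((rel, "non-media file in upload area"))
        elif rel not in clean:
            findings.append((rel, "not in clean release"))
        elif clean[rel] != digest:
            findings.append((rel, "differs from clean release"))
    return sorted(findings)

def build_sample():
    """Create constructed sample trees; names are illustrative, not the real package."""
    base = Path(tempfile.mkdtemp())
    trees = {
        "clean": {"index.php": "<?php // app", "include/functions.php": "<?php // lib"},
        "live": {"index.php": "<?php // app",
                 "include/functions.php": "<?php // lib, modified",
                 "include/newdir/login.html": "<html>constructed page</html>",
                 "albums/userpics/10001/photo.jpg": "constructed image bytes",
                 "albums/userpics/10001/muie/index.html": "<html>constructed page</html>"},
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = base / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return base / "live", base / "clean"

if __name__ == "__main__":
    for path, finding in audit(*build_sample()):
        print(f"{finding:32} {path}")
```

The output is a review list rather than a verdict: files created at install time will appear as "not in clean release", and a media extension alone does not prove a file is an image.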