forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: Absoblogginlutely on March 28, 2007, 02:09:10 am

Title: hacked? or something else?
Post by: Absoblogginlutely on March 28, 2007, 02:09:10 am

Google alerts showed me a link to my site at which has a link I didn't recognise.
Basically there was a whole load of buy_this_drug.htm in /gallery/include/misc/1/, misc/2 misc/3 etc
As far as I am aware I was up to date on all the security patches with gallery, picmgr was the latest patch that I applied.
Now when I go to the /gallery site I just get "Fatal Error :<br />"

Any ideas if this is a known hacking breach/attack and where to start looking for a repair? I'm now looking through my backups to see if I can see how long ago it happened.

Title: Re: hacked? or something else?
Post by: Absoblogginlutely on March 28, 2007, 03:29:57 am

i've tracked what looks like the hack down to about 80 lines in the log file. I've narrowed it down to these lines as the first line misc/1 returns a 404, the last lines, misc/1 returns the file they've somehow uploaded.
The only files that look like they could possibly invoke xss is a line like the following as phpsessid seems strange
66.249.72.197 - - [18/Feb/2007:08:35:13 -0500] "GET /gallery/addfav.php?pid=1113&ref=displayimage.php%3Falbum%3Dtopn%26cat%3D-45%26pos%3D11%26PHPSESSID%3Dcc423731d739a1ce566daa4c2376e542&PHPSESSID=cc423731d739a1ce566daa4c2376e542 HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Any ideas? I can paste the lines in here if that would help.

Title: Re: hacked? or something else?
Post by: Joachim Müller on March 28, 2007, 08:04:47 am

Posting a link to your gallery might be helpfull.