forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: kali on April 07, 2008, 12:16:29 am

Title: [Solved]: Is someone trying to hack my site?
Post by: kali on April 07, 2008, 12:16:29 am
Hi all

I am running the most recent version of coppermine and I've noticed some strange activity on my access log today:

Code:
"GET /coppermine/index.php?cat=14 HTTP/1.1" 200 53193 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30301 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
(and is then repeated two or three times in a five minute window all from the same IP address based in Russia)

I went in through my FTP client and there is a new folder in plugins called 'receive' with a CHMOD of 777

I checked through all my other files/folders and according to the FTP nothing else has been modified. I've not been able to delete the new folder as my webhost is looking into it, but I have deleted update.php and pluginmgr.php, so if they do come back they'll have to find another way in.

What can I do to protect myself from this sort of thing in the future? And are there any other security steps I can put in place?

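Kali asks how to keep an eye on this sort of activity in future. As an added example (not code from the thread or from Coppermine), the Python below parses access-log lines in the same format as those posted, groups hits on the admin-only scripts pluginmgr.php and update.php by client IP, and flags a burst of three or more inside a five-minute window, separating POST uploads answered with 200 from the 302 bounces seen here. The sample lines, the client IPs and the timestamps are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in Apache combined format: request, status and agent fields mirror the
# thread's log lines; the client IPs and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2008:00:01:12 +0000] "GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
203.0.113.7 - - [07/Apr/2008:00:01:13 +0000] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
203.0.113.7 - - [07/Apr/2008:00:02:40 +0000] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
203.0.113.7 - - [07/Apr/2008:00:04:05 +0000] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
192.0.2.50 - - [07/Apr/2008:09:30:00 +0000] "GET /coppermine/index.php?cat=14 HTTP/1.1" 200 53193 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Admin-only Coppermine scripts; a visitor has no business POSTing to pluginmgr.php?op=upload.
WATCHED = ("/pluginmgr.php", "/update.php")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_admin_probes(log_text, window=timedelta(minutes=5), threshold=3):
    # Collect hits on the watched scripts per client IP, then look for a burst of at
    # least `threshold` hits inside `window` (the thread's "five minute window").
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(rec["path"].split("?")[0].endswith(w) for w in WATCHED):
            hits[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs)):
            j = i
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                # POST uploads answered 200 rather than with a 302 bounce are the ones to escalate.
                ok = sum(1 for r in recs[i:j] if r["method"] == "POST" and r["status"] == 200)
                alerts[ip] = {"attempts": j - i, "upload_200": ok, "first": recs[i]["ts"], "last": recs[j - 1]["ts"]}
                break
    return alerts
```

Run it over the real access log with `find_admin_probes(open("access.log").read())`; an alert whose `upload_200` count is zero matches the pattern Nibbler describes as harmless, while any non-zero count is worth checking against the plugins directory.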
Title: Re: Is someone trying to hack my site?
Post by: Nibbler on April 07, 2008, 12:44:34 am
It's harmless. Just because the log shows someone tried to access something doesn't mean they did anything. receive is a normal part of Coppermine.

Title: Re: Is someone trying to hack my site?
Post by: slausen on April 07, 2008, 12:47:59 am
Quote from: kali on April 07, 2008, 12:16:29 am (quoted in full above)

Wow.

Does pluginmgr.php allow uploads from non-Admin users? Is that behavior intentional? If so, that would seem to be a major security hole. I was just about to start an upgrade to the current version to take advantage of all the security fixes, and then I see your post...
Title: Re: Is someone trying to hack my site?
Post by: Nibbler on April 07, 2008, 01:13:09 am
Of course not. Read what I wrote.
Title: Re: Is someone trying to hack my site?
Post by: slausen on April 07, 2008, 07:32:36 am
Quote from: Nibbler on April 07, 2008, 12:44:34 am
It's harmless. Just because the log shows someone tried to access something doesn't mean they did anything. receive is a normal part of Coppermine.

Great, thanks.
Title: Re: Is someone trying to hack my site?
Post by: kali on April 07, 2008, 08:00:45 am
Quote from: Nibbler on April 07, 2008, 12:44:34 am
It's harmless. Just because the log shows someone tried to access something doesn't mean they did anything. receive is a normal part of Coppermine.

Thank you for your reply. I'm usually not too worried about this sort of thing; however, the 'receive' folder was saying it was modified at exactly the same time (although there was nothing in it), which is what caused the alarm bells to ring.