Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: Bri32560 on March 03, 2009, 02:07:59 am

Title: [Solved]: What to do after exploit
Post by: Bri32560 on March 03, 2009, 02:07:59 am
I have looked at the docs and faqs and searched so if I missed the information I am sorry for that I tried.
Here is what I am trying to find.  Some time back my site was hacked and as a result several lines of code was added to every php file in every folder on my site.  After some reading I came to the conclusion that they got in through wordpress so I deleted and reinstalled wordpress.
Today for a lack of knowing what to do I was going through every folder and every file and removing the code that had been placed in each and I ran across several files and folders in coppermine in the incudes/modules folder that do not belong so that leads me to think the exploit was actually through coppermine. There are a couple .htaccess files and php files and a lot of html files.
What I am trying to find out is the proper way to fix all of this?
1)clean each file one by one? Takes a long time but would save all the setup I have done
2)delete and install from scratch?  would have to setup again and add the themes and changes I made some 3 years ago.
Are there any other options?
If I save the files that its tells me to in the upgrade docs how much will that save that I don't have to setup?

I am just looking for some advise or how to's
A script that would undo everything they did would be nice but would be shocked if that exist.

Thank You for any help or advise you can give me.

PS: I also run smf heavily modded as well as flashchat.  Everything else I have removed trying to stop this.

I would be happy to give you anymore information you might need to help
Title: Re: What to do after exploit
Post by: Fabricio Ferrero on March 03, 2009, 02:13:11 am
You should have posted a link to your gallery, anyways, read--> Yikes, I've been hacked! Now what?  (,51927.0.html)
Title: Re: What to do after exploit
Post by: Bri32560 on March 03, 2009, 11:52:05 am
Thank You very much for the link and the help.  There is a lot of useful information, links and tools.  After reading through it all I think I will be able to get my gallery cleaned and back in order.
I have one more question if anyone wouldn't mind helping with.  It isn't really a coppermine question so I hope it is ok to ask. While reading through and following all the links in that thread there was a program referenced called replace in files.  I downloaded and tried that program and it works great.  I thought I might be able to clean all the files in the rest of my site using it but found that while it removes all the inserted code at the beginning of each of my php files it also leaves line 1 blank and leaves <?php on line 2.  I searched and found several other programs that do the same thing as replace in files but none seemed to work for various reasons like the search text is to large and so on.
Is there a program like replace in files that can handle large multi-line files?  I have my site downloaded to my computer and just need to clean the rest of the files after I finish following the instructions you gave me in the link.

Thank You again for your help, I don't mind putting in the work I just need a little help in the right direction.
Title: Re: What to do after exploit
Post by: Joachim Müller on March 04, 2009, 09:14:53 am
We have a strict "one question per thread" policy that you agreed to respect when signing up, so yes: we do mind that you post another unrelated question here. You should have started another thread, although we don't support third party software. The reference to "replace in files" by Emura was provided as a courtesy - we don't want this forum to be used to review issues with other apps.
Let me just say that I have used "replace in files" many times over and that it works exactly as advertized for me - I can not confirm what you say. However, I'm not aware of another tool under Windows that can do the same. On Linux, I use
Code: [Select]
find /path/to/folder/ -maxdepth 3 -name "*.php" | xargs sed -i 's/string that I want to search for/string that I want to replace stuff with/g', but that's probably not an option for you.