forum.coppermine-gallery.net

Support => cpg1.5.x Support => cpg1.5 miscellaneous => Topic started by: dreimer on February 03, 2017, 11:32:58 am

Title: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: dreimer on February 03, 2017, 11:32:58 am
My site running 1.5.12 has experienced an ecard hack by .RU 188.143.232.*

Initially there were 100-200 bogus emails sent via ecards sent daily
I was able to delete them and ban the individual IP address

Then the hacker / spammer was able to disable adding new files and new albums

Has this been the reason for any of the security upgrades?
Or is this a new breach via mysql?
Title: Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: phill104 on February 03, 2017, 01:28:50 pm
We cannot tell without extensive investigation exactly how the hacker gained access. It could be the very old version of coppermine you are running which is why we work hard to keep the package up to date. It could be some other vulnerability on your system but like I say, without doing extensive investigations we could not tell. Having said that the version you are running has a number of issues that have since been fixed. As is often the case, when a security issue arises, it is usually published on numerous online resources. The hackers then see these and begin searching for vulnerable sites. Running an old version of any server side software increases substantially your risk of attack.
Title: Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: dreimer on February 03, 2017, 01:57:38 pm
My site is 5 GB, 363 albums and 78,000 files

5 years ago the site was about 10% the current size and I had to migrate each album manually, which took a month
There was no way I was going to do upgrades 2 or 3 times a year

Your advice about easy migrations is completely unrealistic for large sites like mine.
I have a website developer background using HTML and not PHP and not mysql.

Surely the exposure of organized Russian hacking of Coppermine should have been identified by now?
Title: Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: phill104 on February 03, 2017, 02:07:59 pm
Upgrading does not require moving any albums. It is a simple and relatively fast process. Only the core coppermine files need replacing and a small script running.

Many hacks have been identified hence the later releases of CPG. CPG 1.5.12 was released in Jan 2011, 6 years ago. A lot has changed since then and many hacks have been identified and fixed.
Title: Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: dreimer on February 03, 2017, 07:31:26 pm
More analysis of the ecard log shows there were two different Russian hackers involved in submitting bogus emails

My site running 1.5.12 has experienced another ecard hack by .RU 46.161.9.*
This one submitted adverts for legal drugs: 200 - 300 emails per day

The ecard hack by .RU 188.143.232.* submitted emails to random users: ~5000 per day
This has resulted in the site being shut down for spamming!  :'( :'(  :'(
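The per-day, per-range volumes described in this post are the kind of figures an admin gets by aggregating the ecard send log by source network rather than by single address (banning one IP at a time, as the first post describes, misses a sender rotating through a range). The following is an added example, not code from the thread or from Coppermine; the log format, sample records and the 3-per-day threshold are constructed assumptions.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of ecard send records (NOT Coppermine's real log format):
# "<ISO timestamp> <sender IP> <recipient address>"
SAMPLE_LOG = """\
2017-02-01T08:12:01 188.143.232.10 user1@example.net
2017-02-01T08:12:07 188.143.232.17 user2@example.net
2017-02-01T08:12:15 188.143.232.40 user3@example.net
2017-02-01T09:30:00 203.0.113.5 friend@example.org
2017-02-01T10:05:22 46.161.9.21 user4@example.net
2017-02-01T10:05:30 46.161.9.22 user5@example.net
2017-02-02T11:00:00 203.0.113.5 another@example.org
"""


def parse_log(text):
    """Yield (date, ip, recipient) tuples from the constructed log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, recipient = line.split()
        yield datetime.fromisoformat(ts).date(), ip_address(ip), recipient


def daily_counts_by_block(records, prefix_len=24):
    """Count ecard sends per (date, /prefix_len network).

    Aggregating by network is what surfaces a sender that rotates through
    many addresses in one range, which per-IP counting would hide.
    """
    counts = Counter()
    for day, ip, _recipient in records:
        block = ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[(day, block)] += 1
    return counts


def flag_abusive_blocks(counts, threshold):
    """Return the networks that reached `threshold` sends on any single day."""
    return {block for (_day, block), n in counts.items() if n >= threshold}


if __name__ == "__main__":
    counts = daily_counts_by_block(parse_log(SAMPLE_LOG))
    for (day, block), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(day, block, n)
    print("flagged:", flag_abusive_blocks(counts, threshold=3))
```

Against a real install the records would come from the ecard table or mail log, and the threshold would be set well above the site's legitimate daily ecard volume.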
Title: Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: phill104 on February 04, 2017, 07:32:16 am
I am sure Gmc can help you fix it. Hopefully once it is fixed you can keep your install up to date. Take a look at the docs and feel free to ask questions about upgrading when you need to. A basic cpg install no matter how many albums and images should only take a few minutes to update.
Title: Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: dreimer on February 07, 2017, 11:55:39 am
My site Thai-NL.com/gallery/ (http://Thai-NL.com/gallery/) has been updated ;D. (NSFW)
We'll see if the .ru guys can get back in  :-[
Title: Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: Joe Carver on February 07, 2017, 02:17:26 pm
The previous post was edited to mark your site as NSFW = Not Safe For Work.

Without any captcha or other protection, it will be easy for someone to abuse the ecard feature...
Title: Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: dreimer on February 09, 2017, 10:01:23 am
It turns out that my few remaining Coppermine sites are still running 1.4.xx
They too were hacked via the ecard facility from Russian websites 10 years ago

I have deleted all the bogus emails, which required mods to Coppermine db_ecard.php and wasted a lot of my time  >:(
I have now removed ecards from my sites via Groups disable, which I should have done a long time ago  :'(

Title: Re: Website with 1.5.12 ecard hack by .RU 188.143.232.*
Post by: phill104 on February 09, 2017, 12:16:08 pm
Hopefully you can upgrade those sites too, there are some other entry points which could be used if you do not.