Author Topic: Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]  (Read 10925 times)

sion3000

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
    • http://www.coolshots.co.uk

Hi

I went onto my Coppermine photo gallery today and I was shocked to notice that instead of taking me to the usual front page, it gave me a message :'(:
========
This site is defaced!!!

--------------------------------------------------------------------------------

NeverEverNoSanity WebWorm generation 16.

Fatal error: Call to undefined function: breadcrumb() in /files/home/sion3000/Coppermine/index.php on line 118
========

It gets almost the same error if you click a different link to get into the gallery.

The web site is: www.coolshots.co.uk and you can access the gallery by clicking any of the photos or by clicking Photo Gallery at the top of the page.
Direct link to the gallery is: www.coolshots.co.uk/Coppermine

I have had a quick look in the code but I am not an expert, not even a novice really. Everything looks normal. I'm currently running version 1.2.1 ???


All ideas and solutions welcome.


Thanks and have a merry xmas.

Sion

[edit GauGau]
Changed this thread's subject from Need some advice with my coppermine gallery please to Security threat: "This site is defaced" [NeverEverNoSanity WebWorm] and made it a sticky.
[/edit]
« Last Edit: December 22, 2004, 06:13:50 pm by GauGau »

kegobeer

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 4637
  • Beer - it does a body good!
    • The Kazebeer Family Website
Re: Need some advice with my coppermine gallery please
« Reply #1 on: December 21, 2004, 10:31:22 pm »

Sounds like this:

http://forum.coppermine-gallery.net/index.php?topic=12803.0

We are aware of this worm.  Please read the above post.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: Need some advice with my coppermine gallery please
« Reply #3 on: December 21, 2004, 11:54:02 pm »

@sion3000, are you running a phpbb forum older than 2.0.11? I'm just trying to see if there is a pattern.

sion3000

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
    • http://www.coolshots.co.uk
Re: Need some advice with my coppermine gallery please
« Reply #4 on: December 22, 2004, 12:00:47 am »

I'm only running the Coppermine Gallery, no forums or anything else.
At the moment trying to find out what version of php the server uses where my site is hosted.

Thanks

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: Need some advice with my coppermine gallery please
« Reply #5 on: December 22, 2004, 12:20:26 am »

In coppermine, go to Admin Tools / phpinfo. It will tell you your php version.

sion3000

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
    • http://www.coolshots.co.uk
Re: Need some advice with my coppermine gallery please
« Reply #6 on: December 22, 2004, 12:35:01 am »

Hello again, well I've just been talking to my contacts at my ISP and they are telling me they have been hit by the worm, it's managed to get into the main server and overwrite everyone's php files, to some extent apart from phpbb.

So I'm gonna start looking for my backups!

Thanks for everyone's help. I think we can pretty much call this one solved!

thanks
Hope everyone has a great xmas and a happy new year!

gibblesmg

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: Need some advice with my coppermine gallery please
« Reply #7 on: December 22, 2004, 03:55:31 am »

To my surprise I too have had the defaced page replace my photo gallery. I talked to my ISP who indicated that PHP 4.3.8 was safe so I rebuilt my gallery again. Only within 4 hours to have it shut down. I am not a PHP pro. Please help.

Aditya Mooley

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 781
    • My Sweet Home
Re: Need some advice with my coppermine gallery please
« Reply #8 on: December 22, 2004, 06:22:28 am »

Quote from gibblesmg: "To my surprise I too have had the defaced page replace my photo gallery. I talked to my ISP who indicated that PHP 4.3.8 was safe so I rebuilt my gallery again. Only within 4 hours to have it shut down. I am not a PHP pro. Please help."
The only solution to this is to upgrade to PHP 4.3.10 or more.
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---

Hein Traag

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: nl
  • Offline Offline
  • Gender: Male
  • Posts: 2166
  • A, B, Cpg
    • Personal website - Spintires.nl
Re: Need some advice with my coppermine gallery please
« Reply #9 on: December 22, 2004, 11:38:48 am »

Additional info on the virus itself can be found here.

http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html

djcrash

  • Coppermine newbie
  • Offline Offline
  • Posts: 3
Re: Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]
« Reply #10 on: December 23, 2004, 11:54:22 pm »

Understand I help to handle (to settle) from this hold-down problem 3.4.10 entirely PHP? If I write it for administrator so e-mail.
Please, < ask > about answer.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]
« Reply #11 on: December 24, 2004, 12:46:10 am »

 ???

jack

  • VIP
  • Coppermine frequent poster
  • ***
  • Country: 00
  • Offline Offline
  • Posts: 279
Re: Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]
« Reply #12 on: December 26, 2004, 10:57:34 pm »

Versions of the worm will deface any site it can find on a server. If someone else on your server has a vulnerable version of phpBB, and other countermeasures are not implemented by your server host, your site will be defaced through no fault of your own.

A newer version of the worm will install an IRC controlled DDOS bot instead (or as well as, I'm not sure yet) of defacing sites.

The worm will try any and every php file it can find even though they are not necessarily phpBB. This will push your bandwidth usage through the roof. To guard against that, you can either edit each and every PHP file to just abort when it gets queried by the worm (easier said than done) or if your host has mod_rewrite (most Apache installations do), put the following into a .htaccess file:

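Code:
        # Turn on mod_rewrite for this directory
        RewriteEngine On

        # Match requests whose raw query string contains this marker
        RewriteCond  %{QUERY_STRING} &cmd=cd%20/tmp;
        # Refuse them with 403 Forbidden and stop processing further rules
        RewriteRule  .* - [F,L]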

This will block the three variants that I am aware of. I will update this if needed as time progresses.

Although this worm only affects phpBB, I would not consider PHP 4.3.8 'safe'. Hosts need to patch the problems in earlier versions or upgrade to 4.3.10.
Please do not contact me for support directly - instead: post on this board!
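
To check whether the .htaccess rule in the post above is taking effect, the access log can be scanned for the same query-string marker. This is an added example, not part of the original thread: the log lines, IP addresses, paths, sizes and the PLACEHOLDER suffix are constructed, and the function names are hypothetical.

```python
import re

# Marker from the RewriteCond above. Apache matches it against the raw,
# still percent-encoded query string, so "%20" is compared literally.
MARKER = re.compile(r"&cmd=cd%20/tmp;")

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: documentation IP ranges, made-up paths and sizes.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Dec/2004:21:10:01 +0000] "GET /Coppermine/index.php?cat=2 HTTP/1.1" 200 18211
198.51.100.7 - - [26/Dec/2004:21:10:03 +0000] "GET /Coppermine/index.php?x=1&cmd=cd%20/tmp;PLACEHOLDER HTTP/1.0" 200 17950
198.51.100.7 - - [26/Dec/2004:21:10:04 +0000] "GET /Coppermine/displayimage.php?pos=3&cmd=cd%20/tmp;PLACEHOLDER HTTP/1.0" 200 9120
203.0.113.44 - - [26/Dec/2004:22:40:12 +0000] "GET /Coppermine/index.php?x=1&cmd=cd%20/tmp;PLACEHOLDER HTTP/1.0" 403 289
203.0.113.44 - - [26/Dec/2004:22:40:13 +0000] "GET /Coppermine/login.php?x=1&cmd=cd%20/tmp;PLACEHOLDER HTTP/1.0" 403 289
"""


def summarize(log_text):
    """Per client: marker hits, how many got 403, bytes served to the rest."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        _, _, query = m.group("target").partition("?")
        if not MARKER.search(query):
            continue  # ordinary request, the rule would not fire
        s = stats.setdefault(m.group("host"),
                             {"hits": 0, "blocked": 0, "bytes_served": 0})
        s["hits"] += 1
        if m.group("status") == "403":
            s["blocked"] += 1
        elif m.group("size") != "-":
            s["bytes_served"] += int(m.group("size"))
    return stats


def unblocked_clients(stats):
    """Clients whose marker requests were not all refused."""
    return sorted(h for h, s in stats.items() if s["blocked"] < s["hits"])


if __name__ == "__main__":
    for host, s in summarize(SAMPLE_LOG).items():
        print(host, s)
```

A client returned by unblocked_clients received something other than 403 Forbidden for at least one marker request, so the rule was not in effect for that request; bytes_served shows how much bandwidth those requests consumed.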