Topic: New exploit in 1.3.3? (Read 6858 times)

Jackal

  • Coppermine newbie
New exploit in 1.3.3?
« on: July 07, 2005, 05:12:06 pm »

Hi guys, First I've got to say that Coppermine 1.3.3 is awesome - a lot of work and well appreciated.

I've been using it for about 4 weeks without a problem - but about 5 days ago it was compromised in some way.

There are multiple problems, from registered users being unable to set up new albums or upload files, to at worst - all users deleted along with their albums, images and database records.

My hosting Company says I am the sixth client who has complained of this problem in the last 10 days - but have scanned their systems and claim that the system is clear.
I've tried installing a new incidence of 1.3.3 in a new directory with a new database - but after getting a new user on - everything got deleted when I tried to use the admin account...

Any bright ideas anyone? Your help is appreciated

Tranz

  • Dev Team member
  • Coppermine addict
Re: New exploit in 1.3.3?
« Reply #1 on: July 07, 2005, 05:20:19 pm »

Just to eliminate other factors, have you changed your webhost and gallery account passwords in case that is how the attacks are occurring?

Jackal

  • Coppermine newbie
Re: New exploit in 1.3.3?
« Reply #2 on: July 07, 2005, 05:36:03 pm »

Thanks TranzNDance - That's what I thought of first. Changed account access info then put up a new installation of 1.3.3 with different access info - but the problems were still there despite the "clean" system

kegobeer

  • Dev Team member
  • Coppermine addict
Re: New exploit in 1.3.3?
« Reply #3 on: July 07, 2005, 09:24:33 pm »

What other PHP apps are installed on the server?
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Jackal

  • Coppermine newbie
Re: New exploit in 1.3.3?
« Reply #4 on: July 07, 2005, 09:45:10 pm »

Hi Kegobeer - now that sounds like a good idea right now...

So far as I can tell, here is a complete list of php apps running on this server:   

Fantastico.  CpanelX.
    Blogs: b2evolution, Nucleus, pMachine Free, WordPress 
    Content Management: Drupal, Geeklog, Mambo Open Source, PHP-Nuke, phpWCMS, phpWebSite, Post-Nuke, Siteframe, Typo3, Xoops 
    Customer Relationship: Crafty Syntax Live Help, Help Center Live, osTicket, PHP Support Tickets, Support Logic Helpdesk, Support Services Manager 
    Discussion Boards: phpBB2, SMF 
    E-Commerce: CubeCart, OS Commerce, Zen Cart 
    F.A.Q: FAQMasterFlex 
    Guestbooks: ViPER Guestbook 
    Image Galleries: 4Images Gallery, Coppermine Photo Gallery, Gallery 
    Mailing Lists: PHPlist 
    Polls and Surveys: Advanced Poll, phpESP, PHPSurveyor 
    Project Management: dotProject, PHProjekt 
    Site Builders: Templates Express 
    Wiki: TikiWiki, PhpWiki 
    Other Scripts: Dew-NewPHPLinks, Moodle, Noahs Classifieds, Open-Realty, phpAdsNew, PHPauction, phpCOIN, phpFormGenerator, WebCalendar

In fact - not a bad list if not for the problems...

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • aka "GauGau"
Re: New exploit in 1.3.3?
« Reply #5 on: July 07, 2005, 09:57:41 pm »

Whew, what a list... Do all of the other apps still work as expected?

Jackal

  • Coppermine newbie
Re: New exploit in 1.3.3?
« Reply #6 on: July 07, 2005, 10:16:11 pm »

The only other application I've tried from the list was "Gallery". This was after the problems started - and an attempt to get around the problem.

It seems to have been affected as well, I followed the installation guidelines but couldn't set up users properly.

donnoman

  • Dev Team member
  • Coppermine addict
Re: New exploit in 1.3.3?
« Reply #7 on: July 08, 2005, 04:27:50 am »

Are you sure this isn't a database server issue? It may be that the mysql server is hosed and this has nothing to do with the webserver.

Jackal

  • Coppermine newbie
Re: New exploit in 1.3.3?
« Reply #8 on: July 08, 2005, 12:59:02 pm »

Thanks for the suggestion donnoman - never considered that might be the problem. Have contacted our Hosting Co. and am waiting for their findings.

Jackal

  • Coppermine newbie
Re: New exploit in 1.3.3?
« Reply #9 on: July 09, 2005, 12:32:28 pm »

It seems that my hosting Company are incommunicado - I've had no email response from them about the possibility that the database server may be the root of the problem -  and they can't be raised on the telephone.

What doesn't seem to fit though is that I have other handbuilt php routines running on this website that use added tables to the Coppermine database. These are all unaffected by whatever is causing the problem. What gets affected are the cpg133_albums, cpg133_pictures, cpg133_users tables plus all of the image folders in the userpics directory get emptied...

Anyone recognize the symptoms?

donnoman

  • Dev Team member
  • Coppermine addict
Re: New exploit in 1.3.3?
« Reply #10 on: July 09, 2005, 02:38:52 pm »

Are contents IN the tables when you look at them with something like phpmyadmin?

Are there files in the albums/userpics directory or do the files really go missing after they've been uploaded?

How long does it take for the entries in the db, or the filesystem, to go MIA?

Do you have access to the http access logs to your site? Have you reviewed them for suspicious activity?

Jackal

  • Coppermine newbie
Re: New exploit in 1.3.3?
« Reply #11 on: July 09, 2005, 07:12:16 pm »

Hi donnoman

1) The contents were in the tables before they get deleted - not there afterwards - checked by phpadmin also by viewing exported sql data in notepad.
2) The files in userpics/albums are completely deleted - vanished without a trace
3) The files and db records go missing within seconds of any attempt to access registered user data as an admin user
4) I checked through all the logs when it happened the 1st time. All were normal users - and only accessed non-critical parts of the system.

My belief is that the contamination was lurking for some time - I hadn't used the admin panel for about 3 weeks - so it could have been any time in the interim that I was struck...

It seems strange that nobody else is reporting similar problems like this. My web hosting Company seem to have forgotten about me on this issue - that or they've left the Country.

donnoman

  • Dev Team member
  • Coppermine addict
Re: New exploit in 1.3.3?
« Reply #12 on: July 09, 2005, 09:43:17 pm »

Considering everything you've posted thus far, I'd change webhosts.

I'm curious about your last statements though.

Would you mind zipping up your entire website and letting me download it? I want to see if I can find where the code has been injected. If you want to make other arrangements PM me.

Jackal

  • Coppermine newbie
Re: New exploit in 1.3.3?
« Reply #13 on: July 10, 2005, 05:31:43 pm »

donnoman

Have sent a pm to you with details of download url.

Thanks