Author Topic: My Gallery was hacked?  (Read 6683 times)


linuxhata

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 50
My Gallery was hacked?
« on: October 08, 2005, 08:15:34 pm »

Hello. Today I discovered a "realmedia" file in my gallery, named a.php.ram. Surprised, I clicked on it, but it wouldn't play, so I downloaded it and looked into it. Inside it is:

<?

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *
 *  Welcome to phpRemoteView (RemView)
 *
 *  View/Edit remove file system:
 *  - view index of directory (/var/log - view logs, /tmp - view PHP sessions)
 *  - view name, size, owner:group, perms, modify time of files
 *  - view html/txt/image/session files
 *  - download any file and open on Notepad
 *  - create/edit/delete file/dirs
 *  - executing any shell commands and any PHP-code
 *
 *  Free download from http://php.spb.ru/remview/
 *  Version 04, 2002-08-24.
 *  Please, report bugs...

and so on. As I understand it, there was an attempt to hack my site. Visually, everything is OK, but maybe there is some backdoor set by the hacker? Will Coppermine allow execution of such a script? (My install is 1.3.3.)

Stramm

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 6006
    • Bettis Wollwelt
Re: My Gallery was hacked?
« Reply #1 on: October 08, 2005, 11:54:06 pm »

Had a look at it and I'd say it was a kiddie with not much clue at all who tried to get access to your box. If your server isn't configured absolutely silly (meaning it doesn't parse .ram files for PHP code), not much will happen. If this file is saved as .php on your server, then I'd say you're doomed.

Delete it and change all admin passwords, your FTP and shell passwords, root if you have access to it... this you should do every few months.

kegobeer

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 4637
  • Beer - it does a body good!
    • The Kazebeer Family Website
Re: My Gallery was hacked?
« Reply #2 on: October 09, 2005, 04:49:59 am »

Also go through your server logs and look for suspicious activity; find the IP address of the user(s) online when the file was uploaded.  Examine your file system and your database(s) for any other suspicious items.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots
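The log review suggested above, as an added example that is not part of the original thread or of Coppermine: parse Apache combined-format access log lines, list the IPs that POSTed to the upload handler in the window before the rogue file's modification time, and list the IPs that later requested the file itself. The four log lines are constructed (documentation IP ranges), and the assumption that the upload handler is reached via a path containing "upload.php" is mine; adjust it to your install.

```python
"""Triage access logs around the time a rogue file (e.g. a.php.ram) appeared.

Added example, not code from Coppermine or from the forum posts. Assumes the
Apache combined log format and that uploads arrive as POSTs to a path that
contains "upload.php" (assumption; check your own gallery's handler name).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.9 - - [08/Oct/2005:19:39:58 +0000] "GET /gallery/index.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
192.0.2.55 - - [08/Oct/2005:12:01:44 +0000] "POST /gallery/upload.php HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Oct/2005:19:40:12 +0000] "POST /gallery/upload.php HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
198.51.100.23 - - [08/Oct/2005:19:41:03 +0000] "GET /gallery/albums/userpics/10001/a.php.ram HTTP/1.1" 200 8192 "-" "Mozilla/4.0"
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return {ip, ts, method, path, status} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def parse_log(text):
    """Parse every line of a log; silently skip lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def upload_sources(records, file_mtime, window=timedelta(minutes=30),
                   upload_marker="upload.php"):
    """IPs that POSTed to the upload handler in the window ending at the file's mtime."""
    start = file_mtime - window
    return sorted({r["ip"] for r in records
                   if r["method"] == "POST" and upload_marker in r["path"]
                   and start <= r["ts"] <= file_mtime})


def file_requesters(records, filename):
    """IPs that requested the rogue file by name (whoever came back to use it)."""
    return sorted({r["ip"] for r in records
                   if r["path"].rsplit("/", 1)[-1] == filename})


def demo():
    """Run the triage on the constructed log; mtime stands in for stat() of a.php.ram."""
    recs = parse_log(SAMPLE_LOG)
    mtime = datetime(2005, 10, 8, 19, 40, 30, tzinfo=timezone.utc)
    return upload_sources(recs, mtime), file_requesters(recs, "a.php.ram")


if __name__ == "__main__":
    uploaded_from, requested_by = demo()
    print("uploaded from:", uploaded_from)   # ['203.0.113.7']
    print("requested by:", requested_by)     # ['198.51.100.23']
```

Take the file's modification time from the filesystem (`stat`), not from the log, and widen the window if the server clock and the log timezone disagree. Any IP that both uploaded and later fetched the file is the one to look for elsewhere in the logs, in the gallery's user table and in the host's FTP logs.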

foots

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: My Gallery was hacked?
« Reply #3 on: October 09, 2005, 02:45:50 pm »

I have had this file uploaded also, named a.php.ra

I've deleted the file and have previously installed all the security updates.

I'm using version 1.3.4.

kegobeer

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 4637
  • Beer - it does a body good!
    • The Kazebeer Family Website
Re: My Gallery was hacked?
« Reply #4 on: October 09, 2005, 07:18:11 pm »

A Google search on the filename shows many sites with this crap. This jackass (or jackasses) is/are very busy spreading this junk around.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: My Gallery was hacked?
« Reply #5 on: October 10, 2005, 08:56:27 am »

As suggested, this is probably a script kiddie with little or no idea what he/she does, looking for someone who is even more stupid and set up his server to parse ram files. I wouldn't be too concerned about it. Just delete the file and you should be fine. However, as Stramm suggested, it's a good idea to review your security settings and change your passwords. A good password should
1) not be in a dictionary
2) contain upper and lower case chars
3) contain numbers (and even special chars, although some systems hiccup on special chars like ,.-;:_!"§$%&/()=?ß}][{+*#'@)
4) be rather long (usually, the longer the better. However, some systems can't cope with very long passwords). I usually go for passwords that are 8 chars long for web-related stuff
5) be impossible to guess (so there should be no pattern in it)
6) be used only once. Although it's tempting to use the same password for several systems, it's not a good idea: once one system is broken, the security of all other systems will be broken as well

My advice is to come up with a sentence that makes sense only to you and use the first letters of this sentence to memorize your password. The sentence "my Password has got 8 Chars in it" would result in "mPhg8Cii", which would be a pretty safe password. Of course you can't use this one now, as it is publicly available. It's only an example. Come up with your own.

Joachim
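The six rules and the first-letters mnemonic from the post above, as an added example that is not part of the thread or of Coppermine. The 8-character minimum is the post's own figure; the word list is a constructed stand-in for a real dictionary, the reading of "no pattern" as runs or straight sequences of three or more characters is mine, and "used only once" can only be checked against passwords you already know.

```python
"""Check a password against the six rules in the post, and build one from a sentence.

Added example, not from Coppermine or the forum posts. MIN_LENGTH is the post's
figure; DICTIONARY is a tiny constructed stand-in for a real word list; the
pattern test (rule 5) is one interpretation of "no pattern in it".
"""

DICTIONARY = {"password", "coppermine", "gallery", "letmein", "welcome", "monkey"}
MIN_LENGTH = 8


def has_pattern(pw):
    """True for a run of one char (aaa) or a straight sequence (abc, 321) of length 3+."""
    for i in range(len(pw) - 2):
        a, b, c = (ord(ch) for ch in pw[i:i + 3])
        if a == b == c or (b - a == c - b and abs(b - a) == 1):
            return True
    return False


def password_problems(pw, used_before=(), dictionary=DICTIONARY):
    """Return the numbers (1-6, as in the post) of the rules the password violates."""
    problems = []
    low = pw.lower()
    # 1) not in a dictionary: whole word, or a longer dictionary word embedded in it
    if low in dictionary or any(w in low for w in dictionary if len(w) >= 5):
        problems.append(1)
    # 2) upper and lower case
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append(2)
    # 3) contains numbers
    if not any(c.isdigit() for c in pw):
        problems.append(3)
    # 4) rather long
    if len(pw) < MIN_LENGTH:
        problems.append(4)
    # 5) no pattern
    if has_pattern(pw):
        problems.append(5)
    # 6) used only once
    if pw in used_before:
        problems.append(6)
    return problems


def from_sentence(sentence):
    """First character of every word, keeping the case the user typed."""
    return "".join(word[0] for word in sentence.split())


if __name__ == "__main__":
    pw = from_sentence("my Password has got 8 Chars in it")
    print(pw, password_problems(pw))              # mPhg8Cii []
    print(password_problems("password123"))       # [1, 2, 5]
```

Only the sentence that produced the password needs remembering, and a sentence with a number and a capitalised noun in it satisfies rules 2 and 3 by construction. Run the check before saving any new admin, FTP or shell password, and keep the rejected-word list much larger than the sample here.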

nukeworker

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 83
  • Visit NukeWorker.com
    • Nuclear Jobs
Re: My Gallery was hacked?
« Reply #6 on: April 02, 2006, 11:09:59 pm »

I found this on my site today, after being hacked. They used a.php.gz to get me. I'm just trying to figure out how they uploaded it to my server.

kegobeer

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 4637
  • Beer - it does a body good!
    • The Kazebeer Family Website
Re: My Gallery was hacked?
« Reply #7 on: April 03, 2006, 12:11:02 am »

I found this on my site today, after being hacked. They used a.php.gz to get me. I'm just trying to figure out how they uploaded it to my server.

Offhand, I would say you don't restrict document file types. Check your config settings; unless absolutely necessary, I would not allow any documents to be uploaded. You also need to contact your host; they don't have the server properly configured (archives are being parsed as PHP).

nukeworker

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 83
  • Visit NukeWorker.com
    • Nuclear Jobs
Re: My Gallery was hacked?
« Reply #8 on: April 03, 2006, 01:06:47 pm »

Offhand, I would say you don't restrict document file types. Check your config settings; unless absolutely necessary, I would not allow any documents to be uploaded. You also need to contact your host; they don't have the server properly configured (archives are being parsed as PHP).

Both of your statements are correct. Another thing I have realized is that when this file was uploaded via Coppermine, I had deleted it immediately via the Coppermine interface. However, the file remained on my server (and somehow Google found it).
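Two defensive checks that follow from this exchange (restricting upload types, and the file surviving on disk after deletion through the gallery), as an added example that is not Coppermine's own upload code. On Apache, `AddHandler` for `.php` matches that extension anywhere in the name, not only at the end, so names such as a.php.ram and a.php.gz run as PHP on a server configured that way; the validator therefore refuses any dotted component that names a script type, and only accepts an allow-listed image extension last. The scanner finds such names already present under an upload directory. The allow-list, the script-extension list and the constructed directory tree are my assumptions.

```python
"""Refuse double-extension uploads and find any already on disk.

Added example, not code from Coppermine or the forum posts. ALLOWED_EXTENSIONS
and SCRIPT_EXTENSIONS are assumptions to adjust to your gallery; the directory
tree built in demo_scan() is constructed for the demonstration.
"""
import os
import re
import tempfile

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps", "pl", "cgi", "sh", "py"}
# base.ext[.ext...]: no path separators, no leading dot, no empty components
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$")


def is_safe_upload_name(name):
    """True only if the last extension is allow-listed and no component names a script type."""
    if not SAFE_NAME.match(name):
        return False
    parts = name.lower().split(".")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(p in SCRIPT_EXTENSIONS for p in parts[:-1])


def find_script_named_files(root):
    """Walk root and return relative paths whose name has a script extension in any component."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            parts = f.lower().split(".")
            if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo_scan():
    """Build a constructed gallery tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "albums", "userpics", "10001"))
        for rel in ("albums/userpics/10001/holiday.jpg",
                    "albums/userpics/10001/a.php.ram",
                    "albums/userpics/10001/a.php.gz",
                    "albums/readme.txt"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("constructed content\n")
        return find_script_named_files(root)


if __name__ == "__main__":
    for n in ("holiday.jpg", "a.php.ram", "a.php.gz", "a.php.jpg", "report.doc"):
        print(n, is_safe_upload_name(n))
    print(demo_scan())   # ['albums/userpics/10001/a.php.gz', 'albums/userpics/10001/a.php.ram']
```

Point the scanner at the upload directory only (the application's own `.php` files elsewhere would otherwise appear in the list), and compare its output with what the gallery database believes exists so that orphaned files like the one described above are found. The server-side companion to the name check is to turn off script execution in the upload directory, for example with `php_flag engine off` in that directory's Apache configuration, which is the change to ask the host for when archives or media files are being parsed as PHP.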