Print

[Nancy]

Hello! First, sorry if this is posted in the wrong section. I'm new...

My site's gallery has been hacked. This isn't the first time, it happens to be the third time. The last 2 times, we had no idea how to fix it and just installed a new gallery. The latest hack, the main page was just hacked and it looks like our pictures were still there.  I didn't bother to put the style sheet back up because I was too aggravated. Time passed, I wanted to put the Gallery back up and now this shows:

Coppermine critical error:
Unable to connect to database !

MySQL said: Access denied for user: '******@localhost' (Using password: YES)

I read tutorials everywhere. From changing the password and stuff. I'm still confused. I'm not an expert on all this MySQL databases and php stuff. I just want to know how to fix it. I really don't want to lose the gallery and lose all our hits. It's very frustrating to keep getting hacked. Is there anyway to stop people from hacking our Gallery?

Can anyone please help me get my Gallery back up. Any help is appreciated of how to do it step by step. Also, can you explain in "dummy" terms because I'll still be confused. Sorry.

[Joachim Müller]

without knowing what the hacker did it's hard to recommend anything. Post more details. Make sure not to use trivial passwords. Re-upload a backup of your files. Change the admin password and the mysql password. Edit include/config.inc.php to reflect your password changes. Scan the files on your webserver for backdoor scripts.

[Nancy]

When we went to our page, the main page was hacked. I found the index file. This is what it said:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Documento sin t&iacute;tulo</title>
</head>

<body>
<p align="center">hOHOhOHOHOHOhO</p>
<p align="center">Happy HACK !!!!</p>
<p align="center">&nbsp;</p>
<p align="center"><strong>AgReSsOr</strong> &amp; <strong>Emi_shalala</strong><br />
was here and *beep* with ur box !!!</p>
<p>&nbsp;</p>
<p>root@server4 [~]# uname -a;id;uptime;w<br />
  Linux server4.dnssecure4.info 2.6.10dn #1 SMP Thu Feb 17 16:46:53 EST 2005 i686 i686 i386 GNU/Linux<br />
  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)<br />
22:55:59 up 3 days, 23:01,  0 users,  load average: 0.21, 0.27, 0.34<br />
22:55:59 up 3 days, 23:01,  0 users,  load average: 0.21, 0.27, 0.34<br />
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT<br />
root@server4 [~]#</p>
<p align="center">&nbsp;</p>
<p align="center"><img alt="http://tbc-labz.net/kiddie.gif" src="http://tbc-labz.net/kiddie.gif" /></p>
<p align="center">irc.h4x0r.cl 6667<br />
  #pc_labs</p>
<p align="center">&nbsp;</p>
<p align="center">PD:And remember god dont love u <strong></strong></p>
</body>
</html>


I wish I can get that stupid person who did it.

I tried changing the MySQL passwords 900 times but still wasn't working. I just changed the admin password and I found a backup of the Gallery. I'm uploading it now to see what happens.

How do you scan your server? Thanks for replying.

[kegobeer]

Don't allow any document uploads.  Check your config settings, and remove "ALL" from allowed document types.  Look for any archive files (rar, gz, zip) and remove them.  You must change all of your passwords (FTP, MySQL, cPanel, etc) and make sure to remove any users that you haven't created yourself.

[condomax]

I was just apprised by my ISP that one of my virtual hosts had been hacked in a similar fashion to what has been described in this thread and others. A file called img.php.rar was installed in a directory under userpics by a new user called 'quad.' I had 'require email confirmation of new users' turned on, and the email address given by the moron was wquadw@yahoo.com. Interestingly enough, if you do a Google search on 'img.php.rar' you'll find lots and lots of galleries out there into which the same file has been uploaded (galleries which are no doubt hacked), some also having directories called 'quad'. My ISP took ownership of userpics and set it to mode 0 until we get this straightened out. I have since then disabled new user registrations--which I don't really need--and I have disallowed any file types other than jpg/gif/png/bmp. Is there anything else I need to do before I assure my ISP that I've done all I can?

Based on the ubiquitousness of this hacking experience, as evidenced by the aforementioned Google search, I am suggesting that a sticky thread be created for this issue and that the other related threads be merged into it. It is hard to think of everything when faced with the broad array of configuration options in Coppermine, and a well placed caveat would serve users well. Being hacked is an invasive, horrifying experience, particulary for the non-technical user. This is the only place they can turn when things go wrong involving Coppermine. Thus, I hope you will take my suggestion seriously and act on it accordingly.

Thanks for a fine product that has served me well through the years. I have no complaints, inasmuch as my failure to disallow dangerous file types was an error of omission on my part.