
Author Topic: PHP Bulk Emailer in my userpic directory  (Read 24917 times)


Kursk

  • Translator
  • Coppermine newbie
  • **
  • Offline Offline
  • Posts: 14
    • anton-amy.com
PHP Bulk Emailer in my userpic directory
« on: December 25, 2006, 04:15:27 am »

Got notified today that my account was suspended. After some investigation, it happens that someone had uploaded a PHP bulk e-mailer into my userpic directory and started sending out eBay phishing scams.

PHP Bulk Emailer
From NukedWeb
http://www.nukedweb.com/
tim@nukedweb.com

How this happened I still can't figure out.
Any thoughts (besides the fact that it is an old cpg 1.3.1)?
« Last Edit: December 26, 2006, 11:04:17 pm by GauGau »
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: PHP Bulk Emailer in my userpic directory
« Reply #1 on: December 25, 2006, 09:53:50 am »

Any thoughts (besides the fact that it is an old cpg 1.3.1)?
None needed whatsoever :)
Logged
SANIsoft PHP applications for E Biz

Kursk

  • Translator
  • Coppermine newbie
  • **
  • Offline Offline
  • Posts: 14
    • anton-amy.com
Re: PHP Bulk Emailer in my userpic directory
« Reply #2 on: December 25, 2006, 07:21:20 pm »

None needed whatsoever :)
Thanks. I take it to mean once it's updated to cpg1.4.10 (which I did last night) I don't need to be worried anymore?
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: PHP Bulk Emailer in my userpic directory
« Reply #3 on: December 25, 2006, 08:04:17 pm »

Check for existing backdoors. Upgrading doesn't remove existing backdoors, it just protects you from falling victim to new ones.
Logged

Kursk

  • Translator
  • Coppermine newbie
  • **
  • Offline Offline
  • Posts: 14
    • anton-amy.com
Re: PHP Bulk Emailer in my userpic directory
« Reply #4 on: December 25, 2006, 08:17:58 pm »

albums/userpics is the only directory I was able to find that contained a php mailer. Any other possible locations?
« Last Edit: December 25, 2006, 08:38:22 pm by Kursk »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: PHP Bulk Emailer in my userpic directory
« Reply #5 on: December 26, 2006, 02:36:59 am »

If the attacker managed to place any PHP script on your server he might have infected your entire webspace. Therefore, possible locations are: the entire webspace.
Please keep in mind that cpg1.3.x is unsupported. Your issue comes from failing to upgrade in time (while there still was support).
Logged

Kursk

  • Translator
  • Coppermine newbie
  • **
  • Offline Offline
  • Posts: 14
    • anton-amy.com
Re: PHP Bulk Emailer in my userpic directory
« Reply #6 on: December 26, 2006, 03:57:18 am »

I see your point. CPG has been updated to 1.4.10 as soon as I've discovered the hole. The rest of the webspace besides CPG is the latest Joomla! release (no bridge).

Userpics seems logical as it allows for a user upload. My fault for not keeping up-to-date on the CPG and doing something that allowed for the upload of files other than what should have been uploaded. My question was more along the lines of any similarity to userpics' apparent vulnerability (in my case of course, as I'm not generalizing here).
Logged

Stramm

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 6006
    • Bettis Wollwelt
Re: PHP Bulk Emailer in my userpic directory
« Reply #7 on: December 26, 2006, 07:34:40 am »

As already said... if an attacker was able to upload a malicious script, then he's able to place it everywhere in your webspace. He can use this script to load other scripts, so do not only search in the albums dir.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: PHP Bulk Emailer in my userpic directory
« Reply #8 on: December 26, 2006, 10:09:10 am »

This is what you need to do: download all files that reside on your webspace to a folder on your hard-drive. Then use a diff viewer like WinMerge to compare all files, making sure that all code files do not differ between the forensic backup folder you just downloaded and the original sources you uploaded in the first place. Using the diff viewer, make sure that there are no surplus executable scripts in the forensic backup folder.
Logged
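The comparison described in Reply #8 (and the "search the entire webspace, not just the albums dir" advice from Replies #3, #5 and #7) can be automated instead of clicking through a diff viewer. The script below is an added example, not code from the Coppermine project or from anyone in this thread. It hashes every file in a clean copy of the original sources and in the forensic download of the webspace, then reports code files whose content changed, files that went missing, and surplus files, flagging surplus files with server-side script extensions. The set of script extensions, the sample directory layout and the planted files are all constructed for the demonstration; the real directory names on a hacked site are whatever the attacker chose.

```python
"""Compare a forensic download of a web root against the clean sources it was deployed from."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions treated as executable server-side code. This list is an assumption
# for the example; extend it to whatever your web server actually executes.
CODE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".inc", ".cgi", ".pl"}


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*") if p.is_file()
    }


def compare_webspace(clean_root, forensic_root):
    """Report modified, missing and surplus files; surplus_code is the list to look at first."""
    clean = index_tree(clean_root)
    forensic = index_tree(forensic_root)
    modified = sorted(p for p in clean if p in forensic and clean[p] != forensic[p])
    missing = sorted(p for p in clean if p not in forensic)
    surplus = sorted(p for p in forensic if p not in clean)
    surplus_code = [p for p in surplus if Path(p).suffix.lower() in CODE_EXTENSIONS]
    return {"modified": modified, "missing": missing,
            "surplus": surplus, "surplus_code": surplus_code}


def build_demo():
    """Constructed sample trees: a clean gallery and a forensic copy with tampering."""
    base = Path(tempfile.mkdtemp(prefix="cpg_demo_"))
    clean, forensic = base / "clean", base / "forensic"
    files = {
        "index.php": "<?php echo 'gallery'; ?>\n",
        "include/init.inc.php": "<?php define('IN_COPPERMINE', true); ?>\n",
        "albums/userpics/10001/avatar.jpg": "JPEGDATA",
    }
    for root in (clean, forensic):
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    # Constructed tampering in the forensic copy: a surplus script in the upload
    # directory, an altered include file, and a harmless extra image upload.
    (forensic / "albums/userpics/mailer.php").write_text("<?php /* constructed placeholder */ ?>\n")
    (forensic / "include/init.inc.php").write_text(
        "<?php define('IN_COPPERMINE', true); /* appended */ ?>\n")
    (forensic / "albums/userpics/10001/second.jpg").write_text("JPEGDATA2")
    return str(clean), str(forensic)


def demo_report():
    """Run the comparison over the constructed trees."""
    clean, forensic = build_demo()
    return compare_webspace(clean, forensic)


if __name__ == "__main__":
    for key, items in demo_report().items():
        print(f"{key}: {items or '-'}")
```

For a real site, point `compare_webspace` at the pristine package you originally unpacked and at the full download of the webspace, not only the Coppermine directory. Anything under `modified` that is a code file, and everything under `surplus_code`, needs a look; legitimate user uploads (images) show up under `surplus` and are expected, which is why the two lists are separated.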

Kursk

  • Translator
  • Coppermine newbie
  • **
  • Offline Offline
  • Posts: 14
    • anton-amy.com
Re: PHP Bulk Emailer in my userpic directory
« Reply #9 on: December 26, 2006, 09:16:12 pm »

Thank you all.
Logged