@ Joachim:- I followed your instructions to the letter. But my configuration settings have been changed again. I have attached two SQL dumps which show the changes made (I edited out my email address). Happened at 09:00 UTC. As a safety precaution, I am still denying the webserver write-access to any files at the moment, so no files have been altered - which means I can't tell you whether the upload issue is still affecting us or not. However, I studied my logs very carefully...
195.5.117.252 - - [12/Apr/2008:08:57:33 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:37 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 23507 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:40 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22292 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:45 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22244 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:48 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:57:34 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:51 +0100] "GET /coppermine/?ff=1 HTTP/1.1" 200 26233 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:56 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:59:01 +0100] "GET /coppermine/displayimage.php?album=lastup&cat=0&pos=0 HTTP/1.1" 200 42567 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:59:05 +0100] "GET /coppermine/ HTTP/1.1" 200 25783 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:04:57 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:02 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 23507 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:04 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22292 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:07 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:10 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22244 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:13 +0100] "GET /coppermine/displayimage.php?album=lastup&cat=0&pos=0 HTTP/1.1" 200 42566 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:05:00 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:15 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 23507 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:18 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22292 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:22 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:25 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22244 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:27 +0100] "GET /coppermine/displayimage.php?album=lastup&cat=0&pos=0 HTTP/1.1" 200 42568 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
I suspect that the 1.4.17 patch only addresses one vulnerability. I think there may be another hack that involves update.php in some way. Note how each attack commences with a GET of update.php. Perhaps it's this that allows the attacker to alter the config settings. Also, I am slightly concerned that a file that writes such significant changes to my database can be accessed by the world in the first place. Indeed, it seems you can visit any Coppermine-powered site and run their update.php with no permissions at all. Interestingly, the subject of deleting "update.php" was discussed a while ago:- http://coppermine-gallery.net/forum/index.php?topic=34169.0 I may try deleting mine if we are attacked again.
Anyway my site is http://www.garfnet.org.uk/coppermine and my server info is as follows:-
- Linux 2.6.18-6-686 #1 SMP Sun Feb 10 22:11:31 UTC 2008 i686 GNU/Linux
- Apache/2.2.3 Server built: Jan 27 2008 18:13:21
- mysql Ver 14.12 Distrib 5.0.32, for pc-linux-gnu (i486) using readline 5.2
- PHP 5.2.0-8+etch10 (cli) (built: Jan 18 2008 18:52:58) Zend Engine v2.2.0 with Suhosin v0.9.12
- Coppermine v1.4.17
Best wishes, G
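As an added example (not code from this post or from the Coppermine project), here is a small log check that applies the observation above to Apache combined-format lines: it groups requests per client and flags a GET of update.php followed within a few minutes by POSTs to upload.php or admin.php. The log-line regex, the sample lines and the five-minute window are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (the layout the post's lines use); regex is this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines modelled on the post's log; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2008:08:57:33 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "Opera/9.27"
192.0.2.10 - - [12/Apr/2008:08:58:37 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 23507 "-" "Opera/9.27"
192.0.2.10 - - [12/Apr/2008:08:58:48 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "Opera/9.27"
198.51.100.7 - - [12/Apr/2008:09:10:09 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 23507 "-" "Mozilla/5.0"
203.0.113.4 - - [12/Apr/2008:11:00:00 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "curl/7.18"
203.0.113.4 - - [12/Apr/2008:11:45:00 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "curl/7.18"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_update_then_post(log_text, window=timedelta(minutes=5)):
    """Return {ip: [(update_ts, post_ts, path), ...]} for every client that GETs update.php
    and then POSTs to upload.php or admin.php within `window` (the sequence seen in the post)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = defaultdict(list)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])  # the post's lines are not in time order
        for i, r in enumerate(recs):
            if r["method"] != "GET" or not r["path"].endswith("/update.php"):
                continue
            for f in recs[i + 1:]:
                if f["ts"] - r["ts"] > window:
                    break
                if f["method"] == "POST" and f["path"].endswith(("/upload.php", "/admin.php")):
                    hits[ip].append((r["ts"], f["ts"], f["path"]))
    return dict(hits)
```

A client that only POSTs without the preceding update.php GET, or whose POST comes long after it, is left out, so the check is a starting point for triage rather than a complete rule.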