
Author Topic: [Solved]: Is someone trying to hack my site?  (Read 2406 times)


kali

  • Coppermine newbie
  • Posts: 17
[Solved]: Is someone trying to hack my site?
« on: April 07, 2008, 12:16:29 am »

Hi all

I am running the most recent version of Coppermine and I've noticed some strange activity in my access log today:

Code:
"GET /coppermine/index.php?cat=14 HTTP/1.1" 200 53193 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30301 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
(and is then repeated two or three times in a five minute window all from the same IP address based in Russia)

I went in through my FTP client and there is a new folder in plugins called 'receive' with a CHMOD of 777.

I checked through all my other files/files and according to the FTP nothing else has been modified. I've not been able to delete the new folder as my webhost is looking into it but I have deleted update.php and pluginmgr.php so if they do come back they'll have to find another way in.

What can I do to protect myself from this sort of thing in the future? And are there any other security steps I can put in place?

« Last Edit: April 07, 2008, 07:53:58 am by Joachim Müller »
Logged

Nibbler

  • Guest
Re: Is someone trying to hack my site?
« Reply #1 on: April 07, 2008, 12:44:34 am »

It's harmless. Just because the logs show someone tried to access something doesn't mean they did anything. receive is a normal part of Coppermine.
Logged
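
A way to check what log lines like those in the first post actually record, as an added example that is not part of the thread or of Coppermine's code: it counts the upload POSTs by status and separates requests under plugins/ that were served from those that returned 404. The `triage` and `verdict` helpers and the verdict labels are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the trimmed log lines from the first post (no client IP or timestamp).
SAMPLE = '''\
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30301 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
'''

# Request line and status; also matches full combined-format lines.
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(text):
    """Yield (method, path, query, status) for each line that matches."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            path, _, query = m["target"].partition("?")
            yield m["method"], path, query, int(m["status"])

def triage(text, plugin_dir="/coppermine/plugins/"):
    """Count upload POSTs by status; split plugin_dir probes into served vs. missing."""
    report = {"upload_posts": Counter(), "served": [], "missing": Counter()}
    for method, path, query, status in parse(text):
        if method == "POST" and path.endswith("/pluginmgr.php") and "op=upload" in query:
            report["upload_posts"][status] += 1
        elif method == "GET" and path.startswith(plugin_dir):
            if 200 <= status < 300:
                report["served"].append(path)   # file exists and was served: inspect it
            elif status == 404:
                report["missing"][path] += 1    # server had no such file
    return report

def verdict(report):
    """Heuristic label (an assumption of this example, not a Coppermine feature)."""
    if report["served"]:
        return "investigate"       # something under plugin_dir answered the probe
    if report["upload_posts"]:
        return "attempts-only"     # uploads were tried, no probe was served
    return "no-upload-activity"

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(dict(r["upload_posts"]), dict(r["missing"]), verdict(r))
```

The label only summarises this slice of the log; a file dropped under a different name would not show up unless it was requested.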

slausen

  • Coppermine regular visitor
  • Posts: 67
Re: Is someone trying to hack my site?
« Reply #2 on: April 07, 2008, 12:47:59 am »

Wow.

Does pluginmgr.php allow uploads from non-Admin users? Is that behavior intentional? If so, that would seem to be a major security hole. I was just about to start an upgrade to the current version to take advantage of all the security fixes, and then I see your post...
Logged

Nibbler

  • Guest
Re: Is someone trying to hack my site?
« Reply #3 on: April 07, 2008, 01:13:09 am »

Of course not. Read what I wrote.
Logged

slausen

  • Coppermine regular visitor
  • Posts: 67
Re: Is someone trying to hack my site?
« Reply #4 on: April 07, 2008, 07:32:36 am »

> It's harmless. Just because the logs show someone tried to access something doesn't mean they did anything. receive is a normal part of Coppermine.

Great, thanks.
Logged

kali

  • Coppermine newbie
  • Posts: 17
Re: Is someone trying to hack my site?
« Reply #5 on: April 07, 2008, 08:00:45 am »

> It's harmless. Just because the logs show someone tried to access something doesn't mean they did anything. receive is a normal part of Coppermine.

Thank you for your reply. I'm usually not too worried about this sort of thing, however, the 'receive' folder was saying it was modified at exactly the same time (although there was nothing in it) which is what caused the alarm bells to ring.
Logged
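
The file-system check described in the thread (what changed around the time of the requests, and what is world-writable), as an added example that is not part of the thread or of Coppermine: the `audit` function, the gallery path and the time window are assumptions. Modification times can be reset by anyone with write access, so an empty result narrows the search rather than proving nothing changed.

```python
import os
import stat
from datetime import datetime

def audit(root, window_start, window_end):
    """Return (changed, world_writable): paths relative to root, sorted.

    changed        - entries whose mtime falls inside [window_start, window_end]
    world_writable - entries with the o+w bit set (for example mode 777)
    """
    lo, hi = window_start.timestamp(), window_end.timestamp()
    changed, world_writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                  # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue                         # a symlink's own mode is not meaningful
            rel = os.path.relpath(full, root)
            if lo <= st.st_mtime <= hi:
                changed.append(rel)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)
    return sorted(changed), sorted(world_writable)

if __name__ == "__main__":
    # Hypothetical gallery path and window; take the real window from the
    # timestamps of the suspicious requests in the access log.
    changed, writable = audit("/var/www/coppermine",
                              datetime(2008, 4, 6, 23, 0),
                              datetime(2008, 4, 7, 0, 30))
    print("modified in window:", changed)
    print("world-writable:", writable)
```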