Hi all
I am running the most recent version of coppermine and I've noticed some strange activity on my access log today:
"GET /coppermine/index.php?cat=14 HTTP/1.1" 200 53193 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30301 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
"GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
"GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
"POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
(and is then repeated two or three times in a five minute window all from the same IP address based in Russia)
I went in through my FTP client and there is a new folder in plugins called 'receive' with a CHMOD of 777
I checked through all my other files/files and according to the FTP nothing else has been modified. I've not been able to delete the new folder as my webhost is looking into it but I have deleted update.php and pluginmgr.php so if they do come back they'll have to find another way in.
What can I do to protect myself from this sort of thing in the future? And are there any other security steps I can put in place?
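One concrete step is to watch the access log for exactly the pattern shown above: a single client hammering pluginmgr.php?op=upload and update.php and then probing under /plugins/ for files that are not there. The following is an added example (not part of the original post or of Coppermine itself) that parses combined-format Apache log lines and flags such clients; the sample lines are constructed and carry made-up IPs and timestamps, since the excerpt above omits those fields.

```python
import re
from collections import defaultdict

# Apache "combined" log layout; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_plugin_abuse(lines, upload_threshold=2):
    """Return {ip: counters} for clients that POST to pluginmgr.php?op=upload at
    least `upload_threshold` times, or that upload and then hit 404s under /plugins/."""
    uploads, probes_404, updates = defaultdict(int), defaultdict(int), defaultdict(int)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        path, query = (rec["path"].split("?", 1) + [""])[:2]
        ip = rec["ip"]
        if rec["method"] == "POST" and path == "/coppermine/pluginmgr.php" and "op=upload" in query:
            uploads[ip] += 1
        elif path == "/coppermine/update.php":
            updates[ip] += 1  # the installer/updater should not be reachable after setup
        elif path.startswith("/coppermine/plugins/") and rec["status"] == "404":
            probes_404[ip] += 1  # checking whether a dropped file landed
    alerts = {}
    for ip in set(uploads) | set(probes_404):
        if uploads[ip] >= upload_threshold or (uploads[ip] and probes_404[ip]):
            alerts[ip] = {"uploads": uploads[ip], "plugin_404s": probes_404[ip],
                          "update_hits": updates[ip]}
    return alerts

# Constructed sample log (documentation-range IPs, invented timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2010:13:55:01 +0000] "GET /coppermine/index.php?cat=14 HTTP/1.1" 200 53193 "-" "Mozilla/8.0"
192.0.2.10 - - [10/Oct/2010:13:55:03 +0000] "GET /coppermine/update.php HTTP/1.1" 200 30289 "-" "Mozilla/8.0"
192.0.2.10 - - [10/Oct/2010:13:55:04 +0000] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
192.0.2.10 - - [10/Oct/2010:13:55:05 +0000] "GET /coppermine/plugins/docs.php HTTP/1.1" 404 1046 "-" "Mozilla/8.0"
192.0.2.10 - - [10/Oct/2010:13:55:06 +0000] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 25204 "-" "Mozilla/8.0"
198.51.100.7 - - [10/Oct/2010:14:02:11 +0000] "GET /coppermine/thumbnails.php?album=3 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_plugin_abuse(SAMPLE_LOG).items():
        print(f"suspicious client {ip}: {info}")
```

Run it against a real access.log (one line per list entry) and any IP it reports is a candidate for blocking at the web server or host firewall, after which the plugins directory should be compared against a clean copy of the same release.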