Author Topic: [Solved]: What to do after exploit  (Read 1774 times)


Bri32560

[Solved]: What to do after exploit
« on: March 03, 2009, 02:07:59 am »

I have looked at the docs and FAQs and searched, so if I missed the information I am sorry for that; I tried.
Here is what I am trying to find.  Some time back my site was hacked and as a result several lines of code were added to every php file in every folder on my site.  After some reading I came to the conclusion that they got in through wordpress so I deleted and reinstalled wordpress.
Today, for a lack of knowing what to do, I was going through every folder and every file and removing the code that had been placed in each, and I ran across several files and folders in coppermine in the incudes/modules folder that do not belong, so that leads me to think the exploit was actually through coppermine. There are a couple of .htaccess files and php files and a lot of html files.
What I am trying to find out is the proper way to fix all of this?
1) Clean each file one by one? Takes a long time but would save all the setup I have done.
2) Delete and install from scratch?  Would have to set up again and add the themes and changes I made some 3 years ago.
Are there any other options?
If I save the files that it tells me to in the upgrade docs, how much will that save that I don't have to set up?

I am just looking for some advice or how-tos.
A script that would undo everything they did would be nice but I would be shocked if that exists.

Thank You for any help or advice you can give me.

PS: I also run smf heavily modded as well as flashchat.  Everything else I have removed trying to stop this.

I would be happy to give you any more information you might need to help.
 
« Last Edit: March 04, 2009, 09:15:08 am by Joachim Müller »

Fabricio Ferrero

Re: What to do after exploit
« Reply #1 on: March 03, 2009, 02:13:11 am »

You should have posted a link to your gallery. Anyway, read --> Yikes, I've been hacked! Now what?

Bri32560

Re: What to do after exploit
« Reply #2 on: March 03, 2009, 11:52:05 am »

Thank You very much for the link and the help.  There is a lot of useful information, links and tools.  After reading through it all I think I will be able to get my gallery cleaned and back in order.
I have one more question, if anyone wouldn't mind helping with it.  It isn't really a coppermine question so I hope it is ok to ask. While reading through and following all the links in that thread there was a program referenced called replace in files.  I downloaded and tried that program and it works great.  I thought I might be able to clean all the files in the rest of my site using it but found that while it removes all the inserted code at the beginning of each of my php files it also leaves line 1 blank and leaves <?php on line 2.  I searched and found several other programs that do the same thing as replace in files but none seemed to work for various reasons, like the search text is too large and so on.
Is there a program like replace in files that can handle large multi-line files?  I have my site downloaded to my computer and just need to clean the rest of the files after I finish following the instructions you gave me in the link.

Thank You again for your help, I don't mind putting in the work I just need a little help in the right direction.

Joachim Müller

Re: What to do after exploit
« Reply #3 on: March 04, 2009, 09:14:53 am »

We have a strict "one question per thread" policy that you agreed to respect when signing up, so yes: we do mind that you post another unrelated question here. You should have started another thread, although we don't support third party software. The reference to "replace in files" by Emura was provided as a courtesy - we don't want this forum to be used to review issues with other apps.
Let me just say that I have used "replace in files" many times over and that it works exactly as advertized for me - I can not confirm what you say. However, I'm not aware of another tool under Windows that can do the same. On Linux, I use
Code:
find /path/to/folder/ -maxdepth 3 -name "*.php" -print0 | xargs -0 sed -i 's/string that I want to search for/string that I want to replace stuff with/g'
but that's probably not an option for you.

Locking.
Logged
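
Added example (not part of the thread and not Coppermine code): a cross-platform way to remove one known, multi-line injected block from every .php file in a downloaded copy of a site, including the blank first line the poster describes. The function names and SAMPLE_BLOCK are hypothetical; the block text would be copied from one infected file.

```python
import os
import shutil
import tempfile

# Constructed, harmless stand-in for the block an admin copied out of one infected file.
SAMPLE_BLOCK = "<?php /* constructed-marker-start */\n$placeholder = 1;\n/* constructed-marker-end */ ?>"

def clean_text(text, injected):
    """Remove every exact copy of `injected`, matching LF and CRLF line endings.
    Returns (cleaned, changed)."""
    unix = injected.replace("\r\n", "\n")
    cleaned = text
    for variant in (unix, unix.replace("\n", "\r\n")):
        cleaned = cleaned.replace(variant, "")
    if cleaned == text:
        return text, False
    # The block sat in front of the real opening tag; drop the blank line it
    # leaves so the file starts with "<?php" again and emits no stray output.
    if cleaned.lstrip().startswith("<?php"):
        cleaned = cleaned.lstrip()
    return cleaned, True

def clean_tree(root, injected, suffix=".php"):
    """Clean files under `root`; keep a .bak copy of each changed file.
    Returns the sorted list of modified paths for later review."""
    changed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 round-trips every byte; newline="" keeps line endings as stored
            with open(path, encoding="latin-1", newline="") as fh:
                text = fh.read()
            cleaned, hit = clean_text(text, injected)
            if hit:
                shutil.copy2(path, path + ".bak")
                with open(path, "w", encoding="latin-1", newline="") as fh:
                    fh.write(cleaned)
                changed.append(path)
    return sorted(changed)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample site
        with open(os.path.join(root, "index.php"), "w", newline="") as fh:
            fh.write(SAMPLE_BLOCK + "\n<?php echo 'gallery';\n")
        print(clean_tree(root, SAMPLE_BLOCK))
```

Run it against the local copy only, and leave the .bak files out of any upload since they still contain the injected block. Files the attacker added outright (the extra .htaccess, php and html files mentioned in the first post) are not touched by this and still have to be found and deleted.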