Print

[sdkester]

Hello all,

This morning when opened my photo gallery I got this error:

Coppermine critical error:
Unable to connect to database !

MySQL said: Too many connections

I average 40-50 MB per month of traffic. This month I'm only up to 37MB. The gallery is/was located at http://www.skester.com/photos.

I went into the admin side of my website only to find that the databases are gone. Everything that is mySQL has been erased. Users, databases, everything.

Now I've got my site host working on it, but I wanted to bring this to the experts.

I'm using cpg 1.2.1 stand-alone. Is there a vulnribility that allows some script kiddie to wipe out the databases?

How can I help you help me?

Thank you.

[Joachim Müller]

There's no known vulnerability (which means that we don't know of such a vulnerability, but of course there could be one we don't know of). More likely is a brute force password attack: did you have a weak password for your coppermine admin account, phpMyAdmin or your mySQL user? Weak passwords are words that are short and easy to guess or that exist in a dictionary. Strong passwords don't mean a thing, they have upper and lower case chars, numbers and special chars in them. There has been a discussion on how long a password is suppossed to be, imo you should go for 8 characters.
To find out what actually happened, take a look into your server logs. Please report back here if your webhost has found out what happened.

GauGau

[sdkester]

My password is not in a dictionary. It is a random combo of numbers intermixed with letters 11 characters long. I've been in IT for a couple of years now to know better then "cat" as a password. LOL.

GauGau, thanks for the response. If I find out anything, I'll be sure to post it. It looks as though he got into the phpMySQL admin. He not only hit the coppermine DBs, but the Horde webmail, etc. Essentially, his attack was limited to mySQL, so it may be more of an issue there then coppermine. I guess what makes me the most mad is the randomness/immaturity of it all. Very aggravating.

He even sent a "taunting" (for lack of a better word) email. It says:

Do you like Horses? I do but I dont like cows.

His email was jmelocik@yahoo.com.

I say that only for reference in case anyone else it watching this thread and had a similiar experience.

Thanks again for your response during this frustrating investigation.

Shaun

[Joachim Müller]

just for the record: I added an admin settable threshold for failed logins and duration of the period an IP address is then temporarily banned to the devel branch - will be in cpg1.4

GauGau

[sdkester]

Five days and still nothing back from the hosts. It would seem they are as stumped as I. If it was just as you say, then the new feature will at least make it tougher.

I not only use coppermine for my site, but for two other sites I built and maintain as a volunteer for non-profit groups. I would like to honestly be able to tell them I've done all I can to make their sites secure. I am pleasantly surprised over the response and attention you've given to this matter. I will continue to champion the use of coppermine in all the sites I build.

Thank you.

[sdkester]

The final word from my hosts, deafening-urge.net.

Hello,

I'm sorry to say, but it is impossible to know exactly what happened. The logs do not show any sign of a hacking attempt, however this does not mean there was not one.

There could very well be a flaw in the code which allowed someone to inject a MySQL query into your database causing it to delete itself. However it is not likely that it deleted other databases unless they all had the same username and password.

A brute force hacking attempt is possible and could have been happening without your knowledge for some time now, the best option there is to simply change your password every few weeks, once a month is really optimal. A lot of script have built in means for protecting against brute force hacks, and I know that the majority of scripts I write have a built in log to keep track of login attempts. I then have checks to make sure no one is trying random passwords.

You mentioned in your last response that the script's creators added a new feature to it to only allow a certain number of login attempts per IP address, this should definitely help in the case of a brute force attack.

While I fully support open source software that is freely distributed, one major problem with it is the fact that anyone can download it and find out exactly what makes it tick. This can be both good and bad depending on how you use this information. If you look at certain open source project, such as XMB, a popular forum -- its been riddled with security flaw after security flaw. This can be blamed on poor coding, but also the fact that its open source and extremely popular. If some input field isn't checked properly, a hacker could inject code into your script, which it will parse.

It is the job of the creator of the script to help to ensure things like this do not happen.

Mind you nothing is fool proof, and this type of stuff can happen no matter how secure and safe a script is.

Sorry for any inconvenience this has caused you, I would go ahead and reinstall the script, and make sure you keep up on any upgrades that coppermine releases.

Thank you,
-Tom
--------------------------------

Well...Live and learn I guess. As I stated in my last post, I will rebuild coppermine on my server and start over. Thanks everyone!