Security threat: "This site is defaced" [NeverEverNoSanity WebWorm]
Started by sion3000, December 21, 2004, 10:28:21 PM

sion3000

Hi

I went onto my Coppermine photo gallery today and I was shocked to notice that instead of taking me to the usual front page, it gave me a message :'(
========
This site is defaced!!!

--------------------------------------------------------------------------------

NeverEverNoSanity WebWorm generation 16.

Fatal error: Call to undefined function: breadcrumb() in /files/home/sion3000/Coppermine/index.php on line 118
========

It gives almost the same error if you click a different link to get into the gallery.

The web site is: www.coolshots.co.uk and you can access the gallery by clicking any of the photos or by clicking Photo Gallery at the top of the page.
Direct link to the gallery is: www.coolshots.co.uk/Coppermine

I have had a quick look in the code but I am no expert, not even a novice really. Everything looks normal. I'm currently running version 1.2.1 ???


All ideas and solutions welcome.


Thanks and have a merry xmas.

Sion

[edit GauGau]
Changed this thread's subject from Need some advice with my coppermine gallery please to Security threat: "This site is defaced" [NeverEverNoSanity WebWorm] and made it a sticky.
[/edit]

kegobeer

Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Tranz

@sion3000, are you running a phpbb forum older than 2.0.11? I'm just trying to see if there is a pattern.

sion3000

I'm only running the Coppermine Gallery, no forums or anything else.
At the moment trying to find out what version of php the server uses where my site is hosted.

Thanks

Tranz

In coppermine, go to Admin Tools / phpinfo. It will tell you your php version.

sion3000

Hello again, well I've just been talking to my contacts at my ISP and they are telling me they have been hit by the worm; it's managed to get into the main server and overwrite everyone's PHP files, to some extent, apart from phpBB.

So I'm going to start looking for my backups!

Thanks for everyone's help. I think we can pretty much call this one solved!

thanks
Hope everyone has a great xmas and a happy new year!

gibblesmg

To my surprise I too have had the defaced page replace my photo gallery. I talked to my ISP who indicated that PHP 4.3.8 was safe, so I rebuilt my gallery again, only within 4 hours to have it shut down. I am not a PHP pro. Please help.

Aditya Mooley

Quote from: gibblesmg on December 22, 2004, 03:55:31 AM
To my surprise I too have had the defaced page replace my photo gallery. I talked to my ISP who indicated that PHP 4.3.8 was safe, so I rebuilt my gallery again, only within 4 hours to have it shut down. I am not a PHP pro. Please help.
The only solution to this is to upgrade to PHP 4.3.10 or more.
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter

Hein Traag


djcrash

Do I understand correctly that this problem is settled entirely by PHP 3.4.10? If so, I will write to the administrator by e-mail.
Please answer.

Joachim Müller


jack

Versions of the worm will deface any site it can find on a server. If someone else on your server has a vulnerable version of phpBB, and other countermeasures are not implemented by your server host, your site will be defaced through no fault of your own.

A newer version of the worm will install an IRC controlled DDOS bot instead (or as well as, I'm not sure yet) of defacing sites.

The worm will try any and every PHP file it can find, even though they are not necessarily phpBB. This will push your bandwidth usage through the roof. To guard against that, you can either edit each and every PHP file to just abort when it gets queried by the worm (easier said than done) or, if your host has mod_rewrite (most Apache installations do), put the following into a .htaccess file:


        RewriteEngine On

        # mod_rewrite tests %{QUERY_STRING} before URL-decoding, so the "%20"
        # is matched literally, exactly as the worm sends it.
        # Any request carrying the worm's "cd /tmp;" command payload in its
        # query string is refused with 403 Forbidden, whatever .php file it targets.
        RewriteCond  %{QUERY_STRING} &cmd=cd%20/tmp;
        RewriteRule  .* - [F,L]


This will block the three variants that I am aware of. I will update this if needed as time progresses.

Although this worm only affects phpBB, I would not consider php 4.3.8 'safe'. Hosts need to patch the problems in earlier versions or upgrade to 4.3.10
Please do not contact me for support directly - instead: post on this board!
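An added example, not code from this thread, from Coppermine or from phpBB: two checks a site owner on a shared host could run after the defacement described above. The first applies the same query-string signature that jack's .htaccess rule rejects ("&cmd=cd%20/tmp;") to Apache access-log lines, against the raw, still URL-encoded query string that mod_rewrite's %{QUERY_STRING} contains, so it flags the same requests the rule would block. The second walks a web root for .php files whose content was replaced by the defacement text quoted in the first post; an overwritten include (such as whichever file defined breadcrumb()) is consistent with a still-intact index.php dying with the "Call to undefined function" error sion3000 saw. The log lines, IP addresses and directory layout in demo() are constructed for this example; only the marker strings come from the thread.

```python
"""Added example, not code from the thread or from Coppermine/phpBB: two checks a
site owner on a shared host could run after the defacement described above.
Log lines and the directory layout in demo() are constructed for this example.
"""
import os
import re
import shutil
import tempfile

# Literal pattern from the RewriteCond in the thread. It is matched against the
# undecoded query string, so "%20" is matched as three characters, as sent.
WORM_QUERY_SIGNATURE = re.compile(r"&cmd=cd%20/tmp;")

# Text the worm writes into the PHP files it overwrites (quoted in the first post).
DEFACEMENT_MARKERS = (b"This site is defaced!!!", b"NeverEverNoSanity WebWorm")

# Apache common/combined log prefix: client, ident, user, [time], "request", status, bytes.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def find_worm_probes(log_lines):
    """Return (client IP, path, status) for each request the .htaccess rule would reject.

    Only the query string is inspected, so a probe against /Coppermine/index.php
    is flagged just like one against a phpBB script: the thread notes the worm
    tries every .php file it can find, not only phpBB."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        path, _sep, query = m.group("target").partition("?")
        if WORM_QUERY_SIGNATURE.search(query):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


def find_defaced_files(web_root):
    """Return web_root-relative paths of .php files that carry the defacement text.

    Every .php file is checked, not just the front page: an overwritten include
    is enough to turn a working index.php into the fatal error quoted above."""
    defaced = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(4096)  # the marker sits at the top of an overwritten file
            if any(marker in head for marker in DEFACEMENT_MARKERS):
                defaced.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(defaced)


# Constructed sample log: two worm probes (against phpBB and against the gallery,
# command payload shortened) and one ordinary gallery visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Dec/2004:20:11:02 +0000] '
    '"GET /phpBB/viewtopic.php?t=1&cmd=cd%20/tmp;wget HTTP/1.0" 200 5120',
    '198.51.100.9 - - [21/Dec/2004:20:11:05 +0000] '
    '"GET /Coppermine/index.php?cat=2&cmd=cd%20/tmp;ls HTTP/1.0" 200 8800',
    '192.0.2.44 - - [21/Dec/2004:20:12:30 +0000] '
    '"GET /Coppermine/displayimage.php?album=3&pos=1 HTTP/1.1" 200 14230',
]


def demo():
    """Run both checks on constructed data; returns (probes, defaced_files)."""
    probes = find_worm_probes(SAMPLE_LOG)
    root = tempfile.mkdtemp()  # hypothetical web root built just for this run
    try:
        os.makedirs(os.path.join(root, "Coppermine", "include"))
        # One intact file and one overwritten the way the thread describes.
        with open(os.path.join(root, "Coppermine", "index.php"), "w") as fh:
            fh.write("<?php\nrequire('include/init.inc.php');\nbreadcrumb();\n")
        with open(os.path.join(root, "Coppermine", "include", "init.inc.php"), "w") as fh:
            fh.write("This site is defaced!!!\n\nNeverEverNoSanity WebWorm generation 16.\n")
        defaced = find_defaced_files(root)
    finally:
        shutil.rmtree(root)
    return probes, defaced


if __name__ == "__main__":
    found_probes, found_defaced = demo()
    for ip, path, status in found_probes:
        print("worm probe from %s against %s (HTTP %d)" % (ip, path, status))
    for rel in found_defaced:
        print("overwritten: %s" % rel)
```

One caveat the script makes visible: the signature is copied exactly from the rule, including the leading "&", so a request whose cmd parameter is the first in the query string ("?cmd=cd%20/tmp;...") matches neither the rule nor this check. That is fine for the variants jack describes, but anyone generalising the rule should test it against their own logs rather than assume it catches every shape of the payload.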