Gallery has been hacked

Started by Nancy, April 02, 2006, 01:42:35 AM


Nancy

Hello! First, sorry if this is posted in the wrong section. I'm new...

My site's gallery has been hacked. This isn't the first time; it happens to be the third time. The last 2 times, we had no idea how to fix it and just installed a new gallery. In the latest hack, the main page was just hacked and it looks like our pictures were still there. I didn't bother to put the style sheet back up because I was too aggravated. Time passed, I wanted to put the Gallery back up and now this shows:

Coppermine critical error:
Unable to connect to database !

MySQL said: Access denied for user: '******@localhost' (Using password: YES)

I read tutorials everywhere, from changing the password and stuff. I'm still confused. I'm not an expert on all this MySQL database and PHP stuff. I just want to know how to fix it. I really don't want to lose the gallery and lose all our hits. It's very frustrating to keep getting hacked. Is there any way to stop people from hacking our Gallery?

Can anyone please help me get my Gallery back up. Any help is appreciated of how to do it step by step. Also, can you explain in "dummy" terms because I'll still be confused. Sorry. :(

Joachim Müller

Without knowing what the hacker did it's hard to recommend anything. Post more details. Make sure not to use trivial passwords. Re-upload a backup of your files. Change the admin password and the MySQL password. Edit include/config.inc.php to reflect your password changes. Scan the files on your webserver for backdoor scripts.
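The last step in that reply, scanning the webserver files for backdoor scripts, is the one a non-technical user is least likely to know how to start. The script below is an added example, not code from Coppermine or from anyone in this thread; it assumes a Unix shell on the web host (or on a copy of the files downloaded by FTP) and that the web root path is passed as the first argument. The pattern list covers constructs that are common in PHP web shells; a hit means "open this file and read it", not "this file is definitely a backdoor".

```shell
#!/bin/sh
# Added example (not Coppermine's code): a first-pass scan of a web root after
# a defacement. Two checks, both cheap and both easy to read by hand:
#   1. PHP-like files that contain constructs typical of web shells
#   2. files modified recently, which catches the defaced index and any
#      dropped scripts regardless of what they contain
# Pattern list and file name globs are assumptions for this example.

# Function names that appear in most PHP backdoors, required to be followed by
# an opening parenthesis and not preceded by an identifier character, so that
# "filesystem(" or "my_eval(" do not match.
SHELL_PATTERNS='(^|[^A-Za-z0-9_])(eval|assert|base64_decode|gzinflate|str_rot13|passthru|shell_exec|system|exec|popen|proc_open)[[:space:]]*\('

# Print every PHP-like file under $1 whose contents match SHELL_PATTERNS.
# '*.php.*' is included on purpose: a name such as img.php.rar is still
# a PHP file as far as a typical Apache AddHandler setup is concerned.
find_suspicious_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.php.*' -o -name '*.phtml' \) \
        -exec grep -lE "$SHELL_PATTERNS" {} + 2>/dev/null
}

# Print every file under $1 modified within the last $2 days (default 7).
# Compare the list against what you uploaded yourself; anything else is
# either the attacker's work or something the application wrote.
find_recently_modified() {
    find "$1" -type f -mtime -"${2:-7}" 2>/dev/null
}

# Usage: sh scan.sh /path/to/webroot [days]
if [ $# -gt 0 ]; then
    echo "== PHP files with web-shell constructs under $1 =="
    find_suspicious_php "$1"
    echo "== files modified in the last ${2:-7} days under $1 =="
    find_recently_modified "$1" "${2:-7}"
fi
```

Run it from a copy of the site as well as on the live host if you can: a backdoor can rewrite its own timestamps, but the FTP copy you pull down and the backup you uploaded originally give you something to diff against. Whatever the scan finds, the passwords (FTP, MySQL, gallery admin, control panel) still have to be changed, because the defacement page shows the attacker claiming root on the box, and a root compromise is the hosting provider's problem to confirm or rule out, not something a file scan can settle.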

Nancy

When we went to our page, the main page was hacked. I found the index file. This is what it said:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Documento sin t&iacute;tulo</title>
</head>

<body>
<p align="center">hOHOhOHOHOHOhO</p>
<p align="center">Happy HACK !!!!</p>
<p align="center">&nbsp;</p>
<p align="center"><strong>AgReSsOr</strong> &amp; <strong>Emi_shalala</strong><br />
was here and *beep* with ur box !!!</p>
<p>&nbsp;</p>
<p>root@server4 [~]# uname -a;id;uptime;w<br />
  Linux server4.dnssecure4.info 2.6.10dn #1 SMP Thu Feb 17 16:46:53 EST 2005 i686 i686 i386 GNU/Linux<br />
  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)<br />
22:55:59 up 3 days, 23:01,  0 users,  load average: 0.21, 0.27, 0.34<br />
22:55:59 up 3 days, 23:01,  0 users,  load average: 0.21, 0.27, 0.34<br />
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT<br />
root@server4 [~]#</p>
<p align="center">&nbsp;</p>
<p align="center"><img alt="http://tbc-labz.net/kiddie.gif" src="http://tbc-labz.net/kiddie.gif" /></p>
<p align="center">irc.h4x0r.cl 6667<br />
  #pc_labs</p>
<p align="center">&nbsp;</p>
<p align="center">PD:And remember god dont love u <strong>;)</strong></p>
</body>
</html>


I wish I could get that stupid person who did it.

I tried changing the MySQL passwords 900 times but still wasn't working. I just changed the admin password and I found a backup of the Gallery. I'm uploading it now to see what happens.

How do you scan your server? Thanks for replying.

kegobeer

Don't allow any document uploads.  Check your config settings, and remove "ALL" from allowed document types.  Look for any archive files (rar, gz, zip) and remove them.  You must change all of your passwords (FTP, MySQL, cPanel, etc) and make sure to remove any users that you haven't created yourself.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

condomax

I was just apprised by my ISP that one of my virtual hosts had been hacked in a similar fashion to what has been described in this thread and others. A file called img.php.rar was installed in a directory under userpics by a new user called 'quad.' I had 'require email confirmation of new users' turned on, and the email address given by the moron was wquadw@yahoo.com. Interestingly enough, if you do a Google search on 'img.php.rar' you'll find lots and lots of galleries out there into which the same file has been uploaded (galleries which are no doubt hacked), some also having directories called 'quad'. My ISP took ownership of userpics and set it to mode 0 until we get this straightened out. I have since then disabled new user registrations--which I don't really need--and I have disallowed any file types other than jpg/gif/png/bmp. Is there anything else I need to do before I assure my ISP that I've done all I can?

Based on the ubiquitousness of this hacking experience, as evidenced by the aforementioned Google search, I am suggesting that a sticky thread be created for this issue and that the other related threads be merged into it. It is hard to think of everything when faced with the broad array of configuration options in Coppermine, and a well placed caveat would serve users well. Being hacked is an invasive, horrifying experience, particularly for the non-technical user. This is the only place they can turn when things go wrong involving Coppermine. Thus, I hope you will take my suggestion seriously and act on it accordingly.

Thanks for a fine product that has served me well through the years. I have no complaints, inasmuch as my failure to disallow dangerous file types was an error of omission on my part.
Max
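kegobeer's advice (no document uploads, no "ALL" in the allowed types, remove archives) and condomax's report (img.php.rar uploaded under userpics by a self-registered user) describe the same control from two sides: the gallery should accept only an allowlist of image extensions, and a name with more than one extension should fail outright. The reason the second rule matters is that Apache's mod_mime, when PHP is wired up with AddHandler, examines every extension in a file name, not only the last one, so img.php.rar can be handed to the PHP interpreter even though it "is" a .rar. The functions below are an added example in shell, not Coppermine's own upload code or configuration; the allowlist and the userpics path are assumptions. The second function is the clean-up check for an already-hacked gallery: list everything under the upload tree that the allowlist would have refused.

```shell
#!/bin/sh
# Added example (not Coppermine's code): the allowlist check behind the
# "only jpg/gif/png/bmp" advice, plus a sweep of an upload tree for files
# that check would have rejected. ALLOWED_EXT and the default directory
# name are assumptions for this example.

# Allowed upload extensions. An allowlist: anything not listed is refused,
# so there is no need to enumerate php, rar, zip, gz and so on.
ALLOWED_EXT='jpg jpeg gif png bmp'

# Return 0 if $1 is an acceptable upload file name, 1 otherwise.
# Rules, in order:
#   - hidden names (.htaccess) and empty names are refused
#   - names with more than one extension (img.php.rar, a.tar.gz) are refused,
#     because a web server may act on an inner extension
#   - the single extension must be in ALLOWED_EXT, compared case-insensitively
upload_name_ok() {
    name=${1##*/}                       # strip any directory part
    case "$name" in
        ''|.*)  return 1 ;;             # empty or dot-file
        *.*.*)  return 1 ;;             # two or more extensions
        *.*)    ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
        *)      return 1 ;;             # no extension at all
    esac
    for a in $ALLOWED_EXT; do
        [ "$ext" = "$a" ] && return 0
    done
    return 1
}

# Print every file under $1 whose name fails upload_name_ok. Run this against
# the userpics tree of a gallery that was configured with "ALL" document types:
# the output is the list of archives and scripts that should not be there.
find_bad_uploads() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        upload_name_ok "$f" || printf '%s\n' "$f"
    done
}

# Usage: sh uploads.sh /path/to/albums/userpics
if [ $# -gt 0 ]; then
    find_bad_uploads "$1"
fi
```

Two caveats a practitioner would add. First, the name check is necessary but not sufficient: a file called photo.jpg can still contain PHP, which matters on servers that run the interpreter on any file or that honour an attacker-supplied .htaccess in the upload directory, so the upload directory should also be configured so that nothing in it executes. Second, removing bad files does not undo what they already did; the password changes and the backdoor scan from earlier in the thread still apply.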