upload.php exploit upload.php exploit
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

upload.php exploit

Started by twocups, April 11, 2006, 10:16:16 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

twocups

My box, running 1.4.4 has been root kitted by an exploit in the upload.php file. Is this a known exploit? Who should I contact to share info?


Joachim Müller

Post what type of files has been uploaded. Blind guess: you have fallen victim to the rar vulnerability that exists on outdated apache webserver setups. This is not related to coppermine, but a webserver vulnerability. Read the threads that deal with it: http://forum.coppermine-gallery.net/index.php?action=search2;search=rar
If this vulnerability doesn't apply for you, please contact me over PM, providing as many details as possible.

twocups

Its .gz not .rar, same problemo I expect. (PM sent)

Joachim Müller

you could have posted your PM publicly as well, as it doesn't contain sensitive information. Yes, imo you have been attacked using the same exploit that I refered to above.

twocups

Ok, here is my post for those interested. Something to watch out for.


Looks like RAR was attempted first "Destroyer57.php.rar" in the userpics directory.

However, that file just downloads doesnt run. Its actually a .gz file that was uploaded ("a.php.gz") - which contains a copy of a rather nasty looking phpRemoteViewer. For some reason mr hacker then installed a further file "xp_publish.php" in the root directory - same software.

Im running apache 2.2 (is that outdated?!) I assume apache is decompressing and running .gz files on the fly...

Nibbler

2.2 is the latest version. Your server is setup to run anything that looks like a php script using php, regardless of the file extension.

twocups

Yeah, ill have a look at that. See if it can brew beer without being asked too!

Thanks for your help all,

James