Vulnerability? Had shell uploaded through upload.php

Started by SickFinga, June 17, 2006, 10:22:40 AM


SickFinga

I was checking my counter, and saw someone was "google hacking".

Someone was searching for "coppermine photo gallery intitle:"Upload File"" on Yahoo and got to my site.
I checked my logs and noticed that the user tried to access
http://url.com/albums/userpics/is.php.rar

I checked my USERPICS folder and sure enough, is.php.rar was there.
I opened it with Notepad, and it is a shell.


So I was wondering if there is any danger?


I have 1.4.5 patched to 1.4.8

Sami

Yes, there is; you should delete that file.
- As of cpg 1.4.6, the gallery is protected against Apache's .rar vulnerability
- This file was uploaded before you upgraded the gallery
I don't answer to PM with support question
Please post your issue to related board

SickFinga

Nope, uploaded yesterday.
Guess I should double check if I actually patched it.

SickFinga

Checked function.inc.php and it is patched (patched on May 26).
The rar file was uploaded on 16th June.


Sami

Look for other shell files; maybe you have a shell file uploaded before the update, and they use that to upload a new one!
What is the actual name? is.php.rar or is_php.rar?
- A link to the site with a test (non-admin) user would be helpful

SickFinga

File name is is_php.rar

But when he tried to access it, he tried is.php.rar
[Fri Jun 16 10:05:53 2006] [error] [client 193.226.60.107] File does not exist: /usr/home/tttt/public_html/404.shtml
[Fri Jun 16 10:05:53 2006] [error] [client 193.226.60.107] File does not exist: /usr/home/tttt/public_html/albums/userpics/is.php.rar

site
http://tuningdb.com

SickFinga

OK I just tried to rename the shell to is.php.rar and upload it. Coppermine changed the file name to is_php.rar

So I guess the fix does work.

Sorry for the false alarm.
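
The renaming and the log check discussed in this thread, as an added example in Python (not part of the thread and not Coppermine's own code). It reproduces the observed behaviour (is.php.rar stored as is_php.rar) and flags error-log requests for names where an extension other than the last one maps to a script handler, which is the case Apache's multiple-extension handling makes dangerous. The handler-extension set, the sample log lines, the client address and the paths are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Assumption: extensions a typical Apache setup maps to a script handler.
HANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi", "shtml"}

def sanitize_upload_name(name: str) -> str:
    """Keep only the final extension; every earlier dot becomes '_'."""
    base = PurePosixPath(name.replace("\\", "/")).name  # drop any path part
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:  # no extension, or a dotfile such as .htaccess
        return base.replace(".", "_")
    return stem.replace(".", "_") + "." + ext

def has_inner_handler_ext(name: str) -> bool:
    """True if an extension other than the last one maps to a handler."""
    parts = name.lower().split(".")
    return any(p in HANDLER_EXTS for p in parts[1:-1])

# Matches the Apache error_log "File does not exist" lines quoted in the thread.
ERR_RE = re.compile(r"\[client (?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)")

def probes_for_inner_ext(log_lines):
    """Return (client, path) for misses on names with an inner handler extension."""
    hits = []
    for line in log_lines:
        m = ERR_RE.search(line)
        if m and has_inner_handler_ext(PurePosixPath(m["path"]).name):
            hits.append((m["ip"], m["path"]))
    return hits

# Constructed sample: documentation address and hypothetical paths.
SAMPLE_LOG = [
    "[Fri Jun 16 10:05:53 2006] [error] [client 192.0.2.10] "
    "File does not exist: /home/example/public_html/404.shtml",
    "[Fri Jun 16 10:05:53 2006] [error] [client 192.0.2.10] "
    "File does not exist: /home/example/public_html/albums/userpics/is.php.rar",
]

if __name__ == "__main__":
    print(sanitize_upload_name("is.php.rar"))
    print(probes_for_inner_ext(SAMPLE_LOG))
```

A file whose final extension is itself a handler extension (for example shell.php) is outside this check and has to be rejected by the upload's allowed-extension list.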
