Hacker on my Gallery part 2

Started by LACA Rio, July 19, 2006, 09:11:09 PM


LACA Rio

Hi guys,

I upgraded my gallery from 1.3.5 to 1.4.8 because some files were uploaded by a hacker into my albums/userpics/1001 folder.
These files were used for phishing (in this case, a Chase bank).
Today, when I checked the files using an FTP program, I found another very suspicious file (sanyo.php.rar) in the same folder.
I deleted the file and changed my password again, but I can't change the chmod permissions, which are 777.
Thanks for any help.
Luiz Araujo

Joachim Müller

The upgrade doesn't cure infected webspace, it only keeps your gallery from getting infected in the first place. As your initial reason for upgrading was an infection, you'll have to cure your webspace first by scanning for leftover dangerous files and subsequent backdoors the attacker may have left.

LACA Rio

As a webmaster, I did it, and the server that is hosting all my websites too.
That rar file was uploaded before the upgrade. The folder has very dangerous CHMOD 777.
If you want to check the malicious script, I can send you the file (sanyo.php.rar). I'm afraid to open it.
Luiz Araujo

Joachim Müller

Quote from: LACA Rio on July 20, 2006, 03:02:28 PM
That rar file was uploaded before the upgrade.
There you go: as it has been uploaded before the upgrade, you should have deleted it before doing anything else.

Quote from: LACA Rio on July 20, 2006, 03:02:28 PM
The folder has very dangerous CHMOD 777.
Not dangerous if your webserver is set up properly. Read http://www.simplemachines.org/community/index.php?topic=2987.0 for details.

Quote from: LACA Rio on July 20, 2006, 03:02:28 PM
I'm afraid to open it.
There's no need to be afraid: download it to your client (using your FTP app). Then open it in a plain text editor (notepad.exe is fine). However: you'll only need to do this if you're curious, it won't help you in solving any infection-related issues that you might have.

For security reasons, ask your webhost to configure your Apache webserver to do something with .rar files. Refer to the announcement thread "Coppermine-driven galleries hit by RAR exploit" for what the setup needs to be.
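The announcement thread's actual setup is not reproduced on this page, so the following is an added example (not the Coppermine project's own configuration and not from this thread) showing the mod_mime setting that lets a name like sanyo.php.rar run as PHP, beside a hardened setup. It assumes mod_php on Apache 2.4 and a gallery installed under /var/www/gallery; both are assumptions, and images under albums/ are still served normally.

```apache
# Added example, not the Coppermine project's or this thread's own config.
# Assumed: mod_php on Apache 2.4, gallery installed at /var/www/gallery.

# --- Weak setting (common in shared-hosting configs) ---
# mod_mime looks at every dot-separated extension in a file name, so
# "sanyo.php.rar" still contains ".php" and is handed to the PHP handler.
# The same applies to: AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php

# --- Hardened setting 1: bind the handler to names that END in .php ---
# FilesMatch is a regex over the whole file name, so "x.php.rar" no
# longer qualifies and is served as a plain download instead of executed.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# --- Hardened setting 2: no script execution at all in the upload tree ---
# Whatever an uploaded file is called, nothing under albums/ should run.
<Directory "/var/www/gallery/albums">
    # mod_php only: switch the interpreter off for this directory tree.
    php_flag engine off
    # Belt and braces: refuse to serve anything whose name carries a
    # script extension anywhere, e.g. "sanyo.php.rar" or "x.phtml".
    # (Apache 2.2 equivalent: Order allow,deny / Deny from all)
    <FilesMatch "\.(php|php3|php4|php5|phtml|phps|pl|cgi)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
```

After changing the config, reload Apache and confirm that a harmless test file with a double extension in albums/ is returned as a download or a 403, not interpreted.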

LACA Rio

You were right. I uploaded a test "php.rar" and, after running it, I could read "Oops, my webserver is vulnerable" in my browser. I sent this post to my webhoster and left the "Allowed document types" field in the config settings empty instead of "ALL".
Luiz Araujo

Joachim Müller

Read the entire thread I referred to.