[Closed]: Helping each other with problems resulting from cdpuvbhfzz hacking?

[Llama8668]

I've been hacked yet again despite upgrading to 4.1.7 and attempting to clean everything up. Anyone have any advice as to how they're still getting in (will it be that there are files still left in the upload/albums which are being used) as thing is getting ridiculous  .

[marian]

I've been hacked yet again despite upgrading to 4.1.7 and attempting to clean everything up. Anyone have any advice as to how they're still getting in (will it be that there are files still left in the upload/albums which are being used) as thing is getting ridiculous  .

I had my doubts about this being over, once we were hacked AFTER our only URI upload was disabled. Bad, bad scene.

[Joachim Müller]

No. Jpeg files can't be infected anyway, as Abbas already explained.

[marian]

No. Jpeg files can't be infected anyway, as Abbas already explained.

I dont know if this is relevant but given the hackings after upgrades I thought I would mention it.
Someone has suggested to me that it could be that coppermine will accept a file as long as it contains jpg or other acceptable file format. So a file named PIC.jpg.php with malicious code would be accepted. Don't know if he is right and cant test as we have disabled gallery.

[Joachim Müller]

Upgrading will not clean your site once it is infected. The attacker left a backdoor, you have to thoroughly sanitize your site - you can not just perform the upgrade and think that everything is dandy.

[Llama8668]

Would preventing the upload of zips (forbid it in the accepted types options in the config section) help at all?

For one of the two sites which went down again the offending files were re uploaded again (after the upgrade to 4.1.7).

For the other I couldn't see the files present. It appears to have been hacked again though making it twice today.

To a degree I think all I need is a way to battern down the hatches, specifically stop the spread outside of the coppermine gallery (if it's just the addition of code they're doing I'm happy to keep re uploading the gallery files, it just becomes a big chore when it's spread to other files like forums and normal site php files).

The suggestion solution seems to be a PHP.ini file (specifically the open_basedir setting). I've tried to add that to the root of the gallery, however it spits out errors as the includes appear to fail with open_basedir set to off. I'm I just doing it wrong (should it perhaps be added to just the upload albums?) or is there some otherway of blocking the mass rewrite of an entire sites files?

[sharpo]

Just noticed mine has been infected again.

Checked all the files in album folder for any uploads other than mine, there were none, checked the index files in those folders for the iframe code, then deleted everything else before uploading 1.4.17.

Perhaps it happened because I had not finished upgrading the other galleries in my web space.

[Joachim Müller]

This thread is not what you intended it to be. You don't help each other, obviously because you can't. You're posting panic-postings only. This thread is invalid and should never have been started. I deliberatly told you on the other thread that your "me too" reports won't help and threatened everyone to ban if the posting of invalid replies continues. Marian thought that he could circumvent the ban by starting another thread that deals with the very same issue. This is not the case. Thread locked.