Someone has Redirected my Site to cdpuvbhfzz.com - What do I do? - Page 8


Started by htgguy, April 06, 2008, 10:04:11 PM


Nibbler

The latest patch indeed does not fix the problem - it fixes a different problem, one which this latest attack does not actually exploit. There will be a new release soon that will address the current issue, as a result of information provided to us by a webhost sysadmin that actually has the skills needed to investigate the problem properly.

Coppermine will not be brought down by hackers, but by people like you dragging down developer morale until we all give up.

tfischer

Quote from: Nibbler on April 13, 2008, 10:36:03 PM
The latest patch indeed does not fix the problem - it fixes a different problem, one which this latest attack does not actually exploit. There will be a new release soon that will address the current issue, as a result of information provided to us by a webhost sysadmin that actually has the skills needed to investigate the problem properly.

Coppermine will not be brought down by hackers, but by people like you dragging down developer morale until we all give up.

This is excellent news. I hope I'm not adding to thread-clutter by saying this (if so please delete this reply and forgive me), but I really appreciate the work you guys do. I felt a bit sickened when I read marian's response -- not sure why someone would treat people who volunteer to create a great product and also attempt to support it for free, like that. The implication that nobody cared about the problem for three days was especially sickening... I guess people like him don't understand software security -- that cannot be too transparent until a specific problem is identified and a fix has been confirmed...

Anyway I for one, and surely countless others like me, really appreciate all the hard work you guys do.

-Tim

marian

Quote from: Nibbler on April 13, 2008, 10:36:03 PM
Coppermine will not be brought down by hackers, but by people like you dragging down developer morale until we all give up.
No Nibbler, Coppermine will not be brought down by "people dragging down developer morale until we all give up", but by this forum dragging down Coppermine enthusiast morale, because they are treated like shit.
Being a major website with a big CPG, our Gallery Editor has had many emails saying "I know you have a very big Coppermine Gallery so you must be an expert and I hope you can help me" ............... What follows varies, according to the problem, but is along the lines of "Before contacting you, I've tried to find the answer by searching the Coppermine forum and couldn't. Seeing responses to other novice questions, I don't feel I can post my question on the forum, so I hope you can tell me what to do."

Nibbler

Oh, you mean the same way you treated 'oflus' back there? Who just made his first post, was being helpful and you jumped down his throat?

If you don't like the support here then stick around, answer questions, and show us how it's done.

marian

Quote from: Nibbler on April 13, 2008, 11:08:31 PM
Oh, you mean the same way you treated 'oflus' back there? Who just made his first post, was being helpful and you jumped down his throat?
How was oflus' remark "I am sure that there is a simple shell command that you can think of to clean up your infected files, by using perl or sed." helpful, when the majority of Coppermine users do not understand the terms shell command, perl and sed?
I am a huge Coppermine - ie the way the Gallery works - fan; I appreciate the work that has been put into developing it; that does not alter the fact that I think the way the forum operates is counter productive to producing any sense of loyalty/community in Coppermine users.

Nibbler

Just because you don't understand it doesn't mean someone won't find it helpful. If you were prepared to actually learn such tools you could clean up an entire server in just a few minutes.

You can't change anything by complaining. Stick around and provide the support you wish to see.
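
The clean-up Nibbler refers to, as an added example that is not code from the Coppermine project or from anyone in this thread: it finds every file under the gallery that mentions the attacker's domain, quarantines a copy of each (keep the evidence before you touch anything), strips the injected iframe/script element while leaving the legitimate code that shares the line, and lists anything it could not recognise for manual review. It assumes the injection is an iframe or script tag whose attributes name the domain; other forms are reported, not edited. The sample gallery files it creates are constructed for the demo, and only the domain cdpuvbhfzz.com comes from the thread.

```shell
#!/bin/sh
# Added example, not code from the Coppermine project or from anyone in this
# thread. Locate files that reference the attacker's domain, quarantine a copy
# of each, strip the injected <iframe>/<script> elements that point at the
# domain, and flag files that still need a human look.
# Assumptions: the injection is an <iframe> or <script> tag whose src names the
# domain (anything else is only reported). The sample files written below are
# CONSTRUCTED for the demo; only the domain comes from the thread.
set -u

DOMAIN="cdpuvbhfzz.com"

# Escape the dots so sed -E matches the domain literally.
escape_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# Files under $1 that contain the fixed string $2 (recursive).
infected_files() { grep -rlF -- "$2" "$1" 2>/dev/null || true; }

# Copy file $1 into quarantine dir $3 (evidence first), then remove every
# <iframe ...>...</iframe> / <script ...>...</script> whose attributes name
# domain $2, leaving the legitimate code on the same line intact.
strip_injection() {
  f="$1"; re=$(escape_re "$2"); qdir="$3"
  cp -p "$f" "$qdir/$(printf '%s' "$f" | tr '/' '_')"
  sed -E \
    -e "s#<iframe[^>]*${re}[^>]*>([^<]*</iframe>)?##g" \
    -e "s#<script[^>]*${re}[^>]*>([^<]*</script>)?##g" \
    "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Clean tree $1 of domain $2, quarantining into $3. Prints the number of files
# that still mention the domain afterwards (an injection shape the sed patterns
# do not know); those files are listed on stderr for manual review.
clean_tree() {
  dir="$1"; domain="$2"; qdir="$3"; left=0
  list="$qdir/.filelist"
  infected_files "$dir" "$domain" > "$list"
  while IFS= read -r f; do
    strip_injection "$f" "$domain" "$qdir"
    if grep -qF -- "$domain" "$f"; then
      echo "MANUAL REVIEW: $f still references $domain" >&2
      left=$((left + 1))
    fi
  done < "$list"
  echo "$left"
}

# --- demo on a constructed gallery tree ------------------------------------
DEMO=$(mktemp -d)
mkdir -p "$DEMO/gallery/include" "$DEMO/quarantine"
cat > "$DEMO/gallery/index.php" <<'EOF'
<?php
define('IN_COPPERMINE', true);
require('include/init.inc.php'); ?><iframe src="http://cdpuvbhfzz.com/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
EOF
cat > "$DEMO/gallery/thumbnails.php" <<'EOF'
<?php
require('include/init.inc.php');
echo '<script src="http://cdpuvbhfzz.com/x.js"></script>';
EOF
cat > "$DEMO/gallery/include/init.inc.php" <<'EOF'
<?php
// clean file: must be left exactly as it is
define('CPG_VER', '1.4.17');
EOF

BEFORE=$(infected_files "$DEMO/gallery" "$DOMAIN" | wc -l | tr -d ' ')
LEFT=$(clean_tree "$DEMO/gallery" "$DOMAIN" "$DEMO/quarantine")
AFTER=$(infected_files "$DEMO/gallery" "$DOMAIN" | wc -l | tr -d ' ')
echo "files referencing $DOMAIN: before=$BEFORE after=$AFTER manual_review=$LEFT"
```

Stripping the payload only removes the symptom. It does not undo whatever the attack wrote into the database (the config table is discussed further down the thread), and it does not close the hole the attacker came in through, so it has to be followed by the patch and the password changes the thread describes, or the same files will be rewritten.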

Hercules24

I have a lot of respect for the mods here, who I'm sure are stressed out and work their ass off to get things solved asap.
But until the next patch comes out, is there anything users with a cleaned 1.4.17 can do to avoid getting hacked again?
Like temporary deleting some of the files in the CPG directory that are only needed to perform admin tools, but not when viewing the gallery?

strokesfan

How long will it be until the new version? The 'hacker' changed my settings again despite having 1.7 and there were no backdoors or anything. I checked the IP of whoever was doing it and it was someone from Russia w/ the IP: 91.76.173.220 and after researching, it was the domain: mtu.ru

Thank you for providing a wonderful service and all your hard work.

steveeh131047

Folks - just wanted to say that I spent a few hours this afternoon with a close family friend who is in his last few weeks of life - he has terminal lung cancer. Suddenly, any worries I might have over cpg vulnerability were put into perspective!

marian

Quote from: Nibbler on April 13, 2008, 11:27:29 PM
Just because you don't understand it doesn't mean someone won't find it helpful. If you were prepared to actually learn such tools you could clean up an entire server in just a few minutes.

You can't change anything by complaining. Stick around and provide the support you wish to see.
You misunderstand me Nibbler. I understood perfectly and our web people are experts in the use of such tools. Because I and others associated with our site understood, our site WAS cleaned up in a few minutes, which is why we were so certain that the exploit that mod 17 addressed was NOT the problem. What I was pointing out was that the vast majority of coppermine users are not pros like me.

mr.goose

Quote from: strokesfan on April 13, 2008, 11:34:26 PM
How long will it be until the new version? The 'hacker' changed my settings again despite having 1.7 and there were no backdoors or anything. I checked the IP of whoever was doing it and it was someone from Russia w/ the IP: 91.76.173.220 and after researching, it was the domain: mtu.ru

Thank you for providing a wonderful service and all your hard work.

As I suggested in an earlier post, deleting update.php seems to "break" the hack. It looks at update.php before posting data to your cpgxxx_config table. I think it uses this to determine the table prefix as Nibbler suggested earlier. Without this info, the hack seems unable to proceed. I have been hack free since doing this. http://www.garfnet.org.uk/coppermine

Best wishes, G
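
Since the attack described above writes into the config table, the rows it touched have to be found as well as the files. The following is an added example, not code from the Coppermine project or from any poster: it works on a mysqldump of the gallery database (taken before clean-up, so the evidence is preserved) and prints name=value for every config row whose value mentions the domain, so those rows can be reviewed and reset. It assumes the dump uses the usual single-line INSERT ... VALUES form and does not parse values containing an escaped quote; the dump and the config key names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Coppermine project or any poster: triage the
# config table for rows the attack may have written. Input is a mysqldump of
# the gallery database; output is name=value for every row of a *config table
# whose value names the domain.
# Assumptions: single-line INSERT ... VALUES dumps; values that contain an
# escaped quote (\') are not parsed. The dump below is CONSTRUCTED and the key
# names in it are illustrative.
set -u

DOMAIN="cdpuvbhfzz.com"

# Print name=value for config rows in dump $1 whose value mentions domain $2.
config_hits() {
  dump="$1"; re=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  # keep the INSERT lines of any table whose name ends in "config",
  # split them into one ('name','value') pair per line, keep the pairs that
  # mention the domain, and reshape each as name=value
  grep -E '^INSERT INTO .[A-Za-z0-9_]*config. VALUES' "$dump" \
    | grep -oE "\('[^']*','[^']*'\)" \
    | grep -E -- "$re" \
    | sed -E "s/^\('([^']*)','([^']*)'\)$/\1=\2/"
}

# --- demo on a constructed dump ---------------------------------------------
DUMP=$(mktemp)
cat > "$DUMP" <<'EOF'
-- MySQL dump (constructed for the demo)
CREATE TABLE `cpg1410_config` (`name` varchar(40) NOT NULL, `value` text NOT NULL);
INSERT INTO `cpg1410_config` VALUES ('gallery_name','My Gallery'),('gallery_description','Our pictures<iframe src=\"http://cdpuvbhfzz.com/in.cgi?3\"></iframe>'),('ecards_more_pic_target','http://cdpuvbhfzz.com/in.cgi?3'),('theme','classic'),('lang','english');
EOF
config_hits "$DUMP" "$DOMAIN"
```

Each line printed is a row to reset from a known-good backup or by hand through the admin config page; the script deliberately does not write the database, because what the correct value should be depends on the site.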

Nibbler

The release will be whenever GauGau finds time to put it together, it takes quite some time and effort.

Until then, you can replace your copy of bridge/coppermine.inc.php with the fixed copy in svn, here.

mr.goose

Quote from: Nibbler on April 13, 2008, 11:42:22 PM
The release will be whenever GauGau finds time to put it together, it takes quite some time and effort.

Until then, you can replace your copy of bridge/coppermine.inc.php with the fixed copy in svn, here.

Thanks for that. Getting it now.

Meantime, what's the current thinking about leaving update.php accessible? I know the security boys at Waraxe seem to think it's a bad idea. http://www.waraxe.us/advisory-66.html

What would you advise?

Best wishes, G

gertiebeth

I have a gallery that was NOT hacked and these are the steps I took to secure it:

1. Disabled uploads server wide via php.conf
2. Disabled user group uploads
3. Upgraded the gallery to version 1.4.17
4. Changed all passwords including FTP, admin and database

But my gallery was hacked today. Is there any information available for this new vulnerability so we can start patching until a new version comes out?
Gertie

slausen

Fortunately, my install has not gotten hacked, but I want to take whatever measures are needed to protect my users.

So then, would it be correct to summarize the temporary fixes (until the next patch) to keep from getting infected as follows:

delete update.php from server
delete upload.php from server
delete bridge/coppermine.inc.php from server

If there are any other files to be deleted, please quote my reply and add them. If my list is incorrect, or there is another procedure, please let me know.

Thanks.

Nibbler

Deleting bridge/coppermine.inc.php doesn't make sense.

If you are not bridged you will bring down your gallery.
If you are bridged then you are not vulnerable there to begin with.

Deleting update.php is reasonable, deleting upload.php is reasonable if you don't use http/uri uploads.

mr.goose

Seems one could alternatively:-

  • delete update.php, 
  • patch upload.php by upgrading to 1.4.17, which means users can still upload things,
  • patch bridge/coppermine.inc.php with the fixed copy in svn, as described by Nibbler a couple of posts ago.

At least, that's what we have done.
Best wishes, G.

mr.goose

Sorry Nibbler - seems our posts crossed. Does the above make sense?
Best wishes, G